xmrig | 2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc

Analysis

max time kernel
130s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 19:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
Size

3.0MB
MD5

56861f5746650ac966ef44b9fcbca314
SHA1

845efca9facc0d69105080f46121ed44d3d40634
SHA256

2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc
SHA512

e89b68ee55fd69fb8f3dfe330a58778545f664e2226120b5186b713a366781b399f91cb6c0e883536683a445ba30bc60288b64c5de7246ec8231468b52688f82
SSDEEP

49152:71G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkHC0INFWEWBN4t:71ONtyBeSFkXV1etEKLlWUTOfeiRA2RR

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables containing URLs to raw contents of a Github gist 64 IoCs

resource	yara_rule
behavioral2/memory/1696-0-0x00007FF721780000-0x00007FF721B76000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023433-7.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000900000002342e-5.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023437-35.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343b-56.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343d-68.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343c-82.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023443-102.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3316-119-0x00007FF79C370000-0x00007FF79C766000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2520-122-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344a-139.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3964-158-0x00007FF619B20000-0x00007FF619F16000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3152-162-0x00007FF75DE80000-0x00007FF75E276000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4988-167-0x00007FF7FBD30000-0x00007FF7FC126000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/408-169-0x00007FF73A2F0000-0x00007FF73A6E6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4972-168-0x00007FF7992A0000-0x00007FF799696000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4780-166-0x00007FF755F10000-0x00007FF756306000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1908-165-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2196-164-0x00007FF7B1F50000-0x00007FF7B2346000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4492-163-0x00007FF7F5690000-0x00007FF7F5A86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4568-161-0x00007FF7A7750000-0x00007FF7A7B46000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1852-160-0x00007FF77E0F0000-0x00007FF77E4E6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/400-159-0x00007FF7CD8C0000-0x00007FF7CDCB6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2284-157-0x00007FF694C40000-0x00007FF695036000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/452-156-0x00007FF65EB90000-0x00007FF65EF86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3796-155-0x00007FF65E810000-0x00007FF65EC06000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023449-151.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0008000000023447-149.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000900000002342f-147.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023448-145.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4960-144-0x00007FF6409B0000-0x00007FF640DA6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3756-143-0x00007FF7B2ED0000-0x00007FF7B32C6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023445-141.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2572-140-0x00007FF6C0F30000-0x00007FF6C1326000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1452-138-0x00007FF7B21E0000-0x00007FF7B25D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023444-107.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343f-105.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2060-104-0x00007FF63EE70000-0x00007FF63F266000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023442-100.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023441-98.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023440-96.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343e-94.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002343a-63.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023439-59.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023434-50.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023436-47.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023438-45.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023432-38.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x0007000000023435-32.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4916-27-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3584-13-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002344b-383.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x000700000002349d-389.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x00070000000234a2-395.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x00070000000234a6-405.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x00070000000234a3-406.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/files/0x00070000000234a7-414.dat	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3584-2140-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4916-2141-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1908-2144-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3584-2145-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3316-2151-0x00007FF79C370000-0x00007FF79C766000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4916-2150-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2520-2149-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/1696-0-0x00007FF721780000-0x00007FF721B76000-memory.dmp	UPX
behavioral2/files/0x0007000000023433-7.dat	UPX
behavioral2/files/0x000900000002342e-5.dat	UPX
behavioral2/files/0x0007000000023437-35.dat	UPX
behavioral2/files/0x000700000002343b-56.dat	UPX
behavioral2/files/0x000700000002343d-68.dat	UPX
behavioral2/files/0x000700000002343c-82.dat	UPX
behavioral2/files/0x0007000000023443-102.dat	UPX
behavioral2/memory/3316-119-0x00007FF79C370000-0x00007FF79C766000-memory.dmp	UPX
behavioral2/memory/2520-122-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp	UPX
behavioral2/files/0x000700000002344a-139.dat	UPX
behavioral2/memory/3964-158-0x00007FF619B20000-0x00007FF619F16000-memory.dmp	UPX
behavioral2/memory/3152-162-0x00007FF75DE80000-0x00007FF75E276000-memory.dmp	UPX
behavioral2/memory/4988-167-0x00007FF7FBD30000-0x00007FF7FC126000-memory.dmp	UPX
behavioral2/memory/408-169-0x00007FF73A2F0000-0x00007FF73A6E6000-memory.dmp	UPX
behavioral2/memory/4972-168-0x00007FF7992A0000-0x00007FF799696000-memory.dmp	UPX
behavioral2/memory/4780-166-0x00007FF755F10000-0x00007FF756306000-memory.dmp	UPX
behavioral2/memory/1908-165-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp	UPX
behavioral2/memory/2196-164-0x00007FF7B1F50000-0x00007FF7B2346000-memory.dmp	UPX
behavioral2/memory/4492-163-0x00007FF7F5690000-0x00007FF7F5A86000-memory.dmp	UPX
behavioral2/memory/4568-161-0x00007FF7A7750000-0x00007FF7A7B46000-memory.dmp	UPX
behavioral2/memory/1852-160-0x00007FF77E0F0000-0x00007FF77E4E6000-memory.dmp	UPX
behavioral2/memory/400-159-0x00007FF7CD8C0000-0x00007FF7CDCB6000-memory.dmp	UPX
behavioral2/memory/2284-157-0x00007FF694C40000-0x00007FF695036000-memory.dmp	UPX
behavioral2/memory/452-156-0x00007FF65EB90000-0x00007FF65EF86000-memory.dmp	UPX
behavioral2/memory/3796-155-0x00007FF65E810000-0x00007FF65EC06000-memory.dmp	UPX
behavioral2/files/0x0007000000023449-151.dat	UPX
behavioral2/files/0x0008000000023447-149.dat	UPX
behavioral2/files/0x000900000002342f-147.dat	UPX
behavioral2/files/0x0007000000023448-145.dat	UPX
behavioral2/memory/4960-144-0x00007FF6409B0000-0x00007FF640DA6000-memory.dmp	UPX
behavioral2/memory/3756-143-0x00007FF7B2ED0000-0x00007FF7B32C6000-memory.dmp	UPX
behavioral2/files/0x0007000000023445-141.dat	UPX
behavioral2/memory/2572-140-0x00007FF6C0F30000-0x00007FF6C1326000-memory.dmp	UPX
behavioral2/memory/1452-138-0x00007FF7B21E0000-0x00007FF7B25D6000-memory.dmp	UPX
behavioral2/files/0x0007000000023444-107.dat	UPX
behavioral2/files/0x000700000002343f-105.dat	UPX
behavioral2/memory/2060-104-0x00007FF63EE70000-0x00007FF63F266000-memory.dmp	UPX
behavioral2/files/0x0007000000023442-100.dat	UPX
behavioral2/files/0x0007000000023441-98.dat	UPX
behavioral2/files/0x0007000000023440-96.dat	UPX
behavioral2/files/0x000700000002343e-94.dat	UPX
behavioral2/files/0x000700000002343a-63.dat	UPX
behavioral2/files/0x0007000000023439-59.dat	UPX
behavioral2/files/0x0007000000023434-50.dat	UPX
behavioral2/files/0x0007000000023436-47.dat	UPX
behavioral2/files/0x0007000000023438-45.dat	UPX
behavioral2/files/0x0007000000023432-38.dat	UPX
behavioral2/files/0x0007000000023435-32.dat	UPX
behavioral2/memory/4916-27-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	UPX
behavioral2/memory/3584-13-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	UPX
behavioral2/files/0x000700000002344b-383.dat	UPX
behavioral2/files/0x000700000002349d-389.dat	UPX
behavioral2/files/0x00070000000234a2-395.dat	UPX
behavioral2/files/0x00070000000234a6-405.dat	UPX
behavioral2/files/0x00070000000234a3-406.dat	UPX
behavioral2/files/0x00070000000234a7-414.dat	UPX
behavioral2/memory/3584-2140-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	UPX
behavioral2/memory/4916-2141-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	UPX
behavioral2/memory/1908-2144-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp	UPX
behavioral2/memory/3584-2145-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	UPX
behavioral2/memory/3316-2151-0x00007FF79C370000-0x00007FF79C766000-memory.dmp	UPX
behavioral2/memory/4916-2150-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	UPX
behavioral2/memory/2520-2149-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1696-0-0x00007FF721780000-0x00007FF721B76000-memory.dmp	xmrig
behavioral2/files/0x0007000000023433-7.dat	xmrig
behavioral2/files/0x000900000002342e-5.dat	xmrig
behavioral2/files/0x0007000000023437-35.dat	xmrig
behavioral2/files/0x000700000002343b-56.dat	xmrig
behavioral2/files/0x000700000002343d-68.dat	xmrig
behavioral2/files/0x000700000002343c-82.dat	xmrig
behavioral2/files/0x0007000000023443-102.dat	xmrig
behavioral2/memory/3316-119-0x00007FF79C370000-0x00007FF79C766000-memory.dmp	xmrig
behavioral2/memory/2520-122-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp	xmrig
behavioral2/files/0x000700000002344a-139.dat	xmrig
behavioral2/memory/3964-158-0x00007FF619B20000-0x00007FF619F16000-memory.dmp	xmrig
behavioral2/memory/3152-162-0x00007FF75DE80000-0x00007FF75E276000-memory.dmp	xmrig
behavioral2/memory/4988-167-0x00007FF7FBD30000-0x00007FF7FC126000-memory.dmp	xmrig
behavioral2/memory/408-169-0x00007FF73A2F0000-0x00007FF73A6E6000-memory.dmp	xmrig
behavioral2/memory/4972-168-0x00007FF7992A0000-0x00007FF799696000-memory.dmp	xmrig
behavioral2/memory/4780-166-0x00007FF755F10000-0x00007FF756306000-memory.dmp	xmrig
behavioral2/memory/1908-165-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp	xmrig
behavioral2/memory/2196-164-0x00007FF7B1F50000-0x00007FF7B2346000-memory.dmp	xmrig
behavioral2/memory/4492-163-0x00007FF7F5690000-0x00007FF7F5A86000-memory.dmp	xmrig
behavioral2/memory/4568-161-0x00007FF7A7750000-0x00007FF7A7B46000-memory.dmp	xmrig
behavioral2/memory/1852-160-0x00007FF77E0F0000-0x00007FF77E4E6000-memory.dmp	xmrig
behavioral2/memory/400-159-0x00007FF7CD8C0000-0x00007FF7CDCB6000-memory.dmp	xmrig
behavioral2/memory/2284-157-0x00007FF694C40000-0x00007FF695036000-memory.dmp	xmrig
behavioral2/memory/452-156-0x00007FF65EB90000-0x00007FF65EF86000-memory.dmp	xmrig
behavioral2/memory/3796-155-0x00007FF65E810000-0x00007FF65EC06000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-151.dat	xmrig
behavioral2/files/0x0008000000023447-149.dat	xmrig
behavioral2/files/0x000900000002342f-147.dat	xmrig
behavioral2/files/0x0007000000023448-145.dat	xmrig
behavioral2/memory/4960-144-0x00007FF6409B0000-0x00007FF640DA6000-memory.dmp	xmrig
behavioral2/memory/3756-143-0x00007FF7B2ED0000-0x00007FF7B32C6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023445-141.dat	xmrig
behavioral2/memory/2572-140-0x00007FF6C0F30000-0x00007FF6C1326000-memory.dmp	xmrig
behavioral2/memory/1452-138-0x00007FF7B21E0000-0x00007FF7B25D6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023444-107.dat	xmrig
behavioral2/files/0x000700000002343f-105.dat	xmrig
behavioral2/memory/2060-104-0x00007FF63EE70000-0x00007FF63F266000-memory.dmp	xmrig
behavioral2/files/0x0007000000023442-100.dat	xmrig
behavioral2/files/0x0007000000023441-98.dat	xmrig
behavioral2/files/0x0007000000023440-96.dat	xmrig
behavioral2/files/0x000700000002343e-94.dat	xmrig
behavioral2/files/0x000700000002343a-63.dat	xmrig
behavioral2/files/0x0007000000023439-59.dat	xmrig
behavioral2/files/0x0007000000023434-50.dat	xmrig
behavioral2/files/0x0007000000023436-47.dat	xmrig
behavioral2/files/0x0007000000023438-45.dat	xmrig
behavioral2/files/0x0007000000023432-38.dat	xmrig
behavioral2/files/0x0007000000023435-32.dat	xmrig
behavioral2/memory/4916-27-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	xmrig
behavioral2/memory/3584-13-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	xmrig
behavioral2/files/0x000700000002344b-383.dat	xmrig
behavioral2/files/0x000700000002349d-389.dat	xmrig
behavioral2/files/0x00070000000234a2-395.dat	xmrig
behavioral2/files/0x00070000000234a6-405.dat	xmrig
behavioral2/files/0x00070000000234a3-406.dat	xmrig
behavioral2/files/0x00070000000234a7-414.dat	xmrig
behavioral2/memory/3584-2140-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	xmrig
behavioral2/memory/4916-2141-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	xmrig
behavioral2/memory/1908-2144-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp	xmrig
behavioral2/memory/3584-2145-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	xmrig
behavioral2/memory/3316-2151-0x00007FF79C370000-0x00007FF79C766000-memory.dmp	xmrig
behavioral2/memory/4916-2150-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	xmrig
behavioral2/memory/2520-2149-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp	xmrig

Blocklisted process makes network request 7 IoCs

flow	pid	Process
9	3980	powershell.exe
11	3980	powershell.exe
13	3980	powershell.exe
14	3980	powershell.exe
16	3980	powershell.exe
17	3980	powershell.exe
18	3980	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3980	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3584	aCkbrOg.exe
4916	LNEnrfE.exe
1908	NOPATWP.exe
2060	RKfXkhE.exe
3316	wbuoubM.exe
4780	nxifSJg.exe
2520	urqCtTJ.exe
1452	RdANJnX.exe
2572	fReAUhl.exe
3756	cyqvlzJ.exe
4960	dfkDzqP.exe
3796	ZVJkPqA.exe
452	gSxeHbq.exe
2284	fbYblGX.exe
4988	tnsEtkT.exe
3964	bbsfxuq.exe
400	kfrFXBB.exe
1852	MjwXxUo.exe
4568	GnGDhkX.exe
3152	FtnDWgn.exe
4972	gVNtVGC.exe
408	sluuXWH.exe
4492	FCfOJYA.exe
2196	HUZYoCT.exe
4832	pOasppt.exe
976	ZoAQMme.exe
3000	fhDfchT.exe
1628	TXGBbbp.exe
1236	UPJBgwH.exe
224	OGVPWcn.exe
4556	BpvYWwR.exe
5000	AgrlDcz.exe
4376	XWyTxKw.exe
2392	POvrucS.exe
2744	yPaDRWP.exe
2804	Auryrya.exe
5076	QKGVJEN.exe
920	zCGnNka.exe
4328	tJNVfIX.exe
1140	KguYmpG.exe
1588	NqMLYrf.exe
4552	iQkzWob.exe
3504	WBIsMRt.exe
4632	DwBXJZA.exe
3620	sZAfmuZ.exe
4984	mxFGgnU.exe
1656	ccnDQFC.exe
2288	bEieCBN.exe
1316	VDPPeMb.exe
4084	DOMbUdu.exe
1440	ubyAtQX.exe
4056	LfeSiMg.exe
2772	cSkgzeD.exe
3156	EabhBMP.exe
3248	BxSMRUT.exe
2128	DslWTHD.exe
4876	RqytRcN.exe
456	aDIdXpS.exe
4020	cgKYnKo.exe
5088	nmoSOCX.exe
756	UbdAIqh.exe
4692	YBedSbp.exe
3836	MaKKgIB.exe
1836	fVAhoxI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1696-0-0x00007FF721780000-0x00007FF721B76000-memory.dmp	upx
behavioral2/files/0x0007000000023433-7.dat	upx
behavioral2/files/0x000900000002342e-5.dat	upx
behavioral2/files/0x0007000000023437-35.dat	upx
behavioral2/files/0x000700000002343b-56.dat	upx
behavioral2/files/0x000700000002343d-68.dat	upx
behavioral2/files/0x000700000002343c-82.dat	upx
behavioral2/files/0x0007000000023443-102.dat	upx
behavioral2/memory/3316-119-0x00007FF79C370000-0x00007FF79C766000-memory.dmp	upx
behavioral2/memory/2520-122-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp	upx
behavioral2/files/0x000700000002344a-139.dat	upx
behavioral2/memory/3964-158-0x00007FF619B20000-0x00007FF619F16000-memory.dmp	upx
behavioral2/memory/3152-162-0x00007FF75DE80000-0x00007FF75E276000-memory.dmp	upx
behavioral2/memory/4988-167-0x00007FF7FBD30000-0x00007FF7FC126000-memory.dmp	upx
behavioral2/memory/408-169-0x00007FF73A2F0000-0x00007FF73A6E6000-memory.dmp	upx
behavioral2/memory/4972-168-0x00007FF7992A0000-0x00007FF799696000-memory.dmp	upx
behavioral2/memory/4780-166-0x00007FF755F10000-0x00007FF756306000-memory.dmp	upx
behavioral2/memory/1908-165-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp	upx
behavioral2/memory/2196-164-0x00007FF7B1F50000-0x00007FF7B2346000-memory.dmp	upx
behavioral2/memory/4492-163-0x00007FF7F5690000-0x00007FF7F5A86000-memory.dmp	upx
behavioral2/memory/4568-161-0x00007FF7A7750000-0x00007FF7A7B46000-memory.dmp	upx
behavioral2/memory/1852-160-0x00007FF77E0F0000-0x00007FF77E4E6000-memory.dmp	upx
behavioral2/memory/400-159-0x00007FF7CD8C0000-0x00007FF7CDCB6000-memory.dmp	upx
behavioral2/memory/2284-157-0x00007FF694C40000-0x00007FF695036000-memory.dmp	upx
behavioral2/memory/452-156-0x00007FF65EB90000-0x00007FF65EF86000-memory.dmp	upx
behavioral2/memory/3796-155-0x00007FF65E810000-0x00007FF65EC06000-memory.dmp	upx
behavioral2/files/0x0007000000023449-151.dat	upx
behavioral2/files/0x0008000000023447-149.dat	upx
behavioral2/files/0x000900000002342f-147.dat	upx
behavioral2/files/0x0007000000023448-145.dat	upx
behavioral2/memory/4960-144-0x00007FF6409B0000-0x00007FF640DA6000-memory.dmp	upx
behavioral2/memory/3756-143-0x00007FF7B2ED0000-0x00007FF7B32C6000-memory.dmp	upx
behavioral2/files/0x0007000000023445-141.dat	upx
behavioral2/memory/2572-140-0x00007FF6C0F30000-0x00007FF6C1326000-memory.dmp	upx
behavioral2/memory/1452-138-0x00007FF7B21E0000-0x00007FF7B25D6000-memory.dmp	upx
behavioral2/files/0x0007000000023444-107.dat	upx
behavioral2/files/0x000700000002343f-105.dat	upx
behavioral2/memory/2060-104-0x00007FF63EE70000-0x00007FF63F266000-memory.dmp	upx
behavioral2/files/0x0007000000023442-100.dat	upx
behavioral2/files/0x0007000000023441-98.dat	upx
behavioral2/files/0x0007000000023440-96.dat	upx
behavioral2/files/0x000700000002343e-94.dat	upx
behavioral2/files/0x000700000002343a-63.dat	upx
behavioral2/files/0x0007000000023439-59.dat	upx
behavioral2/files/0x0007000000023434-50.dat	upx
behavioral2/files/0x0007000000023436-47.dat	upx
behavioral2/files/0x0007000000023438-45.dat	upx
behavioral2/files/0x0007000000023432-38.dat	upx
behavioral2/files/0x0007000000023435-32.dat	upx
behavioral2/memory/4916-27-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	upx
behavioral2/memory/3584-13-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	upx
behavioral2/files/0x000700000002344b-383.dat	upx
behavioral2/files/0x000700000002349d-389.dat	upx
behavioral2/files/0x00070000000234a2-395.dat	upx
behavioral2/files/0x00070000000234a6-405.dat	upx
behavioral2/files/0x00070000000234a3-406.dat	upx
behavioral2/files/0x00070000000234a7-414.dat	upx
behavioral2/memory/3584-2140-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	upx
behavioral2/memory/4916-2141-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	upx
behavioral2/memory/1908-2144-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp	upx
behavioral2/memory/3584-2145-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp	upx
behavioral2/memory/3316-2151-0x00007FF79C370000-0x00007FF79C766000-memory.dmp	upx
behavioral2/memory/4916-2150-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp	upx
behavioral2/memory/2520-2149-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\ABXfgGX.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\oHBRoDv.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\yKPibNE.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\RsSfhVo.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\kRPbpIw.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\buRGzkB.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\YYwZMiH.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\GTxqTUb.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\aVLDdpr.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\NQICgpW.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\kTgjhXP.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\yiLwrAv.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\HladlbF.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\KzREsVg.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\HpXbNce.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\JoZNLtm.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\aKAsSOz.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\KnVtnXO.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\MZpGWiy.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\kTSeAiX.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\yVbAnJu.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\JWqDAQX.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\fJEoJFx.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\EkDINcN.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\WSqbwYE.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\IJBLRjS.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\UJFsrTx.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\ByhwQFZ.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\pFAzHNN.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\hohDLDg.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\OhJJQNY.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\NpdfxjE.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\JMmQkJy.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\dJcokme.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\lPAYVPi.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\tvlGQHA.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\MTxMlxU.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\dLOXgro.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\OmjOWir.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\BBCbciM.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\BAHqFry.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\qCnzjER.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\EccfWox.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\lyhWkGz.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\zncOwHb.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\vWGamKH.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\qkiZmYM.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\BzPqOVm.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\ngwsiYy.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\NSBcJiK.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\BdyvJmz.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\drWUXWv.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\PIuXScf.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\KLfhilX.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\RwZwfRm.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\PKsFGUW.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\wvAApln.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\gDuOMkK.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\HLTnoaV.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\JGIqcxX.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\uONcGZq.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\RijENWt.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\DmqeJeH.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
File created	C:\Windows\System\fuEBtpO.exe	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3980	powershell.exe
3980	powershell.exe
3980	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
Token: SeLockMemoryPrivilege	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeCreateGlobalPrivilege	11672	dwm.exe
Token: SeChangeNotifyPrivilege	11672	dwm.exe
Token: 33	11672	dwm.exe
Token: SeIncBasePriorityPrivilege	11672	dwm.exe
Token: SeShutdownPrivilege	11672	dwm.exe
Token: SeCreatePagefilePrivilege	11672	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 3980	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	83
PID 1696 wrote to memory of 3980	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	83
PID 1696 wrote to memory of 3584	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	84
PID 1696 wrote to memory of 3584	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	84
PID 1696 wrote to memory of 4916	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	85
PID 1696 wrote to memory of 4916	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	85
PID 1696 wrote to memory of 1908	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	86
PID 1696 wrote to memory of 1908	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	86
PID 1696 wrote to memory of 2060	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	87
PID 1696 wrote to memory of 2060	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	87
PID 1696 wrote to memory of 3316	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	88
PID 1696 wrote to memory of 3316	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	88
PID 1696 wrote to memory of 4780	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	89
PID 1696 wrote to memory of 4780	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	89
PID 1696 wrote to memory of 2520	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	90
PID 1696 wrote to memory of 2520	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	90
PID 1696 wrote to memory of 1452	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	91
PID 1696 wrote to memory of 1452	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	91
PID 1696 wrote to memory of 2572	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	92
PID 1696 wrote to memory of 2572	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	92
PID 1696 wrote to memory of 3756	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	93
PID 1696 wrote to memory of 3756	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	93
PID 1696 wrote to memory of 4960	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	94
PID 1696 wrote to memory of 4960	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	94
PID 1696 wrote to memory of 3796	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	95
PID 1696 wrote to memory of 3796	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	95
PID 1696 wrote to memory of 452	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	96
PID 1696 wrote to memory of 452	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	96
PID 1696 wrote to memory of 2284	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	97
PID 1696 wrote to memory of 2284	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	97
PID 1696 wrote to memory of 4568	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	98
PID 1696 wrote to memory of 4568	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	98
PID 1696 wrote to memory of 4988	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	99
PID 1696 wrote to memory of 4988	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	99
PID 1696 wrote to memory of 3964	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	100
PID 1696 wrote to memory of 3964	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	100
PID 1696 wrote to memory of 400	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	101
PID 1696 wrote to memory of 400	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	101
PID 1696 wrote to memory of 1852	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	102
PID 1696 wrote to memory of 1852	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	102
PID 1696 wrote to memory of 3152	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	103
PID 1696 wrote to memory of 3152	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	103
PID 1696 wrote to memory of 4972	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	104
PID 1696 wrote to memory of 4972	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	104
PID 1696 wrote to memory of 408	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	105
PID 1696 wrote to memory of 408	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	105
PID 1696 wrote to memory of 4492	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	106
PID 1696 wrote to memory of 4492	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	106
PID 1696 wrote to memory of 2196	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	107
PID 1696 wrote to memory of 2196	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	107
PID 1696 wrote to memory of 4832	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	108
PID 1696 wrote to memory of 4832	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	108
PID 1696 wrote to memory of 976	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	109
PID 1696 wrote to memory of 976	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	109
PID 1696 wrote to memory of 3000	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	110
PID 1696 wrote to memory of 3000	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	110
PID 1696 wrote to memory of 1628	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	111
PID 1696 wrote to memory of 1628	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	111
PID 1696 wrote to memory of 1236	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	112
PID 1696 wrote to memory of 1236	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	112
PID 1696 wrote to memory of 224	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	113
PID 1696 wrote to memory of 224	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	113
PID 1696 wrote to memory of 4556	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	114
PID 1696 wrote to memory of 4556	1696	2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe	114

C:\Users\Admin\AppData\Local\Temp\2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe
"C:\Users\Admin\AppData\Local\Temp\2579a9ccecddaa24caab396acd79808249b01418650698fa9cd49655b886bafc.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\System\aCkbrOg.exe
  C:\Windows\System\aCkbrOg.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\LNEnrfE.exe
  C:\Windows\System\LNEnrfE.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\NOPATWP.exe
  C:\Windows\System\NOPATWP.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\RKfXkhE.exe
  C:\Windows\System\RKfXkhE.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\wbuoubM.exe
  C:\Windows\System\wbuoubM.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\nxifSJg.exe
  C:\Windows\System\nxifSJg.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\urqCtTJ.exe
  C:\Windows\System\urqCtTJ.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\RdANJnX.exe
  C:\Windows\System\RdANJnX.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\fReAUhl.exe
  C:\Windows\System\fReAUhl.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\cyqvlzJ.exe
  C:\Windows\System\cyqvlzJ.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\dfkDzqP.exe
  C:\Windows\System\dfkDzqP.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\ZVJkPqA.exe
  C:\Windows\System\ZVJkPqA.exe
  2⤵
  - Executes dropped EXE
  PID:3796
- C:\Windows\System\gSxeHbq.exe
  C:\Windows\System\gSxeHbq.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\fbYblGX.exe
  C:\Windows\System\fbYblGX.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\GnGDhkX.exe
  C:\Windows\System\GnGDhkX.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\tnsEtkT.exe
  C:\Windows\System\tnsEtkT.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\bbsfxuq.exe
  C:\Windows\System\bbsfxuq.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\kfrFXBB.exe
  C:\Windows\System\kfrFXBB.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\MjwXxUo.exe
  C:\Windows\System\MjwXxUo.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\FtnDWgn.exe
  C:\Windows\System\FtnDWgn.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\gVNtVGC.exe
  C:\Windows\System\gVNtVGC.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\sluuXWH.exe
  C:\Windows\System\sluuXWH.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\FCfOJYA.exe
  C:\Windows\System\FCfOJYA.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\HUZYoCT.exe
  C:\Windows\System\HUZYoCT.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\pOasppt.exe
  C:\Windows\System\pOasppt.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\ZoAQMme.exe
  C:\Windows\System\ZoAQMme.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\fhDfchT.exe
  C:\Windows\System\fhDfchT.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\TXGBbbp.exe
  C:\Windows\System\TXGBbbp.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\UPJBgwH.exe
  C:\Windows\System\UPJBgwH.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\OGVPWcn.exe
  C:\Windows\System\OGVPWcn.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\BpvYWwR.exe
  C:\Windows\System\BpvYWwR.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\AgrlDcz.exe
  C:\Windows\System\AgrlDcz.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\XWyTxKw.exe
  C:\Windows\System\XWyTxKw.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\POvrucS.exe
  C:\Windows\System\POvrucS.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\yPaDRWP.exe
  C:\Windows\System\yPaDRWP.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\Auryrya.exe
  C:\Windows\System\Auryrya.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\QKGVJEN.exe
  C:\Windows\System\QKGVJEN.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\zCGnNka.exe
  C:\Windows\System\zCGnNka.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\tJNVfIX.exe
  C:\Windows\System\tJNVfIX.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\KguYmpG.exe
  C:\Windows\System\KguYmpG.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\NqMLYrf.exe
  C:\Windows\System\NqMLYrf.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\iQkzWob.exe
  C:\Windows\System\iQkzWob.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\WBIsMRt.exe
  C:\Windows\System\WBIsMRt.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\DwBXJZA.exe
  C:\Windows\System\DwBXJZA.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\sZAfmuZ.exe
  C:\Windows\System\sZAfmuZ.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\mxFGgnU.exe
  C:\Windows\System\mxFGgnU.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\ccnDQFC.exe
  C:\Windows\System\ccnDQFC.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\bEieCBN.exe
  C:\Windows\System\bEieCBN.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\VDPPeMb.exe
  C:\Windows\System\VDPPeMb.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\DOMbUdu.exe
  C:\Windows\System\DOMbUdu.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\ubyAtQX.exe
  C:\Windows\System\ubyAtQX.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\LfeSiMg.exe
  C:\Windows\System\LfeSiMg.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\cSkgzeD.exe
  C:\Windows\System\cSkgzeD.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\EabhBMP.exe
  C:\Windows\System\EabhBMP.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\BxSMRUT.exe
  C:\Windows\System\BxSMRUT.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\DslWTHD.exe
  C:\Windows\System\DslWTHD.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\RqytRcN.exe
  C:\Windows\System\RqytRcN.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\aDIdXpS.exe
  C:\Windows\System\aDIdXpS.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\cgKYnKo.exe
  C:\Windows\System\cgKYnKo.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\nmoSOCX.exe
  C:\Windows\System\nmoSOCX.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\UbdAIqh.exe
  C:\Windows\System\UbdAIqh.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\YBedSbp.exe
  C:\Windows\System\YBedSbp.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\MaKKgIB.exe
  C:\Windows\System\MaKKgIB.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System\fVAhoxI.exe
  C:\Windows\System\fVAhoxI.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\XwbeXUt.exe
  C:\Windows\System\XwbeXUt.exe
  2⤵
  PID:1564
- C:\Windows\System\DLToWMq.exe
  C:\Windows\System\DLToWMq.exe
  2⤵
  PID:1928
- C:\Windows\System\uqJfSxA.exe
  C:\Windows\System\uqJfSxA.exe
  2⤵
  PID:4620
- C:\Windows\System\fQkUdtN.exe
  C:\Windows\System\fQkUdtN.exe
  2⤵
  PID:3784
- C:\Windows\System\qZBvDpm.exe
  C:\Windows\System\qZBvDpm.exe
  2⤵
  PID:4028
- C:\Windows\System\ydNivVh.exe
  C:\Windows\System\ydNivVh.exe
  2⤵
  PID:2008
- C:\Windows\System\zgLpIua.exe
  C:\Windows\System\zgLpIua.exe
  2⤵
  PID:612
- C:\Windows\System\ZSkDWUT.exe
  C:\Windows\System\ZSkDWUT.exe
  2⤵
  PID:4828
- C:\Windows\System\nPfXgcb.exe
  C:\Windows\System\nPfXgcb.exe
  2⤵
  PID:5080
- C:\Windows\System\lhLKkee.exe
  C:\Windows\System\lhLKkee.exe
  2⤵
  PID:5040
- C:\Windows\System\RbVYrHj.exe
  C:\Windows\System\RbVYrHj.exe
  2⤵
  PID:4076
- C:\Windows\System\PdZpSDU.exe
  C:\Windows\System\PdZpSDU.exe
  2⤵
  PID:2944
- C:\Windows\System\AoHaEJK.exe
  C:\Windows\System\AoHaEJK.exe
  2⤵
  PID:1796
- C:\Windows\System\AtngLyI.exe
  C:\Windows\System\AtngLyI.exe
  2⤵
  PID:3208
- C:\Windows\System\QVevTSv.exe
  C:\Windows\System\QVevTSv.exe
  2⤵
  PID:1364
- C:\Windows\System\tqKzoAR.exe
  C:\Windows\System\tqKzoAR.exe
  2⤵
  PID:3904
- C:\Windows\System\YphDZeI.exe
  C:\Windows\System\YphDZeI.exe
  2⤵
  PID:2712
- C:\Windows\System\AnEkMSq.exe
  C:\Windows\System\AnEkMSq.exe
  2⤵
  PID:2308
- C:\Windows\System\JvCVzhl.exe
  C:\Windows\System\JvCVzhl.exe
  2⤵
  PID:2604
- C:\Windows\System\ucfWOkA.exe
  C:\Windows\System\ucfWOkA.exe
  2⤵
  PID:4820
- C:\Windows\System\JklRWLK.exe
  C:\Windows\System\JklRWLK.exe
  2⤵
  PID:2908
- C:\Windows\System\ewOBFJa.exe
  C:\Windows\System\ewOBFJa.exe
  2⤵
  PID:936
- C:\Windows\System\kTWFGyo.exe
  C:\Windows\System\kTWFGyo.exe
  2⤵
  PID:5136
- C:\Windows\System\HyXuKnB.exe
  C:\Windows\System\HyXuKnB.exe
  2⤵
  PID:5156
- C:\Windows\System\SRZQXjy.exe
  C:\Windows\System\SRZQXjy.exe
  2⤵
  PID:5184
- C:\Windows\System\fKUHxDu.exe
  C:\Windows\System\fKUHxDu.exe
  2⤵
  PID:5200
- C:\Windows\System\BRvHibb.exe
  C:\Windows\System\BRvHibb.exe
  2⤵
  PID:5216
- C:\Windows\System\XNYHBLw.exe
  C:\Windows\System\XNYHBLw.exe
  2⤵
  PID:5264
- C:\Windows\System\duEvWmW.exe
  C:\Windows\System\duEvWmW.exe
  2⤵
  PID:5304
- C:\Windows\System\zdDtJzf.exe
  C:\Windows\System\zdDtJzf.exe
  2⤵
  PID:5324
- C:\Windows\System\LadEhYv.exe
  C:\Windows\System\LadEhYv.exe
  2⤵
  PID:5352
- C:\Windows\System\YDlBTwC.exe
  C:\Windows\System\YDlBTwC.exe
  2⤵
  PID:5392
- C:\Windows\System\mNhcUKD.exe
  C:\Windows\System\mNhcUKD.exe
  2⤵
  PID:5412
- C:\Windows\System\uChKeQE.exe
  C:\Windows\System\uChKeQE.exe
  2⤵
  PID:5448
- C:\Windows\System\CNaYkIT.exe
  C:\Windows\System\CNaYkIT.exe
  2⤵
  PID:5472
- C:\Windows\System\ZwthbRN.exe
  C:\Windows\System\ZwthbRN.exe
  2⤵
  PID:5516
- C:\Windows\System\PFtxsvb.exe
  C:\Windows\System\PFtxsvb.exe
  2⤵
  PID:5556
- C:\Windows\System\kuFkpKB.exe
  C:\Windows\System\kuFkpKB.exe
  2⤵
  PID:5592
- C:\Windows\System\bsErIbA.exe
  C:\Windows\System\bsErIbA.exe
  2⤵
  PID:5624
- C:\Windows\System\FapSogk.exe
  C:\Windows\System\FapSogk.exe
  2⤵
  PID:5652
- C:\Windows\System\tHfaRyF.exe
  C:\Windows\System\tHfaRyF.exe
  2⤵
  PID:5668
- C:\Windows\System\UjZzXMQ.exe
  C:\Windows\System\UjZzXMQ.exe
  2⤵
  PID:5692
- C:\Windows\System\rlxBaDO.exe
  C:\Windows\System\rlxBaDO.exe
  2⤵
  PID:5716
- C:\Windows\System\KoLEmhY.exe
  C:\Windows\System\KoLEmhY.exe
  2⤵
  PID:5744
- C:\Windows\System\LUXLzAg.exe
  C:\Windows\System\LUXLzAg.exe
  2⤵
  PID:5784
- C:\Windows\System\mKfXOvO.exe
  C:\Windows\System\mKfXOvO.exe
  2⤵
  PID:5824
- C:\Windows\System\FzUYZBA.exe
  C:\Windows\System\FzUYZBA.exe
  2⤵
  PID:5860
- C:\Windows\System\onnmofn.exe
  C:\Windows\System\onnmofn.exe
  2⤵
  PID:5880
- C:\Windows\System\UCEECyc.exe
  C:\Windows\System\UCEECyc.exe
  2⤵
  PID:5908
- C:\Windows\System\SEzhlhG.exe
  C:\Windows\System\SEzhlhG.exe
  2⤵
  PID:5936
- C:\Windows\System\ZFievgL.exe
  C:\Windows\System\ZFievgL.exe
  2⤵
  PID:5964
- C:\Windows\System\ZLXDVrO.exe
  C:\Windows\System\ZLXDVrO.exe
  2⤵
  PID:5988
- C:\Windows\System\ztMBKMT.exe
  C:\Windows\System\ztMBKMT.exe
  2⤵
  PID:6024
- C:\Windows\System\KCYZycw.exe
  C:\Windows\System\KCYZycw.exe
  2⤵
  PID:6048
- C:\Windows\System\nlQvDbm.exe
  C:\Windows\System\nlQvDbm.exe
  2⤵
  PID:6080
- C:\Windows\System\HRVSGPY.exe
  C:\Windows\System\HRVSGPY.exe
  2⤵
  PID:6112
- C:\Windows\System\KMglhmy.exe
  C:\Windows\System\KMglhmy.exe
  2⤵
  PID:1600
- C:\Windows\System\WRMJfjn.exe
  C:\Windows\System\WRMJfjn.exe
  2⤵
  PID:5192
- C:\Windows\System\fMmhrht.exe
  C:\Windows\System\fMmhrht.exe
  2⤵
  PID:5252
- C:\Windows\System\DWdTUKq.exe
  C:\Windows\System\DWdTUKq.exe
  2⤵
  PID:5316
- C:\Windows\System\zROGCka.exe
  C:\Windows\System\zROGCka.exe
  2⤵
  PID:5404
- C:\Windows\System\dKzbqOt.exe
  C:\Windows\System\dKzbqOt.exe
  2⤵
  PID:5460
- C:\Windows\System\lBQUuyZ.exe
  C:\Windows\System\lBQUuyZ.exe
  2⤵
  PID:5524
- C:\Windows\System\opSWydf.exe
  C:\Windows\System\opSWydf.exe
  2⤵
  PID:5616
- C:\Windows\System\ENUxliN.exe
  C:\Windows\System\ENUxliN.exe
  2⤵
  PID:5660
- C:\Windows\System\UijNybf.exe
  C:\Windows\System\UijNybf.exe
  2⤵
  PID:5728
- C:\Windows\System\uGHKeSX.exe
  C:\Windows\System\uGHKeSX.exe
  2⤵
  PID:5816
- C:\Windows\System\FbeBtxK.exe
  C:\Windows\System\FbeBtxK.exe
  2⤵
  PID:5868
- C:\Windows\System\XgUzxoZ.exe
  C:\Windows\System\XgUzxoZ.exe
  2⤵
  PID:5948
- C:\Windows\System\BqukPxu.exe
  C:\Windows\System\BqukPxu.exe
  2⤵
  PID:6036
- C:\Windows\System\FGJeCJK.exe
  C:\Windows\System\FGJeCJK.exe
  2⤵
  PID:6100
- C:\Windows\System\TuAfQOc.exe
  C:\Windows\System\TuAfQOc.exe
  2⤵
  PID:5176
- C:\Windows\System\THNhXDl.exe
  C:\Windows\System\THNhXDl.exe
  2⤵
  PID:5424
- C:\Windows\System\rzIzXTU.exe
  C:\Windows\System\rzIzXTU.exe
  2⤵
  PID:5712
- C:\Windows\System\UjyiYWZ.exe
  C:\Windows\System\UjyiYWZ.exe
  2⤵
  PID:4672
- C:\Windows\System\uEaoBvY.exe
  C:\Windows\System\uEaoBvY.exe
  2⤵
  PID:6032
- C:\Windows\System\uWAMCpg.exe
  C:\Windows\System\uWAMCpg.exe
  2⤵
  PID:5384
- C:\Windows\System\dacNSmi.exe
  C:\Windows\System\dacNSmi.exe
  2⤵
  PID:5972
- C:\Windows\System\Plwuwcj.exe
  C:\Windows\System\Plwuwcj.exe
  2⤵
  PID:5740
- C:\Windows\System\QFzbNyT.exe
  C:\Windows\System\QFzbNyT.exe
  2⤵
  PID:6164
- C:\Windows\System\hlHFAeS.exe
  C:\Windows\System\hlHFAeS.exe
  2⤵
  PID:6224
- C:\Windows\System\CnVEtWp.exe
  C:\Windows\System\CnVEtWp.exe
  2⤵
  PID:6252
- C:\Windows\System\TTgdypE.exe
  C:\Windows\System\TTgdypE.exe
  2⤵
  PID:6276
- C:\Windows\System\iGNFtYI.exe
  C:\Windows\System\iGNFtYI.exe
  2⤵
  PID:6316
- C:\Windows\System\OktXUKD.exe
  C:\Windows\System\OktXUKD.exe
  2⤵
  PID:6380
- C:\Windows\System\CBwiZro.exe
  C:\Windows\System\CBwiZro.exe
  2⤵
  PID:6412
- C:\Windows\System\jiXItBf.exe
  C:\Windows\System\jiXItBf.exe
  2⤵
  PID:6428
- C:\Windows\System\ihcQNDx.exe
  C:\Windows\System\ihcQNDx.exe
  2⤵
  PID:6476
- C:\Windows\System\HRhwoBX.exe
  C:\Windows\System\HRhwoBX.exe
  2⤵
  PID:6492
- C:\Windows\System\DAYTbKk.exe
  C:\Windows\System\DAYTbKk.exe
  2⤵
  PID:6532
- C:\Windows\System\RQTZJQp.exe
  C:\Windows\System\RQTZJQp.exe
  2⤵
  PID:6548
- C:\Windows\System\jEIHpmj.exe
  C:\Windows\System\jEIHpmj.exe
  2⤵
  PID:6580
- C:\Windows\System\HqfvdPG.exe
  C:\Windows\System\HqfvdPG.exe
  2⤵
  PID:6620
- C:\Windows\System\CuOfWCf.exe
  C:\Windows\System\CuOfWCf.exe
  2⤵
  PID:6656
- C:\Windows\System\CKALfUF.exe
  C:\Windows\System\CKALfUF.exe
  2⤵
  PID:6684
- C:\Windows\System\rXXTsuC.exe
  C:\Windows\System\rXXTsuC.exe
  2⤵
  PID:6700
- C:\Windows\System\mnHNSvV.exe
  C:\Windows\System\mnHNSvV.exe
  2⤵
  PID:6716
- C:\Windows\System\reSGLOP.exe
  C:\Windows\System\reSGLOP.exe
  2⤵
  PID:6764
- C:\Windows\System\ScdaEMM.exe
  C:\Windows\System\ScdaEMM.exe
  2⤵
  PID:6812
- C:\Windows\System\xRUHqXb.exe
  C:\Windows\System\xRUHqXb.exe
  2⤵
  PID:6844
- C:\Windows\System\NLnmQYc.exe
  C:\Windows\System\NLnmQYc.exe
  2⤵
  PID:6860
- C:\Windows\System\dpPzMpb.exe
  C:\Windows\System\dpPzMpb.exe
  2⤵
  PID:6892
- C:\Windows\System\JKJIvnA.exe
  C:\Windows\System\JKJIvnA.exe
  2⤵
  PID:6920
- C:\Windows\System\ztigKqk.exe
  C:\Windows\System\ztigKqk.exe
  2⤵
  PID:6940
- C:\Windows\System\RHgEydH.exe
  C:\Windows\System\RHgEydH.exe
  2⤵
  PID:6980
- C:\Windows\System\gSKVVTv.exe
  C:\Windows\System\gSKVVTv.exe
  2⤵
  PID:7020
- C:\Windows\System\faOUJbx.exe
  C:\Windows\System\faOUJbx.exe
  2⤵
  PID:7036
- C:\Windows\System\hyUTCCE.exe
  C:\Windows\System\hyUTCCE.exe
  2⤵
  PID:7072
- C:\Windows\System\sEyfdLx.exe
  C:\Windows\System\sEyfdLx.exe
  2⤵
  PID:7096
- C:\Windows\System\AdTfLDP.exe
  C:\Windows\System\AdTfLDP.exe
  2⤵
  PID:7120
- C:\Windows\System\qwPNJBq.exe
  C:\Windows\System\qwPNJBq.exe
  2⤵
  PID:7148
- C:\Windows\System\ABEDzei.exe
  C:\Windows\System\ABEDzei.exe
  2⤵
  PID:6240
- C:\Windows\System\QkbwIhI.exe
  C:\Windows\System\QkbwIhI.exe
  2⤵
  PID:6308
- C:\Windows\System\MCqvTsv.exe
  C:\Windows\System\MCqvTsv.exe
  2⤵
  PID:6424
- C:\Windows\System\bwNsLzd.exe
  C:\Windows\System\bwNsLzd.exe
  2⤵
  PID:6460
- C:\Windows\System\QxZXyht.exe
  C:\Windows\System\QxZXyht.exe
  2⤵
  PID:6516
- C:\Windows\System\lVQraox.exe
  C:\Windows\System\lVQraox.exe
  2⤵
  PID:6560
- C:\Windows\System\joHUWBA.exe
  C:\Windows\System\joHUWBA.exe
  2⤵
  PID:6640
- C:\Windows\System\HLQJMNR.exe
  C:\Windows\System\HLQJMNR.exe
  2⤵
  PID:6736
- C:\Windows\System\JNdLROf.exe
  C:\Windows\System\JNdLROf.exe
  2⤵
  PID:6820
- C:\Windows\System\LMzcPkv.exe
  C:\Windows\System\LMzcPkv.exe
  2⤵
  PID:6880
- C:\Windows\System\czcpaLh.exe
  C:\Windows\System\czcpaLh.exe
  2⤵
  PID:6988
- C:\Windows\System\oLtzkrz.exe
  C:\Windows\System\oLtzkrz.exe
  2⤵
  PID:7028
- C:\Windows\System\fdvrSFp.exe
  C:\Windows\System\fdvrSFp.exe
  2⤵
  PID:7088
- C:\Windows\System\RDDAZwV.exe
  C:\Windows\System\RDDAZwV.exe
  2⤵
  PID:6264
- C:\Windows\System\YWtAddd.exe
  C:\Windows\System\YWtAddd.exe
  2⤵
  PID:3752
- C:\Windows\System\mGoQHgB.exe
  C:\Windows\System\mGoQHgB.exe
  2⤵
  PID:6524
- C:\Windows\System\gdoUZcM.exe
  C:\Windows\System\gdoUZcM.exe
  2⤵
  PID:6672
- C:\Windows\System\ScSTyIR.exe
  C:\Windows\System\ScSTyIR.exe
  2⤵
  PID:6840
- C:\Windows\System\FoGwPcQ.exe
  C:\Windows\System\FoGwPcQ.exe
  2⤵
  PID:7056
- C:\Windows\System\luQHCGH.exe
  C:\Windows\System\luQHCGH.exe
  2⤵
  PID:6304
- C:\Windows\System\RxaELCq.exe
  C:\Windows\System\RxaELCq.exe
  2⤵
  PID:6596
- C:\Windows\System\SDKVreq.exe
  C:\Windows\System\SDKVreq.exe
  2⤵
  PID:6796
- C:\Windows\System\ZKgNZle.exe
  C:\Windows\System\ZKgNZle.exe
  2⤵
  PID:7000
- C:\Windows\System\jnxXeRG.exe
  C:\Windows\System\jnxXeRG.exe
  2⤵
  PID:6908
- C:\Windows\System\Unjpqzj.exe
  C:\Windows\System\Unjpqzj.exe
  2⤵
  PID:7200
- C:\Windows\System\AtprRKa.exe
  C:\Windows\System\AtprRKa.exe
  2⤵
  PID:7236
- C:\Windows\System\FKJNnuU.exe
  C:\Windows\System\FKJNnuU.exe
  2⤵
  PID:7256
- C:\Windows\System\RgeRRKx.exe
  C:\Windows\System\RgeRRKx.exe
  2⤵
  PID:7284
- C:\Windows\System\CtBXasj.exe
  C:\Windows\System\CtBXasj.exe
  2⤵
  PID:7312
- C:\Windows\System\HAkrQYA.exe
  C:\Windows\System\HAkrQYA.exe
  2⤵
  PID:7340
- C:\Windows\System\jkvERWz.exe
  C:\Windows\System\jkvERWz.exe
  2⤵
  PID:7380
- C:\Windows\System\qQHtwGn.exe
  C:\Windows\System\qQHtwGn.exe
  2⤵
  PID:7400
- C:\Windows\System\psDhKOs.exe
  C:\Windows\System\psDhKOs.exe
  2⤵
  PID:7428
- C:\Windows\System\XHibWaU.exe
  C:\Windows\System\XHibWaU.exe
  2⤵
  PID:7456
- C:\Windows\System\nomabwR.exe
  C:\Windows\System\nomabwR.exe
  2⤵
  PID:7492
- C:\Windows\System\tfZWFLh.exe
  C:\Windows\System\tfZWFLh.exe
  2⤵
  PID:7512
- C:\Windows\System\ItECCNs.exe
  C:\Windows\System\ItECCNs.exe
  2⤵
  PID:7540
- C:\Windows\System\NgIBGnl.exe
  C:\Windows\System\NgIBGnl.exe
  2⤵
  PID:7568
- C:\Windows\System\WEQXUBi.exe
  C:\Windows\System\WEQXUBi.exe
  2⤵
  PID:7596
- C:\Windows\System\nMdVfPe.exe
  C:\Windows\System\nMdVfPe.exe
  2⤵
  PID:7624
- C:\Windows\System\oTCbgQq.exe
  C:\Windows\System\oTCbgQq.exe
  2⤵
  PID:7656
- C:\Windows\System\lgkOEvz.exe
  C:\Windows\System\lgkOEvz.exe
  2⤵
  PID:7680
- C:\Windows\System\OCPIRCb.exe
  C:\Windows\System\OCPIRCb.exe
  2⤵
  PID:7712
- C:\Windows\System\MAunYmI.exe
  C:\Windows\System\MAunYmI.exe
  2⤵
  PID:7756
- C:\Windows\System\HBJjvih.exe
  C:\Windows\System\HBJjvih.exe
  2⤵
  PID:7780
- C:\Windows\System\luqNcaI.exe
  C:\Windows\System\luqNcaI.exe
  2⤵
  PID:7816
- C:\Windows\System\ZYLbfZL.exe
  C:\Windows\System\ZYLbfZL.exe
  2⤵
  PID:7840
- C:\Windows\System\xEgZbdj.exe
  C:\Windows\System\xEgZbdj.exe
  2⤵
  PID:7868
- C:\Windows\System\kDZexeE.exe
  C:\Windows\System\kDZexeE.exe
  2⤵
  PID:7896
- C:\Windows\System\SPCkaTG.exe
  C:\Windows\System\SPCkaTG.exe
  2⤵
  PID:7932
- C:\Windows\System\XSiwQSo.exe
  C:\Windows\System\XSiwQSo.exe
  2⤵
  PID:7972
- C:\Windows\System\EKgVhbr.exe
  C:\Windows\System\EKgVhbr.exe
  2⤵
  PID:8020
- C:\Windows\System\nUBYcpl.exe
  C:\Windows\System\nUBYcpl.exe
  2⤵
  PID:8048
- C:\Windows\System\NGNIRHC.exe
  C:\Windows\System\NGNIRHC.exe
  2⤵
  PID:8084
- C:\Windows\System\zKOOeHy.exe
  C:\Windows\System\zKOOeHy.exe
  2⤵
  PID:8112
- C:\Windows\System\gigIJuk.exe
  C:\Windows\System\gigIJuk.exe
  2⤵
  PID:8136
- C:\Windows\System\bczIkqm.exe
  C:\Windows\System\bczIkqm.exe
  2⤵
  PID:8168
- C:\Windows\System\GsqBFwY.exe
  C:\Windows\System\GsqBFwY.exe
  2⤵
  PID:7140
- C:\Windows\System\bhuvzDk.exe
  C:\Windows\System\bhuvzDk.exe
  2⤵
  PID:7220
- C:\Windows\System\KvCXwpt.exe
  C:\Windows\System\KvCXwpt.exe
  2⤵
  PID:7280
- C:\Windows\System\deJVQyr.exe
  C:\Windows\System\deJVQyr.exe
  2⤵
  PID:7364
- C:\Windows\System\FYYcHkY.exe
  C:\Windows\System\FYYcHkY.exe
  2⤵
  PID:7424
- C:\Windows\System\CGYGzvg.exe
  C:\Windows\System\CGYGzvg.exe
  2⤵
  PID:7500
- C:\Windows\System\XsTJgKH.exe
  C:\Windows\System\XsTJgKH.exe
  2⤵
  PID:7552
- C:\Windows\System\nMNxuzH.exe
  C:\Windows\System\nMNxuzH.exe
  2⤵
  PID:7616
- C:\Windows\System\kTgjhXP.exe
  C:\Windows\System\kTgjhXP.exe
  2⤵
  PID:7676
- C:\Windows\System\Mkxbhlu.exe
  C:\Windows\System\Mkxbhlu.exe
  2⤵
  PID:7764
- C:\Windows\System\EKMIqUY.exe
  C:\Windows\System\EKMIqUY.exe
  2⤵
  PID:7836
- C:\Windows\System\IhhGXfn.exe
  C:\Windows\System\IhhGXfn.exe
  2⤵
  PID:7892
- C:\Windows\System\FFDirnk.exe
  C:\Windows\System\FFDirnk.exe
  2⤵
  PID:8028
- C:\Windows\System\CJvnYto.exe
  C:\Windows\System\CJvnYto.exe
  2⤵
  PID:8076
- C:\Windows\System\PANKbko.exe
  C:\Windows\System\PANKbko.exe
  2⤵
  PID:8148
- C:\Windows\System\uGEZMqT.exe
  C:\Windows\System\uGEZMqT.exe
  2⤵
  PID:7196
- C:\Windows\System\tOsqgKX.exe
  C:\Windows\System\tOsqgKX.exe
  2⤵
  PID:7336
- C:\Windows\System\EtLPzFR.exe
  C:\Windows\System\EtLPzFR.exe
  2⤵
  PID:7508
- C:\Windows\System\pzgmOmf.exe
  C:\Windows\System\pzgmOmf.exe
  2⤵
  PID:7648
- C:\Windows\System\ARYuCBj.exe
  C:\Windows\System\ARYuCBj.exe
  2⤵
  PID:7824
- C:\Windows\System\GlHotZi.exe
  C:\Windows\System\GlHotZi.exe
  2⤵
  PID:8040
- C:\Windows\System\bUlULsN.exe
  C:\Windows\System\bUlULsN.exe
  2⤵
  PID:8188
- C:\Windows\System\sVekaep.exe
  C:\Windows\System\sVekaep.exe
  2⤵
  PID:7476
- C:\Windows\System\fxWzdlr.exe
  C:\Windows\System\fxWzdlr.exe
  2⤵
  PID:7792
- C:\Windows\System\ZUuIFfB.exe
  C:\Windows\System\ZUuIFfB.exe
  2⤵
  PID:7468
- C:\Windows\System\UywUpcA.exe
  C:\Windows\System\UywUpcA.exe
  2⤵
  PID:8104
- C:\Windows\System\ufNtXbl.exe
  C:\Windows\System\ufNtXbl.exe
  2⤵
  PID:8212
- C:\Windows\System\tNorAeG.exe
  C:\Windows\System\tNorAeG.exe
  2⤵
  PID:8240
- C:\Windows\System\siYPWWR.exe
  C:\Windows\System\siYPWWR.exe
  2⤵
  PID:8268
- C:\Windows\System\FIQtqCq.exe
  C:\Windows\System\FIQtqCq.exe
  2⤵
  PID:8296
- C:\Windows\System\jeXXRMe.exe
  C:\Windows\System\jeXXRMe.exe
  2⤵
  PID:8324
- C:\Windows\System\IwSrpCo.exe
  C:\Windows\System\IwSrpCo.exe
  2⤵
  PID:8352
- C:\Windows\System\BCSgSZM.exe
  C:\Windows\System\BCSgSZM.exe
  2⤵
  PID:8380
- C:\Windows\System\JBdwUQm.exe
  C:\Windows\System\JBdwUQm.exe
  2⤵
  PID:8412
- C:\Windows\System\lJmebSK.exe
  C:\Windows\System\lJmebSK.exe
  2⤵
  PID:8444
- C:\Windows\System\GohlRFC.exe
  C:\Windows\System\GohlRFC.exe
  2⤵
  PID:8472
- C:\Windows\System\aOIPOwd.exe
  C:\Windows\System\aOIPOwd.exe
  2⤵
  PID:8500
- C:\Windows\System\BIHbmfj.exe
  C:\Windows\System\BIHbmfj.exe
  2⤵
  PID:8528
- C:\Windows\System\KAUyuYi.exe
  C:\Windows\System\KAUyuYi.exe
  2⤵
  PID:8556
- C:\Windows\System\ePYfYpa.exe
  C:\Windows\System\ePYfYpa.exe
  2⤵
  PID:8584
- C:\Windows\System\erbYKnF.exe
  C:\Windows\System\erbYKnF.exe
  2⤵
  PID:8612
- C:\Windows\System\XsusBbP.exe
  C:\Windows\System\XsusBbP.exe
  2⤵
  PID:8640
- C:\Windows\System\ZUCoqLD.exe
  C:\Windows\System\ZUCoqLD.exe
  2⤵
  PID:8668
- C:\Windows\System\ivtHxdo.exe
  C:\Windows\System\ivtHxdo.exe
  2⤵
  PID:8696
- C:\Windows\System\SMztRnV.exe
  C:\Windows\System\SMztRnV.exe
  2⤵
  PID:8724
- C:\Windows\System\XudzCEk.exe
  C:\Windows\System\XudzCEk.exe
  2⤵
  PID:8756
- C:\Windows\System\jvFKTuw.exe
  C:\Windows\System\jvFKTuw.exe
  2⤵
  PID:8784
- C:\Windows\System\MiPUEwZ.exe
  C:\Windows\System\MiPUEwZ.exe
  2⤵
  PID:8816
- C:\Windows\System\gxzrqNL.exe
  C:\Windows\System\gxzrqNL.exe
  2⤵
  PID:8844
- C:\Windows\System\ggzuMtI.exe
  C:\Windows\System\ggzuMtI.exe
  2⤵
  PID:8860
- C:\Windows\System\ygJLcfU.exe
  C:\Windows\System\ygJLcfU.exe
  2⤵
  PID:8884
- C:\Windows\System\NRYCJeH.exe
  C:\Windows\System\NRYCJeH.exe
  2⤵
  PID:8920
- C:\Windows\System\BSobQPw.exe
  C:\Windows\System\BSobQPw.exe
  2⤵
  PID:8948
- C:\Windows\System\AxSvZAX.exe
  C:\Windows\System\AxSvZAX.exe
  2⤵
  PID:8984
- C:\Windows\System\tQLWlRY.exe
  C:\Windows\System\tQLWlRY.exe
  2⤵
  PID:9012
- C:\Windows\System\oTCGrIT.exe
  C:\Windows\System\oTCGrIT.exe
  2⤵
  PID:9040
- C:\Windows\System\zdiXkvw.exe
  C:\Windows\System\zdiXkvw.exe
  2⤵
  PID:9068
- C:\Windows\System\BzPqOVm.exe
  C:\Windows\System\BzPqOVm.exe
  2⤵
  PID:9096
- C:\Windows\System\AhTyCDs.exe
  C:\Windows\System\AhTyCDs.exe
  2⤵
  PID:9128
- C:\Windows\System\xZvZsIX.exe
  C:\Windows\System\xZvZsIX.exe
  2⤵
  PID:9156
- C:\Windows\System\hNfzSkp.exe
  C:\Windows\System\hNfzSkp.exe
  2⤵
  PID:9184
- C:\Windows\System\ypafmCb.exe
  C:\Windows\System\ypafmCb.exe
  2⤵
  PID:9212
- C:\Windows\System\LoZYROH.exe
  C:\Windows\System\LoZYROH.exe
  2⤵
  PID:8236
- C:\Windows\System\WLIJboB.exe
  C:\Windows\System\WLIJboB.exe
  2⤵
  PID:8308
- C:\Windows\System\IjPWrLN.exe
  C:\Windows\System\IjPWrLN.exe
  2⤵
  PID:8372
- C:\Windows\System\YYyGmVG.exe
  C:\Windows\System\YYyGmVG.exe
  2⤵
  PID:8440
- C:\Windows\System\PvGsQpb.exe
  C:\Windows\System\PvGsQpb.exe
  2⤵
  PID:8512
- C:\Windows\System\dElrdDG.exe
  C:\Windows\System\dElrdDG.exe
  2⤵
  PID:8576
- C:\Windows\System\XhWfGQg.exe
  C:\Windows\System\XhWfGQg.exe
  2⤵
  PID:8636
- C:\Windows\System\Zabstsc.exe
  C:\Windows\System\Zabstsc.exe
  2⤵
  PID:8716
- C:\Windows\System\WFVwZSs.exe
  C:\Windows\System\WFVwZSs.exe
  2⤵
  PID:8752
- C:\Windows\System\dkhsOLW.exe
  C:\Windows\System\dkhsOLW.exe
  2⤵
  PID:8836
- C:\Windows\System\dECNQxm.exe
  C:\Windows\System\dECNQxm.exe
  2⤵
  PID:8904
- C:\Windows\System\XLjkMcX.exe
  C:\Windows\System\XLjkMcX.exe
  2⤵
  PID:8968
- C:\Windows\System\vRGAHzJ.exe
  C:\Windows\System\vRGAHzJ.exe
  2⤵
  PID:9064
- C:\Windows\System\QoLQSWM.exe
  C:\Windows\System\QoLQSWM.exe
  2⤵
  PID:9120
- C:\Windows\System\opZWQjR.exe
  C:\Windows\System\opZWQjR.exe
  2⤵
  PID:9176
- C:\Windows\System\ZrBAZKM.exe
  C:\Windows\System\ZrBAZKM.exe
  2⤵
  PID:8252
- C:\Windows\System\fKQmNWf.exe
  C:\Windows\System\fKQmNWf.exe
  2⤵
  PID:8424
- C:\Windows\System\qDjMZFt.exe
  C:\Windows\System\qDjMZFt.exe
  2⤵
  PID:8540
- C:\Windows\System\MmmzLMn.exe
  C:\Windows\System\MmmzLMn.exe
  2⤵
  PID:8688
- C:\Windows\System\HXKuYgD.exe
  C:\Windows\System\HXKuYgD.exe
  2⤵
  PID:8780
- C:\Windows\System\zLvWskw.exe
  C:\Windows\System\zLvWskw.exe
  2⤵
  PID:9004
- C:\Windows\System\ugJlkpZ.exe
  C:\Windows\System\ugJlkpZ.exe
  2⤵
  PID:9168
- C:\Windows\System\KrnxxVV.exe
  C:\Windows\System\KrnxxVV.exe
  2⤵
  PID:8404
- C:\Windows\System\vYqvPUB.exe
  C:\Windows\System\vYqvPUB.exe
  2⤵
  PID:8812
- C:\Windows\System\yKVPgdw.exe
  C:\Windows\System\yKVPgdw.exe
  2⤵
  PID:8804
- C:\Windows\System\wRXIhcD.exe
  C:\Windows\System\wRXIhcD.exe
  2⤵
  PID:8692
- C:\Windows\System\sLHYLVY.exe
  C:\Windows\System\sLHYLVY.exe
  2⤵
  PID:8976
- C:\Windows\System\qdGyrRV.exe
  C:\Windows\System\qdGyrRV.exe
  2⤵
  PID:9244
- C:\Windows\System\OcOYZjN.exe
  C:\Windows\System\OcOYZjN.exe
  2⤵
  PID:9272
- C:\Windows\System\hLvtYHJ.exe
  C:\Windows\System\hLvtYHJ.exe
  2⤵
  PID:9300
- C:\Windows\System\EdinhMO.exe
  C:\Windows\System\EdinhMO.exe
  2⤵
  PID:9328
- C:\Windows\System\WMlsyXa.exe
  C:\Windows\System\WMlsyXa.exe
  2⤵
  PID:9356
- C:\Windows\System\mDCSDod.exe
  C:\Windows\System\mDCSDod.exe
  2⤵
  PID:9400
- C:\Windows\System\ypVSAbq.exe
  C:\Windows\System\ypVSAbq.exe
  2⤵
  PID:9440
- C:\Windows\System\fYhTdgk.exe
  C:\Windows\System\fYhTdgk.exe
  2⤵
  PID:9468
- C:\Windows\System\oNdYhvJ.exe
  C:\Windows\System\oNdYhvJ.exe
  2⤵
  PID:9512
- C:\Windows\System\kiazRXR.exe
  C:\Windows\System\kiazRXR.exe
  2⤵
  PID:9544
- C:\Windows\System\HdvSTGZ.exe
  C:\Windows\System\HdvSTGZ.exe
  2⤵
  PID:9580
- C:\Windows\System\QQIkSXc.exe
  C:\Windows\System\QQIkSXc.exe
  2⤵
  PID:9608
- C:\Windows\System\AzRlWPk.exe
  C:\Windows\System\AzRlWPk.exe
  2⤵
  PID:9628
- C:\Windows\System\DbTjObN.exe
  C:\Windows\System\DbTjObN.exe
  2⤵
  PID:9660
- C:\Windows\System\kyYDmBd.exe
  C:\Windows\System\kyYDmBd.exe
  2⤵
  PID:9700
- C:\Windows\System\ZSaUkXm.exe
  C:\Windows\System\ZSaUkXm.exe
  2⤵
  PID:9744
- C:\Windows\System\VxirUtD.exe
  C:\Windows\System\VxirUtD.exe
  2⤵
  PID:9772
- C:\Windows\System\DBGwONr.exe
  C:\Windows\System\DBGwONr.exe
  2⤵
  PID:9804
- C:\Windows\System\oCgLUWI.exe
  C:\Windows\System\oCgLUWI.exe
  2⤵
  PID:9844
- C:\Windows\System\CgeypMj.exe
  C:\Windows\System\CgeypMj.exe
  2⤵
  PID:9880
- C:\Windows\System\kFziWbW.exe
  C:\Windows\System\kFziWbW.exe
  2⤵
  PID:9916
- C:\Windows\System\AxbOvpf.exe
  C:\Windows\System\AxbOvpf.exe
  2⤵
  PID:9932
- C:\Windows\System\DRzRpFW.exe
  C:\Windows\System\DRzRpFW.exe
  2⤵
  PID:9972
- C:\Windows\System\zQtEvrP.exe
  C:\Windows\System\zQtEvrP.exe
  2⤵
  PID:9992
- C:\Windows\System\BKxZouG.exe
  C:\Windows\System\BKxZouG.exe
  2⤵
  PID:10008
- C:\Windows\System\KAjvhdj.exe
  C:\Windows\System\KAjvhdj.exe
  2⤵
  PID:10024
- C:\Windows\System\HmwLUSl.exe
  C:\Windows\System\HmwLUSl.exe
  2⤵
  PID:10052
- C:\Windows\System\UvKqQeh.exe
  C:\Windows\System\UvKqQeh.exe
  2⤵
  PID:10080
- C:\Windows\System\MIaNvIe.exe
  C:\Windows\System\MIaNvIe.exe
  2⤵
  PID:10120
- C:\Windows\System\GmbePSp.exe
  C:\Windows\System\GmbePSp.exe
  2⤵
  PID:10148
- C:\Windows\System\WTbjdow.exe
  C:\Windows\System\WTbjdow.exe
  2⤵
  PID:10180
- C:\Windows\System\YZdtOgd.exe
  C:\Windows\System\YZdtOgd.exe
  2⤵
  PID:10212
- C:\Windows\System\KrLCgNK.exe
  C:\Windows\System\KrLCgNK.exe
  2⤵
  PID:8548
- C:\Windows\System\okVHAqS.exe
  C:\Windows\System\okVHAqS.exe
  2⤵
  PID:9292
- C:\Windows\System\ggXAjrA.exe
  C:\Windows\System\ggXAjrA.exe
  2⤵
  PID:9376
- C:\Windows\System\CsZfEDC.exe
  C:\Windows\System\CsZfEDC.exe
  2⤵
  PID:9504
- C:\Windows\System\WGAMlEB.exe
  C:\Windows\System\WGAMlEB.exe
  2⤵
  PID:9588
- C:\Windows\System\PgbeMeP.exe
  C:\Windows\System\PgbeMeP.exe
  2⤵
  PID:9648
- C:\Windows\System\YONLPIi.exe
  C:\Windows\System\YONLPIi.exe
  2⤵
  PID:9732
- C:\Windows\System\SNYtrPC.exe
  C:\Windows\System\SNYtrPC.exe
  2⤵
  PID:9832
- C:\Windows\System\QnSLSGG.exe
  C:\Windows\System\QnSLSGG.exe
  2⤵
  PID:9868
- C:\Windows\System\nIyuBLX.exe
  C:\Windows\System\nIyuBLX.exe
  2⤵
  PID:9952
- C:\Windows\System\nsWUZAA.exe
  C:\Windows\System\nsWUZAA.exe
  2⤵
  PID:9980
- C:\Windows\System\thEKWtl.exe
  C:\Windows\System\thEKWtl.exe
  2⤵
  PID:10076
- C:\Windows\System\cLAyigF.exe
  C:\Windows\System\cLAyigF.exe
  2⤵
  PID:10132
- C:\Windows\System\BFQmtLR.exe
  C:\Windows\System\BFQmtLR.exe
  2⤵
  PID:10204
- C:\Windows\System\tboAPFv.exe
  C:\Windows\System\tboAPFv.exe
  2⤵
  PID:9256
- C:\Windows\System\DElLqEt.exe
  C:\Windows\System\DElLqEt.exe
  2⤵
  PID:9568
- C:\Windows\System\NdxKzpR.exe
  C:\Windows\System\NdxKzpR.exe
  2⤵
  PID:9616
- C:\Windows\System\pINSMVk.exe
  C:\Windows\System\pINSMVk.exe
  2⤵
  PID:9828
- C:\Windows\System\ldKiDBa.exe
  C:\Windows\System\ldKiDBa.exe
  2⤵
  PID:9988
- C:\Windows\System\BRUgayc.exe
  C:\Windows\System\BRUgayc.exe
  2⤵
  PID:10200
- C:\Windows\System\IQlZNGP.exe
  C:\Windows\System\IQlZNGP.exe
  2⤵
  PID:9424
- C:\Windows\System\xzEVxpw.exe
  C:\Windows\System\xzEVxpw.exe
  2⤵
  PID:9796
- C:\Windows\System\cwRYuNo.exe
  C:\Windows\System\cwRYuNo.exe
  2⤵
  PID:9268
- C:\Windows\System\UoSbRWj.exe
  C:\Windows\System\UoSbRWj.exe
  2⤵
  PID:10092
- C:\Windows\System\FZZteva.exe
  C:\Windows\System\FZZteva.exe
  2⤵
  PID:10260
- C:\Windows\System\pveTLHQ.exe
  C:\Windows\System\pveTLHQ.exe
  2⤵
  PID:10292
- C:\Windows\System\AZJeBhO.exe
  C:\Windows\System\AZJeBhO.exe
  2⤵
  PID:10316
- C:\Windows\System\QZfXeUd.exe
  C:\Windows\System\QZfXeUd.exe
  2⤵
  PID:10332
- C:\Windows\System\sOudFTg.exe
  C:\Windows\System\sOudFTg.exe
  2⤵
  PID:10356
- C:\Windows\System\RtyltLf.exe
  C:\Windows\System\RtyltLf.exe
  2⤵
  PID:10376
- C:\Windows\System\rqnBBmx.exe
  C:\Windows\System\rqnBBmx.exe
  2⤵
  PID:10400
- C:\Windows\System\gBKosIK.exe
  C:\Windows\System\gBKosIK.exe
  2⤵
  PID:10452
- C:\Windows\System\WrIAxxM.exe
  C:\Windows\System\WrIAxxM.exe
  2⤵
  PID:10492
- C:\Windows\System\twGArhS.exe
  C:\Windows\System\twGArhS.exe
  2⤵
  PID:10516
- C:\Windows\System\SkQGeIE.exe
  C:\Windows\System\SkQGeIE.exe
  2⤵
  PID:10540
- C:\Windows\System\nQTYxwA.exe
  C:\Windows\System\nQTYxwA.exe
  2⤵
  PID:10568
- C:\Windows\System\gKUzEHl.exe
  C:\Windows\System\gKUzEHl.exe
  2⤵
  PID:10596
- C:\Windows\System\rnLsPIw.exe
  C:\Windows\System\rnLsPIw.exe
  2⤵
  PID:10624
- C:\Windows\System\TmTPgbW.exe
  C:\Windows\System\TmTPgbW.exe
  2⤵
  PID:10664
- C:\Windows\System\mVterrJ.exe
  C:\Windows\System\mVterrJ.exe
  2⤵
  PID:10692
- C:\Windows\System\VMAtzZF.exe
  C:\Windows\System\VMAtzZF.exe
  2⤵
  PID:10720
- C:\Windows\System\xjtNUqS.exe
  C:\Windows\System\xjtNUqS.exe
  2⤵
  PID:10748
- C:\Windows\System\woLrEHf.exe
  C:\Windows\System\woLrEHf.exe
  2⤵
  PID:10776
- C:\Windows\System\NLMuqPw.exe
  C:\Windows\System\NLMuqPw.exe
  2⤵
  PID:10796
- C:\Windows\System\IooOkjD.exe
  C:\Windows\System\IooOkjD.exe
  2⤵
  PID:10832
- C:\Windows\System\UQnDSdo.exe
  C:\Windows\System\UQnDSdo.exe
  2⤵
  PID:10852
- C:\Windows\System\SpzshcX.exe
  C:\Windows\System\SpzshcX.exe
  2⤵
  PID:10880
- C:\Windows\System\JzbPaIf.exe
  C:\Windows\System\JzbPaIf.exe
  2⤵
  PID:10908
- C:\Windows\System\qdOIYeI.exe
  C:\Windows\System\qdOIYeI.exe
  2⤵
  PID:10932
- C:\Windows\System\IuSkYOZ.exe
  C:\Windows\System\IuSkYOZ.exe
  2⤵
  PID:10968
- C:\Windows\System\wUsGwLn.exe
  C:\Windows\System\wUsGwLn.exe
  2⤵
  PID:11000
- C:\Windows\System\tUoghwb.exe
  C:\Windows\System\tUoghwb.exe
  2⤵
  PID:11036
- C:\Windows\System\uzoRpFL.exe
  C:\Windows\System\uzoRpFL.exe
  2⤵
  PID:11056
- C:\Windows\System\JxOsxAQ.exe
  C:\Windows\System\JxOsxAQ.exe
  2⤵
  PID:11092
- C:\Windows\System\QcYwmxU.exe
  C:\Windows\System\QcYwmxU.exe
  2⤵
  PID:11108
- C:\Windows\System\HJPIeOm.exe
  C:\Windows\System\HJPIeOm.exe
  2⤵
  PID:11148
- C:\Windows\System\skoGAFW.exe
  C:\Windows\System\skoGAFW.exe
  2⤵
  PID:11176
- C:\Windows\System\BoatWCP.exe
  C:\Windows\System\BoatWCP.exe
  2⤵
  PID:11200
- C:\Windows\System\hSWcPyG.exe
  C:\Windows\System\hSWcPyG.exe
  2⤵
  PID:11232
- C:\Windows\System\BvvzWrg.exe
  C:\Windows\System\BvvzWrg.exe
  2⤵
  PID:9676
- C:\Windows\System\tasDzbR.exe
  C:\Windows\System\tasDzbR.exe
  2⤵
  PID:10256
- C:\Windows\System\gWJqLeR.exe
  C:\Windows\System\gWJqLeR.exe
  2⤵
  PID:10308
- C:\Windows\System\PMvlFWf.exe
  C:\Windows\System\PMvlFWf.exe
  2⤵
  PID:10352
- C:\Windows\System\qnhlGIZ.exe
  C:\Windows\System\qnhlGIZ.exe
  2⤵
  PID:10412
- C:\Windows\System\pQGfXEb.exe
  C:\Windows\System\pQGfXEb.exe
  2⤵
  PID:10508
- C:\Windows\System\GaPqvHu.exe
  C:\Windows\System\GaPqvHu.exe
  2⤵
  PID:10552
- C:\Windows\System\fJVfwWZ.exe
  C:\Windows\System\fJVfwWZ.exe
  2⤵
  PID:10636
- C:\Windows\System\fbeQeQR.exe
  C:\Windows\System\fbeQeQR.exe
  2⤵
  PID:10704
- C:\Windows\System\CpoAHrS.exe
  C:\Windows\System\CpoAHrS.exe
  2⤵
  PID:10760
- C:\Windows\System\wjiMFmB.exe
  C:\Windows\System\wjiMFmB.exe
  2⤵
  PID:10844
- C:\Windows\System\oVNCAyp.exe
  C:\Windows\System\oVNCAyp.exe
  2⤵
  PID:10896
- C:\Windows\System\dFEPiOe.exe
  C:\Windows\System\dFEPiOe.exe
  2⤵
  PID:10980
- C:\Windows\System\XDVtuIz.exe
  C:\Windows\System\XDVtuIz.exe
  2⤵
  PID:11048
- C:\Windows\System\dWxFGnE.exe
  C:\Windows\System\dWxFGnE.exe
  2⤵
  PID:11104
- C:\Windows\System\IeIbrdr.exe
  C:\Windows\System\IeIbrdr.exe
  2⤵
  PID:11172
- C:\Windows\System\xNFXKxB.exe
  C:\Windows\System\xNFXKxB.exe
  2⤵
  PID:11228
- C:\Windows\System\kjiSiFM.exe
  C:\Windows\System\kjiSiFM.exe
  2⤵
  PID:10272
- C:\Windows\System\QHtEQbG.exe
  C:\Windows\System\QHtEQbG.exe
  2⤵
  PID:10384
- C:\Windows\System\jmceQAF.exe
  C:\Windows\System\jmceQAF.exe
  2⤵
  PID:10608
- C:\Windows\System\FCrYvTE.exe
  C:\Windows\System\FCrYvTE.exe
  2⤵
  PID:10716
- C:\Windows\System\tkuJvUh.exe
  C:\Windows\System\tkuJvUh.exe
  2⤵
  PID:10928
- C:\Windows\System\SHrZCso.exe
  C:\Windows\System\SHrZCso.exe
  2⤵
  PID:10952
- C:\Windows\System\XgbeLge.exe
  C:\Windows\System\XgbeLge.exe
  2⤵
  PID:11224
- C:\Windows\System\xNizRzY.exe
  C:\Windows\System\xNizRzY.exe
  2⤵
  PID:10372
- C:\Windows\System\JTuFHLi.exe
  C:\Windows\System\JTuFHLi.exe
  2⤵
  PID:10676
- C:\Windows\System\LWeopAa.exe
  C:\Windows\System\LWeopAa.exe
  2⤵
  PID:10684
- C:\Windows\System\xlTFzYp.exe
  C:\Windows\System\xlTFzYp.exe
  2⤵
  PID:11292
- C:\Windows\System\AgsWSRm.exe
  C:\Windows\System\AgsWSRm.exe
  2⤵
  PID:11312
- C:\Windows\System\dwbOQbX.exe
  C:\Windows\System\dwbOQbX.exe
  2⤵
  PID:11328
- C:\Windows\System\NbUdbJw.exe
  C:\Windows\System\NbUdbJw.exe
  2⤵
  PID:11360
- C:\Windows\System\vnKbJFb.exe
  C:\Windows\System\vnKbJFb.exe
  2⤵
  PID:11388
- C:\Windows\System\gMGiXED.exe
  C:\Windows\System\gMGiXED.exe
  2⤵
  PID:11424
- C:\Windows\System\JzKjnPO.exe
  C:\Windows\System\JzKjnPO.exe
  2⤵
  PID:11456
- C:\Windows\System\dCEKsKZ.exe
  C:\Windows\System\dCEKsKZ.exe
  2⤵
  PID:11492
- C:\Windows\System\aOHUrVp.exe
  C:\Windows\System\aOHUrVp.exe
  2⤵
  PID:11536
- C:\Windows\System\wIrmjyR.exe
  C:\Windows\System\wIrmjyR.exe
  2⤵
  PID:11556
- C:\Windows\System\JWBnFyo.exe
  C:\Windows\System\JWBnFyo.exe
  2⤵
  PID:11572
- C:\Windows\System\uBqZCFo.exe
  C:\Windows\System\uBqZCFo.exe
  2⤵
  PID:11616
- C:\Windows\System\syGubBj.exe
  C:\Windows\System\syGubBj.exe
  2⤵
  PID:11644
- C:\Windows\System\JfkJCyD.exe
  C:\Windows\System\JfkJCyD.exe
  2⤵
  PID:11676
- C:\Windows\System\DiNsdYE.exe
  C:\Windows\System\DiNsdYE.exe
  2⤵
  PID:11700
- C:\Windows\System\YklhSYS.exe
  C:\Windows\System\YklhSYS.exe
  2⤵
  PID:11728
- C:\Windows\System\OXFEhMj.exe
  C:\Windows\System\OXFEhMj.exe
  2⤵
  PID:11756
- C:\Windows\System\ZcTAPjF.exe
  C:\Windows\System\ZcTAPjF.exe
  2⤵
  PID:11792
- C:\Windows\System\hkzLmNQ.exe
  C:\Windows\System\hkzLmNQ.exe
  2⤵
  PID:11812
- C:\Windows\System\RIwpsrI.exe
  C:\Windows\System\RIwpsrI.exe
  2⤵
  PID:11836
- C:\Windows\System\GKsWEsV.exe
  C:\Windows\System\GKsWEsV.exe
  2⤵
  PID:11872
- C:\Windows\System\cdvhSOu.exe
  C:\Windows\System\cdvhSOu.exe
  2⤵
  PID:11900
- C:\Windows\System\MKpyNoX.exe
  C:\Windows\System\MKpyNoX.exe
  2⤵
  PID:11932
- C:\Windows\System\arFSEsm.exe
  C:\Windows\System\arFSEsm.exe
  2⤵
  PID:11956
- C:\Windows\System\adyWYlN.exe
  C:\Windows\System\adyWYlN.exe
  2⤵
  PID:11972
- C:\Windows\System\CNVRlcj.exe
  C:\Windows\System\CNVRlcj.exe
  2⤵
  PID:12000
- C:\Windows\System\ieZWpka.exe
  C:\Windows\System\ieZWpka.exe
  2⤵
  PID:12016
- C:\Windows\System\QTeBOIQ.exe
  C:\Windows\System\QTeBOIQ.exe
  2⤵
  PID:12044
- C:\Windows\System\HgCEQoV.exe
  C:\Windows\System\HgCEQoV.exe
  2⤵
  PID:12080
- C:\Windows\System\uIlbemc.exe
  C:\Windows\System\uIlbemc.exe
  2⤵
  PID:12104
- C:\Windows\System\QXCqqIA.exe
  C:\Windows\System\QXCqqIA.exe
  2⤵
  PID:12144
- C:\Windows\System\onbCRfu.exe
  C:\Windows\System\onbCRfu.exe
  2⤵
  PID:12184
- C:\Windows\System\EHQQcbQ.exe
  C:\Windows\System\EHQQcbQ.exe
  2⤵
  PID:12224
- C:\Windows\System\zVkLcQZ.exe
  C:\Windows\System\zVkLcQZ.exe
  2⤵
  PID:12248
- C:\Windows\System\dLOXgro.exe
  C:\Windows\System\dLOXgro.exe
  2⤵
  PID:12268
- C:\Windows\System\iEwoAhw.exe
  C:\Windows\System\iEwoAhw.exe
  2⤵
  PID:10956
- C:\Windows\System\kYSlAqj.exe
  C:\Windows\System\kYSlAqj.exe
  2⤵
  PID:11304
- C:\Windows\System\JYUUjys.exe
  C:\Windows\System\JYUUjys.exe
  2⤵
  PID:11376
- C:\Windows\System\SdMYBHj.exe
  C:\Windows\System\SdMYBHj.exe
  2⤵
  PID:11320
- C:\Windows\System\CtocVfN.exe
  C:\Windows\System\CtocVfN.exe
  2⤵
  PID:11508
- C:\Windows\System\boTYMqz.exe
  C:\Windows\System\boTYMqz.exe
  2⤵
  PID:11520
- C:\Windows\System\ZzSFAZN.exe
  C:\Windows\System\ZzSFAZN.exe
  2⤵
  PID:11632
- C:\Windows\System\sltRyhf.exe
  C:\Windows\System\sltRyhf.exe
  2⤵
  PID:11684
- C:\Windows\System\SdRWOuw.exe
  C:\Windows\System\SdRWOuw.exe
  2⤵
  PID:11740
- C:\Windows\System\ntoxBhy.exe
  C:\Windows\System\ntoxBhy.exe
  2⤵
  PID:11804
- C:\Windows\System\ueKTRvi.exe
  C:\Windows\System\ueKTRvi.exe
  2⤵
  PID:11896
- C:\Windows\System\fiGLjSG.exe
  C:\Windows\System\fiGLjSG.exe
  2⤵
  PID:11924
- C:\Windows\System\WfbNhKs.exe
  C:\Windows\System\WfbNhKs.exe
  2⤵
  PID:11992
- C:\Windows\System\ukJCJDV.exe
  C:\Windows\System\ukJCJDV.exe
  2⤵
  PID:12116
- C:\Windows\System\RbJJweK.exe
  C:\Windows\System\RbJJweK.exe
  2⤵
  PID:12156
- C:\Windows\System\USgAntb.exe
  C:\Windows\System\USgAntb.exe
  2⤵
  PID:12240
- C:\Windows\System\HvkVImb.exe
  C:\Windows\System\HvkVImb.exe
  2⤵
  PID:12280
- C:\Windows\System\bbAmTHo.exe
  C:\Windows\System\bbAmTHo.exe
  2⤵
  PID:11484
- C:\Windows\System\TGSpjLB.exe
  C:\Windows\System\TGSpjLB.exe
  2⤵
  PID:11564
- C:\Windows\System\sRaGgqc.exe
  C:\Windows\System\sRaGgqc.exe
  2⤵
  PID:11660
- C:\Windows\System\gDMUdYO.exe
  C:\Windows\System\gDMUdYO.exe
  2⤵
  PID:11748
- C:\Windows\System\dSToeCR.exe
  C:\Windows\System\dSToeCR.exe
  2⤵
  PID:4596
- C:\Windows\System\gCJnaNy.exe
  C:\Windows\System\gCJnaNy.exe
  2⤵
  PID:11948
- C:\Windows\System\MTHBMdj.exe
  C:\Windows\System\MTHBMdj.exe
  2⤵
  PID:12064
- C:\Windows\System\tmANYeO.exe
  C:\Windows\System\tmANYeO.exe
  2⤵
  PID:12264
- C:\Windows\System\RtiuyHP.exe
  C:\Windows\System\RtiuyHP.exe
  2⤵
  PID:11448
- C:\Windows\System\gNjiwhu.exe
  C:\Windows\System\gNjiwhu.exe
  2⤵
  PID:3892
- C:\Windows\System\JYhwoUM.exe
  C:\Windows\System\JYhwoUM.exe
  2⤵
  PID:11984
- C:\Windows\System\NHGJijz.exe
  C:\Windows\System\NHGJijz.exe
  2⤵
  PID:10556
- C:\Windows\System\kHlAVVM.exe
  C:\Windows\System\kHlAVVM.exe
  2⤵
  PID:11784
- C:\Windows\System\FOblFjF.exe
  C:\Windows\System\FOblFjF.exe
  2⤵
  PID:11356
- C:\Windows\System\gOAZIJm.exe
  C:\Windows\System\gOAZIJm.exe
  2⤵
  PID:12324
- C:\Windows\System\YjlFvBj.exe
  C:\Windows\System\YjlFvBj.exe
  2⤵
  PID:12356
- C:\Windows\System\OoMKgFU.exe
  C:\Windows\System\OoMKgFU.exe
  2⤵
  PID:12392
- C:\Windows\System\sOhuZue.exe
  C:\Windows\System\sOhuZue.exe
  2⤵
  PID:12420
- C:\Windows\System\qpJrTjY.exe
  C:\Windows\System\qpJrTjY.exe
  2⤵
  PID:12444
- C:\Windows\System\tuAOqZX.exe
  C:\Windows\System\tuAOqZX.exe
  2⤵
  PID:12464
- C:\Windows\System\nrzwxWK.exe
  C:\Windows\System\nrzwxWK.exe
  2⤵
  PID:12496
- C:\Windows\System\VRtcRVP.exe
  C:\Windows\System\VRtcRVP.exe
  2⤵
  PID:12520
- C:\Windows\System\OtKUYKm.exe
  C:\Windows\System\OtKUYKm.exe
  2⤵
  PID:12560
- C:\Windows\System\maNfKDd.exe
  C:\Windows\System\maNfKDd.exe
  2⤵
  PID:12576
- C:\Windows\System\GeSqumi.exe
  C:\Windows\System\GeSqumi.exe
  2⤵
  PID:12592
- C:\Windows\System\yyJgzPF.exe
  C:\Windows\System\yyJgzPF.exe
  2⤵
  PID:12612
- C:\Windows\System\mBLBNNK.exe
  C:\Windows\System\mBLBNNK.exe
  2⤵
  PID:12664
- C:\Windows\System\ObRKncV.exe
  C:\Windows\System\ObRKncV.exe
  2⤵
  PID:12688
- C:\Windows\System\ksDbiXG.exe
  C:\Windows\System\ksDbiXG.exe
  2⤵
  PID:12716
- C:\Windows\System\pZzGGKR.exe
  C:\Windows\System\pZzGGKR.exe
  2⤵
  PID:12732
- C:\Windows\System\kfKPJmA.exe
  C:\Windows\System\kfKPJmA.exe
  2⤵
  PID:12764
- C:\Windows\System\LpTKAfQ.exe
  C:\Windows\System\LpTKAfQ.exe
  2⤵
  PID:12824
- C:\Windows\System\htrwOZP.exe
  C:\Windows\System\htrwOZP.exe
  2⤵
  PID:12840
- C:\Windows\System\isZiTzC.exe
  C:\Windows\System\isZiTzC.exe
  2⤵
  PID:12868
- C:\Windows\System\xjkKMZu.exe
  C:\Windows\System\xjkKMZu.exe
  2⤵
  PID:12884
- C:\Windows\System\MQxEkfM.exe
  C:\Windows\System\MQxEkfM.exe
  2⤵
  PID:12920
- C:\Windows\System\wYxRpoK.exe
  C:\Windows\System\wYxRpoK.exe
  2⤵
  PID:12952
- C:\Windows\System\zSlCcdv.exe
  C:\Windows\System\zSlCcdv.exe
  2⤵
  PID:12980
- C:\Windows\System\oPMxmgj.exe
  C:\Windows\System\oPMxmgj.exe
  2⤵
  PID:13016
- C:\Windows\System\DINMgxV.exe
  C:\Windows\System\DINMgxV.exe
  2⤵
  PID:13052
- C:\Windows\System\QSpxuBU.exe
  C:\Windows\System\QSpxuBU.exe
  2⤵
  PID:13092
- C:\Windows\System\vUDsbmS.exe
  C:\Windows\System\vUDsbmS.exe
  2⤵
  PID:13120
- C:\Windows\System\UZSeXLI.exe
  C:\Windows\System\UZSeXLI.exe
  2⤵
  PID:13144
- C:\Windows\System\vfGAcuv.exe
  C:\Windows\System\vfGAcuv.exe
  2⤵
  PID:13180
- C:\Windows\System\LbHtjfl.exe
  C:\Windows\System\LbHtjfl.exe
  2⤵
  PID:13208
- C:\Windows\System\gGiExzs.exe
  C:\Windows\System\gGiExzs.exe
  2⤵
  PID:13224
- C:\Windows\System\OmjOWir.exe
  C:\Windows\System\OmjOWir.exe
  2⤵
  PID:13252
- C:\Windows\System\CRlceaM.exe
  C:\Windows\System\CRlceaM.exe
  2⤵
  PID:13276
- C:\Windows\System\wIQcYCv.exe
  C:\Windows\System\wIQcYCv.exe
  2⤵
  PID:12168
- C:\Windows\System\AoUfeIH.exe
  C:\Windows\System\AoUfeIH.exe
  2⤵
  PID:12384
- C:\Windows\System\wiRUmTJ.exe
  C:\Windows\System\wiRUmTJ.exe
  2⤵
  PID:12436
- C:\Windows\System\QtpmXsx.exe
  C:\Windows\System\QtpmXsx.exe
  2⤵
  PID:12484
- C:\Windows\System\RBbMVxB.exe
  C:\Windows\System\RBbMVxB.exe
  2⤵
  PID:12512

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:11672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvbpkvgm.qty.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AgrlDcz.exe

Filesize
3.0MB

MD5
d5102bec5239e191350c3945bb53fce1

SHA1
7f481c3225622678b3681c054d5aab62147d0532

SHA256
25bd45139a1332d9ed3cc484673f764acc81cabc85425c010aa4f65dd4d287fb

SHA512
29ebdbbbb34e55aa8ee976b2109b4aee1571fa4fc6e646512fbbc89b6b2d080b3af9eec975540c98421e77aa0e536656bb2efdfe84f401420e024a114ea179c2

Download Submit
C:\Windows\System\BpvYWwR.exe

Filesize
3.0MB

MD5
22b821f44b852bc0190b05c059b38615

SHA1
99505ae2e2fa4539d7b42ed6cf57d68e507a9dd0

SHA256
84dfbe9d28109c9585368f260fb1ec27aa5eb7cb9128e07b9e218500a0a05aa3

SHA512
25615215dc9f11848055dc76b52137e769ecd989ecd86a39016d397e7dbd2022e2abb0a10341a47d164db56a23d4be069dd267af0d812efce189a76c0beed446

Download Submit
C:\Windows\System\FCfOJYA.exe

Filesize
3.0MB

MD5
e3d6d407516e07006589e2792edaba0e

SHA1
bda1327aea2ebe2568b988813c886a8fa37b2366

SHA256
7307676001b522a1fc78d9defc2a90e0cfb8fca245190e42ea6c33e247bf63f7

SHA512
284ec07080039075ec2f8853b2420d33e9ca6bb562d2002e449c9f0b2f89068882a94f16ff6ec76e7baaba68e45b1a3e7ff98dbf2d9a881552794d97a6c50011

Download Submit
C:\Windows\System\FtnDWgn.exe

Filesize
3.0MB

MD5
092a0d31dd8efbe42f9f0df137e82ccb

SHA1
fc46ea072d7fb2b300fb6779c01a818563a2f456

SHA256
58a18e4b56e56c26cb315442485c788c5841e0b3a51ccd1bbd657a67a7b0528a

SHA512
08c86d0d08d11099bd9f552c1d8ae42680f37cc856e9fe3a77e37789147e6a4da4fd2a5052621142eb0fd164c943eb5ff38a3010eb3175d45b36ae7708481f47

Download Submit
C:\Windows\System\GnGDhkX.exe

Filesize
3.0MB

MD5
62acbbf393f5f20eaab8df0fcbb8fcf1

SHA1
365eb36daa89bb276a901d37424e28c128ede3e8

SHA256
fac405d7e37dfd989bf7f05efdf913085300e35fc8427a3ce9f4b81e6a7d21a9

SHA512
dd301f53339e61ee991a1b3c3e5e7b559e7e9e52b1e501290093a2c695f59c6b750f0c057b7b113dac15c308be47f81e9fea804b8bdad86c261ceec03c3f6a36

Download Submit
C:\Windows\System\HUZYoCT.exe

Filesize
3.0MB

MD5
7ba6fe61ad74d4d7896bcb326491960f

SHA1
903ff7abb781bb1a5d5ddfd0a713dbcc8531973d

SHA256
a2a799ed195485334d1209cedf5da136b7b140bcccf370499245d3c05fb23751

SHA512
1a0655cf76b535650239c6f4815e3ba1f1a038aabb5dc2e172a75ca9d971626430b3500abbd2b81461e05ec44b0aab95c36ceb58d379bbe637f7c10b82c8432b

Download Submit
C:\Windows\System\LNEnrfE.exe

Filesize
3.0MB

MD5
f908ca518db661ec8b0daa6cb793e76d

SHA1
6300aee7fb3d83cdad091634f1d62cba7eccfdc5

SHA256
a2bb69346b96ba632e2c75e29e7b8f3dd823c7cbaac905d58c32b3c716271455

SHA512
5f17a063e3ea33490895dd00ed8587c86de1ca974f335b93177d58aad390aa2a6b24f1c3eede5f6229265c89a6f78af3b7565cbadae48817384442a34ece5c1f

Download Submit
C:\Windows\System\MjwXxUo.exe

Filesize
3.0MB

MD5
97674ebe027f5d4ff2a86e4195147187

SHA1
45da11b0db961d658879774614b3fd6ea0dfd42a

SHA256
09a4e7f832cca03948102ce9169b9fcff4418f97edfcf190f5d5115c5d6e1772

SHA512
a7f5a3752c85ce50e563b3928b9906683864abedb18b7e9a172765fa968a412da4d941548487b1ac52cbdd5403ff18a518f9ac04c7fd17c16c1f09014122dccb

Download Submit
C:\Windows\System\NOPATWP.exe

Filesize
3.0MB

MD5
db7a137141ce8b0883c662f7ec47efc5

SHA1
b190d11e4798ed3dcb867b87a78dd95caf4d3c38

SHA256
06989180656f6b9f3cecc947880cca003d794d5c7636a1a107c5afa33a1b742e

SHA512
fc444577a666e564e90ec6bb1a1783db5abb00aa22f0bae833073dc5d3bd701f359f53b7ab7cf5dc1fe1e4010cc71792ce3c276d90ea9c4a4c907cfa54122281

Download Submit
C:\Windows\System\OGVPWcn.exe

Filesize
3.0MB

MD5
8fb923d32afa3ab60e9fdfe15540475c

SHA1
523193880f2ed157da67a0143b0a7af0e91d014f

SHA256
f7088ac8209054b08ccf7ba56b0495ce113cc9b99a0aa206de02173f450de44b

SHA512
b35eea0c8d4cc887e870360d86acf4c73e6cbda017b434ac1877d4ed34be704243f9bb52add61a7cec8c91088cd3c9e4b933011cadd0b392de7dbba9633383c4

Download Submit
C:\Windows\System\RKfXkhE.exe

Filesize
3.0MB

MD5
2658d8f4d9841b2618785b3aef87023a

SHA1
fd5378af8917d07a1a694947f7dbb34876813d86

SHA256
72de4f2baf837fe94f8d9c1b7185761462cebdfb10a10c17f4075bb4bc4507e3

SHA512
989a90b83041ea781e1417c1862c7dcaa205befacdac9707d0b87e7426568a93e86a94c3e1d8f67a02ab18c39c7f77e227d02de7df4c65667d8f660ae30805f3

Download Submit
C:\Windows\System\RdANJnX.exe

Filesize
3.0MB

MD5
ddabb17b213fb7773e946407dcee711f

SHA1
f9b5cedb2692d4221636af82054971f92a855656

SHA256
5d586369efbe9b525194e7299e203ab1f5426799e94d2bf1ebda57d72c9526c7

SHA512
50c06a9f593e01b801bc687cd9d066e235770732909a5b7391f2f64973e4add26cf9ab7f622bfc53e9d934e0471bd80854ce833544dacc0965184cbf023058a1

Download Submit
C:\Windows\System\TXGBbbp.exe

Filesize
3.0MB

MD5
7e792d957fca02068468f956495c468a

SHA1
7c6a2033d4694129d491df510080111de37d1dd0

SHA256
8a8c324516b00617a3d9ec863daca2e72bab026b8c9379be8435be33d3112e44

SHA512
01abe4f8bff3c2e7d35f556d2964135de091a55057abe5ac52c6ef0595a3183fa562e5dbd8e97de1c6cd24b1e96c4c4d6d1c765d651e1db238724d2749b1d747

Download Submit
C:\Windows\System\UPJBgwH.exe

Filesize
3.0MB

MD5
f759cb0fbd0f92bf8a53ff60ca1aaf84

SHA1
683ec1f4db9868aeb715b551db8814c2a636c9c5

SHA256
5dc9e32aabba1626b578620dc76dcecc80968b8b3470b4560b2aef05d1d0079d

SHA512
bc445de1165d4911e59f8486f9b3d8dea1fbee180bede6fdb654a8d7ac16bb663f364e2019edb90549cf85a57836d953f10a00ad486ea96a74fa00e67161a601

Download Submit
C:\Windows\System\Yxybxdp.exe

Filesize
8B

MD5
67d893d1a2095d39d451d08ee1cc05e9

SHA1
dad7ef4487e41ff3c3e600250e691ed16832dc94

SHA256
cc871666e89dd430f5e3dc9cc361cd1a4ecf7214b4b8daeb86cca2257079f3ce

SHA512
7799e4db272ac6c136cb55f2e50c1582a5027767dc6d148dbf159fdb6f776a047cf2ac573fbb2f2ca5a994173cf0465c93ef3f6e6c86e8981136e854def9801d

Download Submit
C:\Windows\System\ZVJkPqA.exe

Filesize
3.0MB

MD5
d988ceb28fe54da1bf5d443cd49aef4f

SHA1
f485aa5d8837d184fdf66659b54facdfd355e8bc

SHA256
55c988356fae2ac349099fbe22c37e82c65f9aff15eda1e0c8fb516c2767f5d4

SHA512
80a6b8f25a4b468a9dca942c53e40d91d8fa293ba09d9b0d7e8db54991fc5bd980350b4539850e5cf338dcae1c5e95a3fef37236590ac48f893bac659a3c49b7

Download Submit
C:\Windows\System\ZoAQMme.exe

Filesize
3.0MB

MD5
d51cd63325d716b8519c199e91906bd4

SHA1
d86841b483c1ce2e719a50dce41d72b04f4fca02

SHA256
bbb53bea3bcade97dad09f57c0cb16cb714ec40d033614c52a830dc3b118d10e

SHA512
d0c5c1ff5f2ddb7d451f3927f72f995e841a4118b30d48d4695ab1b819cda6fca7ab7558784da4aeb5b5900548a6a551bec2563d9fffdbfc21e0bb66133fee8c

Download Submit
C:\Windows\System\aCkbrOg.exe

Filesize
3.0MB

MD5
b9c4864131ccaf6aff526226836f19e5

SHA1
8b94a1e11184238bc2512312a4bb0bcdd2606fd7

SHA256
48df071d73d508eaf32da8459096506bff1217f4ab2a26f443afb7c9fd11226d

SHA512
132bf93be2f117142fac2c40e34b1fb30a19f6f457625cd377c2f69d02d64080a2e5489fea80a8c23e93bbb86c8fed8bea03f1c99d2f7e0e1dc9efa1edc50b5c

Download Submit
C:\Windows\System\bbsfxuq.exe

Filesize
3.0MB

MD5
8fc37ed69206571ed509fd67bc62d194

SHA1
d88414e3bc98f009497dbf572b6306b2af8b06c9

SHA256
25b9b6167b96487942d730ac4ad9e236a1a4c1b94a2b4e46d9498ba070f4780e

SHA512
7adcbda8f605bfffda803dd3837c38c1da5433a97c35e098ed7de5d3c9246a348c6f6ce038585708a2542cbab865dc4d0b80b579ec90e5314fc6baedd238cf57

Download Submit
C:\Windows\System\cyqvlzJ.exe

Filesize
3.0MB

MD5
6a60b9ffe2e398aa5e2d4ca89f919782

SHA1
81649f8ba90c0d1a4431a7b527c01df540526fb6

SHA256
3c6887d556371ffdf4068548d5a3d8daba79993a9c691d703d699048ec209c00

SHA512
a1bc440129ce556f287b4f297ff4d739d01d691b995fb1d50af696291cc820416b9a34873099eea3cee4a8949279e4e10c72ef00e9a2cb24e1b916a95fbb092a

Download Submit
C:\Windows\System\dfkDzqP.exe

Filesize
3.0MB

MD5
277c88f8ccbc01bb6ff82f1fdc809b5c

SHA1
52db9a3baa18c3a1ac33215a5d96d8e08b20fac6

SHA256
7028946d7726438f2c18b36aa8bcdaf942cb578b09652c2e48b55e7b98bff872

SHA512
bd3c08fc3cbe4912a59f2a41ebd3c4b9979b65200482dc7cea3913b3163a55d3be0a47ef65566dc142d2f0b0a2a5e06163fa25ef67bee8c1f824f07e3b193ab5

Download Submit
C:\Windows\System\fReAUhl.exe

Filesize
3.0MB

MD5
2542cfad7267d2458d2e203283908023

SHA1
5ea91e3cbd4ce6adf981ab7ff09fdbca386e8a35

SHA256
06217e28da4944b50fc4c26289b8cb374f1bd6210450100a25a3c27b341aaae0

SHA512
20596693e05d92ba8282804077c6d1c1b7ea715b9d731f4a38ca471a7348026d4e3c8bce054008c4282fee94d8ecbbd44f876088d041a10a1af09232dc2f0cc7

Download Submit
C:\Windows\System\fbYblGX.exe

Filesize
3.0MB

MD5
fa5b80ed2b0c6b087ea9b8ca58b8acde

SHA1
cdf37e40d451556f4ef7e824d67b466e85d33dcf

SHA256
b439e4df39099aa9e14c00da81f630c55ccb02bfc5a67c4bd4356ee9ade6d5b3

SHA512
faa7c9bf47d81ce74a973e3160546353bf4b907fe284cb84f9e0a8a203c92d1ef7381f5c0530582eddfbb7937d5492282febfaac79a9f115bbfef99bff4c561a

Download Submit
C:\Windows\System\fhDfchT.exe

Filesize
3.0MB

MD5
15867538fb23d3846861ed7b47bcf678

SHA1
614bf45acefbb99cc826b3fab55e554123181658

SHA256
e4765b6f66d579a8ed2749aeed7aada3633dee704ac7fadf68938b0ff0ed57e8

SHA512
047bdf51b9a9eb22eed8f0aa0f54ed6e31951a00b24eaa32ad7cc2e9b6809a68207d114f2c157cb358a9e9bbe5cb628cbed6b0acf82de9d207bdb1cb461bc9be

Download Submit
C:\Windows\System\gSxeHbq.exe

Filesize
3.0MB

MD5
a459b614d0bf02daaba0b3babd8aae2c

SHA1
21fa1a783ce5bb0257130f079650d080d11db765

SHA256
3f66c47e15ae6bcf33b4f304d2fa34b940695437825c4b2574b48beef3ef0dc1

SHA512
406eb69fdd50ac145b26bb58d4a5852045b2ce3e38ed3e3fb68fa988b846f099afb3c8bdc9760e441569b25a5469ae79d4837ce75aa41218e3c28c468afaf474

Download Submit
C:\Windows\System\gVNtVGC.exe

Filesize
3.0MB

MD5
30f5b9c93618338748cbc679d9f6b42f

SHA1
a76c1d27a0b507091f1e73fcbaba464a73af2336

SHA256
5614cdcb4c6ab5bf0dfb54cec62b310161502b36c26ae1f93a8921c700be59fb

SHA512
fd605f8f01efcb5839a71b925ee3f87ab6a4dfbe3fb777f06b80547a2dc3c42cea3f44eef4fb5bdd9eff631e0095428f7b8424151ddb8e8ada120188d644ee5d

Download Submit
C:\Windows\System\kfrFXBB.exe

Filesize
3.0MB

MD5
e0e2a41b0ad3720cb849e2cd79b091a7

SHA1
5b85dc03253f49a435b47aeef4b5c1504971339c

SHA256
427f5ae1ab62ef08ca0a0d2df2de920fe6a9350f8e596800d6c879d0f9c65583

SHA512
3e734aa52db032f30de4c58eb1b78c2ad05bff8982a14865c9efc19bae29c78868fe5442b3a2a58104e4d987f831d3a99eed66ac37ce5e143e24bfba47b9eda6

Download Submit
C:\Windows\System\nxifSJg.exe

Filesize
3.0MB

MD5
17c055a44bfa7e09cf20c4e3353ec19d

SHA1
7b4835a6cad8c0885109e3c9ad70100f00c306fc

SHA256
717bd4588fb8406bd48cba5592e25a6bbd34b45f3ad133867b08b12d21d4621f

SHA512
8d9a33012051a69a9d0679f08d5b03036439cf70f7d14e8304604a6b8efec06029b6ba001b650dd6f0949eb628b2b0c93b94be52d54a77ba87f7867cf8794ce6

Download Submit
C:\Windows\System\pOasppt.exe

Filesize
3.0MB

MD5
ccca3fe7c3aaf25d60198bdcb8278819

SHA1
14f7a56fccf854ac24d6b3780830f202e3ef3855

SHA256
cf95066b3274ef730a92500aef7057411ad2df489e181b3153d7299baf96e405

SHA512
1822eead3a4c058d72d023c3e45df7bbc314a2eb3f5c4337337aa8b6779e32431fff98203c67ea517fcf52af6983492d128ed7e4bed7ed5739828c46511ea214

Download Submit
C:\Windows\System\sluuXWH.exe

Filesize
3.0MB

MD5
ab2a1a41ff6ab1e33fd9e319bf52e19e

SHA1
9245c5463de6d70f53b6aa77ded20bd45a84b76c

SHA256
70e091fb12e4fe21e594e9d0d7b4a46ab0b2993368c9b6404a83cff6b18cf505

SHA512
9c3bdfa9c58b2632fbde9588c90bb3a7fedc97107275035a264216e40bbafcef1aabb38f9a22fb8263b261bb8d147041770bcd9a1ae3d710087c60e622510713

Download Submit
C:\Windows\System\tnsEtkT.exe

Filesize
3.0MB

MD5
3b259ea5deb8cff06bb61071dc49d240

SHA1
bf565871be37b359ca2cb350047870776fb38d6b

SHA256
18e2ba414e06632b6adfe7c027e7049d501473096cb1aa5a9b386abea46af303

SHA512
ee0777fe410f36ff22b15ea3a8388455f0d87a1bf9426b138114656d1a04626be9e9fd864937133089fb6d2eddead9b2ded56260ab40edb45953966fa3f98e83

Download Submit
C:\Windows\System\urqCtTJ.exe

Filesize
3.0MB

MD5
c65d46fcaa6014cc302f762dfb3611d4

SHA1
53d7037158b9a950a131f8180f1f840fa2f5f7a8

SHA256
b7d5fd0f79cc4bf6d75e8baeefff4fa8b78cf6895262762ed318769d25e8f0af

SHA512
9149f06d4eb1bd70dd0ab2d228be131c5a23b25ffa98a9cb64503b83ea311edba596af05527d94b612f6d1294a4b455ec7bd1f4f400517a57255570f516cab2b

Download Submit
C:\Windows\System\wbuoubM.exe

Filesize
3.0MB

MD5
4a8dd8c2f21678b56ac678ac1a565dbb

SHA1
2ae0998cb5d576cbfd5753d913e3eae35e326154

SHA256
730aaae1edb2dcd70cc165072a98aa725746a33d738ee2473b285fb90dea3327

SHA512
49398e3b73a6f2f6eea52c475f364207a463365d1af8805efee47f692b736dc50d3ff63b422b885c492a0b920499e5207b26f9ae3f3981a375840e1467eced48

Download Submit
memory/400-159-0x00007FF7CD8C0000-0x00007FF7CDCB6000-memory.dmp

Filesize
4.0MB

Download
memory/400-2152-0x00007FF7CD8C0000-0x00007FF7CDCB6000-memory.dmp

Filesize
4.0MB

Download
memory/408-169-0x00007FF73A2F0000-0x00007FF73A6E6000-memory.dmp

Filesize
4.0MB

Download
memory/408-2165-0x00007FF73A2F0000-0x00007FF73A6E6000-memory.dmp

Filesize
4.0MB

Download
memory/452-156-0x00007FF65EB90000-0x00007FF65EF86000-memory.dmp

Filesize
4.0MB

Download
memory/452-2160-0x00007FF65EB90000-0x00007FF65EF86000-memory.dmp

Filesize
4.0MB

Download
memory/1452-138-0x00007FF7B21E0000-0x00007FF7B25D6000-memory.dmp

Filesize
4.0MB

Download
memory/1452-2148-0x00007FF7B21E0000-0x00007FF7B25D6000-memory.dmp

Filesize
4.0MB

Download
memory/1696-0-0x00007FF721780000-0x00007FF721B76000-memory.dmp

Filesize
4.0MB

Download
memory/1696-1-0x00000274B2890000-0x00000274B28A0000-memory.dmp

Filesize
64KB

Download
memory/1852-160-0x00007FF77E0F0000-0x00007FF77E4E6000-memory.dmp

Filesize
4.0MB

Download
memory/1852-2153-0x00007FF77E0F0000-0x00007FF77E4E6000-memory.dmp

Filesize
4.0MB

Download
memory/1908-2144-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp

Filesize
4.0MB

Download
memory/1908-165-0x00007FF6C3630000-0x00007FF6C3A26000-memory.dmp

Filesize
4.0MB

Download
memory/2060-104-0x00007FF63EE70000-0x00007FF63F266000-memory.dmp

Filesize
4.0MB

Download
memory/2060-2146-0x00007FF63EE70000-0x00007FF63F266000-memory.dmp

Filesize
4.0MB

Download
memory/2196-2166-0x00007FF7B1F50000-0x00007FF7B2346000-memory.dmp

Filesize
4.0MB

Download
memory/2196-164-0x00007FF7B1F50000-0x00007FF7B2346000-memory.dmp

Filesize
4.0MB

Download
memory/2284-2157-0x00007FF694C40000-0x00007FF695036000-memory.dmp

Filesize
4.0MB

Download
memory/2284-157-0x00007FF694C40000-0x00007FF695036000-memory.dmp

Filesize
4.0MB

Download
memory/2520-2149-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp

Filesize
4.0MB

Download
memory/2520-122-0x00007FF7A2C60000-0x00007FF7A3056000-memory.dmp

Filesize
4.0MB

Download
memory/2572-140-0x00007FF6C0F30000-0x00007FF6C1326000-memory.dmp

Filesize
4.0MB

Download
memory/2572-2161-0x00007FF6C0F30000-0x00007FF6C1326000-memory.dmp

Filesize
4.0MB

Download
memory/3152-2158-0x00007FF75DE80000-0x00007FF75E276000-memory.dmp

Filesize
4.0MB

Download
memory/3152-162-0x00007FF75DE80000-0x00007FF75E276000-memory.dmp

Filesize
4.0MB

Download
memory/3316-2151-0x00007FF79C370000-0x00007FF79C766000-memory.dmp

Filesize
4.0MB

Download
memory/3316-119-0x00007FF79C370000-0x00007FF79C766000-memory.dmp

Filesize
4.0MB

Download
memory/3584-13-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp

Filesize
4.0MB

Download
memory/3584-2145-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp

Filesize
4.0MB

Download
memory/3584-2140-0x00007FF78F790000-0x00007FF78FB86000-memory.dmp

Filesize
4.0MB

Download
memory/3756-143-0x00007FF7B2ED0000-0x00007FF7B32C6000-memory.dmp

Filesize
4.0MB

Download
memory/3756-2162-0x00007FF7B2ED0000-0x00007FF7B32C6000-memory.dmp

Filesize
4.0MB

Download
memory/3796-155-0x00007FF65E810000-0x00007FF65EC06000-memory.dmp

Filesize
4.0MB

Download
memory/3796-2159-0x00007FF65E810000-0x00007FF65EC06000-memory.dmp

Filesize
4.0MB

Download
memory/3964-158-0x00007FF619B20000-0x00007FF619F16000-memory.dmp

Filesize
4.0MB

Download
memory/3964-2155-0x00007FF619B20000-0x00007FF619F16000-memory.dmp

Filesize
4.0MB

Download
memory/3980-170-0x0000014A79380000-0x0000014A79B26000-memory.dmp

Filesize
7.6MB

Download
memory/3980-2142-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-89-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-133-0x0000014A787A0000-0x0000014A787C2000-memory.dmp

Filesize
136KB

Download
memory/3980-64-0x00007FFF7CB10000-0x00007FFF7D5D1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-2143-0x00007FFF7CB13000-0x00007FFF7CB15000-memory.dmp

Filesize
8KB

Download
memory/3980-28-0x00007FFF7CB13000-0x00007FFF7CB15000-memory.dmp

Filesize
8KB

Download
memory/4492-2164-0x00007FF7F5690000-0x00007FF7F5A86000-memory.dmp

Filesize
4.0MB

Download
memory/4492-163-0x00007FF7F5690000-0x00007FF7F5A86000-memory.dmp

Filesize
4.0MB

Download
memory/4568-161-0x00007FF7A7750000-0x00007FF7A7B46000-memory.dmp

Filesize
4.0MB

Download
memory/4568-2154-0x00007FF7A7750000-0x00007FF7A7B46000-memory.dmp

Filesize
4.0MB

Download
memory/4780-2147-0x00007FF755F10000-0x00007FF756306000-memory.dmp

Filesize
4.0MB

Download
memory/4780-166-0x00007FF755F10000-0x00007FF756306000-memory.dmp

Filesize
4.0MB

Download
memory/4916-2141-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp

Filesize
4.0MB

Download
memory/4916-2150-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp

Filesize
4.0MB

Download
memory/4916-27-0x00007FF7610E0000-0x00007FF7614D6000-memory.dmp

Filesize
4.0MB

Download
memory/4960-144-0x00007FF6409B0000-0x00007FF640DA6000-memory.dmp

Filesize
4.0MB

Download
memory/4960-2163-0x00007FF6409B0000-0x00007FF640DA6000-memory.dmp

Filesize
4.0MB

Download
memory/4972-2167-0x00007FF7992A0000-0x00007FF799696000-memory.dmp

Filesize
4.0MB

Download
memory/4972-168-0x00007FF7992A0000-0x00007FF799696000-memory.dmp

Filesize
4.0MB

Download
memory/4988-2156-0x00007FF7FBD30000-0x00007FF7FC126000-memory.dmp

Filesize
4.0MB

Download
memory/4988-167-0x00007FF7FBD30000-0x00007FF7FC126000-memory.dmp

Filesize
4.0MB

Download