xmrig | ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597

Analysis

max time kernel
120s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
Size

2.3MB
MD5

5976e8aafe1bbec9642f22557ad9dfa1
SHA1

d97245a539f5228527303e23fddcb20c6eba8b60
SHA256

ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597
SHA512

ade75309028bfd800900fff318a69e7627099392ec525373c3afe11202902d9d77c0b116532fc9baf6c4f1e91aabb7ab1b92cb1ae2d54fac2683ddd300dae1e9
SSDEEP

49152:oezaTF8FcNkNdfE0pZ9ozt4wIlMm+ZQaLwBXhu+:oemTLkNdfE0pZrb

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/3172-0-0x00007FF7820C0000-0x00007FF782414000-memory.dmp	UPX
behavioral2/files/0x000700000002340e-51.dat	UPX
behavioral2/files/0x0007000000023410-53.dat	UPX
behavioral2/files/0x0007000000023412-68.dat	UPX
behavioral2/files/0x0007000000023417-96.dat	UPX
behavioral2/files/0x0007000000023419-114.dat	UPX
behavioral2/files/0x0007000000023418-133.dat	UPX
behavioral2/files/0x000700000002341f-150.dat	UPX
behavioral2/memory/1696-157-0x00007FF69F8D0000-0x00007FF69FC24000-memory.dmp	UPX
behavioral2/memory/644-162-0x00007FF758E60000-0x00007FF7591B4000-memory.dmp	UPX
behavioral2/memory/1960-168-0x00007FF749840000-0x00007FF749B94000-memory.dmp	UPX
behavioral2/memory/3408-170-0x00007FF73CEF0000-0x00007FF73D244000-memory.dmp	UPX
behavioral2/memory/4600-169-0x00007FF6F9DA0000-0x00007FF6FA0F4000-memory.dmp	UPX
behavioral2/memory/1636-167-0x00007FF6C7020000-0x00007FF6C7374000-memory.dmp	UPX
behavioral2/memory/2488-166-0x00007FF7DAD80000-0x00007FF7DB0D4000-memory.dmp	UPX
behavioral2/memory/3032-165-0x00007FF6F1B60000-0x00007FF6F1EB4000-memory.dmp	UPX
behavioral2/memory/3956-164-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp	UPX
behavioral2/memory/4584-163-0x00007FF6A39F0000-0x00007FF6A3D44000-memory.dmp	UPX
behavioral2/memory/3616-161-0x00007FF67F270000-0x00007FF67F5C4000-memory.dmp	UPX
behavioral2/memory/1804-160-0x00007FF7AD420000-0x00007FF7AD774000-memory.dmp	UPX
behavioral2/memory/784-159-0x00007FF665670000-0x00007FF6659C4000-memory.dmp	UPX
behavioral2/memory/1424-158-0x00007FF707CF0000-0x00007FF708044000-memory.dmp	UPX
behavioral2/memory/1440-156-0x00007FF6740F0000-0x00007FF674444000-memory.dmp	UPX
behavioral2/memory/1856-155-0x00007FF730D30000-0x00007FF731084000-memory.dmp	UPX
behavioral2/memory/2996-154-0x00007FF60C8C0000-0x00007FF60CC14000-memory.dmp	UPX
behavioral2/files/0x0007000000023420-152.dat	UPX
behavioral2/files/0x000700000002341e-148.dat	UPX
behavioral2/memory/4428-147-0x00007FF652240000-0x00007FF652594000-memory.dmp	UPX
behavioral2/files/0x000700000002341d-145.dat	UPX
behavioral2/files/0x000700000002341c-143.dat	UPX
behavioral2/files/0x000700000002341b-141.dat	UPX
behavioral2/files/0x000700000002341a-139.dat	UPX
behavioral2/memory/908-136-0x00007FF725BB0000-0x00007FF725F04000-memory.dmp	UPX
behavioral2/files/0x0007000000023415-130.dat	UPX
behavioral2/files/0x0007000000023416-125.dat	UPX
behavioral2/memory/2512-124-0x00007FF7FA4E0000-0x00007FF7FA834000-memory.dmp	UPX
behavioral2/memory/4468-122-0x00007FF74EC40000-0x00007FF74EF94000-memory.dmp	UPX
behavioral2/files/0x0007000000023413-110.dat	UPX
behavioral2/files/0x0007000000023414-102.dat	UPX
behavioral2/memory/4624-91-0x00007FF6B5620000-0x00007FF6B5974000-memory.dmp	UPX
behavioral2/files/0x000700000002340f-86.dat	UPX
behavioral2/files/0x0007000000023411-78.dat	UPX
behavioral2/memory/1248-71-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp	UPX
behavioral2/files/0x000700000002340d-66.dat	UPX
behavioral2/files/0x000700000002340a-64.dat	UPX
behavioral2/files/0x0007000000023423-183.dat	UPX
behavioral2/files/0x0007000000023422-185.dat	UPX
behavioral2/memory/4120-181-0x00007FF79C880000-0x00007FF79CBD4000-memory.dmp	UPX
behavioral2/files/0x0007000000023421-174.dat	UPX
behavioral2/files/0x000700000002340c-61.dat	UPX
behavioral2/memory/2744-59-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp	UPX
behavioral2/files/0x000700000002340b-58.dat	UPX
behavioral2/memory/1372-55-0x00007FF7F0050000-0x00007FF7F03A4000-memory.dmp	UPX
behavioral2/files/0x0007000000023424-190.dat	UPX
behavioral2/memory/4804-47-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp	UPX
behavioral2/memory/8-38-0x00007FF6464A0000-0x00007FF6467F4000-memory.dmp	UPX
behavioral2/files/0x0007000000023409-34.dat	UPX
behavioral2/files/0x0007000000023408-26.dat	UPX
behavioral2/files/0x0007000000023407-25.dat	UPX
behavioral2/files/0x0008000000023406-19.dat	UPX
behavioral2/memory/4172-15-0x00007FF7C9E60000-0x00007FF7CA1B4000-memory.dmp	UPX
behavioral2/files/0x00060000000232a4-6.dat	UPX
behavioral2/memory/3172-2123-0x00007FF7820C0000-0x00007FF782414000-memory.dmp	UPX
behavioral2/memory/1248-2124-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp	UPX

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3172-0-0x00007FF7820C0000-0x00007FF782414000-memory.dmp	xmrig
behavioral2/files/0x000700000002340e-51.dat	xmrig
behavioral2/files/0x0007000000023410-53.dat	xmrig
behavioral2/files/0x0007000000023412-68.dat	xmrig
behavioral2/files/0x0007000000023417-96.dat	xmrig
behavioral2/files/0x0007000000023419-114.dat	xmrig
behavioral2/files/0x0007000000023418-133.dat	xmrig
behavioral2/files/0x000700000002341f-150.dat	xmrig
behavioral2/memory/1696-157-0x00007FF69F8D0000-0x00007FF69FC24000-memory.dmp	xmrig
behavioral2/memory/644-162-0x00007FF758E60000-0x00007FF7591B4000-memory.dmp	xmrig
behavioral2/memory/1960-168-0x00007FF749840000-0x00007FF749B94000-memory.dmp	xmrig
behavioral2/memory/3408-170-0x00007FF73CEF0000-0x00007FF73D244000-memory.dmp	xmrig
behavioral2/memory/4600-169-0x00007FF6F9DA0000-0x00007FF6FA0F4000-memory.dmp	xmrig
behavioral2/memory/1636-167-0x00007FF6C7020000-0x00007FF6C7374000-memory.dmp	xmrig
behavioral2/memory/2488-166-0x00007FF7DAD80000-0x00007FF7DB0D4000-memory.dmp	xmrig
behavioral2/memory/3032-165-0x00007FF6F1B60000-0x00007FF6F1EB4000-memory.dmp	xmrig
behavioral2/memory/3956-164-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp	xmrig
behavioral2/memory/4584-163-0x00007FF6A39F0000-0x00007FF6A3D44000-memory.dmp	xmrig
behavioral2/memory/3616-161-0x00007FF67F270000-0x00007FF67F5C4000-memory.dmp	xmrig
behavioral2/memory/1804-160-0x00007FF7AD420000-0x00007FF7AD774000-memory.dmp	xmrig
behavioral2/memory/784-159-0x00007FF665670000-0x00007FF6659C4000-memory.dmp	xmrig
behavioral2/memory/1424-158-0x00007FF707CF0000-0x00007FF708044000-memory.dmp	xmrig
behavioral2/memory/1440-156-0x00007FF6740F0000-0x00007FF674444000-memory.dmp	xmrig
behavioral2/memory/1856-155-0x00007FF730D30000-0x00007FF731084000-memory.dmp	xmrig
behavioral2/memory/2996-154-0x00007FF60C8C0000-0x00007FF60CC14000-memory.dmp	xmrig
behavioral2/files/0x0007000000023420-152.dat	xmrig
behavioral2/files/0x000700000002341e-148.dat	xmrig
behavioral2/memory/4428-147-0x00007FF652240000-0x00007FF652594000-memory.dmp	xmrig
behavioral2/files/0x000700000002341d-145.dat	xmrig
behavioral2/files/0x000700000002341c-143.dat	xmrig
behavioral2/files/0x000700000002341b-141.dat	xmrig
behavioral2/files/0x000700000002341a-139.dat	xmrig
behavioral2/memory/908-136-0x00007FF725BB0000-0x00007FF725F04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023415-130.dat	xmrig
behavioral2/files/0x0007000000023416-125.dat	xmrig
behavioral2/memory/2512-124-0x00007FF7FA4E0000-0x00007FF7FA834000-memory.dmp	xmrig
behavioral2/memory/4468-122-0x00007FF74EC40000-0x00007FF74EF94000-memory.dmp	xmrig
behavioral2/files/0x0007000000023413-110.dat	xmrig
behavioral2/files/0x0007000000023414-102.dat	xmrig
behavioral2/memory/4624-91-0x00007FF6B5620000-0x00007FF6B5974000-memory.dmp	xmrig
behavioral2/files/0x000700000002340f-86.dat	xmrig
behavioral2/files/0x0007000000023411-78.dat	xmrig
behavioral2/memory/1248-71-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340d-66.dat	xmrig
behavioral2/files/0x000700000002340a-64.dat	xmrig
behavioral2/files/0x0007000000023423-183.dat	xmrig
behavioral2/files/0x0007000000023422-185.dat	xmrig
behavioral2/memory/4120-181-0x00007FF79C880000-0x00007FF79CBD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023421-174.dat	xmrig
behavioral2/files/0x000700000002340c-61.dat	xmrig
behavioral2/memory/2744-59-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002340b-58.dat	xmrig
behavioral2/memory/1372-55-0x00007FF7F0050000-0x00007FF7F03A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023424-190.dat	xmrig
behavioral2/memory/4804-47-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp	xmrig
behavioral2/memory/8-38-0x00007FF6464A0000-0x00007FF6467F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023409-34.dat	xmrig
behavioral2/files/0x0007000000023408-26.dat	xmrig
behavioral2/files/0x0007000000023407-25.dat	xmrig
behavioral2/files/0x0008000000023406-19.dat	xmrig
behavioral2/memory/4172-15-0x00007FF7C9E60000-0x00007FF7CA1B4000-memory.dmp	xmrig
behavioral2/files/0x00060000000232a4-6.dat	xmrig
behavioral2/memory/3172-2123-0x00007FF7820C0000-0x00007FF782414000-memory.dmp	xmrig
behavioral2/memory/1248-2124-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4172	wrrlwJc.exe
8	ulbBIyU.exe
3956	EHppQnR.exe
4804	qNYDRRp.exe
1372	KHkxJtj.exe
2744	nHtBsAC.exe
1248	gEnJFDF.exe
3032	VKcFfyq.exe
4624	iRSnEHD.exe
2488	jPHQVhQ.exe
4468	uMMLBtJ.exe
2512	kqDuspB.exe
908	cfFIGBJ.exe
1636	LNhBdCu.exe
4428	QmEhpgO.exe
1960	sjIzcMJ.exe
2996	WQTGkgs.exe
1856	valZLFp.exe
1440	qKYRouW.exe
1696	xaPKxri.exe
4600	wEiDrRc.exe
1424	JQcGvtn.exe
784	vUUHkDA.exe
1804	cPkwVat.exe
3616	lDafque.exe
3408	hBBRAMR.exe
644	DhcXYMC.exe
4584	BMwkxZr.exe
4120	VQYSAPf.exe
3280	GwPqbbf.exe
4420	TmzByeD.exe
4384	VWtzhfk.exe
1796	txoJSys.exe
1392	eDHLjoF.exe
1328	BblqhsO.exe
1892	naAOJjS.exe
4964	RKikbac.exe
1552	PjDwWkz.exe
5100	tZnDxTE.exe
3272	vbdCidQ.exe
1876	TQvUkXa.exe
4884	hAMRXxE.exe
4340	KBPbmmv.exe
3368	gWFhivJ.exe
3676	EqsOvhm.exe
3964	ghbNtic.exe
1192	BXqRthE.exe
1320	awxwUbu.exe
2068	BEylWCz.exe
2476	vdRSVNH.exe
2532	dTPeOaE.exe
1900	cylgRqL.exe
3628	mxqXQpW.exe
2356	WSEPFBI.exe
4760	FCfyhmX.exe
1972	vYfpAjz.exe
3496	cZTHcvL.exe
4748	yjkKESJ.exe
804	hHYLjYM.exe
3352	BLzySIl.exe
1232	dErXIBR.exe
412	sMTAXWk.exe
4972	dRzFCLc.exe
1336	bhohQqM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3172-0-0x00007FF7820C0000-0x00007FF782414000-memory.dmp	upx
behavioral2/files/0x000700000002340e-51.dat	upx
behavioral2/files/0x0007000000023410-53.dat	upx
behavioral2/files/0x0007000000023412-68.dat	upx
behavioral2/files/0x0007000000023417-96.dat	upx
behavioral2/files/0x0007000000023419-114.dat	upx
behavioral2/files/0x0007000000023418-133.dat	upx
behavioral2/files/0x000700000002341f-150.dat	upx
behavioral2/memory/1696-157-0x00007FF69F8D0000-0x00007FF69FC24000-memory.dmp	upx
behavioral2/memory/644-162-0x00007FF758E60000-0x00007FF7591B4000-memory.dmp	upx
behavioral2/memory/1960-168-0x00007FF749840000-0x00007FF749B94000-memory.dmp	upx
behavioral2/memory/3408-170-0x00007FF73CEF0000-0x00007FF73D244000-memory.dmp	upx
behavioral2/memory/4600-169-0x00007FF6F9DA0000-0x00007FF6FA0F4000-memory.dmp	upx
behavioral2/memory/1636-167-0x00007FF6C7020000-0x00007FF6C7374000-memory.dmp	upx
behavioral2/memory/2488-166-0x00007FF7DAD80000-0x00007FF7DB0D4000-memory.dmp	upx
behavioral2/memory/3032-165-0x00007FF6F1B60000-0x00007FF6F1EB4000-memory.dmp	upx
behavioral2/memory/3956-164-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp	upx
behavioral2/memory/4584-163-0x00007FF6A39F0000-0x00007FF6A3D44000-memory.dmp	upx
behavioral2/memory/3616-161-0x00007FF67F270000-0x00007FF67F5C4000-memory.dmp	upx
behavioral2/memory/1804-160-0x00007FF7AD420000-0x00007FF7AD774000-memory.dmp	upx
behavioral2/memory/784-159-0x00007FF665670000-0x00007FF6659C4000-memory.dmp	upx
behavioral2/memory/1424-158-0x00007FF707CF0000-0x00007FF708044000-memory.dmp	upx
behavioral2/memory/1440-156-0x00007FF6740F0000-0x00007FF674444000-memory.dmp	upx
behavioral2/memory/1856-155-0x00007FF730D30000-0x00007FF731084000-memory.dmp	upx
behavioral2/memory/2996-154-0x00007FF60C8C0000-0x00007FF60CC14000-memory.dmp	upx
behavioral2/files/0x0007000000023420-152.dat	upx
behavioral2/files/0x000700000002341e-148.dat	upx
behavioral2/memory/4428-147-0x00007FF652240000-0x00007FF652594000-memory.dmp	upx
behavioral2/files/0x000700000002341d-145.dat	upx
behavioral2/files/0x000700000002341c-143.dat	upx
behavioral2/files/0x000700000002341b-141.dat	upx
behavioral2/files/0x000700000002341a-139.dat	upx
behavioral2/memory/908-136-0x00007FF725BB0000-0x00007FF725F04000-memory.dmp	upx
behavioral2/files/0x0007000000023415-130.dat	upx
behavioral2/files/0x0007000000023416-125.dat	upx
behavioral2/memory/2512-124-0x00007FF7FA4E0000-0x00007FF7FA834000-memory.dmp	upx
behavioral2/memory/4468-122-0x00007FF74EC40000-0x00007FF74EF94000-memory.dmp	upx
behavioral2/files/0x0007000000023413-110.dat	upx
behavioral2/files/0x0007000000023414-102.dat	upx
behavioral2/memory/4624-91-0x00007FF6B5620000-0x00007FF6B5974000-memory.dmp	upx
behavioral2/files/0x000700000002340f-86.dat	upx
behavioral2/files/0x0007000000023411-78.dat	upx
behavioral2/memory/1248-71-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp	upx
behavioral2/files/0x000700000002340d-66.dat	upx
behavioral2/files/0x000700000002340a-64.dat	upx
behavioral2/files/0x0007000000023423-183.dat	upx
behavioral2/files/0x0007000000023422-185.dat	upx
behavioral2/memory/4120-181-0x00007FF79C880000-0x00007FF79CBD4000-memory.dmp	upx
behavioral2/files/0x0007000000023421-174.dat	upx
behavioral2/files/0x000700000002340c-61.dat	upx
behavioral2/memory/2744-59-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp	upx
behavioral2/files/0x000700000002340b-58.dat	upx
behavioral2/memory/1372-55-0x00007FF7F0050000-0x00007FF7F03A4000-memory.dmp	upx
behavioral2/files/0x0007000000023424-190.dat	upx
behavioral2/memory/4804-47-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp	upx
behavioral2/memory/8-38-0x00007FF6464A0000-0x00007FF6467F4000-memory.dmp	upx
behavioral2/files/0x0007000000023409-34.dat	upx
behavioral2/files/0x0007000000023408-26.dat	upx
behavioral2/files/0x0007000000023407-25.dat	upx
behavioral2/files/0x0008000000023406-19.dat	upx
behavioral2/memory/4172-15-0x00007FF7C9E60000-0x00007FF7CA1B4000-memory.dmp	upx
behavioral2/files/0x00060000000232a4-6.dat	upx
behavioral2/memory/3172-2123-0x00007FF7820C0000-0x00007FF782414000-memory.dmp	upx
behavioral2/memory/1248-2124-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\xIIGhKP.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\escYdck.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\VaAzPUQ.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\TrzfBJm.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\qWbeZcc.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\QOthAiI.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\puLvAza.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\TTAVUlc.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\DzJbRaG.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\TZWVIbq.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\TKIcTKi.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\qgAUyxa.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\MOWvdzZ.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\yJZpohC.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\MvasZYI.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\ulbBIyU.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\wpXvInX.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\XFrtFBp.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\oBCNhgw.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\WdEDrqd.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\kctjDCC.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\esoWaCV.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\yeIoUoZ.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\WTpkpnv.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\PEPKWKF.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\kqTUGIb.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\kgdPSBT.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\BMwkxZr.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\awxwUbu.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\sMTAXWk.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\sfzQUJG.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\pkaiVOa.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\gWFhivJ.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\WymbNtW.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\bovNYmf.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\oPrCiuD.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\KBPbmmv.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\OWvRYJH.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\dekpKMf.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\dnLRDYn.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\zoYMoPN.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\JCzWTzC.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\ETPOWPq.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\VQYSAPf.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\dtUKRPc.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\VuOFiCu.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\kqDuspB.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\iwwqjnJ.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\SJGMgxc.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\IzTAppJ.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\XatwIUf.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\bACoupq.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\ibIJVsU.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\rhosJat.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\fMoHEHI.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\EwXZiQu.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\APTrPIh.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\xlkoQMo.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\gFeAokn.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\GDXQGpC.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\JkeRzVS.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\wUImpSd.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\jzOupyp.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
File created	C:\Windows\System\czhXbba.exe	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13476	dwm.exe
Token: SeChangeNotifyPrivilege	13476	dwm.exe
Token: 33	13476	dwm.exe
Token: SeIncBasePriorityPrivilege	13476	dwm.exe
Token: SeShutdownPrivilege	13476	dwm.exe
Token: SeCreatePagefilePrivilege	13476	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4172	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	82
PID 3172 wrote to memory of 4172	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	82
PID 3172 wrote to memory of 8	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	83
PID 3172 wrote to memory of 8	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	83
PID 3172 wrote to memory of 3956	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	84
PID 3172 wrote to memory of 3956	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	84
PID 3172 wrote to memory of 4804	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	85
PID 3172 wrote to memory of 4804	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	85
PID 3172 wrote to memory of 1372	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	86
PID 3172 wrote to memory of 1372	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	86
PID 3172 wrote to memory of 2744	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	87
PID 3172 wrote to memory of 2744	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	87
PID 3172 wrote to memory of 1248	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	88
PID 3172 wrote to memory of 1248	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	88
PID 3172 wrote to memory of 3032	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	89
PID 3172 wrote to memory of 3032	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	89
PID 3172 wrote to memory of 4624	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	90
PID 3172 wrote to memory of 4624	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	90
PID 3172 wrote to memory of 2488	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	91
PID 3172 wrote to memory of 2488	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	91
PID 3172 wrote to memory of 4468	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	92
PID 3172 wrote to memory of 4468	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	92
PID 3172 wrote to memory of 2512	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	93
PID 3172 wrote to memory of 2512	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	93
PID 3172 wrote to memory of 908	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	94
PID 3172 wrote to memory of 908	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	94
PID 3172 wrote to memory of 1636	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	95
PID 3172 wrote to memory of 1636	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	95
PID 3172 wrote to memory of 4428	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	96
PID 3172 wrote to memory of 4428	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	96
PID 3172 wrote to memory of 1960	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	97
PID 3172 wrote to memory of 1960	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	97
PID 3172 wrote to memory of 2996	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	98
PID 3172 wrote to memory of 2996	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	98
PID 3172 wrote to memory of 1856	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	99
PID 3172 wrote to memory of 1856	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	99
PID 3172 wrote to memory of 1440	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	100
PID 3172 wrote to memory of 1440	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	100
PID 3172 wrote to memory of 1696	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	101
PID 3172 wrote to memory of 1696	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	101
PID 3172 wrote to memory of 4600	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	102
PID 3172 wrote to memory of 4600	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	102
PID 3172 wrote to memory of 1424	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	103
PID 3172 wrote to memory of 1424	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	103
PID 3172 wrote to memory of 784	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	104
PID 3172 wrote to memory of 784	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	104
PID 3172 wrote to memory of 1804	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	105
PID 3172 wrote to memory of 1804	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	105
PID 3172 wrote to memory of 3616	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	106
PID 3172 wrote to memory of 3616	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	106
PID 3172 wrote to memory of 3408	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	107
PID 3172 wrote to memory of 3408	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	107
PID 3172 wrote to memory of 644	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	108
PID 3172 wrote to memory of 644	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	108
PID 3172 wrote to memory of 4584	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	109
PID 3172 wrote to memory of 4584	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	109
PID 3172 wrote to memory of 4120	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	110
PID 3172 wrote to memory of 4120	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	110
PID 3172 wrote to memory of 3280	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	111
PID 3172 wrote to memory of 3280	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	111
PID 3172 wrote to memory of 4420	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	112
PID 3172 wrote to memory of 4420	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	112
PID 3172 wrote to memory of 4384	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	113
PID 3172 wrote to memory of 4384	3172	ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe	113

C:\Users\Admin\AppData\Local\Temp\ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe
"C:\Users\Admin\AppData\Local\Temp\ac1b37870a8f3868a77b3a1b3d61b9571dba563a64063a3454ea5c2e47b0d597.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3172
- C:\Windows\System\wrrlwJc.exe
  C:\Windows\System\wrrlwJc.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\ulbBIyU.exe
  C:\Windows\System\ulbBIyU.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\EHppQnR.exe
  C:\Windows\System\EHppQnR.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\qNYDRRp.exe
  C:\Windows\System\qNYDRRp.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\KHkxJtj.exe
  C:\Windows\System\KHkxJtj.exe
  2⤵
  - Executes dropped EXE
  PID:1372
- C:\Windows\System\nHtBsAC.exe
  C:\Windows\System\nHtBsAC.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\gEnJFDF.exe
  C:\Windows\System\gEnJFDF.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\VKcFfyq.exe
  C:\Windows\System\VKcFfyq.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\iRSnEHD.exe
  C:\Windows\System\iRSnEHD.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\jPHQVhQ.exe
  C:\Windows\System\jPHQVhQ.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\uMMLBtJ.exe
  C:\Windows\System\uMMLBtJ.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\kqDuspB.exe
  C:\Windows\System\kqDuspB.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\cfFIGBJ.exe
  C:\Windows\System\cfFIGBJ.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System\LNhBdCu.exe
  C:\Windows\System\LNhBdCu.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\QmEhpgO.exe
  C:\Windows\System\QmEhpgO.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\sjIzcMJ.exe
  C:\Windows\System\sjIzcMJ.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\WQTGkgs.exe
  C:\Windows\System\WQTGkgs.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\valZLFp.exe
  C:\Windows\System\valZLFp.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\qKYRouW.exe
  C:\Windows\System\qKYRouW.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\xaPKxri.exe
  C:\Windows\System\xaPKxri.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\wEiDrRc.exe
  C:\Windows\System\wEiDrRc.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\JQcGvtn.exe
  C:\Windows\System\JQcGvtn.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\vUUHkDA.exe
  C:\Windows\System\vUUHkDA.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\cPkwVat.exe
  C:\Windows\System\cPkwVat.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\lDafque.exe
  C:\Windows\System\lDafque.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\hBBRAMR.exe
  C:\Windows\System\hBBRAMR.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\DhcXYMC.exe
  C:\Windows\System\DhcXYMC.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\BMwkxZr.exe
  C:\Windows\System\BMwkxZr.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\VQYSAPf.exe
  C:\Windows\System\VQYSAPf.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\GwPqbbf.exe
  C:\Windows\System\GwPqbbf.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\TmzByeD.exe
  C:\Windows\System\TmzByeD.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\VWtzhfk.exe
  C:\Windows\System\VWtzhfk.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\txoJSys.exe
  C:\Windows\System\txoJSys.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\eDHLjoF.exe
  C:\Windows\System\eDHLjoF.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\BblqhsO.exe
  C:\Windows\System\BblqhsO.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\naAOJjS.exe
  C:\Windows\System\naAOJjS.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\RKikbac.exe
  C:\Windows\System\RKikbac.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\PjDwWkz.exe
  C:\Windows\System\PjDwWkz.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\tZnDxTE.exe
  C:\Windows\System\tZnDxTE.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\vbdCidQ.exe
  C:\Windows\System\vbdCidQ.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\TQvUkXa.exe
  C:\Windows\System\TQvUkXa.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\hAMRXxE.exe
  C:\Windows\System\hAMRXxE.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\KBPbmmv.exe
  C:\Windows\System\KBPbmmv.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\gWFhivJ.exe
  C:\Windows\System\gWFhivJ.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\EqsOvhm.exe
  C:\Windows\System\EqsOvhm.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\ghbNtic.exe
  C:\Windows\System\ghbNtic.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\BXqRthE.exe
  C:\Windows\System\BXqRthE.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\awxwUbu.exe
  C:\Windows\System\awxwUbu.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\BEylWCz.exe
  C:\Windows\System\BEylWCz.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\vdRSVNH.exe
  C:\Windows\System\vdRSVNH.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\dTPeOaE.exe
  C:\Windows\System\dTPeOaE.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\cylgRqL.exe
  C:\Windows\System\cylgRqL.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\mxqXQpW.exe
  C:\Windows\System\mxqXQpW.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\WSEPFBI.exe
  C:\Windows\System\WSEPFBI.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\FCfyhmX.exe
  C:\Windows\System\FCfyhmX.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\vYfpAjz.exe
  C:\Windows\System\vYfpAjz.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\cZTHcvL.exe
  C:\Windows\System\cZTHcvL.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\yjkKESJ.exe
  C:\Windows\System\yjkKESJ.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\hHYLjYM.exe
  C:\Windows\System\hHYLjYM.exe
  2⤵
  - Executes dropped EXE
  PID:804
- C:\Windows\System\BLzySIl.exe
  C:\Windows\System\BLzySIl.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\dErXIBR.exe
  C:\Windows\System\dErXIBR.exe
  2⤵
  - Executes dropped EXE
  PID:1232
- C:\Windows\System\sMTAXWk.exe
  C:\Windows\System\sMTAXWk.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\dRzFCLc.exe
  C:\Windows\System\dRzFCLc.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\bhohQqM.exe
  C:\Windows\System\bhohQqM.exe
  2⤵
  - Executes dropped EXE
  PID:1336
- C:\Windows\System\qQytpZm.exe
  C:\Windows\System\qQytpZm.exe
  2⤵
  PID:1288
- C:\Windows\System\THPQFch.exe
  C:\Windows\System\THPQFch.exe
  2⤵
  PID:2892
- C:\Windows\System\IlfrubY.exe
  C:\Windows\System\IlfrubY.exe
  2⤵
  PID:3904
- C:\Windows\System\LAFLVmZ.exe
  C:\Windows\System\LAFLVmZ.exe
  2⤵
  PID:3068
- C:\Windows\System\TZWVIbq.exe
  C:\Windows\System\TZWVIbq.exe
  2⤵
  PID:1764
- C:\Windows\System\wheIGpU.exe
  C:\Windows\System\wheIGpU.exe
  2⤵
  PID:680
- C:\Windows\System\MXTGlYi.exe
  C:\Windows\System\MXTGlYi.exe
  2⤵
  PID:740
- C:\Windows\System\JLusvDq.exe
  C:\Windows\System\JLusvDq.exe
  2⤵
  PID:4956
- C:\Windows\System\qpCdyFK.exe
  C:\Windows\System\qpCdyFK.exe
  2⤵
  PID:4656
- C:\Windows\System\RHpuOvs.exe
  C:\Windows\System\RHpuOvs.exe
  2⤵
  PID:2632
- C:\Windows\System\SuTtaYq.exe
  C:\Windows\System\SuTtaYq.exe
  2⤵
  PID:4092
- C:\Windows\System\OWvRYJH.exe
  C:\Windows\System\OWvRYJH.exe
  2⤵
  PID:1948
- C:\Windows\System\pjHooXC.exe
  C:\Windows\System\pjHooXC.exe
  2⤵
  PID:4344
- C:\Windows\System\liFtXUm.exe
  C:\Windows\System\liFtXUm.exe
  2⤵
  PID:4628
- C:\Windows\System\nPfSINj.exe
  C:\Windows\System\nPfSINj.exe
  2⤵
  PID:1136
- C:\Windows\System\CNZFppp.exe
  C:\Windows\System\CNZFppp.exe
  2⤵
  PID:1064
- C:\Windows\System\szsBrrW.exe
  C:\Windows\System\szsBrrW.exe
  2⤵
  PID:4752
- C:\Windows\System\WPikQCs.exe
  C:\Windows\System\WPikQCs.exe
  2⤵
  PID:1472
- C:\Windows\System\adrdZvV.exe
  C:\Windows\System\adrdZvV.exe
  2⤵
  PID:1580
- C:\Windows\System\jlfHxRV.exe
  C:\Windows\System\jlfHxRV.exe
  2⤵
  PID:1504
- C:\Windows\System\GYvPtId.exe
  C:\Windows\System\GYvPtId.exe
  2⤵
  PID:2760
- C:\Windows\System\ScydCEa.exe
  C:\Windows\System\ScydCEa.exe
  2⤵
  PID:2524
- C:\Windows\System\zqrVXAW.exe
  C:\Windows\System\zqrVXAW.exe
  2⤵
  PID:3652
- C:\Windows\System\OTSIJKL.exe
  C:\Windows\System\OTSIJKL.exe
  2⤵
  PID:4496
- C:\Windows\System\dekpKMf.exe
  C:\Windows\System\dekpKMf.exe
  2⤵
  PID:2872
- C:\Windows\System\ShUUSWp.exe
  C:\Windows\System\ShUUSWp.exe
  2⤵
  PID:2216
- C:\Windows\System\Svgnnbj.exe
  C:\Windows\System\Svgnnbj.exe
  2⤵
  PID:3716
- C:\Windows\System\sfzQUJG.exe
  C:\Windows\System\sfzQUJG.exe
  2⤵
  PID:3236
- C:\Windows\System\bEeBdsL.exe
  C:\Windows\System\bEeBdsL.exe
  2⤵
  PID:2028
- C:\Windows\System\QEirDQk.exe
  C:\Windows\System\QEirDQk.exe
  2⤵
  PID:5024
- C:\Windows\System\tVYqnyx.exe
  C:\Windows\System\tVYqnyx.exe
  2⤵
  PID:1912
- C:\Windows\System\cCdolaN.exe
  C:\Windows\System\cCdolaN.exe
  2⤵
  PID:3092
- C:\Windows\System\oYJycFz.exe
  C:\Windows\System\oYJycFz.exe
  2⤵
  PID:4368
- C:\Windows\System\ZxmoDuS.exe
  C:\Windows\System\ZxmoDuS.exe
  2⤵
  PID:632
- C:\Windows\System\TdcGiJg.exe
  C:\Windows\System\TdcGiJg.exe
  2⤵
  PID:720
- C:\Windows\System\JHCirXg.exe
  C:\Windows\System\JHCirXg.exe
  2⤵
  PID:1044
- C:\Windows\System\aVEQbex.exe
  C:\Windows\System\aVEQbex.exe
  2⤵
  PID:460
- C:\Windows\System\EAJkmrc.exe
  C:\Windows\System\EAJkmrc.exe
  2⤵
  PID:3840
- C:\Windows\System\oYjrVpy.exe
  C:\Windows\System\oYjrVpy.exe
  2⤵
  PID:4184
- C:\Windows\System\tnVUpyP.exe
  C:\Windows\System\tnVUpyP.exe
  2⤵
  PID:2160
- C:\Windows\System\pkaiVOa.exe
  C:\Windows\System\pkaiVOa.exe
  2⤵
  PID:5140
- C:\Windows\System\WymbNtW.exe
  C:\Windows\System\WymbNtW.exe
  2⤵
  PID:5168
- C:\Windows\System\moNlwHW.exe
  C:\Windows\System\moNlwHW.exe
  2⤵
  PID:5196
- C:\Windows\System\RaFDKlT.exe
  C:\Windows\System\RaFDKlT.exe
  2⤵
  PID:5224
- C:\Windows\System\yycIrgH.exe
  C:\Windows\System\yycIrgH.exe
  2⤵
  PID:5256
- C:\Windows\System\UqCpCMM.exe
  C:\Windows\System\UqCpCMM.exe
  2⤵
  PID:5284
- C:\Windows\System\FCaMmNf.exe
  C:\Windows\System\FCaMmNf.exe
  2⤵
  PID:5312
- C:\Windows\System\QMmyqOT.exe
  C:\Windows\System\QMmyqOT.exe
  2⤵
  PID:5332
- C:\Windows\System\PlgqCTO.exe
  C:\Windows\System\PlgqCTO.exe
  2⤵
  PID:5360
- C:\Windows\System\TNkXprZ.exe
  C:\Windows\System\TNkXprZ.exe
  2⤵
  PID:5384
- C:\Windows\System\OelMZQm.exe
  C:\Windows\System\OelMZQm.exe
  2⤵
  PID:5416
- C:\Windows\System\jrrazzM.exe
  C:\Windows\System\jrrazzM.exe
  2⤵
  PID:5452
- C:\Windows\System\caYifvE.exe
  C:\Windows\System\caYifvE.exe
  2⤵
  PID:5488
- C:\Windows\System\ehbCGLp.exe
  C:\Windows\System\ehbCGLp.exe
  2⤵
  PID:5508
- C:\Windows\System\EsVPkYq.exe
  C:\Windows\System\EsVPkYq.exe
  2⤵
  PID:5540
- C:\Windows\System\HfnCerY.exe
  C:\Windows\System\HfnCerY.exe
  2⤵
  PID:5556
- C:\Windows\System\WsFVoJs.exe
  C:\Windows\System\WsFVoJs.exe
  2⤵
  PID:5572
- C:\Windows\System\OMzBmvi.exe
  C:\Windows\System\OMzBmvi.exe
  2⤵
  PID:5596
- C:\Windows\System\MKnGmpS.exe
  C:\Windows\System\MKnGmpS.exe
  2⤵
  PID:5620
- C:\Windows\System\CmhZNRc.exe
  C:\Windows\System\CmhZNRc.exe
  2⤵
  PID:5644
- C:\Windows\System\hjvQIzA.exe
  C:\Windows\System\hjvQIzA.exe
  2⤵
  PID:5660
- C:\Windows\System\hxMsHYx.exe
  C:\Windows\System\hxMsHYx.exe
  2⤵
  PID:5688
- C:\Windows\System\omxPRng.exe
  C:\Windows\System\omxPRng.exe
  2⤵
  PID:5728
- C:\Windows\System\uulZhAX.exe
  C:\Windows\System\uulZhAX.exe
  2⤵
  PID:5756
- C:\Windows\System\dtUKRPc.exe
  C:\Windows\System\dtUKRPc.exe
  2⤵
  PID:5812
- C:\Windows\System\fMoHEHI.exe
  C:\Windows\System\fMoHEHI.exe
  2⤵
  PID:5840
- C:\Windows\System\DusVJkV.exe
  C:\Windows\System\DusVJkV.exe
  2⤵
  PID:5868
- C:\Windows\System\RnssVaq.exe
  C:\Windows\System\RnssVaq.exe
  2⤵
  PID:5896
- C:\Windows\System\cmsRYBQ.exe
  C:\Windows\System\cmsRYBQ.exe
  2⤵
  PID:5916
- C:\Windows\System\fIlhLLL.exe
  C:\Windows\System\fIlhLLL.exe
  2⤵
  PID:5952
- C:\Windows\System\dSWpBcQ.exe
  C:\Windows\System\dSWpBcQ.exe
  2⤵
  PID:5980
- C:\Windows\System\MikUgNs.exe
  C:\Windows\System\MikUgNs.exe
  2⤵
  PID:6020
- C:\Windows\System\mpcpPht.exe
  C:\Windows\System\mpcpPht.exe
  2⤵
  PID:6048
- C:\Windows\System\VekwAHu.exe
  C:\Windows\System\VekwAHu.exe
  2⤵
  PID:6072
- C:\Windows\System\GuCjxvO.exe
  C:\Windows\System\GuCjxvO.exe
  2⤵
  PID:6096
- C:\Windows\System\BSWHMch.exe
  C:\Windows\System\BSWHMch.exe
  2⤵
  PID:6132
- C:\Windows\System\hnJTGLZ.exe
  C:\Windows\System\hnJTGLZ.exe
  2⤵
  PID:5132
- C:\Windows\System\HsEwLUu.exe
  C:\Windows\System\HsEwLUu.exe
  2⤵
  PID:5164
- C:\Windows\System\LAsGCFc.exe
  C:\Windows\System\LAsGCFc.exe
  2⤵
  PID:5220
- C:\Windows\System\wpXvInX.exe
  C:\Windows\System\wpXvInX.exe
  2⤵
  PID:5304
- C:\Windows\System\qWbeZcc.exe
  C:\Windows\System\qWbeZcc.exe
  2⤵
  PID:5380
- C:\Windows\System\MrvjjsC.exe
  C:\Windows\System\MrvjjsC.exe
  2⤵
  PID:5448
- C:\Windows\System\pWzxaKj.exe
  C:\Windows\System\pWzxaKj.exe
  2⤵
  PID:5520
- C:\Windows\System\PYpCgZX.exe
  C:\Windows\System\PYpCgZX.exe
  2⤵
  PID:5672
- C:\Windows\System\EykutFN.exe
  C:\Windows\System\EykutFN.exe
  2⤵
  PID:5716
- C:\Windows\System\XFrtFBp.exe
  C:\Windows\System\XFrtFBp.exe
  2⤵
  PID:5744
- C:\Windows\System\cdcQSHp.exe
  C:\Windows\System\cdcQSHp.exe
  2⤵
  PID:5820
- C:\Windows\System\UcYfXLf.exe
  C:\Windows\System\UcYfXLf.exe
  2⤵
  PID:5804
- C:\Windows\System\JGdOmoH.exe
  C:\Windows\System\JGdOmoH.exe
  2⤵
  PID:5884
- C:\Windows\System\acwPpiH.exe
  C:\Windows\System\acwPpiH.exe
  2⤵
  PID:5932
- C:\Windows\System\AnfyGSa.exe
  C:\Windows\System\AnfyGSa.exe
  2⤵
  PID:6064
- C:\Windows\System\DDASDUF.exe
  C:\Windows\System\DDASDUF.exe
  2⤵
  PID:6116
- C:\Windows\System\ButhYmw.exe
  C:\Windows\System\ButhYmw.exe
  2⤵
  PID:5152
- C:\Windows\System\LVnmCUo.exe
  C:\Windows\System\LVnmCUo.exe
  2⤵
  PID:5340
- C:\Windows\System\JkeRzVS.exe
  C:\Windows\System\JkeRzVS.exe
  2⤵
  PID:5548
- C:\Windows\System\fcCNrqd.exe
  C:\Windows\System\fcCNrqd.exe
  2⤵
  PID:5588
- C:\Windows\System\AXzYyTr.exe
  C:\Windows\System\AXzYyTr.exe
  2⤵
  PID:5828
- C:\Windows\System\epRBEdI.exe
  C:\Windows\System\epRBEdI.exe
  2⤵
  PID:6032
- C:\Windows\System\kVUqXGA.exe
  C:\Windows\System\kVUqXGA.exe
  2⤵
  PID:5208
- C:\Windows\System\bMakUyX.exe
  C:\Windows\System\bMakUyX.exe
  2⤵
  PID:5404
- C:\Windows\System\aDuQrGc.exe
  C:\Windows\System\aDuQrGc.exe
  2⤵
  PID:5712
- C:\Windows\System\zFlVUxJ.exe
  C:\Windows\System\zFlVUxJ.exe
  2⤵
  PID:5248
- C:\Windows\System\bEskwaA.exe
  C:\Windows\System\bEskwaA.exe
  2⤵
  PID:6156
- C:\Windows\System\mdRFVEw.exe
  C:\Windows\System\mdRFVEw.exe
  2⤵
  PID:6176
- C:\Windows\System\QxIgOHt.exe
  C:\Windows\System\QxIgOHt.exe
  2⤵
  PID:6196
- C:\Windows\System\bahNXHR.exe
  C:\Windows\System\bahNXHR.exe
  2⤵
  PID:6220
- C:\Windows\System\BuAPPAH.exe
  C:\Windows\System\BuAPPAH.exe
  2⤵
  PID:6240
- C:\Windows\System\POvUBVN.exe
  C:\Windows\System\POvUBVN.exe
  2⤵
  PID:6276
- C:\Windows\System\YdZpQrp.exe
  C:\Windows\System\YdZpQrp.exe
  2⤵
  PID:6312
- C:\Windows\System\OsLqiCc.exe
  C:\Windows\System\OsLqiCc.exe
  2⤵
  PID:6340
- C:\Windows\System\uFxYyYj.exe
  C:\Windows\System\uFxYyYj.exe
  2⤵
  PID:6384
- C:\Windows\System\VKzDhuC.exe
  C:\Windows\System\VKzDhuC.exe
  2⤵
  PID:6408
- C:\Windows\System\eOZnKIi.exe
  C:\Windows\System\eOZnKIi.exe
  2⤵
  PID:6452
- C:\Windows\System\HonUWZC.exe
  C:\Windows\System\HonUWZC.exe
  2⤵
  PID:6472
- C:\Windows\System\XvWONDz.exe
  C:\Windows\System\XvWONDz.exe
  2⤵
  PID:6504
- C:\Windows\System\HguOPDA.exe
  C:\Windows\System\HguOPDA.exe
  2⤵
  PID:6532
- C:\Windows\System\BSxJrCA.exe
  C:\Windows\System\BSxJrCA.exe
  2⤵
  PID:6560
- C:\Windows\System\lQNMTwq.exe
  C:\Windows\System\lQNMTwq.exe
  2⤵
  PID:6600
- C:\Windows\System\ALVVeNx.exe
  C:\Windows\System\ALVVeNx.exe
  2⤵
  PID:6616
- C:\Windows\System\lQgHLNg.exe
  C:\Windows\System\lQgHLNg.exe
  2⤵
  PID:6644
- C:\Windows\System\eQRQvfY.exe
  C:\Windows\System\eQRQvfY.exe
  2⤵
  PID:6688
- C:\Windows\System\psfjOdF.exe
  C:\Windows\System\psfjOdF.exe
  2⤵
  PID:6712
- C:\Windows\System\dvbFLOK.exe
  C:\Windows\System\dvbFLOK.exe
  2⤵
  PID:6740
- C:\Windows\System\IaRueVf.exe
  C:\Windows\System\IaRueVf.exe
  2⤵
  PID:6768
- C:\Windows\System\wUImpSd.exe
  C:\Windows\System\wUImpSd.exe
  2⤵
  PID:6796
- C:\Windows\System\uCEVNlW.exe
  C:\Windows\System\uCEVNlW.exe
  2⤵
  PID:6836
- C:\Windows\System\cvcWzYb.exe
  C:\Windows\System\cvcWzYb.exe
  2⤵
  PID:6856
- C:\Windows\System\kKNOICY.exe
  C:\Windows\System\kKNOICY.exe
  2⤵
  PID:6872
- C:\Windows\System\BiQFoQV.exe
  C:\Windows\System\BiQFoQV.exe
  2⤵
  PID:6900
- C:\Windows\System\KvRibqm.exe
  C:\Windows\System\KvRibqm.exe
  2⤵
  PID:6936
- C:\Windows\System\hdWatug.exe
  C:\Windows\System\hdWatug.exe
  2⤵
  PID:6968
- C:\Windows\System\cypPfIP.exe
  C:\Windows\System\cypPfIP.exe
  2⤵
  PID:6992
- C:\Windows\System\oBCNhgw.exe
  C:\Windows\System\oBCNhgw.exe
  2⤵
  PID:7012
- C:\Windows\System\KPeszxz.exe
  C:\Windows\System\KPeszxz.exe
  2⤵
  PID:7036
- C:\Windows\System\TyzZvSF.exe
  C:\Windows\System\TyzZvSF.exe
  2⤵
  PID:7068
- C:\Windows\System\jMaDOUs.exe
  C:\Windows\System\jMaDOUs.exe
  2⤵
  PID:7096
- C:\Windows\System\cvonGsR.exe
  C:\Windows\System\cvonGsR.exe
  2⤵
  PID:7124
- C:\Windows\System\pMCJriT.exe
  C:\Windows\System\pMCJriT.exe
  2⤵
  PID:7160
- C:\Windows\System\QOthAiI.exe
  C:\Windows\System\QOthAiI.exe
  2⤵
  PID:6168
- C:\Windows\System\hTfqKGL.exe
  C:\Windows\System\hTfqKGL.exe
  2⤵
  PID:6192
- C:\Windows\System\XRgmiOC.exe
  C:\Windows\System\XRgmiOC.exe
  2⤵
  PID:6292
- C:\Windows\System\TKIcTKi.exe
  C:\Windows\System\TKIcTKi.exe
  2⤵
  PID:6324
- C:\Windows\System\puLvAza.exe
  C:\Windows\System\puLvAza.exe
  2⤵
  PID:6420
- C:\Windows\System\IlAETVf.exe
  C:\Windows\System\IlAETVf.exe
  2⤵
  PID:6492
- C:\Windows\System\GyFdCfp.exe
  C:\Windows\System\GyFdCfp.exe
  2⤵
  PID:6524
- C:\Windows\System\VxwiXCm.exe
  C:\Windows\System\VxwiXCm.exe
  2⤵
  PID:6608
- C:\Windows\System\fPTAhBL.exe
  C:\Windows\System\fPTAhBL.exe
  2⤵
  PID:6656
- C:\Windows\System\rkBiKoO.exe
  C:\Windows\System\rkBiKoO.exe
  2⤵
  PID:6728
- C:\Windows\System\MvpYNuG.exe
  C:\Windows\System\MvpYNuG.exe
  2⤵
  PID:6780
- C:\Windows\System\aHdbbpQ.exe
  C:\Windows\System\aHdbbpQ.exe
  2⤵
  PID:6844
- C:\Windows\System\DYbVjhg.exe
  C:\Windows\System\DYbVjhg.exe
  2⤵
  PID:6912
- C:\Windows\System\UNCWtNd.exe
  C:\Windows\System\UNCWtNd.exe
  2⤵
  PID:6976
- C:\Windows\System\DbkUsOM.exe
  C:\Windows\System\DbkUsOM.exe
  2⤵
  PID:7060
- C:\Windows\System\slMtilD.exe
  C:\Windows\System\slMtilD.exe
  2⤵
  PID:7116
- C:\Windows\System\FWbQvGU.exe
  C:\Windows\System\FWbQvGU.exe
  2⤵
  PID:5972
- C:\Windows\System\TTAVUlc.exe
  C:\Windows\System\TTAVUlc.exe
  2⤵
  PID:6260
- C:\Windows\System\BHPjQRQ.exe
  C:\Windows\System\BHPjQRQ.exe
  2⤵
  PID:6396
- C:\Windows\System\jzOupyp.exe
  C:\Windows\System\jzOupyp.exe
  2⤵
  PID:6632
- C:\Windows\System\uADyHaY.exe
  C:\Windows\System\uADyHaY.exe
  2⤵
  PID:6820
- C:\Windows\System\YRStavj.exe
  C:\Windows\System\YRStavj.exe
  2⤵
  PID:6984
- C:\Windows\System\VbYEnTX.exe
  C:\Windows\System\VbYEnTX.exe
  2⤵
  PID:7020
- C:\Windows\System\nYMlilh.exe
  C:\Windows\System\nYMlilh.exe
  2⤵
  PID:6188
- C:\Windows\System\EwXZiQu.exe
  C:\Windows\System\EwXZiQu.exe
  2⤵
  PID:6696
- C:\Windows\System\TSkkwsi.exe
  C:\Windows\System\TSkkwsi.exe
  2⤵
  PID:7112
- C:\Windows\System\xAkIZrF.exe
  C:\Windows\System\xAkIZrF.exe
  2⤵
  PID:6484
- C:\Windows\System\nPzFiyr.exe
  C:\Windows\System\nPzFiyr.exe
  2⤵
  PID:7172
- C:\Windows\System\koQsmyh.exe
  C:\Windows\System\koQsmyh.exe
  2⤵
  PID:7188
- C:\Windows\System\WWBCxfT.exe
  C:\Windows\System\WWBCxfT.exe
  2⤵
  PID:7228
- C:\Windows\System\gHrlBQF.exe
  C:\Windows\System\gHrlBQF.exe
  2⤵
  PID:7248
- C:\Windows\System\ShAiXtb.exe
  C:\Windows\System\ShAiXtb.exe
  2⤵
  PID:7288
- C:\Windows\System\rKXpkeJ.exe
  C:\Windows\System\rKXpkeJ.exe
  2⤵
  PID:7320
- C:\Windows\System\NvXBDML.exe
  C:\Windows\System\NvXBDML.exe
  2⤵
  PID:7344
- C:\Windows\System\UuJmaXt.exe
  C:\Windows\System\UuJmaXt.exe
  2⤵
  PID:7372
- C:\Windows\System\IHflxVg.exe
  C:\Windows\System\IHflxVg.exe
  2⤵
  PID:7404
- C:\Windows\System\gBZGJWi.exe
  C:\Windows\System\gBZGJWi.exe
  2⤵
  PID:7448
- C:\Windows\System\lChYyzb.exe
  C:\Windows\System\lChYyzb.exe
  2⤵
  PID:7468
- C:\Windows\System\ScnnAnS.exe
  C:\Windows\System\ScnnAnS.exe
  2⤵
  PID:7484
- C:\Windows\System\iKCAEoh.exe
  C:\Windows\System\iKCAEoh.exe
  2⤵
  PID:7524
- C:\Windows\System\Oukzymy.exe
  C:\Windows\System\Oukzymy.exe
  2⤵
  PID:7540
- C:\Windows\System\IyvjPBx.exe
  C:\Windows\System\IyvjPBx.exe
  2⤵
  PID:7568
- C:\Windows\System\BgSkodW.exe
  C:\Windows\System\BgSkodW.exe
  2⤵
  PID:7596
- C:\Windows\System\wwUCOHk.exe
  C:\Windows\System\wwUCOHk.exe
  2⤵
  PID:7620
- C:\Windows\System\dnLRDYn.exe
  C:\Windows\System\dnLRDYn.exe
  2⤵
  PID:7652
- C:\Windows\System\zoYMoPN.exe
  C:\Windows\System\zoYMoPN.exe
  2⤵
  PID:7680
- C:\Windows\System\ipOlVfF.exe
  C:\Windows\System\ipOlVfF.exe
  2⤵
  PID:7708
- C:\Windows\System\naXlTTO.exe
  C:\Windows\System\naXlTTO.exe
  2⤵
  PID:7736
- C:\Windows\System\SbLLwEs.exe
  C:\Windows\System\SbLLwEs.exe
  2⤵
  PID:7768
- C:\Windows\System\zKwkrsC.exe
  C:\Windows\System\zKwkrsC.exe
  2⤵
  PID:7808
- C:\Windows\System\CEcqchn.exe
  C:\Windows\System\CEcqchn.exe
  2⤵
  PID:7836
- C:\Windows\System\dECYfIX.exe
  C:\Windows\System\dECYfIX.exe
  2⤵
  PID:7868
- C:\Windows\System\qGmzjYj.exe
  C:\Windows\System\qGmzjYj.exe
  2⤵
  PID:7892
- C:\Windows\System\NwOWjND.exe
  C:\Windows\System\NwOWjND.exe
  2⤵
  PID:7908
- C:\Windows\System\DQZaqkD.exe
  C:\Windows\System\DQZaqkD.exe
  2⤵
  PID:7936
- C:\Windows\System\lGCkHSl.exe
  C:\Windows\System\lGCkHSl.exe
  2⤵
  PID:7968
- C:\Windows\System\zUoLLcd.exe
  C:\Windows\System\zUoLLcd.exe
  2⤵
  PID:7992
- C:\Windows\System\lSEcBVA.exe
  C:\Windows\System\lSEcBVA.exe
  2⤵
  PID:8016
- C:\Windows\System\avlkzwG.exe
  C:\Windows\System\avlkzwG.exe
  2⤵
  PID:8048
- C:\Windows\System\iXlAmZS.exe
  C:\Windows\System\iXlAmZS.exe
  2⤵
  PID:8088
- C:\Windows\System\WTpkpnv.exe
  C:\Windows\System\WTpkpnv.exe
  2⤵
  PID:8104
- C:\Windows\System\BscKufu.exe
  C:\Windows\System\BscKufu.exe
  2⤵
  PID:8144
- C:\Windows\System\jxLGNGV.exe
  C:\Windows\System\jxLGNGV.exe
  2⤵
  PID:8164
- C:\Windows\System\tEFKzXl.exe
  C:\Windows\System\tEFKzXl.exe
  2⤵
  PID:5684
- C:\Windows\System\abwyFCc.exe
  C:\Windows\System\abwyFCc.exe
  2⤵
  PID:7204
- C:\Windows\System\rMaeIrJ.exe
  C:\Windows\System\rMaeIrJ.exe
  2⤵
  PID:7260
- C:\Windows\System\lJGlCTy.exe
  C:\Windows\System\lJGlCTy.exe
  2⤵
  PID:7328
- C:\Windows\System\cVrVGHK.exe
  C:\Windows\System\cVrVGHK.exe
  2⤵
  PID:7388
- C:\Windows\System\QIJuccU.exe
  C:\Windows\System\QIJuccU.exe
  2⤵
  PID:7432
- C:\Windows\System\EfKhIcm.exe
  C:\Windows\System\EfKhIcm.exe
  2⤵
  PID:7512
- C:\Windows\System\DGIVeRf.exe
  C:\Windows\System\DGIVeRf.exe
  2⤵
  PID:7584
- C:\Windows\System\ZSJEPBo.exe
  C:\Windows\System\ZSJEPBo.exe
  2⤵
  PID:7668
- C:\Windows\System\cuGrsUI.exe
  C:\Windows\System\cuGrsUI.exe
  2⤵
  PID:7760
- C:\Windows\System\NAkYnFV.exe
  C:\Windows\System\NAkYnFV.exe
  2⤵
  PID:7800
- C:\Windows\System\APTrPIh.exe
  C:\Windows\System\APTrPIh.exe
  2⤵
  PID:7860
- C:\Windows\System\qFSaIsw.exe
  C:\Windows\System\qFSaIsw.exe
  2⤵
  PID:7928
- C:\Windows\System\egYkkeL.exe
  C:\Windows\System\egYkkeL.exe
  2⤵
  PID:7984
- C:\Windows\System\vEoNpDm.exe
  C:\Windows\System\vEoNpDm.exe
  2⤵
  PID:8036
- C:\Windows\System\zoNPCUM.exe
  C:\Windows\System\zoNPCUM.exe
  2⤵
  PID:8124
- C:\Windows\System\WdEDrqd.exe
  C:\Windows\System\WdEDrqd.exe
  2⤵
  PID:6392
- C:\Windows\System\xIIGhKP.exe
  C:\Windows\System\xIIGhKP.exe
  2⤵
  PID:7240
- C:\Windows\System\ZXVKshI.exe
  C:\Windows\System\ZXVKshI.exe
  2⤵
  PID:7420
- C:\Windows\System\hWuaxde.exe
  C:\Windows\System\hWuaxde.exe
  2⤵
  PID:7552
- C:\Windows\System\sRrECnC.exe
  C:\Windows\System\sRrECnC.exe
  2⤵
  PID:7724
- C:\Windows\System\MpigFpN.exe
  C:\Windows\System\MpigFpN.exe
  2⤵
  PID:7920
- C:\Windows\System\lhPJuAL.exe
  C:\Windows\System\lhPJuAL.exe
  2⤵
  PID:8012
- C:\Windows\System\rHPeTqz.exe
  C:\Windows\System\rHPeTqz.exe
  2⤵
  PID:8152
- C:\Windows\System\jhLuFFP.exe
  C:\Windows\System\jhLuFFP.exe
  2⤵
  PID:7360
- C:\Windows\System\nRPUyLC.exe
  C:\Windows\System\nRPUyLC.exe
  2⤵
  PID:7832
- C:\Windows\System\MkYSbIx.exe
  C:\Windows\System\MkYSbIx.exe
  2⤵
  PID:7412
- C:\Windows\System\cfjLkpo.exe
  C:\Windows\System\cfjLkpo.exe
  2⤵
  PID:7616
- C:\Windows\System\YRvKnlw.exe
  C:\Windows\System\YRvKnlw.exe
  2⤵
  PID:8212
- C:\Windows\System\eFOVUkv.exe
  C:\Windows\System\eFOVUkv.exe
  2⤵
  PID:8240
- C:\Windows\System\OmdaHTY.exe
  C:\Windows\System\OmdaHTY.exe
  2⤵
  PID:8268
- C:\Windows\System\VJsvfHk.exe
  C:\Windows\System\VJsvfHk.exe
  2⤵
  PID:8296
- C:\Windows\System\xabzALO.exe
  C:\Windows\System\xabzALO.exe
  2⤵
  PID:8332
- C:\Windows\System\QFiaBEe.exe
  C:\Windows\System\QFiaBEe.exe
  2⤵
  PID:8352
- C:\Windows\System\tVpdMWx.exe
  C:\Windows\System\tVpdMWx.exe
  2⤵
  PID:8392
- C:\Windows\System\saCaaUk.exe
  C:\Windows\System\saCaaUk.exe
  2⤵
  PID:8408
- C:\Windows\System\PGxRAkQ.exe
  C:\Windows\System\PGxRAkQ.exe
  2⤵
  PID:8448
- C:\Windows\System\HWHNXSK.exe
  C:\Windows\System\HWHNXSK.exe
  2⤵
  PID:8464
- C:\Windows\System\xqeNnUz.exe
  C:\Windows\System\xqeNnUz.exe
  2⤵
  PID:8492
- C:\Windows\System\fDQEqcu.exe
  C:\Windows\System\fDQEqcu.exe
  2⤵
  PID:8520
- C:\Windows\System\nqNgEDz.exe
  C:\Windows\System\nqNgEDz.exe
  2⤵
  PID:8548
- C:\Windows\System\ZoCQUKP.exe
  C:\Windows\System\ZoCQUKP.exe
  2⤵
  PID:8588
- C:\Windows\System\aNTeymm.exe
  C:\Windows\System\aNTeymm.exe
  2⤵
  PID:8604
- C:\Windows\System\QtMSWlP.exe
  C:\Windows\System\QtMSWlP.exe
  2⤵
  PID:8636
- C:\Windows\System\sRqfARt.exe
  C:\Windows\System\sRqfARt.exe
  2⤵
  PID:8664
- C:\Windows\System\LjHeDCe.exe
  C:\Windows\System\LjHeDCe.exe
  2⤵
  PID:8692
- C:\Windows\System\kSsFyed.exe
  C:\Windows\System\kSsFyed.exe
  2⤵
  PID:8720
- C:\Windows\System\MbPHeNa.exe
  C:\Windows\System\MbPHeNa.exe
  2⤵
  PID:8760
- C:\Windows\System\FofPqWd.exe
  C:\Windows\System\FofPqWd.exe
  2⤵
  PID:8780
- C:\Windows\System\aGQlHbd.exe
  C:\Windows\System\aGQlHbd.exe
  2⤵
  PID:8804
- C:\Windows\System\HPoMPdN.exe
  C:\Windows\System\HPoMPdN.exe
  2⤵
  PID:8824
- C:\Windows\System\rPFnXBh.exe
  C:\Windows\System\rPFnXBh.exe
  2⤵
  PID:8860
- C:\Windows\System\lCrVpiA.exe
  C:\Windows\System\lCrVpiA.exe
  2⤵
  PID:8896
- C:\Windows\System\EBeiXfT.exe
  C:\Windows\System\EBeiXfT.exe
  2⤵
  PID:8916
- C:\Windows\System\hBmxIYI.exe
  C:\Windows\System\hBmxIYI.exe
  2⤵
  PID:8944
- C:\Windows\System\ZnukMux.exe
  C:\Windows\System\ZnukMux.exe
  2⤵
  PID:8972
- C:\Windows\System\SWLWtij.exe
  C:\Windows\System\SWLWtij.exe
  2⤵
  PID:9008
- C:\Windows\System\jhSUpzZ.exe
  C:\Windows\System\jhSUpzZ.exe
  2⤵
  PID:9040
- C:\Windows\System\CXZGhMZ.exe
  C:\Windows\System\CXZGhMZ.exe
  2⤵
  PID:9068
- C:\Windows\System\cIDPDoC.exe
  C:\Windows\System\cIDPDoC.exe
  2⤵
  PID:9084
- C:\Windows\System\MEuSwAV.exe
  C:\Windows\System\MEuSwAV.exe
  2⤵
  PID:9104
- C:\Windows\System\HkmTaad.exe
  C:\Windows\System\HkmTaad.exe
  2⤵
  PID:9140
- C:\Windows\System\tjLoaju.exe
  C:\Windows\System\tjLoaju.exe
  2⤵
  PID:9160
- C:\Windows\System\ncXrfqQ.exe
  C:\Windows\System\ncXrfqQ.exe
  2⤵
  PID:9196
- C:\Windows\System\LPsvhTa.exe
  C:\Windows\System\LPsvhTa.exe
  2⤵
  PID:8100
- C:\Windows\System\OUfDrTp.exe
  C:\Windows\System\OUfDrTp.exe
  2⤵
  PID:8224
- C:\Windows\System\FirhRKM.exe
  C:\Windows\System\FirhRKM.exe
  2⤵
  PID:8288
- C:\Windows\System\aRFzYMX.exe
  C:\Windows\System\aRFzYMX.exe
  2⤵
  PID:8380
- C:\Windows\System\iVIMHvu.exe
  C:\Windows\System\iVIMHvu.exe
  2⤵
  PID:8436
- C:\Windows\System\ozsKAYB.exe
  C:\Windows\System\ozsKAYB.exe
  2⤵
  PID:8484
- C:\Windows\System\DfrRiEy.exe
  C:\Windows\System\DfrRiEy.exe
  2⤵
  PID:8572
- C:\Windows\System\YPOjRKp.exe
  C:\Windows\System\YPOjRKp.exe
  2⤵
  PID:8620
- C:\Windows\System\RtmeBBY.exe
  C:\Windows\System\RtmeBBY.exe
  2⤵
  PID:8688
- C:\Windows\System\RTSZdsI.exe
  C:\Windows\System\RTSZdsI.exe
  2⤵
  PID:8768
- C:\Windows\System\YpoAMdR.exe
  C:\Windows\System\YpoAMdR.exe
  2⤵
  PID:8816
- C:\Windows\System\aJcJpWD.exe
  C:\Windows\System\aJcJpWD.exe
  2⤵
  PID:8908
- C:\Windows\System\HcNPEyT.exe
  C:\Windows\System\HcNPEyT.exe
  2⤵
  PID:9016
- C:\Windows\System\jkAcYNu.exe
  C:\Windows\System\jkAcYNu.exe
  2⤵
  PID:9052
- C:\Windows\System\CKTzOWJ.exe
  C:\Windows\System\CKTzOWJ.exe
  2⤵
  PID:9124
- C:\Windows\System\TCsQXYZ.exe
  C:\Windows\System\TCsQXYZ.exe
  2⤵
  PID:9148
- C:\Windows\System\vnItOnF.exe
  C:\Windows\System\vnItOnF.exe
  2⤵
  PID:8196
- C:\Windows\System\NkUQFjB.exe
  C:\Windows\System\NkUQFjB.exe
  2⤵
  PID:8324
- C:\Windows\System\EtFNocj.exe
  C:\Windows\System\EtFNocj.exe
  2⤵
  PID:8476
- C:\Windows\System\swZUrdy.exe
  C:\Windows\System\swZUrdy.exe
  2⤵
  PID:8616
- C:\Windows\System\KDCcnaM.exe
  C:\Windows\System\KDCcnaM.exe
  2⤵
  PID:8704
- C:\Windows\System\DGrLGHz.exe
  C:\Windows\System\DGrLGHz.exe
  2⤵
  PID:8928
- C:\Windows\System\xnvccWF.exe
  C:\Windows\System\xnvccWF.exe
  2⤵
  PID:9100
- C:\Windows\System\qkEhiUL.exe
  C:\Windows\System\qkEhiUL.exe
  2⤵
  PID:9180
- C:\Windows\System\yBKFVis.exe
  C:\Windows\System\yBKFVis.exe
  2⤵
  PID:8404
- C:\Windows\System\lJvynyl.exe
  C:\Windows\System\lJvynyl.exe
  2⤵
  PID:8964
- C:\Windows\System\iPqlFyA.exe
  C:\Windows\System\iPqlFyA.exe
  2⤵
  PID:9028
- C:\Windows\System\VZNeAwt.exe
  C:\Windows\System\VZNeAwt.exe
  2⤵
  PID:9032
- C:\Windows\System\awNsaHJ.exe
  C:\Windows\System\awNsaHJ.exe
  2⤵
  PID:9244
- C:\Windows\System\pjSUslB.exe
  C:\Windows\System\pjSUslB.exe
  2⤵
  PID:9272
- C:\Windows\System\QUCqPjL.exe
  C:\Windows\System\QUCqPjL.exe
  2⤵
  PID:9300
- C:\Windows\System\MgoCpYA.exe
  C:\Windows\System\MgoCpYA.exe
  2⤵
  PID:9328
- C:\Windows\System\jGSDGnw.exe
  C:\Windows\System\jGSDGnw.exe
  2⤵
  PID:9348
- C:\Windows\System\sPaiPnx.exe
  C:\Windows\System\sPaiPnx.exe
  2⤵
  PID:9384
- C:\Windows\System\eMdSJqc.exe
  C:\Windows\System\eMdSJqc.exe
  2⤵
  PID:9416
- C:\Windows\System\SJfGidU.exe
  C:\Windows\System\SJfGidU.exe
  2⤵
  PID:9440
- C:\Windows\System\EKcvZZU.exe
  C:\Windows\System\EKcvZZU.exe
  2⤵
  PID:9460
- C:\Windows\System\ozorAFm.exe
  C:\Windows\System\ozorAFm.exe
  2⤵
  PID:9500
- C:\Windows\System\zYgNFKl.exe
  C:\Windows\System\zYgNFKl.exe
  2⤵
  PID:9520
- C:\Windows\System\aaKifMu.exe
  C:\Windows\System\aaKifMu.exe
  2⤵
  PID:9548
- C:\Windows\System\UlcwwPq.exe
  C:\Windows\System\UlcwwPq.exe
  2⤵
  PID:9584
- C:\Windows\System\DNgUTXW.exe
  C:\Windows\System\DNgUTXW.exe
  2⤵
  PID:9620
- C:\Windows\System\GsxSIhQ.exe
  C:\Windows\System\GsxSIhQ.exe
  2⤵
  PID:9652
- C:\Windows\System\nRhnxiC.exe
  C:\Windows\System\nRhnxiC.exe
  2⤵
  PID:9672
- C:\Windows\System\VuOFiCu.exe
  C:\Windows\System\VuOFiCu.exe
  2⤵
  PID:9704
- C:\Windows\System\WHedOKy.exe
  C:\Windows\System\WHedOKy.exe
  2⤵
  PID:9728
- C:\Windows\System\ljZFdxC.exe
  C:\Windows\System\ljZFdxC.exe
  2⤵
  PID:9752
- C:\Windows\System\rBdnXOC.exe
  C:\Windows\System\rBdnXOC.exe
  2⤵
  PID:9768
- C:\Windows\System\FznwBRK.exe
  C:\Windows\System\FznwBRK.exe
  2⤵
  PID:9784
- C:\Windows\System\RoQLXeH.exe
  C:\Windows\System\RoQLXeH.exe
  2⤵
  PID:9800
- C:\Windows\System\wVDZOpN.exe
  C:\Windows\System\wVDZOpN.exe
  2⤵
  PID:9852
- C:\Windows\System\YgSGUpY.exe
  C:\Windows\System\YgSGUpY.exe
  2⤵
  PID:9880
- C:\Windows\System\JJJrJDp.exe
  C:\Windows\System\JJJrJDp.exe
  2⤵
  PID:9900
- C:\Windows\System\EEwfmZf.exe
  C:\Windows\System\EEwfmZf.exe
  2⤵
  PID:9936
- C:\Windows\System\kRTxGoL.exe
  C:\Windows\System\kRTxGoL.exe
  2⤵
  PID:9960
- C:\Windows\System\dDoMErP.exe
  C:\Windows\System\dDoMErP.exe
  2⤵
  PID:9992
- C:\Windows\System\XatwIUf.exe
  C:\Windows\System\XatwIUf.exe
  2⤵
  PID:10028
- C:\Windows\System\focYRTe.exe
  C:\Windows\System\focYRTe.exe
  2⤵
  PID:10060
- C:\Windows\System\xdsaZOS.exe
  C:\Windows\System\xdsaZOS.exe
  2⤵
  PID:10080
- C:\Windows\System\BLCSzVQ.exe
  C:\Windows\System\BLCSzVQ.exe
  2⤵
  PID:10100
- C:\Windows\System\POlpZtZ.exe
  C:\Windows\System\POlpZtZ.exe
  2⤵
  PID:10124
- C:\Windows\System\IeRduQI.exe
  C:\Windows\System\IeRduQI.exe
  2⤵
  PID:10160
- C:\Windows\System\pdNmsDY.exe
  C:\Windows\System\pdNmsDY.exe
  2⤵
  PID:10196
- C:\Windows\System\MHihxNg.exe
  C:\Windows\System\MHihxNg.exe
  2⤵
  PID:10228
- C:\Windows\System\klXToVV.exe
  C:\Windows\System\klXToVV.exe
  2⤵
  PID:9240
- C:\Windows\System\GDezCZy.exe
  C:\Windows\System\GDezCZy.exe
  2⤵
  PID:9312
- C:\Windows\System\BJSoBLS.exe
  C:\Windows\System\BJSoBLS.exe
  2⤵
  PID:9364
- C:\Windows\System\HngBXRn.exe
  C:\Windows\System\HngBXRn.exe
  2⤵
  PID:9400
- C:\Windows\System\ptTNAxS.exe
  C:\Windows\System\ptTNAxS.exe
  2⤵
  PID:9456
- C:\Windows\System\QzaUzCv.exe
  C:\Windows\System\QzaUzCv.exe
  2⤵
  PID:8632
- C:\Windows\System\NzhxdsR.exe
  C:\Windows\System\NzhxdsR.exe
  2⤵
  PID:9572
- C:\Windows\System\rRdOLWn.exe
  C:\Windows\System\rRdOLWn.exe
  2⤵
  PID:9648
- C:\Windows\System\jvsXEGP.exe
  C:\Windows\System\jvsXEGP.exe
  2⤵
  PID:9680
- C:\Windows\System\YDzobNH.exe
  C:\Windows\System\YDzobNH.exe
  2⤵
  PID:9720
- C:\Windows\System\UnLZTkM.exe
  C:\Windows\System\UnLZTkM.exe
  2⤵
  PID:9828
- C:\Windows\System\AKiaBxr.exe
  C:\Windows\System\AKiaBxr.exe
  2⤵
  PID:9924
- C:\Windows\System\BLKWvGz.exe
  C:\Windows\System\BLKWvGz.exe
  2⤵
  PID:9972
- C:\Windows\System\BBVSrPd.exe
  C:\Windows\System\BBVSrPd.exe
  2⤵
  PID:10052
- C:\Windows\System\EGZlYmZ.exe
  C:\Windows\System\EGZlYmZ.exe
  2⤵
  PID:10088
- C:\Windows\System\kctjDCC.exe
  C:\Windows\System\kctjDCC.exe
  2⤵
  PID:10144
- C:\Windows\System\vkIeGNI.exe
  C:\Windows\System\vkIeGNI.exe
  2⤵
  PID:10204
- C:\Windows\System\vGomthI.exe
  C:\Windows\System\vGomthI.exe
  2⤵
  PID:9372
- C:\Windows\System\MXKtPxb.exe
  C:\Windows\System\MXKtPxb.exe
  2⤵
  PID:9536
- C:\Windows\System\esoWaCV.exe
  C:\Windows\System\esoWaCV.exe
  2⤵
  PID:9716
- C:\Windows\System\aXgBXEV.exe
  C:\Windows\System\aXgBXEV.exe
  2⤵
  PID:9892
- C:\Windows\System\DIWdnwd.exe
  C:\Windows\System\DIWdnwd.exe
  2⤵
  PID:9980
- C:\Windows\System\cUkzGAx.exe
  C:\Windows\System\cUkzGAx.exe
  2⤵
  PID:10132
- C:\Windows\System\uecqowH.exe
  C:\Windows\System\uecqowH.exe
  2⤵
  PID:9432
- C:\Windows\System\hIuNaAX.exe
  C:\Windows\System\hIuNaAX.exe
  2⤵
  PID:9740
- C:\Windows\System\akPRhuW.exe
  C:\Windows\System\akPRhuW.exe
  2⤵
  PID:9832
- C:\Windows\System\mXGGOIM.exe
  C:\Windows\System\mXGGOIM.exe
  2⤵
  PID:9284
- C:\Windows\System\GaQMJvs.exe
  C:\Windows\System\GaQMJvs.exe
  2⤵
  PID:8872
- C:\Windows\System\VAKgxgr.exe
  C:\Windows\System\VAKgxgr.exe
  2⤵
  PID:10244
- C:\Windows\System\xlkoQMo.exe
  C:\Windows\System\xlkoQMo.exe
  2⤵
  PID:10280
- C:\Windows\System\VlqunsI.exe
  C:\Windows\System\VlqunsI.exe
  2⤵
  PID:10320
- C:\Windows\System\QYmcCoU.exe
  C:\Windows\System\QYmcCoU.exe
  2⤵
  PID:10336
- C:\Windows\System\PZZjJXM.exe
  C:\Windows\System\PZZjJXM.exe
  2⤵
  PID:10364
- C:\Windows\System\czhXbba.exe
  C:\Windows\System\czhXbba.exe
  2⤵
  PID:10392
- C:\Windows\System\kfjlgNa.exe
  C:\Windows\System\kfjlgNa.exe
  2⤵
  PID:10424
- C:\Windows\System\kCoKwjz.exe
  C:\Windows\System\kCoKwjz.exe
  2⤵
  PID:10448
- C:\Windows\System\iairepQ.exe
  C:\Windows\System\iairepQ.exe
  2⤵
  PID:10480
- C:\Windows\System\xleVkfS.exe
  C:\Windows\System\xleVkfS.exe
  2⤵
  PID:10504
- C:\Windows\System\NEKZtRc.exe
  C:\Windows\System\NEKZtRc.exe
  2⤵
  PID:10532
- C:\Windows\System\JCzWTzC.exe
  C:\Windows\System\JCzWTzC.exe
  2⤵
  PID:10568
- C:\Windows\System\IukDesf.exe
  C:\Windows\System\IukDesf.exe
  2⤵
  PID:10596
- C:\Windows\System\gFeAokn.exe
  C:\Windows\System\gFeAokn.exe
  2⤵
  PID:10620
- C:\Windows\System\mYEwlTZ.exe
  C:\Windows\System\mYEwlTZ.exe
  2⤵
  PID:10640
- C:\Windows\System\gzjdCbm.exe
  C:\Windows\System\gzjdCbm.exe
  2⤵
  PID:10676
- C:\Windows\System\AAMQPlk.exe
  C:\Windows\System\AAMQPlk.exe
  2⤵
  PID:10692
- C:\Windows\System\HNXqdNF.exe
  C:\Windows\System\HNXqdNF.exe
  2⤵
  PID:10720
- C:\Windows\System\QLlYyNW.exe
  C:\Windows\System\QLlYyNW.exe
  2⤵
  PID:10748
- C:\Windows\System\jYxBOSb.exe
  C:\Windows\System\jYxBOSb.exe
  2⤵
  PID:10764
- C:\Windows\System\BevZCBS.exe
  C:\Windows\System\BevZCBS.exe
  2⤵
  PID:10796
- C:\Windows\System\jEgwrWg.exe
  C:\Windows\System\jEgwrWg.exe
  2⤵
  PID:10824
- C:\Windows\System\zXMkxUw.exe
  C:\Windows\System\zXMkxUw.exe
  2⤵
  PID:10860
- C:\Windows\System\PEPKWKF.exe
  C:\Windows\System\PEPKWKF.exe
  2⤵
  PID:10892
- C:\Windows\System\rtusYXP.exe
  C:\Windows\System\rtusYXP.exe
  2⤵
  PID:10924
- C:\Windows\System\xAIRYZv.exe
  C:\Windows\System\xAIRYZv.exe
  2⤵
  PID:10968
- C:\Windows\System\bbsPApA.exe
  C:\Windows\System\bbsPApA.exe
  2⤵
  PID:10988
- C:\Windows\System\GDwSguW.exe
  C:\Windows\System\GDwSguW.exe
  2⤵
  PID:11016
- C:\Windows\System\zwuZAGw.exe
  C:\Windows\System\zwuZAGw.exe
  2⤵
  PID:11052
- C:\Windows\System\yimQRre.exe
  C:\Windows\System\yimQRre.exe
  2⤵
  PID:11084
- C:\Windows\System\hjpAEPs.exe
  C:\Windows\System\hjpAEPs.exe
  2⤵
  PID:11100
- C:\Windows\System\WptoBOg.exe
  C:\Windows\System\WptoBOg.exe
  2⤵
  PID:11132
- C:\Windows\System\HInOixU.exe
  C:\Windows\System\HInOixU.exe
  2⤵
  PID:11168
- C:\Windows\System\bACoupq.exe
  C:\Windows\System\bACoupq.exe
  2⤵
  PID:11184
- C:\Windows\System\ENwzrgU.exe
  C:\Windows\System\ENwzrgU.exe
  2⤵
  PID:11224
- C:\Windows\System\WzXFVmM.exe
  C:\Windows\System\WzXFVmM.exe
  2⤵
  PID:11248
- C:\Windows\System\JJSDPzW.exe
  C:\Windows\System\JJSDPzW.exe
  2⤵
  PID:10260
- C:\Windows\System\VxKAGTs.exe
  C:\Windows\System\VxKAGTs.exe
  2⤵
  PID:10312
- C:\Windows\System\pwwWAMx.exe
  C:\Windows\System\pwwWAMx.exe
  2⤵
  PID:10348
- C:\Windows\System\avvGrLZ.exe
  C:\Windows\System\avvGrLZ.exe
  2⤵
  PID:10436
- C:\Windows\System\BOgkBje.exe
  C:\Windows\System\BOgkBje.exe
  2⤵
  PID:10520
- C:\Windows\System\DHBHEbJ.exe
  C:\Windows\System\DHBHEbJ.exe
  2⤵
  PID:10580
- C:\Windows\System\moHltFy.exe
  C:\Windows\System\moHltFy.exe
  2⤵
  PID:10628
- C:\Windows\System\jbPbRMK.exe
  C:\Windows\System\jbPbRMK.exe
  2⤵
  PID:10672
- C:\Windows\System\dsRIsbH.exe
  C:\Windows\System\dsRIsbH.exe
  2⤵
  PID:10756
- C:\Windows\System\XOrtCHX.exe
  C:\Windows\System\XOrtCHX.exe
  2⤵
  PID:10804
- C:\Windows\System\hBIMyqP.exe
  C:\Windows\System\hBIMyqP.exe
  2⤵
  PID:10904
- C:\Windows\System\hikbiAd.exe
  C:\Windows\System\hikbiAd.exe
  2⤵
  PID:10932
- C:\Windows\System\kEtLZEW.exe
  C:\Windows\System\kEtLZEW.exe
  2⤵
  PID:11028
- C:\Windows\System\oXFZpbQ.exe
  C:\Windows\System\oXFZpbQ.exe
  2⤵
  PID:11076
- C:\Windows\System\FhcXXKQ.exe
  C:\Windows\System\FhcXXKQ.exe
  2⤵
  PID:11120
- C:\Windows\System\HDEsKXX.exe
  C:\Windows\System\HDEsKXX.exe
  2⤵
  PID:11180
- C:\Windows\System\vYMvnzM.exe
  C:\Windows\System\vYMvnzM.exe
  2⤵
  PID:10264
- C:\Windows\System\VMtHazO.exe
  C:\Windows\System\VMtHazO.exe
  2⤵
  PID:10332
- C:\Windows\System\RZODNdG.exe
  C:\Windows\System\RZODNdG.exe
  2⤵
  PID:10492
- C:\Windows\System\THPbHLx.exe
  C:\Windows\System\THPbHLx.exe
  2⤵
  PID:10604
- C:\Windows\System\GDXQGpC.exe
  C:\Windows\System\GDXQGpC.exe
  2⤵
  PID:10780
- C:\Windows\System\kqTUGIb.exe
  C:\Windows\System\kqTUGIb.exe
  2⤵
  PID:10984
- C:\Windows\System\ivVytzE.exe
  C:\Windows\System\ivVytzE.exe
  2⤵
  PID:11116
- C:\Windows\System\PZpkVCD.exe
  C:\Windows\System\PZpkVCD.exe
  2⤵
  PID:11256
- C:\Windows\System\iVFgBWs.exe
  C:\Windows\System\iVFgBWs.exe
  2⤵
  PID:10524
- C:\Windows\System\SqUWhjI.exe
  C:\Windows\System\SqUWhjI.exe
  2⤵
  PID:11232
- C:\Windows\System\aoVMzcH.exe
  C:\Windows\System\aoVMzcH.exe
  2⤵
  PID:10948
- C:\Windows\System\xBzKnGV.exe
  C:\Windows\System\xBzKnGV.exe
  2⤵
  PID:11280
- C:\Windows\System\iwwqjnJ.exe
  C:\Windows\System\iwwqjnJ.exe
  2⤵
  PID:11300
- C:\Windows\System\eccGbOG.exe
  C:\Windows\System\eccGbOG.exe
  2⤵
  PID:11340
- C:\Windows\System\SdbFsNA.exe
  C:\Windows\System\SdbFsNA.exe
  2⤵
  PID:11376
- C:\Windows\System\ssyiqbs.exe
  C:\Windows\System\ssyiqbs.exe
  2⤵
  PID:11404
- C:\Windows\System\rPIrGre.exe
  C:\Windows\System\rPIrGre.exe
  2⤵
  PID:11440
- C:\Windows\System\SedeYQa.exe
  C:\Windows\System\SedeYQa.exe
  2⤵
  PID:11456
- C:\Windows\System\ceYRvbZ.exe
  C:\Windows\System\ceYRvbZ.exe
  2⤵
  PID:11488
- C:\Windows\System\xGphqOg.exe
  C:\Windows\System\xGphqOg.exe
  2⤵
  PID:11516
- C:\Windows\System\IsaQdbx.exe
  C:\Windows\System\IsaQdbx.exe
  2⤵
  PID:11544
- C:\Windows\System\gAnicTG.exe
  C:\Windows\System\gAnicTG.exe
  2⤵
  PID:11564
- C:\Windows\System\iHMVSoi.exe
  C:\Windows\System\iHMVSoi.exe
  2⤵
  PID:11584
- C:\Windows\System\arWcqUS.exe
  C:\Windows\System\arWcqUS.exe
  2⤵
  PID:11608
- C:\Windows\System\wGXeYZf.exe
  C:\Windows\System\wGXeYZf.exe
  2⤵
  PID:11652
- C:\Windows\System\grAsBhq.exe
  C:\Windows\System\grAsBhq.exe
  2⤵
  PID:11668
- C:\Windows\System\sdCIKQX.exe
  C:\Windows\System\sdCIKQX.exe
  2⤵
  PID:11700
- C:\Windows\System\ocNOrNV.exe
  C:\Windows\System\ocNOrNV.exe
  2⤵
  PID:11740
- C:\Windows\System\YuUJfPe.exe
  C:\Windows\System\YuUJfPe.exe
  2⤵
  PID:11796
- C:\Windows\System\sjBUKfI.exe
  C:\Windows\System\sjBUKfI.exe
  2⤵
  PID:11812
- C:\Windows\System\SJGMgxc.exe
  C:\Windows\System\SJGMgxc.exe
  2⤵
  PID:11828
- C:\Windows\System\IzTAppJ.exe
  C:\Windows\System\IzTAppJ.exe
  2⤵
  PID:11860
- C:\Windows\System\EnLufqP.exe
  C:\Windows\System\EnLufqP.exe
  2⤵
  PID:11896
- C:\Windows\System\hqNJlfX.exe
  C:\Windows\System\hqNJlfX.exe
  2⤵
  PID:11924
- C:\Windows\System\OqfhORA.exe
  C:\Windows\System\OqfhORA.exe
  2⤵
  PID:11940
- C:\Windows\System\ibIJVsU.exe
  C:\Windows\System\ibIJVsU.exe
  2⤵
  PID:11976
- C:\Windows\System\ORYtbFo.exe
  C:\Windows\System\ORYtbFo.exe
  2⤵
  PID:12000
- C:\Windows\System\HFKVlUv.exe
  C:\Windows\System\HFKVlUv.exe
  2⤵
  PID:12028
- C:\Windows\System\gMVmNLk.exe
  C:\Windows\System\gMVmNLk.exe
  2⤵
  PID:12052
- C:\Windows\System\MoaRPYU.exe
  C:\Windows\System\MoaRPYU.exe
  2⤵
  PID:12080
- C:\Windows\System\KkwuRAR.exe
  C:\Windows\System\KkwuRAR.exe
  2⤵
  PID:12116
- C:\Windows\System\UfoDPUo.exe
  C:\Windows\System\UfoDPUo.exe
  2⤵
  PID:12152
- C:\Windows\System\CJtzGad.exe
  C:\Windows\System\CJtzGad.exe
  2⤵
  PID:12168
- C:\Windows\System\dqXGIkP.exe
  C:\Windows\System\dqXGIkP.exe
  2⤵
  PID:12184
- C:\Windows\System\nqClOPU.exe
  C:\Windows\System\nqClOPU.exe
  2⤵
  PID:12208
- C:\Windows\System\zfCJwQc.exe
  C:\Windows\System\zfCJwQc.exe
  2⤵
  PID:12240
- C:\Windows\System\rMHNzWH.exe
  C:\Windows\System\rMHNzWH.exe
  2⤵
  PID:12268
- C:\Windows\System\afSXoLk.exe
  C:\Windows\System\afSXoLk.exe
  2⤵
  PID:10856
- C:\Windows\System\wTiDset.exe
  C:\Windows\System\wTiDset.exe
  2⤵
  PID:11288
- C:\Windows\System\LFtjrCU.exe
  C:\Windows\System\LFtjrCU.exe
  2⤵
  PID:11428
- C:\Windows\System\bUrlmjz.exe
  C:\Windows\System\bUrlmjz.exe
  2⤵
  PID:11476
- C:\Windows\System\geCjdyt.exe
  C:\Windows\System\geCjdyt.exe
  2⤵
  PID:11532
- C:\Windows\System\vPXowCH.exe
  C:\Windows\System\vPXowCH.exe
  2⤵
  PID:11620
- C:\Windows\System\mofQCCj.exe
  C:\Windows\System\mofQCCj.exe
  2⤵
  PID:11688
- C:\Windows\System\btlRrmd.exe
  C:\Windows\System\btlRrmd.exe
  2⤵
  PID:11752
- C:\Windows\System\tanWVQA.exe
  C:\Windows\System\tanWVQA.exe
  2⤵
  PID:10840
- C:\Windows\System\pDTdeAW.exe
  C:\Windows\System\pDTdeAW.exe
  2⤵
  PID:11808
- C:\Windows\System\Mrnratp.exe
  C:\Windows\System\Mrnratp.exe
  2⤵
  PID:11892
- C:\Windows\System\bovNYmf.exe
  C:\Windows\System\bovNYmf.exe
  2⤵
  PID:11936
- C:\Windows\System\BgSsYhl.exe
  C:\Windows\System\BgSsYhl.exe
  2⤵
  PID:12036
- C:\Windows\System\IUyBDda.exe
  C:\Windows\System\IUyBDda.exe
  2⤵
  PID:12092
- C:\Windows\System\UFHDyeI.exe
  C:\Windows\System\UFHDyeI.exe
  2⤵
  PID:12160
- C:\Windows\System\pCnAvfF.exe
  C:\Windows\System\pCnAvfF.exe
  2⤵
  PID:12196
- C:\Windows\System\yfWyUrw.exe
  C:\Windows\System\yfWyUrw.exe
  2⤵
  PID:12264
- C:\Windows\System\NesHxSX.exe
  C:\Windows\System\NesHxSX.exe
  2⤵
  PID:11372
- C:\Windows\System\eYpLFau.exe
  C:\Windows\System\eYpLFau.exe
  2⤵
  PID:11504
- C:\Windows\System\fggSykm.exe
  C:\Windows\System\fggSykm.exe
  2⤵
  PID:11600
- C:\Windows\System\HxmcEFT.exe
  C:\Windows\System\HxmcEFT.exe
  2⤵
  PID:11772
- C:\Windows\System\YzRAgAs.exe
  C:\Windows\System\YzRAgAs.exe
  2⤵
  PID:11868
- C:\Windows\System\fxOAVml.exe
  C:\Windows\System\fxOAVml.exe
  2⤵
  PID:11908
- C:\Windows\System\jhKMazo.exe
  C:\Windows\System\jhKMazo.exe
  2⤵
  PID:12180
- C:\Windows\System\escYdck.exe
  C:\Windows\System\escYdck.exe
  2⤵
  PID:10376
- C:\Windows\System\bBtmoVj.exe
  C:\Windows\System\bBtmoVj.exe
  2⤵
  PID:11820
- C:\Windows\System\OmMEFYF.exe
  C:\Windows\System\OmMEFYF.exe
  2⤵
  PID:11764
- C:\Windows\System\DRdYSvb.exe
  C:\Windows\System\DRdYSvb.exe
  2⤵
  PID:11576
- C:\Windows\System\srqELLl.exe
  C:\Windows\System\srqELLl.exe
  2⤵
  PID:11932
- C:\Windows\System\jBFqZFC.exe
  C:\Windows\System\jBFqZFC.exe
  2⤵
  PID:12304
- C:\Windows\System\NDzVdfg.exe
  C:\Windows\System\NDzVdfg.exe
  2⤵
  PID:12348
- C:\Windows\System\qzwATrx.exe
  C:\Windows\System\qzwATrx.exe
  2⤵
  PID:12376
- C:\Windows\System\GlYPVpY.exe
  C:\Windows\System\GlYPVpY.exe
  2⤵
  PID:12404
- C:\Windows\System\jDHyvIa.exe
  C:\Windows\System\jDHyvIa.exe
  2⤵
  PID:12440
- C:\Windows\System\QsAOltX.exe
  C:\Windows\System\QsAOltX.exe
  2⤵
  PID:12460
- C:\Windows\System\EDifpLs.exe
  C:\Windows\System\EDifpLs.exe
  2⤵
  PID:12488
- C:\Windows\System\lAWMqFj.exe
  C:\Windows\System\lAWMqFj.exe
  2⤵
  PID:12504
- C:\Windows\System\URNXMEZ.exe
  C:\Windows\System\URNXMEZ.exe
  2⤵
  PID:12532
- C:\Windows\System\ArOIyKK.exe
  C:\Windows\System\ArOIyKK.exe
  2⤵
  PID:12548
- C:\Windows\System\OZmwUwm.exe
  C:\Windows\System\OZmwUwm.exe
  2⤵
  PID:12564
- C:\Windows\System\AwLMgUT.exe
  C:\Windows\System\AwLMgUT.exe
  2⤵
  PID:12604
- C:\Windows\System\udDJQHY.exe
  C:\Windows\System\udDJQHY.exe
  2⤵
  PID:12640
- C:\Windows\System\nDjTgkQ.exe
  C:\Windows\System\nDjTgkQ.exe
  2⤵
  PID:12672
- C:\Windows\System\CeymFrA.exe
  C:\Windows\System\CeymFrA.exe
  2⤵
  PID:12704
- C:\Windows\System\ETPOWPq.exe
  C:\Windows\System\ETPOWPq.exe
  2⤵
  PID:12740
- C:\Windows\System\wyqQOEU.exe
  C:\Windows\System\wyqQOEU.exe
  2⤵
  PID:12760
- C:\Windows\System\HZucjDQ.exe
  C:\Windows\System\HZucjDQ.exe
  2⤵
  PID:12784
- C:\Windows\System\AinbmaQ.exe
  C:\Windows\System\AinbmaQ.exe
  2⤵
  PID:12816
- C:\Windows\System\CbcZzKG.exe
  C:\Windows\System\CbcZzKG.exe
  2⤵
  PID:12840
- C:\Windows\System\WnoyiPj.exe
  C:\Windows\System\WnoyiPj.exe
  2⤵
  PID:12868
- C:\Windows\System\hYaBsMc.exe
  C:\Windows\System\hYaBsMc.exe
  2⤵
  PID:12900
- C:\Windows\System\zZQPzxM.exe
  C:\Windows\System\zZQPzxM.exe
  2⤵
  PID:12936
- C:\Windows\System\QUZwpuS.exe
  C:\Windows\System\QUZwpuS.exe
  2⤵
  PID:12956
- C:\Windows\System\PyJUwZa.exe
  C:\Windows\System\PyJUwZa.exe
  2⤵
  PID:12988
- C:\Windows\System\uuLaCFf.exe
  C:\Windows\System\uuLaCFf.exe
  2⤵
  PID:13024
- C:\Windows\System\homMyUl.exe
  C:\Windows\System\homMyUl.exe
  2⤵
  PID:13040
- C:\Windows\System\zhzuttK.exe
  C:\Windows\System\zhzuttK.exe
  2⤵
  PID:13068
- C:\Windows\System\kIpyvrr.exe
  C:\Windows\System\kIpyvrr.exe
  2⤵
  PID:13108
- C:\Windows\System\JWrPamg.exe
  C:\Windows\System\JWrPamg.exe
  2⤵
  PID:13124
- C:\Windows\System\MtSLroX.exe
  C:\Windows\System\MtSLroX.exe
  2⤵
  PID:13152
- C:\Windows\System\DdWEIvz.exe
  C:\Windows\System\DdWEIvz.exe
  2⤵
  PID:13192
- C:\Windows\System\GFEdQpo.exe
  C:\Windows\System\GFEdQpo.exe
  2⤵
  PID:13220
- C:\Windows\System\AvzzWCX.exe
  C:\Windows\System\AvzzWCX.exe
  2⤵
  PID:13252
- C:\Windows\System\ISSJgEH.exe
  C:\Windows\System\ISSJgEH.exe
  2⤵
  PID:13284
- C:\Windows\System\WcrWDlR.exe
  C:\Windows\System\WcrWDlR.exe
  2⤵
  PID:11464
- C:\Windows\System\PBdaGxa.exe
  C:\Windows\System\PBdaGxa.exe
  2⤵
  PID:12292
- C:\Windows\System\kgdPSBT.exe
  C:\Windows\System\kgdPSBT.exe
  2⤵
  PID:12368
- C:\Windows\System\OhZqToO.exe
  C:\Windows\System\OhZqToO.exe
  2⤵
  PID:12436
- C:\Windows\System\OQponCb.exe
  C:\Windows\System\OQponCb.exe
  2⤵
  PID:12472
- C:\Windows\System\FOoViIw.exe
  C:\Windows\System\FOoViIw.exe
  2⤵
  PID:12540
- C:\Windows\System\KmnHCkK.exe
  C:\Windows\System\KmnHCkK.exe
  2⤵
  PID:12584
- C:\Windows\System\KEvgNoG.exe
  C:\Windows\System\KEvgNoG.exe
  2⤵
  PID:12660
- C:\Windows\System\LJdupsv.exe
  C:\Windows\System\LJdupsv.exe
  2⤵
  PID:12728
- C:\Windows\System\BpUFcLy.exe
  C:\Windows\System\BpUFcLy.exe
  2⤵
  PID:4872
- C:\Windows\System\FnwkrjS.exe
  C:\Windows\System\FnwkrjS.exe
  2⤵
  PID:12812
- C:\Windows\System\iDYXRcq.exe
  C:\Windows\System\iDYXRcq.exe
  2⤵
  PID:848
- C:\Windows\System\BBQUIBf.exe
  C:\Windows\System\BBQUIBf.exe
  2⤵
  PID:12912
- C:\Windows\System\tWNkbJq.exe
  C:\Windows\System\tWNkbJq.exe
  2⤵
  PID:13012
- C:\Windows\System\FMrNyAX.exe
  C:\Windows\System\FMrNyAX.exe
  2⤵
  PID:13032
- C:\Windows\System\MvasZYI.exe
  C:\Windows\System\MvasZYI.exe
  2⤵
  PID:13080
- C:\Windows\System\LjZdhFt.exe
  C:\Windows\System\LjZdhFt.exe
  2⤵
  PID:13172
- C:\Windows\System\KjFbtmD.exe
  C:\Windows\System\KjFbtmD.exe
  2⤵
  PID:13236
- C:\Windows\System\iWKXEpA.exe
  C:\Windows\System\iWKXEpA.exe
  2⤵
  PID:12332
- C:\Windows\System\qgAUyxa.exe
  C:\Windows\System\qgAUyxa.exe
  2⤵
  PID:12400
- C:\Windows\System\zqBRbsQ.exe
  C:\Windows\System\zqBRbsQ.exe
  2⤵
  PID:12596
- C:\Windows\System\jFpWlKJ.exe
  C:\Windows\System\jFpWlKJ.exe
  2⤵
  PID:2372
- C:\Windows\System\zRACbLg.exe
  C:\Windows\System\zRACbLg.exe
  2⤵
  PID:3028
- C:\Windows\System\XecmgjT.exe
  C:\Windows\System\XecmgjT.exe
  2⤵
  PID:12948
- C:\Windows\System\aHiaZYY.exe
  C:\Windows\System\aHiaZYY.exe
  2⤵
  PID:13056
- C:\Windows\System\iMphBEY.exe
  C:\Windows\System\iMphBEY.exe
  2⤵
  PID:13216
- C:\Windows\System\NMxFjGI.exe
  C:\Windows\System\NMxFjGI.exe
  2⤵
  PID:3992
- C:\Windows\System\SSQFJkK.exe
  C:\Windows\System\SSQFJkK.exe
  2⤵
  PID:2824
- C:\Windows\System\ywppvYf.exe
  C:\Windows\System\ywppvYf.exe
  2⤵
  PID:1832
- C:\Windows\System\WrIXdis.exe
  C:\Windows\System\WrIXdis.exe
  2⤵
  PID:13272
- C:\Windows\System\oPrCiuD.exe
  C:\Windows\System\oPrCiuD.exe
  2⤵
  PID:12716
- C:\Windows\System\FQpfWmd.exe
  C:\Windows\System\FQpfWmd.exe
  2⤵
  PID:13332
- C:\Windows\System\BqIpPpN.exe
  C:\Windows\System\BqIpPpN.exe
  2⤵
  PID:13360
- C:\Windows\System\lZHhOGA.exe
  C:\Windows\System\lZHhOGA.exe
  2⤵
  PID:13400
- C:\Windows\System\BIwFAqr.exe
  C:\Windows\System\BIwFAqr.exe
  2⤵
  PID:13428
- C:\Windows\System\aAzyOmL.exe
  C:\Windows\System\aAzyOmL.exe
  2⤵
  PID:13456
- C:\Windows\System\MZozHJI.exe
  C:\Windows\System\MZozHJI.exe
  2⤵
  PID:13484
- C:\Windows\System\dolPyEW.exe
  C:\Windows\System\dolPyEW.exe
  2⤵
  PID:13500
- C:\Windows\System\FzTTwXO.exe
  C:\Windows\System\FzTTwXO.exe
  2⤵
  PID:13528
- C:\Windows\System\VaAzPUQ.exe
  C:\Windows\System\VaAzPUQ.exe
  2⤵
  PID:13568
- C:\Windows\System\LWaVZTv.exe
  C:\Windows\System\LWaVZTv.exe
  2⤵
  PID:13592
- C:\Windows\System\rCTLJWw.exe
  C:\Windows\System\rCTLJWw.exe
  2⤵
  PID:13620
- C:\Windows\System\ynVOwvr.exe
  C:\Windows\System\ynVOwvr.exe
  2⤵
  PID:13640
- C:\Windows\System\agwdsxS.exe
  C:\Windows\System\agwdsxS.exe
  2⤵
  PID:13680
- C:\Windows\System\DhFfqqG.exe
  C:\Windows\System\DhFfqqG.exe
  2⤵
  PID:13700
- C:\Windows\System\mhHJEHu.exe
  C:\Windows\System\mhHJEHu.exe
  2⤵
  PID:13744
- C:\Windows\System\HUFSLmP.exe
  C:\Windows\System\HUFSLmP.exe
  2⤵
  PID:13780
- C:\Windows\System\YxAxaYW.exe
  C:\Windows\System\YxAxaYW.exe
  2⤵
  PID:13808
- C:\Windows\System\lALfUSX.exe
  C:\Windows\System\lALfUSX.exe
  2⤵
  PID:13836
- C:\Windows\System\nJQiupl.exe
  C:\Windows\System\nJQiupl.exe
  2⤵
  PID:13852
- C:\Windows\System\UfyZVeH.exe
  C:\Windows\System\UfyZVeH.exe
  2⤵
  PID:13892
- C:\Windows\System\xZLDuQQ.exe
  C:\Windows\System\xZLDuQQ.exe
  2⤵
  PID:13908
- C:\Windows\System\NHbWGlS.exe
  C:\Windows\System\NHbWGlS.exe
  2⤵
  PID:13936
- C:\Windows\System\ELYBRYb.exe
  C:\Windows\System\ELYBRYb.exe
  2⤵
  PID:13964
- C:\Windows\System\GElldFb.exe
  C:\Windows\System\GElldFb.exe
  2⤵
  PID:13984
- C:\Windows\System\NivycrN.exe
  C:\Windows\System\NivycrN.exe
  2⤵
  PID:14012
- C:\Windows\System\nPKUqMh.exe
  C:\Windows\System\nPKUqMh.exe
  2⤵
  PID:14032
- C:\Windows\System\RevSmPz.exe
  C:\Windows\System\RevSmPz.exe
  2⤵
  PID:14052
- C:\Windows\System\VAhxScu.exe
  C:\Windows\System\VAhxScu.exe
  2⤵
  PID:14068
- C:\Windows\System\zVaCwhh.exe
  C:\Windows\System\zVaCwhh.exe
  2⤵
  PID:14108
- C:\Windows\System\JDWZlaW.exe
  C:\Windows\System\JDWZlaW.exe
  2⤵
  PID:14140
- C:\Windows\System\FhkPOBs.exe
  C:\Windows\System\FhkPOBs.exe
  2⤵
  PID:14176
- C:\Windows\System\yDbvuTp.exe
  C:\Windows\System\yDbvuTp.exe
  2⤵
  PID:14208
- C:\Windows\System\IaRyWXW.exe
  C:\Windows\System\IaRyWXW.exe
  2⤵
  PID:14232
- C:\Windows\System\MOWvdzZ.exe
  C:\Windows\System\MOWvdzZ.exe
  2⤵
  PID:14248
- C:\Windows\System\pJpJZyl.exe
  C:\Windows\System\pJpJZyl.exe
  2⤵
  PID:14268
- C:\Windows\System\dVZyBtz.exe
  C:\Windows\System\dVZyBtz.exe
  2⤵
  PID:14292
- C:\Windows\System\yeIoUoZ.exe
  C:\Windows\System\yeIoUoZ.exe
  2⤵
  PID:14320
- C:\Windows\System\rIFMuOv.exe
  C:\Windows\System\rIFMuOv.exe
  2⤵
  PID:12560
- C:\Windows\System\NMLlYBE.exe
  C:\Windows\System\NMLlYBE.exe
  2⤵
  PID:13384
- C:\Windows\System\AAFAVZs.exe
  C:\Windows\System\AAFAVZs.exe
  2⤵
  PID:13412
- C:\Windows\System\pKpKFfB.exe
  C:\Windows\System\pKpKFfB.exe
  2⤵
  PID:13472
- C:\Windows\System\HFtUMOR.exe
  C:\Windows\System\HFtUMOR.exe
  2⤵
  PID:13556
- C:\Windows\System\syKBgBh.exe
  C:\Windows\System\syKBgBh.exe
  2⤵
  PID:13612
- C:\Windows\System\FmMZSrk.exe
  C:\Windows\System\FmMZSrk.exe
  2⤵
  PID:13688
- C:\Windows\System\TrzfBJm.exe
  C:\Windows\System\TrzfBJm.exe
  2⤵
  PID:13776
- C:\Windows\System\LsWxAjb.exe
  C:\Windows\System\LsWxAjb.exe
  2⤵
  PID:13844

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BMwkxZr.exe

Filesize
2.3MB

MD5
9138d70f959942071dd7ca8fe5cb3036

SHA1
1912ca08cc2d65107d6f5d03f13caed229ed24eb

SHA256
32f8eea6a6c460f15624908d168ff623b6f46e8ec18c598e7b31eadc5335f597

SHA512
ffdb245faad38393f544b6d6a6ea5e63d369ccf15d31fef770ddb9bc9325485ef8a1eca280cb599df563c8488325ec9fd9f7fb33362acf9d2eb5681096586aed

Download Submit
C:\Windows\System\DhcXYMC.exe

Filesize
2.3MB

MD5
72adaf7ecdca6ead69d60787c49f1bb3

SHA1
8628c8d8b345ddb126c0d3f584f46274617875e1

SHA256
5443da410c5a15344bf246ce29f17c42d7c3a482ba61023259d93c73df50b52c

SHA512
ec999ab1cc3da1b63345d19415e8c36a4d3cbd7ca11853f72915fe5f3d994fd36b73aa8c67c5a10dc934a3643c70a88a9d6eb25cfc55fb51fc89eac4268b8fc6

Download Submit
C:\Windows\System\EHppQnR.exe

Filesize
2.3MB

MD5
199658017a42c55bda32890fd2ed7e6c

SHA1
a5d6f327845635bfa4f1a21a9ff8dc5c1a8c8725

SHA256
5e5d12c9752cab70de361741daab256cd9d7c9c02ef6f3d478974c5df650c53e

SHA512
1b47142ba85a7ee88239c09d82c96de539396c0f00a98d52b56ebd0131b53b5f11c52a4fb10dcbf894eb3e131a11c5ab169a48243500eae003e13197c3fc4eb7

Download Submit
C:\Windows\System\GwPqbbf.exe

Filesize
2.3MB

MD5
b33bb9d13990f005493e4866c65415f7

SHA1
b31450e124d27452ea2ba904303b1fa9abbdb29f

SHA256
624a5ad9781cbd60db06feecdf7f6a0226f21a03cf16590a2e06e579324a512c

SHA512
7b15c2d1a6b789233350d3e34d65c01e5f6206ab513f96b440df925a441c73edf2941179516fb534fa80944f0f0bc35aeaf4445b5a9d2ea58d790252c998305b

Download Submit
C:\Windows\System\JQcGvtn.exe

Filesize
2.3MB

MD5
5022887c7efda3f1ebde0cfab6061bf2

SHA1
20f5d05f452fe3615ff9a311d982be3e49eddb4a

SHA256
899f2f61b92fad69bb648b0b13283acf1f3f07181e2a79903737c1315f1a4aea

SHA512
3f0cb66cfb9debc1a835ec0c6547734bc92ccae19fcb48adab576c03beaad316064bd194e5ab6b388274328907db9d68034c62f0b4a190702874ab042a554e0b

Download Submit
C:\Windows\System\KHkxJtj.exe

Filesize
2.3MB

MD5
a03a52d4125496af4cb53bc3e89d7c5f

SHA1
ebed83bd3a9b8f602185584a02a7335ed766e21f

SHA256
62b5b3e15dff8190fdd1420f75fc00d02767fc654d4cc4ab030c8a3a4c417740

SHA512
077488360ec5d65d94b87b99ff0f355a1d4ff77f9141cb079e080d4774fe5bdee63652062cef051f51cce5b93533212b7862196937949ef86fa63a53a2025cde

Download Submit
C:\Windows\System\LNhBdCu.exe

Filesize
2.3MB

MD5
e30661da9914f99d43ab57afb7502ca3

SHA1
89a9eb9b290e4a9b60f46c2b2664d93c3d3a784a

SHA256
39035541631a7bf0b109d84f7a1d4b62b7e3b69a9159f57f2ed62925f82dcf20

SHA512
ba3a50739e6c1508a26671b3b15380758334f3103de34f83e3c672227a776ca9ae37cd27927ce2bbf641e67ed5507ba4a319136fd1f6f20063c2e218b34691e8

Download Submit
C:\Windows\System\QmEhpgO.exe

Filesize
2.3MB

MD5
b0811250f9f922580a9c529bbbb479b8

SHA1
f7f85ec2a481c74d74694efa4b379a0c2e43e1fb

SHA256
79543ab49de482fc7483f2943b664a46c07a22313e84c790bcbd7817f0303cf6

SHA512
11fb050823a9be18747fa49c5bb90db722aeaef631da545cadd074654d44a2c495099803af05513c8eadcd1b1ff43af538e7affb1033e368f836c5d862fc7da0

Download Submit
C:\Windows\System\TmzByeD.exe

Filesize
2.3MB

MD5
5dee655f01f7cec7681c82dac14bb366

SHA1
211cdac2e0c731bb2e5bb4ab7402021847b1f689

SHA256
42f88e0c994eccfcf5dd993d21b96bc522e49f973d94609603540a9e70fc7ab5

SHA512
388d8b4f2911fcf82539d8ce54608853e8ab534c5b4610600d918b561a1a09d09709ce36375d59f56dbd8f857719968d3cc71d87ec4e5c385f41857e534915b2

Download Submit
C:\Windows\System\VKcFfyq.exe

Filesize
2.3MB

MD5
c4e5687547676e36b2499b57b3b0d23c

SHA1
60c17f760b760638f8a8916c6055bd521f409a49

SHA256
c427da64623642f05043700b1d6240658251242322651fcb2fe9331205fc21a2

SHA512
305a582c8dd62d966b8216b30e9701b29fe238590090067045335076687d862498aafc93b0bc8d32df14a24e3515a19993162dd3be01922f27da5aa8fd753907

Download Submit
C:\Windows\System\VQYSAPf.exe

Filesize
2.3MB

MD5
f249e31d9dff79f2784de12e28513929

SHA1
068bdcc445aee2106afe67d3fc369cb811dc20ad

SHA256
fea56304e8e3b071767281fe36cde882ec2c27eccfef8c9675e4bb8f2cf57d0d

SHA512
f06deb798f5a15df3a12b7ce336b67f0a5288d14e2d960ef0dd83c2b2b05dcae6ca7250fef53eda571fe2999aa6262c7413bdc1158c77afcc392d720ff4c5f08

Download Submit
C:\Windows\System\VWtzhfk.exe

Filesize
2.3MB

MD5
7bb6b2fc6d0ed23ba2fdc791cb412b90

SHA1
6ea7b78ec609122133e61eb98ddbbc422c569d9c

SHA256
0fe0d5e16fd03e421dba7736e60c4d9b2eab74ddb9957a694409189a92c781cf

SHA512
b2f099359d79a9bb7f23078fd9bcba32298388a2254c6f0920dd2a91066f27c4924a9a08de92b751ab15217d35b3beca00b262a36e0d9f8bd8d204a992d8d2a8

Download Submit
C:\Windows\System\WQTGkgs.exe

Filesize
2.3MB

MD5
2908934a9424ea01a1a9afd2a5181456

SHA1
fd3718928111a63fd36ea14626212270e569f818

SHA256
8fef4575a6501a2fda3f0d6c578ddb6cc7658ec4ebb8f7a94bb145383642ce63

SHA512
270b3ccdf054853408755632d11f246d1c4b7cf4293a95281add841440a047ccb28f38adb9a147ecda9e3418e8b3baf742106a13a03417861efe5b6fc525b40d

Download Submit
C:\Windows\System\cPkwVat.exe

Filesize
2.3MB

MD5
009795efc1572247de9dcbe83b5e030a

SHA1
d3c94b38e0a7a4518a8efbb2a6a5e7a01643b321

SHA256
78872831deb189851258a62a45dd6c3c63ac2486f70e3f9f835a9800b1d153ca

SHA512
ebd1e2d838d482580a843bca69ce1db16b2187bd4cbfa5247178e96852524679df25af0b5dbf53d9b96151b29a430f3788e5da61e5d6d39406d84b8569139165

Download Submit
C:\Windows\System\cfFIGBJ.exe

Filesize
2.3MB

MD5
134c6277c5ed7d81df097c434362a995

SHA1
5854334ab82831433f908fef9420ba74f8c828d2

SHA256
01decb5eb53ce0f94a26c6475a6246aab31db42756b3ca35e24d4760a0092fac

SHA512
15bc8aeefcefdf5ad7d843f3ecc04ba92dfa9d8d8d5c3311bb048cf2d43427ce41219194bb9eab16e3e8ac714c3da6cb65e67d57de0b4294204d0418e29fd6ad

Download Submit
C:\Windows\System\gEnJFDF.exe

Filesize
2.3MB

MD5
c0bfc32e0389198413541f21a6a0cd0d

SHA1
abf8538c12e09de2206fce5692e717d6f7a0ecc2

SHA256
f544fa3f9aaeb0c6c792b2109a24d89d4831a4bb0e7c86aa3437ea1209abfe85

SHA512
2419906b9b367795f51b2699ff674207f1ec620d7f2fafcd35981f1dfecf64f219d3491ebb13d36cea86a5c9d0dd4ab1fddd6c4a0aa18e1ae7cc24820d7bdb68

Download Submit
C:\Windows\System\hBBRAMR.exe

Filesize
2.3MB

MD5
cf59f9b38cec01c9e653ce3c409cb574

SHA1
2b5fd1a4df6416700ce91af332f8552bb66ec25d

SHA256
253c17d671230df64226622e42bf428c2a8002d5bc4317e4519d7779d85729b2

SHA512
6b13aba1e86bd79e527633916c51dccf173140c952bfe9f60e0620acc1a4be922164e0cf48c3b8c2fe349323d4fb9343f33524eb79094258f7a558aaf064b984

Download Submit
C:\Windows\System\iRSnEHD.exe

Filesize
2.3MB

MD5
384bf52fea1f2fb316697b0d6716cd06

SHA1
6623184acd74f49ffddd5ccd9d30fbe36ffc5c2a

SHA256
aa778c445a0190cf9fb36671e71cabc7cf1278a51ff843972046b0e1b2dda5fb

SHA512
ad59fc6e21260f8240c38eba54a537af4000c4aa8ceca316cb2c7acad8e17be574df0e4b13d46c0f1d542fa4e96a97fb08e1ba86bd55411f80ae0176d855a5c3

Download Submit
C:\Windows\System\jPHQVhQ.exe

Filesize
2.3MB

MD5
ff121ab54bffb3d5e79e05992d2805a7

SHA1
8c818b9350e411c2443b549edaa97319f33ac41f

SHA256
81571646232dc01c14000cea4dd616200f4c7b18037b2ac8b94dc17d3fd89736

SHA512
0a06a88c7103ad7b3d8d3b056bf0e7a8d1e7876f55634c4e1d264efe1b05568edfd2bbdb49335edd56a31419a8518ec78ac4b2e981483e417fa0d9a1e3ba461f

Download Submit
C:\Windows\System\kqDuspB.exe

Filesize
2.3MB

MD5
17f4abae3db87aec560a55221fa81cc7

SHA1
1dad2ffb155fad850844cfbd4cd730d75bd14fb3

SHA256
37058abcacb9f28b15d27ed74db4c397651d23464aead27fb4f5f1a4bb78bc3e

SHA512
e8b6a3015981f33cc772e8d4279bff178d0daf882a484da6a0f37cc46559b38ea0c638dd3a2fb2c16617e362de69993be0f878c9d61c38990ed2c23cc5a01a97

Download Submit
C:\Windows\System\lDafque.exe

Filesize
2.3MB

MD5
b0b1e82e1303085402b039bc4b36cf1a

SHA1
d99c55ab1f53886cb9cebded0bd65cc905f20aeb

SHA256
e2b840202814a1a563d19d9bc4396b5791e699b5b6ed54393d34df5e5c53222b

SHA512
96a016b46da540a461d15aa61b3320f8431e3ed11f1386183943830002b1b0beb3fb8233d0f8c1e6a7f9179681cd5d2e680dc51edafe8bf9ebfd87c78b444a7d

Download Submit
C:\Windows\System\nHtBsAC.exe

Filesize
2.3MB

MD5
76254fcfa951f30b450e7d2e3260dea4

SHA1
c85ec9adc33042d8fbaab4741c26c35bea99e353

SHA256
3edcc99f88ddba771bdf4dd3fd772935cfc83e7bf2ab03ca828a4585f206816b

SHA512
23f5796fe2695375f1b2d8eb76874a5b3b32d161d31e7e9851142a5ef4bb12983d2e34c25899abfba29ec50110665ade0790331dbc755a2abd2c817a10d6933c

Download Submit
C:\Windows\System\qKYRouW.exe

Filesize
2.3MB

MD5
dc9bb49218b9c5baa086daed8f7eebf7

SHA1
eacf03ebd69f43ee40894f379862261cf279f875

SHA256
604d1562679b83a4adff8faad0a8ee2a29af126d7e8b3aa411f78a1990503634

SHA512
fb5a78a30f26e9a5d9af8fd6bf91f878bc02c48639d0ffe0ccae38a14f5f0410423da12705e6c34326d508a2c5dfe08cc2d2189deba3aef773248a2adba36496

Download Submit
C:\Windows\System\qNYDRRp.exe

Filesize
2.3MB

MD5
80a40267176555ead9f311a74c65ed6a

SHA1
e17cae2d5c0b0d51c1a0f04b8837692372665734

SHA256
a85bd0d0d38b011d0dc28ce3bf801b973283a0ac4c12e55985eca3cafecf11f7

SHA512
893f3a33e54ef0a152ab2e44a8453f9480d637910490224506aebe40f48cb9d63ac694d9898fbfbbf7aa44e245d67cf56a96739a13966153fef179a234b88631

Download Submit
C:\Windows\System\sjIzcMJ.exe

Filesize
2.3MB

MD5
b1ea3e97c49a86ee7167b91540cb03e4

SHA1
44e92cdfc92d27c3615f0d3e01eba5c8698c9bf6

SHA256
dc7cbbe37d9d342c6b0589caa61a2ea59a62af64b951e6107fc525aae0692aca

SHA512
7471ef8a038be40d0ea9aebf0e3aca944acd8d5dd4fa1ab1e9de3fa8562096304c12de9ae20562a692ac25c2a70d248451012019172a30b5ef0c322f5d2f2131

Download Submit
C:\Windows\System\uMMLBtJ.exe

Filesize
2.3MB

MD5
a8cbfcbadc27bc8fa1269c2a2de94ac2

SHA1
52040acdb244dacf0ab5f5b6d297b0e1714ff349

SHA256
6ca586dfbc4bdeeed94bad149b641a12627a7dbc707150d734fb58ba408ba864

SHA512
5ff66275b8deae8969f623f096564de53ae6d9700ac4603806eb58bd59ede794c9c857061835d4805b62bd24e826740b8afe7dc08cb9500ba3eece3c3cd41eab

Download Submit
C:\Windows\System\ulbBIyU.exe

Filesize
2.3MB

MD5
8e16fb7a7a3e94b21849edbe58f306cb

SHA1
62c353fd7f43484f4393fc6f209211d439c59c93

SHA256
4c7a11f589dd5be81a03f2cf65e74a0adaad98f31a692b3e5e576097e50889bb

SHA512
843d97a3dde85c2d53ed792f0db9cbe8fc08ec5a357384da45a4988268c7e3058ec815554d78558350ffb69f6794061b4ab42e97260ffd128bfa5a5395848577

Download Submit
C:\Windows\System\vUUHkDA.exe

Filesize
2.3MB

MD5
afb02150e714e08d416d83e18ba49cb4

SHA1
a1559adf9f6366ec8ec8ae5651106bdd96165e80

SHA256
3f180d0b07338b2d017ed5d0ddbfd3c97b3952bd0e31d96ad8eb98d5a6fb225b

SHA512
dee95b75120340e6416dbadce069f1408046405081fc2606e214bf08a52d8568393048ba7e30b5fc4946b4f0b9b04867bb44531a92670caede1c47dd13d89e0f

Download Submit
C:\Windows\System\valZLFp.exe

Filesize
2.3MB

MD5
8e37008c41dec8b57ec8c3708a1417b0

SHA1
069ca44842a7fa00245cf03b69dbb94a546e5e8d

SHA256
9af971019d103ac25646cd8084a2bcf7c5f581a58825823673ab8dd387642b49

SHA512
9bf61e3d2d2792f8c17e66e527e0e743296b13fac9d608a819c715cb92aef9adc7002aeb41582d38603da28b4b652c3f6c018fcfc7f76aef155d0521a5d743bd

Download Submit
C:\Windows\System\wEiDrRc.exe

Filesize
2.3MB

MD5
f076a1f0e287bf8cea56b61b7375a6eb

SHA1
9fb7d6c71bb1d14678a8330c16ed5a348e8e8e25

SHA256
4042d92c4e298cf21ea8bef541e9423d430c07343c6f6940995158b4d5970d98

SHA512
730f082595325e9e78b0c34036a291042e7741b4a1e429bf0fa0ae686b38076c10c048efe355eea2b0c3e8eb736c1a14e8485ab791edc0f1533f447e151d0a82

Download Submit
C:\Windows\System\wrrlwJc.exe

Filesize
2.3MB

MD5
35eb859234bb6e10b834c0940e2920a1

SHA1
bac0c1e74ca2a83398810abc2e82f0ae1fc668e0

SHA256
0c52ad523eb5eb82a6ee3cc17ca0f9cafb8bb3256dc133e090e8ff96524bdced

SHA512
ea7620853659d9e5079385770e6dcde1fd63ce23973dfc090def3fbd3ec30407ee70dfdc732d9f654f47e07ffc03feedc01c2cad341161130eccf2c39e7ff07b

Download Submit
C:\Windows\System\xaPKxri.exe

Filesize
2.3MB

MD5
ab395a2b45c648412b041212aa1a80b4

SHA1
b833ef1fc2c23c0d134e9c2d787313194f2a7712

SHA256
f4e53835e6adcca57fd67d1498012146d08eac9f371605b6f7984fe1344e7ccd

SHA512
e1b1d6c731a6226ec6c9e0e63f137ae38768570f1f7c5b23d111b15fecd63e5f70fb1997a1614fc00681d5e88f32b79ae9705f2eecdeee25596934231ff1a841

Download Submit
memory/8-2128-0x00007FF6464A0000-0x00007FF6467F4000-memory.dmp

Filesize
3.3MB

Download
memory/8-38-0x00007FF6464A0000-0x00007FF6467F4000-memory.dmp

Filesize
3.3MB

Download
memory/644-162-0x00007FF758E60000-0x00007FF7591B4000-memory.dmp

Filesize
3.3MB

Download
memory/644-2147-0x00007FF758E60000-0x00007FF7591B4000-memory.dmp

Filesize
3.3MB

Download
memory/784-159-0x00007FF665670000-0x00007FF6659C4000-memory.dmp

Filesize
3.3MB

Download
memory/784-2154-0x00007FF665670000-0x00007FF6659C4000-memory.dmp

Filesize
3.3MB

Download
memory/908-136-0x00007FF725BB0000-0x00007FF725F04000-memory.dmp

Filesize
3.3MB

Download
memory/908-2139-0x00007FF725BB0000-0x00007FF725F04000-memory.dmp

Filesize
3.3MB

Download
memory/1248-2124-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp

Filesize
3.3MB

Download
memory/1248-71-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp

Filesize
3.3MB

Download
memory/1248-2135-0x00007FF7E9C50000-0x00007FF7E9FA4000-memory.dmp

Filesize
3.3MB

Download
memory/1372-55-0x00007FF7F0050000-0x00007FF7F03A4000-memory.dmp

Filesize
3.3MB

Download
memory/1372-2131-0x00007FF7F0050000-0x00007FF7F03A4000-memory.dmp

Filesize
3.3MB

Download
memory/1424-158-0x00007FF707CF0000-0x00007FF708044000-memory.dmp

Filesize
3.3MB

Download
memory/1424-2153-0x00007FF707CF0000-0x00007FF708044000-memory.dmp

Filesize
3.3MB

Download
memory/1440-2142-0x00007FF6740F0000-0x00007FF674444000-memory.dmp

Filesize
3.3MB

Download
memory/1440-156-0x00007FF6740F0000-0x00007FF674444000-memory.dmp

Filesize
3.3MB

Download
memory/1636-2141-0x00007FF6C7020000-0x00007FF6C7374000-memory.dmp

Filesize
3.3MB

Download
memory/1636-167-0x00007FF6C7020000-0x00007FF6C7374000-memory.dmp

Filesize
3.3MB

Download
memory/1696-157-0x00007FF69F8D0000-0x00007FF69FC24000-memory.dmp

Filesize
3.3MB

Download
memory/1696-2146-0x00007FF69F8D0000-0x00007FF69FC24000-memory.dmp

Filesize
3.3MB

Download
memory/1804-160-0x00007FF7AD420000-0x00007FF7AD774000-memory.dmp

Filesize
3.3MB

Download
memory/1804-2150-0x00007FF7AD420000-0x00007FF7AD774000-memory.dmp

Filesize
3.3MB

Download
memory/1856-155-0x00007FF730D30000-0x00007FF731084000-memory.dmp

Filesize
3.3MB

Download
memory/1856-2143-0x00007FF730D30000-0x00007FF731084000-memory.dmp

Filesize
3.3MB

Download
memory/1960-168-0x00007FF749840000-0x00007FF749B94000-memory.dmp

Filesize
3.3MB

Download
memory/1960-2145-0x00007FF749840000-0x00007FF749B94000-memory.dmp

Filesize
3.3MB

Download
memory/2488-166-0x00007FF7DAD80000-0x00007FF7DB0D4000-memory.dmp

Filesize
3.3MB

Download
memory/2488-2138-0x00007FF7DAD80000-0x00007FF7DB0D4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-124-0x00007FF7FA4E0000-0x00007FF7FA834000-memory.dmp

Filesize
3.3MB

Download
memory/2512-2137-0x00007FF7FA4E0000-0x00007FF7FA834000-memory.dmp

Filesize
3.3MB

Download
memory/2744-2126-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-59-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-2133-0x00007FF69F380000-0x00007FF69F6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2996-154-0x00007FF60C8C0000-0x00007FF60CC14000-memory.dmp

Filesize
3.3MB

Download
memory/2996-2144-0x00007FF60C8C0000-0x00007FF60CC14000-memory.dmp

Filesize
3.3MB

Download
memory/3032-165-0x00007FF6F1B60000-0x00007FF6F1EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3032-2132-0x00007FF6F1B60000-0x00007FF6F1EB4000-memory.dmp

Filesize
3.3MB

Download
memory/3172-1-0x00000133D67D0000-0x00000133D67E0000-memory.dmp

Filesize
64KB

Download
memory/3172-0-0x00007FF7820C0000-0x00007FF782414000-memory.dmp

Filesize
3.3MB

Download
memory/3172-2123-0x00007FF7820C0000-0x00007FF782414000-memory.dmp

Filesize
3.3MB

Download
memory/3408-170-0x00007FF73CEF0000-0x00007FF73D244000-memory.dmp

Filesize
3.3MB

Download
memory/3408-2148-0x00007FF73CEF0000-0x00007FF73D244000-memory.dmp

Filesize
3.3MB

Download
memory/3616-2152-0x00007FF67F270000-0x00007FF67F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/3616-161-0x00007FF67F270000-0x00007FF67F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/3956-2130-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp

Filesize
3.3MB

Download
memory/3956-164-0x00007FF703B80000-0x00007FF703ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4120-181-0x00007FF79C880000-0x00007FF79CBD4000-memory.dmp

Filesize
3.3MB

Download
memory/4120-2155-0x00007FF79C880000-0x00007FF79CBD4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-2127-0x00007FF7C9E60000-0x00007FF7CA1B4000-memory.dmp

Filesize
3.3MB

Download
memory/4172-15-0x00007FF7C9E60000-0x00007FF7CA1B4000-memory.dmp

Filesize
3.3MB

Download
memory/4428-2140-0x00007FF652240000-0x00007FF652594000-memory.dmp

Filesize
3.3MB

Download
memory/4428-147-0x00007FF652240000-0x00007FF652594000-memory.dmp

Filesize
3.3MB

Download
memory/4468-2136-0x00007FF74EC40000-0x00007FF74EF94000-memory.dmp

Filesize
3.3MB

Download
memory/4468-122-0x00007FF74EC40000-0x00007FF74EF94000-memory.dmp

Filesize
3.3MB

Download
memory/4584-163-0x00007FF6A39F0000-0x00007FF6A3D44000-memory.dmp

Filesize
3.3MB

Download
memory/4584-2149-0x00007FF6A39F0000-0x00007FF6A3D44000-memory.dmp

Filesize
3.3MB

Download
memory/4600-169-0x00007FF6F9DA0000-0x00007FF6FA0F4000-memory.dmp

Filesize
3.3MB

Download
memory/4600-2151-0x00007FF6F9DA0000-0x00007FF6FA0F4000-memory.dmp

Filesize
3.3MB

Download
memory/4624-91-0x00007FF6B5620000-0x00007FF6B5974000-memory.dmp

Filesize
3.3MB

Download
memory/4624-2134-0x00007FF6B5620000-0x00007FF6B5974000-memory.dmp

Filesize
3.3MB

Download
memory/4624-2125-0x00007FF6B5620000-0x00007FF6B5974000-memory.dmp

Filesize
3.3MB

Download
memory/4804-2129-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp

Filesize
3.3MB

Download
memory/4804-47-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads