xmrig | b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
Size

1.7MB
MD5

cb4207ba094715a98495556c9525d024
SHA1

72983d9322968c3df899b3a82c6566ce7cc2df86
SHA256

b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41
SHA512

68c8975603d9e6b1ee7a909f80d706225b2436b606c6795cd68aebccbdd0a89dafddadc4eff0a6e2d12ebd1848e335e7b0e5dbe39490adef4d4fa94e6e680ce5
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkFfkeMlN675EgEPgsU5qTqOkDilK3uPpHbcMfOoQW:Lz071uv4BPMkFfdg6NsOkc2oW

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects executables containing URLs to raw contents of a Github gist 25 IoCs

resource	yara_rule
behavioral2/memory/212-17-0x00007FF76FB60000-0x00007FF76FF52000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4016-412-0x00007FF6854C0000-0x00007FF6858B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4936-528-0x00007FF785FE0000-0x00007FF7863D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2864-576-0x00007FF6A79C0000-0x00007FF6A7DB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4976-580-0x00007FF625FC0000-0x00007FF6263B2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3384-585-0x00007FF73FBC0000-0x00007FF73FFB2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1892-638-0x00007FF654690000-0x00007FF654A82000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4608-588-0x00007FF615DE0000-0x00007FF6161D2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3212-587-0x00007FF61A700000-0x00007FF61AAF2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3048-586-0x00007FF7F04F0000-0x00007FF7F08E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1772-584-0x00007FF794B80000-0x00007FF794F72000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2144-583-0x00007FF71D270000-0x00007FF71D662000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4488-582-0x00007FF7C4900000-0x00007FF7C4CF2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2328-581-0x00007FF6F3800000-0x00007FF6F3BF2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4248-579-0x00007FF6C5B30000-0x00007FF6C5F22000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/2712-578-0x00007FF6F66A0000-0x00007FF6F6A92000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1704-577-0x00007FF7B3A20000-0x00007FF7B3E12000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/436-575-0x00007FF7CA0F0000-0x00007FF7CA4E2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3136-574-0x00007FF7B55A0000-0x00007FF7B5992000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1888-573-0x00007FF62C500000-0x00007FF62C8F2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/3516-572-0x00007FF727BF0000-0x00007FF727FE2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4708-332-0x00007FF7FAB50000-0x00007FF7FAF42000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/1220-274-0x00007FF6B97D0000-0x00007FF6B9BC2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/4032-218-0x00007FF62D2D0000-0x00007FF62D6C2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral2/memory/232-4199-0x00007FF6481B0000-0x00007FF6485A2000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

UPX dump on OEP (original entry point) 64 IoCs

resource	yara_rule
behavioral2/memory/232-0-0x00007FF6481B0000-0x00007FF6485A2000-memory.dmp	UPX
behavioral2/files/0x0008000000023416-5.dat	UPX
behavioral2/files/0x000700000002341b-9.dat	UPX
behavioral2/files/0x000700000002341a-13.dat	UPX
behavioral2/files/0x000700000002341d-22.dat	UPX
behavioral2/memory/212-17-0x00007FF76FB60000-0x00007FF76FF52000-memory.dmp	UPX
behavioral2/files/0x000700000002341e-43.dat	UPX
behavioral2/files/0x0007000000023421-41.dat	UPX
behavioral2/files/0x0007000000023420-40.dat	UPX
behavioral2/files/0x000700000002341f-36.dat	UPX
behavioral2/files/0x000700000002341c-21.dat	UPX
behavioral2/files/0x0007000000023425-57.dat	UPX
behavioral2/files/0x0007000000023424-56.dat	UPX
behavioral2/files/0x0007000000023423-55.dat	UPX
behavioral2/files/0x0007000000023422-52.dat	UPX
behavioral2/files/0x0007000000023429-86.dat	UPX
behavioral2/files/0x0007000000023436-146.dat	UPX
behavioral2/files/0x000700000002342c-186.dat	UPX
behavioral2/memory/4016-412-0x00007FF6854C0000-0x00007FF6858B2000-memory.dmp	UPX
behavioral2/memory/4936-528-0x00007FF785FE0000-0x00007FF7863D2000-memory.dmp	UPX
behavioral2/memory/2864-576-0x00007FF6A79C0000-0x00007FF6A7DB2000-memory.dmp	UPX
behavioral2/memory/4976-580-0x00007FF625FC0000-0x00007FF6263B2000-memory.dmp	UPX
behavioral2/memory/3384-585-0x00007FF73FBC0000-0x00007FF73FFB2000-memory.dmp	UPX
behavioral2/memory/1892-638-0x00007FF654690000-0x00007FF654A82000-memory.dmp	UPX
behavioral2/memory/4608-588-0x00007FF615DE0000-0x00007FF6161D2000-memory.dmp	UPX
behavioral2/memory/3212-587-0x00007FF61A700000-0x00007FF61AAF2000-memory.dmp	UPX
behavioral2/memory/3048-586-0x00007FF7F04F0000-0x00007FF7F08E2000-memory.dmp	UPX
behavioral2/memory/1772-584-0x00007FF794B80000-0x00007FF794F72000-memory.dmp	UPX
behavioral2/memory/2144-583-0x00007FF71D270000-0x00007FF71D662000-memory.dmp	UPX
behavioral2/memory/4488-582-0x00007FF7C4900000-0x00007FF7C4CF2000-memory.dmp	UPX
behavioral2/memory/2328-581-0x00007FF6F3800000-0x00007FF6F3BF2000-memory.dmp	UPX
behavioral2/memory/4248-579-0x00007FF6C5B30000-0x00007FF6C5F22000-memory.dmp	UPX
behavioral2/memory/2712-578-0x00007FF6F66A0000-0x00007FF6F6A92000-memory.dmp	UPX
behavioral2/memory/1704-577-0x00007FF7B3A20000-0x00007FF7B3E12000-memory.dmp	UPX
behavioral2/memory/436-575-0x00007FF7CA0F0000-0x00007FF7CA4E2000-memory.dmp	UPX
behavioral2/memory/3136-574-0x00007FF7B55A0000-0x00007FF7B5992000-memory.dmp	UPX
behavioral2/memory/1888-573-0x00007FF62C500000-0x00007FF62C8F2000-memory.dmp	UPX
behavioral2/memory/3516-572-0x00007FF727BF0000-0x00007FF727FE2000-memory.dmp	UPX
behavioral2/memory/4708-332-0x00007FF7FAB50000-0x00007FF7FAF42000-memory.dmp	UPX
behavioral2/memory/1220-274-0x00007FF6B97D0000-0x00007FF6B9BC2000-memory.dmp	UPX
behavioral2/memory/4032-218-0x00007FF62D2D0000-0x00007FF62D6C2000-memory.dmp	UPX
behavioral2/files/0x000700000002343f-205.dat	UPX
behavioral2/files/0x0007000000023430-187.dat	UPX
behavioral2/files/0x000700000002343e-181.dat	UPX
behavioral2/files/0x0007000000023435-180.dat	UPX
behavioral2/files/0x000700000002343c-167.dat	UPX
behavioral2/files/0x000700000002343a-151.dat	UPX
behavioral2/files/0x0007000000023434-204.dat	UPX
behavioral2/files/0x0007000000023432-200.dat	UPX
behavioral2/files/0x0007000000023437-195.dat	UPX
behavioral2/files/0x000700000002342f-148.dat	UPX
behavioral2/files/0x000700000002342e-144.dat	UPX
behavioral2/files/0x0007000000023428-140.dat	UPX
behavioral2/files/0x000700000002343d-179.dat	UPX
behavioral2/files/0x000700000002342d-134.dat	UPX
behavioral2/files/0x000700000002343b-166.dat	UPX
behavioral2/files/0x0007000000023433-123.dat	UPX
behavioral2/files/0x0007000000023431-119.dat	UPX
behavioral2/files/0x0007000000023439-150.dat	UPX
behavioral2/files/0x0007000000023438-149.dat	UPX
behavioral2/files/0x0007000000023427-130.dat	UPX
behavioral2/files/0x000700000002342b-90.dat	UPX
behavioral2/files/0x000700000002342a-87.dat	UPX
behavioral2/files/0x0007000000023426-65.dat	UPX

XMRig Miner payload 25 IoCs

miner

resource	yara_rule
behavioral2/memory/212-17-0x00007FF76FB60000-0x00007FF76FF52000-memory.dmp	xmrig
behavioral2/memory/4016-412-0x00007FF6854C0000-0x00007FF6858B2000-memory.dmp	xmrig
behavioral2/memory/4936-528-0x00007FF785FE0000-0x00007FF7863D2000-memory.dmp	xmrig
behavioral2/memory/2864-576-0x00007FF6A79C0000-0x00007FF6A7DB2000-memory.dmp	xmrig
behavioral2/memory/4976-580-0x00007FF625FC0000-0x00007FF6263B2000-memory.dmp	xmrig
behavioral2/memory/3384-585-0x00007FF73FBC0000-0x00007FF73FFB2000-memory.dmp	xmrig
behavioral2/memory/1892-638-0x00007FF654690000-0x00007FF654A82000-memory.dmp	xmrig
behavioral2/memory/4608-588-0x00007FF615DE0000-0x00007FF6161D2000-memory.dmp	xmrig
behavioral2/memory/3212-587-0x00007FF61A700000-0x00007FF61AAF2000-memory.dmp	xmrig
behavioral2/memory/3048-586-0x00007FF7F04F0000-0x00007FF7F08E2000-memory.dmp	xmrig
behavioral2/memory/1772-584-0x00007FF794B80000-0x00007FF794F72000-memory.dmp	xmrig
behavioral2/memory/2144-583-0x00007FF71D270000-0x00007FF71D662000-memory.dmp	xmrig
behavioral2/memory/4488-582-0x00007FF7C4900000-0x00007FF7C4CF2000-memory.dmp	xmrig
behavioral2/memory/2328-581-0x00007FF6F3800000-0x00007FF6F3BF2000-memory.dmp	xmrig
behavioral2/memory/4248-579-0x00007FF6C5B30000-0x00007FF6C5F22000-memory.dmp	xmrig
behavioral2/memory/2712-578-0x00007FF6F66A0000-0x00007FF6F6A92000-memory.dmp	xmrig
behavioral2/memory/1704-577-0x00007FF7B3A20000-0x00007FF7B3E12000-memory.dmp	xmrig
behavioral2/memory/436-575-0x00007FF7CA0F0000-0x00007FF7CA4E2000-memory.dmp	xmrig
behavioral2/memory/3136-574-0x00007FF7B55A0000-0x00007FF7B5992000-memory.dmp	xmrig
behavioral2/memory/1888-573-0x00007FF62C500000-0x00007FF62C8F2000-memory.dmp	xmrig
behavioral2/memory/3516-572-0x00007FF727BF0000-0x00007FF727FE2000-memory.dmp	xmrig
behavioral2/memory/4708-332-0x00007FF7FAB50000-0x00007FF7FAF42000-memory.dmp	xmrig
behavioral2/memory/1220-274-0x00007FF6B97D0000-0x00007FF6B9BC2000-memory.dmp	xmrig
behavioral2/memory/4032-218-0x00007FF62D2D0000-0x00007FF62D6C2000-memory.dmp	xmrig
behavioral2/memory/232-4199-0x00007FF6481B0000-0x00007FF6485A2000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
952	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
212	RPGRjuC.exe
3212	HKOwcGL.exe
4608	JcOQskT.exe
4032	HeJrMrO.exe
1220	fcJCXsm.exe
4708	nVkeEgs.exe
4016	OMGOcPn.exe
4936	YZqeLpN.exe
3516	yxqQNtm.exe
1888	AmtOhSV.exe
3136	ZInSEMK.exe
436	yLXhOzc.exe
2864	gCFbLiy.exe
1704	tAWpDyf.exe
2712	JxcMYLM.exe
4248	AFvLlBk.exe
4976	MfOWkGH.exe
2328	zjtduzh.exe
4488	aCqWLom.exe
1892	iAcPkIy.exe
2144	UwRIKfI.exe
1772	uSVSnvN.exe
3384	PdJyNfu.exe
3048	SKIhLyB.exe
392	BRuKWsO.exe
968	doxWgLm.exe
2876	ZXerhhn.exe
4880	cUCqrpe.exe
2540	gXwmEbM.exe
2388	cjaRVvs.exe
4432	fjjeXPL.exe
2252	bsXfTKx.exe
3468	UvjDSKX.exe
2020	zBiZZdY.exe
332	ufPwYwJ.exe
1504	DJcxteQ.exe
4428	nDIGOPp.exe
4424	OVBWHGh.exe
3916	FzeDPwd.exe
3636	ZqbJMgF.exe
2472	qZlQmSI.exe
2600	rImVxZY.exe
1636	wEAtkNp.exe
4228	vxyfCOQ.exe
5020	EkhEtot.exe
3608	MmtpMAl.exe
5072	lGZIRZs.exe
1196	lqtXNBQ.exe
2340	lKgamjr.exe
4052	lGLFzLn.exe
516	MKrZTZy.exe
3180	uddkDVp.exe
1884	SEyylid.exe
916	ksVCWcB.exe
1184	KnRKuWE.exe
2624	CsFGMyQ.exe
2444	GQWtfNM.exe
808	HzumGFa.exe
4412	NCTMZWS.exe
1680	cXjcRsK.exe
5016	eymvMwh.exe
3008	vwYgqAq.exe
1768	SUWjXCY.exe
1296	JBuZHOR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/232-0-0x00007FF6481B0000-0x00007FF6485A2000-memory.dmp	upx
behavioral2/files/0x0008000000023416-5.dat	upx
behavioral2/files/0x000700000002341b-9.dat	upx
behavioral2/files/0x000700000002341a-13.dat	upx
behavioral2/files/0x000700000002341d-22.dat	upx
behavioral2/memory/212-17-0x00007FF76FB60000-0x00007FF76FF52000-memory.dmp	upx
behavioral2/files/0x000700000002341e-43.dat	upx
behavioral2/files/0x0007000000023421-41.dat	upx
behavioral2/files/0x0007000000023420-40.dat	upx
behavioral2/files/0x000700000002341f-36.dat	upx
behavioral2/files/0x000700000002341c-21.dat	upx
behavioral2/files/0x0007000000023425-57.dat	upx
behavioral2/files/0x0007000000023424-56.dat	upx
behavioral2/files/0x0007000000023423-55.dat	upx
behavioral2/files/0x0007000000023422-52.dat	upx
behavioral2/files/0x0007000000023429-86.dat	upx
behavioral2/files/0x0007000000023436-146.dat	upx
behavioral2/files/0x000700000002342c-186.dat	upx
behavioral2/memory/4016-412-0x00007FF6854C0000-0x00007FF6858B2000-memory.dmp	upx
behavioral2/memory/4936-528-0x00007FF785FE0000-0x00007FF7863D2000-memory.dmp	upx
behavioral2/memory/2864-576-0x00007FF6A79C0000-0x00007FF6A7DB2000-memory.dmp	upx
behavioral2/memory/4976-580-0x00007FF625FC0000-0x00007FF6263B2000-memory.dmp	upx
behavioral2/memory/3384-585-0x00007FF73FBC0000-0x00007FF73FFB2000-memory.dmp	upx
behavioral2/memory/1892-638-0x00007FF654690000-0x00007FF654A82000-memory.dmp	upx
behavioral2/memory/4608-588-0x00007FF615DE0000-0x00007FF6161D2000-memory.dmp	upx
behavioral2/memory/3212-587-0x00007FF61A700000-0x00007FF61AAF2000-memory.dmp	upx
behavioral2/memory/3048-586-0x00007FF7F04F0000-0x00007FF7F08E2000-memory.dmp	upx
behavioral2/memory/1772-584-0x00007FF794B80000-0x00007FF794F72000-memory.dmp	upx
behavioral2/memory/2144-583-0x00007FF71D270000-0x00007FF71D662000-memory.dmp	upx
behavioral2/memory/4488-582-0x00007FF7C4900000-0x00007FF7C4CF2000-memory.dmp	upx
behavioral2/memory/2328-581-0x00007FF6F3800000-0x00007FF6F3BF2000-memory.dmp	upx
behavioral2/memory/4248-579-0x00007FF6C5B30000-0x00007FF6C5F22000-memory.dmp	upx
behavioral2/memory/2712-578-0x00007FF6F66A0000-0x00007FF6F6A92000-memory.dmp	upx
behavioral2/memory/1704-577-0x00007FF7B3A20000-0x00007FF7B3E12000-memory.dmp	upx
behavioral2/memory/436-575-0x00007FF7CA0F0000-0x00007FF7CA4E2000-memory.dmp	upx
behavioral2/memory/3136-574-0x00007FF7B55A0000-0x00007FF7B5992000-memory.dmp	upx
behavioral2/memory/1888-573-0x00007FF62C500000-0x00007FF62C8F2000-memory.dmp	upx
behavioral2/memory/3516-572-0x00007FF727BF0000-0x00007FF727FE2000-memory.dmp	upx
behavioral2/memory/4708-332-0x00007FF7FAB50000-0x00007FF7FAF42000-memory.dmp	upx
behavioral2/memory/1220-274-0x00007FF6B97D0000-0x00007FF6B9BC2000-memory.dmp	upx
behavioral2/memory/4032-218-0x00007FF62D2D0000-0x00007FF62D6C2000-memory.dmp	upx
behavioral2/files/0x000700000002343f-205.dat	upx
behavioral2/files/0x0007000000023430-187.dat	upx
behavioral2/files/0x000700000002343e-181.dat	upx
behavioral2/files/0x0007000000023435-180.dat	upx
behavioral2/files/0x000700000002343c-167.dat	upx
behavioral2/files/0x000700000002343a-151.dat	upx
behavioral2/files/0x0007000000023434-204.dat	upx
behavioral2/files/0x0007000000023432-200.dat	upx
behavioral2/files/0x0007000000023437-195.dat	upx
behavioral2/files/0x000700000002342f-148.dat	upx
behavioral2/files/0x000700000002342e-144.dat	upx
behavioral2/files/0x0007000000023428-140.dat	upx
behavioral2/files/0x000700000002343d-179.dat	upx
behavioral2/files/0x000700000002342d-134.dat	upx
behavioral2/files/0x000700000002343b-166.dat	upx
behavioral2/files/0x0007000000023433-123.dat	upx
behavioral2/files/0x0007000000023431-119.dat	upx
behavioral2/files/0x0007000000023439-150.dat	upx
behavioral2/files/0x0007000000023438-149.dat	upx
behavioral2/files/0x0007000000023427-130.dat	upx
behavioral2/files/0x000700000002342b-90.dat	upx
behavioral2/files/0x000700000002342a-87.dat	upx
behavioral2/files/0x0007000000023426-65.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\vaDZumy.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\xAnZzZu.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\jYCvfCS.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\wNSePJN.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\OHEtlgh.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\lrDEEGM.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\GkERTYb.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\xpkDXgj.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\DYsqtcx.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\BivPDib.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\ykARgAQ.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\vluuboJ.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\TBgEFyd.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\QaaeqFb.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\kcydpJj.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\PqQgOsR.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\TuTSXrA.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\BGKRmxR.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\JqXGtBv.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\vWpaaEV.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\NDfvAfx.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\xnnAZdo.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\gCFbLiy.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\luGFLNF.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\uFmUXIo.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\iGeTGYR.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\lTberSc.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\vdcWkaF.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\kzTEHEW.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\fDaBqTH.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\SRGXjCX.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\EWLJTFF.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\qSzydUO.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\oNlWVtl.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\ZhyBKjV.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\eArcNyA.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\nvnkOrM.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\SZMkeuG.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\UuMWlnk.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\fznmjzM.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\qdBfSuA.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\QapLOoJ.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\yTwsPNf.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\MZQmPye.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\fIhmsMd.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\cbBZlkd.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\bOEEKfX.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\tqNZTaM.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\EXBNwMf.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\dSVYhjY.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\SPBfesH.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\QUOtDnz.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\NCTMZWS.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\axJFisH.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\jiXHguI.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\ZMSKNnJ.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\psGeFWG.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\VATyFGd.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\mpMThLE.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\IUOLizJ.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\oCSBfVu.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\xNOWOVT.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\zggZDdk.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
File created	C:\Windows\System\dIrsqLo.exe	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
952	powershell.exe
952	powershell.exe
952	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
13192	Process not Found
12928	Process not Found
9056	Process not Found
10216	Process not Found
8760	Process not Found
8984	Process not Found
9192	Process not Found
13264	Process not Found
11952	Process not Found
12264	Process not Found
13260	Process not Found
10652	Process not Found
9560	Process not Found
7212	Process not Found
12820	Process not Found
9672	Process not Found
10108	Process not Found
7628	Process not Found
11796	Process not Found
5060	Process not Found
8580	Process not Found
8712	Process not Found
4736	Process not Found
12248	Process not Found
10452	Process not Found
6296	Process not Found
12704	Process not Found
10060	Process not Found
13084	Process not Found
12968	Process not Found
10640	Process not Found
1808	Process not Found
11956	Process not Found
12936	Process not Found
9668	Process not Found
4904	Process not Found
12084	Process not Found
12372	Process not Found
13252	Process not Found
2008	Process not Found
11404	Process not Found
11508	Process not Found
5124	Process not Found
7092	Process not Found
8064	Process not Found
8024	Process not Found
6904	Process not Found
11996	Process not Found
7200	Process not Found
8916	Process not Found
7412	Process not Found
10168	Process not Found
10164	Process not Found
3604	Process not Found
3864	Process not Found
3324	Process not Found
4496	Process not Found
212	Process not Found
4220	Process not Found
4608	Process not Found
4032	Process not Found
4708	Process not Found
3868	Process not Found
2036	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
Token: SeLockMemoryPrivilege	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeCreateGlobalPrivilege	2320	dwm.exe
Token: SeChangeNotifyPrivilege	2320	dwm.exe
Token: 33	2320	dwm.exe
Token: SeIncBasePriorityPrivilege	2320	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 952	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	81
PID 232 wrote to memory of 952	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	81
PID 232 wrote to memory of 212	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	82
PID 232 wrote to memory of 212	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	82
PID 232 wrote to memory of 3212	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	83
PID 232 wrote to memory of 3212	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	83
PID 232 wrote to memory of 1220	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	84
PID 232 wrote to memory of 1220	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	84
PID 232 wrote to memory of 4608	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	85
PID 232 wrote to memory of 4608	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	85
PID 232 wrote to memory of 4032	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	86
PID 232 wrote to memory of 4032	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	86
PID 232 wrote to memory of 4708	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	87
PID 232 wrote to memory of 4708	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	87
PID 232 wrote to memory of 4016	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	88
PID 232 wrote to memory of 4016	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	88
PID 232 wrote to memory of 4936	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	89
PID 232 wrote to memory of 4936	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	89
PID 232 wrote to memory of 3516	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	90
PID 232 wrote to memory of 3516	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	90
PID 232 wrote to memory of 1888	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	91
PID 232 wrote to memory of 1888	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	91
PID 232 wrote to memory of 3136	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	92
PID 232 wrote to memory of 3136	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	92
PID 232 wrote to memory of 436	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	93
PID 232 wrote to memory of 436	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	93
PID 232 wrote to memory of 2864	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	94
PID 232 wrote to memory of 2864	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	94
PID 232 wrote to memory of 1704	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	95
PID 232 wrote to memory of 1704	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	95
PID 232 wrote to memory of 2712	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	96
PID 232 wrote to memory of 2712	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	96
PID 232 wrote to memory of 4248	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	97
PID 232 wrote to memory of 4248	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	97
PID 232 wrote to memory of 4976	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	98
PID 232 wrote to memory of 4976	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	98
PID 232 wrote to memory of 2328	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	99
PID 232 wrote to memory of 2328	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	99
PID 232 wrote to memory of 4488	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	100
PID 232 wrote to memory of 4488	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	100
PID 232 wrote to memory of 1772	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	101
PID 232 wrote to memory of 1772	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	101
PID 232 wrote to memory of 1892	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	102
PID 232 wrote to memory of 1892	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	102
PID 232 wrote to memory of 2144	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	103
PID 232 wrote to memory of 2144	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	103
PID 232 wrote to memory of 4432	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	104
PID 232 wrote to memory of 4432	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	104
PID 232 wrote to memory of 3384	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	105
PID 232 wrote to memory of 3384	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	105
PID 232 wrote to memory of 3048	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	106
PID 232 wrote to memory of 3048	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	106
PID 232 wrote to memory of 392	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	107
PID 232 wrote to memory of 392	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	107
PID 232 wrote to memory of 968	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	108
PID 232 wrote to memory of 968	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	108
PID 232 wrote to memory of 2876	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	109
PID 232 wrote to memory of 2876	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	109
PID 232 wrote to memory of 4880	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	110
PID 232 wrote to memory of 4880	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	110
PID 232 wrote to memory of 2540	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	111
PID 232 wrote to memory of 2540	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	111
PID 232 wrote to memory of 2388	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	112
PID 232 wrote to memory of 2388	232	b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe	112

C:\Users\Admin\AppData\Local\Temp\b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe
"C:\Users\Admin\AppData\Local\Temp\b42f1c8e33f8bda3b3c072cdded956caa8f4053748f2111874f39957b5a98b41.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System\RPGRjuC.exe
  C:\Windows\System\RPGRjuC.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\HKOwcGL.exe
  C:\Windows\System\HKOwcGL.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\fcJCXsm.exe
  C:\Windows\System\fcJCXsm.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\JcOQskT.exe
  C:\Windows\System\JcOQskT.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\HeJrMrO.exe
  C:\Windows\System\HeJrMrO.exe
  2⤵
  - Executes dropped EXE
  PID:4032
- C:\Windows\System\nVkeEgs.exe
  C:\Windows\System\nVkeEgs.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\OMGOcPn.exe
  C:\Windows\System\OMGOcPn.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\YZqeLpN.exe
  C:\Windows\System\YZqeLpN.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\yxqQNtm.exe
  C:\Windows\System\yxqQNtm.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\AmtOhSV.exe
  C:\Windows\System\AmtOhSV.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\ZInSEMK.exe
  C:\Windows\System\ZInSEMK.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\yLXhOzc.exe
  C:\Windows\System\yLXhOzc.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\gCFbLiy.exe
  C:\Windows\System\gCFbLiy.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\tAWpDyf.exe
  C:\Windows\System\tAWpDyf.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\JxcMYLM.exe
  C:\Windows\System\JxcMYLM.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\AFvLlBk.exe
  C:\Windows\System\AFvLlBk.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\MfOWkGH.exe
  C:\Windows\System\MfOWkGH.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\zjtduzh.exe
  C:\Windows\System\zjtduzh.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\aCqWLom.exe
  C:\Windows\System\aCqWLom.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\uSVSnvN.exe
  C:\Windows\System\uSVSnvN.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\iAcPkIy.exe
  C:\Windows\System\iAcPkIy.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\UwRIKfI.exe
  C:\Windows\System\UwRIKfI.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\fjjeXPL.exe
  C:\Windows\System\fjjeXPL.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\PdJyNfu.exe
  C:\Windows\System\PdJyNfu.exe
  2⤵
  - Executes dropped EXE
  PID:3384
- C:\Windows\System\SKIhLyB.exe
  C:\Windows\System\SKIhLyB.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\BRuKWsO.exe
  C:\Windows\System\BRuKWsO.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\doxWgLm.exe
  C:\Windows\System\doxWgLm.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\ZXerhhn.exe
  C:\Windows\System\ZXerhhn.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\cUCqrpe.exe
  C:\Windows\System\cUCqrpe.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\gXwmEbM.exe
  C:\Windows\System\gXwmEbM.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\cjaRVvs.exe
  C:\Windows\System\cjaRVvs.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\bsXfTKx.exe
  C:\Windows\System\bsXfTKx.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\UvjDSKX.exe
  C:\Windows\System\UvjDSKX.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\zBiZZdY.exe
  C:\Windows\System\zBiZZdY.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\ufPwYwJ.exe
  C:\Windows\System\ufPwYwJ.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System\DJcxteQ.exe
  C:\Windows\System\DJcxteQ.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\nDIGOPp.exe
  C:\Windows\System\nDIGOPp.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\OVBWHGh.exe
  C:\Windows\System\OVBWHGh.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\FzeDPwd.exe
  C:\Windows\System\FzeDPwd.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\ZqbJMgF.exe
  C:\Windows\System\ZqbJMgF.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\qZlQmSI.exe
  C:\Windows\System\qZlQmSI.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\rImVxZY.exe
  C:\Windows\System\rImVxZY.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\wEAtkNp.exe
  C:\Windows\System\wEAtkNp.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\vxyfCOQ.exe
  C:\Windows\System\vxyfCOQ.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\GQWtfNM.exe
  C:\Windows\System\GQWtfNM.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\EkhEtot.exe
  C:\Windows\System\EkhEtot.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\MmtpMAl.exe
  C:\Windows\System\MmtpMAl.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\CYEpeXp.exe
  C:\Windows\System\CYEpeXp.exe
  2⤵
  PID:4672
- C:\Windows\System\lGZIRZs.exe
  C:\Windows\System\lGZIRZs.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\lqtXNBQ.exe
  C:\Windows\System\lqtXNBQ.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\lKgamjr.exe
  C:\Windows\System\lKgamjr.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\lGLFzLn.exe
  C:\Windows\System\lGLFzLn.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\MKrZTZy.exe
  C:\Windows\System\MKrZTZy.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\uddkDVp.exe
  C:\Windows\System\uddkDVp.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\SEyylid.exe
  C:\Windows\System\SEyylid.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\rzenQhH.exe
  C:\Windows\System\rzenQhH.exe
  2⤵
  PID:1032
- C:\Windows\System\ksVCWcB.exe
  C:\Windows\System\ksVCWcB.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\KnRKuWE.exe
  C:\Windows\System\KnRKuWE.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\CsFGMyQ.exe
  C:\Windows\System\CsFGMyQ.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\HzumGFa.exe
  C:\Windows\System\HzumGFa.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\NCTMZWS.exe
  C:\Windows\System\NCTMZWS.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\cXjcRsK.exe
  C:\Windows\System\cXjcRsK.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\eymvMwh.exe
  C:\Windows\System\eymvMwh.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\vwYgqAq.exe
  C:\Windows\System\vwYgqAq.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\SUWjXCY.exe
  C:\Windows\System\SUWjXCY.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\JBuZHOR.exe
  C:\Windows\System\JBuZHOR.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\fIZtiIq.exe
  C:\Windows\System\fIZtiIq.exe
  2⤵
  PID:3692
- C:\Windows\System\ebsMQTN.exe
  C:\Windows\System\ebsMQTN.exe
  2⤵
  PID:4436
- C:\Windows\System\UpvHIxz.exe
  C:\Windows\System\UpvHIxz.exe
  2⤵
  PID:4444
- C:\Windows\System\sBNrkVf.exe
  C:\Windows\System\sBNrkVf.exe
  2⤵
  PID:4100
- C:\Windows\System\nHoNrBP.exe
  C:\Windows\System\nHoNrBP.exe
  2⤵
  PID:2276
- C:\Windows\System\nvfezbG.exe
  C:\Windows\System\nvfezbG.exe
  2⤵
  PID:5084
- C:\Windows\System\nijaUqK.exe
  C:\Windows\System\nijaUqK.exe
  2⤵
  PID:1188
- C:\Windows\System\OboUfWP.exe
  C:\Windows\System\OboUfWP.exe
  2⤵
  PID:1796
- C:\Windows\System\hrxikeu.exe
  C:\Windows\System\hrxikeu.exe
  2⤵
  PID:1316
- C:\Windows\System\WjGyYdg.exe
  C:\Windows\System\WjGyYdg.exe
  2⤵
  PID:2512
- C:\Windows\System\SeoAotZ.exe
  C:\Windows\System\SeoAotZ.exe
  2⤵
  PID:4752
- C:\Windows\System\VZbqKMY.exe
  C:\Windows\System\VZbqKMY.exe
  2⤵
  PID:2760
- C:\Windows\System\ZCyWgFV.exe
  C:\Windows\System\ZCyWgFV.exe
  2⤵
  PID:2580
- C:\Windows\System\LUvvZPq.exe
  C:\Windows\System\LUvvZPq.exe
  2⤵
  PID:4636
- C:\Windows\System\tGtSDHf.exe
  C:\Windows\System\tGtSDHf.exe
  2⤵
  PID:3460
- C:\Windows\System\MozWqus.exe
  C:\Windows\System\MozWqus.exe
  2⤵
  PID:396
- C:\Windows\System\sutOBRc.exe
  C:\Windows\System\sutOBRc.exe
  2⤵
  PID:964
- C:\Windows\System\pMoDzqH.exe
  C:\Windows\System\pMoDzqH.exe
  2⤵
  PID:1860
- C:\Windows\System\dLrSwMS.exe
  C:\Windows\System\dLrSwMS.exe
  2⤵
  PID:2364
- C:\Windows\System\WNhgpjZ.exe
  C:\Windows\System\WNhgpjZ.exe
  2⤵
  PID:3856
- C:\Windows\System\WNtpbIp.exe
  C:\Windows\System\WNtpbIp.exe
  2⤵
  PID:1648
- C:\Windows\System\FSfKHEL.exe
  C:\Windows\System\FSfKHEL.exe
  2⤵
  PID:860
- C:\Windows\System\MVSDrrk.exe
  C:\Windows\System\MVSDrrk.exe
  2⤵
  PID:3588
- C:\Windows\System\zxDESMJ.exe
  C:\Windows\System\zxDESMJ.exe
  2⤵
  PID:4308
- C:\Windows\System\ZfOqjIW.exe
  C:\Windows\System\ZfOqjIW.exe
  2⤵
  PID:4876
- C:\Windows\System\HWdwDqm.exe
  C:\Windows\System\HWdwDqm.exe
  2⤵
  PID:4504
- C:\Windows\System\FXbeePG.exe
  C:\Windows\System\FXbeePG.exe
  2⤵
  PID:1348
- C:\Windows\System\WnOyXwo.exe
  C:\Windows\System\WnOyXwo.exe
  2⤵
  PID:2348
- C:\Windows\System\ESPipei.exe
  C:\Windows\System\ESPipei.exe
  2⤵
  PID:1828
- C:\Windows\System\JEkeMOO.exe
  C:\Windows\System\JEkeMOO.exe
  2⤵
  PID:1272
- C:\Windows\System\jOTBeEF.exe
  C:\Windows\System\jOTBeEF.exe
  2⤵
  PID:5140
- C:\Windows\System\KqbXKNV.exe
  C:\Windows\System\KqbXKNV.exe
  2⤵
  PID:5160
- C:\Windows\System\LiAbIzj.exe
  C:\Windows\System\LiAbIzj.exe
  2⤵
  PID:5180
- C:\Windows\System\Eiahdkw.exe
  C:\Windows\System\Eiahdkw.exe
  2⤵
  PID:5204
- C:\Windows\System\eGtRmbv.exe
  C:\Windows\System\eGtRmbv.exe
  2⤵
  PID:5220
- C:\Windows\System\OJTTgyB.exe
  C:\Windows\System\OJTTgyB.exe
  2⤵
  PID:5244
- C:\Windows\System\EubwVSd.exe
  C:\Windows\System\EubwVSd.exe
  2⤵
  PID:5268
- C:\Windows\System\kPZahac.exe
  C:\Windows\System\kPZahac.exe
  2⤵
  PID:5288
- C:\Windows\System\cpBLwwz.exe
  C:\Windows\System\cpBLwwz.exe
  2⤵
  PID:5308
- C:\Windows\System\zkDWeni.exe
  C:\Windows\System\zkDWeni.exe
  2⤵
  PID:5328
- C:\Windows\System\ePaowoY.exe
  C:\Windows\System\ePaowoY.exe
  2⤵
  PID:5348
- C:\Windows\System\oxSaTdE.exe
  C:\Windows\System\oxSaTdE.exe
  2⤵
  PID:5368
- C:\Windows\System\peuHZLW.exe
  C:\Windows\System\peuHZLW.exe
  2⤵
  PID:5384
- C:\Windows\System\CdFueCo.exe
  C:\Windows\System\CdFueCo.exe
  2⤵
  PID:5408
- C:\Windows\System\rkTyxkf.exe
  C:\Windows\System\rkTyxkf.exe
  2⤵
  PID:5448
- C:\Windows\System\HMIUtmT.exe
  C:\Windows\System\HMIUtmT.exe
  2⤵
  PID:5468
- C:\Windows\System\eKBIppo.exe
  C:\Windows\System\eKBIppo.exe
  2⤵
  PID:5492
- C:\Windows\System\vZbZbvo.exe
  C:\Windows\System\vZbZbvo.exe
  2⤵
  PID:5520
- C:\Windows\System\URJeGjH.exe
  C:\Windows\System\URJeGjH.exe
  2⤵
  PID:5540
- C:\Windows\System\UOiFkZm.exe
  C:\Windows\System\UOiFkZm.exe
  2⤵
  PID:5556
- C:\Windows\System\FqlWvui.exe
  C:\Windows\System\FqlWvui.exe
  2⤵
  PID:5580
- C:\Windows\System\nHZIbrX.exe
  C:\Windows\System\nHZIbrX.exe
  2⤵
  PID:5596
- C:\Windows\System\KRnvDHn.exe
  C:\Windows\System\KRnvDHn.exe
  2⤵
  PID:5628
- C:\Windows\System\BSVvnRC.exe
  C:\Windows\System\BSVvnRC.exe
  2⤵
  PID:5656
- C:\Windows\System\PHUZwNn.exe
  C:\Windows\System\PHUZwNn.exe
  2⤵
  PID:5672
- C:\Windows\System\uDlfifv.exe
  C:\Windows\System\uDlfifv.exe
  2⤵
  PID:5696
- C:\Windows\System\gjsuPtA.exe
  C:\Windows\System\gjsuPtA.exe
  2⤵
  PID:5712
- C:\Windows\System\vGCWkSs.exe
  C:\Windows\System\vGCWkSs.exe
  2⤵
  PID:5772
- C:\Windows\System\jjJtFTb.exe
  C:\Windows\System\jjJtFTb.exe
  2⤵
  PID:5792
- C:\Windows\System\fXSeedI.exe
  C:\Windows\System\fXSeedI.exe
  2⤵
  PID:5820
- C:\Windows\System\WqXHoCU.exe
  C:\Windows\System\WqXHoCU.exe
  2⤵
  PID:5844
- C:\Windows\System\gpUFaMQ.exe
  C:\Windows\System\gpUFaMQ.exe
  2⤵
  PID:5860
- C:\Windows\System\dQesYeH.exe
  C:\Windows\System\dQesYeH.exe
  2⤵
  PID:5880
- C:\Windows\System\FsYQGFL.exe
  C:\Windows\System\FsYQGFL.exe
  2⤵
  PID:5900
- C:\Windows\System\RFrsnzD.exe
  C:\Windows\System\RFrsnzD.exe
  2⤵
  PID:5920
- C:\Windows\System\CFyjYim.exe
  C:\Windows\System\CFyjYim.exe
  2⤵
  PID:5936
- C:\Windows\System\lfzJzyQ.exe
  C:\Windows\System\lfzJzyQ.exe
  2⤵
  PID:5956
- C:\Windows\System\gPfQeTM.exe
  C:\Windows\System\gPfQeTM.exe
  2⤵
  PID:5980
- C:\Windows\System\rZLLPXN.exe
  C:\Windows\System\rZLLPXN.exe
  2⤵
  PID:6000
- C:\Windows\System\GmlzCUf.exe
  C:\Windows\System\GmlzCUf.exe
  2⤵
  PID:6020
- C:\Windows\System\qFdAcAp.exe
  C:\Windows\System\qFdAcAp.exe
  2⤵
  PID:6048
- C:\Windows\System\ZoQrzZp.exe
  C:\Windows\System\ZoQrzZp.exe
  2⤵
  PID:6072
- C:\Windows\System\BraQjWJ.exe
  C:\Windows\System\BraQjWJ.exe
  2⤵
  PID:6092
- C:\Windows\System\eugMEAz.exe
  C:\Windows\System\eugMEAz.exe
  2⤵
  PID:6116
- C:\Windows\System\hUFbQjN.exe
  C:\Windows\System\hUFbQjN.exe
  2⤵
  PID:6136
- C:\Windows\System\ciVWVrv.exe
  C:\Windows\System\ciVWVrv.exe
  2⤵
  PID:4960
- C:\Windows\System\jmIjVvD.exe
  C:\Windows\System\jmIjVvD.exe
  2⤵
  PID:3880
- C:\Windows\System\zVOYcAo.exe
  C:\Windows\System\zVOYcAo.exe
  2⤵
  PID:2308
- C:\Windows\System\NUFrrOg.exe
  C:\Windows\System\NUFrrOg.exe
  2⤵
  PID:3252
- C:\Windows\System\bFqAWgC.exe
  C:\Windows\System\bFqAWgC.exe
  2⤵
  PID:8
- C:\Windows\System\zPTbKdm.exe
  C:\Windows\System\zPTbKdm.exe
  2⤵
  PID:4676
- C:\Windows\System\IKPgByv.exe
  C:\Windows\System\IKPgByv.exe
  2⤵
  PID:4124
- C:\Windows\System\wfcecTm.exe
  C:\Windows\System\wfcecTm.exe
  2⤵
  PID:2212
- C:\Windows\System\WsuwqPo.exe
  C:\Windows\System\WsuwqPo.exe
  2⤵
  PID:3928
- C:\Windows\System\UiIkzJu.exe
  C:\Windows\System\UiIkzJu.exe
  2⤵
  PID:3436
- C:\Windows\System\IfTzrnU.exe
  C:\Windows\System\IfTzrnU.exe
  2⤵
  PID:4372
- C:\Windows\System\qQclrwF.exe
  C:\Windows\System\qQclrwF.exe
  2⤵
  PID:1180
- C:\Windows\System\ztWUuvg.exe
  C:\Windows\System\ztWUuvg.exe
  2⤵
  PID:5420
- C:\Windows\System\mShglwy.exe
  C:\Windows\System\mShglwy.exe
  2⤵
  PID:5488
- C:\Windows\System\QjjKngb.exe
  C:\Windows\System\QjjKngb.exe
  2⤵
  PID:5516
- C:\Windows\System\kyqlQvh.exe
  C:\Windows\System\kyqlQvh.exe
  2⤵
  PID:5604
- C:\Windows\System\nqkCnLt.exe
  C:\Windows\System\nqkCnLt.exe
  2⤵
  PID:464
- C:\Windows\System\TTcOmua.exe
  C:\Windows\System\TTcOmua.exe
  2⤵
  PID:3208
- C:\Windows\System\QWzVMob.exe
  C:\Windows\System\QWzVMob.exe
  2⤵
  PID:6152
- C:\Windows\System\fzUOgOS.exe
  C:\Windows\System\fzUOgOS.exe
  2⤵
  PID:6176
- C:\Windows\System\ynWPCPV.exe
  C:\Windows\System\ynWPCPV.exe
  2⤵
  PID:6196
- C:\Windows\System\aBfIjFt.exe
  C:\Windows\System\aBfIjFt.exe
  2⤵
  PID:6216
- C:\Windows\System\LFoIWyV.exe
  C:\Windows\System\LFoIWyV.exe
  2⤵
  PID:6236
- C:\Windows\System\tdRCNGk.exe
  C:\Windows\System\tdRCNGk.exe
  2⤵
  PID:6256
- C:\Windows\System\pJNceqs.exe
  C:\Windows\System\pJNceqs.exe
  2⤵
  PID:6272
- C:\Windows\System\tHzkHkS.exe
  C:\Windows\System\tHzkHkS.exe
  2⤵
  PID:6328
- C:\Windows\System\oMUhxqv.exe
  C:\Windows\System\oMUhxqv.exe
  2⤵
  PID:6356
- C:\Windows\System\FQEDHaE.exe
  C:\Windows\System\FQEDHaE.exe
  2⤵
  PID:6372
- C:\Windows\System\VlrAKzc.exe
  C:\Windows\System\VlrAKzc.exe
  2⤵
  PID:6396
- C:\Windows\System\GwlpHRU.exe
  C:\Windows\System\GwlpHRU.exe
  2⤵
  PID:6412
- C:\Windows\System\KrTqRoh.exe
  C:\Windows\System\KrTqRoh.exe
  2⤵
  PID:6432
- C:\Windows\System\kmNavMb.exe
  C:\Windows\System\kmNavMb.exe
  2⤵
  PID:6456
- C:\Windows\System\qJhwgNu.exe
  C:\Windows\System\qJhwgNu.exe
  2⤵
  PID:6472
- C:\Windows\System\Vppzjcm.exe
  C:\Windows\System\Vppzjcm.exe
  2⤵
  PID:6492
- C:\Windows\System\OUuQwcV.exe
  C:\Windows\System\OUuQwcV.exe
  2⤵
  PID:6512
- C:\Windows\System\SZMkeuG.exe
  C:\Windows\System\SZMkeuG.exe
  2⤵
  PID:6536
- C:\Windows\System\jcosMMZ.exe
  C:\Windows\System\jcosMMZ.exe
  2⤵
  PID:6552
- C:\Windows\System\TYccFWv.exe
  C:\Windows\System\TYccFWv.exe
  2⤵
  PID:6576
- C:\Windows\System\CZhSLrz.exe
  C:\Windows\System\CZhSLrz.exe
  2⤵
  PID:6592
- C:\Windows\System\PGhZLWf.exe
  C:\Windows\System\PGhZLWf.exe
  2⤵
  PID:6616
- C:\Windows\System\zoGgkqX.exe
  C:\Windows\System\zoGgkqX.exe
  2⤵
  PID:6636
- C:\Windows\System\StPguZu.exe
  C:\Windows\System\StPguZu.exe
  2⤵
  PID:6656
- C:\Windows\System\tdKJxsB.exe
  C:\Windows\System\tdKJxsB.exe
  2⤵
  PID:6676
- C:\Windows\System\ioAVHnz.exe
  C:\Windows\System\ioAVHnz.exe
  2⤵
  PID:6696
- C:\Windows\System\IXbyhIK.exe
  C:\Windows\System\IXbyhIK.exe
  2⤵
  PID:6720
- C:\Windows\System\UXaWsSR.exe
  C:\Windows\System\UXaWsSR.exe
  2⤵
  PID:6744
- C:\Windows\System\WXjFKxA.exe
  C:\Windows\System\WXjFKxA.exe
  2⤵
  PID:6764
- C:\Windows\System\ekBExLR.exe
  C:\Windows\System\ekBExLR.exe
  2⤵
  PID:6780
- C:\Windows\System\JqScocF.exe
  C:\Windows\System\JqScocF.exe
  2⤵
  PID:6800
- C:\Windows\System\hMfWaIp.exe
  C:\Windows\System\hMfWaIp.exe
  2⤵
  PID:6824
- C:\Windows\System\VbCfVQR.exe
  C:\Windows\System\VbCfVQR.exe
  2⤵
  PID:6840
- C:\Windows\System\sjXxeXJ.exe
  C:\Windows\System\sjXxeXJ.exe
  2⤵
  PID:6868
- C:\Windows\System\NwwVPPG.exe
  C:\Windows\System\NwwVPPG.exe
  2⤵
  PID:6888
- C:\Windows\System\EGAaXtX.exe
  C:\Windows\System\EGAaXtX.exe
  2⤵
  PID:6908
- C:\Windows\System\decXKmR.exe
  C:\Windows\System\decXKmR.exe
  2⤵
  PID:6928
- C:\Windows\System\DjSwmuV.exe
  C:\Windows\System\DjSwmuV.exe
  2⤵
  PID:6944
- C:\Windows\System\PTcNMyc.exe
  C:\Windows\System\PTcNMyc.exe
  2⤵
  PID:6968
- C:\Windows\System\KmhKRKy.exe
  C:\Windows\System\KmhKRKy.exe
  2⤵
  PID:6988
- C:\Windows\System\vhmCMUQ.exe
  C:\Windows\System\vhmCMUQ.exe
  2⤵
  PID:4728
- C:\Windows\System\toXNZXN.exe
  C:\Windows\System\toXNZXN.exe
  2⤵
  PID:4060
- C:\Windows\System\IJXJTXz.exe
  C:\Windows\System\IJXJTXz.exe
  2⤵
  PID:5876
- C:\Windows\System\XogHalA.exe
  C:\Windows\System\XogHalA.exe
  2⤵
  PID:5932
- C:\Windows\System\gQDFwAM.exe
  C:\Windows\System\gQDFwAM.exe
  2⤵
  PID:5972
- C:\Windows\System\WVxwzHc.exe
  C:\Windows\System\WVxwzHc.exe
  2⤵
  PID:5912
- C:\Windows\System\CBXVCSX.exe
  C:\Windows\System\CBXVCSX.exe
  2⤵
  PID:6008
- C:\Windows\System\UciLYFk.exe
  C:\Windows\System\UciLYFk.exe
  2⤵
  PID:6088
- C:\Windows\System\ZSbvGrH.exe
  C:\Windows\System\ZSbvGrH.exe
  2⤵
  PID:6124
- C:\Windows\System\AMECABv.exe
  C:\Windows\System\AMECABv.exe
  2⤵
  PID:2772
- C:\Windows\System\PzcEJgU.exe
  C:\Windows\System\PzcEJgU.exe
  2⤵
  PID:2016
- C:\Windows\System\MIDGGXZ.exe
  C:\Windows\System\MIDGGXZ.exe
  2⤵
  PID:3988
- C:\Windows\System\iqmsUSC.exe
  C:\Windows\System\iqmsUSC.exe
  2⤵
  PID:5460
- C:\Windows\System\djzUnUD.exe
  C:\Windows\System\djzUnUD.exe
  2⤵
  PID:6228
- C:\Windows\System\yGGTPIN.exe
  C:\Windows\System\yGGTPIN.exe
  2⤵
  PID:6380
- C:\Windows\System\FZyOtjt.exe
  C:\Windows\System\FZyOtjt.exe
  2⤵
  PID:6560
- C:\Windows\System\ctFpXZh.exe
  C:\Windows\System\ctFpXZh.exe
  2⤵
  PID:4900
- C:\Windows\System\SFROVmA.exe
  C:\Windows\System\SFROVmA.exe
  2⤵
  PID:6232
- C:\Windows\System\nGwSxJv.exe
  C:\Windows\System\nGwSxJv.exe
  2⤵
  PID:6408
- C:\Windows\System\oGdcGzz.exe
  C:\Windows\System\oGdcGzz.exe
  2⤵
  PID:4972
- C:\Windows\System\UASPcDX.exe
  C:\Windows\System\UASPcDX.exe
  2⤵
  PID:3600
- C:\Windows\System\zyzMxex.exe
  C:\Windows\System\zyzMxex.exe
  2⤵
  PID:6340
- C:\Windows\System\jYaeYNc.exe
  C:\Windows\System\jYaeYNc.exe
  2⤵
  PID:6424
- C:\Windows\System\KPtpULQ.exe
  C:\Windows\System\KPtpULQ.exe
  2⤵
  PID:7184
- C:\Windows\System\nQNDTcJ.exe
  C:\Windows\System\nQNDTcJ.exe
  2⤵
  PID:7204
- C:\Windows\System\dDUyyth.exe
  C:\Windows\System\dDUyyth.exe
  2⤵
  PID:7240
- C:\Windows\System\PpzVJIZ.exe
  C:\Windows\System\PpzVJIZ.exe
  2⤵
  PID:7260
- C:\Windows\System\ptlqkCY.exe
  C:\Windows\System\ptlqkCY.exe
  2⤵
  PID:7280
- C:\Windows\System\eDuvJkt.exe
  C:\Windows\System\eDuvJkt.exe
  2⤵
  PID:7296
- C:\Windows\System\KZOkKfl.exe
  C:\Windows\System\KZOkKfl.exe
  2⤵
  PID:7340
- C:\Windows\System\YqmAcbc.exe
  C:\Windows\System\YqmAcbc.exe
  2⤵
  PID:7364
- C:\Windows\System\iPwAfwB.exe
  C:\Windows\System\iPwAfwB.exe
  2⤵
  PID:7384
- C:\Windows\System\NeeBFBq.exe
  C:\Windows\System\NeeBFBq.exe
  2⤵
  PID:7420
- C:\Windows\System\CFgiDZI.exe
  C:\Windows\System\CFgiDZI.exe
  2⤵
  PID:7456
- C:\Windows\System\HHtAWOC.exe
  C:\Windows\System\HHtAWOC.exe
  2⤵
  PID:7484
- C:\Windows\System\GhyLFuH.exe
  C:\Windows\System\GhyLFuH.exe
  2⤵
  PID:7500
- C:\Windows\System\CwgABAF.exe
  C:\Windows\System\CwgABAF.exe
  2⤵
  PID:7520
- C:\Windows\System\BWVLYIt.exe
  C:\Windows\System\BWVLYIt.exe
  2⤵
  PID:7536
- C:\Windows\System\aHJejpS.exe
  C:\Windows\System\aHJejpS.exe
  2⤵
  PID:7560
- C:\Windows\System\yBXfCdY.exe
  C:\Windows\System\yBXfCdY.exe
  2⤵
  PID:7596
- C:\Windows\System\CpqemwE.exe
  C:\Windows\System\CpqemwE.exe
  2⤵
  PID:7616
- C:\Windows\System\lDoozfz.exe
  C:\Windows\System\lDoozfz.exe
  2⤵
  PID:7640
- C:\Windows\System\DhLJlch.exe
  C:\Windows\System\DhLJlch.exe
  2⤵
  PID:7672
- C:\Windows\System\gcpkuzr.exe
  C:\Windows\System\gcpkuzr.exe
  2⤵
  PID:7692
- C:\Windows\System\XWMyeVj.exe
  C:\Windows\System\XWMyeVj.exe
  2⤵
  PID:7728
- C:\Windows\System\CHeqmxD.exe
  C:\Windows\System\CHeqmxD.exe
  2⤵
  PID:7748
- C:\Windows\System\TQXbqVd.exe
  C:\Windows\System\TQXbqVd.exe
  2⤵
  PID:7772
- C:\Windows\System\cbMIWHA.exe
  C:\Windows\System\cbMIWHA.exe
  2⤵
  PID:7792
- C:\Windows\System\dBJwGhI.exe
  C:\Windows\System\dBJwGhI.exe
  2⤵
  PID:7812
- C:\Windows\System\NAMnXVp.exe
  C:\Windows\System\NAMnXVp.exe
  2⤵
  PID:7832
- C:\Windows\System\XcorMau.exe
  C:\Windows\System\XcorMau.exe
  2⤵
  PID:7856
- C:\Windows\System\YjihxCB.exe
  C:\Windows\System\YjihxCB.exe
  2⤵
  PID:7876
- C:\Windows\System\UukzeMf.exe
  C:\Windows\System\UukzeMf.exe
  2⤵
  PID:7904
- C:\Windows\System\KWDJchS.exe
  C:\Windows\System\KWDJchS.exe
  2⤵
  PID:7936
- C:\Windows\System\rnqxYrD.exe
  C:\Windows\System\rnqxYrD.exe
  2⤵
  PID:7956
- C:\Windows\System\KihWcLQ.exe
  C:\Windows\System\KihWcLQ.exe
  2⤵
  PID:7976
- C:\Windows\System\DtvIMuq.exe
  C:\Windows\System\DtvIMuq.exe
  2⤵
  PID:7992
- C:\Windows\System\tkIKRtt.exe
  C:\Windows\System\tkIKRtt.exe
  2⤵
  PID:8108
- C:\Windows\System\DATTTTw.exe
  C:\Windows\System\DATTTTw.exe
  2⤵
  PID:8128
- C:\Windows\System\IUeRPpn.exe
  C:\Windows\System\IUeRPpn.exe
  2⤵
  PID:8144
- C:\Windows\System\jVeZRLK.exe
  C:\Windows\System\jVeZRLK.exe
  2⤵
  PID:8160
- C:\Windows\System\nrGtXgP.exe
  C:\Windows\System\nrGtXgP.exe
  2⤵
  PID:8176
- C:\Windows\System\luGFLNF.exe
  C:\Windows\System\luGFLNF.exe
  2⤵
  PID:6484
- C:\Windows\System\RpsAbhM.exe
  C:\Windows\System\RpsAbhM.exe
  2⤵
  PID:6648
- C:\Windows\System\AeBfpet.exe
  C:\Windows\System\AeBfpet.exe
  2⤵
  PID:6940
- C:\Windows\System\ndBVTKo.exe
  C:\Windows\System\ndBVTKo.exe
  2⤵
  PID:3092
- C:\Windows\System\yXMjqUx.exe
  C:\Windows\System\yXMjqUx.exe
  2⤵
  PID:5032
- C:\Windows\System\qVIobTg.exe
  C:\Windows\System\qVIobTg.exe
  2⤵
  PID:1028
- C:\Windows\System\iMuNKse.exe
  C:\Windows\System\iMuNKse.exe
  2⤵
  PID:4452
- C:\Windows\System\LEWZKuc.exe
  C:\Windows\System\LEWZKuc.exe
  2⤵
  PID:6168
- C:\Windows\System\HDNFsiv.exe
  C:\Windows\System\HDNFsiv.exe
  2⤵
  PID:6468
- C:\Windows\System\JhcAcwz.exe
  C:\Windows\System\JhcAcwz.exe
  2⤵
  PID:6572
- C:\Windows\System\fPCMnkx.exe
  C:\Windows\System\fPCMnkx.exe
  2⤵
  PID:6672
- C:\Windows\System\DzEynNZ.exe
  C:\Windows\System\DzEynNZ.exe
  2⤵
  PID:6716
- C:\Windows\System\MCgGwrD.exe
  C:\Windows\System\MCgGwrD.exe
  2⤵
  PID:6788
- C:\Windows\System\VPhWdkT.exe
  C:\Windows\System\VPhWdkT.exe
  2⤵
  PID:6936
- C:\Windows\System\zlpcRHK.exe
  C:\Windows\System\zlpcRHK.exe
  2⤵
  PID:5680
- C:\Windows\System\HpsntQr.exe
  C:\Windows\System\HpsntQr.exe
  2⤵
  PID:7944
- C:\Windows\System\lrHWCls.exe
  C:\Windows\System\lrHWCls.exe
  2⤵
  PID:8228
- C:\Windows\System\ZzZUHlR.exe
  C:\Windows\System\ZzZUHlR.exe
  2⤵
  PID:8244
- C:\Windows\System\djGViCC.exe
  C:\Windows\System\djGViCC.exe
  2⤵
  PID:8260
- C:\Windows\System\KQXGzIF.exe
  C:\Windows\System\KQXGzIF.exe
  2⤵
  PID:8276
- C:\Windows\System\gvnxChq.exe
  C:\Windows\System\gvnxChq.exe
  2⤵
  PID:8292
- C:\Windows\System\QahBKwM.exe
  C:\Windows\System\QahBKwM.exe
  2⤵
  PID:8308
- C:\Windows\System\MeBrWnU.exe
  C:\Windows\System\MeBrWnU.exe
  2⤵
  PID:8324
- C:\Windows\System\oWymZwx.exe
  C:\Windows\System\oWymZwx.exe
  2⤵
  PID:8340
- C:\Windows\System\SRstSQy.exe
  C:\Windows\System\SRstSQy.exe
  2⤵
  PID:8356
- C:\Windows\System\DpykTQV.exe
  C:\Windows\System\DpykTQV.exe
  2⤵
  PID:8372
- C:\Windows\System\YXMaVAK.exe
  C:\Windows\System\YXMaVAK.exe
  2⤵
  PID:8388
- C:\Windows\System\KiRbSVa.exe
  C:\Windows\System\KiRbSVa.exe
  2⤵
  PID:8404
- C:\Windows\System\JInwjgO.exe
  C:\Windows\System\JInwjgO.exe
  2⤵
  PID:8420
- C:\Windows\System\epUmKly.exe
  C:\Windows\System\epUmKly.exe
  2⤵
  PID:8436
- C:\Windows\System\nDRaorj.exe
  C:\Windows\System\nDRaorj.exe
  2⤵
  PID:8456
- C:\Windows\System\IRugLKv.exe
  C:\Windows\System\IRugLKv.exe
  2⤵
  PID:8472
- C:\Windows\System\BDAMElX.exe
  C:\Windows\System\BDAMElX.exe
  2⤵
  PID:8492
- C:\Windows\System\CyhEAzS.exe
  C:\Windows\System\CyhEAzS.exe
  2⤵
  PID:8512
- C:\Windows\System\oFaWQyt.exe
  C:\Windows\System\oFaWQyt.exe
  2⤵
  PID:8536
- C:\Windows\System\BpckolR.exe
  C:\Windows\System\BpckolR.exe
  2⤵
  PID:8560
- C:\Windows\System\jWpCgUd.exe
  C:\Windows\System\jWpCgUd.exe
  2⤵
  PID:8584
- C:\Windows\System\oGSPWJf.exe
  C:\Windows\System\oGSPWJf.exe
  2⤵
  PID:8616
- C:\Windows\System\VHxTBYz.exe
  C:\Windows\System\VHxTBYz.exe
  2⤵
  PID:8640
- C:\Windows\System\jeQisKe.exe
  C:\Windows\System\jeQisKe.exe
  2⤵
  PID:8656
- C:\Windows\System\Zwlboqk.exe
  C:\Windows\System\Zwlboqk.exe
  2⤵
  PID:8680
- C:\Windows\System\yHtEGbI.exe
  C:\Windows\System\yHtEGbI.exe
  2⤵
  PID:8700
- C:\Windows\System\AHAKaba.exe
  C:\Windows\System\AHAKaba.exe
  2⤵
  PID:8732
- C:\Windows\System\LnAfmpt.exe
  C:\Windows\System\LnAfmpt.exe
  2⤵
  PID:8748
- C:\Windows\System\lCYsRKi.exe
  C:\Windows\System\lCYsRKi.exe
  2⤵
  PID:8764
- C:\Windows\System\mQgNrzo.exe
  C:\Windows\System\mQgNrzo.exe
  2⤵
  PID:8780
- C:\Windows\System\cqfZDlU.exe
  C:\Windows\System\cqfZDlU.exe
  2⤵
  PID:8800
- C:\Windows\System\aMnMPiw.exe
  C:\Windows\System\aMnMPiw.exe
  2⤵
  PID:8848
- C:\Windows\System\pqcBGZN.exe
  C:\Windows\System\pqcBGZN.exe
  2⤵
  PID:8868
- C:\Windows\System\uNxgvqY.exe
  C:\Windows\System\uNxgvqY.exe
  2⤵
  PID:8888
- C:\Windows\System\jyDRfNT.exe
  C:\Windows\System\jyDRfNT.exe
  2⤵
  PID:8908
- C:\Windows\System\CTICNcR.exe
  C:\Windows\System\CTICNcR.exe
  2⤵
  PID:8928
- C:\Windows\System\fyuhtQl.exe
  C:\Windows\System\fyuhtQl.exe
  2⤵
  PID:8952
- C:\Windows\System\GEcdZFC.exe
  C:\Windows\System\GEcdZFC.exe
  2⤵
  PID:8976
- C:\Windows\System\RkFWefz.exe
  C:\Windows\System\RkFWefz.exe
  2⤵
  PID:8996
- C:\Windows\System\rNrnSCM.exe
  C:\Windows\System\rNrnSCM.exe
  2⤵
  PID:9016
- C:\Windows\System\bOfCpGM.exe
  C:\Windows\System\bOfCpGM.exe
  2⤵
  PID:9040
- C:\Windows\System\vpqdsbG.exe
  C:\Windows\System\vpqdsbG.exe
  2⤵
  PID:9060
- C:\Windows\System\bQBOxmI.exe
  C:\Windows\System\bQBOxmI.exe
  2⤵
  PID:9080
- C:\Windows\System\CwEeNjz.exe
  C:\Windows\System\CwEeNjz.exe
  2⤵
  PID:9100
- C:\Windows\System\iRzDHmT.exe
  C:\Windows\System\iRzDHmT.exe
  2⤵
  PID:9120
- C:\Windows\System\SLzpBXo.exe
  C:\Windows\System\SLzpBXo.exe
  2⤵
  PID:9144
- C:\Windows\System\MzBUVBN.exe
  C:\Windows\System\MzBUVBN.exe
  2⤵
  PID:9160
- C:\Windows\System\jzxYsNM.exe
  C:\Windows\System\jzxYsNM.exe
  2⤵
  PID:9184
- C:\Windows\System\CccoMVR.exe
  C:\Windows\System\CccoMVR.exe
  2⤵
  PID:9208
- C:\Windows\System\qjraTFI.exe
  C:\Windows\System\qjraTFI.exe
  2⤵
  PID:5664
- C:\Windows\System\XSqaVWm.exe
  C:\Windows\System\XSqaVWm.exe
  2⤵
  PID:5804
- C:\Windows\System\AcfWjCg.exe
  C:\Windows\System\AcfWjCg.exe
  2⤵
  PID:5340
- C:\Windows\System\AybgoDM.exe
  C:\Windows\System\AybgoDM.exe
  2⤵
  PID:2992
- C:\Windows\System\TbHDIPc.exe
  C:\Windows\System\TbHDIPc.exe
  2⤵
  PID:540
- C:\Windows\System\vvJJVRE.exe
  C:\Windows\System\vvJJVRE.exe
  2⤵
  PID:5176
- C:\Windows\System\SPGtgEk.exe
  C:\Windows\System\SPGtgEk.exe
  2⤵
  PID:3464
- C:\Windows\System\LPbgvLk.exe
  C:\Windows\System\LPbgvLk.exe
  2⤵
  PID:6504
- C:\Windows\System\VUGDBkY.exe
  C:\Windows\System\VUGDBkY.exe
  2⤵
  PID:5404
- C:\Windows\System\bdDmvpI.exe
  C:\Windows\System\bdDmvpI.exe
  2⤵
  PID:4632
- C:\Windows\System\dFENuVc.exe
  C:\Windows\System\dFENuVc.exe
  2⤵
  PID:6608
- C:\Windows\System\mdGttNp.exe
  C:\Windows\System\mdGttNp.exe
  2⤵
  PID:5908
- C:\Windows\System\glhUkra.exe
  C:\Windows\System\glhUkra.exe
  2⤵
  PID:6112
- C:\Windows\System\zGFruhV.exe
  C:\Windows\System\zGFruhV.exe
  2⤵
  PID:2284
- C:\Windows\System\WKPIjDk.exe
  C:\Windows\System\WKPIjDk.exe
  2⤵
  PID:5356
- C:\Windows\System\rLYFuLV.exe
  C:\Windows\System\rLYFuLV.exe
  2⤵
  PID:6308
- C:\Windows\System\YYEunRQ.exe
  C:\Windows\System\YYEunRQ.exe
  2⤵
  PID:6668
- C:\Windows\System\fSkvouc.exe
  C:\Windows\System\fSkvouc.exe
  2⤵
  PID:6252
- C:\Windows\System\JiSmDPk.exe
  C:\Windows\System\JiSmDPk.exe
  2⤵
  PID:1908
- C:\Windows\System\HFpyffe.exe
  C:\Windows\System\HFpyffe.exe
  2⤵
  PID:7392
- C:\Windows\System\cHOYGwE.exe
  C:\Windows\System\cHOYGwE.exe
  2⤵
  PID:7448
- C:\Windows\System\TAEjFHE.exe
  C:\Windows\System\TAEjFHE.exe
  2⤵
  PID:7472
- C:\Windows\System\uXbtVgE.exe
  C:\Windows\System\uXbtVgE.exe
  2⤵
  PID:7528
- C:\Windows\System\YEqUpsu.exe
  C:\Windows\System\YEqUpsu.exe
  2⤵
  PID:7568
- C:\Windows\System\jyDPXmP.exe
  C:\Windows\System\jyDPXmP.exe
  2⤵
  PID:7624
- C:\Windows\System\yCmfSWo.exe
  C:\Windows\System\yCmfSWo.exe
  2⤵
  PID:7660
- C:\Windows\System\qrKrqml.exe
  C:\Windows\System\qrKrqml.exe
  2⤵
  PID:7736
- C:\Windows\System\lPMNAiT.exe
  C:\Windows\System\lPMNAiT.exe
  2⤵
  PID:7760
- C:\Windows\System\kquXuXd.exe
  C:\Windows\System\kquXuXd.exe
  2⤵
  PID:7800
- C:\Windows\System\MePMhXX.exe
  C:\Windows\System\MePMhXX.exe
  2⤵
  PID:7844
- C:\Windows\System\IynCLxQ.exe
  C:\Windows\System\IynCLxQ.exe
  2⤵
  PID:7884
- C:\Windows\System\uCKHhvo.exe
  C:\Windows\System\uCKHhvo.exe
  2⤵
  PID:8432
- C:\Windows\System\hbyUKUC.exe
  C:\Windows\System\hbyUKUC.exe
  2⤵
  PID:8188
- C:\Windows\System\jgQFlmV.exe
  C:\Windows\System\jgQFlmV.exe
  2⤵
  PID:6624
- C:\Windows\System\gMcGqpl.exe
  C:\Windows\System\gMcGqpl.exe
  2⤵
  PID:6884
- C:\Windows\System\AtDFuwD.exe
  C:\Windows\System\AtDFuwD.exe
  2⤵
  PID:6964
- C:\Windows\System\XNMAiGX.exe
  C:\Windows\System\XNMAiGX.exe
  2⤵
  PID:7972
- C:\Windows\System\UlqROKD.exe
  C:\Windows\System\UlqROKD.exe
  2⤵
  PID:9820
- C:\Windows\System\SsdbUzk.exe
  C:\Windows\System\SsdbUzk.exe
  2⤵
  PID:9940
- C:\Windows\System\fsFjBLt.exe
  C:\Windows\System\fsFjBLt.exe
  2⤵
  PID:9956
- C:\Windows\System\JsPHIFu.exe
  C:\Windows\System\JsPHIFu.exe
  2⤵
  PID:9980
- C:\Windows\System\OakLGZl.exe
  C:\Windows\System\OakLGZl.exe
  2⤵
  PID:10024
- C:\Windows\System\EGcyqEe.exe
  C:\Windows\System\EGcyqEe.exe
  2⤵
  PID:10044
- C:\Windows\System\XDDQsni.exe
  C:\Windows\System\XDDQsni.exe
  2⤵
  PID:10068
- C:\Windows\System\NmJMnCs.exe
  C:\Windows\System\NmJMnCs.exe
  2⤵
  PID:10088
- C:\Windows\System\gNrBtJQ.exe
  C:\Windows\System\gNrBtJQ.exe
  2⤵
  PID:10120
- C:\Windows\System\oDhcMiQ.exe
  C:\Windows\System\oDhcMiQ.exe
  2⤵
  PID:10140
- C:\Windows\System\jrRIOpL.exe
  C:\Windows\System\jrRIOpL.exe
  2⤵
  PID:10204
- C:\Windows\System\vcyPapK.exe
  C:\Windows\System\vcyPapK.exe
  2⤵
  PID:10224
- C:\Windows\System\qLncGwf.exe
  C:\Windows\System\qLncGwf.exe
  2⤵
  PID:2824
- C:\Windows\System\uBgknPb.exe
  C:\Windows\System\uBgknPb.exe
  2⤵
  PID:8168
- C:\Windows\System\kszolcw.exe
  C:\Windows\System\kszolcw.exe
  2⤵
  PID:8204
- C:\Windows\System\NRVvMin.exe
  C:\Windows\System\NRVvMin.exe
  2⤵
  PID:8236
- C:\Windows\System\htiwIEa.exe
  C:\Windows\System\htiwIEa.exe
  2⤵
  PID:8288
- C:\Windows\System\lhZfHee.exe
  C:\Windows\System\lhZfHee.exe
  2⤵
  PID:8320
- C:\Windows\System\fhPDuLn.exe
  C:\Windows\System\fhPDuLn.exe
  2⤵
  PID:8364
- C:\Windows\System\bwHHQrF.exe
  C:\Windows\System\bwHHQrF.exe
  2⤵
  PID:8448
- C:\Windows\System\vAmNyiO.exe
  C:\Windows\System\vAmNyiO.exe
  2⤵
  PID:7720
- C:\Windows\System\ebViWuc.exe
  C:\Windows\System\ebViWuc.exe
  2⤵
  PID:6712
- C:\Windows\System\mTyFlwl.exe
  C:\Windows\System\mTyFlwl.exe
  2⤵
  PID:8072
- C:\Windows\System\cmWQrFA.exe
  C:\Windows\System\cmWQrFA.exe
  2⤵
  PID:9404
- C:\Windows\System\gbTCOby.exe
  C:\Windows\System\gbTCOby.exe
  2⤵
  PID:9540
- C:\Windows\System\dFOETZG.exe
  C:\Windows\System\dFOETZG.exe
  2⤵
  PID:8500
- C:\Windows\System\exyotaX.exe
  C:\Windows\System\exyotaX.exe
  2⤵
  PID:8532
- C:\Windows\System\fHGbnaj.exe
  C:\Windows\System\fHGbnaj.exe
  2⤵
  PID:8652
- C:\Windows\System\zIZStiM.exe
  C:\Windows\System\zIZStiM.exe
  2⤵
  PID:8860
- C:\Windows\System\IWxCcbj.exe
  C:\Windows\System\IWxCcbj.exe
  2⤵
  PID:8900
- C:\Windows\System\zGIyyEy.exe
  C:\Windows\System\zGIyyEy.exe
  2⤵
  PID:8936
- C:\Windows\System\oeAPsGE.exe
  C:\Windows\System\oeAPsGE.exe
  2⤵
  PID:8968
- C:\Windows\System\HcoJdKn.exe
  C:\Windows\System\HcoJdKn.exe
  2⤵
  PID:8992
- C:\Windows\System\JusGQoc.exe
  C:\Windows\System\JusGQoc.exe
  2⤵
  PID:9036
- C:\Windows\System\XmaWvkD.exe
  C:\Windows\System\XmaWvkD.exe
  2⤵
  PID:9072
- C:\Windows\System\DqMDfhn.exe
  C:\Windows\System\DqMDfhn.exe
  2⤵
  PID:9096
- C:\Windows\System\ssSaHEG.exe
  C:\Windows\System\ssSaHEG.exe
  2⤵
  PID:9136
- C:\Windows\System\xxsfGqW.exe
  C:\Windows\System\xxsfGqW.exe
  2⤵
  PID:9168
- C:\Windows\System\NkeDZZk.exe
  C:\Windows\System\NkeDZZk.exe
  2⤵
  PID:9204
- C:\Windows\System\HxTctdc.exe
  C:\Windows\System\HxTctdc.exe
  2⤵
  PID:5856
- C:\Windows\System\CWsmQDJ.exe
  C:\Windows\System\CWsmQDJ.exe
  2⤵
  PID:6032
- C:\Windows\System\yJALPwl.exe
  C:\Windows\System\yJALPwl.exe
  2⤵
  PID:5172
- C:\Windows\System\MdpbjyQ.exe
  C:\Windows\System\MdpbjyQ.exe
  2⤵
  PID:6896
- C:\Windows\System\DzjPgMR.exe
  C:\Windows\System\DzjPgMR.exe
  2⤵
  PID:9460
- C:\Windows\System\auBrZkt.exe
  C:\Windows\System\auBrZkt.exe
  2⤵
  PID:9508
- C:\Windows\System\OXUGgjB.exe
  C:\Windows\System\OXUGgjB.exe
  2⤵
  PID:10212
- C:\Windows\System\ugAcDxl.exe
  C:\Windows\System\ugAcDxl.exe
  2⤵
  PID:10264
- C:\Windows\System\yZxJxzx.exe
  C:\Windows\System\yZxJxzx.exe
  2⤵
  PID:10280
- C:\Windows\System\AEsbOPV.exe
  C:\Windows\System\AEsbOPV.exe
  2⤵
  PID:10304
- C:\Windows\System\hJGpbvA.exe
  C:\Windows\System\hJGpbvA.exe
  2⤵
  PID:10328
- C:\Windows\System\xSJyRpw.exe
  C:\Windows\System\xSJyRpw.exe
  2⤵
  PID:10356
- C:\Windows\System\vqhBshw.exe
  C:\Windows\System\vqhBshw.exe
  2⤵
  PID:10372
- C:\Windows\System\meBxqGl.exe
  C:\Windows\System\meBxqGl.exe
  2⤵
  PID:10392
- C:\Windows\System\ujHCozK.exe
  C:\Windows\System\ujHCozK.exe
  2⤵
  PID:10420
- C:\Windows\System\BzQLIvH.exe
  C:\Windows\System\BzQLIvH.exe
  2⤵
  PID:10444
- C:\Windows\System\jLKuZsz.exe
  C:\Windows\System\jLKuZsz.exe
  2⤵
  PID:10464
- C:\Windows\System\gMFaWEt.exe
  C:\Windows\System\gMFaWEt.exe
  2⤵
  PID:10488
- C:\Windows\System\QnDBbqm.exe
  C:\Windows\System\QnDBbqm.exe
  2⤵
  PID:10508
- C:\Windows\System\mkMKUeH.exe
  C:\Windows\System\mkMKUeH.exe
  2⤵
  PID:10524
- C:\Windows\System\rHzbRhf.exe
  C:\Windows\System\rHzbRhf.exe
  2⤵
  PID:10548
- C:\Windows\System\ATQumFs.exe
  C:\Windows\System\ATQumFs.exe
  2⤵
  PID:10572
- C:\Windows\System\JyNMNCX.exe
  C:\Windows\System\JyNMNCX.exe
  2⤵
  PID:10612
- C:\Windows\System\KpLSzrO.exe
  C:\Windows\System\KpLSzrO.exe
  2⤵
  PID:10632
- C:\Windows\System\LDIXKKz.exe
  C:\Windows\System\LDIXKKz.exe
  2⤵
  PID:10656
- C:\Windows\System\tCgWNPe.exe
  C:\Windows\System\tCgWNPe.exe
  2⤵
  PID:10680
- C:\Windows\System\yunNejK.exe
  C:\Windows\System\yunNejK.exe
  2⤵
  PID:10700
- C:\Windows\System\kuOQMsH.exe
  C:\Windows\System\kuOQMsH.exe
  2⤵
  PID:10720
- C:\Windows\System\rXCfOwy.exe
  C:\Windows\System\rXCfOwy.exe
  2⤵
  PID:10744
- C:\Windows\System\VBiWptk.exe
  C:\Windows\System\VBiWptk.exe
  2⤵
  PID:10768
- C:\Windows\System\kXoBDLh.exe
  C:\Windows\System\kXoBDLh.exe
  2⤵
  PID:10792
- C:\Windows\System\blMquXj.exe
  C:\Windows\System\blMquXj.exe
  2⤵
  PID:10816
- C:\Windows\System\eDgkmft.exe
  C:\Windows\System\eDgkmft.exe
  2⤵
  PID:10840
- C:\Windows\System\GKmjoBt.exe
  C:\Windows\System\GKmjoBt.exe
  2⤵
  PID:10856
- C:\Windows\System\rlNSohx.exe
  C:\Windows\System\rlNSohx.exe
  2⤵
  PID:10880
- C:\Windows\System\zOiCXuk.exe
  C:\Windows\System\zOiCXuk.exe
  2⤵
  PID:10904
- C:\Windows\System\PvPyRaC.exe
  C:\Windows\System\PvPyRaC.exe
  2⤵
  PID:10924
- C:\Windows\System\RhYYlxW.exe
  C:\Windows\System\RhYYlxW.exe
  2⤵
  PID:10944
- C:\Windows\System\yNUOCfv.exe
  C:\Windows\System\yNUOCfv.exe
  2⤵
  PID:10968
- C:\Windows\System\ajNetak.exe
  C:\Windows\System\ajNetak.exe
  2⤵
  PID:10992
- C:\Windows\System\KjvWDuI.exe
  C:\Windows\System\KjvWDuI.exe
  2⤵
  PID:11012
- C:\Windows\System\dMwBfpL.exe
  C:\Windows\System\dMwBfpL.exe
  2⤵
  PID:11032
- C:\Windows\System\VJGMTUk.exe
  C:\Windows\System\VJGMTUk.exe
  2⤵
  PID:11056
- C:\Windows\System\qiTLBnc.exe
  C:\Windows\System\qiTLBnc.exe
  2⤵
  PID:11076
- C:\Windows\System\OJsSSsL.exe
  C:\Windows\System\OJsSSsL.exe
  2⤵
  PID:11096
- C:\Windows\System\JkZvWsn.exe
  C:\Windows\System\JkZvWsn.exe
  2⤵
  PID:11120
- C:\Windows\System\tgKRMpO.exe
  C:\Windows\System\tgKRMpO.exe
  2⤵
  PID:11144
- C:\Windows\System\jlHArsA.exe
  C:\Windows\System\jlHArsA.exe
  2⤵
  PID:11160
- C:\Windows\System\oGKsMdJ.exe
  C:\Windows\System\oGKsMdJ.exe
  2⤵
  PID:11180
- C:\Windows\System\MmeYBWp.exe
  C:\Windows\System\MmeYBWp.exe
  2⤵
  PID:11200
- C:\Windows\System\AzwGuzY.exe
  C:\Windows\System\AzwGuzY.exe
  2⤵
  PID:11232
- C:\Windows\System\WIcbwLv.exe
  C:\Windows\System\WIcbwLv.exe
  2⤵
  PID:11248
- C:\Windows\System\TKRYxHg.exe
  C:\Windows\System\TKRYxHg.exe
  2⤵
  PID:4656
- C:\Windows\System\ZWynbop.exe
  C:\Windows\System\ZWynbop.exe
  2⤵
  PID:3936
- C:\Windows\System\PTbFpYc.exe
  C:\Windows\System\PTbFpYc.exe
  2⤵
  PID:9596
- C:\Windows\System\kGYieFR.exe
  C:\Windows\System\kGYieFR.exe
  2⤵
  PID:6104
- C:\Windows\System\KtrBHPU.exe
  C:\Windows\System\KtrBHPU.exe
  2⤵
  PID:6444
- C:\Windows\System\GkYpuAY.exe
  C:\Windows\System\GkYpuAY.exe
  2⤵
  PID:4516
- C:\Windows\System\mWAhAvU.exe
  C:\Windows\System\mWAhAvU.exe
  2⤵
  PID:8272
- C:\Windows\System\yoEUcHV.exe
  C:\Windows\System\yoEUcHV.exe
  2⤵
  PID:7964
- C:\Windows\System\hzrmGWs.exe
  C:\Windows\System\hzrmGWs.exe
  2⤵
  PID:9616
- C:\Windows\System\OwzomRR.exe
  C:\Windows\System\OwzomRR.exe
  2⤵
  PID:8688
- C:\Windows\System\VoEaQjC.exe
  C:\Windows\System\VoEaQjC.exe
  2⤵
  PID:7176
- C:\Windows\System\ypkdpcX.exe
  C:\Windows\System\ypkdpcX.exe
  2⤵
  PID:11280
- C:\Windows\System\ANYBKFD.exe
  C:\Windows\System\ANYBKFD.exe
  2⤵
  PID:11296
- C:\Windows\System\UZkBUik.exe
  C:\Windows\System\UZkBUik.exe
  2⤵
  PID:11312
- C:\Windows\System\DgkzLoh.exe
  C:\Windows\System\DgkzLoh.exe
  2⤵
  PID:11332
- C:\Windows\System\cqmVlta.exe
  C:\Windows\System\cqmVlta.exe
  2⤵
  PID:11348
- C:\Windows\System\ENGIGRR.exe
  C:\Windows\System\ENGIGRR.exe
  2⤵
  PID:11368
- C:\Windows\System\DqMIycr.exe
  C:\Windows\System\DqMIycr.exe
  2⤵
  PID:11392
- C:\Windows\System\TGeaiPV.exe
  C:\Windows\System\TGeaiPV.exe
  2⤵
  PID:11416
- C:\Windows\System\bzuAnFF.exe
  C:\Windows\System\bzuAnFF.exe
  2⤵
  PID:11436
- C:\Windows\System\drmLWMG.exe
  C:\Windows\System\drmLWMG.exe
  2⤵
  PID:11476
- C:\Windows\System\VPDOXwp.exe
  C:\Windows\System\VPDOXwp.exe
  2⤵
  PID:11496
- C:\Windows\System\VvcsJMt.exe
  C:\Windows\System\VvcsJMt.exe
  2⤵
  PID:11516
- C:\Windows\System\VCnwrWo.exe
  C:\Windows\System\VCnwrWo.exe
  2⤵
  PID:11540
- C:\Windows\System\KgyEPMv.exe
  C:\Windows\System\KgyEPMv.exe
  2⤵
  PID:11564
- C:\Windows\System\GCnZKZv.exe
  C:\Windows\System\GCnZKZv.exe
  2⤵
  PID:11584
- C:\Windows\System\dWstXwO.exe
  C:\Windows\System\dWstXwO.exe
  2⤵
  PID:11608
- C:\Windows\System\PsWnTKA.exe
  C:\Windows\System\PsWnTKA.exe
  2⤵
  PID:11628
- C:\Windows\System\zmQfLTK.exe
  C:\Windows\System\zmQfLTK.exe
  2⤵
  PID:11648
- C:\Windows\System\LEkEVdy.exe
  C:\Windows\System\LEkEVdy.exe
  2⤵
  PID:11680
- C:\Windows\System\tKxNBto.exe
  C:\Windows\System\tKxNBto.exe
  2⤵
  PID:11704
- C:\Windows\System\dsnVbps.exe
  C:\Windows\System\dsnVbps.exe
  2⤵
  PID:11728
- C:\Windows\System\JRQOuaT.exe
  C:\Windows\System\JRQOuaT.exe
  2⤵
  PID:11744
- C:\Windows\System\GIThDuE.exe
  C:\Windows\System\GIThDuE.exe
  2⤵
  PID:11764
- C:\Windows\System\GWBdtcP.exe
  C:\Windows\System\GWBdtcP.exe
  2⤵
  PID:11784
- C:\Windows\System\tRhRfVE.exe
  C:\Windows\System\tRhRfVE.exe
  2⤵
  PID:11808
- C:\Windows\System\EHNQQtb.exe
  C:\Windows\System\EHNQQtb.exe
  2⤵
  PID:11832
- C:\Windows\System\KGhMdWq.exe
  C:\Windows\System\KGhMdWq.exe
  2⤵
  PID:11848
- C:\Windows\System\MwUQPRx.exe
  C:\Windows\System\MwUQPRx.exe
  2⤵
  PID:11872
- C:\Windows\System\cbaQfrU.exe
  C:\Windows\System\cbaQfrU.exe
  2⤵
  PID:11896
- C:\Windows\System\JpotaTE.exe
  C:\Windows\System\JpotaTE.exe
  2⤵
  PID:11920
- C:\Windows\System\GkyKwoH.exe
  C:\Windows\System\GkyKwoH.exe
  2⤵
  PID:11940
- C:\Windows\System\ITcPtXS.exe
  C:\Windows\System\ITcPtXS.exe
  2⤵
  PID:11964
- C:\Windows\System\sIzZjJo.exe
  C:\Windows\System\sIzZjJo.exe
  2⤵
  PID:11984
- C:\Windows\System\zqmSUrm.exe
  C:\Windows\System\zqmSUrm.exe
  2⤵
  PID:12008
- C:\Windows\System\cuyakyh.exe
  C:\Windows\System\cuyakyh.exe
  2⤵
  PID:12024
- C:\Windows\System\epIJTGa.exe
  C:\Windows\System\epIJTGa.exe
  2⤵
  PID:12048
- C:\Windows\System\fcvLOUy.exe
  C:\Windows\System\fcvLOUy.exe
  2⤵
  PID:12076
- C:\Windows\System\SkFNuul.exe
  C:\Windows\System\SkFNuul.exe
  2⤵
  PID:12092
- C:\Windows\System\mQICHBq.exe
  C:\Windows\System\mQICHBq.exe
  2⤵
  PID:8812
- C:\Windows\System\wARzDUO.exe
  C:\Windows\System\wARzDUO.exe
  2⤵
  PID:1952
- C:\Windows\System\BXGxwwc.exe
  C:\Windows\System\BXGxwwc.exe
  2⤵
  PID:9804
- C:\Windows\System\XSbjYoN.exe
  C:\Windows\System\XSbjYoN.exe
  2⤵
  PID:9964
- C:\Windows\System\XeZCbaF.exe
  C:\Windows\System\XeZCbaF.exe
  2⤵
  PID:10036
- C:\Windows\System\FxUTidC.exe
  C:\Windows\System\FxUTidC.exe
  2⤵
  PID:10076
- C:\Windows\System\EGcHxVL.exe
  C:\Windows\System\EGcHxVL.exe
  2⤵
  PID:10132
- C:\Windows\System\tomPpSf.exe
  C:\Windows\System\tomPpSf.exe
  2⤵
  PID:5048
- C:\Windows\System\AJmNFkl.exe
  C:\Windows\System\AJmNFkl.exe
  2⤵
  PID:11536
- C:\Windows\System\AAQwoJu.exe
  C:\Windows\System\AAQwoJu.exe
  2⤵
  PID:11592
- C:\Windows\System\pAFxcvP.exe
  C:\Windows\System\pAFxcvP.exe
  2⤵
  PID:11624
- C:\Windows\System\ECZZAvO.exe
  C:\Windows\System\ECZZAvO.exe
  2⤵
  PID:11644
- C:\Windows\System\WDsJItn.exe
  C:\Windows\System\WDsJItn.exe
  2⤵
  PID:11740
- C:\Windows\System\slNWcUy.exe
  C:\Windows\System\slNWcUy.exe
  2⤵
  PID:11792
- C:\Windows\System\gqTRIRd.exe
  C:\Windows\System\gqTRIRd.exe
  2⤵
  PID:10236
- C:\Windows\System\iIpkopC.exe
  C:\Windows\System\iIpkopC.exe
  2⤵
  PID:10476
- C:\Windows\System\DpKzJUP.exe
  C:\Windows\System\DpKzJUP.exe
  2⤵
  PID:10496
- C:\Windows\System\yaqIoKP.exe
  C:\Windows\System\yaqIoKP.exe
  2⤵
  PID:10756
- C:\Windows\System\lDBjGcw.exe
  C:\Windows\System\lDBjGcw.exe
  2⤵
  PID:8284
- C:\Windows\System\qlcUVQU.exe
  C:\Windows\System\qlcUVQU.exe
  2⤵
  PID:8368
- C:\Windows\System\YrLYxPr.exe
  C:\Windows\System\YrLYxPr.exe
  2⤵
  PID:7552
- C:\Windows\System\UryOXQo.exe
  C:\Windows\System\UryOXQo.exe
  2⤵
  PID:8464
- C:\Windows\System\TEHaGBA.exe
  C:\Windows\System\TEHaGBA.exe
  2⤵
  PID:9444
- C:\Windows\System\meRluPz.exe
  C:\Windows\System\meRluPz.exe
  2⤵
  PID:8816
- C:\Windows\System\VUnDvBc.exe
  C:\Windows\System\VUnDvBc.exe
  2⤵
  PID:8924
- C:\Windows\System\wVcUzVE.exe
  C:\Windows\System\wVcUzVE.exe
  2⤵
  PID:9024
- C:\Windows\System\DapxzWm.exe
  C:\Windows\System\DapxzWm.exe
  2⤵
  PID:2028
- C:\Windows\System\ONiMiBS.exe
  C:\Windows\System\ONiMiBS.exe
  2⤵
  PID:9524
- C:\Windows\System\eukHkyd.exe
  C:\Windows\System\eukHkyd.exe
  2⤵
  PID:10368
- C:\Windows\System\FjltNby.exe
  C:\Windows\System\FjltNby.exe
  2⤵
  PID:11104
- C:\Windows\System\QxQmoxF.exe
  C:\Windows\System\QxQmoxF.exe
  2⤵
  PID:3240
- C:\Windows\System\BROANKG.exe
  C:\Windows\System\BROANKG.exe
  2⤵
  PID:11752
- C:\Windows\System\MXBKVvs.exe
  C:\Windows\System\MXBKVvs.exe
  2⤵
  PID:11572
- C:\Windows\System\IwZpBYC.exe
  C:\Windows\System\IwZpBYC.exe
  2⤵
  PID:11424
- C:\Windows\System\NzKKlfB.exe
  C:\Windows\System\NzKKlfB.exe
  2⤵
  PID:11320
- C:\Windows\System\UaufnUo.exe
  C:\Windows\System\UaufnUo.exe
  2⤵
  PID:9396
- C:\Windows\System\hMupCmr.exe
  C:\Windows\System\hMupCmr.exe
  2⤵
  PID:9304
- C:\Windows\System\iWnEmgx.exe
  C:\Windows\System\iWnEmgx.exe
  2⤵
  PID:12020
- C:\Windows\System\Npyylcq.exe
  C:\Windows\System\Npyylcq.exe
  2⤵
  PID:10716
- C:\Windows\System\gNAFWkf.exe
  C:\Windows\System\gNAFWkf.exe
  2⤵
  PID:10800
- C:\Windows\System\XUvHEHB.exe
  C:\Windows\System\XUvHEHB.exe
  2⤵
  PID:10900
- C:\Windows\System\iThUnTz.exe
  C:\Windows\System\iThUnTz.exe
  2⤵
  PID:10988
- C:\Windows\System\eRKlOtN.exe
  C:\Windows\System\eRKlOtN.exe
  2⤵
  PID:11004
- C:\Windows\System\wIktdBN.exe
  C:\Windows\System\wIktdBN.exe
  2⤵
  PID:11136
- C:\Windows\System\JLDVpCM.exe
  C:\Windows\System\JLDVpCM.exe
  2⤵
  PID:11256
- C:\Windows\System\sVVwWXC.exe
  C:\Windows\System\sVVwWXC.exe
  2⤵
  PID:11468
- C:\Windows\System\rXlbHCX.exe
  C:\Windows\System\rXlbHCX.exe
  2⤵
  PID:12296
- C:\Windows\System\hqignEh.exe
  C:\Windows\System\hqignEh.exe
  2⤵
  PID:12316
- C:\Windows\System\AxPhuab.exe
  C:\Windows\System\AxPhuab.exe
  2⤵
  PID:12340
- C:\Windows\System\aoKSnqN.exe
  C:\Windows\System\aoKSnqN.exe
  2⤵
  PID:12360
- C:\Windows\System\JaCJqxH.exe
  C:\Windows\System\JaCJqxH.exe
  2⤵
  PID:12380
- C:\Windows\System\ubCSCXP.exe
  C:\Windows\System\ubCSCXP.exe
  2⤵
  PID:12404
- C:\Windows\System\OMyBaZI.exe
  C:\Windows\System\OMyBaZI.exe
  2⤵
  PID:12420
- C:\Windows\System\OfviwKX.exe
  C:\Windows\System\OfviwKX.exe
  2⤵
  PID:12444
- C:\Windows\System\nHbfUSa.exe
  C:\Windows\System\nHbfUSa.exe
  2⤵
  PID:12460
- C:\Windows\System\amvoXnJ.exe
  C:\Windows\System\amvoXnJ.exe
  2⤵
  PID:12484
- C:\Windows\System\gJNcNJe.exe
  C:\Windows\System\gJNcNJe.exe
  2⤵
  PID:12508
- C:\Windows\System\byMUpPF.exe
  C:\Windows\System\byMUpPF.exe
  2⤵
  PID:12532
- C:\Windows\System\OTxOPCd.exe
  C:\Windows\System\OTxOPCd.exe
  2⤵
  PID:12560
- C:\Windows\System\iNdymKz.exe
  C:\Windows\System\iNdymKz.exe
  2⤵
  PID:12580
- C:\Windows\System\tlaMVcv.exe
  C:\Windows\System\tlaMVcv.exe
  2⤵
  PID:12604
- C:\Windows\System\nBcVhCb.exe
  C:\Windows\System\nBcVhCb.exe
  2⤵
  PID:12628
- C:\Windows\System\GFtlaiv.exe
  C:\Windows\System\GFtlaiv.exe
  2⤵
  PID:12648
- C:\Windows\System\kMWPUMx.exe
  C:\Windows\System\kMWPUMx.exe
  2⤵
  PID:12672
- C:\Windows\System\ETuxoUu.exe
  C:\Windows\System\ETuxoUu.exe
  2⤵
  PID:12696
- C:\Windows\System\KJlAlRG.exe
  C:\Windows\System\KJlAlRG.exe
  2⤵
  PID:12716
- C:\Windows\System\VSRfSQM.exe
  C:\Windows\System\VSRfSQM.exe
  2⤵
  PID:11064
- C:\Windows\System\HbNxfYe.exe
  C:\Windows\System\HbNxfYe.exe
  2⤵
  PID:11912
- C:\Windows\System\ICVsVwR.exe
  C:\Windows\System\ICVsVwR.exe
  2⤵
  PID:10012
- C:\Windows\System\OuqtzHM.exe
  C:\Windows\System\OuqtzHM.exe
  2⤵
  PID:10084
- C:\Windows\System\pKSMMXg.exe
  C:\Windows\System\pKSMMXg.exe
  2⤵
  PID:11512
- C:\Windows\System\JUzOlWm.exe
  C:\Windows\System\JUzOlWm.exe
  2⤵
  PID:11616
- C:\Windows\System\uuUcize.exe
  C:\Windows\System\uuUcize.exe
  2⤵
  PID:11776
- C:\Windows\System\IMhCTGe.exe
  C:\Windows\System\IMhCTGe.exe
  2⤵
  PID:10544
- C:\Windows\System\nzKPQJA.exe
  C:\Windows\System\nzKPQJA.exe
  2⤵
  PID:10220
- C:\Windows\System\mGDvwyJ.exe
  C:\Windows\System\mGDvwyJ.exe
  2⤵
  PID:2672
- C:\Windows\System\gmMZVoA.exe
  C:\Windows\System\gmMZVoA.exe
  2⤵
  PID:9468
- C:\Windows\System\ysnKMtQ.exe
  C:\Windows\System\ysnKMtQ.exe
  2⤵
  PID:12200
- C:\Windows\System\jTDWDmS.exe
  C:\Windows\System\jTDWDmS.exe
  2⤵
  PID:11376
- C:\Windows\System\JwHvgfz.exe
  C:\Windows\System\JwHvgfz.exe
  2⤵
  PID:208
- C:\Windows\System\pVVKYyi.exe
  C:\Windows\System\pVVKYyi.exe
  2⤵
  PID:10788
- C:\Windows\System\xZDhJqv.exe
  C:\Windows\System\xZDhJqv.exe
  2⤵
  PID:3852
- C:\Windows\System\ZyuXxkY.exe
  C:\Windows\System\ZyuXxkY.exe
  2⤵
  PID:12284
- C:\Windows\System\ICymeaX.exe
  C:\Windows\System\ICymeaX.exe
  2⤵
  PID:7492
- C:\Windows\System\xzJAxiJ.exe
  C:\Windows\System\xzJAxiJ.exe
  2⤵
  PID:7756
- C:\Windows\System\FICpgbO.exe
  C:\Windows\System\FICpgbO.exe
  2⤵
  PID:6520
- C:\Windows\System\iEhmcpU.exe
  C:\Windows\System\iEhmcpU.exe
  2⤵
  PID:10804
- C:\Windows\System\sMVwZdG.exe
  C:\Windows\System\sMVwZdG.exe
  2⤵
  PID:11000
- C:\Windows\System\NZRnPme.exe
  C:\Windows\System\NZRnPme.exe
  2⤵
  PID:1064
- C:\Windows\System\gNEUTJK.exe
  C:\Windows\System\gNEUTJK.exe
  2⤵
  PID:12600
- C:\Windows\System\lDLOmor.exe
  C:\Windows\System\lDLOmor.exe
  2⤵
  PID:12692
- C:\Windows\System\upsfsgS.exe
  C:\Windows\System\upsfsgS.exe
  2⤵
  PID:12748
- C:\Windows\System\MNHrYGr.exe
  C:\Windows\System\MNHrYGr.exe
  2⤵
  PID:12796
- C:\Windows\System\BsIVYrr.exe
  C:\Windows\System\BsIVYrr.exe
  2⤵
  PID:11908
- C:\Windows\System\RuebdNQ.exe
  C:\Windows\System\RuebdNQ.exe
  2⤵
  PID:4072
- C:\Windows\System\WcXaMbV.exe
  C:\Windows\System\WcXaMbV.exe
  2⤵
  PID:12932
- C:\Windows\System\XzPfpog.exe
  C:\Windows\System\XzPfpog.exe
  2⤵
  PID:13132
- C:\Windows\System\IWaVMsw.exe
  C:\Windows\System\IWaVMsw.exe
  2⤵
  PID:12552
- C:\Windows\System\wPSLyUq.exe
  C:\Windows\System\wPSLyUq.exe
  2⤵
  PID:12520
- C:\Windows\System\nTSkJDw.exe
  C:\Windows\System\nTSkJDw.exe
  2⤵
  PID:12476
- C:\Windows\System\bqzjgEw.exe
  C:\Windows\System\bqzjgEw.exe
  2⤵
  PID:12428
- C:\Windows\System\DXvJHrw.exe
  C:\Windows\System\DXvJHrw.exe
  2⤵
  PID:12352
- C:\Windows\System\rcNWwHc.exe
  C:\Windows\System\rcNWwHc.exe
  2⤵
  PID:12304
- C:\Windows\System\qmsJcFy.exe
  C:\Windows\System\qmsJcFy.exe
  2⤵
  PID:11224
- C:\Windows\System\SootKru.exe
  C:\Windows\System\SootKru.exe
  2⤵
  PID:10964
- C:\Windows\System\JsSnkct.exe
  C:\Windows\System\JsSnkct.exe
  2⤵
  PID:10832
- C:\Windows\System\BuJDzbw.exe
  C:\Windows\System\BuJDzbw.exe
  2⤵
  PID:2724
- C:\Windows\System\DazYUXS.exe
  C:\Windows\System\DazYUXS.exe
  2⤵
  PID:10752
- C:\Windows\System\mXzfUuL.exe
  C:\Windows\System\mXzfUuL.exe
  2⤵
  PID:12952
- C:\Windows\System\QPHnbhP.exe
  C:\Windows\System\QPHnbhP.exe
  2⤵
  PID:1016
- C:\Windows\System\PdhbQlF.exe
  C:\Windows\System\PdhbQlF.exe
  2⤵
  PID:10688
- C:\Windows\System\iMkfJpp.exe
  C:\Windows\System\iMkfJpp.exe
  2⤵
  PID:10608
- C:\Windows\System\cwNLvjf.exe
  C:\Windows\System\cwNLvjf.exe
  2⤵
  PID:10272
- C:\Windows\System\bLPUOwT.exe
  C:\Windows\System\bLPUOwT.exe
  2⤵
  PID:12852
- C:\Windows\System\xyvpHqD.exe
  C:\Windows\System\xyvpHqD.exe
  2⤵
  PID:4644
- C:\Windows\System\qzXJXBi.exe
  C:\Windows\System\qzXJXBi.exe
  2⤵
  PID:9776
- C:\Windows\System\sIusXfq.exe
  C:\Windows\System\sIusXfq.exe
  2⤵
  PID:7612
- C:\Windows\System\fLWKpZw.exe
  C:\Windows\System\fLWKpZw.exe
  2⤵
  PID:11532
- C:\Windows\System\uaEZNcJ.exe
  C:\Windows\System\uaEZNcJ.exe
  2⤵
  PID:3096
- C:\Windows\System\kFJcFBo.exe
  C:\Windows\System\kFJcFBo.exe
  2⤵
  PID:12572
- C:\Windows\System\mBKjHjH.exe
  C:\Windows\System\mBKjHjH.exe
  2⤵
  PID:5044
- C:\Windows\System\cCZsOhN.exe
  C:\Windows\System\cCZsOhN.exe
  2⤵
  PID:3300
- C:\Windows\System\wHWecmf.exe
  C:\Windows\System\wHWecmf.exe
  2⤵
  PID:13068
- C:\Windows\System\INQPOXq.exe
  C:\Windows\System\INQPOXq.exe
  2⤵
  PID:12888
- C:\Windows\System\lxxXOEu.exe
  C:\Windows\System\lxxXOEu.exe
  2⤵
  PID:4216
- C:\Windows\System\EheoWHe.exe
  C:\Windows\System\EheoWHe.exe
  2⤵
  PID:12668
- C:\Windows\System\gqQoQwg.exe
  C:\Windows\System\gqQoQwg.exe
  2⤵
  PID:944
- C:\Windows\System\ZucpDLT.exe
  C:\Windows\System\ZucpDLT.exe
  2⤵
  PID:376
- C:\Windows\System\pBabudA.exe
  C:\Windows\System\pBabudA.exe
  2⤵
  PID:12332
- C:\Windows\System\PBCTzcr.exe
  C:\Windows\System\PBCTzcr.exe
  2⤵
  PID:5996
- C:\Windows\System\cTFYIBr.exe
  C:\Windows\System\cTFYIBr.exe
  2⤵
  PID:10912
- C:\Windows\System\zAjhBEa.exe
  C:\Windows\System\zAjhBEa.exe
  2⤵
  PID:12540
- C:\Windows\System\HyKOYyu.exe
  C:\Windows\System\HyKOYyu.exe
  2⤵
  PID:13000
- C:\Windows\System\yrEsFbS.exe
  C:\Windows\System\yrEsFbS.exe
  2⤵
  PID:13116
- C:\Windows\System\neHlskg.exe
  C:\Windows\System\neHlskg.exe
  2⤵
  PID:2860
- C:\Windows\System\ejhaEMx.exe
  C:\Windows\System\ejhaEMx.exe
  2⤵
  PID:13140
- C:\Windows\System\wQAPNUJ.exe
  C:\Windows\System\wQAPNUJ.exe
  2⤵
  PID:12376
- C:\Windows\System\JGlRBOM.exe
  C:\Windows\System\JGlRBOM.exe
  2⤵
  PID:11020
- C:\Windows\System\ZoWFroe.exe
  C:\Windows\System\ZoWFroe.exe
  2⤵
  PID:12348
- C:\Windows\System\pNaiQao.exe
  C:\Windows\System\pNaiQao.exe
  2⤵
  PID:4004
- C:\Windows\System\nqWSqTV.exe
  C:\Windows\System\nqWSqTV.exe
  2⤵
  PID:11324
- C:\Windows\System\JdaUKMk.exe
  C:\Windows\System\JdaUKMk.exe
  2⤵
  PID:1492
- C:\Windows\System\xwpjnTH.exe
  C:\Windows\System\xwpjnTH.exe
  2⤵
  PID:12388
- C:\Windows\System\rzXCiYR.exe
  C:\Windows\System\rzXCiYR.exe
  2⤵
  PID:10864
- C:\Windows\System\MquLTBK.exe
  C:\Windows\System\MquLTBK.exe
  2⤵
  PID:12988
- C:\Windows\System\oSxjCnH.exe
  C:\Windows\System\oSxjCnH.exe
  2⤵
  PID:12256
- C:\Windows\System\SujJIyR.exe
  C:\Windows\System\SujJIyR.exe
  2⤵
  PID:12440
- C:\Windows\System\DwaUXyC.exe
  C:\Windows\System\DwaUXyC.exe
  2⤵
  PID:13200
- C:\Windows\System\ifsUxlX.exe
  C:\Windows\System\ifsUxlX.exe
  2⤵
  PID:13248
- C:\Windows\System\SeVaQZQ.exe
  C:\Windows\System\SeVaQZQ.exe
  2⤵
  PID:3472
- C:\Windows\System\LoFCRSQ.exe
  C:\Windows\System\LoFCRSQ.exe
  2⤵
  PID:452
- C:\Windows\System\BduFRlf.exe
  C:\Windows\System\BduFRlf.exe
  2⤵
  PID:5300
- C:\Windows\System\kMdaiby.exe
  C:\Windows\System\kMdaiby.exe
  2⤵
  PID:3492
- C:\Windows\System\PNcJkyA.exe
  C:\Windows\System\PNcJkyA.exe
  2⤵
  PID:4384
- C:\Windows\System\dOrastp.exe
  C:\Windows\System\dOrastp.exe
  2⤵
  PID:3432
- C:\Windows\System\RsLIqBg.exe
  C:\Windows\System\RsLIqBg.exe
  2⤵
  PID:13088
- C:\Windows\System\RelZyyS.exe
  C:\Windows\System\RelZyyS.exe
  2⤵
  PID:5376
- C:\Windows\System\eArcNyA.exe
  C:\Windows\System\eArcNyA.exe
  2⤵
  PID:4992
- C:\Windows\System\ChumHEL.exe
  C:\Windows\System\ChumHEL.exe
  2⤵
  PID:5688
- C:\Windows\System\ktfDXNx.exe
  C:\Windows\System\ktfDXNx.exe
  2⤵
  PID:4756
- C:\Windows\System\kpMexAg.exe
  C:\Windows\System\kpMexAg.exe
  2⤵
  PID:11344
- C:\Windows\System\mPROSLI.exe
  C:\Windows\System\mPROSLI.exe
  2⤵
  PID:4264
- C:\Windows\System\EIvLVZZ.exe
  C:\Windows\System\EIvLVZZ.exe
  2⤵
  PID:13280
- C:\Windows\System\RhHChMx.exe
  C:\Windows\System\RhHChMx.exe
  2⤵
  PID:9484
- C:\Windows\System\UyXVZha.exe
  C:\Windows\System\UyXVZha.exe
  2⤵
  PID:2032
- C:\Windows\System\pTHCZJP.exe
  C:\Windows\System\pTHCZJP.exe
  2⤵
  PID:11156
- C:\Windows\System\FTMrXAt.exe
  C:\Windows\System\FTMrXAt.exe
  2⤵
  PID:1628
- C:\Windows\System\YpdsOzC.exe
  C:\Windows\System\YpdsOzC.exe
  2⤵
  PID:13288
- C:\Windows\System\wnmawtw.exe
  C:\Windows\System\wnmawtw.exe
  2⤵
  PID:7112
- C:\Windows\System\FvdikmQ.exe
  C:\Windows\System\FvdikmQ.exe
  2⤵
  PID:7164
- C:\Windows\System\DTIrOMM.exe
  C:\Windows\System\DTIrOMM.exe
  2⤵
  PID:7136
- C:\Windows\System\xfGWEns.exe
  C:\Windows\System\xfGWEns.exe
  2⤵
  PID:13156
- C:\Windows\System\gxGfCKc.exe
  C:\Windows\System\gxGfCKc.exe
  2⤵
  PID:11936
- C:\Windows\System\MvjEmmK.exe
  C:\Windows\System\MvjEmmK.exe
  2⤵
  PID:12228
- C:\Windows\System\gdGVTKY.exe
  C:\Windows\System\gdGVTKY.exe
  2⤵
  PID:3196
- C:\Windows\System\loRtBDa.exe
  C:\Windows\System\loRtBDa.exe
  2⤵
  PID:2044
- C:\Windows\System\MAsMUPa.exe
  C:\Windows\System\MAsMUPa.exe
  2⤵
  PID:844
- C:\Windows\System\HLxbzmG.exe
  C:\Windows\System\HLxbzmG.exe
  2⤵
  PID:12456
- C:\Windows\System\wjLPsMZ.exe
  C:\Windows\System\wjLPsMZ.exe
  2⤵
  PID:1344
- C:\Windows\System\TvKQrRI.exe
  C:\Windows\System\TvKQrRI.exe
  2⤵
  PID:2960
- C:\Windows\System\ZMOKwiv.exe
  C:\Windows\System\ZMOKwiv.exe
  2⤵
  PID:720
- C:\Windows\System\wmYiknQ.exe
  C:\Windows\System\wmYiknQ.exe
  2⤵
  PID:4188
- C:\Windows\System\ciyvokV.exe
  C:\Windows\System\ciyvokV.exe
  2⤵
  PID:4268
- C:\Windows\System\pLuHxgr.exe
  C:\Windows\System\pLuHxgr.exe
  2⤵
  PID:13276
- C:\Windows\System\dUSmhjT.exe
  C:\Windows\System\dUSmhjT.exe
  2⤵
  PID:1132
- C:\Windows\System\sHxjDba.exe
  C:\Windows\System\sHxjDba.exe
  2⤵
  PID:3744
- C:\Windows\System\ZAjtVgF.exe
  C:\Windows\System\ZAjtVgF.exe
  2⤵
  PID:784
- C:\Windows\System\vlMBMfF.exe
  C:\Windows\System\vlMBMfF.exe
  2⤵
  PID:4208
- C:\Windows\System\uJibQxK.exe
  C:\Windows\System\uJibQxK.exe
  2⤵
  PID:4260
- C:\Windows\System\fSxnLQP.exe
  C:\Windows\System\fSxnLQP.exe
  2⤵
  PID:2320
- C:\Windows\System\AXQPdcU.exe
  C:\Windows\System\AXQPdcU.exe
  2⤵
  PID:1172
- C:\Windows\System\dlZtEBv.exe
  C:\Windows\System\dlZtEBv.exe
  2⤵
  PID:10596
- C:\Windows\System\ESrDJsh.exe
  C:\Windows\System\ESrDJsh.exe
  2⤵
  PID:7128
- C:\Windows\System\aiJDEBA.exe
  C:\Windows\System\aiJDEBA.exe
  2⤵
  PID:2808
- C:\Windows\System\hlUAkfe.exe
  C:\Windows\System\hlUAkfe.exe
  2⤵
  PID:4204
- C:\Windows\System\yxHByVV.exe
  C:\Windows\System\yxHByVV.exe
  2⤵
  PID:1208
- C:\Windows\System\QacVOMs.exe
  C:\Windows\System\QacVOMs.exe
  2⤵
  PID:1116

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 688 -p 12796 -ip 12796
1⤵
PID:12256

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:4808

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:10584

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:13040

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:12456

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:7140

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:7116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:4024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:9744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frpnsajt.w2c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AFvLlBk.exe

Filesize
1.7MB

MD5
c931da9cb04afcace73685d53bc24fcd

SHA1
a7d88ed9f147a60711b52e95b16397b66f30236b

SHA256
1d15ffe45255480df120540c369a52b1132720cea61893269ec9b6329157a2a6

SHA512
0f57c46b67ab89269520995bf0d5f18672b5df31ea55a2e88bc6ce54fc45dedd13255700ea17a3a8d79a8ec5612f1fb9f90df1b10117c3a75d9e07b25ae44202

Download Submit
C:\Windows\System\AmtOhSV.exe

Filesize
1.7MB

MD5
bc7206d41bc7a8bde04947af1586d5cc

SHA1
1da1845e98f34b5269eda62f6c7a2ca89cdeca64

SHA256
9f9ce01efe00fb5da52deaca09aeb75c5daec4254f0821f32a274ba547dbd8be

SHA512
8de76e16f58cccbab7318f6cfc7dfe3fd1b213684446f8c5146e0d79e67da97363ae9c40a596493cf9cc5555e1b6d6b32173b2d3ca7a7daf970eac62a8b865e2

Download Submit
C:\Windows\System\BRuKWsO.exe

Filesize
1.7MB

MD5
7db2db1c7088d62fd71b6ce24f0003a5

SHA1
a85c2751e47fd901cc0035659c96d94b89d58ea2

SHA256
0201887ced5a353ab287dc08e402b3f03a2eea21315b7379bff378a830d3fe97

SHA512
067250c5560de3b5492b2aba040a03824d29547550ae07dbf0e32e13ea36e5e76dee8120abee76ff885aae582c201951b47f258249e06319e8ab40c9d7d7d3c9

Download Submit
C:\Windows\System\DJcxteQ.exe

Filesize
1.7MB

MD5
ac7b1514e24c4cee6ecedba1aa08297b

SHA1
7edc97fe777a7a92374a335c420e49abfbd9b8ac

SHA256
637947f4f1b3ceefd6940e4f8bd804eae5b1e7025104f1fbd15feb4df1ce8e59

SHA512
173a3d2afc66923b9f8b13bb1010817280268492f376eeac7255dc87f5c731a8f8abb767be8901229918d99f92355fdd9bb7c21af5d151386b62d25b007bb8a0

Download Submit
C:\Windows\System\FzeDPwd.exe

Filesize
1.7MB

MD5
2c8bb6e900ce3e2aa03786842432767b

SHA1
5fa6dbd46705ed343eefb53c331adf5ead8df76b

SHA256
8bf3ee5faec34e1a4f3a5e8303b94524384cf4f836d557f2e1b8db265fddd9a1

SHA512
6e19ccff43d6dbce6c0a32e42d1affb64aa0ab3ba1b7d95ed5ea36ea81745ccfef5d69ece42d0d3b1d054f6e6668e3095302a9e9251e53965546eb8579f3651a

Download Submit
C:\Windows\System\HKOwcGL.exe

Filesize
1.7MB

MD5
74d1d789c9d399c61a9f8eab7de8e78c

SHA1
a1bd534a579c1cb90a3b0adc1aef9695b4eb03f0

SHA256
86af18615a8f3c65490a8034f5294a3f750609e06ef6d753f3de632abf766a3e

SHA512
46f7f2f65c3d9538127640dd10b06cea1b650cbe4664b9a1511abc5d42f408a705d4a04b873f5b3249bb1ab04cef64a5d53eba2a46c1525626d2f874eff19e8a

Download Submit
C:\Windows\System\HeJrMrO.exe

Filesize
1.7MB

MD5
83d8b5e81389d7a6997d296a2f3f3f76

SHA1
13ed3ffc66c7555b7de0c1965e991f5d5bca88d6

SHA256
6b44b1006d7895443cc53ce486744d96dedad1e0d04c4b9e4c602cff92bd6f39

SHA512
b5d7e646c4c6613181b5605d50fee2739040e036a83e94c3ac11fd2dafafd95aeac428d6cf973abf3f5e3045230922fb771dcfb8237a666546704edfb6714d78

Download Submit
C:\Windows\System\JcOQskT.exe

Filesize
1.7MB

MD5
ee81c8f9395ca7ba8a3f4e5edb5a1a2d

SHA1
8822155132f09dcfe7e523b4323a4941b71f6825

SHA256
4e0e9ab6e46461ccfcf5603c5edf49a352b4a9b52a9860fa4c0684ec357af94c

SHA512
ecc2c07ea9002af708189a37e671ec6eb84540917af0eb39ca2532ac9186b324cdc490525ca6cc6128282e2cf83b69ff60300fb1d98453f75ea21a7aa56895c8

Download Submit
C:\Windows\System\JxcMYLM.exe

Filesize
1.7MB

MD5
443734a711eb1184983ab2de5971fdde

SHA1
40f87af9def2db3f3d70be3ba7b075947eb58261

SHA256
4924aa637cdc7710eb3b8bdc769583bddf6e77cb96bea6eb6f1578b1ec1e2d30

SHA512
942e4015742a0385a6659abecd39deb993ab0c488a4dec0ae5b37cbec2e0d278f59c86ecf46ddbb958a906a367a85c24f5bbc7482e7dcb14df4f7e695e556f7e

Download Submit
C:\Windows\System\MfOWkGH.exe

Filesize
1.7MB

MD5
54e8eaaa6518970d0abb59009d4efd6b

SHA1
7acbb21b1d55213e1e92e0d8456fb5e0d6fbd7db

SHA256
751b9a3d9e7ebaab1895476ba9703e993c3685f41bede20f8729583392a4da05

SHA512
71ee9de3112c68bada24c26f669a3c1f918f6c8a9d57c2f1c69fbbecb62bcbc449dba71f9f06abcb8ccf4cf9c758b5174015a4484f1d8cb0fc570a284bfa1b59

Download Submit
C:\Windows\System\OMGOcPn.exe

Filesize
1.7MB

MD5
bc7a064c9740569ee6aafd9d60d58c52

SHA1
5ffc6b562be7f60bcc52faaf766399376ddba27d

SHA256
9b4e7440443dcf11e28261c19a65f01a78aebe7cad2773abf065dbaa896d8f61

SHA512
14b865234870661d9656bdc454781c12aba7717cd702e9984acbf45a4cb840170fcb9db2113aaffe5124fe236e6f67e68fbc5616f05f8b7ac6c0c7f25730ce83

Download Submit
C:\Windows\System\OVBWHGh.exe

Filesize
1.7MB

MD5
851bf4ff3fcad8068cd0d407cd8ef25a

SHA1
d3542a7154c4edfe7fbc9b74bddfb81ab20f6829

SHA256
cf01f1c7a8db2b95956536b488a741551d29487cff991e0f4d0e54a58e124345

SHA512
629328128f9e81f3db3489dcaeca3af37e4d3efc696763f521eed4f5c404814e4548d31a79ed570d304ef0d17b02f0eeb4d533ae4095d06103ca7ef91630539d

Download Submit
C:\Windows\System\PdJyNfu.exe

Filesize
1.7MB

MD5
41052ea222f63a0e1fb7c5caed0f1c99

SHA1
b40796716415b082600b045e79e926968c937c13

SHA256
4a1293825ccdd38a1196013ea2491a06811d9acfde2f9a898fa3cd8863429ea3

SHA512
903eba33449c5b81e21ace1092363a7d545c56f76648b48039332b350195b7b4310c800ba0f8507137f813db9363a00d01697c70b75d1fde293af17e6f848602

Download Submit
C:\Windows\System\RPGRjuC.exe

Filesize
1.7MB

MD5
67a11832fab2c0907caababe1e4e4e8f

SHA1
bb5a2912404eac6c4507cc0cbe0d3b2fa8b6dd9b

SHA256
89e55fc399cf80caeb632dc0020f0ec207bd8299c5e5c8e58a687991c8b2395c

SHA512
5eeab072dae5a143511c3167cbffd9919d6c3a1c4d4330c5f4536d21e05d4d86ac96e391a7f32ea7ae4dcea4542f9e94d59e1cab3af1623d9aaa3f354bdefe86

Download Submit
C:\Windows\System\SKIhLyB.exe

Filesize
1.7MB

MD5
483ee20ac583aee54121dfc7de989bf7

SHA1
5e68e6e25578a886ec2cf58b277232145a9a1ddb

SHA256
d89a1ff29ff05df7ef1086253cc5773eaa7ccabdf5550c64b6030c878187b995

SHA512
9fb8807a974b68199f5305feb575cbfc3594a4ecb0537abaf88d1352a496b292f5031fd5ab9768e922fb3102a93c554ca7ea6e2ed3d9ecad6a8a4ac7da89485a

Download Submit
C:\Windows\System\UvjDSKX.exe

Filesize
1.7MB

MD5
5fbba4db47111b471dd69d271844602b

SHA1
8c2fe0ee106ef770954a158df1118ba9c1aaa6e6

SHA256
82bc2fe622e1308e058946873d5d7cc9ec479363ba67f72e5d75ed3a4a30988b

SHA512
e7c1539b13672a8e20f91fa5fc1fab5c5f98f9891f42a9f639b9787c7c9dc1bed232ebdcf8f4e865d4ad08d43d8e4b4321144cb5b2c646164a7176b91a99688e

Download Submit
C:\Windows\System\UwRIKfI.exe

Filesize
1.7MB

MD5
753c7af58398a486e9e6c5bdd92c41e7

SHA1
1d7dea981d0aa2cb20834669f1783afe1c36d1a9

SHA256
2fc5a17fab8a8f77b68d217c6d99631ce7ea6bf78985119fe1b405fab161d02d

SHA512
00fffb208fc0b68877b0767819af4a452934072f0ba5856ed22b7c242645219d9c0ef83e02aed86bcc6db435ee76032d5911b75e7feb98595612445f82d47d6f

Download Submit
C:\Windows\System\YZqeLpN.exe

Filesize
1.7MB

MD5
1a1d4e3089d6d40071af312ab2d6da08

SHA1
b5b80ea300ffabdb9fa2d376e206b3bd5dda5f28

SHA256
a8cac1c4b735d4a554a9274b682f9edebae302ce8c4774af81968b865a5ed51e

SHA512
4192eabf364b78e3f391ebc0e8ee60b3a786e26222648bf49b4964ff06ba43586c46803712e9169f932bed3ed1c0dc76f1814b3c567c0f055152f03141a40255

Download Submit
C:\Windows\System\ZInSEMK.exe

Filesize
1.7MB

MD5
558cd3087b0e9ec43f2cdad8f59d6feb

SHA1
c526e78f30c99a8f6e5faed632e3c730ec6e97bc

SHA256
1bb6000977de499c19597d4e5bd8204197361463a0ce0527e77847eedfc9af7f

SHA512
515c41f3ae3fc72904f565dd6aa2cb80de42ed1f4020506cd37e0b6460b874537455307075f79806d5f7c5e99a716301aba877c9ae24cc568e762d33b6b06468

Download Submit
C:\Windows\System\ZXerhhn.exe

Filesize
1.7MB

MD5
d6f95cb8e28cd064d059ced7ee7713ed

SHA1
532da7c4cba96b5ec3dd1c4108d334c7282a2496

SHA256
a0e51202c874de8a048c7490b8b39ab9da7e47771296740019c51f696fd6e48a

SHA512
d4013e5eaf891824e20f479cb86d85eeb850a2e841940cef10c35e76d3befa0e7ba1b4642afe8c0186dcd97eebd1ecb74eb253d0f0d400eaab74028fb439a042

Download Submit
C:\Windows\System\aCqWLom.exe

Filesize
1.7MB

MD5
94119ef21e6df3667459c68294d28d90

SHA1
5fb480330e5421087dbc4b66f6c83e27806bfb64

SHA256
4c635c1150a522af3c710290fcabb138dc0f2cb93fc7e3337c1afa297b483d69

SHA512
ae295e231788a4d05c4f48ffbf45bf2e5fb24ce895cef707754067ec17c8621156507a8e9710a4aa3852ec9c8b470326f007178ca611bb565ef9290889ab3776

Download Submit
C:\Windows\System\bsXfTKx.exe

Filesize
1.7MB

MD5
2c5fb9297f9b8c3db821e649e86dd7f1

SHA1
3f3c0604cc3deac6a7401e8d3243bec1375325df

SHA256
5a9b1ce5fa9dd7f8b6662f486e8ea3ef9456705d8ac49bce121d385d03db9939

SHA512
c3e03e3a23a6999c65246d840bbaf40abb10c6479b39f5904eec90f6f01ba37b0f75dd83c1c18b2347b7a40a7b4196e8cd04eb7978aa1e55707b787f09d010a6

Download Submit
C:\Windows\System\cUCqrpe.exe

Filesize
1.7MB

MD5
d514c01e66a39972e27efc3fbb54cff6

SHA1
9f578977b6cf38bb48ad85892c7a381efa81abff

SHA256
54589b3c61b1fb1ba6521df78af636e2c48f78d2a29263a630df032be304c8ba

SHA512
2b19ed2e966168c1bebb2de8826406661f42afe5c510c3b34fd1568dcfc007c6805cb8be7fb6bacb58e9423e3f0dc2a18c8d6d9967d5094fd8295c11831ad4f5

Download Submit
C:\Windows\System\cjaRVvs.exe

Filesize
1.7MB

MD5
e370938a3b6db7143dd2a37346f5556d

SHA1
5e3901df4a3ed6dddc07645fba21843c963e034b

SHA256
03c6614334f79057319b1195798f32b8e38f7c689e84226a18f41814190b3626

SHA512
9efbe268594681a7dbd0a6fa74aa443bb1ebd2ef7fa9c0deedf9e120535ff23bcb90701ba5ceea6fad4b0cc3b5d3786b96494d9729caecb8987c0af3483c0b42

Download Submit
C:\Windows\System\doxWgLm.exe

Filesize
1.7MB

MD5
6d6fbf97a3818305fd2546664ff68f8a

SHA1
6e535dbf2ae7e12cd72a61644ac7c637079a7dd5

SHA256
713d3d30897c4e4bb527fb0280fe5b16229edd389cf3ee6019ea2f87ced6a003

SHA512
f9263ddba82cd1e35ffbe63bdc4799d8311ed2f33484eb635b857d25ef85754c241cdeaf67e10d5022fd8c5f20da83db684f34cf470797e1fa6d78b42e8a2cf1

Download Submit
C:\Windows\System\fcJCXsm.exe

Filesize
1.7MB

MD5
194b5cf2da6c91edd1f1d37f59128678

SHA1
5a6a72d06b7fcc409ab52571ad23f10b8f5dfd03

SHA256
e0475e64baf8cae3920c31db3add11c089cbf163e4c0ac4f0c60140051332337

SHA512
d402b4fc9c7ecc7d17d9d8c84a5bc6ff7bb3487fd4c6aa2f983d2c9ae33ef4681187972c1714d462d075713ae42b9974fd4f58b3aa8a368c13d7909aa8c43a9e

Download Submit
C:\Windows\System\fjjeXPL.exe

Filesize
1.7MB

MD5
ebd18a5ca6d2ab2c94673de4f7a93564

SHA1
0340e5b60f2f682dd5f05327c2560ea2fb4d1e27

SHA256
3265541f442f3ab4edca42a63b252045d7afdd98dcd2167a31b89f994bc1bc27

SHA512
c14c609e0e846bf541300d7daeff79e102f982fa5773ff69b19f53195e8bd533680357c262d811b90c782ca60d25b68a7c822f3925474ae8388484c0556be40a

Download Submit
C:\Windows\System\gCFbLiy.exe

Filesize
1.7MB

MD5
df722fbd3777db4f20101b8ebd3b4b99

SHA1
5f3c72fade016b41289dc6435283f0cc3e7e8cc9

SHA256
c96419d82413562ab998b6971109919cbd4149f82f0468538671418a50e37463

SHA512
fe6883bc07eeb27c21aae07ade1a64597563d42621acc78de8eb64d7c93b6e240d3914b947b5fd77cc5a579e69b340be726c14eaed81532ba93e932b282017d1

Download Submit
C:\Windows\System\gXwmEbM.exe

Filesize
1.7MB

MD5
3a749b3d0a014270853a19bb2052c972

SHA1
dfc200ec125a2fb27a93ca27f4e4c07cc1503fe6

SHA256
3f522317adcdfd384e6f949e02f4fcc21066d397c6c70cd42382b24bd8b7bdab

SHA512
73dd0b64a1db045dde3325242bd3a560b246021efeba3b0f60ac0217e3e1bb7c9583156ad764d96247463ec128a4f752801faf694ebe8ed8487ce861eba0be4d

Download Submit
C:\Windows\System\iAcPkIy.exe

Filesize
1.7MB

MD5
f09e71521fa1fc7045f894636d5a0fd7

SHA1
7a8b113725819c89b389fb6235bacb7f5a1d982c

SHA256
28e8bbf212d5b465784ef335a458a34f27152ec9dbc83700a46eabf026fbceac

SHA512
a45545a261989d51b8af2b2f0966e53aaf705ea59b0f865b7b7949d6d51487ed3267d0ed56267e1c778605f8e867cd41cebaa30403ebae97b8680014c56fb071

Download Submit
C:\Windows\System\nBXNOqz.exe

Filesize
8B

MD5
b51f4f6ea566c7181d4d1f715615a414

SHA1
5f5d2057c3e793a449fbedd304d5084c92db621c

SHA256
efa8a7a6952ccabd712273da0ab5538682fcdaff585ff7604e7a4346286e9320

SHA512
cf70e5addae3f1995c350d8ead332088224d80c10cffe6e3f241ed79cc752dc79ee18c102b4cce11ffe47af43c22c4887cb7ff11f4d8c7bdc4456269c5638b1a

Download Submit
C:\Windows\System\nDIGOPp.exe

Filesize
1.7MB

MD5
cacd7c7c11c5619641e57d0b664c10b3

SHA1
adb2b61d23e5fc1d5d521a9c13625782b4e65f48

SHA256
c590dd4682212771d87033c1b47f976b9e8776001089c2912a2c8fab306bd715

SHA512
85f31a1a3c03eab31fa2998a80f3a35f0ce7a94b2b0fc317f0b27d2561eb08eb36c4f8d7d0a3650d404123c9369cee21f7c45c06f855ec51503e97c8821c1b2b

Download Submit
C:\Windows\System\nVkeEgs.exe

Filesize
1.7MB

MD5
e73db010054efa048b37b1fc9cf4e47b

SHA1
438a694783ee3e2ec79b9856122078fb0f9d0070

SHA256
993e04a5fe0ae786284d14f271465ff0f2dd0167dafaa70138b2be69be1b83e8

SHA512
ec60e44cf980aa0144b4c8be82ec8017fd9ae7f0dae8b715bba37d3238cc5299705761d8f8e0934dd058f2369188084c848c601251d46b7de230651868fe7d2a

Download Submit
C:\Windows\System\tAWpDyf.exe

Filesize
1.7MB

MD5
545c8edd845e6388ec83521a54acda89

SHA1
af51ea47ab6ab0a4a3c19cb06aa717e993d2549b

SHA256
aa9e7413563baa9994d1f0ecf37eb9a4bdc6557f4fe8f8464890406420de81dc

SHA512
2fc98f39d8312e9e45e138babb8907cde560b0c984fe6c73eed190a56d69ca55b1dd116545b7509a5f5c8e56825b00d4886fd22186ffb7137d3c8ffecb26902e

Download Submit
C:\Windows\System\uSVSnvN.exe

Filesize
1.7MB

MD5
5e5985985650d6d16467892c0460fc91

SHA1
ef19449f09088656ace8020e2e54c4d92ce51d34

SHA256
36a67c15e5dfbda8c8d6b0a7fa94f48c188279fff3defe8bf553276aa015f84c

SHA512
9bbfc3422142c77a5a14d94326b5bca2a974d0050aad46a50f6e32e427d9cdc52819e5329ef13954f00e94574a2c9f2950423e80296ff3e1dfed0ae923873483

Download Submit
C:\Windows\System\ufPwYwJ.exe

Filesize
1.7MB

MD5
24366df6efc8582767a1eab9584ee585

SHA1
f8c7d08a3cf296e55b6940cb30ac854e3f41fbc8

SHA256
2f6e1233955b9223455219e5e0189b9bd1101228222b27ce5db7dd00130823d4

SHA512
36bcec98f22a5964627bf4c415689525c10c046b901fb4349e550541758799dc26524a41f684f935e36dc82cf2b43e5f61b78a60cdadfff82d47fbcfcf13296e

Download Submit
C:\Windows\System\yLXhOzc.exe

Filesize
1.7MB

MD5
9e57f3f916f1d60b539fe1f19f6f5476

SHA1
da29caccadc8b9469c1d8a8a551dff09c5488a7b

SHA256
a100e27ee62943e86be88a3c400c2159586de46f35aa1a003f34c2208e4a700f

SHA512
5611a4c23fb6a02d15bc9c46240cc538a15a06283660a84a0461acd57c1c3e571e8b275a3106127037380cbc0492324215e5794a07e77e9f57f3d97db25f23ed

Download Submit
C:\Windows\System\yxqQNtm.exe

Filesize
1.7MB

MD5
35ebfee00112706d561e6d990404df01

SHA1
431a0533cffaa5ef1fcb08a1505bd6a6d8e11caf

SHA256
5a0f531da145193f492a6dcfc6da1a3468818f287cffcbac6b2583e4dbb1d551

SHA512
ed5156a65045ca592f37dbe37908f27d3c3a75c5b4fa085858130ccd5e4a851cbc2fefc1ba279a8a4ceb09996a3e67a5942fa980931ad88c9c03a87803e31116

Download Submit
C:\Windows\System\zBiZZdY.exe

Filesize
1.7MB

MD5
ff15a3d57f433be8224c78d5fc9cde92

SHA1
023256578d211e492b62016dc1fc851e2e45ec9e

SHA256
fa01b11813fb4febb3f3b4aff6c23d7e9d9785bade1ff105c3613497784cb6fc

SHA512
68d790e8f9405630547dfcf614a0d8764398a087cdf7eb9e517f891a1cbc8630895944986095ba4f7f6d18173f50507908ec2dd13bcbfdf48ca1497873b6e0e9

Download Submit
C:\Windows\System\zjtduzh.exe

Filesize
1.7MB

MD5
ed7805dad0ab0e88bd1a881fa8505b44

SHA1
b56b2761dcad35ae46caa1c54d4db1fca09f4182

SHA256
4de153234ef0052458eb6b34b97a6836ca476becfae0cea326afdb6ec971f99e

SHA512
cdd33cd77162cf99427efd5a16532391233dcb6a180fb2ba06d2173391dc606aa8645a0f94bac4c825f15a491b52e7b2df0e3c7d93cf1c607218c7a27b25faf4

Download Submit
memory/212-17-0x00007FF76FB60000-0x00007FF76FF52000-memory.dmp

Filesize
3.9MB

Download
memory/232-1-0x0000028F47470000-0x0000028F47480000-memory.dmp

Filesize
64KB

Download
memory/232-0-0x00007FF6481B0000-0x00007FF6485A2000-memory.dmp

Filesize
3.9MB

Download
memory/232-4199-0x00007FF6481B0000-0x00007FF6485A2000-memory.dmp

Filesize
3.9MB

Download
memory/436-575-0x00007FF7CA0F0000-0x00007FF7CA4E2000-memory.dmp

Filesize
3.9MB

Download
memory/952-886-0x0000023E89B10000-0x0000023E89B32000-memory.dmp

Filesize
136KB

Download
memory/952-77-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp

Filesize
10.8MB

Download
memory/952-129-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp

Filesize
10.8MB

Download
memory/952-1897-0x00007FFCFA420000-0x00007FFCFAEE1000-memory.dmp

Filesize
10.8MB

Download
memory/952-3-0x00007FFCFA423000-0x00007FFCFA425000-memory.dmp

Filesize
8KB

Download
memory/1220-274-0x00007FF6B97D0000-0x00007FF6B9BC2000-memory.dmp

Filesize
3.9MB

Download
memory/1704-577-0x00007FF7B3A20000-0x00007FF7B3E12000-memory.dmp

Filesize
3.9MB

Download
memory/1772-584-0x00007FF794B80000-0x00007FF794F72000-memory.dmp

Filesize
3.9MB

Download
memory/1888-573-0x00007FF62C500000-0x00007FF62C8F2000-memory.dmp

Filesize
3.9MB

Download
memory/1892-638-0x00007FF654690000-0x00007FF654A82000-memory.dmp

Filesize
3.9MB

Download
memory/2144-583-0x00007FF71D270000-0x00007FF71D662000-memory.dmp

Filesize
3.9MB

Download
memory/2328-581-0x00007FF6F3800000-0x00007FF6F3BF2000-memory.dmp

Filesize
3.9MB

Download
memory/2712-578-0x00007FF6F66A0000-0x00007FF6F6A92000-memory.dmp

Filesize
3.9MB

Download
memory/2864-576-0x00007FF6A79C0000-0x00007FF6A7DB2000-memory.dmp

Filesize
3.9MB

Download
memory/3048-586-0x00007FF7F04F0000-0x00007FF7F08E2000-memory.dmp

Filesize
3.9MB

Download
memory/3136-574-0x00007FF7B55A0000-0x00007FF7B5992000-memory.dmp

Filesize
3.9MB

Download
memory/3212-587-0x00007FF61A700000-0x00007FF61AAF2000-memory.dmp

Filesize
3.9MB

Download
memory/3384-585-0x00007FF73FBC0000-0x00007FF73FFB2000-memory.dmp

Filesize
3.9MB

Download
memory/3516-572-0x00007FF727BF0000-0x00007FF727FE2000-memory.dmp

Filesize
3.9MB

Download
memory/4016-412-0x00007FF6854C0000-0x00007FF6858B2000-memory.dmp

Filesize
3.9MB

Download
memory/4032-218-0x00007FF62D2D0000-0x00007FF62D6C2000-memory.dmp

Filesize
3.9MB

Download
memory/4248-579-0x00007FF6C5B30000-0x00007FF6C5F22000-memory.dmp

Filesize
3.9MB

Download
memory/4488-582-0x00007FF7C4900000-0x00007FF7C4CF2000-memory.dmp

Filesize
3.9MB

Download
memory/4608-588-0x00007FF615DE0000-0x00007FF6161D2000-memory.dmp

Filesize
3.9MB

Download
memory/4708-332-0x00007FF7FAB50000-0x00007FF7FAF42000-memory.dmp

Filesize
3.9MB

Download
memory/4936-528-0x00007FF785FE0000-0x00007FF7863D2000-memory.dmp

Filesize
3.9MB

Download
memory/4976-580-0x00007FF625FC0000-0x00007FF6263B2000-memory.dmp

Filesize
3.9MB

Download