xmrig | c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24/07/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
Size

3.4MB
MD5

feec3c0193e6d2687beb7b9d9543361d
SHA1

04ec8fff01ad4f632c5967be7715d8e71bd6b3d1
SHA256

c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea
SHA512

702c9a0799561b8ddb9b1be22e3cdacf34369f195c5f030b2cc8ad494a09990dedfe0871bc4474c07f21d8b3d7aa22e0fbf7331aa67c4784e7a665535015b0bb
SSDEEP

98304:71ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrW9:7bBeSFkp

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2916-0-0x00007FF7F1370000-0x00007FF7F1766000-memory.dmp	xmrig
behavioral2/files/0x00070000000234a5-12.dat	xmrig
behavioral2/files/0x00070000000234a6-26.dat	xmrig
behavioral2/files/0x00070000000234ac-42.dat	xmrig
behavioral2/files/0x00070000000234ab-50.dat	xmrig
behavioral2/files/0x00070000000234ae-70.dat	xmrig
behavioral2/files/0x00070000000234b1-80.dat	xmrig
behavioral2/memory/5092-99-0x00007FF783260000-0x00007FF783656000-memory.dmp	xmrig
behavioral2/memory/4832-110-0x00007FF778990000-0x00007FF778D86000-memory.dmp	xmrig
behavioral2/memory/3144-115-0x00007FF7028D0000-0x00007FF702CC6000-memory.dmp	xmrig
behavioral2/memory/3188-119-0x00007FF60BF60000-0x00007FF60C356000-memory.dmp	xmrig
behavioral2/memory/316-122-0x00007FF60A840000-0x00007FF60AC36000-memory.dmp	xmrig
behavioral2/memory/4268-121-0x00007FF685690000-0x00007FF685A86000-memory.dmp	xmrig
behavioral2/memory/116-120-0x00007FF7F5C80000-0x00007FF7F6076000-memory.dmp	xmrig
behavioral2/memory/1908-118-0x00007FF70BBF0000-0x00007FF70BFE6000-memory.dmp	xmrig
behavioral2/memory/4836-117-0x00007FF7F4940000-0x00007FF7F4D36000-memory.dmp	xmrig
behavioral2/memory/1348-116-0x00007FF7A8600000-0x00007FF7A89F6000-memory.dmp	xmrig
behavioral2/memory/4960-113-0x00007FF606B10000-0x00007FF606F06000-memory.dmp	xmrig
behavioral2/memory/2752-112-0x00007FF7516D0000-0x00007FF751AC6000-memory.dmp	xmrig
behavioral2/memory/4952-111-0x00007FF64BF70000-0x00007FF64C366000-memory.dmp	xmrig
behavioral2/memory/2364-109-0x00007FF697F00000-0x00007FF6982F6000-memory.dmp	xmrig
behavioral2/memory/4796-98-0x00007FF7B4AE0000-0x00007FF7B4ED6000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b5-96.dat	xmrig
behavioral2/files/0x00070000000234b4-94.dat	xmrig
behavioral2/files/0x00070000000234b3-91.dat	xmrig
behavioral2/files/0x00070000000234b0-88.dat	xmrig
behavioral2/files/0x00070000000234b2-86.dat	xmrig
behavioral2/files/0x00070000000234ad-84.dat	xmrig
behavioral2/files/0x00070000000234af-82.dat	xmrig
behavioral2/memory/4788-76-0x00007FF77D290000-0x00007FF77D686000-memory.dmp	xmrig
behavioral2/memory/2120-75-0x00007FF60C6C0000-0x00007FF60CAB6000-memory.dmp	xmrig
behavioral2/files/0x00070000000234aa-58.dat	xmrig
behavioral2/files/0x00070000000234a9-47.dat	xmrig
behavioral2/files/0x00070000000234a8-43.dat	xmrig
behavioral2/files/0x00070000000234a7-36.dat	xmrig
behavioral2/memory/884-15-0x00007FF712240000-0x00007FF712636000-memory.dmp	xmrig
behavioral2/files/0x000a00000002349d-8.dat	xmrig
behavioral2/files/0x00080000000234a2-126.dat	xmrig
behavioral2/files/0x00070000000234b8-138.dat	xmrig
behavioral2/files/0x00070000000234b9-147.dat	xmrig
behavioral2/memory/4452-157-0x00007FF601BC0000-0x00007FF601FB6000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bd-180.dat	xmrig
behavioral2/files/0x00070000000234c1-194.dat	xmrig
behavioral2/files/0x00070000000234c3-197.dat	xmrig
behavioral2/memory/4444-196-0x00007FF612450000-0x00007FF612846000-memory.dmp	xmrig
behavioral2/files/0x00070000000234c2-195.dat	xmrig
behavioral2/files/0x00070000000234c0-193.dat	xmrig
behavioral2/files/0x00070000000234bf-190.dat	xmrig
behavioral2/memory/976-187-0x00007FF6F9840000-0x00007FF6F9C36000-memory.dmp	xmrig
behavioral2/files/0x00070000000234be-182.dat	xmrig
behavioral2/memory/2508-179-0x00007FF7112C0000-0x00007FF7116B6000-memory.dmp	xmrig
behavioral2/files/0x00070000000234bc-171.dat	xmrig
behavioral2/files/0x00070000000234bb-163.dat	xmrig
behavioral2/memory/1308-156-0x00007FF6AB3E0000-0x00007FF6AB7D6000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ba-152.dat	xmrig
behavioral2/files/0x00080000000234b7-160.dat	xmrig
behavioral2/memory/2044-148-0x00007FF65DF70000-0x00007FF65E366000-memory.dmp	xmrig
behavioral2/files/0x00080000000234b6-143.dat	xmrig
behavioral2/memory/884-1904-0x00007FF712240000-0x00007FF712636000-memory.dmp	xmrig
behavioral2/memory/116-1905-0x00007FF7F5C80000-0x00007FF7F6076000-memory.dmp	xmrig
behavioral2/memory/3188-1906-0x00007FF60BF60000-0x00007FF60C356000-memory.dmp	xmrig
behavioral2/memory/4788-1907-0x00007FF77D290000-0x00007FF77D686000-memory.dmp	xmrig
behavioral2/memory/2364-1908-0x00007FF697F00000-0x00007FF6982F6000-memory.dmp	xmrig
behavioral2/memory/4832-1909-0x00007FF778990000-0x00007FF778D86000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	3076	powershell.exe
20	3076	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3076	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
884	VcTDhYI.exe
3188	pSUxfZj.exe
116	ZNDonjr.exe
2120	NwTwiCH.exe
4788	mkQLgDg.exe
4796	jcblcaP.exe
5092	KrojdCZ.exe
2364	ZXtbfFw.exe
4832	EocpfzS.exe
4952	WOPMSgm.exe
2752	pzxwxVc.exe
4960	TshCouF.exe
3144	DSwrQwe.exe
1348	WhYqPDj.exe
4268	DcbgbSL.exe
4836	cDkHrKc.exe
316	xcmzMut.exe
1908	gPepFpn.exe
2044	CLNXffS.exe
2508	OXjKXzr.exe
1308	AHDHEOE.exe
976	LjrJdIZ.exe
4452	VlWtvlF.exe
4444	JWLEEmY.exe
3372	vZgatiy.exe
3672	khmgpdC.exe
2540	GEFRmEI.exe
4116	SWGUSpQ.exe
2164	poCEKYc.exe
3644	XGKnsGv.exe
2832	kMWJldk.exe
2600	bZEwtuM.exe
4644	cFywxYI.exe
2348	iseypgZ.exe
2892	VlxySAx.exe
3524	YdrHOfH.exe
208	SMefKol.exe
1996	umkwVFL.exe
3196	ZhpwceH.exe
2996	vlNRrVr.exe
2304	AyspnpS.exe
4540	pbsqnyH.exe
4124	pBzUyUT.exe
928	JFuoGND.exe
2188	aumnStK.exe
2976	XHIiUcU.exe
1984	ZkXhDkM.exe
788	uNfBrJS.exe
2332	XAOGTHd.exe
4956	NifpnJH.exe
1028	mKLhHOX.exe
1804	cfuPgTW.exe
3716	wtWXANB.exe
5004	ezyTxOz.exe
2620	qeMMFtt.exe
4664	aMFOyNx.exe
4212	KUheloe.exe
4180	YZQWjJD.exe
3696	sAQoMDv.exe
2700	JCfASWF.exe
1344	vgBXoHC.exe
2064	avadAoK.exe
1144	tXKPBcn.exe
4676	OEXYDuS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2916-0-0x00007FF7F1370000-0x00007FF7F1766000-memory.dmp	upx
behavioral2/files/0x00070000000234a5-12.dat	upx
behavioral2/files/0x00070000000234a6-26.dat	upx
behavioral2/files/0x00070000000234ac-42.dat	upx
behavioral2/files/0x00070000000234ab-50.dat	upx
behavioral2/files/0x00070000000234ae-70.dat	upx
behavioral2/files/0x00070000000234b1-80.dat	upx
behavioral2/memory/5092-99-0x00007FF783260000-0x00007FF783656000-memory.dmp	upx
behavioral2/memory/4832-110-0x00007FF778990000-0x00007FF778D86000-memory.dmp	upx
behavioral2/memory/3144-115-0x00007FF7028D0000-0x00007FF702CC6000-memory.dmp	upx
behavioral2/memory/3188-119-0x00007FF60BF60000-0x00007FF60C356000-memory.dmp	upx
behavioral2/memory/316-122-0x00007FF60A840000-0x00007FF60AC36000-memory.dmp	upx
behavioral2/memory/4268-121-0x00007FF685690000-0x00007FF685A86000-memory.dmp	upx
behavioral2/memory/116-120-0x00007FF7F5C80000-0x00007FF7F6076000-memory.dmp	upx
behavioral2/memory/1908-118-0x00007FF70BBF0000-0x00007FF70BFE6000-memory.dmp	upx
behavioral2/memory/4836-117-0x00007FF7F4940000-0x00007FF7F4D36000-memory.dmp	upx
behavioral2/memory/1348-116-0x00007FF7A8600000-0x00007FF7A89F6000-memory.dmp	upx
behavioral2/memory/4960-113-0x00007FF606B10000-0x00007FF606F06000-memory.dmp	upx
behavioral2/memory/2752-112-0x00007FF7516D0000-0x00007FF751AC6000-memory.dmp	upx
behavioral2/memory/4952-111-0x00007FF64BF70000-0x00007FF64C366000-memory.dmp	upx
behavioral2/memory/2364-109-0x00007FF697F00000-0x00007FF6982F6000-memory.dmp	upx
behavioral2/memory/4796-98-0x00007FF7B4AE0000-0x00007FF7B4ED6000-memory.dmp	upx
behavioral2/files/0x00070000000234b5-96.dat	upx
behavioral2/files/0x00070000000234b4-94.dat	upx
behavioral2/files/0x00070000000234b3-91.dat	upx
behavioral2/files/0x00070000000234b0-88.dat	upx
behavioral2/files/0x00070000000234b2-86.dat	upx
behavioral2/files/0x00070000000234ad-84.dat	upx
behavioral2/files/0x00070000000234af-82.dat	upx
behavioral2/memory/4788-76-0x00007FF77D290000-0x00007FF77D686000-memory.dmp	upx
behavioral2/memory/2120-75-0x00007FF60C6C0000-0x00007FF60CAB6000-memory.dmp	upx
behavioral2/files/0x00070000000234aa-58.dat	upx
behavioral2/files/0x00070000000234a9-47.dat	upx
behavioral2/files/0x00070000000234a8-43.dat	upx
behavioral2/files/0x00070000000234a7-36.dat	upx
behavioral2/memory/884-15-0x00007FF712240000-0x00007FF712636000-memory.dmp	upx
behavioral2/files/0x000a00000002349d-8.dat	upx
behavioral2/files/0x00080000000234a2-126.dat	upx
behavioral2/files/0x00070000000234b8-138.dat	upx
behavioral2/files/0x00070000000234b9-147.dat	upx
behavioral2/memory/4452-157-0x00007FF601BC0000-0x00007FF601FB6000-memory.dmp	upx
behavioral2/files/0x00070000000234bd-180.dat	upx
behavioral2/files/0x00070000000234c1-194.dat	upx
behavioral2/files/0x00070000000234c3-197.dat	upx
behavioral2/memory/4444-196-0x00007FF612450000-0x00007FF612846000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-195.dat	upx
behavioral2/files/0x00070000000234c0-193.dat	upx
behavioral2/files/0x00070000000234bf-190.dat	upx
behavioral2/memory/976-187-0x00007FF6F9840000-0x00007FF6F9C36000-memory.dmp	upx
behavioral2/files/0x00070000000234be-182.dat	upx
behavioral2/memory/2508-179-0x00007FF7112C0000-0x00007FF7116B6000-memory.dmp	upx
behavioral2/files/0x00070000000234bc-171.dat	upx
behavioral2/files/0x00070000000234bb-163.dat	upx
behavioral2/memory/1308-156-0x00007FF6AB3E0000-0x00007FF6AB7D6000-memory.dmp	upx
behavioral2/files/0x00070000000234ba-152.dat	upx
behavioral2/files/0x00080000000234b7-160.dat	upx
behavioral2/memory/2044-148-0x00007FF65DF70000-0x00007FF65E366000-memory.dmp	upx
behavioral2/files/0x00080000000234b6-143.dat	upx
behavioral2/memory/884-1904-0x00007FF712240000-0x00007FF712636000-memory.dmp	upx
behavioral2/memory/116-1905-0x00007FF7F5C80000-0x00007FF7F6076000-memory.dmp	upx
behavioral2/memory/3188-1906-0x00007FF60BF60000-0x00007FF60C356000-memory.dmp	upx
behavioral2/memory/4788-1907-0x00007FF77D290000-0x00007FF77D686000-memory.dmp	upx
behavioral2/memory/2364-1908-0x00007FF697F00000-0x00007FF6982F6000-memory.dmp	upx
behavioral2/memory/4832-1909-0x00007FF778990000-0x00007FF778D86000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\GzDkinQ.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\enqxwAR.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\QdjBYQN.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\mqDNerb.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\QwMbiOu.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\dHXmxEy.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\oIfLGSu.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\RvBFrju.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\TNLazIG.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\JCfASWF.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\YKlmaWZ.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\ZdmFYRX.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\JzxdXrw.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\dHEFDyA.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\dHiMmeZ.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\NDXPwfG.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\KVuHJaE.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\wlcVYeG.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\KgYEcIp.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\dDwJMHn.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\Kifciba.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\dxXqtMQ.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\AZPVuxq.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\JpeyeTi.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\mfSQpBD.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\ZesqGjb.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\woAYmpU.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\kYSELEw.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\NmZbHYe.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\lcweqht.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\UqEpmPG.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\feLLKXF.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\FsnFWwP.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\NNFEHoe.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\GEFRmEI.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\ONaTOwa.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\zVSrtyH.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\qgNaxNW.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\MIDjIPt.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\SkfAMoO.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\TromSbL.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\WquAbKQ.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\KWsYGxq.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\GyrJzVN.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\jCrlTNi.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\QTVjrDa.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\jHcmyRS.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\geiiBFk.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\LjwAVlQ.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\ifcwLVm.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\eyNWHvo.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\XHIiUcU.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\PxCcBFf.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\mONROvG.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\cQemdeI.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\tvygMrP.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\fgkXkqx.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\kGHUVfV.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\cHQuBuI.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\MSdHVvJ.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\WhYqPDj.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\hzdmcuW.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\GuqbuqD.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
File created	C:\Windows\System\psTafRe.exe	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3076	powershell.exe
3076	powershell.exe
3076	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
Token: SeLockMemoryPrivilege	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeCreateGlobalPrivilege	12344	dwm.exe
Token: SeChangeNotifyPrivilege	12344	dwm.exe
Token: 33	12344	dwm.exe
Token: SeIncBasePriorityPrivilege	12344	dwm.exe
Token: SeShutdownPrivilege	12344	dwm.exe
Token: SeCreatePagefilePrivilege	12344	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3076	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	85
PID 2916 wrote to memory of 3076	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	85
PID 2916 wrote to memory of 884	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	87
PID 2916 wrote to memory of 884	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	87
PID 2916 wrote to memory of 3188	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	88
PID 2916 wrote to memory of 3188	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	88
PID 2916 wrote to memory of 116	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	89
PID 2916 wrote to memory of 116	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	89
PID 2916 wrote to memory of 2120	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	90
PID 2916 wrote to memory of 2120	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	90
PID 2916 wrote to memory of 4788	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	91
PID 2916 wrote to memory of 4788	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	91
PID 2916 wrote to memory of 4796	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	92
PID 2916 wrote to memory of 4796	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	92
PID 2916 wrote to memory of 5092	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	93
PID 2916 wrote to memory of 5092	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	93
PID 2916 wrote to memory of 2364	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	94
PID 2916 wrote to memory of 2364	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	94
PID 2916 wrote to memory of 4832	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	95
PID 2916 wrote to memory of 4832	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	95
PID 2916 wrote to memory of 2752	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	96
PID 2916 wrote to memory of 2752	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	96
PID 2916 wrote to memory of 3144	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	97
PID 2916 wrote to memory of 3144	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	97
PID 2916 wrote to memory of 4952	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	98
PID 2916 wrote to memory of 4952	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	98
PID 2916 wrote to memory of 4960	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	99
PID 2916 wrote to memory of 4960	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	99
PID 2916 wrote to memory of 1348	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	100
PID 2916 wrote to memory of 1348	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	100
PID 2916 wrote to memory of 4268	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	101
PID 2916 wrote to memory of 4268	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	101
PID 2916 wrote to memory of 4836	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	102
PID 2916 wrote to memory of 4836	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	102
PID 2916 wrote to memory of 316	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	103
PID 2916 wrote to memory of 316	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	103
PID 2916 wrote to memory of 1908	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	104
PID 2916 wrote to memory of 1908	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	104
PID 2916 wrote to memory of 2044	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	106
PID 2916 wrote to memory of 2044	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	106
PID 2916 wrote to memory of 2508	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	107
PID 2916 wrote to memory of 2508	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	107
PID 2916 wrote to memory of 976	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	108
PID 2916 wrote to memory of 976	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	108
PID 2916 wrote to memory of 1308	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	109
PID 2916 wrote to memory of 1308	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	109
PID 2916 wrote to memory of 4444	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	110
PID 2916 wrote to memory of 4444	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	110
PID 2916 wrote to memory of 4452	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	111
PID 2916 wrote to memory of 4452	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	111
PID 2916 wrote to memory of 3372	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	112
PID 2916 wrote to memory of 3372	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	112
PID 2916 wrote to memory of 3672	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	113
PID 2916 wrote to memory of 3672	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	113
PID 2916 wrote to memory of 2540	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	114
PID 2916 wrote to memory of 2540	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	114
PID 2916 wrote to memory of 4116	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	115
PID 2916 wrote to memory of 4116	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	115
PID 2916 wrote to memory of 2164	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	116
PID 2916 wrote to memory of 2164	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	116
PID 2916 wrote to memory of 3644	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	117
PID 2916 wrote to memory of 3644	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	117
PID 2916 wrote to memory of 2832	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	118
PID 2916 wrote to memory of 2832	2916	c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe	118

C:\Users\Admin\AppData\Local\Temp\c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe
"C:\Users\Admin\AppData\Local\Temp\c6094bfabc87d93ddb1136a296fa4675df11b138c59ab5e1cd69db6680466fea.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3076
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3076" "2892" "2448" "2896" "0" "0" "2900" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2252
- C:\Windows\System\VcTDhYI.exe
  C:\Windows\System\VcTDhYI.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\pSUxfZj.exe
  C:\Windows\System\pSUxfZj.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\ZNDonjr.exe
  C:\Windows\System\ZNDonjr.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\NwTwiCH.exe
  C:\Windows\System\NwTwiCH.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\mkQLgDg.exe
  C:\Windows\System\mkQLgDg.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\jcblcaP.exe
  C:\Windows\System\jcblcaP.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\KrojdCZ.exe
  C:\Windows\System\KrojdCZ.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\ZXtbfFw.exe
  C:\Windows\System\ZXtbfFw.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\EocpfzS.exe
  C:\Windows\System\EocpfzS.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\pzxwxVc.exe
  C:\Windows\System\pzxwxVc.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\DSwrQwe.exe
  C:\Windows\System\DSwrQwe.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\WOPMSgm.exe
  C:\Windows\System\WOPMSgm.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\TshCouF.exe
  C:\Windows\System\TshCouF.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\WhYqPDj.exe
  C:\Windows\System\WhYqPDj.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\DcbgbSL.exe
  C:\Windows\System\DcbgbSL.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\cDkHrKc.exe
  C:\Windows\System\cDkHrKc.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\xcmzMut.exe
  C:\Windows\System\xcmzMut.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\gPepFpn.exe
  C:\Windows\System\gPepFpn.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\CLNXffS.exe
  C:\Windows\System\CLNXffS.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\OXjKXzr.exe
  C:\Windows\System\OXjKXzr.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\LjrJdIZ.exe
  C:\Windows\System\LjrJdIZ.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\AHDHEOE.exe
  C:\Windows\System\AHDHEOE.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\JWLEEmY.exe
  C:\Windows\System\JWLEEmY.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\VlWtvlF.exe
  C:\Windows\System\VlWtvlF.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\vZgatiy.exe
  C:\Windows\System\vZgatiy.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\khmgpdC.exe
  C:\Windows\System\khmgpdC.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\GEFRmEI.exe
  C:\Windows\System\GEFRmEI.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\SWGUSpQ.exe
  C:\Windows\System\SWGUSpQ.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\poCEKYc.exe
  C:\Windows\System\poCEKYc.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\XGKnsGv.exe
  C:\Windows\System\XGKnsGv.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\kMWJldk.exe
  C:\Windows\System\kMWJldk.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\bZEwtuM.exe
  C:\Windows\System\bZEwtuM.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\cFywxYI.exe
  C:\Windows\System\cFywxYI.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\iseypgZ.exe
  C:\Windows\System\iseypgZ.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\VlxySAx.exe
  C:\Windows\System\VlxySAx.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\YdrHOfH.exe
  C:\Windows\System\YdrHOfH.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\SMefKol.exe
  C:\Windows\System\SMefKol.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\umkwVFL.exe
  C:\Windows\System\umkwVFL.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\ZhpwceH.exe
  C:\Windows\System\ZhpwceH.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\vlNRrVr.exe
  C:\Windows\System\vlNRrVr.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\AyspnpS.exe
  C:\Windows\System\AyspnpS.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\pbsqnyH.exe
  C:\Windows\System\pbsqnyH.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\pBzUyUT.exe
  C:\Windows\System\pBzUyUT.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\JFuoGND.exe
  C:\Windows\System\JFuoGND.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\aumnStK.exe
  C:\Windows\System\aumnStK.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\XHIiUcU.exe
  C:\Windows\System\XHIiUcU.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\ZkXhDkM.exe
  C:\Windows\System\ZkXhDkM.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\uNfBrJS.exe
  C:\Windows\System\uNfBrJS.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\XAOGTHd.exe
  C:\Windows\System\XAOGTHd.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\NifpnJH.exe
  C:\Windows\System\NifpnJH.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\mKLhHOX.exe
  C:\Windows\System\mKLhHOX.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\cfuPgTW.exe
  C:\Windows\System\cfuPgTW.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\wtWXANB.exe
  C:\Windows\System\wtWXANB.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System\ezyTxOz.exe
  C:\Windows\System\ezyTxOz.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\qeMMFtt.exe
  C:\Windows\System\qeMMFtt.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\aMFOyNx.exe
  C:\Windows\System\aMFOyNx.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\KUheloe.exe
  C:\Windows\System\KUheloe.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\YZQWjJD.exe
  C:\Windows\System\YZQWjJD.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\sAQoMDv.exe
  C:\Windows\System\sAQoMDv.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\JCfASWF.exe
  C:\Windows\System\JCfASWF.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\vgBXoHC.exe
  C:\Windows\System\vgBXoHC.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\avadAoK.exe
  C:\Windows\System\avadAoK.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\tXKPBcn.exe
  C:\Windows\System\tXKPBcn.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\OEXYDuS.exe
  C:\Windows\System\OEXYDuS.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\dxXqtMQ.exe
  C:\Windows\System\dxXqtMQ.exe
  2⤵
  PID:2708
- C:\Windows\System\LZzNMFv.exe
  C:\Windows\System\LZzNMFv.exe
  2⤵
  PID:1848
- C:\Windows\System\EtWEWQn.exe
  C:\Windows\System\EtWEWQn.exe
  2⤵
  PID:3224
- C:\Windows\System\psTafRe.exe
  C:\Windows\System\psTafRe.exe
  2⤵
  PID:4216
- C:\Windows\System\hgXssCJ.exe
  C:\Windows\System\hgXssCJ.exe
  2⤵
  PID:220
- C:\Windows\System\UlNeCLe.exe
  C:\Windows\System\UlNeCLe.exe
  2⤵
  PID:2780
- C:\Windows\System\GzDkinQ.exe
  C:\Windows\System\GzDkinQ.exe
  2⤵
  PID:448
- C:\Windows\System\PxCcBFf.exe
  C:\Windows\System\PxCcBFf.exe
  2⤵
  PID:2052
- C:\Windows\System\bEHpvVH.exe
  C:\Windows\System\bEHpvVH.exe
  2⤵
  PID:2840
- C:\Windows\System\TMuuaXD.exe
  C:\Windows\System\TMuuaXD.exe
  2⤵
  PID:4076
- C:\Windows\System\ikpQvyn.exe
  C:\Windows\System\ikpQvyn.exe
  2⤵
  PID:4688
- C:\Windows\System\PVDTsVv.exe
  C:\Windows\System\PVDTsVv.exe
  2⤵
  PID:2072
- C:\Windows\System\JhNLUaV.exe
  C:\Windows\System\JhNLUaV.exe
  2⤵
  PID:3060
- C:\Windows\System\FckznuB.exe
  C:\Windows\System\FckznuB.exe
  2⤵
  PID:1636
- C:\Windows\System\EYLsmQR.exe
  C:\Windows\System\EYLsmQR.exe
  2⤵
  PID:4276
- C:\Windows\System\tIWHYIK.exe
  C:\Windows\System\tIWHYIK.exe
  2⤵
  PID:2388
- C:\Windows\System\ucSARKx.exe
  C:\Windows\System\ucSARKx.exe
  2⤵
  PID:4360
- C:\Windows\System\cLKBUpg.exe
  C:\Windows\System\cLKBUpg.exe
  2⤵
  PID:3544
- C:\Windows\System\kWqpZuV.exe
  C:\Windows\System\kWqpZuV.exe
  2⤵
  PID:1232
- C:\Windows\System\kUVHzez.exe
  C:\Windows\System\kUVHzez.exe
  2⤵
  PID:1816
- C:\Windows\System\indoyOt.exe
  C:\Windows\System\indoyOt.exe
  2⤵
  PID:5036
- C:\Windows\System\pThtPUz.exe
  C:\Windows\System\pThtPUz.exe
  2⤵
  PID:2384
- C:\Windows\System\ztwQXJR.exe
  C:\Windows\System\ztwQXJR.exe
  2⤵
  PID:2092
- C:\Windows\System\IYPNfYd.exe
  C:\Windows\System\IYPNfYd.exe
  2⤵
  PID:2288
- C:\Windows\System\vhIwPOM.exe
  C:\Windows\System\vhIwPOM.exe
  2⤵
  PID:3556
- C:\Windows\System\jhAKIUv.exe
  C:\Windows\System\jhAKIUv.exe
  2⤵
  PID:5148
- C:\Windows\System\gwLPoPv.exe
  C:\Windows\System\gwLPoPv.exe
  2⤵
  PID:5172
- C:\Windows\System\AZPVuxq.exe
  C:\Windows\System\AZPVuxq.exe
  2⤵
  PID:5200
- C:\Windows\System\AWGYoLl.exe
  C:\Windows\System\AWGYoLl.exe
  2⤵
  PID:5236
- C:\Windows\System\jFPCniT.exe
  C:\Windows\System\jFPCniT.exe
  2⤵
  PID:5260
- C:\Windows\System\qftKtMW.exe
  C:\Windows\System\qftKtMW.exe
  2⤵
  PID:5288
- C:\Windows\System\vXNKjHS.exe
  C:\Windows\System\vXNKjHS.exe
  2⤵
  PID:5316
- C:\Windows\System\uCQsRUb.exe
  C:\Windows\System\uCQsRUb.exe
  2⤵
  PID:5344
- C:\Windows\System\VHUrXSs.exe
  C:\Windows\System\VHUrXSs.exe
  2⤵
  PID:5372
- C:\Windows\System\HRarCXp.exe
  C:\Windows\System\HRarCXp.exe
  2⤵
  PID:5400
- C:\Windows\System\iBRmvQw.exe
  C:\Windows\System\iBRmvQw.exe
  2⤵
  PID:5428
- C:\Windows\System\fiJrlrj.exe
  C:\Windows\System\fiJrlrj.exe
  2⤵
  PID:5460
- C:\Windows\System\dHEFDyA.exe
  C:\Windows\System\dHEFDyA.exe
  2⤵
  PID:5488
- C:\Windows\System\aqAwzuf.exe
  C:\Windows\System\aqAwzuf.exe
  2⤵
  PID:5516
- C:\Windows\System\pLYPiyR.exe
  C:\Windows\System\pLYPiyR.exe
  2⤵
  PID:5544
- C:\Windows\System\HciTkdD.exe
  C:\Windows\System\HciTkdD.exe
  2⤵
  PID:5572
- C:\Windows\System\JrgyqsU.exe
  C:\Windows\System\JrgyqsU.exe
  2⤵
  PID:5600
- C:\Windows\System\exdVUFl.exe
  C:\Windows\System\exdVUFl.exe
  2⤵
  PID:5628
- C:\Windows\System\CNSpGxA.exe
  C:\Windows\System\CNSpGxA.exe
  2⤵
  PID:5656
- C:\Windows\System\sLYtrKR.exe
  C:\Windows\System\sLYtrKR.exe
  2⤵
  PID:5680
- C:\Windows\System\nofgjVP.exe
  C:\Windows\System\nofgjVP.exe
  2⤵
  PID:5720
- C:\Windows\System\JlEBWKU.exe
  C:\Windows\System\JlEBWKU.exe
  2⤵
  PID:5740
- C:\Windows\System\dhIMXDt.exe
  C:\Windows\System\dhIMXDt.exe
  2⤵
  PID:5768
- C:\Windows\System\qLHzIAn.exe
  C:\Windows\System\qLHzIAn.exe
  2⤵
  PID:5800
- C:\Windows\System\ZXNBzDD.exe
  C:\Windows\System\ZXNBzDD.exe
  2⤵
  PID:5824
- C:\Windows\System\wxOgJGh.exe
  C:\Windows\System\wxOgJGh.exe
  2⤵
  PID:5852
- C:\Windows\System\pQhhEjd.exe
  C:\Windows\System\pQhhEjd.exe
  2⤵
  PID:5880
- C:\Windows\System\oPYtsDq.exe
  C:\Windows\System\oPYtsDq.exe
  2⤵
  PID:5908
- C:\Windows\System\KzdlwMY.exe
  C:\Windows\System\KzdlwMY.exe
  2⤵
  PID:5940
- C:\Windows\System\QPHJKrd.exe
  C:\Windows\System\QPHJKrd.exe
  2⤵
  PID:5964
- C:\Windows\System\FgJvzuw.exe
  C:\Windows\System\FgJvzuw.exe
  2⤵
  PID:5980
- C:\Windows\System\DKkhYbo.exe
  C:\Windows\System\DKkhYbo.exe
  2⤵
  PID:6004
- C:\Windows\System\OwePlkV.exe
  C:\Windows\System\OwePlkV.exe
  2⤵
  PID:6036
- C:\Windows\System\UCbVRqr.exe
  C:\Windows\System\UCbVRqr.exe
  2⤵
  PID:6072
- C:\Windows\System\XubiANH.exe
  C:\Windows\System\XubiANH.exe
  2⤵
  PID:6108
- C:\Windows\System\DPAFqwy.exe
  C:\Windows\System\DPAFqwy.exe
  2⤵
  PID:6136
- C:\Windows\System\TohtsMS.exe
  C:\Windows\System\TohtsMS.exe
  2⤵
  PID:5164
- C:\Windows\System\iOXkMcc.exe
  C:\Windows\System\iOXkMcc.exe
  2⤵
  PID:5228
- C:\Windows\System\slQyIbM.exe
  C:\Windows\System\slQyIbM.exe
  2⤵
  PID:5300
- C:\Windows\System\LcGdFgR.exe
  C:\Windows\System\LcGdFgR.exe
  2⤵
  PID:5364
- C:\Windows\System\KWsYGxq.exe
  C:\Windows\System\KWsYGxq.exe
  2⤵
  PID:5424
- C:\Windows\System\CCJOyge.exe
  C:\Windows\System\CCJOyge.exe
  2⤵
  PID:5484
- C:\Windows\System\aYeNMap.exe
  C:\Windows\System\aYeNMap.exe
  2⤵
  PID:5564
- C:\Windows\System\jlWfWtI.exe
  C:\Windows\System\jlWfWtI.exe
  2⤵
  PID:5624
- C:\Windows\System\iaZoYdR.exe
  C:\Windows\System\iaZoYdR.exe
  2⤵
  PID:5708
- C:\Windows\System\ommaTZI.exe
  C:\Windows\System\ommaTZI.exe
  2⤵
  PID:5752
- C:\Windows\System\Yvkvmzl.exe
  C:\Windows\System\Yvkvmzl.exe
  2⤵
  PID:5816
- C:\Windows\System\wzAJaoU.exe
  C:\Windows\System\wzAJaoU.exe
  2⤵
  PID:5892
- C:\Windows\System\EDLmsst.exe
  C:\Windows\System\EDLmsst.exe
  2⤵
  PID:5956
- C:\Windows\System\VXzjULS.exe
  C:\Windows\System\VXzjULS.exe
  2⤵
  PID:5992
- C:\Windows\System\kfKtOQo.exe
  C:\Windows\System\kfKtOQo.exe
  2⤵
  PID:6060
- C:\Windows\System\fvOCikQ.exe
  C:\Windows\System\fvOCikQ.exe
  2⤵
  PID:5168
- C:\Windows\System\BTijXtw.exe
  C:\Windows\System\BTijXtw.exe
  2⤵
  PID:5284
- C:\Windows\System\DACkQfo.exe
  C:\Windows\System\DACkQfo.exe
  2⤵
  PID:5468
- C:\Windows\System\VjflUya.exe
  C:\Windows\System\VjflUya.exe
  2⤵
  PID:5612
- C:\Windows\System\cOpkCYa.exe
  C:\Windows\System\cOpkCYa.exe
  2⤵
  PID:5732
- C:\Windows\System\DluHIdj.exe
  C:\Windows\System\DluHIdj.exe
  2⤵
  PID:5904
- C:\Windows\System\FPkkIHD.exe
  C:\Windows\System\FPkkIHD.exe
  2⤵
  PID:5928
- C:\Windows\System\ssFVjWl.exe
  C:\Windows\System\ssFVjWl.exe
  2⤵
  PID:5252
- C:\Windows\System\IpLOors.exe
  C:\Windows\System\IpLOors.exe
  2⤵
  PID:5588
- C:\Windows\System\oKWnqPv.exe
  C:\Windows\System\oKWnqPv.exe
  2⤵
  PID:5960
- C:\Windows\System\eguQOme.exe
  C:\Windows\System\eguQOme.exe
  2⤵
  PID:5540
- C:\Windows\System\SgdEonT.exe
  C:\Windows\System\SgdEonT.exe
  2⤵
  PID:5224
- C:\Windows\System\ZnmWYjP.exe
  C:\Windows\System\ZnmWYjP.exe
  2⤵
  PID:6164
- C:\Windows\System\zqeOpKe.exe
  C:\Windows\System\zqeOpKe.exe
  2⤵
  PID:6188
- C:\Windows\System\pieGYUo.exe
  C:\Windows\System\pieGYUo.exe
  2⤵
  PID:6204
- C:\Windows\System\LLXRGCt.exe
  C:\Windows\System\LLXRGCt.exe
  2⤵
  PID:6244
- C:\Windows\System\jWPyHBM.exe
  C:\Windows\System\jWPyHBM.exe
  2⤵
  PID:6264
- C:\Windows\System\trCEAgD.exe
  C:\Windows\System\trCEAgD.exe
  2⤵
  PID:6300
- C:\Windows\System\hqwvwEV.exe
  C:\Windows\System\hqwvwEV.exe
  2⤵
  PID:6328
- C:\Windows\System\gyOznkC.exe
  C:\Windows\System\gyOznkC.exe
  2⤵
  PID:6356
- C:\Windows\System\rdkrtdq.exe
  C:\Windows\System\rdkrtdq.exe
  2⤵
  PID:6388
- C:\Windows\System\bInLerb.exe
  C:\Windows\System\bInLerb.exe
  2⤵
  PID:6412
- C:\Windows\System\KLIPzQX.exe
  C:\Windows\System\KLIPzQX.exe
  2⤵
  PID:6440
- C:\Windows\System\CMBpsxt.exe
  C:\Windows\System\CMBpsxt.exe
  2⤵
  PID:6472
- C:\Windows\System\XKpdSZH.exe
  C:\Windows\System\XKpdSZH.exe
  2⤵
  PID:6500
- C:\Windows\System\LieSpRO.exe
  C:\Windows\System\LieSpRO.exe
  2⤵
  PID:6528
- C:\Windows\System\dedomjX.exe
  C:\Windows\System\dedomjX.exe
  2⤵
  PID:6556
- C:\Windows\System\muAbnaf.exe
  C:\Windows\System\muAbnaf.exe
  2⤵
  PID:6584
- C:\Windows\System\xsvYFzp.exe
  C:\Windows\System\xsvYFzp.exe
  2⤵
  PID:6600
- C:\Windows\System\MkeFHNP.exe
  C:\Windows\System\MkeFHNP.exe
  2⤵
  PID:6616
- C:\Windows\System\fzHfIqO.exe
  C:\Windows\System\fzHfIqO.exe
  2⤵
  PID:6644
- C:\Windows\System\lJcZlKC.exe
  C:\Windows\System\lJcZlKC.exe
  2⤵
  PID:6684
- C:\Windows\System\GmDRKmP.exe
  C:\Windows\System\GmDRKmP.exe
  2⤵
  PID:6720
- C:\Windows\System\gklDxnO.exe
  C:\Windows\System\gklDxnO.exe
  2⤵
  PID:6760
- C:\Windows\System\HoEGzlB.exe
  C:\Windows\System\HoEGzlB.exe
  2⤵
  PID:6784
- C:\Windows\System\nOnVtNf.exe
  C:\Windows\System\nOnVtNf.exe
  2⤵
  PID:6828
- C:\Windows\System\DdXPtLu.exe
  C:\Windows\System\DdXPtLu.exe
  2⤵
  PID:6856
- C:\Windows\System\YZUUQsi.exe
  C:\Windows\System\YZUUQsi.exe
  2⤵
  PID:6884
- C:\Windows\System\tmKpipi.exe
  C:\Windows\System\tmKpipi.exe
  2⤵
  PID:6912
- C:\Windows\System\MIDjIPt.exe
  C:\Windows\System\MIDjIPt.exe
  2⤵
  PID:6940
- C:\Windows\System\dHXmxEy.exe
  C:\Windows\System\dHXmxEy.exe
  2⤵
  PID:6968
- C:\Windows\System\jVXTGAC.exe
  C:\Windows\System\jVXTGAC.exe
  2⤵
  PID:6996
- C:\Windows\System\kXhPyCH.exe
  C:\Windows\System\kXhPyCH.exe
  2⤵
  PID:7028
- C:\Windows\System\LMYHemG.exe
  C:\Windows\System\LMYHemG.exe
  2⤵
  PID:7056
- C:\Windows\System\aKhVXXr.exe
  C:\Windows\System\aKhVXXr.exe
  2⤵
  PID:7084
- C:\Windows\System\jjhHcRW.exe
  C:\Windows\System\jjhHcRW.exe
  2⤵
  PID:7112
- C:\Windows\System\PqKPUDO.exe
  C:\Windows\System\PqKPUDO.exe
  2⤵
  PID:7140
- C:\Windows\System\jmiZJIi.exe
  C:\Windows\System\jmiZJIi.exe
  2⤵
  PID:6124
- C:\Windows\System\ZHLYOIk.exe
  C:\Windows\System\ZHLYOIk.exe
  2⤵
  PID:6224
- C:\Windows\System\aQAmUwy.exe
  C:\Windows\System\aQAmUwy.exe
  2⤵
  PID:6272
- C:\Windows\System\oIHqPkh.exe
  C:\Windows\System\oIHqPkh.exe
  2⤵
  PID:6376
- C:\Windows\System\mONROvG.exe
  C:\Windows\System\mONROvG.exe
  2⤵
  PID:6424
- C:\Windows\System\WjIlxGO.exe
  C:\Windows\System\WjIlxGO.exe
  2⤵
  PID:6492
- C:\Windows\System\gfRATEL.exe
  C:\Windows\System\gfRATEL.exe
  2⤵
  PID:6696
- C:\Windows\System\RYhywzQ.exe
  C:\Windows\System\RYhywzQ.exe
  2⤵
  PID:6716
- C:\Windows\System\ZzzkMgx.exe
  C:\Windows\System\ZzzkMgx.exe
  2⤵
  PID:6792
- C:\Windows\System\dHiMmeZ.exe
  C:\Windows\System\dHiMmeZ.exe
  2⤵
  PID:6880
- C:\Windows\System\aJdVeIZ.exe
  C:\Windows\System\aJdVeIZ.exe
  2⤵
  PID:6924
- C:\Windows\System\kYSELEw.exe
  C:\Windows\System\kYSELEw.exe
  2⤵
  PID:6988
- C:\Windows\System\qTaMQpG.exe
  C:\Windows\System\qTaMQpG.exe
  2⤵
  PID:7016
- C:\Windows\System\yttttcy.exe
  C:\Windows\System\yttttcy.exe
  2⤵
  PID:7080
- C:\Windows\System\BTBArdi.exe
  C:\Windows\System\BTBArdi.exe
  2⤵
  PID:7152
- C:\Windows\System\cjRkXXF.exe
  C:\Windows\System\cjRkXXF.exe
  2⤵
  PID:6184
- C:\Windows\System\McfEnYq.exe
  C:\Windows\System\McfEnYq.exe
  2⤵
  PID:6368
- C:\Windows\System\dWbXuGV.exe
  C:\Windows\System\dWbXuGV.exe
  2⤵
  PID:6548
- C:\Windows\System\LIvUfSc.exe
  C:\Windows\System\LIvUfSc.exe
  2⤵
  PID:6840
- C:\Windows\System\MrntpWj.exe
  C:\Windows\System\MrntpWj.exe
  2⤵
  PID:7020
- C:\Windows\System\RbaNdzd.exe
  C:\Windows\System\RbaNdzd.exe
  2⤵
  PID:7164
- C:\Windows\System\nACFanE.exe
  C:\Windows\System\nACFanE.exe
  2⤵
  PID:6428
- C:\Windows\System\ikXOCPe.exe
  C:\Windows\System\ikXOCPe.exe
  2⤵
  PID:7188
- C:\Windows\System\egauSIP.exe
  C:\Windows\System\egauSIP.exe
  2⤵
  PID:7208
- C:\Windows\System\JMxDrzL.exe
  C:\Windows\System\JMxDrzL.exe
  2⤵
  PID:7232
- C:\Windows\System\enqxwAR.exe
  C:\Windows\System\enqxwAR.exe
  2⤵
  PID:7272
- C:\Windows\System\owlSYIr.exe
  C:\Windows\System\owlSYIr.exe
  2⤵
  PID:7288
- C:\Windows\System\rxooEDj.exe
  C:\Windows\System\rxooEDj.exe
  2⤵
  PID:7320
- C:\Windows\System\QdjBYQN.exe
  C:\Windows\System\QdjBYQN.exe
  2⤵
  PID:7356
- C:\Windows\System\BBbEdCq.exe
  C:\Windows\System\BBbEdCq.exe
  2⤵
  PID:7388
- C:\Windows\System\qglNvjh.exe
  C:\Windows\System\qglNvjh.exe
  2⤵
  PID:7412
- C:\Windows\System\eACQZxI.exe
  C:\Windows\System\eACQZxI.exe
  2⤵
  PID:7448
- C:\Windows\System\MgVWdkM.exe
  C:\Windows\System\MgVWdkM.exe
  2⤵
  PID:7480
- C:\Windows\System\GCcXIze.exe
  C:\Windows\System\GCcXIze.exe
  2⤵
  PID:7512
- C:\Windows\System\tVrXeXQ.exe
  C:\Windows\System\tVrXeXQ.exe
  2⤵
  PID:7544
- C:\Windows\System\qsBwyJc.exe
  C:\Windows\System\qsBwyJc.exe
  2⤵
  PID:7572
- C:\Windows\System\TOzugPd.exe
  C:\Windows\System\TOzugPd.exe
  2⤵
  PID:7600
- C:\Windows\System\NDXPwfG.exe
  C:\Windows\System\NDXPwfG.exe
  2⤵
  PID:7656
- C:\Windows\System\lymsjjL.exe
  C:\Windows\System\lymsjjL.exe
  2⤵
  PID:7692
- C:\Windows\System\LySMNdU.exe
  C:\Windows\System\LySMNdU.exe
  2⤵
  PID:7716
- C:\Windows\System\ULgAUfg.exe
  C:\Windows\System\ULgAUfg.exe
  2⤵
  PID:7760
- C:\Windows\System\HfxVhKW.exe
  C:\Windows\System\HfxVhKW.exe
  2⤵
  PID:7800
- C:\Windows\System\VlHEmgg.exe
  C:\Windows\System\VlHEmgg.exe
  2⤵
  PID:7832
- C:\Windows\System\BGZIwJw.exe
  C:\Windows\System\BGZIwJw.exe
  2⤵
  PID:7860
- C:\Windows\System\jHcmyRS.exe
  C:\Windows\System\jHcmyRS.exe
  2⤵
  PID:7904
- C:\Windows\System\cQemdeI.exe
  C:\Windows\System\cQemdeI.exe
  2⤵
  PID:7948
- C:\Windows\System\fnkqlQB.exe
  C:\Windows\System\fnkqlQB.exe
  2⤵
  PID:7984
- C:\Windows\System\QKabuuu.exe
  C:\Windows\System\QKabuuu.exe
  2⤵
  PID:8028
- C:\Windows\System\BktugEA.exe
  C:\Windows\System\BktugEA.exe
  2⤵
  PID:8044
- C:\Windows\System\seuPOdX.exe
  C:\Windows\System\seuPOdX.exe
  2⤵
  PID:8100
- C:\Windows\System\PPNiSWO.exe
  C:\Windows\System\PPNiSWO.exe
  2⤵
  PID:8128
- C:\Windows\System\KzjSBqb.exe
  C:\Windows\System\KzjSBqb.exe
  2⤵
  PID:8156
- C:\Windows\System\sclYNZI.exe
  C:\Windows\System\sclYNZI.exe
  2⤵
  PID:8172
- C:\Windows\System\FCVktiG.exe
  C:\Windows\System\FCVktiG.exe
  2⤵
  PID:6580
- C:\Windows\System\eogdOQf.exe
  C:\Windows\System\eogdOQf.exe
  2⤵
  PID:7196
- C:\Windows\System\SkfAMoO.exe
  C:\Windows\System\SkfAMoO.exe
  2⤵
  PID:7256
- C:\Windows\System\cHrFDRB.exe
  C:\Windows\System\cHrFDRB.exe
  2⤵
  PID:7284
- C:\Windows\System\okiYsAh.exe
  C:\Windows\System\okiYsAh.exe
  2⤵
  PID:7408
- C:\Windows\System\yHLCclN.exe
  C:\Windows\System\yHLCclN.exe
  2⤵
  PID:7048
- C:\Windows\System\SaCyWex.exe
  C:\Windows\System\SaCyWex.exe
  2⤵
  PID:7464
- C:\Windows\System\RutNyJz.exe
  C:\Windows\System\RutNyJz.exe
  2⤵
  PID:7556
- C:\Windows\System\aFGpZgj.exe
  C:\Windows\System\aFGpZgj.exe
  2⤵
  PID:7712
- C:\Windows\System\QMQctCq.exe
  C:\Windows\System\QMQctCq.exe
  2⤵
  PID:7792
- C:\Windows\System\tvygMrP.exe
  C:\Windows\System\tvygMrP.exe
  2⤵
  PID:7900
- C:\Windows\System\ttIoqVq.exe
  C:\Windows\System\ttIoqVq.exe
  2⤵
  PID:7980
- C:\Windows\System\kUKqEbq.exe
  C:\Windows\System\kUKqEbq.exe
  2⤵
  PID:8056
- C:\Windows\System\KSJbnlc.exe
  C:\Windows\System\KSJbnlc.exe
  2⤵
  PID:8112
- C:\Windows\System\nttrFWj.exe
  C:\Windows\System\nttrFWj.exe
  2⤵
  PID:8184
- C:\Windows\System\oIfLGSu.exe
  C:\Windows\System\oIfLGSu.exe
  2⤵
  PID:7260
- C:\Windows\System\zhwFclk.exe
  C:\Windows\System\zhwFclk.exe
  2⤵
  PID:7400
- C:\Windows\System\xeTbwZj.exe
  C:\Windows\System\xeTbwZj.exe
  2⤵
  PID:7560
- C:\Windows\System\ajOUnJY.exe
  C:\Windows\System\ajOUnJY.exe
  2⤵
  PID:7820
- C:\Windows\System\CgTHcDZ.exe
  C:\Windows\System\CgTHcDZ.exe
  2⤵
  PID:8096
- C:\Windows\System\nGWTDTu.exe
  C:\Windows\System\nGWTDTu.exe
  2⤵
  PID:7184
- C:\Windows\System\gsHajpC.exe
  C:\Windows\System\gsHajpC.exe
  2⤵
  PID:7612
- C:\Windows\System\NZazfVZ.exe
  C:\Windows\System\NZazfVZ.exe
  2⤵
  PID:8140
- C:\Windows\System\CEcrzeZ.exe
  C:\Windows\System\CEcrzeZ.exe
  2⤵
  PID:7932
- C:\Windows\System\GyrJzVN.exe
  C:\Windows\System\GyrJzVN.exe
  2⤵
  PID:7488
- C:\Windows\System\mYvkpgt.exe
  C:\Windows\System\mYvkpgt.exe
  2⤵
  PID:8220
- C:\Windows\System\fgkXkqx.exe
  C:\Windows\System\fgkXkqx.exe
  2⤵
  PID:8248
- C:\Windows\System\hhsrUJN.exe
  C:\Windows\System\hhsrUJN.exe
  2⤵
  PID:8280
- C:\Windows\System\XupiHHB.exe
  C:\Windows\System\XupiHHB.exe
  2⤵
  PID:8308
- C:\Windows\System\DJPgGbU.exe
  C:\Windows\System\DJPgGbU.exe
  2⤵
  PID:8336
- C:\Windows\System\mqDNerb.exe
  C:\Windows\System\mqDNerb.exe
  2⤵
  PID:8364
- C:\Windows\System\VjNrXrb.exe
  C:\Windows\System\VjNrXrb.exe
  2⤵
  PID:8392
- C:\Windows\System\JpeyeTi.exe
  C:\Windows\System\JpeyeTi.exe
  2⤵
  PID:8420
- C:\Windows\System\hnRZFJu.exe
  C:\Windows\System\hnRZFJu.exe
  2⤵
  PID:8448
- C:\Windows\System\vbRuZoi.exe
  C:\Windows\System\vbRuZoi.exe
  2⤵
  PID:8476
- C:\Windows\System\MeqFWJp.exe
  C:\Windows\System\MeqFWJp.exe
  2⤵
  PID:8504
- C:\Windows\System\MfWrGHZ.exe
  C:\Windows\System\MfWrGHZ.exe
  2⤵
  PID:8532
- C:\Windows\System\apmwOFs.exe
  C:\Windows\System\apmwOFs.exe
  2⤵
  PID:8560
- C:\Windows\System\OqUYGiS.exe
  C:\Windows\System\OqUYGiS.exe
  2⤵
  PID:8588
- C:\Windows\System\afmzZlk.exe
  C:\Windows\System\afmzZlk.exe
  2⤵
  PID:8616
- C:\Windows\System\OOGShRi.exe
  C:\Windows\System\OOGShRi.exe
  2⤵
  PID:8644
- C:\Windows\System\RvBFrju.exe
  C:\Windows\System\RvBFrju.exe
  2⤵
  PID:8672
- C:\Windows\System\GzGcIlP.exe
  C:\Windows\System\GzGcIlP.exe
  2⤵
  PID:8700
- C:\Windows\System\qcKLkLI.exe
  C:\Windows\System\qcKLkLI.exe
  2⤵
  PID:8728
- C:\Windows\System\svWtrEn.exe
  C:\Windows\System\svWtrEn.exe
  2⤵
  PID:8748
- C:\Windows\System\yFHJjDR.exe
  C:\Windows\System\yFHJjDR.exe
  2⤵
  PID:8784
- C:\Windows\System\odtqovA.exe
  C:\Windows\System\odtqovA.exe
  2⤵
  PID:8808
- C:\Windows\System\rfSiPii.exe
  C:\Windows\System\rfSiPii.exe
  2⤵
  PID:8836
- C:\Windows\System\gpAzzLO.exe
  C:\Windows\System\gpAzzLO.exe
  2⤵
  PID:8868
- C:\Windows\System\WCWMOen.exe
  C:\Windows\System\WCWMOen.exe
  2⤵
  PID:8896
- C:\Windows\System\BVFTmoc.exe
  C:\Windows\System\BVFTmoc.exe
  2⤵
  PID:8924
- C:\Windows\System\jEiPMje.exe
  C:\Windows\System\jEiPMje.exe
  2⤵
  PID:8952
- C:\Windows\System\KVuHJaE.exe
  C:\Windows\System\KVuHJaE.exe
  2⤵
  PID:8980
- C:\Windows\System\yfWdTpP.exe
  C:\Windows\System\yfWdTpP.exe
  2⤵
  PID:9008
- C:\Windows\System\zckgCQR.exe
  C:\Windows\System\zckgCQR.exe
  2⤵
  PID:9036
- C:\Windows\System\sElyebx.exe
  C:\Windows\System\sElyebx.exe
  2⤵
  PID:9064
- C:\Windows\System\QPAUiOT.exe
  C:\Windows\System\QPAUiOT.exe
  2⤵
  PID:9092
- C:\Windows\System\SGTJJPW.exe
  C:\Windows\System\SGTJJPW.exe
  2⤵
  PID:9120
- C:\Windows\System\wtNhREU.exe
  C:\Windows\System\wtNhREU.exe
  2⤵
  PID:9148
- C:\Windows\System\rCkLfAb.exe
  C:\Windows\System\rCkLfAb.exe
  2⤵
  PID:9176
- C:\Windows\System\NiWfMTn.exe
  C:\Windows\System\NiWfMTn.exe
  2⤵
  PID:9204
- C:\Windows\System\Xxgwver.exe
  C:\Windows\System\Xxgwver.exe
  2⤵
  PID:8240
- C:\Windows\System\nUIOKPB.exe
  C:\Windows\System\nUIOKPB.exe
  2⤵
  PID:8268
- C:\Windows\System\uwRaKMb.exe
  C:\Windows\System\uwRaKMb.exe
  2⤵
  PID:8348
- C:\Windows\System\lHnFJzX.exe
  C:\Windows\System\lHnFJzX.exe
  2⤵
  PID:8432
- C:\Windows\System\JNkQaXn.exe
  C:\Windows\System\JNkQaXn.exe
  2⤵
  PID:8488
- C:\Windows\System\WrEEgtw.exe
  C:\Windows\System\WrEEgtw.exe
  2⤵
  PID:8580
- C:\Windows\System\ONaTOwa.exe
  C:\Windows\System\ONaTOwa.exe
  2⤵
  PID:8636
- C:\Windows\System\sbGxNny.exe
  C:\Windows\System\sbGxNny.exe
  2⤵
  PID:8716
- C:\Windows\System\TIecurs.exe
  C:\Windows\System\TIecurs.exe
  2⤵
  PID:8768
- C:\Windows\System\OdegCjj.exe
  C:\Windows\System\OdegCjj.exe
  2⤵
  PID:8832
- C:\Windows\System\LFWNMna.exe
  C:\Windows\System\LFWNMna.exe
  2⤵
  PID:8916
- C:\Windows\System\ggkRcqD.exe
  C:\Windows\System\ggkRcqD.exe
  2⤵
  PID:8944
- C:\Windows\System\lqAoYqw.exe
  C:\Windows\System\lqAoYqw.exe
  2⤵
  PID:9000
- C:\Windows\System\jBXjprH.exe
  C:\Windows\System\jBXjprH.exe
  2⤵
  PID:9088
- C:\Windows\System\cGADCLK.exe
  C:\Windows\System\cGADCLK.exe
  2⤵
  PID:9160
- C:\Windows\System\KiDlPRt.exe
  C:\Windows\System\KiDlPRt.exe
  2⤵
  PID:8260
- C:\Windows\System\QwIziwl.exe
  C:\Windows\System\QwIziwl.exe
  2⤵
  PID:8412
- C:\Windows\System\JGqxnwB.exe
  C:\Windows\System\JGqxnwB.exe
  2⤵
  PID:8576
- C:\Windows\System\hUaLIMd.exe
  C:\Windows\System\hUaLIMd.exe
  2⤵
  PID:8684
- C:\Windows\System\lXPZrlP.exe
  C:\Windows\System\lXPZrlP.exe
  2⤵
  PID:8864
- C:\Windows\System\zOBDwWC.exe
  C:\Windows\System\zOBDwWC.exe
  2⤵
  PID:9020
- C:\Windows\System\cIDNkKn.exe
  C:\Windows\System\cIDNkKn.exe
  2⤵
  PID:9168
- C:\Windows\System\kRSzQfS.exe
  C:\Windows\System\kRSzQfS.exe
  2⤵
  PID:664
- C:\Windows\System\kjfYWHl.exe
  C:\Windows\System\kjfYWHl.exe
  2⤵
  PID:8828
- C:\Windows\System\TlUILSf.exe
  C:\Windows\System\TlUILSf.exe
  2⤵
  PID:8216
- C:\Windows\System\UVYNfCX.exe
  C:\Windows\System\UVYNfCX.exe
  2⤵
  PID:8776
- C:\Windows\System\nColImn.exe
  C:\Windows\System\nColImn.exe
  2⤵
  PID:9228
- C:\Windows\System\zixdVjt.exe
  C:\Windows\System\zixdVjt.exe
  2⤵
  PID:9256
- C:\Windows\System\PKjqEfL.exe
  C:\Windows\System\PKjqEfL.exe
  2⤵
  PID:9284
- C:\Windows\System\BGIRicR.exe
  C:\Windows\System\BGIRicR.exe
  2⤵
  PID:9328
- C:\Windows\System\LMnWwng.exe
  C:\Windows\System\LMnWwng.exe
  2⤵
  PID:9352
- C:\Windows\System\MDTXifs.exe
  C:\Windows\System\MDTXifs.exe
  2⤵
  PID:9388
- C:\Windows\System\MFBZxSi.exe
  C:\Windows\System\MFBZxSi.exe
  2⤵
  PID:9424
- C:\Windows\System\ZjmCDxQ.exe
  C:\Windows\System\ZjmCDxQ.exe
  2⤵
  PID:9452
- C:\Windows\System\kpdczKD.exe
  C:\Windows\System\kpdczKD.exe
  2⤵
  PID:9480
- C:\Windows\System\LtAqaFl.exe
  C:\Windows\System\LtAqaFl.exe
  2⤵
  PID:9508
- C:\Windows\System\PhIhSJW.exe
  C:\Windows\System\PhIhSJW.exe
  2⤵
  PID:9528
- C:\Windows\System\LeYsFrb.exe
  C:\Windows\System\LeYsFrb.exe
  2⤵
  PID:9552
- C:\Windows\System\xkTgURw.exe
  C:\Windows\System\xkTgURw.exe
  2⤵
  PID:9592
- C:\Windows\System\tIqLRWI.exe
  C:\Windows\System\tIqLRWI.exe
  2⤵
  PID:9620
- C:\Windows\System\auTzwox.exe
  C:\Windows\System\auTzwox.exe
  2⤵
  PID:9648
- C:\Windows\System\mGLlXyl.exe
  C:\Windows\System\mGLlXyl.exe
  2⤵
  PID:9676
- C:\Windows\System\HSOcnMb.exe
  C:\Windows\System\HSOcnMb.exe
  2⤵
  PID:9704
- C:\Windows\System\NCQIZeO.exe
  C:\Windows\System\NCQIZeO.exe
  2⤵
  PID:9732
- C:\Windows\System\PgpQgqV.exe
  C:\Windows\System\PgpQgqV.exe
  2⤵
  PID:9760
- C:\Windows\System\KQLucIc.exe
  C:\Windows\System\KQLucIc.exe
  2⤵
  PID:9788
- C:\Windows\System\yHGYSXQ.exe
  C:\Windows\System\yHGYSXQ.exe
  2⤵
  PID:9816
- C:\Windows\System\qCUOXLW.exe
  C:\Windows\System\qCUOXLW.exe
  2⤵
  PID:9844
- C:\Windows\System\sFKgEAA.exe
  C:\Windows\System\sFKgEAA.exe
  2⤵
  PID:9872
- C:\Windows\System\IlXXGyd.exe
  C:\Windows\System\IlXXGyd.exe
  2⤵
  PID:9896
- C:\Windows\System\CdEhckS.exe
  C:\Windows\System\CdEhckS.exe
  2⤵
  PID:9932
- C:\Windows\System\SiRzCjz.exe
  C:\Windows\System\SiRzCjz.exe
  2⤵
  PID:9960
- C:\Windows\System\Tuntipd.exe
  C:\Windows\System\Tuntipd.exe
  2⤵
  PID:9988
- C:\Windows\System\GGdFzrC.exe
  C:\Windows\System\GGdFzrC.exe
  2⤵
  PID:10012
- C:\Windows\System\QkOKIwm.exe
  C:\Windows\System\QkOKIwm.exe
  2⤵
  PID:10036
- C:\Windows\System\JMLLGuA.exe
  C:\Windows\System\JMLLGuA.exe
  2⤵
  PID:10072
- C:\Windows\System\QhczsLW.exe
  C:\Windows\System\QhczsLW.exe
  2⤵
  PID:10100
- C:\Windows\System\jqBYvwv.exe
  C:\Windows\System\jqBYvwv.exe
  2⤵
  PID:10128
- C:\Windows\System\oXHYUdm.exe
  C:\Windows\System\oXHYUdm.exe
  2⤵
  PID:10156
- C:\Windows\System\SlZvOij.exe
  C:\Windows\System\SlZvOij.exe
  2⤵
  PID:10184
- C:\Windows\System\gTOebGR.exe
  C:\Windows\System\gTOebGR.exe
  2⤵
  PID:10212
- C:\Windows\System\YKlmaWZ.exe
  C:\Windows\System\YKlmaWZ.exe
  2⤵
  PID:8992
- C:\Windows\System\mfSQpBD.exe
  C:\Windows\System\mfSQpBD.exe
  2⤵
  PID:9264
- C:\Windows\System\iQrVchY.exe
  C:\Windows\System\iQrVchY.exe
  2⤵
  PID:9344
- C:\Windows\System\ZTNjQUk.exe
  C:\Windows\System\ZTNjQUk.exe
  2⤵
  PID:9408
- C:\Windows\System\ZlYjeho.exe
  C:\Windows\System\ZlYjeho.exe
  2⤵
  PID:9492
- C:\Windows\System\zottpzM.exe
  C:\Windows\System\zottpzM.exe
  2⤵
  PID:9548
- C:\Windows\System\viXiFZY.exe
  C:\Windows\System\viXiFZY.exe
  2⤵
  PID:9612
- C:\Windows\System\PihOsxS.exe
  C:\Windows\System\PihOsxS.exe
  2⤵
  PID:9688
- C:\Windows\System\mMOctKF.exe
  C:\Windows\System\mMOctKF.exe
  2⤵
  PID:9756
- C:\Windows\System\BScuhsg.exe
  C:\Windows\System\BScuhsg.exe
  2⤵
  PID:9784
- C:\Windows\System\nmKIHdS.exe
  C:\Windows\System\nmKIHdS.exe
  2⤵
  PID:9856
- C:\Windows\System\aEsLzHv.exe
  C:\Windows\System\aEsLzHv.exe
  2⤵
  PID:9944
- C:\Windows\System\rqMGiCO.exe
  C:\Windows\System\rqMGiCO.exe
  2⤵
  PID:9996
- C:\Windows\System\EQwfTkL.exe
  C:\Windows\System\EQwfTkL.exe
  2⤵
  PID:10068
- C:\Windows\System\geiiBFk.exe
  C:\Windows\System\geiiBFk.exe
  2⤵
  PID:10140
- C:\Windows\System\JJVKcRB.exe
  C:\Windows\System\JJVKcRB.exe
  2⤵
  PID:10208
- C:\Windows\System\JUwMYOB.exe
  C:\Windows\System\JUwMYOB.exe
  2⤵
  PID:9252
- C:\Windows\System\ZLHCnqP.exe
  C:\Windows\System\ZLHCnqP.exe
  2⤵
  PID:9448
- C:\Windows\System\ctTPhyw.exe
  C:\Windows\System\ctTPhyw.exe
  2⤵
  PID:9588
- C:\Windows\System\jZeQxjk.exe
  C:\Windows\System\jZeQxjk.exe
  2⤵
  PID:9672
- C:\Windows\System\cNmGtMs.exe
  C:\Windows\System\cNmGtMs.exe
  2⤵
  PID:9836
- C:\Windows\System\yltprVO.exe
  C:\Windows\System\yltprVO.exe
  2⤵
  PID:10064
- C:\Windows\System\BLFBtyC.exe
  C:\Windows\System\BLFBtyC.exe
  2⤵
  PID:10180
- C:\Windows\System\cHMulyj.exe
  C:\Windows\System\cHMulyj.exe
  2⤵
  PID:9516
- C:\Windows\System\dBBTDnd.exe
  C:\Windows\System\dBBTDnd.exe
  2⤵
  PID:9880
- C:\Windows\System\cJYCcYY.exe
  C:\Windows\System\cJYCcYY.exe
  2⤵
  PID:10120
- C:\Windows\System\hsNHuee.exe
  C:\Windows\System\hsNHuee.exe
  2⤵
  PID:9640
- C:\Windows\System\gaTOMNt.exe
  C:\Windows\System\gaTOMNt.exe
  2⤵
  PID:9928
- C:\Windows\System\IAhDWxJ.exe
  C:\Windows\System\IAhDWxJ.exe
  2⤵
  PID:10276
- C:\Windows\System\ftsQbJD.exe
  C:\Windows\System\ftsQbJD.exe
  2⤵
  PID:10304
- C:\Windows\System\GCNJfvF.exe
  C:\Windows\System\GCNJfvF.exe
  2⤵
  PID:10340
- C:\Windows\System\DxWGsQb.exe
  C:\Windows\System\DxWGsQb.exe
  2⤵
  PID:10372
- C:\Windows\System\alUZhmv.exe
  C:\Windows\System\alUZhmv.exe
  2⤵
  PID:10412
- C:\Windows\System\UvYVMKo.exe
  C:\Windows\System\UvYVMKo.exe
  2⤵
  PID:10444
- C:\Windows\System\wCOmymp.exe
  C:\Windows\System\wCOmymp.exe
  2⤵
  PID:10472
- C:\Windows\System\jwiOriT.exe
  C:\Windows\System\jwiOriT.exe
  2⤵
  PID:10492
- C:\Windows\System\rLzuYEJ.exe
  C:\Windows\System\rLzuYEJ.exe
  2⤵
  PID:10528
- C:\Windows\System\fsZWVEO.exe
  C:\Windows\System\fsZWVEO.exe
  2⤵
  PID:10548
- C:\Windows\System\gAlztLs.exe
  C:\Windows\System\gAlztLs.exe
  2⤵
  PID:10588
- C:\Windows\System\ZjLbsdQ.exe
  C:\Windows\System\ZjLbsdQ.exe
  2⤵
  PID:10624
- C:\Windows\System\zTdcjxY.exe
  C:\Windows\System\zTdcjxY.exe
  2⤵
  PID:10652
- C:\Windows\System\vpOWbtU.exe
  C:\Windows\System\vpOWbtU.exe
  2⤵
  PID:10668
- C:\Windows\System\mtzguoF.exe
  C:\Windows\System\mtzguoF.exe
  2⤵
  PID:10684
- C:\Windows\System\HJJlNUv.exe
  C:\Windows\System\HJJlNUv.exe
  2⤵
  PID:10716
- C:\Windows\System\YdgJRnI.exe
  C:\Windows\System\YdgJRnI.exe
  2⤵
  PID:10764
- C:\Windows\System\YHGPwPc.exe
  C:\Windows\System\YHGPwPc.exe
  2⤵
  PID:10780
- C:\Windows\System\ZuhaNYQ.exe
  C:\Windows\System\ZuhaNYQ.exe
  2⤵
  PID:10808
- C:\Windows\System\tZqRzdf.exe
  C:\Windows\System\tZqRzdf.exe
  2⤵
  PID:10848
- C:\Windows\System\ZesqGjb.exe
  C:\Windows\System\ZesqGjb.exe
  2⤵
  PID:10876
- C:\Windows\System\MGUtEdd.exe
  C:\Windows\System\MGUtEdd.exe
  2⤵
  PID:10912
- C:\Windows\System\ImYRhGE.exe
  C:\Windows\System\ImYRhGE.exe
  2⤵
  PID:10932
- C:\Windows\System\UrAfkqu.exe
  C:\Windows\System\UrAfkqu.exe
  2⤵
  PID:10956
- C:\Windows\System\WUIhfbm.exe
  C:\Windows\System\WUIhfbm.exe
  2⤵
  PID:10992
- C:\Windows\System\lcweqht.exe
  C:\Windows\System\lcweqht.exe
  2⤵
  PID:11012
- C:\Windows\System\hWffgtk.exe
  C:\Windows\System\hWffgtk.exe
  2⤵
  PID:11032
- C:\Windows\System\cXQJoey.exe
  C:\Windows\System\cXQJoey.exe
  2⤵
  PID:11060
- C:\Windows\System\zdtsnxj.exe
  C:\Windows\System\zdtsnxj.exe
  2⤵
  PID:11100
- C:\Windows\System\nEEavOW.exe
  C:\Windows\System\nEEavOW.exe
  2⤵
  PID:11136
- C:\Windows\System\cYhpeMb.exe
  C:\Windows\System\cYhpeMb.exe
  2⤵
  PID:11164
- C:\Windows\System\wlcVYeG.exe
  C:\Windows\System\wlcVYeG.exe
  2⤵
  PID:11180
- C:\Windows\System\IzxBsBS.exe
  C:\Windows\System\IzxBsBS.exe
  2⤵
  PID:11212
- C:\Windows\System\YuJJIRq.exe
  C:\Windows\System\YuJJIRq.exe
  2⤵
  PID:11248
- C:\Windows\System\GqFRtkv.exe
  C:\Windows\System\GqFRtkv.exe
  2⤵
  PID:10260
- C:\Windows\System\iNquTXn.exe
  C:\Windows\System\iNquTXn.exe
  2⤵
  PID:10320
- C:\Windows\System\sMSlQfM.exe
  C:\Windows\System\sMSlQfM.exe
  2⤵
  PID:2360
- C:\Windows\System\MnzpLCj.exe
  C:\Windows\System\MnzpLCj.exe
  2⤵
  PID:10428
- C:\Windows\System\KHgGpuZ.exe
  C:\Windows\System\KHgGpuZ.exe
  2⤵
  PID:10460
- C:\Windows\System\hzdmcuW.exe
  C:\Windows\System\hzdmcuW.exe
  2⤵
  PID:10540
- C:\Windows\System\ixfsPhX.exe
  C:\Windows\System\ixfsPhX.exe
  2⤵
  PID:10620
- C:\Windows\System\vqtDWdx.exe
  C:\Windows\System\vqtDWdx.exe
  2⤵
  PID:10676
- C:\Windows\System\CZpPcgN.exe
  C:\Windows\System\CZpPcgN.exe
  2⤵
  PID:10708
- C:\Windows\System\wluhPev.exe
  C:\Windows\System\wluhPev.exe
  2⤵
  PID:10804
- C:\Windows\System\KZoxsRU.exe
  C:\Windows\System\KZoxsRU.exe
  2⤵
  PID:10828
- C:\Windows\System\ifcwLVm.exe
  C:\Windows\System\ifcwLVm.exe
  2⤵
  PID:10920
- C:\Windows\System\iOkFOKN.exe
  C:\Windows\System\iOkFOKN.exe
  2⤵
  PID:11028
- C:\Windows\System\qrMadHw.exe
  C:\Windows\System\qrMadHw.exe
  2⤵
  PID:11052
- C:\Windows\System\dHwJVpO.exe
  C:\Windows\System\dHwJVpO.exe
  2⤵
  PID:11176
- C:\Windows\System\hySzElo.exe
  C:\Windows\System\hySzElo.exe
  2⤵
  PID:11236
- C:\Windows\System\ZaiGjGd.exe
  C:\Windows\System\ZaiGjGd.exe
  2⤵
  PID:10380
- C:\Windows\System\xhmqmTY.exe
  C:\Windows\System\xhmqmTY.exe
  2⤵
  PID:10512
- C:\Windows\System\HYlcJHm.exe
  C:\Windows\System\HYlcJHm.exe
  2⤵
  PID:10696
- C:\Windows\System\czQFqqY.exe
  C:\Windows\System\czQFqqY.exe
  2⤵
  PID:10984
- C:\Windows\System\lRlzvXh.exe
  C:\Windows\System\lRlzvXh.exe
  2⤵
  PID:11092
- C:\Windows\System\AyrdfUr.exe
  C:\Windows\System\AyrdfUr.exe
  2⤵
  PID:11156
- C:\Windows\System\woAYmpU.exe
  C:\Windows\System\woAYmpU.exe
  2⤵
  PID:1892
- C:\Windows\System\KPRNMGq.exe
  C:\Windows\System\KPRNMGq.exe
  2⤵
  PID:11268
- C:\Windows\System\jaxtbIm.exe
  C:\Windows\System\jaxtbIm.exe
  2⤵
  PID:11316
- C:\Windows\System\UBnzEVr.exe
  C:\Windows\System\UBnzEVr.exe
  2⤵
  PID:11352
- C:\Windows\System\JUAEfmF.exe
  C:\Windows\System\JUAEfmF.exe
  2⤵
  PID:11388
- C:\Windows\System\BgUVrPi.exe
  C:\Windows\System\BgUVrPi.exe
  2⤵
  PID:11420
- C:\Windows\System\qbzdVQa.exe
  C:\Windows\System\qbzdVQa.exe
  2⤵
  PID:11452
- C:\Windows\System\XuFckgP.exe
  C:\Windows\System\XuFckgP.exe
  2⤵
  PID:11476
- C:\Windows\System\iqkOlBQ.exe
  C:\Windows\System\iqkOlBQ.exe
  2⤵
  PID:11504
- C:\Windows\System\vGQKMzG.exe
  C:\Windows\System\vGQKMzG.exe
  2⤵
  PID:11520
- C:\Windows\System\fssSAnB.exe
  C:\Windows\System\fssSAnB.exe
  2⤵
  PID:11536
- C:\Windows\System\jCrlTNi.exe
  C:\Windows\System\jCrlTNi.exe
  2⤵
  PID:11556
- C:\Windows\System\UaZCDSM.exe
  C:\Windows\System\UaZCDSM.exe
  2⤵
  PID:11584
- C:\Windows\System\KVgokSt.exe
  C:\Windows\System\KVgokSt.exe
  2⤵
  PID:11604
- C:\Windows\System\RNOIUMJ.exe
  C:\Windows\System\RNOIUMJ.exe
  2⤵
  PID:11624
- C:\Windows\System\vGVrWXV.exe
  C:\Windows\System\vGVrWXV.exe
  2⤵
  PID:11664
- C:\Windows\System\mjPncIb.exe
  C:\Windows\System\mjPncIb.exe
  2⤵
  PID:11708
- C:\Windows\System\xBKzEtg.exe
  C:\Windows\System\xBKzEtg.exe
  2⤵
  PID:11736
- C:\Windows\System\WOFJUDY.exe
  C:\Windows\System\WOFJUDY.exe
  2⤵
  PID:11784
- C:\Windows\System\iaikRoA.exe
  C:\Windows\System\iaikRoA.exe
  2⤵
  PID:11832
- C:\Windows\System\vNBmXWi.exe
  C:\Windows\System\vNBmXWi.exe
  2⤵
  PID:11860
- C:\Windows\System\bJLRZHF.exe
  C:\Windows\System\bJLRZHF.exe
  2⤵
  PID:11892
- C:\Windows\System\KgYEcIp.exe
  C:\Windows\System\KgYEcIp.exe
  2⤵
  PID:11920
- C:\Windows\System\qcTEaZW.exe
  C:\Windows\System\qcTEaZW.exe
  2⤵
  PID:11948
- C:\Windows\System\HzMyRVk.exe
  C:\Windows\System\HzMyRVk.exe
  2⤵
  PID:11976
- C:\Windows\System\RUGhJBf.exe
  C:\Windows\System\RUGhJBf.exe
  2⤵
  PID:12004
- C:\Windows\System\nIoJQbh.exe
  C:\Windows\System\nIoJQbh.exe
  2⤵
  PID:12020
- C:\Windows\System\TMMMAWk.exe
  C:\Windows\System\TMMMAWk.exe
  2⤵
  PID:12052
- C:\Windows\System\ZUHIagS.exe
  C:\Windows\System\ZUHIagS.exe
  2⤵
  PID:12076
- C:\Windows\System\TromSbL.exe
  C:\Windows\System\TromSbL.exe
  2⤵
  PID:12104
- C:\Windows\System\trXmoMQ.exe
  C:\Windows\System\trXmoMQ.exe
  2⤵
  PID:12144
- C:\Windows\System\OVYLsqu.exe
  C:\Windows\System\OVYLsqu.exe
  2⤵
  PID:12164
- C:\Windows\System\eirDssY.exe
  C:\Windows\System\eirDssY.exe
  2⤵
  PID:12180
- C:\Windows\System\jtMaaNO.exe
  C:\Windows\System\jtMaaNO.exe
  2⤵
  PID:12220
- C:\Windows\System\xJdDaQS.exe
  C:\Windows\System\xJdDaQS.exe
  2⤵
  PID:12260
- C:\Windows\System\QaCPwHN.exe
  C:\Windows\System\QaCPwHN.exe
  2⤵
  PID:11148
- C:\Windows\System\rsWGYeO.exe
  C:\Windows\System\rsWGYeO.exe
  2⤵
  PID:11324
- C:\Windows\System\XnuNuYi.exe
  C:\Windows\System\XnuNuYi.exe
  2⤵
  PID:11384
- C:\Windows\System\nVcSnCY.exe
  C:\Windows\System\nVcSnCY.exe
  2⤵
  PID:11472
- C:\Windows\System\xwUfMfL.exe
  C:\Windows\System\xwUfMfL.exe
  2⤵
  PID:11532
- C:\Windows\System\DXQalwd.exe
  C:\Windows\System\DXQalwd.exe
  2⤵
  PID:11568
- C:\Windows\System\LjwAVlQ.exe
  C:\Windows\System\LjwAVlQ.exe
  2⤵
  PID:11592
- C:\Windows\System\IaDzYIM.exe
  C:\Windows\System\IaDzYIM.exe
  2⤵
  PID:11776
- C:\Windows\System\QMLDEHL.exe
  C:\Windows\System\QMLDEHL.exe
  2⤵
  PID:11812
- C:\Windows\System\nnHFhTS.exe
  C:\Windows\System\nnHFhTS.exe
  2⤵
  PID:11880
- C:\Windows\System\iPbboBo.exe
  C:\Windows\System\iPbboBo.exe
  2⤵
  PID:11932
- C:\Windows\System\rsWccOU.exe
  C:\Windows\System\rsWccOU.exe
  2⤵
  PID:11996
- C:\Windows\System\qHkpISZ.exe
  C:\Windows\System\qHkpISZ.exe
  2⤵
  PID:12044
- C:\Windows\System\PkIhLCs.exe
  C:\Windows\System\PkIhLCs.exe
  2⤵
  PID:12172
- C:\Windows\System\gNfzwmf.exe
  C:\Windows\System\gNfzwmf.exe
  2⤵
  PID:12200
- C:\Windows\System\nXWsPcM.exe
  C:\Windows\System\nXWsPcM.exe
  2⤵
  PID:12276
- C:\Windows\System\BpoPMbj.exe
  C:\Windows\System\BpoPMbj.exe
  2⤵
  PID:11368
- C:\Windows\System\xXfcAQi.exe
  C:\Windows\System\xXfcAQi.exe
  2⤵
  PID:11496
- C:\Windows\System\BSHngnx.exe
  C:\Windows\System\BSHngnx.exe
  2⤵
  PID:11656
- C:\Windows\System\YYdQYny.exe
  C:\Windows\System\YYdQYny.exe
  2⤵
  PID:3608
- C:\Windows\System\QpvphVp.exe
  C:\Windows\System\QpvphVp.exe
  2⤵
  PID:11912
- C:\Windows\System\lTUDHeP.exe
  C:\Windows\System\lTUDHeP.exe
  2⤵
  PID:12092
- C:\Windows\System\dIGVPMf.exe
  C:\Windows\System\dIGVPMf.exe
  2⤵
  PID:12152
- C:\Windows\System\EaNukXk.exe
  C:\Windows\System\EaNukXk.exe
  2⤵
  PID:11448
- C:\Windows\System\QuUoFUK.exe
  C:\Windows\System\QuUoFUK.exe
  2⤵
  PID:11856
- C:\Windows\System\sWAFAQC.exe
  C:\Windows\System\sWAFAQC.exe
  2⤵
  PID:12232
- C:\Windows\System\UqEpmPG.exe
  C:\Windows\System\UqEpmPG.exe
  2⤵
  PID:11636
- C:\Windows\System\urHlYyp.exe
  C:\Windows\System\urHlYyp.exe
  2⤵
  PID:11764
- C:\Windows\System\zVSrtyH.exe
  C:\Windows\System\zVSrtyH.exe
  2⤵
  PID:11440
- C:\Windows\System\eyNWHvo.exe
  C:\Windows\System\eyNWHvo.exe
  2⤵
  PID:12204
- C:\Windows\System\nWlwvCo.exe
  C:\Windows\System\nWlwvCo.exe
  2⤵
  PID:12308
- C:\Windows\System\qZgBJHO.exe
  C:\Windows\System\qZgBJHO.exe
  2⤵
  PID:12336
- C:\Windows\System\UsDaUIe.exe
  C:\Windows\System\UsDaUIe.exe
  2⤵
  PID:12364
- C:\Windows\System\eIzPZRf.exe
  C:\Windows\System\eIzPZRf.exe
  2⤵
  PID:12400
- C:\Windows\System\snGFFyp.exe
  C:\Windows\System\snGFFyp.exe
  2⤵
  PID:12424
- C:\Windows\System\CHqAgtB.exe
  C:\Windows\System\CHqAgtB.exe
  2⤵
  PID:12456
- C:\Windows\System\vhRSnRG.exe
  C:\Windows\System\vhRSnRG.exe
  2⤵
  PID:12484
- C:\Windows\System\aMCwcGw.exe
  C:\Windows\System\aMCwcGw.exe
  2⤵
  PID:12512
- C:\Windows\System\yDqSCos.exe
  C:\Windows\System\yDqSCos.exe
  2⤵
  PID:12540
- C:\Windows\System\lKxulpD.exe
  C:\Windows\System\lKxulpD.exe
  2⤵
  PID:12556
- C:\Windows\System\SXshOdA.exe
  C:\Windows\System\SXshOdA.exe
  2⤵
  PID:12592
- C:\Windows\System\BorauGL.exe
  C:\Windows\System\BorauGL.exe
  2⤵
  PID:12612
- C:\Windows\System\xyHgEwq.exe
  C:\Windows\System\xyHgEwq.exe
  2⤵
  PID:12648
- C:\Windows\System\IyOHMKb.exe
  C:\Windows\System\IyOHMKb.exe
  2⤵
  PID:12680
- C:\Windows\System\tPTNXBs.exe
  C:\Windows\System\tPTNXBs.exe
  2⤵
  PID:12708
- C:\Windows\System\idmwTep.exe
  C:\Windows\System\idmwTep.exe
  2⤵
  PID:12724
- C:\Windows\System\DyjGJeo.exe
  C:\Windows\System\DyjGJeo.exe
  2⤵
  PID:12764
- C:\Windows\System\yAIafnp.exe
  C:\Windows\System\yAIafnp.exe
  2⤵
  PID:12780
- C:\Windows\System\Dqbqaqs.exe
  C:\Windows\System\Dqbqaqs.exe
  2⤵
  PID:12816
- C:\Windows\System\WkDjUrU.exe
  C:\Windows\System\WkDjUrU.exe
  2⤵
  PID:12848
- C:\Windows\System\QwMbiOu.exe
  C:\Windows\System\QwMbiOu.exe
  2⤵
  PID:12876
- C:\Windows\System\GdvHNMD.exe
  C:\Windows\System\GdvHNMD.exe
  2⤵
  PID:12904
- C:\Windows\System\feLLKXF.exe
  C:\Windows\System\feLLKXF.exe
  2⤵
  PID:12932
- C:\Windows\System\sdraWgN.exe
  C:\Windows\System\sdraWgN.exe
  2⤵
  PID:12960
- C:\Windows\System\lzcsdSK.exe
  C:\Windows\System\lzcsdSK.exe
  2⤵
  PID:12988
- C:\Windows\System\TWuHfXA.exe
  C:\Windows\System\TWuHfXA.exe
  2⤵
  PID:13008
- C:\Windows\System\YMClCLn.exe
  C:\Windows\System\YMClCLn.exe
  2⤵
  PID:13044
- C:\Windows\System\sANBjIn.exe
  C:\Windows\System\sANBjIn.exe
  2⤵
  PID:13076
- C:\Windows\System\UAAQXvB.exe
  C:\Windows\System\UAAQXvB.exe
  2⤵
  PID:13120
- C:\Windows\System\ehstFVL.exe
  C:\Windows\System\ehstFVL.exe
  2⤵
  PID:13136
- C:\Windows\System\uafCQOe.exe
  C:\Windows\System\uafCQOe.exe
  2⤵
  PID:13164
- C:\Windows\System\nMmpRvr.exe
  C:\Windows\System\nMmpRvr.exe
  2⤵
  PID:13192
- C:\Windows\System\NmZbHYe.exe
  C:\Windows\System\NmZbHYe.exe
  2⤵
  PID:13216
- C:\Windows\System\rTBDczt.exe
  C:\Windows\System\rTBDczt.exe
  2⤵
  PID:13248
- C:\Windows\System\smMjtjn.exe
  C:\Windows\System\smMjtjn.exe
  2⤵
  PID:13276
- C:\Windows\System\sUTibmI.exe
  C:\Windows\System\sUTibmI.exe
  2⤵
  PID:13292
- C:\Windows\System\ZdmFYRX.exe
  C:\Windows\System\ZdmFYRX.exe
  2⤵
  PID:12316
- C:\Windows\System\lAbBZvx.exe
  C:\Windows\System\lAbBZvx.exe
  2⤵
  PID:12396
- C:\Windows\System\crFdrAh.exe
  C:\Windows\System\crFdrAh.exe
  2⤵
  PID:12468
- C:\Windows\System\HKVatTN.exe
  C:\Windows\System\HKVatTN.exe
  2⤵
  PID:12524
- C:\Windows\System\rZAlkYF.exe
  C:\Windows\System\rZAlkYF.exe
  2⤵
  PID:12576
- C:\Windows\System\TNLazIG.exe
  C:\Windows\System\TNLazIG.exe
  2⤵
  PID:12624
- C:\Windows\System\ZskvOzG.exe
  C:\Windows\System\ZskvOzG.exe
  2⤵
  PID:12704
- C:\Windows\System\GXNomDD.exe
  C:\Windows\System\GXNomDD.exe
  2⤵
  PID:12772
- C:\Windows\System\XNJwqdS.exe
  C:\Windows\System\XNJwqdS.exe
  2⤵
  PID:12840
- C:\Windows\System\WJdxQIq.exe
  C:\Windows\System\WJdxQIq.exe
  2⤵
  PID:12900
- C:\Windows\System\VBehUGw.exe
  C:\Windows\System\VBehUGw.exe
  2⤵
  PID:13040
- C:\Windows\System\besqWUw.exe
  C:\Windows\System\besqWUw.exe
  2⤵
  PID:13092
- C:\Windows\System\gEYNgux.exe
  C:\Windows\System\gEYNgux.exe
  2⤵
  PID:13148
- C:\Windows\System\aEmqJVn.exe
  C:\Windows\System\aEmqJVn.exe
  2⤵
  PID:13208
- C:\Windows\System\eizmjfm.exe
  C:\Windows\System\eizmjfm.exe
  2⤵
  PID:13288
- C:\Windows\System\wTvdTSD.exe
  C:\Windows\System\wTvdTSD.exe
  2⤵
  PID:4808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjygn0yx.r5e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AHDHEOE.exe

Filesize
3.4MB

MD5
ee54c51ae7a2a398cdecf2060ee9edc7

SHA1
946300e743409f440f066e5e81082f70204111b5

SHA256
972c5e1c72069a09b535878158a540feb571e5520ea8b4f6f03dc185c6386a01

SHA512
b1a4ef60a9a433a16672f414988f383309c39582a5be79131dcbf7c4725135fbc99e21ee6b39dcda6176a7f453081062a0acfaf5c12f8a3d6f45a0c5e2a4964f

Download Submit
C:\Windows\System\CLNXffS.exe

Filesize
3.4MB

MD5
8e1537d232a6e6872fc2c398195e7123

SHA1
72121d77cc7bd65db317a866f01b309f065e3b4d

SHA256
53d01e05ea545cee14d65774074f340b5cfbaa4549f07a63a948506f07368eb5

SHA512
dbdff6addbc67ed4182cfc297331e568d56759fb166a6d46023c2f80ae63df67ac0568e6aaa2d4e1ebf4dba2c53725ae2a26b7c8861b46bc67ae2de09622f860

Download Submit
C:\Windows\System\DSwrQwe.exe

Filesize
3.4MB

MD5
30b605cc47e3d19614851ee909fbb88c

SHA1
cf178e8969fb1d48f6247356d9810da4e6ee0b78

SHA256
6fedc943a9aa87739772d135e10cc7e7ce3ec09e08397a8667bd70d365ef5b00

SHA512
f8ceea2b694f34f2cbbe918420803e32059d4feba80a9c98bd0e80548c2fb4726f8ce782bf5d302c88d01612fc5dbbc3869594117761f1c5f84512972db5f5b1

Download Submit
C:\Windows\System\DcbgbSL.exe

Filesize
3.4MB

MD5
f3bbb0f3b2d749efef7dacf109d99913

SHA1
086d2ed13b2260800aed08ef5f83e8084cea0d78

SHA256
c6fc8bdffdb8b9eccfb960d24992f349f650eac47e6cfa3282c718ab71f6c6b1

SHA512
1ed7fdc9c6f5136b9a1eccd2f4c2431890b86db52817ff3842a12a469da4a8a614ec2cffd381146fea77ab5906fae5fcf92088c49d5aee8f18033ba305e36d25

Download Submit
C:\Windows\System\EocpfzS.exe

Filesize
3.4MB

MD5
78287d07ac3f72587eb93aecfec9616e

SHA1
d8482984e66b5ac40ef473bafb11027e3eabe3b3

SHA256
f5df50441cc3dd2419c7457c970fcc8ac4d5df71fb87255f7d512c2ac0b30c50

SHA512
b2c8fdf26e4dff410cfe454e74866301cc189664792baae2830dd7a3be6d54030f1fbabd36b002d84c8c1ad728cfde31acc36809216c7d3ee62271fa3839b28c

Download Submit
C:\Windows\System\GEFRmEI.exe

Filesize
3.4MB

MD5
d71b5afda54044e5e98573bcdcac8011

SHA1
a62901b3cd4ac7a4c0707d9fdf3b7c96e3e13fee

SHA256
62db6c490fecb23ce91adefbfd0f75d74099ce71b68aa11ee4d08544fb8209b0

SHA512
eebcf3935aab31253b481a33ecfe4587786bc89354e5044d10ac16a6bfb0144d8e3b17d2244ce4d91e15b214b7bdf85f20aecee86e17818953045c4fef5c4191

Download Submit
C:\Windows\System\JWLEEmY.exe

Filesize
3.4MB

MD5
e11de8542a4fc5246d60c1e61ecc697e

SHA1
a11961186edd0e3d580255e789e6916a306d18a9

SHA256
fe81b08d3f90532ce6410bbd76503eb5302198808c7b9553fe73f0c8c1e955aa

SHA512
9bec11ae38f62836545b14a0280948e9b0b54964cba9a5bded20fd9bab2bd3611973fa5dab26763cab6f1fce67339fec780dc698a44032b8d937deb214a65db5

Download Submit
C:\Windows\System\KrojdCZ.exe

Filesize
3.4MB

MD5
18fe533f321ae7942d577540bcb6d3e0

SHA1
b17971d852c8c3f683e3da3aac0d8b0213953d20

SHA256
3bbbf1360392317c18fa04ca3ac3bb552f60b0b2d1b12a1a2a45827ecf139e34

SHA512
807f465520459eb22e0be9e1545cd81927932e1abbfc4a18ed0cd5dd157a93940631810b0fe7184be103f72811472e979822cbfb278248348c181208989c55a8

Download Submit
C:\Windows\System\LjrJdIZ.exe

Filesize
3.4MB

MD5
695be1504b3404760aead6d186cef322

SHA1
6c5061b96ed867ebdbcfd6bc7e3b4e1aba5bd9ba

SHA256
a4cb2ff21b9d4d26fcc1cf988fd48f2129b362de3ccd6cf92b1c88ada054c81d

SHA512
36ae96c06898dc142fcb0e0dcf0c27da0209e174746fcf56fbd1b0a35309c72a1f7b0b7524545133f75e9a3ae1010c9812828450f13ecfd0e57e5d582e7386b4

Download Submit
C:\Windows\System\NwTwiCH.exe

Filesize
3.4MB

MD5
32ae617b47900137d7b4585efd33474f

SHA1
62751606c03ba1187fcfde8be3ccb706ab94a4b7

SHA256
86bf7c0a0cd8e4bc0ba9e0e66cb5a2f0a8b2f3551c8009a065f7fc11fe93b73d

SHA512
ab3fa763270a306af6447e0e058e3f0eddd728cb7465c906e02f789d563a227e940390462684a201bef779d25f15a52eb5d71220db8f9bbc8342cc80d2403d2f

Download Submit
C:\Windows\System\OXjKXzr.exe

Filesize
3.4MB

MD5
9b6a7fb0efb75a71c4d489f641f0e1f6

SHA1
ec9bebc70caa16aeee0efa64c16c92915f3a7653

SHA256
fc03be25230cdf7d1f1ad078f753d7eca56131ab8a9efe7c63ae9a877b41025c

SHA512
1b1acf200f3c353cd1ab77a4d2a4a249575dfa261fae4d0ee6ac92a36a44cdf009193d9501a9a7b853cb9bc54b5be89c1dff0c197cac85d6686781eb2d9a039d

Download Submit
C:\Windows\System\SWGUSpQ.exe

Filesize
3.4MB

MD5
150d96029d2d50ba09fa89f4f2042f2f

SHA1
e3ee60c427a9e7f7758feea4b8c8c8f7fb4d3679

SHA256
8210af17d2a0531ca4eddbb9e89658e3bcd8b750aff159e4242d83adee3972a4

SHA512
696e5f194c0133bc6dd805856bac00085e43f42e04fffdab6cb9ac731db7ebd55fbf505fbeed22f6dcbff4b944e34c8dfb3f802e47c93f54735f8b10ca8636ad

Download Submit
C:\Windows\System\TshCouF.exe

Filesize
3.4MB

MD5
332155cb184e3c47c92cd3a9c5f41bf4

SHA1
1dd560e0086b8e9654ab058cfaaa518c2efdc357

SHA256
ec14606a4f72c7b2824d3a2d4ad5acddc25cd0ca24f986e17544e00f094c797c

SHA512
53497d9888afc6abcc544650f2df349c9a0a92c82af2523593d3d18719d13112e4eac2d560ac5e2b1f4c08a403c2557ea61fa979ac34dd367180c5454162b9b6

Download Submit
C:\Windows\System\VcTDhYI.exe

Filesize
3.4MB

MD5
5937155932e34da421bbe844240fadcc

SHA1
863481fa8d7467782bd20f247cbb31317c9fc4e3

SHA256
8529c18fed0188b2136df82124f1e06546051550fef7b2746ae9cf5c4468ef16

SHA512
af6361a5f31d40efe274a5a771b1af5d42d092c23dd4eaa8d086fa9b1ca7d875b4ffc9158c5bf839cc78491d7a54121a4e79ba420f0a02b3bdb14097622c5405

Download Submit
C:\Windows\System\VlWtvlF.exe

Filesize
3.4MB

MD5
e8dad70353ca5eefbe3dce750e6248ff

SHA1
51f37a37983b794cef046473b39f9b94a4af28e7

SHA256
297dcac64ba918feb52be3190a0783de201b8d4616f922bd05d86e5586bb11e9

SHA512
304d2ce2f2b06ed5cd629ba3bbb33612b4c00f91ff6fd0d418d81b47815f5b9bdfa2745065660b56bb26dab98ca004d48ef77a6de4c6f0faa9d564d141c3effb

Download Submit
C:\Windows\System\WOPMSgm.exe

Filesize
3.4MB

MD5
37a422aa0876bcc95bbc961196e5d713

SHA1
63b1aa53d739877603ec155523d813c451d5d9cd

SHA256
3826620bb45ad3552eb972b01785051e434f14bc06688ae9a7e18fe8a4d65002

SHA512
11ccd8bf7735b3132dfcd007f816671ecc7f6acfd7c7093279d8f8c019fe0728c6ab0d4d6182a354d1c70bdf75433b75507b0316c23b19176bcfb963ff03fae7

Download Submit
C:\Windows\System\WhYqPDj.exe

Filesize
3.4MB

MD5
acd1d262a7426125133e93daf45897b8

SHA1
5d33a28038526791742b99d9d9031afe6bdd5b93

SHA256
24a19398abd5e31b7a0820a74bc6ce1b06e236d7e736153ba095093169f325c7

SHA512
f0bad14930e06d4bf968a9498d060e4c4fb149beff69d5c1f5b40731156a3ee1610342452ae66eaf22d81a384f6cad42af44661f2791da5db27672f906817a9e

Download Submit
C:\Windows\System\XGKnsGv.exe

Filesize
3.4MB

MD5
249c949acbecca4812cab299eb692f9f

SHA1
084be1d88ee699bffa0219c0932a094e91cd4024

SHA256
15009e326d2f072306cd08dd130d681203fa7bef3e4612f7c5debc6c7f3a6b56

SHA512
cc3427d6d10aa46999094235740138d339041ab1af874c43eee5b9c98e0246c20ff961de20585debb7b24607b2243059542771d55f792c07d4da92299aa9673b

Download Submit
C:\Windows\System\ZNDonjr.exe

Filesize
3.4MB

MD5
91646803ef17cf3ec0f5a9015d1da841

SHA1
f01f095d602c90b61ebc4fff259c4069239c4586

SHA256
650a8f96c665deebaf3b34668dcb368e9e4130c0d6d25ad77553ae973993b397

SHA512
e49d7f7d135419f2901d0cd821e56454b54fe2151ea8f1cd034e2e8d14bb507fbd34cf36e699da5e5ec2d6bc93f37267d1e8ca41cbf0a1bfb45dc9b3a4f69991

Download Submit
C:\Windows\System\ZXtbfFw.exe

Filesize
3.4MB

MD5
d207ebf6d01ac09217a53b465d82870b

SHA1
96c426cbaccefccb436036f3abed01ab48e66100

SHA256
ac73e5a06464ef6c8861cb78c196df90255198a2d2843c1c86993d9c46e3dbae

SHA512
f2dfc7c5a925024db639b9c2e27dc68d6b42f1bf48066fb62dc9dbb879734453ad7f054d7d91a625b8648ef9750ba10ca0c8c3f5308accdc6b7934633eed7d44

Download Submit
C:\Windows\System\bZEwtuM.exe

Filesize
3.4MB

MD5
285c37eeb61a6b855417df6dfd282972

SHA1
cf6db7aa75c97190ed6ee06d896987c739f5377c

SHA256
ec6655a5ef33fe2f59ce92a16866e683b0d72bf4276d56bd3c765d6a30a3d231

SHA512
d255e539f66e1d47a8ab107f6cad9cb718b8fe2a67ab5d3966f9b8399d68c3bb5b563291437c1665bb74217beb6c11af45334113bfc0cf3532b21a1bee18dbcd

Download Submit
C:\Windows\System\cDkHrKc.exe

Filesize
3.4MB

MD5
d1abe31b8179822329c0d64ad0201698

SHA1
1ef51c12acbb7c6d73b833b274dcfb366d16b1ea

SHA256
45df9eddc227fa403a101fd10e7236002654291d257f54ef23da5647e05cb82f

SHA512
e7cd33efe7f48adebd7ce8f627509ef49eaaa1008c31fe215815d7506d2e73f44b29e0fa143425f01e1ace113f5e460b5044c2c9380067a4f5d73d74ace2047f

Download Submit
C:\Windows\System\cFywxYI.exe

Filesize
3.4MB

MD5
e06b9538dd670a706b7ff17818e8d748

SHA1
43b5bab819e3a0281554aa854c688712c1e0c028

SHA256
ce85dc92dd5b62827cccaa29e8776ae438ae9167874d2e9338ba7098e59fa00d

SHA512
0e60a174083327eccada9720fd009c5ed50c6a93ae2385485ba74e65a10f7b1ea4a0a82243bb06c84f5bfa09358e2b6d13f0bc3cb020a6c60b2af61e636aacdf

Download Submit
C:\Windows\System\gPepFpn.exe

Filesize
3.4MB

MD5
ee16c5c21b056cd6a8424d0ea8d8f3b9

SHA1
1667582ed5d78ef5b85a94dee4f94e90c804f8a3

SHA256
1ca9d77282053b585d1d5c817ae54a37e29372f4ae7ff49b9e0b221f0d85e175

SHA512
5a76b6cc0cdb33f152b1f1741cc55aa7f9e21fdf3f5a87f264189e77f4959dc7a9dd7aa8b115ada7cc1571fa890526c6775e35b1a8ef4b647d25b1b5cce3c26c

Download Submit
C:\Windows\System\jcblcaP.exe

Filesize
3.4MB

MD5
1b0e2c4a3110dcf9b6c90587e5bdc6af

SHA1
1cce72d2a8bba045dba44e25257265a54f6424e3

SHA256
8c3e576008b0f9f7bca339221d6b254a85e635dd3e3c958d3a6429e8cea9de11

SHA512
f7b371d9b663a0f777be490674f77cab2fc5b90d9ab891a03fdfe04212779c020915f5cb65f505cd48ac44a9e28ecfcf4eaebfb71b4457791089418a01138d1f

Download Submit
C:\Windows\System\kMWJldk.exe

Filesize
3.4MB

MD5
bef77adfeb6bac3427443e068b79921f

SHA1
1e1b46213ee3de3539603b666e3a8ab48fb2f638

SHA256
b5e636ef5239dab4d45117095779129b87a289f3c805e928d879dfc2b78722a6

SHA512
984ca15df8da9b863184d327efac31361503bf85a104510f477072fcd1d3109b133dbd950d97d436ce755513e5deae2dca2c37603871c499da63bd0f867964b1

Download Submit
C:\Windows\System\khmgpdC.exe

Filesize
3.4MB

MD5
070346aaa5831d66898c14ac6deaf705

SHA1
edce87b408fbd35d5865ea59a087ad3f5f230cc5

SHA256
559aa3bcb72a4e4dbc5a69c80a7e8682bb0616eadf7a494328ee7d2086eec6de

SHA512
43ce4f0cab4910cb449231768961ae62cab47fa0a336fc734a19e5f291d0aba9ecaaefa9d988b72b0f23834636b900b5b601f80467e4eed338f53cd26beb9cc6

Download Submit
C:\Windows\System\mkQLgDg.exe

Filesize
3.4MB

MD5
e67f3ea3486de0eb91490d15dd206413

SHA1
3cb630ca6104fb5029d0ec3a28e3651d880ab54c

SHA256
be87bb44be58895f352e6b447fcdfacbbdf35f184d856c040b7761938ba58dc8

SHA512
59e7d1514e04ce57ef2ba35c96fb77b539dafa70b123c8df372abf3b6f2d13d1d1e3b3568fe5c4004e1c3e8357c45f38ee869ca173c22f666090b20b36b65668

Download Submit
C:\Windows\System\pSUxfZj.exe

Filesize
3.4MB

MD5
79cc8564fdc79504fc5f7195128860fd

SHA1
b443cbc6f5f99151930cf7f84881a786bd6c6df2

SHA256
4395174d24a61134d3cd2e1f5c5bb05c9afbc42578487a8cc7b2dac79f751ebc

SHA512
0eb53b31b63ddc450fb15ef97bda446db86660dfb6a9b6820c3999e7364a2577d8a8345b327bb85da2093b8884b6a317ed3c9f4a5f69143cd84fd55305225e5f

Download Submit
C:\Windows\System\poCEKYc.exe

Filesize
3.4MB

MD5
2ce1ce65e4991b63cb53f65b7d5451a4

SHA1
37657aebac8ab3b899153a16d21f6f5b1c120e45

SHA256
15abb249bb09a2443288415dd9a0041eb83af091b92d580d417a768d9d961543

SHA512
76ebc7f7d26e578bd9b9a93bb2c994079ad6c1d9cf55790a2f803819030854ed10d7e8e9497cef72b5eab7fa1fcf7ec668f525bcdf9ca072fcfb6ecaabe1417a

Download Submit
C:\Windows\System\pwqzqbZ.exe

Filesize
8B

MD5
3f9cfe8a165fbe5ed357bf4fb6550d1a

SHA1
d1f76cef8b11f404ce3021901f1968e523167625

SHA256
fe7331c05f745b95f5509c04136ec2be8073cae1c2054bbe90290f3a5e3a1c01

SHA512
7c297d93de1529b68ba232f55d08c5bdfcf13a5c3741f810e605eeec9da08911d3d07e6bd5c21436fbf2be3db2070f19515d3ae2f1e7604c2ff2f34139c616ce

Download Submit
C:\Windows\System\pzxwxVc.exe

Filesize
3.4MB

MD5
221e0bc6ddeafbadc4220f384534efec

SHA1
3bdfada5c0defa2d54ceee8a081f375218e48f18

SHA256
18c16c6bc8106736955c2f6adbd66019acd8008e2279990d982ce72b7ee25633

SHA512
2d3bdfdb88097d92ee68bcc65a198e573c921bf4c49e89b9626bd83bf3cfccd164c045f63c92df05da277b4d2b5d490acd4232cf120a925ddf5be35e03cf64f1

Download Submit
C:\Windows\System\vZgatiy.exe

Filesize
3.4MB

MD5
451d32a45a3c8b67cbd71bcbe1789db5

SHA1
1f86d860d88f7636d27e6d8ed1ccf881abf7739d

SHA256
5d204da9c257e3a2ecce90d7bdab52f8e3f0c6ee5c46f86b40c223caec9ba2ec

SHA512
6e152e5ea8d3d12ebb4e32833b8d7771ec5fdb7330acfd76aef0d4c8bb89e77aa5b852ce6a1fc630af2bd00e7bfca302e93ed65c0f9a0f4d0b7a8fb405160297

Download Submit
C:\Windows\System\xcmzMut.exe

Filesize
3.4MB

MD5
78e237125b06061acd8f308e512e799c

SHA1
6d9238673208d3d31bd94e5ef483ef3b3a778823

SHA256
5b2e1ff7af423fd5c8c9bee48b694a9a7918a3285523779887b5f15ca9f5b559

SHA512
46766a2cebcddbc2e43e685b149a1fcefd663d9d40eb03992889812dedfaf36d2b95fb5e44b9ae231d3296f1db2e6e9c29d8a00221502ce4e85680c2791a9224

Download Submit
memory/116-120-0x00007FF7F5C80000-0x00007FF7F6076000-memory.dmp

Filesize
4.0MB

Download
memory/116-1905-0x00007FF7F5C80000-0x00007FF7F6076000-memory.dmp

Filesize
4.0MB

Download
memory/316-122-0x00007FF60A840000-0x00007FF60AC36000-memory.dmp

Filesize
4.0MB

Download
memory/316-1920-0x00007FF60A840000-0x00007FF60AC36000-memory.dmp

Filesize
4.0MB

Download
memory/884-1904-0x00007FF712240000-0x00007FF712636000-memory.dmp

Filesize
4.0MB

Download
memory/884-15-0x00007FF712240000-0x00007FF712636000-memory.dmp

Filesize
4.0MB

Download
memory/976-1937-0x00007FF6F9840000-0x00007FF6F9C36000-memory.dmp

Filesize
4.0MB

Download
memory/976-187-0x00007FF6F9840000-0x00007FF6F9C36000-memory.dmp

Filesize
4.0MB

Download
memory/1308-156-0x00007FF6AB3E0000-0x00007FF6AB7D6000-memory.dmp

Filesize
4.0MB

Download
memory/1308-1934-0x00007FF6AB3E0000-0x00007FF6AB7D6000-memory.dmp

Filesize
4.0MB

Download
memory/1308-1922-0x00007FF6AB3E0000-0x00007FF6AB7D6000-memory.dmp

Filesize
4.0MB

Download
memory/1348-1915-0x00007FF7A8600000-0x00007FF7A89F6000-memory.dmp

Filesize
4.0MB

Download
memory/1348-116-0x00007FF7A8600000-0x00007FF7A89F6000-memory.dmp

Filesize
4.0MB

Download
memory/1908-118-0x00007FF70BBF0000-0x00007FF70BFE6000-memory.dmp

Filesize
4.0MB

Download
memory/1908-1919-0x00007FF70BBF0000-0x00007FF70BFE6000-memory.dmp

Filesize
4.0MB

Download
memory/2044-148-0x00007FF65DF70000-0x00007FF65E366000-memory.dmp

Filesize
4.0MB

Download
memory/2044-1932-0x00007FF65DF70000-0x00007FF65E366000-memory.dmp

Filesize
4.0MB

Download
memory/2120-75-0x00007FF60C6C0000-0x00007FF60CAB6000-memory.dmp

Filesize
4.0MB

Download
memory/2120-1910-0x00007FF60C6C0000-0x00007FF60CAB6000-memory.dmp

Filesize
4.0MB

Download
memory/2364-109-0x00007FF697F00000-0x00007FF6982F6000-memory.dmp

Filesize
4.0MB

Download
memory/2364-1908-0x00007FF697F00000-0x00007FF6982F6000-memory.dmp

Filesize
4.0MB

Download
memory/2508-179-0x00007FF7112C0000-0x00007FF7116B6000-memory.dmp

Filesize
4.0MB

Download
memory/2508-1933-0x00007FF7112C0000-0x00007FF7116B6000-memory.dmp

Filesize
4.0MB

Download
memory/2752-1917-0x00007FF7516D0000-0x00007FF751AC6000-memory.dmp

Filesize
4.0MB

Download
memory/2752-112-0x00007FF7516D0000-0x00007FF751AC6000-memory.dmp

Filesize
4.0MB

Download
memory/2916-1-0x00000261F8FB0000-0x00000261F8FC0000-memory.dmp

Filesize
64KB

Download
memory/2916-0-0x00007FF7F1370000-0x00007FF7F1766000-memory.dmp

Filesize
4.0MB

Download
memory/3076-93-0x00007FFBD35A0000-0x00007FFBD4061000-memory.dmp

Filesize
10.8MB

Download
memory/3076-16-0x00007FFBD35A3000-0x00007FFBD35A5000-memory.dmp

Filesize
8KB

Download
memory/3076-698-0x0000017EF04A0000-0x0000017EF0C46000-memory.dmp

Filesize
7.6MB

Download
memory/3076-1723-0x00007FFBD35A0000-0x00007FFBD4061000-memory.dmp

Filesize
10.8MB

Download
memory/3076-66-0x00007FFBD35A0000-0x00007FFBD4061000-memory.dmp

Filesize
10.8MB

Download
memory/3076-1903-0x00007FFBD35A3000-0x00007FFBD35A5000-memory.dmp

Filesize
8KB

Download
memory/3076-1931-0x00007FFBD35A0000-0x00007FFBD4061000-memory.dmp

Filesize
10.8MB

Download
memory/3076-114-0x0000017EEF840000-0x0000017EEF862000-memory.dmp

Filesize
136KB

Download
memory/3144-115-0x00007FF7028D0000-0x00007FF702CC6000-memory.dmp

Filesize
4.0MB

Download
memory/3144-1912-0x00007FF7028D0000-0x00007FF702CC6000-memory.dmp

Filesize
4.0MB

Download
memory/3188-1906-0x00007FF60BF60000-0x00007FF60C356000-memory.dmp

Filesize
4.0MB

Download
memory/3188-119-0x00007FF60BF60000-0x00007FF60C356000-memory.dmp

Filesize
4.0MB

Download
memory/4268-1918-0x00007FF685690000-0x00007FF685A86000-memory.dmp

Filesize
4.0MB

Download
memory/4268-121-0x00007FF685690000-0x00007FF685A86000-memory.dmp

Filesize
4.0MB

Download
memory/4444-196-0x00007FF612450000-0x00007FF612846000-memory.dmp

Filesize
4.0MB

Download
memory/4444-1936-0x00007FF612450000-0x00007FF612846000-memory.dmp

Filesize
4.0MB

Download
memory/4452-157-0x00007FF601BC0000-0x00007FF601FB6000-memory.dmp

Filesize
4.0MB

Download
memory/4452-1935-0x00007FF601BC0000-0x00007FF601FB6000-memory.dmp

Filesize
4.0MB

Download
memory/4788-1907-0x00007FF77D290000-0x00007FF77D686000-memory.dmp

Filesize
4.0MB

Download
memory/4788-76-0x00007FF77D290000-0x00007FF77D686000-memory.dmp

Filesize
4.0MB

Download
memory/4796-98-0x00007FF7B4AE0000-0x00007FF7B4ED6000-memory.dmp

Filesize
4.0MB

Download
memory/4796-1913-0x00007FF7B4AE0000-0x00007FF7B4ED6000-memory.dmp

Filesize
4.0MB

Download
memory/4832-110-0x00007FF778990000-0x00007FF778D86000-memory.dmp

Filesize
4.0MB

Download
memory/4832-1909-0x00007FF778990000-0x00007FF778D86000-memory.dmp

Filesize
4.0MB

Download
memory/4836-117-0x00007FF7F4940000-0x00007FF7F4D36000-memory.dmp

Filesize
4.0MB

Download
memory/4836-1921-0x00007FF7F4940000-0x00007FF7F4D36000-memory.dmp

Filesize
4.0MB

Download
memory/4952-111-0x00007FF64BF70000-0x00007FF64C366000-memory.dmp

Filesize
4.0MB

Download
memory/4952-1914-0x00007FF64BF70000-0x00007FF64C366000-memory.dmp

Filesize
4.0MB

Download
memory/4960-1916-0x00007FF606B10000-0x00007FF606F06000-memory.dmp

Filesize
4.0MB

Download
memory/4960-113-0x00007FF606B10000-0x00007FF606F06000-memory.dmp

Filesize
4.0MB

Download
memory/5092-1911-0x00007FF783260000-0x00007FF783656000-memory.dmp

Filesize
4.0MB

Download
memory/5092-99-0x00007FF783260000-0x00007FF783656000-memory.dmp

Filesize
4.0MB

Download