xmrig | 69533ff382566c6dadba66e0436bf651a048e0a7551b9c521999799f3c20600e

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a88c1dfd64b12ad881aee58002e08ec0N.exe
Size

1.9MB
MD5

a88c1dfd64b12ad881aee58002e08ec0
SHA1

334d32beaf4a8c6be68444601400e87e8359c832
SHA256

69533ff382566c6dadba66e0436bf651a048e0a7551b9c521999799f3c20600e
SHA512

0116a8f595637f16226027f25f3954e4d8142c44a312e363fc56d26cd4689f9e1a1d698f74aee4a12063b77adabe524f50844a3c7bd74a6acd931d44074bdbe3
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkFfkeMlNIZbElhzBXeCnfJCwCc4MAKFpMloooIX3Gt:Lz071uv4BPMkFfdgIZohteLMxRwWYC1N

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/5028-58-0x00007FF710110000-0x00007FF710502000-memory.dmp	xmrig
behavioral2/memory/32-59-0x00007FF654BD0000-0x00007FF654FC2000-memory.dmp	xmrig
behavioral2/memory/868-460-0x00007FF6AAC70000-0x00007FF6AB062000-memory.dmp	xmrig
behavioral2/memory/3368-474-0x00007FF6955A0000-0x00007FF695992000-memory.dmp	xmrig
behavioral2/memory/2912-505-0x00007FF668670000-0x00007FF668A62000-memory.dmp	xmrig
behavioral2/memory/4364-499-0x00007FF684D70000-0x00007FF685162000-memory.dmp	xmrig
behavioral2/memory/4228-492-0x00007FF61A350000-0x00007FF61A742000-memory.dmp	xmrig
behavioral2/memory/2372-482-0x00007FF60EAD0000-0x00007FF60EEC2000-memory.dmp	xmrig
behavioral2/memory/5036-473-0x00007FF7CE4C0000-0x00007FF7CE8B2000-memory.dmp	xmrig
behavioral2/memory/3532-464-0x00007FF759A90000-0x00007FF759E82000-memory.dmp	xmrig
behavioral2/memory/1520-457-0x00007FF6EAC10000-0x00007FF6EB002000-memory.dmp	xmrig
behavioral2/memory/3216-449-0x00007FF678BA0000-0x00007FF678F92000-memory.dmp	xmrig
behavioral2/memory/2924-446-0x00007FF6711E0000-0x00007FF6715D2000-memory.dmp	xmrig
behavioral2/memory/1524-50-0x00007FF733C60000-0x00007FF734052000-memory.dmp	xmrig
behavioral2/memory/2352-46-0x00007FF759350000-0x00007FF759742000-memory.dmp	xmrig
behavioral2/memory/4848-518-0x00007FF76CC30000-0x00007FF76D022000-memory.dmp	xmrig
behavioral2/memory/2708-521-0x00007FF72ACF0000-0x00007FF72B0E2000-memory.dmp	xmrig
behavioral2/memory/2304-546-0x00007FF651FF0000-0x00007FF6523E2000-memory.dmp	xmrig
behavioral2/memory/5016-552-0x00007FF6E6E00000-0x00007FF6E71F2000-memory.dmp	xmrig
behavioral2/memory/364-542-0x00007FF78CC80000-0x00007FF78D072000-memory.dmp	xmrig
behavioral2/memory/4488-539-0x00007FF6FF4A0000-0x00007FF6FF892000-memory.dmp	xmrig
behavioral2/memory/2992-535-0x00007FF768900000-0x00007FF768CF2000-memory.dmp	xmrig
behavioral2/memory/3476-517-0x00007FF6F53D0000-0x00007FF6F57C2000-memory.dmp	xmrig
behavioral2/memory/3976-511-0x00007FF75BCE0000-0x00007FF75C0D2000-memory.dmp	xmrig
behavioral2/memory/2992-3425-0x00007FF768900000-0x00007FF768CF2000-memory.dmp	xmrig
behavioral2/memory/2352-3427-0x00007FF759350000-0x00007FF759742000-memory.dmp	xmrig
behavioral2/memory/1524-3431-0x00007FF733C60000-0x00007FF734052000-memory.dmp	xmrig
behavioral2/memory/4488-3454-0x00007FF6FF4A0000-0x00007FF6FF892000-memory.dmp	xmrig
behavioral2/memory/5028-3462-0x00007FF710110000-0x00007FF710502000-memory.dmp	xmrig
behavioral2/memory/364-3471-0x00007FF78CC80000-0x00007FF78D072000-memory.dmp	xmrig
behavioral2/memory/3216-3481-0x00007FF678BA0000-0x00007FF678F92000-memory.dmp	xmrig
behavioral2/memory/1520-3483-0x00007FF6EAC10000-0x00007FF6EB002000-memory.dmp	xmrig
behavioral2/memory/5036-3489-0x00007FF7CE4C0000-0x00007FF7CE8B2000-memory.dmp	xmrig
behavioral2/memory/3368-3491-0x00007FF6955A0000-0x00007FF695992000-memory.dmp	xmrig
behavioral2/memory/868-3487-0x00007FF6AAC70000-0x00007FF6AB062000-memory.dmp	xmrig
behavioral2/memory/3532-3486-0x00007FF759A90000-0x00007FF759E82000-memory.dmp	xmrig
behavioral2/memory/5016-3479-0x00007FF6E6E00000-0x00007FF6E71F2000-memory.dmp	xmrig
behavioral2/memory/2924-3477-0x00007FF6711E0000-0x00007FF6715D2000-memory.dmp	xmrig
behavioral2/memory/32-3476-0x00007FF654BD0000-0x00007FF654FC2000-memory.dmp	xmrig
behavioral2/memory/2304-3474-0x00007FF651FF0000-0x00007FF6523E2000-memory.dmp	xmrig
behavioral2/memory/4228-3495-0x00007FF61A350000-0x00007FF61A742000-memory.dmp	xmrig
behavioral2/memory/4364-3497-0x00007FF684D70000-0x00007FF685162000-memory.dmp	xmrig
behavioral2/memory/2372-3494-0x00007FF60EAD0000-0x00007FF60EEC2000-memory.dmp	xmrig
behavioral2/memory/2708-3518-0x00007FF72ACF0000-0x00007FF72B0E2000-memory.dmp	xmrig
behavioral2/memory/3976-3514-0x00007FF75BCE0000-0x00007FF75C0D2000-memory.dmp	xmrig
behavioral2/memory/3476-3513-0x00007FF6F53D0000-0x00007FF6F57C2000-memory.dmp	xmrig
behavioral2/memory/2912-3510-0x00007FF668670000-0x00007FF668A62000-memory.dmp	xmrig
behavioral2/memory/4848-3516-0x00007FF76CC30000-0x00007FF76D022000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
8	5012	powershell.exe
10	5012	powershell.exe
16	5012	powershell.exe
17	5012	powershell.exe
19	5012	powershell.exe
22	5012	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5012	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2992	ZkPEIEu.exe
2352	xJsrpTq.exe
1524	DkcUhfZ.exe
5028	bnpBUnC.exe
4488	TqoUCtF.exe
364	kGacSPv.exe
32	mngFitN.exe
2304	NstuZqp.exe
5016	DJQBrsM.exe
2924	abOVjDp.exe
3216	UdkNbCO.exe
1520	yYFzNyY.exe
868	eqGCVSZ.exe
3532	QLMNwff.exe
5036	ZdHPkmg.exe
3368	TlAUVmT.exe
2372	kplbIoS.exe
4228	WNqditD.exe
4364	hlhdBBQ.exe
2912	xVavMId.exe
3976	dANJqUj.exe
3476	YoExRlP.exe
4848	wqhkHuA.exe
2708	apqpdfc.exe
876	okhtpqS.exe
3664	KxzTCvS.exe
5040	FgyLpdK.exe
1012	FSYiAwI.exe
64	evMrOuK.exe
4552	FXqDzsV.exe
4452	BqodCyA.exe
2900	shTVwID.exe
3336	nfpGSjC.exe
1140	qzguMBB.exe
4728	MHxQWUs.exe
968	LvrHJJU.exe
3064	NlBerOc.exe
3016	jVkNMFx.exe
3008	pJIYAiD.exe
3984	tCjYHjt.exe
2664	evCqRto.exe
3124	IsPYcer.exe
4972	pHXCuca.exe
1740	KXsXSzM.exe
1028	ZnuvNmy.exe
4468	qITUnvO.exe
1204	ODYWoQx.exe
4408	QcqOjdC.exe
2012	sedpAwB.exe
2344	adGJHkk.exe
2660	ZabKlvu.exe
1780	skDhoAg.exe
1556	bwoibAd.exe
2300	SRQuEsQ.exe
2280	HqRLtFQ.exe
512	wJYRZNf.exe
1816	VmtgOrn.exe
1912	qREQqxL.exe
1256	lJWLreh.exe
3248	cOybMqo.exe
1048	PFItwel.exe
1624	HHpZvGH.exe
1708	gGDsMBA.exe
4472	cMlmpfB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4068-0-0x00007FF677AC0000-0x00007FF677EB2000-memory.dmp	upx
behavioral2/files/0x000a0000000234e1-6.dat	upx
behavioral2/files/0x00070000000234f1-14.dat	upx
behavioral2/files/0x00070000000234ee-17.dat	upx
behavioral2/files/0x00080000000234f0-36.dat	upx
behavioral2/files/0x00080000000234ef-42.dat	upx
behavioral2/files/0x00070000000234f3-47.dat	upx
behavioral2/memory/5028-58-0x00007FF710110000-0x00007FF710502000-memory.dmp	upx
behavioral2/memory/32-59-0x00007FF654BD0000-0x00007FF654FC2000-memory.dmp	upx
behavioral2/files/0x00070000000234f4-51.dat	upx
behavioral2/files/0x00070000000234f6-65.dat	upx
behavioral2/files/0x00070000000234f7-70.dat	upx
behavioral2/files/0x00070000000234fc-95.dat	upx
behavioral2/files/0x00070000000234fe-113.dat	upx
behavioral2/files/0x0007000000023500-123.dat	upx
behavioral2/files/0x0007000000023502-133.dat	upx
behavioral2/files/0x0007000000023505-140.dat	upx
behavioral2/files/0x0007000000023506-153.dat	upx
behavioral2/files/0x000700000002350b-178.dat	upx
behavioral2/files/0x000700000002350d-180.dat	upx
behavioral2/files/0x000700000002350c-175.dat	upx
behavioral2/files/0x000700000002350a-173.dat	upx
behavioral2/files/0x0007000000023509-168.dat	upx
behavioral2/files/0x0007000000023508-163.dat	upx
behavioral2/files/0x0007000000023507-158.dat	upx
behavioral2/files/0x0007000000023504-143.dat	upx
behavioral2/files/0x0007000000023503-138.dat	upx
behavioral2/files/0x0007000000023501-128.dat	upx
behavioral2/files/0x00070000000234ff-118.dat	upx
behavioral2/memory/868-460-0x00007FF6AAC70000-0x00007FF6AB062000-memory.dmp	upx
behavioral2/memory/3368-474-0x00007FF6955A0000-0x00007FF695992000-memory.dmp	upx
behavioral2/memory/2912-505-0x00007FF668670000-0x00007FF668A62000-memory.dmp	upx
behavioral2/memory/4364-499-0x00007FF684D70000-0x00007FF685162000-memory.dmp	upx
behavioral2/memory/4228-492-0x00007FF61A350000-0x00007FF61A742000-memory.dmp	upx
behavioral2/memory/2372-482-0x00007FF60EAD0000-0x00007FF60EEC2000-memory.dmp	upx
behavioral2/memory/5036-473-0x00007FF7CE4C0000-0x00007FF7CE8B2000-memory.dmp	upx
behavioral2/memory/3532-464-0x00007FF759A90000-0x00007FF759E82000-memory.dmp	upx
behavioral2/memory/1520-457-0x00007FF6EAC10000-0x00007FF6EB002000-memory.dmp	upx
behavioral2/memory/3216-449-0x00007FF678BA0000-0x00007FF678F92000-memory.dmp	upx
behavioral2/memory/2924-446-0x00007FF6711E0000-0x00007FF6715D2000-memory.dmp	upx
behavioral2/files/0x00070000000234fd-108.dat	upx
behavioral2/files/0x00070000000234fb-98.dat	upx
behavioral2/files/0x00070000000234fa-93.dat	upx
behavioral2/files/0x00070000000234f9-88.dat	upx
behavioral2/files/0x00070000000234f8-83.dat	upx
behavioral2/files/0x00070000000234f5-68.dat	upx
behavioral2/memory/1524-50-0x00007FF733C60000-0x00007FF734052000-memory.dmp	upx
behavioral2/memory/2352-46-0x00007FF759350000-0x00007FF759742000-memory.dmp	upx
behavioral2/files/0x00070000000234f2-39.dat	upx
behavioral2/memory/4848-518-0x00007FF76CC30000-0x00007FF76D022000-memory.dmp	upx
behavioral2/memory/2708-521-0x00007FF72ACF0000-0x00007FF72B0E2000-memory.dmp	upx
behavioral2/memory/2304-546-0x00007FF651FF0000-0x00007FF6523E2000-memory.dmp	upx
behavioral2/memory/5016-552-0x00007FF6E6E00000-0x00007FF6E71F2000-memory.dmp	upx
behavioral2/memory/364-542-0x00007FF78CC80000-0x00007FF78D072000-memory.dmp	upx
behavioral2/memory/4488-539-0x00007FF6FF4A0000-0x00007FF6FF892000-memory.dmp	upx
behavioral2/memory/2992-535-0x00007FF768900000-0x00007FF768CF2000-memory.dmp	upx
behavioral2/memory/3476-517-0x00007FF6F53D0000-0x00007FF6F57C2000-memory.dmp	upx
behavioral2/memory/3976-511-0x00007FF75BCE0000-0x00007FF75C0D2000-memory.dmp	upx
behavioral2/memory/2992-3425-0x00007FF768900000-0x00007FF768CF2000-memory.dmp	upx
behavioral2/memory/2352-3427-0x00007FF759350000-0x00007FF759742000-memory.dmp	upx
behavioral2/memory/1524-3431-0x00007FF733C60000-0x00007FF734052000-memory.dmp	upx
behavioral2/memory/4488-3454-0x00007FF6FF4A0000-0x00007FF6FF892000-memory.dmp	upx
behavioral2/memory/5028-3462-0x00007FF710110000-0x00007FF710502000-memory.dmp	upx
behavioral2/memory/364-3471-0x00007FF78CC80000-0x00007FF78D072000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\oPDylKY.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\jyixlVt.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\uSxOSFF.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\ZfblBTr.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\ZMrGDiQ.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\YxHGaAO.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\skDhoAg.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\vwHCyRI.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\cHFzUfL.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\BguIgRZ.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\kNwHwrH.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\lHRtLqs.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\OolHHtV.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\UsFQKOA.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\dFFssog.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\LomRrKY.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\MHyNMyN.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\dOdppxk.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\rkcVXsj.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\aaZuFIY.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\alIKcus.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\MlTvWmZ.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\xfaALHI.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\lioRdPi.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\NwyqXXn.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\omISHcF.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\xdGJavL.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\QTVhjJC.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\lrSEGrM.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\QDCadJa.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\PAkqGDF.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\ywlfwXs.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\cZDPfQW.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\lKqdwKS.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\WBcEJtG.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\yvxzhtC.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\vOlFgKg.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\vMVrYwr.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\mNwjjCV.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\VdbKHgS.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\rWuPzTe.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\lkIEygx.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\pEnJJim.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\nOYktBO.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\CgIKGAC.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\HuovaCi.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\npuLluf.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\GFUNbpi.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\WMeINuI.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\YxZmoiD.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\fxUDxan.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\leqahwP.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\cvAAaid.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\WONcQsW.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\dZjtwzZ.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\dJVaeNy.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\JIYrwJk.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\TStTAPY.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\MxjoORo.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\gjPBGHv.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\NffkejE.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\JRUDZgw.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\ZUQsiMV.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe
File created	C:\Windows\System\aBjcDEk.exe	a88c1dfd64b12ad881aee58002e08ec0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5012	powershell.exe
5012	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	5012	powershell.exe
Token: SeLockMemoryPrivilege	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe
Token: SeLockMemoryPrivilege	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe
Token: SeCreateGlobalPrivilege	13168	dwm.exe
Token: SeChangeNotifyPrivilege	13168	dwm.exe
Token: 33	13168	dwm.exe
Token: SeIncBasePriorityPrivilege	13168	dwm.exe
Token: SeShutdownPrivilege	13168	dwm.exe
Token: SeCreatePagefilePrivilege	13168	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 5012	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	85
PID 4068 wrote to memory of 5012	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	85
PID 4068 wrote to memory of 2992	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	86
PID 4068 wrote to memory of 2992	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	86
PID 4068 wrote to memory of 2352	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	87
PID 4068 wrote to memory of 2352	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	87
PID 4068 wrote to memory of 1524	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	88
PID 4068 wrote to memory of 1524	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	88
PID 4068 wrote to memory of 5028	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	89
PID 4068 wrote to memory of 5028	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	89
PID 4068 wrote to memory of 4488	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	90
PID 4068 wrote to memory of 4488	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	90
PID 4068 wrote to memory of 364	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	91
PID 4068 wrote to memory of 364	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	91
PID 4068 wrote to memory of 32	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	92
PID 4068 wrote to memory of 32	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	92
PID 4068 wrote to memory of 2304	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	93
PID 4068 wrote to memory of 2304	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	93
PID 4068 wrote to memory of 5016	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	94
PID 4068 wrote to memory of 5016	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	94
PID 4068 wrote to memory of 2924	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	95
PID 4068 wrote to memory of 2924	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	95
PID 4068 wrote to memory of 3216	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	96
PID 4068 wrote to memory of 3216	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	96
PID 4068 wrote to memory of 1520	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	97
PID 4068 wrote to memory of 1520	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	97
PID 4068 wrote to memory of 868	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	98
PID 4068 wrote to memory of 868	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	98
PID 4068 wrote to memory of 3532	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	99
PID 4068 wrote to memory of 3532	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	99
PID 4068 wrote to memory of 5036	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	100
PID 4068 wrote to memory of 5036	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	100
PID 4068 wrote to memory of 3368	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	101
PID 4068 wrote to memory of 3368	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	101
PID 4068 wrote to memory of 2372	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	102
PID 4068 wrote to memory of 2372	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	102
PID 4068 wrote to memory of 4228	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	103
PID 4068 wrote to memory of 4228	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	103
PID 4068 wrote to memory of 4364	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	104
PID 4068 wrote to memory of 4364	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	104
PID 4068 wrote to memory of 2912	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	105
PID 4068 wrote to memory of 2912	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	105
PID 4068 wrote to memory of 3976	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	106
PID 4068 wrote to memory of 3976	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	106
PID 4068 wrote to memory of 3476	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	107
PID 4068 wrote to memory of 3476	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	107
PID 4068 wrote to memory of 4848	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	108
PID 4068 wrote to memory of 4848	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	108
PID 4068 wrote to memory of 2708	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	109
PID 4068 wrote to memory of 2708	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	109
PID 4068 wrote to memory of 876	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	110
PID 4068 wrote to memory of 876	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	110
PID 4068 wrote to memory of 3664	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	111
PID 4068 wrote to memory of 3664	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	111
PID 4068 wrote to memory of 5040	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	112
PID 4068 wrote to memory of 5040	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	112
PID 4068 wrote to memory of 1012	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	113
PID 4068 wrote to memory of 1012	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	113
PID 4068 wrote to memory of 64	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	114
PID 4068 wrote to memory of 64	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	114
PID 4068 wrote to memory of 4552	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	115
PID 4068 wrote to memory of 4552	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	115
PID 4068 wrote to memory of 4452	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	116
PID 4068 wrote to memory of 4452	4068	a88c1dfd64b12ad881aee58002e08ec0N.exe	116

C:\Users\Admin\AppData\Local\Temp\a88c1dfd64b12ad881aee58002e08ec0N.exe
"C:\Users\Admin\AppData\Local\Temp\a88c1dfd64b12ad881aee58002e08ec0N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\System\ZkPEIEu.exe
  C:\Windows\System\ZkPEIEu.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\xJsrpTq.exe
  C:\Windows\System\xJsrpTq.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\DkcUhfZ.exe
  C:\Windows\System\DkcUhfZ.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\bnpBUnC.exe
  C:\Windows\System\bnpBUnC.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\TqoUCtF.exe
  C:\Windows\System\TqoUCtF.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\kGacSPv.exe
  C:\Windows\System\kGacSPv.exe
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\System\mngFitN.exe
  C:\Windows\System\mngFitN.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\NstuZqp.exe
  C:\Windows\System\NstuZqp.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\DJQBrsM.exe
  C:\Windows\System\DJQBrsM.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\abOVjDp.exe
  C:\Windows\System\abOVjDp.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\UdkNbCO.exe
  C:\Windows\System\UdkNbCO.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\yYFzNyY.exe
  C:\Windows\System\yYFzNyY.exe
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\Windows\System\eqGCVSZ.exe
  C:\Windows\System\eqGCVSZ.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\QLMNwff.exe
  C:\Windows\System\QLMNwff.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\ZdHPkmg.exe
  C:\Windows\System\ZdHPkmg.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\TlAUVmT.exe
  C:\Windows\System\TlAUVmT.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\kplbIoS.exe
  C:\Windows\System\kplbIoS.exe
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\Windows\System\WNqditD.exe
  C:\Windows\System\WNqditD.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\hlhdBBQ.exe
  C:\Windows\System\hlhdBBQ.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\xVavMId.exe
  C:\Windows\System\xVavMId.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\dANJqUj.exe
  C:\Windows\System\dANJqUj.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\YoExRlP.exe
  C:\Windows\System\YoExRlP.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\wqhkHuA.exe
  C:\Windows\System\wqhkHuA.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\apqpdfc.exe
  C:\Windows\System\apqpdfc.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\okhtpqS.exe
  C:\Windows\System\okhtpqS.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\KxzTCvS.exe
  C:\Windows\System\KxzTCvS.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\FgyLpdK.exe
  C:\Windows\System\FgyLpdK.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\FSYiAwI.exe
  C:\Windows\System\FSYiAwI.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System\evMrOuK.exe
  C:\Windows\System\evMrOuK.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\FXqDzsV.exe
  C:\Windows\System\FXqDzsV.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\BqodCyA.exe
  C:\Windows\System\BqodCyA.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\shTVwID.exe
  C:\Windows\System\shTVwID.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\nfpGSjC.exe
  C:\Windows\System\nfpGSjC.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\qzguMBB.exe
  C:\Windows\System\qzguMBB.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\System\MHxQWUs.exe
  C:\Windows\System\MHxQWUs.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\LvrHJJU.exe
  C:\Windows\System\LvrHJJU.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\NlBerOc.exe
  C:\Windows\System\NlBerOc.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\jVkNMFx.exe
  C:\Windows\System\jVkNMFx.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\pJIYAiD.exe
  C:\Windows\System\pJIYAiD.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\tCjYHjt.exe
  C:\Windows\System\tCjYHjt.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\evCqRto.exe
  C:\Windows\System\evCqRto.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\IsPYcer.exe
  C:\Windows\System\IsPYcer.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\pHXCuca.exe
  C:\Windows\System\pHXCuca.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\KXsXSzM.exe
  C:\Windows\System\KXsXSzM.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\ZnuvNmy.exe
  C:\Windows\System\ZnuvNmy.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\qITUnvO.exe
  C:\Windows\System\qITUnvO.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\ODYWoQx.exe
  C:\Windows\System\ODYWoQx.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\QcqOjdC.exe
  C:\Windows\System\QcqOjdC.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\sedpAwB.exe
  C:\Windows\System\sedpAwB.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\adGJHkk.exe
  C:\Windows\System\adGJHkk.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\ZabKlvu.exe
  C:\Windows\System\ZabKlvu.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\skDhoAg.exe
  C:\Windows\System\skDhoAg.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\bwoibAd.exe
  C:\Windows\System\bwoibAd.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\SRQuEsQ.exe
  C:\Windows\System\SRQuEsQ.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\HqRLtFQ.exe
  C:\Windows\System\HqRLtFQ.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\wJYRZNf.exe
  C:\Windows\System\wJYRZNf.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\VmtgOrn.exe
  C:\Windows\System\VmtgOrn.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\qREQqxL.exe
  C:\Windows\System\qREQqxL.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\lJWLreh.exe
  C:\Windows\System\lJWLreh.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\cOybMqo.exe
  C:\Windows\System\cOybMqo.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\PFItwel.exe
  C:\Windows\System\PFItwel.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\HHpZvGH.exe
  C:\Windows\System\HHpZvGH.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\gGDsMBA.exe
  C:\Windows\System\gGDsMBA.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\cMlmpfB.exe
  C:\Windows\System\cMlmpfB.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\VPoINBC.exe
  C:\Windows\System\VPoINBC.exe
  2⤵
  PID:4320
- C:\Windows\System\FtFksyx.exe
  C:\Windows\System\FtFksyx.exe
  2⤵
  PID:780
- C:\Windows\System\SZUZszZ.exe
  C:\Windows\System\SZUZszZ.exe
  2⤵
  PID:4660
- C:\Windows\System\kHKJTQG.exe
  C:\Windows\System\kHKJTQG.exe
  2⤵
  PID:2920
- C:\Windows\System\PTPEevH.exe
  C:\Windows\System\PTPEevH.exe
  2⤵
  PID:3324
- C:\Windows\System\QxSayGg.exe
  C:\Windows\System\QxSayGg.exe
  2⤵
  PID:4916
- C:\Windows\System\ErIWWOd.exe
  C:\Windows\System\ErIWWOd.exe
  2⤵
  PID:2332
- C:\Windows\System\fyQPNFx.exe
  C:\Windows\System\fyQPNFx.exe
  2⤵
  PID:692
- C:\Windows\System\KfMnCji.exe
  C:\Windows\System\KfMnCji.exe
  2⤵
  PID:388
- C:\Windows\System\IZlxkAT.exe
  C:\Windows\System\IZlxkAT.exe
  2⤵
  PID:3712
- C:\Windows\System\XXDZCDb.exe
  C:\Windows\System\XXDZCDb.exe
  2⤵
  PID:232
- C:\Windows\System\aCrxjov.exe
  C:\Windows\System\aCrxjov.exe
  2⤵
  PID:1668
- C:\Windows\System\cMPHvvA.exe
  C:\Windows\System\cMPHvvA.exe
  2⤵
  PID:1000
- C:\Windows\System\dzbcJfU.exe
  C:\Windows\System\dzbcJfU.exe
  2⤵
  PID:5144
- C:\Windows\System\GpQjXLE.exe
  C:\Windows\System\GpQjXLE.exe
  2⤵
  PID:5172
- C:\Windows\System\HrprXgq.exe
  C:\Windows\System\HrprXgq.exe
  2⤵
  PID:5200
- C:\Windows\System\meIkcms.exe
  C:\Windows\System\meIkcms.exe
  2⤵
  PID:5228
- C:\Windows\System\lKkhTYE.exe
  C:\Windows\System\lKkhTYE.exe
  2⤵
  PID:5260
- C:\Windows\System\hYkgFmg.exe
  C:\Windows\System\hYkgFmg.exe
  2⤵
  PID:5288
- C:\Windows\System\ydKZTjJ.exe
  C:\Windows\System\ydKZTjJ.exe
  2⤵
  PID:5320
- C:\Windows\System\nkZWzIm.exe
  C:\Windows\System\nkZWzIm.exe
  2⤵
  PID:5344
- C:\Windows\System\yRuTfpt.exe
  C:\Windows\System\yRuTfpt.exe
  2⤵
  PID:5372
- C:\Windows\System\ZInbiRi.exe
  C:\Windows\System\ZInbiRi.exe
  2⤵
  PID:5400
- C:\Windows\System\bEvWgFT.exe
  C:\Windows\System\bEvWgFT.exe
  2⤵
  PID:5428
- C:\Windows\System\CholwmX.exe
  C:\Windows\System\CholwmX.exe
  2⤵
  PID:5456
- C:\Windows\System\TtEjTNs.exe
  C:\Windows\System\TtEjTNs.exe
  2⤵
  PID:5480
- C:\Windows\System\QsHzYKi.exe
  C:\Windows\System\QsHzYKi.exe
  2⤵
  PID:5508
- C:\Windows\System\FAYcxgG.exe
  C:\Windows\System\FAYcxgG.exe
  2⤵
  PID:5544
- C:\Windows\System\PeCzXjX.exe
  C:\Windows\System\PeCzXjX.exe
  2⤵
  PID:5568
- C:\Windows\System\JbvvzWt.exe
  C:\Windows\System\JbvvzWt.exe
  2⤵
  PID:5604
- C:\Windows\System\oYyCMcV.exe
  C:\Windows\System\oYyCMcV.exe
  2⤵
  PID:5636
- C:\Windows\System\wiQlQEU.exe
  C:\Windows\System\wiQlQEU.exe
  2⤵
  PID:5664
- C:\Windows\System\BkTmCvo.exe
  C:\Windows\System\BkTmCvo.exe
  2⤵
  PID:5692
- C:\Windows\System\FTqfSlu.exe
  C:\Windows\System\FTqfSlu.exe
  2⤵
  PID:5720
- C:\Windows\System\ufOJBIS.exe
  C:\Windows\System\ufOJBIS.exe
  2⤵
  PID:5752
- C:\Windows\System\GRdKOpZ.exe
  C:\Windows\System\GRdKOpZ.exe
  2⤵
  PID:5776
- C:\Windows\System\ubnjpGO.exe
  C:\Windows\System\ubnjpGO.exe
  2⤵
  PID:5808
- C:\Windows\System\hKRqjHg.exe
  C:\Windows\System\hKRqjHg.exe
  2⤵
  PID:5836
- C:\Windows\System\ihOeIkz.exe
  C:\Windows\System\ihOeIkz.exe
  2⤵
  PID:5860
- C:\Windows\System\JoHWXzc.exe
  C:\Windows\System\JoHWXzc.exe
  2⤵
  PID:5888
- C:\Windows\System\ENxthCJ.exe
  C:\Windows\System\ENxthCJ.exe
  2⤵
  PID:5920
- C:\Windows\System\egsuvlK.exe
  C:\Windows\System\egsuvlK.exe
  2⤵
  PID:5948
- C:\Windows\System\tfOYfLU.exe
  C:\Windows\System\tfOYfLU.exe
  2⤵
  PID:5976
- C:\Windows\System\umIVAra.exe
  C:\Windows\System\umIVAra.exe
  2⤵
  PID:6000
- C:\Windows\System\qZBNgzv.exe
  C:\Windows\System\qZBNgzv.exe
  2⤵
  PID:6028
- C:\Windows\System\jdcoZFb.exe
  C:\Windows\System\jdcoZFb.exe
  2⤵
  PID:6060
- C:\Windows\System\huyKuJm.exe
  C:\Windows\System\huyKuJm.exe
  2⤵
  PID:6088
- C:\Windows\System\ELtPqah.exe
  C:\Windows\System\ELtPqah.exe
  2⤵
  PID:6116
- C:\Windows\System\UOYJjxx.exe
  C:\Windows\System\UOYJjxx.exe
  2⤵
  PID:6140
- C:\Windows\System\zZyNUkP.exe
  C:\Windows\System\zZyNUkP.exe
  2⤵
  PID:2540
- C:\Windows\System\opEtBph.exe
  C:\Windows\System\opEtBph.exe
  2⤵
  PID:2392
- C:\Windows\System\ragrtTp.exe
  C:\Windows\System\ragrtTp.exe
  2⤵
  PID:3864
- C:\Windows\System\pyzivXJ.exe
  C:\Windows\System\pyzivXJ.exe
  2⤵
  PID:5164
- C:\Windows\System\qgqnCUU.exe
  C:\Windows\System\qgqnCUU.exe
  2⤵
  PID:5220
- C:\Windows\System\YFCjlZy.exe
  C:\Windows\System\YFCjlZy.exe
  2⤵
  PID:5276
- C:\Windows\System\bXWOoow.exe
  C:\Windows\System\bXWOoow.exe
  2⤵
  PID:5420
- C:\Windows\System\GMmdydD.exe
  C:\Windows\System\GMmdydD.exe
  2⤵
  PID:5500
- C:\Windows\System\UjQLdxZ.exe
  C:\Windows\System\UjQLdxZ.exe
  2⤵
  PID:5600
- C:\Windows\System\hXbVYld.exe
  C:\Windows\System\hXbVYld.exe
  2⤵
  PID:5656
- C:\Windows\System\zoQymDd.exe
  C:\Windows\System\zoQymDd.exe
  2⤵
  PID:5688
- C:\Windows\System\SEQmusY.exe
  C:\Windows\System\SEQmusY.exe
  2⤵
  PID:5740
- C:\Windows\System\bQUTgxi.exe
  C:\Windows\System\bQUTgxi.exe
  2⤵
  PID:5764
- C:\Windows\System\pAashbe.exe
  C:\Windows\System\pAashbe.exe
  2⤵
  PID:5820
- C:\Windows\System\hnKBPGu.exe
  C:\Windows\System\hnKBPGu.exe
  2⤵
  PID:5852
- C:\Windows\System\eriPUdW.exe
  C:\Windows\System\eriPUdW.exe
  2⤵
  PID:5908
- C:\Windows\System\mZldGDh.exe
  C:\Windows\System\mZldGDh.exe
  2⤵
  PID:5960
- C:\Windows\System\wRKnfHx.exe
  C:\Windows\System\wRKnfHx.exe
  2⤵
  PID:4720
- C:\Windows\System\oUsDPPp.exe
  C:\Windows\System\oUsDPPp.exe
  2⤵
  PID:6048
- C:\Windows\System\NnAQdxq.exe
  C:\Windows\System\NnAQdxq.exe
  2⤵
  PID:2340
- C:\Windows\System\QBDFEcA.exe
  C:\Windows\System\QBDFEcA.exe
  2⤵
  PID:3676
- C:\Windows\System\trspTyY.exe
  C:\Windows\System\trspTyY.exe
  2⤵
  PID:2020
- C:\Windows\System\HESlItK.exe
  C:\Windows\System\HESlItK.exe
  2⤵
  PID:728
- C:\Windows\System\HuysvZK.exe
  C:\Windows\System\HuysvZK.exe
  2⤵
  PID:5316
- C:\Windows\System\DHCaQyz.exe
  C:\Windows\System\DHCaQyz.exe
  2⤵
  PID:5364
- C:\Windows\System\kBoFENp.exe
  C:\Windows\System\kBoFENp.exe
  2⤵
  PID:1984
- C:\Windows\System\yedAaBJ.exe
  C:\Windows\System\yedAaBJ.exe
  2⤵
  PID:2820
- C:\Windows\System\QpjYOOP.exe
  C:\Windows\System\QpjYOOP.exe
  2⤵
  PID:4752
- C:\Windows\System\KlTNcnA.exe
  C:\Windows\System\KlTNcnA.exe
  2⤵
  PID:4368
- C:\Windows\System\nLSHFMa.exe
  C:\Windows\System\nLSHFMa.exe
  2⤵
  PID:4740
- C:\Windows\System\AIsycjL.exe
  C:\Windows\System\AIsycjL.exe
  2⤵
  PID:5684
- C:\Windows\System\gZXYNeE.exe
  C:\Windows\System\gZXYNeE.exe
  2⤵
  PID:2748
- C:\Windows\System\seSdgkG.exe
  C:\Windows\System\seSdgkG.exe
  2⤵
  PID:5904
- C:\Windows\System\jLyqYEA.exe
  C:\Windows\System\jLyqYEA.exe
  2⤵
  PID:6072
- C:\Windows\System\zPTCTBn.exe
  C:\Windows\System\zPTCTBn.exe
  2⤵
  PID:5272
- C:\Windows\System\NRLUBJy.exe
  C:\Windows\System\NRLUBJy.exe
  2⤵
  PID:3948
- C:\Windows\System\MbYMXou.exe
  C:\Windows\System\MbYMXou.exe
  2⤵
  PID:4876
- C:\Windows\System\lMavTDn.exe
  C:\Windows\System\lMavTDn.exe
  2⤵
  PID:5800
- C:\Windows\System\wGuzTUS.exe
  C:\Windows\System\wGuzTUS.exe
  2⤵
  PID:5212
- C:\Windows\System\OTPPUym.exe
  C:\Windows\System\OTPPUym.exe
  2⤵
  PID:5560
- C:\Windows\System\KoovLjO.exe
  C:\Windows\System\KoovLjO.exe
  2⤵
  PID:6172
- C:\Windows\System\MXUbScP.exe
  C:\Windows\System\MXUbScP.exe
  2⤵
  PID:6200
- C:\Windows\System\oLNxQjP.exe
  C:\Windows\System\oLNxQjP.exe
  2⤵
  PID:6228
- C:\Windows\System\hDkEMpU.exe
  C:\Windows\System\hDkEMpU.exe
  2⤵
  PID:6256
- C:\Windows\System\wpBZRXw.exe
  C:\Windows\System\wpBZRXw.exe
  2⤵
  PID:6276
- C:\Windows\System\XQhCwhU.exe
  C:\Windows\System\XQhCwhU.exe
  2⤵
  PID:6304
- C:\Windows\System\XXLafFB.exe
  C:\Windows\System\XXLafFB.exe
  2⤵
  PID:6332
- C:\Windows\System\nzJXgDM.exe
  C:\Windows\System\nzJXgDM.exe
  2⤵
  PID:6360
- C:\Windows\System\xybworQ.exe
  C:\Windows\System\xybworQ.exe
  2⤵
  PID:6388
- C:\Windows\System\fDmqrVB.exe
  C:\Windows\System\fDmqrVB.exe
  2⤵
  PID:6444
- C:\Windows\System\MZLPBBl.exe
  C:\Windows\System\MZLPBBl.exe
  2⤵
  PID:6548
- C:\Windows\System\clYVKPa.exe
  C:\Windows\System\clYVKPa.exe
  2⤵
  PID:6576
- C:\Windows\System\zhuJTdk.exe
  C:\Windows\System\zhuJTdk.exe
  2⤵
  PID:6596
- C:\Windows\System\rapGXeo.exe
  C:\Windows\System\rapGXeo.exe
  2⤵
  PID:6620
- C:\Windows\System\YNLUabf.exe
  C:\Windows\System\YNLUabf.exe
  2⤵
  PID:6652
- C:\Windows\System\lhkrDBF.exe
  C:\Windows\System\lhkrDBF.exe
  2⤵
  PID:6668
- C:\Windows\System\GTFgVqa.exe
  C:\Windows\System\GTFgVqa.exe
  2⤵
  PID:6688
- C:\Windows\System\rWuPzTe.exe
  C:\Windows\System\rWuPzTe.exe
  2⤵
  PID:6716
- C:\Windows\System\quyKJSj.exe
  C:\Windows\System\quyKJSj.exe
  2⤵
  PID:6756
- C:\Windows\System\ANKaVOk.exe
  C:\Windows\System\ANKaVOk.exe
  2⤵
  PID:6784
- C:\Windows\System\rseKRhy.exe
  C:\Windows\System\rseKRhy.exe
  2⤵
  PID:6800
- C:\Windows\System\Iaskfkp.exe
  C:\Windows\System\Iaskfkp.exe
  2⤵
  PID:6844
- C:\Windows\System\uOUHmzK.exe
  C:\Windows\System\uOUHmzK.exe
  2⤵
  PID:6864
- C:\Windows\System\AHQbvdD.exe
  C:\Windows\System\AHQbvdD.exe
  2⤵
  PID:6880
- C:\Windows\System\JZEKpUD.exe
  C:\Windows\System\JZEKpUD.exe
  2⤵
  PID:6960
- C:\Windows\System\pXPPQPL.exe
  C:\Windows\System\pXPPQPL.exe
  2⤵
  PID:6976
- C:\Windows\System\aWFyxlx.exe
  C:\Windows\System\aWFyxlx.exe
  2⤵
  PID:7004
- C:\Windows\System\AAtluCB.exe
  C:\Windows\System\AAtluCB.exe
  2⤵
  PID:7104
- C:\Windows\System\hxpatOD.exe
  C:\Windows\System\hxpatOD.exe
  2⤵
  PID:7120
- C:\Windows\System\cqLYThu.exe
  C:\Windows\System\cqLYThu.exe
  2⤵
  PID:6192
- C:\Windows\System\vVjbjEZ.exe
  C:\Windows\System\vVjbjEZ.exe
  2⤵
  PID:4544
- C:\Windows\System\rXYcrGm.exe
  C:\Windows\System\rXYcrGm.exe
  2⤵
  PID:704
- C:\Windows\System\EMfVvmE.exe
  C:\Windows\System\EMfVvmE.exe
  2⤵
  PID:6348
- C:\Windows\System\KIaXIqW.exe
  C:\Windows\System\KIaXIqW.exe
  2⤵
  PID:6436
- C:\Windows\System\qkzkxwl.exe
  C:\Windows\System\qkzkxwl.exe
  2⤵
  PID:340
- C:\Windows\System\vNKWCCf.exe
  C:\Windows\System\vNKWCCf.exe
  2⤵
  PID:5360
- C:\Windows\System\OaEiTMk.exe
  C:\Windows\System\OaEiTMk.exe
  2⤵
  PID:6664
- C:\Windows\System\qKlTwDX.exe
  C:\Windows\System\qKlTwDX.exe
  2⤵
  PID:6724
- C:\Windows\System\ABJcAmQ.exe
  C:\Windows\System\ABJcAmQ.exe
  2⤵
  PID:6836
- C:\Windows\System\pghQlAf.exe
  C:\Windows\System\pghQlAf.exe
  2⤵
  PID:6912
- C:\Windows\System\ljbuIhp.exe
  C:\Windows\System\ljbuIhp.exe
  2⤵
  PID:7076
- C:\Windows\System\Hkrwhpa.exe
  C:\Windows\System\Hkrwhpa.exe
  2⤵
  PID:6220
- C:\Windows\System\xDzPIOi.exe
  C:\Windows\System\xDzPIOi.exe
  2⤵
  PID:3012
- C:\Windows\System\IqIbgxZ.exe
  C:\Windows\System\IqIbgxZ.exe
  2⤵
  PID:5628
- C:\Windows\System\jOZgopy.exe
  C:\Windows\System\jOZgopy.exe
  2⤵
  PID:6344
- C:\Windows\System\iVdGmpJ.exe
  C:\Windows\System\iVdGmpJ.exe
  2⤵
  PID:5140
- C:\Windows\System\EwuTsOz.exe
  C:\Windows\System\EwuTsOz.exe
  2⤵
  PID:6632
- C:\Windows\System\ZWInaCC.exe
  C:\Windows\System\ZWInaCC.exe
  2⤵
  PID:6860
- C:\Windows\System\wIpGQNr.exe
  C:\Windows\System\wIpGQNr.exe
  2⤵
  PID:6824
- C:\Windows\System\vyURuDP.exe
  C:\Windows\System\vyURuDP.exe
  2⤵
  PID:6988
- C:\Windows\System\STluXBm.exe
  C:\Windows\System\STluXBm.exe
  2⤵
  PID:7152
- C:\Windows\System\ypRGjtX.exe
  C:\Windows\System\ypRGjtX.exe
  2⤵
  PID:6384
- C:\Windows\System\KlbcAhu.exe
  C:\Windows\System\KlbcAhu.exe
  2⤵
  PID:3828
- C:\Windows\System\whUkAjb.exe
  C:\Windows\System\whUkAjb.exe
  2⤵
  PID:6568
- C:\Windows\System\GkFgqTz.exe
  C:\Windows\System\GkFgqTz.exe
  2⤵
  PID:6712
- C:\Windows\System\GUHJoKg.exe
  C:\Windows\System\GUHJoKg.exe
  2⤵
  PID:6464
- C:\Windows\System\uSVqxxY.exe
  C:\Windows\System\uSVqxxY.exe
  2⤵
  PID:6816
- C:\Windows\System\utjssfm.exe
  C:\Windows\System\utjssfm.exe
  2⤵
  PID:7020
- C:\Windows\System\jllIxPg.exe
  C:\Windows\System\jllIxPg.exe
  2⤵
  PID:6544
- C:\Windows\System\akUKhLr.exe
  C:\Windows\System\akUKhLr.exe
  2⤵
  PID:6268
- C:\Windows\System\dDrGpma.exe
  C:\Windows\System\dDrGpma.exe
  2⤵
  PID:6792
- C:\Windows\System\NtRipzj.exe
  C:\Windows\System\NtRipzj.exe
  2⤵
  PID:6928
- C:\Windows\System\ALgUpJd.exe
  C:\Windows\System\ALgUpJd.exe
  2⤵
  PID:6808
- C:\Windows\System\jTPTWVA.exe
  C:\Windows\System\jTPTWVA.exe
  2⤵
  PID:6920
- C:\Windows\System\imCgTWt.exe
  C:\Windows\System\imCgTWt.exe
  2⤵
  PID:7172
- C:\Windows\System\eyazsHA.exe
  C:\Windows\System\eyazsHA.exe
  2⤵
  PID:7204
- C:\Windows\System\WLfgRBu.exe
  C:\Windows\System\WLfgRBu.exe
  2⤵
  PID:7232
- C:\Windows\System\tMAdUDy.exe
  C:\Windows\System\tMAdUDy.exe
  2⤵
  PID:7260
- C:\Windows\System\PXbaJHJ.exe
  C:\Windows\System\PXbaJHJ.exe
  2⤵
  PID:7288
- C:\Windows\System\tpNQyJX.exe
  C:\Windows\System\tpNQyJX.exe
  2⤵
  PID:7312
- C:\Windows\System\GPtDKcT.exe
  C:\Windows\System\GPtDKcT.exe
  2⤵
  PID:7348
- C:\Windows\System\lfMrPhP.exe
  C:\Windows\System\lfMrPhP.exe
  2⤵
  PID:7372
- C:\Windows\System\XIbVyND.exe
  C:\Windows\System\XIbVyND.exe
  2⤵
  PID:7396
- C:\Windows\System\xhEENYw.exe
  C:\Windows\System\xhEENYw.exe
  2⤵
  PID:7444
- C:\Windows\System\auCeVjo.exe
  C:\Windows\System\auCeVjo.exe
  2⤵
  PID:7520
- C:\Windows\System\QSEzLRR.exe
  C:\Windows\System\QSEzLRR.exe
  2⤵
  PID:7552
- C:\Windows\System\UhYGSiY.exe
  C:\Windows\System\UhYGSiY.exe
  2⤵
  PID:7580
- C:\Windows\System\UwBZLWV.exe
  C:\Windows\System\UwBZLWV.exe
  2⤵
  PID:7648
- C:\Windows\System\ztseNBj.exe
  C:\Windows\System\ztseNBj.exe
  2⤵
  PID:7712
- C:\Windows\System\mCMXOYQ.exe
  C:\Windows\System\mCMXOYQ.exe
  2⤵
  PID:7760
- C:\Windows\System\gFkLDbC.exe
  C:\Windows\System\gFkLDbC.exe
  2⤵
  PID:7784
- C:\Windows\System\DwWRztU.exe
  C:\Windows\System\DwWRztU.exe
  2⤵
  PID:7816
- C:\Windows\System\JIbUXrb.exe
  C:\Windows\System\JIbUXrb.exe
  2⤵
  PID:7840
- C:\Windows\System\dBFYDvq.exe
  C:\Windows\System\dBFYDvq.exe
  2⤵
  PID:7864
- C:\Windows\System\vkdGyZQ.exe
  C:\Windows\System\vkdGyZQ.exe
  2⤵
  PID:7880
- C:\Windows\System\KnzBBLv.exe
  C:\Windows\System\KnzBBLv.exe
  2⤵
  PID:7968
- C:\Windows\System\BTxEAOL.exe
  C:\Windows\System\BTxEAOL.exe
  2⤵
  PID:7988
- C:\Windows\System\LVEYkNP.exe
  C:\Windows\System\LVEYkNP.exe
  2⤵
  PID:8008
- C:\Windows\System\CsFqSaY.exe
  C:\Windows\System\CsFqSaY.exe
  2⤵
  PID:7112
- C:\Windows\System\LdlGXnn.exe
  C:\Windows\System\LdlGXnn.exe
  2⤵
  PID:7196
- C:\Windows\System\YoLMBSf.exe
  C:\Windows\System\YoLMBSf.exe
  2⤵
  PID:7272
- C:\Windows\System\uNdFQnm.exe
  C:\Windows\System\uNdFQnm.exe
  2⤵
  PID:7300
- C:\Windows\System\IjYQNjw.exe
  C:\Windows\System\IjYQNjw.exe
  2⤵
  PID:7324
- C:\Windows\System\vjEsyXK.exe
  C:\Windows\System\vjEsyXK.exe
  2⤵
  PID:7384
- C:\Windows\System\OWisRFD.exe
  C:\Windows\System\OWisRFD.exe
  2⤵
  PID:7464
- C:\Windows\System\LvuFdfH.exe
  C:\Windows\System\LvuFdfH.exe
  2⤵
  PID:7500
- C:\Windows\System\RAFYRcP.exe
  C:\Windows\System\RAFYRcP.exe
  2⤵
  PID:7508
- C:\Windows\System\NRUqjcE.exe
  C:\Windows\System\NRUqjcE.exe
  2⤵
  PID:7576
- C:\Windows\System\sIjxTrY.exe
  C:\Windows\System\sIjxTrY.exe
  2⤵
  PID:7612
- C:\Windows\System\eFHzbNo.exe
  C:\Windows\System\eFHzbNo.exe
  2⤵
  PID:7704
- C:\Windows\System\xRtAQRV.exe
  C:\Windows\System\xRtAQRV.exe
  2⤵
  PID:7780
- C:\Windows\System\KadkMHL.exe
  C:\Windows\System\KadkMHL.exe
  2⤵
  PID:7804
- C:\Windows\System\VfajVvW.exe
  C:\Windows\System\VfajVvW.exe
  2⤵
  PID:7740
- C:\Windows\System\pbQGPik.exe
  C:\Windows\System\pbQGPik.exe
  2⤵
  PID:7924
- C:\Windows\System\SNDDujC.exe
  C:\Windows\System\SNDDujC.exe
  2⤵
  PID:7956
- C:\Windows\System\smrpjAv.exe
  C:\Windows\System\smrpjAv.exe
  2⤵
  PID:7984
- C:\Windows\System\tqOFrAi.exe
  C:\Windows\System\tqOFrAi.exe
  2⤵
  PID:8084
- C:\Windows\System\MlTvWmZ.exe
  C:\Windows\System\MlTvWmZ.exe
  2⤵
  PID:8100
- C:\Windows\System\qhEYhOm.exe
  C:\Windows\System\qhEYhOm.exe
  2⤵
  PID:8116
- C:\Windows\System\GwvlXbR.exe
  C:\Windows\System\GwvlXbR.exe
  2⤵
  PID:8144
- C:\Windows\System\ajFKLtq.exe
  C:\Windows\System\ajFKLtq.exe
  2⤵
  PID:8184
- C:\Windows\System\GXOTOiw.exe
  C:\Windows\System\GXOTOiw.exe
  2⤵
  PID:8188
- C:\Windows\System\DPsTMdP.exe
  C:\Windows\System\DPsTMdP.exe
  2⤵
  PID:7072
- C:\Windows\System\vKzRYvy.exe
  C:\Windows\System\vKzRYvy.exe
  2⤵
  PID:7244
- C:\Windows\System\tdpxmVZ.exe
  C:\Windows\System\tdpxmVZ.exe
  2⤵
  PID:7380
- C:\Windows\System\BYekkOP.exe
  C:\Windows\System\BYekkOP.exe
  2⤵
  PID:7480
- C:\Windows\System\OBcxGSI.exe
  C:\Windows\System\OBcxGSI.exe
  2⤵
  PID:7680
- C:\Windows\System\cdTftNq.exe
  C:\Windows\System\cdTftNq.exe
  2⤵
  PID:7792
- C:\Windows\System\irZXmwh.exe
  C:\Windows\System\irZXmwh.exe
  2⤵
  PID:7996
- C:\Windows\System\bJLAYpe.exe
  C:\Windows\System\bJLAYpe.exe
  2⤵
  PID:8096
- C:\Windows\System\NYQeibX.exe
  C:\Windows\System\NYQeibX.exe
  2⤵
  PID:8156
- C:\Windows\System\cCOfaTz.exe
  C:\Windows\System\cCOfaTz.exe
  2⤵
  PID:7336
- C:\Windows\System\ntTdJTA.exe
  C:\Windows\System\ntTdJTA.exe
  2⤵
  PID:7676
- C:\Windows\System\IWrIeqM.exe
  C:\Windows\System\IWrIeqM.exe
  2⤵
  PID:7944
- C:\Windows\System\yXnndbM.exe
  C:\Windows\System\yXnndbM.exe
  2⤵
  PID:8136
- C:\Windows\System\kMZnxLC.exe
  C:\Windows\System\kMZnxLC.exe
  2⤵
  PID:7364
- C:\Windows\System\FUZxTvS.exe
  C:\Windows\System\FUZxTvS.exe
  2⤵
  PID:7320
- C:\Windows\System\zfAGBHZ.exe
  C:\Windows\System\zfAGBHZ.exe
  2⤵
  PID:7512
- C:\Windows\System\AcnxrnB.exe
  C:\Windows\System\AcnxrnB.exe
  2⤵
  PID:7588
- C:\Windows\System\iAUzOLu.exe
  C:\Windows\System\iAUzOLu.exe
  2⤵
  PID:8240
- C:\Windows\System\gwxFLeP.exe
  C:\Windows\System\gwxFLeP.exe
  2⤵
  PID:8268
- C:\Windows\System\qQSdtrx.exe
  C:\Windows\System\qQSdtrx.exe
  2⤵
  PID:8288
- C:\Windows\System\mbmRzuJ.exe
  C:\Windows\System\mbmRzuJ.exe
  2⤵
  PID:8316
- C:\Windows\System\frlzdkw.exe
  C:\Windows\System\frlzdkw.exe
  2⤵
  PID:8352
- C:\Windows\System\oeqMRPq.exe
  C:\Windows\System\oeqMRPq.exe
  2⤵
  PID:8368
- C:\Windows\System\CwQBAnx.exe
  C:\Windows\System\CwQBAnx.exe
  2⤵
  PID:8428
- C:\Windows\System\GNNrzgu.exe
  C:\Windows\System\GNNrzgu.exe
  2⤵
  PID:8456
- C:\Windows\System\YTxZXHM.exe
  C:\Windows\System\YTxZXHM.exe
  2⤵
  PID:8472
- C:\Windows\System\MwlrTwp.exe
  C:\Windows\System\MwlrTwp.exe
  2⤵
  PID:8500
- C:\Windows\System\VGmZXMm.exe
  C:\Windows\System\VGmZXMm.exe
  2⤵
  PID:8520
- C:\Windows\System\VeDxFJu.exe
  C:\Windows\System\VeDxFJu.exe
  2⤵
  PID:8544
- C:\Windows\System\gEBtcuk.exe
  C:\Windows\System\gEBtcuk.exe
  2⤵
  PID:8560
- C:\Windows\System\FEBFoUP.exe
  C:\Windows\System\FEBFoUP.exe
  2⤵
  PID:8580
- C:\Windows\System\nvNVThV.exe
  C:\Windows\System\nvNVThV.exe
  2⤵
  PID:8644
- C:\Windows\System\ASBSoOH.exe
  C:\Windows\System\ASBSoOH.exe
  2⤵
  PID:8700
- C:\Windows\System\ciUfqLT.exe
  C:\Windows\System\ciUfqLT.exe
  2⤵
  PID:8724
- C:\Windows\System\UWpNipO.exe
  C:\Windows\System\UWpNipO.exe
  2⤵
  PID:8744
- C:\Windows\System\TYAuMIF.exe
  C:\Windows\System\TYAuMIF.exe
  2⤵
  PID:8768
- C:\Windows\System\iEYlNcJ.exe
  C:\Windows\System\iEYlNcJ.exe
  2⤵
  PID:8820
- C:\Windows\System\AGanoZc.exe
  C:\Windows\System\AGanoZc.exe
  2⤵
  PID:8844
- C:\Windows\System\yIIRHuZ.exe
  C:\Windows\System\yIIRHuZ.exe
  2⤵
  PID:8884
- C:\Windows\System\yYwiQHn.exe
  C:\Windows\System\yYwiQHn.exe
  2⤵
  PID:8904
- C:\Windows\System\cOheyUZ.exe
  C:\Windows\System\cOheyUZ.exe
  2⤵
  PID:8924
- C:\Windows\System\jxScaAH.exe
  C:\Windows\System\jxScaAH.exe
  2⤵
  PID:8948
- C:\Windows\System\mCOjEyM.exe
  C:\Windows\System\mCOjEyM.exe
  2⤵
  PID:8972
- C:\Windows\System\NkoBWUY.exe
  C:\Windows\System\NkoBWUY.exe
  2⤵
  PID:8992
- C:\Windows\System\LzIUEcj.exe
  C:\Windows\System\LzIUEcj.exe
  2⤵
  PID:9012
- C:\Windows\System\POSmnJz.exe
  C:\Windows\System\POSmnJz.exe
  2⤵
  PID:9072
- C:\Windows\System\SZEdjzq.exe
  C:\Windows\System\SZEdjzq.exe
  2⤵
  PID:9108
- C:\Windows\System\CchVOeT.exe
  C:\Windows\System\CchVOeT.exe
  2⤵
  PID:9128
- C:\Windows\System\AbZyezX.exe
  C:\Windows\System\AbZyezX.exe
  2⤵
  PID:9144
- C:\Windows\System\VYtEDSb.exe
  C:\Windows\System\VYtEDSb.exe
  2⤵
  PID:9164
- C:\Windows\System\aCUrhCR.exe
  C:\Windows\System\aCUrhCR.exe
  2⤵
  PID:9204
- C:\Windows\System\GtPsjSF.exe
  C:\Windows\System\GtPsjSF.exe
  2⤵
  PID:8148
- C:\Windows\System\bBKMeqc.exe
  C:\Windows\System\bBKMeqc.exe
  2⤵
  PID:7412
- C:\Windows\System\yyhrKZB.exe
  C:\Windows\System\yyhrKZB.exe
  2⤵
  PID:8248
- C:\Windows\System\vTKSNRp.exe
  C:\Windows\System\vTKSNRp.exe
  2⤵
  PID:8420
- C:\Windows\System\AKInmrv.exe
  C:\Windows\System\AKInmrv.exe
  2⤵
  PID:8360
- C:\Windows\System\kKvZzXH.exe
  C:\Windows\System\kKvZzXH.exe
  2⤵
  PID:8212
- C:\Windows\System\qIBXQMi.exe
  C:\Windows\System\qIBXQMi.exe
  2⤵
  PID:3804
- C:\Windows\System\BnNFMdJ.exe
  C:\Windows\System\BnNFMdJ.exe
  2⤵
  PID:8208
- C:\Windows\System\DrhYlEq.exe
  C:\Windows\System\DrhYlEq.exe
  2⤵
  PID:8556
- C:\Windows\System\NoDKYpy.exe
  C:\Windows\System\NoDKYpy.exe
  2⤵
  PID:8540
- C:\Windows\System\yoNHuwH.exe
  C:\Windows\System\yoNHuwH.exe
  2⤵
  PID:8664
- C:\Windows\System\PyzMZgs.exe
  C:\Windows\System\PyzMZgs.exe
  2⤵
  PID:8692
- C:\Windows\System\TSxmLpo.exe
  C:\Windows\System\TSxmLpo.exe
  2⤵
  PID:8808
- C:\Windows\System\jmNEDbh.exe
  C:\Windows\System\jmNEDbh.exe
  2⤵
  PID:8940
- C:\Windows\System\JtMWBIl.exe
  C:\Windows\System\JtMWBIl.exe
  2⤵
  PID:8980
- C:\Windows\System\QApfyHi.exe
  C:\Windows\System\QApfyHi.exe
  2⤵
  PID:9036
- C:\Windows\System\azWORIU.exe
  C:\Windows\System\azWORIU.exe
  2⤵
  PID:9092
- C:\Windows\System\FutEerw.exe
  C:\Windows\System\FutEerw.exe
  2⤵
  PID:9212
- C:\Windows\System\sePAvbk.exe
  C:\Windows\System\sePAvbk.exe
  2⤵
  PID:9200
- C:\Windows\System\MNkGbTb.exe
  C:\Windows\System\MNkGbTb.exe
  2⤵
  PID:8220
- C:\Windows\System\UfABXXO.exe
  C:\Windows\System\UfABXXO.exe
  2⤵
  PID:8464
- C:\Windows\System\iZlfOeK.exe
  C:\Windows\System\iZlfOeK.exe
  2⤵
  PID:8204
- C:\Windows\System\eOUKdde.exe
  C:\Windows\System\eOUKdde.exe
  2⤵
  PID:8576
- C:\Windows\System\beqrKLO.exe
  C:\Windows\System\beqrKLO.exe
  2⤵
  PID:8804
- C:\Windows\System\cMiOaGW.exe
  C:\Windows\System\cMiOaGW.exe
  2⤵
  PID:9044
- C:\Windows\System\XtfKKzx.exe
  C:\Windows\System\XtfKKzx.exe
  2⤵
  PID:8200
- C:\Windows\System\bvFlDPb.exe
  C:\Windows\System\bvFlDPb.exe
  2⤵
  PID:8448
- C:\Windows\System\MnoHsyb.exe
  C:\Windows\System\MnoHsyb.exe
  2⤵
  PID:8708
- C:\Windows\System\OVVyDwk.exe
  C:\Windows\System\OVVyDwk.exe
  2⤵
  PID:9068
- C:\Windows\System\MJvZuhy.exe
  C:\Windows\System\MJvZuhy.exe
  2⤵
  PID:8280
- C:\Windows\System\rdcYrFl.exe
  C:\Windows\System\rdcYrFl.exe
  2⤵
  PID:8496
- C:\Windows\System\OOkJeHU.exe
  C:\Windows\System\OOkJeHU.exe
  2⤵
  PID:9236
- C:\Windows\System\RjLWYps.exe
  C:\Windows\System\RjLWYps.exe
  2⤵
  PID:9280
- C:\Windows\System\sPtlWdL.exe
  C:\Windows\System\sPtlWdL.exe
  2⤵
  PID:9304
- C:\Windows\System\ZqahFSs.exe
  C:\Windows\System\ZqahFSs.exe
  2⤵
  PID:9336
- C:\Windows\System\nYmJXMR.exe
  C:\Windows\System\nYmJXMR.exe
  2⤵
  PID:9364
- C:\Windows\System\zGIVSnp.exe
  C:\Windows\System\zGIVSnp.exe
  2⤵
  PID:9400
- C:\Windows\System\DGRQAZG.exe
  C:\Windows\System\DGRQAZG.exe
  2⤵
  PID:9440
- C:\Windows\System\BQxrAck.exe
  C:\Windows\System\BQxrAck.exe
  2⤵
  PID:9460
- C:\Windows\System\yrWCHhN.exe
  C:\Windows\System\yrWCHhN.exe
  2⤵
  PID:9492
- C:\Windows\System\cyHrrVf.exe
  C:\Windows\System\cyHrrVf.exe
  2⤵
  PID:9508
- C:\Windows\System\WIWmTEW.exe
  C:\Windows\System\WIWmTEW.exe
  2⤵
  PID:9528
- C:\Windows\System\AsZXTRO.exe
  C:\Windows\System\AsZXTRO.exe
  2⤵
  PID:9568
- C:\Windows\System\sGAbXIk.exe
  C:\Windows\System\sGAbXIk.exe
  2⤵
  PID:9588
- C:\Windows\System\wGftOCh.exe
  C:\Windows\System\wGftOCh.exe
  2⤵
  PID:9616
- C:\Windows\System\hDasWSp.exe
  C:\Windows\System\hDasWSp.exe
  2⤵
  PID:9660
- C:\Windows\System\ibsuFDr.exe
  C:\Windows\System\ibsuFDr.exe
  2⤵
  PID:9680
- C:\Windows\System\XiAELRz.exe
  C:\Windows\System\XiAELRz.exe
  2⤵
  PID:9700
- C:\Windows\System\atIMNug.exe
  C:\Windows\System\atIMNug.exe
  2⤵
  PID:9812
- C:\Windows\System\eSEhdKM.exe
  C:\Windows\System\eSEhdKM.exe
  2⤵
  PID:9852
- C:\Windows\System\apGnJOP.exe
  C:\Windows\System\apGnJOP.exe
  2⤵
  PID:9908
- C:\Windows\System\YAeiRPP.exe
  C:\Windows\System\YAeiRPP.exe
  2⤵
  PID:9924
- C:\Windows\System\ddKeRVN.exe
  C:\Windows\System\ddKeRVN.exe
  2⤵
  PID:9940
- C:\Windows\System\vPzHSkH.exe
  C:\Windows\System\vPzHSkH.exe
  2⤵
  PID:9956
- C:\Windows\System\tJVzAyX.exe
  C:\Windows\System\tJVzAyX.exe
  2⤵
  PID:9972
- C:\Windows\System\zFBRwdQ.exe
  C:\Windows\System\zFBRwdQ.exe
  2⤵
  PID:9996
- C:\Windows\System\dXVGkDm.exe
  C:\Windows\System\dXVGkDm.exe
  2⤵
  PID:10012
- C:\Windows\System\qzpizEy.exe
  C:\Windows\System\qzpizEy.exe
  2⤵
  PID:10032
- C:\Windows\System\uWZOOhw.exe
  C:\Windows\System\uWZOOhw.exe
  2⤵
  PID:10072
- C:\Windows\System\LcRygaN.exe
  C:\Windows\System\LcRygaN.exe
  2⤵
  PID:10096
- C:\Windows\System\yOpaMBV.exe
  C:\Windows\System\yOpaMBV.exe
  2⤵
  PID:10144
- C:\Windows\System\MNgdzDc.exe
  C:\Windows\System\MNgdzDc.exe
  2⤵
  PID:10204
- C:\Windows\System\rKgTlWe.exe
  C:\Windows\System\rKgTlWe.exe
  2⤵
  PID:10232
- C:\Windows\System\kZVHCsR.exe
  C:\Windows\System\kZVHCsR.exe
  2⤵
  PID:8988
- C:\Windows\System\gzmBSMG.exe
  C:\Windows\System\gzmBSMG.exe
  2⤵
  PID:9272
- C:\Windows\System\NyouCyy.exe
  C:\Windows\System\NyouCyy.exe
  2⤵
  PID:9312
- C:\Windows\System\RAjAyTK.exe
  C:\Windows\System\RAjAyTK.exe
  2⤵
  PID:9424
- C:\Windows\System\vDRRxIh.exe
  C:\Windows\System\vDRRxIh.exe
  2⤵
  PID:9596
- C:\Windows\System\eTciEjw.exe
  C:\Windows\System\eTciEjw.exe
  2⤵
  PID:9628
- C:\Windows\System\MBVqwFd.exe
  C:\Windows\System\MBVqwFd.exe
  2⤵
  PID:9676
- C:\Windows\System\mUiViSI.exe
  C:\Windows\System\mUiViSI.exe
  2⤵
  PID:9848
- C:\Windows\System\IFWLzde.exe
  C:\Windows\System\IFWLzde.exe
  2⤵
  PID:9832
- C:\Windows\System\WfRQWLz.exe
  C:\Windows\System\WfRQWLz.exe
  2⤵
  PID:9752
- C:\Windows\System\TdCCAks.exe
  C:\Windows\System\TdCCAks.exe
  2⤵
  PID:9800
- C:\Windows\System\OpwWadg.exe
  C:\Windows\System\OpwWadg.exe
  2⤵
  PID:9964
- C:\Windows\System\dYHGUhE.exe
  C:\Windows\System\dYHGUhE.exe
  2⤵
  PID:9892
- C:\Windows\System\vlFDfgH.exe
  C:\Windows\System\vlFDfgH.exe
  2⤵
  PID:9936
- C:\Windows\System\xAMcadD.exe
  C:\Windows\System\xAMcadD.exe
  2⤵
  PID:10008
- C:\Windows\System\EjoSGyR.exe
  C:\Windows\System\EjoSGyR.exe
  2⤵
  PID:10048
- C:\Windows\System\qkbnIlr.exe
  C:\Windows\System\qkbnIlr.exe
  2⤵
  PID:10136
- C:\Windows\System\sEoAuDi.exe
  C:\Windows\System\sEoAuDi.exe
  2⤵
  PID:8656
- C:\Windows\System\EdXGvDG.exe
  C:\Windows\System\EdXGvDG.exe
  2⤵
  PID:10224
- C:\Windows\System\vovIbvd.exe
  C:\Windows\System\vovIbvd.exe
  2⤵
  PID:9456
- C:\Windows\System\LLOZXue.exe
  C:\Windows\System\LLOZXue.exe
  2⤵
  PID:9580
- C:\Windows\System\pKOxiMi.exe
  C:\Windows\System\pKOxiMi.exe
  2⤵
  PID:9768
- C:\Windows\System\MSAjxbf.exe
  C:\Windows\System\MSAjxbf.exe
  2⤵
  PID:9764
- C:\Windows\System\zGZcPzd.exe
  C:\Windows\System\zGZcPzd.exe
  2⤵
  PID:9920
- C:\Windows\System\WUyMBmH.exe
  C:\Windows\System\WUyMBmH.exe
  2⤵
  PID:9952
- C:\Windows\System\FMuUCrM.exe
  C:\Windows\System\FMuUCrM.exe
  2⤵
  PID:10228
- C:\Windows\System\roQDRet.exe
  C:\Windows\System\roQDRet.exe
  2⤵
  PID:10192
- C:\Windows\System\KrObbBO.exe
  C:\Windows\System\KrObbBO.exe
  2⤵
  PID:9484
- C:\Windows\System\UBSMpiY.exe
  C:\Windows\System\UBSMpiY.exe
  2⤵
  PID:9864
- C:\Windows\System\VoTpdUq.exe
  C:\Windows\System\VoTpdUq.exe
  2⤵
  PID:8752
- C:\Windows\System\FAJCFnf.exe
  C:\Windows\System\FAJCFnf.exe
  2⤵
  PID:9716
- C:\Windows\System\GRypjXM.exe
  C:\Windows\System\GRypjXM.exe
  2⤵
  PID:10252
- C:\Windows\System\HSTKAOP.exe
  C:\Windows\System\HSTKAOP.exe
  2⤵
  PID:10276
- C:\Windows\System\KVnHwvD.exe
  C:\Windows\System\KVnHwvD.exe
  2⤵
  PID:10316
- C:\Windows\System\OdqciWU.exe
  C:\Windows\System\OdqciWU.exe
  2⤵
  PID:10332
- C:\Windows\System\fPjRAYO.exe
  C:\Windows\System\fPjRAYO.exe
  2⤵
  PID:10372
- C:\Windows\System\YJMmtGp.exe
  C:\Windows\System\YJMmtGp.exe
  2⤵
  PID:10424
- C:\Windows\System\XVJHnfg.exe
  C:\Windows\System\XVJHnfg.exe
  2⤵
  PID:10440
- C:\Windows\System\iFxOpTa.exe
  C:\Windows\System\iFxOpTa.exe
  2⤵
  PID:10460
- C:\Windows\System\QwblFWa.exe
  C:\Windows\System\QwblFWa.exe
  2⤵
  PID:10480
- C:\Windows\System\XreccYE.exe
  C:\Windows\System\XreccYE.exe
  2⤵
  PID:10520
- C:\Windows\System\BcaFviw.exe
  C:\Windows\System\BcaFviw.exe
  2⤵
  PID:10556
- C:\Windows\System\qTWWquN.exe
  C:\Windows\System\qTWWquN.exe
  2⤵
  PID:10580
- C:\Windows\System\sCTwYHi.exe
  C:\Windows\System\sCTwYHi.exe
  2⤵
  PID:10600
- C:\Windows\System\ZzapNia.exe
  C:\Windows\System\ZzapNia.exe
  2⤵
  PID:10616
- C:\Windows\System\YjNbaab.exe
  C:\Windows\System\YjNbaab.exe
  2⤵
  PID:10636
- C:\Windows\System\XaRbmDP.exe
  C:\Windows\System\XaRbmDP.exe
  2⤵
  PID:10664
- C:\Windows\System\yqgwEbA.exe
  C:\Windows\System\yqgwEbA.exe
  2⤵
  PID:10692
- C:\Windows\System\RusEmYi.exe
  C:\Windows\System\RusEmYi.exe
  2⤵
  PID:10708
- C:\Windows\System\bygONWs.exe
  C:\Windows\System\bygONWs.exe
  2⤵
  PID:10740
- C:\Windows\System\EVEjQgy.exe
  C:\Windows\System\EVEjQgy.exe
  2⤵
  PID:10788
- C:\Windows\System\XezWcGB.exe
  C:\Windows\System\XezWcGB.exe
  2⤵
  PID:10808
- C:\Windows\System\pKHAPJS.exe
  C:\Windows\System\pKHAPJS.exe
  2⤵
  PID:10848
- C:\Windows\System\TeoZfJZ.exe
  C:\Windows\System\TeoZfJZ.exe
  2⤵
  PID:10884
- C:\Windows\System\sLgjNdW.exe
  C:\Windows\System\sLgjNdW.exe
  2⤵
  PID:10912
- C:\Windows\System\wIXGWxZ.exe
  C:\Windows\System\wIXGWxZ.exe
  2⤵
  PID:10940
- C:\Windows\System\kqVFOku.exe
  C:\Windows\System\kqVFOku.exe
  2⤵
  PID:10964
- C:\Windows\System\PSpeGPR.exe
  C:\Windows\System\PSpeGPR.exe
  2⤵
  PID:10980
- C:\Windows\System\gYaGNby.exe
  C:\Windows\System\gYaGNby.exe
  2⤵
  PID:11028
- C:\Windows\System\MPBAmBz.exe
  C:\Windows\System\MPBAmBz.exe
  2⤵
  PID:11060
- C:\Windows\System\GOAUlbB.exe
  C:\Windows\System\GOAUlbB.exe
  2⤵
  PID:11096
- C:\Windows\System\ZKdmPTO.exe
  C:\Windows\System\ZKdmPTO.exe
  2⤵
  PID:11120
- C:\Windows\System\WiCIQBl.exe
  C:\Windows\System\WiCIQBl.exe
  2⤵
  PID:11144
- C:\Windows\System\jACRMHx.exe
  C:\Windows\System\jACRMHx.exe
  2⤵
  PID:11184
- C:\Windows\System\NBSBABv.exe
  C:\Windows\System\NBSBABv.exe
  2⤵
  PID:11208
- C:\Windows\System\wVTSVeo.exe
  C:\Windows\System\wVTSVeo.exe
  2⤵
  PID:11228
- C:\Windows\System\jAuejFP.exe
  C:\Windows\System\jAuejFP.exe
  2⤵
  PID:11248
- C:\Windows\System\tXwrzAO.exe
  C:\Windows\System\tXwrzAO.exe
  2⤵
  PID:9984
- C:\Windows\System\NFucBhV.exe
  C:\Windows\System\NFucBhV.exe
  2⤵
  PID:10248
- C:\Windows\System\FVtjbDo.exe
  C:\Windows\System\FVtjbDo.exe
  2⤵
  PID:10296
- C:\Windows\System\lsxMwvg.exe
  C:\Windows\System\lsxMwvg.exe
  2⤵
  PID:10400
- C:\Windows\System\UENbGkg.exe
  C:\Windows\System\UENbGkg.exe
  2⤵
  PID:10496
- C:\Windows\System\bTTofoS.exe
  C:\Windows\System\bTTofoS.exe
  2⤵
  PID:10544
- C:\Windows\System\krDAMDZ.exe
  C:\Windows\System\krDAMDZ.exe
  2⤵
  PID:10680
- C:\Windows\System\VGzZWdM.exe
  C:\Windows\System\VGzZWdM.exe
  2⤵
  PID:10672
- C:\Windows\System\WPAMbok.exe
  C:\Windows\System\WPAMbok.exe
  2⤵
  PID:10704
- C:\Windows\System\ogahmDo.exe
  C:\Windows\System\ogahmDo.exe
  2⤵
  PID:10768
- C:\Windows\System\rqOvANV.exe
  C:\Windows\System\rqOvANV.exe
  2⤵
  PID:10892
- C:\Windows\System\oJKNNVR.exe
  C:\Windows\System\oJKNNVR.exe
  2⤵
  PID:10908
- C:\Windows\System\NkzLiKW.exe
  C:\Windows\System\NkzLiKW.exe
  2⤵
  PID:10960
- C:\Windows\System\YJUpkqq.exe
  C:\Windows\System\YJUpkqq.exe
  2⤵
  PID:11012
- C:\Windows\System\spNaybM.exe
  C:\Windows\System\spNaybM.exe
  2⤵
  PID:11072
- C:\Windows\System\XQutKtn.exe
  C:\Windows\System\XQutKtn.exe
  2⤵
  PID:11116
- C:\Windows\System\abwVpvc.exe
  C:\Windows\System\abwVpvc.exe
  2⤵
  PID:11160
- C:\Windows\System\cLqlGTx.exe
  C:\Windows\System\cLqlGTx.exe
  2⤵
  PID:11220
- C:\Windows\System\tewjQEo.exe
  C:\Windows\System\tewjQEo.exe
  2⤵
  PID:9896
- C:\Windows\System\UKPIpwQ.exe
  C:\Windows\System\UKPIpwQ.exe
  2⤵
  PID:10264
- C:\Windows\System\lkAPYvc.exe
  C:\Windows\System\lkAPYvc.exe
  2⤵
  PID:10436
- C:\Windows\System\tzuTmMn.exe
  C:\Windows\System\tzuTmMn.exe
  2⤵
  PID:10596
- C:\Windows\System\gAWbRiT.exe
  C:\Windows\System\gAWbRiT.exe
  2⤵
  PID:10776
- C:\Windows\System\rMqCVpb.exe
  C:\Windows\System\rMqCVpb.exe
  2⤵
  PID:11240
- C:\Windows\System\kVAOkmV.exe
  C:\Windows\System\kVAOkmV.exe
  2⤵
  PID:10452
- C:\Windows\System\KLnGeDi.exe
  C:\Windows\System\KLnGeDi.exe
  2⤵
  PID:11112
- C:\Windows\System\oMiuSIy.exe
  C:\Windows\System\oMiuSIy.exe
  2⤵
  PID:10720
- C:\Windows\System\YrGjoTA.exe
  C:\Windows\System\YrGjoTA.exe
  2⤵
  PID:11296
- C:\Windows\System\uEgZgaw.exe
  C:\Windows\System\uEgZgaw.exe
  2⤵
  PID:11352
- C:\Windows\System\gejKjRZ.exe
  C:\Windows\System\gejKjRZ.exe
  2⤵
  PID:11400
- C:\Windows\System\tvSUbWE.exe
  C:\Windows\System\tvSUbWE.exe
  2⤵
  PID:11428
- C:\Windows\System\IMOJVHs.exe
  C:\Windows\System\IMOJVHs.exe
  2⤵
  PID:11452
- C:\Windows\System\YMqEQYT.exe
  C:\Windows\System\YMqEQYT.exe
  2⤵
  PID:11484
- C:\Windows\System\ClRfSZV.exe
  C:\Windows\System\ClRfSZV.exe
  2⤵
  PID:11512
- C:\Windows\System\XSCzNKx.exe
  C:\Windows\System\XSCzNKx.exe
  2⤵
  PID:11540
- C:\Windows\System\SkToRdD.exe
  C:\Windows\System\SkToRdD.exe
  2⤵
  PID:11560
- C:\Windows\System\tEsDBhD.exe
  C:\Windows\System\tEsDBhD.exe
  2⤵
  PID:11592
- C:\Windows\System\HJszzrZ.exe
  C:\Windows\System\HJszzrZ.exe
  2⤵
  PID:11612
- C:\Windows\System\HSAECxz.exe
  C:\Windows\System\HSAECxz.exe
  2⤵
  PID:11664
- C:\Windows\System\hrjXrQb.exe
  C:\Windows\System\hrjXrQb.exe
  2⤵
  PID:11692
- C:\Windows\System\XRJbnIJ.exe
  C:\Windows\System\XRJbnIJ.exe
  2⤵
  PID:11708
- C:\Windows\System\rgmUKck.exe
  C:\Windows\System\rgmUKck.exe
  2⤵
  PID:11756
- C:\Windows\System\AcAToRN.exe
  C:\Windows\System\AcAToRN.exe
  2⤵
  PID:11772
- C:\Windows\System\rNOyHhS.exe
  C:\Windows\System\rNOyHhS.exe
  2⤵
  PID:11792
- C:\Windows\System\MNCHuJl.exe
  C:\Windows\System\MNCHuJl.exe
  2⤵
  PID:11836
- C:\Windows\System\zYYHCKZ.exe
  C:\Windows\System\zYYHCKZ.exe
  2⤵
  PID:11856
- C:\Windows\System\OfOAZOx.exe
  C:\Windows\System\OfOAZOx.exe
  2⤵
  PID:11888
- C:\Windows\System\bKNAjoe.exe
  C:\Windows\System\bKNAjoe.exe
  2⤵
  PID:11908
- C:\Windows\System\EgIDkmS.exe
  C:\Windows\System\EgIDkmS.exe
  2⤵
  PID:11928
- C:\Windows\System\WAeFksW.exe
  C:\Windows\System\WAeFksW.exe
  2⤵
  PID:11964
- C:\Windows\System\pRCisJE.exe
  C:\Windows\System\pRCisJE.exe
  2⤵
  PID:11984
- C:\Windows\System\zCkgMLt.exe
  C:\Windows\System\zCkgMLt.exe
  2⤵
  PID:12000
- C:\Windows\System\FKbNHxz.exe
  C:\Windows\System\FKbNHxz.exe
  2⤵
  PID:12044
- C:\Windows\System\IcFblBD.exe
  C:\Windows\System\IcFblBD.exe
  2⤵
  PID:12068
- C:\Windows\System\jPwuDsU.exe
  C:\Windows\System\jPwuDsU.exe
  2⤵
  PID:12084
- C:\Windows\System\ZTogcBK.exe
  C:\Windows\System\ZTogcBK.exe
  2⤵
  PID:12140
- C:\Windows\System\GZNAcYg.exe
  C:\Windows\System\GZNAcYg.exe
  2⤵
  PID:12164
- C:\Windows\System\vYypaJl.exe
  C:\Windows\System\vYypaJl.exe
  2⤵
  PID:12180
- C:\Windows\System\kCiAkTe.exe
  C:\Windows\System\kCiAkTe.exe
  2⤵
  PID:12224
- C:\Windows\System\mzeHUfr.exe
  C:\Windows\System\mzeHUfr.exe
  2⤵
  PID:12240
- C:\Windows\System\wEjkuVB.exe
  C:\Windows\System\wEjkuVB.exe
  2⤵
  PID:12264
- C:\Windows\System\mSZqMts.exe
  C:\Windows\System\mSZqMts.exe
  2⤵
  PID:11288
- C:\Windows\System\JGLrYuT.exe
  C:\Windows\System\JGLrYuT.exe
  2⤵
  PID:10368
- C:\Windows\System\sYyQCzu.exe
  C:\Windows\System\sYyQCzu.exe
  2⤵
  PID:11292
- C:\Windows\System\nnzQyUc.exe
  C:\Windows\System\nnzQyUc.exe
  2⤵
  PID:11360
- C:\Windows\System\wvCnYuq.exe
  C:\Windows\System\wvCnYuq.exe
  2⤵
  PID:11392
- C:\Windows\System\Wszrsxv.exe
  C:\Windows\System\Wszrsxv.exe
  2⤵
  PID:11440
- C:\Windows\System\QqZiYqf.exe
  C:\Windows\System\QqZiYqf.exe
  2⤵
  PID:11500
- C:\Windows\System\zXDNznQ.exe
  C:\Windows\System\zXDNznQ.exe
  2⤵
  PID:11636
- C:\Windows\System\JDIaRiZ.exe
  C:\Windows\System\JDIaRiZ.exe
  2⤵
  PID:3224
- C:\Windows\System\fiBVJcY.exe
  C:\Windows\System\fiBVJcY.exe
  2⤵
  PID:11716
- C:\Windows\System\fVAhRab.exe
  C:\Windows\System\fVAhRab.exe
  2⤵
  PID:11764
- C:\Windows\System\hDoEWvS.exe
  C:\Windows\System\hDoEWvS.exe
  2⤵
  PID:11828
- C:\Windows\System\tAgLPKQ.exe
  C:\Windows\System\tAgLPKQ.exe
  2⤵
  PID:11884
- C:\Windows\System\WwHsWeC.exe
  C:\Windows\System\WwHsWeC.exe
  2⤵
  PID:11920
- C:\Windows\System\RdvWbGU.exe
  C:\Windows\System\RdvWbGU.exe
  2⤵
  PID:11972
- C:\Windows\System\YFQMSKQ.exe
  C:\Windows\System\YFQMSKQ.exe
  2⤵
  PID:12056
- C:\Windows\System\aPrRBWL.exe
  C:\Windows\System\aPrRBWL.exe
  2⤵
  PID:12172
- C:\Windows\System\Vckwqgr.exe
  C:\Windows\System\Vckwqgr.exe
  2⤵
  PID:12280
- C:\Windows\System\lRpzjnf.exe
  C:\Windows\System\lRpzjnf.exe
  2⤵
  PID:12260
- C:\Windows\System\Nryxoeu.exe
  C:\Windows\System\Nryxoeu.exe
  2⤵
  PID:10404
- C:\Windows\System\TDhAZlZ.exe
  C:\Windows\System\TDhAZlZ.exe
  2⤵
  PID:11388
- C:\Windows\System\RrbnzwI.exe
  C:\Windows\System\RrbnzwI.exe
  2⤵
  PID:11476
- C:\Windows\System\FdnpozR.exe
  C:\Windows\System\FdnpozR.exe
  2⤵
  PID:11736
- C:\Windows\System\UKyGGXQ.exe
  C:\Windows\System\UKyGGXQ.exe
  2⤵
  PID:11904
- C:\Windows\System\XvPAoRl.exe
  C:\Windows\System\XvPAoRl.exe
  2⤵
  PID:11952
- C:\Windows\System\gjgJgxf.exe
  C:\Windows\System\gjgJgxf.exe
  2⤵
  PID:12148
- C:\Windows\System\yRkTnys.exe
  C:\Windows\System\yRkTnys.exe
  2⤵
  PID:12216
- C:\Windows\System\KYvjiDK.exe
  C:\Windows\System\KYvjiDK.exe
  2⤵
  PID:11136
- C:\Windows\System\ucWLTRx.exe
  C:\Windows\System\ucWLTRx.exe
  2⤵
  PID:4088
- C:\Windows\System\Hptwoay.exe
  C:\Windows\System\Hptwoay.exe
  2⤵
  PID:11812
- C:\Windows\System\oFNMGpz.exe
  C:\Windows\System\oFNMGpz.exe
  2⤵
  PID:11900
- C:\Windows\System\lGHuonV.exe
  C:\Windows\System\lGHuonV.exe
  2⤵
  PID:11880
- C:\Windows\System\xgEjDnJ.exe
  C:\Windows\System\xgEjDnJ.exe
  2⤵
  PID:12316
- C:\Windows\System\lXXSCLt.exe
  C:\Windows\System\lXXSCLt.exe
  2⤵
  PID:12340
- C:\Windows\System\psQdJnj.exe
  C:\Windows\System\psQdJnj.exe
  2⤵
  PID:12360
- C:\Windows\System\QHwkpom.exe
  C:\Windows\System\QHwkpom.exe
  2⤵
  PID:12380
- C:\Windows\System\yscZzxb.exe
  C:\Windows\System\yscZzxb.exe
  2⤵
  PID:12400
- C:\Windows\System\zPgGIYC.exe
  C:\Windows\System\zPgGIYC.exe
  2⤵
  PID:12432
- C:\Windows\System\klfyVFF.exe
  C:\Windows\System\klfyVFF.exe
  2⤵
  PID:12480
- C:\Windows\System\DGMVqVG.exe
  C:\Windows\System\DGMVqVG.exe
  2⤵
  PID:12500
- C:\Windows\System\oXmtUdB.exe
  C:\Windows\System\oXmtUdB.exe
  2⤵
  PID:12532
- C:\Windows\System\rmZKlFa.exe
  C:\Windows\System\rmZKlFa.exe
  2⤵
  PID:12568
- C:\Windows\System\JRUDZgw.exe
  C:\Windows\System\JRUDZgw.exe
  2⤵
  PID:12608
- C:\Windows\System\iVTjblT.exe
  C:\Windows\System\iVTjblT.exe
  2⤵
  PID:12628
- C:\Windows\System\nrJvEAT.exe
  C:\Windows\System\nrJvEAT.exe
  2⤵
  PID:12652
- C:\Windows\System\rGnhbUg.exe
  C:\Windows\System\rGnhbUg.exe
  2⤵
  PID:12672
- C:\Windows\System\xTeeDtx.exe
  C:\Windows\System\xTeeDtx.exe
  2⤵
  PID:12700
- C:\Windows\System\YvWugoS.exe
  C:\Windows\System\YvWugoS.exe
  2⤵
  PID:12728
- C:\Windows\System\BTrPxXF.exe
  C:\Windows\System\BTrPxXF.exe
  2⤵
  PID:12848
- C:\Windows\System\dXixqUx.exe
  C:\Windows\System\dXixqUx.exe
  2⤵
  PID:12868
- C:\Windows\System\DGWFhBy.exe
  C:\Windows\System\DGWFhBy.exe
  2⤵
  PID:12692

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_npcgixgm.cw3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BqodCyA.exe

Filesize
1.9MB

MD5
b0e38a034731fc4f495f0944db067f60

SHA1
01515c6ed0bea1d3fa7cb7048a23e763b687e20c

SHA256
b6f4cd36793c84a557015c23fe76f38dc1cde2dfe507573ef3dbff8fe464cdbe

SHA512
ded79c6345a8258c69733a93d1d80064b3468a777e60f52bf8852bcef31af51e8405790f1a6334ab731281b8163856064c5b9ee4c8fcdc408dfc122a6b17194f

Download Submit
C:\Windows\System\DJQBrsM.exe

Filesize
1.9MB

MD5
628777b6930fe1ecd025d67b331485d7

SHA1
30bd1c0563edebe70b39d885fd713f18135ad207

SHA256
1bf1381112150a9e81c562526f55baa78921bd2391a9eb936c769e499aa585e1

SHA512
fabefdc3d99ce04bc5ef17614c6101858c13c645852057ddaa0d39e4491478e70d05aca2d24e3d1467d088cc9a15163cc8c839c92f2204c1da7fb8e4ca09575b

Download Submit
C:\Windows\System\DkcUhfZ.exe

Filesize
1.9MB

MD5
dc7b6099625e5b55b196b4e287e03136

SHA1
64f1b3c851abf370ef06610ceeea3adb26f6caa5

SHA256
87bf984bbbee4fe1d80ee5da311d11aaf19d34ea2565022e15914097e5095f1d

SHA512
b6f402e8bb6999e5df27f65ac7b7d0dd6162b4f0339cfe1cefe8f4ef149ab4caa49f632187b62feea4c57df08e5fb8efd44acba695163027743c747fd4c4345e

Download Submit
C:\Windows\System\FSYiAwI.exe

Filesize
1.9MB

MD5
ceda3be1386eb8c37187548abaa977f7

SHA1
e95174a12b93ba1ff3a59c72f2f65e97cec02c68

SHA256
557b73d7cabc5c0dc9cf10d83bae7e7a5225ac41d344c255f2d6e5861df949d4

SHA512
4cd3ebe4e7f8651673fc6d6a05199a334d14f93bc49bcdcd7a6294f21483b9908c5227c5371901776783b5f5325e1d08254ae58741355cc2aaff06850a84e6e1

Download Submit
C:\Windows\System\FXqDzsV.exe

Filesize
1.9MB

MD5
f04092ed19d7f8f4a2a1e155f7916b66

SHA1
9310798a04919d5d3a596f71ac8d8ca5cf3983da

SHA256
b5751f2640428f7b60e45926fca17a1d41643879c36f470c15e2c3f0988ea2dd

SHA512
12caa00e520f03bfe2731873271bad30ff8ff2c62a656bd1983a268d7a44ca3057ef9e0ed09760ccf15246217d2392f8ea3c1bb54fbe8d9f6b5fc04adc6591f1

Download Submit
C:\Windows\System\FgyLpdK.exe

Filesize
1.9MB

MD5
352f1bcc6182336693bde23464416897

SHA1
d10be34ed168ec6108aceb64f2e356a860104ed5

SHA256
eadcc0de8cec57ff46ec937ce7900571a0dda376a0df03a045bf1a6dc3555f4a

SHA512
d23cce7ce2e08afd060f5e158a4b0128224745ed686570c2572b3dabc6772fd6619b0d276aacfad7af9a828cc0c37535c8236a6e4da1fde193b4f01c550adaa9

Download Submit
C:\Windows\System\KxzTCvS.exe

Filesize
1.9MB

MD5
409a3689eae7707f86444412dbe7d6b5

SHA1
9e3527437bf7f1f71a847f9536da58e065744490

SHA256
ecf183f692d9e12a473cd2aa525420825348ef989b7fdda0ff7a85e6a730c769

SHA512
25a8f41628bd428144548891be6b9ef37d1dd70f24a7ebe986d3ec6db2b37c583f35e23ffca85df09cf8a80b4a3a1eac1f6ed1d06576ade119bc45e4a63c5c5a

Download Submit
C:\Windows\System\NstuZqp.exe

Filesize
1.9MB

MD5
ea41c0663ea1c383d6ec46d80195187f

SHA1
b254594879d1920256749042b1f657fa98b3b84e

SHA256
dfc8134abc93db6bd437f722bcf7a2de7f78b965747a0b1c33b58814a9064873

SHA512
7734610ce158bde3c151af663ac29959db0567a05aa5808389676e06dd3391d38c49426676a051d31a835e9b3d190670f820d3559036ccde553c02aed2723256

Download Submit
C:\Windows\System\QLMNwff.exe

Filesize
1.9MB

MD5
689d63cb0461ce46ee494684c4867e51

SHA1
5aad3645c1cbcaae086a0cb7b581d506d9f958f4

SHA256
5e0403adf3e39b9bf3967e67ce225ae111e334d87895464afcb2eec3c211c64a

SHA512
6ec696596d958a57a4ac420f548b72c7796105081384705d53684ccaef62a6703d56ffede1935d58f743b50d49d08b2998ac576212d31709f340ae65eafa33a4

Download Submit
C:\Windows\System\TlAUVmT.exe

Filesize
1.9MB

MD5
aa17df6708cb959cb5e90d30f7c229de

SHA1
c0b21f56ca6e619823dd5ee468fcdd4de78f4ddd

SHA256
70e07b38b81df901495b0f4ab08efeb451709825b157dddd7398e791bfbbe2e9

SHA512
cd18969e9ecb4351352eeb0e910947c5daade51cc8bb22124f901b719f234438e4d231cc3a37271b38bd3fcf03c4a6c5c7a4093ad784a09631d5428ecd1d8de4

Download Submit
C:\Windows\System\TqoUCtF.exe

Filesize
1.9MB

MD5
bfca2258a32458d41f126f4a62a3269d

SHA1
cf58c4a11d092751610a2dcf45933a2b24372d05

SHA256
61c6c8ab7c4a6e30992abc8a6903702722577df1aacd42a7250f5fbb88bd0478

SHA512
8e0f89e3313a994bc824b67ce63d9379a830652efc61f8519e741a67501ee7c035867d2ba8f5ce64afbcc286394437af29d20bb1dd9aacb76643ab32ee2d71eb

Download Submit
C:\Windows\System\UdkNbCO.exe

Filesize
1.9MB

MD5
d2f2e6c70576951cd280913088637434

SHA1
bf6f582f24eadc222d1108e3bd19ecb404d89093

SHA256
d250bc7c4d9667e0f4c3319cf0ec6ef473b538c980019005234a7018c6ffa4b7

SHA512
811891ba2743ee4dcaffb76a493bd527a24fe4b947fd28b32f74485bc2e0b03518bd1b350500cc23d07d0d24a39453fc20ad3709f84640934c0cc6c75800d846

Download Submit
C:\Windows\System\WNqditD.exe

Filesize
1.9MB

MD5
d0aff9322313559d4d2d2a344a13d852

SHA1
1fff0f4145d0511f06a51583171dad2d3ee24e75

SHA256
4fabf22c522bfc83673b2b969734844b60bf17503ccdd86fbfc19bb7c82f6a1f

SHA512
d3f64f5149103bbaaafa663c1599ef8d8e773abb181036f21f59069f1a2566783a9f829ff24887372b2ffbf04e37ed15801070d0c86e7474905b407d0c6f85df

Download Submit
C:\Windows\System\YoExRlP.exe

Filesize
1.9MB

MD5
78a49ed7e9679450da02941f119bd032

SHA1
9279c90cb6eba2ac512d15c10f8da248b7035830

SHA256
580fe90adc008b3aa6859ae4344e4f18af5fafeaa82487175460192563a48152

SHA512
b1a9def235461c918fad753e03c1ea49e433e807482795873544f04fa4d84bedf2c0565ab88a120e5f3aeddf705f1bd828a5aad96474499d5d91e89baabae849

Download Submit
C:\Windows\System\ZdHPkmg.exe

Filesize
1.9MB

MD5
f26b9798d5f45c307493849e97ccd6f5

SHA1
404f5ad0c52ab316ef188fa2bbb3c1854e732215

SHA256
c707c952aa717704f45f7211fe9b1944c96543871dec683bbe8c078a9593b526

SHA512
89412df8b63c6fe0c18e559f0615f1bba2cbf4990228589522ab87436aef7fd8943e972cff5669d9d90264f807c4ae1f722ad25940f28f85b6bcf89d75fa1d36

Download Submit
C:\Windows\System\ZgdNZDX.exe

Filesize
8B

MD5
1af7e98463131124b148af32285c918d

SHA1
4fc8eb3d450b38da0e2316366a916fa521d6d5e3

SHA256
d023445448a248e11aeca045c34b63465bae476a73399cb8ca6cdacc6a044499

SHA512
cc36debed9e4a37cf20562198a93c6bec18ccc7c03b74204f72f9af5ad89c2c65c02a91c47fa3cb98427bbb72bfb1a0abe5465c78403f138717bd5b0c82f1312

Download Submit
C:\Windows\System\ZkPEIEu.exe

Filesize
1.9MB

MD5
8b7ccb3309b9bb6634ef53d0bc47bc88

SHA1
7c4c5871e6210e2f608afbedb2e22d5a7d5530ae

SHA256
2ba6ef8648b3b83ceccf452cd90016723c4f419cb982bbaa8b512d598d47477c

SHA512
1460a0d308574a0d1d9ce2bf1d49afc0500476b88b47ad95f7270d3b9fed0db45959384bcfcf0dc45e8749c5026bb28143bba633fa911c1bba949d7d48cf4c10

Download Submit
C:\Windows\System\abOVjDp.exe

Filesize
1.9MB

MD5
069b66b5b4e568b749fb45c7445383f9

SHA1
7ccfc00d2f4a9622460a653ba95820fae1ac3ad6

SHA256
4a623cc736e3de83ef587b463bac96d48cbe7e67ee32adda2539e1db7587bfa5

SHA512
4e5ed344a6020b286458f6354d7029d432a0e475adcdde476eca7d1ffcfd7939696dc2c1a7e5fa67c73eba683d674ad31a3dbd184c0a907daa32d66a6b0aa3ed

Download Submit
C:\Windows\System\apqpdfc.exe

Filesize
1.9MB

MD5
0eec911ec23056390663233441fe7338

SHA1
7dbfe09c681f1d8ff415e72a075275c5881875d5

SHA256
0942e7915ade24f318eb0cc13a2af268019332e359276ebbe8d4f1b214d6246e

SHA512
bfeac9b4e36a1a83435f849485bf7a4715c8115b0f8a1bbea447fa0a9686ee5c479501a31aa881006ae0b4d7dc30a124d79a8c19b87830ea723de490d4e73e53

Download Submit
C:\Windows\System\bnpBUnC.exe

Filesize
1.9MB

MD5
ffe3408476735601cbebb6ea1649853b

SHA1
787c5ee4a7550f3f59faa238d5219e92ed401f59

SHA256
34c2e930fd0231c71ea32ca96af6cba6ffa510f93ce1ed27829422d622e5caa3

SHA512
88eca8a2aabf49efe0fda14b871a36aa38eb608d28b0ca7a4e95e3059ac1c82bbd3004d2b634413aa23692690628f27cf7dd0ab287a23c136dff8a4e3fb902bd

Download Submit
C:\Windows\System\dANJqUj.exe

Filesize
1.9MB

MD5
8699e93282f210792e716c05b846cdf1

SHA1
3b08c8af440c65b3344a979344ea8c93c88eb0c1

SHA256
a1e94d61e76f70ccb7ed2b183dd6e879724d0fc83f628306bd6c7f26ecfb97fa

SHA512
c71bc4297d00f07601b5eb5d6d82e8f882b06b1fdb002ec71d9e25d7d47b16371afd86cbdfc00166376ef2a81239ea56617f6ef8c671ac716089e4cc67c01b28

Download Submit
C:\Windows\System\eqGCVSZ.exe

Filesize
1.9MB

MD5
6bed79069998f6b96defdbbc697ce0b7

SHA1
a72838b69a5073c8535d948a2190728716ac4a2c

SHA256
cd88d4afd19390b102a4af3a0843bfd7967937b08c3125c0241886bdeb86d6d1

SHA512
17112736d846a5d2580c0bad8af19c53ba8b38dd5e68fe517f289d35eca00827efbc384d74fd9bea5aeb720c6ebce0f5f17fca52fc5de10599e98f2715c35b13

Download Submit
C:\Windows\System\evMrOuK.exe

Filesize
1.9MB

MD5
b5c3ce027d32f10bf8f7efe1b28140e9

SHA1
f98b1835f98da0bf4ad9c26a0d13fd3ee48d16bb

SHA256
8bbcb0e9610a6c4fd7cfdbfb3796403f8ade492b7034eff1eb008ae8b1c5015f

SHA512
95c73b0d173032c05ef12c490c0ed63460c17245d4716c533b19ecefe762d2c9900436bfabec08afc6cf2197d869fb84902c67472f58894cdd681af7d68c3b84

Download Submit
C:\Windows\System\hlhdBBQ.exe

Filesize
1.9MB

MD5
b141dae2cba167e69fb699805a58d10a

SHA1
6a06658db4f5f4295c3cee996598f274c401c913

SHA256
7cb56939dc2560389888e4e9066f2fc661f9f31265a984be743b3119baa62f10

SHA512
51dfb143170d50220766dece5bc57d17cb8c4bd634a764e25130ab911dc65c9eee8c09ac1029ba1130ece49640a1d07059cb0ca6d5bda953b0f30a844d603ba5

Download Submit
C:\Windows\System\kGacSPv.exe

Filesize
1.9MB

MD5
cea4b4161e840fe21615b194d4185441

SHA1
a431750ec55162d31dfe6c1628b3707bb679c126

SHA256
c7e7175f5882938bef185a618fa39791f3a5f3151ecbf876063433729338fa43

SHA512
6d242fd9abe73967ba172dc6279e0d8e7fcb553a8df85717cc36ffd963f5a88940de5b9abcb500b65dee78b01cdd4ef80ff44851a4ffd818112bf1723d79ae77

Download Submit
C:\Windows\System\kplbIoS.exe

Filesize
1.9MB

MD5
a0597e0e78e329b05df20599c83c749f

SHA1
14f9f6ebfd3f5d6cefee76c4e57c0fb68f92894b

SHA256
ab3bc6465b8a27f12377f6e992f51164964b19ec85c48a9d95b621c2b0a215d7

SHA512
fef6e4e27a751006d94cdda6b596419723bb0c73ad62d07ce252ba70d4b1c4b10e0fc6c586cee2d787461ae840588dbc1823e200b7523e4f9c4d1a74825091e1

Download Submit
C:\Windows\System\mngFitN.exe

Filesize
1.9MB

MD5
c34204fdc2b705bee4c5c64208f0d492

SHA1
af48e31eeaf915c0d589ccb255c2fa56010e5b3a

SHA256
04991f8137bfdcd1dfbac23f924e0a4c0b86d6820d92905a6d961c6223fb37bf

SHA512
5e9c879a39fac36e2b4983acb11cdedf8c651000226bf68f9b3a1ab2b8072efc46367c904ea926bac6be9ca79f1078c9476d1d4ecd27a1bf2714b0d8538b056b

Download Submit
C:\Windows\System\nfpGSjC.exe

Filesize
1.9MB

MD5
ea7060536528796a89372041a811232c

SHA1
025ce5ab56d1ac5097a29412e8cb372b02dae9b5

SHA256
9716f2ef2dafe4fbe5af9b6be3e31d9f22ac495962e85c2062f424628aaa8019

SHA512
49972ca898da7822da9d58413b7eea22cd9ec42cfd03ac7d0fcc2c74a4eae1ab4e9af51c9d4b1f565f8403b114e2791c58adfb24bea673defcd2b49e54cd4158

Download Submit
C:\Windows\System\okhtpqS.exe

Filesize
1.9MB

MD5
70fe72c37dc6d6a16dfe02668c3959d3

SHA1
a8626496230f15dd794bbd000048c2f48896cd88

SHA256
97763df4d5cfdc8edcba1f9778407e9d99b2e86c9649507f1412a14a0c639d82

SHA512
5e47718979ab798cf1f134eb6eedd109b8b68728f49529bd33ef818250e345d668e86e44ab896bb808ed714a24e3408db2db51c7a6186ba76f5f5749369acd37

Download Submit
C:\Windows\System\shTVwID.exe

Filesize
1.9MB

MD5
eb2ddb5c42d0f55dd81e33ea4315f847

SHA1
9368ec6ca67009cc9491432cdef1991c44d98109

SHA256
1183cf98b83d06e7e9f6b1a8dc212023a167f50d550a76e403a25ff7f7bdb365

SHA512
90b6091532ca4f1f44a0a7ee725509e0a8253b3a838a5327a5a184b2015264f81b7c636a3cc656a46035e2ab76986038621888d2ba46a11574b2f2eb471b862c

Download Submit
C:\Windows\System\wqhkHuA.exe

Filesize
1.9MB

MD5
df07b5ad8d621e3a2fc99f04b3393c3d

SHA1
fb1bc32012fe6898fa8c1bed0d77e926463d05fa

SHA256
fdfa40793e75e5a0a4310d996a1187d4dc94960d7ed2ff0a0c49a80391d1ed89

SHA512
d51f292424c7b2b910e1f441bd8c79ed673f43d4de781804a0d9512f79b92c2a6fa244a6154cfbb7ed98b6d3a6830cd93bde58e68715150ac17611ee2aba759b

Download Submit
C:\Windows\System\xJsrpTq.exe

Filesize
1.9MB

MD5
b18cd9a66b2391fc2db445df3db4d78b

SHA1
6e5796ce420a7cf7cd874659021e270ec1595eb2

SHA256
35e96036ec05dc891a9b33ec53d594c829aeed93089f7b8500c02cf5f3bb4784

SHA512
efb6447bbf4814b38da12432ccd43269d1077597d8dd7672a8ccb174dda475b98a5550c9e8ae117d5768b18d07bd18dc3553c6a825a9647845b8cb7fbac0a298

Download Submit
C:\Windows\System\xVavMId.exe

Filesize
1.9MB

MD5
2040c8dc2b8462cf60ca94d10c44f9fa

SHA1
9277db0f0c57bf61bd10d176c12ef675bad3ac26

SHA256
cbbd330eeee0021907a9b7995732343003626807565e9b88c8931ddc75caae56

SHA512
d11eff7096b1f5de7b0c0f6afba6c6e5025a254f47d4ed79f8a2464d9103c1c9584be15f15d39b4f9b928b093d879d18a0f49873d0cb60a00534a73a7e0c8858

Download Submit
C:\Windows\System\yYFzNyY.exe

Filesize
1.9MB

MD5
2e2960b1688de67cf44843e59a6fb4bb

SHA1
a8857c1af8e4d45f62b992bf1c22e722e51f3f42

SHA256
c9210cce68cb94da35e3af4faae01934a8138aa03a4908cf871044ed737a39fb

SHA512
8ba96e73a1c5ee800bb1308307905b88b5314540b36440830de624284c1ed0a705b0e3dd782ca6390ee204a17b0f8807a52bf694b9a28b6b4cf2692ed1ba4a50

Download Submit
memory/32-3476-0x00007FF654BD0000-0x00007FF654FC2000-memory.dmp

Filesize
3.9MB

Download
memory/32-59-0x00007FF654BD0000-0x00007FF654FC2000-memory.dmp

Filesize
3.9MB

Download
memory/364-542-0x00007FF78CC80000-0x00007FF78D072000-memory.dmp

Filesize
3.9MB

Download
memory/364-3471-0x00007FF78CC80000-0x00007FF78D072000-memory.dmp

Filesize
3.9MB

Download
memory/868-460-0x00007FF6AAC70000-0x00007FF6AB062000-memory.dmp

Filesize
3.9MB

Download
memory/868-3487-0x00007FF6AAC70000-0x00007FF6AB062000-memory.dmp

Filesize
3.9MB

Download
memory/1520-3483-0x00007FF6EAC10000-0x00007FF6EB002000-memory.dmp

Filesize
3.9MB

Download
memory/1520-457-0x00007FF6EAC10000-0x00007FF6EB002000-memory.dmp

Filesize
3.9MB

Download
memory/1524-50-0x00007FF733C60000-0x00007FF734052000-memory.dmp

Filesize
3.9MB

Download
memory/1524-3431-0x00007FF733C60000-0x00007FF734052000-memory.dmp

Filesize
3.9MB

Download
memory/2304-3474-0x00007FF651FF0000-0x00007FF6523E2000-memory.dmp

Filesize
3.9MB

Download
memory/2304-546-0x00007FF651FF0000-0x00007FF6523E2000-memory.dmp

Filesize
3.9MB

Download
memory/2352-46-0x00007FF759350000-0x00007FF759742000-memory.dmp

Filesize
3.9MB

Download
memory/2352-3427-0x00007FF759350000-0x00007FF759742000-memory.dmp

Filesize
3.9MB

Download
memory/2372-3494-0x00007FF60EAD0000-0x00007FF60EEC2000-memory.dmp

Filesize
3.9MB

Download
memory/2372-482-0x00007FF60EAD0000-0x00007FF60EEC2000-memory.dmp

Filesize
3.9MB

Download
memory/2708-521-0x00007FF72ACF0000-0x00007FF72B0E2000-memory.dmp

Filesize
3.9MB

Download
memory/2708-3518-0x00007FF72ACF0000-0x00007FF72B0E2000-memory.dmp

Filesize
3.9MB

Download
memory/2912-505-0x00007FF668670000-0x00007FF668A62000-memory.dmp

Filesize
3.9MB

Download
memory/2912-3510-0x00007FF668670000-0x00007FF668A62000-memory.dmp

Filesize
3.9MB

Download
memory/2924-3477-0x00007FF6711E0000-0x00007FF6715D2000-memory.dmp

Filesize
3.9MB

Download
memory/2924-446-0x00007FF6711E0000-0x00007FF6715D2000-memory.dmp

Filesize
3.9MB

Download
memory/2992-535-0x00007FF768900000-0x00007FF768CF2000-memory.dmp

Filesize
3.9MB

Download
memory/2992-3425-0x00007FF768900000-0x00007FF768CF2000-memory.dmp

Filesize
3.9MB

Download
memory/3216-449-0x00007FF678BA0000-0x00007FF678F92000-memory.dmp

Filesize
3.9MB

Download
memory/3216-3481-0x00007FF678BA0000-0x00007FF678F92000-memory.dmp

Filesize
3.9MB

Download
memory/3368-3491-0x00007FF6955A0000-0x00007FF695992000-memory.dmp

Filesize
3.9MB

Download
memory/3368-474-0x00007FF6955A0000-0x00007FF695992000-memory.dmp

Filesize
3.9MB

Download
memory/3476-3513-0x00007FF6F53D0000-0x00007FF6F57C2000-memory.dmp

Filesize
3.9MB

Download
memory/3476-517-0x00007FF6F53D0000-0x00007FF6F57C2000-memory.dmp

Filesize
3.9MB

Download
memory/3532-464-0x00007FF759A90000-0x00007FF759E82000-memory.dmp

Filesize
3.9MB

Download
memory/3532-3486-0x00007FF759A90000-0x00007FF759E82000-memory.dmp

Filesize
3.9MB

Download
memory/3976-3514-0x00007FF75BCE0000-0x00007FF75C0D2000-memory.dmp

Filesize
3.9MB

Download
memory/3976-511-0x00007FF75BCE0000-0x00007FF75C0D2000-memory.dmp

Filesize
3.9MB

Download
memory/4068-1-0x000001BF1C010000-0x000001BF1C020000-memory.dmp

Filesize
64KB

Download
memory/4068-0-0x00007FF677AC0000-0x00007FF677EB2000-memory.dmp

Filesize
3.9MB

Download
memory/4228-3495-0x00007FF61A350000-0x00007FF61A742000-memory.dmp

Filesize
3.9MB

Download
memory/4228-492-0x00007FF61A350000-0x00007FF61A742000-memory.dmp

Filesize
3.9MB

Download
memory/4364-3497-0x00007FF684D70000-0x00007FF685162000-memory.dmp

Filesize
3.9MB

Download
memory/4364-499-0x00007FF684D70000-0x00007FF685162000-memory.dmp

Filesize
3.9MB

Download
memory/4488-3454-0x00007FF6FF4A0000-0x00007FF6FF892000-memory.dmp

Filesize
3.9MB

Download
memory/4488-539-0x00007FF6FF4A0000-0x00007FF6FF892000-memory.dmp

Filesize
3.9MB

Download
memory/4848-3516-0x00007FF76CC30000-0x00007FF76D022000-memory.dmp

Filesize
3.9MB

Download
memory/4848-518-0x00007FF76CC30000-0x00007FF76D022000-memory.dmp

Filesize
3.9MB

Download
memory/5012-25-0x000001B04FB60000-0x000001B04FB82000-memory.dmp

Filesize
136KB

Download
memory/5012-38-0x00007FFCB11E0000-0x00007FFCB1CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-32-0x00007FFCB11E0000-0x00007FFCB1CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5012-3-0x00007FFCB11E3000-0x00007FFCB11E5000-memory.dmp

Filesize
8KB

Download
memory/5012-3423-0x00007FFCB11E3000-0x00007FFCB11E5000-memory.dmp

Filesize
8KB

Download
memory/5012-351-0x000001B0506E0000-0x000001B050E86000-memory.dmp

Filesize
7.6MB

Download
memory/5012-3422-0x00007FFCB11E0000-0x00007FFCB1CA1000-memory.dmp

Filesize
10.8MB

Download
memory/5016-3479-0x00007FF6E6E00000-0x00007FF6E71F2000-memory.dmp

Filesize
3.9MB

Download
memory/5016-552-0x00007FF6E6E00000-0x00007FF6E71F2000-memory.dmp

Filesize
3.9MB

Download
memory/5028-3462-0x00007FF710110000-0x00007FF710502000-memory.dmp

Filesize
3.9MB

Download
memory/5028-58-0x00007FF710110000-0x00007FF710502000-memory.dmp

Filesize
3.9MB

Download
memory/5036-473-0x00007FF7CE4C0000-0x00007FF7CE8B2000-memory.dmp

Filesize
3.9MB

Download
memory/5036-3489-0x00007FF7CE4C0000-0x00007FF7CE8B2000-memory.dmp

Filesize
3.9MB

Download