xmrig | 2b93c9851ec9a01314b84d7c3e82bd33d27745043d7ae5406897b0414c4c933f

Analysis

max time kernel
115s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ef9060bf69907de2d8906d59a9b1b0N.exe
Size

3.2MB
MD5

14ef9060bf69907de2d8906d59a9b1b0
SHA1

9c7dd4aebfccf85e4500c136400ae7702b5ec472
SHA256

2b93c9851ec9a01314b84d7c3e82bd33d27745043d7ae5406897b0414c4c933f
SHA512

f266d9759ae7b31e65e30482432dfa48b8386d8ade0a30c5b84259f4988e4061072fb3f9dc8d7aef2da426e0d6ba82958937e695b957f6473c8db6269d6f4f10
SSDEEP

98304:71ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrWk:7bBeSFkQ

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2300-0-0x00007FF673F40000-0x00007FF674336000-memory.dmp	xmrig
behavioral2/files/0x000c000000023429-4.dat	xmrig
behavioral2/files/0x000700000002343a-33.dat	xmrig
behavioral2/files/0x000700000002343b-40.dat	xmrig
behavioral2/files/0x000700000002343d-47.dat	xmrig
behavioral2/files/0x000700000002343c-56.dat	xmrig
behavioral2/files/0x0007000000023442-70.dat	xmrig
behavioral2/files/0x0007000000023446-116.dat	xmrig
behavioral2/files/0x0007000000023450-136.dat	xmrig
behavioral2/memory/4064-164-0x00007FF686D10000-0x00007FF687106000-memory.dmp	xmrig
behavioral2/files/0x0007000000023454-176.dat	xmrig
behavioral2/memory/3572-181-0x00007FF6325C0000-0x00007FF6329B6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023457-207.dat	xmrig
behavioral2/files/0x0007000000023456-204.dat	xmrig
behavioral2/files/0x000800000002344d-197.dat	xmrig
behavioral2/files/0x0007000000023455-192.dat	xmrig
behavioral2/memory/5060-189-0x00007FF798DC0000-0x00007FF7991B6000-memory.dmp	xmrig
behavioral2/memory/560-188-0x00007FF743180000-0x00007FF743576000-memory.dmp	xmrig
behavioral2/memory/3500-187-0x00007FF682A80000-0x00007FF682E76000-memory.dmp	xmrig
behavioral2/memory/4900-186-0x00007FF686B50000-0x00007FF686F46000-memory.dmp	xmrig
behavioral2/memory/3920-185-0x00007FF6B7330000-0x00007FF6B7726000-memory.dmp	xmrig
behavioral2/memory/1552-182-0x00007FF6DD1B0000-0x00007FF6DD5A6000-memory.dmp	xmrig
behavioral2/memory/3984-180-0x00007FF7F27E0000-0x00007FF7F2BD6000-memory.dmp	xmrig
behavioral2/memory/3216-179-0x00007FF73F460000-0x00007FF73F856000-memory.dmp	xmrig
behavioral2/memory/1416-178-0x00007FF60E7E0000-0x00007FF60EBD6000-memory.dmp	xmrig
behavioral2/memory/2180-175-0x00007FF6EC100000-0x00007FF6EC4F6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023453-173.dat	xmrig
behavioral2/files/0x000800000002344e-171.dat	xmrig
behavioral2/files/0x0007000000023452-169.dat	xmrig
behavioral2/files/0x0008000000023435-167.dat	xmrig
behavioral2/files/0x0007000000023451-165.dat	xmrig
behavioral2/files/0x000700000002344f-160.dat	xmrig
behavioral2/files/0x000700000002344c-158.dat	xmrig
behavioral2/files/0x000700000002344b-156.dat	xmrig
behavioral2/files/0x000700000002344a-154.dat	xmrig
behavioral2/memory/5000-152-0x00007FF6EB1B0000-0x00007FF6EB5A6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-150.dat	xmrig
behavioral2/files/0x0007000000023448-147.dat	xmrig
behavioral2/files/0x0007000000023447-139.dat	xmrig
behavioral2/memory/3104-135-0x00007FF60F030000-0x00007FF60F426000-memory.dmp	xmrig
behavioral2/memory/5116-113-0x00007FF688720000-0x00007FF688B16000-memory.dmp	xmrig
behavioral2/files/0x0007000000023445-100.dat	xmrig
behavioral2/files/0x0007000000023444-96.dat	xmrig
behavioral2/files/0x0007000000023443-83.dat	xmrig
behavioral2/memory/1612-80-0x00007FF752EF0000-0x00007FF7532E6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023441-72.dat	xmrig
behavioral2/memory/3776-69-0x00007FF79A330000-0x00007FF79A726000-memory.dmp	xmrig
behavioral2/files/0x0007000000023440-67.dat	xmrig
behavioral2/memory/2820-66-0x00007FF75FD50000-0x00007FF760146000-memory.dmp	xmrig
behavioral2/memory/4664-63-0x00007FF7CC5A0000-0x00007FF7CC996000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-54.dat	xmrig
behavioral2/files/0x000700000002343e-51.dat	xmrig
behavioral2/memory/4856-48-0x00007FF6282E0000-0x00007FF6286D6000-memory.dmp	xmrig
behavioral2/memory/4124-39-0x00007FF6B5C50000-0x00007FF6B6046000-memory.dmp	xmrig
behavioral2/memory/2808-30-0x00007FF7B9E20000-0x00007FF7BA216000-memory.dmp	xmrig
behavioral2/memory/3156-26-0x00007FF6EBEB0000-0x00007FF6EC2A6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023439-25.dat	xmrig
behavioral2/memory/1900-14-0x00007FF6951D0000-0x00007FF6955C6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023438-19.dat	xmrig
behavioral2/memory/3156-1288-0x00007FF6EBEB0000-0x00007FF6EC2A6000-memory.dmp	xmrig
behavioral2/memory/1900-1285-0x00007FF6951D0000-0x00007FF6955C6000-memory.dmp	xmrig
behavioral2/memory/2300-1282-0x00007FF673F40000-0x00007FF674336000-memory.dmp	xmrig
behavioral2/memory/4856-1296-0x00007FF6282E0000-0x00007FF6286D6000-memory.dmp	xmrig
behavioral2/memory/4124-1294-0x00007FF6B5C50000-0x00007FF6B6046000-memory.dmp	xmrig

Blocklisted process makes network request 7 IoCs

flow	pid	Process
9	1380	powershell.exe
11	1380	powershell.exe
15	1380	powershell.exe
16	1380	powershell.exe
18	1380	powershell.exe
21	1380	powershell.exe
24	1380	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1380	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1900	gCAJtJo.exe
3156	QxWGFot.exe
2808	Wsrbtpx.exe
4124	bhLBVjD.exe
3920	AKeSUlx.exe
4856	yYUzbEo.exe
4664	pdkPiDK.exe
2820	WebklGo.exe
3776	OAzpihs.exe
4900	JtmaqUh.exe
1612	NEbaEpB.exe
3500	NZyaEiy.exe
5116	eETVcNF.exe
560	RVgGMVG.exe
3104	uzUraSb.exe
5000	dSTlNlj.exe
4064	wqgxNZP.exe
2180	BiiVjVb.exe
1416	sAPjXYt.exe
3216	VBAOHuq.exe
3984	ZzQvqSZ.exe
3572	QnSBAkV.exe
1552	STWYyuS.exe
5060	ROAhHIY.exe
2960	dvJVqRz.exe
1524	yzaEuxG.exe
4236	hxZNcWl.exe
2084	PhpeRjK.exe
1840	AoYGOmd.exe
4992	yfAvXzj.exe
2392	FkBSiKp.exe
4912	MfZYKJv.exe
5012	gUXnqVR.exe
440	snJECGA.exe
856	zyUPhpX.exe
4944	YZbMUFN.exe
4672	sRFdVIJ.exe
3952	AzLZIrr.exe
4388	RnUkLfB.exe
4556	EvSlrvX.exe
660	HefgQEK.exe
3592	dnblNnx.exe
3224	HWkAXHi.exe
1440	CImIIqi.exe
2556	wrFxzie.exe
2872	wvuQDvc.exe
3688	cuLjRHa.exe
2992	UUnwedS.exe
4956	eNAXUAL.exe
3496	rExEuaQ.exe
1820	olsHGrt.exe
1772	joPyumn.exe
1452	hOrVtIy.exe
1120	CBXDCeC.exe
2288	KxayHdW.exe
1540	RxyxIzp.exe
4684	vDiiSJB.exe
1872	QGjkQxR.exe
3528	FUtzGcz.exe
1976	lWaoXNG.exe
2656	vqqYLpU.exe
1636	BxWiuUn.exe
5084	obxXXVW.exe
3744	fLGRHyd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2300-0-0x00007FF673F40000-0x00007FF674336000-memory.dmp	upx
behavioral2/files/0x000c000000023429-4.dat	upx
behavioral2/files/0x000700000002343a-33.dat	upx
behavioral2/files/0x000700000002343b-40.dat	upx
behavioral2/files/0x000700000002343d-47.dat	upx
behavioral2/files/0x000700000002343c-56.dat	upx
behavioral2/files/0x0007000000023442-70.dat	upx
behavioral2/files/0x0007000000023446-116.dat	upx
behavioral2/files/0x0007000000023450-136.dat	upx
behavioral2/memory/4064-164-0x00007FF686D10000-0x00007FF687106000-memory.dmp	upx
behavioral2/files/0x0007000000023454-176.dat	upx
behavioral2/memory/3572-181-0x00007FF6325C0000-0x00007FF6329B6000-memory.dmp	upx
behavioral2/files/0x0007000000023457-207.dat	upx
behavioral2/files/0x0007000000023456-204.dat	upx
behavioral2/files/0x000800000002344d-197.dat	upx
behavioral2/files/0x0007000000023455-192.dat	upx
behavioral2/memory/5060-189-0x00007FF798DC0000-0x00007FF7991B6000-memory.dmp	upx
behavioral2/memory/560-188-0x00007FF743180000-0x00007FF743576000-memory.dmp	upx
behavioral2/memory/3500-187-0x00007FF682A80000-0x00007FF682E76000-memory.dmp	upx
behavioral2/memory/4900-186-0x00007FF686B50000-0x00007FF686F46000-memory.dmp	upx
behavioral2/memory/3920-185-0x00007FF6B7330000-0x00007FF6B7726000-memory.dmp	upx
behavioral2/memory/1552-182-0x00007FF6DD1B0000-0x00007FF6DD5A6000-memory.dmp	upx
behavioral2/memory/3984-180-0x00007FF7F27E0000-0x00007FF7F2BD6000-memory.dmp	upx
behavioral2/memory/3216-179-0x00007FF73F460000-0x00007FF73F856000-memory.dmp	upx
behavioral2/memory/1416-178-0x00007FF60E7E0000-0x00007FF60EBD6000-memory.dmp	upx
behavioral2/memory/2180-175-0x00007FF6EC100000-0x00007FF6EC4F6000-memory.dmp	upx
behavioral2/files/0x0007000000023453-173.dat	upx
behavioral2/files/0x000800000002344e-171.dat	upx
behavioral2/files/0x0007000000023452-169.dat	upx
behavioral2/files/0x0008000000023435-167.dat	upx
behavioral2/files/0x0007000000023451-165.dat	upx
behavioral2/files/0x000700000002344f-160.dat	upx
behavioral2/files/0x000700000002344c-158.dat	upx
behavioral2/files/0x000700000002344b-156.dat	upx
behavioral2/files/0x000700000002344a-154.dat	upx
behavioral2/memory/5000-152-0x00007FF6EB1B0000-0x00007FF6EB5A6000-memory.dmp	upx
behavioral2/files/0x0007000000023449-150.dat	upx
behavioral2/files/0x0007000000023448-147.dat	upx
behavioral2/files/0x0007000000023447-139.dat	upx
behavioral2/memory/3104-135-0x00007FF60F030000-0x00007FF60F426000-memory.dmp	upx
behavioral2/memory/5116-113-0x00007FF688720000-0x00007FF688B16000-memory.dmp	upx
behavioral2/files/0x0007000000023445-100.dat	upx
behavioral2/files/0x0007000000023444-96.dat	upx
behavioral2/files/0x0007000000023443-83.dat	upx
behavioral2/memory/1612-80-0x00007FF752EF0000-0x00007FF7532E6000-memory.dmp	upx
behavioral2/files/0x0007000000023441-72.dat	upx
behavioral2/memory/3776-69-0x00007FF79A330000-0x00007FF79A726000-memory.dmp	upx
behavioral2/files/0x0007000000023440-67.dat	upx
behavioral2/memory/2820-66-0x00007FF75FD50000-0x00007FF760146000-memory.dmp	upx
behavioral2/memory/4664-63-0x00007FF7CC5A0000-0x00007FF7CC996000-memory.dmp	upx
behavioral2/files/0x000700000002343f-54.dat	upx
behavioral2/files/0x000700000002343e-51.dat	upx
behavioral2/memory/4856-48-0x00007FF6282E0000-0x00007FF6286D6000-memory.dmp	upx
behavioral2/memory/4124-39-0x00007FF6B5C50000-0x00007FF6B6046000-memory.dmp	upx
behavioral2/memory/2808-30-0x00007FF7B9E20000-0x00007FF7BA216000-memory.dmp	upx
behavioral2/memory/3156-26-0x00007FF6EBEB0000-0x00007FF6EC2A6000-memory.dmp	upx
behavioral2/files/0x0007000000023439-25.dat	upx
behavioral2/memory/1900-14-0x00007FF6951D0000-0x00007FF6955C6000-memory.dmp	upx
behavioral2/files/0x0007000000023438-19.dat	upx
behavioral2/memory/3156-1288-0x00007FF6EBEB0000-0x00007FF6EC2A6000-memory.dmp	upx
behavioral2/memory/1900-1285-0x00007FF6951D0000-0x00007FF6955C6000-memory.dmp	upx
behavioral2/memory/2300-1282-0x00007FF673F40000-0x00007FF674336000-memory.dmp	upx
behavioral2/memory/4856-1296-0x00007FF6282E0000-0x00007FF6286D6000-memory.dmp	upx
behavioral2/memory/4124-1294-0x00007FF6B5C50000-0x00007FF6B6046000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\PMseyon.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\uWzcOUI.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\vfdfoid.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\nOsEdwS.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\aPPfKCw.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\dNzFTkq.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\LhpRKTa.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\yRLzaCJ.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\xyQFpoY.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\tERnZBe.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\lbTcQDy.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\sgfJnsR.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\gyjpeXC.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\zZiOuKo.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\fHWORWR.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\PbUKtmG.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\srlsQXF.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\kryvkFY.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\iMvxXex.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\kCIUyzk.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\qoSPXJi.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\fuVSFhX.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\WicbMfC.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\MZqdpTX.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\twIldjB.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\wFRuikx.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\zlnVVmC.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\KshxCxo.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\GMNecLX.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\etkVZuf.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\KtjJIqb.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\rwAFsnm.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\EgYxgol.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\ysUkPmX.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\TVuFLNg.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\rScJXyX.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\SjWdtAe.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\kPsDoEa.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\BRJfoFs.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\cRhfvxe.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\TYfGBRq.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\JEgBjQH.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\AqAEjuz.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\MyyhIox.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\zlpSCfV.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\FANjXKs.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\CqaOkHZ.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\iKzZPoV.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\uaKYzQn.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\xdiZoKB.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\EJITiEY.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\KEcaTxU.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\DGCmXdO.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\JsAlusV.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\KBtHueQ.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\EtYUUyB.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\OuVVlVv.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\tpWjDjI.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\JsXKdhM.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\mDkEdnr.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\kOTgPKf.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\yHgdBOk.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\iHPSZwK.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe
File created	C:\Windows\System\csWdGCJ.exe	14ef9060bf69907de2d8906d59a9b1b0N.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe
Token: SeLockMemoryPrivilege	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeCreateGlobalPrivilege	13508	dwm.exe
Token: SeChangeNotifyPrivilege	13508	dwm.exe
Token: 33	13508	dwm.exe
Token: SeIncBasePriorityPrivilege	13508	dwm.exe
Token: SeShutdownPrivilege	13508	dwm.exe
Token: SeCreatePagefilePrivilege	13508	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1380	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	85
PID 2300 wrote to memory of 1380	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	85
PID 2300 wrote to memory of 1900	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	86
PID 2300 wrote to memory of 1900	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	86
PID 2300 wrote to memory of 3156	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	87
PID 2300 wrote to memory of 3156	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	87
PID 2300 wrote to memory of 2808	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	88
PID 2300 wrote to memory of 2808	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	88
PID 2300 wrote to memory of 3920	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	89
PID 2300 wrote to memory of 3920	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	89
PID 2300 wrote to memory of 4124	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	90
PID 2300 wrote to memory of 4124	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	90
PID 2300 wrote to memory of 4856	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	91
PID 2300 wrote to memory of 4856	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	91
PID 2300 wrote to memory of 4664	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	92
PID 2300 wrote to memory of 4664	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	92
PID 2300 wrote to memory of 2820	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	93
PID 2300 wrote to memory of 2820	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	93
PID 2300 wrote to memory of 3776	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	94
PID 2300 wrote to memory of 3776	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	94
PID 2300 wrote to memory of 4900	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	95
PID 2300 wrote to memory of 4900	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	95
PID 2300 wrote to memory of 1612	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	96
PID 2300 wrote to memory of 1612	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	96
PID 2300 wrote to memory of 3500	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	97
PID 2300 wrote to memory of 3500	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	97
PID 2300 wrote to memory of 5116	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	98
PID 2300 wrote to memory of 5116	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	98
PID 2300 wrote to memory of 560	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	99
PID 2300 wrote to memory of 560	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	99
PID 2300 wrote to memory of 3104	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	100
PID 2300 wrote to memory of 3104	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	100
PID 2300 wrote to memory of 5000	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	101
PID 2300 wrote to memory of 5000	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	101
PID 2300 wrote to memory of 4064	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	102
PID 2300 wrote to memory of 4064	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	102
PID 2300 wrote to memory of 2180	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	103
PID 2300 wrote to memory of 2180	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	103
PID 2300 wrote to memory of 1416	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	104
PID 2300 wrote to memory of 1416	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	104
PID 2300 wrote to memory of 3216	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	105
PID 2300 wrote to memory of 3216	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	105
PID 2300 wrote to memory of 3984	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	106
PID 2300 wrote to memory of 3984	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	106
PID 2300 wrote to memory of 3572	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	107
PID 2300 wrote to memory of 3572	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	107
PID 2300 wrote to memory of 1552	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	108
PID 2300 wrote to memory of 1552	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	108
PID 2300 wrote to memory of 5060	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	109
PID 2300 wrote to memory of 5060	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	109
PID 2300 wrote to memory of 2960	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	110
PID 2300 wrote to memory of 2960	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	110
PID 2300 wrote to memory of 1524	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	111
PID 2300 wrote to memory of 1524	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	111
PID 2300 wrote to memory of 4236	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	112
PID 2300 wrote to memory of 4236	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	112
PID 2300 wrote to memory of 2084	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	113
PID 2300 wrote to memory of 2084	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	113
PID 2300 wrote to memory of 1840	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	114
PID 2300 wrote to memory of 1840	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	114
PID 2300 wrote to memory of 4992	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	115
PID 2300 wrote to memory of 4992	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	115
PID 2300 wrote to memory of 2392	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	116
PID 2300 wrote to memory of 2392	2300	14ef9060bf69907de2d8906d59a9b1b0N.exe	116

C:\Users\Admin\AppData\Local\Temp\14ef9060bf69907de2d8906d59a9b1b0N.exe
"C:\Users\Admin\AppData\Local\Temp\14ef9060bf69907de2d8906d59a9b1b0N.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1380
- C:\Windows\System\gCAJtJo.exe
  C:\Windows\System\gCAJtJo.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\QxWGFot.exe
  C:\Windows\System\QxWGFot.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\Wsrbtpx.exe
  C:\Windows\System\Wsrbtpx.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\AKeSUlx.exe
  C:\Windows\System\AKeSUlx.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\bhLBVjD.exe
  C:\Windows\System\bhLBVjD.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\yYUzbEo.exe
  C:\Windows\System\yYUzbEo.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\pdkPiDK.exe
  C:\Windows\System\pdkPiDK.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\WebklGo.exe
  C:\Windows\System\WebklGo.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\OAzpihs.exe
  C:\Windows\System\OAzpihs.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\JtmaqUh.exe
  C:\Windows\System\JtmaqUh.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\NEbaEpB.exe
  C:\Windows\System\NEbaEpB.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\NZyaEiy.exe
  C:\Windows\System\NZyaEiy.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\eETVcNF.exe
  C:\Windows\System\eETVcNF.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\RVgGMVG.exe
  C:\Windows\System\RVgGMVG.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\uzUraSb.exe
  C:\Windows\System\uzUraSb.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\dSTlNlj.exe
  C:\Windows\System\dSTlNlj.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\wqgxNZP.exe
  C:\Windows\System\wqgxNZP.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\BiiVjVb.exe
  C:\Windows\System\BiiVjVb.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\sAPjXYt.exe
  C:\Windows\System\sAPjXYt.exe
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\Windows\System\VBAOHuq.exe
  C:\Windows\System\VBAOHuq.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\ZzQvqSZ.exe
  C:\Windows\System\ZzQvqSZ.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\QnSBAkV.exe
  C:\Windows\System\QnSBAkV.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System\STWYyuS.exe
  C:\Windows\System\STWYyuS.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\ROAhHIY.exe
  C:\Windows\System\ROAhHIY.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\dvJVqRz.exe
  C:\Windows\System\dvJVqRz.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\yzaEuxG.exe
  C:\Windows\System\yzaEuxG.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\hxZNcWl.exe
  C:\Windows\System\hxZNcWl.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\PhpeRjK.exe
  C:\Windows\System\PhpeRjK.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\AoYGOmd.exe
  C:\Windows\System\AoYGOmd.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\yfAvXzj.exe
  C:\Windows\System\yfAvXzj.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\FkBSiKp.exe
  C:\Windows\System\FkBSiKp.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\MfZYKJv.exe
  C:\Windows\System\MfZYKJv.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\gUXnqVR.exe
  C:\Windows\System\gUXnqVR.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\snJECGA.exe
  C:\Windows\System\snJECGA.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\zyUPhpX.exe
  C:\Windows\System\zyUPhpX.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\YZbMUFN.exe
  C:\Windows\System\YZbMUFN.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\sRFdVIJ.exe
  C:\Windows\System\sRFdVIJ.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\AzLZIrr.exe
  C:\Windows\System\AzLZIrr.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\RnUkLfB.exe
  C:\Windows\System\RnUkLfB.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\EvSlrvX.exe
  C:\Windows\System\EvSlrvX.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\HefgQEK.exe
  C:\Windows\System\HefgQEK.exe
  2⤵
  - Executes dropped EXE
  PID:660
- C:\Windows\System\dnblNnx.exe
  C:\Windows\System\dnblNnx.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\HWkAXHi.exe
  C:\Windows\System\HWkAXHi.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\CImIIqi.exe
  C:\Windows\System\CImIIqi.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\wrFxzie.exe
  C:\Windows\System\wrFxzie.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\wvuQDvc.exe
  C:\Windows\System\wvuQDvc.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\cuLjRHa.exe
  C:\Windows\System\cuLjRHa.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\UUnwedS.exe
  C:\Windows\System\UUnwedS.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\eNAXUAL.exe
  C:\Windows\System\eNAXUAL.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\rExEuaQ.exe
  C:\Windows\System\rExEuaQ.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\olsHGrt.exe
  C:\Windows\System\olsHGrt.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\joPyumn.exe
  C:\Windows\System\joPyumn.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\hOrVtIy.exe
  C:\Windows\System\hOrVtIy.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\CBXDCeC.exe
  C:\Windows\System\CBXDCeC.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\KxayHdW.exe
  C:\Windows\System\KxayHdW.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\RxyxIzp.exe
  C:\Windows\System\RxyxIzp.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\vDiiSJB.exe
  C:\Windows\System\vDiiSJB.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\QGjkQxR.exe
  C:\Windows\System\QGjkQxR.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\FUtzGcz.exe
  C:\Windows\System\FUtzGcz.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\lWaoXNG.exe
  C:\Windows\System\lWaoXNG.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\vqqYLpU.exe
  C:\Windows\System\vqqYLpU.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\BxWiuUn.exe
  C:\Windows\System\BxWiuUn.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\obxXXVW.exe
  C:\Windows\System\obxXXVW.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\fLGRHyd.exe
  C:\Windows\System\fLGRHyd.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\RzVmMvI.exe
  C:\Windows\System\RzVmMvI.exe
  2⤵
  PID:460
- C:\Windows\System\UogiMKo.exe
  C:\Windows\System\UogiMKo.exe
  2⤵
  PID:1972
- C:\Windows\System\NKplHmh.exe
  C:\Windows\System\NKplHmh.exe
  2⤵
  PID:2900
- C:\Windows\System\EgYxgol.exe
  C:\Windows\System\EgYxgol.exe
  2⤵
  PID:1128
- C:\Windows\System\pHeahtV.exe
  C:\Windows\System\pHeahtV.exe
  2⤵
  PID:4964
- C:\Windows\System\dJOoiQV.exe
  C:\Windows\System\dJOoiQV.exe
  2⤵
  PID:5004
- C:\Windows\System\dQSOvAa.exe
  C:\Windows\System\dQSOvAa.exe
  2⤵
  PID:680
- C:\Windows\System\pYGGwzw.exe
  C:\Windows\System\pYGGwzw.exe
  2⤵
  PID:3384
- C:\Windows\System\gOnavXt.exe
  C:\Windows\System\gOnavXt.exe
  2⤵
  PID:1248
- C:\Windows\System\WxhumxP.exe
  C:\Windows\System\WxhumxP.exe
  2⤵
  PID:4960
- C:\Windows\System\ENbxeJq.exe
  C:\Windows\System\ENbxeJq.exe
  2⤵
  PID:3464
- C:\Windows\System\BycMkgV.exe
  C:\Windows\System\BycMkgV.exe
  2⤵
  PID:392
- C:\Windows\System\mBHqSwT.exe
  C:\Windows\System\mBHqSwT.exe
  2⤵
  PID:3608
- C:\Windows\System\vagNHcb.exe
  C:\Windows\System\vagNHcb.exe
  2⤵
  PID:4192
- C:\Windows\System\cgnoLBC.exe
  C:\Windows\System\cgnoLBC.exe
  2⤵
  PID:2828
- C:\Windows\System\BiTNSaa.exe
  C:\Windows\System\BiTNSaa.exe
  2⤵
  PID:5032
- C:\Windows\System\qdBCqnI.exe
  C:\Windows\System\qdBCqnI.exe
  2⤵
  PID:2388
- C:\Windows\System\vyqWMWP.exe
  C:\Windows\System\vyqWMWP.exe
  2⤵
  PID:768
- C:\Windows\System\zbjGBxs.exe
  C:\Windows\System\zbjGBxs.exe
  2⤵
  PID:5052
- C:\Windows\System\ECDjHbq.exe
  C:\Windows\System\ECDjHbq.exe
  2⤵
  PID:4748
- C:\Windows\System\HYuxTVT.exe
  C:\Windows\System\HYuxTVT.exe
  2⤵
  PID:2068
- C:\Windows\System\fSIyjsK.exe
  C:\Windows\System\fSIyjsK.exe
  2⤵
  PID:1564
- C:\Windows\System\HlJPCPj.exe
  C:\Windows\System\HlJPCPj.exe
  2⤵
  PID:3004
- C:\Windows\System\hkHZhLe.exe
  C:\Windows\System\hkHZhLe.exe
  2⤵
  PID:1964
- C:\Windows\System\NryKdsi.exe
  C:\Windows\System\NryKdsi.exe
  2⤵
  PID:3456
- C:\Windows\System\iHvcmVD.exe
  C:\Windows\System\iHvcmVD.exe
  2⤵
  PID:1244
- C:\Windows\System\aiHXdID.exe
  C:\Windows\System\aiHXdID.exe
  2⤵
  PID:3268
- C:\Windows\System\BMspPuD.exe
  C:\Windows\System\BMspPuD.exe
  2⤵
  PID:2396
- C:\Windows\System\hEBlqDw.exe
  C:\Windows\System\hEBlqDw.exe
  2⤵
  PID:468
- C:\Windows\System\TGxbUSl.exe
  C:\Windows\System\TGxbUSl.exe
  2⤵
  PID:2456
- C:\Windows\System\ArgyIEc.exe
  C:\Windows\System\ArgyIEc.exe
  2⤵
  PID:1428
- C:\Windows\System\dpZVrja.exe
  C:\Windows\System\dpZVrja.exe
  2⤵
  PID:832
- C:\Windows\System\FjGpbBU.exe
  C:\Windows\System\FjGpbBU.exe
  2⤵
  PID:4452
- C:\Windows\System\xUHdjTQ.exe
  C:\Windows\System\xUHdjTQ.exe
  2⤵
  PID:5132
- C:\Windows\System\YhJYakD.exe
  C:\Windows\System\YhJYakD.exe
  2⤵
  PID:5160
- C:\Windows\System\UTvQVCV.exe
  C:\Windows\System\UTvQVCV.exe
  2⤵
  PID:5188
- C:\Windows\System\BPFSwas.exe
  C:\Windows\System\BPFSwas.exe
  2⤵
  PID:5216
- C:\Windows\System\JorrYJv.exe
  C:\Windows\System\JorrYJv.exe
  2⤵
  PID:5244
- C:\Windows\System\aUWCbUi.exe
  C:\Windows\System\aUWCbUi.exe
  2⤵
  PID:5272
- C:\Windows\System\AOshpyk.exe
  C:\Windows\System\AOshpyk.exe
  2⤵
  PID:5300
- C:\Windows\System\zTwPoRB.exe
  C:\Windows\System\zTwPoRB.exe
  2⤵
  PID:5328
- C:\Windows\System\tKYBCRO.exe
  C:\Windows\System\tKYBCRO.exe
  2⤵
  PID:5356
- C:\Windows\System\ImSDRTJ.exe
  C:\Windows\System\ImSDRTJ.exe
  2⤵
  PID:5384
- C:\Windows\System\HAMGKbf.exe
  C:\Windows\System\HAMGKbf.exe
  2⤵
  PID:5412
- C:\Windows\System\JuVjiAs.exe
  C:\Windows\System\JuVjiAs.exe
  2⤵
  PID:5440
- C:\Windows\System\UueqltW.exe
  C:\Windows\System\UueqltW.exe
  2⤵
  PID:5468
- C:\Windows\System\icolvQc.exe
  C:\Windows\System\icolvQc.exe
  2⤵
  PID:5488
- C:\Windows\System\frYQvCg.exe
  C:\Windows\System\frYQvCg.exe
  2⤵
  PID:5528
- C:\Windows\System\coDlOzj.exe
  C:\Windows\System\coDlOzj.exe
  2⤵
  PID:5556
- C:\Windows\System\NVwjBNY.exe
  C:\Windows\System\NVwjBNY.exe
  2⤵
  PID:5584
- C:\Windows\System\UKYALPk.exe
  C:\Windows\System\UKYALPk.exe
  2⤵
  PID:5612
- C:\Windows\System\zqBEKUK.exe
  C:\Windows\System\zqBEKUK.exe
  2⤵
  PID:5640
- C:\Windows\System\GTevyga.exe
  C:\Windows\System\GTevyga.exe
  2⤵
  PID:5668
- C:\Windows\System\BgXhrUL.exe
  C:\Windows\System\BgXhrUL.exe
  2⤵
  PID:5696
- C:\Windows\System\JxZsKWl.exe
  C:\Windows\System\JxZsKWl.exe
  2⤵
  PID:5732
- C:\Windows\System\ehlTHcv.exe
  C:\Windows\System\ehlTHcv.exe
  2⤵
  PID:5752
- C:\Windows\System\JKcTIYR.exe
  C:\Windows\System\JKcTIYR.exe
  2⤵
  PID:5784
- C:\Windows\System\Duuzsek.exe
  C:\Windows\System\Duuzsek.exe
  2⤵
  PID:5812
- C:\Windows\System\cVZRWbg.exe
  C:\Windows\System\cVZRWbg.exe
  2⤵
  PID:5836
- C:\Windows\System\dMuiUHE.exe
  C:\Windows\System\dMuiUHE.exe
  2⤵
  PID:5884
- C:\Windows\System\GoygMJG.exe
  C:\Windows\System\GoygMJG.exe
  2⤵
  PID:5920
- C:\Windows\System\LLnauXe.exe
  C:\Windows\System\LLnauXe.exe
  2⤵
  PID:5952
- C:\Windows\System\HCCISFd.exe
  C:\Windows\System\HCCISFd.exe
  2⤵
  PID:5992
- C:\Windows\System\KRTmocv.exe
  C:\Windows\System\KRTmocv.exe
  2⤵
  PID:6016
- C:\Windows\System\hmnqxBX.exe
  C:\Windows\System\hmnqxBX.exe
  2⤵
  PID:6032
- C:\Windows\System\CzmZDlY.exe
  C:\Windows\System\CzmZDlY.exe
  2⤵
  PID:6060
- C:\Windows\System\vaSctQN.exe
  C:\Windows\System\vaSctQN.exe
  2⤵
  PID:6088
- C:\Windows\System\paaCOOR.exe
  C:\Windows\System\paaCOOR.exe
  2⤵
  PID:6124
- C:\Windows\System\ktPfsET.exe
  C:\Windows\System\ktPfsET.exe
  2⤵
  PID:5172
- C:\Windows\System\ussMucQ.exe
  C:\Windows\System\ussMucQ.exe
  2⤵
  PID:5252
- C:\Windows\System\boQcOwA.exe
  C:\Windows\System\boQcOwA.exe
  2⤵
  PID:5308
- C:\Windows\System\KBMkIIq.exe
  C:\Windows\System\KBMkIIq.exe
  2⤵
  PID:5368
- C:\Windows\System\mRksBoZ.exe
  C:\Windows\System\mRksBoZ.exe
  2⤵
  PID:5424
- C:\Windows\System\GvsrjXK.exe
  C:\Windows\System\GvsrjXK.exe
  2⤵
  PID:5460
- C:\Windows\System\EJeorNP.exe
  C:\Windows\System\EJeorNP.exe
  2⤵
  PID:5512
- C:\Windows\System\MBmdUdD.exe
  C:\Windows\System\MBmdUdD.exe
  2⤵
  PID:5652
- C:\Windows\System\ERmioEV.exe
  C:\Windows\System\ERmioEV.exe
  2⤵
  PID:5748
- C:\Windows\System\pXRfgqm.exe
  C:\Windows\System\pXRfgqm.exe
  2⤵
  PID:5892
- C:\Windows\System\KzKOpPH.exe
  C:\Windows\System\KzKOpPH.exe
  2⤵
  PID:5964
- C:\Windows\System\zkJpWQO.exe
  C:\Windows\System\zkJpWQO.exe
  2⤵
  PID:6068
- C:\Windows\System\biPUwEv.exe
  C:\Windows\System\biPUwEv.exe
  2⤵
  PID:5336
- C:\Windows\System\mAosUbI.exe
  C:\Windows\System\mAosUbI.exe
  2⤵
  PID:5568
- C:\Windows\System\YOLFTzv.exe
  C:\Windows\System\YOLFTzv.exe
  2⤵
  PID:5724
- C:\Windows\System\jYUykzL.exe
  C:\Windows\System\jYUykzL.exe
  2⤵
  PID:5932
- C:\Windows\System\PhzjDVZ.exe
  C:\Windows\System\PhzjDVZ.exe
  2⤵
  PID:5720
- C:\Windows\System\RdThVoe.exe
  C:\Windows\System\RdThVoe.exe
  2⤵
  PID:6052
- C:\Windows\System\cPxpfgn.exe
  C:\Windows\System\cPxpfgn.exe
  2⤵
  PID:6080
- C:\Windows\System\DtKVGvI.exe
  C:\Windows\System\DtKVGvI.exe
  2⤵
  PID:5984
- C:\Windows\System\gBLdGhb.exe
  C:\Windows\System\gBLdGhb.exe
  2⤵
  PID:5604
- C:\Windows\System\faDDNWU.exe
  C:\Windows\System\faDDNWU.exe
  2⤵
  PID:4548
- C:\Windows\System\MrotlUC.exe
  C:\Windows\System\MrotlUC.exe
  2⤵
  PID:6156
- C:\Windows\System\ihrKesW.exe
  C:\Windows\System\ihrKesW.exe
  2⤵
  PID:6216
- C:\Windows\System\ogtLddf.exe
  C:\Windows\System\ogtLddf.exe
  2⤵
  PID:6276
- C:\Windows\System\TqfZTBG.exe
  C:\Windows\System\TqfZTBG.exe
  2⤵
  PID:6328
- C:\Windows\System\rqopoVO.exe
  C:\Windows\System\rqopoVO.exe
  2⤵
  PID:6380
- C:\Windows\System\nCnjJCO.exe
  C:\Windows\System\nCnjJCO.exe
  2⤵
  PID:6432
- C:\Windows\System\xuSxNzW.exe
  C:\Windows\System\xuSxNzW.exe
  2⤵
  PID:6492
- C:\Windows\System\fRgvEBA.exe
  C:\Windows\System\fRgvEBA.exe
  2⤵
  PID:6540
- C:\Windows\System\SjZRKxY.exe
  C:\Windows\System\SjZRKxY.exe
  2⤵
  PID:6584
- C:\Windows\System\hWAnXhQ.exe
  C:\Windows\System\hWAnXhQ.exe
  2⤵
  PID:6612
- C:\Windows\System\DJgvXFB.exe
  C:\Windows\System\DJgvXFB.exe
  2⤵
  PID:6680
- C:\Windows\System\PzlPVqN.exe
  C:\Windows\System\PzlPVqN.exe
  2⤵
  PID:6716
- C:\Windows\System\DTdicTB.exe
  C:\Windows\System\DTdicTB.exe
  2⤵
  PID:6788
- C:\Windows\System\eNKhuah.exe
  C:\Windows\System\eNKhuah.exe
  2⤵
  PID:6820
- C:\Windows\System\eNlhBeq.exe
  C:\Windows\System\eNlhBeq.exe
  2⤵
  PID:6872
- C:\Windows\System\fQIeWIn.exe
  C:\Windows\System\fQIeWIn.exe
  2⤵
  PID:6920
- C:\Windows\System\XxCWewE.exe
  C:\Windows\System\XxCWewE.exe
  2⤵
  PID:6972
- C:\Windows\System\UVXdqMy.exe
  C:\Windows\System\UVXdqMy.exe
  2⤵
  PID:7016
- C:\Windows\System\TfDKWCy.exe
  C:\Windows\System\TfDKWCy.exe
  2⤵
  PID:7068
- C:\Windows\System\YuHfwLr.exe
  C:\Windows\System\YuHfwLr.exe
  2⤵
  PID:7124
- C:\Windows\System\IrKxaLE.exe
  C:\Windows\System\IrKxaLE.exe
  2⤵
  PID:5676
- C:\Windows\System\TdHIvQi.exe
  C:\Windows\System\TdHIvQi.exe
  2⤵
  PID:6192
- C:\Windows\System\ldYYVeZ.exe
  C:\Windows\System\ldYYVeZ.exe
  2⤵
  PID:6240
- C:\Windows\System\tBJDblO.exe
  C:\Windows\System\tBJDblO.exe
  2⤵
  PID:6308
- C:\Windows\System\qKXZOws.exe
  C:\Windows\System\qKXZOws.exe
  2⤵
  PID:6364
- C:\Windows\System\uMDEUmL.exe
  C:\Windows\System\uMDEUmL.exe
  2⤵
  PID:6452
- C:\Windows\System\drlROAi.exe
  C:\Windows\System\drlROAi.exe
  2⤵
  PID:6556
- C:\Windows\System\IghtRUq.exe
  C:\Windows\System\IghtRUq.exe
  2⤵
  PID:5364
- C:\Windows\System\gahdaaW.exe
  C:\Windows\System\gahdaaW.exe
  2⤵
  PID:5348
- C:\Windows\System\pDfZKvF.exe
  C:\Windows\System\pDfZKvF.exe
  2⤵
  PID:6772
- C:\Windows\System\nWuJchg.exe
  C:\Windows\System\nWuJchg.exe
  2⤵
  PID:6880
- C:\Windows\System\XgfHrQv.exe
  C:\Windows\System\XgfHrQv.exe
  2⤵
  PID:6964
- C:\Windows\System\KRTvqza.exe
  C:\Windows\System\KRTvqza.exe
  2⤵
  PID:7036
- C:\Windows\System\HbRtOxl.exe
  C:\Windows\System\HbRtOxl.exe
  2⤵
  PID:7096
- C:\Windows\System\hJhdVaa.exe
  C:\Windows\System\hJhdVaa.exe
  2⤵
  PID:7152
- C:\Windows\System\lpBnLNR.exe
  C:\Windows\System\lpBnLNR.exe
  2⤵
  PID:6168
- C:\Windows\System\uTUorMy.exe
  C:\Windows\System\uTUorMy.exe
  2⤵
  PID:6304
- C:\Windows\System\zRmjmcR.exe
  C:\Windows\System\zRmjmcR.exe
  2⤵
  PID:6348
- C:\Windows\System\dSZDMxM.exe
  C:\Windows\System\dSZDMxM.exe
  2⤵
  PID:6448
- C:\Windows\System\JFWBBSY.exe
  C:\Windows\System\JFWBBSY.exe
  2⤵
  PID:6620
- C:\Windows\System\BexHzPi.exe
  C:\Windows\System\BexHzPi.exe
  2⤵
  PID:6668
- C:\Windows\System\xCJOFPK.exe
  C:\Windows\System\xCJOFPK.exe
  2⤵
  PID:6708
- C:\Windows\System\lmnQfkW.exe
  C:\Windows\System\lmnQfkW.exe
  2⤵
  PID:6816
- C:\Windows\System\MPAFoyK.exe
  C:\Windows\System\MPAFoyK.exe
  2⤵
  PID:6908
- C:\Windows\System\SpoPGQh.exe
  C:\Windows\System\SpoPGQh.exe
  2⤵
  PID:7004
- C:\Windows\System\gONOzzj.exe
  C:\Windows\System\gONOzzj.exe
  2⤵
  PID:7112
- C:\Windows\System\oORJyUP.exe
  C:\Windows\System\oORJyUP.exe
  2⤵
  PID:6176
- C:\Windows\System\eoJfPuG.exe
  C:\Windows\System\eoJfPuG.exe
  2⤵
  PID:6356
- C:\Windows\System\WksrMnN.exe
  C:\Windows\System\WksrMnN.exe
  2⤵
  PID:6572
- C:\Windows\System\SIxrXVI.exe
  C:\Windows\System\SIxrXVI.exe
  2⤵
  PID:6696
- C:\Windows\System\bArKpyL.exe
  C:\Windows\System\bArKpyL.exe
  2⤵
  PID:6808
- C:\Windows\System\zGOPevo.exe
  C:\Windows\System\zGOPevo.exe
  2⤵
  PID:6676
- C:\Windows\System\YmqbxsX.exe
  C:\Windows\System\YmqbxsX.exe
  2⤵
  PID:5856
- C:\Windows\System\qJqlLbD.exe
  C:\Windows\System\qJqlLbD.exe
  2⤵
  PID:6568
- C:\Windows\System\FfZJENB.exe
  C:\Windows\System\FfZJENB.exe
  2⤵
  PID:6948
- C:\Windows\System\iqAypyF.exe
  C:\Windows\System\iqAypyF.exe
  2⤵
  PID:6236
- C:\Windows\System\mvdoRzP.exe
  C:\Windows\System\mvdoRzP.exe
  2⤵
  PID:6804
- C:\Windows\System\yOwzbyw.exe
  C:\Windows\System\yOwzbyw.exe
  2⤵
  PID:7092
- C:\Windows\System\xhPKbiA.exe
  C:\Windows\System\xhPKbiA.exe
  2⤵
  PID:7184
- C:\Windows\System\gGfygCQ.exe
  C:\Windows\System\gGfygCQ.exe
  2⤵
  PID:7228
- C:\Windows\System\gGdlGsl.exe
  C:\Windows\System\gGdlGsl.exe
  2⤵
  PID:7264
- C:\Windows\System\jdLebQf.exe
  C:\Windows\System\jdLebQf.exe
  2⤵
  PID:7296
- C:\Windows\System\MLaiRSv.exe
  C:\Windows\System\MLaiRSv.exe
  2⤵
  PID:7332
- C:\Windows\System\fkaDUBG.exe
  C:\Windows\System\fkaDUBG.exe
  2⤵
  PID:7368
- C:\Windows\System\davfhpS.exe
  C:\Windows\System\davfhpS.exe
  2⤵
  PID:7412
- C:\Windows\System\mrcVLtw.exe
  C:\Windows\System\mrcVLtw.exe
  2⤵
  PID:7440
- C:\Windows\System\BzTRApX.exe
  C:\Windows\System\BzTRApX.exe
  2⤵
  PID:7456
- C:\Windows\System\qHdCrvi.exe
  C:\Windows\System\qHdCrvi.exe
  2⤵
  PID:7484
- C:\Windows\System\VngBtqK.exe
  C:\Windows\System\VngBtqK.exe
  2⤵
  PID:7532
- C:\Windows\System\nmEcqOb.exe
  C:\Windows\System\nmEcqOb.exe
  2⤵
  PID:7568
- C:\Windows\System\FrLPolq.exe
  C:\Windows\System\FrLPolq.exe
  2⤵
  PID:7600
- C:\Windows\System\XYLVAMw.exe
  C:\Windows\System\XYLVAMw.exe
  2⤵
  PID:7628
- C:\Windows\System\uUcahvh.exe
  C:\Windows\System\uUcahvh.exe
  2⤵
  PID:7644
- C:\Windows\System\gydHzwp.exe
  C:\Windows\System\gydHzwp.exe
  2⤵
  PID:7660
- C:\Windows\System\fNtZeau.exe
  C:\Windows\System\fNtZeau.exe
  2⤵
  PID:7688
- C:\Windows\System\UfuZXSe.exe
  C:\Windows\System\UfuZXSe.exe
  2⤵
  PID:7720
- C:\Windows\System\bnslkuX.exe
  C:\Windows\System\bnslkuX.exe
  2⤵
  PID:7764
- C:\Windows\System\BXtemrj.exe
  C:\Windows\System\BXtemrj.exe
  2⤵
  PID:7800
- C:\Windows\System\GwmdglJ.exe
  C:\Windows\System\GwmdglJ.exe
  2⤵
  PID:7828
- C:\Windows\System\fBOaCQV.exe
  C:\Windows\System\fBOaCQV.exe
  2⤵
  PID:7856
- C:\Windows\System\QsxpXKw.exe
  C:\Windows\System\QsxpXKw.exe
  2⤵
  PID:7872
- C:\Windows\System\ozKKjks.exe
  C:\Windows\System\ozKKjks.exe
  2⤵
  PID:7900
- C:\Windows\System\zobclOp.exe
  C:\Windows\System\zobclOp.exe
  2⤵
  PID:7944
- C:\Windows\System\vPFeZYy.exe
  C:\Windows\System\vPFeZYy.exe
  2⤵
  PID:7968
- C:\Windows\System\ifoiLpw.exe
  C:\Windows\System\ifoiLpw.exe
  2⤵
  PID:8000
- C:\Windows\System\WySpTgl.exe
  C:\Windows\System\WySpTgl.exe
  2⤵
  PID:8024
- C:\Windows\System\mjsyOYb.exe
  C:\Windows\System\mjsyOYb.exe
  2⤵
  PID:8048
- C:\Windows\System\CYNvZej.exe
  C:\Windows\System\CYNvZej.exe
  2⤵
  PID:8080
- C:\Windows\System\NlkGGmk.exe
  C:\Windows\System\NlkGGmk.exe
  2⤵
  PID:8104
- C:\Windows\System\pLXicGD.exe
  C:\Windows\System\pLXicGD.exe
  2⤵
  PID:8124
- C:\Windows\System\FSdsZqD.exe
  C:\Windows\System\FSdsZqD.exe
  2⤵
  PID:8152
- C:\Windows\System\uKqjhYg.exe
  C:\Windows\System\uKqjhYg.exe
  2⤵
  PID:8180
- C:\Windows\System\CkdQjOO.exe
  C:\Windows\System\CkdQjOO.exe
  2⤵
  PID:7204
- C:\Windows\System\yRffNao.exe
  C:\Windows\System\yRffNao.exe
  2⤵
  PID:7272
- C:\Windows\System\cQAVxhB.exe
  C:\Windows\System\cQAVxhB.exe
  2⤵
  PID:7316
- C:\Windows\System\BeTqGrP.exe
  C:\Windows\System\BeTqGrP.exe
  2⤵
  PID:7364
- C:\Windows\System\JUwFWhU.exe
  C:\Windows\System\JUwFWhU.exe
  2⤵
  PID:7400
- C:\Windows\System\eEKjNFM.exe
  C:\Windows\System\eEKjNFM.exe
  2⤵
  PID:7452
- C:\Windows\System\TOixGAC.exe
  C:\Windows\System\TOixGAC.exe
  2⤵
  PID:7512
- C:\Windows\System\WxgODDe.exe
  C:\Windows\System\WxgODDe.exe
  2⤵
  PID:7560
- C:\Windows\System\RAytBzq.exe
  C:\Windows\System\RAytBzq.exe
  2⤵
  PID:7596
- C:\Windows\System\CBklqxM.exe
  C:\Windows\System\CBklqxM.exe
  2⤵
  PID:7672
- C:\Windows\System\xgIGcAA.exe
  C:\Windows\System\xgIGcAA.exe
  2⤵
  PID:7752
- C:\Windows\System\imMxvTZ.exe
  C:\Windows\System\imMxvTZ.exe
  2⤵
  PID:7848
- C:\Windows\System\eVPiUjs.exe
  C:\Windows\System\eVPiUjs.exe
  2⤵
  PID:7896
- C:\Windows\System\gqEneon.exe
  C:\Windows\System\gqEneon.exe
  2⤵
  PID:7936
- C:\Windows\System\geVZltx.exe
  C:\Windows\System\geVZltx.exe
  2⤵
  PID:7980
- C:\Windows\System\pAAkrgi.exe
  C:\Windows\System\pAAkrgi.exe
  2⤵
  PID:8032
- C:\Windows\System\gknoUmE.exe
  C:\Windows\System\gknoUmE.exe
  2⤵
  PID:8092
- C:\Windows\System\MdwkJGG.exe
  C:\Windows\System\MdwkJGG.exe
  2⤵
  PID:7172
- C:\Windows\System\VbDsPjM.exe
  C:\Windows\System\VbDsPjM.exe
  2⤵
  PID:7208
- C:\Windows\System\ApQsnTi.exe
  C:\Windows\System\ApQsnTi.exe
  2⤵
  PID:7476
- C:\Windows\System\BKRrFBH.exe
  C:\Windows\System\BKRrFBH.exe
  2⤵
  PID:7464
- C:\Windows\System\ZFNfHxD.exe
  C:\Windows\System\ZFNfHxD.exe
  2⤵
  PID:7772
- C:\Windows\System\EObrJUq.exe
  C:\Windows\System\EObrJUq.exe
  2⤵
  PID:7788
- C:\Windows\System\IWIRpMN.exe
  C:\Windows\System\IWIRpMN.exe
  2⤵
  PID:7884
- C:\Windows\System\FDfqHAa.exe
  C:\Windows\System\FDfqHAa.exe
  2⤵
  PID:8064
- C:\Windows\System\LKqOqrc.exe
  C:\Windows\System\LKqOqrc.exe
  2⤵
  PID:7432
- C:\Windows\System\BphkOUe.exe
  C:\Windows\System\BphkOUe.exe
  2⤵
  PID:7812
- C:\Windows\System\gXzjEaH.exe
  C:\Windows\System\gXzjEaH.exe
  2⤵
  PID:8012
- C:\Windows\System\OIBXGsU.exe
  C:\Windows\System\OIBXGsU.exe
  2⤵
  PID:7576
- C:\Windows\System\xauyvgT.exe
  C:\Windows\System\xauyvgT.exe
  2⤵
  PID:7424
- C:\Windows\System\MbdMygQ.exe
  C:\Windows\System\MbdMygQ.exe
  2⤵
  PID:8220
- C:\Windows\System\mQzchnZ.exe
  C:\Windows\System\mQzchnZ.exe
  2⤵
  PID:8248
- C:\Windows\System\crinSPr.exe
  C:\Windows\System\crinSPr.exe
  2⤵
  PID:8272
- C:\Windows\System\AorWbGy.exe
  C:\Windows\System\AorWbGy.exe
  2⤵
  PID:8308
- C:\Windows\System\PTJGFOO.exe
  C:\Windows\System\PTJGFOO.exe
  2⤵
  PID:8344
- C:\Windows\System\vCfqTlw.exe
  C:\Windows\System\vCfqTlw.exe
  2⤵
  PID:8364
- C:\Windows\System\DdFRlLj.exe
  C:\Windows\System\DdFRlLj.exe
  2⤵
  PID:8396
- C:\Windows\System\CKoyVVx.exe
  C:\Windows\System\CKoyVVx.exe
  2⤵
  PID:8424
- C:\Windows\System\rBXYbKL.exe
  C:\Windows\System\rBXYbKL.exe
  2⤵
  PID:8456
- C:\Windows\System\ltAExcg.exe
  C:\Windows\System\ltAExcg.exe
  2⤵
  PID:8496
- C:\Windows\System\MRkkUiq.exe
  C:\Windows\System\MRkkUiq.exe
  2⤵
  PID:8512
- C:\Windows\System\gmPSHAc.exe
  C:\Windows\System\gmPSHAc.exe
  2⤵
  PID:8552
- C:\Windows\System\JdEkdee.exe
  C:\Windows\System\JdEkdee.exe
  2⤵
  PID:8580
- C:\Windows\System\VPFzjcZ.exe
  C:\Windows\System\VPFzjcZ.exe
  2⤵
  PID:8616
- C:\Windows\System\vhxbUKP.exe
  C:\Windows\System\vhxbUKP.exe
  2⤵
  PID:8648
- C:\Windows\System\UXSeJuZ.exe
  C:\Windows\System\UXSeJuZ.exe
  2⤵
  PID:8680
- C:\Windows\System\dpsicQg.exe
  C:\Windows\System\dpsicQg.exe
  2⤵
  PID:8716
- C:\Windows\System\tUdODlO.exe
  C:\Windows\System\tUdODlO.exe
  2⤵
  PID:8744
- C:\Windows\System\XEMtkIQ.exe
  C:\Windows\System\XEMtkIQ.exe
  2⤵
  PID:8772
- C:\Windows\System\ucwGfdS.exe
  C:\Windows\System\ucwGfdS.exe
  2⤵
  PID:8800
- C:\Windows\System\EUYngAM.exe
  C:\Windows\System\EUYngAM.exe
  2⤵
  PID:8828
- C:\Windows\System\YBjntlg.exe
  C:\Windows\System\YBjntlg.exe
  2⤵
  PID:8856
- C:\Windows\System\OWDIPpN.exe
  C:\Windows\System\OWDIPpN.exe
  2⤵
  PID:8884
- C:\Windows\System\MKOCurE.exe
  C:\Windows\System\MKOCurE.exe
  2⤵
  PID:8912
- C:\Windows\System\hobrHbs.exe
  C:\Windows\System\hobrHbs.exe
  2⤵
  PID:8928
- C:\Windows\System\iqDLPgI.exe
  C:\Windows\System\iqDLPgI.exe
  2⤵
  PID:8972
- C:\Windows\System\ntLfpXB.exe
  C:\Windows\System\ntLfpXB.exe
  2⤵
  PID:8992
- C:\Windows\System\VKnRbVk.exe
  C:\Windows\System\VKnRbVk.exe
  2⤵
  PID:9020
- C:\Windows\System\KqySVle.exe
  C:\Windows\System\KqySVle.exe
  2⤵
  PID:9048
- C:\Windows\System\VibDLVe.exe
  C:\Windows\System\VibDLVe.exe
  2⤵
  PID:9072
- C:\Windows\System\KjAHFVJ.exe
  C:\Windows\System\KjAHFVJ.exe
  2⤵
  PID:9100
- C:\Windows\System\XQWWFSx.exe
  C:\Windows\System\XQWWFSx.exe
  2⤵
  PID:9124
- C:\Windows\System\LNpyFNJ.exe
  C:\Windows\System\LNpyFNJ.exe
  2⤵
  PID:9148
- C:\Windows\System\rQlTHnZ.exe
  C:\Windows\System\rQlTHnZ.exe
  2⤵
  PID:9172
- C:\Windows\System\ATCdTts.exe
  C:\Windows\System\ATCdTts.exe
  2⤵
  PID:9200
- C:\Windows\System\AuymPPU.exe
  C:\Windows\System\AuymPPU.exe
  2⤵
  PID:8168
- C:\Windows\System\oiAYMhR.exe
  C:\Windows\System\oiAYMhR.exe
  2⤵
  PID:8236
- C:\Windows\System\xzWaobw.exe
  C:\Windows\System\xzWaobw.exe
  2⤵
  PID:8256
- C:\Windows\System\WirYtjv.exe
  C:\Windows\System\WirYtjv.exe
  2⤵
  PID:8332
- C:\Windows\System\YJvEahm.exe
  C:\Windows\System\YJvEahm.exe
  2⤵
  PID:8508
- C:\Windows\System\yJeKnTb.exe
  C:\Windows\System\yJeKnTb.exe
  2⤵
  PID:8536
- C:\Windows\System\zhrQkEl.exe
  C:\Windows\System\zhrQkEl.exe
  2⤵
  PID:8664
- C:\Windows\System\PrVZggl.exe
  C:\Windows\System\PrVZggl.exe
  2⤵
  PID:8792
- C:\Windows\System\CgpDTzU.exe
  C:\Windows\System\CgpDTzU.exe
  2⤵
  PID:8892
- C:\Windows\System\keAMmrH.exe
  C:\Windows\System\keAMmrH.exe
  2⤵
  PID:8920
- C:\Windows\System\wKFNtOe.exe
  C:\Windows\System\wKFNtOe.exe
  2⤵
  PID:8964
- C:\Windows\System\gLLdVlS.exe
  C:\Windows\System\gLLdVlS.exe
  2⤵
  PID:9028
- C:\Windows\System\XQQHVXS.exe
  C:\Windows\System\XQQHVXS.exe
  2⤵
  PID:9120
- C:\Windows\System\hBWPrTB.exe
  C:\Windows\System\hBWPrTB.exe
  2⤵
  PID:9164
- C:\Windows\System\htlmQZF.exe
  C:\Windows\System\htlmQZF.exe
  2⤵
  PID:8212
- C:\Windows\System\qLHIIPG.exe
  C:\Windows\System\qLHIIPG.exe
  2⤵
  PID:8372
- C:\Windows\System\yodTrnB.exe
  C:\Windows\System\yodTrnB.exe
  2⤵
  PID:9008
- C:\Windows\System\BKulPVc.exe
  C:\Windows\System\BKulPVc.exe
  2⤵
  PID:8592
- C:\Windows\System\YtHIOIP.exe
  C:\Windows\System\YtHIOIP.exe
  2⤵
  PID:9160
- C:\Windows\System\WXsCZVm.exe
  C:\Windows\System\WXsCZVm.exe
  2⤵
  PID:9228
- C:\Windows\System\jCZiQDw.exe
  C:\Windows\System\jCZiQDw.exe
  2⤵
  PID:9244
- C:\Windows\System\esyQugq.exe
  C:\Windows\System\esyQugq.exe
  2⤵
  PID:9268
- C:\Windows\System\JHShvvI.exe
  C:\Windows\System\JHShvvI.exe
  2⤵
  PID:9288
- C:\Windows\System\eNQbmLn.exe
  C:\Windows\System\eNQbmLn.exe
  2⤵
  PID:9372
- C:\Windows\System\ROUreQO.exe
  C:\Windows\System\ROUreQO.exe
  2⤵
  PID:9388
- C:\Windows\System\WRkpdih.exe
  C:\Windows\System\WRkpdih.exe
  2⤵
  PID:9428
- C:\Windows\System\QbJxMHO.exe
  C:\Windows\System\QbJxMHO.exe
  2⤵
  PID:9480
- C:\Windows\System\MgImflV.exe
  C:\Windows\System\MgImflV.exe
  2⤵
  PID:9496
- C:\Windows\System\HsAvJhB.exe
  C:\Windows\System\HsAvJhB.exe
  2⤵
  PID:9524
- C:\Windows\System\xBdmhQQ.exe
  C:\Windows\System\xBdmhQQ.exe
  2⤵
  PID:9544
- C:\Windows\System\XWIWnAN.exe
  C:\Windows\System\XWIWnAN.exe
  2⤵
  PID:9568
- C:\Windows\System\wJnzgmu.exe
  C:\Windows\System\wJnzgmu.exe
  2⤵
  PID:9588
- C:\Windows\System\nzBikhO.exe
  C:\Windows\System\nzBikhO.exe
  2⤵
  PID:9608
- C:\Windows\System\VMdDTJj.exe
  C:\Windows\System\VMdDTJj.exe
  2⤵
  PID:9640
- C:\Windows\System\CKXypGD.exe
  C:\Windows\System\CKXypGD.exe
  2⤵
  PID:9660
- C:\Windows\System\OruoUGc.exe
  C:\Windows\System\OruoUGc.exe
  2⤵
  PID:9684
- C:\Windows\System\myOhpZk.exe
  C:\Windows\System\myOhpZk.exe
  2⤵
  PID:9708
- C:\Windows\System\nKOXpsU.exe
  C:\Windows\System\nKOXpsU.exe
  2⤵
  PID:9736
- C:\Windows\System\YxUJtZp.exe
  C:\Windows\System\YxUJtZp.exe
  2⤵
  PID:9756
- C:\Windows\System\NcBwxhz.exe
  C:\Windows\System\NcBwxhz.exe
  2⤵
  PID:9780
- C:\Windows\System\TMhLTmW.exe
  C:\Windows\System\TMhLTmW.exe
  2⤵
  PID:9824
- C:\Windows\System\kjiuszH.exe
  C:\Windows\System\kjiuszH.exe
  2⤵
  PID:9876
- C:\Windows\System\gEltnlv.exe
  C:\Windows\System\gEltnlv.exe
  2⤵
  PID:9912
- C:\Windows\System\aYhMTGN.exe
  C:\Windows\System\aYhMTGN.exe
  2⤵
  PID:9940
- C:\Windows\System\zChaNTj.exe
  C:\Windows\System\zChaNTj.exe
  2⤵
  PID:9968
- C:\Windows\System\IoXkCuC.exe
  C:\Windows\System\IoXkCuC.exe
  2⤵
  PID:9996
- C:\Windows\System\hWgsNXs.exe
  C:\Windows\System\hWgsNXs.exe
  2⤵
  PID:10020
- C:\Windows\System\LSZMjNf.exe
  C:\Windows\System\LSZMjNf.exe
  2⤵
  PID:10060
- C:\Windows\System\AkhijtN.exe
  C:\Windows\System\AkhijtN.exe
  2⤵
  PID:10112
- C:\Windows\System\HBHbbCZ.exe
  C:\Windows\System\HBHbbCZ.exe
  2⤵
  PID:10132
- C:\Windows\System\msvUNjD.exe
  C:\Windows\System\msvUNjD.exe
  2⤵
  PID:10152
- C:\Windows\System\SCLIDKu.exe
  C:\Windows\System\SCLIDKu.exe
  2⤵
  PID:10180
- C:\Windows\System\cafguFr.exe
  C:\Windows\System\cafguFr.exe
  2⤵
  PID:10212
- C:\Windows\System\svEyNxo.exe
  C:\Windows\System\svEyNxo.exe
  2⤵
  PID:10236
- C:\Windows\System\BBWKkqY.exe
  C:\Windows\System\BBWKkqY.exe
  2⤵
  PID:9236
- C:\Windows\System\wTaxJra.exe
  C:\Windows\System\wTaxJra.exe
  2⤵
  PID:9348
- C:\Windows\System\zZiOuKo.exe
  C:\Windows\System\zZiOuKo.exe
  2⤵
  PID:9144
- C:\Windows\System\LCUcVdJ.exe
  C:\Windows\System\LCUcVdJ.exe
  2⤵
  PID:9440
- C:\Windows\System\CwNjwwF.exe
  C:\Windows\System\CwNjwwF.exe
  2⤵
  PID:9536
- C:\Windows\System\sVGcclr.exe
  C:\Windows\System\sVGcclr.exe
  2⤵
  PID:9628
- C:\Windows\System\BaHgotm.exe
  C:\Windows\System\BaHgotm.exe
  2⤵
  PID:9560
- C:\Windows\System\jubtbhU.exe
  C:\Windows\System\jubtbhU.exe
  2⤵
  PID:9832
- C:\Windows\System\hnQZKlk.exe
  C:\Windows\System\hnQZKlk.exe
  2⤵
  PID:9928
- C:\Windows\System\lLMIjbN.exe
  C:\Windows\System\lLMIjbN.exe
  2⤵
  PID:9908
- C:\Windows\System\sigABUF.exe
  C:\Windows\System\sigABUF.exe
  2⤵
  PID:10040
- C:\Windows\System\RJEgZvn.exe
  C:\Windows\System\RJEgZvn.exe
  2⤵
  PID:10016
- C:\Windows\System\Wzbyicp.exe
  C:\Windows\System\Wzbyicp.exe
  2⤵
  PID:10176
- C:\Windows\System\wQRGQXS.exe
  C:\Windows\System\wQRGQXS.exe
  2⤵
  PID:2924
- C:\Windows\System\hItyNAv.exe
  C:\Windows\System\hItyNAv.exe
  2⤵
  PID:9108
- C:\Windows\System\CsYrrDg.exe
  C:\Windows\System\CsYrrDg.exe
  2⤵
  PID:9508
- C:\Windows\System\ILffGXD.exe
  C:\Windows\System\ILffGXD.exe
  2⤵
  PID:9556
- C:\Windows\System\wqFGaEC.exe
  C:\Windows\System\wqFGaEC.exe
  2⤵
  PID:9776
- C:\Windows\System\sewozqY.exe
  C:\Windows\System\sewozqY.exe
  2⤵
  PID:10200
- C:\Windows\System\YlAjKNA.exe
  C:\Windows\System\YlAjKNA.exe
  2⤵
  PID:9400
- C:\Windows\System\UJlVadY.exe
  C:\Windows\System\UJlVadY.exe
  2⤵
  PID:9576
- C:\Windows\System\EwewOYk.exe
  C:\Windows\System\EwewOYk.exe
  2⤵
  PID:10228
- C:\Windows\System\WbMMpGs.exe
  C:\Windows\System\WbMMpGs.exe
  2⤵
  PID:9816
- C:\Windows\System\HgSUVKG.exe
  C:\Windows\System\HgSUVKG.exe
  2⤵
  PID:10260
- C:\Windows\System\mIWpOJz.exe
  C:\Windows\System\mIWpOJz.exe
  2⤵
  PID:10276
- C:\Windows\System\DXcWRcH.exe
  C:\Windows\System\DXcWRcH.exe
  2⤵
  PID:10324
- C:\Windows\System\lZWxZVc.exe
  C:\Windows\System\lZWxZVc.exe
  2⤵
  PID:10352
- C:\Windows\System\xeNIYKu.exe
  C:\Windows\System\xeNIYKu.exe
  2⤵
  PID:10368
- C:\Windows\System\yIzFlPg.exe
  C:\Windows\System\yIzFlPg.exe
  2⤵
  PID:10400
- C:\Windows\System\lXFGluR.exe
  C:\Windows\System\lXFGluR.exe
  2⤵
  PID:10436
- C:\Windows\System\MVyrwFp.exe
  C:\Windows\System\MVyrwFp.exe
  2⤵
  PID:10468
- C:\Windows\System\aYrdOYz.exe
  C:\Windows\System\aYrdOYz.exe
  2⤵
  PID:10492
- C:\Windows\System\VxVrSmi.exe
  C:\Windows\System\VxVrSmi.exe
  2⤵
  PID:10512
- C:\Windows\System\TExXnVX.exe
  C:\Windows\System\TExXnVX.exe
  2⤵
  PID:10532
- C:\Windows\System\iBVINbQ.exe
  C:\Windows\System\iBVINbQ.exe
  2⤵
  PID:10548
- C:\Windows\System\NmRomcn.exe
  C:\Windows\System\NmRomcn.exe
  2⤵
  PID:10572
- C:\Windows\System\aCWQfFJ.exe
  C:\Windows\System\aCWQfFJ.exe
  2⤵
  PID:10588
- C:\Windows\System\vXqdbYX.exe
  C:\Windows\System\vXqdbYX.exe
  2⤵
  PID:10616
- C:\Windows\System\JqTmtth.exe
  C:\Windows\System\JqTmtth.exe
  2⤵
  PID:10664
- C:\Windows\System\PDlhUIJ.exe
  C:\Windows\System\PDlhUIJ.exe
  2⤵
  PID:10704
- C:\Windows\System\EOZpHYk.exe
  C:\Windows\System\EOZpHYk.exe
  2⤵
  PID:10752
- C:\Windows\System\DDhBMDd.exe
  C:\Windows\System\DDhBMDd.exe
  2⤵
  PID:10768
- C:\Windows\System\EACfXlL.exe
  C:\Windows\System\EACfXlL.exe
  2⤵
  PID:10836
- C:\Windows\System\HypHivD.exe
  C:\Windows\System\HypHivD.exe
  2⤵
  PID:10876
- C:\Windows\System\pGGOvjD.exe
  C:\Windows\System\pGGOvjD.exe
  2⤵
  PID:10904
- C:\Windows\System\bwJKDya.exe
  C:\Windows\System\bwJKDya.exe
  2⤵
  PID:10936
- C:\Windows\System\STQaTLK.exe
  C:\Windows\System\STQaTLK.exe
  2⤵
  PID:10956
- C:\Windows\System\sKcKbvq.exe
  C:\Windows\System\sKcKbvq.exe
  2⤵
  PID:10980
- C:\Windows\System\mtUsXkA.exe
  C:\Windows\System\mtUsXkA.exe
  2⤵
  PID:11020
- C:\Windows\System\LkTbHfw.exe
  C:\Windows\System\LkTbHfw.exe
  2⤵
  PID:11048
- C:\Windows\System\AqtRTyp.exe
  C:\Windows\System\AqtRTyp.exe
  2⤵
  PID:11076
- C:\Windows\System\vrFfsqA.exe
  C:\Windows\System\vrFfsqA.exe
  2⤵
  PID:11096
- C:\Windows\System\tpFfOLm.exe
  C:\Windows\System\tpFfOLm.exe
  2⤵
  PID:11132
- C:\Windows\System\iTDyqDo.exe
  C:\Windows\System\iTDyqDo.exe
  2⤵
  PID:11152
- C:\Windows\System\KBDBGno.exe
  C:\Windows\System\KBDBGno.exe
  2⤵
  PID:11184
- C:\Windows\System\FNstoex.exe
  C:\Windows\System\FNstoex.exe
  2⤵
  PID:11208
- C:\Windows\System\aGvtQNW.exe
  C:\Windows\System\aGvtQNW.exe
  2⤵
  PID:11244
- C:\Windows\System\ulaNTtN.exe
  C:\Windows\System\ulaNTtN.exe
  2⤵
  PID:10252
- C:\Windows\System\cPgnzBF.exe
  C:\Windows\System\cPgnzBF.exe
  2⤵
  PID:10288
- C:\Windows\System\lbWdifg.exe
  C:\Windows\System\lbWdifg.exe
  2⤵
  PID:10408
- C:\Windows\System\nfZprmz.exe
  C:\Windows\System\nfZprmz.exe
  2⤵
  PID:10460
- C:\Windows\System\oaGUzfE.exe
  C:\Windows\System\oaGUzfE.exe
  2⤵
  PID:10524
- C:\Windows\System\TwUncPV.exe
  C:\Windows\System\TwUncPV.exe
  2⤵
  PID:10604
- C:\Windows\System\BNVtPFt.exe
  C:\Windows\System\BNVtPFt.exe
  2⤵
  PID:10676
- C:\Windows\System\nGhnFBw.exe
  C:\Windows\System\nGhnFBw.exe
  2⤵
  PID:10716
- C:\Windows\System\guKByrl.exe
  C:\Windows\System\guKByrl.exe
  2⤵
  PID:10764
- C:\Windows\System\WsMPRlZ.exe
  C:\Windows\System\WsMPRlZ.exe
  2⤵
  PID:10896
- C:\Windows\System\GXfduwK.exe
  C:\Windows\System\GXfduwK.exe
  2⤵
  PID:10992
- C:\Windows\System\EoYbRBg.exe
  C:\Windows\System\EoYbRBg.exe
  2⤵
  PID:11032
- C:\Windows\System\MtjhqPN.exe
  C:\Windows\System\MtjhqPN.exe
  2⤵
  PID:11140
- C:\Windows\System\uIolhnW.exe
  C:\Windows\System\uIolhnW.exe
  2⤵
  PID:11180
- C:\Windows\System\AXHDumf.exe
  C:\Windows\System\AXHDumf.exe
  2⤵
  PID:10272
- C:\Windows\System\WYUxezF.exe
  C:\Windows\System\WYUxezF.exe
  2⤵
  PID:10428
- C:\Windows\System\WtLayPp.exe
  C:\Windows\System\WtLayPp.exe
  2⤵
  PID:10500
- C:\Windows\System\dhEPDfy.exe
  C:\Windows\System\dhEPDfy.exe
  2⤵
  PID:10644
- C:\Windows\System\lGgHXxd.exe
  C:\Windows\System\lGgHXxd.exe
  2⤵
  PID:10892
- C:\Windows\System\pPDOMLb.exe
  C:\Windows\System\pPDOMLb.exe
  2⤵
  PID:11124
- C:\Windows\System\YsilTwS.exe
  C:\Windows\System\YsilTwS.exe
  2⤵
  PID:11224
- C:\Windows\System\TPPKOuC.exe
  C:\Windows\System\TPPKOuC.exe
  2⤵
  PID:10484
- C:\Windows\System\FOSwixS.exe
  C:\Windows\System\FOSwixS.exe
  2⤵
  PID:10968
- C:\Windows\System\EOwJKaA.exe
  C:\Windows\System\EOwJKaA.exe
  2⤵
  PID:10448
- C:\Windows\System\xfZeJgW.exe
  C:\Windows\System\xfZeJgW.exe
  2⤵
  PID:10820
- C:\Windows\System\fHOynCt.exe
  C:\Windows\System\fHOynCt.exe
  2⤵
  PID:10320
- C:\Windows\System\uqZlbWY.exe
  C:\Windows\System\uqZlbWY.exe
  2⤵
  PID:11300
- C:\Windows\System\igsBjKL.exe
  C:\Windows\System\igsBjKL.exe
  2⤵
  PID:11336
- C:\Windows\System\tdgAiDY.exe
  C:\Windows\System\tdgAiDY.exe
  2⤵
  PID:11364
- C:\Windows\System\hXuMDTc.exe
  C:\Windows\System\hXuMDTc.exe
  2⤵
  PID:11384
- C:\Windows\System\yhgSaOv.exe
  C:\Windows\System\yhgSaOv.exe
  2⤵
  PID:11420
- C:\Windows\System\pUEbigM.exe
  C:\Windows\System\pUEbigM.exe
  2⤵
  PID:11440
- C:\Windows\System\kxySUQm.exe
  C:\Windows\System\kxySUQm.exe
  2⤵
  PID:11464
- C:\Windows\System\CmVkXwU.exe
  C:\Windows\System\CmVkXwU.exe
  2⤵
  PID:11504
- C:\Windows\System\BHgdyzX.exe
  C:\Windows\System\BHgdyzX.exe
  2⤵
  PID:11544
- C:\Windows\System\FKXSHHi.exe
  C:\Windows\System\FKXSHHi.exe
  2⤵
  PID:11564
- C:\Windows\System\yfGFUUW.exe
  C:\Windows\System\yfGFUUW.exe
  2⤵
  PID:11592
- C:\Windows\System\dNsWcac.exe
  C:\Windows\System\dNsWcac.exe
  2⤵
  PID:11620
- C:\Windows\System\gALSJeA.exe
  C:\Windows\System\gALSJeA.exe
  2⤵
  PID:11648
- C:\Windows\System\VUFvePe.exe
  C:\Windows\System\VUFvePe.exe
  2⤵
  PID:11676
- C:\Windows\System\nYscdql.exe
  C:\Windows\System\nYscdql.exe
  2⤵
  PID:11704
- C:\Windows\System\nrBgvCj.exe
  C:\Windows\System\nrBgvCj.exe
  2⤵
  PID:11720
- C:\Windows\System\dnOJhlD.exe
  C:\Windows\System\dnOJhlD.exe
  2⤵
  PID:11748
- C:\Windows\System\tMBmiYd.exe
  C:\Windows\System\tMBmiYd.exe
  2⤵
  PID:11764
- C:\Windows\System\ABKhoAN.exe
  C:\Windows\System\ABKhoAN.exe
  2⤵
  PID:11804
- C:\Windows\System\KNKIXdw.exe
  C:\Windows\System\KNKIXdw.exe
  2⤵
  PID:11840
- C:\Windows\System\jHLMSme.exe
  C:\Windows\System\jHLMSme.exe
  2⤵
  PID:11872
- C:\Windows\System\pwnOgOh.exe
  C:\Windows\System\pwnOgOh.exe
  2⤵
  PID:11888
- C:\Windows\System\qTUCRsa.exe
  C:\Windows\System\qTUCRsa.exe
  2⤵
  PID:11916
- C:\Windows\System\eBqwHSt.exe
  C:\Windows\System\eBqwHSt.exe
  2⤵
  PID:11944
- C:\Windows\System\lRytbpV.exe
  C:\Windows\System\lRytbpV.exe
  2⤵
  PID:11972
- C:\Windows\System\jNTGtrH.exe
  C:\Windows\System\jNTGtrH.exe
  2⤵
  PID:12004
- C:\Windows\System\CYTFdIo.exe
  C:\Windows\System\CYTFdIo.exe
  2⤵
  PID:12040
- C:\Windows\System\xxTuSRn.exe
  C:\Windows\System\xxTuSRn.exe
  2⤵
  PID:12068
- C:\Windows\System\PKtVQPc.exe
  C:\Windows\System\PKtVQPc.exe
  2⤵
  PID:12096
- C:\Windows\System\ojJsiim.exe
  C:\Windows\System\ojJsiim.exe
  2⤵
  PID:12116
- C:\Windows\System\weuEnIT.exe
  C:\Windows\System\weuEnIT.exe
  2⤵
  PID:12144
- C:\Windows\System\qLtbXvo.exe
  C:\Windows\System\qLtbXvo.exe
  2⤵
  PID:12180
- C:\Windows\System\FgkWmAb.exe
  C:\Windows\System\FgkWmAb.exe
  2⤵
  PID:12204
- C:\Windows\System\HJSBVPl.exe
  C:\Windows\System\HJSBVPl.exe
  2⤵
  PID:12224
- C:\Windows\System\tJsrIpU.exe
  C:\Windows\System\tJsrIpU.exe
  2⤵
  PID:12256
- C:\Windows\System\AOjqxmA.exe
  C:\Windows\System\AOjqxmA.exe
  2⤵
  PID:12284
- C:\Windows\System\bybHJfE.exe
  C:\Windows\System\bybHJfE.exe
  2⤵
  PID:11320
- C:\Windows\System\JGvQFFR.exe
  C:\Windows\System\JGvQFFR.exe
  2⤵
  PID:11392
- C:\Windows\System\txYgNIO.exe
  C:\Windows\System\txYgNIO.exe
  2⤵
  PID:11448
- C:\Windows\System\OaHoSve.exe
  C:\Windows\System\OaHoSve.exe
  2⤵
  PID:11540
- C:\Windows\System\vzLBgPO.exe
  C:\Windows\System\vzLBgPO.exe
  2⤵
  PID:11608
- C:\Windows\System\tMyGyif.exe
  C:\Windows\System\tMyGyif.exe
  2⤵
  PID:11644
- C:\Windows\System\TxQLiOu.exe
  C:\Windows\System\TxQLiOu.exe
  2⤵
  PID:11716
- C:\Windows\System\OuSVwbl.exe
  C:\Windows\System\OuSVwbl.exe
  2⤵
  PID:11756
- C:\Windows\System\HGYAMxb.exe
  C:\Windows\System\HGYAMxb.exe
  2⤵
  PID:11824
- C:\Windows\System\BIZjtGV.exe
  C:\Windows\System\BIZjtGV.exe
  2⤵
  PID:11900
- C:\Windows\System\ArzraSf.exe
  C:\Windows\System\ArzraSf.exe
  2⤵
  PID:11992
- C:\Windows\System\yBlUYZe.exe
  C:\Windows\System\yBlUYZe.exe
  2⤵
  PID:12060
- C:\Windows\System\GGqzWKe.exe
  C:\Windows\System\GGqzWKe.exe
  2⤵
  PID:12104
- C:\Windows\System\YQHjaTs.exe
  C:\Windows\System\YQHjaTs.exe
  2⤵
  PID:12176
- C:\Windows\System\OJHvohU.exe
  C:\Windows\System\OJHvohU.exe
  2⤵
  PID:12244
- C:\Windows\System\ssmnPIo.exe
  C:\Windows\System\ssmnPIo.exe
  2⤵
  PID:11348
- C:\Windows\System\fyeGUcO.exe
  C:\Windows\System\fyeGUcO.exe
  2⤵
  PID:11488
- C:\Windows\System\ayMLVDm.exe
  C:\Windows\System\ayMLVDm.exe
  2⤵
  PID:11664
- C:\Windows\System\LviJKob.exe
  C:\Windows\System\LviJKob.exe
  2⤵
  PID:11816
- C:\Windows\System\InLOAnn.exe
  C:\Windows\System\InLOAnn.exe
  2⤵
  PID:11952
- C:\Windows\System\AAxsHWc.exe
  C:\Windows\System\AAxsHWc.exe
  2⤵
  PID:12092
- C:\Windows\System\xxiyRXy.exe
  C:\Windows\System\xxiyRXy.exe
  2⤵
  PID:12220
- C:\Windows\System\lUljdSv.exe
  C:\Windows\System\lUljdSv.exe
  2⤵
  PID:11560
- C:\Windows\System\MguNUHY.exe
  C:\Windows\System\MguNUHY.exe
  2⤵
  PID:11412
- C:\Windows\System\QSttuAA.exe
  C:\Windows\System\QSttuAA.exe
  2⤵
  PID:11928
- C:\Windows\System\MCtVokT.exe
  C:\Windows\System\MCtVokT.exe
  2⤵
  PID:11588
- C:\Windows\System\CFqIBfE.exe
  C:\Windows\System\CFqIBfE.exe
  2⤵
  PID:12152
- C:\Windows\System\wQyUCci.exe
  C:\Windows\System\wQyUCci.exe
  2⤵
  PID:12320
- C:\Windows\System\MHLBmKy.exe
  C:\Windows\System\MHLBmKy.exe
  2⤵
  PID:12348
- C:\Windows\System\hpVKrYf.exe
  C:\Windows\System\hpVKrYf.exe
  2⤵
  PID:12364
- C:\Windows\System\IwAniwI.exe
  C:\Windows\System\IwAniwI.exe
  2⤵
  PID:12392
- C:\Windows\System\zEUqDkD.exe
  C:\Windows\System\zEUqDkD.exe
  2⤵
  PID:12436
- C:\Windows\System\QilkrAh.exe
  C:\Windows\System\QilkrAh.exe
  2⤵
  PID:12464
- C:\Windows\System\ZdyXcSH.exe
  C:\Windows\System\ZdyXcSH.exe
  2⤵
  PID:12480
- C:\Windows\System\sUckFDA.exe
  C:\Windows\System\sUckFDA.exe
  2⤵
  PID:12508
- C:\Windows\System\gqyrkdp.exe
  C:\Windows\System\gqyrkdp.exe
  2⤵
  PID:12544
- C:\Windows\System\hJVBjva.exe
  C:\Windows\System\hJVBjva.exe
  2⤵
  PID:12568
- C:\Windows\System\uftDWAl.exe
  C:\Windows\System\uftDWAl.exe
  2⤵
  PID:12592
- C:\Windows\System\npNVbsG.exe
  C:\Windows\System\npNVbsG.exe
  2⤵
  PID:12616
- C:\Windows\System\uqKrLux.exe
  C:\Windows\System\uqKrLux.exe
  2⤵
  PID:12660
- C:\Windows\System\HmtPghF.exe
  C:\Windows\System\HmtPghF.exe
  2⤵
  PID:12676
- C:\Windows\System\Nhxqxsx.exe
  C:\Windows\System\Nhxqxsx.exe
  2⤵
  PID:12704
- C:\Windows\System\vFjTlPi.exe
  C:\Windows\System\vFjTlPi.exe
  2⤵
  PID:12736
- C:\Windows\System\TIzmOfv.exe
  C:\Windows\System\TIzmOfv.exe
  2⤵
  PID:12760
- C:\Windows\System\waoBpIu.exe
  C:\Windows\System\waoBpIu.exe
  2⤵
  PID:12796
- C:\Windows\System\etqUgNq.exe
  C:\Windows\System\etqUgNq.exe
  2⤵
  PID:12828
- C:\Windows\System\iWtoXhx.exe
  C:\Windows\System\iWtoXhx.exe
  2⤵
  PID:12844
- C:\Windows\System\vOifRbO.exe
  C:\Windows\System\vOifRbO.exe
  2⤵
  PID:12876
- C:\Windows\System\pujPIRY.exe
  C:\Windows\System\pujPIRY.exe
  2⤵
  PID:12900
- C:\Windows\System\CKuBMgA.exe
  C:\Windows\System\CKuBMgA.exe
  2⤵
  PID:12928
- C:\Windows\System\hoPEMvR.exe
  C:\Windows\System\hoPEMvR.exe
  2⤵
  PID:12960
- C:\Windows\System\uUQIqxj.exe
  C:\Windows\System\uUQIqxj.exe
  2⤵
  PID:12996
- C:\Windows\System\uSHdehe.exe
  C:\Windows\System\uSHdehe.exe
  2⤵
  PID:13024
- C:\Windows\System\KPHCWfU.exe
  C:\Windows\System\KPHCWfU.exe
  2⤵
  PID:13052
- C:\Windows\System\ysUkPmX.exe
  C:\Windows\System\ysUkPmX.exe
  2⤵
  PID:13068
- C:\Windows\System\rISrjyq.exe
  C:\Windows\System\rISrjyq.exe
  2⤵
  PID:13108
- C:\Windows\System\McckqkD.exe
  C:\Windows\System\McckqkD.exe
  2⤵
  PID:13124
- C:\Windows\System\qZPLKYr.exe
  C:\Windows\System\qZPLKYr.exe
  2⤵
  PID:13152
- C:\Windows\System\FMBfEoB.exe
  C:\Windows\System\FMBfEoB.exe
  2⤵
  PID:13192
- C:\Windows\System\mryhKtw.exe
  C:\Windows\System\mryhKtw.exe
  2⤵
  PID:13208
- C:\Windows\System\XLUnSix.exe
  C:\Windows\System\XLUnSix.exe
  2⤵
  PID:13228
- C:\Windows\System\oUTnLXF.exe
  C:\Windows\System\oUTnLXF.exe
  2⤵
  PID:13252
- C:\Windows\System\xyQFpoY.exe
  C:\Windows\System\xyQFpoY.exe
  2⤵
  PID:13284
- C:\Windows\System\qfnxNlK.exe
  C:\Windows\System\qfnxNlK.exe
  2⤵
  PID:12248
- C:\Windows\System\vqJpexJ.exe
  C:\Windows\System\vqJpexJ.exe
  2⤵
  PID:12356
- C:\Windows\System\RoItYhM.exe
  C:\Windows\System\RoItYhM.exe
  2⤵
  PID:2356
- C:\Windows\System\vyOdEfN.exe
  C:\Windows\System\vyOdEfN.exe
  2⤵
  PID:12416
- C:\Windows\System\xLTZVqH.exe
  C:\Windows\System\xLTZVqH.exe
  2⤵
  PID:12472
- C:\Windows\System\EwXArev.exe
  C:\Windows\System\EwXArev.exe
  2⤵
  PID:12556
- C:\Windows\System\MZVTkoA.exe
  C:\Windows\System\MZVTkoA.exe
  2⤵
  PID:12628
- C:\Windows\System\wnQLJKe.exe
  C:\Windows\System\wnQLJKe.exe
  2⤵
  PID:12720
- C:\Windows\System\tGgVpHA.exe
  C:\Windows\System\tGgVpHA.exe
  2⤵
  PID:12744
- C:\Windows\System\bWKHlWZ.exe
  C:\Windows\System\bWKHlWZ.exe
  2⤵
  PID:12820
- C:\Windows\System\GbOgWSi.exe
  C:\Windows\System\GbOgWSi.exe
  2⤵
  PID:12920
- C:\Windows\System\LtEQTsT.exe
  C:\Windows\System\LtEQTsT.exe
  2⤵
  PID:12948
- C:\Windows\System\BuBdeCc.exe
  C:\Windows\System\BuBdeCc.exe
  2⤵
  PID:13044
- C:\Windows\System\tpWjDjI.exe
  C:\Windows\System\tpWjDjI.exe
  2⤵
  PID:13120
- C:\Windows\System\KjQcGuJ.exe
  C:\Windows\System\KjQcGuJ.exe
  2⤵
  PID:13216
- C:\Windows\System\xohcatH.exe
  C:\Windows\System\xohcatH.exe
  2⤵
  PID:13268
- C:\Windows\System\IxQofcV.exe
  C:\Windows\System\IxQofcV.exe
  2⤵
  PID:12448
- C:\Windows\System\gZsVCsr.exe
  C:\Windows\System\gZsVCsr.exe
  2⤵
  PID:12584
- C:\Windows\System\voJAVTx.exe
  C:\Windows\System\voJAVTx.exe
  2⤵
  PID:12756
- C:\Windows\System\zfJDkLY.exe
  C:\Windows\System\zfJDkLY.exe
  2⤵
  PID:12968
- C:\Windows\System\ZkoYxYi.exe
  C:\Windows\System\ZkoYxYi.exe
  2⤵
  PID:13100
- C:\Windows\System\TDLroaL.exe
  C:\Windows\System\TDLroaL.exe
  2⤵
  PID:12536
- C:\Windows\System\fWDeOzd.exe
  C:\Windows\System\fWDeOzd.exe
  2⤵
  PID:12916
- C:\Windows\System\RDfWTZI.exe
  C:\Windows\System\RDfWTZI.exe
  2⤵
  PID:13332
- C:\Windows\System\MyyhIox.exe
  C:\Windows\System\MyyhIox.exe
  2⤵
  PID:13360
- C:\Windows\System\yiImMnL.exe
  C:\Windows\System\yiImMnL.exe
  2⤵
  PID:13388
- C:\Windows\System\vnzDUxV.exe
  C:\Windows\System\vnzDUxV.exe
  2⤵
  PID:13428
- C:\Windows\System\vcLEfBJ.exe
  C:\Windows\System\vcLEfBJ.exe
  2⤵
  PID:13452
- C:\Windows\System\DPhilCc.exe
  C:\Windows\System\DPhilCc.exe
  2⤵
  PID:13484
- C:\Windows\System\GCFjKVz.exe
  C:\Windows\System\GCFjKVz.exe
  2⤵
  PID:13520
- C:\Windows\System\qWYmbEr.exe
  C:\Windows\System\qWYmbEr.exe
  2⤵
  PID:13556
- C:\Windows\System\RirLqGc.exe
  C:\Windows\System\RirLqGc.exe
  2⤵
  PID:13572
- C:\Windows\System\hXKGIUJ.exe
  C:\Windows\System\hXKGIUJ.exe
  2⤵
  PID:13612
- C:\Windows\System\vZAqEzf.exe
  C:\Windows\System\vZAqEzf.exe
  2⤵
  PID:13632
- C:\Windows\System\cHJpcng.exe
  C:\Windows\System\cHJpcng.exe
  2⤵
  PID:13672
- C:\Windows\System\NwrAvxN.exe
  C:\Windows\System\NwrAvxN.exe
  2⤵
  PID:13688
- C:\Windows\System\hdiWJqv.exe
  C:\Windows\System\hdiWJqv.exe
  2⤵
  PID:13704
- C:\Windows\System\EAquxmA.exe
  C:\Windows\System\EAquxmA.exe
  2⤵
  PID:13724
- C:\Windows\System\ozSUHCw.exe
  C:\Windows\System\ozSUHCw.exe
  2⤵
  PID:13744
- C:\Windows\System\TLmtmwY.exe
  C:\Windows\System\TLmtmwY.exe
  2⤵
  PID:13776
- C:\Windows\System\qrmBXiG.exe
  C:\Windows\System\qrmBXiG.exe
  2⤵
  PID:13848

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0iw1jg3c.xjj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AKeSUlx.exe

Filesize
3.2MB

MD5
71f1d6910c8dd19ee064fba8cafc488a

SHA1
f14abdb30b9a0f02d979efa6ab04a7557b2438bf

SHA256
f660361b0c65f4d7e5816ee14f71ad06cf78f7a1ed7547c8b4227e3d4177589a

SHA512
dc2954a6b5a7648ee252340cbe9fe70d70367e4ad5668a4bfc935036a95f4bae33bf91c9ed5f2ce93e0fc6fc1f4e3f48b9282a82e17ab3dbebf207944dc8dadb

Download Submit
C:\Windows\System\AoYGOmd.exe

Filesize
3.2MB

MD5
7ee35657038a3cab90610994c8496c5e

SHA1
172f46bb83c4248a12325166014f1f3632e14dba

SHA256
5fadb7b081ac580bcaa1257fe99ce79861f277f4f16a07288c1332e950e5ef47

SHA512
bbc0cc904d9c3e839d44162681a330111bdadb2b5b51346b400adfb4d65deda4626e4801db2b10e0fb91b7e63e8c1688bbb2df68ce6965b4d84dc517de986538

Download Submit
C:\Windows\System\BiiVjVb.exe

Filesize
3.2MB

MD5
975083d5c7463666579eaaee457c10db

SHA1
7d46ffa135a67f687c0e40aba1f40a8164e436b4

SHA256
e78514aaf968356b455f1e336b72f6458b923e2e9bc72cae825725beb3df5bcc

SHA512
55eb82618d21a6bb59f764a68bcf18716cd14a19e9b3b01828fecfd2e05cd2e3e6db7cb3f68f378048cf8a8a38684d2e23e56834954355d32df03b30ec735391

Download Submit
C:\Windows\System\FkBSiKp.exe

Filesize
3.2MB

MD5
a15aded08cd0456e387bfd0e5d41bb3f

SHA1
1a16394c35049ed8c7491611f3f0f2d117b7c3d5

SHA256
d3b1cb7f63117e5403fa985e13cf7cf3ea6d0c90cba865a39f10911309a4e8fc

SHA512
8c21fad8e793c450db22e83defedf90315e97a19f7890b996bf9dc65344331632b28ef614ff80848a24b784a2c7c940c8b33839c856c66ce7be6d1a2178b38cc

Download Submit
C:\Windows\System\JtmaqUh.exe

Filesize
3.2MB

MD5
a7a2f1887512cf3d4890bd80bd52725a

SHA1
92e1f1f5731c29fe0a1b73b25db110b83a8ad243

SHA256
7fdbb69b6bf446b151f7b7af415723efd3888761459980badc80e27efecbab29

SHA512
7da9267121c3c57053c0371020b84e6e2018fa0b3cbb17d7f2bc4fc797b33b944b1a71e8b9edf613af7046d43c07c7b4d3cdd8a908cec5ea1ecffbe9a677f7af

Download Submit
C:\Windows\System\MfZYKJv.exe

Filesize
3.2MB

MD5
05f8b48b5d60925c542da3bb735712cc

SHA1
00a62de8617b0a3c12ae1e6b032f9b4c39fbcf32

SHA256
d35453481a91b754812b5a9e9526b96e79a24dd1eeb855a7c6b643954f23220d

SHA512
30e340d03240da2f28c3b7d30fc78129dfe037b605f9e4f4058468e84d1317302741fba97bedc7749d594a7dcc88eb5336e4bae16090b48962427ce35beb8cfd

Download Submit
C:\Windows\System\NEbaEpB.exe

Filesize
3.2MB

MD5
b05eaf2a05c53c2872df789ec61dd8d6

SHA1
9af1bbea8af351009d06c245604aabfdf24b4df0

SHA256
4c378a6e8a4bbe891a239213a49d0e583f7a665cf0cb4ab96a2737cd6167731b

SHA512
2f2adfa9197fa875226ef133229fa3ac2e27caa30529f1d92c76073d9efc181e4fa41eddcd76149234a8fdaf855a78e5d6868a53d469a466a968393c7966103d

Download Submit
C:\Windows\System\NZyaEiy.exe

Filesize
3.2MB

MD5
49a2634612f3220082ebb2ca8afc67e1

SHA1
8c2fe3861476ba8129827cca197333ef77d8e123

SHA256
21afc7be11cd4a21ea9d4d7da360a1014c81ad47729844d63bd7b147c689fc8f

SHA512
32171b469e5109474fcbd7da51d3d2c5959ded9b58552063caaa72294863e93f114372306879019499b1ec46fe12153166d5d9347ef9f717c8d06fa1ade6c73f

Download Submit
C:\Windows\System\OAzpihs.exe

Filesize
3.2MB

MD5
b8f9e9e217a4f92a5ed9b8fd60cdd7e7

SHA1
e70fd15214b44f7ef091ca585618ee4e7dd01eaf

SHA256
498125a21c992f53ae0c254fee42d905a2461c801cc83958042c254dbeddfc4c

SHA512
38c8dbf915c86633f6507d2f62b27170ab3081be7b88b346f237e0d011c0aefd5512a041fcaad583aec102f4f3c238466f6c178a94de71d9af3e7ef59e79a397

Download Submit
C:\Windows\System\PhpeRjK.exe

Filesize
3.2MB

MD5
bd0162b6592efbc5fc634586683710c4

SHA1
8503782fdfa2760f71b0269e61b9fff879220236

SHA256
6cc9a0cc6a75fd91314695549fdb30a5e23bc21c971e66d60df657ac599504ea

SHA512
5e119a76e189a33bfdac04925952e67bd7c8882785957d81ac7afd0cfef0ed6a638d9b5f97bcd8d722b3d8da5b8f2ad2ebb66787ea6ac95e685f4084c52f7a48

Download Submit
C:\Windows\System\QnSBAkV.exe

Filesize
3.2MB

MD5
f33c7c78a802fe9ea2a24ceea32891ce

SHA1
127e74030930a63b5fddc9c38cb256317e4e1f31

SHA256
c885c6311bad3883f984c401af397a7eebeba5bd9e304b4de38a5ee644bf5abd

SHA512
4f9e54af2724b752347bfad7830e342b293244ed9f28c666de1a4c2d009858ccf18b52c417f4b34beb24679fb76cf0d00ec807e7b145187120c6364905397b78

Download Submit
C:\Windows\System\QxWGFot.exe

Filesize
3.2MB

MD5
b8674fdacf60a46d07ba97456ac55100

SHA1
f1e85d27dab0462cd2078f59b79808f47a7c09cb

SHA256
3856265999a05a8b14f7c0b4f22e5f561627ee419f2a952ccd4ed0e1cb5e0efa

SHA512
e55dbb7a18a39dc50191083fcfb7d918ad5287a4836f85be980ab1570e8212aa49b0b27f9d83f54830a2f8ddc83a8bb16d6282559c34a6aa50a8ac1a17bb1765

Download Submit
C:\Windows\System\ROAhHIY.exe

Filesize
3.2MB

MD5
9d5091c7eb2d31e196ac568946e0f421

SHA1
f2ee683d6f04652918c1e7dafa18fc53364489a3

SHA256
920abc71b0f6cbe6a320f944b57b6eca6e4c50d8fb5bc5ad8d163a59ba7242f6

SHA512
efe53ef3ddf110ce6065c94d5972ac9b08eee79eeb3e25f9bc8383d19068c202fecf60633f1801ffe1c125e52ef79bff988bedd06de98d25ff650f027a98c09c

Download Submit
C:\Windows\System\RVgGMVG.exe

Filesize
3.2MB

MD5
1b109033a9edd0ce51c1b7c2a6cd4509

SHA1
b2d6b511435ff69ee24d0155cc39423184616cf3

SHA256
ccdf032f691f3e133316b65aba0727ac4c4a8ad4e1d0af89913ff26fecbdb8d3

SHA512
78b893baa9b4dbc8eaf9aa2e6b04c8331dadde5c13144d47f9fb2a49efcb0616937ed334ea25f1d9368feba3cf0f37c9385a403c2c1ad6c31ba9ba4c9243ad85

Download Submit
C:\Windows\System\STWYyuS.exe

Filesize
3.2MB

MD5
05d683ca54fb30a40fb8e3e0a6408861

SHA1
16d3361ac06fde2ae7af61eb6aa697707e41d1a1

SHA256
f5b8bbced6381805ba7c2061499411008c08feaa3dbd861c10252cbd1bdfe2f5

SHA512
3f492d0e7c0e90a8170af4d894c4fd95ab80b2b56f15cb70020673e7e56045742c607d02ad20895b02658768fc391369945857d85600a132a7700f7aa7254f8e

Download Submit
C:\Windows\System\UrKYIzw.exe

Filesize
8B

MD5
312122a26bfd41e53f11ecf87b200e66

SHA1
ba3bc8d526477934526353d913c218c180273a98

SHA256
c4fc9d6bcb32b5166a35e24496e1a157d30a6a7e98917d8b634f6647615a0d16

SHA512
3e54b6d37c17acb4c7969e9c925519ad8dbdee44f322aa197883e286ffc85835a6f7829abc892c0b38943c242f254c406a3c1a32718f01a03c38dd09681c38bf

Download Submit
C:\Windows\System\VBAOHuq.exe

Filesize
3.2MB

MD5
700df8b0a93cf15d1f89a7f80b671990

SHA1
4a7ae1d4e20d02e443f7e553acd3ba874c18a1d1

SHA256
96859d50aac2b1aeb981f122ea92f307feb4ffaeef3eb1f88a45664f2e93ba5e

SHA512
d2e96731e312cdb818609d9065269f1c544b895430b9e21c919a3b1613006e028253cd685970b514e9fab1aaad89db34459bdae41b88d68025d41ff1cbee7cca

Download Submit
C:\Windows\System\WebklGo.exe

Filesize
3.2MB

MD5
3284f96967ae2ce1357c3862f4daf8b7

SHA1
777e6f299b376b1ba3afb86f896e950640135784

SHA256
649dfa31b041e2808a4baaa0602e591ec088a41863fe9c474b87cd2df4cd8aa5

SHA512
c6f4d9a478b3bb6d98574833be92d75007af7c8b1a62ef9acdb5d56c5e997ca04bf68021592277a0d7eafe4dcf54851ab0e83095388b9bc5804212a4fbd9279f

Download Submit
C:\Windows\System\Wsrbtpx.exe

Filesize
3.2MB

MD5
e4bab871b24c0cd74d3b56525be5c145

SHA1
72ba1065978e22d72426e201b8cefff7b03eb440

SHA256
934ef4b18a7e6fb701aefb7cf978a9e4002c1373c947cef1db33e52173ba902b

SHA512
9d937e5034d9515c4dcf3defa73475ea0a06b8b43ec2841c3b73caa0ae4ce8e48453b14d5014d647d52cd505be99d95f662101b5fb73f6c78c9e60d3919f8831

Download Submit
C:\Windows\System\ZzQvqSZ.exe

Filesize
3.2MB

MD5
e9ff1fd147cff1f3ca39e1ebbd13c564

SHA1
5a87a0ce03b1f4fbbabe21aa9f8128900c1daafb

SHA256
4a082570fbc5e303b421a57f4d5d31dc774ba3e53b894ca3e4709676304930f5

SHA512
71dd2afefa66ff61bce53de55efe4a4b7925f2de89e8f0b49ddc20140ef8141d3075055267dfeb9565850f59e4388b49a90b85bee3664f35558f908c6ae6df59

Download Submit
C:\Windows\System\bhLBVjD.exe

Filesize
3.2MB

MD5
2173a2cd040e6d7e673340eb5471350e

SHA1
6c68a5d8c64392021d836168a7bdf7b64204a615

SHA256
8b0038f59060522219e7bd8936cfd1e52ee4f537b46079c456d898ec1221835e

SHA512
4e01d0ab2c700b0b0ebce47630343fc97f588fa1e73893022dc49ca2a56a8669d3e640285006228e746ad9e68e0b433a30d144dca19c8e9dce4bd80cf8a2eb40

Download Submit
C:\Windows\System\dSTlNlj.exe

Filesize
3.2MB

MD5
92bc266f8f7aaad72c0d1ca601b024cb

SHA1
0927d273d6196dc17008e0e2e68574796b4ddfb8

SHA256
80e14f94e60bf936ef101743ff0a9be44b032dd27fb255b9a42b2b95c952f5f6

SHA512
3b7097062f95d6b80c4142aa5a5919471bf36602c47132d442903ef1e309251ba21d934409613b28f6322a91ae16cc6e33612b89cdf91e0044559ccf23e6fcd6

Download Submit
C:\Windows\System\dvJVqRz.exe

Filesize
3.2MB

MD5
d18ed8e373612b587ecde92a1390e3ee

SHA1
789c704157fbdd51c9e95bfdee3d5032218597aa

SHA256
552e852f92022ac1497460cfdcb1d592a992d0742fdc93593bd87ae51b327a3c

SHA512
8b9069a93910a2c6d24d4538c22f59c45bce77ea4c9d33f940d334bcd65eb5e25414e55c83921247c176229059862e5678f8bacb12c5f497e43862262e416cc9

Download Submit
C:\Windows\System\eETVcNF.exe

Filesize
3.2MB

MD5
27552b95559c3d12395c2cc3e0d9c41e

SHA1
b9458580ab8852a5eb1a9c99c5ce96c6b3cd759d

SHA256
df53a3653b70293e6a51114e236a4069287f76a6230165d0152034bf27a7cc6d

SHA512
1d5a1e2e2d3822cc7d033c195efcd42ffe31886387cefbce7019ae666d6fb7b9b1d74f059fffc8291b5c95090adf5bbbdbc212953c821ebba120f5e0fcc53e2c

Download Submit
C:\Windows\System\gCAJtJo.exe

Filesize
3.2MB

MD5
f340f2122de3770b87c5e5ff554fec0f

SHA1
1ead58e384f5cb491d15bbaa782820fe4b885846

SHA256
d7d3e41555d2fc5a4e282adcb571f3fe4f704ac5a1c52c6debb5458c783f9ea7

SHA512
fd99ffbe636da2571d500558d3350387f1db5cbabb1ae143ca971fdfda024626fe3bede0960543f89b9af9fdc557d3e1d46feeb9507b41863d0912cae4f21e0f

Download Submit
C:\Windows\System\gUXnqVR.exe

Filesize
3.2MB

MD5
51db188b8b789cfaabb05873229b9346

SHA1
4890da42d10f9541998950e197f00e8d99f69824

SHA256
7dba8803ce1b5a8f5db851e36c60317e2d555b57330d6cf29937c977c5ddf699

SHA512
01452ef17909652e25955cb911b9b5c2663003d3aadbf632373a4bdbd226727781ca3c55a49804ec387b2648200d09799273beabebb0a087ed994d5b15901184

Download Submit
C:\Windows\System\hxZNcWl.exe

Filesize
3.2MB

MD5
44d2aa55aca0a4d413adb8c3e48b1646

SHA1
e44763475a9b1840a82434f3142d9b58f963a220

SHA256
8ff765cc4bcabf247f63ea07dd3c54b041bd1d2c819d0b2ef8e453557c28c0a2

SHA512
a0009fb67b65cf4e7482fe8079b2cb950f9914f0a241ff4c47fa09fc7e6e4eb8fece94c9204e8ddd6b1b41fc8a8acb6cc81a3f883dc74b7983dbf684754ae1cd

Download Submit
C:\Windows\System\pdkPiDK.exe

Filesize
3.2MB

MD5
7ce321236b2a9ad6b155354602e86f1a

SHA1
f112d50cdea554da2ebdfcbac8a2525b04c59908

SHA256
d56fb8556046d37cbf3ee2ce84af55bd6ac1fef16913d670d2c8f1416a9d02e7

SHA512
f272a4031b4ae251b18989cae31ab591a63f95a029da23d8b700e5ade9ad3ace052198817fa3c456c32499ad2a7b8444471f26fcab1cc3de3b42172ad7ead88a

Download Submit
C:\Windows\System\sAPjXYt.exe

Filesize
3.2MB

MD5
3c8c425fefa51ce6d726dbe7905f5872

SHA1
739000c80f68bae3038c6b0bdd10e2692e9a8ce6

SHA256
eac0a86c0cce7416ebc0ca9cd6701eed87967de708159a73c8f42ea7d710b5d1

SHA512
c086afc6d6b37fad7c74a623eb9cfe9e415ae7b77a9d8f920c037d16db26e4a39f33d5eda4a8518ab6b0c3461c8887e345eed7298d2dfc19dfe8340317cfea88

Download Submit
C:\Windows\System\snJECGA.exe

Filesize
3.2MB

MD5
3a8e373c9d80877917736cc651166d31

SHA1
65a27bfe86399d2cb73ca49c02b9dd537ac8bff6

SHA256
57f0aa2bedf52d5295d108ac9f976be43c9a3c9b4494ccd0740f89154e0101eb

SHA512
404b99e0cec387fc549b68c6228cd424ff60d8a2734463ed9f4175c96936e219fcada555e37ab2f907f073f0d652c0482719ea262a563e054e72c39e534697f2

Download Submit
C:\Windows\System\uzUraSb.exe

Filesize
3.2MB

MD5
692170dad33bf14a4a16010bf7fcc0df

SHA1
34191fcadb413ee33a32513c6cc41a437a4e81dc

SHA256
22d91b9286cb366f004c23f148471821ecde726e10bf2ae45894f55d172192ea

SHA512
1e961b896c2ae4f7680c92f920af591e747ec24130592fa845a0660f657d641bec00b36e38d460061fdb81507a527992b198c7c6988cd9dc97c93be246093516

Download Submit
C:\Windows\System\wqgxNZP.exe

Filesize
3.2MB

MD5
5f9e8330020f5da1bd98643b0d8772ed

SHA1
bc81856cb1f1091cfe38d879243bda29fe7b33ac

SHA256
c164a68bf433149799f6a48b06b9d2de6db6b0344b6202c52e140bf61e9ee744

SHA512
b2f0898b20b10dc3ff9f7b37824aaf7db5f94242853cc0490149ee814decd2057d390092f8fb1bede90f73497f4e4e7b82ee0b3bf30a29bdce62fd6caeca01f5

Download Submit
C:\Windows\System\yYUzbEo.exe

Filesize
3.2MB

MD5
2cecd1b18fbfdb7c462af3918fe4be23

SHA1
65221dbe9686b8aca6c68892543ce8bba111c1fa

SHA256
e60cc4b1088c7c4f17b8be1d01c49651324c4f06b8f0373012eeb8b8046a278a

SHA512
9581c9e5c05d3c6f0063b7e7c75a4ba15a5d4c8fdcb1ef652514ddcb949435d441f232d12ea3cc20ada1a7efcfa3ded8f5e4cf79e5e828487de51c17d8de3c17

Download Submit
C:\Windows\System\yfAvXzj.exe

Filesize
3.2MB

MD5
9c173a836cb88157e95834d5e889cef3

SHA1
c6306ccb4f0ac194843e26bbdc94b006a2dd23de

SHA256
6e8303de0ee08782c3c95bde548bee4b32814a6f38f2c30a64199af59fe94a10

SHA512
fa3953fd72724b44bdab82e5f441fa561676f152bffbb927354a25b72a1b44da1353bc208189ec947842460e619ae0e5180872c635bfac20fd936844ba4c030f

Download Submit
C:\Windows\System\yzaEuxG.exe

Filesize
3.2MB

MD5
6490981809fe6a0d6529a16c363c808a

SHA1
e397a8a577472ded7ddf08d7b7c13387aa3d5d44

SHA256
4e4873ded005ae6db3e49530e7aebcca9ade6dbac002a151a43589cde0e80baf

SHA512
ab8ada6d1223a3c5484b18ce3581357d8e0a10fb45f944ee76369d76fd34e7bd0622ff1f0a273e28484577d46aa4edbf1e4c58963a726bc80d67a922fe047ff0

Download Submit
memory/560-188-0x00007FF743180000-0x00007FF743576000-memory.dmp

Filesize
4.0MB

Download
memory/560-2361-0x00007FF743180000-0x00007FF743576000-memory.dmp

Filesize
4.0MB

Download
memory/1380-1563-0x00007FFB946F0000-0x00007FFB951B1000-memory.dmp

Filesize
10.8MB

Download
memory/1380-183-0x00007FFB946F3000-0x00007FFB946F5000-memory.dmp

Filesize
8KB

Download
memory/1380-1557-0x00007FFB946F3000-0x00007FFB946F5000-memory.dmp

Filesize
8KB

Download
memory/1380-184-0x00007FFB946F0000-0x00007FFB951B1000-memory.dmp

Filesize
10.8MB

Download
memory/1380-244-0x00000278E8EB0000-0x00000278E9656000-memory.dmp

Filesize
7.6MB

Download
memory/1380-17-0x00000278E61B0000-0x00000278E61C0000-memory.dmp

Filesize
64KB

Download
memory/1380-112-0x00000278CDF70000-0x00000278CDF92000-memory.dmp

Filesize
136KB

Download
memory/1416-2370-0x00007FF60E7E0000-0x00007FF60EBD6000-memory.dmp

Filesize
4.0MB

Download
memory/1416-178-0x00007FF60E7E0000-0x00007FF60EBD6000-memory.dmp

Filesize
4.0MB

Download
memory/1552-182-0x00007FF6DD1B0000-0x00007FF6DD5A6000-memory.dmp

Filesize
4.0MB

Download
memory/1552-2367-0x00007FF6DD1B0000-0x00007FF6DD5A6000-memory.dmp

Filesize
4.0MB

Download
memory/1612-2360-0x00007FF752EF0000-0x00007FF7532E6000-memory.dmp

Filesize
4.0MB

Download
memory/1612-1391-0x00007FF752EF0000-0x00007FF7532E6000-memory.dmp

Filesize
4.0MB

Download
memory/1612-80-0x00007FF752EF0000-0x00007FF7532E6000-memory.dmp

Filesize
4.0MB

Download
memory/1900-1285-0x00007FF6951D0000-0x00007FF6955C6000-memory.dmp

Filesize
4.0MB

Download
memory/1900-14-0x00007FF6951D0000-0x00007FF6955C6000-memory.dmp

Filesize
4.0MB

Download
memory/1900-2348-0x00007FF6951D0000-0x00007FF6955C6000-memory.dmp

Filesize
4.0MB

Download
memory/2180-175-0x00007FF6EC100000-0x00007FF6EC4F6000-memory.dmp

Filesize
4.0MB

Download
memory/2180-2371-0x00007FF6EC100000-0x00007FF6EC4F6000-memory.dmp

Filesize
4.0MB

Download
memory/2300-0-0x00007FF673F40000-0x00007FF674336000-memory.dmp

Filesize
4.0MB

Download
memory/2300-1-0x000002258C7A0000-0x000002258C7B0000-memory.dmp

Filesize
64KB

Download
memory/2300-1282-0x00007FF673F40000-0x00007FF674336000-memory.dmp

Filesize
4.0MB

Download
memory/2808-30-0x00007FF7B9E20000-0x00007FF7BA216000-memory.dmp

Filesize
4.0MB

Download
memory/2808-1386-0x00007FF7B9E20000-0x00007FF7BA216000-memory.dmp

Filesize
4.0MB

Download
memory/2808-2350-0x00007FF7B9E20000-0x00007FF7BA216000-memory.dmp

Filesize
4.0MB

Download
memory/2820-2353-0x00007FF75FD50000-0x00007FF760146000-memory.dmp

Filesize
4.0MB

Download
memory/2820-66-0x00007FF75FD50000-0x00007FF760146000-memory.dmp

Filesize
4.0MB

Download
memory/3104-2363-0x00007FF60F030000-0x00007FF60F426000-memory.dmp

Filesize
4.0MB

Download
memory/3104-135-0x00007FF60F030000-0x00007FF60F426000-memory.dmp

Filesize
4.0MB

Download
memory/3156-1288-0x00007FF6EBEB0000-0x00007FF6EC2A6000-memory.dmp

Filesize
4.0MB

Download
memory/3156-26-0x00007FF6EBEB0000-0x00007FF6EC2A6000-memory.dmp

Filesize
4.0MB

Download
memory/3156-2349-0x00007FF6EBEB0000-0x00007FF6EC2A6000-memory.dmp

Filesize
4.0MB

Download
memory/3216-2366-0x00007FF73F460000-0x00007FF73F856000-memory.dmp

Filesize
4.0MB

Download
memory/3216-179-0x00007FF73F460000-0x00007FF73F856000-memory.dmp

Filesize
4.0MB

Download
memory/3500-187-0x00007FF682A80000-0x00007FF682E76000-memory.dmp

Filesize
4.0MB

Download
memory/3500-2359-0x00007FF682A80000-0x00007FF682E76000-memory.dmp

Filesize
4.0MB

Download
memory/3572-181-0x00007FF6325C0000-0x00007FF6329B6000-memory.dmp

Filesize
4.0MB

Download
memory/3572-2368-0x00007FF6325C0000-0x00007FF6329B6000-memory.dmp

Filesize
4.0MB

Download
memory/3776-69-0x00007FF79A330000-0x00007FF79A726000-memory.dmp

Filesize
4.0MB

Download
memory/3776-2352-0x00007FF79A330000-0x00007FF79A726000-memory.dmp

Filesize
4.0MB

Download
memory/3920-185-0x00007FF6B7330000-0x00007FF6B7726000-memory.dmp

Filesize
4.0MB

Download
memory/3920-2355-0x00007FF6B7330000-0x00007FF6B7726000-memory.dmp

Filesize
4.0MB

Download
memory/3984-180-0x00007FF7F27E0000-0x00007FF7F2BD6000-memory.dmp

Filesize
4.0MB

Download
memory/3984-2365-0x00007FF7F27E0000-0x00007FF7F2BD6000-memory.dmp

Filesize
4.0MB

Download
memory/4064-164-0x00007FF686D10000-0x00007FF687106000-memory.dmp

Filesize
4.0MB

Download
memory/4064-2364-0x00007FF686D10000-0x00007FF687106000-memory.dmp

Filesize
4.0MB

Download
memory/4124-2351-0x00007FF6B5C50000-0x00007FF6B6046000-memory.dmp

Filesize
4.0MB

Download
memory/4124-1294-0x00007FF6B5C50000-0x00007FF6B6046000-memory.dmp

Filesize
4.0MB

Download
memory/4124-39-0x00007FF6B5C50000-0x00007FF6B6046000-memory.dmp

Filesize
4.0MB

Download
memory/4664-63-0x00007FF7CC5A0000-0x00007FF7CC996000-memory.dmp

Filesize
4.0MB

Download
memory/4664-2356-0x00007FF7CC5A0000-0x00007FF7CC996000-memory.dmp

Filesize
4.0MB

Download
memory/4856-2354-0x00007FF6282E0000-0x00007FF6286D6000-memory.dmp

Filesize
4.0MB

Download
memory/4856-1296-0x00007FF6282E0000-0x00007FF6286D6000-memory.dmp

Filesize
4.0MB

Download
memory/4856-48-0x00007FF6282E0000-0x00007FF6286D6000-memory.dmp

Filesize
4.0MB

Download
memory/4900-2357-0x00007FF686B50000-0x00007FF686F46000-memory.dmp

Filesize
4.0MB

Download
memory/4900-186-0x00007FF686B50000-0x00007FF686F46000-memory.dmp

Filesize
4.0MB

Download
memory/5000-2362-0x00007FF6EB1B0000-0x00007FF6EB5A6000-memory.dmp

Filesize
4.0MB

Download
memory/5000-152-0x00007FF6EB1B0000-0x00007FF6EB5A6000-memory.dmp

Filesize
4.0MB

Download
memory/5060-2369-0x00007FF798DC0000-0x00007FF7991B6000-memory.dmp

Filesize
4.0MB

Download
memory/5060-189-0x00007FF798DC0000-0x00007FF7991B6000-memory.dmp

Filesize
4.0MB

Download
memory/5116-2358-0x00007FF688720000-0x00007FF688B16000-memory.dmp

Filesize
4.0MB

Download
memory/5116-113-0x00007FF688720000-0x00007FF688B16000-memory.dmp

Filesize
4.0MB

Download