xmrig | 25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da

Analysis

max time kernel
106s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
Size

2.2MB
MD5

e33b29e493e7f08ae9a5e37888fe5b3c
SHA1

fc2579a365d32d5ad39256678a97a1db15cbbff9
SHA256

25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da
SHA512

7adbbff1766c23b4b956dd0320b38ad78b9458996abe2b4d87286c944d358eaeaa892bca0df72b7e19f99c50c123fcf8d79d7191f3db54e15e9a496cef132f55
SSDEEP

49152:oezaTF8FcNkNdfE0pZ9ozt4wIlMmSdbbUGsVOutxLh+f:oemTLkNdfE0pZrq

Score

10^/10

xmrig miner persistence privilege_escalation upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1520-0-0x00007FF7CB9B0000-0x00007FF7CBD04000-memory.dmp	xmrig
behavioral2/files/0x000f000000023bbf-5.dat	xmrig
behavioral2/files/0x000e000000023bd3-7.dat	xmrig
behavioral2/memory/1712-41-0x00007FF740880000-0x00007FF740BD4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bd8-29.dat	xmrig
behavioral2/files/0x0008000000023bd9-28.dat	xmrig
behavioral2/files/0x0009000000023bcf-26.dat	xmrig
behavioral2/files/0x0008000000023bd5-33.dat	xmrig
behavioral2/memory/4148-23-0x00007FF6963A0000-0x00007FF6966F4000-memory.dmp	xmrig
behavioral2/memory/4524-11-0x00007FF65B3E0000-0x00007FF65B734000-memory.dmp	xmrig
behavioral2/memory/748-62-0x00007FF7D8E10000-0x00007FF7D9164000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c16-79.dat	xmrig
behavioral2/files/0x0008000000023c31-106.dat	xmrig
behavioral2/memory/2628-132-0x00007FF799230000-0x00007FF799584000-memory.dmp	xmrig
behavioral2/files/0x000b000000023c48-153.dat	xmrig
behavioral2/memory/3412-176-0x00007FF700350000-0x00007FF7006A4000-memory.dmp	xmrig
behavioral2/memory/1268-185-0x00007FF697EF0000-0x00007FF698244000-memory.dmp	xmrig
behavioral2/memory/4612-190-0x00007FF7DD380000-0x00007FF7DD6D4000-memory.dmp	xmrig
behavioral2/memory/2980-197-0x00007FF6A5720000-0x00007FF6A5A74000-memory.dmp	xmrig
behavioral2/memory/1960-196-0x00007FF7B6E70000-0x00007FF7B71C4000-memory.dmp	xmrig
behavioral2/memory/892-195-0x00007FF7CB310000-0x00007FF7CB664000-memory.dmp	xmrig
behavioral2/memory/3024-194-0x00007FF67D0B0000-0x00007FF67D404000-memory.dmp	xmrig
behavioral2/memory/780-193-0x00007FF782140000-0x00007FF782494000-memory.dmp	xmrig
behavioral2/memory/452-192-0x00007FF6515B0000-0x00007FF651904000-memory.dmp	xmrig
behavioral2/memory/5012-191-0x00007FF74CA60000-0x00007FF74CDB4000-memory.dmp	xmrig
behavioral2/memory/1176-189-0x00007FF735A40000-0x00007FF735D94000-memory.dmp	xmrig
behavioral2/memory/2608-188-0x00007FF64D2E0000-0x00007FF64D634000-memory.dmp	xmrig
behavioral2/memory/4220-187-0x00007FF752BF0000-0x00007FF752F44000-memory.dmp	xmrig
behavioral2/memory/1056-186-0x00007FF767E20000-0x00007FF768174000-memory.dmp	xmrig
behavioral2/memory/2444-184-0x00007FF68FFF0000-0x00007FF690344000-memory.dmp	xmrig
behavioral2/memory/5036-183-0x00007FF7AED90000-0x00007FF7AF0E4000-memory.dmp	xmrig
behavioral2/memory/3172-182-0x00007FF7B96A0000-0x00007FF7B99F4000-memory.dmp	xmrig
behavioral2/memory/4156-181-0x00007FF737010000-0x00007FF737364000-memory.dmp	xmrig
behavioral2/memory/2440-180-0x00007FF6D39B0000-0x00007FF6D3D04000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c61-173.dat	xmrig
behavioral2/memory/4964-172-0x00007FF677D50000-0x00007FF6780A4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c5f-170.dat	xmrig
behavioral2/files/0x0008000000023c53-168.dat	xmrig
behavioral2/files/0x0008000000023c4f-165.dat	xmrig
behavioral2/files/0x0008000000023c63-163.dat	xmrig
behavioral2/files/0x0008000000023c2f-161.dat	xmrig
behavioral2/files/0x0016000000023c49-159.dat	xmrig
behavioral2/files/0x0008000000023c28-157.dat	xmrig
behavioral2/files/0x0009000000023bc8-156.dat	xmrig
behavioral2/files/0x0008000000023c62-152.dat	xmrig
behavioral2/memory/2188-151-0x00007FF6A4780000-0x00007FF6A4AD4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c30-148.dat	xmrig
behavioral2/files/0x0008000000023c2e-145.dat	xmrig
behavioral2/files/0x0008000000023c0f-140.dat	xmrig
behavioral2/files/0x0008000000023c33-136.dat	xmrig
behavioral2/memory/1332-133-0x00007FF6699F0000-0x00007FF669D44000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c60-131.dat	xmrig
behavioral2/files/0x0008000000023c15-126.dat	xmrig
behavioral2/files/0x0008000000023c14-119.dat	xmrig
behavioral2/files/0x0008000000023c0e-115.dat	xmrig
behavioral2/memory/564-112-0x00007FF7DAAF0000-0x00007FF7DAE44000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c32-110.dat	xmrig
behavioral2/files/0x0008000000023c0d-101.dat	xmrig
behavioral2/files/0x0008000000023c0a-90.dat	xmrig
behavioral2/files/0x0008000000023bda-87.dat	xmrig
behavioral2/memory/3608-85-0x00007FF793140000-0x00007FF793494000-memory.dmp	xmrig
behavioral2/files/0x0008000000023bdb-72.dat	xmrig
behavioral2/files/0x0008000000023c0c-68.dat	xmrig
behavioral2/files/0x0008000000023c0b-94.dat	xmrig

Executes dropped EXE 64 IoCs

pid	Process
4524	kmpWflh.exe
4148	awjphZn.exe
452	AUNQfiS.exe
1712	HMHetJj.exe
748	nJpzydt.exe
780	EHLyqBN.exe
3024	rCNPpmp.exe
3608	VbUOAEL.exe
564	OGaQSZy.exe
2628	HCVgvma.exe
1332	yEHiDRR.exe
2188	NPqdJsj.exe
892	yzadbSG.exe
4964	OqiwRpq.exe
3412	zZwhEjf.exe
2440	BcJqiql.exe
4156	gbZiYky.exe
1960	ybCTdpc.exe
3172	AXwVSTR.exe
5036	SfMczif.exe
2444	rkQbrjO.exe
1268	RwaEwLn.exe
2980	RVtfsuj.exe
1056	Xyusgsc.exe
4220	pDbikWN.exe
2608	nZKwxeY.exe
1176	kqkwYik.exe
4612	YPyWiak.exe
5012	EDidAwL.exe
4740	mIbHnlC.exe
2036	jfnANGC.exe
4616	LoUsbcq.exe
3260	ktxYVnd.exe
3000	jQJTyjG.exe
5064	rdPSMSq.exe
4752	gewomkS.exe
2544	UXFPCNx.exe
3988	NvwbOTr.exe
4384	MZfbyBL.exe
2476	qnywrJk.exe
4828	JMmMaRA.exe
5028	BsMWLzQ.exe
1508	oxWoqWV.exe
4656	SzeTsIN.exe
3912	gMMEYTI.exe
1620	nKwqIuh.exe
2240	jkFWZOd.exe
4284	kKyLyrJ.exe
4380	MHNmSFV.exe
2212	MQWlXQt.exe
1328	THAqNzf.exe
5112	uIygllU.exe
1568	rQbhFRY.exe
3828	QOgZHiT.exe
552	WywgSxZ.exe
1764	ydgwZLL.exe
680	LgNSxty.exe
5008	QsDItHX.exe
1152	wbEAGEA.exe
1908	HkJMjtQ.exe
2508	viuMdBx.exe
1368	mbXOAVt.exe
456	vUQubWq.exe
2448	aJwSkhT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1520-0-0x00007FF7CB9B0000-0x00007FF7CBD04000-memory.dmp	upx
behavioral2/files/0x000f000000023bbf-5.dat	upx
behavioral2/files/0x000e000000023bd3-7.dat	upx
behavioral2/memory/1712-41-0x00007FF740880000-0x00007FF740BD4000-memory.dmp	upx
behavioral2/files/0x0008000000023bd8-29.dat	upx
behavioral2/files/0x0008000000023bd9-28.dat	upx
behavioral2/files/0x0009000000023bcf-26.dat	upx
behavioral2/files/0x0008000000023bd5-33.dat	upx
behavioral2/memory/4148-23-0x00007FF6963A0000-0x00007FF6966F4000-memory.dmp	upx
behavioral2/memory/4524-11-0x00007FF65B3E0000-0x00007FF65B734000-memory.dmp	upx
behavioral2/memory/748-62-0x00007FF7D8E10000-0x00007FF7D9164000-memory.dmp	upx
behavioral2/files/0x0008000000023c16-79.dat	upx
behavioral2/files/0x0008000000023c31-106.dat	upx
behavioral2/memory/2628-132-0x00007FF799230000-0x00007FF799584000-memory.dmp	upx
behavioral2/files/0x000b000000023c48-153.dat	upx
behavioral2/memory/3412-176-0x00007FF700350000-0x00007FF7006A4000-memory.dmp	upx
behavioral2/memory/1268-185-0x00007FF697EF0000-0x00007FF698244000-memory.dmp	upx
behavioral2/memory/4612-190-0x00007FF7DD380000-0x00007FF7DD6D4000-memory.dmp	upx
behavioral2/memory/2980-197-0x00007FF6A5720000-0x00007FF6A5A74000-memory.dmp	upx
behavioral2/memory/1960-196-0x00007FF7B6E70000-0x00007FF7B71C4000-memory.dmp	upx
behavioral2/memory/892-195-0x00007FF7CB310000-0x00007FF7CB664000-memory.dmp	upx
behavioral2/memory/3024-194-0x00007FF67D0B0000-0x00007FF67D404000-memory.dmp	upx
behavioral2/memory/780-193-0x00007FF782140000-0x00007FF782494000-memory.dmp	upx
behavioral2/memory/452-192-0x00007FF6515B0000-0x00007FF651904000-memory.dmp	upx
behavioral2/memory/5012-191-0x00007FF74CA60000-0x00007FF74CDB4000-memory.dmp	upx
behavioral2/memory/1176-189-0x00007FF735A40000-0x00007FF735D94000-memory.dmp	upx
behavioral2/memory/2608-188-0x00007FF64D2E0000-0x00007FF64D634000-memory.dmp	upx
behavioral2/memory/4220-187-0x00007FF752BF0000-0x00007FF752F44000-memory.dmp	upx
behavioral2/memory/1056-186-0x00007FF767E20000-0x00007FF768174000-memory.dmp	upx
behavioral2/memory/2444-184-0x00007FF68FFF0000-0x00007FF690344000-memory.dmp	upx
behavioral2/memory/5036-183-0x00007FF7AED90000-0x00007FF7AF0E4000-memory.dmp	upx
behavioral2/memory/3172-182-0x00007FF7B96A0000-0x00007FF7B99F4000-memory.dmp	upx
behavioral2/memory/4156-181-0x00007FF737010000-0x00007FF737364000-memory.dmp	upx
behavioral2/memory/2440-180-0x00007FF6D39B0000-0x00007FF6D3D04000-memory.dmp	upx
behavioral2/files/0x0008000000023c61-173.dat	upx
behavioral2/memory/4964-172-0x00007FF677D50000-0x00007FF6780A4000-memory.dmp	upx
behavioral2/files/0x0008000000023c5f-170.dat	upx
behavioral2/files/0x0008000000023c53-168.dat	upx
behavioral2/files/0x0008000000023c4f-165.dat	upx
behavioral2/files/0x0008000000023c63-163.dat	upx
behavioral2/files/0x0008000000023c2f-161.dat	upx
behavioral2/files/0x0016000000023c49-159.dat	upx
behavioral2/files/0x0008000000023c28-157.dat	upx
behavioral2/files/0x0009000000023bc8-156.dat	upx
behavioral2/files/0x0008000000023c62-152.dat	upx
behavioral2/memory/2188-151-0x00007FF6A4780000-0x00007FF6A4AD4000-memory.dmp	upx
behavioral2/files/0x0008000000023c30-148.dat	upx
behavioral2/files/0x0008000000023c2e-145.dat	upx
behavioral2/files/0x0008000000023c0f-140.dat	upx
behavioral2/files/0x0008000000023c33-136.dat	upx
behavioral2/memory/1332-133-0x00007FF6699F0000-0x00007FF669D44000-memory.dmp	upx
behavioral2/files/0x0008000000023c60-131.dat	upx
behavioral2/files/0x0008000000023c15-126.dat	upx
behavioral2/files/0x0008000000023c14-119.dat	upx
behavioral2/files/0x0008000000023c0e-115.dat	upx
behavioral2/memory/564-112-0x00007FF7DAAF0000-0x00007FF7DAE44000-memory.dmp	upx
behavioral2/files/0x0008000000023c32-110.dat	upx
behavioral2/files/0x0008000000023c0d-101.dat	upx
behavioral2/files/0x0008000000023c0a-90.dat	upx
behavioral2/files/0x0008000000023bda-87.dat	upx
behavioral2/memory/3608-85-0x00007FF793140000-0x00007FF793494000-memory.dmp	upx
behavioral2/files/0x0008000000023bdb-72.dat	upx
behavioral2/files/0x0008000000023c0c-68.dat	upx
behavioral2/files/0x0008000000023c0b-94.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\VfGSpWR.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\ZPYFFJH.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\XESLDeN.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\nZKwxeY.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\JaxuAva.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\XohumXZ.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\oUgDCaw.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\IKXytRh.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\TypPZtM.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\xzxZYOe.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\LdxVzKa.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\iEGsseI.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\QkTZAYG.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\GwpRgfC.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\zfHFCGq.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\xTBrngU.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\ikWYBqQ.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\kjejNCM.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\XzwUntx.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\IxROccg.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\JdzbbSZ.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\eymzyfB.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\pNkvsDJ.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\RSRxWXf.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\vzinIVW.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\abHJpAU.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\RrFVkJy.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\VLARBkt.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\NnlFAIZ.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\BQXNwAF.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\zaTtMvE.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\mGJYAVn.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\TYWSNgS.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\xhHvQNK.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\YISrOtJ.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\tWuUTTK.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\ulpPieA.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\hUtbPbu.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\geLxSFv.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\xsjnpZE.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\pKYgKSF.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\vnJXlxA.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\aHQSHIz.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\AXZfBzm.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\GgXDSOx.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\rqDPIXp.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\PdgAXnE.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\pLbbzUP.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\pSOZkAY.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\hOYiFvt.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\SWBTmiF.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\nLNBBKg.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\PmzkvZr.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\AmMQuEb.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\uHkLNDW.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\aSIEAeg.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\JHmhGek.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\eFjnCkc.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\qEfUPQT.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\NvwbOTr.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\AcLhOjO.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\igxbAny.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\zsEkHGG.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
File created	C:\Windows\System\NlXRfmY.exe	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	15120	dwm.exe
Token: SeChangeNotifyPrivilege	15120	dwm.exe
Token: 33	15120	dwm.exe
Token: SeIncBasePriorityPrivilege	15120	dwm.exe
Token: SeShutdownPrivilege	15120	dwm.exe
Token: SeCreatePagefilePrivilege	15120	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4524	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	84
PID 1520 wrote to memory of 4524	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	84
PID 1520 wrote to memory of 4148	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	85
PID 1520 wrote to memory of 4148	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	85
PID 1520 wrote to memory of 452	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	86
PID 1520 wrote to memory of 452	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	86
PID 1520 wrote to memory of 1712	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	87
PID 1520 wrote to memory of 1712	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	87
PID 1520 wrote to memory of 748	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	88
PID 1520 wrote to memory of 748	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	88
PID 1520 wrote to memory of 780	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	89
PID 1520 wrote to memory of 780	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	89
PID 1520 wrote to memory of 3024	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	90
PID 1520 wrote to memory of 3024	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	90
PID 1520 wrote to memory of 1332	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	91
PID 1520 wrote to memory of 1332	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	91
PID 1520 wrote to memory of 3608	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	92
PID 1520 wrote to memory of 3608	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	92
PID 1520 wrote to memory of 564	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	93
PID 1520 wrote to memory of 564	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	93
PID 1520 wrote to memory of 2628	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	94
PID 1520 wrote to memory of 2628	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	94
PID 1520 wrote to memory of 2188	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	95
PID 1520 wrote to memory of 2188	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	95
PID 1520 wrote to memory of 892	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	96
PID 1520 wrote to memory of 892	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	96
PID 1520 wrote to memory of 4964	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	97
PID 1520 wrote to memory of 4964	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	97
PID 1520 wrote to memory of 3412	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	98
PID 1520 wrote to memory of 3412	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	98
PID 1520 wrote to memory of 2440	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	99
PID 1520 wrote to memory of 2440	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	99
PID 1520 wrote to memory of 4156	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	100
PID 1520 wrote to memory of 4156	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	100
PID 1520 wrote to memory of 1056	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	101
PID 1520 wrote to memory of 1056	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	101
PID 1520 wrote to memory of 1960	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	102
PID 1520 wrote to memory of 1960	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	102
PID 1520 wrote to memory of 3172	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	103
PID 1520 wrote to memory of 3172	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	103
PID 1520 wrote to memory of 5036	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	104
PID 1520 wrote to memory of 5036	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	104
PID 1520 wrote to memory of 2444	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	105
PID 1520 wrote to memory of 2444	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	105
PID 1520 wrote to memory of 1268	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	106
PID 1520 wrote to memory of 1268	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	106
PID 1520 wrote to memory of 4740	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	107
PID 1520 wrote to memory of 4740	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	107
PID 1520 wrote to memory of 2980	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	108
PID 1520 wrote to memory of 2980	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	108
PID 1520 wrote to memory of 4220	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	109
PID 1520 wrote to memory of 4220	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	109
PID 1520 wrote to memory of 2608	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	110
PID 1520 wrote to memory of 2608	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	110
PID 1520 wrote to memory of 1176	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	111
PID 1520 wrote to memory of 1176	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	111
PID 1520 wrote to memory of 4612	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	112
PID 1520 wrote to memory of 4612	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	112
PID 1520 wrote to memory of 5012	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	113
PID 1520 wrote to memory of 5012	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	113
PID 1520 wrote to memory of 2036	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	114
PID 1520 wrote to memory of 2036	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	114
PID 1520 wrote to memory of 4616	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	115
PID 1520 wrote to memory of 4616	1520	25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe	115

C:\Users\Admin\AppData\Local\Temp\25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe
"C:\Users\Admin\AppData\Local\Temp\25094ce4ca4d7399dd080dc02394d112e873e82b3e405cbd92d02d32e5c9d4da.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\System\kmpWflh.exe
  C:\Windows\System\kmpWflh.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\awjphZn.exe
  C:\Windows\System\awjphZn.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\AUNQfiS.exe
  C:\Windows\System\AUNQfiS.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\HMHetJj.exe
  C:\Windows\System\HMHetJj.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\nJpzydt.exe
  C:\Windows\System\nJpzydt.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\EHLyqBN.exe
  C:\Windows\System\EHLyqBN.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System\rCNPpmp.exe
  C:\Windows\System\rCNPpmp.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\yEHiDRR.exe
  C:\Windows\System\yEHiDRR.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\VbUOAEL.exe
  C:\Windows\System\VbUOAEL.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\OGaQSZy.exe
  C:\Windows\System\OGaQSZy.exe
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Windows\System\HCVgvma.exe
  C:\Windows\System\HCVgvma.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\NPqdJsj.exe
  C:\Windows\System\NPqdJsj.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\yzadbSG.exe
  C:\Windows\System\yzadbSG.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System\OqiwRpq.exe
  C:\Windows\System\OqiwRpq.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\zZwhEjf.exe
  C:\Windows\System\zZwhEjf.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\BcJqiql.exe
  C:\Windows\System\BcJqiql.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\gbZiYky.exe
  C:\Windows\System\gbZiYky.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\Xyusgsc.exe
  C:\Windows\System\Xyusgsc.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\ybCTdpc.exe
  C:\Windows\System\ybCTdpc.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\AXwVSTR.exe
  C:\Windows\System\AXwVSTR.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\SfMczif.exe
  C:\Windows\System\SfMczif.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\rkQbrjO.exe
  C:\Windows\System\rkQbrjO.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- C:\Windows\System\RwaEwLn.exe
  C:\Windows\System\RwaEwLn.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\mIbHnlC.exe
  C:\Windows\System\mIbHnlC.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\RVtfsuj.exe
  C:\Windows\System\RVtfsuj.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\pDbikWN.exe
  C:\Windows\System\pDbikWN.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\nZKwxeY.exe
  C:\Windows\System\nZKwxeY.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\kqkwYik.exe
  C:\Windows\System\kqkwYik.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\YPyWiak.exe
  C:\Windows\System\YPyWiak.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\EDidAwL.exe
  C:\Windows\System\EDidAwL.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\jfnANGC.exe
  C:\Windows\System\jfnANGC.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\LoUsbcq.exe
  C:\Windows\System\LoUsbcq.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\ktxYVnd.exe
  C:\Windows\System\ktxYVnd.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\jQJTyjG.exe
  C:\Windows\System\jQJTyjG.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\rdPSMSq.exe
  C:\Windows\System\rdPSMSq.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\gewomkS.exe
  C:\Windows\System\gewomkS.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\UXFPCNx.exe
  C:\Windows\System\UXFPCNx.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\NvwbOTr.exe
  C:\Windows\System\NvwbOTr.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\MZfbyBL.exe
  C:\Windows\System\MZfbyBL.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\qnywrJk.exe
  C:\Windows\System\qnywrJk.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\JMmMaRA.exe
  C:\Windows\System\JMmMaRA.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\BsMWLzQ.exe
  C:\Windows\System\BsMWLzQ.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\oxWoqWV.exe
  C:\Windows\System\oxWoqWV.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\SzeTsIN.exe
  C:\Windows\System\SzeTsIN.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\gMMEYTI.exe
  C:\Windows\System\gMMEYTI.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\nKwqIuh.exe
  C:\Windows\System\nKwqIuh.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\jkFWZOd.exe
  C:\Windows\System\jkFWZOd.exe
  2⤵
  - Executes dropped EXE
  PID:2240
- C:\Windows\System\kKyLyrJ.exe
  C:\Windows\System\kKyLyrJ.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\MHNmSFV.exe
  C:\Windows\System\MHNmSFV.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\MQWlXQt.exe
  C:\Windows\System\MQWlXQt.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\THAqNzf.exe
  C:\Windows\System\THAqNzf.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\uIygllU.exe
  C:\Windows\System\uIygllU.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\rQbhFRY.exe
  C:\Windows\System\rQbhFRY.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\QOgZHiT.exe
  C:\Windows\System\QOgZHiT.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\WywgSxZ.exe
  C:\Windows\System\WywgSxZ.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\ydgwZLL.exe
  C:\Windows\System\ydgwZLL.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\LgNSxty.exe
  C:\Windows\System\LgNSxty.exe
  2⤵
  - Executes dropped EXE
  PID:680
- C:\Windows\System\QsDItHX.exe
  C:\Windows\System\QsDItHX.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\wbEAGEA.exe
  C:\Windows\System\wbEAGEA.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\HkJMjtQ.exe
  C:\Windows\System\HkJMjtQ.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\viuMdBx.exe
  C:\Windows\System\viuMdBx.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\mbXOAVt.exe
  C:\Windows\System\mbXOAVt.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\vUQubWq.exe
  C:\Windows\System\vUQubWq.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\aJwSkhT.exe
  C:\Windows\System\aJwSkhT.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\YYpiNik.exe
  C:\Windows\System\YYpiNik.exe
  2⤵
  PID:3596
- C:\Windows\System\lhllfzh.exe
  C:\Windows\System\lhllfzh.exe
  2⤵
  PID:1028
- C:\Windows\System\lrMcvuf.exe
  C:\Windows\System\lrMcvuf.exe
  2⤵
  PID:368
- C:\Windows\System\OROwezZ.exe
  C:\Windows\System\OROwezZ.exe
  2⤵
  PID:3424
- C:\Windows\System\alkredm.exe
  C:\Windows\System\alkredm.exe
  2⤵
  PID:3588
- C:\Windows\System\bPAkVAE.exe
  C:\Windows\System\bPAkVAE.exe
  2⤵
  PID:4816
- C:\Windows\System\VPElbjn.exe
  C:\Windows\System\VPElbjn.exe
  2⤵
  PID:4652
- C:\Windows\System\DIdPFEz.exe
  C:\Windows\System\DIdPFEz.exe
  2⤵
  PID:3152
- C:\Windows\System\vupZDrF.exe
  C:\Windows\System\vupZDrF.exe
  2⤵
  PID:4304
- C:\Windows\System\oETJJsz.exe
  C:\Windows\System\oETJJsz.exe
  2⤵
  PID:2080
- C:\Windows\System\XocPOeV.exe
  C:\Windows\System\XocPOeV.exe
  2⤵
  PID:4932
- C:\Windows\System\CCZDNAo.exe
  C:\Windows\System\CCZDNAo.exe
  2⤵
  PID:4352
- C:\Windows\System\YZIiflU.exe
  C:\Windows\System\YZIiflU.exe
  2⤵
  PID:3344
- C:\Windows\System\ufTjWkP.exe
  C:\Windows\System\ufTjWkP.exe
  2⤵
  PID:2416
- C:\Windows\System\VBtYLfo.exe
  C:\Windows\System\VBtYLfo.exe
  2⤵
  PID:3972
- C:\Windows\System\WtLgLnz.exe
  C:\Windows\System\WtLgLnz.exe
  2⤵
  PID:3804
- C:\Windows\System\lNLfifR.exe
  C:\Windows\System\lNLfifR.exe
  2⤵
  PID:3532
- C:\Windows\System\BQXNwAF.exe
  C:\Windows\System\BQXNwAF.exe
  2⤵
  PID:3452
- C:\Windows\System\tGXWsNp.exe
  C:\Windows\System\tGXWsNp.exe
  2⤵
  PID:1964
- C:\Windows\System\ySGdBZk.exe
  C:\Windows\System\ySGdBZk.exe
  2⤵
  PID:4460
- C:\Windows\System\kjejNCM.exe
  C:\Windows\System\kjejNCM.exe
  2⤵
  PID:2916
- C:\Windows\System\zaTtMvE.exe
  C:\Windows\System\zaTtMvE.exe
  2⤵
  PID:4276
- C:\Windows\System\FCTUbyr.exe
  C:\Windows\System\FCTUbyr.exe
  2⤵
  PID:4744
- C:\Windows\System\tygZrqp.exe
  C:\Windows\System\tygZrqp.exe
  2⤵
  PID:1760
- C:\Windows\System\wBZkTEi.exe
  C:\Windows\System\wBZkTEi.exe
  2⤵
  PID:2968
- C:\Windows\System\AoVFDod.exe
  C:\Windows\System\AoVFDod.exe
  2⤵
  PID:1020
- C:\Windows\System\YWRhMoW.exe
  C:\Windows\System\YWRhMoW.exe
  2⤵
  PID:1632
- C:\Windows\System\TLIrBZy.exe
  C:\Windows\System\TLIrBZy.exe
  2⤵
  PID:3668
- C:\Windows\System\RHfEUHo.exe
  C:\Windows\System\RHfEUHo.exe
  2⤵
  PID:1068
- C:\Windows\System\SmsyVtx.exe
  C:\Windows\System\SmsyVtx.exe
  2⤵
  PID:2884
- C:\Windows\System\igxbAny.exe
  C:\Windows\System\igxbAny.exe
  2⤵
  PID:1448
- C:\Windows\System\zWmSMht.exe
  C:\Windows\System\zWmSMht.exe
  2⤵
  PID:1464
- C:\Windows\System\fSCfpSG.exe
  C:\Windows\System\fSCfpSG.exe
  2⤵
  PID:4776
- C:\Windows\System\veQTKXX.exe
  C:\Windows\System\veQTKXX.exe
  2⤵
  PID:5024
- C:\Windows\System\OdcuaIG.exe
  C:\Windows\System\OdcuaIG.exe
  2⤵
  PID:4412
- C:\Windows\System\rfvUNjW.exe
  C:\Windows\System\rfvUNjW.exe
  2⤵
  PID:920
- C:\Windows\System\izRRPVa.exe
  C:\Windows\System\izRRPVa.exe
  2⤵
  PID:1048
- C:\Windows\System\Mjtclbj.exe
  C:\Windows\System\Mjtclbj.exe
  2⤵
  PID:4376
- C:\Windows\System\MQgmbkC.exe
  C:\Windows\System\MQgmbkC.exe
  2⤵
  PID:632
- C:\Windows\System\AMchPaQ.exe
  C:\Windows\System\AMchPaQ.exe
  2⤵
  PID:4732
- C:\Windows\System\hUtbPbu.exe
  C:\Windows\System\hUtbPbu.exe
  2⤵
  PID:2384
- C:\Windows\System\ntFViDt.exe
  C:\Windows\System\ntFViDt.exe
  2⤵
  PID:348
- C:\Windows\System\vSUoKll.exe
  C:\Windows\System\vSUoKll.exe
  2⤵
  PID:1676
- C:\Windows\System\JMjKTIu.exe
  C:\Windows\System\JMjKTIu.exe
  2⤵
  PID:1660
- C:\Windows\System\iLLYLDh.exe
  C:\Windows\System\iLLYLDh.exe
  2⤵
  PID:4312
- C:\Windows\System\CUrlQkl.exe
  C:\Windows\System\CUrlQkl.exe
  2⤵
  PID:1400
- C:\Windows\System\JkPXKHT.exe
  C:\Windows\System\JkPXKHT.exe
  2⤵
  PID:2400
- C:\Windows\System\YSknyEf.exe
  C:\Windows\System\YSknyEf.exe
  2⤵
  PID:4976
- C:\Windows\System\IRjhWpK.exe
  C:\Windows\System\IRjhWpK.exe
  2⤵
  PID:2932
- C:\Windows\System\nLNBBKg.exe
  C:\Windows\System\nLNBBKg.exe
  2⤵
  PID:5144
- C:\Windows\System\PmzkvZr.exe
  C:\Windows\System\PmzkvZr.exe
  2⤵
  PID:5160
- C:\Windows\System\AXZfBzm.exe
  C:\Windows\System\AXZfBzm.exe
  2⤵
  PID:5192
- C:\Windows\System\YoheDqX.exe
  C:\Windows\System\YoheDqX.exe
  2⤵
  PID:5228
- C:\Windows\System\AcLhOjO.exe
  C:\Windows\System\AcLhOjO.exe
  2⤵
  PID:5248
- C:\Windows\System\ojIHMTA.exe
  C:\Windows\System\ojIHMTA.exe
  2⤵
  PID:5288
- C:\Windows\System\rEvCjqd.exe
  C:\Windows\System\rEvCjqd.exe
  2⤵
  PID:5316
- C:\Windows\System\tWvTvGp.exe
  C:\Windows\System\tWvTvGp.exe
  2⤵
  PID:5332
- C:\Windows\System\CjlswBo.exe
  C:\Windows\System\CjlswBo.exe
  2⤵
  PID:5368
- C:\Windows\System\gmjGpyr.exe
  C:\Windows\System\gmjGpyr.exe
  2⤵
  PID:5404
- C:\Windows\System\gTobDnR.exe
  C:\Windows\System\gTobDnR.exe
  2⤵
  PID:5428
- C:\Windows\System\RSRxWXf.exe
  C:\Windows\System\RSRxWXf.exe
  2⤵
  PID:5444
- C:\Windows\System\ifRvkum.exe
  C:\Windows\System\ifRvkum.exe
  2⤵
  PID:5472
- C:\Windows\System\SMjALBI.exe
  C:\Windows\System\SMjALBI.exe
  2⤵
  PID:5512
- C:\Windows\System\FWVRdGf.exe
  C:\Windows\System\FWVRdGf.exe
  2⤵
  PID:5540
- C:\Windows\System\jRLrmye.exe
  C:\Windows\System\jRLrmye.exe
  2⤵
  PID:5560
- C:\Windows\System\zjqoScx.exe
  C:\Windows\System\zjqoScx.exe
  2⤵
  PID:5576
- C:\Windows\System\cDzrSKd.exe
  C:\Windows\System\cDzrSKd.exe
  2⤵
  PID:5600
- C:\Windows\System\NhNbeHO.exe
  C:\Windows\System\NhNbeHO.exe
  2⤵
  PID:5616
- C:\Windows\System\oLDJDNL.exe
  C:\Windows\System\oLDJDNL.exe
  2⤵
  PID:5636
- C:\Windows\System\OMXOtNd.exe
  C:\Windows\System\OMXOtNd.exe
  2⤵
  PID:5656
- C:\Windows\System\XzwUntx.exe
  C:\Windows\System\XzwUntx.exe
  2⤵
  PID:5688
- C:\Windows\System\tnNQonB.exe
  C:\Windows\System\tnNQonB.exe
  2⤵
  PID:5716
- C:\Windows\System\IkfhLUn.exe
  C:\Windows\System\IkfhLUn.exe
  2⤵
  PID:5748
- C:\Windows\System\lMLtBjC.exe
  C:\Windows\System\lMLtBjC.exe
  2⤵
  PID:5800
- C:\Windows\System\BzpIWAp.exe
  C:\Windows\System\BzpIWAp.exe
  2⤵
  PID:5828
- C:\Windows\System\jpAWPnN.exe
  C:\Windows\System\jpAWPnN.exe
  2⤵
  PID:5856
- C:\Windows\System\zlNeHir.exe
  C:\Windows\System\zlNeHir.exe
  2⤵
  PID:5896
- C:\Windows\System\uzsURWD.exe
  C:\Windows\System\uzsURWD.exe
  2⤵
  PID:5936
- C:\Windows\System\bNHYNNr.exe
  C:\Windows\System\bNHYNNr.exe
  2⤵
  PID:5964
- C:\Windows\System\OldBTbS.exe
  C:\Windows\System\OldBTbS.exe
  2⤵
  PID:5980
- C:\Windows\System\dHCoiUT.exe
  C:\Windows\System\dHCoiUT.exe
  2⤵
  PID:6012
- C:\Windows\System\KIYMBfm.exe
  C:\Windows\System\KIYMBfm.exe
  2⤵
  PID:6044
- C:\Windows\System\GWMMssU.exe
  C:\Windows\System\GWMMssU.exe
  2⤵
  PID:6072
- C:\Windows\System\MJNSWfz.exe
  C:\Windows\System\MJNSWfz.exe
  2⤵
  PID:6104
- C:\Windows\System\YaYqHjT.exe
  C:\Windows\System\YaYqHjT.exe
  2⤵
  PID:6132
- C:\Windows\System\vzinIVW.exe
  C:\Windows\System\vzinIVW.exe
  2⤵
  PID:5136
- C:\Windows\System\JIObkKS.exe
  C:\Windows\System\JIObkKS.exe
  2⤵
  PID:5184
- C:\Windows\System\LKUSbru.exe
  C:\Windows\System\LKUSbru.exe
  2⤵
  PID:5284
- C:\Windows\System\UlBZojV.exe
  C:\Windows\System\UlBZojV.exe
  2⤵
  PID:5304
- C:\Windows\System\xKquxqP.exe
  C:\Windows\System\xKquxqP.exe
  2⤵
  PID:5352
- C:\Windows\System\zsEkHGG.exe
  C:\Windows\System\zsEkHGG.exe
  2⤵
  PID:5440
- C:\Windows\System\iEGsseI.exe
  C:\Windows\System\iEGsseI.exe
  2⤵
  PID:5496
- C:\Windows\System\AQMwiym.exe
  C:\Windows\System\AQMwiym.exe
  2⤵
  PID:5572
- C:\Windows\System\lYsDsdi.exe
  C:\Windows\System\lYsDsdi.exe
  2⤵
  PID:5648
- C:\Windows\System\GIlTJel.exe
  C:\Windows\System\GIlTJel.exe
  2⤵
  PID:5704
- C:\Windows\System\wmKTKuN.exe
  C:\Windows\System\wmKTKuN.exe
  2⤵
  PID:5796
- C:\Windows\System\SPsjfup.exe
  C:\Windows\System\SPsjfup.exe
  2⤵
  PID:5816
- C:\Windows\System\NlXRfmY.exe
  C:\Windows\System\NlXRfmY.exe
  2⤵
  PID:5924
- C:\Windows\System\KWYAEBa.exe
  C:\Windows\System\KWYAEBa.exe
  2⤵
  PID:5976
- C:\Windows\System\WWPVBDV.exe
  C:\Windows\System\WWPVBDV.exe
  2⤵
  PID:6056
- C:\Windows\System\vrDQoVJ.exe
  C:\Windows\System\vrDQoVJ.exe
  2⤵
  PID:6092
- C:\Windows\System\rcQMvgu.exe
  C:\Windows\System\rcQMvgu.exe
  2⤵
  PID:6140
- C:\Windows\System\geLxSFv.exe
  C:\Windows\System\geLxSFv.exe
  2⤵
  PID:5328
- C:\Windows\System\rcGVLvW.exe
  C:\Windows\System\rcGVLvW.exe
  2⤵
  PID:5392
- C:\Windows\System\kkmITbY.exe
  C:\Windows\System\kkmITbY.exe
  2⤵
  PID:5608
- C:\Windows\System\LYJuyVY.exe
  C:\Windows\System\LYJuyVY.exe
  2⤵
  PID:5676
- C:\Windows\System\gEZDqIi.exe
  C:\Windows\System\gEZDqIi.exe
  2⤵
  PID:5792
- C:\Windows\System\oZhNRpW.exe
  C:\Windows\System\oZhNRpW.exe
  2⤵
  PID:5868
- C:\Windows\System\fkZkxPm.exe
  C:\Windows\System\fkZkxPm.exe
  2⤵
  PID:6116
- C:\Windows\System\grnulgN.exe
  C:\Windows\System\grnulgN.exe
  2⤵
  PID:5204
- C:\Windows\System\DXCNYlk.exe
  C:\Windows\System\DXCNYlk.exe
  2⤵
  PID:5484
- C:\Windows\System\zwJByUT.exe
  C:\Windows\System\zwJByUT.exe
  2⤵
  PID:6020
- C:\Windows\System\MPPpcWh.exe
  C:\Windows\System\MPPpcWh.exe
  2⤵
  PID:5532
- C:\Windows\System\VoTwEbU.exe
  C:\Windows\System\VoTwEbU.exe
  2⤵
  PID:6164
- C:\Windows\System\drxRQWk.exe
  C:\Windows\System\drxRQWk.exe
  2⤵
  PID:6192
- C:\Windows\System\CVwuDKO.exe
  C:\Windows\System\CVwuDKO.exe
  2⤵
  PID:6228
- C:\Windows\System\HlSaxWy.exe
  C:\Windows\System\HlSaxWy.exe
  2⤵
  PID:6256
- C:\Windows\System\kBDWLiN.exe
  C:\Windows\System\kBDWLiN.exe
  2⤵
  PID:6284
- C:\Windows\System\TXRUXnL.exe
  C:\Windows\System\TXRUXnL.exe
  2⤵
  PID:6316
- C:\Windows\System\mchCJxJ.exe
  C:\Windows\System\mchCJxJ.exe
  2⤵
  PID:6352
- C:\Windows\System\ysSRfof.exe
  C:\Windows\System\ysSRfof.exe
  2⤵
  PID:6380
- C:\Windows\System\qsxDWXS.exe
  C:\Windows\System\qsxDWXS.exe
  2⤵
  PID:6412
- C:\Windows\System\yTBzojb.exe
  C:\Windows\System\yTBzojb.exe
  2⤵
  PID:6448
- C:\Windows\System\NxxsdiO.exe
  C:\Windows\System\NxxsdiO.exe
  2⤵
  PID:6464
- C:\Windows\System\ZULVuoz.exe
  C:\Windows\System\ZULVuoz.exe
  2⤵
  PID:6500
- C:\Windows\System\moTxWMP.exe
  C:\Windows\System\moTxWMP.exe
  2⤵
  PID:6528
- C:\Windows\System\SEPGZxN.exe
  C:\Windows\System\SEPGZxN.exe
  2⤵
  PID:6560
- C:\Windows\System\KgpDzDQ.exe
  C:\Windows\System\KgpDzDQ.exe
  2⤵
  PID:6576
- C:\Windows\System\iNetuzT.exe
  C:\Windows\System\iNetuzT.exe
  2⤵
  PID:6608
- C:\Windows\System\ifqNVxZ.exe
  C:\Windows\System\ifqNVxZ.exe
  2⤵
  PID:6636
- C:\Windows\System\KCRlCVM.exe
  C:\Windows\System\KCRlCVM.exe
  2⤵
  PID:6664
- C:\Windows\System\UkOuXgi.exe
  C:\Windows\System\UkOuXgi.exe
  2⤵
  PID:6692
- C:\Windows\System\XfdCAoS.exe
  C:\Windows\System\XfdCAoS.exe
  2⤵
  PID:6720
- C:\Windows\System\VoGJnne.exe
  C:\Windows\System\VoGJnne.exe
  2⤵
  PID:6740
- C:\Windows\System\pPBsOVS.exe
  C:\Windows\System\pPBsOVS.exe
  2⤵
  PID:6772
- C:\Windows\System\mTwfOZR.exe
  C:\Windows\System\mTwfOZR.exe
  2⤵
  PID:6796
- C:\Windows\System\quCWOHk.exe
  C:\Windows\System\quCWOHk.exe
  2⤵
  PID:6828
- C:\Windows\System\UdzIoyF.exe
  C:\Windows\System\UdzIoyF.exe
  2⤵
  PID:6852
- C:\Windows\System\VVWomrn.exe
  C:\Windows\System\VVWomrn.exe
  2⤵
  PID:6880
- C:\Windows\System\knhqoTM.exe
  C:\Windows\System\knhqoTM.exe
  2⤵
  PID:6916
- C:\Windows\System\pLlZAAz.exe
  C:\Windows\System\pLlZAAz.exe
  2⤵
  PID:6948
- C:\Windows\System\vXnlOgq.exe
  C:\Windows\System\vXnlOgq.exe
  2⤵
  PID:6988
- C:\Windows\System\eYjMZIu.exe
  C:\Windows\System\eYjMZIu.exe
  2⤵
  PID:7008
- C:\Windows\System\nGdBULe.exe
  C:\Windows\System\nGdBULe.exe
  2⤵
  PID:7040
- C:\Windows\System\doGCRPQ.exe
  C:\Windows\System\doGCRPQ.exe
  2⤵
  PID:7064
- C:\Windows\System\YxTCquR.exe
  C:\Windows\System\YxTCquR.exe
  2⤵
  PID:7104
- C:\Windows\System\lzLIEfL.exe
  C:\Windows\System\lzLIEfL.exe
  2⤵
  PID:7124
- C:\Windows\System\jctPFUC.exe
  C:\Windows\System\jctPFUC.exe
  2⤵
  PID:7160
- C:\Windows\System\yaomJXP.exe
  C:\Windows\System\yaomJXP.exe
  2⤵
  PID:6160
- C:\Windows\System\HkbmOFu.exe
  C:\Windows\System\HkbmOFu.exe
  2⤵
  PID:6200
- C:\Windows\System\ZOlgOMA.exe
  C:\Windows\System\ZOlgOMA.exe
  2⤵
  PID:6208
- C:\Windows\System\zfYasEg.exe
  C:\Windows\System\zfYasEg.exe
  2⤵
  PID:6272
- C:\Windows\System\PpnqrsH.exe
  C:\Windows\System\PpnqrsH.exe
  2⤵
  PID:6372
- C:\Windows\System\stPDcwC.exe
  C:\Windows\System\stPDcwC.exe
  2⤵
  PID:6440
- C:\Windows\System\sztaOvL.exe
  C:\Windows\System\sztaOvL.exe
  2⤵
  PID:6488
- C:\Windows\System\FYJkNAw.exe
  C:\Windows\System\FYJkNAw.exe
  2⤵
  PID:6592
- C:\Windows\System\qfMQZOM.exe
  C:\Windows\System\qfMQZOM.exe
  2⤵
  PID:6684
- C:\Windows\System\HmeNCme.exe
  C:\Windows\System\HmeNCme.exe
  2⤵
  PID:6764
- C:\Windows\System\ZwikEDo.exe
  C:\Windows\System\ZwikEDo.exe
  2⤵
  PID:6804
- C:\Windows\System\dPdmbnS.exe
  C:\Windows\System\dPdmbnS.exe
  2⤵
  PID:6900
- C:\Windows\System\CDwDLwo.exe
  C:\Windows\System\CDwDLwo.exe
  2⤵
  PID:6944
- C:\Windows\System\VRMSMRk.exe
  C:\Windows\System\VRMSMRk.exe
  2⤵
  PID:7048
- C:\Windows\System\QxERdGo.exe
  C:\Windows\System\QxERdGo.exe
  2⤵
  PID:7148
- C:\Windows\System\SGNHEBz.exe
  C:\Windows\System\SGNHEBz.exe
  2⤵
  PID:6216
- C:\Windows\System\BOwzZoE.exe
  C:\Windows\System\BOwzZoE.exe
  2⤵
  PID:6244
- C:\Windows\System\mXsKmnk.exe
  C:\Windows\System\mXsKmnk.exe
  2⤵
  PID:6476
- C:\Windows\System\FDqJzAA.exe
  C:\Windows\System\FDqJzAA.exe
  2⤵
  PID:6520
- C:\Windows\System\NcrDcLc.exe
  C:\Windows\System\NcrDcLc.exe
  2⤵
  PID:1160
- C:\Windows\System\UgoJEYE.exe
  C:\Windows\System\UgoJEYE.exe
  2⤵
  PID:6932
- C:\Windows\System\MwliBIM.exe
  C:\Windows\System\MwliBIM.exe
  2⤵
  PID:7096
- C:\Windows\System\AsdsKCQ.exe
  C:\Windows\System\AsdsKCQ.exe
  2⤵
  PID:7156
- C:\Windows\System\LNQFEIR.exe
  C:\Windows\System\LNQFEIR.exe
  2⤵
  PID:6728
- C:\Windows\System\lCPaLid.exe
  C:\Windows\System\lCPaLid.exe
  2⤵
  PID:6812
- C:\Windows\System\qtBPpKU.exe
  C:\Windows\System\qtBPpKU.exe
  2⤵
  PID:6220
- C:\Windows\System\ieucJZR.exe
  C:\Windows\System\ieucJZR.exe
  2⤵
  PID:7020
- C:\Windows\System\rIBOjDj.exe
  C:\Windows\System\rIBOjDj.exe
  2⤵
  PID:7180
- C:\Windows\System\QUwJDqg.exe
  C:\Windows\System\QUwJDqg.exe
  2⤵
  PID:7208
- C:\Windows\System\lOpGfIZ.exe
  C:\Windows\System\lOpGfIZ.exe
  2⤵
  PID:7240
- C:\Windows\System\ZiyJGHu.exe
  C:\Windows\System\ZiyJGHu.exe
  2⤵
  PID:7264
- C:\Windows\System\pkVCnsS.exe
  C:\Windows\System\pkVCnsS.exe
  2⤵
  PID:7296
- C:\Windows\System\YwqMjqr.exe
  C:\Windows\System\YwqMjqr.exe
  2⤵
  PID:7332
- C:\Windows\System\dGhYSWf.exe
  C:\Windows\System\dGhYSWf.exe
  2⤵
  PID:7360
- C:\Windows\System\NiTRZcw.exe
  C:\Windows\System\NiTRZcw.exe
  2⤵
  PID:7388
- C:\Windows\System\rqdBbTV.exe
  C:\Windows\System\rqdBbTV.exe
  2⤵
  PID:7404
- C:\Windows\System\MBurFgQ.exe
  C:\Windows\System\MBurFgQ.exe
  2⤵
  PID:7440
- C:\Windows\System\oSxRBBR.exe
  C:\Windows\System\oSxRBBR.exe
  2⤵
  PID:7476
- C:\Windows\System\CNuSzoJ.exe
  C:\Windows\System\CNuSzoJ.exe
  2⤵
  PID:7500
- C:\Windows\System\yTiBNfq.exe
  C:\Windows\System\yTiBNfq.exe
  2⤵
  PID:7524
- C:\Windows\System\nEdMyOY.exe
  C:\Windows\System\nEdMyOY.exe
  2⤵
  PID:7564
- C:\Windows\System\bUXLrUv.exe
  C:\Windows\System\bUXLrUv.exe
  2⤵
  PID:7588
- C:\Windows\System\ZYMYqWp.exe
  C:\Windows\System\ZYMYqWp.exe
  2⤵
  PID:7616
- C:\Windows\System\NVwcszS.exe
  C:\Windows\System\NVwcszS.exe
  2⤵
  PID:7640
- C:\Windows\System\iVWovyA.exe
  C:\Windows\System\iVWovyA.exe
  2⤵
  PID:7656
- C:\Windows\System\ncxuMlj.exe
  C:\Windows\System\ncxuMlj.exe
  2⤵
  PID:7680
- C:\Windows\System\hCFtyYQ.exe
  C:\Windows\System\hCFtyYQ.exe
  2⤵
  PID:7708
- C:\Windows\System\vzQifmG.exe
  C:\Windows\System\vzQifmG.exe
  2⤵
  PID:7728
- C:\Windows\System\hEBSufe.exe
  C:\Windows\System\hEBSufe.exe
  2⤵
  PID:7764
- C:\Windows\System\wfHRcTe.exe
  C:\Windows\System\wfHRcTe.exe
  2⤵
  PID:7800
- C:\Windows\System\rKbsqez.exe
  C:\Windows\System\rKbsqez.exe
  2⤵
  PID:7840
- C:\Windows\System\QkTZAYG.exe
  C:\Windows\System\QkTZAYG.exe
  2⤵
  PID:7884
- C:\Windows\System\vfbrvzg.exe
  C:\Windows\System\vfbrvzg.exe
  2⤵
  PID:7912
- C:\Windows\System\RkSJMYC.exe
  C:\Windows\System\RkSJMYC.exe
  2⤵
  PID:7932
- C:\Windows\System\YISrOtJ.exe
  C:\Windows\System\YISrOtJ.exe
  2⤵
  PID:7956
- C:\Windows\System\VJPWKkT.exe
  C:\Windows\System\VJPWKkT.exe
  2⤵
  PID:7984
- C:\Windows\System\FGECkho.exe
  C:\Windows\System\FGECkho.exe
  2⤵
  PID:8012
- C:\Windows\System\nPzONVl.exe
  C:\Windows\System\nPzONVl.exe
  2⤵
  PID:8044
- C:\Windows\System\QyrJOlo.exe
  C:\Windows\System\QyrJOlo.exe
  2⤵
  PID:8076
- C:\Windows\System\bIdbkSD.exe
  C:\Windows\System\bIdbkSD.exe
  2⤵
  PID:8100
- C:\Windows\System\eJAtSfE.exe
  C:\Windows\System\eJAtSfE.exe
  2⤵
  PID:8124
- C:\Windows\System\FEuXTQF.exe
  C:\Windows\System\FEuXTQF.exe
  2⤵
  PID:8156
- C:\Windows\System\WHBfUio.exe
  C:\Windows\System\WHBfUio.exe
  2⤵
  PID:8184
- C:\Windows\System\JiSyiGD.exe
  C:\Windows\System\JiSyiGD.exe
  2⤵
  PID:7200
- C:\Windows\System\qngSvvV.exe
  C:\Windows\System\qngSvvV.exe
  2⤵
  PID:7256
- C:\Windows\System\gVNGauK.exe
  C:\Windows\System\gVNGauK.exe
  2⤵
  PID:7328
- C:\Windows\System\qblFbwZ.exe
  C:\Windows\System\qblFbwZ.exe
  2⤵
  PID:7372
- C:\Windows\System\FyuwYgD.exe
  C:\Windows\System\FyuwYgD.exe
  2⤵
  PID:7460
- C:\Windows\System\DgttxHo.exe
  C:\Windows\System\DgttxHo.exe
  2⤵
  PID:7516
- C:\Windows\System\aHWGfFh.exe
  C:\Windows\System\aHWGfFh.exe
  2⤵
  PID:7620
- C:\Windows\System\DtWyVwp.exe
  C:\Windows\System\DtWyVwp.exe
  2⤵
  PID:7648
- C:\Windows\System\QklCIkX.exe
  C:\Windows\System\QklCIkX.exe
  2⤵
  PID:7668
- C:\Windows\System\BTmWPtE.exe
  C:\Windows\System\BTmWPtE.exe
  2⤵
  PID:7776
- C:\Windows\System\ukMAttl.exe
  C:\Windows\System\ukMAttl.exe
  2⤵
  PID:7852
- C:\Windows\System\tYzFlpu.exe
  C:\Windows\System\tYzFlpu.exe
  2⤵
  PID:7908
- C:\Windows\System\PuUsxTZ.exe
  C:\Windows\System\PuUsxTZ.exe
  2⤵
  PID:8004
- C:\Windows\System\JfZgNEe.exe
  C:\Windows\System\JfZgNEe.exe
  2⤵
  PID:8084
- C:\Windows\System\cIhRRbM.exe
  C:\Windows\System\cIhRRbM.exe
  2⤵
  PID:8148
- C:\Windows\System\paOJDiC.exe
  C:\Windows\System\paOJDiC.exe
  2⤵
  PID:7260
- C:\Windows\System\ptftAMc.exe
  C:\Windows\System\ptftAMc.exe
  2⤵
  PID:7400
- C:\Windows\System\GapoiCR.exe
  C:\Windows\System\GapoiCR.exe
  2⤵
  PID:7496
- C:\Windows\System\WrmQskS.exe
  C:\Windows\System\WrmQskS.exe
  2⤵
  PID:7592
- C:\Windows\System\dAbZyAn.exe
  C:\Windows\System\dAbZyAn.exe
  2⤵
  PID:7896
- C:\Windows\System\YvwUYLH.exe
  C:\Windows\System\YvwUYLH.exe
  2⤵
  PID:7996
- C:\Windows\System\QrPygDQ.exe
  C:\Windows\System\QrPygDQ.exe
  2⤵
  PID:8108
- C:\Windows\System\QRXlFeN.exe
  C:\Windows\System\QRXlFeN.exe
  2⤵
  PID:8180
- C:\Windows\System\imZknfr.exe
  C:\Windows\System\imZknfr.exe
  2⤵
  PID:6868
- C:\Windows\System\uIsCCsv.exe
  C:\Windows\System\uIsCCsv.exe
  2⤵
  PID:7952
- C:\Windows\System\KKXDelN.exe
  C:\Windows\System\KKXDelN.exe
  2⤵
  PID:8068
- C:\Windows\System\BWfBoRe.exe
  C:\Windows\System\BWfBoRe.exe
  2⤵
  PID:7720
- C:\Windows\System\JoLbkvk.exe
  C:\Windows\System\JoLbkvk.exe
  2⤵
  PID:8208
- C:\Windows\System\yOVOEnN.exe
  C:\Windows\System\yOVOEnN.exe
  2⤵
  PID:8252
- C:\Windows\System\lNWOFDy.exe
  C:\Windows\System\lNWOFDy.exe
  2⤵
  PID:8300
- C:\Windows\System\TZBmuko.exe
  C:\Windows\System\TZBmuko.exe
  2⤵
  PID:8316
- C:\Windows\System\ruabMTh.exe
  C:\Windows\System\ruabMTh.exe
  2⤵
  PID:8332
- C:\Windows\System\HeeCVnV.exe
  C:\Windows\System\HeeCVnV.exe
  2⤵
  PID:8380
- C:\Windows\System\gQitdmB.exe
  C:\Windows\System\gQitdmB.exe
  2⤵
  PID:8412
- C:\Windows\System\xurmnBh.exe
  C:\Windows\System\xurmnBh.exe
  2⤵
  PID:8440
- C:\Windows\System\nFKWZWt.exe
  C:\Windows\System\nFKWZWt.exe
  2⤵
  PID:8460
- C:\Windows\System\ymdDWRT.exe
  C:\Windows\System\ymdDWRT.exe
  2⤵
  PID:8480
- C:\Windows\System\uKslOFt.exe
  C:\Windows\System\uKslOFt.exe
  2⤵
  PID:8504
- C:\Windows\System\xzxZYOe.exe
  C:\Windows\System\xzxZYOe.exe
  2⤵
  PID:8536
- C:\Windows\System\wluPSBb.exe
  C:\Windows\System\wluPSBb.exe
  2⤵
  PID:8564
- C:\Windows\System\nZxTLOp.exe
  C:\Windows\System\nZxTLOp.exe
  2⤵
  PID:8596
- C:\Windows\System\LdxVzKa.exe
  C:\Windows\System\LdxVzKa.exe
  2⤵
  PID:8628
- C:\Windows\System\EjsaeFl.exe
  C:\Windows\System\EjsaeFl.exe
  2⤵
  PID:8660
- C:\Windows\System\FDfcUtZ.exe
  C:\Windows\System\FDfcUtZ.exe
  2⤵
  PID:8692
- C:\Windows\System\eymzyfB.exe
  C:\Windows\System\eymzyfB.exe
  2⤵
  PID:8712
- C:\Windows\System\xRzTiCT.exe
  C:\Windows\System\xRzTiCT.exe
  2⤵
  PID:8744
- C:\Windows\System\XnzYzKG.exe
  C:\Windows\System\XnzYzKG.exe
  2⤵
  PID:8776
- C:\Windows\System\DHxMyue.exe
  C:\Windows\System\DHxMyue.exe
  2⤵
  PID:8804
- C:\Windows\System\rqDPIXp.exe
  C:\Windows\System\rqDPIXp.exe
  2⤵
  PID:8828
- C:\Windows\System\FTCcPhX.exe
  C:\Windows\System\FTCcPhX.exe
  2⤵
  PID:8856
- C:\Windows\System\MHdlaxJ.exe
  C:\Windows\System\MHdlaxJ.exe
  2⤵
  PID:8888
- C:\Windows\System\KlegwBm.exe
  C:\Windows\System\KlegwBm.exe
  2⤵
  PID:8924
- C:\Windows\System\FwhhneE.exe
  C:\Windows\System\FwhhneE.exe
  2⤵
  PID:8952
- C:\Windows\System\hcMRuMv.exe
  C:\Windows\System\hcMRuMv.exe
  2⤵
  PID:8968
- C:\Windows\System\gIkFEun.exe
  C:\Windows\System\gIkFEun.exe
  2⤵
  PID:9004
- C:\Windows\System\ZglkDmx.exe
  C:\Windows\System\ZglkDmx.exe
  2⤵
  PID:9028
- C:\Windows\System\KTtTnQg.exe
  C:\Windows\System\KTtTnQg.exe
  2⤵
  PID:9056
- C:\Windows\System\HKamxWX.exe
  C:\Windows\System\HKamxWX.exe
  2⤵
  PID:9084
- C:\Windows\System\srVQyzi.exe
  C:\Windows\System\srVQyzi.exe
  2⤵
  PID:9100
- C:\Windows\System\XohumXZ.exe
  C:\Windows\System\XohumXZ.exe
  2⤵
  PID:9128
- C:\Windows\System\ZcwANhF.exe
  C:\Windows\System\ZcwANhF.exe
  2⤵
  PID:9144
- C:\Windows\System\auqkVtI.exe
  C:\Windows\System\auqkVtI.exe
  2⤵
  PID:9188
- C:\Windows\System\EJETUri.exe
  C:\Windows\System\EJETUri.exe
  2⤵
  PID:9212
- C:\Windows\System\BMHEwst.exe
  C:\Windows\System\BMHEwst.exe
  2⤵
  PID:8092
- C:\Windows\System\QgEghSf.exe
  C:\Windows\System\QgEghSf.exe
  2⤵
  PID:8308
- C:\Windows\System\JSnEmCz.exe
  C:\Windows\System\JSnEmCz.exe
  2⤵
  PID:8288
- C:\Windows\System\gJEHYNA.exe
  C:\Windows\System\gJEHYNA.exe
  2⤵
  PID:8396
- C:\Windows\System\GgXDSOx.exe
  C:\Windows\System\GgXDSOx.exe
  2⤵
  PID:8404
- C:\Windows\System\abHJpAU.exe
  C:\Windows\System\abHJpAU.exe
  2⤵
  PID:8448
- C:\Windows\System\zXpMcvM.exe
  C:\Windows\System\zXpMcvM.exe
  2⤵
  PID:8492
- C:\Windows\System\tSNvBOa.exe
  C:\Windows\System\tSNvBOa.exe
  2⤵
  PID:8552
- C:\Windows\System\EciBNQA.exe
  C:\Windows\System\EciBNQA.exe
  2⤵
  PID:8612
- C:\Windows\System\jPakeiG.exe
  C:\Windows\System\jPakeiG.exe
  2⤵
  PID:8648
- C:\Windows\System\iKAmivM.exe
  C:\Windows\System\iKAmivM.exe
  2⤵
  PID:8708
- C:\Windows\System\chTTztD.exe
  C:\Windows\System\chTTztD.exe
  2⤵
  PID:8760
- C:\Windows\System\RfGGJpO.exe
  C:\Windows\System\RfGGJpO.exe
  2⤵
  PID:8796
- C:\Windows\System\fmFhzPd.exe
  C:\Windows\System\fmFhzPd.exe
  2⤵
  PID:8824
- C:\Windows\System\dLChyZL.exe
  C:\Windows\System\dLChyZL.exe
  2⤵
  PID:8908
- C:\Windows\System\MoNvmFR.exe
  C:\Windows\System\MoNvmFR.exe
  2⤵
  PID:8964
- C:\Windows\System\MtzjhzK.exe
  C:\Windows\System\MtzjhzK.exe
  2⤵
  PID:9024
- C:\Windows\System\VnvMrRQ.exe
  C:\Windows\System\VnvMrRQ.exe
  2⤵
  PID:9068
- C:\Windows\System\pbEQcNm.exe
  C:\Windows\System\pbEQcNm.exe
  2⤵
  PID:9120
- C:\Windows\System\RKYaoCy.exe
  C:\Windows\System\RKYaoCy.exe
  2⤵
  PID:9176
- C:\Windows\System\aRlegOq.exe
  C:\Windows\System\aRlegOq.exe
  2⤵
  PID:7700
- C:\Windows\System\OPvsFrY.exe
  C:\Windows\System\OPvsFrY.exe
  2⤵
  PID:8352
- C:\Windows\System\suPouvi.exe
  C:\Windows\System\suPouvi.exe
  2⤵
  PID:8328
- C:\Windows\System\KtMKtwY.exe
  C:\Windows\System\KtMKtwY.exe
  2⤵
  PID:8428
- C:\Windows\System\VNzHXBn.exe
  C:\Windows\System\VNzHXBn.exe
  2⤵
  PID:8736
- C:\Windows\System\uMyLGmI.exe
  C:\Windows\System\uMyLGmI.exe
  2⤵
  PID:8672
- C:\Windows\System\RHvmdHm.exe
  C:\Windows\System\RHvmdHm.exe
  2⤵
  PID:9220
- C:\Windows\System\YEfvoOf.exe
  C:\Windows\System\YEfvoOf.exe
  2⤵
  PID:9324
- C:\Windows\System\DSRvZOS.exe
  C:\Windows\System\DSRvZOS.exe
  2⤵
  PID:9360
- C:\Windows\System\PFXQlhs.exe
  C:\Windows\System\PFXQlhs.exe
  2⤵
  PID:9388
- C:\Windows\System\qJhrldT.exe
  C:\Windows\System\qJhrldT.exe
  2⤵
  PID:9420
- C:\Windows\System\bPdRtAg.exe
  C:\Windows\System\bPdRtAg.exe
  2⤵
  PID:9440
- C:\Windows\System\rIlcCHF.exe
  C:\Windows\System\rIlcCHF.exe
  2⤵
  PID:9464
- C:\Windows\System\WnVLiPn.exe
  C:\Windows\System\WnVLiPn.exe
  2⤵
  PID:9492
- C:\Windows\System\BOsIoFz.exe
  C:\Windows\System\BOsIoFz.exe
  2⤵
  PID:9520
- C:\Windows\System\FWXlGod.exe
  C:\Windows\System\FWXlGod.exe
  2⤵
  PID:9560
- C:\Windows\System\ekKUjWo.exe
  C:\Windows\System\ekKUjWo.exe
  2⤵
  PID:9596
- C:\Windows\System\IEEzVDO.exe
  C:\Windows\System\IEEzVDO.exe
  2⤵
  PID:9628
- C:\Windows\System\QzKVsoA.exe
  C:\Windows\System\QzKVsoA.exe
  2⤵
  PID:9656
- C:\Windows\System\bcrEHSH.exe
  C:\Windows\System\bcrEHSH.exe
  2⤵
  PID:9684
- C:\Windows\System\APlgdZX.exe
  C:\Windows\System\APlgdZX.exe
  2⤵
  PID:9720
- C:\Windows\System\digJEHv.exe
  C:\Windows\System\digJEHv.exe
  2⤵
  PID:9756
- C:\Windows\System\GwpRgfC.exe
  C:\Windows\System\GwpRgfC.exe
  2⤵
  PID:9772
- C:\Windows\System\cWaSutL.exe
  C:\Windows\System\cWaSutL.exe
  2⤵
  PID:9796
- C:\Windows\System\lGKwRiv.exe
  C:\Windows\System\lGKwRiv.exe
  2⤵
  PID:9816
- C:\Windows\System\ZOLVoDB.exe
  C:\Windows\System\ZOLVoDB.exe
  2⤵
  PID:9832
- C:\Windows\System\RwaGgMy.exe
  C:\Windows\System\RwaGgMy.exe
  2⤵
  PID:9848
- C:\Windows\System\YwFCmuy.exe
  C:\Windows\System\YwFCmuy.exe
  2⤵
  PID:9872
- C:\Windows\System\LSQBqYY.exe
  C:\Windows\System\LSQBqYY.exe
  2⤵
  PID:9888
- C:\Windows\System\vVLcUZG.exe
  C:\Windows\System\vVLcUZG.exe
  2⤵
  PID:9908
- C:\Windows\System\XPVxMsV.exe
  C:\Windows\System\XPVxMsV.exe
  2⤵
  PID:9940
- C:\Windows\System\LtTODAf.exe
  C:\Windows\System\LtTODAf.exe
  2⤵
  PID:9968
- C:\Windows\System\scbaJCV.exe
  C:\Windows\System\scbaJCV.exe
  2⤵
  PID:9992
- C:\Windows\System\YhaAmfz.exe
  C:\Windows\System\YhaAmfz.exe
  2⤵
  PID:10032
- C:\Windows\System\DhHAXIh.exe
  C:\Windows\System\DhHAXIh.exe
  2⤵
  PID:10056
- C:\Windows\System\NfZwIsW.exe
  C:\Windows\System\NfZwIsW.exe
  2⤵
  PID:10072
- C:\Windows\System\DyDpDHO.exe
  C:\Windows\System\DyDpDHO.exe
  2⤵
  PID:10108
- C:\Windows\System\wAJRaoJ.exe
  C:\Windows\System\wAJRaoJ.exe
  2⤵
  PID:10144
- C:\Windows\System\rNbBpmW.exe
  C:\Windows\System\rNbBpmW.exe
  2⤵
  PID:10160
- C:\Windows\System\purXROP.exe
  C:\Windows\System\purXROP.exe
  2⤵
  PID:10180
- C:\Windows\System\SuUQBQJ.exe
  C:\Windows\System\SuUQBQJ.exe
  2⤵
  PID:10232
- C:\Windows\System\UOaQacF.exe
  C:\Windows\System\UOaQacF.exe
  2⤵
  PID:9168
- C:\Windows\System\vaGgeYW.exe
  C:\Windows\System\vaGgeYW.exe
  2⤵
  PID:7796
- C:\Windows\System\dzONtck.exe
  C:\Windows\System\dzONtck.exe
  2⤵
  PID:8136
- C:\Windows\System\COwVIKg.exe
  C:\Windows\System\COwVIKg.exe
  2⤵
  PID:8524
- C:\Windows\System\idIoazX.exe
  C:\Windows\System\idIoazX.exe
  2⤵
  PID:9316
- C:\Windows\System\RrFVkJy.exe
  C:\Windows\System\RrFVkJy.exe
  2⤵
  PID:9096
- C:\Windows\System\tNMoBOi.exe
  C:\Windows\System\tNMoBOi.exe
  2⤵
  PID:9476
- C:\Windows\System\rliSXNI.exe
  C:\Windows\System\rliSXNI.exe
  2⤵
  PID:9508
- C:\Windows\System\ExIBZXh.exe
  C:\Windows\System\ExIBZXh.exe
  2⤵
  PID:9504
- C:\Windows\System\XWWkeJH.exe
  C:\Windows\System\XWWkeJH.exe
  2⤵
  PID:9452
- C:\Windows\System\bifzcyV.exe
  C:\Windows\System\bifzcyV.exe
  2⤵
  PID:9556
- C:\Windows\System\bABHIkk.exe
  C:\Windows\System\bABHIkk.exe
  2⤵
  PID:9676
- C:\Windows\System\baQvdVf.exe
  C:\Windows\System\baQvdVf.exe
  2⤵
  PID:9812
- C:\Windows\System\CJtellC.exe
  C:\Windows\System\CJtellC.exe
  2⤵
  PID:9844
- C:\Windows\System\zWIbLLV.exe
  C:\Windows\System\zWIbLLV.exe
  2⤵
  PID:9840
- C:\Windows\System\tWuUTTK.exe
  C:\Windows\System\tWuUTTK.exe
  2⤵
  PID:9896
- C:\Windows\System\RVqMZXV.exe
  C:\Windows\System\RVqMZXV.exe
  2⤵
  PID:10068
- C:\Windows\System\NedfgcM.exe
  C:\Windows\System\NedfgcM.exe
  2⤵
  PID:10016
- C:\Windows\System\PdgAXnE.exe
  C:\Windows\System\PdgAXnE.exe
  2⤵
  PID:10064
- C:\Windows\System\MEEzAyH.exe
  C:\Windows\System\MEEzAyH.exe
  2⤵
  PID:9960
- C:\Windows\System\dizgswT.exe
  C:\Windows\System\dizgswT.exe
  2⤵
  PID:10116
- C:\Windows\System\iTbyZjN.exe
  C:\Windows\System\iTbyZjN.exe
  2⤵
  PID:8232
- C:\Windows\System\txLdtWm.exe
  C:\Windows\System\txLdtWm.exe
  2⤵
  PID:8476
- C:\Windows\System\eaEMoOc.exe
  C:\Windows\System\eaEMoOc.exe
  2⤵
  PID:9116
- C:\Windows\System\WVByRyi.exe
  C:\Windows\System\WVByRyi.exe
  2⤵
  PID:9040
- C:\Windows\System\oUgDCaw.exe
  C:\Windows\System\oUgDCaw.exe
  2⤵
  PID:9880
- C:\Windows\System\jOZORBb.exe
  C:\Windows\System\jOZORBb.exe
  2⤵
  PID:10092
- C:\Windows\System\jCNMnKR.exe
  C:\Windows\System\jCNMnKR.exe
  2⤵
  PID:9980
- C:\Windows\System\VzYdsSM.exe
  C:\Windows\System\VzYdsSM.exe
  2⤵
  PID:10252
- C:\Windows\System\qvKgTxs.exe
  C:\Windows\System\qvKgTxs.exe
  2⤵
  PID:10460
- C:\Windows\System\HVgmawb.exe
  C:\Windows\System\HVgmawb.exe
  2⤵
  PID:10476
- C:\Windows\System\aIcPUns.exe
  C:\Windows\System\aIcPUns.exe
  2⤵
  PID:10496
- C:\Windows\System\GxBpGAQ.exe
  C:\Windows\System\GxBpGAQ.exe
  2⤵
  PID:10520
- C:\Windows\System\eVFOjFT.exe
  C:\Windows\System\eVFOjFT.exe
  2⤵
  PID:10552
- C:\Windows\System\ZGjepMY.exe
  C:\Windows\System\ZGjepMY.exe
  2⤵
  PID:10576
- C:\Windows\System\uHkLNDW.exe
  C:\Windows\System\uHkLNDW.exe
  2⤵
  PID:10608
- C:\Windows\System\dIFZYxU.exe
  C:\Windows\System\dIFZYxU.exe
  2⤵
  PID:10632
- C:\Windows\System\daJqmYY.exe
  C:\Windows\System\daJqmYY.exe
  2⤵
  PID:10660
- C:\Windows\System\aSIEAeg.exe
  C:\Windows\System\aSIEAeg.exe
  2⤵
  PID:10688
- C:\Windows\System\pLbbzUP.exe
  C:\Windows\System\pLbbzUP.exe
  2⤵
  PID:10704
- C:\Windows\System\DXjircW.exe
  C:\Windows\System\DXjircW.exe
  2⤵
  PID:10732
- C:\Windows\System\eTyRNBb.exe
  C:\Windows\System\eTyRNBb.exe
  2⤵
  PID:10752
- C:\Windows\System\IkwhejK.exe
  C:\Windows\System\IkwhejK.exe
  2⤵
  PID:10788
- C:\Windows\System\OWQDhZP.exe
  C:\Windows\System\OWQDhZP.exe
  2⤵
  PID:10808
- C:\Windows\System\CrVcKhU.exe
  C:\Windows\System\CrVcKhU.exe
  2⤵
  PID:10844
- C:\Windows\System\CNjgkLK.exe
  C:\Windows\System\CNjgkLK.exe
  2⤵
  PID:10868
- C:\Windows\System\hBhKFxs.exe
  C:\Windows\System\hBhKFxs.exe
  2⤵
  PID:10888
- C:\Windows\System\xJvwnsk.exe
  C:\Windows\System\xJvwnsk.exe
  2⤵
  PID:10920
- C:\Windows\System\zfHFCGq.exe
  C:\Windows\System\zfHFCGq.exe
  2⤵
  PID:10944
- C:\Windows\System\xTBrngU.exe
  C:\Windows\System\xTBrngU.exe
  2⤵
  PID:10960
- C:\Windows\System\EGpqmxn.exe
  C:\Windows\System\EGpqmxn.exe
  2⤵
  PID:10984
- C:\Windows\System\JHmhGek.exe
  C:\Windows\System\JHmhGek.exe
  2⤵
  PID:11000
- C:\Windows\System\rrQyWkH.exe
  C:\Windows\System\rrQyWkH.exe
  2⤵
  PID:11032
- C:\Windows\System\HRDZKBd.exe
  C:\Windows\System\HRDZKBd.exe
  2⤵
  PID:11048
- C:\Windows\System\LMfkyNE.exe
  C:\Windows\System\LMfkyNE.exe
  2⤵
  PID:11072
- C:\Windows\System\bakcAoS.exe
  C:\Windows\System\bakcAoS.exe
  2⤵
  PID:11092
- C:\Windows\System\NnutkMb.exe
  C:\Windows\System\NnutkMb.exe
  2⤵
  PID:11124
- C:\Windows\System\tJPnKxL.exe
  C:\Windows\System\tJPnKxL.exe
  2⤵
  PID:11152
- C:\Windows\System\cKtpQlC.exe
  C:\Windows\System\cKtpQlC.exe
  2⤵
  PID:11172
- C:\Windows\System\IOZzwUw.exe
  C:\Windows\System\IOZzwUw.exe
  2⤵
  PID:11196
- C:\Windows\System\pRzPfzB.exe
  C:\Windows\System\pRzPfzB.exe
  2⤵
  PID:11224
- C:\Windows\System\NhAOiSz.exe
  C:\Windows\System\NhAOiSz.exe
  2⤵
  PID:11248
- C:\Windows\System\eYOmzLH.exe
  C:\Windows\System\eYOmzLH.exe
  2⤵
  PID:10172
- C:\Windows\System\xsjnpZE.exe
  C:\Windows\System\xsjnpZE.exe
  2⤵
  PID:10204
- C:\Windows\System\maTaDit.exe
  C:\Windows\System\maTaDit.exe
  2⤵
  PID:9692
- C:\Windows\System\kSWAttU.exe
  C:\Windows\System\kSWAttU.exe
  2⤵
  PID:9976
- C:\Windows\System\ZreBHWg.exe
  C:\Windows\System\ZreBHWg.exe
  2⤵
  PID:10292
- C:\Windows\System\magnInY.exe
  C:\Windows\System\magnInY.exe
  2⤵
  PID:8960
- C:\Windows\System\pKYgKSF.exe
  C:\Windows\System\pKYgKSF.exe
  2⤵
  PID:10484
- C:\Windows\System\ISyILEb.exe
  C:\Windows\System\ISyILEb.exe
  2⤵
  PID:10536
- C:\Windows\System\VwNxvwX.exe
  C:\Windows\System\VwNxvwX.exe
  2⤵
  PID:10592
- C:\Windows\System\rBNtjNu.exe
  C:\Windows\System\rBNtjNu.exe
  2⤵
  PID:10696
- C:\Windows\System\ZNoviOc.exe
  C:\Windows\System\ZNoviOc.exe
  2⤵
  PID:10724
- C:\Windows\System\fUcgZEF.exe
  C:\Windows\System\fUcgZEF.exe
  2⤵
  PID:10824
- C:\Windows\System\DJvmkzY.exe
  C:\Windows\System\DJvmkzY.exe
  2⤵
  PID:10916
- C:\Windows\System\ZmLLgop.exe
  C:\Windows\System\ZmLLgop.exe
  2⤵
  PID:10980
- C:\Windows\System\DpoybuQ.exe
  C:\Windows\System\DpoybuQ.exe
  2⤵
  PID:10992
- C:\Windows\System\sbWQzLB.exe
  C:\Windows\System\sbWQzLB.exe
  2⤵
  PID:11024
- C:\Windows\System\mDmLhDa.exe
  C:\Windows\System\mDmLhDa.exe
  2⤵
  PID:11188
- C:\Windows\System\JQYzyah.exe
  C:\Windows\System\JQYzyah.exe
  2⤵
  PID:11236
- C:\Windows\System\ityCriH.exe
  C:\Windows\System\ityCriH.exe
  2⤵
  PID:11184
- C:\Windows\System\BZFdBAz.exe
  C:\Windows\System\BZFdBAz.exe
  2⤵
  PID:10264
- C:\Windows\System\wsynxEH.exe
  C:\Windows\System\wsynxEH.exe
  2⤵
  PID:10456
- C:\Windows\System\LiwHOSK.exe
  C:\Windows\System\LiwHOSK.exe
  2⤵
  PID:10412
- C:\Windows\System\MMNMnUy.exe
  C:\Windows\System\MMNMnUy.exe
  2⤵
  PID:10572
- C:\Windows\System\JgFrXMV.exe
  C:\Windows\System\JgFrXMV.exe
  2⤵
  PID:10972
- C:\Windows\System\xXsNRYE.exe
  C:\Windows\System\xXsNRYE.exe
  2⤵
  PID:11104
- C:\Windows\System\DWwypza.exe
  C:\Windows\System\DWwypza.exe
  2⤵
  PID:11164
- C:\Windows\System\kMbrypw.exe
  C:\Windows\System\kMbrypw.exe
  2⤵
  PID:11120
- C:\Windows\System\IKXytRh.exe
  C:\Windows\System\IKXytRh.exe
  2⤵
  PID:11136
- C:\Windows\System\FUhYxqH.exe
  C:\Windows\System\FUhYxqH.exe
  2⤵
  PID:10676
- C:\Windows\System\DZyEIHz.exe
  C:\Windows\System\DZyEIHz.exe
  2⤵
  PID:10804
- C:\Windows\System\FJwXcHA.exe
  C:\Windows\System\FJwXcHA.exe
  2⤵
  PID:11272
- C:\Windows\System\ivwAOfL.exe
  C:\Windows\System\ivwAOfL.exe
  2⤵
  PID:11308
- C:\Windows\System\CZaSDED.exe
  C:\Windows\System\CZaSDED.exe
  2⤵
  PID:11336
- C:\Windows\System\BepUyKB.exe
  C:\Windows\System\BepUyKB.exe
  2⤵
  PID:11368
- C:\Windows\System\THNgjqF.exe
  C:\Windows\System\THNgjqF.exe
  2⤵
  PID:11400
- C:\Windows\System\PtSwMza.exe
  C:\Windows\System\PtSwMza.exe
  2⤵
  PID:11420
- C:\Windows\System\JaxuAva.exe
  C:\Windows\System\JaxuAva.exe
  2⤵
  PID:11448
- C:\Windows\System\iIRlHrd.exe
  C:\Windows\System\iIRlHrd.exe
  2⤵
  PID:11492
- C:\Windows\System\UFenZlQ.exe
  C:\Windows\System\UFenZlQ.exe
  2⤵
  PID:11524
- C:\Windows\System\SXKTJqd.exe
  C:\Windows\System\SXKTJqd.exe
  2⤵
  PID:11556
- C:\Windows\System\jVpAXhj.exe
  C:\Windows\System\jVpAXhj.exe
  2⤵
  PID:11588
- C:\Windows\System\rFJCWsR.exe
  C:\Windows\System\rFJCWsR.exe
  2⤵
  PID:11612
- C:\Windows\System\NEosyNT.exe
  C:\Windows\System\NEosyNT.exe
  2⤵
  PID:11640
- C:\Windows\System\wnyhUHt.exe
  C:\Windows\System\wnyhUHt.exe
  2⤵
  PID:11668
- C:\Windows\System\rpZWhCm.exe
  C:\Windows\System\rpZWhCm.exe
  2⤵
  PID:11704
- C:\Windows\System\DDNMlxt.exe
  C:\Windows\System\DDNMlxt.exe
  2⤵
  PID:11728
- C:\Windows\System\AArsXJo.exe
  C:\Windows\System\AArsXJo.exe
  2⤵
  PID:11760
- C:\Windows\System\NDtdpHo.exe
  C:\Windows\System\NDtdpHo.exe
  2⤵
  PID:11792
- C:\Windows\System\WwpXKsA.exe
  C:\Windows\System\WwpXKsA.exe
  2⤵
  PID:11816
- C:\Windows\System\NXJCkUh.exe
  C:\Windows\System\NXJCkUh.exe
  2⤵
  PID:11836
- C:\Windows\System\viDBwWZ.exe
  C:\Windows\System\viDBwWZ.exe
  2⤵
  PID:11872
- C:\Windows\System\ViZsVhx.exe
  C:\Windows\System\ViZsVhx.exe
  2⤵
  PID:11892
- C:\Windows\System\aClZpQx.exe
  C:\Windows\System\aClZpQx.exe
  2⤵
  PID:11920
- C:\Windows\System\ZSQkHTR.exe
  C:\Windows\System\ZSQkHTR.exe
  2⤵
  PID:11948
- C:\Windows\System\KwuEuZj.exe
  C:\Windows\System\KwuEuZj.exe
  2⤵
  PID:11964
- C:\Windows\System\pNkvsDJ.exe
  C:\Windows\System\pNkvsDJ.exe
  2⤵
  PID:11996
- C:\Windows\System\nWleTvY.exe
  C:\Windows\System\nWleTvY.exe
  2⤵
  PID:12024
- C:\Windows\System\iIDmNUX.exe
  C:\Windows\System\iIDmNUX.exe
  2⤵
  PID:12064
- C:\Windows\System\IjxGXJJ.exe
  C:\Windows\System\IjxGXJJ.exe
  2⤵
  PID:12080
- C:\Windows\System\HBYODvb.exe
  C:\Windows\System\HBYODvb.exe
  2⤵
  PID:12096
- C:\Windows\System\FIUMgij.exe
  C:\Windows\System\FIUMgij.exe
  2⤵
  PID:12120
- C:\Windows\System\HLFUclL.exe
  C:\Windows\System\HLFUclL.exe
  2⤵
  PID:12152
- C:\Windows\System\ThleiPs.exe
  C:\Windows\System\ThleiPs.exe
  2⤵
  PID:12184
- C:\Windows\System\JnHmndN.exe
  C:\Windows\System\JnHmndN.exe
  2⤵
  PID:12224
- C:\Windows\System\fXjSOeC.exe
  C:\Windows\System\fXjSOeC.exe
  2⤵
  PID:12248
- C:\Windows\System\UhQPzpz.exe
  C:\Windows\System\UhQPzpz.exe
  2⤵
  PID:12272
- C:\Windows\System\zHLLMwj.exe
  C:\Windows\System\zHLLMwj.exe
  2⤵
  PID:11212
- C:\Windows\System\FyIlmwQ.exe
  C:\Windows\System\FyIlmwQ.exe
  2⤵
  PID:10716
- C:\Windows\System\egplEHI.exe
  C:\Windows\System\egplEHI.exe
  2⤵
  PID:11352
- C:\Windows\System\bYbFJtV.exe
  C:\Windows\System\bYbFJtV.exe
  2⤵
  PID:11444
- C:\Windows\System\sfGEAPL.exe
  C:\Windows\System\sfGEAPL.exe
  2⤵
  PID:11480
- C:\Windows\System\ZuOyBiV.exe
  C:\Windows\System\ZuOyBiV.exe
  2⤵
  PID:11544
- C:\Windows\System\mPYkEAP.exe
  C:\Windows\System\mPYkEAP.exe
  2⤵
  PID:11596
- C:\Windows\System\QVyYYIc.exe
  C:\Windows\System\QVyYYIc.exe
  2⤵
  PID:11660
- C:\Windows\System\HvvMjxr.exe
  C:\Windows\System\HvvMjxr.exe
  2⤵
  PID:11724
- C:\Windows\System\DFMtndm.exe
  C:\Windows\System\DFMtndm.exe
  2⤵
  PID:11824
- C:\Windows\System\xkjMfqw.exe
  C:\Windows\System\xkjMfqw.exe
  2⤵
  PID:11880
- C:\Windows\System\QeYmvAo.exe
  C:\Windows\System\QeYmvAo.exe
  2⤵
  PID:11932
- C:\Windows\System\WzQaKFY.exe
  C:\Windows\System\WzQaKFY.exe
  2⤵
  PID:12040
- C:\Windows\System\nGBcKhZ.exe
  C:\Windows\System\nGBcKhZ.exe
  2⤵
  PID:12088
- C:\Windows\System\VLARBkt.exe
  C:\Windows\System\VLARBkt.exe
  2⤵
  PID:12208
- C:\Windows\System\JSWTcLv.exe
  C:\Windows\System\JSWTcLv.exe
  2⤵
  PID:12204
- C:\Windows\System\VWZyFFG.exe
  C:\Windows\System\VWZyFFG.exe
  2⤵
  PID:11288
- C:\Windows\System\pbeFQSt.exe
  C:\Windows\System\pbeFQSt.exe
  2⤵
  PID:11380
- C:\Windows\System\qlvpGhU.exe
  C:\Windows\System\qlvpGhU.exe
  2⤵
  PID:10284
- C:\Windows\System\BZGFpJB.exe
  C:\Windows\System\BZGFpJB.exe
  2⤵
  PID:11472
- C:\Windows\System\UNMMcyr.exe
  C:\Windows\System\UNMMcyr.exe
  2⤵
  PID:11788
- C:\Windows\System\rKSKZBq.exe
  C:\Windows\System\rKSKZBq.exe
  2⤵
  PID:11800
- C:\Windows\System\shNuPXO.exe
  C:\Windows\System\shNuPXO.exe
  2⤵
  PID:12020
- C:\Windows\System\UOdFZlS.exe
  C:\Windows\System\UOdFZlS.exe
  2⤵
  PID:12140
- C:\Windows\System\MVHCnsA.exe
  C:\Windows\System\MVHCnsA.exe
  2⤵
  PID:12244
- C:\Windows\System\IAOXlbd.exe
  C:\Windows\System\IAOXlbd.exe
  2⤵
  PID:11536
- C:\Windows\System\hlHxJzF.exe
  C:\Windows\System\hlHxJzF.exe
  2⤵
  PID:11768
- C:\Windows\System\tBKnBXX.exe
  C:\Windows\System\tBKnBXX.exe
  2⤵
  PID:11960
- C:\Windows\System\BAtGmWH.exe
  C:\Windows\System\BAtGmWH.exe
  2⤵
  PID:12304
- C:\Windows\System\TypPZtM.exe
  C:\Windows\System\TypPZtM.exe
  2⤵
  PID:12332
- C:\Windows\System\FpxCtaB.exe
  C:\Windows\System\FpxCtaB.exe
  2⤵
  PID:12356
- C:\Windows\System\VfGSpWR.exe
  C:\Windows\System\VfGSpWR.exe
  2⤵
  PID:12388
- C:\Windows\System\CnlygMf.exe
  C:\Windows\System\CnlygMf.exe
  2⤵
  PID:12420
- C:\Windows\System\oBgsKmI.exe
  C:\Windows\System\oBgsKmI.exe
  2⤵
  PID:12444
- C:\Windows\System\koGpcKp.exe
  C:\Windows\System\koGpcKp.exe
  2⤵
  PID:12480
- C:\Windows\System\hfamCmM.exe
  C:\Windows\System\hfamCmM.exe
  2⤵
  PID:12504
- C:\Windows\System\rWoeDGb.exe
  C:\Windows\System\rWoeDGb.exe
  2⤵
  PID:12524
- C:\Windows\System\yOCWMIr.exe
  C:\Windows\System\yOCWMIr.exe
  2⤵
  PID:12552
- C:\Windows\System\sMkthRc.exe
  C:\Windows\System\sMkthRc.exe
  2⤵
  PID:12592
- C:\Windows\System\myxWaJm.exe
  C:\Windows\System\myxWaJm.exe
  2⤵
  PID:12612
- C:\Windows\System\MiYstRN.exe
  C:\Windows\System\MiYstRN.exe
  2⤵
  PID:12640
- C:\Windows\System\yvwWQzi.exe
  C:\Windows\System\yvwWQzi.exe
  2⤵
  PID:12660
- C:\Windows\System\EPkopej.exe
  C:\Windows\System\EPkopej.exe
  2⤵
  PID:12692
- C:\Windows\System\pSOZkAY.exe
  C:\Windows\System\pSOZkAY.exe
  2⤵
  PID:12712
- C:\Windows\System\ikWYBqQ.exe
  C:\Windows\System\ikWYBqQ.exe
  2⤵
  PID:12736
- C:\Windows\System\CTadmme.exe
  C:\Windows\System\CTadmme.exe
  2⤵
  PID:12760
- C:\Windows\System\TujUdcM.exe
  C:\Windows\System\TujUdcM.exe
  2⤵
  PID:12804
- C:\Windows\System\RtwDnCd.exe
  C:\Windows\System\RtwDnCd.exe
  2⤵
  PID:12832
- C:\Windows\System\MCNueQQ.exe
  C:\Windows\System\MCNueQQ.exe
  2⤵
  PID:12860
- C:\Windows\System\NcrVpYN.exe
  C:\Windows\System\NcrVpYN.exe
  2⤵
  PID:12896
- C:\Windows\System\WIQOhzI.exe
  C:\Windows\System\WIQOhzI.exe
  2⤵
  PID:12928
- C:\Windows\System\reQxbMi.exe
  C:\Windows\System\reQxbMi.exe
  2⤵
  PID:12948
- C:\Windows\System\feKMhgm.exe
  C:\Windows\System\feKMhgm.exe
  2⤵
  PID:12984
- C:\Windows\System\mONMKMD.exe
  C:\Windows\System\mONMKMD.exe
  2⤵
  PID:13012
- C:\Windows\System\mMXRyTv.exe
  C:\Windows\System\mMXRyTv.exe
  2⤵
  PID:13040
- C:\Windows\System\tmfJYub.exe
  C:\Windows\System\tmfJYub.exe
  2⤵
  PID:13080
- C:\Windows\System\VxfwWtH.exe
  C:\Windows\System\VxfwWtH.exe
  2⤵
  PID:13100
- C:\Windows\System\GMOfSgb.exe
  C:\Windows\System\GMOfSgb.exe
  2⤵
  PID:13120
- C:\Windows\System\lbaHdup.exe
  C:\Windows\System\lbaHdup.exe
  2⤵
  PID:13152
- C:\Windows\System\lugEJdT.exe
  C:\Windows\System\lugEJdT.exe
  2⤵
  PID:13180
- C:\Windows\System\VFsxbhb.exe
  C:\Windows\System\VFsxbhb.exe
  2⤵
  PID:13208
- C:\Windows\System\DCqcsZA.exe
  C:\Windows\System\DCqcsZA.exe
  2⤵
  PID:13248
- C:\Windows\System\gRwLozs.exe
  C:\Windows\System\gRwLozs.exe
  2⤵
  PID:13268
- C:\Windows\System\vazfEOc.exe
  C:\Windows\System\vazfEOc.exe
  2⤵
  PID:13304
- C:\Windows\System\VNrOCuK.exe
  C:\Windows\System\VNrOCuK.exe
  2⤵
  PID:12240
- C:\Windows\System\eFjnCkc.exe
  C:\Windows\System\eFjnCkc.exe
  2⤵
  PID:12344
- C:\Windows\System\ODkniXS.exe
  C:\Windows\System\ODkniXS.exe
  2⤵
  PID:12328
- C:\Windows\System\XMJJBFj.exe
  C:\Windows\System\XMJJBFj.exe
  2⤵
  PID:12468
- C:\Windows\System\LLtCzdc.exe
  C:\Windows\System\LLtCzdc.exe
  2⤵
  PID:12548
- C:\Windows\System\IUBWEYP.exe
  C:\Windows\System\IUBWEYP.exe
  2⤵
  PID:12516
- C:\Windows\System\jazXSZm.exe
  C:\Windows\System\jazXSZm.exe
  2⤵
  PID:12636
- C:\Windows\System\ZwQZQAp.exe
  C:\Windows\System\ZwQZQAp.exe
  2⤵
  PID:12700
- C:\Windows\System\ciFDYLE.exe
  C:\Windows\System\ciFDYLE.exe
  2⤵
  PID:12688
- C:\Windows\System\IToObUT.exe
  C:\Windows\System\IToObUT.exe
  2⤵
  PID:12748
- C:\Windows\System\VKfsuqm.exe
  C:\Windows\System\VKfsuqm.exe
  2⤵
  PID:12848
- C:\Windows\System\KrcArnX.exe
  C:\Windows\System\KrcArnX.exe
  2⤵
  PID:12972
- C:\Windows\System\WJWHAtP.exe
  C:\Windows\System\WJWHAtP.exe
  2⤵
  PID:13064
- C:\Windows\System\Zvffmaa.exe
  C:\Windows\System\Zvffmaa.exe
  2⤵
  PID:13060
- C:\Windows\System\RfweLPE.exe
  C:\Windows\System\RfweLPE.exe
  2⤵
  PID:13148
- C:\Windows\System\RgtXkRh.exe
  C:\Windows\System\RgtXkRh.exe
  2⤵
  PID:13160
- C:\Windows\System\VlDRcDG.exe
  C:\Windows\System\VlDRcDG.exe
  2⤵
  PID:13236
- C:\Windows\System\tNgdNyH.exe
  C:\Windows\System\tNgdNyH.exe
  2⤵
  PID:11988
- C:\Windows\System\sPPOEue.exe
  C:\Windows\System\sPPOEue.exe
  2⤵
  PID:12380
- C:\Windows\System\QesNPst.exe
  C:\Windows\System\QesNPst.exe
  2⤵
  PID:12492
- C:\Windows\System\Rusifyo.exe
  C:\Windows\System\Rusifyo.exe
  2⤵
  PID:12792
- C:\Windows\System\eaOpTmI.exe
  C:\Windows\System\eaOpTmI.exe
  2⤵
  PID:12876
- C:\Windows\System\QfULIUT.exe
  C:\Windows\System\QfULIUT.exe
  2⤵
  PID:13028
- C:\Windows\System\VpDQjKl.exe
  C:\Windows\System\VpDQjKl.exe
  2⤵
  PID:11572
- C:\Windows\System\jkHQAup.exe
  C:\Windows\System\jkHQAup.exe
  2⤵
  PID:12608
- C:\Windows\System\JdzbbSZ.exe
  C:\Windows\System\JdzbbSZ.exe
  2⤵
  PID:13228
- C:\Windows\System\AvNxePc.exe
  C:\Windows\System\AvNxePc.exe
  2⤵
  PID:12440
- C:\Windows\System\BnNsejo.exe
  C:\Windows\System\BnNsejo.exe
  2⤵
  PID:13004
- C:\Windows\System\YxbmOfQ.exe
  C:\Windows\System\YxbmOfQ.exe
  2⤵
  PID:13324
- C:\Windows\System\qeplgGZ.exe
  C:\Windows\System\qeplgGZ.exe
  2⤵
  PID:13360
- C:\Windows\System\wNFLihf.exe
  C:\Windows\System\wNFLihf.exe
  2⤵
  PID:13380
- C:\Windows\System\gXNsvYU.exe
  C:\Windows\System\gXNsvYU.exe
  2⤵
  PID:13408
- C:\Windows\System\XBMTClH.exe
  C:\Windows\System\XBMTClH.exe
  2⤵
  PID:13436
- C:\Windows\System\qEQQyHN.exe
  C:\Windows\System\qEQQyHN.exe
  2⤵
  PID:13460
- C:\Windows\System\kYaajIN.exe
  C:\Windows\System\kYaajIN.exe
  2⤵
  PID:13492
- C:\Windows\System\NnlFAIZ.exe
  C:\Windows\System\NnlFAIZ.exe
  2⤵
  PID:13512
- C:\Windows\System\WCQysyl.exe
  C:\Windows\System\WCQysyl.exe
  2⤵
  PID:13540
- C:\Windows\System\UvVAnWO.exe
  C:\Windows\System\UvVAnWO.exe
  2⤵
  PID:13576
- C:\Windows\System\hOYiFvt.exe
  C:\Windows\System\hOYiFvt.exe
  2⤵
  PID:13600
- C:\Windows\System\VAlXJoK.exe
  C:\Windows\System\VAlXJoK.exe
  2⤵
  PID:13628
- C:\Windows\System\OCETgJs.exe
  C:\Windows\System\OCETgJs.exe
  2⤵
  PID:13652
- C:\Windows\System\pybwTou.exe
  C:\Windows\System\pybwTou.exe
  2⤵
  PID:13680
- C:\Windows\System\TQnqoNh.exe
  C:\Windows\System\TQnqoNh.exe
  2⤵
  PID:13704
- C:\Windows\System\uKuDUXY.exe
  C:\Windows\System\uKuDUXY.exe
  2⤵
  PID:13724
- C:\Windows\System\grXlylu.exe
  C:\Windows\System\grXlylu.exe
  2⤵
  PID:13752
- C:\Windows\System\RZaTgtW.exe
  C:\Windows\System\RZaTgtW.exe
  2⤵
  PID:13792
- C:\Windows\System\RjlGjKK.exe
  C:\Windows\System\RjlGjKK.exe
  2⤵
  PID:13820
- C:\Windows\System\NbMakdH.exe
  C:\Windows\System\NbMakdH.exe
  2⤵
  PID:13848
- C:\Windows\System\csPfZaN.exe
  C:\Windows\System\csPfZaN.exe
  2⤵
  PID:13884
- C:\Windows\System\ViabTAA.exe
  C:\Windows\System\ViabTAA.exe
  2⤵
  PID:13908
- C:\Windows\System\QzFOslh.exe
  C:\Windows\System\QzFOslh.exe
  2⤵
  PID:13944
- C:\Windows\System\bDoRQIV.exe
  C:\Windows\System\bDoRQIV.exe
  2⤵
  PID:13980
- C:\Windows\System\PbPbVFA.exe
  C:\Windows\System\PbPbVFA.exe
  2⤵
  PID:14004
- C:\Windows\System\ohxAEQR.exe
  C:\Windows\System\ohxAEQR.exe
  2⤵
  PID:14036
- C:\Windows\System\ilKUklC.exe
  C:\Windows\System\ilKUklC.exe
  2⤵
  PID:14060
- C:\Windows\System\MnIVNxS.exe
  C:\Windows\System\MnIVNxS.exe
  2⤵
  PID:14096
- C:\Windows\System\UksiWhn.exe
  C:\Windows\System\UksiWhn.exe
  2⤵
  PID:14120
- C:\Windows\System\kPJAAOq.exe
  C:\Windows\System\kPJAAOq.exe
  2⤵
  PID:14136
- C:\Windows\System\uQcApeF.exe
  C:\Windows\System\uQcApeF.exe
  2⤵
  PID:14160
- C:\Windows\System\AjXrSlQ.exe
  C:\Windows\System\AjXrSlQ.exe
  2⤵
  PID:14248
- C:\Windows\System\nhlhzAU.exe
  C:\Windows\System\nhlhzAU.exe
  2⤵
  PID:14276
- C:\Windows\System\kboWCXU.exe
  C:\Windows\System\kboWCXU.exe
  2⤵
  PID:14296
- C:\Windows\System\xiPIgtJ.exe
  C:\Windows\System\xiPIgtJ.exe
  2⤵
  PID:14320
- C:\Windows\System\fySXuch.exe
  C:\Windows\System\fySXuch.exe
  2⤵
  PID:13320
- C:\Windows\System\JOlEnDK.exe
  C:\Windows\System\JOlEnDK.exe
  2⤵
  PID:13392
- C:\Windows\System\TEvlvGL.exe
  C:\Windows\System\TEvlvGL.exe
  2⤵
  PID:13448
- C:\Windows\System\TENXUoU.exe
  C:\Windows\System\TENXUoU.exe
  2⤵
  PID:13564
- C:\Windows\System\lJyXmiu.exe
  C:\Windows\System\lJyXmiu.exe
  2⤵
  PID:13584
- C:\Windows\System\vnJXlxA.exe
  C:\Windows\System\vnJXlxA.exe
  2⤵
  PID:13672
- C:\Windows\System\tvkOzCr.exe
  C:\Windows\System\tvkOzCr.exe
  2⤵
  PID:13744
- C:\Windows\System\YQwuzcB.exe
  C:\Windows\System\YQwuzcB.exe
  2⤵
  PID:13780
- C:\Windows\System\mQgmlZo.exe
  C:\Windows\System\mQgmlZo.exe
  2⤵
  PID:13840
- C:\Windows\System\rfyuFRm.exe
  C:\Windows\System\rfyuFRm.exe
  2⤵
  PID:13896
- C:\Windows\System\IspYdMG.exe
  C:\Windows\System\IspYdMG.exe
  2⤵
  PID:13988
- C:\Windows\System\rBViaZI.exe
  C:\Windows\System\rBViaZI.exe
  2⤵
  PID:14068
- C:\Windows\System\yuAQvZM.exe
  C:\Windows\System\yuAQvZM.exe
  2⤵
  PID:14104
- C:\Windows\System\uzNEMyt.exe
  C:\Windows\System\uzNEMyt.exe
  2⤵
  PID:14168
- C:\Windows\System\VlVBxzd.exe
  C:\Windows\System\VlVBxzd.exe
  2⤵
  PID:60
- C:\Windows\System\sfBdgkO.exe
  C:\Windows\System\sfBdgkO.exe
  2⤵
  PID:14312
- C:\Windows\System\KBKMfNl.exe
  C:\Windows\System\KBKMfNl.exe
  2⤵
  PID:14332
- C:\Windows\System\MyozSpk.exe
  C:\Windows\System\MyozSpk.exe
  2⤵
  PID:13620
- C:\Windows\System\BvANUvs.exe
  C:\Windows\System\BvANUvs.exe
  2⤵
  PID:13676
- C:\Windows\System\XLaZauB.exe
  C:\Windows\System\XLaZauB.exe
  2⤵
  PID:13940
- C:\Windows\System\ltZhCyT.exe
  C:\Windows\System\ltZhCyT.exe
  2⤵
  PID:13816
- C:\Windows\System\RzZUFDc.exe
  C:\Windows\System\RzZUFDc.exe
  2⤵
  PID:468
- C:\Windows\System\oMhhtuP.exe
  C:\Windows\System\oMhhtuP.exe
  2⤵
  PID:3948
- C:\Windows\System\VMoFKeb.exe
  C:\Windows\System\VMoFKeb.exe
  2⤵
  PID:13768
- C:\Windows\System\SsjYoEE.exe
  C:\Windows\System\SsjYoEE.exe
  2⤵
  PID:14340
- C:\Windows\System\PQqlKbr.exe
  C:\Windows\System\PQqlKbr.exe
  2⤵
  PID:14364
- C:\Windows\System\tmohUjH.exe
  C:\Windows\System\tmohUjH.exe
  2⤵
  PID:14404
- C:\Windows\System\FOuPKzA.exe
  C:\Windows\System\FOuPKzA.exe
  2⤵
  PID:14432
- C:\Windows\System\wyzYjWm.exe
  C:\Windows\System\wyzYjWm.exe
  2⤵
  PID:14460
- C:\Windows\System\UzOedVF.exe
  C:\Windows\System\UzOedVF.exe
  2⤵
  PID:14484
- C:\Windows\System\UAJmgeM.exe
  C:\Windows\System\UAJmgeM.exe
  2⤵
  PID:14504
- C:\Windows\System\LIWJpGj.exe
  C:\Windows\System\LIWJpGj.exe
  2⤵
  PID:14532
- C:\Windows\System\TjBvqrW.exe
  C:\Windows\System\TjBvqrW.exe
  2⤵
  PID:14560
- C:\Windows\System\nYuCHSn.exe
  C:\Windows\System\nYuCHSn.exe
  2⤵
  PID:14584
- C:\Windows\System\LGQMNiC.exe
  C:\Windows\System\LGQMNiC.exe
  2⤵
  PID:14616
- C:\Windows\System\LNpyLqD.exe
  C:\Windows\System\LNpyLqD.exe
  2⤵
  PID:14640
- C:\Windows\System\YVwTPWb.exe
  C:\Windows\System\YVwTPWb.exe
  2⤵
  PID:14656
- C:\Windows\System\hdouLCP.exe
  C:\Windows\System\hdouLCP.exe
  2⤵
  PID:14684
- C:\Windows\System\AtPgOTz.exe
  C:\Windows\System\AtPgOTz.exe
  2⤵
  PID:14720
- C:\Windows\System\uACgmPd.exe
  C:\Windows\System\uACgmPd.exe
  2⤵
  PID:14752
- C:\Windows\System\pYvEdAK.exe
  C:\Windows\System\pYvEdAK.exe
  2⤵
  PID:14784
- C:\Windows\System\mkbYAJJ.exe
  C:\Windows\System\mkbYAJJ.exe
  2⤵
  PID:14808
- C:\Windows\System\rRzjpQB.exe
  C:\Windows\System\rRzjpQB.exe
  2⤵
  PID:14840
- C:\Windows\System\IxROccg.exe
  C:\Windows\System\IxROccg.exe
  2⤵
  PID:14876
- C:\Windows\System\VYVRQxh.exe
  C:\Windows\System\VYVRQxh.exe
  2⤵
  PID:14896
- C:\Windows\System\yfwnteo.exe
  C:\Windows\System\yfwnteo.exe
  2⤵
  PID:14924
- C:\Windows\System\GIBYpTb.exe
  C:\Windows\System\GIBYpTb.exe
  2⤵
  PID:14956
- C:\Windows\System\EMzpyvM.exe
  C:\Windows\System\EMzpyvM.exe
  2⤵
  PID:15180

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AUNQfiS.exe

Filesize
2.2MB

MD5
7da867d01df5be7530daf461b0b2f48a

SHA1
c5f45218c66b9f797b8410a5fcd5b97b420f1b36

SHA256
54c03442828a443f9094a15bbb27e04fc15ba4d576fad58aa4e05671e02d4b5f

SHA512
72ada458b164839e86d40ba29a7d560754c48c6cebbf2666b7055772cda45a1400300b0f0839c834340c0bfee525d0fd6e3e89cf1388e018b956b19ff1470072

Download Submit
C:\Windows\System\AXwVSTR.exe

Filesize
2.2MB

MD5
0b55bd846909cd6a38878d264785a689

SHA1
2e44bb7d6470f6a21a140f618a5cd96bbc852a6b

SHA256
7f900d1d026e1935f64cb6510ef0c5eb3c5cde49d13a53bcabb365ee885304e2

SHA512
b0940c79b07fa9fb8eddc232715600470a3aeca26257adbe209156014c1f831cb3d011acb71898fe34939a4258c39350ca790d6ef703d454313a5519aeb3ea6b

Download Submit
C:\Windows\System\BcJqiql.exe

Filesize
2.2MB

MD5
3cc9775bae743f6e2c756409e03ad47f

SHA1
5ee97f7d7975afce57c83dea4493cb710b450144

SHA256
0145a4b416d5162eb744d01f01b2f2d3b3edeb0fd713861beeda67faafa8a237

SHA512
b4c5f2195ffe927c604a86900b213cf8c3d28f39160828b48996c904203217c1622225ef2c6f495a510a8cc68fe267cd2074272d5d170c5e7eccdf350c28fc38

Download Submit
C:\Windows\System\EDidAwL.exe

Filesize
2.2MB

MD5
03efb6d4889ebe718c037e6c0e635a9f

SHA1
d19c1fb6c8a0f7e479fe2b45b984eb85771d9aea

SHA256
19e9e451a18398f4222c9aab514fe54331548fc5f10ce81f2d08f7d36f85cfaf

SHA512
0ac38c75209bbf57ee96cc59e83b1467b458c6c1069c5ad010ffbd3fb51e6d73a3aba6680ed8f8bf8df1e6950f56f10edf4eabfb9059fba78360ae83ceef6d3f

Download Submit
C:\Windows\System\EHLyqBN.exe

Filesize
2.2MB

MD5
344bd36d0d4d8b861799203cba1eeb58

SHA1
f652a811e9726f9793eb05b9ff3167b59da66c1f

SHA256
9a3b54b9aa70e7dd49d1630c5165d6ec6f621faeda121ed8bbf9e99e6b3dee9d

SHA512
5d43a61e69d2523d1c9710be2736b6f41931f17e80bc6b5d2e8656f06c089bda1a0caaddfa5acdd1d2b9b2a1af87107ce5c3d44f06d979a6df3445c84688652f

Download Submit
C:\Windows\System\HCVgvma.exe

Filesize
2.2MB

MD5
613902cf91531ca7d0fb76f6941e3826

SHA1
bc428a81700fe32db19787564c8236a5948594df

SHA256
b22ffd8988f30cdf90032eac36d42da5dd6fd94cde37abee91fcaa91776b87d2

SHA512
e7f7d9b4f4c1f7e465e479b216217eec951def548ff1c09af64123beb761b357554cf7c23d8d46ce64d78508fc43b2e42b312d3768b7baa45c3c321cbf55420e

Download Submit
C:\Windows\System\HMHetJj.exe

Filesize
2.2MB

MD5
6cbeb1043074c6de9c587b13ec07bcaf

SHA1
cbad9087049acf518e22a179d5f42778d0a4c49f

SHA256
51094e64c19b09cc864503440ba3be548e0a0d70034fc73e53929fc765883949

SHA512
9150203fcf3aa4b5cc0e580b028a78bce585930ce544a4fba79c4801308c97fdc1693a41f97817c43867a0ebcabc1270f6d8f5fc9937924bfe3984a8d8f26495

Download Submit
C:\Windows\System\LoUsbcq.exe

Filesize
2.2MB

MD5
ec1423946d2e71e96f5541558b552c35

SHA1
d4c925f602dd09582e8c49e5afdd470e2ac49cb1

SHA256
c11b82c00741bce58df272fccbd539d02fb8d0e314880c8f6f81f215e086f300

SHA512
af7e8ec21423c1836460937997380a347951aaa0b051599d84f0030dfb4a2083d3bb43730acc3dcbb0f3a232b13e816b0d399761b2ca854aa49be308b475b829

Download Submit
C:\Windows\System\NPqdJsj.exe

Filesize
2.2MB

MD5
2ca0acdc9974862f5813da9771a58fae

SHA1
441da5ae8013aba19ae38a906a1cc685c2ce0ce1

SHA256
bf6cbf6736c56490da9635639a6d218c48dfd2db1113d1cf98534e4384ce662b

SHA512
bc7c53b3110e0ad2e005c57febeccb86d330adc97a886f52e5d7d36fd828d5264f6b189e9c7f5b15183a1e077f487f90567b9d02651df8c6e631cc7d574d3852

Download Submit
C:\Windows\System\OGaQSZy.exe

Filesize
2.2MB

MD5
653565643fe01a4c7e7feae6b33acd01

SHA1
d40630707508563b69b763c3f70e1e5f7a16d571

SHA256
081a7488209dd21a9e2d8a9099996e110265985fdde5234b1c2c389baca0c307

SHA512
86f8a5b80bf442e2a7b24796907c4ba0b54dadbc8ffc6ee4d1cad1ce5a9a4c574893d3184d3ed376f74cd137b6f07090689a9684c48874f0a9173b1c780113b0

Download Submit
C:\Windows\System\OqiwRpq.exe

Filesize
2.2MB

MD5
9e4a2a6422ad5923cc944b48c6d2389b

SHA1
10c6bc6a7f8cc92df786b83a03cda8d61c85c302

SHA256
e6abc811b9f2190ca2a044b03d29d4b6e987e6afd7bdd0a7abbc244b6c0a981d

SHA512
7c5b4f64c6ff41391667cd91346d3a8d4597c6738146ee8993112b65929667d34598753e239d1d8974e32e0d1025c888243498752ffce18de71b8eb47451bc54

Download Submit
C:\Windows\System\RVtfsuj.exe

Filesize
2.2MB

MD5
d89b5e71dfca9b7cb5fc9d7f27360f4d

SHA1
09b6a358b8fefb2df04209f06c26ff0423cf78b9

SHA256
118f1f7aa4f3d0fd11230d9bdb1351f52282ec9e2a0272cf75c28d846c1a6ca8

SHA512
f34ea2ab8dcb44df7bf7b0d20aaa23825c15424afd358d63feefd8e8d43a8d968486579a140097f72f0dd02048be245444c77281c69a3341049a2d145e90b571

Download Submit
C:\Windows\System\RwaEwLn.exe

Filesize
2.2MB

MD5
ebee61150ae334ffb0a385cc3a14b64b

SHA1
dd5ca7bdeee3aed1735cbbdbab1e0c8e1963d45c

SHA256
4fa73678ec355d34d05d8e94d76c1678aed1bd783f408252c988a2e1a8c6b112

SHA512
2dd939fd4974a868764229027e3d50d4abc682c53b9f9adc8559351fb1ed3dd7bf8328480b0b810b0dacaa4858d53c1fb4a1c03f87e2e2ff721dd8d5c3589b4a

Download Submit
C:\Windows\System\SfMczif.exe

Filesize
2.2MB

MD5
6417b9132185556760ad3e60afcf4584

SHA1
e94e1ed51337d25b1ea48e7a5c51ab442687ed2f

SHA256
91fe94790a169492ebd32ccafa96b10bb04a3a5f46fe421331ec44f02d1f35bf

SHA512
7e8e73c48b95ab487ae2a1f416d034be8591eaab8680d2c18a435177ef4bfca50db6456f904c1c6d9cd58965347a8420df7e1aa3cbdb0c7dd08de2becad66a68

Download Submit
C:\Windows\System\VbUOAEL.exe

Filesize
2.2MB

MD5
ba0189c93e4c0b6af0407a02fb6a5239

SHA1
a8eb6576b1bb259a0267f774b1f9023a474bac65

SHA256
ef88a8738441969c2e4f5b48d778f00eeba8e1daf6d1afe84ece7e62e26357c4

SHA512
405748a617e826c0beacb9b1e11bfc7c3d67807cea9f6bcdd6c71bfb480f0f77780fc18461cd54ce9ac0536e987127066d455f3741da8c76f15c472520a1a662

Download Submit
C:\Windows\System\Xyusgsc.exe

Filesize
2.2MB

MD5
e9b54fef6f0f9a4e5db6ffd37716b635

SHA1
d1838ea82d578dad56e74518c7b4f65d77ef1f78

SHA256
f2756534f6fa0426b3540a543054377ac3fbd7ec5cc3b432425cc5b1791962ee

SHA512
4492d8e287ae7a0831e45e4b2337eca7ad043143bd03f3e2203129317aa7b99ff0dd5ec02e93dc91784ed23561b4c828959ef75822fe10825e49c70dcee82460

Download Submit
C:\Windows\System\YPyWiak.exe

Filesize
2.2MB

MD5
9dc424dfb2d80139ab271775f22189d5

SHA1
f3b50a094f053f6067d7a669e533e18a17750903

SHA256
1c24c381272468802a81a994da113251155a6938ce9bb45c65e470c42937b6c3

SHA512
8e7001b56a4ac3d82ea9e1824acfbaeedc4e1a42410955ff5dfd21b24e35db7130538faec4f26025ff72cfb025ea1339ef7106b1897d125d58d09a7ce5678931

Download Submit
C:\Windows\System\awjphZn.exe

Filesize
2.2MB

MD5
5c3e7046fba8f25ca0c6e055318d4223

SHA1
2fcbf07a5c447dbedb4af2cac162d34ae74c3702

SHA256
075fcfc5b9e0076332ce47364f9828a9e9061eb91fee753a8e8ec90f5d3a92f4

SHA512
3203205ccd9a43697f1e6a9805d9c1002fe144d0ffa99a838f429b90a0de2ba81cc07ba5a674e6be25b04932d22d7b67eb7427b8924e35905cef8224a1355a85

Download Submit
C:\Windows\System\gbZiYky.exe

Filesize
2.2MB

MD5
979a4d8f78b2b62c7bb2eabb3747d468

SHA1
93308e8f96c29f4fab87de59664267bf66c975bf

SHA256
648ef1ce8de40eff76d3ccf248f71a6ed9556fb8931d6a5d2150be3c7d454e84

SHA512
a2cfbef9347410b667aa7b26d54f671436c389619802b55e628289dbe10d1ce706932288cc03a612f714798d60f920af4ced0a88df59c751706b90ceb05d17f0

Download Submit
C:\Windows\System\jQJTyjG.exe

Filesize
2.2MB

MD5
dd32f6500b8d80ffa4a033aa314ce24f

SHA1
f398989a3bf6712816d17ed45ada9934e3fca2e2

SHA256
5c49f6ef33dbb1e7a903dedab56f8f873e3c52a13e2a4c2a3c8a98d3068c240a

SHA512
e2183d0692bf77b9d724e2db6fb5eee86c5529d5f54601438c80698ae18929247be53c75017ba6debaf238276fef66b300dadb8f35dbb89e11970eebd548dfb5

Download Submit
C:\Windows\System\jfnANGC.exe

Filesize
2.2MB

MD5
a8e4ed62fe1ce1e3c575e191df7b33c6

SHA1
5f29ee82fa84b654e325ae83e81d99e497d2a37f

SHA256
37358aa6df67604e71433f0a36f19ec70193f2fcbf22d52297955c2e27cc2ab8

SHA512
fd22074e9de76a9939e31745f240c1e6b859ffe5c644d03ed34ffdfc395fc04739fc0212f8e9a84cab6a887b941b2b54ce7cd6a5bf160d255c91102889ef91fc

Download Submit
C:\Windows\System\kmpWflh.exe

Filesize
2.2MB

MD5
a7d653d3dbed68aabd5cfb0ab97db90e

SHA1
552390cb50b22c7545ac65bf20d69f1a57bca20c

SHA256
9f7b1687bd575d3ee2b8b26c6613457746913a1e580f0921bab5f7bbcc04c2d9

SHA512
9fd55743591089d179993cce2c725a67fb99705eb8ff001889e7890c449d1f4297d35a125369023eac77805b0aa1df413cb63e989c42ad7d973bd0832d576939

Download Submit
C:\Windows\System\kqkwYik.exe

Filesize
2.2MB

MD5
96ded028df3879d835770ba7976ca53b

SHA1
e64ed37017511c48a81a4e67f7c006642d6e19cf

SHA256
7ba8d2c74de70505f7aa8041e27e3694b2540e6e4b7c68fc01143c0c92cc990a

SHA512
ec5dfc385f18f5633b0b1437e74f01529e179f2998fd19bd10f57d2c86255a4bf1bda09865d36eab393998536aeb9bbb81a50f64c8703f1b5cd81d4d6afe5d4f

Download Submit
C:\Windows\System\ktxYVnd.exe

Filesize
2.2MB

MD5
7fae53485c1a8ba39223949f75a966b7

SHA1
5e04a50e9eb83c9792e7ba402d4c45b58e4619a4

SHA256
72b0a3f63acd4218c77048346a5613e46efc5b096373a029f9f41ba0a3dc2dc6

SHA512
61f880b2431c4c327bac6bd75f756c1bbb0a001eccfb0cccd29566c2d11a7f67a073c86b08f74d148376fd62d0b64b59cab174c70d9adcfaae7347c55ea1ed03

Download Submit
C:\Windows\System\mIbHnlC.exe

Filesize
2.2MB

MD5
014b287181452b13970baa49eeef7bc5

SHA1
1a8cd7e91a69dab907dd22f3bcc6d5716be6ddfb

SHA256
4917a0f8a171047c376ead8432dfe295dadb6e9e53d9a68b55cf8f7f4ca419fb

SHA512
3b3f2f66d8adfee858d3b4694fe669bfed15a4718e7d445ccdce1904f88980d6f72c5852d0d17cb243de19344346355fddce2865bd7a775fccc4da3c0e3cfef9

Download Submit
C:\Windows\System\nJpzydt.exe

Filesize
2.2MB

MD5
c6818c2f2bedfd1cac11ce581a30dc14

SHA1
e92edc48b69b44d42d41181e4a3c7d6f4ef05b04

SHA256
527245b698aa4f3d1ecd2df2954f5d74a8170c9eda799e93b9da2b2094ef64db

SHA512
af44d90f3ff3368e3baaace5a5b744604b0d5dd175cfe47833e3fab5ca71907efedfeea972c60c2aec57158274bfb9ce5d2a67bc28292cd3ab5e321b3b4682db

Download Submit
C:\Windows\System\nZKwxeY.exe

Filesize
2.2MB

MD5
ab4dcbe91bddaa82ce815af2c8651a49

SHA1
7a14457b1bd1c4e065cd34e8f739a4d35eafe160

SHA256
16932c1560d367de901841cd8e21c2851ed885d4bcf1999c547f83100920adbd

SHA512
41c9cb4def3729c4360c0a7e8cce59807074d90a9bb6b975ea6a3b038477c4abdc36b300fd575d7409b76e31252aced3097d2bda4226937a68746cbe86b2653d

Download Submit
C:\Windows\System\pDbikWN.exe

Filesize
2.2MB

MD5
6feb5a0dd897463daa81362aa06c5c3d

SHA1
86f2639ca9eec6adfd21ecca207a454885d9abbd

SHA256
d1f8102236a2813011309b8931b024a03900c85a43517b6d82383671456eaa76

SHA512
c598171a3cf312131a04ca3b38d06971a5fdde206ba6c6448b15a3e422807dd9cb58ba608b5cff2c8f1b350df2449f3b16f869d58bdbc9fa7d9203982e8dbf9a

Download Submit
C:\Windows\System\rCNPpmp.exe

Filesize
2.2MB

MD5
ba7adfcee1bf0ddb04d72f88453aaabe

SHA1
e53a4ad11a31c87e1ada24e40f08d77625ac1127

SHA256
9688d1e32f0dac4ce2382c67d171a01a72f9a8f4bfe0554c93fa9fc5fb0193b2

SHA512
cca909587a656ee788982bf211a7c98ffa25c90620abea7549f68d4922e3b8537d31e24c5f1337be67be3924a90e8ceb0376e51549d742a6e6a99ba99e33729c

Download Submit
C:\Windows\System\rkQbrjO.exe

Filesize
2.2MB

MD5
1999c5d8ba54cab3f3f239f303e6d6b6

SHA1
f532166e6d2271e28108b8cea8541a0d4f699867

SHA256
302d9b3fc2a530f47acea138b14655ea657a3b06493d4312000c0cd092569a60

SHA512
c9318e82eea5df25dc6bd3b8073bdf13056232cf020eb49e0b24f0a97c4728e0a9e26e80100abd6483cd1c150b33e17d5bedcdc5d82f5ec3dc2f809a13bb6b52

Download Submit
C:\Windows\System\yEHiDRR.exe

Filesize
2.2MB

MD5
702d293daed04070490e65a11f17f781

SHA1
bf0cf4b7ccf3ccd7d709fa3ca2421a4a7acca255

SHA256
67c2f4462c9a4bc3541b1c6c4405ed84d15221c369cd3152a3734d628f6148f5

SHA512
a2dd84f43877062a16585ec5168227118cd4b493f7695d7d38a824c1931d0163614a14f4bd5ba6c1e730343672a3ed84b71ddd9d3e1ea2bceed3b21cd5b0fc9e

Download Submit
C:\Windows\System\ybCTdpc.exe

Filesize
2.2MB

MD5
e7f556102382c2f2247abea6898bd4f8

SHA1
6c777838d2976d2bbd552dbda51bd17404fb5f06

SHA256
239548cb43f396bb9191fc94406d657c31e0f146f647e04c9c50c19d60645fec

SHA512
6f198e230a7cd4bace6e2ab1f20d5637673953272b9177b7776cb13a39224398e2f139bacf4adec90796a3a77c27672608aee204b0ae06a055e7225c905b1a6d

Download Submit
C:\Windows\System\yzadbSG.exe

Filesize
2.2MB

MD5
5175d880c4e9db266f44c505b9bece35

SHA1
8128367c32430556a4a11d3959c3ebe27ea3fba9

SHA256
f82139dda7ad67e830aeb06e807605535c66a4ae54d009d92439428577d482a8

SHA512
405e70d336d41d2b292e1dec49d858ade1101c6e910860a972b6d05ce0b6c11442fd91f075d619b8a137c2fcd91843b307b9163f8ae082d000df9a96423eb513

Download Submit
C:\Windows\System\zZwhEjf.exe

Filesize
2.2MB

MD5
04856617af2a77b6d44f4289c070c449

SHA1
62a2f989b568aa9e0a490d1497d4fddf33d01ed8

SHA256
712ba0385ef123db110e5621c6deaa78fb3b48bba91b255cc7b1778ffa9e0ce5

SHA512
470a870ab86bc32599437888dd5819a7661445efb4818d0e98594c82db9ad78d2b6aa7ce815432b1e6e2956b7e6b06e8f75da8238785882fea6ef24b8a4ba33c

Download Submit
memory/452-192-0x00007FF6515B0000-0x00007FF651904000-memory.dmp

Filesize
3.3MB

Download
memory/452-2365-0x00007FF6515B0000-0x00007FF651904000-memory.dmp

Filesize
3.3MB

Download
memory/564-112-0x00007FF7DAAF0000-0x00007FF7DAE44000-memory.dmp

Filesize
3.3MB

Download
memory/564-1149-0x00007FF7DAAF0000-0x00007FF7DAE44000-memory.dmp

Filesize
3.3MB

Download
memory/564-2373-0x00007FF7DAAF0000-0x00007FF7DAE44000-memory.dmp

Filesize
3.3MB

Download
memory/748-1136-0x00007FF7D8E10000-0x00007FF7D9164000-memory.dmp

Filesize
3.3MB

Download
memory/748-62-0x00007FF7D8E10000-0x00007FF7D9164000-memory.dmp

Filesize
3.3MB

Download
memory/748-2366-0x00007FF7D8E10000-0x00007FF7D9164000-memory.dmp

Filesize
3.3MB

Download
memory/780-2364-0x00007FF782140000-0x00007FF782494000-memory.dmp

Filesize
3.3MB

Download
memory/780-193-0x00007FF782140000-0x00007FF782494000-memory.dmp

Filesize
3.3MB

Download
memory/892-195-0x00007FF7CB310000-0x00007FF7CB664000-memory.dmp

Filesize
3.3MB

Download
memory/892-2375-0x00007FF7CB310000-0x00007FF7CB664000-memory.dmp

Filesize
3.3MB

Download
memory/1056-186-0x00007FF767E20000-0x00007FF768174000-memory.dmp

Filesize
3.3MB

Download
memory/1056-2382-0x00007FF767E20000-0x00007FF768174000-memory.dmp

Filesize
3.3MB

Download
memory/1176-189-0x00007FF735A40000-0x00007FF735D94000-memory.dmp

Filesize
3.3MB

Download
memory/1176-2387-0x00007FF735A40000-0x00007FF735D94000-memory.dmp

Filesize
3.3MB

Download
memory/1268-2376-0x00007FF697EF0000-0x00007FF698244000-memory.dmp

Filesize
3.3MB

Download
memory/1268-185-0x00007FF697EF0000-0x00007FF698244000-memory.dmp

Filesize
3.3MB

Download
memory/1332-2369-0x00007FF6699F0000-0x00007FF669D44000-memory.dmp

Filesize
3.3MB

Download
memory/1332-133-0x00007FF6699F0000-0x00007FF669D44000-memory.dmp

Filesize
3.3MB

Download
memory/1520-989-0x00007FF7CB9B0000-0x00007FF7CBD04000-memory.dmp

Filesize
3.3MB

Download
memory/1520-1-0x0000023B4E0B0000-0x0000023B4E0C0000-memory.dmp

Filesize
64KB

Download
memory/1520-0-0x00007FF7CB9B0000-0x00007FF7CBD04000-memory.dmp

Filesize
3.3MB

Download
memory/1712-2363-0x00007FF740880000-0x00007FF740BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1712-1125-0x00007FF740880000-0x00007FF740BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1712-41-0x00007FF740880000-0x00007FF740BD4000-memory.dmp

Filesize
3.3MB

Download
memory/1960-196-0x00007FF7B6E70000-0x00007FF7B71C4000-memory.dmp

Filesize
3.3MB

Download
memory/1960-2372-0x00007FF7B6E70000-0x00007FF7B71C4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-2374-0x00007FF6A4780000-0x00007FF6A4AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2188-151-0x00007FF6A4780000-0x00007FF6A4AD4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-180-0x00007FF6D39B0000-0x00007FF6D3D04000-memory.dmp

Filesize
3.3MB

Download
memory/2440-2378-0x00007FF6D39B0000-0x00007FF6D3D04000-memory.dmp

Filesize
3.3MB

Download
memory/2444-184-0x00007FF68FFF0000-0x00007FF690344000-memory.dmp

Filesize
3.3MB

Download
memory/2444-2385-0x00007FF68FFF0000-0x00007FF690344000-memory.dmp

Filesize
3.3MB

Download
memory/2608-188-0x00007FF64D2E0000-0x00007FF64D634000-memory.dmp

Filesize
3.3MB

Download
memory/2608-2386-0x00007FF64D2E0000-0x00007FF64D634000-memory.dmp

Filesize
3.3MB

Download
memory/2628-2368-0x00007FF799230000-0x00007FF799584000-memory.dmp

Filesize
3.3MB

Download
memory/2628-132-0x00007FF799230000-0x00007FF799584000-memory.dmp

Filesize
3.3MB

Download
memory/2980-197-0x00007FF6A5720000-0x00007FF6A5A74000-memory.dmp

Filesize
3.3MB

Download
memory/2980-2380-0x00007FF6A5720000-0x00007FF6A5A74000-memory.dmp

Filesize
3.3MB

Download
memory/3024-194-0x00007FF67D0B0000-0x00007FF67D404000-memory.dmp

Filesize
3.3MB

Download
memory/3024-2367-0x00007FF67D0B0000-0x00007FF67D404000-memory.dmp

Filesize
3.3MB

Download
memory/3172-2383-0x00007FF7B96A0000-0x00007FF7B99F4000-memory.dmp

Filesize
3.3MB

Download
memory/3172-182-0x00007FF7B96A0000-0x00007FF7B99F4000-memory.dmp

Filesize
3.3MB

Download
memory/3412-2377-0x00007FF700350000-0x00007FF7006A4000-memory.dmp

Filesize
3.3MB

Download
memory/3412-176-0x00007FF700350000-0x00007FF7006A4000-memory.dmp

Filesize
3.3MB

Download
memory/3608-85-0x00007FF793140000-0x00007FF793494000-memory.dmp

Filesize
3.3MB

Download
memory/3608-2371-0x00007FF793140000-0x00007FF793494000-memory.dmp

Filesize
3.3MB

Download
memory/3608-1147-0x00007FF793140000-0x00007FF793494000-memory.dmp

Filesize
3.3MB

Download
memory/4148-2362-0x00007FF6963A0000-0x00007FF6966F4000-memory.dmp

Filesize
3.3MB

Download
memory/4148-1122-0x00007FF6963A0000-0x00007FF6966F4000-memory.dmp

Filesize
3.3MB

Download
memory/4148-23-0x00007FF6963A0000-0x00007FF6966F4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-181-0x00007FF737010000-0x00007FF737364000-memory.dmp

Filesize
3.3MB

Download
memory/4156-2370-0x00007FF737010000-0x00007FF737364000-memory.dmp

Filesize
3.3MB

Download
memory/4220-187-0x00007FF752BF0000-0x00007FF752F44000-memory.dmp

Filesize
3.3MB

Download
memory/4220-2384-0x00007FF752BF0000-0x00007FF752F44000-memory.dmp

Filesize
3.3MB

Download
memory/4524-1112-0x00007FF65B3E0000-0x00007FF65B734000-memory.dmp

Filesize
3.3MB

Download
memory/4524-2361-0x00007FF65B3E0000-0x00007FF65B734000-memory.dmp

Filesize
3.3MB

Download
memory/4524-11-0x00007FF65B3E0000-0x00007FF65B734000-memory.dmp

Filesize
3.3MB

Download
memory/4612-2388-0x00007FF7DD380000-0x00007FF7DD6D4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-190-0x00007FF7DD380000-0x00007FF7DD6D4000-memory.dmp

Filesize
3.3MB

Download
memory/4964-1271-0x00007FF677D50000-0x00007FF6780A4000-memory.dmp

Filesize
3.3MB

Download
memory/4964-2381-0x00007FF677D50000-0x00007FF6780A4000-memory.dmp

Filesize
3.3MB

Download
memory/4964-172-0x00007FF677D50000-0x00007FF6780A4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-191-0x00007FF74CA60000-0x00007FF74CDB4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-2389-0x00007FF74CA60000-0x00007FF74CDB4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-183-0x00007FF7AED90000-0x00007FF7AF0E4000-memory.dmp

Filesize
3.3MB

Download
memory/5036-2379-0x00007FF7AED90000-0x00007FF7AF0E4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads