xmrig | bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4

Analysis

max time kernel
60s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
Size

1.8MB
MD5

f1c3a0f6b5d39ca61fc220d0c73cb50e
SHA1

fbabcbcf8ba86104b1a0ffe8821f4e0a684ba776
SHA256

bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4
SHA512

bfc3094e61592335f19a3f0b056177868cf046458af1714bcaaeac0d93d0968eddc1c64e3b43ba6a4acf5c5616b0235adf9db658e0a89ab1d4bd5185aa2cda43
SSDEEP

49152:oezaTF8FcNkNdfE0pZ9ozt4wIXIqndvMJtCgpKr:oemTLkNdfE0pZrT

Score

10^/10

xmrig miner persistence privilege_escalation upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3924-0-0x00007FF62A730000-0x00007FF62AA84000-memory.dmp	xmrig
behavioral2/files/0x000b000000023b7a-4.dat	xmrig
behavioral2/memory/5112-7-0x00007FF6A9910000-0x00007FF6A9C64000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b7f-10.dat	xmrig
behavioral2/files/0x000a000000023b7e-14.dat	xmrig
behavioral2/files/0x000a000000023b81-26.dat	xmrig
behavioral2/files/0x000a000000023b82-34.dat	xmrig
behavioral2/files/0x000a000000023b85-50.dat	xmrig
behavioral2/files/0x000a000000023b89-66.dat	xmrig
behavioral2/files/0x000a000000023b92-109.dat	xmrig
behavioral2/files/0x000a000000023b94-127.dat	xmrig
behavioral2/files/0x000a000000023b99-144.dat	xmrig
behavioral2/files/0x000a000000023b9b-162.dat	xmrig
behavioral2/memory/3340-648-0x00007FF66BED0000-0x00007FF66C224000-memory.dmp	xmrig
behavioral2/memory/3212-649-0x00007FF6C2E20000-0x00007FF6C3174000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b9d-164.dat	xmrig
behavioral2/files/0x000a000000023b9c-159.dat	xmrig
behavioral2/files/0x000a000000023b9a-157.dat	xmrig
behavioral2/files/0x000a000000023b98-147.dat	xmrig
behavioral2/files/0x000a000000023b97-142.dat	xmrig
behavioral2/files/0x000a000000023b96-137.dat	xmrig
behavioral2/memory/740-650-0x00007FF7321C0000-0x00007FF732514000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b95-132.dat	xmrig
behavioral2/files/0x000a000000023b93-122.dat	xmrig
behavioral2/files/0x000a000000023b91-112.dat	xmrig
behavioral2/files/0x000a000000023b90-107.dat	xmrig
behavioral2/files/0x000a000000023b8f-102.dat	xmrig
behavioral2/files/0x000a000000023b8e-97.dat	xmrig
behavioral2/files/0x000a000000023b8d-92.dat	xmrig
behavioral2/files/0x000a000000023b8c-87.dat	xmrig
behavioral2/files/0x000a000000023b8b-79.dat	xmrig
behavioral2/files/0x000a000000023b8a-74.dat	xmrig
behavioral2/memory/1868-659-0x00007FF679C10000-0x00007FF679F64000-memory.dmp	xmrig
behavioral2/memory/1968-665-0x00007FF69EBE0000-0x00007FF69EF34000-memory.dmp	xmrig
behavioral2/memory/1536-672-0x00007FF755320000-0x00007FF755674000-memory.dmp	xmrig
behavioral2/memory/3828-701-0x00007FF78FB10000-0x00007FF78FE64000-memory.dmp	xmrig
behavioral2/memory/3776-752-0x00007FF7E83A0000-0x00007FF7E86F4000-memory.dmp	xmrig
behavioral2/memory/2108-772-0x00007FF6DF070000-0x00007FF6DF3C4000-memory.dmp	xmrig
behavioral2/memory/3968-779-0x00007FF6D3820000-0x00007FF6D3B74000-memory.dmp	xmrig
behavioral2/memory/4388-783-0x00007FF6374B0000-0x00007FF637804000-memory.dmp	xmrig
behavioral2/memory/3004-784-0x00007FF6169D0000-0x00007FF616D24000-memory.dmp	xmrig
behavioral2/memory/1116-782-0x00007FF7407B0000-0x00007FF740B04000-memory.dmp	xmrig
behavioral2/memory/2736-778-0x00007FF7D5450000-0x00007FF7D57A4000-memory.dmp	xmrig
behavioral2/memory/2088-767-0x00007FF763000000-0x00007FF763354000-memory.dmp	xmrig
behavioral2/memory/4612-764-0x00007FF78B0A0000-0x00007FF78B3F4000-memory.dmp	xmrig
behavioral2/memory/720-751-0x00007FF7DB4E0000-0x00007FF7DB834000-memory.dmp	xmrig
behavioral2/memory/532-745-0x00007FF68A110000-0x00007FF68A464000-memory.dmp	xmrig
behavioral2/memory/1528-740-0x00007FF7637A0000-0x00007FF763AF4000-memory.dmp	xmrig
behavioral2/memory/2632-732-0x00007FF622330000-0x00007FF622684000-memory.dmp	xmrig
behavioral2/memory/4888-729-0x00007FF7DE230000-0x00007FF7DE584000-memory.dmp	xmrig
behavioral2/memory/2264-724-0x00007FF6C2B90000-0x00007FF6C2EE4000-memory.dmp	xmrig
behavioral2/memory/5016-717-0x00007FF6FC150000-0x00007FF6FC4A4000-memory.dmp	xmrig
behavioral2/memory/3876-713-0x00007FF733F10000-0x00007FF734264000-memory.dmp	xmrig
behavioral2/memory/1200-712-0x00007FF78D770000-0x00007FF78DAC4000-memory.dmp	xmrig
behavioral2/memory/2440-693-0x00007FF726010000-0x00007FF726364000-memory.dmp	xmrig
behavioral2/memory/2616-686-0x00007FF784D40000-0x00007FF785094000-memory.dmp	xmrig
behavioral2/memory/1248-671-0x00007FF6DA8F0000-0x00007FF6DAC44000-memory.dmp	xmrig
behavioral2/files/0x000a000000023b88-64.dat	xmrig
behavioral2/files/0x000a000000023b87-60.dat	xmrig
behavioral2/files/0x000a000000023b86-54.dat	xmrig
behavioral2/files/0x000a000000023b84-44.dat	xmrig
behavioral2/files/0x000a000000023b83-40.dat	xmrig
behavioral2/files/0x000a000000023b80-23.dat	xmrig
behavioral2/memory/3924-1712-0x00007FF62A730000-0x00007FF62AA84000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
5112	VywDrsw.exe
3340	HNoIyQQ.exe
3004	KvFefor.exe
3212	ojdgjGA.exe
740	PBAHLKg.exe
1868	TVcPOoT.exe
1968	QjztzKP.exe
1248	DuzRSaV.exe
1536	PruGjkp.exe
2616	MLtdwWe.exe
2440	GPzFNyJ.exe
3828	TRKuDEw.exe
1200	LebjeZi.exe
3876	AZJZOdh.exe
5016	bmzsWTg.exe
2264	IXjpgAl.exe
4888	HsaqUVP.exe
2632	pjsHDtS.exe
1528	QIgUdUF.exe
532	FPjgjns.exe
720	OQgqUKl.exe
3776	YRwVwdE.exe
4612	raNHWKD.exe
2088	Befnjht.exe
2108	jJUveFa.exe
2736	qpWzGzX.exe
3968	DnRrXpy.exe
1116	XLOuCoy.exe
4388	zptKVjp.exe
1792	jdvKusJ.exe
5036	pswdpam.exe
388	pyGzZcQ.exe
4448	fCrOXMG.exe
692	qCwwuus.exe
2276	PpvCAoW.exe
4496	yTOnwxE.exe
1936	JTZLLJK.exe
4452	ZdmubhY.exe
4520	MYlBRSn.exe
4552	UFwVNUV.exe
2164	GGoIeoa.exe
2620	ABYzsVG.exe
2572	xEUVpSV.exe
1436	bJiwOKO.exe
5104	GmItmhh.exe
2400	VqkLYeG.exe
3612	tymNtZO.exe
2564	kSwpLjK.exe
5008	OStOTYQ.exe
3104	zcbbIbR.exe
1344	MNjmpFg.exe
1156	xahtfjB.exe
1764	wtvqKcg.exe
3844	HquerdI.exe
3044	uJlhJhe.exe
4020	MMEUEbh.exe
2940	rIWZFqn.exe
2080	VothcBc.exe
3364	NdGJxrP.exe
5084	AbTEwYt.exe
1628	RkWINHg.exe
2832	fEEqWJx.exe
3388	glHjwqr.exe
3620	RwNobzf.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3924-0-0x00007FF62A730000-0x00007FF62AA84000-memory.dmp	upx
behavioral2/files/0x000b000000023b7a-4.dat	upx
behavioral2/memory/5112-7-0x00007FF6A9910000-0x00007FF6A9C64000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-10.dat	upx
behavioral2/files/0x000a000000023b7e-14.dat	upx
behavioral2/files/0x000a000000023b81-26.dat	upx
behavioral2/files/0x000a000000023b82-34.dat	upx
behavioral2/files/0x000a000000023b85-50.dat	upx
behavioral2/files/0x000a000000023b89-66.dat	upx
behavioral2/files/0x000a000000023b92-109.dat	upx
behavioral2/files/0x000a000000023b94-127.dat	upx
behavioral2/files/0x000a000000023b99-144.dat	upx
behavioral2/files/0x000a000000023b9b-162.dat	upx
behavioral2/memory/3340-648-0x00007FF66BED0000-0x00007FF66C224000-memory.dmp	upx
behavioral2/memory/3212-649-0x00007FF6C2E20000-0x00007FF6C3174000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-164.dat	upx
behavioral2/files/0x000a000000023b9c-159.dat	upx
behavioral2/files/0x000a000000023b9a-157.dat	upx
behavioral2/files/0x000a000000023b98-147.dat	upx
behavioral2/files/0x000a000000023b97-142.dat	upx
behavioral2/files/0x000a000000023b96-137.dat	upx
behavioral2/memory/740-650-0x00007FF7321C0000-0x00007FF732514000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-132.dat	upx
behavioral2/files/0x000a000000023b93-122.dat	upx
behavioral2/files/0x000a000000023b91-112.dat	upx
behavioral2/files/0x000a000000023b90-107.dat	upx
behavioral2/files/0x000a000000023b8f-102.dat	upx
behavioral2/files/0x000a000000023b8e-97.dat	upx
behavioral2/files/0x000a000000023b8d-92.dat	upx
behavioral2/files/0x000a000000023b8c-87.dat	upx
behavioral2/files/0x000a000000023b8b-79.dat	upx
behavioral2/files/0x000a000000023b8a-74.dat	upx
behavioral2/memory/1868-659-0x00007FF679C10000-0x00007FF679F64000-memory.dmp	upx
behavioral2/memory/1968-665-0x00007FF69EBE0000-0x00007FF69EF34000-memory.dmp	upx
behavioral2/memory/1536-672-0x00007FF755320000-0x00007FF755674000-memory.dmp	upx
behavioral2/memory/3828-701-0x00007FF78FB10000-0x00007FF78FE64000-memory.dmp	upx
behavioral2/memory/3776-752-0x00007FF7E83A0000-0x00007FF7E86F4000-memory.dmp	upx
behavioral2/memory/2108-772-0x00007FF6DF070000-0x00007FF6DF3C4000-memory.dmp	upx
behavioral2/memory/3968-779-0x00007FF6D3820000-0x00007FF6D3B74000-memory.dmp	upx
behavioral2/memory/4388-783-0x00007FF6374B0000-0x00007FF637804000-memory.dmp	upx
behavioral2/memory/3004-784-0x00007FF6169D0000-0x00007FF616D24000-memory.dmp	upx
behavioral2/memory/1116-782-0x00007FF7407B0000-0x00007FF740B04000-memory.dmp	upx
behavioral2/memory/2736-778-0x00007FF7D5450000-0x00007FF7D57A4000-memory.dmp	upx
behavioral2/memory/2088-767-0x00007FF763000000-0x00007FF763354000-memory.dmp	upx
behavioral2/memory/4612-764-0x00007FF78B0A0000-0x00007FF78B3F4000-memory.dmp	upx
behavioral2/memory/720-751-0x00007FF7DB4E0000-0x00007FF7DB834000-memory.dmp	upx
behavioral2/memory/532-745-0x00007FF68A110000-0x00007FF68A464000-memory.dmp	upx
behavioral2/memory/1528-740-0x00007FF7637A0000-0x00007FF763AF4000-memory.dmp	upx
behavioral2/memory/2632-732-0x00007FF622330000-0x00007FF622684000-memory.dmp	upx
behavioral2/memory/4888-729-0x00007FF7DE230000-0x00007FF7DE584000-memory.dmp	upx
behavioral2/memory/2264-724-0x00007FF6C2B90000-0x00007FF6C2EE4000-memory.dmp	upx
behavioral2/memory/5016-717-0x00007FF6FC150000-0x00007FF6FC4A4000-memory.dmp	upx
behavioral2/memory/3876-713-0x00007FF733F10000-0x00007FF734264000-memory.dmp	upx
behavioral2/memory/1200-712-0x00007FF78D770000-0x00007FF78DAC4000-memory.dmp	upx
behavioral2/memory/2440-693-0x00007FF726010000-0x00007FF726364000-memory.dmp	upx
behavioral2/memory/2616-686-0x00007FF784D40000-0x00007FF785094000-memory.dmp	upx
behavioral2/memory/1248-671-0x00007FF6DA8F0000-0x00007FF6DAC44000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-64.dat	upx
behavioral2/files/0x000a000000023b87-60.dat	upx
behavioral2/files/0x000a000000023b86-54.dat	upx
behavioral2/files/0x000a000000023b84-44.dat	upx
behavioral2/files/0x000a000000023b83-40.dat	upx
behavioral2/files/0x000a000000023b80-23.dat	upx
behavioral2/memory/3924-1712-0x00007FF62A730000-0x00007FF62AA84000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\bKfrkbo.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\PzFRVtg.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\UzFAiFt.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\NFjyJEE.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\lZlokmX.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\nGzBCXo.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\perGJSZ.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\mXWKPjY.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\pOtnRne.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\NDaDWlh.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\CRUEJyn.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\PzSBOJU.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\imKsekp.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\jhsYzdJ.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\zFbNskL.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\IoWzgkC.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\VywDrsw.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\FemqomE.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\ULsLnag.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\KHepdvX.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\JsgCqlN.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\jSQUAJT.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\qPqEZCU.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\TSGRNWU.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\kfOvVrc.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\tQJPLDU.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\WAJsUwe.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\pxxvJFV.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\KYNkrBD.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\hsIaspM.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\yenUemI.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\TfIUqHx.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\mFKdoIG.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\FvuDkfK.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\Aqjgzca.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\JxVlOao.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\jPgPPdE.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\dVAtBRQ.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\vXdoGZE.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\shvivkN.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\jnrSsgK.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\RkWINHg.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\nuKiaUa.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\bRFPmKB.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\HccLfwn.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\cjhknsV.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\sZAUlqB.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\tymNtZO.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\xcskUJn.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\uxARUFJ.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\yhVrgld.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\xEYAqMv.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\oQQeliu.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\zOdZuRP.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\hpAZvyM.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\TRKuDEw.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\AlttZIw.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\qpZCICJ.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\vgOyHiR.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\zziSRWN.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\csgexwz.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\ijPPWAX.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\ucsTdOj.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
File created	C:\Windows\System\ANOhwVH.exe	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	15284	dwm.exe
Token: SeChangeNotifyPrivilege	15284	dwm.exe
Token: 33	15284	dwm.exe
Token: SeIncBasePriorityPrivilege	15284	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 5112	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	84
PID 3924 wrote to memory of 5112	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	84
PID 3924 wrote to memory of 3340	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	85
PID 3924 wrote to memory of 3340	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	85
PID 3924 wrote to memory of 3004	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	86
PID 3924 wrote to memory of 3004	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	86
PID 3924 wrote to memory of 3212	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	87
PID 3924 wrote to memory of 3212	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	87
PID 3924 wrote to memory of 740	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	88
PID 3924 wrote to memory of 740	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	88
PID 3924 wrote to memory of 1868	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	89
PID 3924 wrote to memory of 1868	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	89
PID 3924 wrote to memory of 1968	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	90
PID 3924 wrote to memory of 1968	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	90
PID 3924 wrote to memory of 1248	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	91
PID 3924 wrote to memory of 1248	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	91
PID 3924 wrote to memory of 1536	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	92
PID 3924 wrote to memory of 1536	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	92
PID 3924 wrote to memory of 2616	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	93
PID 3924 wrote to memory of 2616	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	93
PID 3924 wrote to memory of 2440	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	94
PID 3924 wrote to memory of 2440	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	94
PID 3924 wrote to memory of 3828	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	95
PID 3924 wrote to memory of 3828	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	95
PID 3924 wrote to memory of 1200	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	96
PID 3924 wrote to memory of 1200	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	96
PID 3924 wrote to memory of 3876	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	97
PID 3924 wrote to memory of 3876	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	97
PID 3924 wrote to memory of 5016	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	98
PID 3924 wrote to memory of 5016	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	98
PID 3924 wrote to memory of 2264	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	99
PID 3924 wrote to memory of 2264	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	99
PID 3924 wrote to memory of 4888	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	100
PID 3924 wrote to memory of 4888	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	100
PID 3924 wrote to memory of 2632	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	101
PID 3924 wrote to memory of 2632	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	101
PID 3924 wrote to memory of 1528	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	102
PID 3924 wrote to memory of 1528	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	102
PID 3924 wrote to memory of 532	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	103
PID 3924 wrote to memory of 532	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	103
PID 3924 wrote to memory of 720	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	104
PID 3924 wrote to memory of 720	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	104
PID 3924 wrote to memory of 3776	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	105
PID 3924 wrote to memory of 3776	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	105
PID 3924 wrote to memory of 4612	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	106
PID 3924 wrote to memory of 4612	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	106
PID 3924 wrote to memory of 2088	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	107
PID 3924 wrote to memory of 2088	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	107
PID 3924 wrote to memory of 2108	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	108
PID 3924 wrote to memory of 2108	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	108
PID 3924 wrote to memory of 2736	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	109
PID 3924 wrote to memory of 2736	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	109
PID 3924 wrote to memory of 3968	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	110
PID 3924 wrote to memory of 3968	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	110
PID 3924 wrote to memory of 1116	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	111
PID 3924 wrote to memory of 1116	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	111
PID 3924 wrote to memory of 4388	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	112
PID 3924 wrote to memory of 4388	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	112
PID 3924 wrote to memory of 1792	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	113
PID 3924 wrote to memory of 1792	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	113
PID 3924 wrote to memory of 5036	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	114
PID 3924 wrote to memory of 5036	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	114
PID 3924 wrote to memory of 388	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	115
PID 3924 wrote to memory of 388	3924	bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe	115

C:\Users\Admin\AppData\Local\Temp\bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe
"C:\Users\Admin\AppData\Local\Temp\bf375f216c80bf8f45a6ead4eff726f53d7d0d619ffaad692a87c27f9c37e1c4.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\System\VywDrsw.exe
  C:\Windows\System\VywDrsw.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\HNoIyQQ.exe
  C:\Windows\System\HNoIyQQ.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\KvFefor.exe
  C:\Windows\System\KvFefor.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\ojdgjGA.exe
  C:\Windows\System\ojdgjGA.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\PBAHLKg.exe
  C:\Windows\System\PBAHLKg.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\TVcPOoT.exe
  C:\Windows\System\TVcPOoT.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\QjztzKP.exe
  C:\Windows\System\QjztzKP.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\DuzRSaV.exe
  C:\Windows\System\DuzRSaV.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\PruGjkp.exe
  C:\Windows\System\PruGjkp.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\MLtdwWe.exe
  C:\Windows\System\MLtdwWe.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\GPzFNyJ.exe
  C:\Windows\System\GPzFNyJ.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\TRKuDEw.exe
  C:\Windows\System\TRKuDEw.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\LebjeZi.exe
  C:\Windows\System\LebjeZi.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\AZJZOdh.exe
  C:\Windows\System\AZJZOdh.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\bmzsWTg.exe
  C:\Windows\System\bmzsWTg.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\IXjpgAl.exe
  C:\Windows\System\IXjpgAl.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\HsaqUVP.exe
  C:\Windows\System\HsaqUVP.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\pjsHDtS.exe
  C:\Windows\System\pjsHDtS.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\QIgUdUF.exe
  C:\Windows\System\QIgUdUF.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\FPjgjns.exe
  C:\Windows\System\FPjgjns.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\OQgqUKl.exe
  C:\Windows\System\OQgqUKl.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\YRwVwdE.exe
  C:\Windows\System\YRwVwdE.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\raNHWKD.exe
  C:\Windows\System\raNHWKD.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\Befnjht.exe
  C:\Windows\System\Befnjht.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\jJUveFa.exe
  C:\Windows\System\jJUveFa.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\qpWzGzX.exe
  C:\Windows\System\qpWzGzX.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\DnRrXpy.exe
  C:\Windows\System\DnRrXpy.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\XLOuCoy.exe
  C:\Windows\System\XLOuCoy.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\zptKVjp.exe
  C:\Windows\System\zptKVjp.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\jdvKusJ.exe
  C:\Windows\System\jdvKusJ.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\pswdpam.exe
  C:\Windows\System\pswdpam.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\pyGzZcQ.exe
  C:\Windows\System\pyGzZcQ.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\fCrOXMG.exe
  C:\Windows\System\fCrOXMG.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\qCwwuus.exe
  C:\Windows\System\qCwwuus.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\PpvCAoW.exe
  C:\Windows\System\PpvCAoW.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\yTOnwxE.exe
  C:\Windows\System\yTOnwxE.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\JTZLLJK.exe
  C:\Windows\System\JTZLLJK.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\ZdmubhY.exe
  C:\Windows\System\ZdmubhY.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\MYlBRSn.exe
  C:\Windows\System\MYlBRSn.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\UFwVNUV.exe
  C:\Windows\System\UFwVNUV.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\GGoIeoa.exe
  C:\Windows\System\GGoIeoa.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\ABYzsVG.exe
  C:\Windows\System\ABYzsVG.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\xEUVpSV.exe
  C:\Windows\System\xEUVpSV.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\bJiwOKO.exe
  C:\Windows\System\bJiwOKO.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\GmItmhh.exe
  C:\Windows\System\GmItmhh.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\VqkLYeG.exe
  C:\Windows\System\VqkLYeG.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\tymNtZO.exe
  C:\Windows\System\tymNtZO.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\kSwpLjK.exe
  C:\Windows\System\kSwpLjK.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\OStOTYQ.exe
  C:\Windows\System\OStOTYQ.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\zcbbIbR.exe
  C:\Windows\System\zcbbIbR.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\MNjmpFg.exe
  C:\Windows\System\MNjmpFg.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\xahtfjB.exe
  C:\Windows\System\xahtfjB.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\wtvqKcg.exe
  C:\Windows\System\wtvqKcg.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\HquerdI.exe
  C:\Windows\System\HquerdI.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\uJlhJhe.exe
  C:\Windows\System\uJlhJhe.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\MMEUEbh.exe
  C:\Windows\System\MMEUEbh.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\rIWZFqn.exe
  C:\Windows\System\rIWZFqn.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\VothcBc.exe
  C:\Windows\System\VothcBc.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\NdGJxrP.exe
  C:\Windows\System\NdGJxrP.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System\AbTEwYt.exe
  C:\Windows\System\AbTEwYt.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\RkWINHg.exe
  C:\Windows\System\RkWINHg.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\fEEqWJx.exe
  C:\Windows\System\fEEqWJx.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\glHjwqr.exe
  C:\Windows\System\glHjwqr.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Windows\System\RwNobzf.exe
  C:\Windows\System\RwNobzf.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\jrugdKI.exe
  C:\Windows\System\jrugdKI.exe
  2⤵
  PID:1828
- C:\Windows\System\cjfugFs.exe
  C:\Windows\System\cjfugFs.exe
  2⤵
  PID:2528
- C:\Windows\System\bpRBJhO.exe
  C:\Windows\System\bpRBJhO.exe
  2⤵
  PID:1180
- C:\Windows\System\vTEePDI.exe
  C:\Windows\System\vTEePDI.exe
  2⤵
  PID:4568
- C:\Windows\System\ETGFmLP.exe
  C:\Windows\System\ETGFmLP.exe
  2⤵
  PID:4416
- C:\Windows\System\vMQajFh.exe
  C:\Windows\System\vMQajFh.exe
  2⤵
  PID:2600
- C:\Windows\System\JfmAQzf.exe
  C:\Windows\System\JfmAQzf.exe
  2⤵
  PID:932
- C:\Windows\System\ONPKnOn.exe
  C:\Windows\System\ONPKnOn.exe
  2⤵
  PID:2900
- C:\Windows\System\AtYaucN.exe
  C:\Windows\System\AtYaucN.exe
  2⤵
  PID:3760
- C:\Windows\System\jnTBdWk.exe
  C:\Windows\System\jnTBdWk.exe
  2⤵
  PID:4808
- C:\Windows\System\qGtRwCx.exe
  C:\Windows\System\qGtRwCx.exe
  2⤵
  PID:2248
- C:\Windows\System\JxVlOao.exe
  C:\Windows\System\JxVlOao.exe
  2⤵
  PID:4716
- C:\Windows\System\wFSZQjl.exe
  C:\Windows\System\wFSZQjl.exe
  2⤵
  PID:3532
- C:\Windows\System\mEDhSLJ.exe
  C:\Windows\System\mEDhSLJ.exe
  2⤵
  PID:4180
- C:\Windows\System\VAfoWrm.exe
  C:\Windows\System\VAfoWrm.exe
  2⤵
  PID:2280
- C:\Windows\System\AFPlLcq.exe
  C:\Windows\System\AFPlLcq.exe
  2⤵
  PID:4424
- C:\Windows\System\NKJduzk.exe
  C:\Windows\System\NKJduzk.exe
  2⤵
  PID:4464
- C:\Windows\System\vZoJuoz.exe
  C:\Windows\System\vZoJuoz.exe
  2⤵
  PID:748
- C:\Windows\System\LvMwayP.exe
  C:\Windows\System\LvMwayP.exe
  2⤵
  PID:1416
- C:\Windows\System\hHBBdnP.exe
  C:\Windows\System\hHBBdnP.exe
  2⤵
  PID:1664
- C:\Windows\System\KtDeyUN.exe
  C:\Windows\System\KtDeyUN.exe
  2⤵
  PID:3632
- C:\Windows\System\ANOhwVH.exe
  C:\Windows\System\ANOhwVH.exe
  2⤵
  PID:3672
- C:\Windows\System\hISEBAC.exe
  C:\Windows\System\hISEBAC.exe
  2⤵
  PID:5140
- C:\Windows\System\ksNUZSx.exe
  C:\Windows\System\ksNUZSx.exe
  2⤵
  PID:5172
- C:\Windows\System\BRHdKBr.exe
  C:\Windows\System\BRHdKBr.exe
  2⤵
  PID:5196
- C:\Windows\System\ZtXIliJ.exe
  C:\Windows\System\ZtXIliJ.exe
  2⤵
  PID:5228
- C:\Windows\System\AmFcMbJ.exe
  C:\Windows\System\AmFcMbJ.exe
  2⤵
  PID:5252
- C:\Windows\System\yJcveYF.exe
  C:\Windows\System\yJcveYF.exe
  2⤵
  PID:5304
- C:\Windows\System\BHxwTzy.exe
  C:\Windows\System\BHxwTzy.exe
  2⤵
  PID:5320
- C:\Windows\System\tBLEEXX.exe
  C:\Windows\System\tBLEEXX.exe
  2⤵
  PID:5336
- C:\Windows\System\abVtSdp.exe
  C:\Windows\System\abVtSdp.exe
  2⤵
  PID:5360
- C:\Windows\System\jLqykhm.exe
  C:\Windows\System\jLqykhm.exe
  2⤵
  PID:5388
- C:\Windows\System\CQFATHT.exe
  C:\Windows\System\CQFATHT.exe
  2⤵
  PID:5408
- C:\Windows\System\mmPEDxV.exe
  C:\Windows\System\mmPEDxV.exe
  2⤵
  PID:5436
- C:\Windows\System\ygcPCrO.exe
  C:\Windows\System\ygcPCrO.exe
  2⤵
  PID:5464
- C:\Windows\System\SYZxKsE.exe
  C:\Windows\System\SYZxKsE.exe
  2⤵
  PID:5492
- C:\Windows\System\GViELOB.exe
  C:\Windows\System\GViELOB.exe
  2⤵
  PID:5520
- C:\Windows\System\fwqOeUi.exe
  C:\Windows\System\fwqOeUi.exe
  2⤵
  PID:5548
- C:\Windows\System\YGaGyKK.exe
  C:\Windows\System\YGaGyKK.exe
  2⤵
  PID:5576
- C:\Windows\System\lthMGmB.exe
  C:\Windows\System\lthMGmB.exe
  2⤵
  PID:5604
- C:\Windows\System\WdYKSDN.exe
  C:\Windows\System\WdYKSDN.exe
  2⤵
  PID:5632
- C:\Windows\System\DwRnDJJ.exe
  C:\Windows\System\DwRnDJJ.exe
  2⤵
  PID:5660
- C:\Windows\System\AadIWmN.exe
  C:\Windows\System\AadIWmN.exe
  2⤵
  PID:5688
- C:\Windows\System\ZQEKpYK.exe
  C:\Windows\System\ZQEKpYK.exe
  2⤵
  PID:5716
- C:\Windows\System\Gmvkjea.exe
  C:\Windows\System\Gmvkjea.exe
  2⤵
  PID:5744
- C:\Windows\System\uDklljx.exe
  C:\Windows\System\uDklljx.exe
  2⤵
  PID:5772
- C:\Windows\System\VsepHOU.exe
  C:\Windows\System\VsepHOU.exe
  2⤵
  PID:5800
- C:\Windows\System\zbLVcTE.exe
  C:\Windows\System\zbLVcTE.exe
  2⤵
  PID:5828
- C:\Windows\System\RAQivbD.exe
  C:\Windows\System\RAQivbD.exe
  2⤵
  PID:5856
- C:\Windows\System\MGsjKIA.exe
  C:\Windows\System\MGsjKIA.exe
  2⤵
  PID:5884
- C:\Windows\System\uOYwJlZ.exe
  C:\Windows\System\uOYwJlZ.exe
  2⤵
  PID:5912
- C:\Windows\System\SCzvcHY.exe
  C:\Windows\System\SCzvcHY.exe
  2⤵
  PID:5940
- C:\Windows\System\wVYuSiP.exe
  C:\Windows\System\wVYuSiP.exe
  2⤵
  PID:5968
- C:\Windows\System\lrvmTXs.exe
  C:\Windows\System\lrvmTXs.exe
  2⤵
  PID:5996
- C:\Windows\System\HdIcMOj.exe
  C:\Windows\System\HdIcMOj.exe
  2⤵
  PID:6024
- C:\Windows\System\WXXDpvv.exe
  C:\Windows\System\WXXDpvv.exe
  2⤵
  PID:6052
- C:\Windows\System\smnhaZD.exe
  C:\Windows\System\smnhaZD.exe
  2⤵
  PID:6080
- C:\Windows\System\xMIJdPO.exe
  C:\Windows\System\xMIJdPO.exe
  2⤵
  PID:6108
- C:\Windows\System\CLpuvKV.exe
  C:\Windows\System\CLpuvKV.exe
  2⤵
  PID:6136
- C:\Windows\System\jAKUgDv.exe
  C:\Windows\System\jAKUgDv.exe
  2⤵
  PID:1400
- C:\Windows\System\RvOPXGv.exe
  C:\Windows\System\RvOPXGv.exe
  2⤵
  PID:1120
- C:\Windows\System\RSuHIGm.exe
  C:\Windows\System\RSuHIGm.exe
  2⤵
  PID:2988
- C:\Windows\System\LAcQijr.exe
  C:\Windows\System\LAcQijr.exe
  2⤵
  PID:4084
- C:\Windows\System\gXzjgsp.exe
  C:\Windows\System\gXzjgsp.exe
  2⤵
  PID:4908
- C:\Windows\System\MYIrQra.exe
  C:\Windows\System\MYIrQra.exe
  2⤵
  PID:1320
- C:\Windows\System\TLYQlim.exe
  C:\Windows\System\TLYQlim.exe
  2⤵
  PID:5136
- C:\Windows\System\kZEXmWU.exe
  C:\Windows\System\kZEXmWU.exe
  2⤵
  PID:5208
- C:\Windows\System\vsXFJbt.exe
  C:\Windows\System\vsXFJbt.exe
  2⤵
  PID:5264
- C:\Windows\System\xAyVjVa.exe
  C:\Windows\System\xAyVjVa.exe
  2⤵
  PID:5328
- C:\Windows\System\hsIaspM.exe
  C:\Windows\System\hsIaspM.exe
  2⤵
  PID:5384
- C:\Windows\System\RrRMCmx.exe
  C:\Windows\System\RrRMCmx.exe
  2⤵
  PID:5452
- C:\Windows\System\FKKXTix.exe
  C:\Windows\System\FKKXTix.exe
  2⤵
  PID:5512
- C:\Windows\System\ErNnpRm.exe
  C:\Windows\System\ErNnpRm.exe
  2⤵
  PID:5588
- C:\Windows\System\CRUEJyn.exe
  C:\Windows\System\CRUEJyn.exe
  2⤵
  PID:5648
- C:\Windows\System\BzAIeaI.exe
  C:\Windows\System\BzAIeaI.exe
  2⤵
  PID:5708
- C:\Windows\System\GSpWWgv.exe
  C:\Windows\System\GSpWWgv.exe
  2⤵
  PID:5784
- C:\Windows\System\TSGRNWU.exe
  C:\Windows\System\TSGRNWU.exe
  2⤵
  PID:5844
- C:\Windows\System\OCFnLbi.exe
  C:\Windows\System\OCFnLbi.exe
  2⤵
  PID:5900
- C:\Windows\System\FqnAKex.exe
  C:\Windows\System\FqnAKex.exe
  2⤵
  PID:5960
- C:\Windows\System\jhctKhv.exe
  C:\Windows\System\jhctKhv.exe
  2⤵
  PID:6036
- C:\Windows\System\uJYVBHX.exe
  C:\Windows\System\uJYVBHX.exe
  2⤵
  PID:6096
- C:\Windows\System\WcyWcrb.exe
  C:\Windows\System\WcyWcrb.exe
  2⤵
  PID:3480
- C:\Windows\System\ehyoqzB.exe
  C:\Windows\System\ehyoqzB.exe
  2⤵
  PID:3488
- C:\Windows\System\ADbbBQc.exe
  C:\Windows\System\ADbbBQc.exe
  2⤵
  PID:908
- C:\Windows\System\OhPBHPw.exe
  C:\Windows\System\OhPBHPw.exe
  2⤵
  PID:184
- C:\Windows\System\mGuqyQv.exe
  C:\Windows\System\mGuqyQv.exe
  2⤵
  PID:5376
- C:\Windows\System\SWzuEji.exe
  C:\Windows\System\SWzuEji.exe
  2⤵
  PID:5540
- C:\Windows\System\DpRtNUF.exe
  C:\Windows\System\DpRtNUF.exe
  2⤵
  PID:5620
- C:\Windows\System\BFepzbf.exe
  C:\Windows\System\BFepzbf.exe
  2⤵
  PID:5760
- C:\Windows\System\KYNkrBD.exe
  C:\Windows\System\KYNkrBD.exe
  2⤵
  PID:5928
- C:\Windows\System\doLTzWj.exe
  C:\Windows\System\doLTzWj.exe
  2⤵
  PID:6148
- C:\Windows\System\TomyDVG.exe
  C:\Windows\System\TomyDVG.exe
  2⤵
  PID:6176
- C:\Windows\System\PkWQZEG.exe
  C:\Windows\System\PkWQZEG.exe
  2⤵
  PID:6204
- C:\Windows\System\SqjQCDn.exe
  C:\Windows\System\SqjQCDn.exe
  2⤵
  PID:6232
- C:\Windows\System\jaqbODR.exe
  C:\Windows\System\jaqbODR.exe
  2⤵
  PID:6256
- C:\Windows\System\qFQZKzU.exe
  C:\Windows\System\qFQZKzU.exe
  2⤵
  PID:6288
- C:\Windows\System\NNjzcZR.exe
  C:\Windows\System\NNjzcZR.exe
  2⤵
  PID:6312
- C:\Windows\System\LzhXPAJ.exe
  C:\Windows\System\LzhXPAJ.exe
  2⤵
  PID:6344
- C:\Windows\System\KNveifq.exe
  C:\Windows\System\KNveifq.exe
  2⤵
  PID:6372
- C:\Windows\System\oZAxylv.exe
  C:\Windows\System\oZAxylv.exe
  2⤵
  PID:6396
- C:\Windows\System\HxZodzD.exe
  C:\Windows\System\HxZodzD.exe
  2⤵
  PID:6428
- C:\Windows\System\bzqGVUO.exe
  C:\Windows\System\bzqGVUO.exe
  2⤵
  PID:6452
- C:\Windows\System\sISxMEr.exe
  C:\Windows\System\sISxMEr.exe
  2⤵
  PID:6484
- C:\Windows\System\rPUSRMB.exe
  C:\Windows\System\rPUSRMB.exe
  2⤵
  PID:6516
- C:\Windows\System\NFjyJEE.exe
  C:\Windows\System\NFjyJEE.exe
  2⤵
  PID:6540
- C:\Windows\System\axAeopX.exe
  C:\Windows\System\axAeopX.exe
  2⤵
  PID:6568
- C:\Windows\System\JGvGFaY.exe
  C:\Windows\System\JGvGFaY.exe
  2⤵
  PID:6596
- C:\Windows\System\xqBhpkb.exe
  C:\Windows\System\xqBhpkb.exe
  2⤵
  PID:6628
- C:\Windows\System\HQQKDOL.exe
  C:\Windows\System\HQQKDOL.exe
  2⤵
  PID:6652
- C:\Windows\System\qXoxWeR.exe
  C:\Windows\System\qXoxWeR.exe
  2⤵
  PID:6684
- C:\Windows\System\PKiKCGM.exe
  C:\Windows\System\PKiKCGM.exe
  2⤵
  PID:6716
- C:\Windows\System\kajkowx.exe
  C:\Windows\System\kajkowx.exe
  2⤵
  PID:6740
- C:\Windows\System\jnrSsgK.exe
  C:\Windows\System\jnrSsgK.exe
  2⤵
  PID:6768
- C:\Windows\System\VnfCrtW.exe
  C:\Windows\System\VnfCrtW.exe
  2⤵
  PID:6796
- C:\Windows\System\ctWNIQI.exe
  C:\Windows\System\ctWNIQI.exe
  2⤵
  PID:6824
- C:\Windows\System\OKENqqy.exe
  C:\Windows\System\OKENqqy.exe
  2⤵
  PID:6852
- C:\Windows\System\xcskUJn.exe
  C:\Windows\System\xcskUJn.exe
  2⤵
  PID:6880
- C:\Windows\System\MfIcWvR.exe
  C:\Windows\System\MfIcWvR.exe
  2⤵
  PID:6908
- C:\Windows\System\ohDickm.exe
  C:\Windows\System\ohDickm.exe
  2⤵
  PID:6936
- C:\Windows\System\AJIVRzk.exe
  C:\Windows\System\AJIVRzk.exe
  2⤵
  PID:6964
- C:\Windows\System\jjcnrDd.exe
  C:\Windows\System\jjcnrDd.exe
  2⤵
  PID:6992
- C:\Windows\System\hhyVEin.exe
  C:\Windows\System\hhyVEin.exe
  2⤵
  PID:7020
- C:\Windows\System\bYqhEMX.exe
  C:\Windows\System\bYqhEMX.exe
  2⤵
  PID:7048
- C:\Windows\System\gRqeJgH.exe
  C:\Windows\System\gRqeJgH.exe
  2⤵
  PID:7076
- C:\Windows\System\uxARUFJ.exe
  C:\Windows\System\uxARUFJ.exe
  2⤵
  PID:7104
- C:\Windows\System\ttPhXGY.exe
  C:\Windows\System\ttPhXGY.exe
  2⤵
  PID:7132
- C:\Windows\System\poxPuSE.exe
  C:\Windows\System\poxPuSE.exe
  2⤵
  PID:7160
- C:\Windows\System\LBQlLhH.exe
  C:\Windows\System\LBQlLhH.exe
  2⤵
  PID:4408
- C:\Windows\System\IyCzYhJ.exe
  C:\Windows\System\IyCzYhJ.exe
  2⤵
  PID:2004
- C:\Windows\System\GJOYFvB.exe
  C:\Windows\System\GJOYFvB.exe
  2⤵
  PID:5352
- C:\Windows\System\mDjUygJ.exe
  C:\Windows\System\mDjUygJ.exe
  2⤵
  PID:5700
- C:\Windows\System\HpBdGSw.exe
  C:\Windows\System\HpBdGSw.exe
  2⤵
  PID:6244
- C:\Windows\System\XjMBjKQ.exe
  C:\Windows\System\XjMBjKQ.exe
  2⤵
  PID:6308
- C:\Windows\System\LjcXuSN.exe
  C:\Windows\System\LjcXuSN.exe
  2⤵
  PID:6364
- C:\Windows\System\EbzFFzg.exe
  C:\Windows\System\EbzFFzg.exe
  2⤵
  PID:6416
- C:\Windows\System\VJmLRCT.exe
  C:\Windows\System\VJmLRCT.exe
  2⤵
  PID:6472
- C:\Windows\System\mxuJOpY.exe
  C:\Windows\System\mxuJOpY.exe
  2⤵
  PID:6508
- C:\Windows\System\yhVrgld.exe
  C:\Windows\System\yhVrgld.exe
  2⤵
  PID:6560
- C:\Windows\System\qaNaSSD.exe
  C:\Windows\System\qaNaSSD.exe
  2⤵
  PID:6612
- C:\Windows\System\FOIQyTD.exe
  C:\Windows\System\FOIQyTD.exe
  2⤵
  PID:6644
- C:\Windows\System\KVftQMK.exe
  C:\Windows\System\KVftQMK.exe
  2⤵
  PID:6676
- C:\Windows\System\dVjdJFO.exe
  C:\Windows\System\dVjdJFO.exe
  2⤵
  PID:6724
- C:\Windows\System\dczqYmS.exe
  C:\Windows\System\dczqYmS.exe
  2⤵
  PID:6752
- C:\Windows\System\YHfofhY.exe
  C:\Windows\System\YHfofhY.exe
  2⤵
  PID:6784
- C:\Windows\System\BPryZpI.exe
  C:\Windows\System\BPryZpI.exe
  2⤵
  PID:6840
- C:\Windows\System\FemqomE.exe
  C:\Windows\System\FemqomE.exe
  2⤵
  PID:2844
- C:\Windows\System\SdhaYxz.exe
  C:\Windows\System\SdhaYxz.exe
  2⤵
  PID:3588
- C:\Windows\System\Jzgmtci.exe
  C:\Windows\System\Jzgmtci.exe
  2⤵
  PID:3076
- C:\Windows\System\bednadn.exe
  C:\Windows\System\bednadn.exe
  2⤵
  PID:7004
- C:\Windows\System\jObpYix.exe
  C:\Windows\System\jObpYix.exe
  2⤵
  PID:7068
- C:\Windows\System\tcbmbNQ.exe
  C:\Windows\System\tcbmbNQ.exe
  2⤵
  PID:5296
- C:\Windows\System\XwCEBuI.exe
  C:\Windows\System\XwCEBuI.exe
  2⤵
  PID:3448
- C:\Windows\System\AlttZIw.exe
  C:\Windows\System\AlttZIw.exe
  2⤵
  PID:992
- C:\Windows\System\bENXPHA.exe
  C:\Windows\System\bENXPHA.exe
  2⤵
  PID:5484
- C:\Windows\System\WgCCxRh.exe
  C:\Windows\System\WgCCxRh.exe
  2⤵
  PID:456
- C:\Windows\System\ULDSEJt.exe
  C:\Windows\System\ULDSEJt.exe
  2⤵
  PID:4728
- C:\Windows\System\HOBHJwX.exe
  C:\Windows\System\HOBHJwX.exe
  2⤵
  PID:6252
- C:\Windows\System\ynrJhOF.exe
  C:\Windows\System\ynrJhOF.exe
  2⤵
  PID:4672
- C:\Windows\System\mVDOsvM.exe
  C:\Windows\System\mVDOsvM.exe
  2⤵
  PID:6816
- C:\Windows\System\uOHWTAq.exe
  C:\Windows\System\uOHWTAq.exe
  2⤵
  PID:6672
- C:\Windows\System\hXgbKcF.exe
  C:\Windows\System\hXgbKcF.exe
  2⤵
  PID:1496
- C:\Windows\System\gecZanN.exe
  C:\Windows\System\gecZanN.exe
  2⤵
  PID:3016
- C:\Windows\System\GgMcZKS.exe
  C:\Windows\System\GgMcZKS.exe
  2⤵
  PID:2184
- C:\Windows\System\xWOxaxO.exe
  C:\Windows\System\xWOxaxO.exe
  2⤵
  PID:7064
- C:\Windows\System\NDaDWlh.exe
  C:\Windows\System\NDaDWlh.exe
  2⤵
  PID:6128
- C:\Windows\System\SPBoiHQ.exe
  C:\Windows\System\SPBoiHQ.exe
  2⤵
  PID:1172
- C:\Windows\System\SeuFbIh.exe
  C:\Windows\System\SeuFbIh.exe
  2⤵
  PID:6956
- C:\Windows\System\xnlMrmw.exe
  C:\Windows\System\xnlMrmw.exe
  2⤵
  PID:1292
- C:\Windows\System\HZBqKre.exe
  C:\Windows\System\HZBqKre.exe
  2⤵
  PID:7192
- C:\Windows\System\SkQXsoR.exe
  C:\Windows\System\SkQXsoR.exe
  2⤵
  PID:7208
- C:\Windows\System\hoWAaGK.exe
  C:\Windows\System\hoWAaGK.exe
  2⤵
  PID:7224
- C:\Windows\System\ItSqFDi.exe
  C:\Windows\System\ItSqFDi.exe
  2⤵
  PID:7240
- C:\Windows\System\kYvPdHX.exe
  C:\Windows\System\kYvPdHX.exe
  2⤵
  PID:7264
- C:\Windows\System\wkLPUjP.exe
  C:\Windows\System\wkLPUjP.exe
  2⤵
  PID:7292
- C:\Windows\System\YIZAOry.exe
  C:\Windows\System\YIZAOry.exe
  2⤵
  PID:7360
- C:\Windows\System\QbgfioJ.exe
  C:\Windows\System\QbgfioJ.exe
  2⤵
  PID:7388
- C:\Windows\System\cSZICbw.exe
  C:\Windows\System\cSZICbw.exe
  2⤵
  PID:7404
- C:\Windows\System\yenUemI.exe
  C:\Windows\System\yenUemI.exe
  2⤵
  PID:7432
- C:\Windows\System\yViRaos.exe
  C:\Windows\System\yViRaos.exe
  2⤵
  PID:7460
- C:\Windows\System\MKulMPN.exe
  C:\Windows\System\MKulMPN.exe
  2⤵
  PID:7488
- C:\Windows\System\WkdqpLK.exe
  C:\Windows\System\WkdqpLK.exe
  2⤵
  PID:7516
- C:\Windows\System\jPgPPdE.exe
  C:\Windows\System\jPgPPdE.exe
  2⤵
  PID:7556
- C:\Windows\System\SptsHlz.exe
  C:\Windows\System\SptsHlz.exe
  2⤵
  PID:7572
- C:\Windows\System\qJyiYDt.exe
  C:\Windows\System\qJyiYDt.exe
  2⤵
  PID:7608
- C:\Windows\System\qpZCICJ.exe
  C:\Windows\System\qpZCICJ.exe
  2⤵
  PID:7632
- C:\Windows\System\DoxwhZY.exe
  C:\Windows\System\DoxwhZY.exe
  2⤵
  PID:7660
- C:\Windows\System\RPQPbzV.exe
  C:\Windows\System\RPQPbzV.exe
  2⤵
  PID:7700
- C:\Windows\System\TypAfyk.exe
  C:\Windows\System\TypAfyk.exe
  2⤵
  PID:7716
- C:\Windows\System\cskqHnn.exe
  C:\Windows\System\cskqHnn.exe
  2⤵
  PID:7752
- C:\Windows\System\IzZACXl.exe
  C:\Windows\System\IzZACXl.exe
  2⤵
  PID:7776
- C:\Windows\System\VDNaRfL.exe
  C:\Windows\System\VDNaRfL.exe
  2⤵
  PID:7812
- C:\Windows\System\nNCSVHV.exe
  C:\Windows\System\nNCSVHV.exe
  2⤵
  PID:7828
- C:\Windows\System\aQbMEiy.exe
  C:\Windows\System\aQbMEiy.exe
  2⤵
  PID:7856
- C:\Windows\System\lSuEXYT.exe
  C:\Windows\System\lSuEXYT.exe
  2⤵
  PID:7892
- C:\Windows\System\NYpYUOn.exe
  C:\Windows\System\NYpYUOn.exe
  2⤵
  PID:7920
- C:\Windows\System\tSDKxOJ.exe
  C:\Windows\System\tSDKxOJ.exe
  2⤵
  PID:7948
- C:\Windows\System\eADvdvi.exe
  C:\Windows\System\eADvdvi.exe
  2⤵
  PID:7976
- C:\Windows\System\zeDNQqz.exe
  C:\Windows\System\zeDNQqz.exe
  2⤵
  PID:8004
- C:\Windows\System\OLFgASJ.exe
  C:\Windows\System\OLFgASJ.exe
  2⤵
  PID:8036
- C:\Windows\System\WarFuGc.exe
  C:\Windows\System\WarFuGc.exe
  2⤵
  PID:8076
- C:\Windows\System\HDapqLx.exe
  C:\Windows\System\HDapqLx.exe
  2⤵
  PID:8092
- C:\Windows\System\TTFQJVP.exe
  C:\Windows\System\TTFQJVP.exe
  2⤵
  PID:8120
- C:\Windows\System\jELMxia.exe
  C:\Windows\System\jELMxia.exe
  2⤵
  PID:8148
- C:\Windows\System\kPnrPEM.exe
  C:\Windows\System\kPnrPEM.exe
  2⤵
  PID:8164
- C:\Windows\System\SaeQqLR.exe
  C:\Windows\System\SaeQqLR.exe
  2⤵
  PID:6760
- C:\Windows\System\vIclfFq.exe
  C:\Windows\System\vIclfFq.exe
  2⤵
  PID:6388
- C:\Windows\System\PzSBOJU.exe
  C:\Windows\System\PzSBOJU.exe
  2⤵
  PID:1620
- C:\Windows\System\RrnuvRM.exe
  C:\Windows\System\RrnuvRM.exe
  2⤵
  PID:6072
- C:\Windows\System\HihANxy.exe
  C:\Windows\System\HihANxy.exe
  2⤵
  PID:7220
- C:\Windows\System\VCHyThY.exe
  C:\Windows\System\VCHyThY.exe
  2⤵
  PID:7260
- C:\Windows\System\PjmgtDw.exe
  C:\Windows\System\PjmgtDw.exe
  2⤵
  PID:7352
- C:\Windows\System\FDJPpOP.exe
  C:\Windows\System\FDJPpOP.exe
  2⤵
  PID:7428
- C:\Windows\System\JCNlMIu.exe
  C:\Windows\System\JCNlMIu.exe
  2⤵
  PID:7504
- C:\Windows\System\DLfkTRx.exe
  C:\Windows\System\DLfkTRx.exe
  2⤵
  PID:7548
- C:\Windows\System\vmTXgUL.exe
  C:\Windows\System\vmTXgUL.exe
  2⤵
  PID:7644
- C:\Windows\System\UQBfGkP.exe
  C:\Windows\System\UQBfGkP.exe
  2⤵
  PID:7684
- C:\Windows\System\dZTqiCC.exe
  C:\Windows\System\dZTqiCC.exe
  2⤵
  PID:7792
- C:\Windows\System\NvXyiOs.exe
  C:\Windows\System\NvXyiOs.exe
  2⤵
  PID:7820
- C:\Windows\System\ISDQhke.exe
  C:\Windows\System\ISDQhke.exe
  2⤵
  PID:7876
- C:\Windows\System\yCzUuDx.exe
  C:\Windows\System\yCzUuDx.exe
  2⤵
  PID:7964
- C:\Windows\System\nDmefdL.exe
  C:\Windows\System\nDmefdL.exe
  2⤵
  PID:8072
- C:\Windows\System\kfOvVrc.exe
  C:\Windows\System\kfOvVrc.exe
  2⤵
  PID:8116
- C:\Windows\System\ExTauOz.exe
  C:\Windows\System\ExTauOz.exe
  2⤵
  PID:8176
- C:\Windows\System\yZYjqdr.exe
  C:\Windows\System\yZYjqdr.exe
  2⤵
  PID:6584
- C:\Windows\System\lZlokmX.exe
  C:\Windows\System\lZlokmX.exe
  2⤵
  PID:224
- C:\Windows\System\CIVuIKJ.exe
  C:\Windows\System\CIVuIKJ.exe
  2⤵
  PID:7416
- C:\Windows\System\vOCyOal.exe
  C:\Windows\System\vOCyOal.exe
  2⤵
  PID:7472
- C:\Windows\System\ULsLnag.exe
  C:\Windows\System\ULsLnag.exe
  2⤵
  PID:7564
- C:\Windows\System\UDIRSan.exe
  C:\Windows\System\UDIRSan.exe
  2⤵
  PID:7912
- C:\Windows\System\nyEPSMP.exe
  C:\Windows\System\nyEPSMP.exe
  2⤵
  PID:7940
- C:\Windows\System\vgOyHiR.exe
  C:\Windows\System\vgOyHiR.exe
  2⤵
  PID:8032
- C:\Windows\System\ISEwvYX.exe
  C:\Windows\System\ISEwvYX.exe
  2⤵
  PID:3460
- C:\Windows\System\TpoUPEN.exe
  C:\Windows\System\TpoUPEN.exe
  2⤵
  PID:7284
- C:\Windows\System\HNSgeQj.exe
  C:\Windows\System\HNSgeQj.exe
  2⤵
  PID:7624
- C:\Windows\System\fxUNiSR.exe
  C:\Windows\System\fxUNiSR.exe
  2⤵
  PID:7936
- C:\Windows\System\pUjnCni.exe
  C:\Windows\System\pUjnCni.exe
  2⤵
  PID:6536
- C:\Windows\System\XKrjHUT.exe
  C:\Windows\System\XKrjHUT.exe
  2⤵
  PID:7760
- C:\Windows\System\hRmtHer.exe
  C:\Windows\System\hRmtHer.exe
  2⤵
  PID:8232
- C:\Windows\System\TfIUqHx.exe
  C:\Windows\System\TfIUqHx.exe
  2⤵
  PID:8272
- C:\Windows\System\izkELgp.exe
  C:\Windows\System\izkELgp.exe
  2⤵
  PID:8288
- C:\Windows\System\XcnihYD.exe
  C:\Windows\System\XcnihYD.exe
  2⤵
  PID:8316
- C:\Windows\System\cDpBQsq.exe
  C:\Windows\System\cDpBQsq.exe
  2⤵
  PID:8344
- C:\Windows\System\xEYAqMv.exe
  C:\Windows\System\xEYAqMv.exe
  2⤵
  PID:8364
- C:\Windows\System\FqHmPiS.exe
  C:\Windows\System\FqHmPiS.exe
  2⤵
  PID:8392
- C:\Windows\System\knPzkGB.exe
  C:\Windows\System\knPzkGB.exe
  2⤵
  PID:8432
- C:\Windows\System\MQHXsRt.exe
  C:\Windows\System\MQHXsRt.exe
  2⤵
  PID:8456
- C:\Windows\System\kpmbwYh.exe
  C:\Windows\System\kpmbwYh.exe
  2⤵
  PID:8472
- C:\Windows\System\GHViBru.exe
  C:\Windows\System\GHViBru.exe
  2⤵
  PID:8488
- C:\Windows\System\qoZWfMv.exe
  C:\Windows\System\qoZWfMv.exe
  2⤵
  PID:8512
- C:\Windows\System\BuVBhYQ.exe
  C:\Windows\System\BuVBhYQ.exe
  2⤵
  PID:8548
- C:\Windows\System\EAvdpnC.exe
  C:\Windows\System\EAvdpnC.exe
  2⤵
  PID:8576
- C:\Windows\System\drXwZDH.exe
  C:\Windows\System\drXwZDH.exe
  2⤵
  PID:8612
- C:\Windows\System\SmOLpqV.exe
  C:\Windows\System\SmOLpqV.exe
  2⤵
  PID:8644
- C:\Windows\System\uaOdajH.exe
  C:\Windows\System\uaOdajH.exe
  2⤵
  PID:8692
- C:\Windows\System\wLNTWHs.exe
  C:\Windows\System\wLNTWHs.exe
  2⤵
  PID:8720
- C:\Windows\System\nuKiaUa.exe
  C:\Windows\System\nuKiaUa.exe
  2⤵
  PID:8748
- C:\Windows\System\HWAmQIQ.exe
  C:\Windows\System\HWAmQIQ.exe
  2⤵
  PID:8776
- C:\Windows\System\OZMzQmp.exe
  C:\Windows\System\OZMzQmp.exe
  2⤵
  PID:8804
- C:\Windows\System\ESgrdgM.exe
  C:\Windows\System\ESgrdgM.exe
  2⤵
  PID:8832
- C:\Windows\System\KodEEcH.exe
  C:\Windows\System\KodEEcH.exe
  2⤵
  PID:8860
- C:\Windows\System\ZfYRedc.exe
  C:\Windows\System\ZfYRedc.exe
  2⤵
  PID:8876
- C:\Windows\System\FqtBMQL.exe
  C:\Windows\System\FqtBMQL.exe
  2⤵
  PID:8916
- C:\Windows\System\usvTkzY.exe
  C:\Windows\System\usvTkzY.exe
  2⤵
  PID:8944
- C:\Windows\System\oZmzGGR.exe
  C:\Windows\System\oZmzGGR.exe
  2⤵
  PID:8972
- C:\Windows\System\mFKdoIG.exe
  C:\Windows\System\mFKdoIG.exe
  2⤵
  PID:9000
- C:\Windows\System\kraNlBg.exe
  C:\Windows\System\kraNlBg.exe
  2⤵
  PID:9028
- C:\Windows\System\BDPAuCk.exe
  C:\Windows\System\BDPAuCk.exe
  2⤵
  PID:9056
- C:\Windows\System\kAKzoXH.exe
  C:\Windows\System\kAKzoXH.exe
  2⤵
  PID:9084
- C:\Windows\System\ONPiHue.exe
  C:\Windows\System\ONPiHue.exe
  2⤵
  PID:9112
- C:\Windows\System\TDpeqnZ.exe
  C:\Windows\System\TDpeqnZ.exe
  2⤵
  PID:9140
- C:\Windows\System\LldpAOs.exe
  C:\Windows\System\LldpAOs.exe
  2⤵
  PID:9172
- C:\Windows\System\zyOnRyI.exe
  C:\Windows\System\zyOnRyI.exe
  2⤵
  PID:9188
- C:\Windows\System\HZXrhTe.exe
  C:\Windows\System\HZXrhTe.exe
  2⤵
  PID:7184
- C:\Windows\System\xVSlolv.exe
  C:\Windows\System\xVSlolv.exe
  2⤵
  PID:8248
- C:\Windows\System\BrERsst.exe
  C:\Windows\System\BrERsst.exe
  2⤵
  PID:8332
- C:\Windows\System\jLOomGw.exe
  C:\Windows\System\jLOomGw.exe
  2⤵
  PID:8352
- C:\Windows\System\zziSRWN.exe
  C:\Windows\System\zziSRWN.exe
  2⤵
  PID:8424
- C:\Windows\System\lDSZaSW.exe
  C:\Windows\System\lDSZaSW.exe
  2⤵
  PID:8504
- C:\Windows\System\wJfppCg.exe
  C:\Windows\System\wJfppCg.exe
  2⤵
  PID:8540
- C:\Windows\System\iLecTjG.exe
  C:\Windows\System\iLecTjG.exe
  2⤵
  PID:8600
- C:\Windows\System\hZdZlHu.exe
  C:\Windows\System\hZdZlHu.exe
  2⤵
  PID:8680
- C:\Windows\System\rvvPzdF.exe
  C:\Windows\System\rvvPzdF.exe
  2⤵
  PID:8732
- C:\Windows\System\PaRhBrT.exe
  C:\Windows\System\PaRhBrT.exe
  2⤵
  PID:8760
- C:\Windows\System\gtkKIXq.exe
  C:\Windows\System\gtkKIXq.exe
  2⤵
  PID:8852
- C:\Windows\System\fCAUIaj.exe
  C:\Windows\System\fCAUIaj.exe
  2⤵
  PID:8908
- C:\Windows\System\pANutBp.exe
  C:\Windows\System\pANutBp.exe
  2⤵
  PID:8964
- C:\Windows\System\IsDwJaR.exe
  C:\Windows\System\IsDwJaR.exe
  2⤵
  PID:9044
- C:\Windows\System\bKfrkbo.exe
  C:\Windows\System\bKfrkbo.exe
  2⤵
  PID:9076
- C:\Windows\System\LXyfLlm.exe
  C:\Windows\System\LXyfLlm.exe
  2⤵
  PID:9136
- C:\Windows\System\NMbDsyd.exe
  C:\Windows\System\NMbDsyd.exe
  2⤵
  PID:9180
- C:\Windows\System\ltWjLGD.exe
  C:\Windows\System\ltWjLGD.exe
  2⤵
  PID:8256
- C:\Windows\System\GEiaYZP.exe
  C:\Windows\System\GEiaYZP.exe
  2⤵
  PID:8464
- C:\Windows\System\AdvvUoQ.exe
  C:\Windows\System\AdvvUoQ.exe
  2⤵
  PID:8596
- C:\Windows\System\jKznAng.exe
  C:\Windows\System\jKznAng.exe
  2⤵
  PID:8708
- C:\Windows\System\SmaMzaW.exe
  C:\Windows\System\SmaMzaW.exe
  2⤵
  PID:8828
- C:\Windows\System\oWwnGru.exe
  C:\Windows\System\oWwnGru.exe
  2⤵
  PID:8996
- C:\Windows\System\epVvdzd.exe
  C:\Windows\System\epVvdzd.exe
  2⤵
  PID:9108
- C:\Windows\System\UsitkcU.exe
  C:\Windows\System\UsitkcU.exe
  2⤵
  PID:8416
- C:\Windows\System\ZDmRFeH.exe
  C:\Windows\System\ZDmRFeH.exe
  2⤵
  PID:548
- C:\Windows\System\tLXuMhU.exe
  C:\Windows\System\tLXuMhU.exe
  2⤵
  PID:8744
- C:\Windows\System\JacznVX.exe
  C:\Windows\System\JacznVX.exe
  2⤵
  PID:8620
- C:\Windows\System\VyJIeQg.exe
  C:\Windows\System\VyJIeQg.exe
  2⤵
  PID:8260
- C:\Windows\System\pGLQfpm.exe
  C:\Windows\System\pGLQfpm.exe
  2⤵
  PID:9228
- C:\Windows\System\AgxFrZN.exe
  C:\Windows\System\AgxFrZN.exe
  2⤵
  PID:9252
- C:\Windows\System\dbYSUfz.exe
  C:\Windows\System\dbYSUfz.exe
  2⤵
  PID:9292
- C:\Windows\System\PzFRVtg.exe
  C:\Windows\System\PzFRVtg.exe
  2⤵
  PID:9320
- C:\Windows\System\pRfLVgZ.exe
  C:\Windows\System\pRfLVgZ.exe
  2⤵
  PID:9348
- C:\Windows\System\BOTEXLp.exe
  C:\Windows\System\BOTEXLp.exe
  2⤵
  PID:9368
- C:\Windows\System\isDoSlL.exe
  C:\Windows\System\isDoSlL.exe
  2⤵
  PID:9396
- C:\Windows\System\bNfpKoH.exe
  C:\Windows\System\bNfpKoH.exe
  2⤵
  PID:9424
- C:\Windows\System\wKsbxpx.exe
  C:\Windows\System\wKsbxpx.exe
  2⤵
  PID:9448
- C:\Windows\System\pbvRcHb.exe
  C:\Windows\System\pbvRcHb.exe
  2⤵
  PID:9476
- C:\Windows\System\yKljSAG.exe
  C:\Windows\System\yKljSAG.exe
  2⤵
  PID:9504
- C:\Windows\System\naLGgPZ.exe
  C:\Windows\System\naLGgPZ.exe
  2⤵
  PID:9532
- C:\Windows\System\LbQapWn.exe
  C:\Windows\System\LbQapWn.exe
  2⤵
  PID:9560
- C:\Windows\System\iUhVYOr.exe
  C:\Windows\System\iUhVYOr.exe
  2⤵
  PID:9588
- C:\Windows\System\pSdmKND.exe
  C:\Windows\System\pSdmKND.exe
  2⤵
  PID:9628
- C:\Windows\System\qNivGdq.exe
  C:\Windows\System\qNivGdq.exe
  2⤵
  PID:9656
- C:\Windows\System\GukJPAe.exe
  C:\Windows\System\GukJPAe.exe
  2⤵
  PID:9672
- C:\Windows\System\pHrqJSz.exe
  C:\Windows\System\pHrqJSz.exe
  2⤵
  PID:9692
- C:\Windows\System\CQERBlY.exe
  C:\Windows\System\CQERBlY.exe
  2⤵
  PID:9720
- C:\Windows\System\jVHhLLS.exe
  C:\Windows\System\jVHhLLS.exe
  2⤵
  PID:9744
- C:\Windows\System\cvJJIaE.exe
  C:\Windows\System\cvJJIaE.exe
  2⤵
  PID:9796
- C:\Windows\System\RJbzvpn.exe
  C:\Windows\System\RJbzvpn.exe
  2⤵
  PID:9812
- C:\Windows\System\MpaqRPZ.exe
  C:\Windows\System\MpaqRPZ.exe
  2⤵
  PID:9832
- C:\Windows\System\rGQFAEN.exe
  C:\Windows\System\rGQFAEN.exe
  2⤵
  PID:9868
- C:\Windows\System\YsYQcPI.exe
  C:\Windows\System\YsYQcPI.exe
  2⤵
  PID:9896
- C:\Windows\System\OHfQIWR.exe
  C:\Windows\System\OHfQIWR.exe
  2⤵
  PID:9912
- C:\Windows\System\IvuKumW.exe
  C:\Windows\System\IvuKumW.exe
  2⤵
  PID:9964
- C:\Windows\System\VZwIDat.exe
  C:\Windows\System\VZwIDat.exe
  2⤵
  PID:9992
- C:\Windows\System\bRFPmKB.exe
  C:\Windows\System\bRFPmKB.exe
  2⤵
  PID:10032
- C:\Windows\System\QZYoOpc.exe
  C:\Windows\System\QZYoOpc.exe
  2⤵
  PID:10048
- C:\Windows\System\beezKRw.exe
  C:\Windows\System\beezKRw.exe
  2⤵
  PID:10076
- C:\Windows\System\imKsekp.exe
  C:\Windows\System\imKsekp.exe
  2⤵
  PID:10104
- C:\Windows\System\XATWHJK.exe
  C:\Windows\System\XATWHJK.exe
  2⤵
  PID:10120
- C:\Windows\System\RGBjWWw.exe
  C:\Windows\System\RGBjWWw.exe
  2⤵
  PID:10136
- C:\Windows\System\HccLfwn.exe
  C:\Windows\System\HccLfwn.exe
  2⤵
  PID:10160
- C:\Windows\System\utPHYkz.exe
  C:\Windows\System\utPHYkz.exe
  2⤵
  PID:10188
- C:\Windows\System\zpsdbCx.exe
  C:\Windows\System\zpsdbCx.exe
  2⤵
  PID:10216
- C:\Windows\System\IPSjAoz.exe
  C:\Windows\System\IPSjAoz.exe
  2⤵
  PID:9284
- C:\Windows\System\qPxNcRf.exe
  C:\Windows\System\qPxNcRf.exe
  2⤵
  PID:9336
- C:\Windows\System\eUpvqOh.exe
  C:\Windows\System\eUpvqOh.exe
  2⤵
  PID:9412
- C:\Windows\System\PTOkOaf.exe
  C:\Windows\System\PTOkOaf.exe
  2⤵
  PID:9468
- C:\Windows\System\stYZeZc.exe
  C:\Windows\System\stYZeZc.exe
  2⤵
  PID:9552
- C:\Windows\System\gtnlcWg.exe
  C:\Windows\System\gtnlcWg.exe
  2⤵
  PID:9580
- C:\Windows\System\uKoPztM.exe
  C:\Windows\System\uKoPztM.exe
  2⤵
  PID:9684
- C:\Windows\System\LMJmGyU.exe
  C:\Windows\System\LMJmGyU.exe
  2⤵
  PID:9776
- C:\Windows\System\EcMpvJZ.exe
  C:\Windows\System\EcMpvJZ.exe
  2⤵
  PID:9840
- C:\Windows\System\InQVgXm.exe
  C:\Windows\System\InQVgXm.exe
  2⤵
  PID:9852
- C:\Windows\System\lRLaGWv.exe
  C:\Windows\System\lRLaGWv.exe
  2⤵
  PID:9952
- C:\Windows\System\DwCqkUg.exe
  C:\Windows\System\DwCqkUg.exe
  2⤵
  PID:9988
- C:\Windows\System\ktXeVtx.exe
  C:\Windows\System\ktXeVtx.exe
  2⤵
  PID:10040
- C:\Windows\System\cpeHDnj.exe
  C:\Windows\System\cpeHDnj.exe
  2⤵
  PID:10096
- C:\Windows\System\ICzOChw.exe
  C:\Windows\System\ICzOChw.exe
  2⤵
  PID:10204
- C:\Windows\System\bXoftGq.exe
  C:\Windows\System\bXoftGq.exe
  2⤵
  PID:9312
- C:\Windows\System\nGzBCXo.exe
  C:\Windows\System\nGzBCXo.exe
  2⤵
  PID:9444
- C:\Windows\System\EmlHtOl.exe
  C:\Windows\System\EmlHtOl.exe
  2⤵
  PID:9548
- C:\Windows\System\ZCJISwi.exe
  C:\Windows\System\ZCJISwi.exe
  2⤵
  PID:9680
- C:\Windows\System\QNtnDlp.exe
  C:\Windows\System\QNtnDlp.exe
  2⤵
  PID:9828
- C:\Windows\System\QpZqMBs.exe
  C:\Windows\System\QpZqMBs.exe
  2⤵
  PID:10012
- C:\Windows\System\jOzzPkc.exe
  C:\Windows\System\jOzzPkc.exe
  2⤵
  PID:10156
- C:\Windows\System\jhsYzdJ.exe
  C:\Windows\System\jhsYzdJ.exe
  2⤵
  PID:9236
- C:\Windows\System\vMHYKKk.exe
  C:\Windows\System\vMHYKKk.exe
  2⤵
  PID:9572
- C:\Windows\System\sPLpuas.exe
  C:\Windows\System\sPLpuas.exe
  2⤵
  PID:9392
- C:\Windows\System\hxAmNGW.exe
  C:\Windows\System\hxAmNGW.exe
  2⤵
  PID:9864
- C:\Windows\System\fnTFGTb.exe
  C:\Windows\System\fnTFGTb.exe
  2⤵
  PID:10260
- C:\Windows\System\lIdmppk.exe
  C:\Windows\System\lIdmppk.exe
  2⤵
  PID:10300
- C:\Windows\System\SUvZFKB.exe
  C:\Windows\System\SUvZFKB.exe
  2⤵
  PID:10316
- C:\Windows\System\BLmbDZJ.exe
  C:\Windows\System\BLmbDZJ.exe
  2⤵
  PID:10344
- C:\Windows\System\qUPNEat.exe
  C:\Windows\System\qUPNEat.exe
  2⤵
  PID:10368
- C:\Windows\System\GhwlmcM.exe
  C:\Windows\System\GhwlmcM.exe
  2⤵
  PID:10396
- C:\Windows\System\YvznfuR.exe
  C:\Windows\System\YvznfuR.exe
  2⤵
  PID:10440
- C:\Windows\System\WbhnaQx.exe
  C:\Windows\System\WbhnaQx.exe
  2⤵
  PID:10468
- C:\Windows\System\pVKbgMv.exe
  C:\Windows\System\pVKbgMv.exe
  2⤵
  PID:10484
- C:\Windows\System\qqBtngi.exe
  C:\Windows\System\qqBtngi.exe
  2⤵
  PID:10512
- C:\Windows\System\eRuMjkj.exe
  C:\Windows\System\eRuMjkj.exe
  2⤵
  PID:10528
- C:\Windows\System\oQQeliu.exe
  C:\Windows\System\oQQeliu.exe
  2⤵
  PID:10572
- C:\Windows\System\qQTOZWI.exe
  C:\Windows\System\qQTOZWI.exe
  2⤵
  PID:10596
- C:\Windows\System\voHdYFH.exe
  C:\Windows\System\voHdYFH.exe
  2⤵
  PID:10624
- C:\Windows\System\edHTnbp.exe
  C:\Windows\System\edHTnbp.exe
  2⤵
  PID:10664
- C:\Windows\System\dYFcBQM.exe
  C:\Windows\System\dYFcBQM.exe
  2⤵
  PID:10692
- C:\Windows\System\ZwTxAVs.exe
  C:\Windows\System\ZwTxAVs.exe
  2⤵
  PID:10720
- C:\Windows\System\aSEwIse.exe
  C:\Windows\System\aSEwIse.exe
  2⤵
  PID:10748
- C:\Windows\System\yVesjnb.exe
  C:\Windows\System\yVesjnb.exe
  2⤵
  PID:10764
- C:\Windows\System\kOotroS.exe
  C:\Windows\System\kOotroS.exe
  2⤵
  PID:10788
- C:\Windows\System\ccEiVEv.exe
  C:\Windows\System\ccEiVEv.exe
  2⤵
  PID:10820
- C:\Windows\System\RybPOEQ.exe
  C:\Windows\System\RybPOEQ.exe
  2⤵
  PID:10848
- C:\Windows\System\zikkAEQ.exe
  C:\Windows\System\zikkAEQ.exe
  2⤵
  PID:10876
- C:\Windows\System\RAyyIxG.exe
  C:\Windows\System\RAyyIxG.exe
  2⤵
  PID:10904
- C:\Windows\System\HKKTMWM.exe
  C:\Windows\System\HKKTMWM.exe
  2⤵
  PID:10944
- C:\Windows\System\CplStIi.exe
  C:\Windows\System\CplStIi.exe
  2⤵
  PID:10972
- C:\Windows\System\YPWglrB.exe
  C:\Windows\System\YPWglrB.exe
  2⤵
  PID:10988
- C:\Windows\System\ZFdVpuP.exe
  C:\Windows\System\ZFdVpuP.exe
  2⤵
  PID:11028
- C:\Windows\System\AVgrwWy.exe
  C:\Windows\System\AVgrwWy.exe
  2⤵
  PID:11056
- C:\Windows\System\GIsmBif.exe
  C:\Windows\System\GIsmBif.exe
  2⤵
  PID:11072
- C:\Windows\System\GLqSMRv.exe
  C:\Windows\System\GLqSMRv.exe
  2⤵
  PID:11116
- C:\Windows\System\ZOOPgQF.exe
  C:\Windows\System\ZOOPgQF.exe
  2⤵
  PID:11144
- C:\Windows\System\jlaTKKW.exe
  C:\Windows\System\jlaTKKW.exe
  2⤵
  PID:11172
- C:\Windows\System\dvJILCV.exe
  C:\Windows\System\dvJILCV.exe
  2⤵
  PID:11188
- C:\Windows\System\AVnuSDT.exe
  C:\Windows\System\AVnuSDT.exe
  2⤵
  PID:11228
- C:\Windows\System\gLxBJKi.exe
  C:\Windows\System\gLxBJKi.exe
  2⤵
  PID:11248
- C:\Windows\System\cjhknsV.exe
  C:\Windows\System\cjhknsV.exe
  2⤵
  PID:10244
- C:\Windows\System\aZOZLxl.exe
  C:\Windows\System\aZOZLxl.exe
  2⤵
  PID:10288
- C:\Windows\System\cEOGHkE.exe
  C:\Windows\System\cEOGHkE.exe
  2⤵
  PID:10336
- C:\Windows\System\BpmgKgY.exe
  C:\Windows\System\BpmgKgY.exe
  2⤵
  PID:10384
- C:\Windows\System\axQizHy.exe
  C:\Windows\System\axQizHy.exe
  2⤵
  PID:10496
- C:\Windows\System\heJMEYL.exe
  C:\Windows\System\heJMEYL.exe
  2⤵
  PID:10556
- C:\Windows\System\TsMdfkq.exe
  C:\Windows\System\TsMdfkq.exe
  2⤵
  PID:10588
- C:\Windows\System\BGQKEjo.exe
  C:\Windows\System\BGQKEjo.exe
  2⤵
  PID:10652
- C:\Windows\System\dbazeww.exe
  C:\Windows\System\dbazeww.exe
  2⤵
  PID:10716
- C:\Windows\System\zkbRnaQ.exe
  C:\Windows\System\zkbRnaQ.exe
  2⤵
  PID:10780
- C:\Windows\System\fTkKPRm.exe
  C:\Windows\System\fTkKPRm.exe
  2⤵
  PID:10864
- C:\Windows\System\iuJFPox.exe
  C:\Windows\System\iuJFPox.exe
  2⤵
  PID:10956
- C:\Windows\System\vGxUjyz.exe
  C:\Windows\System\vGxUjyz.exe
  2⤵
  PID:11040
- C:\Windows\System\wspSoNF.exe
  C:\Windows\System\wspSoNF.exe
  2⤵
  PID:11064
- C:\Windows\System\WiNEcOl.exe
  C:\Windows\System\WiNEcOl.exe
  2⤵
  PID:11124
- C:\Windows\System\DfavzbV.exe
  C:\Windows\System\DfavzbV.exe
  2⤵
  PID:11164
- C:\Windows\System\UuxdoZn.exe
  C:\Windows\System\UuxdoZn.exe
  2⤵
  PID:11236
- C:\Windows\System\CfbiXew.exe
  C:\Windows\System\CfbiXew.exe
  2⤵
  PID:10284
- C:\Windows\System\KLsGZPu.exe
  C:\Windows\System\KLsGZPu.exe
  2⤵
  PID:10460
- C:\Windows\System\AIovZoC.exe
  C:\Windows\System\AIovZoC.exe
  2⤵
  PID:10732
- C:\Windows\System\jWKKdna.exe
  C:\Windows\System\jWKKdna.exe
  2⤵
  PID:10760
- C:\Windows\System\RLEAJFa.exe
  C:\Windows\System\RLEAJFa.exe
  2⤵
  PID:10984
- C:\Windows\System\BZBoksq.exe
  C:\Windows\System\BZBoksq.exe
  2⤵
  PID:11160
- C:\Windows\System\DiQEKMk.exe
  C:\Windows\System\DiQEKMk.exe
  2⤵
  PID:8816
- C:\Windows\System\BZfaCNZ.exe
  C:\Windows\System\BZfaCNZ.exe
  2⤵
  PID:10688
- C:\Windows\System\nzVeKTR.exe
  C:\Windows\System\nzVeKTR.exe
  2⤵
  PID:3512
- C:\Windows\System\aGLeVBh.exe
  C:\Windows\System\aGLeVBh.exe
  2⤵
  PID:9736
- C:\Windows\System\VJMEmXd.exe
  C:\Windows\System\VJMEmXd.exe
  2⤵
  PID:11200
- C:\Windows\System\TEBmLdD.exe
  C:\Windows\System\TEBmLdD.exe
  2⤵
  PID:10872
- C:\Windows\System\FPPlzzE.exe
  C:\Windows\System\FPPlzzE.exe
  2⤵
  PID:11284
- C:\Windows\System\iCIrSPY.exe
  C:\Windows\System\iCIrSPY.exe
  2⤵
  PID:11312
- C:\Windows\System\oWOZEgZ.exe
  C:\Windows\System\oWOZEgZ.exe
  2⤵
  PID:11352
- C:\Windows\System\yHevmEh.exe
  C:\Windows\System\yHevmEh.exe
  2⤵
  PID:11368
- C:\Windows\System\DKLRqcW.exe
  C:\Windows\System\DKLRqcW.exe
  2⤵
  PID:11412
- C:\Windows\System\YvfMHjW.exe
  C:\Windows\System\YvfMHjW.exe
  2⤵
  PID:11452
- C:\Windows\System\pooBCPq.exe
  C:\Windows\System\pooBCPq.exe
  2⤵
  PID:11472
- C:\Windows\System\CKhTTTo.exe
  C:\Windows\System\CKhTTTo.exe
  2⤵
  PID:11504
- C:\Windows\System\UzFAiFt.exe
  C:\Windows\System\UzFAiFt.exe
  2⤵
  PID:11524
- C:\Windows\System\zFbNskL.exe
  C:\Windows\System\zFbNskL.exe
  2⤵
  PID:11552
- C:\Windows\System\MfLldmN.exe
  C:\Windows\System\MfLldmN.exe
  2⤵
  PID:11580
- C:\Windows\System\WoVpiio.exe
  C:\Windows\System\WoVpiio.exe
  2⤵
  PID:11612
- C:\Windows\System\PYgIeZX.exe
  C:\Windows\System\PYgIeZX.exe
  2⤵
  PID:11648
- C:\Windows\System\sCdmvvJ.exe
  C:\Windows\System\sCdmvvJ.exe
  2⤵
  PID:11680
- C:\Windows\System\tUkuCcZ.exe
  C:\Windows\System\tUkuCcZ.exe
  2⤵
  PID:11720
- C:\Windows\System\KHepdvX.exe
  C:\Windows\System\KHepdvX.exe
  2⤵
  PID:11748
- C:\Windows\System\lKyMDZA.exe
  C:\Windows\System\lKyMDZA.exe
  2⤵
  PID:11776
- C:\Windows\System\hBzaQFX.exe
  C:\Windows\System\hBzaQFX.exe
  2⤵
  PID:11792
- C:\Windows\System\JsgCqlN.exe
  C:\Windows\System\JsgCqlN.exe
  2⤵
  PID:11820
- C:\Windows\System\aReXGib.exe
  C:\Windows\System\aReXGib.exe
  2⤵
  PID:11848
- C:\Windows\System\OmjXHiU.exe
  C:\Windows\System\OmjXHiU.exe
  2⤵
  PID:11876
- C:\Windows\System\IwkNRcM.exe
  C:\Windows\System\IwkNRcM.exe
  2⤵
  PID:11904
- C:\Windows\System\mOkaELC.exe
  C:\Windows\System\mOkaELC.exe
  2⤵
  PID:11944
- C:\Windows\System\perGJSZ.exe
  C:\Windows\System\perGJSZ.exe
  2⤵
  PID:11972
- C:\Windows\System\SlVRvoJ.exe
  C:\Windows\System\SlVRvoJ.exe
  2⤵
  PID:12000
- C:\Windows\System\zxiUtbZ.exe
  C:\Windows\System\zxiUtbZ.exe
  2⤵
  PID:12020
- C:\Windows\System\UEotIxK.exe
  C:\Windows\System\UEotIxK.exe
  2⤵
  PID:12044
- C:\Windows\System\nIOVsSK.exe
  C:\Windows\System\nIOVsSK.exe
  2⤵
  PID:12084
- C:\Windows\System\BCdcyno.exe
  C:\Windows\System\BCdcyno.exe
  2⤵
  PID:12100
- C:\Windows\System\LEPOALf.exe
  C:\Windows\System\LEPOALf.exe
  2⤵
  PID:12128
- C:\Windows\System\XosLwwh.exe
  C:\Windows\System\XosLwwh.exe
  2⤵
  PID:12168
- C:\Windows\System\rUBnPrq.exe
  C:\Windows\System\rUBnPrq.exe
  2⤵
  PID:12196
- C:\Windows\System\huvwUxy.exe
  C:\Windows\System\huvwUxy.exe
  2⤵
  PID:12224
- C:\Windows\System\jWWVwoq.exe
  C:\Windows\System\jWWVwoq.exe
  2⤵
  PID:12240
- C:\Windows\System\ZaCroXz.exe
  C:\Windows\System\ZaCroXz.exe
  2⤵
  PID:12268
- C:\Windows\System\CcRkobg.exe
  C:\Windows\System\CcRkobg.exe
  2⤵
  PID:10292
- C:\Windows\System\lHavDzh.exe
  C:\Windows\System\lHavDzh.exe
  2⤵
  PID:11324
- C:\Windows\System\yxePaOv.exe
  C:\Windows\System\yxePaOv.exe
  2⤵
  PID:11360
- C:\Windows\System\mBMKGDm.exe
  C:\Windows\System\mBMKGDm.exe
  2⤵
  PID:11468
- C:\Windows\System\wCPWgHQ.exe
  C:\Windows\System\wCPWgHQ.exe
  2⤵
  PID:11496
- C:\Windows\System\uFLVXBx.exe
  C:\Windows\System\uFLVXBx.exe
  2⤵
  PID:11548
- C:\Windows\System\eNWkwqg.exe
  C:\Windows\System\eNWkwqg.exe
  2⤵
  PID:11672
- C:\Windows\System\JSBQlmF.exe
  C:\Windows\System\JSBQlmF.exe
  2⤵
  PID:11692
- C:\Windows\System\JWyysTD.exe
  C:\Windows\System\JWyysTD.exe
  2⤵
  PID:11732
- C:\Windows\System\rqKEixo.exe
  C:\Windows\System\rqKEixo.exe
  2⤵
  PID:11784
- C:\Windows\System\kfnwMoR.exe
  C:\Windows\System\kfnwMoR.exe
  2⤵
  PID:11860
- C:\Windows\System\BHsIcuf.exe
  C:\Windows\System\BHsIcuf.exe
  2⤵
  PID:11956
- C:\Windows\System\bkDaBDx.exe
  C:\Windows\System\bkDaBDx.exe
  2⤵
  PID:12016
- C:\Windows\System\csgexwz.exe
  C:\Windows\System\csgexwz.exe
  2⤵
  PID:12028
- C:\Windows\System\ZlclOAB.exe
  C:\Windows\System\ZlclOAB.exe
  2⤵
  PID:12076
- C:\Windows\System\OdmhEiN.exe
  C:\Windows\System\OdmhEiN.exe
  2⤵
  PID:12256
- C:\Windows\System\cEQPXIN.exe
  C:\Windows\System\cEQPXIN.exe
  2⤵
  PID:11052
- C:\Windows\System\xVEkDLZ.exe
  C:\Windows\System\xVEkDLZ.exe
  2⤵
  PID:11448
- C:\Windows\System\cBRkgdC.exe
  C:\Windows\System\cBRkgdC.exe
  2⤵
  PID:11600
- C:\Windows\System\FdoWPCe.exe
  C:\Windows\System\FdoWPCe.exe
  2⤵
  PID:11708
- C:\Windows\System\WKUZEwU.exe
  C:\Windows\System\WKUZEwU.exe
  2⤵
  PID:11836
- C:\Windows\System\sWitHQw.exe
  C:\Windows\System\sWitHQw.exe
  2⤵
  PID:12060
- C:\Windows\System\LIBdTSX.exe
  C:\Windows\System\LIBdTSX.exe
  2⤵
  PID:12148
- C:\Windows\System\OfxrCmp.exe
  C:\Windows\System\OfxrCmp.exe
  2⤵
  PID:11364
- C:\Windows\System\cHLETCB.exe
  C:\Windows\System\cHLETCB.exe
  2⤵
  PID:11520
- C:\Windows\System\OABzhLq.exe
  C:\Windows\System\OABzhLq.exe
  2⤵
  PID:11988
- C:\Windows\System\CJushiM.exe
  C:\Windows\System\CJushiM.exe
  2⤵
  PID:12160
- C:\Windows\System\hgHMSRT.exe
  C:\Windows\System\hgHMSRT.exe
  2⤵
  PID:11716
- C:\Windows\System\rtThEBZ.exe
  C:\Windows\System\rtThEBZ.exe
  2⤵
  PID:12296
- C:\Windows\System\OmRZBHG.exe
  C:\Windows\System\OmRZBHG.exe
  2⤵
  PID:12324
- C:\Windows\System\RJFdqXq.exe
  C:\Windows\System\RJFdqXq.exe
  2⤵
  PID:12356
- C:\Windows\System\exHMxOP.exe
  C:\Windows\System\exHMxOP.exe
  2⤵
  PID:12392
- C:\Windows\System\vFqBXap.exe
  C:\Windows\System\vFqBXap.exe
  2⤵
  PID:12408
- C:\Windows\System\wVzZFgb.exe
  C:\Windows\System\wVzZFgb.exe
  2⤵
  PID:12436
- C:\Windows\System\YICZFKi.exe
  C:\Windows\System\YICZFKi.exe
  2⤵
  PID:12460
- C:\Windows\System\aHlvXan.exe
  C:\Windows\System\aHlvXan.exe
  2⤵
  PID:12492
- C:\Windows\System\ijPPWAX.exe
  C:\Windows\System\ijPPWAX.exe
  2⤵
  PID:12520
- C:\Windows\System\EzykRUS.exe
  C:\Windows\System\EzykRUS.exe
  2⤵
  PID:12548
- C:\Windows\System\pstqXli.exe
  C:\Windows\System\pstqXli.exe
  2⤵
  PID:12576
- C:\Windows\System\cxCWiEB.exe
  C:\Windows\System\cxCWiEB.exe
  2⤵
  PID:12620
- C:\Windows\System\jSQUAJT.exe
  C:\Windows\System\jSQUAJT.exe
  2⤵
  PID:12636
- C:\Windows\System\cVSqmUz.exe
  C:\Windows\System\cVSqmUz.exe
  2⤵
  PID:12664
- C:\Windows\System\IoWzgkC.exe
  C:\Windows\System\IoWzgkC.exe
  2⤵
  PID:12696
- C:\Windows\System\CmoXfHN.exe
  C:\Windows\System\CmoXfHN.exe
  2⤵
  PID:12716
- C:\Windows\System\KLKOYIT.exe
  C:\Windows\System\KLKOYIT.exe
  2⤵
  PID:12740
- C:\Windows\System\zOdZuRP.exe
  C:\Windows\System\zOdZuRP.exe
  2⤵
  PID:12764
- C:\Windows\System\sztbvzC.exe
  C:\Windows\System\sztbvzC.exe
  2⤵
  PID:12792
- C:\Windows\System\NqTdJMC.exe
  C:\Windows\System\NqTdJMC.exe
  2⤵
  PID:12824
- C:\Windows\System\JNyuVsg.exe
  C:\Windows\System\JNyuVsg.exe
  2⤵
  PID:12848
- C:\Windows\System\EtdTqIk.exe
  C:\Windows\System\EtdTqIk.exe
  2⤵
  PID:12872
- C:\Windows\System\XuVsSXc.exe
  C:\Windows\System\XuVsSXc.exe
  2⤵
  PID:12904
- C:\Windows\System\rmUkMxa.exe
  C:\Windows\System\rmUkMxa.exe
  2⤵
  PID:12956
- C:\Windows\System\iugqHVz.exe
  C:\Windows\System\iugqHVz.exe
  2⤵
  PID:12972
- C:\Windows\System\cORxFyG.exe
  C:\Windows\System\cORxFyG.exe
  2⤵
  PID:13012
- C:\Windows\System\rgbavYU.exe
  C:\Windows\System\rgbavYU.exe
  2⤵
  PID:13032
- C:\Windows\System\ePWqcaK.exe
  C:\Windows\System\ePWqcaK.exe
  2⤵
  PID:13048
- C:\Windows\System\SFyOKza.exe
  C:\Windows\System\SFyOKza.exe
  2⤵
  PID:13068
- C:\Windows\System\SCYpqwt.exe
  C:\Windows\System\SCYpqwt.exe
  2⤵
  PID:13132
- C:\Windows\System\iGgSoSk.exe
  C:\Windows\System\iGgSoSk.exe
  2⤵
  PID:13160
- C:\Windows\System\OLDdLvW.exe
  C:\Windows\System\OLDdLvW.exe
  2⤵
  PID:13192
- C:\Windows\System\mDNglSf.exe
  C:\Windows\System\mDNglSf.exe
  2⤵
  PID:13224
- C:\Windows\System\sZAUlqB.exe
  C:\Windows\System\sZAUlqB.exe
  2⤵
  PID:13240
- C:\Windows\System\gZSOVts.exe
  C:\Windows\System\gZSOVts.exe
  2⤵
  PID:13256
- C:\Windows\System\IiOTTGh.exe
  C:\Windows\System\IiOTTGh.exe
  2⤵
  PID:13296
- C:\Windows\System\FvuDkfK.exe
  C:\Windows\System\FvuDkfK.exe
  2⤵
  PID:12316
- C:\Windows\System\FQfpNFY.exe
  C:\Windows\System\FQfpNFY.exe
  2⤵
  PID:12388
- C:\Windows\System\nZtRFjz.exe
  C:\Windows\System\nZtRFjz.exe
  2⤵
  PID:12428
- C:\Windows\System\ucsTdOj.exe
  C:\Windows\System\ucsTdOj.exe
  2⤵
  PID:12456
- C:\Windows\System\MDxTGFE.exe
  C:\Windows\System\MDxTGFE.exe
  2⤵
  PID:12512
- C:\Windows\System\JnBvuXs.exe
  C:\Windows\System\JnBvuXs.exe
  2⤵
  PID:12568
- C:\Windows\System\qVtuHxF.exe
  C:\Windows\System\qVtuHxF.exe
  2⤵
  PID:12676
- C:\Windows\System\cvBfWDE.exe
  C:\Windows\System\cvBfWDE.exe
  2⤵
  PID:12736
- C:\Windows\System\enozcvG.exe
  C:\Windows\System\enozcvG.exe
  2⤵
  PID:12832
- C:\Windows\System\lbzpfhg.exe
  C:\Windows\System\lbzpfhg.exe
  2⤵
  PID:12840
- C:\Windows\System\cSGjpEp.exe
  C:\Windows\System\cSGjpEp.exe
  2⤵
  PID:12928
- C:\Windows\System\UeRmXzl.exe
  C:\Windows\System\UeRmXzl.exe
  2⤵
  PID:13004
- C:\Windows\System\LtkysOt.exe
  C:\Windows\System\LtkysOt.exe
  2⤵
  PID:13064
- C:\Windows\System\nUqgaBT.exe
  C:\Windows\System\nUqgaBT.exe
  2⤵
  PID:13144
- C:\Windows\System\lLRqOuA.exe
  C:\Windows\System\lLRqOuA.exe
  2⤵
  PID:13188
- C:\Windows\System\yoxslqP.exe
  C:\Windows\System\yoxslqP.exe
  2⤵
  PID:11664
- C:\Windows\System\xMpEykX.exe
  C:\Windows\System\xMpEykX.exe
  2⤵
  PID:13056
- C:\Windows\System\FpexmHb.exe
  C:\Windows\System\FpexmHb.exe
  2⤵
  PID:12404
- C:\Windows\System\hnlMMlz.exe
  C:\Windows\System\hnlMMlz.exe
  2⤵
  PID:12560
- C:\Windows\System\jMuUwcS.exe
  C:\Windows\System\jMuUwcS.exe
  2⤵
  PID:12748
- C:\Windows\System\NuFiwjL.exe
  C:\Windows\System\NuFiwjL.exe
  2⤵
  PID:12856
- C:\Windows\System\GRgQVhQ.exe
  C:\Windows\System\GRgQVhQ.exe
  2⤵
  PID:12012
- C:\Windows\System\dVAtBRQ.exe
  C:\Windows\System\dVAtBRQ.exe
  2⤵
  PID:13204
- C:\Windows\System\PLtamVs.exe
  C:\Windows\System\PLtamVs.exe
  2⤵
  PID:13236
- C:\Windows\System\gKyQKCF.exe
  C:\Windows\System\gKyQKCF.exe
  2⤵
  PID:12444
- C:\Windows\System\TfiUOkH.exe
  C:\Windows\System\TfiUOkH.exe
  2⤵
  PID:12632
- C:\Windows\System\sJpTdFQ.exe
  C:\Windows\System\sJpTdFQ.exe
  2⤵
  PID:13092
- C:\Windows\System\LhTUMSt.exe
  C:\Windows\System\LhTUMSt.exe
  2⤵
  PID:12804
- C:\Windows\System\pPoxuXZ.exe
  C:\Windows\System\pPoxuXZ.exe
  2⤵
  PID:12308
- C:\Windows\System\vpGCdmu.exe
  C:\Windows\System\vpGCdmu.exe
  2⤵
  PID:13336
- C:\Windows\System\GHxHkpx.exe
  C:\Windows\System\GHxHkpx.exe
  2⤵
  PID:13364
- C:\Windows\System\WJbxGGK.exe
  C:\Windows\System\WJbxGGK.exe
  2⤵
  PID:13384
- C:\Windows\System\YdMiGkN.exe
  C:\Windows\System\YdMiGkN.exe
  2⤵
  PID:13408
- C:\Windows\System\vXdoGZE.exe
  C:\Windows\System\vXdoGZE.exe
  2⤵
  PID:13436
- C:\Windows\System\GdlTHYD.exe
  C:\Windows\System\GdlTHYD.exe
  2⤵
  PID:13488
- C:\Windows\System\PsIQkhQ.exe
  C:\Windows\System\PsIQkhQ.exe
  2⤵
  PID:13520
- C:\Windows\System\ItFhfjw.exe
  C:\Windows\System\ItFhfjw.exe
  2⤵
  PID:13544
- C:\Windows\System\eMFYENU.exe
  C:\Windows\System\eMFYENU.exe
  2⤵
  PID:13584
- C:\Windows\System\zwBKOGZ.exe
  C:\Windows\System\zwBKOGZ.exe
  2⤵
  PID:13608
- C:\Windows\System\OsgPDwy.exe
  C:\Windows\System\OsgPDwy.exe
  2⤵
  PID:13624
- C:\Windows\System\gOAxJNR.exe
  C:\Windows\System\gOAxJNR.exe
  2⤵
  PID:13640
- C:\Windows\System\axOclIj.exe
  C:\Windows\System\axOclIj.exe
  2⤵
  PID:13668
- C:\Windows\System\cNGsZQB.exe
  C:\Windows\System\cNGsZQB.exe
  2⤵
  PID:13700
- C:\Windows\System\LqVGKSt.exe
  C:\Windows\System\LqVGKSt.exe
  2⤵
  PID:13728
- C:\Windows\System\haNVrWV.exe
  C:\Windows\System\haNVrWV.exe
  2⤵
  PID:13744
- C:\Windows\System\fiPfZHI.exe
  C:\Windows\System\fiPfZHI.exe
  2⤵
  PID:13760
- C:\Windows\System\TIVettW.exe
  C:\Windows\System\TIVettW.exe
  2⤵
  PID:13788
- C:\Windows\System\nFSggmY.exe
  C:\Windows\System\nFSggmY.exe
  2⤵
  PID:13812
- C:\Windows\System\lKQhTev.exe
  C:\Windows\System\lKQhTev.exe
  2⤵
  PID:13832
- C:\Windows\System\GKUyMrj.exe
  C:\Windows\System\GKUyMrj.exe
  2⤵
  PID:13848
- C:\Windows\System\ZwtwUQn.exe
  C:\Windows\System\ZwtwUQn.exe
  2⤵
  PID:13884
- C:\Windows\System\WLRpeTe.exe
  C:\Windows\System\WLRpeTe.exe
  2⤵
  PID:13900
- C:\Windows\System\KOVbJJn.exe
  C:\Windows\System\KOVbJJn.exe
  2⤵
  PID:13928
- C:\Windows\System\NzxqESV.exe
  C:\Windows\System\NzxqESV.exe
  2⤵
  PID:13980
- C:\Windows\System\svzIcFX.exe
  C:\Windows\System\svzIcFX.exe
  2⤵
  PID:14012
- C:\Windows\System\bxdgwVU.exe
  C:\Windows\System\bxdgwVU.exe
  2⤵
  PID:14056
- C:\Windows\System\PbLaTHW.exe
  C:\Windows\System\PbLaTHW.exe
  2⤵
  PID:14080
- C:\Windows\System\qcMpZEV.exe
  C:\Windows\System\qcMpZEV.exe
  2⤵
  PID:14128
- C:\Windows\System\YLgIwpk.exe
  C:\Windows\System\YLgIwpk.exe
  2⤵
  PID:14164
- C:\Windows\System\SNQbxuV.exe
  C:\Windows\System\SNQbxuV.exe
  2⤵
  PID:14180
- C:\Windows\System\fngDvDl.exe
  C:\Windows\System\fngDvDl.exe
  2⤵
  PID:14216
- C:\Windows\System\GEVmSSN.exe
  C:\Windows\System\GEVmSSN.exe
  2⤵
  PID:14252
- C:\Windows\System\ESRDMiX.exe
  C:\Windows\System\ESRDMiX.exe
  2⤵
  PID:14288
- C:\Windows\System\FpigPWN.exe
  C:\Windows\System\FpigPWN.exe
  2⤵
  PID:14312
- C:\Windows\System\lvZlKTM.exe
  C:\Windows\System\lvZlKTM.exe
  2⤵
  PID:12896
- C:\Windows\System\KPNNesj.exe
  C:\Windows\System\KPNNesj.exe
  2⤵
  PID:13316
- C:\Windows\System\qyAwGxx.exe
  C:\Windows\System\qyAwGxx.exe
  2⤵
  PID:13404
- C:\Windows\System\EkVwzmX.exe
  C:\Windows\System\EkVwzmX.exe
  2⤵
  PID:13376
- C:\Windows\System\wMjFopm.exe
  C:\Windows\System\wMjFopm.exe
  2⤵
  PID:13540
- C:\Windows\System\XiDbKnG.exe
  C:\Windows\System\XiDbKnG.exe
  2⤵
  PID:13560
- C:\Windows\System\nCRwgYe.exe
  C:\Windows\System\nCRwgYe.exe
  2⤵
  PID:13680
- C:\Windows\System\tQJPLDU.exe
  C:\Windows\System\tQJPLDU.exe
  2⤵
  PID:13692
- C:\Windows\System\EjQYmns.exe
  C:\Windows\System\EjQYmns.exe
  2⤵
  PID:13824
- C:\Windows\System\TSWWEBX.exe
  C:\Windows\System\TSWWEBX.exe
  2⤵
  PID:13924
- C:\Windows\System\HuUzSzj.exe
  C:\Windows\System\HuUzSzj.exe
  2⤵
  PID:13880
- C:\Windows\System\YfoMKJT.exe
  C:\Windows\System\YfoMKJT.exe
  2⤵
  PID:14036
- C:\Windows\System\ZvRHHsJ.exe
  C:\Windows\System\ZvRHHsJ.exe
  2⤵
  PID:14136
- C:\Windows\System\RgcPsIB.exe
  C:\Windows\System\RgcPsIB.exe
  2⤵
  PID:14176
- C:\Windows\System\gzoFasb.exe
  C:\Windows\System\gzoFasb.exe
  2⤵
  PID:14272
- C:\Windows\System\WuoxDQe.exe
  C:\Windows\System\WuoxDQe.exe
  2⤵
  PID:14328
- C:\Windows\System\vWroHUV.exe
  C:\Windows\System\vWroHUV.exe
  2⤵
  PID:12348
- C:\Windows\System\mXWKPjY.exe
  C:\Windows\System\mXWKPjY.exe
  2⤵
  PID:13512
- C:\Windows\System\IFAswzW.exe
  C:\Windows\System\IFAswzW.exe
  2⤵
  PID:13580
- C:\Windows\System\ytWdLCF.exe
  C:\Windows\System\ytWdLCF.exe
  2⤵
  PID:13720
- C:\Windows\System\uOJwVJw.exe
  C:\Windows\System\uOJwVJw.exe
  2⤵
  PID:13876
- C:\Windows\System\WAJsUwe.exe
  C:\Windows\System\WAJsUwe.exe
  2⤵
  PID:14228
- C:\Windows\System\QsUANcV.exe
  C:\Windows\System\QsUANcV.exe
  2⤵
  PID:14332
- C:\Windows\System\nsdfTnV.exe
  C:\Windows\System\nsdfTnV.exe
  2⤵
  PID:13808
- C:\Windows\System\BUGoFXw.exe
  C:\Windows\System\BUGoFXw.exe
  2⤵
  PID:13860
- C:\Windows\System\sMZrSlD.exe
  C:\Windows\System\sMZrSlD.exe
  2⤵
  PID:13952
- C:\Windows\System\xFHYyaz.exe
  C:\Windows\System\xFHYyaz.exe
  2⤵
  PID:13400
- C:\Windows\System\kYdYJAL.exe
  C:\Windows\System\kYdYJAL.exe
  2⤵
  PID:14364
- C:\Windows\System\Kspqcfz.exe
  C:\Windows\System\Kspqcfz.exe
  2⤵
  PID:14392
- C:\Windows\System\aIWUhWz.exe
  C:\Windows\System\aIWUhWz.exe
  2⤵
  PID:14416
- C:\Windows\System\bcCntyz.exe
  C:\Windows\System\bcCntyz.exe
  2⤵
  PID:14448
- C:\Windows\System\lcLGgob.exe
  C:\Windows\System\lcLGgob.exe
  2⤵
  PID:14476
- C:\Windows\System\SPkFkCl.exe
  C:\Windows\System\SPkFkCl.exe
  2⤵
  PID:14504
- C:\Windows\System\aHYTCBl.exe
  C:\Windows\System\aHYTCBl.exe
  2⤵
  PID:14532
- C:\Windows\System\XyUvBfp.exe
  C:\Windows\System\XyUvBfp.exe
  2⤵
  PID:14548
- C:\Windows\System\JYMTvoA.exe
  C:\Windows\System\JYMTvoA.exe
  2⤵
  PID:14576
- C:\Windows\System\heeQrAK.exe
  C:\Windows\System\heeQrAK.exe
  2⤵
  PID:14604
- C:\Windows\System\vhxmtZw.exe
  C:\Windows\System\vhxmtZw.exe
  2⤵
  PID:14644
- C:\Windows\System\ODihurI.exe
  C:\Windows\System\ODihurI.exe
  2⤵
  PID:14672
- C:\Windows\System\inCSJzd.exe
  C:\Windows\System\inCSJzd.exe
  2⤵
  PID:14700
- C:\Windows\System\JhbyNlH.exe
  C:\Windows\System\JhbyNlH.exe
  2⤵
  PID:14716
- C:\Windows\System\Aqjgzca.exe
  C:\Windows\System\Aqjgzca.exe
  2⤵
  PID:14756
- C:\Windows\System\mzzqzdp.exe
  C:\Windows\System\mzzqzdp.exe
  2⤵
  PID:14772
- C:\Windows\System\jsphBtB.exe
  C:\Windows\System\jsphBtB.exe
  2⤵
  PID:14840
- C:\Windows\System\YYWlmrW.exe
  C:\Windows\System\YYWlmrW.exe
  2⤵
  PID:15016

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AZJZOdh.exe

Filesize
1.8MB

MD5
ff6d40fabc0b152d4446b4e041e8c1a2

SHA1
5595b284fbc353c9b1e22e4a09b3f840e7254229

SHA256
91fdadd6f25bfa732aaf49a1f852fa66ec3d0a49c1446668fa9ebe140b179f8b

SHA512
f518cda82e8eacf9a07263e8e1309d06c7ecf9444bd48c7f05c0f84143170a9d527718eb4b8a0e74d955ad51f8019d473c0b5d03c9270b4f624107ff5403514b

Download Submit
C:\Windows\System\Befnjht.exe

Filesize
1.8MB

MD5
b71533b5a24a0b0a02e14a26b0a8d2a9

SHA1
0b467d77eca6f20a93e10bc73147756cef4671d5

SHA256
aa3aa8092a6ada1c3aa88438ba823ea3df59811b4957a1cbe662de35544ce120

SHA512
665a3efeb18daa90c13f1c7bc380a91a8d4cdec084dc0dc24e45df331344fa307708f6c90698d159c6c7a7e5b8b1ac3d5d738ffe6733a023950854c97960ca6d

Download Submit
C:\Windows\System\DnRrXpy.exe

Filesize
1.8MB

MD5
5ef49fa856922619a2b0f865c83fec71

SHA1
9bad517434c01face0ee42122466f135fc41d2a6

SHA256
58483eb4a9e32c15eda323f021ce3f89cac9d7e3f5c63d3b497e0892a50a7f19

SHA512
e384df6f1d2b60670435e1162d1b04c1fcb9444354f524e9e8b1f4afe121586228ae9a749a446f5ce26c9b5457087db16970777b9e00ee0b125f373d4a457d2e

Download Submit
C:\Windows\System\DuzRSaV.exe

Filesize
1.8MB

MD5
030fe5c26fb72bfb5a21e0d56c5cdfd3

SHA1
4a7ea977ece14cd70d3072f3d425f8b1f7ea5c8c

SHA256
74963269fe56b101d7bdd24f7ff9ecdfdfb06e5c3c5278723d007511b549529e

SHA512
5b7d04607205bf118896a0fa96e1ecd8863f36974f0ed770a0731aa5bc04a1a0defe398040d477ca20cfcac8e24c12be8b0d883e61c0c8a696f7b9cafc3723fd

Download Submit
C:\Windows\System\FPjgjns.exe

Filesize
1.8MB

MD5
61553e0d1e706a874c4452d4ade172b6

SHA1
a17b2a875625695bbf292e456f02b2af61ac5425

SHA256
e8aa543fd8bf04fab38fe576b835254424084bd113d4f58d8b8f53cbd4e1c257

SHA512
4dc2e9c2dc8591ee213edf65ea311105a5bee2bfb1d14ca737246742656ef96fa31077bb7b0cda2c171ee5f0ba00e7c156a7460716b5ae4dd39e61b153389e41

Download Submit
C:\Windows\System\GPzFNyJ.exe

Filesize
1.8MB

MD5
39bc5905460b93e8598e7e20d6f9c5bd

SHA1
ce7a7d04e131f7f8056a95ecf1236551137278d6

SHA256
abe6d982f9c709c0fde11eb964e87363b7f01227758cfa3825c9ecebd0396ae0

SHA512
45f28d309eb00414dbcfba1e7cc90f8be581dbfbc43b333be7d8fae5406fcc19107398c02c667d57bbd15f61ad14e04588f58301943398d972d9448aaf7382d5

Download Submit
C:\Windows\System\HNoIyQQ.exe

Filesize
1.8MB

MD5
2e36597de3447aad7abd9968610febe4

SHA1
e0fdc856294a21b16346ca9c433d62d8489a2e91

SHA256
52b2afcec4199b34d4c8fa35f37902ffcac9a4d1bf684f9d902ab95e141e2c97

SHA512
99a392476a273d5584552f65a39133e89f6897419fb445f55f5ff20d881432477218ad8a435ec751c554a1c67479ca6325358e1df266975c213c29aaa0ddc8ff

Download Submit
C:\Windows\System\HsaqUVP.exe

Filesize
1.8MB

MD5
06926138bef940862021a18e3220e271

SHA1
ff2e13d13b01fc6be8712df16846a4fde404f488

SHA256
3274b4b73bb8d75104962d8ebfa654fe06eccd5b45ddb9a8f5c87d3c33032d4e

SHA512
b80515811e7175846c7410323f1a7f93679bbb0a8ba124615459b4c567f5db57d5ff8019a985188b65d6e241c5957afad0f67106f8d78a89d9c83d86376693a4

Download Submit
C:\Windows\System\IXjpgAl.exe

Filesize
1.8MB

MD5
abb35dbed3843b052a77266ac3aebcd7

SHA1
8d6c70d8d77c123f65c5d2a6abce93ae2ade274f

SHA256
eaedfbbb429f94e2b936e5b629c30b9e04f7e838c91fc6d6a692fc4e807a40ff

SHA512
b6173932b9099b240428f3ba1a31bff7cc22ecbf715fabf4d15af9bfc8a5ebbae3aa4009639027fee56f949a5bd4a48d8d51340ace96d28b596ad2a0545dd393

Download Submit
C:\Windows\System\KvFefor.exe

Filesize
1.8MB

MD5
19d5bdfa28cdc76aa90c8575af60d8a3

SHA1
4a2791fe8e6d9dfc782297a2498d80d1ab406f58

SHA256
d75620f6099712eee4f9982f8f65f90b5b0f793c9838785beaaaeb2b3b6b5f18

SHA512
cd528c7d8ed922bb54c977f5f80d500519114063da7ade310e6fbe353e45f840c35bd47f930c994956ee55bc5f5a0b78a82ce06d5503116904531df5efa2f6e8

Download Submit
C:\Windows\System\LebjeZi.exe

Filesize
1.8MB

MD5
cb13a62b7f88407d75c35f0bd40f0887

SHA1
96308fc7c1813d85ffada33904b25328da039c84

SHA256
d2668aa6c3f02ec9786b8b5ff622ab9e91c94ec6ca0622e29647cd0d82296fb0

SHA512
60ea4b2bf415493fc8b1812659a29df13af1f3586e8cfe4576bc7d2f6e399c14e120e81bb5aa0bfbc2649045981de3ee3524bd309bd5c62c4ff5ff44d1263b57

Download Submit
C:\Windows\System\MLtdwWe.exe

Filesize
1.8MB

MD5
546d73da751f62b8fbc29bd3f92dc4a4

SHA1
ceb75daf8b68f8d703bbaa314b4c0e11d1e56ea9

SHA256
674fff22ac1c1c9b70c16f1abf0e9227d8236421900afca630a0411caa1ceefe

SHA512
7e843920c1bdd497b1a49ce2b3b706861ede9276f86f2db55a3bc355c68f89ed4b8558ecf24d7d6068db355cb57a21ac6dabd007c865754951e819ad28fbd501

Download Submit
C:\Windows\System\OQgqUKl.exe

Filesize
1.8MB

MD5
1e8e14df9f6bbe363062b062cbfc1626

SHA1
ff667bc7d2cf3abe1741f23e36fd764c42dbdb4a

SHA256
cb5f5fa3ce7bcd5f51e5a38609ed5a8ffa1384977e56311baf4c7819d16493cc

SHA512
a15406e0b4ea1a0fcb4d6cbade0c3a71a94b5048de1394724216ac1fc120005f922c94353837e2213f2233a8181ac9b243594a8210e26a78e41526883461d803

Download Submit
C:\Windows\System\PBAHLKg.exe

Filesize
1.8MB

MD5
42fc4fa2f8dfbf3a1da5700417687a11

SHA1
279a3eef61b45b0331b5d2824ff7ff05a9713f41

SHA256
794c513e26faebaa7ff89a12f621c9a91d6a9462aa844500c80a9efe5913a89a

SHA512
abed39d1805163b95402a11faadb1fe187fc4aa356f682a285d044e5b7f008b1db210c82008c6d79daafc8cad127d579df01a4ab11e07b6f39c7a17a0a48685f

Download Submit
C:\Windows\System\PruGjkp.exe

Filesize
1.8MB

MD5
54ff8c5e5af72564555c3f4fa84c64e9

SHA1
c9a6e1af8768bb83f5246c1d53b472970b826ff3

SHA256
585281aaf0dc91f1d0effe4daef4441637a135c990e65a6c9c2b35337b39623c

SHA512
42454baaaa62b44d9deb96df705ee6dc7ab93d0f89ea58b5f5f18cdbc9ac6d966345df5385b5f886de794e6f437c9aa8a219ff1e534e33188d6ccdf7277b73ee

Download Submit
C:\Windows\System\QIgUdUF.exe

Filesize
1.8MB

MD5
83d95b3c4b256c565a4651c60adec5c6

SHA1
a02c8c96164f2adf00657815f47db6bcbb23b4db

SHA256
9811a32f249c15a5c6330c8818719739abaf5142f777776acc749d69b5b3799d

SHA512
98462504bf51cd9f2d21b3eb1d51633e5304109e1ebfc28af3ebad5066afb917c21d67e9f45b782945067c18593c4a151e19e2a895927759bb067c007660a247

Download Submit
C:\Windows\System\QjztzKP.exe

Filesize
1.8MB

MD5
3fd7f7e00f3e8199db3c8bdb53d61f9f

SHA1
2f9c76e43805e5f9bf2750ad12cc80aa983e64f8

SHA256
bc5039e5dced183b4d7adb4ae85684351815878d8caa05b8770600a502226eca

SHA512
74774b72fe505ce75155fd700b2edbce0b38faf68dd8e4dfcac3f59e0c6655c5f2f9d8c5c9ea923c4bd858515f85ac4543d7e14be1adaf44afcf6553c88537c7

Download Submit
C:\Windows\System\TRKuDEw.exe

Filesize
1.8MB

MD5
c808b122bb104f3118cf2644345f5583

SHA1
c4ac57fc550e893efc2ec2d1e9dd2ca54b1165f3

SHA256
ecbe1b8741521db5240cccc24f677e4493f13fdf7f6b523ead1c18cc608a57b2

SHA512
00c8f07880d5061c56d85655718debb844faa27f8810536b370c7a4b826564fba0bf3b26b395a4bea2e6cc31ec9d8ab59b06e058cf51f689a6196d1bd181bc29

Download Submit
C:\Windows\System\TVcPOoT.exe

Filesize
1.8MB

MD5
80182c7a20b8b777d4aec6001dc14dec

SHA1
28ba28ec84ba13d15ca52fb8f18a1fbb1d5a3a19

SHA256
6ac9910838161758f58edf1be6555ac597b0d7a4ae44048d1d11b97ffdfac6a3

SHA512
3808bd267f11d8f1a46633e7631651ac0b5fc5ddff700f6c735b35bd32bc72fd6abb64914d2f1bbf7f85d3ee8d2fa6d82efa94bdbf632c68688ede7938b13785

Download Submit
C:\Windows\System\VywDrsw.exe

Filesize
1.8MB

MD5
28f4843612abee241f4b5b3176a891ef

SHA1
302bb063059a4d6b6c2becea904be69ccb72d328

SHA256
6bab6adc188ad7814ffd013948a3377f29950287d435014bc8d3766296c4dc7f

SHA512
2bc688708f288e41f7edb73797f1d7bc7c68f6c46bf0c987b4f38ec33316d25f2398aa13ed80060e1a860a886c048e7a414c8b0bc620b615d3d15f1e99250724

Download Submit
C:\Windows\System\XLOuCoy.exe

Filesize
1.8MB

MD5
edfacc48905a5a8feb3b2a74ee7d3cc1

SHA1
f1e58b6f1a82088a7cfa53c8c6383c62c170037f

SHA256
b7246791748b9899513c94dd4d785d74b11513b136505e55b0060f7be98cdf89

SHA512
d799e7d44c64b837f2372615a2504c19b951f01b32608b6c6989043d5a9e10d8622f41a97d97b11508cc0f4b01e6765ba712d47efe19a8ae6699b3a217c83311

Download Submit
C:\Windows\System\YRwVwdE.exe

Filesize
1.8MB

MD5
3f9bcc636e29b5ed3f3bc318f5e00359

SHA1
54fe7ab8f8a7478be6041beb666ac08b3dcaad01

SHA256
3a7bed931f1f2608f21d31be160eec827a65b60f7d25b8dbe66e27a18786dfdb

SHA512
30450931584fb08d1ba9bbc2fb79c5d50bd6db4ded5b850b1f8c838ba269c122073628f3f08977dff55c02acbcf707a5bcd06e0185ad951cc966f6aab2491705

Download Submit
C:\Windows\System\bmzsWTg.exe

Filesize
1.8MB

MD5
0531abb83df5a3b16eb3bb2619d9b93d

SHA1
6fc5d8fca87b3991ba518d7ee61eb7c9629e1cfe

SHA256
c1d317de8ec113ef9da7fda655b4457c9635d758617e409ff5660fb4c3158acb

SHA512
996bd0396139f1f3c5582226d30260edee923749c6d4d1d3f80308edc357b30072617742d1d5c82350277385ff4b251301fcb1679af1303e46da1888373752b0

Download Submit
C:\Windows\System\fCrOXMG.exe

Filesize
1.8MB

MD5
fab383698d913c53089bcfacb4c37faf

SHA1
6e0004c7ee745f8c8fa82c80a1372e137897fc2d

SHA256
9e969afd755469a2097e6c881dd95b210cdc8c0ab538bf07e02878544c889571

SHA512
02a62d7a5d328232f6777046fb5db4ce68c6eb6d0f9a7e0ae8892cfde59eb31ff67d1bec197f56730ac2f8417c9b5ab48fbf9735d6b453bff7b54ef580ed6e34

Download Submit
C:\Windows\System\jJUveFa.exe

Filesize
1.8MB

MD5
7019af5ea9dfa984183596b94545905a

SHA1
ab5d6bdb9eda50148ec640d080aa40e2458084c1

SHA256
1c2193da4586c93e2b0d306300f4ff95f5543bf4c45931204292d805672ae417

SHA512
f21b0c29ed99f52213be1618b79bc263311e9cb701ea2b12a3811e4bc876a9897b56d397db872f399f96f2793b0a397e1b0acbc20838f96bcd4530fc7669f06c

Download Submit
C:\Windows\System\jdvKusJ.exe

Filesize
1.8MB

MD5
6d5b7a7a215fa15b27f221eb8c3e3af7

SHA1
8f57b4bbea9e30232c9eef8434c34f566b90384a

SHA256
3203f112223fe00864ebaaff96954170e5fe73a3f078e979f65a3ce906614747

SHA512
e652817ba39aebcf9c7abc6d8e136006793c490f81d93232d90711ee98f570607b94d7022d998e2e732f09f048a8d17c4a0182dc62586924e418deee60bc0b50

Download Submit
C:\Windows\System\ojdgjGA.exe

Filesize
1.8MB

MD5
0b6cc246da4271492c4cd6a7265ae4c8

SHA1
7ead3699b7d9dbd6a73ae8ddbee1c5e10e83455f

SHA256
291f2e6499fbc71c3f1a920fdca566e73cce334baee7c107d46311b1d8046abf

SHA512
c5df211dd1fdef9b544b3f060fbaf4240ddd4a8c2e826fe36dd98f897ed66264aee5a8557c1bc872f2ce07847b20935043abd5510045b4a48be8eeeb055c493b

Download Submit
C:\Windows\System\pjsHDtS.exe

Filesize
1.8MB

MD5
74be99247725e1c2d918f9a69bf8b705

SHA1
1db12e1d749262a437bbad868e3da030bb9338c7

SHA256
337702bcb28de91f90396c353958313b9b1d6427afc225483d4ed16bacfc8885

SHA512
ccacbb078dfb11d838c7e539e2f38351bfc88b5abb2c73ffd24a87e337f8944d7e9b677d71c18f003da8dd53ced77b985709a7717ef7f06ca32592d09bb766a8

Download Submit
C:\Windows\System\pswdpam.exe

Filesize
1.8MB

MD5
9c85b8d892465bfa16ed3c3c0e958af5

SHA1
85aab800d24a6a066701631bb83dc2016befdf1d

SHA256
9cf34d406ce12d1904d014cd5fe1956697f4ebf83e79f952d15dcbef021cf4a9

SHA512
cdf81a8c410b50c397fb214dd7d55ce7b1c52c8cc615e06aa86d6dab9acc33a6cf9233610a79195f3ab3f17577916198fa6f261c2dface01b70485df83b0b03c

Download Submit
C:\Windows\System\pyGzZcQ.exe

Filesize
1.8MB

MD5
a9a3110e95a2c0d9868c4b53fd7851f9

SHA1
76e874e4c87244719232b06a8503a17d2a4dd4a9

SHA256
47b44b94f54818e5497757fc5247afb577c4a763b636b529a018ef5498d09858

SHA512
0e2ea231fa2ea12339ba326870d4326232043280d7443bdf3c3ada567fd40a5f7db11d43ea2e30adfb9658cb6a0dddce69bea7a7852d2d9bee696e3ea33bd097

Download Submit
C:\Windows\System\qpWzGzX.exe

Filesize
1.8MB

MD5
bff5072facf35389cd1c25b5e66494e7

SHA1
2d70947a2db8d12f4e6972d5ff692ac9334e069e

SHA256
219d6983bb54d7d6fafe0aeedc11a4a58f4b58dfc6b5368fe9fa41e8a04f9e2e

SHA512
5703d77e5e451361a8e10f38cd193221be7eab5ae2cf04a59d477008f562fddc2285dbe286708a78ec63f3feac4622c24ad961c6e45c6cc10be1fd95a428c4f2

Download Submit
C:\Windows\System\raNHWKD.exe

Filesize
1.8MB

MD5
ffeb807c74d13d1afc7bc72f37e695d5

SHA1
58a22a476792859763dfb4b2d15e2c3ab987c14d

SHA256
b4bbddebc6e4abcaaea1da06b850d494023a776f7c8c125fa351bccd6c872a43

SHA512
0864b470d43e228ad95ef24fcc295742ff53e70b796044de9d6358d95c2fcd2d686671d164005cfec9bb91f03491159829362bbea81865dfa557a5e5095dcb1d

Download Submit
C:\Windows\System\zptKVjp.exe

Filesize
1.8MB

MD5
3b26b045bb38871197e611f3d1827062

SHA1
91f90ed862b2b41280371ffe2c710522b469bcfa

SHA256
a282278b9845d31d4478fee428624aed9b27289a4badf910ef09d400f7d7c616

SHA512
abce8e3d22aa3888c922cb94145395f412c712bba0b388afa323b38ede58a649cbf85f70e21043544640431c8e0e31425d488415b891effbdb03810b873210b3

Download Submit
memory/532-745-0x00007FF68A110000-0x00007FF68A464000-memory.dmp

Filesize
3.3MB

Download
memory/532-2323-0x00007FF68A110000-0x00007FF68A464000-memory.dmp

Filesize
3.3MB

Download
memory/720-751-0x00007FF7DB4E0000-0x00007FF7DB834000-memory.dmp

Filesize
3.3MB

Download
memory/720-2322-0x00007FF7DB4E0000-0x00007FF7DB834000-memory.dmp

Filesize
3.3MB

Download
memory/740-650-0x00007FF7321C0000-0x00007FF732514000-memory.dmp

Filesize
3.3MB

Download
memory/740-2308-0x00007FF7321C0000-0x00007FF732514000-memory.dmp

Filesize
3.3MB

Download
memory/1116-782-0x00007FF7407B0000-0x00007FF740B04000-memory.dmp

Filesize
3.3MB

Download
memory/1116-2325-0x00007FF7407B0000-0x00007FF740B04000-memory.dmp

Filesize
3.3MB

Download
memory/1200-2311-0x00007FF78D770000-0x00007FF78DAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1200-712-0x00007FF78D770000-0x00007FF78DAC4000-memory.dmp

Filesize
3.3MB

Download
memory/1248-2307-0x00007FF6DA8F0000-0x00007FF6DAC44000-memory.dmp

Filesize
3.3MB

Download
memory/1248-671-0x00007FF6DA8F0000-0x00007FF6DAC44000-memory.dmp

Filesize
3.3MB

Download
memory/1528-740-0x00007FF7637A0000-0x00007FF763AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1528-2319-0x00007FF7637A0000-0x00007FF763AF4000-memory.dmp

Filesize
3.3MB

Download
memory/1536-672-0x00007FF755320000-0x00007FF755674000-memory.dmp

Filesize
3.3MB

Download
memory/1536-2310-0x00007FF755320000-0x00007FF755674000-memory.dmp

Filesize
3.3MB

Download
memory/1868-2303-0x00007FF679C10000-0x00007FF679F64000-memory.dmp

Filesize
3.3MB

Download
memory/1868-659-0x00007FF679C10000-0x00007FF679F64000-memory.dmp

Filesize
3.3MB

Download
memory/1968-2305-0x00007FF69EBE0000-0x00007FF69EF34000-memory.dmp

Filesize
3.3MB

Download
memory/1968-665-0x00007FF69EBE0000-0x00007FF69EF34000-memory.dmp

Filesize
3.3MB

Download
memory/2088-2329-0x00007FF763000000-0x00007FF763354000-memory.dmp

Filesize
3.3MB

Download
memory/2088-767-0x00007FF763000000-0x00007FF763354000-memory.dmp

Filesize
3.3MB

Download
memory/2108-772-0x00007FF6DF070000-0x00007FF6DF3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2108-2327-0x00007FF6DF070000-0x00007FF6DF3C4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-2315-0x00007FF6C2B90000-0x00007FF6C2EE4000-memory.dmp

Filesize
3.3MB

Download
memory/2264-724-0x00007FF6C2B90000-0x00007FF6C2EE4000-memory.dmp

Filesize
3.3MB

Download
memory/2440-693-0x00007FF726010000-0x00007FF726364000-memory.dmp

Filesize
3.3MB

Download
memory/2440-2313-0x00007FF726010000-0x00007FF726364000-memory.dmp

Filesize
3.3MB

Download
memory/2616-2309-0x00007FF784D40000-0x00007FF785094000-memory.dmp

Filesize
3.3MB

Download
memory/2616-686-0x00007FF784D40000-0x00007FF785094000-memory.dmp

Filesize
3.3MB

Download
memory/2632-732-0x00007FF622330000-0x00007FF622684000-memory.dmp

Filesize
3.3MB

Download
memory/2632-2318-0x00007FF622330000-0x00007FF622684000-memory.dmp

Filesize
3.3MB

Download
memory/2736-2328-0x00007FF7D5450000-0x00007FF7D57A4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-778-0x00007FF7D5450000-0x00007FF7D57A4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-784-0x00007FF6169D0000-0x00007FF616D24000-memory.dmp

Filesize
3.3MB

Download
memory/3004-2304-0x00007FF6169D0000-0x00007FF616D24000-memory.dmp

Filesize
3.3MB

Download
memory/3212-649-0x00007FF6C2E20000-0x00007FF6C3174000-memory.dmp

Filesize
3.3MB

Download
memory/3212-2306-0x00007FF6C2E20000-0x00007FF6C3174000-memory.dmp

Filesize
3.3MB

Download
memory/3340-1846-0x00007FF66BED0000-0x00007FF66C224000-memory.dmp

Filesize
3.3MB

Download
memory/3340-648-0x00007FF66BED0000-0x00007FF66C224000-memory.dmp

Filesize
3.3MB

Download
memory/3340-2302-0x00007FF66BED0000-0x00007FF66C224000-memory.dmp

Filesize
3.3MB

Download
memory/3776-752-0x00007FF7E83A0000-0x00007FF7E86F4000-memory.dmp

Filesize
3.3MB

Download
memory/3776-2321-0x00007FF7E83A0000-0x00007FF7E86F4000-memory.dmp

Filesize
3.3MB

Download
memory/3828-701-0x00007FF78FB10000-0x00007FF78FE64000-memory.dmp

Filesize
3.3MB

Download
memory/3828-2317-0x00007FF78FB10000-0x00007FF78FE64000-memory.dmp

Filesize
3.3MB

Download
memory/3876-2312-0x00007FF733F10000-0x00007FF734264000-memory.dmp

Filesize
3.3MB

Download
memory/3876-713-0x00007FF733F10000-0x00007FF734264000-memory.dmp

Filesize
3.3MB

Download
memory/3924-1-0x00000286E3070000-0x00000286E3080000-memory.dmp

Filesize
64KB

Download
memory/3924-0-0x00007FF62A730000-0x00007FF62AA84000-memory.dmp

Filesize
3.3MB

Download
memory/3924-1712-0x00007FF62A730000-0x00007FF62AA84000-memory.dmp

Filesize
3.3MB

Download
memory/3968-2326-0x00007FF6D3820000-0x00007FF6D3B74000-memory.dmp

Filesize
3.3MB

Download
memory/3968-779-0x00007FF6D3820000-0x00007FF6D3B74000-memory.dmp

Filesize
3.3MB

Download
memory/4388-783-0x00007FF6374B0000-0x00007FF637804000-memory.dmp

Filesize
3.3MB

Download
memory/4388-2324-0x00007FF6374B0000-0x00007FF637804000-memory.dmp

Filesize
3.3MB

Download
memory/4612-764-0x00007FF78B0A0000-0x00007FF78B3F4000-memory.dmp

Filesize
3.3MB

Download
memory/4612-2320-0x00007FF78B0A0000-0x00007FF78B3F4000-memory.dmp

Filesize
3.3MB

Download
memory/4888-729-0x00007FF7DE230000-0x00007FF7DE584000-memory.dmp

Filesize
3.3MB

Download
memory/4888-2314-0x00007FF7DE230000-0x00007FF7DE584000-memory.dmp

Filesize
3.3MB

Download
memory/5016-2316-0x00007FF6FC150000-0x00007FF6FC4A4000-memory.dmp

Filesize
3.3MB

Download
memory/5016-717-0x00007FF6FC150000-0x00007FF6FC4A4000-memory.dmp

Filesize
3.3MB

Download
memory/5112-1841-0x00007FF6A9910000-0x00007FF6A9C64000-memory.dmp

Filesize
3.3MB

Download
memory/5112-2301-0x00007FF6A9910000-0x00007FF6A9C64000-memory.dmp

Filesize
3.3MB

Download
memory/5112-7-0x00007FF6A9910000-0x00007FF6A9C64000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads