xmrig | 07ca0092b65374334a2bf1820aa2f301c080510b3f8b82428d874b2bdce3be72

Analysis

max time kernel
70s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
Size

1.9MB
MD5

01262bd6b016f0b3316f91089fbba886
SHA1

5bbe36fe1adbbe14c873e185e77f60578442dc62
SHA256

07ca0092b65374334a2bf1820aa2f301c080510b3f8b82428d874b2bdce3be72
SHA512

1ae5e8ca586580e73eaf58d14eaa5f17799bb17d5317c3fa0c7d78dcc9c2c6f95ab9b2db7c0278e3d8d5adab7de90ea7b10634e6f526191de099fb6c12eacdb8
SSDEEP

49152:Lz071uv4BPMkibTIA5KIP7nTrmBhihM5xC+UM:NABB

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4852-30-0x00007FF60F210000-0x00007FF60F602000-memory.dmp	xmrig
behavioral2/memory/2356-18-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp	xmrig
behavioral2/memory/1448-52-0x00007FF776A30000-0x00007FF776E22000-memory.dmp	xmrig
behavioral2/memory/2044-34-0x00007FF713BA0000-0x00007FF713F92000-memory.dmp	xmrig
behavioral2/memory/1588-489-0x00007FF745DB0000-0x00007FF7461A2000-memory.dmp	xmrig
behavioral2/memory/2036-490-0x00007FF615560000-0x00007FF615952000-memory.dmp	xmrig
behavioral2/memory/4648-494-0x00007FF734100000-0x00007FF7344F2000-memory.dmp	xmrig
behavioral2/memory/2844-501-0x00007FF6D4ED0000-0x00007FF6D52C2000-memory.dmp	xmrig
behavioral2/memory/2536-518-0x00007FF7B5F00000-0x00007FF7B62F2000-memory.dmp	xmrig
behavioral2/memory/2404-512-0x00007FF777390000-0x00007FF777782000-memory.dmp	xmrig
behavioral2/memory/4644-531-0x00007FF61FD60000-0x00007FF620152000-memory.dmp	xmrig
behavioral2/memory/5060-528-0x00007FF75FC30000-0x00007FF760022000-memory.dmp	xmrig
behavioral2/memory/3940-525-0x00007FF6241A0000-0x00007FF624592000-memory.dmp	xmrig
behavioral2/memory/1000-541-0x00007FF64DB80000-0x00007FF64DF72000-memory.dmp	xmrig
behavioral2/memory/2928-571-0x00007FF69CA80000-0x00007FF69CE72000-memory.dmp	xmrig
behavioral2/memory/640-581-0x00007FF653570000-0x00007FF653962000-memory.dmp	xmrig
behavioral2/memory/4156-578-0x00007FF640840000-0x00007FF640C32000-memory.dmp	xmrig
behavioral2/memory/3428-559-0x00007FF69AF30000-0x00007FF69B322000-memory.dmp	xmrig
behavioral2/memory/4392-553-0x00007FF7A93B0000-0x00007FF7A97A2000-memory.dmp	xmrig
behavioral2/memory/232-550-0x00007FF797B50000-0x00007FF797F42000-memory.dmp	xmrig
behavioral2/memory/2936-535-0x00007FF7DD830000-0x00007FF7DDC22000-memory.dmp	xmrig
behavioral2/memory/3536-3111-0x00007FF7BE350000-0x00007FF7BE742000-memory.dmp	xmrig
behavioral2/memory/2356-3114-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp	xmrig
behavioral2/memory/2068-3115-0x00007FF703FF0000-0x00007FF7043E2000-memory.dmp	xmrig
behavioral2/memory/4812-3116-0x00007FF74B5D0000-0x00007FF74B9C2000-memory.dmp	xmrig
behavioral2/memory/3536-3118-0x00007FF7BE350000-0x00007FF7BE742000-memory.dmp	xmrig
behavioral2/memory/2356-3120-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp	xmrig
behavioral2/memory/2044-3125-0x00007FF713BA0000-0x00007FF713F92000-memory.dmp	xmrig
behavioral2/memory/1448-3123-0x00007FF776A30000-0x00007FF776E22000-memory.dmp	xmrig
behavioral2/memory/4852-3126-0x00007FF60F210000-0x00007FF60F602000-memory.dmp	xmrig
behavioral2/memory/2068-3128-0x00007FF703FF0000-0x00007FF7043E2000-memory.dmp	xmrig
behavioral2/memory/4156-3138-0x00007FF640840000-0x00007FF640C32000-memory.dmp	xmrig
behavioral2/memory/640-3144-0x00007FF653570000-0x00007FF653962000-memory.dmp	xmrig
behavioral2/memory/5060-3148-0x00007FF75FC30000-0x00007FF760022000-memory.dmp	xmrig
behavioral2/memory/3940-3150-0x00007FF6241A0000-0x00007FF624592000-memory.dmp	xmrig
behavioral2/memory/4644-3152-0x00007FF61FD60000-0x00007FF620152000-memory.dmp	xmrig
behavioral2/memory/2536-3147-0x00007FF7B5F00000-0x00007FF7B62F2000-memory.dmp	xmrig
behavioral2/memory/2404-3140-0x00007FF777390000-0x00007FF777782000-memory.dmp	xmrig
behavioral2/memory/4812-3136-0x00007FF74B5D0000-0x00007FF74B9C2000-memory.dmp	xmrig
behavioral2/memory/2036-3135-0x00007FF615560000-0x00007FF615952000-memory.dmp	xmrig
behavioral2/memory/1588-3142-0x00007FF745DB0000-0x00007FF7461A2000-memory.dmp	xmrig
behavioral2/memory/4648-3132-0x00007FF734100000-0x00007FF7344F2000-memory.dmp	xmrig
behavioral2/memory/2844-3131-0x00007FF6D4ED0000-0x00007FF6D52C2000-memory.dmp	xmrig
behavioral2/memory/232-3171-0x00007FF797B50000-0x00007FF797F42000-memory.dmp	xmrig
behavioral2/memory/2936-3174-0x00007FF7DD830000-0x00007FF7DDC22000-memory.dmp	xmrig
behavioral2/memory/3428-3181-0x00007FF69AF30000-0x00007FF69B322000-memory.dmp	xmrig
behavioral2/memory/2928-3176-0x00007FF69CA80000-0x00007FF69CE72000-memory.dmp	xmrig
behavioral2/memory/1000-3172-0x00007FF64DB80000-0x00007FF64DF72000-memory.dmp	xmrig
behavioral2/memory/4392-3169-0x00007FF7A93B0000-0x00007FF7A97A2000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3536	SdkEVEO.exe
2356	GJOWQBh.exe
4852	DCUTpsk.exe
2044	IxvLoTE.exe
2068	yqnNJfe.exe
4812	dpUDmVN.exe
1448	UqiYgOv.exe
4156	VnVemNy.exe
640	GEONdgk.exe
1588	TwhlRTI.exe
2036	weuhRfr.exe
4648	cwPJMUx.exe
2844	STgKVBv.exe
2404	UxDWovM.exe
2536	VqNtVjv.exe
3940	BTMQQcp.exe
5060	NDBmtlj.exe
4644	rtrLdLC.exe
2936	ExeKNVt.exe
1000	RNfWJxW.exe
232	BRWPgzA.exe
4392	XLQHUKN.exe
3428	xDowzTa.exe
2928	yGxUhKp.exe
1932	HVUMObw.exe
3676	gmoiTOr.exe
3496	FQASksQ.exe
3324	NiLlplC.exe
3620	WHXZXgl.exe
2780	XCprKzE.exe
3136	qDAsbeR.exe
468	alaIThM.exe
3416	EfljVTx.exe
1508	HvjuUCz.exe
1572	EQwCKnS.exe
4040	pGRywLT.exe
548	WNzNQIb.exe
4408	rTCpVKg.exe
2492	KaMzbgq.exe
4400	sGuIxze.exe
2264	wmAwUDE.exe
2768	vaKfZix.exe
2428	ackDsLw.exe
4060	ksnGmsi.exe
2512	ilPuUQN.exe
1040	edFOFVc.exe
4200	ZkOPEXI.exe
2360	mqPOudN.exe
4452	GVVpiRw.exe
2760	YYtaFRt.exe
2504	WEmULmx.exe
3336	eLYqKrv.exe
3488	YanzzyV.exe
924	IGVlWTa.exe
4988	aaJKeBj.exe
1240	BdLNRxa.exe
4576	ikfQofd.exe
892	uFyOaqz.exe
3708	yimrliJ.exe
1476	tHAvOOv.exe
2912	decrrcF.exe
4828	PoOWbUC.exe
752	txgWaXZ.exe
3848	HGjeNoZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1288-0-0x00007FF7D2310000-0x00007FF7D2702000-memory.dmp	upx
behavioral2/files/0x000b000000023b7b-5.dat	upx
behavioral2/files/0x000a000000023b80-7.dat	upx
behavioral2/memory/3536-9-0x00007FF7BE350000-0x00007FF7BE742000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-25.dat	upx
behavioral2/files/0x000a000000023b81-26.dat	upx
behavioral2/files/0x000a000000023b83-33.dat	upx
behavioral2/memory/4852-30-0x00007FF60F210000-0x00007FF60F602000-memory.dmp	upx
behavioral2/memory/2356-18-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-14.dat	upx
behavioral2/files/0x000a000000023b84-36.dat	upx
behavioral2/files/0x000a000000023b85-42.dat	upx
behavioral2/files/0x000a000000023b86-48.dat	upx
behavioral2/files/0x000a000000023b88-60.dat	upx
behavioral2/files/0x000a000000023b89-73.dat	upx
behavioral2/files/0x000a000000023b8c-80.dat	upx
behavioral2/files/0x000a000000023b8e-98.dat	upx
behavioral2/files/0x000a000000023b95-125.dat	upx
behavioral2/files/0x000a000000023b99-150.dat	upx
behavioral2/files/0x000a000000023b9a-163.dat	upx
behavioral2/files/0x000a000000023b9c-178.dat	upx
behavioral2/files/0x000a000000023b9e-180.dat	upx
behavioral2/files/0x000a000000023b9d-175.dat	upx
behavioral2/files/0x000a000000023b9b-173.dat	upx
behavioral2/files/0x000b000000023b93-168.dat	upx
behavioral2/files/0x000a000000023b98-153.dat	upx
behavioral2/files/0x000a000000023b97-148.dat	upx
behavioral2/files/0x000a000000023b96-143.dat	upx
behavioral2/files/0x000b000000023b94-138.dat	upx
behavioral2/files/0x000a000000023b92-128.dat	upx
behavioral2/files/0x000a000000023b91-123.dat	upx
behavioral2/files/0x000a000000023b90-118.dat	upx
behavioral2/files/0x000a000000023b8f-103.dat	upx
behavioral2/files/0x000a000000023b8d-93.dat	upx
behavioral2/files/0x000a000000023b8b-83.dat	upx
behavioral2/files/0x000a000000023b8a-78.dat	upx
behavioral2/files/0x000a000000023b87-63.dat	upx
behavioral2/memory/1448-52-0x00007FF776A30000-0x00007FF776E22000-memory.dmp	upx
behavioral2/memory/4812-46-0x00007FF74B5D0000-0x00007FF74B9C2000-memory.dmp	upx
behavioral2/memory/2068-40-0x00007FF703FF0000-0x00007FF7043E2000-memory.dmp	upx
behavioral2/memory/2044-34-0x00007FF713BA0000-0x00007FF713F92000-memory.dmp	upx
behavioral2/memory/1588-489-0x00007FF745DB0000-0x00007FF7461A2000-memory.dmp	upx
behavioral2/memory/2036-490-0x00007FF615560000-0x00007FF615952000-memory.dmp	upx
behavioral2/memory/4648-494-0x00007FF734100000-0x00007FF7344F2000-memory.dmp	upx
behavioral2/memory/2844-501-0x00007FF6D4ED0000-0x00007FF6D52C2000-memory.dmp	upx
behavioral2/memory/2536-518-0x00007FF7B5F00000-0x00007FF7B62F2000-memory.dmp	upx
behavioral2/memory/2404-512-0x00007FF777390000-0x00007FF777782000-memory.dmp	upx
behavioral2/memory/4644-531-0x00007FF61FD60000-0x00007FF620152000-memory.dmp	upx
behavioral2/memory/5060-528-0x00007FF75FC30000-0x00007FF760022000-memory.dmp	upx
behavioral2/memory/3940-525-0x00007FF6241A0000-0x00007FF624592000-memory.dmp	upx
behavioral2/memory/1000-541-0x00007FF64DB80000-0x00007FF64DF72000-memory.dmp	upx
behavioral2/memory/2928-571-0x00007FF69CA80000-0x00007FF69CE72000-memory.dmp	upx
behavioral2/memory/640-581-0x00007FF653570000-0x00007FF653962000-memory.dmp	upx
behavioral2/memory/4156-578-0x00007FF640840000-0x00007FF640C32000-memory.dmp	upx
behavioral2/memory/3428-559-0x00007FF69AF30000-0x00007FF69B322000-memory.dmp	upx
behavioral2/memory/4392-553-0x00007FF7A93B0000-0x00007FF7A97A2000-memory.dmp	upx
behavioral2/memory/232-550-0x00007FF797B50000-0x00007FF797F42000-memory.dmp	upx
behavioral2/memory/2936-535-0x00007FF7DD830000-0x00007FF7DDC22000-memory.dmp	upx
behavioral2/memory/3536-3111-0x00007FF7BE350000-0x00007FF7BE742000-memory.dmp	upx
behavioral2/memory/2356-3114-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp	upx
behavioral2/memory/2068-3115-0x00007FF703FF0000-0x00007FF7043E2000-memory.dmp	upx
behavioral2/memory/4812-3116-0x00007FF74B5D0000-0x00007FF74B9C2000-memory.dmp	upx
behavioral2/memory/3536-3118-0x00007FF7BE350000-0x00007FF7BE742000-memory.dmp	upx
behavioral2/memory/2356-3120-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\yUHDEfg.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\wqmfqgy.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\VRbFQKE.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\FUgnUNw.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\cLDngKN.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\cnfpotY.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\uicUPjh.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\BDzljlc.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\cOfCAVF.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\oEFwzIw.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\hSDgtmN.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\BAWvZHy.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\pvzoadI.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\EQwCKnS.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\KXCvVPJ.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\WnhArSC.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\wxRXdzL.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\arLYNof.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\MUDwnFB.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\CLXPsbW.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\NNBChKd.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\LcCIemL.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\ATbtoFp.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\FPQEGvv.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\qIcRPve.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\UXrbcOq.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\TNMhvVX.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\VMSsshB.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\Nokapul.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\uFyOaqz.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\IvwKtXi.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\SQYHMXX.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\OEhHQsw.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\beyHWgR.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\fcOgZuU.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\EusRKxi.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\CTGlVLz.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\WcdEgrD.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\TcRnSWf.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\zIYBvdK.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\Lrkieiu.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\TrjrzXN.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\EMLfqQQ.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\cmAYJDj.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\KObWOzo.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\qnGGNyA.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\wThWWHq.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\dXZHpzY.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\qyhOsPH.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\jYOKsMT.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\KnQGcQO.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\lfFsDpA.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\JEtSTgR.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\OhOXxlz.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\DrcIXXd.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\DBsECpJ.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\oEYytLv.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\KelqoJH.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\jStVftV.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\XLGBKwr.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\SnRkBTj.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\yhzUSGh.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\tIBhdmT.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
File created	C:\Windows\System\OzNjIgU.exe	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
Token: SeDebugPrivilege	4384	powershell.exe
Token: SeCreateGlobalPrivilege	1260	dwm.exe
Token: SeChangeNotifyPrivilege	1260	dwm.exe
Token: 33	1260	dwm.exe
Token: SeIncBasePriorityPrivilege	1260	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 4384	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	86
PID 1288 wrote to memory of 4384	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	86
PID 1288 wrote to memory of 3536	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	87
PID 1288 wrote to memory of 3536	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	87
PID 1288 wrote to memory of 2356	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	88
PID 1288 wrote to memory of 2356	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	88
PID 1288 wrote to memory of 4852	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	89
PID 1288 wrote to memory of 4852	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	89
PID 1288 wrote to memory of 2044	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	90
PID 1288 wrote to memory of 2044	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	90
PID 1288 wrote to memory of 2068	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	91
PID 1288 wrote to memory of 2068	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	91
PID 1288 wrote to memory of 4812	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	92
PID 1288 wrote to memory of 4812	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	92
PID 1288 wrote to memory of 1448	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	93
PID 1288 wrote to memory of 1448	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	93
PID 1288 wrote to memory of 4156	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	94
PID 1288 wrote to memory of 4156	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	94
PID 1288 wrote to memory of 640	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	95
PID 1288 wrote to memory of 640	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	95
PID 1288 wrote to memory of 1588	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	96
PID 1288 wrote to memory of 1588	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	96
PID 1288 wrote to memory of 2036	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	97
PID 1288 wrote to memory of 2036	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	97
PID 1288 wrote to memory of 4648	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	98
PID 1288 wrote to memory of 4648	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	98
PID 1288 wrote to memory of 2844	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	99
PID 1288 wrote to memory of 2844	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	99
PID 1288 wrote to memory of 2404	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	100
PID 1288 wrote to memory of 2404	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	100
PID 1288 wrote to memory of 2536	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	101
PID 1288 wrote to memory of 2536	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	101
PID 1288 wrote to memory of 3940	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	102
PID 1288 wrote to memory of 3940	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	102
PID 1288 wrote to memory of 5060	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	103
PID 1288 wrote to memory of 5060	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	103
PID 1288 wrote to memory of 4644	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	104
PID 1288 wrote to memory of 4644	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	104
PID 1288 wrote to memory of 2936	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	105
PID 1288 wrote to memory of 2936	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	105
PID 1288 wrote to memory of 1000	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	106
PID 1288 wrote to memory of 1000	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	106
PID 1288 wrote to memory of 232	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	107
PID 1288 wrote to memory of 232	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	107
PID 1288 wrote to memory of 4392	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	108
PID 1288 wrote to memory of 4392	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	108
PID 1288 wrote to memory of 3428	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	109
PID 1288 wrote to memory of 3428	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	109
PID 1288 wrote to memory of 2928	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	110
PID 1288 wrote to memory of 2928	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	110
PID 1288 wrote to memory of 1932	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	111
PID 1288 wrote to memory of 1932	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	111
PID 1288 wrote to memory of 3676	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	112
PID 1288 wrote to memory of 3676	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	112
PID 1288 wrote to memory of 3496	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	113
PID 1288 wrote to memory of 3496	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	113
PID 1288 wrote to memory of 3324	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	114
PID 1288 wrote to memory of 3324	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	114
PID 1288 wrote to memory of 3620	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	115
PID 1288 wrote to memory of 3620	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	115
PID 1288 wrote to memory of 2780	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	116
PID 1288 wrote to memory of 2780	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	116
PID 1288 wrote to memory of 3136	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	117
PID 1288 wrote to memory of 3136	1288	01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01262bd6b016f0b3316f91089fbba886_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
- C:\Windows\System\SdkEVEO.exe
  C:\Windows\System\SdkEVEO.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\GJOWQBh.exe
  C:\Windows\System\GJOWQBh.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\DCUTpsk.exe
  C:\Windows\System\DCUTpsk.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\IxvLoTE.exe
  C:\Windows\System\IxvLoTE.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\yqnNJfe.exe
  C:\Windows\System\yqnNJfe.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\dpUDmVN.exe
  C:\Windows\System\dpUDmVN.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\UqiYgOv.exe
  C:\Windows\System\UqiYgOv.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\VnVemNy.exe
  C:\Windows\System\VnVemNy.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\GEONdgk.exe
  C:\Windows\System\GEONdgk.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\TwhlRTI.exe
  C:\Windows\System\TwhlRTI.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\weuhRfr.exe
  C:\Windows\System\weuhRfr.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\cwPJMUx.exe
  C:\Windows\System\cwPJMUx.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\STgKVBv.exe
  C:\Windows\System\STgKVBv.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\UxDWovM.exe
  C:\Windows\System\UxDWovM.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\VqNtVjv.exe
  C:\Windows\System\VqNtVjv.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\BTMQQcp.exe
  C:\Windows\System\BTMQQcp.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\NDBmtlj.exe
  C:\Windows\System\NDBmtlj.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\rtrLdLC.exe
  C:\Windows\System\rtrLdLC.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\ExeKNVt.exe
  C:\Windows\System\ExeKNVt.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\RNfWJxW.exe
  C:\Windows\System\RNfWJxW.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\BRWPgzA.exe
  C:\Windows\System\BRWPgzA.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\XLQHUKN.exe
  C:\Windows\System\XLQHUKN.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\xDowzTa.exe
  C:\Windows\System\xDowzTa.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\yGxUhKp.exe
  C:\Windows\System\yGxUhKp.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\HVUMObw.exe
  C:\Windows\System\HVUMObw.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\gmoiTOr.exe
  C:\Windows\System\gmoiTOr.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\FQASksQ.exe
  C:\Windows\System\FQASksQ.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\NiLlplC.exe
  C:\Windows\System\NiLlplC.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\WHXZXgl.exe
  C:\Windows\System\WHXZXgl.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\XCprKzE.exe
  C:\Windows\System\XCprKzE.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\qDAsbeR.exe
  C:\Windows\System\qDAsbeR.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\alaIThM.exe
  C:\Windows\System\alaIThM.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\EfljVTx.exe
  C:\Windows\System\EfljVTx.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\HvjuUCz.exe
  C:\Windows\System\HvjuUCz.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\EQwCKnS.exe
  C:\Windows\System\EQwCKnS.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\pGRywLT.exe
  C:\Windows\System\pGRywLT.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\WNzNQIb.exe
  C:\Windows\System\WNzNQIb.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\rTCpVKg.exe
  C:\Windows\System\rTCpVKg.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\KaMzbgq.exe
  C:\Windows\System\KaMzbgq.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\sGuIxze.exe
  C:\Windows\System\sGuIxze.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\wmAwUDE.exe
  C:\Windows\System\wmAwUDE.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\vaKfZix.exe
  C:\Windows\System\vaKfZix.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\ackDsLw.exe
  C:\Windows\System\ackDsLw.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\ksnGmsi.exe
  C:\Windows\System\ksnGmsi.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\ilPuUQN.exe
  C:\Windows\System\ilPuUQN.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\edFOFVc.exe
  C:\Windows\System\edFOFVc.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\ZkOPEXI.exe
  C:\Windows\System\ZkOPEXI.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\mqPOudN.exe
  C:\Windows\System\mqPOudN.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\GVVpiRw.exe
  C:\Windows\System\GVVpiRw.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\YYtaFRt.exe
  C:\Windows\System\YYtaFRt.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\WEmULmx.exe
  C:\Windows\System\WEmULmx.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\eLYqKrv.exe
  C:\Windows\System\eLYqKrv.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\YanzzyV.exe
  C:\Windows\System\YanzzyV.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\IGVlWTa.exe
  C:\Windows\System\IGVlWTa.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\aaJKeBj.exe
  C:\Windows\System\aaJKeBj.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\BdLNRxa.exe
  C:\Windows\System\BdLNRxa.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\ikfQofd.exe
  C:\Windows\System\ikfQofd.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\uFyOaqz.exe
  C:\Windows\System\uFyOaqz.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System\yimrliJ.exe
  C:\Windows\System\yimrliJ.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\tHAvOOv.exe
  C:\Windows\System\tHAvOOv.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\decrrcF.exe
  C:\Windows\System\decrrcF.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\PoOWbUC.exe
  C:\Windows\System\PoOWbUC.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\txgWaXZ.exe
  C:\Windows\System\txgWaXZ.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\HGjeNoZ.exe
  C:\Windows\System\HGjeNoZ.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\kXdzDQR.exe
  C:\Windows\System\kXdzDQR.exe
  2⤵
  PID:5144
- C:\Windows\System\dfFQTid.exe
  C:\Windows\System\dfFQTid.exe
  2⤵
  PID:5172
- C:\Windows\System\ZoaydwT.exe
  C:\Windows\System\ZoaydwT.exe
  2⤵
  PID:5204
- C:\Windows\System\gwxeeOi.exe
  C:\Windows\System\gwxeeOi.exe
  2⤵
  PID:5232
- C:\Windows\System\dZqKcDK.exe
  C:\Windows\System\dZqKcDK.exe
  2⤵
  PID:5260
- C:\Windows\System\DgWDkCk.exe
  C:\Windows\System\DgWDkCk.exe
  2⤵
  PID:5292
- C:\Windows\System\WrsfFcI.exe
  C:\Windows\System\WrsfFcI.exe
  2⤵
  PID:5320
- C:\Windows\System\lgqWofv.exe
  C:\Windows\System\lgqWofv.exe
  2⤵
  PID:5348
- C:\Windows\System\CqSeZVC.exe
  C:\Windows\System\CqSeZVC.exe
  2⤵
  PID:5376
- C:\Windows\System\giCXclS.exe
  C:\Windows\System\giCXclS.exe
  2⤵
  PID:5404
- C:\Windows\System\ICmWEFY.exe
  C:\Windows\System\ICmWEFY.exe
  2⤵
  PID:5432
- C:\Windows\System\oYdgcZm.exe
  C:\Windows\System\oYdgcZm.exe
  2⤵
  PID:5460
- C:\Windows\System\KHALOqv.exe
  C:\Windows\System\KHALOqv.exe
  2⤵
  PID:5488
- C:\Windows\System\KATIEWh.exe
  C:\Windows\System\KATIEWh.exe
  2⤵
  PID:5516
- C:\Windows\System\iJIMuYw.exe
  C:\Windows\System\iJIMuYw.exe
  2⤵
  PID:5540
- C:\Windows\System\NYswgCt.exe
  C:\Windows\System\NYswgCt.exe
  2⤵
  PID:5572
- C:\Windows\System\XIFYNtY.exe
  C:\Windows\System\XIFYNtY.exe
  2⤵
  PID:5604
- C:\Windows\System\zOvnjAa.exe
  C:\Windows\System\zOvnjAa.exe
  2⤵
  PID:5628
- C:\Windows\System\lMoGizT.exe
  C:\Windows\System\lMoGizT.exe
  2⤵
  PID:5656
- C:\Windows\System\mtapGmg.exe
  C:\Windows\System\mtapGmg.exe
  2⤵
  PID:5684
- C:\Windows\System\wmGFKyn.exe
  C:\Windows\System\wmGFKyn.exe
  2⤵
  PID:5712
- C:\Windows\System\IhxCbVm.exe
  C:\Windows\System\IhxCbVm.exe
  2⤵
  PID:5740
- C:\Windows\System\Goieiye.exe
  C:\Windows\System\Goieiye.exe
  2⤵
  PID:5768
- C:\Windows\System\kDDXEEK.exe
  C:\Windows\System\kDDXEEK.exe
  2⤵
  PID:5792
- C:\Windows\System\vEwhpoJ.exe
  C:\Windows\System\vEwhpoJ.exe
  2⤵
  PID:5820
- C:\Windows\System\wVYbrNW.exe
  C:\Windows\System\wVYbrNW.exe
  2⤵
  PID:5852
- C:\Windows\System\jQjKLbL.exe
  C:\Windows\System\jQjKLbL.exe
  2⤵
  PID:5880
- C:\Windows\System\BnknsSl.exe
  C:\Windows\System\BnknsSl.exe
  2⤵
  PID:5908
- C:\Windows\System\zORYQRa.exe
  C:\Windows\System\zORYQRa.exe
  2⤵
  PID:5936
- C:\Windows\System\VIFskTY.exe
  C:\Windows\System\VIFskTY.exe
  2⤵
  PID:5960
- C:\Windows\System\GpXEmmF.exe
  C:\Windows\System\GpXEmmF.exe
  2⤵
  PID:5988
- C:\Windows\System\HUkNBec.exe
  C:\Windows\System\HUkNBec.exe
  2⤵
  PID:6020
- C:\Windows\System\blXtEMR.exe
  C:\Windows\System\blXtEMR.exe
  2⤵
  PID:6048
- C:\Windows\System\HBYDApG.exe
  C:\Windows\System\HBYDApG.exe
  2⤵
  PID:6072
- C:\Windows\System\OnscLBs.exe
  C:\Windows\System\OnscLBs.exe
  2⤵
  PID:6104
- C:\Windows\System\ENrrYjT.exe
  C:\Windows\System\ENrrYjT.exe
  2⤵
  PID:6136
- C:\Windows\System\LuSnHYD.exe
  C:\Windows\System\LuSnHYD.exe
  2⤵
  PID:4004
- C:\Windows\System\RyEnfLd.exe
  C:\Windows\System\RyEnfLd.exe
  2⤵
  PID:4016
- C:\Windows\System\eNgGHxe.exe
  C:\Windows\System\eNgGHxe.exe
  2⤵
  PID:4880
- C:\Windows\System\lEcoZLC.exe
  C:\Windows\System\lEcoZLC.exe
  2⤵
  PID:4524
- C:\Windows\System\mCXOAXp.exe
  C:\Windows\System\mCXOAXp.exe
  2⤵
  PID:5164
- C:\Windows\System\zajWPoD.exe
  C:\Windows\System\zajWPoD.exe
  2⤵
  PID:5240
- C:\Windows\System\RyUVSNd.exe
  C:\Windows\System\RyUVSNd.exe
  2⤵
  PID:5308
- C:\Windows\System\eWTRFja.exe
  C:\Windows\System\eWTRFja.exe
  2⤵
  PID:5368
- C:\Windows\System\yipmUYY.exe
  C:\Windows\System\yipmUYY.exe
  2⤵
  PID:5440
- C:\Windows\System\OtUXsbE.exe
  C:\Windows\System\OtUXsbE.exe
  2⤵
  PID:5556
- C:\Windows\System\GneXDpb.exe
  C:\Windows\System\GneXDpb.exe
  2⤵
  PID:5600
- C:\Windows\System\aFDDKfW.exe
  C:\Windows\System\aFDDKfW.exe
  2⤵
  PID:5644
- C:\Windows\System\wPetSZu.exe
  C:\Windows\System\wPetSZu.exe
  2⤵
  PID:2220
- C:\Windows\System\daPNesc.exe
  C:\Windows\System\daPNesc.exe
  2⤵
  PID:5748
- C:\Windows\System\gRCTnau.exe
  C:\Windows\System\gRCTnau.exe
  2⤵
  PID:5804
- C:\Windows\System\WScHxBH.exe
  C:\Windows\System\WScHxBH.exe
  2⤵
  PID:5860
- C:\Windows\System\mWremVN.exe
  C:\Windows\System\mWremVN.exe
  2⤵
  PID:5900
- C:\Windows\System\NsCmPoE.exe
  C:\Windows\System\NsCmPoE.exe
  2⤵
  PID:5972
- C:\Windows\System\SpNghOq.exe
  C:\Windows\System\SpNghOq.exe
  2⤵
  PID:4364
- C:\Windows\System\TaDrKpe.exe
  C:\Windows\System\TaDrKpe.exe
  2⤵
  PID:6084
- C:\Windows\System\gQnNSvw.exe
  C:\Windows\System\gQnNSvw.exe
  2⤵
  PID:6120
- C:\Windows\System\hyBpqhr.exe
  C:\Windows\System\hyBpqhr.exe
  2⤵
  PID:4660
- C:\Windows\System\fqRExlA.exe
  C:\Windows\System\fqRExlA.exe
  2⤵
  PID:4212
- C:\Windows\System\slgNcCG.exe
  C:\Windows\System\slgNcCG.exe
  2⤵
  PID:5220
- C:\Windows\System\HrcKvnE.exe
  C:\Windows\System\HrcKvnE.exe
  2⤵
  PID:5392
- C:\Windows\System\IJZiojZ.exe
  C:\Windows\System\IJZiojZ.exe
  2⤵
  PID:5480
- C:\Windows\System\lDvMrIq.exe
  C:\Windows\System\lDvMrIq.exe
  2⤵
  PID:5636
- C:\Windows\System\TwAtkJB.exe
  C:\Windows\System\TwAtkJB.exe
  2⤵
  PID:1752
- C:\Windows\System\ravUDXv.exe
  C:\Windows\System\ravUDXv.exe
  2⤵
  PID:5840
- C:\Windows\System\OyvUdjG.exe
  C:\Windows\System\OyvUdjG.exe
  2⤵
  PID:5956
- C:\Windows\System\JQMUgMg.exe
  C:\Windows\System\JQMUgMg.exe
  2⤵
  PID:4736
- C:\Windows\System\zzkmGnc.exe
  C:\Windows\System\zzkmGnc.exe
  2⤵
  PID:5116
- C:\Windows\System\GJVkAzf.exe
  C:\Windows\System\GJVkAzf.exe
  2⤵
  PID:4192
- C:\Windows\System\pbFlorT.exe
  C:\Windows\System\pbFlorT.exe
  2⤵
  PID:5328
- C:\Windows\System\QoqaRcg.exe
  C:\Windows\System\QoqaRcg.exe
  2⤵
  PID:1884
- C:\Windows\System\ErBNDJx.exe
  C:\Windows\System\ErBNDJx.exe
  2⤵
  PID:5692
- C:\Windows\System\SNDIgwK.exe
  C:\Windows\System\SNDIgwK.exe
  2⤵
  PID:4668
- C:\Windows\System\nSSDfXN.exe
  C:\Windows\System\nSSDfXN.exe
  2⤵
  PID:3396
- C:\Windows\System\BQuNDvi.exe
  C:\Windows\System\BQuNDvi.exe
  2⤵
  PID:3688
- C:\Windows\System\ptzzmjN.exe
  C:\Windows\System\ptzzmjN.exe
  2⤵
  PID:5212
- C:\Windows\System\PIwTMAw.exe
  C:\Windows\System\PIwTMAw.exe
  2⤵
  PID:628
- C:\Windows\System\FasqhoV.exe
  C:\Windows\System\FasqhoV.exe
  2⤵
  PID:5468
- C:\Windows\System\HYACGbV.exe
  C:\Windows\System\HYACGbV.exe
  2⤵
  PID:2116
- C:\Windows\System\YagScoT.exe
  C:\Windows\System\YagScoT.exe
  2⤵
  PID:3680
- C:\Windows\System\ZNLWuSv.exe
  C:\Windows\System\ZNLWuSv.exe
  2⤵
  PID:3612
- C:\Windows\System\SFPmihT.exe
  C:\Windows\System\SFPmihT.exe
  2⤵
  PID:2412
- C:\Windows\System\NNaMsdu.exe
  C:\Windows\System\NNaMsdu.exe
  2⤵
  PID:2144
- C:\Windows\System\LcrZSwR.exe
  C:\Windows\System\LcrZSwR.exe
  2⤵
  PID:2792
- C:\Windows\System\FNOSZNr.exe
  C:\Windows\System\FNOSZNr.exe
  2⤵
  PID:2808
- C:\Windows\System\aDbZNmy.exe
  C:\Windows\System\aDbZNmy.exe
  2⤵
  PID:6160
- C:\Windows\System\QdoAQSF.exe
  C:\Windows\System\QdoAQSF.exe
  2⤵
  PID:6180
- C:\Windows\System\XxgxrFl.exe
  C:\Windows\System\XxgxrFl.exe
  2⤵
  PID:6200
- C:\Windows\System\vGymqTs.exe
  C:\Windows\System\vGymqTs.exe
  2⤵
  PID:6232
- C:\Windows\System\KJrfWDW.exe
  C:\Windows\System\KJrfWDW.exe
  2⤵
  PID:6280
- C:\Windows\System\MyZlbCi.exe
  C:\Windows\System\MyZlbCi.exe
  2⤵
  PID:6300
- C:\Windows\System\RrvhhtQ.exe
  C:\Windows\System\RrvhhtQ.exe
  2⤵
  PID:6332
- C:\Windows\System\OzyXKuA.exe
  C:\Windows\System\OzyXKuA.exe
  2⤵
  PID:6384
- C:\Windows\System\gibNYxy.exe
  C:\Windows\System\gibNYxy.exe
  2⤵
  PID:6416
- C:\Windows\System\WLmpIwX.exe
  C:\Windows\System\WLmpIwX.exe
  2⤵
  PID:6432
- C:\Windows\System\KpcSsbN.exe
  C:\Windows\System\KpcSsbN.exe
  2⤵
  PID:6472
- C:\Windows\System\xnFXaXh.exe
  C:\Windows\System\xnFXaXh.exe
  2⤵
  PID:6500
- C:\Windows\System\dtjXJAZ.exe
  C:\Windows\System\dtjXJAZ.exe
  2⤵
  PID:6532
- C:\Windows\System\TjEdtuz.exe
  C:\Windows\System\TjEdtuz.exe
  2⤵
  PID:6552
- C:\Windows\System\APPlhVK.exe
  C:\Windows\System\APPlhVK.exe
  2⤵
  PID:6600
- C:\Windows\System\bCkjnMJ.exe
  C:\Windows\System\bCkjnMJ.exe
  2⤵
  PID:6636
- C:\Windows\System\YlAPoGt.exe
  C:\Windows\System\YlAPoGt.exe
  2⤵
  PID:6660
- C:\Windows\System\OfNRuoe.exe
  C:\Windows\System\OfNRuoe.exe
  2⤵
  PID:6712
- C:\Windows\System\wThWWHq.exe
  C:\Windows\System\wThWWHq.exe
  2⤵
  PID:6740
- C:\Windows\System\ESnERsx.exe
  C:\Windows\System\ESnERsx.exe
  2⤵
  PID:6756
- C:\Windows\System\hlzXOty.exe
  C:\Windows\System\hlzXOty.exe
  2⤵
  PID:6784
- C:\Windows\System\FjXSJPM.exe
  C:\Windows\System\FjXSJPM.exe
  2⤵
  PID:6808
- C:\Windows\System\gJYNrhJ.exe
  C:\Windows\System\gJYNrhJ.exe
  2⤵
  PID:6868
- C:\Windows\System\VRbFQKE.exe
  C:\Windows\System\VRbFQKE.exe
  2⤵
  PID:6888
- C:\Windows\System\TZUmYvM.exe
  C:\Windows\System\TZUmYvM.exe
  2⤵
  PID:6912
- C:\Windows\System\IGeFMpu.exe
  C:\Windows\System\IGeFMpu.exe
  2⤵
  PID:6936
- C:\Windows\System\DPiDGJU.exe
  C:\Windows\System\DPiDGJU.exe
  2⤵
  PID:6956
- C:\Windows\System\uXwClcU.exe
  C:\Windows\System\uXwClcU.exe
  2⤵
  PID:6996
- C:\Windows\System\FlAbLmo.exe
  C:\Windows\System\FlAbLmo.exe
  2⤵
  PID:7016
- C:\Windows\System\knlhutn.exe
  C:\Windows\System\knlhutn.exe
  2⤵
  PID:7040
- C:\Windows\System\TiZJywe.exe
  C:\Windows\System\TiZJywe.exe
  2⤵
  PID:7060
- C:\Windows\System\CwmokoK.exe
  C:\Windows\System\CwmokoK.exe
  2⤵
  PID:7084
- C:\Windows\System\KGFTxeq.exe
  C:\Windows\System\KGFTxeq.exe
  2⤵
  PID:7132
- C:\Windows\System\eHbGqSV.exe
  C:\Windows\System\eHbGqSV.exe
  2⤵
  PID:7160
- C:\Windows\System\EdqMWMH.exe
  C:\Windows\System\EdqMWMH.exe
  2⤵
  PID:376
- C:\Windows\System\iIDWWZv.exe
  C:\Windows\System\iIDWWZv.exe
  2⤵
  PID:4164
- C:\Windows\System\ipoClPn.exe
  C:\Windows\System\ipoClPn.exe
  2⤵
  PID:6192
- C:\Windows\System\qiLZZUY.exe
  C:\Windows\System\qiLZZUY.exe
  2⤵
  PID:6156
- C:\Windows\System\OzNjIgU.exe
  C:\Windows\System\OzNjIgU.exe
  2⤵
  PID:6272
- C:\Windows\System\PNrrnCw.exe
  C:\Windows\System\PNrrnCw.exe
  2⤵
  PID:6352
- C:\Windows\System\oEFwzIw.exe
  C:\Windows\System\oEFwzIw.exe
  2⤵
  PID:6408
- C:\Windows\System\lULkhTK.exe
  C:\Windows\System\lULkhTK.exe
  2⤵
  PID:6460
- C:\Windows\System\FAoXnCb.exe
  C:\Windows\System\FAoXnCb.exe
  2⤵
  PID:6516
- C:\Windows\System\eTmYxCM.exe
  C:\Windows\System\eTmYxCM.exe
  2⤵
  PID:6576
- C:\Windows\System\RfQzALo.exe
  C:\Windows\System\RfQzALo.exe
  2⤵
  PID:6732
- C:\Windows\System\GpEIUcy.exe
  C:\Windows\System\GpEIUcy.exe
  2⤵
  PID:6804
- C:\Windows\System\vxdCQJU.exe
  C:\Windows\System\vxdCQJU.exe
  2⤵
  PID:4488
- C:\Windows\System\skPOYKl.exe
  C:\Windows\System\skPOYKl.exe
  2⤵
  PID:6860
- C:\Windows\System\slFWSjI.exe
  C:\Windows\System\slFWSjI.exe
  2⤵
  PID:6040
- C:\Windows\System\iQGZWyP.exe
  C:\Windows\System\iQGZWyP.exe
  2⤵
  PID:6948
- C:\Windows\System\UzQPuKF.exe
  C:\Windows\System\UzQPuKF.exe
  2⤵
  PID:7036
- C:\Windows\System\yHSnZAO.exe
  C:\Windows\System\yHSnZAO.exe
  2⤵
  PID:7052
- C:\Windows\System\BzWGtcs.exe
  C:\Windows\System\BzWGtcs.exe
  2⤵
  PID:1928
- C:\Windows\System\ZntDmpp.exe
  C:\Windows\System\ZntDmpp.exe
  2⤵
  PID:5284
- C:\Windows\System\RZOjjYY.exe
  C:\Windows\System\RZOjjYY.exe
  2⤵
  PID:6256
- C:\Windows\System\XLGBKwr.exe
  C:\Windows\System\XLGBKwr.exe
  2⤵
  PID:6244
- C:\Windows\System\fcOgZuU.exe
  C:\Windows\System\fcOgZuU.exe
  2⤵
  PID:6004
- C:\Windows\System\UXhKxrZ.exe
  C:\Windows\System\UXhKxrZ.exe
  2⤵
  PID:6800
- C:\Windows\System\UXrbcOq.exe
  C:\Windows\System\UXrbcOq.exe
  2⤵
  PID:2260
- C:\Windows\System\rSxpqKe.exe
  C:\Windows\System\rSxpqKe.exe
  2⤵
  PID:6308
- C:\Windows\System\iBlUhVx.exe
  C:\Windows\System\iBlUhVx.exe
  2⤵
  PID:6944
- C:\Windows\System\yoiphne.exe
  C:\Windows\System\yoiphne.exe
  2⤵
  PID:7032
- C:\Windows\System\DcQlAEJ.exe
  C:\Windows\System\DcQlAEJ.exe
  2⤵
  PID:4596
- C:\Windows\System\ACUZADx.exe
  C:\Windows\System\ACUZADx.exe
  2⤵
  PID:6340
- C:\Windows\System\XUOZMRN.exe
  C:\Windows\System\XUOZMRN.exe
  2⤵
  PID:6676
- C:\Windows\System\TxUvlxX.exe
  C:\Windows\System\TxUvlxX.exe
  2⤵
  PID:6212
- C:\Windows\System\FYgFxHJ.exe
  C:\Windows\System\FYgFxHJ.exe
  2⤵
  PID:6328
- C:\Windows\System\TANXdYn.exe
  C:\Windows\System\TANXdYn.exe
  2⤵
  PID:7216
- C:\Windows\System\ynxyGVz.exe
  C:\Windows\System\ynxyGVz.exe
  2⤵
  PID:7232
- C:\Windows\System\iiDnfVq.exe
  C:\Windows\System\iiDnfVq.exe
  2⤵
  PID:7260
- C:\Windows\System\yHuoAix.exe
  C:\Windows\System\yHuoAix.exe
  2⤵
  PID:7276
- C:\Windows\System\zyfDYea.exe
  C:\Windows\System\zyfDYea.exe
  2⤵
  PID:7296
- C:\Windows\System\GQxPOMY.exe
  C:\Windows\System\GQxPOMY.exe
  2⤵
  PID:7328
- C:\Windows\System\mIODLMZ.exe
  C:\Windows\System\mIODLMZ.exe
  2⤵
  PID:7352
- C:\Windows\System\zsQorvr.exe
  C:\Windows\System\zsQorvr.exe
  2⤵
  PID:7372
- C:\Windows\System\sJtOtYQ.exe
  C:\Windows\System\sJtOtYQ.exe
  2⤵
  PID:7392
- C:\Windows\System\ZfZFKqK.exe
  C:\Windows\System\ZfZFKqK.exe
  2⤵
  PID:7416
- C:\Windows\System\KhqNKYD.exe
  C:\Windows\System\KhqNKYD.exe
  2⤵
  PID:7436
- C:\Windows\System\gKEQwYo.exe
  C:\Windows\System\gKEQwYo.exe
  2⤵
  PID:7456
- C:\Windows\System\dHJKjjL.exe
  C:\Windows\System\dHJKjjL.exe
  2⤵
  PID:7480
- C:\Windows\System\erwbASk.exe
  C:\Windows\System\erwbASk.exe
  2⤵
  PID:7504
- C:\Windows\System\etwhSNg.exe
  C:\Windows\System\etwhSNg.exe
  2⤵
  PID:7520
- C:\Windows\System\aABrveQ.exe
  C:\Windows\System\aABrveQ.exe
  2⤵
  PID:7540
- C:\Windows\System\PeELVfp.exe
  C:\Windows\System\PeELVfp.exe
  2⤵
  PID:7588
- C:\Windows\System\qlmEpaL.exe
  C:\Windows\System\qlmEpaL.exe
  2⤵
  PID:7664
- C:\Windows\System\AZSRwZA.exe
  C:\Windows\System\AZSRwZA.exe
  2⤵
  PID:7688
- C:\Windows\System\XOJhKoX.exe
  C:\Windows\System\XOJhKoX.exe
  2⤵
  PID:7708
- C:\Windows\System\KdjfEFh.exe
  C:\Windows\System\KdjfEFh.exe
  2⤵
  PID:7724
- C:\Windows\System\TNMhvVX.exe
  C:\Windows\System\TNMhvVX.exe
  2⤵
  PID:7792
- C:\Windows\System\NcomPCH.exe
  C:\Windows\System\NcomPCH.exe
  2⤵
  PID:7808
- C:\Windows\System\LmFKKKX.exe
  C:\Windows\System\LmFKKKX.exe
  2⤵
  PID:7836
- C:\Windows\System\EMLfqQQ.exe
  C:\Windows\System\EMLfqQQ.exe
  2⤵
  PID:7908
- C:\Windows\System\OiZIkNY.exe
  C:\Windows\System\OiZIkNY.exe
  2⤵
  PID:7940
- C:\Windows\System\eKjRupa.exe
  C:\Windows\System\eKjRupa.exe
  2⤵
  PID:7956
- C:\Windows\System\IpwgFwv.exe
  C:\Windows\System\IpwgFwv.exe
  2⤵
  PID:7976
- C:\Windows\System\sHcJbeM.exe
  C:\Windows\System\sHcJbeM.exe
  2⤵
  PID:7992
- C:\Windows\System\YbEKGZD.exe
  C:\Windows\System\YbEKGZD.exe
  2⤵
  PID:8016
- C:\Windows\System\KBVthDy.exe
  C:\Windows\System\KBVthDy.exe
  2⤵
  PID:8044
- C:\Windows\System\DaMQjQB.exe
  C:\Windows\System\DaMQjQB.exe
  2⤵
  PID:8064
- C:\Windows\System\VMUIkUp.exe
  C:\Windows\System\VMUIkUp.exe
  2⤵
  PID:8120
- C:\Windows\System\lWmGRVh.exe
  C:\Windows\System\lWmGRVh.exe
  2⤵
  PID:8144
- C:\Windows\System\vpxrZuV.exe
  C:\Windows\System\vpxrZuV.exe
  2⤵
  PID:8184
- C:\Windows\System\xdTGWzl.exe
  C:\Windows\System\xdTGWzl.exe
  2⤵
  PID:7152
- C:\Windows\System\KQNvfUa.exe
  C:\Windows\System\KQNvfUa.exe
  2⤵
  PID:7192
- C:\Windows\System\xcGWduB.exe
  C:\Windows\System\xcGWduB.exe
  2⤵
  PID:7268
- C:\Windows\System\CyUcyfp.exe
  C:\Windows\System\CyUcyfp.exe
  2⤵
  PID:7308
- C:\Windows\System\pNDLuCl.exe
  C:\Windows\System\pNDLuCl.exe
  2⤵
  PID:7404
- C:\Windows\System\lhLOZgI.exe
  C:\Windows\System\lhLOZgI.exe
  2⤵
  PID:7452
- C:\Windows\System\WBQEkob.exe
  C:\Windows\System\WBQEkob.exe
  2⤵
  PID:7512
- C:\Windows\System\iQkbQbQ.exe
  C:\Windows\System\iQkbQbQ.exe
  2⤵
  PID:7568
- C:\Windows\System\DrmrlJM.exe
  C:\Windows\System\DrmrlJM.exe
  2⤵
  PID:7700
- C:\Windows\System\lYruMtw.exe
  C:\Windows\System\lYruMtw.exe
  2⤵
  PID:7732
- C:\Windows\System\KYmNanh.exe
  C:\Windows\System\KYmNanh.exe
  2⤵
  PID:7776
- C:\Windows\System\gkXSaNJ.exe
  C:\Windows\System\gkXSaNJ.exe
  2⤵
  PID:7928
- C:\Windows\System\mZOPVbN.exe
  C:\Windows\System\mZOPVbN.exe
  2⤵
  PID:7968
- C:\Windows\System\uwWuLep.exe
  C:\Windows\System\uwWuLep.exe
  2⤵
  PID:8000
- C:\Windows\System\MSFAMFN.exe
  C:\Windows\System\MSFAMFN.exe
  2⤵
  PID:8060
- C:\Windows\System\vUvIdfx.exe
  C:\Windows\System\vUvIdfx.exe
  2⤵
  PID:8132
- C:\Windows\System\ONqLNaG.exe
  C:\Windows\System\ONqLNaG.exe
  2⤵
  PID:8160
- C:\Windows\System\xoIOoYT.exe
  C:\Windows\System\xoIOoYT.exe
  2⤵
  PID:7228
- C:\Windows\System\yluLqbL.exe
  C:\Windows\System\yluLqbL.exe
  2⤵
  PID:7492
- C:\Windows\System\elbetFo.exe
  C:\Windows\System\elbetFo.exe
  2⤵
  PID:7596
- C:\Windows\System\zFlvULS.exe
  C:\Windows\System\zFlvULS.exe
  2⤵
  PID:7828
- C:\Windows\System\ZKpdwuA.exe
  C:\Windows\System\ZKpdwuA.exe
  2⤵
  PID:7876
- C:\Windows\System\RbboABx.exe
  C:\Windows\System\RbboABx.exe
  2⤵
  PID:7952
- C:\Windows\System\xkeQDoP.exe
  C:\Windows\System\xkeQDoP.exe
  2⤵
  PID:8104
- C:\Windows\System\cOfCAVF.exe
  C:\Windows\System\cOfCAVF.exe
  2⤵
  PID:7248
- C:\Windows\System\GUGzeRT.exe
  C:\Windows\System\GUGzeRT.exe
  2⤵
  PID:7768
- C:\Windows\System\oenxexw.exe
  C:\Windows\System\oenxexw.exe
  2⤵
  PID:8088
- C:\Windows\System\FRZuzUI.exe
  C:\Windows\System\FRZuzUI.exe
  2⤵
  PID:6492
- C:\Windows\System\pGYMofp.exe
  C:\Windows\System\pGYMofp.exe
  2⤵
  PID:8232
- C:\Windows\System\PVtCLCY.exe
  C:\Windows\System\PVtCLCY.exe
  2⤵
  PID:8256
- C:\Windows\System\oePjWzp.exe
  C:\Windows\System\oePjWzp.exe
  2⤵
  PID:8272
- C:\Windows\System\CLkHvTw.exe
  C:\Windows\System\CLkHvTw.exe
  2⤵
  PID:8312
- C:\Windows\System\KqTrFIy.exe
  C:\Windows\System\KqTrFIy.exe
  2⤵
  PID:8332
- C:\Windows\System\bmjPSXq.exe
  C:\Windows\System\bmjPSXq.exe
  2⤵
  PID:8360
- C:\Windows\System\NBxpOhi.exe
  C:\Windows\System\NBxpOhi.exe
  2⤵
  PID:8408
- C:\Windows\System\XxDJZNC.exe
  C:\Windows\System\XxDJZNC.exe
  2⤵
  PID:8428
- C:\Windows\System\qwmSazS.exe
  C:\Windows\System\qwmSazS.exe
  2⤵
  PID:8452
- C:\Windows\System\gGmKSGx.exe
  C:\Windows\System\gGmKSGx.exe
  2⤵
  PID:8468
- C:\Windows\System\vinyQQz.exe
  C:\Windows\System\vinyQQz.exe
  2⤵
  PID:8492
- C:\Windows\System\TNjvQtp.exe
  C:\Windows\System\TNjvQtp.exe
  2⤵
  PID:8512
- C:\Windows\System\wvOvWRt.exe
  C:\Windows\System\wvOvWRt.exe
  2⤵
  PID:8540
- C:\Windows\System\NWdrmuT.exe
  C:\Windows\System\NWdrmuT.exe
  2⤵
  PID:8596
- C:\Windows\System\ptCklcy.exe
  C:\Windows\System\ptCklcy.exe
  2⤵
  PID:8616
- C:\Windows\System\STDmlTK.exe
  C:\Windows\System\STDmlTK.exe
  2⤵
  PID:8636
- C:\Windows\System\GXhaDFr.exe
  C:\Windows\System\GXhaDFr.exe
  2⤵
  PID:8652
- C:\Windows\System\tdPXzUL.exe
  C:\Windows\System\tdPXzUL.exe
  2⤵
  PID:8672
- C:\Windows\System\wfFqsHk.exe
  C:\Windows\System\wfFqsHk.exe
  2⤵
  PID:8724
- C:\Windows\System\BADjbmY.exe
  C:\Windows\System\BADjbmY.exe
  2⤵
  PID:8744
- C:\Windows\System\qEIVIdw.exe
  C:\Windows\System\qEIVIdw.exe
  2⤵
  PID:8780
- C:\Windows\System\lKWnYzP.exe
  C:\Windows\System\lKWnYzP.exe
  2⤵
  PID:8816
- C:\Windows\System\wAWEHAI.exe
  C:\Windows\System\wAWEHAI.exe
  2⤵
  PID:8836
- C:\Windows\System\iaWlZgX.exe
  C:\Windows\System\iaWlZgX.exe
  2⤵
  PID:8856
- C:\Windows\System\APiXOfE.exe
  C:\Windows\System\APiXOfE.exe
  2⤵
  PID:8904
- C:\Windows\System\agvJxBA.exe
  C:\Windows\System\agvJxBA.exe
  2⤵
  PID:8924
- C:\Windows\System\aBkPSuy.exe
  C:\Windows\System\aBkPSuy.exe
  2⤵
  PID:8960
- C:\Windows\System\LXggOMd.exe
  C:\Windows\System\LXggOMd.exe
  2⤵
  PID:9000
- C:\Windows\System\ZsfIqqs.exe
  C:\Windows\System\ZsfIqqs.exe
  2⤵
  PID:9016
- C:\Windows\System\hBVoqYP.exe
  C:\Windows\System\hBVoqYP.exe
  2⤵
  PID:9056
- C:\Windows\System\tIBhdmT.exe
  C:\Windows\System\tIBhdmT.exe
  2⤵
  PID:9076
- C:\Windows\System\WvthChb.exe
  C:\Windows\System\WvthChb.exe
  2⤵
  PID:9092
- C:\Windows\System\wItGUWl.exe
  C:\Windows\System\wItGUWl.exe
  2⤵
  PID:9120
- C:\Windows\System\LvnvpFL.exe
  C:\Windows\System\LvnvpFL.exe
  2⤵
  PID:9148
- C:\Windows\System\mEHpRjs.exe
  C:\Windows\System\mEHpRjs.exe
  2⤵
  PID:9176
- C:\Windows\System\DhxJdcf.exe
  C:\Windows\System\DhxJdcf.exe
  2⤵
  PID:9196
- C:\Windows\System\DPOaGVd.exe
  C:\Windows\System\DPOaGVd.exe
  2⤵
  PID:8244
- C:\Windows\System\ONfGbOw.exe
  C:\Windows\System\ONfGbOw.exe
  2⤵
  PID:8308
- C:\Windows\System\qDBpkdO.exe
  C:\Windows\System\qDBpkdO.exe
  2⤵
  PID:8324
- C:\Windows\System\ymOQRub.exe
  C:\Windows\System\ymOQRub.exe
  2⤵
  PID:8352
- C:\Windows\System\fEditiB.exe
  C:\Windows\System\fEditiB.exe
  2⤵
  PID:8420
- C:\Windows\System\MuQoMbv.exe
  C:\Windows\System\MuQoMbv.exe
  2⤵
  PID:8460
- C:\Windows\System\VVPkfzn.exe
  C:\Windows\System\VVPkfzn.exe
  2⤵
  PID:8464
- C:\Windows\System\ckbkcyI.exe
  C:\Windows\System\ckbkcyI.exe
  2⤵
  PID:8592
- C:\Windows\System\XNZNMDf.exe
  C:\Windows\System\XNZNMDf.exe
  2⤵
  PID:8772
- C:\Windows\System\gJDRDQR.exe
  C:\Windows\System\gJDRDQR.exe
  2⤵
  PID:8740
- C:\Windows\System\dNQgMih.exe
  C:\Windows\System\dNQgMih.exe
  2⤵
  PID:8776
- C:\Windows\System\uPhugqv.exe
  C:\Windows\System\uPhugqv.exe
  2⤵
  PID:8868
- C:\Windows\System\vlGOXQH.exe
  C:\Windows\System\vlGOXQH.exe
  2⤵
  PID:9012
- C:\Windows\System\nJnGUxT.exe
  C:\Windows\System\nJnGUxT.exe
  2⤵
  PID:9100
- C:\Windows\System\WHyEjpL.exe
  C:\Windows\System\WHyEjpL.exe
  2⤵
  PID:9116
- C:\Windows\System\jWojwoW.exe
  C:\Windows\System\jWojwoW.exe
  2⤵
  PID:8264
- C:\Windows\System\DYAEClr.exe
  C:\Windows\System\DYAEClr.exe
  2⤵
  PID:8268
- C:\Windows\System\FLZtegD.exe
  C:\Windows\System\FLZtegD.exe
  2⤵
  PID:7256
- C:\Windows\System\RGaLepQ.exe
  C:\Windows\System\RGaLepQ.exe
  2⤵
  PID:8532
- C:\Windows\System\bfWDjIK.exe
  C:\Windows\System\bfWDjIK.exe
  2⤵
  PID:8700
- C:\Windows\System\jYOKsMT.exe
  C:\Windows\System\jYOKsMT.exe
  2⤵
  PID:8884
- C:\Windows\System\neCpoVm.exe
  C:\Windows\System\neCpoVm.exe
  2⤵
  PID:9032
- C:\Windows\System\dPUrchl.exe
  C:\Windows\System\dPUrchl.exe
  2⤵
  PID:9188
- C:\Windows\System\PSpvtxF.exe
  C:\Windows\System\PSpvtxF.exe
  2⤵
  PID:8384
- C:\Windows\System\ZZfgKMj.exe
  C:\Windows\System\ZZfgKMj.exe
  2⤵
  PID:8612
- C:\Windows\System\tMGEZnj.exe
  C:\Windows\System\tMGEZnj.exe
  2⤵
  PID:8852
- C:\Windows\System\OCMnuvJ.exe
  C:\Windows\System\OCMnuvJ.exe
  2⤵
  PID:9112
- C:\Windows\System\HoMSrqU.exe
  C:\Windows\System\HoMSrqU.exe
  2⤵
  PID:8224
- C:\Windows\System\ERHJfAf.exe
  C:\Windows\System\ERHJfAf.exe
  2⤵
  PID:9256
- C:\Windows\System\wOeRiKh.exe
  C:\Windows\System\wOeRiKh.exe
  2⤵
  PID:9280
- C:\Windows\System\ELbLmJo.exe
  C:\Windows\System\ELbLmJo.exe
  2⤵
  PID:9308
- C:\Windows\System\dWYuLpe.exe
  C:\Windows\System\dWYuLpe.exe
  2⤵
  PID:9336
- C:\Windows\System\bOVXgcR.exe
  C:\Windows\System\bOVXgcR.exe
  2⤵
  PID:9376
- C:\Windows\System\woVNxSv.exe
  C:\Windows\System\woVNxSv.exe
  2⤵
  PID:9400
- C:\Windows\System\smCcJTG.exe
  C:\Windows\System\smCcJTG.exe
  2⤵
  PID:9420
- C:\Windows\System\PWeoJoF.exe
  C:\Windows\System\PWeoJoF.exe
  2⤵
  PID:9468
- C:\Windows\System\rOwCezS.exe
  C:\Windows\System\rOwCezS.exe
  2⤵
  PID:9484
- C:\Windows\System\Lrkieiu.exe
  C:\Windows\System\Lrkieiu.exe
  2⤵
  PID:9532
- C:\Windows\System\rvcxdaC.exe
  C:\Windows\System\rvcxdaC.exe
  2⤵
  PID:9552
- C:\Windows\System\qmkcCKD.exe
  C:\Windows\System\qmkcCKD.exe
  2⤵
  PID:9592
- C:\Windows\System\cRFPWjN.exe
  C:\Windows\System\cRFPWjN.exe
  2⤵
  PID:9612
- C:\Windows\System\LGVMKcc.exe
  C:\Windows\System\LGVMKcc.exe
  2⤵
  PID:9636
- C:\Windows\System\TnExErY.exe
  C:\Windows\System\TnExErY.exe
  2⤵
  PID:9668
- C:\Windows\System\HkTXKjv.exe
  C:\Windows\System\HkTXKjv.exe
  2⤵
  PID:9740
- C:\Windows\System\nHPNhPg.exe
  C:\Windows\System\nHPNhPg.exe
  2⤵
  PID:9756
- C:\Windows\System\rsuLnGZ.exe
  C:\Windows\System\rsuLnGZ.exe
  2⤵
  PID:9772
- C:\Windows\System\dimoXzv.exe
  C:\Windows\System\dimoXzv.exe
  2⤵
  PID:9788
- C:\Windows\System\UysjTTi.exe
  C:\Windows\System\UysjTTi.exe
  2⤵
  PID:9804
- C:\Windows\System\AlVjIrF.exe
  C:\Windows\System\AlVjIrF.exe
  2⤵
  PID:9820
- C:\Windows\System\KelqoJH.exe
  C:\Windows\System\KelqoJH.exe
  2⤵
  PID:9840
- C:\Windows\System\BXmYeVS.exe
  C:\Windows\System\BXmYeVS.exe
  2⤵
  PID:9936
- C:\Windows\System\APaEEtb.exe
  C:\Windows\System\APaEEtb.exe
  2⤵
  PID:9952
- C:\Windows\System\oFLbvwG.exe
  C:\Windows\System\oFLbvwG.exe
  2⤵
  PID:9968
- C:\Windows\System\MkQjSBm.exe
  C:\Windows\System\MkQjSBm.exe
  2⤵
  PID:9984
- C:\Windows\System\HtLiHYV.exe
  C:\Windows\System\HtLiHYV.exe
  2⤵
  PID:10000
- C:\Windows\System\FCwpWqG.exe
  C:\Windows\System\FCwpWqG.exe
  2⤵
  PID:10016
- C:\Windows\System\iOPEBmx.exe
  C:\Windows\System\iOPEBmx.exe
  2⤵
  PID:10032
- C:\Windows\System\rXFaBBD.exe
  C:\Windows\System\rXFaBBD.exe
  2⤵
  PID:10052
- C:\Windows\System\bYvoedu.exe
  C:\Windows\System\bYvoedu.exe
  2⤵
  PID:10068
- C:\Windows\System\ngelKST.exe
  C:\Windows\System\ngelKST.exe
  2⤵
  PID:10084
- C:\Windows\System\oEJPtld.exe
  C:\Windows\System\oEJPtld.exe
  2⤵
  PID:10100
- C:\Windows\System\eyjevgn.exe
  C:\Windows\System\eyjevgn.exe
  2⤵
  PID:10116
- C:\Windows\System\FXHiVUA.exe
  C:\Windows\System\FXHiVUA.exe
  2⤵
  PID:10180
- C:\Windows\System\Yfcthea.exe
  C:\Windows\System\Yfcthea.exe
  2⤵
  PID:10204
- C:\Windows\System\yUHDEfg.exe
  C:\Windows\System\yUHDEfg.exe
  2⤵
  PID:8524
- C:\Windows\System\lQbUnoY.exe
  C:\Windows\System\lQbUnoY.exe
  2⤵
  PID:9620
- C:\Windows\System\fiAEdyq.exe
  C:\Windows\System\fiAEdyq.exe
  2⤵
  PID:9724
- C:\Windows\System\vXhJKdh.exe
  C:\Windows\System\vXhJKdh.exe
  2⤵
  PID:9644
- C:\Windows\System\bRLnAKu.exe
  C:\Windows\System\bRLnAKu.exe
  2⤵
  PID:9736
- C:\Windows\System\fGneYcu.exe
  C:\Windows\System\fGneYcu.exe
  2⤵
  PID:9856
- C:\Windows\System\ezBjaLw.exe
  C:\Windows\System\ezBjaLw.exe
  2⤵
  PID:9780
- C:\Windows\System\knNpAwJ.exe
  C:\Windows\System\knNpAwJ.exe
  2⤵
  PID:9832
- C:\Windows\System\XitTMCJ.exe
  C:\Windows\System\XitTMCJ.exe
  2⤵
  PID:9872
- C:\Windows\System\REaTQWG.exe
  C:\Windows\System\REaTQWG.exe
  2⤵
  PID:9888
- C:\Windows\System\AnnMNmI.exe
  C:\Windows\System\AnnMNmI.exe
  2⤵
  PID:10128
- C:\Windows\System\dSggYhD.exe
  C:\Windows\System\dSggYhD.exe
  2⤵
  PID:9960
- C:\Windows\System\aiSXvkS.exe
  C:\Windows\System\aiSXvkS.exe
  2⤵
  PID:10092
- C:\Windows\System\TONGkqM.exe
  C:\Windows\System\TONGkqM.exe
  2⤵
  PID:10176
- C:\Windows\System\KpTXiVf.exe
  C:\Windows\System\KpTXiVf.exe
  2⤵
  PID:9352
- C:\Windows\System\FCQwTkF.exe
  C:\Windows\System\FCQwTkF.exe
  2⤵
  PID:10196
- C:\Windows\System\LjmdhCn.exe
  C:\Windows\System\LjmdhCn.exe
  2⤵
  PID:9504
- C:\Windows\System\vDqTNAd.exe
  C:\Windows\System\vDqTNAd.exe
  2⤵
  PID:9700
- C:\Windows\System\sLAwowx.exe
  C:\Windows\System\sLAwowx.exe
  2⤵
  PID:9812
- C:\Windows\System\pUXMMdz.exe
  C:\Windows\System\pUXMMdz.exe
  2⤵
  PID:10160
- C:\Windows\System\WlenNgl.exe
  C:\Windows\System\WlenNgl.exe
  2⤵
  PID:10156
- C:\Windows\System\BRQVGlq.exe
  C:\Windows\System\BRQVGlq.exe
  2⤵
  PID:10108
- C:\Windows\System\cQUQLYn.exe
  C:\Windows\System\cQUQLYn.exe
  2⤵
  PID:8956
- C:\Windows\System\yqLPrZg.exe
  C:\Windows\System\yqLPrZg.exe
  2⤵
  PID:9764
- C:\Windows\System\GTonbdd.exe
  C:\Windows\System\GTonbdd.exe
  2⤵
  PID:9868
- C:\Windows\System\fqerNIs.exe
  C:\Windows\System\fqerNIs.exe
  2⤵
  PID:10076
- C:\Windows\System\YXDhATy.exe
  C:\Windows\System\YXDhATy.exe
  2⤵
  PID:9412
- C:\Windows\System\GjvvCNf.exe
  C:\Windows\System\GjvvCNf.exe
  2⤵
  PID:9864
- C:\Windows\System\gRkKKkK.exe
  C:\Windows\System\gRkKKkK.exe
  2⤵
  PID:10256
- C:\Windows\System\gLBQocV.exe
  C:\Windows\System\gLBQocV.exe
  2⤵
  PID:10300
- C:\Windows\System\SpnRSaN.exe
  C:\Windows\System\SpnRSaN.exe
  2⤵
  PID:10332
- C:\Windows\System\tPXTfPy.exe
  C:\Windows\System\tPXTfPy.exe
  2⤵
  PID:10356
- C:\Windows\System\oVUoVuw.exe
  C:\Windows\System\oVUoVuw.exe
  2⤵
  PID:10380
- C:\Windows\System\YkzyPWO.exe
  C:\Windows\System\YkzyPWO.exe
  2⤵
  PID:10400
- C:\Windows\System\zuUMBbR.exe
  C:\Windows\System\zuUMBbR.exe
  2⤵
  PID:10428
- C:\Windows\System\IOOAnNs.exe
  C:\Windows\System\IOOAnNs.exe
  2⤵
  PID:10484
- C:\Windows\System\uJBdVeE.exe
  C:\Windows\System\uJBdVeE.exe
  2⤵
  PID:10508
- C:\Windows\System\CLXPsbW.exe
  C:\Windows\System\CLXPsbW.exe
  2⤵
  PID:10532
- C:\Windows\System\lqzzqPO.exe
  C:\Windows\System\lqzzqPO.exe
  2⤵
  PID:10552
- C:\Windows\System\nVMXUOD.exe
  C:\Windows\System\nVMXUOD.exe
  2⤵
  PID:10568
- C:\Windows\System\QSaUrnV.exe
  C:\Windows\System\QSaUrnV.exe
  2⤵
  PID:10620
- C:\Windows\System\jEXifqm.exe
  C:\Windows\System\jEXifqm.exe
  2⤵
  PID:10640
- C:\Windows\System\ucsDKkc.exe
  C:\Windows\System\ucsDKkc.exe
  2⤵
  PID:10680
- C:\Windows\System\TdNJdBj.exe
  C:\Windows\System\TdNJdBj.exe
  2⤵
  PID:10712
- C:\Windows\System\rhZtmZZ.exe
  C:\Windows\System\rhZtmZZ.exe
  2⤵
  PID:10740
- C:\Windows\System\ODfwJGK.exe
  C:\Windows\System\ODfwJGK.exe
  2⤵
  PID:10768
- C:\Windows\System\MjmIavL.exe
  C:\Windows\System\MjmIavL.exe
  2⤵
  PID:10792
- C:\Windows\System\JhIaGAN.exe
  C:\Windows\System\JhIaGAN.exe
  2⤵
  PID:10816
- C:\Windows\System\zeKMprM.exe
  C:\Windows\System\zeKMprM.exe
  2⤵
  PID:10840
- C:\Windows\System\lfLLger.exe
  C:\Windows\System\lfLLger.exe
  2⤵
  PID:10868
- C:\Windows\System\KNKVHzC.exe
  C:\Windows\System\KNKVHzC.exe
  2⤵
  PID:10888
- C:\Windows\System\yFbzyby.exe
  C:\Windows\System\yFbzyby.exe
  2⤵
  PID:10912
- C:\Windows\System\GpuBXAA.exe
  C:\Windows\System\GpuBXAA.exe
  2⤵
  PID:10932
- C:\Windows\System\qLfLJWk.exe
  C:\Windows\System\qLfLJWk.exe
  2⤵
  PID:10952
- C:\Windows\System\bngKIhm.exe
  C:\Windows\System\bngKIhm.exe
  2⤵
  PID:11016
- C:\Windows\System\OWUlqFE.exe
  C:\Windows\System\OWUlqFE.exe
  2⤵
  PID:11032
- C:\Windows\System\ToJBLMA.exe
  C:\Windows\System\ToJBLMA.exe
  2⤵
  PID:11064
- C:\Windows\System\QspyQaQ.exe
  C:\Windows\System\QspyQaQ.exe
  2⤵
  PID:11088
- C:\Windows\System\tpawdZN.exe
  C:\Windows\System\tpawdZN.exe
  2⤵
  PID:11108
- C:\Windows\System\PhvmnUy.exe
  C:\Windows\System\PhvmnUy.exe
  2⤵
  PID:11136
- C:\Windows\System\tldieLn.exe
  C:\Windows\System\tldieLn.exe
  2⤵
  PID:11160
- C:\Windows\System\kdsOMAf.exe
  C:\Windows\System\kdsOMAf.exe
  2⤵
  PID:11248
- C:\Windows\System\jZuZtxF.exe
  C:\Windows\System\jZuZtxF.exe
  2⤵
  PID:9996
- C:\Windows\System\MiHoyIq.exe
  C:\Windows\System\MiHoyIq.exe
  2⤵
  PID:9980
- C:\Windows\System\dgEoogu.exe
  C:\Windows\System\dgEoogu.exe
  2⤵
  PID:10324
- C:\Windows\System\RgisExV.exe
  C:\Windows\System\RgisExV.exe
  2⤵
  PID:10392
- C:\Windows\System\UkJglRt.exe
  C:\Windows\System\UkJglRt.exe
  2⤵
  PID:10424
- C:\Windows\System\YvNbJLZ.exe
  C:\Windows\System\YvNbJLZ.exe
  2⤵
  PID:10504
- C:\Windows\System\lHTnwlc.exe
  C:\Windows\System\lHTnwlc.exe
  2⤵
  PID:10592
- C:\Windows\System\bnTiXGQ.exe
  C:\Windows\System\bnTiXGQ.exe
  2⤵
  PID:10660
- C:\Windows\System\lXbcCqT.exe
  C:\Windows\System\lXbcCqT.exe
  2⤵
  PID:10676
- C:\Windows\System\jyzbECI.exe
  C:\Windows\System\jyzbECI.exe
  2⤵
  PID:10784
- C:\Windows\System\LnpWDLi.exe
  C:\Windows\System\LnpWDLi.exe
  2⤵
  PID:10808
- C:\Windows\System\gZszMYp.exe
  C:\Windows\System\gZszMYp.exe
  2⤵
  PID:10904
- C:\Windows\System\iIIEXwy.exe
  C:\Windows\System\iIIEXwy.exe
  2⤵
  PID:11004
- C:\Windows\System\fpkCuND.exe
  C:\Windows\System\fpkCuND.exe
  2⤵
  PID:10928
- C:\Windows\System\PhmfWwV.exe
  C:\Windows\System\PhmfWwV.exe
  2⤵
  PID:11080
- C:\Windows\System\EbcbRNt.exe
  C:\Windows\System\EbcbRNt.exe
  2⤵
  PID:11196
- C:\Windows\System\HBHIyRn.exe
  C:\Windows\System\HBHIyRn.exe
  2⤵
  PID:11240
- C:\Windows\System\RAopftA.exe
  C:\Windows\System\RAopftA.exe
  2⤵
  PID:10408
- C:\Windows\System\wqOgGBi.exe
  C:\Windows\System\wqOgGBi.exe
  2⤵
  PID:10364
- C:\Windows\System\jJFALTM.exe
  C:\Windows\System\jJFALTM.exe
  2⤵
  PID:10636
- C:\Windows\System\Pnjxwig.exe
  C:\Windows\System\Pnjxwig.exe
  2⤵
  PID:10764
- C:\Windows\System\jVEaasj.exe
  C:\Windows\System\jVEaasj.exe
  2⤵
  PID:11028
- C:\Windows\System\LoRKtYo.exe
  C:\Windows\System\LoRKtYo.exe
  2⤵
  PID:11072
- C:\Windows\System\YlfPKrR.exe
  C:\Windows\System\YlfPKrR.exe
  2⤵
  PID:11256
- C:\Windows\System\Nzzsnbu.exe
  C:\Windows\System\Nzzsnbu.exe
  2⤵
  PID:10836
- C:\Windows\System\snQnZVt.exe
  C:\Windows\System\snQnZVt.exe
  2⤵
  PID:11148
- C:\Windows\System\INWaJPK.exe
  C:\Windows\System\INWaJPK.exe
  2⤵
  PID:10280
- C:\Windows\System\XhlUwlO.exe
  C:\Windows\System\XhlUwlO.exe
  2⤵
  PID:11268
- C:\Windows\System\mCyHYYG.exe
  C:\Windows\System\mCyHYYG.exe
  2⤵
  PID:11296
- C:\Windows\System\MynYuGm.exe
  C:\Windows\System\MynYuGm.exe
  2⤵
  PID:11312
- C:\Windows\System\GTlANoe.exe
  C:\Windows\System\GTlANoe.exe
  2⤵
  PID:11340
- C:\Windows\System\hDgZIvE.exe
  C:\Windows\System\hDgZIvE.exe
  2⤵
  PID:11364
- C:\Windows\System\bmWqXCD.exe
  C:\Windows\System\bmWqXCD.exe
  2⤵
  PID:11384
- C:\Windows\System\oFpHgUX.exe
  C:\Windows\System\oFpHgUX.exe
  2⤵
  PID:11408
- C:\Windows\System\lrEJtNe.exe
  C:\Windows\System\lrEJtNe.exe
  2⤵
  PID:11428
- C:\Windows\System\KdQJBBl.exe
  C:\Windows\System\KdQJBBl.exe
  2⤵
  PID:11468
- C:\Windows\System\GyXQAJc.exe
  C:\Windows\System\GyXQAJc.exe
  2⤵
  PID:11492
- C:\Windows\System\lCaYLPL.exe
  C:\Windows\System\lCaYLPL.exe
  2⤵
  PID:11536
- C:\Windows\System\IiFqNxu.exe
  C:\Windows\System\IiFqNxu.exe
  2⤵
  PID:11564
- C:\Windows\System\qIcRPve.exe
  C:\Windows\System\qIcRPve.exe
  2⤵
  PID:11584
- C:\Windows\System\auGcMUv.exe
  C:\Windows\System\auGcMUv.exe
  2⤵
  PID:11600
- C:\Windows\System\CSmJquw.exe
  C:\Windows\System\CSmJquw.exe
  2⤵
  PID:11620
- C:\Windows\System\cXbVTJf.exe
  C:\Windows\System\cXbVTJf.exe
  2⤵
  PID:11652
- C:\Windows\System\pgNsrsB.exe
  C:\Windows\System\pgNsrsB.exe
  2⤵
  PID:11720
- C:\Windows\System\VBBuprw.exe
  C:\Windows\System\VBBuprw.exe
  2⤵
  PID:11740
- C:\Windows\System\wGknOwL.exe
  C:\Windows\System\wGknOwL.exe
  2⤵
  PID:11772
- C:\Windows\System\BBtxfDb.exe
  C:\Windows\System\BBtxfDb.exe
  2⤵
  PID:11808
- C:\Windows\System\JhExqUN.exe
  C:\Windows\System\JhExqUN.exe
  2⤵
  PID:11828
- C:\Windows\System\NyOvxHs.exe
  C:\Windows\System\NyOvxHs.exe
  2⤵
  PID:11856
- C:\Windows\System\pdHspYt.exe
  C:\Windows\System\pdHspYt.exe
  2⤵
  PID:11880
- C:\Windows\System\OycPxBr.exe
  C:\Windows\System\OycPxBr.exe
  2⤵
  PID:11924
- C:\Windows\System\SBsHRHZ.exe
  C:\Windows\System\SBsHRHZ.exe
  2⤵
  PID:11956
- C:\Windows\System\TrjrzXN.exe
  C:\Windows\System\TrjrzXN.exe
  2⤵
  PID:11996
- C:\Windows\System\EBBcRus.exe
  C:\Windows\System\EBBcRus.exe
  2⤵
  PID:12020
- C:\Windows\System\SGxWzsQ.exe
  C:\Windows\System\SGxWzsQ.exe
  2⤵
  PID:12040
- C:\Windows\System\BuDmCgB.exe
  C:\Windows\System\BuDmCgB.exe
  2⤵
  PID:12096
- C:\Windows\System\FXNKaCj.exe
  C:\Windows\System\FXNKaCj.exe
  2⤵
  PID:12112
- C:\Windows\System\lAqEmiD.exe
  C:\Windows\System\lAqEmiD.exe
  2⤵
  PID:12128
- C:\Windows\System\gusCWLG.exe
  C:\Windows\System\gusCWLG.exe
  2⤵
  PID:12148
- C:\Windows\System\buvRzPf.exe
  C:\Windows\System\buvRzPf.exe
  2⤵
  PID:12188
- C:\Windows\System\vcnBmHC.exe
  C:\Windows\System\vcnBmHC.exe
  2⤵
  PID:12212
- C:\Windows\System\QpKMjbc.exe
  C:\Windows\System\QpKMjbc.exe
  2⤵
  PID:12232
- C:\Windows\System\sUHgcgh.exe
  C:\Windows\System\sUHgcgh.exe
  2⤵
  PID:12252
- C:\Windows\System\DDqrPuB.exe
  C:\Windows\System\DDqrPuB.exe
  2⤵
  PID:11204
- C:\Windows\System\ecRoKZT.exe
  C:\Windows\System\ecRoKZT.exe
  2⤵
  PID:11292
- C:\Windows\System\KDhFKRw.exe
  C:\Windows\System\KDhFKRw.exe
  2⤵
  PID:11328
- C:\Windows\System\ItzpDyE.exe
  C:\Windows\System\ItzpDyE.exe
  2⤵
  PID:11416
- C:\Windows\System\YCViMiq.exe
  C:\Windows\System\YCViMiq.exe
  2⤵
  PID:11456
- C:\Windows\System\JmKJKeT.exe
  C:\Windows\System\JmKJKeT.exe
  2⤵
  PID:11544
- C:\Windows\System\xjiiaRN.exe
  C:\Windows\System\xjiiaRN.exe
  2⤵
  PID:11644
- C:\Windows\System\mrjyfQz.exe
  C:\Windows\System\mrjyfQz.exe
  2⤵
  PID:11732
- C:\Windows\System\OqjJIqw.exe
  C:\Windows\System\OqjJIqw.exe
  2⤵
  PID:11768
- C:\Windows\System\vsPIdwW.exe
  C:\Windows\System\vsPIdwW.exe
  2⤵
  PID:11844
- C:\Windows\System\PQrtIUr.exe
  C:\Windows\System\PQrtIUr.exe
  2⤵
  PID:11904
- C:\Windows\System\jYLpEdy.exe
  C:\Windows\System\jYLpEdy.exe
  2⤵
  PID:11952
- C:\Windows\System\ycSOsyk.exe
  C:\Windows\System\ycSOsyk.exe
  2⤵
  PID:12004
- C:\Windows\System\VMJdAXr.exe
  C:\Windows\System\VMJdAXr.exe
  2⤵
  PID:12068
- C:\Windows\System\usVhSDe.exe
  C:\Windows\System\usVhSDe.exe
  2⤵
  PID:12124
- C:\Windows\System\eNcCtni.exe
  C:\Windows\System\eNcCtni.exe
  2⤵
  PID:12140
- C:\Windows\System\NvopImA.exe
  C:\Windows\System\NvopImA.exe
  2⤵
  PID:12180
- C:\Windows\System\rGKQhAg.exe
  C:\Windows\System\rGKQhAg.exe
  2⤵
  PID:11284
- C:\Windows\System\IHuUKJh.exe
  C:\Windows\System\IHuUKJh.exe
  2⤵
  PID:11572
- C:\Windows\System\lYbWxKM.exe
  C:\Windows\System\lYbWxKM.exe
  2⤵
  PID:11684
- C:\Windows\System\GsfbaGE.exe
  C:\Windows\System\GsfbaGE.exe
  2⤵
  PID:11760
- C:\Windows\System\WvfHyQD.exe
  C:\Windows\System\WvfHyQD.exe
  2⤵
  PID:11868
- C:\Windows\System\RiLRzEf.exe
  C:\Windows\System\RiLRzEf.exe
  2⤵
  PID:11968
- C:\Windows\System\icHNCQE.exe
  C:\Windows\System\icHNCQE.exe
  2⤵
  PID:12144
- C:\Windows\System\GXnphSk.exe
  C:\Windows\System\GXnphSk.exe
  2⤵
  PID:11576
- C:\Windows\System\YPBLeeZ.exe
  C:\Windows\System\YPBLeeZ.exe
  2⤵
  PID:11592
- C:\Windows\System\UyotMhu.exe
  C:\Windows\System\UyotMhu.exe
  2⤵
  PID:11748
- C:\Windows\System\JOupyDt.exe
  C:\Windows\System\JOupyDt.exe
  2⤵
  PID:12108
- C:\Windows\System\NmrZnRh.exe
  C:\Windows\System\NmrZnRh.exe
  2⤵
  PID:12308
- C:\Windows\System\cSLeeTp.exe
  C:\Windows\System\cSLeeTp.exe
  2⤵
  PID:12332
- C:\Windows\System\DctSNIr.exe
  C:\Windows\System\DctSNIr.exe
  2⤵
  PID:12352
- C:\Windows\System\rXxSNLM.exe
  C:\Windows\System\rXxSNLM.exe
  2⤵
  PID:12376
- C:\Windows\System\KvtdScy.exe
  C:\Windows\System\KvtdScy.exe
  2⤵
  PID:12408
- C:\Windows\System\xsciDKF.exe
  C:\Windows\System\xsciDKF.exe
  2⤵
  PID:12444
- C:\Windows\System\tkmmwdp.exe
  C:\Windows\System\tkmmwdp.exe
  2⤵
  PID:12464
- C:\Windows\System\OFVniaz.exe
  C:\Windows\System\OFVniaz.exe
  2⤵
  PID:12504
- C:\Windows\System\lgNTwAl.exe
  C:\Windows\System\lgNTwAl.exe
  2⤵
  PID:12528
- C:\Windows\System\NWPZxwF.exe
  C:\Windows\System\NWPZxwF.exe
  2⤵
  PID:12548
- C:\Windows\System\mVkdZDM.exe
  C:\Windows\System\mVkdZDM.exe
  2⤵
  PID:12580
- C:\Windows\System\PhIqIce.exe
  C:\Windows\System\PhIqIce.exe
  2⤵
  PID:12604
- C:\Windows\System\dXZHpzY.exe
  C:\Windows\System\dXZHpzY.exe
  2⤵
  PID:12644
- C:\Windows\System\dIBLGcp.exe
  C:\Windows\System\dIBLGcp.exe
  2⤵
  PID:12684
- C:\Windows\System\MccWxld.exe
  C:\Windows\System\MccWxld.exe
  2⤵
  PID:12708
- C:\Windows\System\wPiThgJ.exe
  C:\Windows\System\wPiThgJ.exe
  2⤵
  PID:12732
- C:\Windows\System\KJykHVi.exe
  C:\Windows\System\KJykHVi.exe
  2⤵
  PID:12756
- C:\Windows\System\UyPtfbv.exe
  C:\Windows\System\UyPtfbv.exe
  2⤵
  PID:12784
- C:\Windows\System\ZSPzdoB.exe
  C:\Windows\System\ZSPzdoB.exe
  2⤵
  PID:12812
- C:\Windows\System\lWpTwEX.exe
  C:\Windows\System\lWpTwEX.exe
  2⤵
  PID:12836
- C:\Windows\System\YrXHorA.exe
  C:\Windows\System\YrXHorA.exe
  2⤵
  PID:12856
- C:\Windows\System\gqJwJaG.exe
  C:\Windows\System\gqJwJaG.exe
  2⤵
  PID:12876
- C:\Windows\System\SnRkBTj.exe
  C:\Windows\System\SnRkBTj.exe
  2⤵
  PID:12904
- C:\Windows\System\iSzGbUB.exe
  C:\Windows\System\iSzGbUB.exe
  2⤵
  PID:12948
- C:\Windows\System\mlAaCMf.exe
  C:\Windows\System\mlAaCMf.exe
  2⤵
  PID:12968
- C:\Windows\System\kVuBYtr.exe
  C:\Windows\System\kVuBYtr.exe
  2⤵
  PID:12996
- C:\Windows\System\yGINrPF.exe
  C:\Windows\System\yGINrPF.exe
  2⤵
  PID:13048
- C:\Windows\System\oijOwMB.exe
  C:\Windows\System\oijOwMB.exe
  2⤵
  PID:13068
- C:\Windows\System\cVTPyEd.exe
  C:\Windows\System\cVTPyEd.exe
  2⤵
  PID:13088
- C:\Windows\System\hYRXseN.exe
  C:\Windows\System\hYRXseN.exe
  2⤵
  PID:13104
- C:\Windows\System\KgwtOoD.exe
  C:\Windows\System\KgwtOoD.exe
  2⤵
  PID:13124
- C:\Windows\System\ivQUUjk.exe
  C:\Windows\System\ivQUUjk.exe
  2⤵
  PID:13148
- C:\Windows\System\QlBbvLC.exe
  C:\Windows\System\QlBbvLC.exe
  2⤵
  PID:13172
- C:\Windows\System\lwIuNnj.exe
  C:\Windows\System\lwIuNnj.exe
  2⤵
  PID:13196
- C:\Windows\System\GKxurjA.exe
  C:\Windows\System\GKxurjA.exe
  2⤵
  PID:12360
- C:\Windows\System\ljqdUFn.exe
  C:\Windows\System\ljqdUFn.exe
  2⤵
  PID:2772
- C:\Windows\System\sUfiXpZ.exe
  C:\Windows\System\sUfiXpZ.exe
  2⤵
  PID:12344
- C:\Windows\System\pIazQvd.exe
  C:\Windows\System\pIazQvd.exe
  2⤵
  PID:3404
- C:\Windows\System\QZsqvEP.exe
  C:\Windows\System\QZsqvEP.exe
  2⤵
  PID:12420
- C:\Windows\System\ZyPoYXg.exe
  C:\Windows\System\ZyPoYXg.exe
  2⤵
  PID:12484
- C:\Windows\System\bnNHRKR.exe
  C:\Windows\System\bnNHRKR.exe
  2⤵
  PID:12520
- C:\Windows\System\KbWPqEO.exe
  C:\Windows\System\KbWPqEO.exe
  2⤵
  PID:12568
- C:\Windows\System\aJtjczL.exe
  C:\Windows\System\aJtjczL.exe
  2⤵
  PID:12848
- C:\Windows\System\oEsNaoj.exe
  C:\Windows\System\oEsNaoj.exe
  2⤵
  PID:12896
- C:\Windows\System\LhbCacY.exe
  C:\Windows\System\LhbCacY.exe
  2⤵
  PID:13260
- C:\Windows\System\BCrlUOb.exe
  C:\Windows\System\BCrlUOb.exe
  2⤵
  PID:13288
- C:\Windows\System\tnsepeh.exe
  C:\Windows\System\tnsepeh.exe
  2⤵
  PID:12320
- C:\Windows\System\FHGRbIg.exe
  C:\Windows\System\FHGRbIg.exe
  2⤵
  PID:3140
- C:\Windows\System\LgJJHNQ.exe
  C:\Windows\System\LgJJHNQ.exe
  2⤵
  PID:12460
- C:\Windows\System\hziVShO.exe
  C:\Windows\System\hziVShO.exe
  2⤵
  PID:12512
- C:\Windows\System\QsybYub.exe
  C:\Windows\System\QsybYub.exe
  2⤵
  PID:12628
- C:\Windows\System\jyjtXhx.exe
  C:\Windows\System\jyjtXhx.exe
  2⤵
  PID:10800
- C:\Windows\System\aqkibrX.exe
  C:\Windows\System\aqkibrX.exe
  2⤵
  PID:12304
- C:\Windows\System\zBgHOdI.exe
  C:\Windows\System\zBgHOdI.exe
  2⤵
  PID:12680
- C:\Windows\System\jlLyJEC.exe
  C:\Windows\System\jlLyJEC.exe
  2⤵
  PID:12928
- C:\Windows\System\IvwKtXi.exe
  C:\Windows\System\IvwKtXi.exe
  2⤵
  PID:3460
- C:\Windows\System\WpMscSo.exe
  C:\Windows\System\WpMscSo.exe
  2⤵
  PID:12472
- C:\Windows\System\wmmoTWY.exe
  C:\Windows\System\wmmoTWY.exe
  2⤵
  PID:12324
- C:\Windows\System\wAPJafq.exe
  C:\Windows\System\wAPJafq.exe
  2⤵
  PID:13272
- C:\Windows\System\PZjXAbh.exe
  C:\Windows\System\PZjXAbh.exe
  2⤵
  PID:1924
- C:\Windows\System\QtJNuAr.exe
  C:\Windows\System\QtJNuAr.exe
  2⤵
  PID:3200
- C:\Windows\System\nfvhAtA.exe
  C:\Windows\System\nfvhAtA.exe
  2⤵
  PID:13084
- C:\Windows\System\arWhKwG.exe
  C:\Windows\System\arWhKwG.exe
  2⤵
  PID:992
- C:\Windows\System\FUcKGUz.exe
  C:\Windows\System\FUcKGUz.exe
  2⤵
  PID:1356
- C:\Windows\System\WcdEgrD.exe
  C:\Windows\System\WcdEgrD.exe
  2⤵
  PID:4964
- C:\Windows\System\zoFlXNt.exe
  C:\Windows\System\zoFlXNt.exe
  2⤵
  PID:12364
- C:\Windows\System\lfzWHZA.exe
  C:\Windows\System\lfzWHZA.exe
  2⤵
  PID:2384
- C:\Windows\System\SdIJZyD.exe
  C:\Windows\System\SdIJZyD.exe
  2⤵
  PID:3028
- C:\Windows\System\JoTdgYn.exe
  C:\Windows\System\JoTdgYn.exe
  2⤵
  PID:3344
- C:\Windows\System\KGMwTfD.exe
  C:\Windows\System\KGMwTfD.exe
  2⤵
  PID:3956
- C:\Windows\System\lSQvjPH.exe
  C:\Windows\System\lSQvjPH.exe
  2⤵
  PID:3160
- C:\Windows\System\XUeFKCw.exe
  C:\Windows\System\XUeFKCw.exe
  2⤵
  PID:3928
- C:\Windows\System\XuJAGkf.exe
  C:\Windows\System\XuJAGkf.exe
  2⤵
  PID:4012
- C:\Windows\System\vlfnuPp.exe
  C:\Windows\System\vlfnuPp.exe
  2⤵
  PID:4080
- C:\Windows\System\HcVubLe.exe
  C:\Windows\System\HcVubLe.exe
  2⤵
  PID:4636

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:440

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3588

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:5008

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmffa1yb.32d.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BRWPgzA.exe

Filesize
1.9MB

MD5
d6fa4a0740b01c010739fc5ab8c03573

SHA1
1a58102cd6c0879a6be09707501ce06d1adf5de4

SHA256
ef4108e94aa49cf7959bb5dec24bff88266767f6c785103348fe13476806959b

SHA512
843a122016c58b965085d8d49549008cebeb21b56f85e020248bf0e2f9c6598d584a59a09c2021cc660b118a5726ccd65926261706fbc617de5a997d3b8aae56

Download Submit
C:\Windows\System\BTMQQcp.exe

Filesize
1.9MB

MD5
b55e51485dbc7c9d7d23664c8c85a615

SHA1
dbd217a517259ae16aad86f266cb1fb054194526

SHA256
0f072f21048d9de5d3e349299dbb6cc4d422b492926be860590016a0db577f8c

SHA512
8a9fde5353a7b9d9330b20f39d7b0a0ed8524cdc78ca2e802daf8def51966c3c0a00df2ec423fbd60140c22d8ac7ad5a38856f3004955c1e135856f5ac76f464

Download Submit
C:\Windows\System\DCUTpsk.exe

Filesize
1.9MB

MD5
229441db13cb7528abdecf444e7320ff

SHA1
376481e52d4e83cda9e85f53ae8416c22e0baaff

SHA256
d95dbacf2e2377f4ee77368627dc61a9c45f1bc50dc67d83e0f01e23261a5cbc

SHA512
cea5c053b049d79fc52a60dd103fe4be25a987206bd410a9236ee66acdad814f49ad3d13c07e750a28bdc4ef2b4f1e8f8480c8bbc75d7cdd053401acf8dd079c

Download Submit
C:\Windows\System\EfljVTx.exe

Filesize
1.9MB

MD5
a61d7f72e46618a4e72c526c74dbd81c

SHA1
eb1df39207f8a81120fbb4b9bec241d3a23312e7

SHA256
089b5be40d62d60cc863dc33647229b8a19d2e49b2a5385b6d40197fbb1dccbc

SHA512
1105376c4d4881e009e417833e82c658289e191c77cec902869912e60b6212ae0f931792e56c3a7b69c9319013cd1dcc0da4bbaf0785163861c6c2100f96a13d

Download Submit
C:\Windows\System\ExeKNVt.exe

Filesize
1.9MB

MD5
da24a608f4c328254b763fa92712ffa6

SHA1
6e8afae651bdfeb2680da57e4f418579dfd6db09

SHA256
6a6301eb21f0809f08c259f0a4443007e15a57fbf3c19d06a66694eb15fc45fb

SHA512
eef7a44904ca3243a8c861fd0e16d47bdccea40bc9a2ff091416ab2666b9a66e8054bf0784a78bd9fb46444454a2d66a9a6f1addadb7e51647d098804621353b

Download Submit
C:\Windows\System\FQASksQ.exe

Filesize
1.9MB

MD5
f984a234135f48bcd8c50cbaa5c4bb83

SHA1
5c6d1ee0ad67abd0e3ce574f3e17bfd12bb95f3e

SHA256
1cd9a03821d73b582b52879bc5ddf394641ea908277a8bca8886cbd4191a95d6

SHA512
3c22bcbe678520156919b40a6b218d6a1d329e954745f8182a1950bb81186128dc5ee1fb2517cb37c1a84a60913f9e3c44b978ff14adb5de098cb668ef6147e8

Download Submit
C:\Windows\System\GEONdgk.exe

Filesize
1.9MB

MD5
0ff3086be9ae51e2bdc73b5fa66e2907

SHA1
034c229b1dc0d44458aa61114aceae3a7d482df9

SHA256
6daabbaa34c1822530cb0fd2bf5ce370784503253c723b649765bd20630a3de3

SHA512
feb4d47d10447d14121896fd3fc9591b85bb30b9ee61366aab508a53e069d6d6920a0ffd59a49b5058e2376306a30cd5be21076a3a913f6989646de37e179bb9

Download Submit
C:\Windows\System\GJOWQBh.exe

Filesize
1.9MB

MD5
e9cd7f3a0dc335ac32fd56941fc7f832

SHA1
16c3415f4808a9c1892d517dfa5668e7137ec545

SHA256
c6ff81c6761ee33ffe1bde9ca83e309bfdd9373bc624246f7b7579373c773eed

SHA512
c1ba9558ee4f041e16918e41f653cefbc1e156f44bcb737d27d47169b1321b3a91e52b1ca6388dad98075ea849af98da0a56d87615d9907cc671026a9cf90b8f

Download Submit
C:\Windows\System\HVUMObw.exe

Filesize
1.9MB

MD5
519c0aebf545cb4fb08b1811faec7f50

SHA1
627cb1200e7373658b7764c61f2f3b7ac7b9aea5

SHA256
fe9bacb152dd8e8e92a5df55896743c710e3ac79525b2caceec9aacc6f44b47e

SHA512
81f9a11a59e271545c6595b5db8180af91d5a34b130d8218897e9a3a9e5f3a5769955788f31f2ea4647943821ee77cfc1e625f2ae58230c23aa22f719c489853

Download Submit
C:\Windows\System\IxvLoTE.exe

Filesize
1.9MB

MD5
8a4334c73a505c1c7afcd9a9ca428647

SHA1
ec3d7a772590f551765b6c60480a92aedbdf5541

SHA256
19742a58500d76af4d84a08000469eb780eff43b8046251b0739ebc5c7884b50

SHA512
fd4c0ea2031328dbc050243075ee34992d9ef68a109be16a3ca7b81d5d649f18bf8d2183170c187c13e75cac3432e314c45250eec14f083b14ffc99f79ea1763

Download Submit
C:\Windows\System\LnqsudC.exe

Filesize
8B

MD5
a8f2921c80c15a3d426e5fdff8a56196

SHA1
4dc21bf95e22427a9dafcd4930e81b62e77d5fda

SHA256
7e9bbeeba45dae16f8c444596ee4180d7313e899e46fa6263fde6904f32d92a1

SHA512
996666f646b1878ee129a778184f9520541ee458797b8bfaefed6e1f152a5436e0ff19d28744463b706ffe3e24e429f5af102aa1e7733dbeeb6210754c828802

Download Submit
C:\Windows\System\NDBmtlj.exe

Filesize
1.9MB

MD5
38d2aa4c6d150b66c3ce9df3f4bfc8ba

SHA1
1eb6901b9dc480d82a28d3ef444b03b1488e75c1

SHA256
573c15d513e831ec8e02ef87bba6748c63232b55b96d270139b26c6ead139d05

SHA512
50137b25eb768cc63f59c89e30ec00fb5dbd2e3a8fb4921e51cbaa655ab079f28171b724369e8de46e417d9cf05aee1b31fcc1ff1c52783ab1aad27d85dd78e1

Download Submit
C:\Windows\System\NiLlplC.exe

Filesize
1.9MB

MD5
0211b6bd285ea1b83d04afaaf0494a0b

SHA1
3993e8e77d7516e8bd1ec4cd33d528dd82bec7c6

SHA256
c38a1d5e62ed6494dbdbf836fc77e0dcea31bc2de0859f58221089469ab6cbb6

SHA512
f31c581a18fb393c74f9bf57428298aa74d596cd6e6c2d5ff17c518287ddb6d027a6ebe6f76b25eca1794f79fde7b56ea5e7fc8270e9870dcc1af4d24a201658

Download Submit
C:\Windows\System\RNfWJxW.exe

Filesize
1.9MB

MD5
9612a005bdc0ff9c9d3b646cd538d2c3

SHA1
3b5d4880bae9d03327c9c81a791d2821ccb25252

SHA256
0365dbcc057f2fc8f6bef8b65bae7015567b194c3a959e778f9cd3b2492638ee

SHA512
979da970667595628d1e26fe971ae143dfb8f0948713deab585afc8f9d9e660dcd71e7a81dea728fbfd119c0c15664fa3b4049aade99105637f309c5ce257038

Download Submit
C:\Windows\System\STgKVBv.exe

Filesize
1.9MB

MD5
5ff12ae6bec149330da9da0017556c81

SHA1
f126137d33c04f45ff2559167f0a418a7c4ea92b

SHA256
025d435c8570b569a52babfe0e950c49408c46ff0c013cb86ad20939217ecd0e

SHA512
d4a3885c672ec8d5dd947e57ea9d01852c13f26cdad8f814dc0be07e26c08343ca456f59b89788b8c76e3122bf09c0b450b3139e37870f8c04e17b7d71978c12

Download Submit
C:\Windows\System\SdkEVEO.exe

Filesize
1.9MB

MD5
d0316430f6b0dd3e43d36cd9ef444453

SHA1
7aa22799257ccc80bbc4fca304897652a211dff1

SHA256
b87d00cae8b6577fd24e1e1ee1ab7efec8137b52e84cba990bbd6b002757f36d

SHA512
1a9f60397b928e2a43ea1f3585acb88b9df50b1197f54dc66066de0e3bf0e6a7dbba6ec7e8f34810f8af55f4d24df158a6ccd17eeb2e0babfbfcabae7f4dda86

Download Submit
C:\Windows\System\TwhlRTI.exe

Filesize
1.9MB

MD5
69d4046bb24480e43d3be859757239e0

SHA1
60cb7273f724b32736ed813244c53cbfd1d51d7d

SHA256
0740d7febb5681c9f2fed81de13fb9d60314a6b855e2da0df9aca6c639f29324

SHA512
ffe19b7622c853741eb933b7adb0d1e12b55c0bc8678968701993cdd5aa9dd63758b011b47fcb5708d24b2f112b3f4443ad996df165aee6b07a5ec35dee50114

Download Submit
C:\Windows\System\UqiYgOv.exe

Filesize
1.9MB

MD5
4fa8284cdbfc1a6bd2cc5e9bc06657e6

SHA1
746d754e7c3445d688c18918feeedf95f0f35a2d

SHA256
166b08d99939a09af0847430609c025be8790b4d6a20543c82f741d2b87ef73a

SHA512
2992a5cc742d367430c9dcb7623e5b180aaf3696d25ab8de12b7dfa88e6401224dbf0de4e76269685955a9ead977a161d52fc4fa8443853388c2beafa3b59a13

Download Submit
C:\Windows\System\UxDWovM.exe

Filesize
1.9MB

MD5
ecf0db44b77aee6ae22f642cda7bb574

SHA1
dffce83c406d95516ab36df4c3a28c0343c8d714

SHA256
a517eab6b88ca5e9b8c5bd10b697174651486ada2e5f65865691da9525680d47

SHA512
7174503fbe66bd9c9e63e68b9d21e32b2e5458219486c1bdfdca61f872aa6255d4de87dc502a45fe6733d0cbbf6790a55543904dcc139bdcfae44abfb8d08549

Download Submit
C:\Windows\System\VnVemNy.exe

Filesize
1.9MB

MD5
d3e2bd6ce7cffd2407ec3e38ef4dde1a

SHA1
1c74c3a175a7e61d4319c125aef63617f8f2acbe

SHA256
0fdb671bd63707e8057d786e9868a2b6e53fc8ea72dcbeb1d86abe595ce4cc6b

SHA512
7f481aaa2473f608759352bd9dc55596b0888ee4e1f0c9ba382fcaa95714f7f51e126f32454082b602d4f1360f49c0a19f7ffd1c7fdab05c346f47d960d9d7a6

Download Submit
C:\Windows\System\VqNtVjv.exe

Filesize
1.9MB

MD5
9e5272e0c52c3cbe5b98afda26d467d8

SHA1
2207a8cc60a6f214824a2cf9d45f67e9e25bb97c

SHA256
92f7258e828d2c7aab88e303d62febc93608dcff8d1279d4b5d39746145765b7

SHA512
e2a056b4178afd9f7d3d50420196551538fd7b2d653c9db41e701db8d3ceefbd692e7cf9e01c154937e7bcda443e0cec1b9de2315dc39fd988f7875aea1618bd

Download Submit
C:\Windows\System\WHXZXgl.exe

Filesize
1.9MB

MD5
5a69c34c1e4e13cb1d3113fecf6f04fb

SHA1
18ed8d54c884e72f0607f15b830c4a66f959732e

SHA256
bf816ba95af1f7a7f64e4b54b999635f1d9467fa0fae9c1a37cdbbf1ecc2c46f

SHA512
7cfaf5192609805811267bc0f12b742fae3f50416deb9a02e986d263fb9de7befd787b5fe4261f2703171cd4d7b89c688766a5fffe4e4a671fdaebcb96695654

Download Submit
C:\Windows\System\XCprKzE.exe

Filesize
1.9MB

MD5
2e4b744179b221ad9d3bb9e5de04bccc

SHA1
07dedbe002a6417a613ca4bcddbdb5d6e8c32c14

SHA256
244d7d8520179b3437b19d4f6a169a8f934498fca599142a4bf7859c803def9c

SHA512
56f86e99fa4c8d14420cb82df7ae8c61cdff672b06a27aca5ad946ab14e24052909056fbdccd040eca4443d0c84c091922b5bf0a541f8edb233070a42376b643

Download Submit
C:\Windows\System\XLQHUKN.exe

Filesize
1.9MB

MD5
5277fda9c38062c0999146e23345ba29

SHA1
159f8b9f57133eb36e9ce3e005a699115d42e75d

SHA256
48a9ce4f5d7e40633df70a2bdfe85fa4f773dc5b136df435d0445710d565a00e

SHA512
49330896fe3f982bcfdb16466f7cef6eea96d66b2a04931132dbb0ddcb627fcb573f053a5d738b379d7ff2ea0ffe1c7dcc12eafdc4855416e6e578a85d16d78b

Download Submit
C:\Windows\System\alaIThM.exe

Filesize
1.9MB

MD5
b39b88be8f94c184361c5be0fb9a115c

SHA1
cb6794bd7f273dec9bbd58a70a822e466e205a47

SHA256
b5b4d38a67db5f97349d030fafbf3e6c37aec2f5f5ace7d0aec2c6080061c368

SHA512
dc5ae256fd038f5946b6d4dde7d8c8109c7da57d9a38f93a216073eb6c2cb845a4391eb694859d282e8639e06ed42a3b0b38a3c016273564f0c0331f36282921

Download Submit
C:\Windows\System\cwPJMUx.exe

Filesize
1.9MB

MD5
c078b6b5c3487521dadb7178b723a40b

SHA1
8928d7e3efbdbdd150b40e54f02ee80dec683ae4

SHA256
c7fa6945886c204cb8e328c44a372e30faa94dd6fd05c57b69f09e55c13c60bf

SHA512
59803d1083a7b2acc947f434ce088448b50a47b8c19cd8791722465ffa67e5293c404e9e14545b2736424ee229b55d6e6fe9a82b4af0757d20305536205ea9ed

Download Submit
C:\Windows\System\dpUDmVN.exe

Filesize
1.9MB

MD5
d56eae28d9dfe98f92e55e92b9ba240e

SHA1
469609745639e61477c6911c347e73e2e34346c8

SHA256
9a487ca6d63b1595c232875fa988c34b76186af09ede50df6d455c7d30e61ebc

SHA512
e301410ad1c70f09f6e783cdbef569ef669a6f4b3ab513c0ea79dd336d7b1d3f552ea9654e2418d87bb6e5abd1765b5bb1f7e19f8d47c054c3105a89d2e48f1c

Download Submit
C:\Windows\System\gmoiTOr.exe

Filesize
1.9MB

MD5
7bc183dc17b77f316ec78c9d0aec5890

SHA1
06eea5ee080be824d366a75cd119c3d70e1e4227

SHA256
e3ee0b38648a6c8ab61a9342d33a7819d29669053905f383cc0e5cfc4e3ce3cd

SHA512
e189551d81e3b0047a4e7ab989ee5886ffe9fa178fa6af718ec32e1e9e0b2a2c62d3564494f45a546aeec4da57923ab2a7569beb873fa552e60a6cfc28192de5

Download Submit
C:\Windows\System\qDAsbeR.exe

Filesize
1.9MB

MD5
575bccc243d4e98dd069e603bacc70e7

SHA1
9db43a34d34ca768fb11b1267dc9bcd9356b827a

SHA256
b1590f96f03122fc1b226783832c4fcee8165125068cd90ec75fb315b1e76783

SHA512
b518c66fdc50b8df48bfd1c3070462c1a5af6192816e61a2712982ebbdb468a3a12fb2ddaf2008677d93a366c4799bff56f04db18b15f25b7c41e9c5add5368e

Download Submit
C:\Windows\System\rtrLdLC.exe

Filesize
1.9MB

MD5
e7c724d3003ec2c0d08ad887d951c7df

SHA1
771380782d31a25d91c8674da65d71dba512f3af

SHA256
e7dfad0ba0ad9a869fb83416959b620075cd4229958a8ada34d3c64e666f598d

SHA512
6ed1aca5bcabb39b93b276ced04873400fedbd8d2ccae528d273e3f6c58b4388d32e77637cc54b797e5cb9412d13a1c00a63d7c62f3c93e341de3e77d08fca11

Download Submit
C:\Windows\System\weuhRfr.exe

Filesize
1.9MB

MD5
b9627090e2ede038c508b9835f9c40e4

SHA1
4f7712e3b172185bff39c8320270db00de6936a7

SHA256
89e5bcc49a071737ca6af6ea6bd3a59df07a0f89db56c4e9e663607466f9ac1d

SHA512
c5b0237aee333312ea52fe994dfb186a570f668ac81045c8fe933b1d6b46e06e17b095d7115e2d10f7cef1d29c132fcc387e7c6de9eedb31313f6a7776c02ef5

Download Submit
C:\Windows\System\xDowzTa.exe

Filesize
1.9MB

MD5
52e320329372b3a68887970bf6ccd806

SHA1
3e4487702d37227bdf791406280dc1f4d3dc4575

SHA256
81c517d141fc545c6ee2b5ff46d8e20b5ce9538397a4f7ff1e8b0a269b8983f8

SHA512
0c5a15fa04bb52aa697a3af703e3e88cc100e43b5d3dea522fb9963030820bb2052ebb62a24cb9116ffc5e0b907c769f44dfb7bd7347b491dfbe5d4cd195c82c

Download Submit
C:\Windows\System\yGxUhKp.exe

Filesize
1.9MB

MD5
a04f9382f2f81cb29e2a1aa31e9cadbe

SHA1
5a67dd8fddc629c4905927a87809cc0c38a7711b

SHA256
44f7f4f2871cf417f2cb574eddd8951f6778ea9d7b4938b65d5f72e7cea422b4

SHA512
577582e75ef2b7c93209efd7cc8e2661907da8843baee6d67d7f845fd3d6a72e618893a4a724447818656d7e33299c6d1d77d1d009680f5f1c39422b7883e9b6

Download Submit
C:\Windows\System\yqnNJfe.exe

Filesize
1.9MB

MD5
52fece8cb210d427f894e5216ca3eab2

SHA1
8683fa1e4ac4d3c348e2063c2452b646e4441dd6

SHA256
0f3ff255fb712e7b539a317df9874c8b1adb6cf128f28fcc0203f2889cda77fd

SHA512
24f1b204acaf9cd6b6b1975f0c34178422ac6f5205df1a8951bdea74f6d59a6e232882d40e34301bfd8daf2b4d02b81825492f8f2cd48ce2a13a27bda4963d6c

Download Submit
memory/232-550-0x00007FF797B50000-0x00007FF797F42000-memory.dmp

Filesize
3.9MB

Download
memory/232-3171-0x00007FF797B50000-0x00007FF797F42000-memory.dmp

Filesize
3.9MB

Download
memory/640-3144-0x00007FF653570000-0x00007FF653962000-memory.dmp

Filesize
3.9MB

Download
memory/640-581-0x00007FF653570000-0x00007FF653962000-memory.dmp

Filesize
3.9MB

Download
memory/1000-3172-0x00007FF64DB80000-0x00007FF64DF72000-memory.dmp

Filesize
3.9MB

Download
memory/1000-541-0x00007FF64DB80000-0x00007FF64DF72000-memory.dmp

Filesize
3.9MB

Download
memory/1288-1-0x0000019E99000000-0x0000019E99010000-memory.dmp

Filesize
64KB

Download
memory/1288-0-0x00007FF7D2310000-0x00007FF7D2702000-memory.dmp

Filesize
3.9MB

Download
memory/1448-52-0x00007FF776A30000-0x00007FF776E22000-memory.dmp

Filesize
3.9MB

Download
memory/1448-3123-0x00007FF776A30000-0x00007FF776E22000-memory.dmp

Filesize
3.9MB

Download
memory/1588-3142-0x00007FF745DB0000-0x00007FF7461A2000-memory.dmp

Filesize
3.9MB

Download
memory/1588-489-0x00007FF745DB0000-0x00007FF7461A2000-memory.dmp

Filesize
3.9MB

Download
memory/2036-490-0x00007FF615560000-0x00007FF615952000-memory.dmp

Filesize
3.9MB

Download
memory/2036-3135-0x00007FF615560000-0x00007FF615952000-memory.dmp

Filesize
3.9MB

Download
memory/2044-34-0x00007FF713BA0000-0x00007FF713F92000-memory.dmp

Filesize
3.9MB

Download
memory/2044-3125-0x00007FF713BA0000-0x00007FF713F92000-memory.dmp

Filesize
3.9MB

Download
memory/2068-3128-0x00007FF703FF0000-0x00007FF7043E2000-memory.dmp

Filesize
3.9MB

Download
memory/2068-3115-0x00007FF703FF0000-0x00007FF7043E2000-memory.dmp

Filesize
3.9MB

Download
memory/2068-40-0x00007FF703FF0000-0x00007FF7043E2000-memory.dmp

Filesize
3.9MB

Download
memory/2356-18-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp

Filesize
3.9MB

Download
memory/2356-3120-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp

Filesize
3.9MB

Download
memory/2356-3114-0x00007FF6D75F0000-0x00007FF6D79E2000-memory.dmp

Filesize
3.9MB

Download
memory/2404-3140-0x00007FF777390000-0x00007FF777782000-memory.dmp

Filesize
3.9MB

Download
memory/2404-512-0x00007FF777390000-0x00007FF777782000-memory.dmp

Filesize
3.9MB

Download
memory/2536-3147-0x00007FF7B5F00000-0x00007FF7B62F2000-memory.dmp

Filesize
3.9MB

Download
memory/2536-518-0x00007FF7B5F00000-0x00007FF7B62F2000-memory.dmp

Filesize
3.9MB

Download
memory/2844-3131-0x00007FF6D4ED0000-0x00007FF6D52C2000-memory.dmp

Filesize
3.9MB

Download
memory/2844-501-0x00007FF6D4ED0000-0x00007FF6D52C2000-memory.dmp

Filesize
3.9MB

Download
memory/2928-3176-0x00007FF69CA80000-0x00007FF69CE72000-memory.dmp

Filesize
3.9MB

Download
memory/2928-571-0x00007FF69CA80000-0x00007FF69CE72000-memory.dmp

Filesize
3.9MB

Download
memory/2936-535-0x00007FF7DD830000-0x00007FF7DDC22000-memory.dmp

Filesize
3.9MB

Download
memory/2936-3174-0x00007FF7DD830000-0x00007FF7DDC22000-memory.dmp

Filesize
3.9MB

Download
memory/3428-559-0x00007FF69AF30000-0x00007FF69B322000-memory.dmp

Filesize
3.9MB

Download
memory/3428-3181-0x00007FF69AF30000-0x00007FF69B322000-memory.dmp

Filesize
3.9MB

Download
memory/3536-3111-0x00007FF7BE350000-0x00007FF7BE742000-memory.dmp

Filesize
3.9MB

Download
memory/3536-3118-0x00007FF7BE350000-0x00007FF7BE742000-memory.dmp

Filesize
3.9MB

Download
memory/3536-9-0x00007FF7BE350000-0x00007FF7BE742000-memory.dmp

Filesize
3.9MB

Download
memory/3940-525-0x00007FF6241A0000-0x00007FF624592000-memory.dmp

Filesize
3.9MB

Download
memory/3940-3150-0x00007FF6241A0000-0x00007FF624592000-memory.dmp

Filesize
3.9MB

Download
memory/4156-3138-0x00007FF640840000-0x00007FF640C32000-memory.dmp

Filesize
3.9MB

Download
memory/4156-578-0x00007FF640840000-0x00007FF640C32000-memory.dmp

Filesize
3.9MB

Download
memory/4384-115-0x000001AB36E00000-0x000001AB36E22000-memory.dmp

Filesize
136KB

Download
memory/4392-3169-0x00007FF7A93B0000-0x00007FF7A97A2000-memory.dmp

Filesize
3.9MB

Download
memory/4392-553-0x00007FF7A93B0000-0x00007FF7A97A2000-memory.dmp

Filesize
3.9MB

Download
memory/4644-3152-0x00007FF61FD60000-0x00007FF620152000-memory.dmp

Filesize
3.9MB

Download
memory/4644-531-0x00007FF61FD60000-0x00007FF620152000-memory.dmp

Filesize
3.9MB

Download
memory/4648-3132-0x00007FF734100000-0x00007FF7344F2000-memory.dmp

Filesize
3.9MB

Download
memory/4648-494-0x00007FF734100000-0x00007FF7344F2000-memory.dmp

Filesize
3.9MB

Download
memory/4812-3136-0x00007FF74B5D0000-0x00007FF74B9C2000-memory.dmp

Filesize
3.9MB

Download
memory/4812-46-0x00007FF74B5D0000-0x00007FF74B9C2000-memory.dmp

Filesize
3.9MB

Download
memory/4812-3116-0x00007FF74B5D0000-0x00007FF74B9C2000-memory.dmp

Filesize
3.9MB

Download
memory/4852-30-0x00007FF60F210000-0x00007FF60F602000-memory.dmp

Filesize
3.9MB

Download
memory/4852-3126-0x00007FF60F210000-0x00007FF60F602000-memory.dmp

Filesize
3.9MB

Download
memory/5060-3148-0x00007FF75FC30000-0x00007FF760022000-memory.dmp

Filesize
3.9MB

Download
memory/5060-528-0x00007FF75FC30000-0x00007FF760022000-memory.dmp

Filesize
3.9MB

Download