xmrig | 5e11b619c6ec7683fe55f0e61dbebeda414d2a2917d5873c7567fb0341d1a5a0

Analysis

max time kernel
142s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
Size

1.8MB
MD5

06d0ab6a3e82d72a9fa32a8a126093ed
SHA1

d36d641b92a9710e03828afa17c098bf5050c3ec
SHA256

5e11b619c6ec7683fe55f0e61dbebeda414d2a2917d5873c7567fb0341d1a5a0
SHA512

db55e407cc2754e737b0bfe0d61c6170df1cfb1e1743792bc8ab1379564de9a657ee0691a8f6d9320dc6edc335c4d72bdba2c0f52a94a68eefb7d72d01926921
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82SflDrl7:NABc

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 13428 created 2288	13428	WerFaultSecure.exe	79

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral2/memory/2360-62-0x00007FF6BFEC0000-0x00007FF6C02B2000-memory.dmp	xmrig
behavioral2/memory/3052-103-0x00007FF735600000-0x00007FF7359F2000-memory.dmp	xmrig
behavioral2/memory/1596-107-0x00007FF72D170000-0x00007FF72D562000-memory.dmp	xmrig
behavioral2/memory/4376-110-0x00007FF67B440000-0x00007FF67B832000-memory.dmp	xmrig
behavioral2/memory/1180-117-0x00007FF762D50000-0x00007FF763142000-memory.dmp	xmrig
behavioral2/memory/3232-119-0x00007FF72F140000-0x00007FF72F532000-memory.dmp	xmrig
behavioral2/memory/2824-118-0x00007FF71C7F0000-0x00007FF71CBE2000-memory.dmp	xmrig
behavioral2/memory/4756-116-0x00007FF6760C0000-0x00007FF6764B2000-memory.dmp	xmrig
behavioral2/memory/2820-115-0x00007FF774280000-0x00007FF774672000-memory.dmp	xmrig
behavioral2/memory/3804-112-0x00007FF6E6330000-0x00007FF6E6722000-memory.dmp	xmrig
behavioral2/memory/4496-111-0x00007FF7CDD90000-0x00007FF7CE182000-memory.dmp	xmrig
behavioral2/memory/5092-109-0x00007FF788620000-0x00007FF788A12000-memory.dmp	xmrig
behavioral2/memory/2312-108-0x00007FF717350000-0x00007FF717742000-memory.dmp	xmrig
behavioral2/memory/2684-106-0x00007FF744410000-0x00007FF744802000-memory.dmp	xmrig
behavioral2/memory/3184-105-0x00007FF7EB420000-0x00007FF7EB812000-memory.dmp	xmrig
behavioral2/memory/2568-47-0x00007FF723840000-0x00007FF723C32000-memory.dmp	xmrig
behavioral2/memory/5052-154-0x00007FF79A920000-0x00007FF79AD12000-memory.dmp	xmrig
behavioral2/memory/3976-174-0x00007FF62DB70000-0x00007FF62DF62000-memory.dmp	xmrig
behavioral2/memory/4556-153-0x00007FF644BC0000-0x00007FF644FB2000-memory.dmp	xmrig
behavioral2/memory/1644-2634-0x00007FF6B0740000-0x00007FF6B0B32000-memory.dmp	xmrig
behavioral2/memory/1924-2635-0x00007FF75A390000-0x00007FF75A782000-memory.dmp	xmrig
behavioral2/memory/2568-2650-0x00007FF723840000-0x00007FF723C32000-memory.dmp	xmrig
behavioral2/memory/4756-2654-0x00007FF6760C0000-0x00007FF6764B2000-memory.dmp	xmrig
behavioral2/memory/2820-2653-0x00007FF774280000-0x00007FF774672000-memory.dmp	xmrig
behavioral2/memory/2684-2699-0x00007FF744410000-0x00007FF744802000-memory.dmp	xmrig
behavioral2/memory/2824-2684-0x00007FF71C7F0000-0x00007FF71CBE2000-memory.dmp	xmrig
behavioral2/memory/3052-2666-0x00007FF735600000-0x00007FF7359F2000-memory.dmp	xmrig
behavioral2/memory/1180-2663-0x00007FF762D50000-0x00007FF763142000-memory.dmp	xmrig
behavioral2/memory/2360-2659-0x00007FF6BFEC0000-0x00007FF6C02B2000-memory.dmp	xmrig
behavioral2/memory/3184-2686-0x00007FF7EB420000-0x00007FF7EB812000-memory.dmp	xmrig
behavioral2/memory/2312-2708-0x00007FF717350000-0x00007FF717742000-memory.dmp	xmrig
behavioral2/memory/1596-2703-0x00007FF72D170000-0x00007FF72D562000-memory.dmp	xmrig
behavioral2/memory/3232-2701-0x00007FF72F140000-0x00007FF72F532000-memory.dmp	xmrig
behavioral2/memory/5092-2715-0x00007FF788620000-0x00007FF788A12000-memory.dmp	xmrig
behavioral2/memory/4376-2717-0x00007FF67B440000-0x00007FF67B832000-memory.dmp	xmrig
behavioral2/memory/3804-2721-0x00007FF6E6330000-0x00007FF6E6722000-memory.dmp	xmrig
behavioral2/memory/4496-2719-0x00007FF7CDD90000-0x00007FF7CE182000-memory.dmp	xmrig
behavioral2/memory/1924-2730-0x00007FF75A390000-0x00007FF75A782000-memory.dmp	xmrig
behavioral2/memory/1644-2734-0x00007FF6B0740000-0x00007FF6B0B32000-memory.dmp	xmrig
behavioral2/memory/4556-2758-0x00007FF644BC0000-0x00007FF644FB2000-memory.dmp	xmrig
behavioral2/memory/3976-2760-0x00007FF62DB70000-0x00007FF62DF62000-memory.dmp	xmrig
behavioral2/memory/5052-2763-0x00007FF79A920000-0x00007FF79AD12000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2568	RYuXviN.exe
2820	sBimsDO.exe
4756	JwVnIXR.exe
2360	qoAsEBx.exe
3052	xMBsSqB.exe
1180	JfDrtMp.exe
2824	JCUxnES.exe
3184	ybMEuZi.exe
2684	atSbeXr.exe
3232	MKmpwZe.exe
1596	izpdeuq.exe
2312	pyXZLcR.exe
5092	wyUlSAq.exe
4376	hExSJLC.exe
4496	kLbUWTD.exe
3804	AzwniHT.exe
1644	vYIWADP.exe
1924	VtaYGLs.exe
4556	AwzxKDH.exe
3976	GDxaOdG.exe
5052	EeBONDr.exe
1412	rfXCLPL.exe
3584	NiAiEdW.exe
2944	OkrODEJ.exe
3928	WPHKxBc.exe
3676	TUOSRsU.exe
628	iyGcNWH.exe
2436	rCAUCzJ.exe
4456	tLDgBDL.exe
1432	QLYZwJI.exe
3024	qCwJNSv.exe
2336	fOclqeX.exe
4144	hwBZbKx.exe
4404	FsIMWGH.exe
2728	bhhwxny.exe
3064	ESOzWmL.exe
5000	Zcfxeno.exe
4620	omvfaqF.exe
1156	kvfVxlz.exe
2012	DMGfGOu.exe
1820	WlwnbVf.exe
4560	NfRycMG.exe
4240	TQvEtjB.exe
3120	XUaOhkB.exe
3968	gIgmYJH.exe
4828	vSCQQkc.exe
3560	dVDJfoi.exe
4716	KcRtpBp.exe
4476	xKtbzIn.exe
4172	wlQPjDC.exe
4868	gQUDWMw.exe
5040	LsyRwgc.exe
1652	gEgXIEW.exe
3236	MQYpqGj.exe
4864	VFnTboo.exe
4752	FetOBAr.exe
4872	RPnUxrc.exe
1472	UxMewzX.exe
1816	wbWKULn.exe
212	aUnqKaT.exe
4980	vTrCKpq.exe
4472	anVagXU.exe
552	pyhKTZW.exe
1676	loiMtVh.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4596-0-0x00007FF634DC0000-0x00007FF6351B2000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-6.dat	upx
behavioral2/files/0x000d000000023b22-7.dat	upx
behavioral2/files/0x000c000000023b77-8.dat	upx
behavioral2/files/0x000a000000023b8b-21.dat	upx
behavioral2/files/0x000a000000023b8c-31.dat	upx
behavioral2/files/0x000a000000023b8d-35.dat	upx
behavioral2/files/0x000a000000023b8f-52.dat	upx
behavioral2/files/0x000a000000023b92-59.dat	upx
behavioral2/memory/2360-62-0x00007FF6BFEC0000-0x00007FF6C02B2000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-83.dat	upx
behavioral2/files/0x000a000000023b96-94.dat	upx
behavioral2/memory/3052-103-0x00007FF735600000-0x00007FF7359F2000-memory.dmp	upx
behavioral2/memory/1596-107-0x00007FF72D170000-0x00007FF72D562000-memory.dmp	upx
behavioral2/memory/4376-110-0x00007FF67B440000-0x00007FF67B832000-memory.dmp	upx
behavioral2/memory/1644-113-0x00007FF6B0740000-0x00007FF6B0B32000-memory.dmp	upx
behavioral2/memory/1180-117-0x00007FF762D50000-0x00007FF763142000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-122.dat	upx
behavioral2/files/0x000a000000023b98-120.dat	upx
behavioral2/memory/3232-119-0x00007FF72F140000-0x00007FF72F532000-memory.dmp	upx
behavioral2/memory/2824-118-0x00007FF71C7F0000-0x00007FF71CBE2000-memory.dmp	upx
behavioral2/memory/4756-116-0x00007FF6760C0000-0x00007FF6764B2000-memory.dmp	upx
behavioral2/memory/2820-115-0x00007FF774280000-0x00007FF774672000-memory.dmp	upx
behavioral2/memory/1924-114-0x00007FF75A390000-0x00007FF75A782000-memory.dmp	upx
behavioral2/memory/3804-112-0x00007FF6E6330000-0x00007FF6E6722000-memory.dmp	upx
behavioral2/memory/4496-111-0x00007FF7CDD90000-0x00007FF7CE182000-memory.dmp	upx
behavioral2/memory/5092-109-0x00007FF788620000-0x00007FF788A12000-memory.dmp	upx
behavioral2/memory/2312-108-0x00007FF717350000-0x00007FF717742000-memory.dmp	upx
behavioral2/memory/2684-106-0x00007FF744410000-0x00007FF744802000-memory.dmp	upx
behavioral2/memory/3184-105-0x00007FF7EB420000-0x00007FF7EB812000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-99.dat	upx
behavioral2/files/0x000b000000023b90-84.dat	upx
behavioral2/files/0x000a000000023b94-78.dat	upx
behavioral2/files/0x000a000000023b93-74.dat	upx
behavioral2/files/0x000b000000023b91-72.dat	upx
behavioral2/files/0x000a000000023b8e-55.dat	upx
behavioral2/memory/2568-47-0x00007FF723840000-0x00007FF723C32000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-126.dat	upx
behavioral2/files/0x000a000000023b9d-137.dat	upx
behavioral2/files/0x000a000000023b9c-140.dat	upx
behavioral2/memory/5052-154-0x00007FF79A920000-0x00007FF79AD12000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-158.dat	upx
behavioral2/files/0x000a000000023b9f-162.dat	upx
behavioral2/files/0x000a000000023ba1-165.dat	upx
behavioral2/files/0x000a000000023ba2-173.dat	upx
behavioral2/files/0x000a000000023ba5-181.dat	upx
behavioral2/files/0x000a000000023ba6-189.dat	upx
behavioral2/files/0x000a000000023ba4-185.dat	upx
behavioral2/files/0x000a000000023ba3-178.dat	upx
behavioral2/memory/3976-174-0x00007FF62DB70000-0x00007FF62DF62000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-164.dat	upx
behavioral2/memory/4556-153-0x00007FF644BC0000-0x00007FF644FB2000-memory.dmp	upx
behavioral2/files/0x000d000000023b83-138.dat	upx
behavioral2/files/0x000a000000023ba7-193.dat	upx
behavioral2/memory/1644-2634-0x00007FF6B0740000-0x00007FF6B0B32000-memory.dmp	upx
behavioral2/memory/1924-2635-0x00007FF75A390000-0x00007FF75A782000-memory.dmp	upx
behavioral2/memory/2568-2650-0x00007FF723840000-0x00007FF723C32000-memory.dmp	upx
behavioral2/memory/4756-2654-0x00007FF6760C0000-0x00007FF6764B2000-memory.dmp	upx
behavioral2/memory/2820-2653-0x00007FF774280000-0x00007FF774672000-memory.dmp	upx
behavioral2/memory/2684-2699-0x00007FF744410000-0x00007FF744802000-memory.dmp	upx
behavioral2/memory/2824-2684-0x00007FF71C7F0000-0x00007FF71CBE2000-memory.dmp	upx
behavioral2/memory/3052-2666-0x00007FF735600000-0x00007FF7359F2000-memory.dmp	upx
behavioral2/memory/1180-2663-0x00007FF762D50000-0x00007FF763142000-memory.dmp	upx
behavioral2/memory/2360-2659-0x00007FF6BFEC0000-0x00007FF6C02B2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\KUfaUWE.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\MUWHRCL.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\nRfWWOB.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\GDvlonY.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\DORRtRc.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\qETxMoO.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\DAsERqr.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\hzUpHLu.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\cpkHjwb.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\HnfvTKu.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\UnldoEF.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\TiLFByt.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\AyGhplq.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\jfxTJsx.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\yobvHPp.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\bsUJMgt.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\RvKsyGe.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\xvvfAHu.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\YGsFNPk.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\wMsuQNY.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\wXeIdfy.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\Aphvzwm.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\tNVhuIz.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\muRPdsv.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\RsYDyTY.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\kakQfVN.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\WRGlclS.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\ZUnWaxr.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\gcDnnNL.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\LicHjhH.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\tmfpUCJ.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\lBPRTUV.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\WYQolIA.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\qsMRCRC.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\WDuHybw.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\JMnUXez.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\QuskmRZ.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\WzfgPDO.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\ByNSEye.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\hooATIG.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\kVGQJsh.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\hvPJcVI.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\AUexXBf.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\CsLJVfh.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\SahPiUP.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\ITXCthi.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\pfmyOCv.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\lvqwbyu.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\hExSJLC.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\DFYxzHH.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\lKUuONF.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\YYtiTlV.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\hByKfQs.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\KBPHOlH.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\BKuDeTQ.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\bPeLpKv.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\pISJeCF.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\FUXlujo.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\uYNLFyR.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\tTQaOrx.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\PrGlaJl.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\ewaerFj.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\ZMrgijY.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
File created	C:\Windows\System\pffWqjI.exe	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe

Modifies data under HKEY_USERS 30 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3044	powershell.exe
3044	powershell.exe
3044	powershell.exe
13784	WerFaultSecure.exe
13784	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeLockMemoryPrivilege	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
13612	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3044	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	86
PID 4596 wrote to memory of 3044	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	86
PID 4596 wrote to memory of 2568	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	87
PID 4596 wrote to memory of 2568	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	87
PID 4596 wrote to memory of 2820	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	88
PID 4596 wrote to memory of 2820	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	88
PID 4596 wrote to memory of 4756	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	89
PID 4596 wrote to memory of 4756	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	89
PID 4596 wrote to memory of 2360	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	90
PID 4596 wrote to memory of 2360	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	90
PID 4596 wrote to memory of 3052	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	91
PID 4596 wrote to memory of 3052	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	91
PID 4596 wrote to memory of 1180	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	92
PID 4596 wrote to memory of 1180	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	92
PID 4596 wrote to memory of 2824	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	93
PID 4596 wrote to memory of 2824	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	93
PID 4596 wrote to memory of 3184	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	94
PID 4596 wrote to memory of 3184	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	94
PID 4596 wrote to memory of 2684	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	95
PID 4596 wrote to memory of 2684	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	95
PID 4596 wrote to memory of 3232	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	96
PID 4596 wrote to memory of 3232	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	96
PID 4596 wrote to memory of 1596	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	97
PID 4596 wrote to memory of 1596	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	97
PID 4596 wrote to memory of 2312	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	98
PID 4596 wrote to memory of 2312	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	98
PID 4596 wrote to memory of 5092	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	99
PID 4596 wrote to memory of 5092	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	99
PID 4596 wrote to memory of 4376	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	100
PID 4596 wrote to memory of 4376	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	100
PID 4596 wrote to memory of 4496	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	101
PID 4596 wrote to memory of 4496	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	101
PID 4596 wrote to memory of 3804	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	102
PID 4596 wrote to memory of 3804	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	102
PID 4596 wrote to memory of 1644	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	103
PID 4596 wrote to memory of 1644	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	103
PID 4596 wrote to memory of 1924	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	104
PID 4596 wrote to memory of 1924	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	104
PID 4596 wrote to memory of 4556	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	105
PID 4596 wrote to memory of 4556	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	105
PID 4596 wrote to memory of 3976	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	106
PID 4596 wrote to memory of 3976	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	106
PID 4596 wrote to memory of 5052	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	107
PID 4596 wrote to memory of 5052	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	107
PID 4596 wrote to memory of 1412	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	108
PID 4596 wrote to memory of 1412	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	108
PID 4596 wrote to memory of 3584	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	109
PID 4596 wrote to memory of 3584	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	109
PID 4596 wrote to memory of 2944	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	110
PID 4596 wrote to memory of 2944	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	110
PID 4596 wrote to memory of 3928	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	111
PID 4596 wrote to memory of 3928	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	111
PID 4596 wrote to memory of 3676	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	112
PID 4596 wrote to memory of 3676	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	112
PID 4596 wrote to memory of 2436	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	113
PID 4596 wrote to memory of 2436	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	113
PID 4596 wrote to memory of 628	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	114
PID 4596 wrote to memory of 628	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	114
PID 4596 wrote to memory of 4456	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	115
PID 4596 wrote to memory of 4456	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	115
PID 4596 wrote to memory of 1432	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	116
PID 4596 wrote to memory of 1432	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	116
PID 4596 wrote to memory of 3024	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	117
PID 4596 wrote to memory of 3024	4596	06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe	117

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv mbQfcvLTX0K7Eq7lOI71TQ.0
1⤵
PID:2288
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 2288 -s 544
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:13784

C:\Users\Admin\AppData\Local\Temp\06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06d0ab6a3e82d72a9fa32a8a126093ed_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\System\RYuXviN.exe
  C:\Windows\System\RYuXviN.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\sBimsDO.exe
  C:\Windows\System\sBimsDO.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\JwVnIXR.exe
  C:\Windows\System\JwVnIXR.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\qoAsEBx.exe
  C:\Windows\System\qoAsEBx.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\xMBsSqB.exe
  C:\Windows\System\xMBsSqB.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\JfDrtMp.exe
  C:\Windows\System\JfDrtMp.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\JCUxnES.exe
  C:\Windows\System\JCUxnES.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\ybMEuZi.exe
  C:\Windows\System\ybMEuZi.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\atSbeXr.exe
  C:\Windows\System\atSbeXr.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\MKmpwZe.exe
  C:\Windows\System\MKmpwZe.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\izpdeuq.exe
  C:\Windows\System\izpdeuq.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\pyXZLcR.exe
  C:\Windows\System\pyXZLcR.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\wyUlSAq.exe
  C:\Windows\System\wyUlSAq.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\hExSJLC.exe
  C:\Windows\System\hExSJLC.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\kLbUWTD.exe
  C:\Windows\System\kLbUWTD.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\AzwniHT.exe
  C:\Windows\System\AzwniHT.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System\vYIWADP.exe
  C:\Windows\System\vYIWADP.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\VtaYGLs.exe
  C:\Windows\System\VtaYGLs.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\AwzxKDH.exe
  C:\Windows\System\AwzxKDH.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\GDxaOdG.exe
  C:\Windows\System\GDxaOdG.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\EeBONDr.exe
  C:\Windows\System\EeBONDr.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\rfXCLPL.exe
  C:\Windows\System\rfXCLPL.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\NiAiEdW.exe
  C:\Windows\System\NiAiEdW.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\OkrODEJ.exe
  C:\Windows\System\OkrODEJ.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\WPHKxBc.exe
  C:\Windows\System\WPHKxBc.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\TUOSRsU.exe
  C:\Windows\System\TUOSRsU.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\rCAUCzJ.exe
  C:\Windows\System\rCAUCzJ.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\iyGcNWH.exe
  C:\Windows\System\iyGcNWH.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\tLDgBDL.exe
  C:\Windows\System\tLDgBDL.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\QLYZwJI.exe
  C:\Windows\System\QLYZwJI.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\qCwJNSv.exe
  C:\Windows\System\qCwJNSv.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\fOclqeX.exe
  C:\Windows\System\fOclqeX.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\hwBZbKx.exe
  C:\Windows\System\hwBZbKx.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\FsIMWGH.exe
  C:\Windows\System\FsIMWGH.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\bhhwxny.exe
  C:\Windows\System\bhhwxny.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\ESOzWmL.exe
  C:\Windows\System\ESOzWmL.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\Zcfxeno.exe
  C:\Windows\System\Zcfxeno.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\omvfaqF.exe
  C:\Windows\System\omvfaqF.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\kvfVxlz.exe
  C:\Windows\System\kvfVxlz.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\DMGfGOu.exe
  C:\Windows\System\DMGfGOu.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\WlwnbVf.exe
  C:\Windows\System\WlwnbVf.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\NfRycMG.exe
  C:\Windows\System\NfRycMG.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\TQvEtjB.exe
  C:\Windows\System\TQvEtjB.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\XUaOhkB.exe
  C:\Windows\System\XUaOhkB.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\gIgmYJH.exe
  C:\Windows\System\gIgmYJH.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\vSCQQkc.exe
  C:\Windows\System\vSCQQkc.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\dVDJfoi.exe
  C:\Windows\System\dVDJfoi.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\KcRtpBp.exe
  C:\Windows\System\KcRtpBp.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\xKtbzIn.exe
  C:\Windows\System\xKtbzIn.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\wlQPjDC.exe
  C:\Windows\System\wlQPjDC.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\gQUDWMw.exe
  C:\Windows\System\gQUDWMw.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\LsyRwgc.exe
  C:\Windows\System\LsyRwgc.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\gEgXIEW.exe
  C:\Windows\System\gEgXIEW.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\MQYpqGj.exe
  C:\Windows\System\MQYpqGj.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\VFnTboo.exe
  C:\Windows\System\VFnTboo.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\FetOBAr.exe
  C:\Windows\System\FetOBAr.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\RPnUxrc.exe
  C:\Windows\System\RPnUxrc.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\UxMewzX.exe
  C:\Windows\System\UxMewzX.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\wbWKULn.exe
  C:\Windows\System\wbWKULn.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\aUnqKaT.exe
  C:\Windows\System\aUnqKaT.exe
  2⤵
  - Executes dropped EXE
  PID:212
- C:\Windows\System\vTrCKpq.exe
  C:\Windows\System\vTrCKpq.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\anVagXU.exe
  C:\Windows\System\anVagXU.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\pyhKTZW.exe
  C:\Windows\System\pyhKTZW.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\loiMtVh.exe
  C:\Windows\System\loiMtVh.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\aewKpBm.exe
  C:\Windows\System\aewKpBm.exe
  2⤵
  PID:4336
- C:\Windows\System\PCqMSgN.exe
  C:\Windows\System\PCqMSgN.exe
  2⤵
  PID:5088
- C:\Windows\System\qTqnrpl.exe
  C:\Windows\System\qTqnrpl.exe
  2⤵
  PID:2908
- C:\Windows\System\vlhJuzl.exe
  C:\Windows\System\vlhJuzl.exe
  2⤵
  PID:3256
- C:\Windows\System\SHUiqNw.exe
  C:\Windows\System\SHUiqNw.exe
  2⤵
  PID:4812
- C:\Windows\System\sHDSExF.exe
  C:\Windows\System\sHDSExF.exe
  2⤵
  PID:1608
- C:\Windows\System\fAkMwcT.exe
  C:\Windows\System\fAkMwcT.exe
  2⤵
  PID:5004
- C:\Windows\System\brXvuWp.exe
  C:\Windows\System\brXvuWp.exe
  2⤵
  PID:1680
- C:\Windows\System\lKfAmwp.exe
  C:\Windows\System\lKfAmwp.exe
  2⤵
  PID:3340
- C:\Windows\System\lWULYfw.exe
  C:\Windows\System\lWULYfw.exe
  2⤵
  PID:4512
- C:\Windows\System\qcssxFc.exe
  C:\Windows\System\qcssxFc.exe
  2⤵
  PID:3512
- C:\Windows\System\FSQoofQ.exe
  C:\Windows\System\FSQoofQ.exe
  2⤵
  PID:3380
- C:\Windows\System\WaBBhoh.exe
  C:\Windows\System\WaBBhoh.exe
  2⤵
  PID:4388
- C:\Windows\System\eiUWmxr.exe
  C:\Windows\System\eiUWmxr.exe
  2⤵
  PID:1172
- C:\Windows\System\mmxwKWH.exe
  C:\Windows\System\mmxwKWH.exe
  2⤵
  PID:3912
- C:\Windows\System\TmQjnDe.exe
  C:\Windows\System\TmQjnDe.exe
  2⤵
  PID:884
- C:\Windows\System\CsLJVfh.exe
  C:\Windows\System\CsLJVfh.exe
  2⤵
  PID:2268
- C:\Windows\System\PbgFjgA.exe
  C:\Windows\System\PbgFjgA.exe
  2⤵
  PID:5108
- C:\Windows\System\IaLyqio.exe
  C:\Windows\System\IaLyqio.exe
  2⤵
  PID:3208
- C:\Windows\System\XpVKBBd.exe
  C:\Windows\System\XpVKBBd.exe
  2⤵
  PID:3048
- C:\Windows\System\GiFyfxj.exe
  C:\Windows\System\GiFyfxj.exe
  2⤵
  PID:2896
- C:\Windows\System\hRAatwR.exe
  C:\Windows\System\hRAatwR.exe
  2⤵
  PID:968
- C:\Windows\System\KrHvwHd.exe
  C:\Windows\System\KrHvwHd.exe
  2⤵
  PID:3144
- C:\Windows\System\tkDUGUb.exe
  C:\Windows\System\tkDUGUb.exe
  2⤵
  PID:5148
- C:\Windows\System\ULiFwsh.exe
  C:\Windows\System\ULiFwsh.exe
  2⤵
  PID:5172
- C:\Windows\System\QpLAVXB.exe
  C:\Windows\System\QpLAVXB.exe
  2⤵
  PID:5200
- C:\Windows\System\rsGKNeW.exe
  C:\Windows\System\rsGKNeW.exe
  2⤵
  PID:5252
- C:\Windows\System\gJGoSPA.exe
  C:\Windows\System\gJGoSPA.exe
  2⤵
  PID:5276
- C:\Windows\System\qgSXvWg.exe
  C:\Windows\System\qgSXvWg.exe
  2⤵
  PID:5300
- C:\Windows\System\rMErYwT.exe
  C:\Windows\System\rMErYwT.exe
  2⤵
  PID:5316
- C:\Windows\System\CbjBvzV.exe
  C:\Windows\System\CbjBvzV.exe
  2⤵
  PID:5344
- C:\Windows\System\bdoXZIz.exe
  C:\Windows\System\bdoXZIz.exe
  2⤵
  PID:5372
- C:\Windows\System\YFHCclf.exe
  C:\Windows\System\YFHCclf.exe
  2⤵
  PID:5392
- C:\Windows\System\DNlmcsY.exe
  C:\Windows\System\DNlmcsY.exe
  2⤵
  PID:5416
- C:\Windows\System\OAbcMOl.exe
  C:\Windows\System\OAbcMOl.exe
  2⤵
  PID:5444
- C:\Windows\System\fOnnXHA.exe
  C:\Windows\System\fOnnXHA.exe
  2⤵
  PID:5488
- C:\Windows\System\qhehURX.exe
  C:\Windows\System\qhehURX.exe
  2⤵
  PID:5524
- C:\Windows\System\eNIZcCW.exe
  C:\Windows\System\eNIZcCW.exe
  2⤵
  PID:5548
- C:\Windows\System\uNhSHWa.exe
  C:\Windows\System\uNhSHWa.exe
  2⤵
  PID:5576
- C:\Windows\System\PDyTRbI.exe
  C:\Windows\System\PDyTRbI.exe
  2⤵
  PID:5632
- C:\Windows\System\hOLlXsV.exe
  C:\Windows\System\hOLlXsV.exe
  2⤵
  PID:5648
- C:\Windows\System\TNGOWtx.exe
  C:\Windows\System\TNGOWtx.exe
  2⤵
  PID:5664
- C:\Windows\System\EzOJGZn.exe
  C:\Windows\System\EzOJGZn.exe
  2⤵
  PID:5684
- C:\Windows\System\TcCRAJb.exe
  C:\Windows\System\TcCRAJb.exe
  2⤵
  PID:5728
- C:\Windows\System\GMTyrWM.exe
  C:\Windows\System\GMTyrWM.exe
  2⤵
  PID:5744
- C:\Windows\System\LlfhKLo.exe
  C:\Windows\System\LlfhKLo.exe
  2⤵
  PID:5764
- C:\Windows\System\tStUaLn.exe
  C:\Windows\System\tStUaLn.exe
  2⤵
  PID:5780
- C:\Windows\System\WZATAzk.exe
  C:\Windows\System\WZATAzk.exe
  2⤵
  PID:5824
- C:\Windows\System\ehwduLr.exe
  C:\Windows\System\ehwduLr.exe
  2⤵
  PID:5844
- C:\Windows\System\VrbsAsp.exe
  C:\Windows\System\VrbsAsp.exe
  2⤵
  PID:5880
- C:\Windows\System\QuloiAG.exe
  C:\Windows\System\QuloiAG.exe
  2⤵
  PID:5904
- C:\Windows\System\RcGktUt.exe
  C:\Windows\System\RcGktUt.exe
  2⤵
  PID:5928
- C:\Windows\System\fFjtkpa.exe
  C:\Windows\System\fFjtkpa.exe
  2⤵
  PID:5948
- C:\Windows\System\UayQnLG.exe
  C:\Windows\System\UayQnLG.exe
  2⤵
  PID:5976
- C:\Windows\System\ebkNTCn.exe
  C:\Windows\System\ebkNTCn.exe
  2⤵
  PID:6028
- C:\Windows\System\TqOMMxc.exe
  C:\Windows\System\TqOMMxc.exe
  2⤵
  PID:6048
- C:\Windows\System\ujFQtsd.exe
  C:\Windows\System\ujFQtsd.exe
  2⤵
  PID:6084
- C:\Windows\System\NAIWHsM.exe
  C:\Windows\System\NAIWHsM.exe
  2⤵
  PID:6100
- C:\Windows\System\gzYWdRA.exe
  C:\Windows\System\gzYWdRA.exe
  2⤵
  PID:6124
- C:\Windows\System\VoZnMlE.exe
  C:\Windows\System\VoZnMlE.exe
  2⤵
  PID:5128
- C:\Windows\System\nHMxcMK.exe
  C:\Windows\System\nHMxcMK.exe
  2⤵
  PID:5192
- C:\Windows\System\dBjlZoW.exe
  C:\Windows\System\dBjlZoW.exe
  2⤵
  PID:5184
- C:\Windows\System\DRwBNJJ.exe
  C:\Windows\System\DRwBNJJ.exe
  2⤵
  PID:5308
- C:\Windows\System\mgiMulh.exe
  C:\Windows\System\mgiMulh.exe
  2⤵
  PID:5412
- C:\Windows\System\CwerIES.exe
  C:\Windows\System\CwerIES.exe
  2⤵
  PID:5516
- C:\Windows\System\sLxXcSE.exe
  C:\Windows\System\sLxXcSE.exe
  2⤵
  PID:5544
- C:\Windows\System\Aphvzwm.exe
  C:\Windows\System\Aphvzwm.exe
  2⤵
  PID:5604
- C:\Windows\System\vkuxpgr.exe
  C:\Windows\System\vkuxpgr.exe
  2⤵
  PID:3520
- C:\Windows\System\XGyROvz.exe
  C:\Windows\System\XGyROvz.exe
  2⤵
  PID:5704
- C:\Windows\System\ARcoCUw.exe
  C:\Windows\System\ARcoCUw.exe
  2⤵
  PID:5756
- C:\Windows\System\VLxmyay.exe
  C:\Windows\System\VLxmyay.exe
  2⤵
  PID:5840
- C:\Windows\System\GlMyRMe.exe
  C:\Windows\System\GlMyRMe.exe
  2⤵
  PID:5892
- C:\Windows\System\bTZbXZP.exe
  C:\Windows\System\bTZbXZP.exe
  2⤵
  PID:5940
- C:\Windows\System\cFZJQfL.exe
  C:\Windows\System\cFZJQfL.exe
  2⤵
  PID:5996
- C:\Windows\System\rIGSkxi.exe
  C:\Windows\System\rIGSkxi.exe
  2⤵
  PID:4036
- C:\Windows\System\cPqJXSF.exe
  C:\Windows\System\cPqJXSF.exe
  2⤵
  PID:5212
- C:\Windows\System\rKlRXVZ.exe
  C:\Windows\System\rKlRXVZ.exe
  2⤵
  PID:5216
- C:\Windows\System\iBbhYmH.exe
  C:\Windows\System\iBbhYmH.exe
  2⤵
  PID:5436
- C:\Windows\System\POzlcZS.exe
  C:\Windows\System\POzlcZS.exe
  2⤵
  PID:5468
- C:\Windows\System\HVWnUvV.exe
  C:\Windows\System\HVWnUvV.exe
  2⤵
  PID:5836
- C:\Windows\System\UtvDGqn.exe
  C:\Windows\System\UtvDGqn.exe
  2⤵
  PID:5988
- C:\Windows\System\CNhjwBt.exe
  C:\Windows\System\CNhjwBt.exe
  2⤵
  PID:6116
- C:\Windows\System\HnKXyaE.exe
  C:\Windows\System\HnKXyaE.exe
  2⤵
  PID:5180
- C:\Windows\System\DARIdlD.exe
  C:\Windows\System\DARIdlD.exe
  2⤵
  PID:5408
- C:\Windows\System\dULvJwf.exe
  C:\Windows\System\dULvJwf.exe
  2⤵
  PID:5736
- C:\Windows\System\ihKzBsx.exe
  C:\Windows\System\ihKzBsx.exe
  2⤵
  PID:3148
- C:\Windows\System\biGKFzO.exe
  C:\Windows\System\biGKFzO.exe
  2⤵
  PID:5620
- C:\Windows\System\TUGPYQK.exe
  C:\Windows\System\TUGPYQK.exe
  2⤵
  PID:6196
- C:\Windows\System\RQOylPB.exe
  C:\Windows\System\RQOylPB.exe
  2⤵
  PID:6216
- C:\Windows\System\SSqSpDD.exe
  C:\Windows\System\SSqSpDD.exe
  2⤵
  PID:6244
- C:\Windows\System\juvNIbb.exe
  C:\Windows\System\juvNIbb.exe
  2⤵
  PID:6260
- C:\Windows\System\ztGHcUk.exe
  C:\Windows\System\ztGHcUk.exe
  2⤵
  PID:6284
- C:\Windows\System\AUcSZnK.exe
  C:\Windows\System\AUcSZnK.exe
  2⤵
  PID:6328
- C:\Windows\System\KrerqXN.exe
  C:\Windows\System\KrerqXN.exe
  2⤵
  PID:6344
- C:\Windows\System\BJGLUCN.exe
  C:\Windows\System\BJGLUCN.exe
  2⤵
  PID:6368
- C:\Windows\System\ZDDmAvI.exe
  C:\Windows\System\ZDDmAvI.exe
  2⤵
  PID:6384
- C:\Windows\System\iaqbiGs.exe
  C:\Windows\System\iaqbiGs.exe
  2⤵
  PID:6412
- C:\Windows\System\GRiZqCN.exe
  C:\Windows\System\GRiZqCN.exe
  2⤵
  PID:6436
- C:\Windows\System\XSLkfJs.exe
  C:\Windows\System\XSLkfJs.exe
  2⤵
  PID:6452
- C:\Windows\System\VzRaJIv.exe
  C:\Windows\System\VzRaJIv.exe
  2⤵
  PID:6484
- C:\Windows\System\hOXtdZD.exe
  C:\Windows\System\hOXtdZD.exe
  2⤵
  PID:6500
- C:\Windows\System\nWlSIlG.exe
  C:\Windows\System\nWlSIlG.exe
  2⤵
  PID:6520
- C:\Windows\System\kdpotyt.exe
  C:\Windows\System\kdpotyt.exe
  2⤵
  PID:6548
- C:\Windows\System\NRpWkhX.exe
  C:\Windows\System\NRpWkhX.exe
  2⤵
  PID:6596
- C:\Windows\System\jogJZGS.exe
  C:\Windows\System\jogJZGS.exe
  2⤵
  PID:6616
- C:\Windows\System\flSSwwc.exe
  C:\Windows\System\flSSwwc.exe
  2⤵
  PID:6676
- C:\Windows\System\ORLdHzV.exe
  C:\Windows\System\ORLdHzV.exe
  2⤵
  PID:6716
- C:\Windows\System\ayePXiH.exe
  C:\Windows\System\ayePXiH.exe
  2⤵
  PID:6756
- C:\Windows\System\pXwyFrS.exe
  C:\Windows\System\pXwyFrS.exe
  2⤵
  PID:6776
- C:\Windows\System\TBUZJFj.exe
  C:\Windows\System\TBUZJFj.exe
  2⤵
  PID:6792
- C:\Windows\System\olEwWtT.exe
  C:\Windows\System\olEwWtT.exe
  2⤵
  PID:6816
- C:\Windows\System\vdaObaY.exe
  C:\Windows\System\vdaObaY.exe
  2⤵
  PID:6836
- C:\Windows\System\ekEmOmR.exe
  C:\Windows\System\ekEmOmR.exe
  2⤵
  PID:6856
- C:\Windows\System\DVVWkiZ.exe
  C:\Windows\System\DVVWkiZ.exe
  2⤵
  PID:6876
- C:\Windows\System\VntRCxe.exe
  C:\Windows\System\VntRCxe.exe
  2⤵
  PID:6948
- C:\Windows\System\jCzNgoQ.exe
  C:\Windows\System\jCzNgoQ.exe
  2⤵
  PID:6968
- C:\Windows\System\jptzIPj.exe
  C:\Windows\System\jptzIPj.exe
  2⤵
  PID:6988
- C:\Windows\System\XUkFWHY.exe
  C:\Windows\System\XUkFWHY.exe
  2⤵
  PID:7012
- C:\Windows\System\OCdBOsc.exe
  C:\Windows\System\OCdBOsc.exe
  2⤵
  PID:7032
- C:\Windows\System\jtbfumd.exe
  C:\Windows\System\jtbfumd.exe
  2⤵
  PID:7056
- C:\Windows\System\jMvWaEE.exe
  C:\Windows\System\jMvWaEE.exe
  2⤵
  PID:7080
- C:\Windows\System\ojHWwqv.exe
  C:\Windows\System\ojHWwqv.exe
  2⤵
  PID:7100
- C:\Windows\System\trEDSUx.exe
  C:\Windows\System\trEDSUx.exe
  2⤵
  PID:7124
- C:\Windows\System\XVsjLHj.exe
  C:\Windows\System\XVsjLHj.exe
  2⤵
  PID:6132
- C:\Windows\System\xnbwVJa.exe
  C:\Windows\System\xnbwVJa.exe
  2⤵
  PID:6192
- C:\Windows\System\DZrSnoI.exe
  C:\Windows\System\DZrSnoI.exe
  2⤵
  PID:6268
- C:\Windows\System\EOYWEDC.exe
  C:\Windows\System\EOYWEDC.exe
  2⤵
  PID:6292
- C:\Windows\System\lYsYyWf.exe
  C:\Windows\System\lYsYyWf.exe
  2⤵
  PID:6340
- C:\Windows\System\bktSCFU.exe
  C:\Windows\System\bktSCFU.exe
  2⤵
  PID:6428
- C:\Windows\System\mDvxdtb.exe
  C:\Windows\System\mDvxdtb.exe
  2⤵
  PID:6516
- C:\Windows\System\HrCjBVz.exe
  C:\Windows\System\HrCjBVz.exe
  2⤵
  PID:6588
- C:\Windows\System\rUACGQw.exe
  C:\Windows\System\rUACGQw.exe
  2⤵
  PID:6648
- C:\Windows\System\DIHrxpP.exe
  C:\Windows\System\DIHrxpP.exe
  2⤵
  PID:6688
- C:\Windows\System\PgtrxbC.exe
  C:\Windows\System\PgtrxbC.exe
  2⤵
  PID:6808
- C:\Windows\System\enrJhIb.exe
  C:\Windows\System\enrJhIb.exe
  2⤵
  PID:6832
- C:\Windows\System\rzsikKn.exe
  C:\Windows\System\rzsikKn.exe
  2⤵
  PID:6928
- C:\Windows\System\ZyHUqUe.exe
  C:\Windows\System\ZyHUqUe.exe
  2⤵
  PID:6976
- C:\Windows\System\UDknngb.exe
  C:\Windows\System\UDknngb.exe
  2⤵
  PID:6912
- C:\Windows\System\akXhKXV.exe
  C:\Windows\System\akXhKXV.exe
  2⤵
  PID:7068
- C:\Windows\System\HpRsoUR.exe
  C:\Windows\System\HpRsoUR.exe
  2⤵
  PID:7160
- C:\Windows\System\RYUlBTF.exe
  C:\Windows\System\RYUlBTF.exe
  2⤵
  PID:6136
- C:\Windows\System\tqHFUux.exe
  C:\Windows\System\tqHFUux.exe
  2⤵
  PID:6280
- C:\Windows\System\gbyRIfP.exe
  C:\Windows\System\gbyRIfP.exe
  2⤵
  PID:6408
- C:\Windows\System\JOLzhBi.exe
  C:\Windows\System\JOLzhBi.exe
  2⤵
  PID:6468
- C:\Windows\System\nvvPSMf.exe
  C:\Windows\System\nvvPSMf.exe
  2⤵
  PID:6576
- C:\Windows\System\TqMxUAn.exe
  C:\Windows\System\TqMxUAn.exe
  2⤵
  PID:6920
- C:\Windows\System\DYjESAS.exe
  C:\Windows\System\DYjESAS.exe
  2⤵
  PID:7096
- C:\Windows\System\zcOIWAE.exe
  C:\Windows\System\zcOIWAE.exe
  2⤵
  PID:6236
- C:\Windows\System\yqJLmZo.exe
  C:\Windows\System\yqJLmZo.exe
  2⤵
  PID:5508
- C:\Windows\System\LmIsOfl.exe
  C:\Windows\System\LmIsOfl.exe
  2⤵
  PID:6772
- C:\Windows\System\jxOXImf.exe
  C:\Windows\System\jxOXImf.exe
  2⤵
  PID:7184
- C:\Windows\System\qaclyvx.exe
  C:\Windows\System\qaclyvx.exe
  2⤵
  PID:7200
- C:\Windows\System\eBvUcUP.exe
  C:\Windows\System\eBvUcUP.exe
  2⤵
  PID:7220
- C:\Windows\System\qWwUcUe.exe
  C:\Windows\System\qWwUcUe.exe
  2⤵
  PID:7244
- C:\Windows\System\GjukGYl.exe
  C:\Windows\System\GjukGYl.exe
  2⤵
  PID:7264
- C:\Windows\System\tPnbcfH.exe
  C:\Windows\System\tPnbcfH.exe
  2⤵
  PID:7328
- C:\Windows\System\BkpxakB.exe
  C:\Windows\System\BkpxakB.exe
  2⤵
  PID:7348
- C:\Windows\System\JTzhVoW.exe
  C:\Windows\System\JTzhVoW.exe
  2⤵
  PID:7372
- C:\Windows\System\gpmcShw.exe
  C:\Windows\System\gpmcShw.exe
  2⤵
  PID:7388
- C:\Windows\System\NolkmPZ.exe
  C:\Windows\System\NolkmPZ.exe
  2⤵
  PID:7404
- C:\Windows\System\IQBdOzU.exe
  C:\Windows\System\IQBdOzU.exe
  2⤵
  PID:7420
- C:\Windows\System\wtdYLSf.exe
  C:\Windows\System\wtdYLSf.exe
  2⤵
  PID:7528
- C:\Windows\System\hAaEFqI.exe
  C:\Windows\System\hAaEFqI.exe
  2⤵
  PID:7548
- C:\Windows\System\PJbSpoK.exe
  C:\Windows\System\PJbSpoK.exe
  2⤵
  PID:7564
- C:\Windows\System\BpzuWmX.exe
  C:\Windows\System\BpzuWmX.exe
  2⤵
  PID:7580
- C:\Windows\System\sXqYKAF.exe
  C:\Windows\System\sXqYKAF.exe
  2⤵
  PID:7596
- C:\Windows\System\tiINmxy.exe
  C:\Windows\System\tiINmxy.exe
  2⤵
  PID:7612
- C:\Windows\System\MXOCzIK.exe
  C:\Windows\System\MXOCzIK.exe
  2⤵
  PID:7632
- C:\Windows\System\xTsvRjB.exe
  C:\Windows\System\xTsvRjB.exe
  2⤵
  PID:7660
- C:\Windows\System\oBMuCbM.exe
  C:\Windows\System\oBMuCbM.exe
  2⤵
  PID:7680
- C:\Windows\System\ShPWTDk.exe
  C:\Windows\System\ShPWTDk.exe
  2⤵
  PID:7704
- C:\Windows\System\dBfvhVT.exe
  C:\Windows\System\dBfvhVT.exe
  2⤵
  PID:7724
- C:\Windows\System\OlBLzOp.exe
  C:\Windows\System\OlBLzOp.exe
  2⤵
  PID:7812
- C:\Windows\System\OqCeGrw.exe
  C:\Windows\System\OqCeGrw.exe
  2⤵
  PID:7832
- C:\Windows\System\jRDfJKV.exe
  C:\Windows\System\jRDfJKV.exe
  2⤵
  PID:7860
- C:\Windows\System\igeoiTh.exe
  C:\Windows\System\igeoiTh.exe
  2⤵
  PID:7880
- C:\Windows\System\iFtFBkC.exe
  C:\Windows\System\iFtFBkC.exe
  2⤵
  PID:7912
- C:\Windows\System\PJWAoZV.exe
  C:\Windows\System\PJWAoZV.exe
  2⤵
  PID:7952
- C:\Windows\System\oTkiebi.exe
  C:\Windows\System\oTkiebi.exe
  2⤵
  PID:7996
- C:\Windows\System\lRMQEue.exe
  C:\Windows\System\lRMQEue.exe
  2⤵
  PID:8016
- C:\Windows\System\UkSujic.exe
  C:\Windows\System\UkSujic.exe
  2⤵
  PID:8076
- C:\Windows\System\eUDIaSI.exe
  C:\Windows\System\eUDIaSI.exe
  2⤵
  PID:8120
- C:\Windows\System\uuzDBFL.exe
  C:\Windows\System\uuzDBFL.exe
  2⤵
  PID:8140
- C:\Windows\System\RHKazJi.exe
  C:\Windows\System\RHKazJi.exe
  2⤵
  PID:8168
- C:\Windows\System\MbCFlXK.exe
  C:\Windows\System\MbCFlXK.exe
  2⤵
  PID:6212
- C:\Windows\System\dwImaGW.exe
  C:\Windows\System\dwImaGW.exe
  2⤵
  PID:7196
- C:\Windows\System\dBycSYo.exe
  C:\Windows\System\dBycSYo.exe
  2⤵
  PID:7192
- C:\Windows\System\RfLgYkN.exe
  C:\Windows\System\RfLgYkN.exe
  2⤵
  PID:7260
- C:\Windows\System\wiRzmTa.exe
  C:\Windows\System\wiRzmTa.exe
  2⤵
  PID:7400
- C:\Windows\System\CRTJvzM.exe
  C:\Windows\System\CRTJvzM.exe
  2⤵
  PID:7304
- C:\Windows\System\dcxdZai.exe
  C:\Windows\System\dcxdZai.exe
  2⤵
  PID:7576
- C:\Windows\System\FztRnBY.exe
  C:\Windows\System\FztRnBY.exe
  2⤵
  PID:7668
- C:\Windows\System\ftNjQWF.exe
  C:\Windows\System\ftNjQWF.exe
  2⤵
  PID:7700
- C:\Windows\System\eKbIndM.exe
  C:\Windows\System\eKbIndM.exe
  2⤵
  PID:7444
- C:\Windows\System\xomrkeN.exe
  C:\Windows\System\xomrkeN.exe
  2⤵
  PID:7488
- C:\Windows\System\bJTmVrw.exe
  C:\Windows\System\bJTmVrw.exe
  2⤵
  PID:7772
- C:\Windows\System\cNKZMgX.exe
  C:\Windows\System\cNKZMgX.exe
  2⤵
  PID:7788
- C:\Windows\System\NTjBNAi.exe
  C:\Windows\System\NTjBNAi.exe
  2⤵
  PID:7872
- C:\Windows\System\jVpLjxc.exe
  C:\Windows\System\jVpLjxc.exe
  2⤵
  PID:7904
- C:\Windows\System\toXmmmQ.exe
  C:\Windows\System\toXmmmQ.exe
  2⤵
  PID:8012
- C:\Windows\System\SuujfPR.exe
  C:\Windows\System\SuujfPR.exe
  2⤵
  PID:8088
- C:\Windows\System\WwWZbJT.exe
  C:\Windows\System\WwWZbJT.exe
  2⤵
  PID:7180
- C:\Windows\System\LeukZVk.exe
  C:\Windows\System\LeukZVk.exe
  2⤵
  PID:7216
- C:\Windows\System\GRNVytg.exe
  C:\Windows\System\GRNVytg.exe
  2⤵
  PID:7416
- C:\Windows\System\geaGnmi.exe
  C:\Windows\System\geaGnmi.exe
  2⤵
  PID:7380
- C:\Windows\System\ponMCoi.exe
  C:\Windows\System\ponMCoi.exe
  2⤵
  PID:7384
- C:\Windows\System\FFibNQr.exe
  C:\Windows\System\FFibNQr.exe
  2⤵
  PID:7716
- C:\Windows\System\hXfkBof.exe
  C:\Windows\System\hXfkBof.exe
  2⤵
  PID:7840
- C:\Windows\System\cKMsnNB.exe
  C:\Windows\System\cKMsnNB.exe
  2⤵
  PID:8008
- C:\Windows\System\uKGHcjq.exe
  C:\Windows\System\uKGHcjq.exe
  2⤵
  PID:8116
- C:\Windows\System\RLXlFLg.exe
  C:\Windows\System\RLXlFLg.exe
  2⤵
  PID:7148
- C:\Windows\System\WVUulqz.exe
  C:\Windows\System\WVUulqz.exe
  2⤵
  PID:7696
- C:\Windows\System\lTpLHOm.exe
  C:\Windows\System\lTpLHOm.exe
  2⤵
  PID:7960
- C:\Windows\System\HYUmtma.exe
  C:\Windows\System\HYUmtma.exe
  2⤵
  PID:7948
- C:\Windows\System\fCyrphq.exe
  C:\Windows\System\fCyrphq.exe
  2⤵
  PID:8216
- C:\Windows\System\eYsQbGc.exe
  C:\Windows\System\eYsQbGc.exe
  2⤵
  PID:8248
- C:\Windows\System\Clwdcwk.exe
  C:\Windows\System\Clwdcwk.exe
  2⤵
  PID:8304
- C:\Windows\System\gZcyUSx.exe
  C:\Windows\System\gZcyUSx.exe
  2⤵
  PID:8332
- C:\Windows\System\OsUWYjo.exe
  C:\Windows\System\OsUWYjo.exe
  2⤵
  PID:8356
- C:\Windows\System\yZhSemA.exe
  C:\Windows\System\yZhSemA.exe
  2⤵
  PID:8380
- C:\Windows\System\TGQdKes.exe
  C:\Windows\System\TGQdKes.exe
  2⤵
  PID:8396
- C:\Windows\System\bsqROZO.exe
  C:\Windows\System\bsqROZO.exe
  2⤵
  PID:8440
- C:\Windows\System\jNvGRei.exe
  C:\Windows\System\jNvGRei.exe
  2⤵
  PID:8476
- C:\Windows\System\WcBSEME.exe
  C:\Windows\System\WcBSEME.exe
  2⤵
  PID:8500
- C:\Windows\System\iMlRQjS.exe
  C:\Windows\System\iMlRQjS.exe
  2⤵
  PID:8516
- C:\Windows\System\XYurYjG.exe
  C:\Windows\System\XYurYjG.exe
  2⤵
  PID:8540
- C:\Windows\System\FozcwIM.exe
  C:\Windows\System\FozcwIM.exe
  2⤵
  PID:8560
- C:\Windows\System\UFCNaHW.exe
  C:\Windows\System\UFCNaHW.exe
  2⤵
  PID:8580
- C:\Windows\System\boqCPEA.exe
  C:\Windows\System\boqCPEA.exe
  2⤵
  PID:8600
- C:\Windows\System\UdARSxT.exe
  C:\Windows\System\UdARSxT.exe
  2⤵
  PID:8692
- C:\Windows\System\CIBkgzp.exe
  C:\Windows\System\CIBkgzp.exe
  2⤵
  PID:8708
- C:\Windows\System\ljiGFtO.exe
  C:\Windows\System\ljiGFtO.exe
  2⤵
  PID:8728
- C:\Windows\System\uTqYLsD.exe
  C:\Windows\System\uTqYLsD.exe
  2⤵
  PID:8756
- C:\Windows\System\rkRWjfQ.exe
  C:\Windows\System\rkRWjfQ.exe
  2⤵
  PID:8780
- C:\Windows\System\QZlfjMw.exe
  C:\Windows\System\QZlfjMw.exe
  2⤵
  PID:8804
- C:\Windows\System\XhtVMEM.exe
  C:\Windows\System\XhtVMEM.exe
  2⤵
  PID:8844
- C:\Windows\System\QmrnBZc.exe
  C:\Windows\System\QmrnBZc.exe
  2⤵
  PID:8864
- C:\Windows\System\VElGcnQ.exe
  C:\Windows\System\VElGcnQ.exe
  2⤵
  PID:8888
- C:\Windows\System\ixnAtbD.exe
  C:\Windows\System\ixnAtbD.exe
  2⤵
  PID:8940
- C:\Windows\System\OGtyIMq.exe
  C:\Windows\System\OGtyIMq.exe
  2⤵
  PID:8956
- C:\Windows\System\mDWCRda.exe
  C:\Windows\System\mDWCRda.exe
  2⤵
  PID:8976
- C:\Windows\System\McJtAee.exe
  C:\Windows\System\McJtAee.exe
  2⤵
  PID:9000
- C:\Windows\System\AudrBHW.exe
  C:\Windows\System\AudrBHW.exe
  2⤵
  PID:9020
- C:\Windows\System\ecaFSgH.exe
  C:\Windows\System\ecaFSgH.exe
  2⤵
  PID:9076
- C:\Windows\System\gjpoCmO.exe
  C:\Windows\System\gjpoCmO.exe
  2⤵
  PID:9108
- C:\Windows\System\ooKBkgv.exe
  C:\Windows\System\ooKBkgv.exe
  2⤵
  PID:9156
- C:\Windows\System\OYyPLRi.exe
  C:\Windows\System\OYyPLRi.exe
  2⤵
  PID:9172
- C:\Windows\System\xQPkRdA.exe
  C:\Windows\System\xQPkRdA.exe
  2⤵
  PID:9192
- C:\Windows\System\gXGjOtG.exe
  C:\Windows\System\gXGjOtG.exe
  2⤵
  PID:7356
- C:\Windows\System\HJEKvLN.exe
  C:\Windows\System\HJEKvLN.exe
  2⤵
  PID:7432
- C:\Windows\System\mzzQeZG.exe
  C:\Windows\System\mzzQeZG.exe
  2⤵
  PID:8312
- C:\Windows\System\mKfoiBS.exe
  C:\Windows\System\mKfoiBS.exe
  2⤵
  PID:8376
- C:\Windows\System\hwZmvGM.exe
  C:\Windows\System\hwZmvGM.exe
  2⤵
  PID:8412
- C:\Windows\System\sLULpFD.exe
  C:\Windows\System\sLULpFD.exe
  2⤵
  PID:8512
- C:\Windows\System\JEyOfTl.exe
  C:\Windows\System\JEyOfTl.exe
  2⤵
  PID:8556
- C:\Windows\System\HxFdztH.exe
  C:\Windows\System\HxFdztH.exe
  2⤵
  PID:8612
- C:\Windows\System\mrJbwZk.exe
  C:\Windows\System\mrJbwZk.exe
  2⤵
  PID:8664
- C:\Windows\System\oxCHDzp.exe
  C:\Windows\System\oxCHDzp.exe
  2⤵
  PID:8704
- C:\Windows\System\PAFfehA.exe
  C:\Windows\System\PAFfehA.exe
  2⤵
  PID:8796
- C:\Windows\System\WXGPtGC.exe
  C:\Windows\System\WXGPtGC.exe
  2⤵
  PID:8872
- C:\Windows\System\zFQQzIR.exe
  C:\Windows\System\zFQQzIR.exe
  2⤵
  PID:8932
- C:\Windows\System\fIaBvlc.exe
  C:\Windows\System\fIaBvlc.exe
  2⤵
  PID:9016
- C:\Windows\System\MzcLioD.exe
  C:\Windows\System\MzcLioD.exe
  2⤵
  PID:9060
- C:\Windows\System\FkkNAAr.exe
  C:\Windows\System\FkkNAAr.exe
  2⤵
  PID:9136
- C:\Windows\System\gbKdhZm.exe
  C:\Windows\System\gbKdhZm.exe
  2⤵
  PID:7028
- C:\Windows\System\CsKDmMA.exe
  C:\Windows\System\CsKDmMA.exe
  2⤵
  PID:8300
- C:\Windows\System\tQkrWhY.exe
  C:\Windows\System\tQkrWhY.exe
  2⤵
  PID:8428
- C:\Windows\System\MVBAiNR.exe
  C:\Windows\System\MVBAiNR.exe
  2⤵
  PID:8532
- C:\Windows\System\mTmqwzb.exe
  C:\Windows\System\mTmqwzb.exe
  2⤵
  PID:8724
- C:\Windows\System\DHkpxSV.exe
  C:\Windows\System\DHkpxSV.exe
  2⤵
  PID:8984
- C:\Windows\System\hRKfcgF.exe
  C:\Windows\System\hRKfcgF.exe
  2⤵
  PID:9012
- C:\Windows\System\OuVAlIg.exe
  C:\Windows\System\OuVAlIg.exe
  2⤵
  PID:9188
- C:\Windows\System\CGCAyqa.exe
  C:\Windows\System\CGCAyqa.exe
  2⤵
  PID:4136
- C:\Windows\System\yNjogUJ.exe
  C:\Windows\System\yNjogUJ.exe
  2⤵
  PID:8324
- C:\Windows\System\ompaYPH.exe
  C:\Windows\System\ompaYPH.exe
  2⤵
  PID:4876
- C:\Windows\System\RfHymvt.exe
  C:\Windows\System\RfHymvt.exe
  2⤵
  PID:8468
- C:\Windows\System\NnXwEhE.exe
  C:\Windows\System\NnXwEhE.exe
  2⤵
  PID:8744
- C:\Windows\System\fAbCGEr.exe
  C:\Windows\System\fAbCGEr.exe
  2⤵
  PID:9232
- C:\Windows\System\XMDcbKf.exe
  C:\Windows\System\XMDcbKf.exe
  2⤵
  PID:9252
- C:\Windows\System\kBLDoqt.exe
  C:\Windows\System\kBLDoqt.exe
  2⤵
  PID:9276
- C:\Windows\System\iRKMVAE.exe
  C:\Windows\System\iRKMVAE.exe
  2⤵
  PID:9344
- C:\Windows\System\nrbsuNV.exe
  C:\Windows\System\nrbsuNV.exe
  2⤵
  PID:9364
- C:\Windows\System\cbhFWOn.exe
  C:\Windows\System\cbhFWOn.exe
  2⤵
  PID:9380
- C:\Windows\System\UVzbFss.exe
  C:\Windows\System\UVzbFss.exe
  2⤵
  PID:9404
- C:\Windows\System\SklAHyL.exe
  C:\Windows\System\SklAHyL.exe
  2⤵
  PID:9440
- C:\Windows\System\tWxjcdE.exe
  C:\Windows\System\tWxjcdE.exe
  2⤵
  PID:9456
- C:\Windows\System\djginXe.exe
  C:\Windows\System\djginXe.exe
  2⤵
  PID:9480
- C:\Windows\System\UEElKeS.exe
  C:\Windows\System\UEElKeS.exe
  2⤵
  PID:9500
- C:\Windows\System\zEaMDPD.exe
  C:\Windows\System\zEaMDPD.exe
  2⤵
  PID:9524
- C:\Windows\System\PpOKEdN.exe
  C:\Windows\System\PpOKEdN.exe
  2⤵
  PID:9572
- C:\Windows\System\HvXcxQV.exe
  C:\Windows\System\HvXcxQV.exe
  2⤵
  PID:9592
- C:\Windows\System\VOmlyxi.exe
  C:\Windows\System\VOmlyxi.exe
  2⤵
  PID:9620
- C:\Windows\System\bOPzcvJ.exe
  C:\Windows\System\bOPzcvJ.exe
  2⤵
  PID:9652
- C:\Windows\System\EhjIXKr.exe
  C:\Windows\System\EhjIXKr.exe
  2⤵
  PID:9672
- C:\Windows\System\STulgRr.exe
  C:\Windows\System\STulgRr.exe
  2⤵
  PID:9728
- C:\Windows\System\YXwVnem.exe
  C:\Windows\System\YXwVnem.exe
  2⤵
  PID:9768
- C:\Windows\System\bhAWuvj.exe
  C:\Windows\System\bhAWuvj.exe
  2⤵
  PID:9792
- C:\Windows\System\YiJGjxx.exe
  C:\Windows\System\YiJGjxx.exe
  2⤵
  PID:9812
- C:\Windows\System\TxWkKGg.exe
  C:\Windows\System\TxWkKGg.exe
  2⤵
  PID:9832
- C:\Windows\System\RewyoZR.exe
  C:\Windows\System\RewyoZR.exe
  2⤵
  PID:9880
- C:\Windows\System\szlLaCk.exe
  C:\Windows\System\szlLaCk.exe
  2⤵
  PID:9896
- C:\Windows\System\UIQYQHb.exe
  C:\Windows\System\UIQYQHb.exe
  2⤵
  PID:9920
- C:\Windows\System\obEHHKK.exe
  C:\Windows\System\obEHHKK.exe
  2⤵
  PID:9940
- C:\Windows\System\cfnxNfg.exe
  C:\Windows\System\cfnxNfg.exe
  2⤵
  PID:9964
- C:\Windows\System\xZUJqZF.exe
  C:\Windows\System\xZUJqZF.exe
  2⤵
  PID:9992
- C:\Windows\System\bDHsTbz.exe
  C:\Windows\System\bDHsTbz.exe
  2⤵
  PID:10040
- C:\Windows\System\jsRMLzb.exe
  C:\Windows\System\jsRMLzb.exe
  2⤵
  PID:10080
- C:\Windows\System\jNNRVxO.exe
  C:\Windows\System\jNNRVxO.exe
  2⤵
  PID:10108
- C:\Windows\System\poHXQfV.exe
  C:\Windows\System\poHXQfV.exe
  2⤵
  PID:10124
- C:\Windows\System\mWSYrtZ.exe
  C:\Windows\System\mWSYrtZ.exe
  2⤵
  PID:10144
- C:\Windows\System\iWxmKEv.exe
  C:\Windows\System\iWxmKEv.exe
  2⤵
  PID:10192
- C:\Windows\System\epnbySH.exe
  C:\Windows\System\epnbySH.exe
  2⤵
  PID:10224
- C:\Windows\System\IvSTpyt.exe
  C:\Windows\System\IvSTpyt.exe
  2⤵
  PID:9228
- C:\Windows\System\rIunXwW.exe
  C:\Windows\System\rIunXwW.exe
  2⤵
  PID:9248
- C:\Windows\System\wYjqZXC.exe
  C:\Windows\System\wYjqZXC.exe
  2⤵
  PID:9312
- C:\Windows\System\zKYKCAN.exe
  C:\Windows\System\zKYKCAN.exe
  2⤵
  PID:9376
- C:\Windows\System\HJMunCS.exe
  C:\Windows\System\HJMunCS.exe
  2⤵
  PID:9472
- C:\Windows\System\ByFikzs.exe
  C:\Windows\System\ByFikzs.exe
  2⤵
  PID:9568
- C:\Windows\System\RcTyDnH.exe
  C:\Windows\System\RcTyDnH.exe
  2⤵
  PID:9628
- C:\Windows\System\KSXWuea.exe
  C:\Windows\System\KSXWuea.exe
  2⤵
  PID:9612
- C:\Windows\System\VeuoeIm.exe
  C:\Windows\System\VeuoeIm.exe
  2⤵
  PID:9644
- C:\Windows\System\IizujWq.exe
  C:\Windows\System\IizujWq.exe
  2⤵
  PID:9764
- C:\Windows\System\EPyTDdb.exe
  C:\Windows\System\EPyTDdb.exe
  2⤵
  PID:9828
- C:\Windows\System\BeOzzLz.exe
  C:\Windows\System\BeOzzLz.exe
  2⤵
  PID:9888
- C:\Windows\System\rtlXBqO.exe
  C:\Windows\System\rtlXBqO.exe
  2⤵
  PID:9916
- C:\Windows\System\djZDbxi.exe
  C:\Windows\System\djZDbxi.exe
  2⤵
  PID:9988
- C:\Windows\System\YLMNaDM.exe
  C:\Windows\System\YLMNaDM.exe
  2⤵
  PID:10064
- C:\Windows\System\iQstCuK.exe
  C:\Windows\System\iQstCuK.exe
  2⤵
  PID:4820
- C:\Windows\System\opGoBOu.exe
  C:\Windows\System\opGoBOu.exe
  2⤵
  PID:10176
- C:\Windows\System\TcFFwMZ.exe
  C:\Windows\System\TcFFwMZ.exe
  2⤵
  PID:8244
- C:\Windows\System\tkwqDtZ.exe
  C:\Windows\System\tkwqDtZ.exe
  2⤵
  PID:9452
- C:\Windows\System\STqGrkB.exe
  C:\Windows\System\STqGrkB.exe
  2⤵
  PID:9388
- C:\Windows\System\wDQfdsi.exe
  C:\Windows\System\wDQfdsi.exe
  2⤵
  PID:9588
- C:\Windows\System\OfJwqQH.exe
  C:\Windows\System\OfJwqQH.exe
  2⤵
  PID:9716
- C:\Windows\System\JdTxETi.exe
  C:\Windows\System\JdTxETi.exe
  2⤵
  PID:9808
- C:\Windows\System\JduZsNi.exe
  C:\Windows\System\JduZsNi.exe
  2⤵
  PID:9932
- C:\Windows\System\foMeWNq.exe
  C:\Windows\System\foMeWNq.exe
  2⤵
  PID:10104
- C:\Windows\System\UfOnDSt.exe
  C:\Windows\System\UfOnDSt.exe
  2⤵
  PID:9616
- C:\Windows\System\RMaLnEb.exe
  C:\Windows\System\RMaLnEb.exe
  2⤵
  PID:9740
- C:\Windows\System\cjWZQEl.exe
  C:\Windows\System\cjWZQEl.exe
  2⤵
  PID:9244
- C:\Windows\System\vOxJkxz.exe
  C:\Windows\System\vOxJkxz.exe
  2⤵
  PID:9516
- C:\Windows\System\XwMwgxO.exe
  C:\Windows\System\XwMwgxO.exe
  2⤵
  PID:2308
- C:\Windows\System\qvFsfPH.exe
  C:\Windows\System\qvFsfPH.exe
  2⤵
  PID:10256
- C:\Windows\System\AVpWxIq.exe
  C:\Windows\System\AVpWxIq.exe
  2⤵
  PID:10276
- C:\Windows\System\OukpcDG.exe
  C:\Windows\System\OukpcDG.exe
  2⤵
  PID:10292
- C:\Windows\System\IkliZhK.exe
  C:\Windows\System\IkliZhK.exe
  2⤵
  PID:10320
- C:\Windows\System\DFYxzHH.exe
  C:\Windows\System\DFYxzHH.exe
  2⤵
  PID:10336
- C:\Windows\System\ViKxiFH.exe
  C:\Windows\System\ViKxiFH.exe
  2⤵
  PID:10360
- C:\Windows\System\IJmozHc.exe
  C:\Windows\System\IJmozHc.exe
  2⤵
  PID:10384
- C:\Windows\System\iBdkFIw.exe
  C:\Windows\System\iBdkFIw.exe
  2⤵
  PID:10404
- C:\Windows\System\jmyxZrw.exe
  C:\Windows\System\jmyxZrw.exe
  2⤵
  PID:10460
- C:\Windows\System\lvqwbyu.exe
  C:\Windows\System\lvqwbyu.exe
  2⤵
  PID:10508
- C:\Windows\System\gWvMLtm.exe
  C:\Windows\System\gWvMLtm.exe
  2⤵
  PID:10528
- C:\Windows\System\RWBhYMZ.exe
  C:\Windows\System\RWBhYMZ.exe
  2⤵
  PID:10548
- C:\Windows\System\GmKsDkH.exe
  C:\Windows\System\GmKsDkH.exe
  2⤵
  PID:10612
- C:\Windows\System\NnSceCE.exe
  C:\Windows\System\NnSceCE.exe
  2⤵
  PID:10632
- C:\Windows\System\QjjwEDI.exe
  C:\Windows\System\QjjwEDI.exe
  2⤵
  PID:10652
- C:\Windows\System\riLtBdC.exe
  C:\Windows\System\riLtBdC.exe
  2⤵
  PID:10680
- C:\Windows\System\erkkZRg.exe
  C:\Windows\System\erkkZRg.exe
  2⤵
  PID:10704
- C:\Windows\System\AWGtZZM.exe
  C:\Windows\System\AWGtZZM.exe
  2⤵
  PID:10724
- C:\Windows\System\EPuLCBe.exe
  C:\Windows\System\EPuLCBe.exe
  2⤵
  PID:10768
- C:\Windows\System\GLjPkbH.exe
  C:\Windows\System\GLjPkbH.exe
  2⤵
  PID:10788
- C:\Windows\System\EHqhRth.exe
  C:\Windows\System\EHqhRth.exe
  2⤵
  PID:10812
- C:\Windows\System\TwzonyQ.exe
  C:\Windows\System\TwzonyQ.exe
  2⤵
  PID:10832
- C:\Windows\System\miRwvck.exe
  C:\Windows\System\miRwvck.exe
  2⤵
  PID:10860
- C:\Windows\System\qwccSxc.exe
  C:\Windows\System\qwccSxc.exe
  2⤵
  PID:10888
- C:\Windows\System\qzhMGhV.exe
  C:\Windows\System\qzhMGhV.exe
  2⤵
  PID:10904
- C:\Windows\System\kMXQTOP.exe
  C:\Windows\System\kMXQTOP.exe
  2⤵
  PID:10940
- C:\Windows\System\AhieZQi.exe
  C:\Windows\System\AhieZQi.exe
  2⤵
  PID:10964
- C:\Windows\System\QJXGSRh.exe
  C:\Windows\System\QJXGSRh.exe
  2⤵
  PID:11012
- C:\Windows\System\CJTmaVB.exe
  C:\Windows\System\CJTmaVB.exe
  2⤵
  PID:11064
- C:\Windows\System\nPcCbVw.exe
  C:\Windows\System\nPcCbVw.exe
  2⤵
  PID:11080
- C:\Windows\System\btsyuis.exe
  C:\Windows\System\btsyuis.exe
  2⤵
  PID:11104
- C:\Windows\System\fNLaIyN.exe
  C:\Windows\System\fNLaIyN.exe
  2⤵
  PID:11136
- C:\Windows\System\NGZCDTq.exe
  C:\Windows\System\NGZCDTq.exe
  2⤵
  PID:11168
- C:\Windows\System\owayOcq.exe
  C:\Windows\System\owayOcq.exe
  2⤵
  PID:11188
- C:\Windows\System\UJiRxSf.exe
  C:\Windows\System\UJiRxSf.exe
  2⤵
  PID:11244
- C:\Windows\System\JvzXnzC.exe
  C:\Windows\System\JvzXnzC.exe
  2⤵
  PID:11260
- C:\Windows\System\ogeTonC.exe
  C:\Windows\System\ogeTonC.exe
  2⤵
  PID:10372
- C:\Windows\System\cQVmwHP.exe
  C:\Windows\System\cQVmwHP.exe
  2⤵
  PID:10432
- C:\Windows\System\PSSlGAo.exe
  C:\Windows\System\PSSlGAo.exe
  2⤵
  PID:10492
- C:\Windows\System\zNHQBLk.exe
  C:\Windows\System\zNHQBLk.exe
  2⤵
  PID:10524
- C:\Windows\System\dhSLtLH.exe
  C:\Windows\System\dhSLtLH.exe
  2⤵
  PID:10536
- C:\Windows\System\zSkbBvK.exe
  C:\Windows\System\zSkbBvK.exe
  2⤵
  PID:10568
- C:\Windows\System\sbEkqWT.exe
  C:\Windows\System\sbEkqWT.exe
  2⤵
  PID:10624
- C:\Windows\System\xWnmPlg.exe
  C:\Windows\System\xWnmPlg.exe
  2⤵
  PID:10676
- C:\Windows\System\uxWIQdH.exe
  C:\Windows\System\uxWIQdH.exe
  2⤵
  PID:10720
- C:\Windows\System\zaeFHQm.exe
  C:\Windows\System\zaeFHQm.exe
  2⤵
  PID:10880
- C:\Windows\System\FXQePRx.exe
  C:\Windows\System\FXQePRx.exe
  2⤵
  PID:10900
- C:\Windows\System\TatndBO.exe
  C:\Windows\System\TatndBO.exe
  2⤵
  PID:10992
- C:\Windows\System\gUwpQSA.exe
  C:\Windows\System\gUwpQSA.exe
  2⤵
  PID:10072
- C:\Windows\System\BKCZsdd.exe
  C:\Windows\System\BKCZsdd.exe
  2⤵
  PID:10456
- C:\Windows\System\pgLKaag.exe
  C:\Windows\System\pgLKaag.exe
  2⤵
  PID:10344
- C:\Windows\System\aCLwydn.exe
  C:\Windows\System\aCLwydn.exe
  2⤵
  PID:10736
- C:\Windows\System\bUklIrK.exe
  C:\Windows\System\bUklIrK.exe
  2⤵
  PID:10368
- C:\Windows\System\AVbVuDb.exe
  C:\Windows\System\AVbVuDb.exe
  2⤵
  PID:10544
- C:\Windows\System\BKuDeTQ.exe
  C:\Windows\System\BKuDeTQ.exe
  2⤵
  PID:10584
- C:\Windows\System\gsTRswk.exe
  C:\Windows\System\gsTRswk.exe
  2⤵
  PID:10672
- C:\Windows\System\xDkhHRi.exe
  C:\Windows\System\xDkhHRi.exe
  2⤵
  PID:10800
- C:\Windows\System\mHGOMDt.exe
  C:\Windows\System\mHGOMDt.exe
  2⤵
  PID:10936
- C:\Windows\System\LCfLAMI.exe
  C:\Windows\System\LCfLAMI.exe
  2⤵
  PID:10412
- C:\Windows\System\vcIRqRd.exe
  C:\Windows\System\vcIRqRd.exe
  2⤵
  PID:10496
- C:\Windows\System\HRmhlqb.exe
  C:\Windows\System\HRmhlqb.exe
  2⤵
  PID:10804
- C:\Windows\System\mHRBUvc.exe
  C:\Windows\System\mHRBUvc.exe
  2⤵
  PID:10988
- C:\Windows\System\mQFqoKz.exe
  C:\Windows\System\mQFqoKz.exe
  2⤵
  PID:10752
- C:\Windows\System\SulVAMA.exe
  C:\Windows\System\SulVAMA.exe
  2⤵
  PID:10896
- C:\Windows\System\lzXtdLi.exe
  C:\Windows\System\lzXtdLi.exe
  2⤵
  PID:11288
- C:\Windows\System\eopllCI.exe
  C:\Windows\System\eopllCI.exe
  2⤵
  PID:11304
- C:\Windows\System\NFEANlH.exe
  C:\Windows\System\NFEANlH.exe
  2⤵
  PID:11344
- C:\Windows\System\aBZpPfv.exe
  C:\Windows\System\aBZpPfv.exe
  2⤵
  PID:11372
- C:\Windows\System\wbFwMRr.exe
  C:\Windows\System\wbFwMRr.exe
  2⤵
  PID:11388
- C:\Windows\System\BQVOgVI.exe
  C:\Windows\System\BQVOgVI.exe
  2⤵
  PID:11412
- C:\Windows\System\roJTSJV.exe
  C:\Windows\System\roJTSJV.exe
  2⤵
  PID:11436
- C:\Windows\System\vWdeeCP.exe
  C:\Windows\System\vWdeeCP.exe
  2⤵
  PID:11452
- C:\Windows\System\cmpWGSe.exe
  C:\Windows\System\cmpWGSe.exe
  2⤵
  PID:11476
- C:\Windows\System\bkCTsKu.exe
  C:\Windows\System\bkCTsKu.exe
  2⤵
  PID:11516
- C:\Windows\System\tZRXuLY.exe
  C:\Windows\System\tZRXuLY.exe
  2⤵
  PID:11532
- C:\Windows\System\liGkIJF.exe
  C:\Windows\System\liGkIJF.exe
  2⤵
  PID:11560
- C:\Windows\System\nMTdsRd.exe
  C:\Windows\System\nMTdsRd.exe
  2⤵
  PID:11584
- C:\Windows\System\OibFhqh.exe
  C:\Windows\System\OibFhqh.exe
  2⤵
  PID:11620
- C:\Windows\System\TnNZoQO.exe
  C:\Windows\System\TnNZoQO.exe
  2⤵
  PID:11652
- C:\Windows\System\LvLgJgX.exe
  C:\Windows\System\LvLgJgX.exe
  2⤵
  PID:11672
- C:\Windows\System\WgPtAlo.exe
  C:\Windows\System\WgPtAlo.exe
  2⤵
  PID:11720
- C:\Windows\System\CsNxeNe.exe
  C:\Windows\System\CsNxeNe.exe
  2⤵
  PID:11756
- C:\Windows\System\gDqpFLg.exe
  C:\Windows\System\gDqpFLg.exe
  2⤵
  PID:11812
- C:\Windows\System\KvErMnt.exe
  C:\Windows\System\KvErMnt.exe
  2⤵
  PID:11836
- C:\Windows\System\aoZaUCb.exe
  C:\Windows\System\aoZaUCb.exe
  2⤵
  PID:11860
- C:\Windows\System\JHStGaS.exe
  C:\Windows\System\JHStGaS.exe
  2⤵
  PID:11884
- C:\Windows\System\ZVLRzMd.exe
  C:\Windows\System\ZVLRzMd.exe
  2⤵
  PID:11936
- C:\Windows\System\kisiJbE.exe
  C:\Windows\System\kisiJbE.exe
  2⤵
  PID:11964
- C:\Windows\System\rHSvrTe.exe
  C:\Windows\System\rHSvrTe.exe
  2⤵
  PID:12020
- C:\Windows\System\WLOzXPu.exe
  C:\Windows\System\WLOzXPu.exe
  2⤵
  PID:12048
- C:\Windows\System\yXRduCx.exe
  C:\Windows\System\yXRduCx.exe
  2⤵
  PID:12108
- C:\Windows\System\KlWEhdE.exe
  C:\Windows\System\KlWEhdE.exe
  2⤵
  PID:12128
- C:\Windows\System\UKgPMDb.exe
  C:\Windows\System\UKgPMDb.exe
  2⤵
  PID:12148
- C:\Windows\System\ADwydco.exe
  C:\Windows\System\ADwydco.exe
  2⤵
  PID:12172
- C:\Windows\System\wknxYhg.exe
  C:\Windows\System\wknxYhg.exe
  2⤵
  PID:12196
- C:\Windows\System\gRkyTdM.exe
  C:\Windows\System\gRkyTdM.exe
  2⤵
  PID:12224
- C:\Windows\System\PyuRRok.exe
  C:\Windows\System\PyuRRok.exe
  2⤵
  PID:12244
- C:\Windows\System\FjMJGfa.exe
  C:\Windows\System\FjMJGfa.exe
  2⤵
  PID:10472
- C:\Windows\System\bkwSqaf.exe
  C:\Windows\System\bkwSqaf.exe
  2⤵
  PID:11124
- C:\Windows\System\AFDcrrA.exe
  C:\Windows\System\AFDcrrA.exe
  2⤵
  PID:11276
- C:\Windows\System\yHLAnPj.exe
  C:\Windows\System\yHLAnPj.exe
  2⤵
  PID:11320
- C:\Windows\System\gKbAPsv.exe
  C:\Windows\System\gKbAPsv.exe
  2⤵
  PID:11444
- C:\Windows\System\xdqpqOk.exe
  C:\Windows\System\xdqpqOk.exe
  2⤵
  PID:11524
- C:\Windows\System\DOeHwnz.exe
  C:\Windows\System\DOeHwnz.exe
  2⤵
  PID:11556
- C:\Windows\System\FkcDIVK.exe
  C:\Windows\System\FkcDIVK.exe
  2⤵
  PID:11640
- C:\Windows\System\GZMXcTu.exe
  C:\Windows\System\GZMXcTu.exe
  2⤵
  PID:11728
- C:\Windows\System\GAOuDPK.exe
  C:\Windows\System\GAOuDPK.exe
  2⤵
  PID:11708
- C:\Windows\System\zWOFDGT.exe
  C:\Windows\System\zWOFDGT.exe
  2⤵
  PID:11856
- C:\Windows\System\yalUVXI.exe
  C:\Windows\System\yalUVXI.exe
  2⤵
  PID:4412
- C:\Windows\System\FQINsYw.exe
  C:\Windows\System\FQINsYw.exe
  2⤵
  PID:752
- C:\Windows\System\VtGdVhY.exe
  C:\Windows\System\VtGdVhY.exe
  2⤵
  PID:2500
- C:\Windows\System\MyhpIPR.exe
  C:\Windows\System\MyhpIPR.exe
  2⤵
  PID:11908
- C:\Windows\System\EFwbUvT.exe
  C:\Windows\System\EFwbUvT.exe
  2⤵
  PID:11960
- C:\Windows\System\yvXWthZ.exe
  C:\Windows\System\yvXWthZ.exe
  2⤵
  PID:12076
- C:\Windows\System\VgJWFZN.exe
  C:\Windows\System\VgJWFZN.exe
  2⤵
  PID:11156
- C:\Windows\System\HcneoYe.exe
  C:\Windows\System\HcneoYe.exe
  2⤵
  PID:12164
- C:\Windows\System\uztwFWM.exe
  C:\Windows\System\uztwFWM.exe
  2⤵
  PID:10580
- C:\Windows\System\FlVLPQY.exe
  C:\Windows\System\FlVLPQY.exe
  2⤵
  PID:11496
- C:\Windows\System\DkyMuXE.exe
  C:\Windows\System\DkyMuXE.exe
  2⤵
  PID:11512
- C:\Windows\System\SSSoATz.exe
  C:\Windows\System\SSSoATz.exe
  2⤵
  PID:11628
- C:\Windows\System\MizzmeI.exe
  C:\Windows\System\MizzmeI.exe
  2⤵
  PID:11748
- C:\Windows\System\oMwnmSN.exe
  C:\Windows\System\oMwnmSN.exe
  2⤵
  PID:4060
- C:\Windows\System\omqlXyF.exe
  C:\Windows\System\omqlXyF.exe
  2⤵
  PID:11880
- C:\Windows\System\AoUPsRG.exe
  C:\Windows\System\AoUPsRG.exe
  2⤵
  PID:2660
- C:\Windows\System\bloWKhv.exe
  C:\Windows\System\bloWKhv.exe
  2⤵
  PID:4624
- C:\Windows\System\klmkmCy.exe
  C:\Windows\System\klmkmCy.exe
  2⤵
  PID:12192
- C:\Windows\System\zKfbTgH.exe
  C:\Windows\System\zKfbTgH.exe
  2⤵
  PID:12264
- C:\Windows\System\lEWkVEY.exe
  C:\Windows\System\lEWkVEY.exe
  2⤵
  PID:11664
- C:\Windows\System\PgSBIeI.exe
  C:\Windows\System\PgSBIeI.exe
  2⤵
  PID:2524
- C:\Windows\System\BSrgxqm.exe
  C:\Windows\System\BSrgxqm.exe
  2⤵
  PID:4704
- C:\Windows\System\UoDyUOL.exe
  C:\Windows\System\UoDyUOL.exe
  2⤵
  PID:11592
- C:\Windows\System\ewcgsdh.exe
  C:\Windows\System\ewcgsdh.exe
  2⤵
  PID:11792
- C:\Windows\System\HEGvAZA.exe
  C:\Windows\System\HEGvAZA.exe
  2⤵
  PID:12296
- C:\Windows\System\BjieQoA.exe
  C:\Windows\System\BjieQoA.exe
  2⤵
  PID:12320
- C:\Windows\System\XPSjlEa.exe
  C:\Windows\System\XPSjlEa.exe
  2⤵
  PID:12340
- C:\Windows\System\MHaXuHp.exe
  C:\Windows\System\MHaXuHp.exe
  2⤵
  PID:12364
- C:\Windows\System\OrAgMEG.exe
  C:\Windows\System\OrAgMEG.exe
  2⤵
  PID:12408
- C:\Windows\System\GdZlNgq.exe
  C:\Windows\System\GdZlNgq.exe
  2⤵
  PID:12444
- C:\Windows\System\NxDsKLp.exe
  C:\Windows\System\NxDsKLp.exe
  2⤵
  PID:12464
- C:\Windows\System\rhDwwaG.exe
  C:\Windows\System\rhDwwaG.exe
  2⤵
  PID:12488
- C:\Windows\System\GpXJAgs.exe
  C:\Windows\System\GpXJAgs.exe
  2⤵
  PID:12508
- C:\Windows\System\FuYBtxI.exe
  C:\Windows\System\FuYBtxI.exe
  2⤵
  PID:12544
- C:\Windows\System\fenOnaS.exe
  C:\Windows\System\fenOnaS.exe
  2⤵
  PID:12584
- C:\Windows\System\yaMFfiv.exe
  C:\Windows\System\yaMFfiv.exe
  2⤵
  PID:12628
- C:\Windows\System\RvqsoES.exe
  C:\Windows\System\RvqsoES.exe
  2⤵
  PID:12648
- C:\Windows\System\VdsGruI.exe
  C:\Windows\System\VdsGruI.exe
  2⤵
  PID:12672
- C:\Windows\System\AgxWoYw.exe
  C:\Windows\System\AgxWoYw.exe
  2⤵
  PID:12700
- C:\Windows\System\PqIsnUA.exe
  C:\Windows\System\PqIsnUA.exe
  2⤵
  PID:12716
- C:\Windows\System\SxSQPLp.exe
  C:\Windows\System\SxSQPLp.exe
  2⤵
  PID:12756
- C:\Windows\System\isTzYhC.exe
  C:\Windows\System\isTzYhC.exe
  2⤵
  PID:12808
- C:\Windows\System\mzsdHUj.exe
  C:\Windows\System\mzsdHUj.exe
  2⤵
  PID:12832
- C:\Windows\System\SdhauYP.exe
  C:\Windows\System\SdhauYP.exe
  2⤵
  PID:12852
- C:\Windows\System\YANAFkO.exe
  C:\Windows\System\YANAFkO.exe
  2⤵
  PID:12880
- C:\Windows\System\UmLWktm.exe
  C:\Windows\System\UmLWktm.exe
  2⤵
  PID:12912
- C:\Windows\System\IhNSYbQ.exe
  C:\Windows\System\IhNSYbQ.exe
  2⤵
  PID:12932
- C:\Windows\System\eFEeTyP.exe
  C:\Windows\System\eFEeTyP.exe
  2⤵
  PID:12960
- C:\Windows\System\zNgttLj.exe
  C:\Windows\System\zNgttLj.exe
  2⤵
  PID:12980
- C:\Windows\System\DvFjuuL.exe
  C:\Windows\System\DvFjuuL.exe
  2⤵
  PID:12996
- C:\Windows\System\izpAZGU.exe
  C:\Windows\System\izpAZGU.exe
  2⤵
  PID:13024
- C:\Windows\System\hCiXLAq.exe
  C:\Windows\System\hCiXLAq.exe
  2⤵
  PID:13052
- C:\Windows\System\lETexFV.exe
  C:\Windows\System\lETexFV.exe
  2⤵
  PID:13104
- C:\Windows\System\iVYBqDf.exe
  C:\Windows\System\iVYBqDf.exe
  2⤵
  PID:13148
- C:\Windows\System\CMOMKAy.exe
  C:\Windows\System\CMOMKAy.exe
  2⤵
  PID:13180
- C:\Windows\System\lShAHgq.exe
  C:\Windows\System\lShAHgq.exe
  2⤵
  PID:13204
- C:\Windows\System\hpilZNQ.exe
  C:\Windows\System\hpilZNQ.exe
  2⤵
  PID:13220
- C:\Windows\System\AWZcMRi.exe
  C:\Windows\System\AWZcMRi.exe
  2⤵
  PID:13236
- C:\Windows\System\lQJFVeo.exe
  C:\Windows\System\lQJFVeo.exe
  2⤵
  PID:13256
- C:\Windows\System\UwttoaA.exe
  C:\Windows\System\UwttoaA.exe
  2⤵
  PID:13308
- C:\Windows\System\HHslpjj.exe
  C:\Windows\System\HHslpjj.exe
  2⤵
  PID:12260
- C:\Windows\System\mEWAnbr.exe
  C:\Windows\System\mEWAnbr.exe
  2⤵
  PID:12376
- C:\Windows\System\UPplqXA.exe
  C:\Windows\System\UPplqXA.exe
  2⤵
  PID:12360
- C:\Windows\System\EZgEucL.exe
  C:\Windows\System\EZgEucL.exe
  2⤵
  PID:12416
- C:\Windows\System\nvCdSDV.exe
  C:\Windows\System\nvCdSDV.exe
  2⤵
  PID:12472
- C:\Windows\System\zuJPfbJ.exe
  C:\Windows\System\zuJPfbJ.exe
  2⤵
  PID:12556
- C:\Windows\System\GJbgmJM.exe
  C:\Windows\System\GJbgmJM.exe
  2⤵
  PID:12680
- C:\Windows\System\wQmdoAi.exe
  C:\Windows\System\wQmdoAi.exe
  2⤵
  PID:12788
- C:\Windows\System\fZCkZvE.exe
  C:\Windows\System\fZCkZvE.exe
  2⤵
  PID:12820
- C:\Windows\System\kYHGlrC.exe
  C:\Windows\System\kYHGlrC.exe
  2⤵
  PID:12848
- C:\Windows\System\JWHIKnw.exe
  C:\Windows\System\JWHIKnw.exe
  2⤵
  PID:12876
- C:\Windows\System\JlShZTt.exe
  C:\Windows\System\JlShZTt.exe
  2⤵
  PID:12972
- C:\Windows\System\PJyYhWD.exe
  C:\Windows\System\PJyYhWD.exe
  2⤵
  PID:13088
- C:\Windows\System\iKzDRJQ.exe
  C:\Windows\System\iKzDRJQ.exe
  2⤵
  PID:13100
- C:\Windows\System\XFMVCfA.exe
  C:\Windows\System\XFMVCfA.exe
  2⤵
  PID:13176
- C:\Windows\System\btylieV.exe
  C:\Windows\System\btylieV.exe
  2⤵
  PID:13268
- C:\Windows\System\ridjcTJ.exe
  C:\Windows\System\ridjcTJ.exe
  2⤵
  PID:13300
- C:\Windows\System\QctgFjV.exe
  C:\Windows\System\QctgFjV.exe
  2⤵
  PID:12348
- C:\Windows\System\YfmdVnZ.exe
  C:\Windows\System\YfmdVnZ.exe
  2⤵
  PID:12568
- C:\Windows\System\fMDmyvD.exe
  C:\Windows\System\fMDmyvD.exe
  2⤵
  PID:12712
- C:\Windows\System\JEhQAdB.exe
  C:\Windows\System\JEhQAdB.exe
  2⤵
  PID:12708

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 2288 -i 2288 -h 456 -j 528 -s 536 -d 13360
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:13428

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:13612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yn1viszv.hru.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AwzxKDH.exe

Filesize
1.8MB

MD5
f6aa898c19dae95869574a2da4c8dba3

SHA1
868aec1b51eb9515724a5065d9c730cd488f0972

SHA256
f4e496949ffa7d36f38578f1d71e00cec602c812664667c0d511474e417b05f3

SHA512
598af4203c78506cf9798c44d506d200e14cfd7ac037962cab319e5f506241a7f224dc407e2e3bc7f07ad2207af62b12cc71390656f84d89e2fdc5da611d0812

Download Submit
C:\Windows\System\AzwniHT.exe

Filesize
1.8MB

MD5
2e222b81659303fc77ad810ce1f7091b

SHA1
f4772e67bfaa4b2aaa79e14c146acb2a1402fd56

SHA256
b6cbf65c83e24ee8d38395a629dfdf60ecbcc66fd0c81b9c68819980e52e14ed

SHA512
3eae4ec7d920be5eb6a790b67aeed90397dc27eed68cdabe4345ea2b9e1a7021cf3ffa2fe6ec81a0cddb19763f3b99d7dc6e7ae55481f7f302b35f59595e0657

Download Submit
C:\Windows\System\EeBONDr.exe

Filesize
1.8MB

MD5
db60c8d1b9b789de8cf6129ae3022627

SHA1
c6b287e0cc9bfc89d04de893d918dc62da0c2394

SHA256
f94628f06ec66f626b9b8e5c08482716383320c9b57ab5f5b3b6a26c01809bf4

SHA512
4ca7cfad80fdcc584fc271998f53cfc1bf210759c36749f40db4880f52284cdb59e564005496d5916f92e7eb9c3cf3d2162a736aa50b20fe55d7c13e1a42fed0

Download Submit
C:\Windows\System\GDxaOdG.exe

Filesize
1.8MB

MD5
8b6f042b5c58cabbd7baf7fd88d9c2a0

SHA1
1ed1a62177e146332c60e35c2a43b65dc2d397b9

SHA256
a0da8371a8e6153e4ce3af2dc80b085653adb0ab50c63dcfca132311e4176d7f

SHA512
a4dc811d6566941d635afad1f2fad669722c2efea70b30e7c6fcf9562aeeccfb44b0e7337636ac8b38e315c7ac8512a1ab16aaea4292ee15b2ef5b392143524e

Download Submit
C:\Windows\System\JCUxnES.exe

Filesize
1.8MB

MD5
3dc9cae2f6e4db7d1188a6658f16ee0b

SHA1
b07b743b656af260af68e226b972c7bc6d5f76dc

SHA256
352159f0092975ac07289cf06603b5dbac40376e1a622fa73a606677db8bda1e

SHA512
d933aeb3c025a028e6dbf7812b5a4e81e158b3f46622a2fe6ebb450b743f2d5c3159b5df90ffc73df7eaa318a1e856abf3beb7c7b7ac65ad4aabe25692732817

Download Submit
C:\Windows\System\JfDrtMp.exe

Filesize
1.8MB

MD5
200eaaab1ff3601887df3c5b13f5346a

SHA1
dcfa5bc88a2a07b3465954eb77122018d6cf1067

SHA256
81c0625c6854198e228c096c1e1f76596ed2014be1304ac9d889daeaa0720956

SHA512
d100f44410a58be2d8b23a7787f7c3d23b798dc2da348d66680e6805e59a729ffb27e0f053f059a510a6a47a9a990f76e4a1c8dd87a6224b69a8135d05f05d45

Download Submit
C:\Windows\System\JwVnIXR.exe

Filesize
1.8MB

MD5
f90fc0bd4a0a85bf7090f939cf803e37

SHA1
91bc0cd0719c2241bf504f770aa5747ee3756e95

SHA256
60b4638e53631846ed37337f09ca875fd57d9f6bdd0abe94f4da587cc39a8a81

SHA512
b0c992fddcc6c7481b2f88166e8973626ae6f79055102cf79902f4ad50cd55f44131f473753d5a922e3c486a834c31f3d4fb8f01eb9ec9b4d4cc6ac7557b3809

Download Submit
C:\Windows\System\MKmpwZe.exe

Filesize
1.8MB

MD5
6e22a7a642a57f348785c4a5b25ce008

SHA1
a1bf846d8481435008b758ce9f79910e6ab399f2

SHA256
b3051bc0319061b176729394db9f369e2abf63dea9153887334645115e09ef8c

SHA512
df828b7ca98437f4232f934afd21b7b28064d921749373d285542885eb58fbd99e8c08ddc3c6bcdd892a84d0a45459629b0550325e92a5027c4bce891c78a82d

Download Submit
C:\Windows\System\MnTMmbK.exe

Filesize
8B

MD5
3277aa72bb7d7f1eb1043502fbd1c406

SHA1
8712dca2f3fbc82bf0cbbeecdc5d6a26c87f443c

SHA256
e94b62f30c9ce8b0b5cea14d4367a52fe08005d1bd56ca932a1fd7fc15c61bc9

SHA512
9fb0369549dba8937fb796cbc4ade6bacf540f10f98e02675f1b04c615cbb49e396cdbd25cd29de56c7bfb889c8464199939a84fa31434a75c020caeb4f9f503

Download Submit
C:\Windows\System\NiAiEdW.exe

Filesize
1.8MB

MD5
9f899da907dd7855b879e0e2ffefafd0

SHA1
c4a904a34399b2a19d22a1f8fd578261caffb936

SHA256
da729c0bc72e5d7c7e7f092ed1ca95b6a08e0b3e2c8dc57e3c9206e8567e10f8

SHA512
d8cd1ec17f611a2490f1f76f51195b1185d067d2d6c5e1815a0fcc8f3272b14b68383a2ef66007c6ece5303cec3b078255f432cdad80a49dab578b9be65eae3e

Download Submit
C:\Windows\System\OkrODEJ.exe

Filesize
1.8MB

MD5
9577099c0f3a361f054c8971f79460e1

SHA1
ecfbd243383c3a291eb310a8a8e605344bb4e3bc

SHA256
6290ec122e32f25c1c7bc281a159edd2c86111e57237a105bc737462e080aee7

SHA512
1259c8094efed6257086a391658bd00a046c21dfb6099d5a4f19f7bae7eccb06241acea5356cb47f58f633ced7b8d910936c76498128084eb2a2aa50aea69964

Download Submit
C:\Windows\System\QLYZwJI.exe

Filesize
1.8MB

MD5
d37c8f0ac65c6fcc7f96dcfb46b6e0aa

SHA1
0d753b64908b153d13a79a190a6a33ad8e86d8f7

SHA256
3cae4b47346a3c0236b556249af54bd9c774224f9e06fee4f95b3e7ea92cff60

SHA512
6c376b950ceed7bc88838d941ad612d6a79156714e4f00c616b52f8e6184d1abcf42c1cf948d70af0d638a94c34ea5c6b69cdb920f67ff75993198432a303883

Download Submit
C:\Windows\System\RYuXviN.exe

Filesize
1.8MB

MD5
9a7838ce1c6c095dab6effb9b964179f

SHA1
cb621c034e55a20d434c5651250c1154ea2ad38d

SHA256
35522f4bf33a8078edec9063b95f678f7fb858cf98610e59d0c6b20756500c4d

SHA512
bf83c9f5c918766a91a3eabef0a77c3e7e68bfc021608ae97516b85b0a4feb30d4141390fc9a5b6a2f13fe5d6d23fd83459305e2bda7643343e6ec0ed811ec37

Download Submit
C:\Windows\System\TUOSRsU.exe

Filesize
1.8MB

MD5
2b26b63ac9e509c1a5bfd430f157fcea

SHA1
b608d40ccab6f8fe47dd3188378adb8ea00789c4

SHA256
a9efcb2dc56c35f0ff787c7b574d6c934e95d700029ecf4419dcbb7007a7b946

SHA512
6562a5690e61a6769e8845fd17e06473a478e1cbc972fd1178ffabafca7ce90452f73da07ffa9ce407ebee7857027821680ac7db8358e4ff605637b9ca4ab29e

Download Submit
C:\Windows\System\VtaYGLs.exe

Filesize
1.8MB

MD5
3448c9836d1b82d93c590469288535af

SHA1
b1577be41c6f850f2ad10efd34a91a203146ab19

SHA256
a01ad5fd853272d337e91e577f9810349022e6bc692e8a1f56222ee9743ac254

SHA512
3be503ac1468f37488b64e4db4d642fe8ee366c6dd30f4d0ba10ed513049a732097722ea61384c6d9d32b4b879433454bbbb4dccf4244c8e2b5104a0ca145014

Download Submit
C:\Windows\System\WPHKxBc.exe

Filesize
1.8MB

MD5
7d5a7b55db1ec9238118a69f848a2b7f

SHA1
f333802d2f8d4d2fd00b4223ba9d7f8f02638609

SHA256
1a2a6110c061b767818eb4a2fee2ba40fdc637355d3171359db0dcab334c097d

SHA512
b833358d9ee40f1bad890601e151898d063447278660a9e5591d4f7367fb9c0f549895205ef4155edcbbfaaf9b8728388db56c3f45faf6e8e65f21b0cd306f95

Download Submit
C:\Windows\System\atSbeXr.exe

Filesize
1.8MB

MD5
f74a6d6d11103a9bbd4c9eb9442b3177

SHA1
246127e3dbcdb6da83d2c54ba61b419360b375ee

SHA256
e0f7efbef99986ae3af2beb128ad80dfba367e4904e46bf3eb0bfd2d59a69a26

SHA512
30085b5c4b07bb4c8018b135a8538b3198caeff4df2d815c7ed6951579a596068101df56c20d7cb1ddd45623042797a9ee38d2be6ac8ac05babcd28e7d667e77

Download Submit
C:\Windows\System\fOclqeX.exe

Filesize
1.8MB

MD5
ddc03cb62664e4c5af54aecd469f656a

SHA1
e6d7f2e5decf8a60651e2fe45990e820b2276b78

SHA256
f890925a7d18d954e05cdb1e65af4987c41a3d3816d70b57d89b81be9aafd2e0

SHA512
e65c502b82ee44ed948d9c2fa9079ffe46721293325d0f29bcb8531f63fe3736439b02e93939ec65c58d8f8b515d1de6f679dcc06ca61fc4501375a6723eb177

Download Submit
C:\Windows\System\hExSJLC.exe

Filesize
1.8MB

MD5
8a3070ee1cfd6a226f8e88ec46915ecb

SHA1
8951d038b3aceb023584cbb3e00b3de2484e9131

SHA256
ab5b36e63c44de06046f775608685c8784cbc474ad124f6dd84fd919a7062b83

SHA512
a7cba369afd16c7ed8b7bf36de5fc232ab6eb4753c7ae98f3af7c89e1c443344b4e56eb77bdd062dd2d3e11d1afc7a1bfead3be335f734d00946b2529fd57ac4

Download Submit
C:\Windows\System\iyGcNWH.exe

Filesize
1.8MB

MD5
6099a04e21360105524a47477b3e6fb4

SHA1
7f1328e2911227935e25e15cf68fdaeffcd809ee

SHA256
d38f3c0cd76f5e9b8f5f98b17745ca8d476cc088c3eb446fa322b91baa0c3581

SHA512
0f78ad67ebd394fefc7e50f1a58dc46df98aa7b35398796e13e7de8cd2e9564f0ea0e32f2ec5364a4122d1dd5ce087754e1311baf11a3bce3803483ebaf2f07b

Download Submit
C:\Windows\System\izpdeuq.exe

Filesize
1.8MB

MD5
7e9a1602a44d39c282334af52f9f52ae

SHA1
7dd4664085069667628f3bd597becb910d65359a

SHA256
f86d98e5665d74433f67278dc0ce2ac610e127e89dedf36d3f6f680a09deb57d

SHA512
77c2cf8c9f2a8985319f8484126db3f4ae4c26b0c60bd991ce0c8de907570139d7283904709732fbec9f9d6f1f51b48262fb1897b6e826190f6d674a0f9aa9f9

Download Submit
C:\Windows\System\kLbUWTD.exe

Filesize
1.8MB

MD5
4d1937e4237fc3d4158a6b70e3b9b261

SHA1
49dcae5b5df3df412e482a3b2e6726e5d837a292

SHA256
325539bd72e480c01d4b12ac1d61637f01eac701bf3b1ebd7d1f0f569b4c032e

SHA512
2bc95be99c4f95376a5be8b4f2e2d1f8e8e84cd9321e87a363b7df89700b4c1693727d54c25cadf6ff5c3a5aa378d23f838a0a668cdd880eb24ac7dbfad4c177

Download Submit
C:\Windows\System\pyXZLcR.exe

Filesize
1.8MB

MD5
3651896fc67d110b5d4a52cfdbab8f08

SHA1
f72ca728250cd862e564134eea02648b3766c84f

SHA256
f4bdd660a6008bcf70209e53b235f42557264419119c71a00aad8e8238557541

SHA512
a686d1eb23539b7520fa1f8d9051d739dcc259ed3f46b9bb090f3edabb904a979139af1196245ec5a8dbaa3056de74250573248c9e3d84210ae972c97053f8f3

Download Submit
C:\Windows\System\qCwJNSv.exe

Filesize
1.8MB

MD5
bec17baaf4f542bd93efd41aea169081

SHA1
5702a0d6708597a5a7475501d1c72cdc29f95731

SHA256
da6556cbf8189994b4cc18ae79746b75fda4f48bff3a608736e1a1e5233e6afa

SHA512
8ee4baa335bbea99bc27f95dca268dcb1e235ff0fb41fcc959d3c004ce226f91295bdaa81c4fa362c8c6664e330ea6ab4bfb85d07b010d89f3bbbfafb677ff6d

Download Submit
C:\Windows\System\qoAsEBx.exe

Filesize
1.8MB

MD5
97b9613d6f607de6a92d7efcf3329490

SHA1
e666276436c2aa26fef1b4c2e8970c1b49b3b628

SHA256
eab7f88c279ab5622841ef6c51641fd553332a690bb41fc18a453cda2b87fe98

SHA512
65b467ae89ce46178a8acf767c7b126ff7041ba4f9cc57c0b55d488416614859a19f3488e826d6721794f75788d16b177c046373ef2d4d184bfd2bed1ba90231

Download Submit
C:\Windows\System\rCAUCzJ.exe

Filesize
1.8MB

MD5
41ee64c5bdd7e74b739165ec6adc4f4a

SHA1
98edc325807242ddb7743a825a8fc187644a6ebf

SHA256
9cc5b3b799a2da46759993baaa19558c905cb217392f3296a6180d8a0b5dd296

SHA512
99c7d3c522bf9e9af16a6dfe6a688c0c5118ecb5a5fdb678e0fe71a1d318bdaed750f994903b36608293bea8cdee6cc2dabab75889c8bf2bb56e85752c588d1e

Download Submit
C:\Windows\System\rfXCLPL.exe

Filesize
1.8MB

MD5
49733961ba9d287faa598900d5bd2d9e

SHA1
d69fe8deb2becfbd049daee6db9d9308f5419f8e

SHA256
051e20e565afa37149c7bc6b617c7d085238141685648839e243e5dccc4d3eb6

SHA512
953fcb1a326c8bde0ae7080c577a726b83afbff341937973fead81aafb80aa6a6ea8aab8b89a9b7e1b49b9cce04bee9232e1eb8fa87edfaffb8c534a376b28eb

Download Submit
C:\Windows\System\sBimsDO.exe

Filesize
1.8MB

MD5
9afaf3210e9a5ae49e7bc44f450d9104

SHA1
eb6811c47fba852a2bc5146b8fd15e0469cf8002

SHA256
8fee591b2bc7e7021eb36f46b66d13a8c0d4ecab867583b89fed76feeac8d293

SHA512
b827ec25034726251bf66676026e27091a88df7da97ad1fc8e11b64530d327b28840d59368ba48b684cede84061e85d0895e79254b432e51dc369d56d04f9ae8

Download Submit
C:\Windows\System\tLDgBDL.exe

Filesize
1.8MB

MD5
89abcd75c1815efeded3aae16b1e5a8c

SHA1
69487de7b3a5393fc2e8c6c7ab2c1f817643afa9

SHA256
6ef960761878fda586a6664fb53ea0732172d1d6b944527b17769af940b3012b

SHA512
99871f736832909bce8353bec4e9621e115be27b1e13e1cbd73cdb2a966217e26f51cbdca641eeab8337c09e28163ef287ec5dfed90e29ae115a9f321e07e81d

Download Submit
C:\Windows\System\vYIWADP.exe

Filesize
1.8MB

MD5
079a7e4b0682d9c66bd347dc11478d15

SHA1
d57905d86788e853294637e2551151bf5139c7e0

SHA256
cac0d3c308002a91243db1f1632af30bb4c0a2f6f43fa28d8152a7974312640a

SHA512
a41a6a582c919498961dfee6142c23d9ea37b703aa65e0acff5564d3b4de3bb93f28fbbb3e27d5551c841bdfeda0b2d7eb781e20a7a58565596708a49379cebe

Download Submit
C:\Windows\System\wyUlSAq.exe

Filesize
1.8MB

MD5
ec676e7341c7258c96e27f237aa5fe3c

SHA1
f000ebe28d11b9d164d9d55c54e6c3314a659b19

SHA256
d6518df4ddb38eb18d5f0383c10a469c781b1962f971734d4dcba67c5a729cea

SHA512
b50e68a6b719df45b9386b7b95ebafd51e5a2324955f6daf7174624cb684786d75a91a932eab3f10e83012b8829aad4abc8301a883c329583fe7ba2684ec0805

Download Submit
C:\Windows\System\xMBsSqB.exe

Filesize
1.8MB

MD5
aa8923aae380111df697041c4536faa1

SHA1
a565f392f4f7c7c3d1c364a8dc3da81467b8b84b

SHA256
45f482eabc74b6be9e99fbcb760c8b2cf4090e8fc1ee15652e683f85f65640a6

SHA512
924c5800698409889767157154916b89dfcdc67721d73e50e62dadb13673a1c01d1e1dc389842af5901b3766e4c0160a1681c84286568bbc1d72627534af7aba

Download Submit
C:\Windows\System\ybMEuZi.exe

Filesize
1.8MB

MD5
e8aba57785e55a229150879759dfa573

SHA1
eca78f1031dad27b749ce887f75867365e99175f

SHA256
240fb7635be1e2d8a132a21679aabeea0643b68a5f00572a83aac568323af84c

SHA512
a22f5688f2b654c607a6e1fee515017ebbbf1937a652172383d3bbdb385bcc76ad73e09bd2ce8994581be44d126f53e0dfffdd020c98d52f94832f450e1078f1

Download Submit
memory/1180-2663-0x00007FF762D50000-0x00007FF763142000-memory.dmp

Filesize
3.9MB

Download
memory/1180-117-0x00007FF762D50000-0x00007FF763142000-memory.dmp

Filesize
3.9MB

Download
memory/1596-2703-0x00007FF72D170000-0x00007FF72D562000-memory.dmp

Filesize
3.9MB

Download
memory/1596-107-0x00007FF72D170000-0x00007FF72D562000-memory.dmp

Filesize
3.9MB

Download
memory/1644-2734-0x00007FF6B0740000-0x00007FF6B0B32000-memory.dmp

Filesize
3.9MB

Download
memory/1644-2634-0x00007FF6B0740000-0x00007FF6B0B32000-memory.dmp

Filesize
3.9MB

Download
memory/1644-113-0x00007FF6B0740000-0x00007FF6B0B32000-memory.dmp

Filesize
3.9MB

Download
memory/1924-2730-0x00007FF75A390000-0x00007FF75A782000-memory.dmp

Filesize
3.9MB

Download
memory/1924-2635-0x00007FF75A390000-0x00007FF75A782000-memory.dmp

Filesize
3.9MB

Download
memory/1924-114-0x00007FF75A390000-0x00007FF75A782000-memory.dmp

Filesize
3.9MB

Download
memory/2312-2708-0x00007FF717350000-0x00007FF717742000-memory.dmp

Filesize
3.9MB

Download
memory/2312-108-0x00007FF717350000-0x00007FF717742000-memory.dmp

Filesize
3.9MB

Download
memory/2360-2659-0x00007FF6BFEC0000-0x00007FF6C02B2000-memory.dmp

Filesize
3.9MB

Download
memory/2360-62-0x00007FF6BFEC0000-0x00007FF6C02B2000-memory.dmp

Filesize
3.9MB

Download
memory/2568-47-0x00007FF723840000-0x00007FF723C32000-memory.dmp

Filesize
3.9MB

Download
memory/2568-2650-0x00007FF723840000-0x00007FF723C32000-memory.dmp

Filesize
3.9MB

Download
memory/2684-106-0x00007FF744410000-0x00007FF744802000-memory.dmp

Filesize
3.9MB

Download
memory/2684-2699-0x00007FF744410000-0x00007FF744802000-memory.dmp

Filesize
3.9MB

Download
memory/2820-115-0x00007FF774280000-0x00007FF774672000-memory.dmp

Filesize
3.9MB

Download
memory/2820-2653-0x00007FF774280000-0x00007FF774672000-memory.dmp

Filesize
3.9MB

Download
memory/2824-2684-0x00007FF71C7F0000-0x00007FF71CBE2000-memory.dmp

Filesize
3.9MB

Download
memory/2824-118-0x00007FF71C7F0000-0x00007FF71CBE2000-memory.dmp

Filesize
3.9MB

Download
memory/3044-29-0x0000020218710000-0x0000020218720000-memory.dmp

Filesize
64KB

Download
memory/3044-1613-0x00007FFFDFE10000-0x00007FFFE08D1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-28-0x00007FFFDFE10000-0x00007FFFE08D1000-memory.dmp

Filesize
10.8MB

Download
memory/3044-46-0x000002027FD70000-0x000002027FD92000-memory.dmp

Filesize
136KB

Download
memory/3044-48-0x0000020218710000-0x0000020218720000-memory.dmp

Filesize
64KB

Download
memory/3052-2666-0x00007FF735600000-0x00007FF7359F2000-memory.dmp

Filesize
3.9MB

Download
memory/3052-103-0x00007FF735600000-0x00007FF7359F2000-memory.dmp

Filesize
3.9MB

Download
memory/3184-2686-0x00007FF7EB420000-0x00007FF7EB812000-memory.dmp

Filesize
3.9MB

Download
memory/3184-105-0x00007FF7EB420000-0x00007FF7EB812000-memory.dmp

Filesize
3.9MB

Download
memory/3232-2701-0x00007FF72F140000-0x00007FF72F532000-memory.dmp

Filesize
3.9MB

Download
memory/3232-119-0x00007FF72F140000-0x00007FF72F532000-memory.dmp

Filesize
3.9MB

Download
memory/3804-2721-0x00007FF6E6330000-0x00007FF6E6722000-memory.dmp

Filesize
3.9MB

Download
memory/3804-112-0x00007FF6E6330000-0x00007FF6E6722000-memory.dmp

Filesize
3.9MB

Download
memory/3976-2760-0x00007FF62DB70000-0x00007FF62DF62000-memory.dmp

Filesize
3.9MB

Download
memory/3976-174-0x00007FF62DB70000-0x00007FF62DF62000-memory.dmp

Filesize
3.9MB

Download
memory/4376-110-0x00007FF67B440000-0x00007FF67B832000-memory.dmp

Filesize
3.9MB

Download
memory/4376-2717-0x00007FF67B440000-0x00007FF67B832000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2719-0x00007FF7CDD90000-0x00007FF7CE182000-memory.dmp

Filesize
3.9MB

Download
memory/4496-111-0x00007FF7CDD90000-0x00007FF7CE182000-memory.dmp

Filesize
3.9MB

Download
memory/4556-2758-0x00007FF644BC0000-0x00007FF644FB2000-memory.dmp

Filesize
3.9MB

Download
memory/4556-153-0x00007FF644BC0000-0x00007FF644FB2000-memory.dmp

Filesize
3.9MB

Download
memory/4596-0-0x00007FF634DC0000-0x00007FF6351B2000-memory.dmp

Filesize
3.9MB

Download
memory/4596-1-0x000001D4E9770000-0x000001D4E9780000-memory.dmp

Filesize
64KB

Download
memory/4756-2654-0x00007FF6760C0000-0x00007FF6764B2000-memory.dmp

Filesize
3.9MB

Download
memory/4756-116-0x00007FF6760C0000-0x00007FF6764B2000-memory.dmp

Filesize
3.9MB

Download
memory/5052-154-0x00007FF79A920000-0x00007FF79AD12000-memory.dmp

Filesize
3.9MB

Download
memory/5052-2763-0x00007FF79A920000-0x00007FF79AD12000-memory.dmp

Filesize
3.9MB

Download
memory/5092-2715-0x00007FF788620000-0x00007FF788A12000-memory.dmp

Filesize
3.9MB

Download
memory/5092-109-0x00007FF788620000-0x00007FF788A12000-memory.dmp

Filesize
3.9MB

Download