xmrig | 08b1fb7571cabe7fed53d86bb881223bb6b6905e0b22ab0bd0c1d8251bc5daaa

Analysis

max time kernel
81s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 12:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07a562b703be3290371261ffddb63500_JaffaCakes118.exe
Size

2.2MB
MD5

07a562b703be3290371261ffddb63500
SHA1

49e8e142c7a5a6e176dac7fe67a8b62399acea21
SHA256

08b1fb7571cabe7fed53d86bb881223bb6b6905e0b22ab0bd0c1d8251bc5daaa
SHA512

dcd9412fc3c6e01568528c7ea953f4986f935415b9a0578f71078e19eb2f809c4b6b60a20de9f78eadaa02981eff13fc318b017c0211f674c0b482104a3f4544
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1VQx7Va4qrf6:NABb

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 12604 created 12908	12604	WerFaultSecure.exe	683

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 39 IoCs

miner

resource	yara_rule
behavioral2/memory/3536-8-0x00007FF63D1B0000-0x00007FF63D5A2000-memory.dmp	xmrig
behavioral2/memory/2640-37-0x00007FF6B7C20000-0x00007FF6B8012000-memory.dmp	xmrig
behavioral2/memory/4000-74-0x00007FF762600000-0x00007FF7629F2000-memory.dmp	xmrig
behavioral2/memory/3160-120-0x00007FF6E17B0000-0x00007FF6E1BA2000-memory.dmp	xmrig
behavioral2/memory/3728-142-0x00007FF7D73C0000-0x00007FF7D77B2000-memory.dmp	xmrig
behavioral2/memory/4056-150-0x00007FF782520000-0x00007FF782912000-memory.dmp	xmrig
behavioral2/memory/5112-176-0x00007FF74D090000-0x00007FF74D482000-memory.dmp	xmrig
behavioral2/memory/1800-164-0x00007FF6308A0000-0x00007FF630C92000-memory.dmp	xmrig
behavioral2/memory/3708-157-0x00007FF6B7390000-0x00007FF6B7782000-memory.dmp	xmrig
behavioral2/memory/4424-156-0x00007FF70A350000-0x00007FF70A742000-memory.dmp	xmrig
behavioral2/memory/960-149-0x00007FF77B5F0000-0x00007FF77B9E2000-memory.dmp	xmrig
behavioral2/memory/3400-148-0x00007FF673A50000-0x00007FF673E42000-memory.dmp	xmrig
behavioral2/memory/4796-136-0x00007FF7C7BB0000-0x00007FF7C7FA2000-memory.dmp	xmrig
behavioral2/memory/3324-131-0x00007FF762180000-0x00007FF762572000-memory.dmp	xmrig
behavioral2/memory/4264-130-0x00007FF658460000-0x00007FF658852000-memory.dmp	xmrig
behavioral2/memory/1332-126-0x00007FF602EB0000-0x00007FF6032A2000-memory.dmp	xmrig
behavioral2/memory/1648-125-0x00007FF760080000-0x00007FF760472000-memory.dmp	xmrig
behavioral2/memory/2356-113-0x00007FF796F30000-0x00007FF797322000-memory.dmp	xmrig
behavioral2/memory/4936-98-0x00007FF775E70000-0x00007FF776262000-memory.dmp	xmrig
behavioral2/memory/2464-85-0x00007FF664D60000-0x00007FF665152000-memory.dmp	xmrig
behavioral2/memory/2644-4536-0x00007FF741380000-0x00007FF741772000-memory.dmp	xmrig
behavioral2/memory/2608-4534-0x00007FF78E0D0000-0x00007FF78E4C2000-memory.dmp	xmrig
behavioral2/memory/3856-4799-0x00007FF694AF0000-0x00007FF694EE2000-memory.dmp	xmrig
behavioral2/memory/4816-4806-0x00007FF7AB670000-0x00007FF7ABA62000-memory.dmp	xmrig
behavioral2/memory/4000-4812-0x00007FF762600000-0x00007FF7629F2000-memory.dmp	xmrig
behavioral2/memory/4936-4820-0x00007FF775E70000-0x00007FF776262000-memory.dmp	xmrig
behavioral2/memory/4264-4827-0x00007FF658460000-0x00007FF658852000-memory.dmp	xmrig
behavioral2/memory/1540-4832-0x00007FF614FD0000-0x00007FF6153C2000-memory.dmp	xmrig
behavioral2/memory/3324-4837-0x00007FF762180000-0x00007FF762572000-memory.dmp	xmrig
behavioral2/memory/3160-4839-0x00007FF6E17B0000-0x00007FF6E1BA2000-memory.dmp	xmrig
behavioral2/memory/4796-4842-0x00007FF7C7BB0000-0x00007FF7C7FA2000-memory.dmp	xmrig
behavioral2/memory/1648-4848-0x00007FF760080000-0x00007FF760472000-memory.dmp	xmrig
behavioral2/memory/1332-4851-0x00007FF602EB0000-0x00007FF6032A2000-memory.dmp	xmrig
behavioral2/memory/3400-4856-0x00007FF673A50000-0x00007FF673E42000-memory.dmp	xmrig
behavioral2/memory/4056-4866-0x00007FF782520000-0x00007FF782912000-memory.dmp	xmrig
behavioral2/memory/3728-4859-0x00007FF7D73C0000-0x00007FF7D77B2000-memory.dmp	xmrig
behavioral2/memory/3708-4870-0x00007FF6B7390000-0x00007FF6B7782000-memory.dmp	xmrig
behavioral2/memory/2608-4874-0x00007FF78E0D0000-0x00007FF78E4C2000-memory.dmp	xmrig
behavioral2/memory/2644-4878-0x00007FF741380000-0x00007FF741772000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3968	powershell.exe
5	3968	powershell.exe

Modifies Installed Components in the registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Active Setup\Installed Components	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3536	GsINEUh.exe
960	nmuKjoU.exe
1800	XKydOys.exe
4424	Ifwxkpe.exe
5112	RPpSzVG.exe
2640	jedVTgN.exe
3856	mtYKfMY.exe
4816	KjcKJzu.exe
4000	eragLTB.exe
4936	ZtKoRbH.exe
1540	dMcuzDj.exe
2356	yBuTZDa.exe
4264	oGApiwL.exe
3324	qgbTYjr.exe
3160	aeuSrrX.exe
4796	sRVLjDx.exe
1648	MIoliEu.exe
1332	HgPAHtx.exe
3728	aqmneUF.exe
3400	BHMftzC.exe
4056	ZxsEvcT.exe
3708	MulrMZy.exe
2608	rsMWDea.exe
2644	TJulJky.exe
1624	KZIWusW.exe
4340	WMKbMkO.exe
4400	YKNZoQd.exe
1916	TqApkft.exe
920	pKHUTjF.exe
4180	punSaUd.exe
4256	ZaogagY.exe
4776	tVCTSTs.exe
3964	JZynNgd.exe
3064	hISJJoQ.exe
1948	ltkAQKt.exe
4476	oFyKXVv.exe
2936	cahkDQw.exe
4216	vkqcBOk.exe
3380	ybtucSd.exe
4132	yIqXvzC.exe
1040	NZxPFRo.exe
860	cEgeHPK.exe
3224	OUylMSq.exe
2624	TJDkZQS.exe
808	twjQMzR.exe
3520	coqGsOD.exe
3740	QviBPhx.exe
4800	gQXxEPu.exe
4488	ONluLOd.exe
2544	aICIZUS.exe
4896	lkUcoPK.exe
4320	Rubnyff.exe
4012	ehUfolj.exe
3236	fBJYzMV.exe
4792	MLaFbSp.exe
4956	QUkwLCG.exe
1020	wmDSZqB.exe
3956	fbYpCFe.exe
3776	yWFzrEV.exe
5128	ImblnoZ.exe
5148	bymcFhn.exe
5176	oOIRGBT.exe
5204	uLntiHh.exe
5232	jZtefRK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2464-0-0x00007FF664D60000-0x00007FF665152000-memory.dmp	upx
behavioral2/files/0x0008000000023447-6.dat	upx
behavioral2/files/0x000700000002344b-10.dat	upx
behavioral2/memory/3536-8-0x00007FF63D1B0000-0x00007FF63D5A2000-memory.dmp	upx
behavioral2/files/0x000800000002344a-11.dat	upx
behavioral2/memory/960-14-0x00007FF77B5F0000-0x00007FF77B9E2000-memory.dmp	upx
behavioral2/memory/4424-28-0x00007FF70A350000-0x00007FF70A742000-memory.dmp	upx
behavioral2/files/0x000700000002344d-36.dat	upx
behavioral2/memory/2640-37-0x00007FF6B7C20000-0x00007FF6B8012000-memory.dmp	upx
behavioral2/memory/5112-34-0x00007FF74D090000-0x00007FF74D482000-memory.dmp	upx
behavioral2/files/0x000700000002344e-33.dat	upx
behavioral2/files/0x000700000002344c-27.dat	upx
behavioral2/memory/1800-20-0x00007FF6308A0000-0x00007FF630C92000-memory.dmp	upx
behavioral2/files/0x000700000002344f-52.dat	upx
behavioral2/memory/3856-54-0x00007FF694AF0000-0x00007FF694EE2000-memory.dmp	upx
behavioral2/files/0x0008000000023448-61.dat	upx
behavioral2/memory/4000-74-0x00007FF762600000-0x00007FF7629F2000-memory.dmp	upx
behavioral2/files/0x0008000000023451-78.dat	upx
behavioral2/files/0x0007000000023455-87.dat	upx
behavioral2/files/0x0007000000023456-104.dat	upx
behavioral2/files/0x0007000000023457-106.dat	upx
behavioral2/memory/3160-120-0x00007FF6E17B0000-0x00007FF6E1BA2000-memory.dmp	upx
behavioral2/files/0x000700000002345b-127.dat	upx
behavioral2/files/0x000700000002345c-133.dat	upx
behavioral2/memory/3728-142-0x00007FF7D73C0000-0x00007FF7D77B2000-memory.dmp	upx
behavioral2/memory/4056-150-0x00007FF782520000-0x00007FF782912000-memory.dmp	upx
behavioral2/files/0x000700000002345e-158.dat	upx
behavioral2/files/0x0007000000023462-182.dat	upx
behavioral2/files/0x0007000000023465-197.dat	upx
behavioral2/files/0x0007000000023468-204.dat	upx
behavioral2/files/0x0007000000023466-202.dat	upx
behavioral2/files/0x0007000000023467-199.dat	upx
behavioral2/files/0x0007000000023464-192.dat	upx
behavioral2/files/0x0007000000023463-187.dat	upx
behavioral2/files/0x0007000000023461-177.dat	upx
behavioral2/memory/5112-176-0x00007FF74D090000-0x00007FF74D482000-memory.dmp	upx
behavioral2/files/0x0007000000023460-171.dat	upx
behavioral2/memory/2644-170-0x00007FF741380000-0x00007FF741772000-memory.dmp	upx
behavioral2/files/0x000700000002345f-165.dat	upx
behavioral2/memory/1800-164-0x00007FF6308A0000-0x00007FF630C92000-memory.dmp	upx
behavioral2/memory/2608-163-0x00007FF78E0D0000-0x00007FF78E4C2000-memory.dmp	upx
behavioral2/memory/3708-157-0x00007FF6B7390000-0x00007FF6B7782000-memory.dmp	upx
behavioral2/memory/4424-156-0x00007FF70A350000-0x00007FF70A742000-memory.dmp	upx
behavioral2/files/0x000700000002345d-151.dat	upx
behavioral2/memory/960-149-0x00007FF77B5F0000-0x00007FF77B9E2000-memory.dmp	upx
behavioral2/memory/3400-148-0x00007FF673A50000-0x00007FF673E42000-memory.dmp	upx
behavioral2/memory/4796-136-0x00007FF7C7BB0000-0x00007FF7C7FA2000-memory.dmp	upx
behavioral2/memory/3324-131-0x00007FF762180000-0x00007FF762572000-memory.dmp	upx
behavioral2/memory/4264-130-0x00007FF658460000-0x00007FF658852000-memory.dmp	upx
behavioral2/memory/1332-126-0x00007FF602EB0000-0x00007FF6032A2000-memory.dmp	upx
behavioral2/memory/1648-125-0x00007FF760080000-0x00007FF760472000-memory.dmp	upx
behavioral2/files/0x000700000002345a-123.dat	upx
behavioral2/files/0x0007000000023459-118.dat	upx
behavioral2/memory/2356-113-0x00007FF796F30000-0x00007FF797322000-memory.dmp	upx
behavioral2/files/0x0007000000023458-111.dat	upx
behavioral2/memory/4936-98-0x00007FF775E70000-0x00007FF776262000-memory.dmp	upx
behavioral2/files/0x0007000000023452-95.dat	upx
behavioral2/files/0x0007000000023453-86.dat	upx
behavioral2/memory/2464-85-0x00007FF664D60000-0x00007FF665152000-memory.dmp	upx
behavioral2/files/0x0007000000023454-84.dat	upx
behavioral2/memory/1540-80-0x00007FF614FD0000-0x00007FF6153C2000-memory.dmp	upx
behavioral2/files/0x0008000000023450-66.dat	upx
behavioral2/memory/4816-60-0x00007FF7AB670000-0x00007FF7ABA62000-memory.dmp	upx
behavioral2/memory/2644-4536-0x00007FF741380000-0x00007FF741772000-memory.dmp	upx

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\D:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found
File opened (read-only)	\??\F:	Process not Found

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\WER1818.tmp.WERDataCollectionStatus.txt	WerFaultSecure.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\application\chrome.exe	explorer.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\wordicon.exe	explorer.exe
File opened for modification	\??\c:\program files\microsoft office\root\vfs\windows\installer\{90160000-000f-0000-1000-0000000ff1ce}\pptico.exe	explorer.exe
File opened for modification	\??\c:\program files\microsoft office\root\office16\vviewer.dll	explorer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\yJfimLG.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\tBNjOzU.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\OIUhXRl.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\YaVeOEb.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\edHeTrl.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\ukXJNnR.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\OFnmPxE.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\mkuKHCw.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\SNYStQM.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\uIwbqPk.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\wQJMxtl.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\cGDHwuA.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\VnsOsaU.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\BnrDoQG.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\ksbTGFC.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\ffZtOMM.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\GuEIdqG.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\XmbnTfY.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\ufiOqVT.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\dccCqfg.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\sQoVsdP.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\JgooBxn.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\mpItSsR.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\dHkUGkg.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\wmLuqzY.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\iYxKAOA.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\qsKylfb.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\OuQiHWF.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\WMtTWFm.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\tQCgadb.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\JGrcHQj.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\dYATjjE.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\dqdhHLv.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\xPvxDXC.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\ZfIqUYC.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\ZoXxJap.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\JHAzfbo.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\PxVtRVd.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\ORUllss.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\WKLPcrg.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\sNMiNCM.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\GuiPHbl.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\TQfTLZJ.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\wFMPzuL.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\sqmPwbR.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\kHDNTFp.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\BdlKhxR.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\bkUTqUC.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\KnVVtoT.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\YgPQqBJ.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\WDJTSPM.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\iUEdYLL.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\wsgNRwo.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\DFrhmsS.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\hJTRNfj.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\yXkDdGS.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\fcwPKbT.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\jGLXqQv.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\NkiGFRf.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\hQhKRiO.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\YUNvcRG.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\FLfcykZ.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\KSZWipW.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
File created	C:\Windows\System\hDWapkI.exe	07a562b703be3290371261ffddb63500_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Process not Found
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	Process not Found

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{7787CB79-7ACC-4C67-9F01-169286EACACB}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{8E3872F2-9DD1-497C-B711-D689E5F0B7E6}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{D0297A68-EA1A-4754-AD68-BAF6E2FEDA9D}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{E9F8BBFB-B2AB-4B39-85E6-40976833D5CE}	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{8EC656DB-1B8B-467A-96CA-B0B3B15067F3}	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\MuiCache	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3968	powershell.exe
3968	powershell.exe
12764	WerFaultSecure.exe
12764	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe
Token: SeDebugPrivilege	3968	powershell.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	12812	explorer.exe
Token: SeCreatePagefilePrivilege	12812	explorer.exe
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	10072	Process not Found
Token: SeCreatePagefilePrivilege	10072	Process not Found
Token: SeShutdownPrivilege	13476	Process not Found
Token: SeCreatePagefilePrivilege	13476	Process not Found
Token: SeShutdownPrivilege	13476	Process not Found
Token: SeCreatePagefilePrivilege	13476	Process not Found
Token: SeShutdownPrivilege	13476	Process not Found
Token: SeCreatePagefilePrivilege	13476	Process not Found
Token: SeShutdownPrivilege	13476	Process not Found
Token: SeCreatePagefilePrivilege	13476	Process not Found
Token: SeShutdownPrivilege	13476	Process not Found
Token: SeCreatePagefilePrivilege	13476	Process not Found
Token: SeShutdownPrivilege	13800	Process not Found
Token: SeCreatePagefilePrivilege	13800	Process not Found
Token: SeShutdownPrivilege	13800	Process not Found
Token: SeCreatePagefilePrivilege	13800	Process not Found
Token: SeShutdownPrivilege	13800	Process not Found
Token: SeCreatePagefilePrivilege	13800	Process not Found
Token: SeShutdownPrivilege	13800	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
13152	sihost.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
12812	explorer.exe
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
10072	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13476	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
13800	Process not Found
15488	Process not Found
15488	Process not Found
15488	Process not Found
15488	Process not Found
15488	Process not Found
15488	Process not Found

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
9448	StartMenuExperienceHost.exe
7904	Process not Found
12732	Process not Found
3848	SearchApp.exe
16068	Process not Found
15600	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3968	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	85
PID 2464 wrote to memory of 3968	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	85
PID 2464 wrote to memory of 3536	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	86
PID 2464 wrote to memory of 3536	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	86
PID 2464 wrote to memory of 960	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	87
PID 2464 wrote to memory of 960	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	87
PID 2464 wrote to memory of 1800	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	88
PID 2464 wrote to memory of 1800	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	88
PID 2464 wrote to memory of 4424	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	89
PID 2464 wrote to memory of 4424	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	89
PID 2464 wrote to memory of 5112	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	91
PID 2464 wrote to memory of 5112	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	91
PID 2464 wrote to memory of 2640	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	92
PID 2464 wrote to memory of 2640	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	92
PID 2464 wrote to memory of 3856	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	93
PID 2464 wrote to memory of 3856	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	93
PID 2464 wrote to memory of 4816	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	95
PID 2464 wrote to memory of 4816	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	95
PID 2464 wrote to memory of 4000	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	96
PID 2464 wrote to memory of 4000	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	96
PID 2464 wrote to memory of 4936	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	97
PID 2464 wrote to memory of 4936	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	97
PID 2464 wrote to memory of 2356	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	98
PID 2464 wrote to memory of 2356	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	98
PID 2464 wrote to memory of 1540	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	99
PID 2464 wrote to memory of 1540	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	99
PID 2464 wrote to memory of 4264	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	100
PID 2464 wrote to memory of 4264	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	100
PID 2464 wrote to memory of 3324	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	101
PID 2464 wrote to memory of 3324	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	101
PID 2464 wrote to memory of 3160	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	102
PID 2464 wrote to memory of 3160	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	102
PID 2464 wrote to memory of 4796	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	103
PID 2464 wrote to memory of 4796	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	103
PID 2464 wrote to memory of 1648	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	104
PID 2464 wrote to memory of 1648	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	104
PID 2464 wrote to memory of 1332	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	105
PID 2464 wrote to memory of 1332	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	105
PID 2464 wrote to memory of 3728	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	106
PID 2464 wrote to memory of 3728	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	106
PID 2464 wrote to memory of 3400	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	107
PID 2464 wrote to memory of 3400	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	107
PID 2464 wrote to memory of 4056	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	108
PID 2464 wrote to memory of 4056	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	108
PID 2464 wrote to memory of 3708	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	109
PID 2464 wrote to memory of 3708	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	109
PID 2464 wrote to memory of 2608	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	110
PID 2464 wrote to memory of 2608	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	110
PID 2464 wrote to memory of 2644	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	111
PID 2464 wrote to memory of 2644	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	111
PID 2464 wrote to memory of 1624	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	112
PID 2464 wrote to memory of 1624	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	112
PID 2464 wrote to memory of 4340	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	113
PID 2464 wrote to memory of 4340	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	113
PID 2464 wrote to memory of 4400	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	114
PID 2464 wrote to memory of 4400	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	114
PID 2464 wrote to memory of 1916	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	115
PID 2464 wrote to memory of 1916	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	115
PID 2464 wrote to memory of 920	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	116
PID 2464 wrote to memory of 920	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	116
PID 2464 wrote to memory of 4180	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	117
PID 2464 wrote to memory of 4180	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	117
PID 2464 wrote to memory of 4256	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	118
PID 2464 wrote to memory of 4256	2464	07a562b703be3290371261ffddb63500_JaffaCakes118.exe	118

C:\Users\Admin\AppData\Local\Temp\07a562b703be3290371261ffddb63500_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07a562b703be3290371261ffddb63500_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3968
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3968" "2920" "2872" "2924" "0" "0" "2948" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1392
- C:\Windows\System\GsINEUh.exe
  C:\Windows\System\GsINEUh.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\nmuKjoU.exe
  C:\Windows\System\nmuKjoU.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\XKydOys.exe
  C:\Windows\System\XKydOys.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\Ifwxkpe.exe
  C:\Windows\System\Ifwxkpe.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\RPpSzVG.exe
  C:\Windows\System\RPpSzVG.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\jedVTgN.exe
  C:\Windows\System\jedVTgN.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\mtYKfMY.exe
  C:\Windows\System\mtYKfMY.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\KjcKJzu.exe
  C:\Windows\System\KjcKJzu.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\eragLTB.exe
  C:\Windows\System\eragLTB.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\ZtKoRbH.exe
  C:\Windows\System\ZtKoRbH.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\yBuTZDa.exe
  C:\Windows\System\yBuTZDa.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\dMcuzDj.exe
  C:\Windows\System\dMcuzDj.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\oGApiwL.exe
  C:\Windows\System\oGApiwL.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Windows\System\qgbTYjr.exe
  C:\Windows\System\qgbTYjr.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\aeuSrrX.exe
  C:\Windows\System\aeuSrrX.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\sRVLjDx.exe
  C:\Windows\System\sRVLjDx.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\MIoliEu.exe
  C:\Windows\System\MIoliEu.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\HgPAHtx.exe
  C:\Windows\System\HgPAHtx.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\aqmneUF.exe
  C:\Windows\System\aqmneUF.exe
  2⤵
  - Executes dropped EXE
  PID:3728
- C:\Windows\System\BHMftzC.exe
  C:\Windows\System\BHMftzC.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\ZxsEvcT.exe
  C:\Windows\System\ZxsEvcT.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\MulrMZy.exe
  C:\Windows\System\MulrMZy.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\rsMWDea.exe
  C:\Windows\System\rsMWDea.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\TJulJky.exe
  C:\Windows\System\TJulJky.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\KZIWusW.exe
  C:\Windows\System\KZIWusW.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\WMKbMkO.exe
  C:\Windows\System\WMKbMkO.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\YKNZoQd.exe
  C:\Windows\System\YKNZoQd.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\TqApkft.exe
  C:\Windows\System\TqApkft.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\pKHUTjF.exe
  C:\Windows\System\pKHUTjF.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\punSaUd.exe
  C:\Windows\System\punSaUd.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\ZaogagY.exe
  C:\Windows\System\ZaogagY.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\tVCTSTs.exe
  C:\Windows\System\tVCTSTs.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\JZynNgd.exe
  C:\Windows\System\JZynNgd.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\hISJJoQ.exe
  C:\Windows\System\hISJJoQ.exe
  2⤵
  - Executes dropped EXE
  PID:3064
- C:\Windows\System\ltkAQKt.exe
  C:\Windows\System\ltkAQKt.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\oFyKXVv.exe
  C:\Windows\System\oFyKXVv.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\cahkDQw.exe
  C:\Windows\System\cahkDQw.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\vkqcBOk.exe
  C:\Windows\System\vkqcBOk.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\ybtucSd.exe
  C:\Windows\System\ybtucSd.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\yIqXvzC.exe
  C:\Windows\System\yIqXvzC.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\NZxPFRo.exe
  C:\Windows\System\NZxPFRo.exe
  2⤵
  - Executes dropped EXE
  PID:1040
- C:\Windows\System\cEgeHPK.exe
  C:\Windows\System\cEgeHPK.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\OUylMSq.exe
  C:\Windows\System\OUylMSq.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\TJDkZQS.exe
  C:\Windows\System\TJDkZQS.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\twjQMzR.exe
  C:\Windows\System\twjQMzR.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\coqGsOD.exe
  C:\Windows\System\coqGsOD.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\QviBPhx.exe
  C:\Windows\System\QviBPhx.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\gQXxEPu.exe
  C:\Windows\System\gQXxEPu.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\ONluLOd.exe
  C:\Windows\System\ONluLOd.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\aICIZUS.exe
  C:\Windows\System\aICIZUS.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\lkUcoPK.exe
  C:\Windows\System\lkUcoPK.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\Rubnyff.exe
  C:\Windows\System\Rubnyff.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\ehUfolj.exe
  C:\Windows\System\ehUfolj.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\fBJYzMV.exe
  C:\Windows\System\fBJYzMV.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\MLaFbSp.exe
  C:\Windows\System\MLaFbSp.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\QUkwLCG.exe
  C:\Windows\System\QUkwLCG.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\wmDSZqB.exe
  C:\Windows\System\wmDSZqB.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\fbYpCFe.exe
  C:\Windows\System\fbYpCFe.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\yWFzrEV.exe
  C:\Windows\System\yWFzrEV.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\ImblnoZ.exe
  C:\Windows\System\ImblnoZ.exe
  2⤵
  - Executes dropped EXE
  PID:5128
- C:\Windows\System\bymcFhn.exe
  C:\Windows\System\bymcFhn.exe
  2⤵
  - Executes dropped EXE
  PID:5148
- C:\Windows\System\oOIRGBT.exe
  C:\Windows\System\oOIRGBT.exe
  2⤵
  - Executes dropped EXE
  PID:5176
- C:\Windows\System\uLntiHh.exe
  C:\Windows\System\uLntiHh.exe
  2⤵
  - Executes dropped EXE
  PID:5204
- C:\Windows\System\jZtefRK.exe
  C:\Windows\System\jZtefRK.exe
  2⤵
  - Executes dropped EXE
  PID:5232
- C:\Windows\System\mYTvctJ.exe
  C:\Windows\System\mYTvctJ.exe
  2⤵
  PID:5260
- C:\Windows\System\iZhsPip.exe
  C:\Windows\System\iZhsPip.exe
  2⤵
  PID:5292
- C:\Windows\System\ZMlLkIS.exe
  C:\Windows\System\ZMlLkIS.exe
  2⤵
  PID:5316
- C:\Windows\System\GsoIsCU.exe
  C:\Windows\System\GsoIsCU.exe
  2⤵
  PID:5344
- C:\Windows\System\scbslTW.exe
  C:\Windows\System\scbslTW.exe
  2⤵
  PID:5372
- C:\Windows\System\qsLNWDP.exe
  C:\Windows\System\qsLNWDP.exe
  2⤵
  PID:5404
- C:\Windows\System\wukfKgZ.exe
  C:\Windows\System\wukfKgZ.exe
  2⤵
  PID:5428
- C:\Windows\System\SECWDrt.exe
  C:\Windows\System\SECWDrt.exe
  2⤵
  PID:5460
- C:\Windows\System\DOoVuNM.exe
  C:\Windows\System\DOoVuNM.exe
  2⤵
  PID:5492
- C:\Windows\System\WBIECbr.exe
  C:\Windows\System\WBIECbr.exe
  2⤵
  PID:5520
- C:\Windows\System\QjpWGyV.exe
  C:\Windows\System\QjpWGyV.exe
  2⤵
  PID:5552
- C:\Windows\System\JjNTMYp.exe
  C:\Windows\System\JjNTMYp.exe
  2⤵
  PID:5576
- C:\Windows\System\paqvFOr.exe
  C:\Windows\System\paqvFOr.exe
  2⤵
  PID:5604
- C:\Windows\System\ptSAkqY.exe
  C:\Windows\System\ptSAkqY.exe
  2⤵
  PID:5624
- C:\Windows\System\foPcvNg.exe
  C:\Windows\System\foPcvNg.exe
  2⤵
  PID:5652
- C:\Windows\System\zQLjBWv.exe
  C:\Windows\System\zQLjBWv.exe
  2⤵
  PID:5680
- C:\Windows\System\cyTWdKa.exe
  C:\Windows\System\cyTWdKa.exe
  2⤵
  PID:5708
- C:\Windows\System\eBjzgXM.exe
  C:\Windows\System\eBjzgXM.exe
  2⤵
  PID:5736
- C:\Windows\System\hjnMTXm.exe
  C:\Windows\System\hjnMTXm.exe
  2⤵
  PID:5764
- C:\Windows\System\lIrHzEu.exe
  C:\Windows\System\lIrHzEu.exe
  2⤵
  PID:5792
- C:\Windows\System\OSuuxdf.exe
  C:\Windows\System\OSuuxdf.exe
  2⤵
  PID:5820
- C:\Windows\System\usbhSqd.exe
  C:\Windows\System\usbhSqd.exe
  2⤵
  PID:5844
- C:\Windows\System\VsxDOwo.exe
  C:\Windows\System\VsxDOwo.exe
  2⤵
  PID:5872
- C:\Windows\System\EPNPDaL.exe
  C:\Windows\System\EPNPDaL.exe
  2⤵
  PID:5900
- C:\Windows\System\mjQrdnv.exe
  C:\Windows\System\mjQrdnv.exe
  2⤵
  PID:5932
- C:\Windows\System\IWeVOQF.exe
  C:\Windows\System\IWeVOQF.exe
  2⤵
  PID:5960
- C:\Windows\System\rPWaCzH.exe
  C:\Windows\System\rPWaCzH.exe
  2⤵
  PID:5988
- C:\Windows\System\wNuPRqN.exe
  C:\Windows\System\wNuPRqN.exe
  2⤵
  PID:6016
- C:\Windows\System\efyLPwa.exe
  C:\Windows\System\efyLPwa.exe
  2⤵
  PID:6044
- C:\Windows\System\nHYwbBQ.exe
  C:\Windows\System\nHYwbBQ.exe
  2⤵
  PID:6068
- C:\Windows\System\RmhNtKe.exe
  C:\Windows\System\RmhNtKe.exe
  2⤵
  PID:6096
- C:\Windows\System\DYrnHQv.exe
  C:\Windows\System\DYrnHQv.exe
  2⤵
  PID:6124
- C:\Windows\System\esgNmxl.exe
  C:\Windows\System\esgNmxl.exe
  2⤵
  PID:396
- C:\Windows\System\dnlXoba.exe
  C:\Windows\System\dnlXoba.exe
  2⤵
  PID:1724
- C:\Windows\System\QUSeAkw.exe
  C:\Windows\System\QUSeAkw.exe
  2⤵
  PID:4564
- C:\Windows\System\eUBAJHI.exe
  C:\Windows\System\eUBAJHI.exe
  2⤵
  PID:2216
- C:\Windows\System\RudASxj.exe
  C:\Windows\System\RudASxj.exe
  2⤵
  PID:5160
- C:\Windows\System\muKgtNL.exe
  C:\Windows\System\muKgtNL.exe
  2⤵
  PID:5220
- C:\Windows\System\HVNxmwL.exe
  C:\Windows\System\HVNxmwL.exe
  2⤵
  PID:5280
- C:\Windows\System\UlkvHru.exe
  C:\Windows\System\UlkvHru.exe
  2⤵
  PID:5356
- C:\Windows\System\MxoiGlt.exe
  C:\Windows\System\MxoiGlt.exe
  2⤵
  PID:5420
- C:\Windows\System\QSZUACG.exe
  C:\Windows\System\QSZUACG.exe
  2⤵
  PID:5476
- C:\Windows\System\UVXLJjE.exe
  C:\Windows\System\UVXLJjE.exe
  2⤵
  PID:5544
- C:\Windows\System\Rpovtvb.exe
  C:\Windows\System\Rpovtvb.exe
  2⤵
  PID:5616
- C:\Windows\System\oUFvmLB.exe
  C:\Windows\System\oUFvmLB.exe
  2⤵
  PID:5672
- C:\Windows\System\htWxvHd.exe
  C:\Windows\System\htWxvHd.exe
  2⤵
  PID:5728
- C:\Windows\System\uYlPsma.exe
  C:\Windows\System\uYlPsma.exe
  2⤵
  PID:5784
- C:\Windows\System\axiHWUL.exe
  C:\Windows\System\axiHWUL.exe
  2⤵
  PID:5388
- C:\Windows\System\arPTIYi.exe
  C:\Windows\System\arPTIYi.exe
  2⤵
  PID:5472
- C:\Windows\System\GQSjfrp.exe
  C:\Windows\System\GQSjfrp.exe
  2⤵
  PID:5592
- C:\Windows\System\aNlVrbw.exe
  C:\Windows\System\aNlVrbw.exe
  2⤵
  PID:4904
- C:\Windows\System\xCgvuHH.exe
  C:\Windows\System\xCgvuHH.exe
  2⤵
  PID:1480
- C:\Windows\System\uVpTdxm.exe
  C:\Windows\System\uVpTdxm.exe
  2⤵
  PID:3212
- C:\Windows\System\CiqKilA.exe
  C:\Windows\System\CiqKilA.exe
  2⤵
  PID:3704
- C:\Windows\System\pAgPGSB.exe
  C:\Windows\System\pAgPGSB.exe
  2⤵
  PID:1428
- C:\Windows\System\GCzCaCE.exe
  C:\Windows\System\GCzCaCE.exe
  2⤵
  PID:2620
- C:\Windows\System\XNDMHjL.exe
  C:\Windows\System\XNDMHjL.exe
  2⤵
  PID:4552
- C:\Windows\System\wLCxkpo.exe
  C:\Windows\System\wLCxkpo.exe
  2⤵
  PID:4544
- C:\Windows\System\gdUjZqm.exe
  C:\Windows\System\gdUjZqm.exe
  2⤵
  PID:2336
- C:\Windows\System\XamYgdL.exe
  C:\Windows\System\XamYgdL.exe
  2⤵
  PID:5664
- C:\Windows\System\uPpgLMF.exe
  C:\Windows\System\uPpgLMF.exe
  2⤵
  PID:3844
- C:\Windows\System\QoWMCwc.exe
  C:\Windows\System\QoWMCwc.exe
  2⤵
  PID:6060
- C:\Windows\System\znDyPak.exe
  C:\Windows\System\znDyPak.exe
  2⤵
  PID:6008
- C:\Windows\System\kikEttr.exe
  C:\Windows\System\kikEttr.exe
  2⤵
  PID:5980
- C:\Windows\System\TSAAeaM.exe
  C:\Windows\System\TSAAeaM.exe
  2⤵
  PID:5920
- C:\Windows\System\fZQrkrg.exe
  C:\Windows\System\fZQrkrg.exe
  2⤵
  PID:4272
- C:\Windows\System\xPvxDXC.exe
  C:\Windows\System\xPvxDXC.exe
  2⤵
  PID:1132
- C:\Windows\System\RSuWMfN.exe
  C:\Windows\System\RSuWMfN.exe
  2⤵
  PID:4188
- C:\Windows\System\JSdnoUk.exe
  C:\Windows\System\JSdnoUk.exe
  2⤵
  PID:3756
- C:\Windows\System\BFVAnnC.exe
  C:\Windows\System\BFVAnnC.exe
  2⤵
  PID:4356
- C:\Windows\System\PxZUEnV.exe
  C:\Windows\System\PxZUEnV.exe
  2⤵
  PID:1068
- C:\Windows\System\GBwzNsm.exe
  C:\Windows\System\GBwzNsm.exe
  2⤵
  PID:6092
- C:\Windows\System\QHIKDij.exe
  C:\Windows\System\QHIKDij.exe
  2⤵
  PID:1864
- C:\Windows\System\OtCaLxC.exe
  C:\Windows\System\OtCaLxC.exe
  2⤵
  PID:3960
- C:\Windows\System\daQHjqy.exe
  C:\Windows\System\daQHjqy.exe
  2⤵
  PID:1376
- C:\Windows\System\ycvsPFP.exe
  C:\Windows\System\ycvsPFP.exe
  2⤵
  PID:4908
- C:\Windows\System\JCjrWeA.exe
  C:\Windows\System\JCjrWeA.exe
  2⤵
  PID:2912
- C:\Windows\System\MInFDpE.exe
  C:\Windows\System\MInFDpE.exe
  2⤵
  PID:3280
- C:\Windows\System\AcJudKS.exe
  C:\Windows\System\AcJudKS.exe
  2⤵
  PID:3352
- C:\Windows\System\NDDAryX.exe
  C:\Windows\System\NDDAryX.exe
  2⤵
  PID:3764
- C:\Windows\System\EXFffwf.exe
  C:\Windows\System\EXFffwf.exe
  2⤵
  PID:2040
- C:\Windows\System\XOaTJwx.exe
  C:\Windows\System\XOaTJwx.exe
  2⤵
  PID:6000
- C:\Windows\System\HtoVUsl.exe
  C:\Windows\System\HtoVUsl.exe
  2⤵
  PID:5892
- C:\Windows\System\RrfGYAz.exe
  C:\Windows\System\RrfGYAz.exe
  2⤵
  PID:6088
- C:\Windows\System\iUgRqsZ.exe
  C:\Windows\System\iUgRqsZ.exe
  2⤵
  PID:2480
- C:\Windows\System\dnyrTyV.exe
  C:\Windows\System\dnyrTyV.exe
  2⤵
  PID:1368
- C:\Windows\System\ZPUXxNS.exe
  C:\Windows\System\ZPUXxNS.exe
  2⤵
  PID:5448
- C:\Windows\System\npgpBQN.exe
  C:\Windows\System\npgpBQN.exe
  2⤵
  PID:5540
- C:\Windows\System\QjhTHaT.exe
  C:\Windows\System\QjhTHaT.exe
  2⤵
  PID:5832
- C:\Windows\System\drapRPC.exe
  C:\Windows\System\drapRPC.exe
  2⤵
  PID:1088
- C:\Windows\System\gMyBUAy.exe
  C:\Windows\System\gMyBUAy.exe
  2⤵
  PID:5140
- C:\Windows\System\JVeDWZR.exe
  C:\Windows\System\JVeDWZR.exe
  2⤵
  PID:400
- C:\Windows\System\StJYboV.exe
  C:\Windows\System\StJYboV.exe
  2⤵
  PID:5948
- C:\Windows\System\mRewuSj.exe
  C:\Windows\System\mRewuSj.exe
  2⤵
  PID:624
- C:\Windows\System\KdIFrxJ.exe
  C:\Windows\System\KdIFrxJ.exe
  2⤵
  PID:4016
- C:\Windows\System\PvQRInD.exe
  C:\Windows\System\PvQRInD.exe
  2⤵
  PID:4284
- C:\Windows\System\LRsqKeg.exe
  C:\Windows\System\LRsqKeg.exe
  2⤵
  PID:1552
- C:\Windows\System\cfDDLNW.exe
  C:\Windows\System\cfDDLNW.exe
  2⤵
  PID:3180
- C:\Windows\System\SjwBWFQ.exe
  C:\Windows\System\SjwBWFQ.exe
  2⤵
  PID:1524
- C:\Windows\System\GyWmRMa.exe
  C:\Windows\System\GyWmRMa.exe
  2⤵
  PID:6168
- C:\Windows\System\etZltML.exe
  C:\Windows\System\etZltML.exe
  2⤵
  PID:6196
- C:\Windows\System\eSYusZB.exe
  C:\Windows\System\eSYusZB.exe
  2⤵
  PID:6220
- C:\Windows\System\NxXnzNd.exe
  C:\Windows\System\NxXnzNd.exe
  2⤵
  PID:6256
- C:\Windows\System\NLmRfCk.exe
  C:\Windows\System\NLmRfCk.exe
  2⤵
  PID:6280
- C:\Windows\System\ATRcDsO.exe
  C:\Windows\System\ATRcDsO.exe
  2⤵
  PID:6300
- C:\Windows\System\fssUuMg.exe
  C:\Windows\System\fssUuMg.exe
  2⤵
  PID:6316
- C:\Windows\System\EecGTvj.exe
  C:\Windows\System\EecGTvj.exe
  2⤵
  PID:6336
- C:\Windows\System\UooBkyb.exe
  C:\Windows\System\UooBkyb.exe
  2⤵
  PID:6360
- C:\Windows\System\VMqLgIo.exe
  C:\Windows\System\VMqLgIo.exe
  2⤵
  PID:6388
- C:\Windows\System\KtUshso.exe
  C:\Windows\System\KtUshso.exe
  2⤵
  PID:6404
- C:\Windows\System\jvacHcM.exe
  C:\Windows\System\jvacHcM.exe
  2⤵
  PID:6452
- C:\Windows\System\nWJPksd.exe
  C:\Windows\System\nWJPksd.exe
  2⤵
  PID:6496
- C:\Windows\System\SaEmDqe.exe
  C:\Windows\System\SaEmDqe.exe
  2⤵
  PID:6516
- C:\Windows\System\wpZcXAv.exe
  C:\Windows\System\wpZcXAv.exe
  2⤵
  PID:6540
- C:\Windows\System\ezGImps.exe
  C:\Windows\System\ezGImps.exe
  2⤵
  PID:6560
- C:\Windows\System\pQzlEzY.exe
  C:\Windows\System\pQzlEzY.exe
  2⤵
  PID:6588
- C:\Windows\System\dUEIkLa.exe
  C:\Windows\System\dUEIkLa.exe
  2⤵
  PID:6632
- C:\Windows\System\NwkLFyz.exe
  C:\Windows\System\NwkLFyz.exe
  2⤵
  PID:6672
- C:\Windows\System\fIghrxd.exe
  C:\Windows\System\fIghrxd.exe
  2⤵
  PID:6700
- C:\Windows\System\mwOBTEr.exe
  C:\Windows\System\mwOBTEr.exe
  2⤵
  PID:6724
- C:\Windows\System\GqROgwq.exe
  C:\Windows\System\GqROgwq.exe
  2⤵
  PID:6748
- C:\Windows\System\IjcsXTk.exe
  C:\Windows\System\IjcsXTk.exe
  2⤵
  PID:6768
- C:\Windows\System\BjiwUSE.exe
  C:\Windows\System\BjiwUSE.exe
  2⤵
  PID:6796
- C:\Windows\System\CDKuvzN.exe
  C:\Windows\System\CDKuvzN.exe
  2⤵
  PID:6816
- C:\Windows\System\fkHulNg.exe
  C:\Windows\System\fkHulNg.exe
  2⤵
  PID:6872
- C:\Windows\System\erhKhTc.exe
  C:\Windows\System\erhKhTc.exe
  2⤵
  PID:6892
- C:\Windows\System\MscOyxK.exe
  C:\Windows\System\MscOyxK.exe
  2⤵
  PID:6912
- C:\Windows\System\ArHwiDG.exe
  C:\Windows\System\ArHwiDG.exe
  2⤵
  PID:6960
- C:\Windows\System\JeHJzjX.exe
  C:\Windows\System\JeHJzjX.exe
  2⤵
  PID:6980
- C:\Windows\System\PFzXWWx.exe
  C:\Windows\System\PFzXWWx.exe
  2⤵
  PID:7012
- C:\Windows\System\duMZrhP.exe
  C:\Windows\System\duMZrhP.exe
  2⤵
  PID:7032
- C:\Windows\System\dHtriBK.exe
  C:\Windows\System\dHtriBK.exe
  2⤵
  PID:7052
- C:\Windows\System\UHvKUSv.exe
  C:\Windows\System\UHvKUSv.exe
  2⤵
  PID:7080
- C:\Windows\System\tsCGHHw.exe
  C:\Windows\System\tsCGHHw.exe
  2⤵
  PID:7108
- C:\Windows\System\fmEbcbh.exe
  C:\Windows\System\fmEbcbh.exe
  2⤵
  PID:7128
- C:\Windows\System\YCyBnkN.exe
  C:\Windows\System\YCyBnkN.exe
  2⤵
  PID:7148
- C:\Windows\System\mWKhWzZ.exe
  C:\Windows\System\mWKhWzZ.exe
  2⤵
  PID:7164
- C:\Windows\System\whwMiSG.exe
  C:\Windows\System\whwMiSG.exe
  2⤵
  PID:6208
- C:\Windows\System\AtSsdNA.exe
  C:\Windows\System\AtSsdNA.exe
  2⤵
  PID:6268
- C:\Windows\System\MIbQVeB.exe
  C:\Windows\System\MIbQVeB.exe
  2⤵
  PID:6356
- C:\Windows\System\EDdfWxb.exe
  C:\Windows\System\EDdfWxb.exe
  2⤵
  PID:6448
- C:\Windows\System\zddloMo.exe
  C:\Windows\System\zddloMo.exe
  2⤵
  PID:6484
- C:\Windows\System\KqRamEr.exe
  C:\Windows\System\KqRamEr.exe
  2⤵
  PID:6556
- C:\Windows\System\JOAfKxd.exe
  C:\Windows\System\JOAfKxd.exe
  2⤵
  PID:6696
- C:\Windows\System\Jloewyf.exe
  C:\Windows\System\Jloewyf.exe
  2⤵
  PID:6732
- C:\Windows\System\mCeUeyL.exe
  C:\Windows\System\mCeUeyL.exe
  2⤵
  PID:6824
- C:\Windows\System\QHpAeHm.exe
  C:\Windows\System\QHpAeHm.exe
  2⤵
  PID:6888
- C:\Windows\System\OBBgYJe.exe
  C:\Windows\System\OBBgYJe.exe
  2⤵
  PID:6948
- C:\Windows\System\wGBdNBN.exe
  C:\Windows\System\wGBdNBN.exe
  2⤵
  PID:7000
- C:\Windows\System\VdnsHLX.exe
  C:\Windows\System\VdnsHLX.exe
  2⤵
  PID:7048
- C:\Windows\System\dccCqfg.exe
  C:\Windows\System\dccCqfg.exe
  2⤵
  PID:7072
- C:\Windows\System\ZvPZEPp.exe
  C:\Windows\System\ZvPZEPp.exe
  2⤵
  PID:7156
- C:\Windows\System\iWcKXZz.exe
  C:\Windows\System\iWcKXZz.exe
  2⤵
  PID:6244
- C:\Windows\System\kRSGAYZ.exe
  C:\Windows\System\kRSGAYZ.exe
  2⤵
  PID:6492
- C:\Windows\System\YQzpkAP.exe
  C:\Windows\System\YQzpkAP.exe
  2⤵
  PID:6668
- C:\Windows\System\CMHzQdR.exe
  C:\Windows\System\CMHzQdR.exe
  2⤵
  PID:6712
- C:\Windows\System\AiTGwaS.exe
  C:\Windows\System\AiTGwaS.exe
  2⤵
  PID:6904
- C:\Windows\System\KCOMIvd.exe
  C:\Windows\System\KCOMIvd.exe
  2⤵
  PID:7124
- C:\Windows\System\LdgAsAH.exe
  C:\Windows\System\LdgAsAH.exe
  2⤵
  PID:6444
- C:\Windows\System\COwbGYt.exe
  C:\Windows\System\COwbGYt.exe
  2⤵
  PID:6532
- C:\Windows\System\VEViEvT.exe
  C:\Windows\System\VEViEvT.exe
  2⤵
  PID:7020
- C:\Windows\System\pWyvDNU.exe
  C:\Windows\System\pWyvDNU.exe
  2⤵
  PID:7172
- C:\Windows\System\WappsYG.exe
  C:\Windows\System\WappsYG.exe
  2⤵
  PID:7212
- C:\Windows\System\GJgaJmu.exe
  C:\Windows\System\GJgaJmu.exe
  2⤵
  PID:7232
- C:\Windows\System\JBYXQql.exe
  C:\Windows\System\JBYXQql.exe
  2⤵
  PID:7248
- C:\Windows\System\TIDLlRf.exe
  C:\Windows\System\TIDLlRf.exe
  2⤵
  PID:7272
- C:\Windows\System\TPjQXDf.exe
  C:\Windows\System\TPjQXDf.exe
  2⤵
  PID:7300
- C:\Windows\System\IQkUAqP.exe
  C:\Windows\System\IQkUAqP.exe
  2⤵
  PID:7320
- C:\Windows\System\kLnBebW.exe
  C:\Windows\System\kLnBebW.exe
  2⤵
  PID:7344
- C:\Windows\System\JqMZhfb.exe
  C:\Windows\System\JqMZhfb.exe
  2⤵
  PID:7376
- C:\Windows\System\SucSlJw.exe
  C:\Windows\System\SucSlJw.exe
  2⤵
  PID:7428
- C:\Windows\System\YAQnJpu.exe
  C:\Windows\System\YAQnJpu.exe
  2⤵
  PID:7448
- C:\Windows\System\dhbMPsU.exe
  C:\Windows\System\dhbMPsU.exe
  2⤵
  PID:7464
- C:\Windows\System\wnbtGOy.exe
  C:\Windows\System\wnbtGOy.exe
  2⤵
  PID:7504
- C:\Windows\System\OQdkeCg.exe
  C:\Windows\System\OQdkeCg.exe
  2⤵
  PID:7524
- C:\Windows\System\erbwQuN.exe
  C:\Windows\System\erbwQuN.exe
  2⤵
  PID:7548
- C:\Windows\System\HIyRKwu.exe
  C:\Windows\System\HIyRKwu.exe
  2⤵
  PID:7572
- C:\Windows\System\BasWXoa.exe
  C:\Windows\System\BasWXoa.exe
  2⤵
  PID:7592
- C:\Windows\System\IBmLOqS.exe
  C:\Windows\System\IBmLOqS.exe
  2⤵
  PID:7644
- C:\Windows\System\ONwaFAf.exe
  C:\Windows\System\ONwaFAf.exe
  2⤵
  PID:7684
- C:\Windows\System\fYUfCrN.exe
  C:\Windows\System\fYUfCrN.exe
  2⤵
  PID:7708
- C:\Windows\System\QJgMuHu.exe
  C:\Windows\System\QJgMuHu.exe
  2⤵
  PID:7728
- C:\Windows\System\ZyRecVl.exe
  C:\Windows\System\ZyRecVl.exe
  2⤵
  PID:7756
- C:\Windows\System\tyIRwAX.exe
  C:\Windows\System\tyIRwAX.exe
  2⤵
  PID:7776
- C:\Windows\System\TytfMqw.exe
  C:\Windows\System\TytfMqw.exe
  2⤵
  PID:7796
- C:\Windows\System\aXWfHft.exe
  C:\Windows\System\aXWfHft.exe
  2⤵
  PID:7836
- C:\Windows\System\oOcDHsn.exe
  C:\Windows\System\oOcDHsn.exe
  2⤵
  PID:7860
- C:\Windows\System\ObwPpYa.exe
  C:\Windows\System\ObwPpYa.exe
  2⤵
  PID:7884
- C:\Windows\System\DCNcAoG.exe
  C:\Windows\System\DCNcAoG.exe
  2⤵
  PID:7908
- C:\Windows\System\IZGfqec.exe
  C:\Windows\System\IZGfqec.exe
  2⤵
  PID:7940
- C:\Windows\System\pcoBwLE.exe
  C:\Windows\System\pcoBwLE.exe
  2⤵
  PID:7960
- C:\Windows\System\uotJRzL.exe
  C:\Windows\System\uotJRzL.exe
  2⤵
  PID:8004
- C:\Windows\System\DsbUzEq.exe
  C:\Windows\System\DsbUzEq.exe
  2⤵
  PID:8024
- C:\Windows\System\BYxUMTn.exe
  C:\Windows\System\BYxUMTn.exe
  2⤵
  PID:8048
- C:\Windows\System\aluKPpW.exe
  C:\Windows\System\aluKPpW.exe
  2⤵
  PID:8076
- C:\Windows\System\taavCnr.exe
  C:\Windows\System\taavCnr.exe
  2⤵
  PID:8120
- C:\Windows\System\zlkXrnn.exe
  C:\Windows\System\zlkXrnn.exe
  2⤵
  PID:8152
- C:\Windows\System\qdgbxDN.exe
  C:\Windows\System\qdgbxDN.exe
  2⤵
  PID:8176
- C:\Windows\System\ctBtHWk.exe
  C:\Windows\System\ctBtHWk.exe
  2⤵
  PID:6844
- C:\Windows\System\pIwRiaR.exe
  C:\Windows\System\pIwRiaR.exe
  2⤵
  PID:7192
- C:\Windows\System\tThstNz.exe
  C:\Windows\System\tThstNz.exe
  2⤵
  PID:7244
- C:\Windows\System\SVRXxkc.exe
  C:\Windows\System\SVRXxkc.exe
  2⤵
  PID:7264
- C:\Windows\System\KDYDniA.exe
  C:\Windows\System\KDYDniA.exe
  2⤵
  PID:7360
- C:\Windows\System\ydcryQK.exe
  C:\Windows\System\ydcryQK.exe
  2⤵
  PID:7396
- C:\Windows\System\dbypDNI.exe
  C:\Windows\System\dbypDNI.exe
  2⤵
  PID:7476
- C:\Windows\System\LIBMAkg.exe
  C:\Windows\System\LIBMAkg.exe
  2⤵
  PID:7460
- C:\Windows\System\VCbOqqg.exe
  C:\Windows\System\VCbOqqg.exe
  2⤵
  PID:7580
- C:\Windows\System\UFoGFWk.exe
  C:\Windows\System\UFoGFWk.exe
  2⤵
  PID:7640
- C:\Windows\System\qeBYAwK.exe
  C:\Windows\System\qeBYAwK.exe
  2⤵
  PID:7700
- C:\Windows\System\gTtKhDP.exe
  C:\Windows\System\gTtKhDP.exe
  2⤵
  PID:7880
- C:\Windows\System\YFlMkAc.exe
  C:\Windows\System\YFlMkAc.exe
  2⤵
  PID:7948
- C:\Windows\System\bQYBuVe.exe
  C:\Windows\System\bQYBuVe.exe
  2⤵
  PID:8056
- C:\Windows\System\xjXKowO.exe
  C:\Windows\System\xjXKowO.exe
  2⤵
  PID:8044
- C:\Windows\System\cUenBYm.exe
  C:\Windows\System\cUenBYm.exe
  2⤵
  PID:8096
- C:\Windows\System\FaOodcq.exe
  C:\Windows\System\FaOodcq.exe
  2⤵
  PID:8172
- C:\Windows\System\NClhDky.exe
  C:\Windows\System\NClhDky.exe
  2⤵
  PID:7204
- C:\Windows\System\EmpBGtr.exe
  C:\Windows\System\EmpBGtr.exe
  2⤵
  PID:7340
- C:\Windows\System\OnxvETd.exe
  C:\Windows\System\OnxvETd.exe
  2⤵
  PID:7456
- C:\Windows\System\rRWyXRl.exe
  C:\Windows\System\rRWyXRl.exe
  2⤵
  PID:7852
- C:\Windows\System\FlaRSsc.exe
  C:\Windows\System\FlaRSsc.exe
  2⤵
  PID:7848
- C:\Windows\System\dshNuyg.exe
  C:\Windows\System\dshNuyg.exe
  2⤵
  PID:7956
- C:\Windows\System\CkkjhoS.exe
  C:\Windows\System\CkkjhoS.exe
  2⤵
  PID:8188
- C:\Windows\System\NYGHXDU.exe
  C:\Windows\System\NYGHXDU.exe
  2⤵
  PID:8184
- C:\Windows\System\XlgDNvY.exe
  C:\Windows\System\XlgDNvY.exe
  2⤵
  PID:7868
- C:\Windows\System\DRhBdVt.exe
  C:\Windows\System\DRhBdVt.exe
  2⤵
  PID:7480
- C:\Windows\System\NKAREfD.exe
  C:\Windows\System\NKAREfD.exe
  2⤵
  PID:8228
- C:\Windows\System\tFCmeIS.exe
  C:\Windows\System\tFCmeIS.exe
  2⤵
  PID:8248
- C:\Windows\System\yvgiTbD.exe
  C:\Windows\System\yvgiTbD.exe
  2⤵
  PID:8288
- C:\Windows\System\ylvCxFt.exe
  C:\Windows\System\ylvCxFt.exe
  2⤵
  PID:8304
- C:\Windows\System\wgwoZFc.exe
  C:\Windows\System\wgwoZFc.exe
  2⤵
  PID:8328
- C:\Windows\System\yPJEllg.exe
  C:\Windows\System\yPJEllg.exe
  2⤵
  PID:8364
- C:\Windows\System\WdpMWVA.exe
  C:\Windows\System\WdpMWVA.exe
  2⤵
  PID:8424
- C:\Windows\System\dtfizPu.exe
  C:\Windows\System\dtfizPu.exe
  2⤵
  PID:8440
- C:\Windows\System\qgrjwND.exe
  C:\Windows\System\qgrjwND.exe
  2⤵
  PID:8472
- C:\Windows\System\wrkbkhD.exe
  C:\Windows\System\wrkbkhD.exe
  2⤵
  PID:8536
- C:\Windows\System\MmjXBZl.exe
  C:\Windows\System\MmjXBZl.exe
  2⤵
  PID:8576
- C:\Windows\System\weYCTVB.exe
  C:\Windows\System\weYCTVB.exe
  2⤵
  PID:8616
- C:\Windows\System\uUMeWnz.exe
  C:\Windows\System\uUMeWnz.exe
  2⤵
  PID:8644
- C:\Windows\System\dkmAOoF.exe
  C:\Windows\System\dkmAOoF.exe
  2⤵
  PID:8696
- C:\Windows\System\YgVRPWD.exe
  C:\Windows\System\YgVRPWD.exe
  2⤵
  PID:8732
- C:\Windows\System\ZLtPCed.exe
  C:\Windows\System\ZLtPCed.exe
  2⤵
  PID:8760
- C:\Windows\System\ZiXdLCu.exe
  C:\Windows\System\ZiXdLCu.exe
  2⤵
  PID:8776
- C:\Windows\System\gUOYvcV.exe
  C:\Windows\System\gUOYvcV.exe
  2⤵
  PID:8856
- C:\Windows\System\UraXZZv.exe
  C:\Windows\System\UraXZZv.exe
  2⤵
  PID:8872
- C:\Windows\System\jsSvapx.exe
  C:\Windows\System\jsSvapx.exe
  2⤵
  PID:8888
- C:\Windows\System\VDBbdgA.exe
  C:\Windows\System\VDBbdgA.exe
  2⤵
  PID:8924
- C:\Windows\System\MiICfRY.exe
  C:\Windows\System\MiICfRY.exe
  2⤵
  PID:8944
- C:\Windows\System\PdOqOXK.exe
  C:\Windows\System\PdOqOXK.exe
  2⤵
  PID:8984
- C:\Windows\System\QjDfmjB.exe
  C:\Windows\System\QjDfmjB.exe
  2⤵
  PID:9000
- C:\Windows\System\LrLfIlN.exe
  C:\Windows\System\LrLfIlN.exe
  2⤵
  PID:9040
- C:\Windows\System\CNWCThc.exe
  C:\Windows\System\CNWCThc.exe
  2⤵
  PID:9060
- C:\Windows\System\uJILOFH.exe
  C:\Windows\System\uJILOFH.exe
  2⤵
  PID:9084
- C:\Windows\System\tzrMYBh.exe
  C:\Windows\System\tzrMYBh.exe
  2⤵
  PID:9100
- C:\Windows\System\eEcoWSU.exe
  C:\Windows\System\eEcoWSU.exe
  2⤵
  PID:9120
- C:\Windows\System\PKEXAzF.exe
  C:\Windows\System\PKEXAzF.exe
  2⤵
  PID:9144
- C:\Windows\System\TFvzkFN.exe
  C:\Windows\System\TFvzkFN.exe
  2⤵
  PID:9184
- C:\Windows\System\FEtrexc.exe
  C:\Windows\System\FEtrexc.exe
  2⤵
  PID:9204
- C:\Windows\System\bwGeTez.exe
  C:\Windows\System\bwGeTez.exe
  2⤵
  PID:8160
- C:\Windows\System\DFucYfz.exe
  C:\Windows\System\DFucYfz.exe
  2⤵
  PID:8260
- C:\Windows\System\yHBPCkX.exe
  C:\Windows\System\yHBPCkX.exe
  2⤵
  PID:8360
- C:\Windows\System\nTdhsRm.exe
  C:\Windows\System\nTdhsRm.exe
  2⤵
  PID:8480
- C:\Windows\System\wcIXLvS.exe
  C:\Windows\System\wcIXLvS.exe
  2⤵
  PID:8404
- C:\Windows\System\lyDTZmj.exe
  C:\Windows\System\lyDTZmj.exe
  2⤵
  PID:8348
- C:\Windows\System\AlZteea.exe
  C:\Windows\System\AlZteea.exe
  2⤵
  PID:8468
- C:\Windows\System\sqqSyCV.exe
  C:\Windows\System\sqqSyCV.exe
  2⤵
  PID:8416
- C:\Windows\System\FBKAsBk.exe
  C:\Windows\System\FBKAsBk.exe
  2⤵
  PID:8552
- C:\Windows\System\XeOSTNq.exe
  C:\Windows\System\XeOSTNq.exe
  2⤵
  PID:8652
- C:\Windows\System\oYPNpBX.exe
  C:\Windows\System\oYPNpBX.exe
  2⤵
  PID:8716
- C:\Windows\System\VomIpgH.exe
  C:\Windows\System\VomIpgH.exe
  2⤵
  PID:8788
- C:\Windows\System\YFzLbLb.exe
  C:\Windows\System\YFzLbLb.exe
  2⤵
  PID:8848
- C:\Windows\System\ZNShccM.exe
  C:\Windows\System\ZNShccM.exe
  2⤵
  PID:8884
- C:\Windows\System\togaWpw.exe
  C:\Windows\System\togaWpw.exe
  2⤵
  PID:8940
- C:\Windows\System\oQPaWjq.exe
  C:\Windows\System\oQPaWjq.exe
  2⤵
  PID:9020
- C:\Windows\System\pcAGYhI.exe
  C:\Windows\System\pcAGYhI.exe
  2⤵
  PID:9048
- C:\Windows\System\ugVdTwU.exe
  C:\Windows\System\ugVdTwU.exe
  2⤵
  PID:9180
- C:\Windows\System\xlCNjiB.exe
  C:\Windows\System\xlCNjiB.exe
  2⤵
  PID:9196
- C:\Windows\System\wlfUkdt.exe
  C:\Windows\System\wlfUkdt.exe
  2⤵
  PID:8116
- C:\Windows\System\tiGqCdo.exe
  C:\Windows\System\tiGqCdo.exe
  2⤵
  PID:8356
- C:\Windows\System\SDyekeH.exe
  C:\Windows\System\SDyekeH.exe
  2⤵
  PID:8512
- C:\Windows\System\EoHLnoN.exe
  C:\Windows\System\EoHLnoN.exe
  2⤵
  PID:8484
- C:\Windows\System\IFTSUlr.exe
  C:\Windows\System\IFTSUlr.exe
  2⤵
  PID:8636
- C:\Windows\System\SWUWJgT.exe
  C:\Windows\System\SWUWJgT.exe
  2⤵
  PID:7500
- C:\Windows\System\sKGMEcR.exe
  C:\Windows\System\sKGMEcR.exe
  2⤵
  PID:8932
- C:\Windows\System\HIarqAP.exe
  C:\Windows\System\HIarqAP.exe
  2⤵
  PID:9032
- C:\Windows\System\lhaVAJc.exe
  C:\Windows\System\lhaVAJc.exe
  2⤵
  PID:8240
- C:\Windows\System\PZbVVOk.exe
  C:\Windows\System\PZbVVOk.exe
  2⤵
  PID:8564
- C:\Windows\System\IZiwpCm.exe
  C:\Windows\System\IZiwpCm.exe
  2⤵
  PID:9076
- C:\Windows\System\vYQjstR.exe
  C:\Windows\System\vYQjstR.exe
  2⤵
  PID:8464
- C:\Windows\System\eURrtmr.exe
  C:\Windows\System\eURrtmr.exe
  2⤵
  PID:9224
- C:\Windows\System\jedAJTY.exe
  C:\Windows\System\jedAJTY.exe
  2⤵
  PID:9252
- C:\Windows\System\jsLVZvY.exe
  C:\Windows\System\jsLVZvY.exe
  2⤵
  PID:9276
- C:\Windows\System\bLptLBv.exe
  C:\Windows\System\bLptLBv.exe
  2⤵
  PID:9312
- C:\Windows\System\ihirCne.exe
  C:\Windows\System\ihirCne.exe
  2⤵
  PID:9352
- C:\Windows\System\Cmbknpt.exe
  C:\Windows\System\Cmbknpt.exe
  2⤵
  PID:9388
- C:\Windows\System\pesjqyx.exe
  C:\Windows\System\pesjqyx.exe
  2⤵
  PID:9412
- C:\Windows\System\XbmNsCX.exe
  C:\Windows\System\XbmNsCX.exe
  2⤵
  PID:9432
- C:\Windows\System\ixpZgHl.exe
  C:\Windows\System\ixpZgHl.exe
  2⤵
  PID:9456
- C:\Windows\System\NWiSQUi.exe
  C:\Windows\System\NWiSQUi.exe
  2⤵
  PID:9504
- C:\Windows\System\vszRnDg.exe
  C:\Windows\System\vszRnDg.exe
  2⤵
  PID:9532
- C:\Windows\System\VXvbMkI.exe
  C:\Windows\System\VXvbMkI.exe
  2⤵
  PID:9552
- C:\Windows\System\tSoqrVA.exe
  C:\Windows\System\tSoqrVA.exe
  2⤵
  PID:9592
- C:\Windows\System\hSviYwl.exe
  C:\Windows\System\hSviYwl.exe
  2⤵
  PID:9612
- C:\Windows\System\wdUySql.exe
  C:\Windows\System\wdUySql.exe
  2⤵
  PID:9644
- C:\Windows\System\xWPoAsn.exe
  C:\Windows\System\xWPoAsn.exe
  2⤵
  PID:9664
- C:\Windows\System\HpiYqNo.exe
  C:\Windows\System\HpiYqNo.exe
  2⤵
  PID:9688
- C:\Windows\System\nzidFNp.exe
  C:\Windows\System\nzidFNp.exe
  2⤵
  PID:9712
- C:\Windows\System\MimxURy.exe
  C:\Windows\System\MimxURy.exe
  2⤵
  PID:9740
- C:\Windows\System\WPSTjpS.exe
  C:\Windows\System\WPSTjpS.exe
  2⤵
  PID:9760
- C:\Windows\System\WMtTWFm.exe
  C:\Windows\System\WMtTWFm.exe
  2⤵
  PID:9788
- C:\Windows\System\WAklfJu.exe
  C:\Windows\System\WAklfJu.exe
  2⤵
  PID:9824
- C:\Windows\System\sQoVsdP.exe
  C:\Windows\System\sQoVsdP.exe
  2⤵
  PID:9872
- C:\Windows\System\XPspITe.exe
  C:\Windows\System\XPspITe.exe
  2⤵
  PID:9896
- C:\Windows\System\xLiyLRD.exe
  C:\Windows\System\xLiyLRD.exe
  2⤵
  PID:9920
- C:\Windows\System\jHbhJFJ.exe
  C:\Windows\System\jHbhJFJ.exe
  2⤵
  PID:9944
- C:\Windows\System\Okfrcfr.exe
  C:\Windows\System\Okfrcfr.exe
  2⤵
  PID:9960
- C:\Windows\System\kNhqFDA.exe
  C:\Windows\System\kNhqFDA.exe
  2⤵
  PID:9992
- C:\Windows\System\axEsEYl.exe
  C:\Windows\System\axEsEYl.exe
  2⤵
  PID:10016
- C:\Windows\System\JGwzNpD.exe
  C:\Windows\System\JGwzNpD.exe
  2⤵
  PID:10044
- C:\Windows\System\muTMruC.exe
  C:\Windows\System\muTMruC.exe
  2⤵
  PID:10096
- C:\Windows\System\SeUPrmt.exe
  C:\Windows\System\SeUPrmt.exe
  2⤵
  PID:10112
- C:\Windows\System\tatZfrW.exe
  C:\Windows\System\tatZfrW.exe
  2⤵
  PID:10152
- C:\Windows\System\mEcSeXJ.exe
  C:\Windows\System\mEcSeXJ.exe
  2⤵
  PID:10168
- C:\Windows\System\WwXrSDp.exe
  C:\Windows\System\WwXrSDp.exe
  2⤵
  PID:10188
- C:\Windows\System\jChJAKv.exe
  C:\Windows\System\jChJAKv.exe
  2⤵
  PID:10216
- C:\Windows\System\zddcxee.exe
  C:\Windows\System\zddcxee.exe
  2⤵
  PID:9160
- C:\Windows\System\aSdWGPj.exe
  C:\Windows\System\aSdWGPj.exe
  2⤵
  PID:9240
- C:\Windows\System\aWXgRei.exe
  C:\Windows\System\aWXgRei.exe
  2⤵
  PID:9288
- C:\Windows\System\OHJHjoi.exe
  C:\Windows\System\OHJHjoi.exe
  2⤵
  PID:9384
- C:\Windows\System\zTUvJca.exe
  C:\Windows\System\zTUvJca.exe
  2⤵
  PID:9424
- C:\Windows\System\IhLOlEl.exe
  C:\Windows\System\IhLOlEl.exe
  2⤵
  PID:9492
- C:\Windows\System\GJXrKCV.exe
  C:\Windows\System\GJXrKCV.exe
  2⤵
  PID:9524
- C:\Windows\System\EyQaLro.exe
  C:\Windows\System\EyQaLro.exe
  2⤵
  PID:9636
- C:\Windows\System\YhCoIhG.exe
  C:\Windows\System\YhCoIhG.exe
  2⤵
  PID:9756
- C:\Windows\System\lxboYzO.exe
  C:\Windows\System\lxboYzO.exe
  2⤵
  PID:9800
- C:\Windows\System\RRrbZGY.exe
  C:\Windows\System\RRrbZGY.exe
  2⤵
  PID:9852
- C:\Windows\System\ZIvQCaT.exe
  C:\Windows\System\ZIvQCaT.exe
  2⤵
  PID:9932
- C:\Windows\System\GNPeehd.exe
  C:\Windows\System\GNPeehd.exe
  2⤵
  PID:10000
- C:\Windows\System\Fhavjyv.exe
  C:\Windows\System\Fhavjyv.exe
  2⤵
  PID:10040
- C:\Windows\System\fKocDKm.exe
  C:\Windows\System\fKocDKm.exe
  2⤵
  PID:10108
- C:\Windows\System\AdAEDvU.exe
  C:\Windows\System\AdAEDvU.exe
  2⤵
  PID:10164
- C:\Windows\System\TTogYFJ.exe
  C:\Windows\System\TTogYFJ.exe
  2⤵
  PID:10224
- C:\Windows\System\qOospLW.exe
  C:\Windows\System\qOospLW.exe
  2⤵
  PID:9268
- C:\Windows\System\guPGkMb.exe
  C:\Windows\System\guPGkMb.exe
  2⤵
  PID:9520
- C:\Windows\System\uThKYlm.exe
  C:\Windows\System\uThKYlm.exe
  2⤵
  PID:6684
- C:\Windows\System\ECzDQBy.exe
  C:\Windows\System\ECzDQBy.exe
  2⤵
  PID:9816
- C:\Windows\System\BwaWmsn.exe
  C:\Windows\System\BwaWmsn.exe
  2⤵
  PID:9844
- C:\Windows\System\AftLwiO.exe
  C:\Windows\System\AftLwiO.exe
  2⤵
  PID:10140
- C:\Windows\System\LVlIYjq.exe
  C:\Windows\System\LVlIYjq.exe
  2⤵
  PID:9472
- C:\Windows\System\vnbKWxl.exe
  C:\Windows\System\vnbKWxl.exe
  2⤵
  PID:9360
- C:\Windows\System\tofCnLR.exe
  C:\Windows\System\tofCnLR.exe
  2⤵
  PID:9748
- C:\Windows\System\PEzZFlm.exe
  C:\Windows\System\PEzZFlm.exe
  2⤵
  PID:10024
- C:\Windows\System\KMjZwhM.exe
  C:\Windows\System\KMjZwhM.exe
  2⤵
  PID:9396
- C:\Windows\System\iKYJvgp.exe
  C:\Windows\System\iKYJvgp.exe
  2⤵
  PID:10260
- C:\Windows\System\keGIOGy.exe
  C:\Windows\System\keGIOGy.exe
  2⤵
  PID:10280
- C:\Windows\System\HoXNdtH.exe
  C:\Windows\System\HoXNdtH.exe
  2⤵
  PID:10304
- C:\Windows\System\hZpHCHv.exe
  C:\Windows\System\hZpHCHv.exe
  2⤵
  PID:10324
- C:\Windows\System\RtAJnLh.exe
  C:\Windows\System\RtAJnLh.exe
  2⤵
  PID:10368
- C:\Windows\System\MnHCMpm.exe
  C:\Windows\System\MnHCMpm.exe
  2⤵
  PID:10396
- C:\Windows\System\tnxRSce.exe
  C:\Windows\System\tnxRSce.exe
  2⤵
  PID:10420
- C:\Windows\System\OVafHpb.exe
  C:\Windows\System\OVafHpb.exe
  2⤵
  PID:10448
- C:\Windows\System\UUoYjXU.exe
  C:\Windows\System\UUoYjXU.exe
  2⤵
  PID:10496
- C:\Windows\System\GVEXBuJ.exe
  C:\Windows\System\GVEXBuJ.exe
  2⤵
  PID:10540
- C:\Windows\System\eCSJMbq.exe
  C:\Windows\System\eCSJMbq.exe
  2⤵
  PID:10564
- C:\Windows\System\XRQCNUC.exe
  C:\Windows\System\XRQCNUC.exe
  2⤵
  PID:10584
- C:\Windows\System\JboOErN.exe
  C:\Windows\System\JboOErN.exe
  2⤵
  PID:10620
- C:\Windows\System\pynVIGx.exe
  C:\Windows\System\pynVIGx.exe
  2⤵
  PID:10636
- C:\Windows\System\ltnnYIl.exe
  C:\Windows\System\ltnnYIl.exe
  2⤵
  PID:10676
- C:\Windows\System\VroVFgA.exe
  C:\Windows\System\VroVFgA.exe
  2⤵
  PID:10704
- C:\Windows\System\SZtsYbX.exe
  C:\Windows\System\SZtsYbX.exe
  2⤵
  PID:10728
- C:\Windows\System\gRgOTjh.exe
  C:\Windows\System\gRgOTjh.exe
  2⤵
  PID:10772
- C:\Windows\System\uoZIKvs.exe
  C:\Windows\System\uoZIKvs.exe
  2⤵
  PID:10796
- C:\Windows\System\BioyAWA.exe
  C:\Windows\System\BioyAWA.exe
  2⤵
  PID:10816
- C:\Windows\System\PkLxXgy.exe
  C:\Windows\System\PkLxXgy.exe
  2⤵
  PID:10836
- C:\Windows\System\DXpXUyv.exe
  C:\Windows\System\DXpXUyv.exe
  2⤵
  PID:10868
- C:\Windows\System\gomTUZt.exe
  C:\Windows\System\gomTUZt.exe
  2⤵
  PID:10888
- C:\Windows\System\KGdYXiD.exe
  C:\Windows\System\KGdYXiD.exe
  2⤵
  PID:10936
- C:\Windows\System\TVzVTrU.exe
  C:\Windows\System\TVzVTrU.exe
  2⤵
  PID:10952
- C:\Windows\System\hYYzWgA.exe
  C:\Windows\System\hYYzWgA.exe
  2⤵
  PID:10972
- C:\Windows\System\ZfIQpsb.exe
  C:\Windows\System\ZfIQpsb.exe
  2⤵
  PID:10996
- C:\Windows\System\tfchLNA.exe
  C:\Windows\System\tfchLNA.exe
  2⤵
  PID:11028
- C:\Windows\System\JPBetCb.exe
  C:\Windows\System\JPBetCb.exe
  2⤵
  PID:11052
- C:\Windows\System\ZCxKaRF.exe
  C:\Windows\System\ZCxKaRF.exe
  2⤵
  PID:11084
- C:\Windows\System\WgbkxBb.exe
  C:\Windows\System\WgbkxBb.exe
  2⤵
  PID:11112
- C:\Windows\System\YUNvcRG.exe
  C:\Windows\System\YUNvcRG.exe
  2⤵
  PID:11148
- C:\Windows\System\BnyKaRQ.exe
  C:\Windows\System\BnyKaRQ.exe
  2⤵
  PID:11168
- C:\Windows\System\FAhiarE.exe
  C:\Windows\System\FAhiarE.exe
  2⤵
  PID:11192
- C:\Windows\System\cHHHwZN.exe
  C:\Windows\System\cHHHwZN.exe
  2⤵
  PID:11216
- C:\Windows\System\BnrDoQG.exe
  C:\Windows\System\BnrDoQG.exe
  2⤵
  PID:11252
- C:\Windows\System\NXGIPZT.exe
  C:\Windows\System\NXGIPZT.exe
  2⤵
  PID:10236
- C:\Windows\System\otkgtww.exe
  C:\Windows\System\otkgtww.exe
  2⤵
  PID:10256
- C:\Windows\System\VYFIIid.exe
  C:\Windows\System\VYFIIid.exe
  2⤵
  PID:10360
- C:\Windows\System\OpJqIUn.exe
  C:\Windows\System\OpJqIUn.exe
  2⤵
  PID:10456
- C:\Windows\System\MDRnwuP.exe
  C:\Windows\System\MDRnwuP.exe
  2⤵
  PID:10536
- C:\Windows\System\htjlpwk.exe
  C:\Windows\System\htjlpwk.exe
  2⤵
  PID:10560
- C:\Windows\System\DFQtLJS.exe
  C:\Windows\System\DFQtLJS.exe
  2⤵
  PID:10612
- C:\Windows\System\LebykAc.exe
  C:\Windows\System\LebykAc.exe
  2⤵
  PID:10660
- C:\Windows\System\NqSNTEI.exe
  C:\Windows\System\NqSNTEI.exe
  2⤵
  PID:10804
- C:\Windows\System\vWkMQyh.exe
  C:\Windows\System\vWkMQyh.exe
  2⤵
  PID:10828
- C:\Windows\System\FEdIwJk.exe
  C:\Windows\System\FEdIwJk.exe
  2⤵
  PID:10924
- C:\Windows\System\sXaPgpa.exe
  C:\Windows\System\sXaPgpa.exe
  2⤵
  PID:10904
- C:\Windows\System\OUFatwn.exe
  C:\Windows\System\OUFatwn.exe
  2⤵
  PID:4980
- C:\Windows\System\DeAYPVU.exe
  C:\Windows\System\DeAYPVU.exe
  2⤵
  PID:11076
- C:\Windows\System\mtTjDlx.exe
  C:\Windows\System\mtTjDlx.exe
  2⤵
  PID:11164
- C:\Windows\System\nTNHBoq.exe
  C:\Windows\System\nTNHBoq.exe
  2⤵
  PID:9440
- C:\Windows\System\TFIUJKr.exe
  C:\Windows\System\TFIUJKr.exe
  2⤵
  PID:9864
- C:\Windows\System\QMntPIL.exe
  C:\Windows\System\QMntPIL.exe
  2⤵
  PID:10440
- C:\Windows\System\joaGwWE.exe
  C:\Windows\System\joaGwWE.exe
  2⤵
  PID:10632
- C:\Windows\System\GWKKBJh.exe
  C:\Windows\System\GWKKBJh.exe
  2⤵
  PID:10692
- C:\Windows\System\sBNLvkg.exe
  C:\Windows\System\sBNLvkg.exe
  2⤵
  PID:10856
- C:\Windows\System\LiEXxFY.exe
  C:\Windows\System\LiEXxFY.exe
  2⤵
  PID:11064
- C:\Windows\System\GFATOGi.exe
  C:\Windows\System\GFATOGi.exe
  2⤵
  PID:11132
- C:\Windows\System\vosAlLk.exe
  C:\Windows\System\vosAlLk.exe
  2⤵
  PID:11200
- C:\Windows\System\oVsZmjU.exe
  C:\Windows\System\oVsZmjU.exe
  2⤵
  PID:10476
- C:\Windows\System\fJirPlt.exe
  C:\Windows\System\fJirPlt.exe
  2⤵
  PID:10844
- C:\Windows\System\jGGJcpD.exe
  C:\Windows\System\jGGJcpD.exe
  2⤵
  PID:10444
- C:\Windows\System\nTeolSU.exe
  C:\Windows\System\nTeolSU.exe
  2⤵
  PID:11268
- C:\Windows\System\GVQZkdT.exe
  C:\Windows\System\GVQZkdT.exe
  2⤵
  PID:11288
- C:\Windows\System\ELfFByX.exe
  C:\Windows\System\ELfFByX.exe
  2⤵
  PID:11304
- C:\Windows\System\qrPVpgr.exe
  C:\Windows\System\qrPVpgr.exe
  2⤵
  PID:11320
- C:\Windows\System\oqlJwxu.exe
  C:\Windows\System\oqlJwxu.exe
  2⤵
  PID:11348
- C:\Windows\System\zheLJZV.exe
  C:\Windows\System\zheLJZV.exe
  2⤵
  PID:11376
- C:\Windows\System\zxFEMmG.exe
  C:\Windows\System\zxFEMmG.exe
  2⤵
  PID:11392
- C:\Windows\System\xZDPAzC.exe
  C:\Windows\System\xZDPAzC.exe
  2⤵
  PID:11416
- C:\Windows\System\ofODKPh.exe
  C:\Windows\System\ofODKPh.exe
  2⤵
  PID:11476
- C:\Windows\System\DgFZMLf.exe
  C:\Windows\System\DgFZMLf.exe
  2⤵
  PID:11520
- C:\Windows\System\nPqMWuv.exe
  C:\Windows\System\nPqMWuv.exe
  2⤵
  PID:11552
- C:\Windows\System\nnhhUVR.exe
  C:\Windows\System\nnhhUVR.exe
  2⤵
  PID:11576
- C:\Windows\System\hePLtEJ.exe
  C:\Windows\System\hePLtEJ.exe
  2⤵
  PID:11612
- C:\Windows\System\rwUIJDz.exe
  C:\Windows\System\rwUIJDz.exe
  2⤵
  PID:11628
- C:\Windows\System\tpBfscO.exe
  C:\Windows\System\tpBfscO.exe
  2⤵
  PID:11668
- C:\Windows\System\GnFsdrA.exe
  C:\Windows\System\GnFsdrA.exe
  2⤵
  PID:11684
- C:\Windows\System\XBhGbib.exe
  C:\Windows\System\XBhGbib.exe
  2⤵
  PID:11704
- C:\Windows\System\xvGIEOZ.exe
  C:\Windows\System\xvGIEOZ.exe
  2⤵
  PID:11728
- C:\Windows\System\rGyxJHi.exe
  C:\Windows\System\rGyxJHi.exe
  2⤵
  PID:11748
- C:\Windows\System\bzcERck.exe
  C:\Windows\System\bzcERck.exe
  2⤵
  PID:11776
- C:\Windows\System\VjzEjPj.exe
  C:\Windows\System\VjzEjPj.exe
  2⤵
  PID:11804
- C:\Windows\System\zQBossi.exe
  C:\Windows\System\zQBossi.exe
  2⤵
  PID:11840
- C:\Windows\System\NUnEvMx.exe
  C:\Windows\System\NUnEvMx.exe
  2⤵
  PID:11896
- C:\Windows\System\NuOwvBL.exe
  C:\Windows\System\NuOwvBL.exe
  2⤵
  PID:11916
- C:\Windows\System\YhORiPy.exe
  C:\Windows\System\YhORiPy.exe
  2⤵
  PID:11936
- C:\Windows\System\SJdGBpM.exe
  C:\Windows\System\SJdGBpM.exe
  2⤵
  PID:11956
- C:\Windows\System\CIITZkn.exe
  C:\Windows\System\CIITZkn.exe
  2⤵
  PID:11976
- C:\Windows\System\jbMLPnl.exe
  C:\Windows\System\jbMLPnl.exe
  2⤵
  PID:12000
- C:\Windows\System\YzNDIjY.exe
  C:\Windows\System\YzNDIjY.exe
  2⤵
  PID:12052
- C:\Windows\System\PFNZDJL.exe
  C:\Windows\System\PFNZDJL.exe
  2⤵
  PID:12076
- C:\Windows\System\awJYqkM.exe
  C:\Windows\System\awJYqkM.exe
  2⤵
  PID:12096
- C:\Windows\System\uExHGsz.exe
  C:\Windows\System\uExHGsz.exe
  2⤵
  PID:12128
- C:\Windows\System\dxeZZJV.exe
  C:\Windows\System\dxeZZJV.exe
  2⤵
  PID:12144
- C:\Windows\System\utRqMOt.exe
  C:\Windows\System\utRqMOt.exe
  2⤵
  PID:12172
- C:\Windows\System\ONNQvAN.exe
  C:\Windows\System\ONNQvAN.exe
  2⤵
  PID:12212
- C:\Windows\System\IzzMuRC.exe
  C:\Windows\System\IzzMuRC.exe
  2⤵
  PID:12236
- C:\Windows\System\EGHsLmm.exe
  C:\Windows\System\EGHsLmm.exe
  2⤵
  PID:12260
- C:\Windows\System\WCByKaj.exe
  C:\Windows\System\WCByKaj.exe
  2⤵
  PID:12280
- C:\Windows\System\QHZSKQM.exe
  C:\Windows\System\QHZSKQM.exe
  2⤵
  PID:11312
- C:\Windows\System\PTobtCz.exe
  C:\Windows\System\PTobtCz.exe
  2⤵
  PID:11412
- C:\Windows\System\qmFSqyd.exe
  C:\Windows\System\qmFSqyd.exe
  2⤵
  PID:11408
- C:\Windows\System\hIKacEX.exe
  C:\Windows\System\hIKacEX.exe
  2⤵
  PID:11456
- C:\Windows\System\IaHJfkg.exe
  C:\Windows\System\IaHJfkg.exe
  2⤵
  PID:11568
- C:\Windows\System\csEZYPg.exe
  C:\Windows\System\csEZYPg.exe
  2⤵
  PID:11648
- C:\Windows\System\ovbVXiU.exe
  C:\Windows\System\ovbVXiU.exe
  2⤵
  PID:11760
- C:\Windows\System\dHlbvNr.exe
  C:\Windows\System\dHlbvNr.exe
  2⤵
  PID:11736
- C:\Windows\System\KKucvWD.exe
  C:\Windows\System\KKucvWD.exe
  2⤵
  PID:11908
- C:\Windows\System\yRdMyPb.exe
  C:\Windows\System\yRdMyPb.exe
  2⤵
  PID:11928
- C:\Windows\System\FvUaayc.exe
  C:\Windows\System\FvUaayc.exe
  2⤵
  PID:11968
- C:\Windows\System\RBAtPHR.exe
  C:\Windows\System\RBAtPHR.exe
  2⤵
  PID:12032
- C:\Windows\System\MMtjYaK.exe
  C:\Windows\System\MMtjYaK.exe
  2⤵
  PID:12152
- C:\Windows\System\sTaYknK.exe
  C:\Windows\System\sTaYknK.exe
  2⤵
  PID:12232
- C:\Windows\System\PPzYexV.exe
  C:\Windows\System\PPzYexV.exe
  2⤵
  PID:12252
- C:\Windows\System\DovKnWD.exe
  C:\Windows\System\DovKnWD.exe
  2⤵
  PID:11300
- C:\Windows\System\jcIasVU.exe
  C:\Windows\System\jcIasVU.exe
  2⤵
  PID:11332
- C:\Windows\System\qzrBewU.exe
  C:\Windows\System\qzrBewU.exe
  2⤵
  PID:11504
- C:\Windows\System\RcrvTDR.exe
  C:\Windows\System\RcrvTDR.exe
  2⤵
  PID:4944
- C:\Windows\System\hGYatZf.exe
  C:\Windows\System\hGYatZf.exe
  2⤵
  PID:11588
- C:\Windows\System\rtSCDpL.exe
  C:\Windows\System\rtSCDpL.exe
  2⤵
  PID:11800
- C:\Windows\System\LyKFQUH.exe
  C:\Windows\System\LyKFQUH.exe
  2⤵
  PID:11924
- C:\Windows\System\IZGoxzx.exe
  C:\Windows\System\IZGoxzx.exe
  2⤵
  PID:12116
- C:\Windows\System\kbNMaEF.exe
  C:\Windows\System\kbNMaEF.exe
  2⤵
  PID:10576
- C:\Windows\System\yIKqSLF.exe
  C:\Windows\System\yIKqSLF.exe
  2⤵
  PID:11784
- C:\Windows\System\DFTcCQr.exe
  C:\Windows\System\DFTcCQr.exe
  2⤵
  PID:11604
- C:\Windows\System\HHQgyaa.exe
  C:\Windows\System\HHQgyaa.exe
  2⤵
  PID:12036
- C:\Windows\System\nzttwHs.exe
  C:\Windows\System\nzttwHs.exe
  2⤵
  PID:11388
- C:\Windows\System\GLQbANw.exe
  C:\Windows\System\GLQbANw.exe
  2⤵
  PID:3348
- C:\Windows\System\sjvXmpG.exe
  C:\Windows\System\sjvXmpG.exe
  2⤵
  PID:12304
- C:\Windows\System\zUAhpnp.exe
  C:\Windows\System\zUAhpnp.exe
  2⤵
  PID:12336
- C:\Windows\System\XtHTwtX.exe
  C:\Windows\System\XtHTwtX.exe
  2⤵
  PID:12356
- C:\Windows\System\qilBymu.exe
  C:\Windows\System\qilBymu.exe
  2⤵
  PID:12396
- C:\Windows\System\fmHjxJa.exe
  C:\Windows\System\fmHjxJa.exe
  2⤵
  PID:12416
- C:\Windows\System\EIqfaeg.exe
  C:\Windows\System\EIqfaeg.exe
  2⤵
  PID:12436
- C:\Windows\System\qPAaATd.exe
  C:\Windows\System\qPAaATd.exe
  2⤵
  PID:12452
- C:\Windows\System\WCgXoAe.exe
  C:\Windows\System\WCgXoAe.exe
  2⤵
  PID:12488
- C:\Windows\System\rsXfyWa.exe
  C:\Windows\System\rsXfyWa.exe
  2⤵
  PID:12508
- C:\Windows\System\UFMAHUG.exe
  C:\Windows\System\UFMAHUG.exe
  2⤵
  PID:12564
- C:\Windows\System\dNjDApv.exe
  C:\Windows\System\dNjDApv.exe
  2⤵
  PID:12612
- C:\Windows\System\KCgslFC.exe
  C:\Windows\System\KCgslFC.exe
  2⤵
  PID:12636
- C:\Windows\System\XCYAQlb.exe
  C:\Windows\System\XCYAQlb.exe
  2⤵
  PID:12656
- C:\Windows\System\nOdoBWP.exe
  C:\Windows\System\nOdoBWP.exe
  2⤵
  PID:12676
- C:\Windows\System\hTcCfVn.exe
  C:\Windows\System\hTcCfVn.exe
  2⤵
  PID:12708
- C:\Windows\System\dHbQcJl.exe
  C:\Windows\System\dHbQcJl.exe
  2⤵
  PID:12744
- C:\Windows\System\uNqpMXC.exe
  C:\Windows\System\uNqpMXC.exe
  2⤵
  PID:12776
- C:\Windows\System\pCwNxVI.exe
  C:\Windows\System\pCwNxVI.exe
  2⤵
  PID:12796
- C:\Windows\System\OIaZubF.exe
  C:\Windows\System\OIaZubF.exe
  2⤵
  PID:12816
- C:\Windows\System\UvXXNJt.exe
  C:\Windows\System\UvXXNJt.exe
  2⤵
  PID:12852
- C:\Windows\System\CWgcBBB.exe
  C:\Windows\System\CWgcBBB.exe
  2⤵
  PID:12884
- C:\Windows\System\sgHOfpD.exe
  C:\Windows\System\sgHOfpD.exe
  2⤵
  PID:12920
- C:\Windows\System\WDJTSPM.exe
  C:\Windows\System\WDJTSPM.exe
  2⤵
  PID:12940
- C:\Windows\System\qhbcEjx.exe
  C:\Windows\System\qhbcEjx.exe
  2⤵
  PID:12964
- C:\Windows\System\rKZDKQt.exe
  C:\Windows\System\rKZDKQt.exe
  2⤵
  PID:13004
- C:\Windows\System\XOrnXEM.exe
  C:\Windows\System\XOrnXEM.exe
  2⤵
  PID:13020
- C:\Windows\System\kfONxTc.exe
  C:\Windows\System\kfONxTc.exe
  2⤵
  PID:13040
- C:\Windows\System\PtFZMEi.exe
  C:\Windows\System\PtFZMEi.exe
  2⤵
  PID:13064
- C:\Windows\System\WTcidcf.exe
  C:\Windows\System\WTcidcf.exe
  2⤵
  PID:13112
- C:\Windows\System\APubCIW.exe
  C:\Windows\System\APubCIW.exe
  2⤵
  PID:13136
- C:\Windows\System\DaZltku.exe
  C:\Windows\System\DaZltku.exe
  2⤵
  PID:13160
- C:\Windows\System\ihuLMQk.exe
  C:\Windows\System\ihuLMQk.exe
  2⤵
  PID:13200
- C:\Windows\System\LXWWGAx.exe
  C:\Windows\System\LXWWGAx.exe
  2⤵
  PID:13224
- C:\Windows\System\XMwApMU.exe
  C:\Windows\System\XMwApMU.exe
  2⤵
  PID:13244
- C:\Windows\System\JQRglaQ.exe
  C:\Windows\System\JQRglaQ.exe
  2⤵
  PID:13264
- C:\Windows\System\IHzTpVP.exe
  C:\Windows\System\IHzTpVP.exe
  2⤵
  PID:13292
- C:\Windows\System\bBElJCs.exe
  C:\Windows\System\bBElJCs.exe
  2⤵
  PID:11560
- C:\Windows\System\IwtzgLt.exe
  C:\Windows\System\IwtzgLt.exe
  2⤵
  PID:12332
- C:\Windows\System\mEWFwGn.exe
  C:\Windows\System\mEWFwGn.exe
  2⤵
  PID:12392
- C:\Windows\System\wfejfTu.exe
  C:\Windows\System\wfejfTu.exe
  2⤵
  PID:4892
- C:\Windows\System\eILHoib.exe
  C:\Windows\System\eILHoib.exe
  2⤵
  PID:13276
- C:\Windows\System\BTCESNK.exe
  C:\Windows\System\BTCESNK.exe
  2⤵
  PID:4820
- C:\Windows\System\wPrFNVp.exe
  C:\Windows\System\wPrFNVp.exe
  2⤵
  PID:12684
- C:\Windows\System\mLZAxmp.exe
  C:\Windows\System\mLZAxmp.exe
  2⤵
  PID:12752
- C:\Windows\System\YWdVrrJ.exe
  C:\Windows\System\YWdVrrJ.exe
  2⤵
  PID:12740
- C:\Windows\System\aIcZFjH.exe
  C:\Windows\System\aIcZFjH.exe
  2⤵
  PID:12788
- C:\Windows\System\mcWyDPx.exe
  C:\Windows\System\mcWyDPx.exe
  2⤵
  PID:12536
- C:\Windows\System\tftMOxA.exe
  C:\Windows\System\tftMOxA.exe
  2⤵
  PID:1380
- C:\Windows\System\UzbYIdN.exe
  C:\Windows\System\UzbYIdN.exe
  2⤵
  PID:12844
- C:\Windows\System\sJDyGdF.exe
  C:\Windows\System\sJDyGdF.exe
  2⤵
  PID:12892
- C:\Windows\System\uluWJLT.exe
  C:\Windows\System\uluWJLT.exe
  2⤵
  PID:12644
- C:\Windows\System\xhRYOJJ.exe
  C:\Windows\System\xhRYOJJ.exe
  2⤵
  PID:13284
- C:\Windows\System\gqMGpgH.exe
  C:\Windows\System\gqMGpgH.exe
  2⤵
  PID:13240
- C:\Windows\System\wqucEIh.exe
  C:\Windows\System\wqucEIh.exe
  2⤵
  PID:4380
- C:\Windows\System\RcaBwbo.exe
  C:\Windows\System\RcaBwbo.exe
  2⤵
  PID:5072
- C:\Windows\System\gtCjKBs.exe
  C:\Windows\System\gtCjKBs.exe
  2⤵
  PID:5560
- C:\Windows\System\jZSqrVU.exe
  C:\Windows\System\jZSqrVU.exe
  2⤵
  PID:12504
- C:\Windows\System\FuxJOdU.exe
  C:\Windows\System\FuxJOdU.exe
  2⤵
  PID:4836
- C:\Windows\System\diSwWcX.exe
  C:\Windows\System\diSwWcX.exe
  2⤵
  PID:12668
- C:\Windows\System\PImWdig.exe
  C:\Windows\System\PImWdig.exe
  2⤵
  PID:12608
- C:\Windows\System\ZlSXvQy.exe
  C:\Windows\System\ZlSXvQy.exe
  2⤵
  PID:12652
- C:\Windows\System\YVojrre.exe
  C:\Windows\System\YVojrre.exe
  2⤵
  PID:2960
- C:\Windows\System\hnvtQzY.exe
  C:\Windows\System\hnvtQzY.exe
  2⤵
  PID:5400
- C:\Windows\System\AWAjICL.exe
  C:\Windows\System\AWAjICL.exe
  2⤵
  PID:1600
- C:\Windows\System\CNjuJod.exe
  C:\Windows\System\CNjuJod.exe
  2⤵
  PID:4828
- C:\Windows\System\ZDFPcsd.exe
  C:\Windows\System\ZDFPcsd.exe
  2⤵
  PID:13032
- C:\Windows\System\yGrpcAY.exe
  C:\Windows\System\yGrpcAY.exe
  2⤵
  PID:13144
- C:\Windows\System\vQKuSVy.exe
  C:\Windows\System\vQKuSVy.exe
  2⤵
  PID:13196
- C:\Windows\System\OTUXTGA.exe
  C:\Windows\System\OTUXTGA.exe
  2⤵
  PID:2868
- C:\Windows\System\EHPWXeD.exe
  C:\Windows\System\EHPWXeD.exe
  2⤵
  PID:12444
- C:\Windows\System\MGMaiGk.exe
  C:\Windows\System\MGMaiGk.exe
  2⤵
  PID:12532
- C:\Windows\System\nkzknSg.exe
  C:\Windows\System\nkzknSg.exe
  2⤵
  PID:12736
- C:\Windows\System\HQXPlZt.exe
  C:\Windows\System\HQXPlZt.exe
  2⤵
  PID:1792
- C:\Windows\System\lUrhCmH.exe
  C:\Windows\System\lUrhCmH.exe
  2⤵
  PID:1116
- C:\Windows\System\FuSUQOS.exe
  C:\Windows\System\FuSUQOS.exe
  2⤵
  PID:13016
- C:\Windows\System\cLhjYhL.exe
  C:\Windows\System\cLhjYhL.exe
  2⤵
  PID:4632
- C:\Windows\System\MNNsJZD.exe
  C:\Windows\System\MNNsJZD.exe
  2⤵
  PID:4880
- C:\Windows\System\qApFShH.exe
  C:\Windows\System\qApFShH.exe
  2⤵
  PID:2940
- C:\Windows\System\ddfzoeE.exe
  C:\Windows\System\ddfzoeE.exe
  2⤵
  PID:4780
- C:\Windows\System\KRnPCTb.exe
  C:\Windows\System\KRnPCTb.exe
  2⤵
  PID:712
- C:\Windows\System\tzWmseY.exe
  C:\Windows\System\tzWmseY.exe
  2⤵
  PID:13088
- C:\Windows\System\KInVCuN.exe
  C:\Windows\System\KInVCuN.exe
  2⤵
  PID:2180
- C:\Windows\System\qlekHaN.exe
  C:\Windows\System\qlekHaN.exe
  2⤵
  PID:720
- C:\Windows\System\GXEQxUU.exe
  C:\Windows\System\GXEQxUU.exe
  2⤵
  PID:12312
- C:\Windows\System\UPKOOpE.exe
  C:\Windows\System\UPKOOpE.exe
  2⤵
  PID:5116
- C:\Windows\System\snbkUUC.exe
  C:\Windows\System\snbkUUC.exe
  2⤵
  PID:4652
- C:\Windows\System\bHLzsYP.exe
  C:\Windows\System\bHLzsYP.exe
  2⤵
  PID:2388
- C:\Windows\System\alvXkzP.exe
  C:\Windows\System\alvXkzP.exe
  2⤵
  PID:3996
- C:\Windows\System\JgooBxn.exe
  C:\Windows\System\JgooBxn.exe
  2⤵
  PID:5088
- C:\Windows\System\cxldCWP.exe
  C:\Windows\System\cxldCWP.exe
  2⤵
  PID:4064
- C:\Windows\System\oWZzELk.exe
  C:\Windows\System\oWZzELk.exe
  2⤵
  PID:12672
- C:\Windows\System\mzvmUKh.exe
  C:\Windows\System\mzvmUKh.exe
  2⤵
  PID:2728
- C:\Windows\System\PeOIAXi.exe
  C:\Windows\System\PeOIAXi.exe
  2⤵
  PID:2348
- C:\Windows\System\oeVxGqy.exe
  C:\Windows\System\oeVxGqy.exe
  2⤵
  PID:2848
- C:\Windows\System\pnqdGYN.exe
  C:\Windows\System\pnqdGYN.exe
  2⤵
  PID:3444
- C:\Windows\System\uvEJokf.exe
  C:\Windows\System\uvEJokf.exe
  2⤵
  PID:1212
- C:\Windows\System\ZSmkXyx.exe
  C:\Windows\System\ZSmkXyx.exe
  2⤵
  PID:12428
- C:\Windows\System\JuhcgFo.exe
  C:\Windows\System\JuhcgFo.exe
  2⤵
  PID:12704
- C:\Windows\System\PBmJgYp.exe
  C:\Windows\System\PBmJgYp.exe
  2⤵
  PID:5276
- C:\Windows\System\SqpdtgV.exe
  C:\Windows\System\SqpdtgV.exe
  2⤵
  PID:636
- C:\Windows\System\NyTrKGC.exe
  C:\Windows\System\NyTrKGC.exe
  2⤵
  PID:5048
- C:\Windows\System\gLnYChJ.exe
  C:\Windows\System\gLnYChJ.exe
  2⤵
  PID:4088
- C:\Windows\System\IbKMbDg.exe
  C:\Windows\System\IbKMbDg.exe
  2⤵
  PID:3000
- C:\Windows\System\xvnrGEm.exe
  C:\Windows\System\xvnrGEm.exe
  2⤵
  PID:4100
- C:\Windows\System\nMWgRBr.exe
  C:\Windows\System\nMWgRBr.exe
  2⤵
  PID:4232
- C:\Windows\System\wWkKFBF.exe
  C:\Windows\System\wWkKFBF.exe
  2⤵
  PID:3768
- C:\Windows\System\TXYyxIo.exe
  C:\Windows\System\TXYyxIo.exe
  2⤵
  PID:4280
- C:\Windows\System\vhRzaZR.exe
  C:\Windows\System\vhRzaZR.exe
  2⤵
  PID:4208
- C:\Windows\System\sctRAGB.exe
  C:\Windows\System\sctRAGB.exe
  2⤵
  PID:4156
- C:\Windows\System\enzZvZY.exe
  C:\Windows\System\enzZvZY.exe
  2⤵
  PID:4556
- C:\Windows\System\fUmpkak.exe
  C:\Windows\System\fUmpkak.exe
  2⤵
  PID:3784
- C:\Windows\System\riFHllL.exe
  C:\Windows\System\riFHllL.exe
  2⤵
  PID:3720
- C:\Windows\System\xDDHSwN.exe
  C:\Windows\System\xDDHSwN.exe
  2⤵
  PID:3192
- C:\Windows\System\OCNgxaL.exe
  C:\Windows\System\OCNgxaL.exe
  2⤵
  PID:1048
- C:\Windows\System\ohpvtJn.exe
  C:\Windows\System\ohpvtJn.exe
  2⤵
  PID:4868
- C:\Windows\System\ARlXMMS.exe
  C:\Windows\System\ARlXMMS.exe
  2⤵
  PID:5812
- C:\Windows\System\GrFPgDa.exe
  C:\Windows\System\GrFPgDa.exe
  2⤵
  PID:13036
- C:\Windows\System\qpdpqoO.exe
  C:\Windows\System\qpdpqoO.exe
  2⤵
  PID:3424
- C:\Windows\System\IzcVHHm.exe
  C:\Windows\System\IzcVHHm.exe
  2⤵
  PID:3412
- C:\Windows\System\UjnvtFV.exe
  C:\Windows\System\UjnvtFV.exe
  2⤵
  PID:12624
- C:\Windows\System\DdkHqZL.exe
  C:\Windows\System\DdkHqZL.exe
  2⤵
  PID:12448
- C:\Windows\System\aBUcpcj.exe
  C:\Windows\System\aBUcpcj.exe
  2⤵
  PID:4072
- C:\Windows\System\zTfhRFQ.exe
  C:\Windows\System\zTfhRFQ.exe
  2⤵
  PID:4200
- C:\Windows\System\qLVwSEX.exe
  C:\Windows\System\qLVwSEX.exe
  2⤵
  PID:944
- C:\Windows\System\iMBdjeO.exe
  C:\Windows\System\iMBdjeO.exe
  2⤵
  PID:1448
- C:\Windows\System\uQWfSch.exe
  C:\Windows\System\uQWfSch.exe
  2⤵
  PID:1164
- C:\Windows\System\njRRfnj.exe
  C:\Windows\System\njRRfnj.exe
  2⤵
  PID:996
- C:\Windows\System\bOHNbDt.exe
  C:\Windows\System\bOHNbDt.exe
  2⤵
  PID:4720
- C:\Windows\System\DHSIgVh.exe
  C:\Windows\System\DHSIgVh.exe
  2⤵
  PID:4308
- C:\Windows\System\LecTHXU.exe
  C:\Windows\System\LecTHXU.exe
  2⤵
  PID:4808
- C:\Windows\System\WHftoBM.exe
  C:\Windows\System\WHftoBM.exe
  2⤵
  PID:4404
- C:\Windows\System\rFzEznJ.exe
  C:\Windows\System\rFzEznJ.exe
  2⤵
  PID:3888
- C:\Windows\System\inIBXYA.exe
  C:\Windows\System\inIBXYA.exe
  2⤵
  PID:3908
- C:\Windows\System\GIDwgDZ.exe
  C:\Windows\System\GIDwgDZ.exe
  2⤵
  PID:4204
- C:\Windows\System\bTZghuP.exe
  C:\Windows\System\bTZghuP.exe
  2⤵
  PID:4192
- C:\Windows\System\eDAPRsU.exe
  C:\Windows\System\eDAPRsU.exe
  2⤵
  PID:6252
- C:\Windows\System\QVPPGhX.exe
  C:\Windows\System\QVPPGhX.exe
  2⤵
  PID:6276
- C:\Windows\System\GPMYNoN.exe
  C:\Windows\System\GPMYNoN.exe
  2⤵
  PID:2512
- C:\Windows\System\ztsoUyJ.exe
  C:\Windows\System\ztsoUyJ.exe
  2⤵
  PID:6504
- C:\Windows\System\LXdypsN.exe
  C:\Windows\System\LXdypsN.exe
  2⤵
  PID:7224
- C:\Windows\System\LsilRmH.exe
  C:\Windows\System\LsilRmH.exe
  2⤵
  PID:6680
- C:\Windows\System\yAMTNak.exe
  C:\Windows\System\yAMTNak.exe
  2⤵
  PID:7280
- C:\Windows\System\UZpGxjj.exe
  C:\Windows\System\UZpGxjj.exe
  2⤵
  PID:6856
- C:\Windows\System\ITplwlG.exe
  C:\Windows\System\ITplwlG.exe
  2⤵
  PID:3792
- C:\Windows\System\umIqeDn.exe
  C:\Windows\System\umIqeDn.exe
  2⤵
  PID:7400
- C:\Windows\System\clhfBHC.exe
  C:\Windows\System\clhfBHC.exe
  2⤵
  PID:7412
- C:\Windows\System\tnzGPYT.exe
  C:\Windows\System\tnzGPYT.exe
  2⤵
  PID:6944
- C:\Windows\System\JdEQpLF.exe
  C:\Windows\System\JdEQpLF.exe
  2⤵
  PID:7064
- C:\Windows\System\LLbjzeW.exe
  C:\Windows\System\LLbjzeW.exe
  2⤵
  PID:6372
- C:\Windows\System\HFIhHHI.exe
  C:\Windows\System\HFIhHHI.exe
  2⤵
  PID:7600
- C:\Windows\System\PzjcdTh.exe
  C:\Windows\System\PzjcdTh.exe
  2⤵
  PID:1720
- C:\Windows\System\BNSRZZc.exe
  C:\Windows\System\BNSRZZc.exe
  2⤵
  PID:6568
- C:\Windows\System\VLwTrru.exe
  C:\Windows\System\VLwTrru.exe
  2⤵
  PID:6764
- C:\Windows\System\KoOuxbw.exe
  C:\Windows\System\KoOuxbw.exe
  2⤵
  PID:7808
- C:\Windows\System\JlDzUrD.exe
  C:\Windows\System\JlDzUrD.exe
  2⤵
  PID:4024
- C:\Windows\System\PstwTPj.exe
  C:\Windows\System\PstwTPj.exe
  2⤵
  PID:4592
- C:\Windows\System\weusTuN.exe
  C:\Windows\System\weusTuN.exe
  2⤵
  PID:7060
- C:\Windows\System\zCGjcAo.exe
  C:\Windows\System\zCGjcAo.exe
  2⤵
  PID:1060
- C:\Windows\System\PIuMAnI.exe
  C:\Windows\System\PIuMAnI.exe
  2⤵
  PID:2652
- C:\Windows\System\UYtFQwL.exe
  C:\Windows\System\UYtFQwL.exe
  2⤵
  PID:2204
- C:\Windows\System\JROpfct.exe
  C:\Windows\System\JROpfct.exe
  2⤵
  PID:7196
- C:\Windows\System\dazsyKN.exe
  C:\Windows\System\dazsyKN.exe
  2⤵
  PID:3940
- C:\Windows\System\yEZvxzP.exe
  C:\Windows\System\yEZvxzP.exe
  2⤵
  PID:6692
- C:\Windows\System\CTkgauZ.exe
  C:\Windows\System\CTkgauZ.exe
  2⤵
  PID:7844
- C:\Windows\System\CZFYzsx.exe
  C:\Windows\System\CZFYzsx.exe
  2⤵
  PID:8032
- C:\Windows\System\NnvPUfT.exe
  C:\Windows\System\NnvPUfT.exe
  2⤵
  PID:7220
- C:\Windows\System\Ovjhrtq.exe
  C:\Windows\System\Ovjhrtq.exe
  2⤵
  PID:2976
- C:\Windows\System\wEUuime.exe
  C:\Windows\System\wEUuime.exe
  2⤵
  PID:8020
- C:\Windows\System\qXXZaaC.exe
  C:\Windows\System\qXXZaaC.exe
  2⤵
  PID:8200
- C:\Windows\System\QycodSH.exe
  C:\Windows\System\QycodSH.exe
  2⤵
  PID:8256
- C:\Windows\System\UcyZJpG.exe
  C:\Windows\System\UcyZJpG.exe
  2⤵
  PID:2372
- C:\Windows\System\DxciZJm.exe
  C:\Windows\System\DxciZJm.exe
  2⤵
  PID:4372
- C:\Windows\System\rjbpaSs.exe
  C:\Windows\System\rjbpaSs.exe
  2⤵
  PID:4036
- C:\Windows\System\TPCtyxv.exe
  C:\Windows\System\TPCtyxv.exe
  2⤵
  PID:7668
- C:\Windows\System\psKbFIU.exe
  C:\Windows\System\psKbFIU.exe
  2⤵
  PID:6792
- C:\Windows\System\aWzmDoo.exe
  C:\Windows\System\aWzmDoo.exe
  2⤵
  PID:3912
- C:\Windows\System\aPeyYMv.exe
  C:\Windows\System\aPeyYMv.exe
  2⤵
  PID:4028
- C:\Windows\System\SRoRenc.exe
  C:\Windows\System\SRoRenc.exe
  2⤵
  PID:528
- C:\Windows\System\BryeUkQ.exe
  C:\Windows\System\BryeUkQ.exe
  2⤵
  PID:7076
- C:\Windows\System\keabqhF.exe
  C:\Windows\System\keabqhF.exe
  2⤵
  PID:2104
- C:\Windows\System\yOstoXQ.exe
  C:\Windows\System\yOstoXQ.exe
  2⤵
  PID:8680
- C:\Windows\System\iTwOjcf.exe
  C:\Windows\System\iTwOjcf.exe
  2⤵
  PID:4092
- C:\Windows\System\cvkjssc.exe
  C:\Windows\System\cvkjssc.exe
  2⤵
  PID:4824
- C:\Windows\System\rugsUPv.exe
  C:\Windows\System\rugsUPv.exe
  2⤵
  PID:8904
- C:\Windows\System\aElTnSA.exe
  C:\Windows\System\aElTnSA.exe
  2⤵
  PID:8912
- C:\Windows\System\PzlThgm.exe
  C:\Windows\System\PzlThgm.exe
  2⤵
  PID:8952
- C:\Windows\System\aZWbNua.exe
  C:\Windows\System\aZWbNua.exe
  2⤵
  PID:5056
- C:\Windows\System\kcpnxOn.exe
  C:\Windows\System\kcpnxOn.exe
  2⤵
  PID:7140
- C:\Windows\System\pFwkmPU.exe
  C:\Windows\System\pFwkmPU.exe
  2⤵
  PID:9008
- C:\Windows\System\PGOQZrs.exe
  C:\Windows\System\PGOQZrs.exe
  2⤵
  PID:9052
- C:\Windows\System\rRXujKC.exe
  C:\Windows\System\rRXujKC.exe
  2⤵
  PID:9132
- C:\Windows\System\TOHAtqV.exe
  C:\Windows\System\TOHAtqV.exe
  2⤵
  PID:9168
- C:\Windows\System\uYflDjt.exe
  C:\Windows\System\uYflDjt.exe
  2⤵
  PID:8300
- C:\Windows\System\XsiQjGR.exe
  C:\Windows\System\XsiQjGR.exe
  2⤵
  PID:8460
- C:\Windows\System\ZKyDyIh.exe
  C:\Windows\System\ZKyDyIh.exe
  2⤵
  PID:8420
- C:\Windows\System\PcDohVw.exe
  C:\Windows\System\PcDohVw.exe
  2⤵
  PID:2492
- C:\Windows\System\XfnxKUy.exe
  C:\Windows\System\XfnxKUy.exe
  2⤵
  PID:2664
- C:\Windows\System\GmPMwnT.exe
  C:\Windows\System\GmPMwnT.exe
  2⤵
  PID:4124
- C:\Windows\System\ytJRiqu.exe
  C:\Windows\System\ytJRiqu.exe
  2⤵
  PID:8976
- C:\Windows\System\JfzJPZq.exe
  C:\Windows\System\JfzJPZq.exe
  2⤵
  PID:7420
- C:\Windows\System\cDlzTvv.exe
  C:\Windows\System\cDlzTvv.exe
  2⤵
  PID:2200
- C:\Windows\System\WuIQwUv.exe
  C:\Windows\System\WuIQwUv.exe
  2⤵
  PID:6464
- C:\Windows\System\AaVtbLs.exe
  C:\Windows\System\AaVtbLs.exe
  2⤵
  PID:8744
- C:\Windows\System\YEvXfTO.exe
  C:\Windows\System\YEvXfTO.exe
  2⤵
  PID:8400
- C:\Windows\System\iSgAJFn.exe
  C:\Windows\System\iSgAJFn.exe
  2⤵
  PID:8568
- C:\Windows\System\mYgTElS.exe
  C:\Windows\System\mYgTElS.exe
  2⤵
  PID:8212
- C:\Windows\System\MTvxApO.exe
  C:\Windows\System\MTvxApO.exe
  2⤵
  PID:9324
- C:\Windows\System\lHGzgPz.exe
  C:\Windows\System\lHGzgPz.exe
  2⤵
  PID:9336
- C:\Windows\System\mXLbgvB.exe
  C:\Windows\System\mXLbgvB.exe
  2⤵
  PID:4976
- C:\Windows\System\cmPKPku.exe
  C:\Windows\System\cmPKPku.exe
  2⤵
  PID:1868
- C:\Windows\System\hQhKRiO.exe
  C:\Windows\System\hQhKRiO.exe
  2⤵
  PID:9376
- C:\Windows\System\iXGrOPH.exe
  C:\Windows\System\iXGrOPH.exe
  2⤵
  PID:3936
- C:\Windows\System\eFSUOCK.exe
  C:\Windows\System\eFSUOCK.exe
  2⤵
  PID:9484
- C:\Windows\System\pmztRns.exe
  C:\Windows\System\pmztRns.exe
  2⤵
  PID:7832
- C:\Windows\System\BdGRUbR.exe
  C:\Windows\System\BdGRUbR.exe
  2⤵
  PID:8072
- C:\Windows\System\AQiZYvj.exe
  C:\Windows\System\AQiZYvj.exe
  2⤵
  PID:7008
- C:\Windows\System\FdAXtLQ.exe
  C:\Windows\System\FdAXtLQ.exe
  2⤵
  PID:3008
- C:\Windows\System\apmHclA.exe
  C:\Windows\System\apmHclA.exe
  2⤵
  PID:6164
- C:\Windows\System\ZEkNYkc.exe
  C:\Windows\System\ZEkNYkc.exe
  2⤵
  PID:9600
- C:\Windows\System\dJaXrhC.exe
  C:\Windows\System\dJaXrhC.exe
  2⤵
  PID:4580
- C:\Windows\System\MZIPwHX.exe
  C:\Windows\System\MZIPwHX.exe
  2⤵
  PID:220
- C:\Windows\System\DuiVYjC.exe
  C:\Windows\System\DuiVYjC.exe
  2⤵
  PID:6480
- C:\Windows\System\KADraRo.exe
  C:\Windows\System\KADraRo.exe
  2⤵
  PID:9780
- C:\Windows\System\DJkCTav.exe
  C:\Windows\System\DJkCTav.exe
  2⤵
  PID:2236
- C:\Windows\System\pUcnpNj.exe
  C:\Windows\System\pUcnpNj.exe
  2⤵
  PID:9856
- C:\Windows\System\uZBAoSo.exe
  C:\Windows\System\uZBAoSo.exe
  2⤵
  PID:7624
- C:\Windows\System\cWskhMV.exe
  C:\Windows\System\cWskhMV.exe
  2⤵
  PID:8236
- C:\Windows\System\uYxJopQ.exe
  C:\Windows\System\uYxJopQ.exe
  2⤵
  PID:4020
- C:\Windows\System\CmCWKQD.exe
  C:\Windows\System\CmCWKQD.exe
  2⤵
  PID:6616
- C:\Windows\System\LIOzzHB.exe
  C:\Windows\System\LIOzzHB.exe
  2⤵
  PID:116
- C:\Windows\System\SIBybBO.exe
  C:\Windows\System\SIBybBO.exe
  2⤵
  PID:1236
- C:\Windows\System\VfXuixW.exe
  C:\Windows\System\VfXuixW.exe
  2⤵
  PID:10060
- C:\Windows\System\GPqDgel.exe
  C:\Windows\System\GPqDgel.exe
  2⤵
  PID:6640
- C:\Windows\System\jzZpwPH.exe
  C:\Windows\System\jzZpwPH.exe
  2⤵
  PID:10132
- C:\Windows\System\WQDnAZL.exe
  C:\Windows\System\WQDnAZL.exe
  2⤵
  PID:2872
- C:\Windows\System\xmJZQeL.exe
  C:\Windows\System\xmJZQeL.exe
  2⤵
  PID:2340
- C:\Windows\System\XjZLcsU.exe
  C:\Windows\System\XjZLcsU.exe
  2⤵
  PID:9296
- C:\Windows\System\cGDHwuA.exe
  C:\Windows\System\cGDHwuA.exe
  2⤵
  PID:9408
- C:\Windows\System\AamevMJ.exe
  C:\Windows\System\AamevMJ.exe
  2⤵
  PID:6644
- C:\Windows\System\SSnAOmp.exe
  C:\Windows\System\SSnAOmp.exe
  2⤵
  PID:3388
- C:\Windows\System\iOElSBX.exe
  C:\Windows\System\iOElSBX.exe
  2⤵
  PID:9708
- C:\Windows\System\uQEJinH.exe
  C:\Windows\System\uQEJinH.exe
  2⤵
  PID:6924
- C:\Windows\System\wlhtECQ.exe
  C:\Windows\System\wlhtECQ.exe
  2⤵
  PID:1036
- C:\Windows\System\wPZYXQN.exe
  C:\Windows\System\wPZYXQN.exe
  2⤵
  PID:9812
- C:\Windows\System\wVKCYHx.exe
  C:\Windows\System\wVKCYHx.exe
  2⤵
  PID:3896
- C:\Windows\System\OYYAUps.exe
  C:\Windows\System\OYYAUps.exe
  2⤵
  PID:6152
- C:\Windows\System\lVlXoWW.exe
  C:\Windows\System\lVlXoWW.exe
  2⤵
  PID:3608
- C:\Windows\System\noRJhGa.exe
  C:\Windows\System\noRJhGa.exe
  2⤵
  PID:9908
- C:\Windows\System\PcaWUqL.exe
  C:\Windows\System\PcaWUqL.exe
  2⤵
  PID:10148
- C:\Windows\System\yYNzuJL.exe
  C:\Windows\System\yYNzuJL.exe
  2⤵
  PID:8824
- C:\Windows\System\TVkrxwX.exe
  C:\Windows\System\TVkrxwX.exe
  2⤵
  PID:8088
- C:\Windows\System\hzAKiew.exe
  C:\Windows\System\hzAKiew.exe
  2⤵
  PID:8828
- C:\Windows\System\OvSFjQm.exe
  C:\Windows\System\OvSFjQm.exe
  2⤵
  PID:9080
- C:\Windows\System\MEEmhqB.exe
  C:\Windows\System\MEEmhqB.exe
  2⤵
  PID:1352
- C:\Windows\System\rakpNIm.exe
  C:\Windows\System\rakpNIm.exe
  2⤵
  PID:6380
- C:\Windows\System\dFTqMIO.exe
  C:\Windows\System\dFTqMIO.exe
  2⤵
  PID:3664
- C:\Windows\System\mhaojDI.exe
  C:\Windows\System\mhaojDI.exe
  2⤵
  PID:10436
- C:\Windows\System\kxsQedy.exe
  C:\Windows\System\kxsQedy.exe
  2⤵
  PID:8320
- C:\Windows\System\oGBFoEF.exe
  C:\Windows\System\oGBFoEF.exe
  2⤵
  PID:4384
- C:\Windows\System\SdPHXqn.exe
  C:\Windows\System\SdPHXqn.exe
  2⤵
  PID:8324
- C:\Windows\System\BHCcMlM.exe
  C:\Windows\System\BHCcMlM.exe
  2⤵
  PID:8496
- C:\Windows\System\SWFzDfp.exe
  C:\Windows\System\SWFzDfp.exe
  2⤵
  PID:10552
- C:\Windows\System\OjDmTEP.exe
  C:\Windows\System\OjDmTEP.exe
  2⤵
  PID:5284
- C:\Windows\System\qMilPOr.exe
  C:\Windows\System\qMilPOr.exe
  2⤵
  PID:6648
- C:\Windows\System\XALcclS.exe
  C:\Windows\System\XALcclS.exe
  2⤵
  PID:2992
- C:\Windows\System\niEIiVC.exe
  C:\Windows\System\niEIiVC.exe
  2⤵
  PID:3680
- C:\Windows\System\JepmxVh.exe
  C:\Windows\System\JepmxVh.exe
  2⤵
  PID:5304
- C:\Windows\System\GfhbToJ.exe
  C:\Windows\System\GfhbToJ.exe
  2⤵
  PID:7200
- C:\Windows\System\WnHVQKQ.exe
  C:\Windows\System\WnHVQKQ.exe
  2⤵
  PID:10668
- C:\Windows\System\kqzisBd.exe
  C:\Windows\System\kqzisBd.exe
  2⤵
  PID:10644
- C:\Windows\System\UwpOBlW.exe
  C:\Windows\System\UwpOBlW.exe
  2⤵
  PID:10736
- C:\Windows\System\TGVOhVb.exe
  C:\Windows\System\TGVOhVb.exe
  2⤵
  PID:5380
- C:\Windows\System\fkTongu.exe
  C:\Windows\System\fkTongu.exe
  2⤵
  PID:3496
- C:\Windows\System\ziijnvO.exe
  C:\Windows\System\ziijnvO.exe
  2⤵
  PID:8316
- C:\Windows\System\agxSfHI.exe
  C:\Windows\System\agxSfHI.exe
  2⤵
  PID:10896
- C:\Windows\System\ColDOnX.exe
  C:\Windows\System\ColDOnX.exe
  2⤵
  PID:4076
- C:\Windows\System\mXRPYmN.exe
  C:\Windows\System\mXRPYmN.exe
  2⤵
  PID:8772
- C:\Windows\System\bUWPdNx.exe
  C:\Windows\System\bUWPdNx.exe
  2⤵
  PID:8624
- C:\Windows\System\eZTtgbc.exe
  C:\Windows\System\eZTtgbc.exe
  2⤵
  PID:12880
- C:\Windows\System\EcXaSQL.exe
  C:\Windows\System\EcXaSQL.exe
  2⤵
  PID:5504
- C:\Windows\System\otEoVEb.exe
  C:\Windows\System\otEoVEb.exe
  2⤵
  PID:11060
- C:\Windows\System\XSbRInj.exe
  C:\Windows\System\XSbRInj.exe
  2⤵
  PID:3084
- C:\Windows\System\QpZgfHR.exe
  C:\Windows\System\QpZgfHR.exe
  2⤵
  PID:5532
- C:\Windows\System\Teimacd.exe
  C:\Windows\System\Teimacd.exe
  2⤵
  PID:9332
- C:\Windows\System\lZKoiiy.exe
  C:\Windows\System\lZKoiiy.exe
  2⤵
  PID:5612
- C:\Windows\System\gOuzZmN.exe
  C:\Windows\System\gOuzZmN.exe
  2⤵
  PID:12956
- C:\Windows\System\zQOEKgv.exe
  C:\Windows\System\zQOEKgv.exe
  2⤵
  PID:2012
- C:\Windows\System\Mjuakoq.exe
  C:\Windows\System\Mjuakoq.exe
  2⤵
  PID:5648
- C:\Windows\System\lghDRkJ.exe
  C:\Windows\System\lghDRkJ.exe
  2⤵
  PID:7876
- C:\Windows\System\Dvszrju.exe
  C:\Windows\System\Dvszrju.exe
  2⤵
  PID:9420
- C:\Windows\System\cApDJPr.exe
  C:\Windows\System\cApDJPr.exe
  2⤵
  PID:9500
- C:\Windows\System\giEDajY.exe
  C:\Windows\System\giEDajY.exe
  2⤵
  PID:10388
- C:\Windows\System\mdvfvOP.exe
  C:\Windows\System\mdvfvOP.exe
  2⤵
  PID:7996
- C:\Windows\System\zVUZuJD.exe
  C:\Windows\System\zVUZuJD.exe
  2⤵
  PID:10616
- C:\Windows\System\pzOvxFd.exe
  C:\Windows\System\pzOvxFd.exe
  2⤵
  PID:3216
- C:\Windows\System\OFnmPxE.exe
  C:\Windows\System\OFnmPxE.exe
  2⤵
  PID:60
- C:\Windows\System\AEDaJhY.exe
  C:\Windows\System\AEDaJhY.exe
  2⤵
  PID:1232
- C:\Windows\System\VSLfFzd.exe
  C:\Windows\System\VSLfFzd.exe
  2⤵
  PID:10716
- C:\Windows\System\xEzKKVV.exe
  C:\Windows\System\xEzKKVV.exe
  2⤵
  PID:1192
- C:\Windows\System\sMgyKmV.exe
  C:\Windows\System\sMgyKmV.exe
  2⤵
  PID:804
- C:\Windows\System\fOMkjXj.exe
  C:\Windows\System\fOMkjXj.exe
  2⤵
  PID:9580
- C:\Windows\System\qfnzFOa.exe
  C:\Windows\System\qfnzFOa.exe
  2⤵
  PID:9752
- C:\Windows\System\xfTlCww.exe
  C:\Windows\System\xfTlCww.exe
  2⤵
  PID:1408
- C:\Windows\System\qxTuZlN.exe
  C:\Windows\System\qxTuZlN.exe
  2⤵
  PID:5912
- C:\Windows\System\oZoqipj.exe
  C:\Windows\System\oZoqipj.exe
  2⤵
  PID:5940
- C:\Windows\System\JZXZiEU.exe
  C:\Windows\System\JZXZiEU.exe
  2⤵
  PID:5984
- C:\Windows\System\VHlFvtg.exe
  C:\Windows\System\VHlFvtg.exe
  2⤵
  PID:9804
- C:\Windows\System\SYWGkBq.exe
  C:\Windows\System\SYWGkBq.exe
  2⤵
  PID:2344
- C:\Windows\System\lnfHsfD.exe
  C:\Windows\System\lnfHsfD.exe
  2⤵
  PID:10992
- C:\Windows\System\MqWxXYe.exe
  C:\Windows\System\MqWxXYe.exe
  2⤵
  PID:3980
- C:\Windows\System\NetmRIC.exe
  C:\Windows\System\NetmRIC.exe
  2⤵
  PID:8216
- C:\Windows\System\umpiTVn.exe
  C:\Windows\System\umpiTVn.exe
  2⤵
  PID:9880
- C:\Windows\System\ZIxlwRD.exe
  C:\Windows\System\ZIxlwRD.exe
  2⤵
  PID:6136
- C:\Windows\System\AxtqpDJ.exe
  C:\Windows\System\AxtqpDJ.exe
  2⤵
  PID:1556
- C:\Windows\System\kCoQkFM.exe
  C:\Windows\System\kCoQkFM.exe
  2⤵
  PID:11404
- C:\Windows\System\nPJuyYt.exe
  C:\Windows\System\nPJuyYt.exe
  2⤵
  PID:11472
- C:\Windows\System\frrVSRa.exe
  C:\Windows\System\frrVSRa.exe
  2⤵
  PID:3060
- C:\Windows\System\FbWRkZn.exe
  C:\Windows\System\FbWRkZn.exe
  2⤵
  PID:1392
- C:\Windows\System\WpFMNAT.exe
  C:\Windows\System\WpFMNAT.exe
  2⤵
  PID:10120
- C:\Windows\System\DyssEuc.exe
  C:\Windows\System\DyssEuc.exe
  2⤵
  PID:5244
- C:\Windows\System\TrowdiE.exe
  C:\Windows\System\TrowdiE.exe
  2⤵
  PID:11640
- C:\Windows\System\jgHGGUM.exe
  C:\Windows\System\jgHGGUM.exe
  2⤵
  PID:5308
- C:\Windows\System\MyLRxeK.exe
  C:\Windows\System\MyLRxeK.exe
  2⤵
  PID:11712
- C:\Windows\System\CIcsJpq.exe
  C:\Windows\System\CIcsJpq.exe
  2⤵
  PID:5384
- C:\Windows\System\uiCPeuD.exe
  C:\Windows\System\uiCPeuD.exe
  2⤵
  PID:5444
- C:\Windows\System\IgaEljo.exe
  C:\Windows\System\IgaEljo.exe
  2⤵
  PID:11864
- C:\Windows\System\NooetLv.exe
  C:\Windows\System\NooetLv.exe
  2⤵
  PID:9624
- C:\Windows\System\VHWFZoF.exe
  C:\Windows\System\VHWFZoF.exe
  2⤵
  PID:4368
- C:\Windows\System\bNaylVl.exe
  C:\Windows\System\bNaylVl.exe
  2⤵
  PID:12044
- C:\Windows\System\fhfPJyT.exe
  C:\Windows\System\fhfPJyT.exe
  2⤵
  PID:8632
- C:\Windows\System\XOwUnBv.exe
  C:\Windows\System\XOwUnBv.exe
  2⤵
  PID:5808
- C:\Windows\System\azqRjvl.exe
  C:\Windows\System\azqRjvl.exe
  2⤵
  PID:8676
- C:\Windows\System\pghWMLI.exe
  C:\Windows\System\pghWMLI.exe
  2⤵
  PID:4328
- C:\Windows\System\udfvmkB.exe
  C:\Windows\System\udfvmkB.exe
  2⤵
  PID:1248
- C:\Windows\System\LUgrnpo.exe
  C:\Windows\System\LUgrnpo.exe
  2⤵
  PID:10312
- C:\Windows\System\YQTmjse.exe
  C:\Windows\System\YQTmjse.exe
  2⤵
  PID:5864
- C:\Windows\System\muEVBvI.exe
  C:\Windows\System\muEVBvI.exe
  2⤵
  PID:11872
- C:\Windows\System\SFmqcbI.exe
  C:\Windows\System\SFmqcbI.exe
  2⤵
  PID:11188
- C:\Windows\System\rIizMaj.exe
  C:\Windows\System\rIizMaj.exe
  2⤵
  PID:11984
- C:\Windows\System\ONhhGSk.exe
  C:\Windows\System\ONhhGSk.exe
  2⤵
  PID:7636
- C:\Windows\System\hlsevnn.exe
  C:\Windows\System\hlsevnn.exe
  2⤵
  PID:8956
- C:\Windows\System\QPEmoWu.exe
  C:\Windows\System\QPEmoWu.exe
  2⤵
  PID:6572
- C:\Windows\System\iHosqAh.exe
  C:\Windows\System\iHosqAh.exe
  2⤵
  PID:5256
- C:\Windows\System\DmQiBKC.exe
  C:\Windows\System\DmQiBKC.exe
  2⤵
  PID:8640
- C:\Windows\System\dtHrUwM.exe
  C:\Windows\System\dtHrUwM.exe
  2⤵
  PID:10592
- C:\Windows\System\bNRaiNR.exe
  C:\Windows\System\bNRaiNR.exe
  2⤵
  PID:5324
- C:\Windows\System\YGccelu.exe
  C:\Windows\System\YGccelu.exe
  2⤵
  PID:5720
- C:\Windows\System\dMUTPaQ.exe
  C:\Windows\System\dMUTPaQ.exe
  2⤵
  PID:1172
- C:\Windows\System\xnzkdRj.exe
  C:\Windows\System\xnzkdRj.exe
  2⤵
  PID:3508
- C:\Windows\System\qfIHJfB.exe
  C:\Windows\System\qfIHJfB.exe
  2⤵
  PID:12316
- C:\Windows\System\UHhpIAv.exe
  C:\Windows\System\UHhpIAv.exe
  2⤵
  PID:12300
- C:\Windows\System\TMEBDyf.exe
  C:\Windows\System\TMEBDyf.exe
  2⤵
  PID:12344
- C:\Windows\System\TYfoFOu.exe
  C:\Windows\System\TYfoFOu.exe
  2⤵
  PID:1128
- C:\Windows\System\SQKqYdF.exe
  C:\Windows\System\SQKqYdF.exe
  2⤵
  PID:4812
- C:\Windows\System\VbgDPVx.exe
  C:\Windows\System\VbgDPVx.exe
  2⤵
  PID:12496
- C:\Windows\System\yZVvbDz.exe
  C:\Windows\System\yZVvbDz.exe
  2⤵
  PID:9176
- C:\Windows\System\ITZUADi.exe
  C:\Windows\System\ITZUADi.exe
  2⤵
  PID:8996
- C:\Windows\System\XisVAly.exe
  C:\Windows\System\XisVAly.exe
  2⤵
  PID:12688
- C:\Windows\System\ElgnIid.exe
  C:\Windows\System\ElgnIid.exe
  2⤵
  PID:5528
- C:\Windows\System\lpXVBdY.exe
  C:\Windows\System\lpXVBdY.exe
  2⤵
  PID:5484
- C:\Windows\System\XapUdOX.exe
  C:\Windows\System\XapUdOX.exe
  2⤵
  PID:12840
- C:\Windows\System\jkpwGRd.exe
  C:\Windows\System\jkpwGRd.exe
  2⤵
  PID:5700
- C:\Windows\System\dAcDTOr.exe
  C:\Windows\System\dAcDTOr.exe
  2⤵
  PID:9320
- C:\Windows\System\ouiEnYS.exe
  C:\Windows\System\ouiEnYS.exe
  2⤵
  PID:11128
- C:\Windows\System\esDhYmA.exe
  C:\Windows\System\esDhYmA.exe
  2⤵
  PID:13000
- C:\Windows\System\FkQdBMD.exe
  C:\Windows\System\FkQdBMD.exe
  2⤵
  PID:2744
- C:\Windows\System\aPckGhV.exe
  C:\Windows\System\aPckGhV.exe
  2⤵
  PID:4052
- C:\Windows\System\FXUPyAH.exe
  C:\Windows\System\FXUPyAH.exe
  2⤵
  PID:13100
- C:\Windows\System\zKilesf.exe
  C:\Windows\System\zKilesf.exe
  2⤵
  PID:9400
- C:\Windows\System\vaDhIeY.exe
  C:\Windows\System\vaDhIeY.exe
  2⤵
  PID:5660
- C:\Windows\System\QuUHdEk.exe
  C:\Windows\System\QuUHdEk.exe
  2⤵
  PID:11260
- C:\Windows\System\hRBHrJG.exe
  C:\Windows\System\hRBHrJG.exe
  2⤵
  PID:13220
- C:\Windows\System\FMJkeAc.exe
  C:\Windows\System\FMJkeAc.exe
  2⤵
  PID:10344
- C:\Windows\System\mlCTSfX.exe
  C:\Windows\System\mlCTSfX.exe
  2⤵
  PID:10532
- C:\Windows\System\MyCaPXo.exe
  C:\Windows\System\MyCaPXo.exe
  2⤵
  PID:4948
- C:\Windows\System\tpCzaWz.exe
  C:\Windows\System\tpCzaWz.exe
  2⤵
  PID:12500
- C:\Windows\System\gIKPieA.exe
  C:\Windows\System\gIKPieA.exe
  2⤵
  PID:5028
- C:\Windows\System\ezltZye.exe
  C:\Windows\System\ezltZye.exe
  2⤵
  PID:1584
- C:\Windows\System\jwiQCxt.exe
  C:\Windows\System\jwiQCxt.exe
  2⤵
  PID:7972
- C:\Windows\System\CnkvJBi.exe
  C:\Windows\System\CnkvJBi.exe
  2⤵
  PID:5884
- C:\Windows\System\qytpOLk.exe
  C:\Windows\System\qytpOLk.exe
  2⤵
  PID:5928
- C:\Windows\System\rmtCGaw.exe
  C:\Windows\System\rmtCGaw.exe
  2⤵
  PID:2352
- C:\Windows\System\dXquxAL.exe
  C:\Windows\System\dXquxAL.exe
  2⤵
  PID:440
- C:\Windows\System\kGgdZVY.exe
  C:\Windows\System\kGgdZVY.exe
  2⤵
  PID:11180
- C:\Windows\System\xmgmOXc.exe
  C:\Windows\System\xmgmOXc.exe
  2⤵
  PID:10504
- C:\Windows\System\KKWpikh.exe
  C:\Windows\System\KKWpikh.exe
  2⤵
  PID:3128
- C:\Windows\System\CLYaxnq.exe
  C:\Windows\System\CLYaxnq.exe
  2⤵
  PID:4312
- C:\Windows\System\ouQfRaa.exe
  C:\Windows\System\ouQfRaa.exe
  2⤵
  PID:6108
- C:\Windows\System\SbNFaMw.exe
  C:\Windows\System\SbNFaMw.exe
  2⤵
  PID:6216
- C:\Windows\System\fFZaXBu.exe
  C:\Windows\System\fFZaXBu.exe
  2⤵
  PID:6384
- C:\Windows\System\Lruqdyo.exe
  C:\Windows\System\Lruqdyo.exe
  2⤵
  PID:11484
- C:\Windows\System\UoRYwjW.exe
  C:\Windows\System\UoRYwjW.exe
  2⤵
  PID:11528
- C:\Windows\System\oroSsIo.exe
  C:\Windows\System\oroSsIo.exe
  2⤵
  PID:11600
- C:\Windows\System\yrflJkL.exe
  C:\Windows\System\yrflJkL.exe
  2⤵
  PID:6920
- C:\Windows\System\KPIbgIt.exe
  C:\Windows\System\KPIbgIt.exe
  2⤵
  PID:11636
- C:\Windows\System\iAwUOJw.exe
  C:\Windows\System\iAwUOJw.exe
  2⤵
  PID:6612
- C:\Windows\System\MCADBZC.exe
  C:\Windows\System\MCADBZC.exe
  2⤵
  PID:11764
- C:\Windows\System\CMCBkKF.exe
  C:\Windows\System\CMCBkKF.exe
  2⤵
  PID:6608
- C:\Windows\System\JnrXJDk.exe
  C:\Windows\System\JnrXJDk.exe
  2⤵
  PID:5568
- C:\Windows\System\dFtpjQj.exe
  C:\Windows\System\dFtpjQj.exe
  2⤵
  PID:4128
- C:\Windows\System\JxbBWFC.exe
  C:\Windows\System\JxbBWFC.exe
  2⤵
  PID:4084
- C:\Windows\System\DPiSevw.exe
  C:\Windows\System\DPiSevw.exe
  2⤵
  PID:8660
- C:\Windows\System\CKehwPF.exe
  C:\Windows\System\CKehwPF.exe
  2⤵
  PID:9404
- C:\Windows\System\LrfoaDI.exe
  C:\Windows\System\LrfoaDI.exe
  2⤵
  PID:6552
- C:\Windows\System\vZQQLsT.exe
  C:\Windows\System\vZQQLsT.exe
  2⤵
  PID:6376
- C:\Windows\System\BKLXSSk.exe
  C:\Windows\System\BKLXSSk.exe
  2⤵
  PID:6400
- C:\Windows\System\lAVbZKA.exe
  C:\Windows\System\lAVbZKA.exe
  2⤵
  PID:11072
- C:\Windows\System\svYXBpm.exe
  C:\Windows\System\svYXBpm.exe
  2⤵
  PID:9540
- C:\Windows\System\GGbPeyI.exe
  C:\Windows\System\GGbPeyI.exe
  2⤵
  PID:6760
- C:\Windows\System\pjveIUB.exe
  C:\Windows\System\pjveIUB.exe
  2⤵
  PID:1112
- C:\Windows\System\lseGPWr.exe
  C:\Windows\System\lseGPWr.exe
  2⤵
  PID:10408
- C:\Windows\System\VnsOsaU.exe
  C:\Windows\System\VnsOsaU.exe
  2⤵
  PID:2380
- C:\Windows\System\PXBUWli.exe
  C:\Windows\System\PXBUWli.exe
  2⤵
  PID:7160
- C:\Windows\System\RUAdRPp.exe
  C:\Windows\System\RUAdRPp.exe
  2⤵
  PID:11460
- C:\Windows\System\gIYRjse.exe
  C:\Windows\System\gIYRjse.exe
  2⤵
  PID:10696
- C:\Windows\System\xnzQjVX.exe
  C:\Windows\System\xnzQjVX.exe
  2⤵
  PID:388
- C:\Windows\System\qdQvQyY.exe
  C:\Windows\System\qdQvQyY.exe
  2⤵
  PID:7184
- C:\Windows\System\kndoVvr.exe
  C:\Windows\System\kndoVvr.exe
  2⤵
  PID:5340
- C:\Windows\System\TuBhFJU.exe
  C:\Windows\System\TuBhFJU.exe
  2⤵
  PID:2456
- C:\Windows\System\agEBPmv.exe
  C:\Windows\System\agEBPmv.exe
  2⤵
  PID:1052
- C:\Windows\System\mbjMCSe.exe
  C:\Windows\System\mbjMCSe.exe
  2⤵
  PID:12320
- C:\Windows\System\ExlWhxY.exe
  C:\Windows\System\ExlWhxY.exe
  2⤵
  PID:7444
- C:\Windows\System\KiOfQQU.exe
  C:\Windows\System\KiOfQQU.exe
  2⤵
  PID:8992
- C:\Windows\System\IwqkMaa.exe
  C:\Windows\System\IwqkMaa.exe
  2⤵
  PID:12468
- C:\Windows\System\msemcef.exe
  C:\Windows\System\msemcef.exe
  2⤵
  PID:12552
- C:\Windows\System\HdzAhbD.exe
  C:\Windows\System\HdzAhbD.exe
  2⤵
  PID:7680
- C:\Windows\System\juUVQTZ.exe
  C:\Windows\System\juUVQTZ.exe
  2⤵
  PID:7788
- C:\Windows\System\lxVUUNT.exe
  C:\Windows\System\lxVUUNT.exe
  2⤵
  PID:9260
- C:\Windows\System\PsqBmfL.exe
  C:\Windows\System\PsqBmfL.exe
  2⤵
  PID:7804
- C:\Windows\System\lZEcgFR.exe
  C:\Windows\System\lZEcgFR.exe
  2⤵
  PID:6036
- C:\Windows\System\KxKCcGE.exe
  C:\Windows\System\KxKCcGE.exe
  2⤵
  PID:5924
- C:\Windows\System\MLEDtED.exe
  C:\Windows\System\MLEDtED.exe
  2⤵
  PID:12904
- C:\Windows\System\PTTlxhj.exe
  C:\Windows\System\PTTlxhj.exe
  2⤵
  PID:5192
- C:\Windows\System\AgCwOZF.exe
  C:\Windows\System\AgCwOZF.exe
  2⤵
  PID:4560
- C:\Windows\System\nSRSnNc.exe
  C:\Windows\System\nSRSnNc.exe
  2⤵
  PID:4844
- C:\Windows\System\hMbpaUX.exe
  C:\Windows\System\hMbpaUX.exe
  2⤵
  PID:5328
- C:\Windows\System\FfLIQCv.exe
  C:\Windows\System\FfLIQCv.exe
  2⤵
  PID:7328
- C:\Windows\System\uFdCkgU.exe
  C:\Windows\System\uFdCkgU.exe
  2⤵
  PID:5704
- C:\Windows\System\jwLcyrA.exe
  C:\Windows\System\jwLcyrA.exe
  2⤵
  PID:7748
- C:\Windows\System\GUjnbDE.exe
  C:\Windows\System\GUjnbDE.exe
  2⤵
  PID:5392
- C:\Windows\System\EWCKQmk.exe
  C:\Windows\System\EWCKQmk.exe
  2⤵
  PID:5760
- C:\Windows\System\qhZPChZ.exe
  C:\Windows\System\qhZPChZ.exe
  2⤵
  PID:12408
- C:\Windows\System\CDWYjXu.exe
  C:\Windows\System\CDWYjXu.exe
  2⤵
  PID:9528
- C:\Windows\System\zApLDFo.exe
  C:\Windows\System\zApLDFo.exe
  2⤵
  PID:10752
- C:\Windows\System\hgvsnZh.exe
  C:\Windows\System\hgvsnZh.exe
  2⤵
  PID:7040
- C:\Windows\System\fiegrlW.exe
  C:\Windows\System\fiegrlW.exe
  2⤵
  PID:5856
- C:\Windows\System\SkHcjIc.exe
  C:\Windows\System\SkHcjIc.exe
  2⤵
  PID:11240
- C:\Windows\System\cJVdkEn.exe
  C:\Windows\System\cJVdkEn.exe
  2⤵
  PID:9684
- C:\Windows\System\hBaOvPk.exe
  C:\Windows\System\hBaOvPk.exe
  2⤵
  PID:5956
- C:\Windows\System\YjsDsVQ.exe
  C:\Windows\System\YjsDsVQ.exe
  2⤵
  PID:8040
- C:\Windows\System\QxCkgXG.exe
  C:\Windows\System\QxCkgXG.exe
  2⤵
  PID:1364
- C:\Windows\System\uCqfQLm.exe
  C:\Windows\System\uCqfQLm.exe
  2⤵
  PID:6076
- C:\Windows\System\RbVMPjU.exe
  C:\Windows\System\RbVMPjU.exe
  2⤵
  PID:8456
- C:\Windows\System\zUhinJd.exe
  C:\Windows\System\zUhinJd.exe
  2⤵
  PID:8392
- C:\Windows\System\cFkOheI.exe
  C:\Windows\System\cFkOheI.exe
  2⤵
  PID:8584
- C:\Windows\System\TBFbPiS.exe
  C:\Windows\System\TBFbPiS.exe
  2⤵
  PID:10128
- C:\Windows\System\CtEgjpf.exe
  C:\Windows\System\CtEgjpf.exe
  2⤵
  PID:9220
- C:\Windows\System\onLEeGI.exe
  C:\Windows\System\onLEeGI.exe
  2⤵
  PID:5368
- C:\Windows\System\CoHYjqb.exe
  C:\Windows\System\CoHYjqb.exe
  2⤵
  PID:4932
- C:\Windows\System\IRpVcNT.exe
  C:\Windows\System\IRpVcNT.exe
  2⤵
  PID:5512
- C:\Windows\System\dYLInba.exe
  C:\Windows\System\dYLInba.exe
  2⤵
  PID:6140
- C:\Windows\System\bUDRFGh.exe
  C:\Windows\System\bUDRFGh.exe
  2⤵
  PID:12104
- C:\Windows\System\XcbLlQS.exe
  C:\Windows\System\XcbLlQS.exe
  2⤵
  PID:3836
- C:\Windows\System\tkMjoBi.exe
  C:\Windows\System\tkMjoBi.exe
  2⤵
  PID:4496
- C:\Windows\System\KgxCaxk.exe
  C:\Windows\System\KgxCaxk.exe
  2⤵
  PID:6776
- C:\Windows\System\ErVVVIG.exe
  C:\Windows\System\ErVVVIG.exe
  2⤵
  PID:8740

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv IHfcHxU1IkG8O7hNlTgpJA.0.1
1⤵
PID:12908
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 12908 -s 424
  2⤵
  - Drops file in System32 directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:12764

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 12908 -i 12908 -h 480 -j 464 -s 496 -d 4048
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:12604

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3304

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2348

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:13152
- C:\Windows\explorer.exe
  explorer.exe /LOADSAVEDWINDOWS
  2⤵
  - Modifies Installed Components in the registry
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:12812

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3848

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\3MKUANJA\microsoft.windows[1].xml

Filesize
97B

MD5
6a517bf11dbd236d703ed9898dd3f910

SHA1
f8d64563b0eaba616dc29496c51f795ede02d767

SHA256
d7b7aa87d942a062dd03f78ade8fab7d8efcba60b8c44c52326eea574eeb182b

SHA512
04f15407222285b97dfff27db7320a590d20c7982d13e2eabc68d3b99fce2863951de8321780e7e70d0d187297c6ee6202014dc0ac6d30a7010bff59be769058

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588667749687842.txt

Filesize
75KB

MD5
8cdd0e31fdc880d03dd47abc4b0efbf9

SHA1
37648604549b090bc8683dffda89fe8338b18d9c

SHA256
edf5f36d377aa149ebfbf55c896fe8716ea11f49a9ec61df2d327bc43c835bab

SHA512
b7cb49eb50e7b5e0d36c7e971b39bde726d36383f5723ad5bb082c266435550030d5a8b53eda5c2ddfc720d73007aba4ffd36b32949161876104328d98a9a511

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3ip10fkh.kup.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BHMftzC.exe

Filesize
2.2MB

MD5
c4a2d932660f0bb7a4136da370923845

SHA1
61f6709d495691cf2a928f8bb5fbb97b6e6a3f66

SHA256
1d7c1c40edb7ed1d4b98a112a2b781a303da9c79e8ed93a7bd200d18b5ce6557

SHA512
351db91f63a459f2e19cf8112898a71c89a7d448125e4cdbf3dfc68877cc9965c21ae3da5d885c59e87ab7b1c52c16bb54ed88730832b567c5d78af4a8137f2d

Download Submit
C:\Windows\System\GsINEUh.exe

Filesize
2.2MB

MD5
b79665fa1410ca806f8c867a421872c2

SHA1
4b029605ed4ff6d201c5a0f78a31a0ec7c9599bc

SHA256
d2bc4a2d5b90fef2a64a1bb0f13704c0d414ca558829d0e69337cbe42e2a5c21

SHA512
aa923808babdbf005389b243bb9ae64450bc61f0786163510baf7698723826e9e8a5fcee87d4ab3383ff63536495bca8c5f9e036644f0df7663da56994fb7b3e

Download Submit
C:\Windows\System\HgPAHtx.exe

Filesize
2.2MB

MD5
bc447366ee488a7a0a81c9800f217521

SHA1
e4772b8cc9c624f094a6caa83381ca5de5403f57

SHA256
811ee29cffe091a92e1d94aaac5e2b96c040a1937e512d2cafae505569f7d310

SHA512
c2d19930155ccdb2e59b570984e68ab515314117bdb84d5bf725f1240ee4967692cab7ce42cd64301ca28b84ca4f105067352c2b77cfd8bb8d571570c512ed3f

Download Submit
C:\Windows\System\Ifwxkpe.exe

Filesize
2.2MB

MD5
2ab064e8ddced6687d4b5bace2a42202

SHA1
76fb4027b97970eb09d19684413425971bf2d9b4

SHA256
fe41e1ab2d7f139bdacdb40f84be441d65f2c38cf907a1fc5b76bebb8db70936

SHA512
b99363901a0a7e84e4d65adc1eb3b5ea9bc729b3be6c83bce081401c12a565d78fcefadc0de34b3ef5c0a7a881ff77a439da0a814c607feddd70937ba85b1db1

Download Submit
C:\Windows\System\JZynNgd.exe

Filesize
2.2MB

MD5
39ee51bf4f2aa4e934558ad8885591d1

SHA1
4f183d4692f01b22576da7903d38398ab6530cf0

SHA256
0f8679be8904a71c5a6757d71796aa580869d454bcfe1743d6c959765aa3117a

SHA512
bab14f04c24fb20dd2fb1524f6f0b288393a442b5779584e11a957b980ae1f00fe041362c44c326e7ab4984d2201850374b2dca26328f8999ce0837bedf3c7c4

Download Submit
C:\Windows\System\KZIWusW.exe

Filesize
2.2MB

MD5
52477e3faab9e13d939be9066eac1f39

SHA1
6434969da6c7124901878e3489d2adce89e49dd4

SHA256
87937d98e11cdd38da285621a7de20211ee52578a208b838fd5eb3c2fad4cbfe

SHA512
87fc4574d6ab171f09be771757ac09c76a9b39a9027d030b2c9dfb9f8249688d0c186d8415890724d28dd5c14fca5c240aa1d503f6b6d85cb06e7da7a770bf79

Download Submit
C:\Windows\System\KjcKJzu.exe

Filesize
2.2MB

MD5
635596941ba16be47e937ddc601f03b4

SHA1
68953e6108005e45b6661a4a7570df0dacd49419

SHA256
84d4964acc601e1296363c8b467d5348fc3df8cc83781470d1a5a2a47b17bfbb

SHA512
8bd4308c72cc8d18c826bfcdb37df19a35b9d976731a89e8891a331810d38c8cf2c257d7100ed11e6c56315eaedbf27b1d22402f0a5dcaab3234be9ed79ff98d

Download Submit
C:\Windows\System\MIoliEu.exe

Filesize
2.2MB

MD5
7791473157dbf134b959312dbf50f7be

SHA1
e4725edba512e61feb879734e4c34f3df16f52a3

SHA256
7855b39c4006100e55b199d008cdebb9780bbf05ad769f28ec383059d45de86b

SHA512
0234d0af5858b59945aa7252ecea3d62cc78125fa02bb87375718e6b32cacfd7b1109c460aab05fba9e910a088a52f286624b207b347bf09e7d5176d72404f04

Download Submit
C:\Windows\System\MulrMZy.exe

Filesize
2.2MB

MD5
b0a557bcddb0da341a21903ee5edb375

SHA1
367dea3ebc105d5daa7df12bad1d671eabd526ae

SHA256
7915b52b5f63f225e1d7d361954e61b5e5ab2231ca61a9af7055271b0e38e334

SHA512
0d4528aa4a38aa8ae08f677d6084e7dcf962e847bd708ff26505dd4182900c225278e11b8dbc461cfa110aba3b54fe017d7307a66949d6cf35ae5b66f5e98a4f

Download Submit
C:\Windows\System\RPpSzVG.exe

Filesize
2.2MB

MD5
0264261b80101c8c3b8d4e5ee679059b

SHA1
9453784673814e139ee1908b1bda670a6eb368c7

SHA256
0dfbe8dbd79c960849456ded6cc9e4902e8d3ddf83d0347f348b9e2806dd34b0

SHA512
bf6a079247f4e9e2401d21def8a4c6adc0e84f2156aa6328c6883aa6bb27f002a8be151daa2b2bbf41b598212b7fa67398eeadc3a40696d0b56e7afe9f3ee52c

Download Submit
C:\Windows\System\TJulJky.exe

Filesize
2.2MB

MD5
bd34ff1bda984a3ac791ec80068cfb13

SHA1
c63654cad74b4b9830931990753f86497e52205c

SHA256
bd9e52cd697a2f0480522105c4789e8f19d74c389d6b68ac73d10f2b2aca43ca

SHA512
655b224ead5478418e4691bc3b44d669eadfa864d0e4502b10d445991c1fe568768007758373f80dc2164e41f4c929e51b9f13778b5b56a4fb8d61eb3c6416a5

Download Submit
C:\Windows\System\TqApkft.exe

Filesize
2.2MB

MD5
1e0b1c7d6de67cebca2a71cfd4fcc9ee

SHA1
3563ef5840006903863f05bf47ac0c4fcc1c430b

SHA256
74bafd0d9848cf9feec504dde2b69a8518dce63b4ace1d5793c569400f288fa4

SHA512
e5a7d86d272bb2e3da7cd441be8b33ed521efdfeb03e023ce093c0069fc5c646ad8ac98a60e58edc5d096875ca172e4285824f0314792391c8cddf37dc31015b

Download Submit
C:\Windows\System\WMKbMkO.exe

Filesize
2.2MB

MD5
b92d9a5da0530b37d7b5afbf2e6b561c

SHA1
c75abd738fb13bb6e4ac35b3a53813b28224dc6f

SHA256
46f806d59f09493baec58ac4b46bae28d1d8eb6e992d82f6f8dddd880b52234f

SHA512
61268c7c4081c9644ab3aa31e47c4d3ac61db7d6360084f1dae571f8b184581ac075d50e7c4b976914be09b2b927c059877e536cf2a5792216820a482e8d61d3

Download Submit
C:\Windows\System\XKydOys.exe

Filesize
2.2MB

MD5
63dc8aff4aa2adef6d718b4989eb12f2

SHA1
34c98c54f9fa8938e537e8c0249747940e6ca2fc

SHA256
ce3aad6b18f926e7721f2dec99cb7fcdc267f6e741c88da4492094df878e90b9

SHA512
9814e13387edcd3ac7a51e69c0bb5e0492fe00aaa37de3b8447566e430a78ebda730c461646b3524fb6a4362ca4907ff9e6d16c0feaa4c60de3eade529b8cc0e

Download Submit
C:\Windows\System\YKNZoQd.exe

Filesize
2.2MB

MD5
8cc7710fd84f54ac22e96e02eb06b0ef

SHA1
de2c08af165230a00385809ab6eb66d6adf282fa

SHA256
dc4256fc0098c635f2ab903ef6c333a4013abc8b399782a8dfdd8e044a946ce8

SHA512
1f48c6063e759db22960f99f649265605e1530986aae62ca5625bdc810ce51b2afac56dd8460754b3ccc314a11f2148c0164916db67006f96cf92f61d6babdff

Download Submit
C:\Windows\System\ZaogagY.exe

Filesize
2.2MB

MD5
b69b039adb7da3bb4b30abb5ea1b71b2

SHA1
c5f0842bb0b3764a0752b13f3cc3d5d8387f450b

SHA256
ba2ed3c089ce91d2076918f25f6f752fb846ec3c19d51f4fcd127c31b5c8aaed

SHA512
c221a832bc11b9e253ab0f7e1a30a3b3ca295a716f3dbbb97ccc442cd4b9639926b2c5347b51af74f4a5241071850adc58534c545da797c52bc1ec76180a80f3

Download Submit
C:\Windows\System\ZtKoRbH.exe

Filesize
2.2MB

MD5
e639dd34969c862913fa723c45cee5a4

SHA1
1ca98c58ae029059244fd1ee5d804a2294169c92

SHA256
db86ba867fcf59036886ba3e1c8cb74577dbfae95ace4a983ece0fa7b38b2e1c

SHA512
94a373db884e9e092c6e16eb1bbbd4b55c7a16a6375401bba238313d85b996be60da972aec71f55a21419ca24d59707b7f09b7eba80eaa9dd1301ee613214975

Download Submit
C:\Windows\System\ZxsEvcT.exe

Filesize
2.2MB

MD5
30c76cf7de883f5e49e538cc8d326377

SHA1
cfadb4da2bb8b0504f200f4e7927886217f8c749

SHA256
cab686ad52f87df9d4e7098e88cab4689a54ba9ae6837a333b7a84d2c8df82aa

SHA512
b9d808a24da13e436feb5cc895d94054a53332f074ad6200297f56143472ffd148c6526a386f494aa264e47c9976b159ad10364c040149651eb8d19fb3f686f8

Download Submit
C:\Windows\System\aeuSrrX.exe

Filesize
2.2MB

MD5
c1f8f17681ce930f2543fb66ea9d8439

SHA1
4c95c9f9193708a7b4390dfe0eda56caccb8075a

SHA256
495749942253b7777dd41a5097b3b546c1af67dce14a5aa93177fb6e198366e2

SHA512
c3e6e3f807564d89fb2ceacd1a47dfb6e1b58c863ee1c06eab60fef78fe3583e89615c595590abfe9dbbb19a4e3902e09f7e88f8a1de849cefaf987dd4a73da3

Download Submit
C:\Windows\System\aqmneUF.exe

Filesize
2.2MB

MD5
a3c2b0c1d8c5cf73c8f685884b052e70

SHA1
491ee085a729f2c2e47ca636f49510a0037f3096

SHA256
b75ce200f7e071b423a90a1f977a7984aa2d88aa7426ce0c8ff8215eab77a35d

SHA512
a1460805298875a566466a74c3b579174a0a7eb42a9a9635b9231181966ba4ad05058fcfd1e8c9ceffba0ee3eb47b1ea9b996347fde186858e5a6afc04edc1aa

Download Submit
C:\Windows\System\dMcuzDj.exe

Filesize
2.2MB

MD5
11ef6b567c15b51ad5cc893c1df18d8b

SHA1
31fe616c9edcbb779827a3f4f367700621a2dc97

SHA256
d86e86af1c8ea9a90c9a06cf97fbe5e27a929f1748350e9dfcc9c0c966de6591

SHA512
bfb43d0eea3455e0a38e5a385b6698e25417b4f653bfdeb87645f0ab7c65e00a09127dd2042d7c2f8f40c0dd95c3dcd18bb21a4154cd358a9a4db6c530764a48

Download Submit
C:\Windows\System\eragLTB.exe

Filesize
2.2MB

MD5
c6c30c3d2d70fcb37674050acfb802c1

SHA1
906f30fb0481bc44cdea6b79b6987e64b2237c02

SHA256
11e031d7dac3dc71ab6be4cc2ca51a2948963262a5daf25565755479f6f6b4ef

SHA512
e424b21d2ce483358ba18a91d152dfdcb22e64750d4f93c1b9a1d118a74692e31ec4aa8ad82c917ef58ebab4dda53c842ca720dde7f81fdfb7b51a980ca8b242

Download Submit
C:\Windows\System\jedVTgN.exe

Filesize
2.2MB

MD5
efee92d04a43864ff8be5c786b8ce4d0

SHA1
f770607ae8c57dc84db11951600a461fa2fbd718

SHA256
2e2666c8b9469709cef66b81d8dcb934e9c3b62c43cb17a8d27fed77e1c2a0fa

SHA512
d8a990a6fbb428078bf9987bbfbcf5ee29f2bd163e2baa49d423a789b80d13a8ec63fc7a655b0aa31f7eb56f731c95b13dde7952ad9f3e716592408588b15260

Download Submit
C:\Windows\System\kVhsscq.exe

Filesize
8B

MD5
0b02220145771e90ebe4310a5742c9eb

SHA1
9bd568d96b03bd5446f96a7b59c08196eb5a57c3

SHA256
6135f164d0697be47c97ab606a7a1adcbc1eb3846ae4debecafb1a6ccfd23e4e

SHA512
cb08dee7f4e4dd1bb8de836a2364c078d9de5aef5dcb329e7e0b8e1cc2bfaa06c42f8b8ddf04bdb30392074759beef091a761854b0812b9a726b3c820c99a5a8

Download Submit
C:\Windows\System\mtYKfMY.exe

Filesize
2.2MB

MD5
7d2e8b9c5a20ba45b75d133f8062c6fd

SHA1
8acc110781f18f30dc42e5cfbc64550c71aa2f07

SHA256
8779d1a610d31f45f547119d291145226f779720cdb503ca159b59a094f51ef4

SHA512
2f8c1dbae050ec5d9457fb77c2f1a52836589a1254b34a6fd3c149e890d17f38025c154cbea692a81963e8f9c382d81b8ec848d5f56ca183e81416ccf7edafd6

Download Submit
C:\Windows\System\nmuKjoU.exe

Filesize
2.2MB

MD5
f209fbd837dd8a3632d7ef9cfdb561c0

SHA1
4f9771fea121baf397bec08f3fbbc814ef97b5c2

SHA256
72426673e12013908e8aba46f5d30591149d4704e7ffdb5c8f348bd1252ad647

SHA512
6970e19712734ade5e2ab9bf3b67a8002a38bfaf895d518b75c72ec3ff47527144de9d36272a79c1c3694868885b94547d915c24ab139785a7ff3736ce5a6c9e

Download Submit
C:\Windows\System\oGApiwL.exe

Filesize
2.2MB

MD5
34fa059e3efb3f991d2814d78754da00

SHA1
f643b0ab50953ff41e133691e93a7dfffd7074fd

SHA256
40853961eb1c83ae112b3abb987f5015a3c2289392d5d3e920703276a5f208ae

SHA512
a6f09fb9dfe39fa24f9bdf2828392f32b7bf856c7a2012642fc128d891ad00b60b3ffbd7aedf7b3238b2bc0373572254bc64cd08311903d85b8a08fb87b3b2dd

Download Submit
C:\Windows\System\pKHUTjF.exe

Filesize
2.2MB

MD5
9e3a21828537ebb3ac1f42cd7c077798

SHA1
fc0934e2bcb2ec2b4ab29f6da9da4ce92db0a003

SHA256
2581e852e8743ceb20e2d29563029b0d568dc49b56bfe5f918c1a3079126315c

SHA512
f9f4e5512ec8e3203c0ff311c82b9debe9458e2283036a100d6c65a4a2c019ee12190adc2cabc63f962a813cc6a6d6bfc1643c48c685b71f84e31a14c6a0a626

Download Submit
C:\Windows\System\punSaUd.exe

Filesize
2.2MB

MD5
9f04c6551803168826c3debb2e15299a

SHA1
c33d43a8eaf92462c9116a2b4d717dcdd1128e6c

SHA256
99ca32b9e2e9dfd00b0c9b21496440acca7a8e92cd0723e56dbdf63378aceebd

SHA512
0ea76f60fd0710191abc81a8df1706c212c3548b4f5ded4434ac498ddec5ddd1fbb6137af3ed770005b9723735727f1cd4b60d06d472a83d0d6ca7725a970443

Download Submit
C:\Windows\System\qgbTYjr.exe

Filesize
2.2MB

MD5
ad59437cbc83af47274bed23225fdc99

SHA1
7f4cdc25bbd8a37d39cd4410b0bfde25f35a6cb8

SHA256
48cd4efd5ac18f1b72968bbd2601b904f4cb1be45811804c5bbaa13943870532

SHA512
ea7dc6969efe35f18e1f2872c41205c5dec183456879363a0b10d272cd9836552ed7fe091922b779ca3b9e5c8e97ca1bb89de40266b406dc569d0f4c00714f42

Download Submit
C:\Windows\System\rsMWDea.exe

Filesize
2.2MB

MD5
6d1eff046ab32d3767f7a10cb292cb6a

SHA1
33e13463ae9bbe5ba32c888937150290d923e420

SHA256
f3594d14818115ab7b21714cb7dae9ce0195c8daf297ac8a41d4e3847b119472

SHA512
b7f7562f0d0f9015c6cfd2f96b50e2eb3eb655224da2683eb6c353466cd758e05a4b25f2d0bf6a0aa2613d8166c086035bc645d280a28d98c5462003dd97325e

Download Submit
C:\Windows\System\sRVLjDx.exe

Filesize
2.2MB

MD5
b0cca49a5e70f65657ebd39493300c44

SHA1
ea9e83cff8f3d60cbaee7209c1cea46f5008bc3d

SHA256
96bbb500657f1620aba4e8f10e625b66f17d06a2321a3641c4962b3de6a04423

SHA512
ef090e7b439a11a2a097527f212b6e33fdce7a6d2870dd1a8fc0ca62a760846c0491e432cf375178bbe3459ae848365638c3619b33fc5d6910b38f5e228da694

Download Submit
C:\Windows\System\tVCTSTs.exe

Filesize
2.2MB

MD5
40e486af9dbeeee4ceefac73490ecf56

SHA1
f7686d19f95a3ea5e1054008d7663160bf0ffae9

SHA256
9e062a1250a7a303a77bbdff28386076d9ce41b8b82415c323505ecbd5bb2aa7

SHA512
18dac3704e9892f710638f2474ce2bccf62db91f512aa184b27e3b10733b6d83e74a1afd5535e4452087e5eb75dfc00201ef9010f3211ce093dcc0e286c0674e

Download Submit
C:\Windows\System\yBuTZDa.exe

Filesize
2.2MB

MD5
02ea7de593d3733733932afe1108c798

SHA1
4f2dee40de35c3e4e9e3c83720c0b703493177f4

SHA256
4e3d9467ed3957ad966ddb99620d09b964c9878f13975a90b2ceb99eabfa8c49

SHA512
ea0ce479e62212bfcbe6233f254d214f72e1b51d70beb4ba7717a1f9371a138489a9881b29357087e6fa5ea06d0f61de1e2940642b00de31760a69700b8a03fd

Download Submit
memory/960-14-0x00007FF77B5F0000-0x00007FF77B9E2000-memory.dmp

Filesize
3.9MB

Download
memory/960-149-0x00007FF77B5F0000-0x00007FF77B9E2000-memory.dmp

Filesize
3.9MB

Download
memory/1332-4851-0x00007FF602EB0000-0x00007FF6032A2000-memory.dmp

Filesize
3.9MB

Download
memory/1332-126-0x00007FF602EB0000-0x00007FF6032A2000-memory.dmp

Filesize
3.9MB

Download
memory/1540-80-0x00007FF614FD0000-0x00007FF6153C2000-memory.dmp

Filesize
3.9MB

Download
memory/1540-4832-0x00007FF614FD0000-0x00007FF6153C2000-memory.dmp

Filesize
3.9MB

Download
memory/1648-4848-0x00007FF760080000-0x00007FF760472000-memory.dmp

Filesize
3.9MB

Download
memory/1648-125-0x00007FF760080000-0x00007FF760472000-memory.dmp

Filesize
3.9MB

Download
memory/1800-20-0x00007FF6308A0000-0x00007FF630C92000-memory.dmp

Filesize
3.9MB

Download
memory/1800-164-0x00007FF6308A0000-0x00007FF630C92000-memory.dmp

Filesize
3.9MB

Download
memory/2356-113-0x00007FF796F30000-0x00007FF797322000-memory.dmp

Filesize
3.9MB

Download
memory/2464-85-0x00007FF664D60000-0x00007FF665152000-memory.dmp

Filesize
3.9MB

Download
memory/2464-0-0x00007FF664D60000-0x00007FF665152000-memory.dmp

Filesize
3.9MB

Download
memory/2464-1-0x000002154DED0000-0x000002154DEE0000-memory.dmp

Filesize
64KB

Download
memory/2608-163-0x00007FF78E0D0000-0x00007FF78E4C2000-memory.dmp

Filesize
3.9MB

Download
memory/2608-4874-0x00007FF78E0D0000-0x00007FF78E4C2000-memory.dmp

Filesize
3.9MB

Download
memory/2608-4534-0x00007FF78E0D0000-0x00007FF78E4C2000-memory.dmp

Filesize
3.9MB

Download
memory/2640-37-0x00007FF6B7C20000-0x00007FF6B8012000-memory.dmp

Filesize
3.9MB

Download
memory/2644-170-0x00007FF741380000-0x00007FF741772000-memory.dmp

Filesize
3.9MB

Download
memory/2644-4878-0x00007FF741380000-0x00007FF741772000-memory.dmp

Filesize
3.9MB

Download
memory/2644-4536-0x00007FF741380000-0x00007FF741772000-memory.dmp

Filesize
3.9MB

Download
memory/3160-120-0x00007FF6E17B0000-0x00007FF6E1BA2000-memory.dmp

Filesize
3.9MB

Download
memory/3160-4839-0x00007FF6E17B0000-0x00007FF6E1BA2000-memory.dmp

Filesize
3.9MB

Download
memory/3324-4837-0x00007FF762180000-0x00007FF762572000-memory.dmp

Filesize
3.9MB

Download
memory/3324-131-0x00007FF762180000-0x00007FF762572000-memory.dmp

Filesize
3.9MB

Download
memory/3400-148-0x00007FF673A50000-0x00007FF673E42000-memory.dmp

Filesize
3.9MB

Download
memory/3400-4856-0x00007FF673A50000-0x00007FF673E42000-memory.dmp

Filesize
3.9MB

Download
memory/3536-8-0x00007FF63D1B0000-0x00007FF63D5A2000-memory.dmp

Filesize
3.9MB

Download
memory/3708-4870-0x00007FF6B7390000-0x00007FF6B7782000-memory.dmp

Filesize
3.9MB

Download
memory/3708-157-0x00007FF6B7390000-0x00007FF6B7782000-memory.dmp

Filesize
3.9MB

Download
memory/3728-142-0x00007FF7D73C0000-0x00007FF7D77B2000-memory.dmp

Filesize
3.9MB

Download
memory/3728-4859-0x00007FF7D73C0000-0x00007FF7D77B2000-memory.dmp

Filesize
3.9MB

Download
memory/3856-54-0x00007FF694AF0000-0x00007FF694EE2000-memory.dmp

Filesize
3.9MB

Download
memory/3856-4799-0x00007FF694AF0000-0x00007FF694EE2000-memory.dmp

Filesize
3.9MB

Download
memory/3968-116-0x0000011744E00000-0x00000117455A6000-memory.dmp

Filesize
7.6MB

Download
memory/3968-48-0x0000011744240000-0x0000011744262000-memory.dmp

Filesize
136KB

Download
memory/4000-74-0x00007FF762600000-0x00007FF7629F2000-memory.dmp

Filesize
3.9MB

Download
memory/4000-4812-0x00007FF762600000-0x00007FF7629F2000-memory.dmp

Filesize
3.9MB

Download
memory/4056-4866-0x00007FF782520000-0x00007FF782912000-memory.dmp

Filesize
3.9MB

Download
memory/4056-150-0x00007FF782520000-0x00007FF782912000-memory.dmp

Filesize
3.9MB

Download
memory/4264-130-0x00007FF658460000-0x00007FF658852000-memory.dmp

Filesize
3.9MB

Download
memory/4264-4827-0x00007FF658460000-0x00007FF658852000-memory.dmp

Filesize
3.9MB

Download
memory/4424-156-0x00007FF70A350000-0x00007FF70A742000-memory.dmp

Filesize
3.9MB

Download
memory/4424-28-0x00007FF70A350000-0x00007FF70A742000-memory.dmp

Filesize
3.9MB

Download
memory/4796-4842-0x00007FF7C7BB0000-0x00007FF7C7FA2000-memory.dmp

Filesize
3.9MB

Download
memory/4796-136-0x00007FF7C7BB0000-0x00007FF7C7FA2000-memory.dmp

Filesize
3.9MB

Download
memory/4816-4806-0x00007FF7AB670000-0x00007FF7ABA62000-memory.dmp

Filesize
3.9MB

Download
memory/4816-60-0x00007FF7AB670000-0x00007FF7ABA62000-memory.dmp

Filesize
3.9MB

Download
memory/4936-4820-0x00007FF775E70000-0x00007FF776262000-memory.dmp

Filesize
3.9MB

Download
memory/4936-98-0x00007FF775E70000-0x00007FF776262000-memory.dmp

Filesize
3.9MB

Download
memory/5112-34-0x00007FF74D090000-0x00007FF74D482000-memory.dmp

Filesize
3.9MB

Download
memory/5112-176-0x00007FF74D090000-0x00007FF74D482000-memory.dmp

Filesize
3.9MB

Download