xmrig | 611428587e3fcebcb94ec26a9c7f75447b34998ec8e68a5467fdaf12db830591

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
Size

1.9MB
MD5

084f1d66597f73c4f92ce7b154ab6862
SHA1

e071d12a8ec66d745dcb426aff00f30240273ab7
SHA256

611428587e3fcebcb94ec26a9c7f75447b34998ec8e68a5467fdaf12db830591
SHA512

130d7f17ad7dfd3e847cf4d7954d011579dbe11547d3a2ad2f618a3ea0a2bd35916f41500bba20a9daaca5c876013bdb8e5702ac4091b0a0b072e5f63c616f19
SSDEEP

49152:Lz071uv4BPMkibTIA5KIP7nTrmBhihM5xC+U1I:NABH

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 21 IoCs

miner

resource	yara_rule
behavioral2/memory/724-204-0x00007FF668FD0000-0x00007FF6693C2000-memory.dmp	xmrig
behavioral2/memory/3244-147-0x00007FF7A0D40000-0x00007FF7A1132000-memory.dmp	xmrig
behavioral2/memory/8-217-0x00007FF7FEC30000-0x00007FF7FF022000-memory.dmp	xmrig
behavioral2/memory/2352-300-0x00007FF692020000-0x00007FF692412000-memory.dmp	xmrig
behavioral2/memory/4148-292-0x00007FF71F4C0000-0x00007FF71F8B2000-memory.dmp	xmrig
behavioral2/memory/4836-248-0x00007FF7F1E90000-0x00007FF7F2282000-memory.dmp	xmrig
behavioral2/memory/3656-548-0x00007FF787710000-0x00007FF787B02000-memory.dmp	xmrig
behavioral2/memory/4932-1273-0x00007FF61C920000-0x00007FF61CD12000-memory.dmp	xmrig
behavioral2/memory/4848-1745-0x00007FF700690000-0x00007FF700A82000-memory.dmp	xmrig
behavioral2/memory/2576-1691-0x00007FF659470000-0x00007FF659862000-memory.dmp	xmrig
behavioral2/memory/3672-1690-0x00007FF7A1710000-0x00007FF7A1B02000-memory.dmp	xmrig
behavioral2/memory/2064-1051-0x00007FF604C40000-0x00007FF605032000-memory.dmp	xmrig
behavioral2/memory/4820-1048-0x00007FF6D4D60000-0x00007FF6D5152000-memory.dmp	xmrig
behavioral2/memory/5104-990-0x00007FF7F1210000-0x00007FF7F1602000-memory.dmp	xmrig
behavioral2/memory/4424-987-0x00007FF675DC0000-0x00007FF6761B2000-memory.dmp	xmrig
behavioral2/memory/1848-553-0x00007FF6ED7F0000-0x00007FF6EDBE2000-memory.dmp	xmrig
behavioral2/memory/5088-451-0x00007FF626C50000-0x00007FF627042000-memory.dmp	xmrig
behavioral2/memory/2732-381-0x00007FF7AE3A0000-0x00007FF7AE792000-memory.dmp	xmrig
behavioral2/memory/1920-377-0x00007FF7D7270000-0x00007FF7D7662000-memory.dmp	xmrig
behavioral2/memory/852-3862-0x00007FF735F10000-0x00007FF736302000-memory.dmp	xmrig
behavioral2/memory/3772-3860-0x00007FF76DDC0000-0x00007FF76E1B2000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
852	abKCdai.exe
2576	dQkzuPx.exe
3244	nHRumdE.exe
724	bxvUiRd.exe
8	OCpzTeX.exe
4836	SKpgoDX.exe
4148	UJKbzJn.exe
2352	iNNrEyZ.exe
1920	ZDClVMq.exe
2732	MycOFTw.exe
5088	nWiayrS.exe
3656	TyxKkkt.exe
1848	lUdmQTb.exe
4424	zCuRDHS.exe
5104	medEXaW.exe
4820	eStNwgH.exe
4848	vkZFGvG.exe
2064	VTRKFZv.exe
4932	TWzDdiG.exe
4236	yvSEbtR.exe
3672	aQRqntT.exe
428	srnTfwt.exe
2884	OeBMLHo.exe
2880	HLHUoBu.exe
1624	QULSZSL.exe
2876	ASAcLIN.exe
1420	ddOJBtS.exe
4776	Cwlkcbz.exe
3004	uZuJzXA.exe
2360	cXJKzlP.exe
2236	GZdQPwh.exe
2384	cmmEVTM.exe
4580	GZHOCHy.exe
1440	CHqCgZL.exe
4600	HwqXNvN.exe
1712	aEBlehY.exe
4012	TTnBpDK.exe
1952	lAWPMJn.exe
1092	oVQdlGl.exe
3348	aCopGtf.exe
1620	oeSNIKr.exe
2536	mICAgWg.exe
1512	MmAUBsp.exe
4572	EENCEWA.exe
2700	eSuLUsc.exe
4372	hYmmLJn.exe
2824	CvKSBVO.exe
3304	lZqogNz.exe
4980	HGkhNSM.exe
3768	fChiwpC.exe
2720	aNKHxqy.exe
4996	jFeAbMY.exe
4192	fwBQRMB.exe
1072	eSdDUpt.exe
940	ptbLHTs.exe
1644	xwvSShM.exe
216	YunDAAA.exe
4304	mfyumpS.exe
3844	blEzcfD.exe
3060	nZSdEDZ.exe
4332	xKrarxY.exe
3352	MvgaHOX.exe
4476	EiyTIXb.exe
404	SinxoEq.exe

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3772-0-0x00007FF76DDC0000-0x00007FF76E1B2000-memory.dmp	upx
behavioral2/files/0x0008000000023410-5.dat	upx
behavioral2/memory/852-14-0x00007FF735F10000-0x00007FF736302000-memory.dmp	upx
behavioral2/files/0x0007000000023416-23.dat	upx
behavioral2/files/0x0007000000023414-7.dat	upx
behavioral2/files/0x0008000000023413-17.dat	upx
behavioral2/files/0x0007000000023422-88.dat	upx
behavioral2/files/0x0007000000023421-81.dat	upx
behavioral2/files/0x000700000002341b-45.dat	upx
behavioral2/files/0x0007000000023420-74.dat	upx
behavioral2/files/0x0007000000023423-93.dat	upx
behavioral2/files/0x000700000002342e-155.dat	upx
behavioral2/files/0x000700000002342d-153.dat	upx
behavioral2/files/0x000700000002341d-150.dat	upx
behavioral2/memory/724-204-0x00007FF668FD0000-0x00007FF6693C2000-memory.dmp	upx
behavioral2/files/0x000700000002343b-201.dat	upx
behavioral2/files/0x000700000002342c-141.dat	upx
behavioral2/files/0x000700000002342b-135.dat	upx
behavioral2/files/0x0007000000023429-126.dat	upx
behavioral2/files/0x000700000002341c-125.dat	upx
behavioral2/files/0x0007000000023428-119.dat	upx
behavioral2/files/0x0007000000023419-115.dat	upx
behavioral2/files/0x0007000000023427-114.dat	upx
behavioral2/files/0x0007000000023434-176.dat	upx
behavioral2/files/0x0007000000023425-101.dat	upx
behavioral2/memory/3244-147-0x00007FF7A0D40000-0x00007FF7A1132000-memory.dmp	upx
behavioral2/memory/8-217-0x00007FF7FEC30000-0x00007FF7FF022000-memory.dmp	upx
behavioral2/files/0x000700000002343a-198.dat	upx
behavioral2/files/0x0007000000023439-196.dat	upx
behavioral2/files/0x0007000000023438-195.dat	upx
behavioral2/files/0x0007000000023437-192.dat	upx
behavioral2/files/0x0007000000023436-191.dat	upx
behavioral2/files/0x000700000002342a-188.dat	upx
behavioral2/files/0x0007000000023435-187.dat	upx
behavioral2/files/0x0007000000023426-175.dat	upx
behavioral2/files/0x0007000000023430-174.dat	upx
behavioral2/files/0x0007000000023431-173.dat	upx
behavioral2/files/0x0007000000023424-170.dat	upx
behavioral2/files/0x000700000002341f-168.dat	upx
behavioral2/files/0x000700000002341a-166.dat	upx
behavioral2/files/0x000700000002341e-165.dat	upx
behavioral2/files/0x000700000002342f-161.dat	upx
behavioral2/files/0x0007000000023418-66.dat	upx
behavioral2/files/0x0007000000023415-65.dat	upx
behavioral2/files/0x0007000000023417-56.dat	upx
behavioral2/memory/2352-300-0x00007FF692020000-0x00007FF692412000-memory.dmp	upx
behavioral2/memory/4148-292-0x00007FF71F4C0000-0x00007FF71F8B2000-memory.dmp	upx
behavioral2/memory/4836-248-0x00007FF7F1E90000-0x00007FF7F2282000-memory.dmp	upx
behavioral2/memory/3656-548-0x00007FF787710000-0x00007FF787B02000-memory.dmp	upx
behavioral2/memory/4932-1273-0x00007FF61C920000-0x00007FF61CD12000-memory.dmp	upx
behavioral2/memory/4848-1745-0x00007FF700690000-0x00007FF700A82000-memory.dmp	upx
behavioral2/memory/2576-1691-0x00007FF659470000-0x00007FF659862000-memory.dmp	upx
behavioral2/memory/3672-1690-0x00007FF7A1710000-0x00007FF7A1B02000-memory.dmp	upx
behavioral2/memory/2064-1051-0x00007FF604C40000-0x00007FF605032000-memory.dmp	upx
behavioral2/memory/4820-1048-0x00007FF6D4D60000-0x00007FF6D5152000-memory.dmp	upx
behavioral2/memory/5104-990-0x00007FF7F1210000-0x00007FF7F1602000-memory.dmp	upx
behavioral2/memory/4424-987-0x00007FF675DC0000-0x00007FF6761B2000-memory.dmp	upx
behavioral2/memory/1848-553-0x00007FF6ED7F0000-0x00007FF6EDBE2000-memory.dmp	upx
behavioral2/memory/5088-451-0x00007FF626C50000-0x00007FF627042000-memory.dmp	upx
behavioral2/memory/2732-381-0x00007FF7AE3A0000-0x00007FF7AE792000-memory.dmp	upx
behavioral2/memory/1920-377-0x00007FF7D7270000-0x00007FF7D7662000-memory.dmp	upx
behavioral2/memory/852-3862-0x00007FF735F10000-0x00007FF736302000-memory.dmp	upx
behavioral2/memory/3772-3860-0x00007FF76DDC0000-0x00007FF76E1B2000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\bCTIgkS.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\tlDyatn.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\ZphtNAn.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\egstVSu.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\RCdgcJg.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\MfjGUeB.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\GUrkqOz.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\lUdmQTb.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\JunaAqK.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\NGEbqkA.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\jixIpyS.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\xUcRJXO.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\rSgfRgw.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\xAeXuGM.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\bCQEHfv.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\zLKHDVB.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\FgARZkg.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\gqaNwkj.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\VJdpxjU.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\tvSpzjg.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\iSzvGlV.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\AhMbIqo.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\sirNWrw.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\zUAxVlV.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\JMZeTAd.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\gEVdJdm.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\RpGTNNI.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\cXJKzlP.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\npDDyha.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\FKqntrj.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\GmZuoMn.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\HDzTdra.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\KLBfZDx.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\abKCdai.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\shyGhKm.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\XDiQXoW.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\YNwbxFL.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\RrdrUgd.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\XOhPWMh.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\vqBfCAy.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\QGDkbMC.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\gzgyGHJ.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\MtWGHlM.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\oBiZjEK.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\XyrJgxY.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\naTkjmk.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\LYKJRRP.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\gDakxDC.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\WUUrtdQ.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\lAWPMJn.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\WwjZLsu.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\PPpxMJo.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\stFqIYx.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\zwdFrgW.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\uxPiGtN.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\ojTeAuz.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\pAspIxt.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\WpCUOze.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\AtEIzGq.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\MJJltbw.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\FogeahE.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\XXNSkmK.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\VSNlghb.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
File created	C:\Windows\System\WinlwMH.exe	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
376	Process not Found
2644	Process not Found
6764	Process not Found
4056	Process not Found
3428	Process not Found
5768	Process not Found
6108	Process not Found
6132	Process not Found
3012	Process not Found
5652	Process not Found
3528	Process not Found
4352	Process not Found
2896	Process not Found
5736	Process not Found
5780	Process not Found
6168	Process not Found
5208	Process not Found
6388	Process not Found
6420	Process not Found
8252	Process not Found
7240	Process not Found
5252	Process not Found
7280	Process not Found
7276	Process not Found
7268	Process not Found
6192	Process not Found
8292	Process not Found
8208	Process not Found
7296	Process not Found
8304	Process not Found
8324	Process not Found
8248	Process not Found
8236	Process not Found
8424	Process not Found
12096	Process not Found
8348	Process not Found
8356	Process not Found
3572	Process not Found
8300	Process not Found
9960	Process not Found
7772	Process not Found
7812	Process not Found
8400	Process not Found
9120	Process not Found
8396	Process not Found
664	Process not Found
6248	Process not Found
11888	Process not Found
7924	Process not Found
2308	Process not Found
6924	Process not Found
12340	Process not Found
11136	Process not Found
2316	Process not Found
9140	Process not Found
9364	Process not Found
9396	Process not Found
7352	Process not Found
11560	Process not Found
11632	Process not Found
1456	Process not Found
9152	Process not Found
9800	Process not Found
11792	Process not Found

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeLockMemoryPrivilege	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	11068	dwm.exe
Token: SeChangeNotifyPrivilege	11068	dwm.exe
Token: 33	11068	dwm.exe
Token: SeIncBasePriorityPrivilege	11068	dwm.exe
Token: SeCreateGlobalPrivilege	13704	dwm.exe
Token: SeChangeNotifyPrivilege	13704	dwm.exe
Token: 33	13704	dwm.exe
Token: SeIncBasePriorityPrivilege	13704	dwm.exe
Token: SeCreateGlobalPrivilege	14056	dwm.exe
Token: SeChangeNotifyPrivilege	14056	dwm.exe
Token: 33	14056	dwm.exe
Token: SeIncBasePriorityPrivilege	14056	dwm.exe
Token: SeCreateGlobalPrivilege	1376	dwm.exe
Token: SeChangeNotifyPrivilege	1376	dwm.exe
Token: 33	1376	dwm.exe
Token: SeIncBasePriorityPrivilege	1376	dwm.exe
Token: SeCreateGlobalPrivilege	6648	dwm.exe
Token: SeChangeNotifyPrivilege	6648	dwm.exe
Token: 33	6648	dwm.exe
Token: SeIncBasePriorityPrivilege	6648	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 1056	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	84
PID 3772 wrote to memory of 1056	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	84
PID 3772 wrote to memory of 852	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	85
PID 3772 wrote to memory of 852	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	85
PID 3772 wrote to memory of 2576	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	86
PID 3772 wrote to memory of 2576	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	86
PID 3772 wrote to memory of 3244	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	87
PID 3772 wrote to memory of 3244	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	87
PID 3772 wrote to memory of 4836	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	88
PID 3772 wrote to memory of 4836	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	88
PID 3772 wrote to memory of 724	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	89
PID 3772 wrote to memory of 724	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	89
PID 3772 wrote to memory of 8	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	90
PID 3772 wrote to memory of 8	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	90
PID 3772 wrote to memory of 4148	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	91
PID 3772 wrote to memory of 4148	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	91
PID 3772 wrote to memory of 2352	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	92
PID 3772 wrote to memory of 2352	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	92
PID 3772 wrote to memory of 1848	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	93
PID 3772 wrote to memory of 1848	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	93
PID 3772 wrote to memory of 1920	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	94
PID 3772 wrote to memory of 1920	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	94
PID 3772 wrote to memory of 2732	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	95
PID 3772 wrote to memory of 2732	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	95
PID 3772 wrote to memory of 5088	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	96
PID 3772 wrote to memory of 5088	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	96
PID 3772 wrote to memory of 3656	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	97
PID 3772 wrote to memory of 3656	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	97
PID 3772 wrote to memory of 4424	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	98
PID 3772 wrote to memory of 4424	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	98
PID 3772 wrote to memory of 5104	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	99
PID 3772 wrote to memory of 5104	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	99
PID 3772 wrote to memory of 4820	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	100
PID 3772 wrote to memory of 4820	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	100
PID 3772 wrote to memory of 4848	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	101
PID 3772 wrote to memory of 4848	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	101
PID 3772 wrote to memory of 2064	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	102
PID 3772 wrote to memory of 2064	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	102
PID 3772 wrote to memory of 4932	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	103
PID 3772 wrote to memory of 4932	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	103
PID 3772 wrote to memory of 4236	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	104
PID 3772 wrote to memory of 4236	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	104
PID 3772 wrote to memory of 3672	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	105
PID 3772 wrote to memory of 3672	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	105
PID 3772 wrote to memory of 428	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	106
PID 3772 wrote to memory of 428	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	106
PID 3772 wrote to memory of 2884	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	107
PID 3772 wrote to memory of 2884	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	107
PID 3772 wrote to memory of 2880	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	108
PID 3772 wrote to memory of 2880	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	108
PID 3772 wrote to memory of 1440	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	109
PID 3772 wrote to memory of 1440	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	109
PID 3772 wrote to memory of 1624	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	110
PID 3772 wrote to memory of 1624	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	110
PID 3772 wrote to memory of 2876	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	111
PID 3772 wrote to memory of 2876	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	111
PID 3772 wrote to memory of 1420	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	112
PID 3772 wrote to memory of 1420	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	112
PID 3772 wrote to memory of 4776	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	113
PID 3772 wrote to memory of 4776	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	113
PID 3772 wrote to memory of 3004	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	114
PID 3772 wrote to memory of 3004	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	114
PID 3772 wrote to memory of 2360	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	115
PID 3772 wrote to memory of 2360	3772	084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\084f1d66597f73c4f92ce7b154ab6862_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System\abKCdai.exe
  C:\Windows\System\abKCdai.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\dQkzuPx.exe
  C:\Windows\System\dQkzuPx.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\nHRumdE.exe
  C:\Windows\System\nHRumdE.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\SKpgoDX.exe
  C:\Windows\System\SKpgoDX.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\bxvUiRd.exe
  C:\Windows\System\bxvUiRd.exe
  2⤵
  - Executes dropped EXE
  PID:724
- C:\Windows\System\OCpzTeX.exe
  C:\Windows\System\OCpzTeX.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\UJKbzJn.exe
  C:\Windows\System\UJKbzJn.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\iNNrEyZ.exe
  C:\Windows\System\iNNrEyZ.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\lUdmQTb.exe
  C:\Windows\System\lUdmQTb.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\ZDClVMq.exe
  C:\Windows\System\ZDClVMq.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System\MycOFTw.exe
  C:\Windows\System\MycOFTw.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\nWiayrS.exe
  C:\Windows\System\nWiayrS.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\TyxKkkt.exe
  C:\Windows\System\TyxKkkt.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\zCuRDHS.exe
  C:\Windows\System\zCuRDHS.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\medEXaW.exe
  C:\Windows\System\medEXaW.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\eStNwgH.exe
  C:\Windows\System\eStNwgH.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\vkZFGvG.exe
  C:\Windows\System\vkZFGvG.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\VTRKFZv.exe
  C:\Windows\System\VTRKFZv.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\TWzDdiG.exe
  C:\Windows\System\TWzDdiG.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\yvSEbtR.exe
  C:\Windows\System\yvSEbtR.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\aQRqntT.exe
  C:\Windows\System\aQRqntT.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\srnTfwt.exe
  C:\Windows\System\srnTfwt.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\OeBMLHo.exe
  C:\Windows\System\OeBMLHo.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\HLHUoBu.exe
  C:\Windows\System\HLHUoBu.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\CHqCgZL.exe
  C:\Windows\System\CHqCgZL.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\QULSZSL.exe
  C:\Windows\System\QULSZSL.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\ASAcLIN.exe
  C:\Windows\System\ASAcLIN.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\ddOJBtS.exe
  C:\Windows\System\ddOJBtS.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\Cwlkcbz.exe
  C:\Windows\System\Cwlkcbz.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\uZuJzXA.exe
  C:\Windows\System\uZuJzXA.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\cXJKzlP.exe
  C:\Windows\System\cXJKzlP.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\GZdQPwh.exe
  C:\Windows\System\GZdQPwh.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\cmmEVTM.exe
  C:\Windows\System\cmmEVTM.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\GZHOCHy.exe
  C:\Windows\System\GZHOCHy.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\HwqXNvN.exe
  C:\Windows\System\HwqXNvN.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\aEBlehY.exe
  C:\Windows\System\aEBlehY.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\TTnBpDK.exe
  C:\Windows\System\TTnBpDK.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\lAWPMJn.exe
  C:\Windows\System\lAWPMJn.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\oVQdlGl.exe
  C:\Windows\System\oVQdlGl.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\aCopGtf.exe
  C:\Windows\System\aCopGtf.exe
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\Windows\System\aNKHxqy.exe
  C:\Windows\System\aNKHxqy.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\oeSNIKr.exe
  C:\Windows\System\oeSNIKr.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\mICAgWg.exe
  C:\Windows\System\mICAgWg.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\xwvSShM.exe
  C:\Windows\System\xwvSShM.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\MmAUBsp.exe
  C:\Windows\System\MmAUBsp.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\EENCEWA.exe
  C:\Windows\System\EENCEWA.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\eSuLUsc.exe
  C:\Windows\System\eSuLUsc.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\hYmmLJn.exe
  C:\Windows\System\hYmmLJn.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\CvKSBVO.exe
  C:\Windows\System\CvKSBVO.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\lZqogNz.exe
  C:\Windows\System\lZqogNz.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\HGkhNSM.exe
  C:\Windows\System\HGkhNSM.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\fChiwpC.exe
  C:\Windows\System\fChiwpC.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\RhPdMNw.exe
  C:\Windows\System\RhPdMNw.exe
  2⤵
  PID:1548
- C:\Windows\System\jFeAbMY.exe
  C:\Windows\System\jFeAbMY.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\fwBQRMB.exe
  C:\Windows\System\fwBQRMB.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\eSdDUpt.exe
  C:\Windows\System\eSdDUpt.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\ptbLHTs.exe
  C:\Windows\System\ptbLHTs.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\pCMTVNj.exe
  C:\Windows\System\pCMTVNj.exe
  2⤵
  PID:4216
- C:\Windows\System\YunDAAA.exe
  C:\Windows\System\YunDAAA.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\mfyumpS.exe
  C:\Windows\System\mfyumpS.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\blEzcfD.exe
  C:\Windows\System\blEzcfD.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\nZSdEDZ.exe
  C:\Windows\System\nZSdEDZ.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\xKrarxY.exe
  C:\Windows\System\xKrarxY.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\MvgaHOX.exe
  C:\Windows\System\MvgaHOX.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\EiyTIXb.exe
  C:\Windows\System\EiyTIXb.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\SinxoEq.exe
  C:\Windows\System\SinxoEq.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\neEibbX.exe
  C:\Windows\System\neEibbX.exe
  2⤵
  PID:2444
- C:\Windows\System\nOlTmbA.exe
  C:\Windows\System\nOlTmbA.exe
  2⤵
  PID:4924
- C:\Windows\System\CtgetqI.exe
  C:\Windows\System\CtgetqI.exe
  2⤵
  PID:2356
- C:\Windows\System\NGvtbkG.exe
  C:\Windows\System\NGvtbkG.exe
  2⤵
  PID:1008
- C:\Windows\System\dLMXBas.exe
  C:\Windows\System\dLMXBas.exe
  2⤵
  PID:2572
- C:\Windows\System\EpzHUUo.exe
  C:\Windows\System\EpzHUUo.exe
  2⤵
  PID:880
- C:\Windows\System\ZYEyTfZ.exe
  C:\Windows\System\ZYEyTfZ.exe
  2⤵
  PID:2056
- C:\Windows\System\HEVrWrS.exe
  C:\Windows\System\HEVrWrS.exe
  2⤵
  PID:4804
- C:\Windows\System\jKcTFYJ.exe
  C:\Windows\System\jKcTFYJ.exe
  2⤵
  PID:2548
- C:\Windows\System\UxrXUHj.exe
  C:\Windows\System\UxrXUHj.exe
  2⤵
  PID:432
- C:\Windows\System\dSGMZMx.exe
  C:\Windows\System\dSGMZMx.exe
  2⤵
  PID:1944
- C:\Windows\System\mbUSePl.exe
  C:\Windows\System\mbUSePl.exe
  2⤵
  PID:2208
- C:\Windows\System\CwpRnxy.exe
  C:\Windows\System\CwpRnxy.exe
  2⤵
  PID:5092
- C:\Windows\System\ZphtNAn.exe
  C:\Windows\System\ZphtNAn.exe
  2⤵
  PID:4632
- C:\Windows\System\cJNvOpe.exe
  C:\Windows\System\cJNvOpe.exe
  2⤵
  PID:964
- C:\Windows\System\fiDLKYl.exe
  C:\Windows\System\fiDLKYl.exe
  2⤵
  PID:4340
- C:\Windows\System\thALAcd.exe
  C:\Windows\System\thALAcd.exe
  2⤵
  PID:4092
- C:\Windows\System\zmVwYYv.exe
  C:\Windows\System\zmVwYYv.exe
  2⤵
  PID:5140
- C:\Windows\System\JMwKYkP.exe
  C:\Windows\System\JMwKYkP.exe
  2⤵
  PID:5164
- C:\Windows\System\dRKkEjn.exe
  C:\Windows\System\dRKkEjn.exe
  2⤵
  PID:5180
- C:\Windows\System\DDVLjbt.exe
  C:\Windows\System\DDVLjbt.exe
  2⤵
  PID:5200
- C:\Windows\System\RugTbGs.exe
  C:\Windows\System\RugTbGs.exe
  2⤵
  PID:5220
- C:\Windows\System\BiqRthq.exe
  C:\Windows\System\BiqRthq.exe
  2⤵
  PID:5240
- C:\Windows\System\sMuoGXe.exe
  C:\Windows\System\sMuoGXe.exe
  2⤵
  PID:5264
- C:\Windows\System\VRdBEhV.exe
  C:\Windows\System\VRdBEhV.exe
  2⤵
  PID:5284
- C:\Windows\System\FyAZAwc.exe
  C:\Windows\System\FyAZAwc.exe
  2⤵
  PID:5312
- C:\Windows\System\NpaxYtJ.exe
  C:\Windows\System\NpaxYtJ.exe
  2⤵
  PID:5328
- C:\Windows\System\YotiMqT.exe
  C:\Windows\System\YotiMqT.exe
  2⤵
  PID:5344
- C:\Windows\System\riKOYdO.exe
  C:\Windows\System\riKOYdO.exe
  2⤵
  PID:5360
- C:\Windows\System\ZpMeNRl.exe
  C:\Windows\System\ZpMeNRl.exe
  2⤵
  PID:5384
- C:\Windows\System\BCFTvtl.exe
  C:\Windows\System\BCFTvtl.exe
  2⤵
  PID:5404
- C:\Windows\System\LcZjYmU.exe
  C:\Windows\System\LcZjYmU.exe
  2⤵
  PID:5424
- C:\Windows\System\qgpXDbZ.exe
  C:\Windows\System\qgpXDbZ.exe
  2⤵
  PID:5448
- C:\Windows\System\ZolTvGp.exe
  C:\Windows\System\ZolTvGp.exe
  2⤵
  PID:5472
- C:\Windows\System\IODoaOA.exe
  C:\Windows\System\IODoaOA.exe
  2⤵
  PID:5488
- C:\Windows\System\uZEJfky.exe
  C:\Windows\System\uZEJfky.exe
  2⤵
  PID:5512
- C:\Windows\System\yFTBYmY.exe
  C:\Windows\System\yFTBYmY.exe
  2⤵
  PID:5552
- C:\Windows\System\rzudqKk.exe
  C:\Windows\System\rzudqKk.exe
  2⤵
  PID:5576
- C:\Windows\System\CEWoCGb.exe
  C:\Windows\System\CEWoCGb.exe
  2⤵
  PID:5596
- C:\Windows\System\fbMBwlC.exe
  C:\Windows\System\fbMBwlC.exe
  2⤵
  PID:5616
- C:\Windows\System\rscLrPA.exe
  C:\Windows\System\rscLrPA.exe
  2⤵
  PID:5640
- C:\Windows\System\HwhoFRM.exe
  C:\Windows\System\HwhoFRM.exe
  2⤵
  PID:5664
- C:\Windows\System\qzGWTWB.exe
  C:\Windows\System\qzGWTWB.exe
  2⤵
  PID:5728
- C:\Windows\System\nzrQxeB.exe
  C:\Windows\System\nzrQxeB.exe
  2⤵
  PID:5748
- C:\Windows\System\lgafUsN.exe
  C:\Windows\System\lgafUsN.exe
  2⤵
  PID:5772
- C:\Windows\System\yPITWZp.exe
  C:\Windows\System\yPITWZp.exe
  2⤵
  PID:5788
- C:\Windows\System\tkhskFa.exe
  C:\Windows\System\tkhskFa.exe
  2⤵
  PID:5812
- C:\Windows\System\DljRluH.exe
  C:\Windows\System\DljRluH.exe
  2⤵
  PID:5836
- C:\Windows\System\BmQpAas.exe
  C:\Windows\System\BmQpAas.exe
  2⤵
  PID:5852
- C:\Windows\System\PhXplFZ.exe
  C:\Windows\System\PhXplFZ.exe
  2⤵
  PID:5880
- C:\Windows\System\WwFKrdf.exe
  C:\Windows\System\WwFKrdf.exe
  2⤵
  PID:5896
- C:\Windows\System\fbrwPBq.exe
  C:\Windows\System\fbrwPBq.exe
  2⤵
  PID:5920
- C:\Windows\System\NKpEqAp.exe
  C:\Windows\System\NKpEqAp.exe
  2⤵
  PID:5936
- C:\Windows\System\gqaNwkj.exe
  C:\Windows\System\gqaNwkj.exe
  2⤵
  PID:5960
- C:\Windows\System\gWpcqSF.exe
  C:\Windows\System\gWpcqSF.exe
  2⤵
  PID:5980
- C:\Windows\System\hNObUjA.exe
  C:\Windows\System\hNObUjA.exe
  2⤵
  PID:6000
- C:\Windows\System\zIaefAn.exe
  C:\Windows\System\zIaefAn.exe
  2⤵
  PID:6020
- C:\Windows\System\jKZbzky.exe
  C:\Windows\System\jKZbzky.exe
  2⤵
  PID:6036
- C:\Windows\System\looosHF.exe
  C:\Windows\System\looosHF.exe
  2⤵
  PID:6068
- C:\Windows\System\GiybnRi.exe
  C:\Windows\System\GiybnRi.exe
  2⤵
  PID:6088
- C:\Windows\System\WxvgAGL.exe
  C:\Windows\System\WxvgAGL.exe
  2⤵
  PID:6112
- C:\Windows\System\lTAutES.exe
  C:\Windows\System\lTAutES.exe
  2⤵
  PID:6136
- C:\Windows\System\sirNWrw.exe
  C:\Windows\System\sirNWrw.exe
  2⤵
  PID:2660
- C:\Windows\System\HGmfSBi.exe
  C:\Windows\System\HGmfSBi.exe
  2⤵
  PID:2304
- C:\Windows\System\yHgxmFs.exe
  C:\Windows\System\yHgxmFs.exe
  2⤵
  PID:4556
- C:\Windows\System\YmAcERh.exe
  C:\Windows\System\YmAcERh.exe
  2⤵
  PID:4312
- C:\Windows\System\BDOkBVt.exe
  C:\Windows\System\BDOkBVt.exe
  2⤵
  PID:908
- C:\Windows\System\BrwlPAU.exe
  C:\Windows\System\BrwlPAU.exe
  2⤵
  PID:2680
- C:\Windows\System\YaBoqaJ.exe
  C:\Windows\System\YaBoqaJ.exe
  2⤵
  PID:4868
- C:\Windows\System\hwZDBkS.exe
  C:\Windows\System\hwZDBkS.exe
  2⤵
  PID:2340
- C:\Windows\System\tFVcxzs.exe
  C:\Windows\System\tFVcxzs.exe
  2⤵
  PID:436
- C:\Windows\System\TMxpgiM.exe
  C:\Windows\System\TMxpgiM.exe
  2⤵
  PID:5432
- C:\Windows\System\mBBoLKU.exe
  C:\Windows\System\mBBoLKU.exe
  2⤵
  PID:5528
- C:\Windows\System\iYtFpeJ.exe
  C:\Windows\System\iYtFpeJ.exe
  2⤵
  PID:5076
- C:\Windows\System\eFPuLtn.exe
  C:\Windows\System\eFPuLtn.exe
  2⤵
  PID:3368
- C:\Windows\System\OozZBeo.exe
  C:\Windows\System\OozZBeo.exe
  2⤵
  PID:5724
- C:\Windows\System\ICYpWyH.exe
  C:\Windows\System\ICYpWyH.exe
  2⤵
  PID:2100
- C:\Windows\System\PDyQjIJ.exe
  C:\Windows\System\PDyQjIJ.exe
  2⤵
  PID:5828
- C:\Windows\System\GtbkBbX.exe
  C:\Windows\System\GtbkBbX.exe
  2⤵
  PID:6160
- C:\Windows\System\IIsbcHC.exe
  C:\Windows\System\IIsbcHC.exe
  2⤵
  PID:6180
- C:\Windows\System\fmNYArl.exe
  C:\Windows\System\fmNYArl.exe
  2⤵
  PID:6196
- C:\Windows\System\BRXFvmq.exe
  C:\Windows\System\BRXFvmq.exe
  2⤵
  PID:6212
- C:\Windows\System\oDQZiTM.exe
  C:\Windows\System\oDQZiTM.exe
  2⤵
  PID:6232
- C:\Windows\System\kbzaoJl.exe
  C:\Windows\System\kbzaoJl.exe
  2⤵
  PID:6252
- C:\Windows\System\ZfvsWuL.exe
  C:\Windows\System\ZfvsWuL.exe
  2⤵
  PID:6268
- C:\Windows\System\fypOPov.exe
  C:\Windows\System\fypOPov.exe
  2⤵
  PID:6288
- C:\Windows\System\FlBbVPI.exe
  C:\Windows\System\FlBbVPI.exe
  2⤵
  PID:6312
- C:\Windows\System\WuWeMGu.exe
  C:\Windows\System\WuWeMGu.exe
  2⤵
  PID:6328
- C:\Windows\System\RGRmCai.exe
  C:\Windows\System\RGRmCai.exe
  2⤵
  PID:6352
- C:\Windows\System\TDHrXSG.exe
  C:\Windows\System\TDHrXSG.exe
  2⤵
  PID:6368
- C:\Windows\System\jFWaxYc.exe
  C:\Windows\System\jFWaxYc.exe
  2⤵
  PID:6392
- C:\Windows\System\fwOcggu.exe
  C:\Windows\System\fwOcggu.exe
  2⤵
  PID:6408
- C:\Windows\System\bNVcAsO.exe
  C:\Windows\System\bNVcAsO.exe
  2⤵
  PID:6436
- C:\Windows\System\voivFzr.exe
  C:\Windows\System\voivFzr.exe
  2⤵
  PID:6460
- C:\Windows\System\jixIpyS.exe
  C:\Windows\System\jixIpyS.exe
  2⤵
  PID:6484
- C:\Windows\System\jRUdnOA.exe
  C:\Windows\System\jRUdnOA.exe
  2⤵
  PID:6500
- C:\Windows\System\dztODIr.exe
  C:\Windows\System\dztODIr.exe
  2⤵
  PID:6532
- C:\Windows\System\NoDmMlT.exe
  C:\Windows\System\NoDmMlT.exe
  2⤵
  PID:6568
- C:\Windows\System\ZYywtgg.exe
  C:\Windows\System\ZYywtgg.exe
  2⤵
  PID:6592
- C:\Windows\System\xmDwuFR.exe
  C:\Windows\System\xmDwuFR.exe
  2⤵
  PID:6612
- C:\Windows\System\lOJLnJf.exe
  C:\Windows\System\lOJLnJf.exe
  2⤵
  PID:6632
- C:\Windows\System\YkMRQsv.exe
  C:\Windows\System\YkMRQsv.exe
  2⤵
  PID:6660
- C:\Windows\System\TTFrqpr.exe
  C:\Windows\System\TTFrqpr.exe
  2⤵
  PID:6688
- C:\Windows\System\JmqggNz.exe
  C:\Windows\System\JmqggNz.exe
  2⤵
  PID:6712
- C:\Windows\System\wtnWzdG.exe
  C:\Windows\System\wtnWzdG.exe
  2⤵
  PID:6728
- C:\Windows\System\lmAjvjc.exe
  C:\Windows\System\lmAjvjc.exe
  2⤵
  PID:6752
- C:\Windows\System\vnHwxBt.exe
  C:\Windows\System\vnHwxBt.exe
  2⤵
  PID:6776
- C:\Windows\System\wycolMK.exe
  C:\Windows\System\wycolMK.exe
  2⤵
  PID:6800
- C:\Windows\System\denVabF.exe
  C:\Windows\System\denVabF.exe
  2⤵
  PID:6824
- C:\Windows\System\qtzceiS.exe
  C:\Windows\System\qtzceiS.exe
  2⤵
  PID:6844
- C:\Windows\System\ilqLfkb.exe
  C:\Windows\System\ilqLfkb.exe
  2⤵
  PID:6868
- C:\Windows\System\PZpRwAM.exe
  C:\Windows\System\PZpRwAM.exe
  2⤵
  PID:6892
- C:\Windows\System\XoZBVDN.exe
  C:\Windows\System\XoZBVDN.exe
  2⤵
  PID:6916
- C:\Windows\System\PcMZEZz.exe
  C:\Windows\System\PcMZEZz.exe
  2⤵
  PID:6932
- C:\Windows\System\uDrjMAT.exe
  C:\Windows\System\uDrjMAT.exe
  2⤵
  PID:6956
- C:\Windows\System\sNThHoo.exe
  C:\Windows\System\sNThHoo.exe
  2⤵
  PID:6980
- C:\Windows\System\fWhJOVI.exe
  C:\Windows\System\fWhJOVI.exe
  2⤵
  PID:6996
- C:\Windows\System\JorEsEY.exe
  C:\Windows\System\JorEsEY.exe
  2⤵
  PID:7012
- C:\Windows\System\ZTZSXrR.exe
  C:\Windows\System\ZTZSXrR.exe
  2⤵
  PID:7032
- C:\Windows\System\FPguldH.exe
  C:\Windows\System\FPguldH.exe
  2⤵
  PID:7052
- C:\Windows\System\pdIdbSz.exe
  C:\Windows\System\pdIdbSz.exe
  2⤵
  PID:7072
- C:\Windows\System\BRyJXFi.exe
  C:\Windows\System\BRyJXFi.exe
  2⤵
  PID:7092
- C:\Windows\System\zRxJyoK.exe
  C:\Windows\System\zRxJyoK.exe
  2⤵
  PID:7112
- C:\Windows\System\iwUiJGb.exe
  C:\Windows\System\iwUiJGb.exe
  2⤵
  PID:7140
- C:\Windows\System\xRVJTLj.exe
  C:\Windows\System\xRVJTLj.exe
  2⤵
  PID:7164
- C:\Windows\System\kZRhnGc.exe
  C:\Windows\System\kZRhnGc.exe
  2⤵
  PID:4940
- C:\Windows\System\oeHgAaa.exe
  C:\Windows\System\oeHgAaa.exe
  2⤵
  PID:5968
- C:\Windows\System\OhMsWPr.exe
  C:\Windows\System\OhMsWPr.exe
  2⤵
  PID:892
- C:\Windows\System\sfMYSkT.exe
  C:\Windows\System\sfMYSkT.exe
  2⤵
  PID:3516
- C:\Windows\System\XXNSkmK.exe
  C:\Windows\System\XXNSkmK.exe
  2⤵
  PID:2780
- C:\Windows\System\bMkxOwE.exe
  C:\Windows\System\bMkxOwE.exe
  2⤵
  PID:1036
- C:\Windows\System\eJifpHj.exe
  C:\Windows\System\eJifpHj.exe
  2⤵
  PID:1204
- C:\Windows\System\XlTfGcu.exe
  C:\Windows\System\XlTfGcu.exe
  2⤵
  PID:5132
- C:\Windows\System\IWvmLPa.exe
  C:\Windows\System\IWvmLPa.exe
  2⤵
  PID:5156
- C:\Windows\System\fTBwPBy.exe
  C:\Windows\System\fTBwPBy.exe
  2⤵
  PID:972
- C:\Windows\System\fydHASY.exe
  C:\Windows\System\fydHASY.exe
  2⤵
  PID:5820
- C:\Windows\System\YWZRVUd.exe
  C:\Windows\System\YWZRVUd.exe
  2⤵
  PID:5192
- C:\Windows\System\dHaNZMQ.exe
  C:\Windows\System\dHaNZMQ.exe
  2⤵
  PID:5228
- C:\Windows\System\rNhsCLL.exe
  C:\Windows\System\rNhsCLL.exe
  2⤵
  PID:6220
- C:\Windows\System\XmFCSXb.exe
  C:\Windows\System\XmFCSXb.exe
  2⤵
  PID:6300
- C:\Windows\System\iEAZYKU.exe
  C:\Windows\System\iEAZYKU.exe
  2⤵
  PID:6428
- C:\Windows\System\xwDLVul.exe
  C:\Windows\System\xwDLVul.exe
  2⤵
  PID:5376
- C:\Windows\System\tfrGvrv.exe
  C:\Windows\System\tfrGvrv.exe
  2⤵
  PID:5440
- C:\Windows\System\AwiwTnF.exe
  C:\Windows\System\AwiwTnF.exe
  2⤵
  PID:5496
- C:\Windows\System\IGiLxaY.exe
  C:\Windows\System\IGiLxaY.exe
  2⤵
  PID:1104
- C:\Windows\System\gJKEbCs.exe
  C:\Windows\System\gJKEbCs.exe
  2⤵
  PID:6496
- C:\Windows\System\BcQwBUg.exe
  C:\Windows\System\BcQwBUg.exe
  2⤵
  PID:5656
- C:\Windows\System\zeqDzKL.exe
  C:\Windows\System\zeqDzKL.exe
  2⤵
  PID:5684
- C:\Windows\System\sdvajfQ.exe
  C:\Windows\System\sdvajfQ.exe
  2⤵
  PID:6188
- C:\Windows\System\PKCwcmR.exe
  C:\Windows\System\PKCwcmR.exe
  2⤵
  PID:5908
- C:\Windows\System\thbCwfP.exe
  C:\Windows\System\thbCwfP.exe
  2⤵
  PID:6296
- C:\Windows\System\ffqwcxZ.exe
  C:\Windows\System\ffqwcxZ.exe
  2⤵
  PID:7184
- C:\Windows\System\liSjRfi.exe
  C:\Windows\System\liSjRfi.exe
  2⤵
  PID:7200
- C:\Windows\System\xFCKwiU.exe
  C:\Windows\System\xFCKwiU.exe
  2⤵
  PID:7220
- C:\Windows\System\lIvfvcO.exe
  C:\Windows\System\lIvfvcO.exe
  2⤵
  PID:7308
- C:\Windows\System\UYhYfgp.exe
  C:\Windows\System\UYhYfgp.exe
  2⤵
  PID:7324
- C:\Windows\System\sdSbnmq.exe
  C:\Windows\System\sdSbnmq.exe
  2⤵
  PID:7340
- C:\Windows\System\oepMeNA.exe
  C:\Windows\System\oepMeNA.exe
  2⤵
  PID:7356
- C:\Windows\System\jGsameT.exe
  C:\Windows\System\jGsameT.exe
  2⤵
  PID:7372
- C:\Windows\System\mBrWImb.exe
  C:\Windows\System\mBrWImb.exe
  2⤵
  PID:7388
- C:\Windows\System\TcNobus.exe
  C:\Windows\System\TcNobus.exe
  2⤵
  PID:7404
- C:\Windows\System\LGDXcDE.exe
  C:\Windows\System\LGDXcDE.exe
  2⤵
  PID:7420
- C:\Windows\System\gAynpgf.exe
  C:\Windows\System\gAynpgf.exe
  2⤵
  PID:7436
- C:\Windows\System\lAVUgxs.exe
  C:\Windows\System\lAVUgxs.exe
  2⤵
  PID:7452
- C:\Windows\System\aokvoTH.exe
  C:\Windows\System\aokvoTH.exe
  2⤵
  PID:7468
- C:\Windows\System\rjqsuqo.exe
  C:\Windows\System\rjqsuqo.exe
  2⤵
  PID:7484
- C:\Windows\System\FPOLBSs.exe
  C:\Windows\System\FPOLBSs.exe
  2⤵
  PID:7500
- C:\Windows\System\qIYYGJW.exe
  C:\Windows\System\qIYYGJW.exe
  2⤵
  PID:7516
- C:\Windows\System\rOJsFsT.exe
  C:\Windows\System\rOJsFsT.exe
  2⤵
  PID:7532
- C:\Windows\System\hcKPFwQ.exe
  C:\Windows\System\hcKPFwQ.exe
  2⤵
  PID:7564
- C:\Windows\System\TddWlFy.exe
  C:\Windows\System\TddWlFy.exe
  2⤵
  PID:7672
- C:\Windows\System\ZXaeccb.exe
  C:\Windows\System\ZXaeccb.exe
  2⤵
  PID:7864
- C:\Windows\System\uJbNsoa.exe
  C:\Windows\System\uJbNsoa.exe
  2⤵
  PID:7956
- C:\Windows\System\ZFKFcnl.exe
  C:\Windows\System\ZFKFcnl.exe
  2⤵
  PID:7976
- C:\Windows\System\LnxcJRH.exe
  C:\Windows\System\LnxcJRH.exe
  2⤵
  PID:7992
- C:\Windows\System\LfXRbql.exe
  C:\Windows\System\LfXRbql.exe
  2⤵
  PID:8012
- C:\Windows\System\rmSNOAR.exe
  C:\Windows\System\rmSNOAR.exe
  2⤵
  PID:8036
- C:\Windows\System\RlruDiB.exe
  C:\Windows\System\RlruDiB.exe
  2⤵
  PID:8056
- C:\Windows\System\RwwYmNi.exe
  C:\Windows\System\RwwYmNi.exe
  2⤵
  PID:8080
- C:\Windows\System\SsOQdeG.exe
  C:\Windows\System\SsOQdeG.exe
  2⤵
  PID:8128
- C:\Windows\System\DZqAOec.exe
  C:\Windows\System\DZqAOec.exe
  2⤵
  PID:8188
- C:\Windows\System\VdwiuUi.exe
  C:\Windows\System\VdwiuUi.exe
  2⤵
  PID:6156
- C:\Windows\System\CFXegHi.exe
  C:\Windows\System\CFXegHi.exe
  2⤵
  PID:3188
- C:\Windows\System\YrWmDhR.exe
  C:\Windows\System\YrWmDhR.exe
  2⤵
  PID:212
- C:\Windows\System\usDblLe.exe
  C:\Windows\System\usDblLe.exe
  2⤵
  PID:6080
- C:\Windows\System\gaZhuBe.exe
  C:\Windows\System\gaZhuBe.exe
  2⤵
  PID:6052
- C:\Windows\System\QBxFJWN.exe
  C:\Windows\System\QBxFJWN.exe
  2⤵
  PID:6028
- C:\Windows\System\jHofFlQ.exe
  C:\Windows\System\jHofFlQ.exe
  2⤵
  PID:6384
- C:\Windows\System\sJuHKqr.exe
  C:\Windows\System\sJuHKqr.exe
  2⤵
  PID:5004
- C:\Windows\System\jemfLcT.exe
  C:\Windows\System\jemfLcT.exe
  2⤵
  PID:6524
- C:\Windows\System\CPMGonX.exe
  C:\Windows\System\CPMGonX.exe
  2⤵
  PID:6576
- C:\Windows\System\BHzlrub.exe
  C:\Windows\System\BHzlrub.exe
  2⤵
  PID:6608
- C:\Windows\System\NGEbqkA.exe
  C:\Windows\System\NGEbqkA.exe
  2⤵
  PID:6668
- C:\Windows\System\TsMGTdw.exe
  C:\Windows\System\TsMGTdw.exe
  2⤵
  PID:6704
- C:\Windows\System\wIGJcsR.exe
  C:\Windows\System\wIGJcsR.exe
  2⤵
  PID:6740
- C:\Windows\System\NvHeyMW.exe
  C:\Windows\System\NvHeyMW.exe
  2⤵
  PID:6772
- C:\Windows\System\MBUzZZk.exe
  C:\Windows\System\MBUzZZk.exe
  2⤵
  PID:6820
- C:\Windows\System\XHxxqMt.exe
  C:\Windows\System\XHxxqMt.exe
  2⤵
  PID:6860
- C:\Windows\System\CpXxzVZ.exe
  C:\Windows\System\CpXxzVZ.exe
  2⤵
  PID:6900
- C:\Windows\System\KTVEsiK.exe
  C:\Windows\System\KTVEsiK.exe
  2⤵
  PID:6940
- C:\Windows\System\ZuixxwY.exe
  C:\Windows\System\ZuixxwY.exe
  2⤵
  PID:6976
- C:\Windows\System\yQQmYpG.exe
  C:\Windows\System\yQQmYpG.exe
  2⤵
  PID:7020
- C:\Windows\System\uxPiGtN.exe
  C:\Windows\System\uxPiGtN.exe
  2⤵
  PID:7064
- C:\Windows\System\WFQAuXb.exe
  C:\Windows\System\WFQAuXb.exe
  2⤵
  PID:5868
- C:\Windows\System\qsjAJtt.exe
  C:\Windows\System\qsjAJtt.exe
  2⤵
  PID:5236
- C:\Windows\System\VAkOZjj.exe
  C:\Windows\System\VAkOZjj.exe
  2⤵
  PID:5508
- C:\Windows\System\pdZiYGH.exe
  C:\Windows\System\pdZiYGH.exe
  2⤵
  PID:7120
- C:\Windows\System\ggALwsW.exe
  C:\Windows\System\ggALwsW.exe
  2⤵
  PID:5872
- C:\Windows\System\sYDPXWV.exe
  C:\Windows\System\sYDPXWV.exe
  2⤵
  PID:5280
- C:\Windows\System\pCocRVz.exe
  C:\Windows\System\pCocRVz.exe
  2⤵
  PID:2400
- C:\Windows\System\OJAjiNK.exe
  C:\Windows\System\OJAjiNK.exe
  2⤵
  PID:2456
- C:\Windows\System\cNXMZFR.exe
  C:\Windows\System\cNXMZFR.exe
  2⤵
  PID:640
- C:\Windows\System\MjZegqO.exe
  C:\Windows\System\MjZegqO.exe
  2⤵
  PID:5212
- C:\Windows\System\DIYZSIo.exe
  C:\Windows\System\DIYZSIo.exe
  2⤵
  PID:5976
- C:\Windows\System\rBWHLna.exe
  C:\Windows\System\rBWHLna.exe
  2⤵
  PID:5352
- C:\Windows\System\QnTkMcR.exe
  C:\Windows\System\QnTkMcR.exe
  2⤵
  PID:5468
- C:\Windows\System\XMfvlaI.exe
  C:\Windows\System\XMfvlaI.exe
  2⤵
  PID:1752
- C:\Windows\System\FfKnFJv.exe
  C:\Windows\System\FfKnFJv.exe
  2⤵
  PID:1828
- C:\Windows\System\RRYXLAC.exe
  C:\Windows\System\RRYXLAC.exe
  2⤵
  PID:5956
- C:\Windows\System\utGmqjB.exe
  C:\Windows\System\utGmqjB.exe
  2⤵
  PID:8484
- C:\Windows\System\ihFYlyq.exe
  C:\Windows\System\ihFYlyq.exe
  2⤵
  PID:8500
- C:\Windows\System\xucwlov.exe
  C:\Windows\System\xucwlov.exe
  2⤵
  PID:8524
- C:\Windows\System\zQlPGMR.exe
  C:\Windows\System\zQlPGMR.exe
  2⤵
  PID:8540
- C:\Windows\System\IQOulrM.exe
  C:\Windows\System\IQOulrM.exe
  2⤵
  PID:8560
- C:\Windows\System\nthnsUa.exe
  C:\Windows\System\nthnsUa.exe
  2⤵
  PID:8580
- C:\Windows\System\VTJibEB.exe
  C:\Windows\System\VTJibEB.exe
  2⤵
  PID:8600
- C:\Windows\System\rjSJhQP.exe
  C:\Windows\System\rjSJhQP.exe
  2⤵
  PID:8620
- C:\Windows\System\GmZuoMn.exe
  C:\Windows\System\GmZuoMn.exe
  2⤵
  PID:8636
- C:\Windows\System\jSysFrW.exe
  C:\Windows\System\jSysFrW.exe
  2⤵
  PID:8660
- C:\Windows\System\uNYmOpr.exe
  C:\Windows\System\uNYmOpr.exe
  2⤵
  PID:8676
- C:\Windows\System\UghlPGV.exe
  C:\Windows\System\UghlPGV.exe
  2⤵
  PID:8696
- C:\Windows\System\KUKbFKn.exe
  C:\Windows\System\KUKbFKn.exe
  2⤵
  PID:8716
- C:\Windows\System\pBsqLLl.exe
  C:\Windows\System\pBsqLLl.exe
  2⤵
  PID:8736
- C:\Windows\System\iCVOiwA.exe
  C:\Windows\System\iCVOiwA.exe
  2⤵
  PID:8756
- C:\Windows\System\GGLDqxZ.exe
  C:\Windows\System\GGLDqxZ.exe
  2⤵
  PID:8776
- C:\Windows\System\kcrleQN.exe
  C:\Windows\System\kcrleQN.exe
  2⤵
  PID:8796
- C:\Windows\System\xJByhgD.exe
  C:\Windows\System\xJByhgD.exe
  2⤵
  PID:8812
- C:\Windows\System\jkhhmlL.exe
  C:\Windows\System\jkhhmlL.exe
  2⤵
  PID:8840
- C:\Windows\System\GRnPuRA.exe
  C:\Windows\System\GRnPuRA.exe
  2⤵
  PID:8860
- C:\Windows\System\ivNREtb.exe
  C:\Windows\System\ivNREtb.exe
  2⤵
  PID:8880
- C:\Windows\System\TBzkBLz.exe
  C:\Windows\System\TBzkBLz.exe
  2⤵
  PID:8900
- C:\Windows\System\EuPeIXk.exe
  C:\Windows\System\EuPeIXk.exe
  2⤵
  PID:8920
- C:\Windows\System\QvuhduT.exe
  C:\Windows\System\QvuhduT.exe
  2⤵
  PID:8940
- C:\Windows\System\BwWEvOQ.exe
  C:\Windows\System\BwWEvOQ.exe
  2⤵
  PID:8960
- C:\Windows\System\vitxwJb.exe
  C:\Windows\System\vitxwJb.exe
  2⤵
  PID:9012
- C:\Windows\System\FktXpZn.exe
  C:\Windows\System\FktXpZn.exe
  2⤵
  PID:9124
- C:\Windows\System\tgPUMmC.exe
  C:\Windows\System\tgPUMmC.exe
  2⤵
  PID:9144
- C:\Windows\System\WiIgvcx.exe
  C:\Windows\System\WiIgvcx.exe
  2⤵
  PID:9168
- C:\Windows\System\Siixgyb.exe
  C:\Windows\System\Siixgyb.exe
  2⤵
  PID:9192
- C:\Windows\System\IynjxDi.exe
  C:\Windows\System\IynjxDi.exe
  2⤵
  PID:9212
- C:\Windows\System\IAKNVNB.exe
  C:\Windows\System\IAKNVNB.exe
  2⤵
  PID:7952
- C:\Windows\System\RSSaRDq.exe
  C:\Windows\System\RSSaRDq.exe
  2⤵
  PID:784
- C:\Windows\System\JigyrHT.exe
  C:\Windows\System\JigyrHT.exe
  2⤵
  PID:6044
- C:\Windows\System\JlfmMgB.exe
  C:\Windows\System\JlfmMgB.exe
  2⤵
  PID:9224
- C:\Windows\System\hhsVECN.exe
  C:\Windows\System\hhsVECN.exe
  2⤵
  PID:9240
- C:\Windows\System\rTSOFhB.exe
  C:\Windows\System\rTSOFhB.exe
  2⤵
  PID:9256
- C:\Windows\System\NIUJhYE.exe
  C:\Windows\System\NIUJhYE.exe
  2⤵
  PID:9272
- C:\Windows\System\AOWsujZ.exe
  C:\Windows\System\AOWsujZ.exe
  2⤵
  PID:9288
- C:\Windows\System\AGwWsYI.exe
  C:\Windows\System\AGwWsYI.exe
  2⤵
  PID:9308
- C:\Windows\System\oeOnvoG.exe
  C:\Windows\System\oeOnvoG.exe
  2⤵
  PID:9328
- C:\Windows\System\WiTlXdq.exe
  C:\Windows\System\WiTlXdq.exe
  2⤵
  PID:9348
- C:\Windows\System\meQnKld.exe
  C:\Windows\System\meQnKld.exe
  2⤵
  PID:9368
- C:\Windows\System\dcjUTog.exe
  C:\Windows\System\dcjUTog.exe
  2⤵
  PID:9384
- C:\Windows\System\gDakxDC.exe
  C:\Windows\System\gDakxDC.exe
  2⤵
  PID:9400
- C:\Windows\System\xMjZuPZ.exe
  C:\Windows\System\xMjZuPZ.exe
  2⤵
  PID:9420
- C:\Windows\System\bsBpuMg.exe
  C:\Windows\System\bsBpuMg.exe
  2⤵
  PID:9440
- C:\Windows\System\JrMvHjp.exe
  C:\Windows\System\JrMvHjp.exe
  2⤵
  PID:9456
- C:\Windows\System\ZYqwyKq.exe
  C:\Windows\System\ZYqwyKq.exe
  2⤵
  PID:9476
- C:\Windows\System\rscMuOq.exe
  C:\Windows\System\rscMuOq.exe
  2⤵
  PID:9496
- C:\Windows\System\RyZAqyU.exe
  C:\Windows\System\RyZAqyU.exe
  2⤵
  PID:9512
- C:\Windows\System\GYunNvE.exe
  C:\Windows\System\GYunNvE.exe
  2⤵
  PID:9532
- C:\Windows\System\iFmvBxC.exe
  C:\Windows\System\iFmvBxC.exe
  2⤵
  PID:9552
- C:\Windows\System\DBYybWQ.exe
  C:\Windows\System\DBYybWQ.exe
  2⤵
  PID:9572
- C:\Windows\System\mPomyjV.exe
  C:\Windows\System\mPomyjV.exe
  2⤵
  PID:9588
- C:\Windows\System\GPoVwKK.exe
  C:\Windows\System\GPoVwKK.exe
  2⤵
  PID:9608
- C:\Windows\System\edKIqDf.exe
  C:\Windows\System\edKIqDf.exe
  2⤵
  PID:9628
- C:\Windows\System\BOZPVEc.exe
  C:\Windows\System\BOZPVEc.exe
  2⤵
  PID:9648
- C:\Windows\System\qZVXCfS.exe
  C:\Windows\System\qZVXCfS.exe
  2⤵
  PID:9668
- C:\Windows\System\XyrJgxY.exe
  C:\Windows\System\XyrJgxY.exe
  2⤵
  PID:9688
- C:\Windows\System\sVzxqVU.exe
  C:\Windows\System\sVzxqVU.exe
  2⤵
  PID:9704
- C:\Windows\System\xSAfStU.exe
  C:\Windows\System\xSAfStU.exe
  2⤵
  PID:9736
- C:\Windows\System\OOwWlTF.exe
  C:\Windows\System\OOwWlTF.exe
  2⤵
  PID:9752
- C:\Windows\System\hVgLPls.exe
  C:\Windows\System\hVgLPls.exe
  2⤵
  PID:9768
- C:\Windows\System\gatZfMs.exe
  C:\Windows\System\gatZfMs.exe
  2⤵
  PID:9784
- C:\Windows\System\xKiOqtO.exe
  C:\Windows\System\xKiOqtO.exe
  2⤵
  PID:9804
- C:\Windows\System\gxTsorL.exe
  C:\Windows\System\gxTsorL.exe
  2⤵
  PID:9824
- C:\Windows\System\hKoIZhy.exe
  C:\Windows\System\hKoIZhy.exe
  2⤵
  PID:9840
- C:\Windows\System\xCpLIUm.exe
  C:\Windows\System\xCpLIUm.exe
  2⤵
  PID:9856
- C:\Windows\System\rzRBPWO.exe
  C:\Windows\System\rzRBPWO.exe
  2⤵
  PID:9872
- C:\Windows\System\FKqntrj.exe
  C:\Windows\System\FKqntrj.exe
  2⤵
  PID:9888
- C:\Windows\System\wAePvFN.exe
  C:\Windows\System\wAePvFN.exe
  2⤵
  PID:9904
- C:\Windows\System\wuuOcBG.exe
  C:\Windows\System\wuuOcBG.exe
  2⤵
  PID:9920
- C:\Windows\System\iluHVmO.exe
  C:\Windows\System\iluHVmO.exe
  2⤵
  PID:9944
- C:\Windows\System\nBfVecJ.exe
  C:\Windows\System\nBfVecJ.exe
  2⤵
  PID:9964
- C:\Windows\System\lVFtUNO.exe
  C:\Windows\System\lVFtUNO.exe
  2⤵
  PID:9980
- C:\Windows\System\eMQlRjz.exe
  C:\Windows\System\eMQlRjz.exe
  2⤵
  PID:9996
- C:\Windows\System\nzvkqrR.exe
  C:\Windows\System\nzvkqrR.exe
  2⤵
  PID:10012
- C:\Windows\System\cObddzJ.exe
  C:\Windows\System\cObddzJ.exe
  2⤵
  PID:10028
- C:\Windows\System\AtEIzGq.exe
  C:\Windows\System\AtEIzGq.exe
  2⤵
  PID:10048
- C:\Windows\System\ERWefSy.exe
  C:\Windows\System\ERWefSy.exe
  2⤵
  PID:10072
- C:\Windows\System\MJJltbw.exe
  C:\Windows\System\MJJltbw.exe
  2⤵
  PID:10088
- C:\Windows\System\MRsFWUq.exe
  C:\Windows\System\MRsFWUq.exe
  2⤵
  PID:10108
- C:\Windows\System\eIyPKoQ.exe
  C:\Windows\System\eIyPKoQ.exe
  2⤵
  PID:10128
- C:\Windows\System\QyHMaVz.exe
  C:\Windows\System\QyHMaVz.exe
  2⤵
  PID:10148
- C:\Windows\System\xsYrdKH.exe
  C:\Windows\System\xsYrdKH.exe
  2⤵
  PID:10172
- C:\Windows\System\EnSGxBz.exe
  C:\Windows\System\EnSGxBz.exe
  2⤵
  PID:10188
- C:\Windows\System\hdlVlYy.exe
  C:\Windows\System\hdlVlYy.exe
  2⤵
  PID:10204
- C:\Windows\System\dckbQhm.exe
  C:\Windows\System\dckbQhm.exe
  2⤵
  PID:10220
- C:\Windows\System\xTmDmiH.exe
  C:\Windows\System\xTmDmiH.exe
  2⤵
  PID:6876
- C:\Windows\System\vOnUFvu.exe
  C:\Windows\System\vOnUFvu.exe
  2⤵
  PID:6972
- C:\Windows\System\tDeXTrX.exe
  C:\Windows\System\tDeXTrX.exe
  2⤵
  PID:7148
- C:\Windows\System\oADzrdz.exe
  C:\Windows\System\oADzrdz.exe
  2⤵
  PID:2008
- C:\Windows\System\ZztLDJO.exe
  C:\Windows\System\ZztLDJO.exe
  2⤵
  PID:3920
- C:\Windows\System\SQSymcP.exe
  C:\Windows\System\SQSymcP.exe
  2⤵
  PID:6480
- C:\Windows\System\LFLpGUQ.exe
  C:\Windows\System\LFLpGUQ.exe
  2⤵
  PID:5020
- C:\Windows\System\UNXaEYj.exe
  C:\Windows\System\UNXaEYj.exe
  2⤵
  PID:8888
- C:\Windows\System\CHobQrD.exe
  C:\Windows\System\CHobQrD.exe
  2⤵
  PID:7972
- C:\Windows\System\iAxnCDl.exe
  C:\Windows\System\iAxnCDl.exe
  2⤵
  PID:8008
- C:\Windows\System\VDKlKZy.exe
  C:\Windows\System\VDKlKZy.exe
  2⤵
  PID:8064
- C:\Windows\System\MFhKtVV.exe
  C:\Windows\System\MFhKtVV.exe
  2⤵
  PID:8100
- C:\Windows\System\hAUvQFt.exe
  C:\Windows\System\hAUvQFt.exe
  2⤵
  PID:8152
- C:\Windows\System\fFlPjkj.exe
  C:\Windows\System\fFlPjkj.exe
  2⤵
  PID:9164
- C:\Windows\System\PbSqwZq.exe
  C:\Windows\System\PbSqwZq.exe
  2⤵
  PID:6600
- C:\Windows\System\NxTuyPx.exe
  C:\Windows\System\NxTuyPx.exe
  2⤵
  PID:7892
- C:\Windows\System\ZfINJfk.exe
  C:\Windows\System\ZfINJfk.exe
  2⤵
  PID:9316
- C:\Windows\System\fjSOfLD.exe
  C:\Windows\System\fjSOfLD.exe
  2⤵
  PID:7044
- C:\Windows\System\efNIKWS.exe
  C:\Windows\System\efNIKWS.exe
  2⤵
  PID:9412
- C:\Windows\System\VSOxElx.exe
  C:\Windows\System\VSOxElx.exe
  2⤵
  PID:7300
- C:\Windows\System\EKkUMEt.exe
  C:\Windows\System\EKkUMEt.exe
  2⤵
  PID:7332
- C:\Windows\System\yuESXlD.exe
  C:\Windows\System\yuESXlD.exe
  2⤵
  PID:7444
- C:\Windows\System\jQCnOXQ.exe
  C:\Windows\System\jQCnOXQ.exe
  2⤵
  PID:7492
- C:\Windows\System\WUqahXe.exe
  C:\Windows\System\WUqahXe.exe
  2⤵
  PID:7548
- C:\Windows\System\lkvVpSz.exe
  C:\Windows\System\lkvVpSz.exe
  2⤵
  PID:7876
- C:\Windows\System\cnSOFZi.exe
  C:\Windows\System\cnSOFZi.exe
  2⤵
  PID:7912
- C:\Windows\System\NzAyYTd.exe
  C:\Windows\System\NzAyYTd.exe
  2⤵
  PID:7940
- C:\Windows\System\MusSbzb.exe
  C:\Windows\System\MusSbzb.exe
  2⤵
  PID:9764
- C:\Windows\System\BtJtrwN.exe
  C:\Windows\System\BtJtrwN.exe
  2⤵
  PID:3760
- C:\Windows\System\RRGyeXw.exe
  C:\Windows\System\RRGyeXw.exe
  2⤵
  PID:9064
- C:\Windows\System\NtAnecE.exe
  C:\Windows\System\NtAnecE.exe
  2⤵
  PID:4700
- C:\Windows\System\xOMVLft.exe
  C:\Windows\System\xOMVLft.exe
  2⤵
  PID:6104
- C:\Windows\System\EpwmoFh.exe
  C:\Windows\System\EpwmoFh.exe
  2⤵
  PID:6404
- C:\Windows\System\AkjIaHO.exe
  C:\Windows\System\AkjIaHO.exe
  2⤵
  PID:9136
- C:\Windows\System\jknRxFb.exe
  C:\Windows\System\jknRxFb.exe
  2⤵
  PID:6628
- C:\Windows\System\uSXxxil.exe
  C:\Windows\System\uSXxxil.exe
  2⤵
  PID:10252
- C:\Windows\System\eVZSwMu.exe
  C:\Windows\System\eVZSwMu.exe
  2⤵
  PID:10272
- C:\Windows\System\EmJygPw.exe
  C:\Windows\System\EmJygPw.exe
  2⤵
  PID:10296
- C:\Windows\System\fshntKE.exe
  C:\Windows\System\fshntKE.exe
  2⤵
  PID:10320
- C:\Windows\System\gcHKMAs.exe
  C:\Windows\System\gcHKMAs.exe
  2⤵
  PID:10340
- C:\Windows\System\tACKyCu.exe
  C:\Windows\System\tACKyCu.exe
  2⤵
  PID:10364
- C:\Windows\System\bCTIgkS.exe
  C:\Windows\System\bCTIgkS.exe
  2⤵
  PID:10388
- C:\Windows\System\XcZwLFA.exe
  C:\Windows\System\XcZwLFA.exe
  2⤵
  PID:10404
- C:\Windows\System\iegbAPz.exe
  C:\Windows\System\iegbAPz.exe
  2⤵
  PID:10424
- C:\Windows\System\mRqCrep.exe
  C:\Windows\System\mRqCrep.exe
  2⤵
  PID:10444
- C:\Windows\System\CxkhyBF.exe
  C:\Windows\System\CxkhyBF.exe
  2⤵
  PID:10468
- C:\Windows\System\Bcqxiqm.exe
  C:\Windows\System\Bcqxiqm.exe
  2⤵
  PID:10492
- C:\Windows\System\TVqEsZy.exe
  C:\Windows\System\TVqEsZy.exe
  2⤵
  PID:10516
- C:\Windows\System\NQwvIgq.exe
  C:\Windows\System\NQwvIgq.exe
  2⤵
  PID:10532
- C:\Windows\System\MMtKMcA.exe
  C:\Windows\System\MMtKMcA.exe
  2⤵
  PID:10556
- C:\Windows\System\SLwuRqz.exe
  C:\Windows\System\SLwuRqz.exe
  2⤵
  PID:10572
- C:\Windows\System\dxnTGBM.exe
  C:\Windows\System\dxnTGBM.exe
  2⤵
  PID:10588
- C:\Windows\System\bAGJfYI.exe
  C:\Windows\System\bAGJfYI.exe
  2⤵
  PID:10604
- C:\Windows\System\nRfXccF.exe
  C:\Windows\System\nRfXccF.exe
  2⤵
  PID:10620
- C:\Windows\System\qImZGEy.exe
  C:\Windows\System\qImZGEy.exe
  2⤵
  PID:10640
- C:\Windows\System\pzXIzOc.exe
  C:\Windows\System\pzXIzOc.exe
  2⤵
  PID:10660
- C:\Windows\System\xajhcIR.exe
  C:\Windows\System\xajhcIR.exe
  2⤵
  PID:10684
- C:\Windows\System\NqjtvIU.exe
  C:\Windows\System\NqjtvIU.exe
  2⤵
  PID:10704
- C:\Windows\System\zUAxVlV.exe
  C:\Windows\System\zUAxVlV.exe
  2⤵
  PID:10724
- C:\Windows\System\qQRLxhW.exe
  C:\Windows\System\qQRLxhW.exe
  2⤵
  PID:10744
- C:\Windows\System\bRSCCZB.exe
  C:\Windows\System\bRSCCZB.exe
  2⤵
  PID:10768
- C:\Windows\System\ltPtxXp.exe
  C:\Windows\System\ltPtxXp.exe
  2⤵
  PID:10788
- C:\Windows\System\uajYXLb.exe
  C:\Windows\System\uajYXLb.exe
  2⤵
  PID:10808
- C:\Windows\System\ztpfcbg.exe
  C:\Windows\System\ztpfcbg.exe
  2⤵
  PID:10832
- C:\Windows\System\otmXfmD.exe
  C:\Windows\System\otmXfmD.exe
  2⤵
  PID:10852
- C:\Windows\System\RXYVWxL.exe
  C:\Windows\System\RXYVWxL.exe
  2⤵
  PID:10876
- C:\Windows\System\dnOrqrc.exe
  C:\Windows\System\dnOrqrc.exe
  2⤵
  PID:10900
- C:\Windows\System\wgBhEuf.exe
  C:\Windows\System\wgBhEuf.exe
  2⤵
  PID:10920
- C:\Windows\System\gWwgYJX.exe
  C:\Windows\System\gWwgYJX.exe
  2⤵
  PID:10940
- C:\Windows\System\ceAvnAb.exe
  C:\Windows\System\ceAvnAb.exe
  2⤵
  PID:10964
- C:\Windows\System\hxMlwoe.exe
  C:\Windows\System\hxMlwoe.exe
  2⤵
  PID:10992
- C:\Windows\System\waJESjZ.exe
  C:\Windows\System\waJESjZ.exe
  2⤵
  PID:11012
- C:\Windows\System\FFnioGD.exe
  C:\Windows\System\FFnioGD.exe
  2⤵
  PID:11036
- C:\Windows\System\TMOFhUz.exe
  C:\Windows\System\TMOFhUz.exe
  2⤵
  PID:11056
- C:\Windows\System\TJykQFo.exe
  C:\Windows\System\TJykQFo.exe
  2⤵
  PID:11076
- C:\Windows\System\grJxNen.exe
  C:\Windows\System\grJxNen.exe
  2⤵
  PID:11100
- C:\Windows\System\LqhQwjZ.exe
  C:\Windows\System\LqhQwjZ.exe
  2⤵
  PID:6816
- C:\Windows\System\uUjUETJ.exe
  C:\Windows\System\uUjUETJ.exe
  2⤵
  PID:5456
- C:\Windows\System\yeYVijZ.exe
  C:\Windows\System\yeYVijZ.exe
  2⤵
  PID:9416
- C:\Windows\System\bOGmRFk.exe
  C:\Windows\System\bOGmRFk.exe
  2⤵
  PID:9988
- C:\Windows\System\SxrKpEu.exe
  C:\Windows\System\SxrKpEu.exe
  2⤵
  PID:6380
- C:\Windows\System\HYpfOlM.exe
  C:\Windows\System\HYpfOlM.exe
  2⤵
  PID:9664
- C:\Windows\System\BoBzoXq.exe
  C:\Windows\System\BoBzoXq.exe
  2⤵
  PID:10196
- C:\Windows\System\FrjtEDV.exe
  C:\Windows\System\FrjtEDV.exe
  2⤵
  PID:7088
- C:\Windows\System\qdxLjpe.exe
  C:\Windows\System\qdxLjpe.exe
  2⤵
  PID:2800
- C:\Windows\System\qElUAKF.exe
  C:\Windows\System\qElUAKF.exe
  2⤵
  PID:11268
- C:\Windows\System\gQkYdvV.exe
  C:\Windows\System\gQkYdvV.exe
  2⤵
  PID:11304
- C:\Windows\System\fYUdHjZ.exe
  C:\Windows\System\fYUdHjZ.exe
  2⤵
  PID:11328
- C:\Windows\System\gxgJIMc.exe
  C:\Windows\System\gxgJIMc.exe
  2⤵
  PID:11352
- C:\Windows\System\SyorMMb.exe
  C:\Windows\System\SyorMMb.exe
  2⤵
  PID:11376
- C:\Windows\System\cnxDbxZ.exe
  C:\Windows\System\cnxDbxZ.exe
  2⤵
  PID:11392
- C:\Windows\System\xdyILKb.exe
  C:\Windows\System\xdyILKb.exe
  2⤵
  PID:11416
- C:\Windows\System\nLyjBdo.exe
  C:\Windows\System\nLyjBdo.exe
  2⤵
  PID:11440
- C:\Windows\System\gQyLyqf.exe
  C:\Windows\System\gQyLyqf.exe
  2⤵
  PID:11464
- C:\Windows\System\HRhpuzo.exe
  C:\Windows\System\HRhpuzo.exe
  2⤵
  PID:11480
- C:\Windows\System\hvIwymA.exe
  C:\Windows\System\hvIwymA.exe
  2⤵
  PID:11496
- C:\Windows\System\TxkHaFH.exe
  C:\Windows\System\TxkHaFH.exe
  2⤵
  PID:11512
- C:\Windows\System\NmQkgEg.exe
  C:\Windows\System\NmQkgEg.exe
  2⤵
  PID:11528
- C:\Windows\System\kCgOxwm.exe
  C:\Windows\System\kCgOxwm.exe
  2⤵
  PID:11544
- C:\Windows\System\UiglRfc.exe
  C:\Windows\System\UiglRfc.exe
  2⤵
  PID:11564
- C:\Windows\System\GYmBwAq.exe
  C:\Windows\System\GYmBwAq.exe
  2⤵
  PID:11592
- C:\Windows\System\zOLEeSa.exe
  C:\Windows\System\zOLEeSa.exe
  2⤵
  PID:11620
- C:\Windows\System\tJeiMVO.exe
  C:\Windows\System\tJeiMVO.exe
  2⤵
  PID:11652
- C:\Windows\System\tTaljyL.exe
  C:\Windows\System\tTaljyL.exe
  2⤵
  PID:11672
- C:\Windows\System\buzAmCe.exe
  C:\Windows\System\buzAmCe.exe
  2⤵
  PID:11696
- C:\Windows\System\VKaPOUr.exe
  C:\Windows\System\VKaPOUr.exe
  2⤵
  PID:11716
- C:\Windows\System\zzMtNvu.exe
  C:\Windows\System\zzMtNvu.exe
  2⤵
  PID:11736
- C:\Windows\System\BhXuAtS.exe
  C:\Windows\System\BhXuAtS.exe
  2⤵
  PID:11760
- C:\Windows\System\AxqMQWG.exe
  C:\Windows\System\AxqMQWG.exe
  2⤵
  PID:11780
- C:\Windows\System\AIpZKhX.exe
  C:\Windows\System\AIpZKhX.exe
  2⤵
  PID:11804
- C:\Windows\System\pnvzDIg.exe
  C:\Windows\System\pnvzDIg.exe
  2⤵
  PID:11824
- C:\Windows\System\XOhPWMh.exe
  C:\Windows\System\XOhPWMh.exe
  2⤵
  PID:11844
- C:\Windows\System\idEpygO.exe
  C:\Windows\System\idEpygO.exe
  2⤵
  PID:11872
- C:\Windows\System\sqUITRO.exe
  C:\Windows\System\sqUITRO.exe
  2⤵
  PID:11892
- C:\Windows\System\JlCdkuA.exe
  C:\Windows\System\JlCdkuA.exe
  2⤵
  PID:11920
- C:\Windows\System\qtNxtIs.exe
  C:\Windows\System\qtNxtIs.exe
  2⤵
  PID:11944
- C:\Windows\System\jvVixFN.exe
  C:\Windows\System\jvVixFN.exe
  2⤵
  PID:11964
- C:\Windows\System\gSByWTK.exe
  C:\Windows\System\gSByWTK.exe
  2⤵
  PID:11988
- C:\Windows\System\mIsFiGA.exe
  C:\Windows\System\mIsFiGA.exe
  2⤵
  PID:12008
- C:\Windows\System\IyOsrqK.exe
  C:\Windows\System\IyOsrqK.exe
  2⤵
  PID:12032
- C:\Windows\System\SvDPOsL.exe
  C:\Windows\System\SvDPOsL.exe
  2⤵
  PID:12060
- C:\Windows\System\sETQEXL.exe
  C:\Windows\System\sETQEXL.exe
  2⤵
  PID:12076
- C:\Windows\System\dgfsjti.exe
  C:\Windows\System\dgfsjti.exe
  2⤵
  PID:12100
- C:\Windows\System\egstVSu.exe
  C:\Windows\System\egstVSu.exe
  2⤵
  PID:12128
- C:\Windows\System\ohfYsZZ.exe
  C:\Windows\System\ohfYsZZ.exe
  2⤵
  PID:12148
- C:\Windows\System\LcyJUjs.exe
  C:\Windows\System\LcyJUjs.exe
  2⤵
  PID:12172
- C:\Windows\System\mdpsNWi.exe
  C:\Windows\System\mdpsNWi.exe
  2⤵
  PID:12188
- C:\Windows\System\WPIszTH.exe
  C:\Windows\System\WPIszTH.exe
  2⤵
  PID:12212
- C:\Windows\System\wPcJWtv.exe
  C:\Windows\System\wPcJWtv.exe
  2⤵
  PID:12232
- C:\Windows\System\tKyJAoe.exe
  C:\Windows\System\tKyJAoe.exe
  2⤵
  PID:12252
- C:\Windows\System\nExuXVG.exe
  C:\Windows\System\nExuXVG.exe
  2⤵
  PID:12276
- C:\Windows\System\nXoingd.exe
  C:\Windows\System\nXoingd.exe
  2⤵
  PID:8512
- C:\Windows\System\pALVGVO.exe
  C:\Windows\System\pALVGVO.exe
  2⤵
  PID:8568
- C:\Windows\System\YwPyOiY.exe
  C:\Windows\System\YwPyOiY.exe
  2⤵
  PID:8592
- C:\Windows\System\jHJEsAV.exe
  C:\Windows\System\jHJEsAV.exe
  2⤵
  PID:8628
- C:\Windows\System\avqnrdj.exe
  C:\Windows\System\avqnrdj.exe
  2⤵
  PID:8668
- C:\Windows\System\VQHbzzL.exe
  C:\Windows\System\VQHbzzL.exe
  2⤵
  PID:8708
- C:\Windows\System\eQrmhpL.exe
  C:\Windows\System\eQrmhpL.exe
  2⤵
  PID:8752
- C:\Windows\System\tFpXlxO.exe
  C:\Windows\System\tFpXlxO.exe
  2⤵
  PID:8792
- C:\Windows\System\XjsNqjX.exe
  C:\Windows\System\XjsNqjX.exe
  2⤵
  PID:8832
- C:\Windows\System\VYVdhpP.exe
  C:\Windows\System\VYVdhpP.exe
  2⤵
  PID:8928
- C:\Windows\System\bIKqchP.exe
  C:\Windows\System\bIKqchP.exe
  2⤵
  PID:7528
- C:\Windows\System\LYKJRRP.exe
  C:\Windows\System\LYKJRRP.exe
  2⤵
  PID:7944
- C:\Windows\System\OivorUA.exe
  C:\Windows\System\OivorUA.exe
  2⤵
  PID:9776
- C:\Windows\System\bTstVso.exe
  C:\Windows\System\bTstVso.exe
  2⤵
  PID:9796
- C:\Windows\System\jmbhNou.exe
  C:\Windows\System\jmbhNou.exe
  2⤵
  PID:10244
- C:\Windows\System\wwvKFKx.exe
  C:\Windows\System\wwvKFKx.exe
  2⤵
  PID:4284
- C:\Windows\System\IavoRys.exe
  C:\Windows\System\IavoRys.exe
  2⤵
  PID:9268
- C:\Windows\System\zwTOsSy.exe
  C:\Windows\System\zwTOsSy.exe
  2⤵
  PID:9880
- C:\Windows\System\GXEILcc.exe
  C:\Windows\System\GXEILcc.exe
  2⤵
  PID:9380
- C:\Windows\System\AqfMSnb.exe
  C:\Windows\System\AqfMSnb.exe
  2⤵
  PID:10584
- C:\Windows\System\ehdSIyZ.exe
  C:\Windows\System\ehdSIyZ.exe
  2⤵
  PID:10652
- C:\Windows\System\AnfWqlB.exe
  C:\Windows\System\AnfWqlB.exe
  2⤵
  PID:9452
- C:\Windows\System\HgtYYZh.exe
  C:\Windows\System\HgtYYZh.exe
  2⤵
  PID:10780
- C:\Windows\System\xUcRJXO.exe
  C:\Windows\System\xUcRJXO.exe
  2⤵
  PID:10804
- C:\Windows\System\pPJXkZE.exe
  C:\Windows\System\pPJXkZE.exe
  2⤵
  PID:9976
- C:\Windows\System\DIEJbol.exe
  C:\Windows\System\DIEJbol.exe
  2⤵
  PID:9568
- C:\Windows\System\tbMuFju.exe
  C:\Windows\System\tbMuFju.exe
  2⤵
  PID:9600
- C:\Windows\System\ZMVWHvW.exe
  C:\Windows\System\ZMVWHvW.exe
  2⤵
  PID:9636
- C:\Windows\System\ONlAFUK.exe
  C:\Windows\System\ONlAFUK.exe
  2⤵
  PID:10872
- C:\Windows\System\UaHFInR.exe
  C:\Windows\System\UaHFInR.exe
  2⤵
  PID:10068
- C:\Windows\System\mDyxXxQ.exe
  C:\Windows\System\mDyxXxQ.exe
  2⤵
  PID:10100
- C:\Windows\System\bJIOUWW.exe
  C:\Windows\System\bJIOUWW.exe
  2⤵
  PID:12312
- C:\Windows\System\xwBVONt.exe
  C:\Windows\System\xwBVONt.exe
  2⤵
  PID:12328
- C:\Windows\System\VpHEwFQ.exe
  C:\Windows\System\VpHEwFQ.exe
  2⤵
  PID:12360
- C:\Windows\System\PHkPQwp.exe
  C:\Windows\System\PHkPQwp.exe
  2⤵
  PID:12376
- C:\Windows\System\WQcBgXy.exe
  C:\Windows\System\WQcBgXy.exe
  2⤵
  PID:12400
- C:\Windows\System\XiAtOcz.exe
  C:\Windows\System\XiAtOcz.exe
  2⤵
  PID:12416
- C:\Windows\System\pRHPwpq.exe
  C:\Windows\System\pRHPwpq.exe
  2⤵
  PID:12436
- C:\Windows\System\yZeSNGv.exe
  C:\Windows\System\yZeSNGv.exe
  2⤵
  PID:12460
- C:\Windows\System\EDtrpsk.exe
  C:\Windows\System\EDtrpsk.exe
  2⤵
  PID:12476
- C:\Windows\System\cOzRilk.exe
  C:\Windows\System\cOzRilk.exe
  2⤵
  PID:12496
- C:\Windows\System\uXXsiCw.exe
  C:\Windows\System\uXXsiCw.exe
  2⤵
  PID:12516
- C:\Windows\System\vlTyatZ.exe
  C:\Windows\System\vlTyatZ.exe
  2⤵
  PID:12532
- C:\Windows\System\swjkISJ.exe
  C:\Windows\System\swjkISJ.exe
  2⤵
  PID:12592
- C:\Windows\System\JzNzrxV.exe
  C:\Windows\System\JzNzrxV.exe
  2⤵
  PID:12608
- C:\Windows\System\QlWNXbu.exe
  C:\Windows\System\QlWNXbu.exe
  2⤵
  PID:12624
- C:\Windows\System\TCblnyl.exe
  C:\Windows\System\TCblnyl.exe
  2⤵
  PID:12640
- C:\Windows\System\JMZeTAd.exe
  C:\Windows\System\JMZeTAd.exe
  2⤵
  PID:12656
- C:\Windows\System\vIUOwHt.exe
  C:\Windows\System\vIUOwHt.exe
  2⤵
  PID:12672
- C:\Windows\System\GwJbYLr.exe
  C:\Windows\System\GwJbYLr.exe
  2⤵
  PID:12688
- C:\Windows\System\dLuHftX.exe
  C:\Windows\System\dLuHftX.exe
  2⤵
  PID:12704
- C:\Windows\System\OszcIxY.exe
  C:\Windows\System\OszcIxY.exe
  2⤵
  PID:12720
- C:\Windows\System\vNzuFLA.exe
  C:\Windows\System\vNzuFLA.exe
  2⤵
  PID:12736
- C:\Windows\System\NNxjAic.exe
  C:\Windows\System\NNxjAic.exe
  2⤵
  PID:12756
- C:\Windows\System\jCOXPgd.exe
  C:\Windows\System\jCOXPgd.exe
  2⤵
  PID:12780
- C:\Windows\System\MhttsDD.exe
  C:\Windows\System\MhttsDD.exe
  2⤵
  PID:12796
- C:\Windows\System\trqwbgp.exe
  C:\Windows\System\trqwbgp.exe
  2⤵
  PID:12820
- C:\Windows\System\MXlKDmc.exe
  C:\Windows\System\MXlKDmc.exe
  2⤵
  PID:12844
- C:\Windows\System\rLcPbCn.exe
  C:\Windows\System\rLcPbCn.exe
  2⤵
  PID:12864
- C:\Windows\System\MXozFNT.exe
  C:\Windows\System\MXozFNT.exe
  2⤵
  PID:12880
- C:\Windows\System\phErteO.exe
  C:\Windows\System\phErteO.exe
  2⤵
  PID:12896
- C:\Windows\System\qWLsFzH.exe
  C:\Windows\System\qWLsFzH.exe
  2⤵
  PID:12912
- C:\Windows\System\lYseAnz.exe
  C:\Windows\System\lYseAnz.exe
  2⤵
  PID:12928
- C:\Windows\System\Tpeefmr.exe
  C:\Windows\System\Tpeefmr.exe
  2⤵
  PID:12944
- C:\Windows\System\KFfEPyh.exe
  C:\Windows\System\KFfEPyh.exe
  2⤵
  PID:12964
- C:\Windows\System\ikKVJCQ.exe
  C:\Windows\System\ikKVJCQ.exe
  2⤵
  PID:13012
- C:\Windows\System\BTRGBbt.exe
  C:\Windows\System\BTRGBbt.exe
  2⤵
  PID:13036
- C:\Windows\System\XEGqYxy.exe
  C:\Windows\System\XEGqYxy.exe
  2⤵
  PID:13056
- C:\Windows\System\xgNkYmV.exe
  C:\Windows\System\xgNkYmV.exe
  2⤵
  PID:13080
- C:\Windows\System\CDGRtbg.exe
  C:\Windows\System\CDGRtbg.exe
  2⤵
  PID:13104
- C:\Windows\System\MqBTubi.exe
  C:\Windows\System\MqBTubi.exe
  2⤵
  PID:13140
- C:\Windows\System\hRRFVrY.exe
  C:\Windows\System\hRRFVrY.exe
  2⤵
  PID:13168
- C:\Windows\System\lOoMZMh.exe
  C:\Windows\System\lOoMZMh.exe
  2⤵
  PID:13184
- C:\Windows\System\qwmOYkz.exe
  C:\Windows\System\qwmOYkz.exe
  2⤵
  PID:13204
- C:\Windows\System\UdszDRd.exe
  C:\Windows\System\UdszDRd.exe
  2⤵
  PID:13220
- C:\Windows\System\MBRgYQr.exe
  C:\Windows\System\MBRgYQr.exe
  2⤵
  PID:13236
- C:\Windows\System\qkCYUbE.exe
  C:\Windows\System\qkCYUbE.exe
  2⤵
  PID:13252
- C:\Windows\System\lqTuMSy.exe
  C:\Windows\System\lqTuMSy.exe
  2⤵
  PID:13268
- C:\Windows\System\NIGFSzL.exe
  C:\Windows\System\NIGFSzL.exe
  2⤵
  PID:13300
- C:\Windows\System\EinQZUM.exe
  C:\Windows\System\EinQZUM.exe
  2⤵
  PID:9680
- C:\Windows\System\fccvXmd.exe
  C:\Windows\System\fccvXmd.exe
  2⤵
  PID:10164
- C:\Windows\System\YpopRIY.exe
  C:\Windows\System\YpopRIY.exe
  2⤵
  PID:9716
- C:\Windows\System\YyNmiav.exe
  C:\Windows\System\YyNmiav.exe
  2⤵
  PID:6964
- C:\Windows\System\XbFfUUA.exe
  C:\Windows\System\XbFfUUA.exe
  2⤵
  PID:7160
- C:\Windows\System\KTzMkrJ.exe
  C:\Windows\System\KTzMkrJ.exe
  2⤵
  PID:9324
- C:\Windows\System\qZYwfZD.exe
  C:\Windows\System\qZYwfZD.exe
  2⤵
  PID:5904
- C:\Windows\System\kYwPHqL.exe
  C:\Windows\System\kYwPHqL.exe
  2⤵
  PID:11708
- C:\Windows\System\LwaIxmJ.exe
  C:\Windows\System\LwaIxmJ.exe
  2⤵
  PID:11812
- C:\Windows\System\OExSthu.exe
  C:\Windows\System\OExSthu.exe
  2⤵
  PID:9156
- C:\Windows\System\rMCNFlx.exe
  C:\Windows\System\rMCNFlx.exe
  2⤵
  PID:11960
- C:\Windows\System\uKEDLWR.exe
  C:\Windows\System\uKEDLWR.exe
  2⤵
  PID:10332
- C:\Windows\System\nNQQtkq.exe
  C:\Windows\System\nNQQtkq.exe
  2⤵
  PID:9484
- C:\Windows\System\EJfoNgT.exe
  C:\Windows\System\EJfoNgT.exe
  2⤵
  PID:9392
- C:\Windows\System\CSsnRsk.exe
  C:\Windows\System\CSsnRsk.exe
  2⤵
  PID:9300
- C:\Windows\System\uviOUrv.exe
  C:\Windows\System\uviOUrv.exe
  2⤵
  PID:9236
- C:\Windows\System\rnBlOtk.exe
  C:\Windows\System\rnBlOtk.exe
  2⤵
  PID:11132
- C:\Windows\System\iLVIacK.exe
  C:\Windows\System\iLVIacK.exe
  2⤵
  PID:11556
- C:\Windows\System\Apbhkhv.exe
  C:\Windows\System\Apbhkhv.exe
  2⤵
  PID:11524
- C:\Windows\System\dGkCCqg.exe
  C:\Windows\System\dGkCCqg.exe
  2⤵
  PID:11408
- C:\Windows\System\hlIqOHO.exe
  C:\Windows\System\hlIqOHO.exe
  2⤵
  PID:11732
- C:\Windows\System\LDAySaD.exe
  C:\Windows\System\LDAySaD.exe
  2⤵
  PID:13384
- C:\Windows\System\YSNgqLr.exe
  C:\Windows\System\YSNgqLr.exe
  2⤵
  PID:12504
- C:\Windows\System\CJFCFbe.exe
  C:\Windows\System\CJFCFbe.exe
  2⤵
  PID:12452
- C:\Windows\System\WUUrtdQ.exe
  C:\Windows\System\WUUrtdQ.exe
  2⤵
  PID:12788
- C:\Windows\System\qTXkkIp.exe
  C:\Windows\System\qTXkkIp.exe
  2⤵
  PID:13048
- C:\Windows\System\tSHxyIX.exe
  C:\Windows\System\tSHxyIX.exe
  2⤵
  PID:13844
- C:\Windows\System\POdXOth.exe
  C:\Windows\System\POdXOth.exe
  2⤵
  PID:14312
- C:\Windows\System\cKouuAe.exe
  C:\Windows\System\cKouuAe.exe
  2⤵
  PID:11788
- C:\Windows\System\UcZRwbo.exe
  C:\Windows\System\UcZRwbo.exe
  2⤵
  PID:9812
- C:\Windows\System\fcgFSir.exe
  C:\Windows\System\fcgFSir.exe
  2⤵
  PID:13712
- C:\Windows\System\gBsdanR.exe
  C:\Windows\System\gBsdanR.exe
  2⤵
  PID:13772
- C:\Windows\System\EUdIrTP.exe
  C:\Windows\System\EUdIrTP.exe
  2⤵
  PID:392
- C:\Windows\System\cSjFHUX.exe
  C:\Windows\System\cSjFHUX.exe
  2⤵
  PID:11048
- C:\Windows\System\giRFrVB.exe
  C:\Windows\System\giRFrVB.exe
  2⤵
  PID:14024
- C:\Windows\System\UzodRbn.exe
  C:\Windows\System\UzodRbn.exe
  2⤵
  PID:14064
- C:\Windows\System\mEvJFbF.exe
  C:\Windows\System\mEvJFbF.exe
  2⤵
  PID:14260
- C:\Windows\System\nmmjOGM.exe
  C:\Windows\System\nmmjOGM.exe
  2⤵
  PID:12904
- C:\Windows\System\PomMkcb.exe
  C:\Windows\System\PomMkcb.exe
  2⤵
  PID:12248
- C:\Windows\System\zYelgCr.exe
  C:\Windows\System\zYelgCr.exe
  2⤵
  PID:8876
- C:\Windows\System\HPEasIf.exe
  C:\Windows\System\HPEasIf.exe
  2⤵
  PID:11120
- C:\Windows\System\hciVngv.exe
  C:\Windows\System\hciVngv.exe
  2⤵
  PID:7004
- C:\Windows\System\mFPcPYc.exe
  C:\Windows\System\mFPcPYc.exe
  2⤵
  PID:9564
- C:\Windows\System\IbXClgs.exe
  C:\Windows\System\IbXClgs.exe
  2⤵
  PID:10024
- C:\Windows\System\ndpBIHh.exe
  C:\Windows\System\ndpBIHh.exe
  2⤵
  PID:13248
- C:\Windows\System\EbqMIfF.exe
  C:\Windows\System\EbqMIfF.exe
  2⤵
  PID:5072
- C:\Windows\System\dWNCMlP.exe
  C:\Windows\System\dWNCMlP.exe
  2⤵
  PID:10376
- C:\Windows\System\VqOgPsC.exe
  C:\Windows\System\VqOgPsC.exe
  2⤵
  PID:12744
- C:\Windows\System\UYAabov.exe
  C:\Windows\System\UYAabov.exe
  2⤵
  PID:12684
- C:\Windows\System\SEIAiAh.exe
  C:\Windows\System\SEIAiAh.exe
  2⤵
  PID:6760
- C:\Windows\System\vDBMOTQ.exe
  C:\Windows\System\vDBMOTQ.exe
  2⤵
  PID:13868
- C:\Windows\System\xsGOOvR.exe
  C:\Windows\System\xsGOOvR.exe
  2⤵
  PID:9320
- C:\Windows\System\FwjCKeN.exe
  C:\Windows\System\FwjCKeN.exe
  2⤵
  PID:7508
- C:\Windows\System\UgEjsPB.exe
  C:\Windows\System\UgEjsPB.exe
  2⤵
  PID:3692
- C:\Windows\System\wjzFIIj.exe
  C:\Windows\System\wjzFIIj.exe
  2⤵
  PID:10716
- C:\Windows\System\skjZBDr.exe
  C:\Windows\System\skjZBDr.exe
  2⤵
  PID:2112
- C:\Windows\System\gxgzIzm.exe
  C:\Windows\System\gxgzIzm.exe
  2⤵
  PID:8820
- C:\Windows\System\xhHTPIj.exe
  C:\Windows\System\xhHTPIj.exe
  2⤵
  PID:11388
- C:\Windows\System\OoAouTN.exe
  C:\Windows\System\OoAouTN.exe
  2⤵
  PID:8576
- C:\Windows\System\CCkzceu.exe
  C:\Windows\System\CCkzceu.exe
  2⤵
  PID:12220
- C:\Windows\System\XPReoMe.exe
  C:\Windows\System\XPReoMe.exe
  2⤵
  PID:9916
- C:\Windows\System\hNRDqhf.exe
  C:\Windows\System\hNRDqhf.exe
  2⤵
  PID:10136
- C:\Windows\System\UvfLRTs.exe
  C:\Windows\System\UvfLRTs.exe
  2⤵
  PID:10096
- C:\Windows\System\lQcZdng.exe
  C:\Windows\System\lQcZdng.exe
  2⤵
  PID:10956
- C:\Windows\System\XkvzkuS.exe
  C:\Windows\System\XkvzkuS.exe
  2⤵
  PID:332
- C:\Windows\System\JajDIVv.exe
  C:\Windows\System\JajDIVv.exe
  2⤵
  PID:11852
- C:\Windows\System\OJzTnNL.exe
  C:\Windows\System\OJzTnNL.exe
  2⤵
  PID:14136
- C:\Windows\System\CiCKPTs.exe
  C:\Windows\System\CiCKPTs.exe
  2⤵
  PID:12988
- C:\Windows\System\RvqaGkA.exe
  C:\Windows\System\RvqaGkA.exe
  2⤵
  PID:13024
- C:\Windows\System\FkmooCZ.exe
  C:\Windows\System\FkmooCZ.exe
  2⤵
  PID:14152
- C:\Windows\System\kqOBOKQ.exe
  C:\Windows\System\kqOBOKQ.exe
  2⤵
  PID:13920
- C:\Windows\System\lFsBtBV.exe
  C:\Windows\System\lFsBtBV.exe
  2⤵
  PID:4692
- C:\Windows\System\kPSInDV.exe
  C:\Windows\System\kPSInDV.exe
  2⤵
  PID:6376
- C:\Windows\System\aLgZSoo.exe
  C:\Windows\System\aLgZSoo.exe
  2⤵
  PID:11096
- C:\Windows\System\qzoTSAH.exe
  C:\Windows\System\qzoTSAH.exe
  2⤵
  PID:636
- C:\Windows\System\ymEQWcS.exe
  C:\Windows\System\ymEQWcS.exe
  2⤵
  PID:11668
- C:\Windows\System\RKCDfAk.exe
  C:\Windows\System\RKCDfAk.exe
  2⤵
  PID:11956
- C:\Windows\System\ZyOKXhs.exe
  C:\Windows\System\ZyOKXhs.exe
  2⤵
  PID:13216
- C:\Windows\System\nghdxvQ.exe
  C:\Windows\System\nghdxvQ.exe
  2⤵
  PID:12508
- C:\Windows\System\gaKXQap.exe
  C:\Windows\System\gaKXQap.exe
  2⤵
  PID:4280
- C:\Windows\System\XDiQXoW.exe
  C:\Windows\System\XDiQXoW.exe
  2⤵
  PID:1156
- C:\Windows\System\VehMhkM.exe
  C:\Windows\System\VehMhkM.exe
  2⤵
  PID:5176
- C:\Windows\System\JCTfsmm.exe
  C:\Windows\System\JCTfsmm.exe
  2⤵
  PID:4080
- C:\Windows\System\ujavmln.exe
  C:\Windows\System\ujavmln.exe
  2⤵
  PID:10972
- C:\Windows\System\IvHWUiy.exe
  C:\Windows\System\IvHWUiy.exe
  2⤵
  PID:13416
- C:\Windows\System\xYIDQPM.exe
  C:\Windows\System\xYIDQPM.exe
  2⤵
  PID:14012
- C:\Windows\System\guZYErQ.exe
  C:\Windows\System\guZYErQ.exe
  2⤵
  PID:13804
- C:\Windows\System\iHdzyzx.exe
  C:\Windows\System\iHdzyzx.exe
  2⤵
  PID:13836
- C:\Windows\System\wvMCyjf.exe
  C:\Windows\System\wvMCyjf.exe
  2⤵
  PID:2232
- C:\Windows\System\AXeHQDT.exe
  C:\Windows\System\AXeHQDT.exe
  2⤵
  PID:5704
- C:\Windows\System\XdmJMhe.exe
  C:\Windows\System\XdmJMhe.exe
  2⤵
  PID:13620
- C:\Windows\System\WwjZLsu.exe
  C:\Windows\System\WwjZLsu.exe
  2⤵
  PID:12348
- C:\Windows\System\McDYIsC.exe
  C:\Windows\System\McDYIsC.exe
  2⤵
  PID:11940
- C:\Windows\System\MaRJUyp.exe
  C:\Windows\System\MaRJUyp.exe
  2⤵
  PID:9712
- C:\Windows\System\oDpyigm.exe
  C:\Windows\System\oDpyigm.exe
  2⤵
  PID:8184
- C:\Windows\System\PmPpuEv.exe
  C:\Windows\System\PmPpuEv.exe
  2⤵
  PID:9520
- C:\Windows\System\lRBBydB.exe
  C:\Windows\System\lRBBydB.exe
  2⤵
  PID:12908
- C:\Windows\System\vqCmHrO.exe
  C:\Windows\System\vqCmHrO.exe
  2⤵
  PID:2432
- C:\Windows\System\XvfGjjq.exe
  C:\Windows\System\XvfGjjq.exe
  2⤵
  PID:512
- C:\Windows\System\PCzrZem.exe
  C:\Windows\System\PCzrZem.exe
  2⤵
  PID:7396
- C:\Windows\System\IVXzYxm.exe
  C:\Windows\System\IVXzYxm.exe
  2⤵
  PID:9504
- C:\Windows\System\ZqlUwyA.exe
  C:\Windows\System\ZqlUwyA.exe
  2⤵
  PID:12016
- C:\Windows\System\AqhnvFr.exe
  C:\Windows\System\AqhnvFr.exe
  2⤵
  PID:12040
- C:\Windows\System\SAjicca.exe
  C:\Windows\System\SAjicca.exe
  2⤵
  PID:1868
- C:\Windows\System\jEcKdcH.exe
  C:\Windows\System\jEcKdcH.exe
  2⤵
  PID:14048
- C:\Windows\System\bKwGhje.exe
  C:\Windows\System\bKwGhje.exe
  2⤵
  PID:11168
- C:\Windows\System\okDSnto.exe
  C:\Windows\System\okDSnto.exe
  2⤵
  PID:1560
- C:\Windows\System\CEpeOHo.exe
  C:\Windows\System\CEpeOHo.exe
  2⤵
  PID:10384
- C:\Windows\System\IBeSCPj.exe
  C:\Windows\System\IBeSCPj.exe
  2⤵
  PID:10292
- C:\Windows\System\sblBFdo.exe
  C:\Windows\System\sblBFdo.exe
  2⤵
  PID:10544
- C:\Windows\System\QCVnijx.exe
  C:\Windows\System\QCVnijx.exe
  2⤵
  PID:5944
- C:\Windows\System\koIwMbO.exe
  C:\Windows\System\koIwMbO.exe
  2⤵
  PID:12976
- C:\Windows\System\xsCgFWv.exe
  C:\Windows\System\xsCgFWv.exe
  2⤵
  PID:12224
- C:\Windows\System\EJHehpe.exe
  C:\Windows\System\EJHehpe.exe
  2⤵
  PID:1540
- C:\Windows\System\zhyzwrb.exe
  C:\Windows\System\zhyzwrb.exe
  2⤵
  PID:13704
- C:\Windows\System\sJqYkOp.exe
  C:\Windows\System\sJqYkOp.exe
  2⤵
  PID:13564
- C:\Windows\System\gLTcWie.exe
  C:\Windows\System\gLTcWie.exe
  2⤵
  PID:10908
- C:\Windows\System\fArWatW.exe
  C:\Windows\System\fArWatW.exe
  2⤵
  PID:14076
- C:\Windows\System\XlgbjKu.exe
  C:\Windows\System\XlgbjKu.exe
  2⤵
  PID:12856
- C:\Windows\System\YNwbxFL.exe
  C:\Windows\System\YNwbxFL.exe
  2⤵
  PID:14016
- C:\Windows\System\gXzvQUj.exe
  C:\Windows\System\gXzvQUj.exe
  2⤵
  PID:11728
- C:\Windows\System\qXViEsl.exe
  C:\Windows\System\qXViEsl.exe
  2⤵
  PID:13288
- C:\Windows\System\jsrxKUV.exe
  C:\Windows\System\jsrxKUV.exe
  2⤵
  PID:13944
- C:\Windows\System\MygEXQl.exe
  C:\Windows\System\MygEXQl.exe
  2⤵
  PID:396
- C:\Windows\System\NjTIMIN.exe
  C:\Windows\System\NjTIMIN.exe
  2⤵
  PID:12940
- C:\Windows\System\otuozyR.exe
  C:\Windows\System\otuozyR.exe
  2⤵
  PID:9852
- C:\Windows\System\tJjMmKk.exe
  C:\Windows\System\tJjMmKk.exe
  2⤵
  PID:13584
- C:\Windows\System\CVCHajB.exe
  C:\Windows\System\CVCHajB.exe
  2⤵
  PID:14280
- C:\Windows\System\ATQOKdI.exe
  C:\Windows\System\ATQOKdI.exe
  2⤵
  PID:13308
- C:\Windows\System\gbmuCdW.exe
  C:\Windows\System\gbmuCdW.exe
  2⤵
  PID:14040
- C:\Windows\System\LTrxtON.exe
  C:\Windows\System\LTrxtON.exe
  2⤵
  PID:464
- C:\Windows\System\htKaxfr.exe
  C:\Windows\System\htKaxfr.exe
  2⤵
  PID:5116
- C:\Windows\System\cQbWqgl.exe
  C:\Windows\System\cQbWqgl.exe
  2⤵
  PID:13096
- C:\Windows\System\KVCtHRB.exe
  C:\Windows\System\KVCtHRB.exe
  2⤵
  PID:6100
- C:\Windows\System\RCdgcJg.exe
  C:\Windows\System\RCdgcJg.exe
  2⤵
  PID:840
- C:\Windows\System\wGyEYhl.exe
  C:\Windows\System\wGyEYhl.exe
  2⤵
  PID:2716
- C:\Windows\System\UnbNqNP.exe
  C:\Windows\System\UnbNqNP.exe
  2⤵
  PID:408
- C:\Windows\System\eUiEKXi.exe
  C:\Windows\System\eUiEKXi.exe
  2⤵
  PID:2872
- C:\Windows\System\dkjrinM.exe
  C:\Windows\System\dkjrinM.exe
  2⤵
  PID:1196
- C:\Windows\System\RsdfVhY.exe
  C:\Windows\System\RsdfVhY.exe
  2⤵
  PID:1308
- C:\Windows\System\vwLcmVc.exe
  C:\Windows\System\vwLcmVc.exe
  2⤵
  PID:14180
- C:\Windows\System\hSRjGhy.exe
  C:\Windows\System\hSRjGhy.exe
  2⤵
  PID:13392
- C:\Windows\System\qkcrZRO.exe
  C:\Windows\System\qkcrZRO.exe
  2⤵
  PID:13324
- C:\Windows\System\qECGZpl.exe
  C:\Windows\System\qECGZpl.exe
  2⤵
  PID:10892
- C:\Windows\System\ulvmnFP.exe
  C:\Windows\System\ulvmnFP.exe
  2⤵
  PID:8788
- C:\Windows\System\JMjJVFq.exe
  C:\Windows\System\JMjJVFq.exe
  2⤵
  PID:13740
- C:\Windows\System\lexMeWc.exe
  C:\Windows\System\lexMeWc.exe
  2⤵
  PID:14300
- C:\Windows\System\EgkyASb.exe
  C:\Windows\System\EgkyASb.exe
  2⤵
  PID:12836
- C:\Windows\System\gXASqYo.exe
  C:\Windows\System\gXASqYo.exe
  2⤵
  PID:12872
- C:\Windows\System\eutqeLd.exe
  C:\Windows\System\eutqeLd.exe
  2⤵
  PID:1468
- C:\Windows\System\nHTSjzs.exe
  C:\Windows\System\nHTSjzs.exe
  2⤵
  PID:4104
- C:\Windows\System\TCZpJUE.exe
  C:\Windows\System\TCZpJUE.exe
  2⤵
  PID:4156
- C:\Windows\System\YNHfCUF.exe
  C:\Windows\System\YNHfCUF.exe
  2⤵
  PID:13616
- C:\Windows\System\dCGfoVA.exe
  C:\Windows\System\dCGfoVA.exe
  2⤵
  PID:10184
- C:\Windows\System\gtoSpSw.exe
  C:\Windows\System\gtoSpSw.exe
  2⤵
  PID:9676
- C:\Windows\System\qXbkIQh.exe
  C:\Windows\System\qXbkIQh.exe
  2⤵
  PID:13520
- C:\Windows\System\KtOrAuj.exe
  C:\Windows\System\KtOrAuj.exe
  2⤵
  PID:12680
- C:\Windows\System\QtaNaxv.exe
  C:\Windows\System\QtaNaxv.exe
  2⤵
  PID:1376
- C:\Windows\System\UQuBtCU.exe
  C:\Windows\System\UQuBtCU.exe
  2⤵
  PID:1984
- C:\Windows\System\LuZAczl.exe
  C:\Windows\System\LuZAczl.exe
  2⤵
  PID:6076
- C:\Windows\System\FmQkkij.exe
  C:\Windows\System\FmQkkij.exe
  2⤵
  PID:776
- C:\Windows\System\NYWVHYX.exe
  C:\Windows\System\NYWVHYX.exe
  2⤵
  PID:4160
- C:\Windows\System\LGLfNFe.exe
  C:\Windows\System\LGLfNFe.exe
  2⤵
  PID:4808
- C:\Windows\System\RvfRZHh.exe
  C:\Windows\System\RvfRZHh.exe
  2⤵
  PID:4244
- C:\Windows\System\pAspIxt.exe
  C:\Windows\System\pAspIxt.exe
  2⤵
  PID:820
- C:\Windows\System\tEZkPaP.exe
  C:\Windows\System\tEZkPaP.exe
  2⤵
  PID:6240
- C:\Windows\System\DbMNmbr.exe
  C:\Windows\System\DbMNmbr.exe
  2⤵
  PID:13912
- C:\Windows\System\GqnoOWp.exe
  C:\Windows\System\GqnoOWp.exe
  2⤵
  PID:4240
- C:\Windows\System\fbnDHgI.exe
  C:\Windows\System\fbnDHgI.exe
  2⤵
  PID:10304
- C:\Windows\System\pdFPLby.exe
  C:\Windows\System\pdFPLby.exe
  2⤵
  PID:9540
- C:\Windows\System\VsobNdN.exe
  C:\Windows\System\VsobNdN.exe
  2⤵
  PID:2556
- C:\Windows\System\yFgbHYR.exe
  C:\Windows\System\yFgbHYR.exe
  2⤵
  PID:8728
- C:\Windows\System\JjFMSbh.exe
  C:\Windows\System\JjFMSbh.exe
  2⤵
  PID:1544
- C:\Windows\System\edpAiEg.exe
  C:\Windows\System\edpAiEg.exe
  2⤵
  PID:11428
- C:\Windows\System\lGgDqzD.exe
  C:\Windows\System\lGgDqzD.exe
  2⤵
  PID:12492
- C:\Windows\System\nOTERVn.exe
  C:\Windows\System\nOTERVn.exe
  2⤵
  PID:3588
- C:\Windows\System\gyRfXsF.exe
  C:\Windows\System\gyRfXsF.exe
  2⤵
  PID:836
- C:\Windows\System\GUrkqOz.exe
  C:\Windows\System\GUrkqOz.exe
  2⤵
  PID:2292
- C:\Windows\System\gKERvQZ.exe
  C:\Windows\System\gKERvQZ.exe
  2⤵
  PID:1780
- C:\Windows\System\vNMhmvV.exe
  C:\Windows\System\vNMhmvV.exe
  2⤵
  PID:2212
- C:\Windows\System\UmdluSX.exe
  C:\Windows\System\UmdluSX.exe
  2⤵
  PID:13572
- C:\Windows\System\GFUAzcT.exe
  C:\Windows\System\GFUAzcT.exe
  2⤵
  PID:13576
- C:\Windows\System\cYCvSJM.exe
  C:\Windows\System\cYCvSJM.exe
  2⤵
  PID:9132
- C:\Windows\System\mlJiFwn.exe
  C:\Windows\System\mlJiFwn.exe
  2⤵
  PID:10676
- C:\Windows\System\IjNzWCV.exe
  C:\Windows\System\IjNzWCV.exe
  2⤵
  PID:14056
- C:\Windows\System\htcNJrc.exe
  C:\Windows\System\htcNJrc.exe
  2⤵
  PID:3220

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:11068

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13704

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14056

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:6648

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:996

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:14100

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:13880

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:14284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:5300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oodpr0ui.v3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\ASAcLIN.exe

Filesize
1.9MB

MD5
c137e139ffd8f6abe14640c1539c7a96

SHA1
db01037456a25dfb4949ba50ee4e89c7d2cd931c

SHA256
570080efd69ff273e0c99b2155624ce97cda3f678b6e9f4e7f10db24bd6c664a

SHA512
1c846bab0638a95438fcedd78efe7d977744fc21b14289b81cde77e3dda9b8c8f6e469d6790aa51aa5b4cfb2a4d0934089b3595cfa9b55dc852643de082d3a06

Download Submit
C:\Windows\System\CHqCgZL.exe

Filesize
1.9MB

MD5
5624e2668013a75870cf36f5b3e7442d

SHA1
ccdf4ddfccaf8b63e6b98ef34ab9704562b9bcf8

SHA256
8fb269ce63d07342838152f13c8e5446025fb5631bd7117b6a097fa6454eda37

SHA512
9d0dac072890818846c8acc38c0d814da1ef8c858d08a9197cbd41eb581656d6b2521c6c3c31b75e05b8ad807e4bd68199cff3a97a21eb16d7baace30c24e305

Download Submit
C:\Windows\System\Cwlkcbz.exe

Filesize
1.9MB

MD5
b54a363118eabd50f0e846bffe9a48e4

SHA1
3a99d9759c2d3084da968bb4b496d6fc1805acd0

SHA256
3a641703da3b1a93e86cb31c7eb1b3ff4dd5da1d8a8ec573cb7e75a20819efba

SHA512
e924d14a321d5c6aea91821a92fd9db0fe201d43fac9705b0f16652c6d72ec9fdaaab029caae16a59c4c48cf9093e4343270936975e1a897007e4a1d39d34310

Download Submit
C:\Windows\System\GZHOCHy.exe

Filesize
1.9MB

MD5
b1b753e6ee6106fe4106bdc232561be7

SHA1
9e5603b573bd893b5130255937fae21875a20e14

SHA256
efc9453ac5796b5859ffcb87d6c09a225e4c43e4e67b2b6e911402e2e82cbb88

SHA512
3977bc5348a2b3210bcfda74cee0eb16676e62ea1b983d3ea63708f64a2ea90d158e9530d2c3cfb1aa9fb0e762a5eb301108e96c6191a188a54d3edec191f15b

Download Submit
C:\Windows\System\GZdQPwh.exe

Filesize
1.9MB

MD5
0566e6bf9d76635338dcfff19154e2e3

SHA1
401bc80273c5bd21a2dd820264f1e2ee596ac891

SHA256
70c2b5175ee611e6735cd72a1764d84cedb08c495861717169b87f32e5bea1b2

SHA512
e2859450a7ffe5fd1a76c8133e2e2fff5af56ba0168ac18bcaf269817c82cd66399b2973bdb95cddbd94e34858d6da61a80b2ca0fae317750e074b4e854c4509

Download Submit
C:\Windows\System\HLHUoBu.exe

Filesize
1.9MB

MD5
5c0c92ac53ae823805c54a09e6de13ba

SHA1
49a5847685fec355400e00f08c24fa50f1569683

SHA256
48df50301a25029b66c8c43335ddd00b92ab62a3c063925d973def70fdcb4cea

SHA512
44b8e513c22efdb369b14859f8b9595dade68dae3f9626539f360b74d512e8f3c36d48874d48368b2e251243b4eeafdd7732dcebd946cf9bab7dddf9711868da

Download Submit
C:\Windows\System\HwqXNvN.exe

Filesize
1.9MB

MD5
57d6ce9c9a1689a64532feba39876285

SHA1
aa3b483a3f02e8326732678996c2bca733ac15fe

SHA256
cbab1b89f2409baefe9f7f218ef6ab30d7c68a460a867f3adb7d30a6b1cf87f2

SHA512
07a0fc69b3f2db1a9bcedbb8467090bbe225dc3b9ebdfd5466b9267e009eef26ee084a58740e2cafbd06ceba0a509e6fb2ab2743314a84ddb89cea07f4588e90

Download Submit
C:\Windows\System\MycOFTw.exe

Filesize
1.9MB

MD5
eea06f6295a89804ad3b172b72dc2f14

SHA1
4a70b8de79799763a0e3e36ce017aab63d9fc1b4

SHA256
9a2de39b734b366444251314e8532c55008d00d2f9f284a49cc4112628b4bf41

SHA512
c8ca21d20c70a03d6a0178c0012fc2b8330aef0184646996a2412c8cfb4bc0197c3d6e73e09ad592d9c2b8a404749e63e5c896fab8c54c0f58fc8c9c1cd6490a

Download Submit
C:\Windows\System\OCpzTeX.exe

Filesize
1.9MB

MD5
d1974156d6ad6e7fc62577812972e315

SHA1
af635653c0ad8d83933ba63068b8154a78d9fad8

SHA256
f9686a2f9467a226caf99586b6fe30ebb61eb6d5e7178b302716c0ebc1d1676c

SHA512
40501db65e66ad43a42a9d3d64bbda8889958ed608b16a26e82a32f62dd9829d27c1bce19a45a44eee20d8ef134f7c89debe01e1b8386ca1a8ad1ddec35a6ff9

Download Submit
C:\Windows\System\OeBMLHo.exe

Filesize
1.9MB

MD5
a92d1b756acb8c0d464251886ad61339

SHA1
3fed44f81544cf59ff1ebfce3b3e04cbaf6b08a9

SHA256
d4d7658ce3cb240894a63c817bbaa0e548ab42f6cf0d177fc00dde2c852eeb5e

SHA512
575d19b5b462918d3e90256c5b86b5175ab030f970fc1312efcec3b117ac0743c3ef916b7a794af5cc5fb79ff079a02a0916922889198fa0bbb16b9fd1e0c8d5

Download Submit
C:\Windows\System\QULSZSL.exe

Filesize
1.9MB

MD5
5997cbbcff4a80ec5f88a5fbf126f217

SHA1
e31c7cad9a2edb1c057ba20bed37d805bbc0e0cb

SHA256
c8c452c210eff062c00328ae7f32190688138869bc5a3bf186bfaacf7f4b38af

SHA512
553f49eb5b67ca8aaebf38d7bb5d801ce4b2c9f5e24a62e90b730e4c969328bb04879ce504ff6a537342c3554f3dcdcd62e69cfe1fb488293421ac8858793fc7

Download Submit
C:\Windows\System\SKpgoDX.exe

Filesize
1.9MB

MD5
c84e235990104242acd4919fbfc82e18

SHA1
ba5b16aec01542e8729ceb92d5a4d0f1b0ca88bc

SHA256
6de3844d828613f60d666883450900d0543103a8d7afd534e17570b78cb84bda

SHA512
39129aa50c0bdd36bd48282f792f6d7d2d92a569ff26624faf73d3905cb25de49275bf069cfd46dd02b150aa145e14bff234d6167581dd5cea384602209b663e

Download Submit
C:\Windows\System\TTnBpDK.exe

Filesize
1.9MB

MD5
a346128033b4b72c644257f94317d4ed

SHA1
899b95037fb089f90d6f685116b72cd44e563382

SHA256
0620631f4615e203bb5dd88e02e1d62f532c8eba3a458310759ee936df8d38f0

SHA512
3f3216e2de682161658286a29ba5d8420ed65f987ae1ff67063d0dea2e027cc3187c97823877c33cbab01ca147cf5469377d585cbc7922838ca567d1d45f3c79

Download Submit
C:\Windows\System\TWzDdiG.exe

Filesize
1.9MB

MD5
51a57d3052ecddd8d968e0dd60ba6e6f

SHA1
289ea8f022182627be3f51a1a9bbbc5c6bc1d4bb

SHA256
25edd264b2df662bd40ab8923ed46e0c771f8a487c76601360f1765d445ae887

SHA512
2d97ff0add3d6bcab583cb9c3ae0db3c9d20f45ede6c801e159b1461012b956509db1e74138ea41af33e4ab5920efe13d5fc7d3ddeb312e11f883137872a24be

Download Submit
C:\Windows\System\TyxKkkt.exe

Filesize
1.9MB

MD5
7834423338c026c5ff8c77d717d6c7d8

SHA1
379a64bf563d270230896b3d52472c61b27934b8

SHA256
83ede0dfefdd702eb2f80fe9e49ff35fe0db90860df0354d384e0c68c89f1359

SHA512
1d615274ad4eebe9d8fc444bf70f4b3d90f1328da40358038de7595f782ea6732c348ac669b59ca04259465e1ce5d4d41859153bc5c03b6d21053b5d4607bcfd

Download Submit
C:\Windows\System\UJKbzJn.exe

Filesize
1.9MB

MD5
b3ca4c8e771b48bb3131d2e0541d9005

SHA1
0851c647e434d6f9d1724014215cc82ca9162b78

SHA256
37bd46d1cd06984d0612d2d2e7af8397351322176edb1fec2cd22001776f8c40

SHA512
07538ccd08373377c4078ea9214c474667c9208efe342e25e261d9631856dd70a499f58c08914ff9b0c1c7d7e34b1d1029b2221f8c435144e223309792380b56

Download Submit
C:\Windows\System\VTRKFZv.exe

Filesize
1.9MB

MD5
706d93f37ebc6b749b1af53714d6dfaf

SHA1
2609f41f5981d0d625b193926a3755af4657b851

SHA256
cc1adf7699bf5697a3f0e45fcb34b2ced8cbd9cc10e20a9d3ef08e3fb8625f13

SHA512
2bbc7df403f65ec3d8f4f49e37b91251d63734021e56348dbbf1e82af4ae01d0f177ca13b66eb0904bbf2b309d050dd78f3ddc19f43320e68f64638fc215afa9

Download Submit
C:\Windows\System\ZDClVMq.exe

Filesize
1.9MB

MD5
5255f5b303865733511603f0eaec74d3

SHA1
2161d2aedf60dbba637b33fa0dc14f437bd163d7

SHA256
58400e31b4c96b9efd5b5b5679162fccb528f3af4630eb55c891d16e092ca7cf

SHA512
ec716b81241524104c32366ad7c3cc988b3cf161aa08e5501a9c397b407bb9cc3a7cc7eca437ca59d6225bfeca2c8362e4e3c74a7ffe83c5da76355cea830d6b

Download Submit
C:\Windows\System\aCopGtf.exe

Filesize
1.9MB

MD5
280642e427eaf2501a75a980d263c0be

SHA1
4bae63a3c1974559a7600e856280848e1a6414ff

SHA256
c7a483fd5e300d189ef0c3a07c42dca59a0e5bd78d85fdcd174deaae961cdd0e

SHA512
d3a512c66ac879428c17d2fb257972181f89171024c712e2cf35b2814c3ca55a3741ce80b77b3c5acd4bcf271531be56b55926af65ab99d6c5dafe78dbb0e2b7

Download Submit
C:\Windows\System\aEBlehY.exe

Filesize
1.9MB

MD5
3e66b4c23d2825cb5740c528249a2961

SHA1
bc87f4b4da4130143f94fc1109f27dddbf1d5ba9

SHA256
e1a9c2af14e85f768ebb16706e4c027570f90ca39bfbd1622c91b6d626ff94f8

SHA512
9911ad8446b069d70a5dd4bc52bc237efbafa378120c73b72389f7a857f3ab465bd772f9f275a25336cdef3d6afa093b39994cb12f80f114aece3e9dcf586692

Download Submit
C:\Windows\System\aQRqntT.exe

Filesize
1.9MB

MD5
bf5495eeae3f221cafaa4a107f5061f8

SHA1
0d192833854d0b6e54a21c6b6e800a05713a7092

SHA256
75905e11824507238f1a6aabc7be351d7f7974efa7bb20e0c23541bd56703cf1

SHA512
2867bb6c798aab18ea297999439c86c84360aefa86ee102af766002435981b1bbcef000f24014dfb45683f1cd484791fb7d1b505d689faa03e576db8d58b3aef

Download Submit
C:\Windows\System\abKCdai.exe

Filesize
1.9MB

MD5
b76e8631c81f19302633a879f2614b23

SHA1
50fece83b23232ed1dd87a960a9b35bfa0b8937a

SHA256
5e9ceca2231980a1403eb8ec3af9932e92271bc271fae1adf77430861e336c4f

SHA512
a4a8070c1abe5da823476366fb4f21143d20e95b73ce707ad6b20bd7560f3cae7ef443d4b98892fe98f53f730928fce722be54db35ae4685ca9a6d1f1bd3fc74

Download Submit
C:\Windows\System\alZuSEd.exe

Filesize
18B

MD5
b5af15b91ef901dbbad280bf2ec97d3f

SHA1
b8fc44effcf94c604b3a330099fdd05d70ca2290

SHA256
4b241b0358bbe69bc40fb7c8558ef0dacf7a7dd595b9974e7ee1287f6f6a57a6

SHA512
77e9e1cd7604d29efe33ea37dfc85035465c8eb4a6b1edf396f009c9427a6171460e7b24fac454a276653572360ea48634eb43a059b68dd9d91460bd58c1ddf1

Download Submit
C:\Windows\System\bxvUiRd.exe

Filesize
1.9MB

MD5
5f842c8e37fa52e1fefbd2ed8d5742cc

SHA1
bf3a05bd9dc2617f3cc99039bdfae85448c0755b

SHA256
7a62547d7d78383c575bc30972148987a4d3277cdf168e0a47da03d2dd0d5f14

SHA512
d3b43411f8decd49a8df3e1cfb9eec5da8a60835d196ad53374c4de39fe1a22cdf198440a958df8b8c512dd5e5891981882f9603b3bbefd08723990751f3ae8c

Download Submit
C:\Windows\System\cXJKzlP.exe

Filesize
1.9MB

MD5
94f57e4f1f3a6a84a475fc051b5c8d3a

SHA1
6d3801a78a4239c9460dbb54fbb7f9def3e5c4cc

SHA256
d73b6494ed41fafe4044889ff31f996005cbb7bebb5b0f0534b4d5739f3812ae

SHA512
4f5c032b2179de1b78e234667aeef9c3b6d7691bb6581e51955a0a48020f6c1a076a10adc7a9a1dd51c674697c95330c1037fe28f50bc9fe14d5f6a949aff31d

Download Submit
C:\Windows\System\cmmEVTM.exe

Filesize
1.9MB

MD5
0ca1f015ae3816263db9cc76c1a740cc

SHA1
9f4496faed64858e6db32fbc46c40cf74bc4124d

SHA256
58d4520f4f63a219d73e31ce83c8e3a2494896e93515a3eb1a9e31b74127af00

SHA512
7026a75854f8aee69ea416f44f1fd6703ddbcb4383b34d09ced3f5f8e0a369e4d25871575983e2c569e77b5266fef1cc9b9189c3c4ba0bab67557e2d29063dc9

Download Submit
C:\Windows\System\dQkzuPx.exe

Filesize
1.9MB

MD5
68320490365ce3a1e53b1e4edf1a1fe5

SHA1
687da7619e43c800ec806972bc181632c2d830f5

SHA256
080b3673bdf33f14ea854aede84233cda64e96a57ceca657e53a62a1db831c01

SHA512
33e7f2330df2bce66c83a43d157a9801781e333932e80c80874b95dda3a0fd98e1878c8eb3b5bc6d415aa47466e78934bb75fd3f5e65257006b690bd2f10c8b7

Download Submit
C:\Windows\System\ddOJBtS.exe

Filesize
1.9MB

MD5
6a8123c2b60fe0c37180ca586b4c1fa3

SHA1
f9cd0f80959e0002314cd13ecdbdfd16b5fd66d8

SHA256
5bcc76ac94d1aca2029a4c912ec97efeb1287307a5a002c82a941d153b1586c2

SHA512
a8acc3b4d6c8d832ab1febd1f1b94c78dd82c243463a88a1bffda80637229152298629d7b75f32cba6aa7b68787c4806bfa3df790c476f7f2c82c0a776468522

Download Submit
C:\Windows\System\eStNwgH.exe

Filesize
1.9MB

MD5
6d8a678753ba5ddc89ad9eddab0978a2

SHA1
23ad5d6aff3ae876adedf31d0a2bb55a5111ead8

SHA256
820a6cf9a513fa1b9ce18c399555c8b3ae9cf94e320c52f34c41dc3cbcb3e5bb

SHA512
60c33a65b814f1dbdf3043d172ddca4a474be24dc41ffe65a85cbea168181fa81fc79ab1d5e43d065b34991e563081012b0941062ae1107cf132a29fd63a45c9

Download Submit
C:\Windows\System\fIiZJxX.exe

Filesize
8B

MD5
9e16362b7eef9ff59cf4576b688fec20

SHA1
58714a79316bdda8b345ca47c2a7e8087e024871

SHA256
cb157cd47cb9ddacb8fa194262e9cc1364ca68490d93ad041938e77ef90ead7c

SHA512
53056e2e9a952538e1c61538c2bad2166adaf2d4a03d0e97e211329cd7f80967988343aa21690b08c2f1ad6d3fabfdc6095392f57b127d575de79d724d1a09de

Download Submit
C:\Windows\System\iNNrEyZ.exe

Filesize
1.9MB

MD5
79c776fb6bbb20c1ee1a1da3cd0783ec

SHA1
7a0814eb83325ac3ffd7cef01aef56f7aabff05e

SHA256
4862d3c2c33b1f1f0cbc69733da454f7aa55929b1d35ed596415194276ede5ff

SHA512
cfc46a5ab5d4a32628f4bfbfc6255b511c558fdf40649d32dbe06a604a76572ae87ab5037268b53e029c40ebc01de61c96b350aa5a3fa04b4c3a3620a07bde33

Download Submit
C:\Windows\System\lAWPMJn.exe

Filesize
1.9MB

MD5
aa49a7f7a218413809295193324d1488

SHA1
793e1d30c6ebc33f33bdfc0c5fae2ca0977bf06b

SHA256
7200ed0a18282e2b086caa52559f93a3b8be929775c92f7f05099a2677f412cf

SHA512
31cf386dac6e8514dad9f8b911eb52360b62692906243f3ccb242be417cde0fb2ecdc940f11dcab7f64337ca36de213f84ef0cbb0f8afbaeeee5fbfc2fb9a04e

Download Submit
C:\Windows\System\lUdmQTb.exe

Filesize
1.9MB

MD5
3f9122c10757f5086ff62d011096ee03

SHA1
98964d501f0e7c16ea70a72f4dd5a0acf0fd40e5

SHA256
3f02efffc6a0dbe3a570fb579beb2cd31991d0785657f1a4dc45833c294a325e

SHA512
7e9d7f8d9455e8d8098230c3cf404268ceae562171abb9401326283adfb798808918a2eb1fefb46926c4544483369d37ce8e4667e15806515f026d103af4f714

Download Submit
C:\Windows\System\medEXaW.exe

Filesize
1.9MB

MD5
74da07c6fbccdee46b9e04fc4cd1b7cd

SHA1
8237bc80429139fe8f198f0dc9502bb9cfc678f2

SHA256
792c97c67ed4ed866d5fbdfd3feaf0559b421a0cba0121e6b249880d5135e0ee

SHA512
ef33c5f0855cc177afe9cd15fd5bf40bff5e04fcf7dd6a2f5f6047ebccfc1e9258f8b5da36870e180d46bc6639defd73d3a145a5246fab26582c5a46d754ba0e

Download Submit
C:\Windows\System\nHRumdE.exe

Filesize
1.9MB

MD5
d711e0d65675f5f27c3704bcde282c15

SHA1
5a89b071b772178f64d411c1e7e3c5258991c593

SHA256
9107b79d2ebd65420cd8a17c51865191d3bba584dd9ca0354cd2aa38cbc6e3ce

SHA512
0b3b043349916f04ebb7f9f93241767e779aabf83250f70b106d455f7df3b6a75f5efc12f247824d9ff04bef5f97bf17e8f271660fcae115eff0520ae6cd392d

Download Submit
C:\Windows\System\nWiayrS.exe

Filesize
1.9MB

MD5
90d2a434e3cc1c3ee1eeb372dc9cfc13

SHA1
ba1912873d494cfe4e9c628c737b39f4511091bc

SHA256
d33c2ce2b36b9cd550b0084249e57675c401ed05838b9cf492a5eaad81c535d5

SHA512
751948ea5c4459034268fd3769e0b6f9a809f64f14c3d755627d902dfeb0d13504efa7ac4bf571de716a238d6f51b75c1f3ca34c15829b2a2e0b9de82323b5a6

Download Submit
C:\Windows\System\oVQdlGl.exe

Filesize
1.9MB

MD5
2ae0db50491a9ea70bddbaa4935501c8

SHA1
4c30f4a0312f91c9ae1498f22cb9ba6bf83516d1

SHA256
bc957501150c8ced2abe09507448446b01b7d240c7dad4833f1dd06bfc61ab1f

SHA512
0fd89da5c60285caae6de18bb6830c32b4775c82ef855eb6b25a9080ebbcd5bf2f6815522843b8b18ca1b4e9c4618fd1fc970ec74ad199cdae2abaced4d0ddb9

Download Submit
C:\Windows\System\srnTfwt.exe

Filesize
1.9MB

MD5
734db34c8f551d8c6c6ae2bfbbff7bd1

SHA1
02cceefe326d9378be7da28d0c99e66512229dc6

SHA256
4383e0620d5e7b862abc3c25b4a327e4591e583e83dbfe2b3607645b95f90acf

SHA512
cc65a3c74f918fbda41711c90aa00f5fed40c85b0981390595bb13a4b9b1b7f8da39b818a9d3bb5c5f1026fae5d27c536a0ba67bae24d55085cc73e51d46a441

Download Submit
C:\Windows\System\uZuJzXA.exe

Filesize
1.9MB

MD5
e6095e9b092e9d544e133fabbf6cf0ad

SHA1
acef366a0067035d4138efa7a0a22f988bf7adde

SHA256
4137da42100d0e4166976869b2deecf5bcb7e01439d20fd99d152c6ed7360439

SHA512
a01f991068f55b0fbf15845f04fe98a09b4a65a7e0fd35e01f6d4803837297b49cddfa9fe5c6aef1eff6fdc36226e9211a41686a603289e73d96a570d90aaf96

Download Submit
C:\Windows\System\vkZFGvG.exe

Filesize
1.9MB

MD5
e0a2abd4129b163f72a2bff3df391176

SHA1
c1e2f63b5f6160ccb97c59638fcf219feff0724c

SHA256
474aaecf76fbadf032a5718acdccb1a08725adb40ebe9dbe82e11451d42b6dd9

SHA512
23cdbb105fa9e939bd0a42d15e825ca91db04593442ff9241f30df93ef79884b743469506dbb6d8731618e6a20f44b1343840b9e905dc90b5bf8096db0cc25a8

Download Submit
C:\Windows\System\yvSEbtR.exe

Filesize
1.9MB

MD5
9a1e636f4fea2d8e024d0e540fd4b3fc

SHA1
ea3bf46e1312dd6ad46f0d7157ae0af92fd3e989

SHA256
d033554dc874b8510b7328356b71bcbc453b5ab48c148be20650b08589314f2b

SHA512
b03cf2bf4083ec5d46e4e85fe6c69fc7653b6f1ef29027a9b0f0847ac491cd730dc3ff0694223a30d59e3d4f83f5533af21fa3bf0f68d86efc23faf323edee33

Download Submit
C:\Windows\System\zCuRDHS.exe

Filesize
1.9MB

MD5
00c329da522c228e6652385673e5d71a

SHA1
1612b379a10769798ad8db7f8471d5a7c60f3416

SHA256
61d3c46aa3b901040bd2170230df7967abd81339427f64315864170c07832b0f

SHA512
2ee93ef11b26049d487aaa3ad20abed5f4a52908ea87e628fbbf0046a53270392c8e30bcdadbd34471b6d3214baaa3d66408575ed2dadacb422137260a53e6fc

Download Submit
memory/8-217-0x00007FF7FEC30000-0x00007FF7FF022000-memory.dmp

Filesize
3.9MB

Download
memory/724-204-0x00007FF668FD0000-0x00007FF6693C2000-memory.dmp

Filesize
3.9MB

Download
memory/852-14-0x00007FF735F10000-0x00007FF736302000-memory.dmp

Filesize
3.9MB

Download
memory/852-3862-0x00007FF735F10000-0x00007FF736302000-memory.dmp

Filesize
3.9MB

Download
memory/1056-569-0x000002915FC20000-0x000002915FC42000-memory.dmp

Filesize
136KB

Download
memory/1056-84-0x00007FFD30850000-0x00007FFD31311000-memory.dmp

Filesize
10.8MB

Download
memory/1056-211-0x000002915F8C0000-0x000002915F8D0000-memory.dmp

Filesize
64KB

Download
memory/1056-87-0x000002915F8C0000-0x000002915F8D0000-memory.dmp

Filesize
64KB

Download
memory/1848-553-0x00007FF6ED7F0000-0x00007FF6EDBE2000-memory.dmp

Filesize
3.9MB

Download
memory/1920-377-0x00007FF7D7270000-0x00007FF7D7662000-memory.dmp

Filesize
3.9MB

Download
memory/2064-1051-0x00007FF604C40000-0x00007FF605032000-memory.dmp

Filesize
3.9MB

Download
memory/2352-300-0x00007FF692020000-0x00007FF692412000-memory.dmp

Filesize
3.9MB

Download
memory/2576-1691-0x00007FF659470000-0x00007FF659862000-memory.dmp

Filesize
3.9MB

Download
memory/2732-381-0x00007FF7AE3A0000-0x00007FF7AE792000-memory.dmp

Filesize
3.9MB

Download
memory/3244-147-0x00007FF7A0D40000-0x00007FF7A1132000-memory.dmp

Filesize
3.9MB

Download
memory/3656-548-0x00007FF787710000-0x00007FF787B02000-memory.dmp

Filesize
3.9MB

Download
memory/3672-1690-0x00007FF7A1710000-0x00007FF7A1B02000-memory.dmp

Filesize
3.9MB

Download
memory/3772-0-0x00007FF76DDC0000-0x00007FF76E1B2000-memory.dmp

Filesize
3.9MB

Download
memory/3772-1-0x000001EB04E80000-0x000001EB04E90000-memory.dmp

Filesize
64KB

Download
memory/3772-3860-0x00007FF76DDC0000-0x00007FF76E1B2000-memory.dmp

Filesize
3.9MB

Download
memory/4148-292-0x00007FF71F4C0000-0x00007FF71F8B2000-memory.dmp

Filesize
3.9MB

Download
memory/4424-987-0x00007FF675DC0000-0x00007FF6761B2000-memory.dmp

Filesize
3.9MB

Download
memory/4820-1048-0x00007FF6D4D60000-0x00007FF6D5152000-memory.dmp

Filesize
3.9MB

Download
memory/4836-248-0x00007FF7F1E90000-0x00007FF7F2282000-memory.dmp

Filesize
3.9MB

Download
memory/4848-1745-0x00007FF700690000-0x00007FF700A82000-memory.dmp

Filesize
3.9MB

Download
memory/4932-1273-0x00007FF61C920000-0x00007FF61CD12000-memory.dmp

Filesize
3.9MB

Download
memory/5088-451-0x00007FF626C50000-0x00007FF627042000-memory.dmp

Filesize
3.9MB

Download
memory/5104-990-0x00007FF7F1210000-0x00007FF7F1602000-memory.dmp

Filesize
3.9MB

Download