xmrig | 426c1fac61ecb64674dd4fbd8698ac5dd9b8adfe93176c0da6aa39d901a567cf

Analysis

max time kernel
147s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
Size

1.9MB
MD5

08715424633fc24a52a10e381e16a0f2
SHA1

2a41d59b04f35bce5cf19ab1d59de230abfb874e
SHA256

426c1fac61ecb64674dd4fbd8698ac5dd9b8adfe93176c0da6aa39d901a567cf
SHA512

4b5408d9248435edf546cbeae1e341151325f6144946d394f94e6087f6cc9ae38efeb23de60717ce6a8186ad8f0f4c08c5347c35d10f88990999afc491c6466a
SSDEEP

49152:Lz071uv4BPMkibTIA5KIP7nTrmBhihM5xC+UG:NABD

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3176 created 4020	3176	WerFaultSecure.exe	79

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 43 IoCs

miner

resource	yara_rule
behavioral2/memory/3968-20-0x00007FF706E20000-0x00007FF707212000-memory.dmp	xmrig
behavioral2/memory/5056-83-0x00007FF7E27F0000-0x00007FF7E2BE2000-memory.dmp	xmrig
behavioral2/memory/2616-531-0x00007FF63E680000-0x00007FF63EA72000-memory.dmp	xmrig
behavioral2/memory/2492-533-0x00007FF79C1B0000-0x00007FF79C5A2000-memory.dmp	xmrig
behavioral2/memory/2176-534-0x00007FF608530000-0x00007FF608922000-memory.dmp	xmrig
behavioral2/memory/4280-535-0x00007FF7D6AF0000-0x00007FF7D6EE2000-memory.dmp	xmrig
behavioral2/memory/3424-536-0x00007FF7ED000000-0x00007FF7ED3F2000-memory.dmp	xmrig
behavioral2/memory/2776-88-0x00007FF7AFC00000-0x00007FF7AFFF2000-memory.dmp	xmrig
behavioral2/memory/4268-538-0x00007FF6BCAD0000-0x00007FF6BCEC2000-memory.dmp	xmrig
behavioral2/memory/1996-537-0x00007FF68D6E0000-0x00007FF68DAD2000-memory.dmp	xmrig
behavioral2/memory/4464-77-0x00007FF75CDE0000-0x00007FF75D1D2000-memory.dmp	xmrig
behavioral2/memory/3480-66-0x00007FF7B3F70000-0x00007FF7B4362000-memory.dmp	xmrig
behavioral2/memory/3508-59-0x00007FF66CD60000-0x00007FF66D152000-memory.dmp	xmrig
behavioral2/memory/1556-50-0x00007FF7DFDC0000-0x00007FF7E01B2000-memory.dmp	xmrig
behavioral2/memory/2780-18-0x00007FF6F3BC0000-0x00007FF6F3FB2000-memory.dmp	xmrig
behavioral2/memory/3748-539-0x00007FF7C78B0000-0x00007FF7C7CA2000-memory.dmp	xmrig
behavioral2/memory/3044-542-0x00007FF667C00000-0x00007FF667FF2000-memory.dmp	xmrig
behavioral2/memory/3992-541-0x00007FF7EF780000-0x00007FF7EFB72000-memory.dmp	xmrig
behavioral2/memory/3544-540-0x00007FF7B1F40000-0x00007FF7B2332000-memory.dmp	xmrig
behavioral2/memory/4400-2092-0x00007FF79A4A0000-0x00007FF79A892000-memory.dmp	xmrig
behavioral2/memory/3508-2127-0x00007FF66CD60000-0x00007FF66D152000-memory.dmp	xmrig
behavioral2/memory/880-2128-0x00007FF72E5E0000-0x00007FF72E9D2000-memory.dmp	xmrig
behavioral2/memory/3968-2130-0x00007FF706E20000-0x00007FF707212000-memory.dmp	xmrig
behavioral2/memory/2780-2132-0x00007FF6F3BC0000-0x00007FF6F3FB2000-memory.dmp	xmrig
behavioral2/memory/1556-2136-0x00007FF7DFDC0000-0x00007FF7E01B2000-memory.dmp	xmrig
behavioral2/memory/5076-2135-0x00007FF79B4C0000-0x00007FF79B8B2000-memory.dmp	xmrig
behavioral2/memory/3480-2142-0x00007FF7B3F70000-0x00007FF7B4362000-memory.dmp	xmrig
behavioral2/memory/4464-2140-0x00007FF75CDE0000-0x00007FF75D1D2000-memory.dmp	xmrig
behavioral2/memory/3508-2138-0x00007FF66CD60000-0x00007FF66D152000-memory.dmp	xmrig
behavioral2/memory/5056-2145-0x00007FF7E27F0000-0x00007FF7E2BE2000-memory.dmp	xmrig
behavioral2/memory/2492-2154-0x00007FF79C1B0000-0x00007FF79C5A2000-memory.dmp	xmrig
behavioral2/memory/4280-2156-0x00007FF7D6AF0000-0x00007FF7D6EE2000-memory.dmp	xmrig
behavioral2/memory/3992-2158-0x00007FF7EF780000-0x00007FF7EFB72000-memory.dmp	xmrig
behavioral2/memory/2616-2151-0x00007FF63E680000-0x00007FF63EA72000-memory.dmp	xmrig
behavioral2/memory/2176-2149-0x00007FF608530000-0x00007FF608922000-memory.dmp	xmrig
behavioral2/memory/2776-2152-0x00007FF7AFC00000-0x00007FF7AFFF2000-memory.dmp	xmrig
behavioral2/memory/880-2147-0x00007FF72E5E0000-0x00007FF72E9D2000-memory.dmp	xmrig
behavioral2/memory/1996-2164-0x00007FF68D6E0000-0x00007FF68DAD2000-memory.dmp	xmrig
behavioral2/memory/4268-2166-0x00007FF6BCAD0000-0x00007FF6BCEC2000-memory.dmp	xmrig
behavioral2/memory/3424-2162-0x00007FF7ED000000-0x00007FF7ED3F2000-memory.dmp	xmrig
behavioral2/memory/3044-2160-0x00007FF667C00000-0x00007FF667FF2000-memory.dmp	xmrig
behavioral2/memory/3748-2179-0x00007FF7C78B0000-0x00007FF7C7CA2000-memory.dmp	xmrig
behavioral2/memory/3544-2177-0x00007FF7B1F40000-0x00007FF7B2332000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3968	rFeGckd.exe
2780	jDUtnnW.exe
5076	MQIaIMP.exe
1556	fulVIDA.exe
2776	ThAeNhC.exe
3508	kiTMwxa.exe
3480	IEBHrxk.exe
4464	EBmvUGR.exe
2616	oRCIPWh.exe
5056	kTTUNrL.exe
2492	dCSjUfP.exe
2176	aCyjOvh.exe
880	qqyrTpd.exe
4280	DYEVtpV.exe
3992	nlEvZUs.exe
3044	PVZEMbj.exe
3424	dQbsdNZ.exe
1996	qnHnRnZ.exe
4268	ptuydTw.exe
3748	yQTphEk.exe
3544	CratFyO.exe
4412	bSoVbTH.exe
4304	bNNquqM.exe
1448	ZcQtHxA.exe
772	iTRFxBB.exe
4896	Sitprkg.exe
4688	TlLxGgf.exe
1472	fHwUTlZ.exe
4988	UiSRrwH.exe
3400	YfDpYYh.exe
384	LwsQdFl.exe
3496	ReuhPES.exe
1316	RTyYEQJ.exe
976	pCAsIbu.exe
4616	ZcOlDym.exe
1244	jJOarzG.exe
1780	PhuXPtt.exe
3148	ocBJHgm.exe
4600	kRkpOmd.exe
4200	xDFQGjY.exe
3904	XLLGTHO.exe
4224	aXwyOcB.exe
636	ZkiniPJ.exe
2084	LZKjYsS.exe
4344	CHukypf.exe
3040	lmJqGsq.exe
4500	zrLYpsv.exe
532	ImLczun.exe
1548	rKZAJvF.exe
832	tdztuAk.exe
4088	DRRympG.exe
3772	kbYuVzf.exe
2484	PuedysY.exe
3940	nwTOfgT.exe
2188	CmJLIyY.exe
1168	KBHuWkd.exe
4376	qmQgWDG.exe
2604	scmEEQU.exe
116	wzbkNAk.exe
4784	dUnFmQW.exe
4644	guvGfKc.exe
4760	ShEycaN.exe
5068	HiQseMJ.exe
1408	ANKsdAy.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4400-0-0x00007FF79A4A0000-0x00007FF79A892000-memory.dmp	upx
behavioral2/files/0x000c000000023ba4-6.dat	upx
behavioral2/files/0x000a000000023bb5-10.dat	upx
behavioral2/files/0x000a000000023bb6-17.dat	upx
behavioral2/memory/3968-20-0x00007FF706E20000-0x00007FF707212000-memory.dmp	upx
behavioral2/files/0x000a000000023bba-57.dat	upx
behavioral2/files/0x0031000000023bbf-76.dat	upx
behavioral2/memory/5056-83-0x00007FF7E27F0000-0x00007FF7E2BE2000-memory.dmp	upx
behavioral2/files/0x000a000000023bc2-99.dat	upx
behavioral2/files/0x000a000000023bc8-131.dat	upx
behavioral2/files/0x000a000000023bc9-144.dat	upx
behavioral2/files/0x000a000000023bcb-154.dat	upx
behavioral2/files/0x000a000000023bd1-184.dat	upx
behavioral2/memory/2616-531-0x00007FF63E680000-0x00007FF63EA72000-memory.dmp	upx
behavioral2/memory/2492-533-0x00007FF79C1B0000-0x00007FF79C5A2000-memory.dmp	upx
behavioral2/memory/2176-534-0x00007FF608530000-0x00007FF608922000-memory.dmp	upx
behavioral2/memory/4280-535-0x00007FF7D6AF0000-0x00007FF7D6EE2000-memory.dmp	upx
behavioral2/memory/3424-536-0x00007FF7ED000000-0x00007FF7ED3F2000-memory.dmp	upx
behavioral2/files/0x000a000000023bd3-186.dat	upx
behavioral2/files/0x000a000000023bd2-181.dat	upx
behavioral2/files/0x000a000000023bd0-179.dat	upx
behavioral2/files/0x000a000000023bcf-174.dat	upx
behavioral2/files/0x000a000000023bce-169.dat	upx
behavioral2/files/0x000a000000023bcd-164.dat	upx
behavioral2/files/0x000a000000023bcc-159.dat	upx
behavioral2/files/0x000a000000023bca-149.dat	upx
behavioral2/files/0x000a000000023bc7-134.dat	upx
behavioral2/files/0x000a000000023bc6-129.dat	upx
behavioral2/files/0x000a000000023bc5-124.dat	upx
behavioral2/files/0x000a000000023bc4-119.dat	upx
behavioral2/files/0x000c000000023bb1-114.dat	upx
behavioral2/files/0x000a000000023bc3-109.dat	upx
behavioral2/files/0x0032000000023bbd-104.dat	upx
behavioral2/files/0x000a000000023bc1-94.dat	upx
behavioral2/files/0x000a000000023bc0-92.dat	upx
behavioral2/memory/2776-88-0x00007FF7AFC00000-0x00007FF7AFFF2000-memory.dmp	upx
behavioral2/memory/880-87-0x00007FF72E5E0000-0x00007FF72E9D2000-memory.dmp	upx
behavioral2/memory/4268-538-0x00007FF6BCAD0000-0x00007FF6BCEC2000-memory.dmp	upx
behavioral2/memory/1996-537-0x00007FF68D6E0000-0x00007FF68DAD2000-memory.dmp	upx
behavioral2/files/0x000a000000023bbc-82.dat	upx
behavioral2/memory/4464-77-0x00007FF75CDE0000-0x00007FF75D1D2000-memory.dmp	upx
behavioral2/files/0x0032000000023bbe-69.dat	upx
behavioral2/memory/3480-66-0x00007FF7B3F70000-0x00007FF7B4362000-memory.dmp	upx
behavioral2/files/0x000a000000023bbb-64.dat	upx
behavioral2/files/0x000a000000023bb8-62.dat	upx
behavioral2/memory/3508-59-0x00007FF66CD60000-0x00007FF66D152000-memory.dmp	upx
behavioral2/files/0x000a000000023bb9-54.dat	upx
behavioral2/memory/1556-50-0x00007FF7DFDC0000-0x00007FF7E01B2000-memory.dmp	upx
behavioral2/memory/5076-32-0x00007FF79B4C0000-0x00007FF79B8B2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb7-24.dat	upx
behavioral2/memory/2780-18-0x00007FF6F3BC0000-0x00007FF6F3FB2000-memory.dmp	upx
behavioral2/memory/3748-539-0x00007FF7C78B0000-0x00007FF7C7CA2000-memory.dmp	upx
behavioral2/memory/3044-542-0x00007FF667C00000-0x00007FF667FF2000-memory.dmp	upx
behavioral2/memory/3992-541-0x00007FF7EF780000-0x00007FF7EFB72000-memory.dmp	upx
behavioral2/memory/3544-540-0x00007FF7B1F40000-0x00007FF7B2332000-memory.dmp	upx
behavioral2/memory/4400-2092-0x00007FF79A4A0000-0x00007FF79A892000-memory.dmp	upx
behavioral2/memory/3508-2127-0x00007FF66CD60000-0x00007FF66D152000-memory.dmp	upx
behavioral2/memory/880-2128-0x00007FF72E5E0000-0x00007FF72E9D2000-memory.dmp	upx
behavioral2/memory/3968-2130-0x00007FF706E20000-0x00007FF707212000-memory.dmp	upx
behavioral2/memory/2780-2132-0x00007FF6F3BC0000-0x00007FF6F3FB2000-memory.dmp	upx
behavioral2/memory/1556-2136-0x00007FF7DFDC0000-0x00007FF7E01B2000-memory.dmp	upx
behavioral2/memory/5076-2135-0x00007FF79B4C0000-0x00007FF79B8B2000-memory.dmp	upx
behavioral2/memory/3480-2142-0x00007FF7B3F70000-0x00007FF7B4362000-memory.dmp	upx
behavioral2/memory/4464-2140-0x00007FF75CDE0000-0x00007FF75D1D2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\zgjfikB.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\LcvIJYW.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\utOPMcR.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\PsshsGW.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\fJnGOhW.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\rDUQWZg.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\ncrgtzt.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\QvWXjlo.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\PaWkYbn.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\PRjOlMY.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\CZbhcGl.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\iKzNkVp.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\HQBpJQZ.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\BeVZPzF.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\TtDnOtd.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\cPiIgqC.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\iYihkJQ.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\JXqqtEA.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\twFAXSC.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\SVSxyma.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\oRCIPWh.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\RTyYEQJ.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\NqWsPmB.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\LCVdBfe.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\vXwBWuw.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\xSCyOcq.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\ceHGHOY.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\Rllvncm.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\dHKvPMV.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\uxKvvOv.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\niLkabQ.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\sMmjRxn.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\JdZWSVo.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\NLnErqr.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\tTASeOU.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\QRgOTte.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\RxFHEQU.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\kvPtsja.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\qZdrdbC.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\agxpPxs.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\tMOouab.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\RuTBcoq.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\RWWEehl.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\kAwdAYu.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\nmKSXnG.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\SqCXeKl.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\EMfkybT.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\hVKMxLZ.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\rZVVBdX.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\ZkiniPJ.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\UUcinni.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\RjDlwJu.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\EHApflC.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\NKdMAPP.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\RlSwZyC.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\VFQQxlu.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\viLYmDF.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\rAXsixM.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\ujBksGW.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\jTypCdx.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\PMxpVsB.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\VOrffVG.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\MCKnvhE.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
File created	C:\Windows\System\DUCYnzh.exe	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
Token: SeDebugPrivilege	4764	powershell.exe
Token: SeCreateGlobalPrivilege	13124	dwm.exe
Token: SeChangeNotifyPrivilege	13124	dwm.exe
Token: 33	13124	dwm.exe
Token: SeIncBasePriorityPrivilege	13124	dwm.exe
Token: SeShutdownPrivilege	13124	dwm.exe
Token: SeCreatePagefilePrivilege	13124	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3888	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4764	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	84
PID 4400 wrote to memory of 4764	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	84
PID 4400 wrote to memory of 3968	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	85
PID 4400 wrote to memory of 3968	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	85
PID 4400 wrote to memory of 2780	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	86
PID 4400 wrote to memory of 2780	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	86
PID 4400 wrote to memory of 5076	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	87
PID 4400 wrote to memory of 5076	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	87
PID 4400 wrote to memory of 1556	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	88
PID 4400 wrote to memory of 1556	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	88
PID 4400 wrote to memory of 2776	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	89
PID 4400 wrote to memory of 2776	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	89
PID 4400 wrote to memory of 3508	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	90
PID 4400 wrote to memory of 3508	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	90
PID 4400 wrote to memory of 3480	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	91
PID 4400 wrote to memory of 3480	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	91
PID 4400 wrote to memory of 4464	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	92
PID 4400 wrote to memory of 4464	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	92
PID 4400 wrote to memory of 2616	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	93
PID 4400 wrote to memory of 2616	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	93
PID 4400 wrote to memory of 5056	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	94
PID 4400 wrote to memory of 5056	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	94
PID 4400 wrote to memory of 2492	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	95
PID 4400 wrote to memory of 2492	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	95
PID 4400 wrote to memory of 2176	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	96
PID 4400 wrote to memory of 2176	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	96
PID 4400 wrote to memory of 880	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	97
PID 4400 wrote to memory of 880	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	97
PID 4400 wrote to memory of 4280	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	98
PID 4400 wrote to memory of 4280	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	98
PID 4400 wrote to memory of 3992	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	99
PID 4400 wrote to memory of 3992	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	99
PID 4400 wrote to memory of 3044	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	100
PID 4400 wrote to memory of 3044	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	100
PID 4400 wrote to memory of 3424	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	101
PID 4400 wrote to memory of 3424	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	101
PID 4400 wrote to memory of 1996	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	102
PID 4400 wrote to memory of 1996	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	102
PID 4400 wrote to memory of 4268	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	103
PID 4400 wrote to memory of 4268	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	103
PID 4400 wrote to memory of 3748	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	104
PID 4400 wrote to memory of 3748	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	104
PID 4400 wrote to memory of 3544	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	105
PID 4400 wrote to memory of 3544	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	105
PID 4400 wrote to memory of 4412	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	106
PID 4400 wrote to memory of 4412	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	106
PID 4400 wrote to memory of 4304	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	107
PID 4400 wrote to memory of 4304	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	107
PID 4400 wrote to memory of 1448	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	108
PID 4400 wrote to memory of 1448	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	108
PID 4400 wrote to memory of 772	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	109
PID 4400 wrote to memory of 772	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	109
PID 4400 wrote to memory of 4896	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	110
PID 4400 wrote to memory of 4896	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	110
PID 4400 wrote to memory of 4688	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	111
PID 4400 wrote to memory of 4688	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	111
PID 4400 wrote to memory of 1472	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	112
PID 4400 wrote to memory of 1472	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	112
PID 4400 wrote to memory of 4988	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	113
PID 4400 wrote to memory of 4988	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	113
PID 4400 wrote to memory of 3400	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	114
PID 4400 wrote to memory of 3400	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	114
PID 4400 wrote to memory of 384	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	115
PID 4400 wrote to memory of 384	4400	08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe	115

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4020
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 4020 -s 1244
  2⤵
  PID:12756

C:\Users\Admin\AppData\Local\Temp\08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08715424633fc24a52a10e381e16a0f2_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\System\rFeGckd.exe
  C:\Windows\System\rFeGckd.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\jDUtnnW.exe
  C:\Windows\System\jDUtnnW.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\MQIaIMP.exe
  C:\Windows\System\MQIaIMP.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\fulVIDA.exe
  C:\Windows\System\fulVIDA.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\ThAeNhC.exe
  C:\Windows\System\ThAeNhC.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\kiTMwxa.exe
  C:\Windows\System\kiTMwxa.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\IEBHrxk.exe
  C:\Windows\System\IEBHrxk.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\EBmvUGR.exe
  C:\Windows\System\EBmvUGR.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\oRCIPWh.exe
  C:\Windows\System\oRCIPWh.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\kTTUNrL.exe
  C:\Windows\System\kTTUNrL.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\dCSjUfP.exe
  C:\Windows\System\dCSjUfP.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\aCyjOvh.exe
  C:\Windows\System\aCyjOvh.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\qqyrTpd.exe
  C:\Windows\System\qqyrTpd.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\DYEVtpV.exe
  C:\Windows\System\DYEVtpV.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\nlEvZUs.exe
  C:\Windows\System\nlEvZUs.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\PVZEMbj.exe
  C:\Windows\System\PVZEMbj.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\dQbsdNZ.exe
  C:\Windows\System\dQbsdNZ.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\qnHnRnZ.exe
  C:\Windows\System\qnHnRnZ.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\ptuydTw.exe
  C:\Windows\System\ptuydTw.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\yQTphEk.exe
  C:\Windows\System\yQTphEk.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\CratFyO.exe
  C:\Windows\System\CratFyO.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\bSoVbTH.exe
  C:\Windows\System\bSoVbTH.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\bNNquqM.exe
  C:\Windows\System\bNNquqM.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\ZcQtHxA.exe
  C:\Windows\System\ZcQtHxA.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\iTRFxBB.exe
  C:\Windows\System\iTRFxBB.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System\Sitprkg.exe
  C:\Windows\System\Sitprkg.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\TlLxGgf.exe
  C:\Windows\System\TlLxGgf.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\fHwUTlZ.exe
  C:\Windows\System\fHwUTlZ.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System\UiSRrwH.exe
  C:\Windows\System\UiSRrwH.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\YfDpYYh.exe
  C:\Windows\System\YfDpYYh.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\LwsQdFl.exe
  C:\Windows\System\LwsQdFl.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\ReuhPES.exe
  C:\Windows\System\ReuhPES.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\RTyYEQJ.exe
  C:\Windows\System\RTyYEQJ.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\pCAsIbu.exe
  C:\Windows\System\pCAsIbu.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\ZcOlDym.exe
  C:\Windows\System\ZcOlDym.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\jJOarzG.exe
  C:\Windows\System\jJOarzG.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\PhuXPtt.exe
  C:\Windows\System\PhuXPtt.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\ocBJHgm.exe
  C:\Windows\System\ocBJHgm.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\kRkpOmd.exe
  C:\Windows\System\kRkpOmd.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\xDFQGjY.exe
  C:\Windows\System\xDFQGjY.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\XLLGTHO.exe
  C:\Windows\System\XLLGTHO.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\aXwyOcB.exe
  C:\Windows\System\aXwyOcB.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\ZkiniPJ.exe
  C:\Windows\System\ZkiniPJ.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\LZKjYsS.exe
  C:\Windows\System\LZKjYsS.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\CHukypf.exe
  C:\Windows\System\CHukypf.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\lmJqGsq.exe
  C:\Windows\System\lmJqGsq.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\zrLYpsv.exe
  C:\Windows\System\zrLYpsv.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\ImLczun.exe
  C:\Windows\System\ImLczun.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\rKZAJvF.exe
  C:\Windows\System\rKZAJvF.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\tdztuAk.exe
  C:\Windows\System\tdztuAk.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\DRRympG.exe
  C:\Windows\System\DRRympG.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\kbYuVzf.exe
  C:\Windows\System\kbYuVzf.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\PuedysY.exe
  C:\Windows\System\PuedysY.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\nwTOfgT.exe
  C:\Windows\System\nwTOfgT.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\CmJLIyY.exe
  C:\Windows\System\CmJLIyY.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\KBHuWkd.exe
  C:\Windows\System\KBHuWkd.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\qmQgWDG.exe
  C:\Windows\System\qmQgWDG.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\scmEEQU.exe
  C:\Windows\System\scmEEQU.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\wzbkNAk.exe
  C:\Windows\System\wzbkNAk.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\dUnFmQW.exe
  C:\Windows\System\dUnFmQW.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\guvGfKc.exe
  C:\Windows\System\guvGfKc.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\ShEycaN.exe
  C:\Windows\System\ShEycaN.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\HiQseMJ.exe
  C:\Windows\System\HiQseMJ.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\ANKsdAy.exe
  C:\Windows\System\ANKsdAy.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\lRDgueK.exe
  C:\Windows\System\lRDgueK.exe
  2⤵
  PID:1768
- C:\Windows\System\hsyDzrY.exe
  C:\Windows\System\hsyDzrY.exe
  2⤵
  PID:3256
- C:\Windows\System\vGdQgte.exe
  C:\Windows\System\vGdQgte.exe
  2⤵
  PID:4336
- C:\Windows\System\tjhSQth.exe
  C:\Windows\System\tjhSQth.exe
  2⤵
  PID:1184
- C:\Windows\System\MnsXrlo.exe
  C:\Windows\System\MnsXrlo.exe
  2⤵
  PID:4276
- C:\Windows\System\tTkddQj.exe
  C:\Windows\System\tTkddQj.exe
  2⤵
  PID:4264
- C:\Windows\System\xVbFCdS.exe
  C:\Windows\System\xVbFCdS.exe
  2⤵
  PID:3804
- C:\Windows\System\pOjsRqv.exe
  C:\Windows\System\pOjsRqv.exe
  2⤵
  PID:1452
- C:\Windows\System\NGyXdvs.exe
  C:\Windows\System\NGyXdvs.exe
  2⤵
  PID:2200
- C:\Windows\System\HrLdOal.exe
  C:\Windows\System\HrLdOal.exe
  2⤵
  PID:1852
- C:\Windows\System\qzSPmOz.exe
  C:\Windows\System\qzSPmOz.exe
  2⤵
  PID:4332
- C:\Windows\System\FfLQbPC.exe
  C:\Windows\System\FfLQbPC.exe
  2⤵
  PID:4468
- C:\Windows\System\DWMJbWI.exe
  C:\Windows\System\DWMJbWI.exe
  2⤵
  PID:5148
- C:\Windows\System\OYXuaXC.exe
  C:\Windows\System\OYXuaXC.exe
  2⤵
  PID:5172
- C:\Windows\System\mjYJGhe.exe
  C:\Windows\System\mjYJGhe.exe
  2⤵
  PID:5200
- C:\Windows\System\kivChLK.exe
  C:\Windows\System\kivChLK.exe
  2⤵
  PID:5228
- C:\Windows\System\BJOgSGB.exe
  C:\Windows\System\BJOgSGB.exe
  2⤵
  PID:5256
- C:\Windows\System\jjfGoMO.exe
  C:\Windows\System\jjfGoMO.exe
  2⤵
  PID:5284
- C:\Windows\System\WYLIKsr.exe
  C:\Windows\System\WYLIKsr.exe
  2⤵
  PID:5316
- C:\Windows\System\pYfmVTV.exe
  C:\Windows\System\pYfmVTV.exe
  2⤵
  PID:5344
- C:\Windows\System\AcXvPbe.exe
  C:\Windows\System\AcXvPbe.exe
  2⤵
  PID:5368
- C:\Windows\System\qQmmTWS.exe
  C:\Windows\System\qQmmTWS.exe
  2⤵
  PID:5400
- C:\Windows\System\cPiIgqC.exe
  C:\Windows\System\cPiIgqC.exe
  2⤵
  PID:5424
- C:\Windows\System\tkPofLR.exe
  C:\Windows\System\tkPofLR.exe
  2⤵
  PID:5452
- C:\Windows\System\OdwQrbD.exe
  C:\Windows\System\OdwQrbD.exe
  2⤵
  PID:5480
- C:\Windows\System\IjEIEJx.exe
  C:\Windows\System\IjEIEJx.exe
  2⤵
  PID:5508
- C:\Windows\System\ciCUAmH.exe
  C:\Windows\System\ciCUAmH.exe
  2⤵
  PID:5536
- C:\Windows\System\CZbhcGl.exe
  C:\Windows\System\CZbhcGl.exe
  2⤵
  PID:5564
- C:\Windows\System\EmmRqbs.exe
  C:\Windows\System\EmmRqbs.exe
  2⤵
  PID:5592
- C:\Windows\System\jaVvtxG.exe
  C:\Windows\System\jaVvtxG.exe
  2⤵
  PID:5620
- C:\Windows\System\lzNxVex.exe
  C:\Windows\System\lzNxVex.exe
  2⤵
  PID:5648
- C:\Windows\System\gdlLDoC.exe
  C:\Windows\System\gdlLDoC.exe
  2⤵
  PID:5676
- C:\Windows\System\tTASeOU.exe
  C:\Windows\System\tTASeOU.exe
  2⤵
  PID:5704
- C:\Windows\System\jwBPQQv.exe
  C:\Windows\System\jwBPQQv.exe
  2⤵
  PID:5732
- C:\Windows\System\oDRIbJI.exe
  C:\Windows\System\oDRIbJI.exe
  2⤵
  PID:5760
- C:\Windows\System\YBvnOpx.exe
  C:\Windows\System\YBvnOpx.exe
  2⤵
  PID:5788
- C:\Windows\System\GOebtsR.exe
  C:\Windows\System\GOebtsR.exe
  2⤵
  PID:5816
- C:\Windows\System\vyPjFvF.exe
  C:\Windows\System\vyPjFvF.exe
  2⤵
  PID:5848
- C:\Windows\System\OLdODBP.exe
  C:\Windows\System\OLdODBP.exe
  2⤵
  PID:5872
- C:\Windows\System\uQUvEke.exe
  C:\Windows\System\uQUvEke.exe
  2⤵
  PID:5900
- C:\Windows\System\FFTHLLp.exe
  C:\Windows\System\FFTHLLp.exe
  2⤵
  PID:5932
- C:\Windows\System\yfYBlCQ.exe
  C:\Windows\System\yfYBlCQ.exe
  2⤵
  PID:5956
- C:\Windows\System\UXaDSKe.exe
  C:\Windows\System\UXaDSKe.exe
  2⤵
  PID:5984
- C:\Windows\System\ILibHfr.exe
  C:\Windows\System\ILibHfr.exe
  2⤵
  PID:6012
- C:\Windows\System\zgjfikB.exe
  C:\Windows\System\zgjfikB.exe
  2⤵
  PID:6040
- C:\Windows\System\uMoSRsE.exe
  C:\Windows\System\uMoSRsE.exe
  2⤵
  PID:6068
- C:\Windows\System\thwSeWL.exe
  C:\Windows\System\thwSeWL.exe
  2⤵
  PID:6096
- C:\Windows\System\vexxvZz.exe
  C:\Windows\System\vexxvZz.exe
  2⤵
  PID:6124
- C:\Windows\System\uDddCdX.exe
  C:\Windows\System\uDddCdX.exe
  2⤵
  PID:1180
- C:\Windows\System\mmKeGLk.exe
  C:\Windows\System\mmKeGLk.exe
  2⤵
  PID:1332
- C:\Windows\System\kIUlcbI.exe
  C:\Windows\System\kIUlcbI.exe
  2⤵
  PID:1708
- C:\Windows\System\FaYDxKr.exe
  C:\Windows\System\FaYDxKr.exe
  2⤵
  PID:4608
- C:\Windows\System\ghHGCYK.exe
  C:\Windows\System\ghHGCYK.exe
  2⤵
  PID:5140
- C:\Windows\System\JifGzjU.exe
  C:\Windows\System\JifGzjU.exe
  2⤵
  PID:5184
- C:\Windows\System\EJdAkJe.exe
  C:\Windows\System\EJdAkJe.exe
  2⤵
  PID:1508
- C:\Windows\System\mhwODfa.exe
  C:\Windows\System\mhwODfa.exe
  2⤵
  PID:5300
- C:\Windows\System\viLYmDF.exe
  C:\Windows\System\viLYmDF.exe
  2⤵
  PID:5364
- C:\Windows\System\UHpeIpP.exe
  C:\Windows\System\UHpeIpP.exe
  2⤵
  PID:5420
- C:\Windows\System\DznSiuN.exe
  C:\Windows\System\DznSiuN.exe
  2⤵
  PID:5472
- C:\Windows\System\ZXBYpzK.exe
  C:\Windows\System\ZXBYpzK.exe
  2⤵
  PID:5556
- C:\Windows\System\cyVWjvg.exe
  C:\Windows\System\cyVWjvg.exe
  2⤵
  PID:5612
- C:\Windows\System\eVlBGOq.exe
  C:\Windows\System\eVlBGOq.exe
  2⤵
  PID:5664
- C:\Windows\System\cNzVdVH.exe
  C:\Windows\System\cNzVdVH.exe
  2⤵
  PID:5720
- C:\Windows\System\ZjNFLUv.exe
  C:\Windows\System\ZjNFLUv.exe
  2⤵
  PID:5780
- C:\Windows\System\oVOlUZU.exe
  C:\Windows\System\oVOlUZU.exe
  2⤵
  PID:5856
- C:\Windows\System\PChzoid.exe
  C:\Windows\System\PChzoid.exe
  2⤵
  PID:5916
- C:\Windows\System\aFetRej.exe
  C:\Windows\System\aFetRej.exe
  2⤵
  PID:856
- C:\Windows\System\VnPDbnH.exe
  C:\Windows\System\VnPDbnH.exe
  2⤵
  PID:6000
- C:\Windows\System\gKIncAh.exe
  C:\Windows\System\gKIncAh.exe
  2⤵
  PID:6052
- C:\Windows\System\jsvumYt.exe
  C:\Windows\System\jsvumYt.exe
  2⤵
  PID:6112
- C:\Windows\System\cQXooed.exe
  C:\Windows\System\cQXooed.exe
  2⤵
  PID:2368
- C:\Windows\System\KPcUEJg.exe
  C:\Windows\System\KPcUEJg.exe
  2⤵
  PID:1148
- C:\Windows\System\oFmCzlE.exe
  C:\Windows\System\oFmCzlE.exe
  2⤵
  PID:704
- C:\Windows\System\BdnHIsh.exe
  C:\Windows\System\BdnHIsh.exe
  2⤵
  PID:5272
- C:\Windows\System\zlCBhhW.exe
  C:\Windows\System\zlCBhhW.exe
  2⤵
  PID:5352
- C:\Windows\System\ryKWEgr.exe
  C:\Windows\System\ryKWEgr.exe
  2⤵
  PID:5520
- C:\Windows\System\onLFwux.exe
  C:\Windows\System\onLFwux.exe
  2⤵
  PID:5636
- C:\Windows\System\gkFgWtQ.exe
  C:\Windows\System\gkFgWtQ.exe
  2⤵
  PID:5748
- C:\Windows\System\vMizKkM.exe
  C:\Windows\System\vMizKkM.exe
  2⤵
  PID:5884
- C:\Windows\System\thlxUWa.exe
  C:\Windows\System\thlxUWa.exe
  2⤵
  PID:3416
- C:\Windows\System\auDRnoB.exe
  C:\Windows\System\auDRnoB.exe
  2⤵
  PID:6024
- C:\Windows\System\AFokNth.exe
  C:\Windows\System\AFokNth.exe
  2⤵
  PID:6140
- C:\Windows\System\KlkQBNh.exe
  C:\Windows\System\KlkQBNh.exe
  2⤵
  PID:1104
- C:\Windows\System\ZSoMNSU.exe
  C:\Windows\System\ZSoMNSU.exe
  2⤵
  PID:3988
- C:\Windows\System\XNJjmTw.exe
  C:\Windows\System\XNJjmTw.exe
  2⤵
  PID:448
- C:\Windows\System\LijeDlu.exe
  C:\Windows\System\LijeDlu.exe
  2⤵
  PID:5976
- C:\Windows\System\CEtnjEA.exe
  C:\Windows\System\CEtnjEA.exe
  2⤵
  PID:3288
- C:\Windows\System\dEPFGXJ.exe
  C:\Windows\System\dEPFGXJ.exe
  2⤵
  PID:2248
- C:\Windows\System\VSmuBVm.exe
  C:\Windows\System\VSmuBVm.exe
  2⤵
  PID:4168
- C:\Windows\System\aBHVqhZ.exe
  C:\Windows\System\aBHVqhZ.exe
  2⤵
  PID:5128
- C:\Windows\System\ZYKtIXO.exe
  C:\Windows\System\ZYKtIXO.exe
  2⤵
  PID:4876
- C:\Windows\System\bapDJPx.exe
  C:\Windows\System\bapDJPx.exe
  2⤵
  PID:5948
- C:\Windows\System\wunbXBY.exe
  C:\Windows\System\wunbXBY.exe
  2⤵
  PID:3412
- C:\Windows\System\AgpllYv.exe
  C:\Windows\System\AgpllYv.exe
  2⤵
  PID:1088
- C:\Windows\System\MuZeEXe.exe
  C:\Windows\System\MuZeEXe.exe
  2⤵
  PID:4648
- C:\Windows\System\OmlLswg.exe
  C:\Windows\System\OmlLswg.exe
  2⤵
  PID:5772
- C:\Windows\System\HyNjYKA.exe
  C:\Windows\System\HyNjYKA.exe
  2⤵
  PID:3060
- C:\Windows\System\QftEPpn.exe
  C:\Windows\System\QftEPpn.exe
  2⤵
  PID:216
- C:\Windows\System\jGEShrQ.exe
  C:\Windows\System\jGEShrQ.exe
  2⤵
  PID:6148
- C:\Windows\System\LcvIJYW.exe
  C:\Windows\System\LcvIJYW.exe
  2⤵
  PID:6172
- C:\Windows\System\YcKKIzD.exe
  C:\Windows\System\YcKKIzD.exe
  2⤵
  PID:6196
- C:\Windows\System\IuUsOsB.exe
  C:\Windows\System\IuUsOsB.exe
  2⤵
  PID:6220
- C:\Windows\System\eQhHXly.exe
  C:\Windows\System\eQhHXly.exe
  2⤵
  PID:6244
- C:\Windows\System\qCjvccP.exe
  C:\Windows\System\qCjvccP.exe
  2⤵
  PID:6264
- C:\Windows\System\tOuLfYB.exe
  C:\Windows\System\tOuLfYB.exe
  2⤵
  PID:6288
- C:\Windows\System\SrYzKfq.exe
  C:\Windows\System\SrYzKfq.exe
  2⤵
  PID:6328
- C:\Windows\System\ngjApUL.exe
  C:\Windows\System\ngjApUL.exe
  2⤵
  PID:6368
- C:\Windows\System\aYxuprI.exe
  C:\Windows\System\aYxuprI.exe
  2⤵
  PID:6384
- C:\Windows\System\YxYwkWq.exe
  C:\Windows\System\YxYwkWq.exe
  2⤵
  PID:6424
- C:\Windows\System\YpVlzhn.exe
  C:\Windows\System\YpVlzhn.exe
  2⤵
  PID:6444
- C:\Windows\System\dSPYeWI.exe
  C:\Windows\System\dSPYeWI.exe
  2⤵
  PID:6468
- C:\Windows\System\BrEzokF.exe
  C:\Windows\System\BrEzokF.exe
  2⤵
  PID:6496
- C:\Windows\System\CfUprnu.exe
  C:\Windows\System\CfUprnu.exe
  2⤵
  PID:6544
- C:\Windows\System\igJIwuq.exe
  C:\Windows\System\igJIwuq.exe
  2⤵
  PID:6576
- C:\Windows\System\QRgOTte.exe
  C:\Windows\System\QRgOTte.exe
  2⤵
  PID:6592
- C:\Windows\System\YMjhtzL.exe
  C:\Windows\System\YMjhtzL.exe
  2⤵
  PID:6616
- C:\Windows\System\MRtpQMl.exe
  C:\Windows\System\MRtpQMl.exe
  2⤵
  PID:6652
- C:\Windows\System\MDVKLDe.exe
  C:\Windows\System\MDVKLDe.exe
  2⤵
  PID:6688
- C:\Windows\System\vEbNEWM.exe
  C:\Windows\System\vEbNEWM.exe
  2⤵
  PID:6708
- C:\Windows\System\RWWEehl.exe
  C:\Windows\System\RWWEehl.exe
  2⤵
  PID:6724
- C:\Windows\System\GxYJihs.exe
  C:\Windows\System\GxYJihs.exe
  2⤵
  PID:6756
- C:\Windows\System\QIFvtdM.exe
  C:\Windows\System\QIFvtdM.exe
  2⤵
  PID:6784
- C:\Windows\System\CsbSpCV.exe
  C:\Windows\System\CsbSpCV.exe
  2⤵
  PID:6800
- C:\Windows\System\HmrgLXv.exe
  C:\Windows\System\HmrgLXv.exe
  2⤵
  PID:6840
- C:\Windows\System\sjgpYiD.exe
  C:\Windows\System\sjgpYiD.exe
  2⤵
  PID:6860
- C:\Windows\System\vRBporo.exe
  C:\Windows\System\vRBporo.exe
  2⤵
  PID:6884
- C:\Windows\System\iikSRkS.exe
  C:\Windows\System\iikSRkS.exe
  2⤵
  PID:6936
- C:\Windows\System\NWFMrrP.exe
  C:\Windows\System\NWFMrrP.exe
  2⤵
  PID:6964
- C:\Windows\System\kEdbyhm.exe
  C:\Windows\System\kEdbyhm.exe
  2⤵
  PID:6988
- C:\Windows\System\QuQpToM.exe
  C:\Windows\System\QuQpToM.exe
  2⤵
  PID:7008
- C:\Windows\System\pZALcFL.exe
  C:\Windows\System\pZALcFL.exe
  2⤵
  PID:7068
- C:\Windows\System\iWYUtby.exe
  C:\Windows\System\iWYUtby.exe
  2⤵
  PID:7088
- C:\Windows\System\kvxYmCt.exe
  C:\Windows\System\kvxYmCt.exe
  2⤵
  PID:7120
- C:\Windows\System\HkFgnRL.exe
  C:\Windows\System\HkFgnRL.exe
  2⤵
  PID:7140
- C:\Windows\System\tGHjSQM.exe
  C:\Windows\System\tGHjSQM.exe
  2⤵
  PID:316
- C:\Windows\System\GeSqgbw.exe
  C:\Windows\System\GeSqgbw.exe
  2⤵
  PID:6204
- C:\Windows\System\wkIElBY.exe
  C:\Windows\System\wkIElBY.exe
  2⤵
  PID:6276
- C:\Windows\System\GYEgHwg.exe
  C:\Windows\System\GYEgHwg.exe
  2⤵
  PID:6312
- C:\Windows\System\wYsmWXI.exe
  C:\Windows\System\wYsmWXI.exe
  2⤵
  PID:6356
- C:\Windows\System\qBUIULR.exe
  C:\Windows\System\qBUIULR.exe
  2⤵
  PID:6392
- C:\Windows\System\NqWsPmB.exe
  C:\Windows\System\NqWsPmB.exe
  2⤵
  PID:6436
- C:\Windows\System\yHGKSFj.exe
  C:\Windows\System\yHGKSFj.exe
  2⤵
  PID:6488
- C:\Windows\System\ahThOYo.exe
  C:\Windows\System\ahThOYo.exe
  2⤵
  PID:6568
- C:\Windows\System\VoxjgMi.exe
  C:\Windows\System\VoxjgMi.exe
  2⤵
  PID:6604
- C:\Windows\System\ltfyLnt.exe
  C:\Windows\System\ltfyLnt.exe
  2⤵
  PID:6700
- C:\Windows\System\IAhHbRv.exe
  C:\Windows\System\IAhHbRv.exe
  2⤵
  PID:6748
- C:\Windows\System\xSCyOcq.exe
  C:\Windows\System\xSCyOcq.exe
  2⤵
  PID:6848
- C:\Windows\System\LYtyRnm.exe
  C:\Windows\System\LYtyRnm.exe
  2⤵
  PID:6916
- C:\Windows\System\AgXtSqt.exe
  C:\Windows\System\AgXtSqt.exe
  2⤵
  PID:7000
- C:\Windows\System\VOrffVG.exe
  C:\Windows\System\VOrffVG.exe
  2⤵
  PID:7048
- C:\Windows\System\qsrGhLe.exe
  C:\Windows\System\qsrGhLe.exe
  2⤵
  PID:7132
- C:\Windows\System\MefwCvT.exe
  C:\Windows\System\MefwCvT.exe
  2⤵
  PID:7160
- C:\Windows\System\xXaRLlK.exe
  C:\Windows\System\xXaRLlK.exe
  2⤵
  PID:6256
- C:\Windows\System\rAXsixM.exe
  C:\Windows\System\rAXsixM.exe
  2⤵
  PID:6408
- C:\Windows\System\uLKMlQD.exe
  C:\Windows\System\uLKMlQD.exe
  2⤵
  PID:6516
- C:\Windows\System\BbyYFmq.exe
  C:\Windows\System\BbyYFmq.exe
  2⤵
  PID:6520
- C:\Windows\System\IcNLZDP.exe
  C:\Windows\System\IcNLZDP.exe
  2⤵
  PID:6628
- C:\Windows\System\SsoLdIR.exe
  C:\Windows\System\SsoLdIR.exe
  2⤵
  PID:6876
- C:\Windows\System\lPwPbCE.exe
  C:\Windows\System\lPwPbCE.exe
  2⤵
  PID:6948
- C:\Windows\System\wbiljXO.exe
  C:\Windows\System\wbiljXO.exe
  2⤵
  PID:2876
- C:\Windows\System\DBNBVWR.exe
  C:\Windows\System\DBNBVWR.exe
  2⤵
  PID:6792
- C:\Windows\System\uvbbrAO.exe
  C:\Windows\System\uvbbrAO.exe
  2⤵
  PID:6960
- C:\Windows\System\dfRZdUo.exe
  C:\Windows\System\dfRZdUo.exe
  2⤵
  PID:7196
- C:\Windows\System\TPNtcYP.exe
  C:\Windows\System\TPNtcYP.exe
  2⤵
  PID:7224
- C:\Windows\System\yjEOtJH.exe
  C:\Windows\System\yjEOtJH.exe
  2⤵
  PID:7256
- C:\Windows\System\ztHuORB.exe
  C:\Windows\System\ztHuORB.exe
  2⤵
  PID:7272
- C:\Windows\System\wUMEjBy.exe
  C:\Windows\System\wUMEjBy.exe
  2⤵
  PID:7312
- C:\Windows\System\CVkWVIi.exe
  C:\Windows\System\CVkWVIi.exe
  2⤵
  PID:7356
- C:\Windows\System\OHvouxK.exe
  C:\Windows\System\OHvouxK.exe
  2⤵
  PID:7376
- C:\Windows\System\ZEGToEG.exe
  C:\Windows\System\ZEGToEG.exe
  2⤵
  PID:7396
- C:\Windows\System\RdZsclu.exe
  C:\Windows\System\RdZsclu.exe
  2⤵
  PID:7424
- C:\Windows\System\KMGKwgD.exe
  C:\Windows\System\KMGKwgD.exe
  2⤵
  PID:7444
- C:\Windows\System\YsZQcPp.exe
  C:\Windows\System\YsZQcPp.exe
  2⤵
  PID:7488
- C:\Windows\System\LCVdBfe.exe
  C:\Windows\System\LCVdBfe.exe
  2⤵
  PID:7512
- C:\Windows\System\XeROSeC.exe
  C:\Windows\System\XeROSeC.exe
  2⤵
  PID:7528
- C:\Windows\System\DdwUwdy.exe
  C:\Windows\System\DdwUwdy.exe
  2⤵
  PID:7552
- C:\Windows\System\cKNCLTY.exe
  C:\Windows\System\cKNCLTY.exe
  2⤵
  PID:7576
- C:\Windows\System\SAoZPrH.exe
  C:\Windows\System\SAoZPrH.exe
  2⤵
  PID:7592
- C:\Windows\System\vLMRsKm.exe
  C:\Windows\System\vLMRsKm.exe
  2⤵
  PID:7652
- C:\Windows\System\RxFHEQU.exe
  C:\Windows\System\RxFHEQU.exe
  2⤵
  PID:7692
- C:\Windows\System\ceHGHOY.exe
  C:\Windows\System\ceHGHOY.exe
  2⤵
  PID:7712
- C:\Windows\System\dHKvPMV.exe
  C:\Windows\System\dHKvPMV.exe
  2⤵
  PID:7728
- C:\Windows\System\gSMukvz.exe
  C:\Windows\System\gSMukvz.exe
  2⤵
  PID:7748
- C:\Windows\System\kwoBPaH.exe
  C:\Windows\System\kwoBPaH.exe
  2⤵
  PID:7792
- C:\Windows\System\HgIWVrg.exe
  C:\Windows\System\HgIWVrg.exe
  2⤵
  PID:7812
- C:\Windows\System\ndqdYEN.exe
  C:\Windows\System\ndqdYEN.exe
  2⤵
  PID:7844
- C:\Windows\System\oKsgViU.exe
  C:\Windows\System\oKsgViU.exe
  2⤵
  PID:7880
- C:\Windows\System\WUzolEM.exe
  C:\Windows\System\WUzolEM.exe
  2⤵
  PID:7900
- C:\Windows\System\vhomjdF.exe
  C:\Windows\System\vhomjdF.exe
  2⤵
  PID:7924
- C:\Windows\System\OXfxOOe.exe
  C:\Windows\System\OXfxOOe.exe
  2⤵
  PID:7944
- C:\Windows\System\KjYDEra.exe
  C:\Windows\System\KjYDEra.exe
  2⤵
  PID:7964
- C:\Windows\System\ROWpdSV.exe
  C:\Windows\System\ROWpdSV.exe
  2⤵
  PID:8012
- C:\Windows\System\Gtqlvyd.exe
  C:\Windows\System\Gtqlvyd.exe
  2⤵
  PID:8028
- C:\Windows\System\BiHNEFN.exe
  C:\Windows\System\BiHNEFN.exe
  2⤵
  PID:8056
- C:\Windows\System\gfDgFIK.exe
  C:\Windows\System\gfDgFIK.exe
  2⤵
  PID:8084
- C:\Windows\System\qILpIQZ.exe
  C:\Windows\System\qILpIQZ.exe
  2⤵
  PID:8100
- C:\Windows\System\YMPoFIL.exe
  C:\Windows\System\YMPoFIL.exe
  2⤵
  PID:8128
- C:\Windows\System\hXuOMkB.exe
  C:\Windows\System\hXuOMkB.exe
  2⤵
  PID:8148
- C:\Windows\System\vodCUcM.exe
  C:\Windows\System\vodCUcM.exe
  2⤵
  PID:7188
- C:\Windows\System\mphFHcT.exe
  C:\Windows\System\mphFHcT.exe
  2⤵
  PID:7248
- C:\Windows\System\KysbGht.exe
  C:\Windows\System\KysbGht.exe
  2⤵
  PID:7304
- C:\Windows\System\TsOfoEy.exe
  C:\Windows\System\TsOfoEy.exe
  2⤵
  PID:7372
- C:\Windows\System\gQOtQzU.exe
  C:\Windows\System\gQOtQzU.exe
  2⤵
  PID:7464
- C:\Windows\System\eyApQbg.exe
  C:\Windows\System\eyApQbg.exe
  2⤵
  PID:7440
- C:\Windows\System\apiFQlD.exe
  C:\Windows\System\apiFQlD.exe
  2⤵
  PID:7496
- C:\Windows\System\blRYWVT.exe
  C:\Windows\System\blRYWVT.exe
  2⤵
  PID:7564
- C:\Windows\System\ydabCQz.exe
  C:\Windows\System\ydabCQz.exe
  2⤵
  PID:7536
- C:\Windows\System\MpxTOFI.exe
  C:\Windows\System\MpxTOFI.exe
  2⤵
  PID:7684
- C:\Windows\System\CAeiDwj.exe
  C:\Windows\System\CAeiDwj.exe
  2⤵
  PID:7828
- C:\Windows\System\YgDRIQL.exe
  C:\Windows\System\YgDRIQL.exe
  2⤵
  PID:7856
- C:\Windows\System\BlhGUyZ.exe
  C:\Windows\System\BlhGUyZ.exe
  2⤵
  PID:7908
- C:\Windows\System\vpwosdG.exe
  C:\Windows\System\vpwosdG.exe
  2⤵
  PID:7960
- C:\Windows\System\CseBssZ.exe
  C:\Windows\System\CseBssZ.exe
  2⤵
  PID:8020
- C:\Windows\System\peBoqXf.exe
  C:\Windows\System\peBoqXf.exe
  2⤵
  PID:8064
- C:\Windows\System\oAUdiyh.exe
  C:\Windows\System\oAUdiyh.exe
  2⤵
  PID:8140
- C:\Windows\System\PpvCPug.exe
  C:\Windows\System\PpvCPug.exe
  2⤵
  PID:7220
- C:\Windows\System\ujBksGW.exe
  C:\Windows\System\ujBksGW.exe
  2⤵
  PID:7636
- C:\Windows\System\kAwdAYu.exe
  C:\Windows\System\kAwdAYu.exe
  2⤵
  PID:7524
- C:\Windows\System\SEIFoTX.exe
  C:\Windows\System\SEIFoTX.exe
  2⤵
  PID:7780
- C:\Windows\System\pKlylmw.exe
  C:\Windows\System\pKlylmw.exe
  2⤵
  PID:8076
- C:\Windows\System\vzPBmzY.exe
  C:\Windows\System\vzPBmzY.exe
  2⤵
  PID:8180
- C:\Windows\System\iYihkJQ.exe
  C:\Windows\System\iYihkJQ.exe
  2⤵
  PID:7348
- C:\Windows\System\ovRVqnS.exe
  C:\Windows\System\ovRVqnS.exe
  2⤵
  PID:7520
- C:\Windows\System\iKzNkVp.exe
  C:\Windows\System\iKzNkVp.exe
  2⤵
  PID:8004
- C:\Windows\System\cqjbiwX.exe
  C:\Windows\System\cqjbiwX.exe
  2⤵
  PID:8212
- C:\Windows\System\WwFUovX.exe
  C:\Windows\System\WwFUovX.exe
  2⤵
  PID:8232
- C:\Windows\System\odyzHEm.exe
  C:\Windows\System\odyzHEm.exe
  2⤵
  PID:8272
- C:\Windows\System\RQOaWFo.exe
  C:\Windows\System\RQOaWFo.exe
  2⤵
  PID:8316
- C:\Windows\System\PbSxrWL.exe
  C:\Windows\System\PbSxrWL.exe
  2⤵
  PID:8344
- C:\Windows\System\rsRDzoy.exe
  C:\Windows\System\rsRDzoy.exe
  2⤵
  PID:8360
- C:\Windows\System\vDNBWIe.exe
  C:\Windows\System\vDNBWIe.exe
  2⤵
  PID:8384
- C:\Windows\System\ehhbUSA.exe
  C:\Windows\System\ehhbUSA.exe
  2⤵
  PID:8412
- C:\Windows\System\VunGRZT.exe
  C:\Windows\System\VunGRZT.exe
  2⤵
  PID:8432
- C:\Windows\System\ITMAETd.exe
  C:\Windows\System\ITMAETd.exe
  2⤵
  PID:8484
- C:\Windows\System\HovxShj.exe
  C:\Windows\System\HovxShj.exe
  2⤵
  PID:8508
- C:\Windows\System\TnOWBiB.exe
  C:\Windows\System\TnOWBiB.exe
  2⤵
  PID:8528
- C:\Windows\System\pgMuWTP.exe
  C:\Windows\System\pgMuWTP.exe
  2⤵
  PID:8552
- C:\Windows\System\ZuXdSzy.exe
  C:\Windows\System\ZuXdSzy.exe
  2⤵
  PID:8576
- C:\Windows\System\aFmEenE.exe
  C:\Windows\System\aFmEenE.exe
  2⤵
  PID:8596
- C:\Windows\System\BgwzVaZ.exe
  C:\Windows\System\BgwzVaZ.exe
  2⤵
  PID:8624
- C:\Windows\System\fgVLHgE.exe
  C:\Windows\System\fgVLHgE.exe
  2⤵
  PID:8644
- C:\Windows\System\mssIYIf.exe
  C:\Windows\System\mssIYIf.exe
  2⤵
  PID:8684
- C:\Windows\System\euhCzet.exe
  C:\Windows\System\euhCzet.exe
  2⤵
  PID:8716
- C:\Windows\System\nmKSXnG.exe
  C:\Windows\System\nmKSXnG.exe
  2⤵
  PID:8736
- C:\Windows\System\nFmiwkZ.exe
  C:\Windows\System\nFmiwkZ.exe
  2⤵
  PID:8772
- C:\Windows\System\oTOsmGE.exe
  C:\Windows\System\oTOsmGE.exe
  2⤵
  PID:8796
- C:\Windows\System\rrETDxi.exe
  C:\Windows\System\rrETDxi.exe
  2⤵
  PID:8816
- C:\Windows\System\TIDvSio.exe
  C:\Windows\System\TIDvSio.exe
  2⤵
  PID:8836
- C:\Windows\System\mBKbIOw.exe
  C:\Windows\System\mBKbIOw.exe
  2⤵
  PID:8868
- C:\Windows\System\aovdgTP.exe
  C:\Windows\System\aovdgTP.exe
  2⤵
  PID:8888
- C:\Windows\System\eJtknWh.exe
  C:\Windows\System\eJtknWh.exe
  2⤵
  PID:8916
- C:\Windows\System\LdBkLPS.exe
  C:\Windows\System\LdBkLPS.exe
  2⤵
  PID:8976
- C:\Windows\System\vlFiQXa.exe
  C:\Windows\System\vlFiQXa.exe
  2⤵
  PID:9000
- C:\Windows\System\XQJdbVp.exe
  C:\Windows\System\XQJdbVp.exe
  2⤵
  PID:9028
- C:\Windows\System\HLKweEK.exe
  C:\Windows\System\HLKweEK.exe
  2⤵
  PID:9048
- C:\Windows\System\kvPtsja.exe
  C:\Windows\System\kvPtsja.exe
  2⤵
  PID:9088
- C:\Windows\System\qWxDwcd.exe
  C:\Windows\System\qWxDwcd.exe
  2⤵
  PID:9116
- C:\Windows\System\yUoAPOu.exe
  C:\Windows\System\yUoAPOu.exe
  2⤵
  PID:9140
- C:\Windows\System\uxKvvOv.exe
  C:\Windows\System\uxKvvOv.exe
  2⤵
  PID:9160
- C:\Windows\System\mFVaKFp.exe
  C:\Windows\System\mFVaKFp.exe
  2⤵
  PID:9188
- C:\Windows\System\TjFaHlz.exe
  C:\Windows\System\TjFaHlz.exe
  2⤵
  PID:9204
- C:\Windows\System\kZBXIDJ.exe
  C:\Windows\System\kZBXIDJ.exe
  2⤵
  PID:7344
- C:\Windows\System\HQBpJQZ.exe
  C:\Windows\System\HQBpJQZ.exe
  2⤵
  PID:8224
- C:\Windows\System\iOIrCUs.exe
  C:\Windows\System\iOIrCUs.exe
  2⤵
  PID:8284
- C:\Windows\System\yzXDzXD.exe
  C:\Windows\System\yzXDzXD.exe
  2⤵
  PID:8452
- C:\Windows\System\wNMIzXP.exe
  C:\Windows\System\wNMIzXP.exe
  2⤵
  PID:8500
- C:\Windows\System\PlMtZrT.exe
  C:\Windows\System\PlMtZrT.exe
  2⤵
  PID:8520
- C:\Windows\System\prXTUrX.exe
  C:\Windows\System\prXTUrX.exe
  2⤵
  PID:8632
- C:\Windows\System\NWCvyKx.exe
  C:\Windows\System\NWCvyKx.exe
  2⤵
  PID:8692
- C:\Windows\System\dTrGZPb.exe
  C:\Windows\System\dTrGZPb.exe
  2⤵
  PID:8724
- C:\Windows\System\MHwWuzk.exe
  C:\Windows\System\MHwWuzk.exe
  2⤵
  PID:8780
- C:\Windows\System\IyZVyxp.exe
  C:\Windows\System\IyZVyxp.exe
  2⤵
  PID:8876
- C:\Windows\System\MWzXrRF.exe
  C:\Windows\System\MWzXrRF.exe
  2⤵
  PID:8988
- C:\Windows\System\AtJJlGW.exe
  C:\Windows\System\AtJJlGW.exe
  2⤵
  PID:8984
- C:\Windows\System\EIdMPIz.exe
  C:\Windows\System\EIdMPIz.exe
  2⤵
  PID:9080
- C:\Windows\System\QhqDmRm.exe
  C:\Windows\System\QhqDmRm.exe
  2⤵
  PID:9132
- C:\Windows\System\HFxToqb.exe
  C:\Windows\System\HFxToqb.exe
  2⤵
  PID:7484
- C:\Windows\System\DVKoNmM.exe
  C:\Windows\System\DVKoNmM.exe
  2⤵
  PID:3812
- C:\Windows\System\kCHELXZ.exe
  C:\Windows\System\kCHELXZ.exe
  2⤵
  PID:8336
- C:\Windows\System\JdRZmQk.exe
  C:\Windows\System\JdRZmQk.exe
  2⤵
  PID:8492
- C:\Windows\System\pWjkxoa.exe
  C:\Windows\System\pWjkxoa.exe
  2⤵
  PID:8588
- C:\Windows\System\VWZZXxW.exe
  C:\Windows\System\VWZZXxW.exe
  2⤵
  PID:8760
- C:\Windows\System\VlFpJGC.exe
  C:\Windows\System\VlFpJGC.exe
  2⤵
  PID:9016
- C:\Windows\System\fBDMQfq.exe
  C:\Windows\System\fBDMQfq.exe
  2⤵
  PID:9180
- C:\Windows\System\KXaFLHM.exe
  C:\Windows\System\KXaFLHM.exe
  2⤵
  PID:8480
- C:\Windows\System\kHTnjXj.exe
  C:\Windows\System\kHTnjXj.exe
  2⤵
  PID:9256
- C:\Windows\System\AvEWAgc.exe
  C:\Windows\System\AvEWAgc.exe
  2⤵
  PID:9288
- C:\Windows\System\jmEwaOg.exe
  C:\Windows\System\jmEwaOg.exe
  2⤵
  PID:9308
- C:\Windows\System\WLIdLXl.exe
  C:\Windows\System\WLIdLXl.exe
  2⤵
  PID:9352
- C:\Windows\System\jWwovRO.exe
  C:\Windows\System\jWwovRO.exe
  2⤵
  PID:9388
- C:\Windows\System\iIfjiIG.exe
  C:\Windows\System\iIfjiIG.exe
  2⤵
  PID:9408
- C:\Windows\System\Rllvncm.exe
  C:\Windows\System\Rllvncm.exe
  2⤵
  PID:9448
- C:\Windows\System\sBUukLw.exe
  C:\Windows\System\sBUukLw.exe
  2⤵
  PID:9500
- C:\Windows\System\JNRZqcE.exe
  C:\Windows\System\JNRZqcE.exe
  2⤵
  PID:9532
- C:\Windows\System\kBlGhLD.exe
  C:\Windows\System\kBlGhLD.exe
  2⤵
  PID:9556
- C:\Windows\System\JXqqtEA.exe
  C:\Windows\System\JXqqtEA.exe
  2⤵
  PID:9584
- C:\Windows\System\eRhfMpd.exe
  C:\Windows\System\eRhfMpd.exe
  2⤵
  PID:9604
- C:\Windows\System\nmGMuWP.exe
  C:\Windows\System\nmGMuWP.exe
  2⤵
  PID:9628
- C:\Windows\System\pMWRxpH.exe
  C:\Windows\System\pMWRxpH.exe
  2⤵
  PID:9648
- C:\Windows\System\emNynCt.exe
  C:\Windows\System\emNynCt.exe
  2⤵
  PID:9664
- C:\Windows\System\IiaxVio.exe
  C:\Windows\System\IiaxVio.exe
  2⤵
  PID:9716
- C:\Windows\System\UUcinni.exe
  C:\Windows\System\UUcinni.exe
  2⤵
  PID:9752
- C:\Windows\System\GIZXZqX.exe
  C:\Windows\System\GIZXZqX.exe
  2⤵
  PID:9772
- C:\Windows\System\KEZIHyX.exe
  C:\Windows\System\KEZIHyX.exe
  2⤵
  PID:9796
- C:\Windows\System\kFLIeuU.exe
  C:\Windows\System\kFLIeuU.exe
  2⤵
  PID:9820
- C:\Windows\System\BeVZPzF.exe
  C:\Windows\System\BeVZPzF.exe
  2⤵
  PID:9836
- C:\Windows\System\RjDlwJu.exe
  C:\Windows\System\RjDlwJu.exe
  2⤵
  PID:9884
- C:\Windows\System\vpdwizg.exe
  C:\Windows\System\vpdwizg.exe
  2⤵
  PID:9904
- C:\Windows\System\mYqXrRo.exe
  C:\Windows\System\mYqXrRo.exe
  2⤵
  PID:9952
- C:\Windows\System\BpIJMpE.exe
  C:\Windows\System\BpIJMpE.exe
  2⤵
  PID:9972
- C:\Windows\System\PTvwGlS.exe
  C:\Windows\System\PTvwGlS.exe
  2⤵
  PID:9992
- C:\Windows\System\FRToqiH.exe
  C:\Windows\System\FRToqiH.exe
  2⤵
  PID:10016
- C:\Windows\System\ClIBvDh.exe
  C:\Windows\System\ClIBvDh.exe
  2⤵
  PID:10036
- C:\Windows\System\NcUcWMF.exe
  C:\Windows\System\NcUcWMF.exe
  2⤵
  PID:10060
- C:\Windows\System\DtnmGkx.exe
  C:\Windows\System\DtnmGkx.exe
  2⤵
  PID:10080
- C:\Windows\System\lxeQsPd.exe
  C:\Windows\System\lxeQsPd.exe
  2⤵
  PID:10112
- C:\Windows\System\VRmnzoF.exe
  C:\Windows\System\VRmnzoF.exe
  2⤵
  PID:10136
- C:\Windows\System\RZIFQqd.exe
  C:\Windows\System\RZIFQqd.exe
  2⤵
  PID:10204
- C:\Windows\System\eqnOoir.exe
  C:\Windows\System\eqnOoir.exe
  2⤵
  PID:10224
- C:\Windows\System\zylaJci.exe
  C:\Windows\System\zylaJci.exe
  2⤵
  PID:3628
- C:\Windows\System\IqbVMAy.exe
  C:\Windows\System\IqbVMAy.exe
  2⤵
  PID:9252
- C:\Windows\System\WXJkrhl.exe
  C:\Windows\System\WXJkrhl.exe
  2⤵
  PID:9124
- C:\Windows\System\zFKEzmb.exe
  C:\Windows\System\zFKEzmb.exe
  2⤵
  PID:9324
- C:\Windows\System\VFejTMB.exe
  C:\Windows\System\VFejTMB.exe
  2⤵
  PID:9340
- C:\Windows\System\SXUZOsm.exe
  C:\Windows\System\SXUZOsm.exe
  2⤵
  PID:9268
- C:\Windows\System\lqrBbYF.exe
  C:\Windows\System\lqrBbYF.exe
  2⤵
  PID:9372
- C:\Windows\System\dQwQuCa.exe
  C:\Windows\System\dQwQuCa.exe
  2⤵
  PID:9508
- C:\Windows\System\hMozYXs.exe
  C:\Windows\System\hMozYXs.exe
  2⤵
  PID:9528
- C:\Windows\System\gsJOIGF.exe
  C:\Windows\System\gsJOIGF.exe
  2⤵
  PID:9568
- C:\Windows\System\BDvzQOW.exe
  C:\Windows\System\BDvzQOW.exe
  2⤵
  PID:9700
- C:\Windows\System\XErkyuY.exe
  C:\Windows\System\XErkyuY.exe
  2⤵
  PID:9660
- C:\Windows\System\tjdCnRb.exe
  C:\Windows\System\tjdCnRb.exe
  2⤵
  PID:9788
- C:\Windows\System\hgQcCjM.exe
  C:\Windows\System\hgQcCjM.exe
  2⤵
  PID:3852
- C:\Windows\System\dXHowiE.exe
  C:\Windows\System\dXHowiE.exe
  2⤵
  PID:9876
- C:\Windows\System\gtxoBmV.exe
  C:\Windows\System\gtxoBmV.exe
  2⤵
  PID:9860
- C:\Windows\System\HluRUpc.exe
  C:\Windows\System\HluRUpc.exe
  2⤵
  PID:9980
- C:\Windows\System\QrfQOkf.exe
  C:\Windows\System\QrfQOkf.exe
  2⤵
  PID:9984
- C:\Windows\System\XfMPJDM.exe
  C:\Windows\System\XfMPJDM.exe
  2⤵
  PID:10096
- C:\Windows\System\OpthBwI.exe
  C:\Windows\System\OpthBwI.exe
  2⤵
  PID:10200
- C:\Windows\System\XASZJdq.exe
  C:\Windows\System\XASZJdq.exe
  2⤵
  PID:9232
- C:\Windows\System\UPZQVCk.exe
  C:\Windows\System\UPZQVCk.exe
  2⤵
  PID:2424
- C:\Windows\System\OfBNYhC.exe
  C:\Windows\System\OfBNYhC.exe
  2⤵
  PID:9364
- C:\Windows\System\BYonQRi.exe
  C:\Windows\System\BYonQRi.exe
  2⤵
  PID:4432
- C:\Windows\System\DSPnLRv.exe
  C:\Windows\System\DSPnLRv.exe
  2⤵
  PID:9432
- C:\Windows\System\eEQbKvM.exe
  C:\Windows\System\eEQbKvM.exe
  2⤵
  PID:9572
- C:\Windows\System\JUvOUWU.exe
  C:\Windows\System\JUvOUWU.exe
  2⤵
  PID:9804
- C:\Windows\System\EwAqjEf.exe
  C:\Windows\System\EwAqjEf.exe
  2⤵
  PID:9900
- C:\Windows\System\WSfCDhl.exe
  C:\Windows\System\WSfCDhl.exe
  2⤵
  PID:10148
- C:\Windows\System\woBfyVS.exe
  C:\Windows\System\woBfyVS.exe
  2⤵
  PID:9328
- C:\Windows\System\LlmlCuv.exe
  C:\Windows\System\LlmlCuv.exe
  2⤵
  PID:9348
- C:\Windows\System\CCbfeSP.exe
  C:\Windows\System\CCbfeSP.exe
  2⤵
  PID:9620
- C:\Windows\System\cLDgCGt.exe
  C:\Windows\System\cLDgCGt.exe
  2⤵
  PID:9856
- C:\Windows\System\PCHzvvA.exe
  C:\Windows\System\PCHzvvA.exe
  2⤵
  PID:9580
- C:\Windows\System\LWPJgqh.exe
  C:\Windows\System\LWPJgqh.exe
  2⤵
  PID:9988
- C:\Windows\System\DctBCuK.exe
  C:\Windows\System\DctBCuK.exe
  2⤵
  PID:10044
- C:\Windows\System\adjBFfB.exe
  C:\Windows\System\adjBFfB.exe
  2⤵
  PID:10248
- C:\Windows\System\xHzFJKd.exe
  C:\Windows\System\xHzFJKd.exe
  2⤵
  PID:10288
- C:\Windows\System\ZapnapS.exe
  C:\Windows\System\ZapnapS.exe
  2⤵
  PID:10328
- C:\Windows\System\OyTvczV.exe
  C:\Windows\System\OyTvczV.exe
  2⤵
  PID:10348
- C:\Windows\System\EdEnHln.exe
  C:\Windows\System\EdEnHln.exe
  2⤵
  PID:10376
- C:\Windows\System\YjiMXav.exe
  C:\Windows\System\YjiMXav.exe
  2⤵
  PID:10404
- C:\Windows\System\tHBqZvf.exe
  C:\Windows\System\tHBqZvf.exe
  2⤵
  PID:10420
- C:\Windows\System\qZdrdbC.exe
  C:\Windows\System\qZdrdbC.exe
  2⤵
  PID:10444
- C:\Windows\System\nbuacyB.exe
  C:\Windows\System\nbuacyB.exe
  2⤵
  PID:10464
- C:\Windows\System\sMmjRxn.exe
  C:\Windows\System\sMmjRxn.exe
  2⤵
  PID:10512
- C:\Windows\System\EOEecED.exe
  C:\Windows\System\EOEecED.exe
  2⤵
  PID:10532
- C:\Windows\System\BVbNYCS.exe
  C:\Windows\System\BVbNYCS.exe
  2⤵
  PID:10560
- C:\Windows\System\aRSfjZb.exe
  C:\Windows\System\aRSfjZb.exe
  2⤵
  PID:10588
- C:\Windows\System\TGExVdt.exe
  C:\Windows\System\TGExVdt.exe
  2⤵
  PID:10628
- C:\Windows\System\sEzATCO.exe
  C:\Windows\System\sEzATCO.exe
  2⤵
  PID:10680
- C:\Windows\System\nEVXaru.exe
  C:\Windows\System\nEVXaru.exe
  2⤵
  PID:10716
- C:\Windows\System\ZEmuYLf.exe
  C:\Windows\System\ZEmuYLf.exe
  2⤵
  PID:10740
- C:\Windows\System\pNKCHxC.exe
  C:\Windows\System\pNKCHxC.exe
  2⤵
  PID:10764
- C:\Windows\System\nrteDOQ.exe
  C:\Windows\System\nrteDOQ.exe
  2⤵
  PID:10804
- C:\Windows\System\hWEpFxn.exe
  C:\Windows\System\hWEpFxn.exe
  2⤵
  PID:10824
- C:\Windows\System\TOjynwI.exe
  C:\Windows\System\TOjynwI.exe
  2⤵
  PID:10856
- C:\Windows\System\XFzSdYD.exe
  C:\Windows\System\XFzSdYD.exe
  2⤵
  PID:10876
- C:\Windows\System\ntzweBB.exe
  C:\Windows\System\ntzweBB.exe
  2⤵
  PID:10920
- C:\Windows\System\MCKnvhE.exe
  C:\Windows\System\MCKnvhE.exe
  2⤵
  PID:10936
- C:\Windows\System\tkGwJzg.exe
  C:\Windows\System\tkGwJzg.exe
  2⤵
  PID:10956
- C:\Windows\System\TvDqPFP.exe
  C:\Windows\System\TvDqPFP.exe
  2⤵
  PID:10984
- C:\Windows\System\VVHOFwx.exe
  C:\Windows\System\VVHOFwx.exe
  2⤵
  PID:11008
- C:\Windows\System\TtDnOtd.exe
  C:\Windows\System\TtDnOtd.exe
  2⤵
  PID:11024
- C:\Windows\System\qhciokA.exe
  C:\Windows\System\qhciokA.exe
  2⤵
  PID:11060
- C:\Windows\System\biUDAUf.exe
  C:\Windows\System\biUDAUf.exe
  2⤵
  PID:11088
- C:\Windows\System\SPifEga.exe
  C:\Windows\System\SPifEga.exe
  2⤵
  PID:11128
- C:\Windows\System\lJiXomu.exe
  C:\Windows\System\lJiXomu.exe
  2⤵
  PID:11160
- C:\Windows\System\pIRlQdK.exe
  C:\Windows\System\pIRlQdK.exe
  2⤵
  PID:11184
- C:\Windows\System\oAbXejM.exe
  C:\Windows\System\oAbXejM.exe
  2⤵
  PID:11204
- C:\Windows\System\vCDTbBB.exe
  C:\Windows\System\vCDTbBB.exe
  2⤵
  PID:11228
- C:\Windows\System\QvWXjlo.exe
  C:\Windows\System\QvWXjlo.exe
  2⤵
  PID:8292
- C:\Windows\System\EHApflC.exe
  C:\Windows\System\EHApflC.exe
  2⤵
  PID:10268
- C:\Windows\System\PXNdQKE.exe
  C:\Windows\System\PXNdQKE.exe
  2⤵
  PID:10372
- C:\Windows\System\JPCoKHb.exe
  C:\Windows\System\JPCoKHb.exe
  2⤵
  PID:10384
- C:\Windows\System\iXzliQh.exe
  C:\Windows\System\iXzliQh.exe
  2⤵
  PID:2512
- C:\Windows\System\SmiImAj.exe
  C:\Windows\System\SmiImAj.exe
  2⤵
  PID:10496
- C:\Windows\System\QDZvPbH.exe
  C:\Windows\System\QDZvPbH.exe
  2⤵
  PID:10620
- C:\Windows\System\SqCXeKl.exe
  C:\Windows\System\SqCXeKl.exe
  2⤵
  PID:10668
- C:\Windows\System\VaMzcuf.exe
  C:\Windows\System\VaMzcuf.exe
  2⤵
  PID:10736
- C:\Windows\System\BBcrvLW.exe
  C:\Windows\System\BBcrvLW.exe
  2⤵
  PID:10772
- C:\Windows\System\hvRalna.exe
  C:\Windows\System\hvRalna.exe
  2⤵
  PID:10820
- C:\Windows\System\CaMDycQ.exe
  C:\Windows\System\CaMDycQ.exe
  2⤵
  PID:9156
- C:\Windows\System\IDpbfAz.exe
  C:\Windows\System\IDpbfAz.exe
  2⤵
  PID:10976
- C:\Windows\System\bmJIjiU.exe
  C:\Windows\System\bmJIjiU.exe
  2⤵
  PID:11044
- C:\Windows\System\AWaCcuT.exe
  C:\Windows\System\AWaCcuT.exe
  2⤵
  PID:11120
- C:\Windows\System\joPSiKJ.exe
  C:\Windows\System\joPSiKJ.exe
  2⤵
  PID:11156
- C:\Windows\System\bUhbFgH.exe
  C:\Windows\System\bUhbFgH.exe
  2⤵
  PID:11180
- C:\Windows\System\JdZWSVo.exe
  C:\Windows\System\JdZWSVo.exe
  2⤵
  PID:11256
- C:\Windows\System\NJnmKTG.exe
  C:\Windows\System\NJnmKTG.exe
  2⤵
  PID:10396
- C:\Windows\System\BgGqiWa.exe
  C:\Windows\System\BgGqiWa.exe
  2⤵
  PID:10456
- C:\Windows\System\vYvOzof.exe
  C:\Windows\System\vYvOzof.exe
  2⤵
  PID:10660
- C:\Windows\System\jTypCdx.exe
  C:\Windows\System\jTypCdx.exe
  2⤵
  PID:10728
- C:\Windows\System\uuxUjrj.exe
  C:\Windows\System\uuxUjrj.exe
  2⤵
  PID:10896
- C:\Windows\System\srrDZCk.exe
  C:\Windows\System\srrDZCk.exe
  2⤵
  PID:10932
- C:\Windows\System\CEsNQGf.exe
  C:\Windows\System\CEsNQGf.exe
  2⤵
  PID:11172
- C:\Windows\System\UhKPbxk.exe
  C:\Windows\System\UhKPbxk.exe
  2⤵
  PID:10344
- C:\Windows\System\stdBzwH.exe
  C:\Windows\System\stdBzwH.exe
  2⤵
  PID:10644
- C:\Windows\System\nyDZTyt.exe
  C:\Windows\System\nyDZTyt.exe
  2⤵
  PID:10712
- C:\Windows\System\EhMZpsb.exe
  C:\Windows\System\EhMZpsb.exe
  2⤵
  PID:11224
- C:\Windows\System\lgcCOQx.exe
  C:\Windows\System\lgcCOQx.exe
  2⤵
  PID:11284
- C:\Windows\System\tDPydAk.exe
  C:\Windows\System\tDPydAk.exe
  2⤵
  PID:11328
- C:\Windows\System\eyuKJzN.exe
  C:\Windows\System\eyuKJzN.exe
  2⤵
  PID:11356
- C:\Windows\System\avoYKMj.exe
  C:\Windows\System\avoYKMj.exe
  2⤵
  PID:11380
- C:\Windows\System\jlbGjBd.exe
  C:\Windows\System\jlbGjBd.exe
  2⤵
  PID:11400
- C:\Windows\System\IUiqBxn.exe
  C:\Windows\System\IUiqBxn.exe
  2⤵
  PID:11428
- C:\Windows\System\fdFjiMS.exe
  C:\Windows\System\fdFjiMS.exe
  2⤵
  PID:11460
- C:\Windows\System\bHZDkxY.exe
  C:\Windows\System\bHZDkxY.exe
  2⤵
  PID:11492
- C:\Windows\System\tEpiMMW.exe
  C:\Windows\System\tEpiMMW.exe
  2⤵
  PID:11520
- C:\Windows\System\bPivUut.exe
  C:\Windows\System\bPivUut.exe
  2⤵
  PID:11548
- C:\Windows\System\mbCuYXZ.exe
  C:\Windows\System\mbCuYXZ.exe
  2⤵
  PID:11576
- C:\Windows\System\NCssPKa.exe
  C:\Windows\System\NCssPKa.exe
  2⤵
  PID:11608
- C:\Windows\System\LQkcJLz.exe
  C:\Windows\System\LQkcJLz.exe
  2⤵
  PID:11632
- C:\Windows\System\rVYGMeH.exe
  C:\Windows\System\rVYGMeH.exe
  2⤵
  PID:11652
- C:\Windows\System\PMxpVsB.exe
  C:\Windows\System\PMxpVsB.exe
  2⤵
  PID:11680
- C:\Windows\System\lLoGtgo.exe
  C:\Windows\System\lLoGtgo.exe
  2⤵
  PID:11696
- C:\Windows\System\kSzpCJv.exe
  C:\Windows\System\kSzpCJv.exe
  2⤵
  PID:11720
- C:\Windows\System\LnjUxdD.exe
  C:\Windows\System\LnjUxdD.exe
  2⤵
  PID:11772
- C:\Windows\System\yjgjtDx.exe
  C:\Windows\System\yjgjtDx.exe
  2⤵
  PID:11792
- C:\Windows\System\IYQPvvY.exe
  C:\Windows\System\IYQPvvY.exe
  2⤵
  PID:11836
- C:\Windows\System\NxUvueR.exe
  C:\Windows\System\NxUvueR.exe
  2⤵
  PID:11856
- C:\Windows\System\DUCYnzh.exe
  C:\Windows\System\DUCYnzh.exe
  2⤵
  PID:11908
- C:\Windows\System\VPCzjIf.exe
  C:\Windows\System\VPCzjIf.exe
  2⤵
  PID:11924
- C:\Windows\System\dBRayWR.exe
  C:\Windows\System\dBRayWR.exe
  2⤵
  PID:11952
- C:\Windows\System\rDUQWZg.exe
  C:\Windows\System\rDUQWZg.exe
  2⤵
  PID:11980
- C:\Windows\System\luaEgAr.exe
  C:\Windows\System\luaEgAr.exe
  2⤵
  PID:12024
- C:\Windows\System\PjEOJay.exe
  C:\Windows\System\PjEOJay.exe
  2⤵
  PID:12044
- C:\Windows\System\dqhZklf.exe
  C:\Windows\System\dqhZklf.exe
  2⤵
  PID:12068
- C:\Windows\System\cerMQSx.exe
  C:\Windows\System\cerMQSx.exe
  2⤵
  PID:12096
- C:\Windows\System\DccdMuE.exe
  C:\Windows\System\DccdMuE.exe
  2⤵
  PID:12136
- C:\Windows\System\twFAXSC.exe
  C:\Windows\System\twFAXSC.exe
  2⤵
  PID:12160
- C:\Windows\System\NLnErqr.exe
  C:\Windows\System\NLnErqr.exe
  2⤵
  PID:12192
- C:\Windows\System\PHHOBuw.exe
  C:\Windows\System\PHHOBuw.exe
  2⤵
  PID:12232
- C:\Windows\System\LGXoYBp.exe
  C:\Windows\System\LGXoYBp.exe
  2⤵
  PID:12248
- C:\Windows\System\LiOOhMO.exe
  C:\Windows\System\LiOOhMO.exe
  2⤵
  PID:12268
- C:\Windows\System\VFebLRq.exe
  C:\Windows\System\VFebLRq.exe
  2⤵
  PID:10964
- C:\Windows\System\anxyHHr.exe
  C:\Windows\System\anxyHHr.exe
  2⤵
  PID:11320
- C:\Windows\System\rNsdMDr.exe
  C:\Windows\System\rNsdMDr.exe
  2⤵
  PID:11376
- C:\Windows\System\QDGjtDg.exe
  C:\Windows\System\QDGjtDg.exe
  2⤵
  PID:11396
- C:\Windows\System\wYQoXGn.exe
  C:\Windows\System\wYQoXGn.exe
  2⤵
  PID:11456
- C:\Windows\System\BURKcsE.exe
  C:\Windows\System\BURKcsE.exe
  2⤵
  PID:11568
- C:\Windows\System\jTwEyeY.exe
  C:\Windows\System\jTwEyeY.exe
  2⤵
  PID:11644
- C:\Windows\System\xhExdXL.exe
  C:\Windows\System\xhExdXL.exe
  2⤵
  PID:11688
- C:\Windows\System\EXyFqbp.exe
  C:\Windows\System\EXyFqbp.exe
  2⤵
  PID:11744
- C:\Windows\System\zGKrzNu.exe
  C:\Windows\System\zGKrzNu.exe
  2⤵
  PID:11848
- C:\Windows\System\IKOXzgm.exe
  C:\Windows\System\IKOXzgm.exe
  2⤵
  PID:1296
- C:\Windows\System\QKVJIXT.exe
  C:\Windows\System\QKVJIXT.exe
  2⤵
  PID:4636
- C:\Windows\System\eSzQojR.exe
  C:\Windows\System\eSzQojR.exe
  2⤵
  PID:3972
- C:\Windows\System\hTneBtW.exe
  C:\Windows\System\hTneBtW.exe
  2⤵
  PID:11920
- C:\Windows\System\sPrTxdK.exe
  C:\Windows\System\sPrTxdK.exe
  2⤵
  PID:11992
- C:\Windows\System\ZkEwcUJ.exe
  C:\Windows\System\ZkEwcUJ.exe
  2⤵
  PID:12040
- C:\Windows\System\bEESdRQ.exe
  C:\Windows\System\bEESdRQ.exe
  2⤵
  PID:12216
- C:\Windows\System\XQRAmcL.exe
  C:\Windows\System\XQRAmcL.exe
  2⤵
  PID:12228
- C:\Windows\System\hpoGOUA.exe
  C:\Windows\System\hpoGOUA.exe
  2⤵
  PID:11344
- C:\Windows\System\BYVciuy.exe
  C:\Windows\System\BYVciuy.exe
  2⤵
  PID:12260
- C:\Windows\System\utOPMcR.exe
  C:\Windows\System\utOPMcR.exe
  2⤵
  PID:11564
- C:\Windows\System\FXcLQZh.exe
  C:\Windows\System\FXcLQZh.exe
  2⤵
  PID:11736
- C:\Windows\System\opJfqQn.exe
  C:\Windows\System\opJfqQn.exe
  2⤵
  PID:11868
- C:\Windows\System\mDUmLwR.exe
  C:\Windows\System\mDUmLwR.exe
  2⤵
  PID:4080
- C:\Windows\System\PNvbpbo.exe
  C:\Windows\System\PNvbpbo.exe
  2⤵
  PID:11948
- C:\Windows\System\chZkisS.exe
  C:\Windows\System\chZkisS.exe
  2⤵
  PID:12224
- C:\Windows\System\QLqUuqn.exe
  C:\Windows\System\QLqUuqn.exe
  2⤵
  PID:12276
- C:\Windows\System\msTzTOt.exe
  C:\Windows\System\msTzTOt.exe
  2⤵
  PID:11448
- C:\Windows\System\VDAHhUE.exe
  C:\Windows\System\VDAHhUE.exe
  2⤵
  PID:11976
- C:\Windows\System\tiPomSd.exe
  C:\Windows\System\tiPomSd.exe
  2⤵
  PID:11712
- C:\Windows\System\dfkBKma.exe
  C:\Windows\System\dfkBKma.exe
  2⤵
  PID:12184
- C:\Windows\System\hpzscnp.exe
  C:\Windows\System\hpzscnp.exe
  2⤵
  PID:12324
- C:\Windows\System\cOcWUbm.exe
  C:\Windows\System\cOcWUbm.exe
  2⤵
  PID:12344
- C:\Windows\System\pKeMUMd.exe
  C:\Windows\System\pKeMUMd.exe
  2⤵
  PID:12360
- C:\Windows\System\FMgPekO.exe
  C:\Windows\System\FMgPekO.exe
  2⤵
  PID:12384
- C:\Windows\System\NkdJEQc.exe
  C:\Windows\System\NkdJEQc.exe
  2⤵
  PID:12404
- C:\Windows\System\PKeNcaI.exe
  C:\Windows\System\PKeNcaI.exe
  2⤵
  PID:12436
- C:\Windows\System\xngPhun.exe
  C:\Windows\System\xngPhun.exe
  2⤵
  PID:12456
- C:\Windows\System\JIPaAHd.exe
  C:\Windows\System\JIPaAHd.exe
  2⤵
  PID:12472
- C:\Windows\System\CQTzkvr.exe
  C:\Windows\System\CQTzkvr.exe
  2⤵
  PID:12492
- C:\Windows\System\KZLvJMz.exe
  C:\Windows\System\KZLvJMz.exe
  2⤵
  PID:12536
- C:\Windows\System\bLLMhUV.exe
  C:\Windows\System\bLLMhUV.exe
  2⤵
  PID:12576
- C:\Windows\System\dYrIrzV.exe
  C:\Windows\System\dYrIrzV.exe
  2⤵
  PID:12616
- C:\Windows\System\htssAdc.exe
  C:\Windows\System\htssAdc.exe
  2⤵
  PID:12656
- C:\Windows\System\bawoHlB.exe
  C:\Windows\System\bawoHlB.exe
  2⤵
  PID:12676
- C:\Windows\System\BKefDoz.exe
  C:\Windows\System\BKefDoz.exe
  2⤵
  PID:12720
- C:\Windows\System\NKdMAPP.exe
  C:\Windows\System\NKdMAPP.exe
  2⤵
  PID:12744
- C:\Windows\System\jrHwmyv.exe
  C:\Windows\System\jrHwmyv.exe
  2⤵
  PID:12776
- C:\Windows\System\RlSwZyC.exe
  C:\Windows\System\RlSwZyC.exe
  2⤵
  PID:12804
- C:\Windows\System\GteGLvA.exe
  C:\Windows\System\GteGLvA.exe
  2⤵
  PID:12824
- C:\Windows\System\HiuZRDY.exe
  C:\Windows\System\HiuZRDY.exe
  2⤵
  PID:12844
- C:\Windows\System\qXVUGLV.exe
  C:\Windows\System\qXVUGLV.exe
  2⤵
  PID:12868
- C:\Windows\System\dsduKxA.exe
  C:\Windows\System\dsduKxA.exe
  2⤵
  PID:12908
- C:\Windows\System\qsNhucU.exe
  C:\Windows\System\qsNhucU.exe
  2⤵
  PID:12928
- C:\Windows\System\PRRQcnC.exe
  C:\Windows\System\PRRQcnC.exe
  2⤵
  PID:12956
- C:\Windows\System\GxTnJSc.exe
  C:\Windows\System\GxTnJSc.exe
  2⤵
  PID:12984
- C:\Windows\System\NHqvZyG.exe
  C:\Windows\System\NHqvZyG.exe
  2⤵
  PID:13000
- C:\Windows\System\esDsaAk.exe
  C:\Windows\System\esDsaAk.exe
  2⤵
  PID:13024
- C:\Windows\System\qGmMHFu.exe
  C:\Windows\System\qGmMHFu.exe
  2⤵
  PID:13052
- C:\Windows\System\ouYTszZ.exe
  C:\Windows\System\ouYTszZ.exe
  2⤵
  PID:13068
- C:\Windows\System\yWxvgcv.exe
  C:\Windows\System\yWxvgcv.exe
  2⤵
  PID:13084
- C:\Windows\System\icEYBoP.exe
  C:\Windows\System\icEYBoP.exe
  2⤵
  PID:13100
- C:\Windows\System\oxQGgiM.exe
  C:\Windows\System\oxQGgiM.exe
  2⤵
  PID:13116
- C:\Windows\System\psZtpSd.exe
  C:\Windows\System\psZtpSd.exe
  2⤵
  PID:13224
- C:\Windows\System\NDOBkwF.exe
  C:\Windows\System\NDOBkwF.exe
  2⤵
  PID:12508
- C:\Windows\System\Yzstxjm.exe
  C:\Windows\System\Yzstxjm.exe
  2⤵
  PID:12668
- C:\Windows\System\FHkmNOn.exe
  C:\Windows\System\FHkmNOn.exe
  2⤵
  PID:12712
- C:\Windows\System\rZVVBdX.exe
  C:\Windows\System\rZVVBdX.exe
  2⤵
  PID:12772
- C:\Windows\System\aCOYAbn.exe
  C:\Windows\System\aCOYAbn.exe
  2⤵
  PID:12796
- C:\Windows\System\bdcLLdq.exe
  C:\Windows\System\bdcLLdq.exe
  2⤵
  PID:12852
- C:\Windows\System\xZrbpBe.exe
  C:\Windows\System\xZrbpBe.exe
  2⤵
  PID:12952
- C:\Windows\System\AwzZlXk.exe
  C:\Windows\System\AwzZlXk.exe
  2⤵
  PID:12972
- C:\Windows\System\wDRCXWV.exe
  C:\Windows\System\wDRCXWV.exe
  2⤵
  PID:13064
- C:\Windows\System\xFZZzdG.exe
  C:\Windows\System\xFZZzdG.exe
  2⤵
  PID:13112
- C:\Windows\System\sJkpXBU.exe
  C:\Windows\System\sJkpXBU.exe
  2⤵
  PID:13144
- C:\Windows\System\pRbJKeV.exe
  C:\Windows\System\pRbJKeV.exe
  2⤵
  PID:13192
- C:\Windows\System\PsshsGW.exe
  C:\Windows\System\PsshsGW.exe
  2⤵
  PID:13236
- C:\Windows\System\awGNLzu.exe
  C:\Windows\System\awGNLzu.exe
  2⤵
  PID:13272
- C:\Windows\System\VqVQPqF.exe
  C:\Windows\System\VqVQPqF.exe
  2⤵
  PID:13268

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4020 -i 4020 -h 412 -j 452 -s 408 -d 0
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3176

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13124

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhc4c3nk.e2j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CratFyO.exe

Filesize
1.9MB

MD5
f49967b639f5f3b1bae1cf54bf0b6784

SHA1
975263f4770bc174d0b08f8fb4fc784fae12347a

SHA256
21b194107191d96d3baba043a876934b64a47fd98c2704a890dfc1f0951b2b4a

SHA512
64b599f05a20526e7fb7e2810c09a94f9cb459b35d91802b2b05631b41f14782c138fe1b6dd5ad593ace9ffe397c60569a6118ef21eb50984945581ffa947c42

Download Submit
C:\Windows\System\DYEVtpV.exe

Filesize
1.9MB

MD5
87670e87ccb2e36c3ed89056e073b303

SHA1
db51aa3672cf55414904de3c1b075271d004efd2

SHA256
77b39c4d8305c84c9e0a7810a9cf58be78e188de74ad8d727a5cc61ca29aa8f4

SHA512
2e94864799c6c4eaca267955784f63393de893a77a1e3f203bd154df17184f5e11789c196577e060e40f71888cfa5e5842d722dc7964f7b0ffb32838d11c354e

Download Submit
C:\Windows\System\EBmvUGR.exe

Filesize
1.9MB

MD5
ca9257641b9cf0048ca2a1d4da393aa5

SHA1
9ccf0470e65feea85c65ee369d61e696c359d8d4

SHA256
ffdde8334eff47740a0bdad390958f67945b14d3d418caf5331bea2a61e85f15

SHA512
1b7dfe068c44ea89bb064da664110a1d7c84c012cdfe100679800596222be005f9880879c75dbeab7a3fb3d6ba62a8e963b7a92d01255659301ae012bf33748a

Download Submit
C:\Windows\System\IEBHrxk.exe

Filesize
1.9MB

MD5
768dedefe21f1cc0b3b78ce88fca5a64

SHA1
4917685f964a2e4ae37c11978fb44c6f427c086f

SHA256
b667a810858a60f51dd8d4a80c121ade1b04d06fa188ce8c508f54192be7f2d5

SHA512
8d18b218054e52596a72dcbbaade368d61c806eb2c9db5b3133f293b0c3fc0d19e6dbdbf0247082822241c48ff485bdece1ef0469d57c98d6007f7277123cc12

Download Submit
C:\Windows\System\LwsQdFl.exe

Filesize
1.9MB

MD5
c7777afad7b52e076cbf1690cce39ec7

SHA1
2e59fb6fab0f2d39d1d388ed6dbb4f245e37f740

SHA256
066d6dc16a5eb8941015b93119bd5ef5b67b4d1ff48eb168076a1e02d763c574

SHA512
479f355c372911b0b71ffb87266a075e607baa320a1b187a99278988a73ef2d4ae492838ae349bafb1f64e83ba4f89691c74f9c352285a7d52428d70f29adc00

Download Submit
C:\Windows\System\MQIaIMP.exe

Filesize
1.9MB

MD5
62efd89d501cdf3c12b5581fcabb7e06

SHA1
c3b030c0b21329a62721fe11286d284bf65d7fef

SHA256
89b51e11a7dc5629519660d872f7e6c5eb64e1cac38c22300c4ce8b484e586d5

SHA512
695dde575b5f7e1ba1a2f0d9ea40751e7e0e6a5557e831da9ae3fc115b8b464baeec9908759c0566951685336620ae51587611f550fb0e01aeb964a20049caad

Download Submit
C:\Windows\System\PVZEMbj.exe

Filesize
1.9MB

MD5
aa4d236f8b14d09b5accf09758be9c06

SHA1
0eb9635632a1be3bae106042e91dabcfad132592

SHA256
e2bae62d95116fecfedc48f2a6db648894bbdf4828c9182d1f7b3e1f5d6d5907

SHA512
6ecc1eca27c6ea789552e74b53107a6ca6d79d6e1ee70299d02b6ee7d8303a4d55a7f78ac1ae0b8f7d5747c2a81ca9b9b715e02046d8b6bb90f22dd5b73918b0

Download Submit
C:\Windows\System\RTyYEQJ.exe

Filesize
1.9MB

MD5
ecfda0d2cadc89b9365bc19b5f4bc6a0

SHA1
8efa45942d9cc4c479a13b94b3b26f1f4ab76110

SHA256
c83ebea1f456b16219d0489fe45fc8f4805706e4428751570a28d89d9d2ddc4c

SHA512
89a5cd8467e6f9840b0726df54956a489a6e1f397c4328df8d94158bf473bda4c28c4c88cca7c185d47d2b271d414a6e74fc1f4d804f59e5ae0eca1db2a05cf4

Download Submit
C:\Windows\System\ReuhPES.exe

Filesize
1.9MB

MD5
01885d62d085492dae9c476032346df2

SHA1
7023f93fc9532bf4886062e05a0dbb32ac7f9f01

SHA256
e0c6425552a764f33b1529f21a88639e8045fac4638ca432e61b0e9f68da2f2f

SHA512
1a50fa8d90ebc3180128fc763f4e0e28955cecb842a1988adc7896a10d9606412d16998af4c71b84653e58ae94d454a3c0c70d936f16b15fa84467d85ab2124f

Download Submit
C:\Windows\System\Sitprkg.exe

Filesize
1.9MB

MD5
635843faa0afc0afd4a92025214262ad

SHA1
29247830f47061c4bb23bc95debb9a5e1d4d8e3f

SHA256
b424e9b56a368b6d31fb179e08f2fe74e41c0f9224898d1751785d436207610b

SHA512
a46554ecabfbc686f594ebcd5885fc24d8529164eeae60d8c3834890dc13769f3797d130909e7acdd6fca4855642f768422b850b3726bf6c8d27f68156667fac

Download Submit
C:\Windows\System\ThAeNhC.exe

Filesize
1.9MB

MD5
3ae6bc6f7c6efb5e3600392d8e358dba

SHA1
b067ab16474a75858f2c7557a94809a787a5222b

SHA256
0b83c83978509451696ac5238ba898ed0311c5d312fceec8ac7a70546ccb176d

SHA512
6211d1799b16e1cefbbc8f514035ff10f87cc6efa2d904dd88ca097caa663135e1e5d1ba4cbc86538ed7c2dcaa39871d6793e33b5ced9414a3563f7010d37173

Download Submit
C:\Windows\System\TlLxGgf.exe

Filesize
1.9MB

MD5
2bc2b1ef9748d77e87c4cfe42bf2fd08

SHA1
a3f62a83d1508e457ec7787231a9104fbe490964

SHA256
dd7ded8cca23f046dbdc5c0cbb558d4efc4b3f0d70bbdfdf5c65a5d6e9b45e0e

SHA512
09a42ca73e091e332d69630203f6c0d0893365a13d09b7ef179635a13f1fc15a5213c81c9394612a0ee3ee804ef1f7f321a78acf44cca2cec7a185636b1fc946

Download Submit
C:\Windows\System\UiSRrwH.exe

Filesize
1.9MB

MD5
06e630f6fe70fa36a340e9f1fb46d3d3

SHA1
36e28b115b223ca76cc2ac0e78fdae567a0ddbd9

SHA256
a547ff9f2230dd90fd60fb2cf1548fd35264bbb5ed00538e68cec88c7736f64b

SHA512
9a5f382ebf18e178f7830d544e3573644b794551c4b9c9d009c89148b9042e677a56023b0b4f44c8a30011d05ee8cda3c9aba6b8e9cfc3d77e1f0468125efe33

Download Submit
C:\Windows\System\YfDpYYh.exe

Filesize
1.9MB

MD5
851ad71bd0cfd915b2ade4ef85b5f410

SHA1
904dd6f41531ce1fb320ab180fe67a534db242f9

SHA256
444c7ac4d3d98ee6e03094ad34dd04faf5b46b0d94038359ca9f5ef7a22d8d50

SHA512
d6a63892fa74615371d1bc3cb391c5846d56d4ec72b7c9fa77ebbc0e3224c019d3a79df8719d1edff963e82a3543f6e03d789add41271d442a44d30859e068a4

Download Submit
C:\Windows\System\ZcQtHxA.exe

Filesize
1.9MB

MD5
ef12ee943d022335ed05481c2082d4a2

SHA1
b7e8d657a82bc3d4cdcbafa245f9e0b1548115b9

SHA256
71e9aaf65f9b4a29b4b73283469080a5e94664be2bb4f94cfe51be6574421b29

SHA512
ca28eab8837db5c032a94c725542b66dba6d6668014e27a6bf59fdfc4ebf7cc171f0d54c3cd6e0e14dbfe57003808e9e8711306139c210cfaaa0c5314da2c64f

Download Submit
C:\Windows\System\aCyjOvh.exe

Filesize
1.9MB

MD5
68930727b2b30c040d1cca2132042cc3

SHA1
7336d7d68ca0e80276a3990de002b8cd1535b4b8

SHA256
b9c76d69c40d883fa5c615e675e828af2d5048b863786bf73b304f2a531a940c

SHA512
e0be0e25c06cfd83a3aef98448366bdbda72deb343e38322522da35ddeea731423fabb2272d573126db9b6618af634f941f6abd8f528da8e1eafb44c8d376453

Download Submit
C:\Windows\System\bNNquqM.exe

Filesize
1.9MB

MD5
9eca4b9109d6711deb914b74bcf1829b

SHA1
72c62e84263687ec3c91a6f95c6af95163ef4600

SHA256
fa5a8a6b953bcdc3d2af71e31c50171b83b7ba3ff8252c75c6c14592837830dc

SHA512
35f6cc545cd2937cfacad73254f0bd805381c2ec53761f75ddbededfc690f85bc6722112a32b0d8c69cf2889560407b7e0460a6a2a9bc32cbd784f16c5c89bb5

Download Submit
C:\Windows\System\bSoVbTH.exe

Filesize
1.9MB

MD5
e67383c850ccfc4f583a38ba5a5581b6

SHA1
5c940e980625f6d450e3d5b7804bbda5f8d8e921

SHA256
6d17ff40749cbd67af700207f6597f9eb7b51930c242037072efa8626d53f25c

SHA512
1ae5e7e0060d7ad8ebcdd0cde27b8f749cf63bfd344b37f9f6930baadd9922b1e4b57b57f28ba34407dff5958730f817816d328c46d56a8c1b75c7ace8b96636

Download Submit
C:\Windows\System\dCSjUfP.exe

Filesize
1.9MB

MD5
0264ab9baecb0e942e9b40c0f92e56cb

SHA1
dd7147cf6c5d65538ee31601d3bddf085d1df553

SHA256
87c04636932620ca5d42136d7198fd0ac731f45dbd91acf55b0b0bc159d40c06

SHA512
7c2da13f8fadeb1c7dfb00ff08b7c5a0ec1b98e51b990a535fe84698b9273a68918bb601ddb418a0c611b43fa30d3d22156092781e4e3051b25d075e5642a89c

Download Submit
C:\Windows\System\dQbsdNZ.exe

Filesize
1.9MB

MD5
77a0a844c1183f7552f14027eaab1ed4

SHA1
fe13654ed0698f477bbb05d6135c4f531312225a

SHA256
6fdddd548afc41d44b6c29327ba0f8b718dfb969680e0c17fb3edf9c3b012dbc

SHA512
75bcd274879519d642293a037477e3991110261c2bf4c00142d229c3dfdd901908ca1b4b9d0f2d8f3709fca42afa9564115d56e149d3b4ef2d5319cc94e20b6d

Download Submit
C:\Windows\System\fHwUTlZ.exe

Filesize
1.9MB

MD5
a0b653414a8dd42f9f4a0bd1d274eb8e

SHA1
2e7cce6f3830133404451c8369d020e6040d7b8d

SHA256
f42c5075a770eabe36ebad59167529abe4c6bea684c8690329bdd135bdaa955f

SHA512
8719f56ca539b0cba5c2acf81ae990e9e288627ad941baac9b5c366f3c6316575722195fa23b1bfb141c90055f8eb90ed2cf1bc1cbef419dc6c4e01bc2a1ca51

Download Submit
C:\Windows\System\fLAUFBV.exe

Filesize
8B

MD5
a8f2921c80c15a3d426e5fdff8a56196

SHA1
4dc21bf95e22427a9dafcd4930e81b62e77d5fda

SHA256
7e9bbeeba45dae16f8c444596ee4180d7313e899e46fa6263fde6904f32d92a1

SHA512
996666f646b1878ee129a778184f9520541ee458797b8bfaefed6e1f152a5436e0ff19d28744463b706ffe3e24e429f5af102aa1e7733dbeeb6210754c828802

Download Submit
C:\Windows\System\fulVIDA.exe

Filesize
1.9MB

MD5
f51df90e6ac67ce2b88c764b131da4c3

SHA1
3a30a7e457f28b5fccd218e65b10c3819bbed1fe

SHA256
c92b025a9459ab178a00b0e36f786c17852ae7e404993a1545354b30c2c19e76

SHA512
337179ee32f41c819e20994c0b8ebc7662d7d666629be2100ddd131e5bfe1bac91c68cef929966bd4c517593c74b3bcf447b57932094e152ff87fd5e4757b96b

Download Submit
C:\Windows\System\iTRFxBB.exe

Filesize
1.9MB

MD5
7c6668527c6a4f85bd6874855ca07b2e

SHA1
c4305b75fe6b0ae331b97247ff034c6e61fad035

SHA256
d7be2ac23657d2ad759e195866f97700ca56852c42146350251564064df8bb7e

SHA512
ce5ddf457da79ac077cec3c94ba202dbf142d6c02aa80be21405defcd83916923beff888e6463cd83815b5e7a8616bb7ad4ce63824e50ad6c393b9953087e872

Download Submit
C:\Windows\System\jDUtnnW.exe

Filesize
1.9MB

MD5
aeaf7eae4f6d2a43607bfabca663720c

SHA1
65f862cb0ffa579ce63d83398dde3591514279f3

SHA256
9a6756b0266d6b7eab49d0cdd5ccc7a026a423ac1fdbceca1b92cf416fbf6f6a

SHA512
b408897d7cac3681351d68c1337253c523ca230068af1d38e04300afb24af14fcd307e21f73bf99d5da2eca48257576478c94626351d68dc16326b5b9c1d81cc

Download Submit
C:\Windows\System\kTTUNrL.exe

Filesize
1.9MB

MD5
94ad8fdc93700365b30f43d2cd2e2b64

SHA1
5f1bc85743ba082a0b477ec6c2da25f060a00c4f

SHA256
7b0ae2a2f012e1ae3d2cd735010c1abafde493620d150e836d9e83215f2d8ef9

SHA512
a178a8b38a7a57019314e38213436a113e7ee41ceccdd6cf7633aa4774ea3878ae6c677382d3e46f5830257dc56d55b55a4d4763c008d7b2efbb9ad072244e18

Download Submit
C:\Windows\System\kiTMwxa.exe

Filesize
1.9MB

MD5
31c3eed55a75fc0f691dc871ace6d593

SHA1
5d6003ac9fb2697b07560394241cd6875a6c1851

SHA256
7cae6ee440f78f9f6978d015eb628ea180b8bf514b04fe1e66c917b5ededf50b

SHA512
cd903d7daa578273955d30e1f8ed8177e1d292572d17c8dac10ac9f1aa7b3b848c21859f6e2af282ffe23e898c4e60305597343def7ae734e599f6dd9a0894c8

Download Submit
C:\Windows\System\nlEvZUs.exe

Filesize
1.9MB

MD5
ebfb3231f5183ee93807b114c73170b1

SHA1
286570910f771dd541f8b8a4ba243076b44e5c16

SHA256
c08a7f2e8b25b65cca6d5e7d28afffee012f5d768c3d663d49b5a1e871f0a9fb

SHA512
aeaa29f11a066c61c832c93b187cdaa5e33ab8bfc1413a054770d18aa7a12dc25555339df030eae9ece58d0229dc523eaab2d00c81473c6d3d696cc151c8141d

Download Submit
C:\Windows\System\oRCIPWh.exe

Filesize
1.9MB

MD5
7522a0ada037605369fe1536ad2abf56

SHA1
8d6113e4c2d2ff376fbdd836a5e0ee07584c230b

SHA256
d959c2298976a3e90a6df506f7319bb9cd2f2fd5c4e59238411e368d3159153f

SHA512
6fc30bda26e5e35f30f56a41ca8c41ddc5a4a3c13cdac4a551d106aa214dea869b9cad3c5204d70ee756c907337a051e380940b9bfc832464d6e0cd1710c702e

Download Submit
C:\Windows\System\ptuydTw.exe

Filesize
1.9MB

MD5
fb73337ccba4b291279ce7160226cfb0

SHA1
074ff777aa4f8cbbf8e7fdec7a9e0f45ba46c936

SHA256
0fe4add65e5a3fb9cfbee01a82ef6f414b3662f7aa1c1fe20b226e3f8cff333b

SHA512
a22fcca88e283ffa743b7e6d33190d5e9a524d77635c5815d775ba166942a2a4d17cd58bed05aa6c1a36cf5722d22bb49255083b45a3db5431652cc5762ff37c

Download Submit
C:\Windows\System\qnHnRnZ.exe

Filesize
1.9MB

MD5
af547dbc02f436cf907c527e346bf280

SHA1
2ee7249367ba61bdb700f3f4d17e97084d2e2930

SHA256
498a845d206f412437156c4f2a74b416a1de2583f6fa226bacb8a0c34634d3d2

SHA512
0b6a57f9351cc0e9566bef597258b50b26aa8fc30765d4986584013c8745da9eede1a7515d5ce329754b2fcde324bed7f4978e16dff00a7cdf2dde95aa7c1fae

Download Submit
C:\Windows\System\qqyrTpd.exe

Filesize
1.9MB

MD5
a7b7320270a2640b10597e9bd0ff4e8f

SHA1
ea94741b38d8213cf1404c4b43b539c23e0cd3b9

SHA256
9455d98667004c265ea3574a6e014273535a24d0a169edc5b38903cdb4d0fe10

SHA512
598df9c9815191190ac522ebb69d58350254cddb85a29a6bc3f6368d60ed36457ac12a4ba41cb915efc445184f581bbd53bc29f33a4014f58ec934f3503a6b1d

Download Submit
C:\Windows\System\rFeGckd.exe

Filesize
1.9MB

MD5
aa01c958661c56f731f0b45cc41fb2d4

SHA1
f5d8ce1fa9dd0e464828cacd9501bcfa17406af3

SHA256
c55e720bea7870c929b7f1e695749ffc50180e14f243dc1f0758d2272faa281c

SHA512
1c270a366c4113244fd46f1a9ffe54eda34a3040dd53b3f9e79815e974c03f0f74e28e061ce2aaa7390beeab8343c6d4688c6200b479a028cea534bda566b26d

Download Submit
C:\Windows\System\yQTphEk.exe

Filesize
1.9MB

MD5
d3f1ebe1297454d9e91d704b83924382

SHA1
dd2311f688c071884d3d4f0605e8e5cc75c0ad2c

SHA256
df5f6358662b68c60485fad7fce706dd49b76192a3be2b10e97c7f7a670d84a8

SHA512
463091ae2a5f0bd1956aebdcce1766c9993fe6c256059b66ebb80f20211c0d559d8b938152cc1b97493d4279609dd17837e3936a32834850bc1e867ac7bb6b8e

Download Submit
memory/880-2147-0x00007FF72E5E0000-0x00007FF72E9D2000-memory.dmp

Filesize
3.9MB

Download
memory/880-87-0x00007FF72E5E0000-0x00007FF72E9D2000-memory.dmp

Filesize
3.9MB

Download
memory/880-2128-0x00007FF72E5E0000-0x00007FF72E9D2000-memory.dmp

Filesize
3.9MB

Download
memory/1556-2136-0x00007FF7DFDC0000-0x00007FF7E01B2000-memory.dmp

Filesize
3.9MB

Download
memory/1556-50-0x00007FF7DFDC0000-0x00007FF7E01B2000-memory.dmp

Filesize
3.9MB

Download
memory/1996-537-0x00007FF68D6E0000-0x00007FF68DAD2000-memory.dmp

Filesize
3.9MB

Download
memory/1996-2164-0x00007FF68D6E0000-0x00007FF68DAD2000-memory.dmp

Filesize
3.9MB

Download
memory/2176-534-0x00007FF608530000-0x00007FF608922000-memory.dmp

Filesize
3.9MB

Download
memory/2176-2149-0x00007FF608530000-0x00007FF608922000-memory.dmp

Filesize
3.9MB

Download
memory/2492-533-0x00007FF79C1B0000-0x00007FF79C5A2000-memory.dmp

Filesize
3.9MB

Download
memory/2492-2154-0x00007FF79C1B0000-0x00007FF79C5A2000-memory.dmp

Filesize
3.9MB

Download
memory/2616-2151-0x00007FF63E680000-0x00007FF63EA72000-memory.dmp

Filesize
3.9MB

Download
memory/2616-531-0x00007FF63E680000-0x00007FF63EA72000-memory.dmp

Filesize
3.9MB

Download
memory/2776-88-0x00007FF7AFC00000-0x00007FF7AFFF2000-memory.dmp

Filesize
3.9MB

Download
memory/2776-2152-0x00007FF7AFC00000-0x00007FF7AFFF2000-memory.dmp

Filesize
3.9MB

Download
memory/2780-18-0x00007FF6F3BC0000-0x00007FF6F3FB2000-memory.dmp

Filesize
3.9MB

Download
memory/2780-2132-0x00007FF6F3BC0000-0x00007FF6F3FB2000-memory.dmp

Filesize
3.9MB

Download
memory/3044-542-0x00007FF667C00000-0x00007FF667FF2000-memory.dmp

Filesize
3.9MB

Download
memory/3044-2160-0x00007FF667C00000-0x00007FF667FF2000-memory.dmp

Filesize
3.9MB

Download
memory/3424-2162-0x00007FF7ED000000-0x00007FF7ED3F2000-memory.dmp

Filesize
3.9MB

Download
memory/3424-536-0x00007FF7ED000000-0x00007FF7ED3F2000-memory.dmp

Filesize
3.9MB

Download
memory/3480-66-0x00007FF7B3F70000-0x00007FF7B4362000-memory.dmp

Filesize
3.9MB

Download
memory/3480-2142-0x00007FF7B3F70000-0x00007FF7B4362000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2138-0x00007FF66CD60000-0x00007FF66D152000-memory.dmp

Filesize
3.9MB

Download
memory/3508-59-0x00007FF66CD60000-0x00007FF66D152000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2127-0x00007FF66CD60000-0x00007FF66D152000-memory.dmp

Filesize
3.9MB

Download
memory/3544-540-0x00007FF7B1F40000-0x00007FF7B2332000-memory.dmp

Filesize
3.9MB

Download
memory/3544-2177-0x00007FF7B1F40000-0x00007FF7B2332000-memory.dmp

Filesize
3.9MB

Download
memory/3748-2179-0x00007FF7C78B0000-0x00007FF7C7CA2000-memory.dmp

Filesize
3.9MB

Download
memory/3748-539-0x00007FF7C78B0000-0x00007FF7C7CA2000-memory.dmp

Filesize
3.9MB

Download
memory/3968-2130-0x00007FF706E20000-0x00007FF707212000-memory.dmp

Filesize
3.9MB

Download
memory/3968-20-0x00007FF706E20000-0x00007FF707212000-memory.dmp

Filesize
3.9MB

Download
memory/3992-2158-0x00007FF7EF780000-0x00007FF7EFB72000-memory.dmp

Filesize
3.9MB

Download
memory/3992-541-0x00007FF7EF780000-0x00007FF7EFB72000-memory.dmp

Filesize
3.9MB

Download
memory/4268-2166-0x00007FF6BCAD0000-0x00007FF6BCEC2000-memory.dmp

Filesize
3.9MB

Download
memory/4268-538-0x00007FF6BCAD0000-0x00007FF6BCEC2000-memory.dmp

Filesize
3.9MB

Download
memory/4280-2156-0x00007FF7D6AF0000-0x00007FF7D6EE2000-memory.dmp

Filesize
3.9MB

Download
memory/4280-535-0x00007FF7D6AF0000-0x00007FF7D6EE2000-memory.dmp

Filesize
3.9MB

Download
memory/4400-1-0x0000026EE6270000-0x0000026EE6280000-memory.dmp

Filesize
64KB

Download
memory/4400-2092-0x00007FF79A4A0000-0x00007FF79A892000-memory.dmp

Filesize
3.9MB

Download
memory/4400-0-0x00007FF79A4A0000-0x00007FF79A892000-memory.dmp

Filesize
3.9MB

Download
memory/4464-77-0x00007FF75CDE0000-0x00007FF75D1D2000-memory.dmp

Filesize
3.9MB

Download
memory/4464-2140-0x00007FF75CDE0000-0x00007FF75D1D2000-memory.dmp

Filesize
3.9MB

Download
memory/4764-13-0x00007FFA894D0000-0x00007FFA89F91000-memory.dmp

Filesize
10.8MB

Download
memory/4764-14-0x00000281F1F10000-0x00000281F1F20000-memory.dmp

Filesize
64KB

Download
memory/4764-15-0x00000281F1F10000-0x00000281F1F20000-memory.dmp

Filesize
64KB

Download
memory/4764-52-0x00000281F41D0000-0x00000281F41F2000-memory.dmp

Filesize
136KB

Download
memory/5056-2145-0x00007FF7E27F0000-0x00007FF7E2BE2000-memory.dmp

Filesize
3.9MB

Download
memory/5056-83-0x00007FF7E27F0000-0x00007FF7E2BE2000-memory.dmp

Filesize
3.9MB

Download
memory/5076-32-0x00007FF79B4C0000-0x00007FF79B8B2000-memory.dmp

Filesize
3.9MB

Download
memory/5076-2135-0x00007FF79B4C0000-0x00007FF79B8B2000-memory.dmp

Filesize
3.9MB

Download