xmrig | 27c4562db25500ad05545d81508d7db103cd16e42436ade48d8517b35b154c88

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 04:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
Size

2.2MB
MD5

0b0fa200d65a38454bf1859a83e06ecf
SHA1

bc0464730cc58c57baafae5c49e30b5b96b69194
SHA256

27c4562db25500ad05545d81508d7db103cd16e42436ade48d8517b35b154c88
SHA512

c6fc8033b8c9ba8cbf33f748e79ce3b46e1165cf22d999be0251914f4ac9ad3b5bca2af2c6c7aab5c29137b6b755268e516d99e21c40a659fd4bb040e726df5d
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1VQx7Va4qrf/:NABw

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral2/memory/2832-12-0x00007FF6628C0000-0x00007FF662CB2000-memory.dmp	xmrig
behavioral2/memory/2128-57-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp	xmrig
behavioral2/memory/1964-546-0x00007FF71C1E0000-0x00007FF71C5D2000-memory.dmp	xmrig
behavioral2/memory/4016-547-0x00007FF7FE480000-0x00007FF7FE872000-memory.dmp	xmrig
behavioral2/memory/4060-54-0x00007FF740D30000-0x00007FF741122000-memory.dmp	xmrig
behavioral2/memory/3168-46-0x00007FF6ADBD0000-0x00007FF6ADFC2000-memory.dmp	xmrig
behavioral2/memory/2692-42-0x00007FF6ECE40000-0x00007FF6ED232000-memory.dmp	xmrig
behavioral2/memory/4432-41-0x00007FF650E00000-0x00007FF6511F2000-memory.dmp	xmrig
behavioral2/memory/624-549-0x00007FF7BB970000-0x00007FF7BBD62000-memory.dmp	xmrig
behavioral2/memory/4856-551-0x00007FF61A2A0000-0x00007FF61A692000-memory.dmp	xmrig
behavioral2/memory/4496-550-0x00007FF705D20000-0x00007FF706112000-memory.dmp	xmrig
behavioral2/memory/2816-553-0x00007FF61E9E0000-0x00007FF61EDD2000-memory.dmp	xmrig
behavioral2/memory/5040-555-0x00007FF7A7F90000-0x00007FF7A8382000-memory.dmp	xmrig
behavioral2/memory/1000-556-0x00007FF67ABE0000-0x00007FF67AFD2000-memory.dmp	xmrig
behavioral2/memory/3480-557-0x00007FF7F1F80000-0x00007FF7F2372000-memory.dmp	xmrig
behavioral2/memory/2220-554-0x00007FF7F76B0000-0x00007FF7F7AA2000-memory.dmp	xmrig
behavioral2/memory/3120-552-0x00007FF6EF0A0000-0x00007FF6EF492000-memory.dmp	xmrig
behavioral2/memory/876-548-0x00007FF766B60000-0x00007FF766F52000-memory.dmp	xmrig
behavioral2/memory/2128-3066-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp	xmrig
behavioral2/memory/2836-4065-0x00007FF768A20000-0x00007FF768E12000-memory.dmp	xmrig
behavioral2/memory/2832-4207-0x00007FF6628C0000-0x00007FF662CB2000-memory.dmp	xmrig
behavioral2/memory/4060-4213-0x00007FF740D30000-0x00007FF741122000-memory.dmp	xmrig
behavioral2/memory/2692-4235-0x00007FF6ECE40000-0x00007FF6ED232000-memory.dmp	xmrig
behavioral2/memory/3168-4238-0x00007FF6ADBD0000-0x00007FF6ADFC2000-memory.dmp	xmrig
behavioral2/memory/4812-4250-0x00007FF79B980000-0x00007FF79BD72000-memory.dmp	xmrig
behavioral2/memory/2128-4248-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp	xmrig
behavioral2/memory/2412-4253-0x00007FF693BE0000-0x00007FF693FD2000-memory.dmp	xmrig
behavioral2/memory/1964-4260-0x00007FF71C1E0000-0x00007FF71C5D2000-memory.dmp	xmrig
behavioral2/memory/4016-4265-0x00007FF7FE480000-0x00007FF7FE872000-memory.dmp	xmrig
behavioral2/memory/624-4276-0x00007FF7BB970000-0x00007FF7BBD62000-memory.dmp	xmrig
behavioral2/memory/3120-4292-0x00007FF6EF0A0000-0x00007FF6EF492000-memory.dmp	xmrig
behavioral2/memory/4856-4287-0x00007FF61A2A0000-0x00007FF61A692000-memory.dmp	xmrig
behavioral2/memory/4496-4283-0x00007FF705D20000-0x00007FF706112000-memory.dmp	xmrig
behavioral2/memory/876-4271-0x00007FF766B60000-0x00007FF766F52000-memory.dmp	xmrig
behavioral2/memory/2220-4302-0x00007FF7F76B0000-0x00007FF7F7AA2000-memory.dmp	xmrig
behavioral2/memory/3480-4318-0x00007FF7F1F80000-0x00007FF7F2372000-memory.dmp	xmrig
behavioral2/memory/1000-4311-0x00007FF67ABE0000-0x00007FF67AFD2000-memory.dmp	xmrig
behavioral2/memory/5040-4306-0x00007FF7A7F90000-0x00007FF7A8382000-memory.dmp	xmrig
behavioral2/memory/2816-4298-0x00007FF61E9E0000-0x00007FF61EDD2000-memory.dmp	xmrig
behavioral2/memory/2836-4902-0x00007FF768A20000-0x00007FF768E12000-memory.dmp	xmrig
behavioral2/memory/4104-4919-0x00007FF62A0D0000-0x00007FF62A4C2000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2832	stdyZUF.exe
4060	RHElwIp.exe
4432	ftcdIfo.exe
2692	RVNFETJ.exe
3168	xieZhcc.exe
2128	PRcovzA.exe
2412	KQqSTfe.exe
4812	jnqKIsl.exe
2836	nQvcNGA.exe
1964	sABysjj.exe
4016	OVVKcIU.exe
876	tFTYoPF.exe
624	WCoMjoC.exe
4496	McFyAKE.exe
4856	uBjCEAB.exe
3120	lCLzzEq.exe
2816	lLHBpfc.exe
2220	NIgFzkw.exe
5040	IvbjJZy.exe
1000	mBgpdUN.exe
3480	DGmgNkL.exe
868	evWYKJY.exe
912	sCJstBA.exe
4364	StBZOiV.exe
4712	NGMQNAC.exe
512	FwURhiz.exe
3928	kvSUpxa.exe
3524	BqQEiCf.exe
1728	xbsraMz.exe
3500	iyGhOMI.exe
2980	dOmXiRE.exe
2976	SbnaCJP.exe
2040	fVQjMPP.exe
3512	AVhGZhp.exe
3600	lefhjTt.exe
5116	qyOTuIN.exe
3116	ssyuPuh.exe
2288	QntAQap.exe
4504	qnyOQPM.exe
2716	MesunWH.exe
2728	PmeKlmw.exe
3880	oPDVpyX.exe
4896	ZUiTuQm.exe
1608	jDhhOBs.exe
2868	vhfYpOQ.exe
1932	QbgbnWj.exe
2684	pfkGfHW.exe
5092	jbRoWPv.exe
4240	fnxqMYD.exe
4480	PIekQrW.exe
4084	KHAFNQz.exe
3968	HZHImjs.exe
2796	LzFqgVb.exe
3944	CoCkCuy.exe
3208	SVZebjx.exe
4472	OuAPZCi.exe
2140	wxCUhIv.exe
5064	wczbmWG.exe
2180	yDchYsk.exe
3404	SSwgjhH.exe
4808	spRUMQR.exe
1532	voOaHuG.exe
4604	OESHVuZ.exe
5044	wybMKJk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4104-0-0x00007FF62A0D0000-0x00007FF62A4C2000-memory.dmp	upx
behavioral2/files/0x000d000000023b22-5.dat	upx
behavioral2/files/0x000b000000023b89-13.dat	upx
behavioral2/memory/2832-12-0x00007FF6628C0000-0x00007FF662CB2000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-18.dat	upx
behavioral2/files/0x000a000000023b8b-36.dat	upx
behavioral2/files/0x000a000000023b8c-25.dat	upx
behavioral2/files/0x000b000000023b8e-51.dat	upx
behavioral2/files/0x000b000000023b8f-56.dat	upx
behavioral2/memory/2128-57-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp	upx
behavioral2/memory/4812-66-0x00007FF79B980000-0x00007FF79BD72000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-72.dat	upx
behavioral2/files/0x000a000000023b95-94.dat	upx
behavioral2/files/0x000a000000023b97-104.dat	upx
behavioral2/files/0x000a000000023b99-114.dat	upx
behavioral2/files/0x000a000000023b9e-139.dat	upx
behavioral2/files/0x000a000000023ba2-165.dat	upx
behavioral2/memory/1964-546-0x00007FF71C1E0000-0x00007FF71C5D2000-memory.dmp	upx
behavioral2/memory/4016-547-0x00007FF7FE480000-0x00007FF7FE872000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-184.dat	upx
behavioral2/files/0x000a000000023ba6-181.dat	upx
behavioral2/files/0x000a000000023ba5-179.dat	upx
behavioral2/files/0x000a000000023ba4-175.dat	upx
behavioral2/files/0x000a000000023ba3-169.dat	upx
behavioral2/files/0x000a000000023ba1-162.dat	upx
behavioral2/files/0x000a000000023ba0-157.dat	upx
behavioral2/files/0x000a000000023b9f-152.dat	upx
behavioral2/files/0x000a000000023b9d-142.dat	upx
behavioral2/files/0x000a000000023b9c-137.dat	upx
behavioral2/files/0x000a000000023b9b-132.dat	upx
behavioral2/files/0x000a000000023b9a-127.dat	upx
behavioral2/files/0x000a000000023b98-117.dat	upx
behavioral2/files/0x000a000000023b96-107.dat	upx
behavioral2/files/0x000a000000023b94-97.dat	upx
behavioral2/files/0x000a000000023b93-89.dat	upx
behavioral2/files/0x000a000000023b92-85.dat	upx
behavioral2/files/0x000d000000023b83-79.dat	upx
behavioral2/files/0x000a000000023b90-70.dat	upx
behavioral2/memory/2836-69-0x00007FF768A20000-0x00007FF768E12000-memory.dmp	upx
behavioral2/memory/2412-60-0x00007FF693BE0000-0x00007FF693FD2000-memory.dmp	upx
behavioral2/memory/4060-54-0x00007FF740D30000-0x00007FF741122000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-49.dat	upx
behavioral2/memory/3168-46-0x00007FF6ADBD0000-0x00007FF6ADFC2000-memory.dmp	upx
behavioral2/memory/2692-42-0x00007FF6ECE40000-0x00007FF6ED232000-memory.dmp	upx
behavioral2/memory/4432-41-0x00007FF650E00000-0x00007FF6511F2000-memory.dmp	upx
behavioral2/memory/624-549-0x00007FF7BB970000-0x00007FF7BBD62000-memory.dmp	upx
behavioral2/memory/4856-551-0x00007FF61A2A0000-0x00007FF61A692000-memory.dmp	upx
behavioral2/memory/4496-550-0x00007FF705D20000-0x00007FF706112000-memory.dmp	upx
behavioral2/memory/2816-553-0x00007FF61E9E0000-0x00007FF61EDD2000-memory.dmp	upx
behavioral2/memory/5040-555-0x00007FF7A7F90000-0x00007FF7A8382000-memory.dmp	upx
behavioral2/memory/1000-556-0x00007FF67ABE0000-0x00007FF67AFD2000-memory.dmp	upx
behavioral2/memory/3480-557-0x00007FF7F1F80000-0x00007FF7F2372000-memory.dmp	upx
behavioral2/memory/2220-554-0x00007FF7F76B0000-0x00007FF7F7AA2000-memory.dmp	upx
behavioral2/memory/3120-552-0x00007FF6EF0A0000-0x00007FF6EF492000-memory.dmp	upx
behavioral2/memory/876-548-0x00007FF766B60000-0x00007FF766F52000-memory.dmp	upx
behavioral2/memory/2128-3066-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp	upx
behavioral2/memory/2836-4065-0x00007FF768A20000-0x00007FF768E12000-memory.dmp	upx
behavioral2/memory/2832-4207-0x00007FF6628C0000-0x00007FF662CB2000-memory.dmp	upx
behavioral2/memory/4060-4213-0x00007FF740D30000-0x00007FF741122000-memory.dmp	upx
behavioral2/memory/2692-4235-0x00007FF6ECE40000-0x00007FF6ED232000-memory.dmp	upx
behavioral2/memory/3168-4238-0x00007FF6ADBD0000-0x00007FF6ADFC2000-memory.dmp	upx
behavioral2/memory/4812-4250-0x00007FF79B980000-0x00007FF79BD72000-memory.dmp	upx
behavioral2/memory/2128-4248-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp	upx
behavioral2/memory/2412-4253-0x00007FF693BE0000-0x00007FF693FD2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\BbMpJxp.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\zpKATht.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\ZFiXluK.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\rhTQubg.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\efYQCgf.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\SSwgjhH.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\TjWkCIW.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\VEghUdR.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\jlwGNSJ.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\kZvpCav.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\bcxSKmg.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\qwsPqcT.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\aTqocUy.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\jJvVrrw.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\nFsnVXS.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\gYUAcXy.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\SFPPQIq.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\BrUYzKp.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\YUXaAEo.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\TPCHgsw.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\TSwPejq.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\efjLPrr.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\FnHOzft.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\ydiMOuC.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\erhcbzT.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\lefTvRh.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\BpQXmVI.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\jfVMgyE.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\ebEARJj.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\XltLezT.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\VZiUzkW.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\YjkGBTa.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\aQXpjGP.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\MPrvqGi.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\fvvBJng.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\iPydxsV.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\iWAhNtD.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\DdTzOnb.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\zhJjaxJ.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\RjzCPEb.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\DRflOFT.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\IaLoBIo.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\HVxxrIN.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\Vtsrfmv.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\QAfryCM.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\DMElHBz.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\ThpBCtV.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\pWiGsDR.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\FUpznzh.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\VxxzZFb.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\WobnsBF.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\adDKrFt.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\RPGVcBe.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\iuqyBxk.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\mcpSbsr.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\PCiVNzO.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\CfVqiat.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\GhPvimU.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\xbsraMz.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\oBMyIrH.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\elInNgr.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\bFiKHQV.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\LyDxSBL.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
File created	C:\Windows\System\KSCmefb.exe	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3420	powershell.exe
3420	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
4992	Process not Found
2660	Process not Found
4072	Process not Found
2832	Process not Found
4060	Process not Found
4432	Process not Found
2692	Process not Found
3168	Process not Found
5952	Process not Found
2448	Process not Found
944	Process not Found
2128	Process not Found
2412	Process not Found
2012	Process not Found
2836	Process not Found
1964	Process not Found
4016	Process not Found
876	Process not Found
624	Process not Found
4496	Process not Found
4856	Process not Found
3120	Process not Found
2816	Process not Found
2220	Process not Found
5040	Process not Found
1000	Process not Found
3480	Process not Found
868	Process not Found
912	Process not Found
4364	Process not Found
4712	Process not Found
512	Process not Found
3928	Process not Found
3524	Process not Found
1728	Process not Found
3500	Process not Found
2980	Process not Found
2976	Process not Found
6772	Process not Found
2040	Process not Found
3512	Process not Found
3600	Process not Found
5116	Process not Found
3116	Process not Found
2288	Process not Found
4504	Process not Found
2716	Process not Found
2728	Process not Found
3880	Process not Found
4896	Process not Found
1608	Process not Found
2868	Process not Found
1932	Process not Found
2684	Process not Found
5092	Process not Found
4240	Process not Found
4480	Process not Found
4084	Process not Found
3968	Process not Found
2796	Process not Found
3944	Process not Found
3208	Process not Found
4472	Process not Found
2140	Process not Found

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeLockMemoryPrivilege	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4624	dwm.exe
Token: SeChangeNotifyPrivilege	4624	dwm.exe
Token: 33	4624	dwm.exe
Token: SeIncBasePriorityPrivilege	4624	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4932	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 3420	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	86
PID 4104 wrote to memory of 3420	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	86
PID 4104 wrote to memory of 2832	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	87
PID 4104 wrote to memory of 2832	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	87
PID 4104 wrote to memory of 4060	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	88
PID 4104 wrote to memory of 4060	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	88
PID 4104 wrote to memory of 4432	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	89
PID 4104 wrote to memory of 4432	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	89
PID 4104 wrote to memory of 3168	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	90
PID 4104 wrote to memory of 3168	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	90
PID 4104 wrote to memory of 2692	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	91
PID 4104 wrote to memory of 2692	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	91
PID 4104 wrote to memory of 2128	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	92
PID 4104 wrote to memory of 2128	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	92
PID 4104 wrote to memory of 2412	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	93
PID 4104 wrote to memory of 2412	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	93
PID 4104 wrote to memory of 4812	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	94
PID 4104 wrote to memory of 4812	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	94
PID 4104 wrote to memory of 2836	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	95
PID 4104 wrote to memory of 2836	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	95
PID 4104 wrote to memory of 1964	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	96
PID 4104 wrote to memory of 1964	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	96
PID 4104 wrote to memory of 4016	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	97
PID 4104 wrote to memory of 4016	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	97
PID 4104 wrote to memory of 876	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	98
PID 4104 wrote to memory of 876	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	98
PID 4104 wrote to memory of 624	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	99
PID 4104 wrote to memory of 624	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	99
PID 4104 wrote to memory of 4496	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	100
PID 4104 wrote to memory of 4496	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	100
PID 4104 wrote to memory of 4856	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	101
PID 4104 wrote to memory of 4856	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	101
PID 4104 wrote to memory of 3120	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	102
PID 4104 wrote to memory of 3120	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	102
PID 4104 wrote to memory of 2816	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	103
PID 4104 wrote to memory of 2816	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	103
PID 4104 wrote to memory of 2220	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	104
PID 4104 wrote to memory of 2220	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	104
PID 4104 wrote to memory of 5040	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	105
PID 4104 wrote to memory of 5040	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	105
PID 4104 wrote to memory of 1000	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	106
PID 4104 wrote to memory of 1000	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	106
PID 4104 wrote to memory of 3480	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	107
PID 4104 wrote to memory of 3480	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	107
PID 4104 wrote to memory of 868	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	108
PID 4104 wrote to memory of 868	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	108
PID 4104 wrote to memory of 912	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	109
PID 4104 wrote to memory of 912	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	109
PID 4104 wrote to memory of 4364	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	110
PID 4104 wrote to memory of 4364	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	110
PID 4104 wrote to memory of 4712	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	111
PID 4104 wrote to memory of 4712	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	111
PID 4104 wrote to memory of 512	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	112
PID 4104 wrote to memory of 512	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	112
PID 4104 wrote to memory of 3928	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	113
PID 4104 wrote to memory of 3928	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	113
PID 4104 wrote to memory of 3524	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	114
PID 4104 wrote to memory of 3524	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	114
PID 4104 wrote to memory of 1728	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	115
PID 4104 wrote to memory of 1728	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	115
PID 4104 wrote to memory of 3500	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	116
PID 4104 wrote to memory of 3500	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	116
PID 4104 wrote to memory of 2980	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	117
PID 4104 wrote to memory of 2980	4104	0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b0fa200d65a38454bf1859a83e06ecf_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\System\stdyZUF.exe
  C:\Windows\System\stdyZUF.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\RHElwIp.exe
  C:\Windows\System\RHElwIp.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\ftcdIfo.exe
  C:\Windows\System\ftcdIfo.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\xieZhcc.exe
  C:\Windows\System\xieZhcc.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\RVNFETJ.exe
  C:\Windows\System\RVNFETJ.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\PRcovzA.exe
  C:\Windows\System\PRcovzA.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\KQqSTfe.exe
  C:\Windows\System\KQqSTfe.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\jnqKIsl.exe
  C:\Windows\System\jnqKIsl.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\nQvcNGA.exe
  C:\Windows\System\nQvcNGA.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\sABysjj.exe
  C:\Windows\System\sABysjj.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\OVVKcIU.exe
  C:\Windows\System\OVVKcIU.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\tFTYoPF.exe
  C:\Windows\System\tFTYoPF.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\WCoMjoC.exe
  C:\Windows\System\WCoMjoC.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\McFyAKE.exe
  C:\Windows\System\McFyAKE.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\uBjCEAB.exe
  C:\Windows\System\uBjCEAB.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\lCLzzEq.exe
  C:\Windows\System\lCLzzEq.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\lLHBpfc.exe
  C:\Windows\System\lLHBpfc.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\NIgFzkw.exe
  C:\Windows\System\NIgFzkw.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\IvbjJZy.exe
  C:\Windows\System\IvbjJZy.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\mBgpdUN.exe
  C:\Windows\System\mBgpdUN.exe
  2⤵
  - Executes dropped EXE
  PID:1000
- C:\Windows\System\DGmgNkL.exe
  C:\Windows\System\DGmgNkL.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\evWYKJY.exe
  C:\Windows\System\evWYKJY.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\sCJstBA.exe
  C:\Windows\System\sCJstBA.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\StBZOiV.exe
  C:\Windows\System\StBZOiV.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\NGMQNAC.exe
  C:\Windows\System\NGMQNAC.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\FwURhiz.exe
  C:\Windows\System\FwURhiz.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\kvSUpxa.exe
  C:\Windows\System\kvSUpxa.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\BqQEiCf.exe
  C:\Windows\System\BqQEiCf.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\xbsraMz.exe
  C:\Windows\System\xbsraMz.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\iyGhOMI.exe
  C:\Windows\System\iyGhOMI.exe
  2⤵
  - Executes dropped EXE
  PID:3500
- C:\Windows\System\dOmXiRE.exe
  C:\Windows\System\dOmXiRE.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\SbnaCJP.exe
  C:\Windows\System\SbnaCJP.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\fVQjMPP.exe
  C:\Windows\System\fVQjMPP.exe
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Windows\System\AVhGZhp.exe
  C:\Windows\System\AVhGZhp.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\lefhjTt.exe
  C:\Windows\System\lefhjTt.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\qyOTuIN.exe
  C:\Windows\System\qyOTuIN.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\ssyuPuh.exe
  C:\Windows\System\ssyuPuh.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\QntAQap.exe
  C:\Windows\System\QntAQap.exe
  2⤵
  - Executes dropped EXE
  PID:2288
- C:\Windows\System\qnyOQPM.exe
  C:\Windows\System\qnyOQPM.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\MesunWH.exe
  C:\Windows\System\MesunWH.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\PmeKlmw.exe
  C:\Windows\System\PmeKlmw.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\oPDVpyX.exe
  C:\Windows\System\oPDVpyX.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\ZUiTuQm.exe
  C:\Windows\System\ZUiTuQm.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\jDhhOBs.exe
  C:\Windows\System\jDhhOBs.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\vhfYpOQ.exe
  C:\Windows\System\vhfYpOQ.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\QbgbnWj.exe
  C:\Windows\System\QbgbnWj.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\pfkGfHW.exe
  C:\Windows\System\pfkGfHW.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\jbRoWPv.exe
  C:\Windows\System\jbRoWPv.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\fnxqMYD.exe
  C:\Windows\System\fnxqMYD.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\PIekQrW.exe
  C:\Windows\System\PIekQrW.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\KHAFNQz.exe
  C:\Windows\System\KHAFNQz.exe
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Windows\System\HZHImjs.exe
  C:\Windows\System\HZHImjs.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\LzFqgVb.exe
  C:\Windows\System\LzFqgVb.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\CoCkCuy.exe
  C:\Windows\System\CoCkCuy.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\SVZebjx.exe
  C:\Windows\System\SVZebjx.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\OuAPZCi.exe
  C:\Windows\System\OuAPZCi.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\wxCUhIv.exe
  C:\Windows\System\wxCUhIv.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\wczbmWG.exe
  C:\Windows\System\wczbmWG.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\yDchYsk.exe
  C:\Windows\System\yDchYsk.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\SSwgjhH.exe
  C:\Windows\System\SSwgjhH.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\spRUMQR.exe
  C:\Windows\System\spRUMQR.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\voOaHuG.exe
  C:\Windows\System\voOaHuG.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\OESHVuZ.exe
  C:\Windows\System\OESHVuZ.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\wybMKJk.exe
  C:\Windows\System\wybMKJk.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\wsdpaDR.exe
  C:\Windows\System\wsdpaDR.exe
  2⤵
  PID:5020
- C:\Windows\System\utgLrOv.exe
  C:\Windows\System\utgLrOv.exe
  2⤵
  PID:2124
- C:\Windows\System\eoYNfnB.exe
  C:\Windows\System\eoYNfnB.exe
  2⤵
  PID:3144
- C:\Windows\System\GOBqfyZ.exe
  C:\Windows\System\GOBqfyZ.exe
  2⤵
  PID:2080
- C:\Windows\System\NhMCRxz.exe
  C:\Windows\System\NhMCRxz.exe
  2⤵
  PID:5144
- C:\Windows\System\twYCEHo.exe
  C:\Windows\System\twYCEHo.exe
  2⤵
  PID:5168
- C:\Windows\System\vErcfwn.exe
  C:\Windows\System\vErcfwn.exe
  2⤵
  PID:5200
- C:\Windows\System\SwnEkDa.exe
  C:\Windows\System\SwnEkDa.exe
  2⤵
  PID:5220
- C:\Windows\System\CPYSFsT.exe
  C:\Windows\System\CPYSFsT.exe
  2⤵
  PID:5248
- C:\Windows\System\gRQRmPm.exe
  C:\Windows\System\gRQRmPm.exe
  2⤵
  PID:5276
- C:\Windows\System\urVCnnq.exe
  C:\Windows\System\urVCnnq.exe
  2⤵
  PID:5292
- C:\Windows\System\asXrevV.exe
  C:\Windows\System\asXrevV.exe
  2⤵
  PID:5320
- C:\Windows\System\uXxPvYx.exe
  C:\Windows\System\uXxPvYx.exe
  2⤵
  PID:5348
- C:\Windows\System\AiFWLAO.exe
  C:\Windows\System\AiFWLAO.exe
  2⤵
  PID:5376
- C:\Windows\System\ALCFZtX.exe
  C:\Windows\System\ALCFZtX.exe
  2⤵
  PID:5412
- C:\Windows\System\OPeemXz.exe
  C:\Windows\System\OPeemXz.exe
  2⤵
  PID:5448
- C:\Windows\System\CzLzjtj.exe
  C:\Windows\System\CzLzjtj.exe
  2⤵
  PID:5472
- C:\Windows\System\GskIHUq.exe
  C:\Windows\System\GskIHUq.exe
  2⤵
  PID:5500
- C:\Windows\System\tHFySZp.exe
  C:\Windows\System\tHFySZp.exe
  2⤵
  PID:5528
- C:\Windows\System\pvXvZKz.exe
  C:\Windows\System\pvXvZKz.exe
  2⤵
  PID:5560
- C:\Windows\System\fvvBJng.exe
  C:\Windows\System\fvvBJng.exe
  2⤵
  PID:5588
- C:\Windows\System\oKusoUk.exe
  C:\Windows\System\oKusoUk.exe
  2⤵
  PID:5612
- C:\Windows\System\LYyaqRy.exe
  C:\Windows\System\LYyaqRy.exe
  2⤵
  PID:5640
- C:\Windows\System\hgFssim.exe
  C:\Windows\System\hgFssim.exe
  2⤵
  PID:5700
- C:\Windows\System\RGNZTOm.exe
  C:\Windows\System\RGNZTOm.exe
  2⤵
  PID:5716
- C:\Windows\System\awkNFmv.exe
  C:\Windows\System\awkNFmv.exe
  2⤵
  PID:5732
- C:\Windows\System\tVvyHtW.exe
  C:\Windows\System\tVvyHtW.exe
  2⤵
  PID:5760
- C:\Windows\System\DCIrVnE.exe
  C:\Windows\System\DCIrVnE.exe
  2⤵
  PID:5784
- C:\Windows\System\hTekAtL.exe
  C:\Windows\System\hTekAtL.exe
  2⤵
  PID:5812
- C:\Windows\System\qFqMqiO.exe
  C:\Windows\System\qFqMqiO.exe
  2⤵
  PID:5844
- C:\Windows\System\bRwdvRx.exe
  C:\Windows\System\bRwdvRx.exe
  2⤵
  PID:5868
- C:\Windows\System\eWABBMA.exe
  C:\Windows\System\eWABBMA.exe
  2⤵
  PID:5896
- C:\Windows\System\JLpJEiZ.exe
  C:\Windows\System\JLpJEiZ.exe
  2⤵
  PID:5916
- C:\Windows\System\bTLYgkp.exe
  C:\Windows\System\bTLYgkp.exe
  2⤵
  PID:5944
- C:\Windows\System\zJAJegE.exe
  C:\Windows\System\zJAJegE.exe
  2⤵
  PID:5972
- C:\Windows\System\hgJTLdn.exe
  C:\Windows\System\hgJTLdn.exe
  2⤵
  PID:5996
- C:\Windows\System\luclGQH.exe
  C:\Windows\System\luclGQH.exe
  2⤵
  PID:6028
- C:\Windows\System\cRWNzmj.exe
  C:\Windows\System\cRWNzmj.exe
  2⤵
  PID:6052
- C:\Windows\System\vshqlFA.exe
  C:\Windows\System\vshqlFA.exe
  2⤵
  PID:6084
- C:\Windows\System\hyKQTyS.exe
  C:\Windows\System\hyKQTyS.exe
  2⤵
  PID:6108
- C:\Windows\System\lxBBuSa.exe
  C:\Windows\System\lxBBuSa.exe
  2⤵
  PID:6140
- C:\Windows\System\kKthFCK.exe
  C:\Windows\System\kKthFCK.exe
  2⤵
  PID:3064
- C:\Windows\System\RXCcLVp.exe
  C:\Windows\System\RXCcLVp.exe
  2⤵
  PID:4768
- C:\Windows\System\IrTWlzE.exe
  C:\Windows\System\IrTWlzE.exe
  2⤵
  PID:2504
- C:\Windows\System\JbaTpiC.exe
  C:\Windows\System\JbaTpiC.exe
  2⤵
  PID:3380
- C:\Windows\System\PRObTuM.exe
  C:\Windows\System\PRObTuM.exe
  2⤵
  PID:5000
- C:\Windows\System\lYsYnAt.exe
  C:\Windows\System\lYsYnAt.exe
  2⤵
  PID:5236
- C:\Windows\System\VxHiPQg.exe
  C:\Windows\System\VxHiPQg.exe
  2⤵
  PID:2820
- C:\Windows\System\txVbYiU.exe
  C:\Windows\System\txVbYiU.exe
  2⤵
  PID:5336
- C:\Windows\System\Lknfsrr.exe
  C:\Windows\System\Lknfsrr.exe
  2⤵
  PID:5388
- C:\Windows\System\SnLMOMA.exe
  C:\Windows\System\SnLMOMA.exe
  2⤵
  PID:5436
- C:\Windows\System\EmfhZBf.exe
  C:\Windows\System\EmfhZBf.exe
  2⤵
  PID:5492
- C:\Windows\System\vyVNjOB.exe
  C:\Windows\System\vyVNjOB.exe
  2⤵
  PID:5568
- C:\Windows\System\aWqvflT.exe
  C:\Windows\System\aWqvflT.exe
  2⤵
  PID:5628
- C:\Windows\System\ELlpmxC.exe
  C:\Windows\System\ELlpmxC.exe
  2⤵
  PID:5660
- C:\Windows\System\EZFtKvG.exe
  C:\Windows\System\EZFtKvG.exe
  2⤵
  PID:5752
- C:\Windows\System\PeVvQYG.exe
  C:\Windows\System\PeVvQYG.exe
  2⤵
  PID:5828
- C:\Windows\System\OaeKIwC.exe
  C:\Windows\System\OaeKIwC.exe
  2⤵
  PID:5860
- C:\Windows\System\EWJEjYZ.exe
  C:\Windows\System\EWJEjYZ.exe
  2⤵
  PID:5932
- C:\Windows\System\RrqgYjY.exe
  C:\Windows\System\RrqgYjY.exe
  2⤵
  PID:5992
- C:\Windows\System\jJrZdJn.exe
  C:\Windows\System\jJrZdJn.exe
  2⤵
  PID:6068
- C:\Windows\System\LUYCImM.exe
  C:\Windows\System\LUYCImM.exe
  2⤵
  PID:6128
- C:\Windows\System\uqokhGk.exe
  C:\Windows\System\uqokhGk.exe
  2⤵
  PID:4000
- C:\Windows\System\aaktjWN.exe
  C:\Windows\System\aaktjWN.exe
  2⤵
  PID:4204
- C:\Windows\System\sxiaeas.exe
  C:\Windows\System\sxiaeas.exe
  2⤵
  PID:5216
- C:\Windows\System\MCnVdGS.exe
  C:\Windows\System\MCnVdGS.exe
  2⤵
  PID:5024
- C:\Windows\System\LPzNdVu.exe
  C:\Windows\System\LPzNdVu.exe
  2⤵
  PID:5464
- C:\Windows\System\LmvBOWY.exe
  C:\Windows\System\LmvBOWY.exe
  2⤵
  PID:5604
- C:\Windows\System\vQdvNZK.exe
  C:\Windows\System\vQdvNZK.exe
  2⤵
  PID:5744
- C:\Windows\System\uUGOyfT.exe
  C:\Windows\System\uUGOyfT.exe
  2⤵
  PID:5892
- C:\Windows\System\MeoIZnX.exe
  C:\Windows\System\MeoIZnX.exe
  2⤵
  PID:1596
- C:\Windows\System\mbqWMDA.exe
  C:\Windows\System\mbqWMDA.exe
  2⤵
  PID:6100
- C:\Windows\System\lMVuHiY.exe
  C:\Windows\System\lMVuHiY.exe
  2⤵
  PID:5196
- C:\Windows\System\ptmjgZC.exe
  C:\Windows\System\ptmjgZC.exe
  2⤵
  PID:5408
- C:\Windows\System\PYkWGSG.exe
  C:\Windows\System\PYkWGSG.exe
  2⤵
  PID:5672
- C:\Windows\System\rEgJuzN.exe
  C:\Windows\System\rEgJuzN.exe
  2⤵
  PID:6148
- C:\Windows\System\nwyfXFC.exe
  C:\Windows\System\nwyfXFC.exe
  2⤵
  PID:6176
- C:\Windows\System\eBOHzem.exe
  C:\Windows\System\eBOHzem.exe
  2⤵
  PID:6204
- C:\Windows\System\abluvuv.exe
  C:\Windows\System\abluvuv.exe
  2⤵
  PID:6232
- C:\Windows\System\UbriBry.exe
  C:\Windows\System\UbriBry.exe
  2⤵
  PID:6260
- C:\Windows\System\asXjHii.exe
  C:\Windows\System\asXjHii.exe
  2⤵
  PID:6288
- C:\Windows\System\VUnITpB.exe
  C:\Windows\System\VUnITpB.exe
  2⤵
  PID:6316
- C:\Windows\System\AXCFgqk.exe
  C:\Windows\System\AXCFgqk.exe
  2⤵
  PID:6344
- C:\Windows\System\MenTjkU.exe
  C:\Windows\System\MenTjkU.exe
  2⤵
  PID:6372
- C:\Windows\System\UcjVFre.exe
  C:\Windows\System\UcjVFre.exe
  2⤵
  PID:6400
- C:\Windows\System\JLuCvSr.exe
  C:\Windows\System\JLuCvSr.exe
  2⤵
  PID:6428
- C:\Windows\System\ZPLWFAr.exe
  C:\Windows\System\ZPLWFAr.exe
  2⤵
  PID:6456
- C:\Windows\System\CXMHMTo.exe
  C:\Windows\System\CXMHMTo.exe
  2⤵
  PID:6484
- C:\Windows\System\gEndfbv.exe
  C:\Windows\System\gEndfbv.exe
  2⤵
  PID:6508
- C:\Windows\System\UsOaJSQ.exe
  C:\Windows\System\UsOaJSQ.exe
  2⤵
  PID:6536
- C:\Windows\System\XCeIcLz.exe
  C:\Windows\System\XCeIcLz.exe
  2⤵
  PID:6644
- C:\Windows\System\xMoMbyc.exe
  C:\Windows\System\xMoMbyc.exe
  2⤵
  PID:6700
- C:\Windows\System\rKasBfU.exe
  C:\Windows\System\rKasBfU.exe
  2⤵
  PID:6720
- C:\Windows\System\GdrtcTr.exe
  C:\Windows\System\GdrtcTr.exe
  2⤵
  PID:6740
- C:\Windows\System\YFLlOdG.exe
  C:\Windows\System\YFLlOdG.exe
  2⤵
  PID:6784
- C:\Windows\System\MgAprgZ.exe
  C:\Windows\System\MgAprgZ.exe
  2⤵
  PID:6804
- C:\Windows\System\DaGhbgJ.exe
  C:\Windows\System\DaGhbgJ.exe
  2⤵
  PID:6840
- C:\Windows\System\ofLmCAm.exe
  C:\Windows\System\ofLmCAm.exe
  2⤵
  PID:6864
- C:\Windows\System\bnQVYez.exe
  C:\Windows\System\bnQVYez.exe
  2⤵
  PID:6884
- C:\Windows\System\YcQlFas.exe
  C:\Windows\System\YcQlFas.exe
  2⤵
  PID:6932
- C:\Windows\System\IugMkCb.exe
  C:\Windows\System\IugMkCb.exe
  2⤵
  PID:6968
- C:\Windows\System\DHIQFNf.exe
  C:\Windows\System\DHIQFNf.exe
  2⤵
  PID:7000
- C:\Windows\System\QaZHfWs.exe
  C:\Windows\System\QaZHfWs.exe
  2⤵
  PID:7024
- C:\Windows\System\EFHKDSi.exe
  C:\Windows\System\EFHKDSi.exe
  2⤵
  PID:7044
- C:\Windows\System\YyNaNhe.exe
  C:\Windows\System\YyNaNhe.exe
  2⤵
  PID:7060
- C:\Windows\System\WTyqkyW.exe
  C:\Windows\System\WTyqkyW.exe
  2⤵
  PID:7076
- C:\Windows\System\DWACQvx.exe
  C:\Windows\System\DWACQvx.exe
  2⤵
  PID:7096
- C:\Windows\System\hwWdOYf.exe
  C:\Windows\System\hwWdOYf.exe
  2⤵
  PID:7124
- C:\Windows\System\xLIrJPl.exe
  C:\Windows\System\xLIrJPl.exe
  2⤵
  PID:5968
- C:\Windows\System\WAZKshY.exe
  C:\Windows\System\WAZKshY.exe
  2⤵
  PID:4476
- C:\Windows\System\UqsYhAH.exe
  C:\Windows\System\UqsYhAH.exe
  2⤵
  PID:5284
- C:\Windows\System\cPbrjnL.exe
  C:\Windows\System\cPbrjnL.exe
  2⤵
  PID:5804
- C:\Windows\System\jsyOfDg.exe
  C:\Windows\System\jsyOfDg.exe
  2⤵
  PID:6168
- C:\Windows\System\IzTeLBk.exe
  C:\Windows\System\IzTeLBk.exe
  2⤵
  PID:6220
- C:\Windows\System\ciJknWK.exe
  C:\Windows\System\ciJknWK.exe
  2⤵
  PID:6252
- C:\Windows\System\FwHUCvF.exe
  C:\Windows\System\FwHUCvF.exe
  2⤵
  PID:6276
- C:\Windows\System\VxxzZFb.exe
  C:\Windows\System\VxxzZFb.exe
  2⤵
  PID:6304
- C:\Windows\System\UFHslvD.exe
  C:\Windows\System\UFHslvD.exe
  2⤵
  PID:6356
- C:\Windows\System\VWhhdGK.exe
  C:\Windows\System\VWhhdGK.exe
  2⤵
  PID:1212
- C:\Windows\System\riOcTcS.exe
  C:\Windows\System\riOcTcS.exe
  2⤵
  PID:6412
- C:\Windows\System\XIpTMHf.exe
  C:\Windows\System\XIpTMHf.exe
  2⤵
  PID:6440
- C:\Windows\System\ZvMxhnT.exe
  C:\Windows\System\ZvMxhnT.exe
  2⤵
  PID:6472
- C:\Windows\System\bNkoBki.exe
  C:\Windows\System\bNkoBki.exe
  2⤵
  PID:6496
- C:\Windows\System\CxubiMb.exe
  C:\Windows\System\CxubiMb.exe
  2⤵
  PID:4920
- C:\Windows\System\AUZpuYt.exe
  C:\Windows\System\AUZpuYt.exe
  2⤵
  PID:4224
- C:\Windows\System\jxDoflh.exe
  C:\Windows\System\jxDoflh.exe
  2⤵
  PID:6620
- C:\Windows\System\dUDfHRe.exe
  C:\Windows\System\dUDfHRe.exe
  2⤵
  PID:4880
- C:\Windows\System\YCnrTZL.exe
  C:\Windows\System\YCnrTZL.exe
  2⤵
  PID:1628
- C:\Windows\System\ouMprwh.exe
  C:\Windows\System\ouMprwh.exe
  2⤵
  PID:6736
- C:\Windows\System\EytgHLd.exe
  C:\Windows\System\EytgHLd.exe
  2⤵
  PID:6768
- C:\Windows\System\NEMBTYY.exe
  C:\Windows\System\NEMBTYY.exe
  2⤵
  PID:6872
- C:\Windows\System\oBHnrOe.exe
  C:\Windows\System\oBHnrOe.exe
  2⤵
  PID:6944
- C:\Windows\System\LOFTpKF.exe
  C:\Windows\System\LOFTpKF.exe
  2⤵
  PID:6948
- C:\Windows\System\CqEnTCJ.exe
  C:\Windows\System\CqEnTCJ.exe
  2⤵
  PID:7016
- C:\Windows\System\xZSGgCS.exe
  C:\Windows\System\xZSGgCS.exe
  2⤵
  PID:7160
- C:\Windows\System\PWEQXgG.exe
  C:\Windows\System\PWEQXgG.exe
  2⤵
  PID:6040
- C:\Windows\System\jJvVrrw.exe
  C:\Windows\System\jJvVrrw.exe
  2⤵
  PID:2648
- C:\Windows\System\IsGuaFe.exe
  C:\Windows\System\IsGuaFe.exe
  2⤵
  PID:1248
- C:\Windows\System\BJiGRXK.exe
  C:\Windows\System\BJiGRXK.exe
  2⤵
  PID:6364
- C:\Windows\System\QOptIxW.exe
  C:\Windows\System\QOptIxW.exe
  2⤵
  PID:6388
- C:\Windows\System\SQtDXan.exe
  C:\Windows\System\SQtDXan.exe
  2⤵
  PID:1620
- C:\Windows\System\xZTXGXp.exe
  C:\Windows\System\xZTXGXp.exe
  2⤵
  PID:6604
- C:\Windows\System\DXGWDqW.exe
  C:\Windows\System\DXGWDqW.exe
  2⤵
  PID:6592
- C:\Windows\System\wmPGTEs.exe
  C:\Windows\System\wmPGTEs.exe
  2⤵
  PID:6764
- C:\Windows\System\ROwQorb.exe
  C:\Windows\System\ROwQorb.exe
  2⤵
  PID:6904
- C:\Windows\System\NfAjSvc.exe
  C:\Windows\System\NfAjSvc.exe
  2⤵
  PID:6924
- C:\Windows\System\NFtwAMk.exe
  C:\Windows\System\NFtwAMk.exe
  2⤵
  PID:7156
- C:\Windows\System\eOAxLJT.exe
  C:\Windows\System\eOAxLJT.exe
  2⤵
  PID:5160
- C:\Windows\System\bImixAJ.exe
  C:\Windows\System\bImixAJ.exe
  2⤵
  PID:6160
- C:\Windows\System\ZoTuMYw.exe
  C:\Windows\System\ZoTuMYw.exe
  2⤵
  PID:6632
- C:\Windows\System\SHlwiPm.exe
  C:\Windows\System\SHlwiPm.exe
  2⤵
  PID:6964
- C:\Windows\System\ksyalif.exe
  C:\Windows\System\ksyalif.exe
  2⤵
  PID:7012
- C:\Windows\System\LPNaEkI.exe
  C:\Windows\System\LPNaEkI.exe
  2⤵
  PID:3664
- C:\Windows\System\YvDaAvR.exe
  C:\Windows\System\YvDaAvR.exe
  2⤵
  PID:6760
- C:\Windows\System\faEaIqo.exe
  C:\Windows\System\faEaIqo.exe
  2⤵
  PID:7192
- C:\Windows\System\fOKIGwm.exe
  C:\Windows\System\fOKIGwm.exe
  2⤵
  PID:7212
- C:\Windows\System\iFYNFil.exe
  C:\Windows\System\iFYNFil.exe
  2⤵
  PID:7236
- C:\Windows\System\FXlIcAH.exe
  C:\Windows\System\FXlIcAH.exe
  2⤵
  PID:7300
- C:\Windows\System\dmGXPvU.exe
  C:\Windows\System\dmGXPvU.exe
  2⤵
  PID:7348
- C:\Windows\System\Lxftmlj.exe
  C:\Windows\System\Lxftmlj.exe
  2⤵
  PID:7368
- C:\Windows\System\ICkPiZY.exe
  C:\Windows\System\ICkPiZY.exe
  2⤵
  PID:7392
- C:\Windows\System\HzqxUdv.exe
  C:\Windows\System\HzqxUdv.exe
  2⤵
  PID:7408
- C:\Windows\System\QsvJNyA.exe
  C:\Windows\System\QsvJNyA.exe
  2⤵
  PID:7432
- C:\Windows\System\mYsepBz.exe
  C:\Windows\System\mYsepBz.exe
  2⤵
  PID:7456
- C:\Windows\System\EOvuRya.exe
  C:\Windows\System\EOvuRya.exe
  2⤵
  PID:7484
- C:\Windows\System\VnuAQsO.exe
  C:\Windows\System\VnuAQsO.exe
  2⤵
  PID:7524
- C:\Windows\System\kixSPKi.exe
  C:\Windows\System\kixSPKi.exe
  2⤵
  PID:7544
- C:\Windows\System\wzKQywj.exe
  C:\Windows\System\wzKQywj.exe
  2⤵
  PID:7568
- C:\Windows\System\WwhJCMG.exe
  C:\Windows\System\WwhJCMG.exe
  2⤵
  PID:7608
- C:\Windows\System\KsCDAwu.exe
  C:\Windows\System\KsCDAwu.exe
  2⤵
  PID:7632
- C:\Windows\System\ioZoMqu.exe
  C:\Windows\System\ioZoMqu.exe
  2⤵
  PID:7656
- C:\Windows\System\VmxCBMA.exe
  C:\Windows\System\VmxCBMA.exe
  2⤵
  PID:7684
- C:\Windows\System\HCwSFyo.exe
  C:\Windows\System\HCwSFyo.exe
  2⤵
  PID:7724
- C:\Windows\System\MZsvrzv.exe
  C:\Windows\System\MZsvrzv.exe
  2⤵
  PID:7752
- C:\Windows\System\TKAzsPj.exe
  C:\Windows\System\TKAzsPj.exe
  2⤵
  PID:7792
- C:\Windows\System\VMqBDuy.exe
  C:\Windows\System\VMqBDuy.exe
  2⤵
  PID:7824
- C:\Windows\System\AwziDDK.exe
  C:\Windows\System\AwziDDK.exe
  2⤵
  PID:7848
- C:\Windows\System\rWOSure.exe
  C:\Windows\System\rWOSure.exe
  2⤵
  PID:7876
- C:\Windows\System\zkRbMFE.exe
  C:\Windows\System\zkRbMFE.exe
  2⤵
  PID:7900
- C:\Windows\System\RGUBZjy.exe
  C:\Windows\System\RGUBZjy.exe
  2⤵
  PID:7920
- C:\Windows\System\FeXSuVX.exe
  C:\Windows\System\FeXSuVX.exe
  2⤵
  PID:7952
- C:\Windows\System\vpYEMou.exe
  C:\Windows\System\vpYEMou.exe
  2⤵
  PID:7968
- C:\Windows\System\znJcHmh.exe
  C:\Windows\System\znJcHmh.exe
  2⤵
  PID:7996
- C:\Windows\System\EPMPTbH.exe
  C:\Windows\System\EPMPTbH.exe
  2⤵
  PID:8032
- C:\Windows\System\WvaizGf.exe
  C:\Windows\System\WvaizGf.exe
  2⤵
  PID:8056
- C:\Windows\System\WfkbKzd.exe
  C:\Windows\System\WfkbKzd.exe
  2⤵
  PID:8084
- C:\Windows\System\wSpEMWf.exe
  C:\Windows\System\wSpEMWf.exe
  2⤵
  PID:8116
- C:\Windows\System\IIBvujV.exe
  C:\Windows\System\IIBvujV.exe
  2⤵
  PID:8132
- C:\Windows\System\iWMOePJ.exe
  C:\Windows\System\iWMOePJ.exe
  2⤵
  PID:8160
- C:\Windows\System\ufnhUXA.exe
  C:\Windows\System\ufnhUXA.exe
  2⤵
  PID:8176
- C:\Windows\System\QAPwiTy.exe
  C:\Windows\System\QAPwiTy.exe
  2⤵
  PID:4424
- C:\Windows\System\ZwxFnZV.exe
  C:\Windows\System\ZwxFnZV.exe
  2⤵
  PID:6188
- C:\Windows\System\bZynxdB.exe
  C:\Windows\System\bZynxdB.exe
  2⤵
  PID:7208
- C:\Windows\System\RJlCpAl.exe
  C:\Windows\System\RJlCpAl.exe
  2⤵
  PID:7288
- C:\Windows\System\NdsZUEW.exe
  C:\Windows\System\NdsZUEW.exe
  2⤵
  PID:7340
- C:\Windows\System\scbiShS.exe
  C:\Windows\System\scbiShS.exe
  2⤵
  PID:7428
- C:\Windows\System\wXkBYMG.exe
  C:\Windows\System\wXkBYMG.exe
  2⤵
  PID:7556
- C:\Windows\System\nsmTBPh.exe
  C:\Windows\System\nsmTBPh.exe
  2⤵
  PID:7648
- C:\Windows\System\pRZHJsv.exe
  C:\Windows\System\pRZHJsv.exe
  2⤵
  PID:7680
- C:\Windows\System\LvBKLut.exe
  C:\Windows\System\LvBKLut.exe
  2⤵
  PID:7716
- C:\Windows\System\FMulBzr.exe
  C:\Windows\System\FMulBzr.exe
  2⤵
  PID:7800
- C:\Windows\System\cSZdPpv.exe
  C:\Windows\System\cSZdPpv.exe
  2⤵
  PID:7856
- C:\Windows\System\WkKCPtj.exe
  C:\Windows\System\WkKCPtj.exe
  2⤵
  PID:7928
- C:\Windows\System\wMTvLXn.exe
  C:\Windows\System\wMTvLXn.exe
  2⤵
  PID:8008
- C:\Windows\System\zviCKRE.exe
  C:\Windows\System\zviCKRE.exe
  2⤵
  PID:8068
- C:\Windows\System\TKZJBDb.exe
  C:\Windows\System\TKZJBDb.exe
  2⤵
  PID:8128
- C:\Windows\System\wBTDhlg.exe
  C:\Windows\System\wBTDhlg.exe
  2⤵
  PID:6580
- C:\Windows\System\acpuJOw.exe
  C:\Windows\System\acpuJOw.exe
  2⤵
  PID:7204
- C:\Windows\System\QVKwXzi.exe
  C:\Windows\System\QVKwXzi.exe
  2⤵
  PID:7176
- C:\Windows\System\nFUzIWw.exe
  C:\Windows\System\nFUzIWw.exe
  2⤵
  PID:7504
- C:\Windows\System\jjqYVDR.exe
  C:\Windows\System\jjqYVDR.exe
  2⤵
  PID:7676
- C:\Windows\System\owhZkpx.exe
  C:\Windows\System\owhZkpx.exe
  2⤵
  PID:8048
- C:\Windows\System\AbjHwHc.exe
  C:\Windows\System\AbjHwHc.exe
  2⤵
  PID:7328
- C:\Windows\System\uvtRikQ.exe
  C:\Windows\System\uvtRikQ.exe
  2⤵
  PID:7404
- C:\Windows\System\boksMAQ.exe
  C:\Windows\System\boksMAQ.exe
  2⤵
  PID:7732
- C:\Windows\System\bsyxxtq.exe
  C:\Windows\System\bsyxxtq.exe
  2⤵
  PID:7228
- C:\Windows\System\CuIybcj.exe
  C:\Windows\System\CuIybcj.exe
  2⤵
  PID:6332
- C:\Windows\System\SlvjjKT.exe
  C:\Windows\System\SlvjjKT.exe
  2⤵
  PID:8204
- C:\Windows\System\VdpMofe.exe
  C:\Windows\System\VdpMofe.exe
  2⤵
  PID:8220
- C:\Windows\System\AmkRumf.exe
  C:\Windows\System\AmkRumf.exe
  2⤵
  PID:8240
- C:\Windows\System\njViVfS.exe
  C:\Windows\System\njViVfS.exe
  2⤵
  PID:8284
- C:\Windows\System\YxPSBQm.exe
  C:\Windows\System\YxPSBQm.exe
  2⤵
  PID:8308
- C:\Windows\System\isqTxZq.exe
  C:\Windows\System\isqTxZq.exe
  2⤵
  PID:8348
- C:\Windows\System\YhskbPl.exe
  C:\Windows\System\YhskbPl.exe
  2⤵
  PID:8372
- C:\Windows\System\FnTggOt.exe
  C:\Windows\System\FnTggOt.exe
  2⤵
  PID:8400
- C:\Windows\System\vlADKoa.exe
  C:\Windows\System\vlADKoa.exe
  2⤵
  PID:8420
- C:\Windows\System\WcQZjaQ.exe
  C:\Windows\System\WcQZjaQ.exe
  2⤵
  PID:8456
- C:\Windows\System\IuosbUE.exe
  C:\Windows\System\IuosbUE.exe
  2⤵
  PID:8476
- C:\Windows\System\uRhKaqP.exe
  C:\Windows\System\uRhKaqP.exe
  2⤵
  PID:8500
- C:\Windows\System\HslvRdn.exe
  C:\Windows\System\HslvRdn.exe
  2⤵
  PID:8528
- C:\Windows\System\wKqMFqe.exe
  C:\Windows\System\wKqMFqe.exe
  2⤵
  PID:8564
- C:\Windows\System\CkoWFCU.exe
  C:\Windows\System\CkoWFCU.exe
  2⤵
  PID:8612
- C:\Windows\System\QsCbkNz.exe
  C:\Windows\System\QsCbkNz.exe
  2⤵
  PID:8628
- C:\Windows\System\HAwIHjL.exe
  C:\Windows\System\HAwIHjL.exe
  2⤵
  PID:8664
- C:\Windows\System\oBMyIrH.exe
  C:\Windows\System\oBMyIrH.exe
  2⤵
  PID:8696
- C:\Windows\System\BRNBVng.exe
  C:\Windows\System\BRNBVng.exe
  2⤵
  PID:8720
- C:\Windows\System\epvuHFg.exe
  C:\Windows\System\epvuHFg.exe
  2⤵
  PID:8740
- C:\Windows\System\OPdqENI.exe
  C:\Windows\System\OPdqENI.exe
  2⤵
  PID:8780
- C:\Windows\System\uuSMsum.exe
  C:\Windows\System\uuSMsum.exe
  2⤵
  PID:8800
- C:\Windows\System\ffMDLPB.exe
  C:\Windows\System\ffMDLPB.exe
  2⤵
  PID:8828
- C:\Windows\System\FSBxNWf.exe
  C:\Windows\System\FSBxNWf.exe
  2⤵
  PID:8852
- C:\Windows\System\kfXRFnA.exe
  C:\Windows\System\kfXRFnA.exe
  2⤵
  PID:8868
- C:\Windows\System\AFAyIIb.exe
  C:\Windows\System\AFAyIIb.exe
  2⤵
  PID:8912
- C:\Windows\System\RWOYxOp.exe
  C:\Windows\System\RWOYxOp.exe
  2⤵
  PID:8936
- C:\Windows\System\qLjxrSG.exe
  C:\Windows\System\qLjxrSG.exe
  2⤵
  PID:8960
- C:\Windows\System\tiWJtkH.exe
  C:\Windows\System\tiWJtkH.exe
  2⤵
  PID:9000
- C:\Windows\System\bRSiCxq.exe
  C:\Windows\System\bRSiCxq.exe
  2⤵
  PID:9020
- C:\Windows\System\SHCXDnw.exe
  C:\Windows\System\SHCXDnw.exe
  2⤵
  PID:9040
- C:\Windows\System\lYfPaHx.exe
  C:\Windows\System\lYfPaHx.exe
  2⤵
  PID:9064
- C:\Windows\System\RjzCPEb.exe
  C:\Windows\System\RjzCPEb.exe
  2⤵
  PID:9096
- C:\Windows\System\jXlJmNt.exe
  C:\Windows\System\jXlJmNt.exe
  2⤵
  PID:9116
- C:\Windows\System\hRxmniB.exe
  C:\Windows\System\hRxmniB.exe
  2⤵
  PID:9156
- C:\Windows\System\BDHbGUp.exe
  C:\Windows\System\BDHbGUp.exe
  2⤵
  PID:9180
- C:\Windows\System\ZqHvWBV.exe
  C:\Windows\System\ZqHvWBV.exe
  2⤵
  PID:9204
- C:\Windows\System\zcQXbkp.exe
  C:\Windows\System\zcQXbkp.exe
  2⤵
  PID:8216
- C:\Windows\System\vaBbvqQ.exe
  C:\Windows\System\vaBbvqQ.exe
  2⤵
  PID:8260
- C:\Windows\System\SZCulQo.exe
  C:\Windows\System\SZCulQo.exe
  2⤵
  PID:8292
- C:\Windows\System\kDUpbba.exe
  C:\Windows\System\kDUpbba.exe
  2⤵
  PID:8464
- C:\Windows\System\rJzCZpe.exe
  C:\Windows\System\rJzCZpe.exe
  2⤵
  PID:8508
- C:\Windows\System\MwzMfcp.exe
  C:\Windows\System\MwzMfcp.exe
  2⤵
  PID:8580
- C:\Windows\System\mcpSbsr.exe
  C:\Windows\System\mcpSbsr.exe
  2⤵
  PID:8620
- C:\Windows\System\TLVBckI.exe
  C:\Windows\System\TLVBckI.exe
  2⤵
  PID:8708
- C:\Windows\System\VWkeXkb.exe
  C:\Windows\System\VWkeXkb.exe
  2⤵
  PID:8764
- C:\Windows\System\bUYkFRF.exe
  C:\Windows\System\bUYkFRF.exe
  2⤵
  PID:8840
- C:\Windows\System\zgFvEGc.exe
  C:\Windows\System\zgFvEGc.exe
  2⤵
  PID:8884
- C:\Windows\System\eEiYrKs.exe
  C:\Windows\System\eEiYrKs.exe
  2⤵
  PID:8948
- C:\Windows\System\kjxeVss.exe
  C:\Windows\System\kjxeVss.exe
  2⤵
  PID:9016
- C:\Windows\System\EgBDQoq.exe
  C:\Windows\System\EgBDQoq.exe
  2⤵
  PID:9108
- C:\Windows\System\VVCihOe.exe
  C:\Windows\System\VVCihOe.exe
  2⤵
  PID:9148
- C:\Windows\System\hoDdTKw.exe
  C:\Windows\System\hoDdTKw.exe
  2⤵
  PID:9188
- C:\Windows\System\ZkcnJzB.exe
  C:\Windows\System\ZkcnJzB.exe
  2⤵
  PID:8280
- C:\Windows\System\lafOmFf.exe
  C:\Windows\System\lafOmFf.exe
  2⤵
  PID:8440
- C:\Windows\System\HVYWkpp.exe
  C:\Windows\System\HVYWkpp.exe
  2⤵
  PID:3788
- C:\Windows\System\XijWTqV.exe
  C:\Windows\System\XijWTqV.exe
  2⤵
  PID:7268
- C:\Windows\System\zoHrlcO.exe
  C:\Windows\System\zoHrlcO.exe
  2⤵
  PID:8932
- C:\Windows\System\OmCnPUq.exe
  C:\Windows\System\OmCnPUq.exe
  2⤵
  PID:9104
- C:\Windows\System\ayzNDyc.exe
  C:\Windows\System\ayzNDyc.exe
  2⤵
  PID:9176
- C:\Windows\System\JKrpacn.exe
  C:\Windows\System\JKrpacn.exe
  2⤵
  PID:8300
- C:\Windows\System\keYWQRw.exe
  C:\Windows\System\keYWQRw.exe
  2⤵
  PID:4820
- C:\Windows\System\JcloouV.exe
  C:\Windows\System\JcloouV.exe
  2⤵
  PID:8816
- C:\Windows\System\pfDgQjp.exe
  C:\Windows\System\pfDgQjp.exe
  2⤵
  PID:9200
- C:\Windows\System\OGVwKSx.exe
  C:\Windows\System\OGVwKSx.exe
  2⤵
  PID:9260
- C:\Windows\System\lUFqcQd.exe
  C:\Windows\System\lUFqcQd.exe
  2⤵
  PID:9280
- C:\Windows\System\BbKZFyr.exe
  C:\Windows\System\BbKZFyr.exe
  2⤵
  PID:9320
- C:\Windows\System\tAxbFYB.exe
  C:\Windows\System\tAxbFYB.exe
  2⤵
  PID:9444
- C:\Windows\System\fZZpoif.exe
  C:\Windows\System\fZZpoif.exe
  2⤵
  PID:9460
- C:\Windows\System\XLrxZyK.exe
  C:\Windows\System\XLrxZyK.exe
  2⤵
  PID:9476
- C:\Windows\System\LUExdvA.exe
  C:\Windows\System\LUExdvA.exe
  2⤵
  PID:9492
- C:\Windows\System\eymaHNV.exe
  C:\Windows\System\eymaHNV.exe
  2⤵
  PID:9508
- C:\Windows\System\JvYevLJ.exe
  C:\Windows\System\JvYevLJ.exe
  2⤵
  PID:9528
- C:\Windows\System\nAYyIku.exe
  C:\Windows\System\nAYyIku.exe
  2⤵
  PID:9544
- C:\Windows\System\GVBdeZF.exe
  C:\Windows\System\GVBdeZF.exe
  2⤵
  PID:9560
- C:\Windows\System\xHGdzAU.exe
  C:\Windows\System\xHGdzAU.exe
  2⤵
  PID:9576
- C:\Windows\System\RWQwjxY.exe
  C:\Windows\System\RWQwjxY.exe
  2⤵
  PID:9592
- C:\Windows\System\UMcgsoN.exe
  C:\Windows\System\UMcgsoN.exe
  2⤵
  PID:9608
- C:\Windows\System\OwIkDKC.exe
  C:\Windows\System\OwIkDKC.exe
  2⤵
  PID:9624
- C:\Windows\System\ZcwCUuE.exe
  C:\Windows\System\ZcwCUuE.exe
  2⤵
  PID:9640
- C:\Windows\System\aeZtZzJ.exe
  C:\Windows\System\aeZtZzJ.exe
  2⤵
  PID:9656
- C:\Windows\System\SVTRQkE.exe
  C:\Windows\System\SVTRQkE.exe
  2⤵
  PID:9672
- C:\Windows\System\dxWKeJi.exe
  C:\Windows\System\dxWKeJi.exe
  2⤵
  PID:9692
- C:\Windows\System\PPUaeag.exe
  C:\Windows\System\PPUaeag.exe
  2⤵
  PID:9708
- C:\Windows\System\vGJDuZn.exe
  C:\Windows\System\vGJDuZn.exe
  2⤵
  PID:9804
- C:\Windows\System\sMzqPjA.exe
  C:\Windows\System\sMzqPjA.exe
  2⤵
  PID:9836
- C:\Windows\System\walRaFq.exe
  C:\Windows\System\walRaFq.exe
  2⤵
  PID:9856
- C:\Windows\System\mFfmMcv.exe
  C:\Windows\System\mFfmMcv.exe
  2⤵
  PID:9880
- C:\Windows\System\qknBrIL.exe
  C:\Windows\System\qknBrIL.exe
  2⤵
  PID:10012
- C:\Windows\System\raaOghK.exe
  C:\Windows\System\raaOghK.exe
  2⤵
  PID:10036
- C:\Windows\System\QgsBGhH.exe
  C:\Windows\System\QgsBGhH.exe
  2⤵
  PID:10096
- C:\Windows\System\BLaNwQf.exe
  C:\Windows\System\BLaNwQf.exe
  2⤵
  PID:10160
- C:\Windows\System\HgZRALb.exe
  C:\Windows\System\HgZRALb.exe
  2⤵
  PID:10176
- C:\Windows\System\cYoxnna.exe
  C:\Windows\System\cYoxnna.exe
  2⤵
  PID:10196
- C:\Windows\System\zeCiWQO.exe
  C:\Windows\System\zeCiWQO.exe
  2⤵
  PID:10216
- C:\Windows\System\jJZOkrz.exe
  C:\Windows\System\jJZOkrz.exe
  2⤵
  PID:10236
- C:\Windows\System\luURICe.exe
  C:\Windows\System\luURICe.exe
  2⤵
  PID:8920
- C:\Windows\System\TfkJfZA.exe
  C:\Windows\System\TfkJfZA.exe
  2⤵
  PID:9268
- C:\Windows\System\lmiHzFU.exe
  C:\Windows\System\lmiHzFU.exe
  2⤵
  PID:9316
- C:\Windows\System\fkUkFmG.exe
  C:\Windows\System\fkUkFmG.exe
  2⤵
  PID:9664
- C:\Windows\System\figQhpW.exe
  C:\Windows\System\figQhpW.exe
  2⤵
  PID:9312
- C:\Windows\System\xydkKxm.exe
  C:\Windows\System\xydkKxm.exe
  2⤵
  PID:9336
- C:\Windows\System\GPIJuIT.exe
  C:\Windows\System\GPIJuIT.exe
  2⤵
  PID:9344
- C:\Windows\System\dStsnYp.exe
  C:\Windows\System\dStsnYp.exe
  2⤵
  PID:9376
- C:\Windows\System\ZoSkMIv.exe
  C:\Windows\System\ZoSkMIv.exe
  2⤵
  PID:9388
- C:\Windows\System\CEgSCzF.exe
  C:\Windows\System\CEgSCzF.exe
  2⤵
  PID:9504
- C:\Windows\System\fRAcdpv.exe
  C:\Windows\System\fRAcdpv.exe
  2⤵
  PID:9600
- C:\Windows\System\LzAnOsk.exe
  C:\Windows\System\LzAnOsk.exe
  2⤵
  PID:9928
- C:\Windows\System\PURhVkm.exe
  C:\Windows\System\PURhVkm.exe
  2⤵
  PID:9700
- C:\Windows\System\MMQCHoR.exe
  C:\Windows\System\MMQCHoR.exe
  2⤵
  PID:9800
- C:\Windows\System\aQhPoyl.exe
  C:\Windows\System\aQhPoyl.exe
  2⤵
  PID:9796
- C:\Windows\System\EENcZUo.exe
  C:\Windows\System\EENcZUo.exe
  2⤵
  PID:9972
- C:\Windows\System\qkDbgZa.exe
  C:\Windows\System\qkDbgZa.exe
  2⤵
  PID:10080
- C:\Windows\System\joquOsK.exe
  C:\Windows\System\joquOsK.exe
  2⤵
  PID:6680
- C:\Windows\System\MxwSvMA.exe
  C:\Windows\System\MxwSvMA.exe
  2⤵
  PID:9252
- C:\Windows\System\JGNizft.exe
  C:\Windows\System\JGNizft.exe
  2⤵
  PID:9292
- C:\Windows\System\uITLOgv.exe
  C:\Windows\System\uITLOgv.exe
  2⤵
  PID:9652
- C:\Windows\System\hwbpugU.exe
  C:\Windows\System\hwbpugU.exe
  2⤵
  PID:9340
- C:\Windows\System\qSyCbRM.exe
  C:\Windows\System\qSyCbRM.exe
  2⤵
  PID:9488
- C:\Windows\System\RGLayfS.exe
  C:\Windows\System\RGLayfS.exe
  2⤵
  PID:9680
- C:\Windows\System\Uqgulji.exe
  C:\Windows\System\Uqgulji.exe
  2⤵
  PID:9852
- C:\Windows\System\ZHurglE.exe
  C:\Windows\System\ZHurglE.exe
  2⤵
  PID:10168
- C:\Windows\System\fShHLyd.exe
  C:\Windows\System\fShHLyd.exe
  2⤵
  PID:10192
- C:\Windows\System\hDBSKLN.exe
  C:\Windows\System\hDBSKLN.exe
  2⤵
  PID:9552
- C:\Windows\System\FPiYUfM.exe
  C:\Windows\System\FPiYUfM.exe
  2⤵
  PID:9716
- C:\Windows\System\UyEyalL.exe
  C:\Windows\System\UyEyalL.exe
  2⤵
  PID:9572
- C:\Windows\System\IDKkkva.exe
  C:\Windows\System\IDKkkva.exe
  2⤵
  PID:10232
- C:\Windows\System\Hezwmda.exe
  C:\Windows\System\Hezwmda.exe
  2⤵
  PID:9424
- C:\Windows\System\baWNQuo.exe
  C:\Windows\System\baWNQuo.exe
  2⤵
  PID:10244
- C:\Windows\System\OZDdvaQ.exe
  C:\Windows\System\OZDdvaQ.exe
  2⤵
  PID:10280
- C:\Windows\System\edyLtWF.exe
  C:\Windows\System\edyLtWF.exe
  2⤵
  PID:10332
- C:\Windows\System\VwoIMrw.exe
  C:\Windows\System\VwoIMrw.exe
  2⤵
  PID:10352
- C:\Windows\System\lZZrdgz.exe
  C:\Windows\System\lZZrdgz.exe
  2⤵
  PID:10380
- C:\Windows\System\PURdOKN.exe
  C:\Windows\System\PURdOKN.exe
  2⤵
  PID:10408
- C:\Windows\System\PyWRGrQ.exe
  C:\Windows\System\PyWRGrQ.exe
  2⤵
  PID:10432
- C:\Windows\System\qFGHLAD.exe
  C:\Windows\System\qFGHLAD.exe
  2⤵
  PID:10448
- C:\Windows\System\pUvdwEw.exe
  C:\Windows\System\pUvdwEw.exe
  2⤵
  PID:10468
- C:\Windows\System\RuXLMDo.exe
  C:\Windows\System\RuXLMDo.exe
  2⤵
  PID:10492
- C:\Windows\System\vJaYbOU.exe
  C:\Windows\System\vJaYbOU.exe
  2⤵
  PID:10516
- C:\Windows\System\OAZYsrm.exe
  C:\Windows\System\OAZYsrm.exe
  2⤵
  PID:10576
- C:\Windows\System\TxIMnlO.exe
  C:\Windows\System\TxIMnlO.exe
  2⤵
  PID:10608
- C:\Windows\System\ffmuteL.exe
  C:\Windows\System\ffmuteL.exe
  2⤵
  PID:10632
- C:\Windows\System\DYTnyHV.exe
  C:\Windows\System\DYTnyHV.exe
  2⤵
  PID:10676
- C:\Windows\System\uJWwKGL.exe
  C:\Windows\System\uJWwKGL.exe
  2⤵
  PID:10700
- C:\Windows\System\ypwWvcv.exe
  C:\Windows\System\ypwWvcv.exe
  2⤵
  PID:10728
- C:\Windows\System\fNXrbfH.exe
  C:\Windows\System\fNXrbfH.exe
  2⤵
  PID:10748
- C:\Windows\System\QTkeazb.exe
  C:\Windows\System\QTkeazb.exe
  2⤵
  PID:10780
- C:\Windows\System\efFyYIx.exe
  C:\Windows\System\efFyYIx.exe
  2⤵
  PID:10800
- C:\Windows\System\dGHmOxm.exe
  C:\Windows\System\dGHmOxm.exe
  2⤵
  PID:10820
- C:\Windows\System\iOiPXYk.exe
  C:\Windows\System\iOiPXYk.exe
  2⤵
  PID:10860
- C:\Windows\System\tFMThTv.exe
  C:\Windows\System\tFMThTv.exe
  2⤵
  PID:10880
- C:\Windows\System\uISGhCZ.exe
  C:\Windows\System\uISGhCZ.exe
  2⤵
  PID:10904
- C:\Windows\System\ivtRRyn.exe
  C:\Windows\System\ivtRRyn.exe
  2⤵
  PID:10928
- C:\Windows\System\PtalvET.exe
  C:\Windows\System\PtalvET.exe
  2⤵
  PID:10948
- C:\Windows\System\neyhOiU.exe
  C:\Windows\System\neyhOiU.exe
  2⤵
  PID:10988
- C:\Windows\System\CCIUdPk.exe
  C:\Windows\System\CCIUdPk.exe
  2⤵
  PID:11012
- C:\Windows\System\UgETAKC.exe
  C:\Windows\System\UgETAKC.exe
  2⤵
  PID:11040
- C:\Windows\System\YwyatFc.exe
  C:\Windows\System\YwyatFc.exe
  2⤵
  PID:11064
- C:\Windows\System\cNlqVjF.exe
  C:\Windows\System\cNlqVjF.exe
  2⤵
  PID:11084
- C:\Windows\System\lcjbDby.exe
  C:\Windows\System\lcjbDby.exe
  2⤵
  PID:11112
- C:\Windows\System\TMxEEqJ.exe
  C:\Windows\System\TMxEEqJ.exe
  2⤵
  PID:11136
- C:\Windows\System\FyFdIaM.exe
  C:\Windows\System\FyFdIaM.exe
  2⤵
  PID:11212
- C:\Windows\System\CxYKfeS.exe
  C:\Windows\System\CxYKfeS.exe
  2⤵
  PID:11232
- C:\Windows\System\avgdZVn.exe
  C:\Windows\System\avgdZVn.exe
  2⤵
  PID:11256
- C:\Windows\System\lLaDroZ.exe
  C:\Windows\System\lLaDroZ.exe
  2⤵
  PID:9740
- C:\Windows\System\vpCEOQW.exe
  C:\Windows\System\vpCEOQW.exe
  2⤵
  PID:10252
- C:\Windows\System\PPCvsPz.exe
  C:\Windows\System\PPCvsPz.exe
  2⤵
  PID:10316
- C:\Windows\System\HMVzXmp.exe
  C:\Windows\System\HMVzXmp.exe
  2⤵
  PID:10372
- C:\Windows\System\UJimphg.exe
  C:\Windows\System\UJimphg.exe
  2⤵
  PID:10480
- C:\Windows\System\TSwPejq.exe
  C:\Windows\System\TSwPejq.exe
  2⤵
  PID:10508
- C:\Windows\System\KMGKgNn.exe
  C:\Windows\System\KMGKgNn.exe
  2⤵
  PID:10588
- C:\Windows\System\oafIJJO.exe
  C:\Windows\System\oafIJJO.exe
  2⤵
  PID:10624
- C:\Windows\System\WqSfwbW.exe
  C:\Windows\System\WqSfwbW.exe
  2⤵
  PID:10744
- C:\Windows\System\vbldVEe.exe
  C:\Windows\System\vbldVEe.exe
  2⤵
  PID:10816
- C:\Windows\System\ifCFWLC.exe
  C:\Windows\System\ifCFWLC.exe
  2⤵
  PID:10840
- C:\Windows\System\tWujLqi.exe
  C:\Windows\System\tWujLqi.exe
  2⤵
  PID:10896
- C:\Windows\System\jIRWIQl.exe
  C:\Windows\System\jIRWIQl.exe
  2⤵
  PID:11004
- C:\Windows\System\pFOHHlB.exe
  C:\Windows\System\pFOHHlB.exe
  2⤵
  PID:11024
- C:\Windows\System\jTMSHzk.exe
  C:\Windows\System\jTMSHzk.exe
  2⤵
  PID:11080
- C:\Windows\System\iGXypVx.exe
  C:\Windows\System\iGXypVx.exe
  2⤵
  PID:11152
- C:\Windows\System\XkCzDBJ.exe
  C:\Windows\System\XkCzDBJ.exe
  2⤵
  PID:11204
- C:\Windows\System\ZpCdJoh.exe
  C:\Windows\System\ZpCdJoh.exe
  2⤵
  PID:4876
- C:\Windows\System\JKxaITB.exe
  C:\Windows\System\JKxaITB.exe
  2⤵
  PID:10444
- C:\Windows\System\ccuwWwh.exe
  C:\Windows\System\ccuwWwh.exe
  2⤵
  PID:10428
- C:\Windows\System\HpASfWg.exe
  C:\Windows\System\HpASfWg.exe
  2⤵
  PID:10796
- C:\Windows\System\sKzqwYG.exe
  C:\Windows\System\sKzqwYG.exe
  2⤵
  PID:10872
- C:\Windows\System\IjMGNLz.exe
  C:\Windows\System\IjMGNLz.exe
  2⤵
  PID:10996
- C:\Windows\System\DbmjEZq.exe
  C:\Windows\System\DbmjEZq.exe
  2⤵
  PID:11100
- C:\Windows\System\IliNfoU.exe
  C:\Windows\System\IliNfoU.exe
  2⤵
  PID:11220
- C:\Windows\System\sCsRNMd.exe
  C:\Windows\System\sCsRNMd.exe
  2⤵
  PID:10712
- C:\Windows\System\IRyTfSz.exe
  C:\Windows\System\IRyTfSz.exe
  2⤵
  PID:2420
- C:\Windows\System\dJIPiqt.exe
  C:\Windows\System\dJIPiqt.exe
  2⤵
  PID:11048
- C:\Windows\System\JaFjmow.exe
  C:\Windows\System\JaFjmow.exe
  2⤵
  PID:10756
- C:\Windows\System\wGnLeuA.exe
  C:\Windows\System\wGnLeuA.exe
  2⤵
  PID:11276
- C:\Windows\System\GoRvKtW.exe
  C:\Windows\System\GoRvKtW.exe
  2⤵
  PID:11296
- C:\Windows\System\LbVtvyT.exe
  C:\Windows\System\LbVtvyT.exe
  2⤵
  PID:11312
- C:\Windows\System\DHsHzRt.exe
  C:\Windows\System\DHsHzRt.exe
  2⤵
  PID:11360
- C:\Windows\System\ulDIlRS.exe
  C:\Windows\System\ulDIlRS.exe
  2⤵
  PID:11388
- C:\Windows\System\twrBGZE.exe
  C:\Windows\System\twrBGZE.exe
  2⤵
  PID:11408
- C:\Windows\System\WivFNap.exe
  C:\Windows\System\WivFNap.exe
  2⤵
  PID:11432
- C:\Windows\System\ikIMNmY.exe
  C:\Windows\System\ikIMNmY.exe
  2⤵
  PID:11452
- C:\Windows\System\cIQnMjn.exe
  C:\Windows\System\cIQnMjn.exe
  2⤵
  PID:11528
- C:\Windows\System\kawFlKF.exe
  C:\Windows\System\kawFlKF.exe
  2⤵
  PID:11564
- C:\Windows\System\RdyowbY.exe
  C:\Windows\System\RdyowbY.exe
  2⤵
  PID:11584
- C:\Windows\System\IRpJxAg.exe
  C:\Windows\System\IRpJxAg.exe
  2⤵
  PID:11612
- C:\Windows\System\qWFqcST.exe
  C:\Windows\System\qWFqcST.exe
  2⤵
  PID:11636
- C:\Windows\System\KqhlrJQ.exe
  C:\Windows\System\KqhlrJQ.exe
  2⤵
  PID:11656
- C:\Windows\System\TIxMBol.exe
  C:\Windows\System\TIxMBol.exe
  2⤵
  PID:11676
- C:\Windows\System\gGGrRmu.exe
  C:\Windows\System\gGGrRmu.exe
  2⤵
  PID:11732
- C:\Windows\System\BbryeDa.exe
  C:\Windows\System\BbryeDa.exe
  2⤵
  PID:11752
- C:\Windows\System\zRmLDrv.exe
  C:\Windows\System\zRmLDrv.exe
  2⤵
  PID:11780
- C:\Windows\System\aHDDqrf.exe
  C:\Windows\System\aHDDqrf.exe
  2⤵
  PID:11824
- C:\Windows\System\NvJfkAf.exe
  C:\Windows\System\NvJfkAf.exe
  2⤵
  PID:11848
- C:\Windows\System\EORKQwb.exe
  C:\Windows\System\EORKQwb.exe
  2⤵
  PID:11868
- C:\Windows\System\BGieXzQ.exe
  C:\Windows\System\BGieXzQ.exe
  2⤵
  PID:11892
- C:\Windows\System\yFmDsqu.exe
  C:\Windows\System\yFmDsqu.exe
  2⤵
  PID:11916
- C:\Windows\System\ISTpWhj.exe
  C:\Windows\System\ISTpWhj.exe
  2⤵
  PID:11932
- C:\Windows\System\RgJRGbL.exe
  C:\Windows\System\RgJRGbL.exe
  2⤵
  PID:11980
- C:\Windows\System\KxqGirT.exe
  C:\Windows\System\KxqGirT.exe
  2⤵
  PID:12012
- C:\Windows\System\wgUUVTR.exe
  C:\Windows\System\wgUUVTR.exe
  2⤵
  PID:12036
- C:\Windows\System\tAwuGvD.exe
  C:\Windows\System\tAwuGvD.exe
  2⤵
  PID:12056
- C:\Windows\System\YxlqVBl.exe
  C:\Windows\System\YxlqVBl.exe
  2⤵
  PID:12084
- C:\Windows\System\kKadYKA.exe
  C:\Windows\System\kKadYKA.exe
  2⤵
  PID:12108
- C:\Windows\System\yISvfiB.exe
  C:\Windows\System\yISvfiB.exe
  2⤵
  PID:12124
- C:\Windows\System\qEXYPyZ.exe
  C:\Windows\System\qEXYPyZ.exe
  2⤵
  PID:12188
- C:\Windows\System\AElWRUg.exe
  C:\Windows\System\AElWRUg.exe
  2⤵
  PID:12212
- C:\Windows\System\uxGnGuK.exe
  C:\Windows\System\uxGnGuK.exe
  2⤵
  PID:12240
- C:\Windows\System\qOayXVJ.exe
  C:\Windows\System\qOayXVJ.exe
  2⤵
  PID:12256
- C:\Windows\System\zCsXezz.exe
  C:\Windows\System\zCsXezz.exe
  2⤵
  PID:12276
- C:\Windows\System\EBxJYTd.exe
  C:\Windows\System\EBxJYTd.exe
  2⤵
  PID:11228
- C:\Windows\System\meWyjDE.exe
  C:\Windows\System\meWyjDE.exe
  2⤵
  PID:11272
- C:\Windows\System\RnuhInP.exe
  C:\Windows\System\RnuhInP.exe
  2⤵
  PID:11308
- C:\Windows\System\cYReZPT.exe
  C:\Windows\System\cYReZPT.exe
  2⤵
  PID:11328
- C:\Windows\System\tEnQCjf.exe
  C:\Windows\System\tEnQCjf.exe
  2⤵
  PID:11556
- C:\Windows\System\hoBqehG.exe
  C:\Windows\System\hoBqehG.exe
  2⤵
  PID:11608
- C:\Windows\System\oMoGjMR.exe
  C:\Windows\System\oMoGjMR.exe
  2⤵
  PID:11628
- C:\Windows\System\lkTgNOF.exe
  C:\Windows\System\lkTgNOF.exe
  2⤵
  PID:11668
- C:\Windows\System\OkCaxaG.exe
  C:\Windows\System\OkCaxaG.exe
  2⤵
  PID:11812
- C:\Windows\System\AVhQXan.exe
  C:\Windows\System\AVhQXan.exe
  2⤵
  PID:11900
- C:\Windows\System\JFPTrCj.exe
  C:\Windows\System\JFPTrCj.exe
  2⤵
  PID:11952
- C:\Windows\System\OOvBnhM.exe
  C:\Windows\System\OOvBnhM.exe
  2⤵
  PID:12008
- C:\Windows\System\bNxfYAY.exe
  C:\Windows\System\bNxfYAY.exe
  2⤵
  PID:12076
- C:\Windows\System\iWAhNtD.exe
  C:\Windows\System\iWAhNtD.exe
  2⤵
  PID:12092
- C:\Windows\System\lefTvRh.exe
  C:\Windows\System\lefTvRh.exe
  2⤵
  PID:536
- C:\Windows\System\QGTGlFR.exe
  C:\Windows\System\QGTGlFR.exe
  2⤵
  PID:12228
- C:\Windows\System\wAxzFDO.exe
  C:\Windows\System\wAxzFDO.exe
  2⤵
  PID:12232
- C:\Windows\System\FZmyAhn.exe
  C:\Windows\System\FZmyAhn.exe
  2⤵
  PID:10328
- C:\Windows\System\tUyxXgf.exe
  C:\Windows\System\tUyxXgf.exe
  2⤵
  PID:11352
- C:\Windows\System\HvGWQyT.exe
  C:\Windows\System\HvGWQyT.exe
  2⤵
  PID:11684
- C:\Windows\System\NATKroa.exe
  C:\Windows\System\NATKroa.exe
  2⤵
  PID:11836
- C:\Windows\System\FBIulrA.exe
  C:\Windows\System\FBIulrA.exe
  2⤵
  PID:11908
- C:\Windows\System\yzWRKzE.exe
  C:\Windows\System\yzWRKzE.exe
  2⤵
  PID:12104
- C:\Windows\System\vsCwIyu.exe
  C:\Windows\System\vsCwIyu.exe
  2⤵
  PID:12180
- C:\Windows\System\IIeBeqx.exe
  C:\Windows\System\IIeBeqx.exe
  2⤵
  PID:12284
- C:\Windows\System\KtobNyt.exe
  C:\Windows\System\KtobNyt.exe
  2⤵
  PID:11292
- C:\Windows\System\aNqzPmj.exe
  C:\Windows\System\aNqzPmj.exe
  2⤵
  PID:12208
- C:\Windows\System\OEHovHh.exe
  C:\Windows\System\OEHovHh.exe
  2⤵
  PID:12300
- C:\Windows\System\AWPCtfo.exe
  C:\Windows\System\AWPCtfo.exe
  2⤵
  PID:12320
- C:\Windows\System\RpSlBnm.exe
  C:\Windows\System\RpSlBnm.exe
  2⤵
  PID:12356
- C:\Windows\System\PhJqinD.exe
  C:\Windows\System\PhJqinD.exe
  2⤵
  PID:12376
- C:\Windows\System\kSJxrFu.exe
  C:\Windows\System\kSJxrFu.exe
  2⤵
  PID:12400
- C:\Windows\System\ScJAePK.exe
  C:\Windows\System\ScJAePK.exe
  2⤵
  PID:12496
- C:\Windows\System\VsvRyst.exe
  C:\Windows\System\VsvRyst.exe
  2⤵
  PID:12516
- C:\Windows\System\GoIWBeY.exe
  C:\Windows\System\GoIWBeY.exe
  2⤵
  PID:12536
- C:\Windows\System\hnYHxpB.exe
  C:\Windows\System\hnYHxpB.exe
  2⤵
  PID:12580
- C:\Windows\System\BNksUAe.exe
  C:\Windows\System\BNksUAe.exe
  2⤵
  PID:12596
- C:\Windows\System\kUrESBN.exe
  C:\Windows\System\kUrESBN.exe
  2⤵
  PID:12636
- C:\Windows\System\tgLXEUH.exe
  C:\Windows\System\tgLXEUH.exe
  2⤵
  PID:12660
- C:\Windows\System\hjiAQVY.exe
  C:\Windows\System\hjiAQVY.exe
  2⤵
  PID:12684
- C:\Windows\System\MDUUASq.exe
  C:\Windows\System\MDUUASq.exe
  2⤵
  PID:12712
- C:\Windows\System\DYdgtFQ.exe
  C:\Windows\System\DYdgtFQ.exe
  2⤵
  PID:12748
- C:\Windows\System\fzcyumJ.exe
  C:\Windows\System\fzcyumJ.exe
  2⤵
  PID:12772
- C:\Windows\System\ASHwmtG.exe
  C:\Windows\System\ASHwmtG.exe
  2⤵
  PID:12804
- C:\Windows\System\wIxYJQN.exe
  C:\Windows\System\wIxYJQN.exe
  2⤵
  PID:12828
- C:\Windows\System\ipMXFDF.exe
  C:\Windows\System\ipMXFDF.exe
  2⤵
  PID:12856
- C:\Windows\System\sapbgvZ.exe
  C:\Windows\System\sapbgvZ.exe
  2⤵
  PID:12876
- C:\Windows\System\ONUbrqL.exe
  C:\Windows\System\ONUbrqL.exe
  2⤵
  PID:12920
- C:\Windows\System\tnNHLfx.exe
  C:\Windows\System\tnNHLfx.exe
  2⤵
  PID:12944
- C:\Windows\System\qOeAWBe.exe
  C:\Windows\System\qOeAWBe.exe
  2⤵
  PID:12968
- C:\Windows\System\lvqiEad.exe
  C:\Windows\System\lvqiEad.exe
  2⤵
  PID:12988
- C:\Windows\System\PAWFndw.exe
  C:\Windows\System\PAWFndw.exe
  2⤵
  PID:13040
- C:\Windows\System\pRLJFzJ.exe
  C:\Windows\System\pRLJFzJ.exe
  2⤵
  PID:13064
- C:\Windows\System\sKiGJvl.exe
  C:\Windows\System\sKiGJvl.exe
  2⤵
  PID:13080
- C:\Windows\System\wxvTgNP.exe
  C:\Windows\System\wxvTgNP.exe
  2⤵
  PID:13100
- C:\Windows\System\OqwUWIW.exe
  C:\Windows\System\OqwUWIW.exe
  2⤵
  PID:13120
- C:\Windows\System\jLxHrFt.exe
  C:\Windows\System\jLxHrFt.exe
  2⤵
  PID:13168
- C:\Windows\System\xnipWnU.exe
  C:\Windows\System\xnipWnU.exe
  2⤵
  PID:13188
- C:\Windows\System\gpqApbS.exe
  C:\Windows\System\gpqApbS.exe
  2⤵
  PID:13220
- C:\Windows\System\UEhbrki.exe
  C:\Windows\System\UEhbrki.exe
  2⤵
  PID:13240
- C:\Windows\System\BKgPxXV.exe
  C:\Windows\System\BKgPxXV.exe
  2⤵
  PID:13272
- C:\Windows\System\hVlWSKl.exe
  C:\Windows\System\hVlWSKl.exe
  2⤵
  PID:11440
- C:\Windows\System\pgXMCbf.exe
  C:\Windows\System\pgXMCbf.exe
  2⤵
  PID:11876
- C:\Windows\System\MFzaSBL.exe
  C:\Windows\System\MFzaSBL.exe
  2⤵
  PID:12336
- C:\Windows\System\CigtEpO.exe
  C:\Windows\System\CigtEpO.exe
  2⤵
  PID:12384
- C:\Windows\System\DIhMpEF.exe
  C:\Windows\System\DIhMpEF.exe
  2⤵
  PID:12352
- C:\Windows\System\mnsBSIg.exe
  C:\Windows\System\mnsBSIg.exe
  2⤵
  PID:12364
- C:\Windows\System\BzOpBTa.exe
  C:\Windows\System\BzOpBTa.exe
  2⤵
  PID:12480
- C:\Windows\System\VwoZGFw.exe
  C:\Windows\System\VwoZGFw.exe
  2⤵
  PID:12576
- C:\Windows\System\DgUklYb.exe
  C:\Windows\System\DgUklYb.exe
  2⤵
  PID:12648
- C:\Windows\System\NdrDIoQ.exe
  C:\Windows\System\NdrDIoQ.exe
  2⤵
  PID:12704
- C:\Windows\System\TQUGbvS.exe
  C:\Windows\System\TQUGbvS.exe
  2⤵
  PID:12812
- C:\Windows\System\gNcqWrs.exe
  C:\Windows\System\gNcqWrs.exe
  2⤵
  PID:12872
- C:\Windows\System\zjiDAGx.exe
  C:\Windows\System\zjiDAGx.exe
  2⤵
  PID:12932
- C:\Windows\System\NupWFyn.exe
  C:\Windows\System\NupWFyn.exe
  2⤵
  PID:13008
- C:\Windows\System\nEzZqfQ.exe
  C:\Windows\System\nEzZqfQ.exe
  2⤵
  PID:12984
- C:\Windows\System\cwGcQzU.exe
  C:\Windows\System\cwGcQzU.exe
  2⤵
  PID:5028
- C:\Windows\System\EqRhsCV.exe
  C:\Windows\System\EqRhsCV.exe
  2⤵
  PID:1344
- C:\Windows\System\yUhPoFV.exe
  C:\Windows\System\yUhPoFV.exe
  2⤵
  PID:4164
- C:\Windows\System\gVsSNtw.exe
  C:\Windows\System\gVsSNtw.exe
  2⤵
  PID:13092
- C:\Windows\System\fDljfWI.exe
  C:\Windows\System\fDljfWI.exe
  2⤵
  PID:13196
- C:\Windows\System\JsQrNIs.exe
  C:\Windows\System\JsQrNIs.exe
  2⤵
  PID:12436
- C:\Windows\System\vmSwTpq.exe
  C:\Windows\System\vmSwTpq.exe
  2⤵
  PID:12528
- C:\Windows\System\BuesUOR.exe
  C:\Windows\System\BuesUOR.exe
  2⤵
  PID:13048
- C:\Windows\System\DqwKKUL.exe
  C:\Windows\System\DqwKKUL.exe
  2⤵
  PID:13156
- C:\Windows\System\VErUvTp.exe
  C:\Windows\System\VErUvTp.exe
  2⤵
  PID:2680
- C:\Windows\System\OeuwTZN.exe
  C:\Windows\System\OeuwTZN.exe
  2⤵
  PID:1956
- C:\Windows\System\HgpufOs.exe
  C:\Windows\System\HgpufOs.exe
  2⤵
  PID:4640
- C:\Windows\System\zRkPhSm.exe
  C:\Windows\System\zRkPhSm.exe
  2⤵
  PID:12980
- C:\Windows\System\JgThtcl.exe
  C:\Windows\System\JgThtcl.exe
  2⤵
  PID:12708
- C:\Windows\System\wzHBDvk.exe
  C:\Windows\System\wzHBDvk.exe
  2⤵
  PID:12292
- C:\Windows\System\NlXbjRK.exe
  C:\Windows\System\NlXbjRK.exe
  2⤵
  PID:10604
- C:\Windows\System\AyyIOQP.exe
  C:\Windows\System\AyyIOQP.exe
  2⤵
  PID:1280
- C:\Windows\System\OIXkjcT.exe
  C:\Windows\System\OIXkjcT.exe
  2⤵
  PID:848
- C:\Windows\System\sopmCQe.exe
  C:\Windows\System\sopmCQe.exe
  2⤵
  PID:1688
- C:\Windows\System\zTDIRZE.exe
  C:\Windows\System\zTDIRZE.exe
  2⤵
  PID:3132
- C:\Windows\System\SsaCXAW.exe
  C:\Windows\System\SsaCXAW.exe
  2⤵
  PID:2264
- C:\Windows\System\dkkapfp.exe
  C:\Windows\System\dkkapfp.exe
  2⤵
  PID:3612
- C:\Windows\System\NwlJIbL.exe
  C:\Windows\System\NwlJIbL.exe
  2⤵
  PID:13300
- C:\Windows\System\CzFXVRE.exe
  C:\Windows\System\CzFXVRE.exe
  2⤵
  PID:11648
- C:\Windows\System\tUrpoqf.exe
  C:\Windows\System\tUrpoqf.exe
  2⤵
  PID:12592
- C:\Windows\System\GJueHoE.exe
  C:\Windows\System\GJueHoE.exe
  2⤵
  PID:4620
- C:\Windows\System\xOZJauX.exe
  C:\Windows\System\xOZJauX.exe
  2⤵
  PID:4612
- C:\Windows\System\vrxfZON.exe
  C:\Windows\System\vrxfZON.exe
  2⤵
  PID:4028
- C:\Windows\System\DKWFFxd.exe
  C:\Windows\System\DKWFFxd.exe
  2⤵
  PID:4112
- C:\Windows\System\lCJJImC.exe
  C:\Windows\System\lCJJImC.exe
  2⤵
  PID:4156
- C:\Windows\System\FQdPkWW.exe
  C:\Windows\System\FQdPkWW.exe
  2⤵
  PID:4248
- C:\Windows\System\fRmbVje.exe
  C:\Windows\System\fRmbVje.exe
  2⤵
  PID:4296
- C:\Windows\System\YXeOzXH.exe
  C:\Windows\System\YXeOzXH.exe
  2⤵
  PID:440
- C:\Windows\System\IfwHPES.exe
  C:\Windows\System\IfwHPES.exe
  2⤵
  PID:1140
- C:\Windows\System\tNhqDtZ.exe
  C:\Windows\System\tNhqDtZ.exe
  2⤵
  PID:844
- C:\Windows\System\OCxuUKu.exe
  C:\Windows\System\OCxuUKu.exe
  2⤵
  PID:3468
- C:\Windows\System\QEoWVtQ.exe
  C:\Windows\System\QEoWVtQ.exe
  2⤵
  PID:916
- C:\Windows\System\SXpHMdq.exe
  C:\Windows\System\SXpHMdq.exe
  2⤵
  PID:3976
- C:\Windows\System\SSywmfM.exe
  C:\Windows\System\SSywmfM.exe
  2⤵
  PID:12616
- C:\Windows\System\nctqGif.exe
  C:\Windows\System\nctqGif.exe
  2⤵
  PID:4752
- C:\Windows\System\Rhprodh.exe
  C:\Windows\System\Rhprodh.exe
  2⤵
  PID:4092
- C:\Windows\System\ThpBCtV.exe
  C:\Windows\System\ThpBCtV.exe
  2⤵
  PID:1012
- C:\Windows\System\aWcVLhA.exe
  C:\Windows\System\aWcVLhA.exe
  2⤵
  PID:1364
- C:\Windows\System\WibDjuh.exe
  C:\Windows\System\WibDjuh.exe
  2⤵
  PID:4184
- C:\Windows\System\ptKZGhO.exe
  C:\Windows\System\ptKZGhO.exe
  2⤵
  PID:5952
- C:\Windows\System\urbSMBk.exe
  C:\Windows\System\urbSMBk.exe
  2⤵
  PID:6752
- C:\Windows\System\iPydxsV.exe
  C:\Windows\System\iPydxsV.exe
  2⤵
  PID:6856
- C:\Windows\System\ZiuWZbl.exe
  C:\Windows\System\ZiuWZbl.exe
  2⤵
  PID:3924
- C:\Windows\System\QLBgNSB.exe
  C:\Windows\System\QLBgNSB.exe
  2⤵
  PID:3316
- C:\Windows\System\qDQGjmp.exe
  C:\Windows\System\qDQGjmp.exe
  2⤵
  PID:3268
- C:\Windows\System\cekjkCr.exe
  C:\Windows\System\cekjkCr.exe
  2⤵
  PID:6684
- C:\Windows\System\vEQEhos.exe
  C:\Windows\System\vEQEhos.exe
  2⤵
  PID:4288
- C:\Windows\System\PEWnNNa.exe
  C:\Windows\System\PEWnNNa.exe
  2⤵
  PID:1892
- C:\Windows\System\oxCoutD.exe
  C:\Windows\System\oxCoutD.exe
  2⤵
  PID:4280
- C:\Windows\System\wBMiyrg.exe
  C:\Windows\System\wBMiyrg.exe
  2⤵
  PID:5696
- C:\Windows\System\QbJfsmF.exe
  C:\Windows\System\QbJfsmF.exe
  2⤵
  PID:4420
- C:\Windows\System\JvIOgDu.exe
  C:\Windows\System\JvIOgDu.exe
  2⤵
  PID:2428
- C:\Windows\System\VIQLnxl.exe
  C:\Windows\System\VIQLnxl.exe
  2⤵
  PID:4828
- C:\Windows\System\sKLsReI.exe
  C:\Windows\System\sKLsReI.exe
  2⤵
  PID:4124
- C:\Windows\System\gexJJlY.exe
  C:\Windows\System\gexJJlY.exe
  2⤵
  PID:4408
- C:\Windows\System\oaoiXkX.exe
  C:\Windows\System\oaoiXkX.exe
  2⤵
  PID:4884
- C:\Windows\System\sSPtjFn.exe
  C:\Windows\System\sSPtjFn.exe
  2⤵
  PID:3656
- C:\Windows\System\stajsgc.exe
  C:\Windows\System\stajsgc.exe
  2⤵
  PID:1472
- C:\Windows\System\GewRKJl.exe
  C:\Windows\System\GewRKJl.exe
  2⤵
  PID:4956
- C:\Windows\System\WYRBBEB.exe
  C:\Windows\System\WYRBBEB.exe
  2⤵
  PID:12612
- C:\Windows\System\BqFhKQY.exe
  C:\Windows\System\BqFhKQY.exe
  2⤵
  PID:1260
- C:\Windows\System\ggmYAuE.exe
  C:\Windows\System\ggmYAuE.exe
  2⤵
  PID:3804
- C:\Windows\System\UcCQgQr.exe
  C:\Windows\System\UcCQgQr.exe
  2⤵
  PID:1320
- C:\Windows\System\aZaAchd.exe
  C:\Windows\System\aZaAchd.exe
  2⤵
  PID:2884
- C:\Windows\System\AXVroKd.exe
  C:\Windows\System\AXVroKd.exe
  2⤵
  PID:4368
- C:\Windows\System\cAjNGKO.exe
  C:\Windows\System\cAjNGKO.exe
  2⤵
  PID:5692
- C:\Windows\System\JUfdhRT.exe
  C:\Windows\System\JUfdhRT.exe
  2⤵
  PID:6660
- C:\Windows\System\gqPJPuu.exe
  C:\Windows\System\gqPJPuu.exe
  2⤵
  PID:4968
- C:\Windows\System\VVeKXho.exe
  C:\Windows\System\VVeKXho.exe
  2⤵
  PID:1980
- C:\Windows\System\aKCaYCW.exe
  C:\Windows\System\aKCaYCW.exe
  2⤵
  PID:3288
- C:\Windows\System\ZjeQNCe.exe
  C:\Windows\System\ZjeQNCe.exe
  2⤵
  PID:4976
- C:\Windows\System\WCAgMIn.exe
  C:\Windows\System\WCAgMIn.exe
  2⤵
  PID:3712
- C:\Windows\System\evgBKRS.exe
  C:\Windows\System\evgBKRS.exe
  2⤵
  PID:968
- C:\Windows\System\ezzLBvf.exe
  C:\Windows\System\ezzLBvf.exe
  2⤵
  PID:4804
- C:\Windows\System\YVvqOZb.exe
  C:\Windows\System\YVvqOZb.exe
  2⤵
  PID:3956
- C:\Windows\System\xkNVGlV.exe
  C:\Windows\System\xkNVGlV.exe
  2⤵
  PID:7948
- C:\Windows\System\fhsESRg.exe
  C:\Windows\System\fhsESRg.exe
  2⤵
  PID:3428
- C:\Windows\System\hiOCFnn.exe
  C:\Windows\System\hiOCFnn.exe
  2⤵
  PID:3228
- C:\Windows\System\ofVzmDE.exe
  C:\Windows\System\ofVzmDE.exe
  2⤵
  PID:1292
- C:\Windows\System\SPQlNKU.exe
  C:\Windows\System\SPQlNKU.exe
  2⤵
  PID:12620
- C:\Windows\System\DKGShcc.exe
  C:\Windows\System\DKGShcc.exe
  2⤵
  PID:4536
- C:\Windows\System\QAfryCM.exe
  C:\Windows\System\QAfryCM.exe
  2⤵
  PID:2644
- C:\Windows\System\pZHLHfp.exe
  C:\Windows\System\pZHLHfp.exe
  2⤵
  PID:3992
- C:\Windows\System\nzGrWkb.exe
  C:\Windows\System\nzGrWkb.exe
  2⤵
  PID:7444
- C:\Windows\System\gigaLEm.exe
  C:\Windows\System\gigaLEm.exe
  2⤵
  PID:1448
- C:\Windows\System\pBxCfaA.exe
  C:\Windows\System\pBxCfaA.exe
  2⤵
  PID:1504
- C:\Windows\System\UDqEDAW.exe
  C:\Windows\System\UDqEDAW.exe
  2⤵
  PID:7640
- C:\Windows\System\ZdGpPDl.exe
  C:\Windows\System\ZdGpPDl.exe
  2⤵
  PID:2824
- C:\Windows\System\BeQnmzP.exe
  C:\Windows\System\BeQnmzP.exe
  2⤵
  PID:1820
- C:\Windows\System\dPJQogl.exe
  C:\Windows\System\dPJQogl.exe
  2⤵
  PID:7424
- C:\Windows\System\xCCrGuJ.exe
  C:\Windows\System\xCCrGuJ.exe
  2⤵
  PID:7740
- C:\Windows\System\gooHZQZ.exe
  C:\Windows\System\gooHZQZ.exe
  2⤵
  PID:6988
- C:\Windows\System\PgazBdF.exe
  C:\Windows\System\PgazBdF.exe
  2⤵
  PID:8276
- C:\Windows\System\inhmBRe.exe
  C:\Windows\System\inhmBRe.exe
  2⤵
  PID:7812
- C:\Windows\System\konfcir.exe
  C:\Windows\System\konfcir.exe
  2⤵
  PID:3332
- C:\Windows\System\UjcmZJo.exe
  C:\Windows\System\UjcmZJo.exe
  2⤵
  PID:668
- C:\Windows\System\mgkoFjR.exe
  C:\Windows\System\mgkoFjR.exe
  2⤵
  PID:3820
- C:\Windows\System\jFiNQvo.exe
  C:\Windows\System\jFiNQvo.exe
  2⤵
  PID:8548
- C:\Windows\System\UakasVb.exe
  C:\Windows\System\UakasVb.exe
  2⤵
  PID:532
- C:\Windows\System\gYmPLwR.exe
  C:\Windows\System\gYmPLwR.exe
  2⤵
  PID:4180
- C:\Windows\System\gxRQXFA.exe
  C:\Windows\System\gxRQXFA.exe
  2⤵
  PID:4336
- C:\Windows\System\BreYfeE.exe
  C:\Windows\System\BreYfeE.exe
  2⤵
  PID:8748
- C:\Windows\System\oBqDaiE.exe
  C:\Windows\System\oBqDaiE.exe
  2⤵
  PID:4452
- C:\Windows\System\FDhCGIX.exe
  C:\Windows\System\FDhCGIX.exe
  2⤵
  PID:8876
- C:\Windows\System\lwyyDKF.exe
  C:\Windows\System\lwyyDKF.exe
  2⤵
  PID:8984
- C:\Windows\System\AAkQWgr.exe
  C:\Windows\System\AAkQWgr.exe
  2⤵
  PID:1676
- C:\Windows\System\lOspIxV.exe
  C:\Windows\System\lOspIxV.exe
  2⤵
  PID:548
- C:\Windows\System\eFGwsqY.exe
  C:\Windows\System\eFGwsqY.exe
  2⤵
  PID:7336
- C:\Windows\System\yDnfNQA.exe
  C:\Windows\System\yDnfNQA.exe
  2⤵
  PID:1952
- C:\Windows\System\iNODLFc.exe
  C:\Windows\System\iNODLFc.exe
  2⤵
  PID:8408
- C:\Windows\System\vqUTcDD.exe
  C:\Windows\System\vqUTcDD.exe
  2⤵
  PID:5136
- C:\Windows\System\exsWvrH.exe
  C:\Windows\System\exsWvrH.exe
  2⤵
  PID:5132
- C:\Windows\System\NQsLzSF.exe
  C:\Windows\System\NQsLzSF.exe
  2⤵
  PID:5192
- C:\Windows\System\vpXDHhU.exe
  C:\Windows\System\vpXDHhU.exe
  2⤵
  PID:8824
- C:\Windows\System\ADZQFBg.exe
  C:\Windows\System\ADZQFBg.exe
  2⤵
  PID:5256
- C:\Windows\System\DTeImig.exe
  C:\Windows\System\DTeImig.exe
  2⤵
  PID:8896
- C:\Windows\System\pxCfgtl.exe
  C:\Windows\System\pxCfgtl.exe
  2⤵
  PID:5344
- C:\Windows\System\nFDuVcR.exe
  C:\Windows\System\nFDuVcR.exe
  2⤵
  PID:9112
- C:\Windows\System\qOUutWb.exe
  C:\Windows\System\qOUutWb.exe
  2⤵
  PID:5372
- C:\Windows\System\YvWZRWE.exe
  C:\Windows\System\YvWZRWE.exe
  2⤵
  PID:1604
- C:\Windows\System\wJqNmMK.exe
  C:\Windows\System\wJqNmMK.exe
  2⤵
  PID:5384
- C:\Windows\System\xAaZObj.exe
  C:\Windows\System\xAaZObj.exe
  2⤵
  PID:5084
- C:\Windows\System\wWKGJPG.exe
  C:\Windows\System\wWKGJPG.exe
  2⤵
  PID:2744
- C:\Windows\System\fWmSWYT.exe
  C:\Windows\System\fWmSWYT.exe
  2⤵
  PID:4492
- C:\Windows\System\swthRge.exe
  C:\Windows\System\swthRge.exe
  2⤵
  PID:116
- C:\Windows\System\mVnnmYv.exe
  C:\Windows\System\mVnnmYv.exe
  2⤵
  PID:8596
- C:\Windows\System\euugflA.exe
  C:\Windows\System\euugflA.exe
  2⤵
  PID:7008
- C:\Windows\System\wDSeUWe.exe
  C:\Windows\System\wDSeUWe.exe
  2⤵
  PID:3400
- C:\Windows\System\jlwGNSJ.exe
  C:\Windows\System\jlwGNSJ.exe
  2⤵
  PID:9224
- C:\Windows\System\IfcrVwb.exe
  C:\Windows\System\IfcrVwb.exe
  2⤵
  PID:8252
- C:\Windows\System\dneaBwT.exe
  C:\Windows\System\dneaBwT.exe
  2⤵
  PID:560
- C:\Windows\System\IgknuYO.exe
  C:\Windows\System\IgknuYO.exe
  2⤵
  PID:5552
- C:\Windows\System\kwiSeYU.exe
  C:\Windows\System\kwiSeYU.exe
  2⤵
  PID:3932
- C:\Windows\System\LICHUbW.exe
  C:\Windows\System\LICHUbW.exe
  2⤵
  PID:4360
- C:\Windows\System\fFYIcyS.exe
  C:\Windows\System\fFYIcyS.exe
  2⤵
  PID:8360
- C:\Windows\System\AlaVPoU.exe
  C:\Windows\System\AlaVPoU.exe
  2⤵
  PID:1696
- C:\Windows\System\sKXtWkV.exe
  C:\Windows\System\sKXtWkV.exe
  2⤵
  PID:8448
- C:\Windows\System\kWWnfvT.exe
  C:\Windows\System\kWWnfvT.exe
  2⤵
  PID:4172
- C:\Windows\System\JQmmiiR.exe
  C:\Windows\System\JQmmiiR.exe
  2⤵
  PID:8672
- C:\Windows\System\fvRJZAV.exe
  C:\Windows\System\fvRJZAV.exe
  2⤵
  PID:3440
- C:\Windows\System\aOiIfoz.exe
  C:\Windows\System\aOiIfoz.exe
  2⤵
  PID:2364
- C:\Windows\System\juQGRly.exe
  C:\Windows\System\juQGRly.exe
  2⤵
  PID:8892
- C:\Windows\System\dlTUzGB.exe
  C:\Windows\System\dlTUzGB.exe
  2⤵
  PID:4344
- C:\Windows\System\pmjIpkv.exe
  C:\Windows\System\pmjIpkv.exe
  2⤵
  PID:9092
- C:\Windows\System\RweHgdB.exe
  C:\Windows\System\RweHgdB.exe
  2⤵
  PID:4616
- C:\Windows\System\SdtLamR.exe
  C:\Windows\System\SdtLamR.exe
  2⤵
  PID:7536
- C:\Windows\System\TFjXnwM.exe
  C:\Windows\System\TFjXnwM.exe
  2⤵
  PID:9128
- C:\Windows\System\CemWnwI.exe
  C:\Windows\System\CemWnwI.exe
  2⤵
  PID:5840
- C:\Windows\System\JZEHWQH.exe
  C:\Windows\System\JZEHWQH.exe
  2⤵
  PID:5980
- C:\Windows\System\GkrxuMA.exe
  C:\Windows\System\GkrxuMA.exe
  2⤵
  PID:4868
- C:\Windows\System\CgVpcUy.exe
  C:\Windows\System\CgVpcUy.exe
  2⤵
  PID:5820
- C:\Windows\System\zvPjhnf.exe
  C:\Windows\System\zvPjhnf.exe
  2⤵
  PID:4304
- C:\Windows\System\EXLWxRT.exe
  C:\Windows\System\EXLWxRT.exe
  2⤵
  PID:8492
- C:\Windows\System\acePYiO.exe
  C:\Windows\System\acePYiO.exe
  2⤵
  PID:8412
- C:\Windows\System\sKxELsg.exe
  C:\Windows\System\sKxELsg.exe
  2⤵
  PID:6064
- C:\Windows\System\ArdAOfA.exe
  C:\Windows\System\ArdAOfA.exe
  2⤵
  PID:6116
- C:\Windows\System\sKJSfVU.exe
  C:\Windows\System\sKJSfVU.exe
  2⤵
  PID:9168
- C:\Windows\System\FVqREpi.exe
  C:\Windows\System\FVqREpi.exe
  2⤵
  PID:8368
- C:\Windows\System\otJcpDz.exe
  C:\Windows\System\otJcpDz.exe
  2⤵
  PID:5180
- C:\Windows\System\XgltXxH.exe
  C:\Windows\System\XgltXxH.exe
  2⤵
  PID:7916
- C:\Windows\System\WpNIVMJ.exe
  C:\Windows\System\WpNIVMJ.exe
  2⤵
  PID:2984
- C:\Windows\System\FhGhHiF.exe
  C:\Windows\System\FhGhHiF.exe
  2⤵
  PID:9616
- C:\Windows\System\OqqyDCX.exe
  C:\Windows\System\OqqyDCX.exe
  2⤵
  PID:9632
- C:\Windows\System\hWROkzo.exe
  C:\Windows\System\hWROkzo.exe
  2⤵
  PID:9668
- C:\Windows\System\JPxsvLF.exe
  C:\Windows\System\JPxsvLF.exe
  2⤵
  PID:9056
- C:\Windows\System\fdUDiUL.exe
  C:\Windows\System\fdUDiUL.exe
  2⤵
  PID:4568
- C:\Windows\System\fFQPOIp.exe
  C:\Windows\System\fFQPOIp.exe
  2⤵
  PID:9368
- C:\Windows\System\RPPCVlT.exe
  C:\Windows\System\RPPCVlT.exe
  2⤵
  PID:8168
- C:\Windows\System\bFiKHQV.exe
  C:\Windows\System\bFiKHQV.exe
  2⤵
  PID:9900
- C:\Windows\System\XNBkdrK.exe
  C:\Windows\System\XNBkdrK.exe
  2⤵
  PID:8100
- C:\Windows\System\PwpuCSw.exe
  C:\Windows\System\PwpuCSw.exe
  2⤵
  PID:5480
- C:\Windows\System\bCKgpny.exe
  C:\Windows\System\bCKgpny.exe
  2⤵
  PID:5460
- C:\Windows\System\IsoaVEr.exe
  C:\Windows\System\IsoaVEr.exe
  2⤵
  PID:7584
- C:\Windows\System\HfsHYBk.exe
  C:\Windows\System\HfsHYBk.exe
  2⤵
  PID:7992
- C:\Windows\System\mAkWshX.exe
  C:\Windows\System\mAkWshX.exe
  2⤵
  PID:9228
- C:\Windows\System\GaRPlkn.exe
  C:\Windows\System\GaRPlkn.exe
  2⤵
  PID:4040
- C:\Windows\System\mqrRobu.exe
  C:\Windows\System\mqrRobu.exe
  2⤵
  PID:8272
- C:\Windows\System\TiUFLyl.exe
  C:\Windows\System\TiUFLyl.exe
  2⤵
  PID:3232
- C:\Windows\System\kzQPZzu.exe
  C:\Windows\System\kzQPZzu.exe
  2⤵
  PID:9012
- C:\Windows\System\QRrlBiH.exe
  C:\Windows\System\QRrlBiH.exe
  2⤵
  PID:5516
- C:\Windows\System\DuKBwow.exe
  C:\Windows\System\DuKBwow.exe
  2⤵
  PID:5600
- C:\Windows\System\tQDiqGg.exe
  C:\Windows\System\tQDiqGg.exe
  2⤵
  PID:3456
- C:\Windows\System\DRHDLVM.exe
  C:\Windows\System\DRHDLVM.exe
  2⤵
  PID:8536
- C:\Windows\System\RSSljKu.exe
  C:\Windows\System\RSSljKu.exe
  2⤵
  PID:5652
- C:\Windows\System\iLAAlgP.exe
  C:\Windows\System\iLAAlgP.exe
  2⤵
  PID:8572
- C:\Windows\System\LbUcUhJ.exe
  C:\Windows\System\LbUcUhJ.exe
  2⤵
  PID:6828
- C:\Windows\System\PcywLYE.exe
  C:\Windows\System\PcywLYE.exe
  2⤵
  PID:1924
- C:\Windows\System\jfIqHps.exe
  C:\Windows\System\jfIqHps.exe
  2⤵
  PID:8848
- C:\Windows\System\oiCuymR.exe
  C:\Windows\System\oiCuymR.exe
  2⤵
  PID:5884
- C:\Windows\System\QQEKCCk.exe
  C:\Windows\System\QQEKCCk.exe
  2⤵
  PID:10396
- C:\Windows\System\qyimDDT.exe
  C:\Windows\System\qyimDDT.exe
  2⤵
  PID:5688
- C:\Windows\System\Eykmjim.exe
  C:\Windows\System\Eykmjim.exe
  2⤵
  PID:5792

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ppjjychh.drc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BqQEiCf.exe

Filesize
2.2MB

MD5
0e23e1d215a1438101f41b81f7bbef8f

SHA1
a8087971e9be8df92f654ed5329257184c6ec071

SHA256
6f963a63804ddae25f984c768cb3c372501179cefbb432c6b6a3bc7928838e05

SHA512
945ca7a04409d169238f7159f37bf5effa6a4e710d43cabede73684d0217b3938d254344cc4360e4d0b632c225b47b8e58e00123783ae86bf2474f831025eb2b

Download Submit
C:\Windows\System\DGmgNkL.exe

Filesize
2.2MB

MD5
2a05c58795883f3d1dbac1b191346d05

SHA1
26569ccfc7d6ae3748ef08d68f365de9aa3ff916

SHA256
d00270cbd0af6cf3981e0c6a5863ea4be57f8fe3429cc180d2b6f5ff4fd264b0

SHA512
9943fb8b2b2c24096b5f5deda1949b0c882ae24939de4aa155a4a6945324f513c64da44d09f03e4cbac44502d5131ccc8edd840424c9a8201a6ce7339a9569ee

Download Submit
C:\Windows\System\FwURhiz.exe

Filesize
2.2MB

MD5
70d4aba32b3bc8149703fa281b765d17

SHA1
b7d0973ea0ee3afcb48bc32d9de161ebc4b9b903

SHA256
3e6b70b07bdbfae4195d6aa6afc2f5820ab4194fb3682370af4efe6e8a0f5227

SHA512
18e62fffd25f1d205b0e4b83ff3ed20bf405db83d9b72ad78654fa0fb3680c98423255db131c3bac19c15fdf778458e0846e02cd39c1daafa97b66c9631e16cd

Download Submit
C:\Windows\System\IvbjJZy.exe

Filesize
2.2MB

MD5
e7fc27be7a4d45ed050eec2243cde288

SHA1
e2507da6afaf5207b812de0b430a08880f403eee

SHA256
612ea0d849b556e417f6b8091fceb0561cd4209ae7867b22f49f59fac40232dc

SHA512
931224ae0ab2442ea58485b3d2502f7943e178e58611c39ca0bb6f7788db91621555b3d21bdb52f058558553d62e9a5221a8f0970f94b032153aacff7e752a0e

Download Submit
C:\Windows\System\KQqSTfe.exe

Filesize
2.2MB

MD5
40e20004d24b70393a993004967ebd91

SHA1
509506802f443fa95d5ee062becaa9908a98b079

SHA256
7b1b81daf2325d5093e25469be7747a214a66f5fdae1d2d5c1f2181c51a08710

SHA512
f57e956e94221792d1d3db87c0d476f7395406576c84e169c7db3527a9242c0080b733040e4f17f9deafd7672fe167f2aedadeaadf2b359fe57121c69ceed502

Download Submit
C:\Windows\System\McFyAKE.exe

Filesize
2.2MB

MD5
1b76b76260efbc6c40360fd865dc6780

SHA1
10a59e3681964ef0b51a810708c68b411882ceb8

SHA256
d90cc726de4e9b671cd2da7e54e7a15f0f0b4d83315dd8b8525c5199badcf976

SHA512
fb85839a84a4671cca7797646d9b130fcd449108cc4c29a8cfdb7c03d2d36a4292862388d8ef8b6ade6b4777f238117dc85fe5e6d0381d636d24cf711ffbdb2f

Download Submit
C:\Windows\System\NGMQNAC.exe

Filesize
2.2MB

MD5
9d94cd89b5d9d0fab4fcac4db678f7be

SHA1
09e32577aa66bd6ddebe20c585533cd685e4eb3b

SHA256
7401e18d65e23faaec7d3395590b51d56cd1a6b80de19655fcf38c76e3970deb

SHA512
bc562a75afecbce1d3060e90c2fddc61834a81c5ef5e969198aaf1dafd9459c2b3cf12b1d347550ac822bd89294830932ec1d59e9373f658b2234a87877c6ac1

Download Submit
C:\Windows\System\NIgFzkw.exe

Filesize
2.2MB

MD5
03066622a6df18c475b3ed6018b0a7a3

SHA1
27f8373c14964d2da5ca0d5adf2cb7b9d1755da5

SHA256
37affdd5068997af0fe5267a0684a2294a7b3f823b0cfa80d2150aeab5722df7

SHA512
964e77c9640edfb4130736b39ae1f427230a22d311ef56f3319995013770499637cd5afcaff620f86c4788dd857ff296ca8cc772c984947cda91f41b92785794

Download Submit
C:\Windows\System\OVVKcIU.exe

Filesize
2.2MB

MD5
c2d9f76f80feb0effa9a87236853a183

SHA1
cccbca0225471f082a3326f334046d9feb1819f9

SHA256
4b9ce0118ee8b02c7e138445414e131a8e2dbca52f9a7303689db40e2eda8d70

SHA512
1f340fc591fc9fe7148a3672dc69381c631935eacda3e46490d6217fe029a3fb92af8c9f68a846c3520b435184f1b02ea69d7c1aff57d09a07bb2c396aed52ac

Download Submit
C:\Windows\System\PRcovzA.exe

Filesize
2.2MB

MD5
97d8fed6c7ef01d28f4003217f4b678e

SHA1
7a06c81297066c1c2b2740add418292d22601bae

SHA256
44603c46451feb42130fce97fb910cee54f11ebaaa84fd5ea5a45addbcff4818

SHA512
335d488f13f4f03c1171eaa0c26a001a83a5168f7ffc4b0af2051e3623702e04a1762a764ebb8cde815e838a1f6db998c7d80cd7f9b561b62446a359b840dc4f

Download Submit
C:\Windows\System\RHElwIp.exe

Filesize
2.2MB

MD5
e53d7fa60ce5bc39039e03d47e741a83

SHA1
ac6fee8f9406116eae515a92cc7b650b1ecaa62c

SHA256
1345180b3e4a82f4227c6727e5c69bcb9625838edbe5a6ace6c863a271defee9

SHA512
e9de999342be16164b8dadbfe9f5dd4aab6f675309daa32f0de6a4ebb6484bd2741882efa3d82b145a46bff63626de39272477f40d4ec21b3933d53d536fe294

Download Submit
C:\Windows\System\RVNFETJ.exe

Filesize
2.2MB

MD5
204a7a2ddd58137c6dbd64d41a6039a2

SHA1
e082870ec6df47c7d636c607a61cf76fc4c0c1e5

SHA256
1a79cf43f52f3674d8bbaac4165898a3fb6fb1467a5b6ddaba7e58da776ad938

SHA512
21d44dbb678c23cb82f49ddfcb59e68f8c5e1847beedf92fa37e8cd95eac20e836ab6b62a4037ce2fc8fbc1c0d449a4bfe2bbd311863f8ecc7e9b8145c42e4fd

Download Submit
C:\Windows\System\SbnaCJP.exe

Filesize
2.2MB

MD5
ae44559dbc214e5164891941a2f15652

SHA1
5854c455593f8a3042ef7abc148e4ad57ac1ee81

SHA256
816af733634f7c565ccc74e50e39ed0e7e790766589241a4d883e4310b998df1

SHA512
4f7c6afb632ee663923a08d4049e52a772d294ea148af96cafcf352016ebf677bb8fedb5f61f06a0df05f78b0765d5303b4d4c6b3e6ed2fe956f34408ed717e2

Download Submit
C:\Windows\System\StBZOiV.exe

Filesize
2.2MB

MD5
315f6ba33d8621ddb2f563870f4e80c3

SHA1
51bec4556d9105434bef4dc632de1bfc443c665c

SHA256
03b4aff9d3d3d9062cba731efc1260d620d0add367fa8d789c3740520b0171bc

SHA512
71d94f2aa8fceaf11cc4eb1d092a64265cea50863dffbbaa4cf2e010bc0ad9c6ea1d8f2f0610f9a2a6b64f680b7991aab0972a5509e47f7dda41b89b9985289e

Download Submit
C:\Windows\System\VsKJelv.exe

Filesize
18B

MD5
0f74d26e324b3e4ca82621930feb3f71

SHA1
51c6fa90586c9009cc733bd2843df60120221d7c

SHA256
fd7091421895dbcf3ff7ed5b13b38b3963999338b6384ef6aea7e3d35f76533b

SHA512
4138922aed63819f2a910844c95c594cb337f1a54724135c8e61e94f0fb0e215db86c537da9be91f8c7625d109830aca6217c6d58a22b0f4be237d3c65bc9b67

Download Submit
C:\Windows\System\WCoMjoC.exe

Filesize
2.2MB

MD5
5b25f624cdf43b137b53735c3fb1cc06

SHA1
8d248f4c91e13150bd5f9d5be270baa9c79bcf2e

SHA256
f4aabb02ed9dfc8ad46b1364bf5dc7b3e4534ad39c04904aff9eeb66b466eed4

SHA512
97db154cc5c9c6598702550511b8a7124abb71fab6f31c2ee74dd4be496d1f07c96db2681d18fd3687fd9c5705e95c701625a06a3ae0264351427d02584b8cd9

Download Submit
C:\Windows\System\dOmXiRE.exe

Filesize
2.2MB

MD5
59c9b923b49b261dd0f919eb8c171a23

SHA1
433be5f6ec6584f33d0382a4f9b7e1c7d0929cf6

SHA256
e25785ad7abbb69339afdccba9d518066d30a2f338a75d9a8cf53989db2d1e52

SHA512
97ad891f7a42eccf9ee57b4497f0cba9f999f933ccdda82a0816d3a7570c2be7be9d2a3eb3cf3926378f921f02da331dfa193c5f33b3d4d9e74de7b2cc5fb4dc

Download Submit
C:\Windows\System\evWYKJY.exe

Filesize
2.2MB

MD5
ec51dcf10bea6ee3fbd1b821fdad8b7a

SHA1
5f18fb036e241690172bb3c06a7aa65f5662a7e1

SHA256
d488583d948041f1f3bdc60e375dcbef0014cd53675c2d0a9fdafda093cc1d86

SHA512
4d901b3d389a39f01118e87b467ed4e6507d4dd759dece08f3de918219663b741ef1e5e266e7d0abad9d4c11111ef5b7258fec5f7b158653059d581164daf386

Download Submit
C:\Windows\System\fVQjMPP.exe

Filesize
2.2MB

MD5
64b13ee16a980cc4c6651b7d4306230a

SHA1
9eca0e57661715bea86bfea89fff6b179e7ef23b

SHA256
0f28018957bcce92451efc52a3c724d0e9cef39a120ab70fca4c1a673ded2f8d

SHA512
043eba1bf61d6e706a61c465da6bcb96caeba646131b17ea868e694351d39b1eb51019c912c305ac769cb09e6c4389228b75d393b6d59b9a96e8f8894984be58

Download Submit
C:\Windows\System\ftcdIfo.exe

Filesize
2.2MB

MD5
9ac58db0d8e3b2cbc1e95523a33424be

SHA1
95548058d0c52d559fde95cf4835426226a0c15f

SHA256
5f32bebfdda3a14d76c404bd48e05686e6c9e485e6fac69556b62bc9db991e59

SHA512
26063272129a3e225ab75d73f2386bcb75c199867ec15c59b38e91a72647356ab9b202801bcb2e9e9059d1edfe5b09d84a16bcf57377caa14442ca54c298a1bd

Download Submit
C:\Windows\System\iyGhOMI.exe

Filesize
2.2MB

MD5
24d6c0616f2aa503ae10c7da461fcff2

SHA1
794e57401e921a0417092477ac28774d0370f66a

SHA256
5e29a166cd17f89518dc5816b03b9cf8d53c4ea42c46e43368e011638945e1fb

SHA512
9aff13334c18cfc60fdea83b858f12570ab6d7c55886df5c2469f5e46ec1c50a95602769150b2b5f44ec9aae140350d16e0ba8e8998ca369b2757b80dc8dbdfa

Download Submit
C:\Windows\System\jnqKIsl.exe

Filesize
2.2MB

MD5
f41e6812a6504ad19a704b567b0b24c6

SHA1
52aa2e22234a166648c2d257e16e6b393729cee9

SHA256
37739db5b989b003e3098f862f8220fdb90bbb57f1926b5b6f00cb9a7cb40e96

SHA512
0b5282b3ef4961a10f8c9e00d22348d2044fef4cdd8b5118dff828e80ad74c583c1c12432956962238e27e1384b837830ddf2bf78ba41d741c3aee9322a7e4c8

Download Submit
C:\Windows\System\kvSUpxa.exe

Filesize
2.2MB

MD5
413320f5ff897a4f6d7ea915765708ad

SHA1
3a65c151c12417e0fcd5ce9e3f92fa79b23f6ee1

SHA256
05711db2cb62c9b50ea4ec363ac735ec4e6696b36940a4d6081a489bb444018c

SHA512
5c3147b8fcf057d2fb7690150479cf19d89778c437270d7d24fe7d41d607034272e7c4567aae77675c8db9c2900388c51ec65252198fe44ce9718ae82f1e9f33

Download Submit
C:\Windows\System\lCLzzEq.exe

Filesize
2.2MB

MD5
785a3ac6691a5d765d00d70876ff9890

SHA1
dfc4b6a94fa325ecb8693ab4e3670bd93a214ebd

SHA256
0273e66aa630452dff49bc4bb836e6109406cc2492ffb3647e0e47a44a69d649

SHA512
1b061d5c60fdfc53acbfd2f909341c2dd05f8dc2672c3eceea47ce665eb410c6731702c896b6d4e38ed699834b9c5f77a7c1d86ca1b5a4f0eeabb583081b0761

Download Submit
C:\Windows\System\lLHBpfc.exe

Filesize
2.2MB

MD5
d6fd92ea70fef16b973e46fdab98d522

SHA1
5e8630156924beef70099b822fae76bd68c343c0

SHA256
0236bdce95b8decead5d0680c93590f678502fcab74748c503dec19a33568768

SHA512
f3793e14a8d1bca49e95cafb89e987950e49fe7aac7381bf64118b847e25dcc3e256fc1b00f4f6b36876c711f2fea95041ede272448512a673a1b4f4753366d9

Download Submit
C:\Windows\System\mBgpdUN.exe

Filesize
2.2MB

MD5
947dfcddc9ce5b8d9ad98910c4a50559

SHA1
eb8e23af3ebe2a6b73f4e7f7a2e47fccfc5aaeab

SHA256
455effe4a6b2c3ed7cb89cc2a1e0702c0b6df659dd35eda45537b9eda9109fb6

SHA512
d9632bb060206907cbd7e8b77314e0f45455936d36cd05c73d80c4f05de6585fa5f5ba5256c81888d9e013ed1ecc7e1db39a4d37237bba1652864fd97618ec90

Download Submit
C:\Windows\System\nQvcNGA.exe

Filesize
2.2MB

MD5
e9af6b6cda919e0eb7601ff3e4a99852

SHA1
f5ea63c2023824355757d169af9187a035331cc9

SHA256
c56272833c672d575db3f9138799695ade64b8f9841f36388e588e576b6ad595

SHA512
6226d9e94ecdfa35524d29ecf3df3c24852659ce461d824648960acfb324ef3cad42e3ef2b5e7e247b9892df9d937ab02a33bf0cb348ada69f65d23bbe722812

Download Submit
C:\Windows\System\sABysjj.exe

Filesize
2.2MB

MD5
b9f141250981ed133eea0735a6b195b9

SHA1
839fedf20afa88459272e370b2e87fceaee1ec63

SHA256
c590fb849511d8746112eeeb73ef5833d5efb1589e3efabd492e45337b9250a8

SHA512
9978ebf00ce676bf30f4ae030eb71594a67798286226949873d063a8e2fb9f959956e715e6882833e1be8d47ae59b04049c7aea475af184cd00d8de7c9868107

Download Submit
C:\Windows\System\sCJstBA.exe

Filesize
2.2MB

MD5
772749fa82a0a2991d4c39359a5b109a

SHA1
b879b9b2a728c9dad67b4bab56fc7de382f75a04

SHA256
4c2b3039053d0c84802d6758310fe1bfd6f184ccfd6f251590e369c197a473a4

SHA512
7eb2143fdd6948c7b41d8933ca4c946d9b6ae3c786f0a12d0cb2cc1e76affb5d46575cd33d54100c1671d6794369227b429b9a899284a1fc2120f99f9d2d0212

Download Submit
C:\Windows\System\stdyZUF.exe

Filesize
2.2MB

MD5
f8e59d8f7854243bb457cb01f2c08f04

SHA1
a516c9a805ff8c80807ef310b79dff02143a8a22

SHA256
13533e95553378ce1508b7098481db628687a0839138488a047289e13083b418

SHA512
b23683c58175235d94439e05cf2b27228bb35cd10abf5b5b93f88cd22dc5e2719e4e31d94a587c726afc8f4275afa5e26a4424a45fbdfe4dcac28a62046243df

Download Submit
C:\Windows\System\tFTYoPF.exe

Filesize
2.2MB

MD5
2e99b1f9df05e9d379298aef8eb50326

SHA1
168845f5cfbe4a99c899625f3b09747b13120bd3

SHA256
32bb5aef52e005b405c556f474b9393947c6690c385e1222cb7939c2de0a5d48

SHA512
c2b57b4ddbe6af19db76f8aaaf2b26ef0450367bd0a71a76c8d7cee535773b872f6fc05c85c6fdcaf8b8a1672094bacc2ae98caa108526167b3a47c13904896a

Download Submit
C:\Windows\System\uBjCEAB.exe

Filesize
2.2MB

MD5
c74718a1a2db8680adb222b59cb7bad4

SHA1
5ed16a10b875f41705f03183e5d518cc7e5f3a32

SHA256
5745999f9793325b9960e900ad7717e06cb53327c97c5cfa2f179fc1ea46d51d

SHA512
f9192b078aa7e51937cebaaa5f5da1ed74b5ff1be120e1c83732005c2f2ebbbba3480b1d07f19f92e23812e22d0ecddb3b067e556163cd56b28af1955d9b960d

Download Submit
C:\Windows\System\vMzCdqg.exe

Filesize
8B

MD5
7844449f1717b2590e53c215fcf07352

SHA1
79d0c9d199e3401234813cacf5dd2de0f53d76f4

SHA256
d54f9b9a769720c875f9b7152a74884a4a9e5a4d80da35d3f847cb8b30b14f4d

SHA512
08987ef45e3b930599e24a17bad53cfff0dadf3651ece3e5b0469612e6c0a9a6cc61ef278c49c769a425e8c5349976b197865ce68d78055e84972e2fe8a0851c

Download Submit
C:\Windows\System\xbsraMz.exe

Filesize
2.2MB

MD5
700ab44bbc9f21a29b4d5d81f873e34a

SHA1
ecd5c385145ec650e2ef9c7c369e39cc0bc9ec33

SHA256
6b6e9137682dccac92f60d66c53fd22b498576a3be8a6869908a7b649e758680

SHA512
dee1e4792c894807a1dc67e45c9c6770b430fe81657cf6f0cbb5ac5e5814c399b22c7fa58b8ddc51337a934124dcfa06732ee32a41cd331f53306d734af03e45

Download Submit
C:\Windows\System\xieZhcc.exe

Filesize
2.2MB

MD5
8d322e9917ebac3c84a576b457f71c1a

SHA1
6f578c3109c3fbf6ad8fb309e5933679db410a77

SHA256
98b9e181d1f70aa6a69230063bc420e01e8fa1c0ce963f5125dc59cb4b3d29fc

SHA512
31431fe9448a87fc6971681816c7b6ccec0ead8a52c4822055c91cddc7d960024ca6d854642474b94d56f2a22e5e97fe7e3329b99d4a602542f27e7eb69b8e9b

Download Submit
memory/624-4276-0x00007FF7BB970000-0x00007FF7BBD62000-memory.dmp

Filesize
3.9MB

Download
memory/624-549-0x00007FF7BB970000-0x00007FF7BBD62000-memory.dmp

Filesize
3.9MB

Download
memory/876-548-0x00007FF766B60000-0x00007FF766F52000-memory.dmp

Filesize
3.9MB

Download
memory/876-4271-0x00007FF766B60000-0x00007FF766F52000-memory.dmp

Filesize
3.9MB

Download
memory/1000-4311-0x00007FF67ABE0000-0x00007FF67AFD2000-memory.dmp

Filesize
3.9MB

Download
memory/1000-556-0x00007FF67ABE0000-0x00007FF67AFD2000-memory.dmp

Filesize
3.9MB

Download
memory/1964-546-0x00007FF71C1E0000-0x00007FF71C5D2000-memory.dmp

Filesize
3.9MB

Download
memory/1964-4260-0x00007FF71C1E0000-0x00007FF71C5D2000-memory.dmp

Filesize
3.9MB

Download
memory/2128-3066-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp

Filesize
3.9MB

Download
memory/2128-4248-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp

Filesize
3.9MB

Download
memory/2128-57-0x00007FF60D790000-0x00007FF60DB82000-memory.dmp

Filesize
3.9MB

Download
memory/2220-4302-0x00007FF7F76B0000-0x00007FF7F7AA2000-memory.dmp

Filesize
3.9MB

Download
memory/2220-554-0x00007FF7F76B0000-0x00007FF7F7AA2000-memory.dmp

Filesize
3.9MB

Download
memory/2412-4253-0x00007FF693BE0000-0x00007FF693FD2000-memory.dmp

Filesize
3.9MB

Download
memory/2412-60-0x00007FF693BE0000-0x00007FF693FD2000-memory.dmp

Filesize
3.9MB

Download
memory/2692-42-0x00007FF6ECE40000-0x00007FF6ED232000-memory.dmp

Filesize
3.9MB

Download
memory/2692-4235-0x00007FF6ECE40000-0x00007FF6ED232000-memory.dmp

Filesize
3.9MB

Download
memory/2816-4298-0x00007FF61E9E0000-0x00007FF61EDD2000-memory.dmp

Filesize
3.9MB

Download
memory/2816-553-0x00007FF61E9E0000-0x00007FF61EDD2000-memory.dmp

Filesize
3.9MB

Download
memory/2832-12-0x00007FF6628C0000-0x00007FF662CB2000-memory.dmp

Filesize
3.9MB

Download
memory/2832-4207-0x00007FF6628C0000-0x00007FF662CB2000-memory.dmp

Filesize
3.9MB

Download
memory/2836-4065-0x00007FF768A20000-0x00007FF768E12000-memory.dmp

Filesize
3.9MB

Download
memory/2836-4902-0x00007FF768A20000-0x00007FF768E12000-memory.dmp

Filesize
3.9MB

Download
memory/2836-69-0x00007FF768A20000-0x00007FF768E12000-memory.dmp

Filesize
3.9MB

Download
memory/3120-552-0x00007FF6EF0A0000-0x00007FF6EF492000-memory.dmp

Filesize
3.9MB

Download
memory/3120-4292-0x00007FF6EF0A0000-0x00007FF6EF492000-memory.dmp

Filesize
3.9MB

Download
memory/3168-46-0x00007FF6ADBD0000-0x00007FF6ADFC2000-memory.dmp

Filesize
3.9MB

Download
memory/3168-4238-0x00007FF6ADBD0000-0x00007FF6ADFC2000-memory.dmp

Filesize
3.9MB

Download
memory/3420-40-0x000002D92F030000-0x000002D92F040000-memory.dmp

Filesize
64KB

Download
memory/3420-39-0x00007FFFDFE10000-0x00007FFFE08D1000-memory.dmp

Filesize
10.8MB

Download
memory/3420-50-0x000002D92F030000-0x000002D92F040000-memory.dmp

Filesize
64KB

Download
memory/3420-38-0x000002D92F000000-0x000002D92F022000-memory.dmp

Filesize
136KB

Download
memory/3420-1822-0x00007FFFDFE10000-0x00007FFFE08D1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-557-0x00007FF7F1F80000-0x00007FF7F2372000-memory.dmp

Filesize
3.9MB

Download
memory/3480-4318-0x00007FF7F1F80000-0x00007FF7F2372000-memory.dmp

Filesize
3.9MB

Download
memory/4016-547-0x00007FF7FE480000-0x00007FF7FE872000-memory.dmp

Filesize
3.9MB

Download
memory/4016-4265-0x00007FF7FE480000-0x00007FF7FE872000-memory.dmp

Filesize
3.9MB

Download
memory/4060-54-0x00007FF740D30000-0x00007FF741122000-memory.dmp

Filesize
3.9MB

Download
memory/4060-4213-0x00007FF740D30000-0x00007FF741122000-memory.dmp

Filesize
3.9MB

Download
memory/4104-0-0x00007FF62A0D0000-0x00007FF62A4C2000-memory.dmp

Filesize
3.9MB

Download
memory/4104-4919-0x00007FF62A0D0000-0x00007FF62A4C2000-memory.dmp

Filesize
3.9MB

Download
memory/4104-1-0x000001D76B490000-0x000001D76B4A0000-memory.dmp

Filesize
64KB

Download
memory/4432-41-0x00007FF650E00000-0x00007FF6511F2000-memory.dmp

Filesize
3.9MB

Download
memory/4496-4283-0x00007FF705D20000-0x00007FF706112000-memory.dmp

Filesize
3.9MB

Download
memory/4496-550-0x00007FF705D20000-0x00007FF706112000-memory.dmp

Filesize
3.9MB

Download
memory/4812-4250-0x00007FF79B980000-0x00007FF79BD72000-memory.dmp

Filesize
3.9MB

Download
memory/4812-66-0x00007FF79B980000-0x00007FF79BD72000-memory.dmp

Filesize
3.9MB

Download
memory/4856-4287-0x00007FF61A2A0000-0x00007FF61A692000-memory.dmp

Filesize
3.9MB

Download
memory/4856-551-0x00007FF61A2A0000-0x00007FF61A692000-memory.dmp

Filesize
3.9MB

Download
memory/5040-4306-0x00007FF7A7F90000-0x00007FF7A8382000-memory.dmp

Filesize
3.9MB

Download
memory/5040-555-0x00007FF7A7F90000-0x00007FF7A8382000-memory.dmp

Filesize
3.9MB

Download