xmrig | 5eee6d2cb01cb441760520310c95e468959803a454d88060e780aa6b3b50a9c9

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
Size

2.1MB
MD5

0b37ffb65002bec4638d65e4dde38d74
SHA1

207840d993fe86c1d3a2943e32d9456b1cdf65c4
SHA256

5eee6d2cb01cb441760520310c95e468959803a454d88060e780aa6b3b50a9c9
SHA512

1196f9b82b589046063cbefef48b8568ca695df108aec3401b05c784833110174e998286faa9a0cf1a7c1b117c294700bc2e0e76986efc2c81be95b0afed982a
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1VQx7Va4qr4:NABx

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral2/memory/3928-34-0x00007FF698110000-0x00007FF698502000-memory.dmp	xmrig
behavioral2/memory/1776-504-0x00007FF76AFA0000-0x00007FF76B392000-memory.dmp	xmrig
behavioral2/memory/4916-505-0x00007FF6F8C90000-0x00007FF6F9082000-memory.dmp	xmrig
behavioral2/memory/4352-506-0x00007FF693E10000-0x00007FF694202000-memory.dmp	xmrig
behavioral2/memory/3652-507-0x00007FF68FDE0000-0x00007FF6901D2000-memory.dmp	xmrig
behavioral2/memory/1852-508-0x00007FF66EE50000-0x00007FF66F242000-memory.dmp	xmrig
behavioral2/memory/1412-503-0x00007FF68BFF0000-0x00007FF68C3E2000-memory.dmp	xmrig
behavioral2/memory/2900-509-0x00007FF605850000-0x00007FF605C42000-memory.dmp	xmrig
behavioral2/memory/668-510-0x00007FF69E910000-0x00007FF69ED02000-memory.dmp	xmrig
behavioral2/memory/1092-519-0x00007FF6CC7F0000-0x00007FF6CCBE2000-memory.dmp	xmrig
behavioral2/memory/3840-516-0x00007FF6FA790000-0x00007FF6FAB82000-memory.dmp	xmrig
behavioral2/memory/4964-513-0x00007FF690960000-0x00007FF690D52000-memory.dmp	xmrig
behavioral2/memory/3784-529-0x00007FF6E5F30000-0x00007FF6E6322000-memory.dmp	xmrig
behavioral2/memory/2512-540-0x00007FF78ABD0000-0x00007FF78AFC2000-memory.dmp	xmrig
behavioral2/memory/2020-552-0x00007FF72A060000-0x00007FF72A452000-memory.dmp	xmrig
behavioral2/memory/512-556-0x00007FF725590000-0x00007FF725982000-memory.dmp	xmrig
behavioral2/memory/3924-559-0x00007FF76A300000-0x00007FF76A6F2000-memory.dmp	xmrig
behavioral2/memory/1712-578-0x00007FF7722C0000-0x00007FF7726B2000-memory.dmp	xmrig
behavioral2/memory/2360-567-0x00007FF66C640000-0x00007FF66CA32000-memory.dmp	xmrig
behavioral2/memory/3976-2066-0x00007FF6FBE20000-0x00007FF6FC212000-memory.dmp	xmrig
behavioral2/memory/1384-2067-0x00007FF6D7430000-0x00007FF6D7822000-memory.dmp	xmrig
behavioral2/memory/3928-2069-0x00007FF698110000-0x00007FF698502000-memory.dmp	xmrig
behavioral2/memory/2360-2071-0x00007FF66C640000-0x00007FF66CA32000-memory.dmp	xmrig
behavioral2/memory/3976-2073-0x00007FF6FBE20000-0x00007FF6FC212000-memory.dmp	xmrig
behavioral2/memory/1384-2079-0x00007FF6D7430000-0x00007FF6D7822000-memory.dmp	xmrig
behavioral2/memory/1776-2077-0x00007FF76AFA0000-0x00007FF76B392000-memory.dmp	xmrig
behavioral2/memory/1412-2076-0x00007FF68BFF0000-0x00007FF68C3E2000-memory.dmp	xmrig
behavioral2/memory/4916-2081-0x00007FF6F8C90000-0x00007FF6F9082000-memory.dmp	xmrig
behavioral2/memory/512-2108-0x00007FF725590000-0x00007FF725982000-memory.dmp	xmrig
behavioral2/memory/3784-2110-0x00007FF6E5F30000-0x00007FF6E6322000-memory.dmp	xmrig
behavioral2/memory/3924-2106-0x00007FF76A300000-0x00007FF76A6F2000-memory.dmp	xmrig
behavioral2/memory/2512-2103-0x00007FF78ABD0000-0x00007FF78AFC2000-memory.dmp	xmrig
behavioral2/memory/2020-2099-0x00007FF72A060000-0x00007FF72A452000-memory.dmp	xmrig
behavioral2/memory/668-2097-0x00007FF69E910000-0x00007FF69ED02000-memory.dmp	xmrig
behavioral2/memory/1852-2095-0x00007FF66EE50000-0x00007FF66F242000-memory.dmp	xmrig
behavioral2/memory/2900-2092-0x00007FF605850000-0x00007FF605C42000-memory.dmp	xmrig
behavioral2/memory/4964-2089-0x00007FF690960000-0x00007FF690D52000-memory.dmp	xmrig
behavioral2/memory/3652-2087-0x00007FF68FDE0000-0x00007FF6901D2000-memory.dmp	xmrig
behavioral2/memory/1092-2101-0x00007FF6CC7F0000-0x00007FF6CCBE2000-memory.dmp	xmrig
behavioral2/memory/3840-2093-0x00007FF6FA790000-0x00007FF6FAB82000-memory.dmp	xmrig
behavioral2/memory/4352-2085-0x00007FF693E10000-0x00007FF694202000-memory.dmp	xmrig
behavioral2/memory/1712-2083-0x00007FF7722C0000-0x00007FF7726B2000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3976	xRNSuLo.exe
2360	iNzIZPD.exe
3928	PCDVBMz.exe
1384	qkIxHvB.exe
1412	SWhemyd.exe
1776	sktamOB.exe
4916	TKPaOkO.exe
1712	xlSCBvn.exe
4352	mpQmIuC.exe
3652	STOpwGs.exe
1852	jUwbvuD.exe
2900	HbIOoua.exe
668	HzYrcYU.exe
4964	BLVdedX.exe
3840	ATOobiQ.exe
1092	ANGSwha.exe
3784	aoUXfqI.exe
2512	TzJwEuL.exe
2020	qOqObVM.exe
512	iPFnBDV.exe
3924	FuHWluT.exe
684	WLEHsiD.exe
740	wIBXbQL.exe
4980	pgNUhpl.exe
1012	fSfxnMi.exe
1424	itPsdDW.exe
3672	OftQTOr.exe
3428	auFADUI.exe
1516	jEtBOHi.exe
1268	rHYEFni.exe
2200	VnQpKea.exe
4260	waoXFny.exe
3268	uWSbmDG.exe
2708	WMDPUGu.exe
3472	tslONak.exe
2132	EvuTYpV.exe
3272	YFvbeYC.exe
2148	OVXtGZK.exe
4168	OosvjbZ.exe
992	ElfAoVn.exe
2716	Vkbxeaz.exe
5004	MLVdJSz.exe
2600	KuxvUUE.exe
4872	VQNwfLS.exe
4308	xWxTaLM.exe
1152	NDpTDyz.exe
2456	kYUleyi.exe
4332	ahADsUj.exe
3600	ePmDGPN.exe
5048	ScAQkXN.exe
772	AaYplJZ.exe
2548	XIYaoyp.exe
556	uEAFdwn.exe
3864	HxHEiyE.exe
3592	eFPldDa.exe
1008	YJOntso.exe
4360	PjcbLaZ.exe
1020	VmVxcVW.exe
3232	nGBqLmK.exe
60	hQBywvD.exe
3164	gOyGszd.exe
2252	RPtzWkT.exe
4856	WqKQwwz.exe
1596	NFpDaYC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2864-0-0x00007FF681E20000-0x00007FF682212000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-8.dat	upx
behavioral2/memory/3976-7-0x00007FF6FBE20000-0x00007FF6FC212000-memory.dmp	upx
behavioral2/files/0x000b000000023b7f-5.dat	upx
behavioral2/files/0x000a000000023b85-26.dat	upx
behavioral2/memory/3928-34-0x00007FF698110000-0x00007FF698502000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-41.dat	upx
behavioral2/files/0x000a000000023b8a-47.dat	upx
behavioral2/files/0x000a000000023b8b-52.dat	upx
behavioral2/files/0x000a000000023b8c-67.dat	upx
behavioral2/files/0x000a000000023b90-83.dat	upx
behavioral2/files/0x000b000000023b8f-91.dat	upx
behavioral2/files/0x000a000000023b94-108.dat	upx
behavioral2/files/0x000a000000023b96-118.dat	upx
behavioral2/files/0x000a000000023b98-128.dat	upx
behavioral2/files/0x000a000000023b99-141.dat	upx
behavioral2/files/0x000a000000023b9f-163.dat	upx
behavioral2/files/0x000a000000023ba2-178.dat	upx
behavioral2/files/0x000a000000023ba0-176.dat	upx
behavioral2/files/0x000a000000023ba1-173.dat	upx
behavioral2/files/0x000a000000023b9e-166.dat	upx
behavioral2/files/0x000a000000023b9d-161.dat	upx
behavioral2/files/0x000a000000023b9c-156.dat	upx
behavioral2/files/0x000a000000023b9b-151.dat	upx
behavioral2/files/0x000a000000023b9a-146.dat	upx
behavioral2/files/0x000a000000023b97-131.dat	upx
behavioral2/files/0x000a000000023b95-121.dat	upx
behavioral2/files/0x000a000000023b93-111.dat	upx
behavioral2/files/0x000b000000023b8e-106.dat	upx
behavioral2/files/0x000a000000023b92-101.dat	upx
behavioral2/files/0x000a000000023b91-96.dat	upx
behavioral2/files/0x000a000000023b8d-78.dat	upx
behavioral2/memory/1384-66-0x00007FF6D7430000-0x00007FF6D7822000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-50.dat	upx
behavioral2/files/0x000a000000023b86-39.dat	upx
behavioral2/files/0x000a000000023b87-33.dat	upx
behavioral2/files/0x000a000000023b83-19.dat	upx
behavioral2/memory/1776-504-0x00007FF76AFA0000-0x00007FF76B392000-memory.dmp	upx
behavioral2/memory/4916-505-0x00007FF6F8C90000-0x00007FF6F9082000-memory.dmp	upx
behavioral2/memory/4352-506-0x00007FF693E10000-0x00007FF694202000-memory.dmp	upx
behavioral2/memory/3652-507-0x00007FF68FDE0000-0x00007FF6901D2000-memory.dmp	upx
behavioral2/memory/1852-508-0x00007FF66EE50000-0x00007FF66F242000-memory.dmp	upx
behavioral2/memory/1412-503-0x00007FF68BFF0000-0x00007FF68C3E2000-memory.dmp	upx
behavioral2/memory/2900-509-0x00007FF605850000-0x00007FF605C42000-memory.dmp	upx
behavioral2/memory/668-510-0x00007FF69E910000-0x00007FF69ED02000-memory.dmp	upx
behavioral2/memory/1092-519-0x00007FF6CC7F0000-0x00007FF6CCBE2000-memory.dmp	upx
behavioral2/memory/3840-516-0x00007FF6FA790000-0x00007FF6FAB82000-memory.dmp	upx
behavioral2/memory/4964-513-0x00007FF690960000-0x00007FF690D52000-memory.dmp	upx
behavioral2/memory/3784-529-0x00007FF6E5F30000-0x00007FF6E6322000-memory.dmp	upx
behavioral2/memory/2512-540-0x00007FF78ABD0000-0x00007FF78AFC2000-memory.dmp	upx
behavioral2/memory/2020-552-0x00007FF72A060000-0x00007FF72A452000-memory.dmp	upx
behavioral2/memory/512-556-0x00007FF725590000-0x00007FF725982000-memory.dmp	upx
behavioral2/memory/3924-559-0x00007FF76A300000-0x00007FF76A6F2000-memory.dmp	upx
behavioral2/memory/1712-578-0x00007FF7722C0000-0x00007FF7726B2000-memory.dmp	upx
behavioral2/memory/2360-567-0x00007FF66C640000-0x00007FF66CA32000-memory.dmp	upx
behavioral2/memory/3976-2066-0x00007FF6FBE20000-0x00007FF6FC212000-memory.dmp	upx
behavioral2/memory/1384-2067-0x00007FF6D7430000-0x00007FF6D7822000-memory.dmp	upx
behavioral2/memory/3928-2069-0x00007FF698110000-0x00007FF698502000-memory.dmp	upx
behavioral2/memory/2360-2071-0x00007FF66C640000-0x00007FF66CA32000-memory.dmp	upx
behavioral2/memory/3976-2073-0x00007FF6FBE20000-0x00007FF6FC212000-memory.dmp	upx
behavioral2/memory/1384-2079-0x00007FF6D7430000-0x00007FF6D7822000-memory.dmp	upx
behavioral2/memory/1776-2077-0x00007FF76AFA0000-0x00007FF76B392000-memory.dmp	upx
behavioral2/memory/1412-2076-0x00007FF68BFF0000-0x00007FF68C3E2000-memory.dmp	upx
behavioral2/memory/4916-2081-0x00007FF6F8C90000-0x00007FF6F9082000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\okaCuHs.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\bScqYLS.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\WqKQwwz.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\cPUKDgk.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\GJZQZNY.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\dICTnZU.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\OBjiAdg.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\AaYplJZ.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\QmyKLZs.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\xKXBeGl.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\gtaUfUF.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\MeaRJGx.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\zWVbSYZ.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\TFCIgWL.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\DusGuwX.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\itPsdDW.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\HOIpHyA.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\frnCAXN.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\rIfkajt.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\UzGdVhE.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\SkXAGUH.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\wEBsyAe.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\skZGdyh.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\PRvUBKn.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\wpjsLdq.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\gPzwGUR.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\FxJeHOO.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\kmuWpeX.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\jYaEddG.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\ErlogiA.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\RXhqHVr.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\KFCZWDg.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\Nowzdwf.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\HtRbYNG.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\hqtSazn.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\XNziBvu.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\kgscwQC.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\YJGdkXx.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\StbNLvj.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\FGRmhFn.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\myOtToe.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\gGlhYuG.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\HVahJVQ.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\auFADUI.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\kYUleyi.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\Qhgqrnh.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\rOIrImm.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\lMYJdEt.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\glolNNu.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\JzravHR.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\qyCHwku.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\dkQxNee.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\zMVPGth.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\ADisvqa.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\viYjSck.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\IuOrioT.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\ALHJJfa.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\lDKMdBO.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\FsolnWl.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\NmFNqEo.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\uWFtqws.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\CUhZQkN.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\UXNwYUX.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
File created	C:\Windows\System\tDseCFA.exe	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4528	powershell.exe
4528	powershell.exe
4528	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeCreateGlobalPrivilege	13456	dwm.exe
Token: SeChangeNotifyPrivilege	13456	dwm.exe
Token: 33	13456	dwm.exe
Token: SeIncBasePriorityPrivilege	13456	dwm.exe
Token: SeShutdownPrivilege	13456	dwm.exe
Token: SeCreatePagefilePrivilege	13456	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 4528	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	84
PID 2864 wrote to memory of 4528	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	84
PID 2864 wrote to memory of 3976	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	85
PID 2864 wrote to memory of 3976	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	85
PID 2864 wrote to memory of 2360	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	86
PID 2864 wrote to memory of 2360	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	86
PID 2864 wrote to memory of 3928	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	87
PID 2864 wrote to memory of 3928	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	87
PID 2864 wrote to memory of 1384	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	88
PID 2864 wrote to memory of 1384	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	88
PID 2864 wrote to memory of 1412	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	89
PID 2864 wrote to memory of 1412	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	89
PID 2864 wrote to memory of 1776	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	90
PID 2864 wrote to memory of 1776	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	90
PID 2864 wrote to memory of 4916	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	91
PID 2864 wrote to memory of 4916	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	91
PID 2864 wrote to memory of 1712	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	92
PID 2864 wrote to memory of 1712	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	92
PID 2864 wrote to memory of 4352	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	93
PID 2864 wrote to memory of 4352	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	93
PID 2864 wrote to memory of 3652	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	94
PID 2864 wrote to memory of 3652	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	94
PID 2864 wrote to memory of 1852	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	95
PID 2864 wrote to memory of 1852	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	95
PID 2864 wrote to memory of 2900	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	96
PID 2864 wrote to memory of 2900	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	96
PID 2864 wrote to memory of 668	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	97
PID 2864 wrote to memory of 668	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	97
PID 2864 wrote to memory of 4964	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	98
PID 2864 wrote to memory of 4964	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	98
PID 2864 wrote to memory of 3840	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	99
PID 2864 wrote to memory of 3840	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	99
PID 2864 wrote to memory of 1092	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	100
PID 2864 wrote to memory of 1092	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	100
PID 2864 wrote to memory of 3784	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	101
PID 2864 wrote to memory of 3784	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	101
PID 2864 wrote to memory of 2512	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	102
PID 2864 wrote to memory of 2512	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	102
PID 2864 wrote to memory of 2020	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	103
PID 2864 wrote to memory of 2020	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	103
PID 2864 wrote to memory of 512	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	104
PID 2864 wrote to memory of 512	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	104
PID 2864 wrote to memory of 3924	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	105
PID 2864 wrote to memory of 3924	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	105
PID 2864 wrote to memory of 684	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	106
PID 2864 wrote to memory of 684	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	106
PID 2864 wrote to memory of 740	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	107
PID 2864 wrote to memory of 740	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	107
PID 2864 wrote to memory of 4980	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	108
PID 2864 wrote to memory of 4980	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	108
PID 2864 wrote to memory of 1012	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	109
PID 2864 wrote to memory of 1012	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	109
PID 2864 wrote to memory of 1424	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	110
PID 2864 wrote to memory of 1424	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	110
PID 2864 wrote to memory of 3672	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	111
PID 2864 wrote to memory of 3672	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	111
PID 2864 wrote to memory of 3428	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	112
PID 2864 wrote to memory of 3428	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	112
PID 2864 wrote to memory of 1516	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	113
PID 2864 wrote to memory of 1516	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	113
PID 2864 wrote to memory of 1268	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	114
PID 2864 wrote to memory of 1268	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	114
PID 2864 wrote to memory of 2200	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	115
PID 2864 wrote to memory of 2200	2864	0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b37ffb65002bec4638d65e4dde38d74_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\System\xRNSuLo.exe
  C:\Windows\System\xRNSuLo.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\iNzIZPD.exe
  C:\Windows\System\iNzIZPD.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\PCDVBMz.exe
  C:\Windows\System\PCDVBMz.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\qkIxHvB.exe
  C:\Windows\System\qkIxHvB.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System\SWhemyd.exe
  C:\Windows\System\SWhemyd.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\sktamOB.exe
  C:\Windows\System\sktamOB.exe
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\System\TKPaOkO.exe
  C:\Windows\System\TKPaOkO.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\xlSCBvn.exe
  C:\Windows\System\xlSCBvn.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\mpQmIuC.exe
  C:\Windows\System\mpQmIuC.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\STOpwGs.exe
  C:\Windows\System\STOpwGs.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\jUwbvuD.exe
  C:\Windows\System\jUwbvuD.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\HbIOoua.exe
  C:\Windows\System\HbIOoua.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\HzYrcYU.exe
  C:\Windows\System\HzYrcYU.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\BLVdedX.exe
  C:\Windows\System\BLVdedX.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\ATOobiQ.exe
  C:\Windows\System\ATOobiQ.exe
  2⤵
  - Executes dropped EXE
  PID:3840
- C:\Windows\System\ANGSwha.exe
  C:\Windows\System\ANGSwha.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\aoUXfqI.exe
  C:\Windows\System\aoUXfqI.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\TzJwEuL.exe
  C:\Windows\System\TzJwEuL.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\qOqObVM.exe
  C:\Windows\System\qOqObVM.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\iPFnBDV.exe
  C:\Windows\System\iPFnBDV.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\FuHWluT.exe
  C:\Windows\System\FuHWluT.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\WLEHsiD.exe
  C:\Windows\System\WLEHsiD.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\wIBXbQL.exe
  C:\Windows\System\wIBXbQL.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\pgNUhpl.exe
  C:\Windows\System\pgNUhpl.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\fSfxnMi.exe
  C:\Windows\System\fSfxnMi.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System\itPsdDW.exe
  C:\Windows\System\itPsdDW.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\OftQTOr.exe
  C:\Windows\System\OftQTOr.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\auFADUI.exe
  C:\Windows\System\auFADUI.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\jEtBOHi.exe
  C:\Windows\System\jEtBOHi.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\rHYEFni.exe
  C:\Windows\System\rHYEFni.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\VnQpKea.exe
  C:\Windows\System\VnQpKea.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\waoXFny.exe
  C:\Windows\System\waoXFny.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\uWSbmDG.exe
  C:\Windows\System\uWSbmDG.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\WMDPUGu.exe
  C:\Windows\System\WMDPUGu.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\tslONak.exe
  C:\Windows\System\tslONak.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\EvuTYpV.exe
  C:\Windows\System\EvuTYpV.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\YFvbeYC.exe
  C:\Windows\System\YFvbeYC.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\OVXtGZK.exe
  C:\Windows\System\OVXtGZK.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\OosvjbZ.exe
  C:\Windows\System\OosvjbZ.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\ElfAoVn.exe
  C:\Windows\System\ElfAoVn.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\Vkbxeaz.exe
  C:\Windows\System\Vkbxeaz.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\MLVdJSz.exe
  C:\Windows\System\MLVdJSz.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\KuxvUUE.exe
  C:\Windows\System\KuxvUUE.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\VQNwfLS.exe
  C:\Windows\System\VQNwfLS.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\xWxTaLM.exe
  C:\Windows\System\xWxTaLM.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\NDpTDyz.exe
  C:\Windows\System\NDpTDyz.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\kYUleyi.exe
  C:\Windows\System\kYUleyi.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\ahADsUj.exe
  C:\Windows\System\ahADsUj.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\ePmDGPN.exe
  C:\Windows\System\ePmDGPN.exe
  2⤵
  - Executes dropped EXE
  PID:3600
- C:\Windows\System\ScAQkXN.exe
  C:\Windows\System\ScAQkXN.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\AaYplJZ.exe
  C:\Windows\System\AaYplJZ.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System\XIYaoyp.exe
  C:\Windows\System\XIYaoyp.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\uEAFdwn.exe
  C:\Windows\System\uEAFdwn.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\HxHEiyE.exe
  C:\Windows\System\HxHEiyE.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\eFPldDa.exe
  C:\Windows\System\eFPldDa.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\YJOntso.exe
  C:\Windows\System\YJOntso.exe
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Windows\System\PjcbLaZ.exe
  C:\Windows\System\PjcbLaZ.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\VmVxcVW.exe
  C:\Windows\System\VmVxcVW.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\nGBqLmK.exe
  C:\Windows\System\nGBqLmK.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\hQBywvD.exe
  C:\Windows\System\hQBywvD.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\gOyGszd.exe
  C:\Windows\System\gOyGszd.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\RPtzWkT.exe
  C:\Windows\System\RPtzWkT.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\WqKQwwz.exe
  C:\Windows\System\WqKQwwz.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\NFpDaYC.exe
  C:\Windows\System\NFpDaYC.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\pjwnxrT.exe
  C:\Windows\System\pjwnxrT.exe
  2⤵
  PID:2824
- C:\Windows\System\RMANWOE.exe
  C:\Windows\System\RMANWOE.exe
  2⤵
  PID:3688
- C:\Windows\System\jmaiAMY.exe
  C:\Windows\System\jmaiAMY.exe
  2⤵
  PID:4132
- C:\Windows\System\mOKMGKt.exe
  C:\Windows\System\mOKMGKt.exe
  2⤵
  PID:2248
- C:\Windows\System\NPJObCJ.exe
  C:\Windows\System\NPJObCJ.exe
  2⤵
  PID:452
- C:\Windows\System\uhMSxHL.exe
  C:\Windows\System\uhMSxHL.exe
  2⤵
  PID:3880
- C:\Windows\System\GwSicwE.exe
  C:\Windows\System\GwSicwE.exe
  2⤵
  PID:2076
- C:\Windows\System\SimYoEg.exe
  C:\Windows\System\SimYoEg.exe
  2⤵
  PID:908
- C:\Windows\System\LrUjdTx.exe
  C:\Windows\System\LrUjdTx.exe
  2⤵
  PID:1440
- C:\Windows\System\bzalcDg.exe
  C:\Windows\System\bzalcDg.exe
  2⤵
  PID:2784
- C:\Windows\System\IiiZmlD.exe
  C:\Windows\System\IiiZmlD.exe
  2⤵
  PID:3736
- C:\Windows\System\jXnUBTu.exe
  C:\Windows\System\jXnUBTu.exe
  2⤵
  PID:2028
- C:\Windows\System\feujvba.exe
  C:\Windows\System\feujvba.exe
  2⤵
  PID:5148
- C:\Windows\System\PgsJBvs.exe
  C:\Windows\System\PgsJBvs.exe
  2⤵
  PID:5176
- C:\Windows\System\yvFCSJF.exe
  C:\Windows\System\yvFCSJF.exe
  2⤵
  PID:5204
- C:\Windows\System\hPMlgPg.exe
  C:\Windows\System\hPMlgPg.exe
  2⤵
  PID:5232
- C:\Windows\System\dyTobWN.exe
  C:\Windows\System\dyTobWN.exe
  2⤵
  PID:5260
- C:\Windows\System\Xiulwbr.exe
  C:\Windows\System\Xiulwbr.exe
  2⤵
  PID:5288
- C:\Windows\System\FEYWEsn.exe
  C:\Windows\System\FEYWEsn.exe
  2⤵
  PID:5316
- C:\Windows\System\uzvZoQk.exe
  C:\Windows\System\uzvZoQk.exe
  2⤵
  PID:5344
- C:\Windows\System\ALHJJfa.exe
  C:\Windows\System\ALHJJfa.exe
  2⤵
  PID:5376
- C:\Windows\System\TtdHXlK.exe
  C:\Windows\System\TtdHXlK.exe
  2⤵
  PID:5400
- C:\Windows\System\rXcTveL.exe
  C:\Windows\System\rXcTveL.exe
  2⤵
  PID:5428
- C:\Windows\System\LKrpXIa.exe
  C:\Windows\System\LKrpXIa.exe
  2⤵
  PID:5456
- C:\Windows\System\gyzbGDj.exe
  C:\Windows\System\gyzbGDj.exe
  2⤵
  PID:5484
- C:\Windows\System\wLSNxTP.exe
  C:\Windows\System\wLSNxTP.exe
  2⤵
  PID:5512
- C:\Windows\System\NbmjyfU.exe
  C:\Windows\System\NbmjyfU.exe
  2⤵
  PID:5540
- C:\Windows\System\aPHXGby.exe
  C:\Windows\System\aPHXGby.exe
  2⤵
  PID:5568
- C:\Windows\System\HNBJYqI.exe
  C:\Windows\System\HNBJYqI.exe
  2⤵
  PID:5596
- C:\Windows\System\tSHknHe.exe
  C:\Windows\System\tSHknHe.exe
  2⤵
  PID:5628
- C:\Windows\System\FwKiuxY.exe
  C:\Windows\System\FwKiuxY.exe
  2⤵
  PID:5672
- C:\Windows\System\GIeGAJj.exe
  C:\Windows\System\GIeGAJj.exe
  2⤵
  PID:5700
- C:\Windows\System\RrNxcax.exe
  C:\Windows\System\RrNxcax.exe
  2⤵
  PID:5720
- C:\Windows\System\AHgXirw.exe
  C:\Windows\System\AHgXirw.exe
  2⤵
  PID:5744
- C:\Windows\System\FvIWWfO.exe
  C:\Windows\System\FvIWWfO.exe
  2⤵
  PID:5772
- C:\Windows\System\PcssYfR.exe
  C:\Windows\System\PcssYfR.exe
  2⤵
  PID:5800
- C:\Windows\System\RQRvOzp.exe
  C:\Windows\System\RQRvOzp.exe
  2⤵
  PID:5828
- C:\Windows\System\gZOuUGc.exe
  C:\Windows\System\gZOuUGc.exe
  2⤵
  PID:5848
- C:\Windows\System\CeZWooS.exe
  C:\Windows\System\CeZWooS.exe
  2⤵
  PID:5876
- C:\Windows\System\COYQYuq.exe
  C:\Windows\System\COYQYuq.exe
  2⤵
  PID:5904
- C:\Windows\System\rDFZZcl.exe
  C:\Windows\System\rDFZZcl.exe
  2⤵
  PID:5932
- C:\Windows\System\rAgZoKe.exe
  C:\Windows\System\rAgZoKe.exe
  2⤵
  PID:5960
- C:\Windows\System\iZnduOA.exe
  C:\Windows\System\iZnduOA.exe
  2⤵
  PID:5988
- C:\Windows\System\uRJJPOc.exe
  C:\Windows\System\uRJJPOc.exe
  2⤵
  PID:6016
- C:\Windows\System\FasdSmI.exe
  C:\Windows\System\FasdSmI.exe
  2⤵
  PID:6044
- C:\Windows\System\kmuWpeX.exe
  C:\Windows\System\kmuWpeX.exe
  2⤵
  PID:6072
- C:\Windows\System\NomwYlX.exe
  C:\Windows\System\NomwYlX.exe
  2⤵
  PID:6100
- C:\Windows\System\pxtADgV.exe
  C:\Windows\System\pxtADgV.exe
  2⤵
  PID:6128
- C:\Windows\System\jXPVKuS.exe
  C:\Windows\System\jXPVKuS.exe
  2⤵
  PID:2916
- C:\Windows\System\lDKMdBO.exe
  C:\Windows\System\lDKMdBO.exe
  2⤵
  PID:2552
- C:\Windows\System\jonEvtN.exe
  C:\Windows\System\jonEvtN.exe
  2⤵
  PID:4216
- C:\Windows\System\WXuVasd.exe
  C:\Windows\System\WXuVasd.exe
  2⤵
  PID:4456
- C:\Windows\System\nPvloTJ.exe
  C:\Windows\System\nPvloTJ.exe
  2⤵
  PID:5164
- C:\Windows\System\LKgGmVP.exe
  C:\Windows\System\LKgGmVP.exe
  2⤵
  PID:5224
- C:\Windows\System\qdEpTqV.exe
  C:\Windows\System\qdEpTqV.exe
  2⤵
  PID:5300
- C:\Windows\System\XiYDkfm.exe
  C:\Windows\System\XiYDkfm.exe
  2⤵
  PID:5360
- C:\Windows\System\FsmAgKd.exe
  C:\Windows\System\FsmAgKd.exe
  2⤵
  PID:5424
- C:\Windows\System\qyCHwku.exe
  C:\Windows\System\qyCHwku.exe
  2⤵
  PID:5496
- C:\Windows\System\dkQxNee.exe
  C:\Windows\System\dkQxNee.exe
  2⤵
  PID:5556
- C:\Windows\System\KLMwuQX.exe
  C:\Windows\System\KLMwuQX.exe
  2⤵
  PID:5616
- C:\Windows\System\BuisMEQ.exe
  C:\Windows\System\BuisMEQ.exe
  2⤵
  PID:5688
- C:\Windows\System\tjezmeN.exe
  C:\Windows\System\tjezmeN.exe
  2⤵
  PID:5732
- C:\Windows\System\KGHrQza.exe
  C:\Windows\System\KGHrQza.exe
  2⤵
  PID:1000
- C:\Windows\System\hNCqXZW.exe
  C:\Windows\System\hNCqXZW.exe
  2⤵
  PID:5840
- C:\Windows\System\raXGXtM.exe
  C:\Windows\System\raXGXtM.exe
  2⤵
  PID:5892
- C:\Windows\System\jKBfhET.exe
  C:\Windows\System\jKBfhET.exe
  2⤵
  PID:5948
- C:\Windows\System\rkCpWyz.exe
  C:\Windows\System\rkCpWyz.exe
  2⤵
  PID:6008
- C:\Windows\System\AirnCwS.exe
  C:\Windows\System\AirnCwS.exe
  2⤵
  PID:6064
- C:\Windows\System\YFtWqgE.exe
  C:\Windows\System\YFtWqgE.exe
  2⤵
  PID:6112
- C:\Windows\System\vMuFwBK.exe
  C:\Windows\System\vMuFwBK.exe
  2⤵
  PID:4600
- C:\Windows\System\bzVQKrL.exe
  C:\Windows\System\bzVQKrL.exe
  2⤵
  PID:532
- C:\Windows\System\cjsqFDs.exe
  C:\Windows\System\cjsqFDs.exe
  2⤵
  PID:5140
- C:\Windows\System\mwYLZfC.exe
  C:\Windows\System\mwYLZfC.exe
  2⤵
  PID:5328
- C:\Windows\System\HOIpHyA.exe
  C:\Windows\System\HOIpHyA.exe
  2⤵
  PID:3488
- C:\Windows\System\OAyUzdu.exe
  C:\Windows\System\OAyUzdu.exe
  2⤵
  PID:5032
- C:\Windows\System\aZAoLwP.exe
  C:\Windows\System\aZAoLwP.exe
  2⤵
  PID:5668
- C:\Windows\System\vxyTAyM.exe
  C:\Windows\System\vxyTAyM.exe
  2⤵
  PID:5760
- C:\Windows\System\sTarFpG.exe
  C:\Windows\System\sTarFpG.exe
  2⤵
  PID:5860
- C:\Windows\System\GmPLxPv.exe
  C:\Windows\System\GmPLxPv.exe
  2⤵
  PID:3560
- C:\Windows\System\mcbmqLl.exe
  C:\Windows\System\mcbmqLl.exe
  2⤵
  PID:1956
- C:\Windows\System\imYbuVm.exe
  C:\Windows\System\imYbuVm.exe
  2⤵
  PID:2976
- C:\Windows\System\yJFfWmu.exe
  C:\Windows\System\yJFfWmu.exe
  2⤵
  PID:5272
- C:\Windows\System\ASTOfRY.exe
  C:\Windows\System\ASTOfRY.exe
  2⤵
  PID:5396
- C:\Windows\System\tdJJDpU.exe
  C:\Windows\System\tdJJDpU.exe
  2⤵
  PID:5524
- C:\Windows\System\LsAJKNM.exe
  C:\Windows\System\LsAJKNM.exe
  2⤵
  PID:5656
- C:\Windows\System\KEGtPTz.exe
  C:\Windows\System\KEGtPTz.exe
  2⤵
  PID:5100
- C:\Windows\System\frnCAXN.exe
  C:\Windows\System\frnCAXN.exe
  2⤵
  PID:1600
- C:\Windows\System\yLJsEgt.exe
  C:\Windows\System\yLJsEgt.exe
  2⤵
  PID:6036
- C:\Windows\System\jYaEddG.exe
  C:\Windows\System\jYaEddG.exe
  2⤵
  PID:3124
- C:\Windows\System\nsGfkIr.exe
  C:\Windows\System\nsGfkIr.exe
  2⤵
  PID:2856
- C:\Windows\System\hmETvis.exe
  C:\Windows\System\hmETvis.exe
  2⤵
  PID:3972
- C:\Windows\System\YXAYGKe.exe
  C:\Windows\System\YXAYGKe.exe
  2⤵
  PID:1376
- C:\Windows\System\YJGdkXx.exe
  C:\Windows\System\YJGdkXx.exe
  2⤵
  PID:4588
- C:\Windows\System\lHlMhHr.exe
  C:\Windows\System\lHlMhHr.exe
  2⤵
  PID:6140
- C:\Windows\System\kbDKNpn.exe
  C:\Windows\System\kbDKNpn.exe
  2⤵
  PID:5392
- C:\Windows\System\XxNxIhP.exe
  C:\Windows\System\XxNxIhP.exe
  2⤵
  PID:6000
- C:\Windows\System\HVHSfle.exe
  C:\Windows\System\HVHSfle.exe
  2⤵
  PID:3616
- C:\Windows\System\KRmLitV.exe
  C:\Windows\System\KRmLitV.exe
  2⤵
  PID:6164
- C:\Windows\System\duZmJZo.exe
  C:\Windows\System\duZmJZo.exe
  2⤵
  PID:6216
- C:\Windows\System\EiUYcJL.exe
  C:\Windows\System\EiUYcJL.exe
  2⤵
  PID:6236
- C:\Windows\System\uEZUUgE.exe
  C:\Windows\System\uEZUUgE.exe
  2⤵
  PID:6268
- C:\Windows\System\cPUKDgk.exe
  C:\Windows\System\cPUKDgk.exe
  2⤵
  PID:6316
- C:\Windows\System\kGCfARo.exe
  C:\Windows\System\kGCfARo.exe
  2⤵
  PID:6344
- C:\Windows\System\nqadaWf.exe
  C:\Windows\System\nqadaWf.exe
  2⤵
  PID:6372
- C:\Windows\System\skqNrKQ.exe
  C:\Windows\System\skqNrKQ.exe
  2⤵
  PID:6420
- C:\Windows\System\NVNpRUN.exe
  C:\Windows\System\NVNpRUN.exe
  2⤵
  PID:6448
- C:\Windows\System\RBFMJdj.exe
  C:\Windows\System\RBFMJdj.exe
  2⤵
  PID:6464
- C:\Windows\System\mIgxWUc.exe
  C:\Windows\System\mIgxWUc.exe
  2⤵
  PID:6488
- C:\Windows\System\lkQvMHq.exe
  C:\Windows\System\lkQvMHq.exe
  2⤵
  PID:6516
- C:\Windows\System\iRGALVo.exe
  C:\Windows\System\iRGALVo.exe
  2⤵
  PID:6552
- C:\Windows\System\Qhgqrnh.exe
  C:\Windows\System\Qhgqrnh.exe
  2⤵
  PID:6572
- C:\Windows\System\IweIgjF.exe
  C:\Windows\System\IweIgjF.exe
  2⤵
  PID:6592
- C:\Windows\System\bSIZZiI.exe
  C:\Windows\System\bSIZZiI.exe
  2⤵
  PID:6616
- C:\Windows\System\pKhQsFz.exe
  C:\Windows\System\pKhQsFz.exe
  2⤵
  PID:6636
- C:\Windows\System\CCeCrDY.exe
  C:\Windows\System\CCeCrDY.exe
  2⤵
  PID:6676
- C:\Windows\System\AYQmZEC.exe
  C:\Windows\System\AYQmZEC.exe
  2⤵
  PID:6712
- C:\Windows\System\kyORggP.exe
  C:\Windows\System\kyORggP.exe
  2⤵
  PID:6772
- C:\Windows\System\tcRlGbY.exe
  C:\Windows\System\tcRlGbY.exe
  2⤵
  PID:6800
- C:\Windows\System\fWQbyRO.exe
  C:\Windows\System\fWQbyRO.exe
  2⤵
  PID:6828
- C:\Windows\System\twvsKgn.exe
  C:\Windows\System\twvsKgn.exe
  2⤵
  PID:6856
- C:\Windows\System\JXrohWH.exe
  C:\Windows\System\JXrohWH.exe
  2⤵
  PID:6892
- C:\Windows\System\zJltCES.exe
  C:\Windows\System\zJltCES.exe
  2⤵
  PID:6944
- C:\Windows\System\nBVtdoi.exe
  C:\Windows\System\nBVtdoi.exe
  2⤵
  PID:6972
- C:\Windows\System\pzvUvlh.exe
  C:\Windows\System\pzvUvlh.exe
  2⤵
  PID:6996
- C:\Windows\System\ClDalSO.exe
  C:\Windows\System\ClDalSO.exe
  2⤵
  PID:7024
- C:\Windows\System\mAyWiHA.exe
  C:\Windows\System\mAyWiHA.exe
  2⤵
  PID:7060
- C:\Windows\System\MPkprut.exe
  C:\Windows\System\MPkprut.exe
  2⤵
  PID:7076
- C:\Windows\System\YcEmbYu.exe
  C:\Windows\System\YcEmbYu.exe
  2⤵
  PID:7092
- C:\Windows\System\UzoQKQR.exe
  C:\Windows\System\UzoQKQR.exe
  2⤵
  PID:7136
- C:\Windows\System\GHvJGTO.exe
  C:\Windows\System\GHvJGTO.exe
  2⤵
  PID:7156
- C:\Windows\System\vfkYSZH.exe
  C:\Windows\System\vfkYSZH.exe
  2⤵
  PID:4928
- C:\Windows\System\wPfsmuR.exe
  C:\Windows\System\wPfsmuR.exe
  2⤵
  PID:4084
- C:\Windows\System\ThzzXvO.exe
  C:\Windows\System\ThzzXvO.exe
  2⤵
  PID:6208
- C:\Windows\System\uJLDuKC.exe
  C:\Windows\System\uJLDuKC.exe
  2⤵
  PID:2084
- C:\Windows\System\awbUZyg.exe
  C:\Windows\System\awbUZyg.exe
  2⤵
  PID:6264
- C:\Windows\System\FsKNknb.exe
  C:\Windows\System\FsKNknb.exe
  2⤵
  PID:6308
- C:\Windows\System\QavieGH.exe
  C:\Windows\System\QavieGH.exe
  2⤵
  PID:6360
- C:\Windows\System\AFHmvyu.exe
  C:\Windows\System\AFHmvyu.exe
  2⤵
  PID:6480
- C:\Windows\System\ItMPtMR.exe
  C:\Windows\System\ItMPtMR.exe
  2⤵
  PID:6548
- C:\Windows\System\uFpnFgR.exe
  C:\Windows\System\uFpnFgR.exe
  2⤵
  PID:6588
- C:\Windows\System\PALXHYw.exe
  C:\Windows\System\PALXHYw.exe
  2⤵
  PID:6648
- C:\Windows\System\rAUZdOq.exe
  C:\Windows\System\rAUZdOq.exe
  2⤵
  PID:6812
- C:\Windows\System\ptYiElR.exe
  C:\Windows\System\ptYiElR.exe
  2⤵
  PID:5796
- C:\Windows\System\MZffGse.exe
  C:\Windows\System\MZffGse.exe
  2⤵
  PID:6908
- C:\Windows\System\pjYgOtN.exe
  C:\Windows\System\pjYgOtN.exe
  2⤵
  PID:6920
- C:\Windows\System\KEUOPuR.exe
  C:\Windows\System\KEUOPuR.exe
  2⤵
  PID:6992
- C:\Windows\System\HXkbggh.exe
  C:\Windows\System\HXkbggh.exe
  2⤵
  PID:1720
- C:\Windows\System\eUmEWCG.exe
  C:\Windows\System\eUmEWCG.exe
  2⤵
  PID:7068
- C:\Windows\System\yZaNChh.exe
  C:\Windows\System\yZaNChh.exe
  2⤵
  PID:7112
- C:\Windows\System\QmyKLZs.exe
  C:\Windows\System\QmyKLZs.exe
  2⤵
  PID:6440
- C:\Windows\System\CqQjsXk.exe
  C:\Windows\System\CqQjsXk.exe
  2⤵
  PID:6332
- C:\Windows\System\hBwHWZk.exe
  C:\Windows\System\hBwHWZk.exe
  2⤵
  PID:6540
- C:\Windows\System\MABjASq.exe
  C:\Windows\System\MABjASq.exe
  2⤵
  PID:6508
- C:\Windows\System\SZnVJPu.exe
  C:\Windows\System\SZnVJPu.exe
  2⤵
  PID:2576
- C:\Windows\System\llIzWKv.exe
  C:\Windows\System\llIzWKv.exe
  2⤵
  PID:6872
- C:\Windows\System\wEBsyAe.exe
  C:\Windows\System\wEBsyAe.exe
  2⤵
  PID:6924
- C:\Windows\System\FsolnWl.exe
  C:\Windows\System\FsolnWl.exe
  2⤵
  PID:7164
- C:\Windows\System\MRjRTio.exe
  C:\Windows\System\MRjRTio.exe
  2⤵
  PID:6456
- C:\Windows\System\dPiBlfj.exe
  C:\Windows\System\dPiBlfj.exe
  2⤵
  PID:6784
- C:\Windows\System\ISOiXyi.exe
  C:\Windows\System\ISOiXyi.exe
  2⤵
  PID:6960
- C:\Windows\System\WtExGbA.exe
  C:\Windows\System\WtExGbA.exe
  2⤵
  PID:6656
- C:\Windows\System\heZnURZ.exe
  C:\Windows\System\heZnURZ.exe
  2⤵
  PID:7196
- C:\Windows\System\BsfoeZc.exe
  C:\Windows\System\BsfoeZc.exe
  2⤵
  PID:7212
- C:\Windows\System\rOIrImm.exe
  C:\Windows\System\rOIrImm.exe
  2⤵
  PID:7236
- C:\Windows\System\gGlhYuG.exe
  C:\Windows\System\gGlhYuG.exe
  2⤵
  PID:7252
- C:\Windows\System\uWFtqws.exe
  C:\Windows\System\uWFtqws.exe
  2⤵
  PID:7272
- C:\Windows\System\oolfZpf.exe
  C:\Windows\System\oolfZpf.exe
  2⤵
  PID:7312
- C:\Windows\System\tfYmSzA.exe
  C:\Windows\System\tfYmSzA.exe
  2⤵
  PID:7364
- C:\Windows\System\WLuyyck.exe
  C:\Windows\System\WLuyyck.exe
  2⤵
  PID:7384
- C:\Windows\System\YyuzIrb.exe
  C:\Windows\System\YyuzIrb.exe
  2⤵
  PID:7408
- C:\Windows\System\NIFEHaQ.exe
  C:\Windows\System\NIFEHaQ.exe
  2⤵
  PID:7424
- C:\Windows\System\rIfkajt.exe
  C:\Windows\System\rIfkajt.exe
  2⤵
  PID:7452
- C:\Windows\System\lzNiExo.exe
  C:\Windows\System\lzNiExo.exe
  2⤵
  PID:7488
- C:\Windows\System\SXJlpQO.exe
  C:\Windows\System\SXJlpQO.exe
  2⤵
  PID:7520
- C:\Windows\System\tDseCFA.exe
  C:\Windows\System\tDseCFA.exe
  2⤵
  PID:7548
- C:\Windows\System\oPxOzWV.exe
  C:\Windows\System\oPxOzWV.exe
  2⤵
  PID:7568
- C:\Windows\System\aOYIJdP.exe
  C:\Windows\System\aOYIJdP.exe
  2⤵
  PID:7620
- C:\Windows\System\ZomoOGb.exe
  C:\Windows\System\ZomoOGb.exe
  2⤵
  PID:7636
- C:\Windows\System\FHveSKn.exe
  C:\Windows\System\FHveSKn.exe
  2⤵
  PID:7660
- C:\Windows\System\bOQGctI.exe
  C:\Windows\System\bOQGctI.exe
  2⤵
  PID:7684
- C:\Windows\System\StbNLvj.exe
  C:\Windows\System\StbNLvj.exe
  2⤵
  PID:7704
- C:\Windows\System\KoAMetC.exe
  C:\Windows\System\KoAMetC.exe
  2⤵
  PID:7736
- C:\Windows\System\TdrLwDD.exe
  C:\Windows\System\TdrLwDD.exe
  2⤵
  PID:7756
- C:\Windows\System\cVXFtXI.exe
  C:\Windows\System\cVXFtXI.exe
  2⤵
  PID:7772
- C:\Windows\System\PDjDmZF.exe
  C:\Windows\System\PDjDmZF.exe
  2⤵
  PID:7788
- C:\Windows\System\IPwXaRE.exe
  C:\Windows\System\IPwXaRE.exe
  2⤵
  PID:7812
- C:\Windows\System\MqfmPrs.exe
  C:\Windows\System\MqfmPrs.exe
  2⤵
  PID:7836
- C:\Windows\System\GJZQZNY.exe
  C:\Windows\System\GJZQZNY.exe
  2⤵
  PID:7884
- C:\Windows\System\HVahJVQ.exe
  C:\Windows\System\HVahJVQ.exe
  2⤵
  PID:7908
- C:\Windows\System\CXYnKcw.exe
  C:\Windows\System\CXYnKcw.exe
  2⤵
  PID:7940
- C:\Windows\System\faHVrde.exe
  C:\Windows\System\faHVrde.exe
  2⤵
  PID:8000
- C:\Windows\System\orjnlcw.exe
  C:\Windows\System\orjnlcw.exe
  2⤵
  PID:8028
- C:\Windows\System\zapItKj.exe
  C:\Windows\System\zapItKj.exe
  2⤵
  PID:8044
- C:\Windows\System\ZBLsIvv.exe
  C:\Windows\System\ZBLsIvv.exe
  2⤵
  PID:8076
- C:\Windows\System\DFGDYBp.exe
  C:\Windows\System\DFGDYBp.exe
  2⤵
  PID:8096
- C:\Windows\System\zdCUiLs.exe
  C:\Windows\System\zdCUiLs.exe
  2⤵
  PID:8116
- C:\Windows\System\DySFioT.exe
  C:\Windows\System\DySFioT.exe
  2⤵
  PID:8168
- C:\Windows\System\brwXZHz.exe
  C:\Windows\System\brwXZHz.exe
  2⤵
  PID:6296
- C:\Windows\System\TWEYYIZ.exe
  C:\Windows\System\TWEYYIZ.exe
  2⤵
  PID:7172
- C:\Windows\System\PUxQFlq.exe
  C:\Windows\System\PUxQFlq.exe
  2⤵
  PID:7220
- C:\Windows\System\kxgvseO.exe
  C:\Windows\System\kxgvseO.exe
  2⤵
  PID:7308
- C:\Windows\System\JwnwdQD.exe
  C:\Windows\System\JwnwdQD.exe
  2⤵
  PID:7396
- C:\Windows\System\GCqrary.exe
  C:\Windows\System\GCqrary.exe
  2⤵
  PID:7432
- C:\Windows\System\NmFNqEo.exe
  C:\Windows\System\NmFNqEo.exe
  2⤵
  PID:7480
- C:\Windows\System\TqEkkPX.exe
  C:\Windows\System\TqEkkPX.exe
  2⤵
  PID:7540
- C:\Windows\System\weIoCzP.exe
  C:\Windows\System\weIoCzP.exe
  2⤵
  PID:7588
- C:\Windows\System\hPQUvyZ.exe
  C:\Windows\System\hPQUvyZ.exe
  2⤵
  PID:7628
- C:\Windows\System\RCMpsHJ.exe
  C:\Windows\System\RCMpsHJ.exe
  2⤵
  PID:7752
- C:\Windows\System\mKnIWMM.exe
  C:\Windows\System\mKnIWMM.exe
  2⤵
  PID:7920
- C:\Windows\System\xyNFRsW.exe
  C:\Windows\System\xyNFRsW.exe
  2⤵
  PID:7872
- C:\Windows\System\CUhZQkN.exe
  C:\Windows\System\CUhZQkN.exe
  2⤵
  PID:8008
- C:\Windows\System\MeaRJGx.exe
  C:\Windows\System\MeaRJGx.exe
  2⤵
  PID:7968
- C:\Windows\System\qORSXPl.exe
  C:\Windows\System\qORSXPl.exe
  2⤵
  PID:8092
- C:\Windows\System\YsyCnnu.exe
  C:\Windows\System\YsyCnnu.exe
  2⤵
  PID:7148
- C:\Windows\System\zBFzZIf.exe
  C:\Windows\System\zBFzZIf.exe
  2⤵
  PID:6608
- C:\Windows\System\UiRKzwC.exe
  C:\Windows\System\UiRKzwC.exe
  2⤵
  PID:7268
- C:\Windows\System\rxmVfXX.exe
  C:\Windows\System\rxmVfXX.exe
  2⤵
  PID:7536
- C:\Windows\System\VJpEwbk.exe
  C:\Windows\System\VJpEwbk.exe
  2⤵
  PID:7728
- C:\Windows\System\dcwYopp.exe
  C:\Windows\System\dcwYopp.exe
  2⤵
  PID:8064
- C:\Windows\System\fCRzyig.exe
  C:\Windows\System\fCRzyig.exe
  2⤵
  PID:8020
- C:\Windows\System\STbvUPM.exe
  C:\Windows\System\STbvUPM.exe
  2⤵
  PID:7304
- C:\Windows\System\wwnmZZH.exe
  C:\Windows\System\wwnmZZH.exe
  2⤵
  PID:7448
- C:\Windows\System\wBlHZKd.exe
  C:\Windows\System\wBlHZKd.exe
  2⤵
  PID:7716
- C:\Windows\System\CfDnkZI.exe
  C:\Windows\System\CfDnkZI.exe
  2⤵
  PID:7496
- C:\Windows\System\YOsjUZD.exe
  C:\Windows\System\YOsjUZD.exe
  2⤵
  PID:7856
- C:\Windows\System\ErlogiA.exe
  C:\Windows\System\ErlogiA.exe
  2⤵
  PID:8208
- C:\Windows\System\ByiCQiE.exe
  C:\Windows\System\ByiCQiE.exe
  2⤵
  PID:8232
- C:\Windows\System\soPsETy.exe
  C:\Windows\System\soPsETy.exe
  2⤵
  PID:8252
- C:\Windows\System\htafuiD.exe
  C:\Windows\System\htafuiD.exe
  2⤵
  PID:8276
- C:\Windows\System\mURHtde.exe
  C:\Windows\System\mURHtde.exe
  2⤵
  PID:8296
- C:\Windows\System\TDMiiif.exe
  C:\Windows\System\TDMiiif.exe
  2⤵
  PID:8320
- C:\Windows\System\XGwvhRI.exe
  C:\Windows\System\XGwvhRI.exe
  2⤵
  PID:8344
- C:\Windows\System\zMVPGth.exe
  C:\Windows\System\zMVPGth.exe
  2⤵
  PID:8380
- C:\Windows\System\rSURCwY.exe
  C:\Windows\System\rSURCwY.exe
  2⤵
  PID:8456
- C:\Windows\System\BCaojkR.exe
  C:\Windows\System\BCaojkR.exe
  2⤵
  PID:8472
- C:\Windows\System\nygRexv.exe
  C:\Windows\System\nygRexv.exe
  2⤵
  PID:8488
- C:\Windows\System\ttkNatR.exe
  C:\Windows\System\ttkNatR.exe
  2⤵
  PID:8528
- C:\Windows\System\oOborHB.exe
  C:\Windows\System\oOborHB.exe
  2⤵
  PID:8548
- C:\Windows\System\RwMuByh.exe
  C:\Windows\System\RwMuByh.exe
  2⤵
  PID:8572
- C:\Windows\System\gKZUZcM.exe
  C:\Windows\System\gKZUZcM.exe
  2⤵
  PID:8592
- C:\Windows\System\eYvmtsE.exe
  C:\Windows\System\eYvmtsE.exe
  2⤵
  PID:8632
- C:\Windows\System\UCbuVYC.exe
  C:\Windows\System\UCbuVYC.exe
  2⤵
  PID:8648
- C:\Windows\System\RcWiebE.exe
  C:\Windows\System\RcWiebE.exe
  2⤵
  PID:8672
- C:\Windows\System\haMZXtk.exe
  C:\Windows\System\haMZXtk.exe
  2⤵
  PID:8696
- C:\Windows\System\rThSYXv.exe
  C:\Windows\System\rThSYXv.exe
  2⤵
  PID:8728
- C:\Windows\System\xKXBeGl.exe
  C:\Windows\System\xKXBeGl.exe
  2⤵
  PID:8744
- C:\Windows\System\lyyPrRl.exe
  C:\Windows\System\lyyPrRl.exe
  2⤵
  PID:8764
- C:\Windows\System\PSAbHfz.exe
  C:\Windows\System\PSAbHfz.exe
  2⤵
  PID:8824
- C:\Windows\System\gtaUfUF.exe
  C:\Windows\System\gtaUfUF.exe
  2⤵
  PID:8844
- C:\Windows\System\ZyNSEcO.exe
  C:\Windows\System\ZyNSEcO.exe
  2⤵
  PID:8868
- C:\Windows\System\GiSvEYu.exe
  C:\Windows\System\GiSvEYu.exe
  2⤵
  PID:8888
- C:\Windows\System\iwrRPRJ.exe
  C:\Windows\System\iwrRPRJ.exe
  2⤵
  PID:8928
- C:\Windows\System\YACJPSx.exe
  C:\Windows\System\YACJPSx.exe
  2⤵
  PID:8952
- C:\Windows\System\fUurvJy.exe
  C:\Windows\System\fUurvJy.exe
  2⤵
  PID:8972
- C:\Windows\System\NXyszLM.exe
  C:\Windows\System\NXyszLM.exe
  2⤵
  PID:9000
- C:\Windows\System\jGDstuC.exe
  C:\Windows\System\jGDstuC.exe
  2⤵
  PID:9024
- C:\Windows\System\TiZYULH.exe
  C:\Windows\System\TiZYULH.exe
  2⤵
  PID:9044
- C:\Windows\System\facQmNE.exe
  C:\Windows\System\facQmNE.exe
  2⤵
  PID:9116
- C:\Windows\System\fLxzIce.exe
  C:\Windows\System\fLxzIce.exe
  2⤵
  PID:9140
- C:\Windows\System\zWVbSYZ.exe
  C:\Windows\System\zWVbSYZ.exe
  2⤵
  PID:9176
- C:\Windows\System\CKmIjTM.exe
  C:\Windows\System\CKmIjTM.exe
  2⤵
  PID:9192
- C:\Windows\System\mnjycbS.exe
  C:\Windows\System\mnjycbS.exe
  2⤵
  PID:8196
- C:\Windows\System\TmoFHic.exe
  C:\Windows\System\TmoFHic.exe
  2⤵
  PID:8224
- C:\Windows\System\lzCgAQf.exe
  C:\Windows\System\lzCgAQf.exe
  2⤵
  PID:8244
- C:\Windows\System\NSlClEy.exe
  C:\Windows\System\NSlClEy.exe
  2⤵
  PID:8264
- C:\Windows\System\KOMeGIw.exe
  C:\Windows\System\KOMeGIw.exe
  2⤵
  PID:8368
- C:\Windows\System\oStvtJK.exe
  C:\Windows\System\oStvtJK.exe
  2⤵
  PID:8424
- C:\Windows\System\mZQKkAx.exe
  C:\Windows\System\mZQKkAx.exe
  2⤵
  PID:8508
- C:\Windows\System\DwzObru.exe
  C:\Windows\System\DwzObru.exe
  2⤵
  PID:8556
- C:\Windows\System\viYjSck.exe
  C:\Windows\System\viYjSck.exe
  2⤵
  PID:8620
- C:\Windows\System\wmMsqom.exe
  C:\Windows\System\wmMsqom.exe
  2⤵
  PID:8716
- C:\Windows\System\jevXZrH.exe
  C:\Windows\System\jevXZrH.exe
  2⤵
  PID:8720
- C:\Windows\System\BbijeiB.exe
  C:\Windows\System\BbijeiB.exe
  2⤵
  PID:8860
- C:\Windows\System\lULAKUX.exe
  C:\Windows\System\lULAKUX.exe
  2⤵
  PID:8884
- C:\Windows\System\FVArFKQ.exe
  C:\Windows\System\FVArFKQ.exe
  2⤵
  PID:9020
- C:\Windows\System\tEJyUSh.exe
  C:\Windows\System\tEJyUSh.exe
  2⤵
  PID:9032
- C:\Windows\System\hqpnDmM.exe
  C:\Windows\System\hqpnDmM.exe
  2⤵
  PID:9124
- C:\Windows\System\xBEFjci.exe
  C:\Windows\System\xBEFjci.exe
  2⤵
  PID:8360
- C:\Windows\System\GTlKews.exe
  C:\Windows\System\GTlKews.exe
  2⤵
  PID:8428
- C:\Windows\System\jSjPClP.exe
  C:\Windows\System\jSjPClP.exe
  2⤵
  PID:8520
- C:\Windows\System\pTTFycm.exe
  C:\Windows\System\pTTFycm.exe
  2⤵
  PID:8832
- C:\Windows\System\MRQHNBl.exe
  C:\Windows\System\MRQHNBl.exe
  2⤵
  PID:8852
- C:\Windows\System\daeeDAG.exe
  C:\Windows\System\daeeDAG.exe
  2⤵
  PID:8752
- C:\Windows\System\TfLcCcH.exe
  C:\Windows\System\TfLcCcH.exe
  2⤵
  PID:9072
- C:\Windows\System\kyzVCRK.exe
  C:\Windows\System\kyzVCRK.exe
  2⤵
  PID:9188
- C:\Windows\System\XanhDED.exe
  C:\Windows\System\XanhDED.exe
  2⤵
  PID:3816
- C:\Windows\System\Nowzdwf.exe
  C:\Windows\System\Nowzdwf.exe
  2⤵
  PID:9100
- C:\Windows\System\ADisvqa.exe
  C:\Windows\System\ADisvqa.exe
  2⤵
  PID:8484
- C:\Windows\System\gxbTbKX.exe
  C:\Windows\System\gxbTbKX.exe
  2⤵
  PID:9224
- C:\Windows\System\vUqyWhf.exe
  C:\Windows\System\vUqyWhf.exe
  2⤵
  PID:9272
- C:\Windows\System\GrSoWCj.exe
  C:\Windows\System\GrSoWCj.exe
  2⤵
  PID:9292
- C:\Windows\System\UXNwYUX.exe
  C:\Windows\System\UXNwYUX.exe
  2⤵
  PID:9312
- C:\Windows\System\zjNWuMH.exe
  C:\Windows\System\zjNWuMH.exe
  2⤵
  PID:9336
- C:\Windows\System\sGIXIJB.exe
  C:\Windows\System\sGIXIJB.exe
  2⤵
  PID:9380
- C:\Windows\System\XcenbRc.exe
  C:\Windows\System\XcenbRc.exe
  2⤵
  PID:9396
- C:\Windows\System\FGRmhFn.exe
  C:\Windows\System\FGRmhFn.exe
  2⤵
  PID:9416
- C:\Windows\System\iGIuVJg.exe
  C:\Windows\System\iGIuVJg.exe
  2⤵
  PID:9456
- C:\Windows\System\miAHCWk.exe
  C:\Windows\System\miAHCWk.exe
  2⤵
  PID:9580
- C:\Windows\System\lMYJdEt.exe
  C:\Windows\System\lMYJdEt.exe
  2⤵
  PID:9596
- C:\Windows\System\NmdNyuC.exe
  C:\Windows\System\NmdNyuC.exe
  2⤵
  PID:9612
- C:\Windows\System\FDTNPSJ.exe
  C:\Windows\System\FDTNPSJ.exe
  2⤵
  PID:9628
- C:\Windows\System\pvgJmdx.exe
  C:\Windows\System\pvgJmdx.exe
  2⤵
  PID:9680
- C:\Windows\System\OmjvoLK.exe
  C:\Windows\System\OmjvoLK.exe
  2⤵
  PID:9700
- C:\Windows\System\bEiXUbu.exe
  C:\Windows\System\bEiXUbu.exe
  2⤵
  PID:9716
- C:\Windows\System\skZGdyh.exe
  C:\Windows\System\skZGdyh.exe
  2⤵
  PID:9732
- C:\Windows\System\EsKkXRo.exe
  C:\Windows\System\EsKkXRo.exe
  2⤵
  PID:9752
- C:\Windows\System\YwpyRaB.exe
  C:\Windows\System\YwpyRaB.exe
  2⤵
  PID:9772
- C:\Windows\System\dICTnZU.exe
  C:\Windows\System\dICTnZU.exe
  2⤵
  PID:9812
- C:\Windows\System\RJjcidx.exe
  C:\Windows\System\RJjcidx.exe
  2⤵
  PID:9828
- C:\Windows\System\ppBNKjl.exe
  C:\Windows\System\ppBNKjl.exe
  2⤵
  PID:9852
- C:\Windows\System\pgHJKnB.exe
  C:\Windows\System\pgHJKnB.exe
  2⤵
  PID:9920
- C:\Windows\System\myOtToe.exe
  C:\Windows\System\myOtToe.exe
  2⤵
  PID:9948
- C:\Windows\System\CctoVLu.exe
  C:\Windows\System\CctoVLu.exe
  2⤵
  PID:9984
- C:\Windows\System\GLPCAJz.exe
  C:\Windows\System\GLPCAJz.exe
  2⤵
  PID:10008
- C:\Windows\System\pHuVzmG.exe
  C:\Windows\System\pHuVzmG.exe
  2⤵
  PID:10040
- C:\Windows\System\fdTKhsG.exe
  C:\Windows\System\fdTKhsG.exe
  2⤵
  PID:10100
- C:\Windows\System\ZeaxfdJ.exe
  C:\Windows\System\ZeaxfdJ.exe
  2⤵
  PID:10128
- C:\Windows\System\zaXpTlY.exe
  C:\Windows\System\zaXpTlY.exe
  2⤵
  PID:10168
- C:\Windows\System\RpLBMpK.exe
  C:\Windows\System\RpLBMpK.exe
  2⤵
  PID:10212
- C:\Windows\System\nQMWruX.exe
  C:\Windows\System\nQMWruX.exe
  2⤵
  PID:10232
- C:\Windows\System\aYUxzFT.exe
  C:\Windows\System\aYUxzFT.exe
  2⤵
  PID:9168
- C:\Windows\System\GSBUtBs.exe
  C:\Windows\System\GSBUtBs.exe
  2⤵
  PID:9280
- C:\Windows\System\gYigCEC.exe
  C:\Windows\System\gYigCEC.exe
  2⤵
  PID:9388
- C:\Windows\System\eImkOkW.exe
  C:\Windows\System\eImkOkW.exe
  2⤵
  PID:9440
- C:\Windows\System\OOrTvzH.exe
  C:\Windows\System\OOrTvzH.exe
  2⤵
  PID:9512
- C:\Windows\System\UtOrfbx.exe
  C:\Windows\System\UtOrfbx.exe
  2⤵
  PID:9608
- C:\Windows\System\kMECKkw.exe
  C:\Windows\System\kMECKkw.exe
  2⤵
  PID:9560
- C:\Windows\System\zjXZSln.exe
  C:\Windows\System\zjXZSln.exe
  2⤵
  PID:9604
- C:\Windows\System\xRFhuLn.exe
  C:\Windows\System\xRFhuLn.exe
  2⤵
  PID:9692
- C:\Windows\System\wfqNtVj.exe
  C:\Windows\System\wfqNtVj.exe
  2⤵
  PID:9708
- C:\Windows\System\SmWIzgO.exe
  C:\Windows\System\SmWIzgO.exe
  2⤵
  PID:9740
- C:\Windows\System\VeyxefO.exe
  C:\Windows\System\VeyxefO.exe
  2⤵
  PID:9788
- C:\Windows\System\PRvUBKn.exe
  C:\Windows\System\PRvUBKn.exe
  2⤵
  PID:9900
- C:\Windows\System\NAvkOkT.exe
  C:\Windows\System\NAvkOkT.exe
  2⤵
  PID:9928
- C:\Windows\System\EjiLlQp.exe
  C:\Windows\System\EjiLlQp.exe
  2⤵
  PID:9996
- C:\Windows\System\JqKazhB.exe
  C:\Windows\System\JqKazhB.exe
  2⤵
  PID:9956
- C:\Windows\System\HxUJmMn.exe
  C:\Windows\System\HxUJmMn.exe
  2⤵
  PID:10144
- C:\Windows\System\hZKUYJf.exe
  C:\Windows\System\hZKUYJf.exe
  2⤵
  PID:10180
- C:\Windows\System\RRgWpxC.exe
  C:\Windows\System\RRgWpxC.exe
  2⤵
  PID:9348
- C:\Windows\System\wpjsLdq.exe
  C:\Windows\System\wpjsLdq.exe
  2⤵
  PID:9528
- C:\Windows\System\tlXaxOC.exe
  C:\Windows\System\tlXaxOC.exe
  2⤵
  PID:9552
- C:\Windows\System\RXhqHVr.exe
  C:\Windows\System\RXhqHVr.exe
  2⤵
  PID:9688
- C:\Windows\System\viwbnHm.exe
  C:\Windows\System\viwbnHm.exe
  2⤵
  PID:9656
- C:\Windows\System\aiKPDMM.exe
  C:\Windows\System\aiKPDMM.exe
  2⤵
  PID:9912
- C:\Windows\System\gPzwGUR.exe
  C:\Windows\System\gPzwGUR.exe
  2⤵
  PID:9980
- C:\Windows\System\HtRbYNG.exe
  C:\Windows\System\HtRbYNG.exe
  2⤵
  PID:9488
- C:\Windows\System\FUAwJGe.exe
  C:\Windows\System\FUAwJGe.exe
  2⤵
  PID:9480
- C:\Windows\System\OQVkmFH.exe
  C:\Windows\System\OQVkmFH.exe
  2⤵
  PID:9676
- C:\Windows\System\FscLbAE.exe
  C:\Windows\System\FscLbAE.exe
  2⤵
  PID:10220
- C:\Windows\System\MVBnuKB.exe
  C:\Windows\System\MVBnuKB.exe
  2⤵
  PID:9892
- C:\Windows\System\MlVqqWC.exe
  C:\Windows\System\MlVqqWC.exe
  2⤵
  PID:9436
- C:\Windows\System\yPaOgQW.exe
  C:\Windows\System\yPaOgQW.exe
  2⤵
  PID:10248
- C:\Windows\System\GmeCbHA.exe
  C:\Windows\System\GmeCbHA.exe
  2⤵
  PID:10268
- C:\Windows\System\iYtsCOc.exe
  C:\Windows\System\iYtsCOc.exe
  2⤵
  PID:10296
- C:\Windows\System\eIPLRTd.exe
  C:\Windows\System\eIPLRTd.exe
  2⤵
  PID:10340
- C:\Windows\System\FQumxJO.exe
  C:\Windows\System\FQumxJO.exe
  2⤵
  PID:10360
- C:\Windows\System\wcppVbC.exe
  C:\Windows\System\wcppVbC.exe
  2⤵
  PID:10384
- C:\Windows\System\wHOSbhh.exe
  C:\Windows\System\wHOSbhh.exe
  2⤵
  PID:10408
- C:\Windows\System\mGDrIBi.exe
  C:\Windows\System\mGDrIBi.exe
  2⤵
  PID:10432
- C:\Windows\System\XlLBbbx.exe
  C:\Windows\System\XlLBbbx.exe
  2⤵
  PID:10456
- C:\Windows\System\TFCIgWL.exe
  C:\Windows\System\TFCIgWL.exe
  2⤵
  PID:10484
- C:\Windows\System\aeRfrev.exe
  C:\Windows\System\aeRfrev.exe
  2⤵
  PID:10512
- C:\Windows\System\WubiKGo.exe
  C:\Windows\System\WubiKGo.exe
  2⤵
  PID:10532
- C:\Windows\System\tHgrmfa.exe
  C:\Windows\System\tHgrmfa.exe
  2⤵
  PID:10580
- C:\Windows\System\BckCltI.exe
  C:\Windows\System\BckCltI.exe
  2⤵
  PID:10604
- C:\Windows\System\HVdCMrv.exe
  C:\Windows\System\HVdCMrv.exe
  2⤵
  PID:10636
- C:\Windows\System\CJNsAwd.exe
  C:\Windows\System\CJNsAwd.exe
  2⤵
  PID:10664
- C:\Windows\System\DusGuwX.exe
  C:\Windows\System\DusGuwX.exe
  2⤵
  PID:10684
- C:\Windows\System\ZFeEBwH.exe
  C:\Windows\System\ZFeEBwH.exe
  2⤵
  PID:10712
- C:\Windows\System\UxVWXvK.exe
  C:\Windows\System\UxVWXvK.exe
  2⤵
  PID:10736
- C:\Windows\System\vYZUZmJ.exe
  C:\Windows\System\vYZUZmJ.exe
  2⤵
  PID:10764
- C:\Windows\System\fPEfCAu.exe
  C:\Windows\System\fPEfCAu.exe
  2⤵
  PID:10784
- C:\Windows\System\aXTPnNL.exe
  C:\Windows\System\aXTPnNL.exe
  2⤵
  PID:10832
- C:\Windows\System\IuOrioT.exe
  C:\Windows\System\IuOrioT.exe
  2⤵
  PID:10880
- C:\Windows\System\HwQhhQR.exe
  C:\Windows\System\HwQhhQR.exe
  2⤵
  PID:10900
- C:\Windows\System\lGmZpfs.exe
  C:\Windows\System\lGmZpfs.exe
  2⤵
  PID:10920
- C:\Windows\System\ztySKNn.exe
  C:\Windows\System\ztySKNn.exe
  2⤵
  PID:10964
- C:\Windows\System\sFeKqIH.exe
  C:\Windows\System\sFeKqIH.exe
  2⤵
  PID:10992
- C:\Windows\System\DaIgbjC.exe
  C:\Windows\System\DaIgbjC.exe
  2⤵
  PID:11012
- C:\Windows\System\HYiRnHc.exe
  C:\Windows\System\HYiRnHc.exe
  2⤵
  PID:11036
- C:\Windows\System\DAAqZWo.exe
  C:\Windows\System\DAAqZWo.exe
  2⤵
  PID:11052
- C:\Windows\System\FasCElQ.exe
  C:\Windows\System\FasCElQ.exe
  2⤵
  PID:11092
- C:\Windows\System\MxQxAKu.exe
  C:\Windows\System\MxQxAKu.exe
  2⤵
  PID:11112
- C:\Windows\System\zJWVzXf.exe
  C:\Windows\System\zJWVzXf.exe
  2⤵
  PID:11136
- C:\Windows\System\rgSeGWx.exe
  C:\Windows\System\rgSeGWx.exe
  2⤵
  PID:11156
- C:\Windows\System\pqEIGfv.exe
  C:\Windows\System\pqEIGfv.exe
  2⤵
  PID:11212
- C:\Windows\System\ItoBOOe.exe
  C:\Windows\System\ItoBOOe.exe
  2⤵
  PID:11232
- C:\Windows\System\GXzHbNh.exe
  C:\Windows\System\GXzHbNh.exe
  2⤵
  PID:11248
- C:\Windows\System\qNNuUli.exe
  C:\Windows\System\qNNuUli.exe
  2⤵
  PID:10060
- C:\Windows\System\fUIfXrW.exe
  C:\Windows\System\fUIfXrW.exe
  2⤵
  PID:10332
- C:\Windows\System\UzGdVhE.exe
  C:\Windows\System\UzGdVhE.exe
  2⤵
  PID:10420
- C:\Windows\System\tmymicv.exe
  C:\Windows\System\tmymicv.exe
  2⤵
  PID:10476
- C:\Windows\System\zOMSUdB.exe
  C:\Windows\System\zOMSUdB.exe
  2⤵
  PID:10500
- C:\Windows\System\hJhtWoy.exe
  C:\Windows\System\hJhtWoy.exe
  2⤵
  PID:10656
- C:\Windows\System\UeTCGwY.exe
  C:\Windows\System\UeTCGwY.exe
  2⤵
  PID:10704
- C:\Windows\System\OsXjxah.exe
  C:\Windows\System\OsXjxah.exe
  2⤵
  PID:10756
- C:\Windows\System\MSEHkKs.exe
  C:\Windows\System\MSEHkKs.exe
  2⤵
  PID:10780
- C:\Windows\System\YjtPnoL.exe
  C:\Windows\System\YjtPnoL.exe
  2⤵
  PID:10908
- C:\Windows\System\jlghoJw.exe
  C:\Windows\System\jlghoJw.exe
  2⤵
  PID:10976
- C:\Windows\System\XmHucUO.exe
  C:\Windows\System\XmHucUO.exe
  2⤵
  PID:11028
- C:\Windows\System\mRExWeW.exe
  C:\Windows\System\mRExWeW.exe
  2⤵
  PID:4900
- C:\Windows\System\xjitVsK.exe
  C:\Windows\System\xjitVsK.exe
  2⤵
  PID:11128
- C:\Windows\System\YNRqXGg.exe
  C:\Windows\System\YNRqXGg.exe
  2⤵
  PID:11180
- C:\Windows\System\WfxqfAE.exe
  C:\Windows\System\WfxqfAE.exe
  2⤵
  PID:11244
- C:\Windows\System\FdlgFFg.exe
  C:\Windows\System\FdlgFFg.exe
  2⤵
  PID:11260
- C:\Windows\System\bCuCrdl.exe
  C:\Windows\System\bCuCrdl.exe
  2⤵
  PID:10464
- C:\Windows\System\afjvYum.exe
  C:\Windows\System\afjvYum.exe
  2⤵
  PID:10628
- C:\Windows\System\tWmpKsD.exe
  C:\Windows\System\tWmpKsD.exe
  2⤵
  PID:10752
- C:\Windows\System\KVyKRAZ.exe
  C:\Windows\System\KVyKRAZ.exe
  2⤵
  PID:10868
- C:\Windows\System\DAjYSmN.exe
  C:\Windows\System\DAjYSmN.exe
  2⤵
  PID:10944
- C:\Windows\System\aCszBdm.exe
  C:\Windows\System\aCszBdm.exe
  2⤵
  PID:11068
- C:\Windows\System\ecCmySw.exe
  C:\Windows\System\ecCmySw.exe
  2⤵
  PID:10276
- C:\Windows\System\fKbWyOE.exe
  C:\Windows\System\fKbWyOE.exe
  2⤵
  PID:10504
- C:\Windows\System\bRfrYIn.exe
  C:\Windows\System\bRfrYIn.exe
  2⤵
  PID:10720
- C:\Windows\System\xopLWXn.exe
  C:\Windows\System\xopLWXn.exe
  2⤵
  PID:11196
- C:\Windows\System\UvOVTEi.exe
  C:\Windows\System\UvOVTEi.exe
  2⤵
  PID:11132
- C:\Windows\System\SkXAGUH.exe
  C:\Windows\System\SkXAGUH.exe
  2⤵
  PID:11284
- C:\Windows\System\RwkrRQl.exe
  C:\Windows\System\RwkrRQl.exe
  2⤵
  PID:11308
- C:\Windows\System\nlxfiRy.exe
  C:\Windows\System\nlxfiRy.exe
  2⤵
  PID:11372
- C:\Windows\System\NuSfJxR.exe
  C:\Windows\System\NuSfJxR.exe
  2⤵
  PID:11400
- C:\Windows\System\SxKhhHA.exe
  C:\Windows\System\SxKhhHA.exe
  2⤵
  PID:11424
- C:\Windows\System\jNjzSwC.exe
  C:\Windows\System\jNjzSwC.exe
  2⤵
  PID:11448
- C:\Windows\System\zDXlRkq.exe
  C:\Windows\System\zDXlRkq.exe
  2⤵
  PID:11492
- C:\Windows\System\GkfAgXq.exe
  C:\Windows\System\GkfAgXq.exe
  2⤵
  PID:11516
- C:\Windows\System\yiaMoRw.exe
  C:\Windows\System\yiaMoRw.exe
  2⤵
  PID:11540
- C:\Windows\System\dtTjPkZ.exe
  C:\Windows\System\dtTjPkZ.exe
  2⤵
  PID:11560
- C:\Windows\System\qwPoEWO.exe
  C:\Windows\System\qwPoEWO.exe
  2⤵
  PID:11584
- C:\Windows\System\vyLUmMb.exe
  C:\Windows\System\vyLUmMb.exe
  2⤵
  PID:11600
- C:\Windows\System\GxNLOSb.exe
  C:\Windows\System\GxNLOSb.exe
  2⤵
  PID:11640
- C:\Windows\System\QlkZrRl.exe
  C:\Windows\System\QlkZrRl.exe
  2⤵
  PID:11664
- C:\Windows\System\IiqffQB.exe
  C:\Windows\System\IiqffQB.exe
  2⤵
  PID:11696
- C:\Windows\System\vrLyqug.exe
  C:\Windows\System\vrLyqug.exe
  2⤵
  PID:11716
- C:\Windows\System\LDvahyf.exe
  C:\Windows\System\LDvahyf.exe
  2⤵
  PID:11756
- C:\Windows\System\RCOlxLe.exe
  C:\Windows\System\RCOlxLe.exe
  2⤵
  PID:11776
- C:\Windows\System\vszVQcs.exe
  C:\Windows\System\vszVQcs.exe
  2⤵
  PID:11804
- C:\Windows\System\jAJZuHg.exe
  C:\Windows\System\jAJZuHg.exe
  2⤵
  PID:11844
- C:\Windows\System\kYZmDOs.exe
  C:\Windows\System\kYZmDOs.exe
  2⤵
  PID:11876
- C:\Windows\System\pYSoHxx.exe
  C:\Windows\System\pYSoHxx.exe
  2⤵
  PID:11904
- C:\Windows\System\UesAsRb.exe
  C:\Windows\System\UesAsRb.exe
  2⤵
  PID:11928
- C:\Windows\System\FyuAhkh.exe
  C:\Windows\System\FyuAhkh.exe
  2⤵
  PID:11964
- C:\Windows\System\JQunAbK.exe
  C:\Windows\System\JQunAbK.exe
  2⤵
  PID:12016
- C:\Windows\System\dSqPrYm.exe
  C:\Windows\System\dSqPrYm.exe
  2⤵
  PID:12036
- C:\Windows\System\NSOvGcp.exe
  C:\Windows\System\NSOvGcp.exe
  2⤵
  PID:12068
- C:\Windows\System\hMlLquU.exe
  C:\Windows\System\hMlLquU.exe
  2⤵
  PID:12092
- C:\Windows\System\IevTREe.exe
  C:\Windows\System\IevTREe.exe
  2⤵
  PID:12108
- C:\Windows\System\FXndMVJ.exe
  C:\Windows\System\FXndMVJ.exe
  2⤵
  PID:12172
- C:\Windows\System\sfwMIvI.exe
  C:\Windows\System\sfwMIvI.exe
  2⤵
  PID:12188
- C:\Windows\System\XHiotOW.exe
  C:\Windows\System\XHiotOW.exe
  2⤵
  PID:12208
- C:\Windows\System\OtnJKaM.exe
  C:\Windows\System\OtnJKaM.exe
  2⤵
  PID:12232
- C:\Windows\System\BawSaqi.exe
  C:\Windows\System\BawSaqi.exe
  2⤵
  PID:12252
- C:\Windows\System\NZSHNBY.exe
  C:\Windows\System\NZSHNBY.exe
  2⤵
  PID:12276
- C:\Windows\System\xNKqLhB.exe
  C:\Windows\System\xNKqLhB.exe
  2⤵
  PID:11276
- C:\Windows\System\NsdXohE.exe
  C:\Windows\System\NsdXohE.exe
  2⤵
  PID:11340
- C:\Windows\System\IVluuOr.exe
  C:\Windows\System\IVluuOr.exe
  2⤵
  PID:11416
- C:\Windows\System\OMIfMWr.exe
  C:\Windows\System\OMIfMWr.exe
  2⤵
  PID:11472
- C:\Windows\System\cEGAjUu.exe
  C:\Windows\System\cEGAjUu.exe
  2⤵
  PID:11512
- C:\Windows\System\bkvitnR.exe
  C:\Windows\System\bkvitnR.exe
  2⤵
  PID:11568
- C:\Windows\System\qyWJJJg.exe
  C:\Windows\System\qyWJJJg.exe
  2⤵
  PID:11660
- C:\Windows\System\Xhatbbq.exe
  C:\Windows\System\Xhatbbq.exe
  2⤵
  PID:11744
- C:\Windows\System\xHITHtJ.exe
  C:\Windows\System\xHITHtJ.exe
  2⤵
  PID:11788
- C:\Windows\System\gnLryHk.exe
  C:\Windows\System\gnLryHk.exe
  2⤵
  PID:11856
- C:\Windows\System\qYmCgvI.exe
  C:\Windows\System\qYmCgvI.exe
  2⤵
  PID:11936
- C:\Windows\System\MJYxkVQ.exe
  C:\Windows\System\MJYxkVQ.exe
  2⤵
  PID:11980
- C:\Windows\System\FxJeHOO.exe
  C:\Windows\System\FxJeHOO.exe
  2⤵
  PID:12076
- C:\Windows\System\sDUgTAu.exe
  C:\Windows\System\sDUgTAu.exe
  2⤵
  PID:12152
- C:\Windows\System\uDQbUgo.exe
  C:\Windows\System\uDQbUgo.exe
  2⤵
  PID:12184
- C:\Windows\System\sknanVA.exe
  C:\Windows\System\sknanVA.exe
  2⤵
  PID:12268
- C:\Windows\System\hqtSazn.exe
  C:\Windows\System\hqtSazn.exe
  2⤵
  PID:10988
- C:\Windows\System\MkVoPFh.exe
  C:\Windows\System\MkVoPFh.exe
  2⤵
  PID:11360
- C:\Windows\System\HoeokGo.exe
  C:\Windows\System\HoeokGo.exe
  2⤵
  PID:11920
- C:\Windows\System\glolNNu.exe
  C:\Windows\System\glolNNu.exe
  2⤵
  PID:12084
- C:\Windows\System\gWTPHdO.exe
  C:\Windows\System\gWTPHdO.exe
  2⤵
  PID:1396
- C:\Windows\System\lhUqREX.exe
  C:\Windows\System\lhUqREX.exe
  2⤵
  PID:4828
- C:\Windows\System\KDNlNFw.exe
  C:\Windows\System\KDNlNFw.exe
  2⤵
  PID:3564
- C:\Windows\System\CLxLTFI.exe
  C:\Windows\System\CLxLTFI.exe
  2⤵
  PID:11300
- C:\Windows\System\JhrXOaa.exe
  C:\Windows\System\JhrXOaa.exe
  2⤵
  PID:11612
- C:\Windows\System\IIyqsZk.exe
  C:\Windows\System\IIyqsZk.exe
  2⤵
  PID:11740
- C:\Windows\System\MbQeTFi.exe
  C:\Windows\System\MbQeTFi.exe
  2⤵
  PID:11872
- C:\Windows\System\IwBHfod.exe
  C:\Windows\System\IwBHfod.exe
  2⤵
  PID:2940
- C:\Windows\System\mCRIcOo.exe
  C:\Windows\System\mCRIcOo.exe
  2⤵
  PID:11624
- C:\Windows\System\gQwAtAK.exe
  C:\Windows\System\gQwAtAK.exe
  2⤵
  PID:11596
- C:\Windows\System\cUJHNYB.exe
  C:\Windows\System\cUJHNYB.exe
  2⤵
  PID:2100
- C:\Windows\System\TmIjidm.exe
  C:\Windows\System\TmIjidm.exe
  2⤵
  PID:11500
- C:\Windows\System\TyRryAe.exe
  C:\Windows\System\TyRryAe.exe
  2⤵
  PID:12296
- C:\Windows\System\oSXWMyV.exe
  C:\Windows\System\oSXWMyV.exe
  2⤵
  PID:12312
- C:\Windows\System\UZUPegh.exe
  C:\Windows\System\UZUPegh.exe
  2⤵
  PID:12340
- C:\Windows\System\yUiuCaq.exe
  C:\Windows\System\yUiuCaq.exe
  2⤵
  PID:12392
- C:\Windows\System\EyjZnka.exe
  C:\Windows\System\EyjZnka.exe
  2⤵
  PID:12424
- C:\Windows\System\DhKfPpm.exe
  C:\Windows\System\DhKfPpm.exe
  2⤵
  PID:12444
- C:\Windows\System\dESTtrv.exe
  C:\Windows\System\dESTtrv.exe
  2⤵
  PID:12464
- C:\Windows\System\CZUnUrc.exe
  C:\Windows\System\CZUnUrc.exe
  2⤵
  PID:12500
- C:\Windows\System\gjVEnQu.exe
  C:\Windows\System\gjVEnQu.exe
  2⤵
  PID:12528
- C:\Windows\System\jRYZEJE.exe
  C:\Windows\System\jRYZEJE.exe
  2⤵
  PID:12548
- C:\Windows\System\GXfOtWd.exe
  C:\Windows\System\GXfOtWd.exe
  2⤵
  PID:12564
- C:\Windows\System\TdKIvoS.exe
  C:\Windows\System\TdKIvoS.exe
  2⤵
  PID:12628
- C:\Windows\System\fgzWHeH.exe
  C:\Windows\System\fgzWHeH.exe
  2⤵
  PID:12656
- C:\Windows\System\okaCuHs.exe
  C:\Windows\System\okaCuHs.exe
  2⤵
  PID:12696
- C:\Windows\System\RfEhRAC.exe
  C:\Windows\System\RfEhRAC.exe
  2⤵
  PID:12716
- C:\Windows\System\nniQhkl.exe
  C:\Windows\System\nniQhkl.exe
  2⤵
  PID:12756
- C:\Windows\System\GyBbFNE.exe
  C:\Windows\System\GyBbFNE.exe
  2⤵
  PID:12780
- C:\Windows\System\OBjiAdg.exe
  C:\Windows\System\OBjiAdg.exe
  2⤵
  PID:12800
- C:\Windows\System\cUdAPwF.exe
  C:\Windows\System\cUdAPwF.exe
  2⤵
  PID:12824
- C:\Windows\System\ixXuUae.exe
  C:\Windows\System\ixXuUae.exe
  2⤵
  PID:12848
- C:\Windows\System\ANMVsPl.exe
  C:\Windows\System\ANMVsPl.exe
  2⤵
  PID:12880
- C:\Windows\System\KUeLBUT.exe
  C:\Windows\System\KUeLBUT.exe
  2⤵
  PID:12904
- C:\Windows\System\jrotJKI.exe
  C:\Windows\System\jrotJKI.exe
  2⤵
  PID:12940
- C:\Windows\System\AZqbLMf.exe
  C:\Windows\System\AZqbLMf.exe
  2⤵
  PID:12980
- C:\Windows\System\guLvkAt.exe
  C:\Windows\System\guLvkAt.exe
  2⤵
  PID:13004
- C:\Windows\System\qYHGTIT.exe
  C:\Windows\System\qYHGTIT.exe
  2⤵
  PID:13032
- C:\Windows\System\bmpgFsj.exe
  C:\Windows\System\bmpgFsj.exe
  2⤵
  PID:13048
- C:\Windows\System\SqTdhkW.exe
  C:\Windows\System\SqTdhkW.exe
  2⤵
  PID:13088
- C:\Windows\System\zsaDlSw.exe
  C:\Windows\System\zsaDlSw.exe
  2⤵
  PID:13108
- C:\Windows\System\sLrnRCg.exe
  C:\Windows\System\sLrnRCg.exe
  2⤵
  PID:13136
- C:\Windows\System\IieAPLr.exe
  C:\Windows\System\IieAPLr.exe
  2⤵
  PID:13156
- C:\Windows\System\mSeCBSm.exe
  C:\Windows\System\mSeCBSm.exe
  2⤵
  PID:13176
- C:\Windows\System\OIJbYwS.exe
  C:\Windows\System\OIJbYwS.exe
  2⤵
  PID:13232
- C:\Windows\System\VvlEGWZ.exe
  C:\Windows\System\VvlEGWZ.exe
  2⤵
  PID:13252
- C:\Windows\System\UcJTiFe.exe
  C:\Windows\System\UcJTiFe.exe
  2⤵
  PID:13276
- C:\Windows\System\OfUnTyS.exe
  C:\Windows\System\OfUnTyS.exe
  2⤵
  PID:13304
- C:\Windows\System\OqrujSs.exe
  C:\Windows\System\OqrujSs.exe
  2⤵
  PID:2768
- C:\Windows\System\yncATAd.exe
  C:\Windows\System\yncATAd.exe
  2⤵
  PID:12348
- C:\Windows\System\svLWSzt.exe
  C:\Windows\System\svLWSzt.exe
  2⤵
  PID:12332
- C:\Windows\System\xAaEHSb.exe
  C:\Windows\System\xAaEHSb.exe
  2⤵
  PID:12372
- C:\Windows\System\XNziBvu.exe
  C:\Windows\System\XNziBvu.exe
  2⤵
  PID:12460
- C:\Windows\System\hXSrmif.exe
  C:\Windows\System\hXSrmif.exe
  2⤵
  PID:12512
- C:\Windows\System\dGavwWv.exe
  C:\Windows\System\dGavwWv.exe
  2⤵
  PID:12668
- C:\Windows\System\DaAQbwC.exe
  C:\Windows\System\DaAQbwC.exe
  2⤵
  PID:12644
- C:\Windows\System\PEzrQsJ.exe
  C:\Windows\System\PEzrQsJ.exe
  2⤵
  PID:12732
- C:\Windows\System\kWfNXdA.exe
  C:\Windows\System\kWfNXdA.exe
  2⤵
  PID:3608
- C:\Windows\System\yQCxdGd.exe
  C:\Windows\System\yQCxdGd.exe
  2⤵
  PID:12816
- C:\Windows\System\sPCvVxg.exe
  C:\Windows\System\sPCvVxg.exe
  2⤵
  PID:12868
- C:\Windows\System\GQVQOiH.exe
  C:\Windows\System\GQVQOiH.exe
  2⤵
  PID:856
- C:\Windows\System\wGqgkiU.exe
  C:\Windows\System\wGqgkiU.exe
  2⤵
  PID:12216
- C:\Windows\System\lblVAFE.exe
  C:\Windows\System\lblVAFE.exe
  2⤵
  PID:13100

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yl5jqgop.pwn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\ANGSwha.exe

Filesize
2.2MB

MD5
03dff852ee0cabbe4288bd68461fb557

SHA1
8ff829a7b1647f9fc47fa3c2af42bf80341881e8

SHA256
fbaf8057fed2e51cdac9f888f0bff608d11cbdbc0062e2ffa298bf66fef6115b

SHA512
30a39ca0cc9b54fd27c65246da5ad1a42f1d3b56c3a98dc247a44a58e8f3bf8daa849caf99c904b4fbc7ac807f1c7f930c3e8df27a056ccd67dc5f52be535624

Download Submit
C:\Windows\System\ATOobiQ.exe

Filesize
2.1MB

MD5
88b10d7ce883f5bc9578239892c33059

SHA1
4d291a9396bfd8b2b24fcf087ba085ef13c5918e

SHA256
fe1e18628895718005ff8c52d1df44936a9e8115b9f7d33fcf7c1cb85f90a844

SHA512
9c94d98b5f0353244acea0eff4c5ae28cd122be4812c98634d87498a39fccdb9a72d91ebb3c3bb289eb00668dd68daa202c71586da24458adb09e450023a3534

Download Submit
C:\Windows\System\BLVdedX.exe

Filesize
2.1MB

MD5
6b413d8cfc7f76167e005b4ab10e81ef

SHA1
24290bec8b120cedc47758f164197471e084ebf6

SHA256
e90012bb044433cb6925190454cb7198e07257500df6af9547c68f852322bb47

SHA512
6f229a0c69ed85d101ea1f2bfc0980af0c639ff533bbefb804a321e66e797f56c81c522f6667587f8d78c24105e878ca1a5b4b1dbc9aa07a26d27a29eb173c71

Download Submit
C:\Windows\System\FuHWluT.exe

Filesize
2.2MB

MD5
1dc25daa1472fec169093f08e6caab4c

SHA1
e38e881525350835c168ff445f33bafeaf156859

SHA256
eaeec429b1ab01b6bc336fa0245a5af9b6031e4a50376650729701a026a2028d

SHA512
eed92304bcdb17380a16ab1cc2cf6b5a09df316e974cb876eba397b394b3d2964e7fafad7357a2c38c788c1fc04c92e4f8288216f7306853094bfa8c7da73901

Download Submit
C:\Windows\System\HbIOoua.exe

Filesize
2.1MB

MD5
031828082fe2b37a1abfb898acf5d898

SHA1
559222a50aaf6a9a5eb89477308b4335c7991ce5

SHA256
1990f293a78dac9b3937b2dac7ae943d4a5c4b24f13b2ff6571be0da22a32cf1

SHA512
4ec1bf0fde821ee3254d71307725bd9f402a389fb95e97e758a16758cf14289d325f49a619345ba0bc25c6b72794acd4d84bf285e8df4cd4b2a55dc0235fc5da

Download Submit
C:\Windows\System\HzYrcYU.exe

Filesize
2.1MB

MD5
7634c76987c8ed552246e6a2e8ae1f7b

SHA1
666adb0a3cf2a9ff40ff860fc5dbfe6d3c5b46e6

SHA256
ebe500aca6f3703a930a5012f8b6e5e0612a421cedd784c20216877646efd5a1

SHA512
ed2ab8020cd5bf354497bdb658e801d74951b5b53f5c015daf21cbf46a685583e9bbc3bcc72bcf562f66014f6074439711e1fd8b5c264a05123da30e2ac5f328

Download Submit
C:\Windows\System\OftQTOr.exe

Filesize
2.2MB

MD5
4cb17bb5ce83e2c59b4da86129719881

SHA1
72c637fab4b7afa57b7be7b79d4a944e21e22689

SHA256
fd0cfe4851c90777ec9e440b15ed5478ce7c33c1507fb332d9293e77854d8118

SHA512
3d63afbc6f4e02fa1c70bff6126735e1c7558847fa5c936ce1db0726cf2b86cb46d7a6ec6e7a78d40ff0df38362c2a73831f8e63b2504419e516bdaca3fcca29

Download Submit
C:\Windows\System\PCDVBMz.exe

Filesize
2.1MB

MD5
05b45e0c57bce83ee0b481136db13220

SHA1
9598011f648dbb04a06e91fa3cc9826bb2b8174c

SHA256
c461b8870e733d203683865e9ca483f892704b15c0ad5fdcf8d901e5b20b2e94

SHA512
93ca7d3f4eda44f034bbdaa4ce058dcf17ef8982bfc27b5887dea65e89007ae13fd448dddcb3f03065efef39e3a26e9b1621480d1f7ba18b43d8670bd89ee8e9

Download Submit
C:\Windows\System\STOpwGs.exe

Filesize
2.1MB

MD5
79ea44a78de27d3444007217b704316d

SHA1
be3f3c7285a79ae9f09298a8df61ef646df45876

SHA256
fdac44a9d27081d4e9ff1487888778b9d22507fd6edafc54af86587c9cb60a0c

SHA512
c914c5fef5b1ed072c6702f24ad93236442fd9521085c1afae1846d2120d6a4145e4374229263336b4461e2d3abbc17f53d25604768dd4d95909e06b554efe52

Download Submit
C:\Windows\System\SWhemyd.exe

Filesize
2.1MB

MD5
5be468ad6d406e0002372437e8e4c15c

SHA1
1f527625db7b2039b7a0b088f13222d4f4583898

SHA256
f5393ff97e5f1a2cbdfca5303feb045a935f32900cfac9cb847f8df2ded0c12a

SHA512
5c0a4f1f3f72b587a872f8d6aa393ec48ef1c65dbd9651bdfae0c7a587008f0aa3c8301d10f8a8e44d07dfde7e732f9abbdb44ebfcab3f5f5c0531e741bed9b5

Download Submit
C:\Windows\System\TKPaOkO.exe

Filesize
2.1MB

MD5
2ddb84ccb4fcb519f5fba775dc9e5bad

SHA1
d9791be5a3a46aea00dc2874e2eebeb1de1b78f1

SHA256
0dc432813a403aedc2d6f138d87b20b13223b82ffbf348184b5a1b94a476e2af

SHA512
73a9fa91b991afc5a2c5cf6d479de382dae032b75e0de24619ba6e453f01bc882c2d043e2ff7e602a330455cb3a2b63172ab0b5e9670d294091aafefc61416a4

Download Submit
C:\Windows\System\TzJwEuL.exe

Filesize
2.2MB

MD5
e3cc1162febcb0660da995a50f14ce8d

SHA1
669a7074c2134c0ed0d719bbcbd9fdb120a46f3d

SHA256
3720698bde12bd6f32cc1e43f1e669ee7afdc4b2b6697db345849870476c2449

SHA512
2034fe475033c6db126e6bc2dc1be732a4bb23211821097293e314dac6600a4cb4f8477b8e375086cc95411da0a05c4b5161f46f889ad65a7691a1686f2f4e7a

Download Submit
C:\Windows\System\VnQpKea.exe

Filesize
2.2MB

MD5
81976658a17dddd33b82dfbc8f3eb3fd

SHA1
8d1d7232b36e18569f1390d008adafc79c422c2c

SHA256
7ea93115994d48c0c2feccfd11a5c4e5cabd5c5e765445a324d0988b631a6a95

SHA512
c4fe801c4392e391e9c1060b59b6c9a71402e4a5817b52f961db507da6211464ff4efdc7acfd88cae2c74cee773a2b13f19e3e80c8aec021eff69ac1e2061f56

Download Submit
C:\Windows\System\WLEHsiD.exe

Filesize
2.2MB

MD5
08914a9b08763ce92473f675672eb59c

SHA1
3f628eb346d572af106e20eb687e2c2935d1260f

SHA256
8cba0fa090cc8d4e30c86557661faf96c8a183c66c6ab78c1a53935988a69e8f

SHA512
783c2da92eadc1095a276d8878770920bd68637c573787461cd129e8e839cacb92c1aac0f169c56b4f10191f071e457bec599476a23d9d1ebd429af9690ef4a5

Download Submit
C:\Windows\System\aoUXfqI.exe

Filesize
2.2MB

MD5
8f11d5a2ce61334a9fa5928a65f1429d

SHA1
d1cd893a4e5b7197d6b53595c17d93afce141230

SHA256
36ccac97cde809350f1531776046189861df4b289cf142e29c8317ac8cf1dc28

SHA512
bc24136384404c6bf9aaab6bd3c6ccbb3ce12389277bc359980c11e235e0eaaff20123870c28dc679c87090355fd1479e6cadbb225f983e30c3fcfdc01efa2dd

Download Submit
C:\Windows\System\auFADUI.exe

Filesize
2.2MB

MD5
be1b772aca6c01cee04e529d1fd68c38

SHA1
c6cd22d11a5a85bd7841dbb3a81270dadf0f4f38

SHA256
cda89d9b6204dd2002ca84d790dfa71f2076b3ecad6e3aa9f2525c0f415c57b8

SHA512
681b9d8ae29fe34df4596175012197becd0ccc1fb3ec0ae305f676e4bd000de5d95b4ba30131558c3c28944dc09b21d1f523771ee690f22fd7ff21094c7e3962

Download Submit
C:\Windows\System\fSfxnMi.exe

Filesize
2.2MB

MD5
fadd1d53b4b615a5357ae1114988c38a

SHA1
e0628180cc950415ecf65d0046253deaa56b7837

SHA256
81df92998a313826713f4f39dcf26640acd59989879221e4b712809251cc6a7d

SHA512
6a0c895382d1b2cd54d4009c4a13522c5c28a1f5b3cbd0ba4047fe46b4a06ca73d702fb358e72b49a1214c3dba67cb2cac1e3d84b5b509ad1b1d7073ad239061

Download Submit
C:\Windows\System\iNzIZPD.exe

Filesize
2.1MB

MD5
25c960b1418c0bbab713beb9dce02449

SHA1
3f588e1f091c88182b66e05600066b907a5a77ca

SHA256
cc82419053021e34b53161ae9ec1fa8e461ee467b75861732b3372a0e19f835c

SHA512
36ce3470095c6ddc71c583ee20b38bd1cbe52db8e58beb45535331d8183f6190d0430a389ee29be8dd458944eebeae5caa98886b3ad1a4cffa3afb92eb10d7de

Download Submit
C:\Windows\System\iPFnBDV.exe

Filesize
2.2MB

MD5
a8abf28d74f8f0bb1893abfed87d1770

SHA1
1f6235f4cb0cda476c51e9beed9bae81b7b2c6d5

SHA256
0a167bf7931b4d58e11835e630c90a729555fa567994835304b6c6eb8925d64b

SHA512
a49f75e30579ac9bfa6fed81ddda86b99cc22dca419d7e0d7bf0bf7cb76021d30bf77ad550a4e43ab4073dd978ebb5c3bb23daf452cd389ff5bbf02beb619d9e

Download Submit
C:\Windows\System\itPsdDW.exe

Filesize
2.2MB

MD5
d94552b8fca90a8d4eedbf01cca0d33d

SHA1
593b41e3cef601a9cfee7647a9637141c193982f

SHA256
bc917f90094d5c198c88a7d11b543b2cfa38d81dbbf1dd8983ca0792ab26d459

SHA512
86fe28ced8db5f2d2e380ea8123f65b101a285de4cb9782997b10714558cecd104507e991d55c117f2534b80364a6259f316a40ccb108de52e7ad1d654475d39

Download Submit
C:\Windows\System\jEtBOHi.exe

Filesize
2.2MB

MD5
79205e15cb9c35c76d88f102d726c4d7

SHA1
070f0d3f265099f3104ed9ccf1f32f31fb8aa928

SHA256
3e7d5d3077c4e5f27027d9a5bfab9bf3e08962b33581919b00bd9f3fdba41108

SHA512
1cde1dde74679c38b54b874755ed5bda6581217514371c17172101c828cf5abefb415eac33da34e930eba8d2eaf5b75578d559c190b96d9f788f21145b8ff9f3

Download Submit
C:\Windows\System\jUwbvuD.exe

Filesize
2.1MB

MD5
67553dbe5b6f58cf8fa25261e4f863b6

SHA1
914c9a9295ec2c846cf36d08ebfec47366a3081e

SHA256
81e2b9c1f336da60e167844496128462ca08ba71c079ff1c15b2e882ce0b3d38

SHA512
ed4333935f4810b73bd356bac84c0c20a9f3e2bff146b7576777ab465e9db249cf506c1e4569d08072a5259da3ee6bfc71b5e37ceeb8dd4982911478b7ad9f9f

Download Submit
C:\Windows\System\mpQmIuC.exe

Filesize
2.1MB

MD5
13d3f61eafabd89bebe2a1d9d7212453

SHA1
8719b37bbfe55cc742077326dc23b26737f9f9f1

SHA256
8d3fe2e9d611e53fc21bd408580c42e74e909775e83e1031122f16239fb7b82b

SHA512
f16f93b40e15624220afe3c3e0b444ed52143b991db149b806aeeacb8d4f42f287a770ba86d1074a7e8cb85fce214dbb9058e36832688b9a7f36cfc3e25603b7

Download Submit
C:\Windows\System\pgNUhpl.exe

Filesize
2.2MB

MD5
f266d5a69817797cd1f8ca5833383653

SHA1
722089134e3a7374412534029a0c34ace794afd6

SHA256
e6ad05d3d4a9fb0228ffdf7b5954214167acac757147d3509655e45f60b2deb6

SHA512
3a18c761a921bb5706296756f1fe41de0a208f1e51bb3f0b0b97ad1d14b7560cc069c5e0ee8e5dac1bcd2781c160673565da6cfcd1224917c5996e7f1131be9d

Download Submit
C:\Windows\System\qOqObVM.exe

Filesize
2.2MB

MD5
ac66212e9c8516136ceab1f9e9553bff

SHA1
1482e300be2ae0ab9d0f3c04c47e95e0deca927a

SHA256
59767fee8b1d925a66356d776aad4ed1d2bd24ecf5641972c404ebfd21646f13

SHA512
62097933983e047ce5b3b2f26ebfca3cfedf4b583bee0d4a6d2dd9ff39c052d06d34c05b9cff455258f7d3c35e4fa945b0ed79f21c7057268f7f4cf1987a9d6a

Download Submit
C:\Windows\System\qkIxHvB.exe

Filesize
2.1MB

MD5
b3d8a5fe720dd21b061da85de920c19e

SHA1
e8b7dcbf50a940b7d6fb23e726a356cc258e7d0e

SHA256
de1cad43746e8e6eb99656baea64e9213cd287212e1f49b980fd6d5e384d0960

SHA512
56f2c5eeb919ba5a3b123b4427b121ff208f441285861efdb2684e02dc1f717a884c3a2ddd78c7bce45b865c1f224d070e10a6c4f78268cbf7a054c856be88d3

Download Submit
C:\Windows\System\rHYEFni.exe

Filesize
2.2MB

MD5
de86111bd7ba43060484e90eaf39bdec

SHA1
2d1a125d0ba598b807ed59896177f4f419036b28

SHA256
a07f587819d8cbdac76afbd301e318d0a32bc5d0d2f11d29dfbb03147188080b

SHA512
0b8dd38e8310c9446184f17bf1eb1abd04e5365d71f52ab7b2bfe4b00090b8c5522765da986a2c613e60e6ef613e960a67611c1b960dcba1afbb06d272a4ab35

Download Submit
C:\Windows\System\sktamOB.exe

Filesize
2.1MB

MD5
bc7c270e2e4b9178bcfc5819f045708a

SHA1
3cc32d308e765d3a4811c6ae38e1222ad58b394a

SHA256
b7ee346811063088220bb7044b385aec193a29076023827d61ba85a6e634c5b5

SHA512
64f4607dd5382e5def782e85c27ccd42c64c319f73ea0bb40120f7c8de0743f2effbbd549c3c24b6a2ea18a31301507dd50bded37e5ce25df9233649f469f635

Download Submit
C:\Windows\System\uWSbmDG.exe

Filesize
2.2MB

MD5
8a1fa40f01502af01af974b48032b3d8

SHA1
9292a53c6c8e197dd7a9fd5abed66dbb7ef9fae8

SHA256
4cae02d9d6c88059380b0bb3aa6a31fae52d51152604a0fcd66b454d3ea04e9b

SHA512
e5fc46a66b4b87cfa36290683f5a47a89e567ea267768dfb5b588724f02e10137dd76fa140925d6d3b993b0ccc82147d31b2fa2c8d3cd8959571c44f1ff7e09a

Download Submit
C:\Windows\System\wIBXbQL.exe

Filesize
2.2MB

MD5
fe2710d4f7a786fe556a9bcdff001331

SHA1
4089786536878bb64d329a3c1a97765533e0a666

SHA256
e85c688d1eaf2e59c7d862a0958848bc0f8da45177a6b49796015f6231af2f3f

SHA512
edb8e0a3ced3b219c16873a4ef49c48d540bf65d9fcc00bf9ada37876cf4746e584e086e576c0ed11c782cf796516400a55cb904403da91eadb98d383f45c61c

Download Submit
C:\Windows\System\waoXFny.exe

Filesize
2.2MB

MD5
78888716e782d01351541830b4378a99

SHA1
8c88712731399dedd78d9739b8b7821ea1a39f82

SHA256
6f80354873c9350d912766c4c05988e30b823a0e5756c667a78f51ce99f89740

SHA512
795eeee9ca07dd91cc328192972cfa82888092ecc8e04157f060811aa92757d07130f1a370fc99842309a88f71310f0282afc1160ff818fed46828545daad60d

Download Submit
C:\Windows\System\xRNSuLo.exe

Filesize
2.1MB

MD5
ef9c57cdf22b53632e3576ff7ad42c47

SHA1
4a0c5b517346efb3dfafa00b12f070bfeb4b7234

SHA256
ffff03b3e96b5e923536864a4c06a2f74f5c6059c668c982225a38c0d1628721

SHA512
fad7fe749a43e914dca2c1ed2511e336c916f6bf2008288b3e454d278de1cb06174f4f2c33b66bdff908e8b6f93a8180f126cf49284886244b1b4d9e5bb32f2b

Download Submit
C:\Windows\System\xlSCBvn.exe

Filesize
2.1MB

MD5
14401038681fe3b1741bad9db367371b

SHA1
7fcb83eebe3e1815ad08bda45e6c5ae63f6b7953

SHA256
4771ee6c100d7ceaf855a1641bd0042becb6358ab406f43bb9fe305216ccf6aa

SHA512
0e82811d58c0300bba96ef802779e7f71c0edd4aaea4e2d3aa2cf7d61866b2a9351ef6d28d176e3fe56c5e27589f39066f1828d9d47660f82eaa47f812816c47

Download Submit
memory/512-2108-0x00007FF725590000-0x00007FF725982000-memory.dmp

Filesize
3.9MB

Download
memory/512-556-0x00007FF725590000-0x00007FF725982000-memory.dmp

Filesize
3.9MB

Download
memory/668-510-0x00007FF69E910000-0x00007FF69ED02000-memory.dmp

Filesize
3.9MB

Download
memory/668-2097-0x00007FF69E910000-0x00007FF69ED02000-memory.dmp

Filesize
3.9MB

Download
memory/1092-2101-0x00007FF6CC7F0000-0x00007FF6CCBE2000-memory.dmp

Filesize
3.9MB

Download
memory/1092-519-0x00007FF6CC7F0000-0x00007FF6CCBE2000-memory.dmp

Filesize
3.9MB

Download
memory/1384-66-0x00007FF6D7430000-0x00007FF6D7822000-memory.dmp

Filesize
3.9MB

Download
memory/1384-2079-0x00007FF6D7430000-0x00007FF6D7822000-memory.dmp

Filesize
3.9MB

Download
memory/1384-2067-0x00007FF6D7430000-0x00007FF6D7822000-memory.dmp

Filesize
3.9MB

Download
memory/1412-503-0x00007FF68BFF0000-0x00007FF68C3E2000-memory.dmp

Filesize
3.9MB

Download
memory/1412-2076-0x00007FF68BFF0000-0x00007FF68C3E2000-memory.dmp

Filesize
3.9MB

Download
memory/1712-578-0x00007FF7722C0000-0x00007FF7726B2000-memory.dmp

Filesize
3.9MB

Download
memory/1712-2083-0x00007FF7722C0000-0x00007FF7726B2000-memory.dmp

Filesize
3.9MB

Download
memory/1776-504-0x00007FF76AFA0000-0x00007FF76B392000-memory.dmp

Filesize
3.9MB

Download
memory/1776-2077-0x00007FF76AFA0000-0x00007FF76B392000-memory.dmp

Filesize
3.9MB

Download
memory/1852-508-0x00007FF66EE50000-0x00007FF66F242000-memory.dmp

Filesize
3.9MB

Download
memory/1852-2095-0x00007FF66EE50000-0x00007FF66F242000-memory.dmp

Filesize
3.9MB

Download
memory/2020-552-0x00007FF72A060000-0x00007FF72A452000-memory.dmp

Filesize
3.9MB

Download
memory/2020-2099-0x00007FF72A060000-0x00007FF72A452000-memory.dmp

Filesize
3.9MB

Download
memory/2360-567-0x00007FF66C640000-0x00007FF66CA32000-memory.dmp

Filesize
3.9MB

Download
memory/2360-2071-0x00007FF66C640000-0x00007FF66CA32000-memory.dmp

Filesize
3.9MB

Download
memory/2512-540-0x00007FF78ABD0000-0x00007FF78AFC2000-memory.dmp

Filesize
3.9MB

Download
memory/2512-2103-0x00007FF78ABD0000-0x00007FF78AFC2000-memory.dmp

Filesize
3.9MB

Download
memory/2864-1-0x0000026DFF1F0000-0x0000026DFF200000-memory.dmp

Filesize
64KB

Download
memory/2864-0-0x00007FF681E20000-0x00007FF682212000-memory.dmp

Filesize
3.9MB

Download
memory/2900-509-0x00007FF605850000-0x00007FF605C42000-memory.dmp

Filesize
3.9MB

Download
memory/2900-2092-0x00007FF605850000-0x00007FF605C42000-memory.dmp

Filesize
3.9MB

Download
memory/3652-2087-0x00007FF68FDE0000-0x00007FF6901D2000-memory.dmp

Filesize
3.9MB

Download
memory/3652-507-0x00007FF68FDE0000-0x00007FF6901D2000-memory.dmp

Filesize
3.9MB

Download
memory/3784-529-0x00007FF6E5F30000-0x00007FF6E6322000-memory.dmp

Filesize
3.9MB

Download
memory/3784-2110-0x00007FF6E5F30000-0x00007FF6E6322000-memory.dmp

Filesize
3.9MB

Download
memory/3840-2093-0x00007FF6FA790000-0x00007FF6FAB82000-memory.dmp

Filesize
3.9MB

Download
memory/3840-516-0x00007FF6FA790000-0x00007FF6FAB82000-memory.dmp

Filesize
3.9MB

Download
memory/3924-559-0x00007FF76A300000-0x00007FF76A6F2000-memory.dmp

Filesize
3.9MB

Download
memory/3924-2106-0x00007FF76A300000-0x00007FF76A6F2000-memory.dmp

Filesize
3.9MB

Download
memory/3928-2069-0x00007FF698110000-0x00007FF698502000-memory.dmp

Filesize
3.9MB

Download
memory/3928-34-0x00007FF698110000-0x00007FF698502000-memory.dmp

Filesize
3.9MB

Download
memory/3976-7-0x00007FF6FBE20000-0x00007FF6FC212000-memory.dmp

Filesize
3.9MB

Download
memory/3976-2073-0x00007FF6FBE20000-0x00007FF6FC212000-memory.dmp

Filesize
3.9MB

Download
memory/3976-2066-0x00007FF6FBE20000-0x00007FF6FC212000-memory.dmp

Filesize
3.9MB

Download
memory/4352-506-0x00007FF693E10000-0x00007FF694202000-memory.dmp

Filesize
3.9MB

Download
memory/4352-2085-0x00007FF693E10000-0x00007FF694202000-memory.dmp

Filesize
3.9MB

Download
memory/4528-80-0x000001D5C2E40000-0x000001D5C2E62000-memory.dmp

Filesize
136KB

Download
memory/4528-29-0x00007FFC1B380000-0x00007FFC1BE41000-memory.dmp

Filesize
10.8MB

Download
memory/4528-1717-0x00007FFC1B380000-0x00007FFC1BE41000-memory.dmp

Filesize
10.8MB

Download
memory/4528-9-0x000001D5C2EF0000-0x000001D5C2F00000-memory.dmp

Filesize
64KB

Download
memory/4916-2081-0x00007FF6F8C90000-0x00007FF6F9082000-memory.dmp

Filesize
3.9MB

Download
memory/4916-505-0x00007FF6F8C90000-0x00007FF6F9082000-memory.dmp

Filesize
3.9MB

Download
memory/4964-2089-0x00007FF690960000-0x00007FF690D52000-memory.dmp

Filesize
3.9MB

Download
memory/4964-513-0x00007FF690960000-0x00007FF690D52000-memory.dmp

Filesize
3.9MB

Download