xmrig | 7b6bcd721e5cddc0d74b38a76cab8224e1b2ba3b39ad7e0f382cbc5314c1f17e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
Size

1.7MB
MD5

175cfc2db509885fafdd38d98ca61fb9
SHA1

0c9ca4eab86f44f0a7d5ca795cd1f5b6c0dbc85a
SHA256

7b6bcd721e5cddc0d74b38a76cab8224e1b2ba3b39ad7e0f382cbc5314c1f17e
SHA512

5d528640af3f0b18fb48a5c0b03a724a84df399a53e36004f3769028549bf691b308eed07828c8d24856b755444d6ca146637e386d892d6e84dc951c4933143c
SSDEEP

49152:Lz071uv4BPMkibTIA5lCx7kvRWa4pxtUp:NABk

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 51 IoCs

miner

resource	yara_rule
behavioral2/memory/2232-62-0x00007FF63EA10000-0x00007FF63EE02000-memory.dmp	xmrig
behavioral2/memory/4164-478-0x00007FF7D7680000-0x00007FF7D7A72000-memory.dmp	xmrig
behavioral2/memory/5000-479-0x00007FF669890000-0x00007FF669C82000-memory.dmp	xmrig
behavioral2/memory/3268-480-0x00007FF7D5BC0000-0x00007FF7D5FB2000-memory.dmp	xmrig
behavioral2/memory/3056-481-0x00007FF65F6A0000-0x00007FF65FA92000-memory.dmp	xmrig
behavioral2/memory/1792-483-0x00007FF780C20000-0x00007FF781012000-memory.dmp	xmrig
behavioral2/memory/4928-484-0x00007FF780610000-0x00007FF780A02000-memory.dmp	xmrig
behavioral2/memory/2944-482-0x00007FF678E70000-0x00007FF679262000-memory.dmp	xmrig
behavioral2/memory/4732-54-0x00007FF6C8050000-0x00007FF6C8442000-memory.dmp	xmrig
behavioral2/memory/5088-46-0x00007FF67C380000-0x00007FF67C772000-memory.dmp	xmrig
behavioral2/memory/3684-42-0x00007FF7B8C60000-0x00007FF7B9052000-memory.dmp	xmrig
behavioral2/memory/3108-40-0x00007FF6E70C0000-0x00007FF6E74B2000-memory.dmp	xmrig
behavioral2/memory/844-485-0x00007FF617C80000-0x00007FF618072000-memory.dmp	xmrig
behavioral2/memory/1092-488-0x00007FF639690000-0x00007FF639A82000-memory.dmp	xmrig
behavioral2/memory/4596-490-0x00007FF64BE60000-0x00007FF64C252000-memory.dmp	xmrig
behavioral2/memory/3288-489-0x00007FF60B600000-0x00007FF60B9F2000-memory.dmp	xmrig
behavioral2/memory/4712-487-0x00007FF6AB4F0000-0x00007FF6AB8E2000-memory.dmp	xmrig
behavioral2/memory/3608-486-0x00007FF641480000-0x00007FF641872000-memory.dmp	xmrig
behavioral2/memory/2004-15-0x00007FF77C460000-0x00007FF77C852000-memory.dmp	xmrig
behavioral2/memory/932-2117-0x00007FF6D1340000-0x00007FF6D1732000-memory.dmp	xmrig
behavioral2/memory/2004-2138-0x00007FF77C460000-0x00007FF77C852000-memory.dmp	xmrig
behavioral2/memory/3496-2139-0x00007FF711CF0000-0x00007FF7120E2000-memory.dmp	xmrig
behavioral2/memory/4732-2149-0x00007FF6C8050000-0x00007FF6C8442000-memory.dmp	xmrig
behavioral2/memory/2884-2150-0x00007FF786B60000-0x00007FF786F52000-memory.dmp	xmrig
behavioral2/memory/2876-2148-0x00007FF6E8930000-0x00007FF6E8D22000-memory.dmp	xmrig
behavioral2/memory/8-2174-0x00007FF6A54D0000-0x00007FF6A58C2000-memory.dmp	xmrig
behavioral2/memory/3592-2175-0x00007FF78A260000-0x00007FF78A652000-memory.dmp	xmrig
behavioral2/memory/2004-2189-0x00007FF77C460000-0x00007FF77C852000-memory.dmp	xmrig
behavioral2/memory/3684-2194-0x00007FF7B8C60000-0x00007FF7B9052000-memory.dmp	xmrig
behavioral2/memory/3496-2195-0x00007FF711CF0000-0x00007FF7120E2000-memory.dmp	xmrig
behavioral2/memory/2876-2199-0x00007FF6E8930000-0x00007FF6E8D22000-memory.dmp	xmrig
behavioral2/memory/5088-2198-0x00007FF67C380000-0x00007FF67C772000-memory.dmp	xmrig
behavioral2/memory/3108-2192-0x00007FF6E70C0000-0x00007FF6E74B2000-memory.dmp	xmrig
behavioral2/memory/8-2202-0x00007FF6A54D0000-0x00007FF6A58C2000-memory.dmp	xmrig
behavioral2/memory/4732-2205-0x00007FF6C8050000-0x00007FF6C8442000-memory.dmp	xmrig
behavioral2/memory/5000-2213-0x00007FF669890000-0x00007FF669C82000-memory.dmp	xmrig
behavioral2/memory/844-2221-0x00007FF617C80000-0x00007FF618072000-memory.dmp	xmrig
behavioral2/memory/3056-2225-0x00007FF65F6A0000-0x00007FF65FA92000-memory.dmp	xmrig
behavioral2/memory/3608-2227-0x00007FF641480000-0x00007FF641872000-memory.dmp	xmrig
behavioral2/memory/2944-2223-0x00007FF678E70000-0x00007FF679262000-memory.dmp	xmrig
behavioral2/memory/1792-2219-0x00007FF780C20000-0x00007FF781012000-memory.dmp	xmrig
behavioral2/memory/4928-2218-0x00007FF780610000-0x00007FF780A02000-memory.dmp	xmrig
behavioral2/memory/3268-2215-0x00007FF7D5BC0000-0x00007FF7D5FB2000-memory.dmp	xmrig
behavioral2/memory/2884-2210-0x00007FF786B60000-0x00007FF786F52000-memory.dmp	xmrig
behavioral2/memory/2232-2208-0x00007FF63EA10000-0x00007FF63EE02000-memory.dmp	xmrig
behavioral2/memory/3592-2203-0x00007FF78A260000-0x00007FF78A652000-memory.dmp	xmrig
behavioral2/memory/4164-2211-0x00007FF7D7680000-0x00007FF7D7A72000-memory.dmp	xmrig
behavioral2/memory/4596-2241-0x00007FF64BE60000-0x00007FF64C252000-memory.dmp	xmrig
behavioral2/memory/4712-2231-0x00007FF6AB4F0000-0x00007FF6AB8E2000-memory.dmp	xmrig
behavioral2/memory/3288-2243-0x00007FF60B600000-0x00007FF60B9F2000-memory.dmp	xmrig
behavioral2/memory/1092-2230-0x00007FF639690000-0x00007FF639A82000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

flow	pid	Process
8	3048	powershell.exe
10	3048	powershell.exe
16	3048	powershell.exe
17	3048	powershell.exe
19	3048	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2004	QFDrvRc.exe
3496	DxXgquV.exe
5088	oOpnygc.exe
2876	ClHDkBo.exe
3108	WIAFhaI.exe
3684	BwZEuvl.exe
4732	rPTANTC.exe
2884	LKpHMJP.exe
2232	ifgUImG.exe
8	DBNPBDW.exe
3592	HyMiYzd.exe
4164	wCIvMsA.exe
5000	xPmwbnd.exe
3268	cmaBQTc.exe
3056	qVzgJML.exe
2944	UeVqvqh.exe
1792	oaAeTtF.exe
4928	vaIKqaG.exe
844	pYMlefO.exe
3608	KdRwqlw.exe
4712	nMKTqdh.exe
1092	DXjXged.exe
3288	CXGSNDH.exe
4596	PvZqgnd.exe
4212	JLZypJt.exe
1968	BxrbaJk.exe
1564	VYPbxPr.exe
4648	ZtzpjDz.exe
4540	YlboIHD.exe
2152	HoatAaz.exe
3552	pOHzCYk.exe
4868	AHtETYV.exe
380	bTcYYdx.exe
852	tjLgXeD.exe
2772	tWJyHRQ.exe
1004	XdsJWrA.exe
2212	zzyipxI.exe
628	iwGffBv.exe
1220	vXRYRfM.exe
3976	JFAKVuH.exe
2336	ogTHJap.exe
1272	BTXRAAd.exe
4388	XIksYvv.exe
1368	HaVtgTY.exe
2888	mzwBrbV.exe
4884	KebYRcO.exe
5012	dXIbbmN.exe
468	UvofLiN.exe
912	znrAGxJ.exe
2532	mMjgINZ.exe
1500	YlliPsD.exe
3464	YVmEpwo.exe
2744	scOXXGA.exe
536	NHiucYD.exe
4520	vzHrdOL.exe
3460	sSfjPfj.exe
3224	hbVHhis.exe
892	VMNRTSB.exe
4500	gjoivbn.exe
2556	CLGWeUn.exe
2020	vYBnexP.exe
3864	lnFJMvn.exe
3404	lHJDyMm.exe
4536	DywnyJY.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/932-0-0x00007FF6D1340000-0x00007FF6D1732000-memory.dmp	upx
behavioral2/files/0x000b000000023b98-5.dat	upx
behavioral2/files/0x000a000000023b9d-8.dat	upx
behavioral2/files/0x000a000000023b9e-21.dat	upx
behavioral2/files/0x000a000000023b9f-22.dat	upx
behavioral2/files/0x000a000000023ba1-47.dat	upx
behavioral2/files/0x000a000000023ba3-48.dat	upx
behavioral2/files/0x000a000000023ba4-56.dat	upx
behavioral2/memory/2232-62-0x00007FF63EA10000-0x00007FF63EE02000-memory.dmp	upx
behavioral2/files/0x000a000000023ba5-66.dat	upx
behavioral2/files/0x000a000000023ba8-79.dat	upx
behavioral2/files/0x000a000000023baa-89.dat	upx
behavioral2/files/0x000a000000023baf-119.dat	upx
behavioral2/files/0x000a000000023bb0-132.dat	upx
behavioral2/files/0x0031000000023bb5-162.dat	upx
behavioral2/files/0x000a000000023bb8-177.dat	upx
behavioral2/memory/4164-478-0x00007FF7D7680000-0x00007FF7D7A72000-memory.dmp	upx
behavioral2/memory/5000-479-0x00007FF669890000-0x00007FF669C82000-memory.dmp	upx
behavioral2/memory/3268-480-0x00007FF7D5BC0000-0x00007FF7D5FB2000-memory.dmp	upx
behavioral2/memory/3056-481-0x00007FF65F6A0000-0x00007FF65FA92000-memory.dmp	upx
behavioral2/memory/1792-483-0x00007FF780C20000-0x00007FF781012000-memory.dmp	upx
behavioral2/memory/4928-484-0x00007FF780610000-0x00007FF780A02000-memory.dmp	upx
behavioral2/memory/2944-482-0x00007FF678E70000-0x00007FF679262000-memory.dmp	upx
behavioral2/files/0x000a000000023bbb-184.dat	upx
behavioral2/files/0x000a000000023bb9-182.dat	upx
behavioral2/files/0x000a000000023bba-179.dat	upx
behavioral2/files/0x0031000000023bb7-172.dat	upx
behavioral2/files/0x0031000000023bb6-167.dat	upx
behavioral2/files/0x000b000000023bac-157.dat	upx
behavioral2/files/0x000a000000023bb4-152.dat	upx
behavioral2/files/0x000a000000023bb3-147.dat	upx
behavioral2/files/0x000a000000023bb2-142.dat	upx
behavioral2/files/0x000a000000023bb1-137.dat	upx
behavioral2/files/0x000b000000023bad-122.dat	upx
behavioral2/files/0x000a000000023bae-117.dat	upx
behavioral2/files/0x000a000000023bab-112.dat	upx
behavioral2/files/0x000a000000023ba9-102.dat	upx
behavioral2/files/0x000a000000023ba7-82.dat	upx
behavioral2/files/0x000a000000023ba6-77.dat	upx
behavioral2/memory/3592-68-0x00007FF78A260000-0x00007FF78A652000-memory.dmp	upx
behavioral2/memory/8-65-0x00007FF6A54D0000-0x00007FF6A58C2000-memory.dmp	upx
behavioral2/memory/2884-60-0x00007FF786B60000-0x00007FF786F52000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-55.dat	upx
behavioral2/memory/4732-54-0x00007FF6C8050000-0x00007FF6C8442000-memory.dmp	upx
behavioral2/memory/5088-46-0x00007FF67C380000-0x00007FF67C772000-memory.dmp	upx
behavioral2/memory/3684-42-0x00007FF7B8C60000-0x00007FF7B9052000-memory.dmp	upx
behavioral2/memory/3108-40-0x00007FF6E70C0000-0x00007FF6E74B2000-memory.dmp	upx
behavioral2/memory/2876-34-0x00007FF6E8930000-0x00007FF6E8D22000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-26.dat	upx
behavioral2/memory/844-485-0x00007FF617C80000-0x00007FF618072000-memory.dmp	upx
behavioral2/memory/3496-25-0x00007FF711CF0000-0x00007FF7120E2000-memory.dmp	upx
behavioral2/memory/1092-488-0x00007FF639690000-0x00007FF639A82000-memory.dmp	upx
behavioral2/memory/4596-490-0x00007FF64BE60000-0x00007FF64C252000-memory.dmp	upx
behavioral2/memory/3288-489-0x00007FF60B600000-0x00007FF60B9F2000-memory.dmp	upx
behavioral2/memory/4712-487-0x00007FF6AB4F0000-0x00007FF6AB8E2000-memory.dmp	upx
behavioral2/memory/3608-486-0x00007FF641480000-0x00007FF641872000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-18.dat	upx
behavioral2/memory/2004-15-0x00007FF77C460000-0x00007FF77C852000-memory.dmp	upx
behavioral2/memory/932-2117-0x00007FF6D1340000-0x00007FF6D1732000-memory.dmp	upx
behavioral2/memory/2004-2138-0x00007FF77C460000-0x00007FF77C852000-memory.dmp	upx
behavioral2/memory/3496-2139-0x00007FF711CF0000-0x00007FF7120E2000-memory.dmp	upx
behavioral2/memory/4732-2149-0x00007FF6C8050000-0x00007FF6C8442000-memory.dmp	upx
behavioral2/memory/2884-2150-0x00007FF786B60000-0x00007FF786F52000-memory.dmp	upx
behavioral2/memory/2876-2148-0x00007FF6E8930000-0x00007FF6E8D22000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\bTcYYdx.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\YlliPsD.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\fxMkxmh.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\tVQJHgg.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\VBQSEPf.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\pgUOWGT.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\BkPQNAo.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\VmjkRBS.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\fVHoaHo.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\ffgFwQF.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\nCPqtOF.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\peQRfPp.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\vXRYRfM.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\sWDAkco.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\nYnfINp.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\OtKSldc.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\bsJDKlt.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\AyKSszh.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\wdJmnkM.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\kFrbkKJ.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\nMKTqdh.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\zzyipxI.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\kwMMGdg.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\ukqrwGl.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\EAfcuRu.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\BdaqTRn.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\QVFIdUi.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\oaAeTtF.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\ISOngSs.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\ITZQfTk.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\CoEWJjt.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\PndpjMB.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\uhdSdgq.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\NrPcQmF.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\gJNVNDl.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\fGnGVKh.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\JLZypJt.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\rTFSgqx.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\ETlizuj.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\NaNYXZG.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\enizlAT.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\IHpeJRf.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\mMjgINZ.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\cWpJlZn.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\AKPzBUF.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\WPgGAKl.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\aRWCaNo.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\FyjsSUq.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\IpfVTwJ.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\MRrLlKF.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\cJZrnnH.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\WlGSEGq.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\XGkxXxa.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\EZALLPX.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\hbVHhis.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\lGbmmyL.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\IfuIGYF.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\bOPyIuC.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\HZrDrIA.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\rUdjAwV.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\prPmIYf.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\sitUCpm.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\LkdqQPn.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
File created	C:\Windows\System\wFWaLcq.exe	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3048	powershell.exe
3048	powershell.exe
3048	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeCreateGlobalPrivilege	3128	dwm.exe
Token: SeChangeNotifyPrivilege	3128	dwm.exe
Token: 33	3128	dwm.exe
Token: SeIncBasePriorityPrivilege	3128	dwm.exe
Token: SeShutdownPrivilege	3128	dwm.exe
Token: SeCreatePagefilePrivilege	3128	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 932 wrote to memory of 3048	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	85
PID 932 wrote to memory of 3048	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	85
PID 932 wrote to memory of 2004	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	86
PID 932 wrote to memory of 2004	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	86
PID 932 wrote to memory of 3496	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	87
PID 932 wrote to memory of 3496	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	87
PID 932 wrote to memory of 3684	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	88
PID 932 wrote to memory of 3684	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	88
PID 932 wrote to memory of 5088	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	89
PID 932 wrote to memory of 5088	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	89
PID 932 wrote to memory of 2876	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	90
PID 932 wrote to memory of 2876	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	90
PID 932 wrote to memory of 3108	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	91
PID 932 wrote to memory of 3108	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	91
PID 932 wrote to memory of 4732	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	92
PID 932 wrote to memory of 4732	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	92
PID 932 wrote to memory of 2884	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	93
PID 932 wrote to memory of 2884	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	93
PID 932 wrote to memory of 2232	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	94
PID 932 wrote to memory of 2232	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	94
PID 932 wrote to memory of 8	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	95
PID 932 wrote to memory of 8	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	95
PID 932 wrote to memory of 3592	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	96
PID 932 wrote to memory of 3592	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	96
PID 932 wrote to memory of 4164	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	97
PID 932 wrote to memory of 4164	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	97
PID 932 wrote to memory of 5000	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	98
PID 932 wrote to memory of 5000	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	98
PID 932 wrote to memory of 3268	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	99
PID 932 wrote to memory of 3268	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	99
PID 932 wrote to memory of 3056	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	100
PID 932 wrote to memory of 3056	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	100
PID 932 wrote to memory of 2944	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	101
PID 932 wrote to memory of 2944	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	101
PID 932 wrote to memory of 1792	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	102
PID 932 wrote to memory of 1792	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	102
PID 932 wrote to memory of 4928	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	103
PID 932 wrote to memory of 4928	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	103
PID 932 wrote to memory of 844	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	104
PID 932 wrote to memory of 844	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	104
PID 932 wrote to memory of 3608	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	105
PID 932 wrote to memory of 3608	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	105
PID 932 wrote to memory of 4712	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	106
PID 932 wrote to memory of 4712	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	106
PID 932 wrote to memory of 1092	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	107
PID 932 wrote to memory of 1092	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	107
PID 932 wrote to memory of 3288	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	108
PID 932 wrote to memory of 3288	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	108
PID 932 wrote to memory of 4596	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	109
PID 932 wrote to memory of 4596	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	109
PID 932 wrote to memory of 4212	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	110
PID 932 wrote to memory of 4212	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	110
PID 932 wrote to memory of 1968	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	111
PID 932 wrote to memory of 1968	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	111
PID 932 wrote to memory of 1564	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	112
PID 932 wrote to memory of 1564	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	112
PID 932 wrote to memory of 4648	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	113
PID 932 wrote to memory of 4648	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	113
PID 932 wrote to memory of 4540	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	114
PID 932 wrote to memory of 4540	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	114
PID 932 wrote to memory of 2152	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	115
PID 932 wrote to memory of 2152	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	115
PID 932 wrote to memory of 3552	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	116
PID 932 wrote to memory of 3552	932	175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\175cfc2db509885fafdd38d98ca61fb9_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3048
- C:\Windows\System\QFDrvRc.exe
  C:\Windows\System\QFDrvRc.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\DxXgquV.exe
  C:\Windows\System\DxXgquV.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\BwZEuvl.exe
  C:\Windows\System\BwZEuvl.exe
  2⤵
  - Executes dropped EXE
  PID:3684
- C:\Windows\System\oOpnygc.exe
  C:\Windows\System\oOpnygc.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\ClHDkBo.exe
  C:\Windows\System\ClHDkBo.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\WIAFhaI.exe
  C:\Windows\System\WIAFhaI.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\rPTANTC.exe
  C:\Windows\System\rPTANTC.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\LKpHMJP.exe
  C:\Windows\System\LKpHMJP.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\ifgUImG.exe
  C:\Windows\System\ifgUImG.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\DBNPBDW.exe
  C:\Windows\System\DBNPBDW.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\HyMiYzd.exe
  C:\Windows\System\HyMiYzd.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\wCIvMsA.exe
  C:\Windows\System\wCIvMsA.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\xPmwbnd.exe
  C:\Windows\System\xPmwbnd.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\cmaBQTc.exe
  C:\Windows\System\cmaBQTc.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\qVzgJML.exe
  C:\Windows\System\qVzgJML.exe
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\Windows\System\UeVqvqh.exe
  C:\Windows\System\UeVqvqh.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\oaAeTtF.exe
  C:\Windows\System\oaAeTtF.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\vaIKqaG.exe
  C:\Windows\System\vaIKqaG.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\pYMlefO.exe
  C:\Windows\System\pYMlefO.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Windows\System\KdRwqlw.exe
  C:\Windows\System\KdRwqlw.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\nMKTqdh.exe
  C:\Windows\System\nMKTqdh.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\DXjXged.exe
  C:\Windows\System\DXjXged.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\CXGSNDH.exe
  C:\Windows\System\CXGSNDH.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\PvZqgnd.exe
  C:\Windows\System\PvZqgnd.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\JLZypJt.exe
  C:\Windows\System\JLZypJt.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\BxrbaJk.exe
  C:\Windows\System\BxrbaJk.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\VYPbxPr.exe
  C:\Windows\System\VYPbxPr.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\ZtzpjDz.exe
  C:\Windows\System\ZtzpjDz.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\YlboIHD.exe
  C:\Windows\System\YlboIHD.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\HoatAaz.exe
  C:\Windows\System\HoatAaz.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\pOHzCYk.exe
  C:\Windows\System\pOHzCYk.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\AHtETYV.exe
  C:\Windows\System\AHtETYV.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System\bTcYYdx.exe
  C:\Windows\System\bTcYYdx.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\tjLgXeD.exe
  C:\Windows\System\tjLgXeD.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\tWJyHRQ.exe
  C:\Windows\System\tWJyHRQ.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\XdsJWrA.exe
  C:\Windows\System\XdsJWrA.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\zzyipxI.exe
  C:\Windows\System\zzyipxI.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\iwGffBv.exe
  C:\Windows\System\iwGffBv.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\vXRYRfM.exe
  C:\Windows\System\vXRYRfM.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\JFAKVuH.exe
  C:\Windows\System\JFAKVuH.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\ogTHJap.exe
  C:\Windows\System\ogTHJap.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\BTXRAAd.exe
  C:\Windows\System\BTXRAAd.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\XIksYvv.exe
  C:\Windows\System\XIksYvv.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\HaVtgTY.exe
  C:\Windows\System\HaVtgTY.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\mzwBrbV.exe
  C:\Windows\System\mzwBrbV.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\KebYRcO.exe
  C:\Windows\System\KebYRcO.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\dXIbbmN.exe
  C:\Windows\System\dXIbbmN.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\UvofLiN.exe
  C:\Windows\System\UvofLiN.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\znrAGxJ.exe
  C:\Windows\System\znrAGxJ.exe
  2⤵
  - Executes dropped EXE
  PID:912
- C:\Windows\System\mMjgINZ.exe
  C:\Windows\System\mMjgINZ.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System\YlliPsD.exe
  C:\Windows\System\YlliPsD.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\YVmEpwo.exe
  C:\Windows\System\YVmEpwo.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\scOXXGA.exe
  C:\Windows\System\scOXXGA.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\NHiucYD.exe
  C:\Windows\System\NHiucYD.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\vzHrdOL.exe
  C:\Windows\System\vzHrdOL.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\sSfjPfj.exe
  C:\Windows\System\sSfjPfj.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\hbVHhis.exe
  C:\Windows\System\hbVHhis.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\VMNRTSB.exe
  C:\Windows\System\VMNRTSB.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System\gjoivbn.exe
  C:\Windows\System\gjoivbn.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\CLGWeUn.exe
  C:\Windows\System\CLGWeUn.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\vYBnexP.exe
  C:\Windows\System\vYBnexP.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\lnFJMvn.exe
  C:\Windows\System\lnFJMvn.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\lHJDyMm.exe
  C:\Windows\System\lHJDyMm.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\DywnyJY.exe
  C:\Windows\System\DywnyJY.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\NlVMaBR.exe
  C:\Windows\System\NlVMaBR.exe
  2⤵
  PID:3956
- C:\Windows\System\yQHNkok.exe
  C:\Windows\System\yQHNkok.exe
  2⤵
  PID:5128
- C:\Windows\System\OmWhmQE.exe
  C:\Windows\System\OmWhmQE.exe
  2⤵
  PID:5152
- C:\Windows\System\StpWbdc.exe
  C:\Windows\System\StpWbdc.exe
  2⤵
  PID:5184
- C:\Windows\System\PGPofNz.exe
  C:\Windows\System\PGPofNz.exe
  2⤵
  PID:5212
- C:\Windows\System\jwXMqKa.exe
  C:\Windows\System\jwXMqKa.exe
  2⤵
  PID:5240
- C:\Windows\System\ffgFwQF.exe
  C:\Windows\System\ffgFwQF.exe
  2⤵
  PID:5268
- C:\Windows\System\SabdNPK.exe
  C:\Windows\System\SabdNPK.exe
  2⤵
  PID:5296
- C:\Windows\System\jLalAeh.exe
  C:\Windows\System\jLalAeh.exe
  2⤵
  PID:5324
- C:\Windows\System\bIddVUh.exe
  C:\Windows\System\bIddVUh.exe
  2⤵
  PID:5352
- C:\Windows\System\inzrfHR.exe
  C:\Windows\System\inzrfHR.exe
  2⤵
  PID:5380
- C:\Windows\System\AVAJMcC.exe
  C:\Windows\System\AVAJMcC.exe
  2⤵
  PID:5412
- C:\Windows\System\sWDAkco.exe
  C:\Windows\System\sWDAkco.exe
  2⤵
  PID:5444
- C:\Windows\System\tDHymRV.exe
  C:\Windows\System\tDHymRV.exe
  2⤵
  PID:5472
- C:\Windows\System\lXZLTvd.exe
  C:\Windows\System\lXZLTvd.exe
  2⤵
  PID:5500
- C:\Windows\System\prPmIYf.exe
  C:\Windows\System\prPmIYf.exe
  2⤵
  PID:5532
- C:\Windows\System\dXGnjWT.exe
  C:\Windows\System\dXGnjWT.exe
  2⤵
  PID:5560
- C:\Windows\System\rCYJpXP.exe
  C:\Windows\System\rCYJpXP.exe
  2⤵
  PID:5588
- C:\Windows\System\ZwAeWsU.exe
  C:\Windows\System\ZwAeWsU.exe
  2⤵
  PID:5616
- C:\Windows\System\DsooePq.exe
  C:\Windows\System\DsooePq.exe
  2⤵
  PID:5644
- C:\Windows\System\lwmFOCQ.exe
  C:\Windows\System\lwmFOCQ.exe
  2⤵
  PID:5672
- C:\Windows\System\lGbmmyL.exe
  C:\Windows\System\lGbmmyL.exe
  2⤵
  PID:5700
- C:\Windows\System\kwMMGdg.exe
  C:\Windows\System\kwMMGdg.exe
  2⤵
  PID:5728
- C:\Windows\System\hzkFXwi.exe
  C:\Windows\System\hzkFXwi.exe
  2⤵
  PID:5756
- C:\Windows\System\dOzncal.exe
  C:\Windows\System\dOzncal.exe
  2⤵
  PID:5784
- C:\Windows\System\MIFowti.exe
  C:\Windows\System\MIFowti.exe
  2⤵
  PID:5812
- C:\Windows\System\UKRrraR.exe
  C:\Windows\System\UKRrraR.exe
  2⤵
  PID:5840
- C:\Windows\System\XSxLJYz.exe
  C:\Windows\System\XSxLJYz.exe
  2⤵
  PID:5868
- C:\Windows\System\ZsRiPTC.exe
  C:\Windows\System\ZsRiPTC.exe
  2⤵
  PID:5896
- C:\Windows\System\ySXbcCq.exe
  C:\Windows\System\ySXbcCq.exe
  2⤵
  PID:5924
- C:\Windows\System\twZliOn.exe
  C:\Windows\System\twZliOn.exe
  2⤵
  PID:5952
- C:\Windows\System\xODpxvb.exe
  C:\Windows\System\xODpxvb.exe
  2⤵
  PID:5976
- C:\Windows\System\voxmkLZ.exe
  C:\Windows\System\voxmkLZ.exe
  2⤵
  PID:6008
- C:\Windows\System\IsqvCff.exe
  C:\Windows\System\IsqvCff.exe
  2⤵
  PID:6036
- C:\Windows\System\zByphZA.exe
  C:\Windows\System\zByphZA.exe
  2⤵
  PID:6064
- C:\Windows\System\UlyBwKH.exe
  C:\Windows\System\UlyBwKH.exe
  2⤵
  PID:6092
- C:\Windows\System\jjTTYNF.exe
  C:\Windows\System\jjTTYNF.exe
  2⤵
  PID:6120
- C:\Windows\System\jRbndyU.exe
  C:\Windows\System\jRbndyU.exe
  2⤵
  PID:3620
- C:\Windows\System\uROICvA.exe
  C:\Windows\System\uROICvA.exe
  2⤵
  PID:4400
- C:\Windows\System\yrVqvPn.exe
  C:\Windows\System\yrVqvPn.exe
  2⤵
  PID:4280
- C:\Windows\System\rTFSgqx.exe
  C:\Windows\System\rTFSgqx.exe
  2⤵
  PID:532
- C:\Windows\System\wBQncum.exe
  C:\Windows\System\wBQncum.exe
  2⤵
  PID:5148
- C:\Windows\System\xExpbHt.exe
  C:\Windows\System\xExpbHt.exe
  2⤵
  PID:5200
- C:\Windows\System\pcGCjzz.exe
  C:\Windows\System\pcGCjzz.exe
  2⤵
  PID:5260
- C:\Windows\System\uotsujD.exe
  C:\Windows\System\uotsujD.exe
  2⤵
  PID:5308
- C:\Windows\System\VNQctiJ.exe
  C:\Windows\System\VNQctiJ.exe
  2⤵
  PID:5372
- C:\Windows\System\whAnBif.exe
  C:\Windows\System\whAnBif.exe
  2⤵
  PID:5432
- C:\Windows\System\nYnfINp.exe
  C:\Windows\System\nYnfINp.exe
  2⤵
  PID:5512
- C:\Windows\System\MhjiPHn.exe
  C:\Windows\System\MhjiPHn.exe
  2⤵
  PID:5572
- C:\Windows\System\zgPpSoK.exe
  C:\Windows\System\zgPpSoK.exe
  2⤵
  PID:4824
- C:\Windows\System\ZvMJQsW.exe
  C:\Windows\System\ZvMJQsW.exe
  2⤵
  PID:5660
- C:\Windows\System\MwPdiEl.exe
  C:\Windows\System\MwPdiEl.exe
  2⤵
  PID:5716
- C:\Windows\System\MvfxiQe.exe
  C:\Windows\System\MvfxiQe.exe
  2⤵
  PID:5772
- C:\Windows\System\juoWHBR.exe
  C:\Windows\System\juoWHBR.exe
  2⤵
  PID:5828
- C:\Windows\System\rjmocQN.exe
  C:\Windows\System\rjmocQN.exe
  2⤵
  PID:5908
- C:\Windows\System\KfFlrCI.exe
  C:\Windows\System\KfFlrCI.exe
  2⤵
  PID:5968
- C:\Windows\System\nQsgGrV.exe
  C:\Windows\System\nQsgGrV.exe
  2⤵
  PID:6020
- C:\Windows\System\aHciNLN.exe
  C:\Windows\System\aHciNLN.exe
  2⤵
  PID:1600
- C:\Windows\System\RxLOQPw.exe
  C:\Windows\System\RxLOQPw.exe
  2⤵
  PID:6140
- C:\Windows\System\ufoUbkQ.exe
  C:\Windows\System\ufoUbkQ.exe
  2⤵
  PID:5108
- C:\Windows\System\RMPsDbM.exe
  C:\Windows\System\RMPsDbM.exe
  2⤵
  PID:3076
- C:\Windows\System\CIcSvej.exe
  C:\Windows\System\CIcSvej.exe
  2⤵
  PID:5176
- C:\Windows\System\RiROiEY.exe
  C:\Windows\System\RiROiEY.exe
  2⤵
  PID:5288
- C:\Windows\System\fxMkxmh.exe
  C:\Windows\System\fxMkxmh.exe
  2⤵
  PID:4956
- C:\Windows\System\wfIfqxF.exe
  C:\Windows\System\wfIfqxF.exe
  2⤵
  PID:5552
- C:\Windows\System\GnpPivF.exe
  C:\Windows\System\GnpPivF.exe
  2⤵
  PID:4688
- C:\Windows\System\kDKedSj.exe
  C:\Windows\System\kDKedSj.exe
  2⤵
  PID:5712
- C:\Windows\System\zFmXlZO.exe
  C:\Windows\System\zFmXlZO.exe
  2⤵
  PID:1200
- C:\Windows\System\yCBWxGW.exe
  C:\Windows\System\yCBWxGW.exe
  2⤵
  PID:6112
- C:\Windows\System\jamlBpu.exe
  C:\Windows\System\jamlBpu.exe
  2⤵
  PID:552
- C:\Windows\System\HTGBIcO.exe
  C:\Windows\System\HTGBIcO.exe
  2⤵
  PID:3088
- C:\Windows\System\slYnVGC.exe
  C:\Windows\System\slYnVGC.exe
  2⤵
  PID:5284
- C:\Windows\System\gdMUOhm.exe
  C:\Windows\System\gdMUOhm.exe
  2⤵
  PID:64
- C:\Windows\System\xKIjAOh.exe
  C:\Windows\System\xKIjAOh.exe
  2⤵
  PID:3140
- C:\Windows\System\IfuIGYF.exe
  C:\Windows\System\IfuIGYF.exe
  2⤵
  PID:632
- C:\Windows\System\MOdJybT.exe
  C:\Windows\System\MOdJybT.exe
  2⤵
  PID:5116
- C:\Windows\System\hwDxBzb.exe
  C:\Windows\System\hwDxBzb.exe
  2⤵
  PID:5860
- C:\Windows\System\CoEWJjt.exe
  C:\Windows\System\CoEWJjt.exe
  2⤵
  PID:5804
- C:\Windows\System\hVUsahO.exe
  C:\Windows\System\hVUsahO.exe
  2⤵
  PID:2704
- C:\Windows\System\XMMKSsN.exe
  C:\Windows\System\XMMKSsN.exe
  2⤵
  PID:5092
- C:\Windows\System\OtKSldc.exe
  C:\Windows\System\OtKSldc.exe
  2⤵
  PID:1068
- C:\Windows\System\BkPQNAo.exe
  C:\Windows\System\BkPQNAo.exe
  2⤵
  PID:2216
- C:\Windows\System\PWDLhbW.exe
  C:\Windows\System\PWDLhbW.exe
  2⤵
  PID:5340
- C:\Windows\System\jHPjsVW.exe
  C:\Windows\System\jHPjsVW.exe
  2⤵
  PID:5040
- C:\Windows\System\gTknJtk.exe
  C:\Windows\System\gTknJtk.exe
  2⤵
  PID:556
- C:\Windows\System\aRWCaNo.exe
  C:\Windows\System\aRWCaNo.exe
  2⤵
  PID:2864
- C:\Windows\System\OHXIEiT.exe
  C:\Windows\System\OHXIEiT.exe
  2⤵
  PID:2632
- C:\Windows\System\cWpJlZn.exe
  C:\Windows\System\cWpJlZn.exe
  2⤵
  PID:4832
- C:\Windows\System\jKOKMyk.exe
  C:\Windows\System\jKOKMyk.exe
  2⤵
  PID:992
- C:\Windows\System\sPCxKGP.exe
  C:\Windows\System\sPCxKGP.exe
  2⤵
  PID:6164
- C:\Windows\System\wHhzciP.exe
  C:\Windows\System\wHhzciP.exe
  2⤵
  PID:6196
- C:\Windows\System\NIjstMx.exe
  C:\Windows\System\NIjstMx.exe
  2⤵
  PID:6220
- C:\Windows\System\rqihJzP.exe
  C:\Windows\System\rqihJzP.exe
  2⤵
  PID:6244
- C:\Windows\System\hmGnFsY.exe
  C:\Windows\System\hmGnFsY.exe
  2⤵
  PID:6260
- C:\Windows\System\KoIyDEs.exe
  C:\Windows\System\KoIyDEs.exe
  2⤵
  PID:6296
- C:\Windows\System\kVUmIYe.exe
  C:\Windows\System\kVUmIYe.exe
  2⤵
  PID:6316
- C:\Windows\System\iyKrtQZ.exe
  C:\Windows\System\iyKrtQZ.exe
  2⤵
  PID:6340
- C:\Windows\System\NMTbSMb.exe
  C:\Windows\System\NMTbSMb.exe
  2⤵
  PID:6384
- C:\Windows\System\SQpcyOj.exe
  C:\Windows\System\SQpcyOj.exe
  2⤵
  PID:6436
- C:\Windows\System\liJzHTc.exe
  C:\Windows\System\liJzHTc.exe
  2⤵
  PID:6456
- C:\Windows\System\UHDsyrj.exe
  C:\Windows\System\UHDsyrj.exe
  2⤵
  PID:6472
- C:\Windows\System\HclNhjr.exe
  C:\Windows\System\HclNhjr.exe
  2⤵
  PID:6516
- C:\Windows\System\LMkPlLD.exe
  C:\Windows\System\LMkPlLD.exe
  2⤵
  PID:6568
- C:\Windows\System\IHpeJRf.exe
  C:\Windows\System\IHpeJRf.exe
  2⤵
  PID:6584
- C:\Windows\System\qbbQpZH.exe
  C:\Windows\System\qbbQpZH.exe
  2⤵
  PID:6608
- C:\Windows\System\IvRFHUA.exe
  C:\Windows\System\IvRFHUA.exe
  2⤵
  PID:6632
- C:\Windows\System\qsFHJhQ.exe
  C:\Windows\System\qsFHJhQ.exe
  2⤵
  PID:6652
- C:\Windows\System\mjfRTJZ.exe
  C:\Windows\System\mjfRTJZ.exe
  2⤵
  PID:6668
- C:\Windows\System\MDMTMUD.exe
  C:\Windows\System\MDMTMUD.exe
  2⤵
  PID:6692
- C:\Windows\System\zJpDrgu.exe
  C:\Windows\System\zJpDrgu.exe
  2⤵
  PID:6708
- C:\Windows\System\PARlWFa.exe
  C:\Windows\System\PARlWFa.exe
  2⤵
  PID:6736
- C:\Windows\System\FPeDBpS.exe
  C:\Windows\System\FPeDBpS.exe
  2⤵
  PID:6756
- C:\Windows\System\JYhClsu.exe
  C:\Windows\System\JYhClsu.exe
  2⤵
  PID:6792
- C:\Windows\System\yEdvPEY.exe
  C:\Windows\System\yEdvPEY.exe
  2⤵
  PID:6812
- C:\Windows\System\MDuQdZV.exe
  C:\Windows\System\MDuQdZV.exe
  2⤵
  PID:6832
- C:\Windows\System\wEQthjB.exe
  C:\Windows\System\wEQthjB.exe
  2⤵
  PID:6852
- C:\Windows\System\GOezpLn.exe
  C:\Windows\System\GOezpLn.exe
  2⤵
  PID:6880
- C:\Windows\System\ISOngSs.exe
  C:\Windows\System\ISOngSs.exe
  2⤵
  PID:6896
- C:\Windows\System\bsJDKlt.exe
  C:\Windows\System\bsJDKlt.exe
  2⤵
  PID:6920
- C:\Windows\System\ebRDDit.exe
  C:\Windows\System\ebRDDit.exe
  2⤵
  PID:6944
- C:\Windows\System\nCPqtOF.exe
  C:\Windows\System\nCPqtOF.exe
  2⤵
  PID:6964
- C:\Windows\System\pFbDzdt.exe
  C:\Windows\System\pFbDzdt.exe
  2⤵
  PID:7024
- C:\Windows\System\kJsSyfg.exe
  C:\Windows\System\kJsSyfg.exe
  2⤵
  PID:7108
- C:\Windows\System\BPzQdzn.exe
  C:\Windows\System\BPzQdzn.exe
  2⤵
  PID:7124
- C:\Windows\System\ggbVDjE.exe
  C:\Windows\System\ggbVDjE.exe
  2⤵
  PID:7144
- C:\Windows\System\WnnlXUq.exe
  C:\Windows\System\WnnlXUq.exe
  2⤵
  PID:7164
- C:\Windows\System\VLqQEbI.exe
  C:\Windows\System\VLqQEbI.exe
  2⤵
  PID:6188
- C:\Windows\System\tDqlfDW.exe
  C:\Windows\System\tDqlfDW.exe
  2⤵
  PID:6336
- C:\Windows\System\wlANAHM.exe
  C:\Windows\System\wlANAHM.exe
  2⤵
  PID:6400
- C:\Windows\System\EcBsDfa.exe
  C:\Windows\System\EcBsDfa.exe
  2⤵
  PID:6560
- C:\Windows\System\NnsPwWg.exe
  C:\Windows\System\NnsPwWg.exe
  2⤵
  PID:6704
- C:\Windows\System\gbkylcW.exe
  C:\Windows\System\gbkylcW.exe
  2⤵
  PID:6844
- C:\Windows\System\WaSLToa.exe
  C:\Windows\System\WaSLToa.exe
  2⤵
  PID:6972
- C:\Windows\System\oqiUtvg.exe
  C:\Windows\System\oqiUtvg.exe
  2⤵
  PID:7012
- C:\Windows\System\PAoSeYu.exe
  C:\Windows\System\PAoSeYu.exe
  2⤵
  PID:7136
- C:\Windows\System\XDDZFSK.exe
  C:\Windows\System\XDDZFSK.exe
  2⤵
  PID:6304
- C:\Windows\System\BXyZhMx.exe
  C:\Windows\System\BXyZhMx.exe
  2⤵
  PID:6376
- C:\Windows\System\RDilfJp.exe
  C:\Windows\System\RDilfJp.exe
  2⤵
  PID:6624
- C:\Windows\System\bOPyIuC.exe
  C:\Windows\System\bOPyIuC.exe
  2⤵
  PID:6732
- C:\Windows\System\rTbfdpW.exe
  C:\Windows\System\rTbfdpW.exe
  2⤵
  PID:6936
- C:\Windows\System\nBtCJST.exe
  C:\Windows\System\nBtCJST.exe
  2⤵
  PID:6932
- C:\Windows\System\qOiDakI.exe
  C:\Windows\System\qOiDakI.exe
  2⤵
  PID:6780
- C:\Windows\System\kFrbkKJ.exe
  C:\Windows\System\kFrbkKJ.exe
  2⤵
  PID:7156
- C:\Windows\System\rjYqvUh.exe
  C:\Windows\System\rjYqvUh.exe
  2⤵
  PID:6468
- C:\Windows\System\OVhzAjr.exe
  C:\Windows\System\OVhzAjr.exe
  2⤵
  PID:592
- C:\Windows\System\UdQkIaj.exe
  C:\Windows\System\UdQkIaj.exe
  2⤵
  PID:6676
- C:\Windows\System\XwYcILV.exe
  C:\Windows\System\XwYcILV.exe
  2⤵
  PID:6980
- C:\Windows\System\ukqrwGl.exe
  C:\Windows\System\ukqrwGl.exe
  2⤵
  PID:6524
- C:\Windows\System\NhlSEwk.exe
  C:\Windows\System\NhlSEwk.exe
  2⤵
  PID:6804
- C:\Windows\System\fdXdYjv.exe
  C:\Windows\System\fdXdYjv.exe
  2⤵
  PID:6272
- C:\Windows\System\AyKSszh.exe
  C:\Windows\System\AyKSszh.exe
  2⤵
  PID:6532
- C:\Windows\System\QLpdOoA.exe
  C:\Windows\System\QLpdOoA.exe
  2⤵
  PID:7200
- C:\Windows\System\KrikaFd.exe
  C:\Windows\System\KrikaFd.exe
  2⤵
  PID:7244
- C:\Windows\System\eBGiAkW.exe
  C:\Windows\System\eBGiAkW.exe
  2⤵
  PID:7268
- C:\Windows\System\xrAYpza.exe
  C:\Windows\System\xrAYpza.exe
  2⤵
  PID:7360
- C:\Windows\System\SwSbjfW.exe
  C:\Windows\System\SwSbjfW.exe
  2⤵
  PID:7444
- C:\Windows\System\vfxIcZM.exe
  C:\Windows\System\vfxIcZM.exe
  2⤵
  PID:7476
- C:\Windows\System\vXhJMaE.exe
  C:\Windows\System\vXhJMaE.exe
  2⤵
  PID:7516
- C:\Windows\System\FNLkNtI.exe
  C:\Windows\System\FNLkNtI.exe
  2⤵
  PID:7548
- C:\Windows\System\NjTQpmd.exe
  C:\Windows\System\NjTQpmd.exe
  2⤵
  PID:7580
- C:\Windows\System\poItsRa.exe
  C:\Windows\System\poItsRa.exe
  2⤵
  PID:7600
- C:\Windows\System\MHfaBnh.exe
  C:\Windows\System\MHfaBnh.exe
  2⤵
  PID:7624
- C:\Windows\System\HZrDrIA.exe
  C:\Windows\System\HZrDrIA.exe
  2⤵
  PID:7688
- C:\Windows\System\qUlfwYQ.exe
  C:\Windows\System\qUlfwYQ.exe
  2⤵
  PID:7720
- C:\Windows\System\kWBOQOB.exe
  C:\Windows\System\kWBOQOB.exe
  2⤵
  PID:7804
- C:\Windows\System\LozhKHh.exe
  C:\Windows\System\LozhKHh.exe
  2⤵
  PID:7864
- C:\Windows\System\lIPMZuE.exe
  C:\Windows\System\lIPMZuE.exe
  2⤵
  PID:7936
- C:\Windows\System\wfDODEQ.exe
  C:\Windows\System\wfDODEQ.exe
  2⤵
  PID:7968
- C:\Windows\System\htuszqc.exe
  C:\Windows\System\htuszqc.exe
  2⤵
  PID:8040
- C:\Windows\System\ScUfFQP.exe
  C:\Windows\System\ScUfFQP.exe
  2⤵
  PID:8060
- C:\Windows\System\UzDYPrr.exe
  C:\Windows\System\UzDYPrr.exe
  2⤵
  PID:8112
- C:\Windows\System\wexuZzN.exe
  C:\Windows\System\wexuZzN.exe
  2⤵
  PID:8136
- C:\Windows\System\XOWVfCX.exe
  C:\Windows\System\XOWVfCX.exe
  2⤵
  PID:8168
- C:\Windows\System\yqojDAm.exe
  C:\Windows\System\yqojDAm.exe
  2⤵
  PID:6288
- C:\Windows\System\SZqZUMB.exe
  C:\Windows\System\SZqZUMB.exe
  2⤵
  PID:6820
- C:\Windows\System\smHjamc.exe
  C:\Windows\System\smHjamc.exe
  2⤵
  PID:7256
- C:\Windows\System\xUXgZkd.exe
  C:\Windows\System\xUXgZkd.exe
  2⤵
  PID:7236
- C:\Windows\System\WbxUYFv.exe
  C:\Windows\System\WbxUYFv.exe
  2⤵
  PID:7304
- C:\Windows\System\YGbwmAA.exe
  C:\Windows\System\YGbwmAA.exe
  2⤵
  PID:7336
- C:\Windows\System\zyCmtVs.exe
  C:\Windows\System\zyCmtVs.exe
  2⤵
  PID:7384
- C:\Windows\System\CLsqoLG.exe
  C:\Windows\System\CLsqoLG.exe
  2⤵
  PID:7436
- C:\Windows\System\lXMfHJT.exe
  C:\Windows\System\lXMfHJT.exe
  2⤵
  PID:7508
- C:\Windows\System\eakIAkc.exe
  C:\Windows\System\eakIAkc.exe
  2⤵
  PID:7536
- C:\Windows\System\vXVZWrH.exe
  C:\Windows\System\vXVZWrH.exe
  2⤵
  PID:7592
- C:\Windows\System\sqXPylA.exe
  C:\Windows\System\sqXPylA.exe
  2⤵
  PID:7564
- C:\Windows\System\mvfhhQW.exe
  C:\Windows\System\mvfhhQW.exe
  2⤵
  PID:7612
- C:\Windows\System\YdQTDNm.exe
  C:\Windows\System\YdQTDNm.exe
  2⤵
  PID:7636
- C:\Windows\System\QCyZGah.exe
  C:\Windows\System\QCyZGah.exe
  2⤵
  PID:7812
- C:\Windows\System\EKFufbJ.exe
  C:\Windows\System\EKFufbJ.exe
  2⤵
  PID:7824
- C:\Windows\System\eyuCNZc.exe
  C:\Windows\System\eyuCNZc.exe
  2⤵
  PID:7888
- C:\Windows\System\JwjUrqn.exe
  C:\Windows\System\JwjUrqn.exe
  2⤵
  PID:7980
- C:\Windows\System\ABDOAWY.exe
  C:\Windows\System\ABDOAWY.exe
  2⤵
  PID:8024
- C:\Windows\System\rEMtoRd.exe
  C:\Windows\System\rEMtoRd.exe
  2⤵
  PID:8124
- C:\Windows\System\wdJmnkM.exe
  C:\Windows\System\wdJmnkM.exe
  2⤵
  PID:8160
- C:\Windows\System\WuZdPno.exe
  C:\Windows\System\WuZdPno.exe
  2⤵
  PID:6480
- C:\Windows\System\MpinvmK.exe
  C:\Windows\System\MpinvmK.exe
  2⤵
  PID:6784
- C:\Windows\System\MEWxpXj.exe
  C:\Windows\System\MEWxpXj.exe
  2⤵
  PID:6752
- C:\Windows\System\LanZrJl.exe
  C:\Windows\System\LanZrJl.exe
  2⤵
  PID:7332
- C:\Windows\System\WffOteV.exe
  C:\Windows\System\WffOteV.exe
  2⤵
  PID:7528
- C:\Windows\System\ksRjQQz.exe
  C:\Windows\System\ksRjQQz.exe
  2⤵
  PID:7340
- C:\Windows\System\hnJYaRH.exe
  C:\Windows\System\hnJYaRH.exe
  2⤵
  PID:7420
- C:\Windows\System\CMybFFy.exe
  C:\Windows\System\CMybFFy.exe
  2⤵
  PID:7732
- C:\Windows\System\gVrHGdc.exe
  C:\Windows\System\gVrHGdc.exe
  2⤵
  PID:7828
- C:\Windows\System\PJaTVuU.exe
  C:\Windows\System\PJaTVuU.exe
  2⤵
  PID:7892
- C:\Windows\System\jurWVvf.exe
  C:\Windows\System\jurWVvf.exe
  2⤵
  PID:7996
- C:\Windows\System\GOpTNIp.exe
  C:\Windows\System\GOpTNIp.exe
  2⤵
  PID:8096
- C:\Windows\System\GenIyjX.exe
  C:\Windows\System\GenIyjX.exe
  2⤵
  PID:8152
- C:\Windows\System\dJeuLmg.exe
  C:\Windows\System\dJeuLmg.exe
  2⤵
  PID:7212
- C:\Windows\System\uKOaZRN.exe
  C:\Windows\System\uKOaZRN.exe
  2⤵
  PID:7192
- C:\Windows\System\xioPGit.exe
  C:\Windows\System\xioPGit.exe
  2⤵
  PID:7572
- C:\Windows\System\olHyHox.exe
  C:\Windows\System\olHyHox.exe
  2⤵
  PID:7680
- C:\Windows\System\aWnWRSD.exe
  C:\Windows\System\aWnWRSD.exe
  2⤵
  PID:7640
- C:\Windows\System\AmosHFx.exe
  C:\Windows\System\AmosHFx.exe
  2⤵
  PID:8120
- C:\Windows\System\UDPpsUh.exe
  C:\Windows\System\UDPpsUh.exe
  2⤵
  PID:8088
- C:\Windows\System\lrjeOKV.exe
  C:\Windows\System\lrjeOKV.exe
  2⤵
  PID:7468
- C:\Windows\System\GAURnEn.exe
  C:\Windows\System\GAURnEn.exe
  2⤵
  PID:7328
- C:\Windows\System\UtmEZXJ.exe
  C:\Windows\System\UtmEZXJ.exe
  2⤵
  PID:8212
- C:\Windows\System\huQHpUh.exe
  C:\Windows\System\huQHpUh.exe
  2⤵
  PID:8228
- C:\Windows\System\sitUCpm.exe
  C:\Windows\System\sitUCpm.exe
  2⤵
  PID:8272
- C:\Windows\System\fNWbCxl.exe
  C:\Windows\System\fNWbCxl.exe
  2⤵
  PID:8292
- C:\Windows\System\UzLHZMt.exe
  C:\Windows\System\UzLHZMt.exe
  2⤵
  PID:8312
- C:\Windows\System\lthBJff.exe
  C:\Windows\System\lthBJff.exe
  2⤵
  PID:8336
- C:\Windows\System\dsrJNhC.exe
  C:\Windows\System\dsrJNhC.exe
  2⤵
  PID:8388
- C:\Windows\System\vIplvVN.exe
  C:\Windows\System\vIplvVN.exe
  2⤵
  PID:8404
- C:\Windows\System\sUHaskT.exe
  C:\Windows\System\sUHaskT.exe
  2⤵
  PID:8424
- C:\Windows\System\UymCbfL.exe
  C:\Windows\System\UymCbfL.exe
  2⤵
  PID:8444
- C:\Windows\System\eSnzzrl.exe
  C:\Windows\System\eSnzzrl.exe
  2⤵
  PID:8516
- C:\Windows\System\ermCTTb.exe
  C:\Windows\System\ermCTTb.exe
  2⤵
  PID:8572
- C:\Windows\System\UAagaxU.exe
  C:\Windows\System\UAagaxU.exe
  2⤵
  PID:8592
- C:\Windows\System\DcOrpCi.exe
  C:\Windows\System\DcOrpCi.exe
  2⤵
  PID:8612
- C:\Windows\System\idaeMww.exe
  C:\Windows\System\idaeMww.exe
  2⤵
  PID:8648
- C:\Windows\System\mikqccR.exe
  C:\Windows\System\mikqccR.exe
  2⤵
  PID:8668
- C:\Windows\System\nPJnbbA.exe
  C:\Windows\System\nPJnbbA.exe
  2⤵
  PID:8692
- C:\Windows\System\KQyOnIC.exe
  C:\Windows\System\KQyOnIC.exe
  2⤵
  PID:8712
- C:\Windows\System\zcwmZWD.exe
  C:\Windows\System\zcwmZWD.exe
  2⤵
  PID:8736
- C:\Windows\System\QrsOBMw.exe
  C:\Windows\System\QrsOBMw.exe
  2⤵
  PID:8756
- C:\Windows\System\MILQgdU.exe
  C:\Windows\System\MILQgdU.exe
  2⤵
  PID:8776
- C:\Windows\System\zMmyEwF.exe
  C:\Windows\System\zMmyEwF.exe
  2⤵
  PID:8840
- C:\Windows\System\wWwILKS.exe
  C:\Windows\System\wWwILKS.exe
  2⤵
  PID:8864
- C:\Windows\System\EAfcuRu.exe
  C:\Windows\System\EAfcuRu.exe
  2⤵
  PID:8884
- C:\Windows\System\pBCZDji.exe
  C:\Windows\System\pBCZDji.exe
  2⤵
  PID:8936
- C:\Windows\System\gZpSEzm.exe
  C:\Windows\System\gZpSEzm.exe
  2⤵
  PID:8960
- C:\Windows\System\OFGnyrl.exe
  C:\Windows\System\OFGnyrl.exe
  2⤵
  PID:8980
- C:\Windows\System\GQsmfXh.exe
  C:\Windows\System\GQsmfXh.exe
  2⤵
  PID:9020
- C:\Windows\System\LIoJrYt.exe
  C:\Windows\System\LIoJrYt.exe
  2⤵
  PID:9048
- C:\Windows\System\tVQJHgg.exe
  C:\Windows\System\tVQJHgg.exe
  2⤵
  PID:9072
- C:\Windows\System\ZORIVji.exe
  C:\Windows\System\ZORIVji.exe
  2⤵
  PID:9092
- C:\Windows\System\ClGbdVK.exe
  C:\Windows\System\ClGbdVK.exe
  2⤵
  PID:9120
- C:\Windows\System\sDIagbF.exe
  C:\Windows\System\sDIagbF.exe
  2⤵
  PID:9136
- C:\Windows\System\cEHmKgf.exe
  C:\Windows\System\cEHmKgf.exe
  2⤵
  PID:9160
- C:\Windows\System\yLnoXco.exe
  C:\Windows\System\yLnoXco.exe
  2⤵
  PID:9180
- C:\Windows\System\XBelMfm.exe
  C:\Windows\System\XBelMfm.exe
  2⤵
  PID:7660
- C:\Windows\System\rwaDztb.exe
  C:\Windows\System\rwaDztb.exe
  2⤵
  PID:8224
- C:\Windows\System\SuSxVCQ.exe
  C:\Windows\System\SuSxVCQ.exe
  2⤵
  PID:8196
- C:\Windows\System\UnSlIzp.exe
  C:\Windows\System\UnSlIzp.exe
  2⤵
  PID:8280
- C:\Windows\System\hOesNxG.exe
  C:\Windows\System\hOesNxG.exe
  2⤵
  PID:8332
- C:\Windows\System\qdRmBmF.exe
  C:\Windows\System\qdRmBmF.exe
  2⤵
  PID:8396
- C:\Windows\System\tJrjsfm.exe
  C:\Windows\System\tJrjsfm.exe
  2⤵
  PID:8472
- C:\Windows\System\uhdSdgq.exe
  C:\Windows\System\uhdSdgq.exe
  2⤵
  PID:8496
- C:\Windows\System\cJZrnnH.exe
  C:\Windows\System\cJZrnnH.exe
  2⤵
  PID:8568
- C:\Windows\System\kZsqeAE.exe
  C:\Windows\System\kZsqeAE.exe
  2⤵
  PID:8632
- C:\Windows\System\nPYYDFJ.exe
  C:\Windows\System\nPYYDFJ.exe
  2⤵
  PID:8664
- C:\Windows\System\FyjsSUq.exe
  C:\Windows\System\FyjsSUq.exe
  2⤵
  PID:8752
- C:\Windows\System\GsBxLjV.exe
  C:\Windows\System\GsBxLjV.exe
  2⤵
  PID:8904
- C:\Windows\System\RIFNhyo.exe
  C:\Windows\System\RIFNhyo.exe
  2⤵
  PID:8956
- C:\Windows\System\ETlizuj.exe
  C:\Windows\System\ETlizuj.exe
  2⤵
  PID:9012
- C:\Windows\System\KStFPdO.exe
  C:\Windows\System\KStFPdO.exe
  2⤵
  PID:9056
- C:\Windows\System\VRFZIrY.exe
  C:\Windows\System\VRFZIrY.exe
  2⤵
  PID:9108
- C:\Windows\System\hFGHtZU.exe
  C:\Windows\System\hFGHtZU.exe
  2⤵
  PID:9200
- C:\Windows\System\WfYhNzd.exe
  C:\Windows\System\WfYhNzd.exe
  2⤵
  PID:8080
- C:\Windows\System\oEHwren.exe
  C:\Windows\System\oEHwren.exe
  2⤵
  PID:8300
- C:\Windows\System\sLfnLtt.exe
  C:\Windows\System\sLfnLtt.exe
  2⤵
  PID:8016
- C:\Windows\System\NrPcQmF.exe
  C:\Windows\System\NrPcQmF.exe
  2⤵
  PID:8376
- C:\Windows\System\YZLHJTR.exe
  C:\Windows\System\YZLHJTR.exe
  2⤵
  PID:8640
- C:\Windows\System\vpuzZmK.exe
  C:\Windows\System\vpuzZmK.exe
  2⤵
  PID:8876
- C:\Windows\System\FofbQtk.exe
  C:\Windows\System\FofbQtk.exe
  2⤵
  PID:9084
- C:\Windows\System\cmGzpGO.exe
  C:\Windows\System\cmGzpGO.exe
  2⤵
  PID:9152
- C:\Windows\System\UJtkJdZ.exe
  C:\Windows\System\UJtkJdZ.exe
  2⤵
  PID:7836
- C:\Windows\System\idHRdlQ.exe
  C:\Windows\System\idHRdlQ.exe
  2⤵
  PID:8564
- C:\Windows\System\mhhdwEt.exe
  C:\Windows\System\mhhdwEt.exe
  2⤵
  PID:9088
- C:\Windows\System\iInFCMc.exe
  C:\Windows\System\iInFCMc.exe
  2⤵
  PID:9204
- C:\Windows\System\mLoFysV.exe
  C:\Windows\System\mLoFysV.exe
  2⤵
  PID:9224
- C:\Windows\System\VEdtaFP.exe
  C:\Windows\System\VEdtaFP.exe
  2⤵
  PID:9252
- C:\Windows\System\EOqeLSQ.exe
  C:\Windows\System\EOqeLSQ.exe
  2⤵
  PID:9272
- C:\Windows\System\XSTmrMg.exe
  C:\Windows\System\XSTmrMg.exe
  2⤵
  PID:9348
- C:\Windows\System\aQpTAvJ.exe
  C:\Windows\System\aQpTAvJ.exe
  2⤵
  PID:9384
- C:\Windows\System\gXUQnIr.exe
  C:\Windows\System\gXUQnIr.exe
  2⤵
  PID:9408
- C:\Windows\System\WlGSEGq.exe
  C:\Windows\System\WlGSEGq.exe
  2⤵
  PID:9428
- C:\Windows\System\PRudane.exe
  C:\Windows\System\PRudane.exe
  2⤵
  PID:9448
- C:\Windows\System\inHOxot.exe
  C:\Windows\System\inHOxot.exe
  2⤵
  PID:9472
- C:\Windows\System\auemHLn.exe
  C:\Windows\System\auemHLn.exe
  2⤵
  PID:9496
- C:\Windows\System\STLafuA.exe
  C:\Windows\System\STLafuA.exe
  2⤵
  PID:9532
- C:\Windows\System\zpVVzST.exe
  C:\Windows\System\zpVVzST.exe
  2⤵
  PID:9548
- C:\Windows\System\iCeAZsp.exe
  C:\Windows\System\iCeAZsp.exe
  2⤵
  PID:9576
- C:\Windows\System\jbeTDiz.exe
  C:\Windows\System\jbeTDiz.exe
  2⤵
  PID:9620
- C:\Windows\System\ZsUapRT.exe
  C:\Windows\System\ZsUapRT.exe
  2⤵
  PID:9636
- C:\Windows\System\sGVTYoy.exe
  C:\Windows\System\sGVTYoy.exe
  2⤵
  PID:9660
- C:\Windows\System\YbqwpKu.exe
  C:\Windows\System\YbqwpKu.exe
  2⤵
  PID:9676
- C:\Windows\System\stQYebg.exe
  C:\Windows\System\stQYebg.exe
  2⤵
  PID:9708
- C:\Windows\System\hhPPSgu.exe
  C:\Windows\System\hhPPSgu.exe
  2⤵
  PID:9748
- C:\Windows\System\uhWDaKl.exe
  C:\Windows\System\uhWDaKl.exe
  2⤵
  PID:9772
- C:\Windows\System\hTKrnXG.exe
  C:\Windows\System\hTKrnXG.exe
  2⤵
  PID:9792
- C:\Windows\System\OFvcQnC.exe
  C:\Windows\System\OFvcQnC.exe
  2⤵
  PID:9836
- C:\Windows\System\CVhsyAh.exe
  C:\Windows\System\CVhsyAh.exe
  2⤵
  PID:9852
- C:\Windows\System\AUhnPNe.exe
  C:\Windows\System\AUhnPNe.exe
  2⤵
  PID:9876
- C:\Windows\System\rSKsQeu.exe
  C:\Windows\System\rSKsQeu.exe
  2⤵
  PID:9896
- C:\Windows\System\yKTeyIh.exe
  C:\Windows\System\yKTeyIh.exe
  2⤵
  PID:9920
- C:\Windows\System\NngAnXB.exe
  C:\Windows\System\NngAnXB.exe
  2⤵
  PID:10008
- C:\Windows\System\qMgAZTp.exe
  C:\Windows\System\qMgAZTp.exe
  2⤵
  PID:10024
- C:\Windows\System\BwMEpCI.exe
  C:\Windows\System\BwMEpCI.exe
  2⤵
  PID:10040
- C:\Windows\System\cSONDhq.exe
  C:\Windows\System\cSONDhq.exe
  2⤵
  PID:10064
- C:\Windows\System\rbjxUpN.exe
  C:\Windows\System\rbjxUpN.exe
  2⤵
  PID:10080
- C:\Windows\System\rUdjAwV.exe
  C:\Windows\System\rUdjAwV.exe
  2⤵
  PID:10096
- C:\Windows\System\kQFEPtp.exe
  C:\Windows\System\kQFEPtp.exe
  2⤵
  PID:10112
- C:\Windows\System\yFwoDkO.exe
  C:\Windows\System\yFwoDkO.exe
  2⤵
  PID:10128
- C:\Windows\System\KxizDUS.exe
  C:\Windows\System\KxizDUS.exe
  2⤵
  PID:10144
- C:\Windows\System\CxWEGLu.exe
  C:\Windows\System\CxWEGLu.exe
  2⤵
  PID:10160
- C:\Windows\System\NwPrqVb.exe
  C:\Windows\System\NwPrqVb.exe
  2⤵
  PID:10176
- C:\Windows\System\PndpjMB.exe
  C:\Windows\System\PndpjMB.exe
  2⤵
  PID:9340
- C:\Windows\System\bJUFKWR.exe
  C:\Windows\System\bJUFKWR.exe
  2⤵
  PID:9372
- C:\Windows\System\EiTGoef.exe
  C:\Windows\System\EiTGoef.exe
  2⤵
  PID:9420
- C:\Windows\System\kszVImR.exe
  C:\Windows\System\kszVImR.exe
  2⤵
  PID:9444
- C:\Windows\System\ryHTvDI.exe
  C:\Windows\System\ryHTvDI.exe
  2⤵
  PID:9492
- C:\Windows\System\PdggcYE.exe
  C:\Windows\System\PdggcYE.exe
  2⤵
  PID:9488
- C:\Windows\System\NaNYXZG.exe
  C:\Windows\System\NaNYXZG.exe
  2⤵
  PID:9572
- C:\Windows\System\iSKakpc.exe
  C:\Windows\System\iSKakpc.exe
  2⤵
  PID:9564
- C:\Windows\System\czjIkBO.exe
  C:\Windows\System\czjIkBO.exe
  2⤵
  PID:9632
- C:\Windows\System\mEwXWOr.exe
  C:\Windows\System\mEwXWOr.exe
  2⤵
  PID:9656
- C:\Windows\System\pCxBBpI.exe
  C:\Windows\System\pCxBBpI.exe
  2⤵
  PID:9720
- C:\Windows\System\VmjkRBS.exe
  C:\Windows\System\VmjkRBS.exe
  2⤵
  PID:9744
- C:\Windows\System\GSmbgGp.exe
  C:\Windows\System\GSmbgGp.exe
  2⤵
  PID:9788
- C:\Windows\System\YxcOEGn.exe
  C:\Windows\System\YxcOEGn.exe
  2⤵
  PID:9824
- C:\Windows\System\skVBAAW.exe
  C:\Windows\System\skVBAAW.exe
  2⤵
  PID:9976
- C:\Windows\System\ZdgVCuI.exe
  C:\Windows\System\ZdgVCuI.exe
  2⤵
  PID:9860
- C:\Windows\System\CPYxRpW.exe
  C:\Windows\System\CPYxRpW.exe
  2⤵
  PID:9992
- C:\Windows\System\FXfDDdK.exe
  C:\Windows\System\FXfDDdK.exe
  2⤵
  PID:10032
- C:\Windows\System\RSFPIps.exe
  C:\Windows\System\RSFPIps.exe
  2⤵
  PID:9928
- C:\Windows\System\oQkrXVp.exe
  C:\Windows\System\oQkrXVp.exe
  2⤵
  PID:9952
- C:\Windows\System\jwHxvVH.exe
  C:\Windows\System\jwHxvVH.exe
  2⤵
  PID:9944
- C:\Windows\System\LkdqQPn.exe
  C:\Windows\System\LkdqQPn.exe
  2⤵
  PID:9960
- C:\Windows\System\tBqmjdo.exe
  C:\Windows\System\tBqmjdo.exe
  2⤵
  PID:9968
- C:\Windows\System\IpfVTwJ.exe
  C:\Windows\System\IpfVTwJ.exe
  2⤵
  PID:9308
- C:\Windows\System\KYJxyqa.exe
  C:\Windows\System\KYJxyqa.exe
  2⤵
  PID:9400
- C:\Windows\System\UcsSBWJ.exe
  C:\Windows\System\UcsSBWJ.exe
  2⤵
  PID:9628
- C:\Windows\System\nExhpth.exe
  C:\Windows\System\nExhpth.exe
  2⤵
  PID:10232
- C:\Windows\System\ZGsDjSJ.exe
  C:\Windows\System\ZGsDjSJ.exe
  2⤵
  PID:10384
- C:\Windows\System\jFLGqpn.exe
  C:\Windows\System\jFLGqpn.exe
  2⤵
  PID:10412
- C:\Windows\System\UZXzduE.exe
  C:\Windows\System\UZXzduE.exe
  2⤵
  PID:10432
- C:\Windows\System\cZLdYmS.exe
  C:\Windows\System\cZLdYmS.exe
  2⤵
  PID:10452
- C:\Windows\System\vUmkYKV.exe
  C:\Windows\System\vUmkYKV.exe
  2⤵
  PID:10472
- C:\Windows\System\LXlFWSH.exe
  C:\Windows\System\LXlFWSH.exe
  2⤵
  PID:10496
- C:\Windows\System\oMBIFLD.exe
  C:\Windows\System\oMBIFLD.exe
  2⤵
  PID:10516
- C:\Windows\System\VQayiQk.exe
  C:\Windows\System\VQayiQk.exe
  2⤵
  PID:10616
- C:\Windows\System\CcniDao.exe
  C:\Windows\System\CcniDao.exe
  2⤵
  PID:10660
- C:\Windows\System\sZkunEV.exe
  C:\Windows\System\sZkunEV.exe
  2⤵
  PID:10720
- C:\Windows\System\hUEJhYo.exe
  C:\Windows\System\hUEJhYo.exe
  2⤵
  PID:10744
- C:\Windows\System\vpgjssQ.exe
  C:\Windows\System\vpgjssQ.exe
  2⤵
  PID:10768
- C:\Windows\System\BdaqTRn.exe
  C:\Windows\System\BdaqTRn.exe
  2⤵
  PID:10804
- C:\Windows\System\nHqOdqE.exe
  C:\Windows\System\nHqOdqE.exe
  2⤵
  PID:10836
- C:\Windows\System\WRiztXK.exe
  C:\Windows\System\WRiztXK.exe
  2⤵
  PID:10860
- C:\Windows\System\KPCKvva.exe
  C:\Windows\System\KPCKvva.exe
  2⤵
  PID:10888
- C:\Windows\System\LtdLrty.exe
  C:\Windows\System\LtdLrty.exe
  2⤵
  PID:10908
- C:\Windows\System\zxOivth.exe
  C:\Windows\System\zxOivth.exe
  2⤵
  PID:10932
- C:\Windows\System\pMPbVTT.exe
  C:\Windows\System\pMPbVTT.exe
  2⤵
  PID:10956
- C:\Windows\System\CKgLrLj.exe
  C:\Windows\System\CKgLrLj.exe
  2⤵
  PID:10980
- C:\Windows\System\WoKWHUe.exe
  C:\Windows\System\WoKWHUe.exe
  2⤵
  PID:11000
- C:\Windows\System\wguDbHA.exe
  C:\Windows\System\wguDbHA.exe
  2⤵
  PID:11016
- C:\Windows\System\OtKlKtU.exe
  C:\Windows\System\OtKlKtU.exe
  2⤵
  PID:11056
- C:\Windows\System\vnxDkXA.exe
  C:\Windows\System\vnxDkXA.exe
  2⤵
  PID:11096
- C:\Windows\System\Anjtwyi.exe
  C:\Windows\System\Anjtwyi.exe
  2⤵
  PID:11120
- C:\Windows\System\fTkauJj.exe
  C:\Windows\System\fTkauJj.exe
  2⤵
  PID:11140
- C:\Windows\System\zEfMIrL.exe
  C:\Windows\System\zEfMIrL.exe
  2⤵
  PID:11200
- C:\Windows\System\qrqmvmV.exe
  C:\Windows\System\qrqmvmV.exe
  2⤵
  PID:11216
- C:\Windows\System\VBQSEPf.exe
  C:\Windows\System\VBQSEPf.exe
  2⤵
  PID:11256
- C:\Windows\System\CsUZvnp.exe
  C:\Windows\System\CsUZvnp.exe
  2⤵
  PID:10124
- C:\Windows\System\dgqrGhh.exe
  C:\Windows\System\dgqrGhh.exe
  2⤵
  PID:10212
- C:\Windows\System\OXPqaIL.exe
  C:\Windows\System\OXPqaIL.exe
  2⤵
  PID:10248
- C:\Windows\System\NCZpnzU.exe
  C:\Windows\System\NCZpnzU.exe
  2⤵
  PID:10092
- C:\Windows\System\XGkxXxa.exe
  C:\Windows\System\XGkxXxa.exe
  2⤵
  PID:9740
- C:\Windows\System\snkDZwk.exe
  C:\Windows\System\snkDZwk.exe
  2⤵
  PID:9844
- C:\Windows\System\gJNVNDl.exe
  C:\Windows\System\gJNVNDl.exe
  2⤵
  PID:10448
- C:\Windows\System\cXYmVUR.exe
  C:\Windows\System\cXYmVUR.exe
  2⤵
  PID:10540
- C:\Windows\System\iYUPrkt.exe
  C:\Windows\System\iYUPrkt.exe
  2⤵
  PID:10464
- C:\Windows\System\EwlTrAl.exe
  C:\Windows\System\EwlTrAl.exe
  2⤵
  PID:10512
- C:\Windows\System\mFVIAhk.exe
  C:\Windows\System\mFVIAhk.exe
  2⤵
  PID:10648
- C:\Windows\System\heiXXzI.exe
  C:\Windows\System\heiXXzI.exe
  2⤵
  PID:10736
- C:\Windows\System\lycFMzW.exe
  C:\Windows\System\lycFMzW.exe
  2⤵
  PID:10784
- C:\Windows\System\HTAkqbD.exe
  C:\Windows\System\HTAkqbD.exe
  2⤵
  PID:10820
- C:\Windows\System\kJZSUQU.exe
  C:\Windows\System\kJZSUQU.exe
  2⤵
  PID:10868
- C:\Windows\System\YVNhvcx.exe
  C:\Windows\System\YVNhvcx.exe
  2⤵
  PID:11008
- C:\Windows\System\GVEugdZ.exe
  C:\Windows\System\GVEugdZ.exe
  2⤵
  PID:11032
- C:\Windows\System\Iyuxsbm.exe
  C:\Windows\System\Iyuxsbm.exe
  2⤵
  PID:11132
- C:\Windows\System\wFWaLcq.exe
  C:\Windows\System\wFWaLcq.exe
  2⤵
  PID:11196
- C:\Windows\System\yozPiEI.exe
  C:\Windows\System\yozPiEI.exe
  2⤵
  PID:11212
- C:\Windows\System\kmZNFUQ.exe
  C:\Windows\System\kmZNFUQ.exe
  2⤵
  PID:9892
- C:\Windows\System\tDNNdBF.exe
  C:\Windows\System\tDNNdBF.exe
  2⤵
  PID:10280
- C:\Windows\System\RGymXII.exe
  C:\Windows\System\RGymXII.exe
  2⤵
  PID:10532
- C:\Windows\System\gMwPujt.exe
  C:\Windows\System\gMwPujt.exe
  2⤵
  PID:9732
- C:\Windows\System\IUmBwmU.exe
  C:\Windows\System\IUmBwmU.exe
  2⤵
  PID:10816
- C:\Windows\System\ITZQfTk.exe
  C:\Windows\System\ITZQfTk.exe
  2⤵
  PID:10964
- C:\Windows\System\zmjVGoW.exe
  C:\Windows\System\zmjVGoW.exe
  2⤵
  PID:11152
- C:\Windows\System\SGIzgHB.exe
  C:\Windows\System\SGIzgHB.exe
  2⤵
  PID:11252
- C:\Windows\System\dviOAxZ.exe
  C:\Windows\System\dviOAxZ.exe
  2⤵
  PID:10508
- C:\Windows\System\NiDDCUl.exe
  C:\Windows\System\NiDDCUl.exe
  2⤵
  PID:10852
- C:\Windows\System\hclhItL.exe
  C:\Windows\System\hclhItL.exe
  2⤵
  PID:10952
- C:\Windows\System\wCuocXu.exe
  C:\Windows\System\wCuocXu.exe
  2⤵
  PID:9964
- C:\Windows\System\WALclzO.exe
  C:\Windows\System\WALclzO.exe
  2⤵
  PID:11268
- C:\Windows\System\fGnGVKh.exe
  C:\Windows\System\fGnGVKh.exe
  2⤵
  PID:11300
- C:\Windows\System\AKPzBUF.exe
  C:\Windows\System\AKPzBUF.exe
  2⤵
  PID:11348
- C:\Windows\System\VBKoPZG.exe
  C:\Windows\System\VBKoPZG.exe
  2⤵
  PID:11380
- C:\Windows\System\HqRjmrR.exe
  C:\Windows\System\HqRjmrR.exe
  2⤵
  PID:11396
- C:\Windows\System\ktQyFhQ.exe
  C:\Windows\System\ktQyFhQ.exe
  2⤵
  PID:11416
- C:\Windows\System\eWUghkO.exe
  C:\Windows\System\eWUghkO.exe
  2⤵
  PID:11436
- C:\Windows\System\UlsiqIs.exe
  C:\Windows\System\UlsiqIs.exe
  2⤵
  PID:11456
- C:\Windows\System\FdewzoF.exe
  C:\Windows\System\FdewzoF.exe
  2⤵
  PID:11476
- C:\Windows\System\fPPCJKF.exe
  C:\Windows\System\fPPCJKF.exe
  2⤵
  PID:11528
- C:\Windows\System\friFjds.exe
  C:\Windows\System\friFjds.exe
  2⤵
  PID:11544
- C:\Windows\System\PPpGZVw.exe
  C:\Windows\System\PPpGZVw.exe
  2⤵
  PID:11568
- C:\Windows\System\PLoiKHI.exe
  C:\Windows\System\PLoiKHI.exe
  2⤵
  PID:11604
- C:\Windows\System\kbHxUtO.exe
  C:\Windows\System\kbHxUtO.exe
  2⤵
  PID:11632
- C:\Windows\System\VwgpQgM.exe
  C:\Windows\System\VwgpQgM.exe
  2⤵
  PID:11652
- C:\Windows\System\bCDLblH.exe
  C:\Windows\System\bCDLblH.exe
  2⤵
  PID:11692
- C:\Windows\System\LLHocKI.exe
  C:\Windows\System\LLHocKI.exe
  2⤵
  PID:11720
- C:\Windows\System\MRrLlKF.exe
  C:\Windows\System\MRrLlKF.exe
  2⤵
  PID:11764
- C:\Windows\System\LpHeshm.exe
  C:\Windows\System\LpHeshm.exe
  2⤵
  PID:11796
- C:\Windows\System\wuaKMRg.exe
  C:\Windows\System\wuaKMRg.exe
  2⤵
  PID:11832
- C:\Windows\System\YdHYzIe.exe
  C:\Windows\System\YdHYzIe.exe
  2⤵
  PID:11848
- C:\Windows\System\FtwQRBK.exe
  C:\Windows\System\FtwQRBK.exe
  2⤵
  PID:11864
- C:\Windows\System\YlUeTue.exe
  C:\Windows\System\YlUeTue.exe
  2⤵
  PID:11912
- C:\Windows\System\edDHyhZ.exe
  C:\Windows\System\edDHyhZ.exe
  2⤵
  PID:11928
- C:\Windows\System\FRGfMep.exe
  C:\Windows\System\FRGfMep.exe
  2⤵
  PID:11948
- C:\Windows\System\vNdtVDB.exe
  C:\Windows\System\vNdtVDB.exe
  2⤵
  PID:11980
- C:\Windows\System\eAGWuLV.exe
  C:\Windows\System\eAGWuLV.exe
  2⤵
  PID:12032
- C:\Windows\System\XqmQngz.exe
  C:\Windows\System\XqmQngz.exe
  2⤵
  PID:12068
- C:\Windows\System\KvnaZcp.exe
  C:\Windows\System\KvnaZcp.exe
  2⤵
  PID:12084
- C:\Windows\System\BeYOjWg.exe
  C:\Windows\System\BeYOjWg.exe
  2⤵
  PID:12104
- C:\Windows\System\JpKKMiO.exe
  C:\Windows\System\JpKKMiO.exe
  2⤵
  PID:12128
- C:\Windows\System\UqJTubI.exe
  C:\Windows\System\UqJTubI.exe
  2⤵
  PID:12144
- C:\Windows\System\ImObInv.exe
  C:\Windows\System\ImObInv.exe
  2⤵
  PID:12172
- C:\Windows\System\BIziwnt.exe
  C:\Windows\System\BIziwnt.exe
  2⤵
  PID:12196
- C:\Windows\System\JbVzRPY.exe
  C:\Windows\System\JbVzRPY.exe
  2⤵
  PID:12216
- C:\Windows\System\EZALLPX.exe
  C:\Windows\System\EZALLPX.exe
  2⤵
  PID:12232
- C:\Windows\System\CyKiTPi.exe
  C:\Windows\System\CyKiTPi.exe
  2⤵
  PID:12260
- C:\Windows\System\NZdhbrQ.exe
  C:\Windows\System\NZdhbrQ.exe
  2⤵
  PID:12284
- C:\Windows\System\TQeCfwJ.exe
  C:\Windows\System\TQeCfwJ.exe
  2⤵
  PID:11308
- C:\Windows\System\nnuIGyx.exe
  C:\Windows\System\nnuIGyx.exe
  2⤵
  PID:11388
- C:\Windows\System\EuYgNjW.exe
  C:\Windows\System\EuYgNjW.exe
  2⤵
  PID:11536
- C:\Windows\System\peQRfPp.exe
  C:\Windows\System\peQRfPp.exe
  2⤵
  PID:11624
- C:\Windows\System\fVHoaHo.exe
  C:\Windows\System\fVHoaHo.exe
  2⤵
  PID:11680
- C:\Windows\System\rnAFzlU.exe
  C:\Windows\System\rnAFzlU.exe
  2⤵
  PID:11708
- C:\Windows\System\qOMHdIy.exe
  C:\Windows\System\qOMHdIy.exe
  2⤵
  PID:11812
- C:\Windows\System\eSsRLCx.exe
  C:\Windows\System\eSsRLCx.exe
  2⤵
  PID:11884
- C:\Windows\System\NsXMAcE.exe
  C:\Windows\System\NsXMAcE.exe
  2⤵
  PID:11940
- C:\Windows\System\DOcrcih.exe
  C:\Windows\System\DOcrcih.exe
  2⤵
  PID:12020
- C:\Windows\System\gsduqEe.exe
  C:\Windows\System\gsduqEe.exe
  2⤵
  PID:12056
- C:\Windows\System\zMyQmVW.exe
  C:\Windows\System\zMyQmVW.exe
  2⤵
  PID:12120
- C:\Windows\System\mWkeyer.exe
  C:\Windows\System\mWkeyer.exe
  2⤵
  PID:12208
- C:\Windows\System\OYOaLZU.exe
  C:\Windows\System\OYOaLZU.exe
  2⤵
  PID:12256
- C:\Windows\System\PhXvZwE.exe
  C:\Windows\System\PhXvZwE.exe
  2⤵
  PID:11288
- C:\Windows\System\zGKBlDR.exe
  C:\Windows\System\zGKBlDR.exe
  2⤵
  PID:11372
- C:\Windows\System\EDCzdVv.exe
  C:\Windows\System\EDCzdVv.exe
  2⤵
  PID:11596
- C:\Windows\System\GcuvzUx.exe
  C:\Windows\System\GcuvzUx.exe
  2⤵
  PID:11740
- C:\Windows\System\RFEvyDo.exe
  C:\Windows\System\RFEvyDo.exe
  2⤵
  PID:11924
- C:\Windows\System\QKGtWty.exe
  C:\Windows\System\QKGtWty.exe
  2⤵
  PID:12024
- C:\Windows\System\GIKERWS.exe
  C:\Windows\System\GIKERWS.exe
  2⤵
  PID:12124
- C:\Windows\System\enizlAT.exe
  C:\Windows\System\enizlAT.exe
  2⤵
  PID:11344
- C:\Windows\System\hcpghuT.exe
  C:\Windows\System\hcpghuT.exe
  2⤵
  PID:11512
- C:\Windows\System\bEmymQB.exe
  C:\Windows\System\bEmymQB.exe
  2⤵
  PID:11640
- C:\Windows\System\ehbwpWW.exe
  C:\Windows\System\ehbwpWW.exe
  2⤵
  PID:12052
- C:\Windows\System\fcJtOYL.exe
  C:\Windows\System\fcJtOYL.exe
  2⤵
  PID:11408
- C:\Windows\System\WyRNBrR.exe
  C:\Windows\System\WyRNBrR.exe
  2⤵
  PID:12316
- C:\Windows\System\LsczFqi.exe
  C:\Windows\System\LsczFqi.exe
  2⤵
  PID:12340
- C:\Windows\System\pcqsffP.exe
  C:\Windows\System\pcqsffP.exe
  2⤵
  PID:12396
- C:\Windows\System\HaqWjFM.exe
  C:\Windows\System\HaqWjFM.exe
  2⤵
  PID:12416
- C:\Windows\System\txccdmH.exe
  C:\Windows\System\txccdmH.exe
  2⤵
  PID:12436
- C:\Windows\System\DeGcrMa.exe
  C:\Windows\System\DeGcrMa.exe
  2⤵
  PID:12456
- C:\Windows\System\yjZDBne.exe
  C:\Windows\System\yjZDBne.exe
  2⤵
  PID:12476
- C:\Windows\System\wjeLRZN.exe
  C:\Windows\System\wjeLRZN.exe
  2⤵
  PID:12500
- C:\Windows\System\DEluiwS.exe
  C:\Windows\System\DEluiwS.exe
  2⤵
  PID:12520
- C:\Windows\System\fYUwtFU.exe
  C:\Windows\System\fYUwtFU.exe
  2⤵
  PID:12544
- C:\Windows\System\wQweaJb.exe
  C:\Windows\System\wQweaJb.exe
  2⤵
  PID:12568
- C:\Windows\System\yyLKaRR.exe
  C:\Windows\System\yyLKaRR.exe
  2⤵
  PID:12592
- C:\Windows\System\gMDJhnP.exe
  C:\Windows\System\gMDJhnP.exe
  2⤵
  PID:12664
- C:\Windows\System\bitkqVP.exe
  C:\Windows\System\bitkqVP.exe
  2⤵
  PID:12704
- C:\Windows\System\sucPwkW.exe
  C:\Windows\System\sucPwkW.exe
  2⤵
  PID:12724
- C:\Windows\System\KbVpcNi.exe
  C:\Windows\System\KbVpcNi.exe
  2⤵
  PID:12740
- C:\Windows\System\vhdzUYv.exe
  C:\Windows\System\vhdzUYv.exe
  2⤵
  PID:12760
- C:\Windows\System\okvctzx.exe
  C:\Windows\System\okvctzx.exe
  2⤵
  PID:12780
- C:\Windows\System\vwpdqjQ.exe
  C:\Windows\System\vwpdqjQ.exe
  2⤵
  PID:12804
- C:\Windows\System\avrpBjp.exe
  C:\Windows\System\avrpBjp.exe
  2⤵
  PID:12856
- C:\Windows\System\GXaSrwh.exe
  C:\Windows\System\GXaSrwh.exe
  2⤵
  PID:12900
- C:\Windows\System\EWxwryj.exe
  C:\Windows\System\EWxwryj.exe
  2⤵
  PID:12924
- C:\Windows\System\rTDtsCV.exe
  C:\Windows\System\rTDtsCV.exe
  2⤵
  PID:12956
- C:\Windows\System\bEsCFqe.exe
  C:\Windows\System\bEsCFqe.exe
  2⤵
  PID:12992
- C:\Windows\System\mrPayEt.exe
  C:\Windows\System\mrPayEt.exe
  2⤵
  PID:13016
- C:\Windows\System\WPgGAKl.exe
  C:\Windows\System\WPgGAKl.exe
  2⤵
  PID:13064
- C:\Windows\System\oGXXvPF.exe
  C:\Windows\System\oGXXvPF.exe
  2⤵
  PID:13100
- C:\Windows\System\vhcemaJ.exe
  C:\Windows\System\vhcemaJ.exe
  2⤵
  PID:13124
- C:\Windows\System\SKoOMUk.exe
  C:\Windows\System\SKoOMUk.exe
  2⤵
  PID:13144

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\home-993d2c38b2c1[1].css

Filesize
11KB

MD5
6328d6d9a6b00ce7f992230b97b17c1f

SHA1
88837b802bdde407e37e92641072ea2eeec95556

SHA256
c9d9b80794cebd7d97daf52f7f0ce0e31bcf7a6f65a6e07851c688d67f10dba8

SHA512
993d2c38b2c15499aebdb39c1f9c21d0501d4c2a5973caec65be9ddc3ddfd6e46d06449e7483daa4fa9afa17cb81ff27a391519a64629169eb15c52911aab2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y3t30ptd.2mi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AHtETYV.exe

Filesize
1.7MB

MD5
1883f67e45faad50520ebb777f373481

SHA1
6c9856e38ea09948b1240ce266945d6039ab27d6

SHA256
c879022e4b98d0fee6d8ec348d4ae534f6b6336fe3ff02449e5432f9cdcaeac5

SHA512
3b6bba0cbea566a04ec71c5af755d70bbd83ed2fa82344e21e264e360e473ab3691e91f7a4e56f65c9bf280d3552a7143bdc050eaf9568af081c1b6e9694be69

Download Submit
C:\Windows\System\BwZEuvl.exe

Filesize
1.7MB

MD5
0b48621e08304d5bb685239ac8a03f6f

SHA1
87e633e55bb4954dc9a354f29f0bbf225e7ccfbd

SHA256
83f6e1c21b902f8234edbf4018e295a59d37d04bd945b9ec3c13d3b2386afb30

SHA512
e9f71e3a06579ccb9fbdbef43445babefdbbf41c4d910112ce3f3b94b6fcdde7eb3101b8bed8d78408807a39d0a310fea8a85e4a87fb24ac28a4a9843b985d0a

Download Submit
C:\Windows\System\BxrbaJk.exe

Filesize
1.7MB

MD5
73932c581e3ae0cbe5b952eb5318c1a6

SHA1
e941949ef7ec0d3618351b7c2413531d58870ef2

SHA256
95c5f0c62324f3418635a1f6d2a902db223552e0c7ac44ab73c3a0747723c278

SHA512
5ac13abce950199ad683648f1d0c452ab9085b1ad0f38404aaba92c884ec1a792b4c4337fb84b78ceef7bf9e8c2bc7ed3bd6f16c09e5a5e5a1176ce1af79df18

Download Submit
C:\Windows\System\CXGSNDH.exe

Filesize
1.7MB

MD5
7694269f19aabebe060634fcd0be2ecb

SHA1
473649e08e44c0361429723dbc88135cee8d2699

SHA256
0eb7ebf53ac5939788a57347414358272276b6391307e4665de35b3214651dc8

SHA512
0f7d896952c09fcda6f4a42f81caf68497451763bb8caad9aee8bfcd41f931b39d56b57dd1117a57f72f2cfd75648d190ee91b676c976f9309ebeef71f858efa

Download Submit
C:\Windows\System\ClHDkBo.exe

Filesize
1.7MB

MD5
78972f9558f5abbfa0b333b2fc127ab9

SHA1
17dfe37e7333cb42dd62b97c7a5cc840b0297f07

SHA256
21be42ddded5ce453d3dd04ee48ca81f5f7d78008f9b71127b3634d670425a89

SHA512
2078a407d8b1fc5fc41a9335c92afe8b30ef4bc5bb23902586038181c1c2e39c4b1088c55bf162d623e41312f4487ab5135e5197408d96c36a0b9c7d8950c688

Download Submit
C:\Windows\System\DBNPBDW.exe

Filesize
1.7MB

MD5
e4320facd733773f2a7351101a631522

SHA1
410ce5cedcb77e71b566a20cbf3dc3be69c87894

SHA256
7ea3acaa56ca54ef97559add1630e60db497e0bd729bd46279279960d5d68e18

SHA512
a46662d5c98bf1119f9c6685c8fbca550c576ccceec42407c781a391b41f9d272bbcc91548e0b971cfcd96bba25e2204dc54623be8646fa045d5074ce586403e

Download Submit
C:\Windows\System\DXjXged.exe

Filesize
1.7MB

MD5
1acc95758b1e9ab8711d05c22854cb6a

SHA1
9cf0d9ab60b5452ee091d9d079ffa60800ded467

SHA256
37f7cfbf6bdc21178c5c9292124e7652cdae7b719afefa994f4cd09bbff8f099

SHA512
1bebd8a75c5905188ea5eb9921a63b207426eecc042c633b3e78514972766eda1d854defe816eb361a0f357c65c1291e2cc48463fdf231613afb61111b4f637a

Download Submit
C:\Windows\System\DxXgquV.exe

Filesize
1.7MB

MD5
ff4733ed8b78f0e47503203161ab9a56

SHA1
9f2842fa6db0bf866099594533f59a365c837a2d

SHA256
f3c35369be8d067685ecffc60309938116bef130e4b5cbb68b0249deb817f82c

SHA512
e875d0f62373d34f5b1a768f6e627ab14929d93578067ff28888444a26a68919ccb2f13af66c5a86624f332fecbdb423be30b3c0c8c9fb8f001e2ca124a4f9ca

Download Submit
C:\Windows\System\HoatAaz.exe

Filesize
1.7MB

MD5
5e3792237a23e9794a6c3f7122458931

SHA1
b6ef2f7f3f11c0e78929304afa967c7d54c7f65c

SHA256
411a61ead3fd5e703f73080958924f569231e89adbe4637ef0d42747f00acb1d

SHA512
255257dcc42db06a1921d3b1cf1721faef53dc54c35f4bb5dc6bcb79a832972eb0de314e771475d6eae73734be1c654790d0597bd7f78457afb18e8389b2b758

Download Submit
C:\Windows\System\HyMiYzd.exe

Filesize
1.7MB

MD5
50561f03ab86a0d30549046c27ec8665

SHA1
147b325624fbf18db43f570504f923f148886c28

SHA256
343f287a1e8adc19df923195ef96563fd3bef7c8eae430ee1b203f4a9398f729

SHA512
bd3bfae1958ac2b3d8a891ba453c12c9d4126169f70e804836a48c1fd7a1e2ade44862f399d5b50401b721b84020fc08a8c8c9b9d60051926042ce306c910470

Download Submit
C:\Windows\System\JLZypJt.exe

Filesize
1.7MB

MD5
7584b9aabe0769d7f9a940550dea6ede

SHA1
001c9d0bbd9c74338d31c349127d3af785697ca4

SHA256
ec841515512649b41d9751ff497d2e7ee4b5c5df20429ca5517ecaf8c52887f4

SHA512
981cc14cac0e949cedd2a34501f14961b613088b53af6af7d8df07ddec0a820eadee28e5d100e48c7d09008b71e109634fde1b8899501172a049ca7c3ff16844

Download Submit
C:\Windows\System\KdRwqlw.exe

Filesize
1.7MB

MD5
4c76281adf6a1f1c86acf30021dd8b47

SHA1
5bcabca0387ba795420dc8e2b627ec611cc0a7dc

SHA256
6b5ae70df71184ee1b24282908443337c9a1468be63e720ff49b30083a7ff711

SHA512
7cfb96308698fb0e36cdb6292a4c0c42cb833abf784092576d351919b022bcdeb86012946c33bb5cd646c62fd3017224678994aa230448b36b999e7e0ddc0f3a

Download Submit
C:\Windows\System\LKpHMJP.exe

Filesize
1.7MB

MD5
2821a4c0d6b81f5ef61cb64312071a0b

SHA1
40fe71491fcbbe4b1752b5f22e0d0f92dadba69a

SHA256
fd18383be78e4fdb43ff7ac15571bcf273e053ba53ddc29a88e617f9da16840e

SHA512
a2241887116dec4fd1e42dfce0d8b06e5eb31bc7a4fcdc4509ca9c4776f29937fbe22e1ebf02a49bba6cbdb0b64e9f1122e34db9a87bfe3d08f7e9af1cb06cb9

Download Submit
C:\Windows\System\PvZqgnd.exe

Filesize
1.7MB

MD5
9df6fdb739b95b846a30ed496a1d0c38

SHA1
661afe66b6556c4f70f656a72a7d3db92bb4d062

SHA256
cba860ebab844d2e7e7bd6cc9785002bb54e629efbd2900cf5d9a6ce7c1d2dd1

SHA512
a1896e2b8c07f162e24acb970129819aa22bc8acef1c1b4c0497def9d01b8c611382437a9feb05ef38d7d5a0beec951670f7607aee70eebaf108ca9ed889bf59

Download Submit
C:\Windows\System\QFDrvRc.exe

Filesize
1.7MB

MD5
18c86119e7bc558a5229043b2f7b200e

SHA1
e5765d0d507971d18333324bcb562ea6f138d3ab

SHA256
27257737c7c4dbf49c72725ab90eb4b1cb74039a4d3c11f0b0cfa0e9167beaab

SHA512
2398ff3c191514fe73aab414dbf2cbaeb509b5a906813e5e2ddb5be8081eec2a567917729515a9f314fa693bbcba23c7d07475ee9128f94e8566e52372580cce

Download Submit
C:\Windows\System\UeVqvqh.exe

Filesize
1.7MB

MD5
4a072eb810ca1653affccc7c02fc8a75

SHA1
3b996b0a534dee93b7a11455c03d1ae58c4293ff

SHA256
7eb3e6e6ffb8a9bf3d7d6fd549b134010248e3179fcfab2ddbd62cc84178058c

SHA512
20b96b0a309267e0f17b0392edc32b7648dbfe7194fd29e6f6063c811843ca6cf8f37ea14eca4179dc601247485512207e8052837161df634a2c9731fd0aaaca

Download Submit
C:\Windows\System\VYPbxPr.exe

Filesize
1.7MB

MD5
c96c76f588c75d3ab4a5cbec075b3102

SHA1
bb66faa93ea0ee4f28f6ddf784ae1c310113f0b9

SHA256
7ee32c85be41b96c7b8755de4b86b7c307c08f95a5df8b571e8ecdb45165416c

SHA512
ebd02bc7e1daf2ee2306901e5500b74c1d9c08290db1b0313e14fd17b0d452c450e9cfdfa07505408af1c59c394c256efde97bba26eb501f9f0db06ce13f1f0e

Download Submit
C:\Windows\System\WIAFhaI.exe

Filesize
1.7MB

MD5
8b97d20dd1f969c21faaea621b99e88a

SHA1
1a6a0eb8f12d94389316fd19c9ec075cfdea4cd2

SHA256
978b6764ba2ed0f43eaf5ff8501df2b24c4fc1f2d091db61a9a91c0f5edbc241

SHA512
83d8e4174e6a1af7cef45a9b02c62166277e685c9be965eeae7f443225181dd9866543b58bdbcb1ca970cd37ff64f219bee9dfc8942cab38f70d1930cde46e22

Download Submit
C:\Windows\System\YlboIHD.exe

Filesize
1.7MB

MD5
a9abfd93ad283b8d86a63fb431bcea12

SHA1
559abc8013b3e872247e99f6bf02490d1cbc18c3

SHA256
a85e48f6375326067e77c0af335177e5f592cc2bb20a3c7f2ef9f037d84d5483

SHA512
e45a790b52119a9c9d3df929f97d54f70021848f58b8020b273d3a3fd457abbe57ac828d8808587aebdb73255e83d1281dd13bec9d042b8025474faf04c604e9

Download Submit
C:\Windows\System\ZtzpjDz.exe

Filesize
1.7MB

MD5
36ff2033d6250b886fdd6ce6a1340dc1

SHA1
e1c03d8a7f4946288867f54eefd952e76bac27f6

SHA256
3c5e130a20fcab0300719793f6c9056089c0d3cd2e87064d1e44fbdb8917f2ec

SHA512
637c068040db665b9a8af83acb5e09392d099b584dd08b9d6d1e793b06b7b71fa73eac0569b678a1cf56002a8bbf6802862977e1d65e6e458fc679ffebb1a407

Download Submit
C:\Windows\System\bTcYYdx.exe

Filesize
1.7MB

MD5
a91b764e312c4e05079b2a82fae72ff2

SHA1
ebf2866b735e2aaf569a75179326a52bc28e5482

SHA256
d73f90bdc88d82b070718946891e6b9dad1b00192f90021bd4e1f26935333e86

SHA512
3cfd82bc2cadb1c308ed87ba8612bd35146655a0703c5ffd3157a1793546f518229ef5f63f4ebe5b438825b7a84b4fca8138066bdb96485f2c1f5f55ed394a11

Download Submit
C:\Windows\System\cmaBQTc.exe

Filesize
1.7MB

MD5
30189d7e0a077c746ea7a9a606301663

SHA1
08503b92ceec1dcb5292ff63c73c1b1dbedd1c00

SHA256
297ea64c33010963b3377ceaecbdf917dc26cea540d1343615dccc2ec9f40ebc

SHA512
0be37574ae728eb5e30c750ea57407036ed10acd0da2b3478fa9ca80d021dc157221781c5401e513e6198a0bca2e54a41e4de99e2ab753c5ec696fbd06a10c1a

Download Submit
C:\Windows\System\ifgUImG.exe

Filesize
1.7MB

MD5
b0b9ad3b8cdcf8ea585164c91b8f4049

SHA1
126969ad2ccd9fcdaec4ec49934db233e9b2070b

SHA256
9ec5d13675469dfc113dc798b10fd1c7d32d97943a58d72b97cc475e2008940f

SHA512
fcb4f4e88074622046f6589592b0f83450b7c34c90b7e07926dfbfde6b84248c9972cff8728b0bb8d5234376e1145c43446a92cd5fa4e86df9c4826c9e235303

Download Submit
C:\Windows\System\nMKTqdh.exe

Filesize
1.7MB

MD5
0d56279dc4964922f576f05ffd81446a

SHA1
020e3e5fa671dee67230a026543c9311cf82a88a

SHA256
b119ac68b65c572bbf4e6222558d60b38a42998ab0c3e86bfbf5e47beebebf37

SHA512
091a85bec669c23f4ae32c6c45ea9d7132f16dd2f77bffee720a7dff82b6c2284d5984d54e756fc1f8d4ae3214754a17bd11637793fc2c292e28c7c745d26f60

Download Submit
C:\Windows\System\oOpnygc.exe

Filesize
1.7MB

MD5
cb5dabfb4c7d4963c86825a11f5316aa

SHA1
430d33ad8862857b60627b7229692478971904f1

SHA256
87ce6abb791ee2369176cfc018dca4b76b4c9d509c4f31a2aabaf4a67f83d3ee

SHA512
5c45e7dd4601d65ef1015ec73efbe3de1446eb0de45710c3d3262616627c9179befdc5ad15ad243b17218c0b86d5a289e2fec651130530abf46aa392292959c1

Download Submit
C:\Windows\System\oaAeTtF.exe

Filesize
1.7MB

MD5
050fc3c73bd4748f71d7edde262720e2

SHA1
3a720388d3cc30cc3b43c8ad13ae664e44fdde39

SHA256
354caf161dbe64fe1d171267079c09fd531fef2bd571982bbbd857d5091b6915

SHA512
cb21515dbf6b5300b6a37265fdc7fffb39c32df22ce24642877b771bc89e4a71ddb9934684d55e75a92ad8003cd33da0bb9bda3287970457170758cf6b28f9de

Download Submit
C:\Windows\System\pOHzCYk.exe

Filesize
1.7MB

MD5
a7d78ddb2d846a9e1a7bced9f921cf11

SHA1
de00c2fde17412b2e0d5a4c0433f9d95da240ef2

SHA256
e551ba69dbeb01a5eb3dbf98b69a883c6bd1a09b11bfc56ac3d146d9f7d4426e

SHA512
83d4b705c666e4dec5befb30417c9e5e1f8b0f0c8b9f17376122b9b7658df829c9683499f433cab209d867d84a1bf27142ab2a692fdd6c942751a8fa5836a392

Download Submit
C:\Windows\System\pYMlefO.exe

Filesize
1.7MB

MD5
50edadc8ee99e09367c459cdc4ba28cf

SHA1
b8e15851a06c447903b9a4ecfa25c8331c629464

SHA256
6ef7dc9a1902233aa7f5c2a67a81fd0c9d703226b1d8a0a20e7febe9dd8d6407

SHA512
d8b48e6c2e3e27b3f043777952e90185a4b11693db8e1f0504cde0473df98292df6148e5f002e2aef1b4d07f19664b27ffecfc291a850198bb9b0c5934e864e9

Download Submit
C:\Windows\System\qVzgJML.exe

Filesize
1.7MB

MD5
9a6ac02a6cb5a13e49f342bfa1ebb052

SHA1
25eeaf5ce97d06373b8a45083c8a02a7566aafc6

SHA256
cae6052fb9893554f4e8fe68e71761ca2f6760695da1f5bd194a4629ff2fdd0a

SHA512
1dc6114c52b75fbf61bd65e4844182dcf5e60c306a712a5ca299cd4af389ee90539e6b6ceabdbeba1147b4656b76dfd912ed4e29ba33cdbc58d3312879fe1849

Download Submit
C:\Windows\System\rPTANTC.exe

Filesize
1.7MB

MD5
fdfa6b41994e705aee206d67caa0ef2c

SHA1
3026ff4b70aa0f105861e02893da19e9de80649b

SHA256
b78f426ede70be32b1ad4f6b6f84b28a051e2a1d603b64e6527bd0e5f83473bb

SHA512
e35e97994f957669b059c3d631240db4e372e1aaefd52688ebab48a2ca25a70574d3b8a288022b4c163e23a8f5c35a7cffa5f09a3354192642cb942beb50b1ef

Download Submit
C:\Windows\System\vaIKqaG.exe

Filesize
1.7MB

MD5
a08c8884ff42709369dce54629128c95

SHA1
ec6b0cd4860caffde3bd3781a58bf82d809300f5

SHA256
da11272f42ca44a95d6d26cc376c04dd9db7ab79bdc896c298923a08e8bf6960

SHA512
3099e213b4793ee62481814056bb903813c7b7c6a83476e2fddea8a84e47ceff8276a3343224cd8071cfe0e32eef476ba544d669707c25c002b845e14c414523

Download Submit
C:\Windows\System\wCIvMsA.exe

Filesize
1.7MB

MD5
c8fad3cde7228cd01d06b63de55c9211

SHA1
777ab1b1a0a0d9d69e01b7d017210fe563845f6f

SHA256
ee7498ee3c2ccb9c1550aa1d3cd1ba88289021eaf19eb198c649ffd406983b4d

SHA512
bbd8f0d8759fa11f8d3377481f1f4636556f81747ab737f1edc0729c79d78362cb1f297d58b376380f68d7d1015d000b0b5a65a39b8c6417e1548cfbae7ebfc9

Download Submit
C:\Windows\System\xPmwbnd.exe

Filesize
1.7MB

MD5
f182fc9913a90ae1f9ae869794a6cf3c

SHA1
0b17d87640d308aa5d87f5f724d65296d681e31a

SHA256
fe42b1c75b785984976ffa163cb6bb528c92e6b86d29b7edf4cb18f542667317

SHA512
848c2526bd59574240d8812d0a00e7df61ca7ec6e0b69273b0353e6f71e9b2bf34aaa6456b85479dbefd22c978106f3821ee9d0fabba10b43642f9f2d78f91e0

Download Submit
memory/8-2174-0x00007FF6A54D0000-0x00007FF6A58C2000-memory.dmp

Filesize
3.9MB

Download
memory/8-2202-0x00007FF6A54D0000-0x00007FF6A58C2000-memory.dmp

Filesize
3.9MB

Download
memory/8-65-0x00007FF6A54D0000-0x00007FF6A58C2000-memory.dmp

Filesize
3.9MB

Download
memory/844-485-0x00007FF617C80000-0x00007FF618072000-memory.dmp

Filesize
3.9MB

Download
memory/844-2221-0x00007FF617C80000-0x00007FF618072000-memory.dmp

Filesize
3.9MB

Download
memory/932-2117-0x00007FF6D1340000-0x00007FF6D1732000-memory.dmp

Filesize
3.9MB

Download
memory/932-0-0x00007FF6D1340000-0x00007FF6D1732000-memory.dmp

Filesize
3.9MB

Download
memory/932-1-0x0000028FDF330000-0x0000028FDF340000-memory.dmp

Filesize
64KB

Download
memory/1092-2230-0x00007FF639690000-0x00007FF639A82000-memory.dmp

Filesize
3.9MB

Download
memory/1092-488-0x00007FF639690000-0x00007FF639A82000-memory.dmp

Filesize
3.9MB

Download
memory/1792-2219-0x00007FF780C20000-0x00007FF781012000-memory.dmp

Filesize
3.9MB

Download
memory/1792-483-0x00007FF780C20000-0x00007FF781012000-memory.dmp

Filesize
3.9MB

Download
memory/2004-2138-0x00007FF77C460000-0x00007FF77C852000-memory.dmp

Filesize
3.9MB

Download
memory/2004-15-0x00007FF77C460000-0x00007FF77C852000-memory.dmp

Filesize
3.9MB

Download
memory/2004-2189-0x00007FF77C460000-0x00007FF77C852000-memory.dmp

Filesize
3.9MB

Download
memory/2232-62-0x00007FF63EA10000-0x00007FF63EE02000-memory.dmp

Filesize
3.9MB

Download
memory/2232-2208-0x00007FF63EA10000-0x00007FF63EE02000-memory.dmp

Filesize
3.9MB

Download
memory/2876-2199-0x00007FF6E8930000-0x00007FF6E8D22000-memory.dmp

Filesize
3.9MB

Download
memory/2876-2148-0x00007FF6E8930000-0x00007FF6E8D22000-memory.dmp

Filesize
3.9MB

Download
memory/2876-34-0x00007FF6E8930000-0x00007FF6E8D22000-memory.dmp

Filesize
3.9MB

Download
memory/2884-60-0x00007FF786B60000-0x00007FF786F52000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2150-0x00007FF786B60000-0x00007FF786F52000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2210-0x00007FF786B60000-0x00007FF786F52000-memory.dmp

Filesize
3.9MB

Download
memory/2944-2223-0x00007FF678E70000-0x00007FF679262000-memory.dmp

Filesize
3.9MB

Download
memory/2944-482-0x00007FF678E70000-0x00007FF679262000-memory.dmp

Filesize
3.9MB

Download
memory/3048-410-0x000002B9B11B0000-0x000002B9B1956000-memory.dmp

Filesize
7.6MB

Download
memory/3048-99-0x000002B9AFAC0000-0x000002B9AFAE2000-memory.dmp

Filesize
136KB

Download
memory/3056-481-0x00007FF65F6A0000-0x00007FF65FA92000-memory.dmp

Filesize
3.9MB

Download
memory/3056-2225-0x00007FF65F6A0000-0x00007FF65FA92000-memory.dmp

Filesize
3.9MB

Download
memory/3108-2192-0x00007FF6E70C0000-0x00007FF6E74B2000-memory.dmp

Filesize
3.9MB

Download
memory/3108-40-0x00007FF6E70C0000-0x00007FF6E74B2000-memory.dmp

Filesize
3.9MB

Download
memory/3268-2215-0x00007FF7D5BC0000-0x00007FF7D5FB2000-memory.dmp

Filesize
3.9MB

Download
memory/3268-480-0x00007FF7D5BC0000-0x00007FF7D5FB2000-memory.dmp

Filesize
3.9MB

Download
memory/3288-2243-0x00007FF60B600000-0x00007FF60B9F2000-memory.dmp

Filesize
3.9MB

Download
memory/3288-489-0x00007FF60B600000-0x00007FF60B9F2000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2139-0x00007FF711CF0000-0x00007FF7120E2000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2195-0x00007FF711CF0000-0x00007FF7120E2000-memory.dmp

Filesize
3.9MB

Download
memory/3496-25-0x00007FF711CF0000-0x00007FF7120E2000-memory.dmp

Filesize
3.9MB

Download
memory/3592-68-0x00007FF78A260000-0x00007FF78A652000-memory.dmp

Filesize
3.9MB

Download
memory/3592-2203-0x00007FF78A260000-0x00007FF78A652000-memory.dmp

Filesize
3.9MB

Download
memory/3592-2175-0x00007FF78A260000-0x00007FF78A652000-memory.dmp

Filesize
3.9MB

Download
memory/3608-486-0x00007FF641480000-0x00007FF641872000-memory.dmp

Filesize
3.9MB

Download
memory/3608-2227-0x00007FF641480000-0x00007FF641872000-memory.dmp

Filesize
3.9MB

Download
memory/3684-42-0x00007FF7B8C60000-0x00007FF7B9052000-memory.dmp

Filesize
3.9MB

Download
memory/3684-2194-0x00007FF7B8C60000-0x00007FF7B9052000-memory.dmp

Filesize
3.9MB

Download
memory/4164-478-0x00007FF7D7680000-0x00007FF7D7A72000-memory.dmp

Filesize
3.9MB

Download
memory/4164-2211-0x00007FF7D7680000-0x00007FF7D7A72000-memory.dmp

Filesize
3.9MB

Download
memory/4596-2241-0x00007FF64BE60000-0x00007FF64C252000-memory.dmp

Filesize
3.9MB

Download
memory/4596-490-0x00007FF64BE60000-0x00007FF64C252000-memory.dmp

Filesize
3.9MB

Download
memory/4712-2231-0x00007FF6AB4F0000-0x00007FF6AB8E2000-memory.dmp

Filesize
3.9MB

Download
memory/4712-487-0x00007FF6AB4F0000-0x00007FF6AB8E2000-memory.dmp

Filesize
3.9MB

Download
memory/4732-2149-0x00007FF6C8050000-0x00007FF6C8442000-memory.dmp

Filesize
3.9MB

Download
memory/4732-2205-0x00007FF6C8050000-0x00007FF6C8442000-memory.dmp

Filesize
3.9MB

Download
memory/4732-54-0x00007FF6C8050000-0x00007FF6C8442000-memory.dmp

Filesize
3.9MB

Download
memory/4928-2218-0x00007FF780610000-0x00007FF780A02000-memory.dmp

Filesize
3.9MB

Download
memory/4928-484-0x00007FF780610000-0x00007FF780A02000-memory.dmp

Filesize
3.9MB

Download
memory/5000-479-0x00007FF669890000-0x00007FF669C82000-memory.dmp

Filesize
3.9MB

Download
memory/5000-2213-0x00007FF669890000-0x00007FF669C82000-memory.dmp

Filesize
3.9MB

Download
memory/5088-46-0x00007FF67C380000-0x00007FF67C772000-memory.dmp

Filesize
3.9MB

Download
memory/5088-2198-0x00007FF67C380000-0x00007FF67C772000-memory.dmp

Filesize
3.9MB

Download