xmrig | b5082b670081e3704c26423bbad36b6c1ff00f296f088ed83218c1e6daa642cb

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
Size

1.7MB
MD5

2069be33c575e608f01bafe25c281371
SHA1

9456fa711f0aa3237c56db95b28927d02effea84
SHA256

b5082b670081e3704c26423bbad36b6c1ff00f296f088ed83218c1e6daa642cb
SHA512

e2158fa82ade2a4783fb3b3bbe634fb66eb73aeb3b1f7c1455f15f79fd5d9a057303e7bd1691d55517b98e0f511b6a7e76ea8ed381d1f73db9b3df83795c2364
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWY1s38kQu12bPxvyuzaBgJ9pcFtj:Lz071uv4BPMkibTIA5I4TNrpDGgDQzlB

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2608-51-0x00007FF636140000-0x00007FF636532000-memory.dmp	xmrig
behavioral2/memory/4068-66-0x00007FF70DFD0000-0x00007FF70E3C2000-memory.dmp	xmrig
behavioral2/memory/432-93-0x00007FF6A8EF0000-0x00007FF6A92E2000-memory.dmp	xmrig
behavioral2/memory/4844-403-0x00007FF71E080000-0x00007FF71E472000-memory.dmp	xmrig
behavioral2/memory/1060-405-0x00007FF6B0050000-0x00007FF6B0442000-memory.dmp	xmrig
behavioral2/memory/3956-406-0x00007FF6E2DD0000-0x00007FF6E31C2000-memory.dmp	xmrig
behavioral2/memory/4684-407-0x00007FF6288B0000-0x00007FF628CA2000-memory.dmp	xmrig
behavioral2/memory/1848-409-0x00007FF615940000-0x00007FF615D32000-memory.dmp	xmrig
behavioral2/memory/696-408-0x00007FF7720E0000-0x00007FF7724D2000-memory.dmp	xmrig
behavioral2/memory/2840-404-0x00007FF7C59D0000-0x00007FF7C5DC2000-memory.dmp	xmrig
behavioral2/memory/4132-92-0x00007FF71C710000-0x00007FF71CB02000-memory.dmp	xmrig
behavioral2/memory/5020-410-0x00007FF629F50000-0x00007FF62A342000-memory.dmp	xmrig
behavioral2/memory/3656-411-0x00007FF73D710000-0x00007FF73DB02000-memory.dmp	xmrig
behavioral2/memory/1436-413-0x00007FF66F150000-0x00007FF66F542000-memory.dmp	xmrig
behavioral2/memory/3020-412-0x00007FF68D750000-0x00007FF68DB42000-memory.dmp	xmrig
behavioral2/memory/2824-414-0x00007FF7BF740000-0x00007FF7BFB32000-memory.dmp	xmrig
behavioral2/memory/4956-415-0x00007FF78B9F0000-0x00007FF78BDE2000-memory.dmp	xmrig
behavioral2/memory/428-416-0x00007FF610990000-0x00007FF610D82000-memory.dmp	xmrig
behavioral2/memory/4100-417-0x00007FF777450000-0x00007FF777842000-memory.dmp	xmrig
behavioral2/memory/4764-418-0x00007FF62BEB0000-0x00007FF62C2A2000-memory.dmp	xmrig
behavioral2/memory/2336-424-0x00007FF67E7D0000-0x00007FF67EBC2000-memory.dmp	xmrig
behavioral2/memory/2360-437-0x00007FF68B130000-0x00007FF68B522000-memory.dmp	xmrig
behavioral2/memory/1120-440-0x00007FF6C10A0000-0x00007FF6C1492000-memory.dmp	xmrig
behavioral2/memory/4836-432-0x00007FF77D070000-0x00007FF77D462000-memory.dmp	xmrig
behavioral2/memory/2608-2945-0x00007FF636140000-0x00007FF636532000-memory.dmp	xmrig
behavioral2/memory/4764-2947-0x00007FF62BEB0000-0x00007FF62C2A2000-memory.dmp	xmrig
behavioral2/memory/4068-2949-0x00007FF70DFD0000-0x00007FF70E3C2000-memory.dmp	xmrig
behavioral2/memory/432-2951-0x00007FF6A8EF0000-0x00007FF6A92E2000-memory.dmp	xmrig
behavioral2/memory/4132-2957-0x00007FF71C710000-0x00007FF71CB02000-memory.dmp	xmrig
behavioral2/memory/2336-2955-0x00007FF67E7D0000-0x00007FF67EBC2000-memory.dmp	xmrig
behavioral2/memory/4844-2953-0x00007FF71E080000-0x00007FF71E472000-memory.dmp	xmrig
behavioral2/memory/2840-2961-0x00007FF7C59D0000-0x00007FF7C5DC2000-memory.dmp	xmrig
behavioral2/memory/4836-2959-0x00007FF77D070000-0x00007FF77D462000-memory.dmp	xmrig
behavioral2/memory/3956-2966-0x00007FF6E2DD0000-0x00007FF6E31C2000-memory.dmp	xmrig
behavioral2/memory/1848-2975-0x00007FF615940000-0x00007FF615D32000-memory.dmp	xmrig
behavioral2/memory/1120-2973-0x00007FF6C10A0000-0x00007FF6C1492000-memory.dmp	xmrig
behavioral2/memory/1060-2969-0x00007FF6B0050000-0x00007FF6B0442000-memory.dmp	xmrig
behavioral2/memory/696-2968-0x00007FF7720E0000-0x00007FF7724D2000-memory.dmp	xmrig
behavioral2/memory/4684-2965-0x00007FF6288B0000-0x00007FF628CA2000-memory.dmp	xmrig
behavioral2/memory/2360-2971-0x00007FF68B130000-0x00007FF68B522000-memory.dmp	xmrig
behavioral2/memory/2824-2997-0x00007FF7BF740000-0x00007FF7BFB32000-memory.dmp	xmrig
behavioral2/memory/3020-2995-0x00007FF68D750000-0x00007FF68DB42000-memory.dmp	xmrig
behavioral2/memory/3656-2993-0x00007FF73D710000-0x00007FF73DB02000-memory.dmp	xmrig
behavioral2/memory/1436-2991-0x00007FF66F150000-0x00007FF66F542000-memory.dmp	xmrig
behavioral2/memory/4956-2981-0x00007FF78B9F0000-0x00007FF78BDE2000-memory.dmp	xmrig
behavioral2/memory/428-2977-0x00007FF610990000-0x00007FF610D82000-memory.dmp	xmrig
behavioral2/memory/5020-2988-0x00007FF629F50000-0x00007FF62A342000-memory.dmp	xmrig
behavioral2/memory/4100-2979-0x00007FF777450000-0x00007FF777842000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
8	2816	powershell.exe
10	2816	powershell.exe
16	2816	powershell.exe
17	2816	powershell.exe
20	2816	powershell.exe
21	2816	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2608	uMePNDT.exe
4764	EYfErSo.exe
4068	ctedPmx.exe
4132	KzvdJir.exe
432	qBAFrGp.exe
2336	zfLXNCZ.exe
4844	ZoOebmC.exe
2840	OvzLEzq.exe
4836	JsCkvOp.exe
2360	ZKgLJoj.exe
1060	LyNiJxe.exe
3956	EvzvgAO.exe
4684	JHGDyvQ.exe
696	JfmdGVQ.exe
1120	BGCoRVT.exe
1848	tgaVnCP.exe
5020	OkbbYrU.exe
3656	eNYpmsB.exe
3020	akupQAc.exe
1436	RkaXmZQ.exe
2824	HbCCKbX.exe
4956	SgyprKt.exe
428	GNoQUTF.exe
4100	ZVTrOGw.exe
1100	KndNaiV.exe
3084	BkfqXuO.exe
4284	jqxJEAA.exe
1368	aBXOERE.exe
3188	XJdQThp.exe
3920	BJIeXPC.exe
4632	qFXBYxC.exe
1944	FDeDCXe.exe
1512	vkRuycX.exe
4216	qvtsJLm.exe
2268	WjQvErZ.exe
3408	VUhKTNX.exe
2108	GXxfIWR.exe
768	WYmGTjw.exe
372	GkYBwDC.exe
4420	RZgiqKK.exe
1600	GlNgVQc.exe
3184	iODvcQN.exe
376	vkeIrHh.exe
1188	prCDaMq.exe
4532	gtBRRON.exe
3724	ficfErC.exe
2160	HtJidcE.exe
2472	pvrcqrq.exe
4816	jKVraqO.exe
4352	BOtYZne.exe
3992	mInbgoX.exe
2788	BfpSyIE.exe
1768	LsJhMmV.exe
3692	evQStVz.exe
1708	jNSPKUs.exe
3296	thnyhqS.exe
400	odavoaC.exe
1700	DuOozwq.exe
60	ZGXquNy.exe
5084	RLgLhjZ.exe
220	SgfeUOc.exe
3928	fQqnWmP.exe
3172	bdOpRSe.exe
464	RyyoTjP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4752-0-0x00007FF61C360000-0x00007FF61C752000-memory.dmp	upx
behavioral2/files/0x000b000000023bc0-5.dat	upx
behavioral2/files/0x000a000000023bc4-12.dat	upx
behavioral2/files/0x000a000000023bc6-28.dat	upx
behavioral2/files/0x000a000000023bc5-25.dat	upx
behavioral2/files/0x000b000000023bc7-45.dat	upx
behavioral2/memory/2608-51-0x00007FF636140000-0x00007FF636532000-memory.dmp	upx
behavioral2/files/0x000a000000023bca-53.dat	upx
behavioral2/files/0x000a000000023bcb-62.dat	upx
behavioral2/memory/4068-66-0x00007FF70DFD0000-0x00007FF70E3C2000-memory.dmp	upx
behavioral2/files/0x000a000000023bcc-79.dat	upx
behavioral2/files/0x000a000000023bcf-86.dat	upx
behavioral2/files/0x000a000000023bd1-94.dat	upx
behavioral2/files/0x000b000000023bc1-107.dat	upx
behavioral2/files/0x000a000000023bd8-132.dat	upx
behavioral2/files/0x000a000000023bda-142.dat	upx
behavioral2/files/0x000a000000023bdb-153.dat	upx
behavioral2/files/0x000b000000023bde-168.dat	upx
behavioral2/files/0x000e000000023bef-180.dat	upx
behavioral2/memory/432-93-0x00007FF6A8EF0000-0x00007FF6A92E2000-memory.dmp	upx
behavioral2/memory/4844-403-0x00007FF71E080000-0x00007FF71E472000-memory.dmp	upx
behavioral2/memory/1060-405-0x00007FF6B0050000-0x00007FF6B0442000-memory.dmp	upx
behavioral2/memory/3956-406-0x00007FF6E2DD0000-0x00007FF6E31C2000-memory.dmp	upx
behavioral2/memory/4684-407-0x00007FF6288B0000-0x00007FF628CA2000-memory.dmp	upx
behavioral2/memory/1848-409-0x00007FF615940000-0x00007FF615D32000-memory.dmp	upx
behavioral2/memory/696-408-0x00007FF7720E0000-0x00007FF7724D2000-memory.dmp	upx
behavioral2/memory/2840-404-0x00007FF7C59D0000-0x00007FF7C5DC2000-memory.dmp	upx
behavioral2/files/0x000b000000023be0-178.dat	upx
behavioral2/files/0x000a000000023be8-175.dat	upx
behavioral2/files/0x000b000000023bdf-173.dat	upx
behavioral2/files/0x000a000000023bdd-163.dat	upx
behavioral2/files/0x000a000000023bdc-158.dat	upx
behavioral2/files/0x000a000000023bd9-140.dat	upx
behavioral2/files/0x000a000000023bd7-130.dat	upx
behavioral2/files/0x000a000000023bd6-126.dat	upx
behavioral2/files/0x000a000000023bd5-121.dat	upx
behavioral2/files/0x000a000000023bd4-116.dat	upx
behavioral2/files/0x000a000000023bd3-105.dat	upx
behavioral2/files/0x000a000000023bd2-101.dat	upx
behavioral2/memory/4132-92-0x00007FF71C710000-0x00007FF71CB02000-memory.dmp	upx
behavioral2/files/0x000a000000023bd0-88.dat	upx
behavioral2/files/0x000a000000023bce-84.dat	upx
behavioral2/files/0x000a000000023bcd-72.dat	upx
behavioral2/files/0x000b000000023bc8-44.dat	upx
behavioral2/files/0x000a000000023bc9-36.dat	upx
behavioral2/memory/5020-410-0x00007FF629F50000-0x00007FF62A342000-memory.dmp	upx
behavioral2/memory/3656-411-0x00007FF73D710000-0x00007FF73DB02000-memory.dmp	upx
behavioral2/memory/1436-413-0x00007FF66F150000-0x00007FF66F542000-memory.dmp	upx
behavioral2/memory/3020-412-0x00007FF68D750000-0x00007FF68DB42000-memory.dmp	upx
behavioral2/memory/2824-414-0x00007FF7BF740000-0x00007FF7BFB32000-memory.dmp	upx
behavioral2/memory/4956-415-0x00007FF78B9F0000-0x00007FF78BDE2000-memory.dmp	upx
behavioral2/memory/428-416-0x00007FF610990000-0x00007FF610D82000-memory.dmp	upx
behavioral2/memory/4100-417-0x00007FF777450000-0x00007FF777842000-memory.dmp	upx
behavioral2/memory/4764-418-0x00007FF62BEB0000-0x00007FF62C2A2000-memory.dmp	upx
behavioral2/memory/2336-424-0x00007FF67E7D0000-0x00007FF67EBC2000-memory.dmp	upx
behavioral2/memory/2360-437-0x00007FF68B130000-0x00007FF68B522000-memory.dmp	upx
behavioral2/memory/1120-440-0x00007FF6C10A0000-0x00007FF6C1492000-memory.dmp	upx
behavioral2/memory/4836-432-0x00007FF77D070000-0x00007FF77D462000-memory.dmp	upx
behavioral2/memory/2608-2945-0x00007FF636140000-0x00007FF636532000-memory.dmp	upx
behavioral2/memory/4764-2947-0x00007FF62BEB0000-0x00007FF62C2A2000-memory.dmp	upx
behavioral2/memory/4068-2949-0x00007FF70DFD0000-0x00007FF70E3C2000-memory.dmp	upx
behavioral2/memory/432-2951-0x00007FF6A8EF0000-0x00007FF6A92E2000-memory.dmp	upx
behavioral2/memory/4132-2957-0x00007FF71C710000-0x00007FF71CB02000-memory.dmp	upx
behavioral2/memory/2336-2955-0x00007FF67E7D0000-0x00007FF67EBC2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\FpPzbWD.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\HbrSpWl.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\NOSXZtX.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\QVLPKEo.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\JYKTOLI.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\CgcVYmC.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\SDpPMsz.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\wxhPmHN.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\UXgAxCt.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\XpWttHT.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\JPBelTs.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\RPkKxeF.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\bQiBPqH.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\aGcwpOp.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\LkyIaHC.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\TYwcjBa.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\Wtkeyix.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\oTcdsUF.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\CKNCQHc.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\YpCXmnz.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\AIXnISg.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\SBKcLli.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\pZFstlc.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\gyJDNyK.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\VslGiGb.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\LIOXvaq.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\ZGUpSwC.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\BpZGFAE.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\akGHuqy.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\aFiAtWe.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\DFpBlzD.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\JaWnEBT.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\KgYuGyI.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\Autrdct.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\jYPnEaK.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\GYXVHxU.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\uusfFFq.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\fpFOLnT.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\tVGjrFL.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\vJzYsOl.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\oPoTVzg.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\eDiyXan.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\LUwEaCK.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\TdpSres.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\GlkTVSa.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\RtgbIzc.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\SSscjjF.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\eHJyFcD.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\vwmFAOR.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\wPzORSf.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\mxTRpFM.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\JtQrZje.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\zUPcvRE.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\SzcgpsL.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\QSQPApu.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\fPbAKgX.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\HbCCKbX.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\WtQmpKg.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\sJDaCyz.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\cakhIah.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\DTTgLmJ.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\KRNWKUm.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\HUTnHVv.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
File created	C:\Windows\System\nEZwKlE.exe	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2816	powershell.exe
2816	powershell.exe
2816	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeCreateGlobalPrivilege	13168	dwm.exe
Token: SeChangeNotifyPrivilege	13168	dwm.exe
Token: 33	13168	dwm.exe
Token: SeIncBasePriorityPrivilege	13168	dwm.exe
Token: SeShutdownPrivilege	13168	dwm.exe
Token: SeCreatePagefilePrivilege	13168	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 2816	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	87
PID 4752 wrote to memory of 2816	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	87
PID 4752 wrote to memory of 2608	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	88
PID 4752 wrote to memory of 2608	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	88
PID 4752 wrote to memory of 4764	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	89
PID 4752 wrote to memory of 4764	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	89
PID 4752 wrote to memory of 4068	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	90
PID 4752 wrote to memory of 4068	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	90
PID 4752 wrote to memory of 4132	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	91
PID 4752 wrote to memory of 4132	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	91
PID 4752 wrote to memory of 432	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	92
PID 4752 wrote to memory of 432	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	92
PID 4752 wrote to memory of 2336	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	93
PID 4752 wrote to memory of 2336	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	93
PID 4752 wrote to memory of 4844	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	94
PID 4752 wrote to memory of 4844	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	94
PID 4752 wrote to memory of 2840	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	95
PID 4752 wrote to memory of 2840	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	95
PID 4752 wrote to memory of 4836	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	96
PID 4752 wrote to memory of 4836	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	96
PID 4752 wrote to memory of 1060	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	97
PID 4752 wrote to memory of 1060	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	97
PID 4752 wrote to memory of 2360	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	98
PID 4752 wrote to memory of 2360	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	98
PID 4752 wrote to memory of 3956	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	99
PID 4752 wrote to memory of 3956	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	99
PID 4752 wrote to memory of 4684	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	100
PID 4752 wrote to memory of 4684	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	100
PID 4752 wrote to memory of 696	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	101
PID 4752 wrote to memory of 696	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	101
PID 4752 wrote to memory of 1120	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	102
PID 4752 wrote to memory of 1120	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	102
PID 4752 wrote to memory of 1848	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	103
PID 4752 wrote to memory of 1848	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	103
PID 4752 wrote to memory of 5020	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	104
PID 4752 wrote to memory of 5020	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	104
PID 4752 wrote to memory of 3656	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	105
PID 4752 wrote to memory of 3656	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	105
PID 4752 wrote to memory of 3020	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	106
PID 4752 wrote to memory of 3020	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	106
PID 4752 wrote to memory of 1436	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	107
PID 4752 wrote to memory of 1436	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	107
PID 4752 wrote to memory of 2824	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	108
PID 4752 wrote to memory of 2824	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	108
PID 4752 wrote to memory of 4956	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	109
PID 4752 wrote to memory of 4956	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	109
PID 4752 wrote to memory of 428	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	110
PID 4752 wrote to memory of 428	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	110
PID 4752 wrote to memory of 4100	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	111
PID 4752 wrote to memory of 4100	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	111
PID 4752 wrote to memory of 1100	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	112
PID 4752 wrote to memory of 1100	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	112
PID 4752 wrote to memory of 3084	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	113
PID 4752 wrote to memory of 3084	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	113
PID 4752 wrote to memory of 4284	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	114
PID 4752 wrote to memory of 4284	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	114
PID 4752 wrote to memory of 1368	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	115
PID 4752 wrote to memory of 1368	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	115
PID 4752 wrote to memory of 3188	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	116
PID 4752 wrote to memory of 3188	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	116
PID 4752 wrote to memory of 3920	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	117
PID 4752 wrote to memory of 3920	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	117
PID 4752 wrote to memory of 4632	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	118
PID 4752 wrote to memory of 4632	4752	2069be33c575e608f01bafe25c281371_JaffaCakes118.exe	118

C:\Users\Admin\AppData\Local\Temp\2069be33c575e608f01bafe25c281371_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2069be33c575e608f01bafe25c281371_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\System\uMePNDT.exe
  C:\Windows\System\uMePNDT.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\EYfErSo.exe
  C:\Windows\System\EYfErSo.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\ctedPmx.exe
  C:\Windows\System\ctedPmx.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\KzvdJir.exe
  C:\Windows\System\KzvdJir.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\qBAFrGp.exe
  C:\Windows\System\qBAFrGp.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\zfLXNCZ.exe
  C:\Windows\System\zfLXNCZ.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\ZoOebmC.exe
  C:\Windows\System\ZoOebmC.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\OvzLEzq.exe
  C:\Windows\System\OvzLEzq.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\JsCkvOp.exe
  C:\Windows\System\JsCkvOp.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\LyNiJxe.exe
  C:\Windows\System\LyNiJxe.exe
  2⤵
  - Executes dropped EXE
  PID:1060
- C:\Windows\System\ZKgLJoj.exe
  C:\Windows\System\ZKgLJoj.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\EvzvgAO.exe
  C:\Windows\System\EvzvgAO.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\JHGDyvQ.exe
  C:\Windows\System\JHGDyvQ.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\JfmdGVQ.exe
  C:\Windows\System\JfmdGVQ.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\BGCoRVT.exe
  C:\Windows\System\BGCoRVT.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\tgaVnCP.exe
  C:\Windows\System\tgaVnCP.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\OkbbYrU.exe
  C:\Windows\System\OkbbYrU.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\eNYpmsB.exe
  C:\Windows\System\eNYpmsB.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\akupQAc.exe
  C:\Windows\System\akupQAc.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\RkaXmZQ.exe
  C:\Windows\System\RkaXmZQ.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\HbCCKbX.exe
  C:\Windows\System\HbCCKbX.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\SgyprKt.exe
  C:\Windows\System\SgyprKt.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System\GNoQUTF.exe
  C:\Windows\System\GNoQUTF.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\ZVTrOGw.exe
  C:\Windows\System\ZVTrOGw.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\KndNaiV.exe
  C:\Windows\System\KndNaiV.exe
  2⤵
  - Executes dropped EXE
  PID:1100
- C:\Windows\System\BkfqXuO.exe
  C:\Windows\System\BkfqXuO.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\jqxJEAA.exe
  C:\Windows\System\jqxJEAA.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System\aBXOERE.exe
  C:\Windows\System\aBXOERE.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\XJdQThp.exe
  C:\Windows\System\XJdQThp.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\BJIeXPC.exe
  C:\Windows\System\BJIeXPC.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\qFXBYxC.exe
  C:\Windows\System\qFXBYxC.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\FDeDCXe.exe
  C:\Windows\System\FDeDCXe.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\vkRuycX.exe
  C:\Windows\System\vkRuycX.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\qvtsJLm.exe
  C:\Windows\System\qvtsJLm.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\WjQvErZ.exe
  C:\Windows\System\WjQvErZ.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\VUhKTNX.exe
  C:\Windows\System\VUhKTNX.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\GXxfIWR.exe
  C:\Windows\System\GXxfIWR.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\WYmGTjw.exe
  C:\Windows\System\WYmGTjw.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\GkYBwDC.exe
  C:\Windows\System\GkYBwDC.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\RZgiqKK.exe
  C:\Windows\System\RZgiqKK.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\GlNgVQc.exe
  C:\Windows\System\GlNgVQc.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\iODvcQN.exe
  C:\Windows\System\iODvcQN.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\vkeIrHh.exe
  C:\Windows\System\vkeIrHh.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System\prCDaMq.exe
  C:\Windows\System\prCDaMq.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\gtBRRON.exe
  C:\Windows\System\gtBRRON.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\ficfErC.exe
  C:\Windows\System\ficfErC.exe
  2⤵
  - Executes dropped EXE
  PID:3724
- C:\Windows\System\HtJidcE.exe
  C:\Windows\System\HtJidcE.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\pvrcqrq.exe
  C:\Windows\System\pvrcqrq.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\jKVraqO.exe
  C:\Windows\System\jKVraqO.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\BOtYZne.exe
  C:\Windows\System\BOtYZne.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\mInbgoX.exe
  C:\Windows\System\mInbgoX.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\BfpSyIE.exe
  C:\Windows\System\BfpSyIE.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\LsJhMmV.exe
  C:\Windows\System\LsJhMmV.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\evQStVz.exe
  C:\Windows\System\evQStVz.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\jNSPKUs.exe
  C:\Windows\System\jNSPKUs.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\thnyhqS.exe
  C:\Windows\System\thnyhqS.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\odavoaC.exe
  C:\Windows\System\odavoaC.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\DuOozwq.exe
  C:\Windows\System\DuOozwq.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\ZGXquNy.exe
  C:\Windows\System\ZGXquNy.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\RLgLhjZ.exe
  C:\Windows\System\RLgLhjZ.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\SgfeUOc.exe
  C:\Windows\System\SgfeUOc.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\fQqnWmP.exe
  C:\Windows\System\fQqnWmP.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\bdOpRSe.exe
  C:\Windows\System\bdOpRSe.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\RyyoTjP.exe
  C:\Windows\System\RyyoTjP.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\JEgkuym.exe
  C:\Windows\System\JEgkuym.exe
  2⤵
  PID:2888
- C:\Windows\System\qjeDrlW.exe
  C:\Windows\System\qjeDrlW.exe
  2⤵
  PID:1000
- C:\Windows\System\uhErCsy.exe
  C:\Windows\System\uhErCsy.exe
  2⤵
  PID:1196
- C:\Windows\System\xYcrAmW.exe
  C:\Windows\System\xYcrAmW.exe
  2⤵
  PID:1208
- C:\Windows\System\XfDYUZW.exe
  C:\Windows\System\XfDYUZW.exe
  2⤵
  PID:4884
- C:\Windows\System\iFwdeQJ.exe
  C:\Windows\System\iFwdeQJ.exe
  2⤵
  PID:1524
- C:\Windows\System\urtfyjr.exe
  C:\Windows\System\urtfyjr.exe
  2⤵
  PID:2368
- C:\Windows\System\cedqGXu.exe
  C:\Windows\System\cedqGXu.exe
  2⤵
  PID:1580
- C:\Windows\System\fWsoXfX.exe
  C:\Windows\System\fWsoXfX.exe
  2⤵
  PID:5128
- C:\Windows\System\JMcOdGv.exe
  C:\Windows\System\JMcOdGv.exe
  2⤵
  PID:5156
- C:\Windows\System\vdFkYZX.exe
  C:\Windows\System\vdFkYZX.exe
  2⤵
  PID:5192
- C:\Windows\System\FDNFGDo.exe
  C:\Windows\System\FDNFGDo.exe
  2⤵
  PID:5216
- C:\Windows\System\dbnjexD.exe
  C:\Windows\System\dbnjexD.exe
  2⤵
  PID:5240
- C:\Windows\System\bSWxdzz.exe
  C:\Windows\System\bSWxdzz.exe
  2⤵
  PID:5264
- C:\Windows\System\PRzGhZq.exe
  C:\Windows\System\PRzGhZq.exe
  2⤵
  PID:5292
- C:\Windows\System\wQZVLXn.exe
  C:\Windows\System\wQZVLXn.exe
  2⤵
  PID:5316
- C:\Windows\System\uqaoNMa.exe
  C:\Windows\System\uqaoNMa.exe
  2⤵
  PID:5344
- C:\Windows\System\smsYnJO.exe
  C:\Windows\System\smsYnJO.exe
  2⤵
  PID:5376
- C:\Windows\System\GDhWryN.exe
  C:\Windows\System\GDhWryN.exe
  2⤵
  PID:5400
- C:\Windows\System\PAmeqZl.exe
  C:\Windows\System\PAmeqZl.exe
  2⤵
  PID:5428
- C:\Windows\System\vyQcsYy.exe
  C:\Windows\System\vyQcsYy.exe
  2⤵
  PID:5456
- C:\Windows\System\TLdkEaV.exe
  C:\Windows\System\TLdkEaV.exe
  2⤵
  PID:5488
- C:\Windows\System\lexeHWW.exe
  C:\Windows\System\lexeHWW.exe
  2⤵
  PID:5516
- C:\Windows\System\XaVDGEK.exe
  C:\Windows\System\XaVDGEK.exe
  2⤵
  PID:5552
- C:\Windows\System\qvBLvpk.exe
  C:\Windows\System\qvBLvpk.exe
  2⤵
  PID:5576
- C:\Windows\System\TjvkXRr.exe
  C:\Windows\System\TjvkXRr.exe
  2⤵
  PID:5604
- C:\Windows\System\VbuDqYW.exe
  C:\Windows\System\VbuDqYW.exe
  2⤵
  PID:5640
- C:\Windows\System\parpiDu.exe
  C:\Windows\System\parpiDu.exe
  2⤵
  PID:5668
- C:\Windows\System\mCqhtxK.exe
  C:\Windows\System\mCqhtxK.exe
  2⤵
  PID:5696
- C:\Windows\System\MxPvzUB.exe
  C:\Windows\System\MxPvzUB.exe
  2⤵
  PID:5724
- C:\Windows\System\QEuPwHp.exe
  C:\Windows\System\QEuPwHp.exe
  2⤵
  PID:5752
- C:\Windows\System\WoUrYow.exe
  C:\Windows\System\WoUrYow.exe
  2⤵
  PID:5780
- C:\Windows\System\nprFQVr.exe
  C:\Windows\System\nprFQVr.exe
  2⤵
  PID:5804
- C:\Windows\System\BwqOSkT.exe
  C:\Windows\System\BwqOSkT.exe
  2⤵
  PID:5836
- C:\Windows\System\lrHkJPY.exe
  C:\Windows\System\lrHkJPY.exe
  2⤵
  PID:5864
- C:\Windows\System\EIDaguE.exe
  C:\Windows\System\EIDaguE.exe
  2⤵
  PID:5892
- C:\Windows\System\qcnPFlX.exe
  C:\Windows\System\qcnPFlX.exe
  2⤵
  PID:5924
- C:\Windows\System\qKjTRmt.exe
  C:\Windows\System\qKjTRmt.exe
  2⤵
  PID:5948
- C:\Windows\System\RFxIqji.exe
  C:\Windows\System\RFxIqji.exe
  2⤵
  PID:5976
- C:\Windows\System\YZsAWzh.exe
  C:\Windows\System\YZsAWzh.exe
  2⤵
  PID:6004
- C:\Windows\System\pNloJXi.exe
  C:\Windows\System\pNloJXi.exe
  2⤵
  PID:6028
- C:\Windows\System\LDuNwNv.exe
  C:\Windows\System\LDuNwNv.exe
  2⤵
  PID:6060
- C:\Windows\System\EtKqykd.exe
  C:\Windows\System\EtKqykd.exe
  2⤵
  PID:6100
- C:\Windows\System\oxiBPSM.exe
  C:\Windows\System\oxiBPSM.exe
  2⤵
  PID:3164
- C:\Windows\System\AyvIcxr.exe
  C:\Windows\System\AyvIcxr.exe
  2⤵
  PID:868
- C:\Windows\System\HuHcGxc.exe
  C:\Windows\System\HuHcGxc.exe
  2⤵
  PID:5224
- C:\Windows\System\wHPvvFI.exe
  C:\Windows\System\wHPvvFI.exe
  2⤵
  PID:5280
- C:\Windows\System\jqGqKMP.exe
  C:\Windows\System\jqGqKMP.exe
  2⤵
  PID:5332
- C:\Windows\System\zIROkAG.exe
  C:\Windows\System\zIROkAG.exe
  2⤵
  PID:4296
- C:\Windows\System\LwWiYGt.exe
  C:\Windows\System\LwWiYGt.exe
  2⤵
  PID:456
- C:\Windows\System\zgYDhkH.exe
  C:\Windows\System\zgYDhkH.exe
  2⤵
  PID:5532
- C:\Windows\System\XHSssEb.exe
  C:\Windows\System\XHSssEb.exe
  2⤵
  PID:2224
- C:\Windows\System\PlKsWrh.exe
  C:\Windows\System\PlKsWrh.exe
  2⤵
  PID:5676
- C:\Windows\System\XqvHjVQ.exe
  C:\Windows\System\XqvHjVQ.exe
  2⤵
  PID:5076
- C:\Windows\System\ccSKEKh.exe
  C:\Windows\System\ccSKEKh.exe
  2⤵
  PID:4672
- C:\Windows\System\gPSJXuQ.exe
  C:\Windows\System\gPSJXuQ.exe
  2⤵
  PID:5852
- C:\Windows\System\CDRgIYE.exe
  C:\Windows\System\CDRgIYE.exe
  2⤵
  PID:1124
- C:\Windows\System\ckSGurT.exe
  C:\Windows\System\ckSGurT.exe
  2⤵
  PID:5940
- C:\Windows\System\RCsJkih.exe
  C:\Windows\System\RCsJkih.exe
  2⤵
  PID:5984
- C:\Windows\System\SWSmzHI.exe
  C:\Windows\System\SWSmzHI.exe
  2⤵
  PID:800
- C:\Windows\System\aiZKVTA.exe
  C:\Windows\System\aiZKVTA.exe
  2⤵
  PID:1044
- C:\Windows\System\UarANay.exe
  C:\Windows\System\UarANay.exe
  2⤵
  PID:1592
- C:\Windows\System\NYVOqcW.exe
  C:\Windows\System\NYVOqcW.exe
  2⤵
  PID:6068
- C:\Windows\System\FdAQIhu.exe
  C:\Windows\System\FdAQIhu.exe
  2⤵
  PID:4444
- C:\Windows\System\khfGRPn.exe
  C:\Windows\System\khfGRPn.exe
  2⤵
  PID:516
- C:\Windows\System\aBFQeAh.exe
  C:\Windows\System\aBFQeAh.exe
  2⤵
  PID:3680
- C:\Windows\System\jWsMtzo.exe
  C:\Windows\System\jWsMtzo.exe
  2⤵
  PID:2200
- C:\Windows\System\UgqZSPo.exe
  C:\Windows\System\UgqZSPo.exe
  2⤵
  PID:5208
- C:\Windows\System\TLpdlxV.exe
  C:\Windows\System\TLpdlxV.exe
  2⤵
  PID:1096
- C:\Windows\System\annYtEB.exe
  C:\Windows\System\annYtEB.exe
  2⤵
  PID:5528
- C:\Windows\System\MaRSrGv.exe
  C:\Windows\System\MaRSrGv.exe
  2⤵
  PID:5704
- C:\Windows\System\ojzQgPg.exe
  C:\Windows\System\ojzQgPg.exe
  2⤵
  PID:1344
- C:\Windows\System\gsoVyBg.exe
  C:\Windows\System\gsoVyBg.exe
  2⤵
  PID:3704
- C:\Windows\System\MHnUhqh.exe
  C:\Windows\System\MHnUhqh.exe
  2⤵
  PID:4008
- C:\Windows\System\iRRPfDL.exe
  C:\Windows\System\iRRPfDL.exe
  2⤵
  PID:6088
- C:\Windows\System\mCLXigd.exe
  C:\Windows\System\mCLXigd.exe
  2⤵
  PID:2784
- C:\Windows\System\KJvaqrg.exe
  C:\Windows\System\KJvaqrg.exe
  2⤵
  PID:5252
- C:\Windows\System\QoAebcx.exe
  C:\Windows\System\QoAebcx.exe
  2⤵
  PID:5660
- C:\Windows\System\UnxqUcI.exe
  C:\Windows\System\UnxqUcI.exe
  2⤵
  PID:3468
- C:\Windows\System\ydTXzLd.exe
  C:\Windows\System\ydTXzLd.exe
  2⤵
  PID:5964
- C:\Windows\System\GHqyoOr.exe
  C:\Windows\System\GHqyoOr.exe
  2⤵
  PID:2964
- C:\Windows\System\rdWShCD.exe
  C:\Windows\System\rdWShCD.exe
  2⤵
  PID:2340
- C:\Windows\System\QHnVZob.exe
  C:\Windows\System\QHnVZob.exe
  2⤵
  PID:6160
- C:\Windows\System\RPkKxeF.exe
  C:\Windows\System\RPkKxeF.exe
  2⤵
  PID:6180
- C:\Windows\System\ZGUpSwC.exe
  C:\Windows\System\ZGUpSwC.exe
  2⤵
  PID:6208
- C:\Windows\System\AiEvDvI.exe
  C:\Windows\System\AiEvDvI.exe
  2⤵
  PID:6228
- C:\Windows\System\sDkqBLz.exe
  C:\Windows\System\sDkqBLz.exe
  2⤵
  PID:6248
- C:\Windows\System\PwSOaVe.exe
  C:\Windows\System\PwSOaVe.exe
  2⤵
  PID:6276
- C:\Windows\System\pqDACyW.exe
  C:\Windows\System\pqDACyW.exe
  2⤵
  PID:6292
- C:\Windows\System\XJekatw.exe
  C:\Windows\System\XJekatw.exe
  2⤵
  PID:6348
- C:\Windows\System\RafAwZS.exe
  C:\Windows\System\RafAwZS.exe
  2⤵
  PID:6400
- C:\Windows\System\PHXYfSo.exe
  C:\Windows\System\PHXYfSo.exe
  2⤵
  PID:6444
- C:\Windows\System\nxWQPUN.exe
  C:\Windows\System\nxWQPUN.exe
  2⤵
  PID:6460
- C:\Windows\System\rlvAJnY.exe
  C:\Windows\System\rlvAJnY.exe
  2⤵
  PID:6476
- C:\Windows\System\PvZTmiO.exe
  C:\Windows\System\PvZTmiO.exe
  2⤵
  PID:6516
- C:\Windows\System\amdNRKP.exe
  C:\Windows\System\amdNRKP.exe
  2⤵
  PID:6556
- C:\Windows\System\KZXFESm.exe
  C:\Windows\System\KZXFESm.exe
  2⤵
  PID:6572
- C:\Windows\System\OuCWkRl.exe
  C:\Windows\System\OuCWkRl.exe
  2⤵
  PID:6596
- C:\Windows\System\rZpUyzF.exe
  C:\Windows\System\rZpUyzF.exe
  2⤵
  PID:6620
- C:\Windows\System\PZivaZk.exe
  C:\Windows\System\PZivaZk.exe
  2⤵
  PID:6644
- C:\Windows\System\ZCglyMz.exe
  C:\Windows\System\ZCglyMz.exe
  2⤵
  PID:6664
- C:\Windows\System\WLCMljO.exe
  C:\Windows\System\WLCMljO.exe
  2⤵
  PID:6728
- C:\Windows\System\pqEuGNq.exe
  C:\Windows\System\pqEuGNq.exe
  2⤵
  PID:6748
- C:\Windows\System\VTqNOJl.exe
  C:\Windows\System\VTqNOJl.exe
  2⤵
  PID:6772
- C:\Windows\System\hwXxupu.exe
  C:\Windows\System\hwXxupu.exe
  2⤵
  PID:6796
- C:\Windows\System\JhcUltq.exe
  C:\Windows\System\JhcUltq.exe
  2⤵
  PID:6848
- C:\Windows\System\KlBmlBy.exe
  C:\Windows\System\KlBmlBy.exe
  2⤵
  PID:6888
- C:\Windows\System\PdPoCWp.exe
  C:\Windows\System\PdPoCWp.exe
  2⤵
  PID:6952
- C:\Windows\System\XMpfixO.exe
  C:\Windows\System\XMpfixO.exe
  2⤵
  PID:6972
- C:\Windows\System\ayvUnsm.exe
  C:\Windows\System\ayvUnsm.exe
  2⤵
  PID:6992
- C:\Windows\System\yBSxmEY.exe
  C:\Windows\System\yBSxmEY.exe
  2⤵
  PID:7060
- C:\Windows\System\EisVLce.exe
  C:\Windows\System\EisVLce.exe
  2⤵
  PID:7088
- C:\Windows\System\AdZOkzs.exe
  C:\Windows\System\AdZOkzs.exe
  2⤵
  PID:7104
- C:\Windows\System\cAfTUEB.exe
  C:\Windows\System\cAfTUEB.exe
  2⤵
  PID:7128
- C:\Windows\System\GFIJtIH.exe
  C:\Windows\System\GFIJtIH.exe
  2⤵
  PID:7164
- C:\Windows\System\JaYuvOw.exe
  C:\Windows\System\JaYuvOw.exe
  2⤵
  PID:6288
- C:\Windows\System\komikTG.exe
  C:\Windows\System\komikTG.exe
  2⤵
  PID:6328
- C:\Windows\System\wETAXEJ.exe
  C:\Windows\System\wETAXEJ.exe
  2⤵
  PID:6412
- C:\Windows\System\WaDiFSF.exe
  C:\Windows\System\WaDiFSF.exe
  2⤵
  PID:6452
- C:\Windows\System\QGluFNS.exe
  C:\Windows\System\QGluFNS.exe
  2⤵
  PID:6580
- C:\Windows\System\bpVuqMZ.exe
  C:\Windows\System\bpVuqMZ.exe
  2⤵
  PID:6684
- C:\Windows\System\XNcUqWR.exe
  C:\Windows\System\XNcUqWR.exe
  2⤵
  PID:6708
- C:\Windows\System\UbZDKSF.exe
  C:\Windows\System\UbZDKSF.exe
  2⤵
  PID:6912
- C:\Windows\System\OhCezZB.exe
  C:\Windows\System\OhCezZB.exe
  2⤵
  PID:6904
- C:\Windows\System\EezVhQB.exe
  C:\Windows\System\EezVhQB.exe
  2⤵
  PID:7084
- C:\Windows\System\eTKfrsk.exe
  C:\Windows\System\eTKfrsk.exe
  2⤵
  PID:4704
- C:\Windows\System\QHaTZlt.exe
  C:\Windows\System\QHaTZlt.exe
  2⤵
  PID:6240
- C:\Windows\System\keFcyGt.exe
  C:\Windows\System\keFcyGt.exe
  2⤵
  PID:6584
- C:\Windows\System\QBnYOen.exe
  C:\Windows\System\QBnYOen.exe
  2⤵
  PID:6284
- C:\Windows\System\UwjUKjp.exe
  C:\Windows\System\UwjUKjp.exe
  2⤵
  PID:6496
- C:\Windows\System\tFkfgcH.exe
  C:\Windows\System\tFkfgcH.exe
  2⤵
  PID:1556
- C:\Windows\System\fYKrFXy.exe
  C:\Windows\System\fYKrFXy.exe
  2⤵
  PID:6840
- C:\Windows\System\RQpRqQF.exe
  C:\Windows\System\RQpRqQF.exe
  2⤵
  PID:7100
- C:\Windows\System\qgiHvmT.exe
  C:\Windows\System\qgiHvmT.exe
  2⤵
  PID:7080
- C:\Windows\System\NMqxbHf.exe
  C:\Windows\System\NMqxbHf.exe
  2⤵
  PID:1696
- C:\Windows\System\OBTEOpG.exe
  C:\Windows\System\OBTEOpG.exe
  2⤵
  PID:7140
- C:\Windows\System\qVcquhc.exe
  C:\Windows\System\qVcquhc.exe
  2⤵
  PID:4496
- C:\Windows\System\mEItuWQ.exe
  C:\Windows\System\mEItuWQ.exe
  2⤵
  PID:6436
- C:\Windows\System\orgRGIt.exe
  C:\Windows\System\orgRGIt.exe
  2⤵
  PID:6964
- C:\Windows\System\rAmmIfe.exe
  C:\Windows\System\rAmmIfe.exe
  2⤵
  PID:6820
- C:\Windows\System\KQmDLkB.exe
  C:\Windows\System\KQmDLkB.exe
  2⤵
  PID:7040
- C:\Windows\System\ddfTHqu.exe
  C:\Windows\System\ddfTHqu.exe
  2⤵
  PID:7124
- C:\Windows\System\CAplZjN.exe
  C:\Windows\System\CAplZjN.exe
  2⤵
  PID:6484
- C:\Windows\System\hFJkIvw.exe
  C:\Windows\System\hFJkIvw.exe
  2⤵
  PID:6440
- C:\Windows\System\XcPYkmH.exe
  C:\Windows\System\XcPYkmH.exe
  2⤵
  PID:6884
- C:\Windows\System\ZeonSSS.exe
  C:\Windows\System\ZeonSSS.exe
  2⤵
  PID:7180
- C:\Windows\System\kyNfsev.exe
  C:\Windows\System\kyNfsev.exe
  2⤵
  PID:7212
- C:\Windows\System\EiTXGtQ.exe
  C:\Windows\System\EiTXGtQ.exe
  2⤵
  PID:7232
- C:\Windows\System\urgQoTL.exe
  C:\Windows\System\urgQoTL.exe
  2⤵
  PID:7260
- C:\Windows\System\ZcNiHCX.exe
  C:\Windows\System\ZcNiHCX.exe
  2⤵
  PID:7304
- C:\Windows\System\wPzORSf.exe
  C:\Windows\System\wPzORSf.exe
  2⤵
  PID:7456
- C:\Windows\System\twWjOuj.exe
  C:\Windows\System\twWjOuj.exe
  2⤵
  PID:7476
- C:\Windows\System\JaWnEBT.exe
  C:\Windows\System\JaWnEBT.exe
  2⤵
  PID:7544
- C:\Windows\System\VwUKaMv.exe
  C:\Windows\System\VwUKaMv.exe
  2⤵
  PID:7580
- C:\Windows\System\HGyrqRv.exe
  C:\Windows\System\HGyrqRv.exe
  2⤵
  PID:7600
- C:\Windows\System\SYBUiLC.exe
  C:\Windows\System\SYBUiLC.exe
  2⤵
  PID:7624
- C:\Windows\System\KCAKiDI.exe
  C:\Windows\System\KCAKiDI.exe
  2⤵
  PID:7688
- C:\Windows\System\bIQzOsW.exe
  C:\Windows\System\bIQzOsW.exe
  2⤵
  PID:7736
- C:\Windows\System\JuSjHEH.exe
  C:\Windows\System\JuSjHEH.exe
  2⤵
  PID:7764
- C:\Windows\System\weayGHs.exe
  C:\Windows\System\weayGHs.exe
  2⤵
  PID:7816
- C:\Windows\System\dtDGLas.exe
  C:\Windows\System\dtDGLas.exe
  2⤵
  PID:7832
- C:\Windows\System\pHypRdw.exe
  C:\Windows\System\pHypRdw.exe
  2⤵
  PID:7852
- C:\Windows\System\uBWuTbf.exe
  C:\Windows\System\uBWuTbf.exe
  2⤵
  PID:7884
- C:\Windows\System\XwCsaFG.exe
  C:\Windows\System\XwCsaFG.exe
  2⤵
  PID:7908
- C:\Windows\System\OGBzznf.exe
  C:\Windows\System\OGBzznf.exe
  2⤵
  PID:7932
- C:\Windows\System\uZOiHFv.exe
  C:\Windows\System\uZOiHFv.exe
  2⤵
  PID:7972
- C:\Windows\System\wyweRIx.exe
  C:\Windows\System\wyweRIx.exe
  2⤵
  PID:7996
- C:\Windows\System\AaQNaZu.exe
  C:\Windows\System\AaQNaZu.exe
  2⤵
  PID:8012
- C:\Windows\System\knWPSca.exe
  C:\Windows\System\knWPSca.exe
  2⤵
  PID:8036
- C:\Windows\System\ykpTJxZ.exe
  C:\Windows\System\ykpTJxZ.exe
  2⤵
  PID:8084
- C:\Windows\System\bRsGgCM.exe
  C:\Windows\System\bRsGgCM.exe
  2⤵
  PID:8172
- C:\Windows\System\CWNPIrc.exe
  C:\Windows\System\CWNPIrc.exe
  2⤵
  PID:6568
- C:\Windows\System\oANLpbS.exe
  C:\Windows\System\oANLpbS.exe
  2⤵
  PID:6524
- C:\Windows\System\tpUCmZH.exe
  C:\Windows\System\tpUCmZH.exe
  2⤵
  PID:6040
- C:\Windows\System\cGCjMNW.exe
  C:\Windows\System\cGCjMNW.exe
  2⤵
  PID:7008
- C:\Windows\System\KtdwPcR.exe
  C:\Windows\System\KtdwPcR.exe
  2⤵
  PID:6320
- C:\Windows\System\wCXbWgC.exe
  C:\Windows\System\wCXbWgC.exe
  2⤵
  PID:7336
- C:\Windows\System\mCuPwmC.exe
  C:\Windows\System\mCuPwmC.exe
  2⤵
  PID:7372
- C:\Windows\System\vAbiOPa.exe
  C:\Windows\System\vAbiOPa.exe
  2⤵
  PID:7172
- C:\Windows\System\AEQalqd.exe
  C:\Windows\System\AEQalqd.exe
  2⤵
  PID:7256
- C:\Windows\System\PIiXKKH.exe
  C:\Windows\System\PIiXKKH.exe
  2⤵
  PID:7284
- C:\Windows\System\lScWFDV.exe
  C:\Windows\System\lScWFDV.exe
  2⤵
  PID:7416
- C:\Windows\System\bstzYoN.exe
  C:\Windows\System\bstzYoN.exe
  2⤵
  PID:7444
- C:\Windows\System\fOSzwIp.exe
  C:\Windows\System\fOSzwIp.exe
  2⤵
  PID:7608
- C:\Windows\System\FOeRLFu.exe
  C:\Windows\System\FOeRLFu.exe
  2⤵
  PID:7800
- C:\Windows\System\hLOoddd.exe
  C:\Windows\System\hLOoddd.exe
  2⤵
  PID:7756
- C:\Windows\System\uWUAYZv.exe
  C:\Windows\System\uWUAYZv.exe
  2⤵
  PID:7880
- C:\Windows\System\rwyDtZW.exe
  C:\Windows\System\rwyDtZW.exe
  2⤵
  PID:8024
- C:\Windows\System\loXSSlL.exe
  C:\Windows\System\loXSSlL.exe
  2⤵
  PID:7988
- C:\Windows\System\DlelyDe.exe
  C:\Windows\System\DlelyDe.exe
  2⤵
  PID:8020
- C:\Windows\System\TVLqzjD.exe
  C:\Windows\System\TVLqzjD.exe
  2⤵
  PID:8092
- C:\Windows\System\ZVBWzHu.exe
  C:\Windows\System\ZVBWzHu.exe
  2⤵
  PID:8136
- C:\Windows\System\vFsjSyT.exe
  C:\Windows\System\vFsjSyT.exe
  2⤵
  PID:8164
- C:\Windows\System\tVMbahz.exe
  C:\Windows\System\tVMbahz.exe
  2⤵
  PID:6336
- C:\Windows\System\yNPNXqL.exe
  C:\Windows\System\yNPNXqL.exe
  2⤵
  PID:7224
- C:\Windows\System\qMzrWge.exe
  C:\Windows\System\qMzrWge.exe
  2⤵
  PID:3608
- C:\Windows\System\oTFrsWa.exe
  C:\Windows\System\oTFrsWa.exe
  2⤵
  PID:7244
- C:\Windows\System\yxGLyhN.exe
  C:\Windows\System\yxGLyhN.exe
  2⤵
  PID:7408
- C:\Windows\System\SiQJMxZ.exe
  C:\Windows\System\SiQJMxZ.exe
  2⤵
  PID:7440
- C:\Windows\System\zxGgxwO.exe
  C:\Windows\System\zxGgxwO.exe
  2⤵
  PID:7468
- C:\Windows\System\EGOkJnH.exe
  C:\Windows\System\EGOkJnH.exe
  2⤵
  PID:7560
- C:\Windows\System\yKJdeyR.exe
  C:\Windows\System\yKJdeyR.exe
  2⤵
  PID:7592
- C:\Windows\System\bjKpmwP.exe
  C:\Windows\System\bjKpmwP.exe
  2⤵
  PID:7748
- C:\Windows\System\YTDahfd.exe
  C:\Windows\System\YTDahfd.exe
  2⤵
  PID:7916
- C:\Windows\System\IhYXrIP.exe
  C:\Windows\System\IhYXrIP.exe
  2⤵
  PID:7964
- C:\Windows\System\ymHhNmb.exe
  C:\Windows\System\ymHhNmb.exe
  2⤵
  PID:8180
- C:\Windows\System\YuKKoxx.exe
  C:\Windows\System\YuKKoxx.exe
  2⤵
  PID:8148
- C:\Windows\System\bOZcUjs.exe
  C:\Windows\System\bOZcUjs.exe
  2⤵
  PID:6808
- C:\Windows\System\jdSAjYm.exe
  C:\Windows\System\jdSAjYm.exe
  2⤵
  PID:7812
- C:\Windows\System\UsMGAGu.exe
  C:\Windows\System\UsMGAGu.exe
  2⤵
  PID:7656
- C:\Windows\System\amazUXX.exe
  C:\Windows\System\amazUXX.exe
  2⤵
  PID:7900
- C:\Windows\System\mFfJVNS.exe
  C:\Windows\System\mFfJVNS.exe
  2⤵
  PID:8188
- C:\Windows\System\onvLCvm.exe
  C:\Windows\System\onvLCvm.exe
  2⤵
  PID:8160
- C:\Windows\System\GqKqiTQ.exe
  C:\Windows\System\GqKqiTQ.exe
  2⤵
  PID:8248
- C:\Windows\System\XnYXDPm.exe
  C:\Windows\System\XnYXDPm.exe
  2⤵
  PID:8264
- C:\Windows\System\VlBDuKZ.exe
  C:\Windows\System\VlBDuKZ.exe
  2⤵
  PID:8304
- C:\Windows\System\lsCWvBr.exe
  C:\Windows\System\lsCWvBr.exe
  2⤵
  PID:8328
- C:\Windows\System\KNiYViH.exe
  C:\Windows\System\KNiYViH.exe
  2⤵
  PID:8368
- C:\Windows\System\XQJGkcZ.exe
  C:\Windows\System\XQJGkcZ.exe
  2⤵
  PID:8396
- C:\Windows\System\uMopbBy.exe
  C:\Windows\System\uMopbBy.exe
  2⤵
  PID:8416
- C:\Windows\System\wEWnYuV.exe
  C:\Windows\System\wEWnYuV.exe
  2⤵
  PID:8432
- C:\Windows\System\mQOasyP.exe
  C:\Windows\System\mQOasyP.exe
  2⤵
  PID:8468
- C:\Windows\System\IQIIdzf.exe
  C:\Windows\System\IQIIdzf.exe
  2⤵
  PID:8484
- C:\Windows\System\gjBpAsJ.exe
  C:\Windows\System\gjBpAsJ.exe
  2⤵
  PID:8508
- C:\Windows\System\xNhTjHN.exe
  C:\Windows\System\xNhTjHN.exe
  2⤵
  PID:8532
- C:\Windows\System\WsszTpU.exe
  C:\Windows\System\WsszTpU.exe
  2⤵
  PID:8552
- C:\Windows\System\AWnHEml.exe
  C:\Windows\System\AWnHEml.exe
  2⤵
  PID:8576
- C:\Windows\System\KUbVBPc.exe
  C:\Windows\System\KUbVBPc.exe
  2⤵
  PID:8596
- C:\Windows\System\hsASERp.exe
  C:\Windows\System\hsASERp.exe
  2⤵
  PID:8636
- C:\Windows\System\jRzwYRi.exe
  C:\Windows\System\jRzwYRi.exe
  2⤵
  PID:8668
- C:\Windows\System\saACpRr.exe
  C:\Windows\System\saACpRr.exe
  2⤵
  PID:8708
- C:\Windows\System\aHlkSup.exe
  C:\Windows\System\aHlkSup.exe
  2⤵
  PID:8760
- C:\Windows\System\IOSlUEM.exe
  C:\Windows\System\IOSlUEM.exe
  2⤵
  PID:8784
- C:\Windows\System\NBpsGZm.exe
  C:\Windows\System\NBpsGZm.exe
  2⤵
  PID:8804
- C:\Windows\System\dIZDreP.exe
  C:\Windows\System\dIZDreP.exe
  2⤵
  PID:8856
- C:\Windows\System\BeAbnqI.exe
  C:\Windows\System\BeAbnqI.exe
  2⤵
  PID:8872
- C:\Windows\System\jKleHiX.exe
  C:\Windows\System\jKleHiX.exe
  2⤵
  PID:8896
- C:\Windows\System\BAXwbYe.exe
  C:\Windows\System\BAXwbYe.exe
  2⤵
  PID:8916
- C:\Windows\System\RLbSUjo.exe
  C:\Windows\System\RLbSUjo.exe
  2⤵
  PID:8956
- C:\Windows\System\fUNdgYu.exe
  C:\Windows\System\fUNdgYu.exe
  2⤵
  PID:9008
- C:\Windows\System\pCWtamv.exe
  C:\Windows\System\pCWtamv.exe
  2⤵
  PID:9024
- C:\Windows\System\LREaEUB.exe
  C:\Windows\System\LREaEUB.exe
  2⤵
  PID:9044
- C:\Windows\System\uZZmcyB.exe
  C:\Windows\System\uZZmcyB.exe
  2⤵
  PID:9060
- C:\Windows\System\mjcxtrI.exe
  C:\Windows\System\mjcxtrI.exe
  2⤵
  PID:9088
- C:\Windows\System\pSEzohG.exe
  C:\Windows\System\pSEzohG.exe
  2⤵
  PID:9116
- C:\Windows\System\uwfYpZI.exe
  C:\Windows\System\uwfYpZI.exe
  2⤵
  PID:9156
- C:\Windows\System\hqQEhnk.exe
  C:\Windows\System\hqQEhnk.exe
  2⤵
  PID:9184
- C:\Windows\System\EdXqKGu.exe
  C:\Windows\System\EdXqKGu.exe
  2⤵
  PID:9208
- C:\Windows\System\vOUtdEV.exe
  C:\Windows\System\vOUtdEV.exe
  2⤵
  PID:7808
- C:\Windows\System\YmnihQp.exe
  C:\Windows\System\YmnihQp.exe
  2⤵
  PID:7228
- C:\Windows\System\hzqcStN.exe
  C:\Windows\System\hzqcStN.exe
  2⤵
  PID:8296
- C:\Windows\System\hunwZyi.exe
  C:\Windows\System\hunwZyi.exe
  2⤵
  PID:8340
- C:\Windows\System\HLuWKNe.exe
  C:\Windows\System\HLuWKNe.exe
  2⤵
  PID:8364
- C:\Windows\System\YNidoIG.exe
  C:\Windows\System\YNidoIG.exe
  2⤵
  PID:8524
- C:\Windows\System\tnVROXh.exe
  C:\Windows\System\tnVROXh.exe
  2⤵
  PID:8544
- C:\Windows\System\oFIihkc.exe
  C:\Windows\System\oFIihkc.exe
  2⤵
  PID:8572
- C:\Windows\System\vwiXfgm.exe
  C:\Windows\System\vwiXfgm.exe
  2⤵
  PID:8628
- C:\Windows\System\nEoUSmK.exe
  C:\Windows\System\nEoUSmK.exe
  2⤵
  PID:8688
- C:\Windows\System\tQRlGvN.exe
  C:\Windows\System\tQRlGvN.exe
  2⤵
  PID:8716
- C:\Windows\System\iLhTyLt.exe
  C:\Windows\System\iLhTyLt.exe
  2⤵
  PID:8772
- C:\Windows\System\CnJwZgc.exe
  C:\Windows\System\CnJwZgc.exe
  2⤵
  PID:8984
- C:\Windows\System\DqwEYSa.exe
  C:\Windows\System\DqwEYSa.exe
  2⤵
  PID:8928
- C:\Windows\System\EEgBIYy.exe
  C:\Windows\System\EEgBIYy.exe
  2⤵
  PID:9020
- C:\Windows\System\CDpRPuL.exe
  C:\Windows\System\CDpRPuL.exe
  2⤵
  PID:9128
- C:\Windows\System\yvUuGvZ.exe
  C:\Windows\System\yvUuGvZ.exe
  2⤵
  PID:9144
- C:\Windows\System\ImVzrpG.exe
  C:\Windows\System\ImVzrpG.exe
  2⤵
  PID:9192
- C:\Windows\System\dsbktgH.exe
  C:\Windows\System\dsbktgH.exe
  2⤵
  PID:8132
- C:\Windows\System\BAtebII.exe
  C:\Windows\System\BAtebII.exe
  2⤵
  PID:8236
- C:\Windows\System\kPhiYJj.exe
  C:\Windows\System\kPhiYJj.exe
  2⤵
  PID:8392
- C:\Windows\System\szUQxfi.exe
  C:\Windows\System\szUQxfi.exe
  2⤵
  PID:8564
- C:\Windows\System\NzfzhAA.exe
  C:\Windows\System\NzfzhAA.exe
  2⤵
  PID:8948
- C:\Windows\System\acJChrG.exe
  C:\Windows\System\acJChrG.exe
  2⤵
  PID:9112
- C:\Windows\System\sFBrcbp.exe
  C:\Windows\System\sFBrcbp.exe
  2⤵
  PID:7712
- C:\Windows\System\OMYoSpr.exe
  C:\Windows\System\OMYoSpr.exe
  2⤵
  PID:8592
- C:\Windows\System\HrNXrUZ.exe
  C:\Windows\System\HrNXrUZ.exe
  2⤵
  PID:8892
- C:\Windows\System\grMXGfD.exe
  C:\Windows\System\grMXGfD.exe
  2⤵
  PID:9176
- C:\Windows\System\JPNDFCx.exe
  C:\Windows\System\JPNDFCx.exe
  2⤵
  PID:9236
- C:\Windows\System\owNrfBJ.exe
  C:\Windows\System\owNrfBJ.exe
  2⤵
  PID:9276
- C:\Windows\System\nmdBPhB.exe
  C:\Windows\System\nmdBPhB.exe
  2⤵
  PID:9292
- C:\Windows\System\XQwFbCQ.exe
  C:\Windows\System\XQwFbCQ.exe
  2⤵
  PID:9312
- C:\Windows\System\VTStNfW.exe
  C:\Windows\System\VTStNfW.exe
  2⤵
  PID:9336
- C:\Windows\System\kfCsBpb.exe
  C:\Windows\System\kfCsBpb.exe
  2⤵
  PID:9352
- C:\Windows\System\KXfufnA.exe
  C:\Windows\System\KXfufnA.exe
  2⤵
  PID:9372
- C:\Windows\System\tgUraFl.exe
  C:\Windows\System\tgUraFl.exe
  2⤵
  PID:9400
- C:\Windows\System\XQXWHkL.exe
  C:\Windows\System\XQXWHkL.exe
  2⤵
  PID:9428
- C:\Windows\System\qauKxyn.exe
  C:\Windows\System\qauKxyn.exe
  2⤵
  PID:9480
- C:\Windows\System\XKnNWHa.exe
  C:\Windows\System\XKnNWHa.exe
  2⤵
  PID:9496
- C:\Windows\System\iuMzWkk.exe
  C:\Windows\System\iuMzWkk.exe
  2⤵
  PID:9536
- C:\Windows\System\hQwVOaR.exe
  C:\Windows\System\hQwVOaR.exe
  2⤵
  PID:9572
- C:\Windows\System\uvmABoB.exe
  C:\Windows\System\uvmABoB.exe
  2⤵
  PID:9592
- C:\Windows\System\ohqvZNh.exe
  C:\Windows\System\ohqvZNh.exe
  2⤵
  PID:9616
- C:\Windows\System\pvebKvh.exe
  C:\Windows\System\pvebKvh.exe
  2⤵
  PID:9632
- C:\Windows\System\uXvlKbE.exe
  C:\Windows\System\uXvlKbE.exe
  2⤵
  PID:9672
- C:\Windows\System\XmFjmTw.exe
  C:\Windows\System\XmFjmTw.exe
  2⤵
  PID:9688
- C:\Windows\System\fNSWojs.exe
  C:\Windows\System\fNSWojs.exe
  2⤵
  PID:9728
- C:\Windows\System\eVhRjuU.exe
  C:\Windows\System\eVhRjuU.exe
  2⤵
  PID:9772
- C:\Windows\System\UFfYQeK.exe
  C:\Windows\System\UFfYQeK.exe
  2⤵
  PID:9792
- C:\Windows\System\SswTnwd.exe
  C:\Windows\System\SswTnwd.exe
  2⤵
  PID:9844
- C:\Windows\System\SXaIrGI.exe
  C:\Windows\System\SXaIrGI.exe
  2⤵
  PID:9888
- C:\Windows\System\gyJDNyK.exe
  C:\Windows\System\gyJDNyK.exe
  2⤵
  PID:9936
- C:\Windows\System\sBgYikJ.exe
  C:\Windows\System\sBgYikJ.exe
  2⤵
  PID:9984
- C:\Windows\System\cTCXyMV.exe
  C:\Windows\System\cTCXyMV.exe
  2⤵
  PID:10004
- C:\Windows\System\fgWNzzI.exe
  C:\Windows\System\fgWNzzI.exe
  2⤵
  PID:10020
- C:\Windows\System\ZeRMYrY.exe
  C:\Windows\System\ZeRMYrY.exe
  2⤵
  PID:10052
- C:\Windows\System\CGyfcPb.exe
  C:\Windows\System\CGyfcPb.exe
  2⤵
  PID:10068
- C:\Windows\System\KNabANA.exe
  C:\Windows\System\KNabANA.exe
  2⤵
  PID:10092
- C:\Windows\System\QDjlRZh.exe
  C:\Windows\System\QDjlRZh.exe
  2⤵
  PID:10120
- C:\Windows\System\JVKawKj.exe
  C:\Windows\System\JVKawKj.exe
  2⤵
  PID:10152
- C:\Windows\System\IOdFPIK.exe
  C:\Windows\System\IOdFPIK.exe
  2⤵
  PID:10224
- C:\Windows\System\vlOfDce.exe
  C:\Windows\System\vlOfDce.exe
  2⤵
  PID:8888
- C:\Windows\System\KoMVYgR.exe
  C:\Windows\System\KoMVYgR.exe
  2⤵
  PID:9284
- C:\Windows\System\okDshAQ.exe
  C:\Windows\System\okDshAQ.exe
  2⤵
  PID:9304
- C:\Windows\System\ZzkkaVk.exe
  C:\Windows\System\ZzkkaVk.exe
  2⤵
  PID:9392
- C:\Windows\System\lLzAhSy.exe
  C:\Windows\System\lLzAhSy.exe
  2⤵
  PID:9508
- C:\Windows\System\SBwmlYh.exe
  C:\Windows\System\SBwmlYh.exe
  2⤵
  PID:9560
- C:\Windows\System\uTmyvBl.exe
  C:\Windows\System\uTmyvBl.exe
  2⤵
  PID:9668
- C:\Windows\System\sTdcnZf.exe
  C:\Windows\System\sTdcnZf.exe
  2⤵
  PID:9860
- C:\Windows\System\aSwRHPK.exe
  C:\Windows\System\aSwRHPK.exe
  2⤵
  PID:9880
- C:\Windows\System\slxQwcJ.exe
  C:\Windows\System\slxQwcJ.exe
  2⤵
  PID:9760
- C:\Windows\System\qzySzkP.exe
  C:\Windows\System\qzySzkP.exe
  2⤵
  PID:3320
- C:\Windows\System\DrOnboH.exe
  C:\Windows\System\DrOnboH.exe
  2⤵
  PID:9824
- C:\Windows\System\DIzwSvF.exe
  C:\Windows\System\DIzwSvF.exe
  2⤵
  PID:9932
- C:\Windows\System\hrWcVvH.exe
  C:\Windows\System\hrWcVvH.exe
  2⤵
  PID:10088
- C:\Windows\System\heQzMfY.exe
  C:\Windows\System\heQzMfY.exe
  2⤵
  PID:10016
- C:\Windows\System\HCjAniT.exe
  C:\Windows\System\HCjAniT.exe
  2⤵
  PID:10176
- C:\Windows\System\TGXBXht.exe
  C:\Windows\System\TGXBXht.exe
  2⤵
  PID:9232
- C:\Windows\System\uFwOyaP.exe
  C:\Windows\System\uFwOyaP.exe
  2⤵
  PID:9256
- C:\Windows\System\ueXimMR.exe
  C:\Windows\System\ueXimMR.exe
  2⤵
  PID:9408
- C:\Windows\System\wLcmiQT.exe
  C:\Windows\System\wLcmiQT.exe
  2⤵
  PID:9664
- C:\Windows\System\kTAsswN.exe
  C:\Windows\System\kTAsswN.exe
  2⤵
  PID:9852
- C:\Windows\System\NrDmJEM.exe
  C:\Windows\System\NrDmJEM.exe
  2⤵
  PID:9816
- C:\Windows\System\WGMrsTF.exe
  C:\Windows\System\WGMrsTF.exe
  2⤵
  PID:9980
- C:\Windows\System\WXSrJFs.exe
  C:\Windows\System\WXSrJFs.exe
  2⤵
  PID:10168
- C:\Windows\System\icuLrKN.exe
  C:\Windows\System\icuLrKN.exe
  2⤵
  PID:7732
- C:\Windows\System\zfyhAdS.exe
  C:\Windows\System\zfyhAdS.exe
  2⤵
  PID:9476
- C:\Windows\System\IEsbOOM.exe
  C:\Windows\System\IEsbOOM.exe
  2⤵
  PID:9652
- C:\Windows\System\ZhmYgke.exe
  C:\Windows\System\ZhmYgke.exe
  2⤵
  PID:10064
- C:\Windows\System\qRXAMwd.exe
  C:\Windows\System\qRXAMwd.exe
  2⤵
  PID:10256
- C:\Windows\System\NCcYOtU.exe
  C:\Windows\System\NCcYOtU.exe
  2⤵
  PID:10284
- C:\Windows\System\jhqKlfA.exe
  C:\Windows\System\jhqKlfA.exe
  2⤵
  PID:10312
- C:\Windows\System\neOOjZi.exe
  C:\Windows\System\neOOjZi.exe
  2⤵
  PID:10344
- C:\Windows\System\hBRVTBU.exe
  C:\Windows\System\hBRVTBU.exe
  2⤵
  PID:10364
- C:\Windows\System\jmcXhca.exe
  C:\Windows\System\jmcXhca.exe
  2⤵
  PID:10388
- C:\Windows\System\TdpSres.exe
  C:\Windows\System\TdpSres.exe
  2⤵
  PID:10416
- C:\Windows\System\BlBeIeI.exe
  C:\Windows\System\BlBeIeI.exe
  2⤵
  PID:10432
- C:\Windows\System\YzSOxqN.exe
  C:\Windows\System\YzSOxqN.exe
  2⤵
  PID:10456
- C:\Windows\System\WtQmpKg.exe
  C:\Windows\System\WtQmpKg.exe
  2⤵
  PID:10480
- C:\Windows\System\MHFhInQ.exe
  C:\Windows\System\MHFhInQ.exe
  2⤵
  PID:10512
- C:\Windows\System\RFYYCSe.exe
  C:\Windows\System\RFYYCSe.exe
  2⤵
  PID:10532
- C:\Windows\System\NZimvzj.exe
  C:\Windows\System\NZimvzj.exe
  2⤵
  PID:10584
- C:\Windows\System\qLffFRk.exe
  C:\Windows\System\qLffFRk.exe
  2⤵
  PID:10604
- C:\Windows\System\SDpPMsz.exe
  C:\Windows\System\SDpPMsz.exe
  2⤵
  PID:10628
- C:\Windows\System\VPccaqI.exe
  C:\Windows\System\VPccaqI.exe
  2⤵
  PID:10656
- C:\Windows\System\fUrHkXz.exe
  C:\Windows\System\fUrHkXz.exe
  2⤵
  PID:10688
- C:\Windows\System\maNhKfv.exe
  C:\Windows\System\maNhKfv.exe
  2⤵
  PID:10708
- C:\Windows\System\pNJKEcF.exe
  C:\Windows\System\pNJKEcF.exe
  2⤵
  PID:10728
- C:\Windows\System\BwRxoRf.exe
  C:\Windows\System\BwRxoRf.exe
  2⤵
  PID:10772
- C:\Windows\System\HWBvnbW.exe
  C:\Windows\System\HWBvnbW.exe
  2⤵
  PID:10812
- C:\Windows\System\bQqrdzs.exe
  C:\Windows\System\bQqrdzs.exe
  2⤵
  PID:10836
- C:\Windows\System\HRRIrJJ.exe
  C:\Windows\System\HRRIrJJ.exe
  2⤵
  PID:10852
- C:\Windows\System\xbCDamr.exe
  C:\Windows\System\xbCDamr.exe
  2⤵
  PID:10872
- C:\Windows\System\toHhYro.exe
  C:\Windows\System\toHhYro.exe
  2⤵
  PID:10896
- C:\Windows\System\BRaLSKZ.exe
  C:\Windows\System\BRaLSKZ.exe
  2⤵
  PID:10916
- C:\Windows\System\rFuZhsP.exe
  C:\Windows\System\rFuZhsP.exe
  2⤵
  PID:11000
- C:\Windows\System\jKKhFug.exe
  C:\Windows\System\jKKhFug.exe
  2⤵
  PID:11020
- C:\Windows\System\QBzCXWb.exe
  C:\Windows\System\QBzCXWb.exe
  2⤵
  PID:11052
- C:\Windows\System\xophnxY.exe
  C:\Windows\System\xophnxY.exe
  2⤵
  PID:11076
- C:\Windows\System\yJniliL.exe
  C:\Windows\System\yJniliL.exe
  2⤵
  PID:11100
- C:\Windows\System\jKsakUG.exe
  C:\Windows\System\jKsakUG.exe
  2⤵
  PID:11140
- C:\Windows\System\zkqHYCt.exe
  C:\Windows\System\zkqHYCt.exe
  2⤵
  PID:11156
- C:\Windows\System\Pfnayna.exe
  C:\Windows\System\Pfnayna.exe
  2⤵
  PID:11192
- C:\Windows\System\jiZDAHV.exe
  C:\Windows\System\jiZDAHV.exe
  2⤵
  PID:11208
- C:\Windows\System\yHOZWrP.exe
  C:\Windows\System\yHOZWrP.exe
  2⤵
  PID:11240
- C:\Windows\System\xmTfHZv.exe
  C:\Windows\System\xmTfHZv.exe
  2⤵
  PID:11260
- C:\Windows\System\oFGgKqO.exe
  C:\Windows\System\oFGgKqO.exe
  2⤵
  PID:10196
- C:\Windows\System\NGCMTVO.exe
  C:\Windows\System\NGCMTVO.exe
  2⤵
  PID:10248
- C:\Windows\System\jnkVwjm.exe
  C:\Windows\System\jnkVwjm.exe
  2⤵
  PID:10300
- C:\Windows\System\liqrpfp.exe
  C:\Windows\System\liqrpfp.exe
  2⤵
  PID:10500
- C:\Windows\System\qREGAuC.exe
  C:\Windows\System\qREGAuC.exe
  2⤵
  PID:10528
- C:\Windows\System\vhCkref.exe
  C:\Windows\System\vhCkref.exe
  2⤵
  PID:10596
- C:\Windows\System\flHCEtw.exe
  C:\Windows\System\flHCEtw.exe
  2⤵
  PID:10572
- C:\Windows\System\MmHtFXF.exe
  C:\Windows\System\MmHtFXF.exe
  2⤵
  PID:10696
- C:\Windows\System\jeWMcjx.exe
  C:\Windows\System\jeWMcjx.exe
  2⤵
  PID:10736
- C:\Windows\System\lCjYxEo.exe
  C:\Windows\System\lCjYxEo.exe
  2⤵
  PID:10784
- C:\Windows\System\nqqgJBY.exe
  C:\Windows\System\nqqgJBY.exe
  2⤵
  PID:10904
- C:\Windows\System\eNxSysa.exe
  C:\Windows\System\eNxSysa.exe
  2⤵
  PID:10880
- C:\Windows\System\AFuelAL.exe
  C:\Windows\System\AFuelAL.exe
  2⤵
  PID:10940
- C:\Windows\System\plAVANq.exe
  C:\Windows\System\plAVANq.exe
  2⤵
  PID:11012
- C:\Windows\System\JlwqIXQ.exe
  C:\Windows\System\JlwqIXQ.exe
  2⤵
  PID:11096
- C:\Windows\System\oiLXNlZ.exe
  C:\Windows\System\oiLXNlZ.exe
  2⤵
  PID:11116
- C:\Windows\System\gmqftpX.exe
  C:\Windows\System\gmqftpX.exe
  2⤵
  PID:11224
- C:\Windows\System\tvoQYqg.exe
  C:\Windows\System\tvoQYqg.exe
  2⤵
  PID:11236
- C:\Windows\System\ivJxfWL.exe
  C:\Windows\System\ivJxfWL.exe
  2⤵
  PID:10356
- C:\Windows\System\yDajZPV.exe
  C:\Windows\System\yDajZPV.exe
  2⤵
  PID:10336
- C:\Windows\System\zPveccq.exe
  C:\Windows\System\zPveccq.exe
  2⤵
  PID:10684
- C:\Windows\System\oTUBnAm.exe
  C:\Windows\System\oTUBnAm.exe
  2⤵
  PID:10748
- C:\Windows\System\qJxnmod.exe
  C:\Windows\System\qJxnmod.exe
  2⤵
  PID:10908
- C:\Windows\System\vMRyfrm.exe
  C:\Windows\System\vMRyfrm.exe
  2⤵
  PID:10844
- C:\Windows\System\BDSDmPL.exe
  C:\Windows\System\BDSDmPL.exe
  2⤵
  PID:11016
- C:\Windows\System\UyuiDoI.exe
  C:\Windows\System\UyuiDoI.exe
  2⤵
  PID:1296
- C:\Windows\System\edUhNzz.exe
  C:\Windows\System\edUhNzz.exe
  2⤵
  PID:10452
- C:\Windows\System\IsOjLHs.exe
  C:\Windows\System\IsOjLHs.exe
  2⤵
  PID:2444
- C:\Windows\System\CnuhFtc.exe
  C:\Windows\System\CnuhFtc.exe
  2⤵
  PID:10720
- C:\Windows\System\uqCpLsz.exe
  C:\Windows\System\uqCpLsz.exe
  2⤵
  PID:11152
- C:\Windows\System\oGaEWbT.exe
  C:\Windows\System\oGaEWbT.exe
  2⤵
  PID:10768
- C:\Windows\System\LljzcjH.exe
  C:\Windows\System\LljzcjH.exe
  2⤵
  PID:11288
- C:\Windows\System\ftMxGSm.exe
  C:\Windows\System\ftMxGSm.exe
  2⤵
  PID:11308
- C:\Windows\System\FLGekOW.exe
  C:\Windows\System\FLGekOW.exe
  2⤵
  PID:11352
- C:\Windows\System\FXYXuTR.exe
  C:\Windows\System\FXYXuTR.exe
  2⤵
  PID:11372
- C:\Windows\System\LkJjlws.exe
  C:\Windows\System\LkJjlws.exe
  2⤵
  PID:11396
- C:\Windows\System\tngboku.exe
  C:\Windows\System\tngboku.exe
  2⤵
  PID:11420
- C:\Windows\System\cDrkPCl.exe
  C:\Windows\System\cDrkPCl.exe
  2⤵
  PID:11436
- C:\Windows\System\FYfFVPe.exe
  C:\Windows\System\FYfFVPe.exe
  2⤵
  PID:11468
- C:\Windows\System\tXXXMup.exe
  C:\Windows\System\tXXXMup.exe
  2⤵
  PID:11508
- C:\Windows\System\NUZRuJh.exe
  C:\Windows\System\NUZRuJh.exe
  2⤵
  PID:11540
- C:\Windows\System\ZpSeOHQ.exe
  C:\Windows\System\ZpSeOHQ.exe
  2⤵
  PID:11556
- C:\Windows\System\FppLJMr.exe
  C:\Windows\System\FppLJMr.exe
  2⤵
  PID:11584
- C:\Windows\System\LzvNayH.exe
  C:\Windows\System\LzvNayH.exe
  2⤵
  PID:11604
- C:\Windows\System\ewnyUFN.exe
  C:\Windows\System\ewnyUFN.exe
  2⤵
  PID:11640
- C:\Windows\System\FYKOlKR.exe
  C:\Windows\System\FYKOlKR.exe
  2⤵
  PID:11664
- C:\Windows\System\KqWlduo.exe
  C:\Windows\System\KqWlduo.exe
  2⤵
  PID:11704
- C:\Windows\System\USlLafW.exe
  C:\Windows\System\USlLafW.exe
  2⤵
  PID:11732
- C:\Windows\System\PneVAlb.exe
  C:\Windows\System\PneVAlb.exe
  2⤵
  PID:11748
- C:\Windows\System\fbnCwFy.exe
  C:\Windows\System\fbnCwFy.exe
  2⤵
  PID:11764
- C:\Windows\System\tElDfwn.exe
  C:\Windows\System\tElDfwn.exe
  2⤵
  PID:11800
- C:\Windows\System\eucuNZI.exe
  C:\Windows\System\eucuNZI.exe
  2⤵
  PID:11860
- C:\Windows\System\SghwqFM.exe
  C:\Windows\System\SghwqFM.exe
  2⤵
  PID:11884
- C:\Windows\System\XcJPjsn.exe
  C:\Windows\System\XcJPjsn.exe
  2⤵
  PID:11908
- C:\Windows\System\UcXoETM.exe
  C:\Windows\System\UcXoETM.exe
  2⤵
  PID:11956
- C:\Windows\System\cfRiPJd.exe
  C:\Windows\System\cfRiPJd.exe
  2⤵
  PID:11976
- C:\Windows\System\MsmiNAX.exe
  C:\Windows\System\MsmiNAX.exe
  2⤵
  PID:12004
- C:\Windows\System\pxJTSFL.exe
  C:\Windows\System\pxJTSFL.exe
  2⤵
  PID:12040
- C:\Windows\System\IeGZeog.exe
  C:\Windows\System\IeGZeog.exe
  2⤵
  PID:12060
- C:\Windows\System\urGdUzP.exe
  C:\Windows\System\urGdUzP.exe
  2⤵
  PID:12088
- C:\Windows\System\RBzNENZ.exe
  C:\Windows\System\RBzNENZ.exe
  2⤵
  PID:12120
- C:\Windows\System\eTFQKFG.exe
  C:\Windows\System\eTFQKFG.exe
  2⤵
  PID:12144
- C:\Windows\System\WqGodBO.exe
  C:\Windows\System\WqGodBO.exe
  2⤵
  PID:12168
- C:\Windows\System\CPVYJvE.exe
  C:\Windows\System\CPVYJvE.exe
  2⤵
  PID:12188
- C:\Windows\System\GlkTVSa.exe
  C:\Windows\System\GlkTVSa.exe
  2⤵
  PID:12216
- C:\Windows\System\cZZbGHS.exe
  C:\Windows\System\cZZbGHS.exe
  2⤵
  PID:12244
- C:\Windows\System\uiqylvj.exe
  C:\Windows\System\uiqylvj.exe
  2⤵
  PID:12268
- C:\Windows\System\TORGRZg.exe
  C:\Windows\System\TORGRZg.exe
  2⤵
  PID:10864
- C:\Windows\System\XfcZGkk.exe
  C:\Windows\System\XfcZGkk.exe
  2⤵
  PID:11284
- C:\Windows\System\pVrzCgI.exe
  C:\Windows\System\pVrzCgI.exe
  2⤵
  PID:11300
- C:\Windows\System\MRcddsn.exe
  C:\Windows\System\MRcddsn.exe
  2⤵
  PID:11360
- C:\Windows\System\WWvOtRX.exe
  C:\Windows\System\WWvOtRX.exe
  2⤵
  PID:11444
- C:\Windows\System\PfwZWUY.exe
  C:\Windows\System\PfwZWUY.exe
  2⤵
  PID:11520
- C:\Windows\System\OvPAXLp.exe
  C:\Windows\System\OvPAXLp.exe
  2⤵
  PID:4244
- C:\Windows\System\HwwFUUk.exe
  C:\Windows\System\HwwFUUk.exe
  2⤵
  PID:11632
- C:\Windows\System\DRzXfBs.exe
  C:\Windows\System\DRzXfBs.exe
  2⤵
  PID:11716
- C:\Windows\System\iMGKsgk.exe
  C:\Windows\System\iMGKsgk.exe
  2⤵
  PID:11792
- C:\Windows\System\JDluSkb.exe
  C:\Windows\System\JDluSkb.exe
  2⤵
  PID:11848
- C:\Windows\System\BXJjGkR.exe
  C:\Windows\System\BXJjGkR.exe
  2⤵
  PID:11876
- C:\Windows\System\QJEKdbL.exe
  C:\Windows\System\QJEKdbL.exe
  2⤵
  PID:11964
- C:\Windows\System\izpaTxm.exe
  C:\Windows\System\izpaTxm.exe
  2⤵
  PID:12024
- C:\Windows\System\qdUqvDA.exe
  C:\Windows\System\qdUqvDA.exe
  2⤵
  PID:12072
- C:\Windows\System\BTfqmHj.exe
  C:\Windows\System\BTfqmHj.exe
  2⤵
  PID:12112
- C:\Windows\System\eXrdmlu.exe
  C:\Windows\System\eXrdmlu.exe
  2⤵
  PID:12160
- C:\Windows\System\fVFhkbZ.exe
  C:\Windows\System\fVFhkbZ.exe
  2⤵
  PID:2936
- C:\Windows\System\psVnovS.exe
  C:\Windows\System\psVnovS.exe
  2⤵
  PID:12252
- C:\Windows\System\BcMtnTU.exe
  C:\Windows\System\BcMtnTU.exe
  2⤵
  PID:9344
- C:\Windows\System\VAtHqhb.exe
  C:\Windows\System\VAtHqhb.exe
  2⤵
  PID:11364
- C:\Windows\System\IbIahfI.exe
  C:\Windows\System\IbIahfI.exe
  2⤵
  PID:11480
- C:\Windows\System\yOXVoLE.exe
  C:\Windows\System\yOXVoLE.exe
  2⤵
  PID:2116
- C:\Windows\System\vEvngfz.exe
  C:\Windows\System\vEvngfz.exe
  2⤵
  PID:11932
- C:\Windows\System\xxjplSk.exe
  C:\Windows\System\xxjplSk.exe
  2⤵
  PID:12140
- C:\Windows\System\EeMQBlx.exe
  C:\Windows\System\EeMQBlx.exe
  2⤵
  PID:11324
- C:\Windows\System\AnGFCjO.exe
  C:\Windows\System\AnGFCjO.exe
  2⤵
  PID:3312
- C:\Windows\System\nwlFhZO.exe
  C:\Windows\System\nwlFhZO.exe
  2⤵
  PID:11384
- C:\Windows\System\guhxPat.exe
  C:\Windows\System\guhxPat.exe
  2⤵
  PID:11836
- C:\Windows\System\PHRBwtW.exe
  C:\Windows\System\PHRBwtW.exe
  2⤵
  PID:11988
- C:\Windows\System\uLyoxRw.exe
  C:\Windows\System\uLyoxRw.exe
  2⤵
  PID:12212
- C:\Windows\System\Fkscueq.exe
  C:\Windows\System\Fkscueq.exe
  2⤵
  PID:12316
- C:\Windows\System\EIDjBBN.exe
  C:\Windows\System\EIDjBBN.exe
  2⤵
  PID:12336
- C:\Windows\System\ZQEUfik.exe
  C:\Windows\System\ZQEUfik.exe
  2⤵
  PID:12352
- C:\Windows\System\LRjDYvq.exe
  C:\Windows\System\LRjDYvq.exe
  2⤵
  PID:12380
- C:\Windows\System\jlVQQIv.exe
  C:\Windows\System\jlVQQIv.exe
  2⤵
  PID:12436
- C:\Windows\System\pwekTTv.exe
  C:\Windows\System\pwekTTv.exe
  2⤵
  PID:12460
- C:\Windows\System\IFPwxrF.exe
  C:\Windows\System\IFPwxrF.exe
  2⤵
  PID:12476
- C:\Windows\System\JBWUcTy.exe
  C:\Windows\System\JBWUcTy.exe
  2⤵
  PID:12504
- C:\Windows\System\hTXTagw.exe
  C:\Windows\System\hTXTagw.exe
  2⤵
  PID:12524
- C:\Windows\System\FXGZgUT.exe
  C:\Windows\System\FXGZgUT.exe
  2⤵
  PID:12544
- C:\Windows\System\YIkSOHA.exe
  C:\Windows\System\YIkSOHA.exe
  2⤵
  PID:12584
- C:\Windows\System\xmoCknj.exe
  C:\Windows\System\xmoCknj.exe
  2⤵
  PID:12608
- C:\Windows\System\GCqrvrf.exe
  C:\Windows\System\GCqrvrf.exe
  2⤵
  PID:12636
- C:\Windows\System\lxLATaO.exe
  C:\Windows\System\lxLATaO.exe
  2⤵
  PID:12676
- C:\Windows\System\jZHEJhi.exe
  C:\Windows\System\jZHEJhi.exe
  2⤵
  PID:12692
- C:\Windows\System\tCBnJox.exe
  C:\Windows\System\tCBnJox.exe
  2⤵
  PID:12752
- C:\Windows\System\tmCMZff.exe
  C:\Windows\System\tmCMZff.exe
  2⤵
  PID:12792
- C:\Windows\System\lilaOzC.exe
  C:\Windows\System\lilaOzC.exe
  2⤵
  PID:12816
- C:\Windows\System\eNfceMc.exe
  C:\Windows\System\eNfceMc.exe
  2⤵
  PID:12836

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LA4X8NGR\home-993d2c38b2c1[1].css

Filesize
11KB

MD5
6328d6d9a6b00ce7f992230b97b17c1f

SHA1
88837b802bdde407e37e92641072ea2eeec95556

SHA256
c9d9b80794cebd7d97daf52f7f0ce0e31bcf7a6f65a6e07851c688d67f10dba8

SHA512
993d2c38b2c15499aebdb39c1f9c21d0501d4c2a5973caec65be9ddc3ddfd6e46d06449e7483daa4fa9afa17cb81ff27a391519a64629169eb15c52911aab2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s0yj5eoa.nlq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BGCoRVT.exe

Filesize
1.7MB

MD5
b206395477ca01caa20f86f19bbf22e1

SHA1
15cb14c87859773d7f1d74ddbf7375b2b2575fa1

SHA256
143fc07984889fea722bccf7bda8427abeededb961e4240b730df697f899acd6

SHA512
b31b11939931b219c3a63c0c994942846f598cade06243fd8728f3ad72ab1d67c4630dac55e1e12034491d3bc7935bc493150afc4df1747f6cf1f9563cdef705

Download Submit
C:\Windows\System\BJIeXPC.exe

Filesize
1.7MB

MD5
1329717c7fedaa7154631a7c785a9702

SHA1
b32e5448bdf7c4cd6cd7fe144eb30edd444588ea

SHA256
bdf046c06b718ff3856982eea3405c0a8c54842793b7bc57a7c464eb5519196e

SHA512
183b3702ea1f7f42c2de83bc80e27ccb9618ccdb2d7b16b57cf55d8e37220fb558558dfde2f43ddc0a89dad97675f444fa18ab79af8867f4bd4223b8ae7a2f79

Download Submit
C:\Windows\System\BkfqXuO.exe

Filesize
1.7MB

MD5
2b3d75d02bb3f05178d295add629f6c9

SHA1
1ea1f21ddb708ae08e1c4ebe8d3b10551cf4dcbe

SHA256
1ac2bb75b81b84e28974c3a93b9cee494cc16e2334d5fcae35e18d8341806430

SHA512
6b39e17164423e1751455e93aa6dab35583306e2f361ee73a8036c226b39081a69bc0ea7d43c48a555facff93430276ebc33b89a10123f170f082e929a3c8c89

Download Submit
C:\Windows\System\EYfErSo.exe

Filesize
1.7MB

MD5
28a891ebf057020ba5cde4effd19b623

SHA1
72db2f2624a13748de060005cc6e105e83aed001

SHA256
32c0276487782a394e2391206cbffa09797c807b681677314360cd3a52c38891

SHA512
6cf6f72e856331526cd7040d2d49cd6a995f43e1ada2549ec8a08edd7845125b0fb7e7f843e44c8f0271d1078606b166a3d1bba0f32deb8880112bdfc1b7026e

Download Submit
C:\Windows\System\EvzvgAO.exe

Filesize
1.7MB

MD5
2bff79b44d9b6b07ab3243bc054a2461

SHA1
fcad21f5b12e0fd645a8a0da39e05a6fc26419e4

SHA256
1484b9270788d69df3f1bf4b1036664c2b37dce6addf82d346c382b79956ab6d

SHA512
c4a4639749835a61b787d16093c5ed5d0a3dfe3e2ccc79cc9cf592f8847777f2fa362c184420406a52f17920f6d7a05c45a1fea7ed2d8267b0649cbbadb09f8e

Download Submit
C:\Windows\System\FDeDCXe.exe

Filesize
1.7MB

MD5
cf8d17bcebbbc5fbd6a7df49a6799ecc

SHA1
44b2d5abed748f120447c815619c4d7ac3f908d9

SHA256
61b97962199121a490ecab932b408720cf32d678fbc395cc144cc7ed6bbcd9ab

SHA512
365a23cc8f42f6e14a1edb1aa528c19f6ea5fe145f82bcbe1a6f534ede811246ba5ff98e741a0c6eb0451fd4f09b586fccbc9428cb7f69c1b62e22ee6eda47bc

Download Submit
C:\Windows\System\GNoQUTF.exe

Filesize
1.7MB

MD5
fe0f3a886eff41306472f38c5824e67a

SHA1
5238b7eb104ec40d3c6d980243571247ef13f0eb

SHA256
f87dca896c9fc1e9472adbd14f908b2fdf7353018dd0866ae5d4f2a9d8e7def7

SHA512
9a548c59d48a8553d4f673d9b50cbfc8b215581b8fcb0adf765c9fe314a414a6d8c9c486fe8569ca3c4ef0fd60701dd120047fcaafcfda6ba6286a7e998f396a

Download Submit
C:\Windows\System\HbCCKbX.exe

Filesize
1.7MB

MD5
d87c3b4147784cf616efd08e59af8e2c

SHA1
18420bd4a316c5a7dcf1455355d76d2c30b4ff55

SHA256
53b42fd0e50479d8fea1dd813b32b5575827c633ed0e1f2c262b9dc0edb5991d

SHA512
ebc80f3d71e0af01006f693bbdcf6994e66dcb666604b637bc60c2f3bfccb85d4c21fcbda58a885d9bf0c1f86471096c3882c0727eb2f92235503f563f0c68f3

Download Submit
C:\Windows\System\JHGDyvQ.exe

Filesize
1.7MB

MD5
cf6c1eeb1f7d023ff96e23f42b2ac862

SHA1
48f6e61b7ae9b471bf949d58d05c4255670fbf16

SHA256
bac0e647d31090ab9c4829d272ccbaef71e6cf2bbad24b95b62a0b3b439c9e5b

SHA512
93d5cd47d2180293e7cd3bb7dd0aff663f0288d6c53514840fd358915fb96d51f1900d1469ca14e768c918a0803c80c285345b2cb6462e504cb5a1f27f40096c

Download Submit
C:\Windows\System\JfmdGVQ.exe

Filesize
1.7MB

MD5
db8217992e95ed9fd71c47f0747e0628

SHA1
25fbe240af9c8e225163f440295f4781d000f891

SHA256
8908228f6275e1d19ea1eb021e36085e5d312293a9bca712f1dfaa71b73efa41

SHA512
1522a454ab02959b8566842788dc394e81dba39f6ecd2acd53247e7fd80ad34d1ca941fa806ec2e91aa858daf7ff0860d14b9f3be4fcd1f310fb613f6d3960fd

Download Submit
C:\Windows\System\JsCkvOp.exe

Filesize
1.7MB

MD5
73f97ffabf012c7b09bf90b826aa3071

SHA1
75cb6884faa39c9bff92f60174293ee42fa9f0ca

SHA256
578cc6cf1a679a20a2284d5068706455ec890e4f542cadad4d70ec926441ade5

SHA512
7c6d0c5ddd51261b490f86937c651b327d5e2b8afc6ddbc822f750e60c71f3acc9c05b190a151dafc3dbc01ecb82624a1dc7f99a26319f810f2914bd623a37ba

Download Submit
C:\Windows\System\KndNaiV.exe

Filesize
1.7MB

MD5
9c0629a21693a517c2f2a8568769f7e0

SHA1
230e4df68f1a6faf7884f91d94220b79da598f58

SHA256
cdba6a9a585bebcda8829dfd9fdbb06b157ae4996b96505c0342687e100a1a75

SHA512
d3dc39e9c9e356f1603ef5f11ab0d574a856516dfe4eaff1f56e04da1f7d48d310abf271f777431bfcf79894eadfa8b949978590be3732412253a85e87ab3d45

Download Submit
C:\Windows\System\KzvdJir.exe

Filesize
1.7MB

MD5
eb90c4f035ee712a6ee3567b57f0c188

SHA1
011afb77abd9bb3039cba31e8bf62b7d1d9346b0

SHA256
8c2d2260f6b9af7bb6e3b33d82dac10e921bc3d30bb7e1e10d157f55f1d367b2

SHA512
340641d67feec70e6025252381488e02c916023700437470c48d342ed5c30e96b60dd23f90512e84cc71ba2cb43cfa8ff4bab092e16df6849d95d6165be96328

Download Submit
C:\Windows\System\LyNiJxe.exe

Filesize
1.7MB

MD5
28f01dafc358a452ed5acee95c757f4b

SHA1
d87c2af35fc18967a3367c1887d9e1a3231e1556

SHA256
8400a51e4293d2742c776d838b2a3523b0be169108c5ccfcfcc265445eef1a64

SHA512
2f5c38110572111c0ebd73546911229a663f1c9815dd6893fa2460d6c85e01b4d3db6001ee567e28503cf14bf4e2138758bf67918b6da2b5dcb952240edef6f1

Download Submit
C:\Windows\System\OkbbYrU.exe

Filesize
1.7MB

MD5
f91753b306f14105a0ff55386e319c8b

SHA1
ebe7f07dbbfa04603ddd2a4f66d628f9b047b76a

SHA256
a75c33c75ea12b97dc2b160e7b9c11a02cef536a5e87f01474907ee80b0dc0d3

SHA512
8dc3a21c8f989300aa0794d6ba46d1d88f5b989a7152085ee10318828eb70007add6ed1ffeb9f2832b898a065ec946b539ed1562e26387f72524eca529cd6b93

Download Submit
C:\Windows\System\OvzLEzq.exe

Filesize
1.7MB

MD5
483699aa8e37fc20f4ce0c68f0fc6be2

SHA1
8868f5d78de68989064b6f950571f5689481739f

SHA256
b190a5392347f5d6be3fae80052fe8a4b3f3fd5471b376161f0cf61dd820032c

SHA512
c35b7dac02c0f90d370369888d7448a165ef0224d6b0f8d1024228bab2f82309dc07ae5755b6fc4288abfef92dadf92a0c63e2273d0693f7b97eb4a5db4b6379

Download Submit
C:\Windows\System\RkaXmZQ.exe

Filesize
1.7MB

MD5
37c7dbca7e28782a8e54ffd5b6d1492c

SHA1
2f12631d01ecf5295c0ec47898ce58d87f6629d9

SHA256
6d8e89aba87ea87a05bbc8dba4b245ab46c7b5b87a65ebe9e7caa3bf91c3f1fb

SHA512
180030b495d56aec089485753b5a9d0162fbb2c535528629253a7eb719483bf781ecfadc69d775930bfba53d2f532f5a4c6619befcf36c14f540fa39f437584d

Download Submit
C:\Windows\System\SgyprKt.exe

Filesize
1.7MB

MD5
a513b225d1420375727305ca04e9756f

SHA1
842833cbc55476fe70e6220ead6266720157324e

SHA256
9ada8e4a98e2f39a90b4d51d7f0c981010cba48929af011ee0f15da33ac90421

SHA512
7f70af1bfcb0bec17c2ed3e66d4a5adb7bd1a5ba267045abb3f3d5472e50ff7ca071cbabaa15866a723da186c715d9ff50fc2041b67a7d4b3c3af50ab5ce02e8

Download Submit
C:\Windows\System\XJdQThp.exe

Filesize
1.7MB

MD5
939e7d15f8e2aca43f05a7108a3e5c07

SHA1
a97eb2043f7ef7a480f660e168cad40c6361a19b

SHA256
ed48eb816f220ec52cb014c83a93d5c7611c67c76905f3a74d216c8ff7a745ab

SHA512
27ded69baa6a19c4821e55fb0a476f8595b3bdf665db97568eb0207150e12156ee40da7942a14c078a9528a623812177e92232c8562761e41af2bdb78e1ba777

Download Submit
C:\Windows\System\ZKgLJoj.exe

Filesize
1.7MB

MD5
bc0741503cb078b9b9fac70131dc2b61

SHA1
cd37bc2f85b03ea84b40cefb8349bb1d2b73de22

SHA256
36ca9d8ca23142848f560ff653436d251817e7043761a3b3fe63e5c36302f854

SHA512
83cbfb3a61393d106ae998931b75b802c0eba48d16a47e29903038d1cd2d17fae53102315ef3a3f02928b0a7b19d4051662672e721964f0831fb9bd3167b1813

Download Submit
C:\Windows\System\ZVTrOGw.exe

Filesize
1.7MB

MD5
faca30d23447b8ea643dffaa4e618000

SHA1
74a5dd6c086ed9c0571c29c6dc75fe51e7215563

SHA256
8c9b024b3983176278b874a71361c72043cc3459a5836d5752df6ad0af75fbf4

SHA512
b59ee173119ce29ab608ee5431e0566dde8b9b6b2008af24774cf365d9812f055bf476a4805b22a8eef30543b224626d84bc3a399ca3e193acc0e082853532b3

Download Submit
C:\Windows\System\ZoOebmC.exe

Filesize
1.7MB

MD5
658ff3009ca44594883fd94196404c9c

SHA1
9cdf838dfd37747bec799e0b6567c1f017feda64

SHA256
ba4828adc1ace1d75f256da9ed7d2556a74ad799ba317b7da71b03666bd4319f

SHA512
c845f4ade8bf4cb7ad87857f5cdee1bb21fa360f585435e18a2dbb36a9090aabf84a07df5bc5851d16f59d941ac998001a3af82c05c8a0d490710743333bfea2

Download Submit
C:\Windows\System\aBXOERE.exe

Filesize
1.7MB

MD5
2cab2038fb454e01633bff81b69e09bc

SHA1
47e771777edccafd12903e00efe62fd1b029c248

SHA256
c5129a16f3755914d2419224eee2d1a452ec160ec7ff9654c5ca90b69d227d64

SHA512
0d957d21ec90d2b01eb69d393f2951d72083a69f6d51afbc944c6290e9bc5aa4f522d02bd749192b30e9d15b4562922aeaebf873bd44447ba7e809200cba4933

Download Submit
C:\Windows\System\akupQAc.exe

Filesize
1.7MB

MD5
45b17933e2b2be6aef8fcbab6dfc9572

SHA1
bd1b678927570f11664769ce9d385a9365d893c2

SHA256
e414fb1e9ce7ba7f22f99875bbc47a15c0b7ca9f98b668a981e311944f0a8793

SHA512
0309835bfaabef15f10e7084b0d54a790386a126ae25cf885aa39b2c362d1b24a50d5db342065f56de5ba970e56348c10d553fafcd9ad6094108a2c51c3795a1

Download Submit
C:\Windows\System\cCzyaDg.exe

Filesize
8B

MD5
9e16362b7eef9ff59cf4576b688fec20

SHA1
58714a79316bdda8b345ca47c2a7e8087e024871

SHA256
cb157cd47cb9ddacb8fa194262e9cc1364ca68490d93ad041938e77ef90ead7c

SHA512
53056e2e9a952538e1c61538c2bad2166adaf2d4a03d0e97e211329cd7f80967988343aa21690b08c2f1ad6d3fabfdc6095392f57b127d575de79d724d1a09de

Download Submit
C:\Windows\System\ctedPmx.exe

Filesize
1.7MB

MD5
4e91f7efe7f5a278424afc17db9101b1

SHA1
3e4f8ac939a15bdbc725537f26a1d61a7679def6

SHA256
54674a6efb58d586ca592865a62961de4c74475f62a3ee7e18be53b0c16ce030

SHA512
d7b0cfa5786abce5df6642854b96a97a30ad84ff77d5d5edcbf91533ec9c6751cbdd1c922e04254df9120ed9a123a6280c1821358cf202523cfeccc8ca846f47

Download Submit
C:\Windows\System\eNYpmsB.exe

Filesize
1.7MB

MD5
dd7c8afa5fbba26334e014d733fa01b7

SHA1
a4dd1269e4ce39859fe280a7f7eb9488d50c8451

SHA256
2bb300b8333b1e70c0c985309cff77206b6bd17cea44cef850caa3c0ac54db44

SHA512
bad1607c00ec996c81a330df008628df75f80dd332368f6e4485f644c0056c97d89471b7b1d3ab13ac722bcd000afa378d918436487c95b0f2aedae5e078181d

Download Submit
C:\Windows\System\jqxJEAA.exe

Filesize
1.7MB

MD5
886ae031bcc7a8868f92e46d1b862abe

SHA1
e07b4dbd68b5b1c34e54e0ed07eb68c3772988aa

SHA256
6c83811a4808c6807179a4741fe5446883c47c024a3bd61f30838f1b788c90f3

SHA512
7e8b686e65b035864948559c66b78c22c8a07a0afd22f164c3174882768d17cf7238728378b3ca869144db07f35fb7cd2e427863fe8cb10bd1847a000274ae2d

Download Submit
C:\Windows\System\qBAFrGp.exe

Filesize
1.7MB

MD5
7c0d024420ec70ff1d8edfe60a43ebea

SHA1
4f5bcecd85894aeddd34491906bc0eff0eafa529

SHA256
d87ff69cb4bd7e0b293ac919ba7a39edc1a302c9719fc69a73c829890f33d0bc

SHA512
865d745adf49cb56d756bc9c754add45ae6600a4f4a8f44dc25a70ce7d67899f2c96961b3097c55fe1bba48be3faee8f1a34713b26a2bd020a0b9168b20871b0

Download Submit
C:\Windows\System\qFXBYxC.exe

Filesize
1.7MB

MD5
3568da6d2d7992a60ee0dc0d4dc95e08

SHA1
95be6a15c17cb597780c9bffff1b18b22a919558

SHA256
49c4ac9c5e5a43a71bd765755b321ef4675b678c50a395f6aafef263a694cca0

SHA512
c109ac4802683509d92faed6d0f3d944c6947efdd383a6c7d89a98e976458eed64d864993cb74e04c5d3d0b7cb2c8d2be0db7c99cf7d1e5c5534dc10d5a222b3

Download Submit
C:\Windows\System\tgaVnCP.exe

Filesize
1.7MB

MD5
b31eea875b378a08351b23ddf5c7e513

SHA1
5770148c32c82f8f5c87a373b7dd9e7eb5105082

SHA256
38b928aa1d8aa7db69c3eb55446f81889fb58d3541f0f808cfc4e42fa20508e7

SHA512
b2108405c36b5bf733efb443e61a4ccc06b3264a1b91e5271d9d1e64ddafecd474a444431089d15d4305f3fae02a2c956b42f27531cf60c0779824ba77608c03

Download Submit
C:\Windows\System\uMePNDT.exe

Filesize
1.7MB

MD5
5934a41ad2468b0ba6694e9957404de7

SHA1
772bc170861825740afcf7131257ff2e1ac28f09

SHA256
404a7a5ef32fa6e9d76e6119149605929c89cacefbdeb52b2adf5ae141f6f1c8

SHA512
daff94ba20580bc5d1335a535f579ad5bb1b0dde06d80ea6f0693c2385ee819cd71c9fc8f2263d311b894f7661f30542f3739cd65c033f398719d0a5b57e59fa

Download Submit
C:\Windows\System\vkRuycX.exe

Filesize
1.7MB

MD5
f57939e914fc475f31229294779fa402

SHA1
83928d11e5bfd401d998c10654626119bfb1fd26

SHA256
0c31c80e5387a635b995c13d7e33a05eb134291754ce9ad0bc5cca18dce6b5ae

SHA512
cdebd6b72d8e8c0d465f500c3a0e81140f08adc944d911bcc7658eb0c47f8872f780ebdb455dc167b2d5950c5294b8595b0969bf0939a877860ca63fd986db96

Download Submit
C:\Windows\System\zfLXNCZ.exe

Filesize
1.7MB

MD5
c3428c58917ee01cb35da8b984faf126

SHA1
7d21667554b5a3357a02fb436eb9acffed7761fb

SHA256
2cef610690a0b9291b0fdc069008b2d6deb6ecd3ce8046ea8682d837d968eb49

SHA512
b1c86b796ae39f680a138105979e381d74f87ef3ae3883304d5bab7ce62c44081334571875b59d7a2ff30c9462e3096cdb869b6dea1efbecd53e36f9709fc6b9

Download Submit
memory/428-416-0x00007FF610990000-0x00007FF610D82000-memory.dmp

Filesize
3.9MB

Download
memory/428-2977-0x00007FF610990000-0x00007FF610D82000-memory.dmp

Filesize
3.9MB

Download
memory/432-2951-0x00007FF6A8EF0000-0x00007FF6A92E2000-memory.dmp

Filesize
3.9MB

Download
memory/432-93-0x00007FF6A8EF0000-0x00007FF6A92E2000-memory.dmp

Filesize
3.9MB

Download
memory/696-408-0x00007FF7720E0000-0x00007FF7724D2000-memory.dmp

Filesize
3.9MB

Download
memory/696-2968-0x00007FF7720E0000-0x00007FF7724D2000-memory.dmp

Filesize
3.9MB

Download
memory/1060-405-0x00007FF6B0050000-0x00007FF6B0442000-memory.dmp

Filesize
3.9MB

Download
memory/1060-2969-0x00007FF6B0050000-0x00007FF6B0442000-memory.dmp

Filesize
3.9MB

Download
memory/1120-2973-0x00007FF6C10A0000-0x00007FF6C1492000-memory.dmp

Filesize
3.9MB

Download
memory/1120-440-0x00007FF6C10A0000-0x00007FF6C1492000-memory.dmp

Filesize
3.9MB

Download
memory/1436-413-0x00007FF66F150000-0x00007FF66F542000-memory.dmp

Filesize
3.9MB

Download
memory/1436-2991-0x00007FF66F150000-0x00007FF66F542000-memory.dmp

Filesize
3.9MB

Download
memory/1848-2975-0x00007FF615940000-0x00007FF615D32000-memory.dmp

Filesize
3.9MB

Download
memory/1848-409-0x00007FF615940000-0x00007FF615D32000-memory.dmp

Filesize
3.9MB

Download
memory/2336-424-0x00007FF67E7D0000-0x00007FF67EBC2000-memory.dmp

Filesize
3.9MB

Download
memory/2336-2955-0x00007FF67E7D0000-0x00007FF67EBC2000-memory.dmp

Filesize
3.9MB

Download
memory/2360-2971-0x00007FF68B130000-0x00007FF68B522000-memory.dmp

Filesize
3.9MB

Download
memory/2360-437-0x00007FF68B130000-0x00007FF68B522000-memory.dmp

Filesize
3.9MB

Download
memory/2608-2945-0x00007FF636140000-0x00007FF636532000-memory.dmp

Filesize
3.9MB

Download
memory/2608-51-0x00007FF636140000-0x00007FF636532000-memory.dmp

Filesize
3.9MB

Download
memory/2816-334-0x000002C1F1BE0000-0x000002C1F2386000-memory.dmp

Filesize
7.6MB

Download
memory/2816-59-0x00007FFA16B80000-0x00007FFA17641000-memory.dmp

Filesize
10.8MB

Download
memory/2816-7-0x00007FFA16B83000-0x00007FFA16B85000-memory.dmp

Filesize
8KB

Download
memory/2816-2943-0x00007FFA16B83000-0x00007FFA16B85000-memory.dmp

Filesize
8KB

Download
memory/2816-2942-0x00007FFA16B80000-0x00007FFA17641000-memory.dmp

Filesize
10.8MB

Download
memory/2816-38-0x00007FFA16B80000-0x00007FFA17641000-memory.dmp

Filesize
10.8MB

Download
memory/2816-34-0x000002C1F1050000-0x000002C1F1072000-memory.dmp

Filesize
136KB

Download
memory/2824-2997-0x00007FF7BF740000-0x00007FF7BFB32000-memory.dmp

Filesize
3.9MB

Download
memory/2824-414-0x00007FF7BF740000-0x00007FF7BFB32000-memory.dmp

Filesize
3.9MB

Download
memory/2840-2961-0x00007FF7C59D0000-0x00007FF7C5DC2000-memory.dmp

Filesize
3.9MB

Download
memory/2840-404-0x00007FF7C59D0000-0x00007FF7C5DC2000-memory.dmp

Filesize
3.9MB

Download
memory/3020-2995-0x00007FF68D750000-0x00007FF68DB42000-memory.dmp

Filesize
3.9MB

Download
memory/3020-412-0x00007FF68D750000-0x00007FF68DB42000-memory.dmp

Filesize
3.9MB

Download
memory/3656-411-0x00007FF73D710000-0x00007FF73DB02000-memory.dmp

Filesize
3.9MB

Download
memory/3656-2993-0x00007FF73D710000-0x00007FF73DB02000-memory.dmp

Filesize
3.9MB

Download
memory/3956-406-0x00007FF6E2DD0000-0x00007FF6E31C2000-memory.dmp

Filesize
3.9MB

Download
memory/3956-2966-0x00007FF6E2DD0000-0x00007FF6E31C2000-memory.dmp

Filesize
3.9MB

Download
memory/4068-66-0x00007FF70DFD0000-0x00007FF70E3C2000-memory.dmp

Filesize
3.9MB

Download
memory/4068-2949-0x00007FF70DFD0000-0x00007FF70E3C2000-memory.dmp

Filesize
3.9MB

Download
memory/4100-417-0x00007FF777450000-0x00007FF777842000-memory.dmp

Filesize
3.9MB

Download
memory/4100-2979-0x00007FF777450000-0x00007FF777842000-memory.dmp

Filesize
3.9MB

Download
memory/4132-2957-0x00007FF71C710000-0x00007FF71CB02000-memory.dmp

Filesize
3.9MB

Download
memory/4132-92-0x00007FF71C710000-0x00007FF71CB02000-memory.dmp

Filesize
3.9MB

Download
memory/4684-407-0x00007FF6288B0000-0x00007FF628CA2000-memory.dmp

Filesize
3.9MB

Download
memory/4684-2965-0x00007FF6288B0000-0x00007FF628CA2000-memory.dmp

Filesize
3.9MB

Download
memory/4752-1-0x0000027B41630000-0x0000027B41640000-memory.dmp

Filesize
64KB

Download
memory/4752-0-0x00007FF61C360000-0x00007FF61C752000-memory.dmp

Filesize
3.9MB

Download
memory/4764-2947-0x00007FF62BEB0000-0x00007FF62C2A2000-memory.dmp

Filesize
3.9MB

Download
memory/4764-418-0x00007FF62BEB0000-0x00007FF62C2A2000-memory.dmp

Filesize
3.9MB

Download
memory/4836-2959-0x00007FF77D070000-0x00007FF77D462000-memory.dmp

Filesize
3.9MB

Download
memory/4836-432-0x00007FF77D070000-0x00007FF77D462000-memory.dmp

Filesize
3.9MB

Download
memory/4844-403-0x00007FF71E080000-0x00007FF71E472000-memory.dmp

Filesize
3.9MB

Download
memory/4844-2953-0x00007FF71E080000-0x00007FF71E472000-memory.dmp

Filesize
3.9MB

Download
memory/4956-415-0x00007FF78B9F0000-0x00007FF78BDE2000-memory.dmp

Filesize
3.9MB

Download
memory/4956-2981-0x00007FF78B9F0000-0x00007FF78BDE2000-memory.dmp

Filesize
3.9MB

Download
memory/5020-410-0x00007FF629F50000-0x00007FF62A342000-memory.dmp

Filesize
3.9MB

Download
memory/5020-2988-0x00007FF629F50000-0x00007FF62A342000-memory.dmp

Filesize
3.9MB

Download