xmrig | 89b0bccfed7ae3bd81691509a6a08279e23325bf003a16523fdb6a0bafb492b6

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02/06/2024, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
Size

3.0MB
MD5

8ef6ea27d02a5bfed61d37b126afd840
SHA1

2c21358d2cb2fa1bdf2e825f5eeb03b13905fc81
SHA256

89b0bccfed7ae3bd81691509a6a08279e23325bf003a16523fdb6a0bafb492b6
SHA512

43361dac12aa5613bf4b718e678b88fb63b4c7c22c90a91daa55c82f49b9d21cc284e991500918e957bbbe5cdefa3d33b36f411fddd5a84d9ad6b8d01f47ab17
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1Vr5s1PTleLWrJ5HYTCtTa:NABC

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 13884 created 4648	13884	WerFaultSecure.exe	80

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/2400-309-0x00007FF6A8320000-0x00007FF6A8712000-memory.dmp	xmrig
behavioral2/memory/3460-342-0x00007FF641DD0000-0x00007FF6421C2000-memory.dmp	xmrig
behavioral2/memory/4540-348-0x00007FF7434B0000-0x00007FF7438A2000-memory.dmp	xmrig
behavioral2/memory/1120-359-0x00007FF7465F0000-0x00007FF7469E2000-memory.dmp	xmrig
behavioral2/memory/1652-364-0x00007FF64BE30000-0x00007FF64C222000-memory.dmp	xmrig
behavioral2/memory/1004-363-0x00007FF7889B0000-0x00007FF788DA2000-memory.dmp	xmrig
behavioral2/memory/3640-362-0x00007FF6D3EC0000-0x00007FF6D42B2000-memory.dmp	xmrig
behavioral2/memory/428-361-0x00007FF6E6730000-0x00007FF6E6B22000-memory.dmp	xmrig
behavioral2/memory/1740-351-0x00007FF7D6910000-0x00007FF7D6D02000-memory.dmp	xmrig
behavioral2/memory/3680-347-0x00007FF7579F0000-0x00007FF757DE2000-memory.dmp	xmrig
behavioral2/memory/3720-326-0x00007FF780B70000-0x00007FF780F62000-memory.dmp	xmrig
behavioral2/memory/1840-308-0x00007FF6C6F90000-0x00007FF6C7382000-memory.dmp	xmrig
behavioral2/memory/3428-302-0x00007FF66F7E0000-0x00007FF66FBD2000-memory.dmp	xmrig
behavioral2/memory/3116-280-0x00007FF7E40A0000-0x00007FF7E4492000-memory.dmp	xmrig
behavioral2/memory/4488-232-0x00007FF7B6F50000-0x00007FF7B7342000-memory.dmp	xmrig
behavioral2/memory/3668-256-0x00007FF6CE480000-0x00007FF6CE872000-memory.dmp	xmrig
behavioral2/memory/1716-215-0x00007FF69E5E0000-0x00007FF69E9D2000-memory.dmp	xmrig
behavioral2/memory/2336-186-0x00007FF623760000-0x00007FF623B52000-memory.dmp	xmrig
behavioral2/memory/1532-185-0x00007FF68E6C0000-0x00007FF68EAB2000-memory.dmp	xmrig
behavioral2/memory/1400-161-0x00007FF7271E0000-0x00007FF7275D2000-memory.dmp	xmrig
behavioral2/memory/3592-145-0x00007FF627100000-0x00007FF6274F2000-memory.dmp	xmrig
behavioral2/memory/3524-112-0x00007FF6E2B20000-0x00007FF6E2F12000-memory.dmp	xmrig
behavioral2/memory/4480-93-0x00007FF7A7660000-0x00007FF7A7A52000-memory.dmp	xmrig
behavioral2/memory/3592-3056-0x00007FF627100000-0x00007FF6274F2000-memory.dmp	xmrig
behavioral2/memory/3116-3091-0x00007FF7E40A0000-0x00007FF7E4492000-memory.dmp	xmrig
behavioral2/memory/1716-3079-0x00007FF69E5E0000-0x00007FF69E9D2000-memory.dmp	xmrig
behavioral2/memory/1532-3083-0x00007FF68E6C0000-0x00007FF68EAB2000-memory.dmp	xmrig
behavioral2/memory/3668-3076-0x00007FF6CE480000-0x00007FF6CE872000-memory.dmp	xmrig
behavioral2/memory/4488-3065-0x00007FF7B6F50000-0x00007FF7B7342000-memory.dmp	xmrig
behavioral2/memory/1400-3071-0x00007FF7271E0000-0x00007FF7275D2000-memory.dmp	xmrig
behavioral2/memory/2336-3067-0x00007FF623760000-0x00007FF623B52000-memory.dmp	xmrig
behavioral2/memory/3524-3058-0x00007FF6E2B20000-0x00007FF6E2F12000-memory.dmp	xmrig
behavioral2/memory/3680-3191-0x00007FF7579F0000-0x00007FF757DE2000-memory.dmp	xmrig
behavioral2/memory/1740-3187-0x00007FF7D6910000-0x00007FF7D6D02000-memory.dmp	xmrig
behavioral2/memory/1120-3167-0x00007FF7465F0000-0x00007FF7469E2000-memory.dmp	xmrig
behavioral2/memory/1652-3161-0x00007FF64BE30000-0x00007FF64C222000-memory.dmp	xmrig
behavioral2/memory/4540-3136-0x00007FF7434B0000-0x00007FF7438A2000-memory.dmp	xmrig
behavioral2/memory/3640-3128-0x00007FF6D3EC0000-0x00007FF6D42B2000-memory.dmp	xmrig
behavioral2/memory/3720-3122-0x00007FF780B70000-0x00007FF780F62000-memory.dmp	xmrig
behavioral2/memory/2400-3117-0x00007FF6A8320000-0x00007FF6A8712000-memory.dmp	xmrig
behavioral2/memory/1840-3102-0x00007FF6C6F90000-0x00007FF6C7382000-memory.dmp	xmrig
behavioral2/memory/3428-3100-0x00007FF66F7E0000-0x00007FF66FBD2000-memory.dmp	xmrig
behavioral2/memory/1004-3110-0x00007FF7889B0000-0x00007FF788DA2000-memory.dmp	xmrig
behavioral2/memory/4368-4614-0x00007FF6A12A0000-0x00007FF6A1692000-memory.dmp	xmrig

Blocklisted process makes network request 8 IoCs

flow	pid	Process
9	5096	powershell.exe
11	5096	powershell.exe
13	5096	powershell.exe
14	5096	powershell.exe
16	5096	powershell.exe
17	5096	powershell.exe
18	5096	powershell.exe
19	5096	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5096	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2484	SaVNOkg.exe
428	wklCoyl.exe
4480	rtmkACc.exe
3524	KjHExPk.exe
3592	ppBKMpO.exe
1400	eKjsjLn.exe
1532	GXULOAj.exe
2336	TBeIsYj.exe
1716	NIrNexm.exe
4488	LRbDBdj.exe
3668	csKCVuQ.exe
3116	vVmuUXA.exe
3428	MFPkUrx.exe
3640	mubempN.exe
1840	xzGtKva.exe
1004	juoXbeu.exe
2400	PmsOTMS.exe
3720	KcHObkJ.exe
3460	FhiZJOU.exe
3680	kYgELkk.exe
4540	IeyIwnL.exe
1652	stnfuvH.exe
1740	smxpJkJ.exe
1120	xpeVauA.exe
4252	ZLAaoqX.exe
4992	vDXGOfd.exe
3616	wNsoHjs.exe
3180	OGflcib.exe
1564	cgZEOuz.exe
4696	AnjiLlh.exe
3288	otKSOdr.exe
1632	SHMlkRQ.exe
1504	QrBzRLt.exe
3344	CcLvdBx.exe
1072	syLNezZ.exe
2968	ZXsLHiZ.exe
1660	OgzRKaV.exe
3740	PfmtOeS.exe
2364	SPTFzhB.exe
3588	oJSYNGn.exe
3048	pkKxocQ.exe
4396	qyhvFlz.exe
4980	kUdcvmQ.exe
3184	NjQnhFD.exe
3380	nkMUhDX.exe
1148	NSkPOvL.exe
4888	aulDswE.exe
4772	VzufBQu.exe
4212	FdwQsvV.exe
5072	MKuzPQt.exe
4596	QyldDxC.exe
3228	Ryxabij.exe
4108	CxvWRqb.exe
1884	keZEjHZ.exe
5060	ylJpUSg.exe
3924	iyMqmvV.exe
2424	tmbecxz.exe
208	ifVkzcB.exe
1708	RPEOxiN.exe
3764	hHmVGRC.exe
4720	HWqhUgj.exe
4216	ThuZthk.exe
2900	akenElF.exe
4920	phoqkyV.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4368-0-0x00007FF6A12A0000-0x00007FF6A1692000-memory.dmp	upx
behavioral2/files/0x00070000000233f3-7.dat	upx
behavioral2/files/0x000a0000000233ea-5.dat	upx
behavioral2/files/0x00070000000233f2-18.dat	upx
behavioral2/files/0x00070000000233f6-29.dat	upx
behavioral2/files/0x00070000000233fa-41.dat	upx
behavioral2/files/0x00070000000233fd-48.dat	upx
behavioral2/files/0x0007000000023403-95.dat	upx
behavioral2/files/0x0007000000023409-124.dat	upx
behavioral2/files/0x0007000000023412-151.dat	upx
behavioral2/files/0x0007000000023406-174.dat	upx
behavioral2/files/0x0007000000023416-193.dat	upx
behavioral2/memory/2400-309-0x00007FF6A8320000-0x00007FF6A8712000-memory.dmp	upx
behavioral2/memory/3460-342-0x00007FF641DD0000-0x00007FF6421C2000-memory.dmp	upx
behavioral2/memory/4540-348-0x00007FF7434B0000-0x00007FF7438A2000-memory.dmp	upx
behavioral2/memory/1120-359-0x00007FF7465F0000-0x00007FF7469E2000-memory.dmp	upx
behavioral2/memory/1652-364-0x00007FF64BE30000-0x00007FF64C222000-memory.dmp	upx
behavioral2/memory/1004-363-0x00007FF7889B0000-0x00007FF788DA2000-memory.dmp	upx
behavioral2/memory/3640-362-0x00007FF6D3EC0000-0x00007FF6D42B2000-memory.dmp	upx
behavioral2/memory/428-361-0x00007FF6E6730000-0x00007FF6E6B22000-memory.dmp	upx
behavioral2/memory/1740-351-0x00007FF7D6910000-0x00007FF7D6D02000-memory.dmp	upx
behavioral2/memory/3680-347-0x00007FF7579F0000-0x00007FF757DE2000-memory.dmp	upx
behavioral2/memory/3720-326-0x00007FF780B70000-0x00007FF780F62000-memory.dmp	upx
behavioral2/memory/1840-308-0x00007FF6C6F90000-0x00007FF6C7382000-memory.dmp	upx
behavioral2/memory/3428-302-0x00007FF66F7E0000-0x00007FF66FBD2000-memory.dmp	upx
behavioral2/memory/3116-280-0x00007FF7E40A0000-0x00007FF7E4492000-memory.dmp	upx
behavioral2/memory/4488-232-0x00007FF7B6F50000-0x00007FF7B7342000-memory.dmp	upx
behavioral2/memory/3668-256-0x00007FF6CE480000-0x00007FF6CE872000-memory.dmp	upx
behavioral2/memory/1716-215-0x00007FF69E5E0000-0x00007FF69E9D2000-memory.dmp	upx
behavioral2/files/0x000700000002340e-192.dat	upx
behavioral2/files/0x000700000002340d-188.dat	upx
behavioral2/memory/2336-186-0x00007FF623760000-0x00007FF623B52000-memory.dmp	upx
behavioral2/memory/1532-185-0x00007FF68E6C0000-0x00007FF68EAB2000-memory.dmp	upx
behavioral2/files/0x0007000000023415-183.dat	upx
behavioral2/files/0x0007000000023414-180.dat	upx
behavioral2/files/0x00080000000233ef-176.dat	upx
behavioral2/files/0x000700000002340a-165.dat	upx
behavioral2/memory/1400-161-0x00007FF7271E0000-0x00007FF7275D2000-memory.dmp	upx
behavioral2/files/0x000700000002340b-160.dat	upx
behavioral2/files/0x0007000000023413-154.dat	upx
behavioral2/files/0x0007000000023405-152.dat	upx
behavioral2/files/0x0007000000023411-150.dat	upx
behavioral2/files/0x000700000002340c-173.dat	upx
behavioral2/files/0x0007000000023410-149.dat	upx
behavioral2/memory/3592-145-0x00007FF627100000-0x00007FF6274F2000-memory.dmp	upx
behavioral2/files/0x0007000000023408-144.dat	upx
behavioral2/files/0x0007000000023407-140.dat	upx
behavioral2/files/0x00070000000233fe-136.dat	upx
behavioral2/files/0x0007000000023404-127.dat	upx
behavioral2/files/0x000700000002340f-148.dat	upx
behavioral2/files/0x0007000000023402-115.dat	upx
behavioral2/files/0x0007000000023401-107.dat	upx
behavioral2/memory/3524-112-0x00007FF6E2B20000-0x00007FF6E2F12000-memory.dmp	upx
behavioral2/files/0x00070000000233fc-86.dat	upx
behavioral2/files/0x00070000000233f7-82.dat	upx
behavioral2/files/0x00070000000233fb-75.dat	upx
behavioral2/files/0x00070000000233f9-74.dat	upx
behavioral2/files/0x00070000000233f8-65.dat	upx
behavioral2/files/0x00070000000233f5-62.dat	upx
behavioral2/memory/4480-93-0x00007FF7A7660000-0x00007FF7A7A52000-memory.dmp	upx
behavioral2/files/0x00070000000233f4-47.dat	upx
behavioral2/memory/2484-10-0x00007FF78DCA0000-0x00007FF78E092000-memory.dmp	upx
behavioral2/memory/3592-3056-0x00007FF627100000-0x00007FF6274F2000-memory.dmp	upx
behavioral2/memory/3116-3091-0x00007FF7E40A0000-0x00007FF7E4492000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\NUmrmOC.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\AqRNzdD.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\RartEUY.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\hWgHguG.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\WhDAZFb.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\BeHyczx.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\EiInDMC.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\TBmimQv.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\pbWzYYw.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\EExLGCt.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\pgvtbyU.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\ZTAwmfP.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\VywEVdq.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\XCFfShO.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\bfDSchC.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\dqglQxv.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\xlSEJDm.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\qWYSpTK.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\mPRsZJl.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\zXfDbQd.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\MpcpmoJ.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\nwNeIcd.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\CcnOrQb.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\KBrblqa.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\OACQsGh.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\wJGIMzW.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\mwDerEo.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\nGdLEra.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\KYCnRyO.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\MPkENnV.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\lNyBRgh.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\qptEvVo.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\aiBaXkZ.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\YZulfpS.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\abZyZWY.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\TVbisFd.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\DGdwgsn.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\IMvIozL.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\ivRuPhB.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\ZaQHvsf.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\daNnJRB.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\FTasyUG.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\KvJJsDM.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\SBGaqXk.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\FXnjpZI.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\QLrUsEs.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\pvUqasc.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\WTuDgcn.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\axFwZkR.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\mVdQepq.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\rMLrVhy.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\SzjdVfF.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\DrFLgIX.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\VKXermT.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\zYPvghm.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\IMAnUvn.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\EWjEpFW.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\BGyFXqg.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\kRuNYwy.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\OxdifLr.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\BosJQDq.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\gcnkzNQ.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\qQlJbJa.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
File created	C:\Windows\System\oMJtzLV.exe	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
4940	Process not Found
1400	Process not Found
3592	Process not Found
1532	Process not Found
2336	Process not Found
1716	Process not Found
4488	Process not Found
3116	Process not Found
3428	Process not Found
3668	Process not Found
3640	Process not Found
1004	Process not Found
2400	Process not Found
1840	Process not Found
3720	Process not Found
4724	Process not Found
3460	Process not Found
4540	Process not Found
4768	Process not Found
4252	Process not Found
1652	Process not Found
4224	Process not Found
1120	Process not Found
404	Process not Found
5004	Process not Found
3636	Process not Found
1200	Process not Found
2152	Process not Found
3932	Process not Found
3384	Process not Found
4684	Process not Found
4988	Process not Found
1632	Process not Found
364	Process not Found
1924	Process not Found
1072	Process not Found
4484	Process not Found
1660	Process not Found
1592	Process not Found
4204	Process not Found
4116	Process not Found
924	Process not Found
3184	Process not Found
4652	Process not Found
4980	Process not Found
620	Process not Found
2976	Process not Found
4408	Process not Found
3056	Process not Found
2056	Process not Found
624	Process not Found
1416	Process not Found
1936	Process not Found
2724	Process not Found
4828	Process not Found
2244	Process not Found
2508	Process not Found
2324	Process not Found
2148	Process not Found
4092	Process not Found
1640	Process not Found
5220	Process not Found
2692	Process not Found
3796	Process not Found

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	powershell.exe
Token: SeLockMemoryPrivilege	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	14096	dwm.exe
Token: SeChangeNotifyPrivilege	14096	dwm.exe
Token: 33	14096	dwm.exe
Token: SeIncBasePriorityPrivilege	14096	dwm.exe
Token: SeCreateGlobalPrivilege	14012	dwm.exe
Token: SeChangeNotifyPrivilege	14012	dwm.exe
Token: 33	14012	dwm.exe
Token: SeIncBasePriorityPrivilege	14012	dwm.exe
Token: SeCreateGlobalPrivilege	14032	dwm.exe
Token: SeChangeNotifyPrivilege	14032	dwm.exe
Token: 33	14032	dwm.exe
Token: SeIncBasePriorityPrivilege	14032	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 5096	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	84
PID 4368 wrote to memory of 5096	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	84
PID 4368 wrote to memory of 2484	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	85
PID 4368 wrote to memory of 2484	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	85
PID 4368 wrote to memory of 428	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	86
PID 4368 wrote to memory of 428	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	86
PID 4368 wrote to memory of 4480	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	87
PID 4368 wrote to memory of 4480	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	87
PID 4368 wrote to memory of 3524	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	88
PID 4368 wrote to memory of 3524	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	88
PID 4368 wrote to memory of 3592	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	89
PID 4368 wrote to memory of 3592	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	89
PID 4368 wrote to memory of 1400	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	90
PID 4368 wrote to memory of 1400	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	90
PID 4368 wrote to memory of 1532	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	91
PID 4368 wrote to memory of 1532	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	91
PID 4368 wrote to memory of 2336	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	92
PID 4368 wrote to memory of 2336	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	92
PID 4368 wrote to memory of 1716	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	93
PID 4368 wrote to memory of 1716	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	93
PID 4368 wrote to memory of 4488	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	94
PID 4368 wrote to memory of 4488	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	94
PID 4368 wrote to memory of 3668	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	95
PID 4368 wrote to memory of 3668	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	95
PID 4368 wrote to memory of 3116	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	96
PID 4368 wrote to memory of 3116	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	96
PID 4368 wrote to memory of 3428	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	97
PID 4368 wrote to memory of 3428	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	97
PID 4368 wrote to memory of 3640	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	98
PID 4368 wrote to memory of 3640	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	98
PID 4368 wrote to memory of 1840	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	99
PID 4368 wrote to memory of 1840	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	99
PID 4368 wrote to memory of 1004	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	100
PID 4368 wrote to memory of 1004	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	100
PID 4368 wrote to memory of 2400	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	101
PID 4368 wrote to memory of 2400	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	101
PID 4368 wrote to memory of 3720	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	102
PID 4368 wrote to memory of 3720	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	102
PID 4368 wrote to memory of 3460	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	103
PID 4368 wrote to memory of 3460	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	103
PID 4368 wrote to memory of 3680	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	104
PID 4368 wrote to memory of 3680	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	104
PID 4368 wrote to memory of 4540	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	105
PID 4368 wrote to memory of 4540	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	105
PID 4368 wrote to memory of 4252	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	106
PID 4368 wrote to memory of 4252	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	106
PID 4368 wrote to memory of 1652	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	107
PID 4368 wrote to memory of 1652	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	107
PID 4368 wrote to memory of 1740	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	108
PID 4368 wrote to memory of 1740	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	108
PID 4368 wrote to memory of 1120	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	109
PID 4368 wrote to memory of 1120	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	109
PID 4368 wrote to memory of 1504	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	110
PID 4368 wrote to memory of 1504	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	110
PID 4368 wrote to memory of 3344	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	111
PID 4368 wrote to memory of 3344	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	111
PID 4368 wrote to memory of 4992	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	112
PID 4368 wrote to memory of 4992	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	112
PID 4368 wrote to memory of 3616	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	113
PID 4368 wrote to memory of 3616	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	113
PID 4368 wrote to memory of 3180	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	114
PID 4368 wrote to memory of 3180	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	114
PID 4368 wrote to memory of 1564	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	115
PID 4368 wrote to memory of 1564	4368	8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe	115

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4648
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 4648 -s 1488
  2⤵
  PID:12220

C:\Users\Admin\AppData\Local\Temp\8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8ef6ea27d02a5bfed61d37b126afd840_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5096
- C:\Windows\System\SaVNOkg.exe
  C:\Windows\System\SaVNOkg.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\wklCoyl.exe
  C:\Windows\System\wklCoyl.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\rtmkACc.exe
  C:\Windows\System\rtmkACc.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\KjHExPk.exe
  C:\Windows\System\KjHExPk.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\ppBKMpO.exe
  C:\Windows\System\ppBKMpO.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\eKjsjLn.exe
  C:\Windows\System\eKjsjLn.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\GXULOAj.exe
  C:\Windows\System\GXULOAj.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\TBeIsYj.exe
  C:\Windows\System\TBeIsYj.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\NIrNexm.exe
  C:\Windows\System\NIrNexm.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\LRbDBdj.exe
  C:\Windows\System\LRbDBdj.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\csKCVuQ.exe
  C:\Windows\System\csKCVuQ.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\vVmuUXA.exe
  C:\Windows\System\vVmuUXA.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\MFPkUrx.exe
  C:\Windows\System\MFPkUrx.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\mubempN.exe
  C:\Windows\System\mubempN.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\xzGtKva.exe
  C:\Windows\System\xzGtKva.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\juoXbeu.exe
  C:\Windows\System\juoXbeu.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\PmsOTMS.exe
  C:\Windows\System\PmsOTMS.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\KcHObkJ.exe
  C:\Windows\System\KcHObkJ.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\FhiZJOU.exe
  C:\Windows\System\FhiZJOU.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\kYgELkk.exe
  C:\Windows\System\kYgELkk.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\IeyIwnL.exe
  C:\Windows\System\IeyIwnL.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\ZLAaoqX.exe
  C:\Windows\System\ZLAaoqX.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\stnfuvH.exe
  C:\Windows\System\stnfuvH.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\smxpJkJ.exe
  C:\Windows\System\smxpJkJ.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\xpeVauA.exe
  C:\Windows\System\xpeVauA.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\QrBzRLt.exe
  C:\Windows\System\QrBzRLt.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\CcLvdBx.exe
  C:\Windows\System\CcLvdBx.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\vDXGOfd.exe
  C:\Windows\System\vDXGOfd.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\wNsoHjs.exe
  C:\Windows\System\wNsoHjs.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\OGflcib.exe
  C:\Windows\System\OGflcib.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\cgZEOuz.exe
  C:\Windows\System\cgZEOuz.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\AnjiLlh.exe
  C:\Windows\System\AnjiLlh.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\otKSOdr.exe
  C:\Windows\System\otKSOdr.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\SHMlkRQ.exe
  C:\Windows\System\SHMlkRQ.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\syLNezZ.exe
  C:\Windows\System\syLNezZ.exe
  2⤵
  - Executes dropped EXE
  PID:1072
- C:\Windows\System\ZXsLHiZ.exe
  C:\Windows\System\ZXsLHiZ.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\OgzRKaV.exe
  C:\Windows\System\OgzRKaV.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\PfmtOeS.exe
  C:\Windows\System\PfmtOeS.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\SPTFzhB.exe
  C:\Windows\System\SPTFzhB.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\oJSYNGn.exe
  C:\Windows\System\oJSYNGn.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\pkKxocQ.exe
  C:\Windows\System\pkKxocQ.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\qyhvFlz.exe
  C:\Windows\System\qyhvFlz.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\kUdcvmQ.exe
  C:\Windows\System\kUdcvmQ.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\NjQnhFD.exe
  C:\Windows\System\NjQnhFD.exe
  2⤵
  - Executes dropped EXE
  PID:3184
- C:\Windows\System\nkMUhDX.exe
  C:\Windows\System\nkMUhDX.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\NSkPOvL.exe
  C:\Windows\System\NSkPOvL.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\aulDswE.exe
  C:\Windows\System\aulDswE.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\VzufBQu.exe
  C:\Windows\System\VzufBQu.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\FdwQsvV.exe
  C:\Windows\System\FdwQsvV.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\MKuzPQt.exe
  C:\Windows\System\MKuzPQt.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\QyldDxC.exe
  C:\Windows\System\QyldDxC.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\Ryxabij.exe
  C:\Windows\System\Ryxabij.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\CxvWRqb.exe
  C:\Windows\System\CxvWRqb.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\keZEjHZ.exe
  C:\Windows\System\keZEjHZ.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\ylJpUSg.exe
  C:\Windows\System\ylJpUSg.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\iyMqmvV.exe
  C:\Windows\System\iyMqmvV.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\tmbecxz.exe
  C:\Windows\System\tmbecxz.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\ifVkzcB.exe
  C:\Windows\System\ifVkzcB.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\RPEOxiN.exe
  C:\Windows\System\RPEOxiN.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\hHmVGRC.exe
  C:\Windows\System\hHmVGRC.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\HWqhUgj.exe
  C:\Windows\System\HWqhUgj.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\ThuZthk.exe
  C:\Windows\System\ThuZthk.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\akenElF.exe
  C:\Windows\System\akenElF.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\phoqkyV.exe
  C:\Windows\System\phoqkyV.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\kaZXZRi.exe
  C:\Windows\System\kaZXZRi.exe
  2⤵
  PID:1732
- C:\Windows\System\dhjFsfR.exe
  C:\Windows\System\dhjFsfR.exe
  2⤵
  PID:2668
- C:\Windows\System\vJtzrcU.exe
  C:\Windows\System\vJtzrcU.exe
  2⤵
  PID:4636
- C:\Windows\System\DpKSvPD.exe
  C:\Windows\System\DpKSvPD.exe
  2⤵
  PID:2212
- C:\Windows\System\JIYQgRC.exe
  C:\Windows\System\JIYQgRC.exe
  2⤵
  PID:3548
- C:\Windows\System\wLaWKna.exe
  C:\Windows\System\wLaWKna.exe
  2⤵
  PID:2720
- C:\Windows\System\opnRmUi.exe
  C:\Windows\System\opnRmUi.exe
  2⤵
  PID:4840
- C:\Windows\System\drQGMRa.exe
  C:\Windows\System\drQGMRa.exe
  2⤵
  PID:4632
- C:\Windows\System\ZTAwmfP.exe
  C:\Windows\System\ZTAwmfP.exe
  2⤵
  PID:4424
- C:\Windows\System\cOQPmVb.exe
  C:\Windows\System\cOQPmVb.exe
  2⤵
  PID:1640
- C:\Windows\System\pCEokwW.exe
  C:\Windows\System\pCEokwW.exe
  2⤵
  PID:4104
- C:\Windows\System\qrauKRV.exe
  C:\Windows\System\qrauKRV.exe
  2⤵
  PID:5180
- C:\Windows\System\TxyXmOj.exe
  C:\Windows\System\TxyXmOj.exe
  2⤵
  PID:5196
- C:\Windows\System\thqYNpZ.exe
  C:\Windows\System\thqYNpZ.exe
  2⤵
  PID:5216
- C:\Windows\System\cZIeNBB.exe
  C:\Windows\System\cZIeNBB.exe
  2⤵
  PID:5332
- C:\Windows\System\psRhZOO.exe
  C:\Windows\System\psRhZOO.exe
  2⤵
  PID:5356
- C:\Windows\System\BxXUxUG.exe
  C:\Windows\System\BxXUxUG.exe
  2⤵
  PID:5392
- C:\Windows\System\xhbppRp.exe
  C:\Windows\System\xhbppRp.exe
  2⤵
  PID:5420
- C:\Windows\System\GPlbryJ.exe
  C:\Windows\System\GPlbryJ.exe
  2⤵
  PID:5472
- C:\Windows\System\LXZdutj.exe
  C:\Windows\System\LXZdutj.exe
  2⤵
  PID:5496
- C:\Windows\System\OYJGYWG.exe
  C:\Windows\System\OYJGYWG.exe
  2⤵
  PID:5512
- C:\Windows\System\wkBrqOW.exe
  C:\Windows\System\wkBrqOW.exe
  2⤵
  PID:5532
- C:\Windows\System\IHZOxvz.exe
  C:\Windows\System\IHZOxvz.exe
  2⤵
  PID:5560
- C:\Windows\System\lMTzTtY.exe
  C:\Windows\System\lMTzTtY.exe
  2⤵
  PID:5588
- C:\Windows\System\jMbhHIO.exe
  C:\Windows\System\jMbhHIO.exe
  2⤵
  PID:4012
- C:\Windows\System\ZNkZMvy.exe
  C:\Windows\System\ZNkZMvy.exe
  2⤵
  PID:6012
- C:\Windows\System\LjrrasI.exe
  C:\Windows\System\LjrrasI.exe
  2⤵
  PID:4924
- C:\Windows\System\HSvYlak.exe
  C:\Windows\System\HSvYlak.exe
  2⤵
  PID:6036
- C:\Windows\System\idNczmy.exe
  C:\Windows\System\idNczmy.exe
  2⤵
  PID:3952
- C:\Windows\System\eBKMPKl.exe
  C:\Windows\System\eBKMPKl.exe
  2⤵
  PID:6060
- C:\Windows\System\jplRYLS.exe
  C:\Windows\System\jplRYLS.exe
  2⤵
  PID:2224
- C:\Windows\System\LQUsdwb.exe
  C:\Windows\System\LQUsdwb.exe
  2⤵
  PID:6088
- C:\Windows\System\EFZnlfR.exe
  C:\Windows\System\EFZnlfR.exe
  2⤵
  PID:6116
- C:\Windows\System\NByoNYl.exe
  C:\Windows\System\NByoNYl.exe
  2⤵
  PID:6136
- C:\Windows\System\EEDkhrV.exe
  C:\Windows\System\EEDkhrV.exe
  2⤵
  PID:2572
- C:\Windows\System\AOzcITV.exe
  C:\Windows\System\AOzcITV.exe
  2⤵
  PID:4060
- C:\Windows\System\ouwlkCt.exe
  C:\Windows\System\ouwlkCt.exe
  2⤵
  PID:1808
- C:\Windows\System\ApYecjB.exe
  C:\Windows\System\ApYecjB.exe
  2⤵
  PID:376
- C:\Windows\System\lTbHJwS.exe
  C:\Windows\System\lTbHJwS.exe
  2⤵
  PID:3052
- C:\Windows\System\SBPFSKX.exe
  C:\Windows\System\SBPFSKX.exe
  2⤵
  PID:2044
- C:\Windows\System\uIwEmRD.exe
  C:\Windows\System\uIwEmRD.exe
  2⤵
  PID:4952
- C:\Windows\System\FycMAJe.exe
  C:\Windows\System\FycMAJe.exe
  2⤵
  PID:540
- C:\Windows\System\HeNjZou.exe
  C:\Windows\System\HeNjZou.exe
  2⤵
  PID:4516
- C:\Windows\System\gYhkxiX.exe
  C:\Windows\System\gYhkxiX.exe
  2⤵
  PID:4416
- C:\Windows\System\ahQjkRX.exe
  C:\Windows\System\ahQjkRX.exe
  2⤵
  PID:5192
- C:\Windows\System\VbnNfeN.exe
  C:\Windows\System\VbnNfeN.exe
  2⤵
  PID:5292
- C:\Windows\System\fIGSebT.exe
  C:\Windows\System\fIGSebT.exe
  2⤵
  PID:5340
- C:\Windows\System\XZiHGAV.exe
  C:\Windows\System\XZiHGAV.exe
  2⤵
  PID:5368
- C:\Windows\System\aZSNKhB.exe
  C:\Windows\System\aZSNKhB.exe
  2⤵
  PID:5412
- C:\Windows\System\KMOONjO.exe
  C:\Windows\System\KMOONjO.exe
  2⤵
  PID:5460
- C:\Windows\System\JNrzdDE.exe
  C:\Windows\System\JNrzdDE.exe
  2⤵
  PID:5672
- C:\Windows\System\aCQdFdR.exe
  C:\Windows\System\aCQdFdR.exe
  2⤵
  PID:5828
- C:\Windows\System\pjoKsxx.exe
  C:\Windows\System\pjoKsxx.exe
  2⤵
  PID:5520
- C:\Windows\System\BHNBcBZ.exe
  C:\Windows\System\BHNBcBZ.exe
  2⤵
  PID:5652
- C:\Windows\System\OVIgtBX.exe
  C:\Windows\System\OVIgtBX.exe
  2⤵
  PID:5732
- C:\Windows\System\ixmAoPh.exe
  C:\Windows\System\ixmAoPh.exe
  2⤵
  PID:5760
- C:\Windows\System\nDATOSA.exe
  C:\Windows\System\nDATOSA.exe
  2⤵
  PID:4892
- C:\Windows\System\VYBAARs.exe
  C:\Windows\System\VYBAARs.exe
  2⤵
  PID:2132
- C:\Windows\System\AKCwcWr.exe
  C:\Windows\System\AKCwcWr.exe
  2⤵
  PID:5928
- C:\Windows\System\FATUuPg.exe
  C:\Windows\System\FATUuPg.exe
  2⤵
  PID:5940
- C:\Windows\System\Noypkee.exe
  C:\Windows\System\Noypkee.exe
  2⤵
  PID:5960
- C:\Windows\System\MuORxFM.exe
  C:\Windows\System\MuORxFM.exe
  2⤵
  PID:5872
- C:\Windows\System\zliyiUk.exe
  C:\Windows\System\zliyiUk.exe
  2⤵
  PID:3060
- C:\Windows\System\Ohbdldz.exe
  C:\Windows\System\Ohbdldz.exe
  2⤵
  PID:5996
- C:\Windows\System\kfzOrkV.exe
  C:\Windows\System\kfzOrkV.exe
  2⤵
  PID:3912
- C:\Windows\System\octHGdQ.exe
  C:\Windows\System\octHGdQ.exe
  2⤵
  PID:380
- C:\Windows\System\LQZeLqB.exe
  C:\Windows\System\LQZeLqB.exe
  2⤵
  PID:1248
- C:\Windows\System\xcIdwVv.exe
  C:\Windows\System\xcIdwVv.exe
  2⤵
  PID:6056
- C:\Windows\System\gaXRoFt.exe
  C:\Windows\System\gaXRoFt.exe
  2⤵
  PID:6100
- C:\Windows\System\oJThgyU.exe
  C:\Windows\System\oJThgyU.exe
  2⤵
  PID:2448
- C:\Windows\System\oXQggSE.exe
  C:\Windows\System\oXQggSE.exe
  2⤵
  PID:6128
- C:\Windows\System\TTtOqEX.exe
  C:\Windows\System\TTtOqEX.exe
  2⤵
  PID:1428
- C:\Windows\System\iWXoZmo.exe
  C:\Windows\System\iWXoZmo.exe
  2⤵
  PID:5100
- C:\Windows\System\dBpCQat.exe
  C:\Windows\System\dBpCQat.exe
  2⤵
  PID:2432
- C:\Windows\System\CfNmkqb.exe
  C:\Windows\System\CfNmkqb.exe
  2⤵
  PID:2928
- C:\Windows\System\dqhkIOz.exe
  C:\Windows\System\dqhkIOz.exe
  2⤵
  PID:4552
- C:\Windows\System\OwmyKas.exe
  C:\Windows\System\OwmyKas.exe
  2⤵
  PID:5276
- C:\Windows\System\Ohnjgfd.exe
  C:\Windows\System\Ohnjgfd.exe
  2⤵
  PID:5316
- C:\Windows\System\sMoUzGs.exe
  C:\Windows\System\sMoUzGs.exe
  2⤵
  PID:5776
- C:\Windows\System\hZfuUTU.exe
  C:\Windows\System\hZfuUTU.exe
  2⤵
  PID:5440
- C:\Windows\System\ZJYEqvd.exe
  C:\Windows\System\ZJYEqvd.exe
  2⤵
  PID:5480
- C:\Windows\System\TresjHY.exe
  C:\Windows\System\TresjHY.exe
  2⤵
  PID:4168
- C:\Windows\System\vzgtSyQ.exe
  C:\Windows\System\vzgtSyQ.exe
  2⤵
  PID:4848
- C:\Windows\System\zYPvghm.exe
  C:\Windows\System\zYPvghm.exe
  2⤵
  PID:2368
- C:\Windows\System\LdwTRVA.exe
  C:\Windows\System\LdwTRVA.exe
  2⤵
  PID:6080
- C:\Windows\System\EiInDMC.exe
  C:\Windows\System\EiInDMC.exe
  2⤵
  PID:3892
- C:\Windows\System\lSqDAWw.exe
  C:\Windows\System\lSqDAWw.exe
  2⤵
  PID:2460
- C:\Windows\System\tAaZpYE.exe
  C:\Windows\System\tAaZpYE.exe
  2⤵
  PID:3124
- C:\Windows\System\xHmnaBB.exe
  C:\Windows\System\xHmnaBB.exe
  2⤵
  PID:4884
- C:\Windows\System\NNOGYRo.exe
  C:\Windows\System\NNOGYRo.exe
  2⤵
  PID:5308
- C:\Windows\System\DMCKUYF.exe
  C:\Windows\System\DMCKUYF.exe
  2⤵
  PID:5208
- C:\Windows\System\cRtcGvA.exe
  C:\Windows\System\cRtcGvA.exe
  2⤵
  PID:3864
- C:\Windows\System\jXuwwrT.exe
  C:\Windows\System\jXuwwrT.exe
  2⤵
  PID:4460
- C:\Windows\System\IkiQdma.exe
  C:\Windows\System\IkiQdma.exe
  2⤵
  PID:6172
- C:\Windows\System\nPErxQi.exe
  C:\Windows\System\nPErxQi.exe
  2⤵
  PID:6196
- C:\Windows\System\xUqKUEE.exe
  C:\Windows\System\xUqKUEE.exe
  2⤵
  PID:6220
- C:\Windows\System\uqjJfcQ.exe
  C:\Windows\System\uqjJfcQ.exe
  2⤵
  PID:6248
- C:\Windows\System\oRlyzQN.exe
  C:\Windows\System\oRlyzQN.exe
  2⤵
  PID:6276
- C:\Windows\System\YsbLCgA.exe
  C:\Windows\System\YsbLCgA.exe
  2⤵
  PID:6300
- C:\Windows\System\htESNzF.exe
  C:\Windows\System\htESNzF.exe
  2⤵
  PID:6328
- C:\Windows\System\snxYMnH.exe
  C:\Windows\System\snxYMnH.exe
  2⤵
  PID:6356
- C:\Windows\System\XkAAWAI.exe
  C:\Windows\System\XkAAWAI.exe
  2⤵
  PID:6380
- C:\Windows\System\agxolpK.exe
  C:\Windows\System\agxolpK.exe
  2⤵
  PID:6404
- C:\Windows\System\DbFeEOl.exe
  C:\Windows\System\DbFeEOl.exe
  2⤵
  PID:6428
- C:\Windows\System\PeZRPMZ.exe
  C:\Windows\System\PeZRPMZ.exe
  2⤵
  PID:6452
- C:\Windows\System\bpjRgqj.exe
  C:\Windows\System\bpjRgqj.exe
  2⤵
  PID:6472
- C:\Windows\System\BGdnnvS.exe
  C:\Windows\System\BGdnnvS.exe
  2⤵
  PID:6500
- C:\Windows\System\YJlXMaq.exe
  C:\Windows\System\YJlXMaq.exe
  2⤵
  PID:6536
- C:\Windows\System\UlEqgjt.exe
  C:\Windows\System\UlEqgjt.exe
  2⤵
  PID:6556
- C:\Windows\System\DdtJTsT.exe
  C:\Windows\System\DdtJTsT.exe
  2⤵
  PID:6584
- C:\Windows\System\ynWLIdS.exe
  C:\Windows\System\ynWLIdS.exe
  2⤵
  PID:6608
- C:\Windows\System\ZttCbli.exe
  C:\Windows\System\ZttCbli.exe
  2⤵
  PID:6628
- C:\Windows\System\cFmwHtM.exe
  C:\Windows\System\cFmwHtM.exe
  2⤵
  PID:6652
- C:\Windows\System\ofllozZ.exe
  C:\Windows\System\ofllozZ.exe
  2⤵
  PID:6688
- C:\Windows\System\dDCNFqV.exe
  C:\Windows\System\dDCNFqV.exe
  2⤵
  PID:6712
- C:\Windows\System\piSCGbg.exe
  C:\Windows\System\piSCGbg.exe
  2⤵
  PID:6736
- C:\Windows\System\baFVPtO.exe
  C:\Windows\System\baFVPtO.exe
  2⤵
  PID:6760
- C:\Windows\System\MZrvNNR.exe
  C:\Windows\System\MZrvNNR.exe
  2⤵
  PID:6788
- C:\Windows\System\wmyeFzd.exe
  C:\Windows\System\wmyeFzd.exe
  2⤵
  PID:6816
- C:\Windows\System\eyNhTwe.exe
  C:\Windows\System\eyNhTwe.exe
  2⤵
  PID:6836
- C:\Windows\System\OEsdLyB.exe
  C:\Windows\System\OEsdLyB.exe
  2⤵
  PID:6868
- C:\Windows\System\bbiHLfq.exe
  C:\Windows\System\bbiHLfq.exe
  2⤵
  PID:6888
- C:\Windows\System\GXwJFCn.exe
  C:\Windows\System\GXwJFCn.exe
  2⤵
  PID:6916
- C:\Windows\System\KFeEdch.exe
  C:\Windows\System\KFeEdch.exe
  2⤵
  PID:6940
- C:\Windows\System\ezzJKcA.exe
  C:\Windows\System\ezzJKcA.exe
  2⤵
  PID:6968
- C:\Windows\System\vMjyJoo.exe
  C:\Windows\System\vMjyJoo.exe
  2⤵
  PID:6992
- C:\Windows\System\ebDEyOs.exe
  C:\Windows\System\ebDEyOs.exe
  2⤵
  PID:7012
- C:\Windows\System\GAzJHVD.exe
  C:\Windows\System\GAzJHVD.exe
  2⤵
  PID:7048
- C:\Windows\System\AcUfRqn.exe
  C:\Windows\System\AcUfRqn.exe
  2⤵
  PID:7076
- C:\Windows\System\bBcAkjx.exe
  C:\Windows\System\bBcAkjx.exe
  2⤵
  PID:7096
- C:\Windows\System\aaNwAVl.exe
  C:\Windows\System\aaNwAVl.exe
  2⤵
  PID:7120
- C:\Windows\System\IMAnUvn.exe
  C:\Windows\System\IMAnUvn.exe
  2⤵
  PID:7148
- C:\Windows\System\qmSqaKO.exe
  C:\Windows\System\qmSqaKO.exe
  2⤵
  PID:5724
- C:\Windows\System\tYuCuYb.exe
  C:\Windows\System\tYuCuYb.exe
  2⤵
  PID:5808
- C:\Windows\System\qijpuSr.exe
  C:\Windows\System\qijpuSr.exe
  2⤵
  PID:2596
- C:\Windows\System\orTPwiC.exe
  C:\Windows\System\orTPwiC.exe
  2⤵
  PID:5448
- C:\Windows\System\pRRiwto.exe
  C:\Windows\System\pRRiwto.exe
  2⤵
  PID:1192
- C:\Windows\System\UYCRaLx.exe
  C:\Windows\System\UYCRaLx.exe
  2⤵
  PID:6268
- C:\Windows\System\JnXDVSS.exe
  C:\Windows\System\JnXDVSS.exe
  2⤵
  PID:6292
- C:\Windows\System\CeBUxtp.exe
  C:\Windows\System\CeBUxtp.exe
  2⤵
  PID:6344
- C:\Windows\System\IeqtHDH.exe
  C:\Windows\System\IeqtHDH.exe
  2⤵
  PID:6212
- C:\Windows\System\YVaYJJV.exe
  C:\Windows\System\YVaYJJV.exe
  2⤵
  PID:6372
- C:\Windows\System\tzXUINW.exe
  C:\Windows\System\tzXUINW.exe
  2⤵
  PID:6392
- C:\Windows\System\cQgjEMI.exe
  C:\Windows\System\cQgjEMI.exe
  2⤵
  PID:6572
- C:\Windows\System\dRnhLld.exe
  C:\Windows\System\dRnhLld.exe
  2⤵
  PID:6416
- C:\Windows\System\hwuHXRs.exe
  C:\Windows\System\hwuHXRs.exe
  2⤵
  PID:6468
- C:\Windows\System\zXXmPXR.exe
  C:\Windows\System\zXXmPXR.exe
  2⤵
  PID:6320
- C:\Windows\System\hpUSxsF.exe
  C:\Windows\System\hpUSxsF.exe
  2⤵
  PID:6776
- C:\Windows\System\yInYzOv.exe
  C:\Windows\System\yInYzOv.exe
  2⤵
  PID:6828
- C:\Windows\System\ZgqgDly.exe
  C:\Windows\System\ZgqgDly.exe
  2⤵
  PID:6900
- C:\Windows\System\AJBxmrs.exe
  C:\Windows\System\AJBxmrs.exe
  2⤵
  PID:6796
- C:\Windows\System\tHompvj.exe
  C:\Windows\System\tHompvj.exe
  2⤵
  PID:6640
- C:\Windows\System\dfzmssI.exe
  C:\Windows\System\dfzmssI.exe
  2⤵
  PID:7036
- C:\Windows\System\ZIBnBHl.exe
  C:\Windows\System\ZIBnBHl.exe
  2⤵
  PID:6884
- C:\Windows\System\bUSBHEB.exe
  C:\Windows\System\bUSBHEB.exe
  2⤵
  PID:7116
- C:\Windows\System\WZWEPXc.exe
  C:\Windows\System\WZWEPXc.exe
  2⤵
  PID:7160
- C:\Windows\System\MULDufF.exe
  C:\Windows\System\MULDufF.exe
  2⤵
  PID:3676
- C:\Windows\System\fBQqSXV.exe
  C:\Windows\System\fBQqSXV.exe
  2⤵
  PID:7064
- C:\Windows\System\EuNUheW.exe
  C:\Windows\System\EuNUheW.exe
  2⤵
  PID:6240
- C:\Windows\System\bSrzlAz.exe
  C:\Windows\System\bSrzlAz.exe
  2⤵
  PID:6616
- C:\Windows\System\BUfRsXP.exe
  C:\Windows\System\BUfRsXP.exe
  2⤵
  PID:6724
- C:\Windows\System\bwvDalv.exe
  C:\Windows\System\bwvDalv.exe
  2⤵
  PID:7172
- C:\Windows\System\eHbdTBp.exe
  C:\Windows\System\eHbdTBp.exe
  2⤵
  PID:7204
- C:\Windows\System\TVbisFd.exe
  C:\Windows\System\TVbisFd.exe
  2⤵
  PID:7232
- C:\Windows\System\grabQAn.exe
  C:\Windows\System\grabQAn.exe
  2⤵
  PID:7256
- C:\Windows\System\qDSfbWv.exe
  C:\Windows\System\qDSfbWv.exe
  2⤵
  PID:7284
- C:\Windows\System\YuRZlNj.exe
  C:\Windows\System\YuRZlNj.exe
  2⤵
  PID:7308
- C:\Windows\System\EnrOCEJ.exe
  C:\Windows\System\EnrOCEJ.exe
  2⤵
  PID:7332
- C:\Windows\System\GQIQcuN.exe
  C:\Windows\System\GQIQcuN.exe
  2⤵
  PID:7356
- C:\Windows\System\syyGmLP.exe
  C:\Windows\System\syyGmLP.exe
  2⤵
  PID:7384
- C:\Windows\System\mNZGHyH.exe
  C:\Windows\System\mNZGHyH.exe
  2⤵
  PID:7404
- C:\Windows\System\dHODSNS.exe
  C:\Windows\System\dHODSNS.exe
  2⤵
  PID:7432
- C:\Windows\System\lcYAZSh.exe
  C:\Windows\System\lcYAZSh.exe
  2⤵
  PID:7452
- C:\Windows\System\VQxWeBB.exe
  C:\Windows\System\VQxWeBB.exe
  2⤵
  PID:7476
- C:\Windows\System\WjXSdet.exe
  C:\Windows\System\WjXSdet.exe
  2⤵
  PID:7500
- C:\Windows\System\KblJuPF.exe
  C:\Windows\System\KblJuPF.exe
  2⤵
  PID:7520
- C:\Windows\System\IiYgygw.exe
  C:\Windows\System\IiYgygw.exe
  2⤵
  PID:7540
- C:\Windows\System\VCBnUYL.exe
  C:\Windows\System\VCBnUYL.exe
  2⤵
  PID:7568
- C:\Windows\System\kPSKOtb.exe
  C:\Windows\System\kPSKOtb.exe
  2⤵
  PID:7608
- C:\Windows\System\ZntYDXb.exe
  C:\Windows\System\ZntYDXb.exe
  2⤵
  PID:7636
- C:\Windows\System\oBajwCs.exe
  C:\Windows\System\oBajwCs.exe
  2⤵
  PID:7660
- C:\Windows\System\zrgbMXh.exe
  C:\Windows\System\zrgbMXh.exe
  2⤵
  PID:7688
- C:\Windows\System\XzOpFzI.exe
  C:\Windows\System\XzOpFzI.exe
  2⤵
  PID:7708
- C:\Windows\System\lKMabFO.exe
  C:\Windows\System\lKMabFO.exe
  2⤵
  PID:7736
- C:\Windows\System\OzXaLAa.exe
  C:\Windows\System\OzXaLAa.exe
  2⤵
  PID:7784
- C:\Windows\System\YGrJeiS.exe
  C:\Windows\System\YGrJeiS.exe
  2⤵
  PID:7808
- C:\Windows\System\DuKmTKi.exe
  C:\Windows\System\DuKmTKi.exe
  2⤵
  PID:7832
- C:\Windows\System\ZjvuPHn.exe
  C:\Windows\System\ZjvuPHn.exe
  2⤵
  PID:7852
- C:\Windows\System\yCQEInn.exe
  C:\Windows\System\yCQEInn.exe
  2⤵
  PID:7880
- C:\Windows\System\KHmVkVI.exe
  C:\Windows\System\KHmVkVI.exe
  2⤵
  PID:7904
- C:\Windows\System\meTDhms.exe
  C:\Windows\System\meTDhms.exe
  2⤵
  PID:7928
- C:\Windows\System\AJWnOGo.exe
  C:\Windows\System\AJWnOGo.exe
  2⤵
  PID:7952
- C:\Windows\System\RKbixbe.exe
  C:\Windows\System\RKbixbe.exe
  2⤵
  PID:7980
- C:\Windows\System\EBTiAic.exe
  C:\Windows\System\EBTiAic.exe
  2⤵
  PID:8012
- C:\Windows\System\cuRmvtj.exe
  C:\Windows\System\cuRmvtj.exe
  2⤵
  PID:8036
- C:\Windows\System\NBTdrmL.exe
  C:\Windows\System\NBTdrmL.exe
  2⤵
  PID:8064
- C:\Windows\System\bJlupoh.exe
  C:\Windows\System\bJlupoh.exe
  2⤵
  PID:8136
- C:\Windows\System\fEHIyAq.exe
  C:\Windows\System\fEHIyAq.exe
  2⤵
  PID:8160
- C:\Windows\System\sOQMwOS.exe
  C:\Windows\System\sOQMwOS.exe
  2⤵
  PID:8180
- C:\Windows\System\cIljnis.exe
  C:\Windows\System\cIljnis.exe
  2⤵
  PID:6964
- C:\Windows\System\AeVeGWK.exe
  C:\Windows\System\AeVeGWK.exe
  2⤵
  PID:6808
- C:\Windows\System\XEzYiEI.exe
  C:\Windows\System\XEzYiEI.exe
  2⤵
  PID:7156
- C:\Windows\System\cdFcYdX.exe
  C:\Windows\System\cdFcYdX.exe
  2⤵
  PID:6756
- C:\Windows\System\Xqghdnj.exe
  C:\Windows\System\Xqghdnj.exe
  2⤵
  PID:5540
- C:\Windows\System\gGOTIcM.exe
  C:\Windows\System\gGOTIcM.exe
  2⤵
  PID:7088
- C:\Windows\System\OynKGQp.exe
  C:\Windows\System\OynKGQp.exe
  2⤵
  PID:7340
- C:\Windows\System\fzjZJXF.exe
  C:\Windows\System\fzjZJXF.exe
  2⤵
  PID:7396
- C:\Windows\System\PGiEFae.exe
  C:\Windows\System\PGiEFae.exe
  2⤵
  PID:6544
- C:\Windows\System\LLMoCld.exe
  C:\Windows\System\LLMoCld.exe
  2⤵
  PID:1304
- C:\Windows\System\dsONwgy.exe
  C:\Windows\System\dsONwgy.exe
  2⤵
  PID:7488
- C:\Windows\System\GIGfYdV.exe
  C:\Windows\System\GIGfYdV.exe
  2⤵
  PID:524
- C:\Windows\System\PijrxCM.exe
  C:\Windows\System\PijrxCM.exe
  2⤵
  PID:6852
- C:\Windows\System\RhucWvp.exe
  C:\Windows\System\RhucWvp.exe
  2⤵
  PID:7112
- C:\Windows\System\zCBPaZC.exe
  C:\Windows\System\zCBPaZC.exe
  2⤵
  PID:7620
- C:\Windows\System\LVOFPzF.exe
  C:\Windows\System\LVOFPzF.exe
  2⤵
  PID:2356
- C:\Windows\System\QVjbBSA.exe
  C:\Windows\System\QVjbBSA.exe
  2⤵
  PID:8028
- C:\Windows\System\NriHKmr.exe
  C:\Windows\System\NriHKmr.exe
  2⤵
  PID:8056
- C:\Windows\System\cFozPmY.exe
  C:\Windows\System\cFozPmY.exe
  2⤵
  PID:7668
- C:\Windows\System\VbqkMhG.exe
  C:\Windows\System\VbqkMhG.exe
  2⤵
  PID:7804
- C:\Windows\System\dVkjCqg.exe
  C:\Windows\System\dVkjCqg.exe
  2⤵
  PID:7920
- C:\Windows\System\PUcCNQa.exe
  C:\Windows\System\PUcCNQa.exe
  2⤵
  PID:8004
- C:\Windows\System\AKVWmcL.exe
  C:\Windows\System\AKVWmcL.exe
  2⤵
  PID:8208
- C:\Windows\System\nNPtEwu.exe
  C:\Windows\System\nNPtEwu.exe
  2⤵
  PID:8236
- C:\Windows\System\PSVXONb.exe
  C:\Windows\System\PSVXONb.exe
  2⤵
  PID:8272
- C:\Windows\System\lKYOUdW.exe
  C:\Windows\System\lKYOUdW.exe
  2⤵
  PID:8296
- C:\Windows\System\giiAyaX.exe
  C:\Windows\System\giiAyaX.exe
  2⤵
  PID:8320
- C:\Windows\System\wIHvOfI.exe
  C:\Windows\System\wIHvOfI.exe
  2⤵
  PID:8344
- C:\Windows\System\KSgUPqt.exe
  C:\Windows\System\KSgUPqt.exe
  2⤵
  PID:8560
- C:\Windows\System\LpoxVuF.exe
  C:\Windows\System\LpoxVuF.exe
  2⤵
  PID:8584
- C:\Windows\System\jXmkPUS.exe
  C:\Windows\System\jXmkPUS.exe
  2⤵
  PID:8612
- C:\Windows\System\qYQszkM.exe
  C:\Windows\System\qYQszkM.exe
  2⤵
  PID:8640
- C:\Windows\System\fCNWqpX.exe
  C:\Windows\System\fCNWqpX.exe
  2⤵
  PID:8668
- C:\Windows\System\quIYjKM.exe
  C:\Windows\System\quIYjKM.exe
  2⤵
  PID:8692
- C:\Windows\System\FChmAdQ.exe
  C:\Windows\System\FChmAdQ.exe
  2⤵
  PID:8720
- C:\Windows\System\TTpUUrv.exe
  C:\Windows\System\TTpUUrv.exe
  2⤵
  PID:8744
- C:\Windows\System\wOKhAiW.exe
  C:\Windows\System\wOKhAiW.exe
  2⤵
  PID:8776
- C:\Windows\System\pikiIhb.exe
  C:\Windows\System\pikiIhb.exe
  2⤵
  PID:8800
- C:\Windows\System\ELPOMQb.exe
  C:\Windows\System\ELPOMQb.exe
  2⤵
  PID:8824
- C:\Windows\System\WjmuUtM.exe
  C:\Windows\System\WjmuUtM.exe
  2⤵
  PID:8856
- C:\Windows\System\mxIsmpK.exe
  C:\Windows\System\mxIsmpK.exe
  2⤵
  PID:8880
- C:\Windows\System\UDsONKQ.exe
  C:\Windows\System\UDsONKQ.exe
  2⤵
  PID:8896
- C:\Windows\System\JLFJuZu.exe
  C:\Windows\System\JLFJuZu.exe
  2⤵
  PID:8912
- C:\Windows\System\LOJPMVv.exe
  C:\Windows\System\LOJPMVv.exe
  2⤵
  PID:8936
- C:\Windows\System\vdTASNa.exe
  C:\Windows\System\vdTASNa.exe
  2⤵
  PID:8972
- C:\Windows\System\deAWuHJ.exe
  C:\Windows\System\deAWuHJ.exe
  2⤵
  PID:9008
- C:\Windows\System\guCIXcl.exe
  C:\Windows\System\guCIXcl.exe
  2⤵
  PID:9044
- C:\Windows\System\PGcGzHT.exe
  C:\Windows\System\PGcGzHT.exe
  2⤵
  PID:7988
- C:\Windows\System\kdrbALw.exe
  C:\Windows\System\kdrbALw.exe
  2⤵
  PID:6832
- C:\Windows\System\nZffqtH.exe
  C:\Windows\System\nZffqtH.exe
  2⤵
  PID:8052
- C:\Windows\System\cCUYTxc.exe
  C:\Windows\System\cCUYTxc.exe
  2⤵
  PID:7304
- C:\Windows\System\nMMLaoy.exe
  C:\Windows\System\nMMLaoy.exe
  2⤵
  PID:7888
- C:\Windows\System\JubVcpR.exe
  C:\Windows\System\JubVcpR.exe
  2⤵
  PID:6164
- C:\Windows\System\lbencHd.exe
  C:\Windows\System\lbencHd.exe
  2⤵
  PID:2640
- C:\Windows\System\PyYRmVM.exe
  C:\Windows\System\PyYRmVM.exe
  2⤵
  PID:8352
- C:\Windows\System\riZfApU.exe
  C:\Windows\System\riZfApU.exe
  2⤵
  PID:7532
- C:\Windows\System\uZmKark.exe
  C:\Windows\System\uZmKark.exe
  2⤵
  PID:7216
- C:\Windows\System\wNTSVeZ.exe
  C:\Windows\System\wNTSVeZ.exe
  2⤵
  PID:7380
- C:\Windows\System\JIavoRB.exe
  C:\Windows\System\JIavoRB.exe
  2⤵
  PID:7800
- C:\Windows\System\uNSAqVv.exe
  C:\Windows\System\uNSAqVv.exe
  2⤵
  PID:8488
- C:\Windows\System\KqLqhFz.exe
  C:\Windows\System\KqLqhFz.exe
  2⤵
  PID:8520
- C:\Windows\System\zThudKT.exe
  C:\Windows\System\zThudKT.exe
  2⤵
  PID:9052
- C:\Windows\System\iMSMenx.exe
  C:\Windows\System\iMSMenx.exe
  2⤵
  PID:9060
- C:\Windows\System\LKgYcsE.exe
  C:\Windows\System\LKgYcsE.exe
  2⤵
  PID:8708
- C:\Windows\System\DJjzUyT.exe
  C:\Windows\System\DJjzUyT.exe
  2⤵
  PID:8832
- C:\Windows\System\luKPzyf.exe
  C:\Windows\System\luKPzyf.exe
  2⤵
  PID:8952
- C:\Windows\System\ZQAGHTY.exe
  C:\Windows\System\ZQAGHTY.exe
  2⤵
  PID:8592
- C:\Windows\System\qOzAfOi.exe
  C:\Windows\System\qOzAfOi.exe
  2⤵
  PID:8756
- C:\Windows\System\SLlAUzM.exe
  C:\Windows\System\SLlAUzM.exe
  2⤵
  PID:8816
- C:\Windows\System\gkeJbOI.exe
  C:\Windows\System\gkeJbOI.exe
  2⤵
  PID:8872
- C:\Windows\System\KTOOBzG.exe
  C:\Windows\System\KTOOBzG.exe
  2⤵
  PID:8904
- C:\Windows\System\rkdYsXF.exe
  C:\Windows\System\rkdYsXF.exe
  2⤵
  PID:7820
- C:\Windows\System\sbQRQsW.exe
  C:\Windows\System\sbQRQsW.exe
  2⤵
  PID:5628
- C:\Windows\System\SYfdFox.exe
  C:\Windows\System\SYfdFox.exe
  2⤵
  PID:1500
- C:\Windows\System\NDmnyEz.exe
  C:\Windows\System\NDmnyEz.exe
  2⤵
  PID:7444
- C:\Windows\System\gtZMLry.exe
  C:\Windows\System\gtZMLry.exe
  2⤵
  PID:9200
- C:\Windows\System\PRPqIiL.exe
  C:\Windows\System\PRPqIiL.exe
  2⤵
  PID:7592
- C:\Windows\System\HGmEqwd.exe
  C:\Windows\System\HGmEqwd.exe
  2⤵
  PID:7300
- C:\Windows\System\vCrjUUm.exe
  C:\Windows\System\vCrjUUm.exe
  2⤵
  PID:8536
- C:\Windows\System\oVpSrau.exe
  C:\Windows\System\oVpSrau.exe
  2⤵
  PID:8368
- C:\Windows\System\VZSTbmK.exe
  C:\Windows\System\VZSTbmK.exe
  2⤵
  PID:3368
- C:\Windows\System\rIEmfai.exe
  C:\Windows\System\rIEmfai.exe
  2⤵
  PID:7512
- C:\Windows\System\JxbzSaC.exe
  C:\Windows\System\JxbzSaC.exe
  2⤵
  PID:8848
- C:\Windows\System\fJiKSXe.exe
  C:\Windows\System\fJiKSXe.exe
  2⤵
  PID:8504
- C:\Windows\System\FKYjlTI.exe
  C:\Windows\System\FKYjlTI.exe
  2⤵
  PID:9240
- C:\Windows\System\qjRhpOh.exe
  C:\Windows\System\qjRhpOh.exe
  2⤵
  PID:9264
- C:\Windows\System\tfArSvt.exe
  C:\Windows\System\tfArSvt.exe
  2⤵
  PID:9284
- C:\Windows\System\itcFywC.exe
  C:\Windows\System\itcFywC.exe
  2⤵
  PID:9308
- C:\Windows\System\OxerxXO.exe
  C:\Windows\System\OxerxXO.exe
  2⤵
  PID:9332
- C:\Windows\System\KlIRIVh.exe
  C:\Windows\System\KlIRIVh.exe
  2⤵
  PID:9352
- C:\Windows\System\YCBNnUx.exe
  C:\Windows\System\YCBNnUx.exe
  2⤵
  PID:9376
- C:\Windows\System\tgUAyWV.exe
  C:\Windows\System\tgUAyWV.exe
  2⤵
  PID:9404
- C:\Windows\System\avYXtit.exe
  C:\Windows\System\avYXtit.exe
  2⤵
  PID:9432
- C:\Windows\System\cKtPgVO.exe
  C:\Windows\System\cKtPgVO.exe
  2⤵
  PID:9460
- C:\Windows\System\kXYnGYF.exe
  C:\Windows\System\kXYnGYF.exe
  2⤵
  PID:9484
- C:\Windows\System\OWQFVxk.exe
  C:\Windows\System\OWQFVxk.exe
  2⤵
  PID:9504
- C:\Windows\System\qMPBzws.exe
  C:\Windows\System\qMPBzws.exe
  2⤵
  PID:9532
- C:\Windows\System\PSbiRVv.exe
  C:\Windows\System\PSbiRVv.exe
  2⤵
  PID:9552
- C:\Windows\System\xdUGsYA.exe
  C:\Windows\System\xdUGsYA.exe
  2⤵
  PID:9584
- C:\Windows\System\KLNjaHO.exe
  C:\Windows\System\KLNjaHO.exe
  2⤵
  PID:9608
- C:\Windows\System\PZEBkOK.exe
  C:\Windows\System\PZEBkOK.exe
  2⤵
  PID:9636
- C:\Windows\System\hGNYTNz.exe
  C:\Windows\System\hGNYTNz.exe
  2⤵
  PID:9660
- C:\Windows\System\FrQuFBV.exe
  C:\Windows\System\FrQuFBV.exe
  2⤵
  PID:9680
- C:\Windows\System\ogEMnqD.exe
  C:\Windows\System\ogEMnqD.exe
  2⤵
  PID:9704
- C:\Windows\System\hdwKjHq.exe
  C:\Windows\System\hdwKjHq.exe
  2⤵
  PID:9732
- C:\Windows\System\BRyxzSw.exe
  C:\Windows\System\BRyxzSw.exe
  2⤵
  PID:9752
- C:\Windows\System\IjRzsHA.exe
  C:\Windows\System\IjRzsHA.exe
  2⤵
  PID:9784
- C:\Windows\System\ogQLMOC.exe
  C:\Windows\System\ogQLMOC.exe
  2⤵
  PID:9808
- C:\Windows\System\RQDqtbO.exe
  C:\Windows\System\RQDqtbO.exe
  2⤵
  PID:9832
- C:\Windows\System\FptXENA.exe
  C:\Windows\System\FptXENA.exe
  2⤵
  PID:9864
- C:\Windows\System\ONHAxIx.exe
  C:\Windows\System\ONHAxIx.exe
  2⤵
  PID:9884
- C:\Windows\System\NUwUVtW.exe
  C:\Windows\System\NUwUVtW.exe
  2⤵
  PID:9904
- C:\Windows\System\RzSMaJw.exe
  C:\Windows\System\RzSMaJw.exe
  2⤵
  PID:9920
- C:\Windows\System\ylFXMlF.exe
  C:\Windows\System\ylFXMlF.exe
  2⤵
  PID:9936
- C:\Windows\System\zShSBhQ.exe
  C:\Windows\System\zShSBhQ.exe
  2⤵
  PID:9952
- C:\Windows\System\KBePuWh.exe
  C:\Windows\System\KBePuWh.exe
  2⤵
  PID:9968
- C:\Windows\System\plMiBJr.exe
  C:\Windows\System\plMiBJr.exe
  2⤵
  PID:10000
- C:\Windows\System\LXfeQrp.exe
  C:\Windows\System\LXfeQrp.exe
  2⤵
  PID:10028
- C:\Windows\System\xuUYDTZ.exe
  C:\Windows\System\xuUYDTZ.exe
  2⤵
  PID:10048
- C:\Windows\System\pCFWOiU.exe
  C:\Windows\System\pCFWOiU.exe
  2⤵
  PID:10076
- C:\Windows\System\zImUHpq.exe
  C:\Windows\System\zImUHpq.exe
  2⤵
  PID:10108
- C:\Windows\System\IsiksYs.exe
  C:\Windows\System\IsiksYs.exe
  2⤵
  PID:10140
- C:\Windows\System\RmVLCNg.exe
  C:\Windows\System\RmVLCNg.exe
  2⤵
  PID:10160
- C:\Windows\System\umKVnmd.exe
  C:\Windows\System\umKVnmd.exe
  2⤵
  PID:10184
- C:\Windows\System\dbuonWM.exe
  C:\Windows\System\dbuonWM.exe
  2⤵
  PID:10208
- C:\Windows\System\qLIWaei.exe
  C:\Windows\System\qLIWaei.exe
  2⤵
  PID:10228
- C:\Windows\System\CpbaQgQ.exe
  C:\Windows\System\CpbaQgQ.exe
  2⤵
  PID:7276
- C:\Windows\System\AzZlDYf.exe
  C:\Windows\System\AzZlDYf.exe
  2⤵
  PID:8288
- C:\Windows\System\NYBChft.exe
  C:\Windows\System\NYBChft.exe
  2⤵
  PID:8892
- C:\Windows\System\uMKOPck.exe
  C:\Windows\System\uMKOPck.exe
  2⤵
  PID:7212
- C:\Windows\System\yiNYCWb.exe
  C:\Windows\System\yiNYCWb.exe
  2⤵
  PID:9220
- C:\Windows\System\nxBUTvr.exe
  C:\Windows\System\nxBUTvr.exe
  2⤵
  PID:9260
- C:\Windows\System\qMUUOyL.exe
  C:\Windows\System\qMUUOyL.exe
  2⤵
  PID:9360
- C:\Windows\System\XSjPLYF.exe
  C:\Windows\System\XSjPLYF.exe
  2⤵
  PID:9416
- C:\Windows\System\sZTXUkm.exe
  C:\Windows\System\sZTXUkm.exe
  2⤵
  PID:9492
- C:\Windows\System\PRepKyg.exe
  C:\Windows\System\PRepKyg.exe
  2⤵
  PID:9524
- C:\Windows\System\tKZxfjV.exe
  C:\Windows\System\tKZxfjV.exe
  2⤵
  PID:9348
- C:\Windows\System\urJPGdt.exe
  C:\Windows\System\urJPGdt.exe
  2⤵
  PID:9720
- C:\Windows\System\QAuxRgy.exe
  C:\Windows\System\QAuxRgy.exe
  2⤵
  PID:9656
- C:\Windows\System\tgVorGi.exe
  C:\Windows\System\tgVorGi.exe
  2⤵
  PID:10064
- C:\Windows\System\gfujaRK.exe
  C:\Windows\System\gfujaRK.exe
  2⤵
  PID:9548
- C:\Windows\System\lttIACj.exe
  C:\Windows\System\lttIACj.exe
  2⤵
  PID:10132
- C:\Windows\System\rtDJSBa.exe
  C:\Windows\System\rtDJSBa.exe
  2⤵
  PID:9896
- C:\Windows\System\ajaWWTX.exe
  C:\Windows\System\ajaWWTX.exe
  2⤵
  PID:9932
- C:\Windows\System\ioxcabf.exe
  C:\Windows\System\ioxcabf.exe
  2⤵
  PID:8656
- C:\Windows\System\uWniWJi.exe
  C:\Windows\System\uWniWJi.exe
  2⤵
  PID:10096
- C:\Windows\System\OcnvTit.exe
  C:\Windows\System\OcnvTit.exe
  2⤵
  PID:9840
- C:\Windows\System\cBfgsdT.exe
  C:\Windows\System\cBfgsdT.exe
  2⤵
  PID:10252
- C:\Windows\System\KEnBHXk.exe
  C:\Windows\System\KEnBHXk.exe
  2⤵
  PID:10272
- C:\Windows\System\gsfcmRq.exe
  C:\Windows\System\gsfcmRq.exe
  2⤵
  PID:10292
- C:\Windows\System\nBpmkVA.exe
  C:\Windows\System\nBpmkVA.exe
  2⤵
  PID:10316
- C:\Windows\System\bNsifrn.exe
  C:\Windows\System\bNsifrn.exe
  2⤵
  PID:10332
- C:\Windows\System\VbAPZln.exe
  C:\Windows\System\VbAPZln.exe
  2⤵
  PID:10348
- C:\Windows\System\BxOamBE.exe
  C:\Windows\System\BxOamBE.exe
  2⤵
  PID:10364
- C:\Windows\System\IRstqei.exe
  C:\Windows\System\IRstqei.exe
  2⤵
  PID:10384
- C:\Windows\System\RfMWTBk.exe
  C:\Windows\System\RfMWTBk.exe
  2⤵
  PID:10404
- C:\Windows\System\rJBcWAS.exe
  C:\Windows\System\rJBcWAS.exe
  2⤵
  PID:10428
- C:\Windows\System\RartEUY.exe
  C:\Windows\System\RartEUY.exe
  2⤵
  PID:10468
- C:\Windows\System\LYsncng.exe
  C:\Windows\System\LYsncng.exe
  2⤵
  PID:10496
- C:\Windows\System\jyvQONZ.exe
  C:\Windows\System\jyvQONZ.exe
  2⤵
  PID:10520
- C:\Windows\System\XVNMqXa.exe
  C:\Windows\System\XVNMqXa.exe
  2⤵
  PID:10552
- C:\Windows\System\CxQiXLm.exe
  C:\Windows\System\CxQiXLm.exe
  2⤵
  PID:10576
- C:\Windows\System\HnTGlnm.exe
  C:\Windows\System\HnTGlnm.exe
  2⤵
  PID:10600
- C:\Windows\System\xBFMBZm.exe
  C:\Windows\System\xBFMBZm.exe
  2⤵
  PID:10620
- C:\Windows\System\cRYmIYe.exe
  C:\Windows\System\cRYmIYe.exe
  2⤵
  PID:10644
- C:\Windows\System\TVtVkea.exe
  C:\Windows\System\TVtVkea.exe
  2⤵
  PID:10672
- C:\Windows\System\zfSNGyI.exe
  C:\Windows\System\zfSNGyI.exe
  2⤵
  PID:10692
- C:\Windows\System\TGgEdXe.exe
  C:\Windows\System\TGgEdXe.exe
  2⤵
  PID:10712
- C:\Windows\System\EXAYFvb.exe
  C:\Windows\System\EXAYFvb.exe
  2⤵
  PID:10732
- C:\Windows\System\cIjilJk.exe
  C:\Windows\System\cIjilJk.exe
  2⤵
  PID:10756
- C:\Windows\System\TyVEkiY.exe
  C:\Windows\System\TyVEkiY.exe
  2⤵
  PID:10784
- C:\Windows\System\pQAPArz.exe
  C:\Windows\System\pQAPArz.exe
  2⤵
  PID:10808
- C:\Windows\System\YPFNDDV.exe
  C:\Windows\System\YPFNDDV.exe
  2⤵
  PID:10832
- C:\Windows\System\TkzhUAF.exe
  C:\Windows\System\TkzhUAF.exe
  2⤵
  PID:10860
- C:\Windows\System\tayAmuV.exe
  C:\Windows\System\tayAmuV.exe
  2⤵
  PID:10880
- C:\Windows\System\LQqYFNh.exe
  C:\Windows\System\LQqYFNh.exe
  2⤵
  PID:10904
- C:\Windows\System\VHxQiIa.exe
  C:\Windows\System\VHxQiIa.exe
  2⤵
  PID:10944
- C:\Windows\System\lJawljO.exe
  C:\Windows\System\lJawljO.exe
  2⤵
  PID:10968
- C:\Windows\System\WsTbcBb.exe
  C:\Windows\System\WsTbcBb.exe
  2⤵
  PID:10988
- C:\Windows\System\EYwOQkS.exe
  C:\Windows\System\EYwOQkS.exe
  2⤵
  PID:11024
- C:\Windows\System\HxolkgR.exe
  C:\Windows\System\HxolkgR.exe
  2⤵
  PID:11052
- C:\Windows\System\oBkEOUH.exe
  C:\Windows\System\oBkEOUH.exe
  2⤵
  PID:11080
- C:\Windows\System\EyWHjUJ.exe
  C:\Windows\System\EyWHjUJ.exe
  2⤵
  PID:11104
- C:\Windows\System\gTDCqCR.exe
  C:\Windows\System\gTDCqCR.exe
  2⤵
  PID:11124
- C:\Windows\System\vxyOFDa.exe
  C:\Windows\System\vxyOFDa.exe
  2⤵
  PID:11160
- C:\Windows\System\xoTDSkP.exe
  C:\Windows\System\xoTDSkP.exe
  2⤵
  PID:11184
- C:\Windows\System\sasHZGd.exe
  C:\Windows\System\sasHZGd.exe
  2⤵
  PID:11204
- C:\Windows\System\BqzqcXy.exe
  C:\Windows\System\BqzqcXy.exe
  2⤵
  PID:11240
- C:\Windows\System\kCuHLiI.exe
  C:\Windows\System\kCuHLiI.exe
  2⤵
  PID:9948
- C:\Windows\System\xKUCFBQ.exe
  C:\Windows\System\xKUCFBQ.exe
  2⤵
  PID:9984
- C:\Windows\System\ESbBqQs.exe
  C:\Windows\System\ESbBqQs.exe
  2⤵
  PID:8732
- C:\Windows\System\xVFFqXj.exe
  C:\Windows\System\xVFFqXj.exe
  2⤵
  PID:9700
- C:\Windows\System\KuLhYcc.exe
  C:\Windows\System\KuLhYcc.exe
  2⤵
  PID:9452
- C:\Windows\System\hWESyZi.exe
  C:\Windows\System\hWESyZi.exe
  2⤵
  PID:10092
- C:\Windows\System\HLmthJo.exe
  C:\Windows\System\HLmthJo.exe
  2⤵
  PID:10152
- C:\Windows\System\HLwMJFm.exe
  C:\Windows\System\HLwMJFm.exe
  2⤵
  PID:10224
- C:\Windows\System\DihGHkt.exe
  C:\Windows\System\DihGHkt.exe
  2⤵
  PID:8604
- C:\Windows\System\BGHkgLZ.exe
  C:\Windows\System\BGHkgLZ.exe
  2⤵
  PID:6488
- C:\Windows\System\OMvrmvH.exe
  C:\Windows\System\OMvrmvH.exe
  2⤵
  PID:10356
- C:\Windows\System\UndLsoj.exe
  C:\Windows\System\UndLsoj.exe
  2⤵
  PID:9616
- C:\Windows\System\JMrUsfp.exe
  C:\Windows\System\JMrUsfp.exe
  2⤵
  PID:9292
- C:\Windows\System\zeYzfVd.exe
  C:\Windows\System\zeYzfVd.exe
  2⤵
  PID:10528
- C:\Windows\System\WAiChRz.exe
  C:\Windows\System\WAiChRz.exe
  2⤵
  PID:10572
- C:\Windows\System\xhYAsOs.exe
  C:\Windows\System\xhYAsOs.exe
  2⤵
  PID:10640
- C:\Windows\System\WbIZDyO.exe
  C:\Windows\System\WbIZDyO.exe
  2⤵
  PID:10324
- C:\Windows\System\dWlrqZf.exe
  C:\Windows\System\dWlrqZf.exe
  2⤵
  PID:10372
- C:\Windows\System\lahlGpm.exe
  C:\Windows\System\lahlGpm.exe
  2⤵
  PID:10828
- C:\Windows\System\sUdyADo.exe
  C:\Windows\System\sUdyADo.exe
  2⤵
  PID:10896
- C:\Windows\System\yBYPyBT.exe
  C:\Windows\System\yBYPyBT.exe
  2⤵
  PID:10928
- C:\Windows\System\ucdoxLF.exe
  C:\Windows\System\ucdoxLF.exe
  2⤵
  PID:9748
- C:\Windows\System\SdSWAym.exe
  C:\Windows\System\SdSWAym.exe
  2⤵
  PID:10260
- C:\Windows\System\sQfiwIz.exe
  C:\Windows\System\sQfiwIz.exe
  2⤵
  PID:10308
- C:\Windows\System\AurdYJI.exe
  C:\Windows\System\AurdYJI.exe
  2⤵
  PID:10340
- C:\Windows\System\RnQudkZ.exe
  C:\Windows\System\RnQudkZ.exe
  2⤵
  PID:10768
- C:\Windows\System\HsoTipW.exe
  C:\Windows\System\HsoTipW.exe
  2⤵
  PID:10484
- C:\Windows\System\BmVtgED.exe
  C:\Windows\System\BmVtgED.exe
  2⤵
  PID:10956
- C:\Windows\System\aUObGgj.exe
  C:\Windows\System\aUObGgj.exe
  2⤵
  PID:11064
- C:\Windows\System\wxacgqb.exe
  C:\Windows\System\wxacgqb.exe
  2⤵
  PID:10416
- C:\Windows\System\jKzdFxM.exe
  C:\Windows\System\jKzdFxM.exe
  2⤵
  PID:11148
- C:\Windows\System\gYRmyIx.exe
  C:\Windows\System\gYRmyIx.exe
  2⤵
  PID:11276
- C:\Windows\System\tANKOJy.exe
  C:\Windows\System\tANKOJy.exe
  2⤵
  PID:11304
- C:\Windows\System\JsYatop.exe
  C:\Windows\System\JsYatop.exe
  2⤵
  PID:11324
- C:\Windows\System\jaztekr.exe
  C:\Windows\System\jaztekr.exe
  2⤵
  PID:11352
- C:\Windows\System\SNssazL.exe
  C:\Windows\System\SNssazL.exe
  2⤵
  PID:11376
- C:\Windows\System\UAvblWn.exe
  C:\Windows\System\UAvblWn.exe
  2⤵
  PID:11404
- C:\Windows\System\habLgvu.exe
  C:\Windows\System\habLgvu.exe
  2⤵
  PID:11432
- C:\Windows\System\tzvJffa.exe
  C:\Windows\System\tzvJffa.exe
  2⤵
  PID:11460
- C:\Windows\System\aPBKtTs.exe
  C:\Windows\System\aPBKtTs.exe
  2⤵
  PID:11484
- C:\Windows\System\hpatPVe.exe
  C:\Windows\System\hpatPVe.exe
  2⤵
  PID:11500
- C:\Windows\System\lStOmva.exe
  C:\Windows\System\lStOmva.exe
  2⤵
  PID:11516
- C:\Windows\System\JYWNpVS.exe
  C:\Windows\System\JYWNpVS.exe
  2⤵
  PID:11848
- C:\Windows\System\Dclxiqu.exe
  C:\Windows\System\Dclxiqu.exe
  2⤵
  PID:11872
- C:\Windows\System\FcgtAfD.exe
  C:\Windows\System\FcgtAfD.exe
  2⤵
  PID:11900
- C:\Windows\System\sHtxxKB.exe
  C:\Windows\System\sHtxxKB.exe
  2⤵
  PID:11928
- C:\Windows\System\YPZBZhi.exe
  C:\Windows\System\YPZBZhi.exe
  2⤵
  PID:11952
- C:\Windows\System\lrvvuxy.exe
  C:\Windows\System\lrvvuxy.exe
  2⤵
  PID:11984
- C:\Windows\System\ZbtqgCZ.exe
  C:\Windows\System\ZbtqgCZ.exe
  2⤵
  PID:12008
- C:\Windows\System\JhRWWDo.exe
  C:\Windows\System\JhRWWDo.exe
  2⤵
  PID:12024
- C:\Windows\System\iKXbaDF.exe
  C:\Windows\System\iKXbaDF.exe
  2⤵
  PID:12044
- C:\Windows\System\mkydhQQ.exe
  C:\Windows\System\mkydhQQ.exe
  2⤵
  PID:12072
- C:\Windows\System\heQDqAu.exe
  C:\Windows\System\heQDqAu.exe
  2⤵
  PID:12092
- C:\Windows\System\WVcLSMI.exe
  C:\Windows\System\WVcLSMI.exe
  2⤵
  PID:12116
- C:\Windows\System\zNYMQyH.exe
  C:\Windows\System\zNYMQyH.exe
  2⤵
  PID:12144
- C:\Windows\System\KyfWuzg.exe
  C:\Windows\System\KyfWuzg.exe
  2⤵
  PID:12176
- C:\Windows\System\eSipfmQ.exe
  C:\Windows\System\eSipfmQ.exe
  2⤵
  PID:12208
- C:\Windows\System\RumONdr.exe
  C:\Windows\System\RumONdr.exe
  2⤵
  PID:12232
- C:\Windows\System\EDepOou.exe
  C:\Windows\System\EDepOou.exe
  2⤵
  PID:12260
- C:\Windows\System\JQArKlB.exe
  C:\Windows\System\JQArKlB.exe
  2⤵
  PID:11176
- C:\Windows\System\mJGvVaQ.exe
  C:\Windows\System\mJGvVaQ.exe
  2⤵
  PID:11220
- C:\Windows\System\TweUnbv.exe
  C:\Windows\System\TweUnbv.exe
  2⤵
  PID:9964
- C:\Windows\System\fZDHtzJ.exe
  C:\Windows\System\fZDHtzJ.exe
  2⤵
  PID:9228
- C:\Windows\System\YhjPHxY.exe
  C:\Windows\System\YhjPHxY.exe
  2⤵
  PID:10996
- C:\Windows\System\JBdtzIw.exe
  C:\Windows\System\JBdtzIw.exe
  2⤵
  PID:8888
- C:\Windows\System\jAoxsdb.exe
  C:\Windows\System\jAoxsdb.exe
  2⤵
  PID:10396
- C:\Windows\System\iwMuHXT.exe
  C:\Windows\System\iwMuHXT.exe
  2⤵
  PID:9796
- C:\Windows\System\ojPirJe.exe
  C:\Windows\System\ojPirJe.exe
  2⤵
  PID:10564
- C:\Windows\System\KadLUWa.exe
  C:\Windows\System\KadLUWa.exe
  2⤵
  PID:11428
- C:\Windows\System\hRsgYhr.exe
  C:\Windows\System\hRsgYhr.exe
  2⤵
  PID:10688
- C:\Windows\System\KSMSZlX.exe
  C:\Windows\System\KSMSZlX.exe
  2⤵
  PID:11528
- C:\Windows\System\SsKzQPA.exe
  C:\Windows\System\SsKzQPA.exe
  2⤵
  PID:11116
- C:\Windows\System\uVMejRn.exe
  C:\Windows\System\uVMejRn.exe
  2⤵
  PID:11320
- C:\Windows\System\vQIQPbq.exe
  C:\Windows\System\vQIQPbq.exe
  2⤵
  PID:11736
- C:\Windows\System\BHwPPuH.exe
  C:\Windows\System\BHwPPuH.exe
  2⤵
  PID:11448
- C:\Windows\System\rCuDVEz.exe
  C:\Windows\System\rCuDVEz.exe
  2⤵
  PID:11496
- C:\Windows\System\EMpjafg.exe
  C:\Windows\System\EMpjafg.exe
  2⤵
  PID:10748
- C:\Windows\System\eJitHMu.exe
  C:\Windows\System\eJitHMu.exe
  2⤵
  PID:10900
- C:\Windows\System\zaWKPye.exe
  C:\Windows\System\zaWKPye.exe
  2⤵
  PID:10248
- C:\Windows\System\JKQnuaE.exe
  C:\Windows\System\JKQnuaE.exe
  2⤵
  PID:11656
- C:\Windows\System\Vbbkgyx.exe
  C:\Windows\System\Vbbkgyx.exe
  2⤵
  PID:11840
- C:\Windows\System\ILlqqlp.exe
  C:\Windows\System\ILlqqlp.exe
  2⤵
  PID:7028
- C:\Windows\System\wnlSyHj.exe
  C:\Windows\System\wnlSyHj.exe
  2⤵
  PID:11880
- C:\Windows\System\RDKVFxd.exe
  C:\Windows\System\RDKVFxd.exe
  2⤵
  PID:3688
- C:\Windows\System\JFwzrPg.exe
  C:\Windows\System\JFwzrPg.exe
  2⤵
  PID:11268
- C:\Windows\System\PXcATbl.exe
  C:\Windows\System\PXcATbl.exe
  2⤵
  PID:11300
- C:\Windows\System\JlelTku.exe
  C:\Windows\System\JlelTku.exe
  2⤵
  PID:12124
- C:\Windows\System\nFHDljh.exe
  C:\Windows\System\nFHDljh.exe
  2⤵
  PID:11524
- C:\Windows\System\UxeiEaw.exe
  C:\Windows\System\UxeiEaw.exe
  2⤵
  PID:11608
- C:\Windows\System\ZqabIAi.exe
  C:\Windows\System\ZqabIAi.exe
  2⤵
  PID:12244
- C:\Windows\System\QkVxLYV.exe
  C:\Windows\System\QkVxLYV.exe
  2⤵
  PID:11864
- C:\Windows\System\gMkRnoX.exe
  C:\Windows\System\gMkRnoX.exe
  2⤵
  PID:11916
- C:\Windows\System\bbAWYvU.exe
  C:\Windows\System\bbAWYvU.exe
  2⤵
  PID:10704
- C:\Windows\System\BqQUFfi.exe
  C:\Windows\System\BqQUFfi.exe
  2⤵
  PID:4404
- C:\Windows\System\kevVSdA.exe
  C:\Windows\System\kevVSdA.exe
  2⤵
  PID:12296
- C:\Windows\System\OQObVxF.exe
  C:\Windows\System\OQObVxF.exe
  2⤵
  PID:12320
- C:\Windows\System\tTrCGhT.exe
  C:\Windows\System\tTrCGhT.exe
  2⤵
  PID:12344
- C:\Windows\System\phqPrtr.exe
  C:\Windows\System\phqPrtr.exe
  2⤵
  PID:12368
- C:\Windows\System\QofpaMz.exe
  C:\Windows\System\QofpaMz.exe
  2⤵
  PID:12388
- C:\Windows\System\BCniBMk.exe
  C:\Windows\System\BCniBMk.exe
  2⤵
  PID:12420
- C:\Windows\System\cBVxZyW.exe
  C:\Windows\System\cBVxZyW.exe
  2⤵
  PID:12448
- C:\Windows\System\FvYCQay.exe
  C:\Windows\System\FvYCQay.exe
  2⤵
  PID:12472
- C:\Windows\System\GBuICso.exe
  C:\Windows\System\GBuICso.exe
  2⤵
  PID:12488
- C:\Windows\System\bvKTKCp.exe
  C:\Windows\System\bvKTKCp.exe
  2⤵
  PID:12520
- C:\Windows\System\oufmhdz.exe
  C:\Windows\System\oufmhdz.exe
  2⤵
  PID:12548
- C:\Windows\System\qKurkdJ.exe
  C:\Windows\System\qKurkdJ.exe
  2⤵
  PID:12572
- C:\Windows\System\JmdacyV.exe
  C:\Windows\System\JmdacyV.exe
  2⤵
  PID:12592
- C:\Windows\System\cTZvLwF.exe
  C:\Windows\System\cTZvLwF.exe
  2⤵
  PID:12616
- C:\Windows\System\eAQqgzN.exe
  C:\Windows\System\eAQqgzN.exe
  2⤵
  PID:12636
- C:\Windows\System\xnOexGR.exe
  C:\Windows\System\xnOexGR.exe
  2⤵
  PID:12656
- C:\Windows\System\deBOjtG.exe
  C:\Windows\System\deBOjtG.exe
  2⤵
  PID:12680
- C:\Windows\System\ktnKUsz.exe
  C:\Windows\System\ktnKUsz.exe
  2⤵
  PID:12704
- C:\Windows\System\DvMoMvQ.exe
  C:\Windows\System\DvMoMvQ.exe
  2⤵
  PID:12728
- C:\Windows\System\hlwbUkW.exe
  C:\Windows\System\hlwbUkW.exe
  2⤵
  PID:13052
- C:\Windows\System\UORmIOH.exe
  C:\Windows\System\UORmIOH.exe
  2⤵
  PID:13092
- C:\Windows\System\PeUXQHP.exe
  C:\Windows\System\PeUXQHP.exe
  2⤵
  PID:13152
- C:\Windows\System\psBGxsx.exe
  C:\Windows\System\psBGxsx.exe
  2⤵
  PID:13304
- C:\Windows\System\xtSYPyN.exe
  C:\Windows\System\xtSYPyN.exe
  2⤵
  PID:10596
- C:\Windows\System\oOwMguI.exe
  C:\Windows\System\oOwMguI.exe
  2⤵
  PID:10488
- C:\Windows\System\xUrBWQj.exe
  C:\Windows\System\xUrBWQj.exe
  2⤵
  PID:12480
- C:\Windows\System\mRkifmW.exe
  C:\Windows\System\mRkifmW.exe
  2⤵
  PID:11476
- C:\Windows\System\ShFvWjW.exe
  C:\Windows\System\ShFvWjW.exe
  2⤵
  PID:9992
- C:\Windows\System\MfutXak.exe
  C:\Windows\System\MfutXak.exe
  2⤵
  PID:9384
- C:\Windows\System\XlipuEc.exe
  C:\Windows\System\XlipuEc.exe
  2⤵
  PID:11968
- C:\Windows\System\YXlrjdb.exe
  C:\Windows\System\YXlrjdb.exe
  2⤵
  PID:12904
- C:\Windows\System\hfZzaOM.exe
  C:\Windows\System\hfZzaOM.exe
  2⤵
  PID:12796
- C:\Windows\System\HfuYaiL.exe
  C:\Windows\System\HfuYaiL.exe
  2⤵
  PID:12932
- C:\Windows\System\HlaBTRQ.exe
  C:\Windows\System\HlaBTRQ.exe
  2⤵
  PID:12976
- C:\Windows\System\EyBlJPc.exe
  C:\Windows\System\EyBlJPc.exe
  2⤵
  PID:13300
- C:\Windows\System\HzUrdIl.exe
  C:\Windows\System\HzUrdIl.exe
  2⤵
  PID:10984
- C:\Windows\System\lbxepJM.exe
  C:\Windows\System\lbxepJM.exe
  2⤵
  PID:12744
- C:\Windows\System\YuGIFVv.exe
  C:\Windows\System\YuGIFVv.exe
  2⤵
  PID:4748
- C:\Windows\System\aezXmmm.exe
  C:\Windows\System\aezXmmm.exe
  2⤵
  PID:12628
- C:\Windows\System\htTpKGs.exe
  C:\Windows\System\htTpKGs.exe
  2⤵
  PID:12828
- C:\Windows\System\lNyBRgh.exe
  C:\Windows\System\lNyBRgh.exe
  2⤵
  PID:10044
- C:\Windows\System\qvLozlg.exe
  C:\Windows\System\qvLozlg.exe
  2⤵
  PID:12360
- C:\Windows\System\XJUGuFt.exe
  C:\Windows\System\XJUGuFt.exe
  2⤵
  PID:12788
- C:\Windows\System\VUlycfM.exe
  C:\Windows\System\VUlycfM.exe
  2⤵
  PID:12688
- C:\Windows\System\yxooQUd.exe
  C:\Windows\System\yxooQUd.exe
  2⤵
  PID:12948
- C:\Windows\System\XyEmBWb.exe
  C:\Windows\System\XyEmBWb.exe
  2⤵
  PID:12956
- C:\Windows\System\zEvtWqB.exe
  C:\Windows\System\zEvtWqB.exe
  2⤵
  PID:13032
- C:\Windows\System\QWaChei.exe
  C:\Windows\System\QWaChei.exe
  2⤵
  PID:13004
- C:\Windows\System\TLFGudN.exe
  C:\Windows\System\TLFGudN.exe
  2⤵
  PID:13192
- C:\Windows\System\megcNyI.exe
  C:\Windows\System\megcNyI.exe
  2⤵
  PID:12876
- C:\Windows\System\WKdJrZF.exe
  C:\Windows\System\WKdJrZF.exe
  2⤵
  PID:13256
- C:\Windows\System\MinbCxI.exe
  C:\Windows\System\MinbCxI.exe
  2⤵
  PID:12928
- C:\Windows\System\yMWbRgk.exe
  C:\Windows\System\yMWbRgk.exe
  2⤵
  PID:4524
- C:\Windows\System\XdGvkZO.exe
  C:\Windows\System\XdGvkZO.exe
  2⤵
  PID:10680
- C:\Windows\System\woRGwCE.exe
  C:\Windows\System\woRGwCE.exe
  2⤵
  PID:13232
- C:\Windows\System\PccUYgM.exe
  C:\Windows\System\PccUYgM.exe
  2⤵
  PID:11440
- C:\Windows\System\snXxPxi.exe
  C:\Windows\System\snXxPxi.exe
  2⤵
  PID:12000
- C:\Windows\System\frKljja.exe
  C:\Windows\System\frKljja.exe
  2⤵
  PID:11540
- C:\Windows\System\oqvZELQ.exe
  C:\Windows\System\oqvZELQ.exe
  2⤵
  PID:10744
- C:\Windows\System\XzQOEFS.exe
  C:\Windows\System\XzQOEFS.exe
  2⤵
  PID:12756
- C:\Windows\System\MnfUZPY.exe
  C:\Windows\System\MnfUZPY.exe
  2⤵
  PID:11868
- C:\Windows\System\shQdWIJ.exe
  C:\Windows\System\shQdWIJ.exe
  2⤵
  PID:11644
- C:\Windows\System\cDheyEi.exe
  C:\Windows\System\cDheyEi.exe
  2⤵
  PID:10448
- C:\Windows\System\FxIdgjp.exe
  C:\Windows\System\FxIdgjp.exe
  2⤵
  PID:12784
- C:\Windows\System\cfRoGSJ.exe
  C:\Windows\System\cfRoGSJ.exe
  2⤵
  PID:12108
- C:\Windows\System\xCXYqYL.exe
  C:\Windows\System\xCXYqYL.exe
  2⤵
  PID:11400
- C:\Windows\System\LCauTlu.exe
  C:\Windows\System\LCauTlu.exe
  2⤵
  PID:13196
- C:\Windows\System\DYcuPxO.exe
  C:\Windows\System\DYcuPxO.exe
  2⤵
  PID:5920
- C:\Windows\System\BizTpea.exe
  C:\Windows\System\BizTpea.exe
  2⤵
  PID:13120
- C:\Windows\System\WPrNKTk.exe
  C:\Windows\System\WPrNKTk.exe
  2⤵
  PID:11236
- C:\Windows\System\LpkLIFV.exe
  C:\Windows\System\LpkLIFV.exe
  2⤵
  PID:12380
- C:\Windows\System\fWleLqP.exe
  C:\Windows\System\fWleLqP.exe
  2⤵
  PID:3132
- C:\Windows\System\GCOmZOn.exe
  C:\Windows\System\GCOmZOn.exe
  2⤵
  PID:2128
- C:\Windows\System\zFKAKzE.exe
  C:\Windows\System\zFKAKzE.exe
  2⤵
  PID:12780
- C:\Windows\System\GpduxXI.exe
  C:\Windows\System\GpduxXI.exe
  2⤵
  PID:1320
- C:\Windows\System\hXhjoaf.exe
  C:\Windows\System\hXhjoaf.exe
  2⤵
  PID:12980
- C:\Windows\System\KvIXHXi.exe
  C:\Windows\System\KvIXHXi.exe
  2⤵
  PID:2280
- C:\Windows\System\pDenzfj.exe
  C:\Windows\System\pDenzfj.exe
  2⤵
  PID:13236
- C:\Windows\System\Jntxurx.exe
  C:\Windows\System\Jntxurx.exe
  2⤵
  PID:13288
- C:\Windows\System\rgjzxOE.exe
  C:\Windows\System\rgjzxOE.exe
  2⤵
  PID:4200
- C:\Windows\System\KRJnuVP.exe
  C:\Windows\System\KRJnuVP.exe
  2⤵
  PID:2332
- C:\Windows\System\aLpqhgn.exe
  C:\Windows\System\aLpqhgn.exe
  2⤵
  PID:10444
- C:\Windows\System\pXrvkbk.exe
  C:\Windows\System\pXrvkbk.exe
  2⤵
  PID:12528
- C:\Windows\System\cqFXzed.exe
  C:\Windows\System\cqFXzed.exe
  2⤵
  PID:4312
- C:\Windows\System\BZspxRY.exe
  C:\Windows\System\BZspxRY.exe
  2⤵
  PID:2708
- C:\Windows\System\DOOFXUM.exe
  C:\Windows\System\DOOFXUM.exe
  2⤵
  PID:9628
- C:\Windows\System\YcRpnnE.exe
  C:\Windows\System\YcRpnnE.exe
  2⤵
  PID:11804
- C:\Windows\System\BPJMnkZ.exe
  C:\Windows\System\BPJMnkZ.exe
  2⤵
  PID:11040
- C:\Windows\System\zAjncQs.exe
  C:\Windows\System\zAjncQs.exe
  2⤵
  PID:3968
- C:\Windows\System\FTMeuLC.exe
  C:\Windows\System\FTMeuLC.exe
  2⤵
  PID:4672
- C:\Windows\System\oJpcfyL.exe
  C:\Windows\System\oJpcfyL.exe
  2⤵
  PID:11856
- C:\Windows\System\BSJclYz.exe
  C:\Windows\System\BSJclYz.exe
  2⤵
  PID:5260
- C:\Windows\System\ziMhdeU.exe
  C:\Windows\System\ziMhdeU.exe
  2⤵
  PID:4432
- C:\Windows\System\THMEfzw.exe
  C:\Windows\System\THMEfzw.exe
  2⤵
  PID:11296
- C:\Windows\System\tmCWXDV.exe
  C:\Windows\System\tmCWXDV.exe
  2⤵
  PID:436
- C:\Windows\System\GWtbBbE.exe
  C:\Windows\System\GWtbBbE.exe
  2⤵
  PID:3152
- C:\Windows\System\GOSIHqy.exe
  C:\Windows\System\GOSIHqy.exe
  2⤵
  PID:5468
- C:\Windows\System\jUuDsFU.exe
  C:\Windows\System\jUuDsFU.exe
  2⤵
  PID:5016
- C:\Windows\System\KVhVgdj.exe
  C:\Windows\System\KVhVgdj.exe
  2⤵
  PID:4964
- C:\Windows\System\ZMzzuOS.exe
  C:\Windows\System\ZMzzuOS.exe
  2⤵
  PID:660
- C:\Windows\System\ZSbYYYM.exe
  C:\Windows\System\ZSbYYYM.exe
  2⤵
  PID:5544
- C:\Windows\System\kvHCOIL.exe
  C:\Windows\System\kvHCOIL.exe
  2⤵
  PID:5388
- C:\Windows\System\dOQopek.exe
  C:\Windows\System\dOQopek.exe
  2⤵
  PID:5404
- C:\Windows\System\qnUunii.exe
  C:\Windows\System\qnUunii.exe
  2⤵
  PID:1412
- C:\Windows\System\MDZaqey.exe
  C:\Windows\System\MDZaqey.exe
  2⤵
  PID:2232
- C:\Windows\System\FfIiMlq.exe
  C:\Windows\System\FfIiMlq.exe
  2⤵
  PID:9444
- C:\Windows\System\dpCQCmg.exe
  C:\Windows\System\dpCQCmg.exe
  2⤵
  PID:12188
- C:\Windows\System\AXkcnVg.exe
  C:\Windows\System\AXkcnVg.exe
  2⤵
  PID:5228
- C:\Windows\System\PngyqFQ.exe
  C:\Windows\System\PngyqFQ.exe
  2⤵
  PID:3828
- C:\Windows\System\ZxfOlpu.exe
  C:\Windows\System\ZxfOlpu.exe
  2⤵
  PID:5772
- C:\Windows\System\yZHGsuO.exe
  C:\Windows\System\yZHGsuO.exe
  2⤵
  PID:13324
- C:\Windows\System\dmeFHfA.exe
  C:\Windows\System\dmeFHfA.exe
  2⤵
  PID:13376
- C:\Windows\System\IeQEdxO.exe
  C:\Windows\System\IeQEdxO.exe
  2⤵
  PID:13404
- C:\Windows\System\cQCmYwm.exe
  C:\Windows\System\cQCmYwm.exe
  2⤵
  PID:13420
- C:\Windows\System\WknLDcz.exe
  C:\Windows\System\WknLDcz.exe
  2⤵
  PID:13444
- C:\Windows\System\isyMmjl.exe
  C:\Windows\System\isyMmjl.exe
  2⤵
  PID:13476
- C:\Windows\System\SdePAtS.exe
  C:\Windows\System\SdePAtS.exe
  2⤵
  PID:13496
- C:\Windows\System\arBtQlp.exe
  C:\Windows\System\arBtQlp.exe
  2⤵
  PID:13520
- C:\Windows\System\eHqrDwP.exe
  C:\Windows\System\eHqrDwP.exe
  2⤵
  PID:13536
- C:\Windows\System\qXJGHwZ.exe
  C:\Windows\System\qXJGHwZ.exe
  2⤵
  PID:13588
- C:\Windows\System\WMdZHIA.exe
  C:\Windows\System\WMdZHIA.exe
  2⤵
  PID:13632
- C:\Windows\System\pSnwXHR.exe
  C:\Windows\System\pSnwXHR.exe
  2⤵
  PID:13668
- C:\Windows\System\YigTViq.exe
  C:\Windows\System\YigTViq.exe
  2⤵
  PID:13948
- C:\Windows\System\AyoUVcI.exe
  C:\Windows\System\AyoUVcI.exe
  2⤵
  PID:13972
- C:\Windows\System\raSgwBH.exe
  C:\Windows\System\raSgwBH.exe
  2⤵
  PID:14048
- C:\Windows\System\tfBIFGg.exe
  C:\Windows\System\tfBIFGg.exe
  2⤵
  PID:14184
- C:\Windows\System\vmGHsPm.exe
  C:\Windows\System\vmGHsPm.exe
  2⤵
  PID:14268
- C:\Windows\System\BGJtCfJ.exe
  C:\Windows\System\BGJtCfJ.exe
  2⤵
  PID:14300
- C:\Windows\System\vbOmqBU.exe
  C:\Windows\System\vbOmqBU.exe
  2⤵
  PID:5780
- C:\Windows\System\vkXnIOv.exe
  C:\Windows\System\vkXnIOv.exe
  2⤵
  PID:5256
- C:\Windows\System\psAXwFK.exe
  C:\Windows\System\psAXwFK.exe
  2⤵
  PID:13008
- C:\Windows\System\UroSdSY.exe
  C:\Windows\System\UroSdSY.exe
  2⤵
  PID:1736
- C:\Windows\System\axBariQ.exe
  C:\Windows\System\axBariQ.exe
  2⤵
  PID:5640
- C:\Windows\System\FyGUSfc.exe
  C:\Windows\System\FyGUSfc.exe
  2⤵
  PID:12960
- C:\Windows\System\mMMvVUF.exe
  C:\Windows\System\mMMvVUF.exe
  2⤵
  PID:12276
- C:\Windows\System\VqboCaD.exe
  C:\Windows\System\VqboCaD.exe
  2⤵
  PID:4220
- C:\Windows\System\EHBXBks.exe
  C:\Windows\System\EHBXBks.exe
  2⤵
  PID:5380
- C:\Windows\System\RUmWAYs.exe
  C:\Windows\System\RUmWAYs.exe
  2⤵
  PID:13348
- C:\Windows\System\vVWnRaG.exe
  C:\Windows\System\vVWnRaG.exe
  2⤵
  PID:13368
- C:\Windows\System\unswISZ.exe
  C:\Windows\System\unswISZ.exe
  2⤵
  PID:5444
- C:\Windows\System\JyYPUbq.exe
  C:\Windows\System\JyYPUbq.exe
  2⤵
  PID:2932
- C:\Windows\System\yDYAayh.exe
  C:\Windows\System\yDYAayh.exe
  2⤵
  PID:13396
- C:\Windows\System\xUjXISU.exe
  C:\Windows\System\xUjXISU.exe
  2⤵
  PID:13652
- C:\Windows\System\fVDxiwx.exe
  C:\Windows\System\fVDxiwx.exe
  2⤵
  PID:13676
- C:\Windows\System\NidDlWY.exe
  C:\Windows\System\NidDlWY.exe
  2⤵
  PID:12308
- C:\Windows\System\aKtLGNq.exe
  C:\Windows\System\aKtLGNq.exe
  2⤵
  PID:12968
- C:\Windows\System\KiMbvLI.exe
  C:\Windows\System\KiMbvLI.exe
  2⤵
  PID:6388
- C:\Windows\System\WggUYii.exe
  C:\Windows\System\WggUYii.exe
  2⤵
  PID:13716
- C:\Windows\System\srmaFmD.exe
  C:\Windows\System\srmaFmD.exe
  2⤵
  PID:12304
- C:\Windows\System\JhGlIQr.exe
  C:\Windows\System\JhGlIQr.exe
  2⤵
  PID:5608
- C:\Windows\System\IPRWsSi.exe
  C:\Windows\System\IPRWsSi.exe
  2⤵
  PID:3516
- C:\Windows\System\LOkWJbJ.exe
  C:\Windows\System\LOkWJbJ.exe
  2⤵
  PID:13356
- C:\Windows\System\dLubqIC.exe
  C:\Windows\System\dLubqIC.exe
  2⤵
  PID:13416
- C:\Windows\System\RUHOmAy.exe
  C:\Windows\System\RUHOmAy.exe
  2⤵
  PID:13548
- C:\Windows\System\BlKXLQc.exe
  C:\Windows\System\BlKXLQc.exe
  2⤵
  PID:13284
- C:\Windows\System\ThbifSD.exe
  C:\Windows\System\ThbifSD.exe
  2⤵
  PID:728
- C:\Windows\System\aVlBkmY.exe
  C:\Windows\System\aVlBkmY.exe
  2⤵
  PID:3112
- C:\Windows\System\RiDodLD.exe
  C:\Windows\System\RiDodLD.exe
  2⤵
  PID:3448
- C:\Windows\System\fomsSIg.exe
  C:\Windows\System\fomsSIg.exe
  2⤵
  PID:13260
- C:\Windows\System\OLzWMwh.exe
  C:\Windows\System\OLzWMwh.exe
  2⤵
  PID:4960
- C:\Windows\System\JeHsmpU.exe
  C:\Windows\System\JeHsmpU.exe
  2⤵
  PID:14256
- C:\Windows\System\gMNEHoU.exe
  C:\Windows\System\gMNEHoU.exe
  2⤵
  PID:14248
- C:\Windows\System\NSjsHqR.exe
  C:\Windows\System\NSjsHqR.exe
  2⤵
  PID:14148
- C:\Windows\System\UemtiNF.exe
  C:\Windows\System\UemtiNF.exe
  2⤵
  PID:4196
- C:\Windows\System\cwAIfzE.exe
  C:\Windows\System\cwAIfzE.exe
  2⤵
  PID:4164
- C:\Windows\System\UNpkgeg.exe
  C:\Windows\System\UNpkgeg.exe
  2⤵
  PID:14108
- C:\Windows\System\PeIFnVa.exe
  C:\Windows\System\PeIFnVa.exe
  2⤵
  PID:4244
- C:\Windows\System\GMlvxLQ.exe
  C:\Windows\System\GMlvxLQ.exe
  2⤵
  PID:4084
- C:\Windows\System\cuVtCLX.exe
  C:\Windows\System\cuVtCLX.exe
  2⤵
  PID:5616
- C:\Windows\System\fgxuUSa.exe
  C:\Windows\System\fgxuUSa.exe
  2⤵
  PID:13568
- C:\Windows\System\QwEvexH.exe
  C:\Windows\System\QwEvexH.exe
  2⤵
  PID:13564
- C:\Windows\System\KMXRRuk.exe
  C:\Windows\System\KMXRRuk.exe
  2⤵
  PID:13708
- C:\Windows\System\iaNPyUk.exe
  C:\Windows\System\iaNPyUk.exe
  2⤵
  PID:13340
- C:\Windows\System\dYpcFtI.exe
  C:\Windows\System\dYpcFtI.exe
  2⤵
  PID:13684
- C:\Windows\System\bSKnFds.exe
  C:\Windows\System\bSKnFds.exe
  2⤵
  PID:13812
- C:\Windows\System\mwfmuLH.exe
  C:\Windows\System\mwfmuLH.exe
  2⤵
  PID:2700
- C:\Windows\System\VjWOxtE.exe
  C:\Windows\System\VjWOxtE.exe
  2⤵
  PID:13920
- C:\Windows\System\uSycVyK.exe
  C:\Windows\System\uSycVyK.exe
  2⤵
  PID:13808
- C:\Windows\System\ePdhVQI.exe
  C:\Windows\System\ePdhVQI.exe
  2⤵
  PID:14196
- C:\Windows\System\JutotiY.exe
  C:\Windows\System\JutotiY.exe
  2⤵
  PID:5272
- C:\Windows\System\eEPsiFo.exe
  C:\Windows\System\eEPsiFo.exe
  2⤵
  PID:4040
- C:\Windows\System\ryGiGij.exe
  C:\Windows\System\ryGiGij.exe
  2⤵
  PID:3956
- C:\Windows\System\qHygsvO.exe
  C:\Windows\System\qHygsvO.exe
  2⤵
  PID:5232
- C:\Windows\System\jHlmJbi.exe
  C:\Windows\System\jHlmJbi.exe
  2⤵
  PID:4192
- C:\Windows\System\LvnHMxi.exe
  C:\Windows\System\LvnHMxi.exe
  2⤵
  PID:4320
- C:\Windows\System\ypCljOg.exe
  C:\Windows\System\ypCljOg.exe
  2⤵
  PID:13780
- C:\Windows\System\vNHMeHk.exe
  C:\Windows\System\vNHMeHk.exe
  2⤵
  PID:14008
- C:\Windows\System\LWDojVe.exe
  C:\Windows\System\LWDojVe.exe
  2⤵
  PID:6644
- C:\Windows\System\oqmQDEI.exe
  C:\Windows\System\oqmQDEI.exe
  2⤵
  PID:6720
- C:\Windows\System\GMVYBXO.exe
  C:\Windows\System\GMVYBXO.exe
  2⤵
  PID:6604
- C:\Windows\System\dnUGcsW.exe
  C:\Windows\System\dnUGcsW.exe
  2⤵
  PID:584
- C:\Windows\System\IqooQeR.exe
  C:\Windows\System\IqooQeR.exe
  2⤵
  PID:13988
- C:\Windows\System\KWRNERQ.exe
  C:\Windows\System\KWRNERQ.exe
  2⤵
  PID:14012
- C:\Windows\System\kzZcLxN.exe
  C:\Windows\System\kzZcLxN.exe
  2⤵
  PID:14316
- C:\Windows\System\skDojPl.exe
  C:\Windows\System\skDojPl.exe
  2⤵
  PID:14308
- C:\Windows\System\CBLVBuF.exe
  C:\Windows\System\CBLVBuF.exe
  2⤵
  PID:13696
- C:\Windows\System\dlgVXQI.exe
  C:\Windows\System\dlgVXQI.exe
  2⤵
  PID:14104
- C:\Windows\System\WHOfPup.exe
  C:\Windows\System\WHOfPup.exe
  2⤵
  PID:2956
- C:\Windows\System\eefLXBC.exe
  C:\Windows\System\eefLXBC.exe
  2⤵
  PID:1688
- C:\Windows\System\boZerar.exe
  C:\Windows\System\boZerar.exe
  2⤵
  PID:14136
- C:\Windows\System\GsmeqqS.exe
  C:\Windows\System\GsmeqqS.exe
  2⤵
  PID:2984
- C:\Windows\System\vxNpUQu.exe
  C:\Windows\System\vxNpUQu.exe
  2⤵
  PID:2788
- C:\Windows\System\TFKkgBL.exe
  C:\Windows\System\TFKkgBL.exe
  2⤵
  PID:3280
- C:\Windows\System\hJNEPmE.exe
  C:\Windows\System\hJNEPmE.exe
  2⤵
  PID:4500
- C:\Windows\System\yHycXPH.exe
  C:\Windows\System\yHycXPH.exe
  2⤵
  PID:892
- C:\Windows\System\mKfdQMl.exe
  C:\Windows\System\mKfdQMl.exe
  2⤵
  PID:6112
- C:\Windows\System\ZDLohSD.exe
  C:\Windows\System\ZDLohSD.exe
  2⤵
  PID:13552
- C:\Windows\System\TEaKowe.exe
  C:\Windows\System\TEaKowe.exe
  2⤵
  PID:1244
- C:\Windows\System\RedZhea.exe
  C:\Windows\System\RedZhea.exe
  2⤵
  PID:1768
- C:\Windows\System\IVfPZQl.exe
  C:\Windows\System\IVfPZQl.exe
  2⤵
  PID:14164
- C:\Windows\System\AqvLSPL.exe
  C:\Windows\System\AqvLSPL.exe
  2⤵
  PID:5148
- C:\Windows\System\ghboIPs.exe
  C:\Windows\System\ghboIPs.exe
  2⤵
  PID:3660
- C:\Windows\System\laTYAah.exe
  C:\Windows\System\laTYAah.exe
  2⤵
  PID:1340
- C:\Windows\System\OtLrUck.exe
  C:\Windows\System\OtLrUck.exe
  2⤵
  PID:3404
- C:\Windows\System\cMuRKXl.exe
  C:\Windows\System\cMuRKXl.exe
  2⤵
  PID:4776
- C:\Windows\System\WBZnMuC.exe
  C:\Windows\System\WBZnMuC.exe
  2⤵
  PID:5188
- C:\Windows\System\giGoKZC.exe
  C:\Windows\System\giGoKZC.exe
  2⤵
  PID:13336
- C:\Windows\System\MXfJKLi.exe
  C:\Windows\System\MXfJKLi.exe
  2⤵
  PID:5576
- C:\Windows\System\barkRKj.exe
  C:\Windows\System\barkRKj.exe
  2⤵
  PID:13580
- C:\Windows\System\aIVjAqc.exe
  C:\Windows\System\aIVjAqc.exe
  2⤵
  PID:13704
- C:\Windows\System\qUJCeor.exe
  C:\Windows\System\qUJCeor.exe
  2⤵
  PID:12836
- C:\Windows\System\jMkZdaD.exe
  C:\Windows\System\jMkZdaD.exe
  2⤵
  PID:4832
- C:\Windows\System\kkxeNjc.exe
  C:\Windows\System\kkxeNjc.exe
  2⤵
  PID:1396
- C:\Windows\System\fdFKxKl.exe
  C:\Windows\System\fdFKxKl.exe
  2⤵
  PID:4464
- C:\Windows\System\GYmRKup.exe
  C:\Windows\System\GYmRKup.exe
  2⤵
  PID:3988
- C:\Windows\System\ymHiADj.exe
  C:\Windows\System\ymHiADj.exe
  2⤵
  PID:13508
- C:\Windows\System\thqLQFt.exe
  C:\Windows\System\thqLQFt.exe
  2⤵
  PID:13788
- C:\Windows\System\ZpOYFDm.exe
  C:\Windows\System\ZpOYFDm.exe
  2⤵
  PID:13984
- C:\Windows\System\ptQHTTV.exe
  C:\Windows\System\ptQHTTV.exe
  2⤵
  PID:720
- C:\Windows\System\LEiNgjp.exe
  C:\Windows\System\LEiNgjp.exe
  2⤵
  PID:4660
- C:\Windows\System\eSzudLH.exe
  C:\Windows\System\eSzudLH.exe
  2⤵
  PID:5792
- C:\Windows\System\VpVRyhp.exe
  C:\Windows\System\VpVRyhp.exe
  2⤵
  PID:6748
- C:\Windows\System\dVlQwdF.exe
  C:\Windows\System\dVlQwdF.exe
  2⤵
  PID:6668
- C:\Windows\System\KeTPJcc.exe
  C:\Windows\System\KeTPJcc.exe
  2⤵
  PID:1208
- C:\Windows\System\furfoOP.exe
  C:\Windows\System\furfoOP.exe
  2⤵
  PID:13760
- C:\Windows\System\IlEfouH.exe
  C:\Windows\System\IlEfouH.exe
  2⤵
  PID:5676
- C:\Windows\System\AxIGsfl.exe
  C:\Windows\System\AxIGsfl.exe
  2⤵
  PID:4620
- C:\Windows\System\TJJDVeJ.exe
  C:\Windows\System\TJJDVeJ.exe
  2⤵
  PID:6028
- C:\Windows\System\lvySZBn.exe
  C:\Windows\System\lvySZBn.exe
  2⤵
  PID:6860
- C:\Windows\System\SNbCSzi.exe
  C:\Windows\System\SNbCSzi.exe
  2⤵
  PID:1176
- C:\Windows\System\JGcMwCL.exe
  C:\Windows\System\JGcMwCL.exe
  2⤵
  PID:4916
- C:\Windows\System\uKOhhPL.exe
  C:\Windows\System\uKOhhPL.exe
  2⤵
  PID:6532
- C:\Windows\System\yecqUdJ.exe
  C:\Windows\System\yecqUdJ.exe
  2⤵
  PID:6160
- C:\Windows\System\VIPohQx.exe
  C:\Windows\System\VIPohQx.exe
  2⤵
  PID:2936
- C:\Windows\System\zxkDNLN.exe
  C:\Windows\System\zxkDNLN.exe
  2⤵
  PID:2504
- C:\Windows\System\uKoKdNN.exe
  C:\Windows\System\uKoKdNN.exe
  2⤵
  PID:5956
- C:\Windows\System\kTaQtCC.exe
  C:\Windows\System\kTaQtCC.exe
  2⤵
  PID:14096
- C:\Windows\System\eXLLmLx.exe
  C:\Windows\System\eXLLmLx.exe
  2⤵
  PID:4588
- C:\Windows\System\EeDdCSX.exe
  C:\Windows\System\EeDdCSX.exe
  2⤵
  PID:2884
- C:\Windows\System\kEfmxuM.exe
  C:\Windows\System\kEfmxuM.exe
  2⤵
  PID:2344
- C:\Windows\System\gBHSrBu.exe
  C:\Windows\System\gBHSrBu.exe
  2⤵
  PID:4400
- C:\Windows\System\PodoJUm.exe
  C:\Windows\System\PodoJUm.exe
  2⤵
  PID:4120
- C:\Windows\System\mtaLHAH.exe
  C:\Windows\System\mtaLHAH.exe
  2⤵
  PID:844
- C:\Windows\System\QgyZJEJ.exe
  C:\Windows\System\QgyZJEJ.exe
  2⤵
  PID:3432
- C:\Windows\System\vYqEGrO.exe
  C:\Windows\System\vYqEGrO.exe
  2⤵
  PID:1112
- C:\Windows\System\VkCIoUU.exe
  C:\Windows\System\VkCIoUU.exe
  2⤵
  PID:5268
- C:\Windows\System\kKmMwnC.exe
  C:\Windows\System\kKmMwnC.exe
  2⤵
  PID:10300
- C:\Windows\System\bJclioD.exe
  C:\Windows\System\bJclioD.exe
  2⤵
  PID:14112
- C:\Windows\System\sVLjZDl.exe
  C:\Windows\System\sVLjZDl.exe
  2⤵
  PID:5452
- C:\Windows\System\YCzYxoz.exe
  C:\Windows\System\YCzYxoz.exe
  2⤵
  PID:3744
- C:\Windows\System\aUACjtb.exe
  C:\Windows\System\aUACjtb.exe
  2⤵
  PID:3240

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4648 -i 4648 -h 500 -j 504 -s 536 -d 0
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:13884

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14096

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14012

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:14032

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imxnpyhy.lys.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AnjiLlh.exe

Filesize
3.0MB

MD5
a1a8bee75babd9b92fb0e74a84724739

SHA1
58803d49b5df075bc177db1c0c1eb7161aee0f76

SHA256
a4feeb5fdf98f151fc56d8d59335bf562f8681a6ef656752786525026a4a4671

SHA512
604b130e7dd8e6a73780ae53e656555308b52872101004a1cb0cec89718f722bfc1713f7c83b67fe5794e1ebdae60b439787be1c097996d9cfe9f809c7f96f34

Download Submit
C:\Windows\System\CcLvdBx.exe

Filesize
3.0MB

MD5
5d1891ab84a86dc611079b0cc4bc80b2

SHA1
090d1ea4f3dc0a40ccd2e9470326c29d0fca2dc7

SHA256
3bc08aefc7de06fbd6f6cc2640086bf96931a67935eb0b655f3c4df6cf8296fc

SHA512
623b5495215c4f9562202899f7939d86d80d976951a05017f99731260072ab997ede94124dc2e286bfbb5f2fe0228584eb6c2289449f23905d78f0a3def58432

Download Submit
C:\Windows\System\FhiZJOU.exe

Filesize
3.0MB

MD5
af01c14478db6ff92f4e62a54250f7df

SHA1
cba0b049d322cb42df69950502795b46ed50c477

SHA256
faeeca7afa954cd0ae3c2ae3ac36c57c8e11fdf9369cef2a5c54350f246e6078

SHA512
d93c60ce13f03ed8af8c1fb08571c7cf2cb1efb120a98d190a722ab3000ea6898472efbbcfbadcad01ee5523333f9840d69ae5d3ccf7f7e574c26ba60c97b770

Download Submit
C:\Windows\System\GXULOAj.exe

Filesize
3.0MB

MD5
ba01d5b08594a547b4def297ad6d1e59

SHA1
4eb68fefdff1aee4ef5f000b4d4556944d22364f

SHA256
6ed3eca141fd620949fa573ca7642db4fdb20d98cd1dd5d0089278c20bafd09a

SHA512
da80c05aecbf170c83b6fe3ed4011b370d2143767676c4afa965ab57ea5d45c932e17a37a4bbecfe2a31824f53c74d54d5615145abd46999c7e5962004e6d209

Download Submit
C:\Windows\System\IeyIwnL.exe

Filesize
3.0MB

MD5
9cf168d970055def117c58933d026a3d

SHA1
26b30a86b15b25dceb37a792d45c7980e3cc9bfc

SHA256
8b96ae3c8b3d08be382f6e814953edadb2f95842d047e99976f364d80c547feb

SHA512
ce9b9400626deaec6117192d068716fae515518aa64ff3edd68cdc19918dc7a33823895b343e8eadd1bf17abf97a69d38a4a30b4f89292e65161073b2e8fa3d5

Download Submit
C:\Windows\System\KcHObkJ.exe

Filesize
3.0MB

MD5
5d62c76bb876cf66bdd46fe46bbda7e5

SHA1
d844cadef17f57b86e86855562fcea16303da524

SHA256
05ddc787cc239d4673b4d7a60d9575b29e3c9af2620ba530ab9fce6290b1b269

SHA512
0236ddb51204764e7541e1aaf13168da2d9ee50d7df867d70f0fda5ddc8185cdc0fa23cab61ac390fce7ac1301a35184def09f9b033ba6d4f5282d57cfee95fc

Download Submit
C:\Windows\System\KjHExPk.exe

Filesize
3.0MB

MD5
61f278bd0add512b7b50faf5d20d6f35

SHA1
ac9181921e0fc8971ad9922a6a77d1b0ec1ec83e

SHA256
2672f15f376356518a2747649ba06b7590a26622f5bd076cbb668a6c4fa8d8e7

SHA512
9e62e3c7109a5a40579666b2371e3288376765a1e2f59deb7f68c460aea331496e002411bf179de5bc091fe11d8d2398268da0efdc714cc7390a5b3f8919c247

Download Submit
C:\Windows\System\LRbDBdj.exe

Filesize
3.0MB

MD5
c2f0a49020a2611ef0d83f3f0ac6a6b1

SHA1
6749c170719727687a815c0680e6b4bf9441e891

SHA256
d0ea8c424b1a3e32ddcc17d0ca716003361714c0856ff44c042f74091e3e4d97

SHA512
ef2ca55516292c8809e53d8f6eac51a9f45ca9376a757316bfe982fb05efdb35e29af8b762708b04c96b7165ac6a99df4ad03b36c23ea4766fadb2f71b5ddac6

Download Submit
C:\Windows\System\MFPkUrx.exe

Filesize
3.0MB

MD5
34560b53c8dc1a75214d95632ed3887b

SHA1
6a667b2a6fa996d3ace021d0c9b9b2f1d9f4bf65

SHA256
a478cfbb6b7686f2522ac168cd6336e845470ed18f6a68a6c43a534adfbe302d

SHA512
513c0491433f201819b51e32da552f1f3889cc7de091619c4f8b47e436d6e178f8c66126a8f2b8b954fa1f1ca0b68745d1f3d874bff772006a313b0099e938ef

Download Submit
C:\Windows\System\NIrNexm.exe

Filesize
3.0MB

MD5
9e2cdab57a7692269564dd9d32059d9b

SHA1
0168eedfb2f79b8400bd449fb475a96331b051ef

SHA256
62d529dc917f0e6d7669587e82889e2e1a341893c2d4e94c1f125f3f3cc9ac20

SHA512
6d0a0ffbe8f176e48d9218b337b8bd94aff58f960281c559d997a47bcf7e15239f672516ab17df3dcb475b5e5ed76d8c8b2b3cca972ab58b87a05cddcade6582

Download Submit
C:\Windows\System\OGflcib.exe

Filesize
3.0MB

MD5
42f1718f34a2ce89f94936af9bf62bc3

SHA1
fd42c915c68b05ffe9a435e72b538845beb4b3d4

SHA256
56b14f17026513ccee6a150417c9cebc6d297301f5dfe250a024977e4772604d

SHA512
e6e9a5b387cd2a219b905d369af317b00a22028cd14df02a4c6017e22e880df3b81d1aca90e17d809dc59f9a6feba08c2a282accd1f56139bd06a9be113593d2

Download Submit
C:\Windows\System\OgzRKaV.exe

Filesize
3.0MB

MD5
26f3dc63675826cbc24573187fa56550

SHA1
ab47c545268ff05f0c0330596031715863978543

SHA256
f4101525c8b60035f099883d020c2a623d61a58fb2aa12374ddfb42465489c31

SHA512
495a3d11e8d2c555137d6b0a703d07e501ffdfc2abc5b07641769bc85b6d870b1a56f16d5dd54ef442f5e87455887a73f4624d0d700f63b8d37b320f4498fcb9

Download Submit
C:\Windows\System\PmsOTMS.exe

Filesize
3.0MB

MD5
0eb7bac4ef6020f46dae6532e699cdaf

SHA1
84437759bd99add1f8268e5bcf4dc874e8960eff

SHA256
5604ede8eb6aeadb5de0578fa6ec4706a19d0815b16c213ced10ed17ed4b12f7

SHA512
67a2a898b6dec36721cd699c55828b233dce04a46e935d38cddf11b223cda86a9765483ecae871ac6401e47029a2ca27d5cd74a25c42453aab4ab66d7f39e190

Download Submit
C:\Windows\System\QrBzRLt.exe

Filesize
3.0MB

MD5
28fac95c3ecfaecd0ef7ef6edb7ccbd9

SHA1
14f540ac61b4b2e8eb4510f718ddb603ce46fb11

SHA256
38fc89f411b5759ca60b58975b769d79e840d7ddc27157b5e428b7270366ef75

SHA512
380362b10ce96f392fe53830fcafcb7d9157e4e075352d49ba174ed5edb07a30891055cd6672f3d865b516748ca274341e5dead2d92fd46cc977b64ddbabc75f

Download Submit
C:\Windows\System\SHMlkRQ.exe

Filesize
3.0MB

MD5
ff48eebf004ac69204b64a17a5791c73

SHA1
138306810d160edcff70f0683734a1dd8c6ea520

SHA256
cd37ab747f78a89babff63febc944521fda3d6d4fc06990bd32c91b72ee30bd5

SHA512
bde9c2631096dde1d1845a0bafaaab998b03c3409aecd31ee6973ec83fdefef8667dc9b743b86d3fb2f647a60279dd75f6496d2b89cc813d7c332d37c4fc5cb8

Download Submit
C:\Windows\System\SaVNOkg.exe

Filesize
3.0MB

MD5
ecf125a39b2d43cb26a05f1d9440f02d

SHA1
ffc4a3f9a7558cf96a157a8ed79e3ff95bdf0610

SHA256
3990e581a916ac9144324a751323c45cf179295ee09b809e23984c4e6ffd331d

SHA512
c02064ce9c00c220a3dc7a21206d482d8c2ad0d65de5be01db6ba0da7efc0c15db9e5e4cc41d05bce97e7db2b8247e93ec76c0990e0bd765e42535db7199500a

Download Submit
C:\Windows\System\TBeIsYj.exe

Filesize
3.0MB

MD5
48b26d0485f843af6a03eebed190c3e6

SHA1
6ba47b72442967f154710a711ec924189c862c60

SHA256
0de239384d7d9d00b67bc6168ba1fa53153bf90536fdbe69bcc1b68abf18f81d

SHA512
082dbdb3a651c253765a7dbded09f120c74f54c576fe999dc407aee85f3fb21525587669ada6aefc3107d3e1d8b7012e39db5abeeb0762c56e1b9af273e27232

Download Submit
C:\Windows\System\ZLAaoqX.exe

Filesize
3.0MB

MD5
b7eee0fa1e97e723ca54a4e8268f1b41

SHA1
8f02f32395fd32f768abeff7bbb2ebbfab0ec8fe

SHA256
a49b41debd6295c2eaa19ba328db341d62c3cc93e18ebaaf00c1d0f006c47c02

SHA512
f29445298db7febba5283362a23f6f085e3999c3f031d88b31d985ed53801c416f7a0d71e44e0d49ef9c1940caf7b7473d66ca30b6d563b7a7ade02ea61b49d6

Download Submit
C:\Windows\System\ZXsLHiZ.exe

Filesize
3.0MB

MD5
9757bd4ced00d5c34e91f50b3934efa8

SHA1
115fa2c636460ef3a7eff1b5b6270a07447c82e5

SHA256
567f5e2b47f3bc711b2270a9f9c4f91a522e2dc3f4132a4a9f6f2aef7ed89d00

SHA512
952260a65649de2984efeb857ddfc9b1601e4a7c61a7279a356301622163a0f01c059dc2deb584de2b603fe9bb0aa915f63f9e7f000053799165c06048536934

Download Submit
C:\Windows\System\cgZEOuz.exe

Filesize
3.0MB

MD5
f8a95d599fcd9bef0cdb72aaf236e0ac

SHA1
be3eb5ccad78c39a671159515e5b134a13abe078

SHA256
a3662a5fc5008f44eda64032e7d9c66522396ee8ddd58503d1e957a3fd1a6618

SHA512
aae7f693db4cacda182654cbb041716d6e62d17ee2739ec6a58ece53691ddb3b7eaa2fb1000af4f1d629083de146bfe2140248fa7b27fa2841832cb7fc8d1904

Download Submit
C:\Windows\System\csKCVuQ.exe

Filesize
3.0MB

MD5
684d6b650cd16d961fd78056997bb018

SHA1
6aee09c8ab77faa074f91ef56bd64bedb604c01f

SHA256
e86175148bfa93a688f138483d63c07d3f79847b4cc7cba77a65f33fe897e28a

SHA512
161bd3abc584ad461ed220f81743807e32ab574a66a5693e96c6142e4365cf3061464e792946961889308c451335babeb87858bb441572134e335d539c9f021d

Download Submit
C:\Windows\System\eKjsjLn.exe

Filesize
3.0MB

MD5
37690536dcf3c1b8a74868cbb1858b4c

SHA1
c02b3dbde6010e9d5f61a85815d2ebe72ad34c10

SHA256
538df8c22dfe5ee42bcc1d96183fbe3625a28c745b7f0a1025d72300bcbedc2a

SHA512
489c68b3cce441366dc3743d0c8d060017ab8f284f43c1e03a0b2439601fff8a02e0ac80776d5a7cb29affd915f9fe7531dd81898cea97967fd27a0654b014eb

Download Submit
C:\Windows\System\gDscmoB.exe

Filesize
8B

MD5
2f610ed4fd34c7b93dede1793521baba

SHA1
5daae5f3b2625b6a326bfb1be39046cb371fc4a6

SHA256
d587df361f44238ccf5a60428309780a9b6bde224606e4679c94364299985684

SHA512
367244af67370594aa8df8799be42b55afcd8abd950bf66980b9cb155b499d06ebcadc359f153586f1736d1a5dd7bea12b69a39d93e67441419399282c1888bb

Download Submit
C:\Windows\System\juoXbeu.exe

Filesize
3.0MB

MD5
646f0e793ec739a07a2220913fadff53

SHA1
c60bc714b11e7faf078a82bd59572ba8a08e1bff

SHA256
5e41b87ce12f48b70e5f6c8c67523f7cb6d7c71779cf28ed77c04fbbe2f65ee8

SHA512
1c6bdc47b519c3854116e62e1a318dcfa7f0dad946b70882e99664f03b63adf949a711b6790e33c1ee12c6fb611033f28852d9cc7aee07d85ab89198c17adaa7

Download Submit
C:\Windows\System\kYgELkk.exe

Filesize
3.0MB

MD5
0496f52b8af67f5231362c85092dd03a

SHA1
4469a4e996fd388a78cf250c13a823afe7886af4

SHA256
db7902ca3c39666c10defb1f679705cc7e8d99e5c76d7f4ff48f65aaccf6e58f

SHA512
580362df3ad4dc1ce8f34de28c1824ba6e1946ff33b1c8136a5a1e5903153c74fab58d6e4e26333037b1ea2c84d98076669cfd0c200d07062b418540d1679d70

Download Submit
C:\Windows\System\mubempN.exe

Filesize
3.0MB

MD5
9b14ee2ecafdb5f34f0e0720f9fc3225

SHA1
b0e54f6c375fb85dbbb71f0a26b1df17067e699f

SHA256
db6fded4680dc2e515b76fccae1f2c90b4155f587594dd7855af980068457dfd

SHA512
37b9ea2cb87e40d60ba87844e56adda037eb5371cb67a2d98ac399094131279ec3c09b7ff713b80c28033941f3de8c9cf6b68dba0b750a3639e0f9788aa4e231

Download Submit
C:\Windows\System\otKSOdr.exe

Filesize
3.0MB

MD5
daea63d27facbb1a5c974415769fa6f1

SHA1
fae528469adb7fe7d012d04b8b911d918b086ad2

SHA256
c6f20ed5b224cf0a55643b0598d33d7661aa07db91fddbfedec70787d2da5b6a

SHA512
7074427bfb734387670c5407fa216934b08e24a36293f175ff9a03a803c3fc590a722aeb5b890095ad36b0f56f4dc5f44ed082a1fed93797a70ff9008f8cf4c5

Download Submit
C:\Windows\System\ppBKMpO.exe

Filesize
3.0MB

MD5
dc40a5c6d86428532268c599ed7f9920

SHA1
4a9b7201b78d4e84f8e41f887dddb717753bb799

SHA256
6437bfc7bae730586be1020a12e44c2cf08410ef12628717f78aa9e7434f7a0d

SHA512
04af57cff4149dbda9b63008b255d1ed6507d1a3556249b58c0b114ca670374eea63220f4cb726130d1cbd96798956d4ab30bde3ddde17f8ec1a7fd5e35fedc5

Download Submit
C:\Windows\System\pvUqasc.exe

Filesize
18B

MD5
bb03964bb6999f8b59a80d882e7357fc

SHA1
dad034dc7f0131858f69e6358b06741426882979

SHA256
aafca8c5a26ca0a4f2343a68b34cbab73ab7ce8111d1499b75478b370965e892

SHA512
30a183dbbd5795ca8cc218d9efd2598cd95794b3e4640491c47059add19a9447791634cafdcff0b93cee0ce61b3582de4f2649241eb02c5150703db59892bf7d

Download Submit
C:\Windows\System\rtmkACc.exe

Filesize
3.0MB

MD5
b4572951e3c48030fc0981c84c791e40

SHA1
1db1ff13e261538bc0a036b1300c05efe2e574e9

SHA256
a391f678f2bac9608b42497ef2ac92da7e41b81a7ab4df3fc0ad40de35ac5816

SHA512
93208198b22822cd661e20ea4d0f61247d5a75f3f89be7bb61adffb853040802de79e6a85331cafb05cb9921a2f1fb92c1146cb3e77694a73eae8c772f5b3250

Download Submit
C:\Windows\System\smxpJkJ.exe

Filesize
3.0MB

MD5
451ec26566e3cf38ac07f366a098c7ae

SHA1
8b4be6a9de1db426fbb364a5c39f7556e4871a79

SHA256
ee2373a524344705c05d2d99f012033eea80e009ae79f2f61deb97e155fde254

SHA512
cb1dd467dc706a867b57dbde8a40a304f54a90e8a9dfadd3df884b47eb8fd8b9c80b049d1c645fbe5ae04bda951e2f146c1abbdc603a8f962cd205dd5a7a897a

Download Submit
C:\Windows\System\stnfuvH.exe

Filesize
3.0MB

MD5
0a5c58802265c947cbac6e0c612ec57d

SHA1
fade2dde18a64d8f9c7b37e55e1aaa2b4cde8a46

SHA256
b1a75842bd3e19632776aa8a9976069e463bc82c1a460c5a494fadfdba628a15

SHA512
c7f046796163ae64d0a73f9ffa3b8a1bbe79945c6de40988a7378100cb77d2daaab0f3707b31dd5054b3c15ddf21c00248fbdc62442b06dafacec8a94fe546f4

Download Submit
C:\Windows\System\syLNezZ.exe

Filesize
3.0MB

MD5
76f9bf2d11fbc6e53afcfa42fdb2b306

SHA1
0f3aee347cdff5b955a2b0596a588425626b9084

SHA256
549c69070f9a54e0e5eba586eef4cd2e1c6e95a5b2f81f34f42aa05455873e7f

SHA512
18f2d1f1edfce90b421af1103475402bcd4d6c949c0bab1b13ded34739cf8e4703b2d6c7b65d30227d053dbf2ffccd2bfbb60ae32926cfa2bd5e61c0e551feed

Download Submit
C:\Windows\System\vDXGOfd.exe

Filesize
3.0MB

MD5
0db53458e7f5f189a7c45c243c8ab8cf

SHA1
e236fff37aa1c6166befdf7009c2ac38b145f168

SHA256
ec48f6c6889a3c861663fef242a83050a676519bece88005e6ac30688fed3f41

SHA512
3d61ea30751450e5de0b66d7f8545a8175ab4fb28d680a339ff84cc5101e08a15528545e34e3fed7d71763d0a05ac8873dc0944dd6c366121a87fa2737ef6427

Download Submit
C:\Windows\System\vVmuUXA.exe

Filesize
3.0MB

MD5
e1e090a5204c9cfee6bcfaf190d0f964

SHA1
c890d81a2e52c0dee142878b76d03224a1518068

SHA256
07e03820893c724138f7f6a6b6620a518af18e3a56a6cc73bade04b2263ef2e5

SHA512
8e1278f52befe1396d02225c1736940677e539d06ee6d8bf2312e061487e38679c2e0c91b4b91b7cdefcaa2fd6bf97868ed368ef193cdbc72f7bd5ce53184aff

Download Submit
C:\Windows\System\wNsoHjs.exe

Filesize
3.0MB

MD5
5e81164ee333f895aefdcd8059b091f1

SHA1
a900d8ec4ef6967a58528ecbc517aae03b02ee47

SHA256
89ce620c530c7cce71a7351b5f9c7ebc582b3bb839d187f366d98306a5a895a3

SHA512
697ca910f9f119eea6cfab4e130777eaecfe9f5a8369973c1c61273d315aaba6b6523e01221b87f33972d374efcf9600cc58813421601da6a93204c4dc08628e

Download Submit
C:\Windows\System\wklCoyl.exe

Filesize
3.0MB

MD5
cef21855ca30472096e7a22dd3de6873

SHA1
7c21cddac8db3e91ef28836ce103495132ce8b5d

SHA256
e2d2181aaef2fd50c8541275a227420d4a85eb1b056ca5e75243db7da049a888

SHA512
6c31ef316e21f6a2ca1db0c81646adc93946a00b148f67e8148add07517c27d221af351c71ffdaf8545ae284b64de7b299f378ecbdd2ced54f077c1ac3c2c1dc

Download Submit
C:\Windows\System\xpeVauA.exe

Filesize
3.0MB

MD5
d709f224e6bfd369bfbcc03c4dd0c8dc

SHA1
d203d7663a777f2d2b3a05f57630e89637018e40

SHA256
0b74a9fd8ae365182ddb0ca8f0be28d58d448f881fc9e5a61ac49baea6900b21

SHA512
b7aeeb92da33cee7a6717848bc1992d4a9d36c8ee2005024eb9c16f0ebd677b753b45e036825789fc2934b7721989d76bc58fd2fd6fcaf21fa5d079d9db0ab53

Download Submit
C:\Windows\System\xzGtKva.exe

Filesize
3.0MB

MD5
156b42ca4251ae71d341b022b8f09d43

SHA1
1d7efe6ce196c7f6a41e36b5be7e3bb741eacaa5

SHA256
97d1ed6516910f373e3062a230b3077485d7ec08259e7881963f41a2e3526b0b

SHA512
0aeca9aa856de52b8c16e90d22d05059682c38e9556561f81bca0b6cc3cfbf484850ba7483842be62ed02cbc3d0229292aab7c41e3e7129b81607e0b24e5373f

Download Submit
memory/428-361-0x00007FF6E6730000-0x00007FF6E6B22000-memory.dmp

Filesize
3.9MB

Download
memory/1004-3110-0x00007FF7889B0000-0x00007FF788DA2000-memory.dmp

Filesize
3.9MB

Download
memory/1004-363-0x00007FF7889B0000-0x00007FF788DA2000-memory.dmp

Filesize
3.9MB

Download
memory/1120-359-0x00007FF7465F0000-0x00007FF7469E2000-memory.dmp

Filesize
3.9MB

Download
memory/1120-3167-0x00007FF7465F0000-0x00007FF7469E2000-memory.dmp

Filesize
3.9MB

Download
memory/1400-161-0x00007FF7271E0000-0x00007FF7275D2000-memory.dmp

Filesize
3.9MB

Download
memory/1400-3071-0x00007FF7271E0000-0x00007FF7275D2000-memory.dmp

Filesize
3.9MB

Download
memory/1532-185-0x00007FF68E6C0000-0x00007FF68EAB2000-memory.dmp

Filesize
3.9MB

Download
memory/1532-3083-0x00007FF68E6C0000-0x00007FF68EAB2000-memory.dmp

Filesize
3.9MB

Download
memory/1652-364-0x00007FF64BE30000-0x00007FF64C222000-memory.dmp

Filesize
3.9MB

Download
memory/1652-3161-0x00007FF64BE30000-0x00007FF64C222000-memory.dmp

Filesize
3.9MB

Download
memory/1716-3079-0x00007FF69E5E0000-0x00007FF69E9D2000-memory.dmp

Filesize
3.9MB

Download
memory/1716-215-0x00007FF69E5E0000-0x00007FF69E9D2000-memory.dmp

Filesize
3.9MB

Download
memory/1740-3187-0x00007FF7D6910000-0x00007FF7D6D02000-memory.dmp

Filesize
3.9MB

Download
memory/1740-351-0x00007FF7D6910000-0x00007FF7D6D02000-memory.dmp

Filesize
3.9MB

Download
memory/1840-308-0x00007FF6C6F90000-0x00007FF6C7382000-memory.dmp

Filesize
3.9MB

Download
memory/1840-3102-0x00007FF6C6F90000-0x00007FF6C7382000-memory.dmp

Filesize
3.9MB

Download
memory/2336-3067-0x00007FF623760000-0x00007FF623B52000-memory.dmp

Filesize
3.9MB

Download
memory/2336-186-0x00007FF623760000-0x00007FF623B52000-memory.dmp

Filesize
3.9MB

Download
memory/2400-3117-0x00007FF6A8320000-0x00007FF6A8712000-memory.dmp

Filesize
3.9MB

Download
memory/2400-309-0x00007FF6A8320000-0x00007FF6A8712000-memory.dmp

Filesize
3.9MB

Download
memory/2484-10-0x00007FF78DCA0000-0x00007FF78E092000-memory.dmp

Filesize
3.9MB

Download
memory/3116-3091-0x00007FF7E40A0000-0x00007FF7E4492000-memory.dmp

Filesize
3.9MB

Download
memory/3116-280-0x00007FF7E40A0000-0x00007FF7E4492000-memory.dmp

Filesize
3.9MB

Download
memory/3428-302-0x00007FF66F7E0000-0x00007FF66FBD2000-memory.dmp

Filesize
3.9MB

Download
memory/3428-3100-0x00007FF66F7E0000-0x00007FF66FBD2000-memory.dmp

Filesize
3.9MB

Download
memory/3460-342-0x00007FF641DD0000-0x00007FF6421C2000-memory.dmp

Filesize
3.9MB

Download
memory/3524-3058-0x00007FF6E2B20000-0x00007FF6E2F12000-memory.dmp

Filesize
3.9MB

Download
memory/3524-112-0x00007FF6E2B20000-0x00007FF6E2F12000-memory.dmp

Filesize
3.9MB

Download
memory/3592-3056-0x00007FF627100000-0x00007FF6274F2000-memory.dmp

Filesize
3.9MB

Download
memory/3592-145-0x00007FF627100000-0x00007FF6274F2000-memory.dmp

Filesize
3.9MB

Download
memory/3640-3128-0x00007FF6D3EC0000-0x00007FF6D42B2000-memory.dmp

Filesize
3.9MB

Download
memory/3640-362-0x00007FF6D3EC0000-0x00007FF6D42B2000-memory.dmp

Filesize
3.9MB

Download
memory/3668-256-0x00007FF6CE480000-0x00007FF6CE872000-memory.dmp

Filesize
3.9MB

Download
memory/3668-3076-0x00007FF6CE480000-0x00007FF6CE872000-memory.dmp

Filesize
3.9MB

Download
memory/3680-3191-0x00007FF7579F0000-0x00007FF757DE2000-memory.dmp

Filesize
3.9MB

Download
memory/3680-347-0x00007FF7579F0000-0x00007FF757DE2000-memory.dmp

Filesize
3.9MB

Download
memory/3720-3122-0x00007FF780B70000-0x00007FF780F62000-memory.dmp

Filesize
3.9MB

Download
memory/3720-326-0x00007FF780B70000-0x00007FF780F62000-memory.dmp

Filesize
3.9MB

Download
memory/4368-4614-0x00007FF6A12A0000-0x00007FF6A1692000-memory.dmp

Filesize
3.9MB

Download
memory/4368-1-0x00000223F7540000-0x00000223F7550000-memory.dmp

Filesize
64KB

Download
memory/4368-0-0x00007FF6A12A0000-0x00007FF6A1692000-memory.dmp

Filesize
3.9MB

Download
memory/4480-93-0x00007FF7A7660000-0x00007FF7A7A52000-memory.dmp

Filesize
3.9MB

Download
memory/4488-3065-0x00007FF7B6F50000-0x00007FF7B7342000-memory.dmp

Filesize
3.9MB

Download
memory/4488-232-0x00007FF7B6F50000-0x00007FF7B7342000-memory.dmp

Filesize
3.9MB

Download
memory/4540-3136-0x00007FF7434B0000-0x00007FF7438A2000-memory.dmp

Filesize
3.9MB

Download
memory/4540-348-0x00007FF7434B0000-0x00007FF7438A2000-memory.dmp

Filesize
3.9MB

Download
memory/5096-360-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-365-0x000001F9376E0000-0x000001F937E86000-memory.dmp

Filesize
7.6MB

Download
memory/5096-11-0x00007FF841563000-0x00007FF841565000-memory.dmp

Filesize
8KB

Download
memory/5096-61-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download
memory/5096-134-0x000001F91C870000-0x000001F91C892000-memory.dmp

Filesize
136KB

Download
memory/5096-4993-0x00007FF841560000-0x00007FF842021000-memory.dmp

Filesize
10.8MB

Download