xmrig | 817d881d612228a9e059b2c8461e925bda24793e91786e510bac72684efa3660

Analysis

max time kernel
64s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
Size

2.2MB
MD5

02f0e154b5af11cefdd1e87c3dbd5eb5
SHA1

fc050ff0c1ed4e00ec07230f7a40d9faabc04796
SHA256

817d881d612228a9e059b2c8461e925bda24793e91786e510bac72684efa3660
SHA512

e982679e7f1b56fe9137408f40fdea97c3ced312149f4840c96649f61ecf5894a753bd76bc8d28dc1be0f82b5249897190470f0687fd58bb60b143970d2b291e
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1Vr5s1PTl//aD0:NABv

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral2/memory/748-84-0x00007FF7B78E0000-0x00007FF7B7CD2000-memory.dmp	xmrig
behavioral2/memory/2176-90-0x00007FF6A7B90000-0x00007FF6A7F82000-memory.dmp	xmrig
behavioral2/memory/4148-97-0x00007FF7AD040000-0x00007FF7AD432000-memory.dmp	xmrig
behavioral2/memory/4736-620-0x00007FF717D90000-0x00007FF718182000-memory.dmp	xmrig
behavioral2/memory/4908-632-0x00007FF623590000-0x00007FF623982000-memory.dmp	xmrig
behavioral2/memory/1480-636-0x00007FF7A21A0000-0x00007FF7A2592000-memory.dmp	xmrig
behavioral2/memory/2392-660-0x00007FF6BCC90000-0x00007FF6BD082000-memory.dmp	xmrig
behavioral2/memory/4848-673-0x00007FF6635D0000-0x00007FF6639C2000-memory.dmp	xmrig
behavioral2/memory/1544-642-0x00007FF68D200000-0x00007FF68D5F2000-memory.dmp	xmrig
behavioral2/memory/1240-104-0x00007FF74C320000-0x00007FF74C712000-memory.dmp	xmrig
behavioral2/memory/4932-103-0x00007FF650E10000-0x00007FF651202000-memory.dmp	xmrig
behavioral2/memory/1236-100-0x00007FF6F5240000-0x00007FF6F5632000-memory.dmp	xmrig
behavioral2/memory/4812-79-0x00007FF63C2A0000-0x00007FF63C692000-memory.dmp	xmrig
behavioral2/memory/3120-74-0x00007FF7B8EF0000-0x00007FF7B92E2000-memory.dmp	xmrig
behavioral2/memory/4940-60-0x00007FF648350000-0x00007FF648742000-memory.dmp	xmrig
behavioral2/memory/1300-43-0x00007FF61FF20000-0x00007FF620312000-memory.dmp	xmrig
behavioral2/memory/3084-40-0x00007FF7BBCC0000-0x00007FF7BC0B2000-memory.dmp	xmrig
behavioral2/memory/4276-34-0x00007FF6E9D00000-0x00007FF6EA0F2000-memory.dmp	xmrig
behavioral2/memory/1788-25-0x00007FF7A7B10000-0x00007FF7A7F02000-memory.dmp	xmrig
behavioral2/memory/1676-2621-0x00007FF608D40000-0x00007FF609132000-memory.dmp	xmrig
behavioral2/memory/2160-2622-0x00007FF6C5560000-0x00007FF6C5952000-memory.dmp	xmrig
behavioral2/memory/1788-2625-0x00007FF7A7B10000-0x00007FF7A7F02000-memory.dmp	xmrig
behavioral2/memory/4276-2627-0x00007FF6E9D00000-0x00007FF6EA0F2000-memory.dmp	xmrig
behavioral2/memory/3084-2629-0x00007FF7BBCC0000-0x00007FF7BC0B2000-memory.dmp	xmrig
behavioral2/memory/1676-2639-0x00007FF608D40000-0x00007FF609132000-memory.dmp	xmrig
behavioral2/memory/4940-2643-0x00007FF648350000-0x00007FF648742000-memory.dmp	xmrig
behavioral2/memory/748-2641-0x00007FF7B78E0000-0x00007FF7B7CD2000-memory.dmp	xmrig
behavioral2/memory/4812-2637-0x00007FF63C2A0000-0x00007FF63C692000-memory.dmp	xmrig
behavioral2/memory/3120-2633-0x00007FF7B8EF0000-0x00007FF7B92E2000-memory.dmp	xmrig
behavioral2/memory/1300-2631-0x00007FF61FF20000-0x00007FF620312000-memory.dmp	xmrig
behavioral2/memory/2176-2635-0x00007FF6A7B90000-0x00007FF6A7F82000-memory.dmp	xmrig
behavioral2/memory/2160-2645-0x00007FF6C5560000-0x00007FF6C5952000-memory.dmp	xmrig
behavioral2/memory/1240-2647-0x00007FF74C320000-0x00007FF74C712000-memory.dmp	xmrig
behavioral2/memory/1236-2651-0x00007FF6F5240000-0x00007FF6F5632000-memory.dmp	xmrig
behavioral2/memory/4932-2670-0x00007FF650E10000-0x00007FF651202000-memory.dmp	xmrig
behavioral2/memory/4848-2666-0x00007FF6635D0000-0x00007FF6639C2000-memory.dmp	xmrig
behavioral2/memory/4736-2661-0x00007FF717D90000-0x00007FF718182000-memory.dmp	xmrig
behavioral2/memory/4908-2659-0x00007FF623590000-0x00007FF623982000-memory.dmp	xmrig
behavioral2/memory/4148-2658-0x00007FF7AD040000-0x00007FF7AD432000-memory.dmp	xmrig
behavioral2/memory/1480-2655-0x00007FF7A21A0000-0x00007FF7A2592000-memory.dmp	xmrig
behavioral2/memory/2392-2653-0x00007FF6BCC90000-0x00007FF6BD082000-memory.dmp	xmrig
behavioral2/memory/1544-2649-0x00007FF68D200000-0x00007FF68D5F2000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1788	waapcFx.exe
4276	rMvLYEc.exe
3084	CyiIhqb.exe
1300	BXjLBYc.exe
4812	tJUIxDN.exe
4940	QmMxsLN.exe
748	uFwTCdU.exe
2176	UoCcKgc.exe
1676	WyhfyjF.exe
3120	jXdgUyC.exe
4148	rRvhowC.exe
2160	cUvMtkt.exe
1236	xpbmrPx.exe
4932	vtwPXlr.exe
1240	PunDmVh.exe
4736	HOMnPvE.exe
4908	LOVpliR.exe
1480	fEaeQZK.exe
1544	CYBzBNQ.exe
2392	xFJgpIu.exe
4848	EZmzPwA.exe
2468	iYemgYa.exe
3560	HXMROsL.exe
3916	tSrcFNO.exe
628	BerEUwZ.exe
4964	RlQSwYV.exe
4408	bvICkVv.exe
3616	uUAUjZm.exe
4984	uwLOapn.exe
3652	mURmCVb.exe
3872	BKFaAIy.exe
4484	WRrRFPn.exe
1112	APxQQQV.exe
4532	KwFDiKc.exe
2708	kZfonIm.exe
3132	tvPLiLU.exe
3176	SGzUNUg.exe
532	wPtcOox.exe
3004	kjvGsgf.exe
4588	abuGsea.exe
4280	ZCUUMqj.exe
428	texgqma.exe
64	WwkYweD.exe
4792	jGuniwq.exe
1444	gwIGUxe.exe
5024	lyxZfDM.exe
1696	nwJCwCb.exe
3956	VHihPMl.exe
1684	prvlrka.exe
2424	dGCrrjv.exe
856	YaYtGsz.exe
3324	dPFGBLA.exe
1288	ySGpJHt.exe
1700	sdTlAwn.exe
1964	oMnjiwj.exe
3440	dvYnNUu.exe
4852	xTAGvdm.exe
3252	fkskeZt.exe
2184	hlBTYVm.exe
4552	TxBstYG.exe
3876	POWbXTR.exe
4424	TrCfYkt.exe
5044	XULdRLt.exe
2308	KSdSGVy.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/468-0-0x00007FF6A8250000-0x00007FF6A8642000-memory.dmp	upx
behavioral2/files/0x000d000000023b9d-5.dat	upx
behavioral2/files/0x000a000000023bb0-8.dat	upx
behavioral2/files/0x000a000000023baf-12.dat	upx
behavioral2/files/0x000a000000023bb3-55.dat	upx
behavioral2/files/0x0031000000023bb6-66.dat	upx
behavioral2/memory/1676-71-0x00007FF608D40000-0x00007FF609132000-memory.dmp	upx
behavioral2/files/0x000a000000023bb8-76.dat	upx
behavioral2/memory/748-84-0x00007FF7B78E0000-0x00007FF7B7CD2000-memory.dmp	upx
behavioral2/memory/2176-90-0x00007FF6A7B90000-0x00007FF6A7F82000-memory.dmp	upx
behavioral2/memory/4148-97-0x00007FF7AD040000-0x00007FF7AD432000-memory.dmp	upx
behavioral2/files/0x000a000000023bbd-107.dat	upx
behavioral2/files/0x000c000000023bac-116.dat	upx
behavioral2/files/0x000a000000023bbf-126.dat	upx
behavioral2/files/0x000a000000023bc4-151.dat	upx
behavioral2/files/0x000a000000023bca-181.dat	upx
behavioral2/memory/4736-620-0x00007FF717D90000-0x00007FF718182000-memory.dmp	upx
behavioral2/memory/4908-632-0x00007FF623590000-0x00007FF623982000-memory.dmp	upx
behavioral2/memory/1480-636-0x00007FF7A21A0000-0x00007FF7A2592000-memory.dmp	upx
behavioral2/memory/2392-660-0x00007FF6BCC90000-0x00007FF6BD082000-memory.dmp	upx
behavioral2/memory/4848-673-0x00007FF6635D0000-0x00007FF6639C2000-memory.dmp	upx
behavioral2/memory/1544-642-0x00007FF68D200000-0x00007FF68D5F2000-memory.dmp	upx
behavioral2/files/0x000a000000023bcd-190.dat	upx
behavioral2/files/0x000a000000023bcb-186.dat	upx
behavioral2/files/0x000a000000023bcc-185.dat	upx
behavioral2/files/0x000a000000023bc9-176.dat	upx
behavioral2/files/0x000a000000023bc8-171.dat	upx
behavioral2/files/0x000a000000023bc7-166.dat	upx
behavioral2/files/0x000a000000023bc6-161.dat	upx
behavioral2/files/0x000a000000023bc5-155.dat	upx
behavioral2/files/0x000a000000023bc3-146.dat	upx
behavioral2/files/0x000a000000023bc2-141.dat	upx
behavioral2/files/0x000a000000023bc1-136.dat	upx
behavioral2/files/0x000a000000023bc0-131.dat	upx
behavioral2/files/0x000a000000023bbe-121.dat	upx
behavioral2/memory/1240-104-0x00007FF74C320000-0x00007FF74C712000-memory.dmp	upx
behavioral2/memory/4932-103-0x00007FF650E10000-0x00007FF651202000-memory.dmp	upx
behavioral2/files/0x000b000000023bb9-101.dat	upx
behavioral2/memory/1236-100-0x00007FF6F5240000-0x00007FF6F5632000-memory.dmp	upx
behavioral2/files/0x000a000000023bbc-98.dat	upx
behavioral2/memory/2160-96-0x00007FF6C5560000-0x00007FF6C5952000-memory.dmp	upx
behavioral2/files/0x000a000000023bbb-91.dat	upx
behavioral2/files/0x000b000000023bba-85.dat	upx
behavioral2/memory/4812-79-0x00007FF63C2A0000-0x00007FF63C692000-memory.dmp	upx
behavioral2/memory/3120-74-0x00007FF7B8EF0000-0x00007FF7B92E2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb4-69.dat	upx
behavioral2/memory/4940-60-0x00007FF648350000-0x00007FF648742000-memory.dmp	upx
behavioral2/files/0x0031000000023bb7-59.dat	upx
behavioral2/files/0x0031000000023bb5-61.dat	upx
behavioral2/memory/1300-43-0x00007FF61FF20000-0x00007FF620312000-memory.dmp	upx
behavioral2/memory/3084-40-0x00007FF7BBCC0000-0x00007FF7BC0B2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-36.dat	upx
behavioral2/files/0x000a000000023bb2-45.dat	upx
behavioral2/memory/4276-34-0x00007FF6E9D00000-0x00007FF6EA0F2000-memory.dmp	upx
behavioral2/memory/1788-25-0x00007FF7A7B10000-0x00007FF7A7F02000-memory.dmp	upx
behavioral2/memory/1676-2621-0x00007FF608D40000-0x00007FF609132000-memory.dmp	upx
behavioral2/memory/2160-2622-0x00007FF6C5560000-0x00007FF6C5952000-memory.dmp	upx
behavioral2/memory/1788-2625-0x00007FF7A7B10000-0x00007FF7A7F02000-memory.dmp	upx
behavioral2/memory/4276-2627-0x00007FF6E9D00000-0x00007FF6EA0F2000-memory.dmp	upx
behavioral2/memory/3084-2629-0x00007FF7BBCC0000-0x00007FF7BC0B2000-memory.dmp	upx
behavioral2/memory/1676-2639-0x00007FF608D40000-0x00007FF609132000-memory.dmp	upx
behavioral2/memory/4940-2643-0x00007FF648350000-0x00007FF648742000-memory.dmp	upx
behavioral2/memory/748-2641-0x00007FF7B78E0000-0x00007FF7B7CD2000-memory.dmp	upx
behavioral2/memory/4812-2637-0x00007FF63C2A0000-0x00007FF63C692000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\QhlIhkm.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\iLqlapI.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\cyhnaoZ.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\HQqdpFQ.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\oDXUUGO.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\YYWzutt.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\fpVqKRi.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\lljstcR.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\JuiHTtF.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\BOBBqLe.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\eSjYStQ.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\vfpMLWt.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\SJvQLep.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\NdAXWoP.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\QUrYlow.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\EUWqzxy.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\tLcLXIq.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\ejigANH.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\CXKseLb.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\pcrTQsd.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\njhDUeh.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\dxNUgQJ.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\rxSlpEN.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\VCRnGTu.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\TRlreYO.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\RHVAxLO.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\CJpYuxE.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\PPdJljI.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\ttbjzhp.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\LoGOLAQ.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\wmLBqQE.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\wWUedsZ.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\TNksGBc.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\QWIDtFr.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\JHxAKpZ.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\EWUFKlp.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\IfcjrPu.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\TfEUNYI.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\vkEqZGW.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\HJYtwOQ.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\cMMbIQW.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\IvvyVlN.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\Hgchdtd.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\ZQJPuAr.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\ioaiFBu.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\trtbGGN.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\uETeAPY.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\Gjzsafd.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\CTRVuPG.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\NbJELqH.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\dzZqwWt.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\iXLuRyi.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\PfdMzrd.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\vsMFhtY.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\xzTKkDM.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\vhhLUJX.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\VSkXZkj.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\RvtQPKb.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\aNXDwXE.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\fkarNKk.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\BliYxGk.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\tTclNMp.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\bxkpaLz.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
File created	C:\Windows\System\jZhLpOh.exe	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1532	powershell.exe
1532	powershell.exe
1532	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeLockMemoryPrivilege	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	12320	dwm.exe
Token: SeChangeNotifyPrivilege	12320	dwm.exe
Token: 33	12320	dwm.exe
Token: SeIncBasePriorityPrivilege	12320	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1532	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	85
PID 468 wrote to memory of 1532	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	85
PID 468 wrote to memory of 1788	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	86
PID 468 wrote to memory of 1788	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	86
PID 468 wrote to memory of 4276	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	87
PID 468 wrote to memory of 4276	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	87
PID 468 wrote to memory of 3084	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	88
PID 468 wrote to memory of 3084	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	88
PID 468 wrote to memory of 1300	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	89
PID 468 wrote to memory of 1300	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	89
PID 468 wrote to memory of 4812	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	90
PID 468 wrote to memory of 4812	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	90
PID 468 wrote to memory of 4940	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	91
PID 468 wrote to memory of 4940	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	91
PID 468 wrote to memory of 748	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	92
PID 468 wrote to memory of 748	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	92
PID 468 wrote to memory of 2176	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	93
PID 468 wrote to memory of 2176	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	93
PID 468 wrote to memory of 1676	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	94
PID 468 wrote to memory of 1676	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	94
PID 468 wrote to memory of 3120	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	95
PID 468 wrote to memory of 3120	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	95
PID 468 wrote to memory of 2160	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	96
PID 468 wrote to memory of 2160	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	96
PID 468 wrote to memory of 4148	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	97
PID 468 wrote to memory of 4148	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	97
PID 468 wrote to memory of 1236	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	98
PID 468 wrote to memory of 1236	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	98
PID 468 wrote to memory of 4932	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	99
PID 468 wrote to memory of 4932	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	99
PID 468 wrote to memory of 1240	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	100
PID 468 wrote to memory of 1240	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	100
PID 468 wrote to memory of 4736	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	101
PID 468 wrote to memory of 4736	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	101
PID 468 wrote to memory of 4908	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	102
PID 468 wrote to memory of 4908	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	102
PID 468 wrote to memory of 1480	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	103
PID 468 wrote to memory of 1480	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	103
PID 468 wrote to memory of 1544	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	104
PID 468 wrote to memory of 1544	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	104
PID 468 wrote to memory of 2392	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	105
PID 468 wrote to memory of 2392	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	105
PID 468 wrote to memory of 4848	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	106
PID 468 wrote to memory of 4848	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	106
PID 468 wrote to memory of 2468	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	107
PID 468 wrote to memory of 2468	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	107
PID 468 wrote to memory of 3560	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	108
PID 468 wrote to memory of 3560	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	108
PID 468 wrote to memory of 3916	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	109
PID 468 wrote to memory of 3916	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	109
PID 468 wrote to memory of 628	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	110
PID 468 wrote to memory of 628	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	110
PID 468 wrote to memory of 4964	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	111
PID 468 wrote to memory of 4964	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	111
PID 468 wrote to memory of 4408	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	112
PID 468 wrote to memory of 4408	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	112
PID 468 wrote to memory of 3616	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	113
PID 468 wrote to memory of 3616	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	113
PID 468 wrote to memory of 4984	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	114
PID 468 wrote to memory of 4984	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	114
PID 468 wrote to memory of 3652	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	115
PID 468 wrote to memory of 3652	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	115
PID 468 wrote to memory of 3872	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	116
PID 468 wrote to memory of 3872	468	02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02f0e154b5af11cefdd1e87c3dbd5eb5_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System\waapcFx.exe
  C:\Windows\System\waapcFx.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\rMvLYEc.exe
  C:\Windows\System\rMvLYEc.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\CyiIhqb.exe
  C:\Windows\System\CyiIhqb.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\BXjLBYc.exe
  C:\Windows\System\BXjLBYc.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\tJUIxDN.exe
  C:\Windows\System\tJUIxDN.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\QmMxsLN.exe
  C:\Windows\System\QmMxsLN.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\uFwTCdU.exe
  C:\Windows\System\uFwTCdU.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\UoCcKgc.exe
  C:\Windows\System\UoCcKgc.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\WyhfyjF.exe
  C:\Windows\System\WyhfyjF.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\jXdgUyC.exe
  C:\Windows\System\jXdgUyC.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\cUvMtkt.exe
  C:\Windows\System\cUvMtkt.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\rRvhowC.exe
  C:\Windows\System\rRvhowC.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\xpbmrPx.exe
  C:\Windows\System\xpbmrPx.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\vtwPXlr.exe
  C:\Windows\System\vtwPXlr.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\PunDmVh.exe
  C:\Windows\System\PunDmVh.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\HOMnPvE.exe
  C:\Windows\System\HOMnPvE.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\LOVpliR.exe
  C:\Windows\System\LOVpliR.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\fEaeQZK.exe
  C:\Windows\System\fEaeQZK.exe
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\Windows\System\CYBzBNQ.exe
  C:\Windows\System\CYBzBNQ.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\xFJgpIu.exe
  C:\Windows\System\xFJgpIu.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\EZmzPwA.exe
  C:\Windows\System\EZmzPwA.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\iYemgYa.exe
  C:\Windows\System\iYemgYa.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\HXMROsL.exe
  C:\Windows\System\HXMROsL.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\tSrcFNO.exe
  C:\Windows\System\tSrcFNO.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\BerEUwZ.exe
  C:\Windows\System\BerEUwZ.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\RlQSwYV.exe
  C:\Windows\System\RlQSwYV.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\bvICkVv.exe
  C:\Windows\System\bvICkVv.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\uUAUjZm.exe
  C:\Windows\System\uUAUjZm.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\uwLOapn.exe
  C:\Windows\System\uwLOapn.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\mURmCVb.exe
  C:\Windows\System\mURmCVb.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\BKFaAIy.exe
  C:\Windows\System\BKFaAIy.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\WRrRFPn.exe
  C:\Windows\System\WRrRFPn.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\APxQQQV.exe
  C:\Windows\System\APxQQQV.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\KwFDiKc.exe
  C:\Windows\System\KwFDiKc.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\kZfonIm.exe
  C:\Windows\System\kZfonIm.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\tvPLiLU.exe
  C:\Windows\System\tvPLiLU.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\SGzUNUg.exe
  C:\Windows\System\SGzUNUg.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\wPtcOox.exe
  C:\Windows\System\wPtcOox.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\kjvGsgf.exe
  C:\Windows\System\kjvGsgf.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\abuGsea.exe
  C:\Windows\System\abuGsea.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\ZCUUMqj.exe
  C:\Windows\System\ZCUUMqj.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\texgqma.exe
  C:\Windows\System\texgqma.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\WwkYweD.exe
  C:\Windows\System\WwkYweD.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\jGuniwq.exe
  C:\Windows\System\jGuniwq.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\gwIGUxe.exe
  C:\Windows\System\gwIGUxe.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\lyxZfDM.exe
  C:\Windows\System\lyxZfDM.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\nwJCwCb.exe
  C:\Windows\System\nwJCwCb.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\VHihPMl.exe
  C:\Windows\System\VHihPMl.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\prvlrka.exe
  C:\Windows\System\prvlrka.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\dGCrrjv.exe
  C:\Windows\System\dGCrrjv.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\YaYtGsz.exe
  C:\Windows\System\YaYtGsz.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\dPFGBLA.exe
  C:\Windows\System\dPFGBLA.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\ySGpJHt.exe
  C:\Windows\System\ySGpJHt.exe
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Windows\System\sdTlAwn.exe
  C:\Windows\System\sdTlAwn.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\oMnjiwj.exe
  C:\Windows\System\oMnjiwj.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\dvYnNUu.exe
  C:\Windows\System\dvYnNUu.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\xTAGvdm.exe
  C:\Windows\System\xTAGvdm.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\fkskeZt.exe
  C:\Windows\System\fkskeZt.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\hlBTYVm.exe
  C:\Windows\System\hlBTYVm.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\TxBstYG.exe
  C:\Windows\System\TxBstYG.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\POWbXTR.exe
  C:\Windows\System\POWbXTR.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\TrCfYkt.exe
  C:\Windows\System\TrCfYkt.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\XULdRLt.exe
  C:\Windows\System\XULdRLt.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\KSdSGVy.exe
  C:\Windows\System\KSdSGVy.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\JODtdxh.exe
  C:\Windows\System\JODtdxh.exe
  2⤵
  PID:3052
- C:\Windows\System\zeDePFl.exe
  C:\Windows\System\zeDePFl.exe
  2⤵
  PID:4628
- C:\Windows\System\vlPrJsu.exe
  C:\Windows\System\vlPrJsu.exe
  2⤵
  PID:4132
- C:\Windows\System\oJLuxEa.exe
  C:\Windows\System\oJLuxEa.exe
  2⤵
  PID:3240
- C:\Windows\System\XkpaQaw.exe
  C:\Windows\System\XkpaQaw.exe
  2⤵
  PID:4936
- C:\Windows\System\lhGBsHg.exe
  C:\Windows\System\lhGBsHg.exe
  2⤵
  PID:5124
- C:\Windows\System\cxuqWcQ.exe
  C:\Windows\System\cxuqWcQ.exe
  2⤵
  PID:5156
- C:\Windows\System\DufdURv.exe
  C:\Windows\System\DufdURv.exe
  2⤵
  PID:5184
- C:\Windows\System\mgckJnZ.exe
  C:\Windows\System\mgckJnZ.exe
  2⤵
  PID:5208
- C:\Windows\System\FBpgpZU.exe
  C:\Windows\System\FBpgpZU.exe
  2⤵
  PID:5236
- C:\Windows\System\scEtGOh.exe
  C:\Windows\System\scEtGOh.exe
  2⤵
  PID:5264
- C:\Windows\System\wbsnXGQ.exe
  C:\Windows\System\wbsnXGQ.exe
  2⤵
  PID:5292
- C:\Windows\System\vZBpfhU.exe
  C:\Windows\System\vZBpfhU.exe
  2⤵
  PID:5324
- C:\Windows\System\eZvORsp.exe
  C:\Windows\System\eZvORsp.exe
  2⤵
  PID:5348
- C:\Windows\System\DxFlCaS.exe
  C:\Windows\System\DxFlCaS.exe
  2⤵
  PID:5376
- C:\Windows\System\tMTsDfl.exe
  C:\Windows\System\tMTsDfl.exe
  2⤵
  PID:5408
- C:\Windows\System\EgzBblt.exe
  C:\Windows\System\EgzBblt.exe
  2⤵
  PID:5432
- C:\Windows\System\lNftzxA.exe
  C:\Windows\System\lNftzxA.exe
  2⤵
  PID:5460
- C:\Windows\System\ojQgoQF.exe
  C:\Windows\System\ojQgoQF.exe
  2⤵
  PID:5488
- C:\Windows\System\dIsZtxL.exe
  C:\Windows\System\dIsZtxL.exe
  2⤵
  PID:5516
- C:\Windows\System\SNyLmRx.exe
  C:\Windows\System\SNyLmRx.exe
  2⤵
  PID:5544
- C:\Windows\System\eyuhezx.exe
  C:\Windows\System\eyuhezx.exe
  2⤵
  PID:5572
- C:\Windows\System\pqYZxjf.exe
  C:\Windows\System\pqYZxjf.exe
  2⤵
  PID:5600
- C:\Windows\System\RvtQPKb.exe
  C:\Windows\System\RvtQPKb.exe
  2⤵
  PID:5632
- C:\Windows\System\CTRVuPG.exe
  C:\Windows\System\CTRVuPG.exe
  2⤵
  PID:5656
- C:\Windows\System\qPmTuIW.exe
  C:\Windows\System\qPmTuIW.exe
  2⤵
  PID:5684
- C:\Windows\System\JjNcLDT.exe
  C:\Windows\System\JjNcLDT.exe
  2⤵
  PID:5712
- C:\Windows\System\PdAekml.exe
  C:\Windows\System\PdAekml.exe
  2⤵
  PID:5740
- C:\Windows\System\bmGwymE.exe
  C:\Windows\System\bmGwymE.exe
  2⤵
  PID:5764
- C:\Windows\System\hTDeKEC.exe
  C:\Windows\System\hTDeKEC.exe
  2⤵
  PID:5792
- C:\Windows\System\sXQbSYP.exe
  C:\Windows\System\sXQbSYP.exe
  2⤵
  PID:5824
- C:\Windows\System\NQttdtR.exe
  C:\Windows\System\NQttdtR.exe
  2⤵
  PID:5852
- C:\Windows\System\JtDtDsn.exe
  C:\Windows\System\JtDtDsn.exe
  2⤵
  PID:5880
- C:\Windows\System\MtAIDbP.exe
  C:\Windows\System\MtAIDbP.exe
  2⤵
  PID:5908
- C:\Windows\System\rbHNSWx.exe
  C:\Windows\System\rbHNSWx.exe
  2⤵
  PID:5936
- C:\Windows\System\kFjYwnk.exe
  C:\Windows\System\kFjYwnk.exe
  2⤵
  PID:5964
- C:\Windows\System\vukVWuE.exe
  C:\Windows\System\vukVWuE.exe
  2⤵
  PID:5992
- C:\Windows\System\hsAhcwq.exe
  C:\Windows\System\hsAhcwq.exe
  2⤵
  PID:6020
- C:\Windows\System\hbULcIm.exe
  C:\Windows\System\hbULcIm.exe
  2⤵
  PID:6048
- C:\Windows\System\SsSJIkb.exe
  C:\Windows\System\SsSJIkb.exe
  2⤵
  PID:6076
- C:\Windows\System\YIGznwy.exe
  C:\Windows\System\YIGznwy.exe
  2⤵
  PID:6124
- C:\Windows\System\bKenTHQ.exe
  C:\Windows\System\bKenTHQ.exe
  2⤵
  PID:2488
- C:\Windows\System\JlRpziI.exe
  C:\Windows\System\JlRpziI.exe
  2⤵
  PID:1880
- C:\Windows\System\zhKwMkE.exe
  C:\Windows\System\zhKwMkE.exe
  2⤵
  PID:2824
- C:\Windows\System\gPteuHr.exe
  C:\Windows\System\gPteuHr.exe
  2⤵
  PID:3420
- C:\Windows\System\fWPfoIa.exe
  C:\Windows\System\fWPfoIa.exe
  2⤵
  PID:2956
- C:\Windows\System\nargqyS.exe
  C:\Windows\System\nargqyS.exe
  2⤵
  PID:5136
- C:\Windows\System\TyReIuX.exe
  C:\Windows\System\TyReIuX.exe
  2⤵
  PID:5204
- C:\Windows\System\KYqZjic.exe
  C:\Windows\System\KYqZjic.exe
  2⤵
  PID:5252
- C:\Windows\System\UPlDEHV.exe
  C:\Windows\System\UPlDEHV.exe
  2⤵
  PID:5316
- C:\Windows\System\KwSYnTu.exe
  C:\Windows\System\KwSYnTu.exe
  2⤵
  PID:5368
- C:\Windows\System\Zgpgjne.exe
  C:\Windows\System\Zgpgjne.exe
  2⤵
  PID:5448
- C:\Windows\System\ADRVQbb.exe
  C:\Windows\System\ADRVQbb.exe
  2⤵
  PID:5504
- C:\Windows\System\FRbZfuw.exe
  C:\Windows\System\FRbZfuw.exe
  2⤵
  PID:4616
- C:\Windows\System\VHqdpYn.exe
  C:\Windows\System\VHqdpYn.exe
  2⤵
  PID:5640
- C:\Windows\System\bTkFtZB.exe
  C:\Windows\System\bTkFtZB.exe
  2⤵
  PID:5680
- C:\Windows\System\skJVtub.exe
  C:\Windows\System\skJVtub.exe
  2⤵
  PID:5752
- C:\Windows\System\kfWQBnz.exe
  C:\Windows\System\kfWQBnz.exe
  2⤵
  PID:5812
- C:\Windows\System\vCGtbYn.exe
  C:\Windows\System\vCGtbYn.exe
  2⤵
  PID:5868
- C:\Windows\System\fHoAtrw.exe
  C:\Windows\System\fHoAtrw.exe
  2⤵
  PID:5928
- C:\Windows\System\VbifKVF.exe
  C:\Windows\System\VbifKVF.exe
  2⤵
  PID:6008
- C:\Windows\System\lTTmFEQ.exe
  C:\Windows\System\lTTmFEQ.exe
  2⤵
  PID:6064
- C:\Windows\System\PQDXcns.exe
  C:\Windows\System\PQDXcns.exe
  2⤵
  PID:4816
- C:\Windows\System\VmneCxt.exe
  C:\Windows\System\VmneCxt.exe
  2⤵
  PID:4980
- C:\Windows\System\DeOHtUB.exe
  C:\Windows\System\DeOHtUB.exe
  2⤵
  PID:1844
- C:\Windows\System\GXgBjPP.exe
  C:\Windows\System\GXgBjPP.exe
  2⤵
  PID:5228
- C:\Windows\System\IadaXCk.exe
  C:\Windows\System\IadaXCk.exe
  2⤵
  PID:5344
- C:\Windows\System\PtAksvZ.exe
  C:\Windows\System\PtAksvZ.exe
  2⤵
  PID:5480
- C:\Windows\System\jZhLpOh.exe
  C:\Windows\System\jZhLpOh.exe
  2⤵
  PID:5616
- C:\Windows\System\PNquMar.exe
  C:\Windows\System\PNquMar.exe
  2⤵
  PID:5724
- C:\Windows\System\XZlCJdL.exe
  C:\Windows\System\XZlCJdL.exe
  2⤵
  PID:5844
- C:\Windows\System\crtFCgv.exe
  C:\Windows\System\crtFCgv.exe
  2⤵
  PID:1428
- C:\Windows\System\MuGuYyY.exe
  C:\Windows\System\MuGuYyY.exe
  2⤵
  PID:6108
- C:\Windows\System\jqWPOVD.exe
  C:\Windows\System\jqWPOVD.exe
  2⤵
  PID:1560
- C:\Windows\System\WXkWNAw.exe
  C:\Windows\System\WXkWNAw.exe
  2⤵
  PID:5172
- C:\Windows\System\jOsKICq.exe
  C:\Windows\System\jOsKICq.exe
  2⤵
  PID:5428
- C:\Windows\System\FvkbJcA.exe
  C:\Windows\System\FvkbJcA.exe
  2⤵
  PID:4824
- C:\Windows\System\ftxXWyj.exe
  C:\Windows\System\ftxXWyj.exe
  2⤵
  PID:6168
- C:\Windows\System\klQASSH.exe
  C:\Windows\System\klQASSH.exe
  2⤵
  PID:6200
- C:\Windows\System\PMikxLg.exe
  C:\Windows\System\PMikxLg.exe
  2⤵
  PID:6224
- C:\Windows\System\JvgWBXV.exe
  C:\Windows\System\JvgWBXV.exe
  2⤵
  PID:6252
- C:\Windows\System\CoEDTeW.exe
  C:\Windows\System\CoEDTeW.exe
  2⤵
  PID:6284
- C:\Windows\System\kdkQYXj.exe
  C:\Windows\System\kdkQYXj.exe
  2⤵
  PID:6312
- C:\Windows\System\loIYEVT.exe
  C:\Windows\System\loIYEVT.exe
  2⤵
  PID:6340
- C:\Windows\System\nEVbTvL.exe
  C:\Windows\System\nEVbTvL.exe
  2⤵
  PID:6368
- C:\Windows\System\bYvOAhs.exe
  C:\Windows\System\bYvOAhs.exe
  2⤵
  PID:6396
- C:\Windows\System\VWGWWoY.exe
  C:\Windows\System\VWGWWoY.exe
  2⤵
  PID:6424
- C:\Windows\System\heGJmDS.exe
  C:\Windows\System\heGJmDS.exe
  2⤵
  PID:6452
- C:\Windows\System\MhtPEmi.exe
  C:\Windows\System\MhtPEmi.exe
  2⤵
  PID:6480
- C:\Windows\System\aEwPpUl.exe
  C:\Windows\System\aEwPpUl.exe
  2⤵
  PID:6508
- C:\Windows\System\zxPdgJJ.exe
  C:\Windows\System\zxPdgJJ.exe
  2⤵
  PID:6536
- C:\Windows\System\ebyGYbg.exe
  C:\Windows\System\ebyGYbg.exe
  2⤵
  PID:6564
- C:\Windows\System\CfwHsUr.exe
  C:\Windows\System\CfwHsUr.exe
  2⤵
  PID:6592
- C:\Windows\System\WeLTyZl.exe
  C:\Windows\System\WeLTyZl.exe
  2⤵
  PID:6620
- C:\Windows\System\oKOxPvg.exe
  C:\Windows\System\oKOxPvg.exe
  2⤵
  PID:6648
- C:\Windows\System\gmzpeHl.exe
  C:\Windows\System\gmzpeHl.exe
  2⤵
  PID:6676
- C:\Windows\System\wgrXgaV.exe
  C:\Windows\System\wgrXgaV.exe
  2⤵
  PID:6704
- C:\Windows\System\AezYGhR.exe
  C:\Windows\System\AezYGhR.exe
  2⤵
  PID:6732
- C:\Windows\System\BDelOId.exe
  C:\Windows\System\BDelOId.exe
  2⤵
  PID:6760
- C:\Windows\System\cCOylFd.exe
  C:\Windows\System\cCOylFd.exe
  2⤵
  PID:6788
- C:\Windows\System\rFgqjoS.exe
  C:\Windows\System\rFgqjoS.exe
  2⤵
  PID:6816
- C:\Windows\System\QSJblyw.exe
  C:\Windows\System\QSJblyw.exe
  2⤵
  PID:6844
- C:\Windows\System\Douvazq.exe
  C:\Windows\System\Douvazq.exe
  2⤵
  PID:6912
- C:\Windows\System\VolDpvP.exe
  C:\Windows\System\VolDpvP.exe
  2⤵
  PID:6956
- C:\Windows\System\HKLwWYm.exe
  C:\Windows\System\HKLwWYm.exe
  2⤵
  PID:6980
- C:\Windows\System\MUmXOKB.exe
  C:\Windows\System\MUmXOKB.exe
  2⤵
  PID:6996
- C:\Windows\System\HdCZCis.exe
  C:\Windows\System\HdCZCis.exe
  2⤵
  PID:7012
- C:\Windows\System\oUlSZGm.exe
  C:\Windows\System\oUlSZGm.exe
  2⤵
  PID:7028
- C:\Windows\System\vMyPySr.exe
  C:\Windows\System\vMyPySr.exe
  2⤵
  PID:7044
- C:\Windows\System\mrsihHs.exe
  C:\Windows\System\mrsihHs.exe
  2⤵
  PID:7060
- C:\Windows\System\Jgowkdd.exe
  C:\Windows\System\Jgowkdd.exe
  2⤵
  PID:7080
- C:\Windows\System\RUwOWYr.exe
  C:\Windows\System\RUwOWYr.exe
  2⤵
  PID:7104
- C:\Windows\System\gNATaXi.exe
  C:\Windows\System\gNATaXi.exe
  2⤵
  PID:7124
- C:\Windows\System\mpUQDwp.exe
  C:\Windows\System\mpUQDwp.exe
  2⤵
  PID:7144
- C:\Windows\System\stPaFnb.exe
  C:\Windows\System\stPaFnb.exe
  2⤵
  PID:7160
- C:\Windows\System\GGzQsOV.exe
  C:\Windows\System\GGzQsOV.exe
  2⤵
  PID:5840
- C:\Windows\System\wYtdhHu.exe
  C:\Windows\System\wYtdhHu.exe
  2⤵
  PID:3152
- C:\Windows\System\ChSmWLJ.exe
  C:\Windows\System\ChSmWLJ.exe
  2⤵
  PID:4612
- C:\Windows\System\cPTNivA.exe
  C:\Windows\System\cPTNivA.exe
  2⤵
  PID:5284
- C:\Windows\System\UCAjaDD.exe
  C:\Windows\System\UCAjaDD.exe
  2⤵
  PID:4352
- C:\Windows\System\wekeiuQ.exe
  C:\Windows\System\wekeiuQ.exe
  2⤵
  PID:2092
- C:\Windows\System\IRToMqv.exe
  C:\Windows\System\IRToMqv.exe
  2⤵
  PID:6356
- C:\Windows\System\IOMeMpK.exe
  C:\Windows\System\IOMeMpK.exe
  2⤵
  PID:6408
- C:\Windows\System\AVFbpFX.exe
  C:\Windows\System\AVFbpFX.exe
  2⤵
  PID:6444
- C:\Windows\System\KXjHeLL.exe
  C:\Windows\System\KXjHeLL.exe
  2⤵
  PID:4916
- C:\Windows\System\QDSicLj.exe
  C:\Windows\System\QDSicLj.exe
  2⤵
  PID:2648
- C:\Windows\System\rltuXwb.exe
  C:\Windows\System\rltuXwb.exe
  2⤵
  PID:4584
- C:\Windows\System\rexRsiC.exe
  C:\Windows\System\rexRsiC.exe
  2⤵
  PID:3764
- C:\Windows\System\SPfqYNh.exe
  C:\Windows\System\SPfqYNh.exe
  2⤵
  PID:3564
- C:\Windows\System\QWeHslk.exe
  C:\Windows\System\QWeHslk.exe
  2⤵
  PID:6836
- C:\Windows\System\AWaQZZg.exe
  C:\Windows\System\AWaQZZg.exe
  2⤵
  PID:4928
- C:\Windows\System\rNUDXhz.exe
  C:\Windows\System\rNUDXhz.exe
  2⤵
  PID:1476
- C:\Windows\System\rZuIfSs.exe
  C:\Windows\System\rZuIfSs.exe
  2⤵
  PID:1500
- C:\Windows\System\SNhljcf.exe
  C:\Windows\System\SNhljcf.exe
  2⤵
  PID:7020
- C:\Windows\System\kyGwjyD.exe
  C:\Windows\System\kyGwjyD.exe
  2⤵
  PID:6944
- C:\Windows\System\pSrpWHy.exe
  C:\Windows\System\pSrpWHy.exe
  2⤵
  PID:6908
- C:\Windows\System\WBBtZoo.exe
  C:\Windows\System\WBBtZoo.exe
  2⤵
  PID:6040
- C:\Windows\System\rpzGRqh.exe
  C:\Windows\System\rpzGRqh.exe
  2⤵
  PID:6992
- C:\Windows\System\cURKByc.exe
  C:\Windows\System\cURKByc.exe
  2⤵
  PID:5780
- C:\Windows\System\ORdzNZI.exe
  C:\Windows\System\ORdzNZI.exe
  2⤵
  PID:4188
- C:\Windows\System\lbvpzDD.exe
  C:\Windows\System\lbvpzDD.exe
  2⤵
  PID:3888
- C:\Windows\System\AeZVCap.exe
  C:\Windows\System\AeZVCap.exe
  2⤵
  PID:6296
- C:\Windows\System\mmygQsw.exe
  C:\Windows\System\mmygQsw.exe
  2⤵
  PID:6584
- C:\Windows\System\EKxEssV.exe
  C:\Windows\System\EKxEssV.exe
  2⤵
  PID:3036
- C:\Windows\System\nmmgSjR.exe
  C:\Windows\System\nmmgSjR.exe
  2⤵
  PID:6692
- C:\Windows\System\pKtVNfN.exe
  C:\Windows\System\pKtVNfN.exe
  2⤵
  PID:2556
- C:\Windows\System\fJTwpXz.exe
  C:\Windows\System\fJTwpXz.exe
  2⤵
  PID:2012
- C:\Windows\System\fAsouzE.exe
  C:\Windows\System\fAsouzE.exe
  2⤵
  PID:4740
- C:\Windows\System\YKdXQag.exe
  C:\Windows\System\YKdXQag.exe
  2⤵
  PID:7024
- C:\Windows\System\SeHUoFv.exe
  C:\Windows\System\SeHUoFv.exe
  2⤵
  PID:7132
- C:\Windows\System\CSaUrAI.exe
  C:\Windows\System\CSaUrAI.exe
  2⤵
  PID:6964
- C:\Windows\System\fsMpVhH.exe
  C:\Windows\System\fsMpVhH.exe
  2⤵
  PID:6380
- C:\Windows\System\ynHzYbT.exe
  C:\Windows\System\ynHzYbT.exe
  2⤵
  PID:6492
- C:\Windows\System\yXNrOQu.exe
  C:\Windows\System\yXNrOQu.exe
  2⤵
  PID:6780
- C:\Windows\System\LOhzNYx.exe
  C:\Windows\System\LOhzNYx.exe
  2⤵
  PID:6936
- C:\Windows\System\pKGLAdP.exe
  C:\Windows\System\pKGLAdP.exe
  2⤵
  PID:6468
- C:\Windows\System\YiTJeKw.exe
  C:\Windows\System\YiTJeKw.exe
  2⤵
  PID:2928
- C:\Windows\System\QnhqiRI.exe
  C:\Windows\System\QnhqiRI.exe
  2⤵
  PID:6892
- C:\Windows\System\tJxVQsu.exe
  C:\Windows\System\tJxVQsu.exe
  2⤵
  PID:7116
- C:\Windows\System\NKdwsKY.exe
  C:\Windows\System\NKdwsKY.exe
  2⤵
  PID:7184
- C:\Windows\System\jLprdDL.exe
  C:\Windows\System\jLprdDL.exe
  2⤵
  PID:7220
- C:\Windows\System\IMHoRAA.exe
  C:\Windows\System\IMHoRAA.exe
  2⤵
  PID:7244
- C:\Windows\System\viWpjXB.exe
  C:\Windows\System\viWpjXB.exe
  2⤵
  PID:7268
- C:\Windows\System\BJeiauh.exe
  C:\Windows\System\BJeiauh.exe
  2⤵
  PID:7288
- C:\Windows\System\uKpPuKm.exe
  C:\Windows\System\uKpPuKm.exe
  2⤵
  PID:7316
- C:\Windows\System\DtwGVnl.exe
  C:\Windows\System\DtwGVnl.exe
  2⤵
  PID:7344
- C:\Windows\System\Gxessxm.exe
  C:\Windows\System\Gxessxm.exe
  2⤵
  PID:7372
- C:\Windows\System\EjVlTOw.exe
  C:\Windows\System\EjVlTOw.exe
  2⤵
  PID:7392
- C:\Windows\System\JiFifLa.exe
  C:\Windows\System\JiFifLa.exe
  2⤵
  PID:7444
- C:\Windows\System\cRXZhtv.exe
  C:\Windows\System\cRXZhtv.exe
  2⤵
  PID:7464
- C:\Windows\System\RQzxmPB.exe
  C:\Windows\System\RQzxmPB.exe
  2⤵
  PID:7484
- C:\Windows\System\KTVadOo.exe
  C:\Windows\System\KTVadOo.exe
  2⤵
  PID:7504
- C:\Windows\System\JAzLXad.exe
  C:\Windows\System\JAzLXad.exe
  2⤵
  PID:7540
- C:\Windows\System\WgjQxtO.exe
  C:\Windows\System\WgjQxtO.exe
  2⤵
  PID:7584
- C:\Windows\System\rTvNYTl.exe
  C:\Windows\System\rTvNYTl.exe
  2⤵
  PID:7608
- C:\Windows\System\pcbCibZ.exe
  C:\Windows\System\pcbCibZ.exe
  2⤵
  PID:7628
- C:\Windows\System\zyXicrc.exe
  C:\Windows\System\zyXicrc.exe
  2⤵
  PID:7656
- C:\Windows\System\bXTDXOc.exe
  C:\Windows\System\bXTDXOc.exe
  2⤵
  PID:7680
- C:\Windows\System\tBZPhXH.exe
  C:\Windows\System\tBZPhXH.exe
  2⤵
  PID:7700
- C:\Windows\System\pdDFEwg.exe
  C:\Windows\System\pdDFEwg.exe
  2⤵
  PID:7724
- C:\Windows\System\Qnxtngw.exe
  C:\Windows\System\Qnxtngw.exe
  2⤵
  PID:7744
- C:\Windows\System\tKjaQaG.exe
  C:\Windows\System\tKjaQaG.exe
  2⤵
  PID:7780
- C:\Windows\System\fTaySIg.exe
  C:\Windows\System\fTaySIg.exe
  2⤵
  PID:7804
- C:\Windows\System\gPcZMWg.exe
  C:\Windows\System\gPcZMWg.exe
  2⤵
  PID:7844
- C:\Windows\System\aYlZitB.exe
  C:\Windows\System\aYlZitB.exe
  2⤵
  PID:7860
- C:\Windows\System\rWFQtlR.exe
  C:\Windows\System\rWFQtlR.exe
  2⤵
  PID:7884
- C:\Windows\System\YoCXiyD.exe
  C:\Windows\System\YoCXiyD.exe
  2⤵
  PID:7904
- C:\Windows\System\WgMnABi.exe
  C:\Windows\System\WgMnABi.exe
  2⤵
  PID:7936
- C:\Windows\System\GZQLgSc.exe
  C:\Windows\System\GZQLgSc.exe
  2⤵
  PID:7960
- C:\Windows\System\wfATjJW.exe
  C:\Windows\System\wfATjJW.exe
  2⤵
  PID:8040
- C:\Windows\System\puuztFX.exe
  C:\Windows\System\puuztFX.exe
  2⤵
  PID:8060
- C:\Windows\System\oPYAavW.exe
  C:\Windows\System\oPYAavW.exe
  2⤵
  PID:8084
- C:\Windows\System\blHjaFh.exe
  C:\Windows\System\blHjaFh.exe
  2⤵
  PID:8104
- C:\Windows\System\JILtOkL.exe
  C:\Windows\System\JILtOkL.exe
  2⤵
  PID:8132
- C:\Windows\System\mwARhYS.exe
  C:\Windows\System\mwARhYS.exe
  2⤵
  PID:8148
- C:\Windows\System\tRlXpFm.exe
  C:\Windows\System\tRlXpFm.exe
  2⤵
  PID:7004
- C:\Windows\System\lsmECIl.exe
  C:\Windows\System\lsmECIl.exe
  2⤵
  PID:7204
- C:\Windows\System\SaZakUm.exe
  C:\Windows\System\SaZakUm.exe
  2⤵
  PID:7256
- C:\Windows\System\SAmcgpO.exe
  C:\Windows\System\SAmcgpO.exe
  2⤵
  PID:7240
- C:\Windows\System\pgtJGqW.exe
  C:\Windows\System\pgtJGqW.exe
  2⤵
  PID:7336
- C:\Windows\System\CsbLyUQ.exe
  C:\Windows\System\CsbLyUQ.exe
  2⤵
  PID:7436
- C:\Windows\System\froYiXZ.exe
  C:\Windows\System\froYiXZ.exe
  2⤵
  PID:7524
- C:\Windows\System\xEeWSSj.exe
  C:\Windows\System\xEeWSSj.exe
  2⤵
  PID:7560
- C:\Windows\System\jxJJtHa.exe
  C:\Windows\System\jxJJtHa.exe
  2⤵
  PID:7644
- C:\Windows\System\pmCLHbo.exe
  C:\Windows\System\pmCLHbo.exe
  2⤵
  PID:7692
- C:\Windows\System\rkaRGuj.exe
  C:\Windows\System\rkaRGuj.exe
  2⤵
  PID:7772
- C:\Windows\System\lQjiyJu.exe
  C:\Windows\System\lQjiyJu.exe
  2⤵
  PID:7072
- C:\Windows\System\Astkgpk.exe
  C:\Windows\System\Astkgpk.exe
  2⤵
  PID:7852
- C:\Windows\System\vufgaGZ.exe
  C:\Windows\System\vufgaGZ.exe
  2⤵
  PID:7972
- C:\Windows\System\MLSnnNG.exe
  C:\Windows\System\MLSnnNG.exe
  2⤵
  PID:7944
- C:\Windows\System\uILcHAm.exe
  C:\Windows\System\uILcHAm.exe
  2⤵
  PID:8076
- C:\Windows\System\ixRuYoM.exe
  C:\Windows\System\ixRuYoM.exe
  2⤵
  PID:8112
- C:\Windows\System\bSUiiBL.exe
  C:\Windows\System\bSUiiBL.exe
  2⤵
  PID:6184
- C:\Windows\System\JuNUAfb.exe
  C:\Windows\System\JuNUAfb.exe
  2⤵
  PID:7260
- C:\Windows\System\vvgQDSh.exe
  C:\Windows\System\vvgQDSh.exe
  2⤵
  PID:7312
- C:\Windows\System\lAusyMy.exe
  C:\Windows\System\lAusyMy.exe
  2⤵
  PID:7592
- C:\Windows\System\itnhIPE.exe
  C:\Windows\System\itnhIPE.exe
  2⤵
  PID:7812
- C:\Windows\System\oxPefal.exe
  C:\Windows\System\oxPefal.exe
  2⤵
  PID:7892
- C:\Windows\System\PtHvvnb.exe
  C:\Windows\System\PtHvvnb.exe
  2⤵
  PID:8016
- C:\Windows\System\exIejri.exe
  C:\Windows\System\exIejri.exe
  2⤵
  PID:7384
- C:\Windows\System\mYOGetn.exe
  C:\Windows\System\mYOGetn.exe
  2⤵
  PID:7496
- C:\Windows\System\WQquUMb.exe
  C:\Windows\System\WQquUMb.exe
  2⤵
  PID:7824
- C:\Windows\System\TwXnwLv.exe
  C:\Windows\System\TwXnwLv.exe
  2⤵
  PID:7676
- C:\Windows\System\aRkKzSh.exe
  C:\Windows\System\aRkKzSh.exe
  2⤵
  PID:8208
- C:\Windows\System\EYdZYex.exe
  C:\Windows\System\EYdZYex.exe
  2⤵
  PID:8224
- C:\Windows\System\rmGgGby.exe
  C:\Windows\System\rmGgGby.exe
  2⤵
  PID:8268
- C:\Windows\System\XHNQSnW.exe
  C:\Windows\System\XHNQSnW.exe
  2⤵
  PID:8292
- C:\Windows\System\LPdDdae.exe
  C:\Windows\System\LPdDdae.exe
  2⤵
  PID:8332
- C:\Windows\System\AKSLhaM.exe
  C:\Windows\System\AKSLhaM.exe
  2⤵
  PID:8356
- C:\Windows\System\sFaUsma.exe
  C:\Windows\System\sFaUsma.exe
  2⤵
  PID:8372
- C:\Windows\System\GPBOchh.exe
  C:\Windows\System\GPBOchh.exe
  2⤵
  PID:8392
- C:\Windows\System\pQxiKeg.exe
  C:\Windows\System\pQxiKeg.exe
  2⤵
  PID:8408
- C:\Windows\System\jdCizUe.exe
  C:\Windows\System\jdCizUe.exe
  2⤵
  PID:8428
- C:\Windows\System\ElIzukw.exe
  C:\Windows\System\ElIzukw.exe
  2⤵
  PID:8460
- C:\Windows\System\FpnxExd.exe
  C:\Windows\System\FpnxExd.exe
  2⤵
  PID:8484
- C:\Windows\System\xvoTxte.exe
  C:\Windows\System\xvoTxte.exe
  2⤵
  PID:8524
- C:\Windows\System\mfsqNOQ.exe
  C:\Windows\System\mfsqNOQ.exe
  2⤵
  PID:8544
- C:\Windows\System\nncaoNQ.exe
  C:\Windows\System\nncaoNQ.exe
  2⤵
  PID:8592
- C:\Windows\System\fPIEbjk.exe
  C:\Windows\System\fPIEbjk.exe
  2⤵
  PID:8620
- C:\Windows\System\xHSayPt.exe
  C:\Windows\System\xHSayPt.exe
  2⤵
  PID:8640
- C:\Windows\System\TlxDmlj.exe
  C:\Windows\System\TlxDmlj.exe
  2⤵
  PID:8680
- C:\Windows\System\kbGbQEM.exe
  C:\Windows\System\kbGbQEM.exe
  2⤵
  PID:8700
- C:\Windows\System\ZLGVJQd.exe
  C:\Windows\System\ZLGVJQd.exe
  2⤵
  PID:8752
- C:\Windows\System\YgdIXkO.exe
  C:\Windows\System\YgdIXkO.exe
  2⤵
  PID:8768
- C:\Windows\System\nwQMCaM.exe
  C:\Windows\System\nwQMCaM.exe
  2⤵
  PID:8800
- C:\Windows\System\BMCeWso.exe
  C:\Windows\System\BMCeWso.exe
  2⤵
  PID:8832
- C:\Windows\System\vsbRWoF.exe
  C:\Windows\System\vsbRWoF.exe
  2⤵
  PID:8852
- C:\Windows\System\PnIKEta.exe
  C:\Windows\System\PnIKEta.exe
  2⤵
  PID:8876
- C:\Windows\System\AXICxuu.exe
  C:\Windows\System\AXICxuu.exe
  2⤵
  PID:8920
- C:\Windows\System\lVwDXoy.exe
  C:\Windows\System\lVwDXoy.exe
  2⤵
  PID:8948
- C:\Windows\System\zpkHVQO.exe
  C:\Windows\System\zpkHVQO.exe
  2⤵
  PID:8964
- C:\Windows\System\mbhZTkd.exe
  C:\Windows\System\mbhZTkd.exe
  2⤵
  PID:8980
- C:\Windows\System\lqNeaJK.exe
  C:\Windows\System\lqNeaJK.exe
  2⤵
  PID:9000
- C:\Windows\System\aFrfdFW.exe
  C:\Windows\System\aFrfdFW.exe
  2⤵
  PID:9072
- C:\Windows\System\koIFzIa.exe
  C:\Windows\System\koIFzIa.exe
  2⤵
  PID:9100
- C:\Windows\System\goWHGxM.exe
  C:\Windows\System\goWHGxM.exe
  2⤵
  PID:9128
- C:\Windows\System\InstrUV.exe
  C:\Windows\System\InstrUV.exe
  2⤵
  PID:9152
- C:\Windows\System\NFAShAz.exe
  C:\Windows\System\NFAShAz.exe
  2⤵
  PID:9176
- C:\Windows\System\EFuumwT.exe
  C:\Windows\System\EFuumwT.exe
  2⤵
  PID:9204
- C:\Windows\System\QrBdOop.exe
  C:\Windows\System\QrBdOop.exe
  2⤵
  PID:8196
- C:\Windows\System\zVHoTFM.exe
  C:\Windows\System\zVHoTFM.exe
  2⤵
  PID:8276
- C:\Windows\System\UUPMFGu.exe
  C:\Windows\System\UUPMFGu.exe
  2⤵
  PID:8316
- C:\Windows\System\EiAWBSu.exe
  C:\Windows\System\EiAWBSu.exe
  2⤵
  PID:8368
- C:\Windows\System\IAjYMyN.exe
  C:\Windows\System\IAjYMyN.exe
  2⤵
  PID:8492
- C:\Windows\System\zNzpWLo.exe
  C:\Windows\System\zNzpWLo.exe
  2⤵
  PID:8572
- C:\Windows\System\ioViPpm.exe
  C:\Windows\System\ioViPpm.exe
  2⤵
  PID:8612
- C:\Windows\System\hbvxgtL.exe
  C:\Windows\System\hbvxgtL.exe
  2⤵
  PID:8652
- C:\Windows\System\YyfmAcI.exe
  C:\Windows\System\YyfmAcI.exe
  2⤵
  PID:8708
- C:\Windows\System\kYREDXD.exe
  C:\Windows\System\kYREDXD.exe
  2⤵
  PID:8784
- C:\Windows\System\KfOjkbl.exe
  C:\Windows\System\KfOjkbl.exe
  2⤵
  PID:8844
- C:\Windows\System\NiBavxs.exe
  C:\Windows\System\NiBavxs.exe
  2⤵
  PID:8892
- C:\Windows\System\fUMwtMF.exe
  C:\Windows\System\fUMwtMF.exe
  2⤵
  PID:8936
- C:\Windows\System\beSyZLx.exe
  C:\Windows\System\beSyZLx.exe
  2⤵
  PID:8996
- C:\Windows\System\KKMsnQN.exe
  C:\Windows\System\KKMsnQN.exe
  2⤵
  PID:9168
- C:\Windows\System\nOLrGdX.exe
  C:\Windows\System\nOLrGdX.exe
  2⤵
  PID:7232
- C:\Windows\System\CGAqFXV.exe
  C:\Windows\System\CGAqFXV.exe
  2⤵
  PID:8216
- C:\Windows\System\xVwBGxI.exe
  C:\Windows\System\xVwBGxI.exe
  2⤵
  PID:8424
- C:\Windows\System\aRRlutO.exe
  C:\Windows\System\aRRlutO.exe
  2⤵
  PID:8692
- C:\Windows\System\fAMqqMC.exe
  C:\Windows\System\fAMqqMC.exe
  2⤵
  PID:8764
- C:\Windows\System\aHMbgTL.exe
  C:\Windows\System\aHMbgTL.exe
  2⤵
  PID:8792
- C:\Windows\System\jtNwCGt.exe
  C:\Windows\System\jtNwCGt.exe
  2⤵
  PID:9144
- C:\Windows\System\WpaFBgH.exe
  C:\Windows\System\WpaFBgH.exe
  2⤵
  PID:8312
- C:\Windows\System\OXNovHQ.exe
  C:\Windows\System\OXNovHQ.exe
  2⤵
  PID:8588
- C:\Windows\System\AYAvQrt.exe
  C:\Windows\System\AYAvQrt.exe
  2⤵
  PID:8188
- C:\Windows\System\TgRDPBx.exe
  C:\Windows\System\TgRDPBx.exe
  2⤵
  PID:8732
- C:\Windows\System\ySsQNmC.exe
  C:\Windows\System\ySsQNmC.exe
  2⤵
  PID:9220
- C:\Windows\System\XFTeKOd.exe
  C:\Windows\System\XFTeKOd.exe
  2⤵
  PID:9272
- C:\Windows\System\qTmFUGz.exe
  C:\Windows\System\qTmFUGz.exe
  2⤵
  PID:9304
- C:\Windows\System\eEkEXYY.exe
  C:\Windows\System\eEkEXYY.exe
  2⤵
  PID:9320
- C:\Windows\System\cWZfgba.exe
  C:\Windows\System\cWZfgba.exe
  2⤵
  PID:9340
- C:\Windows\System\aMZXtkN.exe
  C:\Windows\System\aMZXtkN.exe
  2⤵
  PID:9356
- C:\Windows\System\XXmmvQX.exe
  C:\Windows\System\XXmmvQX.exe
  2⤵
  PID:9372
- C:\Windows\System\hROviuB.exe
  C:\Windows\System\hROviuB.exe
  2⤵
  PID:9388
- C:\Windows\System\uRBLfYk.exe
  C:\Windows\System\uRBLfYk.exe
  2⤵
  PID:9404
- C:\Windows\System\sKOmoQF.exe
  C:\Windows\System\sKOmoQF.exe
  2⤵
  PID:9436
- C:\Windows\System\qACfXji.exe
  C:\Windows\System\qACfXji.exe
  2⤵
  PID:9460
- C:\Windows\System\GCRIHcu.exe
  C:\Windows\System\GCRIHcu.exe
  2⤵
  PID:9512
- C:\Windows\System\yTqZwcX.exe
  C:\Windows\System\yTqZwcX.exe
  2⤵
  PID:9532
- C:\Windows\System\VtJIvHH.exe
  C:\Windows\System\VtJIvHH.exe
  2⤵
  PID:9616
- C:\Windows\System\lwZKHvQ.exe
  C:\Windows\System\lwZKHvQ.exe
  2⤵
  PID:9688
- C:\Windows\System\XsptoLi.exe
  C:\Windows\System\XsptoLi.exe
  2⤵
  PID:9712
- C:\Windows\System\xJHfaAf.exe
  C:\Windows\System\xJHfaAf.exe
  2⤵
  PID:9744
- C:\Windows\System\DQMdGeI.exe
  C:\Windows\System\DQMdGeI.exe
  2⤵
  PID:9772
- C:\Windows\System\bESdYTg.exe
  C:\Windows\System\bESdYTg.exe
  2⤵
  PID:9792
- C:\Windows\System\krJijFF.exe
  C:\Windows\System\krJijFF.exe
  2⤵
  PID:9812
- C:\Windows\System\oaeuyXG.exe
  C:\Windows\System\oaeuyXG.exe
  2⤵
  PID:9840
- C:\Windows\System\YIIqPip.exe
  C:\Windows\System\YIIqPip.exe
  2⤵
  PID:9864
- C:\Windows\System\hjdQJTl.exe
  C:\Windows\System\hjdQJTl.exe
  2⤵
  PID:9884
- C:\Windows\System\pAMfiQO.exe
  C:\Windows\System\pAMfiQO.exe
  2⤵
  PID:9912
- C:\Windows\System\GWDlKla.exe
  C:\Windows\System\GWDlKla.exe
  2⤵
  PID:9936
- C:\Windows\System\VOGWMie.exe
  C:\Windows\System\VOGWMie.exe
  2⤵
  PID:9964
- C:\Windows\System\NdsPwQC.exe
  C:\Windows\System\NdsPwQC.exe
  2⤵
  PID:9984
- C:\Windows\System\gnucPCL.exe
  C:\Windows\System\gnucPCL.exe
  2⤵
  PID:10008
- C:\Windows\System\OLqqKxM.exe
  C:\Windows\System\OLqqKxM.exe
  2⤵
  PID:10028
- C:\Windows\System\GkiYROg.exe
  C:\Windows\System\GkiYROg.exe
  2⤵
  PID:10072
- C:\Windows\System\evlAUxs.exe
  C:\Windows\System\evlAUxs.exe
  2⤵
  PID:10120
- C:\Windows\System\ryuhihv.exe
  C:\Windows\System\ryuhihv.exe
  2⤵
  PID:10140
- C:\Windows\System\UDhrqDl.exe
  C:\Windows\System\UDhrqDl.exe
  2⤵
  PID:10180
- C:\Windows\System\kStRrFe.exe
  C:\Windows\System\kStRrFe.exe
  2⤵
  PID:10200
- C:\Windows\System\cbstbEE.exe
  C:\Windows\System\cbstbEE.exe
  2⤵
  PID:8864
- C:\Windows\System\WCkZYmq.exe
  C:\Windows\System\WCkZYmq.exe
  2⤵
  PID:9228
- C:\Windows\System\EUKbSEq.exe
  C:\Windows\System\EUKbSEq.exe
  2⤵
  PID:9384
- C:\Windows\System\FMYnAJF.exe
  C:\Windows\System\FMYnAJF.exe
  2⤵
  PID:9264
- C:\Windows\System\oBTJqVs.exe
  C:\Windows\System\oBTJqVs.exe
  2⤵
  PID:9300
- C:\Windows\System\YNIwUMe.exe
  C:\Windows\System\YNIwUMe.exe
  2⤵
  PID:9348
- C:\Windows\System\qeMgJnB.exe
  C:\Windows\System\qeMgJnB.exe
  2⤵
  PID:9400
- C:\Windows\System\oFYpAOG.exe
  C:\Windows\System\oFYpAOG.exe
  2⤵
  PID:9544
- C:\Windows\System\CfZrDHi.exe
  C:\Windows\System\CfZrDHi.exe
  2⤵
  PID:9580
- C:\Windows\System\pxByVEo.exe
  C:\Windows\System\pxByVEo.exe
  2⤵
  PID:9696
- C:\Windows\System\YQqwBfu.exe
  C:\Windows\System\YQqwBfu.exe
  2⤵
  PID:9764
- C:\Windows\System\AMUAUmy.exe
  C:\Windows\System\AMUAUmy.exe
  2⤵
  PID:9824
- C:\Windows\System\XDrPqzy.exe
  C:\Windows\System\XDrPqzy.exe
  2⤵
  PID:9860
- C:\Windows\System\yJUZdws.exe
  C:\Windows\System\yJUZdws.exe
  2⤵
  PID:9960
- C:\Windows\System\fuUWiUM.exe
  C:\Windows\System\fuUWiUM.exe
  2⤵
  PID:9980
- C:\Windows\System\ixVMnjt.exe
  C:\Windows\System\ixVMnjt.exe
  2⤵
  PID:10052
- C:\Windows\System\ZnDLXCx.exe
  C:\Windows\System\ZnDLXCx.exe
  2⤵
  PID:10084
- C:\Windows\System\VkTGzvW.exe
  C:\Windows\System\VkTGzvW.exe
  2⤵
  PID:10168
- C:\Windows\System\UcpVHjn.exe
  C:\Windows\System\UcpVHjn.exe
  2⤵
  PID:9268
- C:\Windows\System\kqjdmrm.exe
  C:\Windows\System\kqjdmrm.exe
  2⤵
  PID:9364
- C:\Windows\System\fUBnwmC.exe
  C:\Windows\System\fUBnwmC.exe
  2⤵
  PID:9508
- C:\Windows\System\jmAIXOD.exe
  C:\Windows\System\jmAIXOD.exe
  2⤵
  PID:9684
- C:\Windows\System\TSjZIZK.exe
  C:\Windows\System\TSjZIZK.exe
  2⤵
  PID:9956
- C:\Windows\System\TSqhMnv.exe
  C:\Windows\System\TSqhMnv.exe
  2⤵
  PID:10100
- C:\Windows\System\eBzesHj.exe
  C:\Windows\System\eBzesHj.exe
  2⤵
  PID:10108
- C:\Windows\System\FRixwLX.exe
  C:\Windows\System\FRixwLX.exe
  2⤵
  PID:9424
- C:\Windows\System\XEIsZDq.exe
  C:\Windows\System\XEIsZDq.exe
  2⤵
  PID:9788
- C:\Windows\System\PgXkfse.exe
  C:\Windows\System\PgXkfse.exe
  2⤵
  PID:3788
- C:\Windows\System\bxbFJGU.exe
  C:\Windows\System\bxbFJGU.exe
  2⤵
  PID:9780
- C:\Windows\System\GYgcxVU.exe
  C:\Windows\System\GYgcxVU.exe
  2⤵
  PID:10248
- C:\Windows\System\bIJoKOq.exe
  C:\Windows\System\bIJoKOq.exe
  2⤵
  PID:10268
- C:\Windows\System\DBlvQXX.exe
  C:\Windows\System\DBlvQXX.exe
  2⤵
  PID:10312
- C:\Windows\System\BjRzJnY.exe
  C:\Windows\System\BjRzJnY.exe
  2⤵
  PID:10332
- C:\Windows\System\ZSQlNlC.exe
  C:\Windows\System\ZSQlNlC.exe
  2⤵
  PID:10356
- C:\Windows\System\NUdGHXk.exe
  C:\Windows\System\NUdGHXk.exe
  2⤵
  PID:10388
- C:\Windows\System\dPZmNdX.exe
  C:\Windows\System\dPZmNdX.exe
  2⤵
  PID:10412
- C:\Windows\System\PTdHlJk.exe
  C:\Windows\System\PTdHlJk.exe
  2⤵
  PID:10432
- C:\Windows\System\uaPzMyD.exe
  C:\Windows\System\uaPzMyD.exe
  2⤵
  PID:10456
- C:\Windows\System\VFTTRdK.exe
  C:\Windows\System\VFTTRdK.exe
  2⤵
  PID:10488
- C:\Windows\System\SNZIHlB.exe
  C:\Windows\System\SNZIHlB.exe
  2⤵
  PID:10512
- C:\Windows\System\NOesEwm.exe
  C:\Windows\System\NOesEwm.exe
  2⤵
  PID:10544
- C:\Windows\System\jnCTNre.exe
  C:\Windows\System\jnCTNre.exe
  2⤵
  PID:10576
- C:\Windows\System\YzHnvhk.exe
  C:\Windows\System\YzHnvhk.exe
  2⤵
  PID:10600
- C:\Windows\System\DvWfzyv.exe
  C:\Windows\System\DvWfzyv.exe
  2⤵
  PID:10620
- C:\Windows\System\SismZju.exe
  C:\Windows\System\SismZju.exe
  2⤵
  PID:10648
- C:\Windows\System\OrmgREe.exe
  C:\Windows\System\OrmgREe.exe
  2⤵
  PID:10664
- C:\Windows\System\sJAlzuV.exe
  C:\Windows\System\sJAlzuV.exe
  2⤵
  PID:10688
- C:\Windows\System\JxZTjEY.exe
  C:\Windows\System\JxZTjEY.exe
  2⤵
  PID:10708
- C:\Windows\System\dAdQPYs.exe
  C:\Windows\System\dAdQPYs.exe
  2⤵
  PID:10760
- C:\Windows\System\fDfmOVY.exe
  C:\Windows\System\fDfmOVY.exe
  2⤵
  PID:10784
- C:\Windows\System\ybxZGzv.exe
  C:\Windows\System\ybxZGzv.exe
  2⤵
  PID:10824
- C:\Windows\System\HwemeAz.exe
  C:\Windows\System\HwemeAz.exe
  2⤵
  PID:10848
- C:\Windows\System\yEgaKAs.exe
  C:\Windows\System\yEgaKAs.exe
  2⤵
  PID:10868
- C:\Windows\System\XnIpzLa.exe
  C:\Windows\System\XnIpzLa.exe
  2⤵
  PID:10900
- C:\Windows\System\NFuttIn.exe
  C:\Windows\System\NFuttIn.exe
  2⤵
  PID:10928
- C:\Windows\System\IoUcOTz.exe
  C:\Windows\System\IoUcOTz.exe
  2⤵
  PID:10968
- C:\Windows\System\fyYkatx.exe
  C:\Windows\System\fyYkatx.exe
  2⤵
  PID:11016
- C:\Windows\System\QTirhsU.exe
  C:\Windows\System\QTirhsU.exe
  2⤵
  PID:11036
- C:\Windows\System\Hvkcmax.exe
  C:\Windows\System\Hvkcmax.exe
  2⤵
  PID:11060
- C:\Windows\System\LXcDaBP.exe
  C:\Windows\System\LXcDaBP.exe
  2⤵
  PID:11088
- C:\Windows\System\cIWdJhU.exe
  C:\Windows\System\cIWdJhU.exe
  2⤵
  PID:11112
- C:\Windows\System\sBoUymZ.exe
  C:\Windows\System\sBoUymZ.exe
  2⤵
  PID:11144
- C:\Windows\System\YNUyOhp.exe
  C:\Windows\System\YNUyOhp.exe
  2⤵
  PID:11176
- C:\Windows\System\pOAnCli.exe
  C:\Windows\System\pOAnCli.exe
  2⤵
  PID:11200
- C:\Windows\System\uIXbZzC.exe
  C:\Windows\System\uIXbZzC.exe
  2⤵
  PID:11248
- C:\Windows\System\aOJXnBC.exe
  C:\Windows\System\aOJXnBC.exe
  2⤵
  PID:9932
- C:\Windows\System\HaHEjFn.exe
  C:\Windows\System\HaHEjFn.exe
  2⤵
  PID:10304
- C:\Windows\System\diawDaq.exe
  C:\Windows\System\diawDaq.exe
  2⤵
  PID:1784
- C:\Windows\System\drnnZyj.exe
  C:\Windows\System\drnnZyj.exe
  2⤵
  PID:10376
- C:\Windows\System\gbdvvDV.exe
  C:\Windows\System\gbdvvDV.exe
  2⤵
  PID:10440
- C:\Windows\System\SJbZRLB.exe
  C:\Windows\System\SJbZRLB.exe
  2⤵
  PID:10452
- C:\Windows\System\ldJlbVe.exe
  C:\Windows\System\ldJlbVe.exe
  2⤵
  PID:10496
- C:\Windows\System\fVbmLVN.exe
  C:\Windows\System\fVbmLVN.exe
  2⤵
  PID:10588
- C:\Windows\System\MfRwrId.exe
  C:\Windows\System\MfRwrId.exe
  2⤵
  PID:10656
- C:\Windows\System\JyUWVKl.exe
  C:\Windows\System\JyUWVKl.exe
  2⤵
  PID:10752
- C:\Windows\System\GoVHELn.exe
  C:\Windows\System\GoVHELn.exe
  2⤵
  PID:10096
- C:\Windows\System\LtFfsFw.exe
  C:\Windows\System\LtFfsFw.exe
  2⤵
  PID:10896
- C:\Windows\System\TcfqQWf.exe
  C:\Windows\System\TcfqQWf.exe
  2⤵
  PID:10916
- C:\Windows\System\pitfznv.exe
  C:\Windows\System\pitfznv.exe
  2⤵
  PID:4384
- C:\Windows\System\IEwfeIP.exe
  C:\Windows\System\IEwfeIP.exe
  2⤵
  PID:11076
- C:\Windows\System\noDubCS.exe
  C:\Windows\System\noDubCS.exe
  2⤵
  PID:11128
- C:\Windows\System\QJSbcyi.exe
  C:\Windows\System\QJSbcyi.exe
  2⤵
  PID:11164
- C:\Windows\System\kJLtVXO.exe
  C:\Windows\System\kJLtVXO.exe
  2⤵
  PID:10264
- C:\Windows\System\kVbAbhD.exe
  C:\Windows\System\kVbAbhD.exe
  2⤵
  PID:10340
- C:\Windows\System\STZajmj.exe
  C:\Windows\System\STZajmj.exe
  2⤵
  PID:10520
- C:\Windows\System\UPQqYLU.exe
  C:\Windows\System\UPQqYLU.exe
  2⤵
  PID:364
- C:\Windows\System\CDzFNzi.exe
  C:\Windows\System\CDzFNzi.exe
  2⤵
  PID:10636
- C:\Windows\System\UBLfSCY.exe
  C:\Windows\System\UBLfSCY.exe
  2⤵
  PID:10892
- C:\Windows\System\JpxosAM.exe
  C:\Windows\System\JpxosAM.exe
  2⤵
  PID:11008
- C:\Windows\System\BRZzleU.exe
  C:\Windows\System\BRZzleU.exe
  2⤵
  PID:11188
- C:\Windows\System\vuSCOSY.exe
  C:\Windows\System\vuSCOSY.exe
  2⤵
  PID:10324
- C:\Windows\System\MohnNVz.exe
  C:\Windows\System\MohnNVz.exe
  2⤵
  PID:10404
- C:\Windows\System\nizRhzv.exe
  C:\Windows\System\nizRhzv.exe
  2⤵
  PID:10780
- C:\Windows\System\VRAlcmu.exe
  C:\Windows\System\VRAlcmu.exe
  2⤵
  PID:11108
- C:\Windows\System\CrjZBwx.exe
  C:\Windows\System\CrjZBwx.exe
  2⤵
  PID:10472
- C:\Windows\System\tftOVGA.exe
  C:\Windows\System\tftOVGA.exe
  2⤵
  PID:10328
- C:\Windows\System\feLUwcj.exe
  C:\Windows\System\feLUwcj.exe
  2⤵
  PID:436
- C:\Windows\System\hnjrSQF.exe
  C:\Windows\System\hnjrSQF.exe
  2⤵
  PID:11276
- C:\Windows\System\NupQfYg.exe
  C:\Windows\System\NupQfYg.exe
  2⤵
  PID:11292
- C:\Windows\System\CkFYniK.exe
  C:\Windows\System\CkFYniK.exe
  2⤵
  PID:11364
- C:\Windows\System\NcWVqcV.exe
  C:\Windows\System\NcWVqcV.exe
  2⤵
  PID:11388
- C:\Windows\System\dmNKfwE.exe
  C:\Windows\System\dmNKfwE.exe
  2⤵
  PID:11428
- C:\Windows\System\dmfSRwA.exe
  C:\Windows\System\dmfSRwA.exe
  2⤵
  PID:11448
- C:\Windows\System\KJSgNpl.exe
  C:\Windows\System\KJSgNpl.exe
  2⤵
  PID:11468
- C:\Windows\System\EvykPys.exe
  C:\Windows\System\EvykPys.exe
  2⤵
  PID:11504
- C:\Windows\System\IttQncX.exe
  C:\Windows\System\IttQncX.exe
  2⤵
  PID:11528
- C:\Windows\System\gzAILbz.exe
  C:\Windows\System\gzAILbz.exe
  2⤵
  PID:11552
- C:\Windows\System\pYDpghh.exe
  C:\Windows\System\pYDpghh.exe
  2⤵
  PID:11604
- C:\Windows\System\FYVJayA.exe
  C:\Windows\System\FYVJayA.exe
  2⤵
  PID:11624
- C:\Windows\System\hmYmOCp.exe
  C:\Windows\System\hmYmOCp.exe
  2⤵
  PID:11648
- C:\Windows\System\ZFflMOQ.exe
  C:\Windows\System\ZFflMOQ.exe
  2⤵
  PID:11676
- C:\Windows\System\salrEcI.exe
  C:\Windows\System\salrEcI.exe
  2⤵
  PID:11708
- C:\Windows\System\yXpvTyn.exe
  C:\Windows\System\yXpvTyn.exe
  2⤵
  PID:11728
- C:\Windows\System\irfYBTi.exe
  C:\Windows\System\irfYBTi.exe
  2⤵
  PID:11756
- C:\Windows\System\MnFDqfG.exe
  C:\Windows\System\MnFDqfG.exe
  2⤵
  PID:11780
- C:\Windows\System\AKEKKTL.exe
  C:\Windows\System\AKEKKTL.exe
  2⤵
  PID:11800
- C:\Windows\System\RNRKXsT.exe
  C:\Windows\System\RNRKXsT.exe
  2⤵
  PID:11828
- C:\Windows\System\LpAruSE.exe
  C:\Windows\System\LpAruSE.exe
  2⤵
  PID:11872
- C:\Windows\System\EMvWkKt.exe
  C:\Windows\System\EMvWkKt.exe
  2⤵
  PID:11924
- C:\Windows\System\AfDYzTU.exe
  C:\Windows\System\AfDYzTU.exe
  2⤵
  PID:11948
- C:\Windows\System\rmVQdSB.exe
  C:\Windows\System\rmVQdSB.exe
  2⤵
  PID:11968
- C:\Windows\System\OQPtlZW.exe
  C:\Windows\System\OQPtlZW.exe
  2⤵
  PID:11992
- C:\Windows\System\ymrmwfA.exe
  C:\Windows\System\ymrmwfA.exe
  2⤵
  PID:12036
- C:\Windows\System\QvmHslJ.exe
  C:\Windows\System\QvmHslJ.exe
  2⤵
  PID:12060
- C:\Windows\System\OpCUMwT.exe
  C:\Windows\System\OpCUMwT.exe
  2⤵
  PID:12076
- C:\Windows\System\Zqxisri.exe
  C:\Windows\System\Zqxisri.exe
  2⤵
  PID:12100
- C:\Windows\System\BNyKRlY.exe
  C:\Windows\System\BNyKRlY.exe
  2⤵
  PID:12144
- C:\Windows\System\LRJyRkS.exe
  C:\Windows\System\LRJyRkS.exe
  2⤵
  PID:12164
- C:\Windows\System\UtKAlvW.exe
  C:\Windows\System\UtKAlvW.exe
  2⤵
  PID:12200
- C:\Windows\System\jOFCWkr.exe
  C:\Windows\System\jOFCWkr.exe
  2⤵
  PID:12220
- C:\Windows\System\VXVwiST.exe
  C:\Windows\System\VXVwiST.exe
  2⤵
  PID:12256
- C:\Windows\System\IzEsnEc.exe
  C:\Windows\System\IzEsnEc.exe
  2⤵
  PID:10792
- C:\Windows\System\rKpqLEy.exe
  C:\Windows\System\rKpqLEy.exe
  2⤵
  PID:10860
- C:\Windows\System\zMqCCKn.exe
  C:\Windows\System\zMqCCKn.exe
  2⤵
  PID:11344
- C:\Windows\System\ytLEnCZ.exe
  C:\Windows\System\ytLEnCZ.exe
  2⤵
  PID:11460
- C:\Windows\System\rlKQYjP.exe
  C:\Windows\System\rlKQYjP.exe
  2⤵
  PID:11464
- C:\Windows\System\cNugALy.exe
  C:\Windows\System\cNugALy.exe
  2⤵
  PID:11544
- C:\Windows\System\UdDwMDl.exe
  C:\Windows\System\UdDwMDl.exe
  2⤵
  PID:11568
- C:\Windows\System\ZOhnhmN.exe
  C:\Windows\System\ZOhnhmN.exe
  2⤵
  PID:11664
- C:\Windows\System\AirFuJz.exe
  C:\Windows\System\AirFuJz.exe
  2⤵
  PID:11696
- C:\Windows\System\EHhEEZn.exe
  C:\Windows\System\EHhEEZn.exe
  2⤵
  PID:11752
- C:\Windows\System\ohPuUpM.exe
  C:\Windows\System\ohPuUpM.exe
  2⤵
  PID:11860
- C:\Windows\System\IKDKjcN.exe
  C:\Windows\System\IKDKjcN.exe
  2⤵
  PID:11936
- C:\Windows\System\IMAkFfp.exe
  C:\Windows\System\IMAkFfp.exe
  2⤵
  PID:12032
- C:\Windows\System\jALAfCi.exe
  C:\Windows\System\jALAfCi.exe
  2⤵
  PID:12092
- C:\Windows\System\cMDVlDL.exe
  C:\Windows\System\cMDVlDL.exe
  2⤵
  PID:12184
- C:\Windows\System\fQliUwI.exe
  C:\Windows\System\fQliUwI.exe
  2⤵
  PID:12228
- C:\Windows\System\rSzuGcS.exe
  C:\Windows\System\rSzuGcS.exe
  2⤵
  PID:12280
- C:\Windows\System\FSbKRGh.exe
  C:\Windows\System\FSbKRGh.exe
  2⤵
  PID:11288
- C:\Windows\System\kBcELFH.exe
  C:\Windows\System\kBcELFH.exe
  2⤵
  PID:3012
- C:\Windows\System\KNiMZkW.exe
  C:\Windows\System\KNiMZkW.exe
  2⤵
  PID:11896
- C:\Windows\System\mMqpCvt.exe
  C:\Windows\System\mMqpCvt.exe
  2⤵
  PID:12068
- C:\Windows\System\XAbShpk.exe
  C:\Windows\System\XAbShpk.exe
  2⤵
  PID:12140
- C:\Windows\System\JHlwtNd.exe
  C:\Windows\System\JHlwtNd.exe
  2⤵
  PID:12216
- C:\Windows\System\yGRkwmc.exe
  C:\Windows\System\yGRkwmc.exe
  2⤵
  PID:11640
- C:\Windows\System\taUiAfN.exe
  C:\Windows\System\taUiAfN.exe
  2⤵
  PID:11808
- C:\Windows\System\tbOyhnL.exe
  C:\Windows\System\tbOyhnL.exe
  2⤵
  PID:12028
- C:\Windows\System\jSLlBEm.exe
  C:\Windows\System\jSLlBEm.exe
  2⤵
  PID:11524
- C:\Windows\System\tScIgCt.exe
  C:\Windows\System\tScIgCt.exe
  2⤵
  PID:2368
- C:\Windows\System\oRfqFIq.exe
  C:\Windows\System\oRfqFIq.exe
  2⤵
  PID:12152
- C:\Windows\System\xoSSYSN.exe
  C:\Windows\System\xoSSYSN.exe
  2⤵
  PID:11964
- C:\Windows\System\TaoYKuw.exe
  C:\Windows\System\TaoYKuw.exe
  2⤵
  PID:2492
- C:\Windows\System\VqUXomH.exe
  C:\Windows\System\VqUXomH.exe
  2⤵
  PID:12304
- C:\Windows\System\bcpmiBo.exe
  C:\Windows\System\bcpmiBo.exe
  2⤵
  PID:12328
- C:\Windows\System\PhRxBCW.exe
  C:\Windows\System\PhRxBCW.exe
  2⤵
  PID:12344
- C:\Windows\System\ocixLGn.exe
  C:\Windows\System\ocixLGn.exe
  2⤵
  PID:12372
- C:\Windows\System\aQRmNCG.exe
  C:\Windows\System\aQRmNCG.exe
  2⤵
  PID:12420
- C:\Windows\System\SxpBrku.exe
  C:\Windows\System\SxpBrku.exe
  2⤵
  PID:12444
- C:\Windows\System\WbPMOMk.exe
  C:\Windows\System\WbPMOMk.exe
  2⤵
  PID:12468
- C:\Windows\System\XjfjUgP.exe
  C:\Windows\System\XjfjUgP.exe
  2⤵
  PID:12496
- C:\Windows\System\gdyJwFZ.exe
  C:\Windows\System\gdyJwFZ.exe
  2⤵
  PID:12544
- C:\Windows\System\aExnaON.exe
  C:\Windows\System\aExnaON.exe
  2⤵
  PID:12564
- C:\Windows\System\QbIlusf.exe
  C:\Windows\System\QbIlusf.exe
  2⤵
  PID:12592
- C:\Windows\System\bTdExRh.exe
  C:\Windows\System\bTdExRh.exe
  2⤵
  PID:12616
- C:\Windows\System\OuMezZv.exe
  C:\Windows\System\OuMezZv.exe
  2⤵
  PID:12652
- C:\Windows\System\oVuRUTU.exe
  C:\Windows\System\oVuRUTU.exe
  2⤵
  PID:12688
- C:\Windows\System\yYZBUgY.exe
  C:\Windows\System\yYZBUgY.exe
  2⤵
  PID:12712
- C:\Windows\System\bgafLXt.exe
  C:\Windows\System\bgafLXt.exe
  2⤵
  PID:12736
- C:\Windows\System\VRtZcoS.exe
  C:\Windows\System\VRtZcoS.exe
  2⤵
  PID:12776
- C:\Windows\System\tuHybOd.exe
  C:\Windows\System\tuHybOd.exe
  2⤵
  PID:12792
- C:\Windows\System\dGDvjnD.exe
  C:\Windows\System\dGDvjnD.exe
  2⤵
  PID:12812
- C:\Windows\System\qpNBNyR.exe
  C:\Windows\System\qpNBNyR.exe
  2⤵
  PID:12840
- C:\Windows\System\QsDqRWD.exe
  C:\Windows\System\QsDqRWD.exe
  2⤵
  PID:12872
- C:\Windows\System\ontSHCa.exe
  C:\Windows\System\ontSHCa.exe
  2⤵
  PID:12896
- C:\Windows\System\fIRkhHA.exe
  C:\Windows\System\fIRkhHA.exe
  2⤵
  PID:12928
- C:\Windows\System\JBzMtNT.exe
  C:\Windows\System\JBzMtNT.exe
  2⤵
  PID:12956
- C:\Windows\System\lYNUydw.exe
  C:\Windows\System\lYNUydw.exe
  2⤵
  PID:13000
- C:\Windows\System\TvpSMRV.exe
  C:\Windows\System\TvpSMRV.exe
  2⤵
  PID:13020
- C:\Windows\System\mHMoTlr.exe
  C:\Windows\System\mHMoTlr.exe
  2⤵
  PID:13056
- C:\Windows\System\ZRrUnlp.exe
  C:\Windows\System\ZRrUnlp.exe
  2⤵
  PID:13076
- C:\Windows\System\TIyoHrA.exe
  C:\Windows\System\TIyoHrA.exe
  2⤵
  PID:13100
- C:\Windows\System\vuIDaaO.exe
  C:\Windows\System\vuIDaaO.exe
  2⤵
  PID:13124
- C:\Windows\System\pIYVhHI.exe
  C:\Windows\System\pIYVhHI.exe
  2⤵
  PID:13152
- C:\Windows\System\hDzbsdw.exe
  C:\Windows\System\hDzbsdw.exe
  2⤵
  PID:13180
- C:\Windows\System\NCPYisg.exe
  C:\Windows\System\NCPYisg.exe
  2⤵
  PID:13208
- C:\Windows\System\PLuMQLR.exe
  C:\Windows\System\PLuMQLR.exe
  2⤵
  PID:13228
- C:\Windows\System\CaJngil.exe
  C:\Windows\System\CaJngil.exe
  2⤵
  PID:13248
- C:\Windows\System\dYbZzqz.exe
  C:\Windows\System\dYbZzqz.exe
  2⤵
  PID:13264
- C:\Windows\System\QFSpIjB.exe
  C:\Windows\System\QFSpIjB.exe
  2⤵
  PID:13300
- C:\Windows\System\XyTVbSK.exe
  C:\Windows\System\XyTVbSK.exe
  2⤵
  PID:12612
- C:\Windows\System\JpjYKCk.exe
  C:\Windows\System\JpjYKCk.exe
  2⤵
  PID:12676
- C:\Windows\System\XMgQjET.exe
  C:\Windows\System\XMgQjET.exe
  2⤵
  PID:12724
- C:\Windows\System\nTKcWvY.exe
  C:\Windows\System\nTKcWvY.exe
  2⤵
  PID:12784
- C:\Windows\System\vEabwvk.exe
  C:\Windows\System\vEabwvk.exe
  2⤵
  PID:12888
- C:\Windows\System\ulDntQg.exe
  C:\Windows\System\ulDntQg.exe
  2⤵
  PID:12904
- C:\Windows\System\ArdjIiI.exe
  C:\Windows\System\ArdjIiI.exe
  2⤵
  PID:12936
- C:\Windows\System\AyWHLam.exe
  C:\Windows\System\AyWHLam.exe
  2⤵
  PID:13072
- C:\Windows\System\nhPcbri.exe
  C:\Windows\System\nhPcbri.exe
  2⤵
  PID:13144
- C:\Windows\System\TyKTUro.exe
  C:\Windows\System\TyKTUro.exe
  2⤵
  PID:13172
- C:\Windows\System\rNgtSnE.exe
  C:\Windows\System\rNgtSnE.exe
  2⤵
  PID:13260
- C:\Windows\System\SiiVlWH.exe
  C:\Windows\System\SiiVlWH.exe
  2⤵
  PID:13292
- C:\Windows\System\VGKWJkC.exe
  C:\Windows\System\VGKWJkC.exe
  2⤵
  PID:12416
- C:\Windows\System\syjyNAb.exe
  C:\Windows\System\syjyNAb.exe
  2⤵
  PID:12528
- C:\Windows\System\BvIlCvp.exe
  C:\Windows\System\BvIlCvp.exe
  2⤵
  PID:12584

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pxcds1el.k1b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\APxQQQV.exe

Filesize
2.2MB

MD5
8233503b516ec31fd7d5c52afd03fc3a

SHA1
7cb8213c4d723fd010b012ee98e308672a26ebde

SHA256
67f444a621322939c6108b9e628045a47da531e1963f8022de5ef51ec4b025a8

SHA512
99ec312c944b834c5499e42bc18c0af462a78bc60695a78ef54374e2a36c77ae99d03f4f3ee90d42378b0f8a959b9c56523f38753dc2106bfd3514582ee8dfae

Download Submit
C:\Windows\System\BKFaAIy.exe

Filesize
2.2MB

MD5
124fe8596f10a92767e9c53445cae901

SHA1
b12b412d2086aba2d7073cefee943ec776918034

SHA256
4c91af045e436fdae33aaa0fa00ab3f9da9cee1e598890b5c0372a0037415548

SHA512
af9380ca060fc5d6508d5514b996c9bc62975174a6e254db3706ecfe8238d9278a3e6a18f1732b70d25a6f3736430cc716697ce42cdfbed90872b5724a735649

Download Submit
C:\Windows\System\BXjLBYc.exe

Filesize
2.2MB

MD5
b7d6d0c4b445875b2180510a34b3f2b2

SHA1
32bd4a71da07a5e4f81ed8248abcca9bbb629d05

SHA256
9a14165308fe13a78a07403a0b463ca5c41e8f47cb476710a18a51ed2b3deddc

SHA512
c849bc4946a6f743fbdcbc69e1263638b5da8850e96e52e5d34bc3906a9e8638668dbae456ea0e18a1a5891420c2195ec59cfb449110c6fabfc7325397850571

Download Submit
C:\Windows\System\BerEUwZ.exe

Filesize
2.2MB

MD5
4e407651d531cc98847b997b6e01d6b5

SHA1
4b594aa6421784d2099425f36a203cc6f29c7e21

SHA256
0b52b8a12d31054431389822977cacf02a46797c306c2e4ecb10cf40db010a11

SHA512
f4697a006d33973b890500821a1a1d445df48e7512fa3ff2c4c55fd4cb118beda51250b2f7b20ac2e8aa4b5884d0e0423963cd786a24c16948798b0d135e8e1b

Download Submit
C:\Windows\System\CYBzBNQ.exe

Filesize
2.2MB

MD5
9b7b89f06e0b1648cb948f19570d88c0

SHA1
1a9a375d9f23e0850d7650a883e84eb5c8455847

SHA256
fd39cc15f8c7dc3e95c60c3afb2e62d610debf42967427808d870964798239c7

SHA512
c5c51c3cd1f3b329f7837052376b150abacee11352be890efdb8dab349d3210d0e59e80782f6bcbe5173f66fb77c4ae049be657f158ee9f64570d4acbd165b87

Download Submit
C:\Windows\System\CyiIhqb.exe

Filesize
2.2MB

MD5
5517f82b5c5eec31a33fdee540acceae

SHA1
dfba32e3a11a49ba0740b727021fcae169ec5caa

SHA256
825381a4e0cfba8f0a432686e27247ef57848cf30e1b1194b51cca3d41c7a7f2

SHA512
1650078efdc3e6638de0dd3a84b2ef68b9410f0fb5ae4b4f6adabd62ea79010a3dbc5cb14728ed21aa0198314b782cebfbfc25b0eef3b8f9dbb48c32c7fe21ed

Download Submit
C:\Windows\System\EZmzPwA.exe

Filesize
2.2MB

MD5
e467e48b5e59d8f4e6f830fe01611e3a

SHA1
558901b9b5a70d4ab25cc75f9b7fc159e7167289

SHA256
a6d046ebd5c9cd626fa0fc384957394f2de7fad4cc09785d049b7a75ce3271d5

SHA512
136dedda185d4f59067a539e79f480d4dca74c120f6f706c3b3d5eb417479a0155634e8b28171d4326045df623507a2e26eed994926a8611ad8275a614d192c9

Download Submit
C:\Windows\System\HOMnPvE.exe

Filesize
2.2MB

MD5
22c774378e2f21f8631475a0354fa5f2

SHA1
ad9a3e51e250dbefc65df9f825a6a46bc792b28a

SHA256
1da05c21ab87670c14ad30870c91bc175775e808553dd222cee59581ce319afb

SHA512
9637e4cc2c877df9e42ca76b57b7354bd5de48cb371e1628c0a0ace8b17323699c7745fb901f81d4293774c2f3292f9964fac920d1e4216e93aaa1b90b82a7ba

Download Submit
C:\Windows\System\HXMROsL.exe

Filesize
2.2MB

MD5
805a588b7b510b4725557d0421517953

SHA1
2d2cbeb3dc5b80cfde7f6bcae9431a0e19e873c2

SHA256
b862d8b3bf2e4f10301fc06a6a69d47ee943f7e3d385ad304155f9eb59908300

SHA512
76bfb95c29daf03dbb14eebfbcaf9c8a14cf7347db5c41e38600154a9e08cf74a9b9b941662400d08fdb3c685d2a46f47f77f21ff4ce642274ac675641427a3e

Download Submit
C:\Windows\System\LOVpliR.exe

Filesize
2.2MB

MD5
e40d756178bd2b6e14a4be2adf72cb27

SHA1
5a20a084c26de8fc0a9d47f7998ada0a06e91ce3

SHA256
eb1edfa896046d0db495ea1ddac7a5046173c47df8bc4765547b78ec16365e03

SHA512
6f9437f787b38749d0342bd334390756fa49485a77c73a2e961516d2458fa41b9c9baea1bcf0fe6f71cf4a52933c9464e633f2b52ae8f71fb35a198c4e831fdf

Download Submit
C:\Windows\System\PunDmVh.exe

Filesize
2.2MB

MD5
7ce223efb4f28eeaa83d650b832fb097

SHA1
52b4ef4480adce8c1e40876ec5a60aeec4058260

SHA256
9e807f8b3485dccc86c7bd36dbf113bc2d31143547545297b05a713a6947a743

SHA512
51a35bfea194c45a0e2d4526bb585c9d8870f94029dfe79d3405c8e52fad2c310d8e22bcd98bcc217b7e2614bc2c6da417490ffcf5c0c53ca4200a858c19c72c

Download Submit
C:\Windows\System\QmMxsLN.exe

Filesize
2.2MB

MD5
2d385b3308d606388628be5258dae40b

SHA1
765cdc950eca38bd20bfa4cdb02cd8486d6135af

SHA256
8205ad481fd5fb2b0c307fde1cc33461c0da7d771bccaad71902d736a620b62e

SHA512
fb8743fdb85f6f192207917f2940bbc67694c3da76f004f5a7222c96eef59118e47c0316e3a1475a95b4978b4339b1cd1ba4762f3b68a391268597c3d37ec9ce

Download Submit
C:\Windows\System\RlQSwYV.exe

Filesize
2.2MB

MD5
32c69a789965162a3834cef6141ad4d4

SHA1
d9f4cef7bc2da0d42091af2e5e4896bbaac43f68

SHA256
33d81dc56aeeee84a74e388247cba5b29ba70195d9e23242e3ebca85211cfbd1

SHA512
c4e5db8ec20b38fd8666937c53e9d1ea741ae11e3235a09fdd68b94bb84ebb6a198edb825a0cc75cc5e091d1793b800545c633d8229fcbf96af5c63ff0c2b8b9

Download Submit
C:\Windows\System\UoCcKgc.exe

Filesize
2.2MB

MD5
9f499e7826bfd74d3a39a812833b6ded

SHA1
cca33342bfb9c52a8eeae4543674518ced298cf2

SHA256
2080e6b8bdb27329ffc8d9c95d8f1670c79d70392385cbd89d6b340a0a893a2a

SHA512
fb13570296a5fcbc7429d903c231c783cc30cfa159ffad774727a3d3c306fcf5dab60200b1cda63eedd4c5f2010a3be4b13cf00bd540edefe93ecf71634ba340

Download Submit
C:\Windows\System\WRrRFPn.exe

Filesize
2.2MB

MD5
409d0bbf3472b41631c58c5ba77c7972

SHA1
8b03cb08541b148fbfef1fca46def01cb57e1e91

SHA256
ce92924adb4823bdc42f768e012d9acf408b33e914146686bb1b79c7603d5359

SHA512
2f702420f70a9a40057f0f318d3852643b494c3dc1ba5e23ad8df45b00ef51508831d1dab09cbfada0a9ab66a9ef7d7ca196af112856ceadf2dffe52ee9dbeb7

Download Submit
C:\Windows\System\WyhfyjF.exe

Filesize
2.2MB

MD5
f7a2858adff0b2a9a217e2cae6b4d911

SHA1
805157786882bfc1d7b1170134bfd6af02812cda

SHA256
b30aff2b988e11f650ba0469af84c9865e6a511b1c2ff450eb24ab0573d39f11

SHA512
8b8f37d30837debb0a7c41d8a3e7b0daacf04aa48cb0fa69a2801c8bec6c0f40545444233027719769554f28d64e07dbba86bd2dacc8d8ca7b2522527d23f1ac

Download Submit
C:\Windows\System\bvICkVv.exe

Filesize
2.2MB

MD5
7ac5a21c690a902355e8e264c2bd94c8

SHA1
874a9cae76034ea42f87a43851caf6943626a0da

SHA256
5176873ca05e3097b6d5a611c7e45e0594c8ae03392ee8d0910744751c3833c7

SHA512
b72e925fe485b7a39e3bf19233ade4d76f497685eb941b8f4300daea71d1351967c10c397d8d885c50085b1ed6eadc0a48aab1e30f7aa5341ae06a0833798f8e

Download Submit
C:\Windows\System\cUvMtkt.exe

Filesize
2.2MB

MD5
47aecddcbd4eb547f6fdd6b2d6261a33

SHA1
d4925602789642bf76501fa49129d94cd3529224

SHA256
391a3e456193df7a47aefd84b371919308a0fecc806c029370287cb6af446dd6

SHA512
9313398397094bbb80df3b1a082e34dffd84fb80068202e0f39b78a930367c1fc5038d777af63df016d04a3a3f81d54e96961a3f422fe79c85e9385c319d7f80

Download Submit
C:\Windows\System\coVqFww.exe

Filesize
8B

MD5
7844449f1717b2590e53c215fcf07352

SHA1
79d0c9d199e3401234813cacf5dd2de0f53d76f4

SHA256
d54f9b9a769720c875f9b7152a74884a4a9e5a4d80da35d3f847cb8b30b14f4d

SHA512
08987ef45e3b930599e24a17bad53cfff0dadf3651ece3e5b0469612e6c0a9a6cc61ef278c49c769a425e8c5349976b197865ce68d78055e84972e2fe8a0851c

Download Submit
C:\Windows\System\fEaeQZK.exe

Filesize
2.2MB

MD5
3d5e8044486b87ca19f3c7e073fe742f

SHA1
c109e3dc37e81f81c5919cdd32bae7e6c8966656

SHA256
ca4a87a115a73c6a9e29bd532f1800f444255378d135de7df4625366da9c95d7

SHA512
4073b669bceb8efa329eb601e11c066e8523a20fedce62eb377cc1ff223d035ec18cfe10fd75754016040885198cf71d3b77dc4aef5991dc247d88eee00c8821

Download Submit
C:\Windows\System\iYemgYa.exe

Filesize
2.2MB

MD5
7087b73aba9473390057376019640468

SHA1
323cc214d47f72ab6b648fdfc04324ab11b9ada9

SHA256
af238510ee599720abd785c11b21f1f4497b1ae09acd246cd02b22e0dc8e9afa

SHA512
7051ba9a1aadca599ca9659040c4e07a44b77ef95fe0bd4d2b4b473376f70f012a9bd570e877cd5af4a6d9ad574ada860faae094e161b2fedbc983eb282b70b8

Download Submit
C:\Windows\System\jXdgUyC.exe

Filesize
2.2MB

MD5
602707bf6e5b307d0ffd200625aea757

SHA1
655fc0c91ee338eaad1766111773a6675bbd60ef

SHA256
296e1d92e96dda2aeb392f0c63f220ec3733cb4889e0efdb3a9bc1c2509423c2

SHA512
d688f7724bffba46c51c8929b067f6395646223920588ebe147e68bdf5fa370ae1d76cc10a5b54885d108395e80baa537a1e7cdbd5930783e2797504484b89b3

Download Submit
C:\Windows\System\mURmCVb.exe

Filesize
2.2MB

MD5
62c8bee8244895e76bc3b16a5430839c

SHA1
9c0a7e771f2c3586ffaf8274035fe9b88250b9e3

SHA256
2e93fe52c9b56ca80ef1f02c29b3d41e455ba1565b2e7ac950cc8d5a16317078

SHA512
20e28d33b5e59664e4d537aa0f0d8a87dcd81aa5dcfb4f8a639f12d150c3683ea2b54731a5b50fea6eac4ae2e9f0f03eb4f3d9fa66a0125ad548ef4125d962b6

Download Submit
C:\Windows\System\rMvLYEc.exe

Filesize
2.2MB

MD5
486029b4dd9befeaac6fe376f1b290f2

SHA1
125ca884727a0b50d5fc13a8bee0cb3a2e32e688

SHA256
b5a82ca4eabf7d7ee3fab4e49ecabf125477725e4d68814615b35a6ac367a33e

SHA512
d86c540c1a269d75512ed0a2e5bd8f795cbe067794e686e63122b9587fab15d221a925fd17286fbbedac9e2c7591280394c7ae4a863c896f4c85624f746a90d3

Download Submit
C:\Windows\System\rRvhowC.exe

Filesize
2.2MB

MD5
6bdc50139438410c1c972cceedd358e4

SHA1
00ab664e66482753470217cbb12e063c0d091d9a

SHA256
af6c214afb95846a27b4353d0290f5e48353f44761bcef353c8266f8f6e8c36f

SHA512
53b59fa0cb8e7af8838036bdc5384e95b3c43eb5a4f97e796b5ecd76af452b019cb75a188b595b63680b8d75bdfceb4a382bed18f29cb33d2cc491e624f620ba

Download Submit
C:\Windows\System\tJUIxDN.exe

Filesize
2.2MB

MD5
1e0aa7e0b53cbb95d392bd3226d23096

SHA1
0e78f987cc92ed9e4ff3e93231ee5da3e748adae

SHA256
e7ea6cb23bbcca94822af3b7e35f7e86a6aaafa5072a63e10eee74540cf9fac1

SHA512
7fd8fb037b9bf95c5fdc41f0a4c5ba5dc9072f34b8766304ca99c5fa475bb1b43aa76a8e6dc2f284ac923094d422983fb7e98475fb6ab0e79fed8179d3b8fc76

Download Submit
C:\Windows\System\tSrcFNO.exe

Filesize
2.2MB

MD5
20242a9b291d1f7f67973a2b6c0b1e63

SHA1
7d7cb7a7f6a6903a9e58e9563b5e82bfc9a9fd19

SHA256
b1245f93b1ad34e2189fc23f61845e89cee116bf6b5d7127522d7b4e28111a28

SHA512
c7fb5b9358b83b0f139bf4cd1b7f54aade61f331591e35c164682dfdef93001e773bb32ed9b62063b2475255ec9a963465d2948d171f2e273621ba58c1950945

Download Submit
C:\Windows\System\uFwTCdU.exe

Filesize
2.2MB

MD5
b1dce48913285f90dc54bdbb9d637897

SHA1
1c713982d1ac84b0635e6cc76ae8c5c9de9043eb

SHA256
0eb4a89cb709e8910c50f43b3d4dddf4edee4d70a2274a470c28112563aceafd

SHA512
2238c870c1f0f8ea204b343a08960a23d2c319d23b1d76d6a5c782c2fc852868297a31260e8ae7dc00e6793e1c98d216d1afdeeddc3ec6348164a159c59934ea

Download Submit
C:\Windows\System\uUAUjZm.exe

Filesize
2.2MB

MD5
63aa72e61535b9b0ca1d6e59b6d98cea

SHA1
3248335a949ef03e3ea4c36190e112750b2b699e

SHA256
6c2b9bb0c0192763d174e5299ffb5f2b445526f7b601252e5886ff835301e378

SHA512
5c832732f063d6b9b874788e3fe4f65f122077fe5b4861c094933644bec49b1f35aa88e5909ae312e839c2244f72389d4c64d88392d4a115c5a92b8cea98a7f9

Download Submit
C:\Windows\System\uwLOapn.exe

Filesize
2.2MB

MD5
17674c5877bf7ce8385f280d337b57c0

SHA1
282bf0b02a69f0730fcb4aee16affa42f850c93b

SHA256
50ec1a7b2a91ef1d25fd9c4378ede7639ddeaf0bbe517d5d8303d99d2683e7d0

SHA512
8159874efc3477acdf0af65a987ab57eab3ceb799b22badfe15b6893eb01d2e5a9afc2db6c3c7f021eefb57d4715f8059dc3d23aa6af9a84f54c2c7dab81f234

Download Submit
C:\Windows\System\vtwPXlr.exe

Filesize
2.2MB

MD5
2493fdf2e406d55d8e9190266e3e6477

SHA1
62eb8dfb773058e2dfd1cabe0f0866534852c468

SHA256
ae017fba09e5d22c671d06fb9259e70ff73a840bb8b3b67d001a6d19e67a677a

SHA512
25aacfee17a3f4cb62c1f7bb85157765f0c406c5e11f4cb443d1f15add254492bd07266225a1b9ac764934b86f53994d75c33844818325231d2e861ae3b65625

Download Submit
C:\Windows\System\waapcFx.exe

Filesize
2.2MB

MD5
48b0601180f253e7d7d655b791dceffc

SHA1
3ac0e722f20d33913041048ce1afde47ef76e16c

SHA256
f6af9699dad140ec33646a26b327aeb29ce9282217e1e9a3aa3c093f5c25760b

SHA512
bccdb0d9b774e0dc11dda1cbf5c1d9ff60c438ca3c2afd299239bb90c99f181c76f36e4a3b060e0ec3ab66c808e9e2dc10a374ab20484820437a8ae3746cfa43

Download Submit
C:\Windows\System\xFJgpIu.exe

Filesize
2.2MB

MD5
8f14c110f0bff2c45c53caacda533c6e

SHA1
c68cf1b2236a5c175283781a934ee8dc4d6e53b7

SHA256
84e33ab5f3c09ac9122b1ce30f12771c0cef15f8d3ae7ab4546cebae3ee86701

SHA512
6850d943604bed14f33be6d6aaa3de49361ad878cfd3085cdb7f4b1a402fffc92506c64276587312e8595eabb1f80dfd9cab137204d738e5c21cf53d7489a920

Download Submit
C:\Windows\System\xpbmrPx.exe

Filesize
2.2MB

MD5
08e1ca7c78b57be5373d6a9ea54a6ffb

SHA1
2ab604309eed28239769336f3fb53ede476de1cd

SHA256
822856f067bc7a6e1aaa2eb186213f8667ae975b6183f1859459abfe3506a060

SHA512
8fd8209fea033987ce85437725e631ff836139238d91f6e0e93381a7f4145144ac70f765ddc7aee6e4212308d085f07225e71927e0fe899d4c7702e729b4ee5a

Download Submit
memory/468-1-0x000001BD6FD00000-0x000001BD6FD10000-memory.dmp

Filesize
64KB

Download
memory/468-0-0x00007FF6A8250000-0x00007FF6A8642000-memory.dmp

Filesize
3.9MB

Download
memory/748-2641-0x00007FF7B78E0000-0x00007FF7B7CD2000-memory.dmp

Filesize
3.9MB

Download
memory/748-84-0x00007FF7B78E0000-0x00007FF7B7CD2000-memory.dmp

Filesize
3.9MB

Download
memory/1236-100-0x00007FF6F5240000-0x00007FF6F5632000-memory.dmp

Filesize
3.9MB

Download
memory/1236-2651-0x00007FF6F5240000-0x00007FF6F5632000-memory.dmp

Filesize
3.9MB

Download
memory/1240-2647-0x00007FF74C320000-0x00007FF74C712000-memory.dmp

Filesize
3.9MB

Download
memory/1240-104-0x00007FF74C320000-0x00007FF74C712000-memory.dmp

Filesize
3.9MB

Download
memory/1300-43-0x00007FF61FF20000-0x00007FF620312000-memory.dmp

Filesize
3.9MB

Download
memory/1300-2631-0x00007FF61FF20000-0x00007FF620312000-memory.dmp

Filesize
3.9MB

Download
memory/1480-2655-0x00007FF7A21A0000-0x00007FF7A2592000-memory.dmp

Filesize
3.9MB

Download
memory/1480-636-0x00007FF7A21A0000-0x00007FF7A2592000-memory.dmp

Filesize
3.9MB

Download
memory/1532-80-0x000001E3BEBD0000-0x000001E3BEBF2000-memory.dmp

Filesize
136KB

Download
memory/1532-21-0x00007FFF86930000-0x00007FFF873F1000-memory.dmp

Filesize
10.8MB

Download
memory/1532-22-0x000001E3A49F0000-0x000001E3A4A00000-memory.dmp

Filesize
64KB

Download
memory/1544-2649-0x00007FF68D200000-0x00007FF68D5F2000-memory.dmp

Filesize
3.9MB

Download
memory/1544-642-0x00007FF68D200000-0x00007FF68D5F2000-memory.dmp

Filesize
3.9MB

Download
memory/1676-2621-0x00007FF608D40000-0x00007FF609132000-memory.dmp

Filesize
3.9MB

Download
memory/1676-71-0x00007FF608D40000-0x00007FF609132000-memory.dmp

Filesize
3.9MB

Download
memory/1676-2639-0x00007FF608D40000-0x00007FF609132000-memory.dmp

Filesize
3.9MB

Download
memory/1788-25-0x00007FF7A7B10000-0x00007FF7A7F02000-memory.dmp

Filesize
3.9MB

Download
memory/1788-2625-0x00007FF7A7B10000-0x00007FF7A7F02000-memory.dmp

Filesize
3.9MB

Download
memory/2160-2622-0x00007FF6C5560000-0x00007FF6C5952000-memory.dmp

Filesize
3.9MB

Download
memory/2160-96-0x00007FF6C5560000-0x00007FF6C5952000-memory.dmp

Filesize
3.9MB

Download
memory/2160-2645-0x00007FF6C5560000-0x00007FF6C5952000-memory.dmp

Filesize
3.9MB

Download
memory/2176-90-0x00007FF6A7B90000-0x00007FF6A7F82000-memory.dmp

Filesize
3.9MB

Download
memory/2176-2635-0x00007FF6A7B90000-0x00007FF6A7F82000-memory.dmp

Filesize
3.9MB

Download
memory/2392-2653-0x00007FF6BCC90000-0x00007FF6BD082000-memory.dmp

Filesize
3.9MB

Download
memory/2392-660-0x00007FF6BCC90000-0x00007FF6BD082000-memory.dmp

Filesize
3.9MB

Download
memory/3084-40-0x00007FF7BBCC0000-0x00007FF7BC0B2000-memory.dmp

Filesize
3.9MB

Download
memory/3084-2629-0x00007FF7BBCC0000-0x00007FF7BC0B2000-memory.dmp

Filesize
3.9MB

Download
memory/3120-2633-0x00007FF7B8EF0000-0x00007FF7B92E2000-memory.dmp

Filesize
3.9MB

Download
memory/3120-74-0x00007FF7B8EF0000-0x00007FF7B92E2000-memory.dmp

Filesize
3.9MB

Download
memory/4148-97-0x00007FF7AD040000-0x00007FF7AD432000-memory.dmp

Filesize
3.9MB

Download
memory/4148-2658-0x00007FF7AD040000-0x00007FF7AD432000-memory.dmp

Filesize
3.9MB

Download
memory/4276-2627-0x00007FF6E9D00000-0x00007FF6EA0F2000-memory.dmp

Filesize
3.9MB

Download
memory/4276-34-0x00007FF6E9D00000-0x00007FF6EA0F2000-memory.dmp

Filesize
3.9MB

Download
memory/4736-2661-0x00007FF717D90000-0x00007FF718182000-memory.dmp

Filesize
3.9MB

Download
memory/4736-620-0x00007FF717D90000-0x00007FF718182000-memory.dmp

Filesize
3.9MB

Download
memory/4812-79-0x00007FF63C2A0000-0x00007FF63C692000-memory.dmp

Filesize
3.9MB

Download
memory/4812-2637-0x00007FF63C2A0000-0x00007FF63C692000-memory.dmp

Filesize
3.9MB

Download
memory/4848-673-0x00007FF6635D0000-0x00007FF6639C2000-memory.dmp

Filesize
3.9MB

Download
memory/4848-2666-0x00007FF6635D0000-0x00007FF6639C2000-memory.dmp

Filesize
3.9MB

Download
memory/4908-632-0x00007FF623590000-0x00007FF623982000-memory.dmp

Filesize
3.9MB

Download
memory/4908-2659-0x00007FF623590000-0x00007FF623982000-memory.dmp

Filesize
3.9MB

Download
memory/4932-103-0x00007FF650E10000-0x00007FF651202000-memory.dmp

Filesize
3.9MB

Download
memory/4932-2670-0x00007FF650E10000-0x00007FF651202000-memory.dmp

Filesize
3.9MB

Download
memory/4940-2643-0x00007FF648350000-0x00007FF648742000-memory.dmp

Filesize
3.9MB

Download
memory/4940-60-0x00007FF648350000-0x00007FF648742000-memory.dmp

Filesize
3.9MB

Download