xmrig | 904a878e7b0a066e0bf9ba76400a35c9d18aa5d2d7cb9a3bcc115a11298479a2

Analysis

max time kernel
104s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-04-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
Size

1.9MB
MD5

03c7e7e8016bcb72c69cf85052f2a180
SHA1

d845d9e1408e2507176df706e99aa7fe84b7f0c0
SHA256

904a878e7b0a066e0bf9ba76400a35c9d18aa5d2d7cb9a3bcc115a11298479a2
SHA512

2f0c0454cc3e384301f9a0416f17106e4223796b848a2d38da8c1d95b8f4ebf37895ee56bf48054a30ebe873573d01ce87e85a1b90a94c7fa8a2f5e31f3b9d74
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82SflDrl/S:NABH

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1080-30-0x00007FF79CB50000-0x00007FF79CF42000-memory.dmp	xmrig
behavioral2/memory/456-85-0x00007FF67ED00000-0x00007FF67F0F2000-memory.dmp	xmrig
behavioral2/memory/3500-94-0x00007FF6110B0000-0x00007FF6114A2000-memory.dmp	xmrig
behavioral2/memory/2372-335-0x00007FF61CDD0000-0x00007FF61D1C2000-memory.dmp	xmrig
behavioral2/memory/1584-354-0x00007FF7D5500000-0x00007FF7D58F2000-memory.dmp	xmrig
behavioral2/memory/1048-357-0x00007FF64DF80000-0x00007FF64E372000-memory.dmp	xmrig
behavioral2/memory/4112-362-0x00007FF71B600000-0x00007FF71B9F2000-memory.dmp	xmrig
behavioral2/memory/5004-353-0x00007FF78AE50000-0x00007FF78B242000-memory.dmp	xmrig
behavioral2/memory/3960-346-0x00007FF67A100000-0x00007FF67A4F2000-memory.dmp	xmrig
behavioral2/memory/4708-327-0x00007FF719520000-0x00007FF719912000-memory.dmp	xmrig
behavioral2/memory/2144-101-0x00007FF672E00000-0x00007FF6731F2000-memory.dmp	xmrig
behavioral2/memory/1240-98-0x00007FF64CD00000-0x00007FF64D0F2000-memory.dmp	xmrig
behavioral2/memory/424-97-0x00007FF612080000-0x00007FF612472000-memory.dmp	xmrig
behavioral2/memory/1608-93-0x00007FF629E40000-0x00007FF62A232000-memory.dmp	xmrig
behavioral2/memory/2668-88-0x00007FF6112D0000-0x00007FF6116C2000-memory.dmp	xmrig
behavioral2/memory/4996-74-0x00007FF720AC0000-0x00007FF720EB2000-memory.dmp	xmrig
behavioral2/memory/2104-62-0x00007FF76D040000-0x00007FF76D432000-memory.dmp	xmrig
behavioral2/memory/3888-28-0x00007FF640370000-0x00007FF640762000-memory.dmp	xmrig
behavioral2/memory/920-2608-0x00007FF7C4BD0000-0x00007FF7C4FC2000-memory.dmp	xmrig
behavioral2/memory/1544-2609-0x00007FF720300000-0x00007FF7206F2000-memory.dmp	xmrig
behavioral2/memory/2308-2610-0x00007FF7D3C00000-0x00007FF7D3FF2000-memory.dmp	xmrig
behavioral2/memory/1080-2665-0x00007FF79CB50000-0x00007FF79CF42000-memory.dmp	xmrig
behavioral2/memory/3888-2667-0x00007FF640370000-0x00007FF640762000-memory.dmp	xmrig
behavioral2/memory/2104-2669-0x00007FF76D040000-0x00007FF76D432000-memory.dmp	xmrig
behavioral2/memory/920-2671-0x00007FF7C4BD0000-0x00007FF7C4FC2000-memory.dmp	xmrig
behavioral2/memory/1544-2673-0x00007FF720300000-0x00007FF7206F2000-memory.dmp	xmrig
behavioral2/memory/1608-2675-0x00007FF629E40000-0x00007FF62A232000-memory.dmp	xmrig
behavioral2/memory/4996-2677-0x00007FF720AC0000-0x00007FF720EB2000-memory.dmp	xmrig
behavioral2/memory/456-2679-0x00007FF67ED00000-0x00007FF67F0F2000-memory.dmp	xmrig
behavioral2/memory/2668-2681-0x00007FF6112D0000-0x00007FF6116C2000-memory.dmp	xmrig
behavioral2/memory/424-2685-0x00007FF612080000-0x00007FF612472000-memory.dmp	xmrig
behavioral2/memory/3500-2687-0x00007FF6110B0000-0x00007FF6114A2000-memory.dmp	xmrig
behavioral2/memory/1240-2683-0x00007FF64CD00000-0x00007FF64D0F2000-memory.dmp	xmrig
behavioral2/memory/2308-2691-0x00007FF7D3C00000-0x00007FF7D3FF2000-memory.dmp	xmrig
behavioral2/memory/2144-2690-0x00007FF672E00000-0x00007FF6731F2000-memory.dmp	xmrig
behavioral2/memory/4708-2693-0x00007FF719520000-0x00007FF719912000-memory.dmp	xmrig
behavioral2/memory/2372-2695-0x00007FF61CDD0000-0x00007FF61D1C2000-memory.dmp	xmrig
behavioral2/memory/3960-2697-0x00007FF67A100000-0x00007FF67A4F2000-memory.dmp	xmrig
behavioral2/memory/5004-2699-0x00007FF78AE50000-0x00007FF78B242000-memory.dmp	xmrig
behavioral2/memory/1584-2701-0x00007FF7D5500000-0x00007FF7D58F2000-memory.dmp	xmrig
behavioral2/memory/4112-2710-0x00007FF71B600000-0x00007FF71B9F2000-memory.dmp	xmrig
behavioral2/memory/1048-2708-0x00007FF64DF80000-0x00007FF64E372000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

3 2076 powershell.exe
5 2076 powershell.exe

flow	pid	process
3	2076	powershell.exe
5	2076	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

EPzdxmJ.exelEphIFM.exeNLmhtHW.exeGaDeUOV.exeFCIlfiz.exePpQLMbf.exeaLVJRel.exekniHjbz.exeMZBDbbn.exeYCWAzCK.exeYCQPCkW.exeoJKZSaj.exexlaKyRL.exeiMwOmKV.exeDJSRmCJ.exeuqbIoDo.exeILxUQZF.exeoctEPVJ.exeihFXJbC.exeSrKvmVn.exeZvONovo.exedtAAipU.exeNPFhJtL.exenkRiAVH.exejSBHmVm.exepdYcMdK.exeuWZnljm.exeZjuDlfz.exeRllVBWv.exegevnQJc.exeEGLkfBq.exedJwAbiB.exeKcDVBgi.exezQlwXPb.exeRJrOYjV.exeRwcUjTt.exesFaXCeW.exekFKhBGU.exeQaBgSKa.exeMLUtovq.exesWHvpHa.exeZPsUxhc.exezEVFhGx.execocwQFb.exewxtPVCw.exexEvPYbG.exexewRAKe.exeeJOHVru.exeaCihzoy.exebAYIqay.exeTNzCBDg.exeSsStims.exeyWRcpSb.exeBzvCewk.exeBXZNMVK.exeXsrhVBQ.exeSXVeist.exeLpilbuL.exexWaMUHI.exelemBfVQ.exejdonHqO.exeeYJwEDu.exelIVltdz.exejHFcuUK.exe

pid	process
1080	EPzdxmJ.exe
3888	lEphIFM.exe
920	NLmhtHW.exe
1544	GaDeUOV.exe
2104	FCIlfiz.exe
1608	PpQLMbf.exe
4996	aLVJRel.exe
456	kniHjbz.exe
2668	MZBDbbn.exe
3500	YCWAzCK.exe
424	YCQPCkW.exe
1240	oJKZSaj.exe
2308	xlaKyRL.exe
2144	iMwOmKV.exe
4708	DJSRmCJ.exe
2372	uqbIoDo.exe
3960	ILxUQZF.exe
5004	octEPVJ.exe
1584	ihFXJbC.exe
1048	SrKvmVn.exe
4112	ZvONovo.exe
1476	dtAAipU.exe
1612	NPFhJtL.exe
2316	nkRiAVH.exe
1744	jSBHmVm.exe
4504	pdYcMdK.exe
3228	uWZnljm.exe
4104	ZjuDlfz.exe
1036	RllVBWv.exe
1120	gevnQJc.exe
2576	EGLkfBq.exe
916	dJwAbiB.exe
3648	KcDVBgi.exe
1592	zQlwXPb.exe
4752	RJrOYjV.exe
388	RwcUjTt.exe
3424	sFaXCeW.exe
4672	kFKhBGU.exe
3576	QaBgSKa.exe
572	MLUtovq.exe
4028	sWHvpHa.exe
1160	ZPsUxhc.exe
4644	zEVFhGx.exe
3276	cocwQFb.exe
4512	wxtPVCw.exe
2236	xEvPYbG.exe
4964	xewRAKe.exe
2352	eJOHVru.exe
4832	aCihzoy.exe
3852	bAYIqay.exe
1772	TNzCBDg.exe
2832	SsStims.exe
4588	yWRcpSb.exe
1132	BzvCewk.exe
3704	BXZNMVK.exe
3620	XsrhVBQ.exe
1932	SXVeist.exe
4144	LpilbuL.exe
1964	xWaMUHI.exe
2940	lemBfVQ.exe
4088	jdonHqO.exe
3968	eYJwEDu.exe
3132	lIVltdz.exe
3824	jHFcuUK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1792-0-0x00007FF782DD0000-0x00007FF7831C2000-memory.dmp	upx
C:\Windows\System\EPzdxmJ.exe	upx
C:\Windows\System\lEphIFM.exe	upx
C:\Windows\System\NLmhtHW.exe	upx
behavioral2/memory/1080-30-0x00007FF79CB50000-0x00007FF79CF42000-memory.dmp	upx
C:\Windows\System\kniHjbz.exe	upx
C:\Windows\System\MZBDbbn.exe	upx
C:\Windows\System\YCWAzCK.exe	upx
C:\Windows\System\YCQPCkW.exe	upx
behavioral2/memory/456-85-0x00007FF67ED00000-0x00007FF67F0F2000-memory.dmp	upx
behavioral2/memory/2308-92-0x00007FF7D3C00000-0x00007FF7D3FF2000-memory.dmp	upx
behavioral2/memory/3500-94-0x00007FF6110B0000-0x00007FF6114A2000-memory.dmp	upx
C:\Windows\System\DJSRmCJ.exe	upx
C:\Windows\System\ILxUQZF.exe	upx
C:\Windows\System\dtAAipU.exe	upx
C:\Windows\System\nkRiAVH.exe	upx
C:\Windows\System\uWZnljm.exe	upx
C:\Windows\System\gevnQJc.exe	upx
behavioral2/memory/2372-335-0x00007FF61CDD0000-0x00007FF61D1C2000-memory.dmp	upx
behavioral2/memory/1584-354-0x00007FF7D5500000-0x00007FF7D58F2000-memory.dmp	upx
behavioral2/memory/1048-357-0x00007FF64DF80000-0x00007FF64E372000-memory.dmp	upx
behavioral2/memory/4112-362-0x00007FF71B600000-0x00007FF71B9F2000-memory.dmp	upx
behavioral2/memory/5004-353-0x00007FF78AE50000-0x00007FF78B242000-memory.dmp	upx
behavioral2/memory/3960-346-0x00007FF67A100000-0x00007FF67A4F2000-memory.dmp	upx
behavioral2/memory/4708-327-0x00007FF719520000-0x00007FF719912000-memory.dmp	upx
C:\Windows\System\KcDVBgi.exe	upx
C:\Windows\System\EGLkfBq.exe	upx
C:\Windows\System\dJwAbiB.exe	upx
C:\Windows\System\RllVBWv.exe	upx
C:\Windows\System\ZjuDlfz.exe	upx
C:\Windows\System\pdYcMdK.exe	upx
C:\Windows\System\jSBHmVm.exe	upx
C:\Windows\System\NPFhJtL.exe	upx
C:\Windows\System\ZvONovo.exe	upx
C:\Windows\System\SrKvmVn.exe	upx
C:\Windows\System\ihFXJbC.exe	upx
C:\Windows\System\octEPVJ.exe	upx
C:\Windows\System\uqbIoDo.exe	upx
behavioral2/memory/2144-101-0x00007FF672E00000-0x00007FF6731F2000-memory.dmp	upx
behavioral2/memory/1240-98-0x00007FF64CD00000-0x00007FF64D0F2000-memory.dmp	upx
behavioral2/memory/424-97-0x00007FF612080000-0x00007FF612472000-memory.dmp	upx
behavioral2/memory/1608-93-0x00007FF629E40000-0x00007FF62A232000-memory.dmp	upx
C:\Windows\System\iMwOmKV.exe	upx
C:\Windows\System\xlaKyRL.exe	upx
behavioral2/memory/2668-88-0x00007FF6112D0000-0x00007FF6116C2000-memory.dmp	upx
C:\Windows\System\oJKZSaj.exe	upx
behavioral2/memory/4996-74-0x00007FF720AC0000-0x00007FF720EB2000-memory.dmp	upx
C:\Windows\System\aLVJRel.exe	upx
C:\Windows\System\PpQLMbf.exe	upx
behavioral2/memory/2104-62-0x00007FF76D040000-0x00007FF76D432000-memory.dmp	upx
C:\Windows\System\GaDeUOV.exe	upx
behavioral2/memory/1544-45-0x00007FF720300000-0x00007FF7206F2000-memory.dmp	upx
C:\Windows\System\FCIlfiz.exe	upx
behavioral2/memory/920-37-0x00007FF7C4BD0000-0x00007FF7C4FC2000-memory.dmp	upx
behavioral2/memory/3888-28-0x00007FF640370000-0x00007FF640762000-memory.dmp	upx
behavioral2/memory/920-2608-0x00007FF7C4BD0000-0x00007FF7C4FC2000-memory.dmp	upx
behavioral2/memory/1544-2609-0x00007FF720300000-0x00007FF7206F2000-memory.dmp	upx
behavioral2/memory/2308-2610-0x00007FF7D3C00000-0x00007FF7D3FF2000-memory.dmp	upx
behavioral2/memory/1080-2665-0x00007FF79CB50000-0x00007FF79CF42000-memory.dmp	upx
behavioral2/memory/3888-2667-0x00007FF640370000-0x00007FF640762000-memory.dmp	upx
behavioral2/memory/2104-2669-0x00007FF76D040000-0x00007FF76D432000-memory.dmp	upx
behavioral2/memory/920-2671-0x00007FF7C4BD0000-0x00007FF7C4FC2000-memory.dmp	upx
behavioral2/memory/1544-2673-0x00007FF720300000-0x00007FF7206F2000-memory.dmp	upx
behavioral2/memory/1608-2675-0x00007FF629E40000-0x00007FF62A232000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
3 raw.githubusercontent.com

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

Processes:

03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\System\sAXgHqQ.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\qFNhSoK.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\RIdfIZZ.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\hphsbhW.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\FfSBPGO.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\dlxQglf.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\QtfhCnE.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\xwSukKs.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\sazWwMd.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\sEcKDVU.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\EuwfQuO.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\KNBUsGS.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\RphSDDK.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\VsrjsEK.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\ZYWsClU.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\WWwDZii.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\VSnroWp.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\UXsggxN.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\nfohsiF.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\fnFwYWH.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\ywXQpQv.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\RQauZuC.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\Zvheuzo.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\rhgRyCL.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\GJmspTX.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\IamFUrN.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\QdRZetz.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\VtvqSwI.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\PqGxKYu.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\GNLUYiy.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\YllRteP.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\AvgfXZB.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\oYJbNYP.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\vKAisxl.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\WoSlEml.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\yPADulo.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\yqfNECy.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\QcnLYsq.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\bBwEzLD.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\pPaOMWF.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\XsjhGEX.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\BnfzGXc.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\rCmgujf.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\kfDPoLA.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\CAfuZnK.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\qaRdBJu.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\qFAgaxO.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\SaHYWYj.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\gnCIkcX.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\lMsKEHq.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\BHOgDYh.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\qblvRSV.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\GbPSjyZ.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\SsStims.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\cJkiDTA.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\wzgbfTv.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\dkgguZg.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\fnHJGLN.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\IIWbtZH.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\brMKfhV.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\SlTQMNV.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\wRDMiiN.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\RcCAaKg.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
File created	C:\Windows\System\MyvoQQW.exe	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exedwm.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2076 powershell.exe
2076 powershell.exe

pid	process
2076	powershell.exe
2076	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exepowershell.exedwm.exe

description	pid	process
Token: SeLockMemoryPrivilege	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeLockMemoryPrivilege	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3404	dwm.exe
Token: SeChangeNotifyPrivilege	3404	dwm.exe
Token: 33	3404	dwm.exe
Token: SeIncBasePriorityPrivilege	3404	dwm.exe
Token: SeShutdownPrivilege	3404	dwm.exe
Token: SeCreatePagefilePrivilege	3404	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe

description	pid	process	target process
PID 1792 wrote to memory of 2076	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	powershell.exe
PID 1792 wrote to memory of 2076	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	powershell.exe
PID 1792 wrote to memory of 1080	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	EPzdxmJ.exe
PID 1792 wrote to memory of 1080	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	EPzdxmJ.exe
PID 1792 wrote to memory of 3888	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	lEphIFM.exe
PID 1792 wrote to memory of 3888	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	lEphIFM.exe
PID 1792 wrote to memory of 920	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	NLmhtHW.exe
PID 1792 wrote to memory of 920	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	NLmhtHW.exe
PID 1792 wrote to memory of 1544	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	GaDeUOV.exe
PID 1792 wrote to memory of 1544	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	GaDeUOV.exe
PID 1792 wrote to memory of 2104	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	FCIlfiz.exe
PID 1792 wrote to memory of 2104	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	FCIlfiz.exe
PID 1792 wrote to memory of 1608	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	PpQLMbf.exe
PID 1792 wrote to memory of 1608	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	PpQLMbf.exe
PID 1792 wrote to memory of 4996	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	aLVJRel.exe
PID 1792 wrote to memory of 4996	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	aLVJRel.exe
PID 1792 wrote to memory of 456	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	kniHjbz.exe
PID 1792 wrote to memory of 456	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	kniHjbz.exe
PID 1792 wrote to memory of 2668	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	MZBDbbn.exe
PID 1792 wrote to memory of 2668	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	MZBDbbn.exe
PID 1792 wrote to memory of 3500	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	YCWAzCK.exe
PID 1792 wrote to memory of 3500	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	YCWAzCK.exe
PID 1792 wrote to memory of 424	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	YCQPCkW.exe
PID 1792 wrote to memory of 424	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	YCQPCkW.exe
PID 1792 wrote to memory of 1240	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	oJKZSaj.exe
PID 1792 wrote to memory of 1240	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	oJKZSaj.exe
PID 1792 wrote to memory of 2308	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	xlaKyRL.exe
PID 1792 wrote to memory of 2308	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	xlaKyRL.exe
PID 1792 wrote to memory of 2144	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	iMwOmKV.exe
PID 1792 wrote to memory of 2144	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	iMwOmKV.exe
PID 1792 wrote to memory of 4708	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	DJSRmCJ.exe
PID 1792 wrote to memory of 4708	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	DJSRmCJ.exe
PID 1792 wrote to memory of 2372	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	uqbIoDo.exe
PID 1792 wrote to memory of 2372	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	uqbIoDo.exe
PID 1792 wrote to memory of 3960	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	ILxUQZF.exe
PID 1792 wrote to memory of 3960	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	ILxUQZF.exe
PID 1792 wrote to memory of 5004	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	octEPVJ.exe
PID 1792 wrote to memory of 5004	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	octEPVJ.exe
PID 1792 wrote to memory of 1584	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	ihFXJbC.exe
PID 1792 wrote to memory of 1584	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	ihFXJbC.exe
PID 1792 wrote to memory of 1048	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	SrKvmVn.exe
PID 1792 wrote to memory of 1048	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	SrKvmVn.exe
PID 1792 wrote to memory of 4112	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	ZvONovo.exe
PID 1792 wrote to memory of 4112	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	ZvONovo.exe
PID 1792 wrote to memory of 1476	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	dtAAipU.exe
PID 1792 wrote to memory of 1476	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	dtAAipU.exe
PID 1792 wrote to memory of 1612	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	NPFhJtL.exe
PID 1792 wrote to memory of 1612	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	NPFhJtL.exe
PID 1792 wrote to memory of 2316	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	nkRiAVH.exe
PID 1792 wrote to memory of 2316	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	nkRiAVH.exe
PID 1792 wrote to memory of 1744	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	jSBHmVm.exe
PID 1792 wrote to memory of 1744	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	jSBHmVm.exe
PID 1792 wrote to memory of 4504	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	pdYcMdK.exe
PID 1792 wrote to memory of 4504	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	pdYcMdK.exe
PID 1792 wrote to memory of 3228	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	uWZnljm.exe
PID 1792 wrote to memory of 3228	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	uWZnljm.exe
PID 1792 wrote to memory of 4104	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	ZjuDlfz.exe
PID 1792 wrote to memory of 4104	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	ZjuDlfz.exe
PID 1792 wrote to memory of 1036	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	RllVBWv.exe
PID 1792 wrote to memory of 1036	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	RllVBWv.exe
PID 1792 wrote to memory of 1120	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	gevnQJc.exe
PID 1792 wrote to memory of 1120	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	gevnQJc.exe
PID 1792 wrote to memory of 2576	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	EGLkfBq.exe
PID 1792 wrote to memory of 2576	1792	03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe	EGLkfBq.exe

C:\Users\Admin\AppData\Local\Temp\03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\03c7e7e8016bcb72c69cf85052f2a180_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2076" "2964" "2900" "2968" "0" "0" "2972" "0" "0" "0" "0" "0"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:12716

C:\Windows\System\EPzdxmJ.exe
C:\Windows\System\EPzdxmJ.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\System\lEphIFM.exe
C:\Windows\System\lEphIFM.exe
2⤵
- Executes dropped EXE
PID:3888

C:\Windows\System\NLmhtHW.exe
C:\Windows\System\NLmhtHW.exe
2⤵
- Executes dropped EXE
PID:920

C:\Windows\System\GaDeUOV.exe
C:\Windows\System\GaDeUOV.exe
2⤵
- Executes dropped EXE
PID:1544

C:\Windows\System\FCIlfiz.exe
C:\Windows\System\FCIlfiz.exe
2⤵
- Executes dropped EXE
PID:2104

C:\Windows\System\PpQLMbf.exe
C:\Windows\System\PpQLMbf.exe
2⤵
- Executes dropped EXE
PID:1608

C:\Windows\System\aLVJRel.exe
C:\Windows\System\aLVJRel.exe
2⤵
- Executes dropped EXE
PID:4996

C:\Windows\System\kniHjbz.exe
C:\Windows\System\kniHjbz.exe
2⤵
- Executes dropped EXE
PID:456

C:\Windows\System\MZBDbbn.exe
C:\Windows\System\MZBDbbn.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\YCWAzCK.exe
C:\Windows\System\YCWAzCK.exe
2⤵
- Executes dropped EXE
PID:3500

C:\Windows\System\YCQPCkW.exe
C:\Windows\System\YCQPCkW.exe
2⤵
- Executes dropped EXE
PID:424

C:\Windows\System\oJKZSaj.exe
C:\Windows\System\oJKZSaj.exe
2⤵
- Executes dropped EXE
PID:1240

C:\Windows\System\xlaKyRL.exe
C:\Windows\System\xlaKyRL.exe
2⤵
- Executes dropped EXE
PID:2308

C:\Windows\System\iMwOmKV.exe
C:\Windows\System\iMwOmKV.exe
2⤵
- Executes dropped EXE
PID:2144

C:\Windows\System\DJSRmCJ.exe
C:\Windows\System\DJSRmCJ.exe
2⤵
- Executes dropped EXE
PID:4708

C:\Windows\System\uqbIoDo.exe
C:\Windows\System\uqbIoDo.exe
2⤵
- Executes dropped EXE
PID:2372

C:\Windows\System\ILxUQZF.exe
C:\Windows\System\ILxUQZF.exe
2⤵
- Executes dropped EXE
PID:3960

C:\Windows\System\octEPVJ.exe
C:\Windows\System\octEPVJ.exe
2⤵
- Executes dropped EXE
PID:5004

C:\Windows\System\ihFXJbC.exe
C:\Windows\System\ihFXJbC.exe
2⤵
- Executes dropped EXE
PID:1584

C:\Windows\System\SrKvmVn.exe
C:\Windows\System\SrKvmVn.exe
2⤵
- Executes dropped EXE
PID:1048

C:\Windows\System\ZvONovo.exe
C:\Windows\System\ZvONovo.exe
2⤵
- Executes dropped EXE
PID:4112

C:\Windows\System\dtAAipU.exe
C:\Windows\System\dtAAipU.exe
2⤵
- Executes dropped EXE
PID:1476

C:\Windows\System\NPFhJtL.exe
C:\Windows\System\NPFhJtL.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System\nkRiAVH.exe
C:\Windows\System\nkRiAVH.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\System\jSBHmVm.exe
C:\Windows\System\jSBHmVm.exe
2⤵
- Executes dropped EXE
PID:1744

C:\Windows\System\pdYcMdK.exe
C:\Windows\System\pdYcMdK.exe
2⤵
- Executes dropped EXE
PID:4504

C:\Windows\System\uWZnljm.exe
C:\Windows\System\uWZnljm.exe
2⤵
- Executes dropped EXE
PID:3228

C:\Windows\System\ZjuDlfz.exe
C:\Windows\System\ZjuDlfz.exe
2⤵
- Executes dropped EXE
PID:4104

C:\Windows\System\RllVBWv.exe
C:\Windows\System\RllVBWv.exe
2⤵
- Executes dropped EXE
PID:1036

C:\Windows\System\gevnQJc.exe
C:\Windows\System\gevnQJc.exe
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\System\EGLkfBq.exe
C:\Windows\System\EGLkfBq.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\System\dJwAbiB.exe
C:\Windows\System\dJwAbiB.exe
2⤵
- Executes dropped EXE
PID:916

C:\Windows\System\KcDVBgi.exe
C:\Windows\System\KcDVBgi.exe
2⤵
- Executes dropped EXE
PID:3648

C:\Windows\System\zQlwXPb.exe
C:\Windows\System\zQlwXPb.exe
2⤵
- Executes dropped EXE
PID:1592

C:\Windows\System\RJrOYjV.exe
C:\Windows\System\RJrOYjV.exe
2⤵
- Executes dropped EXE
PID:4752

C:\Windows\System\RwcUjTt.exe
C:\Windows\System\RwcUjTt.exe
2⤵
- Executes dropped EXE
PID:388

C:\Windows\System\sFaXCeW.exe
C:\Windows\System\sFaXCeW.exe
2⤵
- Executes dropped EXE
PID:3424

C:\Windows\System\kFKhBGU.exe
C:\Windows\System\kFKhBGU.exe
2⤵
- Executes dropped EXE
PID:4672

C:\Windows\System\QaBgSKa.exe
C:\Windows\System\QaBgSKa.exe
2⤵
- Executes dropped EXE
PID:3576

C:\Windows\System\MLUtovq.exe
C:\Windows\System\MLUtovq.exe
2⤵
- Executes dropped EXE
PID:572

C:\Windows\System\sWHvpHa.exe
C:\Windows\System\sWHvpHa.exe
2⤵
- Executes dropped EXE
PID:4028

C:\Windows\System\ZPsUxhc.exe
C:\Windows\System\ZPsUxhc.exe
2⤵
- Executes dropped EXE
PID:1160

C:\Windows\System\zEVFhGx.exe
C:\Windows\System\zEVFhGx.exe
2⤵
- Executes dropped EXE
PID:4644

C:\Windows\System\cocwQFb.exe
C:\Windows\System\cocwQFb.exe
2⤵
- Executes dropped EXE
PID:3276

C:\Windows\System\wxtPVCw.exe
C:\Windows\System\wxtPVCw.exe
2⤵
- Executes dropped EXE
PID:4512

C:\Windows\System\xEvPYbG.exe
C:\Windows\System\xEvPYbG.exe
2⤵
- Executes dropped EXE
PID:2236

C:\Windows\System\xewRAKe.exe
C:\Windows\System\xewRAKe.exe
2⤵
- Executes dropped EXE
PID:4964

C:\Windows\System\eJOHVru.exe
C:\Windows\System\eJOHVru.exe
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\System\aCihzoy.exe
C:\Windows\System\aCihzoy.exe
2⤵
- Executes dropped EXE
PID:4832

C:\Windows\System\bAYIqay.exe
C:\Windows\System\bAYIqay.exe
2⤵
- Executes dropped EXE
PID:3852

C:\Windows\System\TNzCBDg.exe
C:\Windows\System\TNzCBDg.exe
2⤵
- Executes dropped EXE
PID:1772

C:\Windows\System\SsStims.exe
C:\Windows\System\SsStims.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\System\yWRcpSb.exe
C:\Windows\System\yWRcpSb.exe
2⤵
- Executes dropped EXE
PID:4588

C:\Windows\System\BzvCewk.exe
C:\Windows\System\BzvCewk.exe
2⤵
- Executes dropped EXE
PID:1132

C:\Windows\System\BXZNMVK.exe
C:\Windows\System\BXZNMVK.exe
2⤵
- Executes dropped EXE
PID:3704

C:\Windows\System\XsrhVBQ.exe
C:\Windows\System\XsrhVBQ.exe
2⤵
- Executes dropped EXE
PID:3620

C:\Windows\System\SXVeist.exe
C:\Windows\System\SXVeist.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\LpilbuL.exe
C:\Windows\System\LpilbuL.exe
2⤵
- Executes dropped EXE
PID:4144

C:\Windows\System\xWaMUHI.exe
C:\Windows\System\xWaMUHI.exe
2⤵
- Executes dropped EXE
PID:1964

C:\Windows\System\lemBfVQ.exe
C:\Windows\System\lemBfVQ.exe
2⤵
- Executes dropped EXE
PID:2940

C:\Windows\System\jdonHqO.exe
C:\Windows\System\jdonHqO.exe
2⤵
- Executes dropped EXE
PID:4088

C:\Windows\System\eYJwEDu.exe
C:\Windows\System\eYJwEDu.exe
2⤵
- Executes dropped EXE
PID:3968

C:\Windows\System\lIVltdz.exe
C:\Windows\System\lIVltdz.exe
2⤵
- Executes dropped EXE
PID:3132

C:\Windows\System\jHFcuUK.exe
C:\Windows\System\jHFcuUK.exe
2⤵
- Executes dropped EXE
PID:3824

C:\Windows\System\NAFPlkL.exe
C:\Windows\System\NAFPlkL.exe
2⤵
PID:1904

C:\Windows\System\aFZjPci.exe
C:\Windows\System\aFZjPci.exe
2⤵
PID:4472

C:\Windows\System\aJlfNeI.exe
C:\Windows\System\aJlfNeI.exe
2⤵
PID:112

C:\Windows\System\kBFuOIh.exe
C:\Windows\System\kBFuOIh.exe
2⤵
PID:4076

C:\Windows\System\vkwUhFp.exe
C:\Windows\System\vkwUhFp.exe
2⤵
PID:4908

C:\Windows\System\BATZTzB.exe
C:\Windows\System\BATZTzB.exe
2⤵
PID:2040

C:\Windows\System\mzQIzDv.exe
C:\Windows\System\mzQIzDv.exe
2⤵
PID:4248

C:\Windows\System\rZxNlhg.exe
C:\Windows\System\rZxNlhg.exe
2⤵
PID:2688

C:\Windows\System\NQSwSRL.exe
C:\Windows\System\NQSwSRL.exe
2⤵
PID:3004

C:\Windows\System\hjcGycg.exe
C:\Windows\System\hjcGycg.exe
2⤵
PID:2120

C:\Windows\System\yGBJYiN.exe
C:\Windows\System\yGBJYiN.exe
2⤵
PID:4496

C:\Windows\System\YJNPpMu.exe
C:\Windows\System\YJNPpMu.exe
2⤵
PID:1188

C:\Windows\System\seIzFGu.exe
C:\Windows\System\seIzFGu.exe
2⤵
PID:1700

C:\Windows\System\OwNKsWf.exe
C:\Windows\System\OwNKsWf.exe
2⤵
PID:3820

C:\Windows\System\ZszMRyx.exe
C:\Windows\System\ZszMRyx.exe
2⤵
PID:3744

C:\Windows\System\AOHSdkh.exe
C:\Windows\System\AOHSdkh.exe
2⤵
PID:2060

C:\Windows\System\idgMhNR.exe
C:\Windows\System\idgMhNR.exe
2⤵
PID:3948

C:\Windows\System\ffeWskC.exe
C:\Windows\System\ffeWskC.exe
2⤵
PID:5136

C:\Windows\System\bMurqkk.exe
C:\Windows\System\bMurqkk.exe
2⤵
PID:5160

C:\Windows\System\oNIHsPP.exe
C:\Windows\System\oNIHsPP.exe
2⤵
PID:5180

C:\Windows\System\QKuQHyb.exe
C:\Windows\System\QKuQHyb.exe
2⤵
PID:5204

C:\Windows\System\oFgEabz.exe
C:\Windows\System\oFgEabz.exe
2⤵
PID:5220

C:\Windows\System\PLeTNAj.exe
C:\Windows\System\PLeTNAj.exe
2⤵
PID:5296

C:\Windows\System\YxGMsRm.exe
C:\Windows\System\YxGMsRm.exe
2⤵
PID:5328

C:\Windows\System\huAUhzf.exe
C:\Windows\System\huAUhzf.exe
2⤵
PID:5356

C:\Windows\System\BhAkSBD.exe
C:\Windows\System\BhAkSBD.exe
2⤵
PID:5408

C:\Windows\System\CBkqyQc.exe
C:\Windows\System\CBkqyQc.exe
2⤵
PID:5428

C:\Windows\System\TxiETEt.exe
C:\Windows\System\TxiETEt.exe
2⤵
PID:5448

C:\Windows\System\lgQGCgY.exe
C:\Windows\System\lgQGCgY.exe
2⤵
PID:5516

C:\Windows\System\aTNqkIE.exe
C:\Windows\System\aTNqkIE.exe
2⤵
PID:5544

C:\Windows\System\vNPaEKs.exe
C:\Windows\System\vNPaEKs.exe
2⤵
PID:5560

C:\Windows\System\FORbKay.exe
C:\Windows\System\FORbKay.exe
2⤵
PID:5588

C:\Windows\System\AvEJmAp.exe
C:\Windows\System\AvEJmAp.exe
2⤵
PID:5608

C:\Windows\System\ebyeBMj.exe
C:\Windows\System\ebyeBMj.exe
2⤵
PID:5624

C:\Windows\System\AzGvsxY.exe
C:\Windows\System\AzGvsxY.exe
2⤵
PID:5640

C:\Windows\System\oxSCOPe.exe
C:\Windows\System\oxSCOPe.exe
2⤵
PID:5660

C:\Windows\System\yPZPFWM.exe
C:\Windows\System\yPZPFWM.exe
2⤵
PID:5692

C:\Windows\System\imYqBdC.exe
C:\Windows\System\imYqBdC.exe
2⤵
PID:5708

C:\Windows\System\kGRDXnu.exe
C:\Windows\System\kGRDXnu.exe
2⤵
PID:5732

C:\Windows\System\tnQihlV.exe
C:\Windows\System\tnQihlV.exe
2⤵
PID:5752

C:\Windows\System\TJycgqE.exe
C:\Windows\System\TJycgqE.exe
2⤵
PID:5776

C:\Windows\System\qtFUJpC.exe
C:\Windows\System\qtFUJpC.exe
2⤵
PID:5800

C:\Windows\System\tMRnsqQ.exe
C:\Windows\System\tMRnsqQ.exe
2⤵
PID:5816

C:\Windows\System\bkAOvwx.exe
C:\Windows\System\bkAOvwx.exe
2⤵
PID:5884

C:\Windows\System\QJkTiTk.exe
C:\Windows\System\QJkTiTk.exe
2⤵
PID:5916

C:\Windows\System\IopnVnq.exe
C:\Windows\System\IopnVnq.exe
2⤵
PID:5936

C:\Windows\System\rXHnRQn.exe
C:\Windows\System\rXHnRQn.exe
2⤵
PID:5984

C:\Windows\System\oqZrrRW.exe
C:\Windows\System\oqZrrRW.exe
2⤵
PID:6020

C:\Windows\System\xZYremt.exe
C:\Windows\System\xZYremt.exe
2⤵
PID:6088

C:\Windows\System\DBeGaoU.exe
C:\Windows\System\DBeGaoU.exe
2⤵
PID:6108

C:\Windows\System\CGwmZQH.exe
C:\Windows\System\CGwmZQH.exe
2⤵
PID:6132

C:\Windows\System\BnfzGXc.exe
C:\Windows\System\BnfzGXc.exe
2⤵
PID:4200

C:\Windows\System\hVdUJWx.exe
C:\Windows\System\hVdUJWx.exe
2⤵
PID:4944

C:\Windows\System\lDextNj.exe
C:\Windows\System\lDextNj.exe
2⤵
PID:3676

C:\Windows\System\PzLHsak.exe
C:\Windows\System\PzLHsak.exe
2⤵
PID:5176

C:\Windows\System\ansioEh.exe
C:\Windows\System\ansioEh.exe
2⤵
PID:5212

C:\Windows\System\EiyqwaR.exe
C:\Windows\System\EiyqwaR.exe
2⤵
PID:5284

C:\Windows\System\GmFBCnL.exe
C:\Windows\System\GmFBCnL.exe
2⤵
PID:5336

C:\Windows\System\mWwoWRN.exe
C:\Windows\System\mWwoWRN.exe
2⤵
PID:5364

C:\Windows\System\SbYWxKY.exe
C:\Windows\System\SbYWxKY.exe
2⤵
PID:5420

C:\Windows\System\Gznkbgk.exe
C:\Windows\System\Gznkbgk.exe
2⤵
PID:5468

C:\Windows\System\boRnkKt.exe
C:\Windows\System\boRnkKt.exe
2⤵
PID:1124

C:\Windows\System\VldtsdV.exe
C:\Windows\System\VldtsdV.exe
2⤵
PID:536

C:\Windows\System\euQUday.exe
C:\Windows\System\euQUday.exe
2⤵
PID:4152

C:\Windows\System\rNeRkyu.exe
C:\Windows\System\rNeRkyu.exe
2⤵
PID:4600

C:\Windows\System\raSwURQ.exe
C:\Windows\System\raSwURQ.exe
2⤵
PID:2360

C:\Windows\System\ixffnoF.exe
C:\Windows\System\ixffnoF.exe
2⤵
PID:5604

C:\Windows\System\EgvqgbC.exe
C:\Windows\System\EgvqgbC.exe
2⤵
PID:3524

C:\Windows\System\JLlhJTj.exe
C:\Windows\System\JLlhJTj.exe
2⤵
PID:5656

C:\Windows\System\QTZoFkr.exe
C:\Windows\System\QTZoFkr.exe
2⤵
PID:5672

C:\Windows\System\oCeTEog.exe
C:\Windows\System\oCeTEog.exe
2⤵
PID:5744

C:\Windows\System\KwdgwbA.exe
C:\Windows\System\KwdgwbA.exe
2⤵
PID:5852

C:\Windows\System\nuuBhtf.exe
C:\Windows\System\nuuBhtf.exe
2⤵
PID:5952

C:\Windows\System\RRmWHad.exe
C:\Windows\System\RRmWHad.exe
2⤵
PID:5980

C:\Windows\System\jujscYP.exe
C:\Windows\System\jujscYP.exe
2⤵
PID:6068

C:\Windows\System\BVmNUYe.exe
C:\Windows\System\BVmNUYe.exe
2⤵
PID:2724

C:\Windows\System\GFzfZHH.exe
C:\Windows\System\GFzfZHH.exe
2⤵
PID:6120

C:\Windows\System\jzxawjp.exe
C:\Windows\System\jzxawjp.exe
2⤵
PID:3104

C:\Windows\System\gnNEACS.exe
C:\Windows\System\gnNEACS.exe
2⤵
PID:5192

C:\Windows\System\eMcXwLs.exe
C:\Windows\System\eMcXwLs.exe
2⤵
PID:5236

C:\Windows\System\idJhDCY.exe
C:\Windows\System\idJhDCY.exe
2⤵
PID:3140

C:\Windows\System\ijNvwyF.exe
C:\Windows\System\ijNvwyF.exe
2⤵
PID:32

C:\Windows\System\PUEmolE.exe
C:\Windows\System\PUEmolE.exe
2⤵
PID:4920

C:\Windows\System\ctHTCWf.exe
C:\Windows\System\ctHTCWf.exe
2⤵
PID:5528

C:\Windows\System\PTUMovl.exe
C:\Windows\System\PTUMovl.exe
2⤵
PID:5576

C:\Windows\System\sHqxyLG.exe
C:\Windows\System\sHqxyLG.exe
2⤵
PID:5620

C:\Windows\System\PnZtFlm.exe
C:\Windows\System\PnZtFlm.exe
2⤵
PID:5724

C:\Windows\System\QCvkJzs.exe
C:\Windows\System\QCvkJzs.exe
2⤵
PID:5904

C:\Windows\System\epCYrSR.exe
C:\Windows\System\epCYrSR.exe
2⤵
PID:6052

C:\Windows\System\grwqagK.exe
C:\Windows\System\grwqagK.exe
2⤵
PID:6104

C:\Windows\System\DAwvhfk.exe
C:\Windows\System\DAwvhfk.exe
2⤵
PID:5348

C:\Windows\System\qiOmxLj.exe
C:\Windows\System\qiOmxLj.exe
2⤵
PID:4696

C:\Windows\System\JhVGMhn.exe
C:\Windows\System\JhVGMhn.exe
2⤵
PID:5144

C:\Windows\System\CHrRPtg.exe
C:\Windows\System\CHrRPtg.exe
2⤵
PID:5876

C:\Windows\System\YbTEgFC.exe
C:\Windows\System\YbTEgFC.exe
2⤵
PID:5152

C:\Windows\System\npSzOhC.exe
C:\Windows\System\npSzOhC.exe
2⤵
PID:5372

C:\Windows\System\jJMCfCI.exe
C:\Windows\System\jJMCfCI.exe
2⤵
PID:3412

C:\Windows\System\ULHtAFp.exe
C:\Windows\System\ULHtAFp.exe
2⤵
PID:6032

C:\Windows\System\CBRKdzG.exe
C:\Windows\System\CBRKdzG.exe
2⤵
PID:5556

C:\Windows\System\luzkOgT.exe
C:\Windows\System\luzkOgT.exe
2⤵
PID:6164

C:\Windows\System\ATlxpup.exe
C:\Windows\System\ATlxpup.exe
2⤵
PID:6192

C:\Windows\System\uelihAU.exe
C:\Windows\System\uelihAU.exe
2⤵
PID:6216

C:\Windows\System\MUVOwuK.exe
C:\Windows\System\MUVOwuK.exe
2⤵
PID:6236

C:\Windows\System\ZZowTfu.exe
C:\Windows\System\ZZowTfu.exe
2⤵
PID:6268

C:\Windows\System\InHJjKK.exe
C:\Windows\System\InHJjKK.exe
2⤵
PID:6316

C:\Windows\System\qwVRfsa.exe
C:\Windows\System\qwVRfsa.exe
2⤵
PID:6332

C:\Windows\System\uEwswdR.exe
C:\Windows\System\uEwswdR.exe
2⤵
PID:6356

C:\Windows\System\jcLUBAf.exe
C:\Windows\System\jcLUBAf.exe
2⤵
PID:6396

C:\Windows\System\wOLehvv.exe
C:\Windows\System\wOLehvv.exe
2⤵
PID:6416

C:\Windows\System\cvCTKVy.exe
C:\Windows\System\cvCTKVy.exe
2⤵
PID:6432

C:\Windows\System\XnVJtTI.exe
C:\Windows\System\XnVJtTI.exe
2⤵
PID:6456

C:\Windows\System\aoodnaM.exe
C:\Windows\System\aoodnaM.exe
2⤵
PID:6472

C:\Windows\System\qaRdBJu.exe
C:\Windows\System\qaRdBJu.exe
2⤵
PID:6500

C:\Windows\System\UwByweI.exe
C:\Windows\System\UwByweI.exe
2⤵
PID:6516

C:\Windows\System\LxjkXsM.exe
C:\Windows\System\LxjkXsM.exe
2⤵
PID:6536

C:\Windows\System\VhCNptc.exe
C:\Windows\System\VhCNptc.exe
2⤵
PID:6572

C:\Windows\System\zuUtntm.exe
C:\Windows\System\zuUtntm.exe
2⤵
PID:6592

C:\Windows\System\WTwfKPj.exe
C:\Windows\System\WTwfKPj.exe
2⤵
PID:6616

C:\Windows\System\mDwtMDi.exe
C:\Windows\System\mDwtMDi.exe
2⤵
PID:6636

C:\Windows\System\MjaVgSs.exe
C:\Windows\System\MjaVgSs.exe
2⤵
PID:6700

C:\Windows\System\DZoSxKh.exe
C:\Windows\System\DZoSxKh.exe
2⤵
PID:6720

C:\Windows\System\CorsrQi.exe
C:\Windows\System\CorsrQi.exe
2⤵
PID:6740

C:\Windows\System\maSKCGR.exe
C:\Windows\System\maSKCGR.exe
2⤵
PID:6796

C:\Windows\System\AgcLPRU.exe
C:\Windows\System\AgcLPRU.exe
2⤵
PID:6812

C:\Windows\System\TOAbQdg.exe
C:\Windows\System\TOAbQdg.exe
2⤵
PID:6864

C:\Windows\System\ZUjrfjL.exe
C:\Windows\System\ZUjrfjL.exe
2⤵
PID:6904

C:\Windows\System\rhgRyCL.exe
C:\Windows\System\rhgRyCL.exe
2⤵
PID:6940

C:\Windows\System\pZztSLK.exe
C:\Windows\System\pZztSLK.exe
2⤵
PID:6960

C:\Windows\System\YVWUHCV.exe
C:\Windows\System\YVWUHCV.exe
2⤵
PID:6988

C:\Windows\System\jJwmCSD.exe
C:\Windows\System\jJwmCSD.exe
2⤵
PID:7012

C:\Windows\System\SiflLRk.exe
C:\Windows\System\SiflLRk.exe
2⤵
PID:7060

C:\Windows\System\aeCWJng.exe
C:\Windows\System\aeCWJng.exe
2⤵
PID:7084

C:\Windows\System\CrfUWwH.exe
C:\Windows\System\CrfUWwH.exe
2⤵
PID:7108

C:\Windows\System\IhFyOSK.exe
C:\Windows\System\IhFyOSK.exe
2⤵
PID:7140

C:\Windows\System\EsaSQfn.exe
C:\Windows\System\EsaSQfn.exe
2⤵
PID:7156

C:\Windows\System\YluONIf.exe
C:\Windows\System\YluONIf.exe
2⤵
PID:3052

C:\Windows\System\TLEXsRr.exe
C:\Windows\System\TLEXsRr.exe
2⤵
PID:6228

C:\Windows\System\ZhZUFuE.exe
C:\Windows\System\ZhZUFuE.exe
2⤵
PID:6284

C:\Windows\System\APZOhBj.exe
C:\Windows\System\APZOhBj.exe
2⤵
PID:6372

C:\Windows\System\kALvuIn.exe
C:\Windows\System\kALvuIn.exe
2⤵
PID:6412

C:\Windows\System\jhLETKv.exe
C:\Windows\System\jhLETKv.exe
2⤵
PID:6404

C:\Windows\System\miYmZRw.exe
C:\Windows\System\miYmZRw.exe
2⤵
PID:6496

C:\Windows\System\BBLAqEc.exe
C:\Windows\System\BBLAqEc.exe
2⤵
PID:6604

C:\Windows\System\MKlmcuK.exe
C:\Windows\System\MKlmcuK.exe
2⤵
PID:6584

C:\Windows\System\YRhpbkh.exe
C:\Windows\System\YRhpbkh.exe
2⤵
PID:6628

C:\Windows\System\MwjGcIW.exe
C:\Windows\System\MwjGcIW.exe
2⤵
PID:6716

C:\Windows\System\XtjDIJD.exe
C:\Windows\System\XtjDIJD.exe
2⤵
PID:6804

C:\Windows\System\BpKHnik.exe
C:\Windows\System\BpKHnik.exe
2⤵
PID:6860

C:\Windows\System\FEiXTAO.exe
C:\Windows\System\FEiXTAO.exe
2⤵
PID:6932

C:\Windows\System\SQztKfq.exe
C:\Windows\System\SQztKfq.exe
2⤵
PID:7092

C:\Windows\System\xaTzJPX.exe
C:\Windows\System\xaTzJPX.exe
2⤵
PID:7136

C:\Windows\System\RFhKopI.exe
C:\Windows\System\RFhKopI.exe
2⤵
PID:6200

C:\Windows\System\kfyMUWU.exe
C:\Windows\System\kfyMUWU.exe
2⤵
PID:6352

C:\Windows\System\TKyyEDB.exe
C:\Windows\System\TKyyEDB.exe
2⤵
PID:6512

C:\Windows\System\HpQCCiz.exe
C:\Windows\System\HpQCCiz.exe
2⤵
PID:6768

C:\Windows\System\zJovaei.exe
C:\Windows\System\zJovaei.exe
2⤵
PID:6832

C:\Windows\System\UzltYuo.exe
C:\Windows\System\UzltYuo.exe
2⤵
PID:7164

C:\Windows\System\Iafobuu.exe
C:\Windows\System\Iafobuu.exe
2⤵
PID:5680

C:\Windows\System\KtluNFt.exe
C:\Windows\System\KtluNFt.exe
2⤵
PID:6468

C:\Windows\System\etzCDPd.exe
C:\Windows\System\etzCDPd.exe
2⤵
PID:6600

C:\Windows\System\kjnzYsH.exe
C:\Windows\System\kjnzYsH.exe
2⤵
PID:7076

C:\Windows\System\CYhGdNm.exe
C:\Windows\System\CYhGdNm.exe
2⤵
PID:7172

C:\Windows\System\LFpkjnK.exe
C:\Windows\System\LFpkjnK.exe
2⤵
PID:7196

C:\Windows\System\wNWmtXd.exe
C:\Windows\System\wNWmtXd.exe
2⤵
PID:7224

C:\Windows\System\JkJtLMY.exe
C:\Windows\System\JkJtLMY.exe
2⤵
PID:7244

C:\Windows\System\vGJvtpb.exe
C:\Windows\System\vGJvtpb.exe
2⤵
PID:7276

C:\Windows\System\GymCUBO.exe
C:\Windows\System\GymCUBO.exe
2⤵
PID:7308

C:\Windows\System\GktZqjb.exe
C:\Windows\System\GktZqjb.exe
2⤵
PID:7324

C:\Windows\System\WAHyefZ.exe
C:\Windows\System\WAHyefZ.exe
2⤵
PID:7348

C:\Windows\System\GoTEmGl.exe
C:\Windows\System\GoTEmGl.exe
2⤵
PID:7376

C:\Windows\System\HOVbmTQ.exe
C:\Windows\System\HOVbmTQ.exe
2⤵
PID:7408

C:\Windows\System\IPlKHMe.exe
C:\Windows\System\IPlKHMe.exe
2⤵
PID:7452

C:\Windows\System\zkTmxSU.exe
C:\Windows\System\zkTmxSU.exe
2⤵
PID:7472

C:\Windows\System\iliAKUs.exe
C:\Windows\System\iliAKUs.exe
2⤵
PID:7504

C:\Windows\System\FnuLVPS.exe
C:\Windows\System\FnuLVPS.exe
2⤵
PID:7524

C:\Windows\System\nfohsiF.exe
C:\Windows\System\nfohsiF.exe
2⤵
PID:7544

C:\Windows\System\gAocMim.exe
C:\Windows\System\gAocMim.exe
2⤵
PID:7568

C:\Windows\System\cfoQcbX.exe
C:\Windows\System\cfoQcbX.exe
2⤵
PID:7588

C:\Windows\System\tpJPKIM.exe
C:\Windows\System\tpJPKIM.exe
2⤵
PID:7616

C:\Windows\System\fqEzEjS.exe
C:\Windows\System\fqEzEjS.exe
2⤵
PID:7656

C:\Windows\System\hQUVKfq.exe
C:\Windows\System\hQUVKfq.exe
2⤵
PID:7704

C:\Windows\System\JWgGMyb.exe
C:\Windows\System\JWgGMyb.exe
2⤵
PID:7728

C:\Windows\System\ShLrnid.exe
C:\Windows\System\ShLrnid.exe
2⤵
PID:7748

C:\Windows\System\yEMiyAh.exe
C:\Windows\System\yEMiyAh.exe
2⤵
PID:7768

C:\Windows\System\oPCCzWK.exe
C:\Windows\System\oPCCzWK.exe
2⤵
PID:7796

C:\Windows\System\gcbFtAv.exe
C:\Windows\System\gcbFtAv.exe
2⤵
PID:7824

C:\Windows\System\xvUXsKr.exe
C:\Windows\System\xvUXsKr.exe
2⤵
PID:7852

C:\Windows\System\QTwlcid.exe
C:\Windows\System\QTwlcid.exe
2⤵
PID:7872

C:\Windows\System\JDxoztr.exe
C:\Windows\System\JDxoztr.exe
2⤵
PID:7900

C:\Windows\System\mDpWiZr.exe
C:\Windows\System\mDpWiZr.exe
2⤵
PID:7928

C:\Windows\System\CEyBgVP.exe
C:\Windows\System\CEyBgVP.exe
2⤵
PID:7944

C:\Windows\System\bWXhVzj.exe
C:\Windows\System\bWXhVzj.exe
2⤵
PID:7988

C:\Windows\System\eUTeanZ.exe
C:\Windows\System\eUTeanZ.exe
2⤵
PID:8040

C:\Windows\System\rpXeGhu.exe
C:\Windows\System\rpXeGhu.exe
2⤵
PID:8068

C:\Windows\System\NdjGNxm.exe
C:\Windows\System\NdjGNxm.exe
2⤵
PID:8108

C:\Windows\System\WLNWOEj.exe
C:\Windows\System\WLNWOEj.exe
2⤵
PID:8128

C:\Windows\System\PNJdpop.exe
C:\Windows\System\PNJdpop.exe
2⤵
PID:8148

C:\Windows\System\DhYFwld.exe
C:\Windows\System\DhYFwld.exe
2⤵
PID:8164

C:\Windows\System\xhBCoLF.exe
C:\Windows\System\xhBCoLF.exe
2⤵
PID:8188

C:\Windows\System\qyjlnAl.exe
C:\Windows\System\qyjlnAl.exe
2⤵
PID:7216

C:\Windows\System\EsdAefp.exe
C:\Windows\System\EsdAefp.exe
2⤵
PID:7284

C:\Windows\System\VVFhdij.exe
C:\Windows\System\VVFhdij.exe
2⤵
PID:7332

C:\Windows\System\tiUicxe.exe
C:\Windows\System\tiUicxe.exe
2⤵
PID:7416

C:\Windows\System\wHSKQRs.exe
C:\Windows\System\wHSKQRs.exe
2⤵
PID:7464

C:\Windows\System\wlHEChG.exe
C:\Windows\System\wlHEChG.exe
2⤵
PID:7500

C:\Windows\System\jXZfRds.exe
C:\Windows\System\jXZfRds.exe
2⤵
PID:7628

C:\Windows\System\oxXlkyG.exe
C:\Windows\System\oxXlkyG.exe
2⤵
PID:7672

C:\Windows\System\ZSwEWTO.exe
C:\Windows\System\ZSwEWTO.exe
2⤵
PID:7776

C:\Windows\System\XDoCgnu.exe
C:\Windows\System\XDoCgnu.exe
2⤵
PID:7792

C:\Windows\System\Kevbnkq.exe
C:\Windows\System\Kevbnkq.exe
2⤵
PID:7864

C:\Windows\System\CkCCiUA.exe
C:\Windows\System\CkCCiUA.exe
2⤵
PID:7912

C:\Windows\System\QcnLYsq.exe
C:\Windows\System\QcnLYsq.exe
2⤵
PID:7984

C:\Windows\System\HHkIDwR.exe
C:\Windows\System\HHkIDwR.exe
2⤵
PID:8120

C:\Windows\System\KVHChZy.exe
C:\Windows\System\KVHChZy.exe
2⤵
PID:8136

C:\Windows\System\NgMqoik.exe
C:\Windows\System\NgMqoik.exe
2⤵
PID:8180

C:\Windows\System\NEXGtCX.exe
C:\Windows\System\NEXGtCX.exe
2⤵
PID:7292

C:\Windows\System\wMENxjD.exe
C:\Windows\System\wMENxjD.exe
2⤵
PID:7428

C:\Windows\System\SmHQjEl.exe
C:\Windows\System\SmHQjEl.exe
2⤵
PID:7696

C:\Windows\System\qHmcMnB.exe
C:\Windows\System\qHmcMnB.exe
2⤵
PID:7836

C:\Windows\System\WMUhbPR.exe
C:\Windows\System\WMUhbPR.exe
2⤵
PID:8076

C:\Windows\System\EyzNOZx.exe
C:\Windows\System\EyzNOZx.exe
2⤵
PID:8080

C:\Windows\System\DdaAOhP.exe
C:\Windows\System\DdaAOhP.exe
2⤵
PID:7288

C:\Windows\System\ypCIICw.exe
C:\Windows\System\ypCIICw.exe
2⤵
PID:7444

C:\Windows\System\sOKyDZK.exe
C:\Windows\System\sOKyDZK.exe
2⤵
PID:7580

C:\Windows\System\DLYncPf.exe
C:\Windows\System\DLYncPf.exe
2⤵
PID:8196

C:\Windows\System\oWkSwZa.exe
C:\Windows\System\oWkSwZa.exe
2⤵
PID:8216

C:\Windows\System\luZLTry.exe
C:\Windows\System\luZLTry.exe
2⤵
PID:8248

C:\Windows\System\sAXgHqQ.exe
C:\Windows\System\sAXgHqQ.exe
2⤵
PID:8304

C:\Windows\System\aepHDue.exe
C:\Windows\System\aepHDue.exe
2⤵
PID:8320

C:\Windows\System\SwTAMbv.exe
C:\Windows\System\SwTAMbv.exe
2⤵
PID:8376

C:\Windows\System\qvjVAVg.exe
C:\Windows\System\qvjVAVg.exe
2⤵
PID:8416

C:\Windows\System\uoDnQLB.exe
C:\Windows\System\uoDnQLB.exe
2⤵
PID:8500

C:\Windows\System\zYBgApV.exe
C:\Windows\System\zYBgApV.exe
2⤵
PID:8516

C:\Windows\System\FhRaWPe.exe
C:\Windows\System\FhRaWPe.exe
2⤵
PID:8536

C:\Windows\System\fyeEKZP.exe
C:\Windows\System\fyeEKZP.exe
2⤵
PID:8568

C:\Windows\System\EwRtpWe.exe
C:\Windows\System\EwRtpWe.exe
2⤵
PID:8588

C:\Windows\System\CsQNcwc.exe
C:\Windows\System\CsQNcwc.exe
2⤵
PID:8628

C:\Windows\System\BCccCol.exe
C:\Windows\System\BCccCol.exe
2⤵
PID:8644

C:\Windows\System\wxyhBRZ.exe
C:\Windows\System\wxyhBRZ.exe
2⤵
PID:8664

C:\Windows\System\AvgfXZB.exe
C:\Windows\System\AvgfXZB.exe
2⤵
PID:8700

C:\Windows\System\oUabKAA.exe
C:\Windows\System\oUabKAA.exe
2⤵
PID:8720

C:\Windows\System\bwUEdnE.exe
C:\Windows\System\bwUEdnE.exe
2⤵
PID:8748

C:\Windows\System\SudpWCf.exe
C:\Windows\System\SudpWCf.exe
2⤵
PID:8776

C:\Windows\System\LWEGmfQ.exe
C:\Windows\System\LWEGmfQ.exe
2⤵
PID:8792

C:\Windows\System\bYRvrtl.exe
C:\Windows\System\bYRvrtl.exe
2⤵
PID:8856

C:\Windows\System\xxzVxLT.exe
C:\Windows\System\xxzVxLT.exe
2⤵
PID:8880

C:\Windows\System\trpyidw.exe
C:\Windows\System\trpyidw.exe
2⤵
PID:8908

C:\Windows\System\gavCWgK.exe
C:\Windows\System\gavCWgK.exe
2⤵
PID:8928

C:\Windows\System\fzSjsok.exe
C:\Windows\System\fzSjsok.exe
2⤵
PID:8948

C:\Windows\System\jAPshLL.exe
C:\Windows\System\jAPshLL.exe
2⤵
PID:8976

C:\Windows\System\xpQBTpM.exe
C:\Windows\System\xpQBTpM.exe
2⤵
PID:8992

C:\Windows\System\mSWGcjf.exe
C:\Windows\System\mSWGcjf.exe
2⤵
PID:9032

C:\Windows\System\iAzHwfZ.exe
C:\Windows\System\iAzHwfZ.exe
2⤵
PID:9072

C:\Windows\System\HJxiton.exe
C:\Windows\System\HJxiton.exe
2⤵
PID:9088

C:\Windows\System\PqGxKYu.exe
C:\Windows\System\PqGxKYu.exe
2⤵
PID:9104

C:\Windows\System\ZDjHpiA.exe
C:\Windows\System\ZDjHpiA.exe
2⤵
PID:9124

C:\Windows\System\tWEhwNG.exe
C:\Windows\System\tWEhwNG.exe
2⤵
PID:9196

C:\Windows\System\qNxpwUj.exe
C:\Windows\System\qNxpwUj.exe
2⤵
PID:9212

C:\Windows\System\tUzocBS.exe
C:\Windows\System\tUzocBS.exe
2⤵
PID:7940

C:\Windows\System\zjKnemi.exe
C:\Windows\System\zjKnemi.exe
2⤵
PID:7232

C:\Windows\System\sLtwxLy.exe
C:\Windows\System\sLtwxLy.exe
2⤵
PID:7300

C:\Windows\System\qVmclOx.exe
C:\Windows\System\qVmclOx.exe
2⤵
PID:8316

C:\Windows\System\baHlAwF.exe
C:\Windows\System\baHlAwF.exe
2⤵
PID:8372

C:\Windows\System\UBxTjXd.exe
C:\Windows\System\UBxTjXd.exe
2⤵
PID:8388

C:\Windows\System\fnVawuP.exe
C:\Windows\System\fnVawuP.exe
2⤵
PID:8448

C:\Windows\System\ADJcGNv.exe
C:\Windows\System\ADJcGNv.exe
2⤵
PID:8512

C:\Windows\System\RqAMQcr.exe
C:\Windows\System\RqAMQcr.exe
2⤵
PID:8580

C:\Windows\System\CgPYuka.exe
C:\Windows\System\CgPYuka.exe
2⤵
PID:8728

C:\Windows\System\lHgCTzn.exe
C:\Windows\System\lHgCTzn.exe
2⤵
PID:8764

C:\Windows\System\BEYjRpQ.exe
C:\Windows\System\BEYjRpQ.exe
2⤵
PID:8812

C:\Windows\System\wRiNdOx.exe
C:\Windows\System\wRiNdOx.exe
2⤵
PID:8832

C:\Windows\System\mfuXCYq.exe
C:\Windows\System\mfuXCYq.exe
2⤵
PID:8916

C:\Windows\System\klRPMno.exe
C:\Windows\System\klRPMno.exe
2⤵
PID:9028

C:\Windows\System\klPazYJ.exe
C:\Windows\System\klPazYJ.exe
2⤵
PID:9056

C:\Windows\System\VjmTSuI.exe
C:\Windows\System\VjmTSuI.exe
2⤵
PID:9152

C:\Windows\System\dmfzUKI.exe
C:\Windows\System\dmfzUKI.exe
2⤵
PID:9188

C:\Windows\System\tnbeBef.exe
C:\Windows\System\tnbeBef.exe
2⤵
PID:7844

C:\Windows\System\PRtbgMn.exe
C:\Windows\System\PRtbgMn.exe
2⤵
PID:8212

C:\Windows\System\mJPwubi.exe
C:\Windows\System\mJPwubi.exe
2⤵
PID:8532

C:\Windows\System\IpuBIOB.exe
C:\Windows\System\IpuBIOB.exe
2⤵
PID:8636

C:\Windows\System\lMuZSNn.exe
C:\Windows\System\lMuZSNn.exe
2⤵
PID:8760

C:\Windows\System\kHmAcJd.exe
C:\Windows\System\kHmAcJd.exe
2⤵
PID:8904

C:\Windows\System\lCzrUEN.exe
C:\Windows\System\lCzrUEN.exe
2⤵
PID:9144

C:\Windows\System\vKAisxl.exe
C:\Windows\System\vKAisxl.exe
2⤵
PID:8368

C:\Windows\System\iKFnNUI.exe
C:\Windows\System\iKFnNUI.exe
2⤵
PID:8412

C:\Windows\System\MyvoQQW.exe
C:\Windows\System\MyvoQQW.exe
2⤵
PID:8712

C:\Windows\System\MZZzggc.exe
C:\Windows\System\MZZzggc.exe
2⤵
PID:9204

C:\Windows\System\aAcNQNK.exe
C:\Windows\System\aAcNQNK.exe
2⤵
PID:9132

C:\Windows\System\PHMMocc.exe
C:\Windows\System\PHMMocc.exe
2⤵
PID:9240

C:\Windows\System\dqTYwfh.exe
C:\Windows\System\dqTYwfh.exe
2⤵
PID:9280

C:\Windows\System\VvGNlGf.exe
C:\Windows\System\VvGNlGf.exe
2⤵
PID:9332

C:\Windows\System\CSAfWzb.exe
C:\Windows\System\CSAfWzb.exe
2⤵
PID:9348

C:\Windows\System\GNLUYiy.exe
C:\Windows\System\GNLUYiy.exe
2⤵
PID:9396

C:\Windows\System\fOwNfGX.exe
C:\Windows\System\fOwNfGX.exe
2⤵
PID:9416

C:\Windows\System\QumxMXK.exe
C:\Windows\System\QumxMXK.exe
2⤵
PID:9440

C:\Windows\System\dVJUfJf.exe
C:\Windows\System\dVJUfJf.exe
2⤵
PID:9480

C:\Windows\System\wjuOZpB.exe
C:\Windows\System\wjuOZpB.exe
2⤵
PID:9500

C:\Windows\System\MnLCpgO.exe
C:\Windows\System\MnLCpgO.exe
2⤵
PID:9524

C:\Windows\System\DaIHHZE.exe
C:\Windows\System\DaIHHZE.exe
2⤵
PID:9540

C:\Windows\System\QZcYTZe.exe
C:\Windows\System\QZcYTZe.exe
2⤵
PID:9560

C:\Windows\System\NsVyDJH.exe
C:\Windows\System\NsVyDJH.exe
2⤵
PID:9588

C:\Windows\System\DulZpVk.exe
C:\Windows\System\DulZpVk.exe
2⤵
PID:9628

C:\Windows\System\Fagsgzo.exe
C:\Windows\System\Fagsgzo.exe
2⤵
PID:9644

C:\Windows\System\BVdfHkc.exe
C:\Windows\System\BVdfHkc.exe
2⤵
PID:9684

C:\Windows\System\CLimgHS.exe
C:\Windows\System\CLimgHS.exe
2⤵
PID:9704

C:\Windows\System\HdkSIqY.exe
C:\Windows\System\HdkSIqY.exe
2⤵
PID:9744

C:\Windows\System\fMZRQog.exe
C:\Windows\System\fMZRQog.exe
2⤵
PID:9768

C:\Windows\System\VSTYwIa.exe
C:\Windows\System\VSTYwIa.exe
2⤵
PID:9784

C:\Windows\System\BYrvGpq.exe
C:\Windows\System\BYrvGpq.exe
2⤵
PID:9804

C:\Windows\System\vScIqkp.exe
C:\Windows\System\vScIqkp.exe
2⤵
PID:9848

C:\Windows\System\pTGVBWM.exe
C:\Windows\System\pTGVBWM.exe
2⤵
PID:9876

C:\Windows\System\dFejnEx.exe
C:\Windows\System\dFejnEx.exe
2⤵
PID:9892

C:\Windows\System\XzQXUWW.exe
C:\Windows\System\XzQXUWW.exe
2⤵
PID:9916

C:\Windows\System\lOYazKa.exe
C:\Windows\System\lOYazKa.exe
2⤵
PID:9944

C:\Windows\System\cJkiDTA.exe
C:\Windows\System\cJkiDTA.exe
2⤵
PID:9992

C:\Windows\System\hvuotVl.exe
C:\Windows\System\hvuotVl.exe
2⤵
PID:10024

C:\Windows\System\OXlJauF.exe
C:\Windows\System\OXlJauF.exe
2⤵
PID:10048

C:\Windows\System\LNDVERk.exe
C:\Windows\System\LNDVERk.exe
2⤵
PID:10072

C:\Windows\System\hDAxLVX.exe
C:\Windows\System\hDAxLVX.exe
2⤵
PID:10092

C:\Windows\System\LuxbfMv.exe
C:\Windows\System\LuxbfMv.exe
2⤵
PID:10136

C:\Windows\System\OXvciUf.exe
C:\Windows\System\OXvciUf.exe
2⤵
PID:10180

C:\Windows\System\NvlGHev.exe
C:\Windows\System\NvlGHev.exe
2⤵
PID:10200

C:\Windows\System\TIVJkrt.exe
C:\Windows\System\TIVJkrt.exe
2⤵
PID:9080

C:\Windows\System\OjlDCZh.exe
C:\Windows\System\OjlDCZh.exe
2⤵
PID:8312

C:\Windows\System\cPAyLFS.exe
C:\Windows\System\cPAyLFS.exe
2⤵
PID:3808

C:\Windows\System\YwODRMh.exe
C:\Windows\System\YwODRMh.exe
2⤵
PID:9324

C:\Windows\System\INfpwSt.exe
C:\Windows\System\INfpwSt.exe
2⤵
PID:9424

C:\Windows\System\VccfJOD.exe
C:\Windows\System\VccfJOD.exe
2⤵
PID:9436

C:\Windows\System\jKznFWR.exe
C:\Windows\System\jKznFWR.exe
2⤵
PID:9492

C:\Windows\System\rCmgujf.exe
C:\Windows\System\rCmgujf.exe
2⤵
PID:9608

C:\Windows\System\tiMQOuP.exe
C:\Windows\System\tiMQOuP.exe
2⤵
PID:9636

C:\Windows\System\GYkDbnF.exe
C:\Windows\System\GYkDbnF.exe
2⤵
PID:9696

C:\Windows\System\umuWFDD.exe
C:\Windows\System\umuWFDD.exe
2⤵
PID:9752

C:\Windows\System\JsqIIzd.exe
C:\Windows\System\JsqIIzd.exe
2⤵
PID:9824

C:\Windows\System\eMPNKjR.exe
C:\Windows\System\eMPNKjR.exe
2⤵
PID:9904

C:\Windows\System\yFqcPAr.exe
C:\Windows\System\yFqcPAr.exe
2⤵
PID:9956

C:\Windows\System\jCBccxW.exe
C:\Windows\System\jCBccxW.exe
2⤵
PID:10044

C:\Windows\System\FRUPwSr.exe
C:\Windows\System\FRUPwSr.exe
2⤵
PID:10088

C:\Windows\System\ggqSvnn.exe
C:\Windows\System\ggqSvnn.exe
2⤵
PID:10156

C:\Windows\System\fnFwYWH.exe
C:\Windows\System\fnFwYWH.exe
2⤵
PID:9224

C:\Windows\System\mUnzJsr.exe
C:\Windows\System\mUnzJsr.exe
2⤵
PID:9300

C:\Windows\System\eYSEysh.exe
C:\Windows\System\eYSEysh.exe
2⤵
PID:9380

C:\Windows\System\xdlbBUw.exe
C:\Windows\System\xdlbBUw.exe
2⤵
PID:9652

C:\Windows\System\fvmNYJV.exe
C:\Windows\System\fvmNYJV.exe
2⤵
PID:9760

C:\Windows\System\oEemzQc.exe
C:\Windows\System\oEemzQc.exe
2⤵
PID:9864

C:\Windows\System\RRFiblX.exe
C:\Windows\System\RRFiblX.exe
2⤵
PID:10108

C:\Windows\System\cupJVks.exe
C:\Windows\System\cupJVks.exe
2⤵
PID:9292

C:\Windows\System\dYeUMIy.exe
C:\Windows\System\dYeUMIy.exe
2⤵
PID:9604

C:\Windows\System\xrrsCVl.exe
C:\Windows\System\xrrsCVl.exe
2⤵
PID:10032

C:\Windows\System\mHXjPNN.exe
C:\Windows\System\mHXjPNN.exe
2⤵
PID:10124

C:\Windows\System\bofZzXR.exe
C:\Windows\System\bofZzXR.exe
2⤵
PID:10176

C:\Windows\System\XsECKZs.exe
C:\Windows\System\XsECKZs.exe
2⤵
PID:10264

C:\Windows\System\lNqJANu.exe
C:\Windows\System\lNqJANu.exe
2⤵
PID:10284

C:\Windows\System\aafMTYq.exe
C:\Windows\System\aafMTYq.exe
2⤵
PID:10312

C:\Windows\System\uykUlok.exe
C:\Windows\System\uykUlok.exe
2⤵
PID:10332

C:\Windows\System\WuHhTBX.exe
C:\Windows\System\WuHhTBX.exe
2⤵
PID:10364

C:\Windows\System\ylFCXSR.exe
C:\Windows\System\ylFCXSR.exe
2⤵
PID:10396

C:\Windows\System\NaUuZqQ.exe
C:\Windows\System\NaUuZqQ.exe
2⤵
PID:10412

C:\Windows\System\fpLBvyI.exe
C:\Windows\System\fpLBvyI.exe
2⤵
PID:10440

C:\Windows\System\wzgbfTv.exe
C:\Windows\System\wzgbfTv.exe
2⤵
PID:10468

C:\Windows\System\kRVzLtC.exe
C:\Windows\System\kRVzLtC.exe
2⤵
PID:10488

C:\Windows\System\nPWQZbd.exe
C:\Windows\System\nPWQZbd.exe
2⤵
PID:10524

C:\Windows\System\LrqwCdb.exe
C:\Windows\System\LrqwCdb.exe
2⤵
PID:10568

C:\Windows\System\vpyrIev.exe
C:\Windows\System\vpyrIev.exe
2⤵
PID:10584

C:\Windows\System\fqfFFuI.exe
C:\Windows\System\fqfFFuI.exe
2⤵
PID:10608

C:\Windows\System\pdpawHf.exe
C:\Windows\System\pdpawHf.exe
2⤵
PID:10672

C:\Windows\System\IfwKbXE.exe
C:\Windows\System\IfwKbXE.exe
2⤵
PID:10688

C:\Windows\System\BTjCtpV.exe
C:\Windows\System\BTjCtpV.exe
2⤵
PID:10708

C:\Windows\System\VitxWmw.exe
C:\Windows\System\VitxWmw.exe
2⤵
PID:10736

C:\Windows\System\KQpycYP.exe
C:\Windows\System\KQpycYP.exe
2⤵
PID:10764

C:\Windows\System\zTCMwpR.exe
C:\Windows\System\zTCMwpR.exe
2⤵
PID:10792

C:\Windows\System\TlNzKmx.exe
C:\Windows\System\TlNzKmx.exe
2⤵
PID:10816

C:\Windows\System\qpNJGZm.exe
C:\Windows\System\qpNJGZm.exe
2⤵
PID:10836

C:\Windows\System\fyRniWv.exe
C:\Windows\System\fyRniWv.exe
2⤵
PID:10864

C:\Windows\System\qPtzDIl.exe
C:\Windows\System\qPtzDIl.exe
2⤵
PID:10912

C:\Windows\System\KGuvCqj.exe
C:\Windows\System\KGuvCqj.exe
2⤵
PID:10932

C:\Windows\System\xuKsVaB.exe
C:\Windows\System\xuKsVaB.exe
2⤵
PID:10972

C:\Windows\System\SMtlaDr.exe
C:\Windows\System\SMtlaDr.exe
2⤵
PID:10988

C:\Windows\System\qFAgaxO.exe
C:\Windows\System\qFAgaxO.exe
2⤵
PID:11036

C:\Windows\System\yIieVFI.exe
C:\Windows\System\yIieVFI.exe
2⤵
PID:11052

C:\Windows\System\OfgEWPo.exe
C:\Windows\System\OfgEWPo.exe
2⤵
PID:11080

C:\Windows\System\saJliSV.exe
C:\Windows\System\saJliSV.exe
2⤵
PID:11096

C:\Windows\System\lvaiYzM.exe
C:\Windows\System\lvaiYzM.exe
2⤵
PID:11124

C:\Windows\System\QiqxKNV.exe
C:\Windows\System\QiqxKNV.exe
2⤵
PID:11152

C:\Windows\System\NDdTXsd.exe
C:\Windows\System\NDdTXsd.exe
2⤵
PID:11180

C:\Windows\System\sfZFoPB.exe
C:\Windows\System\sfZFoPB.exe
2⤵
PID:11212

C:\Windows\System\yOPDrdP.exe
C:\Windows\System\yOPDrdP.exe
2⤵
PID:11240

C:\Windows\System\SRgsyWK.exe
C:\Windows\System\SRgsyWK.exe
2⤵
PID:11260

C:\Windows\System\wLEFDes.exe
C:\Windows\System\wLEFDes.exe
2⤵
PID:10320

C:\Windows\System\jPhqKOC.exe
C:\Windows\System\jPhqKOC.exe
2⤵
PID:10392

C:\Windows\System\iLyZflS.exe
C:\Windows\System\iLyZflS.exe
2⤵
PID:10432

C:\Windows\System\ydLxdTV.exe
C:\Windows\System\ydLxdTV.exe
2⤵
PID:10480

C:\Windows\System\SkINOPs.exe
C:\Windows\System\SkINOPs.exe
2⤵
PID:10576

C:\Windows\System\pSgfWAt.exe
C:\Windows\System\pSgfWAt.exe
2⤵
PID:10624

C:\Windows\System\lAUCavq.exe
C:\Windows\System\lAUCavq.exe
2⤵
PID:9664

C:\Windows\System\LMXacwI.exe
C:\Windows\System\LMXacwI.exe
2⤵
PID:10716

C:\Windows\System\SiUsJXx.exe
C:\Windows\System\SiUsJXx.exe
2⤵
PID:10772

C:\Windows\System\DSbVbJC.exe
C:\Windows\System\DSbVbJC.exe
2⤵
PID:10844

C:\Windows\System\ZbvOvZx.exe
C:\Windows\System\ZbvOvZx.exe
2⤵
PID:10952

C:\Windows\System\qoKEOPs.exe
C:\Windows\System\qoKEOPs.exe
2⤵
PID:11016

C:\Windows\System\LGMdDbt.exe
C:\Windows\System\LGMdDbt.exe
2⤵
PID:11088

C:\Windows\System\lGlvLAb.exe
C:\Windows\System\lGlvLAb.exe
2⤵
PID:11136

C:\Windows\System\aikPpAB.exe
C:\Windows\System\aikPpAB.exe
2⤵
PID:11168

C:\Windows\System\bDiMsum.exe
C:\Windows\System\bDiMsum.exe
2⤵
PID:11252

C:\Windows\System\jGsHeui.exe
C:\Windows\System\jGsHeui.exe
2⤵
PID:10900

C:\Windows\System\qiBlABX.exe
C:\Windows\System\qiBlABX.exe
2⤵
PID:10996

C:\Windows\System\NYGirXL.exe
C:\Windows\System\NYGirXL.exe
2⤵
PID:11076

C:\Windows\System\OCWwOHA.exe
C:\Windows\System\OCWwOHA.exe
2⤵
PID:11112

C:\Windows\System\BHcrPJF.exe
C:\Windows\System\BHcrPJF.exe
2⤵
PID:10464

C:\Windows\System\XgJTjEH.exe
C:\Windows\System\XgJTjEH.exe
2⤵
PID:10732

C:\Windows\System\fXkpJLF.exe
C:\Windows\System\fXkpJLF.exe
2⤵
PID:10516

C:\Windows\System\VwmegUr.exe
C:\Windows\System\VwmegUr.exe
2⤵
PID:10960

C:\Windows\System\zSvqdiR.exe
C:\Windows\System\zSvqdiR.exe
2⤵
PID:10760

C:\Windows\System\CiZfofA.exe
C:\Windows\System\CiZfofA.exe
2⤵
PID:11284

C:\Windows\System\AeUUSIy.exe
C:\Windows\System\AeUUSIy.exe
2⤵
PID:11300

C:\Windows\System\EAAZXgB.exe
C:\Windows\System\EAAZXgB.exe
2⤵
PID:11320

C:\Windows\System\pzrqnIE.exe
C:\Windows\System\pzrqnIE.exe
2⤵
PID:11344

C:\Windows\System\PAYRKdW.exe
C:\Windows\System\PAYRKdW.exe
2⤵
PID:11376

C:\Windows\System\CCmmqhr.exe
C:\Windows\System\CCmmqhr.exe
2⤵
PID:11420

C:\Windows\System\nmksFUg.exe
C:\Windows\System\nmksFUg.exe
2⤵
PID:11440

C:\Windows\System\qCbfDxr.exe
C:\Windows\System\qCbfDxr.exe
2⤵
PID:11464

C:\Windows\System\FqSzPQN.exe
C:\Windows\System\FqSzPQN.exe
2⤵
PID:11508

C:\Windows\System\sDDduFL.exe
C:\Windows\System\sDDduFL.exe
2⤵
PID:11548

C:\Windows\System\jusYBQd.exe
C:\Windows\System\jusYBQd.exe
2⤵
PID:11568

C:\Windows\System\ZrgxYDH.exe
C:\Windows\System\ZrgxYDH.exe
2⤵
PID:11592

C:\Windows\System\hvuTOCe.exe
C:\Windows\System\hvuTOCe.exe
2⤵
PID:11616

C:\Windows\System\yqGznUR.exe
C:\Windows\System\yqGznUR.exe
2⤵
PID:11636

C:\Windows\System\LMqdBXQ.exe
C:\Windows\System\LMqdBXQ.exe
2⤵
PID:11668

C:\Windows\System\tcJCwVI.exe
C:\Windows\System\tcJCwVI.exe
2⤵
PID:11688

C:\Windows\System\KsfqDeb.exe
C:\Windows\System\KsfqDeb.exe
2⤵
PID:11728

C:\Windows\System\MHgtiHQ.exe
C:\Windows\System\MHgtiHQ.exe
2⤵
PID:11760

C:\Windows\System\dLheBSw.exe
C:\Windows\System\dLheBSw.exe
2⤵
PID:11780

C:\Windows\System\WLDwnwM.exe
C:\Windows\System\WLDwnwM.exe
2⤵
PID:11808

C:\Windows\System\IYLpWuF.exe
C:\Windows\System\IYLpWuF.exe
2⤵
PID:11848

C:\Windows\System\rcPwGVz.exe
C:\Windows\System\rcPwGVz.exe
2⤵
PID:11868

C:\Windows\System\ECRZQmp.exe
C:\Windows\System\ECRZQmp.exe
2⤵
PID:11892

C:\Windows\System\CQkhELY.exe
C:\Windows\System\CQkhELY.exe
2⤵
PID:11944

C:\Windows\System\sCbqSmp.exe
C:\Windows\System\sCbqSmp.exe
2⤵
PID:11968

C:\Windows\System\KyLqVzK.exe
C:\Windows\System\KyLqVzK.exe
2⤵
PID:11988

C:\Windows\System\bcrAjEv.exe
C:\Windows\System\bcrAjEv.exe
2⤵
PID:12008

C:\Windows\System\oppFQvN.exe
C:\Windows\System\oppFQvN.exe
2⤵
PID:12056

C:\Windows\System\jgrrfkr.exe
C:\Windows\System\jgrrfkr.exe
2⤵
PID:12072

C:\Windows\System\hvudqmT.exe
C:\Windows\System\hvudqmT.exe
2⤵
PID:12092

C:\Windows\System\BYPcQFw.exe
C:\Windows\System\BYPcQFw.exe
2⤵
PID:12120

C:\Windows\System\egEOPDh.exe
C:\Windows\System\egEOPDh.exe
2⤵
PID:12140

C:\Windows\System\jJJFXNf.exe
C:\Windows\System\jJJFXNf.exe
2⤵
PID:12164

C:\Windows\System\XbCrQGB.exe
C:\Windows\System\XbCrQGB.exe
2⤵
PID:12188

C:\Windows\System\VjRdvuR.exe
C:\Windows\System\VjRdvuR.exe
2⤵
PID:12208

C:\Windows\System\ZKCOgaL.exe
C:\Windows\System\ZKCOgaL.exe
2⤵
PID:12236

C:\Windows\System\fLKGCHi.exe
C:\Windows\System\fLKGCHi.exe
2⤵
PID:12256

C:\Windows\System\kYhATdn.exe
C:\Windows\System\kYhATdn.exe
2⤵
PID:12276

C:\Windows\System\wShhRPr.exe
C:\Windows\System\wShhRPr.exe
2⤵
PID:11312

C:\Windows\System\QFxrUnp.exe
C:\Windows\System\QFxrUnp.exe
2⤵
PID:11432

C:\Windows\System\AMCZZOg.exe
C:\Windows\System\AMCZZOg.exe
2⤵
PID:11460

C:\Windows\System\ldzwqOL.exe
C:\Windows\System\ldzwqOL.exe
2⤵
PID:11528

C:\Windows\System\fnHJGLN.exe
C:\Windows\System\fnHJGLN.exe
2⤵
PID:11576

C:\Windows\System\NZMbPdo.exe
C:\Windows\System\NZMbPdo.exe
2⤵
PID:11648

C:\Windows\System\PLywllB.exe
C:\Windows\System\PLywllB.exe
2⤵
PID:11724

C:\Windows\System\sTODznw.exe
C:\Windows\System\sTODznw.exe
2⤵
PID:11820

C:\Windows\System\SWghRec.exe
C:\Windows\System\SWghRec.exe
2⤵
PID:11864

C:\Windows\System\egzQzjX.exe
C:\Windows\System\egzQzjX.exe
2⤵
PID:11904

C:\Windows\System\ecjKpFR.exe
C:\Windows\System\ecjKpFR.exe
2⤵
PID:11980

C:\Windows\System\OkibgRy.exe
C:\Windows\System\OkibgRy.exe
2⤵
PID:12068

C:\Windows\System\uAiWSlr.exe
C:\Windows\System\uAiWSlr.exe
2⤵
PID:12112

C:\Windows\System\EVVuufB.exe
C:\Windows\System\EVVuufB.exe
2⤵
PID:12156

C:\Windows\System\SlTQMNV.exe
C:\Windows\System\SlTQMNV.exe
2⤵
PID:12220

C:\Windows\System\sZVOWXl.exe
C:\Windows\System\sZVOWXl.exe
2⤵
PID:10980

C:\Windows\System\geNNLse.exe
C:\Windows\System\geNNLse.exe
2⤵
PID:12248

C:\Windows\System\DNhwoaY.exe
C:\Windows\System\DNhwoaY.exe
2⤵
PID:11488

C:\Windows\System\gDfiGji.exe
C:\Windows\System\gDfiGji.exe
2⤵
PID:11876

C:\Windows\System\LvZNQGH.exe
C:\Windows\System\LvZNQGH.exe
2⤵
PID:11888

C:\Windows\System\ReTUBsy.exe
C:\Windows\System\ReTUBsy.exe
2⤵
PID:12064

C:\Windows\System\nkRUOqv.exe
C:\Windows\System\nkRUOqv.exe
2⤵
PID:11336

C:\Windows\System\YllRteP.exe
C:\Windows\System\YllRteP.exe
2⤵
PID:11584

C:\Windows\System\FJwaFhK.exe
C:\Windows\System\FJwaFhK.exe
2⤵
PID:11860

C:\Windows\System\urVQjxV.exe
C:\Windows\System\urVQjxV.exe
2⤵
PID:12036

C:\Windows\System\QVrrZio.exe
C:\Windows\System\QVrrZio.exe
2⤵
PID:4408

C:\Windows\System\ftaXOql.exe
C:\Windows\System\ftaXOql.exe
2⤵
PID:2108

C:\Windows\System\ujnnYFw.exe
C:\Windows\System\ujnnYFw.exe
2⤵
PID:4760

C:\Windows\System\dOFXQix.exe
C:\Windows\System\dOFXQix.exe
2⤵
PID:5048

C:\Windows\System\uIbnqEr.exe
C:\Windows\System\uIbnqEr.exe
2⤵
PID:12316

C:\Windows\System\zHVanRs.exe
C:\Windows\System\zHVanRs.exe
2⤵
PID:12340

C:\Windows\System\OkpqBpM.exe
C:\Windows\System\OkpqBpM.exe
2⤵
PID:12364

C:\Windows\System\WRlDCAJ.exe
C:\Windows\System\WRlDCAJ.exe
2⤵
PID:12384

C:\Windows\System\BxPSFDv.exe
C:\Windows\System\BxPSFDv.exe
2⤵
PID:12412

C:\Windows\System\fBmcNuz.exe
C:\Windows\System\fBmcNuz.exe
2⤵
PID:12436

C:\Windows\System\eJOURib.exe
C:\Windows\System\eJOURib.exe
2⤵
PID:12476

C:\Windows\System\ZvsEVou.exe
C:\Windows\System\ZvsEVou.exe
2⤵
PID:12496

C:\Windows\System\HvpngSa.exe
C:\Windows\System\HvpngSa.exe
2⤵
PID:12524

C:\Windows\System\HlLylUi.exe
C:\Windows\System\HlLylUi.exe
2⤵
PID:12544

C:\Windows\System\VNNBVWu.exe
C:\Windows\System\VNNBVWu.exe
2⤵
PID:12580

C:\Windows\System\JShNJGC.exe
C:\Windows\System\JShNJGC.exe
2⤵
PID:12604

C:\Windows\System\PscusMu.exe
C:\Windows\System\PscusMu.exe
2⤵
PID:12656

C:\Windows\System\YFQEaKr.exe
C:\Windows\System\YFQEaKr.exe
2⤵
PID:12684

C:\Windows\System\mCdIIdJ.exe
C:\Windows\System\mCdIIdJ.exe
2⤵
PID:12708

C:\Windows\System\hEYhWVT.exe
C:\Windows\System\hEYhWVT.exe
2⤵
PID:12728

C:\Windows\System\tYYHQeI.exe
C:\Windows\System\tYYHQeI.exe
2⤵
PID:12748

C:\Windows\System\eVJOmex.exe
C:\Windows\System\eVJOmex.exe
2⤵
PID:12800

C:\Windows\System\TlRaxsR.exe
C:\Windows\System\TlRaxsR.exe
2⤵
PID:12824

C:\Windows\System\SvsQtCZ.exe
C:\Windows\System\SvsQtCZ.exe
2⤵
PID:12848

C:\Windows\System\KgfLjZN.exe
C:\Windows\System\KgfLjZN.exe
2⤵
PID:12884

C:\Windows\System\DpJhlLR.exe
C:\Windows\System\DpJhlLR.exe
2⤵
PID:12908

C:\Windows\System\OIbBGXw.exe
C:\Windows\System\OIbBGXw.exe
2⤵
PID:12932

C:\Windows\System\HGoApZm.exe
C:\Windows\System\HGoApZm.exe
2⤵
PID:12952

C:\Windows\System\tGsKklZ.exe
C:\Windows\System\tGsKklZ.exe
2⤵
PID:12976

C:\Windows\System\IxuWeHO.exe
C:\Windows\System\IxuWeHO.exe
2⤵
PID:12992

C:\Windows\System\fefcLRG.exe
C:\Windows\System\fefcLRG.exe
2⤵
PID:13052

C:\Windows\System\ZXwWIrI.exe
C:\Windows\System\ZXwWIrI.exe
2⤵
PID:13076

C:\Windows\System\CeIqWLd.exe
C:\Windows\System\CeIqWLd.exe
2⤵
PID:13100

C:\Windows\System\rDfZdAV.exe
C:\Windows\System\rDfZdAV.exe
2⤵
PID:13124

C:\Windows\System\WuAjMCI.exe
C:\Windows\System\WuAjMCI.exe
2⤵
PID:13152

C:\Windows\System\dlkDuJI.exe
C:\Windows\System\dlkDuJI.exe
2⤵
PID:13180

C:\Windows\System\LJhuVcG.exe
C:\Windows\System\LJhuVcG.exe
2⤵
PID:13208

C:\Windows\System\lMYJyGy.exe
C:\Windows\System\lMYJyGy.exe
2⤵
PID:13232

C:\Windows\System\lEcTEhy.exe
C:\Windows\System\lEcTEhy.exe
2⤵
PID:13252

C:\Windows\System\szAdweA.exe
C:\Windows\System\szAdweA.exe
2⤵
PID:13268

C:\Windows\System\PUrXXuB.exe
C:\Windows\System\PUrXXuB.exe
2⤵
PID:12324

C:\Windows\System\GJmspTX.exe
C:\Windows\System\GJmspTX.exe
2⤵
PID:12360

C:\Windows\System\mXzytNz.exe
C:\Windows\System\mXzytNz.exe
2⤵
PID:12928

C:\Windows\System\NUXfwIJ.exe
C:\Windows\System\NUXfwIJ.exe
2⤵
PID:12972

C:\Windows\System\KGJKjZI.exe
C:\Windows\System\KGJKjZI.exe
2⤵
PID:13024

C:\Windows\System\YrembhQ.exe
C:\Windows\System\YrembhQ.exe
2⤵
PID:2092

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5vvbke2.r1t.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\DJSRmCJ.exe
Filesize
1.9MB

MD5
e7c1518f9b9fd45ca40aa73315d3f542

SHA1
8564d6a26e3014d7a2723976b432b91074302909

SHA256
1afaa2c57c83aad10a1936d2480c888e65db26deba80299881d2f69fb98dcd9e

SHA512
25837400422d67f8caf9338b9bef0254fcc647ee708df2d616270eea042e00e618881be742fdf8e44cf0efcc991d4230cba0a8594e23a5f1e5079ab8b7fd731c

Download Submit
C:\Windows\System\EGLkfBq.exe
Filesize
1.9MB

MD5
37ae5eff6f9811233ad45d88ce6c5a88

SHA1
3a3e29bd4a7aa864b957f6a085f5079611f8342f

SHA256
5ccacad4d1416b565263514cddc03543ef9d9088ee8d850752d94340bbf530b5

SHA512
ea68c9140ff347d4821217e169326b6999e454cab015ad301735710df4f1712fc4a9ad86a022e7fb29eb97df428c68d31b8b5faad38569bca60f3ced42d8eeab

Download Submit
C:\Windows\System\EPzdxmJ.exe
Filesize
1.9MB

MD5
174511abe6dfecc5fc3d60d4e06dbb01

SHA1
55b4a501bbef1f99b11628bdfdf66420425c50af

SHA256
95429131459712da8b63a3a9af4fd656078743ef90378fbf52de3250c500a946

SHA512
805a8323ac65ebf7124fa60250b063a322f4c7161c618cc8e6f396a855aedda69033c5ec5e4ab8e174c4d88991214c71d9d055e0e7a6921388c0afe6c63dad1d

Download Submit
C:\Windows\System\FCIlfiz.exe
Filesize
1.9MB

MD5
7c40240677491b1096947b7707033fce

SHA1
a7a15ee2fee4ead8b8b19b0bb50043769b795d6b

SHA256
fe05573e2f5a4d769812f96c1f52a4b8fc82a0450059b48fcc06cb5cc4bfef5a

SHA512
b8f377d415f6d5cb310e6b7fbca227b61b9eb058cd1731bbb9187c0a416c3bff7ae8b1a9611f3198a228702f61f004e9dfcb3f4fee4dbb1eb97bd756fcbe375e

Download Submit
C:\Windows\System\GaDeUOV.exe
Filesize
1.9MB

MD5
85b4fc39ca344d64d23ed3eb168832c6

SHA1
bf83b9247db7e87dd2163362f312a2f5e80f52ef

SHA256
84e8e43e34ecada7a7cfefc313915f55c4ceda322905f41104a72832a3b0938e

SHA512
3dfd1cc2a74b35bd7497a4ae24bbf7f01affe501a80e3bf9eb5da1cb71b258d7a22ddbe89182b306c73a45d97e122897d3a23ba6a3e64829e40f0cea21ff8b20

Download Submit
C:\Windows\System\ILxUQZF.exe
Filesize
1.9MB

MD5
ab24e05f660a9c37e8f21813b6813090

SHA1
7e593e5aee2ebe35f15695f8a95cbfdcb117142d

SHA256
c18b480c3ae8e0a39dbcd4ac5884ddc1bcfa6366c2dd17336e9f67cee6e5f3b3

SHA512
38495d74ee3320a533a8cce7e7128265892a65cc3985c2c4434e5dca63094726a1173fd6a8e3edcfed3f2843d89ff16943926e360293347ca379911678d6647e

Download Submit
C:\Windows\System\KcDVBgi.exe
Filesize
1.9MB

MD5
65c52998f47f9dc07cfdde895ced22b9

SHA1
677d11b775a3cf7004f756eaecd042f84fc48f7b

SHA256
943ffa275016108ae39c1f14401a423087d6b11b0136b4f90df5ea32ca542c55

SHA512
6b086731a83d08b5bb3b9f6942ffbdc2ed4ccf7dc4e9c79be663b57cd1f6e7ffa16aabc79912b4c1db41ab8fb61a19d45b64e37d7fa694b928af1c9c9f029448

Download Submit
C:\Windows\System\MZBDbbn.exe
Filesize
1.9MB

MD5
b146883e7a2e56504e524ac8daf059cd

SHA1
50701f5f8638802577034c719e4b52cd2b386d8c

SHA256
6ca35771b4352e32f075dff00c857cd05150f2c82a80fa09ddd556a9f4515211

SHA512
e76e0f655d9ff0a45e74888bed686da2a6d6c0ced24aa842fac08c5f6c071fc799ad34234fab15612c48292d3ef2f57d7ac27ef6f4a502b49ba32157e1f1e6f7

Download Submit
C:\Windows\System\NLmhtHW.exe
Filesize
1.9MB

MD5
9a4bab28ca2dac5ae199aed1dcc825fb

SHA1
51ca9327bd96222833faa9c7061197c137a7c311

SHA256
04b84af63e13905970d2058254cd8a051536cb24d4f8257b3e2e1192c73a49dc

SHA512
eb4823a9d8f6bcd6ea5d5cb3d4d9007e5407ebbfda2ce45d9f02272d4b0a468edd0e7c8d7513245b95cd4f66443ff5e2720c0054cef5f7b7f1d0f9d3313d5ad9

Download Submit
C:\Windows\System\NPFhJtL.exe
Filesize
1.9MB

MD5
a33ab0683da7b37aba6f5d54a26fc55b

SHA1
1923adf67c91ddb0864890ecf9c1664ed1633b0c

SHA256
3eacf09f1f04ab63a289d71fe7187b08540795b134e7d29429a7efc3e8c69196

SHA512
6d2758d8371e071e72e21a886d7744b44452d1986bc217082f36d351dcd1eb7222b76d3662fc56bd1362c73ce9f3ad930af6e649fe8bd5a754e378df92f9fdb7

Download Submit
C:\Windows\System\PpQLMbf.exe
Filesize
1.9MB

MD5
9bbf3810be2dd33e3d9c5c679a70809f

SHA1
77c3a714db8c3aa724acc4b4c30e118357c3cdd6

SHA256
2e885b1140f223d015e8f7a261dd00ff49b0dba12d9f288a55f8349f103e17eb

SHA512
c3354a8b25a4a945a820b146b5cb4cef17733c5c87001fa16097da7d11baa819242044d71d84c9d8e7ee1208264e61a13c2c60b733f5ee08fb953fa16deec38f

Download Submit
C:\Windows\System\RllVBWv.exe
Filesize
1.9MB

MD5
f18c20704064db09566bf764f3880d52

SHA1
b5344933e4ca5c04390f65245c309f464c68ec84

SHA256
c0e90400c4523946b0ae664502ea5c687769133bd5b91c78ff1f22547b0e6445

SHA512
2a2eea72220597613a69cb4872873a6e3a8b6f3d7a4e3c2801b3eae41e236e8b44600a3b912572101802b687025fcb6ad02dc6d4698a51fa2fecf4c4aa461bb9

Download Submit
C:\Windows\System\SrKvmVn.exe
Filesize
1.9MB

MD5
139cdea51cddc8fc8ec045f4117ce0e2

SHA1
f01cedfe9270506497e4c6a61b9c0ef1babdf92b

SHA256
d0fe0a9e7454a390bba8230e52df0a6e34335ef7f1c04b53c23a6ba008c0ce1c

SHA512
743683c51f018ffed257de64f035a3d156b7476776d0b1a067641e1fae5baf11e5df42333cdd4fe3ad62acc6a86c7701c71c9d7885cc89efed942841cf0a089d

Download Submit
C:\Windows\System\YCQPCkW.exe
Filesize
1.9MB

MD5
16818f33304fcb927a5540eb96bb4487

SHA1
a62062785d18fed876e2b31af2c0155e94bd71ac

SHA256
000a19be00299f625a71b60e9ab07a5a8a82147fabfe7ae35b78b034135f23bb

SHA512
78c50ee081d4cd10bad3f680f95dbe31736b0511facf17d536a8b775de630bf71b51c8cab34f1ba28760cbf7fa42d7c20350d419a21353bc31b6168a069f6bc6

Download Submit
C:\Windows\System\YCWAzCK.exe
Filesize
1.9MB

MD5
f9802328548c05b4a89d1dc1f7ad0985

SHA1
febf9491670cb0855a551755021edc2ea8011ad6

SHA256
2e1e5ad359989d1cc4a26e750b9b25174e63dd83d5dacaf26b07c0514d4b6476

SHA512
271be4f542180baaaeb93d922755c082a9ad2f165dcf24e8a174259e035971ab0f4e3e4d2c2050613e94dc68b12a0d9789954579142b2de24b3bffd123698bf4

Download Submit
C:\Windows\System\ZjuDlfz.exe
Filesize
1.9MB

MD5
52db41715340e865967945edc5a35523

SHA1
dfbbba25df82e1226dc6c691dcbb8d0c7f393aae

SHA256
ac58ccc4f584f85aa7ed3745e45a4140fc6393e446b82fab3a0d24ab969fe863

SHA512
a5cf32788284d061266a3e3a6ad15098fbeff9fbe08ca2842b4ac481572c846482bb0ce4d9168cba193014789c721a141aa426ab9e50a2fb7fa96100fea5ef5b

Download Submit
C:\Windows\System\ZvONovo.exe
Filesize
1.9MB

MD5
33f9cb1dff56dc7520a44a335c82ef70

SHA1
a3d5815e18760a9eaf169eccfc3f57c2588273f7

SHA256
4abe3ed48173566eecebc5360c681bbc27607af0ded4259ea4b557ea5873bb4b

SHA512
8adfa6672578a59bb8f967d96a9c47efdeafd3b3cb836c0f73f0e8195e781ff77aad3604261f096217bfc627bc8579f5c8208f0ff61db091e1d0b56d2295bc72

Download Submit
C:\Windows\System\aLVJRel.exe
Filesize
1.9MB

MD5
a6e9858d8483cf3b103cae81cb7a4481

SHA1
183a8192007bdc3164dbd47fdc2f075048a4c45f

SHA256
955d628a088f72cb6ec07fa0a80d18436a4f4aec0972c83ccda81553e56d36d7

SHA512
a502d2c51907f8dafe93a5a7410b64f833e6a42125ca437aa078f4a9e97e401166f78b8076ba4ad8375c78eb224c3cd11306db876a7076aa592fa9af402e639e

Download Submit
C:\Windows\System\dJwAbiB.exe
Filesize
1.9MB

MD5
416f5317843f1e799d649bce2735fd4a

SHA1
070880574cf67c8dcebe76a4dd67e10312656b82

SHA256
e9ebd5c728012b8b1b6acfdd90d4bbefd5342a206a6861f8e01fe4e2fc9a94b1

SHA512
e65295156e77861566a8796b65326a7f513befd47563bf7f42e06081d774e9e5802b282bdb5705a8bd713ee634fb8d7a1e034eb2bc712323869279e62326ab61

Download Submit
C:\Windows\System\dtAAipU.exe
Filesize
1.9MB

MD5
ac5938c055cb187819837d65847456e9

SHA1
77e6bb883bc3d539530aac635981adfb17fa70e4

SHA256
774ab03c6f6d13d528534e9e16b7ff2af259da01fb1e6bdac4a50d944278a551

SHA512
c74c9fea39bc1ed92ff10ff3988c319477d8ddd85a6184eafb0009f1399efe5dfe9adf789282640256e72d8c6d55a476d0870e9eb27145bd2e04905b94f5a898

Download Submit
C:\Windows\System\fLuXlFl.exe
Filesize
8B

MD5
0a4d9fd0cc8fe1472d155d5d981ff235

SHA1
137003f778b74f1b96494293112b43e4307e765e

SHA256
4707e767d70e4899759ce8aba6535007a27f8c132e3f3e05b8b8ae03c23dd080

SHA512
ad9c5b802b25d2a28cbec3d4cc246b638fad901bd44704bb559f8a0cf5c0d25f339a2e2fe9f4b8bbba249477fc11b0b14c51d97cfa76d081fb255f90811dd5c7

Download Submit
C:\Windows\System\gevnQJc.exe
Filesize
1.9MB

MD5
5c86423f22c5a462d07630f72d646f05

SHA1
aef1c1632b852569a535d921a8105a24d9a82cf8

SHA256
de009cbae09b38e6c7e649d0513149de88b6311766954f3e5bc290b48b5cc0d1

SHA512
c982352996ff216397a2b6c3f80e2536d67d3a1ecea4a5e9eb952575e530f33f27e2d84874f9a3925a788551a405586a44ae0787bb42ed7234e173d37bface26

Download Submit
C:\Windows\System\iMwOmKV.exe
Filesize
1.9MB

MD5
bac1a5a5624190b5bec38c03129d2138

SHA1
34445e5ead79c10644b97150d6ae5ae21665c733

SHA256
8cd7fbab4bc0534ac3d084adff43e4cd54c4565f969e8bd9f73912bdcb70de6c

SHA512
04ec8469ec36f575d6599cf24206eb2cf4db801cb0dadd1582a8f95334b41b806116b8af2e2f1d0f8299c716dba5b59fced8ecdf8ecf91ecf64d1c57f1bd051d

Download Submit
C:\Windows\System\ihFXJbC.exe
Filesize
1.9MB

MD5
672db57edca8eb3e7e388deaa2e9e6df

SHA1
aefb5746c7e1099c6513a5d8a5940a11fe6ea532

SHA256
37f82205f400518880ab02b04750c308cf787aaed30da1f07191a59f59b822cd

SHA512
42b5cfcf885e735207cc57632d6a4e29e9dda6dcefe53c28753d929cafe8e9e50696116c1636e3b4317f7132ae88a95a386a387ab913c8b4dc3ae88f3c6f28e6

Download Submit
C:\Windows\System\jSBHmVm.exe
Filesize
1.9MB

MD5
66dd81f550f3669a61de4acfee01dd19

SHA1
b55dc2527da919faba864df04d948f8f10608761

SHA256
51cbfd68d3817bfaaf1bcbbc8b672afe80e2eb954322e9ce8a0ee5b60af2c338

SHA512
72039e237e8c48f2e0b472666bd9de2d61f41e67ef00273589fdd3f15361a276775a09be0c74202123c90693bca45372702418bbe142af7b3e56693599f8b91f

Download Submit
C:\Windows\System\kniHjbz.exe
Filesize
1.9MB

MD5
9c8921cebc0dc5eca18a60f34ac0738b

SHA1
1eaf5aac4f931e6a5b9ee9d0b9ae66612078fdb5

SHA256
085f0843698f9f336366bd6a930be2a1cc8ec64e28a23d02fb059d6f729d031b

SHA512
bd10315b44dfd115d44ab863b1fcd206a5bacc3dc97c3a1e6a975598c4f78d53dc1ac8d58d5461a0487d62526d1a7be6d3a10adf992e86fbe8dcaff9cb759c2b

Download Submit
C:\Windows\System\lEphIFM.exe
Filesize
1.9MB

MD5
147f77c8fc7c2c364087d2b666b4ae3b

SHA1
ebccc4124c7bdce211d7da677f8452b37f2be238

SHA256
2e93436a9368e105c075c19c03cbe7977c9048989c91a62c4d4843417c53a7de

SHA512
f464277c9eb905bdc9050d41b5bf1f502accea2772279dbec5cf8e3c76f45e5b43327ef816817ac5f05b5859a56fabe8d620664b6b6fbb5b8dbbc814ec35f0cc

Download Submit
C:\Windows\System\nkRiAVH.exe
Filesize
1.9MB

MD5
88133a83fcbc42d12f8618cd17218107

SHA1
9caf034410955d311e906e45b458d178b45ce646

SHA256
a1af8349e96154dbd6266770140ce27d91a04886b08e1f6f7fc396d1d87f2fc9

SHA512
c822e767fcddeb57457f9febea25388315505332a95f70e73d4bbcca3f28fd351f404f165936dda67756dbb06f8a3ebdb89150ed43432a43e8b0da9dcaefa580

Download Submit
C:\Windows\System\oJKZSaj.exe
Filesize
1.9MB

MD5
e377218c180c594bcbf0465f42032f54

SHA1
e791740be6902f660c2e65ef3864055f022bf55b

SHA256
a8b4696cf2610904c05e5a5591432c00a5c6bcc02f3b2814fbebd9606f2a8b28

SHA512
66e6f023b231557c52d45db97c49f58a34d684ded6da580eb048c5b79c7f058a5a40351775b0b0b5f0990df148ac550fd3a9609b4117c94eebeb305d7349a558

Download Submit
C:\Windows\System\octEPVJ.exe
Filesize
1.9MB

MD5
84ce75f608420c5f4b9daf759d76918b

SHA1
93bf5df2049e4f7e0e1828c9711d0b9ca2630fc9

SHA256
b8a7aa71db1de689215eed786b137c245419537372a9406bcb0ed67fbf194194

SHA512
9f59a8466c30d0ba62f4c4f1b81473276d45952928cc63c68d32d26e658402b542dce3a6ccc23baa9c3531920f6d395e84cd8f3437befd9179bc764665957927

Download Submit
C:\Windows\System\pdYcMdK.exe
Filesize
1.9MB

MD5
c9c87c8ef02d86fc57f8741df2435aaa

SHA1
b2ce83eedb88c20fd28cb90e02a03aca1b8e0739

SHA256
1bd320b106dda4308bdb3400c344834ad5c0d89ab1c3996c46aac237e3948f0c

SHA512
28e716a924c082231a2b1500727f497c2c4f768ac30a27cc8de6d86cb91516640c42ec4ff5112dc92a0edfbb423b90295e7b2231153de0272eebf37b0552e5ff

Download Submit
C:\Windows\System\uWZnljm.exe
Filesize
1.9MB

MD5
20cf830d1dd982917b62ba4a903b74c1

SHA1
e406194e9c5cbe6c5e995146b524ba31873dae9c

SHA256
389febbeb118580fdae21443a55da7f754816eba7c2c373f11f7b3799cb4f509

SHA512
85f4d15756dcac7087c26f521bab44d01782e0cb2db3aa2ea8879a39b5536f602b8dd1a8717bff594184684ec00dd1afb93d98567c0f974c8ead401a27572574

Download Submit
C:\Windows\System\uqbIoDo.exe
Filesize
1.9MB

MD5
bd48c55e9c615a55cf1e1c93b9976944

SHA1
96e89e7ed2e3cc92eb57b8ba9f993ccd67839e27

SHA256
a99ddcab9f05cb7f779fbedb8f4b6f88f6941ca6f39eaf502a3d7e57a505ce0e

SHA512
6a32b9326b3745c3dfd8f99fa706758db06f1fedde2a6400ce64576301a1b8af805c5d7fe8ace0dce88154a9fdf2d56861b5fd0c977b5a07f4bc72e16b909952

Download Submit
C:\Windows\System\xlaKyRL.exe
Filesize
1.9MB

MD5
1948664b3b5ac11dd8a0c982bcdf9426

SHA1
a615a28b7e0ceb68a3c64218872000dcb62b3900

SHA256
348b0ef9e0fcb0430d5aa20e6a14e70befaa1b3f7f8bcefa1b212d9d62168755

SHA512
bd8ae2e7b527b32a9606cb6e3770346180ca3678e1e5e5b421e4e81441a62e07cd7a4385aa36b22fb7a91fb4b97ae4d6afae7038e57ead55383ee8cb50141a78

Download Submit
memory/424-97-0x00007FF612080000-0x00007FF612472000-memory.dmp

Filesize
3.9MB

Download
memory/424-2685-0x00007FF612080000-0x00007FF612472000-memory.dmp

Filesize
3.9MB

Download
memory/456-85-0x00007FF67ED00000-0x00007FF67F0F2000-memory.dmp

Filesize
3.9MB

Download
memory/456-2679-0x00007FF67ED00000-0x00007FF67F0F2000-memory.dmp

Filesize
3.9MB

Download
memory/920-2608-0x00007FF7C4BD0000-0x00007FF7C4FC2000-memory.dmp

Filesize
3.9MB

Download
memory/920-2671-0x00007FF7C4BD0000-0x00007FF7C4FC2000-memory.dmp

Filesize
3.9MB

Download
memory/920-37-0x00007FF7C4BD0000-0x00007FF7C4FC2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-357-0x00007FF64DF80000-0x00007FF64E372000-memory.dmp

Filesize
3.9MB

Download
memory/1048-2708-0x00007FF64DF80000-0x00007FF64E372000-memory.dmp

Filesize
3.9MB

Download
memory/1080-2665-0x00007FF79CB50000-0x00007FF79CF42000-memory.dmp

Filesize
3.9MB

Download
memory/1080-30-0x00007FF79CB50000-0x00007FF79CF42000-memory.dmp

Filesize
3.9MB

Download
memory/1240-98-0x00007FF64CD00000-0x00007FF64D0F2000-memory.dmp

Filesize
3.9MB

Download
memory/1240-2683-0x00007FF64CD00000-0x00007FF64D0F2000-memory.dmp

Filesize
3.9MB

Download
memory/1544-2673-0x00007FF720300000-0x00007FF7206F2000-memory.dmp

Filesize
3.9MB

Download
memory/1544-2609-0x00007FF720300000-0x00007FF7206F2000-memory.dmp

Filesize
3.9MB

Download
memory/1544-45-0x00007FF720300000-0x00007FF7206F2000-memory.dmp

Filesize
3.9MB

Download
memory/1584-354-0x00007FF7D5500000-0x00007FF7D58F2000-memory.dmp

Filesize
3.9MB

Download
memory/1584-2701-0x00007FF7D5500000-0x00007FF7D58F2000-memory.dmp

Filesize
3.9MB

Download
memory/1608-93-0x00007FF629E40000-0x00007FF62A232000-memory.dmp

Filesize
3.9MB

Download
memory/1608-2675-0x00007FF629E40000-0x00007FF62A232000-memory.dmp

Filesize
3.9MB

Download
memory/1792-0-0x00007FF782DD0000-0x00007FF7831C2000-memory.dmp

Filesize
3.9MB

Download
memory/1792-1-0x000001FE2A390000-0x000001FE2A3A0000-memory.dmp

Filesize
64KB

Download
memory/2076-351-0x000001DBDFE30000-0x000001DBE05D6000-memory.dmp

Filesize
7.6MB

Download
memory/2076-27-0x000001DBC6E30000-0x000001DBC6E40000-memory.dmp

Filesize
64KB

Download
memory/2076-26-0x000001DBC6E30000-0x000001DBC6E40000-memory.dmp

Filesize
64KB

Download
memory/2076-25-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download
memory/2076-24-0x000001DBDF310000-0x000001DBDF332000-memory.dmp

Filesize
136KB

Download
memory/2076-2650-0x00007FFD6E660000-0x00007FFD6F121000-memory.dmp

Filesize
10.8MB

Download
memory/2104-62-0x00007FF76D040000-0x00007FF76D432000-memory.dmp

Filesize
3.9MB

Download
memory/2104-2669-0x00007FF76D040000-0x00007FF76D432000-memory.dmp

Filesize
3.9MB

Download
memory/2144-101-0x00007FF672E00000-0x00007FF6731F2000-memory.dmp

Filesize
3.9MB

Download
memory/2144-2690-0x00007FF672E00000-0x00007FF6731F2000-memory.dmp

Filesize
3.9MB

Download
memory/2308-2691-0x00007FF7D3C00000-0x00007FF7D3FF2000-memory.dmp

Filesize
3.9MB

Download
memory/2308-2610-0x00007FF7D3C00000-0x00007FF7D3FF2000-memory.dmp

Filesize
3.9MB

Download
memory/2308-92-0x00007FF7D3C00000-0x00007FF7D3FF2000-memory.dmp

Filesize
3.9MB

Download
memory/2372-2695-0x00007FF61CDD0000-0x00007FF61D1C2000-memory.dmp

Filesize
3.9MB

Download
memory/2372-335-0x00007FF61CDD0000-0x00007FF61D1C2000-memory.dmp

Filesize
3.9MB

Download
memory/2668-88-0x00007FF6112D0000-0x00007FF6116C2000-memory.dmp

Filesize
3.9MB

Download
memory/2668-2681-0x00007FF6112D0000-0x00007FF6116C2000-memory.dmp

Filesize
3.9MB

Download
memory/3500-94-0x00007FF6110B0000-0x00007FF6114A2000-memory.dmp

Filesize
3.9MB

Download
memory/3500-2687-0x00007FF6110B0000-0x00007FF6114A2000-memory.dmp

Filesize
3.9MB

Download
memory/3888-2667-0x00007FF640370000-0x00007FF640762000-memory.dmp

Filesize
3.9MB

Download
memory/3888-28-0x00007FF640370000-0x00007FF640762000-memory.dmp

Filesize
3.9MB

Download
memory/3960-2697-0x00007FF67A100000-0x00007FF67A4F2000-memory.dmp

Filesize
3.9MB

Download
memory/3960-346-0x00007FF67A100000-0x00007FF67A4F2000-memory.dmp

Filesize
3.9MB

Download
memory/4112-362-0x00007FF71B600000-0x00007FF71B9F2000-memory.dmp

Filesize
3.9MB

Download
memory/4112-2710-0x00007FF71B600000-0x00007FF71B9F2000-memory.dmp

Filesize
3.9MB

Download
memory/4708-2693-0x00007FF719520000-0x00007FF719912000-memory.dmp

Filesize
3.9MB

Download
memory/4708-327-0x00007FF719520000-0x00007FF719912000-memory.dmp

Filesize
3.9MB

Download
memory/4996-2677-0x00007FF720AC0000-0x00007FF720EB2000-memory.dmp

Filesize
3.9MB

Download
memory/4996-74-0x00007FF720AC0000-0x00007FF720EB2000-memory.dmp

Filesize
3.9MB

Download
memory/5004-353-0x00007FF78AE50000-0x00007FF78B242000-memory.dmp

Filesize
3.9MB

Download
memory/5004-2699-0x00007FF78AE50000-0x00007FF78B242000-memory.dmp

Filesize
3.9MB

Download