xmrig | e81b746af331095207d84ba53a7ab9d25585c49e0ff9b11a2e736c7a3b37d787

Analysis

max time kernel
92s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 17:26 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
Size

1.9MB
MD5

08377e9296f614b33f74d8cbc937d626
SHA1

f6248ab89cea3b08ae723ed02504e03f4745fd2a
SHA256

e81b746af331095207d84ba53a7ab9d25585c49e0ff9b11a2e736c7a3b37d787
SHA512

dd69d539f98f873a5a4779a76e01ba775888a03da3be60bf84864f1ac9372a1f95ad07c16f5b82d8386b22dd2abe68129888aae151aa324c9524d70868ac2d94
SSDEEP

49152:Lz071uv4BPMkibTIA5KIP7nTrmBhihM5xC+UO:NAB/

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

resource	yara_rule
behavioral2/memory/3096-42-0x00007FF7E00A0000-0x00007FF7E0492000-memory.dmp	xmrig
behavioral2/memory/3536-32-0x00007FF6DF520000-0x00007FF6DF912000-memory.dmp	xmrig
behavioral2/memory/2236-419-0x00007FF765FE0000-0x00007FF7663D2000-memory.dmp	xmrig
behavioral2/memory/1748-435-0x00007FF65D590000-0x00007FF65D982000-memory.dmp	xmrig
behavioral2/memory/2068-444-0x00007FF708BA0000-0x00007FF708F92000-memory.dmp	xmrig
behavioral2/memory/4184-439-0x00007FF68D830000-0x00007FF68DC22000-memory.dmp	xmrig
behavioral2/memory/3052-430-0x00007FF6D3D20000-0x00007FF6D4112000-memory.dmp	xmrig
behavioral2/memory/1464-427-0x00007FF634D40000-0x00007FF635132000-memory.dmp	xmrig
behavioral2/memory/428-421-0x00007FF7008E0000-0x00007FF700CD2000-memory.dmp	xmrig
behavioral2/memory/3024-456-0x00007FF72A1F0000-0x00007FF72A5E2000-memory.dmp	xmrig
behavioral2/memory/980-448-0x00007FF654F00000-0x00007FF6552F2000-memory.dmp	xmrig
behavioral2/memory/2604-469-0x00007FF71DDE0000-0x00007FF71E1D2000-memory.dmp	xmrig
behavioral2/memory/2556-491-0x00007FF7CE290000-0x00007FF7CE682000-memory.dmp	xmrig
behavioral2/memory/3176-508-0x00007FF7BA520000-0x00007FF7BA912000-memory.dmp	xmrig
behavioral2/memory/5104-506-0x00007FF660FE0000-0x00007FF6613D2000-memory.dmp	xmrig
behavioral2/memory/640-499-0x00007FF646A60000-0x00007FF646E52000-memory.dmp	xmrig
behavioral2/memory/3344-496-0x00007FF6A5D00000-0x00007FF6A60F2000-memory.dmp	xmrig
behavioral2/memory/4552-476-0x00007FF631F90000-0x00007FF632382000-memory.dmp	xmrig
behavioral2/memory/4016-468-0x00007FF73E020000-0x00007FF73E412000-memory.dmp	xmrig
behavioral2/memory/1940-3060-0x00007FF6D99A0000-0x00007FF6D9D92000-memory.dmp	xmrig
behavioral2/memory/2252-3061-0x00007FF6F41B0000-0x00007FF6F45A2000-memory.dmp	xmrig
behavioral2/memory/2556-3091-0x00007FF7CE290000-0x00007FF7CE682000-memory.dmp	xmrig
behavioral2/memory/3536-3093-0x00007FF6DF520000-0x00007FF6DF912000-memory.dmp	xmrig
behavioral2/memory/3096-3095-0x00007FF7E00A0000-0x00007FF7E0492000-memory.dmp	xmrig
behavioral2/memory/1940-3099-0x00007FF6D99A0000-0x00007FF6D9D92000-memory.dmp	xmrig
behavioral2/memory/3344-3098-0x00007FF6A5D00000-0x00007FF6A60F2000-memory.dmp	xmrig
behavioral2/memory/2236-3101-0x00007FF765FE0000-0x00007FF7663D2000-memory.dmp	xmrig
behavioral2/memory/640-3103-0x00007FF646A60000-0x00007FF646E52000-memory.dmp	xmrig
behavioral2/memory/428-3106-0x00007FF7008E0000-0x00007FF700CD2000-memory.dmp	xmrig
behavioral2/memory/2252-3107-0x00007FF6F41B0000-0x00007FF6F45A2000-memory.dmp	xmrig
behavioral2/memory/5104-3109-0x00007FF660FE0000-0x00007FF6613D2000-memory.dmp	xmrig
behavioral2/memory/1748-3113-0x00007FF65D590000-0x00007FF65D982000-memory.dmp	xmrig
behavioral2/memory/1464-3117-0x00007FF634D40000-0x00007FF635132000-memory.dmp	xmrig
behavioral2/memory/3052-3112-0x00007FF6D3D20000-0x00007FF6D4112000-memory.dmp	xmrig
behavioral2/memory/3176-3115-0x00007FF7BA520000-0x00007FF7BA912000-memory.dmp	xmrig
behavioral2/memory/4184-3121-0x00007FF68D830000-0x00007FF68DC22000-memory.dmp	xmrig
behavioral2/memory/2068-3120-0x00007FF708BA0000-0x00007FF708F92000-memory.dmp	xmrig
behavioral2/memory/3024-3126-0x00007FF72A1F0000-0x00007FF72A5E2000-memory.dmp	xmrig
behavioral2/memory/4016-3127-0x00007FF73E020000-0x00007FF73E412000-memory.dmp	xmrig
behavioral2/memory/980-3124-0x00007FF654F00000-0x00007FF6552F2000-memory.dmp	xmrig
behavioral2/memory/2604-3129-0x00007FF71DDE0000-0x00007FF71E1D2000-memory.dmp	xmrig
behavioral2/memory/4552-3131-0x00007FF631F90000-0x00007FF632382000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	60	powershell.exe
5	60	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2556	peSPVcU.exe
3536	yrxyQln.exe
3096	cwuPvmu.exe
1940	zIkCEcu.exe
3344	JHDOgMK.exe
2252	PcRkiGx.exe
2236	AudLtPA.exe
640	zSrzvcw.exe
428	NiTGXEy.exe
5104	JsZZFeu.exe
3176	onNNOTB.exe
1464	fsQxJvI.exe
3052	FkhFpyv.exe
1748	jKdnVCx.exe
4184	VWWnXXr.exe
2068	olzBTHU.exe
980	AdFiDrG.exe
3024	DjFXMqm.exe
4016	CFEPnrh.exe
2604	yqyfQae.exe
4552	inXZtZM.exe
1368	OccljFM.exe
4188	gJpQpso.exe
744	ydqTWYO.exe
1904	cbwqCWg.exe
3272	qLaWLcK.exe
4948	JujCSOM.exe
2700	HRKBNvY.exe
380	gXHAZgx.exe
1484	wunNlsd.exe
3508	YgWAgjJ.exe
2440	LWmwNAb.exe
4132	EycgeQY.exe
3688	RRmnLXT.exe
2924	bIVqybq.exe
2636	NyOeLmJ.exe
4628	bnZDEyH.exe
2008	wfKHAlf.exe
4012	XctxFyS.exe
2640	qxRfPho.exe
4476	HxPfqBY.exe
3208	QjIsBll.exe
5092	zYQBZaG.exe
4756	gqPXCag.exe
460	gVrEwba.exe
4872	lEbqewf.exe
4152	NBybmEY.exe
3180	snSqMWi.exe
4636	CQcFoUF.exe
2084	VPVvKlP.exe
2080	UfnajyE.exe
5028	owZhcCe.exe
3424	IBuUvXZ.exe
3032	eeDuhhC.exe
812	lWgFjAE.exe
1144	MnTlulg.exe
4652	FDqXVyK.exe
2028	qZMaDOr.exe
748	gutHagb.exe
3540	vgyHpCv.exe
4228	OFoLPWh.exe
4928	HPhxsRA.exe
1620	LVLKKxd.exe
1600	gdBEoLQ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5116-0-0x00007FF6B1080000-0x00007FF6B1472000-memory.dmp	upx
behavioral2/files/0x0008000000023420-5.dat	upx
behavioral2/files/0x0007000000023424-7.dat	upx
behavioral2/files/0x0008000000023423-9.dat	upx
behavioral2/files/0x0007000000023426-27.dat	upx
behavioral2/files/0x0007000000023427-30.dat	upx
behavioral2/files/0x0007000000023425-35.dat	upx
behavioral2/files/0x0007000000023428-57.dat	upx
behavioral2/files/0x000700000002342a-62.dat	upx
behavioral2/files/0x000700000002342d-72.dat	upx
behavioral2/files/0x000800000002342c-77.dat	upx
behavioral2/files/0x000700000002342e-82.dat	upx
behavioral2/files/0x000700000002342f-87.dat	upx
behavioral2/files/0x000800000002342b-85.dat	upx
behavioral2/files/0x0007000000023431-100.dat	upx
behavioral2/files/0x0007000000023434-111.dat	upx
behavioral2/files/0x0007000000023435-120.dat	upx
behavioral2/files/0x0007000000023437-130.dat	upx
behavioral2/files/0x000700000002343b-150.dat	upx
behavioral2/files/0x0007000000023440-177.dat	upx
behavioral2/files/0x0007000000023442-179.dat	upx
behavioral2/files/0x0007000000023441-174.dat	upx
behavioral2/files/0x000700000002343f-169.dat	upx
behavioral2/files/0x000700000002343e-165.dat	upx
behavioral2/files/0x000700000002343d-160.dat	upx
behavioral2/files/0x000700000002343c-155.dat	upx
behavioral2/files/0x000700000002343a-145.dat	upx
behavioral2/files/0x0007000000023439-140.dat	upx
behavioral2/files/0x0007000000023438-135.dat	upx
behavioral2/files/0x0007000000023436-124.dat	upx
behavioral2/files/0x0007000000023433-109.dat	upx
behavioral2/files/0x0007000000023432-105.dat	upx
behavioral2/files/0x0007000000023430-94.dat	upx
behavioral2/memory/2252-67-0x00007FF6F41B0000-0x00007FF6F45A2000-memory.dmp	upx
behavioral2/files/0x0007000000023429-60.dat	upx
behavioral2/memory/1940-56-0x00007FF6D99A0000-0x00007FF6D9D92000-memory.dmp	upx
behavioral2/memory/3096-42-0x00007FF7E00A0000-0x00007FF7E0492000-memory.dmp	upx
behavioral2/memory/3536-32-0x00007FF6DF520000-0x00007FF6DF912000-memory.dmp	upx
behavioral2/memory/2236-419-0x00007FF765FE0000-0x00007FF7663D2000-memory.dmp	upx
behavioral2/memory/1748-435-0x00007FF65D590000-0x00007FF65D982000-memory.dmp	upx
behavioral2/memory/2068-444-0x00007FF708BA0000-0x00007FF708F92000-memory.dmp	upx
behavioral2/memory/4184-439-0x00007FF68D830000-0x00007FF68DC22000-memory.dmp	upx
behavioral2/memory/3052-430-0x00007FF6D3D20000-0x00007FF6D4112000-memory.dmp	upx
behavioral2/memory/1464-427-0x00007FF634D40000-0x00007FF635132000-memory.dmp	upx
behavioral2/memory/428-421-0x00007FF7008E0000-0x00007FF700CD2000-memory.dmp	upx
behavioral2/memory/3024-456-0x00007FF72A1F0000-0x00007FF72A5E2000-memory.dmp	upx
behavioral2/memory/980-448-0x00007FF654F00000-0x00007FF6552F2000-memory.dmp	upx
behavioral2/memory/2604-469-0x00007FF71DDE0000-0x00007FF71E1D2000-memory.dmp	upx
behavioral2/memory/2556-491-0x00007FF7CE290000-0x00007FF7CE682000-memory.dmp	upx
behavioral2/memory/3176-508-0x00007FF7BA520000-0x00007FF7BA912000-memory.dmp	upx
behavioral2/memory/5104-506-0x00007FF660FE0000-0x00007FF6613D2000-memory.dmp	upx
behavioral2/memory/640-499-0x00007FF646A60000-0x00007FF646E52000-memory.dmp	upx
behavioral2/memory/3344-496-0x00007FF6A5D00000-0x00007FF6A60F2000-memory.dmp	upx
behavioral2/memory/4552-476-0x00007FF631F90000-0x00007FF632382000-memory.dmp	upx
behavioral2/memory/4016-468-0x00007FF73E020000-0x00007FF73E412000-memory.dmp	upx
behavioral2/memory/1940-3060-0x00007FF6D99A0000-0x00007FF6D9D92000-memory.dmp	upx
behavioral2/memory/2252-3061-0x00007FF6F41B0000-0x00007FF6F45A2000-memory.dmp	upx
behavioral2/memory/2556-3091-0x00007FF7CE290000-0x00007FF7CE682000-memory.dmp	upx
behavioral2/memory/3536-3093-0x00007FF6DF520000-0x00007FF6DF912000-memory.dmp	upx
behavioral2/memory/3096-3095-0x00007FF7E00A0000-0x00007FF7E0492000-memory.dmp	upx
behavioral2/memory/1940-3099-0x00007FF6D99A0000-0x00007FF6D9D92000-memory.dmp	upx
behavioral2/memory/3344-3098-0x00007FF6A5D00000-0x00007FF6A60F2000-memory.dmp	upx
behavioral2/memory/2236-3101-0x00007FF765FE0000-0x00007FF7663D2000-memory.dmp	upx
behavioral2/memory/640-3103-0x00007FF646A60000-0x00007FF646E52000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\GdkpbZu.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\UAkUbEe.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\kzgcino.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\QqoKaMS.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\XRMpDal.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\WffcBMl.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\JaHMCfV.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\wUFYsUU.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\ahqAysv.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\OLfJzRk.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\DIklldT.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\OfbgwBV.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\GtYFqHe.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\RVmlNpe.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\clivnHl.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\xNRygOk.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\bpOhqCd.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\zTgpQtq.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\cnhSVgZ.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\mGjvnIQ.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\poHgQHA.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\SpsnRqI.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\uJVvFbI.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\vegThVI.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\AhPCOQh.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\AoPbOuK.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\hEIgNOC.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\IfkoLKl.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\NLntuCC.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\dzaquiq.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\IAqmMJN.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\otpLFxi.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\ESvgcGA.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\vefFEUB.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\AzfBoDj.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\rHUOSXv.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\NfJroti.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\GpKYnmi.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\tVQnnAW.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\hbzkbbJ.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\mDBTCSh.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\zSNWEIo.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\XFbnHjK.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\WvtpiXe.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\XpWsfUX.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\npoRmDL.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\HmMMagK.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\zokxZDj.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\VYjopxf.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\qaTAWnf.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\DMCJnnZ.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\sOSvBzy.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\PxJIVFX.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\nyUcWzE.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\vNakmpH.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\YqXqeys.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\wvyfeWg.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\VNHbpyK.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\thdzOWr.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\dSNCqmU.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\TiyAACe.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\leopCpi.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\MuZAyjD.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
File created	C:\Windows\System\HEPhkPT.exe	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
60	powershell.exe
60	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeLockMemoryPrivilege	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 60	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	83
PID 5116 wrote to memory of 60	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	83
PID 5116 wrote to memory of 2556	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	84
PID 5116 wrote to memory of 2556	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	84
PID 5116 wrote to memory of 3536	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	85
PID 5116 wrote to memory of 3536	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	85
PID 5116 wrote to memory of 3096	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	86
PID 5116 wrote to memory of 3096	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	86
PID 5116 wrote to memory of 1940	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	87
PID 5116 wrote to memory of 1940	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	87
PID 5116 wrote to memory of 3344	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	88
PID 5116 wrote to memory of 3344	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	88
PID 5116 wrote to memory of 2252	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	89
PID 5116 wrote to memory of 2252	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	89
PID 5116 wrote to memory of 2236	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	90
PID 5116 wrote to memory of 2236	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	90
PID 5116 wrote to memory of 640	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	91
PID 5116 wrote to memory of 640	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	91
PID 5116 wrote to memory of 428	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	92
PID 5116 wrote to memory of 428	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	92
PID 5116 wrote to memory of 5104	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	93
PID 5116 wrote to memory of 5104	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	93
PID 5116 wrote to memory of 3176	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	94
PID 5116 wrote to memory of 3176	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	94
PID 5116 wrote to memory of 1464	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	95
PID 5116 wrote to memory of 1464	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	95
PID 5116 wrote to memory of 3052	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	96
PID 5116 wrote to memory of 3052	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	96
PID 5116 wrote to memory of 1748	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	97
PID 5116 wrote to memory of 1748	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	97
PID 5116 wrote to memory of 4184	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	98
PID 5116 wrote to memory of 4184	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	98
PID 5116 wrote to memory of 2068	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	99
PID 5116 wrote to memory of 2068	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	99
PID 5116 wrote to memory of 980	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	100
PID 5116 wrote to memory of 980	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	100
PID 5116 wrote to memory of 3024	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	101
PID 5116 wrote to memory of 3024	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	101
PID 5116 wrote to memory of 4016	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	102
PID 5116 wrote to memory of 4016	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	102
PID 5116 wrote to memory of 2604	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	103
PID 5116 wrote to memory of 2604	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	103
PID 5116 wrote to memory of 4552	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	104
PID 5116 wrote to memory of 4552	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	104
PID 5116 wrote to memory of 1368	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	105
PID 5116 wrote to memory of 1368	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	105
PID 5116 wrote to memory of 4188	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	106
PID 5116 wrote to memory of 4188	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	106
PID 5116 wrote to memory of 744	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	107
PID 5116 wrote to memory of 744	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	107
PID 5116 wrote to memory of 1904	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	108
PID 5116 wrote to memory of 1904	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	108
PID 5116 wrote to memory of 3272	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	109
PID 5116 wrote to memory of 3272	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	109
PID 5116 wrote to memory of 4948	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	110
PID 5116 wrote to memory of 4948	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	110
PID 5116 wrote to memory of 2700	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	111
PID 5116 wrote to memory of 2700	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	111
PID 5116 wrote to memory of 380	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	112
PID 5116 wrote to memory of 380	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	112
PID 5116 wrote to memory of 1484	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	113
PID 5116 wrote to memory of 1484	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	113
PID 5116 wrote to memory of 3508	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	114
PID 5116 wrote to memory of 3508	5116	08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:60
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "60" "2952" "2888" "2956" "0" "0" "2960" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13164
- C:\Windows\System\peSPVcU.exe
  C:\Windows\System\peSPVcU.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\yrxyQln.exe
  C:\Windows\System\yrxyQln.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\cwuPvmu.exe
  C:\Windows\System\cwuPvmu.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\zIkCEcu.exe
  C:\Windows\System\zIkCEcu.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\JHDOgMK.exe
  C:\Windows\System\JHDOgMK.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\PcRkiGx.exe
  C:\Windows\System\PcRkiGx.exe
  2⤵
  - Executes dropped EXE
  PID:2252
- C:\Windows\System\AudLtPA.exe
  C:\Windows\System\AudLtPA.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\zSrzvcw.exe
  C:\Windows\System\zSrzvcw.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\NiTGXEy.exe
  C:\Windows\System\NiTGXEy.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\JsZZFeu.exe
  C:\Windows\System\JsZZFeu.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\onNNOTB.exe
  C:\Windows\System\onNNOTB.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\fsQxJvI.exe
  C:\Windows\System\fsQxJvI.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\FkhFpyv.exe
  C:\Windows\System\FkhFpyv.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\jKdnVCx.exe
  C:\Windows\System\jKdnVCx.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\VWWnXXr.exe
  C:\Windows\System\VWWnXXr.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\olzBTHU.exe
  C:\Windows\System\olzBTHU.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\AdFiDrG.exe
  C:\Windows\System\AdFiDrG.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\DjFXMqm.exe
  C:\Windows\System\DjFXMqm.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\CFEPnrh.exe
  C:\Windows\System\CFEPnrh.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\yqyfQae.exe
  C:\Windows\System\yqyfQae.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\inXZtZM.exe
  C:\Windows\System\inXZtZM.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\OccljFM.exe
  C:\Windows\System\OccljFM.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\gJpQpso.exe
  C:\Windows\System\gJpQpso.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\ydqTWYO.exe
  C:\Windows\System\ydqTWYO.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\cbwqCWg.exe
  C:\Windows\System\cbwqCWg.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\qLaWLcK.exe
  C:\Windows\System\qLaWLcK.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\JujCSOM.exe
  C:\Windows\System\JujCSOM.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\HRKBNvY.exe
  C:\Windows\System\HRKBNvY.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\gXHAZgx.exe
  C:\Windows\System\gXHAZgx.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\wunNlsd.exe
  C:\Windows\System\wunNlsd.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\YgWAgjJ.exe
  C:\Windows\System\YgWAgjJ.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\LWmwNAb.exe
  C:\Windows\System\LWmwNAb.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\EycgeQY.exe
  C:\Windows\System\EycgeQY.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\RRmnLXT.exe
  C:\Windows\System\RRmnLXT.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\bIVqybq.exe
  C:\Windows\System\bIVqybq.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\NyOeLmJ.exe
  C:\Windows\System\NyOeLmJ.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\bnZDEyH.exe
  C:\Windows\System\bnZDEyH.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\wfKHAlf.exe
  C:\Windows\System\wfKHAlf.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\XctxFyS.exe
  C:\Windows\System\XctxFyS.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\qxRfPho.exe
  C:\Windows\System\qxRfPho.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\HxPfqBY.exe
  C:\Windows\System\HxPfqBY.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\QjIsBll.exe
  C:\Windows\System\QjIsBll.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\zYQBZaG.exe
  C:\Windows\System\zYQBZaG.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\gqPXCag.exe
  C:\Windows\System\gqPXCag.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\gVrEwba.exe
  C:\Windows\System\gVrEwba.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System\lEbqewf.exe
  C:\Windows\System\lEbqewf.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\NBybmEY.exe
  C:\Windows\System\NBybmEY.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\snSqMWi.exe
  C:\Windows\System\snSqMWi.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\CQcFoUF.exe
  C:\Windows\System\CQcFoUF.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\VPVvKlP.exe
  C:\Windows\System\VPVvKlP.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\UfnajyE.exe
  C:\Windows\System\UfnajyE.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\owZhcCe.exe
  C:\Windows\System\owZhcCe.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\IBuUvXZ.exe
  C:\Windows\System\IBuUvXZ.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\eeDuhhC.exe
  C:\Windows\System\eeDuhhC.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\lWgFjAE.exe
  C:\Windows\System\lWgFjAE.exe
  2⤵
  - Executes dropped EXE
  PID:812
- C:\Windows\System\MnTlulg.exe
  C:\Windows\System\MnTlulg.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\FDqXVyK.exe
  C:\Windows\System\FDqXVyK.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\qZMaDOr.exe
  C:\Windows\System\qZMaDOr.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\gutHagb.exe
  C:\Windows\System\gutHagb.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\vgyHpCv.exe
  C:\Windows\System\vgyHpCv.exe
  2⤵
  - Executes dropped EXE
  PID:3540
- C:\Windows\System\OFoLPWh.exe
  C:\Windows\System\OFoLPWh.exe
  2⤵
  - Executes dropped EXE
  PID:4228
- C:\Windows\System\HPhxsRA.exe
  C:\Windows\System\HPhxsRA.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\LVLKKxd.exe
  C:\Windows\System\LVLKKxd.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\gdBEoLQ.exe
  C:\Windows\System\gdBEoLQ.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\WNARAMg.exe
  C:\Windows\System\WNARAMg.exe
  2⤵
  PID:4344
- C:\Windows\System\XgOCCsD.exe
  C:\Windows\System\XgOCCsD.exe
  2⤵
  PID:1304
- C:\Windows\System\xrobxff.exe
  C:\Windows\System\xrobxff.exe
  2⤵
  PID:3292
- C:\Windows\System\OSiJOfl.exe
  C:\Windows\System\OSiJOfl.exe
  2⤵
  PID:4760
- C:\Windows\System\DXZwJCM.exe
  C:\Windows\System\DXZwJCM.exe
  2⤵
  PID:4020
- C:\Windows\System\dcGfLwh.exe
  C:\Windows\System\dcGfLwh.exe
  2⤵
  PID:3144
- C:\Windows\System\YfqfDYa.exe
  C:\Windows\System\YfqfDYa.exe
  2⤵
  PID:3740
- C:\Windows\System\WLUjhCN.exe
  C:\Windows\System\WLUjhCN.exe
  2⤵
  PID:4584
- C:\Windows\System\hULZlGL.exe
  C:\Windows\System\hULZlGL.exe
  2⤵
  PID:1900
- C:\Windows\System\BrLeOPo.exe
  C:\Windows\System\BrLeOPo.exe
  2⤵
  PID:3828
- C:\Windows\System\RUZmByG.exe
  C:\Windows\System\RUZmByG.exe
  2⤵
  PID:2596
- C:\Windows\System\ntDIZZB.exe
  C:\Windows\System\ntDIZZB.exe
  2⤵
  PID:3716
- C:\Windows\System\nVIaGrl.exe
  C:\Windows\System\nVIaGrl.exe
  2⤵
  PID:3308
- C:\Windows\System\mAYVQtF.exe
  C:\Windows\System\mAYVQtF.exe
  2⤵
  PID:5128
- C:\Windows\System\KjPVvgb.exe
  C:\Windows\System\KjPVvgb.exe
  2⤵
  PID:5156
- C:\Windows\System\aakXQQw.exe
  C:\Windows\System\aakXQQw.exe
  2⤵
  PID:5184
- C:\Windows\System\xKHqLsq.exe
  C:\Windows\System\xKHqLsq.exe
  2⤵
  PID:5212
- C:\Windows\System\ZlnTbNu.exe
  C:\Windows\System\ZlnTbNu.exe
  2⤵
  PID:5240
- C:\Windows\System\xIwplih.exe
  C:\Windows\System\xIwplih.exe
  2⤵
  PID:5268
- C:\Windows\System\YxeutpD.exe
  C:\Windows\System\YxeutpD.exe
  2⤵
  PID:5296
- C:\Windows\System\zIxeOBq.exe
  C:\Windows\System\zIxeOBq.exe
  2⤵
  PID:5324
- C:\Windows\System\APqlZUB.exe
  C:\Windows\System\APqlZUB.exe
  2⤵
  PID:5352
- C:\Windows\System\FGuuauD.exe
  C:\Windows\System\FGuuauD.exe
  2⤵
  PID:5380
- C:\Windows\System\LULKyxl.exe
  C:\Windows\System\LULKyxl.exe
  2⤵
  PID:5408
- C:\Windows\System\doWjWmC.exe
  C:\Windows\System\doWjWmC.exe
  2⤵
  PID:5436
- C:\Windows\System\kXtoLtX.exe
  C:\Windows\System\kXtoLtX.exe
  2⤵
  PID:5464
- C:\Windows\System\MtsPHNT.exe
  C:\Windows\System\MtsPHNT.exe
  2⤵
  PID:5492
- C:\Windows\System\ESuieCn.exe
  C:\Windows\System\ESuieCn.exe
  2⤵
  PID:5520
- C:\Windows\System\mtzKfFr.exe
  C:\Windows\System\mtzKfFr.exe
  2⤵
  PID:5548
- C:\Windows\System\MsjpOiK.exe
  C:\Windows\System\MsjpOiK.exe
  2⤵
  PID:5576
- C:\Windows\System\FRWrlAh.exe
  C:\Windows\System\FRWrlAh.exe
  2⤵
  PID:5604
- C:\Windows\System\BYrGKfn.exe
  C:\Windows\System\BYrGKfn.exe
  2⤵
  PID:5632
- C:\Windows\System\HdDXdAW.exe
  C:\Windows\System\HdDXdAW.exe
  2⤵
  PID:5660
- C:\Windows\System\iedQFQK.exe
  C:\Windows\System\iedQFQK.exe
  2⤵
  PID:5688
- C:\Windows\System\fbVvBqv.exe
  C:\Windows\System\fbVvBqv.exe
  2⤵
  PID:5716
- C:\Windows\System\PcOtuSj.exe
  C:\Windows\System\PcOtuSj.exe
  2⤵
  PID:5744
- C:\Windows\System\CWYzYfr.exe
  C:\Windows\System\CWYzYfr.exe
  2⤵
  PID:5772
- C:\Windows\System\gzVSBPS.exe
  C:\Windows\System\gzVSBPS.exe
  2⤵
  PID:5800
- C:\Windows\System\QyMjdZw.exe
  C:\Windows\System\QyMjdZw.exe
  2⤵
  PID:5828
- C:\Windows\System\JLksyYJ.exe
  C:\Windows\System\JLksyYJ.exe
  2⤵
  PID:5888
- C:\Windows\System\jhLMWxZ.exe
  C:\Windows\System\jhLMWxZ.exe
  2⤵
  PID:5908
- C:\Windows\System\eIzQoVJ.exe
  C:\Windows\System\eIzQoVJ.exe
  2⤵
  PID:5924
- C:\Windows\System\mgwJrhx.exe
  C:\Windows\System\mgwJrhx.exe
  2⤵
  PID:5940
- C:\Windows\System\UxFAvyt.exe
  C:\Windows\System\UxFAvyt.exe
  2⤵
  PID:5968
- C:\Windows\System\lGhPieH.exe
  C:\Windows\System\lGhPieH.exe
  2⤵
  PID:5992
- C:\Windows\System\EcVKvOL.exe
  C:\Windows\System\EcVKvOL.exe
  2⤵
  PID:6020
- C:\Windows\System\VCZtqJv.exe
  C:\Windows\System\VCZtqJv.exe
  2⤵
  PID:6048
- C:\Windows\System\gbvcAmH.exe
  C:\Windows\System\gbvcAmH.exe
  2⤵
  PID:6104
- C:\Windows\System\yxHhwOw.exe
  C:\Windows\System\yxHhwOw.exe
  2⤵
  PID:6132
- C:\Windows\System\nxtvuCf.exe
  C:\Windows\System\nxtvuCf.exe
  2⤵
  PID:4732
- C:\Windows\System\MWZAdjv.exe
  C:\Windows\System\MWZAdjv.exe
  2⤵
  PID:3928
- C:\Windows\System\FKDgxih.exe
  C:\Windows\System\FKDgxih.exe
  2⤵
  PID:3808
- C:\Windows\System\HAMvzfE.exe
  C:\Windows\System\HAMvzfE.exe
  2⤵
  PID:5148
- C:\Windows\System\TQlWKVY.exe
  C:\Windows\System\TQlWKVY.exe
  2⤵
  PID:2868
- C:\Windows\System\DsApZpn.exe
  C:\Windows\System\DsApZpn.exe
  2⤵
  PID:5280
- C:\Windows\System\lqvFmst.exe
  C:\Windows\System\lqvFmst.exe
  2⤵
  PID:5316
- C:\Windows\System\zmfOWFs.exe
  C:\Windows\System\zmfOWFs.exe
  2⤵
  PID:5372
- C:\Windows\System\upAcRTh.exe
  C:\Windows\System\upAcRTh.exe
  2⤵
  PID:5424
- C:\Windows\System\FQqbuvY.exe
  C:\Windows\System\FQqbuvY.exe
  2⤵
  PID:5452
- C:\Windows\System\NelncAK.exe
  C:\Windows\System\NelncAK.exe
  2⤵
  PID:5012
- C:\Windows\System\sfyRqpv.exe
  C:\Windows\System\sfyRqpv.exe
  2⤵
  PID:5540
- C:\Windows\System\oiUXqRa.exe
  C:\Windows\System\oiUXqRa.exe
  2⤵
  PID:5568
- C:\Windows\System\PCdBzsN.exe
  C:\Windows\System\PCdBzsN.exe
  2⤵
  PID:4916
- C:\Windows\System\UlSwsNB.exe
  C:\Windows\System\UlSwsNB.exe
  2⤵
  PID:5648
- C:\Windows\System\UvxcPNM.exe
  C:\Windows\System\UvxcPNM.exe
  2⤵
  PID:5700
- C:\Windows\System\opYxlPV.exe
  C:\Windows\System\opYxlPV.exe
  2⤵
  PID:5764
- C:\Windows\System\FkWZZsi.exe
  C:\Windows\System\FkWZZsi.exe
  2⤵
  PID:3192
- C:\Windows\System\roflhIg.exe
  C:\Windows\System\roflhIg.exe
  2⤵
  PID:5820
- C:\Windows\System\oIwcnWt.exe
  C:\Windows\System\oIwcnWt.exe
  2⤵
  PID:5860
- C:\Windows\System\vjyODrt.exe
  C:\Windows\System\vjyODrt.exe
  2⤵
  PID:5904
- C:\Windows\System\eGoHmtA.exe
  C:\Windows\System\eGoHmtA.exe
  2⤵
  PID:5932
- C:\Windows\System\FuCdtSe.exe
  C:\Windows\System\FuCdtSe.exe
  2⤵
  PID:5988
- C:\Windows\System\KtXYzVI.exe
  C:\Windows\System\KtXYzVI.exe
  2⤵
  PID:6040
- C:\Windows\System\tSCecfC.exe
  C:\Windows\System\tSCecfC.exe
  2⤵
  PID:1892
- C:\Windows\System\uaJFSca.exe
  C:\Windows\System\uaJFSca.exe
  2⤵
  PID:3092
- C:\Windows\System\MZUAULP.exe
  C:\Windows\System\MZUAULP.exe
  2⤵
  PID:1800
- C:\Windows\System\jbgiJkd.exe
  C:\Windows\System\jbgiJkd.exe
  2⤵
  PID:1972
- C:\Windows\System\zeWkqVV.exe
  C:\Windows\System\zeWkqVV.exe
  2⤵
  PID:1416
- C:\Windows\System\lUrQLBx.exe
  C:\Windows\System\lUrQLBx.exe
  2⤵
  PID:5448
- C:\Windows\System\ElDIOTP.exe
  C:\Windows\System\ElDIOTP.exe
  2⤵
  PID:2884
- C:\Windows\System\wHLprWm.exe
  C:\Windows\System\wHLprWm.exe
  2⤵
  PID:5672
- C:\Windows\System\zjRwXHt.exe
  C:\Windows\System\zjRwXHt.exe
  2⤵
  PID:2792
- C:\Windows\System\AXEBoVX.exe
  C:\Windows\System\AXEBoVX.exe
  2⤵
  PID:1984
- C:\Windows\System\HTdsmtB.exe
  C:\Windows\System\HTdsmtB.exe
  2⤵
  PID:5204
- C:\Windows\System\oRzEhEu.exe
  C:\Windows\System\oRzEhEu.exe
  2⤵
  PID:4660
- C:\Windows\System\PZBBiMp.exe
  C:\Windows\System\PZBBiMp.exe
  2⤵
  PID:5788
- C:\Windows\System\USpYWCv.exe
  C:\Windows\System\USpYWCv.exe
  2⤵
  PID:6088
- C:\Windows\System\ykxrPZB.exe
  C:\Windows\System\ykxrPZB.exe
  2⤵
  PID:2088
- C:\Windows\System\nhBoyHE.exe
  C:\Windows\System\nhBoyHE.exe
  2⤵
  PID:5560
- C:\Windows\System\GBlUAOC.exe
  C:\Windows\System\GBlUAOC.exe
  2⤵
  PID:5956
- C:\Windows\System\PFFbLoJ.exe
  C:\Windows\System\PFFbLoJ.exe
  2⤵
  PID:5420
- C:\Windows\System\zloADjO.exe
  C:\Windows\System\zloADjO.exe
  2⤵
  PID:6160
- C:\Windows\System\wEfdTyU.exe
  C:\Windows\System\wEfdTyU.exe
  2⤵
  PID:6184
- C:\Windows\System\CpeRiwz.exe
  C:\Windows\System\CpeRiwz.exe
  2⤵
  PID:6204
- C:\Windows\System\wcqnJPr.exe
  C:\Windows\System\wcqnJPr.exe
  2⤵
  PID:6228
- C:\Windows\System\CuINJFp.exe
  C:\Windows\System\CuINJFp.exe
  2⤵
  PID:6248
- C:\Windows\System\USdBsaZ.exe
  C:\Windows\System\USdBsaZ.exe
  2⤵
  PID:6268
- C:\Windows\System\WAuHxkg.exe
  C:\Windows\System\WAuHxkg.exe
  2⤵
  PID:6288
- C:\Windows\System\fIOeRlK.exe
  C:\Windows\System\fIOeRlK.exe
  2⤵
  PID:6344
- C:\Windows\System\idotkrB.exe
  C:\Windows\System\idotkrB.exe
  2⤵
  PID:6368
- C:\Windows\System\lSPKSDl.exe
  C:\Windows\System\lSPKSDl.exe
  2⤵
  PID:6388
- C:\Windows\System\aZGZtPh.exe
  C:\Windows\System\aZGZtPh.exe
  2⤵
  PID:6428
- C:\Windows\System\WoauBND.exe
  C:\Windows\System\WoauBND.exe
  2⤵
  PID:6468
- C:\Windows\System\oKZPGGQ.exe
  C:\Windows\System\oKZPGGQ.exe
  2⤵
  PID:6484
- C:\Windows\System\lEOZNjj.exe
  C:\Windows\System\lEOZNjj.exe
  2⤵
  PID:6520
- C:\Windows\System\YKGXeBP.exe
  C:\Windows\System\YKGXeBP.exe
  2⤵
  PID:6540
- C:\Windows\System\hcobvqS.exe
  C:\Windows\System\hcobvqS.exe
  2⤵
  PID:6560
- C:\Windows\System\qiNyIbP.exe
  C:\Windows\System\qiNyIbP.exe
  2⤵
  PID:6584
- C:\Windows\System\OVzkBBn.exe
  C:\Windows\System\OVzkBBn.exe
  2⤵
  PID:6600
- C:\Windows\System\KuGWftc.exe
  C:\Windows\System\KuGWftc.exe
  2⤵
  PID:6652
- C:\Windows\System\ubZwuQT.exe
  C:\Windows\System\ubZwuQT.exe
  2⤵
  PID:6672
- C:\Windows\System\sgqAaxz.exe
  C:\Windows\System\sgqAaxz.exe
  2⤵
  PID:6692
- C:\Windows\System\TxQgfga.exe
  C:\Windows\System\TxQgfga.exe
  2⤵
  PID:6736
- C:\Windows\System\UEVCPaF.exe
  C:\Windows\System\UEVCPaF.exe
  2⤵
  PID:6756
- C:\Windows\System\PKAJdgs.exe
  C:\Windows\System\PKAJdgs.exe
  2⤵
  PID:6776
- C:\Windows\System\HUDjSmJ.exe
  C:\Windows\System\HUDjSmJ.exe
  2⤵
  PID:6812
- C:\Windows\System\OsqBtqR.exe
  C:\Windows\System\OsqBtqR.exe
  2⤵
  PID:6832
- C:\Windows\System\NyyCDSc.exe
  C:\Windows\System\NyyCDSc.exe
  2⤵
  PID:6872
- C:\Windows\System\HyzxoDn.exe
  C:\Windows\System\HyzxoDn.exe
  2⤵
  PID:6904
- C:\Windows\System\EevkoxR.exe
  C:\Windows\System\EevkoxR.exe
  2⤵
  PID:6920
- C:\Windows\System\yhWhANi.exe
  C:\Windows\System\yhWhANi.exe
  2⤵
  PID:6948
- C:\Windows\System\dNAHdrd.exe
  C:\Windows\System\dNAHdrd.exe
  2⤵
  PID:6972
- C:\Windows\System\JzAeoZb.exe
  C:\Windows\System\JzAeoZb.exe
  2⤵
  PID:7008
- C:\Windows\System\YkGWTnu.exe
  C:\Windows\System\YkGWTnu.exe
  2⤵
  PID:7036
- C:\Windows\System\uDhaXHX.exe
  C:\Windows\System\uDhaXHX.exe
  2⤵
  PID:7068
- C:\Windows\System\LdRaReo.exe
  C:\Windows\System\LdRaReo.exe
  2⤵
  PID:7092
- C:\Windows\System\hhFQTfA.exe
  C:\Windows\System\hhFQTfA.exe
  2⤵
  PID:7156
- C:\Windows\System\jvQLCDF.exe
  C:\Windows\System\jvQLCDF.exe
  2⤵
  PID:6008
- C:\Windows\System\QMwjFXl.exe
  C:\Windows\System\QMwjFXl.exe
  2⤵
  PID:6152
- C:\Windows\System\kLGRxQK.exe
  C:\Windows\System\kLGRxQK.exe
  2⤵
  PID:6196
- C:\Windows\System\lxoNiYV.exe
  C:\Windows\System\lxoNiYV.exe
  2⤵
  PID:6284
- C:\Windows\System\lUXZPeU.exe
  C:\Windows\System\lUXZPeU.exe
  2⤵
  PID:6244
- C:\Windows\System\NyAmguE.exe
  C:\Windows\System\NyAmguE.exe
  2⤵
  PID:6316
- C:\Windows\System\whBJLjP.exe
  C:\Windows\System\whBJLjP.exe
  2⤵
  PID:6364
- C:\Windows\System\JhuXcAv.exe
  C:\Windows\System\JhuXcAv.exe
  2⤵
  PID:6400
- C:\Windows\System\MxMVayg.exe
  C:\Windows\System\MxMVayg.exe
  2⤵
  PID:6456
- C:\Windows\System\tRwrkaK.exe
  C:\Windows\System\tRwrkaK.exe
  2⤵
  PID:6480
- C:\Windows\System\QDxcIeR.exe
  C:\Windows\System\QDxcIeR.exe
  2⤵
  PID:6572
- C:\Windows\System\iFavUSh.exe
  C:\Windows\System\iFavUSh.exe
  2⤵
  PID:5680
- C:\Windows\System\LkAbSLS.exe
  C:\Windows\System\LkAbSLS.exe
  2⤵
  PID:6748
- C:\Windows\System\MLVAZUE.exe
  C:\Windows\System\MLVAZUE.exe
  2⤵
  PID:6732
- C:\Windows\System\hiaOkyv.exe
  C:\Windows\System\hiaOkyv.exe
  2⤵
  PID:6808
- C:\Windows\System\ZBtmKci.exe
  C:\Windows\System\ZBtmKci.exe
  2⤵
  PID:6828
- C:\Windows\System\NklHuiB.exe
  C:\Windows\System\NklHuiB.exe
  2⤵
  PID:6892
- C:\Windows\System\szuBeds.exe
  C:\Windows\System\szuBeds.exe
  2⤵
  PID:7052
- C:\Windows\System\IDzcBNy.exe
  C:\Windows\System\IDzcBNy.exe
  2⤵
  PID:7028
- C:\Windows\System\jQpixPM.exe
  C:\Windows\System\jQpixPM.exe
  2⤵
  PID:7164
- C:\Windows\System\opyvryX.exe
  C:\Windows\System\opyvryX.exe
  2⤵
  PID:5512
- C:\Windows\System\VcVdebh.exe
  C:\Windows\System\VcVdebh.exe
  2⤵
  PID:6440
- C:\Windows\System\cqolfBz.exe
  C:\Windows\System\cqolfBz.exe
  2⤵
  PID:6592
- C:\Windows\System\hwnCeeL.exe
  C:\Windows\System\hwnCeeL.exe
  2⤵
  PID:6628
- C:\Windows\System\uRwHdsJ.exe
  C:\Windows\System\uRwHdsJ.exe
  2⤵
  PID:6848
- C:\Windows\System\EJgBBCj.exe
  C:\Windows\System\EJgBBCj.exe
  2⤵
  PID:7148
- C:\Windows\System\soBLSeT.exe
  C:\Windows\System\soBLSeT.exe
  2⤵
  PID:6168
- C:\Windows\System\dyXxTGi.exe
  C:\Windows\System\dyXxTGi.exe
  2⤵
  PID:6100
- C:\Windows\System\rwIVMtN.exe
  C:\Windows\System\rwIVMtN.exe
  2⤵
  PID:6864
- C:\Windows\System\JRUrBxo.exe
  C:\Windows\System\JRUrBxo.exe
  2⤵
  PID:7048
- C:\Windows\System\mZTGKki.exe
  C:\Windows\System\mZTGKki.exe
  2⤵
  PID:6680
- C:\Windows\System\RfnSloF.exe
  C:\Windows\System\RfnSloF.exe
  2⤵
  PID:6956
- C:\Windows\System\LymPaTb.exe
  C:\Windows\System\LymPaTb.exe
  2⤵
  PID:6744
- C:\Windows\System\HzVoSYM.exe
  C:\Windows\System\HzVoSYM.exe
  2⤵
  PID:7204
- C:\Windows\System\CvexuXo.exe
  C:\Windows\System\CvexuXo.exe
  2⤵
  PID:7232
- C:\Windows\System\qyfbQnL.exe
  C:\Windows\System\qyfbQnL.exe
  2⤵
  PID:7260
- C:\Windows\System\fxpBVdH.exe
  C:\Windows\System\fxpBVdH.exe
  2⤵
  PID:7276
- C:\Windows\System\zjnAFiZ.exe
  C:\Windows\System\zjnAFiZ.exe
  2⤵
  PID:7324
- C:\Windows\System\lTzBcjQ.exe
  C:\Windows\System\lTzBcjQ.exe
  2⤵
  PID:7344
- C:\Windows\System\ScfAVie.exe
  C:\Windows\System\ScfAVie.exe
  2⤵
  PID:7372
- C:\Windows\System\qvhEVje.exe
  C:\Windows\System\qvhEVje.exe
  2⤵
  PID:7396
- C:\Windows\System\xRraQyB.exe
  C:\Windows\System\xRraQyB.exe
  2⤵
  PID:7416
- C:\Windows\System\appMFEo.exe
  C:\Windows\System\appMFEo.exe
  2⤵
  PID:7472
- C:\Windows\System\fiOkIfb.exe
  C:\Windows\System\fiOkIfb.exe
  2⤵
  PID:7492
- C:\Windows\System\qPhEwui.exe
  C:\Windows\System\qPhEwui.exe
  2⤵
  PID:7512
- C:\Windows\System\CFKrOyd.exe
  C:\Windows\System\CFKrOyd.exe
  2⤵
  PID:7540
- C:\Windows\System\NwiLDhl.exe
  C:\Windows\System\NwiLDhl.exe
  2⤵
  PID:7568
- C:\Windows\System\tidOhfj.exe
  C:\Windows\System\tidOhfj.exe
  2⤵
  PID:7584
- C:\Windows\System\bSJChPm.exe
  C:\Windows\System\bSJChPm.exe
  2⤵
  PID:7612
- C:\Windows\System\KIkoewy.exe
  C:\Windows\System\KIkoewy.exe
  2⤵
  PID:7636
- C:\Windows\System\OwCPqsC.exe
  C:\Windows\System\OwCPqsC.exe
  2⤵
  PID:7660
- C:\Windows\System\hbzkbbJ.exe
  C:\Windows\System\hbzkbbJ.exe
  2⤵
  PID:7680
- C:\Windows\System\KVqGPUa.exe
  C:\Windows\System\KVqGPUa.exe
  2⤵
  PID:7744
- C:\Windows\System\gVxlYQO.exe
  C:\Windows\System\gVxlYQO.exe
  2⤵
  PID:7764
- C:\Windows\System\UCyeQHn.exe
  C:\Windows\System\UCyeQHn.exe
  2⤵
  PID:7804
- C:\Windows\System\UyQVVLg.exe
  C:\Windows\System\UyQVVLg.exe
  2⤵
  PID:7828
- C:\Windows\System\IAcxbmE.exe
  C:\Windows\System\IAcxbmE.exe
  2⤵
  PID:7848
- C:\Windows\System\PyAIJuO.exe
  C:\Windows\System\PyAIJuO.exe
  2⤵
  PID:7868
- C:\Windows\System\BvgYOrs.exe
  C:\Windows\System\BvgYOrs.exe
  2⤵
  PID:7888
- C:\Windows\System\GPjDgXd.exe
  C:\Windows\System\GPjDgXd.exe
  2⤵
  PID:7936
- C:\Windows\System\tMiyZId.exe
  C:\Windows\System\tMiyZId.exe
  2⤵
  PID:7956
- C:\Windows\System\rUAIREu.exe
  C:\Windows\System\rUAIREu.exe
  2⤵
  PID:7996
- C:\Windows\System\riqJKJG.exe
  C:\Windows\System\riqJKJG.exe
  2⤵
  PID:8020
- C:\Windows\System\MfkIvwh.exe
  C:\Windows\System\MfkIvwh.exe
  2⤵
  PID:8048
- C:\Windows\System\ahqAysv.exe
  C:\Windows\System\ahqAysv.exe
  2⤵
  PID:8068
- C:\Windows\System\REeOHKr.exe
  C:\Windows\System\REeOHKr.exe
  2⤵
  PID:8100
- C:\Windows\System\orlbYRa.exe
  C:\Windows\System\orlbYRa.exe
  2⤵
  PID:8140
- C:\Windows\System\kXgcVsG.exe
  C:\Windows\System\kXgcVsG.exe
  2⤵
  PID:8164
- C:\Windows\System\toGdotx.exe
  C:\Windows\System\toGdotx.exe
  2⤵
  PID:2912
- C:\Windows\System\hqcSxFe.exe
  C:\Windows\System\hqcSxFe.exe
  2⤵
  PID:7224
- C:\Windows\System\qLLMigN.exe
  C:\Windows\System\qLLMigN.exe
  2⤵
  PID:7268
- C:\Windows\System\GEyjaPj.exe
  C:\Windows\System\GEyjaPj.exe
  2⤵
  PID:7380
- C:\Windows\System\KqcHVEW.exe
  C:\Windows\System\KqcHVEW.exe
  2⤵
  PID:7408
- C:\Windows\System\FVNqxLc.exe
  C:\Windows\System\FVNqxLc.exe
  2⤵
  PID:7484
- C:\Windows\System\gpVkqFM.exe
  C:\Windows\System\gpVkqFM.exe
  2⤵
  PID:7508
- C:\Windows\System\qmgSUqb.exe
  C:\Windows\System\qmgSUqb.exe
  2⤵
  PID:7736
- C:\Windows\System\vjDLFEt.exe
  C:\Windows\System\vjDLFEt.exe
  2⤵
  PID:7772
- C:\Windows\System\gjzBrji.exe
  C:\Windows\System\gjzBrji.exe
  2⤵
  PID:7796
- C:\Windows\System\hmNFWlY.exe
  C:\Windows\System\hmNFWlY.exe
  2⤵
  PID:7860
- C:\Windows\System\OAFptgh.exe
  C:\Windows\System\OAFptgh.exe
  2⤵
  PID:7884
- C:\Windows\System\OxRpEEd.exe
  C:\Windows\System\OxRpEEd.exe
  2⤵
  PID:7948
- C:\Windows\System\KaAhBlx.exe
  C:\Windows\System\KaAhBlx.exe
  2⤵
  PID:8036
- C:\Windows\System\VruutVb.exe
  C:\Windows\System\VruutVb.exe
  2⤵
  PID:8156
- C:\Windows\System\RdWKgEH.exe
  C:\Windows\System\RdWKgEH.exe
  2⤵
  PID:6236
- C:\Windows\System\aJmqQIy.exe
  C:\Windows\System\aJmqQIy.exe
  2⤵
  PID:7308
- C:\Windows\System\tclAIwv.exe
  C:\Windows\System\tclAIwv.exe
  2⤵
  PID:7464
- C:\Windows\System\qChxrgR.exe
  C:\Windows\System\qChxrgR.exe
  2⤵
  PID:7364
- C:\Windows\System\HyEBaII.exe
  C:\Windows\System\HyEBaII.exe
  2⤵
  PID:7676
- C:\Windows\System\Jvzxmjb.exe
  C:\Windows\System\Jvzxmjb.exe
  2⤵
  PID:7816
- C:\Windows\System\ZwJqcxT.exe
  C:\Windows\System\ZwJqcxT.exe
  2⤵
  PID:7840
- C:\Windows\System\dEOvydT.exe
  C:\Windows\System\dEOvydT.exe
  2⤵
  PID:8136
- C:\Windows\System\jxuVeTR.exe
  C:\Windows\System\jxuVeTR.exe
  2⤵
  PID:7272
- C:\Windows\System\lXUTIMO.exe
  C:\Windows\System\lXUTIMO.exe
  2⤵
  PID:1292
- C:\Windows\System\GKGbMoa.exe
  C:\Windows\System\GKGbMoa.exe
  2⤵
  PID:7924
- C:\Windows\System\zYuOaVh.exe
  C:\Windows\System\zYuOaVh.exe
  2⤵
  PID:8060
- C:\Windows\System\bFQGVVw.exe
  C:\Windows\System\bFQGVVw.exe
  2⤵
  PID:7504
- C:\Windows\System\wrVWoLq.exe
  C:\Windows\System\wrVWoLq.exe
  2⤵
  PID:8252
- C:\Windows\System\TLpbLPw.exe
  C:\Windows\System\TLpbLPw.exe
  2⤵
  PID:8272
- C:\Windows\System\aHIQdpj.exe
  C:\Windows\System\aHIQdpj.exe
  2⤵
  PID:8308
- C:\Windows\System\aNQXbrn.exe
  C:\Windows\System\aNQXbrn.exe
  2⤵
  PID:8324
- C:\Windows\System\WAZdDVO.exe
  C:\Windows\System\WAZdDVO.exe
  2⤵
  PID:8344
- C:\Windows\System\phvbNRV.exe
  C:\Windows\System\phvbNRV.exe
  2⤵
  PID:8372
- C:\Windows\System\WQJMEFR.exe
  C:\Windows\System\WQJMEFR.exe
  2⤵
  PID:8396
- C:\Windows\System\EEeuRUW.exe
  C:\Windows\System\EEeuRUW.exe
  2⤵
  PID:8416
- C:\Windows\System\QMnncjX.exe
  C:\Windows\System\QMnncjX.exe
  2⤵
  PID:8444
- C:\Windows\System\WKnDbGQ.exe
  C:\Windows\System\WKnDbGQ.exe
  2⤵
  PID:8464
- C:\Windows\System\nqNXRSI.exe
  C:\Windows\System\nqNXRSI.exe
  2⤵
  PID:8496
- C:\Windows\System\BBQOPbd.exe
  C:\Windows\System\BBQOPbd.exe
  2⤵
  PID:8524
- C:\Windows\System\DTaeglW.exe
  C:\Windows\System\DTaeglW.exe
  2⤵
  PID:8560
- C:\Windows\System\GimNFju.exe
  C:\Windows\System\GimNFju.exe
  2⤵
  PID:8584
- C:\Windows\System\SdUQqOQ.exe
  C:\Windows\System\SdUQqOQ.exe
  2⤵
  PID:8612
- C:\Windows\System\JZfxDcg.exe
  C:\Windows\System\JZfxDcg.exe
  2⤵
  PID:8656
- C:\Windows\System\yJNChdc.exe
  C:\Windows\System\yJNChdc.exe
  2⤵
  PID:8692
- C:\Windows\System\XzbslJO.exe
  C:\Windows\System\XzbslJO.exe
  2⤵
  PID:8716
- C:\Windows\System\CNwKfSh.exe
  C:\Windows\System\CNwKfSh.exe
  2⤵
  PID:8744
- C:\Windows\System\zBLZCmw.exe
  C:\Windows\System\zBLZCmw.exe
  2⤵
  PID:8768
- C:\Windows\System\PdPBziL.exe
  C:\Windows\System\PdPBziL.exe
  2⤵
  PID:8788
- C:\Windows\System\rnsSuNc.exe
  C:\Windows\System\rnsSuNc.exe
  2⤵
  PID:8832
- C:\Windows\System\yywjYqA.exe
  C:\Windows\System\yywjYqA.exe
  2⤵
  PID:8856
- C:\Windows\System\zOcNvLx.exe
  C:\Windows\System\zOcNvLx.exe
  2⤵
  PID:8872
- C:\Windows\System\PSivcSm.exe
  C:\Windows\System\PSivcSm.exe
  2⤵
  PID:8892
- C:\Windows\System\CHwoWgy.exe
  C:\Windows\System\CHwoWgy.exe
  2⤵
  PID:8920
- C:\Windows\System\QRqIRSF.exe
  C:\Windows\System\QRqIRSF.exe
  2⤵
  PID:8936
- C:\Windows\System\dMumpgN.exe
  C:\Windows\System\dMumpgN.exe
  2⤵
  PID:8960
- C:\Windows\System\YANKjuS.exe
  C:\Windows\System\YANKjuS.exe
  2⤵
  PID:8984
- C:\Windows\System\PfchVxb.exe
  C:\Windows\System\PfchVxb.exe
  2⤵
  PID:9020
- C:\Windows\System\SLsPswZ.exe
  C:\Windows\System\SLsPswZ.exe
  2⤵
  PID:9080
- C:\Windows\System\VxiorGO.exe
  C:\Windows\System\VxiorGO.exe
  2⤵
  PID:9104
- C:\Windows\System\RdBjLAM.exe
  C:\Windows\System\RdBjLAM.exe
  2⤵
  PID:9132
- C:\Windows\System\szGhASF.exe
  C:\Windows\System\szGhASF.exe
  2⤵
  PID:9172
- C:\Windows\System\gTBsLdU.exe
  C:\Windows\System\gTBsLdU.exe
  2⤵
  PID:9192
- C:\Windows\System\XPcReWh.exe
  C:\Windows\System\XPcReWh.exe
  2⤵
  PID:9212
- C:\Windows\System\XXrZlVi.exe
  C:\Windows\System\XXrZlVi.exe
  2⤵
  PID:7844
- C:\Windows\System\xLxtxbi.exe
  C:\Windows\System\xLxtxbi.exe
  2⤵
  PID:8268
- C:\Windows\System\SjLcFWv.exe
  C:\Windows\System\SjLcFWv.exe
  2⤵
  PID:8336
- C:\Windows\System\MRpEzsD.exe
  C:\Windows\System\MRpEzsD.exe
  2⤵
  PID:8388
- C:\Windows\System\AoPbOuK.exe
  C:\Windows\System\AoPbOuK.exe
  2⤵
  PID:8488
- C:\Windows\System\nrUJyqn.exe
  C:\Windows\System\nrUJyqn.exe
  2⤵
  PID:8576
- C:\Windows\System\uEeCVyF.exe
  C:\Windows\System\uEeCVyF.exe
  2⤵
  PID:8676
- C:\Windows\System\ejagaxf.exe
  C:\Windows\System\ejagaxf.exe
  2⤵
  PID:8700
- C:\Windows\System\xMkjael.exe
  C:\Windows\System\xMkjael.exe
  2⤵
  PID:8776
- C:\Windows\System\EEJPzNa.exe
  C:\Windows\System\EEJPzNa.exe
  2⤵
  PID:8780
- C:\Windows\System\DAHEPVr.exe
  C:\Windows\System\DAHEPVr.exe
  2⤵
  PID:8968
- C:\Windows\System\aWETDdI.exe
  C:\Windows\System\aWETDdI.exe
  2⤵
  PID:8932
- C:\Windows\System\ijBoUhT.exe
  C:\Windows\System\ijBoUhT.exe
  2⤵
  PID:8204
- C:\Windows\System\xQIlXng.exe
  C:\Windows\System\xQIlXng.exe
  2⤵
  PID:7752
- C:\Windows\System\tduOatJ.exe
  C:\Windows\System\tduOatJ.exe
  2⤵
  PID:8476
- C:\Windows\System\XswFgYB.exe
  C:\Windows\System\XswFgYB.exe
  2⤵
  PID:8548
- C:\Windows\System\ChVxAbZ.exe
  C:\Windows\System\ChVxAbZ.exe
  2⤵
  PID:8644
- C:\Windows\System\JMIhwtv.exe
  C:\Windows\System\JMIhwtv.exe
  2⤵
  PID:8712
- C:\Windows\System\SyIOXPU.exe
  C:\Windows\System\SyIOXPU.exe
  2⤵
  PID:8784
- C:\Windows\System\DHsHBrS.exe
  C:\Windows\System\DHsHBrS.exe
  2⤵
  PID:8900
- C:\Windows\System\MGbxkUg.exe
  C:\Windows\System\MGbxkUg.exe
  2⤵
  PID:8980
- C:\Windows\System\tzREjOH.exe
  C:\Windows\System\tzREjOH.exe
  2⤵
  PID:9236
- C:\Windows\System\deQCYsy.exe
  C:\Windows\System\deQCYsy.exe
  2⤵
  PID:9296
- C:\Windows\System\BJmvagL.exe
  C:\Windows\System\BJmvagL.exe
  2⤵
  PID:9312
- C:\Windows\System\EchpXUf.exe
  C:\Windows\System\EchpXUf.exe
  2⤵
  PID:9328
- C:\Windows\System\jpMIder.exe
  C:\Windows\System\jpMIder.exe
  2⤵
  PID:9344
- C:\Windows\System\KPoHtrY.exe
  C:\Windows\System\KPoHtrY.exe
  2⤵
  PID:9360
- C:\Windows\System\XXCNhTr.exe
  C:\Windows\System\XXCNhTr.exe
  2⤵
  PID:9376
- C:\Windows\System\tVEwwLZ.exe
  C:\Windows\System\tVEwwLZ.exe
  2⤵
  PID:9392
- C:\Windows\System\JaGKtsx.exe
  C:\Windows\System\JaGKtsx.exe
  2⤵
  PID:9408
- C:\Windows\System\uEumGbY.exe
  C:\Windows\System\uEumGbY.exe
  2⤵
  PID:9424
- C:\Windows\System\otmpxPC.exe
  C:\Windows\System\otmpxPC.exe
  2⤵
  PID:9504
- C:\Windows\System\zTgpQtq.exe
  C:\Windows\System\zTgpQtq.exe
  2⤵
  PID:9528
- C:\Windows\System\TMYYIun.exe
  C:\Windows\System\TMYYIun.exe
  2⤵
  PID:9552
- C:\Windows\System\xAvUqQJ.exe
  C:\Windows\System\xAvUqQJ.exe
  2⤵
  PID:9640
- C:\Windows\System\znwZkfr.exe
  C:\Windows\System\znwZkfr.exe
  2⤵
  PID:9660
- C:\Windows\System\OuVAauL.exe
  C:\Windows\System\OuVAauL.exe
  2⤵
  PID:9696
- C:\Windows\System\hOtAanX.exe
  C:\Windows\System\hOtAanX.exe
  2⤵
  PID:9712
- C:\Windows\System\vHeAzGj.exe
  C:\Windows\System\vHeAzGj.exe
  2⤵
  PID:9736
- C:\Windows\System\qxijoCr.exe
  C:\Windows\System\qxijoCr.exe
  2⤵
  PID:9820
- C:\Windows\System\OCLMAlG.exe
  C:\Windows\System\OCLMAlG.exe
  2⤵
  PID:9844
- C:\Windows\System\BgzIZOe.exe
  C:\Windows\System\BgzIZOe.exe
  2⤵
  PID:9864
- C:\Windows\System\EKBkFhO.exe
  C:\Windows\System\EKBkFhO.exe
  2⤵
  PID:9920
- C:\Windows\System\IzHgmBm.exe
  C:\Windows\System\IzHgmBm.exe
  2⤵
  PID:9936
- C:\Windows\System\EONdoxU.exe
  C:\Windows\System\EONdoxU.exe
  2⤵
  PID:9992
- C:\Windows\System\hFRUTTP.exe
  C:\Windows\System\hFRUTTP.exe
  2⤵
  PID:10044
- C:\Windows\System\jEuLdEr.exe
  C:\Windows\System\jEuLdEr.exe
  2⤵
  PID:10064
- C:\Windows\System\VFLAbDt.exe
  C:\Windows\System\VFLAbDt.exe
  2⤵
  PID:10080
- C:\Windows\System\aYYMXid.exe
  C:\Windows\System\aYYMXid.exe
  2⤵
  PID:10124
- C:\Windows\System\cPZaolq.exe
  C:\Windows\System\cPZaolq.exe
  2⤵
  PID:10152
- C:\Windows\System\xtVnojB.exe
  C:\Windows\System\xtVnojB.exe
  2⤵
  PID:10180
- C:\Windows\System\EkXyANz.exe
  C:\Windows\System\EkXyANz.exe
  2⤵
  PID:10200
- C:\Windows\System\BeQEPRO.exe
  C:\Windows\System\BeQEPRO.exe
  2⤵
  PID:10224
- C:\Windows\System\aDjnenq.exe
  C:\Windows\System\aDjnenq.exe
  2⤵
  PID:9232
- C:\Windows\System\GtYFqHe.exe
  C:\Windows\System\GtYFqHe.exe
  2⤵
  PID:9164
- C:\Windows\System\hqWzYkJ.exe
  C:\Windows\System\hqWzYkJ.exe
  2⤵
  PID:8236
- C:\Windows\System\YyimNQH.exe
  C:\Windows\System\YyimNQH.exe
  2⤵
  PID:9068
- C:\Windows\System\UOFUXIL.exe
  C:\Windows\System\UOFUXIL.exe
  2⤵
  PID:8848
- C:\Windows\System\qLqmZtd.exe
  C:\Windows\System\qLqmZtd.exe
  2⤵
  PID:9320
- C:\Windows\System\siCPSRj.exe
  C:\Windows\System\siCPSRj.exe
  2⤵
  PID:9456
- C:\Windows\System\DBprtYU.exe
  C:\Windows\System\DBprtYU.exe
  2⤵
  PID:9324
- C:\Windows\System\haFItPE.exe
  C:\Windows\System\haFItPE.exe
  2⤵
  PID:9388
- C:\Windows\System\fdJSpIx.exe
  C:\Windows\System\fdJSpIx.exe
  2⤵
  PID:9520
- C:\Windows\System\mvATgbH.exe
  C:\Windows\System\mvATgbH.exe
  2⤵
  PID:9356
- C:\Windows\System\GxfBemM.exe
  C:\Windows\System\GxfBemM.exe
  2⤵
  PID:9612
- C:\Windows\System\gQqpeMy.exe
  C:\Windows\System\gQqpeMy.exe
  2⤵
  PID:9676
- C:\Windows\System\nXhvUuT.exe
  C:\Windows\System\nXhvUuT.exe
  2⤵
  PID:9756
- C:\Windows\System\oxSksmU.exe
  C:\Windows\System\oxSksmU.exe
  2⤵
  PID:9720
- C:\Windows\System\pDkuUft.exe
  C:\Windows\System\pDkuUft.exe
  2⤵
  PID:9772
- C:\Windows\System\vNakmpH.exe
  C:\Windows\System\vNakmpH.exe
  2⤵
  PID:9828
- C:\Windows\System\dUHOirR.exe
  C:\Windows\System\dUHOirR.exe
  2⤵
  PID:9852
- C:\Windows\System\xOBIZIt.exe
  C:\Windows\System\xOBIZIt.exe
  2⤵
  PID:10004
- C:\Windows\System\hFkvcRJ.exe
  C:\Windows\System\hFkvcRJ.exe
  2⤵
  PID:10052
- C:\Windows\System\PDDzsWx.exe
  C:\Windows\System\PDDzsWx.exe
  2⤵
  PID:10108
- C:\Windows\System\iKTmoOW.exe
  C:\Windows\System\iKTmoOW.exe
  2⤵
  PID:10192
- C:\Windows\System\ncSaaYI.exe
  C:\Windows\System\ncSaaYI.exe
  2⤵
  PID:9180
- C:\Windows\System\XKSZRNt.exe
  C:\Windows\System\XKSZRNt.exe
  2⤵
  PID:8732
- C:\Windows\System\KtiVJhP.exe
  C:\Windows\System\KtiVJhP.exe
  2⤵
  PID:8412
- C:\Windows\System\ikzAVLH.exe
  C:\Windows\System\ikzAVLH.exe
  2⤵
  PID:9308
- C:\Windows\System\NobVuHC.exe
  C:\Windows\System\NobVuHC.exe
  2⤵
  PID:9536
- C:\Windows\System\AjzpjAO.exe
  C:\Windows\System\AjzpjAO.exe
  2⤵
  PID:9476
- C:\Windows\System\wGRsmFO.exe
  C:\Windows\System\wGRsmFO.exe
  2⤵
  PID:9608
- C:\Windows\System\wojnrUP.exe
  C:\Windows\System\wojnrUP.exe
  2⤵
  PID:9932
- C:\Windows\System\cgmebHo.exe
  C:\Windows\System\cgmebHo.exe
  2⤵
  PID:10212
- C:\Windows\System\CzgbjBD.exe
  C:\Windows\System\CzgbjBD.exe
  2⤵
  PID:8284
- C:\Windows\System\GUjBxUs.exe
  C:\Windows\System\GUjBxUs.exe
  2⤵
  PID:9304
- C:\Windows\System\OEOuLFE.exe
  C:\Windows\System\OEOuLFE.exe
  2⤵
  PID:9472
- C:\Windows\System\utaDwrb.exe
  C:\Windows\System\utaDwrb.exe
  2⤵
  PID:9928
- C:\Windows\System\xcCzzqk.exe
  C:\Windows\System\xcCzzqk.exe
  2⤵
  PID:10208
- C:\Windows\System\DNzkfXe.exe
  C:\Windows\System\DNzkfXe.exe
  2⤵
  PID:10168
- C:\Windows\System\fUtgoaR.exe
  C:\Windows\System\fUtgoaR.exe
  2⤵
  PID:9948
- C:\Windows\System\kjAJgPr.exe
  C:\Windows\System\kjAJgPr.exe
  2⤵
  PID:10260
- C:\Windows\System\tlEUSCK.exe
  C:\Windows\System\tlEUSCK.exe
  2⤵
  PID:10308
- C:\Windows\System\sILRKKG.exe
  C:\Windows\System\sILRKKG.exe
  2⤵
  PID:10328
- C:\Windows\System\lKMWsfI.exe
  C:\Windows\System\lKMWsfI.exe
  2⤵
  PID:10372
- C:\Windows\System\fKhssyA.exe
  C:\Windows\System\fKhssyA.exe
  2⤵
  PID:10396
- C:\Windows\System\ZYxioDe.exe
  C:\Windows\System\ZYxioDe.exe
  2⤵
  PID:10416
- C:\Windows\System\lMyAEHb.exe
  C:\Windows\System\lMyAEHb.exe
  2⤵
  PID:10464
- C:\Windows\System\pvDLhMb.exe
  C:\Windows\System\pvDLhMb.exe
  2⤵
  PID:10484
- C:\Windows\System\oxtTivc.exe
  C:\Windows\System\oxtTivc.exe
  2⤵
  PID:10508
- C:\Windows\System\zSocptF.exe
  C:\Windows\System\zSocptF.exe
  2⤵
  PID:10556
- C:\Windows\System\VuiGUtb.exe
  C:\Windows\System\VuiGUtb.exe
  2⤵
  PID:10580
- C:\Windows\System\POczvzc.exe
  C:\Windows\System\POczvzc.exe
  2⤵
  PID:10608
- C:\Windows\System\LGeOqQP.exe
  C:\Windows\System\LGeOqQP.exe
  2⤵
  PID:10628
- C:\Windows\System\usyyLXG.exe
  C:\Windows\System\usyyLXG.exe
  2⤵
  PID:10648
- C:\Windows\System\oXzyflk.exe
  C:\Windows\System\oXzyflk.exe
  2⤵
  PID:10676
- C:\Windows\System\UZRNYIm.exe
  C:\Windows\System\UZRNYIm.exe
  2⤵
  PID:10712
- C:\Windows\System\PoSmPAY.exe
  C:\Windows\System\PoSmPAY.exe
  2⤵
  PID:10728
- C:\Windows\System\qnCxQxi.exe
  C:\Windows\System\qnCxQxi.exe
  2⤵
  PID:10756
- C:\Windows\System\lupsRKY.exe
  C:\Windows\System\lupsRKY.exe
  2⤵
  PID:10812
- C:\Windows\System\TvhOcgU.exe
  C:\Windows\System\TvhOcgU.exe
  2⤵
  PID:10832
- C:\Windows\System\WxYqOQF.exe
  C:\Windows\System\WxYqOQF.exe
  2⤵
  PID:10852
- C:\Windows\System\WWKbqzD.exe
  C:\Windows\System\WWKbqzD.exe
  2⤵
  PID:10896
- C:\Windows\System\avFUJlK.exe
  C:\Windows\System\avFUJlK.exe
  2⤵
  PID:10916
- C:\Windows\System\BLZUPYr.exe
  C:\Windows\System\BLZUPYr.exe
  2⤵
  PID:10956
- C:\Windows\System\SWETIDl.exe
  C:\Windows\System\SWETIDl.exe
  2⤵
  PID:10980
- C:\Windows\System\jTznUAp.exe
  C:\Windows\System\jTznUAp.exe
  2⤵
  PID:11000
- C:\Windows\System\MqReuQT.exe
  C:\Windows\System\MqReuQT.exe
  2⤵
  PID:11040
- C:\Windows\System\caitckk.exe
  C:\Windows\System\caitckk.exe
  2⤵
  PID:11060
- C:\Windows\System\cqKTdOq.exe
  C:\Windows\System\cqKTdOq.exe
  2⤵
  PID:11076
- C:\Windows\System\SQmymIp.exe
  C:\Windows\System\SQmymIp.exe
  2⤵
  PID:11104
- C:\Windows\System\gGCVGfe.exe
  C:\Windows\System\gGCVGfe.exe
  2⤵
  PID:11132
- C:\Windows\System\nGmNJOO.exe
  C:\Windows\System\nGmNJOO.exe
  2⤵
  PID:11160
- C:\Windows\System\ciJPlZW.exe
  C:\Windows\System\ciJPlZW.exe
  2⤵
  PID:11184
- C:\Windows\System\pbJeaWu.exe
  C:\Windows\System\pbJeaWu.exe
  2⤵
  PID:11204
- C:\Windows\System\zrjrWNv.exe
  C:\Windows\System\zrjrWNv.exe
  2⤵
  PID:11252
- C:\Windows\System\uoSXAyo.exe
  C:\Windows\System\uoSXAyo.exe
  2⤵
  PID:9384
- C:\Windows\System\gJiIUMQ.exe
  C:\Windows\System\gJiIUMQ.exe
  2⤵
  PID:10316
- C:\Windows\System\bSlefEj.exe
  C:\Windows\System\bSlefEj.exe
  2⤵
  PID:10324
- C:\Windows\System\orQAhUj.exe
  C:\Windows\System\orQAhUj.exe
  2⤵
  PID:10448
- C:\Windows\System\ituDuam.exe
  C:\Windows\System\ituDuam.exe
  2⤵
  PID:10476
- C:\Windows\System\GZydQpe.exe
  C:\Windows\System\GZydQpe.exe
  2⤵
  PID:10548
- C:\Windows\System\TblycDe.exe
  C:\Windows\System\TblycDe.exe
  2⤵
  PID:10596
- C:\Windows\System\sNCAGyz.exe
  C:\Windows\System\sNCAGyz.exe
  2⤵
  PID:10644
- C:\Windows\System\XlxIJGz.exe
  C:\Windows\System\XlxIJGz.exe
  2⤵
  PID:10748
- C:\Windows\System\klsmCCL.exe
  C:\Windows\System\klsmCCL.exe
  2⤵
  PID:10820
- C:\Windows\System\KwyblhS.exe
  C:\Windows\System\KwyblhS.exe
  2⤵
  PID:10884
- C:\Windows\System\OfXOOnG.exe
  C:\Windows\System\OfXOOnG.exe
  2⤵
  PID:10936
- C:\Windows\System\DzWhtsq.exe
  C:\Windows\System\DzWhtsq.exe
  2⤵
  PID:10996
- C:\Windows\System\xBHdbrY.exe
  C:\Windows\System\xBHdbrY.exe
  2⤵
  PID:11068
- C:\Windows\System\ueLJEYF.exe
  C:\Windows\System\ueLJEYF.exe
  2⤵
  PID:11140
- C:\Windows\System\VaoifNe.exe
  C:\Windows\System\VaoifNe.exe
  2⤵
  PID:11172
- C:\Windows\System\lVkJyxL.exe
  C:\Windows\System\lVkJyxL.exe
  2⤵
  PID:11196
- C:\Windows\System\utzjFeu.exe
  C:\Windows\System\utzjFeu.exe
  2⤵
  PID:11232
- C:\Windows\System\jlfMzRG.exe
  C:\Windows\System\jlfMzRG.exe
  2⤵
  PID:10320
- C:\Windows\System\UyyBlsb.exe
  C:\Windows\System\UyyBlsb.exe
  2⤵
  PID:10424
- C:\Windows\System\PCUbuyP.exe
  C:\Windows\System\PCUbuyP.exe
  2⤵
  PID:10568
- C:\Windows\System\IbqAepu.exe
  C:\Windows\System\IbqAepu.exe
  2⤵
  PID:10808
- C:\Windows\System\wINLkJl.exe
  C:\Windows\System\wINLkJl.exe
  2⤵
  PID:11152
- C:\Windows\System\UwgHXTN.exe
  C:\Windows\System\UwgHXTN.exe
  2⤵
  PID:11124
- C:\Windows\System\yIlFUNI.exe
  C:\Windows\System\yIlFUNI.exe
  2⤵
  PID:11156
- C:\Windows\System\DzCSDmi.exe
  C:\Windows\System\DzCSDmi.exe
  2⤵
  PID:10592
- C:\Windows\System\kgVliEK.exe
  C:\Windows\System\kgVliEK.exe
  2⤵
  PID:10444
- C:\Windows\System\raWbjrw.exe
  C:\Windows\System\raWbjrw.exe
  2⤵
  PID:10764
- C:\Windows\System\dFRZCqd.exe
  C:\Windows\System\dFRZCqd.exe
  2⤵
  PID:11280
- C:\Windows\System\TqQtODI.exe
  C:\Windows\System\TqQtODI.exe
  2⤵
  PID:11304
- C:\Windows\System\dREmdwZ.exe
  C:\Windows\System\dREmdwZ.exe
  2⤵
  PID:11324
- C:\Windows\System\dpydato.exe
  C:\Windows\System\dpydato.exe
  2⤵
  PID:11360
- C:\Windows\System\vSTvYfP.exe
  C:\Windows\System\vSTvYfP.exe
  2⤵
  PID:11380
- C:\Windows\System\hcJCJoE.exe
  C:\Windows\System\hcJCJoE.exe
  2⤵
  PID:11396
- C:\Windows\System\kRAGxav.exe
  C:\Windows\System\kRAGxav.exe
  2⤵
  PID:11436
- C:\Windows\System\iZIppXi.exe
  C:\Windows\System\iZIppXi.exe
  2⤵
  PID:11464
- C:\Windows\System\qixDDll.exe
  C:\Windows\System\qixDDll.exe
  2⤵
  PID:11508
- C:\Windows\System\aqUWlFi.exe
  C:\Windows\System\aqUWlFi.exe
  2⤵
  PID:11528
- C:\Windows\System\UPTVVuJ.exe
  C:\Windows\System\UPTVVuJ.exe
  2⤵
  PID:11560
- C:\Windows\System\zoCvGoM.exe
  C:\Windows\System\zoCvGoM.exe
  2⤵
  PID:11588
- C:\Windows\System\XmCNIqI.exe
  C:\Windows\System\XmCNIqI.exe
  2⤵
  PID:11604
- C:\Windows\System\kwRLmdh.exe
  C:\Windows\System\kwRLmdh.exe
  2⤵
  PID:11628
- C:\Windows\System\MRkMqGY.exe
  C:\Windows\System\MRkMqGY.exe
  2⤵
  PID:11656
- C:\Windows\System\bDxdars.exe
  C:\Windows\System\bDxdars.exe
  2⤵
  PID:11672
- C:\Windows\System\unHuiYa.exe
  C:\Windows\System\unHuiYa.exe
  2⤵
  PID:11696
- C:\Windows\System\ZpopZQu.exe
  C:\Windows\System\ZpopZQu.exe
  2⤵
  PID:11736
- C:\Windows\System\saQgNXk.exe
  C:\Windows\System\saQgNXk.exe
  2⤵
  PID:11756
- C:\Windows\System\rdEReiu.exe
  C:\Windows\System\rdEReiu.exe
  2⤵
  PID:11792
- C:\Windows\System\mMsQSTD.exe
  C:\Windows\System\mMsQSTD.exe
  2⤵
  PID:11892
- C:\Windows\System\bnuNSME.exe
  C:\Windows\System\bnuNSME.exe
  2⤵
  PID:11908
- C:\Windows\System\FYEXldX.exe
  C:\Windows\System\FYEXldX.exe
  2⤵
  PID:11924
- C:\Windows\System\ytPUbzV.exe
  C:\Windows\System\ytPUbzV.exe
  2⤵
  PID:11944
- C:\Windows\System\LgjZqWt.exe
  C:\Windows\System\LgjZqWt.exe
  2⤵
  PID:11968
- C:\Windows\System\yLojcPM.exe
  C:\Windows\System\yLojcPM.exe
  2⤵
  PID:11992
- C:\Windows\System\dZiceVC.exe
  C:\Windows\System\dZiceVC.exe
  2⤵
  PID:12024
- C:\Windows\System\XQNeGmJ.exe
  C:\Windows\System\XQNeGmJ.exe
  2⤵
  PID:12052
- C:\Windows\System\yAJzQsG.exe
  C:\Windows\System\yAJzQsG.exe
  2⤵
  PID:12080
- C:\Windows\System\KijsDte.exe
  C:\Windows\System\KijsDte.exe
  2⤵
  PID:12108
- C:\Windows\System\OJISnhX.exe
  C:\Windows\System\OJISnhX.exe
  2⤵
  PID:12140
- C:\Windows\System\rQAsPtE.exe
  C:\Windows\System\rQAsPtE.exe
  2⤵
  PID:12184
- C:\Windows\System\GdRISFH.exe
  C:\Windows\System\GdRISFH.exe
  2⤵
  PID:12204
- C:\Windows\System\ClyrjiF.exe
  C:\Windows\System\ClyrjiF.exe
  2⤵
  PID:12228
- C:\Windows\System\TyicMMj.exe
  C:\Windows\System\TyicMMj.exe
  2⤵
  PID:12272
- C:\Windows\System\fUruehn.exe
  C:\Windows\System\fUruehn.exe
  2⤵
  PID:7136
- C:\Windows\System\kYAixvy.exe
  C:\Windows\System\kYAixvy.exe
  2⤵
  PID:10992
- C:\Windows\System\mQXDuYr.exe
  C:\Windows\System\mQXDuYr.exe
  2⤵
  PID:11336
- C:\Windows\System\NuSWzcW.exe
  C:\Windows\System\NuSWzcW.exe
  2⤵
  PID:11420
- C:\Windows\System\WnrYBLw.exe
  C:\Windows\System\WnrYBLw.exe
  2⤵
  PID:11456
- C:\Windows\System\GzmnIAb.exe
  C:\Windows\System\GzmnIAb.exe
  2⤵
  PID:11572
- C:\Windows\System\pTISoJI.exe
  C:\Windows\System\pTISoJI.exe
  2⤵
  PID:11664
- C:\Windows\System\nNepxSm.exe
  C:\Windows\System\nNepxSm.exe
  2⤵
  PID:11680
- C:\Windows\System\ntNkmkU.exe
  C:\Windows\System\ntNkmkU.exe
  2⤵
  PID:11724
- C:\Windows\System\RozZZdR.exe
  C:\Windows\System\RozZZdR.exe
  2⤵
  PID:11808
- C:\Windows\System\jGtOpnP.exe
  C:\Windows\System\jGtOpnP.exe
  2⤵
  PID:11964
- C:\Windows\System\VPTLOqH.exe
  C:\Windows\System\VPTLOqH.exe
  2⤵
  PID:11952
- C:\Windows\System\gQPPzay.exe
  C:\Windows\System\gQPPzay.exe
  2⤵
  PID:12036
- C:\Windows\System\CrTNlzW.exe
  C:\Windows\System\CrTNlzW.exe
  2⤵
  PID:12072
- C:\Windows\System\mAqglTu.exe
  C:\Windows\System\mAqglTu.exe
  2⤵
  PID:12128
- C:\Windows\System\iTxLMCL.exe
  C:\Windows\System\iTxLMCL.exe
  2⤵
  PID:12196
- C:\Windows\System\dJsqQFX.exe
  C:\Windows\System\dJsqQFX.exe
  2⤵
  PID:12252
- C:\Windows\System\tKlHQGx.exe
  C:\Windows\System\tKlHQGx.exe
  2⤵
  PID:11272
- C:\Windows\System\GLDouvE.exe
  C:\Windows\System\GLDouvE.exe
  2⤵
  PID:11432
- C:\Windows\System\giBYeIw.exe
  C:\Windows\System\giBYeIw.exe
  2⤵
  PID:11356
- C:\Windows\System\mukMaOL.exe
  C:\Windows\System\mukMaOL.exe
  2⤵
  PID:11728
- C:\Windows\System\UmfYdVU.exe
  C:\Windows\System\UmfYdVU.exe
  2⤵
  PID:11852
- C:\Windows\System\kxpDUvG.exe
  C:\Windows\System\kxpDUvG.exe
  2⤵
  PID:11936
- C:\Windows\System\KbHVncq.exe
  C:\Windows\System\KbHVncq.exe
  2⤵
  PID:12136
- C:\Windows\System\lksgQHP.exe
  C:\Windows\System\lksgQHP.exe
  2⤵
  PID:11492
- C:\Windows\System\dcgeTxq.exe
  C:\Windows\System\dcgeTxq.exe
  2⤵
  PID:11388
- C:\Windows\System\jaEWULs.exe
  C:\Windows\System\jaEWULs.exe
  2⤵
  PID:3628
- C:\Windows\System\oefkUUh.exe
  C:\Windows\System\oefkUUh.exe
  2⤵
  PID:12260
- C:\Windows\System\OsCbBbZ.exe
  C:\Windows\System\OsCbBbZ.exe
  2⤵
  PID:11268
- C:\Windows\System\tRbmAfD.exe
  C:\Windows\System\tRbmAfD.exe
  2⤵
  PID:12300
- C:\Windows\System\oBjJUNp.exe
  C:\Windows\System\oBjJUNp.exe
  2⤵
  PID:12344
- C:\Windows\System\kqZfuVr.exe
  C:\Windows\System\kqZfuVr.exe
  2⤵
  PID:12368
- C:\Windows\System\cNEUSpa.exe
  C:\Windows\System\cNEUSpa.exe
  2⤵
  PID:12392
- C:\Windows\System\CuHLWGk.exe
  C:\Windows\System\CuHLWGk.exe
  2⤵
  PID:12408
- C:\Windows\System\jwhWnKC.exe
  C:\Windows\System\jwhWnKC.exe
  2⤵
  PID:12432
- C:\Windows\System\ZxTzQOd.exe
  C:\Windows\System\ZxTzQOd.exe
  2⤵
  PID:12452
- C:\Windows\System\iYDVVWM.exe
  C:\Windows\System\iYDVVWM.exe
  2⤵
  PID:12476
- C:\Windows\System\uXCPRPE.exe
  C:\Windows\System\uXCPRPE.exe
  2⤵
  PID:12496
- C:\Windows\System\eiOtHch.exe
  C:\Windows\System\eiOtHch.exe
  2⤵
  PID:12564
- C:\Windows\System\lBXBcTZ.exe
  C:\Windows\System\lBXBcTZ.exe
  2⤵
  PID:12588
- C:\Windows\System\rFEtfRd.exe
  C:\Windows\System\rFEtfRd.exe
  2⤵
  PID:12616
- C:\Windows\System\rfkgoEG.exe
  C:\Windows\System\rfkgoEG.exe
  2⤵
  PID:12648
- C:\Windows\System\Bbeafmf.exe
  C:\Windows\System\Bbeafmf.exe
  2⤵
  PID:12672
- C:\Windows\System\sKMqkGN.exe
  C:\Windows\System\sKMqkGN.exe
  2⤵
  PID:12692
- C:\Windows\System\lwjDrMw.exe
  C:\Windows\System\lwjDrMw.exe
  2⤵
  PID:12716
- C:\Windows\System\JJwowiS.exe
  C:\Windows\System\JJwowiS.exe
  2⤵
  PID:12760
- C:\Windows\System\EMNJSpa.exe
  C:\Windows\System\EMNJSpa.exe
  2⤵
  PID:12788
- C:\Windows\System\tiGZUZf.exe
  C:\Windows\System\tiGZUZf.exe
  2⤵
  PID:12812
- C:\Windows\System\iMFNjHQ.exe
  C:\Windows\System\iMFNjHQ.exe
  2⤵
  PID:12828
- C:\Windows\System\BaMjhuZ.exe
  C:\Windows\System\BaMjhuZ.exe
  2⤵
  PID:12852
- C:\Windows\System\MiUbETd.exe
  C:\Windows\System\MiUbETd.exe
  2⤵
  PID:12908
- C:\Windows\System\kswmEBG.exe
  C:\Windows\System\kswmEBG.exe
  2⤵
  PID:12928
- C:\Windows\System\XYxXmFS.exe
  C:\Windows\System\XYxXmFS.exe
  2⤵
  PID:12944
- C:\Windows\System\vYgiVyk.exe
  C:\Windows\System\vYgiVyk.exe
  2⤵
  PID:12968
- C:\Windows\System\Pjucgoc.exe
  C:\Windows\System\Pjucgoc.exe
  2⤵
  PID:13024
- C:\Windows\System\XgmgVVC.exe
  C:\Windows\System\XgmgVVC.exe
  2⤵
  PID:13044
- C:\Windows\System\ZRQCNcb.exe
  C:\Windows\System\ZRQCNcb.exe
  2⤵
  PID:13088
- C:\Windows\System\AIZnhrO.exe
  C:\Windows\System\AIZnhrO.exe
  2⤵
  PID:13112
- C:\Windows\System\tchwnyV.exe
  C:\Windows\System\tchwnyV.exe
  2⤵
  PID:13128
- C:\Windows\System\XeFynzX.exe
  C:\Windows\System\XeFynzX.exe
  2⤵
  PID:13148
- C:\Windows\System\TbyuyJk.exe
  C:\Windows\System\TbyuyJk.exe
  2⤵
  PID:13172
- C:\Windows\System\reaPlVp.exe
  C:\Windows\System\reaPlVp.exe
  2⤵
  PID:13220
- C:\Windows\System\tTOTBUE.exe
  C:\Windows\System\tTOTBUE.exe
  2⤵
  PID:13236
- C:\Windows\System\ginHvML.exe
  C:\Windows\System\ginHvML.exe
  2⤵
  PID:13260
- C:\Windows\System\NEauiJs.exe
  C:\Windows\System\NEauiJs.exe
  2⤵
  PID:13280
- C:\Windows\System\vpqHPfi.exe
  C:\Windows\System\vpqHPfi.exe
  2⤵
  PID:932
- C:\Windows\System\rEmopTF.exe
  C:\Windows\System\rEmopTF.exe
  2⤵
  PID:3004
- C:\Windows\System\lZmruYW.exe
  C:\Windows\System\lZmruYW.exe
  2⤵
  PID:4252
- C:\Windows\System\RAOPzWr.exe
  C:\Windows\System\RAOPzWr.exe
  2⤵
  PID:12332
- C:\Windows\System\QwxHeLs.exe
  C:\Windows\System\QwxHeLs.exe
  2⤵
  PID:2312

Network

DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133
GET

https://raw.githubusercontent.com/

powershell.exe

Remote address:

185.199.110.133:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Connection: keep-alive
Content-Length: 0
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Location: https://github.com/
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: FF12:153454:D3729:F4535:662FD79A
Accept-Ranges: bytes
Date: Mon, 29 Apr 2024 17:26:55 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600029-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1714411615.335017,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: e78f48f0edf2d8b8507fce8dfdd2004bcb3ba072
Expires: Mon, 29 Apr 2024 17:31:55 GMT
Source-Age: 197
DNS

github.com

powershell.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/

powershell.exe

Remote address:

20.26.156.215:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: GitHub.com
Date: Mon, 29 Apr 2024 17:26:47 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Language, Accept-Encoding, Accept, X-Requested-With
content-language: en-US
ETag: W/"e4e3c23874dd54bf810296a26ad3f9c2"
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com github.githubassets.com edge.fullstory.com rs.fullstory.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Set-Cookie: _gh_sess=FuzG%2BaRVwkTuhxxggEyN56qkmPkPk5ooboc31nDYOlPiElhwNNh%2BQlX26RdvF347s3WnojVhdPtcWOxLNxLo7dHdkdDmTCwKc8SgUMhh3JymINm6a7peJoUiHC6GVkTzh%2BA6ZjPoNWP2NqKELnRJfdw5F7qr7wvGgmCTOshyTI4lsea25R0%2FxbqRS3y0sZXwyM05zjwnz5TGHSc75f1M4Dlwr73W1TCQ0P5I2NgyYtcDO%2FMpuOaMY02J%2F3xBu7kXF3JrdDex9XgyQT3Dmpo6GQ%3D%3D--Pw2C4qc0oF9ejY4S--iWZZOkbeXhpqGPHwNAd30Q%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.1010889632.1714411616; Path=/; Domain=github.com; Expires=Tue, 29 Apr 2025 17:26:56 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Tue, 29 Apr 2025 17:26:56 GMT; HttpOnly; Secure; SameSite=Lax
Accept-Ranges: bytes
Transfer-Encoding: chunked
X-GitHub-Request-Id: D44D:6033F:22D723B:258513E:662FD85F
DNS

133.110.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.110.199.185.in-addr.arpa

IN PTR

Response

133.110.199.185.in-addr.arpa

IN PTR

cdn-185-199-110-133githubcom
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response

3.120.98.217:8080

08377e9296f614b33f74d8cbc937d626_JaffaCakes118.exe

260 B
5
185.199.110.133:443

https://raw.githubusercontent.com/

tls, http

powershell.exe

841 B
5.8kB
8
10

HTTP Request

GET https://raw.githubusercontent.com/

HTTP Response

301
20.26.156.215:443

https://github.com/

tls, http

powershell.exe

5.0kB
250.5kB
99
185

HTTP Request

GET https://github.com/

HTTP Response

200

8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.109.133

185.199.111.133
8.8.8.8:53

github.com

dns

powershell.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

133.110.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.110.199.185.in-addr.arpa
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vexxoznw.mj4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AdFiDrG.exe

Filesize
1.9MB

MD5
6b8af91365645e7ae9a969ab8c560d31

SHA1
c8d2e327fa992e1ae13260d9248520d85a2f61e3

SHA256
d1637058af644d61625491db94d3adafa7227ad504bd5c1ee0846ac4be1f5965

SHA512
fd09ea781a0b6a27fce27bbea6576d533f9519d8e62e7b39077fd6364652042520f12932164e532d765914f6e76dcdadab5e2b4187f284ebf057dced4b2b71a9

Download Submit
C:\Windows\System\AudLtPA.exe

Filesize
1.9MB

MD5
a7083f959f40cd860cbbc26bcbbff4a3

SHA1
caba7631d8520286ce4c83deb2709f9cea1f3e30

SHA256
8358b5b091871f0c97935aec3d2524dbeba34d90afef71e1b10ecfddb953420d

SHA512
8b7b825e4d94c52138decaaec45e0c54288a3ab442ebb1e10b97246ededa5dee6a7d9ae8dc8f4197f9a1b22172736cf56fdd726214b73d21387345ab8d407df4

Download Submit
C:\Windows\System\CFEPnrh.exe

Filesize
1.9MB

MD5
efa2a4cd04224cc9d2abce2efe33eb6c

SHA1
3d968bc0b05b9464867328ef16c8d2aee1266fc0

SHA256
ae5e95eef7c1c17c17b47f565a177d0ce3e6474156991908704f2cb06e35a376

SHA512
326073dd7884c8b74e5ab744f8b16156a6164034223d3dd02fae96673b1510f05d62a0ec049b9d9a6804f5206d0f1f7e6770870f6df413c12ea4bc811a86b61d

Download Submit
C:\Windows\System\DjFXMqm.exe

Filesize
1.9MB

MD5
82bb68aae164994af10c978061ea3c56

SHA1
cc19d970ac27a8b226402df5fa23dbf1f5e16c4d

SHA256
01bfc42346caed604053e60cdcc01b926f76c245044164c8e5bd0541707cc460

SHA512
3207aaeed44fba41e26e8390258127aa7b78b94575b7d6c7b415921d0e684af933883a1a00fd9b30fa90ef5e334bcc90f74e07942a61c44de5b5d991e150ff92

Download Submit
C:\Windows\System\EycgeQY.exe

Filesize
1.9MB

MD5
f3234a409f1447be72f972550f35de33

SHA1
bd6f12b73ffd456fe9e2b15f89c64f5231ef897d

SHA256
291d2c4dcc53e4eee744bbd6c5ba7e334e4f35a1c5113f7e1802c59af29ffc83

SHA512
27598bbbfdf5d871a6835db706e1ede1156fa12eb2898374040c882e87679e958c4ab11165ae054d06698e94024a299c1fb97abb0897c06c937a9d222ec69fdd

Download Submit
C:\Windows\System\FkhFpyv.exe

Filesize
1.9MB

MD5
c157372f18cfaf61111a65691d0ed8c2

SHA1
8e91a718d054b3acdf9ee20683e7a8d0c856485f

SHA256
568037082a2922ba599efe831bc010ba4fd7f8953636380e847c816394003693

SHA512
4a70a3657aa9d724a1e8365e50f4c6499ee56d4bd7baadd253cf5373df9b8991b9f29efd2c6975027c59c5e5daf61b95b77b2094c0ce291888e1a42166688b78

Download Submit
C:\Windows\System\HRKBNvY.exe

Filesize
1.9MB

MD5
a2624124f4cdba0b1be97d7a0ceee722

SHA1
095fabea2e413ded0c27a0a3f72c3439d48c918d

SHA256
861dcfc6d7f5e8424a385e6ae787ea4bf29792aa346a3215d0b4a076098c2bf6

SHA512
4dad9c54d771336d17b59c9de91e2cbc91aef40ee9f7bae1aa5c756ce1715251a3b62ff0ec96bca8a4a9aedca7f89096ca0abaa9d0360aad52849f31a1d38bbd

Download Submit
C:\Windows\System\JHDOgMK.exe

Filesize
1.9MB

MD5
1c0df9535bbd204fb8c14bc9cf636451

SHA1
57cdd5a5c3f943afa514c1c7081deed0ab959a56

SHA256
aeca2a08ac7e75774e4943c243d9d13f49d30ecb8c06afdbd6c45a584e876b96

SHA512
30e8559d5584896c3980da8285f8ea3cb6a634d2097d2784d7ae8c8d87cd9042472ee1671a0b96c5b3d8a3c4058a25dc4dcad0fe6ff8e0ec82b2ac143bddc6ae

Download Submit
C:\Windows\System\JsZZFeu.exe

Filesize
1.9MB

MD5
6a03ae2b0b84427614be85be9d8cfe7e

SHA1
01c50022ceecc3559c258f378a76bf8ca1b8fd2d

SHA256
926dff329b9c41ae83b0e743f5d113095c6385b5b5304049a26f9663e6a49804

SHA512
0c85dbff0ee6177380d7cad8c49e7d8b6af56fa071db93ee6254d60b62c92497653fa6d3db56cf6200a59f988979279dce9042e209e76fb75768761eab521447

Download Submit
C:\Windows\System\JujCSOM.exe

Filesize
1.9MB

MD5
b86da5a1c1db42da72f4361f416c10db

SHA1
85ec70150e0f9f0ec3f18bfab441be9e255a3e1d

SHA256
8e1dca0b02203e234d51984c818032e705ade8a24fa14ef8038d1b955ced91d0

SHA512
000b126f3b3a53d2101b9d9e88d359b936981cb2728bbbb94f29b810a8d53ba0f5bbe412400e2c0890f5813ceb23307e8384aa98f27eca1ee8c79cb6d5b8824d

Download Submit
C:\Windows\System\LWmwNAb.exe

Filesize
1.9MB

MD5
0dd904b7c5cca98d93d7242f9d52f48a

SHA1
e3b5ca82aa008469178cbe52e6c3501bfdaab2f2

SHA256
02f5707e795ed3ed8601479990a0e14c6b24cd56d33402eaa41229a17e402b06

SHA512
8d02cd5ddc1bdd794c61545b248a883c1f4c297cd5f0700fb674efcdb5854ee507f713087f4c86d65f654978fa1a980e8e4f2f68033f7b93449e7cd4b12220b8

Download Submit
C:\Windows\System\NiTGXEy.exe

Filesize
1.9MB

MD5
6ffa8a82384b56da8dea84b40fef638e

SHA1
e9b78325559a1449f180d4799e042c6057b7f8cd

SHA256
f5a0b4e7157d89ca3267d4d9491dac54644515a8271fd3c4354271051b441211

SHA512
f57b1018ff9b87b4084383eb6120d7f9b4587f71e77a834ea6ad1bc4bc053b2328e87ac884c1bb65936de259c854656ba8db2c3c5d9ed2564aade11077c40aee

Download Submit
C:\Windows\System\OccljFM.exe

Filesize
1.9MB

MD5
adac742bcb54e10c6ff908f1751e62df

SHA1
989836a7c07b3edd5b0861436e82fc5336879f12

SHA256
faf48d3ca2c70e4e634de71ee85515121633ec37c1a7529d1379834b1fe6f018

SHA512
048e9380332661af82bae213df12845c97ef8f8b2adf16bb8eb3f2bec57f48403158e857712b197e86db1dcc0f68867b67093b27673e8389e82b41c98e8a9d85

Download Submit
C:\Windows\System\PcRkiGx.exe

Filesize
1.9MB

MD5
4c4ec6bbd1c588fafaa41a3a23325cf3

SHA1
93668a27cc6a4d784ff72d9ebf9b28b64ee7757c

SHA256
bf069cc66ae82e6294a6347ee2626dbdb270e20af81cc1b9c1563d619e3c0250

SHA512
963aeb00e4912a2c6792886ac3c032ee06d2f4ecccbec5da113a17a82f31b9080679e7ba55dcf1714b94fbc080b60681c276cf75a10c2428a249e83e7bb935ab

Download Submit
C:\Windows\System\VWWnXXr.exe

Filesize
1.9MB

MD5
8f0057a0cd33a3facfe0ce72e10feb22

SHA1
a959299760c268d936da67d1d008af5580d5b5a1

SHA256
59709a4fd02622ae363735935fdb6cf771361b8783a5ce7fd15b72ad743ef7c8

SHA512
b48c551c7b99760e4ab2ed31ad30725c41a48c18b035c0f3520acbca0c534ac614b199a935a2c4b61395f212a94307213f77170b8da4cc9b4deb0f1894f2cfe8

Download Submit
C:\Windows\System\YgWAgjJ.exe

Filesize
1.9MB

MD5
14b94ce1e07137e0bd1bd48164fe558a

SHA1
10df5753a0622969f06bc34fc1406af233c1b394

SHA256
c0fe644446f677f00e72ca4b3a6745ec76c3f900f443665c2595463bf411a17c

SHA512
2fa89d1f16550352fac8aa59874d7ca4192090bb849e8813df5f4ea6610e85ef2b2957fe525958b52a03bec7cefe95699bbe890b0cca4d4130896f7efdf23c79

Download Submit
C:\Windows\System\cbwqCWg.exe

Filesize
1.9MB

MD5
cf28611de6013bb2c56b465b342f6490

SHA1
374a08f3615970e3053ef0d017d3536d31c94ec6

SHA256
0c38d205d14e5b2d0a4ea62ddfb63b7aecdf76f1fd760187d07b3cf89f4f80d5

SHA512
528015a3e861441540c3f6d895678ef9d222727aa3c3794aec591e5672354a298cb6e51a702791e677483f9e07c03ae6a0096733e6b1a25ced257a24ced31df6

Download Submit
C:\Windows\System\cwuPvmu.exe

Filesize
1.9MB

MD5
37432c14db70a9edf25fc1bc294eb4de

SHA1
e9554b91f58b6f682e33b9a16c801eaffb048fa7

SHA256
b17504702f3e7ae79740c75518f6a3b6592e26a685480c8ea636fb066579a147

SHA512
330fc0b616490aa58467f37457e56d1b655b16c500a2dd1a948c0885ebd2484c3520ef2fd93480b4aa42c6ccfa0ef8c5c0ddb6e7c961fdbe6ead2707e5dd52fb

Download Submit
C:\Windows\System\fsQxJvI.exe

Filesize
1.9MB

MD5
4b47db77aaec8ba80e8fefd5e2143c93

SHA1
f8fc5877fcc0abcec062767b24c9aac739995c20

SHA256
d3262b499e053b7fa8df493fd052b7b7026b09402447dc91919b3b7d85425aca

SHA512
640de0c745dc418a123ec463166b00eec071cbe2f53f7b81f7e084a8f7587b03313ef401f2d5870cf3de088d154000a3af8a54e677db82240e6cd4ccab1efbed

Download Submit
C:\Windows\System\gJpQpso.exe

Filesize
1.9MB

MD5
1adc4e9e6b72f14a50c4e4c2711a2e6a

SHA1
a9e10115d8959d36183bb2c1c18adad575b87411

SHA256
75cf942eb652e82b9a0f880a72ac9901eaa5e792e32e4cfdfd383551ec8448e3

SHA512
085409ffd845bd3a4fb960325783de89d04bf6084050e4fb7de11b5b0bdce7cfc16516e11ff204ad873472d39027c18549151823771287da55712c324d9268be

Download Submit
C:\Windows\System\gXHAZgx.exe

Filesize
1.9MB

MD5
4fcac450f5093221d3abba957a2d75f0

SHA1
5e76d2468ba1778ceaca128ccc00481ddab959b3

SHA256
fb56cf56826ea6ef26887bcebe34325d44058b3fd5892b2a2d09798c024b4820

SHA512
a4677f514cc2c28fb9137fe0a25b6b8e2941dc3d1faf98ad821f9fd82bcd25107e026d265e213e4b75fef2d6521e5a02c450cd5e2f15734b2a8d5dab235077b4

Download Submit
C:\Windows\System\inXZtZM.exe

Filesize
1.9MB

MD5
964bef3bffa1f6ced33dcab38e847b23

SHA1
a267def1fa12051eaa1e1ffc4185466adcd9d2d9

SHA256
5b7bf386806e61d56de29bb7ad41bf7d9aafa1ca29b90d12585ff9552109e885

SHA512
d28030860b154dee81812d5ed3d1c4cad93272e52b59b0be351666093773f3ae7609d6a5d043e2c554f502aacd6d560a77eacf93641cee5ba4da68e2b19fba6f

Download Submit
C:\Windows\System\jKdnVCx.exe

Filesize
1.9MB

MD5
103a9c068b513c2d123ab457c14077e9

SHA1
ed24296ed70d528ff7959926a5f404f106a12545

SHA256
d2a203813a68a92b1d9f33c22908b565ab7c8b4613a4ee5b4e6345bdeb9a62cf

SHA512
5ec0ccd15f9f9306b34679c88847b3646251b35d54fba258653345d1f236018d667066d53a801888e9809c015241d9ebbb992e2bca584945c15c7a1bcdd7bd34

Download Submit
C:\Windows\System\olzBTHU.exe

Filesize
1.9MB

MD5
c75086e7a6c07b1ec87c869e8986c3ae

SHA1
b5132da959b583eb0e756e58139367c8b29b2643

SHA256
983e1653a2c64e77eab5abc2e042c6aad0ab355f19a2424d49771cdd7f268e01

SHA512
dbff82af8a69132e61fd16269ebe2082651f3b45a1bc16a32d605850b79bb3fcf8c3590942f4e6d3da8de6423077e5fa3ddc30a9e169ac591a0daaf6e6c751c5

Download Submit
C:\Windows\System\onNNOTB.exe

Filesize
1.9MB

MD5
36980808ac3d7d01f685ee8b4784beab

SHA1
29b1aa5921f8b0bb8d129e805ca4422129365f4c

SHA256
ead1e52a0089a862eeca80d31687985e309109fcf7d058717c02eed7b6e64430

SHA512
9731462e3d8b2e6350f7a81cc2ffaf3c8d25bf59f106626c0cf7c6243c26e8e0ea4af9d25f40b7d1047c0ea13b5ea47bc67fabad84d95b799d3906a60021ba30

Download Submit
C:\Windows\System\peSPVcU.exe

Filesize
1.9MB

MD5
bce8afd7e5e4a7488b2490224cfc794b

SHA1
970a0f13ee146a09b02b94d360ad94da4cea2e3a

SHA256
7a2fa92b68c6971d654ff0fdea532ec0a9d0ddfdfa5a0177a91e6f54b6e70d6d

SHA512
7694694db4700ab352688bbecab005436ec495d9041789fc79f29142225c0d85cb085fb0a5c895a74498197235e7d40fdd3179634f019b358b6a299b790be8e1

Download Submit
C:\Windows\System\qLaWLcK.exe

Filesize
1.9MB

MD5
419f66c4ddae2ce378aac9d8cdb3664e

SHA1
6185ea8b0c6f3ced0ddb064ef141e95272b81013

SHA256
63efe616379e82c0309a3dac674652b2720866587afae3b2017add9545a0e34a

SHA512
599e88af7ead4e3cf2f6ee13ec6ebf6ab83a6e3caed5effef73c01404ef338fc4ee9e2bd36667f34495708dbb91c60cf97ebea1db23efd8ac8820026f3cfab8d

Download Submit
C:\Windows\System\wunNlsd.exe

Filesize
1.9MB

MD5
42ab29637974a7d351cf6bc048e79be6

SHA1
903fbca4b7c1cf60556ba12f5f5c16ad2212780d

SHA256
cfdddecf9bd83ba44c57d49c64e2dc44d18323a9f24842ac887a41ac0650f156

SHA512
97f8b58d78f6e5baf3d26751a35d889e877cb8b26b335faabda3c5151faed4eb8d454c83f689e6bd0e637bdbbfb747bf86e494244e227327d53f05932118ae04

Download Submit
C:\Windows\System\ydqTWYO.exe

Filesize
1.9MB

MD5
c6505f77630603736e11f7a1872d60e6

SHA1
ecfb02fc45df3a7424b887ace4ac7fb71b0969d0

SHA256
868a76c195226df90001270ae160485db2ecc18badf3f50ac2871f9209d2e2d6

SHA512
8e565ad45ae01fb5cf4653b85bdb567ec63daf4ab2e9458913b8af078605135f605596227cf4a20825fda7567c06084ece78c56f8db32e41cc01f9f7ccac1d38

Download Submit
C:\Windows\System\yqyfQae.exe

Filesize
1.9MB

MD5
a308168050abd5a5eb9b11b7671ae153

SHA1
35ff554f188eee27c943edee4a1412546dc57c6f

SHA256
bb01e2f5fe10fb70ed167e471aa496c7c2f1628265e375281338561cb0dce0f1

SHA512
6ab80a550be6a4d7b5194b431bb3e36f429cac046ba0cc34c99e8ff9f8da6e370e7841508fdc080c07d8c08d727377af33148c1caee74934912de58a900a0e11

Download Submit
C:\Windows\System\yrxyQln.exe

Filesize
1.9MB

MD5
ef8628487ada636320bcbf5a98bbc8c9

SHA1
a0fec082febfa735b30f31083ee626bc588b2a04

SHA256
6a2ffb59555d9389f2c1c5d9493ab2dda3117cd63cf9ab50485e1514e867f2e8

SHA512
b8295d79a27ddde0c1d391211f89570151acca0b61481b2680ac7bb53bc69f0e85a318afdcae8627ea98f6ca509663329a61a1c5653d92f43e3a1c744d57d38b

Download Submit
C:\Windows\System\zIkCEcu.exe

Filesize
1.9MB

MD5
4ae627daae836a04d4677e2865c2f891

SHA1
cd8a59a52328f3133e928037cb21ebd89b4590e4

SHA256
efbe726d30cfe8c0902a52a660dc6c9eefbdf2d6103c55434bf611b53db2afc6

SHA512
284e96910de0beacf23cd80e1ccd2998ef80b334de70059234718f42d3fd3a050230528b91a2f8a4c526adbe15456b6a201212df00e5acea1de6a5a794030a5b

Download Submit
C:\Windows\System\zSrzvcw.exe

Filesize
1.9MB

MD5
3d1737af6d2f20df9d4a28a2de960b87

SHA1
d1305d3fb8bc1173d190490284628de8180ca8aa

SHA256
e9f903fc53b1767da210fcbc767d76d48a80230be2b3844f5eaa3ee17c379199

SHA512
df815ea1438fc56347087e44c657c2852e3f8fde49344f0d874a0b53056163909b95bbd072c514154bd596fa850b728458535baf3a2da383f7b8cef2c39f1555

Download Submit
memory/60-21-0x00007FFD60980000-0x00007FFD61441000-memory.dmp

Filesize
10.8MB

Download
memory/60-3059-0x00007FFD60980000-0x00007FFD61441000-memory.dmp

Filesize
10.8MB

Download
memory/60-236-0x00000195B7A00000-0x00000195B81A6000-memory.dmp

Filesize
7.6MB

Download
memory/60-41-0x00000195B4C30000-0x00000195B4C52000-memory.dmp

Filesize
136KB

Download
memory/60-3062-0x00000195B4C60000-0x00000195B4C70000-memory.dmp

Filesize
64KB

Download
memory/60-24-0x00000195B4C60000-0x00000195B4C70000-memory.dmp

Filesize
64KB

Download
memory/60-3071-0x00007FFD60980000-0x00007FFD61441000-memory.dmp

Filesize
10.8MB

Download
memory/428-3106-0x00007FF7008E0000-0x00007FF700CD2000-memory.dmp

Filesize
3.9MB

Download
memory/428-421-0x00007FF7008E0000-0x00007FF700CD2000-memory.dmp

Filesize
3.9MB

Download
memory/640-499-0x00007FF646A60000-0x00007FF646E52000-memory.dmp

Filesize
3.9MB

Download
memory/640-3103-0x00007FF646A60000-0x00007FF646E52000-memory.dmp

Filesize
3.9MB

Download
memory/980-448-0x00007FF654F00000-0x00007FF6552F2000-memory.dmp

Filesize
3.9MB

Download
memory/980-3124-0x00007FF654F00000-0x00007FF6552F2000-memory.dmp

Filesize
3.9MB

Download
memory/1464-427-0x00007FF634D40000-0x00007FF635132000-memory.dmp

Filesize
3.9MB

Download
memory/1464-3117-0x00007FF634D40000-0x00007FF635132000-memory.dmp

Filesize
3.9MB

Download
memory/1748-435-0x00007FF65D590000-0x00007FF65D982000-memory.dmp

Filesize
3.9MB

Download
memory/1748-3113-0x00007FF65D590000-0x00007FF65D982000-memory.dmp

Filesize
3.9MB

Download
memory/1940-3099-0x00007FF6D99A0000-0x00007FF6D9D92000-memory.dmp

Filesize
3.9MB

Download
memory/1940-3060-0x00007FF6D99A0000-0x00007FF6D9D92000-memory.dmp

Filesize
3.9MB

Download
memory/1940-56-0x00007FF6D99A0000-0x00007FF6D9D92000-memory.dmp

Filesize
3.9MB

Download
memory/2068-444-0x00007FF708BA0000-0x00007FF708F92000-memory.dmp

Filesize
3.9MB

Download
memory/2068-3120-0x00007FF708BA0000-0x00007FF708F92000-memory.dmp

Filesize
3.9MB

Download
memory/2236-3101-0x00007FF765FE0000-0x00007FF7663D2000-memory.dmp

Filesize
3.9MB

Download
memory/2236-419-0x00007FF765FE0000-0x00007FF7663D2000-memory.dmp

Filesize
3.9MB

Download
memory/2252-3107-0x00007FF6F41B0000-0x00007FF6F45A2000-memory.dmp

Filesize
3.9MB

Download
memory/2252-3061-0x00007FF6F41B0000-0x00007FF6F45A2000-memory.dmp

Filesize
3.9MB

Download
memory/2252-67-0x00007FF6F41B0000-0x00007FF6F45A2000-memory.dmp

Filesize
3.9MB

Download
memory/2556-3091-0x00007FF7CE290000-0x00007FF7CE682000-memory.dmp

Filesize
3.9MB

Download
memory/2556-491-0x00007FF7CE290000-0x00007FF7CE682000-memory.dmp

Filesize
3.9MB

Download
memory/2604-469-0x00007FF71DDE0000-0x00007FF71E1D2000-memory.dmp

Filesize
3.9MB

Download
memory/2604-3129-0x00007FF71DDE0000-0x00007FF71E1D2000-memory.dmp

Filesize
3.9MB

Download
memory/3024-3126-0x00007FF72A1F0000-0x00007FF72A5E2000-memory.dmp

Filesize
3.9MB

Download
memory/3024-456-0x00007FF72A1F0000-0x00007FF72A5E2000-memory.dmp

Filesize
3.9MB

Download
memory/3052-3112-0x00007FF6D3D20000-0x00007FF6D4112000-memory.dmp

Filesize
3.9MB

Download
memory/3052-430-0x00007FF6D3D20000-0x00007FF6D4112000-memory.dmp

Filesize
3.9MB

Download
memory/3096-42-0x00007FF7E00A0000-0x00007FF7E0492000-memory.dmp

Filesize
3.9MB

Download
memory/3096-3095-0x00007FF7E00A0000-0x00007FF7E0492000-memory.dmp

Filesize
3.9MB

Download
memory/3176-3115-0x00007FF7BA520000-0x00007FF7BA912000-memory.dmp

Filesize
3.9MB

Download
memory/3176-508-0x00007FF7BA520000-0x00007FF7BA912000-memory.dmp

Filesize
3.9MB

Download
memory/3344-3098-0x00007FF6A5D00000-0x00007FF6A60F2000-memory.dmp

Filesize
3.9MB

Download
memory/3344-496-0x00007FF6A5D00000-0x00007FF6A60F2000-memory.dmp

Filesize
3.9MB

Download
memory/3536-3093-0x00007FF6DF520000-0x00007FF6DF912000-memory.dmp

Filesize
3.9MB

Download
memory/3536-32-0x00007FF6DF520000-0x00007FF6DF912000-memory.dmp

Filesize
3.9MB

Download
memory/4016-468-0x00007FF73E020000-0x00007FF73E412000-memory.dmp

Filesize
3.9MB

Download
memory/4016-3127-0x00007FF73E020000-0x00007FF73E412000-memory.dmp

Filesize
3.9MB

Download
memory/4184-439-0x00007FF68D830000-0x00007FF68DC22000-memory.dmp

Filesize
3.9MB

Download
memory/4184-3121-0x00007FF68D830000-0x00007FF68DC22000-memory.dmp

Filesize
3.9MB

Download
memory/4552-476-0x00007FF631F90000-0x00007FF632382000-memory.dmp

Filesize
3.9MB

Download
memory/4552-3131-0x00007FF631F90000-0x00007FF632382000-memory.dmp

Filesize
3.9MB

Download
memory/5104-3109-0x00007FF660FE0000-0x00007FF6613D2000-memory.dmp

Filesize
3.9MB

Download
memory/5104-506-0x00007FF660FE0000-0x00007FF6613D2000-memory.dmp

Filesize
3.9MB

Download
memory/5116-1-0x000002A3E6070000-0x000002A3E6080000-memory.dmp

Filesize
64KB

Download
memory/5116-0-0x00007FF6B1080000-0x00007FF6B1472000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.