xmrig | 34aafd4cdcc39447ef4d3c2f626bacd94ad03e8510aeb31c79b742ad517f7f5e

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 16:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
Size

1.9MB
MD5

0c4789c8a38e2c3827c33c1845a67e66
SHA1

5653d77fa4b28eb05f99bfda581683d73da5a82f
SHA256

34aafd4cdcc39447ef4d3c2f626bacd94ad03e8510aeb31c79b742ad517f7f5e
SHA512

d51fe20506bb7439cafdebe746a69730b4c47f782e98ee933e45e4f6d3f847b06457e3061f858b78d6ae876d38e35eb2aa13768e9a73067cb4691932d1991fc1
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82SflDrlZ:NABg

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4592-20-0x00007FF633460000-0x00007FF633852000-memory.dmp	xmrig
behavioral2/memory/5096-109-0x00007FF6F1950000-0x00007FF6F1D42000-memory.dmp	xmrig
behavioral2/memory/4236-112-0x00007FF6C04B0000-0x00007FF6C08A2000-memory.dmp	xmrig
behavioral2/memory/2036-115-0x00007FF6224C0000-0x00007FF6228B2000-memory.dmp	xmrig
behavioral2/memory/1504-117-0x00007FF7BDFD0000-0x00007FF7BE3C2000-memory.dmp	xmrig
behavioral2/memory/948-364-0x00007FF73A520000-0x00007FF73A912000-memory.dmp	xmrig
behavioral2/memory/3760-363-0x00007FF6044C0000-0x00007FF6048B2000-memory.dmp	xmrig
behavioral2/memory/5108-366-0x00007FF604BE0000-0x00007FF604FD2000-memory.dmp	xmrig
behavioral2/memory/2924-367-0x00007FF71CBF0000-0x00007FF71CFE2000-memory.dmp	xmrig
behavioral2/memory/4604-365-0x00007FF6D6630000-0x00007FF6D6A22000-memory.dmp	xmrig
behavioral2/memory/836-369-0x00007FF602A50000-0x00007FF602E42000-memory.dmp	xmrig
behavioral2/memory/4076-368-0x00007FF72CF50000-0x00007FF72D342000-memory.dmp	xmrig
behavioral2/memory/3748-114-0x00007FF621740000-0x00007FF621B32000-memory.dmp	xmrig
behavioral2/memory/4124-113-0x00007FF7F5060000-0x00007FF7F5452000-memory.dmp	xmrig
behavioral2/memory/808-111-0x00007FF6382F0000-0x00007FF6386E2000-memory.dmp	xmrig
behavioral2/memory/1056-110-0x00007FF7012C0000-0x00007FF7016B2000-memory.dmp	xmrig
behavioral2/memory/2440-108-0x00007FF6BB620000-0x00007FF6BBA12000-memory.dmp	xmrig
behavioral2/memory/3688-105-0x00007FF611A30000-0x00007FF611E22000-memory.dmp	xmrig
behavioral2/memory/4000-104-0x00007FF60B260000-0x00007FF60B652000-memory.dmp	xmrig
behavioral2/memory/4024-103-0x00007FF7A3190000-0x00007FF7A3582000-memory.dmp	xmrig
behavioral2/memory/2504-99-0x00007FF78DEE0000-0x00007FF78E2D2000-memory.dmp	xmrig
behavioral2/memory/3564-26-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp	xmrig
behavioral2/memory/628-12-0x00007FF73C150000-0x00007FF73C542000-memory.dmp	xmrig
behavioral2/memory/3564-3058-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp	xmrig
behavioral2/memory/3612-3059-0x00007FF63DB40000-0x00007FF63DF32000-memory.dmp	xmrig
behavioral2/memory/628-3123-0x00007FF73C150000-0x00007FF73C542000-memory.dmp	xmrig
behavioral2/memory/4592-3125-0x00007FF633460000-0x00007FF633852000-memory.dmp	xmrig
behavioral2/memory/3564-3127-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp	xmrig
behavioral2/memory/3748-3129-0x00007FF621740000-0x00007FF621B32000-memory.dmp	xmrig
behavioral2/memory/3612-3131-0x00007FF63DB40000-0x00007FF63DF32000-memory.dmp	xmrig
behavioral2/memory/2504-3135-0x00007FF78DEE0000-0x00007FF78E2D2000-memory.dmp	xmrig
behavioral2/memory/2036-3134-0x00007FF6224C0000-0x00007FF6228B2000-memory.dmp	xmrig
behavioral2/memory/4000-3139-0x00007FF60B260000-0x00007FF60B652000-memory.dmp	xmrig
behavioral2/memory/4024-3138-0x00007FF7A3190000-0x00007FF7A3582000-memory.dmp	xmrig
behavioral2/memory/3688-3143-0x00007FF611A30000-0x00007FF611E22000-memory.dmp	xmrig
behavioral2/memory/2440-3142-0x00007FF6BB620000-0x00007FF6BBA12000-memory.dmp	xmrig
behavioral2/memory/5096-3145-0x00007FF6F1950000-0x00007FF6F1D42000-memory.dmp	xmrig
behavioral2/memory/1504-3147-0x00007FF7BDFD0000-0x00007FF7BE3C2000-memory.dmp	xmrig
behavioral2/memory/1056-3153-0x00007FF7012C0000-0x00007FF7016B2000-memory.dmp	xmrig
behavioral2/memory/4236-3151-0x00007FF6C04B0000-0x00007FF6C08A2000-memory.dmp	xmrig
behavioral2/memory/808-3150-0x00007FF6382F0000-0x00007FF6386E2000-memory.dmp	xmrig
behavioral2/memory/4124-3155-0x00007FF7F5060000-0x00007FF7F5452000-memory.dmp	xmrig
behavioral2/memory/3760-3157-0x00007FF6044C0000-0x00007FF6048B2000-memory.dmp	xmrig
behavioral2/memory/948-3159-0x00007FF73A520000-0x00007FF73A912000-memory.dmp	xmrig
behavioral2/memory/5108-3163-0x00007FF604BE0000-0x00007FF604FD2000-memory.dmp	xmrig
behavioral2/memory/4604-3161-0x00007FF6D6630000-0x00007FF6D6A22000-memory.dmp	xmrig
behavioral2/memory/2924-3165-0x00007FF71CBF0000-0x00007FF71CFE2000-memory.dmp	xmrig
behavioral2/memory/4076-3167-0x00007FF72CF50000-0x00007FF72D342000-memory.dmp	xmrig
behavioral2/memory/836-3169-0x00007FF602A50000-0x00007FF602E42000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	900	powershell.exe
6	900	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
628	OMYIbaG.exe
4592	lWziOCU.exe
3564	IpuUrDQ.exe
3748	PLnriUD.exe
3612	baPLRgl.exe
2036	BjyHqYM.exe
2504	fonHIHP.exe
4024	oFTBTCp.exe
4000	QDflYMd.exe
3688	dfQqdck.exe
2440	IhHmtoM.exe
5096	COLSRVa.exe
1504	uTxeWzZ.exe
1056	dXOUtqO.exe
808	bGkeMQP.exe
4236	CrxZfza.exe
4124	HFnmyXC.exe
3760	kIIWwWK.exe
948	tTEVIRr.exe
4604	vDZCJOq.exe
5108	FtakviS.exe
2924	nlglxez.exe
4076	tTCVSUL.exe
836	QQNDZSN.exe
1892	NRLseAO.exe
3360	CcaQvId.exe
4696	axucDPy.exe
4980	VtKaPyn.exe
5016	NewJEZY.exe
4372	NHRCMIm.exe
4452	dvtoscR.exe
1440	xWghZzK.exe
5116	GJlQXgR.exe
2156	QjsdGmi.exe
4068	BrTGyIE.exe
3216	ehFYhjq.exe
464	kSQpnoU.exe
2124	idTadIj.exe
5036	QqAdAla.exe
1604	cGoAQrI.exe
1716	gVhkRTj.exe
4300	JZMqCND.exe
3004	rPmQjhT.exe
4572	cOfprio.exe
1880	SKGkXhu.exe
1412	EGAJRSN.exe
3416	OqjBWxS.exe
3276	DvuvHUJ.exe
2428	ToYawDA.exe
1476	ZrpLQeJ.exe
2104	quETWdl.exe
536	wtcImMA.exe
4496	cyTCRTX.exe
920	gekQhMt.exe
5008	BINcuwP.exe
2972	VfUzvzB.exe
3876	JYJBvHu.exe
5104	rqkkiNd.exe
1744	irYVeYu.exe
1864	kDDzHkU.exe
4440	avjppMV.exe
3624	KhiYgTt.exe
3208	oycvKja.exe
552	srlALoD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2896-0-0x00007FF720070000-0x00007FF720462000-memory.dmp	upx
behavioral2/files/0x000600000002327d-5.dat	upx
behavioral2/files/0x000700000002340c-9.dat	upx
behavioral2/files/0x000800000002340b-16.dat	upx
behavioral2/memory/4592-20-0x00007FF633460000-0x00007FF633852000-memory.dmp	upx
behavioral2/files/0x000700000002340d-34.dat	upx
behavioral2/files/0x000700000002340f-41.dat	upx
behavioral2/files/0x0007000000023411-46.dat	upx
behavioral2/files/0x0007000000023412-54.dat	upx
behavioral2/files/0x0007000000023413-58.dat	upx
behavioral2/files/0x0007000000023414-64.dat	upx
behavioral2/files/0x0007000000023416-82.dat	upx
behavioral2/files/0x0008000000023418-91.dat	upx
behavioral2/files/0x0008000000023409-101.dat	upx
behavioral2/files/0x0008000000023417-106.dat	upx
behavioral2/memory/5096-109-0x00007FF6F1950000-0x00007FF6F1D42000-memory.dmp	upx
behavioral2/memory/4236-112-0x00007FF6C04B0000-0x00007FF6C08A2000-memory.dmp	upx
behavioral2/memory/2036-115-0x00007FF6224C0000-0x00007FF6228B2000-memory.dmp	upx
behavioral2/memory/1504-117-0x00007FF7BDFD0000-0x00007FF7BE3C2000-memory.dmp	upx
behavioral2/files/0x000700000002341c-134.dat	upx
behavioral2/files/0x000700000002341f-149.dat	upx
behavioral2/files/0x0007000000023421-159.dat	upx
behavioral2/files/0x0007000000023427-183.dat	upx
behavioral2/memory/948-364-0x00007FF73A520000-0x00007FF73A912000-memory.dmp	upx
behavioral2/memory/3760-363-0x00007FF6044C0000-0x00007FF6048B2000-memory.dmp	upx
behavioral2/memory/5108-366-0x00007FF604BE0000-0x00007FF604FD2000-memory.dmp	upx
behavioral2/memory/2924-367-0x00007FF71CBF0000-0x00007FF71CFE2000-memory.dmp	upx
behavioral2/memory/4604-365-0x00007FF6D6630000-0x00007FF6D6A22000-memory.dmp	upx
behavioral2/memory/836-369-0x00007FF602A50000-0x00007FF602E42000-memory.dmp	upx
behavioral2/memory/4076-368-0x00007FF72CF50000-0x00007FF72D342000-memory.dmp	upx
behavioral2/files/0x0007000000023429-193.dat	upx
behavioral2/files/0x0007000000023428-188.dat	upx
behavioral2/files/0x0007000000023426-186.dat	upx
behavioral2/files/0x0007000000023425-181.dat	upx
behavioral2/files/0x0007000000023424-176.dat	upx
behavioral2/files/0x0007000000023423-171.dat	upx
behavioral2/files/0x0007000000023422-166.dat	upx
behavioral2/files/0x0007000000023420-154.dat	upx
behavioral2/files/0x000700000002341e-144.dat	upx
behavioral2/files/0x000700000002341d-139.dat	upx
behavioral2/files/0x000700000002341b-129.dat	upx
behavioral2/files/0x000700000002341a-123.dat	upx
behavioral2/memory/3748-114-0x00007FF621740000-0x00007FF621B32000-memory.dmp	upx
behavioral2/memory/4124-113-0x00007FF7F5060000-0x00007FF7F5452000-memory.dmp	upx
behavioral2/memory/808-111-0x00007FF6382F0000-0x00007FF6386E2000-memory.dmp	upx
behavioral2/memory/1056-110-0x00007FF7012C0000-0x00007FF7016B2000-memory.dmp	upx
behavioral2/memory/2440-108-0x00007FF6BB620000-0x00007FF6BBA12000-memory.dmp	upx
behavioral2/memory/3688-105-0x00007FF611A30000-0x00007FF611E22000-memory.dmp	upx
behavioral2/memory/4000-104-0x00007FF60B260000-0x00007FF60B652000-memory.dmp	upx
behavioral2/memory/4024-103-0x00007FF7A3190000-0x00007FF7A3582000-memory.dmp	upx
behavioral2/memory/2504-99-0x00007FF78DEE0000-0x00007FF78E2D2000-memory.dmp	upx
behavioral2/files/0x0007000000023419-87.dat	upx
behavioral2/files/0x0007000000023415-78.dat	upx
behavioral2/files/0x0007000000023410-44.dat	upx
behavioral2/files/0x000700000002340e-36.dat	upx
behavioral2/memory/3612-31-0x00007FF63DB40000-0x00007FF63DF32000-memory.dmp	upx
behavioral2/memory/3564-26-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp	upx
behavioral2/memory/628-12-0x00007FF73C150000-0x00007FF73C542000-memory.dmp	upx
behavioral2/memory/3564-3058-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp	upx
behavioral2/memory/3612-3059-0x00007FF63DB40000-0x00007FF63DF32000-memory.dmp	upx
behavioral2/memory/628-3123-0x00007FF73C150000-0x00007FF73C542000-memory.dmp	upx
behavioral2/memory/4592-3125-0x00007FF633460000-0x00007FF633852000-memory.dmp	upx
behavioral2/memory/3564-3127-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp	upx
behavioral2/memory/3748-3129-0x00007FF621740000-0x00007FF621B32000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\vNSChqn.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\yXcRsKO.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\WVVCOSj.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\qxScZAz.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\pqkfpZO.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\yZvgHLp.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\HlAMntr.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\abXeVmI.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\AUdbltF.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\TyjIWIN.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\iStWmrX.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\OyoYiFN.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\IDeEwZF.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\XdAfAuD.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\sFBrhyE.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\hSQDhIl.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\IYMkXjP.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\KZHJdaN.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\pjPgTXi.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\wYgJiDX.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\zMPoThD.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\AohKsZP.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\rySGFnq.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\QGvCjLG.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\MuqLobK.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\glfCPQh.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\SlfgZzA.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\EpMYhVP.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\TAAnKZP.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\PsDAuum.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\GdLlmzm.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\qUCNZJj.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\QELLGTt.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\tQtNPDF.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\XCXblsp.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\UJeyIrd.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\dPgdPPG.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\psQzCfw.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\NcIjFBW.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\aMDtFTe.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\NJnugOz.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\VUpfzbj.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\DWEIQSq.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\xCOdSwI.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\MTgNRli.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\zSCcuMw.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\WUWDEvs.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\IOCaDkH.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\iPYUNRA.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\rSjnDCo.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\MgXLilx.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\GDEobee.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\YijzDRl.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\yhjxmVw.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\UFqeTdI.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\JzOvQmU.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\ZOsKCjV.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\iSpNPDE.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\wfMcdLQ.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\csAITGj.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\EKAAYOt.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\dnKmLYl.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\QrghoiL.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
File created	C:\Windows\System\qhXxLmA.exe	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
900	powershell.exe
900	powershell.exe
900	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
Token: SeDebugPrivilege	900	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 900	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	82
PID 2896 wrote to memory of 900	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	82
PID 2896 wrote to memory of 628	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	83
PID 2896 wrote to memory of 628	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	83
PID 2896 wrote to memory of 3564	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	84
PID 2896 wrote to memory of 3564	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	84
PID 2896 wrote to memory of 4592	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	85
PID 2896 wrote to memory of 4592	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	85
PID 2896 wrote to memory of 3748	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	86
PID 2896 wrote to memory of 3748	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	86
PID 2896 wrote to memory of 3612	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	87
PID 2896 wrote to memory of 3612	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	87
PID 2896 wrote to memory of 2036	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	88
PID 2896 wrote to memory of 2036	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	88
PID 2896 wrote to memory of 2504	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	89
PID 2896 wrote to memory of 2504	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	89
PID 2896 wrote to memory of 4024	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	90
PID 2896 wrote to memory of 4024	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	90
PID 2896 wrote to memory of 4000	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	91
PID 2896 wrote to memory of 4000	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	91
PID 2896 wrote to memory of 3688	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	92
PID 2896 wrote to memory of 3688	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	92
PID 2896 wrote to memory of 2440	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	93
PID 2896 wrote to memory of 2440	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	93
PID 2896 wrote to memory of 5096	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	94
PID 2896 wrote to memory of 5096	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	94
PID 2896 wrote to memory of 1504	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	95
PID 2896 wrote to memory of 1504	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	95
PID 2896 wrote to memory of 1056	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	96
PID 2896 wrote to memory of 1056	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	96
PID 2896 wrote to memory of 808	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	97
PID 2896 wrote to memory of 808	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	97
PID 2896 wrote to memory of 4236	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	98
PID 2896 wrote to memory of 4236	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	98
PID 2896 wrote to memory of 4124	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	99
PID 2896 wrote to memory of 4124	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	99
PID 2896 wrote to memory of 3760	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	100
PID 2896 wrote to memory of 3760	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	100
PID 2896 wrote to memory of 948	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	101
PID 2896 wrote to memory of 948	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	101
PID 2896 wrote to memory of 4604	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	102
PID 2896 wrote to memory of 4604	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	102
PID 2896 wrote to memory of 5108	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	103
PID 2896 wrote to memory of 5108	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	103
PID 2896 wrote to memory of 2924	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	104
PID 2896 wrote to memory of 2924	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	104
PID 2896 wrote to memory of 4076	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	105
PID 2896 wrote to memory of 4076	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	105
PID 2896 wrote to memory of 836	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	106
PID 2896 wrote to memory of 836	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	106
PID 2896 wrote to memory of 1892	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	107
PID 2896 wrote to memory of 1892	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	107
PID 2896 wrote to memory of 3360	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	108
PID 2896 wrote to memory of 3360	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	108
PID 2896 wrote to memory of 4696	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	109
PID 2896 wrote to memory of 4696	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	109
PID 2896 wrote to memory of 4980	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	110
PID 2896 wrote to memory of 4980	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	110
PID 2896 wrote to memory of 5016	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	111
PID 2896 wrote to memory of 5016	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	111
PID 2896 wrote to memory of 4372	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	112
PID 2896 wrote to memory of 4372	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	112
PID 2896 wrote to memory of 4452	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	113
PID 2896 wrote to memory of 4452	2896	0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe	113

C:\Users\Admin\AppData\Local\Temp\0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0c4789c8a38e2c3827c33c1845a67e66_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "900" "2920" "2868" "2924" "0" "0" "2928" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12564
- C:\Windows\System\OMYIbaG.exe
  C:\Windows\System\OMYIbaG.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\IpuUrDQ.exe
  C:\Windows\System\IpuUrDQ.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\lWziOCU.exe
  C:\Windows\System\lWziOCU.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\PLnriUD.exe
  C:\Windows\System\PLnriUD.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\baPLRgl.exe
  C:\Windows\System\baPLRgl.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\BjyHqYM.exe
  C:\Windows\System\BjyHqYM.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\fonHIHP.exe
  C:\Windows\System\fonHIHP.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\oFTBTCp.exe
  C:\Windows\System\oFTBTCp.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\QDflYMd.exe
  C:\Windows\System\QDflYMd.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\dfQqdck.exe
  C:\Windows\System\dfQqdck.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\IhHmtoM.exe
  C:\Windows\System\IhHmtoM.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\COLSRVa.exe
  C:\Windows\System\COLSRVa.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\uTxeWzZ.exe
  C:\Windows\System\uTxeWzZ.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\dXOUtqO.exe
  C:\Windows\System\dXOUtqO.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\bGkeMQP.exe
  C:\Windows\System\bGkeMQP.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\CrxZfza.exe
  C:\Windows\System\CrxZfza.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\HFnmyXC.exe
  C:\Windows\System\HFnmyXC.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\kIIWwWK.exe
  C:\Windows\System\kIIWwWK.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\tTEVIRr.exe
  C:\Windows\System\tTEVIRr.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\vDZCJOq.exe
  C:\Windows\System\vDZCJOq.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\FtakviS.exe
  C:\Windows\System\FtakviS.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\nlglxez.exe
  C:\Windows\System\nlglxez.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\tTCVSUL.exe
  C:\Windows\System\tTCVSUL.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\QQNDZSN.exe
  C:\Windows\System\QQNDZSN.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\NRLseAO.exe
  C:\Windows\System\NRLseAO.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\CcaQvId.exe
  C:\Windows\System\CcaQvId.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\axucDPy.exe
  C:\Windows\System\axucDPy.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\VtKaPyn.exe
  C:\Windows\System\VtKaPyn.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\NewJEZY.exe
  C:\Windows\System\NewJEZY.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\NHRCMIm.exe
  C:\Windows\System\NHRCMIm.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\dvtoscR.exe
  C:\Windows\System\dvtoscR.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\xWghZzK.exe
  C:\Windows\System\xWghZzK.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\GJlQXgR.exe
  C:\Windows\System\GJlQXgR.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\QjsdGmi.exe
  C:\Windows\System\QjsdGmi.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\BrTGyIE.exe
  C:\Windows\System\BrTGyIE.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\ehFYhjq.exe
  C:\Windows\System\ehFYhjq.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\kSQpnoU.exe
  C:\Windows\System\kSQpnoU.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\idTadIj.exe
  C:\Windows\System\idTadIj.exe
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\Windows\System\QqAdAla.exe
  C:\Windows\System\QqAdAla.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\cGoAQrI.exe
  C:\Windows\System\cGoAQrI.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\gVhkRTj.exe
  C:\Windows\System\gVhkRTj.exe
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\Windows\System\JZMqCND.exe
  C:\Windows\System\JZMqCND.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\rPmQjhT.exe
  C:\Windows\System\rPmQjhT.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\cOfprio.exe
  C:\Windows\System\cOfprio.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\SKGkXhu.exe
  C:\Windows\System\SKGkXhu.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\EGAJRSN.exe
  C:\Windows\System\EGAJRSN.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\OqjBWxS.exe
  C:\Windows\System\OqjBWxS.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\DvuvHUJ.exe
  C:\Windows\System\DvuvHUJ.exe
  2⤵
  - Executes dropped EXE
  PID:3276
- C:\Windows\System\ToYawDA.exe
  C:\Windows\System\ToYawDA.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\ZrpLQeJ.exe
  C:\Windows\System\ZrpLQeJ.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\quETWdl.exe
  C:\Windows\System\quETWdl.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\wtcImMA.exe
  C:\Windows\System\wtcImMA.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\cyTCRTX.exe
  C:\Windows\System\cyTCRTX.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\gekQhMt.exe
  C:\Windows\System\gekQhMt.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\BINcuwP.exe
  C:\Windows\System\BINcuwP.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\VfUzvzB.exe
  C:\Windows\System\VfUzvzB.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\JYJBvHu.exe
  C:\Windows\System\JYJBvHu.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\rqkkiNd.exe
  C:\Windows\System\rqkkiNd.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\irYVeYu.exe
  C:\Windows\System\irYVeYu.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\kDDzHkU.exe
  C:\Windows\System\kDDzHkU.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\avjppMV.exe
  C:\Windows\System\avjppMV.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\KhiYgTt.exe
  C:\Windows\System\KhiYgTt.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\oycvKja.exe
  C:\Windows\System\oycvKja.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\srlALoD.exe
  C:\Windows\System\srlALoD.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\UsLRCXL.exe
  C:\Windows\System\UsLRCXL.exe
  2⤵
  PID:3436
- C:\Windows\System\XlRAhwj.exe
  C:\Windows\System\XlRAhwj.exe
  2⤵
  PID:4832
- C:\Windows\System\mQhsRsX.exe
  C:\Windows\System\mQhsRsX.exe
  2⤵
  PID:4756
- C:\Windows\System\vGvmWDa.exe
  C:\Windows\System\vGvmWDa.exe
  2⤵
  PID:1676
- C:\Windows\System\pVnFkfH.exe
  C:\Windows\System\pVnFkfH.exe
  2⤵
  PID:3728
- C:\Windows\System\teQCjQM.exe
  C:\Windows\System\teQCjQM.exe
  2⤵
  PID:3488
- C:\Windows\System\vItLKXW.exe
  C:\Windows\System\vItLKXW.exe
  2⤵
  PID:4956
- C:\Windows\System\iOtxCAw.exe
  C:\Windows\System\iOtxCAw.exe
  2⤵
  PID:5072
- C:\Windows\System\uDIAIsa.exe
  C:\Windows\System\uDIAIsa.exe
  2⤵
  PID:1840
- C:\Windows\System\IdiasiJ.exe
  C:\Windows\System\IdiasiJ.exe
  2⤵
  PID:4576
- C:\Windows\System\ztaAHwL.exe
  C:\Windows\System\ztaAHwL.exe
  2⤵
  PID:2624
- C:\Windows\System\roTLXrL.exe
  C:\Windows\System\roTLXrL.exe
  2⤵
  PID:2948
- C:\Windows\System\FuBazOC.exe
  C:\Windows\System\FuBazOC.exe
  2⤵
  PID:4356
- C:\Windows\System\JYVgRUq.exe
  C:\Windows\System\JYVgRUq.exe
  2⤵
  PID:4688
- C:\Windows\System\SPFOEcM.exe
  C:\Windows\System\SPFOEcM.exe
  2⤵
  PID:3224
- C:\Windows\System\wheZKVv.exe
  C:\Windows\System\wheZKVv.exe
  2⤵
  PID:3996
- C:\Windows\System\bAcFBOi.exe
  C:\Windows\System\bAcFBOi.exe
  2⤵
  PID:768
- C:\Windows\System\mpaVGXM.exe
  C:\Windows\System\mpaVGXM.exe
  2⤵
  PID:4724
- C:\Windows\System\XEzShSH.exe
  C:\Windows\System\XEzShSH.exe
  2⤵
  PID:2928
- C:\Windows\System\wbVRHRa.exe
  C:\Windows\System\wbVRHRa.exe
  2⤵
  PID:3048
- C:\Windows\System\CoXFaIe.exe
  C:\Windows\System\CoXFaIe.exe
  2⤵
  PID:832
- C:\Windows\System\KTrKykm.exe
  C:\Windows\System\KTrKykm.exe
  2⤵
  PID:4164
- C:\Windows\System\EEyoIjN.exe
  C:\Windows\System\EEyoIjN.exe
  2⤵
  PID:3800
- C:\Windows\System\VnlCYEc.exe
  C:\Windows\System\VnlCYEc.exe
  2⤵
  PID:4028
- C:\Windows\System\ydPiqTj.exe
  C:\Windows\System\ydPiqTj.exe
  2⤵
  PID:4384
- C:\Windows\System\KZQJDsn.exe
  C:\Windows\System\KZQJDsn.exe
  2⤵
  PID:924
- C:\Windows\System\qPVzRQd.exe
  C:\Windows\System\qPVzRQd.exe
  2⤵
  PID:3256
- C:\Windows\System\PstyCng.exe
  C:\Windows\System\PstyCng.exe
  2⤵
  PID:4352
- C:\Windows\System\brHSkFn.exe
  C:\Windows\System\brHSkFn.exe
  2⤵
  PID:1824
- C:\Windows\System\cImFlxF.exe
  C:\Windows\System\cImFlxF.exe
  2⤵
  PID:5132
- C:\Windows\System\aEEuLSA.exe
  C:\Windows\System\aEEuLSA.exe
  2⤵
  PID:5156
- C:\Windows\System\pRzZbYN.exe
  C:\Windows\System\pRzZbYN.exe
  2⤵
  PID:5180
- C:\Windows\System\rpOewcB.exe
  C:\Windows\System\rpOewcB.exe
  2⤵
  PID:5252
- C:\Windows\System\oYWbuJe.exe
  C:\Windows\System\oYWbuJe.exe
  2⤵
  PID:5428
- C:\Windows\System\yCkWjFQ.exe
  C:\Windows\System\yCkWjFQ.exe
  2⤵
  PID:5444
- C:\Windows\System\iFLMKQF.exe
  C:\Windows\System\iFLMKQF.exe
  2⤵
  PID:5468
- C:\Windows\System\MMtsKsI.exe
  C:\Windows\System\MMtsKsI.exe
  2⤵
  PID:5488
- C:\Windows\System\elHiLKn.exe
  C:\Windows\System\elHiLKn.exe
  2⤵
  PID:5560
- C:\Windows\System\aNedBRK.exe
  C:\Windows\System\aNedBRK.exe
  2⤵
  PID:5584
- C:\Windows\System\LtNmFTU.exe
  C:\Windows\System\LtNmFTU.exe
  2⤵
  PID:5616
- C:\Windows\System\PPBybTp.exe
  C:\Windows\System\PPBybTp.exe
  2⤵
  PID:5648
- C:\Windows\System\bjkNxwD.exe
  C:\Windows\System\bjkNxwD.exe
  2⤵
  PID:5664
- C:\Windows\System\kyHxwBk.exe
  C:\Windows\System\kyHxwBk.exe
  2⤵
  PID:5688
- C:\Windows\System\cGzxonb.exe
  C:\Windows\System\cGzxonb.exe
  2⤵
  PID:5740
- C:\Windows\System\GbhfxPv.exe
  C:\Windows\System\GbhfxPv.exe
  2⤵
  PID:5796
- C:\Windows\System\hRfIBwq.exe
  C:\Windows\System\hRfIBwq.exe
  2⤵
  PID:5828
- C:\Windows\System\kxGjzzq.exe
  C:\Windows\System\kxGjzzq.exe
  2⤵
  PID:5860
- C:\Windows\System\oscwySM.exe
  C:\Windows\System\oscwySM.exe
  2⤵
  PID:5880
- C:\Windows\System\LUfCvQn.exe
  C:\Windows\System\LUfCvQn.exe
  2⤵
  PID:5900
- C:\Windows\System\vuqhUqk.exe
  C:\Windows\System\vuqhUqk.exe
  2⤵
  PID:5916
- C:\Windows\System\VxSZFse.exe
  C:\Windows\System\VxSZFse.exe
  2⤵
  PID:5940
- C:\Windows\System\RyWwAkA.exe
  C:\Windows\System\RyWwAkA.exe
  2⤵
  PID:6012
- C:\Windows\System\fFxgKld.exe
  C:\Windows\System\fFxgKld.exe
  2⤵
  PID:6040
- C:\Windows\System\HpOGjnz.exe
  C:\Windows\System\HpOGjnz.exe
  2⤵
  PID:6096
- C:\Windows\System\LXymyHn.exe
  C:\Windows\System\LXymyHn.exe
  2⤵
  PID:6120
- C:\Windows\System\ngHVYck.exe
  C:\Windows\System\ngHVYck.exe
  2⤵
  PID:3248
- C:\Windows\System\sHFqOOw.exe
  C:\Windows\System\sHFqOOw.exe
  2⤵
  PID:532
- C:\Windows\System\evgAxOd.exe
  C:\Windows\System\evgAxOd.exe
  2⤵
  PID:4288
- C:\Windows\System\sNVcEJI.exe
  C:\Windows\System\sNVcEJI.exe
  2⤵
  PID:4816
- C:\Windows\System\wUtygzy.exe
  C:\Windows\System\wUtygzy.exe
  2⤵
  PID:4488
- C:\Windows\System\lehYzqC.exe
  C:\Windows\System\lehYzqC.exe
  2⤵
  PID:2304
- C:\Windows\System\nVfJMjh.exe
  C:\Windows\System\nVfJMjh.exe
  2⤵
  PID:884
- C:\Windows\System\VMqWqvt.exe
  C:\Windows\System\VMqWqvt.exe
  2⤵
  PID:4600
- C:\Windows\System\zdhYxhs.exe
  C:\Windows\System\zdhYxhs.exe
  2⤵
  PID:5344
- C:\Windows\System\JRmMHMG.exe
  C:\Windows\System\JRmMHMG.exe
  2⤵
  PID:5240
- C:\Windows\System\bMeEPGD.exe
  C:\Windows\System\bMeEPGD.exe
  2⤵
  PID:5460
- C:\Windows\System\NEdzgwf.exe
  C:\Windows\System\NEdzgwf.exe
  2⤵
  PID:5532
- C:\Windows\System\yqkvgKZ.exe
  C:\Windows\System\yqkvgKZ.exe
  2⤵
  PID:5516
- C:\Windows\System\RyoUTnG.exe
  C:\Windows\System\RyoUTnG.exe
  2⤵
  PID:5640
- C:\Windows\System\RaOPdsY.exe
  C:\Windows\System\RaOPdsY.exe
  2⤵
  PID:5680
- C:\Windows\System\SGfyBOv.exe
  C:\Windows\System\SGfyBOv.exe
  2⤵
  PID:5836
- C:\Windows\System\ZblwJsI.exe
  C:\Windows\System\ZblwJsI.exe
  2⤵
  PID:5820
- C:\Windows\System\PblSKMS.exe
  C:\Windows\System\PblSKMS.exe
  2⤵
  PID:5892
- C:\Windows\System\BSsNGqg.exe
  C:\Windows\System\BSsNGqg.exe
  2⤵
  PID:5924
- C:\Windows\System\jUEhUtm.exe
  C:\Windows\System\jUEhUtm.exe
  2⤵
  PID:5996
- C:\Windows\System\lLHDvzz.exe
  C:\Windows\System\lLHDvzz.exe
  2⤵
  PID:6080
- C:\Windows\System\dNbHvOb.exe
  C:\Windows\System\dNbHvOb.exe
  2⤵
  PID:6136
- C:\Windows\System\MKMyvNQ.exe
  C:\Windows\System\MKMyvNQ.exe
  2⤵
  PID:6132
- C:\Windows\System\reLtOwE.exe
  C:\Windows\System\reLtOwE.exe
  2⤵
  PID:3304
- C:\Windows\System\vhFKhbV.exe
  C:\Windows\System\vhFKhbV.exe
  2⤵
  PID:3148
- C:\Windows\System\bEpBCRg.exe
  C:\Windows\System\bEpBCRg.exe
  2⤵
  PID:5352
- C:\Windows\System\pGphMan.exe
  C:\Windows\System\pGphMan.exe
  2⤵
  PID:5644
- C:\Windows\System\zAYmSAY.exe
  C:\Windows\System\zAYmSAY.exe
  2⤵
  PID:3312
- C:\Windows\System\ZVmROXl.exe
  C:\Windows\System\ZVmROXl.exe
  2⤵
  PID:3968
- C:\Windows\System\UvfHzXv.exe
  C:\Windows\System\UvfHzXv.exe
  2⤵
  PID:5140
- C:\Windows\System\NOsckFM.exe
  C:\Windows\System\NOsckFM.exe
  2⤵
  PID:2888
- C:\Windows\System\MmPFMIy.exe
  C:\Windows\System\MmPFMIy.exe
  2⤵
  PID:5452
- C:\Windows\System\AOEOfQL.exe
  C:\Windows\System\AOEOfQL.exe
  2⤵
  PID:5436
- C:\Windows\System\HufuYJG.exe
  C:\Windows\System\HufuYJG.exe
  2⤵
  PID:5552
- C:\Windows\System\rNZRuJV.exe
  C:\Windows\System\rNZRuJV.exe
  2⤵
  PID:5792
- C:\Windows\System\LtTNDSZ.exe
  C:\Windows\System\LtTNDSZ.exe
  2⤵
  PID:4432
- C:\Windows\System\gDszGSv.exe
  C:\Windows\System\gDszGSv.exe
  2⤵
  PID:6168
- C:\Windows\System\PLsDMJw.exe
  C:\Windows\System\PLsDMJw.exe
  2⤵
  PID:6188
- C:\Windows\System\HvFKoBP.exe
  C:\Windows\System\HvFKoBP.exe
  2⤵
  PID:6216
- C:\Windows\System\bSomgUq.exe
  C:\Windows\System\bSomgUq.exe
  2⤵
  PID:6236
- C:\Windows\System\nCIxFth.exe
  C:\Windows\System\nCIxFth.exe
  2⤵
  PID:6260
- C:\Windows\System\AnbGmys.exe
  C:\Windows\System\AnbGmys.exe
  2⤵
  PID:6324
- C:\Windows\System\pAjZyev.exe
  C:\Windows\System\pAjZyev.exe
  2⤵
  PID:6348
- C:\Windows\System\WIszIbY.exe
  C:\Windows\System\WIszIbY.exe
  2⤵
  PID:6420
- C:\Windows\System\JeaCAMW.exe
  C:\Windows\System\JeaCAMW.exe
  2⤵
  PID:6436
- C:\Windows\System\TFkiFsx.exe
  C:\Windows\System\TFkiFsx.exe
  2⤵
  PID:6456
- C:\Windows\System\CFfIWLi.exe
  C:\Windows\System\CFfIWLi.exe
  2⤵
  PID:6484
- C:\Windows\System\EBomvzp.exe
  C:\Windows\System\EBomvzp.exe
  2⤵
  PID:6500
- C:\Windows\System\QPIbitM.exe
  C:\Windows\System\QPIbitM.exe
  2⤵
  PID:6524
- C:\Windows\System\GmizEnu.exe
  C:\Windows\System\GmizEnu.exe
  2⤵
  PID:6544
- C:\Windows\System\aQGxXks.exe
  C:\Windows\System\aQGxXks.exe
  2⤵
  PID:6588
- C:\Windows\System\EBOvdiW.exe
  C:\Windows\System\EBOvdiW.exe
  2⤵
  PID:6616
- C:\Windows\System\fEnMLbY.exe
  C:\Windows\System\fEnMLbY.exe
  2⤵
  PID:6644
- C:\Windows\System\XjPCDaB.exe
  C:\Windows\System\XjPCDaB.exe
  2⤵
  PID:6668
- C:\Windows\System\KGmKOZF.exe
  C:\Windows\System\KGmKOZF.exe
  2⤵
  PID:6688
- C:\Windows\System\KEOzpMF.exe
  C:\Windows\System\KEOzpMF.exe
  2⤵
  PID:6712
- C:\Windows\System\ikhhEdU.exe
  C:\Windows\System\ikhhEdU.exe
  2⤵
  PID:6748
- C:\Windows\System\zZLTVxZ.exe
  C:\Windows\System\zZLTVxZ.exe
  2⤵
  PID:6772
- C:\Windows\System\YodDwDn.exe
  C:\Windows\System\YodDwDn.exe
  2⤵
  PID:6796
- C:\Windows\System\GDHMYlP.exe
  C:\Windows\System\GDHMYlP.exe
  2⤵
  PID:6836
- C:\Windows\System\REVWooS.exe
  C:\Windows\System\REVWooS.exe
  2⤵
  PID:6856
- C:\Windows\System\czKaYZk.exe
  C:\Windows\System\czKaYZk.exe
  2⤵
  PID:6880
- C:\Windows\System\ikdRCyF.exe
  C:\Windows\System\ikdRCyF.exe
  2⤵
  PID:6900
- C:\Windows\System\ggLCZsh.exe
  C:\Windows\System\ggLCZsh.exe
  2⤵
  PID:6928
- C:\Windows\System\vIJqhWP.exe
  C:\Windows\System\vIJqhWP.exe
  2⤵
  PID:6972
- C:\Windows\System\rmxBHkU.exe
  C:\Windows\System\rmxBHkU.exe
  2⤵
  PID:7040
- C:\Windows\System\RbWFpnC.exe
  C:\Windows\System\RbWFpnC.exe
  2⤵
  PID:7056
- C:\Windows\System\EuMLisW.exe
  C:\Windows\System\EuMLisW.exe
  2⤵
  PID:7076
- C:\Windows\System\reVPTOf.exe
  C:\Windows\System\reVPTOf.exe
  2⤵
  PID:7120
- C:\Windows\System\uwGfRKy.exe
  C:\Windows\System\uwGfRKy.exe
  2⤵
  PID:7160
- C:\Windows\System\wSOpNPp.exe
  C:\Windows\System\wSOpNPp.exe
  2⤵
  PID:5696
- C:\Windows\System\ifAsYaS.exe
  C:\Windows\System\ifAsYaS.exe
  2⤵
  PID:1512
- C:\Windows\System\omscjkH.exe
  C:\Windows\System\omscjkH.exe
  2⤵
  PID:6256
- C:\Windows\System\ibGVmdM.exe
  C:\Windows\System\ibGVmdM.exe
  2⤵
  PID:6008
- C:\Windows\System\lqqQIVM.exe
  C:\Windows\System\lqqQIVM.exe
  2⤵
  PID:6232
- C:\Windows\System\VYJeLxL.exe
  C:\Windows\System\VYJeLxL.exe
  2⤵
  PID:6344
- C:\Windows\System\qsGqfDy.exe
  C:\Windows\System\qsGqfDy.exe
  2⤵
  PID:6432
- C:\Windows\System\urljtkB.exe
  C:\Windows\System\urljtkB.exe
  2⤵
  PID:6496
- C:\Windows\System\hHheCGx.exe
  C:\Windows\System\hHheCGx.exe
  2⤵
  PID:4348
- C:\Windows\System\KRxSqIb.exe
  C:\Windows\System\KRxSqIb.exe
  2⤵
  PID:6572
- C:\Windows\System\LaXsrcY.exe
  C:\Windows\System\LaXsrcY.exe
  2⤵
  PID:6636
- C:\Windows\System\IVCGFnw.exe
  C:\Windows\System\IVCGFnw.exe
  2⤵
  PID:6764
- C:\Windows\System\zzUZcrX.exe
  C:\Windows\System\zzUZcrX.exe
  2⤵
  PID:6788
- C:\Windows\System\ylZzVzv.exe
  C:\Windows\System\ylZzVzv.exe
  2⤵
  PID:6832
- C:\Windows\System\uXnkIzS.exe
  C:\Windows\System\uXnkIzS.exe
  2⤵
  PID:6892
- C:\Windows\System\fbBMuAF.exe
  C:\Windows\System\fbBMuAF.exe
  2⤵
  PID:6964
- C:\Windows\System\jlHXfeF.exe
  C:\Windows\System\jlHXfeF.exe
  2⤵
  PID:7052
- C:\Windows\System\hyBaZPS.exe
  C:\Windows\System\hyBaZPS.exe
  2⤵
  PID:7096
- C:\Windows\System\VJILQfj.exe
  C:\Windows\System\VJILQfj.exe
  2⤵
  PID:7156
- C:\Windows\System\zGbsYPB.exe
  C:\Windows\System\zGbsYPB.exe
  2⤵
  PID:6152
- C:\Windows\System\vBQllJb.exe
  C:\Windows\System\vBQllJb.exe
  2⤵
  PID:6248
- C:\Windows\System\ZoEPWfe.exe
  C:\Windows\System\ZoEPWfe.exe
  2⤵
  PID:6400
- C:\Windows\System\FosEPMb.exe
  C:\Windows\System\FosEPMb.exe
  2⤵
  PID:6604
- C:\Windows\System\PEtoZwk.exe
  C:\Windows\System\PEtoZwk.exe
  2⤵
  PID:740
- C:\Windows\System\rShhoGR.exe
  C:\Windows\System\rShhoGR.exe
  2⤵
  PID:6744
- C:\Windows\System\PlBspdi.exe
  C:\Windows\System\PlBspdi.exe
  2⤵
  PID:6952
- C:\Windows\System\NjVStYa.exe
  C:\Windows\System\NjVStYa.exe
  2⤵
  PID:7148
- C:\Windows\System\EUUoALY.exe
  C:\Windows\System\EUUoALY.exe
  2⤵
  PID:3184
- C:\Windows\System\ZwouZXw.exe
  C:\Windows\System\ZwouZXw.exe
  2⤵
  PID:6724
- C:\Windows\System\xNocFOm.exe
  C:\Windows\System\xNocFOm.exe
  2⤵
  PID:6948
- C:\Windows\System\BEAXgEB.exe
  C:\Windows\System\BEAXgEB.exe
  2⤵
  PID:6196
- C:\Windows\System\pPgAzDp.exe
  C:\Windows\System\pPgAzDp.exe
  2⤵
  PID:5208
- C:\Windows\System\GevNwET.exe
  C:\Windows\System\GevNwET.exe
  2⤵
  PID:7204
- C:\Windows\System\vFRZrcD.exe
  C:\Windows\System\vFRZrcD.exe
  2⤵
  PID:7256
- C:\Windows\System\njkdrFV.exe
  C:\Windows\System\njkdrFV.exe
  2⤵
  PID:7284
- C:\Windows\System\FCJABMG.exe
  C:\Windows\System\FCJABMG.exe
  2⤵
  PID:7312
- C:\Windows\System\UwaLpHE.exe
  C:\Windows\System\UwaLpHE.exe
  2⤵
  PID:7336
- C:\Windows\System\fNHrQex.exe
  C:\Windows\System\fNHrQex.exe
  2⤵
  PID:7356
- C:\Windows\System\woibAbb.exe
  C:\Windows\System\woibAbb.exe
  2⤵
  PID:7384
- C:\Windows\System\rxGNvCu.exe
  C:\Windows\System\rxGNvCu.exe
  2⤵
  PID:7404
- C:\Windows\System\lmEMAbX.exe
  C:\Windows\System\lmEMAbX.exe
  2⤵
  PID:7428
- C:\Windows\System\pOveytm.exe
  C:\Windows\System\pOveytm.exe
  2⤵
  PID:7464
- C:\Windows\System\Skadikd.exe
  C:\Windows\System\Skadikd.exe
  2⤵
  PID:7512
- C:\Windows\System\tDUWOtF.exe
  C:\Windows\System\tDUWOtF.exe
  2⤵
  PID:7532
- C:\Windows\System\fgUVFGx.exe
  C:\Windows\System\fgUVFGx.exe
  2⤵
  PID:7564
- C:\Windows\System\xuRxCZU.exe
  C:\Windows\System\xuRxCZU.exe
  2⤵
  PID:7588
- C:\Windows\System\OXkwDCQ.exe
  C:\Windows\System\OXkwDCQ.exe
  2⤵
  PID:7620
- C:\Windows\System\KnMpZKb.exe
  C:\Windows\System\KnMpZKb.exe
  2⤵
  PID:7636
- C:\Windows\System\KYemEss.exe
  C:\Windows\System\KYemEss.exe
  2⤵
  PID:7660
- C:\Windows\System\LdbhxMi.exe
  C:\Windows\System\LdbhxMi.exe
  2⤵
  PID:7684
- C:\Windows\System\GQpuHBF.exe
  C:\Windows\System\GQpuHBF.exe
  2⤵
  PID:7704
- C:\Windows\System\yjPvcMh.exe
  C:\Windows\System\yjPvcMh.exe
  2⤵
  PID:7728
- C:\Windows\System\axLtzkj.exe
  C:\Windows\System\axLtzkj.exe
  2⤵
  PID:7748
- C:\Windows\System\gsCTWKh.exe
  C:\Windows\System\gsCTWKh.exe
  2⤵
  PID:7772
- C:\Windows\System\pHlSeHL.exe
  C:\Windows\System\pHlSeHL.exe
  2⤵
  PID:7800
- C:\Windows\System\iAmXpar.exe
  C:\Windows\System\iAmXpar.exe
  2⤵
  PID:7856
- C:\Windows\System\MtMLGEQ.exe
  C:\Windows\System\MtMLGEQ.exe
  2⤵
  PID:7876
- C:\Windows\System\lNZkpha.exe
  C:\Windows\System\lNZkpha.exe
  2⤵
  PID:7896
- C:\Windows\System\FrSsVRL.exe
  C:\Windows\System\FrSsVRL.exe
  2⤵
  PID:7916
- C:\Windows\System\GGCTmRX.exe
  C:\Windows\System\GGCTmRX.exe
  2⤵
  PID:7940
- C:\Windows\System\PSnCgWI.exe
  C:\Windows\System\PSnCgWI.exe
  2⤵
  PID:7960
- C:\Windows\System\COGekAx.exe
  C:\Windows\System\COGekAx.exe
  2⤵
  PID:8016
- C:\Windows\System\CxdGDkj.exe
  C:\Windows\System\CxdGDkj.exe
  2⤵
  PID:8036
- C:\Windows\System\gxlOjuo.exe
  C:\Windows\System\gxlOjuo.exe
  2⤵
  PID:8088
- C:\Windows\System\dQtkEdK.exe
  C:\Windows\System\dQtkEdK.exe
  2⤵
  PID:8104
- C:\Windows\System\qunHIEu.exe
  C:\Windows\System\qunHIEu.exe
  2⤵
  PID:8132
- C:\Windows\System\zOFAUjR.exe
  C:\Windows\System\zOFAUjR.exe
  2⤵
  PID:8160
- C:\Windows\System\ufKozwh.exe
  C:\Windows\System\ufKozwh.exe
  2⤵
  PID:6680
- C:\Windows\System\cfsURRB.exe
  C:\Windows\System\cfsURRB.exe
  2⤵
  PID:7200
- C:\Windows\System\fTzoZqk.exe
  C:\Windows\System\fTzoZqk.exe
  2⤵
  PID:7252
- C:\Windows\System\xWzgAMd.exe
  C:\Windows\System\xWzgAMd.exe
  2⤵
  PID:7292
- C:\Windows\System\VTcWLOZ.exe
  C:\Windows\System\VTcWLOZ.exe
  2⤵
  PID:7352
- C:\Windows\System\IZMjwkW.exe
  C:\Windows\System\IZMjwkW.exe
  2⤵
  PID:7472
- C:\Windows\System\FIthcOF.exe
  C:\Windows\System\FIthcOF.exe
  2⤵
  PID:7496
- C:\Windows\System\BlUItKN.exe
  C:\Windows\System\BlUItKN.exe
  2⤵
  PID:7544
- C:\Windows\System\xodnqZJ.exe
  C:\Windows\System\xodnqZJ.exe
  2⤵
  PID:7600
- C:\Windows\System\HGqtmxq.exe
  C:\Windows\System\HGqtmxq.exe
  2⤵
  PID:7656
- C:\Windows\System\pOBplaf.exe
  C:\Windows\System\pOBplaf.exe
  2⤵
  PID:7736
- C:\Windows\System\PcNoDWz.exe
  C:\Windows\System\PcNoDWz.exe
  2⤵
  PID:7740
- C:\Windows\System\PMktSLv.exe
  C:\Windows\System\PMktSLv.exe
  2⤵
  PID:7820
- C:\Windows\System\lOIWNZx.exe
  C:\Windows\System\lOIWNZx.exe
  2⤵
  PID:7932
- C:\Windows\System\KnIeWda.exe
  C:\Windows\System\KnIeWda.exe
  2⤵
  PID:7872
- C:\Windows\System\nQYQKMa.exe
  C:\Windows\System\nQYQKMa.exe
  2⤵
  PID:8012
- C:\Windows\System\qVuBUUU.exe
  C:\Windows\System\qVuBUUU.exe
  2⤵
  PID:8112
- C:\Windows\System\akxlGBI.exe
  C:\Windows\System\akxlGBI.exe
  2⤵
  PID:8144
- C:\Windows\System\YqvIfzw.exe
  C:\Windows\System\YqvIfzw.exe
  2⤵
  PID:8188
- C:\Windows\System\xTWZNZX.exe
  C:\Windows\System\xTWZNZX.exe
  2⤵
  PID:7196
- C:\Windows\System\FFOWCBO.exe
  C:\Windows\System\FFOWCBO.exe
  2⤵
  PID:7476
- C:\Windows\System\dgGUhJI.exe
  C:\Windows\System\dgGUhJI.exe
  2⤵
  PID:7584
- C:\Windows\System\KBQacdE.exe
  C:\Windows\System\KBQacdE.exe
  2⤵
  PID:7572
- C:\Windows\System\PcRmnaS.exe
  C:\Windows\System\PcRmnaS.exe
  2⤵
  PID:7744
- C:\Windows\System\hrlZVEs.exe
  C:\Windows\System\hrlZVEs.exe
  2⤵
  PID:8028
- C:\Windows\System\qjHDILU.exe
  C:\Windows\System\qjHDILU.exe
  2⤵
  PID:7264
- C:\Windows\System\thnHTOX.exe
  C:\Windows\System\thnHTOX.exe
  2⤵
  PID:5196
- C:\Windows\System\yNkhPGK.exe
  C:\Windows\System\yNkhPGK.exe
  2⤵
  PID:7556
- C:\Windows\System\ISSFzaX.exe
  C:\Windows\System\ISSFzaX.exe
  2⤵
  PID:7436
- C:\Windows\System\MXneWyq.exe
  C:\Windows\System\MXneWyq.exe
  2⤵
  PID:8200
- C:\Windows\System\bSmyfkq.exe
  C:\Windows\System\bSmyfkq.exe
  2⤵
  PID:8228
- C:\Windows\System\syKJgZa.exe
  C:\Windows\System\syKJgZa.exe
  2⤵
  PID:8288
- C:\Windows\System\ViMViFW.exe
  C:\Windows\System\ViMViFW.exe
  2⤵
  PID:8312
- C:\Windows\System\QmIRQip.exe
  C:\Windows\System\QmIRQip.exe
  2⤵
  PID:8332
- C:\Windows\System\OGAMgya.exe
  C:\Windows\System\OGAMgya.exe
  2⤵
  PID:8376
- C:\Windows\System\TfGeixm.exe
  C:\Windows\System\TfGeixm.exe
  2⤵
  PID:8400
- C:\Windows\System\lkTsJdM.exe
  C:\Windows\System\lkTsJdM.exe
  2⤵
  PID:8456
- C:\Windows\System\kpqLKWW.exe
  C:\Windows\System\kpqLKWW.exe
  2⤵
  PID:8472
- C:\Windows\System\xwSwnOq.exe
  C:\Windows\System\xwSwnOq.exe
  2⤵
  PID:8496
- C:\Windows\System\FlbryYO.exe
  C:\Windows\System\FlbryYO.exe
  2⤵
  PID:8516
- C:\Windows\System\cwrTiiD.exe
  C:\Windows\System\cwrTiiD.exe
  2⤵
  PID:8536
- C:\Windows\System\CfbZLwX.exe
  C:\Windows\System\CfbZLwX.exe
  2⤵
  PID:8560
- C:\Windows\System\nXlzOVw.exe
  C:\Windows\System\nXlzOVw.exe
  2⤵
  PID:8604
- C:\Windows\System\szeXxpK.exe
  C:\Windows\System\szeXxpK.exe
  2⤵
  PID:8636
- C:\Windows\System\Ttfwuri.exe
  C:\Windows\System\Ttfwuri.exe
  2⤵
  PID:8668
- C:\Windows\System\DrXDQjA.exe
  C:\Windows\System\DrXDQjA.exe
  2⤵
  PID:8696
- C:\Windows\System\MqRlLcq.exe
  C:\Windows\System\MqRlLcq.exe
  2⤵
  PID:8776
- C:\Windows\System\IOzLJTu.exe
  C:\Windows\System\IOzLJTu.exe
  2⤵
  PID:8808
- C:\Windows\System\KegFUrz.exe
  C:\Windows\System\KegFUrz.exe
  2⤵
  PID:8840
- C:\Windows\System\menTWvU.exe
  C:\Windows\System\menTWvU.exe
  2⤵
  PID:8856
- C:\Windows\System\sIEOAxE.exe
  C:\Windows\System\sIEOAxE.exe
  2⤵
  PID:8876
- C:\Windows\System\hgaIBpb.exe
  C:\Windows\System\hgaIBpb.exe
  2⤵
  PID:8900
- C:\Windows\System\msExisE.exe
  C:\Windows\System\msExisE.exe
  2⤵
  PID:8924
- C:\Windows\System\SzorgxX.exe
  C:\Windows\System\SzorgxX.exe
  2⤵
  PID:8956
- C:\Windows\System\iQkxOQh.exe
  C:\Windows\System\iQkxOQh.exe
  2⤵
  PID:8976
- C:\Windows\System\cBdyduo.exe
  C:\Windows\System\cBdyduo.exe
  2⤵
  PID:9000
- C:\Windows\System\EIsWaaN.exe
  C:\Windows\System\EIsWaaN.exe
  2⤵
  PID:9052
- C:\Windows\System\igjbGiK.exe
  C:\Windows\System\igjbGiK.exe
  2⤵
  PID:9088
- C:\Windows\System\BKmxZtg.exe
  C:\Windows\System\BKmxZtg.exe
  2⤵
  PID:9116
- C:\Windows\System\cxWLWlt.exe
  C:\Windows\System\cxWLWlt.exe
  2⤵
  PID:9164
- C:\Windows\System\AdjtoUK.exe
  C:\Windows\System\AdjtoUK.exe
  2⤵
  PID:9184
- C:\Windows\System\ZLtwxrX.exe
  C:\Windows\System\ZLtwxrX.exe
  2⤵
  PID:9212
- C:\Windows\System\mXXtdFs.exe
  C:\Windows\System\mXXtdFs.exe
  2⤵
  PID:7936
- C:\Windows\System\PSJQFIk.exe
  C:\Windows\System\PSJQFIk.exe
  2⤵
  PID:8248
- C:\Windows\System\abXeVmI.exe
  C:\Windows\System\abXeVmI.exe
  2⤵
  PID:8304
- C:\Windows\System\KrBQKWf.exe
  C:\Windows\System\KrBQKWf.exe
  2⤵
  PID:8416
- C:\Windows\System\SpDvDlG.exe
  C:\Windows\System\SpDvDlG.exe
  2⤵
  PID:5952
- C:\Windows\System\PyyozbE.exe
  C:\Windows\System\PyyozbE.exe
  2⤵
  PID:8444
- C:\Windows\System\qmSUBGp.exe
  C:\Windows\System\qmSUBGp.exe
  2⤵
  PID:8512
- C:\Windows\System\HIlvPFR.exe
  C:\Windows\System\HIlvPFR.exe
  2⤵
  PID:8580
- C:\Windows\System\PpIuEKz.exe
  C:\Windows\System\PpIuEKz.exe
  2⤵
  PID:8616
- C:\Windows\System\aTskXIP.exe
  C:\Windows\System\aTskXIP.exe
  2⤵
  PID:8684
- C:\Windows\System\ZMnjgSk.exe
  C:\Windows\System\ZMnjgSk.exe
  2⤵
  PID:8688
- C:\Windows\System\BdLVswv.exe
  C:\Windows\System\BdLVswv.exe
  2⤵
  PID:8744
- C:\Windows\System\XjHPFmx.exe
  C:\Windows\System\XjHPFmx.exe
  2⤵
  PID:8848
- C:\Windows\System\DDfpcnT.exe
  C:\Windows\System\DDfpcnT.exe
  2⤵
  PID:8872
- C:\Windows\System\dsDKdOD.exe
  C:\Windows\System\dsDKdOD.exe
  2⤵
  PID:8944
- C:\Windows\System\rThicvj.exe
  C:\Windows\System\rThicvj.exe
  2⤵
  PID:8968
- C:\Windows\System\zCozESh.exe
  C:\Windows\System\zCozESh.exe
  2⤵
  PID:9036
- C:\Windows\System\IKoyYaR.exe
  C:\Windows\System\IKoyYaR.exe
  2⤵
  PID:6048
- C:\Windows\System\pkxcBQe.exe
  C:\Windows\System\pkxcBQe.exe
  2⤵
  PID:9208
- C:\Windows\System\yGhefPN.exe
  C:\Windows\System\yGhefPN.exe
  2⤵
  PID:8268
- C:\Windows\System\xcQxyMP.exe
  C:\Windows\System\xcQxyMP.exe
  2⤵
  PID:8368
- C:\Windows\System\lkRlhEa.exe
  C:\Windows\System\lkRlhEa.exe
  2⤵
  PID:8504
- C:\Windows\System\sIRgKQo.exe
  C:\Windows\System\sIRgKQo.exe
  2⤵
  PID:8740
- C:\Windows\System\TCJcgEF.exe
  C:\Windows\System\TCJcgEF.exe
  2⤵
  PID:8720
- C:\Windows\System\ZazdcBF.exe
  C:\Windows\System\ZazdcBF.exe
  2⤵
  PID:8728
- C:\Windows\System\vjbuddn.exe
  C:\Windows\System\vjbuddn.exe
  2⤵
  PID:8920
- C:\Windows\System\BPXvoTv.exe
  C:\Windows\System\BPXvoTv.exe
  2⤵
  PID:9060
- C:\Windows\System\QQfcqTQ.exe
  C:\Windows\System\QQfcqTQ.exe
  2⤵
  PID:9160
- C:\Windows\System\vUlyjQg.exe
  C:\Windows\System\vUlyjQg.exe
  2⤵
  PID:5956
- C:\Windows\System\iseyAfe.exe
  C:\Windows\System\iseyAfe.exe
  2⤵
  PID:8656
- C:\Windows\System\lXbeFSZ.exe
  C:\Windows\System\lXbeFSZ.exe
  2⤵
  PID:8992
- C:\Windows\System\OJjdhzM.exe
  C:\Windows\System\OJjdhzM.exe
  2⤵
  PID:8644
- C:\Windows\System\TbENtrM.exe
  C:\Windows\System\TbENtrM.exe
  2⤵
  PID:8352
- C:\Windows\System\vBABAuE.exe
  C:\Windows\System\vBABAuE.exe
  2⤵
  PID:9232
- C:\Windows\System\tfzDJtc.exe
  C:\Windows\System\tfzDJtc.exe
  2⤵
  PID:9272
- C:\Windows\System\OUcbrqT.exe
  C:\Windows\System\OUcbrqT.exe
  2⤵
  PID:9296
- C:\Windows\System\iVQlkoU.exe
  C:\Windows\System\iVQlkoU.exe
  2⤵
  PID:9312
- C:\Windows\System\uPbSZyL.exe
  C:\Windows\System\uPbSZyL.exe
  2⤵
  PID:9344
- C:\Windows\System\cLizfRD.exe
  C:\Windows\System\cLizfRD.exe
  2⤵
  PID:9368
- C:\Windows\System\LtgLTIV.exe
  C:\Windows\System\LtgLTIV.exe
  2⤵
  PID:9388
- C:\Windows\System\uUPgOiI.exe
  C:\Windows\System\uUPgOiI.exe
  2⤵
  PID:9412
- C:\Windows\System\DQyRtNs.exe
  C:\Windows\System\DQyRtNs.exe
  2⤵
  PID:9436
- C:\Windows\System\aueaXLQ.exe
  C:\Windows\System\aueaXLQ.exe
  2⤵
  PID:9460
- C:\Windows\System\qxqRAgW.exe
  C:\Windows\System\qxqRAgW.exe
  2⤵
  PID:9508
- C:\Windows\System\UChWOWc.exe
  C:\Windows\System\UChWOWc.exe
  2⤵
  PID:9532
- C:\Windows\System\LcofcKY.exe
  C:\Windows\System\LcofcKY.exe
  2⤵
  PID:9552
- C:\Windows\System\xzIfmRZ.exe
  C:\Windows\System\xzIfmRZ.exe
  2⤵
  PID:9572
- C:\Windows\System\uHAXaBI.exe
  C:\Windows\System\uHAXaBI.exe
  2⤵
  PID:9596
- C:\Windows\System\lxvcuPl.exe
  C:\Windows\System\lxvcuPl.exe
  2⤵
  PID:9612
- C:\Windows\System\nAnAfNA.exe
  C:\Windows\System\nAnAfNA.exe
  2⤵
  PID:9648
- C:\Windows\System\kTxlfAZ.exe
  C:\Windows\System\kTxlfAZ.exe
  2⤵
  PID:9668
- C:\Windows\System\LlKttjK.exe
  C:\Windows\System\LlKttjK.exe
  2⤵
  PID:9688
- C:\Windows\System\CbMxqoL.exe
  C:\Windows\System\CbMxqoL.exe
  2⤵
  PID:9736
- C:\Windows\System\YVvEWOJ.exe
  C:\Windows\System\YVvEWOJ.exe
  2⤵
  PID:9764
- C:\Windows\System\cvpXyUQ.exe
  C:\Windows\System\cvpXyUQ.exe
  2⤵
  PID:9784
- C:\Windows\System\giMRYdA.exe
  C:\Windows\System\giMRYdA.exe
  2⤵
  PID:9824
- C:\Windows\System\mHknSTP.exe
  C:\Windows\System\mHknSTP.exe
  2⤵
  PID:9856
- C:\Windows\System\NingkPp.exe
  C:\Windows\System\NingkPp.exe
  2⤵
  PID:9900
- C:\Windows\System\ajGQQhW.exe
  C:\Windows\System\ajGQQhW.exe
  2⤵
  PID:9924
- C:\Windows\System\zpxMgLI.exe
  C:\Windows\System\zpxMgLI.exe
  2⤵
  PID:9944
- C:\Windows\System\NgpcOnM.exe
  C:\Windows\System\NgpcOnM.exe
  2⤵
  PID:10000
- C:\Windows\System\eeLeluK.exe
  C:\Windows\System\eeLeluK.exe
  2⤵
  PID:10020
- C:\Windows\System\WIDIUmc.exe
  C:\Windows\System\WIDIUmc.exe
  2⤵
  PID:10040
- C:\Windows\System\ckpivcy.exe
  C:\Windows\System\ckpivcy.exe
  2⤵
  PID:10064
- C:\Windows\System\NdjhTGe.exe
  C:\Windows\System\NdjhTGe.exe
  2⤵
  PID:10108
- C:\Windows\System\EMnwOWQ.exe
  C:\Windows\System\EMnwOWQ.exe
  2⤵
  PID:10140
- C:\Windows\System\yJBOoEy.exe
  C:\Windows\System\yJBOoEy.exe
  2⤵
  PID:10164
- C:\Windows\System\kOttDYy.exe
  C:\Windows\System\kOttDYy.exe
  2⤵
  PID:10196
- C:\Windows\System\omSCYhE.exe
  C:\Windows\System\omSCYhE.exe
  2⤵
  PID:10216
- C:\Windows\System\KSpxvit.exe
  C:\Windows\System\KSpxvit.exe
  2⤵
  PID:8736
- C:\Windows\System\EAnwCmS.exe
  C:\Windows\System\EAnwCmS.exe
  2⤵
  PID:9268
- C:\Windows\System\hwVgkhC.exe
  C:\Windows\System\hwVgkhC.exe
  2⤵
  PID:9304
- C:\Windows\System\BjRpOmi.exe
  C:\Windows\System\BjRpOmi.exe
  2⤵
  PID:9408
- C:\Windows\System\govQkMl.exe
  C:\Windows\System\govQkMl.exe
  2⤵
  PID:9472
- C:\Windows\System\tdjmNWu.exe
  C:\Windows\System\tdjmNWu.exe
  2⤵
  PID:9488
- C:\Windows\System\MnHdRYs.exe
  C:\Windows\System\MnHdRYs.exe
  2⤵
  PID:8888
- C:\Windows\System\uesupMj.exe
  C:\Windows\System\uesupMj.exe
  2⤵
  PID:9568
- C:\Windows\System\DCVdSYF.exe
  C:\Windows\System\DCVdSYF.exe
  2⤵
  PID:9712
- C:\Windows\System\wnwIzry.exe
  C:\Windows\System\wnwIzry.exe
  2⤵
  PID:9664
- C:\Windows\System\xSOJQpD.exe
  C:\Windows\System\xSOJQpD.exe
  2⤵
  PID:9760
- C:\Windows\System\XdAfAuD.exe
  C:\Windows\System\XdAfAuD.exe
  2⤵
  PID:9832
- C:\Windows\System\mfGnldt.exe
  C:\Windows\System\mfGnldt.exe
  2⤵
  PID:9892
- C:\Windows\System\ntplUzv.exe
  C:\Windows\System\ntplUzv.exe
  2⤵
  PID:9972
- C:\Windows\System\gLPGLlG.exe
  C:\Windows\System\gLPGLlG.exe
  2⤵
  PID:10032
- C:\Windows\System\AJEeqGG.exe
  C:\Windows\System\AJEeqGG.exe
  2⤵
  PID:10160
- C:\Windows\System\oaAKHbI.exe
  C:\Windows\System\oaAKHbI.exe
  2⤵
  PID:10208
- C:\Windows\System\YfruGoY.exe
  C:\Windows\System\YfruGoY.exe
  2⤵
  PID:9248
- C:\Windows\System\kGTzBJS.exe
  C:\Windows\System\kGTzBJS.exe
  2⤵
  PID:9360
- C:\Windows\System\DwKrCTB.exe
  C:\Windows\System\DwKrCTB.exe
  2⤵
  PID:9548
- C:\Windows\System\BKMOiNU.exe
  C:\Windows\System\BKMOiNU.exe
  2⤵
  PID:9872
- C:\Windows\System\NEWocOV.exe
  C:\Windows\System\NEWocOV.exe
  2⤵
  PID:9680
- C:\Windows\System\HxbRYUJ.exe
  C:\Windows\System\HxbRYUJ.exe
  2⤵
  PID:9984
- C:\Windows\System\vGhysLr.exe
  C:\Windows\System\vGhysLr.exe
  2⤵
  PID:10228
- C:\Windows\System\SwDcOSQ.exe
  C:\Windows\System\SwDcOSQ.exe
  2⤵
  PID:9696
- C:\Windows\System\nwjUYbo.exe
  C:\Windows\System\nwjUYbo.exe
  2⤵
  PID:9376
- C:\Windows\System\sEEPiwp.exe
  C:\Windows\System\sEEPiwp.exe
  2⤵
  PID:10204
- C:\Windows\System\OOLqoNx.exe
  C:\Windows\System\OOLqoNx.exe
  2⤵
  PID:10244
- C:\Windows\System\fzXydEq.exe
  C:\Windows\System\fzXydEq.exe
  2⤵
  PID:10264
- C:\Windows\System\klDsucu.exe
  C:\Windows\System\klDsucu.exe
  2⤵
  PID:10292
- C:\Windows\System\dRHSpWi.exe
  C:\Windows\System\dRHSpWi.exe
  2⤵
  PID:10352
- C:\Windows\System\EsCerOj.exe
  C:\Windows\System\EsCerOj.exe
  2⤵
  PID:10380
- C:\Windows\System\kwpxCLP.exe
  C:\Windows\System\kwpxCLP.exe
  2⤵
  PID:10408
- C:\Windows\System\tosKAaS.exe
  C:\Windows\System\tosKAaS.exe
  2⤵
  PID:10428
- C:\Windows\System\JKXRxyK.exe
  C:\Windows\System\JKXRxyK.exe
  2⤵
  PID:10448
- C:\Windows\System\WIvyDVd.exe
  C:\Windows\System\WIvyDVd.exe
  2⤵
  PID:10484
- C:\Windows\System\WHjnIwW.exe
  C:\Windows\System\WHjnIwW.exe
  2⤵
  PID:10504
- C:\Windows\System\byuzyPv.exe
  C:\Windows\System\byuzyPv.exe
  2⤵
  PID:10520
- C:\Windows\System\AXfthsF.exe
  C:\Windows\System\AXfthsF.exe
  2⤵
  PID:10544
- C:\Windows\System\OZTwxEM.exe
  C:\Windows\System\OZTwxEM.exe
  2⤵
  PID:10592
- C:\Windows\System\kOzSNfH.exe
  C:\Windows\System\kOzSNfH.exe
  2⤵
  PID:10608
- C:\Windows\System\tElfrdJ.exe
  C:\Windows\System\tElfrdJ.exe
  2⤵
  PID:10644
- C:\Windows\System\yYmpSGO.exe
  C:\Windows\System\yYmpSGO.exe
  2⤵
  PID:10664
- C:\Windows\System\pBNEvEi.exe
  C:\Windows\System\pBNEvEi.exe
  2⤵
  PID:10700
- C:\Windows\System\UxLGUZW.exe
  C:\Windows\System\UxLGUZW.exe
  2⤵
  PID:10724
- C:\Windows\System\HYjLrxZ.exe
  C:\Windows\System\HYjLrxZ.exe
  2⤵
  PID:10752
- C:\Windows\System\qYEIzMU.exe
  C:\Windows\System\qYEIzMU.exe
  2⤵
  PID:10768
- C:\Windows\System\GOjMbpS.exe
  C:\Windows\System\GOjMbpS.exe
  2⤵
  PID:10804
- C:\Windows\System\HkdOIyC.exe
  C:\Windows\System\HkdOIyC.exe
  2⤵
  PID:10840
- C:\Windows\System\ndINiUe.exe
  C:\Windows\System\ndINiUe.exe
  2⤵
  PID:10868
- C:\Windows\System\hCqVJVn.exe
  C:\Windows\System\hCqVJVn.exe
  2⤵
  PID:10888
- C:\Windows\System\GgMsuNQ.exe
  C:\Windows\System\GgMsuNQ.exe
  2⤵
  PID:10912
- C:\Windows\System\TjXyLua.exe
  C:\Windows\System\TjXyLua.exe
  2⤵
  PID:10928
- C:\Windows\System\ULVXLLR.exe
  C:\Windows\System\ULVXLLR.exe
  2⤵
  PID:10952
- C:\Windows\System\RVCRipE.exe
  C:\Windows\System\RVCRipE.exe
  2⤵
  PID:11008
- C:\Windows\System\MGzfKSl.exe
  C:\Windows\System\MGzfKSl.exe
  2⤵
  PID:11028
- C:\Windows\System\oJpbHRF.exe
  C:\Windows\System\oJpbHRF.exe
  2⤵
  PID:11052
- C:\Windows\System\tbaMEOU.exe
  C:\Windows\System\tbaMEOU.exe
  2⤵
  PID:11104
- C:\Windows\System\INSnLgA.exe
  C:\Windows\System\INSnLgA.exe
  2⤵
  PID:11128
- C:\Windows\System\EZcfAZe.exe
  C:\Windows\System\EZcfAZe.exe
  2⤵
  PID:11148
- C:\Windows\System\sqEZylJ.exe
  C:\Windows\System\sqEZylJ.exe
  2⤵
  PID:11172
- C:\Windows\System\RLHDeYb.exe
  C:\Windows\System\RLHDeYb.exe
  2⤵
  PID:11192
- C:\Windows\System\FELhXYh.exe
  C:\Windows\System\FELhXYh.exe
  2⤵
  PID:11220
- C:\Windows\System\KywVBTr.exe
  C:\Windows\System\KywVBTr.exe
  2⤵
  PID:11240
- C:\Windows\System\QkdJtAY.exe
  C:\Windows\System\QkdJtAY.exe
  2⤵
  PID:9720
- C:\Windows\System\wZWPjYD.exe
  C:\Windows\System\wZWPjYD.exe
  2⤵
  PID:9480
- C:\Windows\System\XtjwDED.exe
  C:\Windows\System\XtjwDED.exe
  2⤵
  PID:10272
- C:\Windows\System\LmCCRMh.exe
  C:\Windows\System\LmCCRMh.exe
  2⤵
  PID:10360
- C:\Windows\System\UAgklxM.exe
  C:\Windows\System\UAgklxM.exe
  2⤵
  PID:10444
- C:\Windows\System\UTfymRn.exe
  C:\Windows\System\UTfymRn.exe
  2⤵
  PID:10600
- C:\Windows\System\REJNmNZ.exe
  C:\Windows\System\REJNmNZ.exe
  2⤵
  PID:10660
- C:\Windows\System\DcHcEKe.exe
  C:\Windows\System\DcHcEKe.exe
  2⤵
  PID:10684
- C:\Windows\System\LXRHRBO.exe
  C:\Windows\System\LXRHRBO.exe
  2⤵
  PID:10792
- C:\Windows\System\dNTtlNj.exe
  C:\Windows\System\dNTtlNj.exe
  2⤵
  PID:10864
- C:\Windows\System\KKAjyib.exe
  C:\Windows\System\KKAjyib.exe
  2⤵
  PID:10884
- C:\Windows\System\XClEWJk.exe
  C:\Windows\System\XClEWJk.exe
  2⤵
  PID:10936
- C:\Windows\System\ekOAKRK.exe
  C:\Windows\System\ekOAKRK.exe
  2⤵
  PID:11020
- C:\Windows\System\qbhMJyy.exe
  C:\Windows\System\qbhMJyy.exe
  2⤵
  PID:11100
- C:\Windows\System\sPcLHtx.exe
  C:\Windows\System\sPcLHtx.exe
  2⤵
  PID:11124
- C:\Windows\System\QBOXFSf.exe
  C:\Windows\System\QBOXFSf.exe
  2⤵
  PID:11184
- C:\Windows\System\eFchGFs.exe
  C:\Windows\System\eFchGFs.exe
  2⤵
  PID:11212
- C:\Windows\System\qFMJqgL.exe
  C:\Windows\System\qFMJqgL.exe
  2⤵
  PID:10288
- C:\Windows\System\teXFzKp.exe
  C:\Windows\System\teXFzKp.exe
  2⤵
  PID:10656
- C:\Windows\System\QMTmGlj.exe
  C:\Windows\System\QMTmGlj.exe
  2⤵
  PID:10696
- C:\Windows\System\IoECPOC.exe
  C:\Windows\System\IoECPOC.exe
  2⤵
  PID:10832
- C:\Windows\System\YrVrnMl.exe
  C:\Windows\System\YrVrnMl.exe
  2⤵
  PID:11040
- C:\Windows\System\VJhnerT.exe
  C:\Windows\System\VJhnerT.exe
  2⤵
  PID:10260
- C:\Windows\System\IPghEau.exe
  C:\Windows\System\IPghEau.exe
  2⤵
  PID:10476
- C:\Windows\System\JdGgfFt.exe
  C:\Windows\System\JdGgfFt.exe
  2⤵
  PID:10900
- C:\Windows\System\kktNWWb.exe
  C:\Windows\System\kktNWWb.exe
  2⤵
  PID:10732
- C:\Windows\System\dYtLNjM.exe
  C:\Windows\System\dYtLNjM.exe
  2⤵
  PID:11116
- C:\Windows\System\himZGmw.exe
  C:\Windows\System\himZGmw.exe
  2⤵
  PID:11288
- C:\Windows\System\OEiudoh.exe
  C:\Windows\System\OEiudoh.exe
  2⤵
  PID:11316
- C:\Windows\System\nMkTwWO.exe
  C:\Windows\System\nMkTwWO.exe
  2⤵
  PID:11336
- C:\Windows\System\udtoTsK.exe
  C:\Windows\System\udtoTsK.exe
  2⤵
  PID:11364
- C:\Windows\System\fuMAaCi.exe
  C:\Windows\System\fuMAaCi.exe
  2⤵
  PID:11396
- C:\Windows\System\FHPKhGC.exe
  C:\Windows\System\FHPKhGC.exe
  2⤵
  PID:11424
- C:\Windows\System\AFgVlsi.exe
  C:\Windows\System\AFgVlsi.exe
  2⤵
  PID:11440
- C:\Windows\System\TIPKgrt.exe
  C:\Windows\System\TIPKgrt.exe
  2⤵
  PID:11464
- C:\Windows\System\lWFWhft.exe
  C:\Windows\System\lWFWhft.exe
  2⤵
  PID:11508
- C:\Windows\System\mcUqfbq.exe
  C:\Windows\System\mcUqfbq.exe
  2⤵
  PID:11548
- C:\Windows\System\pTOiuaB.exe
  C:\Windows\System\pTOiuaB.exe
  2⤵
  PID:11580
- C:\Windows\System\gjjmKex.exe
  C:\Windows\System\gjjmKex.exe
  2⤵
  PID:11600
- C:\Windows\System\ZXgaBrd.exe
  C:\Windows\System\ZXgaBrd.exe
  2⤵
  PID:11620
- C:\Windows\System\GSKjbWS.exe
  C:\Windows\System\GSKjbWS.exe
  2⤵
  PID:11644
- C:\Windows\System\TfwuDVW.exe
  C:\Windows\System\TfwuDVW.exe
  2⤵
  PID:11676
- C:\Windows\System\xTsNTjW.exe
  C:\Windows\System\xTsNTjW.exe
  2⤵
  PID:11700
- C:\Windows\System\hCJfWVS.exe
  C:\Windows\System\hCJfWVS.exe
  2⤵
  PID:11732
- C:\Windows\System\PYRPdGR.exe
  C:\Windows\System\PYRPdGR.exe
  2⤵
  PID:11760
- C:\Windows\System\ZniEgpr.exe
  C:\Windows\System\ZniEgpr.exe
  2⤵
  PID:11776
- C:\Windows\System\rpEWNLG.exe
  C:\Windows\System\rpEWNLG.exe
  2⤵
  PID:11804
- C:\Windows\System\qjFvQnr.exe
  C:\Windows\System\qjFvQnr.exe
  2⤵
  PID:11824
- C:\Windows\System\uvTrIOp.exe
  C:\Windows\System\uvTrIOp.exe
  2⤵
  PID:11876
- C:\Windows\System\xvLkOlE.exe
  C:\Windows\System\xvLkOlE.exe
  2⤵
  PID:11908
- C:\Windows\System\lbbrcLO.exe
  C:\Windows\System\lbbrcLO.exe
  2⤵
  PID:11928
- C:\Windows\System\amIOJuw.exe
  C:\Windows\System\amIOJuw.exe
  2⤵
  PID:11956
- C:\Windows\System\biLJpuV.exe
  C:\Windows\System\biLJpuV.exe
  2⤵
  PID:11976
- C:\Windows\System\dAxxINK.exe
  C:\Windows\System\dAxxINK.exe
  2⤵
  PID:12000
- C:\Windows\System\xsVeUEo.exe
  C:\Windows\System\xsVeUEo.exe
  2⤵
  PID:12024
- C:\Windows\System\cXjjCni.exe
  C:\Windows\System\cXjjCni.exe
  2⤵
  PID:12044
- C:\Windows\System\FUYvKfT.exe
  C:\Windows\System\FUYvKfT.exe
  2⤵
  PID:12072
- C:\Windows\System\KtUrEvf.exe
  C:\Windows\System\KtUrEvf.exe
  2⤵
  PID:12088
- C:\Windows\System\rQoGoPs.exe
  C:\Windows\System\rQoGoPs.exe
  2⤵
  PID:12116
- C:\Windows\System\nFRfqMA.exe
  C:\Windows\System\nFRfqMA.exe
  2⤵
  PID:12140
- C:\Windows\System\BaoFWJG.exe
  C:\Windows\System\BaoFWJG.exe
  2⤵
  PID:12172
- C:\Windows\System\kDCHQku.exe
  C:\Windows\System\kDCHQku.exe
  2⤵
  PID:12196
- C:\Windows\System\PigKaoh.exe
  C:\Windows\System\PigKaoh.exe
  2⤵
  PID:12216
- C:\Windows\System\PGddyRr.exe
  C:\Windows\System\PGddyRr.exe
  2⤵
  PID:11236
- C:\Windows\System\lfGHsxm.exe
  C:\Windows\System\lfGHsxm.exe
  2⤵
  PID:10308
- C:\Windows\System\pxvaIjG.exe
  C:\Windows\System\pxvaIjG.exe
  2⤵
  PID:11416
- C:\Windows\System\ZssNYCW.exe
  C:\Windows\System\ZssNYCW.exe
  2⤵
  PID:11484
- C:\Windows\System\wDgVGyq.exe
  C:\Windows\System\wDgVGyq.exe
  2⤵
  PID:11500
- C:\Windows\System\tvsUmff.exe
  C:\Windows\System\tvsUmff.exe
  2⤵
  PID:11692
- C:\Windows\System\EyIMeAq.exe
  C:\Windows\System\EyIMeAq.exe
  2⤵
  PID:11708
- C:\Windows\System\Xoneawb.exe
  C:\Windows\System\Xoneawb.exe
  2⤵
  PID:4880
- C:\Windows\System\pKBXTGx.exe
  C:\Windows\System\pKBXTGx.exe
  2⤵
  PID:11864
- C:\Windows\System\iRszfcO.exe
  C:\Windows\System\iRszfcO.exe
  2⤵
  PID:11896
- C:\Windows\System\XeCjjlU.exe
  C:\Windows\System\XeCjjlU.exe
  2⤵
  PID:11920
- C:\Windows\System\bzbmuaZ.exe
  C:\Windows\System\bzbmuaZ.exe
  2⤵
  PID:11992
- C:\Windows\System\PHLUlwb.exe
  C:\Windows\System\PHLUlwb.exe
  2⤵
  PID:12052
- C:\Windows\System\XnGmHrf.exe
  C:\Windows\System\XnGmHrf.exe
  2⤵
  PID:12112
- C:\Windows\System\zSqWPrc.exe
  C:\Windows\System\zSqWPrc.exe
  2⤵
  PID:12212
- C:\Windows\System\ZSsPPOA.exe
  C:\Windows\System\ZSsPPOA.exe
  2⤵
  PID:12236
- C:\Windows\System\yojMnGr.exe
  C:\Windows\System\yojMnGr.exe
  2⤵
  PID:11312
- C:\Windows\System\BqtTvNz.exe
  C:\Windows\System\BqtTvNz.exe
  2⤵
  PID:11520
- C:\Windows\System\eSEjCnw.exe
  C:\Windows\System\eSEjCnw.exe
  2⤵
  PID:11592
- C:\Windows\System\CkjQLGe.exe
  C:\Windows\System\CkjQLGe.exe
  2⤵
  PID:11684
- C:\Windows\System\uYYArxT.exe
  C:\Windows\System\uYYArxT.exe
  2⤵
  PID:1256
- C:\Windows\System\tBLCXUt.exe
  C:\Windows\System\tBLCXUt.exe
  2⤵
  PID:11840
- C:\Windows\System\vytfWOc.exe
  C:\Windows\System\vytfWOc.exe
  2⤵
  PID:11972
- C:\Windows\System\UsOkHnJ.exe
  C:\Windows\System\UsOkHnJ.exe
  2⤵
  PID:12124
- C:\Windows\System\TIatszR.exe
  C:\Windows\System\TIatszR.exe
  2⤵
  PID:12184
- C:\Windows\System\AjFLMjY.exe
  C:\Windows\System\AjFLMjY.exe
  2⤵
  PID:11448
- C:\Windows\System\dgezsZc.exe
  C:\Windows\System\dgezsZc.exe
  2⤵
  PID:1444
- C:\Windows\System\lFHsZyx.exe
  C:\Windows\System\lFHsZyx.exe
  2⤵
  PID:12084
- C:\Windows\System\HTKaAai.exe
  C:\Windows\System\HTKaAai.exe
  2⤵
  PID:11748
- C:\Windows\System\hAfLIdk.exe
  C:\Windows\System\hAfLIdk.exe
  2⤵
  PID:12152
- C:\Windows\System\eJVYUbc.exe
  C:\Windows\System\eJVYUbc.exe
  2⤵
  PID:12312
- C:\Windows\System\VsBXsUi.exe
  C:\Windows\System\VsBXsUi.exe
  2⤵
  PID:12336
- C:\Windows\System\FjbBNXW.exe
  C:\Windows\System\FjbBNXW.exe
  2⤵
  PID:12360
- C:\Windows\System\ryudNBU.exe
  C:\Windows\System\ryudNBU.exe
  2⤵
  PID:12380
- C:\Windows\System\kRDtpDK.exe
  C:\Windows\System\kRDtpDK.exe
  2⤵
  PID:12416
- C:\Windows\System\dPfxmes.exe
  C:\Windows\System\dPfxmes.exe
  2⤵
  PID:12448
- C:\Windows\System\phfccNj.exe
  C:\Windows\System\phfccNj.exe
  2⤵
  PID:12476
- C:\Windows\System\lBrslot.exe
  C:\Windows\System\lBrslot.exe
  2⤵
  PID:12504
- C:\Windows\System\xgfcYni.exe
  C:\Windows\System\xgfcYni.exe
  2⤵
  PID:12528
- C:\Windows\System\VDxeSVt.exe
  C:\Windows\System\VDxeSVt.exe
  2⤵
  PID:12548
- C:\Windows\System\SYTpDHD.exe
  C:\Windows\System\SYTpDHD.exe
  2⤵
  PID:12592
- C:\Windows\System\XeCCMtn.exe
  C:\Windows\System\XeCCMtn.exe
  2⤵
  PID:12612
- C:\Windows\System\iORyyfI.exe
  C:\Windows\System\iORyyfI.exe
  2⤵
  PID:12652
- C:\Windows\System\MyUUhaS.exe
  C:\Windows\System\MyUUhaS.exe
  2⤵
  PID:12672
- C:\Windows\System\Ethbexw.exe
  C:\Windows\System\Ethbexw.exe
  2⤵
  PID:12708
- C:\Windows\System\TXpxtop.exe
  C:\Windows\System\TXpxtop.exe
  2⤵
  PID:12728
- C:\Windows\System\ySlWfMt.exe
  C:\Windows\System\ySlWfMt.exe
  2⤵
  PID:12756
- C:\Windows\System\xGfNCel.exe
  C:\Windows\System\xGfNCel.exe
  2⤵
  PID:12776
- C:\Windows\System\pQJeATg.exe
  C:\Windows\System\pQJeATg.exe
  2⤵
  PID:12800
- C:\Windows\System\IMmdecn.exe
  C:\Windows\System\IMmdecn.exe
  2⤵
  PID:12828
- C:\Windows\System\THPWhkn.exe
  C:\Windows\System\THPWhkn.exe
  2⤵
  PID:12844
- C:\Windows\System\CSWLhdq.exe
  C:\Windows\System\CSWLhdq.exe
  2⤵
  PID:12868
- C:\Windows\System\JxxTpyq.exe
  C:\Windows\System\JxxTpyq.exe
  2⤵
  PID:12892
- C:\Windows\System\hVgTIGY.exe
  C:\Windows\System\hVgTIGY.exe
  2⤵
  PID:12908
- C:\Windows\System\amBxqCD.exe
  C:\Windows\System\amBxqCD.exe
  2⤵
  PID:12956
- C:\Windows\System\ffbolkw.exe
  C:\Windows\System\ffbolkw.exe
  2⤵
  PID:12996
- C:\Windows\System\ZCGvykM.exe
  C:\Windows\System\ZCGvykM.exe
  2⤵
  PID:13024
- C:\Windows\System\yVbAiVU.exe
  C:\Windows\System\yVbAiVU.exe
  2⤵
  PID:13048
- C:\Windows\System\RhEfsZc.exe
  C:\Windows\System\RhEfsZc.exe
  2⤵
  PID:13092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cisc3wkz.ugq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BjyHqYM.exe

Filesize
1.9MB

MD5
9665379ec9cce967b183b86c124682e5

SHA1
78ce6f092e35e8331447f1a572d161b573741a2a

SHA256
2fe1d8d17df5d39085aa7f1d56329610b417a846e1e5fa1382843471477844bb

SHA512
e51bbcaabaea8d402246247b7facd6d816c4c21a4d17cafb2d9464d530de1b3630c4895fffc4e53cb5734bd179014651f8dc0a1329e763a34b2208dae9570296

Download Submit
C:\Windows\System\COLSRVa.exe

Filesize
1.9MB

MD5
7b38bad1fa4aba2d54bcb7b4d8fb4b85

SHA1
f6c3ee8928a44f9c8b5a72d606981d6c38214b4d

SHA256
2e2850f7d3fd2d55f7ffcf3462292f15aad4899bed19303aba6f9a2f3e5b5ff8

SHA512
0b170ccf9fb97cb11b8b95094ace63f3f2201369deab5a014b3cab0ac5cb06bd370161edcc18fd8979981c29f594c4c27863557d9415568856bd2081c7b8fef4

Download Submit
C:\Windows\System\CcaQvId.exe

Filesize
1.9MB

MD5
ee61e4998dd36b0d25210457720b4126

SHA1
9965f7f81c2b467c5bbcd042ec3d57ac9c6f87d6

SHA256
3a2e12b1556007227a8ec626c94113c28694eec64074a93d6ebf244bbdf40dc4

SHA512
78dbdc02a17f6af3fad8b41f7806c9ed449439dbf3f861da791b7d5f1b15ebb054fc333b2b1fdbd03668524b3a82adc30cd25e628b5e8c352bf1ad7aef36a4c6

Download Submit
C:\Windows\System\CrxZfza.exe

Filesize
1.9MB

MD5
2d889304dea43a36a73acf0f8f685cf7

SHA1
9efb36d98bd2fdb6e8d530d3e6b1bf93948520b5

SHA256
21b0ec5a238fc67362276bfd4248979f504a9c8e39f980d7871307f94e663af3

SHA512
e58e114c95ee709c3e5c41244b79f8f8772989bd9a4e55f625ed72b95a6d4e6c51de8d788a2617862dfa1b0491288674cc72e3d7a69ea363c00596b849ca6b5b

Download Submit
C:\Windows\System\FtakviS.exe

Filesize
1.9MB

MD5
e937a8dcb6f09cc887cbc1c414531f5e

SHA1
1b15ea7e3c8c8d7eab87227c3ea3b33d581e7cc0

SHA256
65698aa0a86c19a4d6c411019613166bfc6596880d47faa6984dab987b754717

SHA512
f7fadf168aa176802f092899487919935bd72b905f0f1f0373368a693f74815d6a4aa6797e4f8850e8cca272c114a787b91172a7054dc864e5c7e0bfeebad177

Download Submit
C:\Windows\System\GJlQXgR.exe

Filesize
1.9MB

MD5
769b8ffcf28e97f747c5334278f19121

SHA1
966f1c19792c4ae0e88d817fd943e91fc30e0303

SHA256
c3231bf5534cbf0f1d625513ca305ac95269db0574c5b16dbfcc3bc9c1a2c0cb

SHA512
d489d08c909a025e38676153982d7aa57180831f4e6cf69bd039dd41e22ea7f47b8b50dee75aaa955a72b4f6969bc737d622274ad8cf78a4009db243097f6307

Download Submit
C:\Windows\System\HFnmyXC.exe

Filesize
1.9MB

MD5
5c121b111c85349fc8da97fa99d29095

SHA1
c1bb5d4dfda3018a20dafb4d78f6fdefc4d27b5e

SHA256
4d07162b1c5f7f23873df3df1f6f859acd9b1634dad36288de81e5d22349350a

SHA512
ea215308a28f217f3431bf23179d7ffac7106cb0efa3102fe31958a8a685771b660d963065d200262b8b6b8b724788b87f978a41bf53cb643a50562a46f9cbc6

Download Submit
C:\Windows\System\IhHmtoM.exe

Filesize
1.9MB

MD5
2e0eb3427cdcd8f2f719a1289c16f1d7

SHA1
50ba0a6eb4f974b53d9c9b340bc66e8acca1ff47

SHA256
1d82cd58177c91be3477345d4400a4a14f027cd5950211ad8837bdc6dc04b1f2

SHA512
480dad536624b1653a9a6f46230f3adfba6f754acb52e6426cc6830df112ebd66f9d13c253e2b194f27f66d128a9642068f50fccdea6d692857b02bd1d46d5da

Download Submit
C:\Windows\System\IpuUrDQ.exe

Filesize
1.9MB

MD5
ffb8a5f4fc2d074bc2e97cedfa40f94b

SHA1
83aea8b74a5b44b6e40419f9221573af064bd398

SHA256
bcd817817d6f5a937b69418d1181dd69062b3c0e0012405b5befb95e3b25a9ed

SHA512
964c7a886eb48536b212ee0fd90ec6a80d022078994d3f4a4e5cb5d95b6b2946bf0ea0fb2daf3b4a1018da52ad00a2d90ed7b15d6cf8418c59565abbe01b3ae6

Download Submit
C:\Windows\System\NHRCMIm.exe

Filesize
1.9MB

MD5
0a44810da9552d41f7580daae7e48cc1

SHA1
6e68ac97838ebb1487f992b5d7250f8aefe5e32f

SHA256
2ae03e0d9184b67d61c3bd9f2cce74b73dc3922870ae106c6c27a438174fc142

SHA512
34c3dbf58d5fc7db9068ee98b79713c8cf01ba0c888c83e864b737f1db4cdf5a421d82063c55e124247d2036807615e4e3cb466c92e83ebf2d175b9d92ab0857

Download Submit
C:\Windows\System\NRLseAO.exe

Filesize
1.9MB

MD5
e678030477eada6001496ce81b7b9d40

SHA1
9f84f067659ab6a05f9bd31608af8248224021be

SHA256
3a034c8820f585d7d4418342321b668a25a7f3a684e647f6045ab2537cd67945

SHA512
cc172d0bc942caa823b377dcd978b97c0d7c914947691712bea6ee7cd30f21ffb01581fdb4bcb8dffab46c8f6ef29d7f027507bb7ba79db95bdf4be1215dc32b

Download Submit
C:\Windows\System\NewJEZY.exe

Filesize
1.9MB

MD5
f13cb2e98c639fc6f413a49cfde7a196

SHA1
f5bdd0d05483a5c1b5254f58c60a2d45f0ce74c7

SHA256
0b74410660767923332f75b422c6789e7e7869e3f73b4959cdfd4cae3aa9b036

SHA512
8bd4ebba6edf963e0f8d3e22aae6cd0242000ef583976adcffa55a65a469457cf79bad00e325b6e8b1995a3b82007a886a9f5f7c4289a3c237a8f9cb20e21526

Download Submit
C:\Windows\System\OMYIbaG.exe

Filesize
1.9MB

MD5
2804106cb921226639cd0de20e5f0cb0

SHA1
f49cfc5e8b06b60d730c168a3839eecff2001171

SHA256
5654128d965bc823cf639a1c316a9f3e861d6e0fafd4f8cb0969b9d9b2b444fc

SHA512
29cffc912be791e55ed59a3d5fd182aa6d3ec2cc0817ccec7d38f825a94d4aebc38936de94b9a58942e74fa55d588dc95705b673aff8845d72b904f028a10e14

Download Submit
C:\Windows\System\PLnriUD.exe

Filesize
1.9MB

MD5
c17bab2946412b5ec523f61388e49e4e

SHA1
36565f468c5fadb67b5180af298bcfaf7a07a4cd

SHA256
634e86b79cad5ad45e46c3cd661b588aa16040022acd8de1af35ae2a8ffb705f

SHA512
7f21cf40a5e78908e580bd31a683f4fc4fedb126ed4dd14fe799d98a0fde0abe7f6644c913634ff1d4b784325c9833cff9579b3115acf6942e373ca1ea81ab37

Download Submit
C:\Windows\System\QDflYMd.exe

Filesize
1.9MB

MD5
7fccbf541a22e186a2cdd9578112524b

SHA1
8c703ca71e2532d278f4e8d53466ae4601542e8e

SHA256
2b03f722c6893dbfc696a468dbb49d36563a6561c7afadbd5d5611c65b26dbf7

SHA512
287b3bc0c659709f6cf7381f196bdb0538e643efa08c91c1d3fd9fa5fa4226c9cd6a92b89f1e873ac25adb47e7b851134dcb19816dbdd45518f4ff12e77c96fd

Download Submit
C:\Windows\System\QQNDZSN.exe

Filesize
1.9MB

MD5
f588a8ba3319de6ea6fe878714f2641e

SHA1
46d5b51a8dbada75f2db7a0605dc0b2dff580a29

SHA256
2142a0f2b12fd2ad03781154cdd7b74bb4ae29088a6976b7221c2ea4fa66a953

SHA512
5d85420e0e9b80354b8bf1c46323747f00d159c7b65792a615e66b6b399f9456924c4e2abb20bd17afaaf512532b20e588e2ca7ccd0ed1014b74a811a5bf373e

Download Submit
C:\Windows\System\VtKaPyn.exe

Filesize
1.9MB

MD5
e058cff5c83a0a4b723743c3d36cf6e7

SHA1
a139272344557f701e68f12c79f1cc4150dfae9b

SHA256
a5d04bd37cd37607dd8537fff4e480ff5e262137be49bfc57459448f063dbb2d

SHA512
2c6788786e72fa668fc927d4e45dce11c61e0c7c2dc852085820dc7def569985832a999e60bdcd24f54372d173bdc2801ad4374ae2bfea23ad95ec62e5884820

Download Submit
C:\Windows\System\axucDPy.exe

Filesize
1.9MB

MD5
b6cab99c6b8c4aac8d0e5fc9317ce89c

SHA1
3b93c04e40c851e6bd31e50ef495cf2ee8e57b4f

SHA256
c61926a2af20940ac9a707f325eb2e914de623a372e3f16732927518b1bfa626

SHA512
6fbb5f8d0accc935711076520870ac61f1074196c7d6e89373c18ae4d95bb85bdbb76ee248d81e1bf87b02fd5d8085a9859acd959b4cccd30fac5c974da1994c

Download Submit
C:\Windows\System\bGkeMQP.exe

Filesize
1.9MB

MD5
d5e9bfb0fdc8df904bb4992564a6fd72

SHA1
aceb58a72e327038a68585a608d50c3cf720420c

SHA256
edcf4f9501a93f10fd98138baf1a6a8a74a79f5f377205736fb01aead1303894

SHA512
683760e6606c44706bb096659f33e032297f4355b3e6216939173d8ae17789ce74b25106dbaaab1ce73ace064bbfe90da32f63b7429a759cc8e4cf8d7357bc19

Download Submit
C:\Windows\System\baPLRgl.exe

Filesize
1.9MB

MD5
bd6c1e79a8bc3fe21c2f11e9e55bea69

SHA1
7ddb6b1f84d67f74daf68652851e7fbc82a83a7f

SHA256
9012aee77b070e204e08f17ba365f8f1d3edff8c8e796482566f6c0499ac0903

SHA512
e2066e14d595a52b5d65d4edf187db9654c8fa11d00157345e4c3a9f300f6372c12ae0db070fc122ba7af4dd03a34e2e2a2a95b5ebbf8ec5109ffb6360a98c12

Download Submit
C:\Windows\System\dXOUtqO.exe

Filesize
1.9MB

MD5
d265e911f69ce62d630bc354e92a37a4

SHA1
6deb26c1804a457ab6cee8d36a4b7c85f8b91b3f

SHA256
ab8ed2d7181498ccbd55c502981a3fe22ceeac9bd6f3187a34afe2054f3060ad

SHA512
1953e4f2edf16bf99233f3251a3446dad69fed24c8a97659ca17da1658eb6144d78405644430f207ec9e6570912a00df4f9f1883004cd2de0aa69616d052b791

Download Submit
C:\Windows\System\dfQqdck.exe

Filesize
1.9MB

MD5
5df4fa2cda9220261ba8f02ca0ecf715

SHA1
14ab83b0877b173c4f06554958e6a9add503952e

SHA256
0b4247e1a7e56c33331658acb3dd5ee5ce8672a63980b1e711ed42551aa61397

SHA512
4089729f4c8641edf66d1564847357e65e4fac59564dc0c7b54f40d7e88701087f57c495e309f29ac1d09ed1ad0a26c273d6748d6e6cd89a67dfefef929a4adb

Download Submit
C:\Windows\System\dvtoscR.exe

Filesize
1.9MB

MD5
4d6bfb50b9bde895c19a175163e0c6ad

SHA1
2b173efba96ceba82551bfc0c13231e6f7b02a1e

SHA256
779b0ccd210f1b90f00adb253d748aa252bf29dd7f53911ef1ccacc4f50d635a

SHA512
351ab3e00c8005ee7ff2feb49f857dc21f5a3e90e47eef364727a1fd3a1cc66ad0ab856117eef14a7bd84f52bba1fdb91fafb10feffe02d006a45e842b952777

Download Submit
C:\Windows\System\eSeHrZn.exe

Filesize
8B

MD5
3277aa72bb7d7f1eb1043502fbd1c406

SHA1
8712dca2f3fbc82bf0cbbeecdc5d6a26c87f443c

SHA256
e94b62f30c9ce8b0b5cea14d4367a52fe08005d1bd56ca932a1fd7fc15c61bc9

SHA512
9fb0369549dba8937fb796cbc4ade6bacf540f10f98e02675f1b04c615cbb49e396cdbd25cd29de56c7bfb889c8464199939a84fa31434a75c020caeb4f9f503

Download Submit
C:\Windows\System\fonHIHP.exe

Filesize
1.9MB

MD5
4191e89f340785c81db2e6848c8bb37f

SHA1
19b46551cd5ec1bab76e00513e06a2dbe9858c0d

SHA256
ae2b6347f926de7ce8ae9f5425bcc1af1d4904c289d7dfb0f6b7eeff2edf3113

SHA512
ba8e69af4c8324ade97e373fb427145b2d08811fbbfc6ff10428c5e74c20d1d3a1d69d94f77778400bfabbda31c11add71e5b4fec44c2384a91e24ba610c9989

Download Submit
C:\Windows\System\kIIWwWK.exe

Filesize
1.9MB

MD5
2d6940630cb1869047da0f79738f3c7a

SHA1
33969c1c9ede83ad1ba3eac85d6fab331e2def66

SHA256
7d5062e662bbf5830cd1a084cfb8e95178d634ed49ab07ca8a689bb514524bc5

SHA512
fa0157dc174281748e188b6edfd987a0f50a40c841f851e7066a57958a4890eaf87502cbbeb29fa27f552d33ff95d242b3775f254feaa65c41c77ba8e3b33e76

Download Submit
C:\Windows\System\lWziOCU.exe

Filesize
1.9MB

MD5
d8493f9e4e3cfc3191ce3361367f8552

SHA1
7b3bbbbc4c10bdd297f79133214067f23aa44ede

SHA256
8e90aefe74dc70d8465b1c3c47a057bbdfbd39b435417b7711469db86098d101

SHA512
aa6c2740a63a850376448a991e42ebe38bba5a743a68fb64248cc9af6438decef782df1e095d11d73aac8c1e915510ac262fbfa96ba34713b4af0c138aceaeb6

Download Submit
C:\Windows\System\nlglxez.exe

Filesize
1.9MB

MD5
4936201c57aa3037bd47ca7332b21112

SHA1
3e4785d53af724dd757cc974ae4e5eed80641c14

SHA256
a566ef46907c08714f6a024c699f0b28533d8ff64ad5a939a97e0aa4f86d7260

SHA512
149776ac8eb928f85c2b74ee806951af524e0993c51637ff69b34d51d51a385f3139924327d2a6a5ecbce04f092ecbcdf88e0abdc2459a795d5521933cc501b9

Download Submit
C:\Windows\System\oFTBTCp.exe

Filesize
1.9MB

MD5
d067b0601a7e6db097560072cf54698c

SHA1
f48381c408e82542723928515d85c62f1a5f4af1

SHA256
fec21dd870540bcecb3475b351dc72f9aedad4191b8858fe5f7795b231b97d61

SHA512
277bc0a6c028595b1bb845425bc01af78bcc41fd3bf52902d5af02ca5e9d6778d044d5f83bf5aa5f208360d92b1eec47f8f1cf173407af11ffcf55f3a5dbd9ad

Download Submit
C:\Windows\System\tTCVSUL.exe

Filesize
1.9MB

MD5
5d4c03049ca12d52462fa4ba26cc9a2a

SHA1
687033ba31269c42bfa9ded1b8dd06250f4fdf1b

SHA256
65056859b4caae1a393da1d66a1772c4aeb3d5590d0206852e7ba1714655915f

SHA512
8b6bf6e47dd559febec3177b3531d149b4904ad3d905de3e9425cba7977b0a3573e7e915ab8e0b3d8efcff44bc98ae93427d35aa8ce979017925a9839a0af786

Download Submit
C:\Windows\System\tTEVIRr.exe

Filesize
1.9MB

MD5
8f5578007cd2c3768c050e358af4a791

SHA1
2bc3233d5cfac7f197f8ffeb87872e7259ebb7c3

SHA256
3bff47086a75b53419d51b8ffbc2a14a26a1ffbcfbafacca5e1403e61f5cb810

SHA512
03f18c0cfabca9fe1cf70478f61b92c9719211425b791b47da7e292278d999ebf5da1770f957d00d861168ef9a4874f0a8b58927c39db6aded1832d3d571fa71

Download Submit
C:\Windows\System\uTxeWzZ.exe

Filesize
1.9MB

MD5
65e206b6714c993719b286eecbbb92bb

SHA1
cc2e5d78a3af19a9d96750ea5b7858af5374ee69

SHA256
ffd70da2636c46c0e1e1d97b08da36c31fbdbfc502b1b949d9e0d90eb6ac78a5

SHA512
f08ef185195c71b9a3be9d094d8d4415541a76c215981aae3a8e134ac9716bbb0a8526066c0681735dd1b88facbc766df90a7eb48ac7de9772679732369ccbcc

Download Submit
C:\Windows\System\vDZCJOq.exe

Filesize
1.9MB

MD5
9ae34dd5f99b4fad4c0f8843082e1580

SHA1
4949455b98144d7a3c41d0996ebde78a7da92866

SHA256
40a86913a96e64f6e39889956f3b391784dc911325ad6f5ea8624923fa977c46

SHA512
93c2a93804eef3a1cd6fd35cdf808107bddf0e0a8f87b1e8810a5f4041e246bfa9a083b6c197890bea51e4e9e2b24a02dafbfb99af75edfd2c29edccab18251f

Download Submit
C:\Windows\System\xWghZzK.exe

Filesize
1.9MB

MD5
09f8f08463b266ff8cb3f26a86ef90a3

SHA1
4a289834d30129ffa078e51278a0f33d095d6d60

SHA256
20f2df0727cd9b567b00073e17506bf1b22f8692cbf17695af5245ae0caf40bd

SHA512
6d2eef02ebc6149f03622549df9ba58a277ec13ea497269b788f1501a3ad20ab1bed2d2645c4eb28fe15f9c0427223744ac70e6caeaab100ac752b045199eb01

Download Submit
memory/628-12-0x00007FF73C150000-0x00007FF73C542000-memory.dmp

Filesize
3.9MB

Download
memory/628-3123-0x00007FF73C150000-0x00007FF73C542000-memory.dmp

Filesize
3.9MB

Download
memory/808-3150-0x00007FF6382F0000-0x00007FF6386E2000-memory.dmp

Filesize
3.9MB

Download
memory/808-111-0x00007FF6382F0000-0x00007FF6386E2000-memory.dmp

Filesize
3.9MB

Download
memory/836-369-0x00007FF602A50000-0x00007FF602E42000-memory.dmp

Filesize
3.9MB

Download
memory/836-3169-0x00007FF602A50000-0x00007FF602E42000-memory.dmp

Filesize
3.9MB

Download
memory/900-3102-0x00007FFAA3A70000-0x00007FFAA4531000-memory.dmp

Filesize
10.8MB

Download
memory/900-75-0x000001FC57360000-0x000001FC57382000-memory.dmp

Filesize
136KB

Download
memory/900-446-0x000001FC57EC0000-0x000001FC58666000-memory.dmp

Filesize
7.6MB

Download
memory/900-3093-0x00007FFAA3A70000-0x00007FFAA4531000-memory.dmp

Filesize
10.8MB

Download
memory/900-3079-0x00007FFAA3A73000-0x00007FFAA3A75000-memory.dmp

Filesize
8KB

Download
memory/900-116-0x00007FFAA3A70000-0x00007FFAA4531000-memory.dmp

Filesize
10.8MB

Download
memory/900-3060-0x00007FFAA3A70000-0x00007FFAA4531000-memory.dmp

Filesize
10.8MB

Download
memory/900-80-0x00007FFAA3A70000-0x00007FFAA4531000-memory.dmp

Filesize
10.8MB

Download
memory/900-37-0x00007FFAA3A73000-0x00007FFAA3A75000-memory.dmp

Filesize
8KB

Download
memory/948-3159-0x00007FF73A520000-0x00007FF73A912000-memory.dmp

Filesize
3.9MB

Download
memory/948-364-0x00007FF73A520000-0x00007FF73A912000-memory.dmp

Filesize
3.9MB

Download
memory/1056-110-0x00007FF7012C0000-0x00007FF7016B2000-memory.dmp

Filesize
3.9MB

Download
memory/1056-3153-0x00007FF7012C0000-0x00007FF7016B2000-memory.dmp

Filesize
3.9MB

Download
memory/1504-3147-0x00007FF7BDFD0000-0x00007FF7BE3C2000-memory.dmp

Filesize
3.9MB

Download
memory/1504-117-0x00007FF7BDFD0000-0x00007FF7BE3C2000-memory.dmp

Filesize
3.9MB

Download
memory/2036-3134-0x00007FF6224C0000-0x00007FF6228B2000-memory.dmp

Filesize
3.9MB

Download
memory/2036-115-0x00007FF6224C0000-0x00007FF6228B2000-memory.dmp

Filesize
3.9MB

Download
memory/2440-3142-0x00007FF6BB620000-0x00007FF6BBA12000-memory.dmp

Filesize
3.9MB

Download
memory/2440-108-0x00007FF6BB620000-0x00007FF6BBA12000-memory.dmp

Filesize
3.9MB

Download
memory/2504-3135-0x00007FF78DEE0000-0x00007FF78E2D2000-memory.dmp

Filesize
3.9MB

Download
memory/2504-99-0x00007FF78DEE0000-0x00007FF78E2D2000-memory.dmp

Filesize
3.9MB

Download
memory/2896-1-0x0000022A6A330000-0x0000022A6A340000-memory.dmp

Filesize
64KB

Download
memory/2896-0-0x00007FF720070000-0x00007FF720462000-memory.dmp

Filesize
3.9MB

Download
memory/2924-3165-0x00007FF71CBF0000-0x00007FF71CFE2000-memory.dmp

Filesize
3.9MB

Download
memory/2924-367-0x00007FF71CBF0000-0x00007FF71CFE2000-memory.dmp

Filesize
3.9MB

Download
memory/3564-26-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp

Filesize
3.9MB

Download
memory/3564-3127-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp

Filesize
3.9MB

Download
memory/3564-3058-0x00007FF6401B0000-0x00007FF6405A2000-memory.dmp

Filesize
3.9MB

Download
memory/3612-3131-0x00007FF63DB40000-0x00007FF63DF32000-memory.dmp

Filesize
3.9MB

Download
memory/3612-31-0x00007FF63DB40000-0x00007FF63DF32000-memory.dmp

Filesize
3.9MB

Download
memory/3612-3059-0x00007FF63DB40000-0x00007FF63DF32000-memory.dmp

Filesize
3.9MB

Download
memory/3688-3143-0x00007FF611A30000-0x00007FF611E22000-memory.dmp

Filesize
3.9MB

Download
memory/3688-105-0x00007FF611A30000-0x00007FF611E22000-memory.dmp

Filesize
3.9MB

Download
memory/3748-3129-0x00007FF621740000-0x00007FF621B32000-memory.dmp

Filesize
3.9MB

Download
memory/3748-114-0x00007FF621740000-0x00007FF621B32000-memory.dmp

Filesize
3.9MB

Download
memory/3760-363-0x00007FF6044C0000-0x00007FF6048B2000-memory.dmp

Filesize
3.9MB

Download
memory/3760-3157-0x00007FF6044C0000-0x00007FF6048B2000-memory.dmp

Filesize
3.9MB

Download
memory/4000-3139-0x00007FF60B260000-0x00007FF60B652000-memory.dmp

Filesize
3.9MB

Download
memory/4000-104-0x00007FF60B260000-0x00007FF60B652000-memory.dmp

Filesize
3.9MB

Download
memory/4024-103-0x00007FF7A3190000-0x00007FF7A3582000-memory.dmp

Filesize
3.9MB

Download
memory/4024-3138-0x00007FF7A3190000-0x00007FF7A3582000-memory.dmp

Filesize
3.9MB

Download
memory/4076-3167-0x00007FF72CF50000-0x00007FF72D342000-memory.dmp

Filesize
3.9MB

Download
memory/4076-368-0x00007FF72CF50000-0x00007FF72D342000-memory.dmp

Filesize
3.9MB

Download
memory/4124-3155-0x00007FF7F5060000-0x00007FF7F5452000-memory.dmp

Filesize
3.9MB

Download
memory/4124-113-0x00007FF7F5060000-0x00007FF7F5452000-memory.dmp

Filesize
3.9MB

Download
memory/4236-3151-0x00007FF6C04B0000-0x00007FF6C08A2000-memory.dmp

Filesize
3.9MB

Download
memory/4236-112-0x00007FF6C04B0000-0x00007FF6C08A2000-memory.dmp

Filesize
3.9MB

Download
memory/4592-20-0x00007FF633460000-0x00007FF633852000-memory.dmp

Filesize
3.9MB

Download
memory/4592-3125-0x00007FF633460000-0x00007FF633852000-memory.dmp

Filesize
3.9MB

Download
memory/4604-3161-0x00007FF6D6630000-0x00007FF6D6A22000-memory.dmp

Filesize
3.9MB

Download
memory/4604-365-0x00007FF6D6630000-0x00007FF6D6A22000-memory.dmp

Filesize
3.9MB

Download
memory/5096-3145-0x00007FF6F1950000-0x00007FF6F1D42000-memory.dmp

Filesize
3.9MB

Download
memory/5096-109-0x00007FF6F1950000-0x00007FF6F1D42000-memory.dmp

Filesize
3.9MB

Download
memory/5108-366-0x00007FF604BE0000-0x00007FF604FD2000-memory.dmp

Filesize
3.9MB

Download
memory/5108-3163-0x00007FF604BE0000-0x00007FF604FD2000-memory.dmp

Filesize
3.9MB

Download