xmrig | cdfb5eceef238cb0fc3e5941435bd89b333081f1b7a5bee85ce46621c12d2043

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03-05-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
Size

2.2MB
MD5

0f6eae8a93f85560ce2df141cc74ec62
SHA1

811005a214c7299fec98d73d3a435b8c3db0a369
SHA256

cdfb5eceef238cb0fc3e5941435bd89b333081f1b7a5bee85ce46621c12d2043
SHA512

c9a7a88244e08a9ed9ce41374079fbadda51a8f2b1a7e2090e79bdf3eaaffdde31c0593b9e1ba1ef252d2bf0cbae0658f8e78d280a28129aa04c762277bb1413
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1VQx7Va4qrfKb:NAB1

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 14420 created 100	14420	WerFaultSecure.exe	79
PID 14320 created 12652	14320	WerFaultSecure.exe	663

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral2/memory/2880-88-0x00007FF636200000-0x00007FF6365F2000-memory.dmp	xmrig
behavioral2/memory/4552-99-0x00007FF7DD4A0000-0x00007FF7DD892000-memory.dmp	xmrig
behavioral2/memory/4380-135-0x00007FF694DF0000-0x00007FF6951E2000-memory.dmp	xmrig
behavioral2/memory/3940-172-0x00007FF678E60000-0x00007FF679252000-memory.dmp	xmrig
behavioral2/memory/688-166-0x00007FF74A8E0000-0x00007FF74ACD2000-memory.dmp	xmrig
behavioral2/memory/2332-160-0x00007FF709860000-0x00007FF709C52000-memory.dmp	xmrig
behavioral2/memory/2264-154-0x00007FF65EEE0000-0x00007FF65F2D2000-memory.dmp	xmrig
behavioral2/memory/3672-148-0x00007FF6A9920000-0x00007FF6A9D12000-memory.dmp	xmrig
behavioral2/memory/4452-147-0x00007FF6CD7A0000-0x00007FF6CDB92000-memory.dmp	xmrig
behavioral2/memory/4532-136-0x00007FF7FE820000-0x00007FF7FEC12000-memory.dmp	xmrig
behavioral2/memory/1476-129-0x00007FF76C310000-0x00007FF76C702000-memory.dmp	xmrig
behavioral2/memory/3496-125-0x00007FF783770000-0x00007FF783B62000-memory.dmp	xmrig
behavioral2/memory/4148-119-0x00007FF691230000-0x00007FF691622000-memory.dmp	xmrig
behavioral2/memory/4616-114-0x00007FF62C920000-0x00007FF62CD12000-memory.dmp	xmrig
behavioral2/memory/5108-113-0x00007FF7DFC10000-0x00007FF7E0002000-memory.dmp	xmrig
behavioral2/memory/4596-109-0x00007FF762350000-0x00007FF762742000-memory.dmp	xmrig
behavioral2/memory/2592-95-0x00007FF6973A0000-0x00007FF697792000-memory.dmp	xmrig
behavioral2/memory/2652-89-0x00007FF68BA30000-0x00007FF68BE22000-memory.dmp	xmrig
behavioral2/memory/4036-50-0x00007FF749C20000-0x00007FF74A012000-memory.dmp	xmrig
behavioral2/memory/2184-41-0x00007FF7AD2C0000-0x00007FF7AD6B2000-memory.dmp	xmrig
behavioral2/memory/3036-2739-0x00007FF6533E0000-0x00007FF6537D2000-memory.dmp	xmrig
behavioral2/memory/3356-2743-0x00007FF697FE0000-0x00007FF6983D2000-memory.dmp	xmrig
behavioral2/memory/4036-3048-0x00007FF749C20000-0x00007FF74A012000-memory.dmp	xmrig
behavioral2/memory/2652-3052-0x00007FF68BA30000-0x00007FF68BE22000-memory.dmp	xmrig
behavioral2/memory/4552-3051-0x00007FF7DD4A0000-0x00007FF7DD892000-memory.dmp	xmrig
behavioral2/memory/2064-3061-0x00007FF66DB50000-0x00007FF66DF42000-memory.dmp	xmrig
behavioral2/memory/2592-3062-0x00007FF6973A0000-0x00007FF697792000-memory.dmp	xmrig
behavioral2/memory/3356-3064-0x00007FF697FE0000-0x00007FF6983D2000-memory.dmp	xmrig
behavioral2/memory/1048-3059-0x00007FF6CF120000-0x00007FF6CF512000-memory.dmp	xmrig
behavioral2/memory/5108-3055-0x00007FF7DFC10000-0x00007FF7E0002000-memory.dmp	xmrig
behavioral2/memory/4596-3057-0x00007FF762350000-0x00007FF762742000-memory.dmp	xmrig
behavioral2/memory/3036-3066-0x00007FF6533E0000-0x00007FF6537D2000-memory.dmp	xmrig
behavioral2/memory/4616-3077-0x00007FF62C920000-0x00007FF62CD12000-memory.dmp	xmrig
behavioral2/memory/4452-3080-0x00007FF6CD7A0000-0x00007FF6CDB92000-memory.dmp	xmrig
behavioral2/memory/3672-3082-0x00007FF6A9920000-0x00007FF6A9D12000-memory.dmp	xmrig
behavioral2/memory/4148-3075-0x00007FF691230000-0x00007FF691622000-memory.dmp	xmrig
behavioral2/memory/1476-3073-0x00007FF76C310000-0x00007FF76C702000-memory.dmp	xmrig
behavioral2/memory/4380-3071-0x00007FF694DF0000-0x00007FF6951E2000-memory.dmp	xmrig
behavioral2/memory/3496-3078-0x00007FF783770000-0x00007FF783B62000-memory.dmp	xmrig
behavioral2/memory/4532-3069-0x00007FF7FE820000-0x00007FF7FEC12000-memory.dmp	xmrig
behavioral2/memory/2332-3090-0x00007FF709860000-0x00007FF709C52000-memory.dmp	xmrig
behavioral2/memory/3940-3086-0x00007FF678E60000-0x00007FF679252000-memory.dmp	xmrig
behavioral2/memory/2264-3094-0x00007FF65EEE0000-0x00007FF65F2D2000-memory.dmp	xmrig
behavioral2/memory/688-3088-0x00007FF74A8E0000-0x00007FF74ACD2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	3592	powershell.exe
10	3592	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3592	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2880	OQYsIMP.exe
2184	tzSvbrH.exe
4036	deAfXNK.exe
2652	NxPpBgz.exe
2592	MyeonzW.exe
4552	eiPHEdv.exe
1048	tmlETFE.exe
2064	adFpOCD.exe
3036	vpJHUEI.exe
4596	jYvFRtT.exe
3356	MoXevwd.exe
5108	QXLMYif.exe
3496	ISXGlhZ.exe
4616	kCvlVcp.exe
4148	rGBDhuZ.exe
1476	CMzRxqx.exe
4380	YUUrVnU.exe
4532	PHUymtX.exe
4452	dpAQVVL.exe
3672	rUlXgYA.exe
2264	TbKvPjB.exe
2332	uqWrlGL.exe
688	PZdvVUQ.exe
3940	fusHbpZ.exe
4952	iDRzcZc.exe
4568	ZBwsumB.exe
2296	GqdCEbu.exe
1392	TnioYNe.exe
5092	bHKsjIO.exe
2440	iPsEimO.exe
4192	nVpEcCz.exe
4272	IgYuJcf.exe
2512	sapLbFr.exe
1540	IKcaTEx.exe
2404	mWQxksv.exe
808	ryfmveB.exe
4560	ltOZvWu.exe
3844	YCJEKaL.exe
2560	FrsYRMD.exe
544	JbrkOxl.exe
4004	OXKUIux.exe
3784	PzeZMOD.exe
4480	oPUZDKL.exe
3904	DXmQsjC.exe
3544	EoEWThz.exe
4888	xWVFaNN.exe
1272	ExqvKEc.exe
1204	YjDSfkd.exe
1220	FSmyBzo.exe
4276	wBSupUF.exe
2180	tGBfXrd.exe
3860	lUWezKP.exe
2312	XBvccKb.exe
4360	UwzdIXw.exe
3372	BmXsbDx.exe
1344	jrZWqtm.exe
1444	cPznqQu.exe
3104	jPgvmLB.exe
3288	EAKsAgF.exe
2500	qApsiQO.exe
744	sgMFIJx.exe
3952	glsZSsc.exe
3700	MENpqbZ.exe
3560	dClucDw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-0-0x00007FF69DCC0000-0x00007FF69E0B2000-memory.dmp	upx
behavioral2/files/0x000d000000023b23-6.dat	upx
behavioral2/files/0x000a000000023b8a-8.dat	upx
behavioral2/files/0x000a000000023b89-10.dat	upx
behavioral2/files/0x000a000000023b8b-28.dat	upx
behavioral2/files/0x000a000000023b8e-40.dat	upx
behavioral2/files/0x000a000000023b90-55.dat	upx
behavioral2/files/0x000a000000023b92-65.dat	upx
behavioral2/files/0x000a000000023b93-73.dat	upx
behavioral2/memory/2880-88-0x00007FF636200000-0x00007FF6365F2000-memory.dmp	upx
behavioral2/memory/4552-99-0x00007FF7DD4A0000-0x00007FF7DD892000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-115.dat	upx
behavioral2/files/0x000a000000023b99-122.dat	upx
behavioral2/memory/4380-135-0x00007FF694DF0000-0x00007FF6951E2000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-142.dat	upx
behavioral2/files/0x000a000000023b9e-151.dat	upx
behavioral2/files/0x000a000000023ba0-163.dat	upx
behavioral2/files/0x000a000000023ba5-190.dat	upx
behavioral2/files/0x000a000000023ba7-200.dat	upx
behavioral2/files/0x000a000000023ba6-195.dat	upx
behavioral2/files/0x000a000000023ba4-193.dat	upx
behavioral2/files/0x000a000000023ba3-188.dat	upx
behavioral2/files/0x000a000000023ba2-183.dat	upx
behavioral2/files/0x000a000000023ba1-178.dat	upx
behavioral2/memory/3940-172-0x00007FF678E60000-0x00007FF679252000-memory.dmp	upx
behavioral2/files/0x000a000000023b9f-167.dat	upx
behavioral2/memory/688-166-0x00007FF74A8E0000-0x00007FF74ACD2000-memory.dmp	upx
behavioral2/memory/2332-160-0x00007FF709860000-0x00007FF709C52000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-155.dat	upx
behavioral2/memory/2264-154-0x00007FF65EEE0000-0x00007FF65F2D2000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-149.dat	upx
behavioral2/memory/3672-148-0x00007FF6A9920000-0x00007FF6A9D12000-memory.dmp	upx
behavioral2/memory/4452-147-0x00007FF6CD7A0000-0x00007FF6CDB92000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-137.dat	upx
behavioral2/memory/4532-136-0x00007FF7FE820000-0x00007FF7FEC12000-memory.dmp	upx
behavioral2/memory/1476-129-0x00007FF76C310000-0x00007FF76C702000-memory.dmp	upx
behavioral2/memory/3496-125-0x00007FF783770000-0x00007FF783B62000-memory.dmp	upx
behavioral2/files/0x000a000000023b98-120.dat	upx
behavioral2/memory/4148-119-0x00007FF691230000-0x00007FF691622000-memory.dmp	upx
behavioral2/memory/4616-114-0x00007FF62C920000-0x00007FF62CD12000-memory.dmp	upx
behavioral2/memory/5108-113-0x00007FF7DFC10000-0x00007FF7E0002000-memory.dmp	upx
behavioral2/files/0x000a000000023b96-111.dat	upx
behavioral2/memory/4596-109-0x00007FF762350000-0x00007FF762742000-memory.dmp	upx
behavioral2/files/0x000a000000023b95-103.dat	upx
behavioral2/files/0x000b000000023b86-102.dat	upx
behavioral2/files/0x000a000000023b94-100.dat	upx
behavioral2/memory/2592-95-0x00007FF6973A0000-0x00007FF697792000-memory.dmp	upx
behavioral2/memory/2652-89-0x00007FF68BA30000-0x00007FF68BE22000-memory.dmp	upx
behavioral2/memory/3356-76-0x00007FF697FE0000-0x00007FF6983D2000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-71.dat	upx
behavioral2/files/0x000b000000023b8d-70.dat	upx
behavioral2/memory/3036-69-0x00007FF6533E0000-0x00007FF6537D2000-memory.dmp	upx
behavioral2/files/0x000a000000023b8f-66.dat	upx
behavioral2/memory/2064-61-0x00007FF66DB50000-0x00007FF66DF42000-memory.dmp	upx
behavioral2/memory/1048-57-0x00007FF6CF120000-0x00007FF6CF512000-memory.dmp	upx
behavioral2/memory/4036-50-0x00007FF749C20000-0x00007FF74A012000-memory.dmp	upx
behavioral2/files/0x000b000000023b8c-46.dat	upx
behavioral2/memory/2184-41-0x00007FF7AD2C0000-0x00007FF7AD6B2000-memory.dmp	upx
behavioral2/memory/3036-2739-0x00007FF6533E0000-0x00007FF6537D2000-memory.dmp	upx
behavioral2/memory/3356-2743-0x00007FF697FE0000-0x00007FF6983D2000-memory.dmp	upx
behavioral2/memory/4036-3048-0x00007FF749C20000-0x00007FF74A012000-memory.dmp	upx
behavioral2/memory/2652-3052-0x00007FF68BA30000-0x00007FF68BE22000-memory.dmp	upx
behavioral2/memory/4552-3051-0x00007FF7DD4A0000-0x00007FF7DD892000-memory.dmp	upx
behavioral2/memory/2064-3061-0x00007FF66DB50000-0x00007FF66DF42000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\zKlZVCs.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\OIQdASX.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\gFkauII.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\INuEHmQ.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\CUZAxAt.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\ZXSlQfj.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\bEeXuRn.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\cVhLyRg.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\CYnEeBs.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\XuSnLec.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\Jpkdeny.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\VnsiESt.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\DNiGUVl.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\aRfjoTR.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\slSKniQ.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\ckcCMav.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\GqdCEbu.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\lLBwJIQ.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\VQpguSd.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\Zaommss.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\NHnlxgg.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\kKvvBsl.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\oifgMMl.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\Qmcbkgo.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\ybCbaHn.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\WzoPeMQ.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\DfuYpdM.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\FXhZfZU.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\RxvuzHn.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\euflDJK.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\cmlvjWj.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\vFapUKC.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\UvSUEpK.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\GFQPalC.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\fmejpRB.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\raSPVuy.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\WOmXpxN.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\EaldeOA.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\BlcyBNd.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\CEeeMPv.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\qPMrgPE.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\prJkoMM.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\WxdSVyG.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\YLXTaPI.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\BYvqzwB.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\vHFxbMd.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\srDrUMK.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\AyXnUam.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\pOzVlVt.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\WGArWxi.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\HsOwsWC.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\UftJFUO.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\ueCcBVk.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\PtAjEkr.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\QwDZrQR.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\ieZhIkM.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\mLnEDrJ.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\bMmYLoI.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\WJAgvsy.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\eSpCnqe.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\GeOBlFs.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\CZzjKZN.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\AkDYFHx.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
File created	C:\Windows\System\yeiGFAQ.exe	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
14684	WerFaultSecure.exe
14684	WerFaultSecure.exe
14676	WerFaultSecure.exe
14676	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
Token: SeDebugPrivilege	3592	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 3592	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	84
PID 3516 wrote to memory of 3592	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	84
PID 3516 wrote to memory of 2880	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	85
PID 3516 wrote to memory of 2880	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	85
PID 3516 wrote to memory of 2184	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	86
PID 3516 wrote to memory of 2184	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	86
PID 3516 wrote to memory of 4036	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	87
PID 3516 wrote to memory of 4036	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	87
PID 3516 wrote to memory of 2652	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	88
PID 3516 wrote to memory of 2652	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	88
PID 3516 wrote to memory of 2592	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	89
PID 3516 wrote to memory of 2592	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	89
PID 3516 wrote to memory of 4552	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	90
PID 3516 wrote to memory of 4552	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	90
PID 3516 wrote to memory of 1048	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	91
PID 3516 wrote to memory of 1048	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	91
PID 3516 wrote to memory of 2064	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	92
PID 3516 wrote to memory of 2064	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	92
PID 3516 wrote to memory of 3036	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	93
PID 3516 wrote to memory of 3036	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	93
PID 3516 wrote to memory of 4596	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	94
PID 3516 wrote to memory of 4596	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	94
PID 3516 wrote to memory of 3356	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	95
PID 3516 wrote to memory of 3356	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	95
PID 3516 wrote to memory of 5108	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	96
PID 3516 wrote to memory of 5108	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	96
PID 3516 wrote to memory of 3496	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	97
PID 3516 wrote to memory of 3496	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	97
PID 3516 wrote to memory of 4616	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	98
PID 3516 wrote to memory of 4616	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	98
PID 3516 wrote to memory of 4148	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	99
PID 3516 wrote to memory of 4148	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	99
PID 3516 wrote to memory of 1476	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	100
PID 3516 wrote to memory of 1476	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	100
PID 3516 wrote to memory of 4380	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	101
PID 3516 wrote to memory of 4380	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	101
PID 3516 wrote to memory of 4532	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	102
PID 3516 wrote to memory of 4532	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	102
PID 3516 wrote to memory of 4452	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	103
PID 3516 wrote to memory of 4452	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	103
PID 3516 wrote to memory of 3672	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	104
PID 3516 wrote to memory of 3672	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	104
PID 3516 wrote to memory of 2264	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	105
PID 3516 wrote to memory of 2264	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	105
PID 3516 wrote to memory of 2332	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	106
PID 3516 wrote to memory of 2332	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	106
PID 3516 wrote to memory of 688	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	107
PID 3516 wrote to memory of 688	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	107
PID 3516 wrote to memory of 3940	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	108
PID 3516 wrote to memory of 3940	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	108
PID 3516 wrote to memory of 4952	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	109
PID 3516 wrote to memory of 4952	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	109
PID 3516 wrote to memory of 4568	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	110
PID 3516 wrote to memory of 4568	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	110
PID 3516 wrote to memory of 2296	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	111
PID 3516 wrote to memory of 2296	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	111
PID 3516 wrote to memory of 1392	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	112
PID 3516 wrote to memory of 1392	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	112
PID 3516 wrote to memory of 5092	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	113
PID 3516 wrote to memory of 5092	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	113
PID 3516 wrote to memory of 2440	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	114
PID 3516 wrote to memory of 2440	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	114
PID 3516 wrote to memory of 4192	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	115
PID 3516 wrote to memory of 4192	3516	0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe	115

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:100
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 100 -s 1672
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:14676

C:\Users\Admin\AppData\Local\Temp\0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f6eae8a93f85560ce2df141cc74ec62_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3592" "2980" "2920" "2984" "0" "0" "2988" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:14576
- C:\Windows\System\OQYsIMP.exe
  C:\Windows\System\OQYsIMP.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\tzSvbrH.exe
  C:\Windows\System\tzSvbrH.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\deAfXNK.exe
  C:\Windows\System\deAfXNK.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\NxPpBgz.exe
  C:\Windows\System\NxPpBgz.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\MyeonzW.exe
  C:\Windows\System\MyeonzW.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\eiPHEdv.exe
  C:\Windows\System\eiPHEdv.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\tmlETFE.exe
  C:\Windows\System\tmlETFE.exe
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\Windows\System\adFpOCD.exe
  C:\Windows\System\adFpOCD.exe
  2⤵
  - Executes dropped EXE
  PID:2064
- C:\Windows\System\vpJHUEI.exe
  C:\Windows\System\vpJHUEI.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\jYvFRtT.exe
  C:\Windows\System\jYvFRtT.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\MoXevwd.exe
  C:\Windows\System\MoXevwd.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\QXLMYif.exe
  C:\Windows\System\QXLMYif.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\ISXGlhZ.exe
  C:\Windows\System\ISXGlhZ.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\kCvlVcp.exe
  C:\Windows\System\kCvlVcp.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\rGBDhuZ.exe
  C:\Windows\System\rGBDhuZ.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\CMzRxqx.exe
  C:\Windows\System\CMzRxqx.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\YUUrVnU.exe
  C:\Windows\System\YUUrVnU.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\PHUymtX.exe
  C:\Windows\System\PHUymtX.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\dpAQVVL.exe
  C:\Windows\System\dpAQVVL.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Windows\System\rUlXgYA.exe
  C:\Windows\System\rUlXgYA.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\TbKvPjB.exe
  C:\Windows\System\TbKvPjB.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\uqWrlGL.exe
  C:\Windows\System\uqWrlGL.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\PZdvVUQ.exe
  C:\Windows\System\PZdvVUQ.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System\fusHbpZ.exe
  C:\Windows\System\fusHbpZ.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\iDRzcZc.exe
  C:\Windows\System\iDRzcZc.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\ZBwsumB.exe
  C:\Windows\System\ZBwsumB.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\GqdCEbu.exe
  C:\Windows\System\GqdCEbu.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\TnioYNe.exe
  C:\Windows\System\TnioYNe.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\bHKsjIO.exe
  C:\Windows\System\bHKsjIO.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\iPsEimO.exe
  C:\Windows\System\iPsEimO.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\nVpEcCz.exe
  C:\Windows\System\nVpEcCz.exe
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Windows\System\IgYuJcf.exe
  C:\Windows\System\IgYuJcf.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\sapLbFr.exe
  C:\Windows\System\sapLbFr.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\IKcaTEx.exe
  C:\Windows\System\IKcaTEx.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\mWQxksv.exe
  C:\Windows\System\mWQxksv.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\ryfmveB.exe
  C:\Windows\System\ryfmveB.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\ltOZvWu.exe
  C:\Windows\System\ltOZvWu.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\YCJEKaL.exe
  C:\Windows\System\YCJEKaL.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\FrsYRMD.exe
  C:\Windows\System\FrsYRMD.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\JbrkOxl.exe
  C:\Windows\System\JbrkOxl.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\OXKUIux.exe
  C:\Windows\System\OXKUIux.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\PzeZMOD.exe
  C:\Windows\System\PzeZMOD.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\oPUZDKL.exe
  C:\Windows\System\oPUZDKL.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\DXmQsjC.exe
  C:\Windows\System\DXmQsjC.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\EoEWThz.exe
  C:\Windows\System\EoEWThz.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\xWVFaNN.exe
  C:\Windows\System\xWVFaNN.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\ExqvKEc.exe
  C:\Windows\System\ExqvKEc.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\YjDSfkd.exe
  C:\Windows\System\YjDSfkd.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\FSmyBzo.exe
  C:\Windows\System\FSmyBzo.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\wBSupUF.exe
  C:\Windows\System\wBSupUF.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\tGBfXrd.exe
  C:\Windows\System\tGBfXrd.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\lUWezKP.exe
  C:\Windows\System\lUWezKP.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\XBvccKb.exe
  C:\Windows\System\XBvccKb.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\UwzdIXw.exe
  C:\Windows\System\UwzdIXw.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\BmXsbDx.exe
  C:\Windows\System\BmXsbDx.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\jrZWqtm.exe
  C:\Windows\System\jrZWqtm.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\cPznqQu.exe
  C:\Windows\System\cPznqQu.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\jPgvmLB.exe
  C:\Windows\System\jPgvmLB.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\EAKsAgF.exe
  C:\Windows\System\EAKsAgF.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\qApsiQO.exe
  C:\Windows\System\qApsiQO.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\sgMFIJx.exe
  C:\Windows\System\sgMFIJx.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\glsZSsc.exe
  C:\Windows\System\glsZSsc.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\MENpqbZ.exe
  C:\Windows\System\MENpqbZ.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\dClucDw.exe
  C:\Windows\System\dClucDw.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\OnUdqKr.exe
  C:\Windows\System\OnUdqKr.exe
  2⤵
  PID:3756
- C:\Windows\System\ftTTrpU.exe
  C:\Windows\System\ftTTrpU.exe
  2⤵
  PID:1188
- C:\Windows\System\gvJZyHN.exe
  C:\Windows\System\gvJZyHN.exe
  2⤵
  PID:4216
- C:\Windows\System\ryfuwAY.exe
  C:\Windows\System\ryfuwAY.exe
  2⤵
  PID:3504
- C:\Windows\System\JFtmeHr.exe
  C:\Windows\System\JFtmeHr.exe
  2⤵
  PID:5028
- C:\Windows\System\OoOswxJ.exe
  C:\Windows\System\OoOswxJ.exe
  2⤵
  PID:3596
- C:\Windows\System\rKjCSzm.exe
  C:\Windows\System\rKjCSzm.exe
  2⤵
  PID:5132
- C:\Windows\System\VErOgGi.exe
  C:\Windows\System\VErOgGi.exe
  2⤵
  PID:5160
- C:\Windows\System\lixJJVh.exe
  C:\Windows\System\lixJJVh.exe
  2⤵
  PID:5188
- C:\Windows\System\kYYHxbM.exe
  C:\Windows\System\kYYHxbM.exe
  2⤵
  PID:5220
- C:\Windows\System\jXRZRiR.exe
  C:\Windows\System\jXRZRiR.exe
  2⤵
  PID:5248
- C:\Windows\System\JNUuvAt.exe
  C:\Windows\System\JNUuvAt.exe
  2⤵
  PID:5276
- C:\Windows\System\cCaoioD.exe
  C:\Windows\System\cCaoioD.exe
  2⤵
  PID:5304
- C:\Windows\System\xVdsnli.exe
  C:\Windows\System\xVdsnli.exe
  2⤵
  PID:5332
- C:\Windows\System\vNZsoZd.exe
  C:\Windows\System\vNZsoZd.exe
  2⤵
  PID:5364
- C:\Windows\System\bjlVjPz.exe
  C:\Windows\System\bjlVjPz.exe
  2⤵
  PID:5388
- C:\Windows\System\QbKvkPj.exe
  C:\Windows\System\QbKvkPj.exe
  2⤵
  PID:5416
- C:\Windows\System\mGftibW.exe
  C:\Windows\System\mGftibW.exe
  2⤵
  PID:5444
- C:\Windows\System\PSFOvaD.exe
  C:\Windows\System\PSFOvaD.exe
  2⤵
  PID:5472
- C:\Windows\System\QSQmhoN.exe
  C:\Windows\System\QSQmhoN.exe
  2⤵
  PID:5500
- C:\Windows\System\fCyDaPL.exe
  C:\Windows\System\fCyDaPL.exe
  2⤵
  PID:5528
- C:\Windows\System\nvrAZsv.exe
  C:\Windows\System\nvrAZsv.exe
  2⤵
  PID:5560
- C:\Windows\System\eSONhxg.exe
  C:\Windows\System\eSONhxg.exe
  2⤵
  PID:5588
- C:\Windows\System\zeAWGxG.exe
  C:\Windows\System\zeAWGxG.exe
  2⤵
  PID:5616
- C:\Windows\System\FUvBfkw.exe
  C:\Windows\System\FUvBfkw.exe
  2⤵
  PID:5644
- C:\Windows\System\MkIBlGq.exe
  C:\Windows\System\MkIBlGq.exe
  2⤵
  PID:5672
- C:\Windows\System\HsOwsWC.exe
  C:\Windows\System\HsOwsWC.exe
  2⤵
  PID:5700
- C:\Windows\System\JtZHdCf.exe
  C:\Windows\System\JtZHdCf.exe
  2⤵
  PID:5752
- C:\Windows\System\ggEJcwq.exe
  C:\Windows\System\ggEJcwq.exe
  2⤵
  PID:5780
- C:\Windows\System\AeIAhXC.exe
  C:\Windows\System\AeIAhXC.exe
  2⤵
  PID:5796
- C:\Windows\System\wYeNEeU.exe
  C:\Windows\System\wYeNEeU.exe
  2⤵
  PID:5824
- C:\Windows\System\RYCHfMC.exe
  C:\Windows\System\RYCHfMC.exe
  2⤵
  PID:5848
- C:\Windows\System\XzCpdhp.exe
  C:\Windows\System\XzCpdhp.exe
  2⤵
  PID:5876
- C:\Windows\System\FNeeLxR.exe
  C:\Windows\System\FNeeLxR.exe
  2⤵
  PID:5908
- C:\Windows\System\sNbKAqQ.exe
  C:\Windows\System\sNbKAqQ.exe
  2⤵
  PID:5932
- C:\Windows\System\vErtQgM.exe
  C:\Windows\System\vErtQgM.exe
  2⤵
  PID:5960
- C:\Windows\System\bQtwEvU.exe
  C:\Windows\System\bQtwEvU.exe
  2⤵
  PID:5988
- C:\Windows\System\PZpjRgk.exe
  C:\Windows\System\PZpjRgk.exe
  2⤵
  PID:6016
- C:\Windows\System\zKlZVCs.exe
  C:\Windows\System\zKlZVCs.exe
  2⤵
  PID:6036
- C:\Windows\System\zsiwUIW.exe
  C:\Windows\System\zsiwUIW.exe
  2⤵
  PID:6064
- C:\Windows\System\rvdZvia.exe
  C:\Windows\System\rvdZvia.exe
  2⤵
  PID:6088
- C:\Windows\System\lvXvHcQ.exe
  C:\Windows\System\lvXvHcQ.exe
  2⤵
  PID:6116
- C:\Windows\System\BeqwDZs.exe
  C:\Windows\System\BeqwDZs.exe
  2⤵
  PID:3052
- C:\Windows\System\YUBWhSc.exe
  C:\Windows\System\YUBWhSc.exe
  2⤵
  PID:1736
- C:\Windows\System\MdhbYrQ.exe
  C:\Windows\System\MdhbYrQ.exe
  2⤵
  PID:2584
- C:\Windows\System\dLiXpvO.exe
  C:\Windows\System\dLiXpvO.exe
  2⤵
  PID:2112
- C:\Windows\System\DyTqgtp.exe
  C:\Windows\System\DyTqgtp.exe
  2⤵
  PID:5032
- C:\Windows\System\jNEysjg.exe
  C:\Windows\System\jNEysjg.exe
  2⤵
  PID:5172
- C:\Windows\System\wmMoTtp.exe
  C:\Windows\System\wmMoTtp.exe
  2⤵
  PID:5236
- C:\Windows\System\OqLfixz.exe
  C:\Windows\System\OqLfixz.exe
  2⤵
  PID:5292
- C:\Windows\System\qsoJOrP.exe
  C:\Windows\System\qsoJOrP.exe
  2⤵
  PID:5348
- C:\Windows\System\MsRXcBG.exe
  C:\Windows\System\MsRXcBG.exe
  2⤵
  PID:5408
- C:\Windows\System\AtXIpzi.exe
  C:\Windows\System\AtXIpzi.exe
  2⤵
  PID:5464
- C:\Windows\System\njBMUvm.exe
  C:\Windows\System\njBMUvm.exe
  2⤵
  PID:5540
- C:\Windows\System\ERaqAQV.exe
  C:\Windows\System\ERaqAQV.exe
  2⤵
  PID:5604
- C:\Windows\System\eSPoNBy.exe
  C:\Windows\System\eSPoNBy.exe
  2⤵
  PID:5684
- C:\Windows\System\vnbNecN.exe
  C:\Windows\System\vnbNecN.exe
  2⤵
  PID:4432
- C:\Windows\System\vyLELfy.exe
  C:\Windows\System\vyLELfy.exe
  2⤵
  PID:5792
- C:\Windows\System\KCPCelp.exe
  C:\Windows\System\KCPCelp.exe
  2⤵
  PID:5844
- C:\Windows\System\ExmSYyq.exe
  C:\Windows\System\ExmSYyq.exe
  2⤵
  PID:1956
- C:\Windows\System\JEPMOsj.exe
  C:\Windows\System\JEPMOsj.exe
  2⤵
  PID:5956
- C:\Windows\System\SILkDRM.exe
  C:\Windows\System\SILkDRM.exe
  2⤵
  PID:6028
- C:\Windows\System\zovQxWI.exe
  C:\Windows\System\zovQxWI.exe
  2⤵
  PID:6084
- C:\Windows\System\MyHIdUw.exe
  C:\Windows\System\MyHIdUw.exe
  2⤵
  PID:1340
- C:\Windows\System\fRuwfko.exe
  C:\Windows\System\fRuwfko.exe
  2⤵
  PID:2748
- C:\Windows\System\zzHdfAn.exe
  C:\Windows\System\zzHdfAn.exe
  2⤵
  PID:5148
- C:\Windows\System\tQVtaMp.exe
  C:\Windows\System\tQVtaMp.exe
  2⤵
  PID:5288
- C:\Windows\System\iJEfNJY.exe
  C:\Windows\System\iJEfNJY.exe
  2⤵
  PID:1732
- C:\Windows\System\Ujoadma.exe
  C:\Windows\System\Ujoadma.exe
  2⤵
  PID:5520
- C:\Windows\System\XwvdScz.exe
  C:\Windows\System\XwvdScz.exe
  2⤵
  PID:5656
- C:\Windows\System\xYXmfFP.exe
  C:\Windows\System\xYXmfFP.exe
  2⤵
  PID:5768
- C:\Windows\System\PHhZWQi.exe
  C:\Windows\System\PHhZWQi.exe
  2⤵
  PID:5896
- C:\Windows\System\iNullud.exe
  C:\Windows\System\iNullud.exe
  2⤵
  PID:6004
- C:\Windows\System\LFsWfef.exe
  C:\Windows\System\LFsWfef.exe
  2⤵
  PID:6136
- C:\Windows\System\NifdAKL.exe
  C:\Windows\System\NifdAKL.exe
  2⤵
  PID:5216
- C:\Windows\System\ecOUdTn.exe
  C:\Windows\System\ecOUdTn.exe
  2⤵
  PID:6164
- C:\Windows\System\zuJDbRa.exe
  C:\Windows\System\zuJDbRa.exe
  2⤵
  PID:6192
- C:\Windows\System\KFUxUvb.exe
  C:\Windows\System\KFUxUvb.exe
  2⤵
  PID:6216
- C:\Windows\System\cDnEuLH.exe
  C:\Windows\System\cDnEuLH.exe
  2⤵
  PID:6248
- C:\Windows\System\nGmyqrn.exe
  C:\Windows\System\nGmyqrn.exe
  2⤵
  PID:6276
- C:\Windows\System\ZkpOVHt.exe
  C:\Windows\System\ZkpOVHt.exe
  2⤵
  PID:6304
- C:\Windows\System\DSqtfML.exe
  C:\Windows\System\DSqtfML.exe
  2⤵
  PID:6336
- C:\Windows\System\DmdCWtX.exe
  C:\Windows\System\DmdCWtX.exe
  2⤵
  PID:6360
- C:\Windows\System\hyhIYkp.exe
  C:\Windows\System\hyhIYkp.exe
  2⤵
  PID:6388
- C:\Windows\System\ueCcBVk.exe
  C:\Windows\System\ueCcBVk.exe
  2⤵
  PID:6416
- C:\Windows\System\MzlBtCT.exe
  C:\Windows\System\MzlBtCT.exe
  2⤵
  PID:6444
- C:\Windows\System\ZFIDcFc.exe
  C:\Windows\System\ZFIDcFc.exe
  2⤵
  PID:6472
- C:\Windows\System\ZjbbZHI.exe
  C:\Windows\System\ZjbbZHI.exe
  2⤵
  PID:6500
- C:\Windows\System\ssvfEQz.exe
  C:\Windows\System\ssvfEQz.exe
  2⤵
  PID:6528
- C:\Windows\System\JoHvkjA.exe
  C:\Windows\System\JoHvkjA.exe
  2⤵
  PID:6556
- C:\Windows\System\PeafxEH.exe
  C:\Windows\System\PeafxEH.exe
  2⤵
  PID:6584
- C:\Windows\System\rhptMsU.exe
  C:\Windows\System\rhptMsU.exe
  2⤵
  PID:6612
- C:\Windows\System\PStSuGY.exe
  C:\Windows\System\PStSuGY.exe
  2⤵
  PID:6640
- C:\Windows\System\WPiGQbi.exe
  C:\Windows\System\WPiGQbi.exe
  2⤵
  PID:6668
- C:\Windows\System\hyppOLF.exe
  C:\Windows\System\hyppOLF.exe
  2⤵
  PID:6696
- C:\Windows\System\VQchGzj.exe
  C:\Windows\System\VQchGzj.exe
  2⤵
  PID:6724
- C:\Windows\System\qNZaRNn.exe
  C:\Windows\System\qNZaRNn.exe
  2⤵
  PID:6752
- C:\Windows\System\ttpiHfy.exe
  C:\Windows\System\ttpiHfy.exe
  2⤵
  PID:6776
- C:\Windows\System\NkNhwqP.exe
  C:\Windows\System\NkNhwqP.exe
  2⤵
  PID:6808
- C:\Windows\System\EYNblDC.exe
  C:\Windows\System\EYNblDC.exe
  2⤵
  PID:6836
- C:\Windows\System\MCYkeXw.exe
  C:\Windows\System\MCYkeXw.exe
  2⤵
  PID:6864
- C:\Windows\System\zqqavKX.exe
  C:\Windows\System\zqqavKX.exe
  2⤵
  PID:6892
- C:\Windows\System\tokpDgt.exe
  C:\Windows\System\tokpDgt.exe
  2⤵
  PID:6916
- C:\Windows\System\AAmZWlR.exe
  C:\Windows\System\AAmZWlR.exe
  2⤵
  PID:6948
- C:\Windows\System\ixVxMXW.exe
  C:\Windows\System\ixVxMXW.exe
  2⤵
  PID:6976
- C:\Windows\System\mQPqnxE.exe
  C:\Windows\System\mQPqnxE.exe
  2⤵
  PID:7004
- C:\Windows\System\wJrFMWG.exe
  C:\Windows\System\wJrFMWG.exe
  2⤵
  PID:7032
- C:\Windows\System\WfizEcK.exe
  C:\Windows\System\WfizEcK.exe
  2⤵
  PID:7060
- C:\Windows\System\KXWIqXm.exe
  C:\Windows\System\KXWIqXm.exe
  2⤵
  PID:7088
- C:\Windows\System\evwUHRm.exe
  C:\Windows\System\evwUHRm.exe
  2⤵
  PID:7116
- C:\Windows\System\SBxkilp.exe
  C:\Windows\System\SBxkilp.exe
  2⤵
  PID:7144
- C:\Windows\System\hwtwJHU.exe
  C:\Windows\System\hwtwJHU.exe
  2⤵
  PID:5384
- C:\Windows\System\UQIkQrZ.exe
  C:\Windows\System\UQIkQrZ.exe
  2⤵
  PID:4468
- C:\Windows\System\rIfCnwX.exe
  C:\Windows\System\rIfCnwX.exe
  2⤵
  PID:3648
- C:\Windows\System\RXSzhNL.exe
  C:\Windows\System\RXSzhNL.exe
  2⤵
  PID:6152
- C:\Windows\System\ztzWjHU.exe
  C:\Windows\System\ztzWjHU.exe
  2⤵
  PID:6204
- C:\Windows\System\hYOevnX.exe
  C:\Windows\System\hYOevnX.exe
  2⤵
  PID:4588
- C:\Windows\System\TQYzvrs.exe
  C:\Windows\System\TQYzvrs.exe
  2⤵
  PID:6296
- C:\Windows\System\zLjroVt.exe
  C:\Windows\System\zLjroVt.exe
  2⤵
  PID:6352
- C:\Windows\System\wdkTQCj.exe
  C:\Windows\System\wdkTQCj.exe
  2⤵
  PID:1560
- C:\Windows\System\CuqOBkg.exe
  C:\Windows\System\CuqOBkg.exe
  2⤵
  PID:6456
- C:\Windows\System\WOmXpxN.exe
  C:\Windows\System\WOmXpxN.exe
  2⤵
  PID:6492
- C:\Windows\System\HgPyaIv.exe
  C:\Windows\System\HgPyaIv.exe
  2⤵
  PID:6572
- C:\Windows\System\nlqYdgT.exe
  C:\Windows\System\nlqYdgT.exe
  2⤵
  PID:6624
- C:\Windows\System\wcisNVM.exe
  C:\Windows\System\wcisNVM.exe
  2⤵
  PID:6680
- C:\Windows\System\YcEyLiA.exe
  C:\Windows\System\YcEyLiA.exe
  2⤵
  PID:6792
- C:\Windows\System\ymDtLNP.exe
  C:\Windows\System\ymDtLNP.exe
  2⤵
  PID:6820
- C:\Windows\System\ZuAXmwC.exe
  C:\Windows\System\ZuAXmwC.exe
  2⤵
  PID:6876
- C:\Windows\System\MstCSHc.exe
  C:\Windows\System\MstCSHc.exe
  2⤵
  PID:6912
- C:\Windows\System\ycDIfmb.exe
  C:\Windows\System\ycDIfmb.exe
  2⤵
  PID:6960
- C:\Windows\System\xRpJHTz.exe
  C:\Windows\System\xRpJHTz.exe
  2⤵
  PID:1464
- C:\Windows\System\qZfacpV.exe
  C:\Windows\System\qZfacpV.exe
  2⤵
  PID:7016
- C:\Windows\System\WGXLJLm.exe
  C:\Windows\System\WGXLJLm.exe
  2⤵
  PID:3788
- C:\Windows\System\xrKBUkl.exe
  C:\Windows\System\xrKBUkl.exe
  2⤵
  PID:7072
- C:\Windows\System\vBpOePn.exe
  C:\Windows\System\vBpOePn.exe
  2⤵
  PID:7128
- C:\Windows\System\TJyYUoP.exe
  C:\Windows\System\TJyYUoP.exe
  2⤵
  PID:2956
- C:\Windows\System\dCRJHXd.exe
  C:\Windows\System\dCRJHXd.exe
  2⤵
  PID:7164
- C:\Windows\System\KxkxMon.exe
  C:\Windows\System\KxkxMon.exe
  2⤵
  PID:5492
- C:\Windows\System\mhkiHpK.exe
  C:\Windows\System\mhkiHpK.exe
  2⤵
  PID:3140
- C:\Windows\System\MOeAVmQ.exe
  C:\Windows\System\MOeAVmQ.exe
  2⤵
  PID:2108
- C:\Windows\System\RSMfhhf.exe
  C:\Windows\System\RSMfhhf.exe
  2⤵
  PID:6400
- C:\Windows\System\zkRKXZL.exe
  C:\Windows\System\zkRKXZL.exe
  2⤵
  PID:3024
- C:\Windows\System\hviMPeq.exe
  C:\Windows\System\hviMPeq.exe
  2⤵
  PID:4164
- C:\Windows\System\eBecxAc.exe
  C:\Windows\System\eBecxAc.exe
  2⤵
  PID:6540
- C:\Windows\System\vwCkdnr.exe
  C:\Windows\System\vwCkdnr.exe
  2⤵
  PID:4456
- C:\Windows\System\HOIaxiG.exe
  C:\Windows\System\HOIaxiG.exe
  2⤵
  PID:4860
- C:\Windows\System\hbBryDG.exe
  C:\Windows\System\hbBryDG.exe
  2⤵
  PID:1212
- C:\Windows\System\eFzdDtl.exe
  C:\Windows\System\eFzdDtl.exe
  2⤵
  PID:884
- C:\Windows\System\EVteJxh.exe
  C:\Windows\System\EVteJxh.exe
  2⤵
  PID:6908
- C:\Windows\System\WRJteAP.exe
  C:\Windows\System\WRJteAP.exe
  2⤵
  PID:6936
- C:\Windows\System\dxsvNSQ.exe
  C:\Windows\System\dxsvNSQ.exe
  2⤵
  PID:7024
- C:\Windows\System\SUiNIcc.exe
  C:\Windows\System\SUiNIcc.exe
  2⤵
  PID:2220
- C:\Windows\System\bmMfdAB.exe
  C:\Windows\System\bmMfdAB.exe
  2⤵
  PID:7104
- C:\Windows\System\hbmjwab.exe
  C:\Windows\System\hbmjwab.exe
  2⤵
  PID:6184
- C:\Windows\System\BwinrYN.exe
  C:\Windows\System\BwinrYN.exe
  2⤵
  PID:6344
- C:\Windows\System\uMLyCSI.exe
  C:\Windows\System\uMLyCSI.exe
  2⤵
  PID:6520
- C:\Windows\System\NMSJlJP.exe
  C:\Windows\System\NMSJlJP.exe
  2⤵
  PID:2272
- C:\Windows\System\supXBcV.exe
  C:\Windows\System\supXBcV.exe
  2⤵
  PID:4604
- C:\Windows\System\vVBMMjW.exe
  C:\Windows\System\vVBMMjW.exe
  2⤵
  PID:7052
- C:\Windows\System\ccNJmkG.exe
  C:\Windows\System\ccNJmkG.exe
  2⤵
  PID:2788
- C:\Windows\System\yexBnZN.exe
  C:\Windows\System\yexBnZN.exe
  2⤵
  PID:6484
- C:\Windows\System\YxHwwgl.exe
  C:\Windows\System\YxHwwgl.exe
  2⤵
  PID:6712
- C:\Windows\System\YbLIxAc.exe
  C:\Windows\System\YbLIxAc.exe
  2⤵
  PID:116
- C:\Windows\System\mWVkkBY.exe
  C:\Windows\System\mWVkkBY.exe
  2⤵
  PID:7184
- C:\Windows\System\nlqegZx.exe
  C:\Windows\System\nlqegZx.exe
  2⤵
  PID:7220
- C:\Windows\System\LuBMUQn.exe
  C:\Windows\System\LuBMUQn.exe
  2⤵
  PID:7240
- C:\Windows\System\wvtgYaK.exe
  C:\Windows\System\wvtgYaK.exe
  2⤵
  PID:7292
- C:\Windows\System\gRhXxst.exe
  C:\Windows\System\gRhXxst.exe
  2⤵
  PID:7316
- C:\Windows\System\cyqJQwd.exe
  C:\Windows\System\cyqJQwd.exe
  2⤵
  PID:7344
- C:\Windows\System\WZrXHcF.exe
  C:\Windows\System\WZrXHcF.exe
  2⤵
  PID:7368
- C:\Windows\System\yQYvCJa.exe
  C:\Windows\System\yQYvCJa.exe
  2⤵
  PID:7400
- C:\Windows\System\AYFnJPD.exe
  C:\Windows\System\AYFnJPD.exe
  2⤵
  PID:7420
- C:\Windows\System\XVbLUlF.exe
  C:\Windows\System\XVbLUlF.exe
  2⤵
  PID:7476
- C:\Windows\System\kpgkEWe.exe
  C:\Windows\System\kpgkEWe.exe
  2⤵
  PID:7500
- C:\Windows\System\GCRUCaV.exe
  C:\Windows\System\GCRUCaV.exe
  2⤵
  PID:7516
- C:\Windows\System\tntKrOa.exe
  C:\Windows\System\tntKrOa.exe
  2⤵
  PID:7540
- C:\Windows\System\cgmIoGJ.exe
  C:\Windows\System\cgmIoGJ.exe
  2⤵
  PID:7572
- C:\Windows\System\CKHKZBY.exe
  C:\Windows\System\CKHKZBY.exe
  2⤵
  PID:7592
- C:\Windows\System\PqPLliE.exe
  C:\Windows\System\PqPLliE.exe
  2⤵
  PID:7620
- C:\Windows\System\nBmhEKW.exe
  C:\Windows\System\nBmhEKW.exe
  2⤵
  PID:7656
- C:\Windows\System\sMWhpcW.exe
  C:\Windows\System\sMWhpcW.exe
  2⤵
  PID:7672
- C:\Windows\System\jrskErF.exe
  C:\Windows\System\jrskErF.exe
  2⤵
  PID:7692
- C:\Windows\System\nTOrTSQ.exe
  C:\Windows\System\nTOrTSQ.exe
  2⤵
  PID:7716
- C:\Windows\System\cMZYwta.exe
  C:\Windows\System\cMZYwta.exe
  2⤵
  PID:7772
- C:\Windows\System\qXanbkP.exe
  C:\Windows\System\qXanbkP.exe
  2⤵
  PID:7796
- C:\Windows\System\rJdPHWG.exe
  C:\Windows\System\rJdPHWG.exe
  2⤵
  PID:7812
- C:\Windows\System\TqzzFhi.exe
  C:\Windows\System\TqzzFhi.exe
  2⤵
  PID:7864
- C:\Windows\System\mmbBoKz.exe
  C:\Windows\System\mmbBoKz.exe
  2⤵
  PID:7904
- C:\Windows\System\tYcxEDu.exe
  C:\Windows\System\tYcxEDu.exe
  2⤵
  PID:7920
- C:\Windows\System\bGCvBCb.exe
  C:\Windows\System\bGCvBCb.exe
  2⤵
  PID:7940
- C:\Windows\System\eKUGILB.exe
  C:\Windows\System\eKUGILB.exe
  2⤵
  PID:7972
- C:\Windows\System\JyurkWB.exe
  C:\Windows\System\JyurkWB.exe
  2⤵
  PID:7988
- C:\Windows\System\bGmcwBY.exe
  C:\Windows\System\bGmcwBY.exe
  2⤵
  PID:8004
- C:\Windows\System\IuPUwip.exe
  C:\Windows\System\IuPUwip.exe
  2⤵
  PID:8040
- C:\Windows\System\fqhXAsv.exe
  C:\Windows\System\fqhXAsv.exe
  2⤵
  PID:8068
- C:\Windows\System\iZLcjKA.exe
  C:\Windows\System\iZLcjKA.exe
  2⤵
  PID:8116
- C:\Windows\System\LptdWlY.exe
  C:\Windows\System\LptdWlY.exe
  2⤵
  PID:8132
- C:\Windows\System\jHiRvge.exe
  C:\Windows\System\jHiRvge.exe
  2⤵
  PID:8152
- C:\Windows\System\jbYAsxI.exe
  C:\Windows\System\jbYAsxI.exe
  2⤵
  PID:8176
- C:\Windows\System\OkHtviH.exe
  C:\Windows\System\OkHtviH.exe
  2⤵
  PID:7212
- C:\Windows\System\IVZwRYI.exe
  C:\Windows\System\IVZwRYI.exe
  2⤵
  PID:7280
- C:\Windows\System\zqbqvkp.exe
  C:\Windows\System\zqbqvkp.exe
  2⤵
  PID:7332
- C:\Windows\System\tMlMXxb.exe
  C:\Windows\System\tMlMXxb.exe
  2⤵
  PID:7464
- C:\Windows\System\OyTjoYJ.exe
  C:\Windows\System\OyTjoYJ.exe
  2⤵
  PID:7484
- C:\Windows\System\puOgryl.exe
  C:\Windows\System\puOgryl.exe
  2⤵
  PID:7568
- C:\Windows\System\pFgyRKr.exe
  C:\Windows\System\pFgyRKr.exe
  2⤵
  PID:7640
- C:\Windows\System\EVmaSBM.exe
  C:\Windows\System\EVmaSBM.exe
  2⤵
  PID:7704
- C:\Windows\System\MUqDpIr.exe
  C:\Windows\System\MUqDpIr.exe
  2⤵
  PID:7736
- C:\Windows\System\RFspAPZ.exe
  C:\Windows\System\RFspAPZ.exe
  2⤵
  PID:7788
- C:\Windows\System\aGtcEya.exe
  C:\Windows\System\aGtcEya.exe
  2⤵
  PID:7848
- C:\Windows\System\iAJNqmS.exe
  C:\Windows\System\iAJNqmS.exe
  2⤵
  PID:7888
- C:\Windows\System\VhnZABx.exe
  C:\Windows\System\VhnZABx.exe
  2⤵
  PID:7964
- C:\Windows\System\UlAZijR.exe
  C:\Windows\System\UlAZijR.exe
  2⤵
  PID:8048
- C:\Windows\System\JFicTyy.exe
  C:\Windows\System\JFicTyy.exe
  2⤵
  PID:8144
- C:\Windows\System\WUinVMj.exe
  C:\Windows\System\WUinVMj.exe
  2⤵
  PID:7192
- C:\Windows\System\ugJwpyW.exe
  C:\Windows\System\ugJwpyW.exe
  2⤵
  PID:7308
- C:\Windows\System\DGLrTMM.exe
  C:\Windows\System\DGLrTMM.exe
  2⤵
  PID:7364
- C:\Windows\System\UHsHRIM.exe
  C:\Windows\System\UHsHRIM.exe
  2⤵
  PID:7668
- C:\Windows\System\ROCpxiq.exe
  C:\Windows\System\ROCpxiq.exe
  2⤵
  PID:7804
- C:\Windows\System\qAvnrjA.exe
  C:\Windows\System\qAvnrjA.exe
  2⤵
  PID:7884
- C:\Windows\System\WSSAVzk.exe
  C:\Windows\System\WSSAVzk.exe
  2⤵
  PID:8076
- C:\Windows\System\YUSoUto.exe
  C:\Windows\System\YUSoUto.exe
  2⤵
  PID:8172
- C:\Windows\System\pCDmEAJ.exe
  C:\Windows\System\pCDmEAJ.exe
  2⤵
  PID:7412
- C:\Windows\System\VEOFWXm.exe
  C:\Windows\System\VEOFWXm.exe
  2⤵
  PID:7760
- C:\Windows\System\rFPxxZv.exe
  C:\Windows\System\rFPxxZv.exe
  2⤵
  PID:7228
- C:\Windows\System\NNUSJjS.exe
  C:\Windows\System\NNUSJjS.exe
  2⤵
  PID:8200
- C:\Windows\System\aiscjkG.exe
  C:\Windows\System\aiscjkG.exe
  2⤵
  PID:8228
- C:\Windows\System\duuwRQB.exe
  C:\Windows\System\duuwRQB.exe
  2⤵
  PID:8280
- C:\Windows\System\lYgcjZk.exe
  C:\Windows\System\lYgcjZk.exe
  2⤵
  PID:8320
- C:\Windows\System\zvuIHGy.exe
  C:\Windows\System\zvuIHGy.exe
  2⤵
  PID:8340
- C:\Windows\System\cwjbbwW.exe
  C:\Windows\System\cwjbbwW.exe
  2⤵
  PID:8364
- C:\Windows\System\aWsKAhs.exe
  C:\Windows\System\aWsKAhs.exe
  2⤵
  PID:8404
- C:\Windows\System\UgyEWJY.exe
  C:\Windows\System\UgyEWJY.exe
  2⤵
  PID:8428
- C:\Windows\System\spOIMlv.exe
  C:\Windows\System\spOIMlv.exe
  2⤵
  PID:8452
- C:\Windows\System\CAtFwzM.exe
  C:\Windows\System\CAtFwzM.exe
  2⤵
  PID:8488
- C:\Windows\System\XrJKVuP.exe
  C:\Windows\System\XrJKVuP.exe
  2⤵
  PID:8512
- C:\Windows\System\yLjXCuC.exe
  C:\Windows\System\yLjXCuC.exe
  2⤵
  PID:8532
- C:\Windows\System\jlZYTIq.exe
  C:\Windows\System\jlZYTIq.exe
  2⤵
  PID:8556
- C:\Windows\System\WZyggrl.exe
  C:\Windows\System\WZyggrl.exe
  2⤵
  PID:8604
- C:\Windows\System\PrJKFqW.exe
  C:\Windows\System\PrJKFqW.exe
  2⤵
  PID:8620
- C:\Windows\System\gztjGcU.exe
  C:\Windows\System\gztjGcU.exe
  2⤵
  PID:8656
- C:\Windows\System\koLDEBj.exe
  C:\Windows\System\koLDEBj.exe
  2⤵
  PID:8680
- C:\Windows\System\DJpnaYv.exe
  C:\Windows\System\DJpnaYv.exe
  2⤵
  PID:8708
- C:\Windows\System\wmybxsX.exe
  C:\Windows\System\wmybxsX.exe
  2⤵
  PID:8732
- C:\Windows\System\lURgwrO.exe
  C:\Windows\System\lURgwrO.exe
  2⤵
  PID:8760
- C:\Windows\System\conhoDK.exe
  C:\Windows\System\conhoDK.exe
  2⤵
  PID:8788
- C:\Windows\System\IBXCorY.exe
  C:\Windows\System\IBXCorY.exe
  2⤵
  PID:8804
- C:\Windows\System\bWCudnb.exe
  C:\Windows\System\bWCudnb.exe
  2⤵
  PID:8824
- C:\Windows\System\LykGLAp.exe
  C:\Windows\System\LykGLAp.exe
  2⤵
  PID:8844
- C:\Windows\System\nZjrWoA.exe
  C:\Windows\System\nZjrWoA.exe
  2⤵
  PID:8868
- C:\Windows\System\lILRyAE.exe
  C:\Windows\System\lILRyAE.exe
  2⤵
  PID:8900
- C:\Windows\System\WKRJGTO.exe
  C:\Windows\System\WKRJGTO.exe
  2⤵
  PID:8916
- C:\Windows\System\dwincwN.exe
  C:\Windows\System\dwincwN.exe
  2⤵
  PID:8936
- C:\Windows\System\HTWHufJ.exe
  C:\Windows\System\HTWHufJ.exe
  2⤵
  PID:8972
- C:\Windows\System\XNXWTGD.exe
  C:\Windows\System\XNXWTGD.exe
  2⤵
  PID:9032
- C:\Windows\System\bCeACyO.exe
  C:\Windows\System\bCeACyO.exe
  2⤵
  PID:9068
- C:\Windows\System\SqlApXD.exe
  C:\Windows\System\SqlApXD.exe
  2⤵
  PID:9096
- C:\Windows\System\JsLeCok.exe
  C:\Windows\System\JsLeCok.exe
  2⤵
  PID:9116
- C:\Windows\System\YTketXA.exe
  C:\Windows\System\YTketXA.exe
  2⤵
  PID:9136
- C:\Windows\System\DmVKofQ.exe
  C:\Windows\System\DmVKofQ.exe
  2⤵
  PID:9156
- C:\Windows\System\KnjcbuM.exe
  C:\Windows\System\KnjcbuM.exe
  2⤵
  PID:9176
- C:\Windows\System\KarriVH.exe
  C:\Windows\System\KarriVH.exe
  2⤵
  PID:9204
- C:\Windows\System\nMVqtrI.exe
  C:\Windows\System\nMVqtrI.exe
  2⤵
  PID:7548
- C:\Windows\System\sHbfnyQ.exe
  C:\Windows\System\sHbfnyQ.exe
  2⤵
  PID:7984
- C:\Windows\System\crnDsFP.exe
  C:\Windows\System\crnDsFP.exe
  2⤵
  PID:8268
- C:\Windows\System\anqEOys.exe
  C:\Windows\System\anqEOys.exe
  2⤵
  PID:8420
- C:\Windows\System\OPJnAsm.exe
  C:\Windows\System\OPJnAsm.exe
  2⤵
  PID:8480
- C:\Windows\System\SFOmFfa.exe
  C:\Windows\System\SFOmFfa.exe
  2⤵
  PID:8648
- C:\Windows\System\zicXiRd.exe
  C:\Windows\System\zicXiRd.exe
  2⤵
  PID:8668
- C:\Windows\System\kwARecD.exe
  C:\Windows\System\kwARecD.exe
  2⤵
  PID:8740
- C:\Windows\System\GBtsMEa.exe
  C:\Windows\System\GBtsMEa.exe
  2⤵
  PID:8724
- C:\Windows\System\QDuDmlT.exe
  C:\Windows\System\QDuDmlT.exe
  2⤵
  PID:8800
- C:\Windows\System\YFABRoy.exe
  C:\Windows\System\YFABRoy.exe
  2⤵
  PID:8816
- C:\Windows\System\ryjYDxs.exe
  C:\Windows\System\ryjYDxs.exe
  2⤵
  PID:8944
- C:\Windows\System\WREYjMj.exe
  C:\Windows\System\WREYjMj.exe
  2⤵
  PID:9024
- C:\Windows\System\IYkhzaA.exe
  C:\Windows\System\IYkhzaA.exe
  2⤵
  PID:9124
- C:\Windows\System\XhHujcu.exe
  C:\Windows\System\XhHujcu.exe
  2⤵
  PID:9112
- C:\Windows\System\kLhaakh.exe
  C:\Windows\System\kLhaakh.exe
  2⤵
  PID:8212
- C:\Windows\System\PddFjFW.exe
  C:\Windows\System\PddFjFW.exe
  2⤵
  PID:8348
- C:\Windows\System\gKEwCnZ.exe
  C:\Windows\System\gKEwCnZ.exe
  2⤵
  PID:8316
- C:\Windows\System\sAAmJsG.exe
  C:\Windows\System\sAAmJsG.exe
  2⤵
  PID:8360
- C:\Windows\System\lbCMaHn.exe
  C:\Windows\System\lbCMaHn.exe
  2⤵
  PID:8472
- C:\Windows\System\dAtHgmc.exe
  C:\Windows\System\dAtHgmc.exe
  2⤵
  PID:8880
- C:\Windows\System\KXNuCND.exe
  C:\Windows\System\KXNuCND.exe
  2⤵
  PID:9004
- C:\Windows\System\GIWhVza.exe
  C:\Windows\System\GIWhVza.exe
  2⤵
  PID:9212
- C:\Windows\System\IkRAKyL.exe
  C:\Windows\System\IkRAKyL.exe
  2⤵
  PID:8224
- C:\Windows\System\ISboelF.exe
  C:\Windows\System\ISboelF.exe
  2⤵
  PID:9076
- C:\Windows\System\wsrfGIw.exe
  C:\Windows\System\wsrfGIw.exe
  2⤵
  PID:8860
- C:\Windows\System\Qmyfdys.exe
  C:\Windows\System\Qmyfdys.exe
  2⤵
  PID:8444
- C:\Windows\System\pZGCbww.exe
  C:\Windows\System\pZGCbww.exe
  2⤵
  PID:9224
- C:\Windows\System\WxdSVyG.exe
  C:\Windows\System\WxdSVyG.exe
  2⤵
  PID:9248
- C:\Windows\System\UsBnBnT.exe
  C:\Windows\System\UsBnBnT.exe
  2⤵
  PID:9280
- C:\Windows\System\NHdMmXc.exe
  C:\Windows\System\NHdMmXc.exe
  2⤵
  PID:9324
- C:\Windows\System\lLBwJIQ.exe
  C:\Windows\System\lLBwJIQ.exe
  2⤵
  PID:9372
- C:\Windows\System\ckCgNKK.exe
  C:\Windows\System\ckCgNKK.exe
  2⤵
  PID:9388
- C:\Windows\System\rfebwIX.exe
  C:\Windows\System\rfebwIX.exe
  2⤵
  PID:9412
- C:\Windows\System\Ytbubvv.exe
  C:\Windows\System\Ytbubvv.exe
  2⤵
  PID:9436
- C:\Windows\System\paZHZQr.exe
  C:\Windows\System\paZHZQr.exe
  2⤵
  PID:9460
- C:\Windows\System\pTdlvvw.exe
  C:\Windows\System\pTdlvvw.exe
  2⤵
  PID:9484
- C:\Windows\System\WoGgsBY.exe
  C:\Windows\System\WoGgsBY.exe
  2⤵
  PID:9500
- C:\Windows\System\AmPkekh.exe
  C:\Windows\System\AmPkekh.exe
  2⤵
  PID:9608
- C:\Windows\System\SXYKNKB.exe
  C:\Windows\System\SXYKNKB.exe
  2⤵
  PID:9644
- C:\Windows\System\gKZQlsF.exe
  C:\Windows\System\gKZQlsF.exe
  2⤵
  PID:9660
- C:\Windows\System\VuJnApT.exe
  C:\Windows\System\VuJnApT.exe
  2⤵
  PID:9680
- C:\Windows\System\ufmxuST.exe
  C:\Windows\System\ufmxuST.exe
  2⤵
  PID:9736
- C:\Windows\System\MiONfaw.exe
  C:\Windows\System\MiONfaw.exe
  2⤵
  PID:9752
- C:\Windows\System\TFCdrlX.exe
  C:\Windows\System\TFCdrlX.exe
  2⤵
  PID:9772
- C:\Windows\System\ByAbcXw.exe
  C:\Windows\System\ByAbcXw.exe
  2⤵
  PID:9796
- C:\Windows\System\VsnNQVs.exe
  C:\Windows\System\VsnNQVs.exe
  2⤵
  PID:9844
- C:\Windows\System\xvbgmEi.exe
  C:\Windows\System\xvbgmEi.exe
  2⤵
  PID:9912
- C:\Windows\System\KhRQDQG.exe
  C:\Windows\System\KhRQDQG.exe
  2⤵
  PID:9944
- C:\Windows\System\IqKMmfh.exe
  C:\Windows\System\IqKMmfh.exe
  2⤵
  PID:9976
- C:\Windows\System\AvzBOUS.exe
  C:\Windows\System\AvzBOUS.exe
  2⤵
  PID:9992
- C:\Windows\System\RFRtupH.exe
  C:\Windows\System\RFRtupH.exe
  2⤵
  PID:10012
- C:\Windows\System\ZbWsPtD.exe
  C:\Windows\System\ZbWsPtD.exe
  2⤵
  PID:10028
- C:\Windows\System\rcdgCGG.exe
  C:\Windows\System\rcdgCGG.exe
  2⤵
  PID:10044
- C:\Windows\System\EcIqwDP.exe
  C:\Windows\System\EcIqwDP.exe
  2⤵
  PID:10068
- C:\Windows\System\bObudYM.exe
  C:\Windows\System\bObudYM.exe
  2⤵
  PID:10092
- C:\Windows\System\gCvBxxM.exe
  C:\Windows\System\gCvBxxM.exe
  2⤵
  PID:10156
- C:\Windows\System\gGvuSRZ.exe
  C:\Windows\System\gGvuSRZ.exe
  2⤵
  PID:10176
- C:\Windows\System\xMVgsGO.exe
  C:\Windows\System\xMVgsGO.exe
  2⤵
  PID:10200
- C:\Windows\System\YaicdMB.exe
  C:\Windows\System\YaicdMB.exe
  2⤵
  PID:8644
- C:\Windows\System\sYrKwwD.exe
  C:\Windows\System\sYrKwwD.exe
  2⤵
  PID:9240
- C:\Windows\System\QZBufPz.exe
  C:\Windows\System\QZBufPz.exe
  2⤵
  PID:9364
- C:\Windows\System\wywUxVd.exe
  C:\Windows\System\wywUxVd.exe
  2⤵
  PID:9448
- C:\Windows\System\OSHVDRP.exe
  C:\Windows\System\OSHVDRP.exe
  2⤵
  PID:9532
- C:\Windows\System\nWDzJFP.exe
  C:\Windows\System\nWDzJFP.exe
  2⤵
  PID:9564
- C:\Windows\System\QiEawcy.exe
  C:\Windows\System\QiEawcy.exe
  2⤵
  PID:9632
- C:\Windows\System\UaHgzme.exe
  C:\Windows\System\UaHgzme.exe
  2⤵
  PID:9672
- C:\Windows\System\VQpguSd.exe
  C:\Windows\System\VQpguSd.exe
  2⤵
  PID:9528
- C:\Windows\System\fPRoRwm.exe
  C:\Windows\System\fPRoRwm.exe
  2⤵
  PID:9580
- C:\Windows\System\BBGQaDK.exe
  C:\Windows\System\BBGQaDK.exe
  2⤵
  PID:9628
- C:\Windows\System\hquHmfP.exe
  C:\Windows\System\hquHmfP.exe
  2⤵
  PID:9788
- C:\Windows\System\seWHNuy.exe
  C:\Windows\System\seWHNuy.exe
  2⤵
  PID:9836
- C:\Windows\System\izNEkbH.exe
  C:\Windows\System\izNEkbH.exe
  2⤵
  PID:9960
- C:\Windows\System\HvxJLBl.exe
  C:\Windows\System\HvxJLBl.exe
  2⤵
  PID:9988
- C:\Windows\System\saStRAH.exe
  C:\Windows\System\saStRAH.exe
  2⤵
  PID:10084
- C:\Windows\System\TqYxyZv.exe
  C:\Windows\System\TqYxyZv.exe
  2⤵
  PID:10104
- C:\Windows\System\lnqldIG.exe
  C:\Windows\System\lnqldIG.exe
  2⤵
  PID:10192
- C:\Windows\System\rtHTWvf.exe
  C:\Windows\System\rtHTWvf.exe
  2⤵
  PID:9340
- C:\Windows\System\URNvlrY.exe
  C:\Windows\System\URNvlrY.exe
  2⤵
  PID:9424
- C:\Windows\System\kHWjESH.exe
  C:\Windows\System\kHWjESH.exe
  2⤵
  PID:9548
- C:\Windows\System\RVmjUOs.exe
  C:\Windows\System\RVmjUOs.exe
  2⤵
  PID:9652
- C:\Windows\System\pjuWfeS.exe
  C:\Windows\System\pjuWfeS.exe
  2⤵
  PID:9828
- C:\Windows\System\egaFNJP.exe
  C:\Windows\System\egaFNJP.exe
  2⤵
  PID:9728
- C:\Windows\System\xvwfEhw.exe
  C:\Windows\System\xvwfEhw.exe
  2⤵
  PID:10052
- C:\Windows\System\jHIjzMs.exe
  C:\Windows\System\jHIjzMs.exe
  2⤵
  PID:10076
- C:\Windows\System\zQrNHMC.exe
  C:\Windows\System\zQrNHMC.exe
  2⤵
  PID:8220
- C:\Windows\System\YPBPulC.exe
  C:\Windows\System\YPBPulC.exe
  2⤵
  PID:9476
- C:\Windows\System\odJTnjt.exe
  C:\Windows\System\odJTnjt.exe
  2⤵
  PID:9688
- C:\Windows\System\gAcwXWI.exe
  C:\Windows\System\gAcwXWI.exe
  2⤵
  PID:9524
- C:\Windows\System\fwPBIYT.exe
  C:\Windows\System\fwPBIYT.exe
  2⤵
  PID:10244
- C:\Windows\System\hZYcPnx.exe
  C:\Windows\System\hZYcPnx.exe
  2⤵
  PID:10264
- C:\Windows\System\fRvPeHM.exe
  C:\Windows\System\fRvPeHM.exe
  2⤵
  PID:10288
- C:\Windows\System\xEawfuQ.exe
  C:\Windows\System\xEawfuQ.exe
  2⤵
  PID:10336
- C:\Windows\System\sMJdYpv.exe
  C:\Windows\System\sMJdYpv.exe
  2⤵
  PID:10356
- C:\Windows\System\gujBuTi.exe
  C:\Windows\System\gujBuTi.exe
  2⤵
  PID:10384
- C:\Windows\System\Thdfdjn.exe
  C:\Windows\System\Thdfdjn.exe
  2⤵
  PID:10408
- C:\Windows\System\BGYVGIN.exe
  C:\Windows\System\BGYVGIN.exe
  2⤵
  PID:10464
- C:\Windows\System\mscgVCF.exe
  C:\Windows\System\mscgVCF.exe
  2⤵
  PID:10484
- C:\Windows\System\sLVibkm.exe
  C:\Windows\System\sLVibkm.exe
  2⤵
  PID:10508
- C:\Windows\System\BPvTspd.exe
  C:\Windows\System\BPvTspd.exe
  2⤵
  PID:10536
- C:\Windows\System\bDliXhR.exe
  C:\Windows\System\bDliXhR.exe
  2⤵
  PID:10560
- C:\Windows\System\yHeSWsg.exe
  C:\Windows\System\yHeSWsg.exe
  2⤵
  PID:10584
- C:\Windows\System\JMaWWNy.exe
  C:\Windows\System\JMaWWNy.exe
  2⤵
  PID:10616
- C:\Windows\System\CnBwtpM.exe
  C:\Windows\System\CnBwtpM.exe
  2⤵
  PID:10636
- C:\Windows\System\NVSutdo.exe
  C:\Windows\System\NVSutdo.exe
  2⤵
  PID:10656
- C:\Windows\System\Btcpnim.exe
  C:\Windows\System\Btcpnim.exe
  2⤵
  PID:10676
- C:\Windows\System\giAKOVW.exe
  C:\Windows\System\giAKOVW.exe
  2⤵
  PID:10700
- C:\Windows\System\zoVMrei.exe
  C:\Windows\System\zoVMrei.exe
  2⤵
  PID:10736
- C:\Windows\System\MsmoVQN.exe
  C:\Windows\System\MsmoVQN.exe
  2⤵
  PID:10756
- C:\Windows\System\DsszFSt.exe
  C:\Windows\System\DsszFSt.exe
  2⤵
  PID:10832
- C:\Windows\System\okNjktv.exe
  C:\Windows\System\okNjktv.exe
  2⤵
  PID:10860
- C:\Windows\System\XckjzYT.exe
  C:\Windows\System\XckjzYT.exe
  2⤵
  PID:10880
- C:\Windows\System\YTESWOV.exe
  C:\Windows\System\YTESWOV.exe
  2⤵
  PID:10908
- C:\Windows\System\RxyUcJl.exe
  C:\Windows\System\RxyUcJl.exe
  2⤵
  PID:10936
- C:\Windows\System\qiECnlQ.exe
  C:\Windows\System\qiECnlQ.exe
  2⤵
  PID:10960
- C:\Windows\System\vNbkajM.exe
  C:\Windows\System\vNbkajM.exe
  2⤵
  PID:10980
- C:\Windows\System\lBJctkn.exe
  C:\Windows\System\lBJctkn.exe
  2⤵
  PID:11016
- C:\Windows\System\EHPCRoI.exe
  C:\Windows\System\EHPCRoI.exe
  2⤵
  PID:11036
- C:\Windows\System\JgRDyVh.exe
  C:\Windows\System\JgRDyVh.exe
  2⤵
  PID:11076
- C:\Windows\System\IuadQKe.exe
  C:\Windows\System\IuadQKe.exe
  2⤵
  PID:11104
- C:\Windows\System\WoCDBMF.exe
  C:\Windows\System\WoCDBMF.exe
  2⤵
  PID:11124
- C:\Windows\System\QvXBxxp.exe
  C:\Windows\System\QvXBxxp.exe
  2⤵
  PID:11148
- C:\Windows\System\lwrruYE.exe
  C:\Windows\System\lwrruYE.exe
  2⤵
  PID:11164
- C:\Windows\System\SZsTwyg.exe
  C:\Windows\System\SZsTwyg.exe
  2⤵
  PID:11188
- C:\Windows\System\CZpPXsn.exe
  C:\Windows\System\CZpPXsn.exe
  2⤵
  PID:11236
- C:\Windows\System\uKOyNUx.exe
  C:\Windows\System\uKOyNUx.exe
  2⤵
  PID:10064
- C:\Windows\System\QatGzfg.exe
  C:\Windows\System\QatGzfg.exe
  2⤵
  PID:9704
- C:\Windows\System\WFoJjFH.exe
  C:\Windows\System\WFoJjFH.exe
  2⤵
  PID:10332
- C:\Windows\System\xHDQXQH.exe
  C:\Windows\System\xHDQXQH.exe
  2⤵
  PID:5004
- C:\Windows\System\PVfqpFv.exe
  C:\Windows\System\PVfqpFv.exe
  2⤵
  PID:10460
- C:\Windows\System\lYYdgUk.exe
  C:\Windows\System\lYYdgUk.exe
  2⤵
  PID:10516
- C:\Windows\System\VhgEecw.exe
  C:\Windows\System\VhgEecw.exe
  2⤵
  PID:10576
- C:\Windows\System\OGdRLzw.exe
  C:\Windows\System\OGdRLzw.exe
  2⤵
  PID:10628
- C:\Windows\System\uDRtQaC.exe
  C:\Windows\System\uDRtQaC.exe
  2⤵
  PID:10672
- C:\Windows\System\VLHbKva.exe
  C:\Windows\System\VLHbKva.exe
  2⤵
  PID:10752
- C:\Windows\System\IdJcuJp.exe
  C:\Windows\System\IdJcuJp.exe
  2⤵
  PID:10812
- C:\Windows\System\yLOMDiw.exe
  C:\Windows\System\yLOMDiw.exe
  2⤵
  PID:10932
- C:\Windows\System\EuMfNDV.exe
  C:\Windows\System\EuMfNDV.exe
  2⤵
  PID:11032
- C:\Windows\System\gKxXUJL.exe
  C:\Windows\System\gKxXUJL.exe
  2⤵
  PID:11068
- C:\Windows\System\Zaommss.exe
  C:\Windows\System\Zaommss.exe
  2⤵
  PID:11132
- C:\Windows\System\aAJuzdn.exe
  C:\Windows\System\aAJuzdn.exe
  2⤵
  PID:11244
- C:\Windows\System\XkgxeMK.exe
  C:\Windows\System\XkgxeMK.exe
  2⤵
  PID:11256
- C:\Windows\System\hRjKYHs.exe
  C:\Windows\System\hRjKYHs.exe
  2⤵
  PID:10324
- C:\Windows\System\wKRYcZt.exe
  C:\Windows\System\wKRYcZt.exe
  2⤵
  PID:10476
- C:\Windows\System\nyIEEgn.exe
  C:\Windows\System\nyIEEgn.exe
  2⤵
  PID:10608
- C:\Windows\System\AkDYFHx.exe
  C:\Windows\System\AkDYFHx.exe
  2⤵
  PID:10624
- C:\Windows\System\EaRCUVw.exe
  C:\Windows\System\EaRCUVw.exe
  2⤵
  PID:10872
- C:\Windows\System\LjlujNK.exe
  C:\Windows\System\LjlujNK.exe
  2⤵
  PID:11000
- C:\Windows\System\bOjwvBt.exe
  C:\Windows\System\bOjwvBt.exe
  2⤵
  PID:4444
- C:\Windows\System\VnsiESt.exe
  C:\Windows\System\VnsiESt.exe
  2⤵
  PID:10416
- C:\Windows\System\URgyLSg.exe
  C:\Windows\System\URgyLSg.exe
  2⤵
  PID:10600
- C:\Windows\System\qBDdjce.exe
  C:\Windows\System\qBDdjce.exe
  2⤵
  PID:10696
- C:\Windows\System\scnQXQn.exe
  C:\Windows\System\scnQXQn.exe
  2⤵
  PID:10728
- C:\Windows\System\MhrNixk.exe
  C:\Windows\System\MhrNixk.exe
  2⤵
  PID:10552
- C:\Windows\System\kWGspvp.exe
  C:\Windows\System\kWGspvp.exe
  2⤵
  PID:11300
- C:\Windows\System\wFzNaxC.exe
  C:\Windows\System\wFzNaxC.exe
  2⤵
  PID:11332
- C:\Windows\System\HUuEPBn.exe
  C:\Windows\System\HUuEPBn.exe
  2⤵
  PID:11352
- C:\Windows\System\cnXmGAw.exe
  C:\Windows\System\cnXmGAw.exe
  2⤵
  PID:11400
- C:\Windows\System\edkbLVu.exe
  C:\Windows\System\edkbLVu.exe
  2⤵
  PID:11432
- C:\Windows\System\tlreIpR.exe
  C:\Windows\System\tlreIpR.exe
  2⤵
  PID:11456
- C:\Windows\System\ryLYyDw.exe
  C:\Windows\System\ryLYyDw.exe
  2⤵
  PID:11480
- C:\Windows\System\gSeHaBw.exe
  C:\Windows\System\gSeHaBw.exe
  2⤵
  PID:11500
- C:\Windows\System\ZYNLFFg.exe
  C:\Windows\System\ZYNLFFg.exe
  2⤵
  PID:11552
- C:\Windows\System\HYeEWYx.exe
  C:\Windows\System\HYeEWYx.exe
  2⤵
  PID:11568
- C:\Windows\System\rycsLIn.exe
  C:\Windows\System\rycsLIn.exe
  2⤵
  PID:11592
- C:\Windows\System\jVTaqnL.exe
  C:\Windows\System\jVTaqnL.exe
  2⤵
  PID:11612
- C:\Windows\System\YWRKOQs.exe
  C:\Windows\System\YWRKOQs.exe
  2⤵
  PID:11636
- C:\Windows\System\GKvpYjX.exe
  C:\Windows\System\GKvpYjX.exe
  2⤵
  PID:11680
- C:\Windows\System\cmlvjWj.exe
  C:\Windows\System\cmlvjWj.exe
  2⤵
  PID:11708
- C:\Windows\System\DNPQINa.exe
  C:\Windows\System\DNPQINa.exe
  2⤵
  PID:11732
- C:\Windows\System\qLQacQM.exe
  C:\Windows\System\qLQacQM.exe
  2⤵
  PID:11768
- C:\Windows\System\FLnsswO.exe
  C:\Windows\System\FLnsswO.exe
  2⤵
  PID:11800
- C:\Windows\System\FXGonhx.exe
  C:\Windows\System\FXGonhx.exe
  2⤵
  PID:11828
- C:\Windows\System\ZQuTttx.exe
  C:\Windows\System\ZQuTttx.exe
  2⤵
  PID:11848
- C:\Windows\System\mkLztbE.exe
  C:\Windows\System\mkLztbE.exe
  2⤵
  PID:11876
- C:\Windows\System\CMLNrlT.exe
  C:\Windows\System\CMLNrlT.exe
  2⤵
  PID:11904
- C:\Windows\System\SYOmXDG.exe
  C:\Windows\System\SYOmXDG.exe
  2⤵
  PID:11928
- C:\Windows\System\DQGhXxn.exe
  C:\Windows\System\DQGhXxn.exe
  2⤵
  PID:11952
- C:\Windows\System\AjSLPdp.exe
  C:\Windows\System\AjSLPdp.exe
  2⤵
  PID:11976
- C:\Windows\System\epsdbYb.exe
  C:\Windows\System\epsdbYb.exe
  2⤵
  PID:12000
- C:\Windows\System\vInKDep.exe
  C:\Windows\System\vInKDep.exe
  2⤵
  PID:12020
- C:\Windows\System\apePDin.exe
  C:\Windows\System\apePDin.exe
  2⤵
  PID:12044
- C:\Windows\System\VxqIrcm.exe
  C:\Windows\System\VxqIrcm.exe
  2⤵
  PID:12068
- C:\Windows\System\xJTzkzf.exe
  C:\Windows\System\xJTzkzf.exe
  2⤵
  PID:12088
- C:\Windows\System\xtBAsoa.exe
  C:\Windows\System\xtBAsoa.exe
  2⤵
  PID:12108
- C:\Windows\System\yDPCKgb.exe
  C:\Windows\System\yDPCKgb.exe
  2⤵
  PID:12156
- C:\Windows\System\qDupfDS.exe
  C:\Windows\System\qDupfDS.exe
  2⤵
  PID:12180
- C:\Windows\System\GXTAPDE.exe
  C:\Windows\System\GXTAPDE.exe
  2⤵
  PID:12244
- C:\Windows\System\LjzGftJ.exe
  C:\Windows\System\LjzGftJ.exe
  2⤵
  PID:12268
- C:\Windows\System\tqpdqeL.exe
  C:\Windows\System\tqpdqeL.exe
  2⤵
  PID:11276
- C:\Windows\System\zxKguyk.exe
  C:\Windows\System\zxKguyk.exe
  2⤵
  PID:11316
- C:\Windows\System\rqyxhqX.exe
  C:\Windows\System\rqyxhqX.exe
  2⤵
  PID:11368
- C:\Windows\System\nWVTDKB.exe
  C:\Windows\System\nWVTDKB.exe
  2⤵
  PID:11444
- C:\Windows\System\oVPvGPZ.exe
  C:\Windows\System\oVPvGPZ.exe
  2⤵
  PID:11560
- C:\Windows\System\yorgnxu.exe
  C:\Windows\System\yorgnxu.exe
  2⤵
  PID:11620
- C:\Windows\System\BuSWXNU.exe
  C:\Windows\System\BuSWXNU.exe
  2⤵
  PID:11604
- C:\Windows\System\XmggmMv.exe
  C:\Windows\System\XmggmMv.exe
  2⤵
  PID:11716
- C:\Windows\System\PQQVelR.exe
  C:\Windows\System\PQQVelR.exe
  2⤵
  PID:11764
- C:\Windows\System\wzwlHpj.exe
  C:\Windows\System\wzwlHpj.exe
  2⤵
  PID:11900
- C:\Windows\System\YCCBHrH.exe
  C:\Windows\System\YCCBHrH.exe
  2⤵
  PID:11936
- C:\Windows\System\zKJnpSE.exe
  C:\Windows\System\zKJnpSE.exe
  2⤵
  PID:11984
- C:\Windows\System\oGrbLzW.exe
  C:\Windows\System\oGrbLzW.exe
  2⤵
  PID:12036
- C:\Windows\System\NYeFtaT.exe
  C:\Windows\System\NYeFtaT.exe
  2⤵
  PID:12084
- C:\Windows\System\WrNZrln.exe
  C:\Windows\System\WrNZrln.exe
  2⤵
  PID:12200
- C:\Windows\System\xyLJile.exe
  C:\Windows\System\xyLJile.exe
  2⤵
  PID:3704
- C:\Windows\System\oxulyxE.exe
  C:\Windows\System\oxulyxE.exe
  2⤵
  PID:4864
- C:\Windows\System\fhZOXqq.exe
  C:\Windows\System\fhZOXqq.exe
  2⤵
  PID:11292
- C:\Windows\System\pGYTrsL.exe
  C:\Windows\System\pGYTrsL.exe
  2⤵
  PID:11344
- C:\Windows\System\eNVYCJU.exe
  C:\Windows\System\eNVYCJU.exe
  2⤵
  PID:11540
- C:\Windows\System\qtVMkGR.exe
  C:\Windows\System\qtVMkGR.exe
  2⤵
  PID:11588
- C:\Windows\System\HWbuFud.exe
  C:\Windows\System\HWbuFud.exe
  2⤵
  PID:11868
- C:\Windows\System\crmbevh.exe
  C:\Windows\System\crmbevh.exe
  2⤵
  PID:11924
- C:\Windows\System\rsVScTs.exe
  C:\Windows\System\rsVScTs.exe
  2⤵
  PID:12140
- C:\Windows\System\PUiTToz.exe
  C:\Windows\System\PUiTToz.exe
  2⤵
  PID:10300
- C:\Windows\System\UgHuBUf.exe
  C:\Windows\System\UgHuBUf.exe
  2⤵
  PID:11296
- C:\Windows\System\DHimxCk.exe
  C:\Windows\System\DHimxCk.exe
  2⤵
  PID:11748
- C:\Windows\System\JVIWxtO.exe
  C:\Windows\System\JVIWxtO.exe
  2⤵
  PID:12080
- C:\Windows\System\DmmaUFT.exe
  C:\Windows\System\DmmaUFT.exe
  2⤵
  PID:11792
- C:\Windows\System\XqLohQt.exe
  C:\Windows\System\XqLohQt.exe
  2⤵
  PID:436
- C:\Windows\System\sWrImAp.exe
  C:\Windows\System\sWrImAp.exe
  2⤵
  PID:12296
- C:\Windows\System\LfuhXJg.exe
  C:\Windows\System\LfuhXJg.exe
  2⤵
  PID:12316
- C:\Windows\System\lsHTOkg.exe
  C:\Windows\System\lsHTOkg.exe
  2⤵
  PID:12344
- C:\Windows\System\HlMGcGH.exe
  C:\Windows\System\HlMGcGH.exe
  2⤵
  PID:12368
- C:\Windows\System\onqTmMq.exe
  C:\Windows\System\onqTmMq.exe
  2⤵
  PID:12408
- C:\Windows\System\dEfLLSj.exe
  C:\Windows\System\dEfLLSj.exe
  2⤵
  PID:12428
- C:\Windows\System\xvrrsnF.exe
  C:\Windows\System\xvrrsnF.exe
  2⤵
  PID:12468
- C:\Windows\System\DjfGyXZ.exe
  C:\Windows\System\DjfGyXZ.exe
  2⤵
  PID:12548
- C:\Windows\System\nRnmmWK.exe
  C:\Windows\System\nRnmmWK.exe
  2⤵
  PID:12592
- C:\Windows\System\eanXUjs.exe
  C:\Windows\System\eanXUjs.exe
  2⤵
  PID:12608
- C:\Windows\System\IVtGInj.exe
  C:\Windows\System\IVtGInj.exe
  2⤵
  PID:12628
- C:\Windows\System\ORMyThI.exe
  C:\Windows\System\ORMyThI.exe
  2⤵
  PID:12664
- C:\Windows\System\DGflClh.exe
  C:\Windows\System\DGflClh.exe
  2⤵
  PID:12756
- C:\Windows\System\vCdwwMt.exe
  C:\Windows\System\vCdwwMt.exe
  2⤵
  PID:12772
- C:\Windows\System\JhlgAel.exe
  C:\Windows\System\JhlgAel.exe
  2⤵
  PID:12792
- C:\Windows\System\VNWFgnC.exe
  C:\Windows\System\VNWFgnC.exe
  2⤵
  PID:12816
- C:\Windows\System\tpVCNMU.exe
  C:\Windows\System\tpVCNMU.exe
  2⤵
  PID:12832
- C:\Windows\System\AzeRfom.exe
  C:\Windows\System\AzeRfom.exe
  2⤵
  PID:12852
- C:\Windows\System\oCVZMEp.exe
  C:\Windows\System\oCVZMEp.exe
  2⤵
  PID:12884
- C:\Windows\System\mRoHqaf.exe
  C:\Windows\System\mRoHqaf.exe
  2⤵
  PID:12908
- C:\Windows\System\hJIOpJC.exe
  C:\Windows\System\hJIOpJC.exe
  2⤵
  PID:12944
- C:\Windows\System\aqtGqZU.exe
  C:\Windows\System\aqtGqZU.exe
  2⤵
  PID:12968
- C:\Windows\System\obLpGjv.exe
  C:\Windows\System\obLpGjv.exe
  2⤵
  PID:13176
- C:\Windows\System\NPjNlww.exe
  C:\Windows\System\NPjNlww.exe
  2⤵
  PID:13192
- C:\Windows\System\VwbObya.exe
  C:\Windows\System\VwbObya.exe
  2⤵
  PID:13308
- C:\Windows\System\JxUCXWw.exe
  C:\Windows\System\JxUCXWw.exe
  2⤵
  PID:12292
- C:\Windows\System\TLOsEca.exe
  C:\Windows\System\TLOsEca.exe
  2⤵
  PID:12504
- C:\Windows\System\khuwLnd.exe
  C:\Windows\System\khuwLnd.exe
  2⤵
  PID:12544
- C:\Windows\System\AhhuOCP.exe
  C:\Windows\System\AhhuOCP.exe
  2⤵
  PID:12508
- C:\Windows\System\nVSphLk.exe
  C:\Windows\System\nVSphLk.exe
  2⤵
  PID:12564
- C:\Windows\System\lBLVvxL.exe
  C:\Windows\System\lBLVvxL.exe
  2⤵
  PID:12568
- C:\Windows\System\KXqJcNO.exe
  C:\Windows\System\KXqJcNO.exe
  2⤵
  PID:12572
- C:\Windows\System\ajjfatN.exe
  C:\Windows\System\ajjfatN.exe
  2⤵
  PID:12588
- C:\Windows\System\ieqzRLd.exe
  C:\Windows\System\ieqzRLd.exe
  2⤵
  PID:12660
- C:\Windows\System\DQiDiSY.exe
  C:\Windows\System\DQiDiSY.exe
  2⤵
  PID:13012

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 4aRth1f4aEe0PTw57RdQxw.0.2
1⤵
PID:12652
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 12652 -s 508
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:14684

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 12652 -i 12652 -h 568 -j 544 -s 576 -d 464
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:14320

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 100 -i 100 -h 660 -j 664 -s 672 -d 464
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:14420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2eclwis3.r0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CMzRxqx.exe

Filesize
2.2MB

MD5
7966d0d1b804a6e6a2ac1042435b996f

SHA1
1a4dade37109df65fb9153cb7d0387c88215c314

SHA256
62f6e53f0be7b01cc31997e10588272fbced56cb1e12ab50b78b4794966d59d6

SHA512
bc77e474b61f20528f9487f69362ddbdd6248c2b694e5d057f57747b18dfbc171c3a899a00929a3763c04554563f3956c340d9b85cd3d66f87dd8ece777ae51a

Download Submit
C:\Windows\System\GqdCEbu.exe

Filesize
2.2MB

MD5
c9ee568e62e8a3f5b882843ebf4050b3

SHA1
6d07928cbc45870affbae8a2432cfa0e712d3a8f

SHA256
bc75221673d5c70f17c722e33afc8bf0ecef653db206c02d27dc6a2207986f88

SHA512
e2ca0d51130498b50b83c61f9fb8affff8bc2aa219e51831a535d1c5c75cbdf39c0d0710386089265748f2afa2a2f843e6667df6b52f2f769c963f426c9c8f09

Download Submit
C:\Windows\System\ISXGlhZ.exe

Filesize
2.2MB

MD5
25f401b9ff9974cb0432c7272d64dcfa

SHA1
90830df67d0d08de8ccf5e562bd834f9801e4617

SHA256
a62a8d97b81b56d1d272ccb1c1c3918b938b2be1af8d47b66c888b050fe17cb1

SHA512
493346882c6539ce82928fb41c9e222c74221384bf4b2f4485a438c38ab7b333db6a8db5cbb15970c805e213c337eed024a77ee73ee2bed518e7e2b1b62bf4f7

Download Submit
C:\Windows\System\IgYuJcf.exe

Filesize
2.2MB

MD5
09582b89e56791520474de7328177b91

SHA1
6379873b35fca3889274434c4f3ddf7d3d147f21

SHA256
56870780fe414f36ee6cd0da2608d09de20b8a7b88aeec7116bacc36cccc26c8

SHA512
7a40d36f1284060d8dba7cde5955eee81c96b464edb8e53288b175033443a2f9c9532bb831d37a54d4a413b4fa9bec8188b2692b72b0ab52d2c887140723a38d

Download Submit
C:\Windows\System\MoXevwd.exe

Filesize
2.2MB

MD5
f7994068bef850ed48df0dcd8b0bdd2d

SHA1
ba7a2383759d9cbd8703dc59ea1820469fb0cf05

SHA256
e8c1143ba5f401afec712162e326c2585d431b55f78b9bf5e23e50b48210680c

SHA512
216b00661fcb7aad07a967ce8914a38cf7db7eb1230008db80240e02486a0bfd809c528f95a86b1fcc979039de96853bac723145edc5a01b0a7f05c5d7aca1aa

Download Submit
C:\Windows\System\MyeonzW.exe

Filesize
2.2MB

MD5
3866c3c6666dcf4ef1d1a9543b84c2e9

SHA1
bc2aa2ce935f99e49ce2c02cadc9d1fc4e88cd4a

SHA256
e5b7797820f23f6dfe1fc11f95db32aadecdffc1b38324aaed8e914cfb4bcb08

SHA512
d9cd3bcb48c550e161ed7b41e7cdf4937b4920750cd89ee6baa6034d88428955b9e0cc4b8654388146f2c146dab6cdc7d6ce5fbf26af468f51e21de47aba8589

Download Submit
C:\Windows\System\NxPpBgz.exe

Filesize
2.2MB

MD5
5045edd7c93b37018e20591ac4db3898

SHA1
7562500ac8f1e8c1dc8f9c38073ea9fe60c029d1

SHA256
cdb167c2eb33814b2fdc0cd7cac550af3f0a3241112c68dee77509bd7d67f993

SHA512
509abf9afe491728f1249ba313eb9bb3197ad24335b4a6b0290a72cf23966883ae919a30449f43b5977cbe8c53d5552e16dd35576c800a5737fc8c54e1a6d3ca

Download Submit
C:\Windows\System\OQYsIMP.exe

Filesize
2.2MB

MD5
eb5ec6fe954063b1e08fcb14312dfb4e

SHA1
76013d1fddac61dda04b3039ee537109251df613

SHA256
a004d421571ea0430b721b48bc97cb59e18a92fc9d7d8b95e5101bbddc12b692

SHA512
211038f8ea0b97ca15db16214269393408b96475b806c82c375e4c1954f096f803f34e6e1ed68c4792729f5407605d98814840c47e65e503c787568338409303

Download Submit
C:\Windows\System\PHUymtX.exe

Filesize
2.2MB

MD5
a2328373508b5d04c98744fe29d8ccb5

SHA1
9b5794f3f3d0c445a7b900a0e49b330c6544e3e8

SHA256
f8742cf63c651e75fdf28fba03f5b9ea5d4328e26f2115ee710a0714d8ad066c

SHA512
3cf1b220a9a16a614a05b628ef7d5484c852327f0a77c12476fb8178436e6645f01c1ddaab484c65aaf68e56ac286d916aacdac60cb6c78bb292e155be3a29da

Download Submit
C:\Windows\System\PZdvVUQ.exe

Filesize
2.2MB

MD5
37ad7e4371643b0c723ab51a97d6f48d

SHA1
39a96998100336d7c7e60c512d14d78ca5879476

SHA256
c1359c9be8a04a142449d2d89e6cf6e110e9c1b793ca0f51fe8a40e5b8444e0a

SHA512
42128405a6f8a5450e8756fc6c2d9cd39c43a6671578c8dd2e5b7d7436ee5d0ae03549ec5e952ef392113d8a487272a8897a8797fa1c91d38be435b895b9fc41

Download Submit
C:\Windows\System\QXLMYif.exe

Filesize
2.2MB

MD5
f52db8f06f6bf1d3047954a0111d8d15

SHA1
ce005b7671eb0f2471795d59c7f4227f4d7baead

SHA256
e3380957eb0e50ce0036eaa01e3c47ccbdec7c72982c943a6dc259d733a1270f

SHA512
920e7623c57e69acff2909a42d5c1f0ff8b7d9c82c5eab9c61a5250d56687dadcf4ae51d7c307a680405ca727e8a8539244973e8ebc2ee5840aed01a91e12b20

Download Submit
C:\Windows\System\TbKvPjB.exe

Filesize
2.2MB

MD5
091b5f52d965bac2d1448bc8e653ec2d

SHA1
ed0c27f7ea363048feadd38c10bcf6679b655064

SHA256
afa3a51f84f4b92e5b2776ae97b1ec0843fc6bf226829f9271f8eca40bea0fed

SHA512
0a2d5979c4b3c7cd56cb8ec2430e6f1e6f7c5536fa7f391ad1f1793928a5af7872c30311b4f254fadf72c535ed440089d3cd63acb896a8d1cfae38a74c9153d7

Download Submit
C:\Windows\System\TnioYNe.exe

Filesize
2.2MB

MD5
18a76f3f4b148e6a7cf44a0ee76e7d47

SHA1
8cc377fd26d90fe56f3571f891b53d8daa1266e3

SHA256
d2dbea6fd94edc18adfba3dd591f5e4b610d40f2617d1f49436a4b4b0da3d68b

SHA512
97b17345fa8d6f228ff9e678fba4c132216fd95eab4708e21c1c7a09b2c99dd8af27747e738f0352c963bafa3565268767e75409512f6184b0886d26345da9b2

Download Submit
C:\Windows\System\YInIMUo.exe

Filesize
8B

MD5
0b02220145771e90ebe4310a5742c9eb

SHA1
9bd568d96b03bd5446f96a7b59c08196eb5a57c3

SHA256
6135f164d0697be47c97ab606a7a1adcbc1eb3846ae4debecafb1a6ccfd23e4e

SHA512
cb08dee7f4e4dd1bb8de836a2364c078d9de5aef5dcb329e7e0b8e1cc2bfaa06c42f8b8ddf04bdb30392074759beef091a761854b0812b9a726b3c820c99a5a8

Download Submit
C:\Windows\System\YUUrVnU.exe

Filesize
2.2MB

MD5
6ae120308d648f437c4f6875d8142839

SHA1
a7f61e4a911f51409a2893219fdeb68c7e60dbcd

SHA256
9b5cb8507b844fb4a5d58362ee99f4968c5612b6b491decf8e5d0d47fa4fd772

SHA512
f35da0e9fce6726467636ef09ae83036896a0d0a5a5c43a142d421a95dcdbdfc895946dc0056475f8f7bae233ea583f0dced35dd1cbe91bd55f704eaf0ef079c

Download Submit
C:\Windows\System\ZBwsumB.exe

Filesize
2.2MB

MD5
c80609e3c90958ca2ef0d7b7bab13a87

SHA1
fe0aa3623d67eb40a3d7e4f5e82e906fb3c39776

SHA256
7e3f280156134bd098bd6cee639871a11f8a810147867de79f3b9ac4add6cc1c

SHA512
3c1f17cd0a011fc6b257348aa763fbc6c6408fb306b8ab8c1561944f1b85608c88816c693c19682345e00a896a8c03ea49c34ac62583149e4c741f436d794244

Download Submit
C:\Windows\System\adFpOCD.exe

Filesize
2.2MB

MD5
ec1e5ad4b9ec998478184589c4187b6a

SHA1
0c289ea1e87a731ec20b29ac9b919650c6e0a832

SHA256
9d86ca42cb8f7cd86a979a6f2f1dbbb7595079a73e8526d063639137ec498150

SHA512
e9d42f17cd3493aa9a5fb3b497ce22b3515003cd7999df418381a5ed494bc55f7e934d397308f1c7dd5f2a8b96a32900bb6d1e5c7e5ff02888b8641f615f229a

Download Submit
C:\Windows\System\bHKsjIO.exe

Filesize
2.2MB

MD5
01a78c80a2d5e5e814cc628b291ca7f1

SHA1
bc66e88612c4bdbbdaca5f8728c206ec94badbd1

SHA256
087b5857a28dd8685aa1c189c55f2cfefc89054cd3ddecc433a848fa90816787

SHA512
6f20058cb3d3b5c8e60f05cdb64eccafadb8aa70bff4aafcf7565f33ad6c6b513222001cfb39e23cb0bd4e6dc9dae6375a726c18e2971ffeae7246aebd89fee9

Download Submit
C:\Windows\System\deAfXNK.exe

Filesize
2.2MB

MD5
6e319eb2024176677a61077a2e78f09b

SHA1
9eba2fd46da9e80c740244026571edca9e715478

SHA256
71de24f31c3b83ee46ae35471ba9540719f5c0781f2841d47cff9dd8bd2ccc5e

SHA512
a4445bf05e69d8f89920e7bec87c1c7a13dea1832cc99a2a76307d35392c8a971ab115b3ff5968a389f373f101b3915a784f9c024038a5b12d2b802f7135cc61

Download Submit
C:\Windows\System\dpAQVVL.exe

Filesize
2.2MB

MD5
78761017b685613d7f50268680395364

SHA1
1ab2659833e79c8c66cffc3ede0701f53c7244da

SHA256
60647c7f4bbf2049dcd866df1c38a1888c0efcbbe2f4031c7dc7e71e11de7342

SHA512
abef25dc4e332f94a2dfc7de7830c695cca5f71b362ca34a3b88b8566f8a381e0bc9b8e6c21edbd630f024a38a0fb07f14e9ae31aee3e0b878510c484ebb5858

Download Submit
C:\Windows\System\eiPHEdv.exe

Filesize
2.2MB

MD5
5604df65ebdd7988a208f761a0c17670

SHA1
cba7b30e7f0f4512e91d7b0d7fe511e163842de0

SHA256
79783daf4e3aec2c3835bd694642b07947a40b3e5c29daab6ea71be291d366a2

SHA512
8e73f24e1de06c01a56a8e5674346e691a13db8b56b6e3375657b15ec6ff259dcc2e3c51cee48035f417402a2dedd99c11da876c98245498db6b3bb890b3256b

Download Submit
C:\Windows\System\fusHbpZ.exe

Filesize
2.2MB

MD5
83142510745eac2515585e172a956848

SHA1
7474be07621c6696170155b8fbc2ea8aa4addf30

SHA256
a0834f1db4a77614c9d7dfde746d56cebef6d840575801853ca8275482815918

SHA512
82cccc39f8ca81fdd02bff243e811bc6350ebad527e843135f759cd943067bbe6c8165c23a9a294db67332fce65eb6cf241c4df4520a9a59c5680c879462a455

Download Submit
C:\Windows\System\iDRzcZc.exe

Filesize
2.2MB

MD5
b9ed356021da7ef244edd456d0e8ad2f

SHA1
c3eb0b7980163443ca722f210b1115af4cd3b0c5

SHA256
9cbc86805777c5b93e6cee1874e28e6226c776cf58cf51b8e07a7745235e3293

SHA512
e78d5939d52d92703bac0187e66548ff523f7c41ad1cd801a2dc18df5537f71d32167bb9ab0f7979f2ef03d2c9a8e23b6da8837edf864a75f120cc049e7d2519

Download Submit
C:\Windows\System\iPsEimO.exe

Filesize
2.2MB

MD5
64334e86d39796a1e4596361a8153dbb

SHA1
5e82ebe93b767e32dd853abfe1fb0ca21188bb4c

SHA256
8c92e61996b4bab168be7eff8322963ed01d67b9f681f09596e5f8e81cb1a332

SHA512
2ff23269446809e1c555914674bf8e2a1d55a80a7b5ada56d56c578a191e659333e953fa30eac18956a8158a8a849cab6d47c3aba1cd9da410831f70585f8de9

Download Submit
C:\Windows\System\jYvFRtT.exe

Filesize
2.2MB

MD5
e4a0397378a99e9e658e1569b9ee09af

SHA1
116cfdf1da68712bc5ae31c0e0a0327e9421b7ce

SHA256
dfdf305afbe391730a1e1954294a7843d5b8cb2e98b2aee6766995961d6929f4

SHA512
36349b512820855c8a57b527c3cf3ffdb2ffc8b66bcd906b9a6f2e994d51bc44258969779b195343d7bc2744b4f77159e31079c4a7dd17e3c72be4d1df0a1288

Download Submit
C:\Windows\System\kCvlVcp.exe

Filesize
2.2MB

MD5
985aec9e9a25d4555247835aae9b938f

SHA1
9a65689894c9c76604a2665dd2388f7d76cc909f

SHA256
5913f2e64169daed28b004fc53f9b25e2e1b0d8efebeaf6745f93701e143ed3e

SHA512
0e953367f886961b3bce89ef0eecf3702689db298fc16932b4f88ceaed289c7d4d037c12d4a34652258886160f45c27dfe41adb8da9c49e12f1607655ca479fe

Download Submit
C:\Windows\System\nVpEcCz.exe

Filesize
2.2MB

MD5
16e127e0f44fd777bb19bed873bbc9b6

SHA1
9a2c6f43e6e3e26aaf4a17d5e6c77cac87d0c795

SHA256
731257d858d2a033278c3e6c5529b17a6103795dadaef66bd1396c629f6690e0

SHA512
cd6b6a394b480836a8c43da72bc5c3e99a9dd39fe37d3517a7578299f1271c1c9a2697f7fd6bc68ed2bb420d01ed5e138de54183abd16f98991a7c512e7b55c9

Download Submit
C:\Windows\System\rGBDhuZ.exe

Filesize
2.2MB

MD5
e8060c12e72c167d86a1cc3929d6b0cc

SHA1
79d50c88dbb821bbc2d4001d649a4f923e850c86

SHA256
26c52e5e62734871ba5c54f08e1a59103b3134f32527bb9be6c816012df6cdb5

SHA512
e10526a0e68b653b6677c27bff4e8415569fe9a726fbc311e12350d5b5c4d30c9650870a516c3e41187a88d079900450cb5844849c5a4a1d5b254dbd76f07d22

Download Submit
C:\Windows\System\rUlXgYA.exe

Filesize
2.2MB

MD5
08c450fd89a551ce39fa35c0c4f9f1de

SHA1
fffdf381d0ad303004fe9f0be80e7fc27d6de80c

SHA256
0a4a66b5ea0fe3914216ec36de3d56f4a9123a46881936948462036329d0e661

SHA512
5273964c3f662dc73910483386648e939caa10b1cf1c7c5011e5ac39aacdb93553decab09497906b273f4a80298741b27995400413440e0b18a565573705bc30

Download Submit
C:\Windows\System\sapLbFr.exe

Filesize
2.2MB

MD5
0438f6804345ce377b030b2f80c2b35c

SHA1
cb581f577543adfacf23fc45eecbef06e8190c32

SHA256
122ec0906e8d17d81255096426fd5fcfa4a2106b9bf1a2077ce3534dcfac3c3b

SHA512
edbaed607937874a8ef800d35304036c0513697f6646c0edafe2940af8e16645bb77d3dd441ded228faeebaf6d9067b4d1daf1e50f75861d4d3a35354b82bb2c

Download Submit
C:\Windows\System\tmlETFE.exe

Filesize
2.2MB

MD5
b0ccf1cdc7310b0ab51dd965b440e1da

SHA1
e2aaa3365db85171930ec4ddc4bf5c3fb64e5d72

SHA256
4e5061c3d5ca6c491977e0638fc5b875ebb63c5a22bfc4674fbe99a19d23e924

SHA512
b67509fc111ac2b0d412bc200f09320743e00e6fbaa8bb720ea7c6b4d90e3817b24eacf09935b828d1e4f664031affb0e9435f714d1a6e16473c869264e5809d

Download Submit
C:\Windows\System\tzSvbrH.exe

Filesize
2.2MB

MD5
7aa388319bb77db3ee35620bdc685f18

SHA1
a3644535074dc2ad7b56c911ea85c8b0376c4812

SHA256
3967b1aa03cd423a67600c39dd02c7d537b3c768296d532ea4392caa28e3042f

SHA512
c3ab61177dd7fde0b91abcb09aa60798026c5fbae3219a4d29ea903d6d0d52965efbba9ebcd961b2d8408d672ed70a3a32e421f27d8a6c34318641473d8c1b61

Download Submit
C:\Windows\System\uqWrlGL.exe

Filesize
2.2MB

MD5
52c3d2e045343b89e949a542b82c5c56

SHA1
bea41b47f6e3386543a5be1fa0d0b618e434590f

SHA256
6d62db0f3fd2730f2f82f91aca3220a3f5d1760dbb3b15eba35367be4f791f32

SHA512
351b04b5ea168b7c2daacb377135f96ed9c40a66ccb0647cb420daf277cdb18962af825ecfc640c5370a6e0890b05647740438ac152178d8e7a124f653674b6f

Download Submit
C:\Windows\System\vpJHUEI.exe

Filesize
2.2MB

MD5
2bc430e6394945865fe214ca3b148088

SHA1
4bd49c808740bff0ff2ffdc55c27962e0e93b40f

SHA256
b376360ea241512e6c27b6833895a0dc394bb5f33a7c2a5cae0bdd790c0f4759

SHA512
c69456fbcb251fcfc15e90683cc3d6923516df064abbc50a6bd66f9e95bf1b257d5b76207de93d461d6d28d8fd128056f1af7e6c11d184e207fe1977437fd3b8

Download Submit
memory/688-166-0x00007FF74A8E0000-0x00007FF74ACD2000-memory.dmp

Filesize
3.9MB

Download
memory/688-3088-0x00007FF74A8E0000-0x00007FF74ACD2000-memory.dmp

Filesize
3.9MB

Download
memory/1048-3059-0x00007FF6CF120000-0x00007FF6CF512000-memory.dmp

Filesize
3.9MB

Download
memory/1048-57-0x00007FF6CF120000-0x00007FF6CF512000-memory.dmp

Filesize
3.9MB

Download
memory/1476-129-0x00007FF76C310000-0x00007FF76C702000-memory.dmp

Filesize
3.9MB

Download
memory/1476-3073-0x00007FF76C310000-0x00007FF76C702000-memory.dmp

Filesize
3.9MB

Download
memory/2064-61-0x00007FF66DB50000-0x00007FF66DF42000-memory.dmp

Filesize
3.9MB

Download
memory/2064-3061-0x00007FF66DB50000-0x00007FF66DF42000-memory.dmp

Filesize
3.9MB

Download
memory/2184-41-0x00007FF7AD2C0000-0x00007FF7AD6B2000-memory.dmp

Filesize
3.9MB

Download
memory/2264-154-0x00007FF65EEE0000-0x00007FF65F2D2000-memory.dmp

Filesize
3.9MB

Download
memory/2264-3094-0x00007FF65EEE0000-0x00007FF65F2D2000-memory.dmp

Filesize
3.9MB

Download
memory/2332-3090-0x00007FF709860000-0x00007FF709C52000-memory.dmp

Filesize
3.9MB

Download
memory/2332-160-0x00007FF709860000-0x00007FF709C52000-memory.dmp

Filesize
3.9MB

Download
memory/2592-95-0x00007FF6973A0000-0x00007FF697792000-memory.dmp

Filesize
3.9MB

Download
memory/2592-3062-0x00007FF6973A0000-0x00007FF697792000-memory.dmp

Filesize
3.9MB

Download
memory/2652-3052-0x00007FF68BA30000-0x00007FF68BE22000-memory.dmp

Filesize
3.9MB

Download
memory/2652-89-0x00007FF68BA30000-0x00007FF68BE22000-memory.dmp

Filesize
3.9MB

Download
memory/2880-88-0x00007FF636200000-0x00007FF6365F2000-memory.dmp

Filesize
3.9MB

Download
memory/3036-69-0x00007FF6533E0000-0x00007FF6537D2000-memory.dmp

Filesize
3.9MB

Download
memory/3036-3066-0x00007FF6533E0000-0x00007FF6537D2000-memory.dmp

Filesize
3.9MB

Download
memory/3036-2739-0x00007FF6533E0000-0x00007FF6537D2000-memory.dmp

Filesize
3.9MB

Download
memory/3356-76-0x00007FF697FE0000-0x00007FF6983D2000-memory.dmp

Filesize
3.9MB

Download
memory/3356-3064-0x00007FF697FE0000-0x00007FF6983D2000-memory.dmp

Filesize
3.9MB

Download
memory/3356-2743-0x00007FF697FE0000-0x00007FF6983D2000-memory.dmp

Filesize
3.9MB

Download
memory/3496-3078-0x00007FF783770000-0x00007FF783B62000-memory.dmp

Filesize
3.9MB

Download
memory/3496-125-0x00007FF783770000-0x00007FF783B62000-memory.dmp

Filesize
3.9MB

Download
memory/3516-1-0x000002164AB70000-0x000002164AB80000-memory.dmp

Filesize
64KB

Download
memory/3516-0-0x00007FF69DCC0000-0x00007FF69E0B2000-memory.dmp

Filesize
3.9MB

Download
memory/3592-56-0x0000010FCCC60000-0x0000010FCCC82000-memory.dmp

Filesize
136KB

Download
memory/3592-30-0x00007FF892140000-0x00007FF892C01000-memory.dmp

Filesize
10.8MB

Download
memory/3592-5-0x00007FF892143000-0x00007FF892145000-memory.dmp

Filesize
8KB

Download
memory/3592-443-0x0000010FCD840000-0x0000010FCDFE6000-memory.dmp

Filesize
7.6MB

Download
memory/3592-3002-0x00007FF892143000-0x00007FF892145000-memory.dmp

Filesize
8KB

Download
memory/3592-3025-0x00007FF892140000-0x00007FF892C01000-memory.dmp

Filesize
10.8MB

Download
memory/3592-21-0x00007FF892140000-0x00007FF892C01000-memory.dmp

Filesize
10.8MB

Download
memory/3672-148-0x00007FF6A9920000-0x00007FF6A9D12000-memory.dmp

Filesize
3.9MB

Download
memory/3672-3082-0x00007FF6A9920000-0x00007FF6A9D12000-memory.dmp

Filesize
3.9MB

Download
memory/3940-3086-0x00007FF678E60000-0x00007FF679252000-memory.dmp

Filesize
3.9MB

Download
memory/3940-172-0x00007FF678E60000-0x00007FF679252000-memory.dmp

Filesize
3.9MB

Download
memory/4036-3048-0x00007FF749C20000-0x00007FF74A012000-memory.dmp

Filesize
3.9MB

Download
memory/4036-50-0x00007FF749C20000-0x00007FF74A012000-memory.dmp

Filesize
3.9MB

Download
memory/4148-119-0x00007FF691230000-0x00007FF691622000-memory.dmp

Filesize
3.9MB

Download
memory/4148-3075-0x00007FF691230000-0x00007FF691622000-memory.dmp

Filesize
3.9MB

Download
memory/4380-3071-0x00007FF694DF0000-0x00007FF6951E2000-memory.dmp

Filesize
3.9MB

Download
memory/4380-135-0x00007FF694DF0000-0x00007FF6951E2000-memory.dmp

Filesize
3.9MB

Download
memory/4452-147-0x00007FF6CD7A0000-0x00007FF6CDB92000-memory.dmp

Filesize
3.9MB

Download
memory/4452-3080-0x00007FF6CD7A0000-0x00007FF6CDB92000-memory.dmp

Filesize
3.9MB

Download
memory/4532-136-0x00007FF7FE820000-0x00007FF7FEC12000-memory.dmp

Filesize
3.9MB

Download
memory/4532-3069-0x00007FF7FE820000-0x00007FF7FEC12000-memory.dmp

Filesize
3.9MB

Download
memory/4552-99-0x00007FF7DD4A0000-0x00007FF7DD892000-memory.dmp

Filesize
3.9MB

Download
memory/4552-3051-0x00007FF7DD4A0000-0x00007FF7DD892000-memory.dmp

Filesize
3.9MB

Download
memory/4596-3057-0x00007FF762350000-0x00007FF762742000-memory.dmp

Filesize
3.9MB

Download
memory/4596-109-0x00007FF762350000-0x00007FF762742000-memory.dmp

Filesize
3.9MB

Download
memory/4616-114-0x00007FF62C920000-0x00007FF62CD12000-memory.dmp

Filesize
3.9MB

Download
memory/4616-3077-0x00007FF62C920000-0x00007FF62CD12000-memory.dmp

Filesize
3.9MB

Download
memory/5108-3055-0x00007FF7DFC10000-0x00007FF7E0002000-memory.dmp

Filesize
3.9MB

Download
memory/5108-113-0x00007FF7DFC10000-0x00007FF7E0002000-memory.dmp

Filesize
3.9MB

Download