xmrig | 5fe725151b1e0b8d7de236b4667874046fe45d78b3ca016a8b730c227ea4c290

Analysis

max time kernel
131s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
Size

1.8MB
MD5

11a61efed27723f15b6b91199acd97c8
SHA1

22605bc7718048f4c1c887dcf3ae315e96b60b65
SHA256

5fe725151b1e0b8d7de236b4667874046fe45d78b3ca016a8b730c227ea4c290
SHA512

49f8b9bea34f77e5bc20b362d3ae7517d4c278cabb0b31e450ad0c9a90d4e8fec31e89637a53ce9127301d01187fc1b23131fe7f6bee0d657ed8e949b3be89f4
SSDEEP

49152:Lz071uv4BPMkibTIA5I4TNrpDGgDQG00y0:NABS

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 50 IoCs

miner

resource	yara_rule
behavioral2/memory/4552-75-0x00007FF6765A0000-0x00007FF676992000-memory.dmp	xmrig
behavioral2/memory/4620-80-0x00007FF76ED90000-0x00007FF76F182000-memory.dmp	xmrig
behavioral2/memory/1840-87-0x00007FF692A60000-0x00007FF692E52000-memory.dmp	xmrig
behavioral2/memory/5092-94-0x00007FF7FB960000-0x00007FF7FBD52000-memory.dmp	xmrig
behavioral2/memory/2272-148-0x00007FF73A720000-0x00007FF73AB12000-memory.dmp	xmrig
behavioral2/memory/1688-197-0x00007FF7B7060000-0x00007FF7B7452000-memory.dmp	xmrig
behavioral2/memory/772-191-0x00007FF7CAD80000-0x00007FF7CB172000-memory.dmp	xmrig
behavioral2/memory/648-185-0x00007FF6B0800000-0x00007FF6B0BF2000-memory.dmp	xmrig
behavioral2/memory/1672-179-0x00007FF7D9400000-0x00007FF7D97F2000-memory.dmp	xmrig
behavioral2/memory/1116-173-0x00007FF7427B0000-0x00007FF742BA2000-memory.dmp	xmrig
behavioral2/memory/1488-167-0x00007FF797050000-0x00007FF797442000-memory.dmp	xmrig
behavioral2/memory/4788-161-0x00007FF6685F0000-0x00007FF6689E2000-memory.dmp	xmrig
behavioral2/memory/4476-155-0x00007FF6890A0000-0x00007FF689492000-memory.dmp	xmrig
behavioral2/memory/1632-154-0x00007FF7B8230000-0x00007FF7B8622000-memory.dmp	xmrig
behavioral2/memory/2560-142-0x00007FF708140000-0x00007FF708532000-memory.dmp	xmrig
behavioral2/memory/4184-136-0x00007FF6BF670000-0x00007FF6BFA62000-memory.dmp	xmrig
behavioral2/memory/436-130-0x00007FF718DB0000-0x00007FF7191A2000-memory.dmp	xmrig
behavioral2/memory/3472-124-0x00007FF743430000-0x00007FF743822000-memory.dmp	xmrig
behavioral2/memory/3408-105-0x00007FF6D1C30000-0x00007FF6D2022000-memory.dmp	xmrig
behavioral2/memory/4716-100-0x00007FF6E8820000-0x00007FF6E8C12000-memory.dmp	xmrig
behavioral2/memory/1012-88-0x00007FF65B8A0000-0x00007FF65BC92000-memory.dmp	xmrig
behavioral2/memory/4992-67-0x00007FF6A7780000-0x00007FF6A7B72000-memory.dmp	xmrig
behavioral2/memory/2996-61-0x00007FF620420000-0x00007FF620812000-memory.dmp	xmrig
behavioral2/memory/1880-13-0x00007FF691440000-0x00007FF691832000-memory.dmp	xmrig
behavioral2/memory/1880-2516-0x00007FF691440000-0x00007FF691832000-memory.dmp	xmrig
behavioral2/memory/3408-2518-0x00007FF6D1C30000-0x00007FF6D2022000-memory.dmp	xmrig
behavioral2/memory/1880-2534-0x00007FF691440000-0x00007FF691832000-memory.dmp	xmrig
behavioral2/memory/2996-2536-0x00007FF620420000-0x00007FF620812000-memory.dmp	xmrig
behavioral2/memory/3472-2540-0x00007FF743430000-0x00007FF743822000-memory.dmp	xmrig
behavioral2/memory/4992-2539-0x00007FF6A7780000-0x00007FF6A7B72000-memory.dmp	xmrig
behavioral2/memory/4620-2544-0x00007FF76ED90000-0x00007FF76F182000-memory.dmp	xmrig
behavioral2/memory/4552-2550-0x00007FF6765A0000-0x00007FF676992000-memory.dmp	xmrig
behavioral2/memory/436-2552-0x00007FF718DB0000-0x00007FF7191A2000-memory.dmp	xmrig
behavioral2/memory/1840-2546-0x00007FF692A60000-0x00007FF692E52000-memory.dmp	xmrig
behavioral2/memory/1012-2548-0x00007FF65B8A0000-0x00007FF65BC92000-memory.dmp	xmrig
behavioral2/memory/5092-2543-0x00007FF7FB960000-0x00007FF7FBD52000-memory.dmp	xmrig
behavioral2/memory/4716-2567-0x00007FF6E8820000-0x00007FF6E8C12000-memory.dmp	xmrig
behavioral2/memory/1116-2570-0x00007FF7427B0000-0x00007FF742BA2000-memory.dmp	xmrig
behavioral2/memory/648-2576-0x00007FF6B0800000-0x00007FF6B0BF2000-memory.dmp	xmrig
behavioral2/memory/772-2578-0x00007FF7CAD80000-0x00007FF7CB172000-memory.dmp	xmrig
behavioral2/memory/4184-2574-0x00007FF6BF670000-0x00007FF6BFA62000-memory.dmp	xmrig
behavioral2/memory/1672-2569-0x00007FF7D9400000-0x00007FF7D97F2000-memory.dmp	xmrig
behavioral2/memory/3408-2565-0x00007FF6D1C30000-0x00007FF6D2022000-memory.dmp	xmrig
behavioral2/memory/2560-2573-0x00007FF708140000-0x00007FF708532000-memory.dmp	xmrig
behavioral2/memory/4476-2559-0x00007FF6890A0000-0x00007FF689492000-memory.dmp	xmrig
behavioral2/memory/4788-2555-0x00007FF6685F0000-0x00007FF6689E2000-memory.dmp	xmrig
behavioral2/memory/1632-2563-0x00007FF7B8230000-0x00007FF7B8622000-memory.dmp	xmrig
behavioral2/memory/2272-2561-0x00007FF73A720000-0x00007FF73AB12000-memory.dmp	xmrig
behavioral2/memory/1488-2557-0x00007FF797050000-0x00007FF797442000-memory.dmp	xmrig
behavioral2/memory/1688-2592-0x00007FF7B7060000-0x00007FF7B7452000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2808	powershell.exe
10	2808	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2808	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1880	DmOoThh.exe
2996	xjssVkM.exe
3472	nkyWktW.exe
4992	PIcbpPD.exe
4552	ivSIKai.exe
4620	CqKtpAo.exe
1840	vcjumLd.exe
1012	ptKZvAq.exe
5092	KtjNUqb.exe
436	MUjBfkX.exe
4184	JJDMIgV.exe
4716	Ycsuopq.exe
3408	nirNYFr.exe
2560	mlcFnjF.exe
2272	AOGlSKU.exe
1632	IbVPESY.exe
4476	rMfGNmN.exe
1488	LFoPLsI.exe
1116	TDokdKA.exe
4788	NDJSoju.exe
1672	baYFLaT.exe
648	dKaeHGL.exe
772	NHgHoYk.exe
1688	JwVpuIl.exe
2880	jpZaEfI.exe
1608	DWpvMeo.exe
3464	ZpWzedy.exe
1252	zwRLPim.exe
1892	UfGhSkL.exe
4520	DIkXQFp.exe
2904	HMXQFsG.exe
3036	oSpVXWX.exe
4424	pYwgAfO.exe
2792	oHUzDrT.exe
4872	jWKXoRU.exe
3612	CgNhqfc.exe
3044	EyxIOjN.exe
4212	ELUPULe.exe
5036	CprTBZh.exe
5020	KXarQuF.exe
3272	sxVXoav.exe
2020	atEQGRy.exe
4180	MbqBPUO.exe
2336	wIZAwJy.exe
4108	npflmnb.exe
4356	wLqKkRq.exe
4912	qeMdMEq.exe
316	tlxfVJc.exe
3688	PtRRQaz.exe
1464	PrWwQPK.exe
2844	ltkEvrZ.exe
3852	KwcUHPC.exe
3456	FNABzFw.exe
3536	ULgLqPP.exe
4988	uxYSrTe.exe
4924	mQPOPCU.exe
2648	yBLuTZk.exe
3232	cVpmeAp.exe
876	zdecHKU.exe
4860	TQVUrgS.exe
5124	pVgxrLK.exe
5152	zcIdBEt.exe
5180	ikGyIAG.exe
5208	xoWhbfx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3140-0-0x00007FF6B2960000-0x00007FF6B2D52000-memory.dmp	upx
behavioral2/files/0x000c000000023b6e-5.dat	upx
behavioral2/files/0x000a000000023b73-17.dat	upx
behavioral2/files/0x000a000000023b74-18.dat	upx
behavioral2/files/0x000a000000023b75-27.dat	upx
behavioral2/files/0x000a000000023b76-32.dat	upx
behavioral2/files/0x000a000000023b78-41.dat	upx
behavioral2/files/0x000a000000023b79-46.dat	upx
behavioral2/memory/4552-75-0x00007FF6765A0000-0x00007FF676992000-memory.dmp	upx
behavioral2/memory/4620-80-0x00007FF76ED90000-0x00007FF76F182000-memory.dmp	upx
behavioral2/memory/1840-87-0x00007FF692A60000-0x00007FF692E52000-memory.dmp	upx
behavioral2/memory/5092-94-0x00007FF7FB960000-0x00007FF7FBD52000-memory.dmp	upx
behavioral2/files/0x000b000000023b6f-102.dat	upx
behavioral2/files/0x000b000000023b7c-110.dat	upx
behavioral2/files/0x000a000000023b84-127.dat	upx
behavioral2/memory/2272-148-0x00007FF73A720000-0x00007FF73AB12000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-158.dat	upx
behavioral2/files/0x000a000000023b8b-170.dat	upx
behavioral2/files/0x000a000000023b8d-182.dat	upx
behavioral2/memory/1688-197-0x00007FF7B7060000-0x00007FF7B7452000-memory.dmp	upx
behavioral2/files/0x000a000000023b90-200.dat	upx
behavioral2/files/0x000a000000023b8e-198.dat	upx
behavioral2/files/0x000a000000023b8f-194.dat	upx
behavioral2/memory/772-191-0x00007FF7CAD80000-0x00007FF7CB172000-memory.dmp	upx
behavioral2/files/0x000a000000023b8c-186.dat	upx
behavioral2/memory/648-185-0x00007FF6B0800000-0x00007FF6B0BF2000-memory.dmp	upx
behavioral2/memory/1672-179-0x00007FF7D9400000-0x00007FF7D97F2000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-174.dat	upx
behavioral2/memory/1116-173-0x00007FF7427B0000-0x00007FF742BA2000-memory.dmp	upx
behavioral2/memory/1488-167-0x00007FF797050000-0x00007FF797442000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-162.dat	upx
behavioral2/memory/4788-161-0x00007FF6685F0000-0x00007FF6689E2000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-156.dat	upx
behavioral2/memory/4476-155-0x00007FF6890A0000-0x00007FF689492000-memory.dmp	upx
behavioral2/memory/1632-154-0x00007FF7B8230000-0x00007FF7B8622000-memory.dmp	upx
behavioral2/files/0x000a000000023b86-149.dat	upx
behavioral2/files/0x000a000000023b85-143.dat	upx
behavioral2/memory/2560-142-0x00007FF708140000-0x00007FF708532000-memory.dmp	upx
behavioral2/memory/4184-136-0x00007FF6BF670000-0x00007FF6BFA62000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-131.dat	upx
behavioral2/memory/436-130-0x00007FF718DB0000-0x00007FF7191A2000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-125.dat	upx
behavioral2/memory/3472-124-0x00007FF743430000-0x00007FF743822000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-108.dat	upx
behavioral2/files/0x000a000000023b81-106.dat	upx
behavioral2/memory/3408-105-0x00007FF6D1C30000-0x00007FF6D2022000-memory.dmp	upx
behavioral2/memory/4716-100-0x00007FF6E8820000-0x00007FF6E8C12000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-90.dat	upx
behavioral2/memory/1012-88-0x00007FF65B8A0000-0x00007FF65BC92000-memory.dmp	upx
behavioral2/files/0x000a000000023b7f-95.dat	upx
behavioral2/files/0x000b000000023b7d-86.dat	upx
behavioral2/files/0x000a000000023b7e-84.dat	upx
behavioral2/files/0x000a000000023b7a-78.dat	upx
behavioral2/memory/4992-67-0x00007FF6A7780000-0x00007FF6A7B72000-memory.dmp	upx
behavioral2/memory/2996-61-0x00007FF620420000-0x00007FF620812000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-40.dat	upx
behavioral2/files/0x000a000000023b72-19.dat	upx
behavioral2/memory/1880-13-0x00007FF691440000-0x00007FF691832000-memory.dmp	upx
behavioral2/memory/1880-2516-0x00007FF691440000-0x00007FF691832000-memory.dmp	upx
behavioral2/memory/3408-2518-0x00007FF6D1C30000-0x00007FF6D2022000-memory.dmp	upx
behavioral2/memory/1880-2534-0x00007FF691440000-0x00007FF691832000-memory.dmp	upx
behavioral2/memory/2996-2536-0x00007FF620420000-0x00007FF620812000-memory.dmp	upx
behavioral2/memory/3472-2540-0x00007FF743430000-0x00007FF743822000-memory.dmp	upx
behavioral2/memory/4992-2539-0x00007FF6A7780000-0x00007FF6A7B72000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\feaVhHw.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\XZMoest.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\OlRFQrK.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\dtXExvU.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\swFHjRv.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\DTgDcWR.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\VigaBrb.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\rTrruNS.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\YNUWFgW.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\mlcFnjF.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\aRuqZiq.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\lQxwfAb.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\yJfTkSJ.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\gQRgRWQ.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\NKtQnKp.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\jpZaEfI.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\plQQbnT.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\wnQQjkL.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\SurrznR.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\uyrshCZ.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\CflIRzl.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\glohWYU.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\lygivze.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\OYzsmBw.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\loAcYVw.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\TWieHWT.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\PtRRQaz.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\KPrKPbY.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\VVItUrC.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\CoWSWTQ.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\XLIAWPP.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\zisuwOv.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\sIbMJkz.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\DHjpcSM.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\pfCxQQX.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\sayXYdz.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\dOKYiJi.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\LFoPLsI.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\lZnJQEX.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\XtAurCs.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\JnUdpWN.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\hZpvthT.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\AURqgyA.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\KtjNUqb.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\UfGhSkL.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\cVpmeAp.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\UEwbdSP.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\IARTUev.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\TOJFXLJ.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\UuzWSwG.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\NtozNZe.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\jwxCapO.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\XDyttnf.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\nCSiFiE.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\IYtxEGc.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\RQjTfRn.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\KZGrJQY.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\idQRMfn.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\dAXQiRh.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\gNiecIi.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\zFuVtNj.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\npflmnb.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\titlqnj.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
File created	C:\Windows\System\ghVLkaK.exe	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2808	powershell.exe
2808	powershell.exe
2808	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
Token: SeDebugPrivilege	2808	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 2808	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	85
PID 3140 wrote to memory of 2808	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	85
PID 3140 wrote to memory of 1880	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	86
PID 3140 wrote to memory of 1880	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	86
PID 3140 wrote to memory of 2996	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	87
PID 3140 wrote to memory of 2996	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	87
PID 3140 wrote to memory of 3472	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	88
PID 3140 wrote to memory of 3472	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	88
PID 3140 wrote to memory of 4992	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	89
PID 3140 wrote to memory of 4992	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	89
PID 3140 wrote to memory of 4552	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	90
PID 3140 wrote to memory of 4552	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	90
PID 3140 wrote to memory of 4620	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	91
PID 3140 wrote to memory of 4620	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	91
PID 3140 wrote to memory of 1840	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	92
PID 3140 wrote to memory of 1840	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	92
PID 3140 wrote to memory of 1012	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	93
PID 3140 wrote to memory of 1012	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	93
PID 3140 wrote to memory of 5092	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	94
PID 3140 wrote to memory of 5092	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	94
PID 3140 wrote to memory of 436	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	95
PID 3140 wrote to memory of 436	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	95
PID 3140 wrote to memory of 4184	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	96
PID 3140 wrote to memory of 4184	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	96
PID 3140 wrote to memory of 4716	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	97
PID 3140 wrote to memory of 4716	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	97
PID 3140 wrote to memory of 3408	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	98
PID 3140 wrote to memory of 3408	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	98
PID 3140 wrote to memory of 2560	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	99
PID 3140 wrote to memory of 2560	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	99
PID 3140 wrote to memory of 2272	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	100
PID 3140 wrote to memory of 2272	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	100
PID 3140 wrote to memory of 1632	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	101
PID 3140 wrote to memory of 1632	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	101
PID 3140 wrote to memory of 4476	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	102
PID 3140 wrote to memory of 4476	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	102
PID 3140 wrote to memory of 1488	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	103
PID 3140 wrote to memory of 1488	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	103
PID 3140 wrote to memory of 1116	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	104
PID 3140 wrote to memory of 1116	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	104
PID 3140 wrote to memory of 4788	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	105
PID 3140 wrote to memory of 4788	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	105
PID 3140 wrote to memory of 1672	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	106
PID 3140 wrote to memory of 1672	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	106
PID 3140 wrote to memory of 648	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	107
PID 3140 wrote to memory of 648	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	107
PID 3140 wrote to memory of 772	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	108
PID 3140 wrote to memory of 772	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	108
PID 3140 wrote to memory of 1688	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	109
PID 3140 wrote to memory of 1688	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	109
PID 3140 wrote to memory of 2880	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	110
PID 3140 wrote to memory of 2880	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	110
PID 3140 wrote to memory of 1608	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	111
PID 3140 wrote to memory of 1608	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	111
PID 3140 wrote to memory of 3464	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	112
PID 3140 wrote to memory of 3464	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	112
PID 3140 wrote to memory of 1252	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	113
PID 3140 wrote to memory of 1252	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	113
PID 3140 wrote to memory of 1892	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	114
PID 3140 wrote to memory of 1892	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	114
PID 3140 wrote to memory of 4520	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	115
PID 3140 wrote to memory of 4520	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	115
PID 3140 wrote to memory of 2904	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	116
PID 3140 wrote to memory of 2904	3140	11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11a61efed27723f15b6b91199acd97c8_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2808" "2940" "2880" "2944" "0" "0" "2948" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12704
- C:\Windows\System\DmOoThh.exe
  C:\Windows\System\DmOoThh.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\xjssVkM.exe
  C:\Windows\System\xjssVkM.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\nkyWktW.exe
  C:\Windows\System\nkyWktW.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\PIcbpPD.exe
  C:\Windows\System\PIcbpPD.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\ivSIKai.exe
  C:\Windows\System\ivSIKai.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\CqKtpAo.exe
  C:\Windows\System\CqKtpAo.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\vcjumLd.exe
  C:\Windows\System\vcjumLd.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\ptKZvAq.exe
  C:\Windows\System\ptKZvAq.exe
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\Windows\System\KtjNUqb.exe
  C:\Windows\System\KtjNUqb.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\MUjBfkX.exe
  C:\Windows\System\MUjBfkX.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\JJDMIgV.exe
  C:\Windows\System\JJDMIgV.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\Ycsuopq.exe
  C:\Windows\System\Ycsuopq.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\nirNYFr.exe
  C:\Windows\System\nirNYFr.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\mlcFnjF.exe
  C:\Windows\System\mlcFnjF.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\AOGlSKU.exe
  C:\Windows\System\AOGlSKU.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\IbVPESY.exe
  C:\Windows\System\IbVPESY.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\rMfGNmN.exe
  C:\Windows\System\rMfGNmN.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\LFoPLsI.exe
  C:\Windows\System\LFoPLsI.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\TDokdKA.exe
  C:\Windows\System\TDokdKA.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\NDJSoju.exe
  C:\Windows\System\NDJSoju.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\baYFLaT.exe
  C:\Windows\System\baYFLaT.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\dKaeHGL.exe
  C:\Windows\System\dKaeHGL.exe
  2⤵
  - Executes dropped EXE
  PID:648
- C:\Windows\System\NHgHoYk.exe
  C:\Windows\System\NHgHoYk.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System\JwVpuIl.exe
  C:\Windows\System\JwVpuIl.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\jpZaEfI.exe
  C:\Windows\System\jpZaEfI.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\DWpvMeo.exe
  C:\Windows\System\DWpvMeo.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\ZpWzedy.exe
  C:\Windows\System\ZpWzedy.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\zwRLPim.exe
  C:\Windows\System\zwRLPim.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\UfGhSkL.exe
  C:\Windows\System\UfGhSkL.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\DIkXQFp.exe
  C:\Windows\System\DIkXQFp.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\HMXQFsG.exe
  C:\Windows\System\HMXQFsG.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\oSpVXWX.exe
  C:\Windows\System\oSpVXWX.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\pYwgAfO.exe
  C:\Windows\System\pYwgAfO.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\oHUzDrT.exe
  C:\Windows\System\oHUzDrT.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\jWKXoRU.exe
  C:\Windows\System\jWKXoRU.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\CgNhqfc.exe
  C:\Windows\System\CgNhqfc.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\EyxIOjN.exe
  C:\Windows\System\EyxIOjN.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\ELUPULe.exe
  C:\Windows\System\ELUPULe.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\CprTBZh.exe
  C:\Windows\System\CprTBZh.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\KXarQuF.exe
  C:\Windows\System\KXarQuF.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\sxVXoav.exe
  C:\Windows\System\sxVXoav.exe
  2⤵
  - Executes dropped EXE
  PID:3272
- C:\Windows\System\atEQGRy.exe
  C:\Windows\System\atEQGRy.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\MbqBPUO.exe
  C:\Windows\System\MbqBPUO.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\wIZAwJy.exe
  C:\Windows\System\wIZAwJy.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\npflmnb.exe
  C:\Windows\System\npflmnb.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\wLqKkRq.exe
  C:\Windows\System\wLqKkRq.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\qeMdMEq.exe
  C:\Windows\System\qeMdMEq.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\tlxfVJc.exe
  C:\Windows\System\tlxfVJc.exe
  2⤵
  - Executes dropped EXE
  PID:316
- C:\Windows\System\PtRRQaz.exe
  C:\Windows\System\PtRRQaz.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\PrWwQPK.exe
  C:\Windows\System\PrWwQPK.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\ltkEvrZ.exe
  C:\Windows\System\ltkEvrZ.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\KwcUHPC.exe
  C:\Windows\System\KwcUHPC.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\FNABzFw.exe
  C:\Windows\System\FNABzFw.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\ULgLqPP.exe
  C:\Windows\System\ULgLqPP.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\uxYSrTe.exe
  C:\Windows\System\uxYSrTe.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\mQPOPCU.exe
  C:\Windows\System\mQPOPCU.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\yBLuTZk.exe
  C:\Windows\System\yBLuTZk.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\cVpmeAp.exe
  C:\Windows\System\cVpmeAp.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\zdecHKU.exe
  C:\Windows\System\zdecHKU.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\TQVUrgS.exe
  C:\Windows\System\TQVUrgS.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\pVgxrLK.exe
  C:\Windows\System\pVgxrLK.exe
  2⤵
  - Executes dropped EXE
  PID:5124
- C:\Windows\System\zcIdBEt.exe
  C:\Windows\System\zcIdBEt.exe
  2⤵
  - Executes dropped EXE
  PID:5152
- C:\Windows\System\ikGyIAG.exe
  C:\Windows\System\ikGyIAG.exe
  2⤵
  - Executes dropped EXE
  PID:5180
- C:\Windows\System\xoWhbfx.exe
  C:\Windows\System\xoWhbfx.exe
  2⤵
  - Executes dropped EXE
  PID:5208
- C:\Windows\System\KqnfQiT.exe
  C:\Windows\System\KqnfQiT.exe
  2⤵
  PID:5236
- C:\Windows\System\CflIRzl.exe
  C:\Windows\System\CflIRzl.exe
  2⤵
  PID:5264
- C:\Windows\System\pGMGFjA.exe
  C:\Windows\System\pGMGFjA.exe
  2⤵
  PID:5296
- C:\Windows\System\RptNmgq.exe
  C:\Windows\System\RptNmgq.exe
  2⤵
  PID:5324
- C:\Windows\System\cScFbgq.exe
  C:\Windows\System\cScFbgq.exe
  2⤵
  PID:5356
- C:\Windows\System\pyUfAPx.exe
  C:\Windows\System\pyUfAPx.exe
  2⤵
  PID:5384
- C:\Windows\System\ARvqEwJ.exe
  C:\Windows\System\ARvqEwJ.exe
  2⤵
  PID:5412
- C:\Windows\System\DIRWoAG.exe
  C:\Windows\System\DIRWoAG.exe
  2⤵
  PID:5440
- C:\Windows\System\wGrjbTN.exe
  C:\Windows\System\wGrjbTN.exe
  2⤵
  PID:5468
- C:\Windows\System\Xharrli.exe
  C:\Windows\System\Xharrli.exe
  2⤵
  PID:5500
- C:\Windows\System\rtZkCVA.exe
  C:\Windows\System\rtZkCVA.exe
  2⤵
  PID:5528
- C:\Windows\System\TYYYqkB.exe
  C:\Windows\System\TYYYqkB.exe
  2⤵
  PID:5552
- C:\Windows\System\ZawxAPj.exe
  C:\Windows\System\ZawxAPj.exe
  2⤵
  PID:5584
- C:\Windows\System\WiktbKV.exe
  C:\Windows\System\WiktbKV.exe
  2⤵
  PID:5612
- C:\Windows\System\VyrVrpG.exe
  C:\Windows\System\VyrVrpG.exe
  2⤵
  PID:5640
- C:\Windows\System\BVqOnjI.exe
  C:\Windows\System\BVqOnjI.exe
  2⤵
  PID:5668
- C:\Windows\System\wJnguVY.exe
  C:\Windows\System\wJnguVY.exe
  2⤵
  PID:5696
- C:\Windows\System\LEfysyp.exe
  C:\Windows\System\LEfysyp.exe
  2⤵
  PID:5720
- C:\Windows\System\WuOBDMP.exe
  C:\Windows\System\WuOBDMP.exe
  2⤵
  PID:5752
- C:\Windows\System\xwbVKdc.exe
  C:\Windows\System\xwbVKdc.exe
  2⤵
  PID:5784
- C:\Windows\System\nHCJJWy.exe
  C:\Windows\System\nHCJJWy.exe
  2⤵
  PID:5812
- C:\Windows\System\ForgtfS.exe
  C:\Windows\System\ForgtfS.exe
  2⤵
  PID:5840
- C:\Windows\System\TWsXukS.exe
  C:\Windows\System\TWsXukS.exe
  2⤵
  PID:5864
- C:\Windows\System\aRuqZiq.exe
  C:\Windows\System\aRuqZiq.exe
  2⤵
  PID:5896
- C:\Windows\System\fpqjUjo.exe
  C:\Windows\System\fpqjUjo.exe
  2⤵
  PID:5924
- C:\Windows\System\OFSqzvA.exe
  C:\Windows\System\OFSqzvA.exe
  2⤵
  PID:5952
- C:\Windows\System\YLrvXmV.exe
  C:\Windows\System\YLrvXmV.exe
  2⤵
  PID:5980
- C:\Windows\System\IiMwNAz.exe
  C:\Windows\System\IiMwNAz.exe
  2⤵
  PID:6008
- C:\Windows\System\idhtcQb.exe
  C:\Windows\System\idhtcQb.exe
  2⤵
  PID:6036
- C:\Windows\System\pbVDwPI.exe
  C:\Windows\System\pbVDwPI.exe
  2⤵
  PID:6064
- C:\Windows\System\VBnTOqL.exe
  C:\Windows\System\VBnTOqL.exe
  2⤵
  PID:6092
- C:\Windows\System\TKOSvBl.exe
  C:\Windows\System\TKOSvBl.exe
  2⤵
  PID:6120
- C:\Windows\System\whJkbKw.exe
  C:\Windows\System\whJkbKw.exe
  2⤵
  PID:2884
- C:\Windows\System\vdPgoBO.exe
  C:\Windows\System\vdPgoBO.exe
  2⤵
  PID:3324
- C:\Windows\System\hGefvKz.exe
  C:\Windows\System\hGefvKz.exe
  2⤵
  PID:4468
- C:\Windows\System\nqLfcLo.exe
  C:\Windows\System\nqLfcLo.exe
  2⤵
  PID:548
- C:\Windows\System\BuaIbvp.exe
  C:\Windows\System\BuaIbvp.exe
  2⤵
  PID:3032
- C:\Windows\System\KZvybNY.exe
  C:\Windows\System\KZvybNY.exe
  2⤵
  PID:5192
- C:\Windows\System\VMUlRbo.exe
  C:\Windows\System\VMUlRbo.exe
  2⤵
  PID:5256
- C:\Windows\System\hUexWBg.exe
  C:\Windows\System\hUexWBg.exe
  2⤵
  PID:5284
- C:\Windows\System\IOYyKHI.exe
  C:\Windows\System\IOYyKHI.exe
  2⤵
  PID:5348
- C:\Windows\System\bKJeKAd.exe
  C:\Windows\System\bKJeKAd.exe
  2⤵
  PID:5404
- C:\Windows\System\xuEwBWU.exe
  C:\Windows\System\xuEwBWU.exe
  2⤵
  PID:5456
- C:\Windows\System\NAvsBgo.exe
  C:\Windows\System\NAvsBgo.exe
  2⤵
  PID:5492
- C:\Windows\System\CPZGIkp.exe
  C:\Windows\System\CPZGIkp.exe
  2⤵
  PID:5568
- C:\Windows\System\GnVYmEq.exe
  C:\Windows\System\GnVYmEq.exe
  2⤵
  PID:5624
- C:\Windows\System\eThIOGd.exe
  C:\Windows\System\eThIOGd.exe
  2⤵
  PID:5684
- C:\Windows\System\sAdZLYT.exe
  C:\Windows\System\sAdZLYT.exe
  2⤵
  PID:5736
- C:\Windows\System\PYRMdzT.exe
  C:\Windows\System\PYRMdzT.exe
  2⤵
  PID:5796
- C:\Windows\System\cwysLMJ.exe
  C:\Windows\System\cwysLMJ.exe
  2⤵
  PID:5880
- C:\Windows\System\QtnWalq.exe
  C:\Windows\System\QtnWalq.exe
  2⤵
  PID:4344
- C:\Windows\System\OGaDavN.exe
  C:\Windows\System\OGaDavN.exe
  2⤵
  PID:6000
- C:\Windows\System\tOpEJbj.exe
  C:\Windows\System\tOpEJbj.exe
  2⤵
  PID:6076
- C:\Windows\System\AjKNdzb.exe
  C:\Windows\System\AjKNdzb.exe
  2⤵
  PID:6136
- C:\Windows\System\qwujncI.exe
  C:\Windows\System\qwujncI.exe
  2⤵
  PID:4512
- C:\Windows\System\hAsvrUq.exe
  C:\Windows\System\hAsvrUq.exe
  2⤵
  PID:2592
- C:\Windows\System\joZOddc.exe
  C:\Windows\System\joZOddc.exe
  2⤵
  PID:5172
- C:\Windows\System\GNRIgTV.exe
  C:\Windows\System\GNRIgTV.exe
  2⤵
  PID:5312
- C:\Windows\System\IQmKogj.exe
  C:\Windows\System\IQmKogj.exe
  2⤵
  PID:1916
- C:\Windows\System\Bangwau.exe
  C:\Windows\System\Bangwau.exe
  2⤵
  PID:4024
- C:\Windows\System\XZcxrSw.exe
  C:\Windows\System\XZcxrSw.exe
  2⤵
  PID:5660
- C:\Windows\System\CjfvsOL.exe
  C:\Windows\System\CjfvsOL.exe
  2⤵
  PID:5772
- C:\Windows\System\TbuxVkM.exe
  C:\Windows\System\TbuxVkM.exe
  2⤵
  PID:5912
- C:\Windows\System\vYqBCzU.exe
  C:\Windows\System\vYqBCzU.exe
  2⤵
  PID:5996
- C:\Windows\System\loEKbvK.exe
  C:\Windows\System\loEKbvK.exe
  2⤵
  PID:6108
- C:\Windows\System\VxNivxm.exe
  C:\Windows\System\VxNivxm.exe
  2⤵
  PID:2572
- C:\Windows\System\PogHGSd.exe
  C:\Windows\System\PogHGSd.exe
  2⤵
  PID:1596
- C:\Windows\System\ygyPoqT.exe
  C:\Windows\System\ygyPoqT.exe
  2⤵
  PID:5540
- C:\Windows\System\oDXknee.exe
  C:\Windows\System\oDXknee.exe
  2⤵
  PID:6152
- C:\Windows\System\HZDSdDs.exe
  C:\Windows\System\HZDSdDs.exe
  2⤵
  PID:6180
- C:\Windows\System\sjvxzyX.exe
  C:\Windows\System\sjvxzyX.exe
  2⤵
  PID:6208
- C:\Windows\System\bjSosGu.exe
  C:\Windows\System\bjSosGu.exe
  2⤵
  PID:6236
- C:\Windows\System\VTXIfZJ.exe
  C:\Windows\System\VTXIfZJ.exe
  2⤵
  PID:6264
- C:\Windows\System\fCOnmaQ.exe
  C:\Windows\System\fCOnmaQ.exe
  2⤵
  PID:6292
- C:\Windows\System\PJaNXoK.exe
  C:\Windows\System\PJaNXoK.exe
  2⤵
  PID:6320
- C:\Windows\System\JjAxdsy.exe
  C:\Windows\System\JjAxdsy.exe
  2⤵
  PID:6348
- C:\Windows\System\YmXWAPX.exe
  C:\Windows\System\YmXWAPX.exe
  2⤵
  PID:6376
- C:\Windows\System\autdQlk.exe
  C:\Windows\System\autdQlk.exe
  2⤵
  PID:6404
- C:\Windows\System\pwkgxtb.exe
  C:\Windows\System\pwkgxtb.exe
  2⤵
  PID:6432
- C:\Windows\System\jgRvpfP.exe
  C:\Windows\System\jgRvpfP.exe
  2⤵
  PID:6460
- C:\Windows\System\HpTTpxB.exe
  C:\Windows\System\HpTTpxB.exe
  2⤵
  PID:6488
- C:\Windows\System\qfIjtDu.exe
  C:\Windows\System\qfIjtDu.exe
  2⤵
  PID:6516
- C:\Windows\System\qkyYIVu.exe
  C:\Windows\System\qkyYIVu.exe
  2⤵
  PID:6540
- C:\Windows\System\RThcOvh.exe
  C:\Windows\System\RThcOvh.exe
  2⤵
  PID:6568
- C:\Windows\System\RsiySmd.exe
  C:\Windows\System\RsiySmd.exe
  2⤵
  PID:6612
- C:\Windows\System\IYAtZSX.exe
  C:\Windows\System\IYAtZSX.exe
  2⤵
  PID:6640
- C:\Windows\System\BDXOpCP.exe
  C:\Windows\System\BDXOpCP.exe
  2⤵
  PID:6668
- C:\Windows\System\xHsAOTG.exe
  C:\Windows\System\xHsAOTG.exe
  2⤵
  PID:6684
- C:\Windows\System\pfCxQQX.exe
  C:\Windows\System\pfCxQQX.exe
  2⤵
  PID:6712
- C:\Windows\System\zRZntDo.exe
  C:\Windows\System\zRZntDo.exe
  2⤵
  PID:6740
- C:\Windows\System\ciOReRV.exe
  C:\Windows\System\ciOReRV.exe
  2⤵
  PID:6768
- C:\Windows\System\MPxKJyH.exe
  C:\Windows\System\MPxKJyH.exe
  2⤵
  PID:6792
- C:\Windows\System\UoVWRjP.exe
  C:\Windows\System\UoVWRjP.exe
  2⤵
  PID:6824
- C:\Windows\System\uKqvVJF.exe
  C:\Windows\System\uKqvVJF.exe
  2⤵
  PID:6848
- C:\Windows\System\umHNfUp.exe
  C:\Windows\System\umHNfUp.exe
  2⤵
  PID:6876
- C:\Windows\System\UealtrM.exe
  C:\Windows\System\UealtrM.exe
  2⤵
  PID:6904
- C:\Windows\System\KJKHKmh.exe
  C:\Windows\System\KJKHKmh.exe
  2⤵
  PID:6932
- C:\Windows\System\SREKgjZ.exe
  C:\Windows\System\SREKgjZ.exe
  2⤵
  PID:6964
- C:\Windows\System\QbzxCli.exe
  C:\Windows\System\QbzxCli.exe
  2⤵
  PID:6992
- C:\Windows\System\gTUszHi.exe
  C:\Windows\System\gTUszHi.exe
  2⤵
  PID:7016
- C:\Windows\System\HLNazOd.exe
  C:\Windows\System\HLNazOd.exe
  2⤵
  PID:7044
- C:\Windows\System\ESRMEXt.exe
  C:\Windows\System\ESRMEXt.exe
  2⤵
  PID:7076
- C:\Windows\System\qmKaWSy.exe
  C:\Windows\System\qmKaWSy.exe
  2⤵
  PID:7100
- C:\Windows\System\xmIQoze.exe
  C:\Windows\System\xmIQoze.exe
  2⤵
  PID:7128
- C:\Windows\System\SZWpJlf.exe
  C:\Windows\System\SZWpJlf.exe
  2⤵
  PID:7156
- C:\Windows\System\GrNFFmM.exe
  C:\Windows\System\GrNFFmM.exe
  2⤵
  PID:5832
- C:\Windows\System\PzfgxXn.exe
  C:\Windows\System\PzfgxXn.exe
  2⤵
  PID:3384
- C:\Windows\System\VpJHfMQ.exe
  C:\Windows\System\VpJHfMQ.exe
  2⤵
  PID:4232
- C:\Windows\System\ROBFpTI.exe
  C:\Windows\System\ROBFpTI.exe
  2⤵
  PID:3148
- C:\Windows\System\yGQZVLc.exe
  C:\Windows\System\yGQZVLc.exe
  2⤵
  PID:6192
- C:\Windows\System\OXOQBIz.exe
  C:\Windows\System\OXOQBIz.exe
  2⤵
  PID:6228
- C:\Windows\System\NXbsdtv.exe
  C:\Windows\System\NXbsdtv.exe
  2⤵
  PID:6312
- C:\Windows\System\OVJZsNV.exe
  C:\Windows\System\OVJZsNV.exe
  2⤵
  PID:2432
- C:\Windows\System\XpBmptQ.exe
  C:\Windows\System\XpBmptQ.exe
  2⤵
  PID:6508
- C:\Windows\System\EfwZcAM.exe
  C:\Windows\System\EfwZcAM.exe
  2⤵
  PID:784
- C:\Windows\System\titlqnj.exe
  C:\Windows\System\titlqnj.exe
  2⤵
  PID:444
- C:\Windows\System\xYBspDm.exe
  C:\Windows\System\xYBspDm.exe
  2⤵
  PID:3764
- C:\Windows\System\ydnWhoJ.exe
  C:\Windows\System\ydnWhoJ.exe
  2⤵
  PID:6660
- C:\Windows\System\JwcERWY.exe
  C:\Windows\System\JwcERWY.exe
  2⤵
  PID:2472
- C:\Windows\System\EsEeGwN.exe
  C:\Windows\System\EsEeGwN.exe
  2⤵
  PID:6704
- C:\Windows\System\TmsJheB.exe
  C:\Windows\System\TmsJheB.exe
  2⤵
  PID:6756
- C:\Windows\System\ZmTTmoZ.exe
  C:\Windows\System\ZmTTmoZ.exe
  2⤵
  PID:6816
- C:\Windows\System\bfMTfEf.exe
  C:\Windows\System\bfMTfEf.exe
  2⤵
  PID:6892
- C:\Windows\System\LihrCth.exe
  C:\Windows\System\LihrCth.exe
  2⤵
  PID:7004
- C:\Windows\System\OqFbCEn.exe
  C:\Windows\System\OqFbCEn.exe
  2⤵
  PID:7064
- C:\Windows\System\lQxwfAb.exe
  C:\Windows\System\lQxwfAb.exe
  2⤵
  PID:7096
- C:\Windows\System\whivrBL.exe
  C:\Windows\System\whivrBL.exe
  2⤵
  PID:4908
- C:\Windows\System\CgVrIeW.exe
  C:\Windows\System\CgVrIeW.exe
  2⤵
  PID:4372
- C:\Windows\System\bVRVfag.exe
  C:\Windows\System\bVRVfag.exe
  2⤵
  PID:3564
- C:\Windows\System\huHZNmH.exe
  C:\Windows\System\huHZNmH.exe
  2⤵
  PID:6172
- C:\Windows\System\bsLyShK.exe
  C:\Windows\System\bsLyShK.exe
  2⤵
  PID:2356
- C:\Windows\System\paAwMlC.exe
  C:\Windows\System\paAwMlC.exe
  2⤵
  PID:2080
- C:\Windows\System\srBRDmO.exe
  C:\Windows\System\srBRDmO.exe
  2⤵
  PID:6396
- C:\Windows\System\pnFUqAm.exe
  C:\Windows\System\pnFUqAm.exe
  2⤵
  PID:2340
- C:\Windows\System\zJewzlc.exe
  C:\Windows\System\zJewzlc.exe
  2⤵
  PID:4720
- C:\Windows\System\HopdyjX.exe
  C:\Windows\System\HopdyjX.exe
  2⤵
  PID:2032
- C:\Windows\System\kZUZRvX.exe
  C:\Windows\System\kZUZRvX.exe
  2⤵
  PID:3756
- C:\Windows\System\AXtRNkn.exe
  C:\Windows\System\AXtRNkn.exe
  2⤵
  PID:6632
- C:\Windows\System\MtEwPSd.exe
  C:\Windows\System\MtEwPSd.exe
  2⤵
  PID:6732
- C:\Windows\System\vAQKGwl.exe
  C:\Windows\System\vAQKGwl.exe
  2⤵
  PID:6808
- C:\Windows\System\xfcqKGD.exe
  C:\Windows\System\xfcqKGD.exe
  2⤵
  PID:6976
- C:\Windows\System\sQWkuUh.exe
  C:\Windows\System\sQWkuUh.exe
  2⤵
  PID:7088
- C:\Windows\System\ghVLkaK.exe
  C:\Windows\System\ghVLkaK.exe
  2⤵
  PID:4152
- C:\Windows\System\XYKpyez.exe
  C:\Windows\System\XYKpyez.exe
  2⤵
  PID:6200
- C:\Windows\System\SMrsgJc.exe
  C:\Windows\System\SMrsgJc.exe
  2⤵
  PID:6220
- C:\Windows\System\hPAqoCb.exe
  C:\Windows\System\hPAqoCb.exe
  2⤵
  PID:2532
- C:\Windows\System\fYsgYkC.exe
  C:\Windows\System\fYsgYkC.exe
  2⤵
  PID:6608
- C:\Windows\System\slwyXWT.exe
  C:\Windows\System\slwyXWT.exe
  2⤵
  PID:7036
- C:\Windows\System\gOZdqXc.exe
  C:\Windows\System\gOZdqXc.exe
  2⤵
  PID:456
- C:\Windows\System\mMuCKNJ.exe
  C:\Windows\System\mMuCKNJ.exe
  2⤵
  PID:7120
- C:\Windows\System\CXnVJMe.exe
  C:\Windows\System\CXnVJMe.exe
  2⤵
  PID:6840
- C:\Windows\System\dxhffnW.exe
  C:\Windows\System\dxhffnW.exe
  2⤵
  PID:7180
- C:\Windows\System\ThLOuFX.exe
  C:\Windows\System\ThLOuFX.exe
  2⤵
  PID:7200
- C:\Windows\System\gOSNOpo.exe
  C:\Windows\System\gOSNOpo.exe
  2⤵
  PID:7224
- C:\Windows\System\huDYtSR.exe
  C:\Windows\System\huDYtSR.exe
  2⤵
  PID:7272
- C:\Windows\System\TflvieE.exe
  C:\Windows\System\TflvieE.exe
  2⤵
  PID:7292
- C:\Windows\System\EncxFVf.exe
  C:\Windows\System\EncxFVf.exe
  2⤵
  PID:7308
- C:\Windows\System\uDaqrYw.exe
  C:\Windows\System\uDaqrYw.exe
  2⤵
  PID:7348
- C:\Windows\System\KYobaCZ.exe
  C:\Windows\System\KYobaCZ.exe
  2⤵
  PID:7364
- C:\Windows\System\ReMqDXP.exe
  C:\Windows\System\ReMqDXP.exe
  2⤵
  PID:7384
- C:\Windows\System\XbLVzvL.exe
  C:\Windows\System\XbLVzvL.exe
  2⤵
  PID:7400
- C:\Windows\System\qFvPzrM.exe
  C:\Windows\System\qFvPzrM.exe
  2⤵
  PID:7452
- C:\Windows\System\sxzRgam.exe
  C:\Windows\System\sxzRgam.exe
  2⤵
  PID:7472
- C:\Windows\System\HaFZvUm.exe
  C:\Windows\System\HaFZvUm.exe
  2⤵
  PID:7492
- C:\Windows\System\GUydaTh.exe
  C:\Windows\System\GUydaTh.exe
  2⤵
  PID:7516
- C:\Windows\System\ZJgNnej.exe
  C:\Windows\System\ZJgNnej.exe
  2⤵
  PID:7536
- C:\Windows\System\zfIGVpF.exe
  C:\Windows\System\zfIGVpF.exe
  2⤵
  PID:7584
- C:\Windows\System\SgUtQbg.exe
  C:\Windows\System\SgUtQbg.exe
  2⤵
  PID:7636
- C:\Windows\System\UjdsRfs.exe
  C:\Windows\System\UjdsRfs.exe
  2⤵
  PID:7656
- C:\Windows\System\mlqBiuH.exe
  C:\Windows\System\mlqBiuH.exe
  2⤵
  PID:7676
- C:\Windows\System\igpVxuR.exe
  C:\Windows\System\igpVxuR.exe
  2⤵
  PID:7700
- C:\Windows\System\UuzWSwG.exe
  C:\Windows\System\UuzWSwG.exe
  2⤵
  PID:7724
- C:\Windows\System\yyXxdlm.exe
  C:\Windows\System\yyXxdlm.exe
  2⤵
  PID:7744
- C:\Windows\System\CoWSWTQ.exe
  C:\Windows\System\CoWSWTQ.exe
  2⤵
  PID:7792
- C:\Windows\System\lmQiwHD.exe
  C:\Windows\System\lmQiwHD.exe
  2⤵
  PID:7816
- C:\Windows\System\LHvJNNH.exe
  C:\Windows\System\LHvJNNH.exe
  2⤵
  PID:7836
- C:\Windows\System\AVCHkId.exe
  C:\Windows\System\AVCHkId.exe
  2⤵
  PID:7872
- C:\Windows\System\fMOSeHD.exe
  C:\Windows\System\fMOSeHD.exe
  2⤵
  PID:7908
- C:\Windows\System\mYLHCLJ.exe
  C:\Windows\System\mYLHCLJ.exe
  2⤵
  PID:7944
- C:\Windows\System\bxfTEdL.exe
  C:\Windows\System\bxfTEdL.exe
  2⤵
  PID:7960
- C:\Windows\System\uKHNhql.exe
  C:\Windows\System\uKHNhql.exe
  2⤵
  PID:7988
- C:\Windows\System\oNhWPZZ.exe
  C:\Windows\System\oNhWPZZ.exe
  2⤵
  PID:8016
- C:\Windows\System\XoOMgkK.exe
  C:\Windows\System\XoOMgkK.exe
  2⤵
  PID:8036
- C:\Windows\System\AIinEfn.exe
  C:\Windows\System\AIinEfn.exe
  2⤵
  PID:8072
- C:\Windows\System\OnyXJcZ.exe
  C:\Windows\System\OnyXJcZ.exe
  2⤵
  PID:8112
- C:\Windows\System\RPIwaQl.exe
  C:\Windows\System\RPIwaQl.exe
  2⤵
  PID:8152
- C:\Windows\System\yzYtyfb.exe
  C:\Windows\System\yzYtyfb.exe
  2⤵
  PID:8172
- C:\Windows\System\UOnxtRy.exe
  C:\Windows\System\UOnxtRy.exe
  2⤵
  PID:4160
- C:\Windows\System\GgZvIBd.exe
  C:\Windows\System\GgZvIBd.exe
  2⤵
  PID:6700
- C:\Windows\System\rpslYfJ.exe
  C:\Windows\System\rpslYfJ.exe
  2⤵
  PID:7284
- C:\Windows\System\HZLNeiU.exe
  C:\Windows\System\HZLNeiU.exe
  2⤵
  PID:7304
- C:\Windows\System\SFaaykB.exe
  C:\Windows\System\SFaaykB.exe
  2⤵
  PID:7360
- C:\Windows\System\UNvApxr.exe
  C:\Windows\System\UNvApxr.exe
  2⤵
  PID:7428
- C:\Windows\System\KtsmOKk.exe
  C:\Windows\System\KtsmOKk.exe
  2⤵
  PID:7464
- C:\Windows\System\EQsyxCI.exe
  C:\Windows\System\EQsyxCI.exe
  2⤵
  PID:7552
- C:\Windows\System\IvNtthv.exe
  C:\Windows\System\IvNtthv.exe
  2⤵
  PID:7608
- C:\Windows\System\OhCjxNa.exe
  C:\Windows\System\OhCjxNa.exe
  2⤵
  PID:7672
- C:\Windows\System\tfMlpdJ.exe
  C:\Windows\System\tfMlpdJ.exe
  2⤵
  PID:7712
- C:\Windows\System\dJWawQy.exe
  C:\Windows\System\dJWawQy.exe
  2⤵
  PID:7808
- C:\Windows\System\lweKEjL.exe
  C:\Windows\System\lweKEjL.exe
  2⤵
  PID:7904
- C:\Windows\System\weEqTeP.exe
  C:\Windows\System\weEqTeP.exe
  2⤵
  PID:7956
- C:\Windows\System\zmuBqWO.exe
  C:\Windows\System\zmuBqWO.exe
  2⤵
  PID:8008
- C:\Windows\System\lWBsDnM.exe
  C:\Windows\System\lWBsDnM.exe
  2⤵
  PID:8128
- C:\Windows\System\TwQPvxW.exe
  C:\Windows\System\TwQPvxW.exe
  2⤵
  PID:8180
- C:\Windows\System\OdTfAvs.exe
  C:\Windows\System\OdTfAvs.exe
  2⤵
  PID:7300
- C:\Windows\System\KZGrJQY.exe
  C:\Windows\System\KZGrJQY.exe
  2⤵
  PID:7396
- C:\Windows\System\rBWCBrb.exe
  C:\Windows\System\rBWCBrb.exe
  2⤵
  PID:7576
- C:\Windows\System\nYhliPz.exe
  C:\Windows\System\nYhliPz.exe
  2⤵
  PID:7628
- C:\Windows\System\cNgCQGd.exe
  C:\Windows\System\cNgCQGd.exe
  2⤵
  PID:7740
- C:\Windows\System\pvqiikM.exe
  C:\Windows\System\pvqiikM.exe
  2⤵
  PID:7936
- C:\Windows\System\NwwKDRy.exe
  C:\Windows\System\NwwKDRy.exe
  2⤵
  PID:6868
- C:\Windows\System\xFGQdqM.exe
  C:\Windows\System\xFGQdqM.exe
  2⤵
  PID:7508
- C:\Windows\System\QMqJKAX.exe
  C:\Windows\System\QMqJKAX.exe
  2⤵
  PID:7828
- C:\Windows\System\jmwrMsa.exe
  C:\Windows\System\jmwrMsa.exe
  2⤵
  PID:8196
- C:\Windows\System\SWfXCOj.exe
  C:\Windows\System\SWfXCOj.exe
  2⤵
  PID:8212
- C:\Windows\System\aYTIyRb.exe
  C:\Windows\System\aYTIyRb.exe
  2⤵
  PID:8236
- C:\Windows\System\INTKhHe.exe
  C:\Windows\System\INTKhHe.exe
  2⤵
  PID:8256
- C:\Windows\System\PglZevA.exe
  C:\Windows\System\PglZevA.exe
  2⤵
  PID:8288
- C:\Windows\System\jLbhkGl.exe
  C:\Windows\System\jLbhkGl.exe
  2⤵
  PID:8312
- C:\Windows\System\RahjYic.exe
  C:\Windows\System\RahjYic.exe
  2⤵
  PID:8328
- C:\Windows\System\RfUtlBU.exe
  C:\Windows\System\RfUtlBU.exe
  2⤵
  PID:8384
- C:\Windows\System\iOrJzLq.exe
  C:\Windows\System\iOrJzLq.exe
  2⤵
  PID:8400
- C:\Windows\System\dCAFdKQ.exe
  C:\Windows\System\dCAFdKQ.exe
  2⤵
  PID:8432
- C:\Windows\System\szvwMCV.exe
  C:\Windows\System\szvwMCV.exe
  2⤵
  PID:8460
- C:\Windows\System\UIVURMY.exe
  C:\Windows\System\UIVURMY.exe
  2⤵
  PID:8496
- C:\Windows\System\EiUYtGE.exe
  C:\Windows\System\EiUYtGE.exe
  2⤵
  PID:8532
- C:\Windows\System\iTNqYnp.exe
  C:\Windows\System\iTNqYnp.exe
  2⤵
  PID:8572
- C:\Windows\System\ugPygeZ.exe
  C:\Windows\System\ugPygeZ.exe
  2⤵
  PID:8596
- C:\Windows\System\vGdKUjd.exe
  C:\Windows\System\vGdKUjd.exe
  2⤵
  PID:8616
- C:\Windows\System\heiDiiD.exe
  C:\Windows\System\heiDiiD.exe
  2⤵
  PID:8644
- C:\Windows\System\KTGXIQT.exe
  C:\Windows\System\KTGXIQT.exe
  2⤵
  PID:8668
- C:\Windows\System\QPPYYWv.exe
  C:\Windows\System\QPPYYWv.exe
  2⤵
  PID:8692
- C:\Windows\System\IwzjWyX.exe
  C:\Windows\System\IwzjWyX.exe
  2⤵
  PID:8720
- C:\Windows\System\DgOPjdK.exe
  C:\Windows\System\DgOPjdK.exe
  2⤵
  PID:8760
- C:\Windows\System\GtREMkY.exe
  C:\Windows\System\GtREMkY.exe
  2⤵
  PID:8800
- C:\Windows\System\KBaIyFi.exe
  C:\Windows\System\KBaIyFi.exe
  2⤵
  PID:8824
- C:\Windows\System\JKzXYaQ.exe
  C:\Windows\System\JKzXYaQ.exe
  2⤵
  PID:8844
- C:\Windows\System\mgVLDEG.exe
  C:\Windows\System\mgVLDEG.exe
  2⤵
  PID:8872
- C:\Windows\System\CXFFhOt.exe
  C:\Windows\System\CXFFhOt.exe
  2⤵
  PID:8900
- C:\Windows\System\GTpkFsn.exe
  C:\Windows\System\GTpkFsn.exe
  2⤵
  PID:8928
- C:\Windows\System\NsiABAg.exe
  C:\Windows\System\NsiABAg.exe
  2⤵
  PID:8964
- C:\Windows\System\kqkbKhL.exe
  C:\Windows\System\kqkbKhL.exe
  2⤵
  PID:9000
- C:\Windows\System\ZHENuvz.exe
  C:\Windows\System\ZHENuvz.exe
  2⤵
  PID:9016
- C:\Windows\System\xjqVOWM.exe
  C:\Windows\System\xjqVOWM.exe
  2⤵
  PID:9032
- C:\Windows\System\RxWAcMw.exe
  C:\Windows\System\RxWAcMw.exe
  2⤵
  PID:9052
- C:\Windows\System\NFKjRTD.exe
  C:\Windows\System\NFKjRTD.exe
  2⤵
  PID:9108
- C:\Windows\System\NGotsbW.exe
  C:\Windows\System\NGotsbW.exe
  2⤵
  PID:9132
- C:\Windows\System\pZSBdJy.exe
  C:\Windows\System\pZSBdJy.exe
  2⤵
  PID:9152
- C:\Windows\System\patKGmP.exe
  C:\Windows\System\patKGmP.exe
  2⤵
  PID:9180
- C:\Windows\System\mBaniOV.exe
  C:\Windows\System\mBaniOV.exe
  2⤵
  PID:9208
- C:\Windows\System\jAOYzRX.exe
  C:\Windows\System\jAOYzRX.exe
  2⤵
  PID:7424
- C:\Windows\System\sTmAyVA.exe
  C:\Windows\System\sTmAyVA.exe
  2⤵
  PID:8228
- C:\Windows\System\ISjwZoY.exe
  C:\Windows\System\ISjwZoY.exe
  2⤵
  PID:8324
- C:\Windows\System\Mfzdezq.exe
  C:\Windows\System\Mfzdezq.exe
  2⤵
  PID:8440
- C:\Windows\System\KPrKPbY.exe
  C:\Windows\System\KPrKPbY.exe
  2⤵
  PID:8468
- C:\Windows\System\fGBjesE.exe
  C:\Windows\System\fGBjesE.exe
  2⤵
  PID:8564
- C:\Windows\System\MIcmTER.exe
  C:\Windows\System\MIcmTER.exe
  2⤵
  PID:8608
- C:\Windows\System\YgyNxsK.exe
  C:\Windows\System\YgyNxsK.exe
  2⤵
  PID:8656
- C:\Windows\System\yQCQYFO.exe
  C:\Windows\System\yQCQYFO.exe
  2⤵
  PID:8752
- C:\Windows\System\qenhyZr.exe
  C:\Windows\System\qenhyZr.exe
  2⤵
  PID:8840
- C:\Windows\System\FDEWHWO.exe
  C:\Windows\System\FDEWHWO.exe
  2⤵
  PID:8108
- C:\Windows\System\lyrKZHK.exe
  C:\Windows\System\lyrKZHK.exe
  2⤵
  PID:8948
- C:\Windows\System\uoPIGcr.exe
  C:\Windows\System\uoPIGcr.exe
  2⤵
  PID:8988
- C:\Windows\System\vOqSdRU.exe
  C:\Windows\System\vOqSdRU.exe
  2⤵
  PID:9012
- C:\Windows\System\iKNaXld.exe
  C:\Windows\System\iKNaXld.exe
  2⤵
  PID:9044
- C:\Windows\System\mkMaimi.exe
  C:\Windows\System\mkMaimi.exe
  2⤵
  PID:9124
- C:\Windows\System\UIwedmb.exe
  C:\Windows\System\UIwedmb.exe
  2⤵
  PID:9172
- C:\Windows\System\fCsjWKu.exe
  C:\Windows\System\fCsjWKu.exe
  2⤵
  PID:7648
- C:\Windows\System\dwEpVvE.exe
  C:\Windows\System\dwEpVvE.exe
  2⤵
  PID:8552
- C:\Windows\System\CRHpdBh.exe
  C:\Windows\System\CRHpdBh.exe
  2⤵
  PID:8624
- C:\Windows\System\EDwoipm.exe
  C:\Windows\System\EDwoipm.exe
  2⤵
  PID:8756
- C:\Windows\System\ZlXuBrL.exe
  C:\Windows\System\ZlXuBrL.exe
  2⤵
  PID:9024
- C:\Windows\System\MhovWUl.exe
  C:\Windows\System\MhovWUl.exe
  2⤵
  PID:9164
- C:\Windows\System\mFKYIpS.exe
  C:\Windows\System\mFKYIpS.exe
  2⤵
  PID:8264
- C:\Windows\System\YNzRJtp.exe
  C:\Windows\System\YNzRJtp.exe
  2⤵
  PID:8664
- C:\Windows\System\yoZtgaz.exe
  C:\Windows\System\yoZtgaz.exe
  2⤵
  PID:8936
- C:\Windows\System\ZAgDkLK.exe
  C:\Windows\System\ZAgDkLK.exe
  2⤵
  PID:8528
- C:\Windows\System\geVfXwd.exe
  C:\Windows\System\geVfXwd.exe
  2⤵
  PID:8920
- C:\Windows\System\tMMtlpW.exe
  C:\Windows\System\tMMtlpW.exe
  2⤵
  PID:9244
- C:\Windows\System\UEwbdSP.exe
  C:\Windows\System\UEwbdSP.exe
  2⤵
  PID:9264
- C:\Windows\System\MvESxpL.exe
  C:\Windows\System\MvESxpL.exe
  2⤵
  PID:9292
- C:\Windows\System\nCSiFiE.exe
  C:\Windows\System\nCSiFiE.exe
  2⤵
  PID:9332
- C:\Windows\System\KwkDhhV.exe
  C:\Windows\System\KwkDhhV.exe
  2⤵
  PID:9352
- C:\Windows\System\zLlLviG.exe
  C:\Windows\System\zLlLviG.exe
  2⤵
  PID:9388
- C:\Windows\System\PYfPTfk.exe
  C:\Windows\System\PYfPTfk.exe
  2⤵
  PID:9408
- C:\Windows\System\ogArbbx.exe
  C:\Windows\System\ogArbbx.exe
  2⤵
  PID:9428
- C:\Windows\System\LyESGyZ.exe
  C:\Windows\System\LyESGyZ.exe
  2⤵
  PID:9512
- C:\Windows\System\IZtAozo.exe
  C:\Windows\System\IZtAozo.exe
  2⤵
  PID:9528
- C:\Windows\System\rAaxHCL.exe
  C:\Windows\System\rAaxHCL.exe
  2⤵
  PID:9552
- C:\Windows\System\XLIAWPP.exe
  C:\Windows\System\XLIAWPP.exe
  2⤵
  PID:9568
- C:\Windows\System\QqxhsCZ.exe
  C:\Windows\System\QqxhsCZ.exe
  2⤵
  PID:9592
- C:\Windows\System\LBNPfYV.exe
  C:\Windows\System\LBNPfYV.exe
  2⤵
  PID:9616
- C:\Windows\System\IoicRee.exe
  C:\Windows\System\IoicRee.exe
  2⤵
  PID:9720
- C:\Windows\System\waRYOWm.exe
  C:\Windows\System\waRYOWm.exe
  2⤵
  PID:9748
- C:\Windows\System\NtozNZe.exe
  C:\Windows\System\NtozNZe.exe
  2⤵
  PID:9768
- C:\Windows\System\nLzwKcm.exe
  C:\Windows\System\nLzwKcm.exe
  2⤵
  PID:9824
- C:\Windows\System\QDiRwml.exe
  C:\Windows\System\QDiRwml.exe
  2⤵
  PID:9848
- C:\Windows\System\JPwnfqB.exe
  C:\Windows\System\JPwnfqB.exe
  2⤵
  PID:9884
- C:\Windows\System\sPShyIX.exe
  C:\Windows\System\sPShyIX.exe
  2⤵
  PID:9908
- C:\Windows\System\LjEqrzJ.exe
  C:\Windows\System\LjEqrzJ.exe
  2⤵
  PID:9932
- C:\Windows\System\EGWiHVL.exe
  C:\Windows\System\EGWiHVL.exe
  2⤵
  PID:9952
- C:\Windows\System\IrErqRu.exe
  C:\Windows\System\IrErqRu.exe
  2⤵
  PID:9976
- C:\Windows\System\nSWHUSJ.exe
  C:\Windows\System\nSWHUSJ.exe
  2⤵
  PID:10028
- C:\Windows\System\yAygEdv.exe
  C:\Windows\System\yAygEdv.exe
  2⤵
  PID:10100
- C:\Windows\System\hBntTkU.exe
  C:\Windows\System\hBntTkU.exe
  2⤵
  PID:10128
- C:\Windows\System\qSxupJq.exe
  C:\Windows\System\qSxupJq.exe
  2⤵
  PID:10148
- C:\Windows\System\pCQBuPB.exe
  C:\Windows\System\pCQBuPB.exe
  2⤵
  PID:10188
- C:\Windows\System\BrBWOtc.exe
  C:\Windows\System\BrBWOtc.exe
  2⤵
  PID:10208
- C:\Windows\System\glohWYU.exe
  C:\Windows\System\glohWYU.exe
  2⤵
  PID:10236
- C:\Windows\System\gjMThdn.exe
  C:\Windows\System\gjMThdn.exe
  2⤵
  PID:9256
- C:\Windows\System\FHyYdyg.exe
  C:\Windows\System\FHyYdyg.exe
  2⤵
  PID:9344
- C:\Windows\System\ovDQSBg.exe
  C:\Windows\System\ovDQSBg.exe
  2⤵
  PID:9372
- C:\Windows\System\OQoIhZX.exe
  C:\Windows\System\OQoIhZX.exe
  2⤵
  PID:9404
- C:\Windows\System\JTebNPJ.exe
  C:\Windows\System\JTebNPJ.exe
  2⤵
  PID:9524
- C:\Windows\System\ItbWEVT.exe
  C:\Windows\System\ItbWEVT.exe
  2⤵
  PID:9560
- C:\Windows\System\fsEijal.exe
  C:\Windows\System\fsEijal.exe
  2⤵
  PID:9636
- C:\Windows\System\CBjnlCC.exe
  C:\Windows\System\CBjnlCC.exe
  2⤵
  PID:9684
- C:\Windows\System\sFmxlPU.exe
  C:\Windows\System\sFmxlPU.exe
  2⤵
  PID:9760
- C:\Windows\System\jNErURS.exe
  C:\Windows\System\jNErURS.exe
  2⤵
  PID:9808
- C:\Windows\System\yIxGyXT.exe
  C:\Windows\System\yIxGyXT.exe
  2⤵
  PID:9688
- C:\Windows\System\TMaHOUB.exe
  C:\Windows\System\TMaHOUB.exe
  2⤵
  PID:9736
- C:\Windows\System\jceFkUz.exe
  C:\Windows\System\jceFkUz.exe
  2⤵
  PID:9844
- C:\Windows\System\dtXExvU.exe
  C:\Windows\System\dtXExvU.exe
  2⤵
  PID:9928
- C:\Windows\System\oooeBJc.exe
  C:\Windows\System\oooeBJc.exe
  2⤵
  PID:9880
- C:\Windows\System\RiwDcKv.exe
  C:\Windows\System\RiwDcKv.exe
  2⤵
  PID:10016
- C:\Windows\System\vbpjquC.exe
  C:\Windows\System\vbpjquC.exe
  2⤵
  PID:10088
- C:\Windows\System\vJTaRVW.exe
  C:\Windows\System\vJTaRVW.exe
  2⤵
  PID:10172
- C:\Windows\System\TEjbuGF.exe
  C:\Windows\System\TEjbuGF.exe
  2⤵
  PID:10200
- C:\Windows\System\rJKaoRK.exe
  C:\Windows\System\rJKaoRK.exe
  2⤵
  PID:9312
- C:\Windows\System\LwBESVF.exe
  C:\Windows\System\LwBESVF.exe
  2⤵
  PID:9316
- C:\Windows\System\MTJWvgK.exe
  C:\Windows\System\MTJWvgK.exe
  2⤵
  PID:9400
- C:\Windows\System\qXlLOgv.exe
  C:\Windows\System\qXlLOgv.exe
  2⤵
  PID:9628
- C:\Windows\System\JnUdpWN.exe
  C:\Windows\System\JnUdpWN.exe
  2⤵
  PID:8992
- C:\Windows\System\mDtzvXI.exe
  C:\Windows\System\mDtzvXI.exe
  2⤵
  PID:9788
- C:\Windows\System\hkNqJbz.exe
  C:\Windows\System\hkNqJbz.exe
  2⤵
  PID:9948
- C:\Windows\System\viaBYZP.exe
  C:\Windows\System\viaBYZP.exe
  2⤵
  PID:9968
- C:\Windows\System\IgZftmS.exe
  C:\Windows\System\IgZftmS.exe
  2⤵
  PID:10004
- C:\Windows\System\ZOgMxor.exe
  C:\Windows\System\ZOgMxor.exe
  2⤵
  PID:9272
- C:\Windows\System\hCnWqcd.exe
  C:\Windows\System\hCnWqcd.exe
  2⤵
  PID:9544
- C:\Windows\System\SpAnQPw.exe
  C:\Windows\System\SpAnQPw.exe
  2⤵
  PID:10256
- C:\Windows\System\zINbSFJ.exe
  C:\Windows\System\zINbSFJ.exe
  2⤵
  PID:10300
- C:\Windows\System\HRvezlD.exe
  C:\Windows\System\HRvezlD.exe
  2⤵
  PID:10320
- C:\Windows\System\zkEHMZw.exe
  C:\Windows\System\zkEHMZw.exe
  2⤵
  PID:10344
- C:\Windows\System\LkXAnOE.exe
  C:\Windows\System\LkXAnOE.exe
  2⤵
  PID:10372
- C:\Windows\System\jwxCapO.exe
  C:\Windows\System\jwxCapO.exe
  2⤵
  PID:10396
- C:\Windows\System\YEqpklY.exe
  C:\Windows\System\YEqpklY.exe
  2⤵
  PID:10412
- C:\Windows\System\eZHflnB.exe
  C:\Windows\System\eZHflnB.exe
  2⤵
  PID:10436
- C:\Windows\System\oWCvXjS.exe
  C:\Windows\System\oWCvXjS.exe
  2⤵
  PID:10472
- C:\Windows\System\mJcfxhB.exe
  C:\Windows\System\mJcfxhB.exe
  2⤵
  PID:10540
- C:\Windows\System\upGBJQz.exe
  C:\Windows\System\upGBJQz.exe
  2⤵
  PID:10580
- C:\Windows\System\IARTUev.exe
  C:\Windows\System\IARTUev.exe
  2⤵
  PID:10612
- C:\Windows\System\lQVGHDv.exe
  C:\Windows\System\lQVGHDv.exe
  2⤵
  PID:10628
- C:\Windows\System\Smcnvgg.exe
  C:\Windows\System\Smcnvgg.exe
  2⤵
  PID:10648
- C:\Windows\System\ntlRfrL.exe
  C:\Windows\System\ntlRfrL.exe
  2⤵
  PID:10704
- C:\Windows\System\sGbWDbZ.exe
  C:\Windows\System\sGbWDbZ.exe
  2⤵
  PID:10728
- C:\Windows\System\EkubGfc.exe
  C:\Windows\System\EkubGfc.exe
  2⤵
  PID:10752
- C:\Windows\System\DbeEaHe.exe
  C:\Windows\System\DbeEaHe.exe
  2⤵
  PID:10796
- C:\Windows\System\idQRMfn.exe
  C:\Windows\System\idQRMfn.exe
  2⤵
  PID:10828
- C:\Windows\System\nSDqrds.exe
  C:\Windows\System\nSDqrds.exe
  2⤵
  PID:10864
- C:\Windows\System\kkSmQUx.exe
  C:\Windows\System\kkSmQUx.exe
  2⤵
  PID:10880
- C:\Windows\System\nFVWHSQ.exe
  C:\Windows\System\nFVWHSQ.exe
  2⤵
  PID:10900
- C:\Windows\System\kLERHeR.exe
  C:\Windows\System\kLERHeR.exe
  2⤵
  PID:10924
- C:\Windows\System\SGCsPoT.exe
  C:\Windows\System\SGCsPoT.exe
  2⤵
  PID:10956
- C:\Windows\System\PTvwStx.exe
  C:\Windows\System\PTvwStx.exe
  2⤵
  PID:11004
- C:\Windows\System\gUqzErW.exe
  C:\Windows\System\gUqzErW.exe
  2⤵
  PID:11024
- C:\Windows\System\hYcbubc.exe
  C:\Windows\System\hYcbubc.exe
  2⤵
  PID:11044
- C:\Windows\System\fVYJrfI.exe
  C:\Windows\System\fVYJrfI.exe
  2⤵
  PID:11076
- C:\Windows\System\kyIyhVz.exe
  C:\Windows\System\kyIyhVz.exe
  2⤵
  PID:11100
- C:\Windows\System\pdnJLAz.exe
  C:\Windows\System\pdnJLAz.exe
  2⤵
  PID:11120
- C:\Windows\System\lygivze.exe
  C:\Windows\System\lygivze.exe
  2⤵
  PID:11144
- C:\Windows\System\hZpvthT.exe
  C:\Windows\System\hZpvthT.exe
  2⤵
  PID:11164
- C:\Windows\System\Ruzfvoa.exe
  C:\Windows\System\Ruzfvoa.exe
  2⤵
  PID:11192
- C:\Windows\System\plQQbnT.exe
  C:\Windows\System\plQQbnT.exe
  2⤵
  PID:11212
- C:\Windows\System\DPKCaAF.exe
  C:\Windows\System\DPKCaAF.exe
  2⤵
  PID:11260
- C:\Windows\System\NKtQnKp.exe
  C:\Windows\System\NKtQnKp.exe
  2⤵
  PID:10096
- C:\Windows\System\AuwSNkD.exe
  C:\Windows\System\AuwSNkD.exe
  2⤵
  PID:10232
- C:\Windows\System\zwjtQIB.exe
  C:\Windows\System\zwjtQIB.exe
  2⤵
  PID:10312
- C:\Windows\System\YqtdDjq.exe
  C:\Windows\System\YqtdDjq.exe
  2⤵
  PID:10424
- C:\Windows\System\TjFYsMD.exe
  C:\Windows\System\TjFYsMD.exe
  2⤵
  PID:10352
- C:\Windows\System\xLHjWvE.exe
  C:\Windows\System\xLHjWvE.exe
  2⤵
  PID:10488
- C:\Windows\System\iQJHsDF.exe
  C:\Windows\System\iQJHsDF.exe
  2⤵
  PID:10520
- C:\Windows\System\XRWRpQR.exe
  C:\Windows\System\XRWRpQR.exe
  2⤵
  PID:10672
- C:\Windows\System\sNIEPUa.exe
  C:\Windows\System\sNIEPUa.exe
  2⤵
  PID:10692
- C:\Windows\System\lLZawoa.exe
  C:\Windows\System\lLZawoa.exe
  2⤵
  PID:10772
- C:\Windows\System\dIEZjRv.exe
  C:\Windows\System\dIEZjRv.exe
  2⤵
  PID:10788
- C:\Windows\System\IMFzeLh.exe
  C:\Windows\System\IMFzeLh.exe
  2⤵
  PID:10876
- C:\Windows\System\ZbqxWsN.exe
  C:\Windows\System\ZbqxWsN.exe
  2⤵
  PID:10936
- C:\Windows\System\QJeZJPg.exe
  C:\Windows\System\QJeZJPg.exe
  2⤵
  PID:11036
- C:\Windows\System\CpvaIZL.exe
  C:\Windows\System\CpvaIZL.exe
  2⤵
  PID:11072
- C:\Windows\System\lEJAUtY.exe
  C:\Windows\System\lEJAUtY.exe
  2⤵
  PID:11128
- C:\Windows\System\iRzbqie.exe
  C:\Windows\System\iRzbqie.exe
  2⤵
  PID:11204
- C:\Windows\System\QKjydRK.exe
  C:\Windows\System\QKjydRK.exe
  2⤵
  PID:11256
- C:\Windows\System\vqHGmGk.exe
  C:\Windows\System\vqHGmGk.exe
  2⤵
  PID:10204
- C:\Windows\System\dwwllaQ.exe
  C:\Windows\System\dwwllaQ.exe
  2⤵
  PID:10340
- C:\Windows\System\ZCQXrcZ.exe
  C:\Windows\System\ZCQXrcZ.exe
  2⤵
  PID:10620
- C:\Windows\System\sjeGfPz.exe
  C:\Windows\System\sjeGfPz.exe
  2⤵
  PID:10640
- C:\Windows\System\WyFjIfJ.exe
  C:\Windows\System\WyFjIfJ.exe
  2⤵
  PID:10744
- C:\Windows\System\tHSZJFx.exe
  C:\Windows\System\tHSZJFx.exe
  2⤵
  PID:2740
- C:\Windows\System\wgjcNaP.exe
  C:\Windows\System\wgjcNaP.exe
  2⤵
  PID:11156
- C:\Windows\System\nAQqxHz.exe
  C:\Windows\System\nAQqxHz.exe
  2⤵
  PID:11252
- C:\Windows\System\jtqnVlS.exe
  C:\Windows\System\jtqnVlS.exe
  2⤵
  PID:10636
- C:\Windows\System\FhIBVGh.exe
  C:\Windows\System\FhIBVGh.exe
  2⤵
  PID:10808
- C:\Windows\System\KYihiWl.exe
  C:\Windows\System\KYihiWl.exe
  2⤵
  PID:11068
- C:\Windows\System\FCvrSwj.exe
  C:\Windows\System\FCvrSwj.exe
  2⤵
  PID:10388
- C:\Windows\System\XAdsSNR.exe
  C:\Windows\System\XAdsSNR.exe
  2⤵
  PID:10508
- C:\Windows\System\qPZmhjC.exe
  C:\Windows\System\qPZmhjC.exe
  2⤵
  PID:11276
- C:\Windows\System\cGIcdpn.exe
  C:\Windows\System\cGIcdpn.exe
  2⤵
  PID:11304
- C:\Windows\System\fJgScwh.exe
  C:\Windows\System\fJgScwh.exe
  2⤵
  PID:11344
- C:\Windows\System\tMayUcH.exe
  C:\Windows\System\tMayUcH.exe
  2⤵
  PID:11372
- C:\Windows\System\aQXqtKV.exe
  C:\Windows\System\aQXqtKV.exe
  2⤵
  PID:11392
- C:\Windows\System\YoNJZHJ.exe
  C:\Windows\System\YoNJZHJ.exe
  2⤵
  PID:11428
- C:\Windows\System\TQXCcpU.exe
  C:\Windows\System\TQXCcpU.exe
  2⤵
  PID:11452
- C:\Windows\System\CrbYCwG.exe
  C:\Windows\System\CrbYCwG.exe
  2⤵
  PID:11480
- C:\Windows\System\KMPqLZT.exe
  C:\Windows\System\KMPqLZT.exe
  2⤵
  PID:11500
- C:\Windows\System\cWNnfng.exe
  C:\Windows\System\cWNnfng.exe
  2⤵
  PID:11528
- C:\Windows\System\fLrxlOT.exe
  C:\Windows\System\fLrxlOT.exe
  2⤵
  PID:11556
- C:\Windows\System\IvGgpvb.exe
  C:\Windows\System\IvGgpvb.exe
  2⤵
  PID:11572
- C:\Windows\System\wEZbzCm.exe
  C:\Windows\System\wEZbzCm.exe
  2⤵
  PID:11596
- C:\Windows\System\hqDUdTJ.exe
  C:\Windows\System\hqDUdTJ.exe
  2⤵
  PID:11616
- C:\Windows\System\smoWLLw.exe
  C:\Windows\System\smoWLLw.exe
  2⤵
  PID:11648
- C:\Windows\System\ObnuVrj.exe
  C:\Windows\System\ObnuVrj.exe
  2⤵
  PID:11728
- C:\Windows\System\kjLBepW.exe
  C:\Windows\System\kjLBepW.exe
  2⤵
  PID:11748
- C:\Windows\System\UhFZmjQ.exe
  C:\Windows\System\UhFZmjQ.exe
  2⤵
  PID:11768
- C:\Windows\System\BwCahXk.exe
  C:\Windows\System\BwCahXk.exe
  2⤵
  PID:11784
- C:\Windows\System\xhsIUTy.exe
  C:\Windows\System\xhsIUTy.exe
  2⤵
  PID:11808
- C:\Windows\System\ZrScRRg.exe
  C:\Windows\System\ZrScRRg.exe
  2⤵
  PID:11824
- C:\Windows\System\mGREXZm.exe
  C:\Windows\System\mGREXZm.exe
  2⤵
  PID:11844
- C:\Windows\System\rqCFtow.exe
  C:\Windows\System\rqCFtow.exe
  2⤵
  PID:11868
- C:\Windows\System\qmhWpUE.exe
  C:\Windows\System\qmhWpUE.exe
  2⤵
  PID:11888
- C:\Windows\System\qETWLZg.exe
  C:\Windows\System\qETWLZg.exe
  2⤵
  PID:11936
- C:\Windows\System\HuuurAI.exe
  C:\Windows\System\HuuurAI.exe
  2⤵
  PID:11988
- C:\Windows\System\WsBuaDb.exe
  C:\Windows\System\WsBuaDb.exe
  2⤵
  PID:12024
- C:\Windows\System\sEEhvan.exe
  C:\Windows\System\sEEhvan.exe
  2⤵
  PID:12060
- C:\Windows\System\xrxgRhZ.exe
  C:\Windows\System\xrxgRhZ.exe
  2⤵
  PID:12076
- C:\Windows\System\QiFXCGB.exe
  C:\Windows\System\QiFXCGB.exe
  2⤵
  PID:12112
- C:\Windows\System\noGYdUO.exe
  C:\Windows\System\noGYdUO.exe
  2⤵
  PID:12144
- C:\Windows\System\vtugXtf.exe
  C:\Windows\System\vtugXtf.exe
  2⤵
  PID:12164
- C:\Windows\System\CegZkEl.exe
  C:\Windows\System\CegZkEl.exe
  2⤵
  PID:12216
- C:\Windows\System\AQzfuHH.exe
  C:\Windows\System\AQzfuHH.exe
  2⤵
  PID:12240
- C:\Windows\System\gxaxQZu.exe
  C:\Windows\System\gxaxQZu.exe
  2⤵
  PID:12260
- C:\Windows\System\bYinBAl.exe
  C:\Windows\System\bYinBAl.exe
  2⤵
  PID:10516
- C:\Windows\System\tqNMwdq.exe
  C:\Windows\System\tqNMwdq.exe
  2⤵
  PID:10460
- C:\Windows\System\failfpH.exe
  C:\Windows\System\failfpH.exe
  2⤵
  PID:11324
- C:\Windows\System\ewGNWpu.exe
  C:\Windows\System\ewGNWpu.exe
  2⤵
  PID:11352
- C:\Windows\System\LkBtXyE.exe
  C:\Windows\System\LkBtXyE.exe
  2⤵
  PID:11420
- C:\Windows\System\dQJtTuc.exe
  C:\Windows\System\dQJtTuc.exe
  2⤵
  PID:11472
- C:\Windows\System\oPVkaMo.exe
  C:\Windows\System\oPVkaMo.exe
  2⤵
  PID:11536
- C:\Windows\System\mbuUOdx.exe
  C:\Windows\System\mbuUOdx.exe
  2⤵
  PID:11720
- C:\Windows\System\HqSSBzD.exe
  C:\Windows\System\HqSSBzD.exe
  2⤵
  PID:11792
- C:\Windows\System\dZSSolH.exe
  C:\Windows\System\dZSSolH.exe
  2⤵
  PID:11756
- C:\Windows\System\DGwAlAc.exe
  C:\Windows\System\DGwAlAc.exe
  2⤵
  PID:11912
- C:\Windows\System\PYgFXZZ.exe
  C:\Windows\System\PYgFXZZ.exe
  2⤵
  PID:11976
- C:\Windows\System\EFIjXGU.exe
  C:\Windows\System\EFIjXGU.exe
  2⤵
  PID:12072
- C:\Windows\System\iyQUnFg.exe
  C:\Windows\System\iyQUnFg.exe
  2⤵
  PID:12068
- C:\Windows\System\tQYsnAF.exe
  C:\Windows\System\tQYsnAF.exe
  2⤵
  PID:12136
- C:\Windows\System\KekiXEj.exe
  C:\Windows\System\KekiXEj.exe
  2⤵
  PID:12208
- C:\Windows\System\TeEtVzB.exe
  C:\Windows\System\TeEtVzB.exe
  2⤵
  PID:12228
- C:\Windows\System\QpqqDaI.exe
  C:\Windows\System\QpqqDaI.exe
  2⤵
  PID:11460
- C:\Windows\System\oaZiDrw.exe
  C:\Windows\System\oaZiDrw.exe
  2⤵
  PID:11492
- C:\Windows\System\pdmJdWh.exe
  C:\Windows\System\pdmJdWh.exe
  2⤵
  PID:2216
- C:\Windows\System\keFLOjK.exe
  C:\Windows\System\keFLOjK.exe
  2⤵
  PID:11776
- C:\Windows\System\LrvaBXx.exe
  C:\Windows\System\LrvaBXx.exe
  2⤵
  PID:11880
- C:\Windows\System\XOBZCWc.exe
  C:\Windows\System\XOBZCWc.exe
  2⤵
  PID:12012
- C:\Windows\System\IqfAWGX.exe
  C:\Windows\System\IqfAWGX.exe
  2⤵
  PID:12016
- C:\Windows\System\KdfzylL.exe
  C:\Windows\System\KdfzylL.exe
  2⤵
  PID:12268
- C:\Windows\System\JYCckHr.exe
  C:\Windows\System\JYCckHr.exe
  2⤵
  PID:12280
- C:\Windows\System\RjKtieZ.exe
  C:\Windows\System\RjKtieZ.exe
  2⤵
  PID:11608
- C:\Windows\System\DIKQMGw.exe
  C:\Windows\System\DIKQMGw.exe
  2⤵
  PID:11736
- C:\Windows\System\LpCjWQV.exe
  C:\Windows\System\LpCjWQV.exe
  2⤵
  PID:11272
- C:\Windows\System\HcPVHBH.exe
  C:\Windows\System\HcPVHBH.exe
  2⤵
  PID:12020
- C:\Windows\System\kcdNTGx.exe
  C:\Windows\System\kcdNTGx.exe
  2⤵
  PID:12300
- C:\Windows\System\ECISldy.exe
  C:\Windows\System\ECISldy.exe
  2⤵
  PID:12320
- C:\Windows\System\Xvvtsdq.exe
  C:\Windows\System\Xvvtsdq.exe
  2⤵
  PID:12340
- C:\Windows\System\FwXcyVm.exe
  C:\Windows\System\FwXcyVm.exe
  2⤵
  PID:12360
- C:\Windows\System\qnRYbax.exe
  C:\Windows\System\qnRYbax.exe
  2⤵
  PID:12392
- C:\Windows\System\iJUqCcY.exe
  C:\Windows\System\iJUqCcY.exe
  2⤵
  PID:12412
- C:\Windows\System\AtRDKXX.exe
  C:\Windows\System\AtRDKXX.exe
  2⤵
  PID:12472
- C:\Windows\System\GiEgXTJ.exe
  C:\Windows\System\GiEgXTJ.exe
  2⤵
  PID:12508
- C:\Windows\System\sayXYdz.exe
  C:\Windows\System\sayXYdz.exe
  2⤵
  PID:12524
- C:\Windows\System\ivARbQi.exe
  C:\Windows\System\ivARbQi.exe
  2⤵
  PID:12556
- C:\Windows\System\hivpTHE.exe
  C:\Windows\System\hivpTHE.exe
  2⤵
  PID:12604
- C:\Windows\System\enfgdTG.exe
  C:\Windows\System\enfgdTG.exe
  2⤵
  PID:12628
- C:\Windows\System\fmZzOel.exe
  C:\Windows\System\fmZzOel.exe
  2⤵
  PID:12648
- C:\Windows\System\XDyttnf.exe
  C:\Windows\System\XDyttnf.exe
  2⤵
  PID:12664
- C:\Windows\System\rrbBoKf.exe
  C:\Windows\System\rrbBoKf.exe
  2⤵
  PID:12684
- C:\Windows\System\EjKNKDe.exe
  C:\Windows\System\EjKNKDe.exe
  2⤵
  PID:12736
- C:\Windows\System\kbYwuFy.exe
  C:\Windows\System\kbYwuFy.exe
  2⤵
  PID:12764
- C:\Windows\System\gmpfpsj.exe
  C:\Windows\System\gmpfpsj.exe
  2⤵
  PID:12788
- C:\Windows\System\CIbVhRu.exe
  C:\Windows\System\CIbVhRu.exe
  2⤵
  PID:12808
- C:\Windows\System\mIOsayM.exe
  C:\Windows\System\mIOsayM.exe
  2⤵
  PID:12832
- C:\Windows\System\HadqDix.exe
  C:\Windows\System\HadqDix.exe
  2⤵
  PID:12856
- C:\Windows\System\CzQyKgF.exe
  C:\Windows\System\CzQyKgF.exe
  2⤵
  PID:12876
- C:\Windows\System\EsiGZDD.exe
  C:\Windows\System\EsiGZDD.exe
  2⤵
  PID:12904
- C:\Windows\System\tfnlxQj.exe
  C:\Windows\System\tfnlxQj.exe
  2⤵
  PID:12920
- C:\Windows\System\BtYLliH.exe
  C:\Windows\System\BtYLliH.exe
  2⤵
  PID:12940
- C:\Windows\System\iLIjrID.exe
  C:\Windows\System\iLIjrID.exe
  2⤵
  PID:12964
- C:\Windows\System\NpJJpHK.exe
  C:\Windows\System\NpJJpHK.exe
  2⤵
  PID:12996
- C:\Windows\System\KUpkZIl.exe
  C:\Windows\System\KUpkZIl.exe
  2⤵
  PID:13036
- C:\Windows\System\TbDELer.exe
  C:\Windows\System\TbDELer.exe
  2⤵
  PID:13056
- C:\Windows\System\NkuooMF.exe
  C:\Windows\System\NkuooMF.exe
  2⤵
  PID:13080
- C:\Windows\System\OLDRXhu.exe
  C:\Windows\System\OLDRXhu.exe
  2⤵
  PID:13104
- C:\Windows\System\PMfoXso.exe
  C:\Windows\System\PMfoXso.exe
  2⤵
  PID:13120
- C:\Windows\System\SleWfYI.exe
  C:\Windows\System\SleWfYI.exe
  2⤵
  PID:13164
- C:\Windows\System\mZWNSWF.exe
  C:\Windows\System\mZWNSWF.exe
  2⤵
  PID:13184
- C:\Windows\System\GxNbDdf.exe
  C:\Windows\System\GxNbDdf.exe
  2⤵
  PID:13204
- C:\Windows\System\zisuwOv.exe
  C:\Windows\System\zisuwOv.exe
  2⤵
  PID:13228
- C:\Windows\System\OzhjuZr.exe
  C:\Windows\System\OzhjuZr.exe
  2⤵
  PID:12452
- C:\Windows\System\gdDDHZa.exe
  C:\Windows\System\gdDDHZa.exe
  2⤵
  PID:12500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rskdgkyk.hxi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AOGlSKU.exe

Filesize
1.8MB

MD5
2cb94de554a56ceb56188de377762ef7

SHA1
1d096a0ba628b9898df66cbe2d4ce3830aac5611

SHA256
d3d5b170a327b495c23887d24493cb0407d2b3884db47b61135a0d75f944aee7

SHA512
8a5f0078b7433162a11de84855b485c5846688859a010f4553a62cd611e89b3ed858f682c7196ca37007bb554dcfcf49ee666a973e7ff75a2856476f81732fef

Download Submit
C:\Windows\System\CqKtpAo.exe

Filesize
1.8MB

MD5
3a88fa8b404388f6b5aa462a908550b4

SHA1
64f138083a4fe0031c00f4e32c57fc0164aa5575

SHA256
18c34569feb7b741730da7e3584e3d345e8688997399a5ab46d9ab6f6aec8f88

SHA512
a4c715b11f35a9f1c815e1d84665d4c065b757d6828bcf3047021254e8548f5aa0a1e2cbc11d6404cbd67345508118a4f0defdf86d0575b86fe9540025ee0d7c

Download Submit
C:\Windows\System\DIkXQFp.exe

Filesize
1.8MB

MD5
8dc516be656d0eef9cd52b88dfe7bf6b

SHA1
0c795fbaa62d271b3a233d1852e750a814a91189

SHA256
a72f34e4322650f0bb15d48409d167648dc76cf732c311046c2f62d7d7d22342

SHA512
0b74bcaeac4c35a7d6f838f80eaf295f50c0bb68b00d2689ec85ef329be0a38527aa99e7ba3174a3e5e145890ffb1faad24cf379992882c950a2df286a07372e

Download Submit
C:\Windows\System\DWpvMeo.exe

Filesize
1.8MB

MD5
4c4e847ab4a0a3fa435f4384eeb24ac6

SHA1
c15939f052c6791b45d9fbd4832b8face72c01d2

SHA256
add8fe871e9ee9b770bc5564ab86b8018e78d463794907b3a29b9158d2ab94ea

SHA512
fca87fb79de69788c4a96f5fea6b1179000ea68079f3bb2cf597a36116895099af04c06227a0f3e0c48d1a11b911c44cb74f0d29e582f7ee0ebd883f1ab27008

Download Submit
C:\Windows\System\DcqXbwU.exe

Filesize
8B

MD5
20f50227b408431507e9e4298a89a7d5

SHA1
021be5cef03ca413a261257f3fa674d51e4eaecb

SHA256
f053af72ebaae8c20b4aa760dccbaa50d5e8c1b0612207e6dff562e592b0ee16

SHA512
a69e9f155961cdfb2c580f410cf1f9148255cadde0f420c64800ffc84ebbf2c4fc4d8c24eda7cee14ae357ad0398853cbe4f84f9db0bb9573e1f43351f2da9c0

Download Submit
C:\Windows\System\DmOoThh.exe

Filesize
1.8MB

MD5
2bbe4e7fbee0eb6b40e4a83068b317bf

SHA1
3f767d1cefbb827b0f65ffb06c56ed194a626a32

SHA256
8cb05fa1665627dbd229ca31229651f171663aebb886ea4cb6789088f172bb78

SHA512
b4b3e76a7accf23919155775a11650d6debf18b5fee48d77ab957f711b9eb5170c377ffdee66fef6c43aa1077f0f6c2ceab39d7d0e87305fadf27697ffae87ba

Download Submit
C:\Windows\System\HMXQFsG.exe

Filesize
1.8MB

MD5
742bb3f1b90e48cdc06e5d85423e0488

SHA1
cfa336acbd6f94dd9b6875fee3c16175e0a59974

SHA256
626046e8d2be52eece5925ae25971c019bb69279ab41ea0aa6a2cd4ff780f8f5

SHA512
db353d748e30daaffa7a62516537f04f2824489159b8b950b0c833cce4ae5bf8b0f9a6601e68e3e99fafebb02b02446aeb2834e1875a4484bf848e0766fbc2a5

Download Submit
C:\Windows\System\IbVPESY.exe

Filesize
1.8MB

MD5
ede74c2690462585fd7be7ffe7e42e30

SHA1
8bd10bf073b5dcba711cf9b7357fdc4e50a99c81

SHA256
a045a973f150fcf445e236351220134bc8488bbd89cba3a88a226728a5754d7b

SHA512
23e642fa85b26892cd24d2c44a968ec2e0e1448729eb0fa6630547aed5466337c6a0c98af93472862074688dbede0bcf4e114b4cf8fde4a0b8210189ed8ee206

Download Submit
C:\Windows\System\JJDMIgV.exe

Filesize
1.8MB

MD5
de15494337ff5b298953549220f5ec5a

SHA1
55f3e46abc52996f494b9dba27f99108f6219153

SHA256
9fb2c7260d4069617b77b30bae476b43d884dd4cdacd261b469419256b8197ff

SHA512
981f37db05a05041f858c8b29f7293d04e999b5f62dc7454dff98f97d47a06c42c327d9dbec136919c7d22b545f220bfbe8e868a6a123b4e50d0e416509a9c35

Download Submit
C:\Windows\System\JwVpuIl.exe

Filesize
1.8MB

MD5
89f2dd10ab9595c423c800d18ae60658

SHA1
5985534fac9495ff996f6baa3aeb05ae7657ed5f

SHA256
68db40a2c44786c6f1c7cdd190fbb55e2e31af20cc32d7afbeb91d46f66595e6

SHA512
a0ecf8d570b115bdc471d83c3113fe31dbbfd21773b043932dbf21e42104f17994425b44d021f599fc64adb2b49f219a0218e21ceeabcd8b3234eea5cd236277

Download Submit
C:\Windows\System\KtjNUqb.exe

Filesize
1.8MB

MD5
9d8146b3c758dc61877649b3095e3e60

SHA1
79e13845433cbbd40ebef004ec72118ea41efbf7

SHA256
f47d6ce366a3cb66eae7c1fbcd507d9deb2d698afda436cae7a361a2598236d6

SHA512
5f4689560b5685356172e49da1733e3eb99d4bf7455b0325bfabe262ef2c237ef7b51696885450fda43778fee1d7b58966acd9b30126b153ad594659a75592bc

Download Submit
C:\Windows\System\LFoPLsI.exe

Filesize
1.8MB

MD5
f1098bb87e0aa29087ff7e06e862cf82

SHA1
d9a197b593710b5ec179f4ec12a1489b89caaf54

SHA256
aa892591dc0d4b256838ffb594ff30034b4c306ed143f6f35606e58c79b845b3

SHA512
ca9cb8f5f208f867eb5997f22878a9698396ecf3df110d2f8d735b52cb8bfeb6acd4f0cc81511d20c997f241e36ca2114edb267f3cf2f4b4abcb9e780132f2a9

Download Submit
C:\Windows\System\MUjBfkX.exe

Filesize
1.8MB

MD5
510857365677491f7ebd030aec207868

SHA1
e1660e892b824114667ab1c398e401ef5a705427

SHA256
48b8c632285ccf0519cf25990478090d455749d7df0caef5bdb1fe967e7ec07b

SHA512
37495b9f1e91b0d7186e6df50ad23c3e202dc85f6ee37ebe8d09dd51e66abe34002cc698777ad48a0ee2fae2460fa2c5d6ce4f3010278fc6580a5bbb631ee4a8

Download Submit
C:\Windows\System\NDJSoju.exe

Filesize
1.8MB

MD5
75048e6a091d68beb4b2919dd5277030

SHA1
17b417804a4b42869c2a6a3abcf31cdd119a6493

SHA256
7e062f8ca5bfad10a7d74fc92c3e79ccc2902ae74f1653479ce9aa0e9ea1d912

SHA512
aa5c0c107f0c27bfbd69d427752c7fcf0958f22eee88f0137ac0fb3d376481dac14204febb7870332b816b0fe6dc399bc27c65a34d3b9be944a34c8a042c7ee6

Download Submit
C:\Windows\System\NHgHoYk.exe

Filesize
1.8MB

MD5
de7374436ce2a41b7f3e84eb564d700a

SHA1
93ba97b62a79603500f34275dff8ac709f28a8fa

SHA256
1735c75fe65838a05ac106e0e5eb8d32a9ad5c779baec83781e6f054555dc0e3

SHA512
359b8f986e90468543b670c6ba78fbaced1611b07b8d62889e9e6401cee91c88eaa2fd557e55bac4f7b1ef5357377a22e5331fe5a58cd82490b302e5d8b6f2d2

Download Submit
C:\Windows\System\PIcbpPD.exe

Filesize
1.8MB

MD5
dd8c3968fc48a7ed3547a3cc1c44e429

SHA1
d7287cfad03d3082d7bd107402d5a15079e5d683

SHA256
08434074b402169a6e93a9a8605b88cf0c2057376e7906dd2e4525134be93e12

SHA512
722a3e156894921ba9ad976dfb79be9e3edc58437e7f267832e94dd8a9576dd7291d238bf5f307a6fcdcd39c893ffb559af1d14a36b8974b2caa8adbc8ec236b

Download Submit
C:\Windows\System\TDokdKA.exe

Filesize
1.8MB

MD5
3d4a1a54b06b83b2cd30e8417de8698b

SHA1
e7b1d711234d9c63efe58e45984721cc3553f311

SHA256
00d989f800b21c5181585f0bbd0e9db405452a4f3f843a0a2d25b7d9464a877c

SHA512
dd47117ec8713dd6a5b3759f3f5b6aa8a831796af89dfb1f3902395e6eff0c2e70cd94c178ca036eb027b16e247c68408f9c357e39e7ad6fe4d05db534ad0e4f

Download Submit
C:\Windows\System\UfGhSkL.exe

Filesize
1.8MB

MD5
c1306f050cef591b9ff712ce51ffa6e8

SHA1
30886e85580b1189dd970000de657b6a8a211364

SHA256
662d87aad0d19f4119a8bc0a1fd528b3fd568bfb3fbb4316e6d015bba36b7b60

SHA512
446397f0796a48205229797bc6682ee12039cd661b0dc0fc43c0320d8599a19cf913999b1803def71c51079d869b1d86a2b1fc95ba965dd194de933a0961dd03

Download Submit
C:\Windows\System\Ycsuopq.exe

Filesize
1.8MB

MD5
8e1b2bcad2c6e0ad50db6fc3f83416f1

SHA1
1f5056705f9c01f20b354ae7ce0a586c01b9bfad

SHA256
b512117954e0208f684160b6f35d38283a2e58e7dfdc93f74c50ceb955c6f4c3

SHA512
562f0e55e5e167f0b7c3f3f1b8a0b9345ac0fb7c58f66b333550951cd477d07847f75c2b4c0f6fea075655920e9bb9160777b521344090bfa1f2c4d195afdf7a

Download Submit
C:\Windows\System\ZpWzedy.exe

Filesize
1.8MB

MD5
86ec11154c9a2e491e2f7311a0d896e5

SHA1
8d7821c55bd7436703d7dafc9476cd5fad9ea6db

SHA256
fdffa07d4b3cb994a5c4d8630f33662021b8462aa07601217a0a4ed358ce6475

SHA512
7b9463f7d97b133eed8a577df80cc3d95f6e42fbc492ab1a222e566a1afcf4e7a772a02e5de0723838115a24e854a8442da065a11ce331c2b76a69b5a13675ae

Download Submit
C:\Windows\System\baYFLaT.exe

Filesize
1.8MB

MD5
24060e38bfb60a3d6f8587a2f26299fe

SHA1
22100289a419a08fcedc0fb46a9b20f5da9517d6

SHA256
374e1e32bbe8f4d42b34a28f9588da65e6322bcb65c16481d5cd6a65dfe4074a

SHA512
42a34adf7df8fc3fea72edd2a63a23b828cfcf57ace78bfb870322e02908c14e1a9043e1b4f79182929981ffbc3def8dd99e45eed70e7b7b477dcad9fcf1f9a8

Download Submit
C:\Windows\System\dKaeHGL.exe

Filesize
1.8MB

MD5
c0d2638837625073dbdb1c7fb070a949

SHA1
6493e3081dbd91e21bbb0d806f628da47cdb18ac

SHA256
2fa0670dea9faa6beccd0a54dce686c41f513e363df6a438378b162ae4889902

SHA512
e8fd03c907bca027a95664e7faa204dd6e70b59400273cfa1ca55c449244b083f49c2d293ea14463b005c3641da7c10785d5beec78d8170561bde7007b503b80

Download Submit
C:\Windows\System\ivSIKai.exe

Filesize
1.8MB

MD5
3a28d077cf4e4f61669e64fb345f3021

SHA1
1f7b4b5507bea20aec72048a9cf63be423f275be

SHA256
f8b4d4e795f56dadc4b3dd799e9cc8ad1ffe016b9bb952673e5b4f71b972b1f9

SHA512
e26b76140d5b8069fdb97716ba99da00226489d414079563a9a3400fe78e0bf15cd7ead7ffc4569f403a7bc2fd00c0a6886cb7adc4a19e45212272883b5a0828

Download Submit
C:\Windows\System\jpZaEfI.exe

Filesize
1.8MB

MD5
8d98da3bcfda0bdb66350aab24748577

SHA1
f6c43618ab58cf2f04417bc68a54177992a9de5c

SHA256
3a954b1ae3074f6e01c56c2f9ae3c933a191ab92b8add8e908ebc64729152def

SHA512
08f1812fd80a051782ce1d6f051ded13f17ff44fd2829f4c606fd83554e916b39536ad2f890d05f32478b80f0362ca448a47cb938bb149837800b327d174c3be

Download Submit
C:\Windows\System\mlcFnjF.exe

Filesize
1.8MB

MD5
7ee09ae6ab3c7a58df0d65fd1cabef24

SHA1
69319314779158b30e52ac29fcb52a1d9d08a9cf

SHA256
c0f6c766eb78c814807db5fdd30311c1198b8f5fbe5e0e05259457e9b0c2176a

SHA512
2cf1eba6d173b0379c2882946f935ecf6f16de41b7ce8533769edd3c1fdeb62d6180be5818078936bc1642af8fb3711a0c2ceb1d4a5d22ffb2fc6398c7dea23d

Download Submit
C:\Windows\System\nirNYFr.exe

Filesize
1.8MB

MD5
08bfc6037f49ecd466a47dbb6eedb778

SHA1
db5cb11dfcc4b208355e754f0861c25292f50d3c

SHA256
274a364eedb3f26721ca8a156ca6d5d2042072b1f589d7e93718c5ae2f685e11

SHA512
3506fe008d6e1ef3da6d07530eab750fe8034caea8f3f94cfc663b6f7fdae6c307ec4336a19e95dcafecd6a4622717dccd71431110301bc3f66f1367d7072161

Download Submit
C:\Windows\System\nkyWktW.exe

Filesize
1.8MB

MD5
6e49e18f5f4f826c04e009bea1c9892f

SHA1
04a9771a17d89cf11f32c0236ecec6682a947286

SHA256
1921db1c0d2c7fc418b7e88caff73636cc7ed9b6a96b633fec978184b02414f3

SHA512
d851f21b0e31bf7732971dbacaa99ce1fa92714c222c40b2242260bdeb0b3f31f777b121601662ce50a6eb274d32ec00dec638f82ea0199df9070d55d631d515

Download Submit
C:\Windows\System\oSpVXWX.exe

Filesize
1.8MB

MD5
6534b0796a3516b1c597203a650b74ac

SHA1
60e65ab4ca92e2b6aa98592ecbe96b8eb5f8cfb2

SHA256
e63b590e37b9bf57f04987ba75067c52b883baade7f3e81bb9894886ef4973fb

SHA512
7cdb47b93a99daf136e51bf562b2490f363a6447ce1c9ac31c1c0136c6c86efbd07466273c6cfe7cc4d4a3234110904407a5560df0f1b1edb8cd1aa349fa008c

Download Submit
C:\Windows\System\pYwgAfO.exe

Filesize
1.8MB

MD5
3fb7b41fb0d436c854d1441941711b83

SHA1
62cadd1fab99c5b81bbfca9e29b9f62c0bd9ba92

SHA256
2875a0fa32aaf6a4e5d8722d6f60da44f3cb65d6059676c8b2f1fa2ff1ba0e7e

SHA512
6bf4c5ef476d9c6fab0435279137f9df36120d8053c2839e3b64da21004d6cd7b15503260061242634890bb55ddb6470aeb4d1159cd159cdfad3c9669efc03ed

Download Submit
C:\Windows\System\ptKZvAq.exe

Filesize
1.8MB

MD5
174b0b2b25eb64e2533254518d7746cc

SHA1
eed4816c10ab5d3739da943c528e904e0e3d6a73

SHA256
8740645a0d0a6287d3173ac0eec28c277753c334a93922a1af93b44b5e27e330

SHA512
c12d98a327cb5e424dc080b3f7ee5fda69870d3162f47f73e23ec30ff1d3909b8d36beabb175e5386896fdfcc8157964dabf486692cca6c2f558fffdb4cd9ccc

Download Submit
C:\Windows\System\rMfGNmN.exe

Filesize
1.8MB

MD5
0b845b689897918c2b9e8e707ac3a122

SHA1
feec749ef070a7b5053c5f0ea811efea6672b40d

SHA256
9fca5a58df1a8b10c16f94454bd66414587ff8867d9e9e2fb287b1790caee13c

SHA512
b3ffc1aeee9d7e66987c0ae00b74d7dec4529fe1826731e8d38716e375d09a680b2c9e40eaf6b4a4ce5ab5228d5d25d73c5b6dc93bd628f8e98e03d48ac6bd66

Download Submit
C:\Windows\System\vcjumLd.exe

Filesize
1.8MB

MD5
e8fb646cd4e7107e367c2bca5d39385f

SHA1
8aaf470d7d02b9c7c045529e4688a92c204b84d0

SHA256
ba3f09bda3d1451cabc220f4e3b9d506ba032ef8d54f350ac86f9161fb9ab0a1

SHA512
bbcdbf65b446e4c495646e53fd405b073ea14ede244787673f25a297ed68891317d9a96378c43012be97b953d39b07c3077f45b85d13e78803959615aa1c367d

Download Submit
C:\Windows\System\xjssVkM.exe

Filesize
1.8MB

MD5
259664669f842e8e9e949c8a2ccf63f4

SHA1
3b415cae71dc6f39f39b198d882bd5faa0d4de8d

SHA256
cf9521777e2c4255b027d32b6ff9cea7b16db77b7da6221cbeea485e74decc47

SHA512
3dd0cd436369f4c678362173191b7de484da308cfb3977a34c471d1cb0ea5161831a8e7d23f9068c454521af837c77f8c1f0835abc6774f4d49c5f8e0700fdad

Download Submit
C:\Windows\System\zwRLPim.exe

Filesize
1.8MB

MD5
ff64a58feaf562e45e56476ff7ff1e66

SHA1
96f171267d90567681fb8edc0265305a79d52852

SHA256
f0832716c22dea352f84fcd528f4c680491c90555c96ff1124d4454ab90c3f6c

SHA512
9f52fd56d6e055c75245c286120ebb13536ae623591134d01faab3e71d35c3b073e85f00aa2e51bcfbe75b8830925b9440674e0407ee45c4dfd80c0af99a11bf

Download Submit
memory/436-2552-0x00007FF718DB0000-0x00007FF7191A2000-memory.dmp

Filesize
3.9MB

Download
memory/436-130-0x00007FF718DB0000-0x00007FF7191A2000-memory.dmp

Filesize
3.9MB

Download
memory/648-185-0x00007FF6B0800000-0x00007FF6B0BF2000-memory.dmp

Filesize
3.9MB

Download
memory/648-2576-0x00007FF6B0800000-0x00007FF6B0BF2000-memory.dmp

Filesize
3.9MB

Download
memory/772-2578-0x00007FF7CAD80000-0x00007FF7CB172000-memory.dmp

Filesize
3.9MB

Download
memory/772-191-0x00007FF7CAD80000-0x00007FF7CB172000-memory.dmp

Filesize
3.9MB

Download
memory/1012-2548-0x00007FF65B8A0000-0x00007FF65BC92000-memory.dmp

Filesize
3.9MB

Download
memory/1012-88-0x00007FF65B8A0000-0x00007FF65BC92000-memory.dmp

Filesize
3.9MB

Download
memory/1116-2570-0x00007FF7427B0000-0x00007FF742BA2000-memory.dmp

Filesize
3.9MB

Download
memory/1116-173-0x00007FF7427B0000-0x00007FF742BA2000-memory.dmp

Filesize
3.9MB

Download
memory/1488-167-0x00007FF797050000-0x00007FF797442000-memory.dmp

Filesize
3.9MB

Download
memory/1488-2557-0x00007FF797050000-0x00007FF797442000-memory.dmp

Filesize
3.9MB

Download
memory/1632-154-0x00007FF7B8230000-0x00007FF7B8622000-memory.dmp

Filesize
3.9MB

Download
memory/1632-2563-0x00007FF7B8230000-0x00007FF7B8622000-memory.dmp

Filesize
3.9MB

Download
memory/1672-2569-0x00007FF7D9400000-0x00007FF7D97F2000-memory.dmp

Filesize
3.9MB

Download
memory/1672-179-0x00007FF7D9400000-0x00007FF7D97F2000-memory.dmp

Filesize
3.9MB

Download
memory/1688-197-0x00007FF7B7060000-0x00007FF7B7452000-memory.dmp

Filesize
3.9MB

Download
memory/1688-2592-0x00007FF7B7060000-0x00007FF7B7452000-memory.dmp

Filesize
3.9MB

Download
memory/1840-87-0x00007FF692A60000-0x00007FF692E52000-memory.dmp

Filesize
3.9MB

Download
memory/1840-2546-0x00007FF692A60000-0x00007FF692E52000-memory.dmp

Filesize
3.9MB

Download
memory/1880-2534-0x00007FF691440000-0x00007FF691832000-memory.dmp

Filesize
3.9MB

Download
memory/1880-2516-0x00007FF691440000-0x00007FF691832000-memory.dmp

Filesize
3.9MB

Download
memory/1880-13-0x00007FF691440000-0x00007FF691832000-memory.dmp

Filesize
3.9MB

Download
memory/2272-148-0x00007FF73A720000-0x00007FF73AB12000-memory.dmp

Filesize
3.9MB

Download
memory/2272-2561-0x00007FF73A720000-0x00007FF73AB12000-memory.dmp

Filesize
3.9MB

Download
memory/2560-142-0x00007FF708140000-0x00007FF708532000-memory.dmp

Filesize
3.9MB

Download
memory/2560-2573-0x00007FF708140000-0x00007FF708532000-memory.dmp

Filesize
3.9MB

Download
memory/2808-2529-0x00007FFF5DEC0000-0x00007FFF5E981000-memory.dmp

Filesize
10.8MB

Download
memory/2808-14-0x00007FFF5DEC3000-0x00007FFF5DEC5000-memory.dmp

Filesize
8KB

Download
memory/2808-49-0x00007FFF5DEC0000-0x00007FFF5E981000-memory.dmp

Filesize
10.8MB

Download
memory/2808-60-0x0000019E50CF0000-0x0000019E50D12000-memory.dmp

Filesize
136KB

Download
memory/2808-2517-0x00007FFF5DEC0000-0x00007FFF5E981000-memory.dmp

Filesize
10.8MB

Download
memory/2808-2519-0x00007FFF5DEC3000-0x00007FFF5DEC5000-memory.dmp

Filesize
8KB

Download
memory/2808-2520-0x00007FFF5DEC0000-0x00007FFF5E981000-memory.dmp

Filesize
10.8MB

Download
memory/2808-438-0x0000019E53A50000-0x0000019E541F6000-memory.dmp

Filesize
7.6MB

Download
memory/2808-118-0x00007FFF5DEC0000-0x00007FFF5E981000-memory.dmp

Filesize
10.8MB

Download
memory/2996-61-0x00007FF620420000-0x00007FF620812000-memory.dmp

Filesize
3.9MB

Download
memory/2996-2536-0x00007FF620420000-0x00007FF620812000-memory.dmp

Filesize
3.9MB

Download
memory/3140-1-0x0000028708BE0000-0x0000028708BF0000-memory.dmp

Filesize
64KB

Download
memory/3140-0-0x00007FF6B2960000-0x00007FF6B2D52000-memory.dmp

Filesize
3.9MB

Download
memory/3408-105-0x00007FF6D1C30000-0x00007FF6D2022000-memory.dmp

Filesize
3.9MB

Download
memory/3408-2565-0x00007FF6D1C30000-0x00007FF6D2022000-memory.dmp

Filesize
3.9MB

Download
memory/3408-2518-0x00007FF6D1C30000-0x00007FF6D2022000-memory.dmp

Filesize
3.9MB

Download
memory/3472-124-0x00007FF743430000-0x00007FF743822000-memory.dmp

Filesize
3.9MB

Download
memory/3472-2540-0x00007FF743430000-0x00007FF743822000-memory.dmp

Filesize
3.9MB

Download
memory/4184-2574-0x00007FF6BF670000-0x00007FF6BFA62000-memory.dmp

Filesize
3.9MB

Download
memory/4184-136-0x00007FF6BF670000-0x00007FF6BFA62000-memory.dmp

Filesize
3.9MB

Download
memory/4476-155-0x00007FF6890A0000-0x00007FF689492000-memory.dmp

Filesize
3.9MB

Download
memory/4476-2559-0x00007FF6890A0000-0x00007FF689492000-memory.dmp

Filesize
3.9MB

Download
memory/4552-75-0x00007FF6765A0000-0x00007FF676992000-memory.dmp

Filesize
3.9MB

Download
memory/4552-2550-0x00007FF6765A0000-0x00007FF676992000-memory.dmp

Filesize
3.9MB

Download
memory/4620-80-0x00007FF76ED90000-0x00007FF76F182000-memory.dmp

Filesize
3.9MB

Download
memory/4620-2544-0x00007FF76ED90000-0x00007FF76F182000-memory.dmp

Filesize
3.9MB

Download
memory/4716-2567-0x00007FF6E8820000-0x00007FF6E8C12000-memory.dmp

Filesize
3.9MB

Download
memory/4716-100-0x00007FF6E8820000-0x00007FF6E8C12000-memory.dmp

Filesize
3.9MB

Download
memory/4788-2555-0x00007FF6685F0000-0x00007FF6689E2000-memory.dmp

Filesize
3.9MB

Download
memory/4788-161-0x00007FF6685F0000-0x00007FF6689E2000-memory.dmp

Filesize
3.9MB

Download
memory/4992-67-0x00007FF6A7780000-0x00007FF6A7B72000-memory.dmp

Filesize
3.9MB

Download
memory/4992-2539-0x00007FF6A7780000-0x00007FF6A7B72000-memory.dmp

Filesize
3.9MB

Download
memory/5092-94-0x00007FF7FB960000-0x00007FF7FBD52000-memory.dmp

Filesize
3.9MB

Download
memory/5092-2543-0x00007FF7FB960000-0x00007FF7FBD52000-memory.dmp

Filesize
3.9MB

Download