xmrig | 265179604493c718ff76d7e31467fe866294d414e320eb015031cbf63174df63

Analysis

max time kernel
127s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
Size

2.0MB
MD5

12134060b4e3d09aedb7e1f404a8976a
SHA1

0c6ea60f888a1a483e908c23483692883b61e17b
SHA256

265179604493c718ff76d7e31467fe866294d414e320eb015031cbf63174df63
SHA512

69d9849b2fb5c2b2443191c81b89888673aac30a52036980b1fea0efcfd960bee9d532b8274c4d1319afdd420c47d81ce8ce75972938f6d2bed614b1c0c7d4f8
SSDEEP

49152:Lz071uv4BPMkibTIA5lCx7kvRWa4pXHafHt:NAB4

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1360-80-0x00007FF673FD0000-0x00007FF6743C2000-memory.dmp	xmrig
behavioral2/memory/2060-89-0x00007FF693460000-0x00007FF693852000-memory.dmp	xmrig
behavioral2/memory/5028-105-0x00007FF6610A0000-0x00007FF661492000-memory.dmp	xmrig
behavioral2/memory/4740-121-0x00007FF7E6060000-0x00007FF7E6452000-memory.dmp	xmrig
behavioral2/memory/1404-134-0x00007FF6AEE50000-0x00007FF6AF242000-memory.dmp	xmrig
behavioral2/memory/3988-147-0x00007FF738680000-0x00007FF738A72000-memory.dmp	xmrig
behavioral2/memory/3744-576-0x00007FF7BF280000-0x00007FF7BF672000-memory.dmp	xmrig
behavioral2/memory/4348-154-0x00007FF7E4F80000-0x00007FF7E5372000-memory.dmp	xmrig
behavioral2/memory/4708-151-0x00007FF7C93A0000-0x00007FF7C9792000-memory.dmp	xmrig
behavioral2/memory/4696-148-0x00007FF7EAD60000-0x00007FF7EB152000-memory.dmp	xmrig
behavioral2/memory/2512-144-0x00007FF6DB690000-0x00007FF6DBA82000-memory.dmp	xmrig
behavioral2/memory/4496-140-0x00007FF75E8A0000-0x00007FF75EC92000-memory.dmp	xmrig
behavioral2/memory/1380-133-0x00007FF721AF0000-0x00007FF721EE2000-memory.dmp	xmrig
behavioral2/memory/4636-129-0x00007FF627530000-0x00007FF627922000-memory.dmp	xmrig
behavioral2/memory/4836-125-0x00007FF66A9D0000-0x00007FF66ADC2000-memory.dmp	xmrig
behavioral2/memory/4812-124-0x00007FF686FD0000-0x00007FF6873C2000-memory.dmp	xmrig
behavioral2/memory/2332-117-0x00007FF790510000-0x00007FF790902000-memory.dmp	xmrig
behavioral2/memory/1356-114-0x00007FF6BDD70000-0x00007FF6BE162000-memory.dmp	xmrig
behavioral2/memory/2024-110-0x00007FF7A2F30000-0x00007FF7A3322000-memory.dmp	xmrig
behavioral2/memory/1968-109-0x00007FF628170000-0x00007FF628562000-memory.dmp	xmrig
behavioral2/memory/3476-98-0x00007FF74F1A0000-0x00007FF74F592000-memory.dmp	xmrig
behavioral2/memory/4500-93-0x00007FF718AF0000-0x00007FF718EE2000-memory.dmp	xmrig
behavioral2/memory/4220-76-0x00007FF7131F0000-0x00007FF7135E2000-memory.dmp	xmrig
behavioral2/memory/4368-2028-0x00007FF65F760000-0x00007FF65FB52000-memory.dmp	xmrig
behavioral2/memory/4740-2051-0x00007FF7E6060000-0x00007FF7E6452000-memory.dmp	xmrig
behavioral2/memory/5028-2055-0x00007FF6610A0000-0x00007FF661492000-memory.dmp	xmrig
behavioral2/memory/4220-2054-0x00007FF7131F0000-0x00007FF7135E2000-memory.dmp	xmrig
behavioral2/memory/2060-2057-0x00007FF693460000-0x00007FF693852000-memory.dmp	xmrig
behavioral2/memory/3476-2059-0x00007FF74F1A0000-0x00007FF74F592000-memory.dmp	xmrig
behavioral2/memory/1360-2061-0x00007FF673FD0000-0x00007FF6743C2000-memory.dmp	xmrig
behavioral2/memory/4500-2063-0x00007FF718AF0000-0x00007FF718EE2000-memory.dmp	xmrig
behavioral2/memory/4812-2065-0x00007FF686FD0000-0x00007FF6873C2000-memory.dmp	xmrig
behavioral2/memory/2024-2067-0x00007FF7A2F30000-0x00007FF7A3322000-memory.dmp	xmrig
behavioral2/memory/2332-2072-0x00007FF790510000-0x00007FF790902000-memory.dmp	xmrig
behavioral2/memory/1356-2075-0x00007FF6BDD70000-0x00007FF6BE162000-memory.dmp	xmrig
behavioral2/memory/1968-2074-0x00007FF628170000-0x00007FF628562000-memory.dmp	xmrig
behavioral2/memory/4636-2077-0x00007FF627530000-0x00007FF627922000-memory.dmp	xmrig
behavioral2/memory/4836-2070-0x00007FF66A9D0000-0x00007FF66ADC2000-memory.dmp	xmrig
behavioral2/memory/4496-2082-0x00007FF75E8A0000-0x00007FF75EC92000-memory.dmp	xmrig
behavioral2/memory/1380-2086-0x00007FF721AF0000-0x00007FF721EE2000-memory.dmp	xmrig
behavioral2/memory/3988-2087-0x00007FF738680000-0x00007FF738A72000-memory.dmp	xmrig
behavioral2/memory/4696-2089-0x00007FF7EAD60000-0x00007FF7EB152000-memory.dmp	xmrig
behavioral2/memory/1404-2084-0x00007FF6AEE50000-0x00007FF6AF242000-memory.dmp	xmrig
behavioral2/memory/2512-2080-0x00007FF6DB690000-0x00007FF6DBA82000-memory.dmp	xmrig
behavioral2/memory/4348-2096-0x00007FF7E4F80000-0x00007FF7E5372000-memory.dmp	xmrig
behavioral2/memory/4708-2095-0x00007FF7C93A0000-0x00007FF7C9792000-memory.dmp	xmrig
behavioral2/memory/3744-2104-0x00007FF7BF280000-0x00007FF7BF672000-memory.dmp	xmrig
behavioral2/memory/4368-2292-0x00007FF65F760000-0x00007FF65FB52000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	3252	powershell.exe
11	3252	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3252	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4740	XebRPQT.exe
4220	OsDqamA.exe
1360	ocmzWIx.exe
2060	OFFMFXD.exe
4500	OdjrWCg.exe
3476	SQktZMr.exe
5028	dbwshFX.exe
4812	hTphZsw.exe
1968	GkKIzdp.exe
2024	iupAifF.exe
1356	cRdYZGR.exe
4836	fujOjKT.exe
2332	ExiEhSu.exe
4636	wMcZEOK.exe
1380	YJTXOEi.exe
4368	gjBCRtK.exe
1404	HJmbsoY.exe
4496	FgRCCAN.exe
2512	eqSnPYi.exe
3988	VWkDNWn.exe
4696	IKneRwz.exe
4708	aJjfVAv.exe
4348	mIJGtFD.exe
3744	TRenWQa.exe
2244	mfRiaQx.exe
852	AXBtEJY.exe
3220	lciOXIB.exe
2172	aZuhjNz.exe
1792	FEMavfa.exe
4424	vCzvVZs.exe
2568	dGyokse.exe
4384	tffXqbq.exe
3244	bQSwePR.exe
4376	ukZYRSP.exe
1544	VUMvNHT.exe
2904	bpPwTox.exe
968	ZVLOSWJ.exe
920	WYhzfko.exe
612	PUMxHcU.exe
1700	npHJEFQ.exe
4292	yPahHEy.exe
5112	ULCFhpy.exe
3740	GphaTvD.exe
720	tflHmfy.exe
4616	RgzTccw.exe
1156	nhkWNyE.exe
1732	pxHwWVA.exe
1420	UskNcWD.exe
1272	GVcJGwA.exe
1812	hNAIZAk.exe
3648	gIDMeYZ.exe
3532	jdCfkNQ.exe
4772	wPtlSke.exe
4604	erjgPyt.exe
4564	KzDaxNg.exe
3008	UMmzlmS.exe
1664	uRNtWnU.exe
1228	OjIYfNC.exe
512	jkrHZcC.exe
2112	gGXnaHl.exe
624	tQimCNE.exe
2944	EhcbAGJ.exe
3768	mLFjIOy.exe
2452	ObNBbMM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4072-0-0x00007FF680090000-0x00007FF680482000-memory.dmp	upx
behavioral2/files/0x000c000000023b5f-6.dat	upx
behavioral2/files/0x000a000000023bc1-18.dat	upx
behavioral2/files/0x000a000000023bc4-35.dat	upx
behavioral2/files/0x000a000000023bc3-21.dat	upx
behavioral2/files/0x000a000000023bc2-16.dat	upx
behavioral2/files/0x000a000000023bc9-57.dat	upx
behavioral2/files/0x000a000000023bcb-69.dat	upx
behavioral2/memory/1360-80-0x00007FF673FD0000-0x00007FF6743C2000-memory.dmp	upx
behavioral2/memory/2060-89-0x00007FF693460000-0x00007FF693852000-memory.dmp	upx
behavioral2/files/0x000b000000023bc6-94.dat	upx
behavioral2/files/0x000a000000023bcd-99.dat	upx
behavioral2/memory/5028-105-0x00007FF6610A0000-0x00007FF661492000-memory.dmp	upx
behavioral2/files/0x000a000000023bd1-111.dat	upx
behavioral2/files/0x000a000000023bd0-115.dat	upx
behavioral2/memory/4740-121-0x00007FF7E6060000-0x00007FF7E6452000-memory.dmp	upx
behavioral2/memory/1404-134-0x00007FF6AEE50000-0x00007FF6AF242000-memory.dmp	upx
behavioral2/files/0x000a000000023bd5-141.dat	upx
behavioral2/memory/3988-147-0x00007FF738680000-0x00007FF738A72000-memory.dmp	upx
behavioral2/files/0x000a000000023bd6-155.dat	upx
behavioral2/files/0x000a000000023bd8-169.dat	upx
behavioral2/memory/3744-576-0x00007FF7BF280000-0x00007FF7BF672000-memory.dmp	upx
behavioral2/files/0x000a000000023bde-198.dat	upx
behavioral2/files/0x000a000000023bdd-194.dat	upx
behavioral2/files/0x000a000000023bdc-189.dat	upx
behavioral2/files/0x000a000000023bdb-183.dat	upx
behavioral2/files/0x000a000000023bda-179.dat	upx
behavioral2/files/0x000a000000023bd9-174.dat	upx
behavioral2/files/0x000a000000023bd7-164.dat	upx
behavioral2/memory/4348-154-0x00007FF7E4F80000-0x00007FF7E5372000-memory.dmp	upx
behavioral2/memory/4708-151-0x00007FF7C93A0000-0x00007FF7C9792000-memory.dmp	upx
behavioral2/memory/4696-148-0x00007FF7EAD60000-0x00007FF7EB152000-memory.dmp	upx
behavioral2/files/0x000a000000023bd4-145.dat	upx
behavioral2/memory/2512-144-0x00007FF6DB690000-0x00007FF6DBA82000-memory.dmp	upx
behavioral2/files/0x000a000000023bd3-142.dat	upx
behavioral2/memory/4496-140-0x00007FF75E8A0000-0x00007FF75EC92000-memory.dmp	upx
behavioral2/files/0x000a000000023bd2-135.dat	upx
behavioral2/memory/1380-133-0x00007FF721AF0000-0x00007FF721EE2000-memory.dmp	upx
behavioral2/memory/4636-129-0x00007FF627530000-0x00007FF627922000-memory.dmp	upx
behavioral2/memory/4836-125-0x00007FF66A9D0000-0x00007FF66ADC2000-memory.dmp	upx
behavioral2/memory/4812-124-0x00007FF686FD0000-0x00007FF6873C2000-memory.dmp	upx
behavioral2/memory/4368-120-0x00007FF65F760000-0x00007FF65FB52000-memory.dmp	upx
behavioral2/memory/2332-117-0x00007FF790510000-0x00007FF790902000-memory.dmp	upx
behavioral2/memory/1356-114-0x00007FF6BDD70000-0x00007FF6BE162000-memory.dmp	upx
behavioral2/files/0x000a000000023bcf-112.dat	upx
behavioral2/memory/2024-110-0x00007FF7A2F30000-0x00007FF7A3322000-memory.dmp	upx
behavioral2/memory/1968-109-0x00007FF628170000-0x00007FF628562000-memory.dmp	upx
behavioral2/files/0x000a000000023bce-101.dat	upx
behavioral2/memory/3476-98-0x00007FF74F1A0000-0x00007FF74F592000-memory.dmp	upx
behavioral2/memory/4500-93-0x00007FF718AF0000-0x00007FF718EE2000-memory.dmp	upx
behavioral2/files/0x000a000000023bcc-82.dat	upx
behavioral2/memory/4220-76-0x00007FF7131F0000-0x00007FF7135E2000-memory.dmp	upx
behavioral2/files/0x000b000000023bc7-74.dat	upx
behavioral2/files/0x000a000000023bca-73.dat	upx
behavioral2/files/0x000b000000023bbe-71.dat	upx
behavioral2/files/0x000a000000023bc5-45.dat	upx
behavioral2/files/0x000a000000023bc8-39.dat	upx
behavioral2/memory/4368-2028-0x00007FF65F760000-0x00007FF65FB52000-memory.dmp	upx
behavioral2/memory/4740-2051-0x00007FF7E6060000-0x00007FF7E6452000-memory.dmp	upx
behavioral2/memory/5028-2055-0x00007FF6610A0000-0x00007FF661492000-memory.dmp	upx
behavioral2/memory/4220-2054-0x00007FF7131F0000-0x00007FF7135E2000-memory.dmp	upx
behavioral2/memory/2060-2057-0x00007FF693460000-0x00007FF693852000-memory.dmp	upx
behavioral2/memory/3476-2059-0x00007FF74F1A0000-0x00007FF74F592000-memory.dmp	upx
behavioral2/memory/1360-2061-0x00007FF673FD0000-0x00007FF6743C2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\UAwtILk.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\DDXdTvL.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\rwLgfRP.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\FjkTjTh.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\OFFMFXD.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\xpMyGRG.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\ZEUJvrM.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\GUsxsRx.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\PFhqkQL.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\JzFPabt.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\hUXeBLp.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\gxmHQYx.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\YVVaPpY.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\eqSnPYi.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\UeDUZAS.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\SbinWfr.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\HUXRHlw.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\QeHDFUt.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\oXCrquV.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\AXPntkH.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\sjhbvnB.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\fnioshm.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\BDhdMBR.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\ZdShdOV.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\AcnzlUQ.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\xxSZrcu.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\UtuHPAC.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\baSDeqh.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\BKiJlPb.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\kvkNUFR.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\FEMavfa.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\IAzwhOq.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\ZEQlBog.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\opGwgBB.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\knbqxYF.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\kkpjbgF.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\pOkHgIu.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\jWToflx.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\ZVLOSWJ.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\eaAsPjv.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\iHjwoYz.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\vZJdUIo.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\hekRRpP.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\YLgJuGF.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\dksBJMx.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\YNEmoAi.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\ThNdCAu.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\cWIpJjQ.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\KfJbQYy.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\siGmtex.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\CaHiTlx.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\feExFvj.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\zongQpf.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\tnooDBC.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\wMcZEOK.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\gjBCRtK.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\xhggsWN.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\yAzRmsF.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\qptdgnU.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\pdmCMIo.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\BfteUsO.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\aJjfVAv.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\jkDMxtA.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
File created	C:\Windows\System\uRaLqFk.exe	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3252	powershell.exe
3252	powershell.exe
3252	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
Token: SeDebugPrivilege	3252	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 3252	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	86
PID 4072 wrote to memory of 3252	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	86
PID 4072 wrote to memory of 4740	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	87
PID 4072 wrote to memory of 4740	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	87
PID 4072 wrote to memory of 4220	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	88
PID 4072 wrote to memory of 4220	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	88
PID 4072 wrote to memory of 1360	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	89
PID 4072 wrote to memory of 1360	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	89
PID 4072 wrote to memory of 2060	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	90
PID 4072 wrote to memory of 2060	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	90
PID 4072 wrote to memory of 4500	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	91
PID 4072 wrote to memory of 4500	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	91
PID 4072 wrote to memory of 3476	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	92
PID 4072 wrote to memory of 3476	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	92
PID 4072 wrote to memory of 5028	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	93
PID 4072 wrote to memory of 5028	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	93
PID 4072 wrote to memory of 4812	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	94
PID 4072 wrote to memory of 4812	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	94
PID 4072 wrote to memory of 1968	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	95
PID 4072 wrote to memory of 1968	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	95
PID 4072 wrote to memory of 2024	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	96
PID 4072 wrote to memory of 2024	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	96
PID 4072 wrote to memory of 1356	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	97
PID 4072 wrote to memory of 1356	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	97
PID 4072 wrote to memory of 4836	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	98
PID 4072 wrote to memory of 4836	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	98
PID 4072 wrote to memory of 2332	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	99
PID 4072 wrote to memory of 2332	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	99
PID 4072 wrote to memory of 4636	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	100
PID 4072 wrote to memory of 4636	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	100
PID 4072 wrote to memory of 1380	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	101
PID 4072 wrote to memory of 1380	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	101
PID 4072 wrote to memory of 4368	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	102
PID 4072 wrote to memory of 4368	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	102
PID 4072 wrote to memory of 1404	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	103
PID 4072 wrote to memory of 1404	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	103
PID 4072 wrote to memory of 4496	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	104
PID 4072 wrote to memory of 4496	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	104
PID 4072 wrote to memory of 2512	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	105
PID 4072 wrote to memory of 2512	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	105
PID 4072 wrote to memory of 3988	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	106
PID 4072 wrote to memory of 3988	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	106
PID 4072 wrote to memory of 4696	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	107
PID 4072 wrote to memory of 4696	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	107
PID 4072 wrote to memory of 4708	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	108
PID 4072 wrote to memory of 4708	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	108
PID 4072 wrote to memory of 4348	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	109
PID 4072 wrote to memory of 4348	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	109
PID 4072 wrote to memory of 3744	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	110
PID 4072 wrote to memory of 3744	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	110
PID 4072 wrote to memory of 2244	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	111
PID 4072 wrote to memory of 2244	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	111
PID 4072 wrote to memory of 852	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	112
PID 4072 wrote to memory of 852	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	112
PID 4072 wrote to memory of 3220	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	113
PID 4072 wrote to memory of 3220	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	113
PID 4072 wrote to memory of 2172	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	114
PID 4072 wrote to memory of 2172	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	114
PID 4072 wrote to memory of 1792	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	115
PID 4072 wrote to memory of 1792	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	115
PID 4072 wrote to memory of 4424	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	116
PID 4072 wrote to memory of 4424	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	116
PID 4072 wrote to memory of 2568	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	117
PID 4072 wrote to memory of 2568	4072	12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe	117

C:\Users\Admin\AppData\Local\Temp\12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12134060b4e3d09aedb7e1f404a8976a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3252
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3252" "2944" "2880" "2948" "0" "0" "2952" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12960
- C:\Windows\System\XebRPQT.exe
  C:\Windows\System\XebRPQT.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\OsDqamA.exe
  C:\Windows\System\OsDqamA.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\ocmzWIx.exe
  C:\Windows\System\ocmzWIx.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\OFFMFXD.exe
  C:\Windows\System\OFFMFXD.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\OdjrWCg.exe
  C:\Windows\System\OdjrWCg.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\SQktZMr.exe
  C:\Windows\System\SQktZMr.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\dbwshFX.exe
  C:\Windows\System\dbwshFX.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\hTphZsw.exe
  C:\Windows\System\hTphZsw.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\GkKIzdp.exe
  C:\Windows\System\GkKIzdp.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\iupAifF.exe
  C:\Windows\System\iupAifF.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\cRdYZGR.exe
  C:\Windows\System\cRdYZGR.exe
  2⤵
  - Executes dropped EXE
  PID:1356
- C:\Windows\System\fujOjKT.exe
  C:\Windows\System\fujOjKT.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\ExiEhSu.exe
  C:\Windows\System\ExiEhSu.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\wMcZEOK.exe
  C:\Windows\System\wMcZEOK.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\YJTXOEi.exe
  C:\Windows\System\YJTXOEi.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\gjBCRtK.exe
  C:\Windows\System\gjBCRtK.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\HJmbsoY.exe
  C:\Windows\System\HJmbsoY.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\FgRCCAN.exe
  C:\Windows\System\FgRCCAN.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\eqSnPYi.exe
  C:\Windows\System\eqSnPYi.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\VWkDNWn.exe
  C:\Windows\System\VWkDNWn.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\IKneRwz.exe
  C:\Windows\System\IKneRwz.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\aJjfVAv.exe
  C:\Windows\System\aJjfVAv.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\mIJGtFD.exe
  C:\Windows\System\mIJGtFD.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\TRenWQa.exe
  C:\Windows\System\TRenWQa.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\mfRiaQx.exe
  C:\Windows\System\mfRiaQx.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\AXBtEJY.exe
  C:\Windows\System\AXBtEJY.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\lciOXIB.exe
  C:\Windows\System\lciOXIB.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\aZuhjNz.exe
  C:\Windows\System\aZuhjNz.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\FEMavfa.exe
  C:\Windows\System\FEMavfa.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\vCzvVZs.exe
  C:\Windows\System\vCzvVZs.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\dGyokse.exe
  C:\Windows\System\dGyokse.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\tffXqbq.exe
  C:\Windows\System\tffXqbq.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\bQSwePR.exe
  C:\Windows\System\bQSwePR.exe
  2⤵
  - Executes dropped EXE
  PID:3244
- C:\Windows\System\ukZYRSP.exe
  C:\Windows\System\ukZYRSP.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\VUMvNHT.exe
  C:\Windows\System\VUMvNHT.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\System\bpPwTox.exe
  C:\Windows\System\bpPwTox.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\ZVLOSWJ.exe
  C:\Windows\System\ZVLOSWJ.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\WYhzfko.exe
  C:\Windows\System\WYhzfko.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System\PUMxHcU.exe
  C:\Windows\System\PUMxHcU.exe
  2⤵
  - Executes dropped EXE
  PID:612
- C:\Windows\System\npHJEFQ.exe
  C:\Windows\System\npHJEFQ.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Windows\System\yPahHEy.exe
  C:\Windows\System\yPahHEy.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\ULCFhpy.exe
  C:\Windows\System\ULCFhpy.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\GphaTvD.exe
  C:\Windows\System\GphaTvD.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\tflHmfy.exe
  C:\Windows\System\tflHmfy.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\RgzTccw.exe
  C:\Windows\System\RgzTccw.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\nhkWNyE.exe
  C:\Windows\System\nhkWNyE.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\pxHwWVA.exe
  C:\Windows\System\pxHwWVA.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\UskNcWD.exe
  C:\Windows\System\UskNcWD.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\GVcJGwA.exe
  C:\Windows\System\GVcJGwA.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Windows\System\hNAIZAk.exe
  C:\Windows\System\hNAIZAk.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\gIDMeYZ.exe
  C:\Windows\System\gIDMeYZ.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\jdCfkNQ.exe
  C:\Windows\System\jdCfkNQ.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\wPtlSke.exe
  C:\Windows\System\wPtlSke.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\erjgPyt.exe
  C:\Windows\System\erjgPyt.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\KzDaxNg.exe
  C:\Windows\System\KzDaxNg.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\UMmzlmS.exe
  C:\Windows\System\UMmzlmS.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\uRNtWnU.exe
  C:\Windows\System\uRNtWnU.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\OjIYfNC.exe
  C:\Windows\System\OjIYfNC.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\jkrHZcC.exe
  C:\Windows\System\jkrHZcC.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\gGXnaHl.exe
  C:\Windows\System\gGXnaHl.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\tQimCNE.exe
  C:\Windows\System\tQimCNE.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\EhcbAGJ.exe
  C:\Windows\System\EhcbAGJ.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\mLFjIOy.exe
  C:\Windows\System\mLFjIOy.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\ObNBbMM.exe
  C:\Windows\System\ObNBbMM.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\GOfSCRX.exe
  C:\Windows\System\GOfSCRX.exe
  2⤵
  PID:3748
- C:\Windows\System\jrPGhbf.exe
  C:\Windows\System\jrPGhbf.exe
  2⤵
  PID:628
- C:\Windows\System\TGfswbd.exe
  C:\Windows\System\TGfswbd.exe
  2⤵
  PID:3316
- C:\Windows\System\BFwvmHY.exe
  C:\Windows\System\BFwvmHY.exe
  2⤵
  PID:3692
- C:\Windows\System\zqRFezq.exe
  C:\Windows\System\zqRFezq.exe
  2⤵
  PID:4060
- C:\Windows\System\aJBgFEV.exe
  C:\Windows\System\aJBgFEV.exe
  2⤵
  PID:1764
- C:\Windows\System\cguLjVY.exe
  C:\Windows\System\cguLjVY.exe
  2⤵
  PID:3068
- C:\Windows\System\HwSgbqq.exe
  C:\Windows\System\HwSgbqq.exe
  2⤵
  PID:3392
- C:\Windows\System\MajjhjA.exe
  C:\Windows\System\MajjhjA.exe
  2⤵
  PID:1036
- C:\Windows\System\LzUHVxJ.exe
  C:\Windows\System\LzUHVxJ.exe
  2⤵
  PID:5136
- C:\Windows\System\jkDMxtA.exe
  C:\Windows\System\jkDMxtA.exe
  2⤵
  PID:5164
- C:\Windows\System\iMMFJrQ.exe
  C:\Windows\System\iMMFJrQ.exe
  2⤵
  PID:5196
- C:\Windows\System\tjfwhnu.exe
  C:\Windows\System\tjfwhnu.exe
  2⤵
  PID:5220
- C:\Windows\System\HcQZana.exe
  C:\Windows\System\HcQZana.exe
  2⤵
  PID:5248
- C:\Windows\System\cWIpJjQ.exe
  C:\Windows\System\cWIpJjQ.exe
  2⤵
  PID:5276
- C:\Windows\System\FoxBpOl.exe
  C:\Windows\System\FoxBpOl.exe
  2⤵
  PID:5328
- C:\Windows\System\DaCMLFZ.exe
  C:\Windows\System\DaCMLFZ.exe
  2⤵
  PID:5344
- C:\Windows\System\kDpIXHR.exe
  C:\Windows\System\kDpIXHR.exe
  2⤵
  PID:5360
- C:\Windows\System\wmyQZTZ.exe
  C:\Windows\System\wmyQZTZ.exe
  2⤵
  PID:5384
- C:\Windows\System\WtBAmsS.exe
  C:\Windows\System\WtBAmsS.exe
  2⤵
  PID:5412
- C:\Windows\System\qzoaary.exe
  C:\Windows\System\qzoaary.exe
  2⤵
  PID:5432
- C:\Windows\System\vArmGsB.exe
  C:\Windows\System\vArmGsB.exe
  2⤵
  PID:5460
- C:\Windows\System\XHNKhVG.exe
  C:\Windows\System\XHNKhVG.exe
  2⤵
  PID:5488
- C:\Windows\System\OCpMpBJ.exe
  C:\Windows\System\OCpMpBJ.exe
  2⤵
  PID:5512
- C:\Windows\System\ajPCuIN.exe
  C:\Windows\System\ajPCuIN.exe
  2⤵
  PID:5540
- C:\Windows\System\Tttzeuz.exe
  C:\Windows\System\Tttzeuz.exe
  2⤵
  PID:5572
- C:\Windows\System\DAxlNWR.exe
  C:\Windows\System\DAxlNWR.exe
  2⤵
  PID:5600
- C:\Windows\System\zMJxPUX.exe
  C:\Windows\System\zMJxPUX.exe
  2⤵
  PID:5628
- C:\Windows\System\HWiYwGT.exe
  C:\Windows\System\HWiYwGT.exe
  2⤵
  PID:5656
- C:\Windows\System\QXcsieN.exe
  C:\Windows\System\QXcsieN.exe
  2⤵
  PID:5684
- C:\Windows\System\OsHWBLp.exe
  C:\Windows\System\OsHWBLp.exe
  2⤵
  PID:5712
- C:\Windows\System\HmLfgBN.exe
  C:\Windows\System\HmLfgBN.exe
  2⤵
  PID:5740
- C:\Windows\System\BsgDyGc.exe
  C:\Windows\System\BsgDyGc.exe
  2⤵
  PID:5768
- C:\Windows\System\xpMyGRG.exe
  C:\Windows\System\xpMyGRG.exe
  2⤵
  PID:5792
- C:\Windows\System\QvRzhwn.exe
  C:\Windows\System\QvRzhwn.exe
  2⤵
  PID:5820
- C:\Windows\System\aBMQJmy.exe
  C:\Windows\System\aBMQJmy.exe
  2⤵
  PID:5848
- C:\Windows\System\NqWRqUK.exe
  C:\Windows\System\NqWRqUK.exe
  2⤵
  PID:5880
- C:\Windows\System\qHfUriZ.exe
  C:\Windows\System\qHfUriZ.exe
  2⤵
  PID:5908
- C:\Windows\System\vvijfne.exe
  C:\Windows\System\vvijfne.exe
  2⤵
  PID:5940
- C:\Windows\System\SowCMmX.exe
  C:\Windows\System\SowCMmX.exe
  2⤵
  PID:5968
- C:\Windows\System\OnPTYGG.exe
  C:\Windows\System\OnPTYGG.exe
  2⤵
  PID:6004
- C:\Windows\System\ofOskDV.exe
  C:\Windows\System\ofOskDV.exe
  2⤵
  PID:6032
- C:\Windows\System\EInOWnU.exe
  C:\Windows\System\EInOWnU.exe
  2⤵
  PID:6060
- C:\Windows\System\SnCSnQJ.exe
  C:\Windows\System\SnCSnQJ.exe
  2⤵
  PID:6088
- C:\Windows\System\awgRSwU.exe
  C:\Windows\System\awgRSwU.exe
  2⤵
  PID:6116
- C:\Windows\System\MbYUOPd.exe
  C:\Windows\System\MbYUOPd.exe
  2⤵
  PID:4320
- C:\Windows\System\ViyvaFJ.exe
  C:\Windows\System\ViyvaFJ.exe
  2⤵
  PID:2020
- C:\Windows\System\ocaPFjM.exe
  C:\Windows\System\ocaPFjM.exe
  2⤵
  PID:5048
- C:\Windows\System\hWWjbyf.exe
  C:\Windows\System\hWWjbyf.exe
  2⤵
  PID:5032
- C:\Windows\System\xhggsWN.exe
  C:\Windows\System\xhggsWN.exe
  2⤵
  PID:4388
- C:\Windows\System\uRaLqFk.exe
  C:\Windows\System\uRaLqFk.exe
  2⤵
  PID:5124
- C:\Windows\System\IIWwaor.exe
  C:\Windows\System\IIWwaor.exe
  2⤵
  PID:5184
- C:\Windows\System\ZqAAbzC.exe
  C:\Windows\System\ZqAAbzC.exe
  2⤵
  PID:5240
- C:\Windows\System\bHpoRfy.exe
  C:\Windows\System\bHpoRfy.exe
  2⤵
  PID:5308
- C:\Windows\System\kguVoIU.exe
  C:\Windows\System\kguVoIU.exe
  2⤵
  PID:5376
- C:\Windows\System\xzvGCll.exe
  C:\Windows\System\xzvGCll.exe
  2⤵
  PID:5444
- C:\Windows\System\IAzwhOq.exe
  C:\Windows\System\IAzwhOq.exe
  2⤵
  PID:5500
- C:\Windows\System\IQhfJjX.exe
  C:\Windows\System\IQhfJjX.exe
  2⤵
  PID:4580
- C:\Windows\System\sfshLmZ.exe
  C:\Windows\System\sfshLmZ.exe
  2⤵
  PID:5616
- C:\Windows\System\ToGDtgd.exe
  C:\Windows\System\ToGDtgd.exe
  2⤵
  PID:5676
- C:\Windows\System\YLgJuGF.exe
  C:\Windows\System\YLgJuGF.exe
  2⤵
  PID:5724
- C:\Windows\System\PBSafrA.exe
  C:\Windows\System\PBSafrA.exe
  2⤵
  PID:5784
- C:\Windows\System\nJwimnH.exe
  C:\Windows\System\nJwimnH.exe
  2⤵
  PID:4756
- C:\Windows\System\DWXFcqN.exe
  C:\Windows\System\DWXFcqN.exe
  2⤵
  PID:5000
- C:\Windows\System\lyAaaxp.exe
  C:\Windows\System\lyAaaxp.exe
  2⤵
  PID:4308
- C:\Windows\System\itNjoBa.exe
  C:\Windows\System\itNjoBa.exe
  2⤵
  PID:5996
- C:\Windows\System\vziCqWN.exe
  C:\Windows\System\vziCqWN.exe
  2⤵
  PID:2132
- C:\Windows\System\PyvsRrr.exe
  C:\Windows\System\PyvsRrr.exe
  2⤵
  PID:6100
- C:\Windows\System\KPWMRKB.exe
  C:\Windows\System\KPWMRKB.exe
  2⤵
  PID:1240
- C:\Windows\System\aAxaivJ.exe
  C:\Windows\System\aAxaivJ.exe
  2⤵
  PID:2572
- C:\Windows\System\Kxwoabn.exe
  C:\Windows\System\Kxwoabn.exe
  2⤵
  PID:4524
- C:\Windows\System\XwvWcex.exe
  C:\Windows\System\XwvWcex.exe
  2⤵
  PID:5232
- C:\Windows\System\CFETNtp.exe
  C:\Windows\System\CFETNtp.exe
  2⤵
  PID:5404
- C:\Windows\System\KfJbQYy.exe
  C:\Windows\System\KfJbQYy.exe
  2⤵
  PID:5528
- C:\Windows\System\kqbwglv.exe
  C:\Windows\System\kqbwglv.exe
  2⤵
  PID:1672
- C:\Windows\System\tWOrcbo.exe
  C:\Windows\System\tWOrcbo.exe
  2⤵
  PID:5704
- C:\Windows\System\cHonMhO.exe
  C:\Windows\System\cHonMhO.exe
  2⤵
  PID:5808
- C:\Windows\System\RURfSuc.exe
  C:\Windows\System\RURfSuc.exe
  2⤵
  PID:5924
- C:\Windows\System\rYleuBQ.exe
  C:\Windows\System\rYleuBQ.exe
  2⤵
  PID:1588
- C:\Windows\System\wbkEOwk.exe
  C:\Windows\System\wbkEOwk.exe
  2⤵
  PID:6076
- C:\Windows\System\qEbDlYo.exe
  C:\Windows\System\qEbDlYo.exe
  2⤵
  PID:212
- C:\Windows\System\clEvsUO.exe
  C:\Windows\System\clEvsUO.exe
  2⤵
  PID:5340
- C:\Windows\System\bRUueql.exe
  C:\Windows\System\bRUueql.exe
  2⤵
  PID:5612
- C:\Windows\System\ApfeMFh.exe
  C:\Windows\System\ApfeMFh.exe
  2⤵
  PID:3212
- C:\Windows\System\luJRWeE.exe
  C:\Windows\System\luJRWeE.exe
  2⤵
  PID:5988
- C:\Windows\System\xMwnlzS.exe
  C:\Windows\System\xMwnlzS.exe
  2⤵
  PID:6172
- C:\Windows\System\nvonfkD.exe
  C:\Windows\System\nvonfkD.exe
  2⤵
  PID:6200
- C:\Windows\System\QOuFgLR.exe
  C:\Windows\System\QOuFgLR.exe
  2⤵
  PID:6228
- C:\Windows\System\xUpjIGY.exe
  C:\Windows\System\xUpjIGY.exe
  2⤵
  PID:6268
- C:\Windows\System\ANEOsIq.exe
  C:\Windows\System\ANEOsIq.exe
  2⤵
  PID:6288
- C:\Windows\System\yuvMDtC.exe
  C:\Windows\System\yuvMDtC.exe
  2⤵
  PID:6316
- C:\Windows\System\AZgsJBI.exe
  C:\Windows\System\AZgsJBI.exe
  2⤵
  PID:6344
- C:\Windows\System\PCnGCut.exe
  C:\Windows\System\PCnGCut.exe
  2⤵
  PID:6372
- C:\Windows\System\guKugWB.exe
  C:\Windows\System\guKugWB.exe
  2⤵
  PID:6400
- C:\Windows\System\fDxObZC.exe
  C:\Windows\System\fDxObZC.exe
  2⤵
  PID:6428
- C:\Windows\System\KkhzpUU.exe
  C:\Windows\System\KkhzpUU.exe
  2⤵
  PID:6496
- C:\Windows\System\UtuHPAC.exe
  C:\Windows\System\UtuHPAC.exe
  2⤵
  PID:6532
- C:\Windows\System\NtOZrSO.exe
  C:\Windows\System\NtOZrSO.exe
  2⤵
  PID:6608
- C:\Windows\System\xioeoiQ.exe
  C:\Windows\System\xioeoiQ.exe
  2⤵
  PID:6636
- C:\Windows\System\siGmtex.exe
  C:\Windows\System\siGmtex.exe
  2⤵
  PID:6660
- C:\Windows\System\qqkXNcj.exe
  C:\Windows\System\qqkXNcj.exe
  2⤵
  PID:6680
- C:\Windows\System\emuOqnV.exe
  C:\Windows\System\emuOqnV.exe
  2⤵
  PID:6704
- C:\Windows\System\LTlnRVS.exe
  C:\Windows\System\LTlnRVS.exe
  2⤵
  PID:6720
- C:\Windows\System\CaHiTlx.exe
  C:\Windows\System\CaHiTlx.exe
  2⤵
  PID:6756
- C:\Windows\System\StJXWLx.exe
  C:\Windows\System\StJXWLx.exe
  2⤵
  PID:6772
- C:\Windows\System\ZrBkGXY.exe
  C:\Windows\System\ZrBkGXY.exe
  2⤵
  PID:6792
- C:\Windows\System\DBJWBXR.exe
  C:\Windows\System\DBJWBXR.exe
  2⤵
  PID:6816
- C:\Windows\System\fkovJkz.exe
  C:\Windows\System\fkovJkz.exe
  2⤵
  PID:6836
- C:\Windows\System\yKTfroB.exe
  C:\Windows\System\yKTfroB.exe
  2⤵
  PID:6856
- C:\Windows\System\ICtVIOc.exe
  C:\Windows\System\ICtVIOc.exe
  2⤵
  PID:6920
- C:\Windows\System\EMuJQlJ.exe
  C:\Windows\System\EMuJQlJ.exe
  2⤵
  PID:6944
- C:\Windows\System\ZfqrxyF.exe
  C:\Windows\System\ZfqrxyF.exe
  2⤵
  PID:6968
- C:\Windows\System\VpBfBgB.exe
  C:\Windows\System\VpBfBgB.exe
  2⤵
  PID:7008
- C:\Windows\System\eNWZrtG.exe
  C:\Windows\System\eNWZrtG.exe
  2⤵
  PID:7036
- C:\Windows\System\uRDvhXg.exe
  C:\Windows\System\uRDvhXg.exe
  2⤵
  PID:7068
- C:\Windows\System\BxCkpjE.exe
  C:\Windows\System\BxCkpjE.exe
  2⤵
  PID:7116
- C:\Windows\System\OJicDsk.exe
  C:\Windows\System\OJicDsk.exe
  2⤵
  PID:7136
- C:\Windows\System\sQoqAAf.exe
  C:\Windows\System\sQoqAAf.exe
  2⤵
  PID:7156
- C:\Windows\System\DWGFMXa.exe
  C:\Windows\System\DWGFMXa.exe
  2⤵
  PID:5156
- C:\Windows\System\zRAVPNF.exe
  C:\Windows\System\zRAVPNF.exe
  2⤵
  PID:5472
- C:\Windows\System\KUpUWEe.exe
  C:\Windows\System\KUpUWEe.exe
  2⤵
  PID:4432
- C:\Windows\System\XxOxDlQ.exe
  C:\Windows\System\XxOxDlQ.exe
  2⤵
  PID:6168
- C:\Windows\System\quzwoCd.exe
  C:\Windows\System\quzwoCd.exe
  2⤵
  PID:2888
- C:\Windows\System\VnVwudI.exe
  C:\Windows\System\VnVwudI.exe
  2⤵
  PID:4316
- C:\Windows\System\hekRRpP.exe
  C:\Windows\System\hekRRpP.exe
  2⤵
  PID:6284
- C:\Windows\System\dKATMjN.exe
  C:\Windows\System\dKATMjN.exe
  2⤵
  PID:6304
- C:\Windows\System\ntogVWM.exe
  C:\Windows\System\ntogVWM.exe
  2⤵
  PID:3412
- C:\Windows\System\dAiJKin.exe
  C:\Windows\System\dAiJKin.exe
  2⤵
  PID:2724
- C:\Windows\System\TUJDYNu.exe
  C:\Windows\System\TUJDYNu.exe
  2⤵
  PID:6476
- C:\Windows\System\jzigvcX.exe
  C:\Windows\System\jzigvcX.exe
  2⤵
  PID:6416
- C:\Windows\System\crVYrna.exe
  C:\Windows\System\crVYrna.exe
  2⤵
  PID:6492
- C:\Windows\System\VbkbVxq.exe
  C:\Windows\System\VbkbVxq.exe
  2⤵
  PID:4404
- C:\Windows\System\yfFSImY.exe
  C:\Windows\System\yfFSImY.exe
  2⤵
  PID:2180
- C:\Windows\System\KYzFJho.exe
  C:\Windows\System\KYzFJho.exe
  2⤵
  PID:2372
- C:\Windows\System\UbITnVh.exe
  C:\Windows\System\UbITnVh.exe
  2⤵
  PID:6548
- C:\Windows\System\osCFVDU.exe
  C:\Windows\System\osCFVDU.exe
  2⤵
  PID:1940
- C:\Windows\System\baSDeqh.exe
  C:\Windows\System\baSDeqh.exe
  2⤵
  PID:6732
- C:\Windows\System\qTBvfQw.exe
  C:\Windows\System\qTBvfQw.exe
  2⤵
  PID:6800
- C:\Windows\System\unmYSWz.exe
  C:\Windows\System\unmYSWz.exe
  2⤵
  PID:6828
- C:\Windows\System\ceBnKPH.exe
  C:\Windows\System\ceBnKPH.exe
  2⤵
  PID:6876
- C:\Windows\System\EDGjjwY.exe
  C:\Windows\System\EDGjjwY.exe
  2⤵
  PID:6952
- C:\Windows\System\PpWzQhx.exe
  C:\Windows\System\PpWzQhx.exe
  2⤵
  PID:7016
- C:\Windows\System\TPLUhyb.exe
  C:\Windows\System\TPLUhyb.exe
  2⤵
  PID:7060
- C:\Windows\System\syZfaTs.exe
  C:\Windows\System\syZfaTs.exe
  2⤵
  PID:3712
- C:\Windows\System\VDMgozp.exe
  C:\Windows\System\VDMgozp.exe
  2⤵
  PID:3196
- C:\Windows\System\SCRKBBn.exe
  C:\Windows\System\SCRKBBn.exe
  2⤵
  PID:5024
- C:\Windows\System\sjhbvnB.exe
  C:\Windows\System\sjhbvnB.exe
  2⤵
  PID:6280
- C:\Windows\System\QOlDQFm.exe
  C:\Windows\System\QOlDQFm.exe
  2⤵
  PID:6328
- C:\Windows\System\pgUBqog.exe
  C:\Windows\System\pgUBqog.exe
  2⤵
  PID:6488
- C:\Windows\System\VySmWlN.exe
  C:\Windows\System\VySmWlN.exe
  2⤵
  PID:2852
- C:\Windows\System\jvkfvGG.exe
  C:\Windows\System\jvkfvGG.exe
  2⤵
  PID:3508
- C:\Windows\System\uOhiTyl.exe
  C:\Windows\System\uOhiTyl.exe
  2⤵
  PID:4996
- C:\Windows\System\JXwzkYW.exe
  C:\Windows\System\JXwzkYW.exe
  2⤵
  PID:7088
- C:\Windows\System\aBCRRnh.exe
  C:\Windows\System\aBCRRnh.exe
  2⤵
  PID:7112
- C:\Windows\System\XwTHQBg.exe
  C:\Windows\System\XwTHQBg.exe
  2⤵
  PID:7064
- C:\Windows\System\EjXQJtF.exe
  C:\Windows\System\EjXQJtF.exe
  2⤵
  PID:4024
- C:\Windows\System\pejHnIH.exe
  C:\Windows\System\pejHnIH.exe
  2⤵
  PID:6544
- C:\Windows\System\gSgiMik.exe
  C:\Windows\System\gSgiMik.exe
  2⤵
  PID:6692
- C:\Windows\System\TPvsTCp.exe
  C:\Windows\System\TPvsTCp.exe
  2⤵
  PID:6812
- C:\Windows\System\vmWTShw.exe
  C:\Windows\System\vmWTShw.exe
  2⤵
  PID:6988
- C:\Windows\System\avyChoC.exe
  C:\Windows\System\avyChoC.exe
  2⤵
  PID:6456
- C:\Windows\System\yMCMoYz.exe
  C:\Windows\System\yMCMoYz.exe
  2⤵
  PID:7172
- C:\Windows\System\jPhunpR.exe
  C:\Windows\System\jPhunpR.exe
  2⤵
  PID:7196
- C:\Windows\System\iVkKCmK.exe
  C:\Windows\System\iVkKCmK.exe
  2⤵
  PID:7212
- C:\Windows\System\tVBWDMQ.exe
  C:\Windows\System\tVBWDMQ.exe
  2⤵
  PID:7240
- C:\Windows\System\enirmWX.exe
  C:\Windows\System\enirmWX.exe
  2⤵
  PID:7268
- C:\Windows\System\jAExZqO.exe
  C:\Windows\System\jAExZqO.exe
  2⤵
  PID:7284
- C:\Windows\System\InaDSIp.exe
  C:\Windows\System\InaDSIp.exe
  2⤵
  PID:7304
- C:\Windows\System\tEXVWwK.exe
  C:\Windows\System\tEXVWwK.exe
  2⤵
  PID:7328
- C:\Windows\System\Myyrdbc.exe
  C:\Windows\System\Myyrdbc.exe
  2⤵
  PID:7352
- C:\Windows\System\lWRuvwL.exe
  C:\Windows\System\lWRuvwL.exe
  2⤵
  PID:7388
- C:\Windows\System\ozLetfv.exe
  C:\Windows\System\ozLetfv.exe
  2⤵
  PID:7460
- C:\Windows\System\fnJoUmW.exe
  C:\Windows\System\fnJoUmW.exe
  2⤵
  PID:7480
- C:\Windows\System\UeDUZAS.exe
  C:\Windows\System\UeDUZAS.exe
  2⤵
  PID:7508
- C:\Windows\System\HjeYzYz.exe
  C:\Windows\System\HjeYzYz.exe
  2⤵
  PID:7532
- C:\Windows\System\IllexyI.exe
  C:\Windows\System\IllexyI.exe
  2⤵
  PID:7556
- C:\Windows\System\koUNZYa.exe
  C:\Windows\System\koUNZYa.exe
  2⤵
  PID:7576
- C:\Windows\System\hMbuqFr.exe
  C:\Windows\System\hMbuqFr.exe
  2⤵
  PID:7616
- C:\Windows\System\IxsfcLw.exe
  C:\Windows\System\IxsfcLw.exe
  2⤵
  PID:7636
- C:\Windows\System\yqaypUh.exe
  C:\Windows\System\yqaypUh.exe
  2⤵
  PID:7676
- C:\Windows\System\GXyseFt.exe
  C:\Windows\System\GXyseFt.exe
  2⤵
  PID:7696
- C:\Windows\System\UukaibF.exe
  C:\Windows\System\UukaibF.exe
  2⤵
  PID:7720
- C:\Windows\System\IqHkilX.exe
  C:\Windows\System\IqHkilX.exe
  2⤵
  PID:7748
- C:\Windows\System\CpSIErq.exe
  C:\Windows\System\CpSIErq.exe
  2⤵
  PID:7764
- C:\Windows\System\LFRTped.exe
  C:\Windows\System\LFRTped.exe
  2⤵
  PID:7792
- C:\Windows\System\dAwgolG.exe
  C:\Windows\System\dAwgolG.exe
  2⤵
  PID:7812
- C:\Windows\System\JzFPabt.exe
  C:\Windows\System\JzFPabt.exe
  2⤵
  PID:7832
- C:\Windows\System\QMZcRRW.exe
  C:\Windows\System\QMZcRRW.exe
  2⤵
  PID:7908
- C:\Windows\System\jPjVURq.exe
  C:\Windows\System\jPjVURq.exe
  2⤵
  PID:7928
- C:\Windows\System\edabPHB.exe
  C:\Windows\System\edabPHB.exe
  2⤵
  PID:7964
- C:\Windows\System\PpcfVpn.exe
  C:\Windows\System\PpcfVpn.exe
  2⤵
  PID:7980
- C:\Windows\System\EBppiLB.exe
  C:\Windows\System\EBppiLB.exe
  2⤵
  PID:8004
- C:\Windows\System\hLCfLXJ.exe
  C:\Windows\System\hLCfLXJ.exe
  2⤵
  PID:8024
- C:\Windows\System\NAeVqgX.exe
  C:\Windows\System\NAeVqgX.exe
  2⤵
  PID:8052
- C:\Windows\System\TKyiUAI.exe
  C:\Windows\System\TKyiUAI.exe
  2⤵
  PID:8088
- C:\Windows\System\eaAsPjv.exe
  C:\Windows\System\eaAsPjv.exe
  2⤵
  PID:8116
- C:\Windows\System\sOvtTXY.exe
  C:\Windows\System\sOvtTXY.exe
  2⤵
  PID:8136
- C:\Windows\System\elZPyGF.exe
  C:\Windows\System\elZPyGF.exe
  2⤵
  PID:8164
- C:\Windows\System\GzHNehB.exe
  C:\Windows\System\GzHNehB.exe
  2⤵
  PID:7232
- C:\Windows\System\jvvoNpE.exe
  C:\Windows\System\jvvoNpE.exe
  2⤵
  PID:7280
- C:\Windows\System\MDkkpaI.exe
  C:\Windows\System\MDkkpaI.exe
  2⤵
  PID:7312
- C:\Windows\System\DdYyVZa.exe
  C:\Windows\System\DdYyVZa.exe
  2⤵
  PID:7384
- C:\Windows\System\iHjwoYz.exe
  C:\Windows\System\iHjwoYz.exe
  2⤵
  PID:7380
- C:\Windows\System\SXIqdFx.exe
  C:\Windows\System\SXIqdFx.exe
  2⤵
  PID:7500
- C:\Windows\System\ySkfSZd.exe
  C:\Windows\System\ySkfSZd.exe
  2⤵
  PID:7552
- C:\Windows\System\ZEUJvrM.exe
  C:\Windows\System\ZEUJvrM.exe
  2⤵
  PID:7648
- C:\Windows\System\yLCtZGc.exe
  C:\Windows\System\yLCtZGc.exe
  2⤵
  PID:7688
- C:\Windows\System\qYVeCvc.exe
  C:\Windows\System\qYVeCvc.exe
  2⤵
  PID:7736
- C:\Windows\System\ogePFuB.exe
  C:\Windows\System\ogePFuB.exe
  2⤵
  PID:7900
- C:\Windows\System\CLudRHh.exe
  C:\Windows\System\CLudRHh.exe
  2⤵
  PID:7924
- C:\Windows\System\GUsxsRx.exe
  C:\Windows\System\GUsxsRx.exe
  2⤵
  PID:7972
- C:\Windows\System\dksBJMx.exe
  C:\Windows\System\dksBJMx.exe
  2⤵
  PID:8020
- C:\Windows\System\AGFQRyk.exe
  C:\Windows\System\AGFQRyk.exe
  2⤵
  PID:8180
- C:\Windows\System\WQAzQin.exe
  C:\Windows\System\WQAzQin.exe
  2⤵
  PID:7180
- C:\Windows\System\vZJdUIo.exe
  C:\Windows\System\vZJdUIo.exe
  2⤵
  PID:7264
- C:\Windows\System\rIfTSGa.exe
  C:\Windows\System\rIfTSGa.exe
  2⤵
  PID:7340
- C:\Windows\System\UCDJddW.exe
  C:\Windows\System\UCDJddW.exe
  2⤵
  PID:7520
- C:\Windows\System\uVaDOsm.exe
  C:\Windows\System\uVaDOsm.exe
  2⤵
  PID:7652
- C:\Windows\System\NqKKBan.exe
  C:\Windows\System\NqKKBan.exe
  2⤵
  PID:7776
- C:\Windows\System\gmUPGRg.exe
  C:\Windows\System\gmUPGRg.exe
  2⤵
  PID:8080
- C:\Windows\System\AVxxEuC.exe
  C:\Windows\System\AVxxEuC.exe
  2⤵
  PID:7184
- C:\Windows\System\ofPpdJZ.exe
  C:\Windows\System\ofPpdJZ.exe
  2⤵
  PID:7524
- C:\Windows\System\zURYsyg.exe
  C:\Windows\System\zURYsyg.exe
  2⤵
  PID:7880
- C:\Windows\System\BWyLniN.exe
  C:\Windows\System\BWyLniN.exe
  2⤵
  PID:8156
- C:\Windows\System\MjmSdwU.exe
  C:\Windows\System\MjmSdwU.exe
  2⤵
  PID:8016
- C:\Windows\System\JqlvIqg.exe
  C:\Windows\System\JqlvIqg.exe
  2⤵
  PID:8208
- C:\Windows\System\zgJqWRz.exe
  C:\Windows\System\zgJqWRz.exe
  2⤵
  PID:8232
- C:\Windows\System\vwDtRNu.exe
  C:\Windows\System\vwDtRNu.exe
  2⤵
  PID:8276
- C:\Windows\System\qAIIWpS.exe
  C:\Windows\System\qAIIWpS.exe
  2⤵
  PID:8300
- C:\Windows\System\hIaljZY.exe
  C:\Windows\System\hIaljZY.exe
  2⤵
  PID:8324
- C:\Windows\System\Likqbao.exe
  C:\Windows\System\Likqbao.exe
  2⤵
  PID:8344
- C:\Windows\System\YLWUgYl.exe
  C:\Windows\System\YLWUgYl.exe
  2⤵
  PID:8368
- C:\Windows\System\EANuULi.exe
  C:\Windows\System\EANuULi.exe
  2⤵
  PID:8408
- C:\Windows\System\QMqrbVI.exe
  C:\Windows\System\QMqrbVI.exe
  2⤵
  PID:8448
- C:\Windows\System\jecCNLu.exe
  C:\Windows\System\jecCNLu.exe
  2⤵
  PID:8468
- C:\Windows\System\MeOvDJy.exe
  C:\Windows\System\MeOvDJy.exe
  2⤵
  PID:8500
- C:\Windows\System\NkaqVlw.exe
  C:\Windows\System\NkaqVlw.exe
  2⤵
  PID:8532
- C:\Windows\System\XjdRXiv.exe
  C:\Windows\System\XjdRXiv.exe
  2⤵
  PID:8560
- C:\Windows\System\GYrikCI.exe
  C:\Windows\System\GYrikCI.exe
  2⤵
  PID:8576
- C:\Windows\System\BKiJlPb.exe
  C:\Windows\System\BKiJlPb.exe
  2⤵
  PID:8596
- C:\Windows\System\iNcWHcC.exe
  C:\Windows\System\iNcWHcC.exe
  2⤵
  PID:8624
- C:\Windows\System\NGGXYGW.exe
  C:\Windows\System\NGGXYGW.exe
  2⤵
  PID:8648
- C:\Windows\System\XfvLjHB.exe
  C:\Windows\System\XfvLjHB.exe
  2⤵
  PID:8668
- C:\Windows\System\CJPFIxA.exe
  C:\Windows\System\CJPFIxA.exe
  2⤵
  PID:8696
- C:\Windows\System\LpZvuIs.exe
  C:\Windows\System\LpZvuIs.exe
  2⤵
  PID:8724
- C:\Windows\System\FJdsNCz.exe
  C:\Windows\System\FJdsNCz.exe
  2⤵
  PID:8772
- C:\Windows\System\imUNWeK.exe
  C:\Windows\System\imUNWeK.exe
  2⤵
  PID:8792
- C:\Windows\System\HBgjQyj.exe
  C:\Windows\System\HBgjQyj.exe
  2⤵
  PID:8836
- C:\Windows\System\sXsIdia.exe
  C:\Windows\System\sXsIdia.exe
  2⤵
  PID:8856
- C:\Windows\System\YvmTNiJ.exe
  C:\Windows\System\YvmTNiJ.exe
  2⤵
  PID:8896
- C:\Windows\System\TMtzeRa.exe
  C:\Windows\System\TMtzeRa.exe
  2⤵
  PID:8936
- C:\Windows\System\qWWNJgT.exe
  C:\Windows\System\qWWNJgT.exe
  2⤵
  PID:8960
- C:\Windows\System\DbkpKqR.exe
  C:\Windows\System\DbkpKqR.exe
  2⤵
  PID:9008
- C:\Windows\System\wgyJTto.exe
  C:\Windows\System\wgyJTto.exe
  2⤵
  PID:9024
- C:\Windows\System\mHOokOM.exe
  C:\Windows\System\mHOokOM.exe
  2⤵
  PID:9048
- C:\Windows\System\NROZTuM.exe
  C:\Windows\System\NROZTuM.exe
  2⤵
  PID:9076
- C:\Windows\System\GHsFQgP.exe
  C:\Windows\System\GHsFQgP.exe
  2⤵
  PID:9108
- C:\Windows\System\ljEqACF.exe
  C:\Windows\System\ljEqACF.exe
  2⤵
  PID:9128
- C:\Windows\System\oVZfFbS.exe
  C:\Windows\System\oVZfFbS.exe
  2⤵
  PID:9164
- C:\Windows\System\veeHHHq.exe
  C:\Windows\System\veeHHHq.exe
  2⤵
  PID:9188
- C:\Windows\System\boQgRwk.exe
  C:\Windows\System\boQgRwk.exe
  2⤵
  PID:9208
- C:\Windows\System\hUXeBLp.exe
  C:\Windows\System\hUXeBLp.exe
  2⤵
  PID:7612
- C:\Windows\System\vMAAWxo.exe
  C:\Windows\System\vMAAWxo.exe
  2⤵
  PID:8284
- C:\Windows\System\AcnzlUQ.exe
  C:\Windows\System\AcnzlUQ.exe
  2⤵
  PID:8360
- C:\Windows\System\xSHTNZV.exe
  C:\Windows\System\xSHTNZV.exe
  2⤵
  PID:8356
- C:\Windows\System\felGSLk.exe
  C:\Windows\System\felGSLk.exe
  2⤵
  PID:8440
- C:\Windows\System\kzrsybs.exe
  C:\Windows\System\kzrsybs.exe
  2⤵
  PID:8572
- C:\Windows\System\UZbGpHh.exe
  C:\Windows\System\UZbGpHh.exe
  2⤵
  PID:8604
- C:\Windows\System\FUUPwuY.exe
  C:\Windows\System\FUUPwuY.exe
  2⤵
  PID:8676
- C:\Windows\System\aIKxcAv.exe
  C:\Windows\System\aIKxcAv.exe
  2⤵
  PID:8704
- C:\Windows\System\YsRUqGV.exe
  C:\Windows\System\YsRUqGV.exe
  2⤵
  PID:8828
- C:\Windows\System\JtQGVQm.exe
  C:\Windows\System\JtQGVQm.exe
  2⤵
  PID:8848
- C:\Windows\System\qtkcfLk.exe
  C:\Windows\System\qtkcfLk.exe
  2⤵
  PID:8892
- C:\Windows\System\rOkANjY.exe
  C:\Windows\System\rOkANjY.exe
  2⤵
  PID:8996
- C:\Windows\System\DgKrdwv.exe
  C:\Windows\System\DgKrdwv.exe
  2⤵
  PID:9064
- C:\Windows\System\NAwWsXD.exe
  C:\Windows\System\NAwWsXD.exe
  2⤵
  PID:9104
- C:\Windows\System\kDOkQdt.exe
  C:\Windows\System\kDOkQdt.exe
  2⤵
  PID:9156
- C:\Windows\System\aIHuQCg.exe
  C:\Windows\System\aIHuQCg.exe
  2⤵
  PID:8272
- C:\Windows\System\yAzRmsF.exe
  C:\Windows\System\yAzRmsF.exe
  2⤵
  PID:8464
- C:\Windows\System\luQkwfE.exe
  C:\Windows\System\luQkwfE.exe
  2⤵
  PID:8444
- C:\Windows\System\evEsERF.exe
  C:\Windows\System\evEsERF.exe
  2⤵
  PID:8692
- C:\Windows\System\YjderNX.exe
  C:\Windows\System\YjderNX.exe
  2⤵
  PID:8744
- C:\Windows\System\VWwZiRO.exe
  C:\Windows\System\VWwZiRO.exe
  2⤵
  PID:8216
- C:\Windows\System\wWcIpvW.exe
  C:\Windows\System\wWcIpvW.exe
  2⤵
  PID:8404
- C:\Windows\System\FyaXIKq.exe
  C:\Windows\System\FyaXIKq.exe
  2⤵
  PID:9252
- C:\Windows\System\bVnqdjh.exe
  C:\Windows\System\bVnqdjh.exe
  2⤵
  PID:9268
- C:\Windows\System\SThXzdp.exe
  C:\Windows\System\SThXzdp.exe
  2⤵
  PID:9284
- C:\Windows\System\ZmsIXJr.exe
  C:\Windows\System\ZmsIXJr.exe
  2⤵
  PID:9300
- C:\Windows\System\VkupXHG.exe
  C:\Windows\System\VkupXHG.exe
  2⤵
  PID:9316
- C:\Windows\System\WbGaQOG.exe
  C:\Windows\System\WbGaQOG.exe
  2⤵
  PID:9332
- C:\Windows\System\FEQGkip.exe
  C:\Windows\System\FEQGkip.exe
  2⤵
  PID:9352
- C:\Windows\System\AhvVNMN.exe
  C:\Windows\System\AhvVNMN.exe
  2⤵
  PID:9368
- C:\Windows\System\gxmHQYx.exe
  C:\Windows\System\gxmHQYx.exe
  2⤵
  PID:9384
- C:\Windows\System\gDPKerL.exe
  C:\Windows\System\gDPKerL.exe
  2⤵
  PID:9400
- C:\Windows\System\ehxAWCU.exe
  C:\Windows\System\ehxAWCU.exe
  2⤵
  PID:9416
- C:\Windows\System\KbOSaiO.exe
  C:\Windows\System\KbOSaiO.exe
  2⤵
  PID:9476
- C:\Windows\System\eFBoPaV.exe
  C:\Windows\System\eFBoPaV.exe
  2⤵
  PID:9516
- C:\Windows\System\HhoTQYe.exe
  C:\Windows\System\HhoTQYe.exe
  2⤵
  PID:9604
- C:\Windows\System\QFpWrjB.exe
  C:\Windows\System\QFpWrjB.exe
  2⤵
  PID:9624
- C:\Windows\System\vCvCrPf.exe
  C:\Windows\System\vCvCrPf.exe
  2⤵
  PID:9660
- C:\Windows\System\qQCZlRn.exe
  C:\Windows\System\qQCZlRn.exe
  2⤵
  PID:9688
- C:\Windows\System\eJcxmnL.exe
  C:\Windows\System\eJcxmnL.exe
  2⤵
  PID:9704
- C:\Windows\System\saIGfHb.exe
  C:\Windows\System\saIGfHb.exe
  2⤵
  PID:9728
- C:\Windows\System\fnioshm.exe
  C:\Windows\System\fnioshm.exe
  2⤵
  PID:9744
- C:\Windows\System\cTRwejg.exe
  C:\Windows\System\cTRwejg.exe
  2⤵
  PID:9796
- C:\Windows\System\kzQVmYV.exe
  C:\Windows\System\kzQVmYV.exe
  2⤵
  PID:9832
- C:\Windows\System\IBIrRVP.exe
  C:\Windows\System\IBIrRVP.exe
  2⤵
  PID:9864
- C:\Windows\System\WxpLrRJ.exe
  C:\Windows\System\WxpLrRJ.exe
  2⤵
  PID:9892
- C:\Windows\System\WdzHhsf.exe
  C:\Windows\System\WdzHhsf.exe
  2⤵
  PID:9936
- C:\Windows\System\YJOFpsf.exe
  C:\Windows\System\YJOFpsf.exe
  2⤵
  PID:9964
- C:\Windows\System\HUWoUON.exe
  C:\Windows\System\HUWoUON.exe
  2⤵
  PID:9992
- C:\Windows\System\OVYWMyx.exe
  C:\Windows\System\OVYWMyx.exe
  2⤵
  PID:10024
- C:\Windows\System\onhjalC.exe
  C:\Windows\System\onhjalC.exe
  2⤵
  PID:10044
- C:\Windows\System\MBeuBwg.exe
  C:\Windows\System\MBeuBwg.exe
  2⤵
  PID:10068
- C:\Windows\System\RskCLQD.exe
  C:\Windows\System\RskCLQD.exe
  2⤵
  PID:10088
- C:\Windows\System\vQfNPaa.exe
  C:\Windows\System\vQfNPaa.exe
  2⤵
  PID:10124
- C:\Windows\System\BDhdMBR.exe
  C:\Windows\System\BDhdMBR.exe
  2⤵
  PID:10144
- C:\Windows\System\ZdShdOV.exe
  C:\Windows\System\ZdShdOV.exe
  2⤵
  PID:10164
- C:\Windows\System\SSjAQHo.exe
  C:\Windows\System\SSjAQHo.exe
  2⤵
  PID:10192
- C:\Windows\System\YVVaPpY.exe
  C:\Windows\System\YVVaPpY.exe
  2⤵
  PID:8976
- C:\Windows\System\HUXRHlw.exe
  C:\Windows\System\HUXRHlw.exe
  2⤵
  PID:4824
- C:\Windows\System\HaFoNUz.exe
  C:\Windows\System\HaFoNUz.exe
  2⤵
  PID:8200
- C:\Windows\System\qmjSJfp.exe
  C:\Windows\System\qmjSJfp.exe
  2⤵
  PID:9144
- C:\Windows\System\UAwtILk.exe
  C:\Windows\System\UAwtILk.exe
  2⤵
  PID:9348
- C:\Windows\System\YRnHfEe.exe
  C:\Windows\System\YRnHfEe.exe
  2⤵
  PID:2152
- C:\Windows\System\nbOYICg.exe
  C:\Windows\System\nbOYICg.exe
  2⤵
  PID:9276
- C:\Windows\System\YidaQky.exe
  C:\Windows\System\YidaQky.exe
  2⤵
  PID:9248
- C:\Windows\System\KlanNcR.exe
  C:\Windows\System\KlanNcR.exe
  2⤵
  PID:9408
- C:\Windows\System\xVbZvPx.exe
  C:\Windows\System\xVbZvPx.exe
  2⤵
  PID:9492
- C:\Windows\System\UbRaYHA.exe
  C:\Windows\System\UbRaYHA.exe
  2⤵
  PID:9632
- C:\Windows\System\DZuEcjS.exe
  C:\Windows\System\DZuEcjS.exe
  2⤵
  PID:9544
- C:\Windows\System\WYgYHEc.exe
  C:\Windows\System\WYgYHEc.exe
  2⤵
  PID:9672
- C:\Windows\System\fyrTWAT.exe
  C:\Windows\System\fyrTWAT.exe
  2⤵
  PID:9760
- C:\Windows\System\TwJoWZH.exe
  C:\Windows\System\TwJoWZH.exe
  2⤵
  PID:9812
- C:\Windows\System\mGBBOQU.exe
  C:\Windows\System\mGBBOQU.exe
  2⤵
  PID:9884
- C:\Windows\System\qptdgnU.exe
  C:\Windows\System\qptdgnU.exe
  2⤵
  PID:9928
- C:\Windows\System\ccngXnl.exe
  C:\Windows\System\ccngXnl.exe
  2⤵
  PID:10040
- C:\Windows\System\SRikJov.exe
  C:\Windows\System\SRikJov.exe
  2⤵
  PID:3236
- C:\Windows\System\knbqxYF.exe
  C:\Windows\System\knbqxYF.exe
  2⤵
  PID:10140
- C:\Windows\System\ZEQlBog.exe
  C:\Windows\System\ZEQlBog.exe
  2⤵
  PID:10204
- C:\Windows\System\tnooDBC.exe
  C:\Windows\System\tnooDBC.exe
  2⤵
  PID:9044
- C:\Windows\System\dUKsZGr.exe
  C:\Windows\System\dUKsZGr.exe
  2⤵
  PID:9308
- C:\Windows\System\kkpjbgF.exe
  C:\Windows\System\kkpjbgF.exe
  2⤵
  PID:9228
- C:\Windows\System\UGDhRGS.exe
  C:\Windows\System\UGDhRGS.exe
  2⤵
  PID:9392
- C:\Windows\System\YNEmoAi.exe
  C:\Windows\System\YNEmoAi.exe
  2⤵
  PID:9296
- C:\Windows\System\oUylDgs.exe
  C:\Windows\System\oUylDgs.exe
  2⤵
  PID:9524
- C:\Windows\System\ThNdCAu.exe
  C:\Windows\System\ThNdCAu.exe
  2⤵
  PID:9776
- C:\Windows\System\jEOrKtq.exe
  C:\Windows\System\jEOrKtq.exe
  2⤵
  PID:9808
- C:\Windows\System\LTpCEnu.exe
  C:\Windows\System\LTpCEnu.exe
  2⤵
  PID:9944
- C:\Windows\System\KsHxpsv.exe
  C:\Windows\System\KsHxpsv.exe
  2⤵
  PID:10080
- C:\Windows\System\BGFzgss.exe
  C:\Windows\System\BGFzgss.exe
  2⤵
  PID:10156
- C:\Windows\System\ihhQrFh.exe
  C:\Windows\System\ihhQrFh.exe
  2⤵
  PID:3644
- C:\Windows\System\aZHqTWi.exe
  C:\Windows\System\aZHqTWi.exe
  2⤵
  PID:9784
- C:\Windows\System\QMGKrfU.exe
  C:\Windows\System\QMGKrfU.exe
  2⤵
  PID:10116
- C:\Windows\System\ATyKWlw.exe
  C:\Windows\System\ATyKWlw.exe
  2⤵
  PID:9656
- C:\Windows\System\BvwHvdb.exe
  C:\Windows\System\BvwHvdb.exe
  2⤵
  PID:1668
- C:\Windows\System\ESfqRUN.exe
  C:\Windows\System\ESfqRUN.exe
  2⤵
  PID:9876
- C:\Windows\System\DjZVLIx.exe
  C:\Windows\System\DjZVLIx.exe
  2⤵
  PID:10252
- C:\Windows\System\xNOBSEH.exe
  C:\Windows\System\xNOBSEH.exe
  2⤵
  PID:10284
- C:\Windows\System\lJEfUhr.exe
  C:\Windows\System\lJEfUhr.exe
  2⤵
  PID:10308
- C:\Windows\System\NTZlsQO.exe
  C:\Windows\System\NTZlsQO.exe
  2⤵
  PID:10328
- C:\Windows\System\itxvJcb.exe
  C:\Windows\System\itxvJcb.exe
  2⤵
  PID:10360
- C:\Windows\System\GzFTYER.exe
  C:\Windows\System\GzFTYER.exe
  2⤵
  PID:10380
- C:\Windows\System\rwnkAnP.exe
  C:\Windows\System\rwnkAnP.exe
  2⤵
  PID:10432
- C:\Windows\System\kSALxSG.exe
  C:\Windows\System\kSALxSG.exe
  2⤵
  PID:10452
- C:\Windows\System\BVnyQCt.exe
  C:\Windows\System\BVnyQCt.exe
  2⤵
  PID:10476
- C:\Windows\System\CkuQLTJ.exe
  C:\Windows\System\CkuQLTJ.exe
  2⤵
  PID:10516
- C:\Windows\System\vSxkvQW.exe
  C:\Windows\System\vSxkvQW.exe
  2⤵
  PID:10552
- C:\Windows\System\OySMHlA.exe
  C:\Windows\System\OySMHlA.exe
  2⤵
  PID:10572
- C:\Windows\System\XQtGXDA.exe
  C:\Windows\System\XQtGXDA.exe
  2⤵
  PID:10592
- C:\Windows\System\XOczLbF.exe
  C:\Windows\System\XOczLbF.exe
  2⤵
  PID:10620
- C:\Windows\System\xmMbNUZ.exe
  C:\Windows\System\xmMbNUZ.exe
  2⤵
  PID:10660
- C:\Windows\System\WQfvbhy.exe
  C:\Windows\System\WQfvbhy.exe
  2⤵
  PID:10692
- C:\Windows\System\QybzzVN.exe
  C:\Windows\System\QybzzVN.exe
  2⤵
  PID:10712
- C:\Windows\System\DSwhvRF.exe
  C:\Windows\System\DSwhvRF.exe
  2⤵
  PID:10732
- C:\Windows\System\DDXdTvL.exe
  C:\Windows\System\DDXdTvL.exe
  2⤵
  PID:10748
- C:\Windows\System\UXuoGcd.exe
  C:\Windows\System\UXuoGcd.exe
  2⤵
  PID:10772
- C:\Windows\System\mhxBVAY.exe
  C:\Windows\System\mhxBVAY.exe
  2⤵
  PID:10792
- C:\Windows\System\KnORzcJ.exe
  C:\Windows\System\KnORzcJ.exe
  2⤵
  PID:10812
- C:\Windows\System\ZIdfWbY.exe
  C:\Windows\System\ZIdfWbY.exe
  2⤵
  PID:10856
- C:\Windows\System\ENLxWAF.exe
  C:\Windows\System\ENLxWAF.exe
  2⤵
  PID:10916
- C:\Windows\System\xiymRbw.exe
  C:\Windows\System\xiymRbw.exe
  2⤵
  PID:10940
- C:\Windows\System\ACRJJnv.exe
  C:\Windows\System\ACRJJnv.exe
  2⤵
  PID:10964
- C:\Windows\System\MnECfJQ.exe
  C:\Windows\System\MnECfJQ.exe
  2⤵
  PID:11004
- C:\Windows\System\MbjXjRX.exe
  C:\Windows\System\MbjXjRX.exe
  2⤵
  PID:11020
- C:\Windows\System\qIcxzES.exe
  C:\Windows\System\qIcxzES.exe
  2⤵
  PID:11040
- C:\Windows\System\mXkgxgI.exe
  C:\Windows\System\mXkgxgI.exe
  2⤵
  PID:11064
- C:\Windows\System\dOuIHmB.exe
  C:\Windows\System\dOuIHmB.exe
  2⤵
  PID:11084
- C:\Windows\System\PFhqkQL.exe
  C:\Windows\System\PFhqkQL.exe
  2⤵
  PID:11100
- C:\Windows\System\icqMWld.exe
  C:\Windows\System\icqMWld.exe
  2⤵
  PID:11128
- C:\Windows\System\IxmFESz.exe
  C:\Windows\System\IxmFESz.exe
  2⤵
  PID:11148
- C:\Windows\System\mVzWVVT.exe
  C:\Windows\System\mVzWVVT.exe
  2⤵
  PID:11176
- C:\Windows\System\paXwnQX.exe
  C:\Windows\System\paXwnQX.exe
  2⤵
  PID:11216
- C:\Windows\System\mbTfRTU.exe
  C:\Windows\System\mbTfRTU.exe
  2⤵
  PID:11236
- C:\Windows\System\gPHxlcw.exe
  C:\Windows\System\gPHxlcw.exe
  2⤵
  PID:11260
- C:\Windows\System\zkJdjol.exe
  C:\Windows\System\zkJdjol.exe
  2⤵
  PID:10320
- C:\Windows\System\pOkHgIu.exe
  C:\Windows\System\pOkHgIu.exe
  2⤵
  PID:10460
- C:\Windows\System\MGtAiAP.exe
  C:\Windows\System\MGtAiAP.exe
  2⤵
  PID:10496
- C:\Windows\System\AdxMvGt.exe
  C:\Windows\System\AdxMvGt.exe
  2⤵
  PID:10548
- C:\Windows\System\dEJRzHu.exe
  C:\Windows\System\dEJRzHu.exe
  2⤵
  PID:10600
- C:\Windows\System\SfLSpXN.exe
  C:\Windows\System\SfLSpXN.exe
  2⤵
  PID:10700
- C:\Windows\System\zvmLEGT.exe
  C:\Windows\System\zvmLEGT.exe
  2⤵
  PID:10720
- C:\Windows\System\oVbQBOv.exe
  C:\Windows\System\oVbQBOv.exe
  2⤵
  PID:10760
- C:\Windows\System\smdiDts.exe
  C:\Windows\System\smdiDts.exe
  2⤵
  PID:10904
- C:\Windows\System\keKshXc.exe
  C:\Windows\System\keKshXc.exe
  2⤵
  PID:1136
- C:\Windows\System\kiGzQkt.exe
  C:\Windows\System\kiGzQkt.exe
  2⤵
  PID:11000
- C:\Windows\System\LWMfwHb.exe
  C:\Windows\System\LWMfwHb.exe
  2⤵
  PID:11056
- C:\Windows\System\ViCbXNh.exe
  C:\Windows\System\ViCbXNh.exe
  2⤵
  PID:11140
- C:\Windows\System\qAmHuSS.exe
  C:\Windows\System\qAmHuSS.exe
  2⤵
  PID:11172
- C:\Windows\System\xxSZrcu.exe
  C:\Windows\System\xxSZrcu.exe
  2⤵
  PID:10324
- C:\Windows\System\aIMMKRy.exe
  C:\Windows\System\aIMMKRy.exe
  2⤵
  PID:10296
- C:\Windows\System\POgkQON.exe
  C:\Windows\System\POgkQON.exe
  2⤵
  PID:10508
- C:\Windows\System\rwLgfRP.exe
  C:\Windows\System\rwLgfRP.exe
  2⤵
  PID:10708
- C:\Windows\System\ogsawsk.exe
  C:\Windows\System\ogsawsk.exe
  2⤵
  PID:4044
- C:\Windows\System\oXpmfda.exe
  C:\Windows\System\oXpmfda.exe
  2⤵
  PID:11052
- C:\Windows\System\GLttOqv.exe
  C:\Windows\System\GLttOqv.exe
  2⤵
  PID:11032
- C:\Windows\System\GApaAXo.exe
  C:\Windows\System\GApaAXo.exe
  2⤵
  PID:10408
- C:\Windows\System\kQllvNj.exe
  C:\Windows\System\kQllvNj.exe
  2⤵
  PID:10564
- C:\Windows\System\pdmCMIo.exe
  C:\Windows\System\pdmCMIo.exe
  2⤵
  PID:10956
- C:\Windows\System\xxdQfBT.exe
  C:\Windows\System\xxdQfBT.exe
  2⤵
  PID:10932
- C:\Windows\System\ieyZvQJ.exe
  C:\Windows\System\ieyZvQJ.exe
  2⤵
  PID:11252
- C:\Windows\System\REXKZZF.exe
  C:\Windows\System\REXKZZF.exe
  2⤵
  PID:10228
- C:\Windows\System\vXErJyN.exe
  C:\Windows\System\vXErJyN.exe
  2⤵
  PID:11292
- C:\Windows\System\tjxcRFJ.exe
  C:\Windows\System\tjxcRFJ.exe
  2⤵
  PID:11328
- C:\Windows\System\WyhPjBN.exe
  C:\Windows\System\WyhPjBN.exe
  2⤵
  PID:11368
- C:\Windows\System\AktEGhW.exe
  C:\Windows\System\AktEGhW.exe
  2⤵
  PID:11388
- C:\Windows\System\OYIHheK.exe
  C:\Windows\System\OYIHheK.exe
  2⤵
  PID:11412
- C:\Windows\System\iXAryHW.exe
  C:\Windows\System\iXAryHW.exe
  2⤵
  PID:11436
- C:\Windows\System\jssZcgC.exe
  C:\Windows\System\jssZcgC.exe
  2⤵
  PID:11468
- C:\Windows\System\rNLuKJd.exe
  C:\Windows\System\rNLuKJd.exe
  2⤵
  PID:11484
- C:\Windows\System\EwdllSq.exe
  C:\Windows\System\EwdllSq.exe
  2⤵
  PID:11512
- C:\Windows\System\FNyMFcn.exe
  C:\Windows\System\FNyMFcn.exe
  2⤵
  PID:11540
- C:\Windows\System\ceUvKKs.exe
  C:\Windows\System\ceUvKKs.exe
  2⤵
  PID:11568
- C:\Windows\System\hfcXEwo.exe
  C:\Windows\System\hfcXEwo.exe
  2⤵
  PID:11600
- C:\Windows\System\jirbZfU.exe
  C:\Windows\System\jirbZfU.exe
  2⤵
  PID:11624
- C:\Windows\System\kYXhIzs.exe
  C:\Windows\System\kYXhIzs.exe
  2⤵
  PID:11644
- C:\Windows\System\sHufVbv.exe
  C:\Windows\System\sHufVbv.exe
  2⤵
  PID:11668
- C:\Windows\System\rZGcbhD.exe
  C:\Windows\System\rZGcbhD.exe
  2⤵
  PID:11732
- C:\Windows\System\nmXwTgx.exe
  C:\Windows\System\nmXwTgx.exe
  2⤵
  PID:11752
- C:\Windows\System\VwIpvpT.exe
  C:\Windows\System\VwIpvpT.exe
  2⤵
  PID:11776
- C:\Windows\System\QVYLDue.exe
  C:\Windows\System\QVYLDue.exe
  2⤵
  PID:11800
- C:\Windows\System\mZeopsk.exe
  C:\Windows\System\mZeopsk.exe
  2⤵
  PID:11836
- C:\Windows\System\wNqlLhQ.exe
  C:\Windows\System\wNqlLhQ.exe
  2⤵
  PID:11856
- C:\Windows\System\xRPIvgk.exe
  C:\Windows\System\xRPIvgk.exe
  2⤵
  PID:11892
- C:\Windows\System\pDFezoa.exe
  C:\Windows\System\pDFezoa.exe
  2⤵
  PID:11912
- C:\Windows\System\ytzfOnH.exe
  C:\Windows\System\ytzfOnH.exe
  2⤵
  PID:11940
- C:\Windows\System\rYkpEyV.exe
  C:\Windows\System\rYkpEyV.exe
  2⤵
  PID:11972
- C:\Windows\System\GktTKDp.exe
  C:\Windows\System\GktTKDp.exe
  2⤵
  PID:12008
- C:\Windows\System\QeHDFUt.exe
  C:\Windows\System\QeHDFUt.exe
  2⤵
  PID:12036
- C:\Windows\System\btCSXRp.exe
  C:\Windows\System\btCSXRp.exe
  2⤵
  PID:12056
- C:\Windows\System\AWnSQSA.exe
  C:\Windows\System\AWnSQSA.exe
  2⤵
  PID:12076
- C:\Windows\System\ZRWaLck.exe
  C:\Windows\System\ZRWaLck.exe
  2⤵
  PID:12092
- C:\Windows\System\wABtFli.exe
  C:\Windows\System\wABtFli.exe
  2⤵
  PID:12156
- C:\Windows\System\kxzGBrd.exe
  C:\Windows\System\kxzGBrd.exe
  2⤵
  PID:12176
- C:\Windows\System\MNUnlDW.exe
  C:\Windows\System\MNUnlDW.exe
  2⤵
  PID:12208
- C:\Windows\System\rVDmcTd.exe
  C:\Windows\System\rVDmcTd.exe
  2⤵
  PID:12256
- C:\Windows\System\dskGYpM.exe
  C:\Windows\System\dskGYpM.exe
  2⤵
  PID:12276
- C:\Windows\System\TFwHaBd.exe
  C:\Windows\System\TFwHaBd.exe
  2⤵
  PID:11272
- C:\Windows\System\rczJJzL.exe
  C:\Windows\System\rczJJzL.exe
  2⤵
  PID:11344
- C:\Windows\System\XZOQNfN.exe
  C:\Windows\System\XZOQNfN.exe
  2⤵
  PID:11380
- C:\Windows\System\uiMMNlv.exe
  C:\Windows\System\uiMMNlv.exe
  2⤵
  PID:11424
- C:\Windows\System\cddnQTN.exe
  C:\Windows\System\cddnQTN.exe
  2⤵
  PID:11476
- C:\Windows\System\pmuuRTR.exe
  C:\Windows\System\pmuuRTR.exe
  2⤵
  PID:11508
- C:\Windows\System\KSURNIJ.exe
  C:\Windows\System\KSURNIJ.exe
  2⤵
  PID:11560
- C:\Windows\System\zoPxUlI.exe
  C:\Windows\System\zoPxUlI.exe
  2⤵
  PID:11636
- C:\Windows\System\lAQbDRE.exe
  C:\Windows\System\lAQbDRE.exe
  2⤵
  PID:11708
- C:\Windows\System\BfteUsO.exe
  C:\Windows\System\BfteUsO.exe
  2⤵
  PID:11788
- C:\Windows\System\nUixzhm.exe
  C:\Windows\System\nUixzhm.exe
  2⤵
  PID:11884
- C:\Windows\System\pAuEPFL.exe
  C:\Windows\System\pAuEPFL.exe
  2⤵
  PID:11924
- C:\Windows\System\zZLJlqW.exe
  C:\Windows\System\zZLJlqW.exe
  2⤵
  PID:11964
- C:\Windows\System\BYzxcVL.exe
  C:\Windows\System\BYzxcVL.exe
  2⤵
  PID:12140
- C:\Windows\System\oteAcWo.exe
  C:\Windows\System\oteAcWo.exe
  2⤵
  PID:12216
- C:\Windows\System\EUwxmHt.exe
  C:\Windows\System\EUwxmHt.exe
  2⤵
  PID:372
- C:\Windows\System\LgJQvcZ.exe
  C:\Windows\System\LgJQvcZ.exe
  2⤵
  PID:11308
- C:\Windows\System\PlNsiXv.exe
  C:\Windows\System\PlNsiXv.exe
  2⤵
  PID:11408
- C:\Windows\System\JCjvoST.exe
  C:\Windows\System\JCjvoST.exe
  2⤵
  PID:11532
- C:\Windows\System\BTAyOgE.exe
  C:\Windows\System\BTAyOgE.exe
  2⤵
  PID:11772
- C:\Windows\System\OttZUPI.exe
  C:\Windows\System\OttZUPI.exe
  2⤵
  PID:11816
- C:\Windows\System\alnrfaH.exe
  C:\Windows\System\alnrfaH.exe
  2⤵
  PID:11956
- C:\Windows\System\yIHyioO.exe
  C:\Windows\System\yIHyioO.exe
  2⤵
  PID:12168
- C:\Windows\System\iYYHuvu.exe
  C:\Windows\System\iYYHuvu.exe
  2⤵
  PID:3460
- C:\Windows\System\mqWJNxP.exe
  C:\Windows\System\mqWJNxP.exe
  2⤵
  PID:12232
- C:\Windows\System\PGVrZBs.exe
  C:\Windows\System\PGVrZBs.exe
  2⤵
  PID:11716
- C:\Windows\System\hBOvINq.exe
  C:\Windows\System\hBOvINq.exe
  2⤵
  PID:12028
- C:\Windows\System\lFYYwOS.exe
  C:\Windows\System\lFYYwOS.exe
  2⤵
  PID:11364
- C:\Windows\System\GnShtgF.exe
  C:\Windows\System\GnShtgF.exe
  2⤵
  PID:11580
- C:\Windows\System\pebskel.exe
  C:\Windows\System\pebskel.exe
  2⤵
  PID:12296
- C:\Windows\System\zTImSqs.exe
  C:\Windows\System\zTImSqs.exe
  2⤵
  PID:12324
- C:\Windows\System\gvbsTtk.exe
  C:\Windows\System\gvbsTtk.exe
  2⤵
  PID:12348
- C:\Windows\System\HeIgTrl.exe
  C:\Windows\System\HeIgTrl.exe
  2⤵
  PID:12368
- C:\Windows\System\jhxkttz.exe
  C:\Windows\System\jhxkttz.exe
  2⤵
  PID:12396
- C:\Windows\System\IridiGL.exe
  C:\Windows\System\IridiGL.exe
  2⤵
  PID:12428
- C:\Windows\System\kNYgfLL.exe
  C:\Windows\System\kNYgfLL.exe
  2⤵
  PID:12452
- C:\Windows\System\FjkTjTh.exe
  C:\Windows\System\FjkTjTh.exe
  2⤵
  PID:12476
- C:\Windows\System\RBJbYQS.exe
  C:\Windows\System\RBJbYQS.exe
  2⤵
  PID:12532
- C:\Windows\System\EXuUfhM.exe
  C:\Windows\System\EXuUfhM.exe
  2⤵
  PID:12564
- C:\Windows\System\JMjcSyi.exe
  C:\Windows\System\JMjcSyi.exe
  2⤵
  PID:12588
- C:\Windows\System\gFqVBtp.exe
  C:\Windows\System\gFqVBtp.exe
  2⤵
  PID:12628
- C:\Windows\System\tBYgSwL.exe
  C:\Windows\System\tBYgSwL.exe
  2⤵
  PID:12644
- C:\Windows\System\znvqdoR.exe
  C:\Windows\System\znvqdoR.exe
  2⤵
  PID:12684
- C:\Windows\System\YdvPDqA.exe
  C:\Windows\System\YdvPDqA.exe
  2⤵
  PID:12704
- C:\Windows\System\iMVexEj.exe
  C:\Windows\System\iMVexEj.exe
  2⤵
  PID:12736
- C:\Windows\System\bnbiKNz.exe
  C:\Windows\System\bnbiKNz.exe
  2⤵
  PID:12752
- C:\Windows\System\sRYMxce.exe
  C:\Windows\System\sRYMxce.exe
  2⤵
  PID:12772
- C:\Windows\System\bfSkVSy.exe
  C:\Windows\System\bfSkVSy.exe
  2⤵
  PID:12792
- C:\Windows\System\QzZoUGA.exe
  C:\Windows\System\QzZoUGA.exe
  2⤵
  PID:12924
- C:\Windows\System\AIDoezf.exe
  C:\Windows\System\AIDoezf.exe
  2⤵
  PID:12940
- C:\Windows\System\jeiYPEJ.exe
  C:\Windows\System\jeiYPEJ.exe
  2⤵
  PID:12968
- C:\Windows\System\avktBTk.exe
  C:\Windows\System\avktBTk.exe
  2⤵
  PID:12988
- C:\Windows\System\QABhrVN.exe
  C:\Windows\System\QABhrVN.exe
  2⤵
  PID:13004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yj2aybf3.h4b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AXBtEJY.exe

Filesize
2.0MB

MD5
80e9bdc1265ba568a1d75b2ad09e295f

SHA1
f7793936fe6856c2f328657b3a9a8b372bf53e7b

SHA256
c4b1370dad1f816b4ea0d03c9eb20c594b84a2c5c68af20aa4b486b025720454

SHA512
ffcfab43b0aa59c21bf7d7303aabd00a157e033cbd1474c6435fbc6b0148ce6823d07bb7498e190d08965de623974407dabc49223b8c22bccdd5af0a99b716f5

Download Submit
C:\Windows\System\ExiEhSu.exe

Filesize
2.0MB

MD5
fcf50507dc9e79ce09e499b21fbda641

SHA1
37d9f9466da85c2d7d085b9c278a7256225103c0

SHA256
44e05bcb7be21b6aab3500d10a52d1bf109209e678cc7235eb6c19dc13306650

SHA512
228edcaa7464c472bde5800f70536d24215deef23fb25289fd1a7563585c595822c7cdb0d60e902019b3713f421b1f5221af4dfebb0471c4d91ac49bd0ff6b93

Download Submit
C:\Windows\System\FEMavfa.exe

Filesize
2.0MB

MD5
e74c5da71bf26cab440a944c4b5691df

SHA1
f6bb003e77d832f0fbfca7865b25e1428b7c8044

SHA256
d4d0296ae1be52d91b39e2821470d2d6d2698155ef8abfbee5d2475e7a81b470

SHA512
259a45d9bea0463fe811ff124eb73813c4ba2d33ea1ff034a14e75cd07c0ca08b491af3e62180e6bd892c81b6fe9b39d817ecc29763744d2ce26aa9b643c8b6b

Download Submit
C:\Windows\System\FgRCCAN.exe

Filesize
2.0MB

MD5
84883b4fcd5826036e8ad2b264a090c4

SHA1
ffd8dcff3d0eb2f3b5dcd3fba6f7544ddcbb72c6

SHA256
d92b6b090a96b4eedfd8e7faffedcfb636a4e18f2590be479071c7dffc06956b

SHA512
2428214b85da91042ba37ee9cab9a3b12077cb9c90c83585ef9007d306b4aaf962b20c17c004f20d116fdaf6e314dfd54a14bf3556a64a2df9e18dd90e2649f3

Download Submit
C:\Windows\System\GkKIzdp.exe

Filesize
2.0MB

MD5
0f32490924d35981b97560004a1edb95

SHA1
36fefeaf2304bbab95eff07c68c1b0d795e51bbd

SHA256
38b3876b92648b72b84db8537ec7eba8ac6a224c8196272ddd1c8dcc6ca96f60

SHA512
81e2b5b5ed865a92c660e4b7374c7592b0007cbf72f0ebdbab9e7ad5a162ffdce89aa01965e45379b822b03a6d1533437be08381b03894f8b42e90e3dfad65fb

Download Submit
C:\Windows\System\HJmbsoY.exe

Filesize
2.0MB

MD5
427608af7a527abbd9dc928c06c59a23

SHA1
7cb8e9fe82696be4bb36c0d443466ad5a5a803f1

SHA256
e505e7942347df40c7fdc54d214d7330bb10c078668b3c8d00d576ee7cfe0823

SHA512
23aa7d312dd9f708387ace58964bdb974b70d91f4d609bf5c36e7f68b19d03d1cb9132ab7bebb846467608a546c6c0c3416ab7508762d7a5ce31b280cd529c49

Download Submit
C:\Windows\System\IKneRwz.exe

Filesize
2.0MB

MD5
6bbf1f14eb711aa7619a4189be78b988

SHA1
9a40ffeaf2e385ab09a897582f71303a5eb3ac76

SHA256
d2e512dee4ffc1ed69ba1c63d7a6a32851208f9d4d37511a5777ce922dff1f32

SHA512
96f8a0622c8b27d8c4b60e740e7e8b793a76f608f6508e0c50fc65745b53e3c833d467c7cc8bc98b0a61ebe8c5fd992f72eb46ef58fbe8fb79ca45f3b55d8330

Download Submit
C:\Windows\System\OFFMFXD.exe

Filesize
2.0MB

MD5
d7a5bb36317a64176faef3fb011aa224

SHA1
e03fa5a2e6c4800cae83e07246537767f59bc261

SHA256
cd7f8d3c8f191620178b9cb66ec77826072eee065c0943072144203c87255fac

SHA512
e1e2aaf0e9f90168e3292ba020b15e0840d4849db14c005890708d5dd4715881455360bfa16cef47378ec8f5c482a843d7746d389edcb350c8020d13d143bde9

Download Submit
C:\Windows\System\OdjrWCg.exe

Filesize
2.0MB

MD5
0893c3044f2abbc9b02f421d48ada0cc

SHA1
329f93f234e1fc757009b1179e20c26ceefe4b70

SHA256
8bec60c679cda42636399c88060ecf1b164c6a85d33e74de93ade10c47f19188

SHA512
e469a19292d6e6fbcd7bf4f680d6a08c921a4e85933efc2a530e74fcf11e6491adee371726f2ccfe8926798d8ec4a7197d5e1eb124cfed18499ffbd3e1369729

Download Submit
C:\Windows\System\OsDqamA.exe

Filesize
2.0MB

MD5
b84f682ab2a2e747e405b5b7852c053e

SHA1
22541b19380490e4bc702d4a4fde4a6a21b0425f

SHA256
8e50b711ea7510206be3522ccb734d4c336c6046961d61bddd37adefdc5dfe86

SHA512
01aec2fc2ed30a30993bd53a0877e4a3d7a6fac8a9e3cce168aa6a0f6cf74f02c2dbb57ccde195e178fe55b8c7acedf571a0c3356ed4ca8c34e0918f3fd2f1bb

Download Submit
C:\Windows\System\SQktZMr.exe

Filesize
2.0MB

MD5
41c47203de09fda7b401fb05e6605868

SHA1
0e94d67ce773185f75c36d101b8b22e0754bbd30

SHA256
e6f40d18b3137306fdac4820280784c59ed9f3833c30e55a3da77d19bc6769dc

SHA512
a349f69587694ceff1d8181282b5429e685c02ac8d755a7f7b1b58248597a61ff8186ab85ab9c1f772315c06181b38d5d362db080189b75d9e31a00bbd795829

Download Submit
C:\Windows\System\TRenWQa.exe

Filesize
2.0MB

MD5
d3ccc1ac333a805c3d661665dc449d79

SHA1
65bbdbdade3c50fcb1cedcaec2fd3da6be704a76

SHA256
5f91c785aba56a33ef3782a9443d0c7cf695d6ce68a3f93ffbd9443386c126f0

SHA512
546be119acf06c8b9bc8ace54f14a2c3eebd279757806bb7edbca4a19bc69fff44e6936d234f12050b021405ceca84874c625613a9d9db400a24880cd7032515

Download Submit
C:\Windows\System\VWkDNWn.exe

Filesize
2.0MB

MD5
d90d006ae98ff03dbed1fea4a904e7fc

SHA1
28b04c614081929b12cde3e1f5b5379768e05f66

SHA256
02c52119b0739c71e9db7893435ffe9485bc39e001f6381bd55fb457469f9369

SHA512
06889e4cf2765be78fc6e24e503c2b77600c97b800581a8f76207e97a00f0f4d26c9070a07e27bcb276ed8d52378b5bb2c23b03d560656a5222b6f261833c147

Download Submit
C:\Windows\System\XebRPQT.exe

Filesize
2.0MB

MD5
df45d3597ce931ce1a9cca8f9cdeae7e

SHA1
81889dae9face01de2e5d36e9609d1c265f12075

SHA256
5dceb3f00675dad256cf1c54e43bb68e75d56dc1e5137ee78e9920210e9d8c13

SHA512
496a2fc19d220ef859a8b57a1137000831c23bbc16ed19694ae2c8b3d777a731751bf5727b4968e7495da7798e01462c92ac2ebe09c3a9b83b3ecc71e56e4b5e

Download Submit
C:\Windows\System\YJTXOEi.exe

Filesize
2.0MB

MD5
a0be4b4d23ec505a345e865efe832b4b

SHA1
084bbd8c2d2f0c2b486179d19c4c15eb64aeb1f1

SHA256
ad7957a7b833dd51f11e3f5c5465226100f7cd3992f45a56c3c81805e371cd9e

SHA512
55348470ad3d2b52cc6823ea96e844f0f0b2929b0c8ca45ac9f037b0d1440fd66ea413f26034e550d9e70b291a1a00928444ab843d2fc413bfa557dd00fcccc1

Download Submit
C:\Windows\System\aJjfVAv.exe

Filesize
2.0MB

MD5
7be6f97acae94ae8efbf4197b275f6dd

SHA1
c408c96421c396cf90148edfc69561490a7f2a04

SHA256
becd321fcd78459388574cfc63caf882f2473fff987e538743eca5b30905c40d

SHA512
90932404867f04244dccd637addad6348fd733b0a537360fa8fdbb8d7ffb40134b9bc933888a5a6233e3bc06e60d8391205b2501c58d3a2632b788d17cfb6e41

Download Submit
C:\Windows\System\aZuhjNz.exe

Filesize
2.0MB

MD5
f08d52229bd2a8b8ded42c3c59a023e2

SHA1
078011e056f863d787a0cdcb8d2f8ff3e62a47d5

SHA256
4d5de2a7c9b7b686ec837f565b42e25f29af3605f5b98f3320039a1d233fe941

SHA512
f053b6dd430d5566614d2f92d913fa4d85983b0c2af4ca5c6090f45cf57741ec64c5c9b74fd2701be85ad4e74eaf638e5f411ea91522331186007d803f7f12cb

Download Submit
C:\Windows\System\cRdYZGR.exe

Filesize
2.0MB

MD5
8837ba40ffd6d02acae20b23fbada836

SHA1
fc39c590e923949a82652d4d9bb248802338b926

SHA256
f14f3f03ba61471cb5c9e1e24bd3ab60d87dcb98f1689768ede4d32be84757c0

SHA512
103b53f3d1487060d2dbbec8be09cef0723bbf184c740c9eee31fad4978d190d45060aed069b539b26eaa440627ce4c27b36bbc5564d71b71253268cdd972d0d

Download Submit
C:\Windows\System\dGyokse.exe

Filesize
2.0MB

MD5
c9ec69d6530ffd22b6acd4dc29c907a5

SHA1
6e4628f4d524813ec12571e66323b9fde6f8f9e3

SHA256
d50e16fca3b14c02a376e5206cd3071b13b147bcaf8e77902178163bb1107b14

SHA512
6057de808e96337819dbd63969073af485447d12232f4331b5dea57dc06adece81a74501603fa7d4d3ba09b644bc58e5d62cccccc75fff681d1112ad22238f45

Download Submit
C:\Windows\System\dbwshFX.exe

Filesize
2.0MB

MD5
ed191ece6da214562686d930559bcf1f

SHA1
7f2b0daf04554ea95cd376c98cbdfb4faebdc7aa

SHA256
e8ace5c72093e145dbfbd1316e28dcf714a78dbf2761dc4e0acb5b881510d54e

SHA512
199dfdc69cc537392f0371996d291be0b5ea06b88bd1e528d8e5afc7b564a972513d01e55ff8d8de537af08e9013135118c080a0fe40d15df545b2e84cf2c185

Download Submit
C:\Windows\System\eqSnPYi.exe

Filesize
2.0MB

MD5
0b2c81823d44dfce341f616c9db14013

SHA1
27891539fb246cdeb94a8b6678385a985f6848d3

SHA256
0e25dfb4ca50b9695bf8ce62a1094138c0a5962c05de76d6887a7fb9828bb4ef

SHA512
03cc4acff5b2cc457268a7cead424ea975882f3747b3109608e2c8931e80e18085400ee65dff7c884de175f02bb25d28070e89b060875bbca54b49c1e081646b

Download Submit
C:\Windows\System\fujOjKT.exe

Filesize
2.0MB

MD5
42e7cf6fc6682bc3a46882025a0138d5

SHA1
939e68a8cb8326fd5b757790d5c73d8359eb0460

SHA256
d85677f13b5794289d8d79200a5235b249cb6dd0a2c0232d56560c18e651d781

SHA512
a0d1c8459c29a1829d8bb53c1f2ec9249409ffa02dd6f1d41e5acff75c6b460a61813c757e71a37decfd2f4140e1b4b7604b3b108e02965ee2407bd30b7ef0b3

Download Submit
C:\Windows\System\gjBCRtK.exe

Filesize
2.0MB

MD5
2c39f0d77433b9af573b1ec2d1553639

SHA1
930911c295fc9b6a07fb43706a3b299c7ce2210b

SHA256
369aa0f69444a2dc61f94411d0561bc5ac3e04ba48b3e10704b3ea5fd35fa6ff

SHA512
8b7c77702f5db37b9a39d45f1c05fae27bc1394d5e970d4f2169cd10125d3eedddb9d3d1a8fb5d0502342bbc45a52673a36b8ed71162c51ca8d50de2b9e6b7a4

Download Submit
C:\Windows\System\hTphZsw.exe

Filesize
2.0MB

MD5
f3190738d618ea0d021bdaeb6f6bdd56

SHA1
c087c2eedaffab5eea3ea6d15ed7337fd49eff2a

SHA256
9949c0d8f7a9053d71e154a4c06af90d48404895167dcb0d381bdbb89c34b6cc

SHA512
d7c18aefd0040faa2b5bfcdd0c2474df7ef915622893cd6d62642e9693443eedea1795ec92926ce9f2bc527a2a5d1dcf8b7ee65c8cba1b16548e23584ba56623

Download Submit
C:\Windows\System\iupAifF.exe

Filesize
2.0MB

MD5
58f7dd09ecbb3d50dd2810d22dcc1e23

SHA1
7caa8147c02f8abd18b7e0c2c0d374e354318a24

SHA256
46453b1423b4e15e1e28d1eb03a203f449766ecb9afaa89661f3cb51a144ed0b

SHA512
7499dce88302c5a3fcc6ed0498680dba4a63c95f25f39b6f6085f0a05e17cf2c3fcdf262a03837b068ae7d027be28d56966e60d5c6320ff100bb3f477271c236

Download Submit
C:\Windows\System\jwBbkeL.exe

Filesize
8B

MD5
30a9dfceb37577cb23b97b50ee0ca790

SHA1
b56360a546aafbfa7ce003cd05916a7ab7239259

SHA256
44dda0d0cfe87b066fcb3ae3e2b0cbc86f86ca0fdd14c7ce736c7a63fedce1f4

SHA512
f1ae1743e6029aabc9e7387b476be46b30f000874bca6e0907b605cfb329a40abfc7d4eb3d891027c469be0356b370267e0531be7c50ab8183a5aad8ce1cbe57

Download Submit
C:\Windows\System\lciOXIB.exe

Filesize
2.0MB

MD5
956bf76b4ba9a349bcf41aaa3c70c919

SHA1
9313d621aa820c06507869f31a9784b861df8af1

SHA256
fd8a42b93d1f312d9a1816b97a8b95936de44288046b61bac0279fa516f1a724

SHA512
7e9f255ebb8422480f64eda9bef0ca63f61763bec5c530fadf8913d6773f13e77f2db5a8289c22d2302299462b6653f0037a859249ddee9dcfd27e6015bfd390

Download Submit
C:\Windows\System\mIJGtFD.exe

Filesize
2.0MB

MD5
a9211312e7f008b949be9757dc69ee9b

SHA1
65eab343813ec241686a36e8d6c2d4e6b0a5efda

SHA256
48b35f6e202348189633de80ef15fdb222e86ec25516c6d946a6d4639b59032f

SHA512
dd125d5d72e6d89a4bd19b2e838a480b9858b450df0ab452b59f73c9d622f5e9bba86eba7d11b0ab5ef13339be85b5d0cbe06e4be9fef6cee94e7048190f379f

Download Submit
C:\Windows\System\mfRiaQx.exe

Filesize
2.0MB

MD5
b7921078d865e5d42c00a1ee8f1728fd

SHA1
d9b3c7b61085404ac93b7175e1b4a9bf2cebf50d

SHA256
6de45e333a64034584f52ed509616abc772e7007f2f4d76275121f6219a8b01c

SHA512
959d0c3d9a5e733f20c41b44ac25ae82397762d7d329e3cb8bd48207cab2144c3342bc5387ddc486d7db8b4854d749d844b81a22a72531d2b3c7209266770ec3

Download Submit
C:\Windows\System\ocmzWIx.exe

Filesize
2.0MB

MD5
85c40d4b0e5e62ac95536f2d053486b0

SHA1
f90f5a19cc419ac352600629de58e79bc77972d5

SHA256
518f817fb1291674b04de11492ff5c5f29d38e76bb490a8ec52a7cdfa1b78544

SHA512
888a281a2322039215f0fffbfbba9dac9663988aac5b87e91c5b7a436e41ec7e8e53c0800b4da5a27a96afe3a66100fbd187836bff3df01a389a64cdf70a5456

Download Submit
C:\Windows\System\tffXqbq.exe

Filesize
2.0MB

MD5
bea9a0a7d0f7da4814c8cd429dbf9cb8

SHA1
94290a6aeb5346e8bb015c102723f0bf7324c831

SHA256
8cdeb30d73890055b5e28d6a099f335c504fc56185d5ef78b8f2322b73024a63

SHA512
dace5c47f04f06513fe14dfd34fb24cb830a1f67663c87f69a696d6ea315ccf9d01c189dbd90de10c7f5dcd3972b1d1542386c77d3dbf3ee4bc36c64feff00d1

Download Submit
C:\Windows\System\vCzvVZs.exe

Filesize
2.0MB

MD5
9de302f11ba3dec3b6553a02a2893bc1

SHA1
7f80f790ef9ee47da46dd82c94f17977b95a8e8e

SHA256
6c0f2b78843d9765b66df7fc4b9eeef73cef47e7b2810bf55743492ae724939d

SHA512
7f9b314f3ea11f36d12736f377a478b53216868d8b4ae3005139ec563611163e0cd32dd6770aea1c188dd3c852d18fe07e2866ef8a196cd9fbb9a2a6a0a17cca

Download Submit
C:\Windows\System\wMcZEOK.exe

Filesize
2.0MB

MD5
a790b06f54a973f0c84decff848c5d14

SHA1
062271d877f47290927f8a61d1d32fa5b950edd5

SHA256
59f7c64fb05eefede7278a37b586eb9119786f5bcea0a6fd943e1b34f7e56389

SHA512
c80569b6203a64b96f2b24c0651f2f4429806e382d3be948f9e1fe5a5555a3ef4153e7960882a53600f2f3cc96c543c46b3eb39e2b8e91d0c3b8d3bc20df61e7

Download Submit
memory/1356-2075-0x00007FF6BDD70000-0x00007FF6BE162000-memory.dmp

Filesize
3.9MB

Download
memory/1356-114-0x00007FF6BDD70000-0x00007FF6BE162000-memory.dmp

Filesize
3.9MB

Download
memory/1360-2061-0x00007FF673FD0000-0x00007FF6743C2000-memory.dmp

Filesize
3.9MB

Download
memory/1360-80-0x00007FF673FD0000-0x00007FF6743C2000-memory.dmp

Filesize
3.9MB

Download
memory/1380-133-0x00007FF721AF0000-0x00007FF721EE2000-memory.dmp

Filesize
3.9MB

Download
memory/1380-2086-0x00007FF721AF0000-0x00007FF721EE2000-memory.dmp

Filesize
3.9MB

Download
memory/1404-134-0x00007FF6AEE50000-0x00007FF6AF242000-memory.dmp

Filesize
3.9MB

Download
memory/1404-2084-0x00007FF6AEE50000-0x00007FF6AF242000-memory.dmp

Filesize
3.9MB

Download
memory/1968-2074-0x00007FF628170000-0x00007FF628562000-memory.dmp

Filesize
3.9MB

Download
memory/1968-109-0x00007FF628170000-0x00007FF628562000-memory.dmp

Filesize
3.9MB

Download
memory/2024-2067-0x00007FF7A2F30000-0x00007FF7A3322000-memory.dmp

Filesize
3.9MB

Download
memory/2024-110-0x00007FF7A2F30000-0x00007FF7A3322000-memory.dmp

Filesize
3.9MB

Download
memory/2060-2057-0x00007FF693460000-0x00007FF693852000-memory.dmp

Filesize
3.9MB

Download
memory/2060-89-0x00007FF693460000-0x00007FF693852000-memory.dmp

Filesize
3.9MB

Download
memory/2332-117-0x00007FF790510000-0x00007FF790902000-memory.dmp

Filesize
3.9MB

Download
memory/2332-2072-0x00007FF790510000-0x00007FF790902000-memory.dmp

Filesize
3.9MB

Download
memory/2512-2080-0x00007FF6DB690000-0x00007FF6DBA82000-memory.dmp

Filesize
3.9MB

Download
memory/2512-144-0x00007FF6DB690000-0x00007FF6DBA82000-memory.dmp

Filesize
3.9MB

Download
memory/3252-48-0x00007FFEDAF60000-0x00007FFEDBA21000-memory.dmp

Filesize
10.8MB

Download
memory/3252-3-0x00007FFEDAF63000-0x00007FFEDAF65000-memory.dmp

Filesize
8KB

Download
memory/3252-396-0x0000027075A00000-0x00000270761A6000-memory.dmp

Filesize
7.6MB

Download
memory/3252-66-0x00007FFEDAF60000-0x00007FFEDBA21000-memory.dmp

Filesize
10.8MB

Download
memory/3252-60-0x0000027074240000-0x0000027074262000-memory.dmp

Filesize
136KB

Download
memory/3252-2027-0x00007FFEDAF63000-0x00007FFEDAF65000-memory.dmp

Filesize
8KB

Download
memory/3252-2037-0x00007FFEDAF60000-0x00007FFEDBA21000-memory.dmp

Filesize
10.8MB

Download
memory/3476-98-0x00007FF74F1A0000-0x00007FF74F592000-memory.dmp

Filesize
3.9MB

Download
memory/3476-2059-0x00007FF74F1A0000-0x00007FF74F592000-memory.dmp

Filesize
3.9MB

Download
memory/3744-576-0x00007FF7BF280000-0x00007FF7BF672000-memory.dmp

Filesize
3.9MB

Download
memory/3744-2104-0x00007FF7BF280000-0x00007FF7BF672000-memory.dmp

Filesize
3.9MB

Download
memory/3988-147-0x00007FF738680000-0x00007FF738A72000-memory.dmp

Filesize
3.9MB

Download
memory/3988-2087-0x00007FF738680000-0x00007FF738A72000-memory.dmp

Filesize
3.9MB

Download
memory/4072-0-0x00007FF680090000-0x00007FF680482000-memory.dmp

Filesize
3.9MB

Download
memory/4072-1-0x0000022734680000-0x0000022734690000-memory.dmp

Filesize
64KB

Download
memory/4220-2054-0x00007FF7131F0000-0x00007FF7135E2000-memory.dmp

Filesize
3.9MB

Download
memory/4220-76-0x00007FF7131F0000-0x00007FF7135E2000-memory.dmp

Filesize
3.9MB

Download
memory/4348-2096-0x00007FF7E4F80000-0x00007FF7E5372000-memory.dmp

Filesize
3.9MB

Download
memory/4348-154-0x00007FF7E4F80000-0x00007FF7E5372000-memory.dmp

Filesize
3.9MB

Download
memory/4368-2028-0x00007FF65F760000-0x00007FF65FB52000-memory.dmp

Filesize
3.9MB

Download
memory/4368-120-0x00007FF65F760000-0x00007FF65FB52000-memory.dmp

Filesize
3.9MB

Download
memory/4368-2292-0x00007FF65F760000-0x00007FF65FB52000-memory.dmp

Filesize
3.9MB

Download
memory/4496-140-0x00007FF75E8A0000-0x00007FF75EC92000-memory.dmp

Filesize
3.9MB

Download
memory/4496-2082-0x00007FF75E8A0000-0x00007FF75EC92000-memory.dmp

Filesize
3.9MB

Download
memory/4500-2063-0x00007FF718AF0000-0x00007FF718EE2000-memory.dmp

Filesize
3.9MB

Download
memory/4500-93-0x00007FF718AF0000-0x00007FF718EE2000-memory.dmp

Filesize
3.9MB

Download
memory/4636-129-0x00007FF627530000-0x00007FF627922000-memory.dmp

Filesize
3.9MB

Download
memory/4636-2077-0x00007FF627530000-0x00007FF627922000-memory.dmp

Filesize
3.9MB

Download
memory/4696-148-0x00007FF7EAD60000-0x00007FF7EB152000-memory.dmp

Filesize
3.9MB

Download
memory/4696-2089-0x00007FF7EAD60000-0x00007FF7EB152000-memory.dmp

Filesize
3.9MB

Download
memory/4708-2095-0x00007FF7C93A0000-0x00007FF7C9792000-memory.dmp

Filesize
3.9MB

Download
memory/4708-151-0x00007FF7C93A0000-0x00007FF7C9792000-memory.dmp

Filesize
3.9MB

Download
memory/4740-121-0x00007FF7E6060000-0x00007FF7E6452000-memory.dmp

Filesize
3.9MB

Download
memory/4740-2051-0x00007FF7E6060000-0x00007FF7E6452000-memory.dmp

Filesize
3.9MB

Download
memory/4812-124-0x00007FF686FD0000-0x00007FF6873C2000-memory.dmp

Filesize
3.9MB

Download
memory/4812-2065-0x00007FF686FD0000-0x00007FF6873C2000-memory.dmp

Filesize
3.9MB

Download
memory/4836-2070-0x00007FF66A9D0000-0x00007FF66ADC2000-memory.dmp

Filesize
3.9MB

Download
memory/4836-125-0x00007FF66A9D0000-0x00007FF66ADC2000-memory.dmp

Filesize
3.9MB

Download
memory/5028-2055-0x00007FF6610A0000-0x00007FF661492000-memory.dmp

Filesize
3.9MB

Download
memory/5028-105-0x00007FF6610A0000-0x00007FF661492000-memory.dmp

Filesize
3.9MB

Download