xmrig | 2a913034144adf9ada7897fd27af2012a4984424de68ee32f917488be0d4c472

Analysis

max time kernel
94s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 21:38 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
Size

1.7MB
MD5

2bd408f3551d1cf6a5ffcec07be9b8a5
SHA1

dc20f96899d7c004cdf029d987bbdaaf0eb74130
SHA256

2a913034144adf9ada7897fd27af2012a4984424de68ee32f917488be0d4c472
SHA512

3a0a13786bef0cf720e4f8bca2f3c54163b7e5ff934b264bb3a86fa2f09e9a3bdab249693465baa40e481c794c3c3cfabf5bf03243f75fbe7dfe73810e891b1e
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWY1s38kQu12bPxvyuzaBgJ9pcFtC:Lz071uv4BPMkibTIA5I4TNrpDGKh

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2788-512-0x00007FF6F74D0000-0x00007FF6F78C2000-memory.dmp	xmrig
behavioral2/memory/3424-525-0x00007FF730870000-0x00007FF730C62000-memory.dmp	xmrig
behavioral2/memory/3620-545-0x00007FF7698C0000-0x00007FF769CB2000-memory.dmp	xmrig
behavioral2/memory/2756-581-0x00007FF6BE980000-0x00007FF6BED72000-memory.dmp	xmrig
behavioral2/memory/3972-587-0x00007FF6A9ED0000-0x00007FF6AA2C2000-memory.dmp	xmrig
behavioral2/memory/1448-594-0x00007FF72C430000-0x00007FF72C822000-memory.dmp	xmrig
behavioral2/memory/1552-627-0x00007FF704F60000-0x00007FF705352000-memory.dmp	xmrig
behavioral2/memory/2104-630-0x00007FF6B41B0000-0x00007FF6B45A2000-memory.dmp	xmrig
behavioral2/memory/4996-700-0x00007FF649590000-0x00007FF649982000-memory.dmp	xmrig
behavioral2/memory/2928-620-0x00007FF700FD0000-0x00007FF7013C2000-memory.dmp	xmrig
behavioral2/memory/4332-576-0x00007FF77A310000-0x00007FF77A702000-memory.dmp	xmrig
behavioral2/memory/2028-562-0x00007FF77F4C0000-0x00007FF77F8B2000-memory.dmp	xmrig
behavioral2/memory/2296-558-0x00007FF7D5DD0000-0x00007FF7D61C2000-memory.dmp	xmrig
behavioral2/memory/5056-553-0x00007FF761BE0000-0x00007FF761FD2000-memory.dmp	xmrig
behavioral2/memory/1540-534-0x00007FF76F170000-0x00007FF76F562000-memory.dmp	xmrig
behavioral2/memory/528-489-0x00007FF7D5C00000-0x00007FF7D5FF2000-memory.dmp	xmrig
behavioral2/memory/512-472-0x00007FF68B930000-0x00007FF68BD22000-memory.dmp	xmrig
behavioral2/memory/1120-463-0x00007FF744CC0000-0x00007FF7450B2000-memory.dmp	xmrig
behavioral2/memory/3528-41-0x00007FF716040000-0x00007FF716432000-memory.dmp	xmrig
behavioral2/memory/4392-814-0x00007FF781000000-0x00007FF7813F2000-memory.dmp	xmrig
behavioral2/memory/3188-811-0x00007FF78DD50000-0x00007FF78E142000-memory.dmp	xmrig
behavioral2/memory/4684-806-0x00007FF74CC20000-0x00007FF74D012000-memory.dmp	xmrig
behavioral2/memory/2500-805-0x00007FF78DD80000-0x00007FF78E172000-memory.dmp	xmrig
behavioral2/memory/692-1998-0x00007FF79FBB0000-0x00007FF79FFA2000-memory.dmp	xmrig
behavioral2/memory/692-2005-0x00007FF79FBB0000-0x00007FF79FFA2000-memory.dmp	xmrig
behavioral2/memory/3528-2007-0x00007FF716040000-0x00007FF716432000-memory.dmp	xmrig
behavioral2/memory/512-2010-0x00007FF68B930000-0x00007FF68BD22000-memory.dmp	xmrig
behavioral2/memory/4684-2013-0x00007FF74CC20000-0x00007FF74D012000-memory.dmp	xmrig
behavioral2/memory/1120-2012-0x00007FF744CC0000-0x00007FF7450B2000-memory.dmp	xmrig
behavioral2/memory/528-2015-0x00007FF7D5C00000-0x00007FF7D5FF2000-memory.dmp	xmrig
behavioral2/memory/5056-2024-0x00007FF761BE0000-0x00007FF761FD2000-memory.dmp	xmrig
behavioral2/memory/4392-2032-0x00007FF781000000-0x00007FF7813F2000-memory.dmp	xmrig
behavioral2/memory/1448-2041-0x00007FF72C430000-0x00007FF72C822000-memory.dmp	xmrig
behavioral2/memory/1552-2043-0x00007FF704F60000-0x00007FF705352000-memory.dmp	xmrig
behavioral2/memory/3972-2039-0x00007FF6A9ED0000-0x00007FF6AA2C2000-memory.dmp	xmrig
behavioral2/memory/2756-2037-0x00007FF6BE980000-0x00007FF6BED72000-memory.dmp	xmrig
behavioral2/memory/3188-2034-0x00007FF78DD50000-0x00007FF78E142000-memory.dmp	xmrig
behavioral2/memory/2788-2030-0x00007FF6F74D0000-0x00007FF6F78C2000-memory.dmp	xmrig
behavioral2/memory/3424-2027-0x00007FF730870000-0x00007FF730C62000-memory.dmp	xmrig
behavioral2/memory/4332-2035-0x00007FF77A310000-0x00007FF77A702000-memory.dmp	xmrig
behavioral2/memory/1540-2025-0x00007FF76F170000-0x00007FF76F562000-memory.dmp	xmrig
behavioral2/memory/3620-2022-0x00007FF7698C0000-0x00007FF769CB2000-memory.dmp	xmrig
behavioral2/memory/2296-2020-0x00007FF7D5DD0000-0x00007FF7D61C2000-memory.dmp	xmrig
behavioral2/memory/2028-2018-0x00007FF77F4C0000-0x00007FF77F8B2000-memory.dmp	xmrig
behavioral2/memory/2928-2049-0x00007FF700FD0000-0x00007FF7013C2000-memory.dmp	xmrig
behavioral2/memory/4996-2054-0x00007FF649590000-0x00007FF649982000-memory.dmp	xmrig
behavioral2/memory/2104-2055-0x00007FF6B41B0000-0x00007FF6B45A2000-memory.dmp	xmrig
behavioral2/memory/2500-2090-0x00007FF78DD80000-0x00007FF78E172000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	3080	powershell.exe
5	3080	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3080	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
692	kwFHSzy.exe
3528	edGLxPF.exe
4684	cLWQQFv.exe
1120	gmPRjtn.exe
512	CdJpKxy.exe
528	yRgvUQi.exe
3188	znTSCIY.exe
4392	CpzljVk.exe
2788	Vazywze.exe
3424	KvplWlG.exe
1540	faCvQzo.exe
3620	iTUWXOz.exe
5056	sDglKOj.exe
2296	AXYYzKi.exe
2028	UxXRwOK.exe
4332	AbQGgfo.exe
2756	htznWYO.exe
3972	YFWhXWf.exe
1448	ddopcOv.exe
2928	NfVmbed.exe
1552	TMvYVJm.exe
2104	WzfjDUE.exe
4996	dxGnmqd.exe
2500	XiIfcYs.exe
548	jZIKWlC.exe
3700	PruFKWw.exe
1868	vBiWvDL.exe
216	RzTNdTH.exe
4664	GbCyKSw.exe
1632	yWEFdOU.exe
1068	FnhNcTQ.exe
4372	UJEuAoq.exe
700	HKKEqBp.exe
4312	nsxsfZs.exe
624	SzBaLBx.exe
4052	ZCjdTLp.exe
3488	ItwtiLQ.exe
856	qAdaivJ.exe
1396	UktWYVw.exe
4060	NNtcKXm.exe
4548	gYKFnIT.exe
3240	XNSccmO.exe
1452	vovvhhn.exe
3104	UKhVnxA.exe
4448	zcZWQpa.exe
3000	KCpEaDq.exe
228	AsFoLEi.exe
3408	ZqSlGkj.exe
4424	HWdoPny.exe
4368	uhGtpWA.exe
4500	STljrBY.exe
3616	WHvLliK.exe
5020	UNRWipX.exe
5068	iFpqfoO.exe
1504	AhYOkcd.exe
3412	LHdZWEX.exe
4036	pRlvLJK.exe
2816	VNlxIUu.exe
5072	cyJPPWp.exe
4692	rwrWDOy.exe
4064	SJhRkvJ.exe
1948	htctEJI.exe
1876	PSMUwzV.exe
852	HMBLnbx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2840-0-0x00007FF7C3B70000-0x00007FF7C3F62000-memory.dmp	upx
behavioral2/memory/692-11-0x00007FF79FBB0000-0x00007FF79FFA2000-memory.dmp	upx
behavioral2/files/0x00090000000233db-13.dat	upx
behavioral2/files/0x00070000000233df-19.dat	upx
behavioral2/files/0x00070000000233e0-26.dat	upx
behavioral2/files/0x00070000000233e1-24.dat	upx
behavioral2/files/0x00070000000233e2-37.dat	upx
behavioral2/files/0x00070000000233e3-36.dat	upx
behavioral2/files/0x00090000000233d3-75.dat	upx
behavioral2/files/0x00070000000233e9-85.dat	upx
behavioral2/files/0x00070000000233ef-112.dat	upx
behavioral2/files/0x00070000000233f1-122.dat	upx
behavioral2/files/0x00070000000233f3-140.dat	upx
behavioral2/files/0x00070000000233fa-167.dat	upx
behavioral2/memory/2788-512-0x00007FF6F74D0000-0x00007FF6F78C2000-memory.dmp	upx
behavioral2/memory/3424-525-0x00007FF730870000-0x00007FF730C62000-memory.dmp	upx
behavioral2/memory/3620-545-0x00007FF7698C0000-0x00007FF769CB2000-memory.dmp	upx
behavioral2/memory/2756-581-0x00007FF6BE980000-0x00007FF6BED72000-memory.dmp	upx
behavioral2/memory/3972-587-0x00007FF6A9ED0000-0x00007FF6AA2C2000-memory.dmp	upx
behavioral2/memory/1448-594-0x00007FF72C430000-0x00007FF72C822000-memory.dmp	upx
behavioral2/memory/1552-627-0x00007FF704F60000-0x00007FF705352000-memory.dmp	upx
behavioral2/memory/2104-630-0x00007FF6B41B0000-0x00007FF6B45A2000-memory.dmp	upx
behavioral2/memory/4996-700-0x00007FF649590000-0x00007FF649982000-memory.dmp	upx
behavioral2/memory/2928-620-0x00007FF700FD0000-0x00007FF7013C2000-memory.dmp	upx
behavioral2/memory/4332-576-0x00007FF77A310000-0x00007FF77A702000-memory.dmp	upx
behavioral2/memory/2028-562-0x00007FF77F4C0000-0x00007FF77F8B2000-memory.dmp	upx
behavioral2/memory/2296-558-0x00007FF7D5DD0000-0x00007FF7D61C2000-memory.dmp	upx
behavioral2/memory/5056-553-0x00007FF761BE0000-0x00007FF761FD2000-memory.dmp	upx
behavioral2/memory/1540-534-0x00007FF76F170000-0x00007FF76F562000-memory.dmp	upx
behavioral2/memory/528-489-0x00007FF7D5C00000-0x00007FF7D5FF2000-memory.dmp	upx
behavioral2/memory/512-472-0x00007FF68B930000-0x00007FF68BD22000-memory.dmp	upx
behavioral2/memory/1120-463-0x00007FF744CC0000-0x00007FF7450B2000-memory.dmp	upx
behavioral2/files/0x00070000000233fc-177.dat	upx
behavioral2/files/0x00070000000233fb-172.dat	upx
behavioral2/files/0x00070000000233f9-170.dat	upx
behavioral2/files/0x00070000000233f8-165.dat	upx
behavioral2/files/0x00070000000233f7-160.dat	upx
behavioral2/files/0x00070000000233f6-155.dat	upx
behavioral2/files/0x00070000000233f5-150.dat	upx
behavioral2/files/0x00070000000233f4-145.dat	upx
behavioral2/files/0x00070000000233f2-135.dat	upx
behavioral2/files/0x00070000000233f0-125.dat	upx
behavioral2/files/0x00070000000233ee-115.dat	upx
behavioral2/files/0x00070000000233ed-110.dat	upx
behavioral2/files/0x00070000000233ec-105.dat	upx
behavioral2/files/0x00070000000233eb-100.dat	upx
behavioral2/files/0x00080000000233e6-95.dat	upx
behavioral2/files/0x00070000000233ea-90.dat	upx
behavioral2/files/0x00080000000233e7-80.dat	upx
behavioral2/files/0x00070000000233e8-70.dat	upx
behavioral2/files/0x00070000000233e5-62.dat	upx
behavioral2/files/0x00070000000233e4-58.dat	upx
behavioral2/memory/3528-41-0x00007FF716040000-0x00007FF716432000-memory.dmp	upx
behavioral2/files/0x0006000000023278-9.dat	upx
behavioral2/memory/4392-814-0x00007FF781000000-0x00007FF7813F2000-memory.dmp	upx
behavioral2/memory/3188-811-0x00007FF78DD50000-0x00007FF78E142000-memory.dmp	upx
behavioral2/memory/4684-806-0x00007FF74CC20000-0x00007FF74D012000-memory.dmp	upx
behavioral2/memory/2500-805-0x00007FF78DD80000-0x00007FF78E172000-memory.dmp	upx
behavioral2/memory/692-1998-0x00007FF79FBB0000-0x00007FF79FFA2000-memory.dmp	upx
behavioral2/memory/692-2005-0x00007FF79FBB0000-0x00007FF79FFA2000-memory.dmp	upx
behavioral2/memory/3528-2007-0x00007FF716040000-0x00007FF716432000-memory.dmp	upx
behavioral2/memory/512-2010-0x00007FF68B930000-0x00007FF68BD22000-memory.dmp	upx
behavioral2/memory/4684-2013-0x00007FF74CC20000-0x00007FF74D012000-memory.dmp	upx
behavioral2/memory/1120-2012-0x00007FF744CC0000-0x00007FF7450B2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\VNlxIUu.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\urmxHRy.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\KUHiZxe.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\QjgqwQC.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\bMlQSGs.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\BXxQpMJ.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\QuznOgz.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\MQOWvXf.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\hScudhE.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\gmCwWvf.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\dxGnmqd.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\HKKEqBp.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\uwwuqIt.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\pCMlIDP.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\EgGXyqC.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\BeMxtug.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\rBntzQk.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\FAXhSXn.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\BPdcawf.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\ShGyOdH.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\dcgTJlF.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\hzoZPAd.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\VZAUhbS.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\XTvgQKW.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\xbWdAbB.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\wrPROVl.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\DTYsqMb.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\dvIVheQ.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\mZLKrHf.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\yBHUnuK.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\qzQxppC.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\AfPTNjp.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\LTadcTa.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\qrjHtGB.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\oeckghX.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\gEZHwXQ.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\xaaXsLx.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\HylLXdT.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\PByoLTf.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\HKFTdcd.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\yjvdnBC.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\KaJRZwr.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\gRbziuj.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\zdyfOAa.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\BizPWZS.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\JJYWNDe.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\QZpulLN.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\jIBiJlF.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\tquluYE.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\oCmVibX.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\aotJzHj.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\IKDzSkr.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\bSBnkSh.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\GBjiKJv.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\pVnDbJa.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\RkZlIWC.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\kYIUrhf.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\HJiITSi.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\cLWQQFv.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\iFpqfoO.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\nuhcEbY.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\UYdNVgN.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\hJlsjcG.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
File created	C:\Windows\System\udfXpTk.exe	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
Token: SeDebugPrivilege	3080	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 3080	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	83
PID 2840 wrote to memory of 3080	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	83
PID 2840 wrote to memory of 692	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	84
PID 2840 wrote to memory of 692	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	84
PID 2840 wrote to memory of 3528	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	85
PID 2840 wrote to memory of 3528	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	85
PID 2840 wrote to memory of 4684	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	86
PID 2840 wrote to memory of 4684	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	86
PID 2840 wrote to memory of 1120	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	87
PID 2840 wrote to memory of 1120	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	87
PID 2840 wrote to memory of 512	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	88
PID 2840 wrote to memory of 512	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	88
PID 2840 wrote to memory of 528	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	89
PID 2840 wrote to memory of 528	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	89
PID 2840 wrote to memory of 3188	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	90
PID 2840 wrote to memory of 3188	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	90
PID 2840 wrote to memory of 4392	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	91
PID 2840 wrote to memory of 4392	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	91
PID 2840 wrote to memory of 2788	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	92
PID 2840 wrote to memory of 2788	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	92
PID 2840 wrote to memory of 3424	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	93
PID 2840 wrote to memory of 3424	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	93
PID 2840 wrote to memory of 1540	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	94
PID 2840 wrote to memory of 1540	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	94
PID 2840 wrote to memory of 3620	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	95
PID 2840 wrote to memory of 3620	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	95
PID 2840 wrote to memory of 5056	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	96
PID 2840 wrote to memory of 5056	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	96
PID 2840 wrote to memory of 2296	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	97
PID 2840 wrote to memory of 2296	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	97
PID 2840 wrote to memory of 2028	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	98
PID 2840 wrote to memory of 2028	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	98
PID 2840 wrote to memory of 4332	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	99
PID 2840 wrote to memory of 4332	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	99
PID 2840 wrote to memory of 2756	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	100
PID 2840 wrote to memory of 2756	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	100
PID 2840 wrote to memory of 3972	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	101
PID 2840 wrote to memory of 3972	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	101
PID 2840 wrote to memory of 1448	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	102
PID 2840 wrote to memory of 1448	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	102
PID 2840 wrote to memory of 2928	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	103
PID 2840 wrote to memory of 2928	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	103
PID 2840 wrote to memory of 1552	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	104
PID 2840 wrote to memory of 1552	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	104
PID 2840 wrote to memory of 2104	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	105
PID 2840 wrote to memory of 2104	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	105
PID 2840 wrote to memory of 4996	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	106
PID 2840 wrote to memory of 4996	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	106
PID 2840 wrote to memory of 2500	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	107
PID 2840 wrote to memory of 2500	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	107
PID 2840 wrote to memory of 548	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	108
PID 2840 wrote to memory of 548	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	108
PID 2840 wrote to memory of 3700	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	109
PID 2840 wrote to memory of 3700	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	109
PID 2840 wrote to memory of 1868	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	110
PID 2840 wrote to memory of 1868	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	110
PID 2840 wrote to memory of 216	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	111
PID 2840 wrote to memory of 216	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	111
PID 2840 wrote to memory of 4664	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	112
PID 2840 wrote to memory of 4664	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	112
PID 2840 wrote to memory of 1632	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	113
PID 2840 wrote to memory of 1632	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	113
PID 2840 wrote to memory of 1068	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	114
PID 2840 wrote to memory of 1068	2840	2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe	114

C:\Users\Admin\AppData\Local\Temp\2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3080" "2968" "2900" "2972" "0" "0" "2976" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12748
- C:\Windows\System\kwFHSzy.exe
  C:\Windows\System\kwFHSzy.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Windows\System\edGLxPF.exe
  C:\Windows\System\edGLxPF.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\cLWQQFv.exe
  C:\Windows\System\cLWQQFv.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\gmPRjtn.exe
  C:\Windows\System\gmPRjtn.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\CdJpKxy.exe
  C:\Windows\System\CdJpKxy.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\yRgvUQi.exe
  C:\Windows\System\yRgvUQi.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\znTSCIY.exe
  C:\Windows\System\znTSCIY.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\CpzljVk.exe
  C:\Windows\System\CpzljVk.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\Vazywze.exe
  C:\Windows\System\Vazywze.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\KvplWlG.exe
  C:\Windows\System\KvplWlG.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\faCvQzo.exe
  C:\Windows\System\faCvQzo.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\iTUWXOz.exe
  C:\Windows\System\iTUWXOz.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\sDglKOj.exe
  C:\Windows\System\sDglKOj.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\AXYYzKi.exe
  C:\Windows\System\AXYYzKi.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\UxXRwOK.exe
  C:\Windows\System\UxXRwOK.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\AbQGgfo.exe
  C:\Windows\System\AbQGgfo.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\htznWYO.exe
  C:\Windows\System\htznWYO.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\YFWhXWf.exe
  C:\Windows\System\YFWhXWf.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\ddopcOv.exe
  C:\Windows\System\ddopcOv.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\NfVmbed.exe
  C:\Windows\System\NfVmbed.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\TMvYVJm.exe
  C:\Windows\System\TMvYVJm.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\WzfjDUE.exe
  C:\Windows\System\WzfjDUE.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\dxGnmqd.exe
  C:\Windows\System\dxGnmqd.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\XiIfcYs.exe
  C:\Windows\System\XiIfcYs.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\jZIKWlC.exe
  C:\Windows\System\jZIKWlC.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\PruFKWw.exe
  C:\Windows\System\PruFKWw.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\vBiWvDL.exe
  C:\Windows\System\vBiWvDL.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\RzTNdTH.exe
  C:\Windows\System\RzTNdTH.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\GbCyKSw.exe
  C:\Windows\System\GbCyKSw.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\yWEFdOU.exe
  C:\Windows\System\yWEFdOU.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\FnhNcTQ.exe
  C:\Windows\System\FnhNcTQ.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\UJEuAoq.exe
  C:\Windows\System\UJEuAoq.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\HKKEqBp.exe
  C:\Windows\System\HKKEqBp.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\nsxsfZs.exe
  C:\Windows\System\nsxsfZs.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\SzBaLBx.exe
  C:\Windows\System\SzBaLBx.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\ZCjdTLp.exe
  C:\Windows\System\ZCjdTLp.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\ItwtiLQ.exe
  C:\Windows\System\ItwtiLQ.exe
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Windows\System\qAdaivJ.exe
  C:\Windows\System\qAdaivJ.exe
  2⤵
  - Executes dropped EXE
  PID:856
- C:\Windows\System\UktWYVw.exe
  C:\Windows\System\UktWYVw.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\NNtcKXm.exe
  C:\Windows\System\NNtcKXm.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\gYKFnIT.exe
  C:\Windows\System\gYKFnIT.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\XNSccmO.exe
  C:\Windows\System\XNSccmO.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\vovvhhn.exe
  C:\Windows\System\vovvhhn.exe
  2⤵
  - Executes dropped EXE
  PID:1452
- C:\Windows\System\UKhVnxA.exe
  C:\Windows\System\UKhVnxA.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\zcZWQpa.exe
  C:\Windows\System\zcZWQpa.exe
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Windows\System\KCpEaDq.exe
  C:\Windows\System\KCpEaDq.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\AsFoLEi.exe
  C:\Windows\System\AsFoLEi.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\ZqSlGkj.exe
  C:\Windows\System\ZqSlGkj.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\HWdoPny.exe
  C:\Windows\System\HWdoPny.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\uhGtpWA.exe
  C:\Windows\System\uhGtpWA.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\STljrBY.exe
  C:\Windows\System\STljrBY.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\WHvLliK.exe
  C:\Windows\System\WHvLliK.exe
  2⤵
  - Executes dropped EXE
  PID:3616
- C:\Windows\System\UNRWipX.exe
  C:\Windows\System\UNRWipX.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\iFpqfoO.exe
  C:\Windows\System\iFpqfoO.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\AhYOkcd.exe
  C:\Windows\System\AhYOkcd.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\LHdZWEX.exe
  C:\Windows\System\LHdZWEX.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\pRlvLJK.exe
  C:\Windows\System\pRlvLJK.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\VNlxIUu.exe
  C:\Windows\System\VNlxIUu.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\cyJPPWp.exe
  C:\Windows\System\cyJPPWp.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\rwrWDOy.exe
  C:\Windows\System\rwrWDOy.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\SJhRkvJ.exe
  C:\Windows\System\SJhRkvJ.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\htctEJI.exe
  C:\Windows\System\htctEJI.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\PSMUwzV.exe
  C:\Windows\System\PSMUwzV.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\HMBLnbx.exe
  C:\Windows\System\HMBLnbx.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\wrPROVl.exe
  C:\Windows\System\wrPROVl.exe
  2⤵
  PID:3680
- C:\Windows\System\AKYJoIc.exe
  C:\Windows\System\AKYJoIc.exe
  2⤵
  PID:4884
- C:\Windows\System\ghEvFGh.exe
  C:\Windows\System\ghEvFGh.exe
  2⤵
  PID:952
- C:\Windows\System\waXaSrg.exe
  C:\Windows\System\waXaSrg.exe
  2⤵
  PID:4304
- C:\Windows\System\AAGnZpL.exe
  C:\Windows\System\AAGnZpL.exe
  2⤵
  PID:4376
- C:\Windows\System\deyxhBm.exe
  C:\Windows\System\deyxhBm.exe
  2⤵
  PID:2268
- C:\Windows\System\bzSZJcY.exe
  C:\Windows\System\bzSZJcY.exe
  2⤵
  PID:4920
- C:\Windows\System\ZxDwiMT.exe
  C:\Windows\System\ZxDwiMT.exe
  2⤵
  PID:3500
- C:\Windows\System\urmxHRy.exe
  C:\Windows\System\urmxHRy.exe
  2⤵
  PID:1496
- C:\Windows\System\XglnvqX.exe
  C:\Windows\System\XglnvqX.exe
  2⤵
  PID:2624
- C:\Windows\System\IgvVccu.exe
  C:\Windows\System\IgvVccu.exe
  2⤵
  PID:1728
- C:\Windows\System\MkCjmGj.exe
  C:\Windows\System\MkCjmGj.exe
  2⤵
  PID:3004
- C:\Windows\System\BsvJWGW.exe
  C:\Windows\System\BsvJWGW.exe
  2⤵
  PID:5060
- C:\Windows\System\PhuZyMf.exe
  C:\Windows\System\PhuZyMf.exe
  2⤵
  PID:4284
- C:\Windows\System\PBBqjbp.exe
  C:\Windows\System\PBBqjbp.exe
  2⤵
  PID:4136
- C:\Windows\System\KYRjYrf.exe
  C:\Windows\System\KYRjYrf.exe
  2⤵
  PID:540
- C:\Windows\System\NdWXRiS.exe
  C:\Windows\System\NdWXRiS.exe
  2⤵
  PID:2408
- C:\Windows\System\WhdPQFk.exe
  C:\Windows\System\WhdPQFk.exe
  2⤵
  PID:1676
- C:\Windows\System\MeRKHTV.exe
  C:\Windows\System\MeRKHTV.exe
  2⤵
  PID:5000
- C:\Windows\System\TdnCIdR.exe
  C:\Windows\System\TdnCIdR.exe
  2⤵
  PID:1816
- C:\Windows\System\AhZkMTb.exe
  C:\Windows\System\AhZkMTb.exe
  2⤵
  PID:2372
- C:\Windows\System\SxOGkUW.exe
  C:\Windows\System\SxOGkUW.exe
  2⤵
  PID:5128
- C:\Windows\System\KTLfaGT.exe
  C:\Windows\System\KTLfaGT.exe
  2⤵
  PID:5156
- C:\Windows\System\fyGPcJc.exe
  C:\Windows\System\fyGPcJc.exe
  2⤵
  PID:5184
- C:\Windows\System\RwVvFQt.exe
  C:\Windows\System\RwVvFQt.exe
  2⤵
  PID:5212
- C:\Windows\System\pFgXkWI.exe
  C:\Windows\System\pFgXkWI.exe
  2⤵
  PID:5240
- C:\Windows\System\NDtdofc.exe
  C:\Windows\System\NDtdofc.exe
  2⤵
  PID:5268
- C:\Windows\System\ouAYCQe.exe
  C:\Windows\System\ouAYCQe.exe
  2⤵
  PID:5296
- C:\Windows\System\bXzNjcp.exe
  C:\Windows\System\bXzNjcp.exe
  2⤵
  PID:5324
- C:\Windows\System\aGwoBlr.exe
  C:\Windows\System\aGwoBlr.exe
  2⤵
  PID:5360
- C:\Windows\System\MIIPYoM.exe
  C:\Windows\System\MIIPYoM.exe
  2⤵
  PID:5388
- C:\Windows\System\Npxmgqf.exe
  C:\Windows\System\Npxmgqf.exe
  2⤵
  PID:5420
- C:\Windows\System\wRgbIUA.exe
  C:\Windows\System\wRgbIUA.exe
  2⤵
  PID:5444
- C:\Windows\System\bjEMpUx.exe
  C:\Windows\System\bjEMpUx.exe
  2⤵
  PID:5472
- C:\Windows\System\JjPvDAq.exe
  C:\Windows\System\JjPvDAq.exe
  2⤵
  PID:5500
- C:\Windows\System\CRiHJdH.exe
  C:\Windows\System\CRiHJdH.exe
  2⤵
  PID:5528
- C:\Windows\System\uwwuqIt.exe
  C:\Windows\System\uwwuqIt.exe
  2⤵
  PID:5556
- C:\Windows\System\TxrgWhP.exe
  C:\Windows\System\TxrgWhP.exe
  2⤵
  PID:5584
- C:\Windows\System\sJOjjkH.exe
  C:\Windows\System\sJOjjkH.exe
  2⤵
  PID:5616
- C:\Windows\System\nquRwfi.exe
  C:\Windows\System\nquRwfi.exe
  2⤵
  PID:5644
- C:\Windows\System\YLjrChW.exe
  C:\Windows\System\YLjrChW.exe
  2⤵
  PID:5672
- C:\Windows\System\UdcCuke.exe
  C:\Windows\System\UdcCuke.exe
  2⤵
  PID:5704
- C:\Windows\System\ARWlqbF.exe
  C:\Windows\System\ARWlqbF.exe
  2⤵
  PID:5736
- C:\Windows\System\VNuMLtS.exe
  C:\Windows\System\VNuMLtS.exe
  2⤵
  PID:5764
- C:\Windows\System\ySVHcbL.exe
  C:\Windows\System\ySVHcbL.exe
  2⤵
  PID:5792
- C:\Windows\System\gSVIilt.exe
  C:\Windows\System\gSVIilt.exe
  2⤵
  PID:5820
- C:\Windows\System\IQgypbK.exe
  C:\Windows\System\IQgypbK.exe
  2⤵
  PID:5848
- C:\Windows\System\rrVNmgG.exe
  C:\Windows\System\rrVNmgG.exe
  2⤵
  PID:5876
- C:\Windows\System\AGkYlGX.exe
  C:\Windows\System\AGkYlGX.exe
  2⤵
  PID:5904
- C:\Windows\System\LTadcTa.exe
  C:\Windows\System\LTadcTa.exe
  2⤵
  PID:5936
- C:\Windows\System\XlLSKdF.exe
  C:\Windows\System\XlLSKdF.exe
  2⤵
  PID:5964
- C:\Windows\System\RZxLZiz.exe
  C:\Windows\System\RZxLZiz.exe
  2⤵
  PID:5992
- C:\Windows\System\xddqGrV.exe
  C:\Windows\System\xddqGrV.exe
  2⤵
  PID:6020
- C:\Windows\System\SHQJmJQ.exe
  C:\Windows\System\SHQJmJQ.exe
  2⤵
  PID:6044
- C:\Windows\System\AtjWoXK.exe
  C:\Windows\System\AtjWoXK.exe
  2⤵
  PID:6072
- C:\Windows\System\VkfSxKC.exe
  C:\Windows\System\VkfSxKC.exe
  2⤵
  PID:6100
- C:\Windows\System\yeQfeLz.exe
  C:\Windows\System\yeQfeLz.exe
  2⤵
  PID:6128
- C:\Windows\System\HuKffRZ.exe
  C:\Windows\System\HuKffRZ.exe
  2⤵
  PID:2580
- C:\Windows\System\egrOejJ.exe
  C:\Windows\System\egrOejJ.exe
  2⤵
  PID:1900
- C:\Windows\System\pBVbAif.exe
  C:\Windows\System\pBVbAif.exe
  2⤵
  PID:4612
- C:\Windows\System\ymuuIvY.exe
  C:\Windows\System\ymuuIvY.exe
  2⤵
  PID:1652
- C:\Windows\System\cPmDIDK.exe
  C:\Windows\System\cPmDIDK.exe
  2⤵
  PID:5256
- C:\Windows\System\bPAPmMK.exe
  C:\Windows\System\bPAPmMK.exe
  2⤵
  PID:5292
- C:\Windows\System\ljhCPVJ.exe
  C:\Windows\System\ljhCPVJ.exe
  2⤵
  PID:5348
- C:\Windows\System\LixcOWB.exe
  C:\Windows\System\LixcOWB.exe
  2⤵
  PID:3568
- C:\Windows\System\OikWmpv.exe
  C:\Windows\System\OikWmpv.exe
  2⤵
  PID:5460
- C:\Windows\System\VznKxQH.exe
  C:\Windows\System\VznKxQH.exe
  2⤵
  PID:5492
- C:\Windows\System\XteQmGS.exe
  C:\Windows\System\XteQmGS.exe
  2⤵
  PID:5544
- C:\Windows\System\aJZvGyn.exe
  C:\Windows\System\aJZvGyn.exe
  2⤵
  PID:5572
- C:\Windows\System\bTIjiHE.exe
  C:\Windows\System\bTIjiHE.exe
  2⤵
  PID:4712
- C:\Windows\System\qfJhsSR.exe
  C:\Windows\System\qfJhsSR.exe
  2⤵
  PID:5660
- C:\Windows\System\qEUHMGt.exe
  C:\Windows\System\qEUHMGt.exe
  2⤵
  PID:5664
- C:\Windows\System\WQdZhJj.exe
  C:\Windows\System\WQdZhJj.exe
  2⤵
  PID:5700
- C:\Windows\System\JGSIOsD.exe
  C:\Windows\System\JGSIOsD.exe
  2⤵
  PID:5728
- C:\Windows\System\eUtjqav.exe
  C:\Windows\System\eUtjqav.exe
  2⤵
  PID:5756
- C:\Windows\System\gxwhDBN.exe
  C:\Windows\System\gxwhDBN.exe
  2⤵
  PID:1928
- C:\Windows\System\qrjHtGB.exe
  C:\Windows\System\qrjHtGB.exe
  2⤵
  PID:5812
- C:\Windows\System\dcgTJlF.exe
  C:\Windows\System\dcgTJlF.exe
  2⤵
  PID:3548
- C:\Windows\System\xiMQUrx.exe
  C:\Windows\System\xiMQUrx.exe
  2⤵
  PID:5872
- C:\Windows\System\Zkzvuwf.exe
  C:\Windows\System\Zkzvuwf.exe
  2⤵
  PID:4084
- C:\Windows\System\gxsIRWL.exe
  C:\Windows\System\gxsIRWL.exe
  2⤵
  PID:5952
- C:\Windows\System\pAyMyss.exe
  C:\Windows\System\pAyMyss.exe
  2⤵
  PID:5984
- C:\Windows\System\vUEKGBj.exe
  C:\Windows\System\vUEKGBj.exe
  2⤵
  PID:6032
- C:\Windows\System\TIVXieP.exe
  C:\Windows\System\TIVXieP.exe
  2⤵
  PID:3696
- C:\Windows\System\qxcgAsI.exe
  C:\Windows\System\qxcgAsI.exe
  2⤵
  PID:6068
- C:\Windows\System\zssyGaJ.exe
  C:\Windows\System\zssyGaJ.exe
  2⤵
  PID:6116
- C:\Windows\System\ZYMxzky.exe
  C:\Windows\System\ZYMxzky.exe
  2⤵
  PID:6124
- C:\Windows\System\zQFNGlY.exe
  C:\Windows\System\zQFNGlY.exe
  2⤵
  PID:1772
- C:\Windows\System\dfWuNot.exe
  C:\Windows\System\dfWuNot.exe
  2⤵
  PID:4900
- C:\Windows\System\UwrlBvP.exe
  C:\Windows\System\UwrlBvP.exe
  2⤵
  PID:1576
- C:\Windows\System\kAqnwwU.exe
  C:\Windows\System\kAqnwwU.exe
  2⤵
  PID:5440
- C:\Windows\System\lBMcjXa.exe
  C:\Windows\System\lBMcjXa.exe
  2⤵
  PID:5696
- C:\Windows\System\NmhkLCO.exe
  C:\Windows\System\NmhkLCO.exe
  2⤵
  PID:5980
- C:\Windows\System\oPksyvo.exe
  C:\Windows\System\oPksyvo.exe
  2⤵
  PID:2216
- C:\Windows\System\JqbKYTl.exe
  C:\Windows\System\JqbKYTl.exe
  2⤵
  PID:2260
- C:\Windows\System\DTYsqMb.exe
  C:\Windows\System\DTYsqMb.exe
  2⤵
  PID:4432
- C:\Windows\System\NUdnKWZ.exe
  C:\Windows\System\NUdnKWZ.exe
  2⤵
  PID:4160
- C:\Windows\System\AHwfXLd.exe
  C:\Windows\System\AHwfXLd.exe
  2⤵
  PID:1848
- C:\Windows\System\tJjvuIq.exe
  C:\Windows\System\tJjvuIq.exe
  2⤵
  PID:6148
- C:\Windows\System\eBZFbiG.exe
  C:\Windows\System\eBZFbiG.exe
  2⤵
  PID:6168
- C:\Windows\System\JYSaVkR.exe
  C:\Windows\System\JYSaVkR.exe
  2⤵
  PID:6188
- C:\Windows\System\CulfOwx.exe
  C:\Windows\System\CulfOwx.exe
  2⤵
  PID:6208
- C:\Windows\System\yjvdnBC.exe
  C:\Windows\System\yjvdnBC.exe
  2⤵
  PID:6232
- C:\Windows\System\KaJRZwr.exe
  C:\Windows\System\KaJRZwr.exe
  2⤵
  PID:6252
- C:\Windows\System\HOEBpVW.exe
  C:\Windows\System\HOEBpVW.exe
  2⤵
  PID:6316
- C:\Windows\System\CnYWfuS.exe
  C:\Windows\System\CnYWfuS.exe
  2⤵
  PID:6340
- C:\Windows\System\KUHiZxe.exe
  C:\Windows\System\KUHiZxe.exe
  2⤵
  PID:6384
- C:\Windows\System\JURBYyL.exe
  C:\Windows\System\JURBYyL.exe
  2⤵
  PID:6400
- C:\Windows\System\GqibWFj.exe
  C:\Windows\System\GqibWFj.exe
  2⤵
  PID:6456
- C:\Windows\System\lnVExlP.exe
  C:\Windows\System\lnVExlP.exe
  2⤵
  PID:6472
- C:\Windows\System\OlaEILj.exe
  C:\Windows\System\OlaEILj.exe
  2⤵
  PID:6544
- C:\Windows\System\apnYKRR.exe
  C:\Windows\System\apnYKRR.exe
  2⤵
  PID:6572
- C:\Windows\System\wSveLvW.exe
  C:\Windows\System\wSveLvW.exe
  2⤵
  PID:6632
- C:\Windows\System\kDwjWcl.exe
  C:\Windows\System\kDwjWcl.exe
  2⤵
  PID:6684
- C:\Windows\System\ccDffMB.exe
  C:\Windows\System\ccDffMB.exe
  2⤵
  PID:6700
- C:\Windows\System\OgPlBMW.exe
  C:\Windows\System\OgPlBMW.exe
  2⤵
  PID:6728
- C:\Windows\System\bsbNIMu.exe
  C:\Windows\System\bsbNIMu.exe
  2⤵
  PID:6752
- C:\Windows\System\tquluYE.exe
  C:\Windows\System\tquluYE.exe
  2⤵
  PID:6784
- C:\Windows\System\LdlaFNo.exe
  C:\Windows\System\LdlaFNo.exe
  2⤵
  PID:6808
- C:\Windows\System\AjfSjFI.exe
  C:\Windows\System\AjfSjFI.exe
  2⤵
  PID:6828
- C:\Windows\System\SrHIzHW.exe
  C:\Windows\System\SrHIzHW.exe
  2⤵
  PID:6856
- C:\Windows\System\ukckKVQ.exe
  C:\Windows\System\ukckKVQ.exe
  2⤵
  PID:6884
- C:\Windows\System\JkqAfwB.exe
  C:\Windows\System\JkqAfwB.exe
  2⤵
  PID:6912
- C:\Windows\System\KWfOWgC.exe
  C:\Windows\System\KWfOWgC.exe
  2⤵
  PID:6940
- C:\Windows\System\GKZaTDa.exe
  C:\Windows\System\GKZaTDa.exe
  2⤵
  PID:6968
- C:\Windows\System\pmYJtIq.exe
  C:\Windows\System\pmYJtIq.exe
  2⤵
  PID:6996
- C:\Windows\System\xgffdkF.exe
  C:\Windows\System\xgffdkF.exe
  2⤵
  PID:7024
- C:\Windows\System\HwnYjSN.exe
  C:\Windows\System\HwnYjSN.exe
  2⤵
  PID:7052
- C:\Windows\System\JhKFiFj.exe
  C:\Windows\System\JhKFiFj.exe
  2⤵
  PID:7080
- C:\Windows\System\KTVmvGd.exe
  C:\Windows\System\KTVmvGd.exe
  2⤵
  PID:7104
- C:\Windows\System\rGorXxJ.exe
  C:\Windows\System\rGorXxJ.exe
  2⤵
  PID:7136
- C:\Windows\System\UplbXsD.exe
  C:\Windows\System\UplbXsD.exe
  2⤵
  PID:7164
- C:\Windows\System\pENfCHb.exe
  C:\Windows\System\pENfCHb.exe
  2⤵
  PID:4992
- C:\Windows\System\Ydprssn.exe
  C:\Windows\System\Ydprssn.exe
  2⤵
  PID:2996
- C:\Windows\System\PLnFkuv.exe
  C:\Windows\System\PLnFkuv.exe
  2⤵
  PID:6312
- C:\Windows\System\jNfxMNH.exe
  C:\Windows\System\jNfxMNH.exe
  2⤵
  PID:6324
- C:\Windows\System\wCQuNUb.exe
  C:\Windows\System\wCQuNUb.exe
  2⤵
  PID:6380
- C:\Windows\System\LrwIMSv.exe
  C:\Windows\System\LrwIMSv.exe
  2⤵
  PID:6440
- C:\Windows\System\YyNznAs.exe
  C:\Windows\System\YyNznAs.exe
  2⤵
  PID:6512
- C:\Windows\System\UWiYvhM.exe
  C:\Windows\System\UWiYvhM.exe
  2⤵
  PID:6556
- C:\Windows\System\xYCRuur.exe
  C:\Windows\System\xYCRuur.exe
  2⤵
  PID:6604
- C:\Windows\System\RTCyeZp.exe
  C:\Windows\System\RTCyeZp.exe
  2⤵
  PID:6652
- C:\Windows\System\FqFrVUH.exe
  C:\Windows\System\FqFrVUH.exe
  2⤵
  PID:6740
- C:\Windows\System\gaXOLBm.exe
  C:\Windows\System\gaXOLBm.exe
  2⤵
  PID:6804
- C:\Windows\System\GBjiKJv.exe
  C:\Windows\System\GBjiKJv.exe
  2⤵
  PID:6868
- C:\Windows\System\MRJcYbk.exe
  C:\Windows\System\MRJcYbk.exe
  2⤵
  PID:7040
- C:\Windows\System\PNQVDqR.exe
  C:\Windows\System\PNQVDqR.exe
  2⤵
  PID:7120
- C:\Windows\System\CyntJeP.exe
  C:\Windows\System\CyntJeP.exe
  2⤵
  PID:6204
- C:\Windows\System\gbYmkOp.exe
  C:\Windows\System\gbYmkOp.exe
  2⤵
  PID:6396
- C:\Windows\System\kWqnoSS.exe
  C:\Windows\System\kWqnoSS.exe
  2⤵
  PID:6288
- C:\Windows\System\oeckghX.exe
  C:\Windows\System\oeckghX.exe
  2⤵
  PID:6644
- C:\Windows\System\IshmruY.exe
  C:\Windows\System\IshmruY.exe
  2⤵
  PID:6552
- C:\Windows\System\oCmVibX.exe
  C:\Windows\System\oCmVibX.exe
  2⤵
  PID:6848
- C:\Windows\System\LSIBpMS.exe
  C:\Windows\System\LSIBpMS.exe
  2⤵
  PID:6960
- C:\Windows\System\bPgcDls.exe
  C:\Windows\System\bPgcDls.exe
  2⤵
  PID:7100
- C:\Windows\System\xsDhBBv.exe
  C:\Windows\System\xsDhBBv.exe
  2⤵
  PID:6448
- C:\Windows\System\YnkdtEi.exe
  C:\Windows\System\YnkdtEi.exe
  2⤵
  PID:6468
- C:\Windows\System\ZsvCzOK.exe
  C:\Windows\System\ZsvCzOK.exe
  2⤵
  PID:6492
- C:\Windows\System\MfqzBcZ.exe
  C:\Windows\System\MfqzBcZ.exe
  2⤵
  PID:5176
- C:\Windows\System\BPJOqxr.exe
  C:\Windows\System\BPJOqxr.exe
  2⤵
  PID:6592
- C:\Windows\System\YLLMduM.exe
  C:\Windows\System\YLLMduM.exe
  2⤵
  PID:5604
- C:\Windows\System\ieSUjql.exe
  C:\Windows\System\ieSUjql.exe
  2⤵
  PID:5288
- C:\Windows\System\RNdOUrK.exe
  C:\Windows\System\RNdOUrK.exe
  2⤵
  PID:6508
- C:\Windows\System\VEMcKNj.exe
  C:\Windows\System\VEMcKNj.exe
  2⤵
  PID:6408
- C:\Windows\System\sqJduJB.exe
  C:\Windows\System\sqJduJB.exe
  2⤵
  PID:7184
- C:\Windows\System\EgGXyqC.exe
  C:\Windows\System\EgGXyqC.exe
  2⤵
  PID:7228
- C:\Windows\System\XZnxYsM.exe
  C:\Windows\System\XZnxYsM.exe
  2⤵
  PID:7248
- C:\Windows\System\ZYNhhlW.exe
  C:\Windows\System\ZYNhhlW.exe
  2⤵
  PID:7296
- C:\Windows\System\BeMxtug.exe
  C:\Windows\System\BeMxtug.exe
  2⤵
  PID:7324
- C:\Windows\System\QXSluAu.exe
  C:\Windows\System\QXSluAu.exe
  2⤵
  PID:7348
- C:\Windows\System\chqGIvX.exe
  C:\Windows\System\chqGIvX.exe
  2⤵
  PID:7364
- C:\Windows\System\UoBOdWl.exe
  C:\Windows\System\UoBOdWl.exe
  2⤵
  PID:7388
- C:\Windows\System\zRGmrgL.exe
  C:\Windows\System\zRGmrgL.exe
  2⤵
  PID:7408
- C:\Windows\System\lHwqicZ.exe
  C:\Windows\System\lHwqicZ.exe
  2⤵
  PID:7432
- C:\Windows\System\YpjQLyq.exe
  C:\Windows\System\YpjQLyq.exe
  2⤵
  PID:7464
- C:\Windows\System\meKLoWk.exe
  C:\Windows\System\meKLoWk.exe
  2⤵
  PID:7500
- C:\Windows\System\jmZASDW.exe
  C:\Windows\System\jmZASDW.exe
  2⤵
  PID:7528
- C:\Windows\System\SBfRTJj.exe
  C:\Windows\System\SBfRTJj.exe
  2⤵
  PID:7568
- C:\Windows\System\DyUYYgQ.exe
  C:\Windows\System\DyUYYgQ.exe
  2⤵
  PID:7600
- C:\Windows\System\fDxIGkK.exe
  C:\Windows\System\fDxIGkK.exe
  2⤵
  PID:7624
- C:\Windows\System\lpnzdeP.exe
  C:\Windows\System\lpnzdeP.exe
  2⤵
  PID:7648
- C:\Windows\System\zQsrDFa.exe
  C:\Windows\System\zQsrDFa.exe
  2⤵
  PID:7684
- C:\Windows\System\QlokfQE.exe
  C:\Windows\System\QlokfQE.exe
  2⤵
  PID:7724
- C:\Windows\System\sAQhDbp.exe
  C:\Windows\System\sAQhDbp.exe
  2⤵
  PID:7748
- C:\Windows\System\gRxibxb.exe
  C:\Windows\System\gRxibxb.exe
  2⤵
  PID:7768
- C:\Windows\System\epbAqCn.exe
  C:\Windows\System\epbAqCn.exe
  2⤵
  PID:7796
- C:\Windows\System\ldYQTAN.exe
  C:\Windows\System\ldYQTAN.exe
  2⤵
  PID:7812
- C:\Windows\System\hIEuVBK.exe
  C:\Windows\System\hIEuVBK.exe
  2⤵
  PID:7832
- C:\Windows\System\jsSFQHo.exe
  C:\Windows\System\jsSFQHo.exe
  2⤵
  PID:7852
- C:\Windows\System\aotJzHj.exe
  C:\Windows\System\aotJzHj.exe
  2⤵
  PID:7888
- C:\Windows\System\iKpIlOt.exe
  C:\Windows\System\iKpIlOt.exe
  2⤵
  PID:7936
- C:\Windows\System\eUuNgUx.exe
  C:\Windows\System\eUuNgUx.exe
  2⤵
  PID:7960
- C:\Windows\System\yMHnLOq.exe
  C:\Windows\System\yMHnLOq.exe
  2⤵
  PID:7980
- C:\Windows\System\CPklLvP.exe
  C:\Windows\System\CPklLvP.exe
  2⤵
  PID:8000
- C:\Windows\System\Gjbswrf.exe
  C:\Windows\System\Gjbswrf.exe
  2⤵
  PID:8024
- C:\Windows\System\scrLkwp.exe
  C:\Windows\System\scrLkwp.exe
  2⤵
  PID:8040
- C:\Windows\System\hmfZNsL.exe
  C:\Windows\System\hmfZNsL.exe
  2⤵
  PID:8064
- C:\Windows\System\LuqMDzc.exe
  C:\Windows\System\LuqMDzc.exe
  2⤵
  PID:8088
- C:\Windows\System\MXajFUf.exe
  C:\Windows\System\MXajFUf.exe
  2⤵
  PID:8112
- C:\Windows\System\AUQCLvk.exe
  C:\Windows\System\AUQCLvk.exe
  2⤵
  PID:8136
- C:\Windows\System\pXKYJcA.exe
  C:\Windows\System\pXKYJcA.exe
  2⤵
  PID:8168
- C:\Windows\System\mDArBYj.exe
  C:\Windows\System\mDArBYj.exe
  2⤵
  PID:8188
- C:\Windows\System\HWXTrSZ.exe
  C:\Windows\System\HWXTrSZ.exe
  2⤵
  PID:6156
- C:\Windows\System\ycDQBYd.exe
  C:\Windows\System\ycDQBYd.exe
  2⤵
  PID:7172
- C:\Windows\System\wwuCqSR.exe
  C:\Windows\System\wwuCqSR.exe
  2⤵
  PID:7236
- C:\Windows\System\gRbziuj.exe
  C:\Windows\System\gRbziuj.exe
  2⤵
  PID:7312
- C:\Windows\System\IKDzSkr.exe
  C:\Windows\System\IKDzSkr.exe
  2⤵
  PID:7404
- C:\Windows\System\QelImqZ.exe
  C:\Windows\System\QelImqZ.exe
  2⤵
  PID:7484
- C:\Windows\System\WtEBzJn.exe
  C:\Windows\System\WtEBzJn.exe
  2⤵
  PID:7520
- C:\Windows\System\gEZHwXQ.exe
  C:\Windows\System\gEZHwXQ.exe
  2⤵
  PID:7592
- C:\Windows\System\DkfkOUv.exe
  C:\Windows\System\DkfkOUv.exe
  2⤵
  PID:7740
- C:\Windows\System\MJERoDk.exe
  C:\Windows\System\MJERoDk.exe
  2⤵
  PID:7808
- C:\Windows\System\znPbCMm.exe
  C:\Windows\System\znPbCMm.exe
  2⤵
  PID:7928
- C:\Windows\System\zNAtDxF.exe
  C:\Windows\System\zNAtDxF.exe
  2⤵
  PID:7944
- C:\Windows\System\cNEZiLu.exe
  C:\Windows\System\cNEZiLu.exe
  2⤵
  PID:8032
- C:\Windows\System\afgDvWb.exe
  C:\Windows\System\afgDvWb.exe
  2⤵
  PID:7016
- C:\Windows\System\qmyxbAC.exe
  C:\Windows\System\qmyxbAC.exe
  2⤵
  PID:8128
- C:\Windows\System\PJGVDxc.exe
  C:\Windows\System\PJGVDxc.exe
  2⤵
  PID:6952
- C:\Windows\System\LsMdgyw.exe
  C:\Windows\System\LsMdgyw.exe
  2⤵
  PID:7356
- C:\Windows\System\EMunMIj.exe
  C:\Windows\System\EMunMIj.exe
  2⤵
  PID:7396
- C:\Windows\System\zmSGxum.exe
  C:\Windows\System\zmSGxum.exe
  2⤵
  PID:7460
- C:\Windows\System\UMqgBIi.exe
  C:\Windows\System\UMqgBIi.exe
  2⤵
  PID:7524
- C:\Windows\System\bAYgHLC.exe
  C:\Windows\System\bAYgHLC.exe
  2⤵
  PID:7764
- C:\Windows\System\EOvPFnL.exe
  C:\Windows\System\EOvPFnL.exe
  2⤵
  PID:3644
- C:\Windows\System\WerWtsM.exe
  C:\Windows\System\WerWtsM.exe
  2⤵
  PID:7924
- C:\Windows\System\waOhKhZ.exe
  C:\Windows\System\waOhKhZ.exe
  2⤵
  PID:8080
- C:\Windows\System\aztQovF.exe
  C:\Windows\System\aztQovF.exe
  2⤵
  PID:7256
- C:\Windows\System\ikKdlCW.exe
  C:\Windows\System\ikKdlCW.exe
  2⤵
  PID:7692
- C:\Windows\System\YrurGKk.exe
  C:\Windows\System\YrurGKk.exe
  2⤵
  PID:7784
- C:\Windows\System\ZhaJEac.exe
  C:\Windows\System\ZhaJEac.exe
  2⤵
  PID:8060
- C:\Windows\System\CorxFZb.exe
  C:\Windows\System\CorxFZb.exe
  2⤵
  PID:8184
- C:\Windows\System\dsGLLxt.exe
  C:\Windows\System\dsGLLxt.exe
  2⤵
  PID:7096
- C:\Windows\System\RhwxdCY.exe
  C:\Windows\System\RhwxdCY.exe
  2⤵
  PID:8216
- C:\Windows\System\HBYYIaW.exe
  C:\Windows\System\HBYYIaW.exe
  2⤵
  PID:8240
- C:\Windows\System\nxXVMJH.exe
  C:\Windows\System\nxXVMJH.exe
  2⤵
  PID:8264
- C:\Windows\System\hzoZPAd.exe
  C:\Windows\System\hzoZPAd.exe
  2⤵
  PID:8304
- C:\Windows\System\QGCkySz.exe
  C:\Windows\System\QGCkySz.exe
  2⤵
  PID:8324
- C:\Windows\System\HQPlfsS.exe
  C:\Windows\System\HQPlfsS.exe
  2⤵
  PID:8376
- C:\Windows\System\kBUlHuq.exe
  C:\Windows\System\kBUlHuq.exe
  2⤵
  PID:8396
- C:\Windows\System\GJKEJzv.exe
  C:\Windows\System\GJKEJzv.exe
  2⤵
  PID:8432
- C:\Windows\System\trGkKwj.exe
  C:\Windows\System\trGkKwj.exe
  2⤵
  PID:8456
- C:\Windows\System\klUhXbw.exe
  C:\Windows\System\klUhXbw.exe
  2⤵
  PID:8476
- C:\Windows\System\hGrgzcQ.exe
  C:\Windows\System\hGrgzcQ.exe
  2⤵
  PID:8536
- C:\Windows\System\dpqAkzw.exe
  C:\Windows\System\dpqAkzw.exe
  2⤵
  PID:8560
- C:\Windows\System\tYUcYUX.exe
  C:\Windows\System\tYUcYUX.exe
  2⤵
  PID:8580
- C:\Windows\System\jPKCBpa.exe
  C:\Windows\System\jPKCBpa.exe
  2⤵
  PID:8600
- C:\Windows\System\MdirpmZ.exe
  C:\Windows\System\MdirpmZ.exe
  2⤵
  PID:8624
- C:\Windows\System\kwAkiGy.exe
  C:\Windows\System\kwAkiGy.exe
  2⤵
  PID:8644
- C:\Windows\System\puDZVdZ.exe
  C:\Windows\System\puDZVdZ.exe
  2⤵
  PID:8684
- C:\Windows\System\GbJQGLN.exe
  C:\Windows\System\GbJQGLN.exe
  2⤵
  PID:8720
- C:\Windows\System\NtXgmFN.exe
  C:\Windows\System\NtXgmFN.exe
  2⤵
  PID:8744
- C:\Windows\System\DxxPAPc.exe
  C:\Windows\System\DxxPAPc.exe
  2⤵
  PID:8768
- C:\Windows\System\AtATocC.exe
  C:\Windows\System\AtATocC.exe
  2⤵
  PID:8792
- C:\Windows\System\ZXGeRfS.exe
  C:\Windows\System\ZXGeRfS.exe
  2⤵
  PID:8832
- C:\Windows\System\CDLGNXj.exe
  C:\Windows\System\CDLGNXj.exe
  2⤵
  PID:8864
- C:\Windows\System\dNveJCk.exe
  C:\Windows\System\dNveJCk.exe
  2⤵
  PID:8888
- C:\Windows\System\pcUqBBj.exe
  C:\Windows\System\pcUqBBj.exe
  2⤵
  PID:8908
- C:\Windows\System\GgcwlAQ.exe
  C:\Windows\System\GgcwlAQ.exe
  2⤵
  PID:8928
- C:\Windows\System\JCrbsBI.exe
  C:\Windows\System\JCrbsBI.exe
  2⤵
  PID:8952
- C:\Windows\System\bMlQSGs.exe
  C:\Windows\System\bMlQSGs.exe
  2⤵
  PID:8972
- C:\Windows\System\BizPWZS.exe
  C:\Windows\System\BizPWZS.exe
  2⤵
  PID:9032
- C:\Windows\System\NQbKjQT.exe
  C:\Windows\System\NQbKjQT.exe
  2⤵
  PID:9052
- C:\Windows\System\mrPurwx.exe
  C:\Windows\System\mrPurwx.exe
  2⤵
  PID:9076
- C:\Windows\System\GdvmYyF.exe
  C:\Windows\System\GdvmYyF.exe
  2⤵
  PID:9096
- C:\Windows\System\VZAUhbS.exe
  C:\Windows\System\VZAUhbS.exe
  2⤵
  PID:9124
- C:\Windows\System\dUKZsiG.exe
  C:\Windows\System\dUKZsiG.exe
  2⤵
  PID:9144
- C:\Windows\System\mBuuhYh.exe
  C:\Windows\System\mBuuhYh.exe
  2⤵
  PID:9180
- C:\Windows\System\rWjBzVU.exe
  C:\Windows\System\rWjBzVU.exe
  2⤵
  PID:9196
- C:\Windows\System\Davyhjq.exe
  C:\Windows\System\Davyhjq.exe
  2⤵
  PID:3456
- C:\Windows\System\GYIQEVC.exe
  C:\Windows\System\GYIQEVC.exe
  2⤵
  PID:8332
- C:\Windows\System\dvIVheQ.exe
  C:\Windows\System\dvIVheQ.exe
  2⤵
  PID:8404
- C:\Windows\System\Uwdtkzn.exe
  C:\Windows\System\Uwdtkzn.exe
  2⤵
  PID:8392
- C:\Windows\System\USWBlUe.exe
  C:\Windows\System\USWBlUe.exe
  2⤵
  PID:8472
- C:\Windows\System\hSWBDSH.exe
  C:\Windows\System\hSWBDSH.exe
  2⤵
  PID:8592
- C:\Windows\System\ZduNEGc.exe
  C:\Windows\System\ZduNEGc.exe
  2⤵
  PID:1756
- C:\Windows\System\QMdNcbj.exe
  C:\Windows\System\QMdNcbj.exe
  2⤵
  PID:8636
- C:\Windows\System\yBHUnuK.exe
  C:\Windows\System\yBHUnuK.exe
  2⤵
  PID:8664
- C:\Windows\System\IzmIzph.exe
  C:\Windows\System\IzmIzph.exe
  2⤵
  PID:8736
- C:\Windows\System\QjgqwQC.exe
  C:\Windows\System\QjgqwQC.exe
  2⤵
  PID:8764
- C:\Windows\System\obYXpzi.exe
  C:\Windows\System\obYXpzi.exe
  2⤵
  PID:8820
- C:\Windows\System\yJibVYz.exe
  C:\Windows\System\yJibVYz.exe
  2⤵
  PID:8872
- C:\Windows\System\XTvgQKW.exe
  C:\Windows\System\XTvgQKW.exe
  2⤵
  PID:8896
- C:\Windows\System\nDygIzb.exe
  C:\Windows\System\nDygIzb.exe
  2⤵
  PID:9048
- C:\Windows\System\RYJnXiA.exe
  C:\Windows\System\RYJnXiA.exe
  2⤵
  PID:9024
- C:\Windows\System\XnhaJNV.exe
  C:\Windows\System\XnhaJNV.exe
  2⤵
  PID:7884
- C:\Windows\System\flZEjEk.exe
  C:\Windows\System\flZEjEk.exe
  2⤵
  PID:8288
- C:\Windows\System\QuqXOlZ.exe
  C:\Windows\System\QuqXOlZ.exe
  2⤵
  PID:8716
- C:\Windows\System\cKrXDVa.exe
  C:\Windows\System\cKrXDVa.exe
  2⤵
  PID:8632
- C:\Windows\System\GBUahxe.exe
  C:\Windows\System\GBUahxe.exe
  2⤵
  PID:8800
- C:\Windows\System\rBntzQk.exe
  C:\Windows\System\rBntzQk.exe
  2⤵
  PID:9116
- C:\Windows\System\HoilPrw.exe
  C:\Windows\System\HoilPrw.exe
  2⤵
  PID:8108
- C:\Windows\System\WUEXxxT.exe
  C:\Windows\System\WUEXxxT.exe
  2⤵
  PID:9172
- C:\Windows\System\pCMlIDP.exe
  C:\Windows\System\pCMlIDP.exe
  2⤵
  PID:8828
- C:\Windows\System\QTTTlEH.exe
  C:\Windows\System\QTTTlEH.exe
  2⤵
  PID:8964
- C:\Windows\System\QuznOgz.exe
  C:\Windows\System\QuznOgz.exe
  2⤵
  PID:8212
- C:\Windows\System\VKOBYqQ.exe
  C:\Windows\System\VKOBYqQ.exe
  2⤵
  PID:9236
- C:\Windows\System\wFYzaIx.exe
  C:\Windows\System\wFYzaIx.exe
  2⤵
  PID:9256
- C:\Windows\System\XSpuYsx.exe
  C:\Windows\System\XSpuYsx.exe
  2⤵
  PID:9300
- C:\Windows\System\nuhcEbY.exe
  C:\Windows\System\nuhcEbY.exe
  2⤵
  PID:9316
- C:\Windows\System\dfasBMi.exe
  C:\Windows\System\dfasBMi.exe
  2⤵
  PID:9344
- C:\Windows\System\eENGQoe.exe
  C:\Windows\System\eENGQoe.exe
  2⤵
  PID:9360
- C:\Windows\System\oNhZlSQ.exe
  C:\Windows\System\oNhZlSQ.exe
  2⤵
  PID:9388
- C:\Windows\System\nGdvclE.exe
  C:\Windows\System\nGdvclE.exe
  2⤵
  PID:9424
- C:\Windows\System\HOlxpgp.exe
  C:\Windows\System\HOlxpgp.exe
  2⤵
  PID:9456
- C:\Windows\System\lnvUmIT.exe
  C:\Windows\System\lnvUmIT.exe
  2⤵
  PID:9488
- C:\Windows\System\fbvZVMF.exe
  C:\Windows\System\fbvZVMF.exe
  2⤵
  PID:9516
- C:\Windows\System\VkMzMfW.exe
  C:\Windows\System\VkMzMfW.exe
  2⤵
  PID:9536
- C:\Windows\System\XUrVGLE.exe
  C:\Windows\System\XUrVGLE.exe
  2⤵
  PID:9556
- C:\Windows\System\gWnAWvT.exe
  C:\Windows\System\gWnAWvT.exe
  2⤵
  PID:9620
- C:\Windows\System\emvhXmb.exe
  C:\Windows\System\emvhXmb.exe
  2⤵
  PID:9640
- C:\Windows\System\rmTSQqY.exe
  C:\Windows\System\rmTSQqY.exe
  2⤵
  PID:9664
- C:\Windows\System\QJAJsZz.exe
  C:\Windows\System\QJAJsZz.exe
  2⤵
  PID:9704
- C:\Windows\System\RQIdbrU.exe
  C:\Windows\System\RQIdbrU.exe
  2⤵
  PID:9724
- C:\Windows\System\PgMGkxL.exe
  C:\Windows\System\PgMGkxL.exe
  2⤵
  PID:9756
- C:\Windows\System\KnTkjrI.exe
  C:\Windows\System\KnTkjrI.exe
  2⤵
  PID:9776
- C:\Windows\System\szZEnsE.exe
  C:\Windows\System\szZEnsE.exe
  2⤵
  PID:9804
- C:\Windows\System\eDIpDsr.exe
  C:\Windows\System\eDIpDsr.exe
  2⤵
  PID:9828
- C:\Windows\System\yyaFcua.exe
  C:\Windows\System\yyaFcua.exe
  2⤵
  PID:9844
- C:\Windows\System\cBJVKRj.exe
  C:\Windows\System\cBJVKRj.exe
  2⤵
  PID:9868
- C:\Windows\System\JpeJsBv.exe
  C:\Windows\System\JpeJsBv.exe
  2⤵
  PID:9912
- C:\Windows\System\mjgGPuK.exe
  C:\Windows\System\mjgGPuK.exe
  2⤵
  PID:9932
- C:\Windows\System\QMKetON.exe
  C:\Windows\System\QMKetON.exe
  2⤵
  PID:9964
- C:\Windows\System\gEhyKDV.exe
  C:\Windows\System\gEhyKDV.exe
  2⤵
  PID:9984
- C:\Windows\System\cczOwuh.exe
  C:\Windows\System\cczOwuh.exe
  2⤵
  PID:10004
- C:\Windows\System\SjgMSOV.exe
  C:\Windows\System\SjgMSOV.exe
  2⤵
  PID:10032
- C:\Windows\System\yKTZLns.exe
  C:\Windows\System\yKTZLns.exe
  2⤵
  PID:10084
- C:\Windows\System\gfhqpiJ.exe
  C:\Windows\System\gfhqpiJ.exe
  2⤵
  PID:10104
- C:\Windows\System\lUfVJlS.exe
  C:\Windows\System\lUfVJlS.exe
  2⤵
  PID:10132
- C:\Windows\System\nWdojgS.exe
  C:\Windows\System\nWdojgS.exe
  2⤵
  PID:10180
- C:\Windows\System\NXuahkh.exe
  C:\Windows\System\NXuahkh.exe
  2⤵
  PID:10208
- C:\Windows\System\WVjASOh.exe
  C:\Windows\System\WVjASOh.exe
  2⤵
  PID:10228
- C:\Windows\System\CPAXywU.exe
  C:\Windows\System\CPAXywU.exe
  2⤵
  PID:8760
- C:\Windows\System\cBqFOXD.exe
  C:\Windows\System\cBqFOXD.exe
  2⤵
  PID:9248
- C:\Windows\System\ifsnmLn.exe
  C:\Windows\System\ifsnmLn.exe
  2⤵
  PID:3764
- C:\Windows\System\NTBfUNn.exe
  C:\Windows\System\NTBfUNn.exe
  2⤵
  PID:9352
- C:\Windows\System\SEmJJMp.exe
  C:\Windows\System\SEmJJMp.exe
  2⤵
  PID:9452
- C:\Windows\System\qKjOwpS.exe
  C:\Windows\System\qKjOwpS.exe
  2⤵
  PID:9484
- C:\Windows\System\zRCWcBy.exe
  C:\Windows\System\zRCWcBy.exe
  2⤵
  PID:9504
- C:\Windows\System\uQgmhcw.exe
  C:\Windows\System\uQgmhcw.exe
  2⤵
  PID:9632
- C:\Windows\System\fzOrBQc.exe
  C:\Windows\System\fzOrBQc.exe
  2⤵
  PID:9744
- C:\Windows\System\uVYgClW.exe
  C:\Windows\System\uVYgClW.exe
  2⤵
  PID:9768
- C:\Windows\System\AOjxnkH.exe
  C:\Windows\System\AOjxnkH.exe
  2⤵
  PID:9880
- C:\Windows\System\GBDEsjA.exe
  C:\Windows\System\GBDEsjA.exe
  2⤵
  PID:9944
- C:\Windows\System\HSpCKAh.exe
  C:\Windows\System\HSpCKAh.exe
  2⤵
  PID:9976
- C:\Windows\System\lVhOPRZ.exe
  C:\Windows\System\lVhOPRZ.exe
  2⤵
  PID:10056
- C:\Windows\System\FjkeHPE.exe
  C:\Windows\System\FjkeHPE.exe
  2⤵
  PID:10160
- C:\Windows\System\ggdPaUS.exe
  C:\Windows\System\ggdPaUS.exe
  2⤵
  PID:10192
- C:\Windows\System\VfLPPhK.exe
  C:\Windows\System\VfLPPhK.exe
  2⤵
  PID:8940
- C:\Windows\System\XDBYPDU.exe
  C:\Windows\System\XDBYPDU.exe
  2⤵
  PID:9308
- C:\Windows\System\rarZeiz.exe
  C:\Windows\System\rarZeiz.exe
  2⤵
  PID:9416
- C:\Windows\System\LXgbxkB.exe
  C:\Windows\System\LXgbxkB.exe
  2⤵
  PID:9712
- C:\Windows\System\wRcuMUJ.exe
  C:\Windows\System\wRcuMUJ.exe
  2⤵
  PID:9812
- C:\Windows\System\JJYWNDe.exe
  C:\Windows\System\JJYWNDe.exe
  2⤵
  PID:9836
- C:\Windows\System\jWdsXwP.exe
  C:\Windows\System\jWdsXwP.exe
  2⤵
  PID:10052
- C:\Windows\System\JmlGILS.exe
  C:\Windows\System\JmlGILS.exe
  2⤵
  PID:10144
- C:\Windows\System\FgyOCad.exe
  C:\Windows\System\FgyOCad.exe
  2⤵
  PID:9600
- C:\Windows\System\qzQxppC.exe
  C:\Windows\System\qzQxppC.exe
  2⤵
  PID:9956
- C:\Windows\System\GNPrYUM.exe
  C:\Windows\System\GNPrYUM.exe
  2⤵
  PID:9816
- C:\Windows\System\lYKNlCB.exe
  C:\Windows\System\lYKNlCB.exe
  2⤵
  PID:10164
- C:\Windows\System\WiXtHHv.exe
  C:\Windows\System\WiXtHHv.exe
  2⤵
  PID:6800
- C:\Windows\System\GZbWvrI.exe
  C:\Windows\System\GZbWvrI.exe
  2⤵
  PID:10268
- C:\Windows\System\jMHGvGb.exe
  C:\Windows\System\jMHGvGb.exe
  2⤵
  PID:10304
- C:\Windows\System\fWEdyRj.exe
  C:\Windows\System\fWEdyRj.exe
  2⤵
  PID:10320
- C:\Windows\System\cTsBxuJ.exe
  C:\Windows\System\cTsBxuJ.exe
  2⤵
  PID:10340
- C:\Windows\System\QZpulLN.exe
  C:\Windows\System\QZpulLN.exe
  2⤵
  PID:10360
- C:\Windows\System\HKrOzTM.exe
  C:\Windows\System\HKrOzTM.exe
  2⤵
  PID:10384
- C:\Windows\System\IzGmFSk.exe
  C:\Windows\System\IzGmFSk.exe
  2⤵
  PID:10424
- C:\Windows\System\sdhFniH.exe
  C:\Windows\System\sdhFniH.exe
  2⤵
  PID:10460
- C:\Windows\System\vfYePOY.exe
  C:\Windows\System\vfYePOY.exe
  2⤵
  PID:10484
- C:\Windows\System\XkjEdqm.exe
  C:\Windows\System\XkjEdqm.exe
  2⤵
  PID:10544
- C:\Windows\System\lYClgfl.exe
  C:\Windows\System\lYClgfl.exe
  2⤵
  PID:10584
- C:\Windows\System\fbjTNuK.exe
  C:\Windows\System\fbjTNuK.exe
  2⤵
  PID:10604
- C:\Windows\System\pVnDbJa.exe
  C:\Windows\System\pVnDbJa.exe
  2⤵
  PID:10620
- C:\Windows\System\MBsOpOR.exe
  C:\Windows\System\MBsOpOR.exe
  2⤵
  PID:10648
- C:\Windows\System\ciYTkcF.exe
  C:\Windows\System\ciYTkcF.exe
  2⤵
  PID:10676
- C:\Windows\System\yNDdEoE.exe
  C:\Windows\System\yNDdEoE.exe
  2⤵
  PID:10708
- C:\Windows\System\rWJGyUG.exe
  C:\Windows\System\rWJGyUG.exe
  2⤵
  PID:10736
- C:\Windows\System\kLFkByp.exe
  C:\Windows\System\kLFkByp.exe
  2⤵
  PID:10756
- C:\Windows\System\XPJamES.exe
  C:\Windows\System\XPJamES.exe
  2⤵
  PID:10776
- C:\Windows\System\rteMbGm.exe
  C:\Windows\System\rteMbGm.exe
  2⤵
  PID:10808
- C:\Windows\System\dnFlABk.exe
  C:\Windows\System\dnFlABk.exe
  2⤵
  PID:10864
- C:\Windows\System\SyuAHMc.exe
  C:\Windows\System\SyuAHMc.exe
  2⤵
  PID:10892
- C:\Windows\System\lmGxXKI.exe
  C:\Windows\System\lmGxXKI.exe
  2⤵
  PID:10912
- C:\Windows\System\WDKwWrG.exe
  C:\Windows\System\WDKwWrG.exe
  2⤵
  PID:10932
- C:\Windows\System\rPbHuia.exe
  C:\Windows\System\rPbHuia.exe
  2⤵
  PID:10960
- C:\Windows\System\lyRGRzC.exe
  C:\Windows\System\lyRGRzC.exe
  2⤵
  PID:10976
- C:\Windows\System\FopwHph.exe
  C:\Windows\System\FopwHph.exe
  2⤵
  PID:11000
- C:\Windows\System\MMYmLAM.exe
  C:\Windows\System\MMYmLAM.exe
  2⤵
  PID:11020
- C:\Windows\System\cTnIQXj.exe
  C:\Windows\System\cTnIQXj.exe
  2⤵
  PID:11044
- C:\Windows\System\ZMrJYkW.exe
  C:\Windows\System\ZMrJYkW.exe
  2⤵
  PID:11076
- C:\Windows\System\AweoHzi.exe
  C:\Windows\System\AweoHzi.exe
  2⤵
  PID:11104
- C:\Windows\System\JxdLjsD.exe
  C:\Windows\System\JxdLjsD.exe
  2⤵
  PID:11148
- C:\Windows\System\YEGaUDs.exe
  C:\Windows\System\YEGaUDs.exe
  2⤵
  PID:11168
- C:\Windows\System\aZTGazz.exe
  C:\Windows\System\aZTGazz.exe
  2⤵
  PID:11200
- C:\Windows\System\aYhBNQB.exe
  C:\Windows\System\aYhBNQB.exe
  2⤵
  PID:11232
- C:\Windows\System\sBYORqh.exe
  C:\Windows\System\sBYORqh.exe
  2⤵
  PID:9400
- C:\Windows\System\kbLjaso.exe
  C:\Windows\System\kbLjaso.exe
  2⤵
  PID:9528
- C:\Windows\System\RqsaMby.exe
  C:\Windows\System\RqsaMby.exe
  2⤵
  PID:10404
- C:\Windows\System\jAlHjjX.exe
  C:\Windows\System\jAlHjjX.exe
  2⤵
  PID:10368
- C:\Windows\System\PepMBxO.exe
  C:\Windows\System\PepMBxO.exe
  2⤵
  PID:10380
- C:\Windows\System\GHgNbQo.exe
  C:\Windows\System\GHgNbQo.exe
  2⤵
  PID:10492
- C:\Windows\System\BXbXotp.exe
  C:\Windows\System\BXbXotp.exe
  2⤵
  PID:10536
- C:\Windows\System\Fdmxpix.exe
  C:\Windows\System\Fdmxpix.exe
  2⤵
  PID:10580
- C:\Windows\System\cWqBCga.exe
  C:\Windows\System\cWqBCga.exe
  2⤵
  PID:10716
- C:\Windows\System\PAcOsbF.exe
  C:\Windows\System\PAcOsbF.exe
  2⤵
  PID:10732
- C:\Windows\System\jFjGMoi.exe
  C:\Windows\System\jFjGMoi.exe
  2⤵
  PID:10816
- C:\Windows\System\HQCgvEL.exe
  C:\Windows\System\HQCgvEL.exe
  2⤵
  PID:10900
- C:\Windows\System\zvUYZhj.exe
  C:\Windows\System\zvUYZhj.exe
  2⤵
  PID:10928
- C:\Windows\System\HZMuaca.exe
  C:\Windows\System\HZMuaca.exe
  2⤵
  PID:10968
- C:\Windows\System\CZcrtJB.exe
  C:\Windows\System\CZcrtJB.exe
  2⤵
  PID:11040
- C:\Windows\System\SjmZTeJ.exe
  C:\Windows\System\SjmZTeJ.exe
  2⤵
  PID:11068
- C:\Windows\System\APVNIfO.exe
  C:\Windows\System\APVNIfO.exe
  2⤵
  PID:11176
- C:\Windows\System\cMTKLyS.exe
  C:\Windows\System\cMTKLyS.exe
  2⤵
  PID:11220
- C:\Windows\System\DwxDCKw.exe
  C:\Windows\System\DwxDCKw.exe
  2⤵
  PID:11248
- C:\Windows\System\WRBEYqf.exe
  C:\Windows\System\WRBEYqf.exe
  2⤵
  PID:10592
- C:\Windows\System\RmrsDGz.exe
  C:\Windows\System\RmrsDGz.exe
  2⤵
  PID:10832
- C:\Windows\System\bETcnbD.exe
  C:\Windows\System\bETcnbD.exe
  2⤵
  PID:10940
- C:\Windows\System\zdyfOAa.exe
  C:\Windows\System\zdyfOAa.exe
  2⤵
  PID:11064
- C:\Windows\System\LvxNQzh.exe
  C:\Windows\System\LvxNQzh.exe
  2⤵
  PID:11160
- C:\Windows\System\uYXSQJo.exe
  C:\Windows\System\uYXSQJo.exe
  2⤵
  PID:10288
- C:\Windows\System\EZihtqE.exe
  C:\Windows\System\EZihtqE.exe
  2⤵
  PID:10420
- C:\Windows\System\rHGwXGb.exe
  C:\Windows\System\rHGwXGb.exe
  2⤵
  PID:11060
- C:\Windows\System\YrldIBB.exe
  C:\Windows\System\YrldIBB.exe
  2⤵
  PID:11260
- C:\Windows\System\UYdNVgN.exe
  C:\Windows\System\UYdNVgN.exe
  2⤵
  PID:11280
- C:\Windows\System\SxKmCxt.exe
  C:\Windows\System\SxKmCxt.exe
  2⤵
  PID:11320
- C:\Windows\System\gJXCFtB.exe
  C:\Windows\System\gJXCFtB.exe
  2⤵
  PID:11364
- C:\Windows\System\MQOWvXf.exe
  C:\Windows\System\MQOWvXf.exe
  2⤵
  PID:11392
- C:\Windows\System\xaaXsLx.exe
  C:\Windows\System\xaaXsLx.exe
  2⤵
  PID:11412
- C:\Windows\System\owKecpU.exe
  C:\Windows\System\owKecpU.exe
  2⤵
  PID:11436
- C:\Windows\System\twBMmSh.exe
  C:\Windows\System\twBMmSh.exe
  2⤵
  PID:11460
- C:\Windows\System\cDqeXNd.exe
  C:\Windows\System\cDqeXNd.exe
  2⤵
  PID:11480
- C:\Windows\System\SXqELbc.exe
  C:\Windows\System\SXqELbc.exe
  2⤵
  PID:11500
- C:\Windows\System\RkZlIWC.exe
  C:\Windows\System\RkZlIWC.exe
  2⤵
  PID:11544
- C:\Windows\System\nKZucjP.exe
  C:\Windows\System\nKZucjP.exe
  2⤵
  PID:11568
- C:\Windows\System\aKqiDgf.exe
  C:\Windows\System\aKqiDgf.exe
  2⤵
  PID:11588
- C:\Windows\System\WGvCFrR.exe
  C:\Windows\System\WGvCFrR.exe
  2⤵
  PID:11612
- C:\Windows\System\qSRBCXq.exe
  C:\Windows\System\qSRBCXq.exe
  2⤵
  PID:11652
- C:\Windows\System\EwkdYUN.exe
  C:\Windows\System\EwkdYUN.exe
  2⤵
  PID:11672
- C:\Windows\System\MXhqwkr.exe
  C:\Windows\System\MXhqwkr.exe
  2⤵
  PID:11708
- C:\Windows\System\PLXVTfI.exe
  C:\Windows\System\PLXVTfI.exe
  2⤵
  PID:11724
- C:\Windows\System\kUegNWJ.exe
  C:\Windows\System\kUegNWJ.exe
  2⤵
  PID:11748
- C:\Windows\System\roTocDu.exe
  C:\Windows\System\roTocDu.exe
  2⤵
  PID:11772
- C:\Windows\System\xmZfZNt.exe
  C:\Windows\System\xmZfZNt.exe
  2⤵
  PID:11796
- C:\Windows\System\BHVIYDM.exe
  C:\Windows\System\BHVIYDM.exe
  2⤵
  PID:11816
- C:\Windows\System\QaQgsqg.exe
  C:\Windows\System\QaQgsqg.exe
  2⤵
  PID:11832
- C:\Windows\System\ddGgXjk.exe
  C:\Windows\System\ddGgXjk.exe
  2⤵
  PID:11880
- C:\Windows\System\lYDzlgG.exe
  C:\Windows\System\lYDzlgG.exe
  2⤵
  PID:11940
- C:\Windows\System\PGQVKlA.exe
  C:\Windows\System\PGQVKlA.exe
  2⤵
  PID:11976
- C:\Windows\System\uSXdGjs.exe
  C:\Windows\System\uSXdGjs.exe
  2⤵
  PID:12008
- C:\Windows\System\MefObhi.exe
  C:\Windows\System\MefObhi.exe
  2⤵
  PID:12036
- C:\Windows\System\SVuVaLV.exe
  C:\Windows\System\SVuVaLV.exe
  2⤵
  PID:12056
- C:\Windows\System\SsNGbhx.exe
  C:\Windows\System\SsNGbhx.exe
  2⤵
  PID:12072
- C:\Windows\System\uFLzBxd.exe
  C:\Windows\System\uFLzBxd.exe
  2⤵
  PID:12108
- C:\Windows\System\vmCrFjd.exe
  C:\Windows\System\vmCrFjd.exe
  2⤵
  PID:12148
- C:\Windows\System\SxXCHNY.exe
  C:\Windows\System\SxXCHNY.exe
  2⤵
  PID:12188
- C:\Windows\System\ZUEUpDG.exe
  C:\Windows\System\ZUEUpDG.exe
  2⤵
  PID:12216
- C:\Windows\System\IynMXYD.exe
  C:\Windows\System\IynMXYD.exe
  2⤵
  PID:12244
- C:\Windows\System\jIBiJlF.exe
  C:\Windows\System\jIBiJlF.exe
  2⤵
  PID:12260
- C:\Windows\System\UZttDnw.exe
  C:\Windows\System\UZttDnw.exe
  2⤵
  PID:11008
- C:\Windows\System\wTQvRth.exe
  C:\Windows\System\wTQvRth.exe
  2⤵
  PID:10632
- C:\Windows\System\KrWkJAI.exe
  C:\Windows\System\KrWkJAI.exe
  2⤵
  PID:11316
- C:\Windows\System\qWnPbEC.exe
  C:\Windows\System\qWnPbEC.exe
  2⤵
  PID:11380
- C:\Windows\System\hJlsjcG.exe
  C:\Windows\System\hJlsjcG.exe
  2⤵
  PID:11468
- C:\Windows\System\yrNzDbM.exe
  C:\Windows\System\yrNzDbM.exe
  2⤵
  PID:11524
- C:\Windows\System\kYIUrhf.exe
  C:\Windows\System\kYIUrhf.exe
  2⤵
  PID:11552
- C:\Windows\System\HylLXdT.exe
  C:\Windows\System\HylLXdT.exe
  2⤵
  PID:11632
- C:\Windows\System\YMvgjgo.exe
  C:\Windows\System\YMvgjgo.exe
  2⤵
  PID:11664
- C:\Windows\System\EValEaC.exe
  C:\Windows\System\EValEaC.exe
  2⤵
  PID:3604
- C:\Windows\System\McUUtaM.exe
  C:\Windows\System\McUUtaM.exe
  2⤵
  PID:11780
- C:\Windows\System\FAXhSXn.exe
  C:\Windows\System\FAXhSXn.exe
  2⤵
  PID:11828
- C:\Windows\System\GeBswDQ.exe
  C:\Windows\System\GeBswDQ.exe
  2⤵
  PID:11892
- C:\Windows\System\DWxlQKJ.exe
  C:\Windows\System\DWxlQKJ.exe
  2⤵
  PID:11932
- C:\Windows\System\fdfSiyH.exe
  C:\Windows\System\fdfSiyH.exe
  2⤵
  PID:11988
- C:\Windows\System\lRZnqmu.exe
  C:\Windows\System\lRZnqmu.exe
  2⤵
  PID:12052
- C:\Windows\System\FkxCHvT.exe
  C:\Windows\System\FkxCHvT.exe
  2⤵
  PID:12184
- C:\Windows\System\lHbIVLQ.exe
  C:\Windows\System\lHbIVLQ.exe
  2⤵
  PID:12228
- C:\Windows\System\yMDPTsh.exe
  C:\Windows\System\yMDPTsh.exe
  2⤵
  PID:10256
- C:\Windows\System\VpOqjVX.exe
  C:\Windows\System\VpOqjVX.exe
  2⤵
  PID:11376
- C:\Windows\System\LTuaFpW.exe
  C:\Windows\System\LTuaFpW.exe
  2⤵
  PID:11428
- C:\Windows\System\DRMRUxt.exe
  C:\Windows\System\DRMRUxt.exe
  2⤵
  PID:11668
- C:\Windows\System\LEKjdyW.exe
  C:\Windows\System\LEKjdyW.exe
  2⤵
  PID:3028
- C:\Windows\System\wSwojLM.exe
  C:\Windows\System\wSwojLM.exe
  2⤵
  PID:11812
- C:\Windows\System\XCbcjjH.exe
  C:\Windows\System\XCbcjjH.exe
  2⤵
  PID:11872
- C:\Windows\System\GwczqCJ.exe
  C:\Windows\System\GwczqCJ.exe
  2⤵
  PID:12000
- C:\Windows\System\ajVLnkG.exe
  C:\Windows\System\ajVLnkG.exe
  2⤵
  PID:12160
- C:\Windows\System\yVSSfLM.exe
  C:\Windows\System\yVSSfLM.exe
  2⤵
  PID:12140
- C:\Windows\System\mZLKrHf.exe
  C:\Windows\System\mZLKrHf.exe
  2⤵
  PID:11476
- C:\Windows\System\eZRsiGX.exe
  C:\Windows\System\eZRsiGX.exe
  2⤵
  PID:11744
- C:\Windows\System\VlokcVD.exe
  C:\Windows\System\VlokcVD.exe
  2⤵
  PID:12232
- C:\Windows\System\OvFdFfD.exe
  C:\Windows\System\OvFdFfD.exe
  2⤵
  PID:11720
- C:\Windows\System\mbMxuum.exe
  C:\Windows\System\mbMxuum.exe
  2⤵
  PID:12312
- C:\Windows\System\hScudhE.exe
  C:\Windows\System\hScudhE.exe
  2⤵
  PID:12348
- C:\Windows\System\DJRZWkq.exe
  C:\Windows\System\DJRZWkq.exe
  2⤵
  PID:12368
- C:\Windows\System\udfXpTk.exe
  C:\Windows\System\udfXpTk.exe
  2⤵
  PID:12388
- C:\Windows\System\GMGDFqg.exe
  C:\Windows\System\GMGDFqg.exe
  2⤵
  PID:12456
- C:\Windows\System\hOFCPkN.exe
  C:\Windows\System\hOFCPkN.exe
  2⤵
  PID:12480
- C:\Windows\System\dpBNWku.exe
  C:\Windows\System\dpBNWku.exe
  2⤵
  PID:12500
- C:\Windows\System\oLcgqpj.exe
  C:\Windows\System\oLcgqpj.exe
  2⤵
  PID:12524
- C:\Windows\System\jzjvAAZ.exe
  C:\Windows\System\jzjvAAZ.exe
  2⤵
  PID:12544
- C:\Windows\System\LCzzNah.exe
  C:\Windows\System\LCzzNah.exe
  2⤵
  PID:12584
- C:\Windows\System\bSBnkSh.exe
  C:\Windows\System\bSBnkSh.exe
  2⤵
  PID:12624
- C:\Windows\System\KnAsgPf.exe
  C:\Windows\System\KnAsgPf.exe
  2⤵
  PID:12644
- C:\Windows\System\vHOZUCP.exe
  C:\Windows\System\vHOZUCP.exe
  2⤵
  PID:12668
- C:\Windows\System\aDwkwjL.exe
  C:\Windows\System\aDwkwjL.exe
  2⤵
  PID:12688
- C:\Windows\System\PuKINnR.exe
  C:\Windows\System\PuKINnR.exe
  2⤵
  PID:12712
- C:\Windows\System\FLfwOpr.exe
  C:\Windows\System\FLfwOpr.exe
  2⤵
  PID:12728
- C:\Windows\System\gmCwWvf.exe
  C:\Windows\System\gmCwWvf.exe
  2⤵
  PID:12804
- C:\Windows\System\BVRRaiR.exe
  C:\Windows\System\BVRRaiR.exe
  2⤵
  PID:12824
- C:\Windows\System\gytXvaE.exe
  C:\Windows\System\gytXvaE.exe
  2⤵
  PID:12852

Network

DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.111.133
GET

https://raw.githubusercontent.com/

powershell.exe

Remote address:

185.199.108.133:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 301 Moved Permanently

Connection: keep-alive
Content-Length: 0
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Location: https://github.com/
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 74AE:3BC5F2:6834D6:809D26:663D363D
Accept-Ranges: bytes
Date: Thu, 09 May 2024 21:38:36 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600084-LCY
X-Cache: HIT
X-Cache-Hits: 1
X-Timer: S1715290717.970827,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: b4a7effeabab86e0165ca25fb07a853ec5959460
Expires: Thu, 09 May 2024 21:43:36 GMT
Source-Age: 3102
DNS

github.com

powershell.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
GET

https://github.com/

powershell.exe

Remote address:

20.26.156.215:443

Request

GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Server: GitHub.com
Date: Thu, 09 May 2024 21:38:30 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Language, Accept-Encoding, Accept, X-Requested-With
content-language: en-US
ETag: W/"74b084ebf38665de115ffa62378f5f48"
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com/v1/engines/copilot-codex/completions *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com github.githubassets.com edge.fullstory.com rs.fullstory.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
Set-Cookie: _gh_sess=nTXmC%2FhM6KHIYsP9IjAtV2QeX%2FFGKK765aVhIV7x4KiuHXnBP8NT18X3xCcZXDZpTL8ExTUZiv0qzqQV%2FQxmHbMt4pPlf0IOehte2BHkRcVP6G%2Bp4526C%2Bbj1Uc9SeluX3BP%2BikcPh9zlGHDBOpLwOcCOXMXxonl2lEICEKogDyx5ZLg6Bw%2BUNHl%2FT%2Bgs0jyiOk8wi9MZ%2BQTm%2F%2B1X5IuNQCb1ywkcZMOqIgTD0q3jOa31s39EQoQmHSWAOKBhk9g2l1ls3TG8EcTLUw4xJhCpg%3D%3D--6RKqB%2FopvMSZ%2FDCY--k938ugQvx%2B5VGMlOnoLcUw%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.1608478055.1715290717; Path=/; Domain=github.com; Expires=Fri, 09 May 2025 21:38:37 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Fri, 09 May 2025 21:38:37 GMT; HttpOnly; Secure; SameSite=Lax
Accept-Ranges: bytes
Transfer-Encoding: chunked
X-GitHub-Request-Id: CAB0:170BAE:2EEE7D6:329321E:663D425D
DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

133.108.199.185.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.108.199.185.in-addr.arpa

IN PTR

Response

133.108.199.185.in-addr.arpa

IN PTR

cdn-185-199-108-133githubcom
DNS

215.156.26.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

215.156.26.20.in-addr.arpa

IN PTR

Response
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ZWKfFfByGQ0aAhVYxMQcLTVUCUx6bLkZJpRHf4Gjx1DlEQKqyhCqn3XiMVt_OWzDRX6owgN_UDBSDWx8AuGnryPTyQ6Kjjw_WsnZRdPopomhPWyN9lL6gNuH2p5eBDGn7uzaGFESZAd61OULW6vfunUS3TDg1vP45vDoC8FlspZNGg3D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5ff24b92b12a15f5ee1c2da9d19fef97&TIME=20240508T112435Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ZWKfFfByGQ0aAhVYxMQcLTVUCUx6bLkZJpRHf4Gjx1DlEQKqyhCqn3XiMVt_OWzDRX6owgN_UDBSDWx8AuGnryPTyQ6Kjjw_WsnZRdPopomhPWyN9lL6gNuH2p5eBDGn7uzaGFESZAd61OULW6vfunUS3TDg1vP45vDoC8FlspZNGg3D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5ff24b92b12a15f5ee1c2da9d19fef97&TIME=20240508T112435Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=09E27D95E3466E922C4169EFE2A66FCC; domain=.bing.com; expires=Tue, 03-Jun-2025 21:38:59 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 38F3342A764A465EB9C015E772DF029F Ref B: LON04EDGE1106 Ref C: 2024-05-09T21:38:59Z
date: Thu, 09 May 2024 21:38:58 GMT
GET

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ZWKfFfByGQ0aAhVYxMQcLTVUCUx6bLkZJpRHf4Gjx1DlEQKqyhCqn3XiMVt_OWzDRX6owgN_UDBSDWx8AuGnryPTyQ6Kjjw_WsnZRdPopomhPWyN9lL6gNuH2p5eBDGn7uzaGFESZAd61OULW6vfunUS3TDg1vP45vDoC8FlspZNGg3D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5ff24b92b12a15f5ee1c2da9d19fef97&TIME=20240508T112435Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ZWKfFfByGQ0aAhVYxMQcLTVUCUx6bLkZJpRHf4Gjx1DlEQKqyhCqn3XiMVt_OWzDRX6owgN_UDBSDWx8AuGnryPTyQ6Kjjw_WsnZRdPopomhPWyN9lL6gNuH2p5eBDGn7uzaGFESZAd61OULW6vfunUS3TDg1vP45vDoC8FlspZNGg3D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5ff24b92b12a15f5ee1c2da9d19fef97&TIME=20240508T112435Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=09E27D95E3466E922C4169EFE2A66FCC; _EDGE_S=SID=3F10471D643769C1200A536765E568D2

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=HXP_AaANstE05Yh1IZqpq2w7jIDvSzzo7CaNg6WZATo; domain=.bing.com; expires=Tue, 03-Jun-2025 21:38:59 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E7FAD8F69677448B82479E1293BFFB4B Ref B: LON04EDGE1106 Ref C: 2024-05-09T21:38:59Z
date: Thu, 09 May 2024 21:38:59 GMT
DNS

14.160.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

14.160.190.20.in-addr.arpa

IN PTR

Response
DNS

216.183.117.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

216.183.117.104.in-addr.arpa

IN PTR

Response

216.183.117.104.in-addr.arpa

IN PTR

a104-117-183-216deploystaticakamaitechnologiescom
GET

https://www.bing.com/aes/c.gif?RG=5a6d7e1f932b47c1875f2a9cc12447b4&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112435Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

Remote address:

2.17.196.96:443

Request

GET /aes/c.gif?RG=5a6d7e1f932b47c1875f2a9cc12447b4&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112435Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981 HTTP/2.0
host: www.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=09E27D95E3466E922C4169EFE2A66FCC

Response

HTTP/2.0 200

cache-control: private,no-store
pragma: no-cache
vary: Origin
p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 4F3E41A2BC574FE2BAF414419CF55776 Ref B: FRAEDGE1220 Ref C: 2024-05-09T21:38:59Z
content-length: 0
date: Thu, 09 May 2024 21:38:59 GMT
set-cookie: _EDGE_S=SID=3F10471D643769C1200A536765E568D2; path=/; httponly; domain=bing.com
set-cookie: MUIDB=09E27D95E3466E922C4169EFE2A66FCC; path=/; httponly; expires=Tue, 03-Jun-2025 21:38:59 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5cc41102.1715290739.3122d547
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

88.156.103.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.156.103.20.in-addr.arpa

IN PTR

Response
DNS

96.196.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

96.196.17.2.in-addr.arpa

IN PTR

Response

96.196.17.2.in-addr.arpa

IN PTR

a2-17-196-96deploystaticakamaitechnologiescom
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

2.17.196.96:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=09E27D95E3466E922C4169EFE2A66FCC; _EDGE_S=SID=3F10471D643769C1200A536765E568D2; MSPTC=HXP_AaANstE05Yh1IZqpq2w7jIDvSzzo7CaNg6WZATo; MUIDB=09E27D95E3466E922C4169EFE2A66FCC
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Thu, 09 May 2024 21:39:00 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.5cc41102.1715290740.3122dc8e
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

171.39.242.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

171.39.242.20.in-addr.arpa

IN PTR

Response
DNS

17.14.97.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

17.14.97.104.in-addr.arpa

IN PTR

Response

17.14.97.104.in-addr.arpa

IN PTR

a104-97-14-17deploystaticakamaitechnologiescom
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response

3.120.98.217:8080

2bd408f3551d1cf6a5ffcec07be9b8a5_JaffaCakes118.exe

260 B
5
185.199.108.133:443

https://raw.githubusercontent.com/

tls, http

powershell.exe

835 B
5.0kB
8
9

HTTP Request

GET https://raw.githubusercontent.com/

HTTP Response

301
20.26.156.215:443

https://github.com/

tls, http

powershell.exe

5.0kB
250.4kB
99
185

HTTP Request

GET https://github.com/

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ZWKfFfByGQ0aAhVYxMQcLTVUCUx6bLkZJpRHf4Gjx1DlEQKqyhCqn3XiMVt_OWzDRX6owgN_UDBSDWx8AuGnryPTyQ6Kjjw_WsnZRdPopomhPWyN9lL6gNuH2p5eBDGn7uzaGFESZAd61OULW6vfunUS3TDg1vP45vDoC8FlspZNGg3D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5ff24b92b12a15f5ee1c2da9d19fef97&TIME=20240508T112435Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

tls, http2

2.5kB
9.1kB
20
18

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ZWKfFfByGQ0aAhVYxMQcLTVUCUx6bLkZJpRHf4Gjx1DlEQKqyhCqn3XiMVt_OWzDRX6owgN_UDBSDWx8AuGnryPTyQ6Kjjw_WsnZRdPopomhPWyN9lL6gNuH2p5eBDGn7uzaGFESZAd61OULW6vfunUS3TDg1vP45vDoC8FlspZNGg3D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5ff24b92b12a15f5ee1c2da9d19fef97&TIME=20240508T112435Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8ZWKfFfByGQ0aAhVYxMQcLTVUCUx6bLkZJpRHf4Gjx1DlEQKqyhCqn3XiMVt_OWzDRX6owgN_UDBSDWx8AuGnryPTyQ6Kjjw_WsnZRdPopomhPWyN9lL6gNuH2p5eBDGn7uzaGFESZAd61OULW6vfunUS3TDg1vP45vDoC8FlspZNGg3D%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D5ff24b92b12a15f5ee1c2da9d19fef97&TIME=20240508T112435Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981&muid=F93159F48ABC3E2BDF7350B998F17BEB

HTTP Response

204
2.17.196.96:443

https://www.bing.com/aes/c.gif?RG=5a6d7e1f932b47c1875f2a9cc12447b4&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112435Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

tls, http2

1.4kB
5.3kB
16
10

HTTP Request

GET https://www.bing.com/aes/c.gif?RG=5a6d7e1f932b47c1875f2a9cc12447b4&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240508T112435Z&adUnitId=11730597&localId=w:F93159F4-8ABC-3E2B-DF73-50B998F17BEB&deviceId=6825829378917981

HTTP Response

200
2.17.196.96:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.6kB
6.3kB
16
11

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200

8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.109.133

185.199.110.133

185.199.111.133
8.8.8.8:53

github.com

dns

powershell.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

133.108.199.185.in-addr.arpa

dns

74 B
118 B
1
1

DNS Request

133.108.199.185.in-addr.arpa
8.8.8.8:53

215.156.26.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

215.156.26.20.in-addr.arpa
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

14.160.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

14.160.190.20.in-addr.arpa
8.8.8.8:53

216.183.117.104.in-addr.arpa

dns

74 B
141 B
1
1

DNS Request

216.183.117.104.in-addr.arpa
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

88.156.103.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

88.156.103.20.in-addr.arpa
8.8.8.8:53

96.196.17.2.in-addr.arpa

dns

70 B
133 B
1
1

DNS Request

96.196.17.2.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

171.39.242.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

171.39.242.20.in-addr.arpa
8.8.8.8:53

17.14.97.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

17.14.97.104.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nmv4mych.cmc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AXYYzKi.exe

Filesize
1.7MB

MD5
bcde9b4cd694b9de29569baf2a14374a

SHA1
a3132a108fbbf1977076856b79505e006d706d0e

SHA256
e17a83a801773a4432562412b293422114002742bb90c176205e5818f43dbec7

SHA512
29aabae909e486905b520abf7a709ba261cca17f77a6105cb32c8837fe4a2e38a6f050a41f3c0e89bd97590ba113871ed5ef7644fc0efbb2d5fc8f7847ae0469

Download Submit
C:\Windows\System\AbQGgfo.exe

Filesize
1.7MB

MD5
0d00183b81a1d33d5c62aad0efc316d0

SHA1
3f9ada58a193523c6574f965be76452cc66a1fb9

SHA256
c20ad63e8cd3a6fac7dab7718548148a01025a868a5061d1f3579eb256b2e150

SHA512
b45bfeb0e704677c60cb85059d1deffaaa08a5248988f789ea80278899d6f98fd6247f9071e32359f75bb432b8fd32200bc1b0a494fa66559935cd7afddaa83d

Download Submit
C:\Windows\System\CdJpKxy.exe

Filesize
1.7MB

MD5
f8118aeac67526766dcc1d008714904e

SHA1
dafc4ef2e1e918794eb9072ac73480466b3c065d

SHA256
bbf3c1cfd50af386470f2de53fcf36d8272e3fc50a17d0b40fe9e6ab18e51548

SHA512
749db5a60de4d087b171096492fd056d4911d09ba866f3e89ebf5bcdadc1a7893a790742a86f4173c26947d64c45e95cbc878b437b65d03f7e731ab99e3bfd31

Download Submit
C:\Windows\System\CpzljVk.exe

Filesize
1.7MB

MD5
2f552e6751ddcb0e56e75d4fffe4075a

SHA1
814699e5c3066ba82dfc227aaa4d6d47cb43416a

SHA256
5f3d25d5443871afaf998d6032deebb942edd63c7bdea23d2569150c35e83784

SHA512
e9c719553c9c9fc50279158d9c3d9f91e57a7aefe7b68ff62585d99afafda5646c3c40343352979107cd0801959826649d00010bc58c2c867942b52dfc20c3dc

Download Submit
C:\Windows\System\FnhNcTQ.exe

Filesize
1.7MB

MD5
9dbb00293a3aeb4781738b6c890b720c

SHA1
62cb8bcae33ea54bd41b275de4b2cc1ac61fd39f

SHA256
33cee0bd86e1162e355428c658553c10af05aaa6e13d7bcbc231349465ec20de

SHA512
6b77b102cdc3cf8c0b9f98d8a26b04c3d3152701daaa3df2bef528b083219207e0598eae8ee54f15044d38421873c6aff25b0b668c13adf85b6c5e33ee96f6a0

Download Submit
C:\Windows\System\GbCyKSw.exe

Filesize
1.7MB

MD5
5e921a941f84ec71a3eda7bdd8853d0f

SHA1
0dfc673489ea81a54ef37ebad949b060e7aa8166

SHA256
4ba27606495a74739c70facb82fe4af38feef27fe53d6408fa0b2809e87e867a

SHA512
77c2d2d3b86f0e3cfd2e972706edafe167e84da8e9a5027ec69725b8e1ce9f8af4f6e5ac4da4e55f4d874b0149f35a3076f6f5978e3c856e77da86fdfe00fa04

Download Submit
C:\Windows\System\HKKEqBp.exe

Filesize
1.7MB

MD5
c588e414ded55b2329fc41c315c97f78

SHA1
72a8b43c25f06ef4d3d15641d38e1b9b3da1d581

SHA256
b08632ad8b53d801c9464bba51a7710d27dfdb9280ae33077b5d0af82e7a0ca5

SHA512
bba26cb4a9206bac0c87d3b2585c76c6497e24a1af8c372b50dcb094255b9aec26e18edb185a02e2025439f37663376ec6f87379abc76eb9ebd9aacdd944ca78

Download Submit
C:\Windows\System\KvplWlG.exe

Filesize
1.7MB

MD5
92a2d130e4ce29653e76f3162cd658f2

SHA1
17d8a0c9282c14ec5ac172645f5e406860b77ce8

SHA256
0481610e418e4350dd8ddc42014d96e6eefa2c6fc5a5dc03adb81fefcead4938

SHA512
2996dd5133f39190f0854e018956556d893d0310a4760095149a651bef6ea5a0f1536dff8bde7b628e82ed5f6d1126fb09e06a2b1cd13154e827e113fd763594

Download Submit
C:\Windows\System\NfVmbed.exe

Filesize
1.7MB

MD5
bae52e622d51871a1d760c8127281904

SHA1
0da0d0bffc289983f3a1ad19ddb020e792a726de

SHA256
1a53b92c68cbfa647d9d67ac88104730c618a13b55fdf8692bd50f2735a663ed

SHA512
2f83dce6d861bace66a40dfc2bb5f6e7ab057226d14856b3353654e9684d4dece36cf7a3c7fbf84b688ea22a0383a5085de8e7e753dbcfdfd8001397ecd3a234

Download Submit
C:\Windows\System\PruFKWw.exe

Filesize
1.7MB

MD5
dcf26ff8fcfccaffa7eba5b1bfa7ad5d

SHA1
df6c66f079c8183656939e055fe39bda9785dbd2

SHA256
5d30485ebf20f8487dbd0577d990df9f311c8451b51c019eb0a0486cfbc70fcc

SHA512
126d79a464c8af0365bd8e2d1ac03b96c7cff0df4fb443490fe7aec30865e0253875bbb3051203d72817a06ffaaea9627f52f89870274bcf2463c5c1ff7bd139

Download Submit
C:\Windows\System\RzTNdTH.exe

Filesize
1.7MB

MD5
7781c6f6271dab3263f8d087203d9592

SHA1
38be796b3b2baddf9dfc97e5b5c82592778c6ee3

SHA256
661ee5a88e755299742e297c32f6bc852fc044f2e3497594b30f04fcef9b4cfd

SHA512
dfd51d69ceb3ec3e782a736896f47a73fa0b2456888cb536b79a053a65c1951c593e7aa35ae6d492f96432c30f85408c12fbd1ccbb1d0193ba23da7d2845f8f9

Download Submit
C:\Windows\System\TMvYVJm.exe

Filesize
1.7MB

MD5
26ab625139db3dfb286558c5ee6b8fd1

SHA1
cc689b82e6043f5b0db3103a145d4caa23ff64c8

SHA256
eefa041851ad3ff388fe14e938e4edcadd7b97eec83886144d42b27425dcd1f2

SHA512
fd52a481d3681d3f5f0d0d102f5f4b2a05291b66ffc3fb48e33b635cc66289af34ff5baa9fc5b52b79633fc510a4f2d715fb93a3810191a42d74e4bd43b8d250

Download Submit
C:\Windows\System\UJEuAoq.exe

Filesize
1.7MB

MD5
f17f6c16d954b3cee8120434743ecefc

SHA1
8be055fbaec34d451dfb83bb471db2ab3d61e05d

SHA256
ff4d3e3a9dd74e6b2c8d16ef28de5d7363a3e38425a6a4819f628b6458a2c9e5

SHA512
31cd62cc9a3d13a5f6add1cb074b2e0aa76b0d4cc1f3192f3c91c36192da39c5a3f9e8c52147827fe90e22e816308cbcf3471c602916d916ddb17c2d3724a91d

Download Submit
C:\Windows\System\UxXRwOK.exe

Filesize
1.7MB

MD5
3202d98cf57bb0790fb4662c7e992329

SHA1
04c836269b14e72185cf735a477d9029f00db167

SHA256
1b5609f1ff0622fb0dcd7981a90f0deb6fa04b823ce64ebb12d328ebb8d13e69

SHA512
7531382fb2654f301b4f247576a78bc3e86450ca7fddc63312002ff973b3be390766bbdee482de392096097a757ba0c26f454d5c3c9356e6af365a2b7cad1015

Download Submit
C:\Windows\System\Vazywze.exe

Filesize
1.7MB

MD5
6c293607942799f74bacd458442515ed

SHA1
d5502a3c74c6906cf625c5b48ee1634dd9a01fb2

SHA256
0c7338eecc5a38fdfb071189a8810c654f2e95d097e164a420a5efa63f9c33bd

SHA512
c5a922a8a229157eb3a785e28f3f4a540b204360d7c33af706897d4d4178bd6daf09cb5de0a56ffd90db60ce002c3712bfd07cfc42927562add80cfb5ee09b7c

Download Submit
C:\Windows\System\WzfjDUE.exe

Filesize
1.7MB

MD5
e65660069de5016899d7d1c87c69a7e0

SHA1
a8b4da3770c031d33b2e5b6e3214c0160a1c386d

SHA256
a1b7eebbeebdb206fd0a4d4184050051c3bd1fc1e461660df41bf6681e9265f3

SHA512
f49badb6c85bf96939b162847885200df9c276a02a6958f0344979f195fd90b21a5c4778de5da1cc0a39ef90fe9d87038b7911ed13abb6a73069548236503f94

Download Submit
C:\Windows\System\XiIfcYs.exe

Filesize
1.7MB

MD5
07e55227efdf4088a8b0b2a35f080c2d

SHA1
8cbf504b1af6d7809aef8ba9817fd4312efc4fe5

SHA256
63128104d5f69316682a79de4030890cdb3bd68b6800031e278620899ab2cc4a

SHA512
1d3c27f194b4637ae742ac3873f4deef23393f8ccbafc79e3f3acd152a29ff352b2ccaef4ed7505761b65279affc9ad168e81277554c5c5db3d2b9beb7b830f0

Download Submit
C:\Windows\System\YFWhXWf.exe

Filesize
1.7MB

MD5
1ef5cf7a6f198b3fca06c9447990922e

SHA1
55bb04f4fb776e78ac43c0d5de9863e554d383b3

SHA256
643ba15df584be69bac363d4feeda1938bcf4bc1807d8cd2b65308dcfe42d039

SHA512
c14109bbaeaec338d04e3f30f3d31345c67ac86eca0c1331fad4f31050255d9f2ec29f37e9167d7547aca34ff0b0d1660226991f23100637da5e6a73a590b018

Download Submit
C:\Windows\System\cLWQQFv.exe

Filesize
1.7MB

MD5
e3491e7bfbec7fc780203c0f22c1525c

SHA1
78c4f70797740a1ab0861507e59b6fff6ccf3cc8

SHA256
91f1e77817d155aacbc7bded19f0705b433a57c23af3b94588fa70a6ffadb0a9

SHA512
4de03b52be092e40647f54a1e0ca8bc9961cc7a85277d99137662643a6f18403e5fedaa64f45d021b4c47a5e9c2f97356f7d2b1b37fdc427db341fbaa9bab2ce

Download Submit
C:\Windows\System\ddopcOv.exe

Filesize
1.7MB

MD5
50e6b675a97c472f71f3f917731dc612

SHA1
3c81a0488a51bc9b458c29eacc4bfdd7c5b4ff28

SHA256
10d2421f5482ef69f5364dd5a66ded9c8abe313f5cfee205ed3f93806926f0d3

SHA512
d892bddd087bb1a63d52684247ff586c64f42a967d1ab1317839ae1e186a87983d8afeaace751d4da96d50c830a45f8c5aa66dca10f5baee630923f827b32e30

Download Submit
C:\Windows\System\dxGnmqd.exe

Filesize
1.7MB

MD5
63d077c45146f06b531b0cf1bab799df

SHA1
f306b7a4610bd28b363d428b14c68aa5b6c56248

SHA256
a44bee7343104c1661d41f1a5faa80d993a89c77a05ae635da2428dbf97c79a8

SHA512
ea5d95d523ab48530fdffaca043b5a241346f75d012c5b71aa34deeb1e09f0b7f2059330e84ff4f6d6f1dcadae9f4a8d6587d6a799f9a50d016766bba84f98dc

Download Submit
C:\Windows\System\edGLxPF.exe

Filesize
1.7MB

MD5
3fbab7ac33c23c9b22ef280527adc89e

SHA1
05419863a6ec804efade9cd0f2eeb86cd7e5e11a

SHA256
f05930229d9095d6add9276338bed1d7796487ef274d826ebbd5c87b55c4dcef

SHA512
7ece2f8a47d0a378e9a0b243cefe3df307b9842cd6ede3ba9824bc4ba1cfeb54554c68c6d14d2e7d3730b5c33f75aab6ec751a56509c08aac848051f3af4a296

Download Submit
C:\Windows\System\faCvQzo.exe

Filesize
1.7MB

MD5
e5b63036fc7c56633e4c73e40b960294

SHA1
79477012b0164a6d86e7612e431865a049204a74

SHA256
1635c5f6fff5bf5b57c9ee4e5a661aff1db13918b90c205991ae5d08587051ac

SHA512
87a843d8e6bdf8913dd1c0cf36079775f7ae15a98ae6adf4b3292e74c9884f3ae8059d72d7fa0e8fb2a79f579ae46dbc70a3ff1561af7a6f139ce906a5933be7

Download Submit
C:\Windows\System\gmPRjtn.exe

Filesize
1.7MB

MD5
246402efdbb563da80010eb6f9af5564

SHA1
aabbb09d40b995040a9169e9d9e3f9d85dce7ca5

SHA256
2dc17d061b89dd662e8be4d25cf5f2fe1de8c1eb93d7db8bca1d4f83cfc76877

SHA512
a59316f9cd7fd6468feb62f02ae9d49ff958257a7e5b6cbab6636b89cb925855f1277e471055deec9326b3ea69f28f46e2407d8ff60a60dd055fa32c70e3b80f

Download Submit
C:\Windows\System\htznWYO.exe

Filesize
1.7MB

MD5
71b6146aba1e1138bb9662b0b73bbf28

SHA1
eb096990ad31c522a9475dd3c40bb6eb5683c499

SHA256
1bc4d1befd9bdfa6467feb0d4c6bfe73470f2d5d104444a473b65e7007396a5e

SHA512
7895bc8dcb3418acb728264967a95613632f87f91a8d37e41ca0e5f37778172e5ddf6cacacaee3a3d8b92a286b0325bd7da5e9e4dfd8186436b6bdc03d1a8833

Download Submit
C:\Windows\System\iTUWXOz.exe

Filesize
1.7MB

MD5
5c23de3fb8794e0f2123978d919c113a

SHA1
31c53cc1cbf2a783bc8c6b34dba329628b7c6154

SHA256
8c4b2f95887b7f91715d7d8321457643373c3d5f58a2839f9a45dc52bfe7928d

SHA512
c1f3371d40f0fafaed405cb5c5c34d8dbcdaa4c2daa9398099172cc0ad97c1cde7aae5f2f0ad644c2dbfea8ce93c325e2eac947e8d2279631aee7ab42be59776

Download Submit
C:\Windows\System\jZIKWlC.exe

Filesize
1.7MB

MD5
690a8819d29fa481966213b5398c7952

SHA1
ef90218178345fe1880c6d743ad102f8cdea555e

SHA256
6f8e1d394c7c8a592a5341ab24ec3ae845b14c41c38de9a05e60cebdec3e674b

SHA512
3d28be87023f8a5d3649e70737a971905315fed1f3189fb38dab25a7b1334b49952b114d0c9f22edd3ee9da623315a04453aca4992c3f69038690560fc468fd3

Download Submit
C:\Windows\System\kwFHSzy.exe

Filesize
1.7MB

MD5
1c35070ebc769ab7b72c3557ad52af70

SHA1
5d8d07c210d1284b73a06d28cf6354de49f9f6b7

SHA256
fa978047891af2900410bf3556a4db83eef0dd4c156a6c9ba32fabe1d0125f0e

SHA512
1f49a217a6ee257e6c2b346d091c183cd83203c452bc8992e109898b02d597d789600a719444158590843dc14066c55822c9e6c5cf1c72f98dfab218de89eee7

Download Submit
C:\Windows\System\sDglKOj.exe

Filesize
1.7MB

MD5
62b0b2d13208653108984c6178d87023

SHA1
7241298398e2ef1d52b17efc0e7fa2fb9466cf91

SHA256
d850658f01a97b890896a0073207f4f590d9e5e2df76287ea5d1eda4c6b9838e

SHA512
a75b33c2a9f31b9c6c5159e984b6e404a695e9628b40ae1ae054da8d80fd1baa3c35d5db5526d417a853503afdbd40e1c3faf1ad33105abc3c5ae9710c0ac2bb

Download Submit
C:\Windows\System\vBiWvDL.exe

Filesize
1.7MB

MD5
152b5d6d63b49bb66110b76aa0f7a321

SHA1
8c1a6f02a0bed21607bebd9d576a18576ee95edd

SHA256
44077aaee2ed240967b5d0ea4cd9253dd90cf9d8c180759d1255b1ec01172af6

SHA512
27195599adae7740140a806043f951dbc15ac7de6665e7b2f7fdf64dfb32782e137db321096d550750dea5ac8574578609c976a9d78a953a5c09069f775be703

Download Submit
C:\Windows\System\yRgvUQi.exe

Filesize
1.7MB

MD5
a4481ae726ca0aaea9e0fb8e0b8704e6

SHA1
57016c40ed4f717f81ed2f13b6bb035dd021373f

SHA256
6d2a5d5101cc5b73e7964c292b8636b66386a9f38dc9760f49a1807b3095147c

SHA512
7c10216a4fe178b936860ea10f6a99c5c22d83e91a7b4acca9068a7f3f3f21da5fc7307f932efbf3139c7c6d3c842fbd5a1880ce0dd63641956126957f62f6c8

Download Submit
C:\Windows\System\yWEFdOU.exe

Filesize
1.7MB

MD5
b98203696375df06afc31f85f1d85213

SHA1
8d7b1bdc2f59101858e1789d00a1df6749b14e3e

SHA256
932b307b9afe24ef0d3421cb7a36273d314a3a04993008d6e791be83afc67b39

SHA512
ad81f77c01537b1c21409d0d30f6c6301dc29c5ddacd26ac3e8a38d31566a58d6c5584f11afd70cff6cd1f7ef1d99d66d285d90f4e1a35b0781396fbf71a6fe2

Download Submit
C:\Windows\System\znTSCIY.exe

Filesize
1.7MB

MD5
ab0094ca83a55d8c270383b11b9578e1

SHA1
c0c3c3bc912f4079d715245050ee0fa2fd6033d2

SHA256
aed898149ef71aa42c8dfad11188832b66ac1ce87764e001142d31e297517d18

SHA512
79a1d3939ee6ae166820498d576d7cff97348c8110ab77653ad524c58aea36c92c821c6afe51838a19a6550284e88817662b2817fb9915851b29e81350541660

Download Submit
memory/512-472-0x00007FF68B930000-0x00007FF68BD22000-memory.dmp

Filesize
3.9MB

Download
memory/512-2010-0x00007FF68B930000-0x00007FF68BD22000-memory.dmp

Filesize
3.9MB

Download
memory/528-489-0x00007FF7D5C00000-0x00007FF7D5FF2000-memory.dmp

Filesize
3.9MB

Download
memory/528-2015-0x00007FF7D5C00000-0x00007FF7D5FF2000-memory.dmp

Filesize
3.9MB

Download
memory/692-2005-0x00007FF79FBB0000-0x00007FF79FFA2000-memory.dmp

Filesize
3.9MB

Download
memory/692-1998-0x00007FF79FBB0000-0x00007FF79FFA2000-memory.dmp

Filesize
3.9MB

Download
memory/692-11-0x00007FF79FBB0000-0x00007FF79FFA2000-memory.dmp

Filesize
3.9MB

Download
memory/1120-2012-0x00007FF744CC0000-0x00007FF7450B2000-memory.dmp

Filesize
3.9MB

Download
memory/1120-463-0x00007FF744CC0000-0x00007FF7450B2000-memory.dmp

Filesize
3.9MB

Download
memory/1448-594-0x00007FF72C430000-0x00007FF72C822000-memory.dmp

Filesize
3.9MB

Download
memory/1448-2041-0x00007FF72C430000-0x00007FF72C822000-memory.dmp

Filesize
3.9MB

Download
memory/1540-534-0x00007FF76F170000-0x00007FF76F562000-memory.dmp

Filesize
3.9MB

Download
memory/1540-2025-0x00007FF76F170000-0x00007FF76F562000-memory.dmp

Filesize
3.9MB

Download
memory/1552-2043-0x00007FF704F60000-0x00007FF705352000-memory.dmp

Filesize
3.9MB

Download
memory/1552-627-0x00007FF704F60000-0x00007FF705352000-memory.dmp

Filesize
3.9MB

Download
memory/2028-562-0x00007FF77F4C0000-0x00007FF77F8B2000-memory.dmp

Filesize
3.9MB

Download
memory/2028-2018-0x00007FF77F4C0000-0x00007FF77F8B2000-memory.dmp

Filesize
3.9MB

Download
memory/2104-630-0x00007FF6B41B0000-0x00007FF6B45A2000-memory.dmp

Filesize
3.9MB

Download
memory/2104-2055-0x00007FF6B41B0000-0x00007FF6B45A2000-memory.dmp

Filesize
3.9MB

Download
memory/2296-2020-0x00007FF7D5DD0000-0x00007FF7D61C2000-memory.dmp

Filesize
3.9MB

Download
memory/2296-558-0x00007FF7D5DD0000-0x00007FF7D61C2000-memory.dmp

Filesize
3.9MB

Download
memory/2500-805-0x00007FF78DD80000-0x00007FF78E172000-memory.dmp

Filesize
3.9MB

Download
memory/2500-2090-0x00007FF78DD80000-0x00007FF78E172000-memory.dmp

Filesize
3.9MB

Download
memory/2756-2037-0x00007FF6BE980000-0x00007FF6BED72000-memory.dmp

Filesize
3.9MB

Download
memory/2756-581-0x00007FF6BE980000-0x00007FF6BED72000-memory.dmp

Filesize
3.9MB

Download
memory/2788-512-0x00007FF6F74D0000-0x00007FF6F78C2000-memory.dmp

Filesize
3.9MB

Download
memory/2788-2030-0x00007FF6F74D0000-0x00007FF6F78C2000-memory.dmp

Filesize
3.9MB

Download
memory/2840-0-0x00007FF7C3B70000-0x00007FF7C3F62000-memory.dmp

Filesize
3.9MB

Download
memory/2840-1-0x0000024660BF0000-0x0000024660C00000-memory.dmp

Filesize
64KB

Download
memory/2928-2049-0x00007FF700FD0000-0x00007FF7013C2000-memory.dmp

Filesize
3.9MB

Download
memory/2928-620-0x00007FF700FD0000-0x00007FF7013C2000-memory.dmp

Filesize
3.9MB

Download
memory/3080-51-0x0000020CB6DC0000-0x0000020CB6DE2000-memory.dmp

Filesize
136KB

Download
memory/3080-453-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-2000-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-1997-0x00007FFD08013000-0x00007FFD08015000-memory.dmp

Filesize
8KB

Download
memory/3080-33-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-2135-0x00007FFD08010000-0x00007FFD08AD1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-6-0x00007FFD08013000-0x00007FFD08015000-memory.dmp

Filesize
8KB

Download
memory/3080-382-0x0000020CB7E20000-0x0000020CB85C6000-memory.dmp

Filesize
7.6MB

Download
memory/3188-811-0x00007FF78DD50000-0x00007FF78E142000-memory.dmp

Filesize
3.9MB

Download
memory/3188-2034-0x00007FF78DD50000-0x00007FF78E142000-memory.dmp

Filesize
3.9MB

Download
memory/3424-2027-0x00007FF730870000-0x00007FF730C62000-memory.dmp

Filesize
3.9MB

Download
memory/3424-525-0x00007FF730870000-0x00007FF730C62000-memory.dmp

Filesize
3.9MB

Download
memory/3528-41-0x00007FF716040000-0x00007FF716432000-memory.dmp

Filesize
3.9MB

Download
memory/3528-2007-0x00007FF716040000-0x00007FF716432000-memory.dmp

Filesize
3.9MB

Download
memory/3620-545-0x00007FF7698C0000-0x00007FF769CB2000-memory.dmp

Filesize
3.9MB

Download
memory/3620-2022-0x00007FF7698C0000-0x00007FF769CB2000-memory.dmp

Filesize
3.9MB

Download
memory/3972-2039-0x00007FF6A9ED0000-0x00007FF6AA2C2000-memory.dmp

Filesize
3.9MB

Download
memory/3972-587-0x00007FF6A9ED0000-0x00007FF6AA2C2000-memory.dmp

Filesize
3.9MB

Download
memory/4332-576-0x00007FF77A310000-0x00007FF77A702000-memory.dmp

Filesize
3.9MB

Download
memory/4332-2035-0x00007FF77A310000-0x00007FF77A702000-memory.dmp

Filesize
3.9MB

Download
memory/4392-2032-0x00007FF781000000-0x00007FF7813F2000-memory.dmp

Filesize
3.9MB

Download
memory/4392-814-0x00007FF781000000-0x00007FF7813F2000-memory.dmp

Filesize
3.9MB

Download
memory/4684-806-0x00007FF74CC20000-0x00007FF74D012000-memory.dmp

Filesize
3.9MB

Download
memory/4684-2013-0x00007FF74CC20000-0x00007FF74D012000-memory.dmp

Filesize
3.9MB

Download
memory/4996-700-0x00007FF649590000-0x00007FF649982000-memory.dmp

Filesize
3.9MB

Download
memory/4996-2054-0x00007FF649590000-0x00007FF649982000-memory.dmp

Filesize
3.9MB

Download
memory/5056-553-0x00007FF761BE0000-0x00007FF761FD2000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2024-0x00007FF761BE0000-0x00007FF761FD2000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.