xmrig | e23d8ca335d0451b7f5bb1dd082fbebc1cd1bdc081d9804dc6148118cfb744ba

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
Size

1.7MB
MD5

39d5bef7bd1d4018dc6f90446198936b
SHA1

1d545ba25fce7d24225aa33ce44a0c0294b0ddb0
SHA256

e23d8ca335d0451b7f5bb1dd082fbebc1cd1bdc081d9804dc6148118cfb744ba
SHA512

cc4fcf2f1a550c838438033708c23a76434cc93836ac4bab8949de9a068d8f9de675d09fcf4f1f7f6e282a9920d508139d128be3778c143591aebe8e328188fa
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWY1s38kQu12bPxvyuzaBgJ9pcFt0:Lz071uv4BPMkibTIA5I4TNrpDGgDQI

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4424-39-0x00007FF6980A0000-0x00007FF698492000-memory.dmp	xmrig
behavioral2/memory/2992-43-0x00007FF6C1E80000-0x00007FF6C2272000-memory.dmp	xmrig
behavioral2/memory/4548-76-0x00007FF72E830000-0x00007FF72EC22000-memory.dmp	xmrig
behavioral2/memory/4244-443-0x00007FF7F3F30000-0x00007FF7F4322000-memory.dmp	xmrig
behavioral2/memory/5088-442-0x00007FF7D3470000-0x00007FF7D3862000-memory.dmp	xmrig
behavioral2/memory/3480-451-0x00007FF68BA90000-0x00007FF68BE82000-memory.dmp	xmrig
behavioral2/memory/2700-454-0x00007FF6BDE60000-0x00007FF6BE252000-memory.dmp	xmrig
behavioral2/memory/3508-456-0x00007FF6478B0000-0x00007FF647CA2000-memory.dmp	xmrig
behavioral2/memory/3700-455-0x00007FF77E540000-0x00007FF77E932000-memory.dmp	xmrig
behavioral2/memory/2564-453-0x00007FF7A1FA0000-0x00007FF7A2392000-memory.dmp	xmrig
behavioral2/memory/1556-452-0x00007FF6F3970000-0x00007FF6F3D62000-memory.dmp	xmrig
behavioral2/memory/2340-450-0x00007FF7D7780000-0x00007FF7D7B72000-memory.dmp	xmrig
behavioral2/memory/3372-449-0x00007FF752CF0000-0x00007FF7530E2000-memory.dmp	xmrig
behavioral2/memory/4000-80-0x00007FF7DD600000-0x00007FF7DD9F2000-memory.dmp	xmrig
behavioral2/memory/2888-41-0x00007FF712200000-0x00007FF7125F2000-memory.dmp	xmrig
behavioral2/memory/3948-1986-0x00007FF755AC0000-0x00007FF755EB2000-memory.dmp	xmrig
behavioral2/memory/820-1993-0x00007FF7D3D40000-0x00007FF7D4132000-memory.dmp	xmrig
behavioral2/memory/2056-1996-0x00007FF6A7740000-0x00007FF6A7B32000-memory.dmp	xmrig
behavioral2/memory/764-2022-0x00007FF707D80000-0x00007FF708172000-memory.dmp	xmrig
behavioral2/memory/700-2023-0x00007FF687460000-0x00007FF687852000-memory.dmp	xmrig
behavioral2/memory/1332-2025-0x00007FF6842D0000-0x00007FF6846C2000-memory.dmp	xmrig
behavioral2/memory/392-2036-0x00007FF7C96F0000-0x00007FF7C9AE2000-memory.dmp	xmrig
behavioral2/memory/3664-2038-0x00007FF62D6C0000-0x00007FF62DAB2000-memory.dmp	xmrig
behavioral2/memory/1324-2040-0x00007FF686360000-0x00007FF686752000-memory.dmp	xmrig
behavioral2/memory/820-2042-0x00007FF7D3D40000-0x00007FF7D4132000-memory.dmp	xmrig
behavioral2/memory/4548-2045-0x00007FF72E830000-0x00007FF72EC22000-memory.dmp	xmrig
behavioral2/memory/4424-2046-0x00007FF6980A0000-0x00007FF698492000-memory.dmp	xmrig
behavioral2/memory/2888-2049-0x00007FF712200000-0x00007FF7125F2000-memory.dmp	xmrig
behavioral2/memory/4000-2050-0x00007FF7DD600000-0x00007FF7DD9F2000-memory.dmp	xmrig
behavioral2/memory/3948-2053-0x00007FF755AC0000-0x00007FF755EB2000-memory.dmp	xmrig
behavioral2/memory/2992-2054-0x00007FF6C1E80000-0x00007FF6C2272000-memory.dmp	xmrig
behavioral2/memory/1332-2060-0x00007FF6842D0000-0x00007FF6846C2000-memory.dmp	xmrig
behavioral2/memory/3480-2078-0x00007FF68BA90000-0x00007FF68BE82000-memory.dmp	xmrig
behavioral2/memory/1556-2080-0x00007FF6F3970000-0x00007FF6F3D62000-memory.dmp	xmrig
behavioral2/memory/2564-2082-0x00007FF7A1FA0000-0x00007FF7A2392000-memory.dmp	xmrig
behavioral2/memory/2340-2076-0x00007FF7D7780000-0x00007FF7D7B72000-memory.dmp	xmrig
behavioral2/memory/700-2074-0x00007FF687460000-0x00007FF687852000-memory.dmp	xmrig
behavioral2/memory/3372-2073-0x00007FF752CF0000-0x00007FF7530E2000-memory.dmp	xmrig
behavioral2/memory/392-2068-0x00007FF7C96F0000-0x00007FF7C9AE2000-memory.dmp	xmrig
behavioral2/memory/2056-2066-0x00007FF6A7740000-0x00007FF6A7B32000-memory.dmp	xmrig
behavioral2/memory/5088-2064-0x00007FF7D3470000-0x00007FF7D3862000-memory.dmp	xmrig
behavioral2/memory/3664-2063-0x00007FF62D6C0000-0x00007FF62DAB2000-memory.dmp	xmrig
behavioral2/memory/764-2070-0x00007FF707D80000-0x00007FF708172000-memory.dmp	xmrig
behavioral2/memory/4244-2057-0x00007FF7F3F30000-0x00007FF7F4322000-memory.dmp	xmrig
behavioral2/memory/1324-2059-0x00007FF686360000-0x00007FF686752000-memory.dmp	xmrig
behavioral2/memory/2700-2084-0x00007FF6BDE60000-0x00007FF6BE252000-memory.dmp	xmrig
behavioral2/memory/3700-2099-0x00007FF77E540000-0x00007FF77E932000-memory.dmp	xmrig
behavioral2/memory/3508-2097-0x00007FF6478B0000-0x00007FF647CA2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	5108	powershell.exe
9	5108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5108	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
820	UmZmaGo.exe
4424	JVUkWzb.exe
4548	rTlsxeS.exe
2888	vNLMxhR.exe
4000	KgxIqgf.exe
2992	GmdIKiN.exe
3948	JqWyrvK.exe
700	hkTWvkB.exe
2056	ONKcFeU.exe
764	nfnoNnC.exe
1332	BdEOehA.exe
392	YBMevIH.exe
3664	zyTuGzX.exe
1324	lSgTWyf.exe
5088	oRlDOrV.exe
4244	sfEIdRm.exe
3372	oXhaXhx.exe
2340	ZPtMMiz.exe
3480	WowiCxC.exe
1556	tODwOlG.exe
2564	RdJNJbO.exe
2700	fXiwSNz.exe
3700	VQxSzTd.exe
3508	AMIEGXT.exe
3088	ZWqpsLW.exe
2144	ZzHASxL.exe
2228	LbIpfFn.exe
3324	XPMFjJW.exe
1964	bASdtsV.exe
3120	dSfREqT.exe
4016	HZrVxvD.exe
4660	VUhPERt.exe
3908	AZRdWxo.exe
4488	uayMipk.exe
4916	RBoztie.exe
5056	CyGeQJB.exe
3408	vKBrGoa.exe
2012	qflFaMF.exe
4832	ZQudIJv.exe
3868	rbuswnL.exe
3680	pNiXHNh.exe
4368	WwhIxph.exe
5100	wWSKoYl.exe
3704	QuPYTLv.exe
3188	JdQldCp.exe
2192	XIJllTl.exe
2556	dZqprXA.exe
1036	IdznIEj.exe
2140	mPDGsiz.exe
2760	vWAUaLO.exe
3528	KJtvihk.exe
1404	Dppkjod.exe
2916	JVkJKGg.exe
1848	elzOKBo.exe
1836	NnkvLEF.exe
4240	bVTyFtO.exe
4960	rioLAWI.exe
2780	ZhHvRVg.exe
4256	uoUkEGi.exe
1664	CwkkYUD.exe
4160	KyktmyE.exe
2404	QaYsOVk.exe
1112	bqiQvFn.exe
5080	LAriEsA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1076-0-0x00007FF7E4760000-0x00007FF7E4B52000-memory.dmp	upx
behavioral2/files/0x000900000002347e-5.dat	upx
behavioral2/files/0x000700000002348d-12.dat	upx
behavioral2/files/0x000700000002348f-22.dat	upx
behavioral2/files/0x0007000000023492-34.dat	upx
behavioral2/memory/4424-39-0x00007FF6980A0000-0x00007FF698492000-memory.dmp	upx
behavioral2/memory/2992-43-0x00007FF6C1E80000-0x00007FF6C2272000-memory.dmp	upx
behavioral2/files/0x0007000000023497-63.dat	upx
behavioral2/memory/2056-70-0x00007FF6A7740000-0x00007FF6A7B32000-memory.dmp	upx
behavioral2/memory/4548-76-0x00007FF72E830000-0x00007FF72EC22000-memory.dmp	upx
behavioral2/files/0x0009000000023486-82.dat	upx
behavioral2/memory/392-88-0x00007FF7C96F0000-0x00007FF7C9AE2000-memory.dmp	upx
behavioral2/files/0x0007000000023499-103.dat	upx
behavioral2/files/0x000700000002349f-138.dat	upx
behavioral2/files/0x00070000000234a2-153.dat	upx
behavioral2/files/0x00070000000234a4-163.dat	upx
behavioral2/memory/4244-443-0x00007FF7F3F30000-0x00007FF7F4322000-memory.dmp	upx
behavioral2/memory/5088-442-0x00007FF7D3470000-0x00007FF7D3862000-memory.dmp	upx
behavioral2/memory/3480-451-0x00007FF68BA90000-0x00007FF68BE82000-memory.dmp	upx
behavioral2/memory/2700-454-0x00007FF6BDE60000-0x00007FF6BE252000-memory.dmp	upx
behavioral2/memory/3508-456-0x00007FF6478B0000-0x00007FF647CA2000-memory.dmp	upx
behavioral2/memory/3700-455-0x00007FF77E540000-0x00007FF77E932000-memory.dmp	upx
behavioral2/memory/2564-453-0x00007FF7A1FA0000-0x00007FF7A2392000-memory.dmp	upx
behavioral2/memory/1556-452-0x00007FF6F3970000-0x00007FF6F3D62000-memory.dmp	upx
behavioral2/memory/2340-450-0x00007FF7D7780000-0x00007FF7D7B72000-memory.dmp	upx
behavioral2/memory/3372-449-0x00007FF752CF0000-0x00007FF7530E2000-memory.dmp	upx
behavioral2/files/0x00070000000234ab-190.dat	upx
behavioral2/files/0x00070000000234a9-188.dat	upx
behavioral2/files/0x00070000000234aa-185.dat	upx
behavioral2/files/0x00070000000234a8-183.dat	upx
behavioral2/files/0x00070000000234a7-178.dat	upx
behavioral2/files/0x00070000000234a6-173.dat	upx
behavioral2/files/0x00070000000234a5-168.dat	upx
behavioral2/files/0x00070000000234a3-158.dat	upx
behavioral2/files/0x00070000000234a1-148.dat	upx
behavioral2/files/0x00070000000234a0-143.dat	upx
behavioral2/files/0x000700000002349e-133.dat	upx
behavioral2/files/0x000700000002349d-128.dat	upx
behavioral2/files/0x000700000002349c-123.dat	upx
behavioral2/files/0x000700000002349b-118.dat	upx
behavioral2/files/0x000700000002349a-113.dat	upx
behavioral2/files/0x0008000000023495-106.dat	upx
behavioral2/memory/1324-90-0x00007FF686360000-0x00007FF686752000-memory.dmp	upx
behavioral2/memory/3664-89-0x00007FF62D6C0000-0x00007FF62DAB2000-memory.dmp	upx
behavioral2/memory/1332-86-0x00007FF6842D0000-0x00007FF6846C2000-memory.dmp	upx
behavioral2/files/0x0008000000023496-85.dat	upx
behavioral2/memory/700-81-0x00007FF687460000-0x00007FF687852000-memory.dmp	upx
behavioral2/memory/4000-80-0x00007FF7DD600000-0x00007FF7DD9F2000-memory.dmp	upx
behavioral2/files/0x0007000000023498-79.dat	upx
behavioral2/files/0x0007000000023494-73.dat	upx
behavioral2/files/0x0007000000023493-72.dat	upx
behavioral2/memory/764-71-0x00007FF707D80000-0x00007FF708172000-memory.dmp	upx
behavioral2/memory/3948-66-0x00007FF755AC0000-0x00007FF755EB2000-memory.dmp	upx
behavioral2/memory/2888-41-0x00007FF712200000-0x00007FF7125F2000-memory.dmp	upx
behavioral2/files/0x0007000000023491-37.dat	upx
behavioral2/files/0x0007000000023490-36.dat	upx
behavioral2/files/0x000700000002348e-18.dat	upx
behavioral2/memory/820-6-0x00007FF7D3D40000-0x00007FF7D4132000-memory.dmp	upx
behavioral2/memory/3948-1986-0x00007FF755AC0000-0x00007FF755EB2000-memory.dmp	upx
behavioral2/memory/820-1993-0x00007FF7D3D40000-0x00007FF7D4132000-memory.dmp	upx
behavioral2/memory/2056-1996-0x00007FF6A7740000-0x00007FF6A7B32000-memory.dmp	upx
behavioral2/memory/764-2022-0x00007FF707D80000-0x00007FF708172000-memory.dmp	upx
behavioral2/memory/700-2023-0x00007FF687460000-0x00007FF687852000-memory.dmp	upx
behavioral2/memory/1332-2025-0x00007FF6842D0000-0x00007FF6846C2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\CIAUYkl.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\AzmSMPD.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\CgZiSCl.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\KKfFTxI.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\FqvTlGN.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\zzNqzei.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\WaRFRuP.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\NKvGkaS.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\ImJAEix.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\LwFXzhO.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\KJOnUjH.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\yGgsHfO.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\IfJrKHc.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\eXGnffX.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\PrEiIfg.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\SZILuGF.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\uqwfZdl.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\wghfrHj.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\THnEfAS.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\xwljrDA.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\qvTEJCw.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\oWKgpPD.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\NSUMcAn.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\JqWyrvK.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\PtPJiyC.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\rrYXGUf.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\pzIOTjj.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\wspnMrW.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\DglQZEj.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\CbENkrk.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\vNLMxhR.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\IjujuKM.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\eMpYsXX.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\djOCmMu.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\lKgIZyg.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\YTMDHdy.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\eggzWId.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\fIyzWdc.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\jcIWqnE.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\mEDTZet.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\NHKXNFH.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\doYxAGm.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\mSPDmgD.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\XNROSHF.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\xKPeNgj.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\XhtihsR.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\trMPcIr.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\AKLFkFs.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\DUDLjng.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\NnkvLEF.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\XhKwhOX.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\sJjydOc.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\POGfdwz.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\pAxDfPD.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\QhByeUv.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\KlYfeMz.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\sLXfDBR.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\cNXzALh.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\oAYdUWa.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\JTnuJxK.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\rySAeTj.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\jWPWRNA.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\UwtuqRO.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
File created	C:\Windows\System\fkRsONb.exe	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeLockMemoryPrivilege	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 5108	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	84
PID 1076 wrote to memory of 5108	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	84
PID 1076 wrote to memory of 820	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	85
PID 1076 wrote to memory of 820	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	85
PID 1076 wrote to memory of 4424	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	86
PID 1076 wrote to memory of 4424	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	86
PID 1076 wrote to memory of 4548	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	87
PID 1076 wrote to memory of 4548	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	87
PID 1076 wrote to memory of 2888	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	88
PID 1076 wrote to memory of 2888	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	88
PID 1076 wrote to memory of 4000	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	89
PID 1076 wrote to memory of 4000	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	89
PID 1076 wrote to memory of 2992	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	90
PID 1076 wrote to memory of 2992	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	90
PID 1076 wrote to memory of 3948	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	91
PID 1076 wrote to memory of 3948	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	91
PID 1076 wrote to memory of 700	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	92
PID 1076 wrote to memory of 700	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	92
PID 1076 wrote to memory of 2056	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	93
PID 1076 wrote to memory of 2056	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	93
PID 1076 wrote to memory of 764	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	94
PID 1076 wrote to memory of 764	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	94
PID 1076 wrote to memory of 1332	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	95
PID 1076 wrote to memory of 1332	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	95
PID 1076 wrote to memory of 392	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	96
PID 1076 wrote to memory of 392	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	96
PID 1076 wrote to memory of 3664	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	97
PID 1076 wrote to memory of 3664	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	97
PID 1076 wrote to memory of 1324	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	98
PID 1076 wrote to memory of 1324	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	98
PID 1076 wrote to memory of 5088	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	99
PID 1076 wrote to memory of 5088	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	99
PID 1076 wrote to memory of 4244	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	100
PID 1076 wrote to memory of 4244	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	100
PID 1076 wrote to memory of 3372	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	101
PID 1076 wrote to memory of 3372	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	101
PID 1076 wrote to memory of 2340	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	102
PID 1076 wrote to memory of 2340	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	102
PID 1076 wrote to memory of 3480	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	103
PID 1076 wrote to memory of 3480	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	103
PID 1076 wrote to memory of 1556	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	104
PID 1076 wrote to memory of 1556	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	104
PID 1076 wrote to memory of 2564	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	105
PID 1076 wrote to memory of 2564	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	105
PID 1076 wrote to memory of 2700	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	106
PID 1076 wrote to memory of 2700	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	106
PID 1076 wrote to memory of 3700	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	107
PID 1076 wrote to memory of 3700	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	107
PID 1076 wrote to memory of 3508	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	108
PID 1076 wrote to memory of 3508	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	108
PID 1076 wrote to memory of 3088	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	109
PID 1076 wrote to memory of 3088	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	109
PID 1076 wrote to memory of 2144	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	110
PID 1076 wrote to memory of 2144	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	110
PID 1076 wrote to memory of 2228	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	111
PID 1076 wrote to memory of 2228	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	111
PID 1076 wrote to memory of 3324	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	112
PID 1076 wrote to memory of 3324	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	112
PID 1076 wrote to memory of 1964	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	113
PID 1076 wrote to memory of 1964	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	113
PID 1076 wrote to memory of 3120	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	114
PID 1076 wrote to memory of 3120	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	114
PID 1076 wrote to memory of 4016	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	115
PID 1076 wrote to memory of 4016	1076	39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39d5bef7bd1d4018dc6f90446198936b_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5108" "2956" "2888" "2960" "0" "0" "2964" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4996
- C:\Windows\System\UmZmaGo.exe
  C:\Windows\System\UmZmaGo.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\JVUkWzb.exe
  C:\Windows\System\JVUkWzb.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\rTlsxeS.exe
  C:\Windows\System\rTlsxeS.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\vNLMxhR.exe
  C:\Windows\System\vNLMxhR.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\KgxIqgf.exe
  C:\Windows\System\KgxIqgf.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\GmdIKiN.exe
  C:\Windows\System\GmdIKiN.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\JqWyrvK.exe
  C:\Windows\System\JqWyrvK.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\hkTWvkB.exe
  C:\Windows\System\hkTWvkB.exe
  2⤵
  - Executes dropped EXE
  PID:700
- C:\Windows\System\ONKcFeU.exe
  C:\Windows\System\ONKcFeU.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\nfnoNnC.exe
  C:\Windows\System\nfnoNnC.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\BdEOehA.exe
  C:\Windows\System\BdEOehA.exe
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\System\YBMevIH.exe
  C:\Windows\System\YBMevIH.exe
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Windows\System\zyTuGzX.exe
  C:\Windows\System\zyTuGzX.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\lSgTWyf.exe
  C:\Windows\System\lSgTWyf.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\oRlDOrV.exe
  C:\Windows\System\oRlDOrV.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\sfEIdRm.exe
  C:\Windows\System\sfEIdRm.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\oXhaXhx.exe
  C:\Windows\System\oXhaXhx.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\ZPtMMiz.exe
  C:\Windows\System\ZPtMMiz.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\WowiCxC.exe
  C:\Windows\System\WowiCxC.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\tODwOlG.exe
  C:\Windows\System\tODwOlG.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\RdJNJbO.exe
  C:\Windows\System\RdJNJbO.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\fXiwSNz.exe
  C:\Windows\System\fXiwSNz.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\VQxSzTd.exe
  C:\Windows\System\VQxSzTd.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\AMIEGXT.exe
  C:\Windows\System\AMIEGXT.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\ZWqpsLW.exe
  C:\Windows\System\ZWqpsLW.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\ZzHASxL.exe
  C:\Windows\System\ZzHASxL.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\LbIpfFn.exe
  C:\Windows\System\LbIpfFn.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\XPMFjJW.exe
  C:\Windows\System\XPMFjJW.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\bASdtsV.exe
  C:\Windows\System\bASdtsV.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\dSfREqT.exe
  C:\Windows\System\dSfREqT.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\HZrVxvD.exe
  C:\Windows\System\HZrVxvD.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\VUhPERt.exe
  C:\Windows\System\VUhPERt.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\AZRdWxo.exe
  C:\Windows\System\AZRdWxo.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System\uayMipk.exe
  C:\Windows\System\uayMipk.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\RBoztie.exe
  C:\Windows\System\RBoztie.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\CyGeQJB.exe
  C:\Windows\System\CyGeQJB.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\vKBrGoa.exe
  C:\Windows\System\vKBrGoa.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\qflFaMF.exe
  C:\Windows\System\qflFaMF.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\ZQudIJv.exe
  C:\Windows\System\ZQudIJv.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\rbuswnL.exe
  C:\Windows\System\rbuswnL.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\pNiXHNh.exe
  C:\Windows\System\pNiXHNh.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\WwhIxph.exe
  C:\Windows\System\WwhIxph.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\wWSKoYl.exe
  C:\Windows\System\wWSKoYl.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\QuPYTLv.exe
  C:\Windows\System\QuPYTLv.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\JdQldCp.exe
  C:\Windows\System\JdQldCp.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\XIJllTl.exe
  C:\Windows\System\XIJllTl.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\dZqprXA.exe
  C:\Windows\System\dZqprXA.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\IdznIEj.exe
  C:\Windows\System\IdznIEj.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\mPDGsiz.exe
  C:\Windows\System\mPDGsiz.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\vWAUaLO.exe
  C:\Windows\System\vWAUaLO.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\KJtvihk.exe
  C:\Windows\System\KJtvihk.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\Dppkjod.exe
  C:\Windows\System\Dppkjod.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\JVkJKGg.exe
  C:\Windows\System\JVkJKGg.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\elzOKBo.exe
  C:\Windows\System\elzOKBo.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\NnkvLEF.exe
  C:\Windows\System\NnkvLEF.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\bVTyFtO.exe
  C:\Windows\System\bVTyFtO.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\rioLAWI.exe
  C:\Windows\System\rioLAWI.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System\ZhHvRVg.exe
  C:\Windows\System\ZhHvRVg.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\uoUkEGi.exe
  C:\Windows\System\uoUkEGi.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\CwkkYUD.exe
  C:\Windows\System\CwkkYUD.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\KyktmyE.exe
  C:\Windows\System\KyktmyE.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\QaYsOVk.exe
  C:\Windows\System\QaYsOVk.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\bqiQvFn.exe
  C:\Windows\System\bqiQvFn.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\LAriEsA.exe
  C:\Windows\System\LAriEsA.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\mXNfoBc.exe
  C:\Windows\System\mXNfoBc.exe
  2⤵
  PID:4828
- C:\Windows\System\doYxAGm.exe
  C:\Windows\System\doYxAGm.exe
  2⤵
  PID:1536
- C:\Windows\System\GkycUWB.exe
  C:\Windows\System\GkycUWB.exe
  2⤵
  PID:2856
- C:\Windows\System\DikDiao.exe
  C:\Windows\System\DikDiao.exe
  2⤵
  PID:5128
- C:\Windows\System\CIAUYkl.exe
  C:\Windows\System\CIAUYkl.exe
  2⤵
  PID:5156
- C:\Windows\System\lwFyvPx.exe
  C:\Windows\System\lwFyvPx.exe
  2⤵
  PID:5216
- C:\Windows\System\JHPKmwK.exe
  C:\Windows\System\JHPKmwK.exe
  2⤵
  PID:5244
- C:\Windows\System\WRBZKEm.exe
  C:\Windows\System\WRBZKEm.exe
  2⤵
  PID:5260
- C:\Windows\System\fBCKhjp.exe
  C:\Windows\System\fBCKhjp.exe
  2⤵
  PID:5276
- C:\Windows\System\FgQOgrC.exe
  C:\Windows\System\FgQOgrC.exe
  2⤵
  PID:5300
- C:\Windows\System\QvGyvWN.exe
  C:\Windows\System\QvGyvWN.exe
  2⤵
  PID:5328
- C:\Windows\System\BJsKIKt.exe
  C:\Windows\System\BJsKIKt.exe
  2⤵
  PID:5356
- C:\Windows\System\uxoKKQf.exe
  C:\Windows\System\uxoKKQf.exe
  2⤵
  PID:5384
- C:\Windows\System\sfnWIfz.exe
  C:\Windows\System\sfnWIfz.exe
  2⤵
  PID:5412
- C:\Windows\System\CzJHszg.exe
  C:\Windows\System\CzJHszg.exe
  2⤵
  PID:5448
- C:\Windows\System\WPeZjds.exe
  C:\Windows\System\WPeZjds.exe
  2⤵
  PID:5472
- C:\Windows\System\wspnMrW.exe
  C:\Windows\System\wspnMrW.exe
  2⤵
  PID:5504
- C:\Windows\System\NtoURdX.exe
  C:\Windows\System\NtoURdX.exe
  2⤵
  PID:5532
- C:\Windows\System\mSPDmgD.exe
  C:\Windows\System\mSPDmgD.exe
  2⤵
  PID:5560
- C:\Windows\System\BZXuJqA.exe
  C:\Windows\System\BZXuJqA.exe
  2⤵
  PID:5588
- C:\Windows\System\LXjDSDc.exe
  C:\Windows\System\LXjDSDc.exe
  2⤵
  PID:5616
- C:\Windows\System\QhByeUv.exe
  C:\Windows\System\QhByeUv.exe
  2⤵
  PID:5644
- C:\Windows\System\UpjXObx.exe
  C:\Windows\System\UpjXObx.exe
  2⤵
  PID:5672
- C:\Windows\System\coKpQwl.exe
  C:\Windows\System\coKpQwl.exe
  2⤵
  PID:5696
- C:\Windows\System\OQUMInQ.exe
  C:\Windows\System\OQUMInQ.exe
  2⤵
  PID:5736
- C:\Windows\System\HDBuFkt.exe
  C:\Windows\System\HDBuFkt.exe
  2⤵
  PID:5756
- C:\Windows\System\NYoNJwb.exe
  C:\Windows\System\NYoNJwb.exe
  2⤵
  PID:5780
- C:\Windows\System\gdoXoKV.exe
  C:\Windows\System\gdoXoKV.exe
  2⤵
  PID:5808
- C:\Windows\System\tSLghCW.exe
  C:\Windows\System\tSLghCW.exe
  2⤵
  PID:5840
- C:\Windows\System\zgDhOik.exe
  C:\Windows\System\zgDhOik.exe
  2⤵
  PID:5868
- C:\Windows\System\ATrZDVu.exe
  C:\Windows\System\ATrZDVu.exe
  2⤵
  PID:5896
- C:\Windows\System\ShzuGVO.exe
  C:\Windows\System\ShzuGVO.exe
  2⤵
  PID:5924
- C:\Windows\System\FYnEUXL.exe
  C:\Windows\System\FYnEUXL.exe
  2⤵
  PID:5952
- C:\Windows\System\HIYgVnr.exe
  C:\Windows\System\HIYgVnr.exe
  2⤵
  PID:5980
- C:\Windows\System\IxDzOqg.exe
  C:\Windows\System\IxDzOqg.exe
  2⤵
  PID:6008
- C:\Windows\System\FeivFlz.exe
  C:\Windows\System\FeivFlz.exe
  2⤵
  PID:6036
- C:\Windows\System\ejNpEeW.exe
  C:\Windows\System\ejNpEeW.exe
  2⤵
  PID:6064
- C:\Windows\System\hHfOzrY.exe
  C:\Windows\System\hHfOzrY.exe
  2⤵
  PID:6100
- C:\Windows\System\WsnlhLL.exe
  C:\Windows\System\WsnlhLL.exe
  2⤵
  PID:6124
- C:\Windows\System\AzmSMPD.exe
  C:\Windows\System\AzmSMPD.exe
  2⤵
  PID:464
- C:\Windows\System\IWLuNfj.exe
  C:\Windows\System\IWLuNfj.exe
  2⤵
  PID:916
- C:\Windows\System\rySAeTj.exe
  C:\Windows\System\rySAeTj.exe
  2⤵
  PID:2536
- C:\Windows\System\VApwwQY.exe
  C:\Windows\System\VApwwQY.exe
  2⤵
  PID:3556
- C:\Windows\System\rDTBOdN.exe
  C:\Windows\System\rDTBOdN.exe
  2⤵
  PID:628
- C:\Windows\System\NHnYWvp.exe
  C:\Windows\System\NHnYWvp.exe
  2⤵
  PID:4868
- C:\Windows\System\TJsXWVV.exe
  C:\Windows\System\TJsXWVV.exe
  2⤵
  PID:5172
- C:\Windows\System\SZILuGF.exe
  C:\Windows\System\SZILuGF.exe
  2⤵
  PID:5180
- C:\Windows\System\AuGKyqq.exe
  C:\Windows\System\AuGKyqq.exe
  2⤵
  PID:5272
- C:\Windows\System\WiJpRHz.exe
  C:\Windows\System\WiJpRHz.exe
  2⤵
  PID:5344
- C:\Windows\System\enuvVKl.exe
  C:\Windows\System\enuvVKl.exe
  2⤵
  PID:5400
- C:\Windows\System\mxbDXEx.exe
  C:\Windows\System\mxbDXEx.exe
  2⤵
  PID:5460
- C:\Windows\System\ffysWYB.exe
  C:\Windows\System\ffysWYB.exe
  2⤵
  PID:5520
- C:\Windows\System\BbzYDIE.exe
  C:\Windows\System\BbzYDIE.exe
  2⤵
  PID:5580
- C:\Windows\System\PusXmnz.exe
  C:\Windows\System\PusXmnz.exe
  2⤵
  PID:5656
- C:\Windows\System\qciYwOS.exe
  C:\Windows\System\qciYwOS.exe
  2⤵
  PID:5892
- C:\Windows\System\bgcHxTj.exe
  C:\Windows\System\bgcHxTj.exe
  2⤵
  PID:4152
- C:\Windows\System\pjRbmbb.exe
  C:\Windows\System\pjRbmbb.exe
  2⤵
  PID:4184
- C:\Windows\System\WuiXvuk.exe
  C:\Windows\System\WuiXvuk.exe
  2⤵
  PID:4848
- C:\Windows\System\jicSxIU.exe
  C:\Windows\System\jicSxIU.exe
  2⤵
  PID:5376
- C:\Windows\System\ISZiDmX.exe
  C:\Windows\System\ISZiDmX.exe
  2⤵
  PID:5436
- C:\Windows\System\oDInLER.exe
  C:\Windows\System\oDInLER.exe
  2⤵
  PID:5496
- C:\Windows\System\bkrILHq.exe
  C:\Windows\System\bkrILHq.exe
  2⤵
  PID:5836
- C:\Windows\System\fLsaxrk.exe
  C:\Windows\System\fLsaxrk.exe
  2⤵
  PID:1988
- C:\Windows\System\ufVeVij.exe
  C:\Windows\System\ufVeVij.exe
  2⤵
  PID:5916
- C:\Windows\System\tYZISKG.exe
  C:\Windows\System\tYZISKG.exe
  2⤵
  PID:3740
- C:\Windows\System\yuhRQkQ.exe
  C:\Windows\System\yuhRQkQ.exe
  2⤵
  PID:632
- C:\Windows\System\VvrDqCf.exe
  C:\Windows\System\VvrDqCf.exe
  2⤵
  PID:1640
- C:\Windows\System\ZsWvftd.exe
  C:\Windows\System\ZsWvftd.exe
  2⤵
  PID:1996
- C:\Windows\System\bqpPewf.exe
  C:\Windows\System\bqpPewf.exe
  2⤵
  PID:3540
- C:\Windows\System\jWAoplO.exe
  C:\Windows\System\jWAoplO.exe
  2⤵
  PID:3888
- C:\Windows\System\wTxfBTr.exe
  C:\Windows\System\wTxfBTr.exe
  2⤵
  PID:4852
- C:\Windows\System\rIciPoW.exe
  C:\Windows\System\rIciPoW.exe
  2⤵
  PID:5256
- C:\Windows\System\jWPWRNA.exe
  C:\Windows\System\jWPWRNA.exe
  2⤵
  PID:208
- C:\Windows\System\UGyshUl.exe
  C:\Windows\System\UGyshUl.exe
  2⤵
  PID:5428
- C:\Windows\System\LazOvIW.exe
  C:\Windows\System\LazOvIW.exe
  2⤵
  PID:4484
- C:\Windows\System\laTbJxI.exe
  C:\Windows\System\laTbJxI.exe
  2⤵
  PID:2876
- C:\Windows\System\JXeNddP.exe
  C:\Windows\System\JXeNddP.exe
  2⤵
  PID:4760
- C:\Windows\System\cwRlPaA.exe
  C:\Windows\System\cwRlPaA.exe
  2⤵
  PID:1900
- C:\Windows\System\KVdMEtP.exe
  C:\Windows\System\KVdMEtP.exe
  2⤵
  PID:4748
- C:\Windows\System\SMyhopp.exe
  C:\Windows\System\SMyhopp.exe
  2⤵
  PID:5104
- C:\Windows\System\DFhNiPM.exe
  C:\Windows\System\DFhNiPM.exe
  2⤵
  PID:4180
- C:\Windows\System\wFObddW.exe
  C:\Windows\System\wFObddW.exe
  2⤵
  PID:3444
- C:\Windows\System\KxHLxnd.exe
  C:\Windows\System\KxHLxnd.exe
  2⤵
  PID:5324
- C:\Windows\System\sFaIzGj.exe
  C:\Windows\System\sFaIzGj.exe
  2⤵
  PID:3880
- C:\Windows\System\aqPgHPS.exe
  C:\Windows\System\aqPgHPS.exe
  2⤵
  PID:1712
- C:\Windows\System\JzUdPpd.exe
  C:\Windows\System\JzUdPpd.exe
  2⤵
  PID:4544
- C:\Windows\System\PDtGdmz.exe
  C:\Windows\System\PDtGdmz.exe
  2⤵
  PID:6188
- C:\Windows\System\kSeyQFa.exe
  C:\Windows\System\kSeyQFa.exe
  2⤵
  PID:6220
- C:\Windows\System\hJVdVdF.exe
  C:\Windows\System\hJVdVdF.exe
  2⤵
  PID:6236
- C:\Windows\System\yZlgenC.exe
  C:\Windows\System\yZlgenC.exe
  2⤵
  PID:6256
- C:\Windows\System\JXJBREm.exe
  C:\Windows\System\JXJBREm.exe
  2⤵
  PID:6300
- C:\Windows\System\vnBpJBK.exe
  C:\Windows\System\vnBpJBK.exe
  2⤵
  PID:6324
- C:\Windows\System\satJzQe.exe
  C:\Windows\System\satJzQe.exe
  2⤵
  PID:6352
- C:\Windows\System\bGeexgj.exe
  C:\Windows\System\bGeexgj.exe
  2⤵
  PID:6376
- C:\Windows\System\otLbiyK.exe
  C:\Windows\System\otLbiyK.exe
  2⤵
  PID:6416
- C:\Windows\System\XhKwhOX.exe
  C:\Windows\System\XhKwhOX.exe
  2⤵
  PID:6440
- C:\Windows\System\UbtkqUo.exe
  C:\Windows\System\UbtkqUo.exe
  2⤵
  PID:6464
- C:\Windows\System\sNosHxl.exe
  C:\Windows\System\sNosHxl.exe
  2⤵
  PID:6484
- C:\Windows\System\gfkBcKP.exe
  C:\Windows\System\gfkBcKP.exe
  2⤵
  PID:6508
- C:\Windows\System\CZtiTXC.exe
  C:\Windows\System\CZtiTXC.exe
  2⤵
  PID:6552
- C:\Windows\System\pmGdptG.exe
  C:\Windows\System\pmGdptG.exe
  2⤵
  PID:6592
- C:\Windows\System\OcnfFxU.exe
  C:\Windows\System\OcnfFxU.exe
  2⤵
  PID:6608
- C:\Windows\System\SdEDqAd.exe
  C:\Windows\System\SdEDqAd.exe
  2⤵
  PID:6636
- C:\Windows\System\KlYfeMz.exe
  C:\Windows\System\KlYfeMz.exe
  2⤵
  PID:6652
- C:\Windows\System\NKvGkaS.exe
  C:\Windows\System\NKvGkaS.exe
  2⤵
  PID:6692
- C:\Windows\System\MtNDbiF.exe
  C:\Windows\System\MtNDbiF.exe
  2⤵
  PID:6728
- C:\Windows\System\OwetHkv.exe
  C:\Windows\System\OwetHkv.exe
  2⤵
  PID:6756
- C:\Windows\System\UkyDVux.exe
  C:\Windows\System\UkyDVux.exe
  2⤵
  PID:6772
- C:\Windows\System\RoMHOwc.exe
  C:\Windows\System\RoMHOwc.exe
  2⤵
  PID:6792
- C:\Windows\System\peHojlL.exe
  C:\Windows\System\peHojlL.exe
  2⤵
  PID:6820
- C:\Windows\System\ylePiLz.exe
  C:\Windows\System\ylePiLz.exe
  2⤵
  PID:6872
- C:\Windows\System\CduEPlU.exe
  C:\Windows\System\CduEPlU.exe
  2⤵
  PID:6888
- C:\Windows\System\vpGhDGM.exe
  C:\Windows\System\vpGhDGM.exe
  2⤵
  PID:6912
- C:\Windows\System\TSnaeaM.exe
  C:\Windows\System\TSnaeaM.exe
  2⤵
  PID:6928
- C:\Windows\System\TAiuYUe.exe
  C:\Windows\System\TAiuYUe.exe
  2⤵
  PID:6980
- C:\Windows\System\FInJtLb.exe
  C:\Windows\System\FInJtLb.exe
  2⤵
  PID:6996
- C:\Windows\System\jcIWqnE.exe
  C:\Windows\System\jcIWqnE.exe
  2⤵
  PID:7020
- C:\Windows\System\byJMoDA.exe
  C:\Windows\System\byJMoDA.exe
  2⤵
  PID:7036
- C:\Windows\System\uqwfZdl.exe
  C:\Windows\System\uqwfZdl.exe
  2⤵
  PID:7076
- C:\Windows\System\sJvebos.exe
  C:\Windows\System\sJvebos.exe
  2⤵
  PID:7100
- C:\Windows\System\yxnhViw.exe
  C:\Windows\System\yxnhViw.exe
  2⤵
  PID:7120
- C:\Windows\System\otmWgef.exe
  C:\Windows\System\otmWgef.exe
  2⤵
  PID:4012
- C:\Windows\System\FqvTlGN.exe
  C:\Windows\System\FqvTlGN.exe
  2⤵
  PID:4408
- C:\Windows\System\gwRNnOt.exe
  C:\Windows\System\gwRNnOt.exe
  2⤵
  PID:6152
- C:\Windows\System\gmtAHyJ.exe
  C:\Windows\System\gmtAHyJ.exe
  2⤵
  PID:6212
- C:\Windows\System\JCXehWi.exe
  C:\Windows\System\JCXehWi.exe
  2⤵
  PID:6320
- C:\Windows\System\WvNmcTD.exe
  C:\Windows\System\WvNmcTD.exe
  2⤵
  PID:6408
- C:\Windows\System\uTZCEYd.exe
  C:\Windows\System\uTZCEYd.exe
  2⤵
  PID:6448
- C:\Windows\System\MJsbtiS.exe
  C:\Windows\System\MJsbtiS.exe
  2⤵
  PID:6548
- C:\Windows\System\XOHZjiG.exe
  C:\Windows\System\XOHZjiG.exe
  2⤵
  PID:6580
- C:\Windows\System\pkvxOmK.exe
  C:\Windows\System\pkvxOmK.exe
  2⤵
  PID:6632
- C:\Windows\System\lJiMFaP.exe
  C:\Windows\System\lJiMFaP.exe
  2⤵
  PID:6704
- C:\Windows\System\omLxecA.exe
  C:\Windows\System\omLxecA.exe
  2⤵
  PID:6784
- C:\Windows\System\TUGEXqZ.exe
  C:\Windows\System\TUGEXqZ.exe
  2⤵
  PID:6880
- C:\Windows\System\lwxJNZN.exe
  C:\Windows\System\lwxJNZN.exe
  2⤵
  PID:6944
- C:\Windows\System\NWRXGJq.exe
  C:\Windows\System\NWRXGJq.exe
  2⤵
  PID:6992
- C:\Windows\System\yXLunmt.exe
  C:\Windows\System\yXLunmt.exe
  2⤵
  PID:7012
- C:\Windows\System\ULtJUlZ.exe
  C:\Windows\System\ULtJUlZ.exe
  2⤵
  PID:7152
- C:\Windows\System\aThVVGz.exe
  C:\Windows\System\aThVVGz.exe
  2⤵
  PID:5552
- C:\Windows\System\vLKmTTx.exe
  C:\Windows\System\vLKmTTx.exe
  2⤵
  PID:4128
- C:\Windows\System\yyFqOSy.exe
  C:\Windows\System\yyFqOSy.exe
  2⤵
  PID:6368
- C:\Windows\System\QhASOKf.exe
  C:\Windows\System\QhASOKf.exe
  2⤵
  PID:6296
- C:\Windows\System\KTEjsVB.exe
  C:\Windows\System\KTEjsVB.exe
  2⤵
  PID:6564
- C:\Windows\System\hovVIlh.exe
  C:\Windows\System\hovVIlh.exe
  2⤵
  PID:6780
- C:\Windows\System\UOooINM.exe
  C:\Windows\System\UOooINM.exe
  2⤵
  PID:6920
- C:\Windows\System\xXtpkUJ.exe
  C:\Windows\System\xXtpkUJ.exe
  2⤵
  PID:6052
- C:\Windows\System\zzNqzei.exe
  C:\Windows\System\zzNqzei.exe
  2⤵
  PID:7140
- C:\Windows\System\xwljrDA.exe
  C:\Windows\System\xwljrDA.exe
  2⤵
  PID:7084
- C:\Windows\System\KIlYBPT.exe
  C:\Windows\System\KIlYBPT.exe
  2⤵
  PID:6364
- C:\Windows\System\AKLFkFs.exe
  C:\Windows\System\AKLFkFs.exe
  2⤵
  PID:6504
- C:\Windows\System\oQTNBTP.exe
  C:\Windows\System\oQTNBTP.exe
  2⤵
  PID:6764
- C:\Windows\System\WSPlcvj.exe
  C:\Windows\System\WSPlcvj.exe
  2⤵
  PID:6884
- C:\Windows\System\vXSCThX.exe
  C:\Windows\System\vXSCThX.exe
  2⤵
  PID:2272
- C:\Windows\System\ilqcjBP.exe
  C:\Windows\System\ilqcjBP.exe
  2⤵
  PID:6060
- C:\Windows\System\oUhXUwg.exe
  C:\Windows\System\oUhXUwg.exe
  2⤵
  PID:6600
- C:\Windows\System\xBhxjKA.exe
  C:\Windows\System\xBhxjKA.exe
  2⤵
  PID:7196
- C:\Windows\System\nlpKoyu.exe
  C:\Windows\System\nlpKoyu.exe
  2⤵
  PID:7220
- C:\Windows\System\DglQZEj.exe
  C:\Windows\System\DglQZEj.exe
  2⤵
  PID:7240
- C:\Windows\System\WwyNVdc.exe
  C:\Windows\System\WwyNVdc.exe
  2⤵
  PID:7324
- C:\Windows\System\hufBwGv.exe
  C:\Windows\System\hufBwGv.exe
  2⤵
  PID:7340
- C:\Windows\System\iSGhqWr.exe
  C:\Windows\System\iSGhqWr.exe
  2⤵
  PID:7360
- C:\Windows\System\poibLUL.exe
  C:\Windows\System\poibLUL.exe
  2⤵
  PID:7380
- C:\Windows\System\IjujuKM.exe
  C:\Windows\System\IjujuKM.exe
  2⤵
  PID:7432
- C:\Windows\System\iNrGmDk.exe
  C:\Windows\System\iNrGmDk.exe
  2⤵
  PID:7452
- C:\Windows\System\JrlxUnB.exe
  C:\Windows\System\JrlxUnB.exe
  2⤵
  PID:7476
- C:\Windows\System\uMEtIZu.exe
  C:\Windows\System\uMEtIZu.exe
  2⤵
  PID:7520
- C:\Windows\System\xJNOciU.exe
  C:\Windows\System\xJNOciU.exe
  2⤵
  PID:7536
- C:\Windows\System\QmsbrMr.exe
  C:\Windows\System\QmsbrMr.exe
  2⤵
  PID:7564
- C:\Windows\System\RPfPwss.exe
  C:\Windows\System\RPfPwss.exe
  2⤵
  PID:7580
- C:\Windows\System\irihqpi.exe
  C:\Windows\System\irihqpi.exe
  2⤵
  PID:7604
- C:\Windows\System\wXRtEUK.exe
  C:\Windows\System\wXRtEUK.exe
  2⤵
  PID:7628
- C:\Windows\System\bwRaWkr.exe
  C:\Windows\System\bwRaWkr.exe
  2⤵
  PID:7664
- C:\Windows\System\JneUElT.exe
  C:\Windows\System\JneUElT.exe
  2⤵
  PID:7696
- C:\Windows\System\WLlpdvD.exe
  C:\Windows\System\WLlpdvD.exe
  2⤵
  PID:7716
- C:\Windows\System\pWPYmDY.exe
  C:\Windows\System\pWPYmDY.exe
  2⤵
  PID:7748
- C:\Windows\System\wiQUOTv.exe
  C:\Windows\System\wiQUOTv.exe
  2⤵
  PID:7804
- C:\Windows\System\AMHHhbX.exe
  C:\Windows\System\AMHHhbX.exe
  2⤵
  PID:7832
- C:\Windows\System\fkRsONb.exe
  C:\Windows\System\fkRsONb.exe
  2⤵
  PID:7860
- C:\Windows\System\wdOxLzn.exe
  C:\Windows\System\wdOxLzn.exe
  2⤵
  PID:7884
- C:\Windows\System\lybvcHX.exe
  C:\Windows\System\lybvcHX.exe
  2⤵
  PID:7912
- C:\Windows\System\NvuAsdD.exe
  C:\Windows\System\NvuAsdD.exe
  2⤵
  PID:7932
- C:\Windows\System\dWdvBuy.exe
  C:\Windows\System\dWdvBuy.exe
  2⤵
  PID:7952
- C:\Windows\System\Efiwrra.exe
  C:\Windows\System\Efiwrra.exe
  2⤵
  PID:7976
- C:\Windows\System\xcbFPSJ.exe
  C:\Windows\System\xcbFPSJ.exe
  2⤵
  PID:7996
- C:\Windows\System\xLPvBor.exe
  C:\Windows\System\xLPvBor.exe
  2⤵
  PID:8040
- C:\Windows\System\yGgsHfO.exe
  C:\Windows\System\yGgsHfO.exe
  2⤵
  PID:8056
- C:\Windows\System\XUHfbUd.exe
  C:\Windows\System\XUHfbUd.exe
  2⤵
  PID:8076
- C:\Windows\System\UKgZLkI.exe
  C:\Windows\System\UKgZLkI.exe
  2⤵
  PID:8100
- C:\Windows\System\jHcsFYp.exe
  C:\Windows\System\jHcsFYp.exe
  2⤵
  PID:8132
- C:\Windows\System\JACIjXv.exe
  C:\Windows\System\JACIjXv.exe
  2⤵
  PID:8176
- C:\Windows\System\HXmbQNY.exe
  C:\Windows\System\HXmbQNY.exe
  2⤵
  PID:6436
- C:\Windows\System\CGjBBDA.exe
  C:\Windows\System\CGjBBDA.exe
  2⤵
  PID:7172
- C:\Windows\System\xKPeNgj.exe
  C:\Windows\System\xKPeNgj.exe
  2⤵
  PID:7236
- C:\Windows\System\ZLAMNNQ.exe
  C:\Windows\System\ZLAMNNQ.exe
  2⤵
  PID:7320
- C:\Windows\System\dnQyAPf.exe
  C:\Windows\System\dnQyAPf.exe
  2⤵
  PID:7332
- C:\Windows\System\FbPiMhz.exe
  C:\Windows\System\FbPiMhz.exe
  2⤵
  PID:7500
- C:\Windows\System\CViaJJp.exe
  C:\Windows\System\CViaJJp.exe
  2⤵
  PID:7612
- C:\Windows\System\GLIhmZa.exe
  C:\Windows\System\GLIhmZa.exe
  2⤵
  PID:7708
- C:\Windows\System\Zxydtkh.exe
  C:\Windows\System\Zxydtkh.exe
  2⤵
  PID:7684
- C:\Windows\System\gZADAqV.exe
  C:\Windows\System\gZADAqV.exe
  2⤵
  PID:7776
- C:\Windows\System\jsSktVX.exe
  C:\Windows\System\jsSktVX.exe
  2⤵
  PID:7792
- C:\Windows\System\smzIOOI.exe
  C:\Windows\System\smzIOOI.exe
  2⤵
  PID:7876
- C:\Windows\System\rrYXGUf.exe
  C:\Windows\System\rrYXGUf.exe
  2⤵
  PID:7920
- C:\Windows\System\ckxZuWA.exe
  C:\Windows\System\ckxZuWA.exe
  2⤵
  PID:7972
- C:\Windows\System\bgynqzF.exe
  C:\Windows\System\bgynqzF.exe
  2⤵
  PID:8020
- C:\Windows\System\aWqkzxc.exe
  C:\Windows\System\aWqkzxc.exe
  2⤵
  PID:8048
- C:\Windows\System\IarKRwI.exe
  C:\Windows\System\IarKRwI.exe
  2⤵
  PID:8156
- C:\Windows\System\izePLup.exe
  C:\Windows\System\izePLup.exe
  2⤵
  PID:8172
- C:\Windows\System\UTDnLJi.exe
  C:\Windows\System\UTDnLJi.exe
  2⤵
  PID:6948
- C:\Windows\System\KTmHdgr.exe
  C:\Windows\System\KTmHdgr.exe
  2⤵
  PID:7308
- C:\Windows\System\diBcsFi.exe
  C:\Windows\System\diBcsFi.exe
  2⤵
  PID:4556
- C:\Windows\System\dwnUCTb.exe
  C:\Windows\System\dwnUCTb.exe
  2⤵
  PID:7840
- C:\Windows\System\KcgvHkA.exe
  C:\Windows\System\KcgvHkA.exe
  2⤵
  PID:8004
- C:\Windows\System\CgZiSCl.exe
  C:\Windows\System\CgZiSCl.exe
  2⤵
  PID:7376
- C:\Windows\System\HaUetmZ.exe
  C:\Windows\System\HaUetmZ.exe
  2⤵
  PID:7472
- C:\Windows\System\HsqICNf.exe
  C:\Windows\System\HsqICNf.exe
  2⤵
  PID:7656
- C:\Windows\System\spbJxDW.exe
  C:\Windows\System\spbJxDW.exe
  2⤵
  PID:7768
- C:\Windows\System\vTIguog.exe
  C:\Windows\System\vTIguog.exe
  2⤵
  PID:8068
- C:\Windows\System\ZzqJikX.exe
  C:\Windows\System\ZzqJikX.exe
  2⤵
  PID:7672
- C:\Windows\System\xHcGaZA.exe
  C:\Windows\System\xHcGaZA.exe
  2⤵
  PID:8224
- C:\Windows\System\PlvBjkq.exe
  C:\Windows\System\PlvBjkq.exe
  2⤵
  PID:8260
- C:\Windows\System\QPofZzO.exe
  C:\Windows\System\QPofZzO.exe
  2⤵
  PID:8288
- C:\Windows\System\WaRFRuP.exe
  C:\Windows\System\WaRFRuP.exe
  2⤵
  PID:8316
- C:\Windows\System\MSxBBin.exe
  C:\Windows\System\MSxBBin.exe
  2⤵
  PID:8336
- C:\Windows\System\yBvrWvr.exe
  C:\Windows\System\yBvrWvr.exe
  2⤵
  PID:8356
- C:\Windows\System\nsZuCaF.exe
  C:\Windows\System\nsZuCaF.exe
  2⤵
  PID:8376
- C:\Windows\System\lJKMGrG.exe
  C:\Windows\System\lJKMGrG.exe
  2⤵
  PID:8404
- C:\Windows\System\thReFZf.exe
  C:\Windows\System\thReFZf.exe
  2⤵
  PID:8420
- C:\Windows\System\dHmQypw.exe
  C:\Windows\System\dHmQypw.exe
  2⤵
  PID:8484
- C:\Windows\System\okMkDbx.exe
  C:\Windows\System\okMkDbx.exe
  2⤵
  PID:8504
- C:\Windows\System\qupmfXV.exe
  C:\Windows\System\qupmfXV.exe
  2⤵
  PID:8540
- C:\Windows\System\PRdqXdW.exe
  C:\Windows\System\PRdqXdW.exe
  2⤵
  PID:8556
- C:\Windows\System\YkatAUP.exe
  C:\Windows\System\YkatAUP.exe
  2⤵
  PID:8576
- C:\Windows\System\hvMOjsC.exe
  C:\Windows\System\hvMOjsC.exe
  2⤵
  PID:8608
- C:\Windows\System\LMVhhQM.exe
  C:\Windows\System\LMVhhQM.exe
  2⤵
  PID:8640
- C:\Windows\System\hJnXrJP.exe
  C:\Windows\System\hJnXrJP.exe
  2⤵
  PID:8672
- C:\Windows\System\avaEFmS.exe
  C:\Windows\System\avaEFmS.exe
  2⤵
  PID:8708
- C:\Windows\System\ZhePTbV.exe
  C:\Windows\System\ZhePTbV.exe
  2⤵
  PID:8724
- C:\Windows\System\GqEpbop.exe
  C:\Windows\System\GqEpbop.exe
  2⤵
  PID:8752
- C:\Windows\System\vRkEzOx.exe
  C:\Windows\System\vRkEzOx.exe
  2⤵
  PID:8780
- C:\Windows\System\DfklsuT.exe
  C:\Windows\System\DfklsuT.exe
  2⤵
  PID:8796
- C:\Windows\System\FjYllpC.exe
  C:\Windows\System\FjYllpC.exe
  2⤵
  PID:8832
- C:\Windows\System\mHZeZyr.exe
  C:\Windows\System\mHZeZyr.exe
  2⤵
  PID:8852
- C:\Windows\System\pwfaJCA.exe
  C:\Windows\System\pwfaJCA.exe
  2⤵
  PID:8868
- C:\Windows\System\vcSkFgy.exe
  C:\Windows\System\vcSkFgy.exe
  2⤵
  PID:8892
- C:\Windows\System\GPBHgCm.exe
  C:\Windows\System\GPBHgCm.exe
  2⤵
  PID:8920
- C:\Windows\System\dVXJSzY.exe
  C:\Windows\System\dVXJSzY.exe
  2⤵
  PID:8960
- C:\Windows\System\jlpEzsB.exe
  C:\Windows\System\jlpEzsB.exe
  2⤵
  PID:8980
- C:\Windows\System\UBUmmvo.exe
  C:\Windows\System\UBUmmvo.exe
  2⤵
  PID:9016
- C:\Windows\System\xhXVJQd.exe
  C:\Windows\System\xhXVJQd.exe
  2⤵
  PID:9052
- C:\Windows\System\aAFWUad.exe
  C:\Windows\System\aAFWUad.exe
  2⤵
  PID:9076
- C:\Windows\System\hYITENd.exe
  C:\Windows\System\hYITENd.exe
  2⤵
  PID:9116
- C:\Windows\System\cOAHOfh.exe
  C:\Windows\System\cOAHOfh.exe
  2⤵
  PID:9136
- C:\Windows\System\kPcwFDq.exe
  C:\Windows\System\kPcwFDq.exe
  2⤵
  PID:9172
- C:\Windows\System\zojxotK.exe
  C:\Windows\System\zojxotK.exe
  2⤵
  PID:9200
- C:\Windows\System\HLuuCll.exe
  C:\Windows\System\HLuuCll.exe
  2⤵
  PID:8084
- C:\Windows\System\JXVXBoW.exe
  C:\Windows\System\JXVXBoW.exe
  2⤵
  PID:8324
- C:\Windows\System\cnGpRIF.exe
  C:\Windows\System\cnGpRIF.exe
  2⤵
  PID:8384
- C:\Windows\System\iUXnynx.exe
  C:\Windows\System\iUXnynx.exe
  2⤵
  PID:8436
- C:\Windows\System\fpjCMWJ.exe
  C:\Windows\System\fpjCMWJ.exe
  2⤵
  PID:8480
- C:\Windows\System\phsKWli.exe
  C:\Windows\System\phsKWli.exe
  2⤵
  PID:8532
- C:\Windows\System\spyjGCM.exe
  C:\Windows\System\spyjGCM.exe
  2⤵
  PID:8568
- C:\Windows\System\cdGROSj.exe
  C:\Windows\System\cdGROSj.exe
  2⤵
  PID:8592
- C:\Windows\System\TXApRuU.exe
  C:\Windows\System\TXApRuU.exe
  2⤵
  PID:8664
- C:\Windows\System\TRaKjRL.exe
  C:\Windows\System\TRaKjRL.exe
  2⤵
  PID:8748
- C:\Windows\System\dbNzDPq.exe
  C:\Windows\System\dbNzDPq.exe
  2⤵
  PID:8804
- C:\Windows\System\YZJMdKP.exe
  C:\Windows\System\YZJMdKP.exe
  2⤵
  PID:1100
- C:\Windows\System\ntfyJgQ.exe
  C:\Windows\System\ntfyJgQ.exe
  2⤵
  PID:8860
- C:\Windows\System\UINzIxn.exe
  C:\Windows\System\UINzIxn.exe
  2⤵
  PID:8992
- C:\Windows\System\fTTnruW.exe
  C:\Windows\System\fTTnruW.exe
  2⤵
  PID:9040
- C:\Windows\System\cAmmOox.exe
  C:\Windows\System\cAmmOox.exe
  2⤵
  PID:8368
- C:\Windows\System\THnYsqF.exe
  C:\Windows\System\THnYsqF.exe
  2⤵
  PID:8432
- C:\Windows\System\CZmMuHx.exe
  C:\Windows\System\CZmMuHx.exe
  2⤵
  PID:8496
- C:\Windows\System\wiEXhwS.exe
  C:\Windows\System\wiEXhwS.exe
  2⤵
  PID:8616
- C:\Windows\System\vsulTRX.exe
  C:\Windows\System\vsulTRX.exe
  2⤵
  PID:8652
- C:\Windows\System\wgttjRz.exe
  C:\Windows\System\wgttjRz.exe
  2⤵
  PID:8792
- C:\Windows\System\zOYBDVF.exe
  C:\Windows\System\zOYBDVF.exe
  2⤵
  PID:8928
- C:\Windows\System\qvTEJCw.exe
  C:\Windows\System\qvTEJCw.exe
  2⤵
  PID:9220
- C:\Windows\System\ioJMGjs.exe
  C:\Windows\System\ioJMGjs.exe
  2⤵
  PID:9260
- C:\Windows\System\OEfxOvH.exe
  C:\Windows\System\OEfxOvH.exe
  2⤵
  PID:9296
- C:\Windows\System\UfjFbrT.exe
  C:\Windows\System\UfjFbrT.exe
  2⤵
  PID:9312
- C:\Windows\System\ckVyfjd.exe
  C:\Windows\System\ckVyfjd.exe
  2⤵
  PID:9328
- C:\Windows\System\ioQCyNF.exe
  C:\Windows\System\ioQCyNF.exe
  2⤵
  PID:9344
- C:\Windows\System\IFLwSGK.exe
  C:\Windows\System\IFLwSGK.exe
  2⤵
  PID:9360
- C:\Windows\System\UfGQRTh.exe
  C:\Windows\System\UfGQRTh.exe
  2⤵
  PID:9376
- C:\Windows\System\tRHDufR.exe
  C:\Windows\System\tRHDufR.exe
  2⤵
  PID:9392
- C:\Windows\System\SRsdZtk.exe
  C:\Windows\System\SRsdZtk.exe
  2⤵
  PID:9452
- C:\Windows\System\vEZcEPP.exe
  C:\Windows\System\vEZcEPP.exe
  2⤵
  PID:9476
- C:\Windows\System\toPKCSg.exe
  C:\Windows\System\toPKCSg.exe
  2⤵
  PID:9548
- C:\Windows\System\CzeHjxC.exe
  C:\Windows\System\CzeHjxC.exe
  2⤵
  PID:9572
- C:\Windows\System\mVTsNDH.exe
  C:\Windows\System\mVTsNDH.exe
  2⤵
  PID:9596
- C:\Windows\System\icDMJNr.exe
  C:\Windows\System\icDMJNr.exe
  2⤵
  PID:9616
- C:\Windows\System\agkOnkf.exe
  C:\Windows\System\agkOnkf.exe
  2⤵
  PID:9640
- C:\Windows\System\hBnpynP.exe
  C:\Windows\System\hBnpynP.exe
  2⤵
  PID:9660
- C:\Windows\System\aTFfyFf.exe
  C:\Windows\System\aTFfyFf.exe
  2⤵
  PID:9712
- C:\Windows\System\rZQxBWN.exe
  C:\Windows\System\rZQxBWN.exe
  2⤵
  PID:9776
- C:\Windows\System\JhNAhao.exe
  C:\Windows\System\JhNAhao.exe
  2⤵
  PID:9860
- C:\Windows\System\sRHDvnP.exe
  C:\Windows\System\sRHDvnP.exe
  2⤵
  PID:9880
- C:\Windows\System\KrPoHsu.exe
  C:\Windows\System\KrPoHsu.exe
  2⤵
  PID:9912
- C:\Windows\System\mXxYskw.exe
  C:\Windows\System\mXxYskw.exe
  2⤵
  PID:9940
- C:\Windows\System\sOYoprc.exe
  C:\Windows\System\sOYoprc.exe
  2⤵
  PID:9972
- C:\Windows\System\jeQDvhQ.exe
  C:\Windows\System\jeQDvhQ.exe
  2⤵
  PID:10004
- C:\Windows\System\KLJUJQB.exe
  C:\Windows\System\KLJUJQB.exe
  2⤵
  PID:10020
- C:\Windows\System\WLqznkW.exe
  C:\Windows\System\WLqznkW.exe
  2⤵
  PID:10048
- C:\Windows\System\RzolgAJ.exe
  C:\Windows\System\RzolgAJ.exe
  2⤵
  PID:10068
- C:\Windows\System\DEhlyBQ.exe
  C:\Windows\System\DEhlyBQ.exe
  2⤵
  PID:10088
- C:\Windows\System\hwMrJmk.exe
  C:\Windows\System\hwMrJmk.exe
  2⤵
  PID:10108
- C:\Windows\System\nKjeeDb.exe
  C:\Windows\System\nKjeeDb.exe
  2⤵
  PID:10132
- C:\Windows\System\enzYUGt.exe
  C:\Windows\System\enzYUGt.exe
  2⤵
  PID:10156
- C:\Windows\System\KflfrxA.exe
  C:\Windows\System\KflfrxA.exe
  2⤵
  PID:10176
- C:\Windows\System\xTfXqyg.exe
  C:\Windows\System\xTfXqyg.exe
  2⤵
  PID:10212
- C:\Windows\System\eBcphCV.exe
  C:\Windows\System\eBcphCV.exe
  2⤵
  PID:8236
- C:\Windows\System\YTMDHdy.exe
  C:\Windows\System\YTMDHdy.exe
  2⤵
  PID:8552
- C:\Windows\System\QvQlqVv.exe
  C:\Windows\System\QvQlqVv.exe
  2⤵
  PID:8736
- C:\Windows\System\dnQgXQx.exe
  C:\Windows\System\dnQgXQx.exe
  2⤵
  PID:8768
- C:\Windows\System\yGndynb.exe
  C:\Windows\System\yGndynb.exe
  2⤵
  PID:9272
- C:\Windows\System\pAmpBBg.exe
  C:\Windows\System\pAmpBBg.exe
  2⤵
  PID:9484
- C:\Windows\System\yxXsZtH.exe
  C:\Windows\System\yxXsZtH.exe
  2⤵
  PID:8932
- C:\Windows\System\qBXJkrO.exe
  C:\Windows\System\qBXJkrO.exe
  2⤵
  PID:9292
- C:\Windows\System\odTjpor.exe
  C:\Windows\System\odTjpor.exe
  2⤵
  PID:9324
- C:\Windows\System\TFodmKW.exe
  C:\Windows\System\TFodmKW.exe
  2⤵
  PID:9356
- C:\Windows\System\TxJyoLi.exe
  C:\Windows\System\TxJyoLi.exe
  2⤵
  PID:9460
- C:\Windows\System\UUPyCUl.exe
  C:\Windows\System\UUPyCUl.exe
  2⤵
  PID:9564
- C:\Windows\System\HrWqgGZ.exe
  C:\Windows\System\HrWqgGZ.exe
  2⤵
  PID:9608
- C:\Windows\System\IYfWqiD.exe
  C:\Windows\System\IYfWqiD.exe
  2⤵
  PID:1164
- C:\Windows\System\cAweyJY.exe
  C:\Windows\System\cAweyJY.exe
  2⤵
  PID:9796
- C:\Windows\System\huBLYpK.exe
  C:\Windows\System\huBLYpK.exe
  2⤵
  PID:9848
- C:\Windows\System\vLOfJjT.exe
  C:\Windows\System\vLOfJjT.exe
  2⤵
  PID:9968
- C:\Windows\System\dSFiGkI.exe
  C:\Windows\System\dSFiGkI.exe
  2⤵
  PID:10044
- C:\Windows\System\yCSZjsQ.exe
  C:\Windows\System\yCSZjsQ.exe
  2⤵
  PID:10060
- C:\Windows\System\tVsYPpn.exe
  C:\Windows\System\tVsYPpn.exe
  2⤵
  PID:10064
- C:\Windows\System\lOlktYy.exe
  C:\Windows\System\lOlktYy.exe
  2⤵
  PID:10128
- C:\Windows\System\iainVSh.exe
  C:\Windows\System\iainVSh.exe
  2⤵
  PID:10164
- C:\Windows\System\ixQbNKu.exe
  C:\Windows\System\ixQbNKu.exe
  2⤵
  PID:4896
- C:\Windows\System\EXkAMDX.exe
  C:\Windows\System\EXkAMDX.exe
  2⤵
  PID:9008
- C:\Windows\System\BdBZLfs.exe
  C:\Windows\System\BdBZLfs.exe
  2⤵
  PID:8864
- C:\Windows\System\POMzWAy.exe
  C:\Windows\System\POMzWAy.exe
  2⤵
  PID:9288
- C:\Windows\System\CyongIc.exe
  C:\Windows\System\CyongIc.exe
  2⤵
  PID:9684
- C:\Windows\System\mAVpckO.exe
  C:\Windows\System\mAVpckO.exe
  2⤵
  PID:9832
- C:\Windows\System\BgagsJV.exe
  C:\Windows\System\BgagsJV.exe
  2⤵
  PID:9908
- C:\Windows\System\VyvqZlN.exe
  C:\Windows\System\VyvqZlN.exe
  2⤵
  PID:9932
- C:\Windows\System\NtAcsPV.exe
  C:\Windows\System\NtAcsPV.exe
  2⤵
  PID:10104
- C:\Windows\System\WqOTkml.exe
  C:\Windows\System\WqOTkml.exe
  2⤵
  PID:9444
- C:\Windows\System\tztuNRP.exe
  C:\Windows\System\tztuNRP.exe
  2⤵
  PID:9320
- C:\Windows\System\uOvyHeG.exe
  C:\Windows\System\uOvyHeG.exe
  2⤵
  PID:9588
- C:\Windows\System\pCDITWx.exe
  C:\Windows\System\pCDITWx.exe
  2⤵
  PID:10148
- C:\Windows\System\sEkeYty.exe
  C:\Windows\System\sEkeYty.exe
  2⤵
  PID:9308
- C:\Windows\System\WraHuOh.exe
  C:\Windows\System\WraHuOh.exe
  2⤵
  PID:9732
- C:\Windows\System\ZIPGmZZ.exe
  C:\Windows\System\ZIPGmZZ.exe
  2⤵
  PID:10028
- C:\Windows\System\sbZMIaz.exe
  C:\Windows\System\sbZMIaz.exe
  2⤵
  PID:10252
- C:\Windows\System\YICjmir.exe
  C:\Windows\System\YICjmir.exe
  2⤵
  PID:10300
- C:\Windows\System\fsfzbEa.exe
  C:\Windows\System\fsfzbEa.exe
  2⤵
  PID:10328
- C:\Windows\System\DUDLjng.exe
  C:\Windows\System\DUDLjng.exe
  2⤵
  PID:10344
- C:\Windows\System\yEAfwwq.exe
  C:\Windows\System\yEAfwwq.exe
  2⤵
  PID:10364
- C:\Windows\System\cYqvGkQ.exe
  C:\Windows\System\cYqvGkQ.exe
  2⤵
  PID:10392
- C:\Windows\System\egVLhsB.exe
  C:\Windows\System\egVLhsB.exe
  2⤵
  PID:10428
- C:\Windows\System\YIEvWzt.exe
  C:\Windows\System\YIEvWzt.exe
  2⤵
  PID:10444
- C:\Windows\System\pWDrbtd.exe
  C:\Windows\System\pWDrbtd.exe
  2⤵
  PID:10464
- C:\Windows\System\QcMRGij.exe
  C:\Windows\System\QcMRGij.exe
  2⤵
  PID:10548
- C:\Windows\System\XMNeyvv.exe
  C:\Windows\System\XMNeyvv.exe
  2⤵
  PID:10564
- C:\Windows\System\gzskTyu.exe
  C:\Windows\System\gzskTyu.exe
  2⤵
  PID:10584
- C:\Windows\System\sZhWWSD.exe
  C:\Windows\System\sZhWWSD.exe
  2⤵
  PID:10616
- C:\Windows\System\OkTdJsn.exe
  C:\Windows\System\OkTdJsn.exe
  2⤵
  PID:10636
- C:\Windows\System\Norayxe.exe
  C:\Windows\System\Norayxe.exe
  2⤵
  PID:10652
- C:\Windows\System\zbvHIhi.exe
  C:\Windows\System\zbvHIhi.exe
  2⤵
  PID:10672
- C:\Windows\System\QEVnGBx.exe
  C:\Windows\System\QEVnGBx.exe
  2⤵
  PID:10704
- C:\Windows\System\JQBwveO.exe
  C:\Windows\System\JQBwveO.exe
  2⤵
  PID:10724
- C:\Windows\System\aetuurn.exe
  C:\Windows\System\aetuurn.exe
  2⤵
  PID:10744
- C:\Windows\System\xyYOYMl.exe
  C:\Windows\System\xyYOYMl.exe
  2⤵
  PID:10768
- C:\Windows\System\FoUMqJR.exe
  C:\Windows\System\FoUMqJR.exe
  2⤵
  PID:10820
- C:\Windows\System\gLCbEpL.exe
  C:\Windows\System\gLCbEpL.exe
  2⤵
  PID:10860
- C:\Windows\System\rsrDTqA.exe
  C:\Windows\System\rsrDTqA.exe
  2⤵
  PID:10884
- C:\Windows\System\uInbeFP.exe
  C:\Windows\System\uInbeFP.exe
  2⤵
  PID:10932
- C:\Windows\System\sYQxmaX.exe
  C:\Windows\System\sYQxmaX.exe
  2⤵
  PID:10956
- C:\Windows\System\ndIPOWW.exe
  C:\Windows\System\ndIPOWW.exe
  2⤵
  PID:10984
- C:\Windows\System\WyVRlMg.exe
  C:\Windows\System\WyVRlMg.exe
  2⤵
  PID:11008
- C:\Windows\System\EizMAEl.exe
  C:\Windows\System\EizMAEl.exe
  2⤵
  PID:11044
- C:\Windows\System\MKDMeKt.exe
  C:\Windows\System\MKDMeKt.exe
  2⤵
  PID:11068
- C:\Windows\System\pzRCdXw.exe
  C:\Windows\System\pzRCdXw.exe
  2⤵
  PID:11084
- C:\Windows\System\RYFpwrv.exe
  C:\Windows\System\RYFpwrv.exe
  2⤵
  PID:11104
- C:\Windows\System\WzabPIj.exe
  C:\Windows\System\WzabPIj.exe
  2⤵
  PID:11164
- C:\Windows\System\SgRWVYF.exe
  C:\Windows\System\SgRWVYF.exe
  2⤵
  PID:11180
- C:\Windows\System\TlXJKHA.exe
  C:\Windows\System\TlXJKHA.exe
  2⤵
  PID:11200
- C:\Windows\System\biqHabk.exe
  C:\Windows\System\biqHabk.exe
  2⤵
  PID:11224
- C:\Windows\System\oSVsbOQ.exe
  C:\Windows\System\oSVsbOQ.exe
  2⤵
  PID:9268
- C:\Windows\System\zdymmuD.exe
  C:\Windows\System\zdymmuD.exe
  2⤵
  PID:10264
- C:\Windows\System\CZxdAAu.exe
  C:\Windows\System\CZxdAAu.exe
  2⤵
  PID:10356
- C:\Windows\System\qNWsUTC.exe
  C:\Windows\System\qNWsUTC.exe
  2⤵
  PID:10388
- C:\Windows\System\cAbNIXX.exe
  C:\Windows\System\cAbNIXX.exe
  2⤵
  PID:10416
- C:\Windows\System\HrNKePa.exe
  C:\Windows\System\HrNKePa.exe
  2⤵
  PID:10500
- C:\Windows\System\pjVVijD.exe
  C:\Windows\System\pjVVijD.exe
  2⤵
  PID:10556
- C:\Windows\System\XlRZrwN.exe
  C:\Windows\System\XlRZrwN.exe
  2⤵
  PID:10608
- C:\Windows\System\efjrGOc.exe
  C:\Windows\System\efjrGOc.exe
  2⤵
  PID:10664
- C:\Windows\System\ULEuBFe.exe
  C:\Windows\System\ULEuBFe.exe
  2⤵
  PID:10648
- C:\Windows\System\LHADkfi.exe
  C:\Windows\System\LHADkfi.exe
  2⤵
  PID:10800
- C:\Windows\System\mEDTZet.exe
  C:\Windows\System\mEDTZet.exe
  2⤵
  PID:10924
- C:\Windows\System\xWkpZEP.exe
  C:\Windows\System\xWkpZEP.exe
  2⤵
  PID:10968
- C:\Windows\System\kyFobvc.exe
  C:\Windows\System\kyFobvc.exe
  2⤵
  PID:11000
- C:\Windows\System\aqaaqEf.exe
  C:\Windows\System\aqaaqEf.exe
  2⤵
  PID:11112
- C:\Windows\System\DmpRBQb.exe
  C:\Windows\System\DmpRBQb.exe
  2⤵
  PID:11176
- C:\Windows\System\DUdabzV.exe
  C:\Windows\System\DUdabzV.exe
  2⤵
  PID:11244
- C:\Windows\System\BllGRwJ.exe
  C:\Windows\System\BllGRwJ.exe
  2⤵
  PID:10400
- C:\Windows\System\CeVkFIm.exe
  C:\Windows\System\CeVkFIm.exe
  2⤵
  PID:10580
- C:\Windows\System\BAUUKTQ.exe
  C:\Windows\System\BAUUKTQ.exe
  2⤵
  PID:10712
- C:\Windows\System\rwrbiGF.exe
  C:\Windows\System\rwrbiGF.exe
  2⤵
  PID:10720
- C:\Windows\System\eMpYsXX.exe
  C:\Windows\System\eMpYsXX.exe
  2⤵
  PID:10952
- C:\Windows\System\ecenWML.exe
  C:\Windows\System\ecenWML.exe
  2⤵
  PID:11036
- C:\Windows\System\UPBqnPi.exe
  C:\Windows\System\UPBqnPi.exe
  2⤵
  PID:10292
- C:\Windows\System\Kcuofzf.exe
  C:\Windows\System\Kcuofzf.exe
  2⤵
  PID:10420
- C:\Windows\System\UXWFOis.exe
  C:\Windows\System\UXWFOis.exe
  2⤵
  PID:10872
- C:\Windows\System\yReVutL.exe
  C:\Windows\System\yReVutL.exe
  2⤵
  PID:11160
- C:\Windows\System\mdZTWPq.exe
  C:\Windows\System\mdZTWPq.exe
  2⤵
  PID:11280
- C:\Windows\System\POGfdwz.exe
  C:\Windows\System\POGfdwz.exe
  2⤵
  PID:11304
- C:\Windows\System\pSKjuvG.exe
  C:\Windows\System\pSKjuvG.exe
  2⤵
  PID:11332
- C:\Windows\System\IOsCkGn.exe
  C:\Windows\System\IOsCkGn.exe
  2⤵
  PID:11356
- C:\Windows\System\vOOobVJ.exe
  C:\Windows\System\vOOobVJ.exe
  2⤵
  PID:11376
- C:\Windows\System\jLnYhaV.exe
  C:\Windows\System\jLnYhaV.exe
  2⤵
  PID:11400
- C:\Windows\System\ycMrazb.exe
  C:\Windows\System\ycMrazb.exe
  2⤵
  PID:11432
- C:\Windows\System\XUPRWps.exe
  C:\Windows\System\XUPRWps.exe
  2⤵
  PID:11456
- C:\Windows\System\EhOUqol.exe
  C:\Windows\System\EhOUqol.exe
  2⤵
  PID:11480
- C:\Windows\System\elZbACX.exe
  C:\Windows\System\elZbACX.exe
  2⤵
  PID:11512
- C:\Windows\System\XvaikqS.exe
  C:\Windows\System\XvaikqS.exe
  2⤵
  PID:11532
- C:\Windows\System\alPAfhR.exe
  C:\Windows\System\alPAfhR.exe
  2⤵
  PID:11564
- C:\Windows\System\wVHvZEZ.exe
  C:\Windows\System\wVHvZEZ.exe
  2⤵
  PID:11584
- C:\Windows\System\Hoaqhsa.exe
  C:\Windows\System\Hoaqhsa.exe
  2⤵
  PID:11620
- C:\Windows\System\kjsFrZS.exe
  C:\Windows\System\kjsFrZS.exe
  2⤵
  PID:11636
- C:\Windows\System\aXgexhU.exe
  C:\Windows\System\aXgexhU.exe
  2⤵
  PID:11660
- C:\Windows\System\rlQCJsy.exe
  C:\Windows\System\rlQCJsy.exe
  2⤵
  PID:11696
- C:\Windows\System\CbENkrk.exe
  C:\Windows\System\CbENkrk.exe
  2⤵
  PID:11764
- C:\Windows\System\LpNxjTn.exe
  C:\Windows\System\LpNxjTn.exe
  2⤵
  PID:11780
- C:\Windows\System\yRcOeed.exe
  C:\Windows\System\yRcOeed.exe
  2⤵
  PID:11804
- C:\Windows\System\LgGHYio.exe
  C:\Windows\System\LgGHYio.exe
  2⤵
  PID:11824
- C:\Windows\System\EakUdBm.exe
  C:\Windows\System\EakUdBm.exe
  2⤵
  PID:11876
- C:\Windows\System\BWsbQxj.exe
  C:\Windows\System\BWsbQxj.exe
  2⤵
  PID:11896
- C:\Windows\System\UwtuqRO.exe
  C:\Windows\System\UwtuqRO.exe
  2⤵
  PID:11912
- C:\Windows\System\OWqyRjS.exe
  C:\Windows\System\OWqyRjS.exe
  2⤵
  PID:11956
- C:\Windows\System\jvbRGYF.exe
  C:\Windows\System\jvbRGYF.exe
  2⤵
  PID:12008
- C:\Windows\System\NljZSsY.exe
  C:\Windows\System\NljZSsY.exe
  2⤵
  PID:12028
- C:\Windows\System\QfMrKgl.exe
  C:\Windows\System\QfMrKgl.exe
  2⤵
  PID:12052
- C:\Windows\System\tmktMKX.exe
  C:\Windows\System\tmktMKX.exe
  2⤵
  PID:12072
- C:\Windows\System\CITnuKn.exe
  C:\Windows\System\CITnuKn.exe
  2⤵
  PID:12096
- C:\Windows\System\QwXbcIu.exe
  C:\Windows\System\QwXbcIu.exe
  2⤵
  PID:12112
- C:\Windows\System\KOUCWZL.exe
  C:\Windows\System\KOUCWZL.exe
  2⤵
  PID:12132
- C:\Windows\System\DPAWbCp.exe
  C:\Windows\System\DPAWbCp.exe
  2⤵
  PID:12152
- C:\Windows\System\BxTvEip.exe
  C:\Windows\System\BxTvEip.exe
  2⤵
  PID:12172
- C:\Windows\System\xOaVVWZ.exe
  C:\Windows\System\xOaVVWZ.exe
  2⤵
  PID:12200
- C:\Windows\System\TqfmUKv.exe
  C:\Windows\System\TqfmUKv.exe
  2⤵
  PID:12244
- C:\Windows\System\lOaOyqJ.exe
  C:\Windows\System\lOaOyqJ.exe
  2⤵
  PID:12284
- C:\Windows\System\ogHgBoc.exe
  C:\Windows\System\ogHgBoc.exe
  2⤵
  PID:11272
- C:\Windows\System\bQtZehH.exe
  C:\Windows\System\bQtZehH.exe
  2⤵
  PID:11348
- C:\Windows\System\xNFzSpi.exe
  C:\Windows\System\xNFzSpi.exe
  2⤵
  PID:11440
- C:\Windows\System\IfJrKHc.exe
  C:\Windows\System\IfJrKHc.exe
  2⤵
  PID:11500
- C:\Windows\System\djOCmMu.exe
  C:\Windows\System\djOCmMu.exe
  2⤵
  PID:11528
- C:\Windows\System\ImJAEix.exe
  C:\Windows\System\ImJAEix.exe
  2⤵
  PID:10688
- C:\Windows\System\PxbNlPa.exe
  C:\Windows\System\PxbNlPa.exe
  2⤵
  PID:11688
- C:\Windows\System\ZlvtAuP.exe
  C:\Windows\System\ZlvtAuP.exe
  2⤵
  PID:11676
- C:\Windows\System\uNRpCtw.exe
  C:\Windows\System\uNRpCtw.exe
  2⤵
  PID:11744
- C:\Windows\System\PyobWuz.exe
  C:\Windows\System\PyobWuz.exe
  2⤵
  PID:11892
- C:\Windows\System\STOCraV.exe
  C:\Windows\System\STOCraV.exe
  2⤵
  PID:11952
- C:\Windows\System\tpgbWCC.exe
  C:\Windows\System\tpgbWCC.exe
  2⤵
  PID:11964
- C:\Windows\System\pczKLVI.exe
  C:\Windows\System\pczKLVI.exe
  2⤵
  PID:12080
- C:\Windows\System\hsJOuab.exe
  C:\Windows\System\hsJOuab.exe
  2⤵
  PID:12160
- C:\Windows\System\uFoedbg.exe
  C:\Windows\System\uFoedbg.exe
  2⤵
  PID:12256
- C:\Windows\System\aQnwSJC.exe
  C:\Windows\System\aQnwSJC.exe
  2⤵
  PID:12280
- C:\Windows\System\BZPOQXd.exe
  C:\Windows\System\BZPOQXd.exe
  2⤵
  PID:11324
- C:\Windows\System\oKpfpAq.exe
  C:\Windows\System\oKpfpAq.exe
  2⤵
  PID:11472
- C:\Windows\System\SaPjbEx.exe
  C:\Windows\System\SaPjbEx.exe
  2⤵
  PID:11580
- C:\Windows\System\bUlRhbp.exe
  C:\Windows\System\bUlRhbp.exe
  2⤵
  PID:11820
- C:\Windows\System\lIoiKvt.exe
  C:\Windows\System\lIoiKvt.exe
  2⤵
  PID:1492
- C:\Windows\System\PXuqVJa.exe
  C:\Windows\System\PXuqVJa.exe
  2⤵
  PID:12184
- C:\Windows\System\oWKgpPD.exe
  C:\Windows\System\oWKgpPD.exe
  2⤵
  PID:12088
- C:\Windows\System\dyCBkxB.exe
  C:\Windows\System\dyCBkxB.exe
  2⤵
  PID:11416
- C:\Windows\System\aGJETaV.exe
  C:\Windows\System\aGJETaV.exe
  2⤵
  PID:12232
- C:\Windows\System\KKfFTxI.exe
  C:\Windows\System\KKfFTxI.exe
  2⤵
  PID:11576
- C:\Windows\System\xRCjuaU.exe
  C:\Windows\System\xRCjuaU.exe
  2⤵
  PID:11936
- C:\Windows\System\lMXFgLs.exe
  C:\Windows\System\lMXFgLs.exe
  2⤵
  PID:11992
- C:\Windows\System\CHKzXnt.exe
  C:\Windows\System\CHKzXnt.exe
  2⤵
  PID:4788
- C:\Windows\System\mRkSVGi.exe
  C:\Windows\System\mRkSVGi.exe
  2⤵
  PID:12304
- C:\Windows\System\XNROSHF.exe
  C:\Windows\System\XNROSHF.exe
  2⤵
  PID:12372
- C:\Windows\System\kyrBPCT.exe
  C:\Windows\System\kyrBPCT.exe
  2⤵
  PID:12388
- C:\Windows\System\afWfbYr.exe
  C:\Windows\System\afWfbYr.exe
  2⤵
  PID:12424
- C:\Windows\System\DtuCUGn.exe
  C:\Windows\System\DtuCUGn.exe
  2⤵
  PID:12460
- C:\Windows\System\eneGkVo.exe
  C:\Windows\System\eneGkVo.exe
  2⤵
  PID:12484
- C:\Windows\System\plTlHLX.exe
  C:\Windows\System\plTlHLX.exe
  2⤵
  PID:12508
- C:\Windows\System\VlsCFFZ.exe
  C:\Windows\System\VlsCFFZ.exe
  2⤵
  PID:12524
- C:\Windows\System\oQItycs.exe
  C:\Windows\System\oQItycs.exe
  2⤵
  PID:12552
- C:\Windows\System\JWKVsyh.exe
  C:\Windows\System\JWKVsyh.exe
  2⤵
  PID:12604
- C:\Windows\System\FlfPnlb.exe
  C:\Windows\System\FlfPnlb.exe
  2⤵
  PID:12628
- C:\Windows\System\YuIYvgr.exe
  C:\Windows\System\YuIYvgr.exe
  2⤵
  PID:12648
- C:\Windows\System\xvkPnRN.exe
  C:\Windows\System\xvkPnRN.exe
  2⤵
  PID:12668
- C:\Windows\System\zAzmbRN.exe
  C:\Windows\System\zAzmbRN.exe
  2⤵
  PID:12688
- C:\Windows\System\cTpTVNk.exe
  C:\Windows\System\cTpTVNk.exe
  2⤵
  PID:12704
- C:\Windows\System\VgKyoMF.exe
  C:\Windows\System\VgKyoMF.exe
  2⤵
  PID:12724
- C:\Windows\System\VjNwwwL.exe
  C:\Windows\System\VjNwwwL.exe
  2⤵
  PID:12756
- C:\Windows\System\WeMAFcl.exe
  C:\Windows\System\WeMAFcl.exe
  2⤵
  PID:12776
- C:\Windows\System\YQcTMZZ.exe
  C:\Windows\System\YQcTMZZ.exe
  2⤵
  PID:12844
- C:\Windows\System\iePuvRt.exe
  C:\Windows\System\iePuvRt.exe
  2⤵
  PID:12868
- C:\Windows\System\UZOAqRI.exe
  C:\Windows\System\UZOAqRI.exe
  2⤵
  PID:12912
- C:\Windows\System\YHuMypZ.exe
  C:\Windows\System\YHuMypZ.exe
  2⤵
  PID:12936
- C:\Windows\System\oAYdUWa.exe
  C:\Windows\System\oAYdUWa.exe
  2⤵
  PID:12956
- C:\Windows\System\YAKGifm.exe
  C:\Windows\System\YAKGifm.exe
  2⤵
  PID:12972
- C:\Windows\System\AmhdPVW.exe
  C:\Windows\System\AmhdPVW.exe
  2⤵
  PID:12992
- C:\Windows\System\HqbFUha.exe
  C:\Windows\System\HqbFUha.exe
  2⤵
  PID:13016
- C:\Windows\System\qjgHGwq.exe
  C:\Windows\System\qjgHGwq.exe
  2⤵
  PID:13068
- C:\Windows\System\AuGCcBC.exe
  C:\Windows\System\AuGCcBC.exe
  2⤵
  PID:13180
- C:\Windows\System\xzQBxUw.exe
  C:\Windows\System\xzQBxUw.exe
  2⤵
  PID:13264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qwuih5ag.f1m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AMIEGXT.exe

Filesize
1.7MB

MD5
d4a1d35300f771c3b579962ccabb97d3

SHA1
0b22d37cb8f1d86f1187207239e6b04a099ac538

SHA256
7118213c6133f311adad5c44bc391ae1a65c8b36d3fe25cee3bb281257812f60

SHA512
ff309853b66741d23fd82f096811ee3ef56aefe700d40c483ed4dcc5c4a1ba7bd89f7946c01eab9b84fc14068d4a7d5f954754cdd389e7e5f7d145e1cacfb72d

Download Submit
C:\Windows\System\AZRdWxo.exe

Filesize
1.7MB

MD5
5d3fbf8815e2811f597489b02d02f3d5

SHA1
05dc9ef0c247eb6415b39e7503922fdaa9e3d33c

SHA256
fe544825159afe979dc1007a47fa7e7f45c91e0931ef848f8565905573d124b0

SHA512
031731256d0db5077630c7cba439fcb39ef4441850707ec98f08f9bfdd1214259d2db024c7f022c7fbd60945c8e241da523e2cbee02d21f742c5f14366ee8044

Download Submit
C:\Windows\System\BdEOehA.exe

Filesize
1.7MB

MD5
caea617c8337913c701dd9bc2d82d8d3

SHA1
493e74840ac661afe25f051c48df96987e67a6c3

SHA256
0047bc1f8e72a1572e2431b87d576590164a9a44a94fe2b33c59bce48c6e3b57

SHA512
b082321b730fa179847f81fcf146cd98af3e24c787a158d5bd0554ee87ed1c9a15dde1c4796e0a157c5dfd1bb6350249ddff46037d60c2e5b5ab5bd3da4c793a

Download Submit
C:\Windows\System\GmdIKiN.exe

Filesize
1.7MB

MD5
866a404ae8128c5d177068449677cf96

SHA1
9191d499626834cae3deb2ef2901225ddb509cd9

SHA256
b7019d91a368b4f9364e1789a6fdca094c6d087f07911e7532bef2eb6be82921

SHA512
8d06870675c7b45b99a6bdb8bb0a584bc7bd92b81d365c813d1da1360ed58a208a440f6fc1e03dfa567b220c92fe8b085518e895450bb18bd523e4d93006846e

Download Submit
C:\Windows\System\HZrVxvD.exe

Filesize
1.7MB

MD5
ca0bbb301ac30d793e00ec6cb54b45c1

SHA1
c54f1f75e5fe19bb552ef72c3018a30d4b6db112

SHA256
84686554af1d949b926264e398af2c64284652f37e483aa28503ad78c425dd37

SHA512
9b2de95e0129ed34138db037da6250e92861a880aea225038df91a7eda21ea94884c9ce65b18ad721481bebcee70d5bfaecd83d74ca967c5396fc7d290b48a2f

Download Submit
C:\Windows\System\JVUkWzb.exe

Filesize
1.7MB

MD5
ffaeefe7c8183b212303b74836a3fa0f

SHA1
57a1f3b75a55d19e34daa7efbf2d737c72f41ada

SHA256
977ab92d6e794c88a92a7518e10d384742b6bba413094fee81544158e1260420

SHA512
7add065e133188207770055ffd63dbefc2d2460c9804213705ff3677f017de7723b38a30e59b8ee7ac6c51ecb528ba3a91d8698547b4924a748b7fabdd5b926f

Download Submit
C:\Windows\System\JqWyrvK.exe

Filesize
1.7MB

MD5
3337085557b7feee0cc5d06ab92ddd1b

SHA1
799682bee2f006b5ea7542580fba2933eed4139d

SHA256
0dcc5ca35e7d2dbaa0713dbae3d47a63b4d0446cebf71f71318690bce13771e2

SHA512
3ca978350999c7215b81c5ce3df2517f4cf07193d70d5e4a8103eea87fe182f37f6ec33936a018b050a4fbb8c9092766d9052272c5f2eda3e1bf1920034d8f90

Download Submit
C:\Windows\System\KgxIqgf.exe

Filesize
1.7MB

MD5
f34657bb2b04385648609eff610201c1

SHA1
2f46f2c0a59bbf6ae12821ee2eb1f163c32999d6

SHA256
8bd68609c8e3a96c4e3316cb263f136f75e7e5422737275cd1b4fdfcff6a8a15

SHA512
5752ec9318b1052892493d2a6b8fe53275ee2fa8fec0997658687b3ef950e7f24aa8be9e582e712bb032f6ca8fd9f8149228f1f21dca45a28eccd4087c9f8699

Download Submit
C:\Windows\System\LbIpfFn.exe

Filesize
1.7MB

MD5
fa95a6697e97eaa10cdf773b8d98ccb2

SHA1
433127a22d6a6d884c8987ec2934c7f640b27b80

SHA256
eed151d17d74cf2f3110eb0bdc6116ca7a6ba64434d265a518bb735345f26486

SHA512
0cdb793545065ede89a8c7ec6d5fb22693d78f28ea38e50972eeac5ccbccf08dec82bc62b9c8a844fcf58745fcc6035d82cb193a6e1e19057a191887d1820ab3

Download Submit
C:\Windows\System\ONKcFeU.exe

Filesize
1.7MB

MD5
5d3e2c349c7a3796d1b4aea9f11b3449

SHA1
7aeaf43b9997e7ff29880a19ffbe00d7cbfbfda4

SHA256
0f2dda528fcfde1de2d0cfe7a049ee7b965ff228a4c2254d7c66b384726a5701

SHA512
8339267d0d39322dae4a32f23f3a47e9d1b187f6a1979d65e46fc1fd7f18edfabaa8b7c75daa7e59f71a8519a4e288797e12b253e3f7c7655c94359f1a81ddf1

Download Submit
C:\Windows\System\RdJNJbO.exe

Filesize
1.7MB

MD5
75a1e1b6029292b79f97f7786b0f592d

SHA1
c52ca81c3f510cb17bdee3642d70af039273ad87

SHA256
2117dd2320ca80732a43df8c70d784893394978cabc81ea1f0965a88e062d60d

SHA512
a8a4c5fcd6fe297a6a55156eb848fd6370f080bc1986ae7f442c4a4c304babe1b538b10f3b5d045a0c521333cfba7bfd958a8a386ebb6be3724fc558aa012988

Download Submit
C:\Windows\System\TUZMWua.exe

Filesize
8B

MD5
20f50227b408431507e9e4298a89a7d5

SHA1
021be5cef03ca413a261257f3fa674d51e4eaecb

SHA256
f053af72ebaae8c20b4aa760dccbaa50d5e8c1b0612207e6dff562e592b0ee16

SHA512
a69e9f155961cdfb2c580f410cf1f9148255cadde0f420c64800ffc84ebbf2c4fc4d8c24eda7cee14ae357ad0398853cbe4f84f9db0bb9573e1f43351f2da9c0

Download Submit
C:\Windows\System\UmZmaGo.exe

Filesize
1.7MB

MD5
6c7b64257868affa99944b00c8ca988b

SHA1
6f9d7119653a24534eb14c3e1aa0004761c489cb

SHA256
7438aad117dbc13a6226160f1af2dd01264dade4b513bed7bfc98acaf23ed3e5

SHA512
0de4bd007371fa3e41ccdb0a3aceb9b0ee769410d4ac5183d4681cde94e356d1da8323cd80c1ee93002281e3027c07b1eb28332dcd176ba3e432ddc32e13feb2

Download Submit
C:\Windows\System\VQxSzTd.exe

Filesize
1.7MB

MD5
11b622f2927c854d68f9bf91d8504136

SHA1
5c0a197d61466e563f84b561d41563d64e83924b

SHA256
b26059b11755ea624ea28695581a1c7cabff8fa4ccad9e1207e784a49387d6e9

SHA512
713524e35463f64cc385d6985a96524c4882c6de0611c8b05dcfdf50adbd442f2cd12bdd891e5eba6f68cf6273728a9f8ef2bc8faaee49685bc2e7c7af5ed6a9

Download Submit
C:\Windows\System\VUhPERt.exe

Filesize
1.7MB

MD5
838792285aaf5d14d6c64c13c2bf07e6

SHA1
d6c7faa1c6280916d846b5812499077527de4b0d

SHA256
c92b41e70c6a1a58bbf8c22fcc2287731a1a0917827111bdc87597db9404a103

SHA512
a46f7551d44c2ef646eb31714e889a9e036f949de80ec8b98f34558ffcf02395852099f711187a894d4a4d6cfeae52220be2b0a66ed1396a53de8b9f0ad937f2

Download Submit
C:\Windows\System\WowiCxC.exe

Filesize
1.7MB

MD5
9a495f8fecd149616ae3c71dd9d106a0

SHA1
1a5eef280111d283dbb0689de0d198fe71325497

SHA256
a691ce398ed21a4eda0fa9d6d045aa155a6c1950b376e786f9037ffd9f87cea7

SHA512
bcd4fdb79f3fd177b0c1d211f9b946d0f36c4aa524d4464effbe1b8a036d284e574fd3192df8074e679662297550002d096c306e56dcf383e774363513cb7fc5

Download Submit
C:\Windows\System\XPMFjJW.exe

Filesize
1.7MB

MD5
dfdce9599ac4a52053764c5d0a0dc39e

SHA1
8907f7df356fcf07e93d1e071bcb9a9be6d7d602

SHA256
cd2ff865b3f361dced3994029284d26097300b54dd1824c05f979c2be9aca2ac

SHA512
97780e1a0982f92b53470cc14bf9eeb250ce8d17170a2b0d710988ac889bb85e610f54f01873351c1358841426d2daea0b30065821ba88ede4d781fbf29c19be

Download Submit
C:\Windows\System\YBMevIH.exe

Filesize
1.7MB

MD5
e7ed8db03e8ef063728c4e73010cd771

SHA1
bd25030820d06474559844fc339fea9dc46be3a7

SHA256
edd7986c1137ae6c573c2e34d16141ae53d2c34f77b351b60f9c6a5b3f211575

SHA512
b01c35031c35a19fc6c190aa54174efbe4c8915c5b643f84e35086a92de549257acc7030be11fcc8041190442e28e602f3d430f880d92a17324965bb6bbc6070

Download Submit
C:\Windows\System\ZPtMMiz.exe

Filesize
1.7MB

MD5
b617c07cabdef54817f748981da91149

SHA1
bae7546d412f48df3c1abc3e35c2d4ca99029db7

SHA256
c0cdf8f27985a7f41bcbdeee9ff45d00521bdbe69e3bdfe8201178b6c4273947

SHA512
dd95a85a6672c0b68646bd8c257a9e4cc373193038ae56883b2fbc97c3aeb3a977d153818c903d50bcdc01a69aa4ffc149d68f30c49cc50b644bbb1da0574701

Download Submit
C:\Windows\System\ZWqpsLW.exe

Filesize
1.7MB

MD5
eee2cb3f95722826bd4076e4d05fc61f

SHA1
9421aa157df5790cf79b2ed2ab7c42a27af9ff8b

SHA256
592962bcd424a8932b13a35782a9f81a3793d6fad51fb5cad50626bd79cbbe3f

SHA512
41e054c47cae27a80d900c128997aa44a439d1c142e88acd56432b0b0168c99417090f456b5a09272f9ec814e3aa86309dbe868c80e2fdec0acddcbf4962bf95

Download Submit
C:\Windows\System\ZzHASxL.exe

Filesize
1.7MB

MD5
725307fda6f7ea0ce2a808efed924d6c

SHA1
5c19bd5c22da0fca974e75274a48be3c5d75f5a0

SHA256
837aeeb353d3149eea0f2d441f8b67fc4bc1dd3446584c62d73ec2daffe0e525

SHA512
bf900a80aba1d065d67818e5c56564565365a0125801368a6cce9adec23f1f880f2f709a4a11f4aa0dabae335711c08bc551946846c1145c58e1fc2054e9da56

Download Submit
C:\Windows\System\bASdtsV.exe

Filesize
1.7MB

MD5
d9c3e9876a799f486742f5eafdf00b07

SHA1
fbc549b327722c1a2dce8cee8966ebbc9601b314

SHA256
abeb9f4d6a3700b58573515d57bf976d182d68151fba427b8471cb4c5452a124

SHA512
3d0cc5094feb90483a9a7f00e9e464fcaff74df7895e698165e13efb425e0411ae27be4d6ba02c87639f76fa0e723358e128c72e39bf775083fee47209060129

Download Submit
C:\Windows\System\dSfREqT.exe

Filesize
1.7MB

MD5
80c7e13849d4dcdd18b72fad4f03d19f

SHA1
918e80de007277828236f1091dfc7fb02a097e94

SHA256
2557da57ec04d82c47c333c0552ccf1f45b295abbdcb01126bf50bf8d9b26d44

SHA512
c0c1445ac3faccf76a17d228ba1a0fd33051d39b5854a343f6170075317fcf41f60463a64613c804f0628a90f7b9a503f2a09a2797fba2744ef3ec090af85712

Download Submit
C:\Windows\System\fXiwSNz.exe

Filesize
1.7MB

MD5
736e2e269c9e472017e9de4cb6c86040

SHA1
3cddfe52e67f7b8e11539ae8400eab2a9b62ed8a

SHA256
42357f2dca667ebcbe17b65de9a80e4ed29974fb57d0c173b619b996ddd5bcc6

SHA512
05d46bae2ab7aad1c6f603a17a2e9cdce3a419f2a202d3753d45a877e6149c64f50a6168c57ad006ef8dd9a3829662f880404e3542bd4fc04c128b9f4b85783c

Download Submit
C:\Windows\System\hkTWvkB.exe

Filesize
1.7MB

MD5
025b1fdcbd2b1b1609973ed5dfb76867

SHA1
9d1a683c074b7f7192327ea57b0319bb7a6224ea

SHA256
9e52a1816568dee7b9e0d3abc58fd3e3092f1b7d7bdd69936088c99ce5fbbfa7

SHA512
2b10ec205fea4839b52ec9d36f8cf2c10c9713c60e4d60681ee0add26921356ea236c22e3e20c6d0dd444476ae7af13416ba651570809671d4048d9f6a27dd61

Download Submit
C:\Windows\System\lSgTWyf.exe

Filesize
1.7MB

MD5
457999d48445556eb403476d5603773d

SHA1
987326f4e136299ebdb3766a6b41e4adb6fea400

SHA256
0c58abbdda07c6a4123c85bf07d34a1226ca71e1a551aa0f8923fff899ee9650

SHA512
273f726bd2dc5907f0bef4cba7fd18b4dae18e8153b0685d495f592e93d3433e194d3f733553d029ffe267af048ec4d1d8ba7f4643163e7a6777e2ff63493359

Download Submit
C:\Windows\System\nfnoNnC.exe

Filesize
1.7MB

MD5
379fb0ac2acd06d08be11494076ad164

SHA1
986c04856fae466866a7ac3d89a12897985c6304

SHA256
6e7c60a70d2b465ad0dd48e9c1bf894de81769ab4aac81bc046b3f74efe97d6f

SHA512
895889c911d00bb0f75b20d9fc4071e5f21c0ceba1713cfb5f2a68064d61e8d25af851634c0097713337a983355796280bb1511fcba65d0e36d468e4a62260fa

Download Submit
C:\Windows\System\oRlDOrV.exe

Filesize
1.7MB

MD5
28846e102d569b84b1658d8e52250e1f

SHA1
91c053fded092085bde181552be50c6a4fafa91b

SHA256
3150c24613805d094cd2a57531149fbe854ebb6510ed1e219bb21150efee19fa

SHA512
53077bc3470ea0137141e44b35102556f5749cf696f2c13b52ed71ae7485a7c4a4409bbfd4c471918079084adbc822c68fae0e1ae3b71e1d3055eb0b8605cb91

Download Submit
C:\Windows\System\oXhaXhx.exe

Filesize
1.7MB

MD5
4727402ded028855b5663db22ca30253

SHA1
c970a1fa7aa65fc82311545b2f769874282d19b4

SHA256
e67e51503dd928609a16899ae20811ec36edf6c4e1512f14e8b937f4e31784f9

SHA512
94465af3e35ef6a9624e6a4f9f9e06e786d9c530a288d7f3f677db134dab647556f3233a67395a9a5dec27c048652fbf74fa27cd2e552d0ef892b463bae11c3b

Download Submit
C:\Windows\System\rTlsxeS.exe

Filesize
1.7MB

MD5
e6a2b5c5a51d33cb00c06ef5198428ac

SHA1
5d7a77366c4ae247e9876b33ee6f65cc763cade9

SHA256
0abd78b64e78476395775b546a3656501871ec1e89f34f86106ad86458247376

SHA512
5a71fbf7b71ebc89c24def1359cb8fffade21c95b16a761c3c78969f59cfda0ac64fe014f511419b4b9089fef64b354cabdb2653d947c87c8067867a266e3d50

Download Submit
C:\Windows\System\sfEIdRm.exe

Filesize
1.7MB

MD5
e16e8edc3cb746403df4ffbb7664c32a

SHA1
db2cc283d592029112e6f8c5f453dc11162e9cae

SHA256
40ada995ea5c27a7cf7873958110f8ca9b664bc299b42f951c95fe5798d4cc52

SHA512
9433871ae693397322bb2f31659c1cb9a513f3eab44593010cafee03b97310fdc4418aa1bf6c7a89f18fca1b8c6a11afc275b7e2fc71c1aa4850888b0df5c6c7

Download Submit
C:\Windows\System\tODwOlG.exe

Filesize
1.7MB

MD5
b7f60b12e9ff1402a9b66cec3dd65bb8

SHA1
4cd497d6de9e36305674b936db482756c2944abe

SHA256
e7b65be59561ff7b0089a55ec0871890d0941c72d256f29582db97b5fe35a158

SHA512
669998009c12a19971638e0fb72d04a6ef5ada89dbe0cae228f701cf8a07f55047cc31221048bc245cf0236864e6205720accd8c42d5c489b4b9cde7d366438b

Download Submit
C:\Windows\System\vNLMxhR.exe

Filesize
1.7MB

MD5
0cb418d9556050be0c2eb11a3dd04aa0

SHA1
4e228790605a293489793b3d1747dd10319d87ec

SHA256
e9d4d54346d1129df4bdaab3ed5f0658059fa934437cba3ce8291e8d84616ec8

SHA512
8849ae0db2027514bcc47e367ed09075c98e68e149eed25493bf97b924ac6ffb6e7c60bd5acd6a4e3d04ede6de06acf1f5e4d15e44de8829bf4bacc9206ec80c

Download Submit
C:\Windows\System\zyTuGzX.exe

Filesize
1.7MB

MD5
4ff687f356ca41138beaa8e1085590c0

SHA1
b33cafd8422f0968d965ed96a298965fb6702266

SHA256
70534cdfa60d3834df0d37e05ef34d739421d42d75c099c21158f287ca735bea

SHA512
c144dec1554b41ae2904259f5056ff12d7c08bb7d46fbc80be01b2cab6a8a38ecac7ec80731014749b78cfc892f9e3abb19d4e79804e32836f358663965b314e

Download Submit
memory/392-2036-0x00007FF7C96F0000-0x00007FF7C9AE2000-memory.dmp

Filesize
3.9MB

Download
memory/392-2068-0x00007FF7C96F0000-0x00007FF7C9AE2000-memory.dmp

Filesize
3.9MB

Download
memory/392-88-0x00007FF7C96F0000-0x00007FF7C9AE2000-memory.dmp

Filesize
3.9MB

Download
memory/700-81-0x00007FF687460000-0x00007FF687852000-memory.dmp

Filesize
3.9MB

Download
memory/700-2023-0x00007FF687460000-0x00007FF687852000-memory.dmp

Filesize
3.9MB

Download
memory/700-2074-0x00007FF687460000-0x00007FF687852000-memory.dmp

Filesize
3.9MB

Download
memory/764-71-0x00007FF707D80000-0x00007FF708172000-memory.dmp

Filesize
3.9MB

Download
memory/764-2070-0x00007FF707D80000-0x00007FF708172000-memory.dmp

Filesize
3.9MB

Download
memory/764-2022-0x00007FF707D80000-0x00007FF708172000-memory.dmp

Filesize
3.9MB

Download
memory/820-2042-0x00007FF7D3D40000-0x00007FF7D4132000-memory.dmp

Filesize
3.9MB

Download
memory/820-1993-0x00007FF7D3D40000-0x00007FF7D4132000-memory.dmp

Filesize
3.9MB

Download
memory/820-6-0x00007FF7D3D40000-0x00007FF7D4132000-memory.dmp

Filesize
3.9MB

Download
memory/1076-0-0x00007FF7E4760000-0x00007FF7E4B52000-memory.dmp

Filesize
3.9MB

Download
memory/1076-1-0x00000254659D0000-0x00000254659E0000-memory.dmp

Filesize
64KB

Download
memory/1324-2040-0x00007FF686360000-0x00007FF686752000-memory.dmp

Filesize
3.9MB

Download
memory/1324-90-0x00007FF686360000-0x00007FF686752000-memory.dmp

Filesize
3.9MB

Download
memory/1324-2059-0x00007FF686360000-0x00007FF686752000-memory.dmp

Filesize
3.9MB

Download
memory/1332-86-0x00007FF6842D0000-0x00007FF6846C2000-memory.dmp

Filesize
3.9MB

Download
memory/1332-2060-0x00007FF6842D0000-0x00007FF6846C2000-memory.dmp

Filesize
3.9MB

Download
memory/1332-2025-0x00007FF6842D0000-0x00007FF6846C2000-memory.dmp

Filesize
3.9MB

Download
memory/1556-2080-0x00007FF6F3970000-0x00007FF6F3D62000-memory.dmp

Filesize
3.9MB

Download
memory/1556-452-0x00007FF6F3970000-0x00007FF6F3D62000-memory.dmp

Filesize
3.9MB

Download
memory/2056-1996-0x00007FF6A7740000-0x00007FF6A7B32000-memory.dmp

Filesize
3.9MB

Download
memory/2056-70-0x00007FF6A7740000-0x00007FF6A7B32000-memory.dmp

Filesize
3.9MB

Download
memory/2056-2066-0x00007FF6A7740000-0x00007FF6A7B32000-memory.dmp

Filesize
3.9MB

Download
memory/2340-450-0x00007FF7D7780000-0x00007FF7D7B72000-memory.dmp

Filesize
3.9MB

Download
memory/2340-2076-0x00007FF7D7780000-0x00007FF7D7B72000-memory.dmp

Filesize
3.9MB

Download
memory/2564-453-0x00007FF7A1FA0000-0x00007FF7A2392000-memory.dmp

Filesize
3.9MB

Download
memory/2564-2082-0x00007FF7A1FA0000-0x00007FF7A2392000-memory.dmp

Filesize
3.9MB

Download
memory/2700-2084-0x00007FF6BDE60000-0x00007FF6BE252000-memory.dmp

Filesize
3.9MB

Download
memory/2700-454-0x00007FF6BDE60000-0x00007FF6BE252000-memory.dmp

Filesize
3.9MB

Download
memory/2888-41-0x00007FF712200000-0x00007FF7125F2000-memory.dmp

Filesize
3.9MB

Download
memory/2888-2049-0x00007FF712200000-0x00007FF7125F2000-memory.dmp

Filesize
3.9MB

Download
memory/2992-43-0x00007FF6C1E80000-0x00007FF6C2272000-memory.dmp

Filesize
3.9MB

Download
memory/2992-2054-0x00007FF6C1E80000-0x00007FF6C2272000-memory.dmp

Filesize
3.9MB

Download
memory/3372-2073-0x00007FF752CF0000-0x00007FF7530E2000-memory.dmp

Filesize
3.9MB

Download
memory/3372-449-0x00007FF752CF0000-0x00007FF7530E2000-memory.dmp

Filesize
3.9MB

Download
memory/3480-2078-0x00007FF68BA90000-0x00007FF68BE82000-memory.dmp

Filesize
3.9MB

Download
memory/3480-451-0x00007FF68BA90000-0x00007FF68BE82000-memory.dmp

Filesize
3.9MB

Download
memory/3508-456-0x00007FF6478B0000-0x00007FF647CA2000-memory.dmp

Filesize
3.9MB

Download
memory/3508-2097-0x00007FF6478B0000-0x00007FF647CA2000-memory.dmp

Filesize
3.9MB

Download
memory/3664-89-0x00007FF62D6C0000-0x00007FF62DAB2000-memory.dmp

Filesize
3.9MB

Download
memory/3664-2038-0x00007FF62D6C0000-0x00007FF62DAB2000-memory.dmp

Filesize
3.9MB

Download
memory/3664-2063-0x00007FF62D6C0000-0x00007FF62DAB2000-memory.dmp

Filesize
3.9MB

Download
memory/3700-455-0x00007FF77E540000-0x00007FF77E932000-memory.dmp

Filesize
3.9MB

Download
memory/3700-2099-0x00007FF77E540000-0x00007FF77E932000-memory.dmp

Filesize
3.9MB

Download
memory/3948-2053-0x00007FF755AC0000-0x00007FF755EB2000-memory.dmp

Filesize
3.9MB

Download
memory/3948-1986-0x00007FF755AC0000-0x00007FF755EB2000-memory.dmp

Filesize
3.9MB

Download
memory/3948-66-0x00007FF755AC0000-0x00007FF755EB2000-memory.dmp

Filesize
3.9MB

Download
memory/4000-80-0x00007FF7DD600000-0x00007FF7DD9F2000-memory.dmp

Filesize
3.9MB

Download
memory/4000-2050-0x00007FF7DD600000-0x00007FF7DD9F2000-memory.dmp

Filesize
3.9MB

Download
memory/4244-443-0x00007FF7F3F30000-0x00007FF7F4322000-memory.dmp

Filesize
3.9MB

Download
memory/4244-2057-0x00007FF7F3F30000-0x00007FF7F4322000-memory.dmp

Filesize
3.9MB

Download
memory/4424-39-0x00007FF6980A0000-0x00007FF698492000-memory.dmp

Filesize
3.9MB

Download
memory/4424-2046-0x00007FF6980A0000-0x00007FF698492000-memory.dmp

Filesize
3.9MB

Download
memory/4548-76-0x00007FF72E830000-0x00007FF72EC22000-memory.dmp

Filesize
3.9MB

Download
memory/4548-2045-0x00007FF72E830000-0x00007FF72EC22000-memory.dmp

Filesize
3.9MB

Download
memory/5088-442-0x00007FF7D3470000-0x00007FF7D3862000-memory.dmp

Filesize
3.9MB

Download
memory/5088-2064-0x00007FF7D3470000-0x00007FF7D3862000-memory.dmp

Filesize
3.9MB

Download
memory/5108-1994-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-59-0x000001621CBA0000-0x000001621CBC2000-memory.dmp

Filesize
136KB

Download
memory/5108-441-0x000001621F870000-0x0000016220016000-memory.dmp

Filesize
7.6MB

Download
memory/5108-2021-0x00007FFAA29F3000-0x00007FFAA29F5000-memory.dmp

Filesize
8KB

Download
memory/5108-13-0x00007FFAA29F3000-0x00007FFAA29F5000-memory.dmp

Filesize
8KB

Download
memory/5108-35-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-2034-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download
memory/5108-25-0x00007FFAA29F0000-0x00007FFAA34B1000-memory.dmp

Filesize
10.8MB

Download