xmrig | 9d4af826b38b0dbf3d2500c7a3f4ed497ea191fef0ed04043423758ba7dad668

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
Size

1.4MB
MD5

3c87cabaeec0caab05649d3217b23ba0
SHA1

ef1a3e4958e96ca52a110f2010f8dd6f57981331
SHA256

9d4af826b38b0dbf3d2500c7a3f4ed497ea191fef0ed04043423758ba7dad668
SHA512

7332539692f907550d15b99b98fb7249188252f1c4394efa9834d1ef62f046afb6b6857dc8d4384a3cf29161fa2530470505f92e5995967adaa0b101fbb9616d
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWYKpGncHBN/VPwK:Lz071uv4BPMkibTIA5CJr

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/5096-66-0x00007FF71BE10000-0x00007FF71C202000-memory.dmp	xmrig
behavioral2/memory/1976-158-0x00007FF7C06E0000-0x00007FF7C0AD2000-memory.dmp	xmrig
behavioral2/memory/1652-170-0x00007FF7EEA90000-0x00007FF7EEE82000-memory.dmp	xmrig
behavioral2/memory/892-2917-0x00007FF602890000-0x00007FF602C82000-memory.dmp	xmrig
behavioral2/memory/3168-187-0x00007FF697130000-0x00007FF697522000-memory.dmp	xmrig
behavioral2/memory/2400-181-0x00007FF7A66C0000-0x00007FF7A6AB2000-memory.dmp	xmrig
behavioral2/memory/2004-175-0x00007FF6F3B10000-0x00007FF6F3F02000-memory.dmp	xmrig
behavioral2/memory/5052-171-0x00007FF7372F0000-0x00007FF7376E2000-memory.dmp	xmrig
behavioral2/memory/4164-162-0x00007FF74F8F0000-0x00007FF74FCE2000-memory.dmp	xmrig
behavioral2/memory/5032-161-0x00007FF6C0E90000-0x00007FF6C1282000-memory.dmp	xmrig
behavioral2/memory/3320-139-0x00007FF62E320000-0x00007FF62E712000-memory.dmp	xmrig
behavioral2/memory/444-135-0x00007FF776680000-0x00007FF776A72000-memory.dmp	xmrig
behavioral2/memory/4976-126-0x00007FF751300000-0x00007FF7516F2000-memory.dmp	xmrig
behavioral2/memory/3560-97-0x00007FF7A6990000-0x00007FF7A6D82000-memory.dmp	xmrig
behavioral2/memory/2280-91-0x00007FF6E94E0000-0x00007FF6E98D2000-memory.dmp	xmrig
behavioral2/memory/3620-90-0x00007FF725010000-0x00007FF725402000-memory.dmp	xmrig
behavioral2/memory/3140-67-0x00007FF7E08B0000-0x00007FF7E0CA2000-memory.dmp	xmrig
behavioral2/memory/1208-50-0x00007FF7FD770000-0x00007FF7FDB62000-memory.dmp	xmrig
behavioral2/memory/4616-41-0x00007FF74E3A0000-0x00007FF74E792000-memory.dmp	xmrig
behavioral2/memory/4648-2950-0x00007FF6E4040000-0x00007FF6E4432000-memory.dmp	xmrig
behavioral2/memory/4660-2952-0x00007FF7B64C0000-0x00007FF7B68B2000-memory.dmp	xmrig
behavioral2/memory/4800-2965-0x00007FF6BFF40000-0x00007FF6C0332000-memory.dmp	xmrig
behavioral2/memory/4168-2967-0x00007FF6F9430000-0x00007FF6F9822000-memory.dmp	xmrig
behavioral2/memory/4420-2966-0x00007FF7E9C20000-0x00007FF7EA012000-memory.dmp	xmrig
behavioral2/memory/4648-2975-0x00007FF6E4040000-0x00007FF6E4432000-memory.dmp	xmrig
behavioral2/memory/5096-2977-0x00007FF71BE10000-0x00007FF71C202000-memory.dmp	xmrig
behavioral2/memory/4616-2979-0x00007FF74E3A0000-0x00007FF74E792000-memory.dmp	xmrig
behavioral2/memory/1208-2981-0x00007FF7FD770000-0x00007FF7FDB62000-memory.dmp	xmrig
behavioral2/memory/3620-2987-0x00007FF725010000-0x00007FF725402000-memory.dmp	xmrig
behavioral2/memory/3140-2986-0x00007FF7E08B0000-0x00007FF7E0CA2000-memory.dmp	xmrig
behavioral2/memory/892-2984-0x00007FF602890000-0x00007FF602C82000-memory.dmp	xmrig
behavioral2/memory/2280-2989-0x00007FF6E94E0000-0x00007FF6E98D2000-memory.dmp	xmrig
behavioral2/memory/1652-2991-0x00007FF7EEA90000-0x00007FF7EEE82000-memory.dmp	xmrig
behavioral2/memory/4800-2996-0x00007FF6BFF40000-0x00007FF6C0332000-memory.dmp	xmrig
behavioral2/memory/3560-2994-0x00007FF7A6990000-0x00007FF7A6D82000-memory.dmp	xmrig
behavioral2/memory/4164-2997-0x00007FF74F8F0000-0x00007FF74FCE2000-memory.dmp	xmrig
behavioral2/memory/444-3001-0x00007FF776680000-0x00007FF776A72000-memory.dmp	xmrig
behavioral2/memory/4660-3003-0x00007FF7B64C0000-0x00007FF7B68B2000-memory.dmp	xmrig
behavioral2/memory/5052-3007-0x00007FF7372F0000-0x00007FF7376E2000-memory.dmp	xmrig
behavioral2/memory/4976-3005-0x00007FF751300000-0x00007FF7516F2000-memory.dmp	xmrig
behavioral2/memory/2004-3009-0x00007FF6F3B10000-0x00007FF6F3F02000-memory.dmp	xmrig
behavioral2/memory/3320-2999-0x00007FF62E320000-0x00007FF62E712000-memory.dmp	xmrig
behavioral2/memory/3168-3013-0x00007FF697130000-0x00007FF697522000-memory.dmp	xmrig
behavioral2/memory/1976-3023-0x00007FF7C06E0000-0x00007FF7C0AD2000-memory.dmp	xmrig
behavioral2/memory/4420-3020-0x00007FF7E9C20000-0x00007FF7EA012000-memory.dmp	xmrig
behavioral2/memory/4168-3017-0x00007FF6F9430000-0x00007FF6F9822000-memory.dmp	xmrig
behavioral2/memory/5032-3015-0x00007FF6C0E90000-0x00007FF6C1282000-memory.dmp	xmrig
behavioral2/memory/2400-3019-0x00007FF7A66C0000-0x00007FF7A6AB2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	4404	powershell.exe
6	4404	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4404	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4648	BTpSnDd.exe
5096	oivOPOm.exe
4616	rfNeNED.exe
1208	tZNpODj.exe
3140	PEmJfWL.exe
3620	yDYlnfg.exe
892	bgLsGBq.exe
2280	bvYTZdH.exe
4164	XUMiuCc.exe
3560	ZnhOVMX.exe
1652	fwUBVAy.exe
4800	cHyeLZw.exe
4660	cWodovs.exe
4976	lumAxmc.exe
444	lnrpUlO.exe
3320	YMylJmS.exe
5052	FgGqKml.exe
2004	FXgXxpv.exe
4420	IENDyTz.exe
2400	ZZqQlGL.exe
4168	sJdjwdR.exe
1976	laRSkjC.exe
5032	bzVfOkA.exe
3168	xcLFzJK.exe
4428	QcZDcVa.exe
460	RjdmjeG.exe
1036	CUDdtBt.exe
3952	CRimeXS.exe
4240	gzjIHky.exe
3788	BGDlsWy.exe
3944	LGTlXLi.exe
3096	CwTcHUn.exe
728	qDXrJSt.exe
1984	mJcoaIo.exe
4388	cQaLuJj.exe
3260	zIRsDYQ.exe
5000	IwsbpBE.exe
3988	owcKVKv.exe
4036	iNcGFDS.exe
4996	tyxkpKB.exe
5012	RYHzNYs.exe
5028	oYbZdnn.exe
4652	fiubKLC.exe
4916	fQsgGHC.exe
776	AymtjHQ.exe
3608	ysNVjdi.exe
4540	BkwBQNi.exe
1944	htXLezv.exe
3888	fRdieTd.exe
4584	ZopqpAU.exe
5092	grTpqJm.exe
2084	mcIMJtl.exe
4932	xXYkGkg.exe
2008	wOmqdHB.exe
784	ibaZKDS.exe
1800	kgHeRbm.exe
556	WUWixKt.exe
2824	nwUdVxp.exe
560	zqoURLL.exe
3512	MymvsVM.exe
2564	iBOwAhv.exe
4360	GSdifWL.exe
4780	VxNgptK.exe
4836	ieiKjhc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4596-0-0x00007FF64F400000-0x00007FF64F7F2000-memory.dmp	upx
behavioral2/files/0x0006000000023305-4.dat	upx
behavioral2/files/0x0007000000023465-11.dat	upx
behavioral2/files/0x0007000000023464-12.dat	upx
behavioral2/files/0x0007000000023466-22.dat	upx
behavioral2/files/0x000700000002346b-49.dat	upx
behavioral2/memory/5096-66-0x00007FF71BE10000-0x00007FF71C202000-memory.dmp	upx
behavioral2/files/0x0007000000023468-58.dat	upx
behavioral2/files/0x000700000002346c-70.dat	upx
behavioral2/files/0x0007000000023471-88.dat	upx
behavioral2/files/0x0008000000023461-125.dat	upx
behavioral2/files/0x0007000000023473-122.dat	upx
behavioral2/files/0x0007000000023474-133.dat	upx
behavioral2/memory/1976-158-0x00007FF7C06E0000-0x00007FF7C0AD2000-memory.dmp	upx
behavioral2/memory/1652-170-0x00007FF7EEA90000-0x00007FF7EEE82000-memory.dmp	upx
behavioral2/files/0x000700000002347e-178.dat	upx
behavioral2/files/0x0007000000023480-190.dat	upx
behavioral2/memory/892-2917-0x00007FF602890000-0x00007FF602C82000-memory.dmp	upx
behavioral2/files/0x0007000000023482-200.dat	upx
behavioral2/files/0x0007000000023481-195.dat	upx
behavioral2/files/0x000700000002347f-193.dat	upx
behavioral2/memory/3168-187-0x00007FF697130000-0x00007FF697522000-memory.dmp	upx
behavioral2/files/0x000700000002347d-182.dat	upx
behavioral2/memory/2400-181-0x00007FF7A66C0000-0x00007FF7A6AB2000-memory.dmp	upx
behavioral2/files/0x000700000002347c-176.dat	upx
behavioral2/memory/2004-175-0x00007FF6F3B10000-0x00007FF6F3F02000-memory.dmp	upx
behavioral2/memory/5052-171-0x00007FF7372F0000-0x00007FF7376E2000-memory.dmp	upx
behavioral2/files/0x000700000002347a-168.dat	upx
behavioral2/files/0x000700000002347b-166.dat	upx
behavioral2/memory/4164-162-0x00007FF74F8F0000-0x00007FF74FCE2000-memory.dmp	upx
behavioral2/memory/5032-161-0x00007FF6C0E90000-0x00007FF6C1282000-memory.dmp	upx
behavioral2/memory/4168-155-0x00007FF6F9430000-0x00007FF6F9822000-memory.dmp	upx
behavioral2/files/0x0007000000023479-150.dat	upx
behavioral2/files/0x0007000000023478-148.dat	upx
behavioral2/files/0x0007000000023477-147.dat	upx
behavioral2/files/0x0007000000023476-145.dat	upx
behavioral2/files/0x0007000000023475-143.dat	upx
behavioral2/memory/4420-140-0x00007FF7E9C20000-0x00007FF7EA012000-memory.dmp	upx
behavioral2/memory/3320-139-0x00007FF62E320000-0x00007FF62E712000-memory.dmp	upx
behavioral2/memory/444-135-0x00007FF776680000-0x00007FF776A72000-memory.dmp	upx
behavioral2/memory/4976-126-0x00007FF751300000-0x00007FF7516F2000-memory.dmp	upx
behavioral2/files/0x0008000000023469-117.dat	upx
behavioral2/files/0x0007000000023472-110.dat	upx
behavioral2/memory/4660-106-0x00007FF7B64C0000-0x00007FF7B68B2000-memory.dmp	upx
behavioral2/memory/4800-103-0x00007FF6BFF40000-0x00007FF6C0332000-memory.dmp	upx
behavioral2/files/0x0007000000023470-100.dat	upx
behavioral2/files/0x000700000002346f-98.dat	upx
behavioral2/memory/3560-97-0x00007FF7A6990000-0x00007FF7A6D82000-memory.dmp	upx
behavioral2/files/0x000700000002346e-93.dat	upx
behavioral2/memory/2280-91-0x00007FF6E94E0000-0x00007FF6E98D2000-memory.dmp	upx
behavioral2/memory/3620-90-0x00007FF725010000-0x00007FF725402000-memory.dmp	upx
behavioral2/files/0x000700000002346d-83.dat	upx
behavioral2/files/0x000800000002346a-76.dat	upx
behavioral2/memory/3140-67-0x00007FF7E08B0000-0x00007FF7E0CA2000-memory.dmp	upx
behavioral2/memory/892-52-0x00007FF602890000-0x00007FF602C82000-memory.dmp	upx
behavioral2/memory/1208-50-0x00007FF7FD770000-0x00007FF7FDB62000-memory.dmp	upx
behavioral2/files/0x0007000000023467-47.dat	upx
behavioral2/memory/4616-41-0x00007FF74E3A0000-0x00007FF74E792000-memory.dmp	upx
behavioral2/memory/4648-8-0x00007FF6E4040000-0x00007FF6E4432000-memory.dmp	upx
behavioral2/memory/4648-2950-0x00007FF6E4040000-0x00007FF6E4432000-memory.dmp	upx
behavioral2/memory/4660-2952-0x00007FF7B64C0000-0x00007FF7B68B2000-memory.dmp	upx
behavioral2/memory/4800-2965-0x00007FF6BFF40000-0x00007FF6C0332000-memory.dmp	upx
behavioral2/memory/4168-2967-0x00007FF6F9430000-0x00007FF6F9822000-memory.dmp	upx
behavioral2/memory/4420-2966-0x00007FF7E9C20000-0x00007FF7EA012000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\IXGJSwU.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\AbvpSty.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\vAPwhoV.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\VxNgptK.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\MpQoGtm.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\lnIJBPM.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\HsxwhhT.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\WjSJEWK.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\OEckMAS.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\cVGCXdg.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\hkTstDJ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\OqjRVRa.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\BiEEkOr.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\QptFohl.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\ICllaBS.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\VTQJSfw.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\SXCsfry.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\WHwKqLY.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\YuzJlFW.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\kAFONWX.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\jlOGinu.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\bPHFrnN.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\zqoURLL.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\hCYLjaf.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\QMQaGXo.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\TDjWRct.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\xdSnQvI.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\LMiZNIh.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\LRkMrwv.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\PbWwVkT.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\wacwVLt.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\suICuAl.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\IoWgHaK.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\pGSzsSh.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\mFnfvLv.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\XgeXZdJ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\LMyTTUB.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\dwRELdq.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\FvRszrt.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\dvtBntW.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\ZcGGJKf.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\KLkZrqZ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\cccADhJ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\BnBIAMn.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\yjVfYqG.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\lFkkbmi.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\KjFVKEJ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\dvtKZzI.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\JxhSSTN.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\zuIqJjT.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\KydYTsq.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\CqGsPiy.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\rnPXctQ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\EMMWhJF.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\pKkNjWJ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\NIYhTSJ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\GoflnYZ.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\mttbSSV.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\hrDptYI.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\mSlqQqT.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\hxCswCc.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\ILROiyv.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\igVdydF.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
File created	C:\Windows\System\ATvZLEd.exe	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4404	powershell.exe
4404	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
Token: SeDebugPrivilege	4404	powershell.exe
Token: SeLockMemoryPrivilege	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 4404	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	84
PID 4596 wrote to memory of 4404	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	84
PID 4596 wrote to memory of 4648	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	85
PID 4596 wrote to memory of 4648	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	85
PID 4596 wrote to memory of 5096	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	86
PID 4596 wrote to memory of 5096	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	86
PID 4596 wrote to memory of 4616	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	87
PID 4596 wrote to memory of 4616	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	87
PID 4596 wrote to memory of 1208	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	88
PID 4596 wrote to memory of 1208	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	88
PID 4596 wrote to memory of 3140	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	89
PID 4596 wrote to memory of 3140	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	89
PID 4596 wrote to memory of 3620	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	90
PID 4596 wrote to memory of 3620	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	90
PID 4596 wrote to memory of 892	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	91
PID 4596 wrote to memory of 892	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	91
PID 4596 wrote to memory of 2280	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	92
PID 4596 wrote to memory of 2280	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	92
PID 4596 wrote to memory of 1652	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	93
PID 4596 wrote to memory of 1652	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	93
PID 4596 wrote to memory of 4164	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	94
PID 4596 wrote to memory of 4164	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	94
PID 4596 wrote to memory of 3560	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	95
PID 4596 wrote to memory of 3560	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	95
PID 4596 wrote to memory of 4800	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	96
PID 4596 wrote to memory of 4800	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	96
PID 4596 wrote to memory of 4660	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	97
PID 4596 wrote to memory of 4660	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	97
PID 4596 wrote to memory of 4976	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	98
PID 4596 wrote to memory of 4976	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	98
PID 4596 wrote to memory of 444	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	99
PID 4596 wrote to memory of 444	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	99
PID 4596 wrote to memory of 3320	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	100
PID 4596 wrote to memory of 3320	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	100
PID 4596 wrote to memory of 5052	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	101
PID 4596 wrote to memory of 5052	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	101
PID 4596 wrote to memory of 2004	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	102
PID 4596 wrote to memory of 2004	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	102
PID 4596 wrote to memory of 4420	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	103
PID 4596 wrote to memory of 4420	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	103
PID 4596 wrote to memory of 2400	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	104
PID 4596 wrote to memory of 2400	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	104
PID 4596 wrote to memory of 4168	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	105
PID 4596 wrote to memory of 4168	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	105
PID 4596 wrote to memory of 1976	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	106
PID 4596 wrote to memory of 1976	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	106
PID 4596 wrote to memory of 5032	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	107
PID 4596 wrote to memory of 5032	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	107
PID 4596 wrote to memory of 3168	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	108
PID 4596 wrote to memory of 3168	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	108
PID 4596 wrote to memory of 460	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	109
PID 4596 wrote to memory of 460	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	109
PID 4596 wrote to memory of 4428	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	110
PID 4596 wrote to memory of 4428	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	110
PID 4596 wrote to memory of 1036	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	111
PID 4596 wrote to memory of 1036	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	111
PID 4596 wrote to memory of 3952	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	112
PID 4596 wrote to memory of 3952	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	112
PID 4596 wrote to memory of 4240	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	113
PID 4596 wrote to memory of 4240	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	113
PID 4596 wrote to memory of 3788	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	114
PID 4596 wrote to memory of 3788	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	114
PID 4596 wrote to memory of 3944	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	115
PID 4596 wrote to memory of 3944	4596	3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c87cabaeec0caab05649d3217b23ba0_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4404" "2944" "2892" "2948" "0" "0" "2952" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13100
- C:\Windows\System\BTpSnDd.exe
  C:\Windows\System\BTpSnDd.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\oivOPOm.exe
  C:\Windows\System\oivOPOm.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\rfNeNED.exe
  C:\Windows\System\rfNeNED.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\tZNpODj.exe
  C:\Windows\System\tZNpODj.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\PEmJfWL.exe
  C:\Windows\System\PEmJfWL.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\yDYlnfg.exe
  C:\Windows\System\yDYlnfg.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\bgLsGBq.exe
  C:\Windows\System\bgLsGBq.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System\bvYTZdH.exe
  C:\Windows\System\bvYTZdH.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\fwUBVAy.exe
  C:\Windows\System\fwUBVAy.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\XUMiuCc.exe
  C:\Windows\System\XUMiuCc.exe
  2⤵
  - Executes dropped EXE
  PID:4164
- C:\Windows\System\ZnhOVMX.exe
  C:\Windows\System\ZnhOVMX.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System\cHyeLZw.exe
  C:\Windows\System\cHyeLZw.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\cWodovs.exe
  C:\Windows\System\cWodovs.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\lumAxmc.exe
  C:\Windows\System\lumAxmc.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\lnrpUlO.exe
  C:\Windows\System\lnrpUlO.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System\YMylJmS.exe
  C:\Windows\System\YMylJmS.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\FgGqKml.exe
  C:\Windows\System\FgGqKml.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\FXgXxpv.exe
  C:\Windows\System\FXgXxpv.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\IENDyTz.exe
  C:\Windows\System\IENDyTz.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\ZZqQlGL.exe
  C:\Windows\System\ZZqQlGL.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\sJdjwdR.exe
  C:\Windows\System\sJdjwdR.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\laRSkjC.exe
  C:\Windows\System\laRSkjC.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\bzVfOkA.exe
  C:\Windows\System\bzVfOkA.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\xcLFzJK.exe
  C:\Windows\System\xcLFzJK.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\RjdmjeG.exe
  C:\Windows\System\RjdmjeG.exe
  2⤵
  - Executes dropped EXE
  PID:460
- C:\Windows\System\QcZDcVa.exe
  C:\Windows\System\QcZDcVa.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\CUDdtBt.exe
  C:\Windows\System\CUDdtBt.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\CRimeXS.exe
  C:\Windows\System\CRimeXS.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\gzjIHky.exe
  C:\Windows\System\gzjIHky.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\BGDlsWy.exe
  C:\Windows\System\BGDlsWy.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\LGTlXLi.exe
  C:\Windows\System\LGTlXLi.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\CwTcHUn.exe
  C:\Windows\System\CwTcHUn.exe
  2⤵
  - Executes dropped EXE
  PID:3096
- C:\Windows\System\qDXrJSt.exe
  C:\Windows\System\qDXrJSt.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\mJcoaIo.exe
  C:\Windows\System\mJcoaIo.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\cQaLuJj.exe
  C:\Windows\System\cQaLuJj.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\zIRsDYQ.exe
  C:\Windows\System\zIRsDYQ.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\IwsbpBE.exe
  C:\Windows\System\IwsbpBE.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\owcKVKv.exe
  C:\Windows\System\owcKVKv.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\iNcGFDS.exe
  C:\Windows\System\iNcGFDS.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\tyxkpKB.exe
  C:\Windows\System\tyxkpKB.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\RYHzNYs.exe
  C:\Windows\System\RYHzNYs.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\oYbZdnn.exe
  C:\Windows\System\oYbZdnn.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\fiubKLC.exe
  C:\Windows\System\fiubKLC.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\fQsgGHC.exe
  C:\Windows\System\fQsgGHC.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\AymtjHQ.exe
  C:\Windows\System\AymtjHQ.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System\ysNVjdi.exe
  C:\Windows\System\ysNVjdi.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\BkwBQNi.exe
  C:\Windows\System\BkwBQNi.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\htXLezv.exe
  C:\Windows\System\htXLezv.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\fRdieTd.exe
  C:\Windows\System\fRdieTd.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\ZopqpAU.exe
  C:\Windows\System\ZopqpAU.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\grTpqJm.exe
  C:\Windows\System\grTpqJm.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\mcIMJtl.exe
  C:\Windows\System\mcIMJtl.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\xXYkGkg.exe
  C:\Windows\System\xXYkGkg.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\wOmqdHB.exe
  C:\Windows\System\wOmqdHB.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\ibaZKDS.exe
  C:\Windows\System\ibaZKDS.exe
  2⤵
  - Executes dropped EXE
  PID:784
- C:\Windows\System\kgHeRbm.exe
  C:\Windows\System\kgHeRbm.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\WUWixKt.exe
  C:\Windows\System\WUWixKt.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\nwUdVxp.exe
  C:\Windows\System\nwUdVxp.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\zqoURLL.exe
  C:\Windows\System\zqoURLL.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\MymvsVM.exe
  C:\Windows\System\MymvsVM.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\iBOwAhv.exe
  C:\Windows\System\iBOwAhv.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\GSdifWL.exe
  C:\Windows\System\GSdifWL.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\VxNgptK.exe
  C:\Windows\System\VxNgptK.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\ieiKjhc.exe
  C:\Windows\System\ieiKjhc.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\fLJUQSZ.exe
  C:\Windows\System\fLJUQSZ.exe
  2⤵
  PID:4632
- C:\Windows\System\ZsdZyOA.exe
  C:\Windows\System\ZsdZyOA.exe
  2⤵
  PID:4796
- C:\Windows\System\ZpoxAvs.exe
  C:\Windows\System\ZpoxAvs.exe
  2⤵
  PID:3280
- C:\Windows\System\lMgfhFH.exe
  C:\Windows\System\lMgfhFH.exe
  2⤵
  PID:3556
- C:\Windows\System\WbFNsoI.exe
  C:\Windows\System\WbFNsoI.exe
  2⤵
  PID:5140
- C:\Windows\System\naXvNFi.exe
  C:\Windows\System\naXvNFi.exe
  2⤵
  PID:5172
- C:\Windows\System\RfgSIHd.exe
  C:\Windows\System\RfgSIHd.exe
  2⤵
  PID:5220
- C:\Windows\System\KnAJAop.exe
  C:\Windows\System\KnAJAop.exe
  2⤵
  PID:5240
- C:\Windows\System\qKfFHNk.exe
  C:\Windows\System\qKfFHNk.exe
  2⤵
  PID:5268
- C:\Windows\System\vtHfDzt.exe
  C:\Windows\System\vtHfDzt.exe
  2⤵
  PID:5284
- C:\Windows\System\GoflnYZ.exe
  C:\Windows\System\GoflnYZ.exe
  2⤵
  PID:5312
- C:\Windows\System\rVtZKQj.exe
  C:\Windows\System\rVtZKQj.exe
  2⤵
  PID:5336
- C:\Windows\System\dGlOfRV.exe
  C:\Windows\System\dGlOfRV.exe
  2⤵
  PID:5364
- C:\Windows\System\yIgikVe.exe
  C:\Windows\System\yIgikVe.exe
  2⤵
  PID:5392
- C:\Windows\System\rXaHacM.exe
  C:\Windows\System\rXaHacM.exe
  2⤵
  PID:5424
- C:\Windows\System\kbSMqUL.exe
  C:\Windows\System\kbSMqUL.exe
  2⤵
  PID:5448
- C:\Windows\System\Emjghmk.exe
  C:\Windows\System\Emjghmk.exe
  2⤵
  PID:5480
- C:\Windows\System\NjgFeoz.exe
  C:\Windows\System\NjgFeoz.exe
  2⤵
  PID:5504
- C:\Windows\System\iJXnSXU.exe
  C:\Windows\System\iJXnSXU.exe
  2⤵
  PID:5536
- C:\Windows\System\xVURhbK.exe
  C:\Windows\System\xVURhbK.exe
  2⤵
  PID:5560
- C:\Windows\System\IBpczdu.exe
  C:\Windows\System\IBpczdu.exe
  2⤵
  PID:5592
- C:\Windows\System\DIpXtFG.exe
  C:\Windows\System\DIpXtFG.exe
  2⤵
  PID:5620
- C:\Windows\System\PxZukEa.exe
  C:\Windows\System\PxZukEa.exe
  2⤵
  PID:5644
- C:\Windows\System\SsACFTf.exe
  C:\Windows\System\SsACFTf.exe
  2⤵
  PID:5676
- C:\Windows\System\TpGIINr.exe
  C:\Windows\System\TpGIINr.exe
  2⤵
  PID:5704
- C:\Windows\System\fLrAAyX.exe
  C:\Windows\System\fLrAAyX.exe
  2⤵
  PID:5732
- C:\Windows\System\miozTBL.exe
  C:\Windows\System\miozTBL.exe
  2⤵
  PID:5760
- C:\Windows\System\QKwIcYE.exe
  C:\Windows\System\QKwIcYE.exe
  2⤵
  PID:5788
- C:\Windows\System\rZCAVVU.exe
  C:\Windows\System\rZCAVVU.exe
  2⤵
  PID:5816
- C:\Windows\System\cmrFmaz.exe
  C:\Windows\System\cmrFmaz.exe
  2⤵
  PID:5852
- C:\Windows\System\DFCLkzy.exe
  C:\Windows\System\DFCLkzy.exe
  2⤵
  PID:5880
- C:\Windows\System\fWUhNIh.exe
  C:\Windows\System\fWUhNIh.exe
  2⤵
  PID:5908
- C:\Windows\System\VVOsQZK.exe
  C:\Windows\System\VVOsQZK.exe
  2⤵
  PID:5936
- C:\Windows\System\uLnbMtd.exe
  C:\Windows\System\uLnbMtd.exe
  2⤵
  PID:5956
- C:\Windows\System\MKWydAm.exe
  C:\Windows\System\MKWydAm.exe
  2⤵
  PID:5984
- C:\Windows\System\oqAppOO.exe
  C:\Windows\System\oqAppOO.exe
  2⤵
  PID:6012
- C:\Windows\System\wmmwMJQ.exe
  C:\Windows\System\wmmwMJQ.exe
  2⤵
  PID:6040
- C:\Windows\System\WGXeOja.exe
  C:\Windows\System\WGXeOja.exe
  2⤵
  PID:6064
- C:\Windows\System\slbYsDg.exe
  C:\Windows\System\slbYsDg.exe
  2⤵
  PID:6096
- C:\Windows\System\XltaLVp.exe
  C:\Windows\System\XltaLVp.exe
  2⤵
  PID:6120
- C:\Windows\System\JfIoATF.exe
  C:\Windows\System\JfIoATF.exe
  2⤵
  PID:2384
- C:\Windows\System\IPJpIXJ.exe
  C:\Windows\System\IPJpIXJ.exe
  2⤵
  PID:1632
- C:\Windows\System\BAkMyqd.exe
  C:\Windows\System\BAkMyqd.exe
  2⤵
  PID:3576
- C:\Windows\System\WieZCcg.exe
  C:\Windows\System\WieZCcg.exe
  2⤵
  PID:3468
- C:\Windows\System\QSxGOVv.exe
  C:\Windows\System\QSxGOVv.exe
  2⤵
  PID:4108
- C:\Windows\System\XuFgnpv.exe
  C:\Windows\System\XuFgnpv.exe
  2⤵
  PID:3916
- C:\Windows\System\cWWGUkK.exe
  C:\Windows\System\cWWGUkK.exe
  2⤵
  PID:5184
- C:\Windows\System\yKjsZHR.exe
  C:\Windows\System\yKjsZHR.exe
  2⤵
  PID:5236
- C:\Windows\System\oSaswTN.exe
  C:\Windows\System\oSaswTN.exe
  2⤵
  PID:5300
- C:\Windows\System\ETZfrgC.exe
  C:\Windows\System\ETZfrgC.exe
  2⤵
  PID:5360
- C:\Windows\System\NQeKCqS.exe
  C:\Windows\System\NQeKCqS.exe
  2⤵
  PID:5416
- C:\Windows\System\QmGYYaK.exe
  C:\Windows\System\QmGYYaK.exe
  2⤵
  PID:2856
- C:\Windows\System\qQLTDbq.exe
  C:\Windows\System\qQLTDbq.exe
  2⤵
  PID:5528
- C:\Windows\System\QiXeUxR.exe
  C:\Windows\System\QiXeUxR.exe
  2⤵
  PID:5604
- C:\Windows\System\ruUZMVD.exe
  C:\Windows\System\ruUZMVD.exe
  2⤵
  PID:5668
- C:\Windows\System\UwuYDJk.exe
  C:\Windows\System\UwuYDJk.exe
  2⤵
  PID:5744
- C:\Windows\System\cyhpMvR.exe
  C:\Windows\System\cyhpMvR.exe
  2⤵
  PID:5800
- C:\Windows\System\nkhtwVC.exe
  C:\Windows\System\nkhtwVC.exe
  2⤵
  PID:5868
- C:\Windows\System\syoZZmx.exe
  C:\Windows\System\syoZZmx.exe
  2⤵
  PID:5904
- C:\Windows\System\iMytXEF.exe
  C:\Windows\System\iMytXEF.exe
  2⤵
  PID:5968
- C:\Windows\System\kqCYGaB.exe
  C:\Windows\System\kqCYGaB.exe
  2⤵
  PID:6028
- C:\Windows\System\SbbSKcn.exe
  C:\Windows\System\SbbSKcn.exe
  2⤵
  PID:6088
- C:\Windows\System\aaolMon.exe
  C:\Windows\System\aaolMon.exe
  2⤵
  PID:4856
- C:\Windows\System\RGqZQYT.exe
  C:\Windows\System\RGqZQYT.exe
  2⤵
  PID:2356
- C:\Windows\System\kUlkisQ.exe
  C:\Windows\System\kUlkisQ.exe
  2⤵
  PID:1452
- C:\Windows\System\NyZLYTC.exe
  C:\Windows\System\NyZLYTC.exe
  2⤵
  PID:5192
- C:\Windows\System\BjxNXcF.exe
  C:\Windows\System\BjxNXcF.exe
  2⤵
  PID:5328
- C:\Windows\System\BtMPKmx.exe
  C:\Windows\System\BtMPKmx.exe
  2⤵
  PID:5444
- C:\Windows\System\eeTMdMh.exe
  C:\Windows\System\eeTMdMh.exe
  2⤵
  PID:3676
- C:\Windows\System\GzAyYpy.exe
  C:\Windows\System\GzAyYpy.exe
  2⤵
  PID:5640
- C:\Windows\System\LjCpEBX.exe
  C:\Windows\System\LjCpEBX.exe
  2⤵
  PID:828
- C:\Windows\System\ShlATfQ.exe
  C:\Windows\System\ShlATfQ.exe
  2⤵
  PID:5952
- C:\Windows\System\RqKjLet.exe
  C:\Windows\System\RqKjLet.exe
  2⤵
  PID:4508
- C:\Windows\System\YVNBHao.exe
  C:\Windows\System\YVNBHao.exe
  2⤵
  PID:3980
- C:\Windows\System\pbYfGFg.exe
  C:\Windows\System\pbYfGFg.exe
  2⤵
  PID:984
- C:\Windows\System\qwaHOTp.exe
  C:\Windows\System\qwaHOTp.exe
  2⤵
  PID:4228
- C:\Windows\System\ouxXbkO.exe
  C:\Windows\System\ouxXbkO.exe
  2⤵
  PID:5156
- C:\Windows\System\uSTWoqX.exe
  C:\Windows\System\uSTWoqX.exe
  2⤵
  PID:1628
- C:\Windows\System\sIJOGVO.exe
  C:\Windows\System\sIJOGVO.exe
  2⤵
  PID:5584
- C:\Windows\System\mttbSSV.exe
  C:\Windows\System\mttbSSV.exe
  2⤵
  PID:2332
- C:\Windows\System\DBwhuCA.exe
  C:\Windows\System\DBwhuCA.exe
  2⤵
  PID:3700
- C:\Windows\System\ihuKbww.exe
  C:\Windows\System\ihuKbww.exe
  2⤵
  PID:1324
- C:\Windows\System\qdEIatO.exe
  C:\Windows\System\qdEIatO.exe
  2⤵
  PID:6024
- C:\Windows\System\pmbwGGt.exe
  C:\Windows\System\pmbwGGt.exe
  2⤵
  PID:6136
- C:\Windows\System\CMrFNvI.exe
  C:\Windows\System\CMrFNvI.exe
  2⤵
  PID:1588
- C:\Windows\System\gLSzLuU.exe
  C:\Windows\System\gLSzLuU.exe
  2⤵
  PID:5072
- C:\Windows\System\olgrbvW.exe
  C:\Windows\System\olgrbvW.exe
  2⤵
  PID:4924
- C:\Windows\System\AvMTHlk.exe
  C:\Windows\System\AvMTHlk.exe
  2⤵
  PID:6084
- C:\Windows\System\pkboQkv.exe
  C:\Windows\System\pkboQkv.exe
  2⤵
  PID:2092
- C:\Windows\System\rBDiENB.exe
  C:\Windows\System\rBDiENB.exe
  2⤵
  PID:4560
- C:\Windows\System\FrLySWp.exe
  C:\Windows\System\FrLySWp.exe
  2⤵
  PID:3996
- C:\Windows\System\yUGbkMs.exe
  C:\Windows\System\yUGbkMs.exe
  2⤵
  PID:6176
- C:\Windows\System\tZkczcQ.exe
  C:\Windows\System\tZkczcQ.exe
  2⤵
  PID:6200
- C:\Windows\System\DAPXSVz.exe
  C:\Windows\System\DAPXSVz.exe
  2⤵
  PID:6224
- C:\Windows\System\KMDbyxp.exe
  C:\Windows\System\KMDbyxp.exe
  2⤵
  PID:6240
- C:\Windows\System\ekEinRw.exe
  C:\Windows\System\ekEinRw.exe
  2⤵
  PID:6264
- C:\Windows\System\gwHzJDz.exe
  C:\Windows\System\gwHzJDz.exe
  2⤵
  PID:6296
- C:\Windows\System\sNxJuih.exe
  C:\Windows\System\sNxJuih.exe
  2⤵
  PID:6340
- C:\Windows\System\fDRSndm.exe
  C:\Windows\System\fDRSndm.exe
  2⤵
  PID:6388
- C:\Windows\System\SFgRlmG.exe
  C:\Windows\System\SFgRlmG.exe
  2⤵
  PID:6408
- C:\Windows\System\JSnlKnB.exe
  C:\Windows\System\JSnlKnB.exe
  2⤵
  PID:6424
- C:\Windows\System\HdodMrv.exe
  C:\Windows\System\HdodMrv.exe
  2⤵
  PID:6444
- C:\Windows\System\ZCHBwyl.exe
  C:\Windows\System\ZCHBwyl.exe
  2⤵
  PID:6472
- C:\Windows\System\SnchqRO.exe
  C:\Windows\System\SnchqRO.exe
  2⤵
  PID:6512
- C:\Windows\System\XzaLFxa.exe
  C:\Windows\System\XzaLFxa.exe
  2⤵
  PID:6544
- C:\Windows\System\moqpuME.exe
  C:\Windows\System\moqpuME.exe
  2⤵
  PID:6584
- C:\Windows\System\ZtzwuKo.exe
  C:\Windows\System\ZtzwuKo.exe
  2⤵
  PID:6616
- C:\Windows\System\VNpIfgN.exe
  C:\Windows\System\VNpIfgN.exe
  2⤵
  PID:6636
- C:\Windows\System\GduvZtS.exe
  C:\Windows\System\GduvZtS.exe
  2⤵
  PID:6652
- C:\Windows\System\rYexwsI.exe
  C:\Windows\System\rYexwsI.exe
  2⤵
  PID:6684
- C:\Windows\System\DyBJvhI.exe
  C:\Windows\System\DyBJvhI.exe
  2⤵
  PID:6716
- C:\Windows\System\FBttTYY.exe
  C:\Windows\System\FBttTYY.exe
  2⤵
  PID:6740
- C:\Windows\System\tbEMHyf.exe
  C:\Windows\System\tbEMHyf.exe
  2⤵
  PID:6760
- C:\Windows\System\QptFohl.exe
  C:\Windows\System\QptFohl.exe
  2⤵
  PID:6780
- C:\Windows\System\MsdrlIJ.exe
  C:\Windows\System\MsdrlIJ.exe
  2⤵
  PID:6808
- C:\Windows\System\NxOhMli.exe
  C:\Windows\System\NxOhMli.exe
  2⤵
  PID:6832
- C:\Windows\System\hgFznzN.exe
  C:\Windows\System\hgFznzN.exe
  2⤵
  PID:6848
- C:\Windows\System\YTUhZGx.exe
  C:\Windows\System\YTUhZGx.exe
  2⤵
  PID:6876
- C:\Windows\System\Pumnsaf.exe
  C:\Windows\System\Pumnsaf.exe
  2⤵
  PID:6900
- C:\Windows\System\yTSFAYk.exe
  C:\Windows\System\yTSFAYk.exe
  2⤵
  PID:6920
- C:\Windows\System\utlJsjY.exe
  C:\Windows\System\utlJsjY.exe
  2⤵
  PID:6940
- C:\Windows\System\AExByKA.exe
  C:\Windows\System\AExByKA.exe
  2⤵
  PID:6956
- C:\Windows\System\YQjWFOz.exe
  C:\Windows\System\YQjWFOz.exe
  2⤵
  PID:6984
- C:\Windows\System\YvchIiR.exe
  C:\Windows\System\YvchIiR.exe
  2⤵
  PID:7008
- C:\Windows\System\ASgRwFC.exe
  C:\Windows\System\ASgRwFC.exe
  2⤵
  PID:7024
- C:\Windows\System\JJudHRy.exe
  C:\Windows\System\JJudHRy.exe
  2⤵
  PID:7128
- C:\Windows\System\vkJgBuf.exe
  C:\Windows\System\vkJgBuf.exe
  2⤵
  PID:7160
- C:\Windows\System\heNoAzu.exe
  C:\Windows\System\heNoAzu.exe
  2⤵
  PID:3732
- C:\Windows\System\lGxaueS.exe
  C:\Windows\System\lGxaueS.exe
  2⤵
  PID:6292
- C:\Windows\System\FnwqilJ.exe
  C:\Windows\System\FnwqilJ.exe
  2⤵
  PID:6312
- C:\Windows\System\qQNdpxL.exe
  C:\Windows\System\qQNdpxL.exe
  2⤵
  PID:6420
- C:\Windows\System\EShysKT.exe
  C:\Windows\System\EShysKT.exe
  2⤵
  PID:6464
- C:\Windows\System\xgPsZEW.exe
  C:\Windows\System\xgPsZEW.exe
  2⤵
  PID:6552
- C:\Windows\System\ZgYDuJt.exe
  C:\Windows\System\ZgYDuJt.exe
  2⤵
  PID:6572
- C:\Windows\System\IEgPVmX.exe
  C:\Windows\System\IEgPVmX.exe
  2⤵
  PID:6628
- C:\Windows\System\czCaFAD.exe
  C:\Windows\System\czCaFAD.exe
  2⤵
  PID:6680
- C:\Windows\System\MjXXxOY.exe
  C:\Windows\System\MjXXxOY.exe
  2⤵
  PID:6712
- C:\Windows\System\voyrHFO.exe
  C:\Windows\System\voyrHFO.exe
  2⤵
  PID:6756
- C:\Windows\System\mtTyAnM.exe
  C:\Windows\System\mtTyAnM.exe
  2⤵
  PID:6804
- C:\Windows\System\wIjzgUR.exe
  C:\Windows\System\wIjzgUR.exe
  2⤵
  PID:6872
- C:\Windows\System\FdwMNIg.exe
  C:\Windows\System\FdwMNIg.exe
  2⤵
  PID:6932
- C:\Windows\System\eZGtXPq.exe
  C:\Windows\System\eZGtXPq.exe
  2⤵
  PID:6964
- C:\Windows\System\RTgUTue.exe
  C:\Windows\System\RTgUTue.exe
  2⤵
  PID:7068
- C:\Windows\System\uDaaaeQ.exe
  C:\Windows\System\uDaaaeQ.exe
  2⤵
  PID:7156
- C:\Windows\System\Sdyggco.exe
  C:\Windows\System\Sdyggco.exe
  2⤵
  PID:7136
- C:\Windows\System\mTiUAmB.exe
  C:\Windows\System\mTiUAmB.exe
  2⤵
  PID:6192
- C:\Windows\System\EpMGFYI.exe
  C:\Windows\System\EpMGFYI.exe
  2⤵
  PID:6384
- C:\Windows\System\YoTZBRW.exe
  C:\Windows\System\YoTZBRW.exe
  2⤵
  PID:6508
- C:\Windows\System\GZULjWb.exe
  C:\Windows\System\GZULjWb.exe
  2⤵
  PID:6748
- C:\Windows\System\OfExDjs.exe
  C:\Windows\System\OfExDjs.exe
  2⤵
  PID:6896
- C:\Windows\System\YmpLLOF.exe
  C:\Windows\System\YmpLLOF.exe
  2⤵
  PID:6952
- C:\Windows\System\pGuBAVJ.exe
  C:\Windows\System\pGuBAVJ.exe
  2⤵
  PID:6284
- C:\Windows\System\zMWtthx.exe
  C:\Windows\System\zMWtthx.exe
  2⤵
  PID:2540
- C:\Windows\System\tBfMMZz.exe
  C:\Windows\System\tBfMMZz.exe
  2⤵
  PID:6776
- C:\Windows\System\FntVwVz.exe
  C:\Windows\System\FntVwVz.exe
  2⤵
  PID:6236
- C:\Windows\System\wYCwuQD.exe
  C:\Windows\System\wYCwuQD.exe
  2⤵
  PID:3116
- C:\Windows\System\QkAptXQ.exe
  C:\Windows\System\QkAptXQ.exe
  2⤵
  PID:7212
- C:\Windows\System\CPMXcEF.exe
  C:\Windows\System\CPMXcEF.exe
  2⤵
  PID:7232
- C:\Windows\System\whPlNju.exe
  C:\Windows\System\whPlNju.exe
  2⤵
  PID:7264
- C:\Windows\System\LiqThiw.exe
  C:\Windows\System\LiqThiw.exe
  2⤵
  PID:7296
- C:\Windows\System\flUBHAG.exe
  C:\Windows\System\flUBHAG.exe
  2⤵
  PID:7316
- C:\Windows\System\wlVIgJb.exe
  C:\Windows\System\wlVIgJb.exe
  2⤵
  PID:7344
- C:\Windows\System\rcejSfW.exe
  C:\Windows\System\rcejSfW.exe
  2⤵
  PID:7364
- C:\Windows\System\TZJuOKY.exe
  C:\Windows\System\TZJuOKY.exe
  2⤵
  PID:7388
- C:\Windows\System\UOjrUKP.exe
  C:\Windows\System\UOjrUKP.exe
  2⤵
  PID:7408
- C:\Windows\System\QdFNsSf.exe
  C:\Windows\System\QdFNsSf.exe
  2⤵
  PID:7428
- C:\Windows\System\qcAEuMB.exe
  C:\Windows\System\qcAEuMB.exe
  2⤵
  PID:7444
- C:\Windows\System\axyngXM.exe
  C:\Windows\System\axyngXM.exe
  2⤵
  PID:7460
- C:\Windows\System\qRYovbc.exe
  C:\Windows\System\qRYovbc.exe
  2⤵
  PID:7496
- C:\Windows\System\KxicQSP.exe
  C:\Windows\System\KxicQSP.exe
  2⤵
  PID:7536
- C:\Windows\System\blaparH.exe
  C:\Windows\System\blaparH.exe
  2⤵
  PID:7552
- C:\Windows\System\LiVlmPt.exe
  C:\Windows\System\LiVlmPt.exe
  2⤵
  PID:7576
- C:\Windows\System\FMGUwlj.exe
  C:\Windows\System\FMGUwlj.exe
  2⤵
  PID:7628
- C:\Windows\System\XtPtPuO.exe
  C:\Windows\System\XtPtPuO.exe
  2⤵
  PID:7644
- C:\Windows\System\dvtBntW.exe
  C:\Windows\System\dvtBntW.exe
  2⤵
  PID:7668
- C:\Windows\System\ZcGGJKf.exe
  C:\Windows\System\ZcGGJKf.exe
  2⤵
  PID:7692
- C:\Windows\System\yqaFYsE.exe
  C:\Windows\System\yqaFYsE.exe
  2⤵
  PID:7716
- C:\Windows\System\zCDTAvF.exe
  C:\Windows\System\zCDTAvF.exe
  2⤵
  PID:7736
- C:\Windows\System\IjewIjy.exe
  C:\Windows\System\IjewIjy.exe
  2⤵
  PID:7756
- C:\Windows\System\qqmVZPU.exe
  C:\Windows\System\qqmVZPU.exe
  2⤵
  PID:7776
- C:\Windows\System\RAFOLkM.exe
  C:\Windows\System\RAFOLkM.exe
  2⤵
  PID:7800
- C:\Windows\System\naSqwZr.exe
  C:\Windows\System\naSqwZr.exe
  2⤵
  PID:7848
- C:\Windows\System\KMpPRKR.exe
  C:\Windows\System\KMpPRKR.exe
  2⤵
  PID:7864
- C:\Windows\System\JxanFpE.exe
  C:\Windows\System\JxanFpE.exe
  2⤵
  PID:7940
- C:\Windows\System\bCRwCyl.exe
  C:\Windows\System\bCRwCyl.exe
  2⤵
  PID:7956
- C:\Windows\System\resVMxS.exe
  C:\Windows\System\resVMxS.exe
  2⤵
  PID:7984
- C:\Windows\System\xSoPBja.exe
  C:\Windows\System\xSoPBja.exe
  2⤵
  PID:8060
- C:\Windows\System\NXtEerX.exe
  C:\Windows\System\NXtEerX.exe
  2⤵
  PID:8136
- C:\Windows\System\ehCJuBJ.exe
  C:\Windows\System\ehCJuBJ.exe
  2⤵
  PID:8164
- C:\Windows\System\kZCeqlT.exe
  C:\Windows\System\kZCeqlT.exe
  2⤵
  PID:8188
- C:\Windows\System\DnCWLzG.exe
  C:\Windows\System\DnCWLzG.exe
  2⤵
  PID:6600
- C:\Windows\System\iMCfsHK.exe
  C:\Windows\System\iMCfsHK.exe
  2⤵
  PID:7208
- C:\Windows\System\mFnfvLv.exe
  C:\Windows\System\mFnfvLv.exe
  2⤵
  PID:7292
- C:\Windows\System\EbqsTcd.exe
  C:\Windows\System\EbqsTcd.exe
  2⤵
  PID:7312
- C:\Windows\System\hgkGvsO.exe
  C:\Windows\System\hgkGvsO.exe
  2⤵
  PID:7360
- C:\Windows\System\LtGepRf.exe
  C:\Windows\System\LtGepRf.exe
  2⤵
  PID:7400
- C:\Windows\System\EKmvMlk.exe
  C:\Windows\System\EKmvMlk.exe
  2⤵
  PID:7452
- C:\Windows\System\gTmbpPG.exe
  C:\Windows\System\gTmbpPG.exe
  2⤵
  PID:7544
- C:\Windows\System\gTfvItS.exe
  C:\Windows\System\gTfvItS.exe
  2⤵
  PID:1548
- C:\Windows\System\oUtVPys.exe
  C:\Windows\System\oUtVPys.exe
  2⤵
  PID:7680
- C:\Windows\System\ydPSgQa.exe
  C:\Windows\System\ydPSgQa.exe
  2⤵
  PID:7748
- C:\Windows\System\LeJhHCS.exe
  C:\Windows\System\LeJhHCS.exe
  2⤵
  PID:7896
- C:\Windows\System\wLtNCXI.exe
  C:\Windows\System\wLtNCXI.exe
  2⤵
  PID:7908
- C:\Windows\System\mtldMhc.exe
  C:\Windows\System\mtldMhc.exe
  2⤵
  PID:8052
- C:\Windows\System\fuhywZG.exe
  C:\Windows\System\fuhywZG.exe
  2⤵
  PID:8076
- C:\Windows\System\WuhtDzo.exe
  C:\Windows\System\WuhtDzo.exe
  2⤵
  PID:6608
- C:\Windows\System\FyNsOyI.exe
  C:\Windows\System\FyNsOyI.exe
  2⤵
  PID:7256
- C:\Windows\System\ffTpemb.exe
  C:\Windows\System\ffTpemb.exe
  2⤵
  PID:7308
- C:\Windows\System\hGAVnJi.exe
  C:\Windows\System\hGAVnJi.exe
  2⤵
  PID:7608
- C:\Windows\System\XcKOsYb.exe
  C:\Windows\System\XcKOsYb.exe
  2⤵
  PID:7440
- C:\Windows\System\XoPDEov.exe
  C:\Windows\System\XoPDEov.exe
  2⤵
  PID:7768
- C:\Windows\System\rHbQJzV.exe
  C:\Windows\System\rHbQJzV.exe
  2⤵
  PID:1040
- C:\Windows\System\vqQctZC.exe
  C:\Windows\System\vqQctZC.exe
  2⤵
  PID:8096
- C:\Windows\System\acXNkaQ.exe
  C:\Windows\System\acXNkaQ.exe
  2⤵
  PID:7224
- C:\Windows\System\PoawqjX.exe
  C:\Windows\System\PoawqjX.exe
  2⤵
  PID:7340
- C:\Windows\System\jPqCYjz.exe
  C:\Windows\System\jPqCYjz.exe
  2⤵
  PID:7732
- C:\Windows\System\sxcJjOV.exe
  C:\Windows\System\sxcJjOV.exe
  2⤵
  PID:8008
- C:\Windows\System\RVEecqN.exe
  C:\Windows\System\RVEecqN.exe
  2⤵
  PID:8200
- C:\Windows\System\riBMtRa.exe
  C:\Windows\System\riBMtRa.exe
  2⤵
  PID:8228
- C:\Windows\System\JEusoCB.exe
  C:\Windows\System\JEusoCB.exe
  2⤵
  PID:8268
- C:\Windows\System\UXmdyIF.exe
  C:\Windows\System\UXmdyIF.exe
  2⤵
  PID:8288
- C:\Windows\System\hrSlzNG.exe
  C:\Windows\System\hrSlzNG.exe
  2⤵
  PID:8304
- C:\Windows\System\PahWnQH.exe
  C:\Windows\System\PahWnQH.exe
  2⤵
  PID:8336
- C:\Windows\System\mGmNvdt.exe
  C:\Windows\System\mGmNvdt.exe
  2⤵
  PID:8368
- C:\Windows\System\tOSwUNg.exe
  C:\Windows\System\tOSwUNg.exe
  2⤵
  PID:8388
- C:\Windows\System\hZQHBFJ.exe
  C:\Windows\System\hZQHBFJ.exe
  2⤵
  PID:8404
- C:\Windows\System\pDfLnWL.exe
  C:\Windows\System\pDfLnWL.exe
  2⤵
  PID:8448
- C:\Windows\System\IrqCZEy.exe
  C:\Windows\System\IrqCZEy.exe
  2⤵
  PID:8468
- C:\Windows\System\hItsySC.exe
  C:\Windows\System\hItsySC.exe
  2⤵
  PID:8488
- C:\Windows\System\BCiMKcO.exe
  C:\Windows\System\BCiMKcO.exe
  2⤵
  PID:8532
- C:\Windows\System\ePRtWer.exe
  C:\Windows\System\ePRtWer.exe
  2⤵
  PID:8568
- C:\Windows\System\BBqOKxO.exe
  C:\Windows\System\BBqOKxO.exe
  2⤵
  PID:8588
- C:\Windows\System\cPPcDnu.exe
  C:\Windows\System\cPPcDnu.exe
  2⤵
  PID:8608
- C:\Windows\System\rURIldb.exe
  C:\Windows\System\rURIldb.exe
  2⤵
  PID:8632
- C:\Windows\System\CATeidA.exe
  C:\Windows\System\CATeidA.exe
  2⤵
  PID:8652
- C:\Windows\System\lchImaz.exe
  C:\Windows\System\lchImaz.exe
  2⤵
  PID:8680
- C:\Windows\System\mxwBqXT.exe
  C:\Windows\System\mxwBqXT.exe
  2⤵
  PID:8704
- C:\Windows\System\WexuEsw.exe
  C:\Windows\System\WexuEsw.exe
  2⤵
  PID:8720
- C:\Windows\System\oJuYBhV.exe
  C:\Windows\System\oJuYBhV.exe
  2⤵
  PID:8740
- C:\Windows\System\TyRPOii.exe
  C:\Windows\System\TyRPOii.exe
  2⤵
  PID:8760
- C:\Windows\System\iGhdaBH.exe
  C:\Windows\System\iGhdaBH.exe
  2⤵
  PID:8780
- C:\Windows\System\OTLkACB.exe
  C:\Windows\System\OTLkACB.exe
  2⤵
  PID:8884
- C:\Windows\System\qeqBvsD.exe
  C:\Windows\System\qeqBvsD.exe
  2⤵
  PID:8932
- C:\Windows\System\XgeXZdJ.exe
  C:\Windows\System\XgeXZdJ.exe
  2⤵
  PID:8952
- C:\Windows\System\PGQuWCH.exe
  C:\Windows\System\PGQuWCH.exe
  2⤵
  PID:8972
- C:\Windows\System\tVBtEUL.exe
  C:\Windows\System\tVBtEUL.exe
  2⤵
  PID:8988
- C:\Windows\System\eukSltC.exe
  C:\Windows\System\eukSltC.exe
  2⤵
  PID:9012
- C:\Windows\System\WygIefY.exe
  C:\Windows\System\WygIefY.exe
  2⤵
  PID:9068
- C:\Windows\System\wwbdVMB.exe
  C:\Windows\System\wwbdVMB.exe
  2⤵
  PID:9108
- C:\Windows\System\AzBtZwN.exe
  C:\Windows\System\AzBtZwN.exe
  2⤵
  PID:9132
- C:\Windows\System\zDcIMKV.exe
  C:\Windows\System\zDcIMKV.exe
  2⤵
  PID:9152
- C:\Windows\System\egIoCjo.exe
  C:\Windows\System\egIoCjo.exe
  2⤵
  PID:9196
- C:\Windows\System\uXqlDjw.exe
  C:\Windows\System\uXqlDjw.exe
  2⤵
  PID:7332
- C:\Windows\System\yRyxKoX.exe
  C:\Windows\System\yRyxKoX.exe
  2⤵
  PID:7652
- C:\Windows\System\zLQVnYY.exe
  C:\Windows\System\zLQVnYY.exe
  2⤵
  PID:4020
- C:\Windows\System\xSCrvFP.exe
  C:\Windows\System\xSCrvFP.exe
  2⤵
  PID:8264
- C:\Windows\System\uNNteeu.exe
  C:\Windows\System\uNNteeu.exe
  2⤵
  PID:8284
- C:\Windows\System\oySHAQR.exe
  C:\Windows\System\oySHAQR.exe
  2⤵
  PID:8380
- C:\Windows\System\mHemJPJ.exe
  C:\Windows\System\mHemJPJ.exe
  2⤵
  PID:8416
- C:\Windows\System\hFrxKch.exe
  C:\Windows\System\hFrxKch.exe
  2⤵
  PID:8548
- C:\Windows\System\OaUrUYj.exe
  C:\Windows\System\OaUrUYj.exe
  2⤵
  PID:8600
- C:\Windows\System\fHkMRVv.exe
  C:\Windows\System\fHkMRVv.exe
  2⤵
  PID:8668
- C:\Windows\System\RbqhdIA.exe
  C:\Windows\System\RbqhdIA.exe
  2⤵
  PID:8736
- C:\Windows\System\BoKvgpQ.exe
  C:\Windows\System\BoKvgpQ.exe
  2⤵
  PID:8820
- C:\Windows\System\UEpeheX.exe
  C:\Windows\System\UEpeheX.exe
  2⤵
  PID:8848
- C:\Windows\System\JLzHyoe.exe
  C:\Windows\System\JLzHyoe.exe
  2⤵
  PID:8980
- C:\Windows\System\oQxUnIY.exe
  C:\Windows\System\oQxUnIY.exe
  2⤵
  PID:9000
- C:\Windows\System\gbwBBlW.exe
  C:\Windows\System\gbwBBlW.exe
  2⤵
  PID:9128
- C:\Windows\System\rXInuMm.exe
  C:\Windows\System\rXInuMm.exe
  2⤵
  PID:9188
- C:\Windows\System\ZAGwUxd.exe
  C:\Windows\System\ZAGwUxd.exe
  2⤵
  PID:8216
- C:\Windows\System\lDpOqxx.exe
  C:\Windows\System\lDpOqxx.exe
  2⤵
  PID:8312
- C:\Windows\System\VztslgD.exe
  C:\Windows\System\VztslgD.exe
  2⤵
  PID:8328
- C:\Windows\System\PZMQFWb.exe
  C:\Windows\System\PZMQFWb.exe
  2⤵
  PID:8376
- C:\Windows\System\tTLnAMN.exe
  C:\Windows\System\tTLnAMN.exe
  2⤵
  PID:8808
- C:\Windows\System\MpQoGtm.exe
  C:\Windows\System\MpQoGtm.exe
  2⤵
  PID:8856
- C:\Windows\System\xHLJTIb.exe
  C:\Windows\System\xHLJTIb.exe
  2⤵
  PID:9204
- C:\Windows\System\yGKiaiC.exe
  C:\Windows\System\yGKiaiC.exe
  2⤵
  PID:3356
- C:\Windows\System\nmarPxF.exe
  C:\Windows\System\nmarPxF.exe
  2⤵
  PID:8792
- C:\Windows\System\SnkAOYX.exe
  C:\Windows\System\SnkAOYX.exe
  2⤵
  PID:8940
- C:\Windows\System\qkyMxJO.exe
  C:\Windows\System\qkyMxJO.exe
  2⤵
  PID:3364
- C:\Windows\System\UTQjsBd.exe
  C:\Windows\System\UTQjsBd.exe
  2⤵
  PID:8432
- C:\Windows\System\fkxcHwR.exe
  C:\Windows\System\fkxcHwR.exe
  2⤵
  PID:9144
- C:\Windows\System\qJkrCOW.exe
  C:\Windows\System\qJkrCOW.exe
  2⤵
  PID:9236
- C:\Windows\System\FaatZcd.exe
  C:\Windows\System\FaatZcd.exe
  2⤵
  PID:9268
- C:\Windows\System\jNwOLOS.exe
  C:\Windows\System\jNwOLOS.exe
  2⤵
  PID:9288
- C:\Windows\System\rQNdMaB.exe
  C:\Windows\System\rQNdMaB.exe
  2⤵
  PID:9304
- C:\Windows\System\VtbwFIF.exe
  C:\Windows\System\VtbwFIF.exe
  2⤵
  PID:9332
- C:\Windows\System\ytCuASi.exe
  C:\Windows\System\ytCuASi.exe
  2⤵
  PID:9352
- C:\Windows\System\TlQalEI.exe
  C:\Windows\System\TlQalEI.exe
  2⤵
  PID:9368
- C:\Windows\System\ILROiyv.exe
  C:\Windows\System\ILROiyv.exe
  2⤵
  PID:9392
- C:\Windows\System\MSFDdvt.exe
  C:\Windows\System\MSFDdvt.exe
  2⤵
  PID:9412
- C:\Windows\System\ApInVCJ.exe
  C:\Windows\System\ApInVCJ.exe
  2⤵
  PID:9432
- C:\Windows\System\rCmWLHN.exe
  C:\Windows\System\rCmWLHN.exe
  2⤵
  PID:9488
- C:\Windows\System\CFNkiCw.exe
  C:\Windows\System\CFNkiCw.exe
  2⤵
  PID:9504
- C:\Windows\System\vLvgvKM.exe
  C:\Windows\System\vLvgvKM.exe
  2⤵
  PID:9528
- C:\Windows\System\xltlrtp.exe
  C:\Windows\System\xltlrtp.exe
  2⤵
  PID:9548
- C:\Windows\System\JPLJdiy.exe
  C:\Windows\System\JPLJdiy.exe
  2⤵
  PID:9624
- C:\Windows\System\unuJSuf.exe
  C:\Windows\System\unuJSuf.exe
  2⤵
  PID:9640
- C:\Windows\System\XqrLNYp.exe
  C:\Windows\System\XqrLNYp.exe
  2⤵
  PID:9668
- C:\Windows\System\bHSxgjg.exe
  C:\Windows\System\bHSxgjg.exe
  2⤵
  PID:9728
- C:\Windows\System\hKRzAGp.exe
  C:\Windows\System\hKRzAGp.exe
  2⤵
  PID:9840
- C:\Windows\System\xQjyLQs.exe
  C:\Windows\System\xQjyLQs.exe
  2⤵
  PID:9916
- C:\Windows\System\JIvFYQU.exe
  C:\Windows\System\JIvFYQU.exe
  2⤵
  PID:9956
- C:\Windows\System\qIrhDuf.exe
  C:\Windows\System\qIrhDuf.exe
  2⤵
  PID:9972
- C:\Windows\System\avIYetB.exe
  C:\Windows\System\avIYetB.exe
  2⤵
  PID:9992
- C:\Windows\System\AaKGsKl.exe
  C:\Windows\System\AaKGsKl.exe
  2⤵
  PID:10012
- C:\Windows\System\SbEPxCJ.exe
  C:\Windows\System\SbEPxCJ.exe
  2⤵
  PID:10036
- C:\Windows\System\ziDUipF.exe
  C:\Windows\System\ziDUipF.exe
  2⤵
  PID:10056
- C:\Windows\System\bgJGBhM.exe
  C:\Windows\System\bgJGBhM.exe
  2⤵
  PID:10076
- C:\Windows\System\MGBPCXW.exe
  C:\Windows\System\MGBPCXW.exe
  2⤵
  PID:10092
- C:\Windows\System\NtkqxAq.exe
  C:\Windows\System\NtkqxAq.exe
  2⤵
  PID:10132
- C:\Windows\System\wykOqNt.exe
  C:\Windows\System\wykOqNt.exe
  2⤵
  PID:10212
- C:\Windows\System\pHssqig.exe
  C:\Windows\System\pHssqig.exe
  2⤵
  PID:10228
- C:\Windows\System\igVdydF.exe
  C:\Windows\System\igVdydF.exe
  2⤵
  PID:3876
- C:\Windows\System\fbylHNd.exe
  C:\Windows\System\fbylHNd.exe
  2⤵
  PID:9260
- C:\Windows\System\qeWHLWo.exe
  C:\Windows\System\qeWHLWo.exe
  2⤵
  PID:9312
- C:\Windows\System\bociTZT.exe
  C:\Windows\System\bociTZT.exe
  2⤵
  PID:9536
- C:\Windows\System\MTvPTSO.exe
  C:\Windows\System\MTvPTSO.exe
  2⤵
  PID:9380
- C:\Windows\System\jFGXNjs.exe
  C:\Windows\System\jFGXNjs.exe
  2⤵
  PID:9584
- C:\Windows\System\aLxqCYl.exe
  C:\Windows\System\aLxqCYl.exe
  2⤵
  PID:9500
- C:\Windows\System\myDqeVc.exe
  C:\Windows\System\myDqeVc.exe
  2⤵
  PID:9648
- C:\Windows\System\CQJCVCi.exe
  C:\Windows\System\CQJCVCi.exe
  2⤵
  PID:9664
- C:\Windows\System\EduOOoB.exe
  C:\Windows\System\EduOOoB.exe
  2⤵
  PID:9736
- C:\Windows\System\ICllaBS.exe
  C:\Windows\System\ICllaBS.exe
  2⤵
  PID:9804
- C:\Windows\System\lFsHPMP.exe
  C:\Windows\System\lFsHPMP.exe
  2⤵
  PID:9852
- C:\Windows\System\ZQKIbah.exe
  C:\Windows\System\ZQKIbah.exe
  2⤵
  PID:9724
- C:\Windows\System\UzLBPXs.exe
  C:\Windows\System\UzLBPXs.exe
  2⤵
  PID:9872
- C:\Windows\System\EfmWdRt.exe
  C:\Windows\System\EfmWdRt.exe
  2⤵
  PID:9880
- C:\Windows\System\VkSpXfK.exe
  C:\Windows\System\VkSpXfK.exe
  2⤵
  PID:10044
- C:\Windows\System\REjtVrf.exe
  C:\Windows\System\REjtVrf.exe
  2⤵
  PID:10068
- C:\Windows\System\GXIfYRd.exe
  C:\Windows\System\GXIfYRd.exe
  2⤵
  PID:10152
- C:\Windows\System\JXTvYEi.exe
  C:\Windows\System\JXTvYEi.exe
  2⤵
  PID:10184
- C:\Windows\System\YrXxzzt.exe
  C:\Windows\System\YrXxzzt.exe
  2⤵
  PID:9344
- C:\Windows\System\kLHdjHw.exe
  C:\Windows\System\kLHdjHw.exe
  2⤵
  PID:9544
- C:\Windows\System\tILilgx.exe
  C:\Windows\System\tILilgx.exe
  2⤵
  PID:9080
- C:\Windows\System\tlvAAfQ.exe
  C:\Windows\System\tlvAAfQ.exe
  2⤵
  PID:9764
- C:\Windows\System\QEXlACa.exe
  C:\Windows\System\QEXlACa.exe
  2⤵
  PID:9768
- C:\Windows\System\tCkVAVh.exe
  C:\Windows\System\tCkVAVh.exe
  2⤵
  PID:9792
- C:\Windows\System\zeLSAfL.exe
  C:\Windows\System\zeLSAfL.exe
  2⤵
  PID:10000
- C:\Windows\System\fFVEnMM.exe
  C:\Windows\System\fFVEnMM.exe
  2⤵
  PID:10144
- C:\Windows\System\OeLwHAD.exe
  C:\Windows\System\OeLwHAD.exe
  2⤵
  PID:9364
- C:\Windows\System\LJGcAiC.exe
  C:\Windows\System\LJGcAiC.exe
  2⤵
  PID:9688
- C:\Windows\System\VLmhXwC.exe
  C:\Windows\System\VLmhXwC.exe
  2⤵
  PID:9884
- C:\Windows\System\rIviNkt.exe
  C:\Windows\System\rIviNkt.exe
  2⤵
  PID:10088
- C:\Windows\System\JLMYGwv.exe
  C:\Windows\System\JLMYGwv.exe
  2⤵
  PID:10244
- C:\Windows\System\yqEWyTx.exe
  C:\Windows\System\yqEWyTx.exe
  2⤵
  PID:10260
- C:\Windows\System\HGKCnUH.exe
  C:\Windows\System\HGKCnUH.exe
  2⤵
  PID:10288
- C:\Windows\System\xMwRzBo.exe
  C:\Windows\System\xMwRzBo.exe
  2⤵
  PID:10304
- C:\Windows\System\OyEesoU.exe
  C:\Windows\System\OyEesoU.exe
  2⤵
  PID:10332
- C:\Windows\System\hCYLjaf.exe
  C:\Windows\System\hCYLjaf.exe
  2⤵
  PID:10360
- C:\Windows\System\OdhZKzT.exe
  C:\Windows\System\OdhZKzT.exe
  2⤵
  PID:10408
- C:\Windows\System\LQggBbg.exe
  C:\Windows\System\LQggBbg.exe
  2⤵
  PID:10432
- C:\Windows\System\dFLVVWT.exe
  C:\Windows\System\dFLVVWT.exe
  2⤵
  PID:10452
- C:\Windows\System\dVZJqMX.exe
  C:\Windows\System\dVZJqMX.exe
  2⤵
  PID:10496
- C:\Windows\System\lQLICwX.exe
  C:\Windows\System\lQLICwX.exe
  2⤵
  PID:10540
- C:\Windows\System\QNzfjvA.exe
  C:\Windows\System\QNzfjvA.exe
  2⤵
  PID:10564
- C:\Windows\System\jPmkLhh.exe
  C:\Windows\System\jPmkLhh.exe
  2⤵
  PID:10580
- C:\Windows\System\GcgrzWw.exe
  C:\Windows\System\GcgrzWw.exe
  2⤵
  PID:10612
- C:\Windows\System\iIhJmGL.exe
  C:\Windows\System\iIhJmGL.exe
  2⤵
  PID:10632
- C:\Windows\System\efXPcVB.exe
  C:\Windows\System\efXPcVB.exe
  2⤵
  PID:10652
- C:\Windows\System\TrDxEZA.exe
  C:\Windows\System\TrDxEZA.exe
  2⤵
  PID:10676
- C:\Windows\System\Ltydjrw.exe
  C:\Windows\System\Ltydjrw.exe
  2⤵
  PID:10704
- C:\Windows\System\JTtFIQq.exe
  C:\Windows\System\JTtFIQq.exe
  2⤵
  PID:10752
- C:\Windows\System\wzjwQoD.exe
  C:\Windows\System\wzjwQoD.exe
  2⤵
  PID:10776
- C:\Windows\System\lddFZfT.exe
  C:\Windows\System\lddFZfT.exe
  2⤵
  PID:10792
- C:\Windows\System\sbfkfsL.exe
  C:\Windows\System\sbfkfsL.exe
  2⤵
  PID:10820
- C:\Windows\System\DklZtBp.exe
  C:\Windows\System\DklZtBp.exe
  2⤵
  PID:10860
- C:\Windows\System\jkAakEb.exe
  C:\Windows\System\jkAakEb.exe
  2⤵
  PID:10900
- C:\Windows\System\lpkkwEG.exe
  C:\Windows\System\lpkkwEG.exe
  2⤵
  PID:10920
- C:\Windows\System\LRkMrwv.exe
  C:\Windows\System\LRkMrwv.exe
  2⤵
  PID:10948
- C:\Windows\System\jodsLIb.exe
  C:\Windows\System\jodsLIb.exe
  2⤵
  PID:10968
- C:\Windows\System\rGVWsJb.exe
  C:\Windows\System\rGVWsJb.exe
  2⤵
  PID:10988
- C:\Windows\System\IceWwWg.exe
  C:\Windows\System\IceWwWg.exe
  2⤵
  PID:11008
- C:\Windows\System\BgtWlsw.exe
  C:\Windows\System\BgtWlsw.exe
  2⤵
  PID:11024
- C:\Windows\System\vGhloJM.exe
  C:\Windows\System\vGhloJM.exe
  2⤵
  PID:11044
- C:\Windows\System\kGbkypj.exe
  C:\Windows\System\kGbkypj.exe
  2⤵
  PID:11064
- C:\Windows\System\ZHHahaJ.exe
  C:\Windows\System\ZHHahaJ.exe
  2⤵
  PID:11088
- C:\Windows\System\WATxOfN.exe
  C:\Windows\System\WATxOfN.exe
  2⤵
  PID:11120
- C:\Windows\System\BiLyWCO.exe
  C:\Windows\System\BiLyWCO.exe
  2⤵
  PID:11136
- C:\Windows\System\WhiguJK.exe
  C:\Windows\System\WhiguJK.exe
  2⤵
  PID:11196
- C:\Windows\System\lxebkkz.exe
  C:\Windows\System\lxebkkz.exe
  2⤵
  PID:11228
- C:\Windows\System\ONsCDIz.exe
  C:\Windows\System\ONsCDIz.exe
  2⤵
  PID:11248
- C:\Windows\System\yjVfYqG.exe
  C:\Windows\System\yjVfYqG.exe
  2⤵
  PID:9704
- C:\Windows\System\hniiUvT.exe
  C:\Windows\System\hniiUvT.exe
  2⤵
  PID:10280
- C:\Windows\System\RJPZkDM.exe
  C:\Windows\System\RJPZkDM.exe
  2⤵
  PID:10396
- C:\Windows\System\RmTVZNE.exe
  C:\Windows\System\RmTVZNE.exe
  2⤵
  PID:10440
- C:\Windows\System\DSQLHie.exe
  C:\Windows\System\DSQLHie.exe
  2⤵
  PID:10476
- C:\Windows\System\lFkkbmi.exe
  C:\Windows\System\lFkkbmi.exe
  2⤵
  PID:10576
- C:\Windows\System\VgfLNAr.exe
  C:\Windows\System\VgfLNAr.exe
  2⤵
  PID:10608
- C:\Windows\System\netGbWL.exe
  C:\Windows\System\netGbWL.exe
  2⤵
  PID:10664
- C:\Windows\System\MdPzOkW.exe
  C:\Windows\System\MdPzOkW.exe
  2⤵
  PID:10728
- C:\Windows\System\shdBeuX.exe
  C:\Windows\System\shdBeuX.exe
  2⤵
  PID:10840
- C:\Windows\System\ylFKbEI.exe
  C:\Windows\System\ylFKbEI.exe
  2⤵
  PID:10912
- C:\Windows\System\XPSIHfs.exe
  C:\Windows\System\XPSIHfs.exe
  2⤵
  PID:10964
- C:\Windows\System\lCuPUgb.exe
  C:\Windows\System\lCuPUgb.exe
  2⤵
  PID:11072
- C:\Windows\System\GnWwMaJ.exe
  C:\Windows\System\GnWwMaJ.exe
  2⤵
  PID:11116
- C:\Windows\System\kzPLdIO.exe
  C:\Windows\System\kzPLdIO.exe
  2⤵
  PID:11164
- C:\Windows\System\ynUkkNG.exe
  C:\Windows\System\ynUkkNG.exe
  2⤵
  PID:11236
- C:\Windows\System\gPxdYBv.exe
  C:\Windows\System\gPxdYBv.exe
  2⤵
  PID:2124
- C:\Windows\System\jzrkSHB.exe
  C:\Windows\System\jzrkSHB.exe
  2⤵
  PID:10480
- C:\Windows\System\CdgwAQc.exe
  C:\Windows\System\CdgwAQc.exe
  2⤵
  PID:10624
- C:\Windows\System\DVbvfjA.exe
  C:\Windows\System\DVbvfjA.exe
  2⤵
  PID:10468
- C:\Windows\System\zLyPGqb.exe
  C:\Windows\System\zLyPGqb.exe
  2⤵
  PID:10672
- C:\Windows\System\hrDptYI.exe
  C:\Windows\System\hrDptYI.exe
  2⤵
  PID:10876
- C:\Windows\System\IwCmwDI.exe
  C:\Windows\System\IwCmwDI.exe
  2⤵
  PID:10916
- C:\Windows\System\PJamqHB.exe
  C:\Windows\System\PJamqHB.exe
  2⤵
  PID:11156
- C:\Windows\System\EIFhCjn.exe
  C:\Windows\System\EIFhCjn.exe
  2⤵
  PID:10644
- C:\Windows\System\GPMYdxl.exe
  C:\Windows\System\GPMYdxl.exe
  2⤵
  PID:10996
- C:\Windows\System\FjRqROH.exe
  C:\Windows\System\FjRqROH.exe
  2⤵
  PID:9716
- C:\Windows\System\rEmBkPV.exe
  C:\Windows\System\rEmBkPV.exe
  2⤵
  PID:10508
- C:\Windows\System\CDKKkLc.exe
  C:\Windows\System\CDKKkLc.exe
  2⤵
  PID:11272
- C:\Windows\System\lcWrPde.exe
  C:\Windows\System\lcWrPde.exe
  2⤵
  PID:11312
- C:\Windows\System\MqGnAIi.exe
  C:\Windows\System\MqGnAIi.exe
  2⤵
  PID:11332
- C:\Windows\System\mhPwbVM.exe
  C:\Windows\System\mhPwbVM.exe
  2⤵
  PID:11352
- C:\Windows\System\naYAcRb.exe
  C:\Windows\System\naYAcRb.exe
  2⤵
  PID:11372
- C:\Windows\System\jBMdJpW.exe
  C:\Windows\System\jBMdJpW.exe
  2⤵
  PID:11396
- C:\Windows\System\yayrmYB.exe
  C:\Windows\System\yayrmYB.exe
  2⤵
  PID:11412
- C:\Windows\System\jKgoCTe.exe
  C:\Windows\System\jKgoCTe.exe
  2⤵
  PID:11432
- C:\Windows\System\zUjQGzO.exe
  C:\Windows\System\zUjQGzO.exe
  2⤵
  PID:11452
- C:\Windows\System\AeqFHIp.exe
  C:\Windows\System\AeqFHIp.exe
  2⤵
  PID:11484
- C:\Windows\System\QfsGwZx.exe
  C:\Windows\System\QfsGwZx.exe
  2⤵
  PID:11508
- C:\Windows\System\BFLQNOX.exe
  C:\Windows\System\BFLQNOX.exe
  2⤵
  PID:11532
- C:\Windows\System\azAUHxl.exe
  C:\Windows\System\azAUHxl.exe
  2⤵
  PID:11588
- C:\Windows\System\iFLyEHF.exe
  C:\Windows\System\iFLyEHF.exe
  2⤵
  PID:11624
- C:\Windows\System\TJkTVLV.exe
  C:\Windows\System\TJkTVLV.exe
  2⤵
  PID:11652
- C:\Windows\System\tiAhfSC.exe
  C:\Windows\System\tiAhfSC.exe
  2⤵
  PID:11668
- C:\Windows\System\RUWuyGp.exe
  C:\Windows\System\RUWuyGp.exe
  2⤵
  PID:11720
- C:\Windows\System\ZIFWVwy.exe
  C:\Windows\System\ZIFWVwy.exe
  2⤵
  PID:11736
- C:\Windows\System\jEjLWoK.exe
  C:\Windows\System\jEjLWoK.exe
  2⤵
  PID:11776
- C:\Windows\System\qkzYIGg.exe
  C:\Windows\System\qkzYIGg.exe
  2⤵
  PID:11796
- C:\Windows\System\oqrqjqk.exe
  C:\Windows\System\oqrqjqk.exe
  2⤵
  PID:11820
- C:\Windows\System\OfnIYit.exe
  C:\Windows\System\OfnIYit.exe
  2⤵
  PID:11844
- C:\Windows\System\pMtynvd.exe
  C:\Windows\System\pMtynvd.exe
  2⤵
  PID:11908
- C:\Windows\System\LidzCGZ.exe
  C:\Windows\System\LidzCGZ.exe
  2⤵
  PID:11924
- C:\Windows\System\aDpStUS.exe
  C:\Windows\System\aDpStUS.exe
  2⤵
  PID:11972
- C:\Windows\System\mznegAP.exe
  C:\Windows\System\mznegAP.exe
  2⤵
  PID:11988
- C:\Windows\System\rUsGakK.exe
  C:\Windows\System\rUsGakK.exe
  2⤵
  PID:12028
- C:\Windows\System\bTlbKks.exe
  C:\Windows\System\bTlbKks.exe
  2⤵
  PID:12056
- C:\Windows\System\eceOsKM.exe
  C:\Windows\System\eceOsKM.exe
  2⤵
  PID:12096
- C:\Windows\System\CotuReh.exe
  C:\Windows\System\CotuReh.exe
  2⤵
  PID:12112
- C:\Windows\System\ZEWpZZt.exe
  C:\Windows\System\ZEWpZZt.exe
  2⤵
  PID:12132
- C:\Windows\System\AKsGbKO.exe
  C:\Windows\System\AKsGbKO.exe
  2⤵
  PID:12152
- C:\Windows\System\NRzMQfb.exe
  C:\Windows\System\NRzMQfb.exe
  2⤵
  PID:12188
- C:\Windows\System\eyqPjqX.exe
  C:\Windows\System\eyqPjqX.exe
  2⤵
  PID:12228
- C:\Windows\System\CgWUsJY.exe
  C:\Windows\System\CgWUsJY.exe
  2⤵
  PID:12252
- C:\Windows\System\rdOYQYr.exe
  C:\Windows\System\rdOYQYr.exe
  2⤵
  PID:12268
- C:\Windows\System\lnIJBPM.exe
  C:\Windows\System\lnIJBPM.exe
  2⤵
  PID:10760
- C:\Windows\System\xqaeXMl.exe
  C:\Windows\System\xqaeXMl.exe
  2⤵
  PID:11300
- C:\Windows\System\IgOeEoH.exe
  C:\Windows\System\IgOeEoH.exe
  2⤵
  PID:11392
- C:\Windows\System\uCTMFke.exe
  C:\Windows\System\uCTMFke.exe
  2⤵
  PID:11404
- C:\Windows\System\lqeQAZP.exe
  C:\Windows\System\lqeQAZP.exe
  2⤵
  PID:11448
- C:\Windows\System\DoYxFBJ.exe
  C:\Windows\System\DoYxFBJ.exe
  2⤵
  PID:11576
- C:\Windows\System\UWIPXWj.exe
  C:\Windows\System\UWIPXWj.exe
  2⤵
  PID:11660
- C:\Windows\System\QNNaBxD.exe
  C:\Windows\System\QNNaBxD.exe
  2⤵
  PID:11704
- C:\Windows\System\rQlswcM.exe
  C:\Windows\System\rQlswcM.exe
  2⤵
  PID:11812
- C:\Windows\System\mDjgPsC.exe
  C:\Windows\System\mDjgPsC.exe
  2⤵
  PID:11836
- C:\Windows\System\ngEpNbl.exe
  C:\Windows\System\ngEpNbl.exe
  2⤵
  PID:11900
- C:\Windows\System\eCIWakq.exe
  C:\Windows\System\eCIWakq.exe
  2⤵
  PID:11964
- C:\Windows\System\WsiekUW.exe
  C:\Windows\System\WsiekUW.exe
  2⤵
  PID:12052
- C:\Windows\System\zhrGuQW.exe
  C:\Windows\System\zhrGuQW.exe
  2⤵
  PID:12140
- C:\Windows\System\UZPcuuH.exe
  C:\Windows\System\UZPcuuH.exe
  2⤵
  PID:12128
- C:\Windows\System\wgSFDFP.exe
  C:\Windows\System\wgSFDFP.exe
  2⤵
  PID:12200
- C:\Windows\System\TvwtilM.exe
  C:\Windows\System\TvwtilM.exe
  2⤵
  PID:12224
- C:\Windows\System\HsxwhhT.exe
  C:\Windows\System\HsxwhhT.exe
  2⤵
  PID:12264
- C:\Windows\System\SLZKWmd.exe
  C:\Windows\System\SLZKWmd.exe
  2⤵
  PID:11344
- C:\Windows\System\XSBmKCZ.exe
  C:\Windows\System\XSBmKCZ.exe
  2⤵
  PID:11440
- C:\Windows\System\ZGzZgWh.exe
  C:\Windows\System\ZGzZgWh.exe
  2⤵
  PID:11804
- C:\Windows\System\WjSJEWK.exe
  C:\Windows\System\WjSJEWK.exe
  2⤵
  PID:7484
- C:\Windows\System\ctgIYXi.exe
  C:\Windows\System\ctgIYXi.exe
  2⤵
  PID:11980
- C:\Windows\System\CTDKWrj.exe
  C:\Windows\System\CTDKWrj.exe
  2⤵
  PID:3680
- C:\Windows\System\yeIPvFT.exe
  C:\Windows\System\yeIPvFT.exe
  2⤵
  PID:1408
- C:\Windows\System\DhHeQae.exe
  C:\Windows\System\DhHeQae.exe
  2⤵
  PID:11504
- C:\Windows\System\YtuSCve.exe
  C:\Windows\System\YtuSCve.exe
  2⤵
  PID:11280
- C:\Windows\System\JAyLOtK.exe
  C:\Windows\System\JAyLOtK.exe
  2⤵
  PID:11640
- C:\Windows\System\yftdIrt.exe
  C:\Windows\System\yftdIrt.exe
  2⤵
  PID:11944
- C:\Windows\System\NRwvJoS.exe
  C:\Windows\System\NRwvJoS.exe
  2⤵
  PID:12120
- C:\Windows\System\XhMYcNW.exe
  C:\Windows\System\XhMYcNW.exe
  2⤵
  PID:11292
- C:\Windows\System\zuIqJjT.exe
  C:\Windows\System\zuIqJjT.exe
  2⤵
  PID:12356
- C:\Windows\System\cQEZcWp.exe
  C:\Windows\System\cQEZcWp.exe
  2⤵
  PID:12396
- C:\Windows\System\TewDBdt.exe
  C:\Windows\System\TewDBdt.exe
  2⤵
  PID:12412
- C:\Windows\System\rcPXsZB.exe
  C:\Windows\System\rcPXsZB.exe
  2⤵
  PID:12436
- C:\Windows\System\fyyHSYD.exe
  C:\Windows\System\fyyHSYD.exe
  2⤵
  PID:12460
- C:\Windows\System\QQFdPmN.exe
  C:\Windows\System\QQFdPmN.exe
  2⤵
  PID:12532
- C:\Windows\System\DPKZRXl.exe
  C:\Windows\System\DPKZRXl.exe
  2⤵
  PID:12552
- C:\Windows\System\DLRkAtS.exe
  C:\Windows\System\DLRkAtS.exe
  2⤵
  PID:12568
- C:\Windows\System\ULzDNUM.exe
  C:\Windows\System\ULzDNUM.exe
  2⤵
  PID:12588
- C:\Windows\System\tygCBPm.exe
  C:\Windows\System\tygCBPm.exe
  2⤵
  PID:12608
- C:\Windows\System\DiyplyK.exe
  C:\Windows\System\DiyplyK.exe
  2⤵
  PID:12628
- C:\Windows\System\wkmvcwB.exe
  C:\Windows\System\wkmvcwB.exe
  2⤵
  PID:12656
- C:\Windows\System\tmZCzdB.exe
  C:\Windows\System\tmZCzdB.exe
  2⤵
  PID:12704
- C:\Windows\System\TsKEUEz.exe
  C:\Windows\System\TsKEUEz.exe
  2⤵
  PID:12732
- C:\Windows\System\VmcxofK.exe
  C:\Windows\System\VmcxofK.exe
  2⤵
  PID:12772
- C:\Windows\System\vCUQnSJ.exe
  C:\Windows\System\vCUQnSJ.exe
  2⤵
  PID:12792
- C:\Windows\System\kCniLQo.exe
  C:\Windows\System\kCniLQo.exe
  2⤵
  PID:12828
- C:\Windows\System\lEulTeP.exe
  C:\Windows\System\lEulTeP.exe
  2⤵
  PID:12860
- C:\Windows\System\mSlqQqT.exe
  C:\Windows\System\mSlqQqT.exe
  2⤵
  PID:12892
- C:\Windows\System\jVuvEcL.exe
  C:\Windows\System\jVuvEcL.exe
  2⤵
  PID:12920
- C:\Windows\System\FzItZGs.exe
  C:\Windows\System\FzItZGs.exe
  2⤵
  PID:12940
- C:\Windows\System\XefAalW.exe
  C:\Windows\System\XefAalW.exe
  2⤵
  PID:12964
- C:\Windows\System\VNOVWqn.exe
  C:\Windows\System\VNOVWqn.exe
  2⤵
  PID:12980
- C:\Windows\System\XLiKQKA.exe
  C:\Windows\System\XLiKQKA.exe
  2⤵
  PID:13008
- C:\Windows\System\gfzDFAj.exe
  C:\Windows\System\gfzDFAj.exe
  2⤵
  PID:13028
- C:\Windows\System\PbEdtWA.exe
  C:\Windows\System\PbEdtWA.exe
  2⤵
  PID:13052
- C:\Windows\System\QbTJMeE.exe
  C:\Windows\System\QbTJMeE.exe
  2⤵
  PID:13252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f5vx3s4y.5zp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BGDlsWy.exe

Filesize
1.4MB

MD5
91f63a637f3c603ba7743c6a8766484e

SHA1
4331d37658ddb4d8334a99392607b38eadf0a0f4

SHA256
3dc6f19505b6feb2799eafb608a39f193528ffae2efe00a276f33b9dd88af93e

SHA512
6e86935ac5b942f7354afddbe60cad7b9402a3a2cb40208bd16f3df35ecbbd5582ffe26c2843a3ac8599f745869ae0afd471e9061dc0fa8cc660dfe18dc92fd1

Download Submit
C:\Windows\System\BTpSnDd.exe

Filesize
1.4MB

MD5
bb38e93687f2d24845d3945b76da7489

SHA1
5e63d2836338586254218f2e6cdd2f9fb88b21df

SHA256
696a5bf7966401a517cb65fb011fc41b4f336106d8059ac76dccd6408ccbfc01

SHA512
adabaf1694c8bfca17467168d7a1f4f91a082cc0244f7f821d45ce212be26819a208d2a5f11f414e1c7664b9ef7977c98dc691dabd8ca93d840ed8084f9b0b7a

Download Submit
C:\Windows\System\CRimeXS.exe

Filesize
1.4MB

MD5
5a8eafcdbe047d11e81c61c249790fd0

SHA1
f57b9c8ede15b49dd3f4f32786e99eb2857184e8

SHA256
de1a2723dd285a4bed40276d4796f388f4f4d44621b1959b8db1ece3efc62524

SHA512
4239ef613823e0a5823f89d5a7fc42c44b7a29836a83908f3471416c317f9df603ad9e987632d9340126db4765c554d2a7518c39b109c7626f35ae9742e6b552

Download Submit
C:\Windows\System\CUDdtBt.exe

Filesize
1.4MB

MD5
bac507001389081309f39fc1564d7672

SHA1
5d5def46dbfb027c81ff0accd371707cbd99d054

SHA256
4deb2da0b42e9fb4285cde4e51970172e747bfde27828b22c518cb5edfc78d9d

SHA512
d9e6b3f1b4650ebc96f0d2ae9a26245ea5c1a95ea9ae725f07025dcd5e2bfb7cd3fca7a12e14a43c2ccf6403489d466ed1307f5ee05b3f0ffe606bd3e9c29c0e

Download Submit
C:\Windows\System\CwTcHUn.exe

Filesize
1.4MB

MD5
d256c27e7abc4225838731d34fe7444f

SHA1
622d8639cc9e213d635a84387bbc7715ae1d4f70

SHA256
b15ffa376802a256452fe534e83459e2e30f5c8a249a43fec40afd91811b32e0

SHA512
213eb4e669912d56c9d87e1a261fdb13c036fc9e5774eae9f2fc119d2a17ebaee99788700be92ac597f57b22342f9d19f3764bb2ffbf32836d46b4dbbd8e0372

Download Submit
C:\Windows\System\FXgXxpv.exe

Filesize
1.4MB

MD5
1e6b66553119ea2ea2e9e42d9327f4f7

SHA1
cdccd635458002d294490e1b6ca9839efeea1da6

SHA256
4189bc27c5510fdec8365e89525369dabeac92459b0151ab4eb9f0e23d4af6aa

SHA512
ea48eee1b3c7cbea312dc3da7a2a229dae0b6f847da91ed220644976e0ce18ea90f37e82d192be8dc4101ca1497891e46efe844f09728e2e2a9e3c2fe16c597a

Download Submit
C:\Windows\System\FgGqKml.exe

Filesize
1.4MB

MD5
aff869e9544b4a6a668cf4a7fb03e1d5

SHA1
76190fe1f1fe7d4b75a8ae0ee80165490093bd7a

SHA256
384b4cb0c3429c7ece78d1d96894491b3ebed17ddd28032dc3620f525de3babf

SHA512
e862c3a89341bb91fae3599a9438504d9d979cca64a91e019f0e546b955ebd541bf58b7c566429dccb15df450313604dc8c4c3654e53f0c8609b97513492fc81

Download Submit
C:\Windows\System\IENDyTz.exe

Filesize
1.4MB

MD5
3f01d51a12b7111be8b5c7d245b25e8b

SHA1
f4396900fcc4f75756e7cb54f4d930e5ee1590c8

SHA256
1d409ceb62be838a2be3104069ce7653af7c90c8b28517d443a33136287815f2

SHA512
7017967f596b6b7c853746739efd8bd74fc9e88012e4e89a01304c3f58e4f2c9e6d0e7119b1dbd031086a3d2f066179b1b69843be2c5b04b5419b3e61aa421db

Download Submit
C:\Windows\System\LGTlXLi.exe

Filesize
1.4MB

MD5
0bd0637fe6b08e499942e12f7b17aef6

SHA1
eb961e9949e952abed574dda0af0965e0627aa7f

SHA256
44a0391481a764b945dd84804b44cc14c934d5efcd6b7cbead1caaae528c8610

SHA512
606b2d52c51fed5cd7cd4e7203f7da3f3f0d03640dff8163142331b9607e2ad564817fb4c59e4e7d2a34f7f0574064b99aaf4745d7950280111fa584a0c85001

Download Submit
C:\Windows\System\PEmJfWL.exe

Filesize
1.4MB

MD5
f1987bbd9f2ddd13089d0e02a4c1dfb6

SHA1
d0478eb8a0c6f0d256085c651f0359440ecca2e5

SHA256
311abe58234dc61a4e2cf5c178f7e5892750402ff3c84266f78a39277e6c56b7

SHA512
1bc284116a6f5f4dcd415772ebbdc36279fbd1ab4c1c529c007d606e03086f7c3d7673afffd99693041602403b34385aa76febb171b41b2605c9841d886e5186

Download Submit
C:\Windows\System\QcZDcVa.exe

Filesize
1.4MB

MD5
6d6c77ca3609f6bde1aeeeddd3483d5b

SHA1
3062008bf62c753b120ff604b76cdb4362ee98fa

SHA256
ba21756a57cd0db50695f2c70fa4c867575e8687a2c4c3a2372f70c48f47ee9b

SHA512
e3631de332e9d02ae3fad2d00a3c295b4ff9f15d3b47fa825164145049abb3ab52fd84ad7a611453b3c5561ff817e7c4d51e49332dcc79ba4622c749caa66fb5

Download Submit
C:\Windows\System\RjdmjeG.exe

Filesize
1.4MB

MD5
07c3ea77e6e6c6db8b46ae27fa9e7090

SHA1
f381017ed85f4487eb45998f4b10fe5eebd257f6

SHA256
db5b0b59a30b34caad13b73d80e935eb11e85dbca7c3e9fd2068da4bcb2e129f

SHA512
505a1e7d54b028ef6d6b82b1dd76b4a54f88aa364bd5fd51cc6aa79259a29b8c269fea5db712459f61f92c5283267687e29ba5a6d0cbceb0b0ab6b574f4a9277

Download Submit
C:\Windows\System\XUMiuCc.exe

Filesize
1.4MB

MD5
828ad0890e0fdd2e4ae5874e10ef552b

SHA1
981b47014db0dc13c9b65cdfad583e561ddeb019

SHA256
7b4c25a0c259f53a7c0b63d2607f84c92189ef0a51e1d293914117a8fef666ac

SHA512
71f1bcaa71ba66d99d47b8496d80ea2e158a50f3f1f3ed335859a3b76a8865d68204fb75070d0900659ef9037264d6d728f22875bf61395bdfe9740bbb1a87af

Download Submit
C:\Windows\System\YMylJmS.exe

Filesize
1.4MB

MD5
6c6c977c9987f4d23c5dec63015db995

SHA1
e8e47229a4348e37f1348cf8324b77a168b5420d

SHA256
2787541b8e63d3e80839ffacf2ae5fe7493a99801bed8e77948ad1817c11ddcf

SHA512
21dcbc34472e2998501216a2ebbd90a52299f812df278bd7a89af21afa25d896a32e98fe148dbce57fa00b24e29e073e811242c683127ec91b3052e78376fb22

Download Submit
C:\Windows\System\ZZqQlGL.exe

Filesize
1.4MB

MD5
9d136493d96cf769a7f2ddce83cd2ac3

SHA1
d5b31a9bc4c4454777ed0fd5b96136ee59359c3a

SHA256
41cf0d5bc28267b4deee08a95d7b22d50a8d4c9626877a038146952d6264cc29

SHA512
cbee0903d29fbc69e28b6893422f30ed699a7ae46bbd17b365865e375a26b9ae9acf832693efaa102b5088e10f9f06d881561e98332e7e210a1623673406c9fd

Download Submit
C:\Windows\System\ZnhOVMX.exe

Filesize
1.4MB

MD5
f2e5bfcd04c826c134c86ad355cc0354

SHA1
205b8ffc205eda653f9f55dde2a2036a94239c3c

SHA256
0732aece4a0bdec4da91d6d53d023082c039a3d44741e8eaed08b341262dfb3d

SHA512
a8ea38834a598f5c97b9130d165085a976172168a344afa16089e86b069a84125f8ba455a23e5887fed90d9fb5dc3246ea3fd963d056ca57f7ca0d5da370c574

Download Submit
C:\Windows\System\bgLsGBq.exe

Filesize
1.4MB

MD5
421fc3ad0a24f85ee280554e1bc6a107

SHA1
4a27e4e41d2cb00aec5695efc3385a4fec2964a3

SHA256
0f93c99a17ecb438f65097413c4bef1389f433fef04ba42f5ed8553182bffafe

SHA512
aed29590ca067c1cb2ee0031d4ec2f388a0f62dd9ca1a1958afde22cf8cba5a7bb47660c1122dceae5f13ada55e100389bc8eceb127085a1608a8630afcf559a

Download Submit
C:\Windows\System\bvYTZdH.exe

Filesize
1.4MB

MD5
c26056b95c7951f62a84af1856958d06

SHA1
de24ef046b2dd7adbf5ad01aae5336bc0219e344

SHA256
bc442e827215f397de359bd669b605c244a408d2330450980b982329e7364334

SHA512
c874a541d4f6fd9b2e10a85df860ac6e5db68d6f0134056534863cfdeaf57f70bc07b58df5dc1c1f2304a103f5cb9cd0895f76a66ae8577db3df843ffcddc32f

Download Submit
C:\Windows\System\bzVfOkA.exe

Filesize
1.4MB

MD5
2a2517b5427b650ee1e8ab4ec79ee296

SHA1
c3c0a223bfb8a17d1554848d0a60f64041ef4c10

SHA256
ef095936cfc76a6ce46a7f7329f6eaa6f589f030a13ad58bbe7d4c99b0e6dc69

SHA512
9f878cf7e8d3f128439946eec7ec22034a5497a0726710a9f5d5830de0adaf1a463eb88281092cb17f45a159516e6c0c25b57e1ae2a7b6570c65a3e463aa8ece

Download Submit
C:\Windows\System\cHyeLZw.exe

Filesize
1.4MB

MD5
85eadfd12c25efda086900319b96ce3d

SHA1
68d2d2a133c7e9002696d4e49178fdc14ecf588c

SHA256
d5db54c1ce38fcca6470ae2872f17081958861e3bbdc3060a70d6dede366c907

SHA512
c6c981adb4a016fab9d7673836bfe4d7256fc4724e8118de72c80e067dc2f4750c4dbc826610a7a52e396909d8999c7d4081e1343837c34b66925549f870aa16

Download Submit
C:\Windows\System\cWodovs.exe

Filesize
1.4MB

MD5
143ed9e214bb6cf51b189cca172fd348

SHA1
f2d9087b851c35dfce2bca8df8b20c61223d25d0

SHA256
f8b5be2f488c3b0aee66dd9aafee7262c5b46ae76c26d5e5425ac5f11d1cde15

SHA512
31875659912798908631fd86ebb47b1dcec97642d190d1acc3711fa583d253e1bb0d1f9d4099b38f8891918b335a5cd29f58adf82afce3efe47b42fb358a0d96

Download Submit
C:\Windows\System\fwUBVAy.exe

Filesize
1.4MB

MD5
2439ecfd96e731d9c233ce796a436680

SHA1
c18f710d7d0324d1fa6eb7fde7194180c5ee1519

SHA256
cfe1301e47f7ab27350679eae85c92d91cea7cde09e8e7216efcb06fe4c55995

SHA512
ca06ec447124be08b9837581bf47106c78940a7663b97c6447132e9423677eb06f9c516f2cb1f93eeceb74c9f8fad0f4e1b699e2f74982381fb6274cfa030af0

Download Submit
C:\Windows\System\gzjIHky.exe

Filesize
1.4MB

MD5
cd5b71c4406fcfca9703502969905ad4

SHA1
05e9600836c99c8eba20436da91e5fc76971cef1

SHA256
f0ce58347efdd7c601813b55d031afbde8bae495c3b1bd69bf7e55eca3597123

SHA512
b69548ad62d40d30d4de67d6a4278e597b9f7ac0668bac63c704381d4e3529fe8399a9536c03977beec017ad718bea2127d74485d5912da4e26565ccf5331b0d

Download Submit
C:\Windows\System\laRSkjC.exe

Filesize
1.4MB

MD5
1dfe8355b45226a1f711fc4b4aa0dda3

SHA1
e802f5d03ab80848a5b55b7db926908978dedc48

SHA256
85607d60614658340d4c755ea20043f95388778ee9ee0bd8f98bd445eb919b8f

SHA512
10f1b986830ef1cebcb5db1af5f312648c0d7479c8f705a83d2570596a030847f51257a9d82a2c93f4ff215989bf5e489ed7267f551c2d88ee442ca01d6eefa9

Download Submit
C:\Windows\System\lnrpUlO.exe

Filesize
1.4MB

MD5
7888cd9eca7e0596e3a18b71481e33b9

SHA1
b375732b2d9cb6a7297b0a9a362337e42b0c0bfa

SHA256
5887e7c9f7bbff8faa80a92c5f2c26a90aa5ecb151ece1a1d539a87439a9a459

SHA512
c3baa360690a5c2d0dde6d16006af11c9c903982049c392e7b8aac93566450cf8ce4cbdfc51898e7c85ed64c69034e58d29b22c91a33915062cbe1ff5a7b9c1c

Download Submit
C:\Windows\System\lumAxmc.exe

Filesize
1.4MB

MD5
9fe41319dc6425db1f6a15db33b1b7e2

SHA1
bdd0858d37d7166033e03a229b8e53a569663646

SHA256
562032ac16b8c576baf8e6155ca241a62ad65cbb59c234fd6ae15ccfbdf659cb

SHA512
fe33474ac9832dd4b37d6a9c4ad86d59a679aa26187e557846e2a99934c73b5a7f93312ca3207f700a2ef0d4b34815116a1f949ae1a62e16ba3012439e0bd44d

Download Submit
C:\Windows\System\oivOPOm.exe

Filesize
1.4MB

MD5
392fcbf3dd1e05078c36a00beb39b58c

SHA1
3edfe81a2beba9ec6c658c9a7adcf005e0218022

SHA256
8c09bd86c25d451edd02ba2a4ed7c30c10097d1fa3c2fa999141d996b0ec2776

SHA512
2fd9fdf2423ff25628c30768c65a1da881ea3af9f6590ad5d19abfc770fed688835e40edd6ffdc7da7ba4ca41dbd5ce28a91c43c2bd7f17a8ba68e11cd9a3ce6

Download Submit
C:\Windows\System\qDXrJSt.exe

Filesize
1.4MB

MD5
716870de9e085eaaad2cba0d90edc153

SHA1
54b27b1feac56aaf176ee76e75d11632a068b578

SHA256
4ddffdf064538d64bee3ebbf6be023c073b301f6bde9bc2c28becc178b94c269

SHA512
a10c8b3f33189e4241790a1d400ad2554d887eef6454481a763248df20ec26cd9ffe57f89e6c04746476919fd241434e7136851a8da4e2be89424d14a834f468

Download Submit
C:\Windows\System\rfNeNED.exe

Filesize
1.4MB

MD5
7d5368541161531108909aeebe6ac53f

SHA1
909967a4f744a3a6ea1d453482551d6dccdb0851

SHA256
4e1343eba142afdcb1ca3ef832237dfde2fd5168a2e4afe3234a3e206f2a5656

SHA512
b447d52afe9ea7b47339ee54eca227e59713027c75b5967d56b4c57d1b2199127c7330e50a6fa5395919a78c074bc9c6520009333346fd1e6b9ac745a30030ec

Download Submit
C:\Windows\System\sJdjwdR.exe

Filesize
1.4MB

MD5
de7d613024ce32d4612f9eb1cab8895b

SHA1
2739e548d204446973b51083955c6d2e967aa9b2

SHA256
b6250d91f05ad00c2196ce321f13a201c646e91d4d3311f49587b5694ec377c5

SHA512
e968802b8f8fc324ba6abf527ca4e703cfbf911dcb627aa6ea7eaabd1f1a3bc2988da066a6aad25c3fc873a621fec26aff88c7d6f67c0fb8497de4b4eb131c09

Download Submit
C:\Windows\System\tKftvUI.exe

Filesize
8B

MD5
8a9416a5ba3f4513ce86ee25fcd9ed2c

SHA1
a36f3dd1333c8cfee404b646d4c6809d7e653313

SHA256
fb7dd3a16f87fe8b7e98987069f2b605508df1550402bd2a9bfdec4856b1a59a

SHA512
c747d417c3e282ae9ec82b691c8fea9cb7d0729d1dda54d2144fa9c71dd39f2ab11cee5a6768a89cb91fd4a7ae6e579302cb4e4de8d6384014994320074580a4

Download Submit
C:\Windows\System\tZNpODj.exe

Filesize
1.4MB

MD5
34214fe31266c1d79134aae4bd2e7c59

SHA1
549615a5a0d5eaa82d7a18a84fa6333051f1ac1f

SHA256
19e96e5ccb11d5cba5bc85d8ec9b01dcbcfb90ff50aebf9de1f8d5f02058532c

SHA512
c19b588a98cf33ebacf9eb574c3ef2404ee6832e8931d3c42ca14ec54730ac8569583fb7bb3ec0cd911ecf6d4070fb6bc2d395e13a3d9f7e5b72a2ebe7263a2a

Download Submit
C:\Windows\System\xcLFzJK.exe

Filesize
1.4MB

MD5
8cf51df969ac15fa9672d53d6bb49b0f

SHA1
e8b799886f6f62a924748c518de3ec95f24c4810

SHA256
e1ec07777bdef6629c1d9bc19cdd51be1b44781f6cbc8a1f26944430d7e0cfcf

SHA512
8c9bcd41331a1304f73a172beb01c40661dd25671e984977a4162a59583973df971af153fbce62b97537783c41f2029f3530c6ea7d6eb99e931e4c4bed31c279

Download Submit
C:\Windows\System\yDYlnfg.exe

Filesize
1.4MB

MD5
783b8a146eb166c98e77b2ca3ef2daea

SHA1
ddd190551d69d05692537c556600146b25c75f5e

SHA256
d411bce444e615afb16b23358398c973c4bbb22415f78ecf811a87e90b6f6f3e

SHA512
5ddb2c2607c336a06e03fe95e51eb0217ca22c60aaf9b0f4dc8cf37081195912dc02c6e64618c0594cc9329941cbf77f0bdd7dfbbad23fd61b4f769747e58dea

Download Submit
memory/444-135-0x00007FF776680000-0x00007FF776A72000-memory.dmp

Filesize
3.9MB

Download
memory/444-3001-0x00007FF776680000-0x00007FF776A72000-memory.dmp

Filesize
3.9MB

Download
memory/892-2984-0x00007FF602890000-0x00007FF602C82000-memory.dmp

Filesize
3.9MB

Download
memory/892-2917-0x00007FF602890000-0x00007FF602C82000-memory.dmp

Filesize
3.9MB

Download
memory/892-52-0x00007FF602890000-0x00007FF602C82000-memory.dmp

Filesize
3.9MB

Download
memory/1208-50-0x00007FF7FD770000-0x00007FF7FDB62000-memory.dmp

Filesize
3.9MB

Download
memory/1208-2981-0x00007FF7FD770000-0x00007FF7FDB62000-memory.dmp

Filesize
3.9MB

Download
memory/1652-170-0x00007FF7EEA90000-0x00007FF7EEE82000-memory.dmp

Filesize
3.9MB

Download
memory/1652-2991-0x00007FF7EEA90000-0x00007FF7EEE82000-memory.dmp

Filesize
3.9MB

Download
memory/1976-158-0x00007FF7C06E0000-0x00007FF7C0AD2000-memory.dmp

Filesize
3.9MB

Download
memory/1976-3023-0x00007FF7C06E0000-0x00007FF7C0AD2000-memory.dmp

Filesize
3.9MB

Download
memory/2004-175-0x00007FF6F3B10000-0x00007FF6F3F02000-memory.dmp

Filesize
3.9MB

Download
memory/2004-3009-0x00007FF6F3B10000-0x00007FF6F3F02000-memory.dmp

Filesize
3.9MB

Download
memory/2280-2989-0x00007FF6E94E0000-0x00007FF6E98D2000-memory.dmp

Filesize
3.9MB

Download
memory/2280-91-0x00007FF6E94E0000-0x00007FF6E98D2000-memory.dmp

Filesize
3.9MB

Download
memory/2400-181-0x00007FF7A66C0000-0x00007FF7A6AB2000-memory.dmp

Filesize
3.9MB

Download
memory/2400-3019-0x00007FF7A66C0000-0x00007FF7A6AB2000-memory.dmp

Filesize
3.9MB

Download
memory/3140-2986-0x00007FF7E08B0000-0x00007FF7E0CA2000-memory.dmp

Filesize
3.9MB

Download
memory/3140-67-0x00007FF7E08B0000-0x00007FF7E0CA2000-memory.dmp

Filesize
3.9MB

Download
memory/3168-3013-0x00007FF697130000-0x00007FF697522000-memory.dmp

Filesize
3.9MB

Download
memory/3168-187-0x00007FF697130000-0x00007FF697522000-memory.dmp

Filesize
3.9MB

Download
memory/3320-2999-0x00007FF62E320000-0x00007FF62E712000-memory.dmp

Filesize
3.9MB

Download
memory/3320-139-0x00007FF62E320000-0x00007FF62E712000-memory.dmp

Filesize
3.9MB

Download
memory/3560-97-0x00007FF7A6990000-0x00007FF7A6D82000-memory.dmp

Filesize
3.9MB

Download
memory/3560-2994-0x00007FF7A6990000-0x00007FF7A6D82000-memory.dmp

Filesize
3.9MB

Download
memory/3620-2987-0x00007FF725010000-0x00007FF725402000-memory.dmp

Filesize
3.9MB

Download
memory/3620-90-0x00007FF725010000-0x00007FF725402000-memory.dmp

Filesize
3.9MB

Download
memory/4164-162-0x00007FF74F8F0000-0x00007FF74FCE2000-memory.dmp

Filesize
3.9MB

Download
memory/4164-2997-0x00007FF74F8F0000-0x00007FF74FCE2000-memory.dmp

Filesize
3.9MB

Download
memory/4168-3017-0x00007FF6F9430000-0x00007FF6F9822000-memory.dmp

Filesize
3.9MB

Download
memory/4168-2967-0x00007FF6F9430000-0x00007FF6F9822000-memory.dmp

Filesize
3.9MB

Download
memory/4168-155-0x00007FF6F9430000-0x00007FF6F9822000-memory.dmp

Filesize
3.9MB

Download
memory/4404-2961-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp

Filesize
10.8MB

Download
memory/4404-9-0x00007FFA8AA43000-0x00007FFA8AA45000-memory.dmp

Filesize
8KB

Download
memory/4404-2951-0x00007FFA8AA43000-0x00007FFA8AA45000-memory.dmp

Filesize
8KB

Download
memory/4404-29-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp

Filesize
10.8MB

Download
memory/4404-45-0x000001F09DAE0000-0x000001F09DB02000-memory.dmp

Filesize
136KB

Download
memory/4404-599-0x000001F0B7250000-0x000001F0B79F6000-memory.dmp

Filesize
7.6MB

Download
memory/4404-2922-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp

Filesize
10.8MB

Download
memory/4404-24-0x00007FFA8AA40000-0x00007FFA8B501000-memory.dmp

Filesize
10.8MB

Download
memory/4420-3020-0x00007FF7E9C20000-0x00007FF7EA012000-memory.dmp

Filesize
3.9MB

Download
memory/4420-2966-0x00007FF7E9C20000-0x00007FF7EA012000-memory.dmp

Filesize
3.9MB

Download
memory/4420-140-0x00007FF7E9C20000-0x00007FF7EA012000-memory.dmp

Filesize
3.9MB

Download
memory/4596-0-0x00007FF64F400000-0x00007FF64F7F2000-memory.dmp

Filesize
3.9MB

Download
memory/4596-1-0x0000028D4B8F0000-0x0000028D4B900000-memory.dmp

Filesize
64KB

Download
memory/4616-2979-0x00007FF74E3A0000-0x00007FF74E792000-memory.dmp

Filesize
3.9MB

Download
memory/4616-41-0x00007FF74E3A0000-0x00007FF74E792000-memory.dmp

Filesize
3.9MB

Download
memory/4648-2975-0x00007FF6E4040000-0x00007FF6E4432000-memory.dmp

Filesize
3.9MB

Download
memory/4648-8-0x00007FF6E4040000-0x00007FF6E4432000-memory.dmp

Filesize
3.9MB

Download
memory/4648-2950-0x00007FF6E4040000-0x00007FF6E4432000-memory.dmp

Filesize
3.9MB

Download
memory/4660-3003-0x00007FF7B64C0000-0x00007FF7B68B2000-memory.dmp

Filesize
3.9MB

Download
memory/4660-2952-0x00007FF7B64C0000-0x00007FF7B68B2000-memory.dmp

Filesize
3.9MB

Download
memory/4660-106-0x00007FF7B64C0000-0x00007FF7B68B2000-memory.dmp

Filesize
3.9MB

Download
memory/4800-2965-0x00007FF6BFF40000-0x00007FF6C0332000-memory.dmp

Filesize
3.9MB

Download
memory/4800-103-0x00007FF6BFF40000-0x00007FF6C0332000-memory.dmp

Filesize
3.9MB

Download
memory/4800-2996-0x00007FF6BFF40000-0x00007FF6C0332000-memory.dmp

Filesize
3.9MB

Download
memory/4976-3005-0x00007FF751300000-0x00007FF7516F2000-memory.dmp

Filesize
3.9MB

Download
memory/4976-126-0x00007FF751300000-0x00007FF7516F2000-memory.dmp

Filesize
3.9MB

Download
memory/5032-161-0x00007FF6C0E90000-0x00007FF6C1282000-memory.dmp

Filesize
3.9MB

Download
memory/5032-3015-0x00007FF6C0E90000-0x00007FF6C1282000-memory.dmp

Filesize
3.9MB

Download
memory/5052-3007-0x00007FF7372F0000-0x00007FF7376E2000-memory.dmp

Filesize
3.9MB

Download
memory/5052-171-0x00007FF7372F0000-0x00007FF7376E2000-memory.dmp

Filesize
3.9MB

Download
memory/5096-2977-0x00007FF71BE10000-0x00007FF71C202000-memory.dmp

Filesize
3.9MB

Download
memory/5096-66-0x00007FF71BE10000-0x00007FF71C202000-memory.dmp

Filesize
3.9MB

Download