xmrig | 997306dc9459058b4fbaaf469a3668ba545d6b4f5610d2284a219193e38c1433

Analysis

max time kernel
114s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 08:52

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
Size

1.5MB
MD5

10214426b5f78533b05e135f6cbcf96e
SHA1

f57d504f8fa8c0e8ace8b1e693d52e4d530eca00
SHA256

997306dc9459058b4fbaaf469a3668ba545d6b4f5610d2284a219193e38c1433
SHA512

008b6609b988215bee835159615aaed7d136301dedf2b05ea7ac482806b3db605642aba1c2a2688c8620c18f273ee9dcdc5eb52bb578f4adcb29b839996c89f9
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWYKpGncHBN/VxjzSRLgx893+Gk:Lz071uv4BPMkibTIA5CJKGL

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3060-33-0x00007FF729CA0000-0x00007FF72A092000-memory.dmp	xmrig
behavioral2/memory/2304-59-0x00007FF675780000-0x00007FF675B72000-memory.dmp	xmrig
behavioral2/memory/1872-67-0x00007FF70E2D0000-0x00007FF70E6C2000-memory.dmp	xmrig
behavioral2/memory/4832-72-0x00007FF7E0250000-0x00007FF7E0642000-memory.dmp	xmrig
behavioral2/memory/4840-440-0x00007FF7D7340000-0x00007FF7D7732000-memory.dmp	xmrig
behavioral2/memory/3320-483-0x00007FF61A390000-0x00007FF61A782000-memory.dmp	xmrig
behavioral2/memory/2160-503-0x00007FF616CE0000-0x00007FF6170D2000-memory.dmp	xmrig
behavioral2/memory/3492-509-0x00007FF6498D0000-0x00007FF649CC2000-memory.dmp	xmrig
behavioral2/memory/3448-519-0x00007FF788D50000-0x00007FF789142000-memory.dmp	xmrig
behavioral2/memory/228-530-0x00007FF680C50000-0x00007FF681042000-memory.dmp	xmrig
behavioral2/memory/4720-544-0x00007FF790ED0000-0x00007FF7912C2000-memory.dmp	xmrig
behavioral2/memory/4820-551-0x00007FF76AE40000-0x00007FF76B232000-memory.dmp	xmrig
behavioral2/memory/4992-554-0x00007FF69F300000-0x00007FF69F6F2000-memory.dmp	xmrig
behavioral2/memory/3740-541-0x00007FF619B20000-0x00007FF619F12000-memory.dmp	xmrig
behavioral2/memory/1908-479-0x00007FF7469F0000-0x00007FF746DE2000-memory.dmp	xmrig
behavioral2/memory/2316-469-0x00007FF6F5D80000-0x00007FF6F6172000-memory.dmp	xmrig
behavioral2/memory/2188-463-0x00007FF650010000-0x00007FF650402000-memory.dmp	xmrig
behavioral2/memory/1880-456-0x00007FF6235A0000-0x00007FF623992000-memory.dmp	xmrig
behavioral2/memory/3852-453-0x00007FF7F3FB0000-0x00007FF7F43A2000-memory.dmp	xmrig
behavioral2/memory/3496-446-0x00007FF7CB360000-0x00007FF7CB752000-memory.dmp	xmrig
behavioral2/memory/2356-436-0x00007FF6CD7C0000-0x00007FF6CDBB2000-memory.dmp	xmrig
behavioral2/memory/1888-433-0x00007FF721670000-0x00007FF721A62000-memory.dmp	xmrig
behavioral2/memory/2088-429-0x00007FF795320000-0x00007FF795712000-memory.dmp	xmrig
behavioral2/memory/3640-62-0x00007FF6CB9D0000-0x00007FF6CBDC2000-memory.dmp	xmrig
behavioral2/memory/228-2560-0x00007FF680C50000-0x00007FF681042000-memory.dmp	xmrig
behavioral2/memory/2304-2562-0x00007FF675780000-0x00007FF675B72000-memory.dmp	xmrig
behavioral2/memory/3060-2559-0x00007FF729CA0000-0x00007FF72A092000-memory.dmp	xmrig
behavioral2/memory/3740-2568-0x00007FF619B20000-0x00007FF619F12000-memory.dmp	xmrig
behavioral2/memory/4720-2570-0x00007FF790ED0000-0x00007FF7912C2000-memory.dmp	xmrig
behavioral2/memory/2088-2572-0x00007FF795320000-0x00007FF795712000-memory.dmp	xmrig
behavioral2/memory/3640-2567-0x00007FF6CB9D0000-0x00007FF6CBDC2000-memory.dmp	xmrig
behavioral2/memory/1872-2565-0x00007FF70E2D0000-0x00007FF70E6C2000-memory.dmp	xmrig
behavioral2/memory/4820-2578-0x00007FF76AE40000-0x00007FF76B232000-memory.dmp	xmrig
behavioral2/memory/2188-2577-0x00007FF650010000-0x00007FF650402000-memory.dmp	xmrig
behavioral2/memory/4992-2592-0x00007FF69F300000-0x00007FF69F6F2000-memory.dmp	xmrig
behavioral2/memory/2316-2604-0x00007FF6F5D80000-0x00007FF6F6172000-memory.dmp	xmrig
behavioral2/memory/2356-2602-0x00007FF6CD7C0000-0x00007FF6CDBB2000-memory.dmp	xmrig
behavioral2/memory/4840-2601-0x00007FF7D7340000-0x00007FF7D7732000-memory.dmp	xmrig
behavioral2/memory/3852-2597-0x00007FF7F3FB0000-0x00007FF7F43A2000-memory.dmp	xmrig
behavioral2/memory/1880-2595-0x00007FF6235A0000-0x00007FF623992000-memory.dmp	xmrig
behavioral2/memory/3448-2590-0x00007FF788D50000-0x00007FF789142000-memory.dmp	xmrig
behavioral2/memory/3320-2586-0x00007FF61A390000-0x00007FF61A782000-memory.dmp	xmrig
behavioral2/memory/3492-2582-0x00007FF6498D0000-0x00007FF649CC2000-memory.dmp	xmrig
behavioral2/memory/3496-2599-0x00007FF7CB360000-0x00007FF7CB752000-memory.dmp	xmrig
behavioral2/memory/1908-2589-0x00007FF7469F0000-0x00007FF746DE2000-memory.dmp	xmrig
behavioral2/memory/2160-2585-0x00007FF616CE0000-0x00007FF6170D2000-memory.dmp	xmrig
behavioral2/memory/1888-2580-0x00007FF721670000-0x00007FF721A62000-memory.dmp	xmrig
behavioral2/memory/4832-2574-0x00007FF7E0250000-0x00007FF7E0642000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1496	powershell.exe
10	1496	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1496	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3060	PWKzfmb.exe
228	oEAtQct.exe
2304	nZMZMzk.exe
3640	ELcizPP.exe
3740	GHdgNRD.exe
1872	HmzxOvK.exe
4720	oTSrFUm.exe
4832	IPsLIGx.exe
2088	bGruRHu.exe
4820	ytJlfpS.exe
4992	zDIBqjp.exe
1888	wOHqnQG.exe
2356	pHKqqwY.exe
4840	YHsUeWV.exe
3496	LbNFpec.exe
3852	OpwqPnF.exe
1880	LrjBcIt.exe
2188	HeEOJdW.exe
2316	pWAucFT.exe
1908	SMYobDw.exe
3320	tTlWfuF.exe
2160	CrODkyq.exe
3492	CJGyGyG.exe
3448	ZcyUzKs.exe
4160	iwkqwSs.exe
1444	uQOKzfm.exe
5004	ldSxyaA.exe
2616	vrcAhCy.exe
1884	edELVOz.exe
3580	nCwqAnb.exe
4504	nXzExCb.exe
1176	OPBBVPC.exe
4984	YfZxHrg.exe
3512	zZpsEWC.exe
2112	ongfxnA.exe
1576	DfkLIEK.exe
3260	itfQXVz.exe
4332	TxxdXxX.exe
1112	SFlExZo.exe
2940	QYJUEMY.exe
4488	ZUBBZdL.exe
4608	iLSFqOb.exe
1656	mSpUjvj.exe
1736	vJRFjPT.exe
5052	yNbdDqC.exe
512	SLYcxVg.exe
3868	optVgyR.exe
2924	nQcILZq.exe
464	sSUXnkq.exe
4616	JZVbsla.exe
2500	aYNrGbr.exe
3312	sQcqstK.exe
536	NaFXSjG.exe
2520	MMfXcTT.exe
4320	UeWrkGw.exe
1132	cLrjLeJ.exe
948	YnFkAlr.exe
1588	KnULqQj.exe
5008	nuubxpQ.exe
3812	hrlsium.exe
5108	yJafluY.exe
2380	qVpXeZV.exe
4612	yLSMLkR.exe
4860	pQvsmvc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2192-0-0x00007FF79D280000-0x00007FF79D672000-memory.dmp	upx
behavioral2/files/0x000d000000023bac-6.dat	upx
behavioral2/files/0x000a000000023bb1-8.dat	upx
behavioral2/files/0x000a000000023bb0-14.dat	upx
behavioral2/files/0x000a000000023bb2-21.dat	upx
behavioral2/files/0x000a000000023bb3-27.dat	upx
behavioral2/memory/3060-33-0x00007FF729CA0000-0x00007FF72A092000-memory.dmp	upx
behavioral2/files/0x0031000000023bb5-50.dat	upx
behavioral2/memory/2304-59-0x00007FF675780000-0x00007FF675B72000-memory.dmp	upx
behavioral2/memory/1872-67-0x00007FF70E2D0000-0x00007FF70E6C2000-memory.dmp	upx
behavioral2/memory/4832-72-0x00007FF7E0250000-0x00007FF7E0642000-memory.dmp	upx
behavioral2/files/0x000b000000023bb8-81.dat	upx
behavioral2/files/0x000a000000023bbf-107.dat	upx
behavioral2/files/0x000a000000023bc2-116.dat	upx
behavioral2/files/0x000a000000023bca-156.dat	upx
behavioral2/files/0x000a000000023bcd-171.dat	upx
behavioral2/memory/4840-440-0x00007FF7D7340000-0x00007FF7D7732000-memory.dmp	upx
behavioral2/memory/3320-483-0x00007FF61A390000-0x00007FF61A782000-memory.dmp	upx
behavioral2/memory/2160-503-0x00007FF616CE0000-0x00007FF6170D2000-memory.dmp	upx
behavioral2/memory/3492-509-0x00007FF6498D0000-0x00007FF649CC2000-memory.dmp	upx
behavioral2/memory/3448-519-0x00007FF788D50000-0x00007FF789142000-memory.dmp	upx
behavioral2/memory/228-530-0x00007FF680C50000-0x00007FF681042000-memory.dmp	upx
behavioral2/memory/4720-544-0x00007FF790ED0000-0x00007FF7912C2000-memory.dmp	upx
behavioral2/memory/4820-551-0x00007FF76AE40000-0x00007FF76B232000-memory.dmp	upx
behavioral2/memory/4992-554-0x00007FF69F300000-0x00007FF69F6F2000-memory.dmp	upx
behavioral2/memory/3740-541-0x00007FF619B20000-0x00007FF619F12000-memory.dmp	upx
behavioral2/memory/1908-479-0x00007FF7469F0000-0x00007FF746DE2000-memory.dmp	upx
behavioral2/memory/2316-469-0x00007FF6F5D80000-0x00007FF6F6172000-memory.dmp	upx
behavioral2/memory/2188-463-0x00007FF650010000-0x00007FF650402000-memory.dmp	upx
behavioral2/memory/1880-456-0x00007FF6235A0000-0x00007FF623992000-memory.dmp	upx
behavioral2/memory/3852-453-0x00007FF7F3FB0000-0x00007FF7F43A2000-memory.dmp	upx
behavioral2/memory/3496-446-0x00007FF7CB360000-0x00007FF7CB752000-memory.dmp	upx
behavioral2/memory/2356-436-0x00007FF6CD7C0000-0x00007FF6CDBB2000-memory.dmp	upx
behavioral2/memory/1888-433-0x00007FF721670000-0x00007FF721A62000-memory.dmp	upx
behavioral2/memory/2088-429-0x00007FF795320000-0x00007FF795712000-memory.dmp	upx
behavioral2/files/0x000a000000023bcf-181.dat	upx
behavioral2/files/0x000a000000023bce-176.dat	upx
behavioral2/files/0x000a000000023bcc-174.dat	upx
behavioral2/files/0x000a000000023bcb-169.dat	upx
behavioral2/files/0x000a000000023bc9-159.dat	upx
behavioral2/files/0x000a000000023bc8-154.dat	upx
behavioral2/files/0x000a000000023bc7-146.dat	upx
behavioral2/files/0x000a000000023bc6-142.dat	upx
behavioral2/files/0x000a000000023bc5-136.dat	upx
behavioral2/files/0x000a000000023bc4-132.dat	upx
behavioral2/files/0x000a000000023bc3-127.dat	upx
behavioral2/files/0x000a000000023bc1-117.dat	upx
behavioral2/files/0x000a000000023bc0-111.dat	upx
behavioral2/files/0x000a000000023bbe-101.dat	upx
behavioral2/files/0x000a000000023bbd-97.dat	upx
behavioral2/files/0x000a000000023bbc-91.dat	upx
behavioral2/files/0x000b000000023bb7-87.dat	upx
behavioral2/files/0x000a000000023bbb-79.dat	upx
behavioral2/files/0x000a000000023bba-70.dat	upx
behavioral2/files/0x000a000000023bb9-63.dat	upx
behavioral2/memory/3640-62-0x00007FF6CB9D0000-0x00007FF6CBDC2000-memory.dmp	upx
behavioral2/files/0x0031000000023bb6-61.dat	upx
behavioral2/files/0x0031000000023bb4-35.dat	upx
behavioral2/memory/228-2560-0x00007FF680C50000-0x00007FF681042000-memory.dmp	upx
behavioral2/memory/2304-2562-0x00007FF675780000-0x00007FF675B72000-memory.dmp	upx
behavioral2/memory/3060-2559-0x00007FF729CA0000-0x00007FF72A092000-memory.dmp	upx
behavioral2/memory/3740-2568-0x00007FF619B20000-0x00007FF619F12000-memory.dmp	upx
behavioral2/memory/4720-2570-0x00007FF790ED0000-0x00007FF7912C2000-memory.dmp	upx
behavioral2/memory/2088-2572-0x00007FF795320000-0x00007FF795712000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\WWXyErH.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\WzFPYGr.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\uoxDSqe.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\LeRfBbN.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\KeJElHD.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\VqSAykF.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\aHDmcQQ.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\IPsLIGx.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\kdnUGDw.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\wrjvpLF.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\MuyxKBy.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\fGGVktm.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\yCCnlaI.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\HiLylGF.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\QsPnloz.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\MNFgfXy.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\UoAJizM.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\qXnsvFB.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\yueRVmg.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\PQKHQGb.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\PbaZKvL.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\tcIJaZU.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\HEJKUhh.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\VSpEzEH.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\TbMtJdx.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\ljcljLh.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\MpcnwQB.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\nCwqAnb.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\OoTgjoi.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\ZtppCXv.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\WWHBFiR.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\qVlGNQC.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\FyhUPoc.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\gzCjsSb.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\WStYBxx.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\mZtnmTZ.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\LAlgdTr.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\WAqhUqz.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\hsGeCTa.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\eDmDpgw.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\YhVafjN.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\orQMDOm.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\KRfXzJb.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\KXcfsav.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\sQtMsKl.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\XDfeODX.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\snIskwT.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\LsKyrAB.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\VxTGQZX.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\BDjlQOs.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\hTwgAGM.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\KptNEPC.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\tvSQMIM.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\qJUvdrC.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\XwLNrWQ.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\bjDFZSe.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\JpOcWKh.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\fUCUvmx.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\csbhDdO.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\favQlAC.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\ksuqcAY.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\jKJJwfO.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\HFByyun.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
File created	C:\Windows\System\VvgBFjR.exe	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1496	powershell.exe
1496	powershell.exe
1496	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeLockMemoryPrivilege	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1496	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	84
PID 2192 wrote to memory of 1496	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	84
PID 2192 wrote to memory of 3060	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	85
PID 2192 wrote to memory of 3060	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	85
PID 2192 wrote to memory of 228	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	86
PID 2192 wrote to memory of 228	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	86
PID 2192 wrote to memory of 2304	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	87
PID 2192 wrote to memory of 2304	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	87
PID 2192 wrote to memory of 3640	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	88
PID 2192 wrote to memory of 3640	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	88
PID 2192 wrote to memory of 3740	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	89
PID 2192 wrote to memory of 3740	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	89
PID 2192 wrote to memory of 1872	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	90
PID 2192 wrote to memory of 1872	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	90
PID 2192 wrote to memory of 4720	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	91
PID 2192 wrote to memory of 4720	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	91
PID 2192 wrote to memory of 4832	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	92
PID 2192 wrote to memory of 4832	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	92
PID 2192 wrote to memory of 2088	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	93
PID 2192 wrote to memory of 2088	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	93
PID 2192 wrote to memory of 4820	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	94
PID 2192 wrote to memory of 4820	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	94
PID 2192 wrote to memory of 1888	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	95
PID 2192 wrote to memory of 1888	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	95
PID 2192 wrote to memory of 4992	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	96
PID 2192 wrote to memory of 4992	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	96
PID 2192 wrote to memory of 2356	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	97
PID 2192 wrote to memory of 2356	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	97
PID 2192 wrote to memory of 4840	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	98
PID 2192 wrote to memory of 4840	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	98
PID 2192 wrote to memory of 3496	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	99
PID 2192 wrote to memory of 3496	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	99
PID 2192 wrote to memory of 3852	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	100
PID 2192 wrote to memory of 3852	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	100
PID 2192 wrote to memory of 1880	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	101
PID 2192 wrote to memory of 1880	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	101
PID 2192 wrote to memory of 2188	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	102
PID 2192 wrote to memory of 2188	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	102
PID 2192 wrote to memory of 2316	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	103
PID 2192 wrote to memory of 2316	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	103
PID 2192 wrote to memory of 1908	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	104
PID 2192 wrote to memory of 1908	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	104
PID 2192 wrote to memory of 3320	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	105
PID 2192 wrote to memory of 3320	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	105
PID 2192 wrote to memory of 2160	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	106
PID 2192 wrote to memory of 2160	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	106
PID 2192 wrote to memory of 3492	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	107
PID 2192 wrote to memory of 3492	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	107
PID 2192 wrote to memory of 3448	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	108
PID 2192 wrote to memory of 3448	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	108
PID 2192 wrote to memory of 4160	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	109
PID 2192 wrote to memory of 4160	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	109
PID 2192 wrote to memory of 1444	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	110
PID 2192 wrote to memory of 1444	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	110
PID 2192 wrote to memory of 5004	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	111
PID 2192 wrote to memory of 5004	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	111
PID 2192 wrote to memory of 2616	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	112
PID 2192 wrote to memory of 2616	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	112
PID 2192 wrote to memory of 1884	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	113
PID 2192 wrote to memory of 1884	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	113
PID 2192 wrote to memory of 3580	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	114
PID 2192 wrote to memory of 3580	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	114
PID 2192 wrote to memory of 4504	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	115
PID 2192 wrote to memory of 4504	2192	10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10214426b5f78533b05e135f6cbcf96e_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1496" "2960" "2896" "2964" "0" "0" "2968" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2596
- C:\Windows\System\PWKzfmb.exe
  C:\Windows\System\PWKzfmb.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\oEAtQct.exe
  C:\Windows\System\oEAtQct.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\nZMZMzk.exe
  C:\Windows\System\nZMZMzk.exe
  2⤵
  - Executes dropped EXE
  PID:2304
- C:\Windows\System\ELcizPP.exe
  C:\Windows\System\ELcizPP.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\GHdgNRD.exe
  C:\Windows\System\GHdgNRD.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\HmzxOvK.exe
  C:\Windows\System\HmzxOvK.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\oTSrFUm.exe
  C:\Windows\System\oTSrFUm.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\IPsLIGx.exe
  C:\Windows\System\IPsLIGx.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\bGruRHu.exe
  C:\Windows\System\bGruRHu.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\ytJlfpS.exe
  C:\Windows\System\ytJlfpS.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\wOHqnQG.exe
  C:\Windows\System\wOHqnQG.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\zDIBqjp.exe
  C:\Windows\System\zDIBqjp.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\pHKqqwY.exe
  C:\Windows\System\pHKqqwY.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\YHsUeWV.exe
  C:\Windows\System\YHsUeWV.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\LbNFpec.exe
  C:\Windows\System\LbNFpec.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\OpwqPnF.exe
  C:\Windows\System\OpwqPnF.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\LrjBcIt.exe
  C:\Windows\System\LrjBcIt.exe
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\Windows\System\HeEOJdW.exe
  C:\Windows\System\HeEOJdW.exe
  2⤵
  - Executes dropped EXE
  PID:2188
- C:\Windows\System\pWAucFT.exe
  C:\Windows\System\pWAucFT.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\SMYobDw.exe
  C:\Windows\System\SMYobDw.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\tTlWfuF.exe
  C:\Windows\System\tTlWfuF.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\CrODkyq.exe
  C:\Windows\System\CrODkyq.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\CJGyGyG.exe
  C:\Windows\System\CJGyGyG.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\ZcyUzKs.exe
  C:\Windows\System\ZcyUzKs.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\iwkqwSs.exe
  C:\Windows\System\iwkqwSs.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\uQOKzfm.exe
  C:\Windows\System\uQOKzfm.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\ldSxyaA.exe
  C:\Windows\System\ldSxyaA.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\vrcAhCy.exe
  C:\Windows\System\vrcAhCy.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\edELVOz.exe
  C:\Windows\System\edELVOz.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\nCwqAnb.exe
  C:\Windows\System\nCwqAnb.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\nXzExCb.exe
  C:\Windows\System\nXzExCb.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\OPBBVPC.exe
  C:\Windows\System\OPBBVPC.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Windows\System\YfZxHrg.exe
  C:\Windows\System\YfZxHrg.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\zZpsEWC.exe
  C:\Windows\System\zZpsEWC.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\ongfxnA.exe
  C:\Windows\System\ongfxnA.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\DfkLIEK.exe
  C:\Windows\System\DfkLIEK.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\itfQXVz.exe
  C:\Windows\System\itfQXVz.exe
  2⤵
  - Executes dropped EXE
  PID:3260
- C:\Windows\System\TxxdXxX.exe
  C:\Windows\System\TxxdXxX.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\SFlExZo.exe
  C:\Windows\System\SFlExZo.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\QYJUEMY.exe
  C:\Windows\System\QYJUEMY.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\ZUBBZdL.exe
  C:\Windows\System\ZUBBZdL.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\iLSFqOb.exe
  C:\Windows\System\iLSFqOb.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\mSpUjvj.exe
  C:\Windows\System\mSpUjvj.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\vJRFjPT.exe
  C:\Windows\System\vJRFjPT.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\yNbdDqC.exe
  C:\Windows\System\yNbdDqC.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\SLYcxVg.exe
  C:\Windows\System\SLYcxVg.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\optVgyR.exe
  C:\Windows\System\optVgyR.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\nQcILZq.exe
  C:\Windows\System\nQcILZq.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\sSUXnkq.exe
  C:\Windows\System\sSUXnkq.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\JZVbsla.exe
  C:\Windows\System\JZVbsla.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\aYNrGbr.exe
  C:\Windows\System\aYNrGbr.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\sQcqstK.exe
  C:\Windows\System\sQcqstK.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\NaFXSjG.exe
  C:\Windows\System\NaFXSjG.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\MMfXcTT.exe
  C:\Windows\System\MMfXcTT.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\UeWrkGw.exe
  C:\Windows\System\UeWrkGw.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\cLrjLeJ.exe
  C:\Windows\System\cLrjLeJ.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\System\YnFkAlr.exe
  C:\Windows\System\YnFkAlr.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\KnULqQj.exe
  C:\Windows\System\KnULqQj.exe
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\System\nuubxpQ.exe
  C:\Windows\System\nuubxpQ.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\hrlsium.exe
  C:\Windows\System\hrlsium.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\yJafluY.exe
  C:\Windows\System\yJafluY.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\qVpXeZV.exe
  C:\Windows\System\qVpXeZV.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\yLSMLkR.exe
  C:\Windows\System\yLSMLkR.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\pQvsmvc.exe
  C:\Windows\System\pQvsmvc.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\BSGseiD.exe
  C:\Windows\System\BSGseiD.exe
  2⤵
  PID:1956
- C:\Windows\System\GbsvUhK.exe
  C:\Windows\System\GbsvUhK.exe
  2⤵
  PID:3940
- C:\Windows\System\JzupKee.exe
  C:\Windows\System\JzupKee.exe
  2⤵
  PID:4292
- C:\Windows\System\QzzBEUE.exe
  C:\Windows\System\QzzBEUE.exe
  2⤵
  PID:2968
- C:\Windows\System\snDbLIV.exe
  C:\Windows\System\snDbLIV.exe
  2⤵
  PID:3304
- C:\Windows\System\uTeDUli.exe
  C:\Windows\System\uTeDUli.exe
  2⤵
  PID:3980
- C:\Windows\System\RSMZkDJ.exe
  C:\Windows\System\RSMZkDJ.exe
  2⤵
  PID:5064
- C:\Windows\System\RsiKPAf.exe
  C:\Windows\System\RsiKPAf.exe
  2⤵
  PID:4732
- C:\Windows\System\TyDyPKv.exe
  C:\Windows\System\TyDyPKv.exe
  2⤵
  PID:4420
- C:\Windows\System\KEjfuwk.exe
  C:\Windows\System\KEjfuwk.exe
  2⤵
  PID:2420
- C:\Windows\System\uvtqONa.exe
  C:\Windows\System\uvtqONa.exe
  2⤵
  PID:4492
- C:\Windows\System\sWEOfPf.exe
  C:\Windows\System\sWEOfPf.exe
  2⤵
  PID:3156
- C:\Windows\System\SdXwUcL.exe
  C:\Windows\System\SdXwUcL.exe
  2⤵
  PID:2580
- C:\Windows\System\AjPnBiy.exe
  C:\Windows\System\AjPnBiy.exe
  2⤵
  PID:3676
- C:\Windows\System\BgxMlCL.exe
  C:\Windows\System\BgxMlCL.exe
  2⤵
  PID:5124
- C:\Windows\System\VtnTRZr.exe
  C:\Windows\System\VtnTRZr.exe
  2⤵
  PID:5152
- C:\Windows\System\ZjGdrTs.exe
  C:\Windows\System\ZjGdrTs.exe
  2⤵
  PID:5180
- C:\Windows\System\gkTtNzH.exe
  C:\Windows\System\gkTtNzH.exe
  2⤵
  PID:5204
- C:\Windows\System\RJTihXj.exe
  C:\Windows\System\RJTihXj.exe
  2⤵
  PID:5236
- C:\Windows\System\MmsDmiv.exe
  C:\Windows\System\MmsDmiv.exe
  2⤵
  PID:5264
- C:\Windows\System\ehxxBGu.exe
  C:\Windows\System\ehxxBGu.exe
  2⤵
  PID:5292
- C:\Windows\System\cEkXanp.exe
  C:\Windows\System\cEkXanp.exe
  2⤵
  PID:5320
- C:\Windows\System\XBIYTEB.exe
  C:\Windows\System\XBIYTEB.exe
  2⤵
  PID:5348
- C:\Windows\System\CjHlrGy.exe
  C:\Windows\System\CjHlrGy.exe
  2⤵
  PID:5380
- C:\Windows\System\bBoavdn.exe
  C:\Windows\System\bBoavdn.exe
  2⤵
  PID:5408
- C:\Windows\System\YmceIYx.exe
  C:\Windows\System\YmceIYx.exe
  2⤵
  PID:5436
- C:\Windows\System\xNIHWdh.exe
  C:\Windows\System\xNIHWdh.exe
  2⤵
  PID:5464
- C:\Windows\System\ccVNISU.exe
  C:\Windows\System\ccVNISU.exe
  2⤵
  PID:5488
- C:\Windows\System\DdousTa.exe
  C:\Windows\System\DdousTa.exe
  2⤵
  PID:5516
- C:\Windows\System\rHzhZDc.exe
  C:\Windows\System\rHzhZDc.exe
  2⤵
  PID:5548
- C:\Windows\System\kMLOJBO.exe
  C:\Windows\System\kMLOJBO.exe
  2⤵
  PID:5572
- C:\Windows\System\hBbbumc.exe
  C:\Windows\System\hBbbumc.exe
  2⤵
  PID:5600
- C:\Windows\System\IdJBRzQ.exe
  C:\Windows\System\IdJBRzQ.exe
  2⤵
  PID:5624
- C:\Windows\System\gEhOXvl.exe
  C:\Windows\System\gEhOXvl.exe
  2⤵
  PID:5656
- C:\Windows\System\hQfDHaI.exe
  C:\Windows\System\hQfDHaI.exe
  2⤵
  PID:5688
- C:\Windows\System\oVgVrhB.exe
  C:\Windows\System\oVgVrhB.exe
  2⤵
  PID:5716
- C:\Windows\System\UCElnmp.exe
  C:\Windows\System\UCElnmp.exe
  2⤵
  PID:5752
- C:\Windows\System\TAhNwnT.exe
  C:\Windows\System\TAhNwnT.exe
  2⤵
  PID:5780
- C:\Windows\System\yhVTVVy.exe
  C:\Windows\System\yhVTVVy.exe
  2⤵
  PID:5804
- C:\Windows\System\IzLjzvc.exe
  C:\Windows\System\IzLjzvc.exe
  2⤵
  PID:5840
- C:\Windows\System\JUMegyc.exe
  C:\Windows\System\JUMegyc.exe
  2⤵
  PID:5868
- C:\Windows\System\DXfiSvB.exe
  C:\Windows\System\DXfiSvB.exe
  2⤵
  PID:5896
- C:\Windows\System\NsSSQab.exe
  C:\Windows\System\NsSSQab.exe
  2⤵
  PID:5924
- C:\Windows\System\fVcMNRU.exe
  C:\Windows\System\fVcMNRU.exe
  2⤵
  PID:5948
- C:\Windows\System\mWWnVWz.exe
  C:\Windows\System\mWWnVWz.exe
  2⤵
  PID:5980
- C:\Windows\System\GbxEqOo.exe
  C:\Windows\System\GbxEqOo.exe
  2⤵
  PID:6008
- C:\Windows\System\vcqvvmN.exe
  C:\Windows\System\vcqvvmN.exe
  2⤵
  PID:6036
- C:\Windows\System\wmnwDGl.exe
  C:\Windows\System\wmnwDGl.exe
  2⤵
  PID:6064
- C:\Windows\System\jhnGxWW.exe
  C:\Windows\System\jhnGxWW.exe
  2⤵
  PID:6112
- C:\Windows\System\ZjJalru.exe
  C:\Windows\System\ZjJalru.exe
  2⤵
  PID:6140
- C:\Windows\System\SueuaON.exe
  C:\Windows\System\SueuaON.exe
  2⤵
  PID:2300
- C:\Windows\System\QNIwaae.exe
  C:\Windows\System\QNIwaae.exe
  2⤵
  PID:2952
- C:\Windows\System\vKhkZtj.exe
  C:\Windows\System\vKhkZtj.exe
  2⤵
  PID:4776
- C:\Windows\System\QoeqlzA.exe
  C:\Windows\System\QoeqlzA.exe
  2⤵
  PID:5168
- C:\Windows\System\yzueyeH.exe
  C:\Windows\System\yzueyeH.exe
  2⤵
  PID:5220
- C:\Windows\System\wdmbHed.exe
  C:\Windows\System\wdmbHed.exe
  2⤵
  PID:5252
- C:\Windows\System\lUwUoFp.exe
  C:\Windows\System\lUwUoFp.exe
  2⤵
  PID:5368
- C:\Windows\System\FPSBkcy.exe
  C:\Windows\System\FPSBkcy.exe
  2⤵
  PID:2044
- C:\Windows\System\sjnPEjS.exe
  C:\Windows\System\sjnPEjS.exe
  2⤵
  PID:5556
- C:\Windows\System\qgoKFwH.exe
  C:\Windows\System\qgoKFwH.exe
  2⤵
  PID:5588
- C:\Windows\System\WNoKwnW.exe
  C:\Windows\System\WNoKwnW.exe
  2⤵
  PID:5612
- C:\Windows\System\bPWPPuR.exe
  C:\Windows\System\bPWPPuR.exe
  2⤵
  PID:5640
- C:\Windows\System\FTKlLCt.exe
  C:\Windows\System\FTKlLCt.exe
  2⤵
  PID:868
- C:\Windows\System\YcpkNIW.exe
  C:\Windows\System\YcpkNIW.exe
  2⤵
  PID:4632
- C:\Windows\System\ybKMHFp.exe
  C:\Windows\System\ybKMHFp.exe
  2⤵
  PID:5760
- C:\Windows\System\piRdLKr.exe
  C:\Windows\System\piRdLKr.exe
  2⤵
  PID:5772
- C:\Windows\System\xQCagOF.exe
  C:\Windows\System\xQCagOF.exe
  2⤵
  PID:5800
- C:\Windows\System\UvGueYk.exe
  C:\Windows\System\UvGueYk.exe
  2⤵
  PID:5828
- C:\Windows\System\PODuNET.exe
  C:\Windows\System\PODuNET.exe
  2⤵
  PID:5876
- C:\Windows\System\AlaOfeL.exe
  C:\Windows\System\AlaOfeL.exe
  2⤵
  PID:5916
- C:\Windows\System\lKbOxsW.exe
  C:\Windows\System\lKbOxsW.exe
  2⤵
  PID:4880
- C:\Windows\System\cfWWFse.exe
  C:\Windows\System\cfWWFse.exe
  2⤵
  PID:3268
- C:\Windows\System\nOotuog.exe
  C:\Windows\System\nOotuog.exe
  2⤵
  PID:6052
- C:\Windows\System\QxLlIfO.exe
  C:\Windows\System\QxLlIfO.exe
  2⤵
  PID:6080
- C:\Windows\System\baBCIjr.exe
  C:\Windows\System\baBCIjr.exe
  2⤵
  PID:4812
- C:\Windows\System\nOWCerv.exe
  C:\Windows\System\nOWCerv.exe
  2⤵
  PID:4628
- C:\Windows\System\hWDixRe.exe
  C:\Windows\System\hWDixRe.exe
  2⤵
  PID:2608
- C:\Windows\System\fUCUvmx.exe
  C:\Windows\System\fUCUvmx.exe
  2⤵
  PID:3452
- C:\Windows\System\OCuiDRs.exe
  C:\Windows\System\OCuiDRs.exe
  2⤵
  PID:5244
- C:\Windows\System\zppJepm.exe
  C:\Windows\System\zppJepm.exe
  2⤵
  PID:5360
- C:\Windows\System\CglXAlS.exe
  C:\Windows\System\CglXAlS.exe
  2⤵
  PID:2728
- C:\Windows\System\ANQIydF.exe
  C:\Windows\System\ANQIydF.exe
  2⤵
  PID:5592
- C:\Windows\System\MKVpxLQ.exe
  C:\Windows\System\MKVpxLQ.exe
  2⤵
  PID:5676
- C:\Windows\System\xhIprPl.exe
  C:\Windows\System\xhIprPl.exe
  2⤵
  PID:3672
- C:\Windows\System\EGwoSeH.exe
  C:\Windows\System\EGwoSeH.exe
  2⤵
  PID:5904
- C:\Windows\System\eizsiLz.exe
  C:\Windows\System\eizsiLz.exe
  2⤵
  PID:656
- C:\Windows\System\QiPAxWf.exe
  C:\Windows\System\QiPAxWf.exe
  2⤵
  PID:1876
- C:\Windows\System\atDhjPc.exe
  C:\Windows\System\atDhjPc.exe
  2⤵
  PID:3336
- C:\Windows\System\cWBIEvI.exe
  C:\Windows\System\cWBIEvI.exe
  2⤵
  PID:5364
- C:\Windows\System\EMpTceV.exe
  C:\Windows\System\EMpTceV.exe
  2⤵
  PID:5824
- C:\Windows\System\rsZpmpL.exe
  C:\Windows\System\rsZpmpL.exe
  2⤵
  PID:3028
- C:\Windows\System\QBWswNR.exe
  C:\Windows\System\QBWswNR.exe
  2⤵
  PID:5428
- C:\Windows\System\CdnACeW.exe
  C:\Windows\System\CdnACeW.exe
  2⤵
  PID:6168
- C:\Windows\System\kFKeUic.exe
  C:\Windows\System\kFKeUic.exe
  2⤵
  PID:6184
- C:\Windows\System\JCfWDWb.exe
  C:\Windows\System\JCfWDWb.exe
  2⤵
  PID:6220
- C:\Windows\System\mzkUoGa.exe
  C:\Windows\System\mzkUoGa.exe
  2⤵
  PID:6248
- C:\Windows\System\nsKMYBs.exe
  C:\Windows\System\nsKMYBs.exe
  2⤵
  PID:6320
- C:\Windows\System\JOcMnxt.exe
  C:\Windows\System\JOcMnxt.exe
  2⤵
  PID:6352
- C:\Windows\System\odAwALh.exe
  C:\Windows\System\odAwALh.exe
  2⤵
  PID:6380
- C:\Windows\System\SNPRNxO.exe
  C:\Windows\System\SNPRNxO.exe
  2⤵
  PID:6404
- C:\Windows\System\wTYemNw.exe
  C:\Windows\System\wTYemNw.exe
  2⤵
  PID:6432
- C:\Windows\System\zlagWsK.exe
  C:\Windows\System\zlagWsK.exe
  2⤵
  PID:6460
- C:\Windows\System\eZuRrwj.exe
  C:\Windows\System\eZuRrwj.exe
  2⤵
  PID:6488
- C:\Windows\System\FaAbOLF.exe
  C:\Windows\System\FaAbOLF.exe
  2⤵
  PID:6520
- C:\Windows\System\tVreots.exe
  C:\Windows\System\tVreots.exe
  2⤵
  PID:6544
- C:\Windows\System\OqXCXFc.exe
  C:\Windows\System\OqXCXFc.exe
  2⤵
  PID:6596
- C:\Windows\System\rZFwUPI.exe
  C:\Windows\System\rZFwUPI.exe
  2⤵
  PID:6612
- C:\Windows\System\OVktNFX.exe
  C:\Windows\System\OVktNFX.exe
  2⤵
  PID:6628
- C:\Windows\System\TbylKot.exe
  C:\Windows\System\TbylKot.exe
  2⤵
  PID:6644
- C:\Windows\System\RtDzgbz.exe
  C:\Windows\System\RtDzgbz.exe
  2⤵
  PID:6660
- C:\Windows\System\JRjEooc.exe
  C:\Windows\System\JRjEooc.exe
  2⤵
  PID:6676
- C:\Windows\System\ybgLWII.exe
  C:\Windows\System\ybgLWII.exe
  2⤵
  PID:6692
- C:\Windows\System\eYnzRbJ.exe
  C:\Windows\System\eYnzRbJ.exe
  2⤵
  PID:6708
- C:\Windows\System\sEglxyl.exe
  C:\Windows\System\sEglxyl.exe
  2⤵
  PID:6724
- C:\Windows\System\fXdOGic.exe
  C:\Windows\System\fXdOGic.exe
  2⤵
  PID:6740
- C:\Windows\System\fKhBZbh.exe
  C:\Windows\System\fKhBZbh.exe
  2⤵
  PID:6756
- C:\Windows\System\WpnGkgU.exe
  C:\Windows\System\WpnGkgU.exe
  2⤵
  PID:6772
- C:\Windows\System\sRxbEXe.exe
  C:\Windows\System\sRxbEXe.exe
  2⤵
  PID:6788
- C:\Windows\System\yZHchFQ.exe
  C:\Windows\System\yZHchFQ.exe
  2⤵
  PID:6804
- C:\Windows\System\aHOoOcO.exe
  C:\Windows\System\aHOoOcO.exe
  2⤵
  PID:6820
- C:\Windows\System\JnrTmVN.exe
  C:\Windows\System\JnrTmVN.exe
  2⤵
  PID:6836
- C:\Windows\System\hymTPgS.exe
  C:\Windows\System\hymTPgS.exe
  2⤵
  PID:6852
- C:\Windows\System\rIbgWVc.exe
  C:\Windows\System\rIbgWVc.exe
  2⤵
  PID:6868
- C:\Windows\System\jiseKsH.exe
  C:\Windows\System\jiseKsH.exe
  2⤵
  PID:6884
- C:\Windows\System\MBgteWo.exe
  C:\Windows\System\MBgteWo.exe
  2⤵
  PID:6900
- C:\Windows\System\bBcpLzh.exe
  C:\Windows\System\bBcpLzh.exe
  2⤵
  PID:6916
- C:\Windows\System\PAWxggg.exe
  C:\Windows\System\PAWxggg.exe
  2⤵
  PID:6932
- C:\Windows\System\SPZnReI.exe
  C:\Windows\System\SPZnReI.exe
  2⤵
  PID:6968
- C:\Windows\System\DFvJhbx.exe
  C:\Windows\System\DFvJhbx.exe
  2⤵
  PID:7004
- C:\Windows\System\dUaLKcJ.exe
  C:\Windows\System\dUaLKcJ.exe
  2⤵
  PID:7056
- C:\Windows\System\eoFqJvM.exe
  C:\Windows\System\eoFqJvM.exe
  2⤵
  PID:7072
- C:\Windows\System\TlWFewX.exe
  C:\Windows\System\TlWFewX.exe
  2⤵
  PID:7088
- C:\Windows\System\ApahKlu.exe
  C:\Windows\System\ApahKlu.exe
  2⤵
  PID:7108
- C:\Windows\System\poPzQrk.exe
  C:\Windows\System\poPzQrk.exe
  2⤵
  PID:6392
- C:\Windows\System\xLadvpG.exe
  C:\Windows\System\xLadvpG.exe
  2⤵
  PID:6244
- C:\Windows\System\QRImUpt.exe
  C:\Windows\System\QRImUpt.exe
  2⤵
  PID:6636
- C:\Windows\System\bUBlbNb.exe
  C:\Windows\System\bUBlbNb.exe
  2⤵
  PID:6732
- C:\Windows\System\QquQaol.exe
  C:\Windows\System\QquQaol.exe
  2⤵
  PID:6768
- C:\Windows\System\NlwCCyw.exe
  C:\Windows\System\NlwCCyw.exe
  2⤵
  PID:6800
- C:\Windows\System\PrrQOxp.exe
  C:\Windows\System\PrrQOxp.exe
  2⤵
  PID:6992
- C:\Windows\System\diBAeDz.exe
  C:\Windows\System\diBAeDz.exe
  2⤵
  PID:7036
- C:\Windows\System\zmasWkP.exe
  C:\Windows\System\zmasWkP.exe
  2⤵
  PID:4544
- C:\Windows\System\WFUOWPN.exe
  C:\Windows\System\WFUOWPN.exe
  2⤵
  PID:7068
- C:\Windows\System\JQWSDdu.exe
  C:\Windows\System\JQWSDdu.exe
  2⤵
  PID:6428
- C:\Windows\System\vKRjnVa.exe
  C:\Windows\System\vKRjnVa.exe
  2⤵
  PID:6288
- C:\Windows\System\JCMsiVv.exe
  C:\Windows\System\JCMsiVv.exe
  2⤵
  PID:5968
- C:\Windows\System\MnVYpDB.exe
  C:\Windows\System\MnVYpDB.exe
  2⤵
  PID:6400
- C:\Windows\System\yxahVDZ.exe
  C:\Windows\System\yxahVDZ.exe
  2⤵
  PID:7160
- C:\Windows\System\cmqsfzt.exe
  C:\Windows\System\cmqsfzt.exe
  2⤵
  PID:6828
- C:\Windows\System\LJzgHOb.exe
  C:\Windows\System\LJzgHOb.exe
  2⤵
  PID:6908
- C:\Windows\System\VQnqlPQ.exe
  C:\Windows\System\VQnqlPQ.exe
  2⤵
  PID:5344
- C:\Windows\System\Cexmqxv.exe
  C:\Windows\System\Cexmqxv.exe
  2⤵
  PID:7052
- C:\Windows\System\kdnUGDw.exe
  C:\Windows\System\kdnUGDw.exe
  2⤵
  PID:6200
- C:\Windows\System\BEtLcll.exe
  C:\Windows\System\BEtLcll.exe
  2⤵
  PID:6164
- C:\Windows\System\HHFLibW.exe
  C:\Windows\System\HHFLibW.exe
  2⤵
  PID:2208
- C:\Windows\System\VnkmKfI.exe
  C:\Windows\System\VnkmKfI.exe
  2⤵
  PID:6448
- C:\Windows\System\XIxnntO.exe
  C:\Windows\System\XIxnntO.exe
  2⤵
  PID:2584
- C:\Windows\System\MomtsVD.exe
  C:\Windows\System\MomtsVD.exe
  2⤵
  PID:7184
- C:\Windows\System\xFgAbjf.exe
  C:\Windows\System\xFgAbjf.exe
  2⤵
  PID:7208
- C:\Windows\System\cUzaYLg.exe
  C:\Windows\System\cUzaYLg.exe
  2⤵
  PID:7228
- C:\Windows\System\WIzIRbi.exe
  C:\Windows\System\WIzIRbi.exe
  2⤵
  PID:7244
- C:\Windows\System\JHeShQt.exe
  C:\Windows\System\JHeShQt.exe
  2⤵
  PID:7272
- C:\Windows\System\coQgVgW.exe
  C:\Windows\System\coQgVgW.exe
  2⤵
  PID:7288
- C:\Windows\System\zxkvjhC.exe
  C:\Windows\System\zxkvjhC.exe
  2⤵
  PID:7308
- C:\Windows\System\WPrvRtT.exe
  C:\Windows\System\WPrvRtT.exe
  2⤵
  PID:7344
- C:\Windows\System\aafUmEs.exe
  C:\Windows\System\aafUmEs.exe
  2⤵
  PID:7364
- C:\Windows\System\GDkFOvK.exe
  C:\Windows\System\GDkFOvK.exe
  2⤵
  PID:7380
- C:\Windows\System\QEIDIti.exe
  C:\Windows\System\QEIDIti.exe
  2⤵
  PID:7408
- C:\Windows\System\NTyXesq.exe
  C:\Windows\System\NTyXesq.exe
  2⤵
  PID:7432
- C:\Windows\System\WVpSjpf.exe
  C:\Windows\System\WVpSjpf.exe
  2⤵
  PID:7532
- C:\Windows\System\pZwjvYC.exe
  C:\Windows\System\pZwjvYC.exe
  2⤵
  PID:7552
- C:\Windows\System\BbsXqJx.exe
  C:\Windows\System\BbsXqJx.exe
  2⤵
  PID:7580
- C:\Windows\System\SeqXiHv.exe
  C:\Windows\System\SeqXiHv.exe
  2⤵
  PID:7604
- C:\Windows\System\wLFTEMs.exe
  C:\Windows\System\wLFTEMs.exe
  2⤵
  PID:7668
- C:\Windows\System\MmJzmSO.exe
  C:\Windows\System\MmJzmSO.exe
  2⤵
  PID:7688
- C:\Windows\System\NIMrlAr.exe
  C:\Windows\System\NIMrlAr.exe
  2⤵
  PID:7712
- C:\Windows\System\ZpcOiPX.exe
  C:\Windows\System\ZpcOiPX.exe
  2⤵
  PID:7732
- C:\Windows\System\jkpEgqy.exe
  C:\Windows\System\jkpEgqy.exe
  2⤵
  PID:7752
- C:\Windows\System\eveZezQ.exe
  C:\Windows\System\eveZezQ.exe
  2⤵
  PID:7776
- C:\Windows\System\GRiQiDe.exe
  C:\Windows\System\GRiQiDe.exe
  2⤵
  PID:7804
- C:\Windows\System\PmYDLUD.exe
  C:\Windows\System\PmYDLUD.exe
  2⤵
  PID:7852
- C:\Windows\System\DyFuUVw.exe
  C:\Windows\System\DyFuUVw.exe
  2⤵
  PID:7872
- C:\Windows\System\fktLWno.exe
  C:\Windows\System\fktLWno.exe
  2⤵
  PID:7900
- C:\Windows\System\ebKhhCA.exe
  C:\Windows\System\ebKhhCA.exe
  2⤵
  PID:7920
- C:\Windows\System\uOTkBnU.exe
  C:\Windows\System\uOTkBnU.exe
  2⤵
  PID:7952
- C:\Windows\System\vcxWtOy.exe
  C:\Windows\System\vcxWtOy.exe
  2⤵
  PID:7980
- C:\Windows\System\TUiEfZT.exe
  C:\Windows\System\TUiEfZT.exe
  2⤵
  PID:8004
- C:\Windows\System\DZwcNAl.exe
  C:\Windows\System\DZwcNAl.exe
  2⤵
  PID:8040
- C:\Windows\System\bTXQnOC.exe
  C:\Windows\System\bTXQnOC.exe
  2⤵
  PID:8068
- C:\Windows\System\rtupIXL.exe
  C:\Windows\System\rtupIXL.exe
  2⤵
  PID:8092
- C:\Windows\System\CiLuyYR.exe
  C:\Windows\System\CiLuyYR.exe
  2⤵
  PID:8124
- C:\Windows\System\FBfjHWv.exe
  C:\Windows\System\FBfjHWv.exe
  2⤵
  PID:8144
- C:\Windows\System\LgBdlEp.exe
  C:\Windows\System\LgBdlEp.exe
  2⤵
  PID:8164
- C:\Windows\System\gghCRUQ.exe
  C:\Windows\System\gghCRUQ.exe
  2⤵
  PID:7224
- C:\Windows\System\BzWvuCf.exe
  C:\Windows\System\BzWvuCf.exe
  2⤵
  PID:7280
- C:\Windows\System\GUHOMzw.exe
  C:\Windows\System\GUHOMzw.exe
  2⤵
  PID:7216
- C:\Windows\System\yGAELsm.exe
  C:\Windows\System\yGAELsm.exe
  2⤵
  PID:7264
- C:\Windows\System\CIUHjSX.exe
  C:\Windows\System\CIUHjSX.exe
  2⤵
  PID:7396
- C:\Windows\System\kJKVQtY.exe
  C:\Windows\System\kJKVQtY.exe
  2⤵
  PID:7484
- C:\Windows\System\CWNySnc.exe
  C:\Windows\System\CWNySnc.exe
  2⤵
  PID:7456
- C:\Windows\System\uXboWtp.exe
  C:\Windows\System\uXboWtp.exe
  2⤵
  PID:7560
- C:\Windows\System\pSQWgCx.exe
  C:\Windows\System\pSQWgCx.exe
  2⤵
  PID:7652
- C:\Windows\System\YSdyvma.exe
  C:\Windows\System\YSdyvma.exe
  2⤵
  PID:7728
- C:\Windows\System\KZyXgKz.exe
  C:\Windows\System\KZyXgKz.exe
  2⤵
  PID:7824
- C:\Windows\System\rpWWaWf.exe
  C:\Windows\System\rpWWaWf.exe
  2⤵
  PID:7848
- C:\Windows\System\pxztWqQ.exe
  C:\Windows\System\pxztWqQ.exe
  2⤵
  PID:8012
- C:\Windows\System\GtSbnwM.exe
  C:\Windows\System\GtSbnwM.exe
  2⤵
  PID:8064
- C:\Windows\System\OWdYjrW.exe
  C:\Windows\System\OWdYjrW.exe
  2⤵
  PID:8136
- C:\Windows\System\nZWZHdh.exe
  C:\Windows\System\nZWZHdh.exe
  2⤵
  PID:7296
- C:\Windows\System\XJzntqS.exe
  C:\Windows\System\XJzntqS.exe
  2⤵
  PID:7336
- C:\Windows\System\RXsExFn.exe
  C:\Windows\System\RXsExFn.exe
  2⤵
  PID:7564
- C:\Windows\System\XykilDA.exe
  C:\Windows\System\XykilDA.exe
  2⤵
  PID:7620
- C:\Windows\System\mqmXEeI.exe
  C:\Windows\System\mqmXEeI.exe
  2⤵
  PID:7816
- C:\Windows\System\UtYLbcR.exe
  C:\Windows\System\UtYLbcR.exe
  2⤵
  PID:7832
- C:\Windows\System\hIPijWH.exe
  C:\Windows\System\hIPijWH.exe
  2⤵
  PID:8100
- C:\Windows\System\NuyvcEf.exe
  C:\Windows\System\NuyvcEf.exe
  2⤵
  PID:4244
- C:\Windows\System\tZtKTDr.exe
  C:\Windows\System\tZtKTDr.exe
  2⤵
  PID:7472
- C:\Windows\System\HkrAAGp.exe
  C:\Windows\System\HkrAAGp.exe
  2⤵
  PID:3884
- C:\Windows\System\IwPCBRp.exe
  C:\Windows\System\IwPCBRp.exe
  2⤵
  PID:7192
- C:\Windows\System\BDfdtkS.exe
  C:\Windows\System\BDfdtkS.exe
  2⤵
  PID:8204
- C:\Windows\System\xWaaxCv.exe
  C:\Windows\System\xWaaxCv.exe
  2⤵
  PID:8224
- C:\Windows\System\wQrOCyU.exe
  C:\Windows\System\wQrOCyU.exe
  2⤵
  PID:8240
- C:\Windows\System\ppZdJTK.exe
  C:\Windows\System\ppZdJTK.exe
  2⤵
  PID:8260
- C:\Windows\System\gEdbpdH.exe
  C:\Windows\System\gEdbpdH.exe
  2⤵
  PID:8316
- C:\Windows\System\cShnMbC.exe
  C:\Windows\System\cShnMbC.exe
  2⤵
  PID:8340
- C:\Windows\System\iAaBYYa.exe
  C:\Windows\System\iAaBYYa.exe
  2⤵
  PID:8364
- C:\Windows\System\qHrNyPI.exe
  C:\Windows\System\qHrNyPI.exe
  2⤵
  PID:8380
- C:\Windows\System\XvRPQbI.exe
  C:\Windows\System\XvRPQbI.exe
  2⤵
  PID:8400
- C:\Windows\System\tuIxLGK.exe
  C:\Windows\System\tuIxLGK.exe
  2⤵
  PID:8452
- C:\Windows\System\dtoLffQ.exe
  C:\Windows\System\dtoLffQ.exe
  2⤵
  PID:8472
- C:\Windows\System\JaqLzwQ.exe
  C:\Windows\System\JaqLzwQ.exe
  2⤵
  PID:8492
- C:\Windows\System\ddHbdzA.exe
  C:\Windows\System\ddHbdzA.exe
  2⤵
  PID:8540
- C:\Windows\System\MjfnOOf.exe
  C:\Windows\System\MjfnOOf.exe
  2⤵
  PID:8564
- C:\Windows\System\waOPOpv.exe
  C:\Windows\System\waOPOpv.exe
  2⤵
  PID:8604
- C:\Windows\System\ehwBWTo.exe
  C:\Windows\System\ehwBWTo.exe
  2⤵
  PID:8620
- C:\Windows\System\YClkREO.exe
  C:\Windows\System\YClkREO.exe
  2⤵
  PID:8644
- C:\Windows\System\HhoFaWv.exe
  C:\Windows\System\HhoFaWv.exe
  2⤵
  PID:8672
- C:\Windows\System\TKkqlvo.exe
  C:\Windows\System\TKkqlvo.exe
  2⤵
  PID:8728
- C:\Windows\System\KtEYiae.exe
  C:\Windows\System\KtEYiae.exe
  2⤵
  PID:8744
- C:\Windows\System\TjmanEc.exe
  C:\Windows\System\TjmanEc.exe
  2⤵
  PID:8784
- C:\Windows\System\rHVnlvv.exe
  C:\Windows\System\rHVnlvv.exe
  2⤵
  PID:8804
- C:\Windows\System\lTZkMgn.exe
  C:\Windows\System\lTZkMgn.exe
  2⤵
  PID:8832
- C:\Windows\System\iWnBOFQ.exe
  C:\Windows\System\iWnBOFQ.exe
  2⤵
  PID:8848
- C:\Windows\System\hZxxVGe.exe
  C:\Windows\System\hZxxVGe.exe
  2⤵
  PID:8880
- C:\Windows\System\OnIMeVi.exe
  C:\Windows\System\OnIMeVi.exe
  2⤵
  PID:8896
- C:\Windows\System\epunyLk.exe
  C:\Windows\System\epunyLk.exe
  2⤵
  PID:8920
- C:\Windows\System\LkHYABm.exe
  C:\Windows\System\LkHYABm.exe
  2⤵
  PID:8948
- C:\Windows\System\DXUKYqG.exe
  C:\Windows\System\DXUKYqG.exe
  2⤵
  PID:8968
- C:\Windows\System\CjbkCdy.exe
  C:\Windows\System\CjbkCdy.exe
  2⤵
  PID:8988
- C:\Windows\System\eJDtOJT.exe
  C:\Windows\System\eJDtOJT.exe
  2⤵
  PID:9012
- C:\Windows\System\xHfYsuX.exe
  C:\Windows\System\xHfYsuX.exe
  2⤵
  PID:9048
- C:\Windows\System\uBpEJLD.exe
  C:\Windows\System\uBpEJLD.exe
  2⤵
  PID:9072
- C:\Windows\System\EBRDcfS.exe
  C:\Windows\System\EBRDcfS.exe
  2⤵
  PID:9112
- C:\Windows\System\rKRjPWn.exe
  C:\Windows\System\rKRjPWn.exe
  2⤵
  PID:9136
- C:\Windows\System\csJNHIB.exe
  C:\Windows\System\csJNHIB.exe
  2⤵
  PID:9160
- C:\Windows\System\CHlDBra.exe
  C:\Windows\System\CHlDBra.exe
  2⤵
  PID:9184
- C:\Windows\System\ngPqKwi.exe
  C:\Windows\System\ngPqKwi.exe
  2⤵
  PID:9204
- C:\Windows\System\LUfIbpz.exe
  C:\Windows\System\LUfIbpz.exe
  2⤵
  PID:7972
- C:\Windows\System\iZWvyxU.exe
  C:\Windows\System\iZWvyxU.exe
  2⤵
  PID:8284
- C:\Windows\System\QApqTVD.exe
  C:\Windows\System\QApqTVD.exe
  2⤵
  PID:8308
- C:\Windows\System\ivNsDvW.exe
  C:\Windows\System\ivNsDvW.exe
  2⤵
  PID:8416
- C:\Windows\System\vpKtvVg.exe
  C:\Windows\System\vpKtvVg.exe
  2⤵
  PID:8548
- C:\Windows\System\jILABcx.exe
  C:\Windows\System\jILABcx.exe
  2⤵
  PID:8536
- C:\Windows\System\WThSDeV.exe
  C:\Windows\System\WThSDeV.exe
  2⤵
  PID:8580
- C:\Windows\System\pPWkeBm.exe
  C:\Windows\System\pPWkeBm.exe
  2⤵
  PID:8680
- C:\Windows\System\ghUNeFV.exe
  C:\Windows\System\ghUNeFV.exe
  2⤵
  PID:8776
- C:\Windows\System\KHhHMXx.exe
  C:\Windows\System\KHhHMXx.exe
  2⤵
  PID:8864
- C:\Windows\System\xBNBory.exe
  C:\Windows\System\xBNBory.exe
  2⤵
  PID:8904
- C:\Windows\System\OPBomvh.exe
  C:\Windows\System\OPBomvh.exe
  2⤵
  PID:8976
- C:\Windows\System\QtAhRen.exe
  C:\Windows\System\QtAhRen.exe
  2⤵
  PID:9068
- C:\Windows\System\KeFXSsG.exe
  C:\Windows\System\KeFXSsG.exe
  2⤵
  PID:9120
- C:\Windows\System\EfTKcSK.exe
  C:\Windows\System\EfTKcSK.exe
  2⤵
  PID:9200
- C:\Windows\System\btgdRUi.exe
  C:\Windows\System\btgdRUi.exe
  2⤵
  PID:8236
- C:\Windows\System\YwciUod.exe
  C:\Windows\System\YwciUod.exe
  2⤵
  PID:7064
- C:\Windows\System\AyCAcny.exe
  C:\Windows\System\AyCAcny.exe
  2⤵
  PID:8424
- C:\Windows\System\fdCGHaJ.exe
  C:\Windows\System\fdCGHaJ.exe
  2⤵
  PID:8612
- C:\Windows\System\eEpCcuv.exe
  C:\Windows\System\eEpCcuv.exe
  2⤵
  PID:8888
- C:\Windows\System\tPhzPmn.exe
  C:\Windows\System\tPhzPmn.exe
  2⤵
  PID:8964
- C:\Windows\System\RIztKFV.exe
  C:\Windows\System\RIztKFV.exe
  2⤵
  PID:9008
- C:\Windows\System\FyhUPoc.exe
  C:\Windows\System\FyhUPoc.exe
  2⤵
  PID:8172
- C:\Windows\System\wHXuEfo.exe
  C:\Windows\System\wHXuEfo.exe
  2⤵
  PID:8464
- C:\Windows\System\fzoIHXz.exe
  C:\Windows\System\fzoIHXz.exe
  2⤵
  PID:8712
- C:\Windows\System\qRTYERt.exe
  C:\Windows\System\qRTYERt.exe
  2⤵
  PID:8844
- C:\Windows\System\wwqyqEv.exe
  C:\Windows\System\wwqyqEv.exe
  2⤵
  PID:8940
- C:\Windows\System\djxGGDh.exe
  C:\Windows\System\djxGGDh.exe
  2⤵
  PID:8484
- C:\Windows\System\DiJhqjg.exe
  C:\Windows\System\DiJhqjg.exe
  2⤵
  PID:9264
- C:\Windows\System\hPrXQqX.exe
  C:\Windows\System\hPrXQqX.exe
  2⤵
  PID:9284
- C:\Windows\System\mzqJFoj.exe
  C:\Windows\System\mzqJFoj.exe
  2⤵
  PID:9312
- C:\Windows\System\uFUQszx.exe
  C:\Windows\System\uFUQszx.exe
  2⤵
  PID:9344
- C:\Windows\System\gjVfuOs.exe
  C:\Windows\System\gjVfuOs.exe
  2⤵
  PID:9360
- C:\Windows\System\alkiSnb.exe
  C:\Windows\System\alkiSnb.exe
  2⤵
  PID:9380
- C:\Windows\System\MpmOSgp.exe
  C:\Windows\System\MpmOSgp.exe
  2⤵
  PID:9404
- C:\Windows\System\tZzKFYn.exe
  C:\Windows\System\tZzKFYn.exe
  2⤵
  PID:9432
- C:\Windows\System\YRqoTdL.exe
  C:\Windows\System\YRqoTdL.exe
  2⤵
  PID:9448
- C:\Windows\System\UpJvCZs.exe
  C:\Windows\System\UpJvCZs.exe
  2⤵
  PID:9496
- C:\Windows\System\wBQfLrf.exe
  C:\Windows\System\wBQfLrf.exe
  2⤵
  PID:9512
- C:\Windows\System\OvEpvDz.exe
  C:\Windows\System\OvEpvDz.exe
  2⤵
  PID:9588
- C:\Windows\System\orikezr.exe
  C:\Windows\System\orikezr.exe
  2⤵
  PID:9624
- C:\Windows\System\ovkghrr.exe
  C:\Windows\System\ovkghrr.exe
  2⤵
  PID:9640
- C:\Windows\System\nqHnlKl.exe
  C:\Windows\System\nqHnlKl.exe
  2⤵
  PID:9660
- C:\Windows\System\pXNrerq.exe
  C:\Windows\System\pXNrerq.exe
  2⤵
  PID:9692
- C:\Windows\System\FPjLwNa.exe
  C:\Windows\System\FPjLwNa.exe
  2⤵
  PID:9724
- C:\Windows\System\TdnLoGl.exe
  C:\Windows\System\TdnLoGl.exe
  2⤵
  PID:9744
- C:\Windows\System\OOQCBhl.exe
  C:\Windows\System\OOQCBhl.exe
  2⤵
  PID:9768
- C:\Windows\System\BWOaiRe.exe
  C:\Windows\System\BWOaiRe.exe
  2⤵
  PID:9788
- C:\Windows\System\EJgLrqt.exe
  C:\Windows\System\EJgLrqt.exe
  2⤵
  PID:9816
- C:\Windows\System\kleRhEJ.exe
  C:\Windows\System\kleRhEJ.exe
  2⤵
  PID:9840
- C:\Windows\System\riEQKth.exe
  C:\Windows\System\riEQKth.exe
  2⤵
  PID:9864
- C:\Windows\System\ezmmgAV.exe
  C:\Windows\System\ezmmgAV.exe
  2⤵
  PID:9880
- C:\Windows\System\YpUKeYC.exe
  C:\Windows\System\YpUKeYC.exe
  2⤵
  PID:9900
- C:\Windows\System\TBiEwdD.exe
  C:\Windows\System\TBiEwdD.exe
  2⤵
  PID:9920
- C:\Windows\System\CiJTaPN.exe
  C:\Windows\System\CiJTaPN.exe
  2⤵
  PID:9940
- C:\Windows\System\VxhVdhT.exe
  C:\Windows\System\VxhVdhT.exe
  2⤵
  PID:9992
- C:\Windows\System\vdffjFw.exe
  C:\Windows\System\vdffjFw.exe
  2⤵
  PID:10032
- C:\Windows\System\oFjJhkD.exe
  C:\Windows\System\oFjJhkD.exe
  2⤵
  PID:10072
- C:\Windows\System\STTXDJC.exe
  C:\Windows\System\STTXDJC.exe
  2⤵
  PID:10100
- C:\Windows\System\zVNqhpx.exe
  C:\Windows\System\zVNqhpx.exe
  2⤵
  PID:10116
- C:\Windows\System\mAtMQUC.exe
  C:\Windows\System\mAtMQUC.exe
  2⤵
  PID:10144
- C:\Windows\System\FpPbRSY.exe
  C:\Windows\System\FpPbRSY.exe
  2⤵
  PID:10164
- C:\Windows\System\gDJbHUS.exe
  C:\Windows\System\gDJbHUS.exe
  2⤵
  PID:10200
- C:\Windows\System\nxeiREL.exe
  C:\Windows\System\nxeiREL.exe
  2⤵
  PID:10216
- C:\Windows\System\NDvTxnX.exe
  C:\Windows\System\NDvTxnX.exe
  2⤵
  PID:10236
- C:\Windows\System\hCsgWqN.exe
  C:\Windows\System\hCsgWqN.exe
  2⤵
  PID:9400
- C:\Windows\System\mFTzoWy.exe
  C:\Windows\System\mFTzoWy.exe
  2⤵
  PID:9328
- C:\Windows\System\HroDrkK.exe
  C:\Windows\System\HroDrkK.exe
  2⤵
  PID:9488
- C:\Windows\System\bvdVlrR.exe
  C:\Windows\System\bvdVlrR.exe
  2⤵
  PID:9576
- C:\Windows\System\GtoBBDx.exe
  C:\Windows\System\GtoBBDx.exe
  2⤵
  PID:9648
- C:\Windows\System\vTYeUuO.exe
  C:\Windows\System\vTYeUuO.exe
  2⤵
  PID:9688
- C:\Windows\System\DwBPcfF.exe
  C:\Windows\System\DwBPcfF.exe
  2⤵
  PID:9764
- C:\Windows\System\EPfgnKl.exe
  C:\Windows\System\EPfgnKl.exe
  2⤵
  PID:9784
- C:\Windows\System\ojsfdRg.exe
  C:\Windows\System\ojsfdRg.exe
  2⤵
  PID:9860
- C:\Windows\System\LpxOVTF.exe
  C:\Windows\System\LpxOVTF.exe
  2⤵
  PID:9888
- C:\Windows\System\vVrCeAD.exe
  C:\Windows\System\vVrCeAD.exe
  2⤵
  PID:10004
- C:\Windows\System\uKWrQKh.exe
  C:\Windows\System\uKWrQKh.exe
  2⤵
  PID:10108
- C:\Windows\System\FEdFjkW.exe
  C:\Windows\System\FEdFjkW.exe
  2⤵
  PID:10092
- C:\Windows\System\ocEEzqA.exe
  C:\Windows\System\ocEEzqA.exe
  2⤵
  PID:10176
- C:\Windows\System\bzyrAii.exe
  C:\Windows\System\bzyrAii.exe
  2⤵
  PID:9248
- C:\Windows\System\KCgKnbJ.exe
  C:\Windows\System\KCgKnbJ.exe
  2⤵
  PID:9304
- C:\Windows\System\FAqgDvN.exe
  C:\Windows\System\FAqgDvN.exe
  2⤵
  PID:9444
- C:\Windows\System\LctxqIV.exe
  C:\Windows\System\LctxqIV.exe
  2⤵
  PID:9616
- C:\Windows\System\WWXyErH.exe
  C:\Windows\System\WWXyErH.exe
  2⤵
  PID:9808
- C:\Windows\System\VFGlCST.exe
  C:\Windows\System\VFGlCST.exe
  2⤵
  PID:9824
- C:\Windows\System\xyJhrjp.exe
  C:\Windows\System\xyJhrjp.exe
  2⤵
  PID:10224
- C:\Windows\System\nsLpFCB.exe
  C:\Windows\System\nsLpFCB.exe
  2⤵
  PID:9708
- C:\Windows\System\UNvQsBH.exe
  C:\Windows\System\UNvQsBH.exe
  2⤵
  PID:9908
- C:\Windows\System\hVEZaus.exe
  C:\Windows\System\hVEZaus.exe
  2⤵
  PID:10232
- C:\Windows\System\ixbvLdt.exe
  C:\Windows\System\ixbvLdt.exe
  2⤵
  PID:9196
- C:\Windows\System\rKqaVoC.exe
  C:\Windows\System\rKqaVoC.exe
  2⤵
  PID:10140
- C:\Windows\System\ezvZqen.exe
  C:\Windows\System\ezvZqen.exe
  2⤵
  PID:10248
- C:\Windows\System\OszTzGC.exe
  C:\Windows\System\OszTzGC.exe
  2⤵
  PID:10272
- C:\Windows\System\oleIdwf.exe
  C:\Windows\System\oleIdwf.exe
  2⤵
  PID:10292
- C:\Windows\System\ZxpzhEo.exe
  C:\Windows\System\ZxpzhEo.exe
  2⤵
  PID:10316
- C:\Windows\System\nYvuGyn.exe
  C:\Windows\System\nYvuGyn.exe
  2⤵
  PID:10344
- C:\Windows\System\RGvyEQi.exe
  C:\Windows\System\RGvyEQi.exe
  2⤵
  PID:10404
- C:\Windows\System\XGoLugi.exe
  C:\Windows\System\XGoLugi.exe
  2⤵
  PID:10428
- C:\Windows\System\klNidpN.exe
  C:\Windows\System\klNidpN.exe
  2⤵
  PID:10460
- C:\Windows\System\kGWoPPI.exe
  C:\Windows\System\kGWoPPI.exe
  2⤵
  PID:10484
- C:\Windows\System\SpFXnuF.exe
  C:\Windows\System\SpFXnuF.exe
  2⤵
  PID:10500
- C:\Windows\System\KCoRixX.exe
  C:\Windows\System\KCoRixX.exe
  2⤵
  PID:10524
- C:\Windows\System\osYbEkq.exe
  C:\Windows\System\osYbEkq.exe
  2⤵
  PID:10552
- C:\Windows\System\pJppqPu.exe
  C:\Windows\System\pJppqPu.exe
  2⤵
  PID:10600
- C:\Windows\System\tnktZyM.exe
  C:\Windows\System\tnktZyM.exe
  2⤵
  PID:10636
- C:\Windows\System\LsCaoMj.exe
  C:\Windows\System\LsCaoMj.exe
  2⤵
  PID:10660
- C:\Windows\System\FrNIPgf.exe
  C:\Windows\System\FrNIPgf.exe
  2⤵
  PID:10736
- C:\Windows\System\tAAZSxD.exe
  C:\Windows\System\tAAZSxD.exe
  2⤵
  PID:10788
- C:\Windows\System\PlkmxeH.exe
  C:\Windows\System\PlkmxeH.exe
  2⤵
  PID:10848
- C:\Windows\System\gJaIfBT.exe
  C:\Windows\System\gJaIfBT.exe
  2⤵
  PID:10896
- C:\Windows\System\OksWrsu.exe
  C:\Windows\System\OksWrsu.exe
  2⤵
  PID:10912
- C:\Windows\System\GWlAkXf.exe
  C:\Windows\System\GWlAkXf.exe
  2⤵
  PID:10928
- C:\Windows\System\tXhjVWH.exe
  C:\Windows\System\tXhjVWH.exe
  2⤵
  PID:10944
- C:\Windows\System\wrjRXcK.exe
  C:\Windows\System\wrjRXcK.exe
  2⤵
  PID:10960
- C:\Windows\System\dkbNQqS.exe
  C:\Windows\System\dkbNQqS.exe
  2⤵
  PID:10976
- C:\Windows\System\wrjvpLF.exe
  C:\Windows\System\wrjvpLF.exe
  2⤵
  PID:10992
- C:\Windows\System\LyOATob.exe
  C:\Windows\System\LyOATob.exe
  2⤵
  PID:11008
- C:\Windows\System\WbCBuxj.exe
  C:\Windows\System\WbCBuxj.exe
  2⤵
  PID:11024
- C:\Windows\System\CcUEolU.exe
  C:\Windows\System\CcUEolU.exe
  2⤵
  PID:11040
- C:\Windows\System\AoOstdy.exe
  C:\Windows\System\AoOstdy.exe
  2⤵
  PID:11056
- C:\Windows\System\GpKWYKD.exe
  C:\Windows\System\GpKWYKD.exe
  2⤵
  PID:11124
- C:\Windows\System\JjmeCUk.exe
  C:\Windows\System\JjmeCUk.exe
  2⤵
  PID:11156
- C:\Windows\System\VNBgDeR.exe
  C:\Windows\System\VNBgDeR.exe
  2⤵
  PID:11172
- C:\Windows\System\vNgiBle.exe
  C:\Windows\System\vNgiBle.exe
  2⤵
  PID:11200
- C:\Windows\System\xXBOKxg.exe
  C:\Windows\System\xXBOKxg.exe
  2⤵
  PID:11220
- C:\Windows\System\KCuOoEB.exe
  C:\Windows\System\KCuOoEB.exe
  2⤵
  PID:11244
- C:\Windows\System\wvPjVPv.exe
  C:\Windows\System\wvPjVPv.exe
  2⤵
  PID:9632
- C:\Windows\System\fjecCSW.exe
  C:\Windows\System\fjecCSW.exe
  2⤵
  PID:10256
- C:\Windows\System\sOOlCWI.exe
  C:\Windows\System\sOOlCWI.exe
  2⤵
  PID:10288
- C:\Windows\System\ZHyFCzS.exe
  C:\Windows\System\ZHyFCzS.exe
  2⤵
  PID:10440
- C:\Windows\System\kwtLCaX.exe
  C:\Windows\System\kwtLCaX.exe
  2⤵
  PID:10456
- C:\Windows\System\LSlLnCs.exe
  C:\Windows\System\LSlLnCs.exe
  2⤵
  PID:10480
- C:\Windows\System\TLkzRPj.exe
  C:\Windows\System\TLkzRPj.exe
  2⤵
  PID:10540
- C:\Windows\System\cySdagX.exe
  C:\Windows\System\cySdagX.exe
  2⤵
  PID:10824
- C:\Windows\System\ydNmhLb.exe
  C:\Windows\System\ydNmhLb.exe
  2⤵
  PID:10760
- C:\Windows\System\GKFUkdy.exe
  C:\Windows\System\GKFUkdy.exe
  2⤵
  PID:10820
- C:\Windows\System\etcHfvD.exe
  C:\Windows\System\etcHfvD.exe
  2⤵
  PID:11020
- C:\Windows\System\xytgJho.exe
  C:\Windows\System\xytgJho.exe
  2⤵
  PID:11052
- C:\Windows\System\xXVUIdG.exe
  C:\Windows\System\xXVUIdG.exe
  2⤵
  PID:11100
- C:\Windows\System\aNMMRDq.exe
  C:\Windows\System\aNMMRDq.exe
  2⤵
  PID:11184
- C:\Windows\System\EcYLqFl.exe
  C:\Windows\System\EcYLqFl.exe
  2⤵
  PID:11236
- C:\Windows\System\cUVGtyp.exe
  C:\Windows\System\cUVGtyp.exe
  2⤵
  PID:10360
- C:\Windows\System\FTvivbO.exe
  C:\Windows\System\FTvivbO.exe
  2⤵
  PID:10392
- C:\Windows\System\mmsANPR.exe
  C:\Windows\System\mmsANPR.exe
  2⤵
  PID:10720
- C:\Windows\System\xjnedjK.exe
  C:\Windows\System\xjnedjK.exe
  2⤵
  PID:10704
- C:\Windows\System\ntRcKoo.exe
  C:\Windows\System\ntRcKoo.exe
  2⤵
  PID:10772
- C:\Windows\System\PhxZXgc.exe
  C:\Windows\System\PhxZXgc.exe
  2⤵
  PID:10744
- C:\Windows\System\RWjaLZE.exe
  C:\Windows\System\RWjaLZE.exe
  2⤵
  PID:9912
- C:\Windows\System\hpBmqWt.exe
  C:\Windows\System\hpBmqWt.exe
  2⤵
  PID:11164
- C:\Windows\System\EpvwxBY.exe
  C:\Windows\System\EpvwxBY.exe
  2⤵
  PID:11212
- C:\Windows\System\OWIDrYv.exe
  C:\Windows\System\OWIDrYv.exe
  2⤵
  PID:10572
- C:\Windows\System\vhLhNua.exe
  C:\Windows\System\vhLhNua.exe
  2⤵
  PID:10972
- C:\Windows\System\daiutNn.exe
  C:\Windows\System\daiutNn.exe
  2⤵
  PID:11228
- C:\Windows\System\ontJBbK.exe
  C:\Windows\System\ontJBbK.exe
  2⤵
  PID:11048
- C:\Windows\System\OlngdGr.exe
  C:\Windows\System\OlngdGr.exe
  2⤵
  PID:10652
- C:\Windows\System\hLrQaqi.exe
  C:\Windows\System\hLrQaqi.exe
  2⤵
  PID:10516
- C:\Windows\System\dAxaGVg.exe
  C:\Windows\System\dAxaGVg.exe
  2⤵
  PID:11280
- C:\Windows\System\rlljvGq.exe
  C:\Windows\System\rlljvGq.exe
  2⤵
  PID:11316
- C:\Windows\System\xOTJUqp.exe
  C:\Windows\System\xOTJUqp.exe
  2⤵
  PID:11332
- C:\Windows\System\dBLDZMs.exe
  C:\Windows\System\dBLDZMs.exe
  2⤵
  PID:11356
- C:\Windows\System\XDXVVcd.exe
  C:\Windows\System\XDXVVcd.exe
  2⤵
  PID:11384
- C:\Windows\System\OiScpuW.exe
  C:\Windows\System\OiScpuW.exe
  2⤵
  PID:11404
- C:\Windows\System\nCANHlf.exe
  C:\Windows\System\nCANHlf.exe
  2⤵
  PID:11420
- C:\Windows\System\UjXBNvi.exe
  C:\Windows\System\UjXBNvi.exe
  2⤵
  PID:11484
- C:\Windows\System\MfVkirV.exe
  C:\Windows\System\MfVkirV.exe
  2⤵
  PID:11508
- C:\Windows\System\wBURQcp.exe
  C:\Windows\System\wBURQcp.exe
  2⤵
  PID:11536
- C:\Windows\System\GrubgRC.exe
  C:\Windows\System\GrubgRC.exe
  2⤵
  PID:11560
- C:\Windows\System\OwnvqCT.exe
  C:\Windows\System\OwnvqCT.exe
  2⤵
  PID:11628
- C:\Windows\System\EdderCu.exe
  C:\Windows\System\EdderCu.exe
  2⤵
  PID:11652
- C:\Windows\System\FNSFaKP.exe
  C:\Windows\System\FNSFaKP.exe
  2⤵
  PID:11668
- C:\Windows\System\HxjonUj.exe
  C:\Windows\System\HxjonUj.exe
  2⤵
  PID:11708
- C:\Windows\System\CwCodpc.exe
  C:\Windows\System\CwCodpc.exe
  2⤵
  PID:11736
- C:\Windows\System\MAwvrbr.exe
  C:\Windows\System\MAwvrbr.exe
  2⤵
  PID:11764
- C:\Windows\System\FTnXEjP.exe
  C:\Windows\System\FTnXEjP.exe
  2⤵
  PID:11784
- C:\Windows\System\QxyWcYZ.exe
  C:\Windows\System\QxyWcYZ.exe
  2⤵
  PID:11812
- C:\Windows\System\fvwHgEE.exe
  C:\Windows\System\fvwHgEE.exe
  2⤵
  PID:11840
- C:\Windows\System\LzRbErK.exe
  C:\Windows\System\LzRbErK.exe
  2⤵
  PID:11872
- C:\Windows\System\JvHNKSk.exe
  C:\Windows\System\JvHNKSk.exe
  2⤵
  PID:11888
- C:\Windows\System\OHTcHri.exe
  C:\Windows\System\OHTcHri.exe
  2⤵
  PID:11908
- C:\Windows\System\zVTtfwm.exe
  C:\Windows\System\zVTtfwm.exe
  2⤵
  PID:11936
- C:\Windows\System\MZYrqcH.exe
  C:\Windows\System\MZYrqcH.exe
  2⤵
  PID:11956
- C:\Windows\System\xDiBxHd.exe
  C:\Windows\System\xDiBxHd.exe
  2⤵
  PID:11996
- C:\Windows\System\xNGppUo.exe
  C:\Windows\System\xNGppUo.exe
  2⤵
  PID:12044
- C:\Windows\System\TAdqTcf.exe
  C:\Windows\System\TAdqTcf.exe
  2⤵
  PID:12068
- C:\Windows\System\ysDdpIx.exe
  C:\Windows\System\ysDdpIx.exe
  2⤵
  PID:12084
- C:\Windows\System\UXDqCwR.exe
  C:\Windows\System\UXDqCwR.exe
  2⤵
  PID:12136
- C:\Windows\System\sgYTMye.exe
  C:\Windows\System\sgYTMye.exe
  2⤵
  PID:12156
- C:\Windows\System\dkixtNf.exe
  C:\Windows\System\dkixtNf.exe
  2⤵
  PID:12180
- C:\Windows\System\bHybRap.exe
  C:\Windows\System\bHybRap.exe
  2⤵
  PID:12196
- C:\Windows\System\fUiElxh.exe
  C:\Windows\System\fUiElxh.exe
  2⤵
  PID:12220
- C:\Windows\System\RaEbeHt.exe
  C:\Windows\System\RaEbeHt.exe
  2⤵
  PID:12240
- C:\Windows\System\GLecYYM.exe
  C:\Windows\System\GLecYYM.exe
  2⤵
  PID:12256
- C:\Windows\System\NXTokml.exe
  C:\Windows\System\NXTokml.exe
  2⤵
  PID:10376
- C:\Windows\System\CehepGV.exe
  C:\Windows\System\CehepGV.exe
  2⤵
  PID:11312
- C:\Windows\System\ljMJCVi.exe
  C:\Windows\System\ljMJCVi.exe
  2⤵
  PID:11396
- C:\Windows\System\jkdHqUC.exe
  C:\Windows\System\jkdHqUC.exe
  2⤵
  PID:11440
- C:\Windows\System\HjgfqPZ.exe
  C:\Windows\System\HjgfqPZ.exe
  2⤵
  PID:11616
- C:\Windows\System\SxICwhM.exe
  C:\Windows\System\SxICwhM.exe
  2⤵
  PID:11660
- C:\Windows\System\iDECFCy.exe
  C:\Windows\System\iDECFCy.exe
  2⤵
  PID:11688
- C:\Windows\System\rZtXBqv.exe
  C:\Windows\System\rZtXBqv.exe
  2⤵
  PID:11752
- C:\Windows\System\Wllecxl.exe
  C:\Windows\System\Wllecxl.exe
  2⤵
  PID:11800
- C:\Windows\System\flNVRSh.exe
  C:\Windows\System\flNVRSh.exe
  2⤵
  PID:11832
- C:\Windows\System\meaQprq.exe
  C:\Windows\System\meaQprq.exe
  2⤵
  PID:11864
- C:\Windows\System\yFznEHR.exe
  C:\Windows\System\yFznEHR.exe
  2⤵
  PID:11924
- C:\Windows\System\hMsNlEl.exe
  C:\Windows\System\hMsNlEl.exe
  2⤵
  PID:11984
- C:\Windows\System\bwVQMEy.exe
  C:\Windows\System\bwVQMEy.exe
  2⤵
  PID:12148
- C:\Windows\System\kSlsWKs.exe
  C:\Windows\System\kSlsWKs.exe
  2⤵
  PID:12268
- C:\Windows\System\xBQScET.exe
  C:\Windows\System\xBQScET.exe
  2⤵
  PID:12252
- C:\Windows\System\WTQSDFn.exe
  C:\Windows\System\WTQSDFn.exe
  2⤵
  PID:11272
- C:\Windows\System\cuOwUGB.exe
  C:\Windows\System\cuOwUGB.exe
  2⤵
  PID:12276
- C:\Windows\System\SahnVll.exe
  C:\Windows\System\SahnVll.exe
  2⤵
  PID:11596
- C:\Windows\System\FymZjoh.exe
  C:\Windows\System\FymZjoh.exe
  2⤵
  PID:11636
- C:\Windows\System\BqYcHlC.exe
  C:\Windows\System\BqYcHlC.exe
  2⤵
  PID:11780
- C:\Windows\System\vltJpdi.exe
  C:\Windows\System\vltJpdi.exe
  2⤵
  PID:11952
- C:\Windows\System\XOzogox.exe
  C:\Windows\System\XOzogox.exe
  2⤵
  PID:12056
- C:\Windows\System\dljLwXP.exe
  C:\Windows\System\dljLwXP.exe
  2⤵
  PID:5032
- C:\Windows\System\yaHvDOq.exe
  C:\Windows\System\yaHvDOq.exe
  2⤵
  PID:4132
- C:\Windows\System\UJNQLWw.exe
  C:\Windows\System\UJNQLWw.exe
  2⤵
  PID:12284
- C:\Windows\System\JRskXkk.exe
  C:\Windows\System\JRskXkk.exe
  2⤵
  PID:11728
- C:\Windows\System\qFWkabN.exe
  C:\Windows\System\qFWkabN.exe
  2⤵
  PID:3340
- C:\Windows\System\DMVwnvz.exe
  C:\Windows\System\DMVwnvz.exe
  2⤵
  PID:12188
- C:\Windows\System\GSRDbKj.exe
  C:\Windows\System\GSRDbKj.exe
  2⤵
  PID:4352
- C:\Windows\System\kiTzrQT.exe
  C:\Windows\System\kiTzrQT.exe
  2⤵
  PID:11976
- C:\Windows\System\ZzfvyVb.exe
  C:\Windows\System\ZzfvyVb.exe
  2⤵
  PID:12296
- C:\Windows\System\eEijeYQ.exe
  C:\Windows\System\eEijeYQ.exe
  2⤵
  PID:12332
- C:\Windows\System\aVzFcOa.exe
  C:\Windows\System\aVzFcOa.exe
  2⤵
  PID:12356
- C:\Windows\System\mkvWVEw.exe
  C:\Windows\System\mkvWVEw.exe
  2⤵
  PID:12440
- C:\Windows\System\pmuvCNk.exe
  C:\Windows\System\pmuvCNk.exe
  2⤵
  PID:12456
- C:\Windows\System\FnpTSuU.exe
  C:\Windows\System\FnpTSuU.exe
  2⤵
  PID:12476
- C:\Windows\System\mUdrvWB.exe
  C:\Windows\System\mUdrvWB.exe
  2⤵
  PID:12496
- C:\Windows\System\pYXkIoW.exe
  C:\Windows\System\pYXkIoW.exe
  2⤵
  PID:12524
- C:\Windows\System\EwWDswW.exe
  C:\Windows\System\EwWDswW.exe
  2⤵
  PID:12540
- C:\Windows\System\QYkvlnQ.exe
  C:\Windows\System\QYkvlnQ.exe
  2⤵
  PID:12588
- C:\Windows\System\oNJEYVs.exe
  C:\Windows\System\oNJEYVs.exe
  2⤵
  PID:12616
- C:\Windows\System\ItbhAYK.exe
  C:\Windows\System\ItbhAYK.exe
  2⤵
  PID:12660
- C:\Windows\System\ZYnSYxV.exe
  C:\Windows\System\ZYnSYxV.exe
  2⤵
  PID:12684
- C:\Windows\System\yICyjzq.exe
  C:\Windows\System\yICyjzq.exe
  2⤵
  PID:12700
- C:\Windows\System\SngoWsK.exe
  C:\Windows\System\SngoWsK.exe
  2⤵
  PID:12736
- C:\Windows\System\IhjCNRo.exe
  C:\Windows\System\IhjCNRo.exe
  2⤵
  PID:12764
- C:\Windows\System\QpTpWwm.exe
  C:\Windows\System\QpTpWwm.exe
  2⤵
  PID:12788
- C:\Windows\System\LLASRRe.exe
  C:\Windows\System\LLASRRe.exe
  2⤵
  PID:12804
- C:\Windows\System\MzmFYkz.exe
  C:\Windows\System\MzmFYkz.exe
  2⤵
  PID:12844
- C:\Windows\System\PbACZOx.exe
  C:\Windows\System\PbACZOx.exe
  2⤵
  PID:12872
- C:\Windows\System\UitjMJA.exe
  C:\Windows\System\UitjMJA.exe
  2⤵
  PID:12896
- C:\Windows\System\KcTNuey.exe
  C:\Windows\System\KcTNuey.exe
  2⤵
  PID:12916
- C:\Windows\System\kbzzKpC.exe
  C:\Windows\System\kbzzKpC.exe
  2⤵
  PID:12944
- C:\Windows\System\AujXCMZ.exe
  C:\Windows\System\AujXCMZ.exe
  2⤵
  PID:12968
- C:\Windows\System\OBzqHqg.exe
  C:\Windows\System\OBzqHqg.exe
  2⤵
  PID:12984
- C:\Windows\System\kussdvt.exe
  C:\Windows\System\kussdvt.exe
  2⤵
  PID:13036
- C:\Windows\System\MXTTdmz.exe
  C:\Windows\System\MXTTdmz.exe
  2⤵
  PID:13068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urcmfm1l.isc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CJGyGyG.exe

Filesize
1.5MB

MD5
5f8f9001e49c81ab09a39497b9111ad2

SHA1
1f7947bc7b741f370bc09df783ba2543407b130f

SHA256
cfc5dc537914a4d8a2c53232ef1b1f4d1f6faabb6abc6f992b035ee066c4cf18

SHA512
6477df66dc6b8723962b8c496b004cda0c3d0384b4ef01e6b93cc150df4445480c4ac8f8fe749560f12ad41d8afc8caa8b2114715da3694239cf448b7c8ba70a

Download Submit
C:\Windows\System\CrODkyq.exe

Filesize
1.5MB

MD5
f3b6bdc1f7d1f4abc6cd284bd1dd3fcb

SHA1
35f10d9067deba797ff40ce4462254fc28d40fa9

SHA256
bf1788060bdbde18ffed4de1d0ed404ec30946c95b7b2a78a339c546c3f6cab5

SHA512
254432acadb022235ffec29897160343ea87a04db7acec78a711a36de9b13cd13c2ed7108a615a11c890327f593ff2decd7f2b4f3081cb2eebf06bf9ba6b72cc

Download Submit
C:\Windows\System\ELcizPP.exe

Filesize
1.5MB

MD5
026a52f17d51956823e49175e16b3919

SHA1
1702a436a110c35b75e878b36d4b849bd554ff65

SHA256
232c09b7a84d24ba290a3b6b09a880bdf604de8f699da7c659841587b57741f3

SHA512
066602bc397d4232fa034187cbc8ee7b7e7b7b84216853359b67d5e0d6bda20584228850aea0fba50a0d35bd112451f78094ce5280c1a244304a837752507531

Download Submit
C:\Windows\System\GHdgNRD.exe

Filesize
1.5MB

MD5
00147a5d39b5a613401b93deff24346b

SHA1
082aa0a3b366561654f784a5c27dd024c7d5e4ba

SHA256
883bf335b35f5c3c2002e54c17de7c656c3c326220bb760f2bc2ef943c3437fb

SHA512
ebd12221403eefa800875757bc0614d4d4e1d9cc4f5d59e02c5570baec4d23698b9a641481a2bce3b1b922317aad2d53f26515920922d45a88bfd66fa8e1f11c

Download Submit
C:\Windows\System\HeEOJdW.exe

Filesize
1.5MB

MD5
95b0a0d331f674d5721044b19ce5451e

SHA1
179a2ffac26f234a9a5dfe0436b08ac3a2cc6580

SHA256
193fbd3b18135ad6b88bba3487875bc7feed8b2684801e6a8c48c8dd36090a4a

SHA512
e25dabfc786a04c49f67e0bdc427d2f82147cf804ec4221bb132923cebb69687c4288a495b59df94b386383cf1331c306b4623f3642005db6849500634cd602b

Download Submit
C:\Windows\System\HmzxOvK.exe

Filesize
1.5MB

MD5
d27ca7e2cc0398a506c2655da4e7a84c

SHA1
f710be06926d0db54dd755bb2a32b50feb32b461

SHA256
132a3db1c114d6d6fb76172197aa46cf37d11578779bee33859be20c02394ddd

SHA512
4d70e70bb14129560ceb797f2a74f687b565461e49525b77800dcbd9a685f07e105b1f52afa04c5c0a09134b0ba4078246b449a15855e159669a18001ccd4b3b

Download Submit
C:\Windows\System\IPsLIGx.exe

Filesize
1.5MB

MD5
86c6ee87d6f16dc32726201039eaf3e1

SHA1
a7bba31c2a0b77b49c9426b3a016b5878949c4d9

SHA256
7a3fd129dbe822825155c01448786adf6701c64879863dc1a8407d286cd4d8ea

SHA512
25c9dae2fb2a38547e2db56a32fd537136d885ffc53d935adcf50202099868b344cf930c3e1559274c88dfeb415a6223ad7408b8a7e80b9d8c757cbf967ed439

Download Submit
C:\Windows\System\LbNFpec.exe

Filesize
1.5MB

MD5
ee7c76d96407b5151c3241864f980ad8

SHA1
9bbfc6988cb70c698408e83ac4df63979f878541

SHA256
3da55e09a3f7b3f36cff1c16615187a0373f042702f708b0f5868b0086c863f1

SHA512
d62a3bc704b2a2ead85c686ac9f79a5950354ea1f0299002e8a58de0638be2a1a6726929948edd71a019d99e4f8c41ddc8893795a90125aea83353915b6a0233

Download Submit
C:\Windows\System\LrjBcIt.exe

Filesize
1.5MB

MD5
ddca48f7886a5614037738ef1c108f2c

SHA1
7019ac7caa59ad2d06d302e775adf9fdd417c8ac

SHA256
e4667b9b2f08e7b43a5293018633c75d0d1400a9616d5c98ab4f9c765c5bfc9f

SHA512
d454251f0f02398666edfbdd355d6c37977458947f5b501560d0ef7b1279a6da04f55bb7a02e60e7cec7e288194a1ba78179ff8bf3c8bc9a0a37a852f6b3c9cd

Download Submit
C:\Windows\System\OPBBVPC.exe

Filesize
1.5MB

MD5
21b6053f6a6676d7197bf9c1e5a15389

SHA1
29d6fccec112b974bdb7fd6942fc780fc75b2cd0

SHA256
d75dc4b305a86fa0cade4a79b0f888827ecd0badd68e16ce0bdd548b18c9bd0f

SHA512
4c6c27c3b9fb6c8e0a2701d56077eec54c1cd289cbd06674469987b0710644cdb57de9770ce17a3a4ce3f41de4c145d72fb11331bcc70fccd2f863ce2e80eef8

Download Submit
C:\Windows\System\OpwqPnF.exe

Filesize
1.5MB

MD5
cd967dd2f653e40f6a95168576181404

SHA1
1629fa674ac6c3c8bfcc32b9d8199b64fe61b14b

SHA256
e0697663d8c777a1e301f6d711a5c645e2ea9087f9e062b0d90f60867cf6433b

SHA512
94d1ad7b8a9e2db1317cd196868a77849cd5836d003ecf2e0ad4a96575a7949bfd65448acd2f0a8cbe7d6daf2f69709664d4271ebeb5015c7028a5897d201ccb

Download Submit
C:\Windows\System\PWKzfmb.exe

Filesize
1.5MB

MD5
09a9f35d9655f995e070570cf9127230

SHA1
a38987bc944fbae07a2dc1ca1c6ea3c51cbb8542

SHA256
7adbce8c1367acb1a4bb32c5603fc7bd1033d7dfadf392931aeee84c2ea77650

SHA512
9e9b52d385139fadba954c4b5fab7ad98031114dcd9142fb2bcc5379675d4c8d8c311d38cb086d9659853fc599ba9555a68b9dde81089ab78db40867eb96ae2b

Download Submit
C:\Windows\System\SMYobDw.exe

Filesize
1.5MB

MD5
ec253cc94c2198162dfa4b9b501a7761

SHA1
aa4b9262ffe361d37b7f4f59542d42e7494617f7

SHA256
fc713f6f4df44cecfd3e1093e609a32c7ced2dd8e7a964f5d4807b9e0ff00a23

SHA512
a2113364f16b4c38d2d1344d0223f6062020cf970b62044ae2dda9c82204e4997e4fc1fdd4544d23160ebf6e7e0a3bf3ec2fc40f7d5c197c12b9287d80e8a7f2

Download Submit
C:\Windows\System\YHsUeWV.exe

Filesize
1.5MB

MD5
540491f15f1a08667d2162935a7ed700

SHA1
d2b972302f66c4e719be7e3b8ae3a11d1ac34af3

SHA256
182cd00f170ad9211259d39cd8c0349f3d93612fdbb6930e0cfadaa5747b03de

SHA512
29705595c0fcb04e49e9633486993ceb8ce068a25a709cae756cfb6540d6374819ee3c810d241a4bcec123794f24cb3caf388fb4bacdd7bfe4490d947b97afa0

Download Submit
C:\Windows\System\YfZxHrg.exe

Filesize
1.5MB

MD5
05463136a27bad67b4e8690a509bdf1b

SHA1
797e4ecd7058446e828c8f20975a4254b6a266f7

SHA256
2faa484501a21985812d8c492861677e244ce64da22672dab3f8aee9d7abc979

SHA512
cfaf4b2af1fefc41cf847731ab2e4647314dd4d90cb8c3c17dcc667f40630fcf222e8520d8d61d31eaf5d8cd9a8a6059c4cb3f156d882230842cddcc055ab13e

Download Submit
C:\Windows\System\ZcyUzKs.exe

Filesize
1.5MB

MD5
897b3fc1f390ee0fbc098192ee5fe75a

SHA1
c58e39afaf38f7650cc71767e8b8bb23773bed29

SHA256
938b30438e045c88bd9e6c561735864efb8df526a8dd04580fb816d8db85e0d2

SHA512
4cffc3ca1c09bc3f4d53da120b03a8d3cd46e1da68cc537d004614fce3b6c2a357c722868282ff02e6e58f0a231049a6cb8e5a39b43d1d706f6d0b48f8e62ef0

Download Submit
C:\Windows\System\bGruRHu.exe

Filesize
1.5MB

MD5
a9bc78de61162dde0d53a563224e1220

SHA1
e8f4886f39e9961039c7f974d5c57045ea653237

SHA256
89a3d6e248898cd34042280fdb3cb0d57c4c430ddd63d96f73ddd156dd366c08

SHA512
10f49db844890e9fd69a46f5095b208bea03aca38be755d45681d01051aa8531ca139f87af398af8ea7936b8c357c46874a77777ea9c5b2f5ae3d4a89030c8b3

Download Submit
C:\Windows\System\edELVOz.exe

Filesize
1.5MB

MD5
45080eff8f24ffb5810e05734ee2033c

SHA1
d395d7a28597e433b2f4e22247a7017d611bd523

SHA256
52af1b1e83cfc4c0a1ab9b7633221be1f34b4e405596be41f3a63f8c04257c23

SHA512
cc03a5b7b95e1e53717551a7f4db8ca528962697969816c852770e3794608950fe94e5dd6755703b044c2b41b1d8561f87b341f8fde91bdf1ef0a3e8ea75f2b2

Download Submit
C:\Windows\System\iwkqwSs.exe

Filesize
1.5MB

MD5
2292967d082685acb68fcc6bf994f306

SHA1
84f2929c20bcdfe6a5377a10eead17abb4cf687e

SHA256
45c04ec10193c64ac9f8e6a3f9f381a09ea8d1214f4254341f289bfb92b4212e

SHA512
2d5ed9145de940d8af23d63240330488e9595bbbf7741768ba0735a4716f16ab0b609255c402bee01636d9ff4a27fb69cdfe2ac9a54d29f3f5e049b20ddef9ab

Download Submit
C:\Windows\System\ldSxyaA.exe

Filesize
1.5MB

MD5
7e2c7c205dc9be8fb2ab0fe740f44677

SHA1
bea3637c5ba01d2c37b62cd6cfc438ade92a1ee6

SHA256
2c758876042efbe7815bef8e3d3b949c4ec4ecf290856a6fc7276535d6a8fca3

SHA512
2e182242e9dcad32ea2caf3b8a395b8f99b8a08652539c18b3a4af482b2b841a14b90ec27d15f932a6c92f5d2e837c732b2e9c0f325e487c81a2daaecc0e0d63

Download Submit
C:\Windows\System\nCwqAnb.exe

Filesize
1.5MB

MD5
19077c38acbbdd960fc5c31b3a763e27

SHA1
c857737820bda0d6ff4bd78e6da4c4886e096598

SHA256
2f702c385a36c726f10ed1b9f6485ef7c4b1fd089959ea4dcc2a7dd9c578c8ae

SHA512
259948ff2a0f4ad4f9565146e231fa55ccbea0485a6ab54279c1539b8656b72d2e3630ac5a1f2160f907e421704c3c6623240e1481cf7671ccc64f9c5594ba6f

Download Submit
C:\Windows\System\nXzExCb.exe

Filesize
1.5MB

MD5
da925c0ec874d70a817c7412f6ec10d0

SHA1
b435aff907c37ed81250009554f4c0369a2d8832

SHA256
02f4979b9c62c5f658967d9756592e4b89a0b3492751177d2a02e68ef3364ebb

SHA512
73dd6c11f6320eae302a5f621d84b6004e6a79f7945600e469ff24c13ff9571806d3b9d94895bcedde6393ff592c024b9b5944babaf68cdc7d3dc1f260419f09

Download Submit
C:\Windows\System\nZMZMzk.exe

Filesize
1.5MB

MD5
5d9f69e53a7988246c9c1ffb4a218551

SHA1
59597819ce5295c419768c48a7b64f1c4a524b3e

SHA256
7ae06a50ca3ae685302e9d68441b8ecc639d2e45a870724aa6764d35f0b32af0

SHA512
1a5c2b05f2edf31744d8d30a187b09b062e2e92c602341f2b4025ec13b94638f7845e524f439e1c5b87c5eda2423ba38e4ac98aefb7e2017152d5f9b90ef36bf

Download Submit
C:\Windows\System\oEAtQct.exe

Filesize
1.5MB

MD5
3853d5d2ddbf27de6a565f06d80623d1

SHA1
9ed4b4d070fa262f65696d058623d08af8b3ab52

SHA256
a5bc0b4329fa0f61cbf557cf17b8148bf7234d5905eab3787bba76e4c6a015ff

SHA512
49daa6ede2b59127dd3e9ca2b94fbc3c91971fcfee0e533cccb6c4e91c9b82df55a05906862940dae6dc5a823a5e647ac9319b393ce259314fe11b787504a699

Download Submit
C:\Windows\System\oTSrFUm.exe

Filesize
1.5MB

MD5
5ab8f351f90446ed47fede4411abf46a

SHA1
d59f41b9c653eb825238d875d55701eee37c34c0

SHA256
26c3b29566856d7d7ffda11ffaa55ede9e0315ab461bb5a5cad15240c049e2b7

SHA512
68cd1fb37b849f41706ce124aadbd5b9c95a720a2c569daf5863eaf96c3bad7838615ebc1f2751d533927e0672aa83c01ad7faaac26a2f9edcc305eabd84c86f

Download Submit
C:\Windows\System\pHKqqwY.exe

Filesize
1.5MB

MD5
19add9a7726b9202fc64cd46012c1183

SHA1
6c1ed5f16180b1c729b58ae213de01ad6e1662ef

SHA256
795aa71736c6943ed9e446033ff73e2f0a3ed1128e8778aa943c13600324e004

SHA512
af4220a9b8755eedacf3c57f4d8ec3a40f6ee9291c80bbe154c6730062333886950d98bc66f8eb94d86de0009b299ac7ac3eb417f58602d5a6211582c7cdedb9

Download Submit
C:\Windows\System\pWAucFT.exe

Filesize
1.5MB

MD5
eaf4914ba71de0a10e791788dbb787f3

SHA1
426bb2c533c482c42c36924b0957d770770beafa

SHA256
9cf9b529befc40fa0b6ff3881b53451f953d425e6dc6822b76448121ebad0495

SHA512
80dadbdc88df0cd206b7dbb0a14a9e052c625a5e712fd8ddc5a80c9d5e3fd56cf163a0d9b471752636ea3e5cc6133b5ddd0b0d83387abbe930dd505b08143a3b

Download Submit
C:\Windows\System\tTlWfuF.exe

Filesize
1.5MB

MD5
39dd63286e4a9bccf9e62c477b13b300

SHA1
d0dd6679b53fc4714a2a36f8d04f3920d49d882b

SHA256
af6a74717bc5b9c9cc76b084465aceef9e116393540e26a9baa4c884bb6d8147

SHA512
334f2d762df62ac5bfea8c1546d0bf6c872b759725684bd230ab5bbba96fa0722fe71a9d4809dc46fa8973c740128137c87c3ddc6f536d9b649fa18c6af834ef

Download Submit
C:\Windows\System\tyYwBRr.exe

Filesize
8B

MD5
2d0c2c2eeafda1eefbc846623106a651

SHA1
ebe1d12cc7355840b98bff551fa1e9b6ea05149b

SHA256
315fe12e8506c9a5679018a241c22762f38597a85e3d6906984d2cd8e0eb0749

SHA512
4747f2fca75d2722dc6b7850f1cf2e05f5ebac7e64d54a9f03247ac705b6e7fd5e4086e67fbc0da577c026e6cfc06192b9232b3f0c023c488535fb6f948376dc

Download Submit
C:\Windows\System\uQOKzfm.exe

Filesize
1.5MB

MD5
c88e6d833c578370b09d4d106dc17475

SHA1
47b326c54b9c1ff79da16e601dbb21c711244917

SHA256
74423a0fa3a724035916dce2dac98c571963befebafd46865d93fb9107ba9ce7

SHA512
796b32bb5352ff0c5524ad57a178f6eb6f670a190646964256c5d02020403dbb20739c57c10bc2fe59b4fee34e6871a50ecb1a8f9a2bec968699e407f7f7225c

Download Submit
C:\Windows\System\vrcAhCy.exe

Filesize
1.5MB

MD5
e8f77fa4a8f2af0d5d0fbafbe16aa4ad

SHA1
eee0c53ac638366f0ecb6657a66e6dd0fa4fd998

SHA256
34a71ac0915f147ef60dff2a3dfb79ee66d816afab05d15815cc2220f940593f

SHA512
1076f3f3e2a62fffa9f7e56bbab03b8ed196a498cbc1b5fe9c559a17850990d510254c90c5e61baa64d8bf139711d06418ef153e1d8494090376840b7443a87a

Download Submit
C:\Windows\System\wOHqnQG.exe

Filesize
1.5MB

MD5
2df0e977a93c2160a52eeb502b8fb8a8

SHA1
68f8cb4603db24b52636667b765f66f70dff0aa3

SHA256
4d327b77645dd01ab405ad0fbbd2bc432fb43dfb0c0d164eda4f203e1b2373ce

SHA512
000bc68cb5b626db1ca20c9026fde9e307bcaf707e7b15a7a2ef91ac2cba72a86ac9e96dd90cb77f44e5cfc9ec078815057cc5199694b161d55998ffb8d89a93

Download Submit
C:\Windows\System\ytJlfpS.exe

Filesize
1.5MB

MD5
11a29231e076354a47d2937f184c964b

SHA1
fcd26d21c164dbb0797266c8554d86c6d91347dc

SHA256
cc047295fd55b0f682b111d2ba6ab938dd5d44cc178c9f44312181f2cc67da8c

SHA512
990d56add9fc0cb9952b67dca6eee3761eea5d4819a7555f66f5f7d3bb3739f1d56760d1df0b73589fd3e64a8b584d82efd03e36fa5860f99482c8acb150174d

Download Submit
C:\Windows\System\zDIBqjp.exe

Filesize
1.5MB

MD5
6852dc29c8b476c7451247b82f3f2585

SHA1
6cdefb150e455bb3c92c27b6dc06413b260871ba

SHA256
33f0fb9c21ec9d796d8b8dc0da82caceecd570a74525b8a3399d867ee6de8092

SHA512
e3fea5a9fe2f1661b939ca3620452e9233c4cf94d96113247791d433e2a93c09333668d5ae83f481edd56cee595ae95c95403867deeade4731d67cb200ca3df8

Download Submit
memory/228-530-0x00007FF680C50000-0x00007FF681042000-memory.dmp

Filesize
3.9MB

Download
memory/228-2560-0x00007FF680C50000-0x00007FF681042000-memory.dmp

Filesize
3.9MB

Download
memory/1496-2541-0x00007FFE2A0A0000-0x00007FFE2AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1496-49-0x000002CBCB300000-0x000002CBCB322000-memory.dmp

Filesize
136KB

Download
memory/1496-2531-0x00007FFE2A0A3000-0x00007FFE2A0A5000-memory.dmp

Filesize
8KB

Download
memory/1496-2532-0x00007FFE2A0A0000-0x00007FFE2AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1496-371-0x000002CBCBEA0000-0x000002CBCC646000-memory.dmp

Filesize
7.6MB

Download
memory/1496-23-0x00007FFE2A0A0000-0x00007FFE2AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1496-3-0x00007FFE2A0A3000-0x00007FFE2A0A5000-memory.dmp

Filesize
8KB

Download
memory/1496-55-0x00007FFE2A0A0000-0x00007FFE2AB61000-memory.dmp

Filesize
10.8MB

Download
memory/1872-2565-0x00007FF70E2D0000-0x00007FF70E6C2000-memory.dmp

Filesize
3.9MB

Download
memory/1872-67-0x00007FF70E2D0000-0x00007FF70E6C2000-memory.dmp

Filesize
3.9MB

Download
memory/1880-2595-0x00007FF6235A0000-0x00007FF623992000-memory.dmp

Filesize
3.9MB

Download
memory/1880-456-0x00007FF6235A0000-0x00007FF623992000-memory.dmp

Filesize
3.9MB

Download
memory/1888-2580-0x00007FF721670000-0x00007FF721A62000-memory.dmp

Filesize
3.9MB

Download
memory/1888-433-0x00007FF721670000-0x00007FF721A62000-memory.dmp

Filesize
3.9MB

Download
memory/1908-2589-0x00007FF7469F0000-0x00007FF746DE2000-memory.dmp

Filesize
3.9MB

Download
memory/1908-479-0x00007FF7469F0000-0x00007FF746DE2000-memory.dmp

Filesize
3.9MB

Download
memory/2088-2572-0x00007FF795320000-0x00007FF795712000-memory.dmp

Filesize
3.9MB

Download
memory/2088-429-0x00007FF795320000-0x00007FF795712000-memory.dmp

Filesize
3.9MB

Download
memory/2160-503-0x00007FF616CE0000-0x00007FF6170D2000-memory.dmp

Filesize
3.9MB

Download
memory/2160-2585-0x00007FF616CE0000-0x00007FF6170D2000-memory.dmp

Filesize
3.9MB

Download
memory/2188-2577-0x00007FF650010000-0x00007FF650402000-memory.dmp

Filesize
3.9MB

Download
memory/2188-463-0x00007FF650010000-0x00007FF650402000-memory.dmp

Filesize
3.9MB

Download
memory/2192-1-0x000002D8C3220000-0x000002D8C3230000-memory.dmp

Filesize
64KB

Download
memory/2192-0-0x00007FF79D280000-0x00007FF79D672000-memory.dmp

Filesize
3.9MB

Download
memory/2304-59-0x00007FF675780000-0x00007FF675B72000-memory.dmp

Filesize
3.9MB

Download
memory/2304-2562-0x00007FF675780000-0x00007FF675B72000-memory.dmp

Filesize
3.9MB

Download
memory/2316-2604-0x00007FF6F5D80000-0x00007FF6F6172000-memory.dmp

Filesize
3.9MB

Download
memory/2316-469-0x00007FF6F5D80000-0x00007FF6F6172000-memory.dmp

Filesize
3.9MB

Download
memory/2356-436-0x00007FF6CD7C0000-0x00007FF6CDBB2000-memory.dmp

Filesize
3.9MB

Download
memory/2356-2602-0x00007FF6CD7C0000-0x00007FF6CDBB2000-memory.dmp

Filesize
3.9MB

Download
memory/3060-33-0x00007FF729CA0000-0x00007FF72A092000-memory.dmp

Filesize
3.9MB

Download
memory/3060-2559-0x00007FF729CA0000-0x00007FF72A092000-memory.dmp

Filesize
3.9MB

Download
memory/3320-483-0x00007FF61A390000-0x00007FF61A782000-memory.dmp

Filesize
3.9MB

Download
memory/3320-2586-0x00007FF61A390000-0x00007FF61A782000-memory.dmp

Filesize
3.9MB

Download
memory/3448-2590-0x00007FF788D50000-0x00007FF789142000-memory.dmp

Filesize
3.9MB

Download
memory/3448-519-0x00007FF788D50000-0x00007FF789142000-memory.dmp

Filesize
3.9MB

Download
memory/3492-509-0x00007FF6498D0000-0x00007FF649CC2000-memory.dmp

Filesize
3.9MB

Download
memory/3492-2582-0x00007FF6498D0000-0x00007FF649CC2000-memory.dmp

Filesize
3.9MB

Download
memory/3496-446-0x00007FF7CB360000-0x00007FF7CB752000-memory.dmp

Filesize
3.9MB

Download
memory/3496-2599-0x00007FF7CB360000-0x00007FF7CB752000-memory.dmp

Filesize
3.9MB

Download
memory/3640-2567-0x00007FF6CB9D0000-0x00007FF6CBDC2000-memory.dmp

Filesize
3.9MB

Download
memory/3640-62-0x00007FF6CB9D0000-0x00007FF6CBDC2000-memory.dmp

Filesize
3.9MB

Download
memory/3740-2568-0x00007FF619B20000-0x00007FF619F12000-memory.dmp

Filesize
3.9MB

Download
memory/3740-541-0x00007FF619B20000-0x00007FF619F12000-memory.dmp

Filesize
3.9MB

Download
memory/3852-2597-0x00007FF7F3FB0000-0x00007FF7F43A2000-memory.dmp

Filesize
3.9MB

Download
memory/3852-453-0x00007FF7F3FB0000-0x00007FF7F43A2000-memory.dmp

Filesize
3.9MB

Download
memory/4720-544-0x00007FF790ED0000-0x00007FF7912C2000-memory.dmp

Filesize
3.9MB

Download
memory/4720-2570-0x00007FF790ED0000-0x00007FF7912C2000-memory.dmp

Filesize
3.9MB

Download
memory/4820-551-0x00007FF76AE40000-0x00007FF76B232000-memory.dmp

Filesize
3.9MB

Download
memory/4820-2578-0x00007FF76AE40000-0x00007FF76B232000-memory.dmp

Filesize
3.9MB

Download
memory/4832-72-0x00007FF7E0250000-0x00007FF7E0642000-memory.dmp

Filesize
3.9MB

Download
memory/4832-2574-0x00007FF7E0250000-0x00007FF7E0642000-memory.dmp

Filesize
3.9MB

Download
memory/4840-2601-0x00007FF7D7340000-0x00007FF7D7732000-memory.dmp

Filesize
3.9MB

Download
memory/4840-440-0x00007FF7D7340000-0x00007FF7D7732000-memory.dmp

Filesize
3.9MB

Download
memory/4992-2592-0x00007FF69F300000-0x00007FF69F6F2000-memory.dmp

Filesize
3.9MB

Download
memory/4992-554-0x00007FF69F300000-0x00007FF69F6F2000-memory.dmp

Filesize
3.9MB

Download