xmrig | b86ea2531392b122da2a922cc89c707e5da8e764445ba4e0cbfeef0b401dd8ea

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 08:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
Size

1.7MB
MD5

11d19c7d16003fb05c1ade6e5cd76b9c
SHA1

a7b35583d37d4cbf0804900d7bd10261bcd669a5
SHA256

b86ea2531392b122da2a922cc89c707e5da8e764445ba4e0cbfeef0b401dd8ea
SHA512

7732ef7d1f1895b5c9801bcdc561f3c5cd9ed06c3a4bf75165bfbb6591b56993b7d4898fe65eb066d8544c42c758c532b124f4f842aced7742e62bdeec34d958
SSDEEP

49152:Lz071uv4BPMkibTIA5I4TNrpDGgDQzKyD:NABJ

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/5076-102-0x00007FF6ACDC0000-0x00007FF6AD1B2000-memory.dmp	xmrig
behavioral2/memory/1896-113-0x00007FF6BB5B0000-0x00007FF6BB9A2000-memory.dmp	xmrig
behavioral2/memory/4808-121-0x00007FF610610000-0x00007FF610A02000-memory.dmp	xmrig
behavioral2/memory/3000-140-0x00007FF6A19B0000-0x00007FF6A1DA2000-memory.dmp	xmrig
behavioral2/memory/2172-170-0x00007FF6416F0000-0x00007FF641AE2000-memory.dmp	xmrig
behavioral2/memory/3116-193-0x00007FF6E2540000-0x00007FF6E2932000-memory.dmp	xmrig
behavioral2/memory/2156-199-0x00007FF7D1590000-0x00007FF7D1982000-memory.dmp	xmrig
behavioral2/memory/2756-194-0x00007FF615B60000-0x00007FF615F52000-memory.dmp	xmrig
behavioral2/memory/4928-189-0x00007FF723610000-0x00007FF723A02000-memory.dmp	xmrig
behavioral2/memory/4488-183-0x00007FF6DBF10000-0x00007FF6DC302000-memory.dmp	xmrig
behavioral2/memory/4840-177-0x00007FF752700000-0x00007FF752AF2000-memory.dmp	xmrig
behavioral2/memory/2200-171-0x00007FF699300000-0x00007FF6996F2000-memory.dmp	xmrig
behavioral2/memory/1976-164-0x00007FF713120000-0x00007FF713512000-memory.dmp	xmrig
behavioral2/memory/1180-158-0x00007FF6ADA30000-0x00007FF6ADE22000-memory.dmp	xmrig
behavioral2/memory/3256-141-0x00007FF780410000-0x00007FF780802000-memory.dmp	xmrig
behavioral2/memory/3208-134-0x00007FF67DC10000-0x00007FF67E002000-memory.dmp	xmrig
behavioral2/memory/4368-128-0x00007FF69E970000-0x00007FF69ED62000-memory.dmp	xmrig
behavioral2/memory/3892-127-0x00007FF76F2B0000-0x00007FF76F6A2000-memory.dmp	xmrig
behavioral2/memory/1660-117-0x00007FF7D9BB0000-0x00007FF7D9FA2000-memory.dmp	xmrig
behavioral2/memory/2556-108-0x00007FF6CD140000-0x00007FF6CD532000-memory.dmp	xmrig
behavioral2/memory/3580-107-0x00007FF79B9D0000-0x00007FF79BDC2000-memory.dmp	xmrig
behavioral2/memory/4424-106-0x00007FF7B0E10000-0x00007FF7B1202000-memory.dmp	xmrig
behavioral2/memory/3992-95-0x00007FF7CA8E0000-0x00007FF7CACD2000-memory.dmp	xmrig
behavioral2/memory/3440-3566-0x00007FF7E3990000-0x00007FF7E3D82000-memory.dmp	xmrig
behavioral2/memory/3440-3591-0x00007FF7E3990000-0x00007FF7E3D82000-memory.dmp	xmrig
behavioral2/memory/3992-3593-0x00007FF7CA8E0000-0x00007FF7CACD2000-memory.dmp	xmrig
behavioral2/memory/1896-3600-0x00007FF6BB5B0000-0x00007FF6BB9A2000-memory.dmp	xmrig
behavioral2/memory/4424-3603-0x00007FF7B0E10000-0x00007FF7B1202000-memory.dmp	xmrig
behavioral2/memory/1660-3605-0x00007FF7D9BB0000-0x00007FF7D9FA2000-memory.dmp	xmrig
behavioral2/memory/2556-3607-0x00007FF6CD140000-0x00007FF6CD532000-memory.dmp	xmrig
behavioral2/memory/3580-3601-0x00007FF79B9D0000-0x00007FF79BDC2000-memory.dmp	xmrig
behavioral2/memory/1180-3597-0x00007FF6ADA30000-0x00007FF6ADE22000-memory.dmp	xmrig
behavioral2/memory/5076-3595-0x00007FF6ACDC0000-0x00007FF6AD1B2000-memory.dmp	xmrig
behavioral2/memory/1976-3612-0x00007FF713120000-0x00007FF713512000-memory.dmp	xmrig
behavioral2/memory/3116-3631-0x00007FF6E2540000-0x00007FF6E2932000-memory.dmp	xmrig
behavioral2/memory/4928-3633-0x00007FF723610000-0x00007FF723A02000-memory.dmp	xmrig
behavioral2/memory/2756-3635-0x00007FF615B60000-0x00007FF615F52000-memory.dmp	xmrig
behavioral2/memory/4488-3632-0x00007FF6DBF10000-0x00007FF6DC302000-memory.dmp	xmrig
behavioral2/memory/4840-3629-0x00007FF752700000-0x00007FF752AF2000-memory.dmp	xmrig
behavioral2/memory/3892-3628-0x00007FF76F2B0000-0x00007FF76F6A2000-memory.dmp	xmrig
behavioral2/memory/4808-3625-0x00007FF610610000-0x00007FF610A02000-memory.dmp	xmrig
behavioral2/memory/3000-3620-0x00007FF6A19B0000-0x00007FF6A1DA2000-memory.dmp	xmrig
behavioral2/memory/4368-3619-0x00007FF69E970000-0x00007FF69ED62000-memory.dmp	xmrig
behavioral2/memory/2172-3616-0x00007FF6416F0000-0x00007FF641AE2000-memory.dmp	xmrig
behavioral2/memory/3208-3615-0x00007FF67DC10000-0x00007FF67E002000-memory.dmp	xmrig
behavioral2/memory/3256-3623-0x00007FF780410000-0x00007FF780802000-memory.dmp	xmrig
behavioral2/memory/2200-3610-0x00007FF699300000-0x00007FF6996F2000-memory.dmp	xmrig
behavioral2/memory/2156-3637-0x00007FF7D1590000-0x00007FF7D1982000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	772	powershell.exe
11	772	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
772	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3440	WhybDii.exe
1180	gqdwvEJ.exe
3992	svEEHyJ.exe
5076	kuhaqat.exe
4424	XHLyNzK.exe
3580	dqpktLG.exe
2556	XKLlWtA.exe
1896	TRLJcSt.exe
1660	aQXjJHW.exe
4808	PcCJrxK.exe
3892	ozsBBPU.exe
4368	yhYDmHf.exe
3208	jeRBRfY.exe
3000	ucmTCKF.exe
3256	LXPRUVo.exe
1976	vijwMIz.exe
2172	suYPXYI.exe
2200	vxKfjar.exe
4840	OzgCOpM.exe
4488	EyYIMXw.exe
4928	DiCKPMO.exe
3116	MeFdPJB.exe
2756	sRgexoJ.exe
2156	vvaObMC.exe
4456	yFCyPeA.exe
4360	ioHmJLK.exe
3692	zDmXDbg.exe
4460	zHlDXls.exe
3856	BTVMYLt.exe
3172	xrTdafI.exe
3708	dkLXDFk.exe
4940	wwTAhEe.exe
2900	gLXRKBt.exe
624	PhmVBPr.exe
3464	KZuDieJ.exe
3812	BSIlavp.exe
2180	pwcNMJG.exe
4396	OIIgUBO.exe
4400	WBLrxzS.exe
3948	paawRDr.exe
3864	eapyJeK.exe
2360	WWrurMZ.exe
1404	sfrpnRM.exe
2684	jJXvZyc.exe
2812	HdhAyrJ.exe
4580	cOWlnOh.exe
5016	SwRaamn.exe
4568	otwtQGj.exe
4768	IQdeDQQ.exe
4724	xdGYUsu.exe
4392	lOsiQsW.exe
1392	gzydCvN.exe
4512	txCEIha.exe
1548	hbWPOrS.exe
5112	toBOTGf.exe
2760	BkdlNty.exe
3380	sywvPYK.exe
3672	tyNdrbh.exe
3052	bruwIih.exe
4484	RGsSycJ.exe
4748	oHyinGa.exe
4140	vFyAVJi.exe
924	uyBEJAX.exe
3972	SkWTkos.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1300-0-0x00007FF6A4050000-0x00007FF6A4442000-memory.dmp	upx
behavioral2/files/0x000b000000023b8b-5.dat	upx
behavioral2/files/0x000a000000023b8f-20.dat	upx
behavioral2/files/0x000a000000023b94-32.dat	upx
behavioral2/files/0x000a000000023b9b-66.dat	upx
behavioral2/files/0x000a000000023b9c-81.dat	upx
behavioral2/files/0x000a000000023b9a-89.dat	upx
behavioral2/memory/5076-102-0x00007FF6ACDC0000-0x00007FF6AD1B2000-memory.dmp	upx
behavioral2/memory/1896-113-0x00007FF6BB5B0000-0x00007FF6BB9A2000-memory.dmp	upx
behavioral2/memory/4808-121-0x00007FF610610000-0x00007FF610A02000-memory.dmp	upx
behavioral2/files/0x000b000000023b9e-129.dat	upx
behavioral2/memory/3000-140-0x00007FF6A19B0000-0x00007FF6A1DA2000-memory.dmp	upx
behavioral2/files/0x000a000000023ba4-147.dat	upx
behavioral2/memory/2172-170-0x00007FF6416F0000-0x00007FF641AE2000-memory.dmp	upx
behavioral2/memory/3116-193-0x00007FF6E2540000-0x00007FF6E2932000-memory.dmp	upx
behavioral2/files/0x000a000000023bae-200.dat	upx
behavioral2/memory/2156-199-0x00007FF7D1590000-0x00007FF7D1982000-memory.dmp	upx
behavioral2/files/0x000a000000023bac-197.dat	upx
behavioral2/memory/2756-194-0x00007FF615B60000-0x00007FF615F52000-memory.dmp	upx
behavioral2/files/0x000a000000023bad-192.dat	upx
behavioral2/files/0x000a000000023bab-190.dat	upx
behavioral2/memory/4928-189-0x00007FF723610000-0x00007FF723A02000-memory.dmp	upx
behavioral2/files/0x000a000000023baa-184.dat	upx
behavioral2/memory/4488-183-0x00007FF6DBF10000-0x00007FF6DC302000-memory.dmp	upx
behavioral2/files/0x000a000000023ba9-178.dat	upx
behavioral2/memory/4840-177-0x00007FF752700000-0x00007FF752AF2000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-172.dat	upx
behavioral2/memory/2200-171-0x00007FF699300000-0x00007FF6996F2000-memory.dmp	upx
behavioral2/files/0x000a000000023ba7-165.dat	upx
behavioral2/memory/1976-164-0x00007FF713120000-0x00007FF713512000-memory.dmp	upx
behavioral2/files/0x000a000000023ba6-159.dat	upx
behavioral2/memory/1180-158-0x00007FF6ADA30000-0x00007FF6ADE22000-memory.dmp	upx
behavioral2/files/0x000a000000023ba5-153.dat	upx
behavioral2/files/0x000a000000023ba3-142.dat	upx
behavioral2/memory/3256-141-0x00007FF780410000-0x00007FF780802000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-135.dat	upx
behavioral2/memory/3208-134-0x00007FF67DC10000-0x00007FF67E002000-memory.dmp	upx
behavioral2/memory/4368-128-0x00007FF69E970000-0x00007FF69ED62000-memory.dmp	upx
behavioral2/memory/3892-127-0x00007FF76F2B0000-0x00007FF76F6A2000-memory.dmp	upx
behavioral2/files/0x000a000000023ba1-122.dat	upx
behavioral2/memory/1660-117-0x00007FF7D9BB0000-0x00007FF7D9FA2000-memory.dmp	upx
behavioral2/files/0x000b000000023b9f-109.dat	upx
behavioral2/memory/2556-108-0x00007FF6CD140000-0x00007FF6CD532000-memory.dmp	upx
behavioral2/memory/3580-107-0x00007FF79B9D0000-0x00007FF79BDC2000-memory.dmp	upx
behavioral2/memory/4424-106-0x00007FF7B0E10000-0x00007FF7B1202000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-103.dat	upx
behavioral2/files/0x000a000000023b9d-97.dat	upx
behavioral2/memory/3992-95-0x00007FF7CA8E0000-0x00007FF7CACD2000-memory.dmp	upx
behavioral2/files/0x000a000000023b99-84.dat	upx
behavioral2/files/0x000a000000023b98-69.dat	upx
behavioral2/files/0x000a000000023b97-64.dat	upx
behavioral2/files/0x000a000000023b95-54.dat	upx
behavioral2/files/0x000a000000023b96-51.dat	upx
behavioral2/files/0x000a000000023b91-45.dat	upx
behavioral2/files/0x000a000000023b93-39.dat	upx
behavioral2/files/0x000a000000023b92-28.dat	upx
behavioral2/files/0x000a000000023b90-24.dat	upx
behavioral2/memory/3440-15-0x00007FF7E3990000-0x00007FF7E3D82000-memory.dmp	upx
behavioral2/memory/3440-3566-0x00007FF7E3990000-0x00007FF7E3D82000-memory.dmp	upx
behavioral2/memory/3440-3591-0x00007FF7E3990000-0x00007FF7E3D82000-memory.dmp	upx
behavioral2/memory/3992-3593-0x00007FF7CA8E0000-0x00007FF7CACD2000-memory.dmp	upx
behavioral2/memory/1896-3600-0x00007FF6BB5B0000-0x00007FF6BB9A2000-memory.dmp	upx
behavioral2/memory/4424-3603-0x00007FF7B0E10000-0x00007FF7B1202000-memory.dmp	upx
behavioral2/memory/1660-3605-0x00007FF7D9BB0000-0x00007FF7D9FA2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\wxWFLXa.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\XiUMczt.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\YduDvtt.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\qkztIXh.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\kWiGNHv.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\rJAmntp.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\ZoNxeoS.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\ZGEWFyF.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\HZZXZWS.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\xWPcRjY.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\TatCujl.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\wXidGrS.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\igrqPxG.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\EAcJBOT.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\GHNFqYc.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\wmZRNvb.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\BtWeewA.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\bgbODof.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\upRaedl.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\AAjxTeM.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\WqwTwZM.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\DwXvzdI.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\SXoNrFr.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\OvtmOBB.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\LUMmHfc.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\BVmjqRV.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\dUZiMeS.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\ObQZhSD.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\ZiDlwCu.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\ULTFhxO.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\tPlQqhr.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\GWBQPrC.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\BxPNUQC.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\agOcPaR.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\UoCNjHF.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\njXMgee.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\EnYibxS.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\GZHeOLG.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\GOQQaQV.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\gQJiZPJ.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\JmcsUka.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\zvkpOGt.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\VDqWfzR.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\yEaRznL.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\LahgjYL.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\lfFoxsK.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\QElEbnh.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\iyIgBhK.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\UagZGYD.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\RGVlijw.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\gkLYPQm.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\IpUvzwb.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\pqHxFom.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\TCgTgIm.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\VEVfObt.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\SPXqjmt.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\nKBAGhC.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\zXCUBbz.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\yKAptLN.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\UUmvsjg.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\QTNarNh.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\UgzAYnd.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\nSVAljs.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
File created	C:\Windows\System\wNpfTvC.exe	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
772	powershell.exe
772	powershell.exe
772	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
Token: SeDebugPrivilege	772	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 772	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	84
PID 1300 wrote to memory of 772	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	84
PID 1300 wrote to memory of 3440	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	85
PID 1300 wrote to memory of 3440	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	85
PID 1300 wrote to memory of 1180	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	86
PID 1300 wrote to memory of 1180	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	86
PID 1300 wrote to memory of 3992	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	87
PID 1300 wrote to memory of 3992	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	87
PID 1300 wrote to memory of 1896	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	88
PID 1300 wrote to memory of 1896	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	88
PID 1300 wrote to memory of 5076	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	89
PID 1300 wrote to memory of 5076	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	89
PID 1300 wrote to memory of 4424	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	90
PID 1300 wrote to memory of 4424	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	90
PID 1300 wrote to memory of 3580	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	91
PID 1300 wrote to memory of 3580	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	91
PID 1300 wrote to memory of 2556	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	92
PID 1300 wrote to memory of 2556	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	92
PID 1300 wrote to memory of 1660	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	93
PID 1300 wrote to memory of 1660	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	93
PID 1300 wrote to memory of 4808	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	94
PID 1300 wrote to memory of 4808	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	94
PID 1300 wrote to memory of 3892	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	95
PID 1300 wrote to memory of 3892	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	95
PID 1300 wrote to memory of 4368	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	96
PID 1300 wrote to memory of 4368	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	96
PID 1300 wrote to memory of 3208	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	97
PID 1300 wrote to memory of 3208	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	97
PID 1300 wrote to memory of 3000	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	98
PID 1300 wrote to memory of 3000	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	98
PID 1300 wrote to memory of 3256	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	99
PID 1300 wrote to memory of 3256	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	99
PID 1300 wrote to memory of 1976	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	100
PID 1300 wrote to memory of 1976	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	100
PID 1300 wrote to memory of 2172	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	101
PID 1300 wrote to memory of 2172	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	101
PID 1300 wrote to memory of 2200	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	102
PID 1300 wrote to memory of 2200	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	102
PID 1300 wrote to memory of 4840	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	103
PID 1300 wrote to memory of 4840	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	103
PID 1300 wrote to memory of 4488	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	104
PID 1300 wrote to memory of 4488	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	104
PID 1300 wrote to memory of 4928	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	105
PID 1300 wrote to memory of 4928	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	105
PID 1300 wrote to memory of 3116	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	106
PID 1300 wrote to memory of 3116	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	106
PID 1300 wrote to memory of 2756	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	107
PID 1300 wrote to memory of 2756	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	107
PID 1300 wrote to memory of 2156	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	108
PID 1300 wrote to memory of 2156	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	108
PID 1300 wrote to memory of 4456	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	109
PID 1300 wrote to memory of 4456	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	109
PID 1300 wrote to memory of 4360	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	110
PID 1300 wrote to memory of 4360	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	110
PID 1300 wrote to memory of 3692	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	111
PID 1300 wrote to memory of 3692	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	111
PID 1300 wrote to memory of 4460	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	112
PID 1300 wrote to memory of 4460	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	112
PID 1300 wrote to memory of 3856	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	113
PID 1300 wrote to memory of 3856	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	113
PID 1300 wrote to memory of 3172	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	114
PID 1300 wrote to memory of 3172	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	114
PID 1300 wrote to memory of 3708	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	115
PID 1300 wrote to memory of 3708	1300	11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe	115

C:\Users\Admin\AppData\Local\Temp\11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11d19c7d16003fb05c1ade6e5cd76b9c_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "772" "2940" "2884" "2944" "0" "0" "2948" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12852
- C:\Windows\System\WhybDii.exe
  C:\Windows\System\WhybDii.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\gqdwvEJ.exe
  C:\Windows\System\gqdwvEJ.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\svEEHyJ.exe
  C:\Windows\System\svEEHyJ.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\TRLJcSt.exe
  C:\Windows\System\TRLJcSt.exe
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\Windows\System\kuhaqat.exe
  C:\Windows\System\kuhaqat.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\XHLyNzK.exe
  C:\Windows\System\XHLyNzK.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\dqpktLG.exe
  C:\Windows\System\dqpktLG.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\XKLlWtA.exe
  C:\Windows\System\XKLlWtA.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\aQXjJHW.exe
  C:\Windows\System\aQXjJHW.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\PcCJrxK.exe
  C:\Windows\System\PcCJrxK.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\ozsBBPU.exe
  C:\Windows\System\ozsBBPU.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\yhYDmHf.exe
  C:\Windows\System\yhYDmHf.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\jeRBRfY.exe
  C:\Windows\System\jeRBRfY.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\ucmTCKF.exe
  C:\Windows\System\ucmTCKF.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\LXPRUVo.exe
  C:\Windows\System\LXPRUVo.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\vijwMIz.exe
  C:\Windows\System\vijwMIz.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\suYPXYI.exe
  C:\Windows\System\suYPXYI.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\vxKfjar.exe
  C:\Windows\System\vxKfjar.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\OzgCOpM.exe
  C:\Windows\System\OzgCOpM.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\EyYIMXw.exe
  C:\Windows\System\EyYIMXw.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\DiCKPMO.exe
  C:\Windows\System\DiCKPMO.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\MeFdPJB.exe
  C:\Windows\System\MeFdPJB.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\sRgexoJ.exe
  C:\Windows\System\sRgexoJ.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\vvaObMC.exe
  C:\Windows\System\vvaObMC.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\yFCyPeA.exe
  C:\Windows\System\yFCyPeA.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\ioHmJLK.exe
  C:\Windows\System\ioHmJLK.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\zDmXDbg.exe
  C:\Windows\System\zDmXDbg.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\zHlDXls.exe
  C:\Windows\System\zHlDXls.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\BTVMYLt.exe
  C:\Windows\System\BTVMYLt.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\System\xrTdafI.exe
  C:\Windows\System\xrTdafI.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\dkLXDFk.exe
  C:\Windows\System\dkLXDFk.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\wwTAhEe.exe
  C:\Windows\System\wwTAhEe.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\gLXRKBt.exe
  C:\Windows\System\gLXRKBt.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\PhmVBPr.exe
  C:\Windows\System\PhmVBPr.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\KZuDieJ.exe
  C:\Windows\System\KZuDieJ.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\BSIlavp.exe
  C:\Windows\System\BSIlavp.exe
  2⤵
  - Executes dropped EXE
  PID:3812
- C:\Windows\System\pwcNMJG.exe
  C:\Windows\System\pwcNMJG.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\OIIgUBO.exe
  C:\Windows\System\OIIgUBO.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\WBLrxzS.exe
  C:\Windows\System\WBLrxzS.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\paawRDr.exe
  C:\Windows\System\paawRDr.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\eapyJeK.exe
  C:\Windows\System\eapyJeK.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\WWrurMZ.exe
  C:\Windows\System\WWrurMZ.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\sfrpnRM.exe
  C:\Windows\System\sfrpnRM.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\jJXvZyc.exe
  C:\Windows\System\jJXvZyc.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\HdhAyrJ.exe
  C:\Windows\System\HdhAyrJ.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\cOWlnOh.exe
  C:\Windows\System\cOWlnOh.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\SwRaamn.exe
  C:\Windows\System\SwRaamn.exe
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Windows\System\otwtQGj.exe
  C:\Windows\System\otwtQGj.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\IQdeDQQ.exe
  C:\Windows\System\IQdeDQQ.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\xdGYUsu.exe
  C:\Windows\System\xdGYUsu.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\lOsiQsW.exe
  C:\Windows\System\lOsiQsW.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\gzydCvN.exe
  C:\Windows\System\gzydCvN.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\txCEIha.exe
  C:\Windows\System\txCEIha.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\hbWPOrS.exe
  C:\Windows\System\hbWPOrS.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\toBOTGf.exe
  C:\Windows\System\toBOTGf.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\BkdlNty.exe
  C:\Windows\System\BkdlNty.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\sywvPYK.exe
  C:\Windows\System\sywvPYK.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\tyNdrbh.exe
  C:\Windows\System\tyNdrbh.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\bruwIih.exe
  C:\Windows\System\bruwIih.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\RGsSycJ.exe
  C:\Windows\System\RGsSycJ.exe
  2⤵
  - Executes dropped EXE
  PID:4484
- C:\Windows\System\oHyinGa.exe
  C:\Windows\System\oHyinGa.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System\vFyAVJi.exe
  C:\Windows\System\vFyAVJi.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\uyBEJAX.exe
  C:\Windows\System\uyBEJAX.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\SkWTkos.exe
  C:\Windows\System\SkWTkos.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\TVwpKEq.exe
  C:\Windows\System\TVwpKEq.exe
  2⤵
  PID:5152
- C:\Windows\System\XTjulUo.exe
  C:\Windows\System\XTjulUo.exe
  2⤵
  PID:5176
- C:\Windows\System\YKeWSQD.exe
  C:\Windows\System\YKeWSQD.exe
  2⤵
  PID:5212
- C:\Windows\System\aTGaTsh.exe
  C:\Windows\System\aTGaTsh.exe
  2⤵
  PID:5232
- C:\Windows\System\yRMUkoE.exe
  C:\Windows\System\yRMUkoE.exe
  2⤵
  PID:5264
- C:\Windows\System\deGYQyA.exe
  C:\Windows\System\deGYQyA.exe
  2⤵
  PID:5292
- C:\Windows\System\dUZiMeS.exe
  C:\Windows\System\dUZiMeS.exe
  2⤵
  PID:5320
- C:\Windows\System\pzxVoyv.exe
  C:\Windows\System\pzxVoyv.exe
  2⤵
  PID:5352
- C:\Windows\System\OvtmOBB.exe
  C:\Windows\System\OvtmOBB.exe
  2⤵
  PID:5380
- C:\Windows\System\ylLwAba.exe
  C:\Windows\System\ylLwAba.exe
  2⤵
  PID:5408
- C:\Windows\System\jirMgNI.exe
  C:\Windows\System\jirMgNI.exe
  2⤵
  PID:5436
- C:\Windows\System\aNZsscw.exe
  C:\Windows\System\aNZsscw.exe
  2⤵
  PID:5472
- C:\Windows\System\HvriXOM.exe
  C:\Windows\System\HvriXOM.exe
  2⤵
  PID:5504
- C:\Windows\System\DNEtRDX.exe
  C:\Windows\System\DNEtRDX.exe
  2⤵
  PID:5536
- C:\Windows\System\fdOaKBK.exe
  C:\Windows\System\fdOaKBK.exe
  2⤵
  PID:5564
- C:\Windows\System\adcWlsB.exe
  C:\Windows\System\adcWlsB.exe
  2⤵
  PID:5592
- C:\Windows\System\iwgcwyS.exe
  C:\Windows\System\iwgcwyS.exe
  2⤵
  PID:5620
- C:\Windows\System\yPCqjeV.exe
  C:\Windows\System\yPCqjeV.exe
  2⤵
  PID:5644
- C:\Windows\System\iMLEUkL.exe
  C:\Windows\System\iMLEUkL.exe
  2⤵
  PID:5676
- C:\Windows\System\hMXtOoo.exe
  C:\Windows\System\hMXtOoo.exe
  2⤵
  PID:5704
- C:\Windows\System\FYNDylk.exe
  C:\Windows\System\FYNDylk.exe
  2⤵
  PID:5732
- C:\Windows\System\LUmFkAq.exe
  C:\Windows\System\LUmFkAq.exe
  2⤵
  PID:5764
- C:\Windows\System\ypEMTkI.exe
  C:\Windows\System\ypEMTkI.exe
  2⤵
  PID:5792
- C:\Windows\System\PVRPzcA.exe
  C:\Windows\System\PVRPzcA.exe
  2⤵
  PID:5820
- C:\Windows\System\AHXcKxA.exe
  C:\Windows\System\AHXcKxA.exe
  2⤵
  PID:5844
- C:\Windows\System\AbgHJgC.exe
  C:\Windows\System\AbgHJgC.exe
  2⤵
  PID:5872
- C:\Windows\System\ZHZHOVI.exe
  C:\Windows\System\ZHZHOVI.exe
  2⤵
  PID:5900
- C:\Windows\System\wicDfIE.exe
  C:\Windows\System\wicDfIE.exe
  2⤵
  PID:5924
- C:\Windows\System\mBWRQVA.exe
  C:\Windows\System\mBWRQVA.exe
  2⤵
  PID:5952
- C:\Windows\System\PbYLPSE.exe
  C:\Windows\System\PbYLPSE.exe
  2⤵
  PID:5980
- C:\Windows\System\apHqHGU.exe
  C:\Windows\System\apHqHGU.exe
  2⤵
  PID:6004
- C:\Windows\System\HypVDCK.exe
  C:\Windows\System\HypVDCK.exe
  2⤵
  PID:6032
- C:\Windows\System\hFjemns.exe
  C:\Windows\System\hFjemns.exe
  2⤵
  PID:6064
- C:\Windows\System\ShaXhYv.exe
  C:\Windows\System\ShaXhYv.exe
  2⤵
  PID:6096
- C:\Windows\System\zzzWeXf.exe
  C:\Windows\System\zzzWeXf.exe
  2⤵
  PID:6136
- C:\Windows\System\DKaUNYf.exe
  C:\Windows\System\DKaUNYf.exe
  2⤵
  PID:756
- C:\Windows\System\CsXspRT.exe
  C:\Windows\System\CsXspRT.exe
  2⤵
  PID:2020
- C:\Windows\System\UiNFnaz.exe
  C:\Windows\System\UiNFnaz.exe
  2⤵
  PID:856
- C:\Windows\System\nbbqGGG.exe
  C:\Windows\System\nbbqGGG.exe
  2⤵
  PID:2428
- C:\Windows\System\IuSARgu.exe
  C:\Windows\System\IuSARgu.exe
  2⤵
  PID:5004
- C:\Windows\System\gZfRgNv.exe
  C:\Windows\System\gZfRgNv.exe
  2⤵
  PID:5128
- C:\Windows\System\sAWeUUW.exe
  C:\Windows\System\sAWeUUW.exe
  2⤵
  PID:5188
- C:\Windows\System\KPHltyl.exe
  C:\Windows\System\KPHltyl.exe
  2⤵
  PID:5252
- C:\Windows\System\UVXZFJC.exe
  C:\Windows\System\UVXZFJC.exe
  2⤵
  PID:5328
- C:\Windows\System\vRLflKl.exe
  C:\Windows\System\vRLflKl.exe
  2⤵
  PID:5400
- C:\Windows\System\OvDoBVz.exe
  C:\Windows\System\OvDoBVz.exe
  2⤵
  PID:5452
- C:\Windows\System\mRViRdk.exe
  C:\Windows\System\mRViRdk.exe
  2⤵
  PID:5524
- C:\Windows\System\ZJqgkgj.exe
  C:\Windows\System\ZJqgkgj.exe
  2⤵
  PID:5604
- C:\Windows\System\ywmhPKB.exe
  C:\Windows\System\ywmhPKB.exe
  2⤵
  PID:1148
- C:\Windows\System\tKtutro.exe
  C:\Windows\System\tKtutro.exe
  2⤵
  PID:412
- C:\Windows\System\NnVjvjl.exe
  C:\Windows\System\NnVjvjl.exe
  2⤵
  PID:5744
- C:\Windows\System\tDfNdKg.exe
  C:\Windows\System\tDfNdKg.exe
  2⤵
  PID:5808
- C:\Windows\System\ZgHbSos.exe
  C:\Windows\System\ZgHbSos.exe
  2⤵
  PID:5856
- C:\Windows\System\kDJiHpl.exe
  C:\Windows\System\kDJiHpl.exe
  2⤵
  PID:5896
- C:\Windows\System\fZAwjrc.exe
  C:\Windows\System\fZAwjrc.exe
  2⤵
  PID:5968
- C:\Windows\System\gRDlixH.exe
  C:\Windows\System\gRDlixH.exe
  2⤵
  PID:5008
- C:\Windows\System\TcBmkZa.exe
  C:\Windows\System\TcBmkZa.exe
  2⤵
  PID:6072
- C:\Windows\System\hWPHnvX.exe
  C:\Windows\System\hWPHnvX.exe
  2⤵
  PID:1952
- C:\Windows\System\LgGupDW.exe
  C:\Windows\System\LgGupDW.exe
  2⤵
  PID:1644
- C:\Windows\System\cRXrZUy.exe
  C:\Windows\System\cRXrZUy.exe
  2⤵
  PID:2144
- C:\Windows\System\eUWignh.exe
  C:\Windows\System\eUWignh.exe
  2⤵
  PID:5160
- C:\Windows\System\XZuKtZT.exe
  C:\Windows\System\XZuKtZT.exe
  2⤵
  PID:5284
- C:\Windows\System\SEXiNgq.exe
  C:\Windows\System\SEXiNgq.exe
  2⤵
  PID:5372
- C:\Windows\System\bnluRIW.exe
  C:\Windows\System\bnluRIW.exe
  2⤵
  PID:668
- C:\Windows\System\XaelCNz.exe
  C:\Windows\System\XaelCNz.exe
  2⤵
  PID:4208
- C:\Windows\System\VqmMipj.exe
  C:\Windows\System\VqmMipj.exe
  2⤵
  PID:5716
- C:\Windows\System\GPWYnxR.exe
  C:\Windows\System\GPWYnxR.exe
  2⤵
  PID:2208
- C:\Windows\System\ExCkTUb.exe
  C:\Windows\System\ExCkTUb.exe
  2⤵
  PID:5936
- C:\Windows\System\QWwMNPL.exe
  C:\Windows\System\QWwMNPL.exe
  2⤵
  PID:6000
- C:\Windows\System\jGUfzbU.exe
  C:\Windows\System\jGUfzbU.exe
  2⤵
  PID:6120
- C:\Windows\System\fOuxUGj.exe
  C:\Windows\System\fOuxUGj.exe
  2⤵
  PID:3800
- C:\Windows\System\ELToFjp.exe
  C:\Windows\System\ELToFjp.exe
  2⤵
  PID:3652
- C:\Windows\System\ZCHXfuL.exe
  C:\Windows\System\ZCHXfuL.exe
  2⤵
  PID:5360
- C:\Windows\System\LUiltNB.exe
  C:\Windows\System\LUiltNB.exe
  2⤵
  PID:5556
- C:\Windows\System\fSwVCHw.exe
  C:\Windows\System\fSwVCHw.exe
  2⤵
  PID:5668
- C:\Windows\System\RplSSIb.exe
  C:\Windows\System\RplSSIb.exe
  2⤵
  PID:5868
- C:\Windows\System\bnUJcMQ.exe
  C:\Windows\System\bnUJcMQ.exe
  2⤵
  PID:6052
- C:\Windows\System\Wjtotrd.exe
  C:\Windows\System\Wjtotrd.exe
  2⤵
  PID:2220
- C:\Windows\System\TEwtyLS.exe
  C:\Windows\System\TEwtyLS.exe
  2⤵
  PID:1780
- C:\Windows\System\lGWmFjb.exe
  C:\Windows\System\lGWmFjb.exe
  2⤵
  PID:5492
- C:\Windows\System\bPwOxfq.exe
  C:\Windows\System\bPwOxfq.exe
  2⤵
  PID:1600
- C:\Windows\System\azQkSRf.exe
  C:\Windows\System\azQkSRf.exe
  2⤵
  PID:6044
- C:\Windows\System\GrncduW.exe
  C:\Windows\System\GrncduW.exe
  2⤵
  PID:3664
- C:\Windows\System\OKGEFWy.exe
  C:\Windows\System\OKGEFWy.exe
  2⤵
  PID:6168
- C:\Windows\System\DwXvzdI.exe
  C:\Windows\System\DwXvzdI.exe
  2⤵
  PID:6200
- C:\Windows\System\tdjnAhI.exe
  C:\Windows\System\tdjnAhI.exe
  2⤵
  PID:6228
- C:\Windows\System\xTLjxKx.exe
  C:\Windows\System\xTLjxKx.exe
  2⤵
  PID:6252
- C:\Windows\System\ahCHFcJ.exe
  C:\Windows\System\ahCHFcJ.exe
  2⤵
  PID:6316
- C:\Windows\System\pJbURvs.exe
  C:\Windows\System\pJbURvs.exe
  2⤵
  PID:6348
- C:\Windows\System\qUDSkPV.exe
  C:\Windows\System\qUDSkPV.exe
  2⤵
  PID:6372
- C:\Windows\System\XRVeGXr.exe
  C:\Windows\System\XRVeGXr.exe
  2⤵
  PID:6400
- C:\Windows\System\gusdIxy.exe
  C:\Windows\System\gusdIxy.exe
  2⤵
  PID:6428
- C:\Windows\System\wElRaOK.exe
  C:\Windows\System\wElRaOK.exe
  2⤵
  PID:6448
- C:\Windows\System\wDEpWPC.exe
  C:\Windows\System\wDEpWPC.exe
  2⤵
  PID:6476
- C:\Windows\System\ylzHTty.exe
  C:\Windows\System\ylzHTty.exe
  2⤵
  PID:6504
- C:\Windows\System\bvBOAYS.exe
  C:\Windows\System\bvBOAYS.exe
  2⤵
  PID:6532
- C:\Windows\System\hDuEimQ.exe
  C:\Windows\System\hDuEimQ.exe
  2⤵
  PID:6556
- C:\Windows\System\dXwMTxW.exe
  C:\Windows\System\dXwMTxW.exe
  2⤵
  PID:6588
- C:\Windows\System\cnyrcRJ.exe
  C:\Windows\System\cnyrcRJ.exe
  2⤵
  PID:6616
- C:\Windows\System\cqTdlEQ.exe
  C:\Windows\System\cqTdlEQ.exe
  2⤵
  PID:6640
- C:\Windows\System\CugnJSA.exe
  C:\Windows\System\CugnJSA.exe
  2⤵
  PID:6668
- C:\Windows\System\BPBTLWS.exe
  C:\Windows\System\BPBTLWS.exe
  2⤵
  PID:6700
- C:\Windows\System\SJAuBgt.exe
  C:\Windows\System\SJAuBgt.exe
  2⤵
  PID:6728
- C:\Windows\System\TdYiPBI.exe
  C:\Windows\System\TdYiPBI.exe
  2⤵
  PID:6756
- C:\Windows\System\ggUqorR.exe
  C:\Windows\System\ggUqorR.exe
  2⤵
  PID:6780
- C:\Windows\System\CJqxYUA.exe
  C:\Windows\System\CJqxYUA.exe
  2⤵
  PID:6812
- C:\Windows\System\EYdATOj.exe
  C:\Windows\System\EYdATOj.exe
  2⤵
  PID:6840
- C:\Windows\System\ICkwatB.exe
  C:\Windows\System\ICkwatB.exe
  2⤵
  PID:6868
- C:\Windows\System\gAeKnAd.exe
  C:\Windows\System\gAeKnAd.exe
  2⤵
  PID:6896
- C:\Windows\System\LlJzHhS.exe
  C:\Windows\System\LlJzHhS.exe
  2⤵
  PID:6924
- C:\Windows\System\liJbdrW.exe
  C:\Windows\System\liJbdrW.exe
  2⤵
  PID:6952
- C:\Windows\System\zfRWwmb.exe
  C:\Windows\System\zfRWwmb.exe
  2⤵
  PID:6976
- C:\Windows\System\SQMpRmr.exe
  C:\Windows\System\SQMpRmr.exe
  2⤵
  PID:7020
- C:\Windows\System\BxKAVry.exe
  C:\Windows\System\BxKAVry.exe
  2⤵
  PID:7044
- C:\Windows\System\CBcPlqH.exe
  C:\Windows\System\CBcPlqH.exe
  2⤵
  PID:7100
- C:\Windows\System\FsAWgcI.exe
  C:\Windows\System\FsAWgcI.exe
  2⤵
  PID:7132
- C:\Windows\System\yxNxOqD.exe
  C:\Windows\System\yxNxOqD.exe
  2⤵
  PID:7160
- C:\Windows\System\pTQGslG.exe
  C:\Windows\System\pTQGslG.exe
  2⤵
  PID:4636
- C:\Windows\System\YyTEsGp.exe
  C:\Windows\System\YyTEsGp.exe
  2⤵
  PID:1536
- C:\Windows\System\EAXwqJM.exe
  C:\Windows\System\EAXwqJM.exe
  2⤵
  PID:6188
- C:\Windows\System\VChKOoD.exe
  C:\Windows\System\VChKOoD.exe
  2⤵
  PID:3728
- C:\Windows\System\KAmUVPk.exe
  C:\Windows\System\KAmUVPk.exe
  2⤵
  PID:6212
- C:\Windows\System\AvXTBHb.exe
  C:\Windows\System\AvXTBHb.exe
  2⤵
  PID:6284
- C:\Windows\System\hUKBAqJ.exe
  C:\Windows\System\hUKBAqJ.exe
  2⤵
  PID:6248
- C:\Windows\System\EvMqwpH.exe
  C:\Windows\System\EvMqwpH.exe
  2⤵
  PID:6344
- C:\Windows\System\dleJBYK.exe
  C:\Windows\System\dleJBYK.exe
  2⤵
  PID:6392
- C:\Windows\System\GTFteyb.exe
  C:\Windows\System\GTFteyb.exe
  2⤵
  PID:6464
- C:\Windows\System\lJuwZEc.exe
  C:\Windows\System\lJuwZEc.exe
  2⤵
  PID:6548
- C:\Windows\System\OmfBXne.exe
  C:\Windows\System\OmfBXne.exe
  2⤵
  PID:6636
- C:\Windows\System\dgHpxye.exe
  C:\Windows\System\dgHpxye.exe
  2⤵
  PID:6684
- C:\Windows\System\PObBCPC.exe
  C:\Windows\System\PObBCPC.exe
  2⤵
  PID:6720
- C:\Windows\System\UTMbDiy.exe
  C:\Windows\System\UTMbDiy.exe
  2⤵
  PID:6796
- C:\Windows\System\QlNgYCq.exe
  C:\Windows\System\QlNgYCq.exe
  2⤵
  PID:4432
- C:\Windows\System\jGbsvFJ.exe
  C:\Windows\System\jGbsvFJ.exe
  2⤵
  PID:6860
- C:\Windows\System\cUmixof.exe
  C:\Windows\System\cUmixof.exe
  2⤵
  PID:6888
- C:\Windows\System\LEQCkMT.exe
  C:\Windows\System\LEQCkMT.exe
  2⤵
  PID:3192
- C:\Windows\System\LpgwJom.exe
  C:\Windows\System\LpgwJom.exe
  2⤵
  PID:3112
- C:\Windows\System\LafCMrF.exe
  C:\Windows\System\LafCMrF.exe
  2⤵
  PID:7036
- C:\Windows\System\IVLSHWD.exe
  C:\Windows\System\IVLSHWD.exe
  2⤵
  PID:5052
- C:\Windows\System\KqKxiuc.exe
  C:\Windows\System\KqKxiuc.exe
  2⤵
  PID:7096
- C:\Windows\System\UgGfXqj.exe
  C:\Windows\System\UgGfXqj.exe
  2⤵
  PID:1060
- C:\Windows\System\wcWVuYO.exe
  C:\Windows\System\wcWVuYO.exe
  2⤵
  PID:1184
- C:\Windows\System\IjBcCkH.exe
  C:\Windows\System\IjBcCkH.exe
  2⤵
  PID:6184
- C:\Windows\System\FteaAHp.exe
  C:\Windows\System\FteaAHp.exe
  2⤵
  PID:4852
- C:\Windows\System\SxHgDSU.exe
  C:\Windows\System\SxHgDSU.exe
  2⤵
  PID:6304
- C:\Windows\System\GxLGLJx.exe
  C:\Windows\System\GxLGLJx.exe
  2⤵
  PID:6524
- C:\Windows\System\fxUgsRs.exe
  C:\Windows\System\fxUgsRs.exe
  2⤵
  PID:4468
- C:\Windows\System\hwFzBfK.exe
  C:\Windows\System\hwFzBfK.exe
  2⤵
  PID:6856
- C:\Windows\System\TvuPfGF.exe
  C:\Windows\System\TvuPfGF.exe
  2⤵
  PID:1584
- C:\Windows\System\KLzlmwg.exe
  C:\Windows\System\KLzlmwg.exe
  2⤵
  PID:6968
- C:\Windows\System\wUmDcSo.exe
  C:\Windows\System\wUmDcSo.exe
  2⤵
  PID:7120
- C:\Windows\System\XbNtOAq.exe
  C:\Windows\System\XbNtOAq.exe
  2⤵
  PID:4032
- C:\Windows\System\wzjlRzv.exe
  C:\Windows\System\wzjlRzv.exe
  2⤵
  PID:6244
- C:\Windows\System\NbPdWpo.exe
  C:\Windows\System\NbPdWpo.exe
  2⤵
  PID:6944
- C:\Windows\System\WJTkiuS.exe
  C:\Windows\System\WJTkiuS.exe
  2⤵
  PID:6972
- C:\Windows\System\jxvslEa.exe
  C:\Windows\System\jxvslEa.exe
  2⤵
  PID:7188
- C:\Windows\System\aqGEbHA.exe
  C:\Windows\System\aqGEbHA.exe
  2⤵
  PID:7208
- C:\Windows\System\IUEVAqO.exe
  C:\Windows\System\IUEVAqO.exe
  2⤵
  PID:7232
- C:\Windows\System\FujhoOJ.exe
  C:\Windows\System\FujhoOJ.exe
  2⤵
  PID:7248
- C:\Windows\System\fmeRXya.exe
  C:\Windows\System\fmeRXya.exe
  2⤵
  PID:7268
- C:\Windows\System\feNPzIS.exe
  C:\Windows\System\feNPzIS.exe
  2⤵
  PID:7308
- C:\Windows\System\oAwpUul.exe
  C:\Windows\System\oAwpUul.exe
  2⤵
  PID:7328
- C:\Windows\System\fBmzFXm.exe
  C:\Windows\System\fBmzFXm.exe
  2⤵
  PID:7372
- C:\Windows\System\kqjiuxR.exe
  C:\Windows\System\kqjiuxR.exe
  2⤵
  PID:7396
- C:\Windows\System\AGvkwPw.exe
  C:\Windows\System\AGvkwPw.exe
  2⤵
  PID:7432
- C:\Windows\System\MFpKoEG.exe
  C:\Windows\System\MFpKoEG.exe
  2⤵
  PID:7480
- C:\Windows\System\sDfTkPl.exe
  C:\Windows\System\sDfTkPl.exe
  2⤵
  PID:7504
- C:\Windows\System\KpLwILp.exe
  C:\Windows\System\KpLwILp.exe
  2⤵
  PID:7536
- C:\Windows\System\bIdQEyJ.exe
  C:\Windows\System\bIdQEyJ.exe
  2⤵
  PID:7572
- C:\Windows\System\RLjoWdc.exe
  C:\Windows\System\RLjoWdc.exe
  2⤵
  PID:7592
- C:\Windows\System\vUhCfLz.exe
  C:\Windows\System\vUhCfLz.exe
  2⤵
  PID:7608
- C:\Windows\System\KiHzYwf.exe
  C:\Windows\System\KiHzYwf.exe
  2⤵
  PID:7628
- C:\Windows\System\RIrEcvs.exe
  C:\Windows\System\RIrEcvs.exe
  2⤵
  PID:7660
- C:\Windows\System\GqNoqgb.exe
  C:\Windows\System\GqNoqgb.exe
  2⤵
  PID:7712
- C:\Windows\System\GbpVpCy.exe
  C:\Windows\System\GbpVpCy.exe
  2⤵
  PID:7728
- C:\Windows\System\FImXyse.exe
  C:\Windows\System\FImXyse.exe
  2⤵
  PID:7752
- C:\Windows\System\ZhVTjYg.exe
  C:\Windows\System\ZhVTjYg.exe
  2⤵
  PID:7796
- C:\Windows\System\uCABgfI.exe
  C:\Windows\System\uCABgfI.exe
  2⤵
  PID:7816
- C:\Windows\System\rCcbCUl.exe
  C:\Windows\System\rCcbCUl.exe
  2⤵
  PID:7840
- C:\Windows\System\LsFgEPm.exe
  C:\Windows\System\LsFgEPm.exe
  2⤵
  PID:7864
- C:\Windows\System\YplOmlJ.exe
  C:\Windows\System\YplOmlJ.exe
  2⤵
  PID:7884
- C:\Windows\System\xGmEOIJ.exe
  C:\Windows\System\xGmEOIJ.exe
  2⤵
  PID:7912
- C:\Windows\System\oPuwJbZ.exe
  C:\Windows\System\oPuwJbZ.exe
  2⤵
  PID:7940
- C:\Windows\System\VtVvMJh.exe
  C:\Windows\System\VtVvMJh.exe
  2⤵
  PID:7976
- C:\Windows\System\eoBQIhf.exe
  C:\Windows\System\eoBQIhf.exe
  2⤵
  PID:8016
- C:\Windows\System\nMoErHV.exe
  C:\Windows\System\nMoErHV.exe
  2⤵
  PID:8040
- C:\Windows\System\JQKnAoA.exe
  C:\Windows\System\JQKnAoA.exe
  2⤵
  PID:8084
- C:\Windows\System\lIVgEee.exe
  C:\Windows\System\lIVgEee.exe
  2⤵
  PID:8100
- C:\Windows\System\mInduKd.exe
  C:\Windows\System\mInduKd.exe
  2⤵
  PID:8124
- C:\Windows\System\yOaNaUS.exe
  C:\Windows\System\yOaNaUS.exe
  2⤵
  PID:8144
- C:\Windows\System\DiSaLql.exe
  C:\Windows\System\DiSaLql.exe
  2⤵
  PID:8184
- C:\Windows\System\oFEZkwl.exe
  C:\Windows\System\oFEZkwl.exe
  2⤵
  PID:5840
- C:\Windows\System\fDEbMYr.exe
  C:\Windows\System\fDEbMYr.exe
  2⤵
  PID:1812
- C:\Windows\System\lLuUIXF.exe
  C:\Windows\System\lLuUIXF.exe
  2⤵
  PID:7196
- C:\Windows\System\mMiRcZD.exe
  C:\Windows\System\mMiRcZD.exe
  2⤵
  PID:7316
- C:\Windows\System\TKfvRPG.exe
  C:\Windows\System\TKfvRPG.exe
  2⤵
  PID:7288
- C:\Windows\System\jeMbusA.exe
  C:\Windows\System\jeMbusA.exe
  2⤵
  PID:7344
- C:\Windows\System\dBpVQKw.exe
  C:\Windows\System\dBpVQKw.exe
  2⤵
  PID:7496
- C:\Windows\System\jKxYCRT.exe
  C:\Windows\System\jKxYCRT.exe
  2⤵
  PID:7560
- C:\Windows\System\TAubytw.exe
  C:\Windows\System\TAubytw.exe
  2⤵
  PID:7624
- C:\Windows\System\cEETAtn.exe
  C:\Windows\System\cEETAtn.exe
  2⤵
  PID:7652
- C:\Windows\System\oOKOCtv.exe
  C:\Windows\System\oOKOCtv.exe
  2⤵
  PID:7724
- C:\Windows\System\ZejKOZB.exe
  C:\Windows\System\ZejKOZB.exe
  2⤵
  PID:7744
- C:\Windows\System\ROdutBS.exe
  C:\Windows\System\ROdutBS.exe
  2⤵
  PID:7824
- C:\Windows\System\qoKBFxi.exe
  C:\Windows\System\qoKBFxi.exe
  2⤵
  PID:7836
- C:\Windows\System\tebSjEk.exe
  C:\Windows\System\tebSjEk.exe
  2⤵
  PID:7984
- C:\Windows\System\JenJeaJ.exe
  C:\Windows\System\JenJeaJ.exe
  2⤵
  PID:8064
- C:\Windows\System\OLUpxcm.exe
  C:\Windows\System\OLUpxcm.exe
  2⤵
  PID:8096
- C:\Windows\System\wcOwxzP.exe
  C:\Windows\System\wcOwxzP.exe
  2⤵
  PID:8136
- C:\Windows\System\zNUibxe.exe
  C:\Windows\System\zNUibxe.exe
  2⤵
  PID:3916
- C:\Windows\System\RpzzSoq.exe
  C:\Windows\System\RpzzSoq.exe
  2⤵
  PID:5056
- C:\Windows\System\XfvrJCz.exe
  C:\Windows\System\XfvrJCz.exe
  2⤵
  PID:7260
- C:\Windows\System\fMmpmTF.exe
  C:\Windows\System\fMmpmTF.exe
  2⤵
  PID:7556
- C:\Windows\System\RhXVUdl.exe
  C:\Windows\System\RhXVUdl.exe
  2⤵
  PID:7700
- C:\Windows\System\dZokfYU.exe
  C:\Windows\System\dZokfYU.exe
  2⤵
  PID:7696
- C:\Windows\System\EXeTice.exe
  C:\Windows\System\EXeTice.exe
  2⤵
  PID:7848
- C:\Windows\System\KFGXOFf.exe
  C:\Windows\System\KFGXOFf.exe
  2⤵
  PID:8028
- C:\Windows\System\IwFyvfi.exe
  C:\Windows\System\IwFyvfi.exe
  2⤵
  PID:8076
- C:\Windows\System\hMPKrtZ.exe
  C:\Windows\System\hMPKrtZ.exe
  2⤵
  PID:2592
- C:\Windows\System\AdtLLZw.exe
  C:\Windows\System\AdtLLZw.exe
  2⤵
  PID:7636
- C:\Windows\System\wfUTTte.exe
  C:\Windows\System\wfUTTte.exe
  2⤵
  PID:7908
- C:\Windows\System\KYsBsAj.exe
  C:\Windows\System\KYsBsAj.exe
  2⤵
  PID:8244
- C:\Windows\System\ybOEaxz.exe
  C:\Windows\System\ybOEaxz.exe
  2⤵
  PID:8284
- C:\Windows\System\IXpAgkd.exe
  C:\Windows\System\IXpAgkd.exe
  2⤵
  PID:8308
- C:\Windows\System\jAwsBDm.exe
  C:\Windows\System\jAwsBDm.exe
  2⤵
  PID:8328
- C:\Windows\System\tnBQQrb.exe
  C:\Windows\System\tnBQQrb.exe
  2⤵
  PID:8352
- C:\Windows\System\ZBzzkdH.exe
  C:\Windows\System\ZBzzkdH.exe
  2⤵
  PID:8396
- C:\Windows\System\yCDhPMx.exe
  C:\Windows\System\yCDhPMx.exe
  2⤵
  PID:8420
- C:\Windows\System\OEXcNLU.exe
  C:\Windows\System\OEXcNLU.exe
  2⤵
  PID:8440
- C:\Windows\System\azBqtYw.exe
  C:\Windows\System\azBqtYw.exe
  2⤵
  PID:8464
- C:\Windows\System\lBTtXlO.exe
  C:\Windows\System\lBTtXlO.exe
  2⤵
  PID:8484
- C:\Windows\System\aogEDsH.exe
  C:\Windows\System\aogEDsH.exe
  2⤵
  PID:8532
- C:\Windows\System\lfFoxsK.exe
  C:\Windows\System\lfFoxsK.exe
  2⤵
  PID:8552
- C:\Windows\System\FYbRbRJ.exe
  C:\Windows\System\FYbRbRJ.exe
  2⤵
  PID:8576
- C:\Windows\System\KKaYVzM.exe
  C:\Windows\System\KKaYVzM.exe
  2⤵
  PID:8596
- C:\Windows\System\nzvtKpe.exe
  C:\Windows\System\nzvtKpe.exe
  2⤵
  PID:8612
- C:\Windows\System\rjZhfZu.exe
  C:\Windows\System\rjZhfZu.exe
  2⤵
  PID:8640
- C:\Windows\System\UgmGpJi.exe
  C:\Windows\System\UgmGpJi.exe
  2⤵
  PID:8660
- C:\Windows\System\eoAEmsA.exe
  C:\Windows\System\eoAEmsA.exe
  2⤵
  PID:8724
- C:\Windows\System\kCkXaSJ.exe
  C:\Windows\System\kCkXaSJ.exe
  2⤵
  PID:8756
- C:\Windows\System\aFtJKsO.exe
  C:\Windows\System\aFtJKsO.exe
  2⤵
  PID:8792
- C:\Windows\System\ftYVpLF.exe
  C:\Windows\System\ftYVpLF.exe
  2⤵
  PID:8816
- C:\Windows\System\tluldfj.exe
  C:\Windows\System\tluldfj.exe
  2⤵
  PID:8840
- C:\Windows\System\IkRvlFy.exe
  C:\Windows\System\IkRvlFy.exe
  2⤵
  PID:8860
- C:\Windows\System\KrGaQMv.exe
  C:\Windows\System\KrGaQMv.exe
  2⤵
  PID:8912
- C:\Windows\System\LWLSgYR.exe
  C:\Windows\System\LWLSgYR.exe
  2⤵
  PID:8936
- C:\Windows\System\mFYSfyS.exe
  C:\Windows\System\mFYSfyS.exe
  2⤵
  PID:8952
- C:\Windows\System\rxgwJmJ.exe
  C:\Windows\System\rxgwJmJ.exe
  2⤵
  PID:8968
- C:\Windows\System\piwuTAc.exe
  C:\Windows\System\piwuTAc.exe
  2⤵
  PID:9008
- C:\Windows\System\paeLScR.exe
  C:\Windows\System\paeLScR.exe
  2⤵
  PID:9028
- C:\Windows\System\LwOitos.exe
  C:\Windows\System\LwOitos.exe
  2⤵
  PID:9056
- C:\Windows\System\UkflIxA.exe
  C:\Windows\System\UkflIxA.exe
  2⤵
  PID:9108
- C:\Windows\System\dzkqPAT.exe
  C:\Windows\System\dzkqPAT.exe
  2⤵
  PID:9128
- C:\Windows\System\eHGacOR.exe
  C:\Windows\System\eHGacOR.exe
  2⤵
  PID:9164
- C:\Windows\System\YyrvRQx.exe
  C:\Windows\System\YyrvRQx.exe
  2⤵
  PID:9184
- C:\Windows\System\vTgpBEG.exe
  C:\Windows\System\vTgpBEG.exe
  2⤵
  PID:9200
- C:\Windows\System\HfpauqB.exe
  C:\Windows\System\HfpauqB.exe
  2⤵
  PID:8012
- C:\Windows\System\VlKjYkX.exe
  C:\Windows\System\VlKjYkX.exe
  2⤵
  PID:7996
- C:\Windows\System\pzWRxzI.exe
  C:\Windows\System\pzWRxzI.exe
  2⤵
  PID:8320
- C:\Windows\System\NcJQyFx.exe
  C:\Windows\System\NcJQyFx.exe
  2⤵
  PID:8388
- C:\Windows\System\oNJJzfW.exe
  C:\Windows\System\oNJJzfW.exe
  2⤵
  PID:8408
- C:\Windows\System\qtiMSBB.exe
  C:\Windows\System\qtiMSBB.exe
  2⤵
  PID:8496
- C:\Windows\System\dVQnIYa.exe
  C:\Windows\System\dVQnIYa.exe
  2⤵
  PID:8544
- C:\Windows\System\UmSHHrp.exe
  C:\Windows\System\UmSHHrp.exe
  2⤵
  PID:8608
- C:\Windows\System\zscXLnF.exe
  C:\Windows\System\zscXLnF.exe
  2⤵
  PID:8700
- C:\Windows\System\iTaZSsS.exe
  C:\Windows\System\iTaZSsS.exe
  2⤵
  PID:8672
- C:\Windows\System\LpNYIrD.exe
  C:\Windows\System\LpNYIrD.exe
  2⤵
  PID:8748
- C:\Windows\System\fPoUKrm.exe
  C:\Windows\System\fPoUKrm.exe
  2⤵
  PID:8824
- C:\Windows\System\EFLNOws.exe
  C:\Windows\System\EFLNOws.exe
  2⤵
  PID:8884
- C:\Windows\System\AsXVZGP.exe
  C:\Windows\System\AsXVZGP.exe
  2⤵
  PID:9152
- C:\Windows\System\QNkbAHO.exe
  C:\Windows\System\QNkbAHO.exe
  2⤵
  PID:9124
- C:\Windows\System\kirLhQP.exe
  C:\Windows\System\kirLhQP.exe
  2⤵
  PID:9196
- C:\Windows\System\NeUCYbY.exe
  C:\Windows\System\NeUCYbY.exe
  2⤵
  PID:4536
- C:\Windows\System\NnnihGf.exe
  C:\Windows\System\NnnihGf.exe
  2⤵
  PID:8300
- C:\Windows\System\LPctrDz.exe
  C:\Windows\System\LPctrDz.exe
  2⤵
  PID:8448
- C:\Windows\System\PNRtKfh.exe
  C:\Windows\System\PNRtKfh.exe
  2⤵
  PID:8776
- C:\Windows\System\DeNbTsg.exe
  C:\Windows\System\DeNbTsg.exe
  2⤵
  PID:8812
- C:\Windows\System\zbjqXRs.exe
  C:\Windows\System\zbjqXRs.exe
  2⤵
  PID:8636
- C:\Windows\System\ZruibMW.exe
  C:\Windows\System\ZruibMW.exe
  2⤵
  PID:8988
- C:\Windows\System\RSMcExq.exe
  C:\Windows\System\RSMcExq.exe
  2⤵
  PID:9144
- C:\Windows\System\bQJKkaR.exe
  C:\Windows\System\bQJKkaR.exe
  2⤵
  PID:8256
- C:\Windows\System\MrYjGNV.exe
  C:\Windows\System\MrYjGNV.exe
  2⤵
  PID:8624
- C:\Windows\System\hocnALX.exe
  C:\Windows\System\hocnALX.exe
  2⤵
  PID:9148
- C:\Windows\System\sdrsSBz.exe
  C:\Windows\System\sdrsSBz.exe
  2⤵
  PID:9236
- C:\Windows\System\oRPcdXv.exe
  C:\Windows\System\oRPcdXv.exe
  2⤵
  PID:9260
- C:\Windows\System\TBfbEPu.exe
  C:\Windows\System\TBfbEPu.exe
  2⤵
  PID:9288
- C:\Windows\System\GxdINWh.exe
  C:\Windows\System\GxdINWh.exe
  2⤵
  PID:9332
- C:\Windows\System\tuyBtOn.exe
  C:\Windows\System\tuyBtOn.exe
  2⤵
  PID:9356
- C:\Windows\System\SrqJbZP.exe
  C:\Windows\System\SrqJbZP.exe
  2⤵
  PID:9380
- C:\Windows\System\SvcWGkl.exe
  C:\Windows\System\SvcWGkl.exe
  2⤵
  PID:9408
- C:\Windows\System\pgKGXjv.exe
  C:\Windows\System\pgKGXjv.exe
  2⤵
  PID:9428
- C:\Windows\System\jfLpdua.exe
  C:\Windows\System\jfLpdua.exe
  2⤵
  PID:9464
- C:\Windows\System\ptcgZgE.exe
  C:\Windows\System\ptcgZgE.exe
  2⤵
  PID:9480
- C:\Windows\System\CtlfLqD.exe
  C:\Windows\System\CtlfLqD.exe
  2⤵
  PID:9496
- C:\Windows\System\cYiQcJm.exe
  C:\Windows\System\cYiQcJm.exe
  2⤵
  PID:9528
- C:\Windows\System\bRrslmn.exe
  C:\Windows\System\bRrslmn.exe
  2⤵
  PID:9564
- C:\Windows\System\BDtEDsu.exe
  C:\Windows\System\BDtEDsu.exe
  2⤵
  PID:9588
- C:\Windows\System\ZjsajZN.exe
  C:\Windows\System\ZjsajZN.exe
  2⤵
  PID:9640
- C:\Windows\System\DudcugY.exe
  C:\Windows\System\DudcugY.exe
  2⤵
  PID:9680
- C:\Windows\System\rQmjxIi.exe
  C:\Windows\System\rQmjxIi.exe
  2⤵
  PID:9716
- C:\Windows\System\FseRZMp.exe
  C:\Windows\System\FseRZMp.exe
  2⤵
  PID:9736
- C:\Windows\System\YKqBpUD.exe
  C:\Windows\System\YKqBpUD.exe
  2⤵
  PID:9764
- C:\Windows\System\whyoPjD.exe
  C:\Windows\System\whyoPjD.exe
  2⤵
  PID:9804
- C:\Windows\System\cbcHZgf.exe
  C:\Windows\System\cbcHZgf.exe
  2⤵
  PID:9828
- C:\Windows\System\CeiNJqN.exe
  C:\Windows\System\CeiNJqN.exe
  2⤵
  PID:9852
- C:\Windows\System\JHtJwMS.exe
  C:\Windows\System\JHtJwMS.exe
  2⤵
  PID:9872
- C:\Windows\System\DWmbPCs.exe
  C:\Windows\System\DWmbPCs.exe
  2⤵
  PID:9892
- C:\Windows\System\opVLWtY.exe
  C:\Windows\System\opVLWtY.exe
  2⤵
  PID:9916
- C:\Windows\System\NmlFcPp.exe
  C:\Windows\System\NmlFcPp.exe
  2⤵
  PID:9948
- C:\Windows\System\YmNiXzv.exe
  C:\Windows\System\YmNiXzv.exe
  2⤵
  PID:9964
- C:\Windows\System\LmmQxDA.exe
  C:\Windows\System\LmmQxDA.exe
  2⤵
  PID:9992
- C:\Windows\System\FCdNNWZ.exe
  C:\Windows\System\FCdNNWZ.exe
  2⤵
  PID:10032
- C:\Windows\System\XtTqruS.exe
  C:\Windows\System\XtTqruS.exe
  2⤵
  PID:10060
- C:\Windows\System\DrjadIR.exe
  C:\Windows\System\DrjadIR.exe
  2⤵
  PID:10084
- C:\Windows\System\FpsEZZA.exe
  C:\Windows\System\FpsEZZA.exe
  2⤵
  PID:10108
- C:\Windows\System\ZUlStBs.exe
  C:\Windows\System\ZUlStBs.exe
  2⤵
  PID:10124
- C:\Windows\System\xUunOCs.exe
  C:\Windows\System\xUunOCs.exe
  2⤵
  PID:10148
- C:\Windows\System\oTdJunI.exe
  C:\Windows\System\oTdJunI.exe
  2⤵
  PID:10200
- C:\Windows\System\XJYqcAn.exe
  C:\Windows\System\XJYqcAn.exe
  2⤵
  PID:10216
- C:\Windows\System\DjxchhS.exe
  C:\Windows\System\DjxchhS.exe
  2⤵
  PID:8432
- C:\Windows\System\ekVehTt.exe
  C:\Windows\System\ekVehTt.exe
  2⤵
  PID:8208
- C:\Windows\System\KRgNIJx.exe
  C:\Windows\System\KRgNIJx.exe
  2⤵
  PID:9024
- C:\Windows\System\tUIrFVA.exe
  C:\Windows\System\tUIrFVA.exe
  2⤵
  PID:9324
- C:\Windows\System\ljXKhWR.exe
  C:\Windows\System\ljXKhWR.exe
  2⤵
  PID:9476
- C:\Windows\System\NjcWuyr.exe
  C:\Windows\System\NjcWuyr.exe
  2⤵
  PID:9584
- C:\Windows\System\OCAAwaz.exe
  C:\Windows\System\OCAAwaz.exe
  2⤵
  PID:9604
- C:\Windows\System\aDXrzcy.exe
  C:\Windows\System\aDXrzcy.exe
  2⤵
  PID:9580
- C:\Windows\System\BKvnSAC.exe
  C:\Windows\System\BKvnSAC.exe
  2⤵
  PID:9696
- C:\Windows\System\UbMsnAt.exe
  C:\Windows\System\UbMsnAt.exe
  2⤵
  PID:9820
- C:\Windows\System\hrMrVin.exe
  C:\Windows\System\hrMrVin.exe
  2⤵
  PID:10072
- C:\Windows\System\RWQGBaR.exe
  C:\Windows\System\RWQGBaR.exe
  2⤵
  PID:10160
- C:\Windows\System\skziLzz.exe
  C:\Windows\System\skziLzz.exe
  2⤵
  PID:10120
- C:\Windows\System\vlephCb.exe
  C:\Windows\System\vlephCb.exe
  2⤵
  PID:10192
- C:\Windows\System\CFTwPeU.exe
  C:\Windows\System\CFTwPeU.exe
  2⤵
  PID:8200
- C:\Windows\System\CdAFNes.exe
  C:\Windows\System\CdAFNes.exe
  2⤵
  PID:10224
- C:\Windows\System\uQMcLQP.exe
  C:\Windows\System\uQMcLQP.exe
  2⤵
  PID:9220
- C:\Windows\System\kdWwUUm.exe
  C:\Windows\System\kdWwUUm.exe
  2⤵
  PID:9340
- C:\Windows\System\vInpiGs.exe
  C:\Windows\System\vInpiGs.exe
  2⤵
  PID:9504
- C:\Windows\System\CPPemCc.exe
  C:\Windows\System\CPPemCc.exe
  2⤵
  PID:9544
- C:\Windows\System\qorAYua.exe
  C:\Windows\System\qorAYua.exe
  2⤵
  PID:9652
- C:\Windows\System\AjYoDNo.exe
  C:\Windows\System\AjYoDNo.exe
  2⤵
  PID:9776
- C:\Windows\System\QNWwGaN.exe
  C:\Windows\System\QNWwGaN.exe
  2⤵
  PID:10256
- C:\Windows\System\DwgBouh.exe
  C:\Windows\System\DwgBouh.exe
  2⤵
  PID:10276
- C:\Windows\System\cyQppiy.exe
  C:\Windows\System\cyQppiy.exe
  2⤵
  PID:10304
- C:\Windows\System\mikueoA.exe
  C:\Windows\System\mikueoA.exe
  2⤵
  PID:10328
- C:\Windows\System\JBlbHQC.exe
  C:\Windows\System\JBlbHQC.exe
  2⤵
  PID:10348
- C:\Windows\System\SPXqjmt.exe
  C:\Windows\System\SPXqjmt.exe
  2⤵
  PID:10376
- C:\Windows\System\vZVChOc.exe
  C:\Windows\System\vZVChOc.exe
  2⤵
  PID:10432
- C:\Windows\System\ExpFmdw.exe
  C:\Windows\System\ExpFmdw.exe
  2⤵
  PID:10584
- C:\Windows\System\fyeSQdb.exe
  C:\Windows\System\fyeSQdb.exe
  2⤵
  PID:10604
- C:\Windows\System\gyPlIOG.exe
  C:\Windows\System\gyPlIOG.exe
  2⤵
  PID:10668
- C:\Windows\System\ffAaQUq.exe
  C:\Windows\System\ffAaQUq.exe
  2⤵
  PID:10700
- C:\Windows\System\kycgWRm.exe
  C:\Windows\System\kycgWRm.exe
  2⤵
  PID:10720
- C:\Windows\System\nKBAGhC.exe
  C:\Windows\System\nKBAGhC.exe
  2⤵
  PID:10756
- C:\Windows\System\lMnMDhD.exe
  C:\Windows\System\lMnMDhD.exe
  2⤵
  PID:10808
- C:\Windows\System\fkTuItB.exe
  C:\Windows\System\fkTuItB.exe
  2⤵
  PID:10832
- C:\Windows\System\IbIfPNP.exe
  C:\Windows\System\IbIfPNP.exe
  2⤵
  PID:10852
- C:\Windows\System\lXsONek.exe
  C:\Windows\System\lXsONek.exe
  2⤵
  PID:10876
- C:\Windows\System\CPRFxrv.exe
  C:\Windows\System\CPRFxrv.exe
  2⤵
  PID:10920
- C:\Windows\System\RIHLKno.exe
  C:\Windows\System\RIHLKno.exe
  2⤵
  PID:10936
- C:\Windows\System\guFlFyu.exe
  C:\Windows\System\guFlFyu.exe
  2⤵
  PID:10960
- C:\Windows\System\uMyuxGF.exe
  C:\Windows\System\uMyuxGF.exe
  2⤵
  PID:10980
- C:\Windows\System\rMFsmNo.exe
  C:\Windows\System\rMFsmNo.exe
  2⤵
  PID:11012
- C:\Windows\System\dJhWsJo.exe
  C:\Windows\System\dJhWsJo.exe
  2⤵
  PID:11040
- C:\Windows\System\VTTFaHm.exe
  C:\Windows\System\VTTFaHm.exe
  2⤵
  PID:11088
- C:\Windows\System\grmxyJB.exe
  C:\Windows\System\grmxyJB.exe
  2⤵
  PID:11104
- C:\Windows\System\Rftumhc.exe
  C:\Windows\System\Rftumhc.exe
  2⤵
  PID:11124
- C:\Windows\System\wxWFLXa.exe
  C:\Windows\System\wxWFLXa.exe
  2⤵
  PID:11144
- C:\Windows\System\IHGWVjG.exe
  C:\Windows\System\IHGWVjG.exe
  2⤵
  PID:11184
- C:\Windows\System\gyojLgK.exe
  C:\Windows\System\gyojLgK.exe
  2⤵
  PID:11220
- C:\Windows\System\utTLfGB.exe
  C:\Windows\System\utTLfGB.exe
  2⤵
  PID:11248
- C:\Windows\System\meEYXvn.exe
  C:\Windows\System\meEYXvn.exe
  2⤵
  PID:9668
- C:\Windows\System\pEuwraG.exe
  C:\Windows\System\pEuwraG.exe
  2⤵
  PID:10080
- C:\Windows\System\YnemjrS.exe
  C:\Windows\System\YnemjrS.exe
  2⤵
  PID:9812
- C:\Windows\System\PoIIAiF.exe
  C:\Windows\System\PoIIAiF.exe
  2⤵
  PID:10340
- C:\Windows\System\TCkkHfs.exe
  C:\Windows\System\TCkkHfs.exe
  2⤵
  PID:10208
- C:\Windows\System\UQtmXBe.exe
  C:\Windows\System\UQtmXBe.exe
  2⤵
  PID:9284
- C:\Windows\System\SZxjGVB.exe
  C:\Windows\System\SZxjGVB.exe
  2⤵
  PID:9424
- C:\Windows\System\IxsdTqA.exe
  C:\Windows\System\IxsdTqA.exe
  2⤵
  PID:9552
- C:\Windows\System\dALpHwu.exe
  C:\Windows\System\dALpHwu.exe
  2⤵
  PID:10008
- C:\Windows\System\ZcqAxsp.exe
  C:\Windows\System\ZcqAxsp.exe
  2⤵
  PID:10292
- C:\Windows\System\JozoJmK.exe
  C:\Windows\System\JozoJmK.exe
  2⤵
  PID:10100
- C:\Windows\System\dwkZjjS.exe
  C:\Windows\System\dwkZjjS.exe
  2⤵
  PID:10384
- C:\Windows\System\LlQjDpC.exe
  C:\Windows\System\LlQjDpC.exe
  2⤵
  PID:10516
- C:\Windows\System\DJJnUOX.exe
  C:\Windows\System\DJJnUOX.exe
  2⤵
  PID:10460
- C:\Windows\System\gvLaGrq.exe
  C:\Windows\System\gvLaGrq.exe
  2⤵
  PID:10616
- C:\Windows\System\JwYcTHw.exe
  C:\Windows\System\JwYcTHw.exe
  2⤵
  PID:10776
- C:\Windows\System\glUKUYG.exe
  C:\Windows\System\glUKUYG.exe
  2⤵
  PID:10828
- C:\Windows\System\DCcKQqg.exe
  C:\Windows\System\DCcKQqg.exe
  2⤵
  PID:10864
- C:\Windows\System\EqpBDFn.exe
  C:\Windows\System\EqpBDFn.exe
  2⤵
  PID:10932
- C:\Windows\System\VqiQqLo.exe
  C:\Windows\System\VqiQqLo.exe
  2⤵
  PID:11020
- C:\Windows\System\DIeFQaC.exe
  C:\Windows\System\DIeFQaC.exe
  2⤵
  PID:11080
- C:\Windows\System\NDEOsTK.exe
  C:\Windows\System\NDEOsTK.exe
  2⤵
  PID:11168
- C:\Windows\System\IFPRrtt.exe
  C:\Windows\System\IFPRrtt.exe
  2⤵
  PID:11232
- C:\Windows\System\JRqQMpn.exe
  C:\Windows\System\JRqQMpn.exe
  2⤵
  PID:9632
- C:\Windows\System\cNCiRWi.exe
  C:\Windows\System\cNCiRWi.exe
  2⤵
  PID:9864
- C:\Windows\System\KTiYfZs.exe
  C:\Windows\System\KTiYfZs.exe
  2⤵
  PID:9944
- C:\Windows\System\uLPhutr.exe
  C:\Windows\System\uLPhutr.exe
  2⤵
  PID:9900
- C:\Windows\System\qAkZQnM.exe
  C:\Windows\System\qAkZQnM.exe
  2⤵
  PID:10312
- C:\Windows\System\gTKEItn.exe
  C:\Windows\System\gTKEItn.exe
  2⤵
  PID:10508
- C:\Windows\System\esUHRHq.exe
  C:\Windows\System\esUHRHq.exe
  2⤵
  PID:10640
- C:\Windows\System\qmRzSSM.exe
  C:\Windows\System\qmRzSSM.exe
  2⤵
  PID:10764
- C:\Windows\System\Vhbqzlt.exe
  C:\Windows\System\Vhbqzlt.exe
  2⤵
  PID:11164
- C:\Windows\System\EnErSfo.exe
  C:\Windows\System\EnErSfo.exe
  2⤵
  PID:10344
- C:\Windows\System\auOgNWf.exe
  C:\Windows\System\auOgNWf.exe
  2⤵
  PID:8716
- C:\Windows\System\THJjeaP.exe
  C:\Windows\System\THJjeaP.exe
  2⤵
  PID:10844
- C:\Windows\System\wmZRNvb.exe
  C:\Windows\System\wmZRNvb.exe
  2⤵
  PID:10796
- C:\Windows\System\TxxcVGp.exe
  C:\Windows\System\TxxcVGp.exe
  2⤵
  PID:8604
- C:\Windows\System\chfzEBh.exe
  C:\Windows\System\chfzEBh.exe
  2⤵
  PID:10492
- C:\Windows\System\aAcSbnw.exe
  C:\Windows\System\aAcSbnw.exe
  2⤵
  PID:11316
- C:\Windows\System\zjTddRi.exe
  C:\Windows\System\zjTddRi.exe
  2⤵
  PID:11340
- C:\Windows\System\stviNiO.exe
  C:\Windows\System\stviNiO.exe
  2⤵
  PID:11360
- C:\Windows\System\JMkMCvV.exe
  C:\Windows\System\JMkMCvV.exe
  2⤵
  PID:11380
- C:\Windows\System\tfkWOlR.exe
  C:\Windows\System\tfkWOlR.exe
  2⤵
  PID:11408
- C:\Windows\System\BkFLXfM.exe
  C:\Windows\System\BkFLXfM.exe
  2⤵
  PID:11432
- C:\Windows\System\yeQuSTA.exe
  C:\Windows\System\yeQuSTA.exe
  2⤵
  PID:11448
- C:\Windows\System\FdOXGXq.exe
  C:\Windows\System\FdOXGXq.exe
  2⤵
  PID:11484
- C:\Windows\System\RXXdCbv.exe
  C:\Windows\System\RXXdCbv.exe
  2⤵
  PID:11520
- C:\Windows\System\RLydnna.exe
  C:\Windows\System\RLydnna.exe
  2⤵
  PID:11544
- C:\Windows\System\pEyEXrR.exe
  C:\Windows\System\pEyEXrR.exe
  2⤵
  PID:11564
- C:\Windows\System\oAhYEfS.exe
  C:\Windows\System\oAhYEfS.exe
  2⤵
  PID:11592
- C:\Windows\System\PNeNcgP.exe
  C:\Windows\System\PNeNcgP.exe
  2⤵
  PID:11616
- C:\Windows\System\rhnnWnF.exe
  C:\Windows\System\rhnnWnF.exe
  2⤵
  PID:11640
- C:\Windows\System\nGplpJk.exe
  C:\Windows\System\nGplpJk.exe
  2⤵
  PID:11660
- C:\Windows\System\quEYkGJ.exe
  C:\Windows\System\quEYkGJ.exe
  2⤵
  PID:11684
- C:\Windows\System\rrGMOvM.exe
  C:\Windows\System\rrGMOvM.exe
  2⤵
  PID:11704
- C:\Windows\System\RIDWlKD.exe
  C:\Windows\System\RIDWlKD.exe
  2⤵
  PID:11744
- C:\Windows\System\mmrHFME.exe
  C:\Windows\System\mmrHFME.exe
  2⤵
  PID:11796
- C:\Windows\System\YEbvpSQ.exe
  C:\Windows\System\YEbvpSQ.exe
  2⤵
  PID:11832
- C:\Windows\System\pFdrsUM.exe
  C:\Windows\System\pFdrsUM.exe
  2⤵
  PID:11848
- C:\Windows\System\RwrMgxi.exe
  C:\Windows\System\RwrMgxi.exe
  2⤵
  PID:11872
- C:\Windows\System\VGVfLtD.exe
  C:\Windows\System\VGVfLtD.exe
  2⤵
  PID:11896
- C:\Windows\System\WQJUiRF.exe
  C:\Windows\System\WQJUiRF.exe
  2⤵
  PID:11916
- C:\Windows\System\fAxcYMC.exe
  C:\Windows\System\fAxcYMC.exe
  2⤵
  PID:11956
- C:\Windows\System\OaaLKBl.exe
  C:\Windows\System\OaaLKBl.exe
  2⤵
  PID:11984
- C:\Windows\System\TGzWSIw.exe
  C:\Windows\System\TGzWSIw.exe
  2⤵
  PID:12012
- C:\Windows\System\BEQVZBS.exe
  C:\Windows\System\BEQVZBS.exe
  2⤵
  PID:12044
- C:\Windows\System\fjSMrGj.exe
  C:\Windows\System\fjSMrGj.exe
  2⤵
  PID:12060
- C:\Windows\System\xaJpQAD.exe
  C:\Windows\System\xaJpQAD.exe
  2⤵
  PID:12084
- C:\Windows\System\CgMbwcj.exe
  C:\Windows\System\CgMbwcj.exe
  2⤵
  PID:12140
- C:\Windows\System\XaEwgHA.exe
  C:\Windows\System\XaEwgHA.exe
  2⤵
  PID:12172
- C:\Windows\System\qOEExmo.exe
  C:\Windows\System\qOEExmo.exe
  2⤵
  PID:12208
- C:\Windows\System\LKhuUjv.exe
  C:\Windows\System\LKhuUjv.exe
  2⤵
  PID:12224
- C:\Windows\System\vwghJpN.exe
  C:\Windows\System\vwghJpN.exe
  2⤵
  PID:12244
- C:\Windows\System\SxUbRWd.exe
  C:\Windows\System\SxUbRWd.exe
  2⤵
  PID:12284
- C:\Windows\System\ISdJtmB.exe
  C:\Windows\System\ISdJtmB.exe
  2⤵
  PID:11300
- C:\Windows\System\hEIGLfX.exe
  C:\Windows\System\hEIGLfX.exe
  2⤵
  PID:11332
- C:\Windows\System\wtNkcKm.exe
  C:\Windows\System\wtNkcKm.exe
  2⤵
  PID:11356
- C:\Windows\System\vSkRknC.exe
  C:\Windows\System\vSkRknC.exe
  2⤵
  PID:11376
- C:\Windows\System\vfljGsn.exe
  C:\Windows\System\vfljGsn.exe
  2⤵
  PID:11492
- C:\Windows\System\iSJNXeX.exe
  C:\Windows\System\iSJNXeX.exe
  2⤵
  PID:11516
- C:\Windows\System\OYFPHdB.exe
  C:\Windows\System\OYFPHdB.exe
  2⤵
  PID:11632
- C:\Windows\System\hIeJsJZ.exe
  C:\Windows\System\hIeJsJZ.exe
  2⤵
  PID:11700
- C:\Windows\System\qaJXiTk.exe
  C:\Windows\System\qaJXiTk.exe
  2⤵
  PID:11756
- C:\Windows\System\nZcqCYv.exe
  C:\Windows\System\nZcqCYv.exe
  2⤵
  PID:11768
- C:\Windows\System\BMLvNEK.exe
  C:\Windows\System\BMLvNEK.exe
  2⤵
  PID:11864
- C:\Windows\System\QXTNtEx.exe
  C:\Windows\System\QXTNtEx.exe
  2⤵
  PID:11884
- C:\Windows\System\cFMljAO.exe
  C:\Windows\System\cFMljAO.exe
  2⤵
  PID:12036
- C:\Windows\System\UqwceYQ.exe
  C:\Windows\System\UqwceYQ.exe
  2⤵
  PID:12052
- C:\Windows\System\WisPfqr.exe
  C:\Windows\System\WisPfqr.exe
  2⤵
  PID:12112
- C:\Windows\System\WrQewUu.exe
  C:\Windows\System\WrQewUu.exe
  2⤵
  PID:12196
- C:\Windows\System\FmSjOdo.exe
  C:\Windows\System\FmSjOdo.exe
  2⤵
  PID:12216
- C:\Windows\System\pMwjzWt.exe
  C:\Windows\System\pMwjzWt.exe
  2⤵
  PID:12280
- C:\Windows\System\TpqfUhj.exe
  C:\Windows\System\TpqfUhj.exe
  2⤵
  PID:11372
- C:\Windows\System\rXhUhNI.exe
  C:\Windows\System\rXhUhNI.exe
  2⤵
  PID:11772
- C:\Windows\System\qfIkwDg.exe
  C:\Windows\System\qfIkwDg.exe
  2⤵
  PID:11840
- C:\Windows\System\xptyEBx.exe
  C:\Windows\System\xptyEBx.exe
  2⤵
  PID:11948
- C:\Windows\System\YBRYkCL.exe
  C:\Windows\System\YBRYkCL.exe
  2⤵
  PID:12068
- C:\Windows\System\lXRneYN.exe
  C:\Windows\System\lXRneYN.exe
  2⤵
  PID:12168
- C:\Windows\System\YKDAecD.exe
  C:\Windows\System\YKDAecD.exe
  2⤵
  PID:3468
- C:\Windows\System\HEunHNR.exe
  C:\Windows\System\HEunHNR.exe
  2⤵
  PID:11424
- C:\Windows\System\KKYSfTk.exe
  C:\Windows\System\KKYSfTk.exe
  2⤵
  PID:11608
- C:\Windows\System\NQhGsTD.exe
  C:\Windows\System\NQhGsTD.exe
  2⤵
  PID:11844
- C:\Windows\System\YyNwalh.exe
  C:\Windows\System\YyNwalh.exe
  2⤵
  PID:3520
- C:\Windows\System\RKijKMz.exe
  C:\Windows\System\RKijKMz.exe
  2⤵
  PID:11880
- C:\Windows\System\XxMSygq.exe
  C:\Windows\System\XxMSygq.exe
  2⤵
  PID:12296
- C:\Windows\System\uwkPsJB.exe
  C:\Windows\System\uwkPsJB.exe
  2⤵
  PID:12324
- C:\Windows\System\qgKkLjh.exe
  C:\Windows\System\qgKkLjh.exe
  2⤵
  PID:12356
- C:\Windows\System\plHHAff.exe
  C:\Windows\System\plHHAff.exe
  2⤵
  PID:12384
- C:\Windows\System\GnWFmuR.exe
  C:\Windows\System\GnWFmuR.exe
  2⤵
  PID:12404
- C:\Windows\System\EcvceHU.exe
  C:\Windows\System\EcvceHU.exe
  2⤵
  PID:12424
- C:\Windows\System\QzLckEE.exe
  C:\Windows\System\QzLckEE.exe
  2⤵
  PID:12448
- C:\Windows\System\mYCVNqy.exe
  C:\Windows\System\mYCVNqy.exe
  2⤵
  PID:12480
- C:\Windows\System\ytJTjXb.exe
  C:\Windows\System\ytJTjXb.exe
  2⤵
  PID:12516
- C:\Windows\System\BKbZIEI.exe
  C:\Windows\System\BKbZIEI.exe
  2⤵
  PID:12548
- C:\Windows\System\oEhCEZb.exe
  C:\Windows\System\oEhCEZb.exe
  2⤵
  PID:12592
- C:\Windows\System\eMBVsBt.exe
  C:\Windows\System\eMBVsBt.exe
  2⤵
  PID:12612
- C:\Windows\System\SlsTLPU.exe
  C:\Windows\System\SlsTLPU.exe
  2⤵
  PID:12640
- C:\Windows\System\aGjoXQZ.exe
  C:\Windows\System\aGjoXQZ.exe
  2⤵
  PID:12664
- C:\Windows\System\dIQGysj.exe
  C:\Windows\System\dIQGysj.exe
  2⤵
  PID:12680
- C:\Windows\System\XCOgCjO.exe
  C:\Windows\System\XCOgCjO.exe
  2⤵
  PID:12732
- C:\Windows\System\FvFgNSV.exe
  C:\Windows\System\FvFgNSV.exe
  2⤵
  PID:12752
- C:\Windows\System\ZjwtnBh.exe
  C:\Windows\System\ZjwtnBh.exe
  2⤵
  PID:12772
- C:\Windows\System\OMEteWt.exe
  C:\Windows\System\OMEteWt.exe
  2⤵
  PID:12800
- C:\Windows\System\DmcQwgz.exe
  C:\Windows\System\DmcQwgz.exe
  2⤵
  PID:12820
- C:\Windows\System\LNmMmkt.exe
  C:\Windows\System\LNmMmkt.exe
  2⤵
  PID:12844
- C:\Windows\System\Ztsbfaq.exe
  C:\Windows\System\Ztsbfaq.exe
  2⤵
  PID:12864
- C:\Windows\System\HzXpbBu.exe
  C:\Windows\System\HzXpbBu.exe
  2⤵
  PID:12884
- C:\Windows\System\TaWWQol.exe
  C:\Windows\System\TaWWQol.exe
  2⤵
  PID:12908
- C:\Windows\System\OfquVWW.exe
  C:\Windows\System\OfquVWW.exe
  2⤵
  PID:12940
- C:\Windows\System\KHYyZhX.exe
  C:\Windows\System\KHYyZhX.exe
  2⤵
  PID:12988
- C:\Windows\System\gPLTMnm.exe
  C:\Windows\System\gPLTMnm.exe
  2⤵
  PID:13012
- C:\Windows\System\ioyPQUK.exe
  C:\Windows\System\ioyPQUK.exe
  2⤵
  PID:13028
- C:\Windows\System\mPWNbdS.exe
  C:\Windows\System\mPWNbdS.exe
  2⤵
  PID:13092
- C:\Windows\System\NFeLSqv.exe
  C:\Windows\System\NFeLSqv.exe
  2⤵
  PID:13148
- C:\Windows\System\uFSMXWL.exe
  C:\Windows\System\uFSMXWL.exe
  2⤵
  PID:13180
- C:\Windows\System\QKIBwpy.exe
  C:\Windows\System\QKIBwpy.exe
  2⤵
  PID:13200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cvbbmqzj.524.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BTVMYLt.exe

Filesize
1.7MB

MD5
157899fc36442cc880ff5b8a7015339d

SHA1
45d8b4e8dddfbab5aab6ff53b3bfd96477c44118

SHA256
3230a6f3d14aef973f03ac44ab32f17202cb28fc815e42d4101aaeab432e5924

SHA512
6b29626e3beabac630782d7575581d0435caaddef3f10b16506a095ec8708b767f3f7266975615faa77e04dd52c09fd9718009ef81d2ea0d7ad0e662a216af8e

Download Submit
C:\Windows\System\DiCKPMO.exe

Filesize
1.7MB

MD5
a8ec5e78b1b8c86316519dd3776f4259

SHA1
da08d107fd2b8d3c1529fac521b29e6b36ec5535

SHA256
21a46c29f300fbb5376f304ffed7c4d6394ce8efaa08f6ad322766f6de57410a

SHA512
6991be8818189734d4c322a7095e19711d5f7d6d9780904d8552f95043e3f7f2423400cbb857415702d8a9999909d90147da0d89047202c6095e9668133bb57b

Download Submit
C:\Windows\System\EyYIMXw.exe

Filesize
1.7MB

MD5
faaf3b58f20998172f9bb7ef65f2617d

SHA1
4f5f546294502dbb4734b68fe96b837da8253e72

SHA256
c5dd34282e518eb298a1d89e7f2dc0a5e09315ed6d15cf3f977152bfdae8a14a

SHA512
3d4bb670475cd94380cff26bbe300b9a34f387ef1e8b18fe1067fa4cf19526783b01c0cef5520b16f2a99570f2df63b5700003dfbb0ad2c01efe02d991443ad2

Download Submit
C:\Windows\System\LXPRUVo.exe

Filesize
1.7MB

MD5
e61ef68ebf8eb44566f02408d9f0ac01

SHA1
cbff83784cc985f74b8779b1f28a1a1441acf235

SHA256
34224f826628c11fb894a65e0c78254d7753ccd1f2099cb36bfe83e74fc1cfb4

SHA512
89095f968fbbe7270b21b555676d2a2ee37fec5a3699456c3284f6c1f900f07fb43f3dcff7b9cc0cea53a2e08dbb2a04cfdd1e814790ff96303c0fad770b1fee

Download Submit
C:\Windows\System\MeFdPJB.exe

Filesize
1.7MB

MD5
e1f3e79bcb399c49a299cb472b8f7334

SHA1
dc79629ef609085014409c3692f76aaf8d8bf698

SHA256
a3295e34b4f9b86db70828208083b39f98a681a0157af10cd32abb20d72c5434

SHA512
bc240870a6125672c16b9a1673000023b30ff24097c1d1341123bd12f6284722430a9a06b123f678199576ed7c0d870cdd8e0cfbb1ca5ccc0e30dd3fea8d2bc0

Download Submit
C:\Windows\System\OzgCOpM.exe

Filesize
1.7MB

MD5
2cfd9f39f167ae014db1f11aaba19597

SHA1
814399365d10a60b33316ee3e52a748caad21f05

SHA256
bd3426f724e4c59ebfac407e7872211857eab69fd39e320da0f4109e7ddd7e50

SHA512
ce6df0588b674e0101d4c49eb19cb1fd1200b141bccbb473e81adbcf92e9f560d02c9427e3b47bce3f9c9b1f3d168712f01b9a47aba41e1c8628c14d56d4c799

Download Submit
C:\Windows\System\PcCJrxK.exe

Filesize
1.7MB

MD5
03d3a98e154196f12964649d3e400f95

SHA1
f65d7a1a363e637dc246a6e1a4aba6024bfcc64e

SHA256
385f0e99f7bb9115ba2d78b724cd5a3f9f2609e30f37607afdd4ab02d396bb94

SHA512
d60d1b5fea5e925940f9bacde826df9515a5e057762aedad9b54d32c8d22f8b11eaf71d8748a0d5a2746a594ad43146e68b22ec64de7aa50b93b35f36d0ac441

Download Submit
C:\Windows\System\TRLJcSt.exe

Filesize
1.7MB

MD5
b45198ed6489f352f1ad017abfd7f606

SHA1
7ded815ea89aa422d5813ba248864f6722fe60e1

SHA256
28c7022aef00d851470421b690e6c62b5afbe08881b5c5e9eeac418df1643454

SHA512
8cea7631b666a56f802ca826c75704ff99b8fc8910fbf959fb4aaaefe8581ef2a7a101c25ea30d1f33b8a53c2e3152f643029996f83f8e32c4eb78504fbad82d

Download Submit
C:\Windows\System\WhybDii.exe

Filesize
1.7MB

MD5
7bc18c25a39e961845a70ca854dbcc75

SHA1
7e2f97fa27ade50d077312dd92f33be4d3c252a8

SHA256
423f3280be019f11069d51c6223c4318b74a30669e5c737eeb06f2090477f8bd

SHA512
b87a9fb0f8ae7e1553fd753fac1e9ea24d652adf423e5a4e19e21001581ae211d855d8c84d39297a237505cc6f9959732777113dd8c599b226579838c642d83a

Download Submit
C:\Windows\System\XHLyNzK.exe

Filesize
1.7MB

MD5
07663238a61f0e74f5d53ec148c1290d

SHA1
47f38ef32aea9be5c93645f83c91f4a07416c3ea

SHA256
b7e54c12a7b57e9d2a81114d42e7e003e8eb883c47f943c3c0bbd4771038abc6

SHA512
0e499214493e779b2a73a4329827a30d8491575c6fa2cfa21a40208fa993f98139c0f354ae8ea2c999fb7bbbea969b0ea9800b8328251c32ff68c42bff94795f

Download Submit
C:\Windows\System\XKLlWtA.exe

Filesize
1.7MB

MD5
4e9199853fd3162c6be0ad30063f5821

SHA1
0a864e0dcc501b61181b7cdf8f105aeb07fb2235

SHA256
5c196c4f2e1054df01bcaf3131bf3cbefc68cd506d23ecf8ec8e4c2e849b23ea

SHA512
ec8f66fc783321dda3851440464ac7f57dff95938e26a62005aa099738c6eeafcdfe925221b9145f6633efffe10ae06becb54190ba29e80ee31377bc90858e2a

Download Submit
C:\Windows\System\aQXjJHW.exe

Filesize
1.7MB

MD5
ec7653e000047c50651f6f9d9c3343e9

SHA1
40e72b5e219e9d0219f380ea356a8b4a4c33b1b2

SHA256
3176bb2eac1cae97942716ddb5434a4d81fea50dd9666e0714ce544e0b779d9f

SHA512
692b6a4e060b995ff77daf3ca0f3c13822ce9fe14ae01a02c9f3247c2c6444a364af709e0efff22761726e8af7c02c8a5f723d4d1007e7b218fd2614a8e955aa

Download Submit
C:\Windows\System\dkLXDFk.exe

Filesize
1.7MB

MD5
afd538c0eef548da04b94a66f80f3039

SHA1
6945644854ff1d08676342fc7ab503e2a13cdef0

SHA256
8f208b5b1ad9420ba7133d3ee17b05c032298e4177251ae1c5aaeb6e4836b428

SHA512
6beffbc8e6618b62e59d944b39b397401c34dd62a1bfacdf491be02b65c2f10feed9e52c230c3794d82c0624cec2d4758b1e342d20dd54a3b888a8e4bc77f246

Download Submit
C:\Windows\System\dqpktLG.exe

Filesize
1.7MB

MD5
e24671d619b51ac2df29397ec0fbb37b

SHA1
673a8c117f3a14c725c535eb09c9c5ca68687a57

SHA256
fe94ea43bd39b6e39bc434cc4c5d9462d6256feeff37c893d57af82ec1802d84

SHA512
f15c72d3d78a600db840d41f4da5817f18e2caac5a2e7095a8a8a4afc9038b9f916069e021896940de3dbeba9565f198ac9de132363dc47b39c3af506361c2a7

Download Submit
C:\Windows\System\gLXRKBt.exe

Filesize
1.7MB

MD5
c035aae69ffd2c47c6d2e4234e4ce71f

SHA1
ac7aac44f77f294ec2248fcaec0b1a553ec61393

SHA256
b8046de6602b0df829b6fe9c41e3e56b668bce23d99fe4def1b94cd27928f575

SHA512
e4f02101f198355c928e21cf9bf2c418d39d4d844ae44162094d2b52fdceb9f10b72c588f11683e2db2e3126d75f610fc4887c850410155ffe07e099f247ebcc

Download Submit
C:\Windows\System\gqdwvEJ.exe

Filesize
1.7MB

MD5
30a4599b7047b4052577d67fad226b82

SHA1
6f19bd24eeec5a79ce924285b143698f72423ab0

SHA256
246cd83c0f15f8a41c5345eae43a41e313c0c3d8fe3d848ff0ac560144e6ffc8

SHA512
456d87fade9e3b9a0c8c05c293b34bcd9a9feb1e09c3f25a290f3ccdd8cd2057beb7d092aab811e28d30561370c14b2690eb20776ee230f3de996c48e988af4b

Download Submit
C:\Windows\System\ioHmJLK.exe

Filesize
1.7MB

MD5
45605ab303c362ea989d8f51bbc405cc

SHA1
2f40dba25ab9c915bddd0f3fa14347711dbee712

SHA256
703aad2af8c04610fdf27570479fee4bb8fea083e2fdafedb9b14579f6f8b033

SHA512
3050d5a5891b64926ed35a19718df3ed5aadfd6fdcde0c5a868c7f2c7d3c7167059db4cb279a38a2f5b84f30dc0cb8a1af7ddea2588eefe60a1c7769779b170a

Download Submit
C:\Windows\System\jeRBRfY.exe

Filesize
1.7MB

MD5
ee9c055a0c584267755b814f08200afc

SHA1
9ff7325cc066fec2849a296f6365194f65506e7c

SHA256
2bc2dd6dcd45d8e3d431c4235737b3bc2edb7fef74a12f7dc9b532ba652fa368

SHA512
259587518c22a49a481d0c240a858627792150be04c2ff4ee37b458f91ea53ce382f49717725c2e73be51af2015b7599f181d0636b383b134b0d19b54dca8089

Download Submit
C:\Windows\System\kuhaqat.exe

Filesize
1.7MB

MD5
2454a5ce7026ba7e3b5bb01198e0cc47

SHA1
943a83edfd0624700ec6954bcf6914b00eb03e4c

SHA256
50f39e0ed9fb221bdd24b2a1b3a24eb300c9ae7d70eee2521f0c188dd48843fb

SHA512
f09b831596c3c506ff790d8db6ea4e83a8f9a0b084a824630691dad407d6bf4b0d894f3fa7f36a67670606409c9a0b6c876b4fb74c5d6bf27edbab65f479d2d1

Download Submit
C:\Windows\System\mkjQsXV.exe

Filesize
8B

MD5
20f50227b408431507e9e4298a89a7d5

SHA1
021be5cef03ca413a261257f3fa674d51e4eaecb

SHA256
f053af72ebaae8c20b4aa760dccbaa50d5e8c1b0612207e6dff562e592b0ee16

SHA512
a69e9f155961cdfb2c580f410cf1f9148255cadde0f420c64800ffc84ebbf2c4fc4d8c24eda7cee14ae357ad0398853cbe4f84f9db0bb9573e1f43351f2da9c0

Download Submit
C:\Windows\System\ozsBBPU.exe

Filesize
1.7MB

MD5
babfae5046ec4b46444db7e60134e28a

SHA1
6acca82a5cf18ca6ce434e6634ab5c22c90f4b86

SHA256
373850cad2fd635ec7c494375bb878334ccbb49ca1617d7f80e504a2b2e1daf9

SHA512
2021e5eadc0a2a93c2fa3e6ea09d4de0780fdead809cb331483eb0311ea958053b3e83b65d7f8268f8ce93461068acbcee9a20c8e044d6b437704cf66a23b411

Download Submit
C:\Windows\System\sRgexoJ.exe

Filesize
1.7MB

MD5
b7235fab68543983dbb9b5270d64be14

SHA1
845b0e8d3dffef5a081d5ed574c0055f80bf2d9e

SHA256
63ec1514cd962b4adad24e9beb37388d5a1d9589650c65a8b06c7dbd33be6961

SHA512
af444bc1b0d2245ca42a0c4cd559e8eaa78b50e43100b0b04224b8abbb44869332eeffabcb0afe0c46bed15b1c67a5b5ec5bb7a10ca68b1c7782c72259f668c3

Download Submit
C:\Windows\System\suYPXYI.exe

Filesize
1.7MB

MD5
06bf7abf89b3df5891ea7ede38429fdd

SHA1
29546a923fbae4ee500773cefa8956c5757b468d

SHA256
3ba2626f46499c3a0117619a6d7b768dce8abaa1665ac97ab69ccebd7f7ebde7

SHA512
5de32f54ce3639c79dac82a3ac5fed3fb63361c7de1a854376d5534bb5ca989acb4513f13de40adc877579ae998f8478cf10afa2ee809b1e84d95ed27fde56a4

Download Submit
C:\Windows\System\svEEHyJ.exe

Filesize
1.7MB

MD5
ae6f4ba7d931e88cd62629858df22ad6

SHA1
8fe55ec3140d4b03424065ea512c6ff234adf340

SHA256
5c8a1ed9fd04765062711e0b90eddc3e50ee135619761db277aad114f761ae59

SHA512
1fcb0a296be1c54be227cba48c37fce1e1ebf3561709054bd6109c80cf930f9473a30a246c1e85590ed1105f6460fa380eb937813d50600294f400a5f900a54e

Download Submit
C:\Windows\System\ucmTCKF.exe

Filesize
1.7MB

MD5
ec290b05b463b490e58a325a9181919c

SHA1
ef1357d6f04dd9991fca97951daf9d0c7ef21ca3

SHA256
11a26d8d9fc972002059c72a0a52fd363b571c5fd0f9d648589d6131a7464c01

SHA512
0c390ca6011912a7e50da8a744e7d935c53a71cd45bc70fa3dd3af82387028d9cad8e08ae51d5d7b0168f336c207812932d9c650ba39797f9b6cec205e89244a

Download Submit
C:\Windows\System\vijwMIz.exe

Filesize
1.7MB

MD5
17f25dea167585dd5f3fa6c29570755d

SHA1
04c0d6b9366fa2226d882cc3ce84ab61aa3861d5

SHA256
b9e1642b333720374d2e539a784233a6b8a942f65dd391b760ef1f8960daa550

SHA512
94a7153a528f66acd8e9e2f362524205f17c45c37425cf35c6e96320567670422c641d1eeb07b08afa90e6bf79adee2d5ede11d9ccdac8d2d2ab3c103d05d7dc

Download Submit
C:\Windows\System\vvaObMC.exe

Filesize
1.7MB

MD5
6d183af1cbab5df0a2941091d74cc912

SHA1
2329f6b1ea0ac6e6d27262c68d0129d12daa636b

SHA256
d5ea887c316cf3241dc9b7c4f720e5b46f6d1e6475726a9bd5c935aae07da81d

SHA512
a5aba3e3f072038aaa47592313d16f5b76f26c2514e7585f193ea34d6f25ab96bcf80076562f7bddce70e1f562523b37a9778938cb75bc6f399cb116b4041f71

Download Submit
C:\Windows\System\vxKfjar.exe

Filesize
1.7MB

MD5
47b25db62c60f808eea09e600367b8b3

SHA1
b7f32373fd15a2b063ec3070f0ee96993c0b4c67

SHA256
ddf662b00d41ee1be4fa537fd3a2b5f23ef24d2bb6aabee26e7720e1c8a66bcd

SHA512
a1f9d6f45d2d6326bf7c0ae2b085e5769f3381316d986864629e4118492a4b792541fcba69151232839b5809d04e75b0636fef67e4c0c71e520457c88be32c12

Download Submit
C:\Windows\System\wwTAhEe.exe

Filesize
1.7MB

MD5
fc31e68882c286314aa716c2f5f430b9

SHA1
e927bdab0ce92f626f1ce4614d6e993a85261a0a

SHA256
6bee56ef8109370df2adb761e9e036e276c72338300a9d30978355a15fcd8e16

SHA512
842899a73736b594865c16cec3f84971fa2c35c18c5f9e7faad57803f6fbea961ebdda1cd1652e2f58449f64c36fd83b7ba44a7161a15874ed34ac12afe3ed7f

Download Submit
C:\Windows\System\xrTdafI.exe

Filesize
1.7MB

MD5
371b388b4cb1f36419c0cb13b9605696

SHA1
4f01d7176db1d96868999cb84154050e34fb590b

SHA256
e8aabe8240e71d38c15b3d375fff71720ca7a1649d38827ccea491556409d0b4

SHA512
f6e7c1037534af5187ab85519397a7a526c8ef1ceed23b3bbde5abe1f344019729b2f36f44398ce30f13ad2ea7a70c30ee1ca454970d0d72fedcb39fa715b7ef

Download Submit
C:\Windows\System\yFCyPeA.exe

Filesize
1.7MB

MD5
132130914075a759a9387780dc3a0f85

SHA1
cd3a7dc5bde5b6232351b3080e5969949c0ca17f

SHA256
d062018836468453f7bc9d86865dc8d2aaa98ef5b0896e98c7eb0e890c83ea6c

SHA512
40405c6f329c6c1f1fef72e0ca43a4f51083edce6bcaa6478f118be3a7fbfb6d7fb5d09ea7dbfa06ad433774464301704411ec24c44ed2ff45c05d266c916379

Download Submit
C:\Windows\System\yhYDmHf.exe

Filesize
1.7MB

MD5
71183f35472f8661551c47d41573e6b5

SHA1
d9ef45198970582c3410876f8aebcb6ec8ac97cf

SHA256
5f89e1a8178fa3beadf68f5a75fc8bdef4595dfc9a8896e1ba034950e9d749b5

SHA512
6abe987d446123b738e60cd6c4e36b5fde5ec0346569db127d05d1f8b84485b7d2443ba7a6de6609f94641409651b70ce8c70baf1c3b37996463aa9f953fb6aa

Download Submit
C:\Windows\System\zDmXDbg.exe

Filesize
1.7MB

MD5
45bf22aadc1cb65037833128c88992f4

SHA1
3c737641dad309dbd93a7339b22ee46681c02159

SHA256
4baeeddc68543f42a141ce1628ee91dc49f185bfdab5419a6cc5c4dfc5e6dbac

SHA512
012ad3d841d542148189071082d984a61c92a6332425c9468d3d37458e882d3f4deb95df9f2b63ca17004380eba4d51a116a12d17b0cebcef55fe82d918c3557

Download Submit
C:\Windows\System\zHlDXls.exe

Filesize
1.7MB

MD5
0074b80b6748bc95d9dbe825e7d28561

SHA1
086a8640837d9edc449bf119e0bd8b4a521cb8b0

SHA256
9571926fe9754514e33b27ea6ffce4840a0c921ec6b78d30a49f14d3a3506d3c

SHA512
4a979f4116b00abaf68a5eaa7eee0b9d2a9da4d49642a0f749ff20decb1a241479b677f83be537b1c4d4dd91357bb0842bd211c0ae91016527f59c21ae0e565c

Download Submit
memory/772-152-0x00007FF93FD80000-0x00007FF940841000-memory.dmp

Filesize
10.8MB

Download
memory/772-3576-0x00007FF93FD80000-0x00007FF940841000-memory.dmp

Filesize
10.8MB

Download
memory/772-3567-0x00007FF93FD80000-0x00007FF940841000-memory.dmp

Filesize
10.8MB

Download
memory/772-453-0x000001B1FA6E0000-0x000001B1FAE86000-memory.dmp

Filesize
7.6MB

Download
memory/772-80-0x000001B1F9B70000-0x000001B1F9B92000-memory.dmp

Filesize
136KB

Download
memory/772-87-0x00007FF93FD80000-0x00007FF940841000-memory.dmp

Filesize
10.8MB

Download
memory/772-16-0x00007FF93FD83000-0x00007FF93FD85000-memory.dmp

Filesize
8KB

Download
memory/1180-3597-0x00007FF6ADA30000-0x00007FF6ADE22000-memory.dmp

Filesize
3.9MB

Download
memory/1180-158-0x00007FF6ADA30000-0x00007FF6ADE22000-memory.dmp

Filesize
3.9MB

Download
memory/1300-0-0x00007FF6A4050000-0x00007FF6A4442000-memory.dmp

Filesize
3.9MB

Download
memory/1300-1-0x00000137BD8F0000-0x00000137BD900000-memory.dmp

Filesize
64KB

Download
memory/1660-3605-0x00007FF7D9BB0000-0x00007FF7D9FA2000-memory.dmp

Filesize
3.9MB

Download
memory/1660-117-0x00007FF7D9BB0000-0x00007FF7D9FA2000-memory.dmp

Filesize
3.9MB

Download
memory/1896-113-0x00007FF6BB5B0000-0x00007FF6BB9A2000-memory.dmp

Filesize
3.9MB

Download
memory/1896-3600-0x00007FF6BB5B0000-0x00007FF6BB9A2000-memory.dmp

Filesize
3.9MB

Download
memory/1976-3612-0x00007FF713120000-0x00007FF713512000-memory.dmp

Filesize
3.9MB

Download
memory/1976-164-0x00007FF713120000-0x00007FF713512000-memory.dmp

Filesize
3.9MB

Download
memory/2156-3637-0x00007FF7D1590000-0x00007FF7D1982000-memory.dmp

Filesize
3.9MB

Download
memory/2156-199-0x00007FF7D1590000-0x00007FF7D1982000-memory.dmp

Filesize
3.9MB

Download
memory/2172-3616-0x00007FF6416F0000-0x00007FF641AE2000-memory.dmp

Filesize
3.9MB

Download
memory/2172-170-0x00007FF6416F0000-0x00007FF641AE2000-memory.dmp

Filesize
3.9MB

Download
memory/2200-3610-0x00007FF699300000-0x00007FF6996F2000-memory.dmp

Filesize
3.9MB

Download
memory/2200-171-0x00007FF699300000-0x00007FF6996F2000-memory.dmp

Filesize
3.9MB

Download
memory/2556-108-0x00007FF6CD140000-0x00007FF6CD532000-memory.dmp

Filesize
3.9MB

Download
memory/2556-3607-0x00007FF6CD140000-0x00007FF6CD532000-memory.dmp

Filesize
3.9MB

Download
memory/2756-3635-0x00007FF615B60000-0x00007FF615F52000-memory.dmp

Filesize
3.9MB

Download
memory/2756-194-0x00007FF615B60000-0x00007FF615F52000-memory.dmp

Filesize
3.9MB

Download
memory/3000-140-0x00007FF6A19B0000-0x00007FF6A1DA2000-memory.dmp

Filesize
3.9MB

Download
memory/3000-3620-0x00007FF6A19B0000-0x00007FF6A1DA2000-memory.dmp

Filesize
3.9MB

Download
memory/3116-3631-0x00007FF6E2540000-0x00007FF6E2932000-memory.dmp

Filesize
3.9MB

Download
memory/3116-193-0x00007FF6E2540000-0x00007FF6E2932000-memory.dmp

Filesize
3.9MB

Download
memory/3208-3615-0x00007FF67DC10000-0x00007FF67E002000-memory.dmp

Filesize
3.9MB

Download
memory/3208-134-0x00007FF67DC10000-0x00007FF67E002000-memory.dmp

Filesize
3.9MB

Download
memory/3256-3623-0x00007FF780410000-0x00007FF780802000-memory.dmp

Filesize
3.9MB

Download
memory/3256-141-0x00007FF780410000-0x00007FF780802000-memory.dmp

Filesize
3.9MB

Download
memory/3440-3591-0x00007FF7E3990000-0x00007FF7E3D82000-memory.dmp

Filesize
3.9MB

Download
memory/3440-3566-0x00007FF7E3990000-0x00007FF7E3D82000-memory.dmp

Filesize
3.9MB

Download
memory/3440-15-0x00007FF7E3990000-0x00007FF7E3D82000-memory.dmp

Filesize
3.9MB

Download
memory/3580-107-0x00007FF79B9D0000-0x00007FF79BDC2000-memory.dmp

Filesize
3.9MB

Download
memory/3580-3601-0x00007FF79B9D0000-0x00007FF79BDC2000-memory.dmp

Filesize
3.9MB

Download
memory/3892-3628-0x00007FF76F2B0000-0x00007FF76F6A2000-memory.dmp

Filesize
3.9MB

Download
memory/3892-127-0x00007FF76F2B0000-0x00007FF76F6A2000-memory.dmp

Filesize
3.9MB

Download
memory/3992-95-0x00007FF7CA8E0000-0x00007FF7CACD2000-memory.dmp

Filesize
3.9MB

Download
memory/3992-3593-0x00007FF7CA8E0000-0x00007FF7CACD2000-memory.dmp

Filesize
3.9MB

Download
memory/4368-3619-0x00007FF69E970000-0x00007FF69ED62000-memory.dmp

Filesize
3.9MB

Download
memory/4368-128-0x00007FF69E970000-0x00007FF69ED62000-memory.dmp

Filesize
3.9MB

Download
memory/4424-3603-0x00007FF7B0E10000-0x00007FF7B1202000-memory.dmp

Filesize
3.9MB

Download
memory/4424-106-0x00007FF7B0E10000-0x00007FF7B1202000-memory.dmp

Filesize
3.9MB

Download
memory/4488-183-0x00007FF6DBF10000-0x00007FF6DC302000-memory.dmp

Filesize
3.9MB

Download
memory/4488-3632-0x00007FF6DBF10000-0x00007FF6DC302000-memory.dmp

Filesize
3.9MB

Download
memory/4808-3625-0x00007FF610610000-0x00007FF610A02000-memory.dmp

Filesize
3.9MB

Download
memory/4808-121-0x00007FF610610000-0x00007FF610A02000-memory.dmp

Filesize
3.9MB

Download
memory/4840-3629-0x00007FF752700000-0x00007FF752AF2000-memory.dmp

Filesize
3.9MB

Download
memory/4840-177-0x00007FF752700000-0x00007FF752AF2000-memory.dmp

Filesize
3.9MB

Download
memory/4928-3633-0x00007FF723610000-0x00007FF723A02000-memory.dmp

Filesize
3.9MB

Download
memory/4928-189-0x00007FF723610000-0x00007FF723A02000-memory.dmp

Filesize
3.9MB

Download
memory/5076-3595-0x00007FF6ACDC0000-0x00007FF6AD1B2000-memory.dmp

Filesize
3.9MB

Download
memory/5076-102-0x00007FF6ACDC0000-0x00007FF6AD1B2000-memory.dmp

Filesize
3.9MB

Download