xmrig | cb45ba969a3ed67ef818a8c9072540f6766138e682f72a2c585a327a379b961e

Analysis

max time kernel
142s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
Size

2.3MB
MD5

1581b5eef39d6545f5ec2763a8ff7b7a
SHA1

a962700d7d0400347411b0de7a98ac34379202aa
SHA256

cb45ba969a3ed67ef818a8c9072540f6766138e682f72a2c585a327a379b961e
SHA512

3fb43b736f639e56ccb12cc12bfdae16166bd23c2a7f4ae9eba12f3afa14ecfabde6ff50b80a146ddf6a2cc375343722105ce23a5588907fdfaf83f75338f029
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1Vr5s1PTWsuT9ce+:NAB3

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/1124-61-0x00007FF7E6100000-0x00007FF7E64F2000-memory.dmp	xmrig
behavioral2/memory/4640-62-0x00007FF7BD310000-0x00007FF7BD702000-memory.dmp	xmrig
behavioral2/memory/4732-56-0x00007FF7187B0000-0x00007FF718BA2000-memory.dmp	xmrig
behavioral2/memory/3028-43-0x00007FF71B910000-0x00007FF71BD02000-memory.dmp	xmrig
behavioral2/memory/2896-25-0x00007FF777F70000-0x00007FF778362000-memory.dmp	xmrig
behavioral2/memory/1624-21-0x00007FF6E16D0000-0x00007FF6E1AC2000-memory.dmp	xmrig
behavioral2/memory/4600-10-0x00007FF6063D0000-0x00007FF6067C2000-memory.dmp	xmrig
behavioral2/memory/2160-157-0x00007FF6FC2C0000-0x00007FF6FC6B2000-memory.dmp	xmrig
behavioral2/memory/2680-161-0x00007FF732BB0000-0x00007FF732FA2000-memory.dmp	xmrig
behavioral2/memory/4920-166-0x00007FF7860E0000-0x00007FF7864D2000-memory.dmp	xmrig
behavioral2/memory/3240-164-0x00007FF73B7B0000-0x00007FF73BBA2000-memory.dmp	xmrig
behavioral2/memory/3580-158-0x00007FF7B81F0000-0x00007FF7B85E2000-memory.dmp	xmrig
behavioral2/memory/3464-156-0x00007FF71F660000-0x00007FF71FA52000-memory.dmp	xmrig
behavioral2/memory/4220-152-0x00007FF669860000-0x00007FF669C52000-memory.dmp	xmrig
behavioral2/memory/1552-2100-0x00007FF67F4F0000-0x00007FF67F8E2000-memory.dmp	xmrig
behavioral2/memory/4256-2119-0x00007FF61B770000-0x00007FF61BB62000-memory.dmp	xmrig
behavioral2/memory/552-2120-0x00007FF664920000-0x00007FF664D12000-memory.dmp	xmrig
behavioral2/memory/2348-2136-0x00007FF7A5890000-0x00007FF7A5C82000-memory.dmp	xmrig
behavioral2/memory/4344-2137-0x00007FF716750000-0x00007FF716B42000-memory.dmp	xmrig
behavioral2/memory/992-2147-0x00007FF6F71B0000-0x00007FF6F75A2000-memory.dmp	xmrig
behavioral2/memory/548-2148-0x00007FF6AF0A0000-0x00007FF6AF492000-memory.dmp	xmrig
behavioral2/memory/4664-2150-0x00007FF7F1840000-0x00007FF7F1C32000-memory.dmp	xmrig
behavioral2/memory/532-2151-0x00007FF69BC80000-0x00007FF69C072000-memory.dmp	xmrig
behavioral2/memory/4600-2154-0x00007FF6063D0000-0x00007FF6067C2000-memory.dmp	xmrig
behavioral2/memory/2896-2157-0x00007FF777F70000-0x00007FF778362000-memory.dmp	xmrig
behavioral2/memory/1624-2158-0x00007FF6E16D0000-0x00007FF6E1AC2000-memory.dmp	xmrig
behavioral2/memory/3028-2163-0x00007FF71B910000-0x00007FF71BD02000-memory.dmp	xmrig
behavioral2/memory/4256-2164-0x00007FF61B770000-0x00007FF61BB62000-memory.dmp	xmrig
behavioral2/memory/4732-2166-0x00007FF7187B0000-0x00007FF718BA2000-memory.dmp	xmrig
behavioral2/memory/552-2161-0x00007FF664920000-0x00007FF664D12000-memory.dmp	xmrig
behavioral2/memory/1124-2168-0x00007FF7E6100000-0x00007FF7E64F2000-memory.dmp	xmrig
behavioral2/memory/2348-2174-0x00007FF7A5890000-0x00007FF7A5C82000-memory.dmp	xmrig
behavioral2/memory/4640-2172-0x00007FF7BD310000-0x00007FF7BD702000-memory.dmp	xmrig
behavioral2/memory/4344-2171-0x00007FF716750000-0x00007FF716B42000-memory.dmp	xmrig
behavioral2/memory/3216-2221-0x00007FF62AE40000-0x00007FF62B232000-memory.dmp	xmrig
behavioral2/memory/512-2226-0x00007FF67E0D0000-0x00007FF67E4C2000-memory.dmp	xmrig
behavioral2/memory/2160-2228-0x00007FF6FC2C0000-0x00007FF6FC6B2000-memory.dmp	xmrig
behavioral2/memory/992-2230-0x00007FF6F71B0000-0x00007FF6F75A2000-memory.dmp	xmrig
behavioral2/memory/548-2232-0x00007FF6AF0A0000-0x00007FF6AF492000-memory.dmp	xmrig
behavioral2/memory/3216-2235-0x00007FF62AE40000-0x00007FF62B232000-memory.dmp	xmrig
behavioral2/memory/532-2246-0x00007FF69BC80000-0x00007FF69C072000-memory.dmp	xmrig
behavioral2/memory/3240-2250-0x00007FF73B7B0000-0x00007FF73BBA2000-memory.dmp	xmrig
behavioral2/memory/4920-2252-0x00007FF7860E0000-0x00007FF7864D2000-memory.dmp	xmrig
behavioral2/memory/3464-2248-0x00007FF71F660000-0x00007FF71FA52000-memory.dmp	xmrig
behavioral2/memory/3580-2240-0x00007FF7B81F0000-0x00007FF7B85E2000-memory.dmp	xmrig
behavioral2/memory/4664-2238-0x00007FF7F1840000-0x00007FF7F1C32000-memory.dmp	xmrig
behavioral2/memory/512-2244-0x00007FF67E0D0000-0x00007FF67E4C2000-memory.dmp	xmrig
behavioral2/memory/2680-2243-0x00007FF732BB0000-0x00007FF732FA2000-memory.dmp	xmrig
behavioral2/memory/4220-2237-0x00007FF669860000-0x00007FF669C52000-memory.dmp	xmrig

Blocklisted process makes network request 7 IoCs

flow	pid	Process
8	4432	powershell.exe
10	4432	powershell.exe
15	4432	powershell.exe
16	4432	powershell.exe
18	4432	powershell.exe
24	4432	powershell.exe
25	4432	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4432	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4600	bybxsFN.exe
1624	vqwQUUH.exe
2896	ndOKDZQ.exe
4732	SJDRCXT.exe
4256	OhkwHBa.exe
1124	DIxvLtO.exe
3028	zcxUoXz.exe
552	syIotah.exe
4640	engeFDP.exe
4344	kXthoWM.exe
2348	Cryivhh.exe
992	iQBSwfQ.exe
2160	pqtDJlV.exe
3580	CRBXLsn.exe
3216	ondLVmT.exe
548	ZuXoxJo.exe
4664	bCnhSCt.exe
2680	QAgAdgm.exe
512	UALzYVP.exe
532	bpWrqOB.exe
4220	ugxdpqA.exe
3240	itfzooT.exe
3464	eoVCGIu.exe
4920	XHHigJG.exe
3964	BFCFLGB.exe
2272	hyUONBD.exe
2948	Upkmczo.exe
2312	tdRKIBu.exe
2044	ItJPBAS.exe
2080	StPPrDD.exe
2784	sAMLAom.exe
516	HalcDTc.exe
1656	hCLRljL.exe
1156	pUTSTTe.exe
1580	tluZxoO.exe
4352	NpnEWcp.exe
1460	HTUTnCw.exe
4712	ziIfcRF.exe
4708	iNamzYt.exe
2908	JEZrKFj.exe
4900	erJedUA.exe
3140	uErizBJ.exe
380	vTPfHdC.exe
4580	TBceqwe.exe
1220	ADqHiHo.exe
1092	BidHaIr.exe
4392	GAtrviJ.exe
3496	QtcKbjK.exe
2804	bRNBmSb.exe
1644	dcMknoM.exe
2940	SYxgbHJ.exe
1368	pexnqLA.exe
3328	ARXRdND.exe
3060	uSMvIaL.exe
2232	OdTuzAz.exe
2284	bjJDQJf.exe
1584	ESunmgj.exe
5076	WtPPNgL.exe
1752	RWabUPo.exe
3468	ejPZazW.exe
428	vUbhZEX.exe
3504	MJVaSZa.exe
5088	jaHnTVB.exe
2132	sCxAmZH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1552-0-0x00007FF67F4F0000-0x00007FF67F8E2000-memory.dmp	upx
behavioral2/files/0x000b000000023b98-5.dat	upx
behavioral2/files/0x000a000000023b9d-8.dat	upx
behavioral2/files/0x000a000000023b9c-14.dat	upx
behavioral2/files/0x000a000000023b9e-29.dat	upx
behavioral2/memory/4256-41-0x00007FF61B770000-0x00007FF61BB62000-memory.dmp	upx
behavioral2/files/0x000a000000023ba0-52.dat	upx
behavioral2/files/0x000a000000023ba5-58.dat	upx
behavioral2/memory/1124-61-0x00007FF7E6100000-0x00007FF7E64F2000-memory.dmp	upx
behavioral2/files/0x000a000000023ba4-67.dat	upx
behavioral2/memory/4344-66-0x00007FF716750000-0x00007FF716B42000-memory.dmp	upx
behavioral2/memory/2348-65-0x00007FF7A5890000-0x00007FF7A5C82000-memory.dmp	upx
behavioral2/memory/4640-62-0x00007FF7BD310000-0x00007FF7BD702000-memory.dmp	upx
behavioral2/files/0x000a000000023ba3-59.dat	upx
behavioral2/memory/4732-56-0x00007FF7187B0000-0x00007FF718BA2000-memory.dmp	upx
behavioral2/memory/552-50-0x00007FF664920000-0x00007FF664D12000-memory.dmp	upx
behavioral2/memory/3028-43-0x00007FF71B910000-0x00007FF71BD02000-memory.dmp	upx
behavioral2/files/0x000a000000023ba2-44.dat	upx
behavioral2/files/0x000a000000023ba1-40.dat	upx
behavioral2/files/0x000a000000023b9f-33.dat	upx
behavioral2/memory/2896-25-0x00007FF777F70000-0x00007FF778362000-memory.dmp	upx
behavioral2/memory/1624-21-0x00007FF6E16D0000-0x00007FF6E1AC2000-memory.dmp	upx
behavioral2/memory/4600-10-0x00007FF6063D0000-0x00007FF6067C2000-memory.dmp	upx
behavioral2/files/0x000a000000023ba6-83.dat	upx
behavioral2/files/0x000c000000023b99-86.dat	upx
behavioral2/files/0x000a000000023ba9-95.dat	upx
behavioral2/files/0x000b000000023ba7-115.dat	upx
behavioral2/files/0x000a000000023bab-131.dat	upx
behavioral2/memory/512-140-0x00007FF67E0D0000-0x00007FF67E4C2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-146.dat	upx
behavioral2/files/0x000a000000023bb2-153.dat	upx
behavioral2/memory/2160-157-0x00007FF6FC2C0000-0x00007FF6FC6B2000-memory.dmp	upx
behavioral2/memory/2680-161-0x00007FF732BB0000-0x00007FF732FA2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb3-165.dat	upx
behavioral2/memory/4920-166-0x00007FF7860E0000-0x00007FF7864D2000-memory.dmp	upx
behavioral2/memory/3240-164-0x00007FF73B7B0000-0x00007FF73BBA2000-memory.dmp	upx
behavioral2/memory/3580-158-0x00007FF7B81F0000-0x00007FF7B85E2000-memory.dmp	upx
behavioral2/memory/3464-156-0x00007FF71F660000-0x00007FF71FA52000-memory.dmp	upx
behavioral2/files/0x000a000000023bb1-154.dat	upx
behavioral2/memory/4220-152-0x00007FF669860000-0x00007FF669C52000-memory.dmp	upx
behavioral2/memory/532-148-0x00007FF69BC80000-0x00007FF69C072000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-144.dat	upx
behavioral2/files/0x000a000000023bad-143.dat	upx
behavioral2/files/0x000a000000023bae-138.dat	upx
behavioral2/files/0x000a000000023bac-132.dat	upx
behavioral2/memory/4664-129-0x00007FF7F1840000-0x00007FF7F1C32000-memory.dmp	upx
behavioral2/files/0x000a000000023baa-126.dat	upx
behavioral2/memory/548-120-0x00007FF6AF0A0000-0x00007FF6AF492000-memory.dmp	upx
behavioral2/files/0x000a000000023ba8-116.dat	upx
behavioral2/memory/3216-110-0x00007FF62AE40000-0x00007FF62B232000-memory.dmp	upx
behavioral2/memory/992-107-0x00007FF6F71B0000-0x00007FF6F75A2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb4-369.dat	upx
behavioral2/files/0x000b000000023c79-377.dat	upx
behavioral2/files/0x0008000000023c80-383.dat	upx
behavioral2/files/0x0008000000023c63-389.dat	upx
behavioral2/files/0x0008000000023c90-394.dat	upx
behavioral2/files/0x000f000000011964-401.dat	upx
behavioral2/memory/1552-2100-0x00007FF67F4F0000-0x00007FF67F8E2000-memory.dmp	upx
behavioral2/memory/4256-2119-0x00007FF61B770000-0x00007FF61BB62000-memory.dmp	upx
behavioral2/memory/552-2120-0x00007FF664920000-0x00007FF664D12000-memory.dmp	upx
behavioral2/memory/2348-2136-0x00007FF7A5890000-0x00007FF7A5C82000-memory.dmp	upx
behavioral2/memory/4344-2137-0x00007FF716750000-0x00007FF716B42000-memory.dmp	upx
behavioral2/memory/992-2147-0x00007FF6F71B0000-0x00007FF6F75A2000-memory.dmp	upx
behavioral2/memory/548-2148-0x00007FF6AF0A0000-0x00007FF6AF492000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\vUbhZEX.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\iXHGPLI.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\osCUcIl.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\vrTTVSu.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\tgLPllo.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\wMuriVj.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\mHPAWdv.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\zkngbQW.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\OkkbzAy.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\FbSTiZM.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\HYQzZfU.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\HalcDTc.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\bjJDQJf.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\ZGaBJUj.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\vjmFqTt.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\JbmFmvT.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\ncVjPCR.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\yNXZpNt.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\jsNEAov.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\IkCVGrX.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\EPvqPCs.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\sYNqHXa.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\JzOBsmk.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\qIFkYeU.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\yxeLrkr.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\MJVaSZa.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\GfgnNqH.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\uxaYoLH.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\TkLMHMV.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\GcYdRVX.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\ugAoUOh.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\uEsUcWw.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\XGAyDar.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\BjZyoSM.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\nzHwvFT.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\vQtzfXs.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\ksUZmtq.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\JFioqwM.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\VmPehsO.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\ZUzWmfJ.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\cHPwPAo.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\HZZrpaO.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\ubdwoGi.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\IIIJdqm.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\bNMQyaG.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\zatWCDM.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\HCGkNgf.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\sMsSdyZ.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\YxUDipr.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\LNbfaCO.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\oBhNWkJ.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\vWwtjKm.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\XwAJXqF.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\gLcTnOk.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\qUWBhEb.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\vZxkNMY.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\WJbpUtX.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\bpWrqOB.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\dTdrltM.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\yWbLMcd.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\yBwRgls.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\YnhhaRF.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\BidHaIr.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
File created	C:\Windows\System\DHUHbHX.exe	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4432	powershell.exe
4432	powershell.exe
4432	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
Token: SeDebugPrivilege	4432	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
9924	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 4432	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	85
PID 1552 wrote to memory of 4432	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	85
PID 1552 wrote to memory of 4600	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	86
PID 1552 wrote to memory of 4600	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	86
PID 1552 wrote to memory of 1624	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	87
PID 1552 wrote to memory of 1624	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	87
PID 1552 wrote to memory of 2896	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	88
PID 1552 wrote to memory of 2896	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	88
PID 1552 wrote to memory of 4732	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	89
PID 1552 wrote to memory of 4732	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	89
PID 1552 wrote to memory of 4256	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	90
PID 1552 wrote to memory of 4256	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	90
PID 1552 wrote to memory of 1124	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	91
PID 1552 wrote to memory of 1124	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	91
PID 1552 wrote to memory of 3028	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	92
PID 1552 wrote to memory of 3028	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	92
PID 1552 wrote to memory of 552	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	93
PID 1552 wrote to memory of 552	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	93
PID 1552 wrote to memory of 4640	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	94
PID 1552 wrote to memory of 4640	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	94
PID 1552 wrote to memory of 4344	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	95
PID 1552 wrote to memory of 4344	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	95
PID 1552 wrote to memory of 2348	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	96
PID 1552 wrote to memory of 2348	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	96
PID 1552 wrote to memory of 992	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	97
PID 1552 wrote to memory of 992	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	97
PID 1552 wrote to memory of 2160	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	98
PID 1552 wrote to memory of 2160	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	98
PID 1552 wrote to memory of 548	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	99
PID 1552 wrote to memory of 548	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	99
PID 1552 wrote to memory of 3580	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	100
PID 1552 wrote to memory of 3580	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	100
PID 1552 wrote to memory of 3216	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	101
PID 1552 wrote to memory of 3216	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	101
PID 1552 wrote to memory of 4664	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	102
PID 1552 wrote to memory of 4664	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	102
PID 1552 wrote to memory of 2680	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	103
PID 1552 wrote to memory of 2680	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	103
PID 1552 wrote to memory of 512	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	104
PID 1552 wrote to memory of 512	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	104
PID 1552 wrote to memory of 532	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	105
PID 1552 wrote to memory of 532	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	105
PID 1552 wrote to memory of 4220	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	106
PID 1552 wrote to memory of 4220	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	106
PID 1552 wrote to memory of 3240	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	107
PID 1552 wrote to memory of 3240	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	107
PID 1552 wrote to memory of 3464	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	108
PID 1552 wrote to memory of 3464	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	108
PID 1552 wrote to memory of 4920	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	109
PID 1552 wrote to memory of 4920	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	109
PID 1552 wrote to memory of 3964	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	110
PID 1552 wrote to memory of 3964	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	110
PID 1552 wrote to memory of 2272	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	112
PID 1552 wrote to memory of 2272	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	112
PID 1552 wrote to memory of 2948	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	113
PID 1552 wrote to memory of 2948	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	113
PID 1552 wrote to memory of 2312	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	115
PID 1552 wrote to memory of 2312	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	115
PID 1552 wrote to memory of 2044	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	116
PID 1552 wrote to memory of 2044	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	116
PID 1552 wrote to memory of 2080	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	117
PID 1552 wrote to memory of 2080	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	117
PID 1552 wrote to memory of 2784	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	118
PID 1552 wrote to memory of 2784	1552	1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe	118

C:\Users\Admin\AppData\Local\Temp\1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1581b5eef39d6545f5ec2763a8ff7b7a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\System\bybxsFN.exe
  C:\Windows\System\bybxsFN.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\vqwQUUH.exe
  C:\Windows\System\vqwQUUH.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\ndOKDZQ.exe
  C:\Windows\System\ndOKDZQ.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\SJDRCXT.exe
  C:\Windows\System\SJDRCXT.exe
  2⤵
  - Executes dropped EXE
  PID:4732
- C:\Windows\System\OhkwHBa.exe
  C:\Windows\System\OhkwHBa.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\DIxvLtO.exe
  C:\Windows\System\DIxvLtO.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\zcxUoXz.exe
  C:\Windows\System\zcxUoXz.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\syIotah.exe
  C:\Windows\System\syIotah.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\engeFDP.exe
  C:\Windows\System\engeFDP.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\kXthoWM.exe
  C:\Windows\System\kXthoWM.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\Cryivhh.exe
  C:\Windows\System\Cryivhh.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\iQBSwfQ.exe
  C:\Windows\System\iQBSwfQ.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\pqtDJlV.exe
  C:\Windows\System\pqtDJlV.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\ZuXoxJo.exe
  C:\Windows\System\ZuXoxJo.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\CRBXLsn.exe
  C:\Windows\System\CRBXLsn.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\ondLVmT.exe
  C:\Windows\System\ondLVmT.exe
  2⤵
  - Executes dropped EXE
  PID:3216
- C:\Windows\System\bCnhSCt.exe
  C:\Windows\System\bCnhSCt.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\QAgAdgm.exe
  C:\Windows\System\QAgAdgm.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\UALzYVP.exe
  C:\Windows\System\UALzYVP.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\bpWrqOB.exe
  C:\Windows\System\bpWrqOB.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\ugxdpqA.exe
  C:\Windows\System\ugxdpqA.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\itfzooT.exe
  C:\Windows\System\itfzooT.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\eoVCGIu.exe
  C:\Windows\System\eoVCGIu.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\XHHigJG.exe
  C:\Windows\System\XHHigJG.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\BFCFLGB.exe
  C:\Windows\System\BFCFLGB.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\hyUONBD.exe
  C:\Windows\System\hyUONBD.exe
  2⤵
  - Executes dropped EXE
  PID:2272
- C:\Windows\System\Upkmczo.exe
  C:\Windows\System\Upkmczo.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\tdRKIBu.exe
  C:\Windows\System\tdRKIBu.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\ItJPBAS.exe
  C:\Windows\System\ItJPBAS.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\StPPrDD.exe
  C:\Windows\System\StPPrDD.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\sAMLAom.exe
  C:\Windows\System\sAMLAom.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\HalcDTc.exe
  C:\Windows\System\HalcDTc.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\hCLRljL.exe
  C:\Windows\System\hCLRljL.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\pUTSTTe.exe
  C:\Windows\System\pUTSTTe.exe
  2⤵
  - Executes dropped EXE
  PID:1156
- C:\Windows\System\tluZxoO.exe
  C:\Windows\System\tluZxoO.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\NpnEWcp.exe
  C:\Windows\System\NpnEWcp.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\HTUTnCw.exe
  C:\Windows\System\HTUTnCw.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\ziIfcRF.exe
  C:\Windows\System\ziIfcRF.exe
  2⤵
  - Executes dropped EXE
  PID:4712
- C:\Windows\System\iNamzYt.exe
  C:\Windows\System\iNamzYt.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\JEZrKFj.exe
  C:\Windows\System\JEZrKFj.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Windows\System\erJedUA.exe
  C:\Windows\System\erJedUA.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\uErizBJ.exe
  C:\Windows\System\uErizBJ.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\vTPfHdC.exe
  C:\Windows\System\vTPfHdC.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\TBceqwe.exe
  C:\Windows\System\TBceqwe.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\ADqHiHo.exe
  C:\Windows\System\ADqHiHo.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\BidHaIr.exe
  C:\Windows\System\BidHaIr.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\GAtrviJ.exe
  C:\Windows\System\GAtrviJ.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\QtcKbjK.exe
  C:\Windows\System\QtcKbjK.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\bRNBmSb.exe
  C:\Windows\System\bRNBmSb.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- C:\Windows\System\dcMknoM.exe
  C:\Windows\System\dcMknoM.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\SYxgbHJ.exe
  C:\Windows\System\SYxgbHJ.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\pexnqLA.exe
  C:\Windows\System\pexnqLA.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\ARXRdND.exe
  C:\Windows\System\ARXRdND.exe
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\Windows\System\uSMvIaL.exe
  C:\Windows\System\uSMvIaL.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\OdTuzAz.exe
  C:\Windows\System\OdTuzAz.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\bjJDQJf.exe
  C:\Windows\System\bjJDQJf.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\ESunmgj.exe
  C:\Windows\System\ESunmgj.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\WtPPNgL.exe
  C:\Windows\System\WtPPNgL.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\RWabUPo.exe
  C:\Windows\System\RWabUPo.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\ejPZazW.exe
  C:\Windows\System\ejPZazW.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\vUbhZEX.exe
  C:\Windows\System\vUbhZEX.exe
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Windows\System\MJVaSZa.exe
  C:\Windows\System\MJVaSZa.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\jaHnTVB.exe
  C:\Windows\System\jaHnTVB.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\sCxAmZH.exe
  C:\Windows\System\sCxAmZH.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\dyUmRqM.exe
  C:\Windows\System\dyUmRqM.exe
  2⤵
  PID:684
- C:\Windows\System\bpBgFyw.exe
  C:\Windows\System\bpBgFyw.exe
  2⤵
  PID:1204
- C:\Windows\System\ubdwoGi.exe
  C:\Windows\System\ubdwoGi.exe
  2⤵
  PID:2168
- C:\Windows\System\atxwdTV.exe
  C:\Windows\System\atxwdTV.exe
  2⤵
  PID:3472
- C:\Windows\System\mbpZtvs.exe
  C:\Windows\System\mbpZtvs.exe
  2⤵
  PID:892
- C:\Windows\System\SfFgwyf.exe
  C:\Windows\System\SfFgwyf.exe
  2⤵
  PID:3708
- C:\Windows\System\ztfqtKQ.exe
  C:\Windows\System\ztfqtKQ.exe
  2⤵
  PID:4020
- C:\Windows\System\ElWlkRC.exe
  C:\Windows\System\ElWlkRC.exe
  2⤵
  PID:5036
- C:\Windows\System\amavVsE.exe
  C:\Windows\System\amavVsE.exe
  2⤵
  PID:1084
- C:\Windows\System\PpdBsOO.exe
  C:\Windows\System\PpdBsOO.exe
  2⤵
  PID:1452
- C:\Windows\System\CAeQNUF.exe
  C:\Windows\System\CAeQNUF.exe
  2⤵
  PID:3956
- C:\Windows\System\OLYHHdi.exe
  C:\Windows\System\OLYHHdi.exe
  2⤵
  PID:1344
- C:\Windows\System\YSxzzJh.exe
  C:\Windows\System\YSxzzJh.exe
  2⤵
  PID:3280
- C:\Windows\System\qTJQPhv.exe
  C:\Windows\System\qTJQPhv.exe
  2⤵
  PID:844
- C:\Windows\System\WcxiIZs.exe
  C:\Windows\System\WcxiIZs.exe
  2⤵
  PID:2260
- C:\Windows\System\RSWimBE.exe
  C:\Windows\System\RSWimBE.exe
  2⤵
  PID:4724
- C:\Windows\System\BVPBEyD.exe
  C:\Windows\System\BVPBEyD.exe
  2⤵
  PID:5132
- C:\Windows\System\kBhlbLj.exe
  C:\Windows\System\kBhlbLj.exe
  2⤵
  PID:5176
- C:\Windows\System\yjYckuU.exe
  C:\Windows\System\yjYckuU.exe
  2⤵
  PID:5200
- C:\Windows\System\dLxOrnA.exe
  C:\Windows\System\dLxOrnA.exe
  2⤵
  PID:5220
- C:\Windows\System\lUNmbRq.exe
  C:\Windows\System\lUNmbRq.exe
  2⤵
  PID:5256
- C:\Windows\System\FPyvFUb.exe
  C:\Windows\System\FPyvFUb.exe
  2⤵
  PID:5276
- C:\Windows\System\rnHYwbD.exe
  C:\Windows\System\rnHYwbD.exe
  2⤵
  PID:5300
- C:\Windows\System\OMBgvmf.exe
  C:\Windows\System\OMBgvmf.exe
  2⤵
  PID:5316
- C:\Windows\System\eJvOkzO.exe
  C:\Windows\System\eJvOkzO.exe
  2⤵
  PID:5340
- C:\Windows\System\RwgEPnC.exe
  C:\Windows\System\RwgEPnC.exe
  2⤵
  PID:5400
- C:\Windows\System\auEJMcN.exe
  C:\Windows\System\auEJMcN.exe
  2⤵
  PID:5424
- C:\Windows\System\uBVHZLF.exe
  C:\Windows\System\uBVHZLF.exe
  2⤵
  PID:5444
- C:\Windows\System\njRlPRm.exe
  C:\Windows\System\njRlPRm.exe
  2⤵
  PID:5476
- C:\Windows\System\sYNqHXa.exe
  C:\Windows\System\sYNqHXa.exe
  2⤵
  PID:5504
- C:\Windows\System\QAARqbu.exe
  C:\Windows\System\QAARqbu.exe
  2⤵
  PID:5524
- C:\Windows\System\sTwGcCI.exe
  C:\Windows\System\sTwGcCI.exe
  2⤵
  PID:5544
- C:\Windows\System\woYWVXf.exe
  C:\Windows\System\woYWVXf.exe
  2⤵
  PID:5568
- C:\Windows\System\ArRvfJl.exe
  C:\Windows\System\ArRvfJl.exe
  2⤵
  PID:5596
- C:\Windows\System\DzPTWSW.exe
  C:\Windows\System\DzPTWSW.exe
  2⤵
  PID:5628
- C:\Windows\System\ysFljjg.exe
  C:\Windows\System\ysFljjg.exe
  2⤵
  PID:5652
- C:\Windows\System\DHUHbHX.exe
  C:\Windows\System\DHUHbHX.exe
  2⤵
  PID:5688
- C:\Windows\System\gLcTnOk.exe
  C:\Windows\System\gLcTnOk.exe
  2⤵
  PID:5704
- C:\Windows\System\GfitItl.exe
  C:\Windows\System\GfitItl.exe
  2⤵
  PID:5756
- C:\Windows\System\byIUpIK.exe
  C:\Windows\System\byIUpIK.exe
  2⤵
  PID:5792
- C:\Windows\System\qyVvyKY.exe
  C:\Windows\System\qyVvyKY.exe
  2⤵
  PID:5820
- C:\Windows\System\qUWBhEb.exe
  C:\Windows\System\qUWBhEb.exe
  2⤵
  PID:5844
- C:\Windows\System\kuynaPG.exe
  C:\Windows\System\kuynaPG.exe
  2⤵
  PID:5888
- C:\Windows\System\nUSoWsY.exe
  C:\Windows\System\nUSoWsY.exe
  2⤵
  PID:5928
- C:\Windows\System\uWHUHny.exe
  C:\Windows\System\uWHUHny.exe
  2⤵
  PID:5948
- C:\Windows\System\qjSHFRl.exe
  C:\Windows\System\qjSHFRl.exe
  2⤵
  PID:5976
- C:\Windows\System\kWSxLic.exe
  C:\Windows\System\kWSxLic.exe
  2⤵
  PID:6000
- C:\Windows\System\ziPvuQP.exe
  C:\Windows\System\ziPvuQP.exe
  2⤵
  PID:6068
- C:\Windows\System\bXRxnST.exe
  C:\Windows\System\bXRxnST.exe
  2⤵
  PID:6096
- C:\Windows\System\ZGaBJUj.exe
  C:\Windows\System\ZGaBJUj.exe
  2⤵
  PID:6136
- C:\Windows\System\TfMJLwr.exe
  C:\Windows\System\TfMJLwr.exe
  2⤵
  PID:2556
- C:\Windows\System\pSgdGvB.exe
  C:\Windows\System\pSgdGvB.exe
  2⤵
  PID:5172
- C:\Windows\System\buyBFuF.exe
  C:\Windows\System\buyBFuF.exe
  2⤵
  PID:5236
- C:\Windows\System\OyHvceN.exe
  C:\Windows\System\OyHvceN.exe
  2⤵
  PID:5308
- C:\Windows\System\jYXQVxD.exe
  C:\Windows\System\jYXQVxD.exe
  2⤵
  PID:5412
- C:\Windows\System\hLsVLOm.exe
  C:\Windows\System\hLsVLOm.exe
  2⤵
  PID:5440
- C:\Windows\System\JzOBsmk.exe
  C:\Windows\System\JzOBsmk.exe
  2⤵
  PID:5536
- C:\Windows\System\TEHYgdi.exe
  C:\Windows\System\TEHYgdi.exe
  2⤵
  PID:5588
- C:\Windows\System\nImRZjO.exe
  C:\Windows\System\nImRZjO.exe
  2⤵
  PID:5696
- C:\Windows\System\ukVLQKI.exe
  C:\Windows\System\ukVLQKI.exe
  2⤵
  PID:5748
- C:\Windows\System\JGEiDRK.exe
  C:\Windows\System\JGEiDRK.exe
  2⤵
  PID:5864
- C:\Windows\System\NMSqjuQ.exe
  C:\Windows\System\NMSqjuQ.exe
  2⤵
  PID:5924
- C:\Windows\System\BkPEszT.exe
  C:\Windows\System\BkPEszT.exe
  2⤵
  PID:6092
- C:\Windows\System\qtwMlGg.exe
  C:\Windows\System\qtwMlGg.exe
  2⤵
  PID:988
- C:\Windows\System\ememwLx.exe
  C:\Windows\System\ememwLx.exe
  2⤵
  PID:2612
- C:\Windows\System\pTNhlAp.exe
  C:\Windows\System\pTNhlAp.exe
  2⤵
  PID:5728
- C:\Windows\System\fRQKAhZ.exe
  C:\Windows\System\fRQKAhZ.exe
  2⤵
  PID:5812
- C:\Windows\System\iKXopqe.exe
  C:\Windows\System\iKXopqe.exe
  2⤵
  PID:3108
- C:\Windows\System\vQtzfXs.exe
  C:\Windows\System\vQtzfXs.exe
  2⤵
  PID:5724
- C:\Windows\System\diRAWzD.exe
  C:\Windows\System\diRAWzD.exe
  2⤵
  PID:5788
- C:\Windows\System\WwqqXEv.exe
  C:\Windows\System\WwqqXEv.exe
  2⤵
  PID:6176
- C:\Windows\System\wKniLNP.exe
  C:\Windows\System\wKniLNP.exe
  2⤵
  PID:6196
- C:\Windows\System\iXHGPLI.exe
  C:\Windows\System\iXHGPLI.exe
  2⤵
  PID:6220
- C:\Windows\System\kunmnPU.exe
  C:\Windows\System\kunmnPU.exe
  2⤵
  PID:6240
- C:\Windows\System\ksUZmtq.exe
  C:\Windows\System\ksUZmtq.exe
  2⤵
  PID:6256
- C:\Windows\System\mYpCrXP.exe
  C:\Windows\System\mYpCrXP.exe
  2⤵
  PID:6324
- C:\Windows\System\QEsAEme.exe
  C:\Windows\System\QEsAEme.exe
  2⤵
  PID:6348
- C:\Windows\System\OZxeEkI.exe
  C:\Windows\System\OZxeEkI.exe
  2⤵
  PID:6372
- C:\Windows\System\eJWXzMQ.exe
  C:\Windows\System\eJWXzMQ.exe
  2⤵
  PID:6396
- C:\Windows\System\wgotbFq.exe
  C:\Windows\System\wgotbFq.exe
  2⤵
  PID:6420
- C:\Windows\System\aqAgzmr.exe
  C:\Windows\System\aqAgzmr.exe
  2⤵
  PID:6452
- C:\Windows\System\LWgzQDh.exe
  C:\Windows\System\LWgzQDh.exe
  2⤵
  PID:6496
- C:\Windows\System\KegJYIo.exe
  C:\Windows\System\KegJYIo.exe
  2⤵
  PID:6516
- C:\Windows\System\azQPOHz.exe
  C:\Windows\System\azQPOHz.exe
  2⤵
  PID:6548
- C:\Windows\System\yzPcUNo.exe
  C:\Windows\System\yzPcUNo.exe
  2⤵
  PID:6612
- C:\Windows\System\EvhyUvy.exe
  C:\Windows\System\EvhyUvy.exe
  2⤵
  PID:6632
- C:\Windows\System\DbyXjxv.exe
  C:\Windows\System\DbyXjxv.exe
  2⤵
  PID:6656
- C:\Windows\System\nEWCjjx.exe
  C:\Windows\System\nEWCjjx.exe
  2⤵
  PID:6680
- C:\Windows\System\jPBkHaH.exe
  C:\Windows\System\jPBkHaH.exe
  2⤵
  PID:6696
- C:\Windows\System\jhTXUyB.exe
  C:\Windows\System\jhTXUyB.exe
  2⤵
  PID:6720
- C:\Windows\System\MVjJbvv.exe
  C:\Windows\System\MVjJbvv.exe
  2⤵
  PID:6740
- C:\Windows\System\HrRpTUT.exe
  C:\Windows\System\HrRpTUT.exe
  2⤵
  PID:6788
- C:\Windows\System\cwrGCjn.exe
  C:\Windows\System\cwrGCjn.exe
  2⤵
  PID:6812
- C:\Windows\System\dTdrltM.exe
  C:\Windows\System\dTdrltM.exe
  2⤵
  PID:6844
- C:\Windows\System\IIIJdqm.exe
  C:\Windows\System\IIIJdqm.exe
  2⤵
  PID:6876
- C:\Windows\System\mbNhhOd.exe
  C:\Windows\System\mbNhhOd.exe
  2⤵
  PID:6892
- C:\Windows\System\vjmFqTt.exe
  C:\Windows\System\vjmFqTt.exe
  2⤵
  PID:6928
- C:\Windows\System\BsKzfsp.exe
  C:\Windows\System\BsKzfsp.exe
  2⤵
  PID:6964
- C:\Windows\System\DQrtzln.exe
  C:\Windows\System\DQrtzln.exe
  2⤵
  PID:6984
- C:\Windows\System\cgYhySK.exe
  C:\Windows\System\cgYhySK.exe
  2⤵
  PID:7008
- C:\Windows\System\dVriiaL.exe
  C:\Windows\System\dVriiaL.exe
  2⤵
  PID:7052
- C:\Windows\System\JAwegaw.exe
  C:\Windows\System\JAwegaw.exe
  2⤵
  PID:7088
- C:\Windows\System\dOffTtD.exe
  C:\Windows\System\dOffTtD.exe
  2⤵
  PID:7112
- C:\Windows\System\TrDlPRq.exe
  C:\Windows\System\TrDlPRq.exe
  2⤵
  PID:7132
- C:\Windows\System\WztLIbD.exe
  C:\Windows\System\WztLIbD.exe
  2⤵
  PID:7152
- C:\Windows\System\ziwoiEV.exe
  C:\Windows\System\ziwoiEV.exe
  2⤵
  PID:6168
- C:\Windows\System\GfgnNqH.exe
  C:\Windows\System\GfgnNqH.exe
  2⤵
  PID:6248
- C:\Windows\System\upsQnnQ.exe
  C:\Windows\System\upsQnnQ.exe
  2⤵
  PID:6320
- C:\Windows\System\CsLkJkF.exe
  C:\Windows\System\CsLkJkF.exe
  2⤵
  PID:6364
- C:\Windows\System\CKjymJW.exe
  C:\Windows\System\CKjymJW.exe
  2⤵
  PID:6436
- C:\Windows\System\yNXZpNt.exe
  C:\Windows\System\yNXZpNt.exe
  2⤵
  PID:6544
- C:\Windows\System\TGxAlDl.exe
  C:\Windows\System\TGxAlDl.exe
  2⤵
  PID:6604
- C:\Windows\System\GamaZJV.exe
  C:\Windows\System\GamaZJV.exe
  2⤵
  PID:6664
- C:\Windows\System\SyXCesT.exe
  C:\Windows\System\SyXCesT.exe
  2⤵
  PID:6704
- C:\Windows\System\NAtyeza.exe
  C:\Windows\System\NAtyeza.exe
  2⤵
  PID:1088
- C:\Windows\System\AAktPCJ.exe
  C:\Windows\System\AAktPCJ.exe
  2⤵
  PID:6784
- C:\Windows\System\Bqcscxw.exe
  C:\Windows\System\Bqcscxw.exe
  2⤵
  PID:6868
- C:\Windows\System\nRiIJFd.exe
  C:\Windows\System\nRiIJFd.exe
  2⤵
  PID:6900
- C:\Windows\System\HpUpyUj.exe
  C:\Windows\System\HpUpyUj.exe
  2⤵
  PID:7032
- C:\Windows\System\FrKHuoi.exe
  C:\Windows\System\FrKHuoi.exe
  2⤵
  PID:7064
- C:\Windows\System\uxaYoLH.exe
  C:\Windows\System\uxaYoLH.exe
  2⤵
  PID:6064
- C:\Windows\System\WuJFvDy.exe
  C:\Windows\System\WuJFvDy.exe
  2⤵
  PID:6344
- C:\Windows\System\aCkyKEY.exe
  C:\Windows\System\aCkyKEY.exe
  2⤵
  PID:6716
- C:\Windows\System\XmMeTFh.exe
  C:\Windows\System\XmMeTFh.exe
  2⤵
  PID:6728
- C:\Windows\System\VjvAurZ.exe
  C:\Windows\System\VjvAurZ.exe
  2⤵
  PID:6840
- C:\Windows\System\ygkthOe.exe
  C:\Windows\System\ygkthOe.exe
  2⤵
  PID:6204
- C:\Windows\System\aIPnGRI.exe
  C:\Windows\System\aIPnGRI.exe
  2⤵
  PID:6620
- C:\Windows\System\ZesVUtR.exe
  C:\Windows\System\ZesVUtR.exe
  2⤵
  PID:6772
- C:\Windows\System\LbwMEWc.exe
  C:\Windows\System\LbwMEWc.exe
  2⤵
  PID:6512
- C:\Windows\System\AgrdBwj.exe
  C:\Windows\System\AgrdBwj.exe
  2⤵
  PID:7176
- C:\Windows\System\CJoAFZU.exe
  C:\Windows\System\CJoAFZU.exe
  2⤵
  PID:7192
- C:\Windows\System\tIyDHIh.exe
  C:\Windows\System\tIyDHIh.exe
  2⤵
  PID:7208
- C:\Windows\System\CYbVkIE.exe
  C:\Windows\System\CYbVkIE.exe
  2⤵
  PID:7224
- C:\Windows\System\rCBiGvx.exe
  C:\Windows\System\rCBiGvx.exe
  2⤵
  PID:7240
- C:\Windows\System\xfxcaGt.exe
  C:\Windows\System\xfxcaGt.exe
  2⤵
  PID:7256
- C:\Windows\System\irfDpmJ.exe
  C:\Windows\System\irfDpmJ.exe
  2⤵
  PID:7276
- C:\Windows\System\OkKviGW.exe
  C:\Windows\System\OkKviGW.exe
  2⤵
  PID:7292
- C:\Windows\System\XmovyFL.exe
  C:\Windows\System\XmovyFL.exe
  2⤵
  PID:7376
- C:\Windows\System\vXtTnuv.exe
  C:\Windows\System\vXtTnuv.exe
  2⤵
  PID:7476
- C:\Windows\System\ttNrmEX.exe
  C:\Windows\System\ttNrmEX.exe
  2⤵
  PID:7508
- C:\Windows\System\rKxoxjH.exe
  C:\Windows\System\rKxoxjH.exe
  2⤵
  PID:7540
- C:\Windows\System\GkppiqQ.exe
  C:\Windows\System\GkppiqQ.exe
  2⤵
  PID:7588
- C:\Windows\System\eOcbMHq.exe
  C:\Windows\System\eOcbMHq.exe
  2⤵
  PID:7624
- C:\Windows\System\VGSQsqw.exe
  C:\Windows\System\VGSQsqw.exe
  2⤵
  PID:7668
- C:\Windows\System\jsNEAov.exe
  C:\Windows\System\jsNEAov.exe
  2⤵
  PID:7712
- C:\Windows\System\HCGkNgf.exe
  C:\Windows\System\HCGkNgf.exe
  2⤵
  PID:7736
- C:\Windows\System\XbnGTTm.exe
  C:\Windows\System\XbnGTTm.exe
  2⤵
  PID:7752
- C:\Windows\System\PjkCCGA.exe
  C:\Windows\System\PjkCCGA.exe
  2⤵
  PID:7788
- C:\Windows\System\AsgOFqz.exe
  C:\Windows\System\AsgOFqz.exe
  2⤵
  PID:7832
- C:\Windows\System\KrsGkCk.exe
  C:\Windows\System\KrsGkCk.exe
  2⤵
  PID:7852
- C:\Windows\System\LwCBsai.exe
  C:\Windows\System\LwCBsai.exe
  2⤵
  PID:7876
- C:\Windows\System\egBwqln.exe
  C:\Windows\System\egBwqln.exe
  2⤵
  PID:7896
- C:\Windows\System\IBclgxO.exe
  C:\Windows\System\IBclgxO.exe
  2⤵
  PID:7916
- C:\Windows\System\zhUeJTR.exe
  C:\Windows\System\zhUeJTR.exe
  2⤵
  PID:7952
- C:\Windows\System\RYcZGXC.exe
  C:\Windows\System\RYcZGXC.exe
  2⤵
  PID:7972
- C:\Windows\System\vuiObJr.exe
  C:\Windows\System\vuiObJr.exe
  2⤵
  PID:7996
- C:\Windows\System\PZAobWw.exe
  C:\Windows\System\PZAobWw.exe
  2⤵
  PID:8024
- C:\Windows\System\qIBzMPR.exe
  C:\Windows\System\qIBzMPR.exe
  2⤵
  PID:8076
- C:\Windows\System\oaZKinI.exe
  C:\Windows\System\oaZKinI.exe
  2⤵
  PID:8112
- C:\Windows\System\qqNcGHD.exe
  C:\Windows\System\qqNcGHD.exe
  2⤵
  PID:8132
- C:\Windows\System\yPYCVDm.exe
  C:\Windows\System\yPYCVDm.exe
  2⤵
  PID:8152
- C:\Windows\System\zxmwPBt.exe
  C:\Windows\System\zxmwPBt.exe
  2⤵
  PID:6924
- C:\Windows\System\coFTnFJ.exe
  C:\Windows\System\coFTnFJ.exe
  2⤵
  PID:7104
- C:\Windows\System\xMjqbPL.exe
  C:\Windows\System\xMjqbPL.exe
  2⤵
  PID:6488
- C:\Windows\System\JLBCpdn.exe
  C:\Windows\System\JLBCpdn.exe
  2⤵
  PID:6644
- C:\Windows\System\pLZznFQ.exe
  C:\Windows\System\pLZznFQ.exe
  2⤵
  PID:7184
- C:\Windows\System\TPlaYEV.exe
  C:\Windows\System\TPlaYEV.exe
  2⤵
  PID:7220
- C:\Windows\System\QDLrxey.exe
  C:\Windows\System\QDLrxey.exe
  2⤵
  PID:7272
- C:\Windows\System\SheqIXB.exe
  C:\Windows\System\SheqIXB.exe
  2⤵
  PID:7408
- C:\Windows\System\XcYTnQM.exe
  C:\Windows\System\XcYTnQM.exe
  2⤵
  PID:7368
- C:\Windows\System\eMsLQiZ.exe
  C:\Windows\System\eMsLQiZ.exe
  2⤵
  PID:7560
- C:\Windows\System\isoOWZj.exe
  C:\Windows\System\isoOWZj.exe
  2⤵
  PID:7660
- C:\Windows\System\zxSpZjh.exe
  C:\Windows\System\zxSpZjh.exe
  2⤵
  PID:7728
- C:\Windows\System\umpzpZp.exe
  C:\Windows\System\umpzpZp.exe
  2⤵
  PID:7744
- C:\Windows\System\zdZAEQJ.exe
  C:\Windows\System\zdZAEQJ.exe
  2⤵
  PID:7768
- C:\Windows\System\YBKdcvw.exe
  C:\Windows\System\YBKdcvw.exe
  2⤵
  PID:7892
- C:\Windows\System\pyAqkbO.exe
  C:\Windows\System\pyAqkbO.exe
  2⤵
  PID:7888
- C:\Windows\System\BFKEuWA.exe
  C:\Windows\System\BFKEuWA.exe
  2⤵
  PID:8032
- C:\Windows\System\NpdflCW.exe
  C:\Windows\System\NpdflCW.exe
  2⤵
  PID:8072
- C:\Windows\System\PfITqVX.exe
  C:\Windows\System\PfITqVX.exe
  2⤵
  PID:8148
- C:\Windows\System\gGsgrUL.exe
  C:\Windows\System\gGsgrUL.exe
  2⤵
  PID:6416
- C:\Windows\System\LAObMXI.exe
  C:\Windows\System\LAObMXI.exe
  2⤵
  PID:7236
- C:\Windows\System\GeqgMXV.exe
  C:\Windows\System\GeqgMXV.exe
  2⤵
  PID:7488
- C:\Windows\System\bCSNVnr.exe
  C:\Windows\System\bCSNVnr.exe
  2⤵
  PID:7484
- C:\Windows\System\XgzCCPu.exe
  C:\Windows\System\XgzCCPu.exe
  2⤵
  PID:7708
- C:\Windows\System\TIieOii.exe
  C:\Windows\System\TIieOii.exe
  2⤵
  PID:7928
- C:\Windows\System\oChUPfP.exe
  C:\Windows\System\oChUPfP.exe
  2⤵
  PID:7968
- C:\Windows\System\vijgzXI.exe
  C:\Windows\System\vijgzXI.exe
  2⤵
  PID:8016
- C:\Windows\System\OTytvbd.exe
  C:\Windows\System\OTytvbd.exe
  2⤵
  PID:6920
- C:\Windows\System\fxvBptd.exe
  C:\Windows\System\fxvBptd.exe
  2⤵
  PID:7204
- C:\Windows\System\Mcgcayv.exe
  C:\Windows\System\Mcgcayv.exe
  2⤵
  PID:7664
- C:\Windows\System\CHkmuFT.exe
  C:\Windows\System\CHkmuFT.exe
  2⤵
  PID:8052
- C:\Windows\System\oefhyJz.exe
  C:\Windows\System\oefhyJz.exe
  2⤵
  PID:7216
- C:\Windows\System\lcYqdxC.exe
  C:\Windows\System\lcYqdxC.exe
  2⤵
  PID:8212
- C:\Windows\System\WBsqRKQ.exe
  C:\Windows\System\WBsqRKQ.exe
  2⤵
  PID:8244
- C:\Windows\System\wMuriVj.exe
  C:\Windows\System\wMuriVj.exe
  2⤵
  PID:8264
- C:\Windows\System\aDoLlqk.exe
  C:\Windows\System\aDoLlqk.exe
  2⤵
  PID:8288
- C:\Windows\System\twmuUKC.exe
  C:\Windows\System\twmuUKC.exe
  2⤵
  PID:8312
- C:\Windows\System\ksJUwSK.exe
  C:\Windows\System\ksJUwSK.exe
  2⤵
  PID:8336
- C:\Windows\System\WfxojZM.exe
  C:\Windows\System\WfxojZM.exe
  2⤵
  PID:8360
- C:\Windows\System\FKtmzYP.exe
  C:\Windows\System\FKtmzYP.exe
  2⤵
  PID:8384
- C:\Windows\System\jVEYBle.exe
  C:\Windows\System\jVEYBle.exe
  2⤵
  PID:8408
- C:\Windows\System\keYVgBW.exe
  C:\Windows\System\keYVgBW.exe
  2⤵
  PID:8452
- C:\Windows\System\MAjuSfV.exe
  C:\Windows\System\MAjuSfV.exe
  2⤵
  PID:8516
- C:\Windows\System\CfJBhOF.exe
  C:\Windows\System\CfJBhOF.exe
  2⤵
  PID:8536
- C:\Windows\System\WYdHFnC.exe
  C:\Windows\System\WYdHFnC.exe
  2⤵
  PID:8560
- C:\Windows\System\JFioqwM.exe
  C:\Windows\System\JFioqwM.exe
  2⤵
  PID:8584
- C:\Windows\System\YGiPpIL.exe
  C:\Windows\System\YGiPpIL.exe
  2⤵
  PID:8612
- C:\Windows\System\fOvDmBN.exe
  C:\Windows\System\fOvDmBN.exe
  2⤵
  PID:8660
- C:\Windows\System\IdiWtCt.exe
  C:\Windows\System\IdiWtCt.exe
  2⤵
  PID:8684
- C:\Windows\System\JPgnGDY.exe
  C:\Windows\System\JPgnGDY.exe
  2⤵
  PID:8700
- C:\Windows\System\cxNLALz.exe
  C:\Windows\System\cxNLALz.exe
  2⤵
  PID:8724
- C:\Windows\System\QtwoKYb.exe
  C:\Windows\System\QtwoKYb.exe
  2⤵
  PID:8744
- C:\Windows\System\oBhNWkJ.exe
  C:\Windows\System\oBhNWkJ.exe
  2⤵
  PID:8768
- C:\Windows\System\qOydvHf.exe
  C:\Windows\System\qOydvHf.exe
  2⤵
  PID:8808
- C:\Windows\System\mjOiMhS.exe
  C:\Windows\System\mjOiMhS.exe
  2⤵
  PID:8836
- C:\Windows\System\wRfcOir.exe
  C:\Windows\System\wRfcOir.exe
  2⤵
  PID:8864
- C:\Windows\System\BIplKZO.exe
  C:\Windows\System\BIplKZO.exe
  2⤵
  PID:8912
- C:\Windows\System\LTpJRoh.exe
  C:\Windows\System\LTpJRoh.exe
  2⤵
  PID:8932
- C:\Windows\System\LqEAAtO.exe
  C:\Windows\System\LqEAAtO.exe
  2⤵
  PID:8952
- C:\Windows\System\DMMJNuC.exe
  C:\Windows\System\DMMJNuC.exe
  2⤵
  PID:8968
- C:\Windows\System\vZxkNMY.exe
  C:\Windows\System\vZxkNMY.exe
  2⤵
  PID:9024
- C:\Windows\System\TlyCJYJ.exe
  C:\Windows\System\TlyCJYJ.exe
  2⤵
  PID:9044
- C:\Windows\System\sUMzaqR.exe
  C:\Windows\System\sUMzaqR.exe
  2⤵
  PID:9064
- C:\Windows\System\RsjRKNS.exe
  C:\Windows\System\RsjRKNS.exe
  2⤵
  PID:9080
- C:\Windows\System\bNMQyaG.exe
  C:\Windows\System\bNMQyaG.exe
  2⤵
  PID:9100
- C:\Windows\System\IkCVGrX.exe
  C:\Windows\System\IkCVGrX.exe
  2⤵
  PID:9136
- C:\Windows\System\VmPehsO.exe
  C:\Windows\System\VmPehsO.exe
  2⤵
  PID:9156
- C:\Windows\System\mYRKkGc.exe
  C:\Windows\System\mYRKkGc.exe
  2⤵
  PID:9176
- C:\Windows\System\JzuezgK.exe
  C:\Windows\System\JzuezgK.exe
  2⤵
  PID:8084
- C:\Windows\System\qMDnOOE.exe
  C:\Windows\System\qMDnOOE.exe
  2⤵
  PID:8224
- C:\Windows\System\mHPAWdv.exe
  C:\Windows\System\mHPAWdv.exe
  2⤵
  PID:8276
- C:\Windows\System\ZUzWmfJ.exe
  C:\Windows\System\ZUzWmfJ.exe
  2⤵
  PID:8376
- C:\Windows\System\vtTCsiw.exe
  C:\Windows\System\vtTCsiw.exe
  2⤵
  PID:8444
- C:\Windows\System\MIrDbnE.exe
  C:\Windows\System\MIrDbnE.exe
  2⤵
  PID:8524
- C:\Windows\System\EPvqPCs.exe
  C:\Windows\System\EPvqPCs.exe
  2⤵
  PID:8556
- C:\Windows\System\JWvBKet.exe
  C:\Windows\System\JWvBKet.exe
  2⤵
  PID:8652
- C:\Windows\System\aPAOJHD.exe
  C:\Windows\System\aPAOJHD.exe
  2⤵
  PID:8736
- C:\Windows\System\cKkoyRn.exe
  C:\Windows\System\cKkoyRn.exe
  2⤵
  PID:8780
- C:\Windows\System\PDqGGfP.exe
  C:\Windows\System\PDqGGfP.exe
  2⤵
  PID:8816
- C:\Windows\System\ToOAdEJ.exe
  C:\Windows\System\ToOAdEJ.exe
  2⤵
  PID:8928
- C:\Windows\System\lgUuilB.exe
  C:\Windows\System\lgUuilB.exe
  2⤵
  PID:9036
- C:\Windows\System\ntHVoXi.exe
  C:\Windows\System\ntHVoXi.exe
  2⤵
  PID:9072
- C:\Windows\System\lXirTWQ.exe
  C:\Windows\System\lXirTWQ.exe
  2⤵
  PID:9132
- C:\Windows\System\QkzcCBj.exe
  C:\Windows\System\QkzcCBj.exe
  2⤵
  PID:8232
- C:\Windows\System\rYjVBIG.exe
  C:\Windows\System\rYjVBIG.exe
  2⤵
  PID:9212
- C:\Windows\System\qVFFLRx.exe
  C:\Windows\System\qVFFLRx.exe
  2⤵
  PID:8256
- C:\Windows\System\OklzAbw.exe
  C:\Windows\System\OklzAbw.exe
  2⤵
  PID:2180
- C:\Windows\System\nkwWlSD.exe
  C:\Windows\System\nkwWlSD.exe
  2⤵
  PID:8580
- C:\Windows\System\NBRfhGb.exe
  C:\Windows\System\NBRfhGb.exe
  2⤵
  PID:8824
- C:\Windows\System\XGAyDar.exe
  C:\Windows\System\XGAyDar.exe
  2⤵
  PID:9152
- C:\Windows\System\qGbgRUS.exe
  C:\Windows\System\qGbgRUS.exe
  2⤵
  PID:8332
- C:\Windows\System\yWbLMcd.exe
  C:\Windows\System\yWbLMcd.exe
  2⤵
  PID:8628
- C:\Windows\System\MHuMjLk.exe
  C:\Windows\System\MHuMjLk.exe
  2⤵
  PID:8472
- C:\Windows\System\tKqXzvN.exe
  C:\Windows\System\tKqXzvN.exe
  2⤵
  PID:9096
- C:\Windows\System\Vbeftmt.exe
  C:\Windows\System\Vbeftmt.exe
  2⤵
  PID:8508
- C:\Windows\System\EySLGrY.exe
  C:\Windows\System\EySLGrY.exe
  2⤵
  PID:9228
- C:\Windows\System\ojjTwrh.exe
  C:\Windows\System\ojjTwrh.exe
  2⤵
  PID:9260
- C:\Windows\System\osCUcIl.exe
  C:\Windows\System\osCUcIl.exe
  2⤵
  PID:9304
- C:\Windows\System\qEaGDpw.exe
  C:\Windows\System\qEaGDpw.exe
  2⤵
  PID:9336
- C:\Windows\System\QdrxFFy.exe
  C:\Windows\System\QdrxFFy.exe
  2⤵
  PID:9356
- C:\Windows\System\rWUkzgB.exe
  C:\Windows\System\rWUkzgB.exe
  2⤵
  PID:9380
- C:\Windows\System\qqePKeh.exe
  C:\Windows\System\qqePKeh.exe
  2⤵
  PID:9416
- C:\Windows\System\kGJyAgb.exe
  C:\Windows\System\kGJyAgb.exe
  2⤵
  PID:9460
- C:\Windows\System\YKlIFtn.exe
  C:\Windows\System\YKlIFtn.exe
  2⤵
  PID:9480
- C:\Windows\System\gcyxnJq.exe
  C:\Windows\System\gcyxnJq.exe
  2⤵
  PID:9504
- C:\Windows\System\iDjrUdg.exe
  C:\Windows\System\iDjrUdg.exe
  2⤵
  PID:9536
- C:\Windows\System\ncVjPCR.exe
  C:\Windows\System\ncVjPCR.exe
  2⤵
  PID:9564
- C:\Windows\System\cPbWWiA.exe
  C:\Windows\System\cPbWWiA.exe
  2⤵
  PID:9636
- C:\Windows\System\FCCQSfj.exe
  C:\Windows\System\FCCQSfj.exe
  2⤵
  PID:9660
- C:\Windows\System\Ipdcqdv.exe
  C:\Windows\System\Ipdcqdv.exe
  2⤵
  PID:9680
- C:\Windows\System\ceJqtkz.exe
  C:\Windows\System\ceJqtkz.exe
  2⤵
  PID:9720
- C:\Windows\System\nuGwuGu.exe
  C:\Windows\System\nuGwuGu.exe
  2⤵
  PID:9744
- C:\Windows\System\nvaQJeJ.exe
  C:\Windows\System\nvaQJeJ.exe
  2⤵
  PID:9768
- C:\Windows\System\SbzwkRS.exe
  C:\Windows\System\SbzwkRS.exe
  2⤵
  PID:9796
- C:\Windows\System\ELejrBa.exe
  C:\Windows\System\ELejrBa.exe
  2⤵
  PID:9836
- C:\Windows\System\JSiCznU.exe
  C:\Windows\System\JSiCznU.exe
  2⤵
  PID:9896
- C:\Windows\System\OEuNRQE.exe
  C:\Windows\System\OEuNRQE.exe
  2⤵
  PID:9944
- C:\Windows\System\pRvTjir.exe
  C:\Windows\System\pRvTjir.exe
  2⤵
  PID:9968
- C:\Windows\System\kkjFjqx.exe
  C:\Windows\System\kkjFjqx.exe
  2⤵
  PID:9988
- C:\Windows\System\YKjQqDQ.exe
  C:\Windows\System\YKjQqDQ.exe
  2⤵
  PID:10044
- C:\Windows\System\oSzkmnr.exe
  C:\Windows\System\oSzkmnr.exe
  2⤵
  PID:10072
- C:\Windows\System\Pwzxbud.exe
  C:\Windows\System\Pwzxbud.exe
  2⤵
  PID:10096
- C:\Windows\System\qTCFfvX.exe
  C:\Windows\System\qTCFfvX.exe
  2⤵
  PID:10120
- C:\Windows\System\FvmHGgV.exe
  C:\Windows\System\FvmHGgV.exe
  2⤵
  PID:10152
- C:\Windows\System\TkLMHMV.exe
  C:\Windows\System\TkLMHMV.exe
  2⤵
  PID:10176
- C:\Windows\System\SdUEBbk.exe
  C:\Windows\System\SdUEBbk.exe
  2⤵
  PID:10200
- C:\Windows\System\YqKGaRP.exe
  C:\Windows\System\YqKGaRP.exe
  2⤵
  PID:9296
- C:\Windows\System\zOXKFes.exe
  C:\Windows\System\zOXKFes.exe
  2⤵
  PID:9292
- C:\Windows\System\JrBNdNH.exe
  C:\Windows\System\JrBNdNH.exe
  2⤵
  PID:9352
- C:\Windows\System\EuNIGtB.exe
  C:\Windows\System\EuNIGtB.exe
  2⤵
  PID:9444
- C:\Windows\System\lFgQJoc.exe
  C:\Windows\System\lFgQJoc.exe
  2⤵
  PID:9492
- C:\Windows\System\FsASmXd.exe
  C:\Windows\System\FsASmXd.exe
  2⤵
  PID:9520
- C:\Windows\System\QwIXhtn.exe
  C:\Windows\System\QwIXhtn.exe
  2⤵
  PID:9616
- C:\Windows\System\onmvJbf.exe
  C:\Windows\System\onmvJbf.exe
  2⤵
  PID:9652
- C:\Windows\System\LVdxvVc.exe
  C:\Windows\System\LVdxvVc.exe
  2⤵
  PID:9812
- C:\Windows\System\MkdMZlU.exe
  C:\Windows\System\MkdMZlU.exe
  2⤵
  PID:9912
- C:\Windows\System\yBwRgls.exe
  C:\Windows\System\yBwRgls.exe
  2⤵
  PID:3128
- C:\Windows\System\HjADBer.exe
  C:\Windows\System\HjADBer.exe
  2⤵
  PID:9936
- C:\Windows\System\rfolCXY.exe
  C:\Windows\System\rfolCXY.exe
  2⤵
  PID:10052
- C:\Windows\System\yVjGqia.exe
  C:\Windows\System\yVjGqia.exe
  2⤵
  PID:10084
- C:\Windows\System\lJsHrVL.exe
  C:\Windows\System\lJsHrVL.exe
  2⤵
  PID:10172
- C:\Windows\System\VJDHcig.exe
  C:\Windows\System\VJDHcig.exe
  2⤵
  PID:8196
- C:\Windows\System\YkUXEtX.exe
  C:\Windows\System\YkUXEtX.exe
  2⤵
  PID:9376
- C:\Windows\System\paBjgUj.exe
  C:\Windows\System\paBjgUj.exe
  2⤵
  PID:9676
- C:\Windows\System\HGQcity.exe
  C:\Windows\System\HGQcity.exe
  2⤵
  PID:9440
- C:\Windows\System\SUImCtX.exe
  C:\Windows\System\SUImCtX.exe
  2⤵
  PID:9932
- C:\Windows\System\wtnpRfM.exe
  C:\Windows\System\wtnpRfM.exe
  2⤵
  PID:10088
- C:\Windows\System\LeFUcbE.exe
  C:\Windows\System\LeFUcbE.exe
  2⤵
  PID:9268
- C:\Windows\System\CNIVLUX.exe
  C:\Windows\System\CNIVLUX.exe
  2⤵
  PID:9472
- C:\Windows\System\BNcIwKE.exe
  C:\Windows\System\BNcIwKE.exe
  2⤵
  PID:10224
- C:\Windows\System\uKLuSAB.exe
  C:\Windows\System\uKLuSAB.exe
  2⤵
  PID:10244
- C:\Windows\System\yWLEyZe.exe
  C:\Windows\System\yWLEyZe.exe
  2⤵
  PID:10276
- C:\Windows\System\lUjIHwx.exe
  C:\Windows\System\lUjIHwx.exe
  2⤵
  PID:10292
- C:\Windows\System\TdClzTz.exe
  C:\Windows\System\TdClzTz.exe
  2⤵
  PID:10308
- C:\Windows\System\GcYdRVX.exe
  C:\Windows\System\GcYdRVX.exe
  2⤵
  PID:10328
- C:\Windows\System\KsOFhKq.exe
  C:\Windows\System\KsOFhKq.exe
  2⤵
  PID:10364
- C:\Windows\System\YnhhaRF.exe
  C:\Windows\System\YnhhaRF.exe
  2⤵
  PID:10400
- C:\Windows\System\JclsfWO.exe
  C:\Windows\System\JclsfWO.exe
  2⤵
  PID:10460
- C:\Windows\System\ZSLouAk.exe
  C:\Windows\System\ZSLouAk.exe
  2⤵
  PID:10508
- C:\Windows\System\wuOvHEb.exe
  C:\Windows\System\wuOvHEb.exe
  2⤵
  PID:10532
- C:\Windows\System\MyeMTHZ.exe
  C:\Windows\System\MyeMTHZ.exe
  2⤵
  PID:10548
- C:\Windows\System\kCLHLrS.exe
  C:\Windows\System\kCLHLrS.exe
  2⤵
  PID:10580
- C:\Windows\System\oeHjKBT.exe
  C:\Windows\System\oeHjKBT.exe
  2⤵
  PID:10596
- C:\Windows\System\oDZnJRP.exe
  C:\Windows\System\oDZnJRP.exe
  2⤵
  PID:10620
- C:\Windows\System\UirkINb.exe
  C:\Windows\System\UirkINb.exe
  2⤵
  PID:10644
- C:\Windows\System\IBHEvRD.exe
  C:\Windows\System\IBHEvRD.exe
  2⤵
  PID:10692
- C:\Windows\System\DUxfFVj.exe
  C:\Windows\System\DUxfFVj.exe
  2⤵
  PID:10716
- C:\Windows\System\nLlHNxF.exe
  C:\Windows\System\nLlHNxF.exe
  2⤵
  PID:10740
- C:\Windows\System\AFXelPm.exe
  C:\Windows\System\AFXelPm.exe
  2⤵
  PID:10788
- C:\Windows\System\aAflwqE.exe
  C:\Windows\System\aAflwqE.exe
  2⤵
  PID:10816
- C:\Windows\System\NJsnewt.exe
  C:\Windows\System\NJsnewt.exe
  2⤵
  PID:10852
- C:\Windows\System\jKVTFXL.exe
  C:\Windows\System\jKVTFXL.exe
  2⤵
  PID:10884
- C:\Windows\System\wwoKRCn.exe
  C:\Windows\System\wwoKRCn.exe
  2⤵
  PID:10908
- C:\Windows\System\zKhZINe.exe
  C:\Windows\System\zKhZINe.exe
  2⤵
  PID:10928
- C:\Windows\System\FguBEcf.exe
  C:\Windows\System\FguBEcf.exe
  2⤵
  PID:10952
- C:\Windows\System\zAhrkSl.exe
  C:\Windows\System\zAhrkSl.exe
  2⤵
  PID:10980
- C:\Windows\System\sMsSdyZ.exe
  C:\Windows\System\sMsSdyZ.exe
  2⤵
  PID:11040
- C:\Windows\System\LuayaXK.exe
  C:\Windows\System\LuayaXK.exe
  2⤵
  PID:11060
- C:\Windows\System\ArgYQtb.exe
  C:\Windows\System\ArgYQtb.exe
  2⤵
  PID:11080
- C:\Windows\System\chzwLcN.exe
  C:\Windows\System\chzwLcN.exe
  2⤵
  PID:11112
- C:\Windows\System\zkngbQW.exe
  C:\Windows\System\zkngbQW.exe
  2⤵
  PID:11132
- C:\Windows\System\EJInRFJ.exe
  C:\Windows\System\EJInRFJ.exe
  2⤵
  PID:11148
- C:\Windows\System\UNmHpjZ.exe
  C:\Windows\System\UNmHpjZ.exe
  2⤵
  PID:11168
- C:\Windows\System\vUzHAvW.exe
  C:\Windows\System\vUzHAvW.exe
  2⤵
  PID:11192
- C:\Windows\System\BMpzaLs.exe
  C:\Windows\System\BMpzaLs.exe
  2⤵
  PID:11240
- C:\Windows\System\AEFhsKq.exe
  C:\Windows\System\AEFhsKq.exe
  2⤵
  PID:9828
- C:\Windows\System\ZtRkzhf.exe
  C:\Windows\System\ZtRkzhf.exe
  2⤵
  PID:10260
- C:\Windows\System\dpjVTec.exe
  C:\Windows\System\dpjVTec.exe
  2⤵
  PID:1328
- C:\Windows\System\LMxiInm.exe
  C:\Windows\System\LMxiInm.exe
  2⤵
  PID:10340
- C:\Windows\System\YbXlziW.exe
  C:\Windows\System\YbXlziW.exe
  2⤵
  PID:10448
- C:\Windows\System\JSiyqmX.exe
  C:\Windows\System\JSiyqmX.exe
  2⤵
  PID:10356
- C:\Windows\System\xarWlLJ.exe
  C:\Windows\System\xarWlLJ.exe
  2⤵
  PID:10480
- C:\Windows\System\UJdyoJN.exe
  C:\Windows\System\UJdyoJN.exe
  2⤵
  PID:10492
- C:\Windows\System\rgTmZJV.exe
  C:\Windows\System\rgTmZJV.exe
  2⤵
  PID:10616
- C:\Windows\System\tJVQSLV.exe
  C:\Windows\System\tJVQSLV.exe
  2⤵
  PID:10668
- C:\Windows\System\BjZyoSM.exe
  C:\Windows\System\BjZyoSM.exe
  2⤵
  PID:10764
- C:\Windows\System\vrTTVSu.exe
  C:\Windows\System\vrTTVSu.exe
  2⤵
  PID:10840
- C:\Windows\System\RKalvss.exe
  C:\Windows\System\RKalvss.exe
  2⤵
  PID:10900
- C:\Windows\System\dDFzsOn.exe
  C:\Windows\System\dDFzsOn.exe
  2⤵
  PID:10936
- C:\Windows\System\yuclGHF.exe
  C:\Windows\System\yuclGHF.exe
  2⤵
  PID:10992
- C:\Windows\System\ugAoUOh.exe
  C:\Windows\System\ugAoUOh.exe
  2⤵
  PID:11036
- C:\Windows\System\YxUDipr.exe
  C:\Windows\System\YxUDipr.exe
  2⤵
  PID:11200
- C:\Windows\System\dVFZNLH.exe
  C:\Windows\System\dVFZNLH.exe
  2⤵
  PID:11248
- C:\Windows\System\UQpXJUP.exe
  C:\Windows\System\UQpXJUP.exe
  2⤵
  PID:10288
- C:\Windows\System\MkIfTGu.exe
  C:\Windows\System\MkIfTGu.exe
  2⤵
  PID:10352
- C:\Windows\System\tgLPllo.exe
  C:\Windows\System\tgLPllo.exe
  2⤵
  PID:10320
- C:\Windows\System\fgRoaQz.exe
  C:\Windows\System\fgRoaQz.exe
  2⤵
  PID:4680
- C:\Windows\System\rSttgrX.exe
  C:\Windows\System\rSttgrX.exe
  2⤵
  PID:10408
- C:\Windows\System\uWPeWOs.exe
  C:\Windows\System\uWPeWOs.exe
  2⤵
  PID:10564
- C:\Windows\System\vnQAkUl.exe
  C:\Windows\System\vnQAkUl.exe
  2⤵
  PID:10684
- C:\Windows\System\dXuuJLe.exe
  C:\Windows\System\dXuuJLe.exe
  2⤵
  PID:10876
- C:\Windows\System\LbJpCil.exe
  C:\Windows\System\LbJpCil.exe
  2⤵
  PID:10972
- C:\Windows\System\toOjrYC.exe
  C:\Windows\System\toOjrYC.exe
  2⤵
  PID:11076
- C:\Windows\System\vWwtjKm.exe
  C:\Windows\System\vWwtjKm.exe
  2⤵
  PID:3888
- C:\Windows\System\lKHQfvo.exe
  C:\Windows\System\lKHQfvo.exe
  2⤵
  PID:10960
- C:\Windows\System\qIFkYeU.exe
  C:\Windows\System\qIFkYeU.exe
  2⤵
  PID:10256
- C:\Windows\System\rnQdMmT.exe
  C:\Windows\System\rnQdMmT.exe
  2⤵
  PID:10636
- C:\Windows\System\RSDPnVc.exe
  C:\Windows\System\RSDPnVc.exe
  2⤵
  PID:11104
- C:\Windows\System\xPRqmgy.exe
  C:\Windows\System\xPRqmgy.exe
  2⤵
  PID:11288
- C:\Windows\System\xuIXqRU.exe
  C:\Windows\System\xuIXqRU.exe
  2⤵
  PID:11328
- C:\Windows\System\LHxvras.exe
  C:\Windows\System\LHxvras.exe
  2⤵
  PID:11348
- C:\Windows\System\OkkbzAy.exe
  C:\Windows\System\OkkbzAy.exe
  2⤵
  PID:11380
- C:\Windows\System\rQiacMo.exe
  C:\Windows\System\rQiacMo.exe
  2⤵
  PID:11412
- C:\Windows\System\oAXmaAK.exe
  C:\Windows\System\oAXmaAK.exe
  2⤵
  PID:11432
- C:\Windows\System\GjSJJLB.exe
  C:\Windows\System\GjSJJLB.exe
  2⤵
  PID:11452
- C:\Windows\System\JbmFmvT.exe
  C:\Windows\System\JbmFmvT.exe
  2⤵
  PID:11476
- C:\Windows\System\dkUKyzB.exe
  C:\Windows\System\dkUKyzB.exe
  2⤵
  PID:11496
- C:\Windows\System\ZTuJtCK.exe
  C:\Windows\System\ZTuJtCK.exe
  2⤵
  PID:11520
- C:\Windows\System\FbSTiZM.exe
  C:\Windows\System\FbSTiZM.exe
  2⤵
  PID:11540
- C:\Windows\System\tNZmdPD.exe
  C:\Windows\System\tNZmdPD.exe
  2⤵
  PID:11564
- C:\Windows\System\gBTVOqT.exe
  C:\Windows\System\gBTVOqT.exe
  2⤵
  PID:11592
- C:\Windows\System\BRuNfIy.exe
  C:\Windows\System\BRuNfIy.exe
  2⤵
  PID:11608
- C:\Windows\System\BaajfKU.exe
  C:\Windows\System\BaajfKU.exe
  2⤵
  PID:11660
- C:\Windows\System\cHPwPAo.exe
  C:\Windows\System\cHPwPAo.exe
  2⤵
  PID:11680
- C:\Windows\System\nzHwvFT.exe
  C:\Windows\System\nzHwvFT.exe
  2⤵
  PID:11704
- C:\Windows\System\wABEdhT.exe
  C:\Windows\System\wABEdhT.exe
  2⤵
  PID:11752
- C:\Windows\System\rsaeZwV.exe
  C:\Windows\System\rsaeZwV.exe
  2⤵
  PID:11776
- C:\Windows\System\VEJlfBP.exe
  C:\Windows\System\VEJlfBP.exe
  2⤵
  PID:11804
- C:\Windows\System\UKKowqA.exe
  C:\Windows\System\UKKowqA.exe
  2⤵
  PID:11820
- C:\Windows\System\buNAnBr.exe
  C:\Windows\System\buNAnBr.exe
  2⤵
  PID:11852
- C:\Windows\System\uMwYcUh.exe
  C:\Windows\System\uMwYcUh.exe
  2⤵
  PID:11876
- C:\Windows\System\ngXfkHl.exe
  C:\Windows\System\ngXfkHl.exe
  2⤵
  PID:11916
- C:\Windows\System\DwvonIK.exe
  C:\Windows\System\DwvonIK.exe
  2⤵
  PID:11936
- C:\Windows\System\hvOyqCm.exe
  C:\Windows\System\hvOyqCm.exe
  2⤵
  PID:11960
- C:\Windows\System\oVtltTe.exe
  C:\Windows\System\oVtltTe.exe
  2⤵
  PID:11984
- C:\Windows\System\mbeydvf.exe
  C:\Windows\System\mbeydvf.exe
  2⤵
  PID:12008
- C:\Windows\System\BhLauaG.exe
  C:\Windows\System\BhLauaG.exe
  2⤵
  PID:12028
- C:\Windows\System\anplPOY.exe
  C:\Windows\System\anplPOY.exe
  2⤵
  PID:12060
- C:\Windows\System\HshKSUL.exe
  C:\Windows\System\HshKSUL.exe
  2⤵
  PID:12096
- C:\Windows\System\PYdeWOL.exe
  C:\Windows\System\PYdeWOL.exe
  2⤵
  PID:12124
- C:\Windows\System\EZkdmCe.exe
  C:\Windows\System\EZkdmCe.exe
  2⤵
  PID:12172
- C:\Windows\System\WeuDjlU.exe
  C:\Windows\System\WeuDjlU.exe
  2⤵
  PID:12200
- C:\Windows\System\OBTGZxB.exe
  C:\Windows\System\OBTGZxB.exe
  2⤵
  PID:12224
- C:\Windows\System\yxeLrkr.exe
  C:\Windows\System\yxeLrkr.exe
  2⤵
  PID:12240
- C:\Windows\System\TqERJYX.exe
  C:\Windows\System\TqERJYX.exe
  2⤵
  PID:12272
- C:\Windows\System\yWcMumd.exe
  C:\Windows\System\yWcMumd.exe
  2⤵
  PID:11320
- C:\Windows\System\VXbXSyY.exe
  C:\Windows\System\VXbXSyY.exe
  2⤵
  PID:11400
- C:\Windows\System\XIkFTaB.exe
  C:\Windows\System\XIkFTaB.exe
  2⤵
  PID:11460
- C:\Windows\System\NbOixZw.exe
  C:\Windows\System\NbOixZw.exe
  2⤵
  PID:11536
- C:\Windows\System\HZZrpaO.exe
  C:\Windows\System\HZZrpaO.exe
  2⤵
  PID:11600
- C:\Windows\System\SKiYyip.exe
  C:\Windows\System\SKiYyip.exe
  2⤵
  PID:11668
- C:\Windows\System\PzWZavI.exe
  C:\Windows\System\PzWZavI.exe
  2⤵
  PID:11716
- C:\Windows\System\EPBRBBZ.exe
  C:\Windows\System\EPBRBBZ.exe
  2⤵
  PID:11828
- C:\Windows\System\YMPbJYW.exe
  C:\Windows\System\YMPbJYW.exe
  2⤵
  PID:11868
- C:\Windows\System\MivrrjL.exe
  C:\Windows\System\MivrrjL.exe
  2⤵
  PID:11932
- C:\Windows\System\OKPoQaT.exe
  C:\Windows\System\OKPoQaT.exe
  2⤵
  PID:11956
- C:\Windows\System\aryEztU.exe
  C:\Windows\System\aryEztU.exe
  2⤵
  PID:12104
- C:\Windows\System\jOGEgzd.exe
  C:\Windows\System\jOGEgzd.exe
  2⤵
  PID:12164
- C:\Windows\System\uEsUcWw.exe
  C:\Windows\System\uEsUcWw.exe
  2⤵
  PID:12208
- C:\Windows\System\VZHCqQm.exe
  C:\Windows\System\VZHCqQm.exe
  2⤵
  PID:11340
- C:\Windows\System\DrsevYI.exe
  C:\Windows\System\DrsevYI.exe
  2⤵
  PID:11404
- C:\Windows\System\Iftuuir.exe
  C:\Windows\System\Iftuuir.exe
  2⤵
  PID:11560
- C:\Windows\System\kGBsNkL.exe
  C:\Windows\System\kGBsNkL.exe
  2⤵
  PID:11784
- C:\Windows\System\dsyBtQL.exe
  C:\Windows\System\dsyBtQL.exe
  2⤵
  PID:11860
- C:\Windows\System\LvVRvdf.exe
  C:\Windows\System\LvVRvdf.exe
  2⤵
  PID:11884
- C:\Windows\System\sCPhrqH.exe
  C:\Windows\System\sCPhrqH.exe
  2⤵
  PID:12092
- C:\Windows\System\YABXlzP.exe
  C:\Windows\System\YABXlzP.exe
  2⤵
  PID:10688
- C:\Windows\System\JccFrib.exe
  C:\Windows\System\JccFrib.exe
  2⤵
  PID:11280
- C:\Windows\System\tiubFyz.exe
  C:\Windows\System\tiubFyz.exe
  2⤵
  PID:11532
- C:\Windows\System\tAFOQft.exe
  C:\Windows\System\tAFOQft.exe
  2⤵
  PID:11744
- C:\Windows\System\WFbnqit.exe
  C:\Windows\System\WFbnqit.exe
  2⤵
  PID:12188
- C:\Windows\System\tgqZyEO.exe
  C:\Windows\System\tgqZyEO.exe
  2⤵
  PID:12304
- C:\Windows\System\rnPkdDo.exe
  C:\Windows\System\rnPkdDo.exe
  2⤵
  PID:12324
- C:\Windows\System\lShleNu.exe
  C:\Windows\System\lShleNu.exe
  2⤵
  PID:12364
- C:\Windows\System\zpaAWRj.exe
  C:\Windows\System\zpaAWRj.exe
  2⤵
  PID:12428
- C:\Windows\System\BtfYueb.exe
  C:\Windows\System\BtfYueb.exe
  2⤵
  PID:12476
- C:\Windows\System\GJUTBgk.exe
  C:\Windows\System\GJUTBgk.exe
  2⤵
  PID:12492
- C:\Windows\System\XUkXmHn.exe
  C:\Windows\System\XUkXmHn.exe
  2⤵
  PID:12520
- C:\Windows\System\KcyyfkO.exe
  C:\Windows\System\KcyyfkO.exe
  2⤵
  PID:12548
- C:\Windows\System\kXsgMpO.exe
  C:\Windows\System\kXsgMpO.exe
  2⤵
  PID:12568
- C:\Windows\System\bAjHcNh.exe
  C:\Windows\System\bAjHcNh.exe
  2⤵
  PID:12592
- C:\Windows\System\cXevdFl.exe
  C:\Windows\System\cXevdFl.exe
  2⤵
  PID:12636
- C:\Windows\System\adRbGIQ.exe
  C:\Windows\System\adRbGIQ.exe
  2⤵
  PID:12664
- C:\Windows\System\SzgnNoC.exe
  C:\Windows\System\SzgnNoC.exe
  2⤵
  PID:12696
- C:\Windows\System\CdrDuht.exe
  C:\Windows\System\CdrDuht.exe
  2⤵
  PID:12716
- C:\Windows\System\XwAJXqF.exe
  C:\Windows\System\XwAJXqF.exe
  2⤵
  PID:12736
- C:\Windows\System\TKIdQNO.exe
  C:\Windows\System\TKIdQNO.exe
  2⤵
  PID:12752
- C:\Windows\System\zatWCDM.exe
  C:\Windows\System\zatWCDM.exe
  2⤵
  PID:12776
- C:\Windows\System\kKPYtyD.exe
  C:\Windows\System\kKPYtyD.exe
  2⤵
  PID:12796
- C:\Windows\System\WJbpUtX.exe
  C:\Windows\System\WJbpUtX.exe
  2⤵
  PID:12828
- C:\Windows\System\NxZtfWm.exe
  C:\Windows\System\NxZtfWm.exe
  2⤵
  PID:12848
- C:\Windows\System\eTWjojm.exe
  C:\Windows\System\eTWjojm.exe
  2⤵
  PID:12892
- C:\Windows\System\prtorQR.exe
  C:\Windows\System\prtorQR.exe
  2⤵
  PID:12924
- C:\Windows\System\qtRPwPP.exe
  C:\Windows\System\qtRPwPP.exe
  2⤵
  PID:12952
- C:\Windows\System\qAjmTDu.exe
  C:\Windows\System\qAjmTDu.exe
  2⤵
  PID:12988
- C:\Windows\System\YROhJXC.exe
  C:\Windows\System\YROhJXC.exe
  2⤵
  PID:13024
- C:\Windows\System\ziqJkrQ.exe
  C:\Windows\System\ziqJkrQ.exe
  2⤵
  PID:13048
- C:\Windows\System\PFYtBEg.exe
  C:\Windows\System\PFYtBEg.exe
  2⤵
  PID:13064
- C:\Windows\System\oToEuJt.exe
  C:\Windows\System\oToEuJt.exe
  2⤵
  PID:13104
- C:\Windows\System\MtRmSkm.exe
  C:\Windows\System\MtRmSkm.exe
  2⤵
  PID:13120
- C:\Windows\System\IMYxnWb.exe
  C:\Windows\System\IMYxnWb.exe
  2⤵
  PID:13152
- C:\Windows\System\dfuwbwE.exe
  C:\Windows\System\dfuwbwE.exe
  2⤵
  PID:13168
- C:\Windows\System\vssyRvm.exe
  C:\Windows\System\vssyRvm.exe
  2⤵
  PID:13216
- C:\Windows\System\gukiTgB.exe
  C:\Windows\System\gukiTgB.exe
  2⤵
  PID:13248
- C:\Windows\System\ypclNGT.exe
  C:\Windows\System\ypclNGT.exe
  2⤵
  PID:13276
- C:\Windows\System\JWYdDCV.exe
  C:\Windows\System\JWYdDCV.exe
  2⤵
  PID:13308
- C:\Windows\System\xPqYNCS.exe
  C:\Windows\System\xPqYNCS.exe
  2⤵
  PID:11672
- C:\Windows\System\gNLPQhO.exe
  C:\Windows\System\gNLPQhO.exe
  2⤵
  PID:12292
- C:\Windows\System\LYiFETT.exe
  C:\Windows\System\LYiFETT.exe
  2⤵
  PID:12360
- C:\Windows\System\bsOvJBL.exe
  C:\Windows\System\bsOvJBL.exe
  2⤵
  PID:12420
- C:\Windows\System\jrMlssD.exe
  C:\Windows\System\jrMlssD.exe
  2⤵
  PID:12456
- C:\Windows\System\EkrINsu.exe
  C:\Windows\System\EkrINsu.exe
  2⤵
  PID:2860
- C:\Windows\System\oppSiey.exe
  C:\Windows\System\oppSiey.exe
  2⤵
  PID:12564
- C:\Windows\System\zWMTPbm.exe
  C:\Windows\System\zWMTPbm.exe
  2⤵
  PID:12632
- C:\Windows\System\ImqQJlJ.exe
  C:\Windows\System\ImqQJlJ.exe
  2⤵
  PID:12676
- C:\Windows\System\LNbfaCO.exe
  C:\Windows\System\LNbfaCO.exe
  2⤵
  PID:12704
- C:\Windows\System\VzHrhwN.exe
  C:\Windows\System\VzHrhwN.exe
  2⤵
  PID:12772
- C:\Windows\System\egzIpsM.exe
  C:\Windows\System\egzIpsM.exe
  2⤵
  PID:12824
- C:\Windows\System\zUArGJJ.exe
  C:\Windows\System\zUArGJJ.exe
  2⤵
  PID:12936
- C:\Windows\System\yLMYgQM.exe
  C:\Windows\System\yLMYgQM.exe
  2⤵
  PID:12984
- C:\Windows\System\YDxtCzo.exe
  C:\Windows\System\YDxtCzo.exe
  2⤵
  PID:13044
- C:\Windows\System\VTWVnfI.exe
  C:\Windows\System\VTWVnfI.exe
  2⤵
  PID:13112
- C:\Windows\System\EuqQrhw.exe
  C:\Windows\System\EuqQrhw.exe
  2⤵
  PID:13136

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:9924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GOM5RXN2\home-993d2c38b2c1[1].css

Filesize
11KB

MD5
6328d6d9a6b00ce7f992230b97b17c1f

SHA1
88837b802bdde407e37e92641072ea2eeec95556

SHA256
c9d9b80794cebd7d97daf52f7f0ce0e31bcf7a6f65a6e07851c688d67f10dba8

SHA512
993d2c38b2c15499aebdb39c1f9c21d0501d4c2a5973caec65be9ddc3ddfd6e46d06449e7483daa4fa9afa17cb81ff27a391519a64629169eb15c52911aab2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s4roerxj.leo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BFCFLGB.exe

Filesize
2.3MB

MD5
0d8b00dbee3b42a73a65353f51095d7e

SHA1
f9b0eeaa7dce2a44a50c6c65896e6803edbacd06

SHA256
eecb419d3b77c4d14edc56b05d17cea2309030059bfbd063ee65b2a0dae0319c

SHA512
571f6077cf8852196cb22214188414ed1e74d14a62c41d5912ef7cddb9c47e89b92e5e59cbbdbcbc009312f10799272ac303595050d21ee82e1c3783465e01e4

Download Submit
C:\Windows\System\CRBXLsn.exe

Filesize
2.3MB

MD5
fe6765e59790dd75ccda968f06496a81

SHA1
ed3f2d454046af6f2fb18690a0d1feda9d9fa874

SHA256
c67cd9e533c28704c2567dfe2d945fac9ecdcc0939bb70328f44d205f66252a4

SHA512
4c5f5bbe9972a255ce2158fe4b195921c308716f1fca726680c0f51a57a7f41a32ac61ab9b5866e6d814f1b9ad25b8772fc086e363b2c39cbebd4226407322b8

Download Submit
C:\Windows\System\Cryivhh.exe

Filesize
2.3MB

MD5
aa9019204891981bc66208954e076db6

SHA1
ed502becc7f48b472d469dad468381a954018a2a

SHA256
60a8348f739967fdb83b79889599495a76636ff9d5ae0627331ee2c630015106

SHA512
cc1cfd1fb7d89b71c1ed20c8ed2d57f3e408a56d6680ecd529f651c7df04984b7ae6f5d7ccb332674bdfe6fdacd263564cf95555bbc8c2fb8cd5626d63effab7

Download Submit
C:\Windows\System\DIxvLtO.exe

Filesize
2.3MB

MD5
dbcc53ac777240079981e3681699d73c

SHA1
cee7239c8437c10ca5bf64b18f7d697d38103c8c

SHA256
30fa885311ad035ec3aa3a12a50ca620d7913be854d679ac13eedf410dcb314e

SHA512
f90b8bb3df4311a19fb71150451b1b43da449695e5f0ed00d4c7717751012f88733cca996a307f77143ae57ff6538fab6b3e558b9b282e0b21a770004a1aad5e

Download Submit
C:\Windows\System\HalcDTc.exe

Filesize
2.3MB

MD5
8b38a927c96949a8f877f8975ffa289f

SHA1
15ea8f1d47e4989ecb4df549e5e5c47b470ec765

SHA256
2d722e6e74038ebd6caedc71abe54c6551dd1220b7983a8e992caf89578c701b

SHA512
f1cb5dcd4e2d211c783bf8b8ea6b852fe5494d80fe9d1ff70dbd91aa2799c2e25d9a8897125a9dcd0b395291dd3ef0e529d483fcc34b03b0195e8bb35d6db1ae

Download Submit
C:\Windows\System\ItJPBAS.exe

Filesize
2.3MB

MD5
c9e16c6d2b9357197be9e2dc86fd9e25

SHA1
64e8df288a2553f5a3bfb4bde10118ba82651690

SHA256
bcd90abfcda5765c505e02e79c757dba69ac095a1f200bfad127bb1d60c30667

SHA512
c47cf8a65a205f387f31a17188f6f28d56fb3e68c350d32e6cc69b91978cd11ab756978c0645d35e844e95b84ef73ffdac1f987939073cd73bf4f4e9f2a947f6

Download Submit
C:\Windows\System\OhkwHBa.exe

Filesize
2.3MB

MD5
9b1c1ef6c283fbac0e3560a3954219a5

SHA1
86bac2f0fd8d4c3ec1f92a96d45981d78e76b7e4

SHA256
2ae307f19bea285f262db34d24df3159c15fc3fe1ea6ec9e7c57d3bcf060427f

SHA512
3fc5b867d4022e6f3bf28a3817be514d954e1f6e0e1a0cce7b8eeba6cf770c3c05ee1bcf0537ab2a9741c2c6d3cc20b6c5488ecec290d7855132e6e68c039f90

Download Submit
C:\Windows\System\QAgAdgm.exe

Filesize
2.3MB

MD5
51a74354820977c62e7a82a926f3b264

SHA1
826360b7d8119ec1f60ef7087b2b20a3970d8f2d

SHA256
701ccb2e53e7c7c8cb190b32965cbb7bf7531f79f37b72ed9cee8db5ff0d40b5

SHA512
50c49b687b349370a8dc5ce99143182530047b564b7cf3e8759c75723f4adb5cc26b2b1d120bfdec0c078236260172ec799c6d97c156544b0564f2a547ed80cb

Download Submit
C:\Windows\System\SJDRCXT.exe

Filesize
2.3MB

MD5
79a32a4f867f90458575af5059d00f37

SHA1
6d6e1362ffb5c49ee3d8d57c8e4448a5f4c765f2

SHA256
0b45a1b5c0831a00354603c613d62510115a4bb84cec18a64c995ab2e514c3f2

SHA512
b3d58e1bc082cd089909126d178d0a62aa25846f5671c1e1bd2f1ee324df1e9ba6830ae732ba8cea2ede33d5764c6570c5c3f38367da3ed9e0d6e204481a0417

Download Submit
C:\Windows\System\StPPrDD.exe

Filesize
2.3MB

MD5
548c7c096cceda6a15f9a58674c6744e

SHA1
e1c687214fe4fc272632b55b2b7b0dfefac2bec3

SHA256
6c067665268d1f8ca4eead0bd0af074c816612298717d1542078f0e44cdef35e

SHA512
433072b8f3c640506b79c9a30264c764c2c0c5e0e558caa9ca3dbe2ad64a8443a81c93b3a39834cc7b406b3e27fc4a3208fd4ca8e66fbc044b186374b31b1ad1

Download Submit
C:\Windows\System\UALzYVP.exe

Filesize
2.3MB

MD5
c8d1168d43eb32f0aee491e61b611cab

SHA1
6fb9626a3a4999d3cb98f0c04dd43a1f5dfe54c1

SHA256
a6ce0c537ac380844a1e6a9f52861b304bd55290d12ef876403c76d1ed5ac81e

SHA512
41cfc066b67ad46247071ef7ed7ec9b5bd93bf84d5e13a9d24c10401eb957d9fc918d0cb895053a8a5460f45b5792ebb4f6d8627cfe01c9b2e931446d060b8d1

Download Submit
C:\Windows\System\Upkmczo.exe

Filesize
2.3MB

MD5
4d65f37a04ca38d22055555014b94169

SHA1
3e02055bfc74467180ae8913ee03b19657e4d0cf

SHA256
0b5ee066d3e7bb6ed6e141147d35cc3509a378a3767b3bfc8e7dfe9184a0b628

SHA512
4aa9c0daeb5040bce600907c0d6989a9b08709613a5ead1741e616558b9d7db6da29ac8e64638fec12ec75485fb308ee1ad6affb05208bc68df3c4864d6ca33e

Download Submit
C:\Windows\System\XHHigJG.exe

Filesize
2.3MB

MD5
6dd6c81a7ea8f874b63902b5ef2b202d

SHA1
1164d408c10bdac352f36259c2cd12540f825793

SHA256
92d4ffaaa8a54413e97cd2957b9de56cce31ad1c43d1f03b6253d7776736bbe1

SHA512
2f279449b4a68dd1ae4b132b389a7a0e6f825a0b4e48676214ec19eabbb078f05ed27418dbcfa121e5aa0813eeee8dcc9ad0cc83d8eaab509411111f88a3dc3f

Download Submit
C:\Windows\System\ZuXoxJo.exe

Filesize
2.3MB

MD5
30b8627587d5cc8ce83f670f0f426153

SHA1
0e1651b72ec3331cec2cd3fc62579d3ed3967a68

SHA256
fe8ee1da1e26c647d5dc2301f3efedd68f7d409c590f464ecd54b8272ad3f460

SHA512
2402bd307cba0bfeab3789104b7cc765c0454d562806220c397e7c1a53fe586f15ff0974e16751e7cd33ef6d5ee48d81247704026fd266f3d5159e6c752c1fc0

Download Submit
C:\Windows\System\bCnhSCt.exe

Filesize
2.3MB

MD5
760d6de5e54d7d83fc85aa388319efde

SHA1
7c4819871d022f194def9899a0b8267219155d71

SHA256
40b5ea2db3c55b4f8914ebf6748c5a7cdd57872804e4eb748a2c465da9ec3561

SHA512
089a44a1cb8d54f2955bc80a37e2bcf8faad20ef239ad372f7f4bfa726345b9002070080583c46cf74151b8a3348fe029cf1e9edaf05bb90f2282769dd045245

Download Submit
C:\Windows\System\bpWrqOB.exe

Filesize
2.3MB

MD5
31b6c982fa1cd6295ab16aeb5ab49ec8

SHA1
b5d535e4616ac636557d538b8154dc7d0a6d4b88

SHA256
b20dd10b8bdeb5bc0cbdd29733f5f700af50bcb4c3e9bd8120053ed6b4837c6e

SHA512
b9003e6594d84afbc165eb5ce2045af5cc966d149867781c8d0e576db1fc0431ca983844867493ed9f754862c0a20fb43054e89cf80f5f43d8f24d862a7a468b

Download Submit
C:\Windows\System\bybxsFN.exe

Filesize
2.3MB

MD5
d342c455fe00550298d27d86f84a8bf2

SHA1
5c14d9e393a1ff5d46bdbc0b941699ac0e8511f7

SHA256
dc83ea617a27c9edc477d50ec8840d94c07f17632296983dad26aa1529dd3f58

SHA512
1565acd08db30a2c9dd2a21193df33047263117989d36144cc5fdec440ed7eb0c6f6c930cd0a7f818003a662de1b9693effbfc74c59981864c50c0a7cc302c1c

Download Submit
C:\Windows\System\engeFDP.exe

Filesize
2.3MB

MD5
b9cb1e40ab432dd8e055746fef611008

SHA1
0850b6308954834694240ea1794a6801978895ee

SHA256
9d1059fbd7b54a4e5467a749eabf760dd74ffaba87b5924921d1cf8a1eb0b81d

SHA512
f86e2c955b4800a86a05e1a89b2fba72d00e8a0afa3bb589dda91079b1d92d499ecdbcb3e446d3708e77bca1eb27dd6bae070c95d7b05020ea70a37bc5fea2a5

Download Submit
C:\Windows\System\eoVCGIu.exe

Filesize
2.3MB

MD5
fbc199d7ad07df29f6fa31bcdefb2f25

SHA1
c838f9b04b739e987fe387773176a451c865c5e0

SHA256
54c9845278778bc4701c8fbf5a06e30a119e3ecb2916d0e38495199679b79cfa

SHA512
c3df35aa98e129be8061fb5a14980d0197f38c12fc853f9740c2bca74123e5f4075772d8e224de44e2c257eb7d5ea2573d46bfbd132e0e749b099fe523a205bb

Download Submit
C:\Windows\System\hyUONBD.exe

Filesize
2.3MB

MD5
0a215519d456506cdf0e7cec99e48189

SHA1
2339e3ac09e82772550f6b7c79efec7b4a79021a

SHA256
cd027851460e28bbc1869ff87c6562f534803ea3e08769df23a84315b48e12f2

SHA512
0f5eb588019bb47bfd3d4ed0325120d7c9edfe54735f74e84e8817b845cd4f9d8df6b75b6da88fc1c0009c2b749f09cf273fe7a1186236757129b3116379cfb9

Download Submit
C:\Windows\System\iQBSwfQ.exe

Filesize
2.3MB

MD5
6491d6903fdf162513e1f4a1b7da8986

SHA1
f6b7d4eb84e0530cb0cb0c2bb28e4d065e8f7723

SHA256
5cf2933019aabb788a5cd5ba8952c28386f46457c0dc157c9b112ba84b8a8999

SHA512
c1785c6dc9181b03b3771f7c25a40cc27d04bf1bf91031bfed6d15546208d3a167282de2c005f5e134d8336f7847fcca95a074547febce990e998fabca85c0e6

Download Submit
C:\Windows\System\itfzooT.exe

Filesize
2.3MB

MD5
780f08e1d4a8bcbcf3043df2b204bbb2

SHA1
9f5ee8fe0669634da3738854fc01aee9842cb557

SHA256
77466b8a15451e1136705981fe66587cd02ab1029385f0a8f1cc29542082a043

SHA512
7a07e2fa61b5e494a5580308f56ca683ce9a162289d6a8009625150aeec06c4399ca3d46d24439c7f9bf74ba4a5b19fac795a93c75fe5ad1da0834ea5f874e4a

Download Submit
C:\Windows\System\kXthoWM.exe

Filesize
2.3MB

MD5
66f3c287c0f6ddb2870f858fd3c38021

SHA1
a92fc5e0fdbe18906ebbbce5f04a7245184f72ed

SHA256
a789d31c7a67917d044a3d4435a5105a6ecc44eae6b7ef587b476b87f73af481

SHA512
86ad553f8d6e6d04ffad015826be1fd0bedb04ab0f3ce4a9af57e9d950fa1fc71b2f796c97087eb1e8172138437d9720b2aff4f54dfdffad863300a352af8d37

Download Submit
C:\Windows\System\ndOKDZQ.exe

Filesize
2.3MB

MD5
c72cf9ecbfe654795865ea426df2f1b0

SHA1
30c058135defc36fdf07c3d054e0d2d42e75398d

SHA256
4446878ef844771780d505af343e050efd280e8f012a6b08aa792dd8433242cf

SHA512
ea1c349f7dfc7b5d0fa2a50254fe75ae0716e53ed118d74ad606742d3a98aeddc41d4a24f40dd2ea3e5f8e037a15deba335f3e0da7519d23e76b0037e52689d0

Download Submit
C:\Windows\System\ondLVmT.exe

Filesize
2.3MB

MD5
a63599681a1e048116fd0b4073e8a94f

SHA1
97f1dd705c7ebe2449d48cf108c96fad47df613c

SHA256
b1003d9c05390588f762d2d2b7057d0b2d5b3c074c966203fe2085b8ac5c2078

SHA512
a4dad5673f0a9956d9d56686470e8e673f609d1fddeabd6c1088ceacca7c44e47395e01a762f314184de0074517794799c0cc65cef070e951ee25c0fda9aada2

Download Submit
C:\Windows\System\pqtDJlV.exe

Filesize
2.3MB

MD5
9f637034a1c92f4d8d1cb090c2273095

SHA1
3910cb0fd1ba8db39b889d21b2398e555dc1077f

SHA256
d5b2cf6cd1b3eb6f9a2ed150d1b2af0b6605da4a8f0981741176501ad31fb468

SHA512
72932854574753f282531c418ad05cd0b49bc125963a72164684db4a940530d1511127d974fad57873b11b66eb1f7a0490327a70aec028865232c87a397cace2

Download Submit
C:\Windows\System\sAMLAom.exe

Filesize
2.3MB

MD5
5889d604cfd8105125ea2ffe30d9efeb

SHA1
8f0c7471b6976e72120e4513e26f61cda75740bb

SHA256
7c2aa47f523a252cf25f8eb63748c9b01c68ece8e63e4179a8ac41355375024e

SHA512
59056b04dff3c3ef95a127dfff981c47a21ddc3d53a172b544b352de203f98804bf42e8f487de004c1555997c8931142560240c50a992285476685f96d5bb561

Download Submit
C:\Windows\System\syIotah.exe

Filesize
2.3MB

MD5
c375eaa3152fc50e1b8615f545c4bd4c

SHA1
43de2205e9fda5ec7b03093b30c95a9c074cc84c

SHA256
e2d27dcccc7cac74d8161f62a10242c5ad9528e79f3b1f025134d312709db3d7

SHA512
89c70f76637b5be9b1ed03df1b0ebd9d9d4327a49bbaa4753a14ac2e5836d6722730eeecb9ba507ed855c988c63a23d9c83c085384c834e71a158b69b50d8331

Download Submit
C:\Windows\System\tdRKIBu.exe

Filesize
2.3MB

MD5
97e4deea92e4446961df69e802e70b41

SHA1
4c83e9625f03d047b7fb93bd5818ae95fc519765

SHA256
2aead8f36986daeeca55e099eb10dc7e58144fc6ee9dc09c7731307b945a471a

SHA512
4d0861f3e7a5d234dec16c2d87f9f7ee76658107c9e429f4f370e78dddc585cc2aa30bb69abafd771d9516232642fcafb72c07edee136fc623b1e3b91a8ad404

Download Submit
C:\Windows\System\ugxdpqA.exe

Filesize
2.3MB

MD5
1880b3ae8634129f47e1ea02c7bc727a

SHA1
5a71078aa8c3ab559d4d536a8e50298d2b39e1d5

SHA256
781bcc7883eb7e4c4fb6e10a7be9f9683c35146e66fdefc6f24f27aa3950991a

SHA512
7b23f8518bc06e9c45a07e99a57b727064fea04c6a83ac3c122168277725f6d49597691e3044d8513bd38abdbd89ccaf69ab25ea7e461601bedba705945c053f

Download Submit
C:\Windows\System\vqwQUUH.exe

Filesize
2.3MB

MD5
c8eefca38c1c0143f4bd8e3625865de2

SHA1
6fde036cf2a4e1d3d562f411bd364e604a00ee4b

SHA256
241432fa7fd6a9d24f813ae3bb35914856462b14b82f3c62d8df616240088bbb

SHA512
5d412c817915992aaff4c90a0b97fabc35b0a3174232a6d093b8ea0d08db35723f2cf2fd545ba388720c2d46180bca40132413a6df8e1dc6a9fc806483619a78

Download Submit
C:\Windows\System\zcxUoXz.exe

Filesize
2.3MB

MD5
f81012d5df820e994aec1318b1dc175b

SHA1
c0095e9a4f6b2dff2ded0cae67452dce3ffe6394

SHA256
7896fad9d40336bdfa4172fee3d2716103cf0d4530fffee2a312a5e6687dad57

SHA512
81a7e15f67a1999b5461f078a1df41baa6201af55e777de6b1b5f2ff813fbabd6a3eb32165bda91a39b2a06702a52ef07910d9b5e95ea7c44459b7d2faa0a0e0

Download Submit
memory/512-2244-0x00007FF67E0D0000-0x00007FF67E4C2000-memory.dmp

Filesize
3.9MB

Download
memory/512-140-0x00007FF67E0D0000-0x00007FF67E4C2000-memory.dmp

Filesize
3.9MB

Download
memory/512-2226-0x00007FF67E0D0000-0x00007FF67E4C2000-memory.dmp

Filesize
3.9MB

Download
memory/532-2246-0x00007FF69BC80000-0x00007FF69C072000-memory.dmp

Filesize
3.9MB

Download
memory/532-148-0x00007FF69BC80000-0x00007FF69C072000-memory.dmp

Filesize
3.9MB

Download
memory/532-2151-0x00007FF69BC80000-0x00007FF69C072000-memory.dmp

Filesize
3.9MB

Download
memory/548-2232-0x00007FF6AF0A0000-0x00007FF6AF492000-memory.dmp

Filesize
3.9MB

Download
memory/548-120-0x00007FF6AF0A0000-0x00007FF6AF492000-memory.dmp

Filesize
3.9MB

Download
memory/548-2148-0x00007FF6AF0A0000-0x00007FF6AF492000-memory.dmp

Filesize
3.9MB

Download
memory/552-2161-0x00007FF664920000-0x00007FF664D12000-memory.dmp

Filesize
3.9MB

Download
memory/552-2120-0x00007FF664920000-0x00007FF664D12000-memory.dmp

Filesize
3.9MB

Download
memory/552-50-0x00007FF664920000-0x00007FF664D12000-memory.dmp

Filesize
3.9MB

Download
memory/992-107-0x00007FF6F71B0000-0x00007FF6F75A2000-memory.dmp

Filesize
3.9MB

Download
memory/992-2230-0x00007FF6F71B0000-0x00007FF6F75A2000-memory.dmp

Filesize
3.9MB

Download
memory/992-2147-0x00007FF6F71B0000-0x00007FF6F75A2000-memory.dmp

Filesize
3.9MB

Download
memory/1124-2168-0x00007FF7E6100000-0x00007FF7E64F2000-memory.dmp

Filesize
3.9MB

Download
memory/1124-61-0x00007FF7E6100000-0x00007FF7E64F2000-memory.dmp

Filesize
3.9MB

Download
memory/1552-0-0x00007FF67F4F0000-0x00007FF67F8E2000-memory.dmp

Filesize
3.9MB

Download
memory/1552-2100-0x00007FF67F4F0000-0x00007FF67F8E2000-memory.dmp

Filesize
3.9MB

Download
memory/1552-1-0x0000021035120000-0x0000021035130000-memory.dmp

Filesize
64KB

Download
memory/1624-21-0x00007FF6E16D0000-0x00007FF6E1AC2000-memory.dmp

Filesize
3.9MB

Download
memory/1624-2158-0x00007FF6E16D0000-0x00007FF6E1AC2000-memory.dmp

Filesize
3.9MB

Download
memory/2160-157-0x00007FF6FC2C0000-0x00007FF6FC6B2000-memory.dmp

Filesize
3.9MB

Download
memory/2160-2228-0x00007FF6FC2C0000-0x00007FF6FC6B2000-memory.dmp

Filesize
3.9MB

Download
memory/2348-65-0x00007FF7A5890000-0x00007FF7A5C82000-memory.dmp

Filesize
3.9MB

Download
memory/2348-2136-0x00007FF7A5890000-0x00007FF7A5C82000-memory.dmp

Filesize
3.9MB

Download
memory/2348-2174-0x00007FF7A5890000-0x00007FF7A5C82000-memory.dmp

Filesize
3.9MB

Download
memory/2680-161-0x00007FF732BB0000-0x00007FF732FA2000-memory.dmp

Filesize
3.9MB

Download
memory/2680-2243-0x00007FF732BB0000-0x00007FF732FA2000-memory.dmp

Filesize
3.9MB

Download
memory/2896-2157-0x00007FF777F70000-0x00007FF778362000-memory.dmp

Filesize
3.9MB

Download
memory/2896-25-0x00007FF777F70000-0x00007FF778362000-memory.dmp

Filesize
3.9MB

Download
memory/3028-43-0x00007FF71B910000-0x00007FF71BD02000-memory.dmp

Filesize
3.9MB

Download
memory/3028-2163-0x00007FF71B910000-0x00007FF71BD02000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2235-0x00007FF62AE40000-0x00007FF62B232000-memory.dmp

Filesize
3.9MB

Download
memory/3216-110-0x00007FF62AE40000-0x00007FF62B232000-memory.dmp

Filesize
3.9MB

Download
memory/3216-2221-0x00007FF62AE40000-0x00007FF62B232000-memory.dmp

Filesize
3.9MB

Download
memory/3240-2250-0x00007FF73B7B0000-0x00007FF73BBA2000-memory.dmp

Filesize
3.9MB

Download
memory/3240-164-0x00007FF73B7B0000-0x00007FF73BBA2000-memory.dmp

Filesize
3.9MB

Download
memory/3464-2248-0x00007FF71F660000-0x00007FF71FA52000-memory.dmp

Filesize
3.9MB

Download
memory/3464-156-0x00007FF71F660000-0x00007FF71FA52000-memory.dmp

Filesize
3.9MB

Download
memory/3580-2240-0x00007FF7B81F0000-0x00007FF7B85E2000-memory.dmp

Filesize
3.9MB

Download
memory/3580-158-0x00007FF7B81F0000-0x00007FF7B85E2000-memory.dmp

Filesize
3.9MB

Download
memory/4220-2237-0x00007FF669860000-0x00007FF669C52000-memory.dmp

Filesize
3.9MB

Download
memory/4220-152-0x00007FF669860000-0x00007FF669C52000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2164-0x00007FF61B770000-0x00007FF61BB62000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2119-0x00007FF61B770000-0x00007FF61BB62000-memory.dmp

Filesize
3.9MB

Download
memory/4256-41-0x00007FF61B770000-0x00007FF61BB62000-memory.dmp

Filesize
3.9MB

Download
memory/4344-2171-0x00007FF716750000-0x00007FF716B42000-memory.dmp

Filesize
3.9MB

Download
memory/4344-2137-0x00007FF716750000-0x00007FF716B42000-memory.dmp

Filesize
3.9MB

Download
memory/4344-66-0x00007FF716750000-0x00007FF716B42000-memory.dmp

Filesize
3.9MB

Download
memory/4432-78-0x0000015A18520000-0x0000015A18542000-memory.dmp

Filesize
136KB

Download
memory/4432-79-0x0000015A31AB0000-0x0000015A32256000-memory.dmp

Filesize
7.6MB

Download
memory/4600-10-0x00007FF6063D0000-0x00007FF6067C2000-memory.dmp

Filesize
3.9MB

Download
memory/4600-2154-0x00007FF6063D0000-0x00007FF6067C2000-memory.dmp

Filesize
3.9MB

Download
memory/4640-62-0x00007FF7BD310000-0x00007FF7BD702000-memory.dmp

Filesize
3.9MB

Download
memory/4640-2172-0x00007FF7BD310000-0x00007FF7BD702000-memory.dmp

Filesize
3.9MB

Download
memory/4664-2150-0x00007FF7F1840000-0x00007FF7F1C32000-memory.dmp

Filesize
3.9MB

Download
memory/4664-2238-0x00007FF7F1840000-0x00007FF7F1C32000-memory.dmp

Filesize
3.9MB

Download
memory/4664-129-0x00007FF7F1840000-0x00007FF7F1C32000-memory.dmp

Filesize
3.9MB

Download
memory/4732-2166-0x00007FF7187B0000-0x00007FF718BA2000-memory.dmp

Filesize
3.9MB

Download
memory/4732-56-0x00007FF7187B0000-0x00007FF718BA2000-memory.dmp

Filesize
3.9MB

Download
memory/4920-166-0x00007FF7860E0000-0x00007FF7864D2000-memory.dmp

Filesize
3.9MB

Download
memory/4920-2252-0x00007FF7860E0000-0x00007FF7864D2000-memory.dmp

Filesize
3.9MB

Download