xmrig | e686d993a803c34452a13339b7c4627fc7c09de2be9686aa6b4b4372c0bc41c2

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
Size

1.7MB
MD5

3ec342b8ca93f2a55450e84f3b25de2a
SHA1

aacc1e68a505953734383af839663b0c6ff5326a
SHA256

e686d993a803c34452a13339b7c4627fc7c09de2be9686aa6b4b4372c0bc41c2
SHA512

fd17211d8fa76669e1452d81ea3ad8722b06b9d1075b03c7ad06175e4096bb8ee6684fd7eb83c5e5ed183c912a4bb20441920b99393d5284a4b3f6c284acb99d
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWY1s38kQu12bPxvyuzaBgJ9pcFt9:Lz071uv4BPMkibTIA5I4TNrpDGKI

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/3632-53-0x00007FF72F730000-0x00007FF72FB22000-memory.dmp	xmrig
behavioral2/memory/1968-79-0x00007FF71C230000-0x00007FF71C622000-memory.dmp	xmrig
behavioral2/memory/2656-88-0x00007FF763A90000-0x00007FF763E82000-memory.dmp	xmrig
behavioral2/memory/1616-113-0x00007FF67A620000-0x00007FF67AA12000-memory.dmp	xmrig
behavioral2/memory/3448-177-0x00007FF6AE290000-0x00007FF6AE682000-memory.dmp	xmrig
behavioral2/memory/3444-171-0x00007FF79B780000-0x00007FF79BB72000-memory.dmp	xmrig
behavioral2/memory/5104-165-0x00007FF70F5D0000-0x00007FF70F9C2000-memory.dmp	xmrig
behavioral2/memory/4256-159-0x00007FF71B460000-0x00007FF71B852000-memory.dmp	xmrig
behavioral2/memory/4672-151-0x00007FF737660000-0x00007FF737A52000-memory.dmp	xmrig
behavioral2/memory/4656-150-0x00007FF7F1B90000-0x00007FF7F1F82000-memory.dmp	xmrig
behavioral2/memory/224-141-0x00007FF79B430000-0x00007FF79B822000-memory.dmp	xmrig
behavioral2/memory/2760-109-0x00007FF64DE70000-0x00007FF64E262000-memory.dmp	xmrig
behavioral2/memory/344-102-0x00007FF7BD420000-0x00007FF7BD812000-memory.dmp	xmrig
behavioral2/memory/3932-99-0x00007FF649700000-0x00007FF649AF2000-memory.dmp	xmrig
behavioral2/memory/4864-92-0x00007FF682E90000-0x00007FF683282000-memory.dmp	xmrig
behavioral2/memory/3048-85-0x00007FF7845F0000-0x00007FF7849E2000-memory.dmp	xmrig
behavioral2/memory/3772-82-0x00007FF6A3C80000-0x00007FF6A4072000-memory.dmp	xmrig
behavioral2/memory/4688-78-0x00007FF658160000-0x00007FF658552000-memory.dmp	xmrig
behavioral2/memory/2512-71-0x00007FF747A90000-0x00007FF747E82000-memory.dmp	xmrig
behavioral2/memory/1168-1983-0x00007FF75CEF0000-0x00007FF75D2E2000-memory.dmp	xmrig
behavioral2/memory/4148-1993-0x00007FF6CA070000-0x00007FF6CA462000-memory.dmp	xmrig
behavioral2/memory/2344-1994-0x00007FF761EF0000-0x00007FF7622E2000-memory.dmp	xmrig
behavioral2/memory/4464-2027-0x00007FF7EFE50000-0x00007FF7F0242000-memory.dmp	xmrig
behavioral2/memory/2884-2029-0x00007FF6439A0000-0x00007FF643D92000-memory.dmp	xmrig
behavioral2/memory/1912-2028-0x00007FF7FA3E0000-0x00007FF7FA7D2000-memory.dmp	xmrig
behavioral2/memory/2344-2045-0x00007FF761EF0000-0x00007FF7622E2000-memory.dmp	xmrig
behavioral2/memory/3632-2047-0x00007FF72F730000-0x00007FF72FB22000-memory.dmp	xmrig
behavioral2/memory/4148-2049-0x00007FF6CA070000-0x00007FF6CA462000-memory.dmp	xmrig
behavioral2/memory/4688-2052-0x00007FF658160000-0x00007FF658552000-memory.dmp	xmrig
behavioral2/memory/2512-2053-0x00007FF747A90000-0x00007FF747E82000-memory.dmp	xmrig
behavioral2/memory/2656-2055-0x00007FF763A90000-0x00007FF763E82000-memory.dmp	xmrig
behavioral2/memory/3048-2062-0x00007FF7845F0000-0x00007FF7849E2000-memory.dmp	xmrig
behavioral2/memory/3772-2061-0x00007FF6A3C80000-0x00007FF6A4072000-memory.dmp	xmrig
behavioral2/memory/1968-2065-0x00007FF71C230000-0x00007FF71C622000-memory.dmp	xmrig
behavioral2/memory/4864-2064-0x00007FF682E90000-0x00007FF683282000-memory.dmp	xmrig
behavioral2/memory/3932-2058-0x00007FF649700000-0x00007FF649AF2000-memory.dmp	xmrig
behavioral2/memory/4256-2082-0x00007FF71B460000-0x00007FF71B852000-memory.dmp	xmrig
behavioral2/memory/344-2085-0x00007FF7BD420000-0x00007FF7BD812000-memory.dmp	xmrig
behavioral2/memory/5104-2091-0x00007FF70F5D0000-0x00007FF70F9C2000-memory.dmp	xmrig
behavioral2/memory/3444-2089-0x00007FF79B780000-0x00007FF79BB72000-memory.dmp	xmrig
behavioral2/memory/3448-2087-0x00007FF6AE290000-0x00007FF6AE682000-memory.dmp	xmrig
behavioral2/memory/2760-2083-0x00007FF64DE70000-0x00007FF64E262000-memory.dmp	xmrig
behavioral2/memory/1616-2081-0x00007FF67A620000-0x00007FF67AA12000-memory.dmp	xmrig
behavioral2/memory/4464-2077-0x00007FF7EFE50000-0x00007FF7F0242000-memory.dmp	xmrig
behavioral2/memory/2884-2076-0x00007FF6439A0000-0x00007FF643D92000-memory.dmp	xmrig
behavioral2/memory/4656-2073-0x00007FF7F1B90000-0x00007FF7F1F82000-memory.dmp	xmrig
behavioral2/memory/1912-2071-0x00007FF7FA3E0000-0x00007FF7FA7D2000-memory.dmp	xmrig
behavioral2/memory/4672-2070-0x00007FF737660000-0x00007FF737A52000-memory.dmp	xmrig
behavioral2/memory/224-2068-0x00007FF79B430000-0x00007FF79B822000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2524	powershell.exe
5	2524	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2524	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2344	lgEMyMV.exe
3632	vRAarKU.exe
4148	ZnTszoX.exe
2512	DNSyPyY.exe
2656	RQLWPsW.exe
4688	jJrAdzX.exe
4864	kUlVEbz.exe
3932	AmZGoBg.exe
1968	pjcBSnk.exe
3772	NBDkENV.exe
3048	uqwdJSY.exe
344	PTMArfq.exe
2760	piQxPnO.exe
1616	XWcrXEI.exe
4464	IqaOtWe.exe
1912	CQtaedz.exe
2884	aOgEGrx.exe
224	HjVWpeB.exe
4656	lrJAjLH.exe
4672	EBeslQK.exe
4256	KtxEAtC.exe
5104	AwPhaAx.exe
3444	sVPjhGX.exe
3448	yHqZlRx.exe
1036	cZAPiKg.exe
4216	nfIAhNi.exe
4976	RdtZDrw.exe
3356	MhtJstK.exe
2508	qVSuyQY.exe
3104	MASltkD.exe
3428	ArBrHtr.exe
3644	flZdVyA.exe
1068	cLBdvmi.exe
5048	jVTjeQR.exe
3320	uxqAooM.exe
1940	XwddMFo.exe
3844	lqdGuwG.exe
3088	VCAJBpO.exe
2364	PkZfnvE.exe
948	sQlBGmx.exe
2800	wAtnPCt.exe
3784	ZddAirc.exe
2544	KdHuHDo.exe
3744	NjFhXje.exe
772	qJBSuIw.exe
4344	Latyuly.exe
4108	Xpxajls.exe
1284	qfSGiHd.exe
2396	LiXNtnN.exe
2540	mVShkmD.exe
4680	BQjasbW.exe
4028	trdnBXq.exe
4368	QLJzKJT.exe
1720	ySzlQla.exe
4916	UwSPvWP.exe
4568	kvtJScz.exe
1948	uMjsEDR.exe
4412	cVLjcKR.exe
3432	aucgnXX.exe
1800	BUoqgDD.exe
1684	xWklQLf.exe
4212	OtzuGxH.exe
2948	EonivtD.exe
1500	ZMEQQDD.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1168-0-0x00007FF75CEF0000-0x00007FF75D2E2000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-4.dat	upx
behavioral2/memory/2344-7-0x00007FF761EF0000-0x00007FF7622E2000-memory.dmp	upx
behavioral2/files/0x00080000000233f5-10.dat	upx
behavioral2/files/0x00090000000233e2-12.dat	upx
behavioral2/files/0x00080000000233f6-25.dat	upx
behavioral2/files/0x00070000000233f7-41.dat	upx
behavioral2/files/0x00080000000233fa-54.dat	upx
behavioral2/memory/3632-53-0x00007FF72F730000-0x00007FF72FB22000-memory.dmp	upx
behavioral2/files/0x00080000000233f9-67.dat	upx
behavioral2/files/0x00070000000233fc-75.dat	upx
behavioral2/memory/1968-79-0x00007FF71C230000-0x00007FF71C622000-memory.dmp	upx
behavioral2/files/0x00070000000233fe-84.dat	upx
behavioral2/memory/2656-88-0x00007FF763A90000-0x00007FF763E82000-memory.dmp	upx
behavioral2/files/0x00090000000233e9-100.dat	upx
behavioral2/memory/1616-113-0x00007FF67A620000-0x00007FF67AA12000-memory.dmp	upx
behavioral2/files/0x0007000000023405-118.dat	upx
behavioral2/files/0x0007000000023406-126.dat	upx
behavioral2/files/0x0007000000023403-139.dat	upx
behavioral2/files/0x0007000000023407-157.dat	upx
behavioral2/files/0x000700000002340c-168.dat	upx
behavioral2/files/0x000700000002340e-180.dat	upx
behavioral2/files/0x0007000000023412-200.dat	upx
behavioral2/files/0x0007000000023410-198.dat	upx
behavioral2/files/0x0007000000023411-195.dat	upx
behavioral2/files/0x000700000002340f-193.dat	upx
behavioral2/files/0x000700000002340d-183.dat	upx
behavioral2/memory/3448-177-0x00007FF6AE290000-0x00007FF6AE682000-memory.dmp	upx
behavioral2/files/0x000700000002340b-172.dat	upx
behavioral2/memory/3444-171-0x00007FF79B780000-0x00007FF79BB72000-memory.dmp	upx
behavioral2/files/0x000700000002340a-166.dat	upx
behavioral2/memory/5104-165-0x00007FF70F5D0000-0x00007FF70F9C2000-memory.dmp	upx
behavioral2/files/0x0007000000023409-160.dat	upx
behavioral2/memory/4256-159-0x00007FF71B460000-0x00007FF71B852000-memory.dmp	upx
behavioral2/files/0x0007000000023408-152.dat	upx
behavioral2/memory/4672-151-0x00007FF737660000-0x00007FF737A52000-memory.dmp	upx
behavioral2/memory/4656-150-0x00007FF7F1B90000-0x00007FF7F1F82000-memory.dmp	upx
behavioral2/memory/224-141-0x00007FF79B430000-0x00007FF79B822000-memory.dmp	upx
behavioral2/memory/2884-133-0x00007FF6439A0000-0x00007FF643D92000-memory.dmp	upx
behavioral2/files/0x0007000000023402-131.dat	upx
behavioral2/files/0x0007000000023401-129.dat	upx
behavioral2/memory/1912-125-0x00007FF7FA3E0000-0x00007FF7FA7D2000-memory.dmp	upx
behavioral2/files/0x0007000000023404-123.dat	upx
behavioral2/files/0x0007000000023400-121.dat	upx
behavioral2/memory/4464-117-0x00007FF7EFE50000-0x00007FF7F0242000-memory.dmp	upx
behavioral2/memory/2760-109-0x00007FF64DE70000-0x00007FF64E262000-memory.dmp	upx
behavioral2/memory/344-102-0x00007FF7BD420000-0x00007FF7BD812000-memory.dmp	upx
behavioral2/memory/3932-99-0x00007FF649700000-0x00007FF649AF2000-memory.dmp	upx
behavioral2/files/0x00070000000233ff-97.dat	upx
behavioral2/memory/4864-92-0x00007FF682E90000-0x00007FF683282000-memory.dmp	upx
behavioral2/memory/3048-85-0x00007FF7845F0000-0x00007FF7849E2000-memory.dmp	upx
behavioral2/memory/3772-82-0x00007FF6A3C80000-0x00007FF6A4072000-memory.dmp	upx
behavioral2/memory/4688-78-0x00007FF658160000-0x00007FF658552000-memory.dmp	upx
behavioral2/memory/2512-71-0x00007FF747A90000-0x00007FF747E82000-memory.dmp	upx
behavioral2/files/0x00070000000233fd-70.dat	upx
behavioral2/files/0x00070000000233fb-57.dat	upx
behavioral2/files/0x00070000000233f8-45.dat	upx
behavioral2/memory/4148-24-0x00007FF6CA070000-0x00007FF6CA462000-memory.dmp	upx
behavioral2/memory/1168-1983-0x00007FF75CEF0000-0x00007FF75D2E2000-memory.dmp	upx
behavioral2/memory/4148-1993-0x00007FF6CA070000-0x00007FF6CA462000-memory.dmp	upx
behavioral2/memory/2344-1994-0x00007FF761EF0000-0x00007FF7622E2000-memory.dmp	upx
behavioral2/memory/4464-2027-0x00007FF7EFE50000-0x00007FF7F0242000-memory.dmp	upx
behavioral2/memory/2884-2029-0x00007FF6439A0000-0x00007FF643D92000-memory.dmp	upx
behavioral2/memory/1912-2028-0x00007FF7FA3E0000-0x00007FF7FA7D2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\JoYIqzS.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\oNBwJWg.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\rwpseKH.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\VsJhByy.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\GRlpoYY.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\qaSavLO.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\zvgMrLY.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\LHHuCTa.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\nyRCuMz.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\FOboAqM.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\KzKTmPz.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\MdcbpIM.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\SpULLLh.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\jclUtaI.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\URltnsu.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\Ujddmqh.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\DNSyPyY.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\sggSgOr.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\llLWrma.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\xjeWKsJ.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\UKXemOo.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\jwFVYRW.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\EeOktkd.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\HtOJIRg.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\jRJQqUz.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\rVFgyLD.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\vTqJQfz.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\PDFOiyc.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\aCInzQm.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\GLvVBQs.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\qGzpKKI.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\dPitfDb.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\NPPzdTc.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\XTHAkNz.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\gikniqp.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\OvJKPLq.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\jLGbSWz.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\XFFCKaA.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\vaDPwah.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\kLluCPN.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\wZlUjTH.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\OBUWOQe.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\OKsJycv.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\jfZwmPi.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\dldpnGR.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\fUczESy.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\iuqvtvU.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\UTraKpu.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\bJPkHfP.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\RnXkGLo.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\PIUMLPs.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\sVtrIup.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\yHqZlRx.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\wXkneRZ.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\eqGDhYw.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\jZwGeBR.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\pgkEPOS.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\ddcoYuC.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\dNbaDFq.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\rGVxLGh.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\NjFhXje.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\dEGPJyY.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\IAuJfwv.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
File created	C:\Windows\System\WabuhDF.exe	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2524	powershell.exe
2524	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeLockMemoryPrivilege	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 2524	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	82
PID 1168 wrote to memory of 2524	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	82
PID 1168 wrote to memory of 2344	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	83
PID 1168 wrote to memory of 2344	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	83
PID 1168 wrote to memory of 3632	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	84
PID 1168 wrote to memory of 3632	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	84
PID 1168 wrote to memory of 4148	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	85
PID 1168 wrote to memory of 4148	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	85
PID 1168 wrote to memory of 2512	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	86
PID 1168 wrote to memory of 2512	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	86
PID 1168 wrote to memory of 2656	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	87
PID 1168 wrote to memory of 2656	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	87
PID 1168 wrote to memory of 4688	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	88
PID 1168 wrote to memory of 4688	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	88
PID 1168 wrote to memory of 4864	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	89
PID 1168 wrote to memory of 4864	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	89
PID 1168 wrote to memory of 3932	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	90
PID 1168 wrote to memory of 3932	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	90
PID 1168 wrote to memory of 1968	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	91
PID 1168 wrote to memory of 1968	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	91
PID 1168 wrote to memory of 3772	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	92
PID 1168 wrote to memory of 3772	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	92
PID 1168 wrote to memory of 3048	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	93
PID 1168 wrote to memory of 3048	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	93
PID 1168 wrote to memory of 344	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	94
PID 1168 wrote to memory of 344	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	94
PID 1168 wrote to memory of 2760	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	95
PID 1168 wrote to memory of 2760	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	95
PID 1168 wrote to memory of 1616	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	96
PID 1168 wrote to memory of 1616	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	96
PID 1168 wrote to memory of 4464	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	97
PID 1168 wrote to memory of 4464	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	97
PID 1168 wrote to memory of 1912	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	98
PID 1168 wrote to memory of 1912	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	98
PID 1168 wrote to memory of 2884	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	99
PID 1168 wrote to memory of 2884	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	99
PID 1168 wrote to memory of 224	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	100
PID 1168 wrote to memory of 224	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	100
PID 1168 wrote to memory of 4656	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	101
PID 1168 wrote to memory of 4656	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	101
PID 1168 wrote to memory of 4672	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	102
PID 1168 wrote to memory of 4672	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	102
PID 1168 wrote to memory of 4256	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	103
PID 1168 wrote to memory of 4256	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	103
PID 1168 wrote to memory of 5104	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	104
PID 1168 wrote to memory of 5104	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	104
PID 1168 wrote to memory of 3444	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	105
PID 1168 wrote to memory of 3444	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	105
PID 1168 wrote to memory of 3448	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	106
PID 1168 wrote to memory of 3448	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	106
PID 1168 wrote to memory of 1036	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	107
PID 1168 wrote to memory of 1036	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	107
PID 1168 wrote to memory of 4216	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	108
PID 1168 wrote to memory of 4216	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	108
PID 1168 wrote to memory of 4976	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	109
PID 1168 wrote to memory of 4976	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	109
PID 1168 wrote to memory of 3356	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	110
PID 1168 wrote to memory of 3356	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	110
PID 1168 wrote to memory of 2508	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	111
PID 1168 wrote to memory of 2508	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	111
PID 1168 wrote to memory of 3104	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	112
PID 1168 wrote to memory of 3104	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	112
PID 1168 wrote to memory of 3428	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	113
PID 1168 wrote to memory of 3428	1168	3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe	113

C:\Users\Admin\AppData\Local\Temp\3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3ec342b8ca93f2a55450e84f3b25de2a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2524" "2940" "2880" "2944" "0" "0" "2948" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13136
- C:\Windows\System\lgEMyMV.exe
  C:\Windows\System\lgEMyMV.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\vRAarKU.exe
  C:\Windows\System\vRAarKU.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\ZnTszoX.exe
  C:\Windows\System\ZnTszoX.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\DNSyPyY.exe
  C:\Windows\System\DNSyPyY.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\RQLWPsW.exe
  C:\Windows\System\RQLWPsW.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\jJrAdzX.exe
  C:\Windows\System\jJrAdzX.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\kUlVEbz.exe
  C:\Windows\System\kUlVEbz.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\AmZGoBg.exe
  C:\Windows\System\AmZGoBg.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\pjcBSnk.exe
  C:\Windows\System\pjcBSnk.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\NBDkENV.exe
  C:\Windows\System\NBDkENV.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\uqwdJSY.exe
  C:\Windows\System\uqwdJSY.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\PTMArfq.exe
  C:\Windows\System\PTMArfq.exe
  2⤵
  - Executes dropped EXE
  PID:344
- C:\Windows\System\piQxPnO.exe
  C:\Windows\System\piQxPnO.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\XWcrXEI.exe
  C:\Windows\System\XWcrXEI.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\IqaOtWe.exe
  C:\Windows\System\IqaOtWe.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\CQtaedz.exe
  C:\Windows\System\CQtaedz.exe
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Windows\System\aOgEGrx.exe
  C:\Windows\System\aOgEGrx.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\HjVWpeB.exe
  C:\Windows\System\HjVWpeB.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\lrJAjLH.exe
  C:\Windows\System\lrJAjLH.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\EBeslQK.exe
  C:\Windows\System\EBeslQK.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\KtxEAtC.exe
  C:\Windows\System\KtxEAtC.exe
  2⤵
  - Executes dropped EXE
  PID:4256
- C:\Windows\System\AwPhaAx.exe
  C:\Windows\System\AwPhaAx.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\sVPjhGX.exe
  C:\Windows\System\sVPjhGX.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\yHqZlRx.exe
  C:\Windows\System\yHqZlRx.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\cZAPiKg.exe
  C:\Windows\System\cZAPiKg.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\nfIAhNi.exe
  C:\Windows\System\nfIAhNi.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\RdtZDrw.exe
  C:\Windows\System\RdtZDrw.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\MhtJstK.exe
  C:\Windows\System\MhtJstK.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\qVSuyQY.exe
  C:\Windows\System\qVSuyQY.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\MASltkD.exe
  C:\Windows\System\MASltkD.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\ArBrHtr.exe
  C:\Windows\System\ArBrHtr.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\flZdVyA.exe
  C:\Windows\System\flZdVyA.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\cLBdvmi.exe
  C:\Windows\System\cLBdvmi.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\jVTjeQR.exe
  C:\Windows\System\jVTjeQR.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\uxqAooM.exe
  C:\Windows\System\uxqAooM.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\XwddMFo.exe
  C:\Windows\System\XwddMFo.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\lqdGuwG.exe
  C:\Windows\System\lqdGuwG.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\VCAJBpO.exe
  C:\Windows\System\VCAJBpO.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\PkZfnvE.exe
  C:\Windows\System\PkZfnvE.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\sQlBGmx.exe
  C:\Windows\System\sQlBGmx.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\wAtnPCt.exe
  C:\Windows\System\wAtnPCt.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\ZddAirc.exe
  C:\Windows\System\ZddAirc.exe
  2⤵
  - Executes dropped EXE
  PID:3784
- C:\Windows\System\KdHuHDo.exe
  C:\Windows\System\KdHuHDo.exe
  2⤵
  - Executes dropped EXE
  PID:2544
- C:\Windows\System\NjFhXje.exe
  C:\Windows\System\NjFhXje.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\qJBSuIw.exe
  C:\Windows\System\qJBSuIw.exe
  2⤵
  - Executes dropped EXE
  PID:772
- C:\Windows\System\Latyuly.exe
  C:\Windows\System\Latyuly.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\Xpxajls.exe
  C:\Windows\System\Xpxajls.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\qfSGiHd.exe
  C:\Windows\System\qfSGiHd.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System\LiXNtnN.exe
  C:\Windows\System\LiXNtnN.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\mVShkmD.exe
  C:\Windows\System\mVShkmD.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\BQjasbW.exe
  C:\Windows\System\BQjasbW.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\trdnBXq.exe
  C:\Windows\System\trdnBXq.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\QLJzKJT.exe
  C:\Windows\System\QLJzKJT.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\ySzlQla.exe
  C:\Windows\System\ySzlQla.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\UwSPvWP.exe
  C:\Windows\System\UwSPvWP.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\kvtJScz.exe
  C:\Windows\System\kvtJScz.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\uMjsEDR.exe
  C:\Windows\System\uMjsEDR.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\cVLjcKR.exe
  C:\Windows\System\cVLjcKR.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\aucgnXX.exe
  C:\Windows\System\aucgnXX.exe
  2⤵
  - Executes dropped EXE
  PID:3432
- C:\Windows\System\BUoqgDD.exe
  C:\Windows\System\BUoqgDD.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\xWklQLf.exe
  C:\Windows\System\xWklQLf.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\OtzuGxH.exe
  C:\Windows\System\OtzuGxH.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\EonivtD.exe
  C:\Windows\System\EonivtD.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\ZMEQQDD.exe
  C:\Windows\System\ZMEQQDD.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\aakfGdK.exe
  C:\Windows\System\aakfGdK.exe
  2⤵
  PID:4416
- C:\Windows\System\hxftCDN.exe
  C:\Windows\System\hxftCDN.exe
  2⤵
  PID:1608
- C:\Windows\System\NECQNec.exe
  C:\Windows\System\NECQNec.exe
  2⤵
  PID:3852
- C:\Windows\System\yLcnymS.exe
  C:\Windows\System\yLcnymS.exe
  2⤵
  PID:636
- C:\Windows\System\BgYlEwp.exe
  C:\Windows\System\BgYlEwp.exe
  2⤵
  PID:4860
- C:\Windows\System\cHHOdor.exe
  C:\Windows\System\cHHOdor.exe
  2⤵
  PID:2532
- C:\Windows\System\nrPTXDS.exe
  C:\Windows\System\nrPTXDS.exe
  2⤵
  PID:3052
- C:\Windows\System\XFFCKaA.exe
  C:\Windows\System\XFFCKaA.exe
  2⤵
  PID:5128
- C:\Windows\System\qGzpKKI.exe
  C:\Windows\System\qGzpKKI.exe
  2⤵
  PID:5156
- C:\Windows\System\gLSqtQw.exe
  C:\Windows\System\gLSqtQw.exe
  2⤵
  PID:5180
- C:\Windows\System\PHCmoMm.exe
  C:\Windows\System\PHCmoMm.exe
  2⤵
  PID:5212
- C:\Windows\System\JoYIqzS.exe
  C:\Windows\System\JoYIqzS.exe
  2⤵
  PID:5240
- C:\Windows\System\kcTgcCO.exe
  C:\Windows\System\kcTgcCO.exe
  2⤵
  PID:5268
- C:\Windows\System\zQalvbe.exe
  C:\Windows\System\zQalvbe.exe
  2⤵
  PID:5296
- C:\Windows\System\MTlHwie.exe
  C:\Windows\System\MTlHwie.exe
  2⤵
  PID:5324
- C:\Windows\System\cVGITHH.exe
  C:\Windows\System\cVGITHH.exe
  2⤵
  PID:5352
- C:\Windows\System\ERgEziQ.exe
  C:\Windows\System\ERgEziQ.exe
  2⤵
  PID:5376
- C:\Windows\System\nFzuspT.exe
  C:\Windows\System\nFzuspT.exe
  2⤵
  PID:5404
- C:\Windows\System\RQQjLyW.exe
  C:\Windows\System\RQQjLyW.exe
  2⤵
  PID:5436
- C:\Windows\System\sKBAEMJ.exe
  C:\Windows\System\sKBAEMJ.exe
  2⤵
  PID:5464
- C:\Windows\System\zKsbwDd.exe
  C:\Windows\System\zKsbwDd.exe
  2⤵
  PID:5492
- C:\Windows\System\VnzgUMS.exe
  C:\Windows\System\VnzgUMS.exe
  2⤵
  PID:5520
- C:\Windows\System\wxFXwVW.exe
  C:\Windows\System\wxFXwVW.exe
  2⤵
  PID:5548
- C:\Windows\System\fdlmXku.exe
  C:\Windows\System\fdlmXku.exe
  2⤵
  PID:5576
- C:\Windows\System\CrAcZQv.exe
  C:\Windows\System\CrAcZQv.exe
  2⤵
  PID:5604
- C:\Windows\System\RnaonXS.exe
  C:\Windows\System\RnaonXS.exe
  2⤵
  PID:5636
- C:\Windows\System\YpuYvdU.exe
  C:\Windows\System\YpuYvdU.exe
  2⤵
  PID:5664
- C:\Windows\System\ukiTqXu.exe
  C:\Windows\System\ukiTqXu.exe
  2⤵
  PID:5692
- C:\Windows\System\KpHSItI.exe
  C:\Windows\System\KpHSItI.exe
  2⤵
  PID:5720
- C:\Windows\System\xNSxLxA.exe
  C:\Windows\System\xNSxLxA.exe
  2⤵
  PID:5748
- C:\Windows\System\vqkhLTt.exe
  C:\Windows\System\vqkhLTt.exe
  2⤵
  PID:5776
- C:\Windows\System\qazfhSM.exe
  C:\Windows\System\qazfhSM.exe
  2⤵
  PID:5804
- C:\Windows\System\jVCwVpq.exe
  C:\Windows\System\jVCwVpq.exe
  2⤵
  PID:5832
- C:\Windows\System\znRTQfh.exe
  C:\Windows\System\znRTQfh.exe
  2⤵
  PID:5856
- C:\Windows\System\NlgsRes.exe
  C:\Windows\System\NlgsRes.exe
  2⤵
  PID:5884
- C:\Windows\System\TzwOBQp.exe
  C:\Windows\System\TzwOBQp.exe
  2⤵
  PID:5912
- C:\Windows\System\JOTbIVf.exe
  C:\Windows\System\JOTbIVf.exe
  2⤵
  PID:5944
- C:\Windows\System\ngxvPQM.exe
  C:\Windows\System\ngxvPQM.exe
  2⤵
  PID:5980
- C:\Windows\System\UdiubbE.exe
  C:\Windows\System\UdiubbE.exe
  2⤵
  PID:6008
- C:\Windows\System\dldpnGR.exe
  C:\Windows\System\dldpnGR.exe
  2⤵
  PID:6036
- C:\Windows\System\oBQoHIt.exe
  C:\Windows\System\oBQoHIt.exe
  2⤵
  PID:6064
- C:\Windows\System\cKUlQTU.exe
  C:\Windows\System\cKUlQTU.exe
  2⤵
  PID:6092
- C:\Windows\System\TJOtDGQ.exe
  C:\Windows\System\TJOtDGQ.exe
  2⤵
  PID:6124
- C:\Windows\System\aHZqGef.exe
  C:\Windows\System\aHZqGef.exe
  2⤵
  PID:3668
- C:\Windows\System\DBWtuRH.exe
  C:\Windows\System\DBWtuRH.exe
  2⤵
  PID:4360
- C:\Windows\System\KXPdaSg.exe
  C:\Windows\System\KXPdaSg.exe
  2⤵
  PID:3344
- C:\Windows\System\pUOGrnn.exe
  C:\Windows\System\pUOGrnn.exe
  2⤵
  PID:1352
- C:\Windows\System\sggSgOr.exe
  C:\Windows\System\sggSgOr.exe
  2⤵
  PID:3524
- C:\Windows\System\xOVMEET.exe
  C:\Windows\System\xOVMEET.exe
  2⤵
  PID:3412
- C:\Windows\System\oEqlyUQ.exe
  C:\Windows\System\oEqlyUQ.exe
  2⤵
  PID:5168
- C:\Windows\System\MXNmLdx.exe
  C:\Windows\System\MXNmLdx.exe
  2⤵
  PID:5228
- C:\Windows\System\iJmKaVT.exe
  C:\Windows\System\iJmKaVT.exe
  2⤵
  PID:5284
- C:\Windows\System\ozYoPwk.exe
  C:\Windows\System\ozYoPwk.exe
  2⤵
  PID:5340
- C:\Windows\System\cyYsgSC.exe
  C:\Windows\System\cyYsgSC.exe
  2⤵
  PID:5400
- C:\Windows\System\DEczWBn.exe
  C:\Windows\System\DEczWBn.exe
  2⤵
  PID:5480
- C:\Windows\System\bTeePGo.exe
  C:\Windows\System\bTeePGo.exe
  2⤵
  PID:5532
- C:\Windows\System\zpDjbhB.exe
  C:\Windows\System\zpDjbhB.exe
  2⤵
  PID:1324
- C:\Windows\System\auFhkBD.exe
  C:\Windows\System\auFhkBD.exe
  2⤵
  PID:5628
- C:\Windows\System\BaadYZd.exe
  C:\Windows\System\BaadYZd.exe
  2⤵
  PID:5708
- C:\Windows\System\qWNtehQ.exe
  C:\Windows\System\qWNtehQ.exe
  2⤵
  PID:5764
- C:\Windows\System\LzwdFzL.exe
  C:\Windows\System\LzwdFzL.exe
  2⤵
  PID:5796
- C:\Windows\System\dEGPJyY.exe
  C:\Windows\System\dEGPJyY.exe
  2⤵
  PID:5964
- C:\Windows\System\ZEcHtpk.exe
  C:\Windows\System\ZEcHtpk.exe
  2⤵
  PID:2464
- C:\Windows\System\DRjZKwk.exe
  C:\Windows\System\DRjZKwk.exe
  2⤵
  PID:5972
- C:\Windows\System\mVLVNOn.exe
  C:\Windows\System\mVLVNOn.exe
  2⤵
  PID:6032
- C:\Windows\System\OdcwWds.exe
  C:\Windows\System\OdcwWds.exe
  2⤵
  PID:6108
- C:\Windows\System\KeLsYqE.exe
  C:\Windows\System\KeLsYqE.exe
  2⤵
  PID:3660
- C:\Windows\System\CDYsVey.exe
  C:\Windows\System\CDYsVey.exe
  2⤵
  PID:4876
- C:\Windows\System\BHSEnPD.exe
  C:\Windows\System\BHSEnPD.exe
  2⤵
  PID:3928
- C:\Windows\System\saazKlv.exe
  C:\Windows\System\saazKlv.exe
  2⤵
  PID:5196
- C:\Windows\System\oqoPWzn.exe
  C:\Windows\System\oqoPWzn.exe
  2⤵
  PID:5312
- C:\Windows\System\uoHihlE.exe
  C:\Windows\System\uoHihlE.exe
  2⤵
  PID:5396
- C:\Windows\System\qqVoShA.exe
  C:\Windows\System\qqVoShA.exe
  2⤵
  PID:5572
- C:\Windows\System\bUlRkwS.exe
  C:\Windows\System\bUlRkwS.exe
  2⤵
  PID:5680
- C:\Windows\System\nYRnZUw.exe
  C:\Windows\System\nYRnZUw.exe
  2⤵
  PID:5792
- C:\Windows\System\guwPOSM.exe
  C:\Windows\System\guwPOSM.exe
  2⤵
  PID:5880
- C:\Windows\System\vaDPwah.exe
  C:\Windows\System\vaDPwah.exe
  2⤵
  PID:6020
- C:\Windows\System\VboeTUU.exe
  C:\Windows\System\VboeTUU.exe
  2⤵
  PID:4124
- C:\Windows\System\OfnXKKr.exe
  C:\Windows\System\OfnXKKr.exe
  2⤵
  PID:5096
- C:\Windows\System\iZAuSvS.exe
  C:\Windows\System\iZAuSvS.exe
  2⤵
  PID:5148
- C:\Windows\System\PVeasdY.exe
  C:\Windows\System\PVeasdY.exe
  2⤵
  PID:5508
- C:\Windows\System\jLGbSWz.exe
  C:\Windows\System\jLGbSWz.exe
  2⤵
  PID:5740
- C:\Windows\System\mlZeMbx.exe
  C:\Windows\System\mlZeMbx.exe
  2⤵
  PID:5848
- C:\Windows\System\myTLfwN.exe
  C:\Windows\System\myTLfwN.exe
  2⤵
  PID:6152
- C:\Windows\System\kCbDOrP.exe
  C:\Windows\System\kCbDOrP.exe
  2⤵
  PID:6180
- C:\Windows\System\kLluCPN.exe
  C:\Windows\System\kLluCPN.exe
  2⤵
  PID:6204
- C:\Windows\System\BwDdWAy.exe
  C:\Windows\System\BwDdWAy.exe
  2⤵
  PID:6236
- C:\Windows\System\UmxrDdC.exe
  C:\Windows\System\UmxrDdC.exe
  2⤵
  PID:6264
- C:\Windows\System\puEdUyr.exe
  C:\Windows\System\puEdUyr.exe
  2⤵
  PID:6292
- C:\Windows\System\LglRfre.exe
  C:\Windows\System\LglRfre.exe
  2⤵
  PID:6320
- C:\Windows\System\IUMXdsH.exe
  C:\Windows\System\IUMXdsH.exe
  2⤵
  PID:6348
- C:\Windows\System\SlzvkdE.exe
  C:\Windows\System\SlzvkdE.exe
  2⤵
  PID:6376
- C:\Windows\System\HNFqcos.exe
  C:\Windows\System\HNFqcos.exe
  2⤵
  PID:6404
- C:\Windows\System\fiYkCOh.exe
  C:\Windows\System\fiYkCOh.exe
  2⤵
  PID:6432
- C:\Windows\System\tjOtXpx.exe
  C:\Windows\System\tjOtXpx.exe
  2⤵
  PID:6468
- C:\Windows\System\VUSWgnj.exe
  C:\Windows\System\VUSWgnj.exe
  2⤵
  PID:6488
- C:\Windows\System\YlnZyEe.exe
  C:\Windows\System\YlnZyEe.exe
  2⤵
  PID:6516
- C:\Windows\System\TAMSYNY.exe
  C:\Windows\System\TAMSYNY.exe
  2⤵
  PID:6544
- C:\Windows\System\nszxzFj.exe
  C:\Windows\System\nszxzFj.exe
  2⤵
  PID:6572
- C:\Windows\System\srqhbNn.exe
  C:\Windows\System\srqhbNn.exe
  2⤵
  PID:6600
- C:\Windows\System\glmwwQG.exe
  C:\Windows\System\glmwwQG.exe
  2⤵
  PID:6628
- C:\Windows\System\koNbtHn.exe
  C:\Windows\System\koNbtHn.exe
  2⤵
  PID:6656
- C:\Windows\System\EkXvaDN.exe
  C:\Windows\System\EkXvaDN.exe
  2⤵
  PID:6684
- C:\Windows\System\jqVJlLs.exe
  C:\Windows\System\jqVJlLs.exe
  2⤵
  PID:6712
- C:\Windows\System\bhqwPLu.exe
  C:\Windows\System\bhqwPLu.exe
  2⤵
  PID:6740
- C:\Windows\System\XzxuIYE.exe
  C:\Windows\System\XzxuIYE.exe
  2⤵
  PID:6768
- C:\Windows\System\YmNkJar.exe
  C:\Windows\System\YmNkJar.exe
  2⤵
  PID:6796
- C:\Windows\System\QpAKStV.exe
  C:\Windows\System\QpAKStV.exe
  2⤵
  PID:6824
- C:\Windows\System\gINMpdO.exe
  C:\Windows\System\gINMpdO.exe
  2⤵
  PID:6852
- C:\Windows\System\rRooykK.exe
  C:\Windows\System\rRooykK.exe
  2⤵
  PID:6880
- C:\Windows\System\IAuJfwv.exe
  C:\Windows\System\IAuJfwv.exe
  2⤵
  PID:6912
- C:\Windows\System\OUXgFvr.exe
  C:\Windows\System\OUXgFvr.exe
  2⤵
  PID:6936
- C:\Windows\System\BXpqfRx.exe
  C:\Windows\System\BXpqfRx.exe
  2⤵
  PID:6964
- C:\Windows\System\OwwufQo.exe
  C:\Windows\System\OwwufQo.exe
  2⤵
  PID:6992
- C:\Windows\System\qKldkgv.exe
  C:\Windows\System\qKldkgv.exe
  2⤵
  PID:7020
- C:\Windows\System\GNBJHLF.exe
  C:\Windows\System\GNBJHLF.exe
  2⤵
  PID:7048
- C:\Windows\System\NPxqWYn.exe
  C:\Windows\System\NPxqWYn.exe
  2⤵
  PID:7064
- C:\Windows\System\FTIlUff.exe
  C:\Windows\System\FTIlUff.exe
  2⤵
  PID:7100
- C:\Windows\System\vpZzIcr.exe
  C:\Windows\System\vpZzIcr.exe
  2⤵
  PID:7128
- C:\Windows\System\PuxIeOU.exe
  C:\Windows\System\PuxIeOU.exe
  2⤵
  PID:7156
- C:\Windows\System\aaClKKm.exe
  C:\Windows\System\aaClKKm.exe
  2⤵
  PID:4796
- C:\Windows\System\ISJNFqA.exe
  C:\Windows\System\ISJNFqA.exe
  2⤵
  PID:1196
- C:\Windows\System\ZdJXQVO.exe
  C:\Windows\System\ZdJXQVO.exe
  2⤵
  PID:1664
- C:\Windows\System\qupCljO.exe
  C:\Windows\System\qupCljO.exe
  2⤵
  PID:2900
- C:\Windows\System\nZVqQdi.exe
  C:\Windows\System\nZVqQdi.exe
  2⤵
  PID:3500
- C:\Windows\System\fUczESy.exe
  C:\Windows\System\fUczESy.exe
  2⤵
  PID:2756
- C:\Windows\System\oyTubNL.exe
  C:\Windows\System\oyTubNL.exe
  2⤵
  PID:4160
- C:\Windows\System\WabuhDF.exe
  C:\Windows\System\WabuhDF.exe
  2⤵
  PID:6304
- C:\Windows\System\YihhkHa.exe
  C:\Windows\System\YihhkHa.exe
  2⤵
  PID:6360
- C:\Windows\System\hImwySb.exe
  C:\Windows\System\hImwySb.exe
  2⤵
  PID:6508
- C:\Windows\System\uzNpyoD.exe
  C:\Windows\System\uzNpyoD.exe
  2⤵
  PID:6568
- C:\Windows\System\lIAOpem.exe
  C:\Windows\System\lIAOpem.exe
  2⤵
  PID:6612
- C:\Windows\System\cqiMgek.exe
  C:\Windows\System\cqiMgek.exe
  2⤵
  PID:6668
- C:\Windows\System\eKATCWU.exe
  C:\Windows\System\eKATCWU.exe
  2⤵
  PID:6724
- C:\Windows\System\vwMeuvI.exe
  C:\Windows\System\vwMeuvI.exe
  2⤵
  PID:6760
- C:\Windows\System\irqezZy.exe
  C:\Windows\System\irqezZy.exe
  2⤵
  PID:6808
- C:\Windows\System\XxHyibm.exe
  C:\Windows\System\XxHyibm.exe
  2⤵
  PID:6872
- C:\Windows\System\hpWchmX.exe
  C:\Windows\System\hpWchmX.exe
  2⤵
  PID:7008
- C:\Windows\System\QQWJIZQ.exe
  C:\Windows\System\QQWJIZQ.exe
  2⤵
  PID:7056
- C:\Windows\System\KzrMNZb.exe
  C:\Windows\System\KzrMNZb.exe
  2⤵
  PID:7116
- C:\Windows\System\CLAalhf.exe
  C:\Windows\System\CLAalhf.exe
  2⤵
  PID:2820
- C:\Windows\System\dcEqjyz.exe
  C:\Windows\System\dcEqjyz.exe
  2⤵
  PID:3092
- C:\Windows\System\jwFVYRW.exe
  C:\Windows\System\jwFVYRW.exe
  2⤵
  PID:2384
- C:\Windows\System\UdcqIZd.exe
  C:\Windows\System\UdcqIZd.exe
  2⤵
  PID:4992
- C:\Windows\System\MTkMVcC.exe
  C:\Windows\System\MTkMVcC.exe
  2⤵
  PID:4436
- C:\Windows\System\nQWcRFu.exe
  C:\Windows\System\nQWcRFu.exe
  2⤵
  PID:3152
- C:\Windows\System\aykfFNy.exe
  C:\Windows\System\aykfFNy.exe
  2⤵
  PID:6200
- C:\Windows\System\SiwEaQi.exe
  C:\Windows\System\SiwEaQi.exe
  2⤵
  PID:1584
- C:\Windows\System\FmwLPYA.exe
  C:\Windows\System\FmwLPYA.exe
  2⤵
  PID:6588
- C:\Windows\System\pJTehFp.exe
  C:\Windows\System\pJTehFp.exe
  2⤵
  PID:6672
- C:\Windows\System\pUXZJmy.exe
  C:\Windows\System\pUXZJmy.exe
  2⤵
  PID:6752
- C:\Windows\System\GKuwVUF.exe
  C:\Windows\System\GKuwVUF.exe
  2⤵
  PID:6904
- C:\Windows\System\LCSIHvg.exe
  C:\Windows\System\LCSIHvg.exe
  2⤵
  PID:7088
- C:\Windows\System\ZPJnaRY.exe
  C:\Windows\System\ZPJnaRY.exe
  2⤵
  PID:5052
- C:\Windows\System\wXkneRZ.exe
  C:\Windows\System\wXkneRZ.exe
  2⤵
  PID:404
- C:\Windows\System\dAeKjHu.exe
  C:\Windows\System\dAeKjHu.exe
  2⤵
  PID:4024
- C:\Windows\System\twgjOhu.exe
  C:\Windows\System\twgjOhu.exe
  2⤵
  PID:3452
- C:\Windows\System\IGJtRaY.exe
  C:\Windows\System\IGJtRaY.exe
  2⤵
  PID:7036
- C:\Windows\System\dpzTACW.exe
  C:\Windows\System\dpzTACW.exe
  2⤵
  PID:6136
- C:\Windows\System\sVnyNmt.exe
  C:\Windows\System\sVnyNmt.exe
  2⤵
  PID:4288
- C:\Windows\System\bnCJTyo.exe
  C:\Windows\System\bnCJTyo.exe
  2⤵
  PID:5372
- C:\Windows\System\rJEvyEy.exe
  C:\Windows\System\rJEvyEy.exe
  2⤵
  PID:6280
- C:\Windows\System\Gmgeclq.exe
  C:\Windows\System\Gmgeclq.exe
  2⤵
  PID:6224
- C:\Windows\System\kNczQHP.exe
  C:\Windows\System\kNczQHP.exe
  2⤵
  PID:7184
- C:\Windows\System\AQeTyhN.exe
  C:\Windows\System\AQeTyhN.exe
  2⤵
  PID:7208
- C:\Windows\System\ChxCjJb.exe
  C:\Windows\System\ChxCjJb.exe
  2⤵
  PID:7224
- C:\Windows\System\qEmoGKb.exe
  C:\Windows\System\qEmoGKb.exe
  2⤵
  PID:7248
- C:\Windows\System\QjCiqWG.exe
  C:\Windows\System\QjCiqWG.exe
  2⤵
  PID:7288
- C:\Windows\System\HCIjHZB.exe
  C:\Windows\System\HCIjHZB.exe
  2⤵
  PID:7316
- C:\Windows\System\KcGgqTS.exe
  C:\Windows\System\KcGgqTS.exe
  2⤵
  PID:7332
- C:\Windows\System\EeOktkd.exe
  C:\Windows\System\EeOktkd.exe
  2⤵
  PID:7360
- C:\Windows\System\BoLptQt.exe
  C:\Windows\System\BoLptQt.exe
  2⤵
  PID:7380
- C:\Windows\System\FnwANSz.exe
  C:\Windows\System\FnwANSz.exe
  2⤵
  PID:7408
- C:\Windows\System\eZcBylK.exe
  C:\Windows\System\eZcBylK.exe
  2⤵
  PID:7424
- C:\Windows\System\iaRSMVU.exe
  C:\Windows\System\iaRSMVU.exe
  2⤵
  PID:7452
- C:\Windows\System\zIrlLGD.exe
  C:\Windows\System\zIrlLGD.exe
  2⤵
  PID:7472
- C:\Windows\System\UmMDvxp.exe
  C:\Windows\System\UmMDvxp.exe
  2⤵
  PID:7516
- C:\Windows\System\QrLAxxz.exe
  C:\Windows\System\QrLAxxz.exe
  2⤵
  PID:7540
- C:\Windows\System\JxpuniA.exe
  C:\Windows\System\JxpuniA.exe
  2⤵
  PID:7600
- C:\Windows\System\LmQJZsN.exe
  C:\Windows\System\LmQJZsN.exe
  2⤵
  PID:7616
- C:\Windows\System\WTWEkOm.exe
  C:\Windows\System\WTWEkOm.exe
  2⤵
  PID:7648
- C:\Windows\System\vqHZkri.exe
  C:\Windows\System\vqHZkri.exe
  2⤵
  PID:7668
- C:\Windows\System\iAxFzes.exe
  C:\Windows\System\iAxFzes.exe
  2⤵
  PID:7732
- C:\Windows\System\mQdWYvP.exe
  C:\Windows\System\mQdWYvP.exe
  2⤵
  PID:7764
- C:\Windows\System\XewiVTn.exe
  C:\Windows\System\XewiVTn.exe
  2⤵
  PID:7784
- C:\Windows\System\KRZgtMU.exe
  C:\Windows\System\KRZgtMU.exe
  2⤵
  PID:7824
- C:\Windows\System\VsJhByy.exe
  C:\Windows\System\VsJhByy.exe
  2⤵
  PID:7840
- C:\Windows\System\brAfjNQ.exe
  C:\Windows\System\brAfjNQ.exe
  2⤵
  PID:7880
- C:\Windows\System\eqGDhYw.exe
  C:\Windows\System\eqGDhYw.exe
  2⤵
  PID:7900
- C:\Windows\System\vjAqreJ.exe
  C:\Windows\System\vjAqreJ.exe
  2⤵
  PID:7924
- C:\Windows\System\JdCEqkG.exe
  C:\Windows\System\JdCEqkG.exe
  2⤵
  PID:7944
- C:\Windows\System\VncEfHs.exe
  C:\Windows\System\VncEfHs.exe
  2⤵
  PID:7972
- C:\Windows\System\scqYkfL.exe
  C:\Windows\System\scqYkfL.exe
  2⤵
  PID:7988
- C:\Windows\System\vDhpDEN.exe
  C:\Windows\System\vDhpDEN.exe
  2⤵
  PID:8012
- C:\Windows\System\HPofFMV.exe
  C:\Windows\System\HPofFMV.exe
  2⤵
  PID:8028
- C:\Windows\System\eXawQJQ.exe
  C:\Windows\System\eXawQJQ.exe
  2⤵
  PID:8048
- C:\Windows\System\YJuMnsd.exe
  C:\Windows\System\YJuMnsd.exe
  2⤵
  PID:8072
- C:\Windows\System\lQtlqaX.exe
  C:\Windows\System\lQtlqaX.exe
  2⤵
  PID:8100
- C:\Windows\System\czvcCWf.exe
  C:\Windows\System\czvcCWf.exe
  2⤵
  PID:8120
- C:\Windows\System\SKyHLHY.exe
  C:\Windows\System\SKyHLHY.exe
  2⤵
  PID:8140
- C:\Windows\System\jZwGeBR.exe
  C:\Windows\System\jZwGeBR.exe
  2⤵
  PID:8188
- C:\Windows\System\IxwoUyC.exe
  C:\Windows\System\IxwoUyC.exe
  2⤵
  PID:7216
- C:\Windows\System\dvbDNQE.exe
  C:\Windows\System\dvbDNQE.exe
  2⤵
  PID:7284
- C:\Windows\System\SwdkhrX.exe
  C:\Windows\System\SwdkhrX.exe
  2⤵
  PID:7296
- C:\Windows\System\BsurVkX.exe
  C:\Windows\System\BsurVkX.exe
  2⤵
  PID:7356
- C:\Windows\System\rTktnrU.exe
  C:\Windows\System\rTktnrU.exe
  2⤵
  PID:7488
- C:\Windows\System\lyRBfUV.exe
  C:\Windows\System\lyRBfUV.exe
  2⤵
  PID:7580
- C:\Windows\System\dFsifVC.exe
  C:\Windows\System\dFsifVC.exe
  2⤵
  PID:7680
- C:\Windows\System\cfhbvaQ.exe
  C:\Windows\System\cfhbvaQ.exe
  2⤵
  PID:7720
- C:\Windows\System\YoDqDhJ.exe
  C:\Windows\System\YoDqDhJ.exe
  2⤵
  PID:7780
- C:\Windows\System\PXPbTJn.exe
  C:\Windows\System\PXPbTJn.exe
  2⤵
  PID:7816
- C:\Windows\System\ctREibQ.exe
  C:\Windows\System\ctREibQ.exe
  2⤵
  PID:7860
- C:\Windows\System\iuqvtvU.exe
  C:\Windows\System\iuqvtvU.exe
  2⤵
  PID:8004
- C:\Windows\System\dpcRjnC.exe
  C:\Windows\System\dpcRjnC.exe
  2⤵
  PID:8128
- C:\Windows\System\qNTxkBk.exe
  C:\Windows\System\qNTxkBk.exe
  2⤵
  PID:8096
- C:\Windows\System\UHdXKIk.exe
  C:\Windows\System\UHdXKIk.exe
  2⤵
  PID:7180
- C:\Windows\System\vFsSnXb.exe
  C:\Windows\System\vFsSnXb.exe
  2⤵
  PID:7420
- C:\Windows\System\rvyVvEe.exe
  C:\Windows\System\rvyVvEe.exe
  2⤵
  PID:7444
- C:\Windows\System\oGMkRLH.exe
  C:\Windows\System\oGMkRLH.exe
  2⤵
  PID:7752
- C:\Windows\System\pUNoqxZ.exe
  C:\Windows\System\pUNoqxZ.exe
  2⤵
  PID:7864
- C:\Windows\System\OmMFGvA.exe
  C:\Windows\System\OmMFGvA.exe
  2⤵
  PID:8000
- C:\Windows\System\nPWthSb.exe
  C:\Windows\System\nPWthSb.exe
  2⤵
  PID:8064
- C:\Windows\System\gtkxsfP.exe
  C:\Windows\System\gtkxsfP.exe
  2⤵
  PID:7232
- C:\Windows\System\CdVqAHy.exe
  C:\Windows\System\CdVqAHy.exe
  2⤵
  PID:7624
- C:\Windows\System\EClbJkP.exe
  C:\Windows\System\EClbJkP.exe
  2⤵
  PID:7756
- C:\Windows\System\jSaonlU.exe
  C:\Windows\System\jSaonlU.exe
  2⤵
  PID:7492
- C:\Windows\System\JlBEDMH.exe
  C:\Windows\System\JlBEDMH.exe
  2⤵
  PID:8196
- C:\Windows\System\uBkENsr.exe
  C:\Windows\System\uBkENsr.exe
  2⤵
  PID:8212
- C:\Windows\System\YiLxurT.exe
  C:\Windows\System\YiLxurT.exe
  2⤵
  PID:8260
- C:\Windows\System\TwfgSoI.exe
  C:\Windows\System\TwfgSoI.exe
  2⤵
  PID:8280
- C:\Windows\System\nqpzyaO.exe
  C:\Windows\System\nqpzyaO.exe
  2⤵
  PID:8300
- C:\Windows\System\irtnpHM.exe
  C:\Windows\System\irtnpHM.exe
  2⤵
  PID:8336
- C:\Windows\System\KlghbSg.exe
  C:\Windows\System\KlghbSg.exe
  2⤵
  PID:8352
- C:\Windows\System\poEyuwA.exe
  C:\Windows\System\poEyuwA.exe
  2⤵
  PID:8376
- C:\Windows\System\VBctcoy.exe
  C:\Windows\System\VBctcoy.exe
  2⤵
  PID:8400
- C:\Windows\System\MgYmhmG.exe
  C:\Windows\System\MgYmhmG.exe
  2⤵
  PID:8456
- C:\Windows\System\yydFcUo.exe
  C:\Windows\System\yydFcUo.exe
  2⤵
  PID:8476
- C:\Windows\System\gKkRGGj.exe
  C:\Windows\System\gKkRGGj.exe
  2⤵
  PID:8508
- C:\Windows\System\VxXqASm.exe
  C:\Windows\System\VxXqASm.exe
  2⤵
  PID:8524
- C:\Windows\System\pgkEPOS.exe
  C:\Windows\System\pgkEPOS.exe
  2⤵
  PID:8552
- C:\Windows\System\UTraKpu.exe
  C:\Windows\System\UTraKpu.exe
  2⤵
  PID:8572
- C:\Windows\System\OZWWWMB.exe
  C:\Windows\System\OZWWWMB.exe
  2⤵
  PID:8612
- C:\Windows\System\YbbbIAY.exe
  C:\Windows\System\YbbbIAY.exe
  2⤵
  PID:8632
- C:\Windows\System\KdaNqxV.exe
  C:\Windows\System\KdaNqxV.exe
  2⤵
  PID:8672
- C:\Windows\System\jCcfzWr.exe
  C:\Windows\System\jCcfzWr.exe
  2⤵
  PID:8720
- C:\Windows\System\reNrBzV.exe
  C:\Windows\System\reNrBzV.exe
  2⤵
  PID:8748
- C:\Windows\System\CotlGgz.exe
  C:\Windows\System\CotlGgz.exe
  2⤵
  PID:8768
- C:\Windows\System\iaOgbuV.exe
  C:\Windows\System\iaOgbuV.exe
  2⤵
  PID:8792
- C:\Windows\System\eTNpcAG.exe
  C:\Windows\System\eTNpcAG.exe
  2⤵
  PID:8816
- C:\Windows\System\QRzxzwT.exe
  C:\Windows\System\QRzxzwT.exe
  2⤵
  PID:8848
- C:\Windows\System\FmmExCh.exe
  C:\Windows\System\FmmExCh.exe
  2⤵
  PID:8864
- C:\Windows\System\mfiRqiM.exe
  C:\Windows\System\mfiRqiM.exe
  2⤵
  PID:8884
- C:\Windows\System\peZYQdt.exe
  C:\Windows\System\peZYQdt.exe
  2⤵
  PID:8912
- C:\Windows\System\NWQraee.exe
  C:\Windows\System\NWQraee.exe
  2⤵
  PID:8960
- C:\Windows\System\QagFImW.exe
  C:\Windows\System\QagFImW.exe
  2⤵
  PID:8980
- C:\Windows\System\sPGHjQz.exe
  C:\Windows\System\sPGHjQz.exe
  2⤵
  PID:9024
- C:\Windows\System\aQXaDSY.exe
  C:\Windows\System\aQXaDSY.exe
  2⤵
  PID:9048
- C:\Windows\System\hphnGfG.exe
  C:\Windows\System\hphnGfG.exe
  2⤵
  PID:9088
- C:\Windows\System\jzQFzBe.exe
  C:\Windows\System\jzQFzBe.exe
  2⤵
  PID:9104
- C:\Windows\System\dDMYIUH.exe
  C:\Windows\System\dDMYIUH.exe
  2⤵
  PID:9140
- C:\Windows\System\svktIzg.exe
  C:\Windows\System\svktIzg.exe
  2⤵
  PID:9160
- C:\Windows\System\Lgpifeb.exe
  C:\Windows\System\Lgpifeb.exe
  2⤵
  PID:9184
- C:\Windows\System\fMJMCBb.exe
  C:\Windows\System\fMJMCBb.exe
  2⤵
  PID:9200
- C:\Windows\System\iAjdBed.exe
  C:\Windows\System\iAjdBed.exe
  2⤵
  PID:8208
- C:\Windows\System\AiwkySO.exe
  C:\Windows\System\AiwkySO.exe
  2⤵
  PID:7396
- C:\Windows\System\TiLtpwG.exe
  C:\Windows\System\TiLtpwG.exe
  2⤵
  PID:8328
- C:\Windows\System\OruasVX.exe
  C:\Windows\System\OruasVX.exe
  2⤵
  PID:8384
- C:\Windows\System\IEKXRxw.exe
  C:\Windows\System\IEKXRxw.exe
  2⤵
  PID:8504
- C:\Windows\System\RAJcWyI.exe
  C:\Windows\System\RAJcWyI.exe
  2⤵
  PID:8568
- C:\Windows\System\cPPqDXl.exe
  C:\Windows\System\cPPqDXl.exe
  2⤵
  PID:8628
- C:\Windows\System\ODlFxTi.exe
  C:\Windows\System\ODlFxTi.exe
  2⤵
  PID:8664
- C:\Windows\System\wISXACv.exe
  C:\Windows\System\wISXACv.exe
  2⤵
  PID:8740
- C:\Windows\System\xtFRATg.exe
  C:\Windows\System\xtFRATg.exe
  2⤵
  PID:8776
- C:\Windows\System\wZlUjTH.exe
  C:\Windows\System\wZlUjTH.exe
  2⤵
  PID:8804
- C:\Windows\System\YfLFzTL.exe
  C:\Windows\System\YfLFzTL.exe
  2⤵
  PID:8876
- C:\Windows\System\hBdPheH.exe
  C:\Windows\System\hBdPheH.exe
  2⤵
  PID:8948
- C:\Windows\System\rVFgyLD.exe
  C:\Windows\System\rVFgyLD.exe
  2⤵
  PID:9016
- C:\Windows\System\aesrORw.exe
  C:\Windows\System\aesrORw.exe
  2⤵
  PID:9212
- C:\Windows\System\apuKuSr.exe
  C:\Windows\System\apuKuSr.exe
  2⤵
  PID:8244
- C:\Windows\System\qbAyUGa.exe
  C:\Windows\System\qbAyUGa.exe
  2⤵
  PID:8388
- C:\Windows\System\OBUWOQe.exe
  C:\Windows\System\OBUWOQe.exe
  2⤵
  PID:8544
- C:\Windows\System\VOUECRz.exe
  C:\Windows\System\VOUECRz.exe
  2⤵
  PID:8668
- C:\Windows\System\IAyNizP.exe
  C:\Windows\System\IAyNizP.exe
  2⤵
  PID:8532
- C:\Windows\System\AqngMGu.exe
  C:\Windows\System\AqngMGu.exe
  2⤵
  PID:9076
- C:\Windows\System\fZmLMjF.exe
  C:\Windows\System\fZmLMjF.exe
  2⤵
  PID:9196
- C:\Windows\System\glFQcSE.exe
  C:\Windows\System\glFQcSE.exe
  2⤵
  PID:8364
- C:\Windows\System\YrTFxLC.exe
  C:\Windows\System\YrTFxLC.exe
  2⤵
  PID:8708
- C:\Windows\System\qWQjhWS.exe
  C:\Windows\System\qWQjhWS.exe
  2⤵
  PID:9180
- C:\Windows\System\nrjMqen.exe
  C:\Windows\System\nrjMqen.exe
  2⤵
  PID:8540
- C:\Windows\System\caNCRPw.exe
  C:\Windows\System\caNCRPw.exe
  2⤵
  PID:9232
- C:\Windows\System\DrcfTbs.exe
  C:\Windows\System\DrcfTbs.exe
  2⤵
  PID:9264
- C:\Windows\System\CGfzrBk.exe
  C:\Windows\System\CGfzrBk.exe
  2⤵
  PID:9308
- C:\Windows\System\ZkWpsjA.exe
  C:\Windows\System\ZkWpsjA.exe
  2⤵
  PID:9328
- C:\Windows\System\OZBodZO.exe
  C:\Windows\System\OZBodZO.exe
  2⤵
  PID:9348
- C:\Windows\System\llmAaYT.exe
  C:\Windows\System\llmAaYT.exe
  2⤵
  PID:9372
- C:\Windows\System\kPJtWRg.exe
  C:\Windows\System\kPJtWRg.exe
  2⤵
  PID:9392
- C:\Windows\System\ShkdkwZ.exe
  C:\Windows\System\ShkdkwZ.exe
  2⤵
  PID:9432
- C:\Windows\System\IJsBZWA.exe
  C:\Windows\System\IJsBZWA.exe
  2⤵
  PID:9460
- C:\Windows\System\rIjaQmC.exe
  C:\Windows\System\rIjaQmC.exe
  2⤵
  PID:9476
- C:\Windows\System\ZPdiFcH.exe
  C:\Windows\System\ZPdiFcH.exe
  2⤵
  PID:9504
- C:\Windows\System\sUqiItX.exe
  C:\Windows\System\sUqiItX.exe
  2⤵
  PID:9532
- C:\Windows\System\zhSHXWK.exe
  C:\Windows\System\zhSHXWK.exe
  2⤵
  PID:9548
- C:\Windows\System\zmUNVnh.exe
  C:\Windows\System\zmUNVnh.exe
  2⤵
  PID:9600
- C:\Windows\System\QnmHSMs.exe
  C:\Windows\System\QnmHSMs.exe
  2⤵
  PID:9616
- C:\Windows\System\rhAzyMd.exe
  C:\Windows\System\rhAzyMd.exe
  2⤵
  PID:9644
- C:\Windows\System\BbvVRJm.exe
  C:\Windows\System\BbvVRJm.exe
  2⤵
  PID:9660
- C:\Windows\System\HtOJIRg.exe
  C:\Windows\System\HtOJIRg.exe
  2⤵
  PID:9684
- C:\Windows\System\wmQTMOj.exe
  C:\Windows\System\wmQTMOj.exe
  2⤵
  PID:9728
- C:\Windows\System\URQHVHE.exe
  C:\Windows\System\URQHVHE.exe
  2⤵
  PID:9756
- C:\Windows\System\qwbQuzy.exe
  C:\Windows\System\qwbQuzy.exe
  2⤵
  PID:9776
- C:\Windows\System\lufMBOG.exe
  C:\Windows\System\lufMBOG.exe
  2⤵
  PID:9800
- C:\Windows\System\aMUwdLe.exe
  C:\Windows\System\aMUwdLe.exe
  2⤵
  PID:9836
- C:\Windows\System\naKmoYy.exe
  C:\Windows\System\naKmoYy.exe
  2⤵
  PID:9856
- C:\Windows\System\ibiCnOi.exe
  C:\Windows\System\ibiCnOi.exe
  2⤵
  PID:9924
- C:\Windows\System\BcEAXSX.exe
  C:\Windows\System\BcEAXSX.exe
  2⤵
  PID:9952
- C:\Windows\System\kzTfpfF.exe
  C:\Windows\System\kzTfpfF.exe
  2⤵
  PID:9968
- C:\Windows\System\QCpnmQK.exe
  C:\Windows\System\QCpnmQK.exe
  2⤵
  PID:9992
- C:\Windows\System\hUIEWqX.exe
  C:\Windows\System\hUIEWqX.exe
  2⤵
  PID:10020
- C:\Windows\System\uoBwXRo.exe
  C:\Windows\System\uoBwXRo.exe
  2⤵
  PID:10052
- C:\Windows\System\PEuqJvx.exe
  C:\Windows\System\PEuqJvx.exe
  2⤵
  PID:10084
- C:\Windows\System\WuSqLiC.exe
  C:\Windows\System\WuSqLiC.exe
  2⤵
  PID:10124
- C:\Windows\System\kcGNsQe.exe
  C:\Windows\System\kcGNsQe.exe
  2⤵
  PID:10144
- C:\Windows\System\UndoXEW.exe
  C:\Windows\System\UndoXEW.exe
  2⤵
  PID:10184
- C:\Windows\System\yeVavOL.exe
  C:\Windows\System\yeVavOL.exe
  2⤵
  PID:10208
- C:\Windows\System\NZXrffO.exe
  C:\Windows\System\NZXrffO.exe
  2⤵
  PID:10228
- C:\Windows\System\bdoKrqk.exe
  C:\Windows\System\bdoKrqk.exe
  2⤵
  PID:9220
- C:\Windows\System\MKSzKPr.exe
  C:\Windows\System\MKSzKPr.exe
  2⤵
  PID:9320
- C:\Windows\System\lxiYxwl.exe
  C:\Windows\System\lxiYxwl.exe
  2⤵
  PID:9364
- C:\Windows\System\ExnGHzL.exe
  C:\Windows\System\ExnGHzL.exe
  2⤵
  PID:9428
- C:\Windows\System\LVrqBrU.exe
  C:\Windows\System\LVrqBrU.exe
  2⤵
  PID:9676
- C:\Windows\System\TahWuLt.exe
  C:\Windows\System\TahWuLt.exe
  2⤵
  PID:9700
- C:\Windows\System\wFyElvn.exe
  C:\Windows\System\wFyElvn.exe
  2⤵
  PID:9748
- C:\Windows\System\EQVhyhj.exe
  C:\Windows\System\EQVhyhj.exe
  2⤵
  PID:9796
- C:\Windows\System\GRlpoYY.exe
  C:\Windows\System\GRlpoYY.exe
  2⤵
  PID:9820
- C:\Windows\System\lIQWIVI.exe
  C:\Windows\System\lIQWIVI.exe
  2⤵
  PID:9808
- C:\Windows\System\qrYMUcq.exe
  C:\Windows\System\qrYMUcq.exe
  2⤵
  PID:9852
- C:\Windows\System\ZYEeStx.exe
  C:\Windows\System\ZYEeStx.exe
  2⤵
  PID:10048
- C:\Windows\System\dpJrJro.exe
  C:\Windows\System\dpJrJro.exe
  2⤵
  PID:9596
- C:\Windows\System\ViZjSyS.exe
  C:\Windows\System\ViZjSyS.exe
  2⤵
  PID:9368
- C:\Windows\System\zyLURUn.exe
  C:\Windows\System\zyLURUn.exe
  2⤵
  PID:9948
- C:\Windows\System\gUFChxW.exe
  C:\Windows\System\gUFChxW.exe
  2⤵
  PID:9484
- C:\Windows\System\WFjbsfr.exe
  C:\Windows\System\WFjbsfr.exe
  2⤵
  PID:9472
- C:\Windows\System\MdcbpIM.exe
  C:\Windows\System\MdcbpIM.exe
  2⤵
  PID:9524
- C:\Windows\System\sWVpdKi.exe
  C:\Windows\System\sWVpdKi.exe
  2⤵
  PID:9960
- C:\Windows\System\OKsJycv.exe
  C:\Windows\System\OKsJycv.exe
  2⤵
  PID:9768
- C:\Windows\System\bJPkHfP.exe
  C:\Windows\System\bJPkHfP.exe
  2⤵
  PID:10116
- C:\Windows\System\kGpXtcP.exe
  C:\Windows\System\kGpXtcP.exe
  2⤵
  PID:10236
- C:\Windows\System\AmcLfun.exe
  C:\Windows\System\AmcLfun.exe
  2⤵
  PID:9360
- C:\Windows\System\hzoNwgl.exe
  C:\Windows\System\hzoNwgl.exe
  2⤵
  PID:10008
- C:\Windows\System\jGEGTti.exe
  C:\Windows\System\jGEGTti.exe
  2⤵
  PID:10104
- C:\Windows\System\aKqXCTy.exe
  C:\Windows\System\aKqXCTy.exe
  2⤵
  PID:9656
- C:\Windows\System\ddcoYuC.exe
  C:\Windows\System\ddcoYuC.exe
  2⤵
  PID:9916
- C:\Windows\System\QVMfsfw.exe
  C:\Windows\System\QVMfsfw.exe
  2⤵
  PID:10248
- C:\Windows\System\gGsQezg.exe
  C:\Windows\System\gGsQezg.exe
  2⤵
  PID:10272
- C:\Windows\System\mEYGSxQ.exe
  C:\Windows\System\mEYGSxQ.exe
  2⤵
  PID:10288
- C:\Windows\System\spOVFhv.exe
  C:\Windows\System\spOVFhv.exe
  2⤵
  PID:10316
- C:\Windows\System\JytZZMw.exe
  C:\Windows\System\JytZZMw.exe
  2⤵
  PID:10336
- C:\Windows\System\LrWjrby.exe
  C:\Windows\System\LrWjrby.exe
  2⤵
  PID:10376
- C:\Windows\System\RnXkGLo.exe
  C:\Windows\System\RnXkGLo.exe
  2⤵
  PID:10392
- C:\Windows\System\eTKIRRM.exe
  C:\Windows\System\eTKIRRM.exe
  2⤵
  PID:10420
- C:\Windows\System\lDSzYYj.exe
  C:\Windows\System\lDSzYYj.exe
  2⤵
  PID:10436
- C:\Windows\System\DQQdxuY.exe
  C:\Windows\System\DQQdxuY.exe
  2⤵
  PID:10496
- C:\Windows\System\MHrIiZK.exe
  C:\Windows\System\MHrIiZK.exe
  2⤵
  PID:10516
- C:\Windows\System\kLsZRaq.exe
  C:\Windows\System\kLsZRaq.exe
  2⤵
  PID:10560
- C:\Windows\System\tOhUvTS.exe
  C:\Windows\System\tOhUvTS.exe
  2⤵
  PID:10596
- C:\Windows\System\haTInDN.exe
  C:\Windows\System\haTInDN.exe
  2⤵
  PID:10620
- C:\Windows\System\HFxiSfe.exe
  C:\Windows\System\HFxiSfe.exe
  2⤵
  PID:10640
- C:\Windows\System\yKlKTPF.exe
  C:\Windows\System\yKlKTPF.exe
  2⤵
  PID:10660
- C:\Windows\System\EdlHGwo.exe
  C:\Windows\System\EdlHGwo.exe
  2⤵
  PID:10680
- C:\Windows\System\jRJQqUz.exe
  C:\Windows\System\jRJQqUz.exe
  2⤵
  PID:10700
- C:\Windows\System\qbGDFzW.exe
  C:\Windows\System\qbGDFzW.exe
  2⤵
  PID:10728
- C:\Windows\System\QFYXCaa.exe
  C:\Windows\System\QFYXCaa.exe
  2⤵
  PID:10752
- C:\Windows\System\isBPlGM.exe
  C:\Windows\System\isBPlGM.exe
  2⤵
  PID:10772
- C:\Windows\System\WAwQaWH.exe
  C:\Windows\System\WAwQaWH.exe
  2⤵
  PID:10788
- C:\Windows\System\KOBekjb.exe
  C:\Windows\System\KOBekjb.exe
  2⤵
  PID:10848
- C:\Windows\System\eGXYsSe.exe
  C:\Windows\System\eGXYsSe.exe
  2⤵
  PID:10868
- C:\Windows\System\eGFXXcI.exe
  C:\Windows\System\eGFXXcI.exe
  2⤵
  PID:10892
- C:\Windows\System\AOeoZdf.exe
  C:\Windows\System\AOeoZdf.exe
  2⤵
  PID:10916
- C:\Windows\System\NacAvhY.exe
  C:\Windows\System\NacAvhY.exe
  2⤵
  PID:10984
- C:\Windows\System\kOgrwHk.exe
  C:\Windows\System\kOgrwHk.exe
  2⤵
  PID:11004
- C:\Windows\System\oCrypAd.exe
  C:\Windows\System\oCrypAd.exe
  2⤵
  PID:11024
- C:\Windows\System\nfCylce.exe
  C:\Windows\System\nfCylce.exe
  2⤵
  PID:11044
- C:\Windows\System\dkOSCPu.exe
  C:\Windows\System\dkOSCPu.exe
  2⤵
  PID:11104
- C:\Windows\System\OfSilsO.exe
  C:\Windows\System\OfSilsO.exe
  2⤵
  PID:11132
- C:\Windows\System\FNEhbxW.exe
  C:\Windows\System\FNEhbxW.exe
  2⤵
  PID:11156
- C:\Windows\System\SpULLLh.exe
  C:\Windows\System\SpULLLh.exe
  2⤵
  PID:11188
- C:\Windows\System\xuIYhoJ.exe
  C:\Windows\System\xuIYhoJ.exe
  2⤵
  PID:11208
- C:\Windows\System\tJNkfhs.exe
  C:\Windows\System\tJNkfhs.exe
  2⤵
  PID:11236
- C:\Windows\System\dKPSFOc.exe
  C:\Windows\System\dKPSFOc.exe
  2⤵
  PID:9444
- C:\Windows\System\SoOEsZC.exe
  C:\Windows\System\SoOEsZC.exe
  2⤵
  PID:10324
- C:\Windows\System\IqeUWOx.exe
  C:\Windows\System\IqeUWOx.exe
  2⤵
  PID:10384
- C:\Windows\System\drZXjag.exe
  C:\Windows\System\drZXjag.exe
  2⤵
  PID:10432
- C:\Windows\System\ySNmYMJ.exe
  C:\Windows\System\ySNmYMJ.exe
  2⤵
  PID:10512
- C:\Windows\System\utUQykt.exe
  C:\Windows\System\utUQykt.exe
  2⤵
  PID:10556
- C:\Windows\System\UYietHa.exe
  C:\Windows\System\UYietHa.exe
  2⤵
  PID:10628
- C:\Windows\System\eEpsVQq.exe
  C:\Windows\System\eEpsVQq.exe
  2⤵
  PID:10692
- C:\Windows\System\gQfTIWp.exe
  C:\Windows\System\gQfTIWp.exe
  2⤵
  PID:10744
- C:\Windows\System\bJOggzk.exe
  C:\Windows\System\bJOggzk.exe
  2⤵
  PID:10816
- C:\Windows\System\agyrTTT.exe
  C:\Windows\System\agyrTTT.exe
  2⤵
  PID:10884
- C:\Windows\System\EqAyecd.exe
  C:\Windows\System\EqAyecd.exe
  2⤵
  PID:10956
- C:\Windows\System\DhjqgZO.exe
  C:\Windows\System\DhjqgZO.exe
  2⤵
  PID:11000
- C:\Windows\System\ldtLJIY.exe
  C:\Windows\System\ldtLJIY.exe
  2⤵
  PID:10964
- C:\Windows\System\OyfxGXA.exe
  C:\Windows\System\OyfxGXA.exe
  2⤵
  PID:11200
- C:\Windows\System\oNBwJWg.exe
  C:\Windows\System\oNBwJWg.exe
  2⤵
  PID:9452
- C:\Windows\System\JqnFSxf.exe
  C:\Windows\System\JqnFSxf.exe
  2⤵
  PID:10284
- C:\Windows\System\XBNyPIn.exe
  C:\Windows\System\XBNyPIn.exe
  2⤵
  PID:10524
- C:\Windows\System\QURKFZJ.exe
  C:\Windows\System\QURKFZJ.exe
  2⤵
  PID:10636
- C:\Windows\System\qaSavLO.exe
  C:\Windows\System\qaSavLO.exe
  2⤵
  PID:10676
- C:\Windows\System\AVfzdPN.exe
  C:\Windows\System\AVfzdPN.exe
  2⤵
  PID:10784
- C:\Windows\System\FXYICzK.exe
  C:\Windows\System\FXYICzK.exe
  2⤵
  PID:10952
- C:\Windows\System\hElpmUG.exe
  C:\Windows\System\hElpmUG.exe
  2⤵
  PID:2816
- C:\Windows\System\XPMAvCq.exe
  C:\Windows\System\XPMAvCq.exe
  2⤵
  PID:11088
- C:\Windows\System\GwktDQY.exe
  C:\Windows\System\GwktDQY.exe
  2⤵
  PID:10404
- C:\Windows\System\McKmjYe.exe
  C:\Windows\System\McKmjYe.exe
  2⤵
  PID:10588
- C:\Windows\System\zvgMrLY.exe
  C:\Windows\System\zvgMrLY.exe
  2⤵
  PID:10876
- C:\Windows\System\opxexnE.exe
  C:\Windows\System\opxexnE.exe
  2⤵
  PID:10940
- C:\Windows\System\MiAOeAy.exe
  C:\Windows\System\MiAOeAy.exe
  2⤵
  PID:11272
- C:\Windows\System\JCdTQgH.exe
  C:\Windows\System\JCdTQgH.exe
  2⤵
  PID:11304
- C:\Windows\System\yWtiPUn.exe
  C:\Windows\System\yWtiPUn.exe
  2⤵
  PID:11324
- C:\Windows\System\YarSjxm.exe
  C:\Windows\System\YarSjxm.exe
  2⤵
  PID:11348
- C:\Windows\System\dPitfDb.exe
  C:\Windows\System\dPitfDb.exe
  2⤵
  PID:11368
- C:\Windows\System\OTidaIm.exe
  C:\Windows\System\OTidaIm.exe
  2⤵
  PID:11392
- C:\Windows\System\wGjLuFr.exe
  C:\Windows\System\wGjLuFr.exe
  2⤵
  PID:11424
- C:\Windows\System\saogzvC.exe
  C:\Windows\System\saogzvC.exe
  2⤵
  PID:11484
- C:\Windows\System\yfwhZtG.exe
  C:\Windows\System\yfwhZtG.exe
  2⤵
  PID:11500
- C:\Windows\System\vTqJQfz.exe
  C:\Windows\System\vTqJQfz.exe
  2⤵
  PID:11540
- C:\Windows\System\pVVjLtA.exe
  C:\Windows\System\pVVjLtA.exe
  2⤵
  PID:11556
- C:\Windows\System\yEHmJva.exe
  C:\Windows\System\yEHmJva.exe
  2⤵
  PID:11592
- C:\Windows\System\LzlLIic.exe
  C:\Windows\System\LzlLIic.exe
  2⤵
  PID:11620
- C:\Windows\System\VoccsCJ.exe
  C:\Windows\System\VoccsCJ.exe
  2⤵
  PID:11672
- C:\Windows\System\ZpkGnmH.exe
  C:\Windows\System\ZpkGnmH.exe
  2⤵
  PID:11692
- C:\Windows\System\McKStEF.exe
  C:\Windows\System\McKStEF.exe
  2⤵
  PID:11712
- C:\Windows\System\PDFOiyc.exe
  C:\Windows\System\PDFOiyc.exe
  2⤵
  PID:11728
- C:\Windows\System\uTQEprS.exe
  C:\Windows\System\uTQEprS.exe
  2⤵
  PID:11744
- C:\Windows\System\dMDmBOI.exe
  C:\Windows\System\dMDmBOI.exe
  2⤵
  PID:11796
- C:\Windows\System\llLWrma.exe
  C:\Windows\System\llLWrma.exe
  2⤵
  PID:11816
- C:\Windows\System\bSLoTSH.exe
  C:\Windows\System\bSLoTSH.exe
  2⤵
  PID:11852
- C:\Windows\System\dNbaDFq.exe
  C:\Windows\System\dNbaDFq.exe
  2⤵
  PID:11876
- C:\Windows\System\tTFXLAd.exe
  C:\Windows\System\tTFXLAd.exe
  2⤵
  PID:11896
- C:\Windows\System\KbfICuO.exe
  C:\Windows\System\KbfICuO.exe
  2⤵
  PID:11912
- C:\Windows\System\ggrWHLa.exe
  C:\Windows\System\ggrWHLa.exe
  2⤵
  PID:11956
- C:\Windows\System\PgzqNCc.exe
  C:\Windows\System\PgzqNCc.exe
  2⤵
  PID:11976
- C:\Windows\System\CfwsJRJ.exe
  C:\Windows\System\CfwsJRJ.exe
  2⤵
  PID:12004
- C:\Windows\System\qCryHnX.exe
  C:\Windows\System\qCryHnX.exe
  2⤵
  PID:12060
- C:\Windows\System\wddGmuU.exe
  C:\Windows\System\wddGmuU.exe
  2⤵
  PID:12096
- C:\Windows\System\ToHLhzS.exe
  C:\Windows\System\ToHLhzS.exe
  2⤵
  PID:12120
- C:\Windows\System\jGJSNUK.exe
  C:\Windows\System\jGJSNUK.exe
  2⤵
  PID:12144
- C:\Windows\System\CucKgLe.exe
  C:\Windows\System\CucKgLe.exe
  2⤵
  PID:12164
- C:\Windows\System\JyuyDDD.exe
  C:\Windows\System\JyuyDDD.exe
  2⤵
  PID:12188
- C:\Windows\System\NPPzdTc.exe
  C:\Windows\System\NPPzdTc.exe
  2⤵
  PID:12208
- C:\Windows\System\jxDsJuQ.exe
  C:\Windows\System\jxDsJuQ.exe
  2⤵
  PID:12252
- C:\Windows\System\GvkDzWC.exe
  C:\Windows\System\GvkDzWC.exe
  2⤵
  PID:12276
- C:\Windows\System\tQQJoSR.exe
  C:\Windows\System\tQQJoSR.exe
  2⤵
  PID:10936
- C:\Windows\System\KlMldwV.exe
  C:\Windows\System\KlMldwV.exe
  2⤵
  PID:11316
- C:\Windows\System\NYiYaDd.exe
  C:\Windows\System\NYiYaDd.exe
  2⤵
  PID:11364
- C:\Windows\System\eUWfYTW.exe
  C:\Windows\System\eUWfYTW.exe
  2⤵
  PID:11508
- C:\Windows\System\GFekEQt.exe
  C:\Windows\System\GFekEQt.exe
  2⤵
  PID:11536
- C:\Windows\System\qwCLeOq.exe
  C:\Windows\System\qwCLeOq.exe
  2⤵
  PID:11608
- C:\Windows\System\aCInzQm.exe
  C:\Windows\System\aCInzQm.exe
  2⤵
  PID:11648
- C:\Windows\System\zIPGpdX.exe
  C:\Windows\System\zIPGpdX.exe
  2⤵
  PID:11736
- C:\Windows\System\LbxasYT.exe
  C:\Windows\System\LbxasYT.exe
  2⤵
  PID:11776
- C:\Windows\System\iyCFljh.exe
  C:\Windows\System\iyCFljh.exe
  2⤵
  PID:11772
- C:\Windows\System\xNzqqpL.exe
  C:\Windows\System\xNzqqpL.exe
  2⤵
  PID:11908
- C:\Windows\System\rEFgOaz.exe
  C:\Windows\System\rEFgOaz.exe
  2⤵
  PID:11888
- C:\Windows\System\TXcsyuZ.exe
  C:\Windows\System\TXcsyuZ.exe
  2⤵
  PID:11984
- C:\Windows\System\qULYfXj.exe
  C:\Windows\System\qULYfXj.exe
  2⤵
  PID:4456
- C:\Windows\System\LNbJZxq.exe
  C:\Windows\System\LNbJZxq.exe
  2⤵
  PID:12068
- C:\Windows\System\LSGSVkb.exe
  C:\Windows\System\LSGSVkb.exe
  2⤵
  PID:12172
- C:\Windows\System\jclUtaI.exe
  C:\Windows\System\jclUtaI.exe
  2⤵
  PID:12228
- C:\Windows\System\PfmPapA.exe
  C:\Windows\System\PfmPapA.exe
  2⤵
  PID:11356
- C:\Windows\System\WklAkWf.exe
  C:\Windows\System\WklAkWf.exe
  2⤵
  PID:11448
- C:\Windows\System\sVtrIup.exe
  C:\Windows\System\sVtrIup.exe
  2⤵
  PID:11636
- C:\Windows\System\hqRDZXT.exe
  C:\Windows\System\hqRDZXT.exe
  2⤵
  PID:11720
- C:\Windows\System\MNawvlx.exe
  C:\Windows\System\MNawvlx.exe
  2⤵
  PID:11804
- C:\Windows\System\ZVyBJxs.exe
  C:\Windows\System\ZVyBJxs.exe
  2⤵
  PID:4968
- C:\Windows\System\AWrcemm.exe
  C:\Windows\System\AWrcemm.exe
  2⤵
  PID:2184
- C:\Windows\System\URltnsu.exe
  C:\Windows\System\URltnsu.exe
  2⤵
  PID:12136
- C:\Windows\System\jTnETKy.exe
  C:\Windows\System\jTnETKy.exe
  2⤵
  PID:11300
- C:\Windows\System\BmJwkKe.exe
  C:\Windows\System\BmJwkKe.exe
  2⤵
  PID:5004
- C:\Windows\System\oAzFNXC.exe
  C:\Windows\System\oAzFNXC.exe
  2⤵
  PID:4152
- C:\Windows\System\FvXGwER.exe
  C:\Windows\System\FvXGwER.exe
  2⤵
  PID:1896
- C:\Windows\System\SljSZMV.exe
  C:\Windows\System\SljSZMV.exe
  2⤵
  PID:3396
- C:\Windows\System\VajmrtB.exe
  C:\Windows\System\VajmrtB.exe
  2⤵
  PID:12000
- C:\Windows\System\fUAxRlD.exe
  C:\Windows\System\fUAxRlD.exe
  2⤵
  PID:11944
- C:\Windows\System\qkrTcsO.exe
  C:\Windows\System\qkrTcsO.exe
  2⤵
  PID:12300
- C:\Windows\System\cYVNlcQ.exe
  C:\Windows\System\cYVNlcQ.exe
  2⤵
  PID:12320
- C:\Windows\System\JCKgyKX.exe
  C:\Windows\System\JCKgyKX.exe
  2⤵
  PID:12348
- C:\Windows\System\KxHgaqA.exe
  C:\Windows\System\KxHgaqA.exe
  2⤵
  PID:12368
- C:\Windows\System\tENgeJO.exe
  C:\Windows\System\tENgeJO.exe
  2⤵
  PID:12388
- C:\Windows\System\iqJqlrl.exe
  C:\Windows\System\iqJqlrl.exe
  2⤵
  PID:12412
- C:\Windows\System\LHHuCTa.exe
  C:\Windows\System\LHHuCTa.exe
  2⤵
  PID:12436
- C:\Windows\System\tsJpdsE.exe
  C:\Windows\System\tsJpdsE.exe
  2⤵
  PID:12452
- C:\Windows\System\JUaWbPZ.exe
  C:\Windows\System\JUaWbPZ.exe
  2⤵
  PID:12476
- C:\Windows\System\qAoaAyX.exe
  C:\Windows\System\qAoaAyX.exe
  2⤵
  PID:12540
- C:\Windows\System\dvToomO.exe
  C:\Windows\System\dvToomO.exe
  2⤵
  PID:12580
- C:\Windows\System\PKXjuTF.exe
  C:\Windows\System\PKXjuTF.exe
  2⤵
  PID:12608
- C:\Windows\System\cuYgiZW.exe
  C:\Windows\System\cuYgiZW.exe
  2⤵
  PID:12628
- C:\Windows\System\VkZhTth.exe
  C:\Windows\System\VkZhTth.exe
  2⤵
  PID:12668
- C:\Windows\System\EcqVKHd.exe
  C:\Windows\System\EcqVKHd.exe
  2⤵
  PID:12692
- C:\Windows\System\xeScpdz.exe
  C:\Windows\System\xeScpdz.exe
  2⤵
  PID:12708
- C:\Windows\System\pMChzgV.exe
  C:\Windows\System\pMChzgV.exe
  2⤵
  PID:12724
- C:\Windows\System\WIGjkfe.exe
  C:\Windows\System\WIGjkfe.exe
  2⤵
  PID:12760
- C:\Windows\System\CiZyTNU.exe
  C:\Windows\System\CiZyTNU.exe
  2⤵
  PID:12792
- C:\Windows\System\SHNpWLM.exe
  C:\Windows\System\SHNpWLM.exe
  2⤵
  PID:12816
- C:\Windows\System\IEhDDCl.exe
  C:\Windows\System\IEhDDCl.exe
  2⤵
  PID:12836
- C:\Windows\System\tedePdQ.exe
  C:\Windows\System\tedePdQ.exe
  2⤵
  PID:12860
- C:\Windows\System\CwSKNjc.exe
  C:\Windows\System\CwSKNjc.exe
  2⤵
  PID:12892
- C:\Windows\System\KzKTmPz.exe
  C:\Windows\System\KzKTmPz.exe
  2⤵
  PID:12916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3z2btbar.r4z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AmZGoBg.exe

Filesize
1.7MB

MD5
d11e4f6f9b8790ea5cb8d1fd2fb95a9e

SHA1
e0e5ecd7fb4c3e67329e895a56e249379b69da68

SHA256
4031b501366cd6b24841e7af1d9af0e8b309a68455ccb7613656f18d9f4f2cad

SHA512
a23d05690969491e953a16ac6a1fec2d817fa67aed0a5138966e1ed01e588c16bee8e56317f3381276e8a527157d831523e5efd57a77069c56f7aa2873c784ca

Download Submit
C:\Windows\System\ArBrHtr.exe

Filesize
1.7MB

MD5
5306c6876d90fd66ff516fe4cafa431f

SHA1
5ca1b220cd80559f5e036a1cb0aa6c5c38b702d5

SHA256
7418eba56f25f81ec202c267457305c33a2f59d1ab54f3429055d80c08bda214

SHA512
b19a4ad3547908cccbec2bbb87abf41ca3536c195600a0af2272ed1ed01fed18f345fa788c4c15001590c0286823f1fc25b133d92ac249e44951306dc99ee7ec

Download Submit
C:\Windows\System\AwPhaAx.exe

Filesize
1.7MB

MD5
03ed4341aca79419f734b61d16ca9410

SHA1
39be2af5b247800255d19c0a6158298ab5d1ad7c

SHA256
c700303a37c45209899634be9bc5b3a0b18c9c99719c4893972d3db4cac21da0

SHA512
047dbd70e12d378d324d7bdba04beef33ff8cc1c2ca00ea041002e12a569d7601d9007a7509bd27147b048ad79d714b9966d6fc311e83492d50a80ee62419d67

Download Submit
C:\Windows\System\CQtaedz.exe

Filesize
1.7MB

MD5
ca928f6038e45451661cd978bb8a30a7

SHA1
60d9fe11fff3baf416df5c1e2b53bd267297095d

SHA256
c53071794dd50fcbfce49649f31ca1a96f64106ad5d87cbd0e55859769342bf8

SHA512
15cfa16f8fabda6fdb07c4de3d9747c3a868aa4ad73cb3b796138aa82f7b83a0492919bf55ce9040fcb19a7d062dd47bc69cc9f289ae90cbd511fc6e328f15a5

Download Submit
C:\Windows\System\DNSyPyY.exe

Filesize
1.7MB

MD5
3f52b9c5b665dd9215639ef8ace8edba

SHA1
a8c3599de40a1a4da562bb5a43ee852d236b7734

SHA256
5ac951b516bd3938daab2094e6065aa0e64b3be4fff91ebb99628d63ec5cde17

SHA512
79786da1570a78ccb71e9010b64622d520ea5c23b65d0b329509836423b87f47dbfe6b8ef03155d653aa170c75a35b17e772a9e8f3400d77855582ddcd639626

Download Submit
C:\Windows\System\EBeslQK.exe

Filesize
1.7MB

MD5
ffebf0e56fc2b84aa2d06e3890c47705

SHA1
9d63355ea61cc27104576d9c8e28adad08c4038b

SHA256
043770be37f61cc270eeb98b16f265f2ab1708f3e36327e194dac4bc0c96ce36

SHA512
45d612182b774ea4fe1f2340f283d620478f5cc733d8f1336715c68d83f5366ac39df103ab21784e38dfe039c8e5a71b2fefec604494d82511fa9ab1e99d3028

Download Submit
C:\Windows\System\HjVWpeB.exe

Filesize
1.7MB

MD5
b138095fa2fbaffa19bfc059d6a41e7b

SHA1
33d39098965e3dbe1ca92b153978cf2351f14315

SHA256
1574d408dd5b7d749fea513ccae242f2798fae8742bbed549da7c0cfa4bbebb5

SHA512
8ee3505367cbb98edda25621b06f689fe23686cb5561297bd32d6df0d86543c4137ed589329cef567d75513754bedcd926289ad4c0c6c77f82bb65fce9fad6d9

Download Submit
C:\Windows\System\IqaOtWe.exe

Filesize
1.7MB

MD5
8b589ba941ba676aee207a74c132c520

SHA1
a183e14c455d90e99f2e5b3738a3a2373016f9a0

SHA256
8d7e957d657d8fbc428cf3f021b03af22161b5d7dcd4d733b314d90fd55cfda2

SHA512
e2aeca4f10c6dbd3e78fd970d20256c9f09b15a875db8009dc11ac5d610e02e52c135ac18a434f28082b50953b342e2e5247aaf1b10beed5594396c4012b00c9

Download Submit
C:\Windows\System\KtxEAtC.exe

Filesize
1.7MB

MD5
8f0fa43f011f825bceb2454f5086182b

SHA1
26055d3cd0919f320737e3aa42de429e950837c1

SHA256
c391695b8c7ebdafb7baea273d1495f803b3075b0c1656cc1a3a390d8d2ba3de

SHA512
3c4351e71a04f46a4631893dcc76c2f39c6635db936d02abf8c47ba8fadfa3da8f4b9cdec2f5269feba8931d769850297f439708e02ca93001d9a07a7e47634d

Download Submit
C:\Windows\System\MASltkD.exe

Filesize
1.7MB

MD5
b54dcda5bf20db8365c7e765497a53f6

SHA1
55279ad5263f58e65dd738590130460d807e2b8c

SHA256
605f6f8cb00ca0f4fb199b93a8f8881909e6beffd19bc7a334339a6298876412

SHA512
a0fd787397f48d30d09e0350c564b7d5ac111ad213aa0801c2878ba00e1288ce0fd9d55058d5041626e248d540e0e7cd253e02b00a7700e1083e7bcbfd936ac8

Download Submit
C:\Windows\System\MhtJstK.exe

Filesize
1.7MB

MD5
b9ef885e72814330b5e2c58ebf4e02ef

SHA1
be08f1d9e8b25d620d2035256b1358abb6c37fd7

SHA256
fe547607c09d89341ffde918e7dbcbb96ffa11e5e30b33412fd87b0aa24969ca

SHA512
6de0eb17927b43691ecf7c10a56598a299dd82c7d2c3e01945246ebacb6070bdf1d644bd165121dab7acc5252256a168ec7529cf6849a7396232b4b59339efe9

Download Submit
C:\Windows\System\NBDkENV.exe

Filesize
1.7MB

MD5
731e74a28a6ceafc6ac3c3f6099cb055

SHA1
c93f5bf5bd60461e668d43420f5691d06fb45de7

SHA256
62978f395d2d6cdb84253fd16d6caa944aa0ce53190ddf468d61a237ef17dad5

SHA512
06cfbea68c1183212fa5f92f5b63b08d66b895fb3ee582eecefc9d7cb5d10fc878d114926db979de26a764b4665660225d5a747d02a03256fd3fe1223df2cb9c

Download Submit
C:\Windows\System\PTMArfq.exe

Filesize
1.7MB

MD5
c20a147c036a902b6b11da0747fb580e

SHA1
1a4575066a88bb87605d24696e9c701d35131d36

SHA256
cec630c0a86fb3009054c46cb81ec118be99bfa6c2b6cb9be496c144af9939d4

SHA512
8ee155df458a3529cce2637099584e2d42a204b05cfb90ffdab61ea2566f70bf28f1c3588c8dc8a0750cb01790b90ca69ce65d527293eac6564ea855e842d898

Download Submit
C:\Windows\System\RQLWPsW.exe

Filesize
1.7MB

MD5
e1267280e8815e8cefd0e9c96499fd30

SHA1
7fc536d338b3360e72f3e0557872d2838a943c54

SHA256
9a3c483541013e2b2fb094877f771eead63c0c8349c7ceeb4e7a74adb9c96cf6

SHA512
f5b1cd97b484672ae7864ddae68b5e2599bf2fb98f0c5ce24677244080608285dcd6a82d304bbd1ab7ee120d059779d3a9a3bfe6e501f6a88262480d4a40461f

Download Submit
C:\Windows\System\RdtZDrw.exe

Filesize
1.7MB

MD5
306d114f89415b4e4d74fd581d62105e

SHA1
603ae98ea64bbf59da106060b4b9aa1d486995a6

SHA256
18145ea7e243349bdad3ce4eb333e6a0b0ba3702387529fe381269779c27324c

SHA512
e2dc1c991b76dc8ece9de2afb48937897eef434c1f1b9bafde10438a013a53018476b893d98387cd4f16f0bad27004d28c7274e6d816bcd58b9bc92ed863f2c0

Download Submit
C:\Windows\System\XWcrXEI.exe

Filesize
1.7MB

MD5
af5a01b7124983d2f5736d89a9572ffc

SHA1
89cad5f34bc7d030876c835541d5f271f9f41c68

SHA256
ec61f7f89444bc2772e2bd8764bc2a154c8a9b6750f80751e50cc4da4aeacf61

SHA512
256e4d2ccb2ee733cfe826214b01e5efa8cb94229d3f1b0031242f7fbf3c4c0fb268afe059ff3bcaabe2cc0f4c2686d53db0248181b101c5a913898699c2bda0

Download Submit
C:\Windows\System\ZnTszoX.exe

Filesize
1.7MB

MD5
e73464bc9c862933324bb25da0f696a7

SHA1
583b61192f3e7a3a2d6bdb00be749a8e234662f2

SHA256
8c1cd54ba2e7423009b188e2868e9b7611a4be09693c44ee4a8a75c018dec39a

SHA512
a1f6300dc857e1f71a769275354d30c221c29bea3dc08bdce03219384a8a36a352f356394d1d2e895a0b9db0374bb974951d61e9458eb9c0c0a424fb9e2de7bd

Download Submit
C:\Windows\System\aOgEGrx.exe

Filesize
1.7MB

MD5
67c5b522eb697dc90fafa7f694062201

SHA1
1bbf25d3f80e0d684d87b40176d7777a1374e946

SHA256
f3dccb854a8bd3bb38069ac38d8544cf20adfc88b7725254488d2b4910b981b5

SHA512
7183763d8d33cb0d8633d7ce2ad651389f70c46e725413aa3de54569829749ab4aeec9e95a454d96218dff361ff52335663ff71deed15eb46c0b04f65a1a9e15

Download Submit
C:\Windows\System\cLBdvmi.exe

Filesize
1.7MB

MD5
ac73f679b4417116a84c1cf1697f042d

SHA1
304af8d2f279602e28030c211e6b53fe934601a5

SHA256
c3a756ddf30081573f1b38c29d078a322bf49af6a296cae1ed192c1e5e081d4b

SHA512
2b06a7b6f0d21870a8c30fb402bcf29b875c6d8e56099a7a56782e60c01bebc046a7df7219e07a5e14990ca743812fd20dd2d402630943775b55f418ff8eec3e

Download Submit
C:\Windows\System\cZAPiKg.exe

Filesize
1.7MB

MD5
4133b2e59485eaa177d3c16d5afb5c4f

SHA1
07aaab9e97d13aa53f76c53e7516ec79cfbabd72

SHA256
5bf02360bedc546857b91fbcb883d7d1621f7c1a8449ab124d45d928f2193eec

SHA512
0ba18eb33450ef89fa1a25092708319bead29eb6b4378b40e883ab282b0625076b2526b8ab360695e188657ed5d4e408e4ca0cf095573b067f525e8124ae6911

Download Submit
C:\Windows\System\flZdVyA.exe

Filesize
1.7MB

MD5
10d95a3647241d0deb394b6c724ee27d

SHA1
9f678a1d60e45390167683cd195fb6ad07df8ea1

SHA256
2bd480963bd2cab2a18ae6121a400bf3d7de11b89b9e32354cd6001854d86f54

SHA512
f9d8a2f4169e9f54c8c775b1ea2d8822a92d3f5b5da1631ec4f7b5af8081fb0113454902052e75c33648690f936b0d44b9d340118c9a7b421f1ca0891a8bc8c6

Download Submit
C:\Windows\System\jJrAdzX.exe

Filesize
1.7MB

MD5
3daf6c7ad4a269322e9f51a4927a40d0

SHA1
c6471bcde0ab962252f8282eef72f37de370eda7

SHA256
4a8c54f549dbd7a0b2c9e4a6dfc6f2fc5cc501415c95f2a7393b0ede7996cd0e

SHA512
f51490207a26038641dc6151c4d00ef46a59b78263d6b4bc2ad32ee6d67acc5e62be17706da1865c503b4041c70342050d346a6610c44ceeb6a0f18ecaf08564

Download Submit
C:\Windows\System\kUlVEbz.exe

Filesize
1.7MB

MD5
7d8e97dbf111efa2c479493a593225b2

SHA1
9802b1d82ef2ba8ef2862f10adf48ff3a63d6bf9

SHA256
2aafc7c674fc40e4b1d64974b36f88de76330916d1db80fccd94686568f1a2c3

SHA512
d6cb57a655ecabe79dc20ee1fbbfe4917a6599d9340f23e9530002b640b2d6451d5b20e1b15258783b3c0cd7e62db787c972da0d78032462d4d6ba48e9517c7d

Download Submit
C:\Windows\System\lgEMyMV.exe

Filesize
1.7MB

MD5
df19394aa2f01edaf78cb222ce07f555

SHA1
19598aa00b5859b2085c4d795a8eda00b298309e

SHA256
aebfbbf2029690a9922bbfcef7b360ac55f1fdbc60e86b35140e2671d28196f4

SHA512
febae2cddbdc536677a8bf6412027b7a76f1bb9c3250407dbb89723b9cd67a5ba7265159d36fc461e3c51bee877a1a0eae850dd89239408f46cb2684b8344c8b

Download Submit
C:\Windows\System\lrJAjLH.exe

Filesize
1.7MB

MD5
b5abb30a173ea3a9063a9d442a605891

SHA1
f572066729e5f876468ef66e31c19f8946d5fd3b

SHA256
311fe94d658914cecfc82664a651bce8581e3fce1fa0e8326425fabbe83e5650

SHA512
9eb55be87592ec48f3f5d2cfa835b2daa2462ac3292426c93768572aa0738256862f94d0b595e64dc59a2fa4b519dd9c228e09af8efa6489bd326516daa9d1de

Download Submit
C:\Windows\System\nfIAhNi.exe

Filesize
1.7MB

MD5
fc033beee960fafecbb15b03bf7f7a16

SHA1
5d488c4f20609a357c71eae23e44f358e4fb64ea

SHA256
ee772f479764d7f935046f204fc8c5f705b2ea2c1507b499d82dfa2485907104

SHA512
b654d7432bd1047a41b87b37953fca4753ca5612de5546a727529d10390560820f5e4ada0cb7a4dd9bade8abc34fc4f38570d4e7dabce9d2f124e0506f2d382f

Download Submit
C:\Windows\System\piQxPnO.exe

Filesize
1.7MB

MD5
b9e2d1c589199de4a32e85c8b1f7940e

SHA1
5df388001337fae78b06d117010bbc32258627aa

SHA256
d616dfe8a54af9a7fc4f149f33cd3927f11844fff18858d0b5cd73e54f3d916b

SHA512
a63310728ac23cb3770ba56048c46a85a6005a90b402305e767e07b6e78f1c401cc63ba57698b2942ef583ff2683305d22d30dbcc96ae5a2a57a61af93923fac

Download Submit
C:\Windows\System\pjcBSnk.exe

Filesize
1.7MB

MD5
1e6d082ea3e92dda6ad23663674b34d6

SHA1
990ccbd63a4e530b1afa312cae02e165d322833e

SHA256
2231a8512e0afc954b568d715a59360f82911a2b357c23540d3a716a259f5459

SHA512
e69260f18505db0dd01955eae4c1e519731cc37e04b7dbe5d34297e486535ffd97baddc3faa2911ce876a714afeb5fc1f6e6940b4a5e016ada919c476c51c9d6

Download Submit
C:\Windows\System\qVSuyQY.exe

Filesize
1.7MB

MD5
eb2c5b0df6aa7090ee95857f747d9ae7

SHA1
c8631deede1ab60becd046c13e5de1ff0ab0849f

SHA256
0fb1d87b7c62663b619d2a60bda9e9ca4490b0818e6210376d8eee843e328f6d

SHA512
2cf9bb989466bc55392fefc3eb0e118c238a779309f1de59665fead40c17c4b9b30306af47996b04968399d61ad838d73c19e2b478baa6291a7698c5b65b2dd5

Download Submit
C:\Windows\System\sVPjhGX.exe

Filesize
1.7MB

MD5
6fdd2ba820a6404a0255772b1af4a117

SHA1
1bb32ed9952f481650c8d83d3260eefcb8066ea0

SHA256
91a18b919f971a01eb4dfc89be444836970d13f0ee0d0a6e2fcc40ccc7bcaf6c

SHA512
5abc36bb9ed1813582251082b76e47252c1e86bb0816c40fad1f8b29ebd07ee307d59a47d62ce1be597b77db73227f2303b29eed47be766a4670e2a103a22907

Download Submit
C:\Windows\System\uqwdJSY.exe

Filesize
1.7MB

MD5
68ad44eafc7f68cb57ad8d4db5f23b4f

SHA1
7d560eda791f4d1d0456b4ef51e9b08639b5d9a7

SHA256
13a79504cc425d6566b72015ec48992fd9bd157e0b769e3c3088d3d2cee82feb

SHA512
3b5e294c6fb2cbcd3250f84640380dad367e8c443da265bcad193b07177760e8ee9a5fed121f6951493288c9f7ba1b5d3d75c7fb5917f7b4fef1c2d7d57a351f

Download Submit
C:\Windows\System\vRAarKU.exe

Filesize
1.7MB

MD5
6a1f21d424a14dac6f552cc987c886fe

SHA1
476450c8e1c4c38bc4f53da9f30ba3db332369ba

SHA256
c001d0957f8ddad007744b18a9b6bf85702ba3f1b850fd6d3ce9c4e494fa8daf

SHA512
79d1e9239c9ebc57bcc9ebe0baa9860324d924bfbb1a24b13c862ff961be9e9b05b355a264f7a4c1884bf45dc7c0b8d711d1606f3121c45c3f2b40503e5b4f67

Download Submit
C:\Windows\System\yHqZlRx.exe

Filesize
1.7MB

MD5
f05e44a12503efff9cb732ff1b9a1f33

SHA1
b81e24c4510504cc69e6359e590cb4a34fa8c942

SHA256
c9bbae98cfe218810462a27e46e9f5cc322a6c24af2ffded657fbd3bc72f798f

SHA512
e6b6cc7e8b7dbadc9a3655cf24173243a3cc96f8213aeacef0a55c1818be88a2937e05faa442f185111d17d4c8ee35f1f1ced105178646d59bf0d691e8ba175d

Download Submit
memory/224-141-0x00007FF79B430000-0x00007FF79B822000-memory.dmp

Filesize
3.9MB

Download
memory/224-2068-0x00007FF79B430000-0x00007FF79B822000-memory.dmp

Filesize
3.9MB

Download
memory/344-2085-0x00007FF7BD420000-0x00007FF7BD812000-memory.dmp

Filesize
3.9MB

Download
memory/344-102-0x00007FF7BD420000-0x00007FF7BD812000-memory.dmp

Filesize
3.9MB

Download
memory/1168-0-0x00007FF75CEF0000-0x00007FF75D2E2000-memory.dmp

Filesize
3.9MB

Download
memory/1168-1983-0x00007FF75CEF0000-0x00007FF75D2E2000-memory.dmp

Filesize
3.9MB

Download
memory/1168-1-0x000001BA4F2D0000-0x000001BA4F2E0000-memory.dmp

Filesize
64KB

Download
memory/1616-2081-0x00007FF67A620000-0x00007FF67AA12000-memory.dmp

Filesize
3.9MB

Download
memory/1616-113-0x00007FF67A620000-0x00007FF67AA12000-memory.dmp

Filesize
3.9MB

Download
memory/1912-2028-0x00007FF7FA3E0000-0x00007FF7FA7D2000-memory.dmp

Filesize
3.9MB

Download
memory/1912-125-0x00007FF7FA3E0000-0x00007FF7FA7D2000-memory.dmp

Filesize
3.9MB

Download
memory/1912-2071-0x00007FF7FA3E0000-0x00007FF7FA7D2000-memory.dmp

Filesize
3.9MB

Download
memory/1968-2065-0x00007FF71C230000-0x00007FF71C622000-memory.dmp

Filesize
3.9MB

Download
memory/1968-79-0x00007FF71C230000-0x00007FF71C622000-memory.dmp

Filesize
3.9MB

Download
memory/2344-7-0x00007FF761EF0000-0x00007FF7622E2000-memory.dmp

Filesize
3.9MB

Download
memory/2344-2045-0x00007FF761EF0000-0x00007FF7622E2000-memory.dmp

Filesize
3.9MB

Download
memory/2344-1994-0x00007FF761EF0000-0x00007FF7622E2000-memory.dmp

Filesize
3.9MB

Download
memory/2512-2053-0x00007FF747A90000-0x00007FF747E82000-memory.dmp

Filesize
3.9MB

Download
memory/2512-71-0x00007FF747A90000-0x00007FF747E82000-memory.dmp

Filesize
3.9MB

Download
memory/2524-2038-0x00007FFE895B0000-0x00007FFE8A071000-memory.dmp

Filesize
10.8MB

Download
memory/2524-398-0x0000015DA5820000-0x0000015DA5FC6000-memory.dmp

Filesize
7.6MB

Download
memory/2524-8-0x00007FFE895B3000-0x00007FFE895B5000-memory.dmp

Filesize
8KB

Download
memory/2524-1995-0x00007FFE895B3000-0x00007FFE895B5000-memory.dmp

Filesize
8KB

Download
memory/2524-1992-0x00007FFE895B0000-0x00007FFE8A071000-memory.dmp

Filesize
10.8MB

Download
memory/2524-17-0x00007FFE895B0000-0x00007FFE8A071000-memory.dmp

Filesize
10.8MB

Download
memory/2524-49-0x00007FFE895B0000-0x00007FFE8A071000-memory.dmp

Filesize
10.8MB

Download
memory/2524-34-0x0000015DA2B00000-0x0000015DA2B22000-memory.dmp

Filesize
136KB

Download
memory/2656-88-0x00007FF763A90000-0x00007FF763E82000-memory.dmp

Filesize
3.9MB

Download
memory/2656-2055-0x00007FF763A90000-0x00007FF763E82000-memory.dmp

Filesize
3.9MB

Download
memory/2760-109-0x00007FF64DE70000-0x00007FF64E262000-memory.dmp

Filesize
3.9MB

Download
memory/2760-2083-0x00007FF64DE70000-0x00007FF64E262000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2076-0x00007FF6439A0000-0x00007FF643D92000-memory.dmp

Filesize
3.9MB

Download
memory/2884-133-0x00007FF6439A0000-0x00007FF643D92000-memory.dmp

Filesize
3.9MB

Download
memory/2884-2029-0x00007FF6439A0000-0x00007FF643D92000-memory.dmp

Filesize
3.9MB

Download
memory/3048-85-0x00007FF7845F0000-0x00007FF7849E2000-memory.dmp

Filesize
3.9MB

Download
memory/3048-2062-0x00007FF7845F0000-0x00007FF7849E2000-memory.dmp

Filesize
3.9MB

Download
memory/3444-2089-0x00007FF79B780000-0x00007FF79BB72000-memory.dmp

Filesize
3.9MB

Download
memory/3444-171-0x00007FF79B780000-0x00007FF79BB72000-memory.dmp

Filesize
3.9MB

Download
memory/3448-2087-0x00007FF6AE290000-0x00007FF6AE682000-memory.dmp

Filesize
3.9MB

Download
memory/3448-177-0x00007FF6AE290000-0x00007FF6AE682000-memory.dmp

Filesize
3.9MB

Download
memory/3632-53-0x00007FF72F730000-0x00007FF72FB22000-memory.dmp

Filesize
3.9MB

Download
memory/3632-2047-0x00007FF72F730000-0x00007FF72FB22000-memory.dmp

Filesize
3.9MB

Download
memory/3772-82-0x00007FF6A3C80000-0x00007FF6A4072000-memory.dmp

Filesize
3.9MB

Download
memory/3772-2061-0x00007FF6A3C80000-0x00007FF6A4072000-memory.dmp

Filesize
3.9MB

Download
memory/3932-2058-0x00007FF649700000-0x00007FF649AF2000-memory.dmp

Filesize
3.9MB

Download
memory/3932-99-0x00007FF649700000-0x00007FF649AF2000-memory.dmp

Filesize
3.9MB

Download
memory/4148-2049-0x00007FF6CA070000-0x00007FF6CA462000-memory.dmp

Filesize
3.9MB

Download
memory/4148-24-0x00007FF6CA070000-0x00007FF6CA462000-memory.dmp

Filesize
3.9MB

Download
memory/4148-1993-0x00007FF6CA070000-0x00007FF6CA462000-memory.dmp

Filesize
3.9MB

Download
memory/4256-2082-0x00007FF71B460000-0x00007FF71B852000-memory.dmp

Filesize
3.9MB

Download
memory/4256-159-0x00007FF71B460000-0x00007FF71B852000-memory.dmp

Filesize
3.9MB

Download
memory/4464-117-0x00007FF7EFE50000-0x00007FF7F0242000-memory.dmp

Filesize
3.9MB

Download
memory/4464-2027-0x00007FF7EFE50000-0x00007FF7F0242000-memory.dmp

Filesize
3.9MB

Download
memory/4464-2077-0x00007FF7EFE50000-0x00007FF7F0242000-memory.dmp

Filesize
3.9MB

Download
memory/4656-150-0x00007FF7F1B90000-0x00007FF7F1F82000-memory.dmp

Filesize
3.9MB

Download
memory/4656-2073-0x00007FF7F1B90000-0x00007FF7F1F82000-memory.dmp

Filesize
3.9MB

Download
memory/4672-151-0x00007FF737660000-0x00007FF737A52000-memory.dmp

Filesize
3.9MB

Download
memory/4672-2070-0x00007FF737660000-0x00007FF737A52000-memory.dmp

Filesize
3.9MB

Download
memory/4688-2052-0x00007FF658160000-0x00007FF658552000-memory.dmp

Filesize
3.9MB

Download
memory/4688-78-0x00007FF658160000-0x00007FF658552000-memory.dmp

Filesize
3.9MB

Download
memory/4864-2064-0x00007FF682E90000-0x00007FF683282000-memory.dmp

Filesize
3.9MB

Download
memory/4864-92-0x00007FF682E90000-0x00007FF683282000-memory.dmp

Filesize
3.9MB

Download
memory/5104-2091-0x00007FF70F5D0000-0x00007FF70F9C2000-memory.dmp

Filesize
3.9MB

Download
memory/5104-165-0x00007FF70F5D0000-0x00007FF70F9C2000-memory.dmp

Filesize
3.9MB

Download