xmrig | 0541fa3d9b3d0687ed0e349885bb08b23d71382ac3cdc1ed95eb3616a0580659

Analysis

max time kernel
71s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
Size

1.9MB
MD5

5c90f5ff772a5077d3b36bb22635db10
SHA1

d73ce4b4680eaff8e0c0ab12a64f2caac8c72f55
SHA256

0541fa3d9b3d0687ed0e349885bb08b23d71382ac3cdc1ed95eb3616a0580659
SHA512

abaa31e8b23f19a6617facea2e9de5dc3f6eede30571bffbcb2d89a2911779d1701fab17d955ad1324e9a93dda1b26011a29ebe3a7d94bd0c83ddcb27cbe08f4
SSDEEP

49152:Lz071uv4BPMkibTIA5I4TNrpDGfFzcoYc:NABD

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4740-215-0x00007FF6F6E60000-0x00007FF6F7252000-memory.dmp	xmrig
behavioral2/memory/2844-258-0x00007FF643240000-0x00007FF643632000-memory.dmp	xmrig
behavioral2/memory/2988-421-0x00007FF717060000-0x00007FF717452000-memory.dmp	xmrig
behavioral2/memory/4832-452-0x00007FF6BE6C0000-0x00007FF6BEAB2000-memory.dmp	xmrig
behavioral2/memory/3852-455-0x00007FF6E0F20000-0x00007FF6E1312000-memory.dmp	xmrig
behavioral2/memory/2432-461-0x00007FF79A200000-0x00007FF79A5F2000-memory.dmp	xmrig
behavioral2/memory/4420-464-0x00007FF606790000-0x00007FF606B82000-memory.dmp	xmrig
behavioral2/memory/4592-592-0x00007FF6B6AF0000-0x00007FF6B6EE2000-memory.dmp	xmrig
behavioral2/memory/4892-596-0x00007FF7E9BA0000-0x00007FF7E9F92000-memory.dmp	xmrig
behavioral2/memory/2056-614-0x00007FF7ADA20000-0x00007FF7ADE12000-memory.dmp	xmrig
behavioral2/memory/4844-676-0x00007FF714330000-0x00007FF714722000-memory.dmp	xmrig
behavioral2/memory/2916-485-0x00007FF79CAC0000-0x00007FF79CEB2000-memory.dmp	xmrig
behavioral2/memory/2872-463-0x00007FF745ED0000-0x00007FF7462C2000-memory.dmp	xmrig
behavioral2/memory/1856-462-0x00007FF7AD2B0000-0x00007FF7AD6A2000-memory.dmp	xmrig
behavioral2/memory/2396-460-0x00007FF6B8280000-0x00007FF6B8672000-memory.dmp	xmrig
behavioral2/memory/1020-459-0x00007FF60E370000-0x00007FF60E762000-memory.dmp	xmrig
behavioral2/memory/1172-458-0x00007FF6827D0000-0x00007FF682BC2000-memory.dmp	xmrig
behavioral2/memory/2196-457-0x00007FF7A8000000-0x00007FF7A83F2000-memory.dmp	xmrig
behavioral2/memory/456-456-0x00007FF6E2A70000-0x00007FF6E2E62000-memory.dmp	xmrig
behavioral2/memory/4912-454-0x00007FF6D63E0000-0x00007FF6D67D2000-memory.dmp	xmrig
behavioral2/memory/4536-453-0x00007FF7A90A0000-0x00007FF7A9492000-memory.dmp	xmrig
behavioral2/memory/2008-383-0x00007FF7064A0000-0x00007FF706892000-memory.dmp	xmrig
behavioral2/memory/3048-177-0x00007FF790240000-0x00007FF790632000-memory.dmp	xmrig
behavioral2/memory/1180-20-0x00007FF702130000-0x00007FF702522000-memory.dmp	xmrig
behavioral2/memory/1180-3177-0x00007FF702130000-0x00007FF702522000-memory.dmp	xmrig
behavioral2/memory/2056-3179-0x00007FF7ADA20000-0x00007FF7ADE12000-memory.dmp	xmrig
behavioral2/memory/4740-3181-0x00007FF6F6E60000-0x00007FF6F7252000-memory.dmp	xmrig
behavioral2/memory/4536-3183-0x00007FF7A90A0000-0x00007FF7A9492000-memory.dmp	xmrig
behavioral2/memory/4844-3186-0x00007FF714330000-0x00007FF714722000-memory.dmp	xmrig
behavioral2/memory/2988-3187-0x00007FF717060000-0x00007FF717452000-memory.dmp	xmrig
behavioral2/memory/1172-3194-0x00007FF6827D0000-0x00007FF682BC2000-memory.dmp	xmrig
behavioral2/memory/3048-3199-0x00007FF790240000-0x00007FF790632000-memory.dmp	xmrig
behavioral2/memory/1020-3203-0x00007FF60E370000-0x00007FF60E762000-memory.dmp	xmrig
behavioral2/memory/3852-3209-0x00007FF6E0F20000-0x00007FF6E1312000-memory.dmp	xmrig
behavioral2/memory/2432-3207-0x00007FF79A200000-0x00007FF79A5F2000-memory.dmp	xmrig
behavioral2/memory/4912-3205-0x00007FF6D63E0000-0x00007FF6D67D2000-memory.dmp	xmrig
behavioral2/memory/2008-3197-0x00007FF7064A0000-0x00007FF706892000-memory.dmp	xmrig
behavioral2/memory/2844-3196-0x00007FF643240000-0x00007FF643632000-memory.dmp	xmrig
behavioral2/memory/4832-3190-0x00007FF6BE6C0000-0x00007FF6BEAB2000-memory.dmp	xmrig
behavioral2/memory/2196-3192-0x00007FF7A8000000-0x00007FF7A83F2000-memory.dmp	xmrig
behavioral2/memory/2916-3239-0x00007FF79CAC0000-0x00007FF79CEB2000-memory.dmp	xmrig
behavioral2/memory/2872-3219-0x00007FF745ED0000-0x00007FF7462C2000-memory.dmp	xmrig
behavioral2/memory/4592-3245-0x00007FF6B6AF0000-0x00007FF6B6EE2000-memory.dmp	xmrig
behavioral2/memory/4420-3251-0x00007FF606790000-0x00007FF606B82000-memory.dmp	xmrig
behavioral2/memory/4892-3253-0x00007FF7E9BA0000-0x00007FF7E9F92000-memory.dmp	xmrig
behavioral2/memory/2396-3216-0x00007FF6B8280000-0x00007FF6B8672000-memory.dmp	xmrig
behavioral2/memory/1856-3212-0x00007FF7AD2B0000-0x00007FF7AD6A2000-memory.dmp	xmrig
behavioral2/memory/456-3214-0x00007FF6E2A70000-0x00007FF6E2E62000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
640	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1180	ApNDZim.exe
2056	AITgVyc.exe
3048	xJoUZhG.exe
4740	gvYeQKm.exe
4844	RRLHOIt.exe
2844	dUnkmAw.exe
2008	QVdbVtx.exe
2988	pbXjSCw.exe
4832	RTXMoNB.exe
4536	AvEOOng.exe
4912	xCoNgeg.exe
3852	JgeqAcx.exe
456	jPhkgMP.exe
2196	gZsIoOa.exe
1172	QRzcpqS.exe
1020	bzomDOx.exe
2396	RMjKfSN.exe
2432	AklKZtx.exe
1856	XMuStmb.exe
2872	qvBnMoB.exe
4420	IvihCoe.exe
2916	PkaJpNA.exe
4592	xCxWnwh.exe
4892	ehjmqyb.exe
3716	mfOaJUA.exe
3516	FofQBtt.exe
3240	yNZDkuG.exe
4944	DLFTLtD.exe
3676	zJRsMCh.exe
1168	DFgUvBr.exe
4788	BtrGtrw.exe
728	kXgqRQq.exe
2776	dlDtMZL.exe
1320	sYVknVw.exe
1148	kYhDHGf.exe
1136	LiGdElG.exe
3400	SrTyjBL.exe
2736	FIkpggu.exe
1616	KoOwHNw.exe
3824	pPgZGht.exe
3116	nLEbmAb.exe
2024	vHpOMmH.exe
332	IYuJTMK.exe
3312	qBFBbEW.exe
3548	hUspFLo.exe
3896	HBvMkqT.exe
4600	PYuKoZF.exe
1340	BHQdgCa.exe
4356	HdCWDAn.exe
3112	RdBHXSp.exe
3864	uMhKsyK.exe
3084	AQFAIZr.exe
3396	FvUwtRY.exe
3736	PkXXtlg.exe
4876	eqcEhQi.exe
1936	dvyrhDC.exe
4840	oKGBIAB.exe
4584	TxkxykR.exe
4848	PfRSbBG.exe
4780	ttyNdkm.exe
4312	ecZcJuC.exe
1820	bqQzdkE.exe
4984	fzLQJLr.exe
1928	WDviQSl.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/408-0-0x00007FF67BB30000-0x00007FF67BF22000-memory.dmp	upx
behavioral2/files/0x000900000002340d-5.dat	upx
behavioral2/files/0x0007000000023416-8.dat	upx
behavioral2/files/0x000700000002341a-33.dat	upx
behavioral2/files/0x0007000000023425-89.dat	upx
behavioral2/files/0x0007000000023424-133.dat	upx
behavioral2/memory/4740-215-0x00007FF6F6E60000-0x00007FF6F7252000-memory.dmp	upx
behavioral2/memory/2844-258-0x00007FF643240000-0x00007FF643632000-memory.dmp	upx
behavioral2/memory/2988-421-0x00007FF717060000-0x00007FF717452000-memory.dmp	upx
behavioral2/memory/4832-452-0x00007FF6BE6C0000-0x00007FF6BEAB2000-memory.dmp	upx
behavioral2/memory/3852-455-0x00007FF6E0F20000-0x00007FF6E1312000-memory.dmp	upx
behavioral2/memory/2432-461-0x00007FF79A200000-0x00007FF79A5F2000-memory.dmp	upx
behavioral2/memory/4420-464-0x00007FF606790000-0x00007FF606B82000-memory.dmp	upx
behavioral2/memory/4592-592-0x00007FF6B6AF0000-0x00007FF6B6EE2000-memory.dmp	upx
behavioral2/memory/4892-596-0x00007FF7E9BA0000-0x00007FF7E9F92000-memory.dmp	upx
behavioral2/memory/2056-614-0x00007FF7ADA20000-0x00007FF7ADE12000-memory.dmp	upx
behavioral2/memory/4844-676-0x00007FF714330000-0x00007FF714722000-memory.dmp	upx
behavioral2/memory/2916-485-0x00007FF79CAC0000-0x00007FF79CEB2000-memory.dmp	upx
behavioral2/memory/2872-463-0x00007FF745ED0000-0x00007FF7462C2000-memory.dmp	upx
behavioral2/memory/1856-462-0x00007FF7AD2B0000-0x00007FF7AD6A2000-memory.dmp	upx
behavioral2/memory/2396-460-0x00007FF6B8280000-0x00007FF6B8672000-memory.dmp	upx
behavioral2/memory/1020-459-0x00007FF60E370000-0x00007FF60E762000-memory.dmp	upx
behavioral2/memory/1172-458-0x00007FF6827D0000-0x00007FF682BC2000-memory.dmp	upx
behavioral2/memory/2196-457-0x00007FF7A8000000-0x00007FF7A83F2000-memory.dmp	upx
behavioral2/memory/456-456-0x00007FF6E2A70000-0x00007FF6E2E62000-memory.dmp	upx
behavioral2/memory/4912-454-0x00007FF6D63E0000-0x00007FF6D67D2000-memory.dmp	upx
behavioral2/memory/4536-453-0x00007FF7A90A0000-0x00007FF7A9492000-memory.dmp	upx
behavioral2/memory/2008-383-0x00007FF7064A0000-0x00007FF706892000-memory.dmp	upx
behavioral2/files/0x0007000000023430-192.dat	upx
behavioral2/files/0x000700000002343e-191.dat	upx
behavioral2/files/0x000700000002343d-190.dat	upx
behavioral2/files/0x000700000002343c-189.dat	upx
behavioral2/files/0x000700000002343b-188.dat	upx
behavioral2/files/0x000700000002343a-187.dat	upx
behavioral2/files/0x0007000000023439-186.dat	upx
behavioral2/memory/3048-177-0x00007FF790240000-0x00007FF790632000-memory.dmp	upx
behavioral2/files/0x0007000000023438-176.dat	upx
behavioral2/files/0x0007000000023437-175.dat	upx
behavioral2/files/0x0007000000023436-172.dat	upx
behavioral2/files/0x000700000002342c-171.dat	upx
behavioral2/files/0x0007000000023435-169.dat	upx
behavioral2/files/0x0007000000023434-167.dat	upx
behavioral2/files/0x0007000000023433-164.dat	upx
behavioral2/files/0x0007000000023432-163.dat	upx
behavioral2/files/0x000700000002341f-155.dat	upx
behavioral2/files/0x0007000000023431-154.dat	upx
behavioral2/files/0x0007000000023426-148.dat	upx
behavioral2/files/0x000700000002341e-140.dat	upx
behavioral2/files/0x000700000002342f-139.dat	upx
behavioral2/files/0x000700000002342e-126.dat	upx
behavioral2/files/0x0007000000023422-111.dat	upx
behavioral2/files/0x0007000000023421-107.dat	upx
behavioral2/files/0x000700000002341c-105.dat	upx
behavioral2/files/0x0007000000023419-103.dat	upx
behavioral2/files/0x000700000002342b-102.dat	upx
behavioral2/files/0x0007000000023420-159.dat	upx
behavioral2/files/0x000700000002342a-101.dat	upx
behavioral2/files/0x0007000000023429-100.dat	upx
behavioral2/files/0x0007000000023428-99.dat	upx
behavioral2/files/0x0007000000023427-98.dat	upx
behavioral2/files/0x0007000000023423-131.dat	upx
behavioral2/files/0x000700000002342d-121.dat	upx
behavioral2/files/0x000700000002341b-67.dat	upx
behavioral2/files/0x0007000000023418-65.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\roMMuvw.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\UyqmfkN.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\UbgxztA.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\Lruhzfo.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\JTVjgmO.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\kDVEPbN.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\sNyOWhY.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\QTpySIC.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\dvyrhDC.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\gCTwOPJ.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\wQumxjI.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\TIqmzss.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\NKGWqqO.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\WgQbdez.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\cehgbPP.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\NkfavTx.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\WBAaXUy.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\BekXoQi.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\DZFklTI.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\WKLCInz.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\zHDAOtV.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\StSoOYF.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\qFYbcRT.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\fJLkeFN.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\eZRxPSg.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\MaduiWe.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\BTzJbhK.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\zzozoDB.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\oPsoHIY.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\fbrogsz.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\gSRClnI.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\opyxTEX.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\GRZBEai.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\tfIqdxN.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\jMsULUI.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\tsOcQIG.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\bpRWejp.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\DyUFyIw.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\eqcEhQi.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\QSlPopn.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\AYgSlWr.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\lnYBpTQ.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\QgFRBfl.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\HRJewbt.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\aGBZLue.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\cJMphuh.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\DdeWXak.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\gCNiRBs.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\oQpjaXt.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\QiCnUKm.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\lvKmFYh.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\UEaIqYv.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\piutaTq.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\mzWSCXG.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\KuYhWvC.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\nBqhFgz.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\IYuJTMK.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\yaDyZKp.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\NRiqbvL.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\fqlnEte.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\xomPyTI.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\OwGtxCu.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\vtPeYtu.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
File created	C:\Windows\System\BmfWpLK.exe	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe

Modifies data under HKEY_USERS 26 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
640	powershell.exe
640	powershell.exe
640	powershell.exe
640	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
Token: SeDebugPrivilege	640	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 640	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	84
PID 408 wrote to memory of 640	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	84
PID 408 wrote to memory of 1180	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	85
PID 408 wrote to memory of 1180	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	85
PID 408 wrote to memory of 2056	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	86
PID 408 wrote to memory of 2056	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	86
PID 408 wrote to memory of 3048	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	87
PID 408 wrote to memory of 3048	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	87
PID 408 wrote to memory of 4740	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	88
PID 408 wrote to memory of 4740	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	88
PID 408 wrote to memory of 4844	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	89
PID 408 wrote to memory of 4844	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	89
PID 408 wrote to memory of 2844	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	90
PID 408 wrote to memory of 2844	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	90
PID 408 wrote to memory of 2008	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	91
PID 408 wrote to memory of 2008	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	91
PID 408 wrote to memory of 2988	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	92
PID 408 wrote to memory of 2988	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	92
PID 408 wrote to memory of 4832	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	93
PID 408 wrote to memory of 4832	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	93
PID 408 wrote to memory of 4536	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	94
PID 408 wrote to memory of 4536	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	94
PID 408 wrote to memory of 4912	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	95
PID 408 wrote to memory of 4912	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	95
PID 408 wrote to memory of 3852	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	96
PID 408 wrote to memory of 3852	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	96
PID 408 wrote to memory of 456	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	97
PID 408 wrote to memory of 456	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	97
PID 408 wrote to memory of 2196	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	98
PID 408 wrote to memory of 2196	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	98
PID 408 wrote to memory of 1172	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	99
PID 408 wrote to memory of 1172	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	99
PID 408 wrote to memory of 1020	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	100
PID 408 wrote to memory of 1020	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	100
PID 408 wrote to memory of 3240	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	101
PID 408 wrote to memory of 3240	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	101
PID 408 wrote to memory of 2396	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	102
PID 408 wrote to memory of 2396	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	102
PID 408 wrote to memory of 2432	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	103
PID 408 wrote to memory of 2432	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	103
PID 408 wrote to memory of 1856	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	104
PID 408 wrote to memory of 1856	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	104
PID 408 wrote to memory of 2872	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	105
PID 408 wrote to memory of 2872	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	105
PID 408 wrote to memory of 4420	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	106
PID 408 wrote to memory of 4420	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	106
PID 408 wrote to memory of 2916	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	107
PID 408 wrote to memory of 2916	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	107
PID 408 wrote to memory of 4592	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	108
PID 408 wrote to memory of 4592	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	108
PID 408 wrote to memory of 4892	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	109
PID 408 wrote to memory of 4892	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	109
PID 408 wrote to memory of 3716	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	110
PID 408 wrote to memory of 3716	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	110
PID 408 wrote to memory of 3516	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	111
PID 408 wrote to memory of 3516	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	111
PID 408 wrote to memory of 4944	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	112
PID 408 wrote to memory of 4944	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	112
PID 408 wrote to memory of 332	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	113
PID 408 wrote to memory of 332	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	113
PID 408 wrote to memory of 3676	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	114
PID 408 wrote to memory of 3676	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	114
PID 408 wrote to memory of 1168	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	115
PID 408 wrote to memory of 1168	408	5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5c90f5ff772a5077d3b36bb22635db10_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\System\ApNDZim.exe
  C:\Windows\System\ApNDZim.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\AITgVyc.exe
  C:\Windows\System\AITgVyc.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\xJoUZhG.exe
  C:\Windows\System\xJoUZhG.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\gvYeQKm.exe
  C:\Windows\System\gvYeQKm.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\RRLHOIt.exe
  C:\Windows\System\RRLHOIt.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\dUnkmAw.exe
  C:\Windows\System\dUnkmAw.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\QVdbVtx.exe
  C:\Windows\System\QVdbVtx.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\pbXjSCw.exe
  C:\Windows\System\pbXjSCw.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\RTXMoNB.exe
  C:\Windows\System\RTXMoNB.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\AvEOOng.exe
  C:\Windows\System\AvEOOng.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\xCoNgeg.exe
  C:\Windows\System\xCoNgeg.exe
  2⤵
  - Executes dropped EXE
  PID:4912
- C:\Windows\System\JgeqAcx.exe
  C:\Windows\System\JgeqAcx.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\jPhkgMP.exe
  C:\Windows\System\jPhkgMP.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\gZsIoOa.exe
  C:\Windows\System\gZsIoOa.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\QRzcpqS.exe
  C:\Windows\System\QRzcpqS.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\bzomDOx.exe
  C:\Windows\System\bzomDOx.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\yNZDkuG.exe
  C:\Windows\System\yNZDkuG.exe
  2⤵
  - Executes dropped EXE
  PID:3240
- C:\Windows\System\RMjKfSN.exe
  C:\Windows\System\RMjKfSN.exe
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\Windows\System\AklKZtx.exe
  C:\Windows\System\AklKZtx.exe
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\Windows\System\XMuStmb.exe
  C:\Windows\System\XMuStmb.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\qvBnMoB.exe
  C:\Windows\System\qvBnMoB.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\IvihCoe.exe
  C:\Windows\System\IvihCoe.exe
  2⤵
  - Executes dropped EXE
  PID:4420
- C:\Windows\System\PkaJpNA.exe
  C:\Windows\System\PkaJpNA.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\xCxWnwh.exe
  C:\Windows\System\xCxWnwh.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\ehjmqyb.exe
  C:\Windows\System\ehjmqyb.exe
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\System\mfOaJUA.exe
  C:\Windows\System\mfOaJUA.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System\FofQBtt.exe
  C:\Windows\System\FofQBtt.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\DLFTLtD.exe
  C:\Windows\System\DLFTLtD.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\IYuJTMK.exe
  C:\Windows\System\IYuJTMK.exe
  2⤵
  - Executes dropped EXE
  PID:332
- C:\Windows\System\zJRsMCh.exe
  C:\Windows\System\zJRsMCh.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\DFgUvBr.exe
  C:\Windows\System\DFgUvBr.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\BtrGtrw.exe
  C:\Windows\System\BtrGtrw.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\kXgqRQq.exe
  C:\Windows\System\kXgqRQq.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\dlDtMZL.exe
  C:\Windows\System\dlDtMZL.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\sYVknVw.exe
  C:\Windows\System\sYVknVw.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System\kYhDHGf.exe
  C:\Windows\System\kYhDHGf.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\LiGdElG.exe
  C:\Windows\System\LiGdElG.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\SrTyjBL.exe
  C:\Windows\System\SrTyjBL.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\FIkpggu.exe
  C:\Windows\System\FIkpggu.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\KoOwHNw.exe
  C:\Windows\System\KoOwHNw.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\pPgZGht.exe
  C:\Windows\System\pPgZGht.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\nLEbmAb.exe
  C:\Windows\System\nLEbmAb.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\vHpOMmH.exe
  C:\Windows\System\vHpOMmH.exe
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\Windows\System\qBFBbEW.exe
  C:\Windows\System\qBFBbEW.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System\hUspFLo.exe
  C:\Windows\System\hUspFLo.exe
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\Windows\System\HBvMkqT.exe
  C:\Windows\System\HBvMkqT.exe
  2⤵
  - Executes dropped EXE
  PID:3896
- C:\Windows\System\PYuKoZF.exe
  C:\Windows\System\PYuKoZF.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\BHQdgCa.exe
  C:\Windows\System\BHQdgCa.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\HdCWDAn.exe
  C:\Windows\System\HdCWDAn.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\RdBHXSp.exe
  C:\Windows\System\RdBHXSp.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\uMhKsyK.exe
  C:\Windows\System\uMhKsyK.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System\AQFAIZr.exe
  C:\Windows\System\AQFAIZr.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Windows\System\FvUwtRY.exe
  C:\Windows\System\FvUwtRY.exe
  2⤵
  - Executes dropped EXE
  PID:3396
- C:\Windows\System\PkXXtlg.exe
  C:\Windows\System\PkXXtlg.exe
  2⤵
  - Executes dropped EXE
  PID:3736
- C:\Windows\System\eqcEhQi.exe
  C:\Windows\System\eqcEhQi.exe
  2⤵
  - Executes dropped EXE
  PID:4876
- C:\Windows\System\dvyrhDC.exe
  C:\Windows\System\dvyrhDC.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\oKGBIAB.exe
  C:\Windows\System\oKGBIAB.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\TxkxykR.exe
  C:\Windows\System\TxkxykR.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\PfRSbBG.exe
  C:\Windows\System\PfRSbBG.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\ttyNdkm.exe
  C:\Windows\System\ttyNdkm.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\JUIGdDQ.exe
  C:\Windows\System\JUIGdDQ.exe
  2⤵
  PID:4408
- C:\Windows\System\ecZcJuC.exe
  C:\Windows\System\ecZcJuC.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\bqQzdkE.exe
  C:\Windows\System\bqQzdkE.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\fzLQJLr.exe
  C:\Windows\System\fzLQJLr.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\WDviQSl.exe
  C:\Windows\System\WDviQSl.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\AvnzOvu.exe
  C:\Windows\System\AvnzOvu.exe
  2⤵
  PID:4148
- C:\Windows\System\BAyUDsc.exe
  C:\Windows\System\BAyUDsc.exe
  2⤵
  PID:4836
- C:\Windows\System\FiupqNk.exe
  C:\Windows\System\FiupqNk.exe
  2⤵
  PID:4412
- C:\Windows\System\HJtCEyZ.exe
  C:\Windows\System\HJtCEyZ.exe
  2⤵
  PID:1704
- C:\Windows\System\qwLWaHH.exe
  C:\Windows\System\qwLWaHH.exe
  2⤵
  PID:1840
- C:\Windows\System\nbhnUGu.exe
  C:\Windows\System\nbhnUGu.exe
  2⤵
  PID:2020
- C:\Windows\System\dooQSkB.exe
  C:\Windows\System\dooQSkB.exe
  2⤵
  PID:4512
- C:\Windows\System\FKucnra.exe
  C:\Windows\System\FKucnra.exe
  2⤵
  PID:3656
- C:\Windows\System\pUZFhkv.exe
  C:\Windows\System\pUZFhkv.exe
  2⤵
  PID:4580
- C:\Windows\System\XPBdfQB.exe
  C:\Windows\System\XPBdfQB.exe
  2⤵
  PID:2064
- C:\Windows\System\FHuhXwW.exe
  C:\Windows\System\FHuhXwW.exe
  2⤵
  PID:4464
- C:\Windows\System\doIOKkJ.exe
  C:\Windows\System\doIOKkJ.exe
  2⤵
  PID:4444
- C:\Windows\System\eEPygDe.exe
  C:\Windows\System\eEPygDe.exe
  2⤵
  PID:2080
- C:\Windows\System\WmqQkTH.exe
  C:\Windows\System\WmqQkTH.exe
  2⤵
  PID:3496
- C:\Windows\System\PjmhElb.exe
  C:\Windows\System\PjmhElb.exe
  2⤵
  PID:5128
- C:\Windows\System\UBspPHq.exe
  C:\Windows\System\UBspPHq.exe
  2⤵
  PID:5164
- C:\Windows\System\xgIioXz.exe
  C:\Windows\System\xgIioXz.exe
  2⤵
  PID:5184
- C:\Windows\System\uWeBJdG.exe
  C:\Windows\System\uWeBJdG.exe
  2⤵
  PID:5208
- C:\Windows\System\gYiBQrg.exe
  C:\Windows\System\gYiBQrg.exe
  2⤵
  PID:5228
- C:\Windows\System\nofqGJB.exe
  C:\Windows\System\nofqGJB.exe
  2⤵
  PID:5248
- C:\Windows\System\dZWJdtP.exe
  C:\Windows\System\dZWJdtP.exe
  2⤵
  PID:5268
- C:\Windows\System\dqbhdVo.exe
  C:\Windows\System\dqbhdVo.exe
  2⤵
  PID:5292
- C:\Windows\System\cgvwvFI.exe
  C:\Windows\System\cgvwvFI.exe
  2⤵
  PID:5312
- C:\Windows\System\jrENnWG.exe
  C:\Windows\System\jrENnWG.exe
  2⤵
  PID:5332
- C:\Windows\System\LDNsuZW.exe
  C:\Windows\System\LDNsuZW.exe
  2⤵
  PID:5360
- C:\Windows\System\JThKpfI.exe
  C:\Windows\System\JThKpfI.exe
  2⤵
  PID:5384
- C:\Windows\System\HmfaTkO.exe
  C:\Windows\System\HmfaTkO.exe
  2⤵
  PID:5408
- C:\Windows\System\uuzsgnW.exe
  C:\Windows\System\uuzsgnW.exe
  2⤵
  PID:5424
- C:\Windows\System\WIqZAVS.exe
  C:\Windows\System\WIqZAVS.exe
  2⤵
  PID:5568
- C:\Windows\System\dtXHlQl.exe
  C:\Windows\System\dtXHlQl.exe
  2⤵
  PID:5584
- C:\Windows\System\bdhhKcq.exe
  C:\Windows\System\bdhhKcq.exe
  2⤵
  PID:5608
- C:\Windows\System\iklQOAp.exe
  C:\Windows\System\iklQOAp.exe
  2⤵
  PID:5628
- C:\Windows\System\qcnxjHp.exe
  C:\Windows\System\qcnxjHp.exe
  2⤵
  PID:5652
- C:\Windows\System\GXylTBv.exe
  C:\Windows\System\GXylTBv.exe
  2⤵
  PID:5672
- C:\Windows\System\ElWdaEJ.exe
  C:\Windows\System\ElWdaEJ.exe
  2⤵
  PID:5692
- C:\Windows\System\IImaieB.exe
  C:\Windows\System\IImaieB.exe
  2⤵
  PID:5716
- C:\Windows\System\QSlPopn.exe
  C:\Windows\System\QSlPopn.exe
  2⤵
  PID:5732
- C:\Windows\System\JHRvXQK.exe
  C:\Windows\System\JHRvXQK.exe
  2⤵
  PID:5756
- C:\Windows\System\kRfCZAB.exe
  C:\Windows\System\kRfCZAB.exe
  2⤵
  PID:5776
- C:\Windows\System\UvkqERo.exe
  C:\Windows\System\UvkqERo.exe
  2⤵
  PID:5800
- C:\Windows\System\HCjZxAo.exe
  C:\Windows\System\HCjZxAo.exe
  2⤵
  PID:5820
- C:\Windows\System\pePIXTv.exe
  C:\Windows\System\pePIXTv.exe
  2⤵
  PID:5844
- C:\Windows\System\hpeGKyM.exe
  C:\Windows\System\hpeGKyM.exe
  2⤵
  PID:5860
- C:\Windows\System\wZwnNQb.exe
  C:\Windows\System\wZwnNQb.exe
  2⤵
  PID:5884
- C:\Windows\System\UiXMvYd.exe
  C:\Windows\System\UiXMvYd.exe
  2⤵
  PID:5900
- C:\Windows\System\aEXSUPC.exe
  C:\Windows\System\aEXSUPC.exe
  2⤵
  PID:5924
- C:\Windows\System\sFcSCvu.exe
  C:\Windows\System\sFcSCvu.exe
  2⤵
  PID:5948
- C:\Windows\System\VUTrfNb.exe
  C:\Windows\System\VUTrfNb.exe
  2⤵
  PID:6076
- C:\Windows\System\StSoOYF.exe
  C:\Windows\System\StSoOYF.exe
  2⤵
  PID:6096
- C:\Windows\System\qCJGHMB.exe
  C:\Windows\System\qCJGHMB.exe
  2⤵
  PID:6120
- C:\Windows\System\ZKkXpTc.exe
  C:\Windows\System\ZKkXpTc.exe
  2⤵
  PID:6140
- C:\Windows\System\gVnpSQU.exe
  C:\Windows\System\gVnpSQU.exe
  2⤵
  PID:1596
- C:\Windows\System\rxunGSk.exe
  C:\Windows\System\rxunGSk.exe
  2⤵
  PID:1124
- C:\Windows\System\vRqWtez.exe
  C:\Windows\System\vRqWtez.exe
  2⤵
  PID:1348
- C:\Windows\System\usAqrZV.exe
  C:\Windows\System\usAqrZV.exe
  2⤵
  PID:4672
- C:\Windows\System\vVESrSK.exe
  C:\Windows\System\vVESrSK.exe
  2⤵
  PID:5440
- C:\Windows\System\wjVZDMp.exe
  C:\Windows\System\wjVZDMp.exe
  2⤵
  PID:4268
- C:\Windows\System\mcFvjSE.exe
  C:\Windows\System\mcFvjSE.exe
  2⤵
  PID:4852
- C:\Windows\System\IBIKVEP.exe
  C:\Windows\System\IBIKVEP.exe
  2⤵
  PID:4936
- C:\Windows\System\keAxpsd.exe
  C:\Windows\System\keAxpsd.exe
  2⤵
  PID:3492
- C:\Windows\System\LoinBPi.exe
  C:\Windows\System\LoinBPi.exe
  2⤵
  PID:2368
- C:\Windows\System\hNqdMHF.exe
  C:\Windows\System\hNqdMHF.exe
  2⤵
  PID:4472
- C:\Windows\System\BhKZuDM.exe
  C:\Windows\System\BhKZuDM.exe
  2⤵
  PID:3924
- C:\Windows\System\NLjLyeQ.exe
  C:\Windows\System\NLjLyeQ.exe
  2⤵
  PID:4060
- C:\Windows\System\feXXPiF.exe
  C:\Windows\System\feXXPiF.exe
  2⤵
  PID:5144
- C:\Windows\System\szvdGJg.exe
  C:\Windows\System\szvdGJg.exe
  2⤵
  PID:5180
- C:\Windows\System\ymBnKXW.exe
  C:\Windows\System\ymBnKXW.exe
  2⤵
  PID:5236
- C:\Windows\System\PWeOfHM.exe
  C:\Windows\System\PWeOfHM.exe
  2⤵
  PID:5328
- C:\Windows\System\IZfPdiC.exe
  C:\Windows\System\IZfPdiC.exe
  2⤵
  PID:5284
- C:\Windows\System\lYTEuIU.exe
  C:\Windows\System\lYTEuIU.exe
  2⤵
  PID:5392
- C:\Windows\System\bYYqlMb.exe
  C:\Windows\System\bYYqlMb.exe
  2⤵
  PID:5356
- C:\Windows\System\raSrZFW.exe
  C:\Windows\System\raSrZFW.exe
  2⤵
  PID:6152
- C:\Windows\System\ZhWOOLP.exe
  C:\Windows\System\ZhWOOLP.exe
  2⤵
  PID:6168
- C:\Windows\System\ckYXBYE.exe
  C:\Windows\System\ckYXBYE.exe
  2⤵
  PID:6184
- C:\Windows\System\qgYbSgy.exe
  C:\Windows\System\qgYbSgy.exe
  2⤵
  PID:6200
- C:\Windows\System\yhTJAKR.exe
  C:\Windows\System\yhTJAKR.exe
  2⤵
  PID:6216
- C:\Windows\System\GisLOTh.exe
  C:\Windows\System\GisLOTh.exe
  2⤵
  PID:6232
- C:\Windows\System\RmOHEhX.exe
  C:\Windows\System\RmOHEhX.exe
  2⤵
  PID:6248
- C:\Windows\System\BTzJbhK.exe
  C:\Windows\System\BTzJbhK.exe
  2⤵
  PID:6264
- C:\Windows\System\OXENksm.exe
  C:\Windows\System\OXENksm.exe
  2⤵
  PID:6280
- C:\Windows\System\zYRXhiM.exe
  C:\Windows\System\zYRXhiM.exe
  2⤵
  PID:6296
- C:\Windows\System\vEaeazO.exe
  C:\Windows\System\vEaeazO.exe
  2⤵
  PID:6312
- C:\Windows\System\fJLkeFN.exe
  C:\Windows\System\fJLkeFN.exe
  2⤵
  PID:6340
- C:\Windows\System\BAEeTjM.exe
  C:\Windows\System\BAEeTjM.exe
  2⤵
  PID:6360
- C:\Windows\System\KljBkZT.exe
  C:\Windows\System\KljBkZT.exe
  2⤵
  PID:6380
- C:\Windows\System\MOKRgwT.exe
  C:\Windows\System\MOKRgwT.exe
  2⤵
  PID:6404
- C:\Windows\System\OhVTTsD.exe
  C:\Windows\System\OhVTTsD.exe
  2⤵
  PID:6420
- C:\Windows\System\dHCkReo.exe
  C:\Windows\System\dHCkReo.exe
  2⤵
  PID:6444
- C:\Windows\System\LyweXRY.exe
  C:\Windows\System\LyweXRY.exe
  2⤵
  PID:6460
- C:\Windows\System\aqOGNox.exe
  C:\Windows\System\aqOGNox.exe
  2⤵
  PID:6484
- C:\Windows\System\QnWwmCQ.exe
  C:\Windows\System\QnWwmCQ.exe
  2⤵
  PID:6508
- C:\Windows\System\LcLkGJv.exe
  C:\Windows\System\LcLkGJv.exe
  2⤵
  PID:6524
- C:\Windows\System\FRkqjoU.exe
  C:\Windows\System\FRkqjoU.exe
  2⤵
  PID:6548
- C:\Windows\System\zDIltbS.exe
  C:\Windows\System\zDIltbS.exe
  2⤵
  PID:6564
- C:\Windows\System\lNCxcsp.exe
  C:\Windows\System\lNCxcsp.exe
  2⤵
  PID:6592
- C:\Windows\System\GjQRNcM.exe
  C:\Windows\System\GjQRNcM.exe
  2⤵
  PID:6612
- C:\Windows\System\qwfRLYR.exe
  C:\Windows\System\qwfRLYR.exe
  2⤵
  PID:6640
- C:\Windows\System\OCTOULE.exe
  C:\Windows\System\OCTOULE.exe
  2⤵
  PID:6660
- C:\Windows\System\JBoWIzP.exe
  C:\Windows\System\JBoWIzP.exe
  2⤵
  PID:6680
- C:\Windows\System\nGOtVFS.exe
  C:\Windows\System\nGOtVFS.exe
  2⤵
  PID:6704
- C:\Windows\System\iChsEwS.exe
  C:\Windows\System\iChsEwS.exe
  2⤵
  PID:6720
- C:\Windows\System\OhXpkAN.exe
  C:\Windows\System\OhXpkAN.exe
  2⤵
  PID:6744
- C:\Windows\System\nxkYztM.exe
  C:\Windows\System\nxkYztM.exe
  2⤵
  PID:6768
- C:\Windows\System\cENyiSa.exe
  C:\Windows\System\cENyiSa.exe
  2⤵
  PID:6784
- C:\Windows\System\yOGQCyU.exe
  C:\Windows\System\yOGQCyU.exe
  2⤵
  PID:6808
- C:\Windows\System\txJEiGB.exe
  C:\Windows\System\txJEiGB.exe
  2⤵
  PID:6824
- C:\Windows\System\EUYlAJn.exe
  C:\Windows\System\EUYlAJn.exe
  2⤵
  PID:6848
- C:\Windows\System\HGXbhHU.exe
  C:\Windows\System\HGXbhHU.exe
  2⤵
  PID:6876
- C:\Windows\System\uJdqNPG.exe
  C:\Windows\System\uJdqNPG.exe
  2⤵
  PID:6900
- C:\Windows\System\lLXIONq.exe
  C:\Windows\System\lLXIONq.exe
  2⤵
  PID:6916
- C:\Windows\System\iPzoonk.exe
  C:\Windows\System\iPzoonk.exe
  2⤵
  PID:6940
- C:\Windows\System\bymrayz.exe
  C:\Windows\System\bymrayz.exe
  2⤵
  PID:6964
- C:\Windows\System\VdqtGkC.exe
  C:\Windows\System\VdqtGkC.exe
  2⤵
  PID:6984
- C:\Windows\System\oQpjaXt.exe
  C:\Windows\System\oQpjaXt.exe
  2⤵
  PID:7004
- C:\Windows\System\wDUtAVk.exe
  C:\Windows\System\wDUtAVk.exe
  2⤵
  PID:7028
- C:\Windows\System\igmkVCB.exe
  C:\Windows\System\igmkVCB.exe
  2⤵
  PID:7048
- C:\Windows\System\ZMuKKWY.exe
  C:\Windows\System\ZMuKKWY.exe
  2⤵
  PID:7072
- C:\Windows\System\gJSTXgg.exe
  C:\Windows\System\gJSTXgg.exe
  2⤵
  PID:7088
- C:\Windows\System\lCRhqqq.exe
  C:\Windows\System\lCRhqqq.exe
  2⤵
  PID:7112
- C:\Windows\System\DiauBoy.exe
  C:\Windows\System\DiauBoy.exe
  2⤵
  PID:7136
- C:\Windows\System\zYuHBPL.exe
  C:\Windows\System\zYuHBPL.exe
  2⤵
  PID:7152
- C:\Windows\System\rFMxvJw.exe
  C:\Windows\System\rFMxvJw.exe
  2⤵
  PID:5368
- C:\Windows\System\bvQqjZX.exe
  C:\Windows\System\bvQqjZX.exe
  2⤵
  PID:5668
- C:\Windows\System\SQIWpHz.exe
  C:\Windows\System\SQIWpHz.exe
  2⤵
  PID:5636
- C:\Windows\System\FPBqToJ.exe
  C:\Windows\System\FPBqToJ.exe
  2⤵
  PID:5600
- C:\Windows\System\XOWbaWn.exe
  C:\Windows\System\XOWbaWn.exe
  2⤵
  PID:5560
- C:\Windows\System\GLFsMqO.exe
  C:\Windows\System\GLFsMqO.exe
  2⤵
  PID:6308
- C:\Windows\System\hgocmar.exe
  C:\Windows\System\hgocmar.exe
  2⤵
  PID:6352
- C:\Windows\System\YhawNQh.exe
  C:\Windows\System\YhawNQh.exe
  2⤵
  PID:6400
- C:\Windows\System\OKAIVgR.exe
  C:\Windows\System\OKAIVgR.exe
  2⤵
  PID:6452
- C:\Windows\System\zxqEhmf.exe
  C:\Windows\System\zxqEhmf.exe
  2⤵
  PID:6492
- C:\Windows\System\iqkHyVT.exe
  C:\Windows\System\iqkHyVT.exe
  2⤵
  PID:6532
- C:\Windows\System\fZWXquJ.exe
  C:\Windows\System\fZWXquJ.exe
  2⤵
  PID:6572
- C:\Windows\System\VuKnLOJ.exe
  C:\Windows\System\VuKnLOJ.exe
  2⤵
  PID:6624
- C:\Windows\System\EgNBmmn.exe
  C:\Windows\System\EgNBmmn.exe
  2⤵
  PID:6656
- C:\Windows\System\FdMUCfG.exe
  C:\Windows\System\FdMUCfG.exe
  2⤵
  PID:6700
- C:\Windows\System\iLTvCgR.exe
  C:\Windows\System\iLTvCgR.exe
  2⤵
  PID:6820
- C:\Windows\System\cJMphuh.exe
  C:\Windows\System\cJMphuh.exe
  2⤵
  PID:6856
- C:\Windows\System\XoHNLZW.exe
  C:\Windows\System\XoHNLZW.exe
  2⤵
  PID:6888
- C:\Windows\System\SSytaij.exe
  C:\Windows\System\SSytaij.exe
  2⤵
  PID:6924
- C:\Windows\System\CWOMvUI.exe
  C:\Windows\System\CWOMvUI.exe
  2⤵
  PID:6952
- C:\Windows\System\VzUJAXL.exe
  C:\Windows\System\VzUJAXL.exe
  2⤵
  PID:6996
- C:\Windows\System\iEMlaoj.exe
  C:\Windows\System\iEMlaoj.exe
  2⤵
  PID:7040
- C:\Windows\System\JXlpohS.exe
  C:\Windows\System\JXlpohS.exe
  2⤵
  PID:7080
- C:\Windows\System\gFxOjfG.exe
  C:\Windows\System\gFxOjfG.exe
  2⤵
  PID:7128
- C:\Windows\System\ajhfTEa.exe
  C:\Windows\System\ajhfTEa.exe
  2⤵
  PID:5352
- C:\Windows\System\lwmyzqR.exe
  C:\Windows\System\lwmyzqR.exe
  2⤵
  PID:2112
- C:\Windows\System\nwNDiYg.exe
  C:\Windows\System\nwNDiYg.exe
  2⤵
  PID:5748
- C:\Windows\System\kTCoRmP.exe
  C:\Windows\System\kTCoRmP.exe
  2⤵
  PID:6520
- C:\Windows\System\nYmAFkG.exe
  C:\Windows\System\nYmAFkG.exe
  2⤵
  PID:6608
- C:\Windows\System\HiOIsCI.exe
  C:\Windows\System\HiOIsCI.exe
  2⤵
  PID:7188
- C:\Windows\System\reppfmK.exe
  C:\Windows\System\reppfmK.exe
  2⤵
  PID:7212
- C:\Windows\System\yaDyZKp.exe
  C:\Windows\System\yaDyZKp.exe
  2⤵
  PID:7236
- C:\Windows\System\fhwCdbM.exe
  C:\Windows\System\fhwCdbM.exe
  2⤵
  PID:7256
- C:\Windows\System\FFHKswe.exe
  C:\Windows\System\FFHKswe.exe
  2⤵
  PID:7280
- C:\Windows\System\ayHWRJq.exe
  C:\Windows\System\ayHWRJq.exe
  2⤵
  PID:7300
- C:\Windows\System\NgoKVjN.exe
  C:\Windows\System\NgoKVjN.exe
  2⤵
  PID:7324
- C:\Windows\System\CfmWMGL.exe
  C:\Windows\System\CfmWMGL.exe
  2⤵
  PID:7400
- C:\Windows\System\UNXyqhq.exe
  C:\Windows\System\UNXyqhq.exe
  2⤵
  PID:7420
- C:\Windows\System\SYsBeUS.exe
  C:\Windows\System\SYsBeUS.exe
  2⤵
  PID:7444
- C:\Windows\System\ZDyffzq.exe
  C:\Windows\System\ZDyffzq.exe
  2⤵
  PID:7468
- C:\Windows\System\FegFVXq.exe
  C:\Windows\System\FegFVXq.exe
  2⤵
  PID:7488
- C:\Windows\System\TbvDYBM.exe
  C:\Windows\System\TbvDYBM.exe
  2⤵
  PID:7508
- C:\Windows\System\FFcEpuM.exe
  C:\Windows\System\FFcEpuM.exe
  2⤵
  PID:7532
- C:\Windows\System\xBSXHUF.exe
  C:\Windows\System\xBSXHUF.exe
  2⤵
  PID:7556
- C:\Windows\System\AETeQko.exe
  C:\Windows\System\AETeQko.exe
  2⤵
  PID:7576
- C:\Windows\System\eicMWjF.exe
  C:\Windows\System\eicMWjF.exe
  2⤵
  PID:7596
- C:\Windows\System\MMQyaeD.exe
  C:\Windows\System\MMQyaeD.exe
  2⤵
  PID:7620
- C:\Windows\System\jtlcjGB.exe
  C:\Windows\System\jtlcjGB.exe
  2⤵
  PID:7640
- C:\Windows\System\hYCZyDE.exe
  C:\Windows\System\hYCZyDE.exe
  2⤵
  PID:7660
- C:\Windows\System\TYMZgDZ.exe
  C:\Windows\System\TYMZgDZ.exe
  2⤵
  PID:7684
- C:\Windows\System\oXWnzka.exe
  C:\Windows\System\oXWnzka.exe
  2⤵
  PID:7708
- C:\Windows\System\UdkwFyz.exe
  C:\Windows\System\UdkwFyz.exe
  2⤵
  PID:7728
- C:\Windows\System\BvvuDUK.exe
  C:\Windows\System\BvvuDUK.exe
  2⤵
  PID:7748
- C:\Windows\System\npVsfpQ.exe
  C:\Windows\System\npVsfpQ.exe
  2⤵
  PID:7772
- C:\Windows\System\CVmizbL.exe
  C:\Windows\System\CVmizbL.exe
  2⤵
  PID:7796
- C:\Windows\System\gCTwOPJ.exe
  C:\Windows\System\gCTwOPJ.exe
  2⤵
  PID:7816
- C:\Windows\System\ZXEOBte.exe
  C:\Windows\System\ZXEOBte.exe
  2⤵
  PID:7840
- C:\Windows\System\zZKqaSU.exe
  C:\Windows\System\zZKqaSU.exe
  2⤵
  PID:7860
- C:\Windows\System\HKRwUic.exe
  C:\Windows\System\HKRwUic.exe
  2⤵
  PID:7884
- C:\Windows\System\TmHZYjb.exe
  C:\Windows\System\TmHZYjb.exe
  2⤵
  PID:7908
- C:\Windows\System\OlTcEGF.exe
  C:\Windows\System\OlTcEGF.exe
  2⤵
  PID:7932
- C:\Windows\System\jHqOhYU.exe
  C:\Windows\System\jHqOhYU.exe
  2⤵
  PID:7956
- C:\Windows\System\IFXVCjd.exe
  C:\Windows\System\IFXVCjd.exe
  2⤵
  PID:7980
- C:\Windows\System\piehTTy.exe
  C:\Windows\System\piehTTy.exe
  2⤵
  PID:7996
- C:\Windows\System\DycRADy.exe
  C:\Windows\System\DycRADy.exe
  2⤵
  PID:8020
- C:\Windows\System\PPeBctX.exe
  C:\Windows\System\PPeBctX.exe
  2⤵
  PID:8044
- C:\Windows\System\XHPonkr.exe
  C:\Windows\System\XHPonkr.exe
  2⤵
  PID:8064
- C:\Windows\System\nLqLENE.exe
  C:\Windows\System\nLqLENE.exe
  2⤵
  PID:8092
- C:\Windows\System\aBLviyI.exe
  C:\Windows\System\aBLviyI.exe
  2⤵
  PID:8112
- C:\Windows\System\dizoCau.exe
  C:\Windows\System\dizoCau.exe
  2⤵
  PID:8140
- C:\Windows\System\JEbsJWp.exe
  C:\Windows\System\JEbsJWp.exe
  2⤵
  PID:8160
- C:\Windows\System\glpmEUc.exe
  C:\Windows\System\glpmEUc.exe
  2⤵
  PID:8180
- C:\Windows\System\rVsPdxY.exe
  C:\Windows\System\rVsPdxY.exe
  2⤵
  PID:5700
- C:\Windows\System\lOsEKRg.exe
  C:\Windows\System\lOsEKRg.exe
  2⤵
  PID:5540
- C:\Windows\System\fTcVGFl.exe
  C:\Windows\System\fTcVGFl.exe
  2⤵
  PID:5304
- C:\Windows\System\iLGaWao.exe
  C:\Windows\System\iLGaWao.exe
  2⤵
  PID:6652
- C:\Windows\System\dDmFjQt.exe
  C:\Windows\System\dDmFjQt.exe
  2⤵
  PID:7252
- C:\Windows\System\sVUhrSl.exe
  C:\Windows\System\sVUhrSl.exe
  2⤵
  PID:8280
- C:\Windows\System\nCIVVWe.exe
  C:\Windows\System\nCIVVWe.exe
  2⤵
  PID:8308
- C:\Windows\System\PFHqITB.exe
  C:\Windows\System\PFHqITB.exe
  2⤵
  PID:8336
- C:\Windows\System\nyPQdun.exe
  C:\Windows\System\nyPQdun.exe
  2⤵
  PID:8360
- C:\Windows\System\htsVeNi.exe
  C:\Windows\System\htsVeNi.exe
  2⤵
  PID:8388
- C:\Windows\System\dYNmWtC.exe
  C:\Windows\System\dYNmWtC.exe
  2⤵
  PID:8408
- C:\Windows\System\usubPRT.exe
  C:\Windows\System\usubPRT.exe
  2⤵
  PID:8436
- C:\Windows\System\FzAXSmn.exe
  C:\Windows\System\FzAXSmn.exe
  2⤵
  PID:8456
- C:\Windows\System\CwIgVZS.exe
  C:\Windows\System\CwIgVZS.exe
  2⤵
  PID:8480
- C:\Windows\System\MmcLiKt.exe
  C:\Windows\System\MmcLiKt.exe
  2⤵
  PID:8508
- C:\Windows\System\UNdZSKW.exe
  C:\Windows\System\UNdZSKW.exe
  2⤵
  PID:8536
- C:\Windows\System\YRNmtnx.exe
  C:\Windows\System\YRNmtnx.exe
  2⤵
  PID:8556
- C:\Windows\System\BebyWMl.exe
  C:\Windows\System\BebyWMl.exe
  2⤵
  PID:8576
- C:\Windows\System\jBSeNTa.exe
  C:\Windows\System\jBSeNTa.exe
  2⤵
  PID:8596
- C:\Windows\System\OIGuICq.exe
  C:\Windows\System\OIGuICq.exe
  2⤵
  PID:8616
- C:\Windows\System\AYEWqww.exe
  C:\Windows\System\AYEWqww.exe
  2⤵
  PID:8644
- C:\Windows\System\iMClxBz.exe
  C:\Windows\System\iMClxBz.exe
  2⤵
  PID:8664
- C:\Windows\System\hWjCjqP.exe
  C:\Windows\System\hWjCjqP.exe
  2⤵
  PID:8688
- C:\Windows\System\bWhfQmj.exe
  C:\Windows\System\bWhfQmj.exe
  2⤵
  PID:8716
- C:\Windows\System\ascUXHQ.exe
  C:\Windows\System\ascUXHQ.exe
  2⤵
  PID:8736
- C:\Windows\System\vuhKIXA.exe
  C:\Windows\System\vuhKIXA.exe
  2⤵
  PID:8756
- C:\Windows\System\tlOglvD.exe
  C:\Windows\System\tlOglvD.exe
  2⤵
  PID:8780
- C:\Windows\System\mayZVCp.exe
  C:\Windows\System\mayZVCp.exe
  2⤵
  PID:8804
- C:\Windows\System\RRDeGxQ.exe
  C:\Windows\System\RRDeGxQ.exe
  2⤵
  PID:8824
- C:\Windows\System\rNHlItF.exe
  C:\Windows\System\rNHlItF.exe
  2⤵
  PID:8844
- C:\Windows\System\yKRVGoQ.exe
  C:\Windows\System\yKRVGoQ.exe
  2⤵
  PID:8872
- C:\Windows\System\OHZGoDa.exe
  C:\Windows\System\OHZGoDa.exe
  2⤵
  PID:8892
- C:\Windows\System\DRgWvJG.exe
  C:\Windows\System\DRgWvJG.exe
  2⤵
  PID:9060
- C:\Windows\System\CflinMB.exe
  C:\Windows\System\CflinMB.exe
  2⤵
  PID:9080
- C:\Windows\System\eIvdpOw.exe
  C:\Windows\System\eIvdpOw.exe
  2⤵
  PID:9132
- C:\Windows\System\pWVaUfT.exe
  C:\Windows\System\pWVaUfT.exe
  2⤵
  PID:9160
- C:\Windows\System\WKsBvEy.exe
  C:\Windows\System\WKsBvEy.exe
  2⤵
  PID:9176
- C:\Windows\System\bGfopdj.exe
  C:\Windows\System\bGfopdj.exe
  2⤵
  PID:9208
- C:\Windows\System\NSNohSB.exe
  C:\Windows\System\NSNohSB.exe
  2⤵
  PID:6440
- C:\Windows\System\vBbFFYP.exe
  C:\Windows\System\vBbFFYP.exe
  2⤵
  PID:7940
- C:\Windows\System\urPvGeR.exe
  C:\Windows\System\urPvGeR.exe
  2⤵
  PID:6516
- C:\Windows\System\UzmHnyy.exe
  C:\Windows\System\UzmHnyy.exe
  2⤵
  PID:8120
- C:\Windows\System\YIIdwcq.exe
  C:\Windows\System\YIIdwcq.exe
  2⤵
  PID:5680
- C:\Windows\System\fwtpolw.exe
  C:\Windows\System\fwtpolw.exe
  2⤵
  PID:4828
- C:\Windows\System\GSiLOqy.exe
  C:\Windows\System\GSiLOqy.exe
  2⤵
  PID:7288
- C:\Windows\System\qkMIjdt.exe
  C:\Windows\System\qkMIjdt.exe
  2⤵
  PID:6696
- C:\Windows\System\WOswHgK.exe
  C:\Windows\System\WOswHgK.exe
  2⤵
  PID:6884
- C:\Windows\System\dWyFLHx.exe
  C:\Windows\System\dWyFLHx.exe
  2⤵
  PID:6976
- C:\Windows\System\ghnFaVK.exe
  C:\Windows\System\ghnFaVK.exe
  2⤵
  PID:7104
- C:\Windows\System\yuySXMc.exe
  C:\Windows\System\yuySXMc.exe
  2⤵
  PID:6480
- C:\Windows\System\CFkdDcN.exe
  C:\Windows\System\CFkdDcN.exe
  2⤵
  PID:7208
- C:\Windows\System\GNnWVQb.exe
  C:\Windows\System\GNnWVQb.exe
  2⤵
  PID:8672
- C:\Windows\System\keiQDAx.exe
  C:\Windows\System\keiQDAx.exe
  2⤵
  PID:7320
- C:\Windows\System\MNPUoxf.exe
  C:\Windows\System\MNPUoxf.exe
  2⤵
  PID:1788
- C:\Windows\System\JbpMRho.exe
  C:\Windows\System\JbpMRho.exe
  2⤵
  PID:7344
- C:\Windows\System\eQWZSST.exe
  C:\Windows\System\eQWZSST.exe
  2⤵
  PID:9224
- C:\Windows\System\RHiFljx.exe
  C:\Windows\System\RHiFljx.exe
  2⤵
  PID:9280
- C:\Windows\System\bNpTQWe.exe
  C:\Windows\System\bNpTQWe.exe
  2⤵
  PID:9300
- C:\Windows\System\TNPHYXV.exe
  C:\Windows\System\TNPHYXV.exe
  2⤵
  PID:9316
- C:\Windows\System\SJQAYCW.exe
  C:\Windows\System\SJQAYCW.exe
  2⤵
  PID:9352
- C:\Windows\System\qSiPhZI.exe
  C:\Windows\System\qSiPhZI.exe
  2⤵
  PID:9368
- C:\Windows\System\GAylVxg.exe
  C:\Windows\System\GAylVxg.exe
  2⤵
  PID:9388
- C:\Windows\System\ayXDSSX.exe
  C:\Windows\System\ayXDSSX.exe
  2⤵
  PID:9408
- C:\Windows\System\XswebWM.exe
  C:\Windows\System\XswebWM.exe
  2⤵
  PID:9432
- C:\Windows\System\CZsIlYN.exe
  C:\Windows\System\CZsIlYN.exe
  2⤵
  PID:9456
- C:\Windows\System\ARJDrIp.exe
  C:\Windows\System\ARJDrIp.exe
  2⤵
  PID:9480
- C:\Windows\System\nbNwzcP.exe
  C:\Windows\System\nbNwzcP.exe
  2⤵
  PID:9500
- C:\Windows\System\CjIcZNm.exe
  C:\Windows\System\CjIcZNm.exe
  2⤵
  PID:9520
- C:\Windows\System\JNZvFSp.exe
  C:\Windows\System\JNZvFSp.exe
  2⤵
  PID:9548
- C:\Windows\System\qSkSlkI.exe
  C:\Windows\System\qSkSlkI.exe
  2⤵
  PID:9564
- C:\Windows\System\Kdymfwt.exe
  C:\Windows\System\Kdymfwt.exe
  2⤵
  PID:9580
- C:\Windows\System\iDDuCdX.exe
  C:\Windows\System\iDDuCdX.exe
  2⤵
  PID:9596
- C:\Windows\System\ADVlSMG.exe
  C:\Windows\System\ADVlSMG.exe
  2⤵
  PID:9616
- C:\Windows\System\QtDxpqO.exe
  C:\Windows\System\QtDxpqO.exe
  2⤵
  PID:9636
- C:\Windows\System\OFbEqdX.exe
  C:\Windows\System\OFbEqdX.exe
  2⤵
  PID:9656
- C:\Windows\System\TDkJFOV.exe
  C:\Windows\System\TDkJFOV.exe
  2⤵
  PID:9676
- C:\Windows\System\isFrzMy.exe
  C:\Windows\System\isFrzMy.exe
  2⤵
  PID:9704
- C:\Windows\System\VoMvRAi.exe
  C:\Windows\System\VoMvRAi.exe
  2⤵
  PID:9776
- C:\Windows\System\ouVdzbc.exe
  C:\Windows\System\ouVdzbc.exe
  2⤵
  PID:9792
- C:\Windows\System\yKpepAH.exe
  C:\Windows\System\yKpepAH.exe
  2⤵
  PID:9816
- C:\Windows\System\NkfavTx.exe
  C:\Windows\System\NkfavTx.exe
  2⤵
  PID:9840
- C:\Windows\System\EJiKQqp.exe
  C:\Windows\System\EJiKQqp.exe
  2⤵
  PID:9864
- C:\Windows\System\ZOupVEh.exe
  C:\Windows\System\ZOupVEh.exe
  2⤵
  PID:9888
- C:\Windows\System\VGwXHHl.exe
  C:\Windows\System\VGwXHHl.exe
  2⤵
  PID:9916
- C:\Windows\System\ceIAcEz.exe
  C:\Windows\System\ceIAcEz.exe
  2⤵
  PID:9932
- C:\Windows\System\wWLPrLE.exe
  C:\Windows\System\wWLPrLE.exe
  2⤵
  PID:9956
- C:\Windows\System\xNpmZbs.exe
  C:\Windows\System\xNpmZbs.exe
  2⤵
  PID:9980
- C:\Windows\System\rpPJLAn.exe
  C:\Windows\System\rpPJLAn.exe
  2⤵
  PID:10000
- C:\Windows\System\cfVvUmC.exe
  C:\Windows\System\cfVvUmC.exe
  2⤵
  PID:10028
- C:\Windows\System\CGVKXel.exe
  C:\Windows\System\CGVKXel.exe
  2⤵
  PID:10044
- C:\Windows\System\VrprZfd.exe
  C:\Windows\System\VrprZfd.exe
  2⤵
  PID:10060
- C:\Windows\System\HhtUclm.exe
  C:\Windows\System\HhtUclm.exe
  2⤵
  PID:10076
- C:\Windows\System\dpoGTdo.exe
  C:\Windows\System\dpoGTdo.exe
  2⤵
  PID:10096
- C:\Windows\System\EOXwoGa.exe
  C:\Windows\System\EOXwoGa.exe
  2⤵
  PID:10116
- C:\Windows\System\LcJHhky.exe
  C:\Windows\System\LcJHhky.exe
  2⤵
  PID:10140
- C:\Windows\System\qGDCRuS.exe
  C:\Windows\System\qGDCRuS.exe
  2⤵
  PID:10160
- C:\Windows\System\XxUrKSM.exe
  C:\Windows\System\XxUrKSM.exe
  2⤵
  PID:10180
- C:\Windows\System\JVIpBjB.exe
  C:\Windows\System\JVIpBjB.exe
  2⤵
  PID:10200
- C:\Windows\System\Bipfaba.exe
  C:\Windows\System\Bipfaba.exe
  2⤵
  PID:10220
- C:\Windows\System\lhCYUzF.exe
  C:\Windows\System\lhCYUzF.exe
  2⤵
  PID:7368
- C:\Windows\System\BSEoFwU.exe
  C:\Windows\System\BSEoFwU.exe
  2⤵
  PID:7436
- C:\Windows\System\KLiiqIz.exe
  C:\Windows\System\KLiiqIz.exe
  2⤵
  PID:7480
- C:\Windows\System\jqjOKvy.exe
  C:\Windows\System\jqjOKvy.exe
  2⤵
  PID:7540
- C:\Windows\System\NhUQjBn.exe
  C:\Windows\System\NhUQjBn.exe
  2⤵
  PID:7592
- C:\Windows\System\zvLmfsD.exe
  C:\Windows\System\zvLmfsD.exe
  2⤵
  PID:7616
- C:\Windows\System\NXCYkxc.exe
  C:\Windows\System\NXCYkxc.exe
  2⤵
  PID:7680
- C:\Windows\System\KOefHRc.exe
  C:\Windows\System\KOefHRc.exe
  2⤵
  PID:7724
- C:\Windows\System\zlbxJsc.exe
  C:\Windows\System\zlbxJsc.exe
  2⤵
  PID:7764
- C:\Windows\System\DjOjwgd.exe
  C:\Windows\System\DjOjwgd.exe
  2⤵
  PID:7804
- C:\Windows\System\DeiyjPk.exe
  C:\Windows\System\DeiyjPk.exe
  2⤵
  PID:7852
- C:\Windows\System\OeEmxRg.exe
  C:\Windows\System\OeEmxRg.exe
  2⤵
  PID:7892
- C:\Windows\System\sDuWxxX.exe
  C:\Windows\System\sDuWxxX.exe
  2⤵
  PID:8472
- C:\Windows\System\OoeSynC.exe
  C:\Windows\System\OoeSynC.exe
  2⤵
  PID:8496
- C:\Windows\System\blPuOaI.exe
  C:\Windows\System\blPuOaI.exe
  2⤵
  PID:9012
- C:\Windows\System\UcWXfsT.exe
  C:\Windows\System\UcWXfsT.exe
  2⤵
  PID:8592
- C:\Windows\System\dWETFhC.exe
  C:\Windows\System\dWETFhC.exe
  2⤵
  PID:9404
- C:\Windows\System\rlzKhGd.exe
  C:\Windows\System\rlzKhGd.exe
  2⤵
  PID:9464
- C:\Windows\System\vXbnNcd.exe
  C:\Windows\System\vXbnNcd.exe
  2⤵
  PID:8656
- C:\Windows\System\qvIpjon.exe
  C:\Windows\System\qvIpjon.exe
  2⤵
  PID:9632
- C:\Windows\System\piutaTq.exe
  C:\Windows\System\piutaTq.exe
  2⤵
  PID:8764
- C:\Windows\System\GVxestC.exe
  C:\Windows\System\GVxestC.exe
  2⤵
  PID:8800
- C:\Windows\System\QdmgCbB.exe
  C:\Windows\System\QdmgCbB.exe
  2⤵
  PID:9068
- C:\Windows\System\JoVHLkk.exe
  C:\Windows\System\JoVHLkk.exe
  2⤵
  PID:9944
- C:\Windows\System\OyQAKHc.exe
  C:\Windows\System\OyQAKHc.exe
  2⤵
  PID:8936
- C:\Windows\System\PKqqXkE.exe
  C:\Windows\System\PKqqXkE.exe
  2⤵
  PID:8972
- C:\Windows\System\fvbngBP.exe
  C:\Windows\System\fvbngBP.exe
  2⤵
  PID:9440
- C:\Windows\System\HWphOmF.exe
  C:\Windows\System\HWphOmF.exe
  2⤵
  PID:9624
- C:\Windows\System\ogmqDlV.exe
  C:\Windows\System\ogmqDlV.exe
  2⤵
  PID:9684
- C:\Windows\System\HFHySuH.exe
  C:\Windows\System\HFHySuH.exe
  2⤵
  PID:8728
- C:\Windows\System\AryRRPN.exe
  C:\Windows\System\AryRRPN.exe
  2⤵
  PID:10256
- C:\Windows\System\pQpREsc.exe
  C:\Windows\System\pQpREsc.exe
  2⤵
  PID:10280
- C:\Windows\System\qNbiqpA.exe
  C:\Windows\System\qNbiqpA.exe
  2⤵
  PID:10296
- C:\Windows\System\uidTyIN.exe
  C:\Windows\System\uidTyIN.exe
  2⤵
  PID:10328
- C:\Windows\System\bGLEvMJ.exe
  C:\Windows\System\bGLEvMJ.exe
  2⤵
  PID:10352
- C:\Windows\System\uiRRMnP.exe
  C:\Windows\System\uiRRMnP.exe
  2⤵
  PID:10368
- C:\Windows\System\MlrrtUm.exe
  C:\Windows\System\MlrrtUm.exe
  2⤵
  PID:10388
- C:\Windows\System\XRgnjRT.exe
  C:\Windows\System\XRgnjRT.exe
  2⤵
  PID:10408
- C:\Windows\System\jCnQyfd.exe
  C:\Windows\System\jCnQyfd.exe
  2⤵
  PID:10456
- C:\Windows\System\FjBHGEJ.exe
  C:\Windows\System\FjBHGEJ.exe
  2⤵
  PID:10484
- C:\Windows\System\dCzDFDb.exe
  C:\Windows\System\dCzDFDb.exe
  2⤵
  PID:10536
- C:\Windows\System\cAEXirJ.exe
  C:\Windows\System\cAEXirJ.exe
  2⤵
  PID:10552
- C:\Windows\System\iRMHWWn.exe
  C:\Windows\System\iRMHWWn.exe
  2⤵
  PID:10568
- C:\Windows\System\thkKbJS.exe
  C:\Windows\System\thkKbJS.exe
  2⤵
  PID:10584
- C:\Windows\System\nWskBjm.exe
  C:\Windows\System\nWskBjm.exe
  2⤵
  PID:10600
- C:\Windows\System\IqSHHqP.exe
  C:\Windows\System\IqSHHqP.exe
  2⤵
  PID:10616
- C:\Windows\System\VXmhBYg.exe
  C:\Windows\System\VXmhBYg.exe
  2⤵
  PID:10632
- C:\Windows\System\mzWSCXG.exe
  C:\Windows\System\mzWSCXG.exe
  2⤵
  PID:10652
- C:\Windows\System\BLoHncA.exe
  C:\Windows\System\BLoHncA.exe
  2⤵
  PID:10672
- C:\Windows\System\qilkOBk.exe
  C:\Windows\System\qilkOBk.exe
  2⤵
  PID:10696
- C:\Windows\System\xYTDRzu.exe
  C:\Windows\System\xYTDRzu.exe
  2⤵
  PID:10720
- C:\Windows\System\xJOZHwd.exe
  C:\Windows\System\xJOZHwd.exe
  2⤵
  PID:10744
- C:\Windows\System\hJUEbUl.exe
  C:\Windows\System\hJUEbUl.exe
  2⤵
  PID:10768
- C:\Windows\System\QjZnXTW.exe
  C:\Windows\System\QjZnXTW.exe
  2⤵
  PID:10788
- C:\Windows\System\iTrMhFW.exe
  C:\Windows\System\iTrMhFW.exe
  2⤵
  PID:10808
- C:\Windows\System\sWYcepJ.exe
  C:\Windows\System\sWYcepJ.exe
  2⤵
  PID:10832
- C:\Windows\System\RPxZdMV.exe
  C:\Windows\System\RPxZdMV.exe
  2⤵
  PID:10852
- C:\Windows\System\uggEWkQ.exe
  C:\Windows\System\uggEWkQ.exe
  2⤵
  PID:10868
- C:\Windows\System\ryPATKA.exe
  C:\Windows\System\ryPATKA.exe
  2⤵
  PID:10896
- C:\Windows\System\RPWxKFT.exe
  C:\Windows\System\RPWxKFT.exe
  2⤵
  PID:10916
- C:\Windows\System\tyuTvnZ.exe
  C:\Windows\System\tyuTvnZ.exe
  2⤵
  PID:10940
- C:\Windows\System\mYTJVYj.exe
  C:\Windows\System\mYTJVYj.exe
  2⤵
  PID:10964
- C:\Windows\System\FusTRmd.exe
  C:\Windows\System\FusTRmd.exe
  2⤵
  PID:10984
- C:\Windows\System\PdPGkjp.exe
  C:\Windows\System\PdPGkjp.exe
  2⤵
  PID:11008
- C:\Windows\System\KuYhWvC.exe
  C:\Windows\System\KuYhWvC.exe
  2⤵
  PID:11028
- C:\Windows\System\BzQjBUO.exe
  C:\Windows\System\BzQjBUO.exe
  2⤵
  PID:11044
- C:\Windows\System\oYFJSlZ.exe
  C:\Windows\System\oYFJSlZ.exe
  2⤵
  PID:11072
- C:\Windows\System\VYnXGDC.exe
  C:\Windows\System\VYnXGDC.exe
  2⤵
  PID:11096
- C:\Windows\System\nZGbiTl.exe
  C:\Windows\System\nZGbiTl.exe
  2⤵
  PID:11124
- C:\Windows\System\eqvORHT.exe
  C:\Windows\System\eqvORHT.exe
  2⤵
  PID:11144
- C:\Windows\System\WSfgNQQ.exe
  C:\Windows\System\WSfgNQQ.exe
  2⤵
  PID:11160
- C:\Windows\System\TInbtZT.exe
  C:\Windows\System\TInbtZT.exe
  2⤵
  PID:11188
- C:\Windows\System\nUjUpbP.exe
  C:\Windows\System\nUjUpbP.exe
  2⤵
  PID:11212
- C:\Windows\System\FqMDNPI.exe
  C:\Windows\System\FqMDNPI.exe
  2⤵
  PID:11232
- C:\Windows\System\jVjldEE.exe
  C:\Windows\System\jVjldEE.exe
  2⤵
  PID:9108
- C:\Windows\System\bEJaOCe.exe
  C:\Windows\System\bEJaOCe.exe
  2⤵
  PID:9152
- C:\Windows\System\jkZkXmr.exe
  C:\Windows\System\jkZkXmr.exe
  2⤵
  PID:9204
- C:\Windows\System\zzozoDB.exe
  C:\Windows\System\zzozoDB.exe
  2⤵
  PID:7924
- C:\Windows\System\MJqQwkn.exe
  C:\Windows\System\MJqQwkn.exe
  2⤵
  PID:8080
- C:\Windows\System\wfoacyr.exe
  C:\Windows\System\wfoacyr.exe
  2⤵
  PID:7172
- C:\Windows\System\JeKvbqE.exe
  C:\Windows\System\JeKvbqE.exe
  2⤵
  PID:7020
- C:\Windows\System\rmFEyYB.exe
  C:\Windows\System\rmFEyYB.exe
  2⤵
  PID:9976
- C:\Windows\System\hFGvFUg.exe
  C:\Windows\System\hFGvFUg.exe
  2⤵
  PID:10016
- C:\Windows\System\AsWOgSC.exe
  C:\Windows\System\AsWOgSC.exe
  2⤵
  PID:7296
- C:\Windows\System\jUlDmSO.exe
  C:\Windows\System\jUlDmSO.exe
  2⤵
  PID:952
- C:\Windows\System\maDpjxs.exe
  C:\Windows\System\maDpjxs.exe
  2⤵
  PID:9260
- C:\Windows\System\KHksrfs.exe
  C:\Windows\System\KHksrfs.exe
  2⤵
  PID:2164
- C:\Windows\System\JCgwWDh.exe
  C:\Windows\System\JCgwWDh.exe
  2⤵
  PID:9360
- C:\Windows\System\aUNHOoC.exe
  C:\Windows\System\aUNHOoC.exe
  2⤵
  PID:9428
- C:\Windows\System\oPsoHIY.exe
  C:\Windows\System\oPsoHIY.exe
  2⤵
  PID:9576
- C:\Windows\System\aFtCdEU.exe
  C:\Windows\System\aFtCdEU.exe
  2⤵
  PID:8816
- C:\Windows\System\ZtBLFze.exe
  C:\Windows\System\ZtBLFze.exe
  2⤵
  PID:3136
- C:\Windows\System\kscwXwF.exe
  C:\Windows\System\kscwXwF.exe
  2⤵
  PID:9692
- C:\Windows\System\TsyJgVj.exe
  C:\Windows\System\TsyJgVj.exe
  2⤵
  PID:3592
- C:\Windows\System\ACCePuN.exe
  C:\Windows\System\ACCePuN.exe
  2⤵
  PID:4380
- C:\Windows\System\PlQOyDe.exe
  C:\Windows\System\PlQOyDe.exe
  2⤵
  PID:9824
- C:\Windows\System\rVUyKpZ.exe
  C:\Windows\System\rVUyKpZ.exe
  2⤵
  PID:9860
- C:\Windows\System\MZGLZfV.exe
  C:\Windows\System\MZGLZfV.exe
  2⤵
  PID:9912
- C:\Windows\System\mXKAeqP.exe
  C:\Windows\System\mXKAeqP.exe
  2⤵
  PID:10472
- C:\Windows\System\GplnvNm.exe
  C:\Windows\System\GplnvNm.exe
  2⤵
  PID:10052
- C:\Windows\System\JXOtoma.exe
  C:\Windows\System\JXOtoma.exe
  2⤵
  PID:10092
- C:\Windows\System\GSJWxLC.exe
  C:\Windows\System\GSJWxLC.exe
  2⤵
  PID:10148
- C:\Windows\System\fStiRIL.exe
  C:\Windows\System\fStiRIL.exe
  2⤵
  PID:10196
- C:\Windows\System\TAqwUtK.exe
  C:\Windows\System\TAqwUtK.exe
  2⤵
  PID:7384
- C:\Windows\System\IiYQdVN.exe
  C:\Windows\System\IiYQdVN.exe
  2⤵
  PID:7524
- C:\Windows\System\SShiEVc.exe
  C:\Windows\System\SShiEVc.exe
  2⤵
  PID:7588
- C:\Windows\System\xOLcbxf.exe
  C:\Windows\System\xOLcbxf.exe
  2⤵
  PID:7876
- C:\Windows\System\WGYyayA.exe
  C:\Windows\System\WGYyayA.exe
  2⤵
  PID:7788
- C:\Windows\System\HzDvCVD.exe
  C:\Windows\System\HzDvCVD.exe
  2⤵
  PID:7668
- C:\Windows\System\KFgyGDa.exe
  C:\Windows\System\KFgyGDa.exe
  2⤵
  PID:10680
- C:\Windows\System\KzoPsLD.exe
  C:\Windows\System\KzoPsLD.exe
  2⤵
  PID:8548
- C:\Windows\System\useIHtR.exe
  C:\Windows\System\useIHtR.exe
  2⤵
  PID:10844
- C:\Windows\System\NNqibVG.exe
  C:\Windows\System\NNqibVG.exe
  2⤵
  PID:11268
- C:\Windows\System\wpMkSFy.exe
  C:\Windows\System\wpMkSFy.exe
  2⤵
  PID:11292
- C:\Windows\System\kOWENVu.exe
  C:\Windows\System\kOWENVu.exe
  2⤵
  PID:11316
- C:\Windows\System\ZQcHzMZ.exe
  C:\Windows\System\ZQcHzMZ.exe
  2⤵
  PID:11340
- C:\Windows\System\uWlxLuI.exe
  C:\Windows\System\uWlxLuI.exe
  2⤵
  PID:11368
- C:\Windows\System\zGdQqez.exe
  C:\Windows\System\zGdQqez.exe
  2⤵
  PID:11388
- C:\Windows\System\qaGGNrv.exe
  C:\Windows\System\qaGGNrv.exe
  2⤵
  PID:11412
- C:\Windows\System\ylCyzJX.exe
  C:\Windows\System\ylCyzJX.exe
  2⤵
  PID:11436
- C:\Windows\System\YvkdJjV.exe
  C:\Windows\System\YvkdJjV.exe
  2⤵
  PID:11464
- C:\Windows\System\rEpCTEo.exe
  C:\Windows\System\rEpCTEo.exe
  2⤵
  PID:11484
- C:\Windows\System\yDWmgcw.exe
  C:\Windows\System\yDWmgcw.exe
  2⤵
  PID:11508
- C:\Windows\System\HwoSKxA.exe
  C:\Windows\System\HwoSKxA.exe
  2⤵
  PID:11528
- C:\Windows\System\OWrRyOV.exe
  C:\Windows\System\OWrRyOV.exe
  2⤵
  PID:11548
- C:\Windows\System\DgOBlNT.exe
  C:\Windows\System\DgOBlNT.exe
  2⤵
  PID:11572
- C:\Windows\System\lsOIYax.exe
  C:\Windows\System\lsOIYax.exe
  2⤵
  PID:11592
- C:\Windows\System\YghWSlq.exe
  C:\Windows\System\YghWSlq.exe
  2⤵
  PID:11608
- C:\Windows\System\HRgNnTA.exe
  C:\Windows\System\HRgNnTA.exe
  2⤵
  PID:11632
- C:\Windows\System\NPfEXIj.exe
  C:\Windows\System\NPfEXIj.exe
  2⤵
  PID:11652
- C:\Windows\System\xVQdoQY.exe
  C:\Windows\System\xVQdoQY.exe
  2⤵
  PID:11672
- C:\Windows\System\fFsrQoy.exe
  C:\Windows\System\fFsrQoy.exe
  2⤵
  PID:11696
- C:\Windows\System\qVTAqYd.exe
  C:\Windows\System\qVTAqYd.exe
  2⤵
  PID:11728
- C:\Windows\System\jKbMXFN.exe
  C:\Windows\System\jKbMXFN.exe
  2⤵
  PID:11752
- C:\Windows\System\kDVEPbN.exe
  C:\Windows\System\kDVEPbN.exe
  2⤵
  PID:11768
- C:\Windows\System\DZFklTI.exe
  C:\Windows\System\DZFklTI.exe
  2⤵
  PID:11784
- C:\Windows\System\EuteMbb.exe
  C:\Windows\System\EuteMbb.exe
  2⤵
  PID:11804
- C:\Windows\System\HLPZUyC.exe
  C:\Windows\System\HLPZUyC.exe
  2⤵
  PID:11820
- C:\Windows\System\iggpmqW.exe
  C:\Windows\System\iggpmqW.exe
  2⤵
  PID:11836
- C:\Windows\System\dgwmucM.exe
  C:\Windows\System\dgwmucM.exe
  2⤵
  PID:11856
- C:\Windows\System\fdjompR.exe
  C:\Windows\System\fdjompR.exe
  2⤵
  PID:11872
- C:\Windows\System\qCaGqRR.exe
  C:\Windows\System\qCaGqRR.exe
  2⤵
  PID:11892
- C:\Windows\System\hYDmQXF.exe
  C:\Windows\System\hYDmQXF.exe
  2⤵
  PID:11912
- C:\Windows\System\IuxPZPY.exe
  C:\Windows\System\IuxPZPY.exe
  2⤵
  PID:11936
- C:\Windows\System\ZcKGgnG.exe
  C:\Windows\System\ZcKGgnG.exe
  2⤵
  PID:11960
- C:\Windows\System\PSZNFrU.exe
  C:\Windows\System\PSZNFrU.exe
  2⤵
  PID:11980
- C:\Windows\System\uzKZPrQ.exe
  C:\Windows\System\uzKZPrQ.exe
  2⤵
  PID:12016
- C:\Windows\System\DwFyjZc.exe
  C:\Windows\System\DwFyjZc.exe
  2⤵
  PID:12036
- C:\Windows\System\jaESGLk.exe
  C:\Windows\System\jaESGLk.exe
  2⤵
  PID:12052
- C:\Windows\System\QcIxyzM.exe
  C:\Windows\System\QcIxyzM.exe
  2⤵
  PID:12068
- C:\Windows\System\YIkrahj.exe
  C:\Windows\System\YIkrahj.exe
  2⤵
  PID:12084
- C:\Windows\System\wtiGysH.exe
  C:\Windows\System\wtiGysH.exe
  2⤵
  PID:12108
- C:\Windows\System\zdhJyND.exe
  C:\Windows\System\zdhJyND.exe
  2⤵
  PID:12124
- C:\Windows\System\tTUxOoH.exe
  C:\Windows\System\tTUxOoH.exe
  2⤵
  PID:12196
- C:\Windows\System\DMOSNdT.exe
  C:\Windows\System\DMOSNdT.exe
  2⤵
  PID:12212
- C:\Windows\System\cFrTOLH.exe
  C:\Windows\System\cFrTOLH.exe
  2⤵
  PID:12236
- C:\Windows\System\ekuXswp.exe
  C:\Windows\System\ekuXswp.exe
  2⤵
  PID:12264
- C:\Windows\System\yERpSLk.exe
  C:\Windows\System\yERpSLk.exe
  2⤵
  PID:9492
- C:\Windows\System\EMLzPRd.exe
  C:\Windows\System\EMLzPRd.exe
  2⤵
  PID:10932
- C:\Windows\System\yWINVIW.exe
  C:\Windows\System\yWINVIW.exe
  2⤵
  PID:8840
- C:\Windows\System\lPvSQKq.exe
  C:\Windows\System\lPvSQKq.exe
  2⤵
  PID:10292
- C:\Windows\System\rKSGztc.exe
  C:\Windows\System\rKSGztc.exe
  2⤵
  PID:6416
- C:\Windows\System\hcYMKnL.exe
  C:\Windows\System\hcYMKnL.exe
  2⤵
  PID:10648
- C:\Windows\System\zLYlJgc.exe
  C:\Windows\System\zLYlJgc.exe
  2⤵
  PID:10728
- C:\Windows\System\gxgwgdh.exe
  C:\Windows\System\gxgwgdh.exe
  2⤵
  PID:10228
- C:\Windows\System\TorVsEX.exe
  C:\Windows\System\TorVsEX.exe
  2⤵
  PID:10784
- C:\Windows\System\vYQXrxC.exe
  C:\Windows\System\vYQXrxC.exe
  2⤵
  PID:10864
- C:\Windows\System\QSvRpUj.exe
  C:\Windows\System\QSvRpUj.exe
  2⤵
  PID:10976
- C:\Windows\System\vEHkDCq.exe
  C:\Windows\System\vEHkDCq.exe
  2⤵
  PID:11444
- C:\Windows\System\VCzYVwS.exe
  C:\Windows\System\VCzYVwS.exe
  2⤵
  PID:11720
- C:\Windows\System\jGWbVbc.exe
  C:\Windows\System\jGWbVbc.exe
  2⤵
  PID:11948
- C:\Windows\System\QluFuIm.exe
  C:\Windows\System\QluFuIm.exe
  2⤵
  PID:12096
- C:\Windows\System\RISHrhN.exe
  C:\Windows\System\RISHrhN.exe
  2⤵
  PID:11088
- C:\Windows\System\qUCpbvD.exe
  C:\Windows\System\qUCpbvD.exe
  2⤵
  PID:10880
- C:\Windows\System\sRHtFpi.exe
  C:\Windows\System\sRHtFpi.exe
  2⤵
  PID:12300
- C:\Windows\System\NdpbMsN.exe
  C:\Windows\System\NdpbMsN.exe
  2⤵
  PID:12324
- C:\Windows\System\CilJpCU.exe
  C:\Windows\System\CilJpCU.exe
  2⤵
  PID:12340
- C:\Windows\System\OWZGMxD.exe
  C:\Windows\System\OWZGMxD.exe
  2⤵
  PID:12360
- C:\Windows\System\ygpKslr.exe
  C:\Windows\System\ygpKslr.exe
  2⤵
  PID:12380
- C:\Windows\System\OpwBBNV.exe
  C:\Windows\System\OpwBBNV.exe
  2⤵
  PID:12408
- C:\Windows\System\CiamIaY.exe
  C:\Windows\System\CiamIaY.exe
  2⤵
  PID:12440
- C:\Windows\System\taIimbe.exe
  C:\Windows\System\taIimbe.exe
  2⤵
  PID:12468
- C:\Windows\System\OsnXIzX.exe
  C:\Windows\System\OsnXIzX.exe
  2⤵
  PID:12484
- C:\Windows\System\TfwEdcq.exe
  C:\Windows\System\TfwEdcq.exe
  2⤵
  PID:12512
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 12512 -s 28
    3⤵
    PID:10312
- C:\Windows\System\TgMdIDw.exe
  C:\Windows\System\TgMdIDw.exe
  2⤵
  PID:12528
- C:\Windows\System\Vnzzbcj.exe
  C:\Windows\System\Vnzzbcj.exe
  2⤵
  PID:12552
- C:\Windows\System\uEtZRgR.exe
  C:\Windows\System\uEtZRgR.exe
  2⤵
  PID:12580
- C:\Windows\System\qPEmRmt.exe
  C:\Windows\System\qPEmRmt.exe
  2⤵
  PID:12616
- C:\Windows\System\iCpNasC.exe
  C:\Windows\System\iCpNasC.exe
  2⤵
  PID:12640
- C:\Windows\System\YEdpOru.exe
  C:\Windows\System\YEdpOru.exe
  2⤵
  PID:12668
- C:\Windows\System\qNOMNRV.exe
  C:\Windows\System\qNOMNRV.exe
  2⤵
  PID:12692
- C:\Windows\System\rfaHlht.exe
  C:\Windows\System\rfaHlht.exe
  2⤵
  PID:12720
- C:\Windows\System\BjVUbcc.exe
  C:\Windows\System\BjVUbcc.exe
  2⤵
  PID:12740
- C:\Windows\System\iavQFZc.exe
  C:\Windows\System\iavQFZc.exe
  2⤵
  PID:12756
- C:\Windows\System\ROWyeuB.exe
  C:\Windows\System\ROWyeuB.exe
  2⤵
  PID:12776
- C:\Windows\System\HjvyKda.exe
  C:\Windows\System\HjvyKda.exe
  2⤵
  PID:12792
- C:\Windows\System\ZqftKbW.exe
  C:\Windows\System\ZqftKbW.exe
  2⤵
  PID:12808
- C:\Windows\System\sNyOWhY.exe
  C:\Windows\System\sNyOWhY.exe
  2⤵
  PID:12824
- C:\Windows\System\fuezVmV.exe
  C:\Windows\System\fuezVmV.exe
  2⤵
  PID:12840
- C:\Windows\System\VbVWdLT.exe
  C:\Windows\System\VbVWdLT.exe
  2⤵
  PID:12860
- C:\Windows\System\JNEARma.exe
  C:\Windows\System\JNEARma.exe
  2⤵
  PID:12876
- C:\Windows\System\GugTOcU.exe
  C:\Windows\System\GugTOcU.exe
  2⤵
  PID:12896
- C:\Windows\System\EixCpfG.exe
  C:\Windows\System\EixCpfG.exe
  2⤵
  PID:12912
- C:\Windows\System\TGBtUKO.exe
  C:\Windows\System\TGBtUKO.exe
  2⤵
  PID:12928
- C:\Windows\System\juuQalY.exe
  C:\Windows\System\juuQalY.exe
  2⤵
  PID:12944
- C:\Windows\System\slHSVhj.exe
  C:\Windows\System\slHSVhj.exe
  2⤵
  PID:12964
- C:\Windows\System\XaxvPhc.exe
  C:\Windows\System\XaxvPhc.exe
  2⤵
  PID:12988
- C:\Windows\System\lRyknRX.exe
  C:\Windows\System\lRyknRX.exe
  2⤵
  PID:13016
- C:\Windows\System\jMsULUI.exe
  C:\Windows\System\jMsULUI.exe
  2⤵
  PID:13040
- C:\Windows\System\dLvAcbd.exe
  C:\Windows\System\dLvAcbd.exe
  2⤵
  PID:4732
- C:\Windows\System\CykjPDx.exe
  C:\Windows\System\CykjPDx.exe
  2⤵
  PID:8904
- C:\Windows\System\UAprIuf.exe
  C:\Windows\System\UAprIuf.exe
  2⤵
  PID:11724
- C:\Windows\System\AEAMshD.exe
  C:\Windows\System\AEAMshD.exe
  2⤵
  PID:4860
- C:\Windows\System\KcjzsXX.exe
  C:\Windows\System\KcjzsXX.exe
  2⤵
  PID:11920
- C:\Windows\System\QpbBQLg.exe
  C:\Windows\System\QpbBQLg.exe
  2⤵
  PID:708
- C:\Windows\System\oPBakuy.exe
  C:\Windows\System\oPBakuy.exe
  2⤵
  PID:3464
- C:\Windows\System\KmRAeej.exe
  C:\Windows\System\KmRAeej.exe
  2⤵
  PID:12208
- C:\Windows\System\WVsUpXt.exe
  C:\Windows\System\WVsUpXt.exe
  2⤵
  PID:12276
- C:\Windows\System\EEVzRSD.exe
  C:\Windows\System\EEVzRSD.exe
  2⤵
  PID:11600
- C:\Windows\System\GFPVneQ.exe
  C:\Windows\System\GFPVneQ.exe
  2⤵
  PID:13216
- C:\Windows\System\ydORmOJ.exe
  C:\Windows\System\ydORmOJ.exe
  2⤵
  PID:13228
- C:\Windows\System\saSVGji.exe
  C:\Windows\System\saSVGji.exe
  2⤵
  PID:13080
- C:\Windows\System\uAXbXki.exe
  C:\Windows\System\uAXbXki.exe
  2⤵
  PID:13164
- C:\Windows\System\DXoLVkk.exe
  C:\Windows\System\DXoLVkk.exe
  2⤵
  PID:13212
- C:\Windows\System\VPCxdzt.exe
  C:\Windows\System\VPCxdzt.exe
  2⤵
  PID:13264
- C:\Windows\System\YyovaYJ.exe
  C:\Windows\System\YyovaYJ.exe
  2⤵
  PID:9184
- C:\Windows\System\vKEkNSw.exe
  C:\Windows\System\vKEkNSw.exe
  2⤵
  PID:3976
- C:\Windows\System\bXgYsaj.exe
  C:\Windows\System\bXgYsaj.exe
  2⤵
  PID:10136
- C:\Windows\System\cBucvts.exe
  C:\Windows\System\cBucvts.exe
  2⤵
  PID:12292
- C:\Windows\System\EvxTaAB.exe
  C:\Windows\System\EvxTaAB.exe
  2⤵
  PID:12496
- C:\Windows\System\RfmzXeh.exe
  C:\Windows\System\RfmzXeh.exe
  2⤵
  PID:12548
- C:\Windows\System\zLBLVjO.exe
  C:\Windows\System\zLBLVjO.exe
  2⤵
  PID:12608
- C:\Windows\System\bjRqXBJ.exe
  C:\Windows\System\bjRqXBJ.exe
  2⤵
  PID:12648
- C:\Windows\System\bFwiIRp.exe
  C:\Windows\System\bFwiIRp.exe
  2⤵
  PID:12688
- C:\Windows\System\qsBtcsV.exe
  C:\Windows\System\qsBtcsV.exe
  2⤵
  PID:12728
- C:\Windows\System\eaTaJSV.exe
  C:\Windows\System\eaTaJSV.exe
  2⤵
  PID:12752
- C:\Windows\System\WfxpHXl.exe
  C:\Windows\System\WfxpHXl.exe
  2⤵
  PID:12868
- C:\Windows\System\dXrBLKk.exe
  C:\Windows\System\dXrBLKk.exe
  2⤵
  PID:12952
- C:\Windows\System\jcJlpez.exe
  C:\Windows\System\jcJlpez.exe
  2⤵
  PID:13024
- C:\Windows\System\CeBayTy.exe
  C:\Windows\System\CeBayTy.exe
  2⤵
  PID:13072
- C:\Windows\System\qrYXtVq.exe
  C:\Windows\System\qrYXtVq.exe
  2⤵
  PID:6468
- C:\Windows\System\iiXEOxq.exe
  C:\Windows\System\iiXEOxq.exe
  2⤵
  PID:10608
- C:\Windows\System\wAsUpqA.exe
  C:\Windows\System\wAsUpqA.exe
  2⤵
  PID:4272
- C:\Windows\System\kdXekwS.exe
  C:\Windows\System\kdXekwS.exe
  2⤵
  PID:13256
- C:\Windows\System\MsCYanx.exe
  C:\Windows\System\MsCYanx.exe
  2⤵
  PID:12748
- C:\Windows\System\dKqUWnI.exe
  C:\Windows\System\dKqUWnI.exe
  2⤵
  PID:12024
- C:\Windows\System\aqjlcZv.exe
  C:\Windows\System\aqjlcZv.exe
  2⤵
  PID:12076
- C:\Windows\System\YHejQFU.exe
  C:\Windows\System\YHejQFU.exe
  2⤵
  PID:3008
- C:\Windows\System\hUcEbbO.exe
  C:\Windows\System\hUcEbbO.exe
  2⤵
  PID:13148
- C:\Windows\System\LBhLHFz.exe
  C:\Windows\System\LBhLHFz.exe
  2⤵
  PID:4056
- C:\Windows\System\fBAHXtE.exe
  C:\Windows\System\fBAHXtE.exe
  2⤵
  PID:11300
- C:\Windows\System\SEotDrR.exe
  C:\Windows\System\SEotDrR.exe
  2⤵
  PID:11276
- C:\Windows\System\fWhLNgO.exe
  C:\Windows\System\fWhLNgO.exe
  2⤵
  PID:8040
- C:\Windows\System\XBBNqqf.exe
  C:\Windows\System\XBBNqqf.exe
  2⤵
  PID:11520
- C:\Windows\System\ryTIvYx.exe
  C:\Windows\System\ryTIvYx.exe
  2⤵
  PID:10236
- C:\Windows\System\hYTYZvi.exe
  C:\Windows\System\hYTYZvi.exe
  2⤵
  PID:11780
- C:\Windows\System\cAGbTPr.exe
  C:\Windows\System\cAGbTPr.exe
  2⤵
  PID:2592
- C:\Windows\System\JgLiQIP.exe
  C:\Windows\System\JgLiQIP.exe
  2⤵
  PID:12376
- C:\Windows\System\gMLpuuU.exe
  C:\Windows\System\gMLpuuU.exe
  2⤵
  PID:12788
- C:\Windows\System\mskUFJG.exe
  C:\Windows\System\mskUFJG.exe
  2⤵
  PID:13288
- C:\Windows\System\eZRxPSg.exe
  C:\Windows\System\eZRxPSg.exe
  2⤵
  PID:9876
- C:\Windows\System\ZTncwZr.exe
  C:\Windows\System\ZTncwZr.exe
  2⤵
  PID:1968
- C:\Windows\System\AyhEHhA.exe
  C:\Windows\System\AyhEHhA.exe
  2⤵
  PID:11348
- C:\Windows\System\RvhzJoU.exe
  C:\Windows\System\RvhzJoU.exe
  2⤵
  PID:11052
- C:\Windows\System\KGNFWHY.exe
  C:\Windows\System\KGNFWHY.exe
  2⤵
  PID:11688
- C:\Windows\System\atcKESv.exe
  C:\Windows\System\atcKESv.exe
  2⤵
  PID:4724
- C:\Windows\System\gODBFvy.exe
  C:\Windows\System\gODBFvy.exe
  2⤵
  PID:13144
- C:\Windows\System\PRtxSVF.exe
  C:\Windows\System\PRtxSVF.exe
  2⤵
  PID:10924
- C:\Windows\System\VHpuLcl.exe
  C:\Windows\System\VHpuLcl.exe
  2⤵
  PID:9092
- C:\Windows\System\AScpaxr.exe
  C:\Windows\System\AScpaxr.exe
  2⤵
  PID:11640
- C:\Windows\System\BOfVuQt.exe
  C:\Windows\System\BOfVuQt.exe
  2⤵
  PID:13064
- C:\Windows\System\yffqzjA.exe
  C:\Windows\System\yffqzjA.exe
  2⤵
  PID:11308
- C:\Windows\System\DIBkCBM.exe
  C:\Windows\System\DIBkCBM.exe
  2⤵
  PID:4676
- C:\Windows\System\yCczGPq.exe
  C:\Windows\System\yCczGPq.exe
  2⤵
  PID:12836
- C:\Windows\System\lxzAbnf.exe
  C:\Windows\System\lxzAbnf.exe
  2⤵
  PID:11060
- C:\Windows\System\UZbAgmG.exe
  C:\Windows\System\UZbAgmG.exe
  2⤵
  PID:11684
- C:\Windows\System\FUiUbQJ.exe
  C:\Windows\System\FUiUbQJ.exe
  2⤵
  PID:4736
- C:\Windows\System\ckwTkIz.exe
  C:\Windows\System\ckwTkIz.exe
  2⤵
  PID:12352
- C:\Windows\System\zLOovbj.exe
  C:\Windows\System\zLOovbj.exe
  2⤵
  PID:10312
- C:\Windows\System\OFZznhj.exe
  C:\Windows\System\OFZznhj.exe
  2⤵
  PID:12404
- C:\Windows\System\lENbzKR.exe
  C:\Windows\System\lENbzKR.exe
  2⤵
  PID:13132
- C:\Windows\System\qEBUYXH.exe
  C:\Windows\System\qEBUYXH.exe
  2⤵
  PID:9612
- C:\Windows\System\zzICFNF.exe
  C:\Windows\System\zzICFNF.exe
  2⤵
  PID:1196
- C:\Windows\System\sWrzXHC.exe
  C:\Windows\System\sWrzXHC.exe
  2⤵
  PID:6368
- C:\Windows\System\yyhKHQm.exe
  C:\Windows\System\yyhKHQm.exe
  2⤵
  PID:11800
- C:\Windows\System\DLUgboO.exe
  C:\Windows\System\DLUgboO.exe
  2⤵
  PID:10860
- C:\Windows\System\wbDNDfK.exe
  C:\Windows\System\wbDNDfK.exe
  2⤵
  PID:4364
- C:\Windows\System\GRZBEai.exe
  C:\Windows\System\GRZBEai.exe
  2⤵
  PID:12980
- C:\Windows\System\aVgMZfi.exe
  C:\Windows\System\aVgMZfi.exe
  2⤵
  PID:12544
- C:\Windows\System\aLbEAYm.exe
  C:\Windows\System\aLbEAYm.exe
  2⤵
  PID:8832
- C:\Windows\System\uSjTreY.exe
  C:\Windows\System\uSjTreY.exe
  2⤵
  PID:13200
- C:\Windows\System\MlEgykd.exe
  C:\Windows\System\MlEgykd.exe
  2⤵
  PID:8488
- C:\Windows\System\RBfVDQu.exe
  C:\Windows\System\RBfVDQu.exe
  2⤵
  PID:12388
- C:\Windows\System\WRuyLBf.exe
  C:\Windows\System\WRuyLBf.exe
  2⤵
  PID:11924
- C:\Windows\System\cgXLFZO.exe
  C:\Windows\System\cgXLFZO.exe
  2⤵
  PID:772
- C:\Windows\System\THMucSP.exe
  C:\Windows\System\THMucSP.exe
  2⤵
  PID:12524
- C:\Windows\System\qzMBugs.exe
  C:\Windows\System\qzMBugs.exe
  2⤵
  PID:668
- C:\Windows\System\gtDNfvg.exe
  C:\Windows\System\gtDNfvg.exe
  2⤵
  PID:10592
- C:\Windows\System\TGulrWw.exe
  C:\Windows\System\TGulrWw.exe
  2⤵
  PID:5256
- C:\Windows\System\uVkbIaw.exe
  C:\Windows\System\uVkbIaw.exe
  2⤵
  PID:412
- C:\Windows\System\iaooUbh.exe
  C:\Windows\System\iaooUbh.exe
  2⤵
  PID:13356
- C:\Windows\System\cjGBdST.exe
  C:\Windows\System\cjGBdST.exe
  2⤵
  PID:13372
- C:\Windows\System\eVnFzrd.exe
  C:\Windows\System\eVnFzrd.exe
  2⤵
  PID:13388
- C:\Windows\System\VhXNdat.exe
  C:\Windows\System\VhXNdat.exe
  2⤵
  PID:13484
- C:\Windows\System\sYtITSC.exe
  C:\Windows\System\sYtITSC.exe
  2⤵
  PID:13500
- C:\Windows\System\UEYGnbc.exe
  C:\Windows\System\UEYGnbc.exe
  2⤵
  PID:13600
- C:\Windows\System\eaOnvUu.exe
  C:\Windows\System\eaOnvUu.exe
  2⤵
  PID:13724
- C:\Windows\System\gTPHSVU.exe
  C:\Windows\System\gTPHSVU.exe
  2⤵
  PID:13720
- C:\Windows\System\gCrGSsM.exe
  C:\Windows\System\gCrGSsM.exe
  2⤵
  PID:13748
- C:\Windows\System\jolNwVi.exe
  C:\Windows\System\jolNwVi.exe
  2⤵
  PID:13768

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 504 -p 12776 -ip 12776
1⤵
PID:11688

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 440 -p 12380 -ip 12380
1⤵
PID:12836

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Modifies data under HKEY_USERS
PID:13700

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:13932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4apf50e.vcp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AITgVyc.exe

Filesize
1.9MB

MD5
fbd1a8672489d34ee66bc04a35213e7c

SHA1
405f6045e1f9b7e66b8e3765c0cc6f7f1410cb9d

SHA256
c8742160a2a41a17727712e4400714458ecf327db992449d9b1feb9c01fca357

SHA512
8400feb93dc68a1f450b4b4488071bd247ddef9522a09fc7eb03289273c7e87fd7eb59394e155df586a1fb1d421870fa33f6e21cc2a17e6104a12c42895684c0

Download Submit
C:\Windows\System\AklKZtx.exe

Filesize
1.9MB

MD5
9e79611794908c803fbaeee32329bc8f

SHA1
1ee993d1fe874820e61577f7bb0e8ea904c1d1f6

SHA256
f54469f234416e3960e5e1e9a6443eb5453e610e7891f7119217ac686d579bb7

SHA512
c1546dc993614e8ccff7295795761a1d1d3cd7efb3a9e8659f427ed9b03b941fc1b93d5ff3688c06c071d7a2bf56ffb52185188eedd2db0d4324efd318029e88

Download Submit
C:\Windows\System\ApNDZim.exe

Filesize
1.9MB

MD5
b5a229dc254e2630d30924560cc2c0af

SHA1
edc743aad6ca914e5175dad56d5f05bde5a4b93a

SHA256
209b0ce0af8b4c676f8db4c8aa5c57c2d128bb4f4a7126566554fb3fff26cae1

SHA512
48343b987297a845b55275a2a91dadeba38f51a7370a64f515433ef1e1bd5fc7e7025ecea251a64d2e78bc5474a585d0a363c5fdab89bdfaffee046302329aff

Download Submit
C:\Windows\System\AvEOOng.exe

Filesize
1.9MB

MD5
0bdf9b9552b349d94d03f9e520fb48cf

SHA1
7b4a774882205fc420d72be845702e1886a924c4

SHA256
13d58f9a332e1285fb6fd20dcdfc3c4833302c805129d6e5d8db9bd2d84bf8be

SHA512
c153322098ab40c53b9a98dab3123459d3f304ef648daf91ede554f162bc2d8077f83e37107d0f48d4fda40e7193fb8431c34c6ae32ad5451c82c6233180cdf3

Download Submit
C:\Windows\System\BtrGtrw.exe

Filesize
1.9MB

MD5
3e382a777d03cc44b247b10da54a550d

SHA1
113be923689eff7af3f956f6a99a239713a3c5aa

SHA256
d490a7ad1e13fee053c47ae2e37fe7d2d520568172d7bb6ae53bd08dbd6e2b29

SHA512
7380abb623139130f5fb52125b0acdf667dcad7098f3416c860b44ce81fca0791bc7bef48a8e98b749de40f6551038ad26272bd48f935cc3f67dd8e90dd25b85

Download Submit
C:\Windows\System\DFgUvBr.exe

Filesize
1.9MB

MD5
f027f70bdf4c26733a4792b53ef3230e

SHA1
1063ed3eb14ce08d053a7e5c0230ed4b2174c8e9

SHA256
d4b7bd1b1c741fb6a098f2325421f406bf36d10354fbadb65b183309e55608e7

SHA512
5990672248b592ed964f023371196193d48246752a0b64169fc603a6ea8124d7daea1d384770307528d0db3e8e34fd739a9ea4635b12cd4c78f0ee0bd6645402

Download Submit
C:\Windows\System\DLFTLtD.exe

Filesize
1.9MB

MD5
552929a07c2b5ec2015a4465b2670da5

SHA1
e0fc4beaf45bf27c43aeed9cdc8ec9d01fe9ddd6

SHA256
d738fdff8e5dc625dbf02d8733797a8d2b2c98ef797aa06c74914878db8bca37

SHA512
0c2fa7b32d34da84dced600d47d9c495a2e5912a549b8b5fc450607b2c325114a8125a66665f3bf8c6d01f89e820963a4d916f3035672549c4335a673b4895cc

Download Submit
C:\Windows\System\FIkpggu.exe

Filesize
1.9MB

MD5
843fad923a8b763f1f1335aefe367f42

SHA1
928187253abcacb78f75cd9137474ea3272a2aca

SHA256
8c1f5570d68dfb828bacbfe309941a4d36516840f977072c80b3fbffa242fddc

SHA512
f952b0b9bcb282c48bd000e8048b011d7dcf0be86fa901ed9af09352883e32e109676815c60460a195748c2b34e7b46d733bf0fead206229b22ac91ef0a7c427

Download Submit
C:\Windows\System\FofQBtt.exe

Filesize
1.9MB

MD5
794b5fcecf3ae0c4a615b1221ae1bb65

SHA1
cc5bdd5270dd08d62e5487613851ed8e488dec39

SHA256
85f823b8737143348b2aa0a2dd3fba0f195085ddf72a9e516b9c0cfde3a5e83a

SHA512
8d845f87e8bfb6bbbf6359c4ed53551c77c651a37ed20f4cf30fc6156fb96d7cd59a53d66694a079b507ac5011af133e2fb323e3bed8d51768b98aa0a2625324

Download Submit
C:\Windows\System\IYuJTMK.exe

Filesize
1.9MB

MD5
f81d50eee5b2089d979ee125b8293365

SHA1
9702ccf3bcc4fad484cf92adbcedd8a33ad3c79e

SHA256
4676a58a7a1587f417f1b9b4fb4cfc26b8ae3bb94e1f6a22a6b9803cc5ef76ef

SHA512
73e417359d3b74db674b8bebf948da5517ad5917d1f4456a1df0c2364d97fa0902dc8b68d6f6c6d32cb1238f95b38a5919b2cb95aa6d1538a73a3ff9b8022d9b

Download Submit
C:\Windows\System\IvihCoe.exe

Filesize
1.9MB

MD5
87ad6b7922e8d63eaff135d97d1513ff

SHA1
2669040e3e7f927fe7b0488caf254b037634f37f

SHA256
26d28ca702623f7f40d60faddcb398809617e514bf2fc6675a7041b91ebc5288

SHA512
409fa28ca58b9a088bfe82858857acaaa7ca430bcc536e891b0b7dd62364d224fdb1e854af769c09959497b301430373e1081c3a227918b25d85558b302410a5

Download Submit
C:\Windows\System\JgeqAcx.exe

Filesize
1.9MB

MD5
8730166804385d41fb971d59cd145ca0

SHA1
99634a4c1e4adf1d4760ec701dae9d742e1ee9a4

SHA256
81005784546379e690ec6d11f80df5c95f5118d61c183743920863f2e2e1792c

SHA512
e37f58e7bc3574424a1f095978ae0107bc9bd9bd6f5fb81fcf47de2f96f68687e5b866bdf374c1fee245b792b026bbe9bed7c3e0db149a99d482a417a11cb3ee

Download Submit
C:\Windows\System\KoOwHNw.exe

Filesize
1.9MB

MD5
21f2c51327376c4f7a2aaf9f0ae8095e

SHA1
ee8ab29b6abe0827dab02832f7c93d2ce1f13799

SHA256
46df8f17b169e74f6efbb16a887402536ddd82f40b73e1642c1d87ba6024fbdd

SHA512
9bf132ab0f9fcea88769d5c02fd2816360ea6520ecc1a0ac4f690435da184df166887e8ff46d505c47c2c5b58de868843df3e94ddb79785571cfbc40e030ff66

Download Submit
C:\Windows\System\LiGdElG.exe

Filesize
1.9MB

MD5
ea3954e30037c841517879f3bed0a7ed

SHA1
5300a4f595ed3791c79e0fb74ae36dba6e524700

SHA256
e3266dce17ee6b819a9530b2adb1e905d0852c49c959d140a034eab7bfa732a4

SHA512
e1eeb2b93ab740d520768c6026025d05947ad508fed2ca02f3cee186097847712a0f851a93fd8a0ea3333b5812ea0a93e3b52abce5e6802b97db60498131b935

Download Submit
C:\Windows\System\PkaJpNA.exe

Filesize
1.9MB

MD5
b066b60336cea1cb421fcc21a58cd9cf

SHA1
df59974acf7e4565d47d7df0412621ef0207551f

SHA256
53138602f74fe184aba788fde437ea87f58da91a966454f9b9535557097ef627

SHA512
6834ec3b960d23f322103baaa223d5d3c41ca466f27fd2b7487d13f84aa5f192b43f2d88001d826e25587c025442e0ac937647783cc4a8baa7e126e27b51ce20

Download Submit
C:\Windows\System\QRzcpqS.exe

Filesize
1.9MB

MD5
cbe02961d9fe8c78fd97dc91a3103d82

SHA1
cc936cbf23ed699807535827088e82aeef362533

SHA256
a1fbde7f571f2ef4718814c4148e35e467196afa83f1a287be3d6c6d702f7bca

SHA512
34342266cab3f235f897a04544c9d59abb0b4b182857db01fc75f8971141d26dfc73a57eaadd519f6ae4c5237d746373e3c5c1448ad76472bc4318ea84243cdc

Download Submit
C:\Windows\System\QVdbVtx.exe

Filesize
1.9MB

MD5
00ea08a25e87ea623bac5d7a97579eb7

SHA1
fe39787a15bb12293bd9fc51b9f14d6230859318

SHA256
7094420a4b595ecca4cfdc4a0a66a64f1de4b1e75a8cd46cc7530bdecfef491f

SHA512
37a0443e2fb0f2e4d56795af85713d557d4aa0551edb3bdbbb8f37e71b2d4fb64f52c9c5655e3c049772c2bc836724853c462355783306196513ec339ce76e9d

Download Submit
C:\Windows\System\RMjKfSN.exe

Filesize
1.9MB

MD5
b0579c3ffa9a47f9c35c13fb8df469b6

SHA1
2e010bc297b4d18ca06e730a1fc695db6b181cc8

SHA256
b0e7d0b37ce6606c6bc9610843cd094286f6d4478e4d98dab247913b39f26396

SHA512
5ac5988950cddd44a4c356c72cae460799b6f921ea6d3d4de0defa3c0b3ad743ecad4e3b25a297ac367d5e6233644154806bd74bc31cf0f04ae5b1b57c9bf153

Download Submit
C:\Windows\System\RRLHOIt.exe

Filesize
1.9MB

MD5
70ce2fd148faa36bfe318b06be958cee

SHA1
27150e4f5dd20585469fa92fa671817aff249a92

SHA256
7e28bce8a9b11b693ca280a3645a4a915befbef41b3296274f5b4c7fc3353d84

SHA512
170017343f2226691127c8e4e7f9bdbc55e9bf6d58dfa0d662848ac8a0584f84dd6079e56b3b948ef4247da4ca7fa9073f121898dd815a637de3552c52ec3191

Download Submit
C:\Windows\System\RTXMoNB.exe

Filesize
1.9MB

MD5
45810712df1857b5413fe8362b840780

SHA1
61bb2ee92be4e9e4bc8962e3e48a1839ce686134

SHA256
d2d665004cf7ef4275b8eab2c384106d7088ea3e3f3951890e2932fb0e83875b

SHA512
63fa5b8c8b8b1cc3e9776bc64b2b19a125267743011c116da9ebe4a2a1ba8dd515584185ffcb553a629e297c03f25e13fd4948ed734709c51b8f6498f72ebeed

Download Submit
C:\Windows\System\SrTyjBL.exe

Filesize
1.9MB

MD5
1591252a4f82cce7b6116ff9649bbf82

SHA1
eb074b8db750ce3241606522abac6b04de33ece0

SHA256
08de9cbad8fdc4cd9240ffb24a18098fad0a378d2fe517b805ba36f283228267

SHA512
72cb43db458972420ed1adda518bc8d8e826d3f0eb74b502344f0c26a098996d4c6724f6faea2c78a1af64a41ba3ba0c5f1b3b850d9936dac049b78c78c95723

Download Submit
C:\Windows\System\XMuStmb.exe

Filesize
1.9MB

MD5
b071275ba9abf79c6a7ffb3a7ff49e19

SHA1
123e020166d798271612c269cff01381d0898619

SHA256
c7d2862d1bb230e6f9409e9a8a4d36ad894164201679d7c0c2b6c572a0187dd2

SHA512
7cc2d4edc032f280c595a15dc0a60a4e40403782c62d5fdecf81f5fa3db5585a5dd9ca4af62ff812c018806da8f67874c3ffe3ef7e6dcedc524e71e3e59beed1

Download Submit
C:\Windows\System\bzomDOx.exe

Filesize
1.9MB

MD5
c9b7380ce1937ba7a6cba35a0689d3f7

SHA1
33911b15893ea6793030cedf6e14481df430cef2

SHA256
7aaee23b0ba5f53fbb47a11400e4260a5c07da6dd96431ba7d4a2a8f9ed65cf4

SHA512
8a0a5ef0acf9062b401652bce96f6dc5ba4ee5fd253e0996c3949aeba6e1a6a9f8ef7b48c1e7758fdcaea007da5fe8a063207a026362ff70ac014ce19fd60c50

Download Submit
C:\Windows\System\dUnkmAw.exe

Filesize
1.9MB

MD5
72c63710d1bafd6841ab7f76c7d0da1d

SHA1
9e2d5901ccaad345d341f82d864b0de3a748583b

SHA256
a62ffea613712173171d8e3b5222fabb825e43b0dbf6a54d075971fe52e8ce80

SHA512
a2964132393cdfb2f4b8fcccd411f5457db9a3414013d63c9544757734c230cc3d9c9026f4c6b6b4b8631d1116e4be03b277c795fa9da553fcdccc1293b7d07c

Download Submit
C:\Windows\System\dlDtMZL.exe

Filesize
1.9MB

MD5
49b6d9d952a9c1f94f72b9a0286c5827

SHA1
c6c81a6696707d96d272b464fb032a85b52e7e4e

SHA256
227cb39c619bb6eb0aab55c8a23b60d88accfa405454079089fcd346ebac4630

SHA512
0d4e643b2f519889bb506395020cb3873e3b171416380197772dddb185611b3663b9eba98c6216b6b3a211850231828471f579f661028979b20641e0d6ec0aac

Download Submit
C:\Windows\System\ehjmqyb.exe

Filesize
1.9MB

MD5
efe7e3cabe31d367e7ef40ae8e70bfc1

SHA1
2ea3cc19f84258a423e4698971f7479d2d77d827

SHA256
e1219ea3d5667c034e532c6f315e2fed298bd164dddd96992d9854a955e0e42c

SHA512
5e79f6375dd1993aa37be41d585b0f30a56583760e52820bf6ea1bcb9391e910ea6d5d2cf930e57de4baa67cb6cd3085daf7d23d16957bbbfbe22256f214eda1

Download Submit
C:\Windows\System\gZsIoOa.exe

Filesize
1.9MB

MD5
d311b7b4429045e287abeca435a685e1

SHA1
332d75276df47bdea9d1a0343a90fed31cc74bdf

SHA256
6131fcc8db7609ba96891afe16461c9c0657d7c2bd477644941a29e7cbd8bdbf

SHA512
ae7a00341739bb3ac644a366878751b9deb408431ef4257cbd57c256df6ef28490aad402927941f091235f540d7d9703d738fdeca62a7304bdd2f7ed9784127f

Download Submit
C:\Windows\System\gvYeQKm.exe

Filesize
1.9MB

MD5
4f4ec539e5504093e6dae3d2d86578c9

SHA1
b8bd07ae9b96176f896c2a0bf0ba7daf79923acd

SHA256
55384dd6615bdd8dcba800db4dfea660c7f9e14e27838d08075e5d0f4bd74e45

SHA512
e6a41144a266097d000f9c65bb011465eda98ba0e13d385c3895b40ce7e80085907f45785e6e144f7456cce264efb0e17cc89e42b913c83f9622a46618a894a3

Download Submit
C:\Windows\System\jPhkgMP.exe

Filesize
1.9MB

MD5
26bf0f7d0db1d557581cdb38d206431e

SHA1
206ef4a02395f9d98c7c67f43bf4291285124636

SHA256
dd99f176204975021b2a329477ceb81b36f93509d4737190d16e0aa988085ec6

SHA512
0e4d0bc4172e37a3322afde6b8d38680d0ea5e6dde5f8cbeecd6e905e0dfa88357d4ec0a3fae19ffc5aa449f109de370bc396379726e59be69d8d18f6641e8f9

Download Submit
C:\Windows\System\kXgqRQq.exe

Filesize
1.9MB

MD5
6761874b6913a7b2e611ae93d7756010

SHA1
1a39629a9cc03b1e03689c3b2ad52d017c0a6a0b

SHA256
48cbed99dc88c9f61c0492327fcaf54224d7993bcb424ccf960aa9851bfdd93e

SHA512
91452f527c34e1d5628bf35a5bbcf27ceff3f18075e705388a5f32afde0e5d63806827a6ab877a2444aef390a8540176c5baeec6dde5faa3a9711bb0198aed3c

Download Submit
C:\Windows\System\kYhDHGf.exe

Filesize
1.9MB

MD5
cb55e158599a25fd85ce42e6f1025a6e

SHA1
3e8660cdcc81960412f6539b32cf124dcd082ec3

SHA256
941c325d3d8afeeecb4aaa22177ad7c2292e1a790259a523e31ea7af83faac13

SHA512
bdf2ddc0922475001760ae9ccfcad58fcc0e0e497de3d8bcaba65eb9511ea02c848dd190cb64907d949d73098ff17ed814c543f019c436d13df7accf7c8bbe29

Download Submit
C:\Windows\System\mYyHXBc.exe

Filesize
8B

MD5
70d32c5686563edbb854aed29ea9d85c

SHA1
bd541445a50c65f1a6670fe5c95bea5d00e91b07

SHA256
7838364f90f7a979e688eff5ec314b7556d64c92bdfbd76fb1ec9602cec23e30

SHA512
23991ce500626bded4e2dc15b31393a89cfbbdda0d797292f12ec97001984de33a442b02e485bb8bd2704c63b7c242ef2cf2fc4fd62f7f428d253fd4da79e7f5

Download Submit
C:\Windows\System\mfOaJUA.exe

Filesize
1.9MB

MD5
2d5f2cad3e6172f92af22a598ec3ff2f

SHA1
3d4508343ab25bead662e0b49d054ef903477c54

SHA256
15030b92f29986c2e40847deb5070597620088358a9ff00d10813459e4e3cc22

SHA512
c26a424232d66cefeb2fdc7e7b5c95b4c33479e0cc7598807be99b467cc9107a870b6dba9232686c954d406821ebbe9b17292290fdded514fe9600933c07203e

Download Submit
C:\Windows\System\nLEbmAb.exe

Filesize
1.9MB

MD5
08023c36b92d139f4dd42bee36ca29cd

SHA1
1a677d80ea4c0cfe6619981ab037abc41de70f31

SHA256
5b54f3e6f455efa161b92a75303e359a0bdee1b075a79dd582c66492f04570b2

SHA512
c4d7c7829a7b94ef75365527caca12edf00a972701c3af6ba896c5c7720e5aeb6eb670ebabff657d6a8b5739515dc6e117cb404946ba318e017891e2464e65d9

Download Submit
C:\Windows\System\pPgZGht.exe

Filesize
1.9MB

MD5
4dfa7c65f3803cc1b1be7baeb90ca44f

SHA1
f868a1ec4fc61284f00d66404a491ffb339a672b

SHA256
25f8f36dc729f027f7ee93b9b6e9547ce53bdede9ee3f0fe0d7871108206b9d9

SHA512
0ba41daed3e9f14bd316f65f93afa2b467188190efeb1eaa975f4bf15a4640ed8623ccc3530eb7d545a8c5d997c5e5a4620711b73cccc8c29acc1d790deacb1e

Download Submit
C:\Windows\System\pbXjSCw.exe

Filesize
1.9MB

MD5
985423406309f84ae51333af30a512e4

SHA1
a5f74bd24e48da63648fcf6e2688f6cdbcc530c6

SHA256
0554619d5c76148311bd982fae8e81f52788fe4bd36d885386ae6ba7b81ac1dc

SHA512
ac03f2c7df061a027fbec81cdfd0c4c3c6c85659663fc0905aaa756c0ef5403f0e43bb735bdaa28b259c091a62bd86048e2e65d96ffbe638f8c367b4fff1d925

Download Submit
C:\Windows\System\qvBnMoB.exe

Filesize
1.9MB

MD5
a8d1dc74cc7b14e61e7c480fdff59767

SHA1
a02b13539880f3e2d665a17826a9a9604daa98dc

SHA256
2ad267bc5fee67f3e4beadf64459658d81729f3e681caf278eae81b1b7101e34

SHA512
1e2d19b3ae56ff228e31f627be8c30dbdf56963743613096c0ddaf09e2112611befb52c3ed5cf12672c67bf3d68fd5434fbcbef6fe3f041fc676b38235cba8e7

Download Submit
C:\Windows\System\sYVknVw.exe

Filesize
1.9MB

MD5
d536043a1049be39523c45f32be06d85

SHA1
2e0caa4f196405e2556dbe9441f7b71a41c0ca5c

SHA256
b541d2ade30232d205f64508892152bbd3ab723f1fcbdf88398ec6a8c67bbf5b

SHA512
a1150506dc4edfd08303bdc444042e8a47f090911e78d93c82e5b208cf06af065fd086e7639ae46a41df14421e329e3c93b1705881c2b56e5705554edea63f58

Download Submit
C:\Windows\System\vHpOMmH.exe

Filesize
1.9MB

MD5
24e40b1b885c576b5bae5cef72b702a8

SHA1
f8db2d9c51657105e289e97e5d982d7aed39f0ee

SHA256
4244a84f42ef233bda207583e100e8b48499cab64cc10657f2b840a1ed4fda20

SHA512
f138bf75cb5284d8af0f60adec6c8c6e04a39f621e2781a16696c8dccb11c3cc5932311bdca97e099a31bc51d1158ce2e35c2705839ba6510869f437d867cb5c

Download Submit
C:\Windows\System\xCoNgeg.exe

Filesize
1.9MB

MD5
caa0aa6ae1b32b106420a0cdd5b1e73e

SHA1
3b08f31521f59ccc76d8ea671be8f741c3b8dbfb

SHA256
9f09c582ba27bddbb5e07c10d0192a04b1588f0a751f3468352f2f8d86f1dd05

SHA512
737ef0ad543b73c0ae8fa678e1d8aa4e857805ae47f4c9b0408e8b5c2b3403ca58b4457af48dbf9b9af25d6de54123be8b430f605e43f540ad7a0196af64d5e4

Download Submit
C:\Windows\System\xCxWnwh.exe

Filesize
1.9MB

MD5
64c0788c0ab1e27dedfd8f9a56c02c71

SHA1
cb1c5304bbd71c84f86f6668446558530b73694e

SHA256
893b42b173bfaad26195b467af11f4805626ca5b4628451675c06c3c44a7edd8

SHA512
00388d27194e1a4a61d71315bbab864dee7c01f0694945e0db330c550ad79383412fdf970f041e1d857fde756971abd4f4ce6386d14b55c94f996d9f36e9cc74

Download Submit
C:\Windows\System\xJoUZhG.exe

Filesize
1.9MB

MD5
6be2b6a1347c21adcbae13c4fd5b2e83

SHA1
6ff761003a87ec9b3df85209213de20fb6a46cd1

SHA256
575ed842c786993e50ee660f29b6ac52cef6eca8dadabb5d48e19467fd95411a

SHA512
956520b1a63a8166a7fdf23beeb0db3428552e7354763a800899dc72dfc6612fdca455496d3e21633078a6550a25e199741f4c9a8288f9fcbdaa6167571918b2

Download Submit
C:\Windows\System\yNZDkuG.exe

Filesize
1.9MB

MD5
7696f34f0ca737184f90389d52a11622

SHA1
b56997826499c92763812ffdf95cc850591321cc

SHA256
2e81b7dedc0c14be3c504e8f2be5122922db35d1d9478592b14be7d9d00b6dcc

SHA512
955ad13fdcb03b66e088894e7ef17fa418edba7adf9f56fd7f40f85c9546e7a6487a9421493d2ea0cb5487f69566714c833d2fc2bd2c4367bba1e5cd50e1e981

Download Submit
C:\Windows\System\zJRsMCh.exe

Filesize
1.9MB

MD5
a0a4a604b4786093f7a6e59b7f7dccb0

SHA1
c189de8d6a714d268d2f683692a85925655357c6

SHA256
63323ec9e8b7bf5dae51af03bc45d5457b7058d5fd2872d3577ef4349e347920

SHA512
61bcc6ad6c61b55326d24aeb3cdf049006dc57c8cfb9f5ff015f66675eb0948000f277cf8e7406ee82d9f6000dc974d36ba83ac07da728c2958569a495da9f80

Download Submit
memory/408-0-0x00007FF67BB30000-0x00007FF67BF22000-memory.dmp

Filesize
3.9MB

Download
memory/408-1-0x00000248AC320000-0x00000248AC330000-memory.dmp

Filesize
64KB

Download
memory/456-3214-0x00007FF6E2A70000-0x00007FF6E2E62000-memory.dmp

Filesize
3.9MB

Download
memory/456-456-0x00007FF6E2A70000-0x00007FF6E2E62000-memory.dmp

Filesize
3.9MB

Download
memory/640-21-0x00007FFE83653000-0x00007FFE83655000-memory.dmp

Filesize
8KB

Download
memory/640-411-0x000001EC3BB30000-0x000001EC3BB52000-memory.dmp

Filesize
136KB

Download
memory/640-335-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

Filesize
10.8MB

Download
memory/640-122-0x00007FFE83650000-0x00007FFE84111000-memory.dmp

Filesize
10.8MB

Download
memory/1020-459-0x00007FF60E370000-0x00007FF60E762000-memory.dmp

Filesize
3.9MB

Download
memory/1020-3203-0x00007FF60E370000-0x00007FF60E762000-memory.dmp

Filesize
3.9MB

Download
memory/1172-458-0x00007FF6827D0000-0x00007FF682BC2000-memory.dmp

Filesize
3.9MB

Download
memory/1172-3194-0x00007FF6827D0000-0x00007FF682BC2000-memory.dmp

Filesize
3.9MB

Download
memory/1180-3177-0x00007FF702130000-0x00007FF702522000-memory.dmp

Filesize
3.9MB

Download
memory/1180-20-0x00007FF702130000-0x00007FF702522000-memory.dmp

Filesize
3.9MB

Download
memory/1856-3212-0x00007FF7AD2B0000-0x00007FF7AD6A2000-memory.dmp

Filesize
3.9MB

Download
memory/1856-462-0x00007FF7AD2B0000-0x00007FF7AD6A2000-memory.dmp

Filesize
3.9MB

Download
memory/2008-383-0x00007FF7064A0000-0x00007FF706892000-memory.dmp

Filesize
3.9MB

Download
memory/2008-3197-0x00007FF7064A0000-0x00007FF706892000-memory.dmp

Filesize
3.9MB

Download
memory/2056-614-0x00007FF7ADA20000-0x00007FF7ADE12000-memory.dmp

Filesize
3.9MB

Download
memory/2056-3179-0x00007FF7ADA20000-0x00007FF7ADE12000-memory.dmp

Filesize
3.9MB

Download
memory/2196-3192-0x00007FF7A8000000-0x00007FF7A83F2000-memory.dmp

Filesize
3.9MB

Download
memory/2196-457-0x00007FF7A8000000-0x00007FF7A83F2000-memory.dmp

Filesize
3.9MB

Download
memory/2396-460-0x00007FF6B8280000-0x00007FF6B8672000-memory.dmp

Filesize
3.9MB

Download
memory/2396-3216-0x00007FF6B8280000-0x00007FF6B8672000-memory.dmp

Filesize
3.9MB

Download
memory/2432-3207-0x00007FF79A200000-0x00007FF79A5F2000-memory.dmp

Filesize
3.9MB

Download
memory/2432-461-0x00007FF79A200000-0x00007FF79A5F2000-memory.dmp

Filesize
3.9MB

Download
memory/2844-3196-0x00007FF643240000-0x00007FF643632000-memory.dmp

Filesize
3.9MB

Download
memory/2844-258-0x00007FF643240000-0x00007FF643632000-memory.dmp

Filesize
3.9MB

Download
memory/2872-463-0x00007FF745ED0000-0x00007FF7462C2000-memory.dmp

Filesize
3.9MB

Download
memory/2872-3219-0x00007FF745ED0000-0x00007FF7462C2000-memory.dmp

Filesize
3.9MB

Download
memory/2916-485-0x00007FF79CAC0000-0x00007FF79CEB2000-memory.dmp

Filesize
3.9MB

Download
memory/2916-3239-0x00007FF79CAC0000-0x00007FF79CEB2000-memory.dmp

Filesize
3.9MB

Download
memory/2988-3187-0x00007FF717060000-0x00007FF717452000-memory.dmp

Filesize
3.9MB

Download
memory/2988-421-0x00007FF717060000-0x00007FF717452000-memory.dmp

Filesize
3.9MB

Download
memory/3048-177-0x00007FF790240000-0x00007FF790632000-memory.dmp

Filesize
3.9MB

Download
memory/3048-3199-0x00007FF790240000-0x00007FF790632000-memory.dmp

Filesize
3.9MB

Download
memory/3852-3209-0x00007FF6E0F20000-0x00007FF6E1312000-memory.dmp

Filesize
3.9MB

Download
memory/3852-455-0x00007FF6E0F20000-0x00007FF6E1312000-memory.dmp

Filesize
3.9MB

Download
memory/4420-464-0x00007FF606790000-0x00007FF606B82000-memory.dmp

Filesize
3.9MB

Download
memory/4420-3251-0x00007FF606790000-0x00007FF606B82000-memory.dmp

Filesize
3.9MB

Download
memory/4536-453-0x00007FF7A90A0000-0x00007FF7A9492000-memory.dmp

Filesize
3.9MB

Download
memory/4536-3183-0x00007FF7A90A0000-0x00007FF7A9492000-memory.dmp

Filesize
3.9MB

Download
memory/4592-3245-0x00007FF6B6AF0000-0x00007FF6B6EE2000-memory.dmp

Filesize
3.9MB

Download
memory/4592-592-0x00007FF6B6AF0000-0x00007FF6B6EE2000-memory.dmp

Filesize
3.9MB

Download
memory/4740-3181-0x00007FF6F6E60000-0x00007FF6F7252000-memory.dmp

Filesize
3.9MB

Download
memory/4740-215-0x00007FF6F6E60000-0x00007FF6F7252000-memory.dmp

Filesize
3.9MB

Download
memory/4832-3190-0x00007FF6BE6C0000-0x00007FF6BEAB2000-memory.dmp

Filesize
3.9MB

Download
memory/4832-452-0x00007FF6BE6C0000-0x00007FF6BEAB2000-memory.dmp

Filesize
3.9MB

Download
memory/4844-676-0x00007FF714330000-0x00007FF714722000-memory.dmp

Filesize
3.9MB

Download
memory/4844-3186-0x00007FF714330000-0x00007FF714722000-memory.dmp

Filesize
3.9MB

Download
memory/4892-596-0x00007FF7E9BA0000-0x00007FF7E9F92000-memory.dmp

Filesize
3.9MB

Download
memory/4892-3253-0x00007FF7E9BA0000-0x00007FF7E9F92000-memory.dmp

Filesize
3.9MB

Download
memory/4912-3205-0x00007FF6D63E0000-0x00007FF6D67D2000-memory.dmp

Filesize
3.9MB

Download
memory/4912-454-0x00007FF6D63E0000-0x00007FF6D67D2000-memory.dmp

Filesize
3.9MB

Download