xmrig | deea3d65d35797d90c5ebbfe31eccb78bc932c7b34673641725e471549180150

Analysis

max time kernel
92s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
Size

1.9MB
MD5

df936cc84bbbc6e94b146e3aed199140
SHA1

475ea8e74a9f63046e4bc93c6a48658f84c8c1cd
SHA256

deea3d65d35797d90c5ebbfe31eccb78bc932c7b34673641725e471549180150
SHA512

d5f7e08eaaa9c90b8fc3405acbd2d81d92ea46a7d154414c4b1dfaa71c1a6a0ee7bda9af6d0beb39fcac7d4150e37cf62adc3a56065cb9602c4c906808487b89
SSDEEP

24576:JanwhSe11QSONCpGJCjETPlWXWZ5Pbcq92zMWfmDzrmXYVCY+li7Sa60kRoZzpN7:knw9oUUEEDl37jcq4QXDT6hEdPIit9ks

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3352-14-0x00007FF627290000-0x00007FF627681000-memory.dmp	xmrig
behavioral2/memory/3956-488-0x00007FF759170000-0x00007FF759561000-memory.dmp	xmrig
behavioral2/memory/1580-23-0x00007FF735FF0000-0x00007FF7363E1000-memory.dmp	xmrig
behavioral2/memory/2896-489-0x00007FF72A940000-0x00007FF72AD31000-memory.dmp	xmrig
behavioral2/memory/3544-490-0x00007FF7DAD70000-0x00007FF7DB161000-memory.dmp	xmrig
behavioral2/memory/2880-491-0x00007FF679E90000-0x00007FF67A281000-memory.dmp	xmrig
behavioral2/memory/2836-492-0x00007FF6CF8D0000-0x00007FF6CFCC1000-memory.dmp	xmrig
behavioral2/memory/1076-493-0x00007FF676D30000-0x00007FF677121000-memory.dmp	xmrig
behavioral2/memory/2424-494-0x00007FF755F70000-0x00007FF756361000-memory.dmp	xmrig
behavioral2/memory/4956-504-0x00007FF77B4D0000-0x00007FF77B8C1000-memory.dmp	xmrig
behavioral2/memory/2120-501-0x00007FF66ECC0000-0x00007FF66F0B1000-memory.dmp	xmrig
behavioral2/memory/3820-509-0x00007FF7F0400000-0x00007FF7F07F1000-memory.dmp	xmrig
behavioral2/memory/3156-506-0x00007FF6AC380000-0x00007FF6AC771000-memory.dmp	xmrig
behavioral2/memory/2900-515-0x00007FF739D80000-0x00007FF73A171000-memory.dmp	xmrig
behavioral2/memory/4884-520-0x00007FF724410000-0x00007FF724801000-memory.dmp	xmrig
behavioral2/memory/4844-524-0x00007FF746A20000-0x00007FF746E11000-memory.dmp	xmrig
behavioral2/memory/2284-521-0x00007FF7ABB60000-0x00007FF7ABF51000-memory.dmp	xmrig
behavioral2/memory/4996-528-0x00007FF76DE20000-0x00007FF76E211000-memory.dmp	xmrig
behavioral2/memory/3492-540-0x00007FF7DFA10000-0x00007FF7DFE01000-memory.dmp	xmrig
behavioral2/memory/4828-543-0x00007FF615620000-0x00007FF615A11000-memory.dmp	xmrig
behavioral2/memory/4768-547-0x00007FF68BF50000-0x00007FF68C341000-memory.dmp	xmrig
behavioral2/memory/64-560-0x00007FF73CFC0000-0x00007FF73D3B1000-memory.dmp	xmrig
behavioral2/memory/4764-554-0x00007FF7244D0000-0x00007FF7248C1000-memory.dmp	xmrig
behavioral2/memory/1412-1982-0x00007FF77B270000-0x00007FF77B661000-memory.dmp	xmrig
behavioral2/memory/3352-1984-0x00007FF627290000-0x00007FF627681000-memory.dmp	xmrig
behavioral2/memory/3956-1989-0x00007FF759170000-0x00007FF759561000-memory.dmp	xmrig
behavioral2/memory/1580-1994-0x00007FF735FF0000-0x00007FF7363E1000-memory.dmp	xmrig
behavioral2/memory/2880-1996-0x00007FF679E90000-0x00007FF67A281000-memory.dmp	xmrig
behavioral2/memory/2896-1992-0x00007FF72A940000-0x00007FF72AD31000-memory.dmp	xmrig
behavioral2/memory/3544-1991-0x00007FF7DAD70000-0x00007FF7DB161000-memory.dmp	xmrig
behavioral2/memory/64-1987-0x00007FF73CFC0000-0x00007FF73D3B1000-memory.dmp	xmrig
behavioral2/memory/1076-1998-0x00007FF676D30000-0x00007FF677121000-memory.dmp	xmrig
behavioral2/memory/2424-2002-0x00007FF755F70000-0x00007FF756361000-memory.dmp	xmrig
behavioral2/memory/2120-2006-0x00007FF66ECC0000-0x00007FF66F0B1000-memory.dmp	xmrig
behavioral2/memory/3820-2010-0x00007FF7F0400000-0x00007FF7F07F1000-memory.dmp	xmrig
behavioral2/memory/3156-2008-0x00007FF6AC380000-0x00007FF6AC771000-memory.dmp	xmrig
behavioral2/memory/4956-2004-0x00007FF77B4D0000-0x00007FF77B8C1000-memory.dmp	xmrig
behavioral2/memory/2836-2000-0x00007FF6CF8D0000-0x00007FF6CFCC1000-memory.dmp	xmrig
behavioral2/memory/3492-2012-0x00007FF7DFA10000-0x00007FF7DFE01000-memory.dmp	xmrig
behavioral2/memory/2284-2029-0x00007FF7ABB60000-0x00007FF7ABF51000-memory.dmp	xmrig
behavioral2/memory/4828-2022-0x00007FF615620000-0x00007FF615A11000-memory.dmp	xmrig
behavioral2/memory/4768-2021-0x00007FF68BF50000-0x00007FF68C341000-memory.dmp	xmrig
behavioral2/memory/4764-2019-0x00007FF7244D0000-0x00007FF7248C1000-memory.dmp	xmrig
behavioral2/memory/4884-2031-0x00007FF724410000-0x00007FF724801000-memory.dmp	xmrig
behavioral2/memory/4844-2027-0x00007FF746A20000-0x00007FF746E11000-memory.dmp	xmrig
behavioral2/memory/4996-2024-0x00007FF76DE20000-0x00007FF76E211000-memory.dmp	xmrig
behavioral2/memory/2900-2017-0x00007FF739D80000-0x00007FF73A171000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1412	ixvfFzi.exe
3352	jhYdyNT.exe
1580	bUVCGNF.exe
3956	cerLsWu.exe
64	TkfecVk.exe
2896	kUBYHxF.exe
3544	PyvhNhY.exe
2880	MtwYtmz.exe
2836	IKAjPmb.exe
1076	XkQjJbX.exe
2424	NTvAWHH.exe
2120	fjPqVth.exe
4956	ibetkRT.exe
3156	QwrrRLA.exe
3820	OUwzSzE.exe
2900	PMeRhvQ.exe
4884	WoVahDr.exe
2284	ABMjfJW.exe
4844	eUraguH.exe
4996	UmeCpOc.exe
3492	JNJfRWj.exe
4828	ycyPPUb.exe
4768	cUuDpAm.exe
4764	xAxchsK.exe
3008	enDpUFn.exe
2256	BcfmnaG.exe
2248	UlxoWVE.exe
1004	zpktakz.exe
5056	TErDbmT.exe
2212	uydxMIC.exe
2660	OQdEnPc.exe
3836	cCrNrdq.exe
2720	JBCkOPH.exe
1608	LWclDDU.exe
4340	XogNWGX.exe
4544	lgHiWnN.exe
3508	hZxiHaD.exe
3608	QUawYAE.exe
4924	jcFOXFR.exe
4784	zmFkEuR.exe
872	fIqAXxl.exe
764	qABmpkj.exe
1708	jGKwwcq.exe
4436	ZbrACqH.exe
4708	vugdOXH.exe
4312	mFVzqZO.exe
2528	RGCnBth.exe
2892	uLTsXHb.exe
2148	cYpehRK.exe
4380	fxyrPhY.exe
3656	OzKWUHD.exe
3564	sVXMfXS.exe
1084	zcciZMw.exe
4900	JYkaTmU.exe
3560	qnLkFIA.exe
1816	rlsoTeB.exe
5088	hnVEoWs.exe
4516	kakkrQU.exe
2532	mmHrQzc.exe
4584	DIZNXSo.exe
4860	iWPXEPo.exe
640	ugKETVg.exe
1900	PawzJUL.exe
4676	wDknqMz.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/432-0-0x00007FF671FC0000-0x00007FF6723B1000-memory.dmp	upx
behavioral2/files/0x00080000000233f3-4.dat	upx
behavioral2/memory/1412-7-0x00007FF77B270000-0x00007FF77B661000-memory.dmp	upx
behavioral2/files/0x00070000000233f4-11.dat	upx
behavioral2/memory/3352-14-0x00007FF627290000-0x00007FF627681000-memory.dmp	upx
behavioral2/files/0x00070000000233f5-16.dat	upx
behavioral2/files/0x00070000000233f6-21.dat	upx
behavioral2/files/0x00070000000233f7-29.dat	upx
behavioral2/files/0x00070000000233f8-34.dat	upx
behavioral2/files/0x00070000000233f9-39.dat	upx
behavioral2/files/0x00070000000233fa-44.dat	upx
behavioral2/files/0x00070000000233fd-59.dat	upx
behavioral2/files/0x00070000000233fe-64.dat	upx
behavioral2/files/0x00070000000233ff-69.dat	upx
behavioral2/files/0x0007000000023401-79.dat	upx
behavioral2/files/0x0007000000023402-84.dat	upx
behavioral2/files/0x0007000000023403-89.dat	upx
behavioral2/files/0x0007000000023404-94.dat	upx
behavioral2/files/0x0007000000023406-102.dat	upx
behavioral2/files/0x0007000000023407-109.dat	upx
behavioral2/files/0x000700000002340c-134.dat	upx
behavioral2/files/0x000700000002340f-149.dat	upx
behavioral2/files/0x0007000000023412-162.dat	upx
behavioral2/memory/3956-488-0x00007FF759170000-0x00007FF759561000-memory.dmp	upx
behavioral2/files/0x0007000000023411-159.dat	upx
behavioral2/files/0x0007000000023410-154.dat	upx
behavioral2/files/0x000700000002340e-144.dat	upx
behavioral2/files/0x000700000002340d-139.dat	upx
behavioral2/files/0x000700000002340b-129.dat	upx
behavioral2/files/0x000700000002340a-125.dat	upx
behavioral2/files/0x0007000000023409-119.dat	upx
behavioral2/files/0x0007000000023408-114.dat	upx
behavioral2/files/0x0007000000023405-99.dat	upx
behavioral2/files/0x0007000000023400-75.dat	upx
behavioral2/files/0x00070000000233fc-54.dat	upx
behavioral2/files/0x00070000000233fb-49.dat	upx
behavioral2/memory/1580-23-0x00007FF735FF0000-0x00007FF7363E1000-memory.dmp	upx
behavioral2/memory/2896-489-0x00007FF72A940000-0x00007FF72AD31000-memory.dmp	upx
behavioral2/memory/3544-490-0x00007FF7DAD70000-0x00007FF7DB161000-memory.dmp	upx
behavioral2/memory/2880-491-0x00007FF679E90000-0x00007FF67A281000-memory.dmp	upx
behavioral2/memory/2836-492-0x00007FF6CF8D0000-0x00007FF6CFCC1000-memory.dmp	upx
behavioral2/memory/1076-493-0x00007FF676D30000-0x00007FF677121000-memory.dmp	upx
behavioral2/memory/2424-494-0x00007FF755F70000-0x00007FF756361000-memory.dmp	upx
behavioral2/memory/4956-504-0x00007FF77B4D0000-0x00007FF77B8C1000-memory.dmp	upx
behavioral2/memory/2120-501-0x00007FF66ECC0000-0x00007FF66F0B1000-memory.dmp	upx
behavioral2/memory/3820-509-0x00007FF7F0400000-0x00007FF7F07F1000-memory.dmp	upx
behavioral2/memory/3156-506-0x00007FF6AC380000-0x00007FF6AC771000-memory.dmp	upx
behavioral2/memory/2900-515-0x00007FF739D80000-0x00007FF73A171000-memory.dmp	upx
behavioral2/memory/4884-520-0x00007FF724410000-0x00007FF724801000-memory.dmp	upx
behavioral2/memory/4844-524-0x00007FF746A20000-0x00007FF746E11000-memory.dmp	upx
behavioral2/memory/2284-521-0x00007FF7ABB60000-0x00007FF7ABF51000-memory.dmp	upx
behavioral2/memory/4996-528-0x00007FF76DE20000-0x00007FF76E211000-memory.dmp	upx
behavioral2/memory/3492-540-0x00007FF7DFA10000-0x00007FF7DFE01000-memory.dmp	upx
behavioral2/memory/4828-543-0x00007FF615620000-0x00007FF615A11000-memory.dmp	upx
behavioral2/memory/4768-547-0x00007FF68BF50000-0x00007FF68C341000-memory.dmp	upx
behavioral2/memory/64-560-0x00007FF73CFC0000-0x00007FF73D3B1000-memory.dmp	upx
behavioral2/memory/4764-554-0x00007FF7244D0000-0x00007FF7248C1000-memory.dmp	upx
behavioral2/memory/1412-1982-0x00007FF77B270000-0x00007FF77B661000-memory.dmp	upx
behavioral2/memory/3352-1984-0x00007FF627290000-0x00007FF627681000-memory.dmp	upx
behavioral2/memory/3956-1989-0x00007FF759170000-0x00007FF759561000-memory.dmp	upx
behavioral2/memory/1580-1994-0x00007FF735FF0000-0x00007FF7363E1000-memory.dmp	upx
behavioral2/memory/2880-1996-0x00007FF679E90000-0x00007FF67A281000-memory.dmp	upx
behavioral2/memory/2896-1992-0x00007FF72A940000-0x00007FF72AD31000-memory.dmp	upx
behavioral2/memory/3544-1991-0x00007FF7DAD70000-0x00007FF7DB161000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\BpXniGG.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\ItFAsAz.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\mgHCiIB.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\xDbPsCp.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\PDXrtid.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\rwhXaFx.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\JsVArwp.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\CmkgpOT.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\sscgBMS.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\FsyVJjB.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\cZPBdRz.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\xdhbWfo.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\hoEwtrx.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\vKHtSKF.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\rmVfsWI.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\yJKKdPm.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\lMGrpdz.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\EfjgYwN.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\WHnPXyg.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\ksKiqaH.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\CUDwanP.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\rdnBYzR.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\SgHmijH.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\iCTXldq.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\NnYCGcR.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\ykOJKVH.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\fjBwdhv.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\bjOrZxk.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\UqGEFOd.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\ZDkikAV.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\fnHkXxu.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\BFxzMMW.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\oRKKqoW.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\KEqRQLI.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\BzGwdGK.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\LfgoVBq.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\MgblyTM.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\zqiYiGc.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\ZLaWbAv.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\oWJRDHd.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\KfaDgAh.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\aldUhEv.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\MtMynkS.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\UlxoWVE.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\MrluyAG.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\MlXMHXd.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\zBgpVre.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\ibetkRT.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\fIqAXxl.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\WimzKrH.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\oRbUMxv.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\xrOvFRd.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\enDpUFn.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\pctqKvc.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\mLHZOcC.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\sIDbQfZ.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\eeAnQjE.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\ugKETVg.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\RPHLtgZ.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\SzPraai.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\vtNBdMA.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\vnZPliS.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\qzzZTlz.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
File created	C:\Windows\System32\fMeSKDC.exe	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
13200	WerFaultSecure.exe
13200	WerFaultSecure.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1412	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	84
PID 432 wrote to memory of 1412	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	84
PID 432 wrote to memory of 3352	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	85
PID 432 wrote to memory of 3352	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	85
PID 432 wrote to memory of 1580	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	86
PID 432 wrote to memory of 1580	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	86
PID 432 wrote to memory of 3956	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	87
PID 432 wrote to memory of 3956	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	87
PID 432 wrote to memory of 64	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	88
PID 432 wrote to memory of 64	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	88
PID 432 wrote to memory of 2896	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	89
PID 432 wrote to memory of 2896	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	89
PID 432 wrote to memory of 3544	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	90
PID 432 wrote to memory of 3544	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	90
PID 432 wrote to memory of 2880	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	91
PID 432 wrote to memory of 2880	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	91
PID 432 wrote to memory of 2836	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	92
PID 432 wrote to memory of 2836	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	92
PID 432 wrote to memory of 1076	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	93
PID 432 wrote to memory of 1076	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	93
PID 432 wrote to memory of 2424	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	94
PID 432 wrote to memory of 2424	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	94
PID 432 wrote to memory of 2120	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	95
PID 432 wrote to memory of 2120	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	95
PID 432 wrote to memory of 4956	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	96
PID 432 wrote to memory of 4956	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	96
PID 432 wrote to memory of 3156	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	97
PID 432 wrote to memory of 3156	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	97
PID 432 wrote to memory of 3820	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	98
PID 432 wrote to memory of 3820	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	98
PID 432 wrote to memory of 2900	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	99
PID 432 wrote to memory of 2900	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	99
PID 432 wrote to memory of 4884	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	100
PID 432 wrote to memory of 4884	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	100
PID 432 wrote to memory of 2284	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	101
PID 432 wrote to memory of 2284	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	101
PID 432 wrote to memory of 4844	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	102
PID 432 wrote to memory of 4844	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	102
PID 432 wrote to memory of 4996	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	103
PID 432 wrote to memory of 4996	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	103
PID 432 wrote to memory of 3492	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	104
PID 432 wrote to memory of 3492	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	104
PID 432 wrote to memory of 4828	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	105
PID 432 wrote to memory of 4828	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	105
PID 432 wrote to memory of 4768	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	106
PID 432 wrote to memory of 4768	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	106
PID 432 wrote to memory of 4764	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	107
PID 432 wrote to memory of 4764	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	107
PID 432 wrote to memory of 3008	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	108
PID 432 wrote to memory of 3008	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	108
PID 432 wrote to memory of 2256	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	109
PID 432 wrote to memory of 2256	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	109
PID 432 wrote to memory of 2248	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	110
PID 432 wrote to memory of 2248	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	110
PID 432 wrote to memory of 1004	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	111
PID 432 wrote to memory of 1004	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	111
PID 432 wrote to memory of 5056	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	112
PID 432 wrote to memory of 5056	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	112
PID 432 wrote to memory of 2212	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	113
PID 432 wrote to memory of 2212	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	113
PID 432 wrote to memory of 2660	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	114
PID 432 wrote to memory of 2660	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	114
PID 432 wrote to memory of 3836	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	115
PID 432 wrote to memory of 3836	432	df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\df936cc84bbbc6e94b146e3aed199140_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\System32\ixvfFzi.exe
  C:\Windows\System32\ixvfFzi.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System32\jhYdyNT.exe
  C:\Windows\System32\jhYdyNT.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System32\bUVCGNF.exe
  C:\Windows\System32\bUVCGNF.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System32\cerLsWu.exe
  C:\Windows\System32\cerLsWu.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System32\TkfecVk.exe
  C:\Windows\System32\TkfecVk.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System32\kUBYHxF.exe
  C:\Windows\System32\kUBYHxF.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System32\PyvhNhY.exe
  C:\Windows\System32\PyvhNhY.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System32\MtwYtmz.exe
  C:\Windows\System32\MtwYtmz.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System32\IKAjPmb.exe
  C:\Windows\System32\IKAjPmb.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System32\XkQjJbX.exe
  C:\Windows\System32\XkQjJbX.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\NTvAWHH.exe
  C:\Windows\System32\NTvAWHH.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System32\fjPqVth.exe
  C:\Windows\System32\fjPqVth.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System32\ibetkRT.exe
  C:\Windows\System32\ibetkRT.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\QwrrRLA.exe
  C:\Windows\System32\QwrrRLA.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\OUwzSzE.exe
  C:\Windows\System32\OUwzSzE.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System32\PMeRhvQ.exe
  C:\Windows\System32\PMeRhvQ.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System32\WoVahDr.exe
  C:\Windows\System32\WoVahDr.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System32\ABMjfJW.exe
  C:\Windows\System32\ABMjfJW.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System32\eUraguH.exe
  C:\Windows\System32\eUraguH.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System32\UmeCpOc.exe
  C:\Windows\System32\UmeCpOc.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System32\JNJfRWj.exe
  C:\Windows\System32\JNJfRWj.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System32\ycyPPUb.exe
  C:\Windows\System32\ycyPPUb.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\cUuDpAm.exe
  C:\Windows\System32\cUuDpAm.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System32\xAxchsK.exe
  C:\Windows\System32\xAxchsK.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System32\enDpUFn.exe
  C:\Windows\System32\enDpUFn.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System32\BcfmnaG.exe
  C:\Windows\System32\BcfmnaG.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System32\UlxoWVE.exe
  C:\Windows\System32\UlxoWVE.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System32\zpktakz.exe
  C:\Windows\System32\zpktakz.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System32\TErDbmT.exe
  C:\Windows\System32\TErDbmT.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System32\uydxMIC.exe
  C:\Windows\System32\uydxMIC.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System32\OQdEnPc.exe
  C:\Windows\System32\OQdEnPc.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System32\cCrNrdq.exe
  C:\Windows\System32\cCrNrdq.exe
  2⤵
  - Executes dropped EXE
  PID:3836
- C:\Windows\System32\JBCkOPH.exe
  C:\Windows\System32\JBCkOPH.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System32\LWclDDU.exe
  C:\Windows\System32\LWclDDU.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System32\XogNWGX.exe
  C:\Windows\System32\XogNWGX.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System32\lgHiWnN.exe
  C:\Windows\System32\lgHiWnN.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System32\hZxiHaD.exe
  C:\Windows\System32\hZxiHaD.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System32\QUawYAE.exe
  C:\Windows\System32\QUawYAE.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System32\jcFOXFR.exe
  C:\Windows\System32\jcFOXFR.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System32\zmFkEuR.exe
  C:\Windows\System32\zmFkEuR.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System32\fIqAXxl.exe
  C:\Windows\System32\fIqAXxl.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System32\qABmpkj.exe
  C:\Windows\System32\qABmpkj.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System32\jGKwwcq.exe
  C:\Windows\System32\jGKwwcq.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System32\ZbrACqH.exe
  C:\Windows\System32\ZbrACqH.exe
  2⤵
  - Executes dropped EXE
  PID:4436
- C:\Windows\System32\vugdOXH.exe
  C:\Windows\System32\vugdOXH.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System32\mFVzqZO.exe
  C:\Windows\System32\mFVzqZO.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System32\RGCnBth.exe
  C:\Windows\System32\RGCnBth.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System32\uLTsXHb.exe
  C:\Windows\System32\uLTsXHb.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\cYpehRK.exe
  C:\Windows\System32\cYpehRK.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System32\fxyrPhY.exe
  C:\Windows\System32\fxyrPhY.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System32\OzKWUHD.exe
  C:\Windows\System32\OzKWUHD.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System32\sVXMfXS.exe
  C:\Windows\System32\sVXMfXS.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System32\zcciZMw.exe
  C:\Windows\System32\zcciZMw.exe
  2⤵
  - Executes dropped EXE
  PID:1084
- C:\Windows\System32\JYkaTmU.exe
  C:\Windows\System32\JYkaTmU.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System32\qnLkFIA.exe
  C:\Windows\System32\qnLkFIA.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\rlsoTeB.exe
  C:\Windows\System32\rlsoTeB.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System32\hnVEoWs.exe
  C:\Windows\System32\hnVEoWs.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System32\kakkrQU.exe
  C:\Windows\System32\kakkrQU.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System32\mmHrQzc.exe
  C:\Windows\System32\mmHrQzc.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\DIZNXSo.exe
  C:\Windows\System32\DIZNXSo.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System32\iWPXEPo.exe
  C:\Windows\System32\iWPXEPo.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System32\ugKETVg.exe
  C:\Windows\System32\ugKETVg.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System32\PawzJUL.exe
  C:\Windows\System32\PawzJUL.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\wDknqMz.exe
  C:\Windows\System32\wDknqMz.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\OaXQPGh.exe
  C:\Windows\System32\OaXQPGh.exe
  2⤵
  PID:2980
- C:\Windows\System32\eiaCwjo.exe
  C:\Windows\System32\eiaCwjo.exe
  2⤵
  PID:1692
- C:\Windows\System32\FmJFkQR.exe
  C:\Windows\System32\FmJFkQR.exe
  2⤵
  PID:4984
- C:\Windows\System32\QmcwMni.exe
  C:\Windows\System32\QmcwMni.exe
  2⤵
  PID:1884
- C:\Windows\System32\snJmkCz.exe
  C:\Windows\System32\snJmkCz.exe
  2⤵
  PID:684
- C:\Windows\System32\rmVfsWI.exe
  C:\Windows\System32\rmVfsWI.exe
  2⤵
  PID:1848
- C:\Windows\System32\YyYGzrj.exe
  C:\Windows\System32\YyYGzrj.exe
  2⤵
  PID:692
- C:\Windows\System32\gVJEsRv.exe
  C:\Windows\System32\gVJEsRv.exe
  2⤵
  PID:4944
- C:\Windows\System32\WwGWYkL.exe
  C:\Windows\System32\WwGWYkL.exe
  2⤵
  PID:1424
- C:\Windows\System32\xNaoqDz.exe
  C:\Windows\System32\xNaoqDz.exe
  2⤵
  PID:2512
- C:\Windows\System32\fsppUKf.exe
  C:\Windows\System32\fsppUKf.exe
  2⤵
  PID:1588
- C:\Windows\System32\LfgoVBq.exe
  C:\Windows\System32\LfgoVBq.exe
  2⤵
  PID:3984
- C:\Windows\System32\GBxSkHm.exe
  C:\Windows\System32\GBxSkHm.exe
  2⤵
  PID:2028
- C:\Windows\System32\dlNTsrH.exe
  C:\Windows\System32\dlNTsrH.exe
  2⤵
  PID:1472
- C:\Windows\System32\IbdZhoR.exe
  C:\Windows\System32\IbdZhoR.exe
  2⤵
  PID:4972
- C:\Windows\System32\NtbdCnu.exe
  C:\Windows\System32\NtbdCnu.exe
  2⤵
  PID:3972
- C:\Windows\System32\xeAHSxV.exe
  C:\Windows\System32\xeAHSxV.exe
  2⤵
  PID:4124
- C:\Windows\System32\DSBrFFW.exe
  C:\Windows\System32\DSBrFFW.exe
  2⤵
  PID:1788
- C:\Windows\System32\iwJSoHI.exe
  C:\Windows\System32\iwJSoHI.exe
  2⤵
  PID:4156
- C:\Windows\System32\tmYMWpZ.exe
  C:\Windows\System32\tmYMWpZ.exe
  2⤵
  PID:5140
- C:\Windows\System32\QEBskwx.exe
  C:\Windows\System32\QEBskwx.exe
  2⤵
  PID:5168
- C:\Windows\System32\MnxiAyZ.exe
  C:\Windows\System32\MnxiAyZ.exe
  2⤵
  PID:5196
- C:\Windows\System32\iAfOQEl.exe
  C:\Windows\System32\iAfOQEl.exe
  2⤵
  PID:5224
- C:\Windows\System32\AABKYGO.exe
  C:\Windows\System32\AABKYGO.exe
  2⤵
  PID:5252
- C:\Windows\System32\lfQmdNH.exe
  C:\Windows\System32\lfQmdNH.exe
  2⤵
  PID:5280
- C:\Windows\System32\ACCCRmu.exe
  C:\Windows\System32\ACCCRmu.exe
  2⤵
  PID:5308
- C:\Windows\System32\MgblyTM.exe
  C:\Windows\System32\MgblyTM.exe
  2⤵
  PID:5336
- C:\Windows\System32\LBwsfFs.exe
  C:\Windows\System32\LBwsfFs.exe
  2⤵
  PID:5364
- C:\Windows\System32\HpkGGrV.exe
  C:\Windows\System32\HpkGGrV.exe
  2⤵
  PID:5392
- C:\Windows\System32\nuCmQhI.exe
  C:\Windows\System32\nuCmQhI.exe
  2⤵
  PID:5420
- C:\Windows\System32\TlFluII.exe
  C:\Windows\System32\TlFluII.exe
  2⤵
  PID:5448
- C:\Windows\System32\FLKizDa.exe
  C:\Windows\System32\FLKizDa.exe
  2⤵
  PID:5476
- C:\Windows\System32\RrhUyAi.exe
  C:\Windows\System32\RrhUyAi.exe
  2⤵
  PID:5504
- C:\Windows\System32\xNypIte.exe
  C:\Windows\System32\xNypIte.exe
  2⤵
  PID:5532
- C:\Windows\System32\rwhXaFx.exe
  C:\Windows\System32\rwhXaFx.exe
  2⤵
  PID:5560
- C:\Windows\System32\pVXFUGF.exe
  C:\Windows\System32\pVXFUGF.exe
  2⤵
  PID:5588
- C:\Windows\System32\lstmfsG.exe
  C:\Windows\System32\lstmfsG.exe
  2⤵
  PID:5616
- C:\Windows\System32\IciVznn.exe
  C:\Windows\System32\IciVznn.exe
  2⤵
  PID:5644
- C:\Windows\System32\rMzIBIi.exe
  C:\Windows\System32\rMzIBIi.exe
  2⤵
  PID:5672
- C:\Windows\System32\RZSvuNy.exe
  C:\Windows\System32\RZSvuNy.exe
  2⤵
  PID:5700
- C:\Windows\System32\ItFAsAz.exe
  C:\Windows\System32\ItFAsAz.exe
  2⤵
  PID:5728
- C:\Windows\System32\ciiQzue.exe
  C:\Windows\System32\ciiQzue.exe
  2⤵
  PID:5756
- C:\Windows\System32\JYiHGQh.exe
  C:\Windows\System32\JYiHGQh.exe
  2⤵
  PID:5784
- C:\Windows\System32\DTtGien.exe
  C:\Windows\System32\DTtGien.exe
  2⤵
  PID:5812
- C:\Windows\System32\IuTJAhb.exe
  C:\Windows\System32\IuTJAhb.exe
  2⤵
  PID:5840
- C:\Windows\System32\iCTXldq.exe
  C:\Windows\System32\iCTXldq.exe
  2⤵
  PID:5868
- C:\Windows\System32\YbDbRAG.exe
  C:\Windows\System32\YbDbRAG.exe
  2⤵
  PID:5896
- C:\Windows\System32\MZPhRJQ.exe
  C:\Windows\System32\MZPhRJQ.exe
  2⤵
  PID:5924
- C:\Windows\System32\QkeGBLI.exe
  C:\Windows\System32\QkeGBLI.exe
  2⤵
  PID:5952
- C:\Windows\System32\wxEuwNx.exe
  C:\Windows\System32\wxEuwNx.exe
  2⤵
  PID:5980
- C:\Windows\System32\QWIdiKG.exe
  C:\Windows\System32\QWIdiKG.exe
  2⤵
  PID:6008
- C:\Windows\System32\SHMtWZT.exe
  C:\Windows\System32\SHMtWZT.exe
  2⤵
  PID:6036
- C:\Windows\System32\evWUlYp.exe
  C:\Windows\System32\evWUlYp.exe
  2⤵
  PID:6064
- C:\Windows\System32\ARunqmi.exe
  C:\Windows\System32\ARunqmi.exe
  2⤵
  PID:6092
- C:\Windows\System32\yiBDXBR.exe
  C:\Windows\System32\yiBDXBR.exe
  2⤵
  PID:6120
- C:\Windows\System32\ZLNRFDm.exe
  C:\Windows\System32\ZLNRFDm.exe
  2⤵
  PID:768
- C:\Windows\System32\iXwdVie.exe
  C:\Windows\System32\iXwdVie.exe
  2⤵
  PID:1204
- C:\Windows\System32\vwxluGz.exe
  C:\Windows\System32\vwxluGz.exe
  2⤵
  PID:1628
- C:\Windows\System32\htbxYbw.exe
  C:\Windows\System32\htbxYbw.exe
  2⤵
  PID:4440
- C:\Windows\System32\KjiAzYr.exe
  C:\Windows\System32\KjiAzYr.exe
  2⤵
  PID:4308
- C:\Windows\System32\IqNBOsX.exe
  C:\Windows\System32\IqNBOsX.exe
  2⤵
  PID:5184
- C:\Windows\System32\ecMNWHN.exe
  C:\Windows\System32\ecMNWHN.exe
  2⤵
  PID:5232
- C:\Windows\System32\lRrqmsT.exe
  C:\Windows\System32\lRrqmsT.exe
  2⤵
  PID:5300
- C:\Windows\System32\sxpiHnT.exe
  C:\Windows\System32\sxpiHnT.exe
  2⤵
  PID:3940
- C:\Windows\System32\LeFqhhx.exe
  C:\Windows\System32\LeFqhhx.exe
  2⤵
  PID:5436
- C:\Windows\System32\ygNBggz.exe
  C:\Windows\System32\ygNBggz.exe
  2⤵
  PID:5484
- C:\Windows\System32\HeCavrX.exe
  C:\Windows\System32\HeCavrX.exe
  2⤵
  PID:5540
- C:\Windows\System32\VhMNvJu.exe
  C:\Windows\System32\VhMNvJu.exe
  2⤵
  PID:5596
- C:\Windows\System32\ADXfRPt.exe
  C:\Windows\System32\ADXfRPt.exe
  2⤵
  PID:5660
- C:\Windows\System32\IewiRAs.exe
  C:\Windows\System32\IewiRAs.exe
  2⤵
  PID:5720
- C:\Windows\System32\bSIAYfu.exe
  C:\Windows\System32\bSIAYfu.exe
  2⤵
  PID:5772
- C:\Windows\System32\bGnxEMm.exe
  C:\Windows\System32\bGnxEMm.exe
  2⤵
  PID:5804
- C:\Windows\System32\GFXBcIz.exe
  C:\Windows\System32\GFXBcIz.exe
  2⤵
  PID:5848
- C:\Windows\System32\HHZmkrZ.exe
  C:\Windows\System32\HHZmkrZ.exe
  2⤵
  PID:5904
- C:\Windows\System32\JDMhovu.exe
  C:\Windows\System32\JDMhovu.exe
  2⤵
  PID:5972
- C:\Windows\System32\ITjOMKI.exe
  C:\Windows\System32\ITjOMKI.exe
  2⤵
  PID:6028
- C:\Windows\System32\ZrIidFT.exe
  C:\Windows\System32\ZrIidFT.exe
  2⤵
  PID:3524
- C:\Windows\System32\rFxLOoa.exe
  C:\Windows\System32\rFxLOoa.exe
  2⤵
  PID:2656
- C:\Windows\System32\EBBmnNn.exe
  C:\Windows\System32\EBBmnNn.exe
  2⤵
  PID:5272
- C:\Windows\System32\qcVLhWz.exe
  C:\Windows\System32\qcVLhWz.exe
  2⤵
  PID:5344
- C:\Windows\System32\yglhMFs.exe
  C:\Windows\System32\yglhMFs.exe
  2⤵
  PID:3784
- C:\Windows\System32\ytTQhhV.exe
  C:\Windows\System32\ytTQhhV.exe
  2⤵
  PID:5652
- C:\Windows\System32\iefrGWV.exe
  C:\Windows\System32\iefrGWV.exe
  2⤵
  PID:5692
- C:\Windows\System32\QNgvfZe.exe
  C:\Windows\System32\QNgvfZe.exe
  2⤵
  PID:2696
- C:\Windows\System32\vnZPliS.exe
  C:\Windows\System32\vnZPliS.exe
  2⤵
  PID:5108
- C:\Windows\System32\dWHdBsw.exe
  C:\Windows\System32\dWHdBsw.exe
  2⤵
  PID:3964
- C:\Windows\System32\VeyAnpY.exe
  C:\Windows\System32\VeyAnpY.exe
  2⤵
  PID:5968
- C:\Windows\System32\MeGWFzE.exe
  C:\Windows\System32\MeGWFzE.exe
  2⤵
  PID:3012
- C:\Windows\System32\FXMKrxn.exe
  C:\Windows\System32\FXMKrxn.exe
  2⤵
  PID:1948
- C:\Windows\System32\nllgtqR.exe
  C:\Windows\System32\nllgtqR.exe
  2⤵
  PID:4144
- C:\Windows\System32\DcLUDBj.exe
  C:\Windows\System32\DcLUDBj.exe
  2⤵
  PID:2692
- C:\Windows\System32\AHXzLLS.exe
  C:\Windows\System32\AHXzLLS.exe
  2⤵
  PID:5148
- C:\Windows\System32\uQXcMIK.exe
  C:\Windows\System32\uQXcMIK.exe
  2⤵
  PID:5456
- C:\Windows\System32\axWqHrf.exe
  C:\Windows\System32\axWqHrf.exe
  2⤵
  PID:5748
- C:\Windows\System32\KVPvsGs.exe
  C:\Windows\System32\KVPvsGs.exe
  2⤵
  PID:5988
- C:\Windows\System32\yJKKdPm.exe
  C:\Windows\System32\yJKKdPm.exe
  2⤵
  PID:2676
- C:\Windows\System32\cdzLSKm.exe
  C:\Windows\System32\cdzLSKm.exe
  2⤵
  PID:5944
- C:\Windows\System32\NaZrzVT.exe
  C:\Windows\System32\NaZrzVT.exe
  2⤵
  PID:2524
- C:\Windows\System32\aiGnwTA.exe
  C:\Windows\System32\aiGnwTA.exe
  2⤵
  PID:4080
- C:\Windows\System32\UqGEFOd.exe
  C:\Windows\System32\UqGEFOd.exe
  2⤵
  PID:3208
- C:\Windows\System32\VZqVNOv.exe
  C:\Windows\System32\VZqVNOv.exe
  2⤵
  PID:6164
- C:\Windows\System32\qCMWxoL.exe
  C:\Windows\System32\qCMWxoL.exe
  2⤵
  PID:6196
- C:\Windows\System32\FrgaKkb.exe
  C:\Windows\System32\FrgaKkb.exe
  2⤵
  PID:6260
- C:\Windows\System32\OYtAVXG.exe
  C:\Windows\System32\OYtAVXG.exe
  2⤵
  PID:6280
- C:\Windows\System32\neDTAEJ.exe
  C:\Windows\System32\neDTAEJ.exe
  2⤵
  PID:6304
- C:\Windows\System32\ugQjeDD.exe
  C:\Windows\System32\ugQjeDD.exe
  2⤵
  PID:6324
- C:\Windows\System32\PLQDDfb.exe
  C:\Windows\System32\PLQDDfb.exe
  2⤵
  PID:6348
- C:\Windows\System32\jCVUpkH.exe
  C:\Windows\System32\jCVUpkH.exe
  2⤵
  PID:6372
- C:\Windows\System32\NbuQEbx.exe
  C:\Windows\System32\NbuQEbx.exe
  2⤵
  PID:6404
- C:\Windows\System32\vWIrbLc.exe
  C:\Windows\System32\vWIrbLc.exe
  2⤵
  PID:6428
- C:\Windows\System32\wOOGJIP.exe
  C:\Windows\System32\wOOGJIP.exe
  2⤵
  PID:6452
- C:\Windows\System32\twnAdRg.exe
  C:\Windows\System32\twnAdRg.exe
  2⤵
  PID:6484
- C:\Windows\System32\pHmJsxr.exe
  C:\Windows\System32\pHmJsxr.exe
  2⤵
  PID:6504
- C:\Windows\System32\RGybrMC.exe
  C:\Windows\System32\RGybrMC.exe
  2⤵
  PID:6528
- C:\Windows\System32\hSmhrmQ.exe
  C:\Windows\System32\hSmhrmQ.exe
  2⤵
  PID:6568
- C:\Windows\System32\mLjelHd.exe
  C:\Windows\System32\mLjelHd.exe
  2⤵
  PID:6620
- C:\Windows\System32\VHsgyAh.exe
  C:\Windows\System32\VHsgyAh.exe
  2⤵
  PID:6640
- C:\Windows\System32\NVLcwry.exe
  C:\Windows\System32\NVLcwry.exe
  2⤵
  PID:6672
- C:\Windows\System32\wESiumy.exe
  C:\Windows\System32\wESiumy.exe
  2⤵
  PID:6688
- C:\Windows\System32\mbeggwx.exe
  C:\Windows\System32\mbeggwx.exe
  2⤵
  PID:6712
- C:\Windows\System32\hmtRWrJ.exe
  C:\Windows\System32\hmtRWrJ.exe
  2⤵
  PID:6760
- C:\Windows\System32\tArwvzh.exe
  C:\Windows\System32\tArwvzh.exe
  2⤵
  PID:6784
- C:\Windows\System32\sShKatn.exe
  C:\Windows\System32\sShKatn.exe
  2⤵
  PID:6800
- C:\Windows\System32\aRLPTHA.exe
  C:\Windows\System32\aRLPTHA.exe
  2⤵
  PID:6816
- C:\Windows\System32\NnYCGcR.exe
  C:\Windows\System32\NnYCGcR.exe
  2⤵
  PID:6868
- C:\Windows\System32\znxiNFH.exe
  C:\Windows\System32\znxiNFH.exe
  2⤵
  PID:6884
- C:\Windows\System32\NSlqSgs.exe
  C:\Windows\System32\NSlqSgs.exe
  2⤵
  PID:6916
- C:\Windows\System32\pnYXuFe.exe
  C:\Windows\System32\pnYXuFe.exe
  2⤵
  PID:6932
- C:\Windows\System32\mVWsGuS.exe
  C:\Windows\System32\mVWsGuS.exe
  2⤵
  PID:6952
- C:\Windows\System32\MkYfdgF.exe
  C:\Windows\System32\MkYfdgF.exe
  2⤵
  PID:6972
- C:\Windows\System32\EeQNIFM.exe
  C:\Windows\System32\EeQNIFM.exe
  2⤵
  PID:7016
- C:\Windows\System32\ggWKCMC.exe
  C:\Windows\System32\ggWKCMC.exe
  2⤵
  PID:7044
- C:\Windows\System32\ElKrgiC.exe
  C:\Windows\System32\ElKrgiC.exe
  2⤵
  PID:7072
- C:\Windows\System32\THZFhzI.exe
  C:\Windows\System32\THZFhzI.exe
  2⤵
  PID:7092
- C:\Windows\System32\oRKKqoW.exe
  C:\Windows\System32\oRKKqoW.exe
  2⤵
  PID:7132
- C:\Windows\System32\ykOJKVH.exe
  C:\Windows\System32\ykOJKVH.exe
  2⤵
  PID:7156
- C:\Windows\System32\bhClAcT.exe
  C:\Windows\System32\bhClAcT.exe
  2⤵
  PID:5104
- C:\Windows\System32\YKJKRmJ.exe
  C:\Windows\System32\YKJKRmJ.exe
  2⤵
  PID:3596
- C:\Windows\System32\HqUPdHj.exe
  C:\Windows\System32\HqUPdHj.exe
  2⤵
  PID:4236
- C:\Windows\System32\PJVIzQT.exe
  C:\Windows\System32\PJVIzQT.exe
  2⤵
  PID:6252
- C:\Windows\System32\AvLXjeu.exe
  C:\Windows\System32\AvLXjeu.exe
  2⤵
  PID:6292
- C:\Windows\System32\rlvPwGN.exe
  C:\Windows\System32\rlvPwGN.exe
  2⤵
  PID:6316
- C:\Windows\System32\RPHLtgZ.exe
  C:\Windows\System32\RPHLtgZ.exe
  2⤵
  PID:6412
- C:\Windows\System32\sscgBMS.exe
  C:\Windows\System32\sscgBMS.exe
  2⤵
  PID:6492
- C:\Windows\System32\lVMfBaX.exe
  C:\Windows\System32\lVMfBaX.exe
  2⤵
  PID:6600
- C:\Windows\System32\xcasfrb.exe
  C:\Windows\System32\xcasfrb.exe
  2⤵
  PID:6648
- C:\Windows\System32\lMGrpdz.exe
  C:\Windows\System32\lMGrpdz.exe
  2⤵
  PID:6736
- C:\Windows\System32\gkbqYDo.exe
  C:\Windows\System32\gkbqYDo.exe
  2⤵
  PID:6824
- C:\Windows\System32\WYaAIYp.exe
  C:\Windows\System32\WYaAIYp.exe
  2⤵
  PID:6808
- C:\Windows\System32\KgvQlzr.exe
  C:\Windows\System32\KgvQlzr.exe
  2⤵
  PID:6880
- C:\Windows\System32\aQQTlTE.exe
  C:\Windows\System32\aQQTlTE.exe
  2⤵
  PID:6944
- C:\Windows\System32\DEgQPHx.exe
  C:\Windows\System32\DEgQPHx.exe
  2⤵
  PID:7088
- C:\Windows\System32\Hlfbofk.exe
  C:\Windows\System32\Hlfbofk.exe
  2⤵
  PID:7108
- C:\Windows\System32\NOxIfhW.exe
  C:\Windows\System32\NOxIfhW.exe
  2⤵
  PID:5156
- C:\Windows\System32\FgSSZBV.exe
  C:\Windows\System32\FgSSZBV.exe
  2⤵
  PID:5400
- C:\Windows\System32\soVunXp.exe
  C:\Windows\System32\soVunXp.exe
  2⤵
  PID:4292
- C:\Windows\System32\JsVArwp.exe
  C:\Windows\System32\JsVArwp.exe
  2⤵
  PID:6556
- C:\Windows\System32\aoozOCP.exe
  C:\Windows\System32\aoozOCP.exe
  2⤵
  PID:6628
- C:\Windows\System32\GsoMqph.exe
  C:\Windows\System32\GsoMqph.exe
  2⤵
  PID:6596
- C:\Windows\System32\SgiwhnY.exe
  C:\Windows\System32\SgiwhnY.exe
  2⤵
  PID:6912
- C:\Windows\System32\rijHlRX.exe
  C:\Windows\System32\rijHlRX.exe
  2⤵
  PID:7028
- C:\Windows\System32\OMBwPUW.exe
  C:\Windows\System32\OMBwPUW.exe
  2⤵
  PID:5524
- C:\Windows\System32\WdMxgwb.exe
  C:\Windows\System32\WdMxgwb.exe
  2⤵
  PID:6392
- C:\Windows\System32\LCnuZgO.exe
  C:\Windows\System32\LCnuZgO.exe
  2⤵
  PID:6744
- C:\Windows\System32\BTfGFTb.exe
  C:\Windows\System32\BTfGFTb.exe
  2⤵
  PID:6336
- C:\Windows\System32\dsQnPps.exe
  C:\Windows\System32\dsQnPps.exe
  2⤵
  PID:7176
- C:\Windows\System32\oeooXGt.exe
  C:\Windows\System32\oeooXGt.exe
  2⤵
  PID:7208
- C:\Windows\System32\TRXOanw.exe
  C:\Windows\System32\TRXOanw.exe
  2⤵
  PID:7236
- C:\Windows\System32\PtnDotc.exe
  C:\Windows\System32\PtnDotc.exe
  2⤵
  PID:7260
- C:\Windows\System32\HQGsTEr.exe
  C:\Windows\System32\HQGsTEr.exe
  2⤵
  PID:7324
- C:\Windows\System32\EYBWJBI.exe
  C:\Windows\System32\EYBWJBI.exe
  2⤵
  PID:7352
- C:\Windows\System32\hwkmwro.exe
  C:\Windows\System32\hwkmwro.exe
  2⤵
  PID:7368
- C:\Windows\System32\eZKMNvS.exe
  C:\Windows\System32\eZKMNvS.exe
  2⤵
  PID:7424
- C:\Windows\System32\SCAHIJm.exe
  C:\Windows\System32\SCAHIJm.exe
  2⤵
  PID:7444
- C:\Windows\System32\ylkqVFm.exe
  C:\Windows\System32\ylkqVFm.exe
  2⤵
  PID:7460
- C:\Windows\System32\egEWCZn.exe
  C:\Windows\System32\egEWCZn.exe
  2⤵
  PID:7512
- C:\Windows\System32\ZOJdTNb.exe
  C:\Windows\System32\ZOJdTNb.exe
  2⤵
  PID:7528
- C:\Windows\System32\SEJWESl.exe
  C:\Windows\System32\SEJWESl.exe
  2⤵
  PID:7552
- C:\Windows\System32\uzpsdQc.exe
  C:\Windows\System32\uzpsdQc.exe
  2⤵
  PID:7572
- C:\Windows\System32\njafMrr.exe
  C:\Windows\System32\njafMrr.exe
  2⤵
  PID:7588
- C:\Windows\System32\XAMnSuM.exe
  C:\Windows\System32\XAMnSuM.exe
  2⤵
  PID:7608
- C:\Windows\System32\AtipylF.exe
  C:\Windows\System32\AtipylF.exe
  2⤵
  PID:7648
- C:\Windows\System32\sptEghR.exe
  C:\Windows\System32\sptEghR.exe
  2⤵
  PID:7664
- C:\Windows\System32\TdwGpYQ.exe
  C:\Windows\System32\TdwGpYQ.exe
  2⤵
  PID:7692
- C:\Windows\System32\GMJefeI.exe
  C:\Windows\System32\GMJefeI.exe
  2⤵
  PID:7716
- C:\Windows\System32\XOdVVPS.exe
  C:\Windows\System32\XOdVVPS.exe
  2⤵
  PID:7740
- C:\Windows\System32\GjfYRjk.exe
  C:\Windows\System32\GjfYRjk.exe
  2⤵
  PID:7788
- C:\Windows\System32\FtlWbPp.exe
  C:\Windows\System32\FtlWbPp.exe
  2⤵
  PID:7820
- C:\Windows\System32\GWjpcvG.exe
  C:\Windows\System32\GWjpcvG.exe
  2⤵
  PID:7836
- C:\Windows\System32\CtgDAlJ.exe
  C:\Windows\System32\CtgDAlJ.exe
  2⤵
  PID:7860
- C:\Windows\System32\CHZKJiJ.exe
  C:\Windows\System32\CHZKJiJ.exe
  2⤵
  PID:7892
- C:\Windows\System32\BjqSXqP.exe
  C:\Windows\System32\BjqSXqP.exe
  2⤵
  PID:7908
- C:\Windows\System32\vTmyHIL.exe
  C:\Windows\System32\vTmyHIL.exe
  2⤵
  PID:7976
- C:\Windows\System32\zkMqouG.exe
  C:\Windows\System32\zkMqouG.exe
  2⤵
  PID:8024
- C:\Windows\System32\WHnPXyg.exe
  C:\Windows\System32\WHnPXyg.exe
  2⤵
  PID:8040
- C:\Windows\System32\hhbjYsg.exe
  C:\Windows\System32\hhbjYsg.exe
  2⤵
  PID:8064
- C:\Windows\System32\vfRBBQV.exe
  C:\Windows\System32\vfRBBQV.exe
  2⤵
  PID:8096
- C:\Windows\System32\jSRIBXB.exe
  C:\Windows\System32\jSRIBXB.exe
  2⤵
  PID:8116
- C:\Windows\System32\SzPraai.exe
  C:\Windows\System32\SzPraai.exe
  2⤵
  PID:8136
- C:\Windows\System32\pAFrGGn.exe
  C:\Windows\System32\pAFrGGn.exe
  2⤵
  PID:8160
- C:\Windows\System32\bQHZbql.exe
  C:\Windows\System32\bQHZbql.exe
  2⤵
  PID:8180
- C:\Windows\System32\xTpFCEp.exe
  C:\Windows\System32\xTpFCEp.exe
  2⤵
  PID:6448
- C:\Windows\System32\ULsikfK.exe
  C:\Windows\System32\ULsikfK.exe
  2⤵
  PID:7216
- C:\Windows\System32\MrluyAG.exe
  C:\Windows\System32\MrluyAG.exe
  2⤵
  PID:7276
- C:\Windows\System32\vXsqTeA.exe
  C:\Windows\System32\vXsqTeA.exe
  2⤵
  PID:7348
- C:\Windows\System32\MwgPptJ.exe
  C:\Windows\System32\MwgPptJ.exe
  2⤵
  PID:7396
- C:\Windows\System32\fzcFqQz.exe
  C:\Windows\System32\fzcFqQz.exe
  2⤵
  PID:7496
- C:\Windows\System32\ZZrKzdQ.exe
  C:\Windows\System32\ZZrKzdQ.exe
  2⤵
  PID:7536
- C:\Windows\System32\RtCVmsQ.exe
  C:\Windows\System32\RtCVmsQ.exe
  2⤵
  PID:7580
- C:\Windows\System32\PFFrWZb.exe
  C:\Windows\System32\PFFrWZb.exe
  2⤵
  PID:7596
- C:\Windows\System32\YwVhKap.exe
  C:\Windows\System32\YwVhKap.exe
  2⤵
  PID:7656
- C:\Windows\System32\GpwRUJO.exe
  C:\Windows\System32\GpwRUJO.exe
  2⤵
  PID:7808
- C:\Windows\System32\odUwUoP.exe
  C:\Windows\System32\odUwUoP.exe
  2⤵
  PID:7940
- C:\Windows\System32\SdOPoMf.exe
  C:\Windows\System32\SdOPoMf.exe
  2⤵
  PID:4316
- C:\Windows\System32\pctqKvc.exe
  C:\Windows\System32\pctqKvc.exe
  2⤵
  PID:8060
- C:\Windows\System32\psmxrat.exe
  C:\Windows\System32\psmxrat.exe
  2⤵
  PID:8132
- C:\Windows\System32\PnQTkuJ.exe
  C:\Windows\System32\PnQTkuJ.exe
  2⤵
  PID:8176
- C:\Windows\System32\fMeSKDC.exe
  C:\Windows\System32\fMeSKDC.exe
  2⤵
  PID:8172
- C:\Windows\System32\bWTdiwW.exe
  C:\Windows\System32\bWTdiwW.exe
  2⤵
  PID:7292
- C:\Windows\System32\lVtOzoM.exe
  C:\Windows\System32\lVtOzoM.exe
  2⤵
  PID:7480
- C:\Windows\System32\Ppdefjr.exe
  C:\Windows\System32\Ppdefjr.exe
  2⤵
  PID:2680
- C:\Windows\System32\khxsYSY.exe
  C:\Windows\System32\khxsYSY.exe
  2⤵
  PID:7624
- C:\Windows\System32\MzweTGf.exe
  C:\Windows\System32\MzweTGf.exe
  2⤵
  PID:7964
- C:\Windows\System32\RkkQvyk.exe
  C:\Windows\System32\RkkQvyk.exe
  2⤵
  PID:612
- C:\Windows\System32\BFWHMWQ.exe
  C:\Windows\System32\BFWHMWQ.exe
  2⤵
  PID:8128
- C:\Windows\System32\ifROgXA.exe
  C:\Windows\System32\ifROgXA.exe
  2⤵
  PID:7564
- C:\Windows\System32\gZnqxBI.exe
  C:\Windows\System32\gZnqxBI.exe
  2⤵
  PID:7672
- C:\Windows\System32\dJQGuDk.exe
  C:\Windows\System32\dJQGuDk.exe
  2⤵
  PID:8144
- C:\Windows\System32\oWJRDHd.exe
  C:\Windows\System32\oWJRDHd.exe
  2⤵
  PID:7752
- C:\Windows\System32\uQglxEN.exe
  C:\Windows\System32\uQglxEN.exe
  2⤵
  PID:8072
- C:\Windows\System32\lzaFghU.exe
  C:\Windows\System32\lzaFghU.exe
  2⤵
  PID:7828
- C:\Windows\System32\EfjgYwN.exe
  C:\Windows\System32\EfjgYwN.exe
  2⤵
  PID:8220
- C:\Windows\System32\FsmOznQ.exe
  C:\Windows\System32\FsmOznQ.exe
  2⤵
  PID:8244
- C:\Windows\System32\EJwkKTq.exe
  C:\Windows\System32\EJwkKTq.exe
  2⤵
  PID:8264
- C:\Windows\System32\Sdcbluv.exe
  C:\Windows\System32\Sdcbluv.exe
  2⤵
  PID:8316
- C:\Windows\System32\giqYajt.exe
  C:\Windows\System32\giqYajt.exe
  2⤵
  PID:8352
- C:\Windows\System32\rBbOgzJ.exe
  C:\Windows\System32\rBbOgzJ.exe
  2⤵
  PID:8388
- C:\Windows\System32\SMLTuxE.exe
  C:\Windows\System32\SMLTuxE.exe
  2⤵
  PID:8404
- C:\Windows\System32\ZDkikAV.exe
  C:\Windows\System32\ZDkikAV.exe
  2⤵
  PID:8432
- C:\Windows\System32\vtNBdMA.exe
  C:\Windows\System32\vtNBdMA.exe
  2⤵
  PID:8452
- C:\Windows\System32\awPNSpQ.exe
  C:\Windows\System32\awPNSpQ.exe
  2⤵
  PID:8472
- C:\Windows\System32\eHhfioD.exe
  C:\Windows\System32\eHhfioD.exe
  2⤵
  PID:8508
- C:\Windows\System32\jGRhxRW.exe
  C:\Windows\System32\jGRhxRW.exe
  2⤵
  PID:8536
- C:\Windows\System32\WqawyUe.exe
  C:\Windows\System32\WqawyUe.exe
  2⤵
  PID:8556
- C:\Windows\System32\lKobuId.exe
  C:\Windows\System32\lKobuId.exe
  2⤵
  PID:8584
- C:\Windows\System32\ozdbXEe.exe
  C:\Windows\System32\ozdbXEe.exe
  2⤵
  PID:8636
- C:\Windows\System32\FBLztBr.exe
  C:\Windows\System32\FBLztBr.exe
  2⤵
  PID:8660
- C:\Windows\System32\jzDRwfk.exe
  C:\Windows\System32\jzDRwfk.exe
  2⤵
  PID:8680
- C:\Windows\System32\hGonXhQ.exe
  C:\Windows\System32\hGonXhQ.exe
  2⤵
  PID:8700
- C:\Windows\System32\hoEwtrx.exe
  C:\Windows\System32\hoEwtrx.exe
  2⤵
  PID:8732
- C:\Windows\System32\sOmQPEv.exe
  C:\Windows\System32\sOmQPEv.exe
  2⤵
  PID:8752
- C:\Windows\System32\cRzhCUb.exe
  C:\Windows\System32\cRzhCUb.exe
  2⤵
  PID:8776
- C:\Windows\System32\mBzmoyR.exe
  C:\Windows\System32\mBzmoyR.exe
  2⤵
  PID:8796
- C:\Windows\System32\zqiYiGc.exe
  C:\Windows\System32\zqiYiGc.exe
  2⤵
  PID:8812
- C:\Windows\System32\NzkdkBb.exe
  C:\Windows\System32\NzkdkBb.exe
  2⤵
  PID:8836
- C:\Windows\System32\szmzZHv.exe
  C:\Windows\System32\szmzZHv.exe
  2⤵
  PID:8856
- C:\Windows\System32\tlYgHXo.exe
  C:\Windows\System32\tlYgHXo.exe
  2⤵
  PID:8880
- C:\Windows\System32\ZuRMgFp.exe
  C:\Windows\System32\ZuRMgFp.exe
  2⤵
  PID:8908
- C:\Windows\System32\OeaajSS.exe
  C:\Windows\System32\OeaajSS.exe
  2⤵
  PID:8956
- C:\Windows\System32\rmyMGFi.exe
  C:\Windows\System32\rmyMGFi.exe
  2⤵
  PID:8984
- C:\Windows\System32\iyVRfaX.exe
  C:\Windows\System32\iyVRfaX.exe
  2⤵
  PID:9036
- C:\Windows\System32\IsoUEFP.exe
  C:\Windows\System32\IsoUEFP.exe
  2⤵
  PID:9060
- C:\Windows\System32\eQaijdf.exe
  C:\Windows\System32\eQaijdf.exe
  2⤵
  PID:9084
- C:\Windows\System32\HEZbTBB.exe
  C:\Windows\System32\HEZbTBB.exe
  2⤵
  PID:9112
- C:\Windows\System32\zuPMLFX.exe
  C:\Windows\System32\zuPMLFX.exe
  2⤵
  PID:9152
- C:\Windows\System32\uwyquNS.exe
  C:\Windows\System32\uwyquNS.exe
  2⤵
  PID:9176
- C:\Windows\System32\ZJpQcCJ.exe
  C:\Windows\System32\ZJpQcCJ.exe
  2⤵
  PID:8200
- C:\Windows\System32\uUYsAIe.exe
  C:\Windows\System32\uUYsAIe.exe
  2⤵
  PID:8324
- C:\Windows\System32\RxxIhCx.exe
  C:\Windows\System32\RxxIhCx.exe
  2⤵
  PID:8396
- C:\Windows\System32\gyonmBO.exe
  C:\Windows\System32\gyonmBO.exe
  2⤵
  PID:8468
- C:\Windows\System32\UXnDPFq.exe
  C:\Windows\System32\UXnDPFq.exe
  2⤵
  PID:8488
- C:\Windows\System32\JnCPvVU.exe
  C:\Windows\System32\JnCPvVU.exe
  2⤵
  PID:8668
- C:\Windows\System32\TdfvukI.exe
  C:\Windows\System32\TdfvukI.exe
  2⤵
  PID:8728
- C:\Windows\System32\xXMrjOm.exe
  C:\Windows\System32\xXMrjOm.exe
  2⤵
  PID:8744
- C:\Windows\System32\PtilhrR.exe
  C:\Windows\System32\PtilhrR.exe
  2⤵
  PID:8820
- C:\Windows\System32\aiEwIMh.exe
  C:\Windows\System32\aiEwIMh.exe
  2⤵
  PID:8848
- C:\Windows\System32\KMqxhzz.exe
  C:\Windows\System32\KMqxhzz.exe
  2⤵
  PID:8852
- C:\Windows\System32\PxXXQdw.exe
  C:\Windows\System32\PxXXQdw.exe
  2⤵
  PID:8992
- C:\Windows\System32\hUYhcTh.exe
  C:\Windows\System32\hUYhcTh.exe
  2⤵
  PID:9000
- C:\Windows\System32\UxhvVRv.exe
  C:\Windows\System32\UxhvVRv.exe
  2⤵
  PID:9080
- C:\Windows\System32\csYgASv.exe
  C:\Windows\System32\csYgASv.exe
  2⤵
  PID:9096
- C:\Windows\System32\RKnyvYl.exe
  C:\Windows\System32\RKnyvYl.exe
  2⤵
  PID:9168
- C:\Windows\System32\VuYyIbd.exe
  C:\Windows\System32\VuYyIbd.exe
  2⤵
  PID:8208
- C:\Windows\System32\bQftumE.exe
  C:\Windows\System32\bQftumE.exe
  2⤵
  PID:8448
- C:\Windows\System32\dvJaRJX.exe
  C:\Windows\System32\dvJaRJX.exe
  2⤵
  PID:8520
- C:\Windows\System32\IGkyqkB.exe
  C:\Windows\System32\IGkyqkB.exe
  2⤵
  PID:8748
- C:\Windows\System32\IsmQcfW.exe
  C:\Windows\System32\IsmQcfW.exe
  2⤵
  PID:8424
- C:\Windows\System32\ZplWuMD.exe
  C:\Windows\System32\ZplWuMD.exe
  2⤵
  PID:9148
- C:\Windows\System32\wMfPyfC.exe
  C:\Windows\System32\wMfPyfC.exe
  2⤵
  PID:7416
- C:\Windows\System32\KfaDgAh.exe
  C:\Windows\System32\KfaDgAh.exe
  2⤵
  PID:8568
- C:\Windows\System32\XiaUUdv.exe
  C:\Windows\System32\XiaUUdv.exe
  2⤵
  PID:8720
- C:\Windows\System32\gAydGaS.exe
  C:\Windows\System32\gAydGaS.exe
  2⤵
  PID:9068
- C:\Windows\System32\DaXaKKS.exe
  C:\Windows\System32\DaXaKKS.exe
  2⤵
  PID:9008
- C:\Windows\System32\ZIKOqIT.exe
  C:\Windows\System32\ZIKOqIT.exe
  2⤵
  PID:884
- C:\Windows\System32\UwHYIMT.exe
  C:\Windows\System32\UwHYIMT.exe
  2⤵
  PID:8896
- C:\Windows\System32\kezroLt.exe
  C:\Windows\System32\kezroLt.exe
  2⤵
  PID:9256
- C:\Windows\System32\BFAiOXA.exe
  C:\Windows\System32\BFAiOXA.exe
  2⤵
  PID:9276
- C:\Windows\System32\AbfiSeT.exe
  C:\Windows\System32\AbfiSeT.exe
  2⤵
  PID:9300
- C:\Windows\System32\ybfyymB.exe
  C:\Windows\System32\ybfyymB.exe
  2⤵
  PID:9320
- C:\Windows\System32\tymDgoj.exe
  C:\Windows\System32\tymDgoj.exe
  2⤵
  PID:9344
- C:\Windows\System32\HpgXleY.exe
  C:\Windows\System32\HpgXleY.exe
  2⤵
  PID:9364
- C:\Windows\System32\gtkXfJf.exe
  C:\Windows\System32\gtkXfJf.exe
  2⤵
  PID:9408
- C:\Windows\System32\WdzRvMM.exe
  C:\Windows\System32\WdzRvMM.exe
  2⤵
  PID:9460
- C:\Windows\System32\TQbPxOg.exe
  C:\Windows\System32\TQbPxOg.exe
  2⤵
  PID:9480
- C:\Windows\System32\EcvtEzd.exe
  C:\Windows\System32\EcvtEzd.exe
  2⤵
  PID:9496
- C:\Windows\System32\VAtSRsX.exe
  C:\Windows\System32\VAtSRsX.exe
  2⤵
  PID:9516
- C:\Windows\System32\QtugSJo.exe
  C:\Windows\System32\QtugSJo.exe
  2⤵
  PID:9552
- C:\Windows\System32\GQSRgCp.exe
  C:\Windows\System32\GQSRgCp.exe
  2⤵
  PID:9588
- C:\Windows\System32\jKoeZlB.exe
  C:\Windows\System32\jKoeZlB.exe
  2⤵
  PID:9612
- C:\Windows\System32\aldUhEv.exe
  C:\Windows\System32\aldUhEv.exe
  2⤵
  PID:9636
- C:\Windows\System32\NJfnWGf.exe
  C:\Windows\System32\NJfnWGf.exe
  2⤵
  PID:9656
- C:\Windows\System32\LmyHhhk.exe
  C:\Windows\System32\LmyHhhk.exe
  2⤵
  PID:9696
- C:\Windows\System32\hiJbTCU.exe
  C:\Windows\System32\hiJbTCU.exe
  2⤵
  PID:9728
- C:\Windows\System32\qzzZTlz.exe
  C:\Windows\System32\qzzZTlz.exe
  2⤵
  PID:9760
- C:\Windows\System32\iuJHxgy.exe
  C:\Windows\System32\iuJHxgy.exe
  2⤵
  PID:9788
- C:\Windows\System32\mRbphLh.exe
  C:\Windows\System32\mRbphLh.exe
  2⤵
  PID:9808
- C:\Windows\System32\CmDtRvW.exe
  C:\Windows\System32\CmDtRvW.exe
  2⤵
  PID:9828
- C:\Windows\System32\eiTNMgH.exe
  C:\Windows\System32\eiTNMgH.exe
  2⤵
  PID:9876
- C:\Windows\System32\eKNxvVG.exe
  C:\Windows\System32\eKNxvVG.exe
  2⤵
  PID:9892
- C:\Windows\System32\DtWyBvt.exe
  C:\Windows\System32\DtWyBvt.exe
  2⤵
  PID:9908
- C:\Windows\System32\RRdCPvT.exe
  C:\Windows\System32\RRdCPvT.exe
  2⤵
  PID:9932
- C:\Windows\System32\qMSAGCP.exe
  C:\Windows\System32\qMSAGCP.exe
  2⤵
  PID:9976
- C:\Windows\System32\OBlIllv.exe
  C:\Windows\System32\OBlIllv.exe
  2⤵
  PID:9996
- C:\Windows\System32\HmEZQnc.exe
  C:\Windows\System32\HmEZQnc.exe
  2⤵
  PID:10024
- C:\Windows\System32\FHyDXbr.exe
  C:\Windows\System32\FHyDXbr.exe
  2⤵
  PID:10056
- C:\Windows\System32\wVtvfPd.exe
  C:\Windows\System32\wVtvfPd.exe
  2⤵
  PID:10108
- C:\Windows\System32\PQMcLuQ.exe
  C:\Windows\System32\PQMcLuQ.exe
  2⤵
  PID:10128
- C:\Windows\System32\pqtSiEq.exe
  C:\Windows\System32\pqtSiEq.exe
  2⤵
  PID:10160
- C:\Windows\System32\WPispBZ.exe
  C:\Windows\System32\WPispBZ.exe
  2⤵
  PID:10188
- C:\Windows\System32\qfwknaz.exe
  C:\Windows\System32\qfwknaz.exe
  2⤵
  PID:10204
- C:\Windows\System32\ZUCEDoS.exe
  C:\Windows\System32\ZUCEDoS.exe
  2⤵
  PID:9224
- C:\Windows\System32\aYKTSqS.exe
  C:\Windows\System32\aYKTSqS.exe
  2⤵
  PID:9264
- C:\Windows\System32\XoicUoJ.exe
  C:\Windows\System32\XoicUoJ.exe
  2⤵
  PID:9316
- C:\Windows\System32\IriHvus.exe
  C:\Windows\System32\IriHvus.exe
  2⤵
  PID:9352
- C:\Windows\System32\BFOVATW.exe
  C:\Windows\System32\BFOVATW.exe
  2⤵
  PID:9452
- C:\Windows\System32\lKvtYtj.exe
  C:\Windows\System32\lKvtYtj.exe
  2⤵
  PID:9548
- C:\Windows\System32\mLHZOcC.exe
  C:\Windows\System32\mLHZOcC.exe
  2⤵
  PID:9580
- C:\Windows\System32\vmBJRWY.exe
  C:\Windows\System32\vmBJRWY.exe
  2⤵
  PID:9664
- C:\Windows\System32\hqSHBHH.exe
  C:\Windows\System32\hqSHBHH.exe
  2⤵
  PID:9672
- C:\Windows\System32\ztbrMht.exe
  C:\Windows\System32\ztbrMht.exe
  2⤵
  PID:9736
- C:\Windows\System32\kMJdpea.exe
  C:\Windows\System32\kMJdpea.exe
  2⤵
  PID:9768
- C:\Windows\System32\mgHCiIB.exe
  C:\Windows\System32\mgHCiIB.exe
  2⤵
  PID:9884
- C:\Windows\System32\fjBwdhv.exe
  C:\Windows\System32\fjBwdhv.exe
  2⤵
  PID:9964
- C:\Windows\System32\RjJIsac.exe
  C:\Windows\System32\RjJIsac.exe
  2⤵
  PID:10040
- C:\Windows\System32\zAmRoMu.exe
  C:\Windows\System32\zAmRoMu.exe
  2⤵
  PID:10096
- C:\Windows\System32\KSAgNoG.exe
  C:\Windows\System32\KSAgNoG.exe
  2⤵
  PID:10140
- C:\Windows\System32\mOdKLoS.exe
  C:\Windows\System32\mOdKLoS.exe
  2⤵
  PID:8672
- C:\Windows\System32\EbRFRdt.exe
  C:\Windows\System32\EbRFRdt.exe
  2⤵
  PID:10232
- C:\Windows\System32\vmqAhqC.exe
  C:\Windows\System32\vmqAhqC.exe
  2⤵
  PID:9492
- C:\Windows\System32\pOmLEnC.exe
  C:\Windows\System32\pOmLEnC.exe
  2⤵
  PID:9620
- C:\Windows\System32\FRfuhGl.exe
  C:\Windows\System32\FRfuhGl.exe
  2⤵
  PID:9756
- C:\Windows\System32\ofQmLiB.exe
  C:\Windows\System32\ofQmLiB.exe
  2⤵
  PID:10008
- C:\Windows\System32\xDbPsCp.exe
  C:\Windows\System32\xDbPsCp.exe
  2⤵
  PID:9988
- C:\Windows\System32\lRsGxZU.exe
  C:\Windows\System32\lRsGxZU.exe
  2⤵
  PID:10156
- C:\Windows\System32\FsyVJjB.exe
  C:\Windows\System32\FsyVJjB.exe
  2⤵
  PID:9244
- C:\Windows\System32\tNYIFvp.exe
  C:\Windows\System32\tNYIFvp.exe
  2⤵
  PID:9596
- C:\Windows\System32\dLyhDEy.exe
  C:\Windows\System32\dLyhDEy.exe
  2⤵
  PID:9708
- C:\Windows\System32\hjXcbtR.exe
  C:\Windows\System32\hjXcbtR.exe
  2⤵
  PID:9360
- C:\Windows\System32\QsumgxL.exe
  C:\Windows\System32\QsumgxL.exe
  2⤵
  PID:9704
- C:\Windows\System32\HrsgSlM.exe
  C:\Windows\System32\HrsgSlM.exe
  2⤵
  PID:10272
- C:\Windows\System32\OOcWpzx.exe
  C:\Windows\System32\OOcWpzx.exe
  2⤵
  PID:10288
- C:\Windows\System32\kezqkMf.exe
  C:\Windows\System32\kezqkMf.exe
  2⤵
  PID:10308
- C:\Windows\System32\PDXrtid.exe
  C:\Windows\System32\PDXrtid.exe
  2⤵
  PID:10332
- C:\Windows\System32\chRZaau.exe
  C:\Windows\System32\chRZaau.exe
  2⤵
  PID:10356
- C:\Windows\System32\qPKubcM.exe
  C:\Windows\System32\qPKubcM.exe
  2⤵
  PID:10388
- C:\Windows\System32\MqQjvHT.exe
  C:\Windows\System32\MqQjvHT.exe
  2⤵
  PID:10412
- C:\Windows\System32\dtgleAM.exe
  C:\Windows\System32\dtgleAM.exe
  2⤵
  PID:10436
- C:\Windows\System32\PwhvwvC.exe
  C:\Windows\System32\PwhvwvC.exe
  2⤵
  PID:10484
- C:\Windows\System32\ksKiqaH.exe
  C:\Windows\System32\ksKiqaH.exe
  2⤵
  PID:10504
- C:\Windows\System32\RVxYjAG.exe
  C:\Windows\System32\RVxYjAG.exe
  2⤵
  PID:10532
- C:\Windows\System32\cZPBdRz.exe
  C:\Windows\System32\cZPBdRz.exe
  2⤵
  PID:10552
- C:\Windows\System32\ZBobFJh.exe
  C:\Windows\System32\ZBobFJh.exe
  2⤵
  PID:10588
- C:\Windows\System32\NaGjNNL.exe
  C:\Windows\System32\NaGjNNL.exe
  2⤵
  PID:10604
- C:\Windows\System32\yOASlJU.exe
  C:\Windows\System32\yOASlJU.exe
  2⤵
  PID:10644
- C:\Windows\System32\ZLaWbAv.exe
  C:\Windows\System32\ZLaWbAv.exe
  2⤵
  PID:10664
- C:\Windows\System32\LDKLzSq.exe
  C:\Windows\System32\LDKLzSq.exe
  2⤵
  PID:10708
- C:\Windows\System32\GuFUjUZ.exe
  C:\Windows\System32\GuFUjUZ.exe
  2⤵
  PID:10756
- C:\Windows\System32\zoLgSTr.exe
  C:\Windows\System32\zoLgSTr.exe
  2⤵
  PID:10792
- C:\Windows\System32\nTpUCnj.exe
  C:\Windows\System32\nTpUCnj.exe
  2⤵
  PID:10816
- C:\Windows\System32\Bjlwkuo.exe
  C:\Windows\System32\Bjlwkuo.exe
  2⤵
  PID:10844
- C:\Windows\System32\FQQDTon.exe
  C:\Windows\System32\FQQDTon.exe
  2⤵
  PID:10860
- C:\Windows\System32\mOiDNzr.exe
  C:\Windows\System32\mOiDNzr.exe
  2⤵
  PID:10892
- C:\Windows\System32\scmdyiF.exe
  C:\Windows\System32\scmdyiF.exe
  2⤵
  PID:10924
- C:\Windows\System32\uQLnbVb.exe
  C:\Windows\System32\uQLnbVb.exe
  2⤵
  PID:10964
- C:\Windows\System32\LREcjUN.exe
  C:\Windows\System32\LREcjUN.exe
  2⤵
  PID:10984
- C:\Windows\System32\PEoWCGo.exe
  C:\Windows\System32\PEoWCGo.exe
  2⤵
  PID:11016
- C:\Windows\System32\qemMYLD.exe
  C:\Windows\System32\qemMYLD.exe
  2⤵
  PID:11044
- C:\Windows\System32\dRpqBfI.exe
  C:\Windows\System32\dRpqBfI.exe
  2⤵
  PID:11064
- C:\Windows\System32\zJQUdHi.exe
  C:\Windows\System32\zJQUdHi.exe
  2⤵
  PID:11092
- C:\Windows\System32\leFXKbU.exe
  C:\Windows\System32\leFXKbU.exe
  2⤵
  PID:11128
- C:\Windows\System32\SPNGurS.exe
  C:\Windows\System32\SPNGurS.exe
  2⤵
  PID:11148
- C:\Windows\System32\HpqmHyC.exe
  C:\Windows\System32\HpqmHyC.exe
  2⤵
  PID:11172
- C:\Windows\System32\ijswIuE.exe
  C:\Windows\System32\ijswIuE.exe
  2⤵
  PID:11204
- C:\Windows\System32\ueqFqFm.exe
  C:\Windows\System32\ueqFqFm.exe
  2⤵
  PID:11228
- C:\Windows\System32\iMpzfhN.exe
  C:\Windows\System32\iMpzfhN.exe
  2⤵
  PID:11248
- C:\Windows\System32\gjaiYlT.exe
  C:\Windows\System32\gjaiYlT.exe
  2⤵
  PID:9928
- C:\Windows\System32\lotuddb.exe
  C:\Windows\System32\lotuddb.exe
  2⤵
  PID:10372
- C:\Windows\System32\XjrvrNe.exe
  C:\Windows\System32\XjrvrNe.exe
  2⤵
  PID:10472
- C:\Windows\System32\VvGnITL.exe
  C:\Windows\System32\VvGnITL.exe
  2⤵
  PID:10516
- C:\Windows\System32\hqvybnZ.exe
  C:\Windows\System32\hqvybnZ.exe
  2⤵
  PID:10620
- C:\Windows\System32\vodrChg.exe
  C:\Windows\System32\vodrChg.exe
  2⤵
  PID:10736
- C:\Windows\System32\oiiFpdc.exe
  C:\Windows\System32\oiiFpdc.exe
  2⤵
  PID:10812
- C:\Windows\System32\nGEHTmw.exe
  C:\Windows\System32\nGEHTmw.exe
  2⤵
  PID:10872
- C:\Windows\System32\ecULrXW.exe
  C:\Windows\System32\ecULrXW.exe
  2⤵
  PID:10940
- C:\Windows\System32\xdhbWfo.exe
  C:\Windows\System32\xdhbWfo.exe
  2⤵
  PID:11000
- C:\Windows\System32\iKWixof.exe
  C:\Windows\System32\iKWixof.exe
  2⤵
  PID:11124
- C:\Windows\System32\vVWYFQF.exe
  C:\Windows\System32\vVWYFQF.exe
  2⤵
  PID:11144
- C:\Windows\System32\DydPJzn.exe
  C:\Windows\System32\DydPJzn.exe
  2⤵
  PID:11200
- C:\Windows\System32\bTQSHuO.exe
  C:\Windows\System32\bTQSHuO.exe
  2⤵
  PID:11244
- C:\Windows\System32\nDDNtPq.exe
  C:\Windows\System32\nDDNtPq.exe
  2⤵
  PID:11220
- C:\Windows\System32\AXYgtNT.exe
  C:\Windows\System32\AXYgtNT.exe
  2⤵
  PID:10548
- C:\Windows\System32\aJBUnxW.exe
  C:\Windows\System32\aJBUnxW.exe
  2⤵
  PID:10596
- C:\Windows\System32\cPblnKE.exe
  C:\Windows\System32\cPblnKE.exe
  2⤵
  PID:10740
- C:\Windows\System32\MxbUBSt.exe
  C:\Windows\System32\MxbUBSt.exe
  2⤵
  PID:10920
- C:\Windows\System32\UEaYRhA.exe
  C:\Windows\System32\UEaYRhA.exe
  2⤵
  PID:10340
- C:\Windows\System32\jTzlRaW.exe
  C:\Windows\System32\jTzlRaW.exe
  2⤵
  PID:10832
- C:\Windows\System32\rMiwtOI.exe
  C:\Windows\System32\rMiwtOI.exe
  2⤵
  PID:10992
- C:\Windows\System32\cLyTnxK.exe
  C:\Windows\System32\cLyTnxK.exe
  2⤵
  PID:10528
- C:\Windows\System32\fnHkXxu.exe
  C:\Windows\System32\fnHkXxu.exe
  2⤵
  PID:11268
- C:\Windows\System32\ztwwQls.exe
  C:\Windows\System32\ztwwQls.exe
  2⤵
  PID:11300
- C:\Windows\System32\fFWvZGQ.exe
  C:\Windows\System32\fFWvZGQ.exe
  2⤵
  PID:11372
- C:\Windows\System32\DJyhbrU.exe
  C:\Windows\System32\DJyhbrU.exe
  2⤵
  PID:11400
- C:\Windows\System32\aKoEHTT.exe
  C:\Windows\System32\aKoEHTT.exe
  2⤵
  PID:11416
- C:\Windows\System32\jQZbVnJ.exe
  C:\Windows\System32\jQZbVnJ.exe
  2⤵
  PID:11432
- C:\Windows\System32\JqHeThf.exe
  C:\Windows\System32\JqHeThf.exe
  2⤵
  PID:11460
- C:\Windows\System32\sPYMUNV.exe
  C:\Windows\System32\sPYMUNV.exe
  2⤵
  PID:11480
- C:\Windows\System32\KUjTOoo.exe
  C:\Windows\System32\KUjTOoo.exe
  2⤵
  PID:11508
- C:\Windows\System32\oALMIOp.exe
  C:\Windows\System32\oALMIOp.exe
  2⤵
  PID:11524
- C:\Windows\System32\yJxfTFI.exe
  C:\Windows\System32\yJxfTFI.exe
  2⤵
  PID:11576
- C:\Windows\System32\VaiwfGU.exe
  C:\Windows\System32\VaiwfGU.exe
  2⤵
  PID:11640
- C:\Windows\System32\RIIdwCB.exe
  C:\Windows\System32\RIIdwCB.exe
  2⤵
  PID:11664
- C:\Windows\System32\rIhIfbY.exe
  C:\Windows\System32\rIhIfbY.exe
  2⤵
  PID:11688
- C:\Windows\System32\ijfCnOJ.exe
  C:\Windows\System32\ijfCnOJ.exe
  2⤵
  PID:11764
- C:\Windows\System32\cAjzWCz.exe
  C:\Windows\System32\cAjzWCz.exe
  2⤵
  PID:11784
- C:\Windows\System32\vDpVagW.exe
  C:\Windows\System32\vDpVagW.exe
  2⤵
  PID:11804
- C:\Windows\System32\oRtEelW.exe
  C:\Windows\System32\oRtEelW.exe
  2⤵
  PID:11832
- C:\Windows\System32\iQzWbcY.exe
  C:\Windows\System32\iQzWbcY.exe
  2⤵
  PID:11856
- C:\Windows\System32\DRGjigP.exe
  C:\Windows\System32\DRGjigP.exe
  2⤵
  PID:11880
- C:\Windows\System32\TZQhobb.exe
  C:\Windows\System32\TZQhobb.exe
  2⤵
  PID:11916
- C:\Windows\System32\iViFTmT.exe
  C:\Windows\System32\iViFTmT.exe
  2⤵
  PID:11980
- C:\Windows\System32\SgHmijH.exe
  C:\Windows\System32\SgHmijH.exe
  2⤵
  PID:12008
- C:\Windows\System32\MtMynkS.exe
  C:\Windows\System32\MtMynkS.exe
  2⤵
  PID:12064
- C:\Windows\System32\YMdKYyO.exe
  C:\Windows\System32\YMdKYyO.exe
  2⤵
  PID:12088
- C:\Windows\System32\CUDwanP.exe
  C:\Windows\System32\CUDwanP.exe
  2⤵
  PID:12124
- C:\Windows\System32\BXSWLQS.exe
  C:\Windows\System32\BXSWLQS.exe
  2⤵
  PID:12148
- C:\Windows\System32\vYcIWIU.exe
  C:\Windows\System32\vYcIWIU.exe
  2⤵
  PID:12180
- C:\Windows\System32\XNUJkUd.exe
  C:\Windows\System32\XNUJkUd.exe
  2⤵
  PID:12212
- C:\Windows\System32\tAEzmbC.exe
  C:\Windows\System32\tAEzmbC.exe
  2⤵
  PID:12236
- C:\Windows\System32\GYCCTfF.exe
  C:\Windows\System32\GYCCTfF.exe
  2⤵
  PID:12272
- C:\Windows\System32\kJKGMpL.exe
  C:\Windows\System32\kJKGMpL.exe
  2⤵
  PID:11288
- C:\Windows\System32\iAKdRhx.exe
  C:\Windows\System32\iAKdRhx.exe
  2⤵
  PID:11384
- C:\Windows\System32\YDQcCTX.exe
  C:\Windows\System32\YDQcCTX.exe
  2⤵
  PID:11364
- C:\Windows\System32\tvmOgKU.exe
  C:\Windows\System32\tvmOgKU.exe
  2⤵
  PID:11412
- C:\Windows\System32\XBwbYLL.exe
  C:\Windows\System32\XBwbYLL.exe
  2⤵
  PID:11540
- C:\Windows\System32\PZooqOZ.exe
  C:\Windows\System32\PZooqOZ.exe
  2⤵
  PID:11496
- C:\Windows\System32\MtcQFzI.exe
  C:\Windows\System32\MtcQFzI.exe
  2⤵
  PID:11468
- C:\Windows\System32\wjYIScE.exe
  C:\Windows\System32\wjYIScE.exe
  2⤵
  PID:11588
- C:\Windows\System32\STdQaYc.exe
  C:\Windows\System32\STdQaYc.exe
  2⤵
  PID:11812
- C:\Windows\System32\dhjvQNk.exe
  C:\Windows\System32\dhjvQNk.exe
  2⤵
  PID:11868
- C:\Windows\System32\bRtcRtt.exe
  C:\Windows\System32\bRtcRtt.exe
  2⤵
  PID:12020
- C:\Windows\System32\aCXxsqL.exe
  C:\Windows\System32\aCXxsqL.exe
  2⤵
  PID:12116
- C:\Windows\System32\LGHILgp.exe
  C:\Windows\System32\LGHILgp.exe
  2⤵
  PID:12156
- C:\Windows\System32\KEqRQLI.exe
  C:\Windows\System32\KEqRQLI.exe
  2⤵
  PID:12228
- C:\Windows\System32\YrtVsti.exe
  C:\Windows\System32\YrtVsti.exe
  2⤵
  PID:12284
- C:\Windows\System32\mJButMS.exe
  C:\Windows\System32\mJButMS.exe
  2⤵
  PID:11560
- C:\Windows\System32\UPwkvrP.exe
  C:\Windows\System32\UPwkvrP.exe
  2⤵
  PID:11700
- C:\Windows\System32\wOCmWJw.exe
  C:\Windows\System32\wOCmWJw.exe
  2⤵
  PID:11852
- C:\Windows\System32\fqkySuD.exe
  C:\Windows\System32\fqkySuD.exe
  2⤵
  PID:12000
- C:\Windows\System32\erBPsEI.exe
  C:\Windows\System32\erBPsEI.exe
  2⤵
  PID:12144
- C:\Windows\System32\wQjavpG.exe
  C:\Windows\System32\wQjavpG.exe
  2⤵
  PID:11388
- C:\Windows\System32\oCNTuPY.exe
  C:\Windows\System32\oCNTuPY.exe
  2⤵
  PID:11564
- C:\Windows\System32\saOgQTx.exe
  C:\Windows\System32\saOgQTx.exe
  2⤵
  PID:12220
- C:\Windows\System32\BpXniGG.exe
  C:\Windows\System32\BpXniGG.exe
  2⤵
  PID:12324
- C:\Windows\System32\HOOkHNA.exe
  C:\Windows\System32\HOOkHNA.exe
  2⤵
  PID:12348
- C:\Windows\System32\IaKoYlO.exe
  C:\Windows\System32\IaKoYlO.exe
  2⤵
  PID:12364
- C:\Windows\System32\tOjApic.exe
  C:\Windows\System32\tOjApic.exe
  2⤵
  PID:12384
- C:\Windows\System32\BwprKds.exe
  C:\Windows\System32\BwprKds.exe
  2⤵
  PID:12416
- C:\Windows\System32\EfWCOrc.exe
  C:\Windows\System32\EfWCOrc.exe
  2⤵
  PID:12444
- C:\Windows\System32\hvEWhqo.exe
  C:\Windows\System32\hvEWhqo.exe
  2⤵
  PID:12464
- C:\Windows\System32\pnLZRlB.exe
  C:\Windows\System32\pnLZRlB.exe
  2⤵
  PID:12484
- C:\Windows\System32\XYgUXHE.exe
  C:\Windows\System32\XYgUXHE.exe
  2⤵
  PID:12564
- C:\Windows\System32\LHBOXkW.exe
  C:\Windows\System32\LHBOXkW.exe
  2⤵
  PID:12624
- C:\Windows\System32\kEklPGC.exe
  C:\Windows\System32\kEklPGC.exe
  2⤵
  PID:12644
- C:\Windows\System32\LBiffkt.exe
  C:\Windows\System32\LBiffkt.exe
  2⤵
  PID:12660
- C:\Windows\System32\ZoWGhid.exe
  C:\Windows\System32\ZoWGhid.exe
  2⤵
  PID:12688
- C:\Windows\System32\eeAnQjE.exe
  C:\Windows\System32\eeAnQjE.exe
  2⤵
  PID:12704
- C:\Windows\System32\ZEVnGeo.exe
  C:\Windows\System32\ZEVnGeo.exe
  2⤵
  PID:12724
- C:\Windows\System32\GPrxqvg.exe
  C:\Windows\System32\GPrxqvg.exe
  2⤵
  PID:12768
- C:\Windows\System32\lJkSxgd.exe
  C:\Windows\System32\lJkSxgd.exe
  2⤵
  PID:12812
- C:\Windows\System32\DwlgZFe.exe
  C:\Windows\System32\DwlgZFe.exe
  2⤵
  PID:12836
- C:\Windows\System32\ehUUwqN.exe
  C:\Windows\System32\ehUUwqN.exe
  2⤵
  PID:12856
- C:\Windows\System32\iiHrNGl.exe
  C:\Windows\System32\iiHrNGl.exe
  2⤵
  PID:12924
- C:\Windows\System32\ZFQGsVK.exe
  C:\Windows\System32\ZFQGsVK.exe
  2⤵
  PID:12940
- C:\Windows\System32\MlXMHXd.exe
  C:\Windows\System32\MlXMHXd.exe
  2⤵
  PID:12964
- C:\Windows\System32\bDLCahP.exe
  C:\Windows\System32\bDLCahP.exe
  2⤵
  PID:12984
- C:\Windows\System32\CmkgpOT.exe
  C:\Windows\System32\CmkgpOT.exe
  2⤵
  PID:13032
- C:\Windows\System32\SmLWMrA.exe
  C:\Windows\System32\SmLWMrA.exe
  2⤵
  PID:13052
- C:\Windows\System32\uIxpyAH.exe
  C:\Windows\System32\uIxpyAH.exe
  2⤵
  PID:13076
- C:\Windows\System32\SmDmwFT.exe
  C:\Windows\System32\SmDmwFT.exe
  2⤵
  PID:13096
- C:\Windows\System32\WxAWnDL.exe
  C:\Windows\System32\WxAWnDL.exe
  2⤵
  PID:13116
- C:\Windows\System32\WimzKrH.exe
  C:\Windows\System32\WimzKrH.exe
  2⤵
  PID:13140
- C:\Windows\System32\egvNKPe.exe
  C:\Windows\System32\egvNKPe.exe
  2⤵
  PID:13168
- C:\Windows\System32\rVkxocZ.exe
  C:\Windows\System32\rVkxocZ.exe
  2⤵
  PID:13220
- C:\Windows\System32\lzTJgGS.exe
  C:\Windows\System32\lzTJgGS.exe
  2⤵
  PID:13248
- C:\Windows\System32\KuYjVDZ.exe
  C:\Windows\System32\KuYjVDZ.exe
  2⤵
  PID:13268
- C:\Windows\System32\MMRGVsY.exe
  C:\Windows\System32\MMRGVsY.exe
  2⤵
  PID:13292
- C:\Windows\System32\sIDbQfZ.exe
  C:\Windows\System32\sIDbQfZ.exe
  2⤵
  PID:11520
- C:\Windows\System32\oRbUMxv.exe
  C:\Windows\System32\oRbUMxv.exe
  2⤵
  PID:12308
- C:\Windows\System32\nvYcZTY.exe
  C:\Windows\System32\nvYcZTY.exe
  2⤵
  PID:3528
- C:\Windows\System32\nuxqXpJ.exe
  C:\Windows\System32\nuxqXpJ.exe
  2⤵
  PID:12360
- C:\Windows\System32\NuiqiDK.exe
  C:\Windows\System32\NuiqiDK.exe
  2⤵
  PID:12492
- C:\Windows\System32\jFOoDcN.exe
  C:\Windows\System32\jFOoDcN.exe
  2⤵
  PID:12452
- C:\Windows\System32\vKHtSKF.exe
  C:\Windows\System32\vKHtSKF.exe
  2⤵
  PID:1660
- C:\Windows\System32\tXxYeUZ.exe
  C:\Windows\System32\tXxYeUZ.exe
  2⤵
  PID:12636
- C:\Windows\System32\tXIxotC.exe
  C:\Windows\System32\tXIxotC.exe
  2⤵
  PID:12700
- C:\Windows\System32\pgSlzVE.exe
  C:\Windows\System32\pgSlzVE.exe
  2⤵
  PID:12752
- C:\Windows\System32\OXYXNgs.exe
  C:\Windows\System32\OXYXNgs.exe
  2⤵
  PID:12824
- C:\Windows\System32\gghOmJP.exe
  C:\Windows\System32\gghOmJP.exe
  2⤵
  PID:12936
- C:\Windows\System32\xrOvFRd.exe
  C:\Windows\System32\xrOvFRd.exe
  2⤵
  PID:12996
- C:\Windows\System32\FKqNhjB.exe
  C:\Windows\System32\FKqNhjB.exe
  2⤵
  PID:13044
- C:\Windows\System32\rdnBYzR.exe
  C:\Windows\System32\rdnBYzR.exe
  2⤵
  PID:13112
- C:\Windows\System32\RpYykxA.exe
  C:\Windows\System32\RpYykxA.exe
  2⤵
  PID:13216
- C:\Windows\System32\ZgfRfUV.exe
  C:\Windows\System32\ZgfRfUV.exe
  2⤵
  PID:13264

C:\Windows\system32\WerFaultSecure.exe
C:\Windows\system32\WerFaultSecure.exe -u -p 4112 -s 2156
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:13200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\ABMjfJW.exe

Filesize
1.9MB

MD5
496389a0eb91f136283536228682db32

SHA1
59b2951f27e521f08abf1a3275b5ebddafb612ff

SHA256
a061f3d97ebbd3dedb3e346af8e4405556816246124c2174b763b49e92159516

SHA512
f373b655662560e1e1ec4c5cafb1b020a8420590e43a88b8aaa39600e9f93e8dd00aebfe6a0cfc5a7272a0db030c5e98bdaadb79efff198ecd232340e1a6640d

Download Submit
C:\Windows\System32\BcfmnaG.exe

Filesize
1.9MB

MD5
968b589447e26d6d03019aa7e8501c5a

SHA1
a520f3a40706ba356468bd6e1e3cfc233b365085

SHA256
286c6376ad157e55981b48811ea81396bbd781b4a814ce83de8963621dd39107

SHA512
26545199c42942597e0ae36107401344b208fce470581fa8c48e80156d1f4bff2ee863ae339fe8b82a057aa4742698984177c7afb65fd4ee81744458224f2f68

Download Submit
C:\Windows\System32\IKAjPmb.exe

Filesize
1.9MB

MD5
ee58b51c83b5dea9524cbce5553109c4

SHA1
9160f0081f58b6cb4dc73eda952b8493ea94c40b

SHA256
861cfcfdcda23700c728ea3169fe7495581d3abcb79fd937d11d68f7dcced9fa

SHA512
410b0b5b515c89844433146fe4dcef9f3ad952763d8deef58254f92e8c62629d188a44fe90f533f949001ebeac8fa8e9f29af7fd19f1f419d3123e0cd44e3c5d

Download Submit
C:\Windows\System32\JNJfRWj.exe

Filesize
1.9MB

MD5
4777edd605a20d44e89a8b17fb8d215f

SHA1
755c27f458394786686fcf69d568ab347a852336

SHA256
82cff2973f6e4b83a9f638bac18a7913b7a9d91dbfb1e21590a60cf3a464a411

SHA512
d4ccb1631ca43d2ae06d5927b59629b5b336b787e66538f3468df6045c2549e1b5c9fe098385f6b924a9b2099d5abf7b46450b7d903d6186e8bbc412ac07dde6

Download Submit
C:\Windows\System32\MtwYtmz.exe

Filesize
1.9MB

MD5
0de0c0a6f26b9c62bc71f28b226e897c

SHA1
e1165cda6fce4d3e5f0b80510f51a8e811f03676

SHA256
c1a20f48e6830dc6fdfdeaedaf91501b56c3cf3e1fccb2dcc1552e59de57d6a6

SHA512
9b63b1ff800ac7312c8cf3788a696eff60449a595be13e831d366ad646a94491f0d63f72ba9de693e0e4ac3a0ab95812c7b17928209cf276c89ee977bf6a03df

Download Submit
C:\Windows\System32\NTvAWHH.exe

Filesize
1.9MB

MD5
4869e1f4ec31f1d40c20b618b7b1cf33

SHA1
5f68092ef7f373808cdd47d8bc5ea42e5deb9dd1

SHA256
0e1717407667d110fcf42f12dd5db8e4e74ac9be34d973c1f596780b66a6373b

SHA512
f9fbf5c056314f4f5ce27e100b0742975b23809b2196582d25fb6b058370d5d62e7a795108c823cb217fb81c9ad853c295d3720d0f9733ec152eede717bd8188

Download Submit
C:\Windows\System32\OQdEnPc.exe

Filesize
1.9MB

MD5
585475092cf4ea1c8d726cca78aa9f94

SHA1
f27d9af3a1fe6d2341aac14adf10c3d7d5661a35

SHA256
3dd344db1968cdaa33f9ce8199ff24d725e1e0834fa0ccb73d9dd1b0fb974caf

SHA512
336229af27e2ecde2750a20a884322a9fbccb7c612dd09bf6f174b12ebba4ac7f129b110d508a396281cf6439f612ce6e130fd7e5c4ee618f8eb88373417d3fc

Download Submit
C:\Windows\System32\OUwzSzE.exe

Filesize
1.9MB

MD5
64b38d60ce1673fe89510a31a1e0521c

SHA1
11ba5b05da78f3c21960194271aa256108caac77

SHA256
44897ccd22a7e060b66b9042fc641980a8d3568541196323b1beaed620c36763

SHA512
3cec8ffe31b97dd15b7f39f42d55dcb7fdc7dbb39a0f7e13210c8ab3887216405795a1b3d43d431438f830f51e248f37f05aca1c9ccdccd7f1fd4b8a433ef2dd

Download Submit
C:\Windows\System32\PMeRhvQ.exe

Filesize
1.9MB

MD5
e24a34813b0947fec277313fbe305f13

SHA1
556b488bc0a493c2e56c12d92d8a80c26aecbb4c

SHA256
8371349802fbe747cddc15cdf252810eb2a1c08f9fb00e1719a55ed91ea4584b

SHA512
fe87ff497ec7ce0d8d7530ded0272279e0f45d1017f47496078bdfac4f9578c4e5485dd3f10890d1fdffe06151a11d99c2b008dd5c85c62b966ec57b3dbfc878

Download Submit
C:\Windows\System32\PyvhNhY.exe

Filesize
1.9MB

MD5
1a58d12e0b86b5ba48a8bb2aa92b81af

SHA1
471e81822e02ac471985ec14ae3d20fbccab4215

SHA256
36409c81f966da2f5113f78b0cfc7c8d8fc3ce76c485c41201dc07c84f055658

SHA512
d6b1760a9b7e0290ff1c4c78e9d59da08d512d4c3992c76f5edbcc695e267455ecc1b54696911410dabf144e0fd728781ddf450a0704d292d2c247aa38b1cb04

Download Submit
C:\Windows\System32\QwrrRLA.exe

Filesize
1.9MB

MD5
38c7a774f1a7d56a7eedee8c691030db

SHA1
953096049beaee569ea96383ed7ebe0d2dabf975

SHA256
4a36eb7783f022fae3cbf4519b6a2d3a670358d4c892169228be933e0f3a7a00

SHA512
a388afc63f614f49253eeaed81a5f6dde2e729db9fa0d46cfb1b5e5283e2ec739487b29d0be382f960ae29f0e6b4a43d5b990a478dd1d66118884e118a8c14e6

Download Submit
C:\Windows\System32\TErDbmT.exe

Filesize
1.9MB

MD5
b28fe3c3a6068218cbbb30fe25ddd001

SHA1
930fd4775eb25139fdb43ac7e13f31205020d497

SHA256
897f60e5e3f797e6733d0716b242fac9805d58ed4b09637f02c13b1728ebf901

SHA512
d1109deb190b6cb25cbccb91823cd7b457fd703a3da1f90e44c604738d8d96560f4027ca7dc8d08c6539f077eba5f08b31418f3ca45241c796865013a90925d4

Download Submit
C:\Windows\System32\TkfecVk.exe

Filesize
1.9MB

MD5
4314699cb688edca424d7c2fdacd25a5

SHA1
83b59cfe9571d9a4ac805c7067bfe12aeb7e99b2

SHA256
c947f2370395e4919c0d16856a1ce5218b8783e624be4d0e8b5ce4d2a44f6dae

SHA512
38701de02085749107648109cac4cc39a770194500250f7c2e24615823c2e296c67fc0cfefda4ab6d7db4d7fbf5bf7781c2396b66f12c4e539b4678622a4c3ba

Download Submit
C:\Windows\System32\UlxoWVE.exe

Filesize
1.9MB

MD5
2dc7efc71e2666136f88d7c430f8cc90

SHA1
f39a32612c82ddb56169e9ead701c4b380dcedba

SHA256
4365beef74724216f7b4cb46f474a8ed4d859ea7c0c31292e7862893524b78c8

SHA512
380b5fe1dad42792f311348669bf45c0be65fbdf13dfbae17959f63ee3cc4336ca18d6a3309140cd2ff9b335aaaaa29da517765453685c976a416bedb934b15a

Download Submit
C:\Windows\System32\UmeCpOc.exe

Filesize
1.9MB

MD5
6f58965beab57034608c105511c35513

SHA1
1ffa8f3eca425f82b849ac1527d19abb9b1ceb3b

SHA256
b51916f0e1bd649f01cc7bea1530168ade577c1a4e0f1bede6e7761c3913cfa8

SHA512
c00f5e5395ef93354c0e7ac046a3f2ed1546cd3d65ddc5e66983798ad9ca328f06d40a2ad1fb3a15392d00bf6ba1bf7809ec84e643542a40be8bd01cb5a1c329

Download Submit
C:\Windows\System32\WoVahDr.exe

Filesize
1.9MB

MD5
5e22f6d1cfb9e0a046fc8d77c5466fae

SHA1
94b26c5217260cb7d1e8c2835cbcba1556a08fba

SHA256
a53ef8469074e2b80756ac23046ed8129efaeff3aaba4a918ecc493b6360d92b

SHA512
f37edeebcd78df16e7f5137c04580ed89b3f7b7c3895f355f1c081c6573060c7ccb575cab52173715961cbc53467a42cceebfc94413b539b455acbd2b1615958

Download Submit
C:\Windows\System32\XkQjJbX.exe

Filesize
1.9MB

MD5
5737d4849ba25a9443925e427c157f36

SHA1
57e19ed6e21a4de1b72fb3539cd65350c6e07b3e

SHA256
6ea8be2d286f37fafa676affda4fd6ed88573722711f7cd9aa1c67edfc712ecb

SHA512
d023cd6d92fc1f9f6a3882c10c1122aa6fc0ee8ab76b9f8fb980d2fe43ce7d3da0ec2701da46d56e5ca1de2b458308d57c55213e48c59280899d4b2b92762338

Download Submit
C:\Windows\System32\bUVCGNF.exe

Filesize
1.9MB

MD5
c3f34fd33c4f92b480b1338517f86d13

SHA1
09cc79b065727321f9b272d85543aac1b2f25bef

SHA256
bbf772a59ed235aeacb9aba03e6dc75bab42b55709146087295b0a7f543a6802

SHA512
bf717aaeef87290eeee1f686f6fde25f79b8004e1bd56d92a2ef07c5bcd9e6ba543fd4b3e2191a65e3f397c2ec850d9eca509e1c50f0ab4d6403b5920decb089

Download Submit
C:\Windows\System32\cCrNrdq.exe

Filesize
1.9MB

MD5
5bda5d2bb7575c7094324903ed43d3db

SHA1
25b4f452fd2bcf6b75632d5b8e8b9301f7dd5730

SHA256
f461d1c9737bbb93b6d79f984d73a693ef6702d10126c7c43733233dd886d429

SHA512
0ba2e99e64f54dd5cb19c9e87d7abe72786420d16bba931485ee3892faf7264c4b229d1e5340d0b3914880cbe4b06b0317b42fa9945a12e4ff67d43eac8c3beb

Download Submit
C:\Windows\System32\cUuDpAm.exe

Filesize
1.9MB

MD5
ad1aa401cb16503f5832e73467bfe7bd

SHA1
9c54d3c381d8b4ab6bd72be5cc52e4a1a014483f

SHA256
5560ae7b49c546a5431e3ae181b32a6293349847b3be19542134b93442b01df1

SHA512
4ebe3467841ea617c021de79d8dc151864ddcb7e159c9f66c62f9eb8dcc769f88bb23f028b79032d7a40008f5dd92cc466036fa90a67dc13bb5a0cd99b467103

Download Submit
C:\Windows\System32\cerLsWu.exe

Filesize
1.9MB

MD5
91344815b0ddb4d4a9e99a56fafd91b2

SHA1
84245bf2817453e4c56586e9faebdebbd763a509

SHA256
b8ee427998bb1b245102014f197433e6b01e6a73529caa7cf4a61418f6e6a2d6

SHA512
b4e4889c80dcfccbead10278b29eaf9d59d6ace97af1829c409eba8df02fbc917e8b1874d936b989fc70fa9b1c0acc5520fb22c11d80f096d00bdbfb4d1bff38

Download Submit
C:\Windows\System32\eUraguH.exe

Filesize
1.9MB

MD5
5d2a45abb1614352f399da7863a6fffb

SHA1
4e2390292ff710fcef6e002185426c6bffd6e2d5

SHA256
7e3ff0beb2873dd51766d27843608542a248d090a1030c2e7ef19ad06f375f41

SHA512
79d8b574bda307fba1de070bcf3b50652f2cf5f66cbe2b8df78080a4438b5bec088686b154b1243aa1e450ac0bf25fc74be5db86ec508a354d71bef2a95b5550

Download Submit
C:\Windows\System32\enDpUFn.exe

Filesize
1.9MB

MD5
d1d1297e0c965654534fb5b5f2376cf7

SHA1
98d8f9fa549d5502a0ee512e8bc5a1b1db8804d3

SHA256
c1f0cb7732f03d057ecfeaf3b20b2b4f4751bf7f07db2f4bb5ecd713e3d50c9f

SHA512
ec5bcc39330dfb25bbc2ba8affe6a6a4035c65560ac495f366949f5178e69b5d66084eb767a8c5bfce596efd355a59190578142ce93e3bcbc1e5a8a3e9b1927b

Download Submit
C:\Windows\System32\fjPqVth.exe

Filesize
1.9MB

MD5
ce3720219e09fffff932e77a0d38e27e

SHA1
bff7e273a5f21795cb87fd31081bafe72cce9273

SHA256
6a8027b8e8033cc326c7f106e00a8428d3c04d8b2d90fc82cf7fea12b66e0d1b

SHA512
9277da828193526a33c8dac0f3bef5182dcacae037c126c4a2563b1d3505f0e5bcb6451d666fd426a17aab420b4bb0ed066fe9b874051fa8cefc51889daeb08b

Download Submit
C:\Windows\System32\ibetkRT.exe

Filesize
1.9MB

MD5
6d2ebaf1d84f569b6631ec7d3314d56d

SHA1
c747ddc4d113391c008dfbd33d0471c0120e232a

SHA256
b7dcb3eb5c7dab2714ae39806d12471fc1a300b87ba84c0f1e63f461ba85f506

SHA512
81c0cb88940591866f8cc9c5c28814cb9ce9997238ce93dc241c5638deba4b955415437334965ca3163a072d33f763bc2877c4f84e417add2e8bb26335f3ec1c

Download Submit
C:\Windows\System32\ixvfFzi.exe

Filesize
1.9MB

MD5
c46526b1662ccb2717bd9563b1ec40d8

SHA1
e14732b970e5c14cf7e28d28bce298cfc4843ffb

SHA256
066228cbca4e1550f812adaf1c65e4156d39bcd1e978c5d471c9e013a883d4c1

SHA512
f042f45164122bf17a8015f7606c2cdf140dde01707824c51b061e89cfee0d7d3ee9b8d007806f349ef5d730112b7031ebac4a4d09b1fd2b766f8fefddf7b101

Download Submit
C:\Windows\System32\jhYdyNT.exe

Filesize
1.9MB

MD5
1f5f919213aa3fe35d23241ed2c6342b

SHA1
d518d648f624df72a89ee654a01c1bdfb3f5b7cb

SHA256
b4c3f9b713eac2ce28b6e762ef36a5ab888bdafc93cc433f530edfb3874aa99e

SHA512
9aa9b8fdc897a8a4581faccefc82f0dd5ce50c47d675b1f6af3366d6f68fb7466e750b609bc69fe541bcc9a9911c20305af715d231bf243badc0109850875d36

Download Submit
C:\Windows\System32\kUBYHxF.exe

Filesize
1.9MB

MD5
2ecfe6e69ef7ab42b58979393585917f

SHA1
15a182425584dd5ff16e0f9f088931c8323a51c0

SHA256
06972b491c3e89dd206d8519f0758e641ec65646db3278b02be70a0fd0f276c1

SHA512
ff6cfabe6844d8d1ad299528db1ec2b09440ccd8b84a84f57fcf44b3991850df5004e390daf56ef756b34f30f562a8ad7e0a9cac9e02c83d96bdc275ac33bef7

Download Submit
C:\Windows\System32\uydxMIC.exe

Filesize
1.9MB

MD5
036be2f55281ff454fa7aad6777bbe41

SHA1
40c02103ace124027ebb19fdb57712c46db6b817

SHA256
190caeed7573e0c88e6c91d1d63dbfa514b93f581a04b4662f34211464966ca1

SHA512
63a8e2f71dedab17603231fe778a4c583432112b512e97bf59f4b3f7f1415f3f6a1a68823ceca7c4211fbdd10030bd20129c92bb0ce2206546a0f9472d3dca74

Download Submit
C:\Windows\System32\xAxchsK.exe

Filesize
1.9MB

MD5
cb1cf566bef50acf2fcad7784567b004

SHA1
fab1b13e243d98b6577c6b48958ce7b9be6a31f4

SHA256
62456cd70ed250c6568d9b227acd6b40107ea49005f299ca71dbdf2287c64f47

SHA512
d3aa8061ea42b6323f9f14a49ce25b5d0606681a371a5011cbb73d46d5441dc1d43e7db9227cb266982f06c328a30df87c8334cec924b4010f610b538b4a0943

Download Submit
C:\Windows\System32\ycyPPUb.exe

Filesize
1.9MB

MD5
50d04323378ac5e2ce490dc29a6452f9

SHA1
e4952cfce0945244a0663520dec015a7b6819187

SHA256
176062a140f6e9dce895a06ff8fdf6037092293302e84aac2492af9b081952b2

SHA512
f8b19ee472d8935a34db33717d2675b7b5f87b115d278af306a37088b51a777ebf9ede0eff9c1085625b1a4d10221c691f6c75a285b29f7639eb849d26e0fb06

Download Submit
C:\Windows\System32\zpktakz.exe

Filesize
1.9MB

MD5
710f310ba566fe1f16289cc0c91b12cf

SHA1
a8a486b519e7945e0128a7bdb10ad0ea1debea89

SHA256
3c874302a04fedad605b224392977a09a1ac219b2e8ae0dba2add5db184ef69b

SHA512
0f0ce3b996931c85aac196fda60c4ca650b8fff805fd6cf568a835b1af240380d65b04f956d304951c1ef5fdbae8d5817de3804f3ac2cb6164a63af57f2bf869

Download Submit
memory/64-560-0x00007FF73CFC0000-0x00007FF73D3B1000-memory.dmp

Filesize
3.9MB

Download
memory/64-1987-0x00007FF73CFC0000-0x00007FF73D3B1000-memory.dmp

Filesize
3.9MB

Download
memory/432-1-0x00000176F0C70000-0x00000176F0C80000-memory.dmp

Filesize
64KB

Download
memory/432-0-0x00007FF671FC0000-0x00007FF6723B1000-memory.dmp

Filesize
3.9MB

Download
memory/1076-493-0x00007FF676D30000-0x00007FF677121000-memory.dmp

Filesize
3.9MB

Download
memory/1076-1998-0x00007FF676D30000-0x00007FF677121000-memory.dmp

Filesize
3.9MB

Download
memory/1412-7-0x00007FF77B270000-0x00007FF77B661000-memory.dmp

Filesize
3.9MB

Download
memory/1412-1982-0x00007FF77B270000-0x00007FF77B661000-memory.dmp

Filesize
3.9MB

Download
memory/1580-1994-0x00007FF735FF0000-0x00007FF7363E1000-memory.dmp

Filesize
3.9MB

Download
memory/1580-23-0x00007FF735FF0000-0x00007FF7363E1000-memory.dmp

Filesize
3.9MB

Download
memory/2120-2006-0x00007FF66ECC0000-0x00007FF66F0B1000-memory.dmp

Filesize
3.9MB

Download
memory/2120-501-0x00007FF66ECC0000-0x00007FF66F0B1000-memory.dmp

Filesize
3.9MB

Download
memory/2284-521-0x00007FF7ABB60000-0x00007FF7ABF51000-memory.dmp

Filesize
3.9MB

Download
memory/2284-2029-0x00007FF7ABB60000-0x00007FF7ABF51000-memory.dmp

Filesize
3.9MB

Download
memory/2424-494-0x00007FF755F70000-0x00007FF756361000-memory.dmp

Filesize
3.9MB

Download
memory/2424-2002-0x00007FF755F70000-0x00007FF756361000-memory.dmp

Filesize
3.9MB

Download
memory/2836-2000-0x00007FF6CF8D0000-0x00007FF6CFCC1000-memory.dmp

Filesize
3.9MB

Download
memory/2836-492-0x00007FF6CF8D0000-0x00007FF6CFCC1000-memory.dmp

Filesize
3.9MB

Download
memory/2880-491-0x00007FF679E90000-0x00007FF67A281000-memory.dmp

Filesize
3.9MB

Download
memory/2880-1996-0x00007FF679E90000-0x00007FF67A281000-memory.dmp

Filesize
3.9MB

Download
memory/2896-1992-0x00007FF72A940000-0x00007FF72AD31000-memory.dmp

Filesize
3.9MB

Download
memory/2896-489-0x00007FF72A940000-0x00007FF72AD31000-memory.dmp

Filesize
3.9MB

Download
memory/2900-515-0x00007FF739D80000-0x00007FF73A171000-memory.dmp

Filesize
3.9MB

Download
memory/2900-2017-0x00007FF739D80000-0x00007FF73A171000-memory.dmp

Filesize
3.9MB

Download
memory/3156-506-0x00007FF6AC380000-0x00007FF6AC771000-memory.dmp

Filesize
3.9MB

Download
memory/3156-2008-0x00007FF6AC380000-0x00007FF6AC771000-memory.dmp

Filesize
3.9MB

Download
memory/3352-14-0x00007FF627290000-0x00007FF627681000-memory.dmp

Filesize
3.9MB

Download
memory/3352-1984-0x00007FF627290000-0x00007FF627681000-memory.dmp

Filesize
3.9MB

Download
memory/3492-2012-0x00007FF7DFA10000-0x00007FF7DFE01000-memory.dmp

Filesize
3.9MB

Download
memory/3492-540-0x00007FF7DFA10000-0x00007FF7DFE01000-memory.dmp

Filesize
3.9MB

Download
memory/3544-490-0x00007FF7DAD70000-0x00007FF7DB161000-memory.dmp

Filesize
3.9MB

Download
memory/3544-1991-0x00007FF7DAD70000-0x00007FF7DB161000-memory.dmp

Filesize
3.9MB

Download
memory/3820-509-0x00007FF7F0400000-0x00007FF7F07F1000-memory.dmp

Filesize
3.9MB

Download
memory/3820-2010-0x00007FF7F0400000-0x00007FF7F07F1000-memory.dmp

Filesize
3.9MB

Download
memory/3956-488-0x00007FF759170000-0x00007FF759561000-memory.dmp

Filesize
3.9MB

Download
memory/3956-1989-0x00007FF759170000-0x00007FF759561000-memory.dmp

Filesize
3.9MB

Download
memory/4764-2019-0x00007FF7244D0000-0x00007FF7248C1000-memory.dmp

Filesize
3.9MB

Download
memory/4764-554-0x00007FF7244D0000-0x00007FF7248C1000-memory.dmp

Filesize
3.9MB

Download
memory/4768-2021-0x00007FF68BF50000-0x00007FF68C341000-memory.dmp

Filesize
3.9MB

Download
memory/4768-547-0x00007FF68BF50000-0x00007FF68C341000-memory.dmp

Filesize
3.9MB

Download
memory/4828-543-0x00007FF615620000-0x00007FF615A11000-memory.dmp

Filesize
3.9MB

Download
memory/4828-2022-0x00007FF615620000-0x00007FF615A11000-memory.dmp

Filesize
3.9MB

Download
memory/4844-2027-0x00007FF746A20000-0x00007FF746E11000-memory.dmp

Filesize
3.9MB

Download
memory/4844-524-0x00007FF746A20000-0x00007FF746E11000-memory.dmp

Filesize
3.9MB

Download
memory/4884-2031-0x00007FF724410000-0x00007FF724801000-memory.dmp

Filesize
3.9MB

Download
memory/4884-520-0x00007FF724410000-0x00007FF724801000-memory.dmp

Filesize
3.9MB

Download
memory/4956-504-0x00007FF77B4D0000-0x00007FF77B8C1000-memory.dmp

Filesize
3.9MB

Download
memory/4956-2004-0x00007FF77B4D0000-0x00007FF77B8C1000-memory.dmp

Filesize
3.9MB

Download
memory/4996-2024-0x00007FF76DE20000-0x00007FF76E211000-memory.dmp

Filesize
3.9MB

Download
memory/4996-528-0x00007FF76DE20000-0x00007FF76E211000-memory.dmp

Filesize
3.9MB

Download