xmrig | 882f1f42221b37a2f078d472bfe69542caaccc655ac244898617d88a6a217809

Analysis

max time kernel
121s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
Size

1.5MB
MD5

84812147a4292d1edbf9fbe285ff61f0
SHA1

252ef0fa2d725085f013353d308728977a608d4b
SHA256

882f1f42221b37a2f078d472bfe69542caaccc655ac244898617d88a6a217809
SHA512

2652f9d6c29c9e00fd0140bdea79ec1520648de8ac64b53e76cd8fc8a1e27d2b45ca8503594b7334f5358123c822162ab77ac3be2f6d273b10c458ef0de57cdb
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkibTJH+2Q/ynKeWYBLIgBCDDcljfmoyxW8GMm3P3kr:Lz071uv4BPMkibTIA5tIgcHS/8GD0

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 12492 created 4924	12492	WerFaultSecure.exe	79

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/220-13-0x00007FF6620F0000-0x00007FF6624E2000-memory.dmp	xmrig
behavioral2/memory/2012-639-0x00007FF6BC350000-0x00007FF6BC742000-memory.dmp	xmrig
behavioral2/memory/2996-1249-0x00007FF623450000-0x00007FF623842000-memory.dmp	xmrig
behavioral2/memory/988-1112-0x00007FF6F70F0000-0x00007FF6F74E2000-memory.dmp	xmrig
behavioral2/memory/384-1117-0x00007FF629D70000-0x00007FF62A162000-memory.dmp	xmrig
behavioral2/memory/2400-1426-0x00007FF772E70000-0x00007FF773262000-memory.dmp	xmrig
behavioral2/memory/3748-1448-0x00007FF7EFBA0000-0x00007FF7EFF92000-memory.dmp	xmrig
behavioral2/memory/4120-1455-0x00007FF77C840000-0x00007FF77CC32000-memory.dmp	xmrig
behavioral2/memory/1568-1466-0x00007FF77FC00000-0x00007FF77FFF2000-memory.dmp	xmrig
behavioral2/memory/744-1461-0x00007FF76EAC0000-0x00007FF76EEB2000-memory.dmp	xmrig
behavioral2/memory/764-1460-0x00007FF629730000-0x00007FF629B22000-memory.dmp	xmrig
behavioral2/memory/740-1454-0x00007FF63A1A0000-0x00007FF63A592000-memory.dmp	xmrig
behavioral2/memory/2540-1447-0x00007FF76ADC0000-0x00007FF76B1B2000-memory.dmp	xmrig
behavioral2/memory/3300-1425-0x00007FF735BA0000-0x00007FF735F92000-memory.dmp	xmrig
behavioral2/memory/1948-1416-0x00007FF64D460000-0x00007FF64D852000-memory.dmp	xmrig
behavioral2/memory/1820-1415-0x00007FF707250000-0x00007FF707642000-memory.dmp	xmrig
behavioral2/memory/4952-1356-0x00007FF736680000-0x00007FF736A72000-memory.dmp	xmrig
behavioral2/memory/4696-1355-0x00007FF773BC0000-0x00007FF773FB2000-memory.dmp	xmrig
behavioral2/memory/1988-1293-0x00007FF6215A0000-0x00007FF621992000-memory.dmp	xmrig
behavioral2/memory/3236-1245-0x00007FF602B60000-0x00007FF602F52000-memory.dmp	xmrig
behavioral2/memory/3060-562-0x00007FF6619C0000-0x00007FF661DB2000-memory.dmp	xmrig
behavioral2/memory/1720-522-0x00007FF76B0B0000-0x00007FF76B4A2000-memory.dmp	xmrig
behavioral2/memory/1572-42-0x00007FF779190000-0x00007FF779582000-memory.dmp	xmrig
behavioral2/memory/1664-2680-0x00007FF66BAF0000-0x00007FF66BEE2000-memory.dmp	xmrig
behavioral2/memory/220-2682-0x00007FF6620F0000-0x00007FF6624E2000-memory.dmp	xmrig
behavioral2/memory/2680-2689-0x00007FF774E40000-0x00007FF775232000-memory.dmp	xmrig
behavioral2/memory/744-2693-0x00007FF76EAC0000-0x00007FF76EEB2000-memory.dmp	xmrig
behavioral2/memory/764-2692-0x00007FF629730000-0x00007FF629B22000-memory.dmp	xmrig
behavioral2/memory/1572-2695-0x00007FF779190000-0x00007FF779582000-memory.dmp	xmrig
behavioral2/memory/988-2698-0x00007FF6F70F0000-0x00007FF6F74E2000-memory.dmp	xmrig
behavioral2/memory/2012-2701-0x00007FF6BC350000-0x00007FF6BC742000-memory.dmp	xmrig
behavioral2/memory/3236-2709-0x00007FF602B60000-0x00007FF602F52000-memory.dmp	xmrig
behavioral2/memory/1720-2708-0x00007FF76B0B0000-0x00007FF76B4A2000-memory.dmp	xmrig
behavioral2/memory/1988-2713-0x00007FF6215A0000-0x00007FF621992000-memory.dmp	xmrig
behavioral2/memory/4696-2715-0x00007FF773BC0000-0x00007FF773FB2000-memory.dmp	xmrig
behavioral2/memory/2996-2711-0x00007FF623450000-0x00007FF623842000-memory.dmp	xmrig
behavioral2/memory/3060-2705-0x00007FF6619C0000-0x00007FF661DB2000-memory.dmp	xmrig
behavioral2/memory/384-2704-0x00007FF629D70000-0x00007FF62A162000-memory.dmp	xmrig
behavioral2/memory/1568-2700-0x00007FF77FC00000-0x00007FF77FFF2000-memory.dmp	xmrig
behavioral2/memory/1820-2730-0x00007FF707250000-0x00007FF707642000-memory.dmp	xmrig
behavioral2/memory/4952-2742-0x00007FF736680000-0x00007FF736A72000-memory.dmp	xmrig
behavioral2/memory/4120-2744-0x00007FF77C840000-0x00007FF77CC32000-memory.dmp	xmrig
behavioral2/memory/3300-2740-0x00007FF735BA0000-0x00007FF735F92000-memory.dmp	xmrig
behavioral2/memory/2540-2737-0x00007FF76ADC0000-0x00007FF76B1B2000-memory.dmp	xmrig
behavioral2/memory/740-2733-0x00007FF63A1A0000-0x00007FF63A592000-memory.dmp	xmrig
behavioral2/memory/1948-2729-0x00007FF64D460000-0x00007FF64D852000-memory.dmp	xmrig
behavioral2/memory/2400-2739-0x00007FF772E70000-0x00007FF773262000-memory.dmp	xmrig
behavioral2/memory/3748-2735-0x00007FF7EFBA0000-0x00007FF7EFF92000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1732	powershell.exe
10	1732	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
220	hSWBpSJ.exe
2680	lCVxooy.exe
764	dfaKBid.exe
744	AQzgcNI.exe
1572	PyWRhcF.exe
1720	JrzJGAR.exe
3060	fvuzRND.exe
2012	vAFupNf.exe
1568	SuBkMCu.exe
988	YwyHxUY.exe
384	ykgAQWe.exe
3236	HvgjsBC.exe
2996	KNUexeO.exe
1988	NnJAoVW.exe
4696	cQKfukf.exe
4952	keRWOyx.exe
1820	FZyLlJT.exe
1948	ZCbTIpn.exe
3300	mUrrtlL.exe
2400	LKgopsF.exe
2540	NaWEkIJ.exe
3748	gPVsnaR.exe
740	tHhgjpa.exe
4120	mFRUlVp.exe
4400	dojxrUU.exe
4644	LPEhCRA.exe
2776	XolSpuX.exe
468	OfysYSc.exe
2696	exYHTIf.exe
1972	QCtlRBa.exe
4904	HPmpLfL.exe
3188	iVKhGnG.exe
3088	wmaQcQz.exe
696	XarylRJ.exe
3204	KRknOtB.exe
4504	mPixXGt.exe
2256	TuPwHhz.exe
4684	mNHaGWA.exe
4704	PIRJCMb.exe
1404	PipzeFx.exe
4548	nXcIvWk.exe
3124	OrHgoYp.exe
4648	BwFDlol.exe
4996	tsgCaXX.exe
2284	GtZpvkq.exe
4440	iePcbBk.exe
4680	ukqidhL.exe
4160	rrFOrJG.exe
560	SsyxZmW.exe
916	mJuWjLf.exe
5048	EvOfqvN.exe
3656	wQJgldk.exe
672	XaCRSlO.exe
2408	xcCacLv.exe
4580	fEWrNGT.exe
848	izNPkqw.exe
1436	gKyKfif.exe
1388	xgyjQwW.exe
4392	LOYhoXi.exe
2420	ZZWMCPe.exe
4004	GIakaCE.exe
3360	GUiAaYY.exe
3804	ztqASwk.exe
2580	SeAquzc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1664-0-0x00007FF66BAF0000-0x00007FF66BEE2000-memory.dmp	upx
behavioral2/files/0x00080000000233f7-5.dat	upx
behavioral2/files/0x00070000000233fc-8.dat	upx
behavioral2/memory/220-13-0x00007FF6620F0000-0x00007FF6624E2000-memory.dmp	upx
behavioral2/files/0x00070000000233fe-33.dat	upx
behavioral2/files/0x0007000000023400-35.dat	upx
behavioral2/files/0x0007000000023401-38.dat	upx
behavioral2/files/0x0007000000023402-56.dat	upx
behavioral2/files/0x0007000000023403-61.dat	upx
behavioral2/files/0x0007000000023407-83.dat	upx
behavioral2/files/0x000700000002340b-103.dat	upx
behavioral2/files/0x0008000000023408-113.dat	upx
behavioral2/files/0x0007000000023410-141.dat	upx
behavioral2/memory/2012-639-0x00007FF6BC350000-0x00007FF6BC742000-memory.dmp	upx
behavioral2/memory/2996-1249-0x00007FF623450000-0x00007FF623842000-memory.dmp	upx
behavioral2/memory/988-1112-0x00007FF6F70F0000-0x00007FF6F74E2000-memory.dmp	upx
behavioral2/memory/384-1117-0x00007FF629D70000-0x00007FF62A162000-memory.dmp	upx
behavioral2/memory/2400-1426-0x00007FF772E70000-0x00007FF773262000-memory.dmp	upx
behavioral2/memory/3748-1448-0x00007FF7EFBA0000-0x00007FF7EFF92000-memory.dmp	upx
behavioral2/memory/4120-1455-0x00007FF77C840000-0x00007FF77CC32000-memory.dmp	upx
behavioral2/memory/1568-1466-0x00007FF77FC00000-0x00007FF77FFF2000-memory.dmp	upx
behavioral2/memory/744-1461-0x00007FF76EAC0000-0x00007FF76EEB2000-memory.dmp	upx
behavioral2/memory/764-1460-0x00007FF629730000-0x00007FF629B22000-memory.dmp	upx
behavioral2/memory/740-1454-0x00007FF63A1A0000-0x00007FF63A592000-memory.dmp	upx
behavioral2/memory/2540-1447-0x00007FF76ADC0000-0x00007FF76B1B2000-memory.dmp	upx
behavioral2/memory/3300-1425-0x00007FF735BA0000-0x00007FF735F92000-memory.dmp	upx
behavioral2/memory/1948-1416-0x00007FF64D460000-0x00007FF64D852000-memory.dmp	upx
behavioral2/memory/1820-1415-0x00007FF707250000-0x00007FF707642000-memory.dmp	upx
behavioral2/memory/4952-1356-0x00007FF736680000-0x00007FF736A72000-memory.dmp	upx
behavioral2/memory/4696-1355-0x00007FF773BC0000-0x00007FF773FB2000-memory.dmp	upx
behavioral2/memory/1988-1293-0x00007FF6215A0000-0x00007FF621992000-memory.dmp	upx
behavioral2/memory/3236-1245-0x00007FF602B60000-0x00007FF602F52000-memory.dmp	upx
behavioral2/memory/3060-562-0x00007FF6619C0000-0x00007FF661DB2000-memory.dmp	upx
behavioral2/memory/1720-522-0x00007FF76B0B0000-0x00007FF76B4A2000-memory.dmp	upx
behavioral2/files/0x0007000000023419-178.dat	upx
behavioral2/files/0x0007000000023417-176.dat	upx
behavioral2/files/0x0007000000023418-173.dat	upx
behavioral2/files/0x0007000000023416-171.dat	upx
behavioral2/files/0x0007000000023415-166.dat	upx
behavioral2/files/0x0007000000023414-161.dat	upx
behavioral2/files/0x0007000000023413-156.dat	upx
behavioral2/files/0x0007000000023412-151.dat	upx
behavioral2/files/0x0007000000023411-146.dat	upx
behavioral2/files/0x000700000002340f-136.dat	upx
behavioral2/files/0x000700000002340e-131.dat	upx
behavioral2/files/0x000700000002340d-126.dat	upx
behavioral2/files/0x000700000002340c-116.dat	upx
behavioral2/files/0x0008000000023409-106.dat	upx
behavioral2/files/0x00080000000233f8-101.dat	upx
behavioral2/files/0x000700000002340a-96.dat	upx
behavioral2/files/0x0007000000023406-86.dat	upx
behavioral2/files/0x0007000000023405-81.dat	upx
behavioral2/files/0x0007000000023404-76.dat	upx
behavioral2/files/0x00070000000233ff-43.dat	upx
behavioral2/memory/1572-42-0x00007FF779190000-0x00007FF779582000-memory.dmp	upx
behavioral2/files/0x00070000000233fd-22.dat	upx
behavioral2/memory/2680-19-0x00007FF774E40000-0x00007FF775232000-memory.dmp	upx
behavioral2/files/0x00070000000233fb-17.dat	upx
behavioral2/memory/1664-2680-0x00007FF66BAF0000-0x00007FF66BEE2000-memory.dmp	upx
behavioral2/memory/220-2682-0x00007FF6620F0000-0x00007FF6624E2000-memory.dmp	upx
behavioral2/memory/2680-2689-0x00007FF774E40000-0x00007FF775232000-memory.dmp	upx
behavioral2/memory/744-2693-0x00007FF76EAC0000-0x00007FF76EEB2000-memory.dmp	upx
behavioral2/memory/764-2692-0x00007FF629730000-0x00007FF629B22000-memory.dmp	upx
behavioral2/memory/1572-2695-0x00007FF779190000-0x00007FF779582000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\BkuViqP.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\SINmCXj.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\MeIcWCQ.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\TCGleNi.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\ayRsZaZ.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\fWYCQzb.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\CjmUvpV.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\ehGnUuZ.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\MNfRVmd.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\CzrBRLD.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\VTMdJhJ.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\chKOPio.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\DnKtQaq.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\FtDJaaE.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\FoKEGak.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\RBQzVZX.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\TcRqaco.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\VjknPIJ.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\gTBUDZl.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\QysIJzz.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\NpZlMIS.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\YjSjEIk.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\mhcOHLe.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\eTNlGXT.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\wGgMsAy.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\OfysYSc.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\ibUGTsp.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\zhIYFCc.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\ZGPInlA.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\xiSPipQ.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\AOJPlov.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\UlNwGBh.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\XiwKaxB.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\nkUxiYi.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\RjZSTyG.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\ErrdiUr.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\fmoRjps.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\ooGuEQh.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\EDnnrIo.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\XHFVeod.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\HraExYK.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\LkHWICF.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\EWHSPIb.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\REqIelr.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\NWVmrUe.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\nBvWnee.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\sOtNeiR.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\eikNvgP.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\XolSpuX.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\TdwEFdE.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\SmoTWFW.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\QhjAFNS.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\KoDQYjH.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\XyBjncI.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\zzhYYsT.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\jbmGrVL.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\NMTqNNH.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\gXxluaF.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\MKFrgtF.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\xXTBTTj.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\GQJEqrH.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\AzGeGkM.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\iIgfTfC.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
File created	C:\Windows\System\EnXzkgO.exe	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe
13032	WerFaultSecure.exe
13032	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1732	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1732	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	84
PID 1664 wrote to memory of 1732	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	84
PID 1664 wrote to memory of 220	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	85
PID 1664 wrote to memory of 220	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	85
PID 1664 wrote to memory of 2680	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	86
PID 1664 wrote to memory of 2680	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	86
PID 1664 wrote to memory of 764	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	87
PID 1664 wrote to memory of 764	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	87
PID 1664 wrote to memory of 744	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	88
PID 1664 wrote to memory of 744	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	88
PID 1664 wrote to memory of 1572	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	89
PID 1664 wrote to memory of 1572	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	89
PID 1664 wrote to memory of 3060	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	90
PID 1664 wrote to memory of 3060	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	90
PID 1664 wrote to memory of 1720	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	91
PID 1664 wrote to memory of 1720	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	91
PID 1664 wrote to memory of 2012	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	92
PID 1664 wrote to memory of 2012	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	92
PID 1664 wrote to memory of 1568	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	93
PID 1664 wrote to memory of 1568	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	93
PID 1664 wrote to memory of 988	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	94
PID 1664 wrote to memory of 988	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	94
PID 1664 wrote to memory of 384	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	95
PID 1664 wrote to memory of 384	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	95
PID 1664 wrote to memory of 3236	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	96
PID 1664 wrote to memory of 3236	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	96
PID 1664 wrote to memory of 2996	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	97
PID 1664 wrote to memory of 2996	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	97
PID 1664 wrote to memory of 1988	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	98
PID 1664 wrote to memory of 1988	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	98
PID 1664 wrote to memory of 4696	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	99
PID 1664 wrote to memory of 4696	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	99
PID 1664 wrote to memory of 4952	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	100
PID 1664 wrote to memory of 4952	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	100
PID 1664 wrote to memory of 1820	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	101
PID 1664 wrote to memory of 1820	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	101
PID 1664 wrote to memory of 1948	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	102
PID 1664 wrote to memory of 1948	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	102
PID 1664 wrote to memory of 3300	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	103
PID 1664 wrote to memory of 3300	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	103
PID 1664 wrote to memory of 2400	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	104
PID 1664 wrote to memory of 2400	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	104
PID 1664 wrote to memory of 2540	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	105
PID 1664 wrote to memory of 2540	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	105
PID 1664 wrote to memory of 3748	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	106
PID 1664 wrote to memory of 3748	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	106
PID 1664 wrote to memory of 740	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	107
PID 1664 wrote to memory of 740	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	107
PID 1664 wrote to memory of 4120	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	108
PID 1664 wrote to memory of 4120	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	108
PID 1664 wrote to memory of 4400	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	109
PID 1664 wrote to memory of 4400	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	109
PID 1664 wrote to memory of 4644	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	110
PID 1664 wrote to memory of 4644	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	110
PID 1664 wrote to memory of 2776	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	111
PID 1664 wrote to memory of 2776	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	111
PID 1664 wrote to memory of 468	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	112
PID 1664 wrote to memory of 468	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	112
PID 1664 wrote to memory of 2696	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	113
PID 1664 wrote to memory of 2696	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	113
PID 1664 wrote to memory of 1972	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	114
PID 1664 wrote to memory of 1972	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	114
PID 1664 wrote to memory of 4904	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	115
PID 1664 wrote to memory of 4904	1664	84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe	115

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4924
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 4924 -s 920
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:13032

C:\Users\Admin\AppData\Local\Temp\84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\84812147a4292d1edbf9fbe285ff61f0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1732" "2928" "2884" "2936" "0" "0" "2960" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13292
- C:\Windows\System\hSWBpSJ.exe
  C:\Windows\System\hSWBpSJ.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\lCVxooy.exe
  C:\Windows\System\lCVxooy.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\dfaKBid.exe
  C:\Windows\System\dfaKBid.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\AQzgcNI.exe
  C:\Windows\System\AQzgcNI.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\PyWRhcF.exe
  C:\Windows\System\PyWRhcF.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\fvuzRND.exe
  C:\Windows\System\fvuzRND.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\JrzJGAR.exe
  C:\Windows\System\JrzJGAR.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\vAFupNf.exe
  C:\Windows\System\vAFupNf.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\SuBkMCu.exe
  C:\Windows\System\SuBkMCu.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\YwyHxUY.exe
  C:\Windows\System\YwyHxUY.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System\ykgAQWe.exe
  C:\Windows\System\ykgAQWe.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\HvgjsBC.exe
  C:\Windows\System\HvgjsBC.exe
  2⤵
  - Executes dropped EXE
  PID:3236
- C:\Windows\System\KNUexeO.exe
  C:\Windows\System\KNUexeO.exe
  2⤵
  - Executes dropped EXE
  PID:2996
- C:\Windows\System\NnJAoVW.exe
  C:\Windows\System\NnJAoVW.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\cQKfukf.exe
  C:\Windows\System\cQKfukf.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\keRWOyx.exe
  C:\Windows\System\keRWOyx.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\FZyLlJT.exe
  C:\Windows\System\FZyLlJT.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\ZCbTIpn.exe
  C:\Windows\System\ZCbTIpn.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\mUrrtlL.exe
  C:\Windows\System\mUrrtlL.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\LKgopsF.exe
  C:\Windows\System\LKgopsF.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\NaWEkIJ.exe
  C:\Windows\System\NaWEkIJ.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\gPVsnaR.exe
  C:\Windows\System\gPVsnaR.exe
  2⤵
  - Executes dropped EXE
  PID:3748
- C:\Windows\System\tHhgjpa.exe
  C:\Windows\System\tHhgjpa.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System\mFRUlVp.exe
  C:\Windows\System\mFRUlVp.exe
  2⤵
  - Executes dropped EXE
  PID:4120
- C:\Windows\System\dojxrUU.exe
  C:\Windows\System\dojxrUU.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\LPEhCRA.exe
  C:\Windows\System\LPEhCRA.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\XolSpuX.exe
  C:\Windows\System\XolSpuX.exe
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Windows\System\OfysYSc.exe
  C:\Windows\System\OfysYSc.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\exYHTIf.exe
  C:\Windows\System\exYHTIf.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\QCtlRBa.exe
  C:\Windows\System\QCtlRBa.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\HPmpLfL.exe
  C:\Windows\System\HPmpLfL.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\iVKhGnG.exe
  C:\Windows\System\iVKhGnG.exe
  2⤵
  - Executes dropped EXE
  PID:3188
- C:\Windows\System\wmaQcQz.exe
  C:\Windows\System\wmaQcQz.exe
  2⤵
  - Executes dropped EXE
  PID:3088
- C:\Windows\System\XarylRJ.exe
  C:\Windows\System\XarylRJ.exe
  2⤵
  - Executes dropped EXE
  PID:696
- C:\Windows\System\KRknOtB.exe
  C:\Windows\System\KRknOtB.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\mPixXGt.exe
  C:\Windows\System\mPixXGt.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\TuPwHhz.exe
  C:\Windows\System\TuPwHhz.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\mNHaGWA.exe
  C:\Windows\System\mNHaGWA.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\PIRJCMb.exe
  C:\Windows\System\PIRJCMb.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\PipzeFx.exe
  C:\Windows\System\PipzeFx.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\nXcIvWk.exe
  C:\Windows\System\nXcIvWk.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\OrHgoYp.exe
  C:\Windows\System\OrHgoYp.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\BwFDlol.exe
  C:\Windows\System\BwFDlol.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\tsgCaXX.exe
  C:\Windows\System\tsgCaXX.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\GtZpvkq.exe
  C:\Windows\System\GtZpvkq.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\iePcbBk.exe
  C:\Windows\System\iePcbBk.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System\ukqidhL.exe
  C:\Windows\System\ukqidhL.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\rrFOrJG.exe
  C:\Windows\System\rrFOrJG.exe
  2⤵
  - Executes dropped EXE
  PID:4160
- C:\Windows\System\SsyxZmW.exe
  C:\Windows\System\SsyxZmW.exe
  2⤵
  - Executes dropped EXE
  PID:560
- C:\Windows\System\mJuWjLf.exe
  C:\Windows\System\mJuWjLf.exe
  2⤵
  - Executes dropped EXE
  PID:916
- C:\Windows\System\EvOfqvN.exe
  C:\Windows\System\EvOfqvN.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\wQJgldk.exe
  C:\Windows\System\wQJgldk.exe
  2⤵
  - Executes dropped EXE
  PID:3656
- C:\Windows\System\XaCRSlO.exe
  C:\Windows\System\XaCRSlO.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System\xcCacLv.exe
  C:\Windows\System\xcCacLv.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\fEWrNGT.exe
  C:\Windows\System\fEWrNGT.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\izNPkqw.exe
  C:\Windows\System\izNPkqw.exe
  2⤵
  - Executes dropped EXE
  PID:848
- C:\Windows\System\gKyKfif.exe
  C:\Windows\System\gKyKfif.exe
  2⤵
  - Executes dropped EXE
  PID:1436
- C:\Windows\System\xgyjQwW.exe
  C:\Windows\System\xgyjQwW.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\LOYhoXi.exe
  C:\Windows\System\LOYhoXi.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\ZZWMCPe.exe
  C:\Windows\System\ZZWMCPe.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\GIakaCE.exe
  C:\Windows\System\GIakaCE.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\GUiAaYY.exe
  C:\Windows\System\GUiAaYY.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\ztqASwk.exe
  C:\Windows\System\ztqASwk.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System\SeAquzc.exe
  C:\Windows\System\SeAquzc.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\kZLFBhb.exe
  C:\Windows\System\kZLFBhb.exe
  2⤵
  PID:1316
- C:\Windows\System\xajbwQz.exe
  C:\Windows\System\xajbwQz.exe
  2⤵
  PID:2440
- C:\Windows\System\gDchyUJ.exe
  C:\Windows\System\gDchyUJ.exe
  2⤵
  PID:2332
- C:\Windows\System\BTkEEjN.exe
  C:\Windows\System\BTkEEjN.exe
  2⤵
  PID:5052
- C:\Windows\System\odnHZkX.exe
  C:\Windows\System\odnHZkX.exe
  2⤵
  PID:4560
- C:\Windows\System\matIsIv.exe
  C:\Windows\System\matIsIv.exe
  2⤵
  PID:536
- C:\Windows\System\NbIfHsv.exe
  C:\Windows\System\NbIfHsv.exe
  2⤵
  PID:4112
- C:\Windows\System\iTcgOab.exe
  C:\Windows\System\iTcgOab.exe
  2⤵
  PID:1384
- C:\Windows\System\dLxjFnN.exe
  C:\Windows\System\dLxjFnN.exe
  2⤵
  PID:660
- C:\Windows\System\SbUrlEa.exe
  C:\Windows\System\SbUrlEa.exe
  2⤵
  PID:404
- C:\Windows\System\dnHFjYJ.exe
  C:\Windows\System\dnHFjYJ.exe
  2⤵
  PID:3940
- C:\Windows\System\ubYVLpG.exe
  C:\Windows\System\ubYVLpG.exe
  2⤵
  PID:4280
- C:\Windows\System\ypSdOBF.exe
  C:\Windows\System\ypSdOBF.exe
  2⤵
  PID:2484
- C:\Windows\System\enQgniq.exe
  C:\Windows\System\enQgniq.exe
  2⤵
  PID:3704
- C:\Windows\System\eUVauJn.exe
  C:\Windows\System\eUVauJn.exe
  2⤵
  PID:440
- C:\Windows\System\kyFQDZO.exe
  C:\Windows\System\kyFQDZO.exe
  2⤵
  PID:5148
- C:\Windows\System\ibCSXJV.exe
  C:\Windows\System\ibCSXJV.exe
  2⤵
  PID:5172
- C:\Windows\System\TrInStQ.exe
  C:\Windows\System\TrInStQ.exe
  2⤵
  PID:5200
- C:\Windows\System\tommHdl.exe
  C:\Windows\System\tommHdl.exe
  2⤵
  PID:5228
- C:\Windows\System\AWCQdRD.exe
  C:\Windows\System\AWCQdRD.exe
  2⤵
  PID:5260
- C:\Windows\System\QCRbGbG.exe
  C:\Windows\System\QCRbGbG.exe
  2⤵
  PID:5288
- C:\Windows\System\RiYwEvx.exe
  C:\Windows\System\RiYwEvx.exe
  2⤵
  PID:5312
- C:\Windows\System\HIGqqMR.exe
  C:\Windows\System\HIGqqMR.exe
  2⤵
  PID:5340
- C:\Windows\System\TRTrIbq.exe
  C:\Windows\System\TRTrIbq.exe
  2⤵
  PID:5368
- C:\Windows\System\mFHQbvP.exe
  C:\Windows\System\mFHQbvP.exe
  2⤵
  PID:5396
- C:\Windows\System\QMOlKJz.exe
  C:\Windows\System\QMOlKJz.exe
  2⤵
  PID:5428
- C:\Windows\System\wlxaXUW.exe
  C:\Windows\System\wlxaXUW.exe
  2⤵
  PID:5456
- C:\Windows\System\nylveQj.exe
  C:\Windows\System\nylveQj.exe
  2⤵
  PID:5480
- C:\Windows\System\EzdAOaq.exe
  C:\Windows\System\EzdAOaq.exe
  2⤵
  PID:5512
- C:\Windows\System\sinRDIW.exe
  C:\Windows\System\sinRDIW.exe
  2⤵
  PID:5540
- C:\Windows\System\TdwEFdE.exe
  C:\Windows\System\TdwEFdE.exe
  2⤵
  PID:5572
- C:\Windows\System\fNLYIpF.exe
  C:\Windows\System\fNLYIpF.exe
  2⤵
  PID:5600
- C:\Windows\System\QOGEKbC.exe
  C:\Windows\System\QOGEKbC.exe
  2⤵
  PID:5628
- C:\Windows\System\xapRETc.exe
  C:\Windows\System\xapRETc.exe
  2⤵
  PID:5656
- C:\Windows\System\vuqsXyz.exe
  C:\Windows\System\vuqsXyz.exe
  2⤵
  PID:5680
- C:\Windows\System\FpcBBQj.exe
  C:\Windows\System\FpcBBQj.exe
  2⤵
  PID:5708
- C:\Windows\System\FkLGINQ.exe
  C:\Windows\System\FkLGINQ.exe
  2⤵
  PID:5736
- C:\Windows\System\WBOcjKF.exe
  C:\Windows\System\WBOcjKF.exe
  2⤵
  PID:5764
- C:\Windows\System\uvQebPg.exe
  C:\Windows\System\uvQebPg.exe
  2⤵
  PID:5792
- C:\Windows\System\QvNDeNf.exe
  C:\Windows\System\QvNDeNf.exe
  2⤵
  PID:5820
- C:\Windows\System\NGaqdiZ.exe
  C:\Windows\System\NGaqdiZ.exe
  2⤵
  PID:5848
- C:\Windows\System\IMccBwP.exe
  C:\Windows\System\IMccBwP.exe
  2⤵
  PID:5880
- C:\Windows\System\ARXsNJr.exe
  C:\Windows\System\ARXsNJr.exe
  2⤵
  PID:5908
- C:\Windows\System\rKEORCN.exe
  C:\Windows\System\rKEORCN.exe
  2⤵
  PID:5936
- C:\Windows\System\UGwiHVL.exe
  C:\Windows\System\UGwiHVL.exe
  2⤵
  PID:5968
- C:\Windows\System\XDQemcb.exe
  C:\Windows\System\XDQemcb.exe
  2⤵
  PID:6000
- C:\Windows\System\ogxnvLg.exe
  C:\Windows\System\ogxnvLg.exe
  2⤵
  PID:6028
- C:\Windows\System\fmvXBdi.exe
  C:\Windows\System\fmvXBdi.exe
  2⤵
  PID:6056
- C:\Windows\System\omdcwnk.exe
  C:\Windows\System\omdcwnk.exe
  2⤵
  PID:6084
- C:\Windows\System\GcQLVRG.exe
  C:\Windows\System\GcQLVRG.exe
  2⤵
  PID:6116
- C:\Windows\System\uMawbRF.exe
  C:\Windows\System\uMawbRF.exe
  2⤵
  PID:676
- C:\Windows\System\TAHpvXL.exe
  C:\Windows\System\TAHpvXL.exe
  2⤵
  PID:1048
- C:\Windows\System\eQUDlJm.exe
  C:\Windows\System\eQUDlJm.exe
  2⤵
  PID:4792
- C:\Windows\System\nbVGfJI.exe
  C:\Windows\System\nbVGfJI.exe
  2⤵
  PID:2568
- C:\Windows\System\NHAgBzh.exe
  C:\Windows\System\NHAgBzh.exe
  2⤵
  PID:2836
- C:\Windows\System\FJkYymC.exe
  C:\Windows\System\FJkYymC.exe
  2⤵
  PID:5248
- C:\Windows\System\EtFEfxZ.exe
  C:\Windows\System\EtFEfxZ.exe
  2⤵
  PID:5280
- C:\Windows\System\OcYChJJ.exe
  C:\Windows\System\OcYChJJ.exe
  2⤵
  PID:3884
- C:\Windows\System\kSuxIup.exe
  C:\Windows\System\kSuxIup.exe
  2⤵
  PID:5356
- C:\Windows\System\eWLpAco.exe
  C:\Windows\System\eWLpAco.exe
  2⤵
  PID:5392
- C:\Windows\System\qnkipvt.exe
  C:\Windows\System\qnkipvt.exe
  2⤵
  PID:5444
- C:\Windows\System\NZyKlbz.exe
  C:\Windows\System\NZyKlbz.exe
  2⤵
  PID:5476
- C:\Windows\System\DErfyjB.exe
  C:\Windows\System\DErfyjB.exe
  2⤵
  PID:5524
- C:\Windows\System\wpkppBE.exe
  C:\Windows\System\wpkppBE.exe
  2⤵
  PID:5536
- C:\Windows\System\tNjmYSL.exe
  C:\Windows\System\tNjmYSL.exe
  2⤵
  PID:5044
- C:\Windows\System\OYSsWEA.exe
  C:\Windows\System\OYSsWEA.exe
  2⤵
  PID:5616
- C:\Windows\System\zJzIBaQ.exe
  C:\Windows\System\zJzIBaQ.exe
  2⤵
  PID:5648
- C:\Windows\System\CatIICU.exe
  C:\Windows\System\CatIICU.exe
  2⤵
  PID:5696
- C:\Windows\System\TOFwcEw.exe
  C:\Windows\System\TOFwcEw.exe
  2⤵
  PID:5732
- C:\Windows\System\zyEiMtB.exe
  C:\Windows\System\zyEiMtB.exe
  2⤵
  PID:5780
- C:\Windows\System\DAICXev.exe
  C:\Windows\System\DAICXev.exe
  2⤵
  PID:5808
- C:\Windows\System\RFpkJgH.exe
  C:\Windows\System\RFpkJgH.exe
  2⤵
  PID:5836
- C:\Windows\System\mLpPCvZ.exe
  C:\Windows\System\mLpPCvZ.exe
  2⤵
  PID:5868
- C:\Windows\System\kTwrHIo.exe
  C:\Windows\System\kTwrHIo.exe
  2⤵
  PID:5900
- C:\Windows\System\vXByAln.exe
  C:\Windows\System\vXByAln.exe
  2⤵
  PID:5948
- C:\Windows\System\bySVmWG.exe
  C:\Windows\System\bySVmWG.exe
  2⤵
  PID:5964
- C:\Windows\System\PUlwFPA.exe
  C:\Windows\System\PUlwFPA.exe
  2⤵
  PID:1452
- C:\Windows\System\aDLQQZL.exe
  C:\Windows\System\aDLQQZL.exe
  2⤵
  PID:1352
- C:\Windows\System\iIgfTfC.exe
  C:\Windows\System\iIgfTfC.exe
  2⤵
  PID:3536
- C:\Windows\System\tzNZtIG.exe
  C:\Windows\System\tzNZtIG.exe
  2⤵
  PID:64
- C:\Windows\System\ZqEiZEc.exe
  C:\Windows\System\ZqEiZEc.exe
  2⤵
  PID:6104
- C:\Windows\System\hHryXNJ.exe
  C:\Windows\System\hHryXNJ.exe
  2⤵
  PID:6132
- C:\Windows\System\BuzknJS.exe
  C:\Windows\System\BuzknJS.exe
  2⤵
  PID:4716
- C:\Windows\System\IaEyNMg.exe
  C:\Windows\System\IaEyNMg.exe
  2⤵
  PID:2720
- C:\Windows\System\nAWlquf.exe
  C:\Windows\System\nAWlquf.exe
  2⤵
  PID:4192
- C:\Windows\System\ccuZdti.exe
  C:\Windows\System\ccuZdti.exe
  2⤵
  PID:4308
- C:\Windows\System\lpaumQd.exe
  C:\Windows\System\lpaumQd.exe
  2⤵
  PID:5192
- C:\Windows\System\spoOWUK.exe
  C:\Windows\System\spoOWUK.exe
  2⤵
  PID:4436
- C:\Windows\System\OCbVgVk.exe
  C:\Windows\System\OCbVgVk.exe
  2⤵
  PID:1824
- C:\Windows\System\JnDToqG.exe
  C:\Windows\System\JnDToqG.exe
  2⤵
  PID:5332
- C:\Windows\System\iMjBvnZ.exe
  C:\Windows\System\iMjBvnZ.exe
  2⤵
  PID:3120
- C:\Windows\System\vecKYwV.exe
  C:\Windows\System\vecKYwV.exe
  2⤵
  PID:5224
- C:\Windows\System\DqYoEpw.exe
  C:\Windows\System\DqYoEpw.exe
  2⤵
  PID:5304
- C:\Windows\System\uCWdDJA.exe
  C:\Windows\System\uCWdDJA.exe
  2⤵
  PID:5440
- C:\Windows\System\YARAUxV.exe
  C:\Windows\System\YARAUxV.exe
  2⤵
  PID:5704
- C:\Windows\System\RDbpQrI.exe
  C:\Windows\System\RDbpQrI.exe
  2⤵
  PID:3376
- C:\Windows\System\HWxawJa.exe
  C:\Windows\System\HWxawJa.exe
  2⤵
  PID:5644
- C:\Windows\System\QamMWhH.exe
  C:\Windows\System\QamMWhH.exe
  2⤵
  PID:940
- C:\Windows\System\sxeMpWV.exe
  C:\Windows\System\sxeMpWV.exe
  2⤵
  PID:5992
- C:\Windows\System\LYMavxv.exe
  C:\Windows\System\LYMavxv.exe
  2⤵
  PID:5896
- C:\Windows\System\UggTsFW.exe
  C:\Windows\System\UggTsFW.exe
  2⤵
  PID:6168
- C:\Windows\System\JYRWhEg.exe
  C:\Windows\System\JYRWhEg.exe
  2⤵
  PID:6188
- C:\Windows\System\IOSkkAn.exe
  C:\Windows\System\IOSkkAn.exe
  2⤵
  PID:6204
- C:\Windows\System\JZKpgpx.exe
  C:\Windows\System\JZKpgpx.exe
  2⤵
  PID:6224
- C:\Windows\System\NEQMrZE.exe
  C:\Windows\System\NEQMrZE.exe
  2⤵
  PID:6252
- C:\Windows\System\PEDXlUV.exe
  C:\Windows\System\PEDXlUV.exe
  2⤵
  PID:6268
- C:\Windows\System\DEPAbXJ.exe
  C:\Windows\System\DEPAbXJ.exe
  2⤵
  PID:6284
- C:\Windows\System\DQZQoSd.exe
  C:\Windows\System\DQZQoSd.exe
  2⤵
  PID:6304
- C:\Windows\System\TmsSJVb.exe
  C:\Windows\System\TmsSJVb.exe
  2⤵
  PID:6320
- C:\Windows\System\WpUtrCH.exe
  C:\Windows\System\WpUtrCH.exe
  2⤵
  PID:6340
- C:\Windows\System\egrYevn.exe
  C:\Windows\System\egrYevn.exe
  2⤵
  PID:6364
- C:\Windows\System\cinQRom.exe
  C:\Windows\System\cinQRom.exe
  2⤵
  PID:6380
- C:\Windows\System\RhoNJLE.exe
  C:\Windows\System\RhoNJLE.exe
  2⤵
  PID:6400
- C:\Windows\System\HMPfNjx.exe
  C:\Windows\System\HMPfNjx.exe
  2⤵
  PID:6420
- C:\Windows\System\bHojuDF.exe
  C:\Windows\System\bHojuDF.exe
  2⤵
  PID:6440
- C:\Windows\System\EMBDyQI.exe
  C:\Windows\System\EMBDyQI.exe
  2⤵
  PID:6464
- C:\Windows\System\axstOoL.exe
  C:\Windows\System\axstOoL.exe
  2⤵
  PID:6480
- C:\Windows\System\LlHYbVW.exe
  C:\Windows\System\LlHYbVW.exe
  2⤵
  PID:6504
- C:\Windows\System\atDeNLI.exe
  C:\Windows\System\atDeNLI.exe
  2⤵
  PID:6520
- C:\Windows\System\xNBYsmk.exe
  C:\Windows\System\xNBYsmk.exe
  2⤵
  PID:6544
- C:\Windows\System\LYWHJhV.exe
  C:\Windows\System\LYWHJhV.exe
  2⤵
  PID:6560
- C:\Windows\System\gyrYMWc.exe
  C:\Windows\System\gyrYMWc.exe
  2⤵
  PID:6584
- C:\Windows\System\KIHYaEI.exe
  C:\Windows\System\KIHYaEI.exe
  2⤵
  PID:6604
- C:\Windows\System\hUHXrft.exe
  C:\Windows\System\hUHXrft.exe
  2⤵
  PID:6624
- C:\Windows\System\vIgkmEF.exe
  C:\Windows\System\vIgkmEF.exe
  2⤵
  PID:6640
- C:\Windows\System\LTiaNXX.exe
  C:\Windows\System\LTiaNXX.exe
  2⤵
  PID:6664
- C:\Windows\System\WrJrjkk.exe
  C:\Windows\System\WrJrjkk.exe
  2⤵
  PID:6688
- C:\Windows\System\CeOubfz.exe
  C:\Windows\System\CeOubfz.exe
  2⤵
  PID:6712
- C:\Windows\System\asuspNw.exe
  C:\Windows\System\asuspNw.exe
  2⤵
  PID:6732
- C:\Windows\System\zwrQjdh.exe
  C:\Windows\System\zwrQjdh.exe
  2⤵
  PID:6752
- C:\Windows\System\fmoRjps.exe
  C:\Windows\System\fmoRjps.exe
  2⤵
  PID:6772
- C:\Windows\System\xNCSUEB.exe
  C:\Windows\System\xNCSUEB.exe
  2⤵
  PID:6788
- C:\Windows\System\SGtVRdR.exe
  C:\Windows\System\SGtVRdR.exe
  2⤵
  PID:6808
- C:\Windows\System\fNrFYsB.exe
  C:\Windows\System\fNrFYsB.exe
  2⤵
  PID:6828
- C:\Windows\System\xxobBGc.exe
  C:\Windows\System\xxobBGc.exe
  2⤵
  PID:6848
- C:\Windows\System\hQswrin.exe
  C:\Windows\System\hQswrin.exe
  2⤵
  PID:6864
- C:\Windows\System\CgNthwT.exe
  C:\Windows\System\CgNthwT.exe
  2⤵
  PID:6884
- C:\Windows\System\XaRiBoa.exe
  C:\Windows\System\XaRiBoa.exe
  2⤵
  PID:6900
- C:\Windows\System\HxABrnI.exe
  C:\Windows\System\HxABrnI.exe
  2⤵
  PID:6916
- C:\Windows\System\jyRxuKZ.exe
  C:\Windows\System\jyRxuKZ.exe
  2⤵
  PID:6936
- C:\Windows\System\ccCpbOe.exe
  C:\Windows\System\ccCpbOe.exe
  2⤵
  PID:6952
- C:\Windows\System\wWtGdpO.exe
  C:\Windows\System\wWtGdpO.exe
  2⤵
  PID:6972
- C:\Windows\System\ZwaxcES.exe
  C:\Windows\System\ZwaxcES.exe
  2⤵
  PID:6996
- C:\Windows\System\SjARvrO.exe
  C:\Windows\System\SjARvrO.exe
  2⤵
  PID:7016
- C:\Windows\System\PAnAEYl.exe
  C:\Windows\System\PAnAEYl.exe
  2⤵
  PID:7040
- C:\Windows\System\ZEYHnau.exe
  C:\Windows\System\ZEYHnau.exe
  2⤵
  PID:7060
- C:\Windows\System\lGhVtSc.exe
  C:\Windows\System\lGhVtSc.exe
  2⤵
  PID:7076
- C:\Windows\System\WytdJRS.exe
  C:\Windows\System\WytdJRS.exe
  2⤵
  PID:7100
- C:\Windows\System\jwpuRuH.exe
  C:\Windows\System\jwpuRuH.exe
  2⤵
  PID:7124
- C:\Windows\System\BnjAQuB.exe
  C:\Windows\System\BnjAQuB.exe
  2⤵
  PID:7140
- C:\Windows\System\JNOySDb.exe
  C:\Windows\System\JNOySDb.exe
  2⤵
  PID:7156
- C:\Windows\System\SKNnTet.exe
  C:\Windows\System\SKNnTet.exe
  2⤵
  PID:320
- C:\Windows\System\EvTKNRz.exe
  C:\Windows\System\EvTKNRz.exe
  2⤵
  PID:1372
- C:\Windows\System\vItpxLk.exe
  C:\Windows\System\vItpxLk.exe
  2⤵
  PID:5592
- C:\Windows\System\tZuoemj.exe
  C:\Windows\System\tZuoemj.exe
  2⤵
  PID:4200
- C:\Windows\System\VVGDors.exe
  C:\Windows\System\VVGDors.exe
  2⤵
  PID:3020
- C:\Windows\System\TwgDkXD.exe
  C:\Windows\System\TwgDkXD.exe
  2⤵
  PID:3276
- C:\Windows\System\jSAHXgk.exe
  C:\Windows\System\jSAHXgk.exe
  2⤵
  PID:3852
- C:\Windows\System\JkKRMAN.exe
  C:\Windows\System\JkKRMAN.exe
  2⤵
  PID:6232
- C:\Windows\System\DEnOvhH.exe
  C:\Windows\System\DEnOvhH.exe
  2⤵
  PID:5336
- C:\Windows\System\xlNQDdh.exe
  C:\Windows\System\xlNQDdh.exe
  2⤵
  PID:2452
- C:\Windows\System\zvUtmbC.exe
  C:\Windows\System\zvUtmbC.exe
  2⤵
  PID:6448
- C:\Windows\System\HXILfOW.exe
  C:\Windows\System\HXILfOW.exe
  2⤵
  PID:5988
- C:\Windows\System\vfxsCbd.exe
  C:\Windows\System\vfxsCbd.exe
  2⤵
  PID:6128
- C:\Windows\System\rjbXPGH.exe
  C:\Windows\System\rjbXPGH.exe
  2⤵
  PID:6556
- C:\Windows\System\yEgOTVw.exe
  C:\Windows\System\yEgOTVw.exe
  2⤵
  PID:944
- C:\Windows\System\FxsDyMj.exe
  C:\Windows\System\FxsDyMj.exe
  2⤵
  PID:6708
- C:\Windows\System\oKeGapm.exe
  C:\Windows\System\oKeGapm.exe
  2⤵
  PID:6796
- C:\Windows\System\FnpMZxd.exe
  C:\Windows\System\FnpMZxd.exe
  2⤵
  PID:6292
- C:\Windows\System\qCnuPIO.exe
  C:\Windows\System\qCnuPIO.exe
  2⤵
  PID:6856
- C:\Windows\System\aWlDwNi.exe
  C:\Windows\System\aWlDwNi.exe
  2⤵
  PID:7184
- C:\Windows\System\KdhccxS.exe
  C:\Windows\System\KdhccxS.exe
  2⤵
  PID:7200
- C:\Windows\System\PjmJXWU.exe
  C:\Windows\System\PjmJXWU.exe
  2⤵
  PID:7220
- C:\Windows\System\MvQZACp.exe
  C:\Windows\System\MvQZACp.exe
  2⤵
  PID:7244
- C:\Windows\System\egJuBgY.exe
  C:\Windows\System\egJuBgY.exe
  2⤵
  PID:7260
- C:\Windows\System\yhwXgfK.exe
  C:\Windows\System\yhwXgfK.exe
  2⤵
  PID:7284
- C:\Windows\System\IcGfWcS.exe
  C:\Windows\System\IcGfWcS.exe
  2⤵
  PID:7300
- C:\Windows\System\ZfBHotT.exe
  C:\Windows\System\ZfBHotT.exe
  2⤵
  PID:7320
- C:\Windows\System\WAjWIGM.exe
  C:\Windows\System\WAjWIGM.exe
  2⤵
  PID:7340
- C:\Windows\System\UcmHZWH.exe
  C:\Windows\System\UcmHZWH.exe
  2⤵
  PID:7360
- C:\Windows\System\nwptXEn.exe
  C:\Windows\System\nwptXEn.exe
  2⤵
  PID:7380
- C:\Windows\System\CkEHnaZ.exe
  C:\Windows\System\CkEHnaZ.exe
  2⤵
  PID:7404
- C:\Windows\System\xMoWKVF.exe
  C:\Windows\System\xMoWKVF.exe
  2⤵
  PID:7424
- C:\Windows\System\JLUPDSh.exe
  C:\Windows\System\JLUPDSh.exe
  2⤵
  PID:7448
- C:\Windows\System\FjEHili.exe
  C:\Windows\System\FjEHili.exe
  2⤵
  PID:7468
- C:\Windows\System\OWsdWbu.exe
  C:\Windows\System\OWsdWbu.exe
  2⤵
  PID:7488
- C:\Windows\System\JEpSmza.exe
  C:\Windows\System\JEpSmza.exe
  2⤵
  PID:7508
- C:\Windows\System\LmXuCUm.exe
  C:\Windows\System\LmXuCUm.exe
  2⤵
  PID:7524
- C:\Windows\System\pvxlekt.exe
  C:\Windows\System\pvxlekt.exe
  2⤵
  PID:7544
- C:\Windows\System\nByOVJJ.exe
  C:\Windows\System\nByOVJJ.exe
  2⤵
  PID:7564
- C:\Windows\System\wiCJJoY.exe
  C:\Windows\System\wiCJJoY.exe
  2⤵
  PID:7584
- C:\Windows\System\VZCqMWl.exe
  C:\Windows\System\VZCqMWl.exe
  2⤵
  PID:7604
- C:\Windows\System\JAtbeCw.exe
  C:\Windows\System\JAtbeCw.exe
  2⤵
  PID:7624
- C:\Windows\System\AieHnRd.exe
  C:\Windows\System\AieHnRd.exe
  2⤵
  PID:7644
- C:\Windows\System\cxDuMHL.exe
  C:\Windows\System\cxDuMHL.exe
  2⤵
  PID:7664
- C:\Windows\System\iESxusj.exe
  C:\Windows\System\iESxusj.exe
  2⤵
  PID:7684
- C:\Windows\System\hLDAhZm.exe
  C:\Windows\System\hLDAhZm.exe
  2⤵
  PID:7708
- C:\Windows\System\uZWVAyS.exe
  C:\Windows\System\uZWVAyS.exe
  2⤵
  PID:7728
- C:\Windows\System\tmQwjpf.exe
  C:\Windows\System\tmQwjpf.exe
  2⤵
  PID:7752
- C:\Windows\System\OCsjosG.exe
  C:\Windows\System\OCsjosG.exe
  2⤵
  PID:7768
- C:\Windows\System\hhALIMv.exe
  C:\Windows\System\hhALIMv.exe
  2⤵
  PID:7788
- C:\Windows\System\zzhYYsT.exe
  C:\Windows\System\zzhYYsT.exe
  2⤵
  PID:7808
- C:\Windows\System\fOAweEB.exe
  C:\Windows\System\fOAweEB.exe
  2⤵
  PID:7824
- C:\Windows\System\dOirXXx.exe
  C:\Windows\System\dOirXXx.exe
  2⤵
  PID:7848
- C:\Windows\System\irtaMhY.exe
  C:\Windows\System\irtaMhY.exe
  2⤵
  PID:7872
- C:\Windows\System\CmyYCwL.exe
  C:\Windows\System\CmyYCwL.exe
  2⤵
  PID:7888
- C:\Windows\System\GEYgODP.exe
  C:\Windows\System\GEYgODP.exe
  2⤵
  PID:7912
- C:\Windows\System\UtEIbTR.exe
  C:\Windows\System\UtEIbTR.exe
  2⤵
  PID:7928
- C:\Windows\System\wnJePbU.exe
  C:\Windows\System\wnJePbU.exe
  2⤵
  PID:7952
- C:\Windows\System\kcOdVGu.exe
  C:\Windows\System\kcOdVGu.exe
  2⤵
  PID:7972
- C:\Windows\System\SYJGzGd.exe
  C:\Windows\System\SYJGzGd.exe
  2⤵
  PID:8000
- C:\Windows\System\EiiprhV.exe
  C:\Windows\System\EiiprhV.exe
  2⤵
  PID:8032
- C:\Windows\System\MaxODNK.exe
  C:\Windows\System\MaxODNK.exe
  2⤵
  PID:6376
- C:\Windows\System\yNdLGNe.exe
  C:\Windows\System\yNdLGNe.exe
  2⤵
  PID:7656
- C:\Windows\System\TumQwcy.exe
  C:\Windows\System\TumQwcy.exe
  2⤵
  PID:7372
- C:\Windows\System\lpVoipM.exe
  C:\Windows\System\lpVoipM.exe
  2⤵
  PID:7476
- C:\Windows\System\ywGlgfL.exe
  C:\Windows\System\ywGlgfL.exe
  2⤵
  PID:6780
- C:\Windows\System\eUURMkq.exe
  C:\Windows\System\eUURMkq.exe
  2⤵
  PID:6968
- C:\Windows\System\wojZwsB.exe
  C:\Windows\System\wojZwsB.exe
  2⤵
  PID:7268
- C:\Windows\System\rVsxLTc.exe
  C:\Windows\System\rVsxLTc.exe
  2⤵
  PID:7996
- C:\Windows\System\vhyykqd.exe
  C:\Windows\System\vhyykqd.exe
  2⤵
  PID:7052
- C:\Windows\System\jiBiACp.exe
  C:\Windows\System\jiBiACp.exe
  2⤵
  PID:7164
- C:\Windows\System\EnXzkgO.exe
  C:\Windows\System\EnXzkgO.exe
  2⤵
  PID:7620
- C:\Windows\System\iqOGpkl.exe
  C:\Windows\System\iqOGpkl.exe
  2⤵
  PID:7696
- C:\Windows\System\lREwyfZ.exe
  C:\Windows\System\lREwyfZ.exe
  2⤵
  PID:8204
- C:\Windows\System\fSPuCKU.exe
  C:\Windows\System\fSPuCKU.exe
  2⤵
  PID:8228
- C:\Windows\System\iDchDrz.exe
  C:\Windows\System\iDchDrz.exe
  2⤵
  PID:8248
- C:\Windows\System\aqtDiws.exe
  C:\Windows\System\aqtDiws.exe
  2⤵
  PID:8268
- C:\Windows\System\XAoaonv.exe
  C:\Windows\System\XAoaonv.exe
  2⤵
  PID:8284
- C:\Windows\System\OsOPuTe.exe
  C:\Windows\System\OsOPuTe.exe
  2⤵
  PID:8300
- C:\Windows\System\okJbgdh.exe
  C:\Windows\System\okJbgdh.exe
  2⤵
  PID:8320
- C:\Windows\System\rxDDpZv.exe
  C:\Windows\System\rxDDpZv.exe
  2⤵
  PID:8336
- C:\Windows\System\KPmdMYk.exe
  C:\Windows\System\KPmdMYk.exe
  2⤵
  PID:8352
- C:\Windows\System\mxFTcYf.exe
  C:\Windows\System\mxFTcYf.exe
  2⤵
  PID:8368
- C:\Windows\System\bmNhsef.exe
  C:\Windows\System\bmNhsef.exe
  2⤵
  PID:8384
- C:\Windows\System\wHFQRqJ.exe
  C:\Windows\System\wHFQRqJ.exe
  2⤵
  PID:8400
- C:\Windows\System\nnRDqPT.exe
  C:\Windows\System\nnRDqPT.exe
  2⤵
  PID:8416
- C:\Windows\System\FVzPagw.exe
  C:\Windows\System\FVzPagw.exe
  2⤵
  PID:8432
- C:\Windows\System\BwbeRFn.exe
  C:\Windows\System\BwbeRFn.exe
  2⤵
  PID:8448
- C:\Windows\System\YaTmFqB.exe
  C:\Windows\System\YaTmFqB.exe
  2⤵
  PID:8468
- C:\Windows\System\ibUGTsp.exe
  C:\Windows\System\ibUGTsp.exe
  2⤵
  PID:8516
- C:\Windows\System\PgctmAC.exe
  C:\Windows\System\PgctmAC.exe
  2⤵
  PID:8556
- C:\Windows\System\xPMwloO.exe
  C:\Windows\System\xPMwloO.exe
  2⤵
  PID:8576
- C:\Windows\System\WkPrcac.exe
  C:\Windows\System\WkPrcac.exe
  2⤵
  PID:8592
- C:\Windows\System\EioBynm.exe
  C:\Windows\System\EioBynm.exe
  2⤵
  PID:8612
- C:\Windows\System\UDFvtTj.exe
  C:\Windows\System\UDFvtTj.exe
  2⤵
  PID:8640
- C:\Windows\System\jbmGrVL.exe
  C:\Windows\System\jbmGrVL.exe
  2⤵
  PID:8656
- C:\Windows\System\avUWqOe.exe
  C:\Windows\System\avUWqOe.exe
  2⤵
  PID:8684
- C:\Windows\System\ayRsZaZ.exe
  C:\Windows\System\ayRsZaZ.exe
  2⤵
  PID:8712
- C:\Windows\System\GxiZnwI.exe
  C:\Windows\System\GxiZnwI.exe
  2⤵
  PID:8732
- C:\Windows\System\hiNPhWw.exe
  C:\Windows\System\hiNPhWw.exe
  2⤵
  PID:8760
- C:\Windows\System\AgTLqDu.exe
  C:\Windows\System\AgTLqDu.exe
  2⤵
  PID:8796
- C:\Windows\System\cFsdxpl.exe
  C:\Windows\System\cFsdxpl.exe
  2⤵
  PID:8816
- C:\Windows\System\fDZwmGZ.exe
  C:\Windows\System\fDZwmGZ.exe
  2⤵
  PID:8836
- C:\Windows\System\whKAvhy.exe
  C:\Windows\System\whKAvhy.exe
  2⤵
  PID:8860
- C:\Windows\System\EWHSPIb.exe
  C:\Windows\System\EWHSPIb.exe
  2⤵
  PID:8876
- C:\Windows\System\OgYzEBo.exe
  C:\Windows\System\OgYzEBo.exe
  2⤵
  PID:8904
- C:\Windows\System\TWrSmhV.exe
  C:\Windows\System\TWrSmhV.exe
  2⤵
  PID:8928
- C:\Windows\System\VhfSrGN.exe
  C:\Windows\System\VhfSrGN.exe
  2⤵
  PID:8948
- C:\Windows\System\CbGNPef.exe
  C:\Windows\System\CbGNPef.exe
  2⤵
  PID:8972
- C:\Windows\System\KXqzgej.exe
  C:\Windows\System\KXqzgej.exe
  2⤵
  PID:8988
- C:\Windows\System\vVsXeVR.exe
  C:\Windows\System\vVsXeVR.exe
  2⤵
  PID:9012
- C:\Windows\System\zjLLRVs.exe
  C:\Windows\System\zjLLRVs.exe
  2⤵
  PID:9036
- C:\Windows\System\ryWNLGZ.exe
  C:\Windows\System\ryWNLGZ.exe
  2⤵
  PID:9052
- C:\Windows\System\ezbDLGQ.exe
  C:\Windows\System\ezbDLGQ.exe
  2⤵
  PID:9068
- C:\Windows\System\DmdVzIX.exe
  C:\Windows\System\DmdVzIX.exe
  2⤵
  PID:9096
- C:\Windows\System\bRSmPCC.exe
  C:\Windows\System\bRSmPCC.exe
  2⤵
  PID:9124
- C:\Windows\System\fWYCQzb.exe
  C:\Windows\System\fWYCQzb.exe
  2⤵
  PID:9144
- C:\Windows\System\hQZmvEm.exe
  C:\Windows\System\hQZmvEm.exe
  2⤵
  PID:9168
- C:\Windows\System\dTjkolh.exe
  C:\Windows\System\dTjkolh.exe
  2⤵
  PID:9184
- C:\Windows\System\GcBgIMq.exe
  C:\Windows\System\GcBgIMq.exe
  2⤵
  PID:9212
- C:\Windows\System\mxWmiOc.exe
  C:\Windows\System\mxWmiOc.exe
  2⤵
  PID:7720
- C:\Windows\System\LOLyHsc.exe
  C:\Windows\System\LOLyHsc.exe
  2⤵
  PID:6100
- C:\Windows\System\ROCpGnW.exe
  C:\Windows\System\ROCpGnW.exe
  2⤵
  PID:7884
- C:\Windows\System\HVbVDLx.exe
  C:\Windows\System\HVbVDLx.exe
  2⤵
  PID:7196
- C:\Windows\System\fyTadKS.exe
  C:\Windows\System\fyTadKS.exe
  2⤵
  PID:9220
- C:\Windows\System\pzmaPRO.exe
  C:\Windows\System\pzmaPRO.exe
  2⤵
  PID:9240
- C:\Windows\System\FoKEGak.exe
  C:\Windows\System\FoKEGak.exe
  2⤵
  PID:9264
- C:\Windows\System\MrJrRLv.exe
  C:\Windows\System\MrJrRLv.exe
  2⤵
  PID:9284
- C:\Windows\System\sKeEwbz.exe
  C:\Windows\System\sKeEwbz.exe
  2⤵
  PID:9304
- C:\Windows\System\NpFpeUM.exe
  C:\Windows\System\NpFpeUM.exe
  2⤵
  PID:9336
- C:\Windows\System\NZxpiCg.exe
  C:\Windows\System\NZxpiCg.exe
  2⤵
  PID:9356
- C:\Windows\System\glmqtjP.exe
  C:\Windows\System\glmqtjP.exe
  2⤵
  PID:9372
- C:\Windows\System\GVJIEBm.exe
  C:\Windows\System\GVJIEBm.exe
  2⤵
  PID:9396
- C:\Windows\System\gTmDllG.exe
  C:\Windows\System\gTmDllG.exe
  2⤵
  PID:9420
- C:\Windows\System\quaettf.exe
  C:\Windows\System\quaettf.exe
  2⤵
  PID:9444
- C:\Windows\System\mCzLojQ.exe
  C:\Windows\System\mCzLojQ.exe
  2⤵
  PID:9468
- C:\Windows\System\yKapBmT.exe
  C:\Windows\System\yKapBmT.exe
  2⤵
  PID:9492
- C:\Windows\System\YZCFmQC.exe
  C:\Windows\System\YZCFmQC.exe
  2⤵
  PID:9524
- C:\Windows\System\IDcePwO.exe
  C:\Windows\System\IDcePwO.exe
  2⤵
  PID:9540
- C:\Windows\System\thlzVkL.exe
  C:\Windows\System\thlzVkL.exe
  2⤵
  PID:9556
- C:\Windows\System\nOZYOTk.exe
  C:\Windows\System\nOZYOTk.exe
  2⤵
  PID:9572
- C:\Windows\System\gOyIQXM.exe
  C:\Windows\System\gOyIQXM.exe
  2⤵
  PID:9588
- C:\Windows\System\xAYRWEy.exe
  C:\Windows\System\xAYRWEy.exe
  2⤵
  PID:9612
- C:\Windows\System\CjmUvpV.exe
  C:\Windows\System\CjmUvpV.exe
  2⤵
  PID:9668
- C:\Windows\System\yiJTopc.exe
  C:\Windows\System\yiJTopc.exe
  2⤵
  PID:9692
- C:\Windows\System\TCnIoFQ.exe
  C:\Windows\System\TCnIoFQ.exe
  2⤵
  PID:9712
- C:\Windows\System\CHBMQNc.exe
  C:\Windows\System\CHBMQNc.exe
  2⤵
  PID:9772
- C:\Windows\System\MraTigw.exe
  C:\Windows\System\MraTigw.exe
  2⤵
  PID:9792
- C:\Windows\System\ZpwlfJq.exe
  C:\Windows\System\ZpwlfJq.exe
  2⤵
  PID:9812
- C:\Windows\System\gpTBRUD.exe
  C:\Windows\System\gpTBRUD.exe
  2⤵
  PID:9828
- C:\Windows\System\YLKhNMZ.exe
  C:\Windows\System\YLKhNMZ.exe
  2⤵
  PID:9848
- C:\Windows\System\CpwiyHr.exe
  C:\Windows\System\CpwiyHr.exe
  2⤵
  PID:9864
- C:\Windows\System\zhIYFCc.exe
  C:\Windows\System\zhIYFCc.exe
  2⤵
  PID:9896
- C:\Windows\System\vmtCBOq.exe
  C:\Windows\System\vmtCBOq.exe
  2⤵
  PID:9916
- C:\Windows\System\OTkzuWn.exe
  C:\Windows\System\OTkzuWn.exe
  2⤵
  PID:9940
- C:\Windows\System\BJmpgzF.exe
  C:\Windows\System\BJmpgzF.exe
  2⤵
  PID:9960
- C:\Windows\System\PNDdFlm.exe
  C:\Windows\System\PNDdFlm.exe
  2⤵
  PID:9976
- C:\Windows\System\pZwYHLt.exe
  C:\Windows\System\pZwYHLt.exe
  2⤵
  PID:9992
- C:\Windows\System\wGesqJO.exe
  C:\Windows\System\wGesqJO.exe
  2⤵
  PID:10008
- C:\Windows\System\jHzzNXb.exe
  C:\Windows\System\jHzzNXb.exe
  2⤵
  PID:10028
- C:\Windows\System\UCiLfmT.exe
  C:\Windows\System\UCiLfmT.exe
  2⤵
  PID:10052
- C:\Windows\System\NBCLQZx.exe
  C:\Windows\System\NBCLQZx.exe
  2⤵
  PID:10068
- C:\Windows\System\xxKhCdV.exe
  C:\Windows\System\xxKhCdV.exe
  2⤵
  PID:10092
- C:\Windows\System\leybzFe.exe
  C:\Windows\System\leybzFe.exe
  2⤵
  PID:10120
- C:\Windows\System\feugXFz.exe
  C:\Windows\System\feugXFz.exe
  2⤵
  PID:10140
- C:\Windows\System\PEosyqg.exe
  C:\Windows\System\PEosyqg.exe
  2⤵
  PID:10160
- C:\Windows\System\INAOMwb.exe
  C:\Windows\System\INAOMwb.exe
  2⤵
  PID:10184
- C:\Windows\System\zNXsOlF.exe
  C:\Windows\System\zNXsOlF.exe
  2⤵
  PID:10204
- C:\Windows\System\EqiYgTx.exe
  C:\Windows\System\EqiYgTx.exe
  2⤵
  PID:10224
- C:\Windows\System\uMulqnT.exe
  C:\Windows\System\uMulqnT.exe
  2⤵
  PID:5816
- C:\Windows\System\ShdvCKl.exe
  C:\Windows\System\ShdvCKl.exe
  2⤵
  PID:7356
- C:\Windows\System\rsVJZkQ.exe
  C:\Windows\System\rsVJZkQ.exe
  2⤵
  PID:7640
- C:\Windows\System\peVGKCE.exe
  C:\Windows\System\peVGKCE.exe
  2⤵
  PID:8048
- C:\Windows\System\yZnRpLz.exe
  C:\Windows\System\yZnRpLz.exe
  2⤵
  PID:7296
- C:\Windows\System\rtddojd.exe
  C:\Windows\System\rtddojd.exe
  2⤵
  PID:7744
- C:\Windows\System\AoSDlwL.exe
  C:\Windows\System\AoSDlwL.exe
  2⤵
  PID:5756
- C:\Windows\System\RoRvYND.exe
  C:\Windows\System\RoRvYND.exe
  2⤵
  PID:8552
- C:\Windows\System\qEOMwhL.exe
  C:\Windows\System\qEOMwhL.exe
  2⤵
  PID:8648
- C:\Windows\System\gHcdsdI.exe
  C:\Windows\System\gHcdsdI.exe
  2⤵
  PID:8668
- C:\Windows\System\kmyraMT.exe
  C:\Windows\System\kmyraMT.exe
  2⤵
  PID:7760
- C:\Windows\System\euJuSJu.exe
  C:\Windows\System\euJuSJu.exe
  2⤵
  PID:7532
- C:\Windows\System\YTbwRHD.exe
  C:\Windows\System\YTbwRHD.exe
  2⤵
  PID:8892
- C:\Windows\System\ULUBbVB.exe
  C:\Windows\System\ULUBbVB.exe
  2⤵
  PID:4184
- C:\Windows\System\NRXFnsL.exe
  C:\Windows\System\NRXFnsL.exe
  2⤵
  PID:8980
- C:\Windows\System\enNMPyn.exe
  C:\Windows\System\enNMPyn.exe
  2⤵
  PID:9048
- C:\Windows\System\FRQinzW.exe
  C:\Windows\System\FRQinzW.exe
  2⤵
  PID:9116
- C:\Windows\System\muzIurh.exe
  C:\Windows\System\muzIurh.exe
  2⤵
  PID:6636
- C:\Windows\System\JTyQFgd.exe
  C:\Windows\System\JTyQFgd.exe
  2⤵
  PID:7968
- C:\Windows\System\SfIEgmp.exe
  C:\Windows\System\SfIEgmp.exe
  2⤵
  PID:9364
- C:\Windows\System\QlKwCdF.exe
  C:\Windows\System\QlKwCdF.exe
  2⤵
  PID:9452
- C:\Windows\System\GvGyimY.exe
  C:\Windows\System\GvGyimY.exe
  2⤵
  PID:9500
- C:\Windows\System\QJoDcFq.exe
  C:\Windows\System\QJoDcFq.exe
  2⤵
  PID:9516
- C:\Windows\System\MKFrgtF.exe
  C:\Windows\System\MKFrgtF.exe
  2⤵
  PID:9552
- C:\Windows\System\kebqqGv.exe
  C:\Windows\System\kebqqGv.exe
  2⤵
  PID:10264
- C:\Windows\System\dRwIvHt.exe
  C:\Windows\System\dRwIvHt.exe
  2⤵
  PID:10284
- C:\Windows\System\IVyWAiA.exe
  C:\Windows\System\IVyWAiA.exe
  2⤵
  PID:10304
- C:\Windows\System\pJGstue.exe
  C:\Windows\System\pJGstue.exe
  2⤵
  PID:10320
- C:\Windows\System\JHfIOQv.exe
  C:\Windows\System\JHfIOQv.exe
  2⤵
  PID:10348
- C:\Windows\System\vKzPLHI.exe
  C:\Windows\System\vKzPLHI.exe
  2⤵
  PID:10364
- C:\Windows\System\GigjNAx.exe
  C:\Windows\System\GigjNAx.exe
  2⤵
  PID:10380
- C:\Windows\System\uRcLENt.exe
  C:\Windows\System\uRcLENt.exe
  2⤵
  PID:10400
- C:\Windows\System\FZkXLWC.exe
  C:\Windows\System\FZkXLWC.exe
  2⤵
  PID:10424
- C:\Windows\System\xXTBTTj.exe
  C:\Windows\System\xXTBTTj.exe
  2⤵
  PID:10444
- C:\Windows\System\dYvzeoL.exe
  C:\Windows\System\dYvzeoL.exe
  2⤵
  PID:10460
- C:\Windows\System\nNwBLAP.exe
  C:\Windows\System\nNwBLAP.exe
  2⤵
  PID:10480
- C:\Windows\System\FTlpzcQ.exe
  C:\Windows\System\FTlpzcQ.exe
  2⤵
  PID:10500
- C:\Windows\System\GQJEqrH.exe
  C:\Windows\System\GQJEqrH.exe
  2⤵
  PID:10520
- C:\Windows\System\qefOyfO.exe
  C:\Windows\System\qefOyfO.exe
  2⤵
  PID:10544
- C:\Windows\System\ChGdxRQ.exe
  C:\Windows\System\ChGdxRQ.exe
  2⤵
  PID:10560
- C:\Windows\System\GJcXFMp.exe
  C:\Windows\System\GJcXFMp.exe
  2⤵
  PID:10588
- C:\Windows\System\QLqguJA.exe
  C:\Windows\System\QLqguJA.exe
  2⤵
  PID:10604
- C:\Windows\System\hnsfHOY.exe
  C:\Windows\System\hnsfHOY.exe
  2⤵
  PID:10620
- C:\Windows\System\IkXIxmc.exe
  C:\Windows\System\IkXIxmc.exe
  2⤵
  PID:10644
- C:\Windows\System\FNRxaVG.exe
  C:\Windows\System\FNRxaVG.exe
  2⤵
  PID:10660
- C:\Windows\System\epVAQmo.exe
  C:\Windows\System\epVAQmo.exe
  2⤵
  PID:10684
- C:\Windows\System\mNxQkLc.exe
  C:\Windows\System\mNxQkLc.exe
  2⤵
  PID:10708
- C:\Windows\System\meqJYOi.exe
  C:\Windows\System\meqJYOi.exe
  2⤵
  PID:10724
- C:\Windows\System\ehGnUuZ.exe
  C:\Windows\System\ehGnUuZ.exe
  2⤵
  PID:10748
- C:\Windows\System\xgHYJBJ.exe
  C:\Windows\System\xgHYJBJ.exe
  2⤵
  PID:10768
- C:\Windows\System\BkuViqP.exe
  C:\Windows\System\BkuViqP.exe
  2⤵
  PID:10788
- C:\Windows\System\LhsAqNR.exe
  C:\Windows\System\LhsAqNR.exe
  2⤵
  PID:10808
- C:\Windows\System\YimqbjI.exe
  C:\Windows\System\YimqbjI.exe
  2⤵
  PID:8376
- C:\Windows\System\bFCzBVX.exe
  C:\Windows\System\bFCzBVX.exe
  2⤵
  PID:8344
- C:\Windows\System\SGfqQPB.exe
  C:\Windows\System\SGfqQPB.exe
  2⤵
  PID:8280
- C:\Windows\System\GHeQbzH.exe
  C:\Windows\System\GHeQbzH.exe
  2⤵
  PID:11136
- C:\Windows\System\KlOjovL.exe
  C:\Windows\System\KlOjovL.exe
  2⤵
  PID:4040
- C:\Windows\System\iEAvsjO.exe
  C:\Windows\System\iEAvsjO.exe
  2⤵
  PID:10316
- C:\Windows\System\NJtaUYj.exe
  C:\Windows\System\NJtaUYj.exe
  2⤵
  PID:10732
- C:\Windows\System\RgtLkYp.exe
  C:\Windows\System\RgtLkYp.exe
  2⤵
  PID:9952
- C:\Windows\System\mpSGuQv.exe
  C:\Windows\System\mpSGuQv.exe
  2⤵
  PID:9020
- C:\Windows\System\tQHyOFW.exe
  C:\Windows\System\tQHyOFW.exe
  2⤵
  PID:11152
- C:\Windows\System\tIiVebK.exe
  C:\Windows\System\tIiVebK.exe
  2⤵
  PID:8292
- C:\Windows\System\NMTqNNH.exe
  C:\Windows\System\NMTqNNH.exe
  2⤵
  PID:9988
- C:\Windows\System\BYQnhan.exe
  C:\Windows\System\BYQnhan.exe
  2⤵
  PID:8780
- C:\Windows\System\NqsoqbY.exe
  C:\Windows\System\NqsoqbY.exe
  2⤵
  PID:8996
- C:\Windows\System\dJwbKDl.exe
  C:\Windows\System\dJwbKDl.exe
  2⤵
  PID:3696
- C:\Windows\System\KiIctgP.exe
  C:\Windows\System\KiIctgP.exe
  2⤵
  PID:7252
- C:\Windows\System\UJxOxgq.exe
  C:\Windows\System\UJxOxgq.exe
  2⤵
  PID:10148
- C:\Windows\System\VNHVivv.exe
  C:\Windows\System\VNHVivv.exe
  2⤵
  PID:6076
- C:\Windows\System\odJAwxP.exe
  C:\Windows\System\odJAwxP.exe
  2⤵
  PID:9320
- C:\Windows\System\PAGfVzu.exe
  C:\Windows\System\PAGfVzu.exe
  2⤵
  PID:9596
- C:\Windows\System\sZQGQjn.exe
  C:\Windows\System\sZQGQjn.exe
  2⤵
  PID:1628
- C:\Windows\System\VSAkwdM.exe
  C:\Windows\System\VSAkwdM.exe
  2⤵
  PID:11196
- C:\Windows\System\KJALAXb.exe
  C:\Windows\System\KJALAXb.exe
  2⤵
  PID:6700
- C:\Windows\System\lKGTEaz.exe
  C:\Windows\System\lKGTEaz.exe
  2⤵
  PID:8868
- C:\Windows\System\oomKpuI.exe
  C:\Windows\System\oomKpuI.exe
  2⤵
  PID:8260
- C:\Windows\System\xXhrOOO.exe
  C:\Windows\System\xXhrOOO.exe
  2⤵
  PID:8484
- C:\Windows\System\mVvTzRO.exe
  C:\Windows\System\mVvTzRO.exe
  2⤵
  PID:3156
- C:\Windows\System\VbWUzhx.exe
  C:\Windows\System\VbWUzhx.exe
  2⤵
  PID:3332
- C:\Windows\System\JsFYYUp.exe
  C:\Windows\System\JsFYYUp.exe
  2⤵
  PID:11084
- C:\Windows\System\ooGuEQh.exe
  C:\Windows\System\ooGuEQh.exe
  2⤵
  PID:10784
- C:\Windows\System\cYzKGZh.exe
  C:\Windows\System\cYzKGZh.exe
  2⤵
  PID:6880
- C:\Windows\System\XfcwrbC.exe
  C:\Windows\System\XfcwrbC.exe
  2⤵
  PID:10392
- C:\Windows\System\CpDubNT.exe
  C:\Windows\System\CpDubNT.exe
  2⤵
  PID:11288
- C:\Windows\System\qymsjvO.exe
  C:\Windows\System\qymsjvO.exe
  2⤵
  PID:11336
- C:\Windows\System\miasHcb.exe
  C:\Windows\System\miasHcb.exe
  2⤵
  PID:11364
- C:\Windows\System\tMyhXEv.exe
  C:\Windows\System\tMyhXEv.exe
  2⤵
  PID:11392
- C:\Windows\System\VsRYGrs.exe
  C:\Windows\System\VsRYGrs.exe
  2⤵
  PID:11416
- C:\Windows\System\OWZyaVW.exe
  C:\Windows\System\OWZyaVW.exe
  2⤵
  PID:11444
- C:\Windows\System\ZawVyyp.exe
  C:\Windows\System\ZawVyyp.exe
  2⤵
  PID:11472
- C:\Windows\System\eyvtmFw.exe
  C:\Windows\System\eyvtmFw.exe
  2⤵
  PID:11504
- C:\Windows\System\zyeURYE.exe
  C:\Windows\System\zyeURYE.exe
  2⤵
  PID:11532
- C:\Windows\System\CyzKBDW.exe
  C:\Windows\System\CyzKBDW.exe
  2⤵
  PID:11560
- C:\Windows\System\ptnlzDS.exe
  C:\Windows\System\ptnlzDS.exe
  2⤵
  PID:11588
- C:\Windows\System\vynlyMO.exe
  C:\Windows\System\vynlyMO.exe
  2⤵
  PID:11616
- C:\Windows\System\dxOuUba.exe
  C:\Windows\System\dxOuUba.exe
  2⤵
  PID:11644
- C:\Windows\System\zRMQieE.exe
  C:\Windows\System\zRMQieE.exe
  2⤵
  PID:11668
- C:\Windows\System\CDYTahT.exe
  C:\Windows\System\CDYTahT.exe
  2⤵
  PID:11700
- C:\Windows\System\CZfggQy.exe
  C:\Windows\System\CZfggQy.exe
  2⤵
  PID:11728
- C:\Windows\System\DqXKcJT.exe
  C:\Windows\System\DqXKcJT.exe
  2⤵
  PID:11756
- C:\Windows\System\SoOQrAS.exe
  C:\Windows\System\SoOQrAS.exe
  2⤵
  PID:11784
- C:\Windows\System\habGnCJ.exe
  C:\Windows\System\habGnCJ.exe
  2⤵
  PID:11812
- C:\Windows\System\zqPPYmU.exe
  C:\Windows\System\zqPPYmU.exe
  2⤵
  PID:11840
- C:\Windows\System\IZQDyRF.exe
  C:\Windows\System\IZQDyRF.exe
  2⤵
  PID:11868
- C:\Windows\System\ROFmHWQ.exe
  C:\Windows\System\ROFmHWQ.exe
  2⤵
  PID:11904
- C:\Windows\System\POoXahA.exe
  C:\Windows\System\POoXahA.exe
  2⤵
  PID:11936
- C:\Windows\System\OeKbYVo.exe
  C:\Windows\System\OeKbYVo.exe
  2⤵
  PID:11952
- C:\Windows\System\IrVVOOl.exe
  C:\Windows\System\IrVVOOl.exe
  2⤵
  PID:11980
- C:\Windows\System\OITtHLc.exe
  C:\Windows\System\OITtHLc.exe
  2⤵
  PID:12008
- C:\Windows\System\xiSPipQ.exe
  C:\Windows\System\xiSPipQ.exe
  2⤵
  PID:12036
- C:\Windows\System\utSBdFg.exe
  C:\Windows\System\utSBdFg.exe
  2⤵
  PID:12064
- C:\Windows\System\IELRUkF.exe
  C:\Windows\System\IELRUkF.exe
  2⤵
  PID:12092
- C:\Windows\System\uviULEa.exe
  C:\Windows\System\uviULEa.exe
  2⤵
  PID:12116
- C:\Windows\System\mykBnpE.exe
  C:\Windows\System\mykBnpE.exe
  2⤵
  PID:12144
- C:\Windows\System\VqEUjIv.exe
  C:\Windows\System\VqEUjIv.exe
  2⤵
  PID:12176
- C:\Windows\System\zOqvuLS.exe
  C:\Windows\System\zOqvuLS.exe
  2⤵
  PID:12204
- C:\Windows\System\UMCyQLR.exe
  C:\Windows\System\UMCyQLR.exe
  2⤵
  PID:12232
- C:\Windows\System\UpsiQqA.exe
  C:\Windows\System\UpsiQqA.exe
  2⤵
  PID:12256
- C:\Windows\System\NtjfdLb.exe
  C:\Windows\System\NtjfdLb.exe
  2⤵
  PID:4340
- C:\Windows\System\bcajImr.exe
  C:\Windows\System\bcajImr.exe
  2⤵
  PID:8608
- C:\Windows\System\ucjRdpr.exe
  C:\Windows\System\ucjRdpr.exe
  2⤵
  PID:9436
- C:\Windows\System\HJGFHHM.exe
  C:\Windows\System\HJGFHHM.exe
  2⤵
  PID:10596
- C:\Windows\System\ViEvqaG.exe
  C:\Windows\System\ViEvqaG.exe
  2⤵
  PID:1216
- C:\Windows\System\zRGkQFK.exe
  C:\Windows\System\zRGkQFK.exe
  2⤵
  PID:1692
- C:\Windows\System\AOJPlov.exe
  C:\Windows\System\AOJPlov.exe
  2⤵
  PID:6452
- C:\Windows\System\VgSPCTl.exe
  C:\Windows\System\VgSPCTl.exe
  2⤵
  PID:12192
- C:\Windows\System\ifxXzMw.exe
  C:\Windows\System\ifxXzMw.exe
  2⤵
  PID:12136
- C:\Windows\System\qlmPJEs.exe
  C:\Windows\System\qlmPJEs.exe
  2⤵
  PID:12104
- C:\Windows\System\qMVcQML.exe
  C:\Windows\System\qMVcQML.exe
  2⤵
  PID:12052
- C:\Windows\System\oEtohib.exe
  C:\Windows\System\oEtohib.exe
  2⤵
  PID:12020
- C:\Windows\System\CVLTxYI.exe
  C:\Windows\System\CVLTxYI.exe
  2⤵
  PID:11896
- C:\Windows\System\SDiijtq.exe
  C:\Windows\System\SDiijtq.exe
  2⤵
  PID:11828
- C:\Windows\System\aRUWtJT.exe
  C:\Windows\System\aRUWtJT.exe
  2⤵
  PID:11776
- C:\Windows\System\ibTSlIM.exe
  C:\Windows\System\ibTSlIM.exe
  2⤵
  PID:11744
- C:\Windows\System\iLRPwGD.exe
  C:\Windows\System\iLRPwGD.exe
  2⤵
  PID:11692
- C:\Windows\System\drmNWQi.exe
  C:\Windows\System\drmNWQi.exe
  2⤵
  PID:11608
- C:\Windows\System\wTSrKSv.exe
  C:\Windows\System\wTSrKSv.exe
  2⤵
  PID:11576
- C:\Windows\System\pKvulti.exe
  C:\Windows\System\pKvulti.exe
  2⤵
  PID:11520
- C:\Windows\System\mLTZzQy.exe
  C:\Windows\System\mLTZzQy.exe
  2⤵
  PID:11464
- C:\Windows\System\InbskCY.exe
  C:\Windows\System\InbskCY.exe
  2⤵
  PID:11388
- C:\Windows\System\xYxqiRV.exe
  C:\Windows\System\xYxqiRV.exe
  2⤵
  PID:11320
- C:\Windows\System\KWcankG.exe
  C:\Windows\System\KWcankG.exe
  2⤵
  PID:11280
- C:\Windows\System\ShFwptX.exe
  C:\Windows\System\ShFwptX.exe
  2⤵
  PID:10616
- C:\Windows\System\sIFfSXK.exe
  C:\Windows\System\sIFfSXK.exe
  2⤵
  PID:9476
- C:\Windows\System\qproddL.exe
  C:\Windows\System\qproddL.exe
  2⤵
  PID:7880
- C:\Windows\System\zClzieI.exe
  C:\Windows\System\zClzieI.exe
  2⤵
  PID:3568
- C:\Windows\System\iUPMTXg.exe
  C:\Windows\System\iUPMTXg.exe
  2⤵
  PID:7112
- C:\Windows\System\lQVXMNS.exe
  C:\Windows\System\lQVXMNS.exe
  2⤵
  PID:6768
- C:\Windows\System\VZWpMuB.exe
  C:\Windows\System\VZWpMuB.exe
  2⤵
  PID:10532
- C:\Windows\System\LQUruJt.exe
  C:\Windows\System\LQUruJt.exe
  2⤵
  PID:12272
- C:\Windows\System\qfUKBSZ.exe
  C:\Windows\System\qfUKBSZ.exe
  2⤵
  PID:12164
- C:\Windows\System\kZrIKxb.exe
  C:\Windows\System\kZrIKxb.exe
  2⤵
  PID:12076
- C:\Windows\System\zOjHkim.exe
  C:\Windows\System\zOjHkim.exe
  2⤵
  PID:10668
- C:\Windows\System\DeEbuZu.exe
  C:\Windows\System\DeEbuZu.exe
  2⤵
  PID:5068
- C:\Windows\System\uaXMkdr.exe
  C:\Windows\System\uaXMkdr.exe
  2⤵
  PID:11768
- C:\Windows\System\qjybfjB.exe
  C:\Windows\System\qjybfjB.exe
  2⤵
  PID:11656
- C:\Windows\System\pHvxhVV.exe
  C:\Windows\System\pHvxhVV.exe
  2⤵
  PID:5096
- C:\Windows\System\flKneYy.exe
  C:\Windows\System\flKneYy.exe
  2⤵
  PID:12216
- C:\Windows\System\lIcJCzH.exe
  C:\Windows\System\lIcJCzH.exe
  2⤵
  PID:7212
- C:\Windows\System\MCEeuZh.exe
  C:\Windows\System\MCEeuZh.exe
  2⤵
  PID:11024
- C:\Windows\System\OBaNsFJ.exe
  C:\Windows\System\OBaNsFJ.exe
  2⤵
  PID:5004
- C:\Windows\System\oXGtpGW.exe
  C:\Windows\System\oXGtpGW.exe
  2⤵
  PID:11404
- C:\Windows\System\fMFwONs.exe
  C:\Windows\System\fMFwONs.exe
  2⤵
  PID:10940
- C:\Windows\System\tHaVzaG.exe
  C:\Windows\System\tHaVzaG.exe
  2⤵
  PID:10100
- C:\Windows\System\gwXZBra.exe
  C:\Windows\System\gwXZBra.exe
  2⤵
  PID:10420
- C:\Windows\System\PlfWwgN.exe
  C:\Windows\System\PlfWwgN.exe
  2⤵
  PID:11800
- C:\Windows\System\UKjoTnM.exe
  C:\Windows\System\UKjoTnM.exe
  2⤵
  PID:12328
- C:\Windows\System\YgjRAYS.exe
  C:\Windows\System\YgjRAYS.exe
  2⤵
  PID:12352
- C:\Windows\System\kiucDOv.exe
  C:\Windows\System\kiucDOv.exe
  2⤵
  PID:12372
- C:\Windows\System\CGSScvD.exe
  C:\Windows\System\CGSScvD.exe
  2⤵
  PID:12428
- C:\Windows\System\mAUYjud.exe
  C:\Windows\System\mAUYjud.exe
  2⤵
  PID:12468
- C:\Windows\System\ebDHwUz.exe
  C:\Windows\System\ebDHwUz.exe
  2⤵
  PID:12516
- C:\Windows\System\pSFPsVy.exe
  C:\Windows\System\pSFPsVy.exe
  2⤵
  PID:12540
- C:\Windows\System\eqabgWJ.exe
  C:\Windows\System\eqabgWJ.exe
  2⤵
  PID:12560
- C:\Windows\System\rfvMBly.exe
  C:\Windows\System\rfvMBly.exe
  2⤵
  PID:12580
- C:\Windows\System\ojPdMQL.exe
  C:\Windows\System\ojPdMQL.exe
  2⤵
  PID:12604
- C:\Windows\System\eFYLPvS.exe
  C:\Windows\System\eFYLPvS.exe
  2⤵
  PID:12624
- C:\Windows\System\whbDigx.exe
  C:\Windows\System\whbDigx.exe
  2⤵
  PID:12648
- C:\Windows\System\SKPpJRy.exe
  C:\Windows\System\SKPpJRy.exe
  2⤵
  PID:12692
- C:\Windows\System\qEMMsDF.exe
  C:\Windows\System\qEMMsDF.exe
  2⤵
  PID:12720
- C:\Windows\System\MjSPfsp.exe
  C:\Windows\System\MjSPfsp.exe
  2⤵
  PID:12736
- C:\Windows\System\cBIDMSJ.exe
  C:\Windows\System\cBIDMSJ.exe
  2⤵
  PID:12764
- C:\Windows\System\USqWecm.exe
  C:\Windows\System\USqWecm.exe
  2⤵
  PID:12784
- C:\Windows\System\yUldlEk.exe
  C:\Windows\System\yUldlEk.exe
  2⤵
  PID:12828
- C:\Windows\System\wvwWsuL.exe
  C:\Windows\System\wvwWsuL.exe
  2⤵
  PID:12848
- C:\Windows\System\tkgacLs.exe
  C:\Windows\System\tkgacLs.exe
  2⤵
  PID:12868
- C:\Windows\System\wlGoJmf.exe
  C:\Windows\System\wlGoJmf.exe
  2⤵
  PID:12888
- C:\Windows\System\QXPEdCc.exe
  C:\Windows\System\QXPEdCc.exe
  2⤵
  PID:12932
- C:\Windows\System\pxfZYJp.exe
  C:\Windows\System\pxfZYJp.exe
  2⤵
  PID:12948
- C:\Windows\System\VtvWjhY.exe
  C:\Windows\System\VtvWjhY.exe
  2⤵
  PID:13096

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4924 -i 4924 -h 484 -j 492 -s 476 -d 12436
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:12492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hnetpzok.c2z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AQzgcNI.exe

Filesize
1.5MB

MD5
07efd3dcde7a127621e24de2ba89fe81

SHA1
55adc1c068f076d8862227f26921034f6fa7ec8f

SHA256
c6e3556b4150e5eccad2f473483b1ad1657335fdf683b5468d7506b04dfa025b

SHA512
1a7ffa85b5b9d82f6351e14698874b5398bb0f608d578654730a1a626ee22bdc20eff08f01fb2996fafae059256da2b93b780e105063004752098287da7839ea

Download Submit
C:\Windows\System\FZyLlJT.exe

Filesize
1.5MB

MD5
0e16b15ef4eb47ece4dab24081ebc87e

SHA1
b83df5596033698fa712add25bba44eb09326817

SHA256
e871ea33c9c7ce624eabf9fff76f7722b05db9d7a1167d742e223205e3df5482

SHA512
57a3188f4f244a08477f64b0d4d43b7dce8f00b0f21bed44016ffd838419423fea266ec525dad8e9668f4a96cdaaf4acb9813a1c358da0a807ca73b6a66b9a7f

Download Submit
C:\Windows\System\HPmpLfL.exe

Filesize
1.5MB

MD5
ea19f3d423e4c97f4f87d80c18fb4f92

SHA1
34b3f096f709c4f909967bae9366e4b35e733ddd

SHA256
4493c5515823192d63fdb0bc65052a355f5dc2f9d0de86bcd4327890831ec105

SHA512
efaf6f3d3cadbabac4616435e3b47c7d5b2588e3bae206befc8d9c1044076f7adee58ea819574f9fff9c2c9d1a9d664f53aeeead9070febae46b11dc64012714

Download Submit
C:\Windows\System\HvgjsBC.exe

Filesize
1.5MB

MD5
a4026afbb50c0004ef88dbb9bdf4704d

SHA1
c00da6452e345bf14a922efdc69621ff07715d5c

SHA256
132ed8223b7c25a7dfc88c1164c2c8ce1e9eeb7383f9c857bbd2692b9b4379fa

SHA512
8c1835fce49eb24a14f832da3c543083522d6e080727222150dc2d1c697c1968f99b3ad2b4d5533a09956af4f9447070b9a9c5be8544b3ce5e9dc32a6d09b5a9

Download Submit
C:\Windows\System\JrzJGAR.exe

Filesize
1.5MB

MD5
e0636044e005cfcea4de9347ccef3038

SHA1
a008bbd79fe3889f5bb77a7edfd09e19c8d0bcfd

SHA256
f51200ad651dd2163bc49f081308f7ed09db4bed4b4a597ca2c1a0cf7d3cc8d2

SHA512
7131c52800dccf77e56ceec443fce014a5013a10ddfdb72a1861cbd8aa702c2629dd7eb8024dcac51537b962b2ffbaf47458351a1f4fac6d821abdb58fcf703e

Download Submit
C:\Windows\System\KNUexeO.exe

Filesize
1.5MB

MD5
98625528cefe8cfbf65cb7ed0e260b26

SHA1
b0b667e82ff37b73a52dc7875288e3931caf8275

SHA256
f328233754ed82dec15e85b9e24ebd96b0a9ec1e006707440019dea77cd66360

SHA512
82d185848a1399242918ac505f3f790447bcc90d66ffbbd6f3fba973ded12c2ad7bdf80961f82844223594b0517c724878597372673bbb82f9ef1202b59fc2ab

Download Submit
C:\Windows\System\LKgopsF.exe

Filesize
1.5MB

MD5
c1dd7846873fb81ede9477d5817a53ff

SHA1
0eec5b03765f4be0bdf738beb11e8670730d6430

SHA256
e1172e4c4a3d83840d712022d743395fe793b546857ec2a9225512146b5bc25b

SHA512
3f23009badbada97491d350e2cf7af4b173ce2122282229bf71111d1e7d9681b11c84398e41a6fc53f8b6a9e56a1a515dd24969bd66677a4d8cf5d9eff0117e3

Download Submit
C:\Windows\System\LPEhCRA.exe

Filesize
1.5MB

MD5
353796d0a38691d2d9daec24266fe867

SHA1
d7aa8a57bca702d064a6e83490550f89f24712cf

SHA256
586f5e4476fec2822d71d2f67e04dfee740d5e0cf70dfa707cb46c492d8c82c9

SHA512
a4f8f55df08339bdbb9e59cbc44d71524932be31569641b5a486a2633e1583ba9afe2b654574d1e70fdf11466efb3dc092790c608c34c19b96549e6f530d9dc9

Download Submit
C:\Windows\System\NaWEkIJ.exe

Filesize
1.5MB

MD5
7739732efed072b49b714479e0298fcc

SHA1
86f821ff6efe4d518ba7edbbf75f43b11e8d6ce7

SHA256
522ccfebfbcc48cb4ce7aec21b88fe56ce625a98a68dbdcc37cf119b693cc306

SHA512
cfb8d74ba0e9623d77535d9754079564362a412719cd33a4fe53f3cb4ff5c7de92b200ec03b5b67341968db12f04bb1bc5152778755d0e0c7b841667ca7bff39

Download Submit
C:\Windows\System\NnJAoVW.exe

Filesize
1.5MB

MD5
62cd43251bbac55471d928ecf1eb1cec

SHA1
c44eb48e66a067d7fe9a5a7dfd5778c094c93ebf

SHA256
327df0e8f905caa5da04dd8d42e97f9e08d7294a015286b66ac06847701474b5

SHA512
accd1c215efd5f757a0fa6c8eaa5df2427194e950c3bc55047293d7c8a6280a8ef442b637e5d12285d8e607316855b38c20eb3aac19f7017f22c20b4746a239a

Download Submit
C:\Windows\System\OfysYSc.exe

Filesize
1.5MB

MD5
b43891ea04666ae736fd3ca9c3351eb5

SHA1
fc1ccdb0d14bce4a6607e35127d67e4c7c3a2e98

SHA256
99bdb76969b8b8275ceb745f344cc92d6819e9d604ce3f7618e544cd8d33dbcf

SHA512
108b9333eca37da479d3b3e3270c0f3911a6bd879814953af0cd994edf6e12c4d98c5ebb6693904fafb87dbe72edfdc4cd9f6c26651cc661f78b32d7f4057122

Download Submit
C:\Windows\System\PyWRhcF.exe

Filesize
1.5MB

MD5
f90041181937306ae12ec8211ab6ff18

SHA1
80b40321bb352899c3564b85b9a9644ee5497363

SHA256
2d1a72d9499ee63be2e55ee5827f55936909613cdbcc682b43e7e9037813db1c

SHA512
d50ed9f90a03b7825cab679db6f1317d00e57f2af20e262d3be860469dfda115fa09a90b8382e7f3f3033925adad3b50d9e62224923e425dd0f61ac361e94b70

Download Submit
C:\Windows\System\QCtlRBa.exe

Filesize
1.5MB

MD5
914443987b33d3519958d3f126dc2002

SHA1
85f42dfe0f6bd1614f42c1606ef0197de0795c3f

SHA256
2343daa06d37a335c4cc06e0fafa759c1a746d6003164a29026c803da0403804

SHA512
2c40eabf0db357082150a927cac48df1856efdfcd39e99c36b218961de072d04702e11a3791966b94c80ccaa48f12c6d6546cfddc91d8092b53c530525f919d2

Download Submit
C:\Windows\System\SuBkMCu.exe

Filesize
1.5MB

MD5
5c3a2550408a4fbf5c7fc739834e0b36

SHA1
996793cde4d84d4f82bea0d1885720107328abc5

SHA256
2b990211591bbcc167151b3ef9d80dae9b138dda684840eac21afbcfbd0ec6bd

SHA512
57e04d1c2ad215e524888aadf288f34f1a25d5e0c6a7873ea9a82c4b878e53999142a6c727c53a65295ae58cbb923e382e193420f3197c33555d89165c783976

Download Submit
C:\Windows\System\XolSpuX.exe

Filesize
1.5MB

MD5
f5e7613fa5a64746e6edf8c1ef2b739f

SHA1
c1df59ee58479a5f2ec3d93cb46b0522b1b9ccca

SHA256
09a66612b7342cef8a85126c3ca63aae2d06ff4daef8b98584075dcd1d746ea6

SHA512
3533f8600f1a1814883d81fd7a69e5f4c320282712d8a5896989a071cbf2b77548baaf51864b868668415fc56f3228e47fe9965b31cea7edbd32b62eca77707d

Download Submit
C:\Windows\System\YwyHxUY.exe

Filesize
1.5MB

MD5
148c5a88529fe79aa85da90884c76b6a

SHA1
4e8a4703520664db014ea1b544fa51598385bcee

SHA256
d0ad15d51cb741cf7bf5b6f798ec51c6f95b23f416aaf5a959bace4c2328ed62

SHA512
33bbb6228533b978ffe99142e5c1315e465ac1199c951caf7a76b6af57407c52d21a37d2ad74dee4bffcede65a4e034559130b8d0a6aff5f3691f855e6589f33

Download Submit
C:\Windows\System\ZCbTIpn.exe

Filesize
1.5MB

MD5
95c3f18d35e4aba7c38aa9fea70929dc

SHA1
3218fcdd0c7b3979cc547d2cc3034c8ad193a6c1

SHA256
56e097b081695f61f37eea168c267966f0c17b523cb7cda8e66494d5af14ff34

SHA512
86889b42892256d914b4bfeacc2550dec6e3a107c54cd4be0a36f354d09a1f34c673c840c41ccc7167f6374acf73da988f62c93402873b6e0c8562066024fb28

Download Submit
C:\Windows\System\cQKfukf.exe

Filesize
1.5MB

MD5
a3657bf5683a775dfeba382206a8cdde

SHA1
b9dc00a26b5bbba97acd0c92d63a5e82d148386e

SHA256
15962da337f3e9436e2cf2d180c4a7e0cd77f01df97b89a814ee602e9276d2a7

SHA512
94d2c1e7ce06f8c52624967ef34a5048c841f73d7bba4f3afe825af3cc09d41f170c85fc11cba8ccb5fa5704ff730654c74cc53354f80fbea3c7cf5dd092d0c1

Download Submit
C:\Windows\System\dfaKBid.exe

Filesize
1.5MB

MD5
351a026451893d9a442833988cc456c3

SHA1
774cb1f8e903220ce77729fb95c1bf1bf0b46783

SHA256
8ede6c2c2bba01fa4174089f56f61bd9eb6321b3e33a2a8ebd79f3186ea219d1

SHA512
f27b6e5ce7ab32115965cee3eafc7d1e9f892a58ea71778e12598546efb4f27e76621e52993f52d6c8a6a0a85ae388baae486c3603f94c46c970d362af1dddf7

Download Submit
C:\Windows\System\dojxrUU.exe

Filesize
1.5MB

MD5
9176ffc44c66c1e07eb72fbdf7f0fc22

SHA1
9b722f48c2665f37b288ed03a5ff0111a6f112a8

SHA256
b74000305e871f586e68fbd83c6ab47698e47839c18d75826ab3397d712f281e

SHA512
7d9374fca04e0fb1136d1197609318bcebf7cd64968be24c93c04d79b13125e55a161cf47a23d6bfe9b64b37e674bfdd720dd99ed5286097fd99add4462b6695

Download Submit
C:\Windows\System\exYHTIf.exe

Filesize
1.5MB

MD5
f7ec6d763ad598a5733ee40865642e4d

SHA1
37cf5268cfcb9072ca03bf1938a3af03377afe92

SHA256
f15059ddb24932c6e4fe5f762fa2c43523d0e301a3b72c5771a44bf628452a5b

SHA512
f7ad794582020edfb046c80ad80a1ff6e98529ea875820d3bd46a0416b75f1044970b3d966a3c9d9a94d722e9f7452ad49f4a98d92e887dfc6d7ed8615a5a341

Download Submit
C:\Windows\System\fvuzRND.exe

Filesize
1.5MB

MD5
d9b7736aac3cfdaf82f2b0c4091672a3

SHA1
c87631a4c9797c3cf829ab7282b23cd527c3abbf

SHA256
4ffd82909a71988efb602d92a6da7d2433ab39c5c13c35431975267148f4f78a

SHA512
828cf4af092669cc97253167b9dffb9d5ca2ed7b9835a5330cd84f1080dae9d804eab7d2724cd0c7a34d1265cf7265d8256c14adc7ef866f49d96b1aab85165d

Download Submit
C:\Windows\System\gPVsnaR.exe

Filesize
1.5MB

MD5
8aa9e0331d8f5ee62a58d8ba61a917a8

SHA1
bc08fb7f5a2264dc1c31f804a4b502410e99fe13

SHA256
cbf35ffdd5bd00e5bff3e1909e67066bbb0e274f32b7b901a23d400734b6c8b5

SHA512
b307a36934600cd775b9653f13d3218f3c6054bf592217454facbe5df15c55106d430924edd7484f09371900306df76b57154e67c2b39151e3732ffe54092067

Download Submit
C:\Windows\System\hSWBpSJ.exe

Filesize
1.5MB

MD5
a21df49dad4f6db76e277a06c9d8198c

SHA1
c61d643ede67a37936b924a9214b7c3b26534445

SHA256
beff3266d298b3df3d2b8e49d668f63fe2ac5312b479b6d8a2ddea84fa463f8c

SHA512
d4a56a3f3386bb12b45cd5ba946c8d42ca4be0c189f348ed9ba1ecb48d49b1b7304fbdd06f680d30aef9670c79f5b93a8b2d2bbc6b19fa548820696df35c6e84

Download Submit
C:\Windows\System\iVKhGnG.exe

Filesize
1.5MB

MD5
8cd53c592706bc61d87fad1fba4bb5b1

SHA1
3f6146e88b46adf79b17ab2cc191f0222021a844

SHA256
b23ab5e1ddec640ba4eb6beb5d8f91b77775463d0d7e91285b854790dec29042

SHA512
8459bd28f2bcb3a210cd20332960fc337df7e6f66e963e45cf0ac82fe4e79712d963d07657df4585f7513083cea1254128a574920a6eb93c3df35dddb6f31b93

Download Submit
C:\Windows\System\jzBUCqV.exe

Filesize
8B

MD5
2d0c2c2eeafda1eefbc846623106a651

SHA1
ebe1d12cc7355840b98bff551fa1e9b6ea05149b

SHA256
315fe12e8506c9a5679018a241c22762f38597a85e3d6906984d2cd8e0eb0749

SHA512
4747f2fca75d2722dc6b7850f1cf2e05f5ebac7e64d54a9f03247ac705b6e7fd5e4086e67fbc0da577c026e6cfc06192b9232b3f0c023c488535fb6f948376dc

Download Submit
C:\Windows\System\keRWOyx.exe

Filesize
1.5MB

MD5
81e5581f96e18b702e92fa8cdc94ef3c

SHA1
ee1cb9cd6d9547145052e08d59ac981b43dea77c

SHA256
2982e398aaef5b21e21bec51b722b4cfc18949591a28552b2f9731c6c07560d8

SHA512
b1b96fb3a76f7a1fa84e402d1713ad6e80a1d00bf4206fcbe15c1264f44c7e1edf6fa8ac8b28ca8e278b600150eb5f21dfa6db1ca82c288ce70b71fd396dba49

Download Submit
C:\Windows\System\lCVxooy.exe

Filesize
1.5MB

MD5
f426f95af5e85ab1a63d96827660f139

SHA1
9d83fab347a73172af1b1833eaafe078d938b9ab

SHA256
b212f9550befea5f91e537662dd3569e7bb3474221f9962ef2cbc6309f8dcce5

SHA512
0e9fb3f7908fd1176d986d2d7759fcfcebe90c59815d41afaac8aba9ec86d3462bf48bd1110a27420efd60695abeabb1460facc99c9abd2f2cfa9ee073848636

Download Submit
C:\Windows\System\mFRUlVp.exe

Filesize
1.5MB

MD5
653e45947ba7dd1afaa8ff91bba4aac2

SHA1
f193fb09886e4a5c4d722ede142687b13847e515

SHA256
c7e9b91314d55500b7ab0dfa34f2f06e013bbd437940d796e40a24946cbccb0a

SHA512
4e3f98eff79105660a101da8d65e1605e4f5f8203b3539a1869e92d46a35be465f563d82447c3c0a09ea017fe12a85c5c80b609bc0515fac0ab68b30a9d0dfbb

Download Submit
C:\Windows\System\mUrrtlL.exe

Filesize
1.5MB

MD5
0b260429210b74d234473127b2d45f9d

SHA1
5f111964b647b239abb7fe0ebe174ce743dbfa98

SHA256
67cb744a10dc0d14e4c632e13de6d9af0298a91d827f9b2c7f387b270db42a10

SHA512
6731048b9bc91c3b3f2421c638251d66eb11071213bd6fcab0764f185eca464df1110dad53c04e1b23e27b5a5971a0473745584fd802f99281c4709857e18be7

Download Submit
C:\Windows\System\tHhgjpa.exe

Filesize
1.5MB

MD5
2fa5cdea6c17a081f0848b66a38e9b04

SHA1
c0201f25857e8dacd496af42845ae0cf98e729d8

SHA256
64993e0ad45e733ed5624c3b3295feb158cc472088ad1bda52eadc3ea3a2be47

SHA512
8a776097d8849bb879cee3e50613c257f79f60c579c5f7410dadb7a1bf0fc371f76b74120e933592c1ef244f15f74135e8e1eb80f087c913664d2b9216e5cb55

Download Submit
C:\Windows\System\vAFupNf.exe

Filesize
1.5MB

MD5
178e362c357dd68e167f76116eb715a0

SHA1
9dc4efe2d29c193d9eb740c6430fed82a5351291

SHA256
c20decbdc7ffbf51c6b9bc74b93c903641b9a96a734436e23c31a84f2509ba32

SHA512
02f18f2209a12a187a20c008588d7b96f35b7559817366b62b7ee524ff407b887d65737541f76e9d98d749497b7bc880f540ef0423ac89f1a8585e2df62bfb59

Download Submit
C:\Windows\System\wmaQcQz.exe

Filesize
1.5MB

MD5
25ec6b808b1cbb1a0073c4ccc5d6ce18

SHA1
34e843013adb6bab742033ba5660c3e96604124b

SHA256
c63f9324acb8483f1d05cf8ea2248a1b4544fffa500141c1a69c6d590cabbd2c

SHA512
fcadf0595d131486ea0105d77a2b1cbbdce6252f85989e6534a873e85f50061f081136a21a4476cc1d68a1a86970ae45ec1c420eeb92293762d02d37612515ba

Download Submit
C:\Windows\System\ykgAQWe.exe

Filesize
1.5MB

MD5
96e0a6154b36ab99e17ef158bda7f8ea

SHA1
822b15fa59111d1373a0b04e8feeaf9b592fcf35

SHA256
843589c5142f783ccc4e86b5a36f268bdbeb69b77d1bf329a616acbc3064335f

SHA512
591bb0d5c524c3b1e35cb870460a24438da73f7c36576942b5ffd2cffa68d8810ce752ebaa38ac30d1188dc1f5a8fe8fb9b4dc878cb811e72455a6ff0e8021ae

Download Submit
memory/220-2682-0x00007FF6620F0000-0x00007FF6624E2000-memory.dmp

Filesize
3.9MB

Download
memory/220-13-0x00007FF6620F0000-0x00007FF6624E2000-memory.dmp

Filesize
3.9MB

Download
memory/384-2704-0x00007FF629D70000-0x00007FF62A162000-memory.dmp

Filesize
3.9MB

Download
memory/384-1117-0x00007FF629D70000-0x00007FF62A162000-memory.dmp

Filesize
3.9MB

Download
memory/740-1454-0x00007FF63A1A0000-0x00007FF63A592000-memory.dmp

Filesize
3.9MB

Download
memory/740-2733-0x00007FF63A1A0000-0x00007FF63A592000-memory.dmp

Filesize
3.9MB

Download
memory/744-2693-0x00007FF76EAC0000-0x00007FF76EEB2000-memory.dmp

Filesize
3.9MB

Download
memory/744-1461-0x00007FF76EAC0000-0x00007FF76EEB2000-memory.dmp

Filesize
3.9MB

Download
memory/764-2692-0x00007FF629730000-0x00007FF629B22000-memory.dmp

Filesize
3.9MB

Download
memory/764-1460-0x00007FF629730000-0x00007FF629B22000-memory.dmp

Filesize
3.9MB

Download
memory/988-2698-0x00007FF6F70F0000-0x00007FF6F74E2000-memory.dmp

Filesize
3.9MB

Download
memory/988-1112-0x00007FF6F70F0000-0x00007FF6F74E2000-memory.dmp

Filesize
3.9MB

Download
memory/1568-2700-0x00007FF77FC00000-0x00007FF77FFF2000-memory.dmp

Filesize
3.9MB

Download
memory/1568-1466-0x00007FF77FC00000-0x00007FF77FFF2000-memory.dmp

Filesize
3.9MB

Download
memory/1572-2695-0x00007FF779190000-0x00007FF779582000-memory.dmp

Filesize
3.9MB

Download
memory/1572-42-0x00007FF779190000-0x00007FF779582000-memory.dmp

Filesize
3.9MB

Download
memory/1664-1-0x0000023000260000-0x0000023000270000-memory.dmp

Filesize
64KB

Download
memory/1664-2680-0x00007FF66BAF0000-0x00007FF66BEE2000-memory.dmp

Filesize
3.9MB

Download
memory/1664-0-0x00007FF66BAF0000-0x00007FF66BEE2000-memory.dmp

Filesize
3.9MB

Download
memory/1720-522-0x00007FF76B0B0000-0x00007FF76B4A2000-memory.dmp

Filesize
3.9MB

Download
memory/1720-2708-0x00007FF76B0B0000-0x00007FF76B4A2000-memory.dmp

Filesize
3.9MB

Download
memory/1732-391-0x000001CAC0750000-0x000001CAC0EF6000-memory.dmp

Filesize
7.6MB

Download
memory/1732-75-0x000001CABFC10000-0x000001CABFC32000-memory.dmp

Filesize
136KB

Download
memory/1732-466-0x00007FFEC4130000-0x00007FFEC4BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-39-0x00007FFEC4130000-0x00007FFEC4BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-2726-0x00007FFEC4130000-0x00007FFEC4BF1000-memory.dmp

Filesize
10.8MB

Download
memory/1732-20-0x00007FFEC4133000-0x00007FFEC4135000-memory.dmp

Filesize
8KB

Download
memory/1820-1415-0x00007FF707250000-0x00007FF707642000-memory.dmp

Filesize
3.9MB

Download
memory/1820-2730-0x00007FF707250000-0x00007FF707642000-memory.dmp

Filesize
3.9MB

Download
memory/1948-1416-0x00007FF64D460000-0x00007FF64D852000-memory.dmp

Filesize
3.9MB

Download
memory/1948-2729-0x00007FF64D460000-0x00007FF64D852000-memory.dmp

Filesize
3.9MB

Download
memory/1988-2713-0x00007FF6215A0000-0x00007FF621992000-memory.dmp

Filesize
3.9MB

Download
memory/1988-1293-0x00007FF6215A0000-0x00007FF621992000-memory.dmp

Filesize
3.9MB

Download
memory/2012-639-0x00007FF6BC350000-0x00007FF6BC742000-memory.dmp

Filesize
3.9MB

Download
memory/2012-2701-0x00007FF6BC350000-0x00007FF6BC742000-memory.dmp

Filesize
3.9MB

Download
memory/2400-1426-0x00007FF772E70000-0x00007FF773262000-memory.dmp

Filesize
3.9MB

Download
memory/2400-2739-0x00007FF772E70000-0x00007FF773262000-memory.dmp

Filesize
3.9MB

Download
memory/2540-1447-0x00007FF76ADC0000-0x00007FF76B1B2000-memory.dmp

Filesize
3.9MB

Download
memory/2540-2737-0x00007FF76ADC0000-0x00007FF76B1B2000-memory.dmp

Filesize
3.9MB

Download
memory/2680-2689-0x00007FF774E40000-0x00007FF775232000-memory.dmp

Filesize
3.9MB

Download
memory/2680-19-0x00007FF774E40000-0x00007FF775232000-memory.dmp

Filesize
3.9MB

Download
memory/2996-1249-0x00007FF623450000-0x00007FF623842000-memory.dmp

Filesize
3.9MB

Download
memory/2996-2711-0x00007FF623450000-0x00007FF623842000-memory.dmp

Filesize
3.9MB

Download
memory/3060-2705-0x00007FF6619C0000-0x00007FF661DB2000-memory.dmp

Filesize
3.9MB

Download
memory/3060-562-0x00007FF6619C0000-0x00007FF661DB2000-memory.dmp

Filesize
3.9MB

Download
memory/3236-1245-0x00007FF602B60000-0x00007FF602F52000-memory.dmp

Filesize
3.9MB

Download
memory/3236-2709-0x00007FF602B60000-0x00007FF602F52000-memory.dmp

Filesize
3.9MB

Download
memory/3300-2740-0x00007FF735BA0000-0x00007FF735F92000-memory.dmp

Filesize
3.9MB

Download
memory/3300-1425-0x00007FF735BA0000-0x00007FF735F92000-memory.dmp

Filesize
3.9MB

Download
memory/3748-1448-0x00007FF7EFBA0000-0x00007FF7EFF92000-memory.dmp

Filesize
3.9MB

Download
memory/3748-2735-0x00007FF7EFBA0000-0x00007FF7EFF92000-memory.dmp

Filesize
3.9MB

Download
memory/4120-2744-0x00007FF77C840000-0x00007FF77CC32000-memory.dmp

Filesize
3.9MB

Download
memory/4120-1455-0x00007FF77C840000-0x00007FF77CC32000-memory.dmp

Filesize
3.9MB

Download
memory/4696-1355-0x00007FF773BC0000-0x00007FF773FB2000-memory.dmp

Filesize
3.9MB

Download
memory/4696-2715-0x00007FF773BC0000-0x00007FF773FB2000-memory.dmp

Filesize
3.9MB

Download
memory/4952-2742-0x00007FF736680000-0x00007FF736A72000-memory.dmp

Filesize
3.9MB

Download
memory/4952-1356-0x00007FF736680000-0x00007FF736A72000-memory.dmp

Filesize
3.9MB

Download