xmrig | 0ea79796ba0e730ce291034f1d58a564bab6f6a36d32a2a1dc2ee863e091991b

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
Size

2.8MB
MD5

0fb64975531db9b1c364419bdd5cef70
SHA1

dd605a7625c5db178932fc2519787474510d5518
SHA256

0ea79796ba0e730ce291034f1d58a564bab6f6a36d32a2a1dc2ee863e091991b
SHA512

e7b1605eaa6642f01454b765456a5c3ff34926361a69ff1b643d050406d0c44ebc5485c4cfd2d1528c9d70993bdcaf46423a89faaf6be0eebb29d9bbbf4a7cc5
SSDEEP

49152:71G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkHC0IEFToChvLx:71ONtyBeSFkXV1etEKLlWUTOfeiRA2R0

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2336-0-0x00007FF7C4F80000-0x00007FF7C5376000-memory.dmp	xmrig
behavioral2/files/0x00080000000235ba-6.dat	xmrig
behavioral2/files/0x00070000000235bf-10.dat	xmrig
behavioral2/files/0x00070000000235be-11.dat	xmrig
behavioral2/files/0x00070000000235c1-25.dat	xmrig
behavioral2/files/0x00070000000235c0-26.dat	xmrig
behavioral2/memory/3876-32-0x00007FF6C5AE0000-0x00007FF6C5ED6000-memory.dmp	xmrig
behavioral2/files/0x00070000000235c6-57.dat	xmrig
behavioral2/files/0x00070000000235cc-86.dat	xmrig
behavioral2/files/0x00070000000235ce-96.dat	xmrig
behavioral2/files/0x00070000000235cf-106.dat	xmrig
behavioral2/files/0x00070000000235d0-119.dat	xmrig
behavioral2/files/0x00070000000235d4-131.dat	xmrig
behavioral2/files/0x00070000000235d5-144.dat	xmrig
behavioral2/files/0x00070000000235d7-154.dat	xmrig
behavioral2/files/0x00070000000235db-174.dat	xmrig
behavioral2/memory/3928-797-0x00007FF6F7030000-0x00007FF6F7426000-memory.dmp	xmrig
behavioral2/memory/896-798-0x00007FF6319E0000-0x00007FF631DD6000-memory.dmp	xmrig
behavioral2/memory/4816-800-0x00007FF72FA90000-0x00007FF72FE86000-memory.dmp	xmrig
behavioral2/memory/2280-801-0x00007FF75C110000-0x00007FF75C506000-memory.dmp	xmrig
behavioral2/files/0x00070000000235dd-176.dat	xmrig
behavioral2/files/0x00070000000235dc-171.dat	xmrig
behavioral2/files/0x00070000000235da-169.dat	xmrig
behavioral2/files/0x00070000000235d9-164.dat	xmrig
behavioral2/files/0x00070000000235d8-159.dat	xmrig
behavioral2/files/0x00070000000235d6-149.dat	xmrig
behavioral2/files/0x00070000000235d3-134.dat	xmrig
behavioral2/files/0x00070000000235d2-129.dat	xmrig
behavioral2/files/0x00070000000235d1-124.dat	xmrig
behavioral2/files/0x00080000000235ca-109.dat	xmrig
behavioral2/files/0x00070000000235cd-99.dat	xmrig
behavioral2/files/0x00080000000235cb-87.dat	xmrig
behavioral2/files/0x00070000000235c9-82.dat	xmrig
behavioral2/files/0x00070000000235c8-77.dat	xmrig
behavioral2/files/0x00070000000235c7-71.dat	xmrig
behavioral2/files/0x00070000000235c5-52.dat	xmrig
behavioral2/files/0x00070000000235c4-47.dat	xmrig
behavioral2/files/0x00070000000235c3-42.dat	xmrig
behavioral2/files/0x00070000000235c2-37.dat	xmrig
behavioral2/memory/4628-16-0x00007FF636D40000-0x00007FF637136000-memory.dmp	xmrig
behavioral2/memory/2792-8-0x00007FF6BFBE0000-0x00007FF6BFFD6000-memory.dmp	xmrig
behavioral2/memory/3948-802-0x00007FF7627D0000-0x00007FF762BC6000-memory.dmp	xmrig
behavioral2/memory/2812-803-0x00007FF7212D0000-0x00007FF7216C6000-memory.dmp	xmrig
behavioral2/memory/2852-804-0x00007FF6FCDC0000-0x00007FF6FD1B6000-memory.dmp	xmrig
behavioral2/memory/1684-865-0x00007FF71E860000-0x00007FF71EC56000-memory.dmp	xmrig
behavioral2/memory/3644-857-0x00007FF6A9CB0000-0x00007FF6AA0A6000-memory.dmp	xmrig
behavioral2/memory/3664-850-0x00007FF6E6440000-0x00007FF6E6836000-memory.dmp	xmrig
behavioral2/memory/956-881-0x00007FF747290000-0x00007FF747686000-memory.dmp	xmrig
behavioral2/memory/932-892-0x00007FF7AC700000-0x00007FF7ACAF6000-memory.dmp	xmrig
behavioral2/memory/1088-874-0x00007FF678850000-0x00007FF678C46000-memory.dmp	xmrig
behavioral2/memory/224-870-0x00007FF69AD70000-0x00007FF69B166000-memory.dmp	xmrig
behavioral2/memory/384-899-0x00007FF7B4E80000-0x00007FF7B5276000-memory.dmp	xmrig
behavioral2/memory/2172-1157-0x00007FF7A64A0000-0x00007FF7A6896000-memory.dmp	xmrig
behavioral2/memory/3192-1160-0x00007FF6CAFC0000-0x00007FF6CB3B6000-memory.dmp	xmrig
behavioral2/memory/4720-1166-0x00007FF68A580000-0x00007FF68A976000-memory.dmp	xmrig
behavioral2/memory/3080-1173-0x00007FF768A40000-0x00007FF768E36000-memory.dmp	xmrig
behavioral2/memory/1484-1171-0x00007FF63F560000-0x00007FF63F956000-memory.dmp	xmrig
behavioral2/memory/2352-1163-0x00007FF6BEA70000-0x00007FF6BEE66000-memory.dmp	xmrig
behavioral2/memory/2792-2177-0x00007FF6BFBE0000-0x00007FF6BFFD6000-memory.dmp	xmrig
behavioral2/memory/4628-2178-0x00007FF636D40000-0x00007FF637136000-memory.dmp	xmrig
behavioral2/memory/3876-2179-0x00007FF6C5AE0000-0x00007FF6C5ED6000-memory.dmp	xmrig
behavioral2/memory/3928-2180-0x00007FF6F7030000-0x00007FF6F7426000-memory.dmp	xmrig
behavioral2/memory/896-2181-0x00007FF6319E0000-0x00007FF631DD6000-memory.dmp	xmrig
behavioral2/memory/4816-2184-0x00007FF72FA90000-0x00007FF72FE86000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

flow	pid	Process
7	2832	powershell.exe
9	2832	powershell.exe
15	2832	powershell.exe
16	2832	powershell.exe
19	2832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2832	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2792	CsbwyDI.exe
4628	yfzlHrv.exe
3876	GCaTGyO.exe
3928	wuLpulF.exe
896	qGkLyux.exe
4816	OHWejPc.exe
3080	xGjlTON.exe
2280	qNAGcQd.exe
3948	pLzFbjb.exe
2812	AywqGCB.exe
2852	CjCYdCe.exe
3664	qeqJfyX.exe
3644	sayumET.exe
1684	oFGVvMT.exe
224	MHysuOm.exe
1088	loEUEiZ.exe
956	ZoocFml.exe
932	bRrnWrN.exe
384	JjhIevm.exe
2172	tJxuGRE.exe
3192	LfeBGKJ.exe
2352	CtVzZpy.exe
4720	WtkFJFp.exe
1484	xeSzhvh.exe
4940	DJvcDJX.exe
2308	RfAEhjo.exe
2380	TNjNlJg.exe
2348	RoAaBIw.exe
3888	YMEIFcy.exe
1952	JfGUBae.exe
4408	WHfMXHH.exe
4648	XnZNYfH.exe
2484	jgWZxLi.exe
2388	gNpCjWA.exe
2572	HcwoPLD.exe
4148	PksJCFn.exe
4676	ERLaBNx.exe
2156	gvQiLeA.exe
1648	bMDkFQS.exe
2712	nYCppgJ.exe
4572	hfoBkUM.exe
4100	VhBZnTh.exe
436	UiTxqAv.exe
4456	tcBqEzs.exe
4604	ObHTTZZ.exe
788	qeCqNOO.exe
4500	BfJNUHk.exe
4340	IafMxlF.exe
5156	QkDfDqp.exe
5192	EzsBPTP.exe
5216	NyiGIqa.exe
5236	iUTFayl.exe
5268	XtrzAra.exe
5292	ZpncYMV.exe
5320	laXsOqJ.exe
5348	ZeHuGIu.exe
5376	OZWXNnJ.exe
5400	bCWYRdp.exe
5432	tFFDXkF.exe
5464	kiGmHGf.exe
5492	UVHoiqN.exe
5520	FKpBqrJ.exe
5548	UHCGDVv.exe
5576	krunNbZ.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2336-0-0x00007FF7C4F80000-0x00007FF7C5376000-memory.dmp	upx
behavioral2/files/0x00080000000235ba-6.dat	upx
behavioral2/files/0x00070000000235bf-10.dat	upx
behavioral2/files/0x00070000000235be-11.dat	upx
behavioral2/files/0x00070000000235c1-25.dat	upx
behavioral2/files/0x00070000000235c0-26.dat	upx
behavioral2/memory/3876-32-0x00007FF6C5AE0000-0x00007FF6C5ED6000-memory.dmp	upx
behavioral2/files/0x00070000000235c6-57.dat	upx
behavioral2/files/0x00070000000235cc-86.dat	upx
behavioral2/files/0x00070000000235ce-96.dat	upx
behavioral2/files/0x00070000000235cf-106.dat	upx
behavioral2/files/0x00070000000235d0-119.dat	upx
behavioral2/files/0x00070000000235d4-131.dat	upx
behavioral2/files/0x00070000000235d5-144.dat	upx
behavioral2/files/0x00070000000235d7-154.dat	upx
behavioral2/files/0x00070000000235db-174.dat	upx
behavioral2/memory/3928-797-0x00007FF6F7030000-0x00007FF6F7426000-memory.dmp	upx
behavioral2/memory/896-798-0x00007FF6319E0000-0x00007FF631DD6000-memory.dmp	upx
behavioral2/memory/4816-800-0x00007FF72FA90000-0x00007FF72FE86000-memory.dmp	upx
behavioral2/memory/2280-801-0x00007FF75C110000-0x00007FF75C506000-memory.dmp	upx
behavioral2/files/0x00070000000235dd-176.dat	upx
behavioral2/files/0x00070000000235dc-171.dat	upx
behavioral2/files/0x00070000000235da-169.dat	upx
behavioral2/files/0x00070000000235d9-164.dat	upx
behavioral2/files/0x00070000000235d8-159.dat	upx
behavioral2/files/0x00070000000235d6-149.dat	upx
behavioral2/files/0x00070000000235d3-134.dat	upx
behavioral2/files/0x00070000000235d2-129.dat	upx
behavioral2/files/0x00070000000235d1-124.dat	upx
behavioral2/files/0x00080000000235ca-109.dat	upx
behavioral2/files/0x00070000000235cd-99.dat	upx
behavioral2/files/0x00080000000235cb-87.dat	upx
behavioral2/files/0x00070000000235c9-82.dat	upx
behavioral2/files/0x00070000000235c8-77.dat	upx
behavioral2/files/0x00070000000235c7-71.dat	upx
behavioral2/files/0x00070000000235c5-52.dat	upx
behavioral2/files/0x00070000000235c4-47.dat	upx
behavioral2/files/0x00070000000235c3-42.dat	upx
behavioral2/files/0x00070000000235c2-37.dat	upx
behavioral2/memory/4628-16-0x00007FF636D40000-0x00007FF637136000-memory.dmp	upx
behavioral2/memory/2792-8-0x00007FF6BFBE0000-0x00007FF6BFFD6000-memory.dmp	upx
behavioral2/memory/3948-802-0x00007FF7627D0000-0x00007FF762BC6000-memory.dmp	upx
behavioral2/memory/2812-803-0x00007FF7212D0000-0x00007FF7216C6000-memory.dmp	upx
behavioral2/memory/2852-804-0x00007FF6FCDC0000-0x00007FF6FD1B6000-memory.dmp	upx
behavioral2/memory/1684-865-0x00007FF71E860000-0x00007FF71EC56000-memory.dmp	upx
behavioral2/memory/3644-857-0x00007FF6A9CB0000-0x00007FF6AA0A6000-memory.dmp	upx
behavioral2/memory/3664-850-0x00007FF6E6440000-0x00007FF6E6836000-memory.dmp	upx
behavioral2/memory/956-881-0x00007FF747290000-0x00007FF747686000-memory.dmp	upx
behavioral2/memory/932-892-0x00007FF7AC700000-0x00007FF7ACAF6000-memory.dmp	upx
behavioral2/memory/1088-874-0x00007FF678850000-0x00007FF678C46000-memory.dmp	upx
behavioral2/memory/224-870-0x00007FF69AD70000-0x00007FF69B166000-memory.dmp	upx
behavioral2/memory/384-899-0x00007FF7B4E80000-0x00007FF7B5276000-memory.dmp	upx
behavioral2/memory/2172-1157-0x00007FF7A64A0000-0x00007FF7A6896000-memory.dmp	upx
behavioral2/memory/3192-1160-0x00007FF6CAFC0000-0x00007FF6CB3B6000-memory.dmp	upx
behavioral2/memory/4720-1166-0x00007FF68A580000-0x00007FF68A976000-memory.dmp	upx
behavioral2/memory/3080-1173-0x00007FF768A40000-0x00007FF768E36000-memory.dmp	upx
behavioral2/memory/1484-1171-0x00007FF63F560000-0x00007FF63F956000-memory.dmp	upx
behavioral2/memory/2352-1163-0x00007FF6BEA70000-0x00007FF6BEE66000-memory.dmp	upx
behavioral2/memory/2792-2177-0x00007FF6BFBE0000-0x00007FF6BFFD6000-memory.dmp	upx
behavioral2/memory/4628-2178-0x00007FF636D40000-0x00007FF637136000-memory.dmp	upx
behavioral2/memory/3876-2179-0x00007FF6C5AE0000-0x00007FF6C5ED6000-memory.dmp	upx
behavioral2/memory/3928-2180-0x00007FF6F7030000-0x00007FF6F7426000-memory.dmp	upx
behavioral2/memory/896-2181-0x00007FF6319E0000-0x00007FF631DD6000-memory.dmp	upx
behavioral2/memory/4816-2184-0x00007FF72FA90000-0x00007FF72FE86000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
6	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\kfIxQQV.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\MnNxduZ.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\GswCsjp.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\nMzTxdD.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\GqgANsl.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\eMUKQsS.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\rCZErcL.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\ECbIHbi.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\ekWjdRm.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\yvGtAWx.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\hRTglPi.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\sdorWdN.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\IrzCbnp.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\ahvqSXP.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\GoXWklZ.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\MtXkCyT.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\URgDiey.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\cnLsaHK.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\zXUDNDp.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\rvrsOmG.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\oxytWIB.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\McMfKez.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\dtWdaSr.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\qoEcXTA.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\QwrAZqg.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\UxGrZTh.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\uClBngK.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\wsRLleP.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\tmlZKBZ.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\laFBmAh.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\GAyLQPG.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\TXvrMtH.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\sacnPjd.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\wjYqjVV.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\zIVyHZJ.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\XpfHkjY.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\TpMpBhn.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\wCGRiWy.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\DAqurHU.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\luXeelu.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\uRCDgdd.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\iuoGQhH.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\cGUMiLO.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\uJCZZcE.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\ilbQFnP.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\sXQUbsr.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\EMdIIFs.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\zgjucbf.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\UjLOjPQ.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\RGNlLht.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\cxFDAOt.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\WDWfkBU.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\RUBauqL.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\OXCJDva.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\bNluiyP.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\orNsHpR.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\JoxUmyg.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\gRpeDCI.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\CIZdvLY.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\ogZhaaM.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\Mlgnhty.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\rdxfcCE.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\kFYhcBh.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
File created	C:\Windows\System\eYlOQAE.exe	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe
2832	powershell.exe
12684	WerFaultSecure.exe
12684	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
Token: SeDebugPrivilege	2832	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2336 wrote to memory of 2832	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	92
PID 2336 wrote to memory of 2832	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	92
PID 2336 wrote to memory of 2792	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	93
PID 2336 wrote to memory of 2792	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	93
PID 2336 wrote to memory of 4628	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	94
PID 2336 wrote to memory of 4628	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	94
PID 2336 wrote to memory of 3876	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	95
PID 2336 wrote to memory of 3876	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	95
PID 2336 wrote to memory of 3928	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	96
PID 2336 wrote to memory of 3928	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	96
PID 2336 wrote to memory of 896	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	97
PID 2336 wrote to memory of 896	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	97
PID 2336 wrote to memory of 4816	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	98
PID 2336 wrote to memory of 4816	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	98
PID 2336 wrote to memory of 3080	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	99
PID 2336 wrote to memory of 3080	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	99
PID 2336 wrote to memory of 2280	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	100
PID 2336 wrote to memory of 2280	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	100
PID 2336 wrote to memory of 3948	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	101
PID 2336 wrote to memory of 3948	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	101
PID 2336 wrote to memory of 2812	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	102
PID 2336 wrote to memory of 2812	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	102
PID 2336 wrote to memory of 2852	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	103
PID 2336 wrote to memory of 2852	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	103
PID 2336 wrote to memory of 3664	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	104
PID 2336 wrote to memory of 3664	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	104
PID 2336 wrote to memory of 3644	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	105
PID 2336 wrote to memory of 3644	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	105
PID 2336 wrote to memory of 1684	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	106
PID 2336 wrote to memory of 1684	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	106
PID 2336 wrote to memory of 224	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	107
PID 2336 wrote to memory of 224	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	107
PID 2336 wrote to memory of 1088	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	108
PID 2336 wrote to memory of 1088	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	108
PID 2336 wrote to memory of 956	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	109
PID 2336 wrote to memory of 956	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	109
PID 2336 wrote to memory of 932	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	110
PID 2336 wrote to memory of 932	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	110
PID 2336 wrote to memory of 384	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	111
PID 2336 wrote to memory of 384	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	111
PID 2336 wrote to memory of 2172	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	112
PID 2336 wrote to memory of 2172	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	112
PID 2336 wrote to memory of 3192	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	113
PID 2336 wrote to memory of 3192	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	113
PID 2336 wrote to memory of 2352	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	114
PID 2336 wrote to memory of 2352	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	114
PID 2336 wrote to memory of 4720	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	115
PID 2336 wrote to memory of 4720	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	115
PID 2336 wrote to memory of 1484	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	116
PID 2336 wrote to memory of 1484	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	116
PID 2336 wrote to memory of 4940	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	117
PID 2336 wrote to memory of 4940	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	117
PID 2336 wrote to memory of 2308	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	118
PID 2336 wrote to memory of 2308	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	118
PID 2336 wrote to memory of 2380	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	119
PID 2336 wrote to memory of 2380	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	119
PID 2336 wrote to memory of 2348	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	120
PID 2336 wrote to memory of 2348	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	120
PID 2336 wrote to memory of 3888	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	121
PID 2336 wrote to memory of 3888	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	121
PID 2336 wrote to memory of 1952	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	122
PID 2336 wrote to memory of 1952	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	122
PID 2336 wrote to memory of 4408	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	123
PID 2336 wrote to memory of 4408	2336	0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe	123

C:\Users\Admin\AppData\Local\Temp\0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0fb64975531db9b1c364419bdd5cef70_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System\CsbwyDI.exe
  C:\Windows\System\CsbwyDI.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\yfzlHrv.exe
  C:\Windows\System\yfzlHrv.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\GCaTGyO.exe
  C:\Windows\System\GCaTGyO.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\wuLpulF.exe
  C:\Windows\System\wuLpulF.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\qGkLyux.exe
  C:\Windows\System\qGkLyux.exe
  2⤵
  - Executes dropped EXE
  PID:896
- C:\Windows\System\OHWejPc.exe
  C:\Windows\System\OHWejPc.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\xGjlTON.exe
  C:\Windows\System\xGjlTON.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\qNAGcQd.exe
  C:\Windows\System\qNAGcQd.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\pLzFbjb.exe
  C:\Windows\System\pLzFbjb.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Windows\System\AywqGCB.exe
  C:\Windows\System\AywqGCB.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\CjCYdCe.exe
  C:\Windows\System\CjCYdCe.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\qeqJfyX.exe
  C:\Windows\System\qeqJfyX.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\sayumET.exe
  C:\Windows\System\sayumET.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\oFGVvMT.exe
  C:\Windows\System\oFGVvMT.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\MHysuOm.exe
  C:\Windows\System\MHysuOm.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\loEUEiZ.exe
  C:\Windows\System\loEUEiZ.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\ZoocFml.exe
  C:\Windows\System\ZoocFml.exe
  2⤵
  - Executes dropped EXE
  PID:956
- C:\Windows\System\bRrnWrN.exe
  C:\Windows\System\bRrnWrN.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System\JjhIevm.exe
  C:\Windows\System\JjhIevm.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\tJxuGRE.exe
  C:\Windows\System\tJxuGRE.exe
  2⤵
  - Executes dropped EXE
  PID:2172
- C:\Windows\System\LfeBGKJ.exe
  C:\Windows\System\LfeBGKJ.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\CtVzZpy.exe
  C:\Windows\System\CtVzZpy.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\WtkFJFp.exe
  C:\Windows\System\WtkFJFp.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\xeSzhvh.exe
  C:\Windows\System\xeSzhvh.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\DJvcDJX.exe
  C:\Windows\System\DJvcDJX.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\RfAEhjo.exe
  C:\Windows\System\RfAEhjo.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\TNjNlJg.exe
  C:\Windows\System\TNjNlJg.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\RoAaBIw.exe
  C:\Windows\System\RoAaBIw.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\YMEIFcy.exe
  C:\Windows\System\YMEIFcy.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\JfGUBae.exe
  C:\Windows\System\JfGUBae.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\WHfMXHH.exe
  C:\Windows\System\WHfMXHH.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\XnZNYfH.exe
  C:\Windows\System\XnZNYfH.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\jgWZxLi.exe
  C:\Windows\System\jgWZxLi.exe
  2⤵
  - Executes dropped EXE
  PID:2484
- C:\Windows\System\gNpCjWA.exe
  C:\Windows\System\gNpCjWA.exe
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\System\HcwoPLD.exe
  C:\Windows\System\HcwoPLD.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\PksJCFn.exe
  C:\Windows\System\PksJCFn.exe
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Windows\System\ERLaBNx.exe
  C:\Windows\System\ERLaBNx.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\gvQiLeA.exe
  C:\Windows\System\gvQiLeA.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\bMDkFQS.exe
  C:\Windows\System\bMDkFQS.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\nYCppgJ.exe
  C:\Windows\System\nYCppgJ.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\hfoBkUM.exe
  C:\Windows\System\hfoBkUM.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\VhBZnTh.exe
  C:\Windows\System\VhBZnTh.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\UiTxqAv.exe
  C:\Windows\System\UiTxqAv.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\tcBqEzs.exe
  C:\Windows\System\tcBqEzs.exe
  2⤵
  - Executes dropped EXE
  PID:4456
- C:\Windows\System\ObHTTZZ.exe
  C:\Windows\System\ObHTTZZ.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\qeCqNOO.exe
  C:\Windows\System\qeCqNOO.exe
  2⤵
  - Executes dropped EXE
  PID:788
- C:\Windows\System\BfJNUHk.exe
  C:\Windows\System\BfJNUHk.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\IafMxlF.exe
  C:\Windows\System\IafMxlF.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\QkDfDqp.exe
  C:\Windows\System\QkDfDqp.exe
  2⤵
  - Executes dropped EXE
  PID:5156
- C:\Windows\System\EzsBPTP.exe
  C:\Windows\System\EzsBPTP.exe
  2⤵
  - Executes dropped EXE
  PID:5192
- C:\Windows\System\NyiGIqa.exe
  C:\Windows\System\NyiGIqa.exe
  2⤵
  - Executes dropped EXE
  PID:5216
- C:\Windows\System\iUTFayl.exe
  C:\Windows\System\iUTFayl.exe
  2⤵
  - Executes dropped EXE
  PID:5236
- C:\Windows\System\XtrzAra.exe
  C:\Windows\System\XtrzAra.exe
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\Windows\System\ZpncYMV.exe
  C:\Windows\System\ZpncYMV.exe
  2⤵
  - Executes dropped EXE
  PID:5292
- C:\Windows\System\laXsOqJ.exe
  C:\Windows\System\laXsOqJ.exe
  2⤵
  - Executes dropped EXE
  PID:5320
- C:\Windows\System\ZeHuGIu.exe
  C:\Windows\System\ZeHuGIu.exe
  2⤵
  - Executes dropped EXE
  PID:5348
- C:\Windows\System\OZWXNnJ.exe
  C:\Windows\System\OZWXNnJ.exe
  2⤵
  - Executes dropped EXE
  PID:5376
- C:\Windows\System\bCWYRdp.exe
  C:\Windows\System\bCWYRdp.exe
  2⤵
  - Executes dropped EXE
  PID:5400
- C:\Windows\System\tFFDXkF.exe
  C:\Windows\System\tFFDXkF.exe
  2⤵
  - Executes dropped EXE
  PID:5432
- C:\Windows\System\kiGmHGf.exe
  C:\Windows\System\kiGmHGf.exe
  2⤵
  - Executes dropped EXE
  PID:5464
- C:\Windows\System\UVHoiqN.exe
  C:\Windows\System\UVHoiqN.exe
  2⤵
  - Executes dropped EXE
  PID:5492
- C:\Windows\System\FKpBqrJ.exe
  C:\Windows\System\FKpBqrJ.exe
  2⤵
  - Executes dropped EXE
  PID:5520
- C:\Windows\System\UHCGDVv.exe
  C:\Windows\System\UHCGDVv.exe
  2⤵
  - Executes dropped EXE
  PID:5548
- C:\Windows\System\krunNbZ.exe
  C:\Windows\System\krunNbZ.exe
  2⤵
  - Executes dropped EXE
  PID:5576
- C:\Windows\System\luCqmkq.exe
  C:\Windows\System\luCqmkq.exe
  2⤵
  PID:5604
- C:\Windows\System\pAhNNnq.exe
  C:\Windows\System\pAhNNnq.exe
  2⤵
  PID:5632
- C:\Windows\System\JvnWAKZ.exe
  C:\Windows\System\JvnWAKZ.exe
  2⤵
  PID:5660
- C:\Windows\System\JTBzQyb.exe
  C:\Windows\System\JTBzQyb.exe
  2⤵
  PID:5692
- C:\Windows\System\vGCmIxI.exe
  C:\Windows\System\vGCmIxI.exe
  2⤵
  PID:5720
- C:\Windows\System\hUvWKPD.exe
  C:\Windows\System\hUvWKPD.exe
  2⤵
  PID:5752
- C:\Windows\System\DjRgIXc.exe
  C:\Windows\System\DjRgIXc.exe
  2⤵
  PID:5780
- C:\Windows\System\kDhvtVL.exe
  C:\Windows\System\kDhvtVL.exe
  2⤵
  PID:5808
- C:\Windows\System\Qtazdco.exe
  C:\Windows\System\Qtazdco.exe
  2⤵
  PID:5836
- C:\Windows\System\guhfePb.exe
  C:\Windows\System\guhfePb.exe
  2⤵
  PID:5864
- C:\Windows\System\GumLCTH.exe
  C:\Windows\System\GumLCTH.exe
  2⤵
  PID:5892
- C:\Windows\System\TFgkJhf.exe
  C:\Windows\System\TFgkJhf.exe
  2⤵
  PID:5924
- C:\Windows\System\heaMJEP.exe
  C:\Windows\System\heaMJEP.exe
  2⤵
  PID:5952
- C:\Windows\System\hhOAGzx.exe
  C:\Windows\System\hhOAGzx.exe
  2⤵
  PID:5980
- C:\Windows\System\ImCYigy.exe
  C:\Windows\System\ImCYigy.exe
  2⤵
  PID:6008
- C:\Windows\System\GmOuofX.exe
  C:\Windows\System\GmOuofX.exe
  2⤵
  PID:6036
- C:\Windows\System\RcjtNeC.exe
  C:\Windows\System\RcjtNeC.exe
  2⤵
  PID:6064
- C:\Windows\System\dtJFyzp.exe
  C:\Windows\System\dtJFyzp.exe
  2⤵
  PID:6092
- C:\Windows\System\ZxjPIIg.exe
  C:\Windows\System\ZxjPIIg.exe
  2⤵
  PID:6120
- C:\Windows\System\sDybRHv.exe
  C:\Windows\System\sDybRHv.exe
  2⤵
  PID:4012
- C:\Windows\System\iFLywAY.exe
  C:\Windows\System\iFLywAY.exe
  2⤵
  PID:1476
- C:\Windows\System\SVacHQR.exe
  C:\Windows\System\SVacHQR.exe
  2⤵
  PID:1548
- C:\Windows\System\dBPOuVI.exe
  C:\Windows\System\dBPOuVI.exe
  2⤵
  PID:4356
- C:\Windows\System\DAqurHU.exe
  C:\Windows\System\DAqurHU.exe
  2⤵
  PID:2804
- C:\Windows\System\oOYVoKh.exe
  C:\Windows\System\oOYVoKh.exe
  2⤵
  PID:5184
- C:\Windows\System\KDiYcss.exe
  C:\Windows\System\KDiYcss.exe
  2⤵
  PID:5252
- C:\Windows\System\XUvvobf.exe
  C:\Windows\System\XUvvobf.exe
  2⤵
  PID:5312
- C:\Windows\System\LbIIfGA.exe
  C:\Windows\System\LbIIfGA.exe
  2⤵
  PID:5388
- C:\Windows\System\ADrMeQH.exe
  C:\Windows\System\ADrMeQH.exe
  2⤵
  PID:5452
- C:\Windows\System\oubuAxx.exe
  C:\Windows\System\oubuAxx.exe
  2⤵
  PID:5512
- C:\Windows\System\CZYeuZO.exe
  C:\Windows\System\CZYeuZO.exe
  2⤵
  PID:5588
- C:\Windows\System\avcNNay.exe
  C:\Windows\System\avcNNay.exe
  2⤵
  PID:5648
- C:\Windows\System\ZBlVqzZ.exe
  C:\Windows\System\ZBlVqzZ.exe
  2⤵
  PID:5712
- C:\Windows\System\DtDQajx.exe
  C:\Windows\System\DtDQajx.exe
  2⤵
  PID:5772
- C:\Windows\System\CJtearX.exe
  C:\Windows\System\CJtearX.exe
  2⤵
  PID:5848
- C:\Windows\System\PwKZsZd.exe
  C:\Windows\System\PwKZsZd.exe
  2⤵
  PID:5912
- C:\Windows\System\bnUKvze.exe
  C:\Windows\System\bnUKvze.exe
  2⤵
  PID:5972
- C:\Windows\System\WDVvzyJ.exe
  C:\Windows\System\WDVvzyJ.exe
  2⤵
  PID:6048
- C:\Windows\System\OGxqoib.exe
  C:\Windows\System\OGxqoib.exe
  2⤵
  PID:6108
- C:\Windows\System\COHAnig.exe
  C:\Windows\System\COHAnig.exe
  2⤵
  PID:4496
- C:\Windows\System\FGwfIjE.exe
  C:\Windows\System\FGwfIjE.exe
  2⤵
  PID:4536
- C:\Windows\System\bTJGeWC.exe
  C:\Windows\System\bTJGeWC.exe
  2⤵
  PID:5228
- C:\Windows\System\OSOgNUP.exe
  C:\Windows\System\OSOgNUP.exe
  2⤵
  PID:5364
- C:\Windows\System\TUxlYzj.exe
  C:\Windows\System\TUxlYzj.exe
  2⤵
  PID:5540
- C:\Windows\System\nHwjnGi.exe
  C:\Windows\System\nHwjnGi.exe
  2⤵
  PID:5744
- C:\Windows\System\ByHAHLz.exe
  C:\Windows\System\ByHAHLz.exe
  2⤵
  PID:6164
- C:\Windows\System\gUceUJl.exe
  C:\Windows\System\gUceUJl.exe
  2⤵
  PID:6192
- C:\Windows\System\DaTXxgy.exe
  C:\Windows\System\DaTXxgy.exe
  2⤵
  PID:6220
- C:\Windows\System\jwidWif.exe
  C:\Windows\System\jwidWif.exe
  2⤵
  PID:6248
- C:\Windows\System\mKWAXzG.exe
  C:\Windows\System\mKWAXzG.exe
  2⤵
  PID:6276
- C:\Windows\System\hcVcTTp.exe
  C:\Windows\System\hcVcTTp.exe
  2⤵
  PID:6304
- C:\Windows\System\FJMQIDg.exe
  C:\Windows\System\FJMQIDg.exe
  2⤵
  PID:6332
- C:\Windows\System\EoKPOUU.exe
  C:\Windows\System\EoKPOUU.exe
  2⤵
  PID:6360
- C:\Windows\System\wHgXiTh.exe
  C:\Windows\System\wHgXiTh.exe
  2⤵
  PID:6388
- C:\Windows\System\KvkBpIX.exe
  C:\Windows\System\KvkBpIX.exe
  2⤵
  PID:6412
- C:\Windows\System\yfDkpFv.exe
  C:\Windows\System\yfDkpFv.exe
  2⤵
  PID:6444
- C:\Windows\System\YXIHpam.exe
  C:\Windows\System\YXIHpam.exe
  2⤵
  PID:6476
- C:\Windows\System\lhWAbZk.exe
  C:\Windows\System\lhWAbZk.exe
  2⤵
  PID:6508
- C:\Windows\System\rWotxVU.exe
  C:\Windows\System\rWotxVU.exe
  2⤵
  PID:6536
- C:\Windows\System\fKHrzOW.exe
  C:\Windows\System\fKHrzOW.exe
  2⤵
  PID:6568
- C:\Windows\System\AoLWAGc.exe
  C:\Windows\System\AoLWAGc.exe
  2⤵
  PID:6600
- C:\Windows\System\qmISkQe.exe
  C:\Windows\System\qmISkQe.exe
  2⤵
  PID:6628
- C:\Windows\System\AgpxOWw.exe
  C:\Windows\System\AgpxOWw.exe
  2⤵
  PID:6656
- C:\Windows\System\FxIfZpz.exe
  C:\Windows\System\FxIfZpz.exe
  2⤵
  PID:6684
- C:\Windows\System\CmLkXsh.exe
  C:\Windows\System\CmLkXsh.exe
  2⤵
  PID:6712
- C:\Windows\System\YUowwlo.exe
  C:\Windows\System\YUowwlo.exe
  2⤵
  PID:6740
- C:\Windows\System\FwZiVDG.exe
  C:\Windows\System\FwZiVDG.exe
  2⤵
  PID:6768
- C:\Windows\System\RjLLmeN.exe
  C:\Windows\System\RjLLmeN.exe
  2⤵
  PID:6796
- C:\Windows\System\EJuutWt.exe
  C:\Windows\System\EJuutWt.exe
  2⤵
  PID:6824
- C:\Windows\System\KvuFRnQ.exe
  C:\Windows\System\KvuFRnQ.exe
  2⤵
  PID:6852
- C:\Windows\System\TlZlJbE.exe
  C:\Windows\System\TlZlJbE.exe
  2⤵
  PID:6880
- C:\Windows\System\LNytbPs.exe
  C:\Windows\System\LNytbPs.exe
  2⤵
  PID:6908
- C:\Windows\System\dVTsXVH.exe
  C:\Windows\System\dVTsXVH.exe
  2⤵
  PID:6936
- C:\Windows\System\lHMgURf.exe
  C:\Windows\System\lHMgURf.exe
  2⤵
  PID:6964
- C:\Windows\System\qcDOkui.exe
  C:\Windows\System\qcDOkui.exe
  2⤵
  PID:6992
- C:\Windows\System\yWRmwzU.exe
  C:\Windows\System\yWRmwzU.exe
  2⤵
  PID:7020
- C:\Windows\System\eysHCSZ.exe
  C:\Windows\System\eysHCSZ.exe
  2⤵
  PID:7048
- C:\Windows\System\dGtVayg.exe
  C:\Windows\System\dGtVayg.exe
  2⤵
  PID:7076
- C:\Windows\System\aKEreec.exe
  C:\Windows\System\aKEreec.exe
  2⤵
  PID:7104
- C:\Windows\System\gEgNTlk.exe
  C:\Windows\System\gEgNTlk.exe
  2⤵
  PID:7132
- C:\Windows\System\qGqIYVU.exe
  C:\Windows\System\qGqIYVU.exe
  2⤵
  PID:7160
- C:\Windows\System\TgzPLMd.exe
  C:\Windows\System\TgzPLMd.exe
  2⤵
  PID:5884
- C:\Windows\System\RXXDobt.exe
  C:\Windows\System\RXXDobt.exe
  2⤵
  PID:6076
- C:\Windows\System\uDDwgse.exe
  C:\Windows\System\uDDwgse.exe
  2⤵
  PID:1804
- C:\Windows\System\ZGRvxbi.exe
  C:\Windows\System\ZGRvxbi.exe
  2⤵
  PID:5340
- C:\Windows\System\DSTximJ.exe
  C:\Windows\System\DSTximJ.exe
  2⤵
  PID:6148
- C:\Windows\System\bQiKKZV.exe
  C:\Windows\System\bQiKKZV.exe
  2⤵
  PID:6208
- C:\Windows\System\wgCCnhv.exe
  C:\Windows\System\wgCCnhv.exe
  2⤵
  PID:6268
- C:\Windows\System\mNPxKmk.exe
  C:\Windows\System\mNPxKmk.exe
  2⤵
  PID:6324
- C:\Windows\System\izNBJjk.exe
  C:\Windows\System\izNBJjk.exe
  2⤵
  PID:6380
- C:\Windows\System\zPAtRaS.exe
  C:\Windows\System\zPAtRaS.exe
  2⤵
  PID:6456
- C:\Windows\System\UfLoyku.exe
  C:\Windows\System\UfLoyku.exe
  2⤵
  PID:6524
- C:\Windows\System\QZYolhU.exe
  C:\Windows\System\QZYolhU.exe
  2⤵
  PID:6584
- C:\Windows\System\KfwOEcA.exe
  C:\Windows\System\KfwOEcA.exe
  2⤵
  PID:6648
- C:\Windows\System\VUbudqo.exe
  C:\Windows\System\VUbudqo.exe
  2⤵
  PID:6724
- C:\Windows\System\NLxxsOz.exe
  C:\Windows\System\NLxxsOz.exe
  2⤵
  PID:6784
- C:\Windows\System\NMWbGIM.exe
  C:\Windows\System\NMWbGIM.exe
  2⤵
  PID:6844
- C:\Windows\System\DZvyLGc.exe
  C:\Windows\System\DZvyLGc.exe
  2⤵
  PID:6920
- C:\Windows\System\RBAskdy.exe
  C:\Windows\System\RBAskdy.exe
  2⤵
  PID:6980
- C:\Windows\System\eKvbSCo.exe
  C:\Windows\System\eKvbSCo.exe
  2⤵
  PID:7040
- C:\Windows\System\aXyaCvP.exe
  C:\Windows\System\aXyaCvP.exe
  2⤵
  PID:7116
- C:\Windows\System\GYUvGRi.exe
  C:\Windows\System\GYUvGRi.exe
  2⤵
  PID:5828
- C:\Windows\System\zlTTvQC.exe
  C:\Windows\System\zlTTvQC.exe
  2⤵
  PID:1784
- C:\Windows\System\YMJgGRO.exe
  C:\Windows\System\YMJgGRO.exe
  2⤵
  PID:6176
- C:\Windows\System\raMXEpd.exe
  C:\Windows\System\raMXEpd.exe
  2⤵
  PID:6296
- C:\Windows\System\eZKcMEO.exe
  C:\Windows\System\eZKcMEO.exe
  2⤵
  PID:6432
- C:\Windows\System\wHlIvCW.exe
  C:\Windows\System\wHlIvCW.exe
  2⤵
  PID:6560
- C:\Windows\System\nloWNnr.exe
  C:\Windows\System\nloWNnr.exe
  2⤵
  PID:6752
- C:\Windows\System\cjejSZC.exe
  C:\Windows\System\cjejSZC.exe
  2⤵
  PID:6872
- C:\Windows\System\CBXgkbl.exe
  C:\Windows\System\CBXgkbl.exe
  2⤵
  PID:7012
- C:\Windows\System\pceyIvn.exe
  C:\Windows\System\pceyIvn.exe
  2⤵
  PID:7192
- C:\Windows\System\zhMSWRn.exe
  C:\Windows\System\zhMSWRn.exe
  2⤵
  PID:7220
- C:\Windows\System\zgsZatm.exe
  C:\Windows\System\zgsZatm.exe
  2⤵
  PID:7248
- C:\Windows\System\ctdVBBf.exe
  C:\Windows\System\ctdVBBf.exe
  2⤵
  PID:7276
- C:\Windows\System\NFtagOY.exe
  C:\Windows\System\NFtagOY.exe
  2⤵
  PID:7304
- C:\Windows\System\aTYmnxd.exe
  C:\Windows\System\aTYmnxd.exe
  2⤵
  PID:7332
- C:\Windows\System\KCXdCOy.exe
  C:\Windows\System\KCXdCOy.exe
  2⤵
  PID:7360
- C:\Windows\System\gHQZRFK.exe
  C:\Windows\System\gHQZRFK.exe
  2⤵
  PID:7388
- C:\Windows\System\oCIkLyO.exe
  C:\Windows\System\oCIkLyO.exe
  2⤵
  PID:7416
- C:\Windows\System\AgweOPL.exe
  C:\Windows\System\AgweOPL.exe
  2⤵
  PID:7444
- C:\Windows\System\TzpeRsH.exe
  C:\Windows\System\TzpeRsH.exe
  2⤵
  PID:7472
- C:\Windows\System\UXImDGj.exe
  C:\Windows\System\UXImDGj.exe
  2⤵
  PID:7500
- C:\Windows\System\RqgINXe.exe
  C:\Windows\System\RqgINXe.exe
  2⤵
  PID:7528
- C:\Windows\System\NGoPkBS.exe
  C:\Windows\System\NGoPkBS.exe
  2⤵
  PID:7556
- C:\Windows\System\gbRRohi.exe
  C:\Windows\System\gbRRohi.exe
  2⤵
  PID:7592
- C:\Windows\System\ocSdVtE.exe
  C:\Windows\System\ocSdVtE.exe
  2⤵
  PID:7624
- C:\Windows\System\piAHJjZ.exe
  C:\Windows\System\piAHJjZ.exe
  2⤵
  PID:7652
- C:\Windows\System\eePLbJU.exe
  C:\Windows\System\eePLbJU.exe
  2⤵
  PID:7668
- C:\Windows\System\ZPIkctN.exe
  C:\Windows\System\ZPIkctN.exe
  2⤵
  PID:7696
- C:\Windows\System\DsAZuZB.exe
  C:\Windows\System\DsAZuZB.exe
  2⤵
  PID:7724
- C:\Windows\System\IQNnrNX.exe
  C:\Windows\System\IQNnrNX.exe
  2⤵
  PID:7756
- C:\Windows\System\qrAfYWN.exe
  C:\Windows\System\qrAfYWN.exe
  2⤵
  PID:7780
- C:\Windows\System\lbDTfdB.exe
  C:\Windows\System\lbDTfdB.exe
  2⤵
  PID:7808
- C:\Windows\System\VnBahqW.exe
  C:\Windows\System\VnBahqW.exe
  2⤵
  PID:7836
- C:\Windows\System\dSNFWOq.exe
  C:\Windows\System\dSNFWOq.exe
  2⤵
  PID:7864
- C:\Windows\System\RPEXQPL.exe
  C:\Windows\System\RPEXQPL.exe
  2⤵
  PID:7892
- C:\Windows\System\kOEElpO.exe
  C:\Windows\System\kOEElpO.exe
  2⤵
  PID:7920
- C:\Windows\System\ZrXjlxD.exe
  C:\Windows\System\ZrXjlxD.exe
  2⤵
  PID:7948
- C:\Windows\System\SatKBTV.exe
  C:\Windows\System\SatKBTV.exe
  2⤵
  PID:7976
- C:\Windows\System\fQGSGxm.exe
  C:\Windows\System\fQGSGxm.exe
  2⤵
  PID:8004
- C:\Windows\System\zlypeqT.exe
  C:\Windows\System\zlypeqT.exe
  2⤵
  PID:8032
- C:\Windows\System\fOndCAo.exe
  C:\Windows\System\fOndCAo.exe
  2⤵
  PID:8056
- C:\Windows\System\mpGcOQj.exe
  C:\Windows\System\mpGcOQj.exe
  2⤵
  PID:8088
- C:\Windows\System\FlLxzhE.exe
  C:\Windows\System\FlLxzhE.exe
  2⤵
  PID:8116
- C:\Windows\System\SCkBAlc.exe
  C:\Windows\System\SCkBAlc.exe
  2⤵
  PID:8144
- C:\Windows\System\tajlefE.exe
  C:\Windows\System\tajlefE.exe
  2⤵
  PID:8172
- C:\Windows\System\VAPgWHG.exe
  C:\Windows\System\VAPgWHG.exe
  2⤵
  PID:7092
- C:\Windows\System\eoGfrNf.exe
  C:\Windows\System\eoGfrNf.exe
  2⤵
  PID:6136
- C:\Windows\System\NCoBNUg.exe
  C:\Windows\System\NCoBNUg.exe
  2⤵
  PID:6372
- C:\Windows\System\ngOwIQK.exe
  C:\Windows\System\ngOwIQK.exe
  2⤵
  PID:3900
- C:\Windows\System\qDzMrVn.exe
  C:\Windows\System\qDzMrVn.exe
  2⤵
  PID:6948
- C:\Windows\System\GZUDFwI.exe
  C:\Windows\System\GZUDFwI.exe
  2⤵
  PID:7208
- C:\Windows\System\TdqfInX.exe
  C:\Windows\System\TdqfInX.exe
  2⤵
  PID:7264
- C:\Windows\System\DjZCkfq.exe
  C:\Windows\System\DjZCkfq.exe
  2⤵
  PID:7324
- C:\Windows\System\HFjscfP.exe
  C:\Windows\System\HFjscfP.exe
  2⤵
  PID:7400
- C:\Windows\System\yZpTcCZ.exe
  C:\Windows\System\yZpTcCZ.exe
  2⤵
  PID:7456
- C:\Windows\System\wImBaUj.exe
  C:\Windows\System\wImBaUj.exe
  2⤵
  PID:7512
- C:\Windows\System\qSnIYGR.exe
  C:\Windows\System\qSnIYGR.exe
  2⤵
  PID:7588
- C:\Windows\System\JVpRAqq.exe
  C:\Windows\System\JVpRAqq.exe
  2⤵
  PID:7640
- C:\Windows\System\gmempdI.exe
  C:\Windows\System\gmempdI.exe
  2⤵
  PID:7708
- C:\Windows\System\rIOwzDd.exe
  C:\Windows\System\rIOwzDd.exe
  2⤵
  PID:7752
- C:\Windows\System\ugsRiCn.exe
  C:\Windows\System\ugsRiCn.exe
  2⤵
  PID:7820
- C:\Windows\System\FyIPLoc.exe
  C:\Windows\System\FyIPLoc.exe
  2⤵
  PID:7876
- C:\Windows\System\qGkvrBA.exe
  C:\Windows\System\qGkvrBA.exe
  2⤵
  PID:7912
- C:\Windows\System\aMVvIxj.exe
  C:\Windows\System\aMVvIxj.exe
  2⤵
  PID:7988
- C:\Windows\System\srymZkp.exe
  C:\Windows\System\srymZkp.exe
  2⤵
  PID:8048
- C:\Windows\System\qydyKxC.exe
  C:\Windows\System\qydyKxC.exe
  2⤵
  PID:8104
- C:\Windows\System\nqgxgKr.exe
  C:\Windows\System\nqgxgKr.exe
  2⤵
  PID:4028
- C:\Windows\System\nAOyEsP.exe
  C:\Windows\System\nAOyEsP.exe
  2⤵
  PID:1892
- C:\Windows\System\UTMXYKl.exe
  C:\Windows\System\UTMXYKl.exe
  2⤵
  PID:6240
- C:\Windows\System\eTeIOZg.exe
  C:\Windows\System\eTeIOZg.exe
  2⤵
  PID:7176
- C:\Windows\System\RoqhVvg.exe
  C:\Windows\System\RoqhVvg.exe
  2⤵
  PID:7296
- C:\Windows\System\piRJHlh.exe
  C:\Windows\System\piRJHlh.exe
  2⤵
  PID:3660
- C:\Windows\System\JBHjqjE.exe
  C:\Windows\System\JBHjqjE.exe
  2⤵
  PID:7488
- C:\Windows\System\cJcBMZT.exe
  C:\Windows\System\cJcBMZT.exe
  2⤵
  PID:7616
- C:\Windows\System\mouamEi.exe
  C:\Windows\System\mouamEi.exe
  2⤵
  PID:7716
- C:\Windows\System\CDVcqkW.exe
  C:\Windows\System\CDVcqkW.exe
  2⤵
  PID:8136
- C:\Windows\System\ScNuOtr.exe
  C:\Windows\System\ScNuOtr.exe
  2⤵
  PID:3104
- C:\Windows\System\OXCJDva.exe
  C:\Windows\System\OXCJDva.exe
  2⤵
  PID:2972
- C:\Windows\System\BAnqWhq.exe
  C:\Windows\System\BAnqWhq.exe
  2⤵
  PID:6700
- C:\Windows\System\LZcjEWf.exe
  C:\Windows\System\LZcjEWf.exe
  2⤵
  PID:1996
- C:\Windows\System\rxLdvrE.exe
  C:\Windows\System\rxLdvrE.exe
  2⤵
  PID:544
- C:\Windows\System\ZfbyyTq.exe
  C:\Windows\System\ZfbyyTq.exe
  2⤵
  PID:692
- C:\Windows\System\qwuJBTy.exe
  C:\Windows\System\qwuJBTy.exe
  2⤵
  PID:7684
- C:\Windows\System\BkeDpOJ.exe
  C:\Windows\System\BkeDpOJ.exe
  2⤵
  PID:2544
- C:\Windows\System\SBXHBFd.exe
  C:\Windows\System\SBXHBFd.exe
  2⤵
  PID:4952
- C:\Windows\System\TitjwmP.exe
  C:\Windows\System\TitjwmP.exe
  2⤵
  PID:1216
- C:\Windows\System\clfNolL.exe
  C:\Windows\System\clfNolL.exe
  2⤵
  PID:6460
- C:\Windows\System\otfUmUD.exe
  C:\Windows\System\otfUmUD.exe
  2⤵
  PID:3176
- C:\Windows\System\twrzDZP.exe
  C:\Windows\System\twrzDZP.exe
  2⤵
  PID:8128
- C:\Windows\System\tdmQFAk.exe
  C:\Windows\System\tdmQFAk.exe
  2⤵
  PID:1816
- C:\Windows\System\AfLhvGA.exe
  C:\Windows\System\AfLhvGA.exe
  2⤵
  PID:7372
- C:\Windows\System\GKIiNcP.exe
  C:\Windows\System\GKIiNcP.exe
  2⤵
  PID:3344
- C:\Windows\System\zbaKHuB.exe
  C:\Windows\System\zbaKHuB.exe
  2⤵
  PID:2112
- C:\Windows\System\zkhEQVv.exe
  C:\Windows\System\zkhEQVv.exe
  2⤵
  PID:4184
- C:\Windows\System\CSzwdON.exe
  C:\Windows\System\CSzwdON.exe
  2⤵
  PID:8212
- C:\Windows\System\TBwoEdh.exe
  C:\Windows\System\TBwoEdh.exe
  2⤵
  PID:8232
- C:\Windows\System\iBvKkRt.exe
  C:\Windows\System\iBvKkRt.exe
  2⤵
  PID:8260
- C:\Windows\System\lYrvvyw.exe
  C:\Windows\System\lYrvvyw.exe
  2⤵
  PID:8276
- C:\Windows\System\ggAiaJi.exe
  C:\Windows\System\ggAiaJi.exe
  2⤵
  PID:8304
- C:\Windows\System\eJVqrZX.exe
  C:\Windows\System\eJVqrZX.exe
  2⤵
  PID:8352
- C:\Windows\System\qOkKcTu.exe
  C:\Windows\System\qOkKcTu.exe
  2⤵
  PID:8400
- C:\Windows\System\Xksqnhz.exe
  C:\Windows\System\Xksqnhz.exe
  2⤵
  PID:8424
- C:\Windows\System\mYFNByu.exe
  C:\Windows\System\mYFNByu.exe
  2⤵
  PID:8512
- C:\Windows\System\kIKVUbw.exe
  C:\Windows\System\kIKVUbw.exe
  2⤵
  PID:8540
- C:\Windows\System\kSEcOKO.exe
  C:\Windows\System\kSEcOKO.exe
  2⤵
  PID:8564
- C:\Windows\System\MtXkCyT.exe
  C:\Windows\System\MtXkCyT.exe
  2⤵
  PID:8596
- C:\Windows\System\iCLpOeT.exe
  C:\Windows\System\iCLpOeT.exe
  2⤵
  PID:8612
- C:\Windows\System\UDsBAzk.exe
  C:\Windows\System\UDsBAzk.exe
  2⤵
  PID:8648
- C:\Windows\System\YxHxYHV.exe
  C:\Windows\System\YxHxYHV.exe
  2⤵
  PID:8680
- C:\Windows\System\yJBheYB.exe
  C:\Windows\System\yJBheYB.exe
  2⤵
  PID:8704
- C:\Windows\System\RfxUlJF.exe
  C:\Windows\System\RfxUlJF.exe
  2⤵
  PID:8724
- C:\Windows\System\QmYHKLk.exe
  C:\Windows\System\QmYHKLk.exe
  2⤵
  PID:8756
- C:\Windows\System\YZZuTel.exe
  C:\Windows\System\YZZuTel.exe
  2⤵
  PID:8780
- C:\Windows\System\UtPtlwx.exe
  C:\Windows\System\UtPtlwx.exe
  2⤵
  PID:8820
- C:\Windows\System\kdLcNdx.exe
  C:\Windows\System\kdLcNdx.exe
  2⤵
  PID:8848
- C:\Windows\System\qoEcXTA.exe
  C:\Windows\System\qoEcXTA.exe
  2⤵
  PID:8876
- C:\Windows\System\jDeYxVQ.exe
  C:\Windows\System\jDeYxVQ.exe
  2⤵
  PID:8904
- C:\Windows\System\DuTkRak.exe
  C:\Windows\System\DuTkRak.exe
  2⤵
  PID:8920
- C:\Windows\System\jsaxnzs.exe
  C:\Windows\System\jsaxnzs.exe
  2⤵
  PID:8960
- C:\Windows\System\Mlgnhty.exe
  C:\Windows\System\Mlgnhty.exe
  2⤵
  PID:8976
- C:\Windows\System\DWqeEwn.exe
  C:\Windows\System\DWqeEwn.exe
  2⤵
  PID:9004
- C:\Windows\System\Iffzzvp.exe
  C:\Windows\System\Iffzzvp.exe
  2⤵
  PID:9044
- C:\Windows\System\ctJLMgQ.exe
  C:\Windows\System\ctJLMgQ.exe
  2⤵
  PID:9060
- C:\Windows\System\spqAwLv.exe
  C:\Windows\System\spqAwLv.exe
  2⤵
  PID:9092
- C:\Windows\System\BnSEHck.exe
  C:\Windows\System\BnSEHck.exe
  2⤵
  PID:9116
- C:\Windows\System\IlJzVBC.exe
  C:\Windows\System\IlJzVBC.exe
  2⤵
  PID:9144
- C:\Windows\System\xrLWCJR.exe
  C:\Windows\System\xrLWCJR.exe
  2⤵
  PID:9176
- C:\Windows\System\pkNhogz.exe
  C:\Windows\System\pkNhogz.exe
  2⤵
  PID:9200
- C:\Windows\System\sYzrhvI.exe
  C:\Windows\System\sYzrhvI.exe
  2⤵
  PID:3100
- C:\Windows\System\XZlAJfs.exe
  C:\Windows\System\XZlAJfs.exe
  2⤵
  PID:4596
- C:\Windows\System\mfIaXEY.exe
  C:\Windows\System\mfIaXEY.exe
  2⤵
  PID:8300
- C:\Windows\System\lwAfJVe.exe
  C:\Windows\System\lwAfJVe.exe
  2⤵
  PID:8268
- C:\Windows\System\jQcapbI.exe
  C:\Windows\System\jQcapbI.exe
  2⤵
  PID:8380
- C:\Windows\System\cSwlUuG.exe
  C:\Windows\System\cSwlUuG.exe
  2⤵
  PID:8448
- C:\Windows\System\SJDwOee.exe
  C:\Windows\System\SJDwOee.exe
  2⤵
  PID:8252
- C:\Windows\System\aFJHFfn.exe
  C:\Windows\System\aFJHFfn.exe
  2⤵
  PID:8444
- C:\Windows\System\jqZFkHA.exe
  C:\Windows\System\jqZFkHA.exe
  2⤵
  PID:8608
- C:\Windows\System\NggmFmb.exe
  C:\Windows\System\NggmFmb.exe
  2⤵
  PID:8656
- C:\Windows\System\CrpLHot.exe
  C:\Windows\System\CrpLHot.exe
  2⤵
  PID:8692
- C:\Windows\System\zrxByWX.exe
  C:\Windows\System\zrxByWX.exe
  2⤵
  PID:8800
- C:\Windows\System\FuKzJyP.exe
  C:\Windows\System\FuKzJyP.exe
  2⤵
  PID:8868
- C:\Windows\System\mvgNIWP.exe
  C:\Windows\System\mvgNIWP.exe
  2⤵
  PID:8936
- C:\Windows\System\Olxpdqs.exe
  C:\Windows\System\Olxpdqs.exe
  2⤵
  PID:8968
- C:\Windows\System\QjLGhov.exe
  C:\Windows\System\QjLGhov.exe
  2⤵
  PID:9056
- C:\Windows\System\QUZkCgf.exe
  C:\Windows\System\QUZkCgf.exe
  2⤵
  PID:9136
- C:\Windows\System\spFayEk.exe
  C:\Windows\System\spFayEk.exe
  2⤵
  PID:9196
- C:\Windows\System\okVYaFM.exe
  C:\Windows\System\okVYaFM.exe
  2⤵
  PID:3792
- C:\Windows\System\tLtURoB.exe
  C:\Windows\System\tLtURoB.exe
  2⤵
  PID:8348
- C:\Windows\System\VqmqNqK.exe
  C:\Windows\System\VqmqNqK.exe
  2⤵
  PID:8024
- C:\Windows\System\mlrDwQz.exe
  C:\Windows\System\mlrDwQz.exe
  2⤵
  PID:8556
- C:\Windows\System\aFWuZUt.exe
  C:\Windows\System\aFWuZUt.exe
  2⤵
  PID:8764
- C:\Windows\System\ASWFrGP.exe
  C:\Windows\System\ASWFrGP.exe
  2⤵
  PID:8892
- C:\Windows\System\QZckFwf.exe
  C:\Windows\System\QZckFwf.exe
  2⤵
  PID:8952
- C:\Windows\System\zaUzUgM.exe
  C:\Windows\System\zaUzUgM.exe
  2⤵
  PID:9104
- C:\Windows\System\twUKRdT.exe
  C:\Windows\System\twUKRdT.exe
  2⤵
  PID:8480
- C:\Windows\System\xOrTuIt.exe
  C:\Windows\System\xOrTuIt.exe
  2⤵
  PID:8672
- C:\Windows\System\mCYgNtg.exe
  C:\Windows\System\mCYgNtg.exe
  2⤵
  PID:8992
- C:\Windows\System\LQHmrDK.exe
  C:\Windows\System\LQHmrDK.exe
  2⤵
  PID:4996
- C:\Windows\System\kuyNglL.exe
  C:\Windows\System\kuyNglL.exe
  2⤵
  PID:8912
- C:\Windows\System\UjLOjPQ.exe
  C:\Windows\System\UjLOjPQ.exe
  2⤵
  PID:8340
- C:\Windows\System\JoYxkju.exe
  C:\Windows\System\JoYxkju.exe
  2⤵
  PID:9228
- C:\Windows\System\HzxEcIA.exe
  C:\Windows\System\HzxEcIA.exe
  2⤵
  PID:9268
- C:\Windows\System\vZoVfAo.exe
  C:\Windows\System\vZoVfAo.exe
  2⤵
  PID:9300
- C:\Windows\System\JRELlpJ.exe
  C:\Windows\System\JRELlpJ.exe
  2⤵
  PID:9324
- C:\Windows\System\rZapgmY.exe
  C:\Windows\System\rZapgmY.exe
  2⤵
  PID:9364
- C:\Windows\System\TxZsAJk.exe
  C:\Windows\System\TxZsAJk.exe
  2⤵
  PID:9384
- C:\Windows\System\DWQOgnf.exe
  C:\Windows\System\DWQOgnf.exe
  2⤵
  PID:9408
- C:\Windows\System\CHvhcKU.exe
  C:\Windows\System\CHvhcKU.exe
  2⤵
  PID:9448
- C:\Windows\System\yxQxNMN.exe
  C:\Windows\System\yxQxNMN.exe
  2⤵
  PID:9476
- C:\Windows\System\EaTnrLE.exe
  C:\Windows\System\EaTnrLE.exe
  2⤵
  PID:9504
- C:\Windows\System\wfVKLxx.exe
  C:\Windows\System\wfVKLxx.exe
  2⤵
  PID:9532
- C:\Windows\System\HSskUJi.exe
  C:\Windows\System\HSskUJi.exe
  2⤵
  PID:9560
- C:\Windows\System\OrdJICX.exe
  C:\Windows\System\OrdJICX.exe
  2⤵
  PID:9588
- C:\Windows\System\PZostck.exe
  C:\Windows\System\PZostck.exe
  2⤵
  PID:9616
- C:\Windows\System\NvzIluU.exe
  C:\Windows\System\NvzIluU.exe
  2⤵
  PID:9632
- C:\Windows\System\oSpKNjw.exe
  C:\Windows\System\oSpKNjw.exe
  2⤵
  PID:9656
- C:\Windows\System\UqvGBXQ.exe
  C:\Windows\System\UqvGBXQ.exe
  2⤵
  PID:9700
- C:\Windows\System\cwvJWzK.exe
  C:\Windows\System\cwvJWzK.exe
  2⤵
  PID:9716
- C:\Windows\System\ChieQAh.exe
  C:\Windows\System\ChieQAh.exe
  2⤵
  PID:9748
- C:\Windows\System\ynRjFGu.exe
  C:\Windows\System\ynRjFGu.exe
  2⤵
  PID:9772
- C:\Windows\System\IqAXAFA.exe
  C:\Windows\System\IqAXAFA.exe
  2⤵
  PID:9792
- C:\Windows\System\jsTExSg.exe
  C:\Windows\System\jsTExSg.exe
  2⤵
  PID:9828
- C:\Windows\System\qFrNCgZ.exe
  C:\Windows\System\qFrNCgZ.exe
  2⤵
  PID:9848
- C:\Windows\System\xvhFHzv.exe
  C:\Windows\System\xvhFHzv.exe
  2⤵
  PID:9884
- C:\Windows\System\rIIpUKW.exe
  C:\Windows\System\rIIpUKW.exe
  2⤵
  PID:9912
- C:\Windows\System\hDcjjfl.exe
  C:\Windows\System\hDcjjfl.exe
  2⤵
  PID:9944
- C:\Windows\System\oQZldCT.exe
  C:\Windows\System\oQZldCT.exe
  2⤵
  PID:9976
- C:\Windows\System\ilVPtOm.exe
  C:\Windows\System\ilVPtOm.exe
  2⤵
  PID:10008
- C:\Windows\System\VGlEHwx.exe
  C:\Windows\System\VGlEHwx.exe
  2⤵
  PID:10024
- C:\Windows\System\kJjHNky.exe
  C:\Windows\System\kJjHNky.exe
  2⤵
  PID:10056
- C:\Windows\System\SuSYEkL.exe
  C:\Windows\System\SuSYEkL.exe
  2⤵
  PID:10076
- C:\Windows\System\BMHnyER.exe
  C:\Windows\System\BMHnyER.exe
  2⤵
  PID:10100
- C:\Windows\System\mKwzJRR.exe
  C:\Windows\System\mKwzJRR.exe
  2⤵
  PID:10124
- C:\Windows\System\OKswovS.exe
  C:\Windows\System\OKswovS.exe
  2⤵
  PID:10224
- C:\Windows\System\EspEBQj.exe
  C:\Windows\System\EspEBQj.exe
  2⤵
  PID:9240
- C:\Windows\System\hFdbxbm.exe
  C:\Windows\System\hFdbxbm.exe
  2⤵
  PID:9352
- C:\Windows\System\mFIyxpV.exe
  C:\Windows\System\mFIyxpV.exe
  2⤵
  PID:9580
- C:\Windows\System\rJLycRa.exe
  C:\Windows\System\rJLycRa.exe
  2⤵
  PID:9652
- C:\Windows\System\YvbdjBl.exe
  C:\Windows\System\YvbdjBl.exe
  2⤵
  PID:9764
- C:\Windows\System\bXupqfF.exe
  C:\Windows\System\bXupqfF.exe
  2⤵
  PID:9872
- C:\Windows\System\GGPmGDt.exe
  C:\Windows\System\GGPmGDt.exe
  2⤵
  PID:9952
- C:\Windows\System\dIcetjt.exe
  C:\Windows\System\dIcetjt.exe
  2⤵
  PID:10036
- C:\Windows\System\lOJgrWO.exe
  C:\Windows\System\lOJgrWO.exe
  2⤵
  PID:10156
- C:\Windows\System\OohKagt.exe
  C:\Windows\System\OohKagt.exe
  2⤵
  PID:5064
- C:\Windows\System\bXRhutF.exe
  C:\Windows\System\bXRhutF.exe
  2⤵
  PID:9628
- C:\Windows\System\nIENImn.exe
  C:\Windows\System\nIENImn.exe
  2⤵
  PID:9732
- C:\Windows\System\FBWmsWc.exe
  C:\Windows\System\FBWmsWc.exe
  2⤵
  PID:10000
- C:\Windows\System\qQOdXzO.exe
  C:\Windows\System\qQOdXzO.exe
  2⤵
  PID:10232
- C:\Windows\System\CZeiNeb.exe
  C:\Windows\System\CZeiNeb.exe
  2⤵
  PID:10084
- C:\Windows\System\plCpBpa.exe
  C:\Windows\System\plCpBpa.exe
  2⤵
  PID:9968
- C:\Windows\System\xACcmBK.exe
  C:\Windows\System\xACcmBK.exe
  2⤵
  PID:9608
- C:\Windows\System\HEgWmVp.exe
  C:\Windows\System\HEgWmVp.exe
  2⤵
  PID:9728
- C:\Windows\System\QDbxPta.exe
  C:\Windows\System\QDbxPta.exe
  2⤵
  PID:9900
- C:\Windows\System\AUbEnvC.exe
  C:\Windows\System\AUbEnvC.exe
  2⤵
  PID:10184
- C:\Windows\System\mXcGSHB.exe
  C:\Windows\System\mXcGSHB.exe
  2⤵
  PID:9992
- C:\Windows\System\dAjNhhS.exe
  C:\Windows\System\dAjNhhS.exe
  2⤵
  PID:9316
- C:\Windows\System\tTjbbEF.exe
  C:\Windows\System\tTjbbEF.exe
  2⤵
  PID:10256
- C:\Windows\System\GhEgIEF.exe
  C:\Windows\System\GhEgIEF.exe
  2⤵
  PID:10320
- C:\Windows\System\LQulhtS.exe
  C:\Windows\System\LQulhtS.exe
  2⤵
  PID:10360
- C:\Windows\System\DgafrPp.exe
  C:\Windows\System\DgafrPp.exe
  2⤵
  PID:10412
- C:\Windows\System\iUkutpD.exe
  C:\Windows\System\iUkutpD.exe
  2⤵
  PID:10472
- C:\Windows\System\TzNxALU.exe
  C:\Windows\System\TzNxALU.exe
  2⤵
  PID:10512
- C:\Windows\System\zkNAagW.exe
  C:\Windows\System\zkNAagW.exe
  2⤵
  PID:10544
- C:\Windows\System\uhzkonu.exe
  C:\Windows\System\uhzkonu.exe
  2⤵
  PID:10592
- C:\Windows\System\PqcOIlj.exe
  C:\Windows\System\PqcOIlj.exe
  2⤵
  PID:10632
- C:\Windows\System\cMWYhjB.exe
  C:\Windows\System\cMWYhjB.exe
  2⤵
  PID:10648
- C:\Windows\System\mGyieBV.exe
  C:\Windows\System\mGyieBV.exe
  2⤵
  PID:10692
- C:\Windows\System\uDemAMT.exe
  C:\Windows\System\uDemAMT.exe
  2⤵
  PID:10748
- C:\Windows\System\AoRhnzd.exe
  C:\Windows\System\AoRhnzd.exe
  2⤵
  PID:10828
- C:\Windows\System\XmCpPio.exe
  C:\Windows\System\XmCpPio.exe
  2⤵
  PID:10880
- C:\Windows\System\DpmuzbI.exe
  C:\Windows\System\DpmuzbI.exe
  2⤵
  PID:10936
- C:\Windows\System\bNluiyP.exe
  C:\Windows\System\bNluiyP.exe
  2⤵
  PID:10980
- C:\Windows\System\atjBKtA.exe
  C:\Windows\System\atjBKtA.exe
  2⤵
  PID:11004
- C:\Windows\System\XxOgjEG.exe
  C:\Windows\System\XxOgjEG.exe
  2⤵
  PID:11048
- C:\Windows\System\ibooxWO.exe
  C:\Windows\System\ibooxWO.exe
  2⤵
  PID:11100
- C:\Windows\System\pWDKIvR.exe
  C:\Windows\System\pWDKIvR.exe
  2⤵
  PID:11120
- C:\Windows\System\Jcgpqtr.exe
  C:\Windows\System\Jcgpqtr.exe
  2⤵
  PID:11172
- C:\Windows\System\jKouhYm.exe
  C:\Windows\System\jKouhYm.exe
  2⤵
  PID:11200
- C:\Windows\System\vKAbUxI.exe
  C:\Windows\System\vKAbUxI.exe
  2⤵
  PID:11228
- C:\Windows\System\HKTabRC.exe
  C:\Windows\System\HKTabRC.exe
  2⤵
  PID:11248
- C:\Windows\System\aWDBgAh.exe
  C:\Windows\System\aWDBgAh.exe
  2⤵
  PID:10280
- C:\Windows\System\qIOPbBP.exe
  C:\Windows\System\qIOPbBP.exe
  2⤵
  PID:10300
- C:\Windows\System\whkcgck.exe
  C:\Windows\System\whkcgck.exe
  2⤵
  PID:10332
- C:\Windows\System\BtZNvFB.exe
  C:\Windows\System\BtZNvFB.exe
  2⤵
  PID:10460
- C:\Windows\System\VtnXyWw.exe
  C:\Windows\System\VtnXyWw.exe
  2⤵
  PID:10508
- C:\Windows\System\ocFVuUT.exe
  C:\Windows\System\ocFVuUT.exe
  2⤵
  PID:10532
- C:\Windows\System\PcCwZEP.exe
  C:\Windows\System\PcCwZEP.exe
  2⤵
  PID:10616
- C:\Windows\System\FsOYSrI.exe
  C:\Windows\System\FsOYSrI.exe
  2⤵
  PID:10612
- C:\Windows\System\RrRUozG.exe
  C:\Windows\System\RrRUozG.exe
  2⤵
  PID:10708
- C:\Windows\System\QskKmPf.exe
  C:\Windows\System\QskKmPf.exe
  2⤵
  PID:10808
- C:\Windows\System\nSugRtB.exe
  C:\Windows\System\nSugRtB.exe
  2⤵
  PID:10800
- C:\Windows\System\nxWMThS.exe
  C:\Windows\System\nxWMThS.exe
  2⤵
  PID:10876
- C:\Windows\System\FtRBsNV.exe
  C:\Windows\System\FtRBsNV.exe
  2⤵
  PID:10948
- C:\Windows\System\IwOArAO.exe
  C:\Windows\System\IwOArAO.exe
  2⤵
  PID:10928
- C:\Windows\System\RvHVCvH.exe
  C:\Windows\System\RvHVCvH.exe
  2⤵
  PID:10972
- C:\Windows\System\ALxOOTy.exe
  C:\Windows\System\ALxOOTy.exe
  2⤵
  PID:11024
- C:\Windows\System\juUKdbT.exe
  C:\Windows\System\juUKdbT.exe
  2⤵
  PID:11116
- C:\Windows\System\gkPHsYh.exe
  C:\Windows\System\gkPHsYh.exe
  2⤵
  PID:11240
- C:\Windows\System\EUDyNSa.exe
  C:\Windows\System\EUDyNSa.exe
  2⤵
  PID:10072
- C:\Windows\System\wodixco.exe
  C:\Windows\System\wodixco.exe
  2⤵
  PID:10312
- C:\Windows\System\ZuODLcC.exe
  C:\Windows\System\ZuODLcC.exe
  2⤵
  PID:10368
- C:\Windows\System\BAPlKhO.exe
  C:\Windows\System\BAPlKhO.exe
  2⤵
  PID:10456
- C:\Windows\System\ocDAoPN.exe
  C:\Windows\System\ocDAoPN.exe
  2⤵
  PID:10604
- C:\Windows\System\dRJMFwp.exe
  C:\Windows\System\dRJMFwp.exe
  2⤵
  PID:10660
- C:\Windows\System\sXgBoeD.exe
  C:\Windows\System\sXgBoeD.exe
  2⤵
  PID:10676
- C:\Windows\System\OSmFyAI.exe
  C:\Windows\System\OSmFyAI.exe
  2⤵
  PID:10784
- C:\Windows\System\JgKGhmn.exe
  C:\Windows\System\JgKGhmn.exe
  2⤵
  PID:10944
- C:\Windows\System\nAvoWaQ.exe
  C:\Windows\System\nAvoWaQ.exe
  2⤵
  PID:10956
- C:\Windows\System\KhoEBmL.exe
  C:\Windows\System\KhoEBmL.exe
  2⤵
  PID:11044
- C:\Windows\System\sUkuNzD.exe
  C:\Windows\System\sUkuNzD.exe
  2⤵
  PID:11112
- C:\Windows\System\PSniUlt.exe
  C:\Windows\System\PSniUlt.exe
  2⤵
  PID:10196
- C:\Windows\System\AyjFAnQ.exe
  C:\Windows\System\AyjFAnQ.exe
  2⤵
  PID:10340
- C:\Windows\System\YvPGYeE.exe
  C:\Windows\System\YvPGYeE.exe
  2⤵
  PID:10468
- C:\Windows\System\oWWbkJi.exe
  C:\Windows\System\oWWbkJi.exe
  2⤵
  PID:10732
- C:\Windows\System\AvbBHiW.exe
  C:\Windows\System\AvbBHiW.exe
  2⤵
  PID:10900
- C:\Windows\System\fKdoyqj.exe
  C:\Windows\System\fKdoyqj.exe
  2⤵
  PID:11160
- C:\Windows\System\PvREYRa.exe
  C:\Windows\System\PvREYRa.exe
  2⤵
  PID:11244
- C:\Windows\System\frrtHUd.exe
  C:\Windows\System\frrtHUd.exe
  2⤵
  PID:10772
- C:\Windows\System\orNsHpR.exe
  C:\Windows\System\orNsHpR.exe
  2⤵
  PID:10728
- C:\Windows\System\pFdryWR.exe
  C:\Windows\System\pFdryWR.exe
  2⤵
  PID:11140
- C:\Windows\System\MYGltDo.exe
  C:\Windows\System\MYGltDo.exe
  2⤵
  PID:11280
- C:\Windows\System\chrRbPn.exe
  C:\Windows\System\chrRbPn.exe
  2⤵
  PID:11308
- C:\Windows\System\NQeQEXP.exe
  C:\Windows\System\NQeQEXP.exe
  2⤵
  PID:11336
- C:\Windows\System\GAXBopt.exe
  C:\Windows\System\GAXBopt.exe
  2⤵
  PID:11364
- C:\Windows\System\CDZNMHo.exe
  C:\Windows\System\CDZNMHo.exe
  2⤵
  PID:11380
- C:\Windows\System\zGxovMx.exe
  C:\Windows\System\zGxovMx.exe
  2⤵
  PID:11412
- C:\Windows\System\hLOyovS.exe
  C:\Windows\System\hLOyovS.exe
  2⤵
  PID:11436
- C:\Windows\System\EyokPUr.exe
  C:\Windows\System\EyokPUr.exe
  2⤵
  PID:11464
- C:\Windows\System\ikraAjq.exe
  C:\Windows\System\ikraAjq.exe
  2⤵
  PID:11504
- C:\Windows\System\OHCqTFH.exe
  C:\Windows\System\OHCqTFH.exe
  2⤵
  PID:11520
- C:\Windows\System\ZKZCfLC.exe
  C:\Windows\System\ZKZCfLC.exe
  2⤵
  PID:11560
- C:\Windows\System\ebEYGvX.exe
  C:\Windows\System\ebEYGvX.exe
  2⤵
  PID:11576
- C:\Windows\System\NbBCQVR.exe
  C:\Windows\System\NbBCQVR.exe
  2⤵
  PID:11608
- C:\Windows\System\YfNEZVH.exe
  C:\Windows\System\YfNEZVH.exe
  2⤵
  PID:11632
- C:\Windows\System\weClygb.exe
  C:\Windows\System\weClygb.exe
  2⤵
  PID:11672
- C:\Windows\System\tfUYCQt.exe
  C:\Windows\System\tfUYCQt.exe
  2⤵
  PID:11688
- C:\Windows\System\VrFveSh.exe
  C:\Windows\System\VrFveSh.exe
  2⤵
  PID:11716
- C:\Windows\System\HiEQYEe.exe
  C:\Windows\System\HiEQYEe.exe
  2⤵
  PID:11732
- C:\Windows\System\IXnSKYu.exe
  C:\Windows\System\IXnSKYu.exe
  2⤵
  PID:11760
- C:\Windows\System\ONdqxtR.exe
  C:\Windows\System\ONdqxtR.exe
  2⤵
  PID:11800
- C:\Windows\System\oVMmSTi.exe
  C:\Windows\System\oVMmSTi.exe
  2⤵
  PID:11816
- C:\Windows\System\opFRIzr.exe
  C:\Windows\System\opFRIzr.exe
  2⤵
  PID:11840
- C:\Windows\System\ANIczVm.exe
  C:\Windows\System\ANIczVm.exe
  2⤵
  PID:11872
- C:\Windows\System\TJnCWRo.exe
  C:\Windows\System\TJnCWRo.exe
  2⤵
  PID:11900
- C:\Windows\System\uvHWrJL.exe
  C:\Windows\System\uvHWrJL.exe
  2⤵
  PID:11916
- C:\Windows\System\GqgANsl.exe
  C:\Windows\System\GqgANsl.exe
  2⤵
  PID:11956
- C:\Windows\System\OEGfHGS.exe
  C:\Windows\System\OEGfHGS.exe
  2⤵
  PID:12012
- C:\Windows\System\PwIyyYa.exe
  C:\Windows\System\PwIyyYa.exe
  2⤵
  PID:12028
- C:\Windows\System\OXwftFr.exe
  C:\Windows\System\OXwftFr.exe
  2⤵
  PID:12068
- C:\Windows\System\tlgDKvZ.exe
  C:\Windows\System\tlgDKvZ.exe
  2⤵
  PID:12084
- C:\Windows\System\OQZZMcf.exe
  C:\Windows\System\OQZZMcf.exe
  2⤵
  PID:12112
- C:\Windows\System\qBAospE.exe
  C:\Windows\System\qBAospE.exe
  2⤵
  PID:12140
- C:\Windows\System\JQRhITf.exe
  C:\Windows\System\JQRhITf.exe
  2⤵
  PID:12176
- C:\Windows\System\VofUGmC.exe
  C:\Windows\System\VofUGmC.exe
  2⤵
  PID:12208
- C:\Windows\System\zQkjCye.exe
  C:\Windows\System\zQkjCye.exe
  2⤵
  PID:12232
- C:\Windows\System\RszIsnv.exe
  C:\Windows\System\RszIsnv.exe
  2⤵
  PID:12256
- C:\Windows\System\wDrWcUU.exe
  C:\Windows\System\wDrWcUU.exe
  2⤵
  PID:12280
- C:\Windows\System\IDaRDuE.exe
  C:\Windows\System\IDaRDuE.exe
  2⤵
  PID:11300
- C:\Windows\System\GJQUwpb.exe
  C:\Windows\System\GJQUwpb.exe
  2⤵
  PID:11372
- C:\Windows\System\oqtJgTn.exe
  C:\Windows\System\oqtJgTn.exe
  2⤵
  PID:11424
- C:\Windows\System\CEObBse.exe
  C:\Windows\System\CEObBse.exe
  2⤵
  PID:11500
- C:\Windows\System\IPYpDwG.exe
  C:\Windows\System\IPYpDwG.exe
  2⤵
  PID:11596
- C:\Windows\System\DEzCLVA.exe
  C:\Windows\System\DEzCLVA.exe
  2⤵
  PID:11656
- C:\Windows\System\BcQDqoi.exe
  C:\Windows\System\BcQDqoi.exe
  2⤵
  PID:11752
- C:\Windows\System\sWdAvyG.exe
  C:\Windows\System\sWdAvyG.exe
  2⤵
  PID:11772
- C:\Windows\System\UnUDevh.exe
  C:\Windows\System\UnUDevh.exe
  2⤵
  PID:11884
- C:\Windows\System\zhJKxVD.exe
  C:\Windows\System\zhJKxVD.exe
  2⤵
  PID:11888
- C:\Windows\System\PHggDfF.exe
  C:\Windows\System\PHggDfF.exe
  2⤵
  PID:11996
- C:\Windows\System\LRArCcD.exe
  C:\Windows\System\LRArCcD.exe
  2⤵
  PID:12020
- C:\Windows\System\yJcuHMY.exe
  C:\Windows\System\yJcuHMY.exe
  2⤵
  PID:12100
- C:\Windows\System\NWMIlXD.exe
  C:\Windows\System\NWMIlXD.exe
  2⤵
  PID:12196
- C:\Windows\System\eVhqHkN.exe
  C:\Windows\System\eVhqHkN.exe
  2⤵
  PID:12244
- C:\Windows\System\piNUagU.exe
  C:\Windows\System\piNUagU.exe
  2⤵
  PID:11276
- C:\Windows\System\JnCkJzd.exe
  C:\Windows\System\JnCkJzd.exe
  2⤵
  PID:11488
- C:\Windows\System\vMGNrgj.exe
  C:\Windows\System\vMGNrgj.exe
  2⤵
  PID:11624
- C:\Windows\System\eWNKLmq.exe
  C:\Windows\System\eWNKLmq.exe
  2⤵
  PID:11808
- C:\Windows\System\XTalHna.exe
  C:\Windows\System\XTalHna.exe
  2⤵
  PID:4836
- C:\Windows\System\RtSHopr.exe
  C:\Windows\System\RtSHopr.exe
  2⤵
  PID:4728
- C:\Windows\System\GyyKPIy.exe
  C:\Windows\System\GyyKPIy.exe
  2⤵
  PID:12168
- C:\Windows\System\BKSvbPq.exe
  C:\Windows\System\BKSvbPq.exe
  2⤵
  PID:11396
- C:\Windows\System\KPwBaKI.exe
  C:\Windows\System\KPwBaKI.exe
  2⤵
  PID:11700
- C:\Windows\System\CGknSCq.exe
  C:\Windows\System\CGknSCq.exe
  2⤵
  PID:12152
- C:\Windows\System\EAmxMDD.exe
  C:\Windows\System\EAmxMDD.exe
  2⤵
  PID:12076
- C:\Windows\System\qdocxwK.exe
  C:\Windows\System\qdocxwK.exe
  2⤵
  PID:12292
- C:\Windows\System\xCrpYtn.exe
  C:\Windows\System\xCrpYtn.exe
  2⤵
  PID:12336
- C:\Windows\System\BTeLLaG.exe
  C:\Windows\System\BTeLLaG.exe
  2⤵
  PID:12364
- C:\Windows\System\jYLjBWM.exe
  C:\Windows\System\jYLjBWM.exe
  2⤵
  PID:12380
- C:\Windows\System\wVjuqwX.exe
  C:\Windows\System\wVjuqwX.exe
  2⤵
  PID:12420
- C:\Windows\System\hlDVsXx.exe
  C:\Windows\System\hlDVsXx.exe
  2⤵
  PID:12448
- C:\Windows\System\LVqHozB.exe
  C:\Windows\System\LVqHozB.exe
  2⤵
  PID:12476
- C:\Windows\System\WYaKDZX.exe
  C:\Windows\System\WYaKDZX.exe
  2⤵
  PID:12504
- C:\Windows\System\mfDrYPb.exe
  C:\Windows\System\mfDrYPb.exe
  2⤵
  PID:12532
- C:\Windows\System\cNhBMEl.exe
  C:\Windows\System\cNhBMEl.exe
  2⤵
  PID:12560
- C:\Windows\System\rsVrYnO.exe
  C:\Windows\System\rsVrYnO.exe
  2⤵
  PID:12588
- C:\Windows\System\UKtIifB.exe
  C:\Windows\System\UKtIifB.exe
  2⤵
  PID:12616
- C:\Windows\System\QokpdNB.exe
  C:\Windows\System\QokpdNB.exe
  2⤵
  PID:12644
- C:\Windows\System\qtrIPZQ.exe
  C:\Windows\System\qtrIPZQ.exe
  2⤵
  PID:12672
- C:\Windows\System\pzlnkiy.exe
  C:\Windows\System\pzlnkiy.exe
  2⤵
  PID:12688
- C:\Windows\System\sRqrJrr.exe
  C:\Windows\System\sRqrJrr.exe
  2⤵
  PID:12728
- C:\Windows\System\eMUKQsS.exe
  C:\Windows\System\eMUKQsS.exe
  2⤵
  PID:12756
- C:\Windows\System\iufUqeT.exe
  C:\Windows\System\iufUqeT.exe
  2⤵
  PID:12784
- C:\Windows\System\Ospntoy.exe
  C:\Windows\System\Ospntoy.exe
  2⤵
  PID:12800
- C:\Windows\System\Crwhyki.exe
  C:\Windows\System\Crwhyki.exe
  2⤵
  PID:12844
- C:\Windows\System\cMXQVOO.exe
  C:\Windows\System\cMXQVOO.exe
  2⤵
  PID:12864
- C:\Windows\System\yimwsyE.exe
  C:\Windows\System\yimwsyE.exe
  2⤵
  PID:12888
- C:\Windows\System\xpvVlDT.exe
  C:\Windows\System\xpvVlDT.exe
  2⤵
  PID:12916
- C:\Windows\System\fTvQjwg.exe
  C:\Windows\System\fTvQjwg.exe
  2⤵
  PID:12956
- C:\Windows\System\LbDvgGt.exe
  C:\Windows\System\LbDvgGt.exe
  2⤵
  PID:12984
- C:\Windows\System\luXeelu.exe
  C:\Windows\System\luXeelu.exe
  2⤵
  PID:13012
- C:\Windows\System\wqIQKlM.exe
  C:\Windows\System\wqIQKlM.exe
  2⤵
  PID:13040
- C:\Windows\System\AbtOnFv.exe
  C:\Windows\System\AbtOnFv.exe
  2⤵
  PID:13068
- C:\Windows\System\mBHZNuL.exe
  C:\Windows\System\mBHZNuL.exe
  2⤵
  PID:13096
- C:\Windows\System\XRVvDlJ.exe
  C:\Windows\System\XRVvDlJ.exe
  2⤵
  PID:13124
- C:\Windows\System\pFwFQsK.exe
  C:\Windows\System\pFwFQsK.exe
  2⤵
  PID:13152
- C:\Windows\System\jaHiDMz.exe
  C:\Windows\System\jaHiDMz.exe
  2⤵
  PID:13180
- C:\Windows\System\WZDAIsH.exe
  C:\Windows\System\WZDAIsH.exe
  2⤵
  PID:13208
- C:\Windows\System\kfIxQQV.exe
  C:\Windows\System\kfIxQQV.exe
  2⤵
  PID:13236
- C:\Windows\System\EcxkGJF.exe
  C:\Windows\System\EcxkGJF.exe
  2⤵
  PID:13256
- C:\Windows\System\DVXTqoe.exe
  C:\Windows\System\DVXTqoe.exe
  2⤵
  PID:13280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,11746347647270949551,7786733067759450703,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
1⤵
PID:8080

C:\Windows\system32\WerFaultSecure.exe
C:\Windows\system32\WerFaultSecure.exe -u -p 2024 -s 2180
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:12684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fagzs2f5.0nn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AywqGCB.exe

Filesize
2.8MB

MD5
1fd0055976df21d826f6d6fd8fab69ac

SHA1
418da76084611f13431bb6de71858b5591f9e398

SHA256
5cf4604e7d99912a9dce9861d37a8855ec423282169c6089ce1a33aad264608c

SHA512
6452533b141cf019b7e874c12b82789c7462d5f3341741411f2a07448c4038f027b18fbd059e6ff80a14b45e876260003ee03c2f7acb2506e145cbbf939e4e53

Download Submit
C:\Windows\System\CjCYdCe.exe

Filesize
2.8MB

MD5
ff6f075bc33f5fd0c08d56b99a1a715a

SHA1
bd88a46199e2ada48668b09d65a9b2e021fee213

SHA256
531ab40c618486d799f93c6d9942c72ee2a8e8c9382cc35819aa0dda0cf7d393

SHA512
8cbde14188a60e4461c219c8b8e0558b77385a7ce1eb1540a6d36421d0d098cd98d30c4ee30286d8b770a308e4b25a65f41a81c72fb99aa9a83935d997e1c31a

Download Submit
C:\Windows\System\CsbwyDI.exe

Filesize
2.8MB

MD5
4f6ac9ebab412f69386c5730232a3133

SHA1
ebacfe2112b5b1f3f5010d6afc516122aec59cdb

SHA256
67d32c77c6964fc63cf2f683d5ab4816c2825c52e5380dc650d64ff6c8c1164e

SHA512
40f7b6cd21ddca93dd59f10fffdb5c4e0494e4c0c8ee13f2705cfe48848ea81425cf8a5b6639aa2a0977cba60d17ff3850b86e2f68a0c63d3555ddfac63b281c

Download Submit
C:\Windows\System\CtVzZpy.exe

Filesize
2.8MB

MD5
0e81814f2af8b7c9b426718faf4c2e98

SHA1
1e30319ae8e2904ea090f1896bf48364c5060c3b

SHA256
c3c3f3ca2360938fdabbe381a36004240d3367d896e88d242d89863021f78c26

SHA512
c34c53ea1bf20e7f1bf2dc2e9bc7b1c580b12c88020fa4bea405d5ca286c905030359f6cc24cb47bfd13aa1d121b7ca06fdae49cb969c5a54d1c44eb18ef8a0f

Download Submit
C:\Windows\System\DJvcDJX.exe

Filesize
2.8MB

MD5
b4c3cd484ca72b5683c2e18a152fbd7b

SHA1
ea86de67e5cdd82b0f0e643d36eee8328d97e4e4

SHA256
d7aa25e321340d70a5d18b28c7736261b2844ca6c2b67f321c675989a1c53c17

SHA512
cfafeef4f8aca7a9f866bd15407320b6409ff7d48e5cc5bb4f5000f339f426574fbe08a2646fb759b4aa24e16893f77a8d26cf65e11a693d51e644088da96d57

Download Submit
C:\Windows\System\GCaTGyO.exe

Filesize
2.8MB

MD5
7ecdbca59f32a2dc462d4db18d4fda2f

SHA1
f30194dc250e6f507092653eb356eb097850beea

SHA256
a0cbf0cf030fc45208befc018b197ea78d79bd9be35ba7ecfbd8513db37e61ab

SHA512
32837bd4dcd186d28359e0ac099dcfe8d714e46c705942a477517c66e7ce3ab5be28eaa1384fe0aa9c77f4814f4e236af53c50b50d01fad1d7ffc208acadb8f5

Download Submit
C:\Windows\System\JfGUBae.exe

Filesize
2.8MB

MD5
5dcf9740c8c1739a4e3221a2c4c37def

SHA1
17a34871c36bf0d24f7aa1df166968e48aa05064

SHA256
ce58f6932d2b350c15a1ddb6a1163dfe741029398542797bf5498e23a4f65971

SHA512
487b71d21f2f8b97d32193fbb6d2a259928cd53fa4f6047a2519a390ebafeb44b4bbfe7616c6c11315d86904fe2702c637dd538c99720a9ed74220e1a77b2aec

Download Submit
C:\Windows\System\JjhIevm.exe

Filesize
2.8MB

MD5
85a30a809b5d77243e3a156eeb150b35

SHA1
4b6d34cbb3af3522378d0dc9024313a2bbc3ec32

SHA256
8904f4113514e3436533eedf08b981e23be1a1a01e339002c300366135820f27

SHA512
f8c25d6fdd3a0623475ebd84be6d403813910e32f9906311a8756187f80f44ab4e1710c243f57322832afdacf3676282327a98d338bf89934401803349201eed

Download Submit
C:\Windows\System\LfeBGKJ.exe

Filesize
2.8MB

MD5
98124c8624b7fcdfd1c7f437aa198375

SHA1
beb3d92aa7b7b2a47bdcb49f1b277fe13486775a

SHA256
5f1e83ae875cd451f0d6af65d75a4f6f0684c5a9ee921f21f67ac276da2c4237

SHA512
4115df68f4de44bc9b8c3df8e0780ad85a25436d48584f7430cada5cc5733aefa040583a0aee8a7440b375f84c481b3b7793801ec3779ee00748cb6f0a200653

Download Submit
C:\Windows\System\MHysuOm.exe

Filesize
2.8MB

MD5
15e52193974ae86f5379d458d38c22c0

SHA1
6ee9ba0e863477d17e5c9d5f9c849e09c39998bd

SHA256
1c9d65aca391dd4fc3bfb32dccd73db9b496ea67132e45b5359a9920656dc8c4

SHA512
f9babbcc8134efa41b8017fc5f5f292e771074517dffdd16915f87099dd32c2a317ccb2c52a9326da21c80111e71a42331ba7641848e742526c765cda5b66164

Download Submit
C:\Windows\System\OHWejPc.exe

Filesize
2.8MB

MD5
09fad93e8cda537cd3740acd3458a4bc

SHA1
22dbd9af0e152d1b23ea401da4d9493b1b5d27b8

SHA256
606d402bc740b28e7b9a2f4298536df5737c858466a82b4ecda1b416eac80bac

SHA512
ed9baf563d214e0580e867a2f8219a387fd7495c5c17d7f8de5280e344484a0c377ad41b5ec8258db5e6c16784cc388b38ca8add2a99c09fb2ec070aa060ce8a

Download Submit
C:\Windows\System\RfAEhjo.exe

Filesize
2.8MB

MD5
3d91c84296451f949c11ea8cb639b2a5

SHA1
19a226598371bebe6e687683aa1b2e0c89075472

SHA256
b04a8945ba4b14bd946a9966d37c67e8eabda26eceac707a0f973890f4b2acc1

SHA512
d309c0d4d75337bcca76ebd91dff82c93ca271f6b9880a72da7c247bf60b1442db5f01113ad1c9afb08289a63472b0d3d26e565a1beb3c301047561a8b020d20

Download Submit
C:\Windows\System\RoAaBIw.exe

Filesize
2.8MB

MD5
12e911e2d01929f6578fc328cfc6f5ab

SHA1
caa4dc44772d9f8969cbd6acca3df12f5281326c

SHA256
3dece7e8510fe6b141551b41a1bbb7aea658077506b339f47f181f1714e129ea

SHA512
abf4eb489d8376abb5907edcc024ada7c13cef07c54226646cdadccbe1e7c1854ba2556f5dca81c7569284f22c18ed5819b3f7044d719ce7a28c114ae1f18499

Download Submit
C:\Windows\System\TNjNlJg.exe

Filesize
2.8MB

MD5
6d46bb5204c62d70dd80361a2b45e259

SHA1
f23a237067ed41d29179f6b5ca55450a2fcd61ea

SHA256
43397dff8a5068c9ac7de7a80063db46424d5f11300c512a005f56cad200abd6

SHA512
24d35d66d00421b204e6c7c6be84775c875c5b8e7987964cdeed117881879f2c33489567f43fb4de7583916044fad66cdf2aceb88647fb8d2ee74720240b1840

Download Submit
C:\Windows\System\WHfMXHH.exe

Filesize
2.8MB

MD5
f844a8e69e8d39efee2d921e17f97fc1

SHA1
42d79d5f69c637b599b306b31d75fdcb1cdd3949

SHA256
d326a3a62a5da08ec4ae1d2f3cab5a92682f0a6a1ff5c8b735f3b857a1776bf4

SHA512
a086982195bfc64ed18f38c54f34e97489301286b0fd7ab22fc26b0a1b2a19747774447996644df44771d8202acd95d3d53a2db37f5b31534e853b07c944926e

Download Submit
C:\Windows\System\WtkFJFp.exe

Filesize
2.8MB

MD5
49ce285b51ba4c64d37d6e8215bce87c

SHA1
9c30498d2f06142bef002b4b0f82faa854f7b9dc

SHA256
bb0a27a2cd00be524b3bb8afbd850ef588799546d6176fbd36b98446977d6053

SHA512
1ab43f569ce0c081973f931a96702fe7b7f61ea2aec6cc3e3a9f64c7e9e353359adead6776c1cc0ebe328847200f07dc193233a762c89ec0a0f1ffb099710f03

Download Submit
C:\Windows\System\XnZNYfH.exe

Filesize
2.8MB

MD5
be3661715d6a77c0b6bc026f6f57ce76

SHA1
b1eeee636b56d188c47edfcbf397efe24be7fdb5

SHA256
6c3249b12a9e0b889ed421042f01d37e680823ac2b28e920b7af0887fc7c06b9

SHA512
327149a8d6dd854816cde6bceeb2df3b704504a59338465b71fae431614eb22c8f0f0b134acac1951f02edc03f437a02622c5a85e5a14a3f54477c797081216c

Download Submit
C:\Windows\System\YMEIFcy.exe

Filesize
2.8MB

MD5
08c8bea1b3212c54a0fc76b950afc04c

SHA1
686607b6645913b3dd7250e6f4395dd29d63f8d4

SHA256
9716c903a186b9dcd2b33b7a90aabc9b4e1ddf5a8c819c7ef1145cee72dd6b76

SHA512
2ba7d3de1f145d8c05f04fa3512eef703ce370e8af9507119ac710a1d588aeb824328b6251f60634289ad042d551efbceb806e6bd7610229e8ab6a22418f638a

Download Submit
C:\Windows\System\ZoocFml.exe

Filesize
2.8MB

MD5
447194c11818840d14f075e21fbe0a7a

SHA1
3d99433c4289f890d1882ddb63b8f1cbad4d501d

SHA256
ad1fc12a44d1f8daa2d81ed9f3aea434502c062cc28da4c453988e70eaa2da40

SHA512
44b1b2e1a9152bb167f4202dfad28aa2692fa3ed1c5ff4d63fa9a9fc51dd1693ea485fd49f348ace0df65bc7434adb29cce301e32054a694da3dc1f30e7d1d80

Download Submit
C:\Windows\System\bRrnWrN.exe

Filesize
2.8MB

MD5
744a53e49d2bd7b4327ad9778b4a76d9

SHA1
ff8ed2498b3d2f4188f9fa64997d974215b37b6a

SHA256
4c1d786ac196dbd04cad1b8c4ae195c2d8409e6ce8e2d48162efb06cc2ebb7b6

SHA512
bd634763d3220de0e0df253037ee64f8e5c9e6005f6120c8db99f3e3864dee3eb0385321084bb08f5eac05dd0407d8da35b1f5c4f264417d34589c901bf6c7dd

Download Submit
C:\Windows\System\dtWdaSr.exe

Filesize
8B

MD5
6c6a33c852f4e05ffd14cdf0dcab7779

SHA1
70449821f99925d7b8d245181569b7ac4d2ffae8

SHA256
889f3baefc9f46c7632a467db8882ec92f1f0df14da91d5a211e7484de261e45

SHA512
92e5654661ef50c470f84dbec4dcad9efdca5e4026c073f08c798af48c0b5d8107a7b2ff4d63fdb982f371e15d79e95f8a6d716a30b5c5123a7273c49d650d19

Download Submit
C:\Windows\System\jgWZxLi.exe

Filesize
2.8MB

MD5
6a482c031423f84cc86fc4c108d71bab

SHA1
842162eef1ae0839670f9859b0369cc86f8dc529

SHA256
68851bef506489c8f7d5fdf4338003fb956be383ac303d1ea183dc9522fd2a87

SHA512
af33dfab22e3dbef55de4c0b1d953711260574e3d3f9dc2abf440c5daba6879f01d17da350acc29c08c91b6047523e5c1496e5d7592956d225bf0dfdbd5394e5

Download Submit
C:\Windows\System\loEUEiZ.exe

Filesize
2.8MB

MD5
2f2e8c464df4788f1476be51c73913e1

SHA1
48eeaaa4a2123a6ad2dc92f7cb7fa13433272973

SHA256
012e48da2b1bc5e49300452eaadc4e1f9a643babeb56552f961345f6768de52b

SHA512
e1f5ad41106e188f76fbe469b06d75bbcc374e5f95e35b1477b00fd2d97050c7702e653ceac2908037d525b36eec76c31ba5a5bbb7f47433a3ec46e5a16da592

Download Submit
C:\Windows\System\oFGVvMT.exe

Filesize
2.8MB

MD5
359444d1f7e8afd430ba69e89d4621d2

SHA1
b10c5e76706bb79c70686806b8b124866495f281

SHA256
9a982e475c00a62c5f4a0fc8a39f815ddd075b99bca5f865fb79c871d1eab957

SHA512
409b8ca4b9c207f9fe2e1992ca3f523f1ec5ad4b7daacc35ae2bb8c8074fdc9e75a4286197137c38cb341bf8238276c73790e6a0ae0914654d7a9bc0bb6fd289

Download Submit
C:\Windows\System\pLzFbjb.exe

Filesize
2.8MB

MD5
a1e929871b4f8fd5968dd490f36f51a1

SHA1
5a7147838f35237f513c949a8d65fcd585a5c04f

SHA256
8861b46d3345bc9d24ef2900e35ec9a08cd4d3f546f45127c3a10e67af54e138

SHA512
8266c08823d7a6d705ecb8ce2da394c0e1bc5aa602dce238b04c8d6bde03b0b3b9304667a26629364407b67a40e145c854e6e1f587de6a2b44d2dc960426000f

Download Submit
C:\Windows\System\qGkLyux.exe

Filesize
2.8MB

MD5
eeb4fb61346cd8b2ed8347d1ddc22e40

SHA1
ffe3e99a7dc09ad75d9387924b72c25c9142c98a

SHA256
9e6974fedaf2f69cf8a335cd9a3ac35c4c5150867b578b97a2dd76c2b6f9f60e

SHA512
5d7ef849f23c9d2efbd4aaf95474eab7a5119f447d62e92e5746a2a7af293c3f8f7991e54d1c94ade2de3ce5abde607fbe9b92f3d349ee3419ccb62201de9b8d

Download Submit
C:\Windows\System\qNAGcQd.exe

Filesize
2.8MB

MD5
b40fbc9e113b3b11bfc9f663b86f7762

SHA1
5ca92e6818a3ad2594e4b949b93e7e345a912f38

SHA256
95e598f05c5d5a1e37ff3e3a4904562775da75570e7153cc57ca395621ed0e0a

SHA512
7ec3e387b4ffd2bbf60b8a8e452c20a81b7fe8ee289273094bc30425126b7ece70a3d8efbddc3136ae07f8647cc97cbc50536439a3043fba2565a48e5eafdaf4

Download Submit
C:\Windows\System\qeqJfyX.exe

Filesize
2.8MB

MD5
a2d30b243871477832d82c8815a490f0

SHA1
6ecc980614184c925ebe41e5c6421e68cd374c8b

SHA256
d757955ce8881777e3a8dc4e4d4b4d4030832da8e8a3f0250c9fbd627b6af660

SHA512
5e398eb679afc407760f458411666e965003fc8ae2e08543c487530deee7b682c8fc53e608ef15d6698263a1e5df84d27d835c1682042c8b97805b3184646533

Download Submit
C:\Windows\System\sayumET.exe

Filesize
2.8MB

MD5
920b97d287b48608bc809378f49cd560

SHA1
7f968220124b524314777d4edfb2e06414bd2ae2

SHA256
909050d68180e2504646b334098109b5367f95c7f12baf9ff25243565c40dd09

SHA512
0be92691b2535d41f8657bd3e42e0f28b6c14f4d719761e1b2b49ecb4aa5fa16dc0c56a26f4cf5b841da0311c6c77de42d2cc3534baafa9bda157d7fd744a2cc

Download Submit
C:\Windows\System\tJxuGRE.exe

Filesize
2.8MB

MD5
f8ca079a63dab825e7b8b5071a664428

SHA1
490ec485edabe4c9b24bd6de6604ba579b09ff1a

SHA256
6c4d578b9d812971cc33112a75e18af47c113c4bd025fbdefedf01d16df868f7

SHA512
3dd2da6f6dfc58a7533e11000bcc2ce99fa72b7f6a0ae62001e5a1ed9010f481cfc3e79b2636f5d62698fc562e286b2f6cc84d3db9b3f3aac2ba11435ee7fbfb

Download Submit
C:\Windows\System\wuLpulF.exe

Filesize
2.8MB

MD5
d5fc37c867be5c6b04d7d03da4ee12e0

SHA1
c7a098e00da930a2b0d48970a4dde5cb920a31d2

SHA256
80938dc01545fa34185aea6dcf5b2f54115c9658b50fce710d006f93c4404096

SHA512
b757326baeaad733571731ad36416d24c2cad314788f71d72524c867577cb2db985f62ef10d68f69ddb877f14a91d77b79a7b172884366dacefab112361c5864

Download Submit
C:\Windows\System\xGjlTON.exe

Filesize
2.8MB

MD5
e222bca28d97db905e3c4551c77026a5

SHA1
33c814d51c9746a950bced3366c702db70ebbeb3

SHA256
a950d4eedd96a9afa09cd7f916f8e892191dd1ea7cebe6c928923f3c40c3f7c5

SHA512
e8de4f975585a1b46729fc1900ea2056c0c4b1d125f2e2a1e0652352f806e4103b9dfc61b546f5936f3baa99498dee6462d2b6298644370d46b86cc6673eb4fc

Download Submit
C:\Windows\System\xeSzhvh.exe

Filesize
2.8MB

MD5
e0c65cf639dce23a6e3d0e7454f81e2a

SHA1
ce57ae44cc4707572cb085d79ae5bff27c81d63f

SHA256
0ef68ea58ad29df70efe8d62795f1e52cfb84b56b1162988383be9e863c92b9e

SHA512
d897a60c1c95d4d46c070f6fb0003273620b1eb16ee5d1cc2079790c22e2f29211b23ff444cc7975551d0e1d735cf5c1388dc44470fee94563738c1a1cf92f4a

Download Submit
C:\Windows\System\yfzlHrv.exe

Filesize
2.8MB

MD5
4989c1c14c4eff591922492a1bfdb618

SHA1
ce41d6582f884bab7177264c442b33060a69f5ca

SHA256
bad27305e7227b5c0c3e440d249979b623addb1ba08b2f166a54a7989eb967c0

SHA512
aa8e30f679305885b67d9263ee98897f1574c1bd38b2a790e9761be084a474bcee6319acc48da312128e0c8cac3d3a5b6fd5b9bcbbfa24ecd13ed3e19c483184

Download Submit
memory/224-2190-0x00007FF69AD70000-0x00007FF69B166000-memory.dmp

Filesize
4.0MB

Download
memory/224-870-0x00007FF69AD70000-0x00007FF69B166000-memory.dmp

Filesize
4.0MB

Download
memory/384-899-0x00007FF7B4E80000-0x00007FF7B5276000-memory.dmp

Filesize
4.0MB

Download
memory/384-2196-0x00007FF7B4E80000-0x00007FF7B5276000-memory.dmp

Filesize
4.0MB

Download
memory/896-2181-0x00007FF6319E0000-0x00007FF631DD6000-memory.dmp

Filesize
4.0MB

Download
memory/896-798-0x00007FF6319E0000-0x00007FF631DD6000-memory.dmp

Filesize
4.0MB

Download
memory/932-2193-0x00007FF7AC700000-0x00007FF7ACAF6000-memory.dmp

Filesize
4.0MB

Download
memory/932-892-0x00007FF7AC700000-0x00007FF7ACAF6000-memory.dmp

Filesize
4.0MB

Download
memory/956-2192-0x00007FF747290000-0x00007FF747686000-memory.dmp

Filesize
4.0MB

Download
memory/956-881-0x00007FF747290000-0x00007FF747686000-memory.dmp

Filesize
4.0MB

Download
memory/1088-874-0x00007FF678850000-0x00007FF678C46000-memory.dmp

Filesize
4.0MB

Download
memory/1088-2191-0x00007FF678850000-0x00007FF678C46000-memory.dmp

Filesize
4.0MB

Download
memory/1484-2200-0x00007FF63F560000-0x00007FF63F956000-memory.dmp

Filesize
4.0MB

Download
memory/1484-1171-0x00007FF63F560000-0x00007FF63F956000-memory.dmp

Filesize
4.0MB

Download
memory/1684-2189-0x00007FF71E860000-0x00007FF71EC56000-memory.dmp

Filesize
4.0MB

Download
memory/1684-865-0x00007FF71E860000-0x00007FF71EC56000-memory.dmp

Filesize
4.0MB

Download
memory/2172-2194-0x00007FF7A64A0000-0x00007FF7A6896000-memory.dmp

Filesize
4.0MB

Download
memory/2172-1157-0x00007FF7A64A0000-0x00007FF7A6896000-memory.dmp

Filesize
4.0MB

Download
memory/2280-2182-0x00007FF75C110000-0x00007FF75C506000-memory.dmp

Filesize
4.0MB

Download
memory/2280-801-0x00007FF75C110000-0x00007FF75C506000-memory.dmp

Filesize
4.0MB

Download
memory/2336-0-0x00007FF7C4F80000-0x00007FF7C5376000-memory.dmp

Filesize
4.0MB

Download
memory/2336-1-0x0000024459F40000-0x0000024459F50000-memory.dmp

Filesize
64KB

Download
memory/2352-2198-0x00007FF6BEA70000-0x00007FF6BEE66000-memory.dmp

Filesize
4.0MB

Download
memory/2352-1163-0x00007FF6BEA70000-0x00007FF6BEE66000-memory.dmp

Filesize
4.0MB

Download
memory/2792-8-0x00007FF6BFBE0000-0x00007FF6BFFD6000-memory.dmp

Filesize
4.0MB

Download
memory/2792-2177-0x00007FF6BFBE0000-0x00007FF6BFFD6000-memory.dmp

Filesize
4.0MB

Download
memory/2812-803-0x00007FF7212D0000-0x00007FF7216C6000-memory.dmp

Filesize
4.0MB

Download
memory/2812-2187-0x00007FF7212D0000-0x00007FF7216C6000-memory.dmp

Filesize
4.0MB

Download
memory/2832-799-0x000001E557A20000-0x000001E557A30000-memory.dmp

Filesize
64KB

Download
memory/2832-2164-0x000001E557A20000-0x000001E557A30000-memory.dmp

Filesize
64KB

Download
memory/2832-2165-0x000001E557A20000-0x000001E557A30000-memory.dmp

Filesize
64KB

Download
memory/2832-2176-0x00007FF9922D3000-0x00007FF9922D5000-memory.dmp

Filesize
8KB

Download
memory/2832-70-0x000001E53F690000-0x000001E53F6B2000-memory.dmp

Filesize
136KB

Download
memory/2832-1172-0x00007FF9922D3000-0x00007FF9922D5000-memory.dmp

Filesize
8KB

Download
memory/2832-435-0x000001E55A6B0000-0x000001E55AE56000-memory.dmp

Filesize
7.6MB

Download
memory/2852-2186-0x00007FF6FCDC0000-0x00007FF6FD1B6000-memory.dmp

Filesize
4.0MB

Download
memory/2852-804-0x00007FF6FCDC0000-0x00007FF6FD1B6000-memory.dmp

Filesize
4.0MB

Download
memory/3080-1173-0x00007FF768A40000-0x00007FF768E36000-memory.dmp

Filesize
4.0MB

Download
memory/3080-2183-0x00007FF768A40000-0x00007FF768E36000-memory.dmp

Filesize
4.0MB

Download
memory/3192-1160-0x00007FF6CAFC0000-0x00007FF6CB3B6000-memory.dmp

Filesize
4.0MB

Download
memory/3192-2197-0x00007FF6CAFC0000-0x00007FF6CB3B6000-memory.dmp

Filesize
4.0MB

Download
memory/3644-857-0x00007FF6A9CB0000-0x00007FF6AA0A6000-memory.dmp

Filesize
4.0MB

Download
memory/3644-2188-0x00007FF6A9CB0000-0x00007FF6AA0A6000-memory.dmp

Filesize
4.0MB

Download
memory/3664-850-0x00007FF6E6440000-0x00007FF6E6836000-memory.dmp

Filesize
4.0MB

Download
memory/3664-2195-0x00007FF6E6440000-0x00007FF6E6836000-memory.dmp

Filesize
4.0MB

Download
memory/3876-32-0x00007FF6C5AE0000-0x00007FF6C5ED6000-memory.dmp

Filesize
4.0MB

Download
memory/3876-2179-0x00007FF6C5AE0000-0x00007FF6C5ED6000-memory.dmp

Filesize
4.0MB

Download
memory/3928-797-0x00007FF6F7030000-0x00007FF6F7426000-memory.dmp

Filesize
4.0MB

Download
memory/3928-2180-0x00007FF6F7030000-0x00007FF6F7426000-memory.dmp

Filesize
4.0MB

Download
memory/3948-2185-0x00007FF7627D0000-0x00007FF762BC6000-memory.dmp

Filesize
4.0MB

Download
memory/3948-802-0x00007FF7627D0000-0x00007FF762BC6000-memory.dmp

Filesize
4.0MB

Download
memory/4628-16-0x00007FF636D40000-0x00007FF637136000-memory.dmp

Filesize
4.0MB

Download
memory/4628-2178-0x00007FF636D40000-0x00007FF637136000-memory.dmp

Filesize
4.0MB

Download
memory/4720-2199-0x00007FF68A580000-0x00007FF68A976000-memory.dmp

Filesize
4.0MB

Download
memory/4720-1166-0x00007FF68A580000-0x00007FF68A976000-memory.dmp

Filesize
4.0MB

Download
memory/4816-800-0x00007FF72FA90000-0x00007FF72FE86000-memory.dmp

Filesize
4.0MB

Download
memory/4816-2184-0x00007FF72FA90000-0x00007FF72FE86000-memory.dmp

Filesize
4.0MB

Download