xmrig | 61afe9dcf326f010c39c1c3ecb0063abd022cefb7cc29b6a9777d83b0ef27a79

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
Size

1.6MB
MD5

35960d9c8978b20e715367987017fa80
SHA1

fd49878d3aac2f6da59fd8e98a3d942c7cece3b2
SHA256

61afe9dcf326f010c39c1c3ecb0063abd022cefb7cc29b6a9777d83b0ef27a79
SHA512

4611ff9896a8a7c333f4fb5249c5a0c328fc27fb31164d46108483ab6e43266380998ae0f2b3d10eb730da6b396918a3368be1450c254beed870bd1d69b77a99
SSDEEP

24576:zv3/fTLF671TilQFG4P5PxtG8PEpklLvYl8UywjwCIlaa+F551HfyeoxwOUzPlnH:Lz071uv4BPjGhql0lQGQK5BKrwH

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

WerFaultSecure.exe

description pid process target process

PID 13248 created 4104 13248 WerFaultSecure.exe svchost.exe
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	pid	process	target process
PID 13248 created 4104	13248	WerFaultSecure.exe	svchost.exe

XMRig Miner payload 49 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1044-80-0x00007FF7D4330000-0x00007FF7D4722000-memory.dmp	xmrig
behavioral2/memory/2924-137-0x00007FF6DDF80000-0x00007FF6DE372000-memory.dmp	xmrig
behavioral2/memory/3692-149-0x00007FF6C9A10000-0x00007FF6C9E02000-memory.dmp	xmrig
behavioral2/memory/792-160-0x00007FF7274A0000-0x00007FF727892000-memory.dmp	xmrig
behavioral2/memory/2444-184-0x00007FF7AB110000-0x00007FF7AB502000-memory.dmp	xmrig
behavioral2/memory/2712-205-0x00007FF6EC8B0000-0x00007FF6ECCA2000-memory.dmp	xmrig
behavioral2/memory/1256-201-0x00007FF671C30000-0x00007FF672022000-memory.dmp	xmrig
behavioral2/memory/1448-195-0x00007FF6374A0000-0x00007FF637892000-memory.dmp	xmrig
behavioral2/memory/3208-183-0x00007FF655A40000-0x00007FF655E32000-memory.dmp	xmrig
behavioral2/memory/4068-172-0x00007FF7842B0000-0x00007FF7846A2000-memory.dmp	xmrig
behavioral2/memory/492-166-0x00007FF6D6280000-0x00007FF6D6672000-memory.dmp	xmrig
behavioral2/memory/4804-143-0x00007FF716CA0000-0x00007FF717092000-memory.dmp	xmrig
behavioral2/memory/4996-131-0x00007FF795450000-0x00007FF795842000-memory.dmp	xmrig
behavioral2/memory/1920-125-0x00007FF62D7D0000-0x00007FF62DBC2000-memory.dmp	xmrig
behavioral2/memory/2148-114-0x00007FF707710000-0x00007FF707B02000-memory.dmp	xmrig
behavioral2/memory/4396-110-0x00007FF718C00000-0x00007FF718FF2000-memory.dmp	xmrig
behavioral2/memory/3520-102-0x00007FF6D0DA0000-0x00007FF6D1192000-memory.dmp	xmrig
behavioral2/memory/2544-99-0x00007FF7D0650000-0x00007FF7D0A42000-memory.dmp	xmrig
behavioral2/memory/4992-94-0x00007FF6C28B0000-0x00007FF6C2CA2000-memory.dmp	xmrig
behavioral2/memory/3948-88-0x00007FF725B80000-0x00007FF725F72000-memory.dmp	xmrig
behavioral2/memory/924-84-0x00007FF689050000-0x00007FF689442000-memory.dmp	xmrig
behavioral2/memory/4672-75-0x00007FF75A800000-0x00007FF75ABF2000-memory.dmp	xmrig
behavioral2/memory/2364-72-0x00007FF6D2EC0000-0x00007FF6D32B2000-memory.dmp	xmrig
behavioral2/memory/4992-2810-0x00007FF6C28B0000-0x00007FF6C2CA2000-memory.dmp	xmrig
behavioral2/memory/1236-2823-0x00007FF736CD0000-0x00007FF7370C2000-memory.dmp	xmrig
behavioral2/memory/1236-2827-0x00007FF736CD0000-0x00007FF7370C2000-memory.dmp	xmrig
behavioral2/memory/2364-2829-0x00007FF6D2EC0000-0x00007FF6D32B2000-memory.dmp	xmrig
behavioral2/memory/3520-2831-0x00007FF6D0DA0000-0x00007FF6D1192000-memory.dmp	xmrig
behavioral2/memory/1044-2841-0x00007FF7D4330000-0x00007FF7D4722000-memory.dmp	xmrig
behavioral2/memory/4396-2836-0x00007FF718C00000-0x00007FF718FF2000-memory.dmp	xmrig
behavioral2/memory/4672-2837-0x00007FF75A800000-0x00007FF75ABF2000-memory.dmp	xmrig
behavioral2/memory/924-2843-0x00007FF689050000-0x00007FF689442000-memory.dmp	xmrig
behavioral2/memory/2544-2849-0x00007FF7D0650000-0x00007FF7D0A42000-memory.dmp	xmrig
behavioral2/memory/1920-2853-0x00007FF62D7D0000-0x00007FF62DBC2000-memory.dmp	xmrig
behavioral2/memory/2148-2852-0x00007FF707710000-0x00007FF707B02000-memory.dmp	xmrig
behavioral2/memory/3948-2847-0x00007FF725B80000-0x00007FF725F72000-memory.dmp	xmrig
behavioral2/memory/4992-2857-0x00007FF6C28B0000-0x00007FF6C2CA2000-memory.dmp	xmrig
behavioral2/memory/4996-2859-0x00007FF795450000-0x00007FF795842000-memory.dmp	xmrig
behavioral2/memory/2924-2861-0x00007FF6DDF80000-0x00007FF6DE372000-memory.dmp	xmrig
behavioral2/memory/3692-2866-0x00007FF6C9A10000-0x00007FF6C9E02000-memory.dmp	xmrig
behavioral2/memory/3208-2874-0x00007FF655A40000-0x00007FF655E32000-memory.dmp	xmrig
behavioral2/memory/4068-2872-0x00007FF7842B0000-0x00007FF7846A2000-memory.dmp	xmrig
behavioral2/memory/1448-2878-0x00007FF6374A0000-0x00007FF637892000-memory.dmp	xmrig
behavioral2/memory/1256-2880-0x00007FF671C30000-0x00007FF672022000-memory.dmp	xmrig
behavioral2/memory/2712-2882-0x00007FF6EC8B0000-0x00007FF6ECCA2000-memory.dmp	xmrig
behavioral2/memory/2444-2876-0x00007FF7AB110000-0x00007FF7AB502000-memory.dmp	xmrig
behavioral2/memory/492-2870-0x00007FF6D6280000-0x00007FF6D6672000-memory.dmp	xmrig
behavioral2/memory/792-2868-0x00007FF7274A0000-0x00007FF727892000-memory.dmp	xmrig
behavioral2/memory/4804-2864-0x00007FF716CA0000-0x00007FF717092000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

9 2156 powershell.exe
12 2156 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2156 powershell.exe

flow	pid	process
9	2156	powershell.exe
12	2156	powershell.exe

pid	process
2156	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

ifQndzY.exeipWXVFr.exejaAuCtC.exeLgfzDBn.exeokmMnPl.exeMhLqYRz.exeHKqdahk.exeGNUWyHB.exexkjhmwC.exeAmxBrUH.exeoDWnPfE.exeuOgSixk.exerJydOJW.exeFAROysU.exePNpnkwR.exewOIpRBT.exeTZCAEHl.exeYAnlios.exemTuDxUL.exezSPoBFR.exeCmdKrOa.exeivvBPaY.exezMedrBD.exevIAhSLq.exejUMVpNd.exeuFEkMbr.exeRTqRbLm.exeUnNFDEl.exeVbSEeme.exejJIBQXE.exeEymKlZn.exekNCxyGB.exeeqroqCr.exeuuGccWN.exevdjwwvj.exeerSJxWX.exembTooqp.exenqiYQch.exeJRbqhLS.exeWYQyfou.exefKqXrXf.exeorndOFF.exenTmThpr.exeWwxVUgV.exeEQrCocv.exenvCJULy.exeitIQtXw.exeNcxJKEj.exeQafOrHJ.exedGQMWel.exeHsvotfc.exeAoGdRUL.exeKucEzuS.exeOeVsRaD.exexFEUpAY.exeghrYUAq.exeSWZPwLk.exekXwdUHk.exeizrqqEY.exeuqBEqbW.exekHIgBmL.execiyQNTx.exeHEXUmhe.exebHlPGAF.exe

pid	process
1236	ifQndzY.exe
3520	ipWXVFr.exe
4396	jaAuCtC.exe
2364	LgfzDBn.exe
4672	okmMnPl.exe
1044	MhLqYRz.exe
924	HKqdahk.exe
3948	GNUWyHB.exe
4992	xkjhmwC.exe
2148	AmxBrUH.exe
2544	oDWnPfE.exe
1920	uOgSixk.exe
4996	rJydOJW.exe
2924	FAROysU.exe
4804	PNpnkwR.exe
3692	wOIpRBT.exe
492	TZCAEHl.exe
792	YAnlios.exe
4068	mTuDxUL.exe
3208	zSPoBFR.exe
2444	CmdKrOa.exe
1448	ivvBPaY.exe
1256	zMedrBD.exe
2712	vIAhSLq.exe
3916	jUMVpNd.exe
4172	uFEkMbr.exe
1404	RTqRbLm.exe
4984	UnNFDEl.exe
3592	VbSEeme.exe
4972	jJIBQXE.exe
3416	EymKlZn.exe
3556	kNCxyGB.exe
1412	eqroqCr.exe
5108	uuGccWN.exe
3244	vdjwwvj.exe
4900	erSJxWX.exe
3068	mbTooqp.exe
3204	nqiYQch.exe
4808	JRbqhLS.exe
4364	WYQyfou.exe
632	fKqXrXf.exe
4304	orndOFF.exe
4292	nTmThpr.exe
4208	WwxVUgV.exe
4592	EQrCocv.exe
1420	nvCJULy.exe
3144	itIQtXw.exe
4656	NcxJKEj.exe
2456	QafOrHJ.exe
4964	dGQMWel.exe
2576	Hsvotfc.exe
3644	AoGdRUL.exe
1272	KucEzuS.exe
1276	OeVsRaD.exe
4848	xFEUpAY.exe
4704	ghrYUAq.exe
1196	SWZPwLk.exe
1872	kXwdUHk.exe
3436	izrqqEY.exe
3928	uqBEqbW.exe
5052	kHIgBmL.exe
4660	ciyQNTx.exe
2396	HEXUmhe.exe
3096	bHlPGAF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/208-0-0x00007FF6A9CA0000-0x00007FF6AA092000-memory.dmp	upx
C:\Windows\System\jaAuCtC.exe	upx
C:\Windows\System\ifQndzY.exe	upx
C:\Windows\System\LgfzDBn.exe	upx
C:\Windows\System\HKqdahk.exe	upx
C:\Windows\System\MhLqYRz.exe	upx
C:\Windows\System\AmxBrUH.exe	upx
behavioral2/memory/1044-80-0x00007FF7D4330000-0x00007FF7D4722000-memory.dmp	upx
C:\Windows\System\rJydOJW.exe	upx
C:\Windows\System\wOIpRBT.exe	upx
C:\Windows\System\mTuDxUL.exe	upx
behavioral2/memory/2924-137-0x00007FF6DDF80000-0x00007FF6DE372000-memory.dmp	upx
behavioral2/memory/3692-149-0x00007FF6C9A10000-0x00007FF6C9E02000-memory.dmp	upx
behavioral2/memory/792-160-0x00007FF7274A0000-0x00007FF727892000-memory.dmp	upx
behavioral2/memory/2444-184-0x00007FF7AB110000-0x00007FF7AB502000-memory.dmp	upx
behavioral2/memory/2712-205-0x00007FF6EC8B0000-0x00007FF6ECCA2000-memory.dmp	upx
behavioral2/memory/1256-201-0x00007FF671C30000-0x00007FF672022000-memory.dmp	upx
C:\Windows\System\eqroqCr.exe	upx
C:\Windows\System\EymKlZn.exe	upx
behavioral2/memory/1448-195-0x00007FF6374A0000-0x00007FF637892000-memory.dmp	upx
C:\Windows\System\kNCxyGB.exe	upx
C:\Windows\System\jJIBQXE.exe	upx
C:\Windows\System\VbSEeme.exe	upx
behavioral2/memory/3208-183-0x00007FF655A40000-0x00007FF655E32000-memory.dmp	upx
C:\Windows\System\UnNFDEl.exe	upx
C:\Windows\System\RTqRbLm.exe	upx
behavioral2/memory/4068-172-0x00007FF7842B0000-0x00007FF7846A2000-memory.dmp	upx
C:\Windows\System\uFEkMbr.exe	upx
behavioral2/memory/492-166-0x00007FF6D6280000-0x00007FF6D6672000-memory.dmp	upx
C:\Windows\System\jUMVpNd.exe	upx
C:\Windows\System\vIAhSLq.exe	upx
C:\Windows\System\zMedrBD.exe	upx
C:\Windows\System\ivvBPaY.exe	upx
behavioral2/memory/4804-143-0x00007FF716CA0000-0x00007FF717092000-memory.dmp	upx
C:\Windows\System\CmdKrOa.exe	upx
C:\Windows\System\zSPoBFR.exe	upx
behavioral2/memory/4996-131-0x00007FF795450000-0x00007FF795842000-memory.dmp	upx
behavioral2/memory/1920-125-0x00007FF62D7D0000-0x00007FF62DBC2000-memory.dmp	upx
C:\Windows\System\YAnlios.exe	upx
C:\Windows\System\TZCAEHl.exe	upx
behavioral2/memory/2148-114-0x00007FF707710000-0x00007FF707B02000-memory.dmp	upx
behavioral2/memory/4396-110-0x00007FF718C00000-0x00007FF718FF2000-memory.dmp	upx
C:\Windows\System\PNpnkwR.exe	upx
behavioral2/memory/3520-102-0x00007FF6D0DA0000-0x00007FF6D1192000-memory.dmp	upx
behavioral2/memory/2544-99-0x00007FF7D0650000-0x00007FF7D0A42000-memory.dmp	upx
C:\Windows\System\FAROysU.exe	upx
behavioral2/memory/4992-94-0x00007FF6C28B0000-0x00007FF6C2CA2000-memory.dmp	upx
behavioral2/memory/3948-88-0x00007FF725B80000-0x00007FF725F72000-memory.dmp	upx
behavioral2/memory/924-84-0x00007FF689050000-0x00007FF689442000-memory.dmp	upx
C:\Windows\System\uOgSixk.exe	upx
behavioral2/memory/4672-75-0x00007FF75A800000-0x00007FF75ABF2000-memory.dmp	upx
C:\Windows\System\oDWnPfE.exe	upx
behavioral2/memory/2364-72-0x00007FF6D2EC0000-0x00007FF6D32B2000-memory.dmp	upx
C:\Windows\System\GNUWyHB.exe	upx
C:\Windows\System\xkjhmwC.exe	upx
C:\Windows\System\okmMnPl.exe	upx
C:\Windows\System\ipWXVFr.exe	upx
behavioral2/memory/1236-12-0x00007FF736CD0000-0x00007FF7370C2000-memory.dmp	upx
behavioral2/memory/4992-2810-0x00007FF6C28B0000-0x00007FF6C2CA2000-memory.dmp	upx
behavioral2/memory/1236-2823-0x00007FF736CD0000-0x00007FF7370C2000-memory.dmp	upx
behavioral2/memory/1236-2827-0x00007FF736CD0000-0x00007FF7370C2000-memory.dmp	upx
behavioral2/memory/2364-2829-0x00007FF6D2EC0000-0x00007FF6D32B2000-memory.dmp	upx
behavioral2/memory/3520-2831-0x00007FF6D0DA0000-0x00007FF6D1192000-memory.dmp	upx
behavioral2/memory/1044-2841-0x00007FF7D4330000-0x00007FF7D4722000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 raw.githubusercontent.com
9 raw.githubusercontent.com

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

Processes:

35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\ZuPfcre.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\QfBFXhp.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\jlpBHqX.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\ujGjvOX.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\hfwdfLp.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\GrrWAtN.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\fEDAaJn.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\nyPwSpT.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\ciyQNTx.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\yEXyFoM.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\MrjoqrT.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\LgiTcHa.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\YlPgjNu.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\cXtUiPC.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\tQkouFY.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\JfTloLu.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\oZDuTQZ.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\jgHxtKR.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\vHnSviP.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\LxVbXQC.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\QwQupGs.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\dipMmNZ.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\mAmgwZC.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\cDpJQJa.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\sEDVaxe.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\fDgujPM.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\zaFKyYV.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\DGlDBVS.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\shyRiFn.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\FfocKiQ.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\sXWyTJn.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\ngyJDrm.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\FHfkDbW.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\NOuaHtd.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\uuGccWN.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\DVKAUZs.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\TnWSRrP.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\BMZGCqW.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\JwTirrs.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\VKNmdWS.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\yKgHpGt.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\OfnploN.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\fvuVukb.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\UyVHQos.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\CCgluTE.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\xYeGHYY.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\URfXLKu.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\GIsEIpH.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\tcsNLeY.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\LiVgiDR.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\VIiuTQe.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\JNwEHgn.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\LWSZikN.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\olGwKaL.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\YPATatU.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\tweRinh.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\BvXujDW.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\kFELYKx.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\oLUjTcM.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\VvPaXDD.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\CMpgkGZ.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\ZZUTnVy.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\XchTulP.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
File created	C:\Windows\System\whTYoyy.exe	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exeWerFaultSecure.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFaultSecure.exewermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exeWerFaultSecure.exe

pid process

2156 powershell.exe
2156 powershell.exe
2356 WerFaultSecure.exe
2356 WerFaultSecure.exe

pid	process
2156	powershell.exe
2156	powershell.exe
2356	WerFaultSecure.exe
2356	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

35960d9c8978b20e715367987017fa80_NeikiAnalytics.exepowershell.exe

description	pid	process
Token: SeLockMemoryPrivilege	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
Token: SeDebugPrivilege	2156	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe

description	pid	process	target process
PID 208 wrote to memory of 2156	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	powershell.exe
PID 208 wrote to memory of 2156	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	powershell.exe
PID 208 wrote to memory of 1236	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	ifQndzY.exe
PID 208 wrote to memory of 1236	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	ifQndzY.exe
PID 208 wrote to memory of 3520	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	ipWXVFr.exe
PID 208 wrote to memory of 3520	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	ipWXVFr.exe
PID 208 wrote to memory of 4396	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	jaAuCtC.exe
PID 208 wrote to memory of 4396	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	jaAuCtC.exe
PID 208 wrote to memory of 2364	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	LgfzDBn.exe
PID 208 wrote to memory of 2364	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	LgfzDBn.exe
PID 208 wrote to memory of 4672	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	okmMnPl.exe
PID 208 wrote to memory of 4672	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	okmMnPl.exe
PID 208 wrote to memory of 1044	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	MhLqYRz.exe
PID 208 wrote to memory of 1044	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	MhLqYRz.exe
PID 208 wrote to memory of 924	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	HKqdahk.exe
PID 208 wrote to memory of 924	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	HKqdahk.exe
PID 208 wrote to memory of 3948	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	GNUWyHB.exe
PID 208 wrote to memory of 3948	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	GNUWyHB.exe
PID 208 wrote to memory of 4992	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	xkjhmwC.exe
PID 208 wrote to memory of 4992	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	xkjhmwC.exe
PID 208 wrote to memory of 2148	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	AmxBrUH.exe
PID 208 wrote to memory of 2148	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	AmxBrUH.exe
PID 208 wrote to memory of 2544	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	oDWnPfE.exe
PID 208 wrote to memory of 2544	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	oDWnPfE.exe
PID 208 wrote to memory of 1920	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	uOgSixk.exe
PID 208 wrote to memory of 1920	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	uOgSixk.exe
PID 208 wrote to memory of 4996	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	rJydOJW.exe
PID 208 wrote to memory of 4996	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	rJydOJW.exe
PID 208 wrote to memory of 2924	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	FAROysU.exe
PID 208 wrote to memory of 2924	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	FAROysU.exe
PID 208 wrote to memory of 4804	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	PNpnkwR.exe
PID 208 wrote to memory of 4804	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	PNpnkwR.exe
PID 208 wrote to memory of 3692	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	wOIpRBT.exe
PID 208 wrote to memory of 3692	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	wOIpRBT.exe
PID 208 wrote to memory of 492	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	TZCAEHl.exe
PID 208 wrote to memory of 492	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	TZCAEHl.exe
PID 208 wrote to memory of 792	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	YAnlios.exe
PID 208 wrote to memory of 792	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	YAnlios.exe
PID 208 wrote to memory of 4068	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	mTuDxUL.exe
PID 208 wrote to memory of 4068	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	mTuDxUL.exe
PID 208 wrote to memory of 3208	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	zSPoBFR.exe
PID 208 wrote to memory of 3208	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	zSPoBFR.exe
PID 208 wrote to memory of 2444	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	CmdKrOa.exe
PID 208 wrote to memory of 2444	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	CmdKrOa.exe
PID 208 wrote to memory of 1448	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	ivvBPaY.exe
PID 208 wrote to memory of 1448	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	ivvBPaY.exe
PID 208 wrote to memory of 1256	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	zMedrBD.exe
PID 208 wrote to memory of 1256	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	zMedrBD.exe
PID 208 wrote to memory of 2712	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	vIAhSLq.exe
PID 208 wrote to memory of 2712	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	vIAhSLq.exe
PID 208 wrote to memory of 3916	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	jUMVpNd.exe
PID 208 wrote to memory of 3916	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	jUMVpNd.exe
PID 208 wrote to memory of 4172	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	uFEkMbr.exe
PID 208 wrote to memory of 4172	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	uFEkMbr.exe
PID 208 wrote to memory of 1404	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	RTqRbLm.exe
PID 208 wrote to memory of 1404	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	RTqRbLm.exe
PID 208 wrote to memory of 4984	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	UnNFDEl.exe
PID 208 wrote to memory of 4984	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	UnNFDEl.exe
PID 208 wrote to memory of 3592	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	VbSEeme.exe
PID 208 wrote to memory of 3592	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	VbSEeme.exe
PID 208 wrote to memory of 4972	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	jJIBQXE.exe
PID 208 wrote to memory of 4972	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	jJIBQXE.exe
PID 208 wrote to memory of 3416	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	EymKlZn.exe
PID 208 wrote to memory of 3416	208	35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe	EymKlZn.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:4104

C:\Windows\system32\WerFaultSecure.exe
C:\Windows\system32\WerFaultSecure.exe -u -p 4104 -s 920
2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Users\Admin\AppData\Local\Temp\35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\35960d9c8978b20e715367987017fa80_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2156" "2908" "2844" "2912" "0" "0" "2916" "0" "0" "0" "0" "0"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:12996

C:\Windows\System\ifQndzY.exe
C:\Windows\System\ifQndzY.exe
2⤵
- Executes dropped EXE
PID:1236

C:\Windows\System\ipWXVFr.exe
C:\Windows\System\ipWXVFr.exe
2⤵
- Executes dropped EXE
PID:3520

C:\Windows\System\jaAuCtC.exe
C:\Windows\System\jaAuCtC.exe
2⤵
- Executes dropped EXE
PID:4396

C:\Windows\System\LgfzDBn.exe
C:\Windows\System\LgfzDBn.exe
2⤵
- Executes dropped EXE
PID:2364

C:\Windows\System\okmMnPl.exe
C:\Windows\System\okmMnPl.exe
2⤵
- Executes dropped EXE
PID:4672

C:\Windows\System\MhLqYRz.exe
C:\Windows\System\MhLqYRz.exe
2⤵
- Executes dropped EXE
PID:1044

C:\Windows\System\HKqdahk.exe
C:\Windows\System\HKqdahk.exe
2⤵
- Executes dropped EXE
PID:924

C:\Windows\System\GNUWyHB.exe
C:\Windows\System\GNUWyHB.exe
2⤵
- Executes dropped EXE
PID:3948

C:\Windows\System\xkjhmwC.exe
C:\Windows\System\xkjhmwC.exe
2⤵
- Executes dropped EXE
PID:4992

C:\Windows\System\AmxBrUH.exe
C:\Windows\System\AmxBrUH.exe
2⤵
- Executes dropped EXE
PID:2148

C:\Windows\System\oDWnPfE.exe
C:\Windows\System\oDWnPfE.exe
2⤵
- Executes dropped EXE
PID:2544

C:\Windows\System\uOgSixk.exe
C:\Windows\System\uOgSixk.exe
2⤵
- Executes dropped EXE
PID:1920

C:\Windows\System\rJydOJW.exe
C:\Windows\System\rJydOJW.exe
2⤵
- Executes dropped EXE
PID:4996

C:\Windows\System\FAROysU.exe
C:\Windows\System\FAROysU.exe
2⤵
- Executes dropped EXE
PID:2924

C:\Windows\System\PNpnkwR.exe
C:\Windows\System\PNpnkwR.exe
2⤵
- Executes dropped EXE
PID:4804

C:\Windows\System\wOIpRBT.exe
C:\Windows\System\wOIpRBT.exe
2⤵
- Executes dropped EXE
PID:3692

C:\Windows\System\TZCAEHl.exe
C:\Windows\System\TZCAEHl.exe
2⤵
- Executes dropped EXE
PID:492

C:\Windows\System\YAnlios.exe
C:\Windows\System\YAnlios.exe
2⤵
- Executes dropped EXE
PID:792

C:\Windows\System\mTuDxUL.exe
C:\Windows\System\mTuDxUL.exe
2⤵
- Executes dropped EXE
PID:4068

C:\Windows\System\zSPoBFR.exe
C:\Windows\System\zSPoBFR.exe
2⤵
- Executes dropped EXE
PID:3208

C:\Windows\System\CmdKrOa.exe
C:\Windows\System\CmdKrOa.exe
2⤵
- Executes dropped EXE
PID:2444

C:\Windows\System\ivvBPaY.exe
C:\Windows\System\ivvBPaY.exe
2⤵
- Executes dropped EXE
PID:1448

C:\Windows\System\zMedrBD.exe
C:\Windows\System\zMedrBD.exe
2⤵
- Executes dropped EXE
PID:1256

C:\Windows\System\vIAhSLq.exe
C:\Windows\System\vIAhSLq.exe
2⤵
- Executes dropped EXE
PID:2712

C:\Windows\System\jUMVpNd.exe
C:\Windows\System\jUMVpNd.exe
2⤵
- Executes dropped EXE
PID:3916

C:\Windows\System\uFEkMbr.exe
C:\Windows\System\uFEkMbr.exe
2⤵
- Executes dropped EXE
PID:4172

C:\Windows\System\RTqRbLm.exe
C:\Windows\System\RTqRbLm.exe
2⤵
- Executes dropped EXE
PID:1404

C:\Windows\System\UnNFDEl.exe
C:\Windows\System\UnNFDEl.exe
2⤵
- Executes dropped EXE
PID:4984

C:\Windows\System\VbSEeme.exe
C:\Windows\System\VbSEeme.exe
2⤵
- Executes dropped EXE
PID:3592

C:\Windows\System\jJIBQXE.exe
C:\Windows\System\jJIBQXE.exe
2⤵
- Executes dropped EXE
PID:4972

C:\Windows\System\EymKlZn.exe
C:\Windows\System\EymKlZn.exe
2⤵
- Executes dropped EXE
PID:3416

C:\Windows\System\kNCxyGB.exe
C:\Windows\System\kNCxyGB.exe
2⤵
- Executes dropped EXE
PID:3556

C:\Windows\System\eqroqCr.exe
C:\Windows\System\eqroqCr.exe
2⤵
- Executes dropped EXE
PID:1412

C:\Windows\System\uuGccWN.exe
C:\Windows\System\uuGccWN.exe
2⤵
- Executes dropped EXE
PID:5108

C:\Windows\System\vdjwwvj.exe
C:\Windows\System\vdjwwvj.exe
2⤵
- Executes dropped EXE
PID:3244

C:\Windows\System\erSJxWX.exe
C:\Windows\System\erSJxWX.exe
2⤵
- Executes dropped EXE
PID:4900

C:\Windows\System\mbTooqp.exe
C:\Windows\System\mbTooqp.exe
2⤵
- Executes dropped EXE
PID:3068

C:\Windows\System\nqiYQch.exe
C:\Windows\System\nqiYQch.exe
2⤵
- Executes dropped EXE
PID:3204

C:\Windows\System\JRbqhLS.exe
C:\Windows\System\JRbqhLS.exe
2⤵
- Executes dropped EXE
PID:4808

C:\Windows\System\WYQyfou.exe
C:\Windows\System\WYQyfou.exe
2⤵
- Executes dropped EXE
PID:4364

C:\Windows\System\fKqXrXf.exe
C:\Windows\System\fKqXrXf.exe
2⤵
- Executes dropped EXE
PID:632

C:\Windows\System\orndOFF.exe
C:\Windows\System\orndOFF.exe
2⤵
- Executes dropped EXE
PID:4304

C:\Windows\System\nTmThpr.exe
C:\Windows\System\nTmThpr.exe
2⤵
- Executes dropped EXE
PID:4292

C:\Windows\System\WwxVUgV.exe
C:\Windows\System\WwxVUgV.exe
2⤵
- Executes dropped EXE
PID:4208

C:\Windows\System\EQrCocv.exe
C:\Windows\System\EQrCocv.exe
2⤵
- Executes dropped EXE
PID:4592

C:\Windows\System\nvCJULy.exe
C:\Windows\System\nvCJULy.exe
2⤵
- Executes dropped EXE
PID:1420

C:\Windows\System\itIQtXw.exe
C:\Windows\System\itIQtXw.exe
2⤵
- Executes dropped EXE
PID:3144

C:\Windows\System\NcxJKEj.exe
C:\Windows\System\NcxJKEj.exe
2⤵
- Executes dropped EXE
PID:4656

C:\Windows\System\QafOrHJ.exe
C:\Windows\System\QafOrHJ.exe
2⤵
- Executes dropped EXE
PID:2456

C:\Windows\System\dGQMWel.exe
C:\Windows\System\dGQMWel.exe
2⤵
- Executes dropped EXE
PID:4964

C:\Windows\System\Hsvotfc.exe
C:\Windows\System\Hsvotfc.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Windows\System\AoGdRUL.exe
C:\Windows\System\AoGdRUL.exe
2⤵
- Executes dropped EXE
PID:3644

C:\Windows\System\KucEzuS.exe
C:\Windows\System\KucEzuS.exe
2⤵
- Executes dropped EXE
PID:1272

C:\Windows\System\OeVsRaD.exe
C:\Windows\System\OeVsRaD.exe
2⤵
- Executes dropped EXE
PID:1276

C:\Windows\System\xFEUpAY.exe
C:\Windows\System\xFEUpAY.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\ghrYUAq.exe
C:\Windows\System\ghrYUAq.exe
2⤵
- Executes dropped EXE
PID:4704

C:\Windows\System\SWZPwLk.exe
C:\Windows\System\SWZPwLk.exe
2⤵
- Executes dropped EXE
PID:1196

C:\Windows\System\kXwdUHk.exe
C:\Windows\System\kXwdUHk.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Windows\System\izrqqEY.exe
C:\Windows\System\izrqqEY.exe
2⤵
- Executes dropped EXE
PID:3436

C:\Windows\System\uqBEqbW.exe
C:\Windows\System\uqBEqbW.exe
2⤵
- Executes dropped EXE
PID:3928

C:\Windows\System\kHIgBmL.exe
C:\Windows\System\kHIgBmL.exe
2⤵
- Executes dropped EXE
PID:5052

C:\Windows\System\ciyQNTx.exe
C:\Windows\System\ciyQNTx.exe
2⤵
- Executes dropped EXE
PID:4660

C:\Windows\System\HEXUmhe.exe
C:\Windows\System\HEXUmhe.exe
2⤵
- Executes dropped EXE
PID:2396

C:\Windows\System\bHlPGAF.exe
C:\Windows\System\bHlPGAF.exe
2⤵
- Executes dropped EXE
PID:3096

C:\Windows\System\ZxMpngt.exe
C:\Windows\System\ZxMpngt.exe
2⤵
PID:1948

C:\Windows\System\ZqvyWeq.exe
C:\Windows\System\ZqvyWeq.exe
2⤵
PID:3168

C:\Windows\System\pbxfNej.exe
C:\Windows\System\pbxfNej.exe
2⤵
PID:3736

C:\Windows\System\TqwPOvy.exe
C:\Windows\System\TqwPOvy.exe
2⤵
PID:4504

C:\Windows\System\qNtAQfy.exe
C:\Windows\System\qNtAQfy.exe
2⤵
PID:3664

C:\Windows\System\ckccYqy.exe
C:\Windows\System\ckccYqy.exe
2⤵
PID:2368

C:\Windows\System\VTwmyed.exe
C:\Windows\System\VTwmyed.exe
2⤵
PID:4432

C:\Windows\System\vFjuNdx.exe
C:\Windows\System\vFjuNdx.exe
2⤵
PID:5124

C:\Windows\System\phXuFCc.exe
C:\Windows\System\phXuFCc.exe
2⤵
PID:5148

C:\Windows\System\sNhtppn.exe
C:\Windows\System\sNhtppn.exe
2⤵
PID:5180

C:\Windows\System\kaXcJkT.exe
C:\Windows\System\kaXcJkT.exe
2⤵
PID:5208

C:\Windows\System\QniOnhb.exe
C:\Windows\System\QniOnhb.exe
2⤵
PID:5236

C:\Windows\System\NLbdhVo.exe
C:\Windows\System\NLbdhVo.exe
2⤵
PID:5264

C:\Windows\System\VwNrTiM.exe
C:\Windows\System\VwNrTiM.exe
2⤵
PID:5288

C:\Windows\System\snymHoi.exe
C:\Windows\System\snymHoi.exe
2⤵
PID:5320

C:\Windows\System\CVlARpz.exe
C:\Windows\System\CVlARpz.exe
2⤵
PID:5348

C:\Windows\System\tNclyUp.exe
C:\Windows\System\tNclyUp.exe
2⤵
PID:5376

C:\Windows\System\IisDznT.exe
C:\Windows\System\IisDznT.exe
2⤵
PID:5404

C:\Windows\System\SHEJyuW.exe
C:\Windows\System\SHEJyuW.exe
2⤵
PID:5432

C:\Windows\System\RVdXKxJ.exe
C:\Windows\System\RVdXKxJ.exe
2⤵
PID:5464

C:\Windows\System\qCGsMYi.exe
C:\Windows\System\qCGsMYi.exe
2⤵
PID:5488

C:\Windows\System\GIiHAzi.exe
C:\Windows\System\GIiHAzi.exe
2⤵
PID:5516

C:\Windows\System\ugobPLs.exe
C:\Windows\System\ugobPLs.exe
2⤵
PID:5544

C:\Windows\System\IYNkhQF.exe
C:\Windows\System\IYNkhQF.exe
2⤵
PID:5568

C:\Windows\System\bcbLBkM.exe
C:\Windows\System\bcbLBkM.exe
2⤵
PID:5596

C:\Windows\System\LyojzET.exe
C:\Windows\System\LyojzET.exe
2⤵
PID:5628

C:\Windows\System\bzzeGga.exe
C:\Windows\System\bzzeGga.exe
2⤵
PID:5656

C:\Windows\System\DiriFpX.exe
C:\Windows\System\DiriFpX.exe
2⤵
PID:5684

C:\Windows\System\IZyfVlI.exe
C:\Windows\System\IZyfVlI.exe
2⤵
PID:5712

C:\Windows\System\fEcSVSA.exe
C:\Windows\System\fEcSVSA.exe
2⤵
PID:5740

C:\Windows\System\gGNgHFv.exe
C:\Windows\System\gGNgHFv.exe
2⤵
PID:5768

C:\Windows\System\UAEqxIj.exe
C:\Windows\System\UAEqxIj.exe
2⤵
PID:5796

C:\Windows\System\TCSAjhk.exe
C:\Windows\System\TCSAjhk.exe
2⤵
PID:5824

C:\Windows\System\raLSQzu.exe
C:\Windows\System\raLSQzu.exe
2⤵
PID:5848

C:\Windows\System\jpRouTe.exe
C:\Windows\System\jpRouTe.exe
2⤵
PID:5880

C:\Windows\System\LHzAWrK.exe
C:\Windows\System\LHzAWrK.exe
2⤵
PID:5908

C:\Windows\System\HpEtvcy.exe
C:\Windows\System\HpEtvcy.exe
2⤵
PID:5936

C:\Windows\System\MzanzYg.exe
C:\Windows\System\MzanzYg.exe
2⤵
PID:5964

C:\Windows\System\ThqvlcO.exe
C:\Windows\System\ThqvlcO.exe
2⤵
PID:5992

C:\Windows\System\RKyWZCs.exe
C:\Windows\System\RKyWZCs.exe
2⤵
PID:6020

C:\Windows\System\yGHIqSQ.exe
C:\Windows\System\yGHIqSQ.exe
2⤵
PID:6048

C:\Windows\System\cfFmhRY.exe
C:\Windows\System\cfFmhRY.exe
2⤵
PID:6076

C:\Windows\System\XvZWDLC.exe
C:\Windows\System\XvZWDLC.exe
2⤵
PID:6104

C:\Windows\System\TFNVZoG.exe
C:\Windows\System\TFNVZoG.exe
2⤵
PID:6132

C:\Windows\System\wctBukv.exe
C:\Windows\System\wctBukv.exe
2⤵
PID:2676

C:\Windows\System\SbPlFdM.exe
C:\Windows\System\SbPlFdM.exe
2⤵
PID:4456

C:\Windows\System\TEspKSh.exe
C:\Windows\System\TEspKSh.exe
2⤵
PID:3404

C:\Windows\System\yrLKDeW.exe
C:\Windows\System\yrLKDeW.exe
2⤵
PID:2532

C:\Windows\System\PzNVPzR.exe
C:\Windows\System\PzNVPzR.exe
2⤵
PID:2940

C:\Windows\System\DPlBqlV.exe
C:\Windows\System\DPlBqlV.exe
2⤵
PID:5136

C:\Windows\System\NfBxFgM.exe
C:\Windows\System\NfBxFgM.exe
2⤵
PID:5196

C:\Windows\System\mEDOvgH.exe
C:\Windows\System\mEDOvgH.exe
2⤵
PID:5256

C:\Windows\System\WHjPNCi.exe
C:\Windows\System\WHjPNCi.exe
2⤵
PID:5312

C:\Windows\System\yoIDbiR.exe
C:\Windows\System\yoIDbiR.exe
2⤵
PID:5368

C:\Windows\System\fZbeWSP.exe
C:\Windows\System\fZbeWSP.exe
2⤵
PID:5444

C:\Windows\System\PzteiBv.exe
C:\Windows\System\PzteiBv.exe
2⤵
PID:5504

C:\Windows\System\hhOJkEJ.exe
C:\Windows\System\hhOJkEJ.exe
2⤵
PID:2072

C:\Windows\System\kEGuhiQ.exe
C:\Windows\System\kEGuhiQ.exe
2⤵
PID:5592

C:\Windows\System\DUTQCGI.exe
C:\Windows\System\DUTQCGI.exe
2⤵
PID:5668

C:\Windows\System\rNEBscX.exe
C:\Windows\System\rNEBscX.exe
2⤵
PID:5704

C:\Windows\System\wAtBrES.exe
C:\Windows\System\wAtBrES.exe
2⤵
PID:5784

C:\Windows\System\HliWnnD.exe
C:\Windows\System\HliWnnD.exe
2⤵
PID:5840

C:\Windows\System\cFZUjIv.exe
C:\Windows\System\cFZUjIv.exe
2⤵
PID:5892

C:\Windows\System\nONJmMr.exe
C:\Windows\System\nONJmMr.exe
2⤵
PID:5952

C:\Windows\System\CjCChOZ.exe
C:\Windows\System\CjCChOZ.exe
2⤵
PID:6008

C:\Windows\System\gtafduI.exe
C:\Windows\System\gtafduI.exe
2⤵
PID:6068

C:\Windows\System\zejeNhD.exe
C:\Windows\System\zejeNhD.exe
2⤵
PID:6124

C:\Windows\System\BMfYoHR.exe
C:\Windows\System\BMfYoHR.exe
2⤵
PID:1624

C:\Windows\System\CDkTvam.exe
C:\Windows\System\CDkTvam.exe
2⤵
PID:1244

C:\Windows\System\OWbeJtF.exe
C:\Windows\System\OWbeJtF.exe
2⤵
PID:5168

C:\Windows\System\pAtzmED.exe
C:\Windows\System\pAtzmED.exe
2⤵
PID:5304

C:\Windows\System\wRmRyaH.exe
C:\Windows\System\wRmRyaH.exe
2⤵
PID:5416

C:\Windows\System\KJePwyj.exe
C:\Windows\System\KJePwyj.exe
2⤵
PID:5532

C:\Windows\System\chtDluZ.exe
C:\Windows\System\chtDluZ.exe
2⤵
PID:5644

C:\Windows\System\MyZEzYO.exe
C:\Windows\System\MyZEzYO.exe
2⤵
PID:1648

C:\Windows\System\UTMqYmC.exe
C:\Windows\System\UTMqYmC.exe
2⤵
PID:5872

C:\Windows\System\jdRbaBx.exe
C:\Windows\System\jdRbaBx.exe
2⤵
PID:6036

C:\Windows\System\qYTHHpw.exe
C:\Windows\System\qYTHHpw.exe
2⤵
PID:4524

C:\Windows\System\TwZxyiw.exe
C:\Windows\System\TwZxyiw.exe
2⤵
PID:1928

C:\Windows\System\HSFOGFF.exe
C:\Windows\System\HSFOGFF.exe
2⤵
PID:5484

C:\Windows\System\ukZeQmx.exe
C:\Windows\System\ukZeQmx.exe
2⤵
PID:5640

C:\Windows\System\ehRyWyY.exe
C:\Windows\System\ehRyWyY.exe
2⤵
PID:1616

C:\Windows\System\ZcrQFWc.exe
C:\Windows\System\ZcrQFWc.exe
2⤵
PID:6160

C:\Windows\System\ATtCuDJ.exe
C:\Windows\System\ATtCuDJ.exe
2⤵
PID:6184

C:\Windows\System\NQzAWut.exe
C:\Windows\System\NQzAWut.exe
2⤵
PID:6212

C:\Windows\System\LwMpcGk.exe
C:\Windows\System\LwMpcGk.exe
2⤵
PID:6240

C:\Windows\System\XXdlUqR.exe
C:\Windows\System\XXdlUqR.exe
2⤵
PID:6272

C:\Windows\System\taLBXbA.exe
C:\Windows\System\taLBXbA.exe
2⤵
PID:6300

C:\Windows\System\RbdNJaz.exe
C:\Windows\System\RbdNJaz.exe
2⤵
PID:6328

C:\Windows\System\EAhloZq.exe
C:\Windows\System\EAhloZq.exe
2⤵
PID:6356

C:\Windows\System\wJtFWsV.exe
C:\Windows\System\wJtFWsV.exe
2⤵
PID:6380

C:\Windows\System\DFMwjUK.exe
C:\Windows\System\DFMwjUK.exe
2⤵
PID:6412

C:\Windows\System\BkgfajV.exe
C:\Windows\System\BkgfajV.exe
2⤵
PID:6440

C:\Windows\System\keSICSc.exe
C:\Windows\System\keSICSc.exe
2⤵
PID:6468

C:\Windows\System\GFvfJro.exe
C:\Windows\System\GFvfJro.exe
2⤵
PID:6496

C:\Windows\System\UjXNChl.exe
C:\Windows\System\UjXNChl.exe
2⤵
PID:6524

C:\Windows\System\odMzTtB.exe
C:\Windows\System\odMzTtB.exe
2⤵
PID:6552

C:\Windows\System\AzqCxWZ.exe
C:\Windows\System\AzqCxWZ.exe
2⤵
PID:6576

C:\Windows\System\eLPadqD.exe
C:\Windows\System\eLPadqD.exe
2⤵
PID:6604

C:\Windows\System\uXRzmtF.exe
C:\Windows\System\uXRzmtF.exe
2⤵
PID:6632

C:\Windows\System\rMZVCNB.exe
C:\Windows\System\rMZVCNB.exe
2⤵
PID:6660

C:\Windows\System\uPdjRtH.exe
C:\Windows\System\uPdjRtH.exe
2⤵
PID:6688

C:\Windows\System\iFVUciu.exe
C:\Windows\System\iFVUciu.exe
2⤵
PID:6716

C:\Windows\System\kGtssSL.exe
C:\Windows\System\kGtssSL.exe
2⤵
PID:6744

C:\Windows\System\SSDGpum.exe
C:\Windows\System\SSDGpum.exe
2⤵
PID:6776

C:\Windows\System\LcAdpPi.exe
C:\Windows\System\LcAdpPi.exe
2⤵
PID:6808

C:\Windows\System\XchTulP.exe
C:\Windows\System\XchTulP.exe
2⤵
PID:6832

C:\Windows\System\qwDxlBD.exe
C:\Windows\System\qwDxlBD.exe
2⤵
PID:6860

C:\Windows\System\MykWRny.exe
C:\Windows\System\MykWRny.exe
2⤵
PID:6884

C:\Windows\System\mXeGNhn.exe
C:\Windows\System\mXeGNhn.exe
2⤵
PID:6916

C:\Windows\System\CDmdOyf.exe
C:\Windows\System\CDmdOyf.exe
2⤵
PID:6944

C:\Windows\System\DQOkVzQ.exe
C:\Windows\System\DQOkVzQ.exe
2⤵
PID:6972

C:\Windows\System\ZcFlPvN.exe
C:\Windows\System\ZcFlPvN.exe
2⤵
PID:7000

C:\Windows\System\zImvgLo.exe
C:\Windows\System\zImvgLo.exe
2⤵
PID:7024

C:\Windows\System\TyMASsf.exe
C:\Windows\System\TyMASsf.exe
2⤵
PID:7120

C:\Windows\System\rgmTKAT.exe
C:\Windows\System\rgmTKAT.exe
2⤵
PID:7152

C:\Windows\System\lNPQIMb.exe
C:\Windows\System\lNPQIMb.exe
2⤵
PID:5976

C:\Windows\System\AuBbGfj.exe
C:\Windows\System\AuBbGfj.exe
2⤵
PID:2472

C:\Windows\System\GIFwGSn.exe
C:\Windows\System\GIFwGSn.exe
2⤵
PID:5528

C:\Windows\System\pfDSKMf.exe
C:\Windows\System\pfDSKMf.exe
2⤵
PID:5816

C:\Windows\System\OwhYsOq.exe
C:\Windows\System\OwhYsOq.exe
2⤵
PID:1644

C:\Windows\System\VqpVudG.exe
C:\Windows\System\VqpVudG.exe
2⤵
PID:6232

C:\Windows\System\AuPFXIC.exe
C:\Windows\System\AuPFXIC.exe
2⤵
PID:3080

C:\Windows\System\uHWitPA.exe
C:\Windows\System\uHWitPA.exe
2⤵
PID:6292

C:\Windows\System\YdOpfCM.exe
C:\Windows\System\YdOpfCM.exe
2⤵
PID:6340

C:\Windows\System\rbuzzou.exe
C:\Windows\System\rbuzzou.exe
2⤵
PID:4696

C:\Windows\System\rxOlzNo.exe
C:\Windows\System\rxOlzNo.exe
2⤵
PID:6396

C:\Windows\System\TWSlIvs.exe
C:\Windows\System\TWSlIvs.exe
2⤵
PID:6460

C:\Windows\System\lDPEvBz.exe
C:\Windows\System\lDPEvBz.exe
2⤵
PID:6508

C:\Windows\System\TAoCJhQ.exe
C:\Windows\System\TAoCJhQ.exe
2⤵
PID:3548

C:\Windows\System\cmVUXwW.exe
C:\Windows\System\cmVUXwW.exe
2⤵
PID:6648

C:\Windows\System\FWJdDPQ.exe
C:\Windows\System\FWJdDPQ.exe
2⤵
PID:6680

C:\Windows\System\TbcngVR.exe
C:\Windows\System\TbcngVR.exe
2⤵
PID:6764

C:\Windows\System\VUFvVgs.exe
C:\Windows\System\VUFvVgs.exe
2⤵
PID:6816

C:\Windows\System\zXNcNWd.exe
C:\Windows\System\zXNcNWd.exe
2⤵
PID:6904

C:\Windows\System\pTVyYOU.exe
C:\Windows\System\pTVyYOU.exe
2⤵
PID:1440

C:\Windows\System\aAzASDP.exe
C:\Windows\System\aAzASDP.exe
2⤵
PID:6988

C:\Windows\System\zTWHeve.exe
C:\Windows\System\zTWHeve.exe
2⤵
PID:2232

C:\Windows\System\IMziUze.exe
C:\Windows\System\IMziUze.exe
2⤵
PID:1028

C:\Windows\System\xOTmkEx.exe
C:\Windows\System\xOTmkEx.exe
2⤵
PID:3280

C:\Windows\System\wdgjIvR.exe
C:\Windows\System\wdgjIvR.exe
2⤵
PID:4688

C:\Windows\System\hDQcvZN.exe
C:\Windows\System\hDQcvZN.exe
2⤵
PID:2724

C:\Windows\System\DhPHrsT.exe
C:\Windows\System\DhPHrsT.exe
2⤵
PID:6284

C:\Windows\System\XrXZVUv.exe
C:\Windows\System\XrXZVUv.exe
2⤵
PID:3660

C:\Windows\System\kjVseGZ.exe
C:\Windows\System\kjVseGZ.exe
2⤵
PID:6536

C:\Windows\System\tIXgjUZ.exe
C:\Windows\System\tIXgjUZ.exe
2⤵
PID:6628

C:\Windows\System\ZmOWplc.exe
C:\Windows\System\ZmOWplc.exe
2⤵
PID:6732

C:\Windows\System\xcANeKm.exe
C:\Windows\System\xcANeKm.exe
2⤵
PID:6932

C:\Windows\System\pjdOWuq.exe
C:\Windows\System\pjdOWuq.exe
2⤵
PID:6900

C:\Windows\System\CjRqEpj.exe
C:\Windows\System\CjRqEpj.exe
2⤵
PID:4548

C:\Windows\System\tiojYKk.exe
C:\Windows\System\tiojYKk.exe
2⤵
PID:2572

C:\Windows\System\dMiJmCs.exe
C:\Windows\System\dMiJmCs.exe
2⤵
PID:1036

C:\Windows\System\QdyoAMn.exe
C:\Windows\System\QdyoAMn.exe
2⤵
PID:5928

C:\Windows\System\gqaxTFk.exe
C:\Windows\System\gqaxTFk.exe
2⤵
PID:4856

C:\Windows\System\EIzjcPe.exe
C:\Windows\System\EIzjcPe.exe
2⤵
PID:7016

C:\Windows\System\JfTloLu.exe
C:\Windows\System\JfTloLu.exe
2⤵
PID:2136

C:\Windows\System\jomShEg.exe
C:\Windows\System\jomShEg.exe
2⤵
PID:7108

C:\Windows\System\sseJvwV.exe
C:\Windows\System\sseJvwV.exe
2⤵
PID:6908

C:\Windows\System\CbMubmW.exe
C:\Windows\System\CbMubmW.exe
2⤵
PID:4784

C:\Windows\System\skvSkKo.exe
C:\Windows\System\skvSkKo.exe
2⤵
PID:4904

C:\Windows\System\gfwnKjn.exe
C:\Windows\System\gfwnKjn.exe
2⤵
PID:4132

C:\Windows\System\YJZQMpH.exe
C:\Windows\System\YJZQMpH.exe
2⤵
PID:6116

C:\Windows\System\WJZzlYP.exe
C:\Windows\System\WJZzlYP.exe
2⤵
PID:4496

C:\Windows\System\KtTqGAx.exe
C:\Windows\System\KtTqGAx.exe
2⤵
PID:7188

C:\Windows\System\UkMKQWr.exe
C:\Windows\System\UkMKQWr.exe
2⤵
PID:7216

C:\Windows\System\yZSHDST.exe
C:\Windows\System\yZSHDST.exe
2⤵
PID:7240

C:\Windows\System\WNqurFK.exe
C:\Windows\System\WNqurFK.exe
2⤵
PID:7260

C:\Windows\System\mGFUiie.exe
C:\Windows\System\mGFUiie.exe
2⤵
PID:7296

C:\Windows\System\cthzocg.exe
C:\Windows\System\cthzocg.exe
2⤵
PID:7316

C:\Windows\System\qagrbJm.exe
C:\Windows\System\qagrbJm.exe
2⤵
PID:7332

C:\Windows\System\PCueEWX.exe
C:\Windows\System\PCueEWX.exe
2⤵
PID:7360

C:\Windows\System\SngSCQJ.exe
C:\Windows\System\SngSCQJ.exe
2⤵
PID:7380

C:\Windows\System\sEDVaxe.exe
C:\Windows\System\sEDVaxe.exe
2⤵
PID:7416

C:\Windows\System\UNNasef.exe
C:\Windows\System\UNNasef.exe
2⤵
PID:7460

C:\Windows\System\rlTaKgO.exe
C:\Windows\System\rlTaKgO.exe
2⤵
PID:7476

C:\Windows\System\kKyhNPJ.exe
C:\Windows\System\kKyhNPJ.exe
2⤵
PID:7500

C:\Windows\System\IwMkCVW.exe
C:\Windows\System\IwMkCVW.exe
2⤵
PID:7520

C:\Windows\System\MWYMvou.exe
C:\Windows\System\MWYMvou.exe
2⤵
PID:7564

C:\Windows\System\EXsRqbl.exe
C:\Windows\System\EXsRqbl.exe
2⤵
PID:7588

C:\Windows\System\IuBswRQ.exe
C:\Windows\System\IuBswRQ.exe
2⤵
PID:7612

C:\Windows\System\UtbvleE.exe
C:\Windows\System\UtbvleE.exe
2⤵
PID:7636

C:\Windows\System\cmRjTNf.exe
C:\Windows\System\cmRjTNf.exe
2⤵
PID:7656

C:\Windows\System\XRmaSmY.exe
C:\Windows\System\XRmaSmY.exe
2⤵
PID:7708

C:\Windows\System\UkCNEOJ.exe
C:\Windows\System\UkCNEOJ.exe
2⤵
PID:7732

C:\Windows\System\oZDuTQZ.exe
C:\Windows\System\oZDuTQZ.exe
2⤵
PID:7848

C:\Windows\System\JFlpGyr.exe
C:\Windows\System\JFlpGyr.exe
2⤵
PID:7864

C:\Windows\System\ctngVsW.exe
C:\Windows\System\ctngVsW.exe
2⤵
PID:7884

C:\Windows\System\XBrkXvO.exe
C:\Windows\System\XBrkXvO.exe
2⤵
PID:7916

C:\Windows\System\DkdDsiZ.exe
C:\Windows\System\DkdDsiZ.exe
2⤵
PID:7932

C:\Windows\System\hEsRoqO.exe
C:\Windows\System\hEsRoqO.exe
2⤵
PID:7968

C:\Windows\System\jZOujGi.exe
C:\Windows\System\jZOujGi.exe
2⤵
PID:8032

C:\Windows\System\unkzzJT.exe
C:\Windows\System\unkzzJT.exe
2⤵
PID:8052

C:\Windows\System\xHjJhxN.exe
C:\Windows\System\xHjJhxN.exe
2⤵
PID:8072

C:\Windows\System\FlkAPrg.exe
C:\Windows\System\FlkAPrg.exe
2⤵
PID:8092

C:\Windows\System\mggsHKr.exe
C:\Windows\System\mggsHKr.exe
2⤵
PID:8136

C:\Windows\System\muifxll.exe
C:\Windows\System\muifxll.exe
2⤵
PID:8156

C:\Windows\System\jfYCiHW.exe
C:\Windows\System\jfYCiHW.exe
2⤵
PID:8176

C:\Windows\System\OUtFlAF.exe
C:\Windows\System\OUtFlAF.exe
2⤵
PID:6452

C:\Windows\System\SOstQGk.exe
C:\Windows\System\SOstQGk.exe
2⤵
PID:7208

C:\Windows\System\BbZJcFk.exe
C:\Windows\System\BbZJcFk.exe
2⤵
PID:7256

C:\Windows\System\urWixlE.exe
C:\Windows\System\urWixlE.exe
2⤵
PID:7308

C:\Windows\System\WxMZhKO.exe
C:\Windows\System\WxMZhKO.exe
2⤵
PID:7408

C:\Windows\System\TCmPyZK.exe
C:\Windows\System\TCmPyZK.exe
2⤵
PID:7484

C:\Windows\System\coanVrN.exe
C:\Windows\System\coanVrN.exe
2⤵
PID:7516

C:\Windows\System\SWUNLET.exe
C:\Windows\System\SWUNLET.exe
2⤵
PID:7600

C:\Windows\System\ShYluyn.exe
C:\Windows\System\ShYluyn.exe
2⤵
PID:4652

C:\Windows\System\Qscqdsq.exe
C:\Windows\System\Qscqdsq.exe
2⤵
PID:7752

C:\Windows\System\MtRPJKu.exe
C:\Windows\System\MtRPJKu.exe
2⤵
PID:7780

C:\Windows\System\QYHioaL.exe
C:\Windows\System\QYHioaL.exe
2⤵
PID:7792

C:\Windows\System\jNWglVr.exe
C:\Windows\System\jNWglVr.exe
2⤵
PID:7820

C:\Windows\System\EiuDvQn.exe
C:\Windows\System\EiuDvQn.exe
2⤵
PID:7880

C:\Windows\System\wcJAqWD.exe
C:\Windows\System\wcJAqWD.exe
2⤵
PID:7940

C:\Windows\System\vDMegGe.exe
C:\Windows\System\vDMegGe.exe
2⤵
PID:7984

C:\Windows\System\ihAYoWe.exe
C:\Windows\System\ihAYoWe.exe
2⤵
PID:8028

C:\Windows\System\wPeJMvH.exe
C:\Windows\System\wPeJMvH.exe
2⤵
PID:8112

C:\Windows\System\xzlDqEw.exe
C:\Windows\System\xzlDqEw.exe
2⤵
PID:8152

C:\Windows\System\ZCJmLLI.exe
C:\Windows\System\ZCJmLLI.exe
2⤵
PID:7456

C:\Windows\System\YeMOfAs.exe
C:\Windows\System\YeMOfAs.exe
2⤵
PID:7428

C:\Windows\System\IzurHVa.exe
C:\Windows\System\IzurHVa.exe
2⤵
PID:7604

C:\Windows\System\ctBOBvW.exe
C:\Windows\System\ctBOBvW.exe
2⤵
PID:7788

C:\Windows\System\sFkvNoK.exe
C:\Windows\System\sFkvNoK.exe
2⤵
PID:7812

C:\Windows\System\BRmXraf.exe
C:\Windows\System\BRmXraf.exe
2⤵
PID:7840

C:\Windows\System\jgHxtKR.exe
C:\Windows\System\jgHxtKR.exe
2⤵
PID:8172

C:\Windows\System\DiDRkqb.exe
C:\Windows\System\DiDRkqb.exe
2⤵
PID:8164

C:\Windows\System\JErLCGp.exe
C:\Windows\System\JErLCGp.exe
2⤵
PID:7396

C:\Windows\System\pQtRdmL.exe
C:\Windows\System\pQtRdmL.exe
2⤵
PID:7784

C:\Windows\System\kxdKEpO.exe
C:\Windows\System\kxdKEpO.exe
2⤵
PID:8208

C:\Windows\System\snHyCdy.exe
C:\Windows\System\snHyCdy.exe
2⤵
PID:8224

C:\Windows\System\XFOuLlv.exe
C:\Windows\System\XFOuLlv.exe
2⤵
PID:8256

C:\Windows\System\MjaztBc.exe
C:\Windows\System\MjaztBc.exe
2⤵
PID:8280

C:\Windows\System\EfyrqWH.exe
C:\Windows\System\EfyrqWH.exe
2⤵
PID:8304

C:\Windows\System\kwmKNZj.exe
C:\Windows\System\kwmKNZj.exe
2⤵
PID:8324

C:\Windows\System\kKGopvD.exe
C:\Windows\System\kKGopvD.exe
2⤵
PID:8344

C:\Windows\System\VJgGDix.exe
C:\Windows\System\VJgGDix.exe
2⤵
PID:8368

C:\Windows\System\eVnXymK.exe
C:\Windows\System\eVnXymK.exe
2⤵
PID:8392

C:\Windows\System\slYyukj.exe
C:\Windows\System\slYyukj.exe
2⤵
PID:8416

C:\Windows\System\bAzzUWC.exe
C:\Windows\System\bAzzUWC.exe
2⤵
PID:8432

C:\Windows\System\fDuXYzv.exe
C:\Windows\System\fDuXYzv.exe
2⤵
PID:8472

C:\Windows\System\KWDbJCC.exe
C:\Windows\System\KWDbJCC.exe
2⤵
PID:8504

C:\Windows\System\QpKICfU.exe
C:\Windows\System\QpKICfU.exe
2⤵
PID:8532

C:\Windows\System\ADlIKof.exe
C:\Windows\System\ADlIKof.exe
2⤵
PID:8552

C:\Windows\System\oCzvMBy.exe
C:\Windows\System\oCzvMBy.exe
2⤵
PID:8616

C:\Windows\System\pBJgath.exe
C:\Windows\System\pBJgath.exe
2⤵
PID:8640

C:\Windows\System\oQJydkS.exe
C:\Windows\System\oQJydkS.exe
2⤵
PID:8684

C:\Windows\System\jJUkfgT.exe
C:\Windows\System\jJUkfgT.exe
2⤵
PID:8708

C:\Windows\System\lqfjZIO.exe
C:\Windows\System\lqfjZIO.exe
2⤵
PID:8728

C:\Windows\System\RHNoeIN.exe
C:\Windows\System\RHNoeIN.exe
2⤵
PID:8752

C:\Windows\System\JOiWjUZ.exe
C:\Windows\System\JOiWjUZ.exe
2⤵
PID:8772

C:\Windows\System\MOItGgY.exe
C:\Windows\System\MOItGgY.exe
2⤵
PID:8812

C:\Windows\System\BaREfPr.exe
C:\Windows\System\BaREfPr.exe
2⤵
PID:8844

C:\Windows\System\UqkIFgi.exe
C:\Windows\System\UqkIFgi.exe
2⤵
PID:8888

C:\Windows\System\VWSVzMV.exe
C:\Windows\System\VWSVzMV.exe
2⤵
PID:8908

C:\Windows\System\iYorfGE.exe
C:\Windows\System\iYorfGE.exe
2⤵
PID:8936

C:\Windows\System\NZkHkVO.exe
C:\Windows\System\NZkHkVO.exe
2⤵
PID:8964

C:\Windows\System\BPFrqJV.exe
C:\Windows\System\BPFrqJV.exe
2⤵
PID:8984

C:\Windows\System\mCLEHPl.exe
C:\Windows\System\mCLEHPl.exe
2⤵
PID:9020

C:\Windows\System\DChXyys.exe
C:\Windows\System\DChXyys.exe
2⤵
PID:9044

C:\Windows\System\rzkDicJ.exe
C:\Windows\System\rzkDicJ.exe
2⤵
PID:9068

C:\Windows\System\aunFkuL.exe
C:\Windows\System\aunFkuL.exe
2⤵
PID:9088

C:\Windows\System\YlaYqkt.exe
C:\Windows\System\YlaYqkt.exe
2⤵
PID:9120

C:\Windows\System\ulGjeoO.exe
C:\Windows\System\ulGjeoO.exe
2⤵
PID:9140

C:\Windows\System\dvgnwGO.exe
C:\Windows\System\dvgnwGO.exe
2⤵
PID:9180

C:\Windows\System\XYxyCDc.exe
C:\Windows\System\XYxyCDc.exe
2⤵
PID:9200

C:\Windows\System\tzGDaQv.exe
C:\Windows\System\tzGDaQv.exe
2⤵
PID:8084

C:\Windows\System\RIZLWQZ.exe
C:\Windows\System\RIZLWQZ.exe
2⤵
PID:8204

C:\Windows\System\AhuFdwY.exe
C:\Windows\System\AhuFdwY.exe
2⤵
PID:8268

C:\Windows\System\uOtdujg.exe
C:\Windows\System\uOtdujg.exe
2⤵
PID:8424

C:\Windows\System\ZuPfcre.exe
C:\Windows\System\ZuPfcre.exe
2⤵
PID:8376

C:\Windows\System\aQYCpJw.exe
C:\Windows\System\aQYCpJw.exe
2⤵
PID:8512

C:\Windows\System\MWOldNR.exe
C:\Windows\System\MWOldNR.exe
2⤵
PID:8564

C:\Windows\System\UCrZCtC.exe
C:\Windows\System\UCrZCtC.exe
2⤵
PID:8660

C:\Windows\System\QFfHDHB.exe
C:\Windows\System\QFfHDHB.exe
2⤵
PID:8628

C:\Windows\System\VhQgxkk.exe
C:\Windows\System\VhQgxkk.exe
2⤵
PID:8764

C:\Windows\System\FgBChZV.exe
C:\Windows\System\FgBChZV.exe
2⤵
PID:8780

C:\Windows\System\HSjJvqA.exe
C:\Windows\System\HSjJvqA.exe
2⤵
PID:8900

C:\Windows\System\gThAiLJ.exe
C:\Windows\System\gThAiLJ.exe
2⤵
PID:8932

C:\Windows\System\iQPVnYg.exe
C:\Windows\System\iQPVnYg.exe
2⤵
PID:8960

C:\Windows\System\sCySvsv.exe
C:\Windows\System\sCySvsv.exe
2⤵
PID:9012

C:\Windows\System\eELjnxa.exe
C:\Windows\System\eELjnxa.exe
2⤵
PID:9060

C:\Windows\System\BYVCIJS.exe
C:\Windows\System\BYVCIJS.exe
2⤵
PID:9128

C:\Windows\System\cmXFCft.exe
C:\Windows\System\cmXFCft.exe
2⤵
PID:8220

C:\Windows\System\rjTixub.exe
C:\Windows\System\rjTixub.exe
2⤵
PID:8360

C:\Windows\System\kkGMASJ.exe
C:\Windows\System\kkGMASJ.exe
2⤵
PID:8544

C:\Windows\System\lduQKdj.exe
C:\Windows\System\lduQKdj.exe
2⤵
PID:8724

C:\Windows\System\hIfCmwe.exe
C:\Windows\System\hIfCmwe.exe
2⤵
PID:8824

C:\Windows\System\nxPRjCa.exe
C:\Windows\System\nxPRjCa.exe
2⤵
PID:8976

C:\Windows\System\KEtsmfL.exe
C:\Windows\System\KEtsmfL.exe
2⤵
PID:7808

C:\Windows\System\yEXyFoM.exe
C:\Windows\System\yEXyFoM.exe
2⤵
PID:7292

C:\Windows\System\QwQupGs.exe
C:\Windows\System\QwQupGs.exe
2⤵
PID:8520

C:\Windows\System\MdlrLLy.exe
C:\Windows\System\MdlrLLy.exe
2⤵
PID:8876

C:\Windows\System\vGxeUyz.exe
C:\Windows\System\vGxeUyz.exe
2⤵
PID:9028

C:\Windows\System\LUSxhiT.exe
C:\Windows\System\LUSxhiT.exe
2⤵
PID:8500

C:\Windows\System\LjmQYXu.exe
C:\Windows\System\LjmQYXu.exe
2⤵
PID:9244

C:\Windows\System\oUcvGNZ.exe
C:\Windows\System\oUcvGNZ.exe
2⤵
PID:9260

C:\Windows\System\sgEgIvV.exe
C:\Windows\System\sgEgIvV.exe
2⤵
PID:9284

C:\Windows\System\WXHfZXz.exe
C:\Windows\System\WXHfZXz.exe
2⤵
PID:9304

C:\Windows\System\Rnuujim.exe
C:\Windows\System\Rnuujim.exe
2⤵
PID:9328

C:\Windows\System\UJMjsqD.exe
C:\Windows\System\UJMjsqD.exe
2⤵
PID:9348

C:\Windows\System\sRgzvdv.exe
C:\Windows\System\sRgzvdv.exe
2⤵
PID:9388

C:\Windows\System\kimjxxG.exe
C:\Windows\System\kimjxxG.exe
2⤵
PID:9420

C:\Windows\System\lwryZeM.exe
C:\Windows\System\lwryZeM.exe
2⤵
PID:9448

C:\Windows\System\UTRUCqf.exe
C:\Windows\System\UTRUCqf.exe
2⤵
PID:9468

C:\Windows\System\GeCxApC.exe
C:\Windows\System\GeCxApC.exe
2⤵
PID:9492

C:\Windows\System\AZnANdO.exe
C:\Windows\System\AZnANdO.exe
2⤵
PID:9516

C:\Windows\System\yByAUQm.exe
C:\Windows\System\yByAUQm.exe
2⤵
PID:9572

C:\Windows\System\HOLALcM.exe
C:\Windows\System\HOLALcM.exe
2⤵
PID:9592

C:\Windows\System\ZwCtJCY.exe
C:\Windows\System\ZwCtJCY.exe
2⤵
PID:9616

C:\Windows\System\golzzUp.exe
C:\Windows\System\golzzUp.exe
2⤵
PID:9660

C:\Windows\System\ZjyQgEN.exe
C:\Windows\System\ZjyQgEN.exe
2⤵
PID:9704

C:\Windows\System\wNsnORD.exe
C:\Windows\System\wNsnORD.exe
2⤵
PID:9732

C:\Windows\System\dbXnFjP.exe
C:\Windows\System\dbXnFjP.exe
2⤵
PID:9756

C:\Windows\System\jVGlABZ.exe
C:\Windows\System\jVGlABZ.exe
2⤵
PID:9772

C:\Windows\System\GSPrAxD.exe
C:\Windows\System\GSPrAxD.exe
2⤵
PID:9864

C:\Windows\System\sTeVVfp.exe
C:\Windows\System\sTeVVfp.exe
2⤵
PID:9880

C:\Windows\System\QbGrnLc.exe
C:\Windows\System\QbGrnLc.exe
2⤵
PID:9896

C:\Windows\System\pCsLkGI.exe
C:\Windows\System\pCsLkGI.exe
2⤵
PID:9912

C:\Windows\System\odrxHJm.exe
C:\Windows\System\odrxHJm.exe
2⤵
PID:9936

C:\Windows\System\TYThktX.exe
C:\Windows\System\TYThktX.exe
2⤵
PID:9952

C:\Windows\System\xtCUNNI.exe
C:\Windows\System\xtCUNNI.exe
2⤵
PID:9972

C:\Windows\System\IVSuCLt.exe
C:\Windows\System\IVSuCLt.exe
2⤵
PID:10008

C:\Windows\System\PIiJukH.exe
C:\Windows\System\PIiJukH.exe
2⤵
PID:10028

C:\Windows\System\QmFtHcu.exe
C:\Windows\System\QmFtHcu.exe
2⤵
PID:10104

C:\Windows\System\jhgFzmR.exe
C:\Windows\System\jhgFzmR.exe
2⤵
PID:10120

C:\Windows\System\VAQJHMT.exe
C:\Windows\System\VAQJHMT.exe
2⤵
PID:10136

C:\Windows\System\NsYicIQ.exe
C:\Windows\System\NsYicIQ.exe
2⤵
PID:10152

C:\Windows\System\FeaSXYv.exe
C:\Windows\System\FeaSXYv.exe
2⤵
PID:10168

C:\Windows\System\KhYwoRc.exe
C:\Windows\System\KhYwoRc.exe
2⤵
PID:10184

C:\Windows\System\gEHiNpw.exe
C:\Windows\System\gEHiNpw.exe
2⤵
PID:10200

C:\Windows\System\FVqBYpy.exe
C:\Windows\System\FVqBYpy.exe
2⤵
PID:10216

C:\Windows\System\PmtoPyx.exe
C:\Windows\System\PmtoPyx.exe
2⤵
PID:10232

C:\Windows\System\pzttDMM.exe
C:\Windows\System\pzttDMM.exe
2⤵
PID:9220

C:\Windows\System\DeCscob.exe
C:\Windows\System\DeCscob.exe
2⤵
PID:8388

C:\Windows\System\TIwEccL.exe
C:\Windows\System\TIwEccL.exe
2⤵
PID:9316

C:\Windows\System\XyrCcYw.exe
C:\Windows\System\XyrCcYw.exe
2⤵
PID:9372

C:\Windows\System\ZAsNbPm.exe
C:\Windows\System\ZAsNbPm.exe
2⤵
PID:9384

C:\Windows\System\jSKRHHe.exe
C:\Windows\System\jSKRHHe.exe
2⤵
PID:9460

C:\Windows\System\QIbulaj.exe
C:\Windows\System\QIbulaj.exe
2⤵
PID:9528

C:\Windows\System\iXRymgJ.exe
C:\Windows\System\iXRymgJ.exe
2⤵
PID:9608

C:\Windows\System\FcYxkCI.exe
C:\Windows\System\FcYxkCI.exe
2⤵
PID:9696

C:\Windows\System\WBUblSM.exe
C:\Windows\System\WBUblSM.exe
2⤵
PID:9904

C:\Windows\System\gKnBIGh.exe
C:\Windows\System\gKnBIGh.exe
2⤵
PID:10020

C:\Windows\System\UmyZSDf.exe
C:\Windows\System\UmyZSDf.exe
2⤵
PID:9444

C:\Windows\System\UrGWepv.exe
C:\Windows\System\UrGWepv.exe
2⤵
PID:10180

C:\Windows\System\kySEQOO.exe
C:\Windows\System\kySEQOO.exe
2⤵
PID:10112

C:\Windows\System\lVscMdf.exe
C:\Windows\System\lVscMdf.exe
2⤵
PID:9300

C:\Windows\System\SBOoEoF.exe
C:\Windows\System\SBOoEoF.exe
2⤵
PID:9640

C:\Windows\System\kzmMjLW.exe
C:\Windows\System\kzmMjLW.exe
2⤵
PID:9852

C:\Windows\System\gEReifJ.exe
C:\Windows\System\gEReifJ.exe
2⤵
PID:9944

C:\Windows\System\lrDriuO.exe
C:\Windows\System\lrDriuO.exe
2⤵
PID:9908

C:\Windows\System\voonznN.exe
C:\Windows\System\voonznN.exe
2⤵
PID:10196

C:\Windows\System\mPtrLGz.exe
C:\Windows\System\mPtrLGz.exe
2⤵
PID:10192

C:\Windows\System\oRBKZiY.exe
C:\Windows\System\oRBKZiY.exe
2⤵
PID:10060

C:\Windows\System\EgFGnHw.exe
C:\Windows\System\EgFGnHw.exe
2⤵
PID:9720

C:\Windows\System\cKCgXjA.exe
C:\Windows\System\cKCgXjA.exe
2⤵
PID:9668

C:\Windows\System\VUxxKRP.exe
C:\Windows\System\VUxxKRP.exe
2⤵
PID:10252

C:\Windows\System\EozhAZJ.exe
C:\Windows\System\EozhAZJ.exe
2⤵
PID:10276

C:\Windows\System\ODiQatE.exe
C:\Windows\System\ODiQatE.exe
2⤵
PID:10292

C:\Windows\System\BYybbfz.exe
C:\Windows\System\BYybbfz.exe
2⤵
PID:10316

C:\Windows\System\FhhKiuf.exe
C:\Windows\System\FhhKiuf.exe
2⤵
PID:10356

C:\Windows\System\vvIVbMB.exe
C:\Windows\System\vvIVbMB.exe
2⤵
PID:10400

C:\Windows\System\MnMIUPC.exe
C:\Windows\System\MnMIUPC.exe
2⤵
PID:10416

C:\Windows\System\aqSLHxz.exe
C:\Windows\System\aqSLHxz.exe
2⤵
PID:10448

C:\Windows\System\XmfAVvH.exe
C:\Windows\System\XmfAVvH.exe
2⤵
PID:10480

C:\Windows\System\ZmXjQii.exe
C:\Windows\System\ZmXjQii.exe
2⤵
PID:10500

C:\Windows\System\rSMUCFl.exe
C:\Windows\System\rSMUCFl.exe
2⤵
PID:10516

C:\Windows\System\CDLptmc.exe
C:\Windows\System\CDLptmc.exe
2⤵
PID:10548

C:\Windows\System\oRXeXOT.exe
C:\Windows\System\oRXeXOT.exe
2⤵
PID:10564

C:\Windows\System\zzZTGrq.exe
C:\Windows\System\zzZTGrq.exe
2⤵
PID:10588

C:\Windows\System\qOEADSY.exe
C:\Windows\System\qOEADSY.exe
2⤵
PID:10608

C:\Windows\System\LADDTDS.exe
C:\Windows\System\LADDTDS.exe
2⤵
PID:10648

C:\Windows\System\VxPVlCi.exe
C:\Windows\System\VxPVlCi.exe
2⤵
PID:10684

C:\Windows\System\bUrlURo.exe
C:\Windows\System\bUrlURo.exe
2⤵
PID:10712

C:\Windows\System\bVstZTV.exe
C:\Windows\System\bVstZTV.exe
2⤵
PID:10732

C:\Windows\System\IXQbuCs.exe
C:\Windows\System\IXQbuCs.exe
2⤵
PID:10760

C:\Windows\System\naspEzO.exe
C:\Windows\System\naspEzO.exe
2⤵
PID:10776

C:\Windows\System\YpTOTMn.exe
C:\Windows\System\YpTOTMn.exe
2⤵
PID:10800

C:\Windows\System\xQJuSjb.exe
C:\Windows\System\xQJuSjb.exe
2⤵
PID:10824

C:\Windows\System\jCXcdBi.exe
C:\Windows\System\jCXcdBi.exe
2⤵
PID:10840

C:\Windows\System\zORALho.exe
C:\Windows\System\zORALho.exe
2⤵
PID:10868

C:\Windows\System\PFJNExo.exe
C:\Windows\System\PFJNExo.exe
2⤵
PID:10888

C:\Windows\System\GnnFObu.exe
C:\Windows\System\GnnFObu.exe
2⤵
PID:10920

C:\Windows\System\hPlHvaU.exe
C:\Windows\System\hPlHvaU.exe
2⤵
PID:10988

C:\Windows\System\iOmevag.exe
C:\Windows\System\iOmevag.exe
2⤵
PID:11004

C:\Windows\System\aapCKuM.exe
C:\Windows\System\aapCKuM.exe
2⤵
PID:11028

C:\Windows\System\cZxPTwf.exe
C:\Windows\System\cZxPTwf.exe
2⤵
PID:11060

C:\Windows\System\emKgSAl.exe
C:\Windows\System\emKgSAl.exe
2⤵
PID:11080

C:\Windows\System\TaRXDiP.exe
C:\Windows\System\TaRXDiP.exe
2⤵
PID:11112

C:\Windows\System\rhQDEZJ.exe
C:\Windows\System\rhQDEZJ.exe
2⤵
PID:11168

C:\Windows\System\YgCbHvV.exe
C:\Windows\System\YgCbHvV.exe
2⤵
PID:11208

C:\Windows\System\fQHEhEK.exe
C:\Windows\System\fQHEhEK.exe
2⤵
PID:11228

C:\Windows\System\qFHaixg.exe
C:\Windows\System\qFHaixg.exe
2⤵
PID:11248

C:\Windows\System\PXZnaWD.exe
C:\Windows\System\PXZnaWD.exe
2⤵
PID:10244

C:\Windows\System\ewtnVKh.exe
C:\Windows\System\ewtnVKh.exe
2⤵
PID:9552

C:\Windows\System\xUhxTCh.exe
C:\Windows\System\xUhxTCh.exe
2⤵
PID:10388

C:\Windows\System\npCQCDf.exe
C:\Windows\System\npCQCDf.exe
2⤵
PID:10440

C:\Windows\System\beMpHLR.exe
C:\Windows\System\beMpHLR.exe
2⤵
PID:10508

C:\Windows\System\XwOtIrB.exe
C:\Windows\System\XwOtIrB.exe
2⤵
PID:10556

C:\Windows\System\tWGbONI.exe
C:\Windows\System\tWGbONI.exe
2⤵
PID:10544

C:\Windows\System\LpFcXGb.exe
C:\Windows\System\LpFcXGb.exe
2⤵
PID:10632

C:\Windows\System\yoCJZay.exe
C:\Windows\System\yoCJZay.exe
2⤵
PID:10672

C:\Windows\System\YXBwFWa.exe
C:\Windows\System\YXBwFWa.exe
2⤵
PID:10752

C:\Windows\System\rDFUhSH.exe
C:\Windows\System\rDFUhSH.exe
2⤵
PID:10836

C:\Windows\System\jfysvmv.exe
C:\Windows\System\jfysvmv.exe
2⤵
PID:10772

C:\Windows\System\NadHrNr.exe
C:\Windows\System\NadHrNr.exe
2⤵
PID:10932

C:\Windows\System\eFkEvrt.exe
C:\Windows\System\eFkEvrt.exe
2⤵
PID:10972

C:\Windows\System\tudTwjt.exe
C:\Windows\System\tudTwjt.exe
2⤵
PID:11000

C:\Windows\System\BuwgZtI.exe
C:\Windows\System\BuwgZtI.exe
2⤵
PID:11056

C:\Windows\System\nUzoRti.exe
C:\Windows\System\nUzoRti.exe
2⤵
PID:11156

C:\Windows\System\PzLyiwR.exe
C:\Windows\System\PzLyiwR.exe
2⤵
PID:11188

C:\Windows\System\NpiZJUx.exe
C:\Windows\System\NpiZJUx.exe
2⤵
PID:10364

C:\Windows\System\LerOXCG.exe
C:\Windows\System\LerOXCG.exe
2⤵
PID:10572

C:\Windows\System\MrjoqrT.exe
C:\Windows\System\MrjoqrT.exe
2⤵
PID:10696

C:\Windows\System\FYgmzAP.exe
C:\Windows\System\FYgmzAP.exe
2⤵
PID:9292

C:\Windows\System\laTtOQw.exe
C:\Windows\System\laTtOQw.exe
2⤵
PID:11024

C:\Windows\System\ACUDbBj.exe
C:\Windows\System\ACUDbBj.exe
2⤵
PID:10376

C:\Windows\System\KWTnpvO.exe
C:\Windows\System\KWTnpvO.exe
2⤵
PID:10328

C:\Windows\System\yCPnFpA.exe
C:\Windows\System\yCPnFpA.exe
2⤵
PID:10472

C:\Windows\System\jRQuMiU.exe
C:\Windows\System\jRQuMiU.exe
2⤵
PID:10704

C:\Windows\System\jHCbpkd.exe
C:\Windows\System\jHCbpkd.exe
2⤵
PID:11268

C:\Windows\System\PnDcDkb.exe
C:\Windows\System\PnDcDkb.exe
2⤵
PID:11284

C:\Windows\System\cfnvqOA.exe
C:\Windows\System\cfnvqOA.exe
2⤵
PID:11304

C:\Windows\System\oExYHRC.exe
C:\Windows\System\oExYHRC.exe
2⤵
PID:11340

C:\Windows\System\oktzcOO.exe
C:\Windows\System\oktzcOO.exe
2⤵
PID:11392

C:\Windows\System\wwPSHsm.exe
C:\Windows\System\wwPSHsm.exe
2⤵
PID:11416

C:\Windows\System\sfZaJhf.exe
C:\Windows\System\sfZaJhf.exe
2⤵
PID:11440

C:\Windows\System\PZIlvDK.exe
C:\Windows\System\PZIlvDK.exe
2⤵
PID:11460

C:\Windows\System\lpCgRgF.exe
C:\Windows\System\lpCgRgF.exe
2⤵
PID:11504

C:\Windows\System\TiacXae.exe
C:\Windows\System\TiacXae.exe
2⤵
PID:11536

C:\Windows\System\dhafaLJ.exe
C:\Windows\System\dhafaLJ.exe
2⤵
PID:11560

C:\Windows\System\fyEuXQa.exe
C:\Windows\System\fyEuXQa.exe
2⤵
PID:11580

C:\Windows\System\rrLTFYI.exe
C:\Windows\System\rrLTFYI.exe
2⤵
PID:11600

C:\Windows\System\GRfUAMd.exe
C:\Windows\System\GRfUAMd.exe
2⤵
PID:11620

C:\Windows\System\DXWopsk.exe
C:\Windows\System\DXWopsk.exe
2⤵
PID:11640

C:\Windows\System\JHQElZS.exe
C:\Windows\System\JHQElZS.exe
2⤵
PID:11676

C:\Windows\System\dKqObyy.exe
C:\Windows\System\dKqObyy.exe
2⤵
PID:11732

C:\Windows\System\nvvyMbb.exe
C:\Windows\System\nvvyMbb.exe
2⤵
PID:11768

C:\Windows\System\oVvBRyo.exe
C:\Windows\System\oVvBRyo.exe
2⤵
PID:11788

C:\Windows\System\zYqIDFi.exe
C:\Windows\System\zYqIDFi.exe
2⤵
PID:11828

C:\Windows\System\akncSwJ.exe
C:\Windows\System\akncSwJ.exe
2⤵
PID:11852

C:\Windows\System\hvUhTDH.exe
C:\Windows\System\hvUhTDH.exe
2⤵
PID:11868

C:\Windows\System\yyiJkWw.exe
C:\Windows\System\yyiJkWw.exe
2⤵
PID:11888

C:\Windows\System\xaldrHy.exe
C:\Windows\System\xaldrHy.exe
2⤵
PID:11924

C:\Windows\System\eigTUGb.exe
C:\Windows\System\eigTUGb.exe
2⤵
PID:11940

C:\Windows\System\irYXwWZ.exe
C:\Windows\System\irYXwWZ.exe
2⤵
PID:11976

C:\Windows\System\AOwHBot.exe
C:\Windows\System\AOwHBot.exe
2⤵
PID:11996

C:\Windows\System\KESpGVS.exe
C:\Windows\System\KESpGVS.exe
2⤵
PID:12032

C:\Windows\System\xCszBkh.exe
C:\Windows\System\xCszBkh.exe
2⤵
PID:12060

C:\Windows\System\kAiRvJO.exe
C:\Windows\System\kAiRvJO.exe
2⤵
PID:12100

C:\Windows\System\jNnZzxc.exe
C:\Windows\System\jNnZzxc.exe
2⤵
PID:12136

C:\Windows\System\CrQuqOa.exe
C:\Windows\System\CrQuqOa.exe
2⤵
PID:12152

C:\Windows\System\CYCrqMS.exe
C:\Windows\System\CYCrqMS.exe
2⤵
PID:12176

C:\Windows\System\WeDxtHw.exe
C:\Windows\System\WeDxtHw.exe
2⤵
PID:12192

C:\Windows\System\jBROrth.exe
C:\Windows\System\jBROrth.exe
2⤵
PID:12240

C:\Windows\System\XoKCoNY.exe
C:\Windows\System\XoKCoNY.exe
2⤵
PID:12268

C:\Windows\System\MMkjkdq.exe
C:\Windows\System\MMkjkdq.exe
2⤵
PID:11040

C:\Windows\System\yKgHpGt.exe
C:\Windows\System\yKgHpGt.exe
2⤵
PID:11280

C:\Windows\System\mjHVRYs.exe
C:\Windows\System\mjHVRYs.exe
2⤵
PID:11300

C:\Windows\System\KjRzUyz.exe
C:\Windows\System\KjRzUyz.exe
2⤵
PID:11380

C:\Windows\System\dkLseap.exe
C:\Windows\System\dkLseap.exe
2⤵
PID:11432

C:\Windows\System\htpiZjk.exe
C:\Windows\System\htpiZjk.exe
2⤵
PID:11480

C:\Windows\System\WGAHqVS.exe
C:\Windows\System\WGAHqVS.exe
2⤵
PID:11524

C:\Windows\System\YwMVUTw.exe
C:\Windows\System\YwMVUTw.exe
2⤵
PID:11572

C:\Windows\System\kFELYKx.exe
C:\Windows\System\kFELYKx.exe
2⤵
PID:11628

C:\Windows\System\xnzjwIM.exe
C:\Windows\System\xnzjwIM.exe
2⤵
PID:11688

C:\Windows\System\PRCOZHS.exe
C:\Windows\System\PRCOZHS.exe
2⤵
PID:11760

C:\Windows\System\IJyIKPB.exe
C:\Windows\System\IJyIKPB.exe
2⤵
PID:11808

C:\Windows\System\QfBFXhp.exe
C:\Windows\System\QfBFXhp.exe
2⤵
PID:11824

C:\Windows\System\qjhzGFv.exe
C:\Windows\System\qjhzGFv.exe
2⤵
PID:11988

C:\Windows\System\fitVTnD.exe
C:\Windows\System\fitVTnD.exe
2⤵
PID:12048

C:\Windows\System\wwLaKgL.exe
C:\Windows\System\wwLaKgL.exe
2⤵
PID:12112

C:\Windows\System\nIhXbft.exe
C:\Windows\System\nIhXbft.exe
2⤵
PID:12248

C:\Windows\System\VMQCMgE.exe
C:\Windows\System\VMQCMgE.exe
2⤵
PID:12260

C:\Windows\System\GFBhAkk.exe
C:\Windows\System\GFBhAkk.exe
2⤵
PID:11072

C:\Windows\System\kZeDYEA.exe
C:\Windows\System\kZeDYEA.exe
2⤵
PID:11448

C:\Windows\System\GGoHllw.exe
C:\Windows\System\GGoHllw.exe
2⤵
PID:11452

C:\Windows\System\OkUaFku.exe
C:\Windows\System\OkUaFku.exe
2⤵
PID:11632

C:\Windows\System\MqRTBIw.exe
C:\Windows\System\MqRTBIw.exe
2⤵
PID:11720

C:\Windows\System\kzNDhwN.exe
C:\Windows\System\kzNDhwN.exe
2⤵
PID:11836

C:\Windows\System\AfeCvOk.exe
C:\Windows\System\AfeCvOk.exe
2⤵
PID:11912

C:\Windows\System\EcJHMfr.exe
C:\Windows\System\EcJHMfr.exe
2⤵
PID:11140

C:\Windows\System\ictfnkJ.exe
C:\Windows\System\ictfnkJ.exe
2⤵
PID:12160

C:\Windows\System\tUajrUf.exe
C:\Windows\System\tUajrUf.exe
2⤵
PID:12284

C:\Windows\System\YzMyeKi.exe
C:\Windows\System\YzMyeKi.exe
2⤵
PID:12344

C:\Windows\System\MCaMhZD.exe
C:\Windows\System\MCaMhZD.exe
2⤵
PID:12400

C:\Windows\System\HRcffef.exe
C:\Windows\System\HRcffef.exe
2⤵
PID:12428

C:\Windows\System\QykwLoF.exe
C:\Windows\System\QykwLoF.exe
2⤵
PID:12480

C:\Windows\System\ZDnltHu.exe
C:\Windows\System\ZDnltHu.exe
2⤵
PID:12524

C:\Windows\System\EuqEobm.exe
C:\Windows\System\EuqEobm.exe
2⤵
PID:12544

C:\Windows\System\eRMgqMs.exe
C:\Windows\System\eRMgqMs.exe
2⤵
PID:12568

C:\Windows\System\FNmQNwf.exe
C:\Windows\System\FNmQNwf.exe
2⤵
PID:12588

C:\Windows\System\iRleuRD.exe
C:\Windows\System\iRleuRD.exe
2⤵
PID:12608

C:\Windows\System\woJRKmb.exe
C:\Windows\System\woJRKmb.exe
2⤵
PID:12624

C:\Windows\System\fFAJvhD.exe
C:\Windows\System\fFAJvhD.exe
2⤵
PID:12680

C:\Windows\System\cADvJiB.exe
C:\Windows\System\cADvJiB.exe
2⤵
PID:12700

C:\Windows\System\IBJpnqK.exe
C:\Windows\System\IBJpnqK.exe
2⤵
PID:12732

C:\Windows\System\NVuMEwz.exe
C:\Windows\System\NVuMEwz.exe
2⤵
PID:12748

C:\Windows\System\qyWhnjc.exe
C:\Windows\System\qyWhnjc.exe
2⤵
PID:12772

C:\Windows\System\gPNDoOk.exe
C:\Windows\System\gPNDoOk.exe
2⤵
PID:12804

C:\Windows\System\kFEWSEA.exe
C:\Windows\System\kFEWSEA.exe
2⤵
PID:12836

C:\Windows\System\RNjUUWr.exe
C:\Windows\System\RNjUUWr.exe
2⤵
PID:12888

C:\Windows\System\mmTfiDS.exe
C:\Windows\System\mmTfiDS.exe
2⤵
PID:12912

C:\Windows\System\eIXIPUU.exe
C:\Windows\System\eIXIPUU.exe
2⤵
PID:12932

C:\Windows\System\HulrEyN.exe
C:\Windows\System\HulrEyN.exe
2⤵
PID:12976

C:\Windows\System\tVfqxmn.exe
C:\Windows\System\tVfqxmn.exe
2⤵
PID:13004

C:\Windows\System\YnBgNPF.exe
C:\Windows\System\YnBgNPF.exe
2⤵
PID:13068

C:\Windows\System\cyMBfBQ.exe
C:\Windows\System\cyMBfBQ.exe
2⤵
PID:13084

C:\Windows\System\prkxHeJ.exe
C:\Windows\System\prkxHeJ.exe
2⤵
PID:13108

C:\Windows\System\SQiFTvW.exe
C:\Windows\System\SQiFTvW.exe
2⤵
PID:13128

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4104 -i 4104 -h 500 -j 504 -s 512 -d 12668
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:13248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u01xhhsc.vcx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AmxBrUH.exe
Filesize
1.6MB

MD5
6a50dc679f7f84db912da16ba3448869

SHA1
f981e7dd65dd9c19c9bee516676310b3f1294579

SHA256
7d1298387444cca092da39c66cf20994919c84306085fe5e23aaf98bfa823d6a

SHA512
1f603834bc970f45a06c1c750a08667f7b0a53cbcd96312df5ad3ba32b75db982cb7ed553484ed4a1c014785f6ccbd107a4a024a2fc843e6a55eae87c2fc8f2a

Download Submit
C:\Windows\System\CmdKrOa.exe
Filesize
1.6MB

MD5
3e0e307fc13f3d9f629324e24df5fd27

SHA1
379809baf1d806bbee08c1c5871c84e1a7f74aef

SHA256
8bf705cc706746c1124c92f8aebfc99035e182bd1bff4761e8d44ae7341ee84a

SHA512
d0f1b42bd2ef7a9428c80d1d717e494758a27edbc707f6d50ebad2205083e76c3b82261ae357ae69d1cc3f2bd3918a050b2637e7b5bf3fc26c6e514c1bc65b55

Download Submit
C:\Windows\System\EymKlZn.exe
Filesize
1.6MB

MD5
3da114410cb5293e1b90e2f5369eb76e

SHA1
6291cb9d8fbb2d7da49579160fd26e8f3d5df125

SHA256
6d032a8e24e3b34082f0bce33a72a786f4eb836b25232e08b3a78981a97abc0c

SHA512
e3a161b2a1c8bf3f390b060721587b677889c5aa0dd9e380d4f757375111d084ddaa818597c057ecfc5caecc07341541d61ae5aa3995f589863cdfb2feff73ed

Download Submit
C:\Windows\System\FAROysU.exe
Filesize
1.6MB

MD5
60f96fff759d25a2ceb5df889b4b785b

SHA1
3f0851f76c5564ed21f0c63d0725e2c581c70817

SHA256
de8e7db6afe03f808550c35f1412bbd100de178706c86d1aa48cea863756d2cb

SHA512
07ec99519bd6a27407ece15c6c51584a68f465b177a4ae05df6e3aae3598f18c37b406a3a67a3cccb13b475db149cda41bfbf7ef4c5479a2848e5ca9b2e6cc88

Download Submit
C:\Windows\System\GNUWyHB.exe
Filesize
1.6MB

MD5
4c8bc6cf712b409c46bf63f702abb4cc

SHA1
2ada413636580c830fd5c5a36486217a7d99978f

SHA256
535aba028f172ba40f4c345318900162ff49c2f82f07db9c2ed39ae86e4bc24a

SHA512
a9beca33571feff858e3470cd13d2b221d4a6d4f8df4b66d8c1e7981f7a0bc130c8882d08344b43f0e10b77f0db25dd434ce44f645dec9611dd773e0f633e7ae

Download Submit
C:\Windows\System\HKqdahk.exe
Filesize
1.6MB

MD5
c2febff58eb1064d4098a055d391b8ee

SHA1
a3b09ed18d6ca15cae85c3676e8a100a108aade0

SHA256
d3b2702236b7849477a7f9e50036f34bac7e12b99c8d58219d499ad2cf9b8485

SHA512
74ca7988d01c92d95104c05242d8fa515b6dfccf619de7b2ec5b7358e01ed1eb3e5f39aeb950f23b57f7152778c20bcc144dacd1d5052a3d63e13ee0ac76a572

Download Submit
C:\Windows\System\LgfzDBn.exe
Filesize
1.6MB

MD5
c34616c45bac559b25b62dd446d15bfd

SHA1
cffc1ca453b83d8259fec342ac57880e23232d43

SHA256
23cf05a50c2ae51dab49d3ef6325554da78fa271a6bbda8b6f8527214776c4a4

SHA512
ad348bbcf376146f05b7519d7cc560bc1d9225e4ff0ba714637ed9f1b02653036a7a651c132d9aa66d9f747711782f2acc728857134f96957a4c7a72cb9f036d

Download Submit
C:\Windows\System\MhLqYRz.exe
Filesize
1.6MB

MD5
ba61d6a110d838a552bc637ca7556536

SHA1
b8f292338f1ba028a3ace1e10dc9a3f8315f2108

SHA256
f9d8ae77bb48ae693fc18c86a6adb9c2b3c6f88273a301e19b6c375cbded8ede

SHA512
156792aec0efedf70eb488d39db76f15b5b831c525eb5b2898bcd427c315257741878f51c2edb7388e847797a0d1fbf3484d221e2a0cc8506e84822e270880e2

Download Submit
C:\Windows\System\PNpnkwR.exe
Filesize
1.6MB

MD5
7a5c72b29bb9f9a1bc22aba31b5ad4e3

SHA1
cd3d4213ccc45e02e9bfd50d616311ea7355b0ec

SHA256
8d4b7572239bce47f1cbb396cb606983f7176fc4ca1c58c95b263e4f0d720df8

SHA512
71a5df4a425b8444ee47473afd287163ddbd933874d68d6190b856c184e6cc0fe085c9746f3660c7dda0229785e8aa00e593e64c74e5e18a2a7e7323cf1124ff

Download Submit
C:\Windows\System\RTqRbLm.exe
Filesize
1.6MB

MD5
9595542e96d8fdad28f02676bc712a67

SHA1
e1483f6709848ac34f9aaee7d3346b0081678029

SHA256
0668de0a2778cabadd91cc180a8304750bd1b3050788fc39ac8838bfc360888e

SHA512
a72d7a740a7ef0f867d8644b3d95e2dca470229f16cfc6bcccf2594345e7bcd28d2f60376fc722bace5d0c4a70f3edbb5d4c68e149dbbfbe08e4f755c01100e4

Download Submit
C:\Windows\System\TZCAEHl.exe
Filesize
1.6MB

MD5
4828f839e824576fddde409348a3e63d

SHA1
c6ce1a23520666d629850eb1b5ae9f289abe2080

SHA256
8a228ccb0de4d19fbb99a3e058d8e87990ff4ca8a4c7eea888f225dd3c4182bc

SHA512
b43ef0180fc5be0c2428f17c2222c7b173633e9a2690bb1e44233c7d9c63579c1560f7116ce46ef26b211d0aab5d7ecdcf9a628a79349434161e31d633b7cb1e

Download Submit
C:\Windows\System\UnNFDEl.exe
Filesize
1.6MB

MD5
83f30859977beaca41748cbbe5ea61f5

SHA1
54b551d82d8fc34916f41b6ffbe645721c9ec235

SHA256
648103d1b721503b50b2e88dddd010dbd50e35952171557bb7a0548f81091dd2

SHA512
23043e3a0954a345c617615addb636bfb52d141c18e295b28bedcc6f8b1aa6a1778501087ddf0bf68e6cfe2fa3924b2ca287f842600efbe42f4fa62306fea6dc

Download Submit
C:\Windows\System\VbSEeme.exe
Filesize
1.6MB

MD5
4e122372bf42324331c6e3feee84d005

SHA1
83b384fc5b5a09b73fac9e4fdcdc5445f56ada3e

SHA256
aab0568753443d125c73119fa7270174c86dd25034467e6ce570005ca2cf9796

SHA512
a070838b09bf5949da457e86c3a7b4323f6505c22361585da082f0f02e25c9616a97eccabd150eed624ad82b2600164d7f3dc805230f25fc8b8aeb589586f674

Download Submit
C:\Windows\System\WxHWAkQ.exe
Filesize
8B

MD5
f784b25815939eae756df140ec88bcce

SHA1
959f992ef3b023dc7011c892ef46609e93e446e0

SHA256
b07841838fb38c8a648dce4081c46e746b7428b7dd7a7af6337f780fa28df267

SHA512
d5eae32a5e30d2ab87f7e6f15452bb24385399c780ce67a1cb32fbbe5926efc5a7eeebcaf183f72d069f30884e841fbb8be09ab0434efbd78c17d304e8b87e92

Download Submit
C:\Windows\System\YAnlios.exe
Filesize
1.6MB

MD5
c7d31c9202196274d6407f3b953bb9a5

SHA1
cf7beba5f9f1073bb0044273d50c273f5ec452c3

SHA256
204401aa101205b436453166ac7e227f8978b0e00c4573e725d93d76d69808dc

SHA512
b7f0caaf759c1abd0d92b5193c7078564ff3cc8098f57589145e38b75b4bfbccd7a3d20277435902fecfb569df8007426befadaf31ad4417fac0e0dc16555fbb

Download Submit
C:\Windows\System\eqroqCr.exe
Filesize
1.6MB

MD5
ca01f48a743709b3e022c3a62c34d966

SHA1
99e4feed8234981ac7fc4d77c8a8184c2bd983c4

SHA256
6dc885f708af5d7b179d46fe773c1406da2939edce5fc059c4fa149287908964

SHA512
9c4646d4ca4ff1822ce724bed95e78a31e0684dbe4e6a24b8c0dca3a3945863bf9a00e4623b977eb82ee26f23dda617f6427ba78d51e339f8934117276d756b6

Download Submit
C:\Windows\System\ifQndzY.exe
Filesize
1.6MB

MD5
253b208a376fabcd152effa20ab62ec7

SHA1
939945225f38f9b5a72c587396c52848cd33f4c7

SHA256
4406c4b39521c5e91e023b6fa3b5bc6eaad824dc28d516f80aff2b1c8ab14410

SHA512
da810b4a1973aa456e14c8a01e09b654f0ecd2b79cff9db91464845c627bb68c2d438738995e851c119cae12efd7d0f5118cf940a74b66ad0610df3ed1426294

Download Submit
C:\Windows\System\ipWXVFr.exe
Filesize
1.6MB

MD5
cf48dac287bacf32844c5b9d9908bda0

SHA1
fc093dd28e57f54bef5a89d98838e2b1733a7130

SHA256
b3ea77a040d81616014c50cb21ece7f783f0aa969e2b5c5e19dd58ddcccddd39

SHA512
9766277a0cd17f7144a2c94a29f24843c05c96d82ce2bbd1461c8542fbe57ea8c655f1fb708c1ce909ee3ce62ba2965af613b9bb54c12de970462a7bc7188551

Download Submit
C:\Windows\System\ivvBPaY.exe
Filesize
1.6MB

MD5
6222a97bc69a44ac0956f61a07b3b5aa

SHA1
45ac7a2a15918f5510ca2ee3b41e06b91942ef65

SHA256
7557edfd2de54fd767747b68492c92c6c15ebcfaaa4c406c277e482947640de9

SHA512
5b9f071c79733148e0ef50483768da15d195c3d44a45d9d10c9765a8fa82133ed390daa0cd7f2c2f0aa7433b8cffe7240dc6c83c5db6b686783b3bab5a7fd62f

Download Submit
C:\Windows\System\jJIBQXE.exe
Filesize
1.6MB

MD5
72f3ed7fb14f27fc72118ef33e32c753

SHA1
43b380898fdbb20481145fbf5780fc6236745635

SHA256
0bb7da7f3a94a1bc27ccda4444da0e92a7d028659e9bf1613f1ea72abda0e48c

SHA512
8dcaa0031a3cee6699c83892acc3e3372612a87d7a001fbe89b45f823dbdb92039e5e12a021f35ccd8b4b9d6067da526aa2570f4364d29f6d3f7dfc7ee4b7535

Download Submit
C:\Windows\System\jUMVpNd.exe
Filesize
1.6MB

MD5
896b2f325c558b1774e8a30263e2c92c

SHA1
7e7c9141f7edcb99060a67770b2417ae8d5a6f27

SHA256
7010f9ad7b128ee0333c95179bf1339f0ffe9e561dbe09c756917625ac0ebfbd

SHA512
96273c69e8a532390249abe52d3802dcc1ca51c691da88b3d2caed4014a9b902684e326aab1263b4e5db7e564e8a46c24d9ce7d316eeb504876ce055b7fbcb5f

Download Submit
C:\Windows\System\jaAuCtC.exe
Filesize
1.6MB

MD5
aae278e8465072e722f6e14e7e1b5c2b

SHA1
c1f3fa11e27b42bb03993d46ffb084f9ac40f4cc

SHA256
838cfdb6b57c3067765dc3b822ae763e7e4d422c7fe6f572d5aa51cdd69d5f80

SHA512
1fbf3301c8455e3d1200b3de6d570969eead347a686105cee6e449c5766bc6b95fcd5092f99c88856e43cdd4d83ad80a1ab63f653720b569fba44ba18618f202

Download Submit
C:\Windows\System\kNCxyGB.exe
Filesize
1.6MB

MD5
9ed2c5ea6d83b8148f8afbe7c50036bd

SHA1
41098579bbe0cae63c744e1f22492c7afc9b4cfb

SHA256
dfecc22a60c1e78e516058480cb508ce81a19c2cc02a87bd727789ef133d8226

SHA512
1063457663f4c0b6eb4a93acd6f0122978b5c2a9a1a00e0c504a57db304a7beedb28b7dc6ef8cb5f769ba61fb6c324a1575addf3a1a1b48527129f501f7fcb8c

Download Submit
C:\Windows\System\mTuDxUL.exe
Filesize
1.6MB

MD5
0a184d11d5fa239f8358accb900f1ac8

SHA1
3b8fd2520f55ad5aa11433b47d001e2f6ee165c4

SHA256
127378f9efc04699bc5dab9ae13072478c1fa82699aabb8e8d1cee659963c5a4

SHA512
943301da0dc2cf10b3e065b8a267679ddcf9105cb1be421c49f4b35f4a196a0cebd63f884a1f79ff521b8fd0e8ed2e23126795b956533f838872e49baa0a9dd8

Download Submit
C:\Windows\System\oDWnPfE.exe
Filesize
1.6MB

MD5
10b7a2ad3b9c6968b12235971b58b2b8

SHA1
cdd64da38315a8555d0ac59afa172b24b803d42f

SHA256
5156a59141b3c1cb7a37d79995bbb64a7e16d845aa232b505d836315ed3f87f7

SHA512
3d520af69eea6d3c9585ba0cd3e9a51cf960eb08d128a8aa5365bdb6f0ca1bfd0436ce44a5de2c6af6006fcb50e89b67207f0ca288129bc750cd17f8b9b16d8c

Download Submit
C:\Windows\System\okmMnPl.exe
Filesize
1.6MB

MD5
60307c02ee419db10805f2799cfd31ff

SHA1
1dd47437c29210326f37a8df6e0ce3cfbd12df5c

SHA256
08f5f8d3f9574c9327cec740ba6a22948e850ca26a542dc244b27303bb219404

SHA512
7c74dc5aee9bd3861e6c71c8ccf3876d8c4d610ee9aa5698e2b5e26582488c9f470ecb118e8513db9b32d58322cd8b7ff22eaad94aca90efe4fb5a8fa3d57c34

Download Submit
C:\Windows\System\rJydOJW.exe
Filesize
1.6MB

MD5
0f8a59be32a7fcf1aa39cc09816afd72

SHA1
fd8fb195a5d7f842fe19ddbfedc7a296a9f7574f

SHA256
3286aefe96c73a660570a7b77287110b5050a1f85b21293914d28e2192ae00c2

SHA512
dbce2c8df813efa2798d575cb276d59f63c6332e30bdce1c398148df5e751767691a2e98605e60dc1cb1950ed076db7b37556e2bb906cb38c5d3598c24faf222

Download Submit
C:\Windows\System\uFEkMbr.exe
Filesize
1.6MB

MD5
7792515da9f2da69e025154063022674

SHA1
3eb3d311c0ce9eb271d8bf1ffb175660eda44fcf

SHA256
862cfc42cbe8b4ba4425d5511c2f6016fe733406d6ffec6908fab7370ec93e91

SHA512
7e872c2b7f88660e3efc26470854960862f9554ce388c1bb9aade38a8e78f8339664df8b793f7d299395af8637df5e5a7791c9f38725ea205a90fbd9b3a0298c

Download Submit
C:\Windows\System\uOgSixk.exe
Filesize
1.6MB

MD5
c0bbef0bf4d16a6c4991e4be7513f0e0

SHA1
2d8dd692fe27baab1b2a152a94fd4ed638dde344

SHA256
5499f903d73a9c09110b8cd2c311b58e8dfc93e150a968d96c9a44be4b950b0f

SHA512
4502719ffb7d30872f2d99df23b5bd91521e957693746abb8c713ba9e870937fb25979f987077095574847269fbc734b2749176532079f506d9cf4cb04fcc850

Download Submit
C:\Windows\System\vIAhSLq.exe
Filesize
1.6MB

MD5
35ec41b1872528c5fa7d9510cd91dbed

SHA1
28961192f0eb8f39cb7c90a2d75932161a599006

SHA256
03a2b00aeb77f0776af86868b5388a841d738e2a698701e74f07f20cf14dee4c

SHA512
a45e60e94703a43f89a8975979b1974f342a455d101dc1f5180a5fdae5ed41b3ff23a7e899971ccdf4cf109e3e0e11eed1257d9e56e87bb5e0c6ee102f41b231

Download Submit
C:\Windows\System\wOIpRBT.exe
Filesize
1.6MB

MD5
f3f0b4be63f4075ff19cb3ba953668f0

SHA1
6ce1fefae7d28fbdd8aef5acb840e8f561bf619c

SHA256
27367d5eb739969c3278d01e47f6de8f7ae3898e04d6c86a9475aff6419cb33d

SHA512
f54fb62e977af4c043ed80a5a37d6f078c937f699b7a27b9f5d1fce0ac6e0a66098af4ea579429d3c97d57fe72f76090032ee9a2ed5c7b8e98580fa4691b2354

Download Submit
C:\Windows\System\xkjhmwC.exe
Filesize
1.6MB

MD5
1dcb7596c8f3fc6f2cbf7bd2361308f5

SHA1
3b87f2c743a0efa85d4cbfc061b43463687ffc17

SHA256
23476dd17a412aa6e9985e7f3da7547edc35541178a45ccd20a94f8a455c5e9d

SHA512
4befd1ed6f237e2c685364da5c483bc70887e1c1c41f010466bf844ff59c1b95355c8113097fe74245fbf19a0aad923b6bc91e7e8fa66ea35519687ddc31251a

Download Submit
C:\Windows\System\zMedrBD.exe
Filesize
1.6MB

MD5
e99872b08181ec6b960f4ee20470b43f

SHA1
8d60a105d2d355267d1978cf6c42e19da357822e

SHA256
99dde5998b1e0c74e12dec24ef7e0e41f61ce5fb39ad4533f219e67b9b36b82a

SHA512
68d5beb2b189a3077d4146d8b1a62445eb765e7eeba2938d27d50bc580221fba78410fb6fcfd89a090526285c88a14b2ef193fbd86128060b58ccc49590e0222

Download Submit
C:\Windows\System\zSPoBFR.exe
Filesize
1.6MB

MD5
26154685c83a4aaebbcbd0ff8d34b50b

SHA1
b804c7f3619261453f5bf26662673e214eac3925

SHA256
4be0539cd6c07adb2f5f00d46089bf244804569396d3819f68f4cfd7566b6de4

SHA512
9c7d10e0468125bce2b4eebfe22c22705071aae11ad395d319124f34745c3942eb2c32be23e4e58988d332ac424d5a16a584cf5db91d81c6071030f5374edda7

Download Submit
memory/208-0-0x00007FF6A9CA0000-0x00007FF6AA092000-memory.dmp

Filesize
3.9MB

Download
memory/208-1-0x000001DE1C660000-0x000001DE1C670000-memory.dmp

Filesize
64KB

Download
memory/492-166-0x00007FF6D6280000-0x00007FF6D6672000-memory.dmp

Filesize
3.9MB

Download
memory/492-2870-0x00007FF6D6280000-0x00007FF6D6672000-memory.dmp

Filesize
3.9MB

Download
memory/792-160-0x00007FF7274A0000-0x00007FF727892000-memory.dmp

Filesize
3.9MB

Download
memory/792-2868-0x00007FF7274A0000-0x00007FF727892000-memory.dmp

Filesize
3.9MB

Download
memory/924-2843-0x00007FF689050000-0x00007FF689442000-memory.dmp

Filesize
3.9MB

Download
memory/924-84-0x00007FF689050000-0x00007FF689442000-memory.dmp

Filesize
3.9MB

Download
memory/1044-80-0x00007FF7D4330000-0x00007FF7D4722000-memory.dmp

Filesize
3.9MB

Download
memory/1044-2841-0x00007FF7D4330000-0x00007FF7D4722000-memory.dmp

Filesize
3.9MB

Download
memory/1236-2827-0x00007FF736CD0000-0x00007FF7370C2000-memory.dmp

Filesize
3.9MB

Download
memory/1236-2823-0x00007FF736CD0000-0x00007FF7370C2000-memory.dmp

Filesize
3.9MB

Download
memory/1236-12-0x00007FF736CD0000-0x00007FF7370C2000-memory.dmp

Filesize
3.9MB

Download
memory/1256-2880-0x00007FF671C30000-0x00007FF672022000-memory.dmp

Filesize
3.9MB

Download
memory/1256-201-0x00007FF671C30000-0x00007FF672022000-memory.dmp

Filesize
3.9MB

Download
memory/1448-195-0x00007FF6374A0000-0x00007FF637892000-memory.dmp

Filesize
3.9MB

Download
memory/1448-2878-0x00007FF6374A0000-0x00007FF637892000-memory.dmp

Filesize
3.9MB

Download
memory/1920-2853-0x00007FF62D7D0000-0x00007FF62DBC2000-memory.dmp

Filesize
3.9MB

Download
memory/1920-125-0x00007FF62D7D0000-0x00007FF62DBC2000-memory.dmp

Filesize
3.9MB

Download
memory/2148-2852-0x00007FF707710000-0x00007FF707B02000-memory.dmp

Filesize
3.9MB

Download
memory/2148-114-0x00007FF707710000-0x00007FF707B02000-memory.dmp

Filesize
3.9MB

Download
memory/2156-9-0x00007FFFBA0D3000-0x00007FFFBA0D5000-memory.dmp

Filesize
8KB

Download
memory/2156-60-0x0000023F69000000-0x0000023F69022000-memory.dmp

Filesize
136KB

Download
memory/2156-1204-0x0000023F6BDE0000-0x0000023F6C586000-memory.dmp

Filesize
7.6MB

Download
memory/2156-2809-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-2822-0x00007FFFBA0D3000-0x00007FFFBA0D5000-memory.dmp

Filesize
8KB

Download
memory/2156-44-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-65-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

Filesize
10.8MB

Download
memory/2156-2862-0x00007FFFBA0D0000-0x00007FFFBAB91000-memory.dmp

Filesize
10.8MB

Download
memory/2364-72-0x00007FF6D2EC0000-0x00007FF6D32B2000-memory.dmp

Filesize
3.9MB

Download
memory/2364-2829-0x00007FF6D2EC0000-0x00007FF6D32B2000-memory.dmp

Filesize
3.9MB

Download
memory/2444-2876-0x00007FF7AB110000-0x00007FF7AB502000-memory.dmp

Filesize
3.9MB

Download
memory/2444-184-0x00007FF7AB110000-0x00007FF7AB502000-memory.dmp

Filesize
3.9MB

Download
memory/2544-2849-0x00007FF7D0650000-0x00007FF7D0A42000-memory.dmp

Filesize
3.9MB

Download
memory/2544-99-0x00007FF7D0650000-0x00007FF7D0A42000-memory.dmp

Filesize
3.9MB

Download
memory/2712-2882-0x00007FF6EC8B0000-0x00007FF6ECCA2000-memory.dmp

Filesize
3.9MB

Download
memory/2712-205-0x00007FF6EC8B0000-0x00007FF6ECCA2000-memory.dmp

Filesize
3.9MB

Download
memory/2924-137-0x00007FF6DDF80000-0x00007FF6DE372000-memory.dmp

Filesize
3.9MB

Download
memory/2924-2861-0x00007FF6DDF80000-0x00007FF6DE372000-memory.dmp

Filesize
3.9MB

Download
memory/3208-183-0x00007FF655A40000-0x00007FF655E32000-memory.dmp

Filesize
3.9MB

Download
memory/3208-2874-0x00007FF655A40000-0x00007FF655E32000-memory.dmp

Filesize
3.9MB

Download
memory/3520-102-0x00007FF6D0DA0000-0x00007FF6D1192000-memory.dmp

Filesize
3.9MB

Download
memory/3520-2831-0x00007FF6D0DA0000-0x00007FF6D1192000-memory.dmp

Filesize
3.9MB

Download
memory/3692-149-0x00007FF6C9A10000-0x00007FF6C9E02000-memory.dmp

Filesize
3.9MB

Download
memory/3692-2866-0x00007FF6C9A10000-0x00007FF6C9E02000-memory.dmp

Filesize
3.9MB

Download
memory/3948-2847-0x00007FF725B80000-0x00007FF725F72000-memory.dmp

Filesize
3.9MB

Download
memory/3948-88-0x00007FF725B80000-0x00007FF725F72000-memory.dmp

Filesize
3.9MB

Download
memory/4068-2872-0x00007FF7842B0000-0x00007FF7846A2000-memory.dmp

Filesize
3.9MB

Download
memory/4068-172-0x00007FF7842B0000-0x00007FF7846A2000-memory.dmp

Filesize
3.9MB

Download
memory/4396-2836-0x00007FF718C00000-0x00007FF718FF2000-memory.dmp

Filesize
3.9MB

Download
memory/4396-110-0x00007FF718C00000-0x00007FF718FF2000-memory.dmp

Filesize
3.9MB

Download
memory/4672-2837-0x00007FF75A800000-0x00007FF75ABF2000-memory.dmp

Filesize
3.9MB

Download
memory/4672-75-0x00007FF75A800000-0x00007FF75ABF2000-memory.dmp

Filesize
3.9MB

Download
memory/4804-143-0x00007FF716CA0000-0x00007FF717092000-memory.dmp

Filesize
3.9MB

Download
memory/4804-2864-0x00007FF716CA0000-0x00007FF717092000-memory.dmp

Filesize
3.9MB

Download
memory/4992-2810-0x00007FF6C28B0000-0x00007FF6C2CA2000-memory.dmp

Filesize
3.9MB

Download
memory/4992-2857-0x00007FF6C28B0000-0x00007FF6C2CA2000-memory.dmp

Filesize
3.9MB

Download
memory/4992-94-0x00007FF6C28B0000-0x00007FF6C2CA2000-memory.dmp

Filesize
3.9MB

Download
memory/4996-131-0x00007FF795450000-0x00007FF795842000-memory.dmp

Filesize
3.9MB

Download
memory/4996-2859-0x00007FF795450000-0x00007FF795842000-memory.dmp

Filesize
3.9MB

Download