xmrig | c2be5e89dbdeea8beb800a041bf67e7c2d133ede3193995c47c0fd302ac218d0

Analysis

max time kernel
91s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
Size

3.1MB
MD5

8921e5cf8a1621a783e03cb5b2f9ab50
SHA1

e554bb937a1efe634421444e2447edbf66bb3bfa
SHA256

c2be5e89dbdeea8beb800a041bf67e7c2d133ede3193995c47c0fd302ac218d0
SHA512

23756f76000850eacb323010beb8dd080099639b4dd174cc1796fd3df69d9a6e6be2a152814c170cefaae476a90b3ba1034ffb2c34e30e0e3cade1e95049b5f0
SSDEEP

98304:N0GnJMOWPClFdx6e0EALKWVTffZiPAcRq6jHjc4Y:NFWPClFI

Score

10^/10

xmrig miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 12944 created 12672	12944	WerFaultSecure.exe	680

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/5072-0-0x00007FF6FE910000-0x00007FF6FED05000-memory.dmp	xmrig
behavioral2/files/0x00080000000233e1-5.dat	xmrig
behavioral2/files/0x00070000000233e5-9.dat	xmrig
behavioral2/memory/1472-7-0x00007FF695210000-0x00007FF695605000-memory.dmp	xmrig
behavioral2/files/0x00070000000233e6-8.dat	xmrig
behavioral2/files/0x00070000000233e8-21.dat	xmrig
behavioral2/memory/228-20-0x00007FF602F70000-0x00007FF603365000-memory.dmp	xmrig
behavioral2/files/0x00070000000233e9-28.dat	xmrig
behavioral2/files/0x00080000000233e2-30.dat	xmrig
behavioral2/files/0x00070000000233ea-36.dat	xmrig
behavioral2/files/0x00070000000233eb-39.dat	xmrig
behavioral2/files/0x00070000000233ed-50.dat	xmrig
behavioral2/files/0x00070000000233ee-54.dat	xmrig
behavioral2/memory/1168-61-0x00007FF70D0E0000-0x00007FF70D4D5000-memory.dmp	xmrig
behavioral2/memory/1920-67-0x00007FF71D4D0000-0x00007FF71D8C5000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f1-83.dat	xmrig
behavioral2/files/0x00070000000233f2-90.dat	xmrig
behavioral2/files/0x00070000000233f4-103.dat	xmrig
behavioral2/memory/1352-112-0x00007FF72FBA0000-0x00007FF72FF95000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f8-128.dat	xmrig
behavioral2/files/0x00070000000233f9-135.dat	xmrig
behavioral2/files/0x00070000000233fc-145.dat	xmrig
behavioral2/files/0x00070000000233fe-160.dat	xmrig
behavioral2/files/0x0007000000023403-181.dat	xmrig
behavioral2/files/0x0007000000023404-186.dat	xmrig
behavioral2/files/0x0007000000023402-183.dat	xmrig
behavioral2/files/0x0007000000023401-178.dat	xmrig
behavioral2/files/0x0007000000023400-173.dat	xmrig
behavioral2/files/0x00070000000233ff-168.dat	xmrig
behavioral2/files/0x00070000000233fd-155.dat	xmrig
behavioral2/memory/2980-150-0x00007FF639060000-0x00007FF639455000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fb-147.dat	xmrig
behavioral2/memory/1320-144-0x00007FF79A3C0000-0x00007FF79A7B5000-memory.dmp	xmrig
behavioral2/files/0x00070000000233fa-141.dat	xmrig
behavioral2/memory/1744-140-0x00007FF744860000-0x00007FF744C55000-memory.dmp	xmrig
behavioral2/memory/920-134-0x00007FF64A350000-0x00007FF64A745000-memory.dmp	xmrig
behavioral2/memory/456-131-0x00007FF7A9760000-0x00007FF7A9B55000-memory.dmp	xmrig
behavioral2/memory/1292-125-0x00007FF799410000-0x00007FF799805000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f7-122.dat	xmrig
behavioral2/memory/1804-121-0x00007FF70A1D0000-0x00007FF70A5C5000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f6-116.dat	xmrig
behavioral2/memory/1648-115-0x00007FF631380000-0x00007FF631775000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f5-109.dat	xmrig
behavioral2/memory/4136-108-0x00007FF7BFE60000-0x00007FF7C0255000-memory.dmp	xmrig
behavioral2/memory/2128-102-0x00007FF7C9A80000-0x00007FF7C9E75000-memory.dmp	xmrig
behavioral2/memory/2020-99-0x00007FF7FB020000-0x00007FF7FB415000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f3-96.dat	xmrig
behavioral2/memory/3868-95-0x00007FF66BDF0000-0x00007FF66C1E5000-memory.dmp	xmrig
behavioral2/memory/3468-89-0x00007FF62BE20000-0x00007FF62C215000-memory.dmp	xmrig
behavioral2/memory/3160-86-0x00007FF78CE40000-0x00007FF78D235000-memory.dmp	xmrig
behavioral2/memory/3572-82-0x00007FF701DC0000-0x00007FF7021B5000-memory.dmp	xmrig
behavioral2/files/0x00070000000233f0-77.dat	xmrig
behavioral2/memory/2728-76-0x00007FF660140000-0x00007FF660535000-memory.dmp	xmrig
behavioral2/memory/4108-73-0x00007FF798210000-0x00007FF798605000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ef-70.dat	xmrig
behavioral2/memory/2796-69-0x00007FF7A3800000-0x00007FF7A3BF5000-memory.dmp	xmrig
behavioral2/memory/852-63-0x00007FF763220000-0x00007FF763615000-memory.dmp	xmrig
behavioral2/files/0x00070000000233ec-48.dat	xmrig
behavioral2/memory/5072-1914-0x00007FF6FE910000-0x00007FF6FED05000-memory.dmp	xmrig
behavioral2/memory/1472-1924-0x00007FF695210000-0x00007FF695605000-memory.dmp	xmrig
behavioral2/memory/228-1925-0x00007FF602F70000-0x00007FF603365000-memory.dmp	xmrig
behavioral2/memory/3468-1926-0x00007FF62BE20000-0x00007FF62C215000-memory.dmp	xmrig
behavioral2/memory/1168-1927-0x00007FF70D0E0000-0x00007FF70D4D5000-memory.dmp	xmrig
behavioral2/memory/3868-1928-0x00007FF66BDF0000-0x00007FF66C1E5000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1472	zhOQqYl.exe
228	SjPYCJX.exe
3468	afswMxm.exe
1168	GNSIoxf.exe
3868	itzQFxL.exe
852	lXojQiM.exe
1920	fFNFOLq.exe
2796	qLmBGfe.exe
4108	ZsFXICg.exe
2728	HdfJafZ.exe
3572	Zsryhnq.exe
3160	RqYYqNM.exe
2020	MNcHEJm.exe
2128	razYipv.exe
4136	ItySQTL.exe
1352	LLvjGtc.exe
1648	iFepuSK.exe
1804	cEbAZoW.exe
1292	uivapAL.exe
456	HoTqZzZ.exe
920	AhWGIYQ.exe
1744	AgbOzLL.exe
1320	fNxDzZa.exe
2980	jVneEVJ.exe
1420	IJTHmMV.exe
1456	SpbxNrX.exe
2744	aDnZdBt.exe
4636	gIHuVjg.exe
2292	WZUlgKv.exe
3156	bGpPSJd.exe
3204	yBkDtXM.exe
652	NQxAlEJ.exe
1988	bzRdSil.exe
2880	VvhvXTj.exe
4972	LnfOoYo.exe
3732	pcrJgTY.exe
2820	kRLTUyD.exe
1672	dpUlspc.exe
1344	ukLXdOs.exe
2116	nmFnoQN.exe
2524	DgdkOJd.exe
1172	ipVrJMX.exe
4868	hgWgxfP.exe
2892	IjFsRnF.exe
4960	tbRYMdL.exe
1992	DComYpJ.exe
740	npadytk.exe
4852	rqHeQQK.exe
4948	dbbKjol.exe
2044	LYAdBpY.exe
4440	pkRXqeM.exe
3820	GkevnfB.exe
2052	phOjAKP.exe
5012	oZAvsPR.exe
4808	UYupCdZ.exe
1032	ZcEfNIC.exe
3708	VLpSpuI.exe
1112	zpIffwg.exe
1788	QaIANpI.exe
1900	znWpJMi.exe
1888	dIKRXED.exe
1088	gWXAUef.exe
4976	DsBOIaK.exe
3864	UwpaNBr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5072-0-0x00007FF6FE910000-0x00007FF6FED05000-memory.dmp	upx
behavioral2/files/0x00080000000233e1-5.dat	upx
behavioral2/files/0x00070000000233e5-9.dat	upx
behavioral2/memory/1472-7-0x00007FF695210000-0x00007FF695605000-memory.dmp	upx
behavioral2/files/0x00070000000233e6-8.dat	upx
behavioral2/files/0x00070000000233e8-21.dat	upx
behavioral2/memory/228-20-0x00007FF602F70000-0x00007FF603365000-memory.dmp	upx
behavioral2/files/0x00070000000233e9-28.dat	upx
behavioral2/files/0x00080000000233e2-30.dat	upx
behavioral2/files/0x00070000000233ea-36.dat	upx
behavioral2/files/0x00070000000233eb-39.dat	upx
behavioral2/files/0x00070000000233ed-50.dat	upx
behavioral2/files/0x00070000000233ee-54.dat	upx
behavioral2/memory/1168-61-0x00007FF70D0E0000-0x00007FF70D4D5000-memory.dmp	upx
behavioral2/memory/1920-67-0x00007FF71D4D0000-0x00007FF71D8C5000-memory.dmp	upx
behavioral2/files/0x00070000000233f1-83.dat	upx
behavioral2/files/0x00070000000233f2-90.dat	upx
behavioral2/files/0x00070000000233f4-103.dat	upx
behavioral2/memory/1352-112-0x00007FF72FBA0000-0x00007FF72FF95000-memory.dmp	upx
behavioral2/files/0x00070000000233f8-128.dat	upx
behavioral2/files/0x00070000000233f9-135.dat	upx
behavioral2/files/0x00070000000233fc-145.dat	upx
behavioral2/files/0x00070000000233fe-160.dat	upx
behavioral2/files/0x0007000000023403-181.dat	upx
behavioral2/files/0x0007000000023404-186.dat	upx
behavioral2/files/0x0007000000023402-183.dat	upx
behavioral2/files/0x0007000000023401-178.dat	upx
behavioral2/files/0x0007000000023400-173.dat	upx
behavioral2/files/0x00070000000233ff-168.dat	upx
behavioral2/files/0x00070000000233fd-155.dat	upx
behavioral2/memory/2980-150-0x00007FF639060000-0x00007FF639455000-memory.dmp	upx
behavioral2/files/0x00070000000233fb-147.dat	upx
behavioral2/memory/1320-144-0x00007FF79A3C0000-0x00007FF79A7B5000-memory.dmp	upx
behavioral2/files/0x00070000000233fa-141.dat	upx
behavioral2/memory/1744-140-0x00007FF744860000-0x00007FF744C55000-memory.dmp	upx
behavioral2/memory/920-134-0x00007FF64A350000-0x00007FF64A745000-memory.dmp	upx
behavioral2/memory/456-131-0x00007FF7A9760000-0x00007FF7A9B55000-memory.dmp	upx
behavioral2/memory/1292-125-0x00007FF799410000-0x00007FF799805000-memory.dmp	upx
behavioral2/files/0x00070000000233f7-122.dat	upx
behavioral2/memory/1804-121-0x00007FF70A1D0000-0x00007FF70A5C5000-memory.dmp	upx
behavioral2/files/0x00070000000233f6-116.dat	upx
behavioral2/memory/1648-115-0x00007FF631380000-0x00007FF631775000-memory.dmp	upx
behavioral2/files/0x00070000000233f5-109.dat	upx
behavioral2/memory/4136-108-0x00007FF7BFE60000-0x00007FF7C0255000-memory.dmp	upx
behavioral2/memory/2128-102-0x00007FF7C9A80000-0x00007FF7C9E75000-memory.dmp	upx
behavioral2/memory/2020-99-0x00007FF7FB020000-0x00007FF7FB415000-memory.dmp	upx
behavioral2/files/0x00070000000233f3-96.dat	upx
behavioral2/memory/3868-95-0x00007FF66BDF0000-0x00007FF66C1E5000-memory.dmp	upx
behavioral2/memory/3468-89-0x00007FF62BE20000-0x00007FF62C215000-memory.dmp	upx
behavioral2/memory/3160-86-0x00007FF78CE40000-0x00007FF78D235000-memory.dmp	upx
behavioral2/memory/3572-82-0x00007FF701DC0000-0x00007FF7021B5000-memory.dmp	upx
behavioral2/files/0x00070000000233f0-77.dat	upx
behavioral2/memory/2728-76-0x00007FF660140000-0x00007FF660535000-memory.dmp	upx
behavioral2/memory/4108-73-0x00007FF798210000-0x00007FF798605000-memory.dmp	upx
behavioral2/files/0x00070000000233ef-70.dat	upx
behavioral2/memory/2796-69-0x00007FF7A3800000-0x00007FF7A3BF5000-memory.dmp	upx
behavioral2/memory/852-63-0x00007FF763220000-0x00007FF763615000-memory.dmp	upx
behavioral2/files/0x00070000000233ec-48.dat	upx
behavioral2/memory/5072-1914-0x00007FF6FE910000-0x00007FF6FED05000-memory.dmp	upx
behavioral2/memory/1472-1924-0x00007FF695210000-0x00007FF695605000-memory.dmp	upx
behavioral2/memory/228-1925-0x00007FF602F70000-0x00007FF603365000-memory.dmp	upx
behavioral2/memory/3468-1926-0x00007FF62BE20000-0x00007FF62C215000-memory.dmp	upx
behavioral2/memory/1168-1927-0x00007FF70D0E0000-0x00007FF70D4D5000-memory.dmp	upx
behavioral2/memory/3868-1928-0x00007FF66BDF0000-0x00007FF66C1E5000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DComYpJ.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\YHjoZIL.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\saEXakf.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\RZEiDlX.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\IgUqIEU.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\YHiLyVC.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\DSAnDJC.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\GkevnfB.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\MFkhxNS.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\yDLUuRl.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\ktHHYvI.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\tmdviMl.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\oTMfjCP.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\vlncWVk.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\tPuoFYD.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\MVkwqGM.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\gCkxItL.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\FhkffVM.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\wFNbaZN.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\RNbkONw.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\OUCRCwz.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\JLcJzjS.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\KuvYalm.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\YEmFrkd.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\tAsuHQC.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\JgoVijM.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\StvYlAs.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\IZGUtjE.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\cUnEsCD.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\Zsryhnq.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\fgEgdmL.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\MtHiCmP.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\txragJc.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\LLvjGtc.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\PBkODPb.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\lgZVpfD.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\SAiTCwI.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\gWXAUef.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\YkWeIHy.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\Hrkosww.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\oMuDpdM.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\dVreJPu.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\KlfJLby.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\JnErynq.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\zxRaoaZ.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\otOohpm.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\afswMxm.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\razYipv.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\UYupCdZ.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\yWeTLfM.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\HrJBezQ.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\xAixJRO.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\GroAkHV.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\kxoFMTT.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\wsksJoX.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\twlSWcV.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\Buadenu.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\ytXGyBk.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\IOqeFCO.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\xjuHvlT.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\CpBedqL.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\GofObHV.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\Camtoku.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
File created	C:\Windows\System32\sVoOKhc.exe	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
13180	WerFaultSecure.exe
13180	WerFaultSecure.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1472	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	85
PID 5072 wrote to memory of 1472	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	85
PID 5072 wrote to memory of 228	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	86
PID 5072 wrote to memory of 228	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	86
PID 5072 wrote to memory of 3468	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	87
PID 5072 wrote to memory of 3468	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	87
PID 5072 wrote to memory of 1168	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	88
PID 5072 wrote to memory of 1168	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	88
PID 5072 wrote to memory of 3868	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	89
PID 5072 wrote to memory of 3868	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	89
PID 5072 wrote to memory of 852	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	90
PID 5072 wrote to memory of 852	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	90
PID 5072 wrote to memory of 1920	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	91
PID 5072 wrote to memory of 1920	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	91
PID 5072 wrote to memory of 2796	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	92
PID 5072 wrote to memory of 2796	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	92
PID 5072 wrote to memory of 4108	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	93
PID 5072 wrote to memory of 4108	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	93
PID 5072 wrote to memory of 2728	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	94
PID 5072 wrote to memory of 2728	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	94
PID 5072 wrote to memory of 3572	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	95
PID 5072 wrote to memory of 3572	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	95
PID 5072 wrote to memory of 3160	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	96
PID 5072 wrote to memory of 3160	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	96
PID 5072 wrote to memory of 2020	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	97
PID 5072 wrote to memory of 2020	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	97
PID 5072 wrote to memory of 2128	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	98
PID 5072 wrote to memory of 2128	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	98
PID 5072 wrote to memory of 4136	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	99
PID 5072 wrote to memory of 4136	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	99
PID 5072 wrote to memory of 1352	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	100
PID 5072 wrote to memory of 1352	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	100
PID 5072 wrote to memory of 1648	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	101
PID 5072 wrote to memory of 1648	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	101
PID 5072 wrote to memory of 1804	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	102
PID 5072 wrote to memory of 1804	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	102
PID 5072 wrote to memory of 1292	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	103
PID 5072 wrote to memory of 1292	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	103
PID 5072 wrote to memory of 456	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	104
PID 5072 wrote to memory of 456	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	104
PID 5072 wrote to memory of 920	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	105
PID 5072 wrote to memory of 920	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	105
PID 5072 wrote to memory of 1744	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	106
PID 5072 wrote to memory of 1744	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	106
PID 5072 wrote to memory of 1320	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	107
PID 5072 wrote to memory of 1320	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	107
PID 5072 wrote to memory of 2980	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	108
PID 5072 wrote to memory of 2980	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	108
PID 5072 wrote to memory of 1420	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	109
PID 5072 wrote to memory of 1420	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	109
PID 5072 wrote to memory of 1456	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	110
PID 5072 wrote to memory of 1456	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	110
PID 5072 wrote to memory of 2744	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	111
PID 5072 wrote to memory of 2744	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	111
PID 5072 wrote to memory of 4636	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	112
PID 5072 wrote to memory of 4636	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	112
PID 5072 wrote to memory of 2292	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	113
PID 5072 wrote to memory of 2292	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	113
PID 5072 wrote to memory of 3156	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	114
PID 5072 wrote to memory of 3156	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	114
PID 5072 wrote to memory of 3204	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	115
PID 5072 wrote to memory of 3204	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	115
PID 5072 wrote to memory of 652	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	116
PID 5072 wrote to memory of 652	5072	8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe	116

C:\Users\Admin\AppData\Local\Temp\8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8921e5cf8a1621a783e03cb5b2f9ab50_NeikiAnalytics.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\System32\zhOQqYl.exe
  C:\Windows\System32\zhOQqYl.exe
  2⤵
  - Executes dropped EXE
  PID:1472
- C:\Windows\System32\SjPYCJX.exe
  C:\Windows\System32\SjPYCJX.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System32\afswMxm.exe
  C:\Windows\System32\afswMxm.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System32\GNSIoxf.exe
  C:\Windows\System32\GNSIoxf.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System32\itzQFxL.exe
  C:\Windows\System32\itzQFxL.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System32\lXojQiM.exe
  C:\Windows\System32\lXojQiM.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System32\fFNFOLq.exe
  C:\Windows\System32\fFNFOLq.exe
  2⤵
  - Executes dropped EXE
  PID:1920
- C:\Windows\System32\qLmBGfe.exe
  C:\Windows\System32\qLmBGfe.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System32\ZsFXICg.exe
  C:\Windows\System32\ZsFXICg.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System32\HdfJafZ.exe
  C:\Windows\System32\HdfJafZ.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System32\Zsryhnq.exe
  C:\Windows\System32\Zsryhnq.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\RqYYqNM.exe
  C:\Windows\System32\RqYYqNM.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System32\MNcHEJm.exe
  C:\Windows\System32\MNcHEJm.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System32\razYipv.exe
  C:\Windows\System32\razYipv.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System32\ItySQTL.exe
  C:\Windows\System32\ItySQTL.exe
  2⤵
  - Executes dropped EXE
  PID:4136
- C:\Windows\System32\LLvjGtc.exe
  C:\Windows\System32\LLvjGtc.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System32\iFepuSK.exe
  C:\Windows\System32\iFepuSK.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System32\cEbAZoW.exe
  C:\Windows\System32\cEbAZoW.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System32\uivapAL.exe
  C:\Windows\System32\uivapAL.exe
  2⤵
  - Executes dropped EXE
  PID:1292
- C:\Windows\System32\HoTqZzZ.exe
  C:\Windows\System32\HoTqZzZ.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System32\AhWGIYQ.exe
  C:\Windows\System32\AhWGIYQ.exe
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\System32\AgbOzLL.exe
  C:\Windows\System32\AgbOzLL.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System32\fNxDzZa.exe
  C:\Windows\System32\fNxDzZa.exe
  2⤵
  - Executes dropped EXE
  PID:1320
- C:\Windows\System32\jVneEVJ.exe
  C:\Windows\System32\jVneEVJ.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System32\IJTHmMV.exe
  C:\Windows\System32\IJTHmMV.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System32\SpbxNrX.exe
  C:\Windows\System32\SpbxNrX.exe
  2⤵
  - Executes dropped EXE
  PID:1456
- C:\Windows\System32\aDnZdBt.exe
  C:\Windows\System32\aDnZdBt.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System32\gIHuVjg.exe
  C:\Windows\System32\gIHuVjg.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System32\WZUlgKv.exe
  C:\Windows\System32\WZUlgKv.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System32\bGpPSJd.exe
  C:\Windows\System32\bGpPSJd.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System32\yBkDtXM.exe
  C:\Windows\System32\yBkDtXM.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System32\NQxAlEJ.exe
  C:\Windows\System32\NQxAlEJ.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System32\bzRdSil.exe
  C:\Windows\System32\bzRdSil.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System32\VvhvXTj.exe
  C:\Windows\System32\VvhvXTj.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System32\LnfOoYo.exe
  C:\Windows\System32\LnfOoYo.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System32\pcrJgTY.exe
  C:\Windows\System32\pcrJgTY.exe
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Windows\System32\kRLTUyD.exe
  C:\Windows\System32\kRLTUyD.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System32\dpUlspc.exe
  C:\Windows\System32\dpUlspc.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System32\ukLXdOs.exe
  C:\Windows\System32\ukLXdOs.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System32\nmFnoQN.exe
  C:\Windows\System32\nmFnoQN.exe
  2⤵
  - Executes dropped EXE
  PID:2116
- C:\Windows\System32\DgdkOJd.exe
  C:\Windows\System32\DgdkOJd.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System32\ipVrJMX.exe
  C:\Windows\System32\ipVrJMX.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System32\hgWgxfP.exe
  C:\Windows\System32\hgWgxfP.exe
  2⤵
  - Executes dropped EXE
  PID:4868
- C:\Windows\System32\IjFsRnF.exe
  C:\Windows\System32\IjFsRnF.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\tbRYMdL.exe
  C:\Windows\System32\tbRYMdL.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Windows\System32\DComYpJ.exe
  C:\Windows\System32\DComYpJ.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System32\npadytk.exe
  C:\Windows\System32\npadytk.exe
  2⤵
  - Executes dropped EXE
  PID:740
- C:\Windows\System32\rqHeQQK.exe
  C:\Windows\System32\rqHeQQK.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System32\dbbKjol.exe
  C:\Windows\System32\dbbKjol.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System32\LYAdBpY.exe
  C:\Windows\System32\LYAdBpY.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System32\pkRXqeM.exe
  C:\Windows\System32\pkRXqeM.exe
  2⤵
  - Executes dropped EXE
  PID:4440
- C:\Windows\System32\GkevnfB.exe
  C:\Windows\System32\GkevnfB.exe
  2⤵
  - Executes dropped EXE
  PID:3820
- C:\Windows\System32\phOjAKP.exe
  C:\Windows\System32\phOjAKP.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System32\oZAvsPR.exe
  C:\Windows\System32\oZAvsPR.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System32\UYupCdZ.exe
  C:\Windows\System32\UYupCdZ.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System32\ZcEfNIC.exe
  C:\Windows\System32\ZcEfNIC.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System32\VLpSpuI.exe
  C:\Windows\System32\VLpSpuI.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System32\zpIffwg.exe
  C:\Windows\System32\zpIffwg.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System32\QaIANpI.exe
  C:\Windows\System32\QaIANpI.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System32\znWpJMi.exe
  C:\Windows\System32\znWpJMi.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System32\dIKRXED.exe
  C:\Windows\System32\dIKRXED.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System32\gWXAUef.exe
  C:\Windows\System32\gWXAUef.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System32\DsBOIaK.exe
  C:\Windows\System32\DsBOIaK.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System32\UwpaNBr.exe
  C:\Windows\System32\UwpaNBr.exe
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Windows\System32\CpBedqL.exe
  C:\Windows\System32\CpBedqL.exe
  2⤵
  PID:3944
- C:\Windows\System32\DNoEbbT.exe
  C:\Windows\System32\DNoEbbT.exe
  2⤵
  PID:2456
- C:\Windows\System32\kifWYUT.exe
  C:\Windows\System32\kifWYUT.exe
  2⤵
  PID:1312
- C:\Windows\System32\zQAlDXJ.exe
  C:\Windows\System32\zQAlDXJ.exe
  2⤵
  PID:4836
- C:\Windows\System32\gfjPOTG.exe
  C:\Windows\System32\gfjPOTG.exe
  2⤵
  PID:1620
- C:\Windows\System32\JHwbcyQ.exe
  C:\Windows\System32\JHwbcyQ.exe
  2⤵
  PID:2932
- C:\Windows\System32\XyzQqPB.exe
  C:\Windows\System32\XyzQqPB.exe
  2⤵
  PID:4056
- C:\Windows\System32\htTTDtv.exe
  C:\Windows\System32\htTTDtv.exe
  2⤵
  PID:4528
- C:\Windows\System32\ZWeePPL.exe
  C:\Windows\System32\ZWeePPL.exe
  2⤵
  PID:1972
- C:\Windows\System32\CmRYcjv.exe
  C:\Windows\System32\CmRYcjv.exe
  2⤵
  PID:5008
- C:\Windows\System32\DCsjkar.exe
  C:\Windows\System32\DCsjkar.exe
  2⤵
  PID:1104
- C:\Windows\System32\pvBQSCJ.exe
  C:\Windows\System32\pvBQSCJ.exe
  2⤵
  PID:1536
- C:\Windows\System32\xNzAriS.exe
  C:\Windows\System32\xNzAriS.exe
  2⤵
  PID:4304
- C:\Windows\System32\zSSFvUM.exe
  C:\Windows\System32\zSSFvUM.exe
  2⤵
  PID:3056
- C:\Windows\System32\qPnfukb.exe
  C:\Windows\System32\qPnfukb.exe
  2⤵
  PID:3264
- C:\Windows\System32\wNZeLtq.exe
  C:\Windows\System32\wNZeLtq.exe
  2⤵
  PID:1028
- C:\Windows\System32\Buadenu.exe
  C:\Windows\System32\Buadenu.exe
  2⤵
  PID:4668
- C:\Windows\System32\wtCjWlU.exe
  C:\Windows\System32\wtCjWlU.exe
  2⤵
  PID:4944
- C:\Windows\System32\CPtaMbE.exe
  C:\Windows\System32\CPtaMbE.exe
  2⤵
  PID:688
- C:\Windows\System32\aGoSyPz.exe
  C:\Windows\System32\aGoSyPz.exe
  2⤵
  PID:4400
- C:\Windows\System32\lBzAFOP.exe
  C:\Windows\System32\lBzAFOP.exe
  2⤵
  PID:540
- C:\Windows\System32\oYvEfnd.exe
  C:\Windows\System32\oYvEfnd.exe
  2⤵
  PID:5140
- C:\Windows\System32\wwFNhlJ.exe
  C:\Windows\System32\wwFNhlJ.exe
  2⤵
  PID:5172
- C:\Windows\System32\TqlPdck.exe
  C:\Windows\System32\TqlPdck.exe
  2⤵
  PID:5196
- C:\Windows\System32\oleQmtH.exe
  C:\Windows\System32\oleQmtH.exe
  2⤵
  PID:5228
- C:\Windows\System32\WTIgEOk.exe
  C:\Windows\System32\WTIgEOk.exe
  2⤵
  PID:5256
- C:\Windows\System32\VRHzdnI.exe
  C:\Windows\System32\VRHzdnI.exe
  2⤵
  PID:5284
- C:\Windows\System32\hmKtFRL.exe
  C:\Windows\System32\hmKtFRL.exe
  2⤵
  PID:5312
- C:\Windows\System32\UgnOMhV.exe
  C:\Windows\System32\UgnOMhV.exe
  2⤵
  PID:5340
- C:\Windows\System32\Hhnthto.exe
  C:\Windows\System32\Hhnthto.exe
  2⤵
  PID:5368
- C:\Windows\System32\McRmuoZ.exe
  C:\Windows\System32\McRmuoZ.exe
  2⤵
  PID:5396
- C:\Windows\System32\ytXGyBk.exe
  C:\Windows\System32\ytXGyBk.exe
  2⤵
  PID:5424
- C:\Windows\System32\vPRgYMA.exe
  C:\Windows\System32\vPRgYMA.exe
  2⤵
  PID:5452
- C:\Windows\System32\wRgnOBZ.exe
  C:\Windows\System32\wRgnOBZ.exe
  2⤵
  PID:5480
- C:\Windows\System32\sbGxAtL.exe
  C:\Windows\System32\sbGxAtL.exe
  2⤵
  PID:5508
- C:\Windows\System32\orZCBSz.exe
  C:\Windows\System32\orZCBSz.exe
  2⤵
  PID:5536
- C:\Windows\System32\yWnGuXo.exe
  C:\Windows\System32\yWnGuXo.exe
  2⤵
  PID:5564
- C:\Windows\System32\XUEWins.exe
  C:\Windows\System32\XUEWins.exe
  2⤵
  PID:5592
- C:\Windows\System32\xAixJRO.exe
  C:\Windows\System32\xAixJRO.exe
  2⤵
  PID:5616
- C:\Windows\System32\RwHKYcw.exe
  C:\Windows\System32\RwHKYcw.exe
  2⤵
  PID:5648
- C:\Windows\System32\GgrFwFz.exe
  C:\Windows\System32\GgrFwFz.exe
  2⤵
  PID:5676
- C:\Windows\System32\iRTNfgN.exe
  C:\Windows\System32\iRTNfgN.exe
  2⤵
  PID:5704
- C:\Windows\System32\cBuFySj.exe
  C:\Windows\System32\cBuFySj.exe
  2⤵
  PID:5732
- C:\Windows\System32\MVUUlYk.exe
  C:\Windows\System32\MVUUlYk.exe
  2⤵
  PID:5760
- C:\Windows\System32\dRBPaMh.exe
  C:\Windows\System32\dRBPaMh.exe
  2⤵
  PID:5788
- C:\Windows\System32\qEasWns.exe
  C:\Windows\System32\qEasWns.exe
  2⤵
  PID:5816
- C:\Windows\System32\KvjcOrY.exe
  C:\Windows\System32\KvjcOrY.exe
  2⤵
  PID:5844
- C:\Windows\System32\JgoVijM.exe
  C:\Windows\System32\JgoVijM.exe
  2⤵
  PID:5868
- C:\Windows\System32\FXvmlix.exe
  C:\Windows\System32\FXvmlix.exe
  2⤵
  PID:5900
- C:\Windows\System32\jWPVJQI.exe
  C:\Windows\System32\jWPVJQI.exe
  2⤵
  PID:5928
- C:\Windows\System32\fKPlAcn.exe
  C:\Windows\System32\fKPlAcn.exe
  2⤵
  PID:5956
- C:\Windows\System32\vyzYCoL.exe
  C:\Windows\System32\vyzYCoL.exe
  2⤵
  PID:5984
- C:\Windows\System32\axOEStK.exe
  C:\Windows\System32\axOEStK.exe
  2⤵
  PID:6012
- C:\Windows\System32\JKBOSAj.exe
  C:\Windows\System32\JKBOSAj.exe
  2⤵
  PID:6040
- C:\Windows\System32\LesWvkW.exe
  C:\Windows\System32\LesWvkW.exe
  2⤵
  PID:6080
- C:\Windows\System32\XazuJVz.exe
  C:\Windows\System32\XazuJVz.exe
  2⤵
  PID:6096
- C:\Windows\System32\BxxKhOJ.exe
  C:\Windows\System32\BxxKhOJ.exe
  2⤵
  PID:6124
- C:\Windows\System32\cqwbkft.exe
  C:\Windows\System32\cqwbkft.exe
  2⤵
  PID:4760
- C:\Windows\System32\rcntfDz.exe
  C:\Windows\System32\rcntfDz.exe
  2⤵
  PID:3488
- C:\Windows\System32\vDunKVs.exe
  C:\Windows\System32\vDunKVs.exe
  2⤵
  PID:3688
- C:\Windows\System32\AlrQidb.exe
  C:\Windows\System32\AlrQidb.exe
  2⤵
  PID:3384
- C:\Windows\System32\cfStnNA.exe
  C:\Windows\System32\cfStnNA.exe
  2⤵
  PID:2604
- C:\Windows\System32\ObCGMAD.exe
  C:\Windows\System32\ObCGMAD.exe
  2⤵
  PID:5128
- C:\Windows\System32\moJjXBu.exe
  C:\Windows\System32\moJjXBu.exe
  2⤵
  PID:5184
- C:\Windows\System32\MFkhxNS.exe
  C:\Windows\System32\MFkhxNS.exe
  2⤵
  PID:5264
- C:\Windows\System32\UEXShLY.exe
  C:\Windows\System32\UEXShLY.exe
  2⤵
  PID:5352
- C:\Windows\System32\yWeTLfM.exe
  C:\Windows\System32\yWeTLfM.exe
  2⤵
  PID:5376
- C:\Windows\System32\EGCnbwg.exe
  C:\Windows\System32\EGCnbwg.exe
  2⤵
  PID:5460
- C:\Windows\System32\CPxSlYX.exe
  C:\Windows\System32\CPxSlYX.exe
  2⤵
  PID:5516
- C:\Windows\System32\vqbNcZJ.exe
  C:\Windows\System32\vqbNcZJ.exe
  2⤵
  PID:5572
- C:\Windows\System32\VokZrJP.exe
  C:\Windows\System32\VokZrJP.exe
  2⤵
  PID:5656
- C:\Windows\System32\hJJLiiU.exe
  C:\Windows\System32\hJJLiiU.exe
  2⤵
  PID:5716
- C:\Windows\System32\jIyWWOI.exe
  C:\Windows\System32\jIyWWOI.exe
  2⤵
  PID:5768
- C:\Windows\System32\yximIvh.exe
  C:\Windows\System32\yximIvh.exe
  2⤵
  PID:5836
- C:\Windows\System32\WGzAmuS.exe
  C:\Windows\System32\WGzAmuS.exe
  2⤵
  PID:5892
- C:\Windows\System32\YfGyqeH.exe
  C:\Windows\System32\YfGyqeH.exe
  2⤵
  PID:5976
- C:\Windows\System32\TnzYEiq.exe
  C:\Windows\System32\TnzYEiq.exe
  2⤵
  PID:6032
- C:\Windows\System32\VTSKVNW.exe
  C:\Windows\System32\VTSKVNW.exe
  2⤵
  PID:6108
- C:\Windows\System32\PBkODPb.exe
  C:\Windows\System32\PBkODPb.exe
  2⤵
  PID:3764
- C:\Windows\System32\iWoLbUQ.exe
  C:\Windows\System32\iWoLbUQ.exe
  2⤵
  PID:5112
- C:\Windows\System32\qnWKKWH.exe
  C:\Windows\System32\qnWKKWH.exe
  2⤵
  PID:1096
- C:\Windows\System32\qUbNSea.exe
  C:\Windows\System32\qUbNSea.exe
  2⤵
  PID:5220
- C:\Windows\System32\GNchCDQ.exe
  C:\Windows\System32\GNchCDQ.exe
  2⤵
  PID:5408
- C:\Windows\System32\IDZoINN.exe
  C:\Windows\System32\IDZoINN.exe
  2⤵
  PID:5556
- C:\Windows\System32\XIaxsNm.exe
  C:\Windows\System32\XIaxsNm.exe
  2⤵
  PID:5696
- C:\Windows\System32\XZAHvhA.exe
  C:\Windows\System32\XZAHvhA.exe
  2⤵
  PID:5856
- C:\Windows\System32\zYUcnDc.exe
  C:\Windows\System32\zYUcnDc.exe
  2⤵
  PID:6152
- C:\Windows\System32\zNVMVYb.exe
  C:\Windows\System32\zNVMVYb.exe
  2⤵
  PID:6180
- C:\Windows\System32\TdQCWBS.exe
  C:\Windows\System32\TdQCWBS.exe
  2⤵
  PID:6208
- C:\Windows\System32\kynHipZ.exe
  C:\Windows\System32\kynHipZ.exe
  2⤵
  PID:6232
- C:\Windows\System32\ZioMFOr.exe
  C:\Windows\System32\ZioMFOr.exe
  2⤵
  PID:6264
- C:\Windows\System32\IRUhKZT.exe
  C:\Windows\System32\IRUhKZT.exe
  2⤵
  PID:6292
- C:\Windows\System32\KOlqSYn.exe
  C:\Windows\System32\KOlqSYn.exe
  2⤵
  PID:6320
- C:\Windows\System32\OwIEcqs.exe
  C:\Windows\System32\OwIEcqs.exe
  2⤵
  PID:6348
- C:\Windows\System32\IPLWIuf.exe
  C:\Windows\System32\IPLWIuf.exe
  2⤵
  PID:6376
- C:\Windows\System32\PYbKaOf.exe
  C:\Windows\System32\PYbKaOf.exe
  2⤵
  PID:6404
- C:\Windows\System32\yDLUuRl.exe
  C:\Windows\System32\yDLUuRl.exe
  2⤵
  PID:6432
- C:\Windows\System32\rKAHQOf.exe
  C:\Windows\System32\rKAHQOf.exe
  2⤵
  PID:6460
- C:\Windows\System32\IRXcWWm.exe
  C:\Windows\System32\IRXcWWm.exe
  2⤵
  PID:6488
- C:\Windows\System32\ShyALMv.exe
  C:\Windows\System32\ShyALMv.exe
  2⤵
  PID:6516
- C:\Windows\System32\lijUvtC.exe
  C:\Windows\System32\lijUvtC.exe
  2⤵
  PID:6544
- C:\Windows\System32\zAXUVOX.exe
  C:\Windows\System32\zAXUVOX.exe
  2⤵
  PID:6572
- C:\Windows\System32\nnKEOOO.exe
  C:\Windows\System32\nnKEOOO.exe
  2⤵
  PID:6612
- C:\Windows\System32\bluJCHr.exe
  C:\Windows\System32\bluJCHr.exe
  2⤵
  PID:6628
- C:\Windows\System32\cMVQsHP.exe
  C:\Windows\System32\cMVQsHP.exe
  2⤵
  PID:6660
- C:\Windows\System32\HHOaAwf.exe
  C:\Windows\System32\HHOaAwf.exe
  2⤵
  PID:6684
- C:\Windows\System32\DAXNteO.exe
  C:\Windows\System32\DAXNteO.exe
  2⤵
  PID:6708
- C:\Windows\System32\twjolee.exe
  C:\Windows\System32\twjolee.exe
  2⤵
  PID:6740
- C:\Windows\System32\pYxVCaf.exe
  C:\Windows\System32\pYxVCaf.exe
  2⤵
  PID:6768
- C:\Windows\System32\PnLslHJ.exe
  C:\Windows\System32\PnLslHJ.exe
  2⤵
  PID:6808
- C:\Windows\System32\dhPfevR.exe
  C:\Windows\System32\dhPfevR.exe
  2⤵
  PID:6824
- C:\Windows\System32\YkWeIHy.exe
  C:\Windows\System32\YkWeIHy.exe
  2⤵
  PID:6852
- C:\Windows\System32\fYXAcyj.exe
  C:\Windows\System32\fYXAcyj.exe
  2⤵
  PID:6880
- C:\Windows\System32\mOthsLs.exe
  C:\Windows\System32\mOthsLs.exe
  2⤵
  PID:6908
- C:\Windows\System32\yNvZdZF.exe
  C:\Windows\System32\yNvZdZF.exe
  2⤵
  PID:6936
- C:\Windows\System32\mrIymzG.exe
  C:\Windows\System32\mrIymzG.exe
  2⤵
  PID:6964
- C:\Windows\System32\MfXBnHU.exe
  C:\Windows\System32\MfXBnHU.exe
  2⤵
  PID:6992
- C:\Windows\System32\JqJlxTX.exe
  C:\Windows\System32\JqJlxTX.exe
  2⤵
  PID:7020
- C:\Windows\System32\KvdLiCw.exe
  C:\Windows\System32\KvdLiCw.exe
  2⤵
  PID:7048
- C:\Windows\System32\prTAFXM.exe
  C:\Windows\System32\prTAFXM.exe
  2⤵
  PID:7076
- C:\Windows\System32\fLBKGRT.exe
  C:\Windows\System32\fLBKGRT.exe
  2⤵
  PID:7104
- C:\Windows\System32\WwOxKCK.exe
  C:\Windows\System32\WwOxKCK.exe
  2⤵
  PID:7132
- C:\Windows\System32\wrjejKJ.exe
  C:\Windows\System32\wrjejKJ.exe
  2⤵
  PID:7160
- C:\Windows\System32\lHfxzRA.exe
  C:\Windows\System32\lHfxzRA.exe
  2⤵
  PID:6088
- C:\Windows\System32\VTxWTKG.exe
  C:\Windows\System32\VTxWTKG.exe
  2⤵
  PID:2792
- C:\Windows\System32\ezaHLBc.exe
  C:\Windows\System32\ezaHLBc.exe
  2⤵
  PID:5204
- C:\Windows\System32\kizzgou.exe
  C:\Windows\System32\kizzgou.exe
  2⤵
  PID:5612
- C:\Windows\System32\PGcfsqA.exe
  C:\Windows\System32\PGcfsqA.exe
  2⤵
  PID:5936
- C:\Windows\System32\QNvembj.exe
  C:\Windows\System32\QNvembj.exe
  2⤵
  PID:6192
- C:\Windows\System32\GWMrzWr.exe
  C:\Windows\System32\GWMrzWr.exe
  2⤵
  PID:6272
- C:\Windows\System32\yqkbhPY.exe
  C:\Windows\System32\yqkbhPY.exe
  2⤵
  PID:6340
- C:\Windows\System32\rRHePHt.exe
  C:\Windows\System32\rRHePHt.exe
  2⤵
  PID:6384
- C:\Windows\System32\qeNLrON.exe
  C:\Windows\System32\qeNLrON.exe
  2⤵
  PID:6480
- C:\Windows\System32\hiislyU.exe
  C:\Windows\System32\hiislyU.exe
  2⤵
  PID:6524
- C:\Windows\System32\aOReYch.exe
  C:\Windows\System32\aOReYch.exe
  2⤵
  PID:6552
- C:\Windows\System32\eeBnYsJ.exe
  C:\Windows\System32\eeBnYsJ.exe
  2⤵
  PID:6648
- C:\Windows\System32\QmunafD.exe
  C:\Windows\System32\QmunafD.exe
  2⤵
  PID:6704
- C:\Windows\System32\LaEzKXL.exe
  C:\Windows\System32\LaEzKXL.exe
  2⤵
  PID:6788
- C:\Windows\System32\mwTXuWa.exe
  C:\Windows\System32\mwTXuWa.exe
  2⤵
  PID:6832
- C:\Windows\System32\VDuFGYL.exe
  C:\Windows\System32\VDuFGYL.exe
  2⤵
  PID:6892
- C:\Windows\System32\GroAkHV.exe
  C:\Windows\System32\GroAkHV.exe
  2⤵
  PID:6956
- C:\Windows\System32\OkFEcAd.exe
  C:\Windows\System32\OkFEcAd.exe
  2⤵
  PID:7056
- C:\Windows\System32\vnUuaoW.exe
  C:\Windows\System32\vnUuaoW.exe
  2⤵
  PID:7088
- C:\Windows\System32\VNJYJAu.exe
  C:\Windows\System32\VNJYJAu.exe
  2⤵
  PID:7140
- C:\Windows\System32\eIKMPLV.exe
  C:\Windows\System32\eIKMPLV.exe
  2⤵
  PID:2296
- C:\Windows\System32\QxFOsbA.exe
  C:\Windows\System32\QxFOsbA.exe
  2⤵
  PID:5740
- C:\Windows\System32\USxvCeV.exe
  C:\Windows\System32\USxvCeV.exe
  2⤵
  PID:6248
- C:\Windows\System32\dxxKmKe.exe
  C:\Windows\System32\dxxKmKe.exe
  2⤵
  PID:6360
- C:\Windows\System32\yBahOYE.exe
  C:\Windows\System32\yBahOYE.exe
  2⤵
  PID:6500
- C:\Windows\System32\EVjHsVs.exe
  C:\Windows\System32\EVjHsVs.exe
  2⤵
  PID:6640
- C:\Windows\System32\osfwRsG.exe
  C:\Windows\System32\osfwRsG.exe
  2⤵
  PID:6800
- C:\Windows\System32\vfmPAfl.exe
  C:\Windows\System32\vfmPAfl.exe
  2⤵
  PID:6920
- C:\Windows\System32\MlWODbw.exe
  C:\Windows\System32\MlWODbw.exe
  2⤵
  PID:7196
- C:\Windows\System32\uEMNiwW.exe
  C:\Windows\System32\uEMNiwW.exe
  2⤵
  PID:7224
- C:\Windows\System32\usTAbgJ.exe
  C:\Windows\System32\usTAbgJ.exe
  2⤵
  PID:7252
- C:\Windows\System32\CvWvogO.exe
  C:\Windows\System32\CvWvogO.exe
  2⤵
  PID:7280
- C:\Windows\System32\RykOaDl.exe
  C:\Windows\System32\RykOaDl.exe
  2⤵
  PID:7308
- C:\Windows\System32\wKBFIGG.exe
  C:\Windows\System32\wKBFIGG.exe
  2⤵
  PID:7336
- C:\Windows\System32\nugDPni.exe
  C:\Windows\System32\nugDPni.exe
  2⤵
  PID:7364
- C:\Windows\System32\tuMKEPa.exe
  C:\Windows\System32\tuMKEPa.exe
  2⤵
  PID:7392
- C:\Windows\System32\cnOxCAv.exe
  C:\Windows\System32\cnOxCAv.exe
  2⤵
  PID:7420
- C:\Windows\System32\UcxGBfZ.exe
  C:\Windows\System32\UcxGBfZ.exe
  2⤵
  PID:7448
- C:\Windows\System32\GhpSXUU.exe
  C:\Windows\System32\GhpSXUU.exe
  2⤵
  PID:7476
- C:\Windows\System32\SwEcaYs.exe
  C:\Windows\System32\SwEcaYs.exe
  2⤵
  PID:7504
- C:\Windows\System32\lfGZTPv.exe
  C:\Windows\System32\lfGZTPv.exe
  2⤵
  PID:7532
- C:\Windows\System32\dTdEYAn.exe
  C:\Windows\System32\dTdEYAn.exe
  2⤵
  PID:7560
- C:\Windows\System32\bHgwYVE.exe
  C:\Windows\System32\bHgwYVE.exe
  2⤵
  PID:7588
- C:\Windows\System32\GofObHV.exe
  C:\Windows\System32\GofObHV.exe
  2⤵
  PID:7616
- C:\Windows\System32\ktHHYvI.exe
  C:\Windows\System32\ktHHYvI.exe
  2⤵
  PID:7644
- C:\Windows\System32\gobTcQd.exe
  C:\Windows\System32\gobTcQd.exe
  2⤵
  PID:7672
- C:\Windows\System32\HZXkypt.exe
  C:\Windows\System32\HZXkypt.exe
  2⤵
  PID:7700
- C:\Windows\System32\qmwiSbc.exe
  C:\Windows\System32\qmwiSbc.exe
  2⤵
  PID:7728
- C:\Windows\System32\epoGKaN.exe
  C:\Windows\System32\epoGKaN.exe
  2⤵
  PID:7756
- C:\Windows\System32\gCkxItL.exe
  C:\Windows\System32\gCkxItL.exe
  2⤵
  PID:7780
- C:\Windows\System32\NzzgbeU.exe
  C:\Windows\System32\NzzgbeU.exe
  2⤵
  PID:7812
- C:\Windows\System32\PmRjDrQ.exe
  C:\Windows\System32\PmRjDrQ.exe
  2⤵
  PID:7840
- C:\Windows\System32\JpKSkxu.exe
  C:\Windows\System32\JpKSkxu.exe
  2⤵
  PID:7868
- C:\Windows\System32\fgEgdmL.exe
  C:\Windows\System32\fgEgdmL.exe
  2⤵
  PID:7896
- C:\Windows\System32\GrlhlrL.exe
  C:\Windows\System32\GrlhlrL.exe
  2⤵
  PID:7924
- C:\Windows\System32\YVgcHhP.exe
  C:\Windows\System32\YVgcHhP.exe
  2⤵
  PID:7952
- C:\Windows\System32\bXqJGum.exe
  C:\Windows\System32\bXqJGum.exe
  2⤵
  PID:7980
- C:\Windows\System32\rDMGNQI.exe
  C:\Windows\System32\rDMGNQI.exe
  2⤵
  PID:8008
- C:\Windows\System32\aJmdVhg.exe
  C:\Windows\System32\aJmdVhg.exe
  2⤵
  PID:8036
- C:\Windows\System32\YxdhrFI.exe
  C:\Windows\System32\YxdhrFI.exe
  2⤵
  PID:8076
- C:\Windows\System32\YWdUbiL.exe
  C:\Windows\System32\YWdUbiL.exe
  2⤵
  PID:8092
- C:\Windows\System32\QdNecNW.exe
  C:\Windows\System32\QdNecNW.exe
  2⤵
  PID:8120
- C:\Windows\System32\RZEiDlX.exe
  C:\Windows\System32\RZEiDlX.exe
  2⤵
  PID:8148
- C:\Windows\System32\eUXJdud.exe
  C:\Windows\System32\eUXJdud.exe
  2⤵
  PID:8172
- C:\Windows\System32\awFLvbG.exe
  C:\Windows\System32\awFLvbG.exe
  2⤵
  PID:7032
- C:\Windows\System32\XAoaHoQ.exe
  C:\Windows\System32\XAoaHoQ.exe
  2⤵
  PID:5488
- C:\Windows\System32\RhQNtez.exe
  C:\Windows\System32\RhQNtez.exe
  2⤵
  PID:6160
- C:\Windows\System32\qvwfnvv.exe
  C:\Windows\System32\qvwfnvv.exe
  2⤵
  PID:6468
- C:\Windows\System32\TJJQADi.exe
  C:\Windows\System32\TJJQADi.exe
  2⤵
  PID:6724
- C:\Windows\System32\IZqYvtn.exe
  C:\Windows\System32\IZqYvtn.exe
  2⤵
  PID:7180
- C:\Windows\System32\NTbfVeo.exe
  C:\Windows\System32\NTbfVeo.exe
  2⤵
  PID:7232
- C:\Windows\System32\IgUqIEU.exe
  C:\Windows\System32\IgUqIEU.exe
  2⤵
  PID:7292
- C:\Windows\System32\qmCoEoC.exe
  C:\Windows\System32\qmCoEoC.exe
  2⤵
  PID:7356
- C:\Windows\System32\RZtoqlB.exe
  C:\Windows\System32\RZtoqlB.exe
  2⤵
  PID:7412
- C:\Windows\System32\SQKxiKS.exe
  C:\Windows\System32\SQKxiKS.exe
  2⤵
  PID:7488
- C:\Windows\System32\DuKKFGJ.exe
  C:\Windows\System32\DuKKFGJ.exe
  2⤵
  PID:7540
- C:\Windows\System32\LwlZabb.exe
  C:\Windows\System32\LwlZabb.exe
  2⤵
  PID:7596
- C:\Windows\System32\VtofrDg.exe
  C:\Windows\System32\VtofrDg.exe
  2⤵
  PID:7656
- C:\Windows\System32\awZeJFt.exe
  C:\Windows\System32\awZeJFt.exe
  2⤵
  PID:7708
- C:\Windows\System32\YEmFrkd.exe
  C:\Windows\System32\YEmFrkd.exe
  2⤵
  PID:7776
- C:\Windows\System32\eGELXhh.exe
  C:\Windows\System32\eGELXhh.exe
  2⤵
  PID:7848
- C:\Windows\System32\RVQLfKy.exe
  C:\Windows\System32\RVQLfKy.exe
  2⤵
  PID:7908
- C:\Windows\System32\VlgfhQC.exe
  C:\Windows\System32\VlgfhQC.exe
  2⤵
  PID:7960
- C:\Windows\System32\dGTcmwL.exe
  C:\Windows\System32\dGTcmwL.exe
  2⤵
  PID:8016
- C:\Windows\System32\ohhCdDl.exe
  C:\Windows\System32\ohhCdDl.exe
  2⤵
  PID:8084
- C:\Windows\System32\vwlGUQW.exe
  C:\Windows\System32\vwlGUQW.exe
  2⤵
  PID:8156
- C:\Windows\System32\mYkcNWE.exe
  C:\Windows\System32\mYkcNWE.exe
  2⤵
  PID:7124
- C:\Windows\System32\YHJZJAk.exe
  C:\Windows\System32\YHJZJAk.exe
  2⤵
  PID:6312
- C:\Windows\System32\xYngGzW.exe
  C:\Windows\System32\xYngGzW.exe
  2⤵
  PID:6844
- C:\Windows\System32\bCXMyce.exe
  C:\Windows\System32\bCXMyce.exe
  2⤵
  PID:7260
- C:\Windows\System32\cARtBKh.exe
  C:\Windows\System32\cARtBKh.exe
  2⤵
  PID:7384
- C:\Windows\System32\FSVKxHr.exe
  C:\Windows\System32\FSVKxHr.exe
  2⤵
  PID:7552
- C:\Windows\System32\dVreJPu.exe
  C:\Windows\System32\dVreJPu.exe
  2⤵
  PID:4480
- C:\Windows\System32\YYmFJzC.exe
  C:\Windows\System32\YYmFJzC.exe
  2⤵
  PID:7740
- C:\Windows\System32\XlTXTjv.exe
  C:\Windows\System32\XlTXTjv.exe
  2⤵
  PID:7876
- C:\Windows\System32\emEBScx.exe
  C:\Windows\System32\emEBScx.exe
  2⤵
  PID:8000
- C:\Windows\System32\xkZIZOq.exe
  C:\Windows\System32\xkZIZOq.exe
  2⤵
  PID:8104
- C:\Windows\System32\QVCrBcm.exe
  C:\Windows\System32\QVCrBcm.exe
  2⤵
  PID:1504
- C:\Windows\System32\ZZBaKqY.exe
  C:\Windows\System32\ZZBaKqY.exe
  2⤵
  PID:7208
- C:\Windows\System32\IRjVdMg.exe
  C:\Windows\System32\IRjVdMg.exe
  2⤵
  PID:7456
- C:\Windows\System32\EHgTpVm.exe
  C:\Windows\System32\EHgTpVm.exe
  2⤵
  PID:1668
- C:\Windows\System32\BxcgAoa.exe
  C:\Windows\System32\BxcgAoa.exe
  2⤵
  PID:8220
- C:\Windows\System32\IDJDTFt.exe
  C:\Windows\System32\IDJDTFt.exe
  2⤵
  PID:8260
- C:\Windows\System32\hzZFxWA.exe
  C:\Windows\System32\hzZFxWA.exe
  2⤵
  PID:8276
- C:\Windows\System32\pmiptZI.exe
  C:\Windows\System32\pmiptZI.exe
  2⤵
  PID:8304
- C:\Windows\System32\Hrkosww.exe
  C:\Windows\System32\Hrkosww.exe
  2⤵
  PID:8332
- C:\Windows\System32\ejTJzWf.exe
  C:\Windows\System32\ejTJzWf.exe
  2⤵
  PID:8360
- C:\Windows\System32\NhhLPvv.exe
  C:\Windows\System32\NhhLPvv.exe
  2⤵
  PID:8388
- C:\Windows\System32\WZsgVGj.exe
  C:\Windows\System32\WZsgVGj.exe
  2⤵
  PID:8428
- C:\Windows\System32\aCCrnci.exe
  C:\Windows\System32\aCCrnci.exe
  2⤵
  PID:8444
- C:\Windows\System32\bQDWPJY.exe
  C:\Windows\System32\bQDWPJY.exe
  2⤵
  PID:8484
- C:\Windows\System32\lBOYbed.exe
  C:\Windows\System32\lBOYbed.exe
  2⤵
  PID:8500
- C:\Windows\System32\QtMOXNi.exe
  C:\Windows\System32\QtMOXNi.exe
  2⤵
  PID:8528
- C:\Windows\System32\LlkHDWf.exe
  C:\Windows\System32\LlkHDWf.exe
  2⤵
  PID:8556
- C:\Windows\System32\tOblgaV.exe
  C:\Windows\System32\tOblgaV.exe
  2⤵
  PID:8584
- C:\Windows\System32\zyjiSUh.exe
  C:\Windows\System32\zyjiSUh.exe
  2⤵
  PID:8612
- C:\Windows\System32\AORJslP.exe
  C:\Windows\System32\AORJslP.exe
  2⤵
  PID:8640
- C:\Windows\System32\kBMWduH.exe
  C:\Windows\System32\kBMWduH.exe
  2⤵
  PID:8668
- C:\Windows\System32\iGIDDEJ.exe
  C:\Windows\System32\iGIDDEJ.exe
  2⤵
  PID:8696
- C:\Windows\System32\NDspcYm.exe
  C:\Windows\System32\NDspcYm.exe
  2⤵
  PID:8724
- C:\Windows\System32\zRGAUFk.exe
  C:\Windows\System32\zRGAUFk.exe
  2⤵
  PID:8752
- C:\Windows\System32\YHjoZIL.exe
  C:\Windows\System32\YHjoZIL.exe
  2⤵
  PID:8780
- C:\Windows\System32\qPmBdHy.exe
  C:\Windows\System32\qPmBdHy.exe
  2⤵
  PID:8808
- C:\Windows\System32\wStinrI.exe
  C:\Windows\System32\wStinrI.exe
  2⤵
  PID:8836
- C:\Windows\System32\LIIXpht.exe
  C:\Windows\System32\LIIXpht.exe
  2⤵
  PID:8864
- C:\Windows\System32\PciDMki.exe
  C:\Windows\System32\PciDMki.exe
  2⤵
  PID:8932
- C:\Windows\System32\yRMJNAB.exe
  C:\Windows\System32\yRMJNAB.exe
  2⤵
  PID:8968
- C:\Windows\System32\qVKusWj.exe
  C:\Windows\System32\qVKusWj.exe
  2⤵
  PID:8984
- C:\Windows\System32\kHWjZEt.exe
  C:\Windows\System32\kHWjZEt.exe
  2⤵
  PID:9020
- C:\Windows\System32\Wxrictj.exe
  C:\Windows\System32\Wxrictj.exe
  2⤵
  PID:9056
- C:\Windows\System32\UxtgueB.exe
  C:\Windows\System32\UxtgueB.exe
  2⤵
  PID:9084
- C:\Windows\System32\RtCRdNl.exe
  C:\Windows\System32\RtCRdNl.exe
  2⤵
  PID:9112
- C:\Windows\System32\odXmWFz.exe
  C:\Windows\System32\odXmWFz.exe
  2⤵
  PID:9140
- C:\Windows\System32\YHiLyVC.exe
  C:\Windows\System32\YHiLyVC.exe
  2⤵
  PID:9184
- C:\Windows\System32\KunVkWA.exe
  C:\Windows\System32\KunVkWA.exe
  2⤵
  PID:9200
- C:\Windows\System32\IWVgJTk.exe
  C:\Windows\System32\IWVgJTk.exe
  2⤵
  PID:3588
- C:\Windows\System32\zEtXoqO.exe
  C:\Windows\System32\zEtXoqO.exe
  2⤵
  PID:8068
- C:\Windows\System32\nxvxVGg.exe
  C:\Windows\System32\nxvxVGg.exe
  2⤵
  PID:4280
- C:\Windows\System32\gquJVfI.exe
  C:\Windows\System32\gquJVfI.exe
  2⤵
  PID:1540
- C:\Windows\System32\xVSUsIh.exe
  C:\Windows\System32\xVSUsIh.exe
  2⤵
  PID:8240
- C:\Windows\System32\VXAMzAF.exe
  C:\Windows\System32\VXAMzAF.exe
  2⤵
  PID:8316
- C:\Windows\System32\rGpaPbN.exe
  C:\Windows\System32\rGpaPbN.exe
  2⤵
  PID:8344
- C:\Windows\System32\mmhHfNU.exe
  C:\Windows\System32\mmhHfNU.exe
  2⤵
  PID:8372
- C:\Windows\System32\jJViRCI.exe
  C:\Windows\System32\jJViRCI.exe
  2⤵
  PID:3040
- C:\Windows\System32\GKtUomj.exe
  C:\Windows\System32\GKtUomj.exe
  2⤵
  PID:8476
- C:\Windows\System32\XWikLBl.exe
  C:\Windows\System32\XWikLBl.exe
  2⤵
  PID:8492
- C:\Windows\System32\pMzmwFT.exe
  C:\Windows\System32\pMzmwFT.exe
  2⤵
  PID:1908
- C:\Windows\System32\RNbkONw.exe
  C:\Windows\System32\RNbkONw.exe
  2⤵
  PID:8536
- C:\Windows\System32\tacvHYP.exe
  C:\Windows\System32\tacvHYP.exe
  2⤵
  PID:5088
- C:\Windows\System32\mWKWICT.exe
  C:\Windows\System32\mWKWICT.exe
  2⤵
  PID:8676
- C:\Windows\System32\EJgITSU.exe
  C:\Windows\System32\EJgITSU.exe
  2⤵
  PID:8708
- C:\Windows\System32\OxlaFtf.exe
  C:\Windows\System32\OxlaFtf.exe
  2⤵
  PID:8760
- C:\Windows\System32\FZfPCeI.exe
  C:\Windows\System32\FZfPCeI.exe
  2⤵
  PID:4876
- C:\Windows\System32\dvumQka.exe
  C:\Windows\System32\dvumQka.exe
  2⤵
  PID:3876
- C:\Windows\System32\rknHRvd.exe
  C:\Windows\System32\rknHRvd.exe
  2⤵
  PID:3712
- C:\Windows\System32\joycFLl.exe
  C:\Windows\System32\joycFLl.exe
  2⤵
  PID:4988
- C:\Windows\System32\DSAnDJC.exe
  C:\Windows\System32\DSAnDJC.exe
  2⤵
  PID:1728
- C:\Windows\System32\guudWei.exe
  C:\Windows\System32\guudWei.exe
  2⤵
  PID:8908
- C:\Windows\System32\dsJGSyZ.exe
  C:\Windows\System32\dsJGSyZ.exe
  2⤵
  PID:8996
- C:\Windows\System32\lgZVpfD.exe
  C:\Windows\System32\lgZVpfD.exe
  2⤵
  PID:9072
- C:\Windows\System32\VAHOPZO.exe
  C:\Windows\System32\VAHOPZO.exe
  2⤵
  PID:9124
- C:\Windows\System32\OUCRCwz.exe
  C:\Windows\System32\OUCRCwz.exe
  2⤵
  PID:9168
- C:\Windows\System32\BIFdKnv.exe
  C:\Windows\System32\BIFdKnv.exe
  2⤵
  PID:4356
- C:\Windows\System32\HXkfAdS.exe
  C:\Windows\System32\HXkfAdS.exe
  2⤵
  PID:692
- C:\Windows\System32\DrOOCAo.exe
  C:\Windows\System32\DrOOCAo.exe
  2⤵
  PID:2860
- C:\Windows\System32\ikpBOKP.exe
  C:\Windows\System32\ikpBOKP.exe
  2⤵
  PID:3052
- C:\Windows\System32\XTqnVXr.exe
  C:\Windows\System32\XTqnVXr.exe
  2⤵
  PID:8452
- C:\Windows\System32\amVzhOd.exe
  C:\Windows\System32\amVzhOd.exe
  2⤵
  PID:8548
- C:\Windows\System32\KMcIqjY.exe
  C:\Windows\System32\KMcIqjY.exe
  2⤵
  PID:8680
- C:\Windows\System32\vLeuQyX.exe
  C:\Windows\System32\vLeuQyX.exe
  2⤵
  PID:1956
- C:\Windows\System32\zHpcOdw.exe
  C:\Windows\System32\zHpcOdw.exe
  2⤵
  PID:2364
- C:\Windows\System32\ZcBOGPd.exe
  C:\Windows\System32\ZcBOGPd.exe
  2⤵
  PID:8956
- C:\Windows\System32\UKByuKQ.exe
  C:\Windows\System32\UKByuKQ.exe
  2⤵
  PID:9100
- C:\Windows\System32\syKVQsi.exe
  C:\Windows\System32\syKVQsi.exe
  2⤵
  PID:9172
- C:\Windows\System32\sRqzZRT.exe
  C:\Windows\System32\sRqzZRT.exe
  2⤵
  PID:2056
- C:\Windows\System32\CzHktsK.exe
  C:\Windows\System32\CzHktsK.exe
  2⤵
  PID:8520
- C:\Windows\System32\Camtoku.exe
  C:\Windows\System32\Camtoku.exe
  2⤵
  PID:1132
- C:\Windows\System32\IUAeIox.exe
  C:\Windows\System32\IUAeIox.exe
  2⤵
  PID:8976
- C:\Windows\System32\TMSkChI.exe
  C:\Windows\System32\TMSkChI.exe
  2⤵
  PID:2132
- C:\Windows\System32\vgexnoJ.exe
  C:\Windows\System32\vgexnoJ.exe
  2⤵
  PID:8736
- C:\Windows\System32\rsUegUq.exe
  C:\Windows\System32\rsUegUq.exe
  2⤵
  PID:9164
- C:\Windows\System32\CruvUxq.exe
  C:\Windows\System32\CruvUxq.exe
  2⤵
  PID:1996
- C:\Windows\System32\jsJVcGm.exe
  C:\Windows\System32\jsJVcGm.exe
  2⤵
  PID:9240
- C:\Windows\System32\MtHiCmP.exe
  C:\Windows\System32\MtHiCmP.exe
  2⤵
  PID:9272
- C:\Windows\System32\nxJekgd.exe
  C:\Windows\System32\nxJekgd.exe
  2⤵
  PID:9292
- C:\Windows\System32\XcyHhVk.exe
  C:\Windows\System32\XcyHhVk.exe
  2⤵
  PID:9328
- C:\Windows\System32\IOqeFCO.exe
  C:\Windows\System32\IOqeFCO.exe
  2⤵
  PID:9344
- C:\Windows\System32\IQTdSZb.exe
  C:\Windows\System32\IQTdSZb.exe
  2⤵
  PID:9360
- C:\Windows\System32\ZrHnHWM.exe
  C:\Windows\System32\ZrHnHWM.exe
  2⤵
  PID:9404
- C:\Windows\System32\uJNyDsl.exe
  C:\Windows\System32\uJNyDsl.exe
  2⤵
  PID:9428
- C:\Windows\System32\YToHRLn.exe
  C:\Windows\System32\YToHRLn.exe
  2⤵
  PID:9464
- C:\Windows\System32\gldEnkg.exe
  C:\Windows\System32\gldEnkg.exe
  2⤵
  PID:9484
- C:\Windows\System32\bQGCKVD.exe
  C:\Windows\System32\bQGCKVD.exe
  2⤵
  PID:9520
- C:\Windows\System32\MjNEhFf.exe
  C:\Windows\System32\MjNEhFf.exe
  2⤵
  PID:9540
- C:\Windows\System32\lchMwsl.exe
  C:\Windows\System32\lchMwsl.exe
  2⤵
  PID:9568
- C:\Windows\System32\IylPiKb.exe
  C:\Windows\System32\IylPiKb.exe
  2⤵
  PID:9608
- C:\Windows\System32\UtQatxB.exe
  C:\Windows\System32\UtQatxB.exe
  2⤵
  PID:9640
- C:\Windows\System32\YjYyToZ.exe
  C:\Windows\System32\YjYyToZ.exe
  2⤵
  PID:9664
- C:\Windows\System32\DfeXuVL.exe
  C:\Windows\System32\DfeXuVL.exe
  2⤵
  PID:9680
- C:\Windows\System32\TKJGnkC.exe
  C:\Windows\System32\TKJGnkC.exe
  2⤵
  PID:9704
- C:\Windows\System32\ApqGGUu.exe
  C:\Windows\System32\ApqGGUu.exe
  2⤵
  PID:9756
- C:\Windows\System32\FhkffVM.exe
  C:\Windows\System32\FhkffVM.exe
  2⤵
  PID:9776
- C:\Windows\System32\pUeSRdI.exe
  C:\Windows\System32\pUeSRdI.exe
  2⤵
  PID:9792
- C:\Windows\System32\fViFGSE.exe
  C:\Windows\System32\fViFGSE.exe
  2⤵
  PID:9820
- C:\Windows\System32\StvYlAs.exe
  C:\Windows\System32\StvYlAs.exe
  2⤵
  PID:9856
- C:\Windows\System32\pqAkdMF.exe
  C:\Windows\System32\pqAkdMF.exe
  2⤵
  PID:9880
- C:\Windows\System32\ImyIrJS.exe
  C:\Windows\System32\ImyIrJS.exe
  2⤵
  PID:9900
- C:\Windows\System32\fFUtMKx.exe
  C:\Windows\System32\fFUtMKx.exe
  2⤵
  PID:9948
- C:\Windows\System32\KlfJLby.exe
  C:\Windows\System32\KlfJLby.exe
  2⤵
  PID:9976
- C:\Windows\System32\MvkBUrG.exe
  C:\Windows\System32\MvkBUrG.exe
  2⤵
  PID:9992
- C:\Windows\System32\lGitVFr.exe
  C:\Windows\System32\lGitVFr.exe
  2⤵
  PID:10008
- C:\Windows\System32\muNqpRh.exe
  C:\Windows\System32\muNqpRh.exe
  2⤵
  PID:10024
- C:\Windows\System32\pHKAigf.exe
  C:\Windows\System32\pHKAigf.exe
  2⤵
  PID:10052
- C:\Windows\System32\yNJAOTb.exe
  C:\Windows\System32\yNJAOTb.exe
  2⤵
  PID:10084
- C:\Windows\System32\DIZLDNv.exe
  C:\Windows\System32\DIZLDNv.exe
  2⤵
  PID:10124
- C:\Windows\System32\aPYolcs.exe
  C:\Windows\System32\aPYolcs.exe
  2⤵
  PID:10176
- C:\Windows\System32\BQMkrJF.exe
  C:\Windows\System32\BQMkrJF.exe
  2⤵
  PID:10204
- C:\Windows\System32\ucZePXg.exe
  C:\Windows\System32\ucZePXg.exe
  2⤵
  PID:10232
- C:\Windows\System32\UoJytmD.exe
  C:\Windows\System32\UoJytmD.exe
  2⤵
  PID:9232
- C:\Windows\System32\JLcJzjS.exe
  C:\Windows\System32\JLcJzjS.exe
  2⤵
  PID:9300
- C:\Windows\System32\kOpWKxM.exe
  C:\Windows\System32\kOpWKxM.exe
  2⤵
  PID:9388
- C:\Windows\System32\fKTdSZZ.exe
  C:\Windows\System32\fKTdSZZ.exe
  2⤵
  PID:9456
- C:\Windows\System32\MZVDUxG.exe
  C:\Windows\System32\MZVDUxG.exe
  2⤵
  PID:9556
- C:\Windows\System32\CbSVNQe.exe
  C:\Windows\System32\CbSVNQe.exe
  2⤵
  PID:9652
- C:\Windows\System32\ieLzXwX.exe
  C:\Windows\System32\ieLzXwX.exe
  2⤵
  PID:9744
- C:\Windows\System32\gsOBfam.exe
  C:\Windows\System32\gsOBfam.exe
  2⤵
  PID:9808
- C:\Windows\System32\sslmKbg.exe
  C:\Windows\System32\sslmKbg.exe
  2⤵
  PID:9864
- C:\Windows\System32\frOgKHb.exe
  C:\Windows\System32\frOgKHb.exe
  2⤵
  PID:9908
- C:\Windows\System32\cXHPDhm.exe
  C:\Windows\System32\cXHPDhm.exe
  2⤵
  PID:10048
- C:\Windows\System32\oxnCzUE.exe
  C:\Windows\System32\oxnCzUE.exe
  2⤵
  PID:10068
- C:\Windows\System32\GGVuuVo.exe
  C:\Windows\System32\GGVuuVo.exe
  2⤵
  PID:10144
- C:\Windows\System32\nlZCVFX.exe
  C:\Windows\System32\nlZCVFX.exe
  2⤵
  PID:10196
- C:\Windows\System32\UEnqdJk.exe
  C:\Windows\System32\UEnqdJk.exe
  2⤵
  PID:9324
- C:\Windows\System32\JXXptKI.exe
  C:\Windows\System32\JXXptKI.exe
  2⤵
  PID:9412
- C:\Windows\System32\XsGPWqb.exe
  C:\Windows\System32\XsGPWqb.exe
  2⤵
  PID:9700
- C:\Windows\System32\muudHbC.exe
  C:\Windows\System32\muudHbC.exe
  2⤵
  PID:9836
- C:\Windows\System32\AGyAgtm.exe
  C:\Windows\System32\AGyAgtm.exe
  2⤵
  PID:9984
- C:\Windows\System32\DRYvnhq.exe
  C:\Windows\System32\DRYvnhq.exe
  2⤵
  PID:10040
- C:\Windows\System32\mlezXlN.exe
  C:\Windows\System32\mlezXlN.exe
  2⤵
  PID:9356
- C:\Windows\System32\eakZwfK.exe
  C:\Windows\System32\eakZwfK.exe
  2⤵
  PID:9448
- C:\Windows\System32\hyhQvni.exe
  C:\Windows\System32\hyhQvni.exe
  2⤵
  PID:9220
- C:\Windows\System32\ovwuUBk.exe
  C:\Windows\System32\ovwuUBk.exe
  2⤵
  PID:9832
- C:\Windows\System32\PjpIAmM.exe
  C:\Windows\System32\PjpIAmM.exe
  2⤵
  PID:4240
- C:\Windows\System32\YoqTHsy.exe
  C:\Windows\System32\YoqTHsy.exe
  2⤵
  PID:10256
- C:\Windows\System32\otOohpm.exe
  C:\Windows\System32\otOohpm.exe
  2⤵
  PID:10284
- C:\Windows\System32\oMuDpdM.exe
  C:\Windows\System32\oMuDpdM.exe
  2⤵
  PID:10328
- C:\Windows\System32\hkwKgEj.exe
  C:\Windows\System32\hkwKgEj.exe
  2⤵
  PID:10344
- C:\Windows\System32\aDucluJ.exe
  C:\Windows\System32\aDucluJ.exe
  2⤵
  PID:10376
- C:\Windows\System32\MrITPzW.exe
  C:\Windows\System32\MrITPzW.exe
  2⤵
  PID:10404
- C:\Windows\System32\qFdXqBi.exe
  C:\Windows\System32\qFdXqBi.exe
  2⤵
  PID:10440
- C:\Windows\System32\lwZsqEr.exe
  C:\Windows\System32\lwZsqEr.exe
  2⤵
  PID:10460
- C:\Windows\System32\VReEovW.exe
  C:\Windows\System32\VReEovW.exe
  2⤵
  PID:10488
- C:\Windows\System32\qNlAOFM.exe
  C:\Windows\System32\qNlAOFM.exe
  2⤵
  PID:10516
- C:\Windows\System32\CMhlEvM.exe
  C:\Windows\System32\CMhlEvM.exe
  2⤵
  PID:10544
- C:\Windows\System32\PvrMsiE.exe
  C:\Windows\System32\PvrMsiE.exe
  2⤵
  PID:10564
- C:\Windows\System32\xKwTjTy.exe
  C:\Windows\System32\xKwTjTy.exe
  2⤵
  PID:10588
- C:\Windows\System32\OEuACnt.exe
  C:\Windows\System32\OEuACnt.exe
  2⤵
  PID:10616
- C:\Windows\System32\BUaKgGx.exe
  C:\Windows\System32\BUaKgGx.exe
  2⤵
  PID:10656
- C:\Windows\System32\WsZlfgv.exe
  C:\Windows\System32\WsZlfgv.exe
  2⤵
  PID:10700
- C:\Windows\System32\IZGUtjE.exe
  C:\Windows\System32\IZGUtjE.exe
  2⤵
  PID:10728
- C:\Windows\System32\TaaLojc.exe
  C:\Windows\System32\TaaLojc.exe
  2⤵
  PID:10756
- C:\Windows\System32\gVTgvYn.exe
  C:\Windows\System32\gVTgvYn.exe
  2⤵
  PID:10804
- C:\Windows\System32\sLSsaNe.exe
  C:\Windows\System32\sLSsaNe.exe
  2⤵
  PID:10840
- C:\Windows\System32\ptxiujl.exe
  C:\Windows\System32\ptxiujl.exe
  2⤵
  PID:10860
- C:\Windows\System32\GAsoDui.exe
  C:\Windows\System32\GAsoDui.exe
  2⤵
  PID:10884
- C:\Windows\System32\wNKPrmx.exe
  C:\Windows\System32\wNKPrmx.exe
  2⤵
  PID:10924
- C:\Windows\System32\MKdIFBx.exe
  C:\Windows\System32\MKdIFBx.exe
  2⤵
  PID:10964
- C:\Windows\System32\SDVSqMb.exe
  C:\Windows\System32\SDVSqMb.exe
  2⤵
  PID:11004
- C:\Windows\System32\FQWqHSW.exe
  C:\Windows\System32\FQWqHSW.exe
  2⤵
  PID:11032
- C:\Windows\System32\RPJmmkF.exe
  C:\Windows\System32\RPJmmkF.exe
  2⤵
  PID:11064
- C:\Windows\System32\yJRAeOU.exe
  C:\Windows\System32\yJRAeOU.exe
  2⤵
  PID:11088
- C:\Windows\System32\DWDwjZj.exe
  C:\Windows\System32\DWDwjZj.exe
  2⤵
  PID:11120
- C:\Windows\System32\jGDFuhA.exe
  C:\Windows\System32\jGDFuhA.exe
  2⤵
  PID:11156
- C:\Windows\System32\EUpolnY.exe
  C:\Windows\System32\EUpolnY.exe
  2⤵
  PID:11220
- C:\Windows\System32\jpFWhPT.exe
  C:\Windows\System32\jpFWhPT.exe
  2⤵
  PID:9620
- C:\Windows\System32\XGIIOpV.exe
  C:\Windows\System32\XGIIOpV.exe
  2⤵
  PID:10368
- C:\Windows\System32\fdQOmKo.exe
  C:\Windows\System32\fdQOmKo.exe
  2⤵
  PID:10416
- C:\Windows\System32\XnKOCBU.exe
  C:\Windows\System32\XnKOCBU.exe
  2⤵
  PID:10480
- C:\Windows\System32\XVlyudi.exe
  C:\Windows\System32\XVlyudi.exe
  2⤵
  PID:10560
- C:\Windows\System32\JJPzGlL.exe
  C:\Windows\System32\JJPzGlL.exe
  2⤵
  PID:10604
- C:\Windows\System32\KpSVQEd.exe
  C:\Windows\System32\KpSVQEd.exe
  2⤵
  PID:10692
- C:\Windows\System32\iNTzTMv.exe
  C:\Windows\System32\iNTzTMv.exe
  2⤵
  PID:10784
- C:\Windows\System32\xRuvCiX.exe
  C:\Windows\System32\xRuvCiX.exe
  2⤵
  PID:10820
- C:\Windows\System32\kxoFMTT.exe
  C:\Windows\System32\kxoFMTT.exe
  2⤵
  PID:10896
- C:\Windows\System32\QnNuBzc.exe
  C:\Windows\System32\QnNuBzc.exe
  2⤵
  PID:11024
- C:\Windows\System32\YwyLBxs.exe
  C:\Windows\System32\YwyLBxs.exe
  2⤵
  PID:11132
- C:\Windows\System32\jQOYdEr.exe
  C:\Windows\System32\jQOYdEr.exe
  2⤵
  PID:11136
- C:\Windows\System32\XqfHZbv.exe
  C:\Windows\System32\XqfHZbv.exe
  2⤵
  PID:10340
- C:\Windows\System32\zacmKIX.exe
  C:\Windows\System32\zacmKIX.exe
  2⤵
  PID:10532
- C:\Windows\System32\QbOmSLz.exe
  C:\Windows\System32\QbOmSLz.exe
  2⤵
  PID:10652
- C:\Windows\System32\KUsgDsK.exe
  C:\Windows\System32\KUsgDsK.exe
  2⤵
  PID:10952
- C:\Windows\System32\QxtFPwY.exe
  C:\Windows\System32\QxtFPwY.exe
  2⤵
  PID:11044
- C:\Windows\System32\wsksJoX.exe
  C:\Windows\System32\wsksJoX.exe
  2⤵
  PID:10476
- C:\Windows\System32\rQHFWJs.exe
  C:\Windows\System32\rQHFWJs.exe
  2⤵
  PID:10748
- C:\Windows\System32\aymQWfA.exe
  C:\Windows\System32\aymQWfA.exe
  2⤵
  PID:11204
- C:\Windows\System32\dkteGts.exe
  C:\Windows\System32\dkteGts.exe
  2⤵
  PID:11272
- C:\Windows\System32\iWAQXvI.exe
  C:\Windows\System32\iWAQXvI.exe
  2⤵
  PID:11296
- C:\Windows\System32\KrgBzRL.exe
  C:\Windows\System32\KrgBzRL.exe
  2⤵
  PID:11324
- C:\Windows\System32\CQgEmSP.exe
  C:\Windows\System32\CQgEmSP.exe
  2⤵
  PID:11352
- C:\Windows\System32\PtmTLrr.exe
  C:\Windows\System32\PtmTLrr.exe
  2⤵
  PID:11396
- C:\Windows\System32\aDCAOGK.exe
  C:\Windows\System32\aDCAOGK.exe
  2⤵
  PID:11424
- C:\Windows\System32\KuvYalm.exe
  C:\Windows\System32\KuvYalm.exe
  2⤵
  PID:11440
- C:\Windows\System32\oTMfjCP.exe
  C:\Windows\System32\oTMfjCP.exe
  2⤵
  PID:11484
- C:\Windows\System32\xpBrLgn.exe
  C:\Windows\System32\xpBrLgn.exe
  2⤵
  PID:11508
- C:\Windows\System32\xgGeMvq.exe
  C:\Windows\System32\xgGeMvq.exe
  2⤵
  PID:11540
- C:\Windows\System32\jSorCgJ.exe
  C:\Windows\System32\jSorCgJ.exe
  2⤵
  PID:11572
- C:\Windows\System32\TVHpcRN.exe
  C:\Windows\System32\TVHpcRN.exe
  2⤵
  PID:11612
- C:\Windows\System32\abYABpe.exe
  C:\Windows\System32\abYABpe.exe
  2⤵
  PID:11628
- C:\Windows\System32\PHYrzrw.exe
  C:\Windows\System32\PHYrzrw.exe
  2⤵
  PID:11644
- C:\Windows\System32\nKPqtxS.exe
  C:\Windows\System32\nKPqtxS.exe
  2⤵
  PID:11672
- C:\Windows\System32\PWYqmeX.exe
  C:\Windows\System32\PWYqmeX.exe
  2⤵
  PID:11696
- C:\Windows\System32\GFBHEAk.exe
  C:\Windows\System32\GFBHEAk.exe
  2⤵
  PID:11736
- C:\Windows\System32\ZbqPFvr.exe
  C:\Windows\System32\ZbqPFvr.exe
  2⤵
  PID:11760
- C:\Windows\System32\OKfwsXC.exe
  C:\Windows\System32\OKfwsXC.exe
  2⤵
  PID:11796
- C:\Windows\System32\cCcHbcp.exe
  C:\Windows\System32\cCcHbcp.exe
  2⤵
  PID:11824
- C:\Windows\System32\XMuFcFh.exe
  C:\Windows\System32\XMuFcFh.exe
  2⤵
  PID:11852
- C:\Windows\System32\lkHWKzX.exe
  C:\Windows\System32\lkHWKzX.exe
  2⤵
  PID:11868
- C:\Windows\System32\zhXjMXn.exe
  C:\Windows\System32\zhXjMXn.exe
  2⤵
  PID:11900
- C:\Windows\System32\vlncWVk.exe
  C:\Windows\System32\vlncWVk.exe
  2⤵
  PID:11932
- C:\Windows\System32\gTmgXNl.exe
  C:\Windows\System32\gTmgXNl.exe
  2⤵
  PID:11968
- C:\Windows\System32\pllZsQv.exe
  C:\Windows\System32\pllZsQv.exe
  2⤵
  PID:11984
- C:\Windows\System32\sVoOKhc.exe
  C:\Windows\System32\sVoOKhc.exe
  2⤵
  PID:12012
- C:\Windows\System32\JnErynq.exe
  C:\Windows\System32\JnErynq.exe
  2⤵
  PID:12032
- C:\Windows\System32\lCAnLZp.exe
  C:\Windows\System32\lCAnLZp.exe
  2⤵
  PID:12060
- C:\Windows\System32\QmSKgYW.exe
  C:\Windows\System32\QmSKgYW.exe
  2⤵
  PID:12084
- C:\Windows\System32\NegZhkZ.exe
  C:\Windows\System32\NegZhkZ.exe
  2⤵
  PID:12100
- C:\Windows\System32\vNLQNRs.exe
  C:\Windows\System32\vNLQNRs.exe
  2⤵
  PID:12124
- C:\Windows\System32\lsZvdlu.exe
  C:\Windows\System32\lsZvdlu.exe
  2⤵
  PID:12168
- C:\Windows\System32\UdQFmAG.exe
  C:\Windows\System32\UdQFmAG.exe
  2⤵
  PID:12192
- C:\Windows\System32\zlHrDid.exe
  C:\Windows\System32\zlHrDid.exe
  2⤵
  PID:12228
- C:\Windows\System32\yZtHRYI.exe
  C:\Windows\System32\yZtHRYI.exe
  2⤵
  PID:12264
- C:\Windows\System32\SkdVFeN.exe
  C:\Windows\System32\SkdVFeN.exe
  2⤵
  PID:11284
- C:\Windows\System32\vLoUSyg.exe
  C:\Windows\System32\vLoUSyg.exe
  2⤵
  PID:11348
- C:\Windows\System32\VvPbSNF.exe
  C:\Windows\System32\VvPbSNF.exe
  2⤵
  PID:11384
- C:\Windows\System32\suuXTmi.exe
  C:\Windows\System32\suuXTmi.exe
  2⤵
  PID:11472
- C:\Windows\System32\FHZpeVD.exe
  C:\Windows\System32\FHZpeVD.exe
  2⤵
  PID:11528
- C:\Windows\System32\hlRhbyy.exe
  C:\Windows\System32\hlRhbyy.exe
  2⤵
  PID:11564
- C:\Windows\System32\OqLMvtM.exe
  C:\Windows\System32\OqLMvtM.exe
  2⤵
  PID:11656
- C:\Windows\System32\PkXfDTO.exe
  C:\Windows\System32\PkXfDTO.exe
  2⤵
  PID:11732
- C:\Windows\System32\lrhAZmF.exe
  C:\Windows\System32\lrhAZmF.exe
  2⤵
  PID:11816
- C:\Windows\System32\QrqpuSL.exe
  C:\Windows\System32\QrqpuSL.exe
  2⤵
  PID:11880
- C:\Windows\System32\AKkrJHr.exe
  C:\Windows\System32\AKkrJHr.exe
  2⤵
  PID:11924
- C:\Windows\System32\ksmYDVw.exe
  C:\Windows\System32\ksmYDVw.exe
  2⤵
  PID:12004
- C:\Windows\System32\vUtbPAs.exe
  C:\Windows\System32\vUtbPAs.exe
  2⤵
  PID:12052
- C:\Windows\System32\sRTlLDC.exe
  C:\Windows\System32\sRTlLDC.exe
  2⤵
  PID:12116
- C:\Windows\System32\UClQvTL.exe
  C:\Windows\System32\UClQvTL.exe
  2⤵
  PID:12188
- C:\Windows\System32\vNvoAxl.exe
  C:\Windows\System32\vNvoAxl.exe
  2⤵
  PID:12244
- C:\Windows\System32\MtdAsAs.exe
  C:\Windows\System32\MtdAsAs.exe
  2⤵
  PID:11332
- C:\Windows\System32\PUROFwB.exe
  C:\Windows\System32\PUROFwB.exe
  2⤵
  PID:11520
- C:\Windows\System32\JUncuob.exe
  C:\Windows\System32\JUncuob.exe
  2⤵
  PID:11708
- C:\Windows\System32\PRhAMYs.exe
  C:\Windows\System32\PRhAMYs.exe
  2⤵
  PID:11788
- C:\Windows\System32\dVbaOgp.exe
  C:\Windows\System32\dVbaOgp.exe
  2⤵
  PID:3812
- C:\Windows\System32\xBXpkwC.exe
  C:\Windows\System32\xBXpkwC.exe
  2⤵
  PID:11976
- C:\Windows\System32\bmNpRBF.exe
  C:\Windows\System32\bmNpRBF.exe
  2⤵
  PID:12068
- C:\Windows\System32\KXEHVYy.exe
  C:\Windows\System32\KXEHVYy.exe
  2⤵
  PID:11316
- C:\Windows\System32\xNXcaqp.exe
  C:\Windows\System32\xNXcaqp.exe
  2⤵
  PID:11504
- C:\Windows\System32\DwFfHyN.exe
  C:\Windows\System32\DwFfHyN.exe
  2⤵
  PID:11744
- C:\Windows\System32\yJdUIvj.exe
  C:\Windows\System32\yJdUIvj.exe
  2⤵
  PID:11844
- C:\Windows\System32\PNRGQxw.exe
  C:\Windows\System32\PNRGQxw.exe
  2⤵
  PID:11624
- C:\Windows\System32\TUwPMLF.exe
  C:\Windows\System32\TUwPMLF.exe
  2⤵
  PID:12316
- C:\Windows\System32\FyDcYuX.exe
  C:\Windows\System32\FyDcYuX.exe
  2⤵
  PID:12348
- C:\Windows\System32\GTBuRlP.exe
  C:\Windows\System32\GTBuRlP.exe
  2⤵
  PID:12376
- C:\Windows\System32\PhAGzDl.exe
  C:\Windows\System32\PhAGzDl.exe
  2⤵
  PID:12396
- C:\Windows\System32\tPuoFYD.exe
  C:\Windows\System32\tPuoFYD.exe
  2⤵
  PID:12440
- C:\Windows\System32\HcaBKJA.exe
  C:\Windows\System32\HcaBKJA.exe
  2⤵
  PID:12460
- C:\Windows\System32\vsBxfea.exe
  C:\Windows\System32\vsBxfea.exe
  2⤵
  PID:12476
- C:\Windows\System32\zKrRmaA.exe
  C:\Windows\System32\zKrRmaA.exe
  2⤵
  PID:12504
- C:\Windows\System32\zMBuvga.exe
  C:\Windows\System32\zMBuvga.exe
  2⤵
  PID:12520
- C:\Windows\System32\dkZmBDi.exe
  C:\Windows\System32\dkZmBDi.exe
  2⤵
  PID:12560
- C:\Windows\System32\sarGEdU.exe
  C:\Windows\System32\sarGEdU.exe
  2⤵
  PID:12592
- C:\Windows\System32\ZsNAjqd.exe
  C:\Windows\System32\ZsNAjqd.exe
  2⤵
  PID:12640
- C:\Windows\System32\IfwMKFZ.exe
  C:\Windows\System32\IfwMKFZ.exe
  2⤵
  PID:12656
- C:\Windows\System32\SAiTCwI.exe
  C:\Windows\System32\SAiTCwI.exe
  2⤵
  PID:12684
- C:\Windows\System32\ijzYkRk.exe
  C:\Windows\System32\ijzYkRk.exe
  2⤵
  PID:12712
- C:\Windows\System32\yTauTsr.exe
  C:\Windows\System32\yTauTsr.exe
  2⤵
  PID:12740
- C:\Windows\System32\hMbcQEB.exe
  C:\Windows\System32\hMbcQEB.exe
  2⤵
  PID:12768
- C:\Windows\System32\bOFSVmP.exe
  C:\Windows\System32\bOFSVmP.exe
  2⤵
  PID:12784
- C:\Windows\System32\mQFXbTn.exe
  C:\Windows\System32\mQFXbTn.exe
  2⤵
  PID:12816
- C:\Windows\System32\axDzBeB.exe
  C:\Windows\System32\axDzBeB.exe
  2⤵
  PID:12856
- C:\Windows\System32\xJgaPQT.exe
  C:\Windows\System32\xJgaPQT.exe
  2⤵
  PID:12880
- C:\Windows\System32\LzdOCij.exe
  C:\Windows\System32\LzdOCij.exe
  2⤵
  PID:12908
- C:\Windows\System32\RhbszOu.exe
  C:\Windows\System32\RhbszOu.exe
  2⤵
  PID:12936
- C:\Windows\System32\fBJLWcF.exe
  C:\Windows\System32\fBJLWcF.exe
  2⤵
  PID:12956
- C:\Windows\System32\awQhMtX.exe
  C:\Windows\System32\awQhMtX.exe
  2⤵
  PID:12992
- C:\Windows\System32\SVFKduF.exe
  C:\Windows\System32\SVFKduF.exe
  2⤵
  PID:13020
- C:\Windows\System32\uvZjyXx.exe
  C:\Windows\System32\uvZjyXx.exe
  2⤵
  PID:13048
- C:\Windows\System32\WPzHavq.exe
  C:\Windows\System32\WPzHavq.exe
  2⤵
  PID:13076
- C:\Windows\System32\zxRaoaZ.exe
  C:\Windows\System32\zxRaoaZ.exe
  2⤵
  PID:13104
- C:\Windows\System32\QjLtZCJ.exe
  C:\Windows\System32\QjLtZCJ.exe
  2⤵
  PID:13120
- C:\Windows\System32\jMTNiAD.exe
  C:\Windows\System32\jMTNiAD.exe
  2⤵
  PID:13148
- C:\Windows\System32\uYOfKym.exe
  C:\Windows\System32\uYOfKym.exe
  2⤵
  PID:13188
- C:\Windows\System32\fzwkdxZ.exe
  C:\Windows\System32\fzwkdxZ.exe
  2⤵
  PID:13216
- C:\Windows\System32\bQpxczN.exe
  C:\Windows\System32\bQpxczN.exe
  2⤵
  PID:13232
- C:\Windows\System32\kqrtTbp.exe
  C:\Windows\System32\kqrtTbp.exe
  2⤵
  PID:13272
- C:\Windows\System32\bsXgPsF.exe
  C:\Windows\System32\bsXgPsF.exe
  2⤵
  PID:13292
- C:\Windows\System32\qyGkrxE.exe
  C:\Windows\System32\qyGkrxE.exe
  2⤵
  PID:12308
- C:\Windows\System32\HidctMV.exe
  C:\Windows\System32\HidctMV.exe
  2⤵
  PID:12404
- C:\Windows\System32\txragJc.exe
  C:\Windows\System32\txragJc.exe
  2⤵
  PID:12456
- C:\Windows\System32\taJkinP.exe
  C:\Windows\System32\taJkinP.exe
  2⤵
  PID:12848
- C:\Windows\System32\IoVwzjk.exe
  C:\Windows\System32\IoVwzjk.exe
  2⤵
  PID:12868

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv rGvy9r0px0q0bymRAH8BfA.0.2
1⤵
PID:12672
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 12672 -s 1012
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:13180

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 12672 -i 12672 -h 468 -j 432 -s 476 -d 12776
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:12944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AgbOzLL.exe

Filesize
3.1MB

MD5
144f577333c2d6ffe69544f6d1641249

SHA1
48050d1d1b64e20d5bbc0fb2d620812a8283af28

SHA256
ba4068ccc7a0ad80dfd74499a68f828d4c53a06b3f53b5db9fc4ba9d8fdef01b

SHA512
75f7901ca1a3e24a1bab2f53e4fa67c2208a93a2b3ccc6571ba93a0a554cc63ce8f68f868d27e57b071c73e4fa9d76be4b814f1ce96ed1205a36fbbd44bf8f54

Download Submit
C:\Windows\System32\AhWGIYQ.exe

Filesize
3.1MB

MD5
b3ab1caa756551acfdfa91b0289d9f39

SHA1
ce09650adcec176586c41f93c2b4cbcd82a9844e

SHA256
85b0b868b589376d0ea19b906aa0ac6532f72a02f1264f581ddc534336541f75

SHA512
8d805c050955f381b5c99910ebb3b20c92eb3412d177c8fef79352c387804c646cc3d3023c9ea1835634ea3a4e1d2cce5a9f9f61a47452fa11cc603ea829dfb5

Download Submit
C:\Windows\System32\GNSIoxf.exe

Filesize
3.1MB

MD5
427311eca38cae89643f48635bf022c4

SHA1
04dd9037cbcf3492b11ac2e754b7db3c0e5ab81d

SHA256
e0ea9cd75ea1ec16621f7a6bc237a8c32a3e63870952ef37b0cbea206ee1081a

SHA512
6ce0d9cd34b12ae99b5cfd7471f1e836cc3e0257a719fa1b993decf3cfc3308a6448b32490074f89651cca9da36811b433065b19e6d36a9bbe0c5b1767f398fe

Download Submit
C:\Windows\System32\HdfJafZ.exe

Filesize
3.1MB

MD5
e257d213ea61e5e4ea4f9a91bca5284c

SHA1
00acd29b13b279d09b4aec62f942449df53dd2c4

SHA256
67beb88e96989e89ef6f44398636fd432a3ebaf3c0f28275f2f193457431810a

SHA512
5b22e85312f3d3c25f29008e1a2ebc12588d4d5e730fe0fd4bef085fdf02d533754b0a55248286a03688dc1807f9b7c2d0f178f80a32e260a05252320c7429d1

Download Submit
C:\Windows\System32\HoTqZzZ.exe

Filesize
3.1MB

MD5
96def84f78c1fb897f979f65dbdaf4f7

SHA1
5e61fe3d12dc6046d284c8a1a70358c71549c057

SHA256
9d634509a7cbc95b184aca3f2a02309fe14267d73e0c1acadfedb191ad86cbbd

SHA512
86d209b0e5578cd2bc70f5a01a1eb36227e553f7804546595628c5af5b2424dbdec4e79396fe8cdf822cc70b2a788976980e321514b4ce30ba5a08f96b8f4c35

Download Submit
C:\Windows\System32\IJTHmMV.exe

Filesize
3.1MB

MD5
766061bd121e22cdb7314379e2425fdd

SHA1
924fd0b5820f8ee7cfcb31996e95df63fa6a2c51

SHA256
26e66ec6fed6ef7eb511e6f29183de8632da4503016f7dd28f8c61fdbe744930

SHA512
cd294dee264c6617749f4457668f5e35374fbd2616f1b38a8cd8b8deff1da4f349977ca2852778b10014164f19c9cd2add7bde9014c10275590f31028bc7a4e3

Download Submit
C:\Windows\System32\ItySQTL.exe

Filesize
3.1MB

MD5
dca955b268941e5f72b3e3995aea6246

SHA1
b24148a0fd6f983cf219e825bc03185ac46d054c

SHA256
ade3e60d8951029c89d4fffa5f2ac69a9d5896412fb1b3cd7bb937f11d69753a

SHA512
ace701b3dc8509902c63baa1af6b3ad063aa2c5d8e5fa0d8dadb90afd35e4e2b3dd44ad1598cb63ae7cb7e9b40e4351e440df5f1a650f2dd7ccee82be376455f

Download Submit
C:\Windows\System32\LLvjGtc.exe

Filesize
3.1MB

MD5
fc0bea6fdbe0f94b7a27f5de5ef264c8

SHA1
bcfa3462907a0d529ccfa70c7a9b6659db455f5d

SHA256
0a8ca9081cf4fd4534f88285e6a3d4fccbc19745c73e2b9e509eac91ab47368c

SHA512
60aea6d999017748b4610f724407329903d66b4d6a44b2f4c92f2c137832644ce207121191f12d3dc2adecfa4951bc8b4f124b53ab33edb429b7aa6f33c7aa6a

Download Submit
C:\Windows\System32\MNcHEJm.exe

Filesize
3.1MB

MD5
fecd462bd60539d41239e58d2711a990

SHA1
6794082b6b8f245d1977063e7877443d09d46914

SHA256
f05b7fa34187306904dd19229de370d8d58c169344f7336ed75491b1b9c3c3a3

SHA512
d53514dae2a18f1881cc50151410231517fb9a73ad435fd145d20f1e199a55bf2cd0c87a6e98a2b540ca07fad85ad93961c18a47d01831915f852dc46bd4e0a1

Download Submit
C:\Windows\System32\NQxAlEJ.exe

Filesize
3.1MB

MD5
95be92939d2be51a424c59dd8f2e1ab7

SHA1
61f410615c6260ed6c0bf8883ff622457bad7cfd

SHA256
86f94253ca3476011acd1c03a2080414901ba7edf446c4be52fa425ca8feade1

SHA512
d47241dfaeef940682d643f3d1a3216bfa10729afed55eb4b22740903999a2e9b85e9d9b42841d50c52ae1e249c6f62245ab3bdf671340144e6f092caf651fe1

Download Submit
C:\Windows\System32\RqYYqNM.exe

Filesize
3.1MB

MD5
8992e09db20ea698ba56174f82b74ba6

SHA1
81b9e7524cf5f85a15dcba2677d49c99fc71ee88

SHA256
f0ddb3dc613ef34863e0b4d0c708072305a724a5f7cf35e8316ce83f31546e64

SHA512
3f7483b7c84b1d42dd6fe4488d325727d258357565e805667885b6e35370294d061ffc61ca7e8ae3d367f519ae23cd5bf172ca498bc167f3e6a39f3a531e4ff7

Download Submit
C:\Windows\System32\SjPYCJX.exe

Filesize
3.1MB

MD5
1b13870823637e72c9584bf2af8e9f11

SHA1
8ad47edebb0393ac556f9b2bdcd1a9eeb27bd38d

SHA256
88b262752c6f6a8b58d7db82405c89c1f4e96609fa4452cd5d0c35e138f0a4d9

SHA512
0cf6240087fa424c3856a5a551976d65edd65829dd637995740cd9c72cea984beed990e52e4da2a0dd85d476be946dfd340cd9394c121a5e688e7c0ed3871755

Download Submit
C:\Windows\System32\SpbxNrX.exe

Filesize
3.1MB

MD5
30e450f3d2993ad33e70f434fcdf152e

SHA1
7c73deb7eae1937e06e443c438d28b60d88d6575

SHA256
b280740d4ddc83eb858203e7d63dc1560eaacdaf88d27d064572aeab3e9df13c

SHA512
841e40356c0c69d59e07987cfdd941603755c5a7335769c5ca7ae33b101be66e8232d95e5408037cb8883a11da7fbc3635fb0f413cd42b2c373c6bfce5c641b4

Download Submit
C:\Windows\System32\WZUlgKv.exe

Filesize
3.1MB

MD5
2de09fede971dde6ddc555bc68278805

SHA1
83a1571471a14b67277e2133ec7a09cc23868dd1

SHA256
ddd3bf158df55674f81edf0c1d4da8129b681657a814e5d67deff5e03351fd3f

SHA512
b5efe6edbd3358ad7b3b63aa2fc4f099f14cf2dcc0abe08554d9e7245618fcac32fed9e6de757985fb5c07a4231e33fa502c4be13d5a7a49eee344dbab18e5fb

Download Submit
C:\Windows\System32\ZsFXICg.exe

Filesize
3.1MB

MD5
c058b53db6b33e39682edba39b59f1ab

SHA1
add043d4c8a5bc8aa3e30666dec8d72c18b9e03f

SHA256
6b62d836056e18e233d81ab8427772a71e5981b152f3d96cbc4f94440f1fb002

SHA512
f9a0798f010749a4d4ce1697bd957e7cf1499d448be53f91dfb2a4810d93a56e044d16b8f4d2a84249ba77baf98265a862614f5c8de50244b09311881e3ef48f

Download Submit
C:\Windows\System32\Zsryhnq.exe

Filesize
3.1MB

MD5
2fe2a7bbbab5ec7a7b9722ec3a8ccb73

SHA1
49d9ecf27ac29d3d3196fb26f101e08f60e9da11

SHA256
d743ff46b9f27a55c8f1d67f4bbdf52edac1c6352bbaaa1bef6e803d022ae5f8

SHA512
75c9b9a62ec2c98392334ec068b346c34c9260d15521d76a68b60671dbc079b8f13207165ae917735ea49bc01012c0180a1821569324b6208f995aa03fc0fd26

Download Submit
C:\Windows\System32\aDnZdBt.exe

Filesize
3.1MB

MD5
84ad2fdc24a1ee134ff90f29ae598fe9

SHA1
d4c0bc18b2e619b34696da090dd64aa0a3ce43f0

SHA256
d7bed3d3b1c34c7b2cc85b0b8c6399ef3727e051ba9e5aa038ab40f64ca84e2d

SHA512
ca6abd369981d3204944f06c40e2fff6c1412def14c8bfa0984ccd9422a911eff528b0f68bd6ccd9a01a187331e69b49a8b76ed0ae6f269766d491858bf58048

Download Submit
C:\Windows\System32\afswMxm.exe

Filesize
3.1MB

MD5
760633dfc555fa0d4686b691aa98849b

SHA1
6612db4cc4ee52e506075fef41c06e64260edbe3

SHA256
abc829f5e17215733324cf0c84dcded4fadbb05201a2d6953b7e6f0d3809371e

SHA512
b54adf5c20965456cbc0d5406d2bc086d707ea54046196c2b300f97017f1a19b85dadc4db733cc420c4f0ebbf344a4b165dee05bcf062f0fca41f37654628ce1

Download Submit
C:\Windows\System32\bGpPSJd.exe

Filesize
3.1MB

MD5
a5e155f9be2b2b4f91c25f9defe56cf7

SHA1
a9d4846f56655d7bab5de96c5d362de93d49a15a

SHA256
764e47f5d35e8f1e2c1265661e92a37c349768674264d09206df964ab8f224e6

SHA512
9b981b3ad66554a7313bd66500f8e3bd35e165db1fc6471a51b0eaa179b626809d8b99d9116d9aa0883fccb4bf38a69e70ed29691d4420a777a822ed9ae6257a

Download Submit
C:\Windows\System32\bzRdSil.exe

Filesize
3.1MB

MD5
596abe41c521ee4513f2b60ab5c8b011

SHA1
2a0d9a605801fc4b11afc3d2d75d6cb87f87927a

SHA256
f9d9af93e6053f6b1f35b2fc751912dedf22f7997546d74b559d5dcdc58e8e7e

SHA512
1a549204036ae0c94473f0d96b147fcd845cbb95bb0d661c1e59b2833ed7db80c8525e12003b2c8b15d261613544b488bda19e361c0e83f64631697155d31257

Download Submit
C:\Windows\System32\cEbAZoW.exe

Filesize
3.1MB

MD5
dcae3c737b2365343336f3b059fd0873

SHA1
4fafe1a1bc65c6f7041727af2abd90d7c275a80c

SHA256
01eb262d12ca296e2fa009a95b25f48ec365de32c8a981b132ade1f36e51755e

SHA512
f6d0ddb3834122dce46353633d0ab32a7308a5b0f697b2d5369ab2c4ca0482057ffd7a2e5f763240707577f8eed5f8cc6bafa8ecc88badd7f5ce298bdbd2ac11

Download Submit
C:\Windows\System32\fFNFOLq.exe

Filesize
3.1MB

MD5
c2e8c236f4696dc949068492d75f4f0c

SHA1
b5c52010d58a98516f2e007788e881fd783afda2

SHA256
b75ade85aa39e85ef9aacf2cb99a6583a6338399dd1417db6dc06fed8d7bae48

SHA512
07fd37cef815ae758361aa54f51b0146ab0569961dfe19505bddfba4f25b1584db093189e1a597834465ae5cc5326ebb83818ec91884aa6f51fe407df4e9d679

Download Submit
C:\Windows\System32\fNxDzZa.exe

Filesize
3.1MB

MD5
3e259e99b1bf1d48fe731bd02b8887e4

SHA1
913ba01bf28d97bdadbf573564ddeb0e4062a10d

SHA256
a8e83c3b4e2966ee8e3aed9122507c8efa4b5cc73808afc5c63b7c1e0f0b7367

SHA512
6420f4c1700e2e5567751501143d975f025c754ae1b870cfe708c3bb96c331c74d0d9540d5dce479af4a71b62bb30da6a457e6b6343b64eb6ba7aff22d182954

Download Submit
C:\Windows\System32\gIHuVjg.exe

Filesize
3.1MB

MD5
7ca77d5f5feb8bf43058913c1d45a1d4

SHA1
695d55453a853981b93272ae993634d46e1b4e06

SHA256
6bea294fce1c29a1a100ec500ddce003ac3727f0c80c5cd14ba225d98478ce64

SHA512
7021a121562262b029e800709202246565eeff4230dcfda8c3d4451bd25a37f6b1f684831d1de13cc4550acb2255f82962861944a5e39232d95776be837eed6d

Download Submit
C:\Windows\System32\iFepuSK.exe

Filesize
3.1MB

MD5
5763ee62ccd050ccc706b046e2c3269e

SHA1
02b4a8e7ccce155fe7fafe438c4f0a9381b687c4

SHA256
b1b6d4558c780d07069c23e47e078a62a494fc8ce900ef4bc9223b68fee0c9af

SHA512
80d033e0d9b7159820ccbc3c1f54e577f6216e03561998ecd150b75548215e9d8c26f8a3da527eb5b50909e4043c876a66d91bd300af184f7c845954fbafad72

Download Submit
C:\Windows\System32\itzQFxL.exe

Filesize
3.1MB

MD5
a4c43b387300caa2ef9ec6da685ed443

SHA1
8b69ace36ffd03c357013196fc6944761e9ee250

SHA256
1f92cc536e5188c547de46f746fd1d439e5978867743e4d058f47192874f8465

SHA512
c7b1e40aed51772d0f804696879410499d2d567883eac9432763612ded78cb332cbaa24e3a42da9bf0adac4341216342c9642bc9053bba43fbcd517d3b93d416

Download Submit
C:\Windows\System32\jVneEVJ.exe

Filesize
3.1MB

MD5
27329ea915e44763799eec4f4ce75e42

SHA1
2a2c710d99205ca008e9acfff7b74f10a216013c

SHA256
5be83f596c4f90c0bef3f0a8cf6a2b449fc2364ed47cfaa1af5d2a20a863a631

SHA512
503129c6d2d31fb3f7365d20cc7d65690e76da65cae1baafc6de4a4479e5549125701c33f587e2dedaf81cc795e3564624a529173b2b7f04368ca3c0b62f392d

Download Submit
C:\Windows\System32\lXojQiM.exe

Filesize
3.1MB

MD5
2e94e57fd27c439cd385b9b99cab38b0

SHA1
e8cff6681180cab538290d3a5c88e668d55b58ea

SHA256
f7a37fb17d83284f738d0a7eabf6788471c4d4501e73f354d69028a8af5cd741

SHA512
72399e10d772b92a1c9dda2b4370271520da83abec39fa77b22dc998fd1954f0e29f4b3ecc32df7e5f66971685750a4f1785fb505ec900b35e472cb0f16ab951

Download Submit
C:\Windows\System32\qLmBGfe.exe

Filesize
3.1MB

MD5
7c1f949b826d8277f27d6beeba9f28de

SHA1
b01634f2e6fd31e949fea35894e1b58893366e20

SHA256
4db9096ea6bc846a680ae6d56169e80b06f715d947b0b285926ae2db39ddbc1b

SHA512
05aaf7d4e0ebd2e2cb5bbafdc598564a90bd66f1d2f2030002217793c86089cb8490890a4581f6d61162a295ff7b4927ad5dc1e21da3d6c87eb0ed8b41371f5d

Download Submit
C:\Windows\System32\razYipv.exe

Filesize
3.1MB

MD5
790697d7aea4e09faf23c8b8f15f106b

SHA1
f803bdd65228802d2ba7f99178402a489440f3fe

SHA256
a770325a0d429e9421f35283120c7405710e4eb96db67e2065478facc4ee2831

SHA512
67ef9af11772addda77e4eb56ba49b65420eec84b0f8f30902d4ede34dcd272edfdab0a30ec89347441166a9cfcf26e0af17f85e3959fcd9ea10ec7836802811

Download Submit
C:\Windows\System32\uivapAL.exe

Filesize
3.1MB

MD5
0e2a3d6913388556fe946607c671a831

SHA1
d6b88f3a90482d7c176056daf88c79a5699a564e

SHA256
c052c24c5f6e6cbd8b8ba8ea9a67c1e69a017da046c4e48c17ad3e590c08b412

SHA512
d8638d507860ae5b0b98db0c837f5e51a81d721dff74c81f3b21ffb46f3697ca8ce7440079f861f800d01d514d7f5ea1c65aebaeb51c9675acdf042c099f1931

Download Submit
C:\Windows\System32\yBkDtXM.exe

Filesize
3.1MB

MD5
7ef4454c77a6ed1409828638eb03892f

SHA1
f5306ee41d6dfd6469e72447f83b3d23ad9d58c4

SHA256
8da032efaedf520018dda172c50df97cd4f3dc121a3c794d6482795879736fc6

SHA512
da0a829d1fdfc8b5355d742b50b8ecbe1391c95a312e7d2389621bb68c2b36a7fcb7dbf8dc5d469bfc6819b49fa5c2746454ba1971d34600424929bc3b4853e7

Download Submit
C:\Windows\System32\zhOQqYl.exe

Filesize
3.1MB

MD5
489957089f3290b0a1a908feba7217f1

SHA1
9c8d7f3e76f88d0e614706357bf8fe29af23a57b

SHA256
c71243c93a59460a48fd68eb83e3b4379755ee87032e04b7ba099846ddc2357f

SHA512
db3891f4f23430dbe6f83066e098a4f9c6e718c56244c38cb133147db47a1544d256b6cc7795108857ef103b28d3f5de9d18c3a535352f2d73b393aa40ddf182

Download Submit
memory/228-20-0x00007FF602F70000-0x00007FF603365000-memory.dmp

Filesize
4.0MB

Download
memory/228-1925-0x00007FF602F70000-0x00007FF603365000-memory.dmp

Filesize
4.0MB

Download
memory/456-131-0x00007FF7A9760000-0x00007FF7A9B55000-memory.dmp

Filesize
4.0MB

Download
memory/456-1944-0x00007FF7A9760000-0x00007FF7A9B55000-memory.dmp

Filesize
4.0MB

Download
memory/852-1929-0x00007FF763220000-0x00007FF763615000-memory.dmp

Filesize
4.0MB

Download
memory/852-63-0x00007FF763220000-0x00007FF763615000-memory.dmp

Filesize
4.0MB

Download
memory/920-134-0x00007FF64A350000-0x00007FF64A745000-memory.dmp

Filesize
4.0MB

Download
memory/920-1945-0x00007FF64A350000-0x00007FF64A745000-memory.dmp

Filesize
4.0MB

Download
memory/1168-61-0x00007FF70D0E0000-0x00007FF70D4D5000-memory.dmp

Filesize
4.0MB

Download
memory/1168-1927-0x00007FF70D0E0000-0x00007FF70D4D5000-memory.dmp

Filesize
4.0MB

Download
memory/1292-1940-0x00007FF799410000-0x00007FF799805000-memory.dmp

Filesize
4.0MB

Download
memory/1292-125-0x00007FF799410000-0x00007FF799805000-memory.dmp

Filesize
4.0MB

Download
memory/1320-1936-0x00007FF79A3C0000-0x00007FF79A7B5000-memory.dmp

Filesize
4.0MB

Download
memory/1320-1948-0x00007FF79A3C0000-0x00007FF79A7B5000-memory.dmp

Filesize
4.0MB

Download
memory/1320-144-0x00007FF79A3C0000-0x00007FF79A7B5000-memory.dmp

Filesize
4.0MB

Download
memory/1352-112-0x00007FF72FBA0000-0x00007FF72FF95000-memory.dmp

Filesize
4.0MB

Download
memory/1352-1943-0x00007FF72FBA0000-0x00007FF72FF95000-memory.dmp

Filesize
4.0MB

Download
memory/1472-7-0x00007FF695210000-0x00007FF695605000-memory.dmp

Filesize
4.0MB

Download
memory/1472-1924-0x00007FF695210000-0x00007FF695605000-memory.dmp

Filesize
4.0MB

Download
memory/1648-115-0x00007FF631380000-0x00007FF631775000-memory.dmp

Filesize
4.0MB

Download
memory/1648-1942-0x00007FF631380000-0x00007FF631775000-memory.dmp

Filesize
4.0MB

Download
memory/1744-1946-0x00007FF744860000-0x00007FF744C55000-memory.dmp

Filesize
4.0MB

Download
memory/1744-140-0x00007FF744860000-0x00007FF744C55000-memory.dmp

Filesize
4.0MB

Download
memory/1804-1941-0x00007FF70A1D0000-0x00007FF70A5C5000-memory.dmp

Filesize
4.0MB

Download
memory/1804-121-0x00007FF70A1D0000-0x00007FF70A5C5000-memory.dmp

Filesize
4.0MB

Download
memory/1920-1932-0x00007FF71D4D0000-0x00007FF71D8C5000-memory.dmp

Filesize
4.0MB

Download
memory/1920-67-0x00007FF71D4D0000-0x00007FF71D8C5000-memory.dmp

Filesize
4.0MB

Download
memory/2020-99-0x00007FF7FB020000-0x00007FF7FB415000-memory.dmp

Filesize
4.0MB

Download
memory/2020-1939-0x00007FF7FB020000-0x00007FF7FB415000-memory.dmp

Filesize
4.0MB

Download
memory/2128-1938-0x00007FF7C9A80000-0x00007FF7C9E75000-memory.dmp

Filesize
4.0MB

Download
memory/2128-102-0x00007FF7C9A80000-0x00007FF7C9E75000-memory.dmp

Filesize
4.0MB

Download
memory/2728-76-0x00007FF660140000-0x00007FF660535000-memory.dmp

Filesize
4.0MB

Download
memory/2728-1933-0x00007FF660140000-0x00007FF660535000-memory.dmp

Filesize
4.0MB

Download
memory/2796-69-0x00007FF7A3800000-0x00007FF7A3BF5000-memory.dmp

Filesize
4.0MB

Download
memory/2796-1930-0x00007FF7A3800000-0x00007FF7A3BF5000-memory.dmp

Filesize
4.0MB

Download
memory/2980-150-0x00007FF639060000-0x00007FF639455000-memory.dmp

Filesize
4.0MB

Download
memory/2980-1947-0x00007FF639060000-0x00007FF639455000-memory.dmp

Filesize
4.0MB

Download
memory/3160-1934-0x00007FF78CE40000-0x00007FF78D235000-memory.dmp

Filesize
4.0MB

Download
memory/3160-86-0x00007FF78CE40000-0x00007FF78D235000-memory.dmp

Filesize
4.0MB

Download
memory/3468-1926-0x00007FF62BE20000-0x00007FF62C215000-memory.dmp

Filesize
4.0MB

Download
memory/3468-89-0x00007FF62BE20000-0x00007FF62C215000-memory.dmp

Filesize
4.0MB

Download
memory/3572-82-0x00007FF701DC0000-0x00007FF7021B5000-memory.dmp

Filesize
4.0MB

Download
memory/3572-1935-0x00007FF701DC0000-0x00007FF7021B5000-memory.dmp

Filesize
4.0MB

Download
memory/3868-95-0x00007FF66BDF0000-0x00007FF66C1E5000-memory.dmp

Filesize
4.0MB

Download
memory/3868-1928-0x00007FF66BDF0000-0x00007FF66C1E5000-memory.dmp

Filesize
4.0MB

Download
memory/4108-73-0x00007FF798210000-0x00007FF798605000-memory.dmp

Filesize
4.0MB

Download
memory/4108-1931-0x00007FF798210000-0x00007FF798605000-memory.dmp

Filesize
4.0MB

Download
memory/4136-1937-0x00007FF7BFE60000-0x00007FF7C0255000-memory.dmp

Filesize
4.0MB

Download
memory/4136-108-0x00007FF7BFE60000-0x00007FF7C0255000-memory.dmp

Filesize
4.0MB

Download
memory/5072-1-0x0000020728430000-0x0000020728440000-memory.dmp

Filesize
64KB

Download
memory/5072-1914-0x00007FF6FE910000-0x00007FF6FED05000-memory.dmp

Filesize
4.0MB

Download
memory/5072-0-0x00007FF6FE910000-0x00007FF6FED05000-memory.dmp

Filesize
4.0MB

Download