xmrig | 7dc3203b6adf542fee6e64ed5aba4cbb0925de348ad63c2fd0f64c92c09c59bb

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
Size

1.6MB
MD5

a39020901e9d4ae00273300f66285e90
SHA1

4ac3dcd95c589515a8689434e9f34e3a38110b9c
SHA256

7dc3203b6adf542fee6e64ed5aba4cbb0925de348ad63c2fd0f64c92c09c59bb
SHA512

5f7bcecee75895c35cf9a5a11c4594bf9d075ae367cae789151721a492094ada1e3bfb8f7ce91a2eea44b91c7d97f37d7b0bc78f642ad6b736f0fb5a25b405b4
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkyW1HU/ek5Q1szp5NnNvZWNChZ7fI+BJBxyODsbJEU:Lz071uv4BPMkyW10/w16BvZXBCurmo8Z

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 13184 created 4480	13184	WerFaultSecure.exe	77

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/4780-424-0x00007FF7FCF10000-0x00007FF7FD302000-memory.dmp	xmrig
behavioral2/memory/5104-461-0x00007FF7E5D10000-0x00007FF7E6102000-memory.dmp	xmrig
behavioral2/memory/2928-472-0x00007FF729810000-0x00007FF729C02000-memory.dmp	xmrig
behavioral2/memory/2596-484-0x00007FF761D00000-0x00007FF7620F2000-memory.dmp	xmrig
behavioral2/memory/4520-496-0x00007FF77F220000-0x00007FF77F612000-memory.dmp	xmrig
behavioral2/memory/440-525-0x00007FF6AB6E0000-0x00007FF6ABAD2000-memory.dmp	xmrig
behavioral2/memory/4620-522-0x00007FF6A2E30000-0x00007FF6A3222000-memory.dmp	xmrig
behavioral2/memory/2684-518-0x00007FF6D8530000-0x00007FF6D8922000-memory.dmp	xmrig
behavioral2/memory/556-511-0x00007FF650B30000-0x00007FF650F22000-memory.dmp	xmrig
behavioral2/memory/4488-493-0x00007FF6F7E00000-0x00007FF6F81F2000-memory.dmp	xmrig
behavioral2/memory/2764-489-0x00007FF6050E0000-0x00007FF6054D2000-memory.dmp	xmrig
behavioral2/memory/4724-530-0x00007FF7B5480000-0x00007FF7B5872000-memory.dmp	xmrig
behavioral2/memory/840-590-0x00007FF653890000-0x00007FF653C82000-memory.dmp	xmrig
behavioral2/memory/3528-622-0x00007FF7F07E0000-0x00007FF7F0BD2000-memory.dmp	xmrig
behavioral2/memory/3136-635-0x00007FF710890000-0x00007FF710C82000-memory.dmp	xmrig
behavioral2/memory/3208-640-0x00007FF725E90000-0x00007FF726282000-memory.dmp	xmrig
behavioral2/memory/712-674-0x00007FF6A6140000-0x00007FF6A6532000-memory.dmp	xmrig
behavioral2/memory/4932-671-0x00007FF72B1B0000-0x00007FF72B5A2000-memory.dmp	xmrig
behavioral2/memory/4232-668-0x00007FF799820000-0x00007FF799C12000-memory.dmp	xmrig
behavioral2/memory/3132-661-0x00007FF708C10000-0x00007FF709002000-memory.dmp	xmrig
behavioral2/memory/2380-631-0x00007FF756710000-0x00007FF756B02000-memory.dmp	xmrig
behavioral2/memory/4188-597-0x00007FF760E00000-0x00007FF7611F2000-memory.dmp	xmrig
behavioral2/memory/640-583-0x00007FF65B1E0000-0x00007FF65B5D2000-memory.dmp	xmrig
behavioral2/memory/4296-2857-0x00007FF6612B0000-0x00007FF6616A2000-memory.dmp	xmrig
behavioral2/memory/4232-2859-0x00007FF799820000-0x00007FF799C12000-memory.dmp	xmrig
behavioral2/memory/4932-2863-0x00007FF72B1B0000-0x00007FF72B5A2000-memory.dmp	xmrig
behavioral2/memory/4780-2862-0x00007FF7FCF10000-0x00007FF7FD302000-memory.dmp	xmrig
behavioral2/memory/5104-2865-0x00007FF7E5D10000-0x00007FF7E6102000-memory.dmp	xmrig
behavioral2/memory/712-2867-0x00007FF6A6140000-0x00007FF6A6532000-memory.dmp	xmrig
behavioral2/memory/2928-2869-0x00007FF729810000-0x00007FF729C02000-memory.dmp	xmrig
behavioral2/memory/556-2872-0x00007FF650B30000-0x00007FF650F22000-memory.dmp	xmrig
behavioral2/memory/440-2877-0x00007FF6AB6E0000-0x00007FF6ABAD2000-memory.dmp	xmrig
behavioral2/memory/4620-2885-0x00007FF6A2E30000-0x00007FF6A3222000-memory.dmp	xmrig
behavioral2/memory/4724-2887-0x00007FF7B5480000-0x00007FF7B5872000-memory.dmp	xmrig
behavioral2/memory/3528-2895-0x00007FF7F07E0000-0x00007FF7F0BD2000-memory.dmp	xmrig
behavioral2/memory/2380-2897-0x00007FF756710000-0x00007FF756B02000-memory.dmp	xmrig
behavioral2/memory/3136-2899-0x00007FF710890000-0x00007FF710C82000-memory.dmp	xmrig
behavioral2/memory/4188-2893-0x00007FF760E00000-0x00007FF7611F2000-memory.dmp	xmrig
behavioral2/memory/840-2892-0x00007FF653890000-0x00007FF653C82000-memory.dmp	xmrig
behavioral2/memory/640-2889-0x00007FF65B1E0000-0x00007FF65B5D2000-memory.dmp	xmrig
behavioral2/memory/3208-2913-0x00007FF725E90000-0x00007FF726282000-memory.dmp	xmrig
behavioral2/memory/3132-2909-0x00007FF708C10000-0x00007FF709002000-memory.dmp	xmrig
behavioral2/memory/4520-2883-0x00007FF77F220000-0x00007FF77F612000-memory.dmp	xmrig
behavioral2/memory/2596-2881-0x00007FF761D00000-0x00007FF7620F2000-memory.dmp	xmrig
behavioral2/memory/2764-2876-0x00007FF6050E0000-0x00007FF6054D2000-memory.dmp	xmrig
behavioral2/memory/4488-2874-0x00007FF6F7E00000-0x00007FF6F81F2000-memory.dmp	xmrig
behavioral2/memory/2684-2880-0x00007FF6D8530000-0x00007FF6D8922000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	4472	powershell.exe
9	4472	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4472	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4296	RqPNnAr.exe
4232	KNcQURY.exe
4780	inLHoqw.exe
4932	klCwYRf.exe
5104	kwyBWqC.exe
712	KZAhqXq.exe
2928	igCNBVY.exe
2596	CidFdUU.exe
2764	LpMrrPF.exe
4488	RBTkdNI.exe
4520	SbGHVDE.exe
556	aFHvQOS.exe
2684	ypopjfw.exe
4620	xdGgyNI.exe
440	zLsNras.exe
4724	zXsZZgJ.exe
640	VlhcLtk.exe
840	GtCJSmQ.exe
4188	WIAtMaZ.exe
3528	sAnAIgF.exe
2380	OHYTnXs.exe
3136	Lcnybwp.exe
3208	ISdzDOw.exe
3132	MNrERDt.exe
4476	VoUhHpz.exe
492	BqyryEl.exe
4336	UCYhIdT.exe
3940	YtnfGgl.exe
1432	VnePufD.exe
1216	HbgJzmm.exe
4008	ZpgWbIA.exe
1552	nVOtQZY.exe
3968	gUMDNVu.exe
3552	UDpunOb.exe
3448	jKlCxkR.exe
3344	jllssBk.exe
3000	UooVaOe.exe
4536	WBVjpNw.exe
2888	PVlIAXA.exe
496	wgOKfWN.exe
3424	vVpWOXm.exe
1068	lCCkoIp.exe
4688	OwHBQir.exe
2584	EHRpMbp.exe
656	mxlCObu.exe
4524	rPovkyG.exe
2180	jNAvOar.exe
4224	acPSegB.exe
1692	kjirbzM.exe
868	WjsEJFs.exe
4976	ORkGyHt.exe
1376	hJYLcCs.exe
2620	ebKfmef.exe
1252	nHMvwTA.exe
404	QgjobSn.exe
4924	BYJjHrf.exe
4812	xLaEpMZ.exe
4360	gafaKoL.exe
1600	iPBbksg.exe
4088	egjtVZY.exe
2956	qMIxaVu.exe
3620	naWmOcH.exe
1684	MTJqQMt.exe
4684	ebEfXCm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1628-0-0x00007FF6F5450000-0x00007FF6F5842000-memory.dmp	upx
behavioral2/files/0x0008000000023404-5.dat	upx
behavioral2/files/0x0007000000023406-16.dat	upx
behavioral2/files/0x0007000000023407-20.dat	upx
behavioral2/files/0x0007000000023405-13.dat	upx
behavioral2/memory/4296-14-0x00007FF6612B0000-0x00007FF6616A2000-memory.dmp	upx
behavioral2/files/0x0007000000023408-28.dat	upx
behavioral2/files/0x0007000000023409-38.dat	upx
behavioral2/files/0x000700000002340a-44.dat	upx
behavioral2/files/0x000700000002340e-66.dat	upx
behavioral2/files/0x0007000000023412-88.dat	upx
behavioral2/files/0x0007000000023413-97.dat	upx
behavioral2/files/0x0007000000023419-123.dat	upx
behavioral2/files/0x000700000002341d-141.dat	upx
behavioral2/files/0x000700000002341f-151.dat	upx
behavioral2/files/0x0007000000023422-165.dat	upx
behavioral2/files/0x0007000000023424-177.dat	upx
behavioral2/memory/4780-424-0x00007FF7FCF10000-0x00007FF7FD302000-memory.dmp	upx
behavioral2/memory/5104-461-0x00007FF7E5D10000-0x00007FF7E6102000-memory.dmp	upx
behavioral2/memory/2928-472-0x00007FF729810000-0x00007FF729C02000-memory.dmp	upx
behavioral2/memory/2596-484-0x00007FF761D00000-0x00007FF7620F2000-memory.dmp	upx
behavioral2/memory/4520-496-0x00007FF77F220000-0x00007FF77F612000-memory.dmp	upx
behavioral2/memory/440-525-0x00007FF6AB6E0000-0x00007FF6ABAD2000-memory.dmp	upx
behavioral2/memory/4620-522-0x00007FF6A2E30000-0x00007FF6A3222000-memory.dmp	upx
behavioral2/memory/2684-518-0x00007FF6D8530000-0x00007FF6D8922000-memory.dmp	upx
behavioral2/memory/556-511-0x00007FF650B30000-0x00007FF650F22000-memory.dmp	upx
behavioral2/memory/4488-493-0x00007FF6F7E00000-0x00007FF6F81F2000-memory.dmp	upx
behavioral2/memory/2764-489-0x00007FF6050E0000-0x00007FF6054D2000-memory.dmp	upx
behavioral2/files/0x0007000000023423-174.dat	upx
behavioral2/memory/4724-530-0x00007FF7B5480000-0x00007FF7B5872000-memory.dmp	upx
behavioral2/memory/840-590-0x00007FF653890000-0x00007FF653C82000-memory.dmp	upx
behavioral2/memory/3528-622-0x00007FF7F07E0000-0x00007FF7F0BD2000-memory.dmp	upx
behavioral2/memory/3136-635-0x00007FF710890000-0x00007FF710C82000-memory.dmp	upx
behavioral2/memory/3208-640-0x00007FF725E90000-0x00007FF726282000-memory.dmp	upx
behavioral2/memory/712-674-0x00007FF6A6140000-0x00007FF6A6532000-memory.dmp	upx
behavioral2/memory/4932-671-0x00007FF72B1B0000-0x00007FF72B5A2000-memory.dmp	upx
behavioral2/memory/4232-668-0x00007FF799820000-0x00007FF799C12000-memory.dmp	upx
behavioral2/memory/3132-661-0x00007FF708C10000-0x00007FF709002000-memory.dmp	upx
behavioral2/memory/2380-631-0x00007FF756710000-0x00007FF756B02000-memory.dmp	upx
behavioral2/memory/4188-597-0x00007FF760E00000-0x00007FF7611F2000-memory.dmp	upx
behavioral2/memory/640-583-0x00007FF65B1E0000-0x00007FF65B5D2000-memory.dmp	upx
behavioral2/files/0x0007000000023421-167.dat	upx
behavioral2/files/0x0007000000023420-163.dat	upx
behavioral2/files/0x000700000002341e-154.dat	upx
behavioral2/files/0x000700000002341c-144.dat	upx
behavioral2/files/0x000700000002341b-139.dat	upx
behavioral2/files/0x000700000002341a-132.dat	upx
behavioral2/files/0x0007000000023418-121.dat	upx
behavioral2/files/0x0007000000023417-117.dat	upx
behavioral2/files/0x0007000000023416-112.dat	upx
behavioral2/files/0x0007000000023415-107.dat	upx
behavioral2/files/0x0007000000023414-102.dat	upx
behavioral2/files/0x0007000000023411-86.dat	upx
behavioral2/files/0x0007000000023410-82.dat	upx
behavioral2/files/0x000700000002340f-77.dat	upx
behavioral2/files/0x000800000002340c-67.dat	upx
behavioral2/files/0x000800000002340b-61.dat	upx
behavioral2/files/0x000700000002340d-57.dat	upx
behavioral2/memory/4296-2857-0x00007FF6612B0000-0x00007FF6616A2000-memory.dmp	upx
behavioral2/memory/4232-2859-0x00007FF799820000-0x00007FF799C12000-memory.dmp	upx
behavioral2/memory/4932-2863-0x00007FF72B1B0000-0x00007FF72B5A2000-memory.dmp	upx
behavioral2/memory/4780-2862-0x00007FF7FCF10000-0x00007FF7FD302000-memory.dmp	upx
behavioral2/memory/5104-2865-0x00007FF7E5D10000-0x00007FF7E6102000-memory.dmp	upx
behavioral2/memory/712-2867-0x00007FF6A6140000-0x00007FF6A6532000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\SRtjMqN.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\VaHIQvv.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\vRDcTyX.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\UqTPgtQ.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\fJvWeIh.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\kAaUocp.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\hYdurzO.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\QKHYxxs.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\xACitGv.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\GtBbzvj.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\SzmQrkz.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\JSynBJh.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\uYoJARk.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\FLGFaTw.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\umpoeNx.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\yMMThlg.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\zVUVIWQ.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\jDyttAP.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\lTCSZnS.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\WszROfv.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\eAfiujQ.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\WhjJKPQ.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\QggkyWZ.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\QVwIGkV.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\JswYWeI.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\lWTlEGz.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\frYzWoG.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\Nydycmg.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\NdPGsdF.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\CLbntJp.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\GOQlgKW.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\cODjLcJ.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\shEXHUa.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\fHAjiQJ.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\PqELahw.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\PiNKEBp.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\hFkUrwr.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\fCRXBVe.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\NFasZBk.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\ftIgzYT.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\iFmYNvM.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\JzimDlc.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\DpbTbhG.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\nibbRbc.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\PXUObcb.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\iIRPXTK.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\eCavRbK.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\wxaWNgd.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\iuNNYZa.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\ocaERJp.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\IosilHC.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\XqGgyBP.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\ycNsLyW.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\WXbwKEK.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\kNNUfvA.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\wRgDnED.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\wvwWczc.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\QDQzqvu.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\vqhXmka.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\DlaBYMV.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\ZaHygbZ.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\vZHtaPj.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\hNvINQC.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
File created	C:\Windows\System\hhasdQa.exe	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4472	powershell.exe
4472	powershell.exe
12816	WerFaultSecure.exe
12816	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
Token: SeDebugPrivilege	4472	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 4472	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	84
PID 1628 wrote to memory of 4472	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	84
PID 1628 wrote to memory of 4296	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	85
PID 1628 wrote to memory of 4296	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	85
PID 1628 wrote to memory of 4232	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	86
PID 1628 wrote to memory of 4232	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	86
PID 1628 wrote to memory of 4780	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	87
PID 1628 wrote to memory of 4780	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	87
PID 1628 wrote to memory of 4932	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	88
PID 1628 wrote to memory of 4932	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	88
PID 1628 wrote to memory of 5104	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	89
PID 1628 wrote to memory of 5104	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	89
PID 1628 wrote to memory of 712	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	90
PID 1628 wrote to memory of 712	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	90
PID 1628 wrote to memory of 2928	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	91
PID 1628 wrote to memory of 2928	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	91
PID 1628 wrote to memory of 2596	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	92
PID 1628 wrote to memory of 2596	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	92
PID 1628 wrote to memory of 2764	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	93
PID 1628 wrote to memory of 2764	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	93
PID 1628 wrote to memory of 4488	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	94
PID 1628 wrote to memory of 4488	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	94
PID 1628 wrote to memory of 4520	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	95
PID 1628 wrote to memory of 4520	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	95
PID 1628 wrote to memory of 556	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	96
PID 1628 wrote to memory of 556	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	96
PID 1628 wrote to memory of 2684	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	97
PID 1628 wrote to memory of 2684	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	97
PID 1628 wrote to memory of 4620	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	98
PID 1628 wrote to memory of 4620	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	98
PID 1628 wrote to memory of 440	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	99
PID 1628 wrote to memory of 440	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	99
PID 1628 wrote to memory of 4724	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	100
PID 1628 wrote to memory of 4724	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	100
PID 1628 wrote to memory of 640	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	101
PID 1628 wrote to memory of 640	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	101
PID 1628 wrote to memory of 840	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	102
PID 1628 wrote to memory of 840	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	102
PID 1628 wrote to memory of 4188	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	103
PID 1628 wrote to memory of 4188	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	103
PID 1628 wrote to memory of 3528	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	104
PID 1628 wrote to memory of 3528	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	104
PID 1628 wrote to memory of 2380	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	105
PID 1628 wrote to memory of 2380	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	105
PID 1628 wrote to memory of 3136	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	106
PID 1628 wrote to memory of 3136	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	106
PID 1628 wrote to memory of 3208	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	107
PID 1628 wrote to memory of 3208	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	107
PID 1628 wrote to memory of 3132	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	108
PID 1628 wrote to memory of 3132	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	108
PID 1628 wrote to memory of 4476	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	109
PID 1628 wrote to memory of 4476	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	109
PID 1628 wrote to memory of 492	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	110
PID 1628 wrote to memory of 492	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	110
PID 1628 wrote to memory of 4336	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	111
PID 1628 wrote to memory of 4336	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	111
PID 1628 wrote to memory of 3940	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	112
PID 1628 wrote to memory of 3940	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	112
PID 1628 wrote to memory of 1432	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	113
PID 1628 wrote to memory of 1432	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	113
PID 1628 wrote to memory of 1216	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	114
PID 1628 wrote to memory of 1216	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	114
PID 1628 wrote to memory of 4008	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	115
PID 1628 wrote to memory of 4008	1628	a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe	115

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv 0jrLFhXeP0m+1wgOZgxGKA.0
1⤵
PID:4480
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 4480 -s 592
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:12816

C:\Users\Admin\AppData\Local\Temp\a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a39020901e9d4ae00273300f66285e90_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4472
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4472" "2968" "2900" "2972" "0" "0" "2976" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13048
- C:\Windows\System\RqPNnAr.exe
  C:\Windows\System\RqPNnAr.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\KNcQURY.exe
  C:\Windows\System\KNcQURY.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\inLHoqw.exe
  C:\Windows\System\inLHoqw.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\klCwYRf.exe
  C:\Windows\System\klCwYRf.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\kwyBWqC.exe
  C:\Windows\System\kwyBWqC.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\KZAhqXq.exe
  C:\Windows\System\KZAhqXq.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\igCNBVY.exe
  C:\Windows\System\igCNBVY.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\CidFdUU.exe
  C:\Windows\System\CidFdUU.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\LpMrrPF.exe
  C:\Windows\System\LpMrrPF.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\RBTkdNI.exe
  C:\Windows\System\RBTkdNI.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\SbGHVDE.exe
  C:\Windows\System\SbGHVDE.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\aFHvQOS.exe
  C:\Windows\System\aFHvQOS.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\ypopjfw.exe
  C:\Windows\System\ypopjfw.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\xdGgyNI.exe
  C:\Windows\System\xdGgyNI.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\zLsNras.exe
  C:\Windows\System\zLsNras.exe
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Windows\System\zXsZZgJ.exe
  C:\Windows\System\zXsZZgJ.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Windows\System\VlhcLtk.exe
  C:\Windows\System\VlhcLtk.exe
  2⤵
  - Executes dropped EXE
  PID:640
- C:\Windows\System\GtCJSmQ.exe
  C:\Windows\System\GtCJSmQ.exe
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\System\WIAtMaZ.exe
  C:\Windows\System\WIAtMaZ.exe
  2⤵
  - Executes dropped EXE
  PID:4188
- C:\Windows\System\sAnAIgF.exe
  C:\Windows\System\sAnAIgF.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\OHYTnXs.exe
  C:\Windows\System\OHYTnXs.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\Lcnybwp.exe
  C:\Windows\System\Lcnybwp.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\ISdzDOw.exe
  C:\Windows\System\ISdzDOw.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\MNrERDt.exe
  C:\Windows\System\MNrERDt.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\VoUhHpz.exe
  C:\Windows\System\VoUhHpz.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\BqyryEl.exe
  C:\Windows\System\BqyryEl.exe
  2⤵
  - Executes dropped EXE
  PID:492
- C:\Windows\System\UCYhIdT.exe
  C:\Windows\System\UCYhIdT.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\YtnfGgl.exe
  C:\Windows\System\YtnfGgl.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\VnePufD.exe
  C:\Windows\System\VnePufD.exe
  2⤵
  - Executes dropped EXE
  PID:1432
- C:\Windows\System\HbgJzmm.exe
  C:\Windows\System\HbgJzmm.exe
  2⤵
  - Executes dropped EXE
  PID:1216
- C:\Windows\System\ZpgWbIA.exe
  C:\Windows\System\ZpgWbIA.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\nVOtQZY.exe
  C:\Windows\System\nVOtQZY.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\gUMDNVu.exe
  C:\Windows\System\gUMDNVu.exe
  2⤵
  - Executes dropped EXE
  PID:3968
- C:\Windows\System\UDpunOb.exe
  C:\Windows\System\UDpunOb.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\jKlCxkR.exe
  C:\Windows\System\jKlCxkR.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\jllssBk.exe
  C:\Windows\System\jllssBk.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\UooVaOe.exe
  C:\Windows\System\UooVaOe.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\WBVjpNw.exe
  C:\Windows\System\WBVjpNw.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\PVlIAXA.exe
  C:\Windows\System\PVlIAXA.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\wgOKfWN.exe
  C:\Windows\System\wgOKfWN.exe
  2⤵
  - Executes dropped EXE
  PID:496
- C:\Windows\System\vVpWOXm.exe
  C:\Windows\System\vVpWOXm.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\lCCkoIp.exe
  C:\Windows\System\lCCkoIp.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\OwHBQir.exe
  C:\Windows\System\OwHBQir.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\EHRpMbp.exe
  C:\Windows\System\EHRpMbp.exe
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\Windows\System\mxlCObu.exe
  C:\Windows\System\mxlCObu.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System\rPovkyG.exe
  C:\Windows\System\rPovkyG.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\jNAvOar.exe
  C:\Windows\System\jNAvOar.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\acPSegB.exe
  C:\Windows\System\acPSegB.exe
  2⤵
  - Executes dropped EXE
  PID:4224
- C:\Windows\System\kjirbzM.exe
  C:\Windows\System\kjirbzM.exe
  2⤵
  - Executes dropped EXE
  PID:1692
- C:\Windows\System\WjsEJFs.exe
  C:\Windows\System\WjsEJFs.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\ORkGyHt.exe
  C:\Windows\System\ORkGyHt.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\hJYLcCs.exe
  C:\Windows\System\hJYLcCs.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\ebKfmef.exe
  C:\Windows\System\ebKfmef.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\nHMvwTA.exe
  C:\Windows\System\nHMvwTA.exe
  2⤵
  - Executes dropped EXE
  PID:1252
- C:\Windows\System\QgjobSn.exe
  C:\Windows\System\QgjobSn.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\BYJjHrf.exe
  C:\Windows\System\BYJjHrf.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\xLaEpMZ.exe
  C:\Windows\System\xLaEpMZ.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\gafaKoL.exe
  C:\Windows\System\gafaKoL.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\iPBbksg.exe
  C:\Windows\System\iPBbksg.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\egjtVZY.exe
  C:\Windows\System\egjtVZY.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\qMIxaVu.exe
  C:\Windows\System\qMIxaVu.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\naWmOcH.exe
  C:\Windows\System\naWmOcH.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\MTJqQMt.exe
  C:\Windows\System\MTJqQMt.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\ebEfXCm.exe
  C:\Windows\System\ebEfXCm.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\YunqkQw.exe
  C:\Windows\System\YunqkQw.exe
  2⤵
  PID:4504
- C:\Windows\System\YjBrrQO.exe
  C:\Windows\System\YjBrrQO.exe
  2⤵
  PID:4316
- C:\Windows\System\dwHsITm.exe
  C:\Windows\System\dwHsITm.exe
  2⤵
  PID:2232
- C:\Windows\System\DmmczbY.exe
  C:\Windows\System\DmmczbY.exe
  2⤵
  PID:4216
- C:\Windows\System\MJtnwXY.exe
  C:\Windows\System\MJtnwXY.exe
  2⤵
  PID:1832
- C:\Windows\System\TdpDKSG.exe
  C:\Windows\System\TdpDKSG.exe
  2⤵
  PID:3896
- C:\Windows\System\ouAYAwF.exe
  C:\Windows\System\ouAYAwF.exe
  2⤵
  PID:2256
- C:\Windows\System\HLkIQfr.exe
  C:\Windows\System\HLkIQfr.exe
  2⤵
  PID:2108
- C:\Windows\System\kzxSIbT.exe
  C:\Windows\System\kzxSIbT.exe
  2⤵
  PID:2220
- C:\Windows\System\Pqqtmdu.exe
  C:\Windows\System\Pqqtmdu.exe
  2⤵
  PID:4160
- C:\Windows\System\unByplx.exe
  C:\Windows\System\unByplx.exe
  2⤵
  PID:4464
- C:\Windows\System\Jktelzx.exe
  C:\Windows\System\Jktelzx.exe
  2⤵
  PID:1028
- C:\Windows\System\zgBPEAT.exe
  C:\Windows\System\zgBPEAT.exe
  2⤵
  PID:4640
- C:\Windows\System\PeuXJnr.exe
  C:\Windows\System\PeuXJnr.exe
  2⤵
  PID:4808
- C:\Windows\System\tOUMoHs.exe
  C:\Windows\System\tOUMoHs.exe
  2⤵
  PID:5124
- C:\Windows\System\vVCsKGw.exe
  C:\Windows\System\vVCsKGw.exe
  2⤵
  PID:5152
- C:\Windows\System\aikSbqh.exe
  C:\Windows\System\aikSbqh.exe
  2⤵
  PID:5180
- C:\Windows\System\DCfgswa.exe
  C:\Windows\System\DCfgswa.exe
  2⤵
  PID:5208
- C:\Windows\System\BbqkwQy.exe
  C:\Windows\System\BbqkwQy.exe
  2⤵
  PID:5236
- C:\Windows\System\YQQsXIg.exe
  C:\Windows\System\YQQsXIg.exe
  2⤵
  PID:5264
- C:\Windows\System\MznrcOt.exe
  C:\Windows\System\MznrcOt.exe
  2⤵
  PID:5292
- C:\Windows\System\eePeBrE.exe
  C:\Windows\System\eePeBrE.exe
  2⤵
  PID:5316
- C:\Windows\System\djgsmCS.exe
  C:\Windows\System\djgsmCS.exe
  2⤵
  PID:5344
- C:\Windows\System\YeCArFA.exe
  C:\Windows\System\YeCArFA.exe
  2⤵
  PID:5372
- C:\Windows\System\tFZvUyx.exe
  C:\Windows\System\tFZvUyx.exe
  2⤵
  PID:5404
- C:\Windows\System\LEJwrbQ.exe
  C:\Windows\System\LEJwrbQ.exe
  2⤵
  PID:5428
- C:\Windows\System\YXDVEaG.exe
  C:\Windows\System\YXDVEaG.exe
  2⤵
  PID:5456
- C:\Windows\System\mKtIuiw.exe
  C:\Windows\System\mKtIuiw.exe
  2⤵
  PID:5488
- C:\Windows\System\sfHdHTz.exe
  C:\Windows\System\sfHdHTz.exe
  2⤵
  PID:5516
- C:\Windows\System\UUkPypK.exe
  C:\Windows\System\UUkPypK.exe
  2⤵
  PID:5544
- C:\Windows\System\tWkbXcY.exe
  C:\Windows\System\tWkbXcY.exe
  2⤵
  PID:5568
- C:\Windows\System\BCnHywH.exe
  C:\Windows\System\BCnHywH.exe
  2⤵
  PID:5600
- C:\Windows\System\tQYhVjF.exe
  C:\Windows\System\tQYhVjF.exe
  2⤵
  PID:5628
- C:\Windows\System\VGZzekj.exe
  C:\Windows\System\VGZzekj.exe
  2⤵
  PID:5656
- C:\Windows\System\dBLdtwS.exe
  C:\Windows\System\dBLdtwS.exe
  2⤵
  PID:5684
- C:\Windows\System\BnVKTsO.exe
  C:\Windows\System\BnVKTsO.exe
  2⤵
  PID:5712
- C:\Windows\System\JVoTnZc.exe
  C:\Windows\System\JVoTnZc.exe
  2⤵
  PID:5740
- C:\Windows\System\puPzgTl.exe
  C:\Windows\System\puPzgTl.exe
  2⤵
  PID:5768
- C:\Windows\System\VPZOUmN.exe
  C:\Windows\System\VPZOUmN.exe
  2⤵
  PID:5796
- C:\Windows\System\wTeEWQO.exe
  C:\Windows\System\wTeEWQO.exe
  2⤵
  PID:5824
- C:\Windows\System\IOwVlHk.exe
  C:\Windows\System\IOwVlHk.exe
  2⤵
  PID:5852
- C:\Windows\System\lrlVYAQ.exe
  C:\Windows\System\lrlVYAQ.exe
  2⤵
  PID:5880
- C:\Windows\System\vMYkugp.exe
  C:\Windows\System\vMYkugp.exe
  2⤵
  PID:5908
- C:\Windows\System\XJirWwj.exe
  C:\Windows\System\XJirWwj.exe
  2⤵
  PID:5936
- C:\Windows\System\SWknczE.exe
  C:\Windows\System\SWknczE.exe
  2⤵
  PID:5964
- C:\Windows\System\NwjqBMN.exe
  C:\Windows\System\NwjqBMN.exe
  2⤵
  PID:5992
- C:\Windows\System\zatwXJu.exe
  C:\Windows\System\zatwXJu.exe
  2⤵
  PID:6020
- C:\Windows\System\bXaOxLx.exe
  C:\Windows\System\bXaOxLx.exe
  2⤵
  PID:6048
- C:\Windows\System\HRuvOJf.exe
  C:\Windows\System\HRuvOJf.exe
  2⤵
  PID:6076
- C:\Windows\System\SaMZrlt.exe
  C:\Windows\System\SaMZrlt.exe
  2⤵
  PID:6104
- C:\Windows\System\kqgInYo.exe
  C:\Windows\System\kqgInYo.exe
  2⤵
  PID:6128
- C:\Windows\System\TKVJfvw.exe
  C:\Windows\System\TKVJfvw.exe
  2⤵
  PID:3248
- C:\Windows\System\MfkgdiZ.exe
  C:\Windows\System\MfkgdiZ.exe
  2⤵
  PID:5140
- C:\Windows\System\sedQqQR.exe
  C:\Windows\System\sedQqQR.exe
  2⤵
  PID:5172
- C:\Windows\System\FYwhbmx.exe
  C:\Windows\System\FYwhbmx.exe
  2⤵
  PID:5248
- C:\Windows\System\kndxVYR.exe
  C:\Windows\System\kndxVYR.exe
  2⤵
  PID:5308
- C:\Windows\System\lGZpXqA.exe
  C:\Windows\System\lGZpXqA.exe
  2⤵
  PID:5360
- C:\Windows\System\bMWkuQc.exe
  C:\Windows\System\bMWkuQc.exe
  2⤵
  PID:5392
- C:\Windows\System\DggrOnr.exe
  C:\Windows\System\DggrOnr.exe
  2⤵
  PID:5444
- C:\Windows\System\gJfCzTU.exe
  C:\Windows\System\gJfCzTU.exe
  2⤵
  PID:5500
- C:\Windows\System\pOqeDIR.exe
  C:\Windows\System\pOqeDIR.exe
  2⤵
  PID:5532
- C:\Windows\System\NVRISXj.exe
  C:\Windows\System\NVRISXj.exe
  2⤵
  PID:5556
- C:\Windows\System\upatzHz.exe
  C:\Windows\System\upatzHz.exe
  2⤵
  PID:5584
- C:\Windows\System\dANWEDa.exe
  C:\Windows\System\dANWEDa.exe
  2⤵
  PID:5616
- C:\Windows\System\bfktURJ.exe
  C:\Windows\System\bfktURJ.exe
  2⤵
  PID:5668
- C:\Windows\System\IsTKbhx.exe
  C:\Windows\System\IsTKbhx.exe
  2⤵
  PID:5696
- C:\Windows\System\iteakLm.exe
  C:\Windows\System\iteakLm.exe
  2⤵
  PID:5732
- C:\Windows\System\cFngpFA.exe
  C:\Windows\System\cFngpFA.exe
  2⤵
  PID:5788
- C:\Windows\System\SqZRPPj.exe
  C:\Windows\System\SqZRPPj.exe
  2⤵
  PID:5816
- C:\Windows\System\VQfDoqM.exe
  C:\Windows\System\VQfDoqM.exe
  2⤵
  PID:5868
- C:\Windows\System\CTwJSbT.exe
  C:\Windows\System\CTwJSbT.exe
  2⤵
  PID:924
- C:\Windows\System\uEaRnpT.exe
  C:\Windows\System\uEaRnpT.exe
  2⤵
  PID:6096
- C:\Windows\System\WzbRgvs.exe
  C:\Windows\System\WzbRgvs.exe
  2⤵
  PID:4856
- C:\Windows\System\gcAWcbi.exe
  C:\Windows\System\gcAWcbi.exe
  2⤵
  PID:3484
- C:\Windows\System\pbOVBlj.exe
  C:\Windows\System\pbOVBlj.exe
  2⤵
  PID:2460
- C:\Windows\System\tRwIBsX.exe
  C:\Windows\System\tRwIBsX.exe
  2⤵
  PID:5196
- C:\Windows\System\GDmWenJ.exe
  C:\Windows\System\GDmWenJ.exe
  2⤵
  PID:5052
- C:\Windows\System\VqHyDFu.exe
  C:\Windows\System\VqHyDFu.exe
  2⤵
  PID:3980
- C:\Windows\System\zAGOwog.exe
  C:\Windows\System\zAGOwog.exe
  2⤵
  PID:5168
- C:\Windows\System\ucpMnyJ.exe
  C:\Windows\System\ucpMnyJ.exe
  2⤵
  PID:5304
- C:\Windows\System\gpBfZay.exe
  C:\Windows\System\gpBfZay.exe
  2⤵
  PID:5480
- C:\Windows\System\GIhHfnB.exe
  C:\Windows\System\GIhHfnB.exe
  2⤵
  PID:5672
- C:\Windows\System\fiHYKQg.exe
  C:\Windows\System\fiHYKQg.exe
  2⤵
  PID:6008
- C:\Windows\System\NmHoaIe.exe
  C:\Windows\System\NmHoaIe.exe
  2⤵
  PID:1080
- C:\Windows\System\wPBJVQZ.exe
  C:\Windows\System\wPBJVQZ.exe
  2⤵
  PID:6088
- C:\Windows\System\aCoojnD.exe
  C:\Windows\System\aCoojnD.exe
  2⤵
  PID:4972
- C:\Windows\System\TjMsTWw.exe
  C:\Windows\System\TjMsTWw.exe
  2⤵
  PID:5612
- C:\Windows\System\KzcNpFl.exe
  C:\Windows\System\KzcNpFl.exe
  2⤵
  PID:4272
- C:\Windows\System\RPLbfzA.exe
  C:\Windows\System\RPLbfzA.exe
  2⤵
  PID:4996
- C:\Windows\System\TCMeVNW.exe
  C:\Windows\System\TCMeVNW.exe
  2⤵
  PID:5844
- C:\Windows\System\WZxawGp.exe
  C:\Windows\System\WZxawGp.exe
  2⤵
  PID:5728
- C:\Windows\System\ZFxJeQv.exe
  C:\Windows\System\ZFxJeQv.exe
  2⤵
  PID:6156
- C:\Windows\System\BmTYoQw.exe
  C:\Windows\System\BmTYoQw.exe
  2⤵
  PID:6180
- C:\Windows\System\SmPhjsO.exe
  C:\Windows\System\SmPhjsO.exe
  2⤵
  PID:6200
- C:\Windows\System\JlWTxBw.exe
  C:\Windows\System\JlWTxBw.exe
  2⤵
  PID:6228
- C:\Windows\System\CUVPCmn.exe
  C:\Windows\System\CUVPCmn.exe
  2⤵
  PID:6248
- C:\Windows\System\TjfacCM.exe
  C:\Windows\System\TjfacCM.exe
  2⤵
  PID:6340
- C:\Windows\System\ZNchqoF.exe
  C:\Windows\System\ZNchqoF.exe
  2⤵
  PID:6360
- C:\Windows\System\pIUKeTl.exe
  C:\Windows\System\pIUKeTl.exe
  2⤵
  PID:6380
- C:\Windows\System\nHDngsQ.exe
  C:\Windows\System\nHDngsQ.exe
  2⤵
  PID:6396
- C:\Windows\System\ZCbCUut.exe
  C:\Windows\System\ZCbCUut.exe
  2⤵
  PID:6416
- C:\Windows\System\RCaFmEm.exe
  C:\Windows\System\RCaFmEm.exe
  2⤵
  PID:6432
- C:\Windows\System\gTUsgZC.exe
  C:\Windows\System\gTUsgZC.exe
  2⤵
  PID:6452
- C:\Windows\System\XieLdVp.exe
  C:\Windows\System\XieLdVp.exe
  2⤵
  PID:6532
- C:\Windows\System\iltSfnZ.exe
  C:\Windows\System\iltSfnZ.exe
  2⤵
  PID:6584
- C:\Windows\System\XYzbsbR.exe
  C:\Windows\System\XYzbsbR.exe
  2⤵
  PID:6648
- C:\Windows\System\vMicFWI.exe
  C:\Windows\System\vMicFWI.exe
  2⤵
  PID:6688
- C:\Windows\System\rpUpfBV.exe
  C:\Windows\System\rpUpfBV.exe
  2⤵
  PID:6704
- C:\Windows\System\cQOUyBI.exe
  C:\Windows\System\cQOUyBI.exe
  2⤵
  PID:6728
- C:\Windows\System\kPfAcar.exe
  C:\Windows\System\kPfAcar.exe
  2⤵
  PID:6808
- C:\Windows\System\noUYyYL.exe
  C:\Windows\System\noUYyYL.exe
  2⤵
  PID:6852
- C:\Windows\System\ElgjUkS.exe
  C:\Windows\System\ElgjUkS.exe
  2⤵
  PID:6896
- C:\Windows\System\rRIaMkC.exe
  C:\Windows\System\rRIaMkC.exe
  2⤵
  PID:6928
- C:\Windows\System\FqrDWUP.exe
  C:\Windows\System\FqrDWUP.exe
  2⤵
  PID:6956
- C:\Windows\System\qXvrBHK.exe
  C:\Windows\System\qXvrBHK.exe
  2⤵
  PID:6976
- C:\Windows\System\CtRyBBs.exe
  C:\Windows\System\CtRyBBs.exe
  2⤵
  PID:7004
- C:\Windows\System\unOaQAR.exe
  C:\Windows\System\unOaQAR.exe
  2⤵
  PID:7044
- C:\Windows\System\rvcorCm.exe
  C:\Windows\System\rvcorCm.exe
  2⤵
  PID:7100
- C:\Windows\System\jDHdSCD.exe
  C:\Windows\System\jDHdSCD.exe
  2⤵
  PID:7144
- C:\Windows\System\JGpRfjU.exe
  C:\Windows\System\JGpRfjU.exe
  2⤵
  PID:7160
- C:\Windows\System\OkHqcTi.exe
  C:\Windows\System\OkHqcTi.exe
  2⤵
  PID:4612
- C:\Windows\System\JutDKqi.exe
  C:\Windows\System\JutDKqi.exe
  2⤵
  PID:2204
- C:\Windows\System\vJCYtvs.exe
  C:\Windows\System\vJCYtvs.exe
  2⤵
  PID:6168
- C:\Windows\System\oHKmrJf.exe
  C:\Windows\System\oHKmrJf.exe
  2⤵
  PID:5508
- C:\Windows\System\mzJEUtB.exe
  C:\Windows\System\mzJEUtB.exe
  2⤵
  PID:2536
- C:\Windows\System\rfilhHm.exe
  C:\Windows\System\rfilhHm.exe
  2⤵
  PID:6424
- C:\Windows\System\dxkCZOJ.exe
  C:\Windows\System\dxkCZOJ.exe
  2⤵
  PID:6324
- C:\Windows\System\jVyWheK.exe
  C:\Windows\System\jVyWheK.exe
  2⤵
  PID:6404
- C:\Windows\System\wzwQfOa.exe
  C:\Windows\System\wzwQfOa.exe
  2⤵
  PID:6608
- C:\Windows\System\QuMKnMx.exe
  C:\Windows\System\QuMKnMx.exe
  2⤵
  PID:6744
- C:\Windows\System\COJppgD.exe
  C:\Windows\System\COJppgD.exe
  2⤵
  PID:6680
- C:\Windows\System\oWKHtfH.exe
  C:\Windows\System\oWKHtfH.exe
  2⤵
  PID:6780
- C:\Windows\System\UfIlulB.exe
  C:\Windows\System\UfIlulB.exe
  2⤵
  PID:6864
- C:\Windows\System\LEjYCiX.exe
  C:\Windows\System\LEjYCiX.exe
  2⤵
  PID:6924
- C:\Windows\System\ZnpGquQ.exe
  C:\Windows\System\ZnpGquQ.exe
  2⤵
  PID:6888
- C:\Windows\System\cdcXnhh.exe
  C:\Windows\System\cdcXnhh.exe
  2⤵
  PID:6968
- C:\Windows\System\AZLybkV.exe
  C:\Windows\System\AZLybkV.exe
  2⤵
  PID:7032
- C:\Windows\System\kNNUfvA.exe
  C:\Windows\System\kNNUfvA.exe
  2⤵
  PID:1188
- C:\Windows\System\SIkCCTn.exe
  C:\Windows\System\SIkCCTn.exe
  2⤵
  PID:1420
- C:\Windows\System\NIpdndd.exe
  C:\Windows\System\NIpdndd.exe
  2⤵
  PID:7128
- C:\Windows\System\wDemQhz.exe
  C:\Windows\System\wDemQhz.exe
  2⤵
  PID:5476
- C:\Windows\System\kpDYXQE.exe
  C:\Windows\System\kpDYXQE.exe
  2⤵
  PID:6544
- C:\Windows\System\iTSsbFA.exe
  C:\Windows\System\iTSsbFA.exe
  2⤵
  PID:6564
- C:\Windows\System\ImnBkNL.exe
  C:\Windows\System\ImnBkNL.exe
  2⤵
  PID:6592
- C:\Windows\System\CPosDXa.exe
  C:\Windows\System\CPosDXa.exe
  2⤵
  PID:6756
- C:\Windows\System\chmUCoa.exe
  C:\Windows\System\chmUCoa.exe
  2⤵
  PID:6876
- C:\Windows\System\UdoKoCk.exe
  C:\Windows\System\UdoKoCk.exe
  2⤵
  PID:7016
- C:\Windows\System\efLjLED.exe
  C:\Windows\System\efLjLED.exe
  2⤵
  PID:6220
- C:\Windows\System\HoDMPzd.exe
  C:\Windows\System\HoDMPzd.exe
  2⤵
  PID:6368
- C:\Windows\System\yormrSV.exe
  C:\Windows\System\yormrSV.exe
  2⤵
  PID:3912
- C:\Windows\System\dMywXea.exe
  C:\Windows\System\dMywXea.exe
  2⤵
  PID:6596
- C:\Windows\System\jEKAYvX.exe
  C:\Windows\System\jEKAYvX.exe
  2⤵
  PID:1788
- C:\Windows\System\eYoYqhW.exe
  C:\Windows\System\eYoYqhW.exe
  2⤵
  PID:6848
- C:\Windows\System\mYjyMwI.exe
  C:\Windows\System\mYjyMwI.exe
  2⤵
  PID:7068
- C:\Windows\System\XOzvBEH.exe
  C:\Windows\System\XOzvBEH.exe
  2⤵
  PID:6216
- C:\Windows\System\MGuxTCi.exe
  C:\Windows\System\MGuxTCi.exe
  2⤵
  PID:7180
- C:\Windows\System\aNHQZMv.exe
  C:\Windows\System\aNHQZMv.exe
  2⤵
  PID:7204
- C:\Windows\System\MTuBLMJ.exe
  C:\Windows\System\MTuBLMJ.exe
  2⤵
  PID:7224
- C:\Windows\System\iGtSryc.exe
  C:\Windows\System\iGtSryc.exe
  2⤵
  PID:7256
- C:\Windows\System\RNSHuOd.exe
  C:\Windows\System\RNSHuOd.exe
  2⤵
  PID:7276
- C:\Windows\System\ZULGiBO.exe
  C:\Windows\System\ZULGiBO.exe
  2⤵
  PID:7300
- C:\Windows\System\IxfMuuF.exe
  C:\Windows\System\IxfMuuF.exe
  2⤵
  PID:7324
- C:\Windows\System\sbhEfXx.exe
  C:\Windows\System\sbhEfXx.exe
  2⤵
  PID:7348
- C:\Windows\System\nBnQQsS.exe
  C:\Windows\System\nBnQQsS.exe
  2⤵
  PID:7372
- C:\Windows\System\zbiqOhH.exe
  C:\Windows\System\zbiqOhH.exe
  2⤵
  PID:7400
- C:\Windows\System\KriDbma.exe
  C:\Windows\System\KriDbma.exe
  2⤵
  PID:7424
- C:\Windows\System\bdEUFxT.exe
  C:\Windows\System\bdEUFxT.exe
  2⤵
  PID:7448
- C:\Windows\System\hhasdQa.exe
  C:\Windows\System\hhasdQa.exe
  2⤵
  PID:7472
- C:\Windows\System\UewbvEC.exe
  C:\Windows\System\UewbvEC.exe
  2⤵
  PID:7496
- C:\Windows\System\zZEmJAH.exe
  C:\Windows\System\zZEmJAH.exe
  2⤵
  PID:7520
- C:\Windows\System\mdrZEdJ.exe
  C:\Windows\System\mdrZEdJ.exe
  2⤵
  PID:7544
- C:\Windows\System\jHfVffb.exe
  C:\Windows\System\jHfVffb.exe
  2⤵
  PID:7576
- C:\Windows\System\xpQTkKK.exe
  C:\Windows\System\xpQTkKK.exe
  2⤵
  PID:7604
- C:\Windows\System\bIlhpJV.exe
  C:\Windows\System\bIlhpJV.exe
  2⤵
  PID:7628
- C:\Windows\System\kFZvkbV.exe
  C:\Windows\System\kFZvkbV.exe
  2⤵
  PID:7648
- C:\Windows\System\LMesEQl.exe
  C:\Windows\System\LMesEQl.exe
  2⤵
  PID:7668
- C:\Windows\System\wLIMtnI.exe
  C:\Windows\System\wLIMtnI.exe
  2⤵
  PID:7684
- C:\Windows\System\GxdKeoH.exe
  C:\Windows\System\GxdKeoH.exe
  2⤵
  PID:7756
- C:\Windows\System\JsSbLQk.exe
  C:\Windows\System\JsSbLQk.exe
  2⤵
  PID:7776
- C:\Windows\System\tXeeNzz.exe
  C:\Windows\System\tXeeNzz.exe
  2⤵
  PID:7800
- C:\Windows\System\OgwGkES.exe
  C:\Windows\System\OgwGkES.exe
  2⤵
  PID:7864
- C:\Windows\System\lacLGUu.exe
  C:\Windows\System\lacLGUu.exe
  2⤵
  PID:7896
- C:\Windows\System\SDcEbrB.exe
  C:\Windows\System\SDcEbrB.exe
  2⤵
  PID:7920
- C:\Windows\System\aBlSPNh.exe
  C:\Windows\System\aBlSPNh.exe
  2⤵
  PID:7936
- C:\Windows\System\XgaBEhI.exe
  C:\Windows\System\XgaBEhI.exe
  2⤵
  PID:7964
- C:\Windows\System\Rlzffri.exe
  C:\Windows\System\Rlzffri.exe
  2⤵
  PID:7992
- C:\Windows\System\JHkHMqK.exe
  C:\Windows\System\JHkHMqK.exe
  2⤵
  PID:8056
- C:\Windows\System\XMWGivF.exe
  C:\Windows\System\XMWGivF.exe
  2⤵
  PID:8080
- C:\Windows\System\hxKHKDL.exe
  C:\Windows\System\hxKHKDL.exe
  2⤵
  PID:8136
- C:\Windows\System\BWoFKWp.exe
  C:\Windows\System\BWoFKWp.exe
  2⤵
  PID:8176
- C:\Windows\System\BHgzeZe.exe
  C:\Windows\System\BHgzeZe.exe
  2⤵
  PID:6676
- C:\Windows\System\ALvTPXx.exe
  C:\Windows\System\ALvTPXx.exe
  2⤵
  PID:6996
- C:\Windows\System\YRdaAji.exe
  C:\Windows\System\YRdaAji.exe
  2⤵
  PID:7192
- C:\Windows\System\SnMksZH.exe
  C:\Windows\System\SnMksZH.exe
  2⤵
  PID:7248
- C:\Windows\System\EHgarob.exe
  C:\Windows\System\EHgarob.exe
  2⤵
  PID:7312
- C:\Windows\System\qdqpkhT.exe
  C:\Windows\System\qdqpkhT.exe
  2⤵
  PID:5560
- C:\Windows\System\HRSmTtL.exe
  C:\Windows\System\HRSmTtL.exe
  2⤵
  PID:4624
- C:\Windows\System\arsvxSx.exe
  C:\Windows\System\arsvxSx.exe
  2⤵
  PID:1592
- C:\Windows\System\JUgOFpQ.exe
  C:\Windows\System\JUgOFpQ.exe
  2⤵
  PID:7708
- C:\Windows\System\lihekHE.exe
  C:\Windows\System\lihekHE.exe
  2⤵
  PID:7588
- C:\Windows\System\jhUKQQi.exe
  C:\Windows\System\jhUKQQi.exe
  2⤵
  PID:7624
- C:\Windows\System\CyLkuFT.exe
  C:\Windows\System\CyLkuFT.exe
  2⤵
  PID:7692
- C:\Windows\System\CcovDft.exe
  C:\Windows\System\CcovDft.exe
  2⤵
  PID:7772
- C:\Windows\System\mpPNvGb.exe
  C:\Windows\System\mpPNvGb.exe
  2⤵
  PID:7784
- C:\Windows\System\gSGHHEI.exe
  C:\Windows\System\gSGHHEI.exe
  2⤵
  PID:7712
- C:\Windows\System\IJXMOWe.exe
  C:\Windows\System\IJXMOWe.exe
  2⤵
  PID:7728
- C:\Windows\System\ihfUIej.exe
  C:\Windows\System\ihfUIej.exe
  2⤵
  PID:4664
- C:\Windows\System\shpsPJb.exe
  C:\Windows\System\shpsPJb.exe
  2⤵
  PID:7988
- C:\Windows\System\FuYnmIa.exe
  C:\Windows\System\FuYnmIa.exe
  2⤵
  PID:8024
- C:\Windows\System\NPOKyQx.exe
  C:\Windows\System\NPOKyQx.exe
  2⤵
  PID:8088
- C:\Windows\System\fMxBPiS.exe
  C:\Windows\System\fMxBPiS.exe
  2⤵
  PID:8144
- C:\Windows\System\HpRZPQx.exe
  C:\Windows\System\HpRZPQx.exe
  2⤵
  PID:7288
- C:\Windows\System\sEFYpQj.exe
  C:\Windows\System\sEFYpQj.exe
  2⤵
  PID:7172
- C:\Windows\System\wswDFGH.exe
  C:\Windows\System\wswDFGH.exe
  2⤵
  PID:1624
- C:\Windows\System\gMJKmvU.exe
  C:\Windows\System\gMJKmvU.exe
  2⤵
  PID:4432
- C:\Windows\System\SiXPoMz.exe
  C:\Windows\System\SiXPoMz.exe
  2⤵
  PID:7556
- C:\Windows\System\InFPrPQ.exe
  C:\Windows\System\InFPrPQ.exe
  2⤵
  PID:7764
- C:\Windows\System\MnZnbmx.exe
  C:\Windows\System\MnZnbmx.exe
  2⤵
  PID:7720
- C:\Windows\System\LINmSDG.exe
  C:\Windows\System\LINmSDG.exe
  2⤵
  PID:7752
- C:\Windows\System\AmZYscs.exe
  C:\Windows\System\AmZYscs.exe
  2⤵
  PID:7908
- C:\Windows\System\BdvurmU.exe
  C:\Windows\System\BdvurmU.exe
  2⤵
  PID:8188
- C:\Windows\System\nVvJuXg.exe
  C:\Windows\System\nVvJuXg.exe
  2⤵
  PID:6548
- C:\Windows\System\QRaAqzf.exe
  C:\Windows\System\QRaAqzf.exe
  2⤵
  PID:7508
- C:\Windows\System\bDyFWUY.exe
  C:\Windows\System\bDyFWUY.exe
  2⤵
  PID:7796
- C:\Windows\System\FftyTvQ.exe
  C:\Windows\System\FftyTvQ.exe
  2⤵
  PID:7860
- C:\Windows\System\BVVMrmN.exe
  C:\Windows\System\BVVMrmN.exe
  2⤵
  PID:7616
- C:\Windows\System\CTqDBaL.exe
  C:\Windows\System\CTqDBaL.exe
  2⤵
  PID:7928
- C:\Windows\System\OpgoqEn.exe
  C:\Windows\System\OpgoqEn.exe
  2⤵
  PID:8212
- C:\Windows\System\UUcrEVX.exe
  C:\Windows\System\UUcrEVX.exe
  2⤵
  PID:8228
- C:\Windows\System\XnUYyAO.exe
  C:\Windows\System\XnUYyAO.exe
  2⤵
  PID:8260
- C:\Windows\System\LmebikL.exe
  C:\Windows\System\LmebikL.exe
  2⤵
  PID:8300
- C:\Windows\System\dRZdaxM.exe
  C:\Windows\System\dRZdaxM.exe
  2⤵
  PID:8320
- C:\Windows\System\riwzdwW.exe
  C:\Windows\System\riwzdwW.exe
  2⤵
  PID:8348
- C:\Windows\System\Dvhqygj.exe
  C:\Windows\System\Dvhqygj.exe
  2⤵
  PID:8372
- C:\Windows\System\zFUYjCj.exe
  C:\Windows\System\zFUYjCj.exe
  2⤵
  PID:8396
- C:\Windows\System\MfoJdQg.exe
  C:\Windows\System\MfoJdQg.exe
  2⤵
  PID:8412
- C:\Windows\System\NLiqQAV.exe
  C:\Windows\System\NLiqQAV.exe
  2⤵
  PID:8440
- C:\Windows\System\jbdKGQD.exe
  C:\Windows\System\jbdKGQD.exe
  2⤵
  PID:8464
- C:\Windows\System\qcnFUmy.exe
  C:\Windows\System\qcnFUmy.exe
  2⤵
  PID:8484
- C:\Windows\System\waXPlFG.exe
  C:\Windows\System\waXPlFG.exe
  2⤵
  PID:8516
- C:\Windows\System\tIFVwKG.exe
  C:\Windows\System\tIFVwKG.exe
  2⤵
  PID:8540
- C:\Windows\System\GFIDCLw.exe
  C:\Windows\System\GFIDCLw.exe
  2⤵
  PID:8556
- C:\Windows\System\seEcOst.exe
  C:\Windows\System\seEcOst.exe
  2⤵
  PID:8580
- C:\Windows\System\tbheEaW.exe
  C:\Windows\System\tbheEaW.exe
  2⤵
  PID:8600
- C:\Windows\System\xwxaNvF.exe
  C:\Windows\System\xwxaNvF.exe
  2⤵
  PID:8616
- C:\Windows\System\RYxqQCq.exe
  C:\Windows\System\RYxqQCq.exe
  2⤵
  PID:8636
- C:\Windows\System\tWiKTzu.exe
  C:\Windows\System\tWiKTzu.exe
  2⤵
  PID:8672
- C:\Windows\System\kxMffFE.exe
  C:\Windows\System\kxMffFE.exe
  2⤵
  PID:8748
- C:\Windows\System\BiuwKyt.exe
  C:\Windows\System\BiuwKyt.exe
  2⤵
  PID:8800
- C:\Windows\System\wLBlFeD.exe
  C:\Windows\System\wLBlFeD.exe
  2⤵
  PID:8840
- C:\Windows\System\mpKmory.exe
  C:\Windows\System\mpKmory.exe
  2⤵
  PID:8860
- C:\Windows\System\vabYAqz.exe
  C:\Windows\System\vabYAqz.exe
  2⤵
  PID:8876
- C:\Windows\System\MKkDNIO.exe
  C:\Windows\System\MKkDNIO.exe
  2⤵
  PID:8904
- C:\Windows\System\JswYWeI.exe
  C:\Windows\System\JswYWeI.exe
  2⤵
  PID:8928
- C:\Windows\System\xnGPpIT.exe
  C:\Windows\System\xnGPpIT.exe
  2⤵
  PID:8956
- C:\Windows\System\zRLZeuN.exe
  C:\Windows\System\zRLZeuN.exe
  2⤵
  PID:8988
- C:\Windows\System\KRzqIXZ.exe
  C:\Windows\System\KRzqIXZ.exe
  2⤵
  PID:9024
- C:\Windows\System\qhNDpcj.exe
  C:\Windows\System\qhNDpcj.exe
  2⤵
  PID:9044
- C:\Windows\System\JFiDlWo.exe
  C:\Windows\System\JFiDlWo.exe
  2⤵
  PID:9072
- C:\Windows\System\MGoXCnS.exe
  C:\Windows\System\MGoXCnS.exe
  2⤵
  PID:9100
- C:\Windows\System\mWEkzPk.exe
  C:\Windows\System\mWEkzPk.exe
  2⤵
  PID:9124
- C:\Windows\System\tkTxIZr.exe
  C:\Windows\System\tkTxIZr.exe
  2⤵
  PID:9156
- C:\Windows\System\hLNFrts.exe
  C:\Windows\System\hLNFrts.exe
  2⤵
  PID:9204
- C:\Windows\System\ckqWhrx.exe
  C:\Windows\System\ckqWhrx.exe
  2⤵
  PID:7748
- C:\Windows\System\GkDOwtT.exe
  C:\Windows\System\GkDOwtT.exe
  2⤵
  PID:8224
- C:\Windows\System\uUsMuhP.exe
  C:\Windows\System\uUsMuhP.exe
  2⤵
  PID:8316
- C:\Windows\System\BpJKtiY.exe
  C:\Windows\System\BpJKtiY.exe
  2⤵
  PID:8312
- C:\Windows\System\nobBjEo.exe
  C:\Windows\System\nobBjEo.exe
  2⤵
  PID:8420
- C:\Windows\System\bWZJPuN.exe
  C:\Windows\System\bWZJPuN.exe
  2⤵
  PID:8388
- C:\Windows\System\AnCocNj.exe
  C:\Windows\System\AnCocNj.exe
  2⤵
  PID:8508
- C:\Windows\System\atmsEbu.exe
  C:\Windows\System\atmsEbu.exe
  2⤵
  PID:8628
- C:\Windows\System\HsKfakR.exe
  C:\Windows\System\HsKfakR.exe
  2⤵
  PID:8632
- C:\Windows\System\dIueVNu.exe
  C:\Windows\System\dIueVNu.exe
  2⤵
  PID:8824
- C:\Windows\System\QZeZjip.exe
  C:\Windows\System\QZeZjip.exe
  2⤵
  PID:8852
- C:\Windows\System\YQFASZR.exe
  C:\Windows\System\YQFASZR.exe
  2⤵
  PID:8912
- C:\Windows\System\yKMqlkJ.exe
  C:\Windows\System\yKMqlkJ.exe
  2⤵
  PID:8964
- C:\Windows\System\ggiFEYT.exe
  C:\Windows\System\ggiFEYT.exe
  2⤵
  PID:9052
- C:\Windows\System\JuTbeSp.exe
  C:\Windows\System\JuTbeSp.exe
  2⤵
  PID:9120
- C:\Windows\System\waOUvzF.exe
  C:\Windows\System\waOUvzF.exe
  2⤵
  PID:9180
- C:\Windows\System\wrwzsnc.exe
  C:\Windows\System\wrwzsnc.exe
  2⤵
  PID:2080
- C:\Windows\System\fEZZWcl.exe
  C:\Windows\System\fEZZWcl.exe
  2⤵
  PID:8344
- C:\Windows\System\YdftLev.exe
  C:\Windows\System\YdftLev.exe
  2⤵
  PID:8408
- C:\Windows\System\dlXDxdH.exe
  C:\Windows\System\dlXDxdH.exe
  2⤵
  PID:8608
- C:\Windows\System\hYdurzO.exe
  C:\Windows\System\hYdurzO.exe
  2⤵
  PID:8744
- C:\Windows\System\KlOIyOq.exe
  C:\Windows\System\KlOIyOq.exe
  2⤵
  PID:8884
- C:\Windows\System\jemcfXa.exe
  C:\Windows\System\jemcfXa.exe
  2⤵
  PID:8872
- C:\Windows\System\KWUaFFq.exe
  C:\Windows\System\KWUaFFq.exe
  2⤵
  PID:9004
- C:\Windows\System\whTsrYJ.exe
  C:\Windows\System\whTsrYJ.exe
  2⤵
  PID:8268
- C:\Windows\System\wMEQmqq.exe
  C:\Windows\System\wMEQmqq.exe
  2⤵
  PID:8592
- C:\Windows\System\RcPpZQg.exe
  C:\Windows\System\RcPpZQg.exe
  2⤵
  PID:9148
- C:\Windows\System\aSGvnnv.exe
  C:\Windows\System\aSGvnnv.exe
  2⤵
  PID:9228
- C:\Windows\System\zXjeINr.exe
  C:\Windows\System\zXjeINr.exe
  2⤵
  PID:9244
- C:\Windows\System\guuKgZI.exe
  C:\Windows\System\guuKgZI.exe
  2⤵
  PID:9268
- C:\Windows\System\FhkbQiy.exe
  C:\Windows\System\FhkbQiy.exe
  2⤵
  PID:9296
- C:\Windows\System\sUtmVEX.exe
  C:\Windows\System\sUtmVEX.exe
  2⤵
  PID:9336
- C:\Windows\System\HkcQAoY.exe
  C:\Windows\System\HkcQAoY.exe
  2⤵
  PID:9356
- C:\Windows\System\fXiiqFj.exe
  C:\Windows\System\fXiiqFj.exe
  2⤵
  PID:9376
- C:\Windows\System\tsmDsFo.exe
  C:\Windows\System\tsmDsFo.exe
  2⤵
  PID:9396
- C:\Windows\System\jGsXoKv.exe
  C:\Windows\System\jGsXoKv.exe
  2⤵
  PID:9432
- C:\Windows\System\eBvkxyJ.exe
  C:\Windows\System\eBvkxyJ.exe
  2⤵
  PID:9448
- C:\Windows\System\jZXrcBq.exe
  C:\Windows\System\jZXrcBq.exe
  2⤵
  PID:9468
- C:\Windows\System\cpytlCQ.exe
  C:\Windows\System\cpytlCQ.exe
  2⤵
  PID:9496
- C:\Windows\System\hNqunBW.exe
  C:\Windows\System\hNqunBW.exe
  2⤵
  PID:9528
- C:\Windows\System\pFhjStY.exe
  C:\Windows\System\pFhjStY.exe
  2⤵
  PID:9548
- C:\Windows\System\nSYZKpP.exe
  C:\Windows\System\nSYZKpP.exe
  2⤵
  PID:9572
- C:\Windows\System\NtaoHQb.exe
  C:\Windows\System\NtaoHQb.exe
  2⤵
  PID:9600
- C:\Windows\System\xXeeiRH.exe
  C:\Windows\System\xXeeiRH.exe
  2⤵
  PID:9640
- C:\Windows\System\RIpgWQR.exe
  C:\Windows\System\RIpgWQR.exe
  2⤵
  PID:9664
- C:\Windows\System\OtOMWfm.exe
  C:\Windows\System\OtOMWfm.exe
  2⤵
  PID:9688
- C:\Windows\System\lvJUUgl.exe
  C:\Windows\System\lvJUUgl.exe
  2⤵
  PID:9780
- C:\Windows\System\VHlDOIH.exe
  C:\Windows\System\VHlDOIH.exe
  2⤵
  PID:9804
- C:\Windows\System\OQrSTaA.exe
  C:\Windows\System\OQrSTaA.exe
  2⤵
  PID:9836
- C:\Windows\System\guRqrEG.exe
  C:\Windows\System\guRqrEG.exe
  2⤵
  PID:9860
- C:\Windows\System\uyXjzva.exe
  C:\Windows\System\uyXjzva.exe
  2⤵
  PID:9888
- C:\Windows\System\GaXnEKk.exe
  C:\Windows\System\GaXnEKk.exe
  2⤵
  PID:9916
- C:\Windows\System\UjPiAUl.exe
  C:\Windows\System\UjPiAUl.exe
  2⤵
  PID:9936
- C:\Windows\System\dcNEksM.exe
  C:\Windows\System\dcNEksM.exe
  2⤵
  PID:9984
- C:\Windows\System\pQKPxKi.exe
  C:\Windows\System\pQKPxKi.exe
  2⤵
  PID:10000
- C:\Windows\System\ZmdBWwT.exe
  C:\Windows\System\ZmdBWwT.exe
  2⤵
  PID:10020
- C:\Windows\System\RucUFfr.exe
  C:\Windows\System\RucUFfr.exe
  2⤵
  PID:10044
- C:\Windows\System\sXHiKIF.exe
  C:\Windows\System\sXHiKIF.exe
  2⤵
  PID:10064
- C:\Windows\System\urVvXex.exe
  C:\Windows\System\urVvXex.exe
  2⤵
  PID:10092
- C:\Windows\System\NucKUqW.exe
  C:\Windows\System\NucKUqW.exe
  2⤵
  PID:10120
- C:\Windows\System\rhYXXxI.exe
  C:\Windows\System\rhYXXxI.exe
  2⤵
  PID:10156
- C:\Windows\System\vMeXJLq.exe
  C:\Windows\System\vMeXJLq.exe
  2⤵
  PID:10176
- C:\Windows\System\uDYDlqQ.exe
  C:\Windows\System\uDYDlqQ.exe
  2⤵
  PID:10200
- C:\Windows\System\iETjLgs.exe
  C:\Windows\System\iETjLgs.exe
  2⤵
  PID:10220
- C:\Windows\System\GBTPXFg.exe
  C:\Windows\System\GBTPXFg.exe
  2⤵
  PID:8952
- C:\Windows\System\SoEwniT.exe
  C:\Windows\System\SoEwniT.exe
  2⤵
  PID:9240
- C:\Windows\System\aNoCWLq.exe
  C:\Windows\System\aNoCWLq.exe
  2⤵
  PID:9260
- C:\Windows\System\mWVucCx.exe
  C:\Windows\System\mWVucCx.exe
  2⤵
  PID:9424
- C:\Windows\System\plpPhxQ.exe
  C:\Windows\System\plpPhxQ.exe
  2⤵
  PID:9388
- C:\Windows\System\gCIQTJN.exe
  C:\Windows\System\gCIQTJN.exe
  2⤵
  PID:9540
- C:\Windows\System\FUaXkgU.exe
  C:\Windows\System\FUaXkgU.exe
  2⤵
  PID:9564
- C:\Windows\System\PvPWWZI.exe
  C:\Windows\System\PvPWWZI.exe
  2⤵
  PID:9684
- C:\Windows\System\xyXgRls.exe
  C:\Windows\System\xyXgRls.exe
  2⤵
  PID:9852
- C:\Windows\System\ZzakSqh.exe
  C:\Windows\System\ZzakSqh.exe
  2⤵
  PID:9832
- C:\Windows\System\ameBwef.exe
  C:\Windows\System\ameBwef.exe
  2⤵
  PID:9884
- C:\Windows\System\xjJZOFq.exe
  C:\Windows\System\xjJZOFq.exe
  2⤵
  PID:9976
- C:\Windows\System\YdaOyZW.exe
  C:\Windows\System\YdaOyZW.exe
  2⤵
  PID:10072
- C:\Windows\System\TpnPcVF.exe
  C:\Windows\System\TpnPcVF.exe
  2⤵
  PID:10040
- C:\Windows\System\UvXbeee.exe
  C:\Windows\System\UvXbeee.exe
  2⤵
  PID:10144
- C:\Windows\System\wyYNfsZ.exe
  C:\Windows\System\wyYNfsZ.exe
  2⤵
  PID:10184
- C:\Windows\System\pNlJxzj.exe
  C:\Windows\System\pNlJxzj.exe
  2⤵
  PID:10212
- C:\Windows\System\CHKadSa.exe
  C:\Windows\System\CHKadSa.exe
  2⤵
  PID:9224
- C:\Windows\System\TwBgcMr.exe
  C:\Windows\System\TwBgcMr.exe
  2⤵
  PID:9252
- C:\Windows\System\KTIcXBR.exe
  C:\Windows\System\KTIcXBR.exe
  2⤵
  PID:9700
- C:\Windows\System\CIjEYlM.exe
  C:\Windows\System\CIjEYlM.exe
  2⤵
  PID:9848
- C:\Windows\System\fZhouAW.exe
  C:\Windows\System\fZhouAW.exe
  2⤵
  PID:10016
- C:\Windows\System\zxHmTbE.exe
  C:\Windows\System\zxHmTbE.exe
  2⤵
  PID:9992
- C:\Windows\System\BmkyWqI.exe
  C:\Windows\System\BmkyWqI.exe
  2⤵
  PID:9348
- C:\Windows\System\vKaXZnr.exe
  C:\Windows\System\vKaXZnr.exe
  2⤵
  PID:9608
- C:\Windows\System\RHJiAmv.exe
  C:\Windows\System\RHJiAmv.exe
  2⤵
  PID:9648
- C:\Windows\System\sMtHrFw.exe
  C:\Windows\System\sMtHrFw.exe
  2⤵
  PID:9944
- C:\Windows\System\NaWEuWk.exe
  C:\Windows\System\NaWEuWk.exe
  2⤵
  PID:8500
- C:\Windows\System\wnHcDFY.exe
  C:\Windows\System\wnHcDFY.exe
  2⤵
  PID:10256
- C:\Windows\System\qjcdraz.exe
  C:\Windows\System\qjcdraz.exe
  2⤵
  PID:10296
- C:\Windows\System\LlKaMYZ.exe
  C:\Windows\System\LlKaMYZ.exe
  2⤵
  PID:10332
- C:\Windows\System\pJaLGXf.exe
  C:\Windows\System\pJaLGXf.exe
  2⤵
  PID:10352
- C:\Windows\System\NQfMuOa.exe
  C:\Windows\System\NQfMuOa.exe
  2⤵
  PID:10384
- C:\Windows\System\DvVQuqO.exe
  C:\Windows\System\DvVQuqO.exe
  2⤵
  PID:10428
- C:\Windows\System\RGiJLcE.exe
  C:\Windows\System\RGiJLcE.exe
  2⤵
  PID:10444
- C:\Windows\System\yXYrRvV.exe
  C:\Windows\System\yXYrRvV.exe
  2⤵
  PID:10468
- C:\Windows\System\cZoWlvm.exe
  C:\Windows\System\cZoWlvm.exe
  2⤵
  PID:10504
- C:\Windows\System\cmgNkXc.exe
  C:\Windows\System\cmgNkXc.exe
  2⤵
  PID:10520
- C:\Windows\System\VAhoeFp.exe
  C:\Windows\System\VAhoeFp.exe
  2⤵
  PID:10576
- C:\Windows\System\sMQudlD.exe
  C:\Windows\System\sMQudlD.exe
  2⤵
  PID:10600
- C:\Windows\System\TcFpQbY.exe
  C:\Windows\System\TcFpQbY.exe
  2⤵
  PID:10620
- C:\Windows\System\yjMZKkQ.exe
  C:\Windows\System\yjMZKkQ.exe
  2⤵
  PID:10652
- C:\Windows\System\utHPJHs.exe
  C:\Windows\System\utHPJHs.exe
  2⤵
  PID:10672
- C:\Windows\System\YZcJalf.exe
  C:\Windows\System\YZcJalf.exe
  2⤵
  PID:10708
- C:\Windows\System\nsfGGqT.exe
  C:\Windows\System\nsfGGqT.exe
  2⤵
  PID:10732
- C:\Windows\System\ulrDUCU.exe
  C:\Windows\System\ulrDUCU.exe
  2⤵
  PID:10828
- C:\Windows\System\CVVUsOA.exe
  C:\Windows\System\CVVUsOA.exe
  2⤵
  PID:10880
- C:\Windows\System\VCzQvAj.exe
  C:\Windows\System\VCzQvAj.exe
  2⤵
  PID:10900
- C:\Windows\System\RYtCtqK.exe
  C:\Windows\System\RYtCtqK.exe
  2⤵
  PID:10952
- C:\Windows\System\goIHvmf.exe
  C:\Windows\System\goIHvmf.exe
  2⤵
  PID:10972
- C:\Windows\System\acozGxS.exe
  C:\Windows\System\acozGxS.exe
  2⤵
  PID:10988
- C:\Windows\System\AEgBxvj.exe
  C:\Windows\System\AEgBxvj.exe
  2⤵
  PID:11004
- C:\Windows\System\majjzXf.exe
  C:\Windows\System\majjzXf.exe
  2⤵
  PID:11032
- C:\Windows\System\wKOSMBK.exe
  C:\Windows\System\wKOSMBK.exe
  2⤵
  PID:11048
- C:\Windows\System\dSpYyWg.exe
  C:\Windows\System\dSpYyWg.exe
  2⤵
  PID:11068
- C:\Windows\System\DuiMDvP.exe
  C:\Windows\System\DuiMDvP.exe
  2⤵
  PID:11088
- C:\Windows\System\WcfJZjq.exe
  C:\Windows\System\WcfJZjq.exe
  2⤵
  PID:11108
- C:\Windows\System\LfZGvOE.exe
  C:\Windows\System\LfZGvOE.exe
  2⤵
  PID:11136
- C:\Windows\System\vVELiJw.exe
  C:\Windows\System\vVELiJw.exe
  2⤵
  PID:11156
- C:\Windows\System\LomhfQC.exe
  C:\Windows\System\LomhfQC.exe
  2⤵
  PID:11200
- C:\Windows\System\qepiGgW.exe
  C:\Windows\System\qepiGgW.exe
  2⤵
  PID:11216
- C:\Windows\System\SBwPrRe.exe
  C:\Windows\System\SBwPrRe.exe
  2⤵
  PID:11244
- C:\Windows\System\qQajNCB.exe
  C:\Windows\System\qQajNCB.exe
  2⤵
  PID:10084
- C:\Windows\System\okaMeYv.exe
  C:\Windows\System\okaMeYv.exe
  2⤵
  PID:10340
- C:\Windows\System\bjMKpaM.exe
  C:\Windows\System\bjMKpaM.exe
  2⤵
  PID:10364
- C:\Windows\System\izaGYPW.exe
  C:\Windows\System\izaGYPW.exe
  2⤵
  PID:10452
- C:\Windows\System\wTUJbIW.exe
  C:\Windows\System\wTUJbIW.exe
  2⤵
  PID:10512
- C:\Windows\System\uOhvbZY.exe
  C:\Windows\System\uOhvbZY.exe
  2⤵
  PID:10500
- C:\Windows\System\YtUNBHV.exe
  C:\Windows\System\YtUNBHV.exe
  2⤵
  PID:10584
- C:\Windows\System\JSLFUHa.exe
  C:\Windows\System\JSLFUHa.exe
  2⤵
  PID:10648
- C:\Windows\System\bmUqXvl.exe
  C:\Windows\System\bmUqXvl.exe
  2⤵
  PID:10756
- C:\Windows\System\EXpsPSm.exe
  C:\Windows\System\EXpsPSm.exe
  2⤵
  PID:10800
- C:\Windows\System\tJgqdAF.exe
  C:\Windows\System\tJgqdAF.exe
  2⤵
  PID:10788
- C:\Windows\System\WhjJKPQ.exe
  C:\Windows\System\WhjJKPQ.exe
  2⤵
  PID:10816
- C:\Windows\System\WweaeYi.exe
  C:\Windows\System\WweaeYi.exe
  2⤵
  PID:10892
- C:\Windows\System\EnYXTwE.exe
  C:\Windows\System\EnYXTwE.exe
  2⤵
  PID:11028
- C:\Windows\System\QWQJSRO.exe
  C:\Windows\System\QWQJSRO.exe
  2⤵
  PID:11084
- C:\Windows\System\UqTPgtQ.exe
  C:\Windows\System\UqTPgtQ.exe
  2⤵
  PID:11124
- C:\Windows\System\TxJlBeD.exe
  C:\Windows\System\TxJlBeD.exe
  2⤵
  PID:11208
- C:\Windows\System\twlVSJG.exe
  C:\Windows\System\twlVSJG.exe
  2⤵
  PID:11252
- C:\Windows\System\cuJTGCc.exe
  C:\Windows\System\cuJTGCc.exe
  2⤵
  PID:10348
- C:\Windows\System\ilMTNQK.exe
  C:\Windows\System\ilMTNQK.exe
  2⤵
  PID:10552
- C:\Windows\System\NHasNEs.exe
  C:\Windows\System\NHasNEs.exe
  2⤵
  PID:10616
- C:\Windows\System\ZRwufkR.exe
  C:\Windows\System\ZRwufkR.exe
  2⤵
  PID:10776
- C:\Windows\System\IJXsloV.exe
  C:\Windows\System\IJXsloV.exe
  2⤵
  PID:10856
- C:\Windows\System\FxMNqNg.exe
  C:\Windows\System\FxMNqNg.exe
  2⤵
  PID:10912
- C:\Windows\System\saRzyTF.exe
  C:\Windows\System\saRzyTF.exe
  2⤵
  PID:11144
- C:\Windows\System\lTCSZnS.exe
  C:\Windows\System\lTCSZnS.exe
  2⤵
  PID:9524
- C:\Windows\System\VQGRffo.exe
  C:\Windows\System\VQGRffo.exe
  2⤵
  PID:10308
- C:\Windows\System\iwQqsds.exe
  C:\Windows\System\iwQqsds.exe
  2⤵
  PID:9796
- C:\Windows\System\toyLerm.exe
  C:\Windows\System\toyLerm.exe
  2⤵
  PID:10660
- C:\Windows\System\rVZWuDr.exe
  C:\Windows\System\rVZWuDr.exe
  2⤵
  PID:11276
- C:\Windows\System\auSxCKk.exe
  C:\Windows\System\auSxCKk.exe
  2⤵
  PID:11316
- C:\Windows\System\jtFKgdv.exe
  C:\Windows\System\jtFKgdv.exe
  2⤵
  PID:11336
- C:\Windows\System\bnlFbio.exe
  C:\Windows\System\bnlFbio.exe
  2⤵
  PID:11400
- C:\Windows\System\nbsMrXS.exe
  C:\Windows\System\nbsMrXS.exe
  2⤵
  PID:11424
- C:\Windows\System\dIVNMll.exe
  C:\Windows\System\dIVNMll.exe
  2⤵
  PID:11448
- C:\Windows\System\YFKupjC.exe
  C:\Windows\System\YFKupjC.exe
  2⤵
  PID:11496
- C:\Windows\System\dgCUiiE.exe
  C:\Windows\System\dgCUiiE.exe
  2⤵
  PID:11520
- C:\Windows\System\rEwVmHw.exe
  C:\Windows\System\rEwVmHw.exe
  2⤵
  PID:11540
- C:\Windows\System\HsWbvRS.exe
  C:\Windows\System\HsWbvRS.exe
  2⤵
  PID:11560
- C:\Windows\System\zYFAaMw.exe
  C:\Windows\System\zYFAaMw.exe
  2⤵
  PID:11584
- C:\Windows\System\rCidyUd.exe
  C:\Windows\System\rCidyUd.exe
  2⤵
  PID:11600
- C:\Windows\System\cljtJQC.exe
  C:\Windows\System\cljtJQC.exe
  2⤵
  PID:11632
- C:\Windows\System\RvmjOjG.exe
  C:\Windows\System\RvmjOjG.exe
  2⤵
  PID:11656
- C:\Windows\System\tSyrpDR.exe
  C:\Windows\System\tSyrpDR.exe
  2⤵
  PID:11672
- C:\Windows\System\uRdTXEm.exe
  C:\Windows\System\uRdTXEm.exe
  2⤵
  PID:11692
- C:\Windows\System\HOdqPSU.exe
  C:\Windows\System\HOdqPSU.exe
  2⤵
  PID:11724
- C:\Windows\System\JSynBJh.exe
  C:\Windows\System\JSynBJh.exe
  2⤵
  PID:11776
- C:\Windows\System\YyHTbvA.exe
  C:\Windows\System\YyHTbvA.exe
  2⤵
  PID:11820
- C:\Windows\System\TsgoBsD.exe
  C:\Windows\System\TsgoBsD.exe
  2⤵
  PID:11848
- C:\Windows\System\uLKrbpA.exe
  C:\Windows\System\uLKrbpA.exe
  2⤵
  PID:11868
- C:\Windows\System\AcvoigC.exe
  C:\Windows\System\AcvoigC.exe
  2⤵
  PID:11904
- C:\Windows\System\cVmvxQk.exe
  C:\Windows\System\cVmvxQk.exe
  2⤵
  PID:11924
- C:\Windows\System\VXJbRTp.exe
  C:\Windows\System\VXJbRTp.exe
  2⤵
  PID:11960
- C:\Windows\System\pipYzyX.exe
  C:\Windows\System\pipYzyX.exe
  2⤵
  PID:11980
- C:\Windows\System\Ebyvlic.exe
  C:\Windows\System\Ebyvlic.exe
  2⤵
  PID:12004
- C:\Windows\System\Cwexgwr.exe
  C:\Windows\System\Cwexgwr.exe
  2⤵
  PID:12024
- C:\Windows\System\muaNial.exe
  C:\Windows\System\muaNial.exe
  2⤵
  PID:12040
- C:\Windows\System\pFgVqbj.exe
  C:\Windows\System\pFgVqbj.exe
  2⤵
  PID:12056
- C:\Windows\System\tWqGGQz.exe
  C:\Windows\System\tWqGGQz.exe
  2⤵
  PID:12108
- C:\Windows\System\iGdMvHm.exe
  C:\Windows\System\iGdMvHm.exe
  2⤵
  PID:12128
- C:\Windows\System\wfXeFHs.exe
  C:\Windows\System\wfXeFHs.exe
  2⤵
  PID:12148
- C:\Windows\System\sWPKPww.exe
  C:\Windows\System\sWPKPww.exe
  2⤵
  PID:12180
- C:\Windows\System\eKEBTeA.exe
  C:\Windows\System\eKEBTeA.exe
  2⤵
  PID:12212
- C:\Windows\System\QzhIGdP.exe
  C:\Windows\System\QzhIGdP.exe
  2⤵
  PID:12264
- C:\Windows\System\wXOfzyl.exe
  C:\Windows\System\wXOfzyl.exe
  2⤵
  PID:10936
- C:\Windows\System\GqMIIkS.exe
  C:\Windows\System\GqMIIkS.exe
  2⤵
  PID:10244
- C:\Windows\System\eJoxgMq.exe
  C:\Windows\System\eJoxgMq.exe
  2⤵
  PID:11296
- C:\Windows\System\cAqPwoa.exe
  C:\Windows\System\cAqPwoa.exe
  2⤵
  PID:11344
- C:\Windows\System\EpYltSr.exe
  C:\Windows\System\EpYltSr.exe
  2⤵
  PID:11392
- C:\Windows\System\hjElfew.exe
  C:\Windows\System\hjElfew.exe
  2⤵
  PID:11432
- C:\Windows\System\PiNKEBp.exe
  C:\Windows\System\PiNKEBp.exe
  2⤵
  PID:11512
- C:\Windows\System\XilTVDl.exe
  C:\Windows\System\XilTVDl.exe
  2⤵
  PID:11592
- C:\Windows\System\hnvTMmZ.exe
  C:\Windows\System\hnvTMmZ.exe
  2⤵
  PID:11624
- C:\Windows\System\SNRxTgc.exe
  C:\Windows\System\SNRxTgc.exe
  2⤵
  PID:11756
- C:\Windows\System\wgMtytD.exe
  C:\Windows\System\wgMtytD.exe
  2⤵
  PID:11832
- C:\Windows\System\UVixsYa.exe
  C:\Windows\System\UVixsYa.exe
  2⤵
  PID:4012
- C:\Windows\System\djZYEkT.exe
  C:\Windows\System\djZYEkT.exe
  2⤵
  PID:224
- C:\Windows\System\ZLfOwBB.exe
  C:\Windows\System\ZLfOwBB.exe
  2⤵
  PID:11896
- C:\Windows\System\ANRrUSO.exe
  C:\Windows\System\ANRrUSO.exe
  2⤵
  PID:11900
- C:\Windows\System\MnfDhjh.exe
  C:\Windows\System\MnfDhjh.exe
  2⤵
  PID:11976
- C:\Windows\System\OqkyujQ.exe
  C:\Windows\System\OqkyujQ.exe
  2⤵
  PID:12020
- C:\Windows\System\mwuEXlR.exe
  C:\Windows\System\mwuEXlR.exe
  2⤵
  PID:12104
- C:\Windows\System\CwJLkPX.exe
  C:\Windows\System\CwJLkPX.exe
  2⤵
  PID:12140
- C:\Windows\System\iYBbVKD.exe
  C:\Windows\System\iYBbVKD.exe
  2⤵
  PID:12260
- C:\Windows\System\dGmZzyX.exe
  C:\Windows\System\dGmZzyX.exe
  2⤵
  PID:11240
- C:\Windows\System\rfFuvoG.exe
  C:\Windows\System\rfFuvoG.exe
  2⤵
  PID:10812
- C:\Windows\System\KeswHLu.exe
  C:\Windows\System\KeswHLu.exe
  2⤵
  PID:11412
- C:\Windows\System\TluDizL.exe
  C:\Windows\System\TluDizL.exe
  2⤵
  PID:11476
- C:\Windows\System\FWFjnDb.exe
  C:\Windows\System\FWFjnDb.exe
  2⤵
  PID:11668
- C:\Windows\System\hflcMFo.exe
  C:\Windows\System\hflcMFo.exe
  2⤵
  PID:11708
- C:\Windows\System\tnFLSyl.exe
  C:\Windows\System\tnFLSyl.exe
  2⤵
  PID:11932
- C:\Windows\System\QIsqfIE.exe
  C:\Windows\System\QIsqfIE.exe
  2⤵
  PID:11952
- C:\Windows\System\JZLrOoa.exe
  C:\Windows\System\JZLrOoa.exe
  2⤵
  PID:12204
- C:\Windows\System\TdstjzA.exe
  C:\Windows\System\TdstjzA.exe
  2⤵
  PID:11420
- C:\Windows\System\UONyPGH.exe
  C:\Windows\System\UONyPGH.exe
  2⤵
  PID:11640
- C:\Windows\System\zTKYlCd.exe
  C:\Windows\System\zTKYlCd.exe
  2⤵
  PID:12236
- C:\Windows\System\efGelpW.exe
  C:\Windows\System\efGelpW.exe
  2⤵
  PID:12324
- C:\Windows\System\qcZohbF.exe
  C:\Windows\System\qcZohbF.exe
  2⤵
  PID:12344
- C:\Windows\System\jXjDsPZ.exe
  C:\Windows\System\jXjDsPZ.exe
  2⤵
  PID:12364
- C:\Windows\System\xRNiqoF.exe
  C:\Windows\System\xRNiqoF.exe
  2⤵
  PID:12388
- C:\Windows\System\eeKBGyX.exe
  C:\Windows\System\eeKBGyX.exe
  2⤵
  PID:12444
- C:\Windows\System\HhjQdVl.exe
  C:\Windows\System\HhjQdVl.exe
  2⤵
  PID:12464
- C:\Windows\System\rcWIDnS.exe
  C:\Windows\System\rcWIDnS.exe
  2⤵
  PID:12528
- C:\Windows\System\FjNYjnK.exe
  C:\Windows\System\FjNYjnK.exe
  2⤵
  PID:12548
- C:\Windows\System\qlkOlbd.exe
  C:\Windows\System\qlkOlbd.exe
  2⤵
  PID:12584
- C:\Windows\System\cQEEooS.exe
  C:\Windows\System\cQEEooS.exe
  2⤵
  PID:12616
- C:\Windows\System\BWOyhxt.exe
  C:\Windows\System\BWOyhxt.exe
  2⤵
  PID:12644
- C:\Windows\System\xvyFHnJ.exe
  C:\Windows\System\xvyFHnJ.exe
  2⤵
  PID:12668
- C:\Windows\System\gpxzyzy.exe
  C:\Windows\System\gpxzyzy.exe
  2⤵
  PID:12688
- C:\Windows\System\ggmQtqn.exe
  C:\Windows\System\ggmQtqn.exe
  2⤵
  PID:12712
- C:\Windows\System\ziDXHoX.exe
  C:\Windows\System\ziDXHoX.exe
  2⤵
  PID:12744
- C:\Windows\System\ePDwemS.exe
  C:\Windows\System\ePDwemS.exe
  2⤵
  PID:12800
- C:\Windows\System\duknWGF.exe
  C:\Windows\System\duknWGF.exe
  2⤵
  PID:12820
- C:\Windows\System\QjOSyyb.exe
  C:\Windows\System\QjOSyyb.exe
  2⤵
  PID:12836
- C:\Windows\System\tMNShwn.exe
  C:\Windows\System\tMNShwn.exe
  2⤵
  PID:12872
- C:\Windows\System\cfBWyeA.exe
  C:\Windows\System\cfBWyeA.exe
  2⤵
  PID:12908
- C:\Windows\System\ueWdJCI.exe
  C:\Windows\System\ueWdJCI.exe
  2⤵
  PID:12932
- C:\Windows\System\lEhsiIK.exe
  C:\Windows\System\lEhsiIK.exe
  2⤵
  PID:12948
- C:\Windows\System\vCSSdIh.exe
  C:\Windows\System\vCSSdIh.exe
  2⤵
  PID:12972
- C:\Windows\System\HKCeZqJ.exe
  C:\Windows\System\HKCeZqJ.exe
  2⤵
  PID:13028
- C:\Windows\System\IdNQEKq.exe
  C:\Windows\System\IdNQEKq.exe
  2⤵
  PID:13052
- C:\Windows\System\nGkBXiT.exe
  C:\Windows\System\nGkBXiT.exe
  2⤵
  PID:13076

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 4480 -i 4480 -h 468 -j 472 -s 480 -d 13120
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:13184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fdxaftrz.fsf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BqyryEl.exe

Filesize
1.6MB

MD5
e65962de6b516598202ecf082b2daa26

SHA1
abc48dc51221309c65ac4fbb0c3c76a1b06391bb

SHA256
2ff907018916ff7ae519a5d6b46252762e0db7a1551c4ff224bf2d36124bf545

SHA512
b9f57c1382aec03dfa564b03ea268b47d7b7ed72fad9b28c50ecdaba2f04bc26b76d8be9f5093448ac6a668334a96f98a356ec8171007f9e765edc488a8074fd

Download Submit
C:\Windows\System\CidFdUU.exe

Filesize
1.6MB

MD5
227eb92a413056e5423a3fd249566850

SHA1
6deff1759d8648d2b500bcb643f85e4b8db8555f

SHA256
3f69e8db879783634f276cfc5e7dc134c1def9680ea42f4736461dd6fd431920

SHA512
7513b8c1bf95c3b18cebd2afffaa628975bdf37479f32bfcf4e6e4609c46b02e33e1de211f587f7a9b2d8f0d01fe06396fdefc53c5b4d44ca219ff4c01b91490

Download Submit
C:\Windows\System\GAtwGsK.exe

Filesize
8B

MD5
6c6a33c852f4e05ffd14cdf0dcab7779

SHA1
70449821f99925d7b8d245181569b7ac4d2ffae8

SHA256
889f3baefc9f46c7632a467db8882ec92f1f0df14da91d5a211e7484de261e45

SHA512
92e5654661ef50c470f84dbec4dcad9efdca5e4026c073f08c798af48c0b5d8107a7b2ff4d63fdb982f371e15d79e95f8a6d716a30b5c5123a7273c49d650d19

Download Submit
C:\Windows\System\GtCJSmQ.exe

Filesize
1.6MB

MD5
9b5c5bc84ad45a3c2ae7f5976750c132

SHA1
52c610b02c468a7cfba5bcd4feb922a760d2a125

SHA256
b68df21f1306d9b9ddd928730b2c75a046db0d4d83b2dcf192163cf7d66b3f92

SHA512
565c204b929b5d552a60f915f5985ca3c37588828096955b2a59753407c8ee8e0ab22781ba97a3b97662381b90252693b014f1fb8f6f38067d6d048d75b6e6f2

Download Submit
C:\Windows\System\HbgJzmm.exe

Filesize
1.6MB

MD5
b9e3ab34c84589abd91636a2181fed69

SHA1
5ea62abcdd6a9002da388faf3ce3800ec13ad289

SHA256
6a15545e0459999de1d1d18ea377f0a4d5bea6a466478f25adf9ab6717b1ee87

SHA512
507313fe47a9fa03deec08411a04ce85fc2b61cacbb3d55a6766306784ac5b8e53845bd4f4ccd2dc381e89818f63f857a226cc3a856f9ae279bcd99ee678986b

Download Submit
C:\Windows\System\ISdzDOw.exe

Filesize
1.6MB

MD5
15e1a4fea1275e2556e13461f7801982

SHA1
5d556a2909c18c9386af669eef6a5588916d68ba

SHA256
8dd38c5420ab8691b0940728f9448868668fec574033f5fc98e75a8df2c7dbc9

SHA512
52b83e42df5c062a1f9b192c74c93963eaed2041c0f330750cec1f16685e42adffbb2f06d9f8f9bde10423ee840d1a870ef57aa3b5f8ffd0b5c73ceccebccfbf

Download Submit
C:\Windows\System\KNcQURY.exe

Filesize
1.6MB

MD5
5aa0cc3ae4371a344bf6586f184eba93

SHA1
b9d27c28e924d6cb584dbe326ddbc437e074dc7c

SHA256
944db53333c95aded9ef7396f607ab71edb1fb805142f7d9075118d0167a83fa

SHA512
695f1ea73ad1ee10b50404b0e97367758b41c8d921ddee3abd80bd0a73ea5d4d41a8efc914b894b902e20ff024f1f1a118aa65547f98bd237de19106ce0136cf

Download Submit
C:\Windows\System\KZAhqXq.exe

Filesize
1.6MB

MD5
6b2fec7b820f33a2f0badae49fabc387

SHA1
e18dbb601d2b99a0d3a1a5101ad75c7b8548d924

SHA256
e58bd4e4fb0c4dc24a4e6d85c59e7b766360f70b46d5f4d1b58c2eb04b4f5ec9

SHA512
29a2cf3d703e8ff4e04889f9362ed5450dd3979c53a318be97dbd05804edb1668b82c54c8dee380c4b9933c346c5e50c789a488d468132e1e0479fe4c367238c

Download Submit
C:\Windows\System\Lcnybwp.exe

Filesize
1.6MB

MD5
0c5c8048b9689400284e8305b4e41aea

SHA1
9ee141d6481fb1109549fb39c28874a7523859d8

SHA256
8d6b2a84397c5cc89d05b29aa61e491e41b243cba80007a25b36e2c40e187f98

SHA512
1d4d92aa88d8c0a73b561569d0a3536c8276c5bab88d3300298aff5fa6a995db84dda4fafd24d931b7c0664aa35631be4253a2434365736a2c78fd667e015d4f

Download Submit
C:\Windows\System\LpMrrPF.exe

Filesize
1.6MB

MD5
11dde47d6d29a769d3ff6d5d75b74763

SHA1
f536e7bd14aefd7666017fdd00fc4b0629614c7a

SHA256
e29d76141d981ec77a49cd093fe764385572f56260f9ea893b23752d3618473e

SHA512
e291d622765f5581555478d424b276573f37995344be1b4388fb4189a539361edf1bbfa1ac5b068721c1bd139ded32c009e3d78e2bd4146975c42fd3afd9ee71

Download Submit
C:\Windows\System\MNrERDt.exe

Filesize
1.6MB

MD5
5eb1c564df9722ab0dc53b77a5c1955e

SHA1
5674d824c5503e2422ee492d66730aa5594dc352

SHA256
3ad6fb6da855282de9b4221677ceb3909003cba4868df749e6b9a64495ffee93

SHA512
24091138ebde9d89f6be7a0998aadddb92ccfd0ca29f4f56598e818251d01a0a7ed8690788be3fb1275bbc1a13cd0f3bdb6e5975565cfaf955d23929c5080745

Download Submit
C:\Windows\System\OHYTnXs.exe

Filesize
1.6MB

MD5
b9960e7d21ad804b5b86a214d65d2f1a

SHA1
1b911ec0ae5c630bb798c627c9ca82e136b21d71

SHA256
a2f1ea7ed411e5e3e1b5e5ba442c1d946dadb0891a8d65fc11f9dd3d9b4c8e39

SHA512
b1db7eef453c768b2f307229130206234ad1a0dea57267bacd3c1d47e5971f15fa300cb36e261b9d208ed4f04f2d006d3ca16640c8771e97da399bb27ae66b87

Download Submit
C:\Windows\System\RBTkdNI.exe

Filesize
1.6MB

MD5
03a926901ee312a2afccce8c123c291c

SHA1
d3c651a0bae07e338fc93064b24a0260491c98d9

SHA256
3eee4bb13e2c6d4a8fb23ad7228ff29faa5185349206e9d0a4c3d656a85be560

SHA512
a50e7f508b0d57980262039723b7e6630f96a9f03b36aef6f6ca18724a1dae4ed91842267d8f218e7c968df1ef2b27e58131dd3163a3c0e5df41e924af6d6951

Download Submit
C:\Windows\System\RqPNnAr.exe

Filesize
1.6MB

MD5
771e310f0d7e96683e59f6cb9fc097ca

SHA1
d06b73d052d962a0548a4807165340af1d038553

SHA256
45bb7fe2c24008db28737176aceb05faab30adfc61a864d42c0d04a4e9d07477

SHA512
f95cc475d1b3ac3670a9c059d703c1e09e608023b7f4845dbc127b9146ff9381b7f4e9a79f496b9d0f525e4b698e4ee63047cfce97c3fcc9a0e0d0298c2406a2

Download Submit
C:\Windows\System\SbGHVDE.exe

Filesize
1.6MB

MD5
e942382907a3e94b58c4f761cf12d3fd

SHA1
1108a5843b055451a71ac3cc48f5e0ddc819029b

SHA256
2ddd39793ad7c600124342a228ad6f65bef0d8d3bc7b5b1fd30ee079dc2f9a2d

SHA512
d8266296ca2fbfb18d78223d9e6a808ad584043d2da3b7b7767ffdd2ba89b2c9be67dc31da8eb77c420b9055c8df6ce7e66bd05080e4e470b64a8c0b0dfe23f7

Download Submit
C:\Windows\System\UCYhIdT.exe

Filesize
1.6MB

MD5
3778cabb81fb46249ee885254a0519d4

SHA1
d9ff7e9342d75ba90083a24c54b8d182129baa68

SHA256
9becd4fcab161d7a785af0163077e2fdf2e85a2a37db5e14b5c09fcfec71fff1

SHA512
cd2b56d146d252fe8ccdda0bb5b79dc7a2b31d12fac156efc73c908a76563a45fbfa2386d72e2a285e159af8167e27410d8fdf361343e05a5d2a2e42151c8b1d

Download Submit
C:\Windows\System\VlhcLtk.exe

Filesize
1.6MB

MD5
490c41b37d63ee43801184940370e518

SHA1
514b8dc09ec2ef33fc8a0e897f706dacaccb4242

SHA256
a7bf25f21e2286add2285f02ecb292da28f2b50d21a5b945462a6e61440b89da

SHA512
2535a33e18c02513995f47f77e5808969b1c5a9ad0fa3411fca1ca286cbedeeb85fa5f3fb9756efd1278dd6ff374f50f52c57ebc5ebca3fa0cba016e6072868f

Download Submit
C:\Windows\System\VnePufD.exe

Filesize
1.6MB

MD5
57cb8fc9dfeb6ae4ee8f360e51ea9e3f

SHA1
5311271c46273f3cac067e6e594f489fa2ec0048

SHA256
d2499e3602c3462fcbb003158e19dd4ad2f9ce07f301eba789c8feea926bc199

SHA512
1b34d35dddf03a8a548ff66cde962dcd813851d9fca362c373f5d3707411ea7bed94cbc299c8dc8b85d9c330f886367b7d1b2f84f510f7abf86007cc2d66d8bc

Download Submit
C:\Windows\System\VoUhHpz.exe

Filesize
1.6MB

MD5
f065e7ae1b6fc01ef7674517f7779d8b

SHA1
a94fdd483dd92d975bdd75454942e0ddd02e4e36

SHA256
748b268d91c50a7837e5c21aa2c219f85e085745cdc6233be2cc4a5812f986e4

SHA512
8860140f8150b8f61979dd3eb63413be27a010745faf81ab2cb9380d144dfc2bb3c2038c75233ac6c0d6d20d9be6e343244b096dd9bcc6536cade7db8481f442

Download Submit
C:\Windows\System\WIAtMaZ.exe

Filesize
1.6MB

MD5
e97b2dba6130b8f95658145d53ec45e5

SHA1
7717ccfcaaf2a346c62df5af6d37f4a07805875a

SHA256
09543e832f8934d13ab75ddc8c267617eed1cf4573b15f4e3a70e8cded0dd1f1

SHA512
3d7ded1e7a6f1d643b2eab2451404d58d6fd885d8799470f0f4c517fc8805c4ed4ca9d8466e66a4c505f135d018972cfefd5ccfa90f5fd1540281fc466140619

Download Submit
C:\Windows\System\YtnfGgl.exe

Filesize
1.6MB

MD5
b09d72441eab1e6b1435e61eb960a134

SHA1
be05e79afdb34b019f39c891f73a01b2ae929ffa

SHA256
e65d25f1928fd47626478721d17a0a3b395f6003abe8c53c404381ff0029c93a

SHA512
eca32fbb90f0932aa3e758dc5870b3468741e8206accfe14f9d787455118e8f09c84b847908e5426b588ae3d76533fba1c01f061ba83e2c2cff9545fc6955110

Download Submit
C:\Windows\System\ZpgWbIA.exe

Filesize
1.6MB

MD5
f1b3626df3009567cf9a8175ba288ffe

SHA1
a0d1398aeb626df37bb2d0bfa0e6cc42f6e1518a

SHA256
708ca438706a9f858f0a596f0492e3e225d3c3d8be36c6f39be5a8334f56da09

SHA512
e1a0d6e766cbfb0b9f8b0e6e1d3b3270df4c9e47393d9454e66e578d18e65c4ecba5b2b4a52bc9274976e59baf6211998d5194ba6b7741eb18f2b0989aae1d2f

Download Submit
C:\Windows\System\aFHvQOS.exe

Filesize
1.6MB

MD5
a937af00461d7742efb3fe34845f9d37

SHA1
618b853caa92237ef63d74b1ee1633b22d62ce36

SHA256
60f09828657046004304547d4cf563a3540b2e39da7d2918e41c0153e6acd76e

SHA512
2a52c8d177d433efaf647473f1b8360e12519e1e13d97bc58836be86cca0e1abaad131213df96b57516ad8febc85a109104ac3102cf8110ea45e26991d78ed31

Download Submit
C:\Windows\System\gUMDNVu.exe

Filesize
1.6MB

MD5
ba437ef7175da2eae75980f134e9d4b2

SHA1
7b7eefd513b4ef079bb66791b8f40cac7f9ccc88

SHA256
bcd3d7f77832bc57c78775f4e0bed916581a5e2569ba5b941b4dfe1e3b44fb4a

SHA512
21cd4c6cda732053f1a3f920d8144a94757dafea7d5226944d886497a66f37829e31e56d7105d6526ece12962ff3b06e005a594bd4bf4f14abb36e272ecfbd9c

Download Submit
C:\Windows\System\igCNBVY.exe

Filesize
1.6MB

MD5
a9f896ec156d4145fc44cb9199e15b3c

SHA1
00735eb330c7ea3d1f4bbf835b620b055d2b960b

SHA256
098be851a16bc68c29ce99d4786136dfa5f0e9c19ecef4fe4090e53e4fd92e7c

SHA512
2f74ba5de26e26ee7ec55400ffd5c50feda75ca759b6236296892e96f4d20f80a62fab94ed1cc003fc284f3baa30315957540fefb7baa8d35b4dd252ab478487

Download Submit
C:\Windows\System\inLHoqw.exe

Filesize
1.6MB

MD5
f995d5f9b47cc9ea57070f3832493c2c

SHA1
6cb487dc152f0f7b14a48a9e797e59cfd3794ba0

SHA256
3e7ef6da9b9885cac8c6dd7c86a8db3721e06b23c2b5bfc4109dd165feb3547f

SHA512
f845ce250b85c170da3d7c4c9cacbfb0f1c9e9b375a1f6f97286004a7817b9d3af06ccb8347b489817bcadc119831ec3589106af541971b808934ce324aeb735

Download Submit
C:\Windows\System\klCwYRf.exe

Filesize
1.6MB

MD5
1747323bc2705af181a9ebcbc5cd58fa

SHA1
d8eaea45a0edd58679d44caff55951c263d68965

SHA256
aa792c704de685ba73fd500a2ee2cc895ee9815e741b7fb02503af52d08a8218

SHA512
2c29329095804a1a0026f6b9610d66f9ff6a1db0bfe2126ee5ef0b7fc6436f9a6c706e930de687600bb096cc6e8ea2351cd36aa4529b011fa98c182f4f13e5a2

Download Submit
C:\Windows\System\kwyBWqC.exe

Filesize
1.6MB

MD5
abab4964dbfb8eb48153c81870d9b816

SHA1
4896dcd3eec9ca56ad9d9bd7e7b4e2d36ae24fd5

SHA256
443e23946e354a250d1218ecf74fcba5c401a5782b16929079016ef57525e6a5

SHA512
2425b4cfc8509bd81f6e983b88065bb9074978a3de435b742a8a65ebc39b679d613c86b489c6fa4f47472040a9c8b0d2ef32c6d0ea816aa86a9267cfce83d9ec

Download Submit
C:\Windows\System\nVOtQZY.exe

Filesize
1.6MB

MD5
dc7878c9f14ca0fa3fbb9cfcf55738ae

SHA1
1f82e8d6c684e8836be0168fe71aafcc07d9d696

SHA256
127277f9ae19de9c143e4cedff0f62eb499fac2e2d7d3b49c2bee8ba9809f9ac

SHA512
fa75df0c01f2f9a238aa45e569f5a7b91156e628ab0ff037f7b35efdd4d3e9bcc70483ea5bb6d7b1228272d3ca88f4dbffd0ded52df659fa92d572d808166287

Download Submit
C:\Windows\System\sAnAIgF.exe

Filesize
1.6MB

MD5
dde0f4630a1728714f859c421002521d

SHA1
8bbe5b554265b72724d1639263f0f6de5d2545b2

SHA256
86021658eb4ee962e29e24b301559f1cc41175a21350abd4923d79a31117d89e

SHA512
73c30258a54d6731da01886884c27a9f7c0692758295b0a3826aa2aa004b89ad2ac71a3d28f1a96c369cb521fdeb73f7792dcdde125bc09a9de6d1a433d53e67

Download Submit
C:\Windows\System\xdGgyNI.exe

Filesize
1.6MB

MD5
f85b796eb03dadcd1f92aaed9cb79e6f

SHA1
56d4da1ec16720a6af5d19b19fb7808df3d78db6

SHA256
a719e7d132a59e2d79d90d72ab60fa208c75d3e8b3defbbf19b581d7db480f49

SHA512
9499ed081536015b5ef4881d9cb93b34131cd8c73889d3ba55b536823cfbaeaa28895050ea5fe23b72ce5c0c108176a9c4b61ccbb42b397589de140fbeac4a4e

Download Submit
C:\Windows\System\ypopjfw.exe

Filesize
1.6MB

MD5
99378256a3de27db178cade54301e3ce

SHA1
7160f62407ba252d47fa78963be2ce5ff2b7cab3

SHA256
d4abd54cf467edf7ba303e52f8993a2c9198d2cba387b904c30adfcdb15946d2

SHA512
fd88002450784fb79c9cd5e0bceb036f81086001738eb4903175ef5d19e3bd46c48a1c0fc8a9dc693629b68b2634d9e0826fef82e18dc13b25089fa2dceb922f

Download Submit
C:\Windows\System\zLsNras.exe

Filesize
1.6MB

MD5
9ee2310c76ebf392921d259f99a13dd1

SHA1
d16a82127e1d0006a3510c1f1e0335109645e159

SHA256
05fcbbee44f0442b5b543b8a81a771baaa90af3cb281ccf44b05ade0978edfca

SHA512
c7dc99e897dea9d5911924397a73deb9c9a534e9fbdd8f474aab85b32d80755b968f38852c877a93eb2f1da633b57b2a65ad739277931d30c66721b7734b0d9f

Download Submit
C:\Windows\System\zXsZZgJ.exe

Filesize
1.6MB

MD5
ddca7bf308b3cb642e5452d1d282a713

SHA1
65127e00437c917807ca781099435ac8826d6ab1

SHA256
04fa3ca45645cf7738095ee27f43495e7304c1192cef9a861b8078d485a3f286

SHA512
5dec8394fb018e2b4307e1b296e5069e88e03a3dd6d852f413b47048efc4474c482a206a5bb497d535e3eee0ba7cb6f0d0626211adc0f3238bc499c6691ead75

Download Submit
memory/440-2877-0x00007FF6AB6E0000-0x00007FF6ABAD2000-memory.dmp

Filesize
3.9MB

Download
memory/440-525-0x00007FF6AB6E0000-0x00007FF6ABAD2000-memory.dmp

Filesize
3.9MB

Download
memory/556-511-0x00007FF650B30000-0x00007FF650F22000-memory.dmp

Filesize
3.9MB

Download
memory/556-2872-0x00007FF650B30000-0x00007FF650F22000-memory.dmp

Filesize
3.9MB

Download
memory/640-583-0x00007FF65B1E0000-0x00007FF65B5D2000-memory.dmp

Filesize
3.9MB

Download
memory/640-2889-0x00007FF65B1E0000-0x00007FF65B5D2000-memory.dmp

Filesize
3.9MB

Download
memory/712-2867-0x00007FF6A6140000-0x00007FF6A6532000-memory.dmp

Filesize
3.9MB

Download
memory/712-674-0x00007FF6A6140000-0x00007FF6A6532000-memory.dmp

Filesize
3.9MB

Download
memory/840-2892-0x00007FF653890000-0x00007FF653C82000-memory.dmp

Filesize
3.9MB

Download
memory/840-590-0x00007FF653890000-0x00007FF653C82000-memory.dmp

Filesize
3.9MB

Download
memory/1628-0-0x00007FF6F5450000-0x00007FF6F5842000-memory.dmp

Filesize
3.9MB

Download
memory/1628-1-0x0000021CF5D70000-0x0000021CF5D80000-memory.dmp

Filesize
64KB

Download
memory/2380-631-0x00007FF756710000-0x00007FF756B02000-memory.dmp

Filesize
3.9MB

Download
memory/2380-2897-0x00007FF756710000-0x00007FF756B02000-memory.dmp

Filesize
3.9MB

Download
memory/2596-2881-0x00007FF761D00000-0x00007FF7620F2000-memory.dmp

Filesize
3.9MB

Download
memory/2596-484-0x00007FF761D00000-0x00007FF7620F2000-memory.dmp

Filesize
3.9MB

Download
memory/2684-518-0x00007FF6D8530000-0x00007FF6D8922000-memory.dmp

Filesize
3.9MB

Download
memory/2684-2880-0x00007FF6D8530000-0x00007FF6D8922000-memory.dmp

Filesize
3.9MB

Download
memory/2764-489-0x00007FF6050E0000-0x00007FF6054D2000-memory.dmp

Filesize
3.9MB

Download
memory/2764-2876-0x00007FF6050E0000-0x00007FF6054D2000-memory.dmp

Filesize
3.9MB

Download
memory/2928-2869-0x00007FF729810000-0x00007FF729C02000-memory.dmp

Filesize
3.9MB

Download
memory/2928-472-0x00007FF729810000-0x00007FF729C02000-memory.dmp

Filesize
3.9MB

Download
memory/3132-2909-0x00007FF708C10000-0x00007FF709002000-memory.dmp

Filesize
3.9MB

Download
memory/3132-661-0x00007FF708C10000-0x00007FF709002000-memory.dmp

Filesize
3.9MB

Download
memory/3136-2899-0x00007FF710890000-0x00007FF710C82000-memory.dmp

Filesize
3.9MB

Download
memory/3136-635-0x00007FF710890000-0x00007FF710C82000-memory.dmp

Filesize
3.9MB

Download
memory/3208-2913-0x00007FF725E90000-0x00007FF726282000-memory.dmp

Filesize
3.9MB

Download
memory/3208-640-0x00007FF725E90000-0x00007FF726282000-memory.dmp

Filesize
3.9MB

Download
memory/3528-622-0x00007FF7F07E0000-0x00007FF7F0BD2000-memory.dmp

Filesize
3.9MB

Download
memory/3528-2895-0x00007FF7F07E0000-0x00007FF7F0BD2000-memory.dmp

Filesize
3.9MB

Download
memory/4188-597-0x00007FF760E00000-0x00007FF7611F2000-memory.dmp

Filesize
3.9MB

Download
memory/4188-2893-0x00007FF760E00000-0x00007FF7611F2000-memory.dmp

Filesize
3.9MB

Download
memory/4232-2859-0x00007FF799820000-0x00007FF799C12000-memory.dmp

Filesize
3.9MB

Download
memory/4232-668-0x00007FF799820000-0x00007FF799C12000-memory.dmp

Filesize
3.9MB

Download
memory/4296-2857-0x00007FF6612B0000-0x00007FF6616A2000-memory.dmp

Filesize
3.9MB

Download
memory/4296-14-0x00007FF6612B0000-0x00007FF6616A2000-memory.dmp

Filesize
3.9MB

Download
memory/4472-50-0x00000116BCC30000-0x00000116BCC52000-memory.dmp

Filesize
136KB

Download
memory/4472-17-0x00007FF8010B3000-0x00007FF8010B5000-memory.dmp

Filesize
8KB

Download
memory/4472-2977-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

Filesize
10.8MB

Download
memory/4472-455-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

Filesize
10.8MB

Download
memory/4472-30-0x00007FF8010B0000-0x00007FF801B71000-memory.dmp

Filesize
10.8MB

Download
memory/4472-173-0x00000116D5A20000-0x00000116D61C6000-memory.dmp

Filesize
7.6MB

Download
memory/4488-2874-0x00007FF6F7E00000-0x00007FF6F81F2000-memory.dmp

Filesize
3.9MB

Download
memory/4488-493-0x00007FF6F7E00000-0x00007FF6F81F2000-memory.dmp

Filesize
3.9MB

Download
memory/4520-496-0x00007FF77F220000-0x00007FF77F612000-memory.dmp

Filesize
3.9MB

Download
memory/4520-2883-0x00007FF77F220000-0x00007FF77F612000-memory.dmp

Filesize
3.9MB

Download
memory/4620-522-0x00007FF6A2E30000-0x00007FF6A3222000-memory.dmp

Filesize
3.9MB

Download
memory/4620-2885-0x00007FF6A2E30000-0x00007FF6A3222000-memory.dmp

Filesize
3.9MB

Download
memory/4724-2887-0x00007FF7B5480000-0x00007FF7B5872000-memory.dmp

Filesize
3.9MB

Download
memory/4724-530-0x00007FF7B5480000-0x00007FF7B5872000-memory.dmp

Filesize
3.9MB

Download
memory/4780-424-0x00007FF7FCF10000-0x00007FF7FD302000-memory.dmp

Filesize
3.9MB

Download
memory/4780-2862-0x00007FF7FCF10000-0x00007FF7FD302000-memory.dmp

Filesize
3.9MB

Download
memory/4932-2863-0x00007FF72B1B0000-0x00007FF72B5A2000-memory.dmp

Filesize
3.9MB

Download
memory/4932-671-0x00007FF72B1B0000-0x00007FF72B5A2000-memory.dmp

Filesize
3.9MB

Download
memory/5104-461-0x00007FF7E5D10000-0x00007FF7E6102000-memory.dmp

Filesize
3.9MB

Download
memory/5104-2865-0x00007FF7E5D10000-0x00007FF7E6102000-memory.dmp

Filesize
3.9MB

Download