xmrig | 5d3d88fc22bec3f39635cd2020653728b4be9d482509b09ac04634f46fe1d544

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
05/06/2024, 05:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
Size

1.7MB
MD5

3f03b079791134232a2d2b9b7575cf80
SHA1

da1d3216ce2becdc74db8489a31b73c2170e4afa
SHA256

5d3d88fc22bec3f39635cd2020653728b4be9d482509b09ac04634f46fe1d544
SHA512

c53f53dd53ef95a1ab8f8f0bad59657d46d9f7bf8511b12c5b00f9ec792c107b4e0a5343f5d4e69674da51c273e62ddacccc1330251d47b6d7f8fae24d591502
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkFfkeMGvGr1t4oAirbNIjTqaQV/cets/p1GeliO:Lz071uv4BPMkFfdk2auTqao/c/pmO

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 12368 created 1052	12368	WerFaultSecure.exe	79

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3552-21-0x00007FF78E3F0000-0x00007FF78E7E2000-memory.dmp	xmrig
behavioral2/memory/1404-415-0x00007FF773A00000-0x00007FF773DF2000-memory.dmp	xmrig
behavioral2/memory/5080-429-0x00007FF63D750000-0x00007FF63DB42000-memory.dmp	xmrig
behavioral2/memory/3228-454-0x00007FF7D03D0000-0x00007FF7D07C2000-memory.dmp	xmrig
behavioral2/memory/3136-457-0x00007FF743D90000-0x00007FF744182000-memory.dmp	xmrig
behavioral2/memory/3976-467-0x00007FF62CD10000-0x00007FF62D102000-memory.dmp	xmrig
behavioral2/memory/3904-449-0x00007FF606410000-0x00007FF606802000-memory.dmp	xmrig
behavioral2/memory/4000-428-0x00007FF79E4F0000-0x00007FF79E8E2000-memory.dmp	xmrig
behavioral2/memory/1748-473-0x00007FF633C20000-0x00007FF634012000-memory.dmp	xmrig
behavioral2/memory/2864-482-0x00007FF730850000-0x00007FF730C42000-memory.dmp	xmrig
behavioral2/memory/2712-506-0x00007FF7F1690000-0x00007FF7F1A82000-memory.dmp	xmrig
behavioral2/memory/4968-517-0x00007FF668790000-0x00007FF668B82000-memory.dmp	xmrig
behavioral2/memory/1664-502-0x00007FF65B350000-0x00007FF65B742000-memory.dmp	xmrig
behavioral2/memory/4704-494-0x00007FF66E4C0000-0x00007FF66E8B2000-memory.dmp	xmrig
behavioral2/memory/5064-490-0x00007FF7DBCF0000-0x00007FF7DC0E2000-memory.dmp	xmrig
behavioral2/memory/4796-489-0x00007FF6C6180000-0x00007FF6C6572000-memory.dmp	xmrig
behavioral2/memory/60-549-0x00007FF66DAB0000-0x00007FF66DEA2000-memory.dmp	xmrig
behavioral2/memory/2596-571-0x00007FF7F48F0000-0x00007FF7F4CE2000-memory.dmp	xmrig
behavioral2/memory/1864-574-0x00007FF77CF50000-0x00007FF77D342000-memory.dmp	xmrig
behavioral2/memory/1820-559-0x00007FF7B33D0000-0x00007FF7B37C2000-memory.dmp	xmrig
behavioral2/memory/4524-553-0x00007FF7F9890000-0x00007FF7F9C82000-memory.dmp	xmrig
behavioral2/memory/1376-547-0x00007FF7CC340000-0x00007FF7CC732000-memory.dmp	xmrig
behavioral2/memory/1228-539-0x00007FF63C7A0000-0x00007FF63CB92000-memory.dmp	xmrig
behavioral2/memory/3196-3030-0x00007FF7CB2B0000-0x00007FF7CB6A2000-memory.dmp	xmrig
behavioral2/memory/1404-3044-0x00007FF773A00000-0x00007FF773DF2000-memory.dmp	xmrig
behavioral2/memory/3552-3046-0x00007FF78E3F0000-0x00007FF78E7E2000-memory.dmp	xmrig
behavioral2/memory/1864-3082-0x00007FF77CF50000-0x00007FF77D342000-memory.dmp	xmrig
behavioral2/memory/4000-3091-0x00007FF79E4F0000-0x00007FF79E8E2000-memory.dmp	xmrig
behavioral2/memory/3228-3093-0x00007FF7D03D0000-0x00007FF7D07C2000-memory.dmp	xmrig
behavioral2/memory/3904-3099-0x00007FF606410000-0x00007FF606802000-memory.dmp	xmrig
behavioral2/memory/3976-3111-0x00007FF62CD10000-0x00007FF62D102000-memory.dmp	xmrig
behavioral2/memory/2864-3126-0x00007FF730850000-0x00007FF730C42000-memory.dmp	xmrig
behavioral2/memory/1748-3123-0x00007FF633C20000-0x00007FF634012000-memory.dmp	xmrig
behavioral2/memory/2712-3162-0x00007FF7F1690000-0x00007FF7F1A82000-memory.dmp	xmrig
behavioral2/memory/4968-3164-0x00007FF668790000-0x00007FF668B82000-memory.dmp	xmrig
behavioral2/memory/1228-3166-0x00007FF63C7A0000-0x00007FF63CB92000-memory.dmp	xmrig
behavioral2/memory/1376-3168-0x00007FF7CC340000-0x00007FF7CC732000-memory.dmp	xmrig
behavioral2/memory/60-3170-0x00007FF66DAB0000-0x00007FF66DEA2000-memory.dmp	xmrig
behavioral2/memory/1664-3160-0x00007FF65B350000-0x00007FF65B742000-memory.dmp	xmrig
behavioral2/memory/4704-3145-0x00007FF66E4C0000-0x00007FF66E8B2000-memory.dmp	xmrig
behavioral2/memory/5064-3143-0x00007FF7DBCF0000-0x00007FF7DC0E2000-memory.dmp	xmrig
behavioral2/memory/4796-3139-0x00007FF6C6180000-0x00007FF6C6572000-memory.dmp	xmrig
behavioral2/memory/3136-3115-0x00007FF743D90000-0x00007FF744182000-memory.dmp	xmrig
behavioral2/memory/5080-3081-0x00007FF63D750000-0x00007FF63DB42000-memory.dmp	xmrig
behavioral2/memory/3196-3076-0x00007FF7CB2B0000-0x00007FF7CB6A2000-memory.dmp	xmrig
behavioral2/memory/4524-3189-0x00007FF7F9890000-0x00007FF7F9C82000-memory.dmp	xmrig
behavioral2/memory/2596-3180-0x00007FF7F48F0000-0x00007FF7F4CE2000-memory.dmp	xmrig
behavioral2/memory/1820-3178-0x00007FF7B33D0000-0x00007FF7B37C2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	3604	powershell.exe
9	3604	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3604	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1404	DhFhYGM.exe
3552	OlLcXKS.exe
3196	cCCkOfI.exe
4000	hHjDZuw.exe
5080	YGjgPPS.exe
1864	zTbTKpG.exe
3904	wTiNfDi.exe
3228	uXLVMhR.exe
3136	KBZqZOi.exe
3976	mYGcbvS.exe
1748	PuRscAM.exe
2864	zZNHDfj.exe
4796	ycMmhdp.exe
5064	LznAblu.exe
4704	MMfQAqb.exe
1664	ERSpFIX.exe
2712	zjrbJeB.exe
4968	SlFfYIi.exe
1228	nTBdQfO.exe
1376	XfsFsOA.exe
60	LACnCLh.exe
4524	MHNbMlr.exe
1820	ktEZQES.exe
2596	ofxcecP.exe
4080	GguCbeH.exe
1560	QNQRxFH.exe
1400	kBKWUMj.exe
2540	nzNkcSN.exe
4040	AHxkHMk.exe
2180	tZvgzJm.exe
2100	AtvxXiG.exe
1080	tXuElDF.exe
1504	rtBccZF.exe
1744	AhiwMem.exe
2824	sVbbaiW.exe
1284	cOlADRP.exe
3148	svfhvhe.exe
4512	hOvIrDW.exe
1808	ceAhalr.exe
3376	uBNFKCd.exe
3176	IeYZvbM.exe
4280	CzmsvJh.exe
4872	lRRzrDB.exe
796	FfFQbSB.exe
4404	YmGykPs.exe
1888	adWHJim.exe
2708	sPEKaZz.exe
3920	VEpAnRq.exe
2732	LtIxplp.exe
8	oifOdDK.exe
3584	oauRjma.exe
5012	MpNZuLP.exe
2684	rzcNlxc.exe
3320	OkvOlvq.exe
4600	EcMWLtn.exe
3028	tSznijb.exe
3788	rgltDcu.exe
2968	ytQnXBo.exe
2196	VInIViK.exe
3704	VfahmiI.exe
4172	SJZcZUg.exe
2820	BDVAaJx.exe
4504	NNVuBNZ.exe
1724	JkzsGkI.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2108-0-0x00007FF6DEAA0000-0x00007FF6DEE92000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-6.dat	upx
behavioral2/files/0x0008000000023402-10.dat	upx
behavioral2/files/0x0007000000023405-24.dat	upx
behavioral2/files/0x0007000000023403-25.dat	upx
behavioral2/files/0x0007000000023406-42.dat	upx
behavioral2/files/0x0007000000023407-49.dat	upx
behavioral2/files/0x0008000000023408-62.dat	upx
behavioral2/files/0x000700000002340b-73.dat	upx
behavioral2/files/0x0007000000023412-102.dat	upx
behavioral2/files/0x0007000000023414-120.dat	upx
behavioral2/files/0x0007000000023417-127.dat	upx
behavioral2/files/0x0007000000023418-140.dat	upx
behavioral2/files/0x000700000002341b-155.dat	upx
behavioral2/files/0x0007000000023421-177.dat	upx
behavioral2/files/0x000700000002341f-175.dat	upx
behavioral2/files/0x0007000000023420-172.dat	upx
behavioral2/files/0x000700000002341e-170.dat	upx
behavioral2/files/0x000700000002341d-165.dat	upx
behavioral2/files/0x000700000002341c-160.dat	upx
behavioral2/files/0x000700000002341a-150.dat	upx
behavioral2/files/0x0007000000023419-145.dat	upx
behavioral2/files/0x0007000000023416-130.dat	upx
behavioral2/files/0x0007000000023415-125.dat	upx
behavioral2/files/0x0007000000023413-115.dat	upx
behavioral2/files/0x0007000000023411-105.dat	upx
behavioral2/files/0x0007000000023410-100.dat	upx
behavioral2/files/0x000700000002340f-95.dat	upx
behavioral2/files/0x000700000002340e-90.dat	upx
behavioral2/files/0x000700000002340d-83.dat	upx
behavioral2/files/0x000700000002340c-78.dat	upx
behavioral2/files/0x0008000000023409-63.dat	upx
behavioral2/files/0x000700000002340a-55.dat	upx
behavioral2/files/0x0007000000023404-28.dat	upx
behavioral2/memory/3196-26-0x00007FF7CB2B0000-0x00007FF7CB6A2000-memory.dmp	upx
behavioral2/memory/3552-21-0x00007FF78E3F0000-0x00007FF78E7E2000-memory.dmp	upx
behavioral2/memory/1404-415-0x00007FF773A00000-0x00007FF773DF2000-memory.dmp	upx
behavioral2/memory/5080-429-0x00007FF63D750000-0x00007FF63DB42000-memory.dmp	upx
behavioral2/memory/3228-454-0x00007FF7D03D0000-0x00007FF7D07C2000-memory.dmp	upx
behavioral2/memory/3136-457-0x00007FF743D90000-0x00007FF744182000-memory.dmp	upx
behavioral2/memory/3976-467-0x00007FF62CD10000-0x00007FF62D102000-memory.dmp	upx
behavioral2/memory/3904-449-0x00007FF606410000-0x00007FF606802000-memory.dmp	upx
behavioral2/memory/4000-428-0x00007FF79E4F0000-0x00007FF79E8E2000-memory.dmp	upx
behavioral2/memory/1748-473-0x00007FF633C20000-0x00007FF634012000-memory.dmp	upx
behavioral2/memory/2864-482-0x00007FF730850000-0x00007FF730C42000-memory.dmp	upx
behavioral2/memory/2712-506-0x00007FF7F1690000-0x00007FF7F1A82000-memory.dmp	upx
behavioral2/memory/4968-517-0x00007FF668790000-0x00007FF668B82000-memory.dmp	upx
behavioral2/memory/1664-502-0x00007FF65B350000-0x00007FF65B742000-memory.dmp	upx
behavioral2/memory/4704-494-0x00007FF66E4C0000-0x00007FF66E8B2000-memory.dmp	upx
behavioral2/memory/5064-490-0x00007FF7DBCF0000-0x00007FF7DC0E2000-memory.dmp	upx
behavioral2/memory/4796-489-0x00007FF6C6180000-0x00007FF6C6572000-memory.dmp	upx
behavioral2/memory/60-549-0x00007FF66DAB0000-0x00007FF66DEA2000-memory.dmp	upx
behavioral2/memory/2596-571-0x00007FF7F48F0000-0x00007FF7F4CE2000-memory.dmp	upx
behavioral2/memory/1864-574-0x00007FF77CF50000-0x00007FF77D342000-memory.dmp	upx
behavioral2/memory/1820-559-0x00007FF7B33D0000-0x00007FF7B37C2000-memory.dmp	upx
behavioral2/memory/4524-553-0x00007FF7F9890000-0x00007FF7F9C82000-memory.dmp	upx
behavioral2/memory/1376-547-0x00007FF7CC340000-0x00007FF7CC732000-memory.dmp	upx
behavioral2/memory/1228-539-0x00007FF63C7A0000-0x00007FF63CB92000-memory.dmp	upx
behavioral2/memory/3196-3030-0x00007FF7CB2B0000-0x00007FF7CB6A2000-memory.dmp	upx
behavioral2/memory/1404-3044-0x00007FF773A00000-0x00007FF773DF2000-memory.dmp	upx
behavioral2/memory/3552-3046-0x00007FF78E3F0000-0x00007FF78E7E2000-memory.dmp	upx
behavioral2/memory/1864-3082-0x00007FF77CF50000-0x00007FF77D342000-memory.dmp	upx
behavioral2/memory/4000-3091-0x00007FF79E4F0000-0x00007FF79E8E2000-memory.dmp	upx
behavioral2/memory/3228-3093-0x00007FF7D03D0000-0x00007FF7D07C2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\koDOyFO.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\peIItWK.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\OzmIRIO.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\VOrLgmj.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\XUrJcyi.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\NufJnbl.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\cCCkOfI.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\AXKxMwY.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\jgMBKvl.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\jGjgGAZ.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\bLohOnP.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\zSUIBTw.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\biQXZsA.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\HptxgdL.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\eDFpdov.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\YgcmTyo.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\QnZLOdh.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\oPyOhAj.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\mkTAwWC.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\VIDOzbL.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\mUjnHLB.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\jzDxvfc.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\UCClmlL.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\fwSxgtt.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\URznFQm.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\PhCwITk.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\UZyAngn.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\BfmLdix.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\foaODDI.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\foNVqeb.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\VHxgPzS.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\sPsSqLy.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\slNdxXJ.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\OoUXiaX.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\WWOVNpQ.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\JdXbeux.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\pPNyFZp.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\dbHlscq.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\gmkKUmB.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\aqnUwUe.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\ChVzDcP.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\jrkXaaC.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\RkFYHvH.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\VcmfAmI.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\ixlTpTT.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\NqoPOmd.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\ylsVUJm.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\HxzjFfD.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\IxNYDZp.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\pLzteFj.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\WhUlQbY.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\tdTbGsz.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\sSZanuE.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\cKXhTBB.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\UPkQETV.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\iXmuRNZ.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\iRKxONE.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\qnlswXP.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\LeKIhJl.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\LJFCiDc.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\sGjQHbf.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\KdBXIbd.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\VgCUWwv.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
File created	C:\Windows\System\pmLPfAP.exe	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3604	powershell.exe
3604	powershell.exe
12752	WerFaultSecure.exe
12752	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeLockMemoryPrivilege	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3604	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	84
PID 2108 wrote to memory of 3604	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	84
PID 2108 wrote to memory of 1404	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	85
PID 2108 wrote to memory of 1404	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	85
PID 2108 wrote to memory of 3552	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	86
PID 2108 wrote to memory of 3552	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	86
PID 2108 wrote to memory of 3196	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	87
PID 2108 wrote to memory of 3196	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	87
PID 2108 wrote to memory of 4000	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	88
PID 2108 wrote to memory of 4000	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	88
PID 2108 wrote to memory of 5080	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	89
PID 2108 wrote to memory of 5080	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	89
PID 2108 wrote to memory of 1864	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	90
PID 2108 wrote to memory of 1864	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	90
PID 2108 wrote to memory of 3904	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	91
PID 2108 wrote to memory of 3904	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	91
PID 2108 wrote to memory of 3228	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	92
PID 2108 wrote to memory of 3228	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	92
PID 2108 wrote to memory of 3136	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	93
PID 2108 wrote to memory of 3136	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	93
PID 2108 wrote to memory of 3976	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	94
PID 2108 wrote to memory of 3976	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	94
PID 2108 wrote to memory of 1748	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	95
PID 2108 wrote to memory of 1748	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	95
PID 2108 wrote to memory of 2864	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	96
PID 2108 wrote to memory of 2864	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	96
PID 2108 wrote to memory of 4796	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	97
PID 2108 wrote to memory of 4796	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	97
PID 2108 wrote to memory of 5064	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	98
PID 2108 wrote to memory of 5064	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	98
PID 2108 wrote to memory of 4704	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	99
PID 2108 wrote to memory of 4704	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	99
PID 2108 wrote to memory of 1664	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	100
PID 2108 wrote to memory of 1664	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	100
PID 2108 wrote to memory of 2712	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	101
PID 2108 wrote to memory of 2712	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	101
PID 2108 wrote to memory of 4968	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	102
PID 2108 wrote to memory of 4968	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	102
PID 2108 wrote to memory of 1228	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	103
PID 2108 wrote to memory of 1228	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	103
PID 2108 wrote to memory of 1376	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	104
PID 2108 wrote to memory of 1376	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	104
PID 2108 wrote to memory of 60	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	105
PID 2108 wrote to memory of 60	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	105
PID 2108 wrote to memory of 4524	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	106
PID 2108 wrote to memory of 4524	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	106
PID 2108 wrote to memory of 1820	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	107
PID 2108 wrote to memory of 1820	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	107
PID 2108 wrote to memory of 2596	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	108
PID 2108 wrote to memory of 2596	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	108
PID 2108 wrote to memory of 4080	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	109
PID 2108 wrote to memory of 4080	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	109
PID 2108 wrote to memory of 1560	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	110
PID 2108 wrote to memory of 1560	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	110
PID 2108 wrote to memory of 1400	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	111
PID 2108 wrote to memory of 1400	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	111
PID 2108 wrote to memory of 2540	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	112
PID 2108 wrote to memory of 2540	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	112
PID 2108 wrote to memory of 4040	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	113
PID 2108 wrote to memory of 4040	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	113
PID 2108 wrote to memory of 2180	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	114
PID 2108 wrote to memory of 2180	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	114
PID 2108 wrote to memory of 2100	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	115
PID 2108 wrote to memory of 2100	2108	3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe	115

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc
1⤵
PID:1052
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 1052 -s 1640
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:12752

C:\Users\Admin\AppData\Local\Temp\3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3f03b079791134232a2d2b9b7575cf80_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3604
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3604" "2960" "2896" "2964" "0" "0" "2968" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13284
- C:\Windows\System\DhFhYGM.exe
  C:\Windows\System\DhFhYGM.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\OlLcXKS.exe
  C:\Windows\System\OlLcXKS.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\cCCkOfI.exe
  C:\Windows\System\cCCkOfI.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\hHjDZuw.exe
  C:\Windows\System\hHjDZuw.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\YGjgPPS.exe
  C:\Windows\System\YGjgPPS.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\zTbTKpG.exe
  C:\Windows\System\zTbTKpG.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\wTiNfDi.exe
  C:\Windows\System\wTiNfDi.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\uXLVMhR.exe
  C:\Windows\System\uXLVMhR.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\KBZqZOi.exe
  C:\Windows\System\KBZqZOi.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System\mYGcbvS.exe
  C:\Windows\System\mYGcbvS.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\PuRscAM.exe
  C:\Windows\System\PuRscAM.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\zZNHDfj.exe
  C:\Windows\System\zZNHDfj.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\ycMmhdp.exe
  C:\Windows\System\ycMmhdp.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\LznAblu.exe
  C:\Windows\System\LznAblu.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\MMfQAqb.exe
  C:\Windows\System\MMfQAqb.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\ERSpFIX.exe
  C:\Windows\System\ERSpFIX.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\zjrbJeB.exe
  C:\Windows\System\zjrbJeB.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\SlFfYIi.exe
  C:\Windows\System\SlFfYIi.exe
  2⤵
  - Executes dropped EXE
  PID:4968
- C:\Windows\System\nTBdQfO.exe
  C:\Windows\System\nTBdQfO.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\XfsFsOA.exe
  C:\Windows\System\XfsFsOA.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\LACnCLh.exe
  C:\Windows\System\LACnCLh.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\MHNbMlr.exe
  C:\Windows\System\MHNbMlr.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\ktEZQES.exe
  C:\Windows\System\ktEZQES.exe
  2⤵
  - Executes dropped EXE
  PID:1820
- C:\Windows\System\ofxcecP.exe
  C:\Windows\System\ofxcecP.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System\GguCbeH.exe
  C:\Windows\System\GguCbeH.exe
  2⤵
  - Executes dropped EXE
  PID:4080
- C:\Windows\System\QNQRxFH.exe
  C:\Windows\System\QNQRxFH.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\kBKWUMj.exe
  C:\Windows\System\kBKWUMj.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\nzNkcSN.exe
  C:\Windows\System\nzNkcSN.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\AHxkHMk.exe
  C:\Windows\System\AHxkHMk.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\tZvgzJm.exe
  C:\Windows\System\tZvgzJm.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\AtvxXiG.exe
  C:\Windows\System\AtvxXiG.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\tXuElDF.exe
  C:\Windows\System\tXuElDF.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\rtBccZF.exe
  C:\Windows\System\rtBccZF.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\AhiwMem.exe
  C:\Windows\System\AhiwMem.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\sVbbaiW.exe
  C:\Windows\System\sVbbaiW.exe
  2⤵
  - Executes dropped EXE
  PID:2824
- C:\Windows\System\cOlADRP.exe
  C:\Windows\System\cOlADRP.exe
  2⤵
  - Executes dropped EXE
  PID:1284
- C:\Windows\System\svfhvhe.exe
  C:\Windows\System\svfhvhe.exe
  2⤵
  - Executes dropped EXE
  PID:3148
- C:\Windows\System\hOvIrDW.exe
  C:\Windows\System\hOvIrDW.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\ceAhalr.exe
  C:\Windows\System\ceAhalr.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\uBNFKCd.exe
  C:\Windows\System\uBNFKCd.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\IeYZvbM.exe
  C:\Windows\System\IeYZvbM.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\CzmsvJh.exe
  C:\Windows\System\CzmsvJh.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\lRRzrDB.exe
  C:\Windows\System\lRRzrDB.exe
  2⤵
  - Executes dropped EXE
  PID:4872
- C:\Windows\System\FfFQbSB.exe
  C:\Windows\System\FfFQbSB.exe
  2⤵
  - Executes dropped EXE
  PID:796
- C:\Windows\System\YmGykPs.exe
  C:\Windows\System\YmGykPs.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\adWHJim.exe
  C:\Windows\System\adWHJim.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\sPEKaZz.exe
  C:\Windows\System\sPEKaZz.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\VEpAnRq.exe
  C:\Windows\System\VEpAnRq.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\LtIxplp.exe
  C:\Windows\System\LtIxplp.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\oifOdDK.exe
  C:\Windows\System\oifOdDK.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\oauRjma.exe
  C:\Windows\System\oauRjma.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\MpNZuLP.exe
  C:\Windows\System\MpNZuLP.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\rzcNlxc.exe
  C:\Windows\System\rzcNlxc.exe
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Windows\System\OkvOlvq.exe
  C:\Windows\System\OkvOlvq.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\EcMWLtn.exe
  C:\Windows\System\EcMWLtn.exe
  2⤵
  - Executes dropped EXE
  PID:4600
- C:\Windows\System\tSznijb.exe
  C:\Windows\System\tSznijb.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\rgltDcu.exe
  C:\Windows\System\rgltDcu.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\ytQnXBo.exe
  C:\Windows\System\ytQnXBo.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\VInIViK.exe
  C:\Windows\System\VInIViK.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\VfahmiI.exe
  C:\Windows\System\VfahmiI.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\SJZcZUg.exe
  C:\Windows\System\SJZcZUg.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\BDVAaJx.exe
  C:\Windows\System\BDVAaJx.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\NNVuBNZ.exe
  C:\Windows\System\NNVuBNZ.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\JkzsGkI.exe
  C:\Windows\System\JkzsGkI.exe
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Windows\System\pSVNhVN.exe
  C:\Windows\System\pSVNhVN.exe
  2⤵
  PID:2408
- C:\Windows\System\rzYrsgc.exe
  C:\Windows\System\rzYrsgc.exe
  2⤵
  PID:4812
- C:\Windows\System\YlzaUsn.exe
  C:\Windows\System\YlzaUsn.exe
  2⤵
  PID:1244
- C:\Windows\System\KycXJaV.exe
  C:\Windows\System\KycXJaV.exe
  2⤵
  PID:4820
- C:\Windows\System\hUxcCtG.exe
  C:\Windows\System\hUxcCtG.exe
  2⤵
  PID:2372
- C:\Windows\System\gmkKUmB.exe
  C:\Windows\System\gmkKUmB.exe
  2⤵
  PID:1948
- C:\Windows\System\MWaeogn.exe
  C:\Windows\System\MWaeogn.exe
  2⤵
  PID:1164
- C:\Windows\System\WDUJAOR.exe
  C:\Windows\System\WDUJAOR.exe
  2⤵
  PID:408
- C:\Windows\System\iRhsScW.exe
  C:\Windows\System\iRhsScW.exe
  2⤵
  PID:3492
- C:\Windows\System\QhBbMJu.exe
  C:\Windows\System\QhBbMJu.exe
  2⤵
  PID:4596
- C:\Windows\System\fQcDFXC.exe
  C:\Windows\System\fQcDFXC.exe
  2⤵
  PID:2700
- C:\Windows\System\ZtOjYfh.exe
  C:\Windows\System\ZtOjYfh.exe
  2⤵
  PID:3768
- C:\Windows\System\rlKCmEO.exe
  C:\Windows\System\rlKCmEO.exe
  2⤵
  PID:4348
- C:\Windows\System\ERfxoGi.exe
  C:\Windows\System\ERfxoGi.exe
  2⤵
  PID:1500
- C:\Windows\System\wteFrAI.exe
  C:\Windows\System\wteFrAI.exe
  2⤵
  PID:5152
- C:\Windows\System\HPbfWdT.exe
  C:\Windows\System\HPbfWdT.exe
  2⤵
  PID:5176
- C:\Windows\System\sWECIIa.exe
  C:\Windows\System\sWECIIa.exe
  2⤵
  PID:5204
- C:\Windows\System\ZKliKJq.exe
  C:\Windows\System\ZKliKJq.exe
  2⤵
  PID:5236
- C:\Windows\System\vedRYNx.exe
  C:\Windows\System\vedRYNx.exe
  2⤵
  PID:5260
- C:\Windows\System\BaEawYz.exe
  C:\Windows\System\BaEawYz.exe
  2⤵
  PID:5296
- C:\Windows\System\NQbvYru.exe
  C:\Windows\System\NQbvYru.exe
  2⤵
  PID:5320
- C:\Windows\System\hwnxsoi.exe
  C:\Windows\System\hwnxsoi.exe
  2⤵
  PID:5348
- C:\Windows\System\wKnqjFx.exe
  C:\Windows\System\wKnqjFx.exe
  2⤵
  PID:5372
- C:\Windows\System\jGjgGAZ.exe
  C:\Windows\System\jGjgGAZ.exe
  2⤵
  PID:5404
- C:\Windows\System\dMkBzPj.exe
  C:\Windows\System\dMkBzPj.exe
  2⤵
  PID:5432
- C:\Windows\System\ANrQjLG.exe
  C:\Windows\System\ANrQjLG.exe
  2⤵
  PID:5456
- C:\Windows\System\nGFhXHs.exe
  C:\Windows\System\nGFhXHs.exe
  2⤵
  PID:5484
- C:\Windows\System\iSYFruI.exe
  C:\Windows\System\iSYFruI.exe
  2⤵
  PID:5516
- C:\Windows\System\WSbEhNM.exe
  C:\Windows\System\WSbEhNM.exe
  2⤵
  PID:5548
- C:\Windows\System\epqNAyb.exe
  C:\Windows\System\epqNAyb.exe
  2⤵
  PID:5580
- C:\Windows\System\jXYyEFf.exe
  C:\Windows\System\jXYyEFf.exe
  2⤵
  PID:5608
- C:\Windows\System\AfOJhqf.exe
  C:\Windows\System\AfOJhqf.exe
  2⤵
  PID:5636
- C:\Windows\System\BDlACog.exe
  C:\Windows\System\BDlACog.exe
  2⤵
  PID:5664
- C:\Windows\System\zbVVfFy.exe
  C:\Windows\System\zbVVfFy.exe
  2⤵
  PID:5692
- C:\Windows\System\BqCLWrg.exe
  C:\Windows\System\BqCLWrg.exe
  2⤵
  PID:5720
- C:\Windows\System\WOXsZRJ.exe
  C:\Windows\System\WOXsZRJ.exe
  2⤵
  PID:5752
- C:\Windows\System\FqJVzVu.exe
  C:\Windows\System\FqJVzVu.exe
  2⤵
  PID:5780
- C:\Windows\System\KvhICaT.exe
  C:\Windows\System\KvhICaT.exe
  2⤵
  PID:5808
- C:\Windows\System\ipLNWLt.exe
  C:\Windows\System\ipLNWLt.exe
  2⤵
  PID:5836
- C:\Windows\System\gJZKQbg.exe
  C:\Windows\System\gJZKQbg.exe
  2⤵
  PID:5864
- C:\Windows\System\OKnOkmX.exe
  C:\Windows\System\OKnOkmX.exe
  2⤵
  PID:5892
- C:\Windows\System\kZMWldO.exe
  C:\Windows\System\kZMWldO.exe
  2⤵
  PID:5920
- C:\Windows\System\JEAlNDj.exe
  C:\Windows\System\JEAlNDj.exe
  2⤵
  PID:5944
- C:\Windows\System\yzRHvsj.exe
  C:\Windows\System\yzRHvsj.exe
  2⤵
  PID:5972
- C:\Windows\System\ryWYguM.exe
  C:\Windows\System\ryWYguM.exe
  2⤵
  PID:6004
- C:\Windows\System\KKlCiVG.exe
  C:\Windows\System\KKlCiVG.exe
  2⤵
  PID:6032
- C:\Windows\System\oeTdbqX.exe
  C:\Windows\System\oeTdbqX.exe
  2⤵
  PID:6060
- C:\Windows\System\HAKeldn.exe
  C:\Windows\System\HAKeldn.exe
  2⤵
  PID:6084
- C:\Windows\System\dKuJFfk.exe
  C:\Windows\System\dKuJFfk.exe
  2⤵
  PID:2336
- C:\Windows\System\luZHFMl.exe
  C:\Windows\System\luZHFMl.exe
  2⤵
  PID:4120
- C:\Windows\System\hlYWCkw.exe
  C:\Windows\System\hlYWCkw.exe
  2⤵
  PID:2252
- C:\Windows\System\ryWDgEE.exe
  C:\Windows\System\ryWDgEE.exe
  2⤵
  PID:3936
- C:\Windows\System\dUREkgm.exe
  C:\Windows\System\dUREkgm.exe
  2⤵
  PID:5136
- C:\Windows\System\PPeVCpL.exe
  C:\Windows\System\PPeVCpL.exe
  2⤵
  PID:5188
- C:\Windows\System\fraypvC.exe
  C:\Windows\System\fraypvC.exe
  2⤵
  PID:5256
- C:\Windows\System\NEvgdPM.exe
  C:\Windows\System\NEvgdPM.exe
  2⤵
  PID:5340
- C:\Windows\System\tnPSXXa.exe
  C:\Windows\System\tnPSXXa.exe
  2⤵
  PID:5388
- C:\Windows\System\KucKFyF.exe
  C:\Windows\System\KucKFyF.exe
  2⤵
  PID:5444
- C:\Windows\System\rHrrkTA.exe
  C:\Windows\System\rHrrkTA.exe
  2⤵
  PID:4232
- C:\Windows\System\CqkUNoT.exe
  C:\Windows\System\CqkUNoT.exe
  2⤵
  PID:2068
- C:\Windows\System\WUmliKH.exe
  C:\Windows\System\WUmliKH.exe
  2⤵
  PID:5632
- C:\Windows\System\BYLwVfq.exe
  C:\Windows\System\BYLwVfq.exe
  2⤵
  PID:5680
- C:\Windows\System\wCncHss.exe
  C:\Windows\System\wCncHss.exe
  2⤵
  PID:5708
- C:\Windows\System\XdUlnJW.exe
  C:\Windows\System\XdUlnJW.exe
  2⤵
  PID:5736
- C:\Windows\System\QTGqRcH.exe
  C:\Windows\System\QTGqRcH.exe
  2⤵
  PID:5768
- C:\Windows\System\HMwCKHP.exe
  C:\Windows\System\HMwCKHP.exe
  2⤵
  PID:5852
- C:\Windows\System\DWhcAdo.exe
  C:\Windows\System\DWhcAdo.exe
  2⤵
  PID:5940
- C:\Windows\System\MlGwpil.exe
  C:\Windows\System\MlGwpil.exe
  2⤵
  PID:5960
- C:\Windows\System\idHYubs.exe
  C:\Windows\System\idHYubs.exe
  2⤵
  PID:5988
- C:\Windows\System\iZnHdgw.exe
  C:\Windows\System\iZnHdgw.exe
  2⤵
  PID:6016
- C:\Windows\System\JxwNXzR.exe
  C:\Windows\System\JxwNXzR.exe
  2⤵
  PID:3600
- C:\Windows\System\NfWNOwb.exe
  C:\Windows\System\NfWNOwb.exe
  2⤵
  PID:6072
- C:\Windows\System\yGDwrkx.exe
  C:\Windows\System\yGDwrkx.exe
  2⤵
  PID:6080
- C:\Windows\System\RkjoWoc.exe
  C:\Windows\System\RkjoWoc.exe
  2⤵
  PID:4720
- C:\Windows\System\SdiNUyp.exe
  C:\Windows\System\SdiNUyp.exe
  2⤵
  PID:1968
- C:\Windows\System\whMQzKT.exe
  C:\Windows\System\whMQzKT.exe
  2⤵
  PID:5364
- C:\Windows\System\PsdBhzx.exe
  C:\Windows\System\PsdBhzx.exe
  2⤵
  PID:5284
- C:\Windows\System\zqVbpaG.exe
  C:\Windows\System\zqVbpaG.exe
  2⤵
  PID:5568
- C:\Windows\System\UmvlKbi.exe
  C:\Windows\System\UmvlKbi.exe
  2⤵
  PID:2248
- C:\Windows\System\Ajlppvp.exe
  C:\Windows\System\Ajlppvp.exe
  2⤵
  PID:4792
- C:\Windows\System\bBrzalM.exe
  C:\Windows\System\bBrzalM.exe
  2⤵
  PID:1576
- C:\Windows\System\vWSJMPU.exe
  C:\Windows\System\vWSJMPU.exe
  2⤵
  PID:2240
- C:\Windows\System\SXcFKbT.exe
  C:\Windows\System\SXcFKbT.exe
  2⤵
  PID:5908
- C:\Windows\System\VRjRjYa.exe
  C:\Windows\System\VRjRjYa.exe
  2⤵
  PID:3412
- C:\Windows\System\KmEGond.exe
  C:\Windows\System\KmEGond.exe
  2⤵
  PID:1472
- C:\Windows\System\mVIuKdN.exe
  C:\Windows\System\mVIuKdN.exe
  2⤵
  PID:4712
- C:\Windows\System\OxIWtgz.exe
  C:\Windows\System\OxIWtgz.exe
  2⤵
  PID:5396
- C:\Windows\System\EoVfMBR.exe
  C:\Windows\System\EoVfMBR.exe
  2⤵
  PID:5684
- C:\Windows\System\mEZJfcs.exe
  C:\Windows\System\mEZJfcs.exe
  2⤵
  PID:5996
- C:\Windows\System\AsvreWg.exe
  C:\Windows\System\AsvreWg.exe
  2⤵
  PID:6160
- C:\Windows\System\RHZYSyr.exe
  C:\Windows\System\RHZYSyr.exe
  2⤵
  PID:6176
- C:\Windows\System\tBFiJFH.exe
  C:\Windows\System\tBFiJFH.exe
  2⤵
  PID:6208
- C:\Windows\System\wwZvMjJ.exe
  C:\Windows\System\wwZvMjJ.exe
  2⤵
  PID:6232
- C:\Windows\System\NivcPar.exe
  C:\Windows\System\NivcPar.exe
  2⤵
  PID:6248
- C:\Windows\System\nnOhIoB.exe
  C:\Windows\System\nnOhIoB.exe
  2⤵
  PID:6264
- C:\Windows\System\uprSTCO.exe
  C:\Windows\System\uprSTCO.exe
  2⤵
  PID:6280
- C:\Windows\System\hHQGgJU.exe
  C:\Windows\System\hHQGgJU.exe
  2⤵
  PID:6324
- C:\Windows\System\AbbyUMV.exe
  C:\Windows\System\AbbyUMV.exe
  2⤵
  PID:6372
- C:\Windows\System\CLGPEAR.exe
  C:\Windows\System\CLGPEAR.exe
  2⤵
  PID:6460
- C:\Windows\System\RQvOhMk.exe
  C:\Windows\System\RQvOhMk.exe
  2⤵
  PID:6492
- C:\Windows\System\CgjVQmB.exe
  C:\Windows\System\CgjVQmB.exe
  2⤵
  PID:6512
- C:\Windows\System\FsVdpEg.exe
  C:\Windows\System\FsVdpEg.exe
  2⤵
  PID:6540
- C:\Windows\System\elJfVQP.exe
  C:\Windows\System\elJfVQP.exe
  2⤵
  PID:6568
- C:\Windows\System\FMZUsph.exe
  C:\Windows\System\FMZUsph.exe
  2⤵
  PID:6596
- C:\Windows\System\eDldgQX.exe
  C:\Windows\System\eDldgQX.exe
  2⤵
  PID:6624
- C:\Windows\System\gdbDHjp.exe
  C:\Windows\System\gdbDHjp.exe
  2⤵
  PID:6652
- C:\Windows\System\USzbEZI.exe
  C:\Windows\System\USzbEZI.exe
  2⤵
  PID:6680
- C:\Windows\System\IPrnWtd.exe
  C:\Windows\System\IPrnWtd.exe
  2⤵
  PID:6704
- C:\Windows\System\opaVJxL.exe
  C:\Windows\System\opaVJxL.exe
  2⤵
  PID:6736
- C:\Windows\System\vwzveia.exe
  C:\Windows\System\vwzveia.exe
  2⤵
  PID:6776
- C:\Windows\System\BVCBDlq.exe
  C:\Windows\System\BVCBDlq.exe
  2⤵
  PID:6824
- C:\Windows\System\ImXEABa.exe
  C:\Windows\System\ImXEABa.exe
  2⤵
  PID:6852
- C:\Windows\System\sTGmxLc.exe
  C:\Windows\System\sTGmxLc.exe
  2⤵
  PID:6868
- C:\Windows\System\ENYUyuC.exe
  C:\Windows\System\ENYUyuC.exe
  2⤵
  PID:6896
- C:\Windows\System\GClouyd.exe
  C:\Windows\System\GClouyd.exe
  2⤵
  PID:6924
- C:\Windows\System\bPCHAIJ.exe
  C:\Windows\System\bPCHAIJ.exe
  2⤵
  PID:6952
- C:\Windows\System\qULvcKq.exe
  C:\Windows\System\qULvcKq.exe
  2⤵
  PID:6980
- C:\Windows\System\BaAWmiM.exe
  C:\Windows\System\BaAWmiM.exe
  2⤵
  PID:7008
- C:\Windows\System\rtOMLHZ.exe
  C:\Windows\System\rtOMLHZ.exe
  2⤵
  PID:7036
- C:\Windows\System\IVLtVNv.exe
  C:\Windows\System\IVLtVNv.exe
  2⤵
  PID:7064
- C:\Windows\System\xErFeZj.exe
  C:\Windows\System\xErFeZj.exe
  2⤵
  PID:7092
- C:\Windows\System\aOQRdUs.exe
  C:\Windows\System\aOQRdUs.exe
  2⤵
  PID:7120
- C:\Windows\System\BFneRQI.exe
  C:\Windows\System\BFneRQI.exe
  2⤵
  PID:7148
- C:\Windows\System\cKEoTEK.exe
  C:\Windows\System\cKEoTEK.exe
  2⤵
  PID:3216
- C:\Windows\System\llaWbpP.exe
  C:\Windows\System\llaWbpP.exe
  2⤵
  PID:5452
- C:\Windows\System\PhHBwMH.exe
  C:\Windows\System\PhHBwMH.exe
  2⤵
  PID:6172
- C:\Windows\System\wACEZFY.exe
  C:\Windows\System\wACEZFY.exe
  2⤵
  PID:6240
- C:\Windows\System\BhgJagz.exe
  C:\Windows\System\BhgJagz.exe
  2⤵
  PID:6636
- C:\Windows\System\ZsGdwtg.exe
  C:\Windows\System\ZsGdwtg.exe
  2⤵
  PID:6560
- C:\Windows\System\iLlFxyk.exe
  C:\Windows\System\iLlFxyk.exe
  2⤵
  PID:6508
- C:\Windows\System\RpypEaT.exe
  C:\Windows\System\RpypEaT.exe
  2⤵
  PID:6432
- C:\Windows\System\YQTrXsu.exe
  C:\Windows\System\YQTrXsu.exe
  2⤵
  PID:6364
- C:\Windows\System\twhETiH.exe
  C:\Windows\System\twhETiH.exe
  2⤵
  PID:6272
- C:\Windows\System\eoAWNyH.exe
  C:\Windows\System\eoAWNyH.exe
  2⤵
  PID:5056
- C:\Windows\System\bdhuuNP.exe
  C:\Windows\System\bdhuuNP.exe
  2⤵
  PID:6760
- C:\Windows\System\YUtIUDO.exe
  C:\Windows\System\YUtIUDO.exe
  2⤵
  PID:6840
- C:\Windows\System\wTkRbjp.exe
  C:\Windows\System\wTkRbjp.exe
  2⤵
  PID:6908
- C:\Windows\System\hxCyxgp.exe
  C:\Windows\System\hxCyxgp.exe
  2⤵
  PID:6968
- C:\Windows\System\VIROTBf.exe
  C:\Windows\System\VIROTBf.exe
  2⤵
  PID:7028
- C:\Windows\System\ImRXesV.exe
  C:\Windows\System\ImRXesV.exe
  2⤵
  PID:7104
- C:\Windows\System\eizYgeC.exe
  C:\Windows\System\eizYgeC.exe
  2⤵
  PID:7164
- C:\Windows\System\eVyXJlm.exe
  C:\Windows\System\eVyXJlm.exe
  2⤵
  PID:964
- C:\Windows\System\KHayPOf.exe
  C:\Windows\System\KHayPOf.exe
  2⤵
  PID:6608
- C:\Windows\System\xXCCwmK.exe
  C:\Windows\System\xXCCwmK.exe
  2⤵
  PID:6480
- C:\Windows\System\OEwGfha.exe
  C:\Windows\System\OEwGfha.exe
  2⤵
  PID:6292
- C:\Windows\System\UUzcgCw.exe
  C:\Windows\System\UUzcgCw.exe
  2⤵
  PID:6800
- C:\Windows\System\QYIMwWS.exe
  C:\Windows\System\QYIMwWS.exe
  2⤵
  PID:6936
- C:\Windows\System\icnhRvR.exe
  C:\Windows\System\icnhRvR.exe
  2⤵
  PID:7076
- C:\Windows\System\LvRlUoW.exe
  C:\Windows\System\LvRlUoW.exe
  2⤵
  PID:5656
- C:\Windows\System\teuoEio.exe
  C:\Windows\System\teuoEio.exe
  2⤵
  PID:5596
- C:\Windows\System\gMXHjiu.exe
  C:\Windows\System\gMXHjiu.exe
  2⤵
  PID:6864
- C:\Windows\System\MMAiOHD.exe
  C:\Windows\System\MMAiOHD.exe
  2⤵
  PID:7176
- C:\Windows\System\EsQXiuM.exe
  C:\Windows\System\EsQXiuM.exe
  2⤵
  PID:7204
- C:\Windows\System\LlzljuA.exe
  C:\Windows\System\LlzljuA.exe
  2⤵
  PID:7232
- C:\Windows\System\KFJPnpI.exe
  C:\Windows\System\KFJPnpI.exe
  2⤵
  PID:7296
- C:\Windows\System\FhBuKeG.exe
  C:\Windows\System\FhBuKeG.exe
  2⤵
  PID:7352
- C:\Windows\System\xxQCkuN.exe
  C:\Windows\System\xxQCkuN.exe
  2⤵
  PID:7368
- C:\Windows\System\NkmcJcY.exe
  C:\Windows\System\NkmcJcY.exe
  2⤵
  PID:7388
- C:\Windows\System\QPnuHVa.exe
  C:\Windows\System\QPnuHVa.exe
  2⤵
  PID:7440
- C:\Windows\System\genamOE.exe
  C:\Windows\System\genamOE.exe
  2⤵
  PID:7456
- C:\Windows\System\KTByVpQ.exe
  C:\Windows\System\KTByVpQ.exe
  2⤵
  PID:7476
- C:\Windows\System\NaarqDp.exe
  C:\Windows\System\NaarqDp.exe
  2⤵
  PID:7500
- C:\Windows\System\GWquDjr.exe
  C:\Windows\System\GWquDjr.exe
  2⤵
  PID:7520
- C:\Windows\System\hOcGhqP.exe
  C:\Windows\System\hOcGhqP.exe
  2⤵
  PID:7552
- C:\Windows\System\NtdxtPO.exe
  C:\Windows\System\NtdxtPO.exe
  2⤵
  PID:7572
- C:\Windows\System\hqLtqld.exe
  C:\Windows\System\hqLtqld.exe
  2⤵
  PID:7616
- C:\Windows\System\qxtqjYA.exe
  C:\Windows\System\qxtqjYA.exe
  2⤵
  PID:7640
- C:\Windows\System\VJZZVsE.exe
  C:\Windows\System\VJZZVsE.exe
  2⤵
  PID:7680
- C:\Windows\System\epsVPQq.exe
  C:\Windows\System\epsVPQq.exe
  2⤵
  PID:7700
- C:\Windows\System\QUqMHhL.exe
  C:\Windows\System\QUqMHhL.exe
  2⤵
  PID:7728
- C:\Windows\System\yzColzP.exe
  C:\Windows\System\yzColzP.exe
  2⤵
  PID:7748
- C:\Windows\System\OdbJIsw.exe
  C:\Windows\System\OdbJIsw.exe
  2⤵
  PID:7768
- C:\Windows\System\QanKTZD.exe
  C:\Windows\System\QanKTZD.exe
  2⤵
  PID:7784
- C:\Windows\System\dHueBiK.exe
  C:\Windows\System\dHueBiK.exe
  2⤵
  PID:7804
- C:\Windows\System\XRGbeqi.exe
  C:\Windows\System\XRGbeqi.exe
  2⤵
  PID:7856
- C:\Windows\System\EShVtBM.exe
  C:\Windows\System\EShVtBM.exe
  2⤵
  PID:7872
- C:\Windows\System\UpFOXyo.exe
  C:\Windows\System\UpFOXyo.exe
  2⤵
  PID:7916
- C:\Windows\System\DbDAgFd.exe
  C:\Windows\System\DbDAgFd.exe
  2⤵
  PID:7940
- C:\Windows\System\FJvRfOU.exe
  C:\Windows\System\FJvRfOU.exe
  2⤵
  PID:7956
- C:\Windows\System\kdLgwOq.exe
  C:\Windows\System\kdLgwOq.exe
  2⤵
  PID:8012
- C:\Windows\System\eycWRWl.exe
  C:\Windows\System\eycWRWl.exe
  2⤵
  PID:8028
- C:\Windows\System\gmXtxBp.exe
  C:\Windows\System\gmXtxBp.exe
  2⤵
  PID:8064
- C:\Windows\System\oJZwwHH.exe
  C:\Windows\System\oJZwwHH.exe
  2⤵
  PID:8092
- C:\Windows\System\dpnGGvl.exe
  C:\Windows\System\dpnGGvl.exe
  2⤵
  PID:8132
- C:\Windows\System\tZdGxUU.exe
  C:\Windows\System\tZdGxUU.exe
  2⤵
  PID:8152
- C:\Windows\System\MlrbTCh.exe
  C:\Windows\System\MlrbTCh.exe
  2⤵
  PID:8180
- C:\Windows\System\iNrsyqe.exe
  C:\Windows\System\iNrsyqe.exe
  2⤵
  PID:6256
- C:\Windows\System\rCzDMny.exe
  C:\Windows\System\rCzDMny.exe
  2⤵
  PID:7020
- C:\Windows\System\rZrTVMW.exe
  C:\Windows\System\rZrTVMW.exe
  2⤵
  PID:7220
- C:\Windows\System\trpdSUc.exe
  C:\Windows\System\trpdSUc.exe
  2⤵
  PID:5792
- C:\Windows\System\Zukhuik.exe
  C:\Windows\System\Zukhuik.exe
  2⤵
  PID:7320
- C:\Windows\System\SYAdJme.exe
  C:\Windows\System\SYAdJme.exe
  2⤵
  PID:7360
- C:\Windows\System\OOkWysO.exe
  C:\Windows\System\OOkWysO.exe
  2⤵
  PID:5652
- C:\Windows\System\FBKDqus.exe
  C:\Windows\System\FBKDqus.exe
  2⤵
  PID:7432
- C:\Windows\System\TYgSlJQ.exe
  C:\Windows\System\TYgSlJQ.exe
  2⤵
  PID:7448
- C:\Windows\System\cIOYZpb.exe
  C:\Windows\System\cIOYZpb.exe
  2⤵
  PID:7568
- C:\Windows\System\YKIEOVR.exe
  C:\Windows\System\YKIEOVR.exe
  2⤵
  PID:7608
- C:\Windows\System\OYzWoOa.exe
  C:\Windows\System\OYzWoOa.exe
  2⤵
  PID:7668
- C:\Windows\System\LCwgIOo.exe
  C:\Windows\System\LCwgIOo.exe
  2⤵
  PID:7696
- C:\Windows\System\WVDKbKc.exe
  C:\Windows\System\WVDKbKc.exe
  2⤵
  PID:7736
- C:\Windows\System\Hpywito.exe
  C:\Windows\System\Hpywito.exe
  2⤵
  PID:7828
- C:\Windows\System\YmpfdEj.exe
  C:\Windows\System\YmpfdEj.exe
  2⤵
  PID:3112
- C:\Windows\System\OypEIxT.exe
  C:\Windows\System\OypEIxT.exe
  2⤵
  PID:7924
- C:\Windows\System\CDYYPwk.exe
  C:\Windows\System\CDYYPwk.exe
  2⤵
  PID:7948
- C:\Windows\System\IvuKVHy.exe
  C:\Windows\System\IvuKVHy.exe
  2⤵
  PID:8000
- C:\Windows\System\vEMVHSa.exe
  C:\Windows\System\vEMVHSa.exe
  2⤵
  PID:8052
- C:\Windows\System\kCYIHzJ.exe
  C:\Windows\System\kCYIHzJ.exe
  2⤵
  PID:8168
- C:\Windows\System\lRUbdds.exe
  C:\Windows\System\lRUbdds.exe
  2⤵
  PID:6700
- C:\Windows\System\flIejbb.exe
  C:\Windows\System\flIejbb.exe
  2⤵
  PID:1068
- C:\Windows\System\EpMmBhO.exe
  C:\Windows\System\EpMmBhO.exe
  2⤵
  PID:7304
- C:\Windows\System\VSkjcyU.exe
  C:\Windows\System\VSkjcyU.exe
  2⤵
  PID:4860
- C:\Windows\System\jNmvyds.exe
  C:\Windows\System\jNmvyds.exe
  2⤵
  PID:7532
- C:\Windows\System\ibXvWSm.exe
  C:\Windows\System\ibXvWSm.exe
  2⤵
  PID:7800
- C:\Windows\System\IpHntsf.exe
  C:\Windows\System\IpHntsf.exe
  2⤵
  PID:6784
- C:\Windows\System\wksZAOF.exe
  C:\Windows\System\wksZAOF.exe
  2⤵
  PID:7984
- C:\Windows\System\wzGNuNg.exe
  C:\Windows\System\wzGNuNg.exe
  2⤵
  PID:5744
- C:\Windows\System\LdlXnzF.exe
  C:\Windows\System\LdlXnzF.exe
  2⤵
  PID:7836
- C:\Windows\System\hVWvJXW.exe
  C:\Windows\System\hVWvJXW.exe
  2⤵
  PID:7896
- C:\Windows\System\rPFNtKz.exe
  C:\Windows\System\rPFNtKz.exe
  2⤵
  PID:7276
- C:\Windows\System\LOyfTGh.exe
  C:\Windows\System\LOyfTGh.exe
  2⤵
  PID:7932
- C:\Windows\System\UQbhByb.exe
  C:\Windows\System\UQbhByb.exe
  2⤵
  PID:5536
- C:\Windows\System\uuLafFt.exe
  C:\Windows\System\uuLafFt.exe
  2⤵
  PID:8220
- C:\Windows\System\eTqwpEM.exe
  C:\Windows\System\eTqwpEM.exe
  2⤵
  PID:8244
- C:\Windows\System\dusuuow.exe
  C:\Windows\System\dusuuow.exe
  2⤵
  PID:8280
- C:\Windows\System\kTUQBsc.exe
  C:\Windows\System\kTUQBsc.exe
  2⤵
  PID:8316
- C:\Windows\System\xPyrJcs.exe
  C:\Windows\System\xPyrJcs.exe
  2⤵
  PID:8340
- C:\Windows\System\ZridDFL.exe
  C:\Windows\System\ZridDFL.exe
  2⤵
  PID:8356
- C:\Windows\System\CkMUlyS.exe
  C:\Windows\System\CkMUlyS.exe
  2⤵
  PID:8376
- C:\Windows\System\XwAMwhN.exe
  C:\Windows\System\XwAMwhN.exe
  2⤵
  PID:8400
- C:\Windows\System\CAPKjVL.exe
  C:\Windows\System\CAPKjVL.exe
  2⤵
  PID:8432
- C:\Windows\System\sCbLhue.exe
  C:\Windows\System\sCbLhue.exe
  2⤵
  PID:8460
- C:\Windows\System\tBuhTEh.exe
  C:\Windows\System\tBuhTEh.exe
  2⤵
  PID:8524
- C:\Windows\System\HnyHqHy.exe
  C:\Windows\System\HnyHqHy.exe
  2⤵
  PID:8548
- C:\Windows\System\mWgBoHa.exe
  C:\Windows\System\mWgBoHa.exe
  2⤵
  PID:8564
- C:\Windows\System\LaVxKhM.exe
  C:\Windows\System\LaVxKhM.exe
  2⤵
  PID:8584
- C:\Windows\System\yuZUmie.exe
  C:\Windows\System\yuZUmie.exe
  2⤵
  PID:8620
- C:\Windows\System\EikaGmy.exe
  C:\Windows\System\EikaGmy.exe
  2⤵
  PID:8640
- C:\Windows\System\VOMeLcm.exe
  C:\Windows\System\VOMeLcm.exe
  2⤵
  PID:8676
- C:\Windows\System\WGwGAuV.exe
  C:\Windows\System\WGwGAuV.exe
  2⤵
  PID:8696
- C:\Windows\System\DSSpGXb.exe
  C:\Windows\System\DSSpGXb.exe
  2⤵
  PID:8752
- C:\Windows\System\icpfhvU.exe
  C:\Windows\System\icpfhvU.exe
  2⤵
  PID:8776
- C:\Windows\System\ZPGQbdW.exe
  C:\Windows\System\ZPGQbdW.exe
  2⤵
  PID:8816
- C:\Windows\System\YjlSyms.exe
  C:\Windows\System\YjlSyms.exe
  2⤵
  PID:8832
- C:\Windows\System\HkHLbXj.exe
  C:\Windows\System\HkHLbXj.exe
  2⤵
  PID:8852
- C:\Windows\System\hjlwXaR.exe
  C:\Windows\System\hjlwXaR.exe
  2⤵
  PID:8880
- C:\Windows\System\BHZqAju.exe
  C:\Windows\System\BHZqAju.exe
  2⤵
  PID:8896
- C:\Windows\System\eFFmRQK.exe
  C:\Windows\System\eFFmRQK.exe
  2⤵
  PID:8924
- C:\Windows\System\PQMidCQ.exe
  C:\Windows\System\PQMidCQ.exe
  2⤵
  PID:8976
- C:\Windows\System\TahpyPE.exe
  C:\Windows\System\TahpyPE.exe
  2⤵
  PID:8992
- C:\Windows\System\RCLFdBA.exe
  C:\Windows\System\RCLFdBA.exe
  2⤵
  PID:9020
- C:\Windows\System\aUrKJBT.exe
  C:\Windows\System\aUrKJBT.exe
  2⤵
  PID:9048
- C:\Windows\System\LLXqQAt.exe
  C:\Windows\System\LLXqQAt.exe
  2⤵
  PID:9072
- C:\Windows\System\YorrVIb.exe
  C:\Windows\System\YorrVIb.exe
  2⤵
  PID:9112
- C:\Windows\System\BRdVfeB.exe
  C:\Windows\System\BRdVfeB.exe
  2⤵
  PID:9132
- C:\Windows\System\AlIERZz.exe
  C:\Windows\System\AlIERZz.exe
  2⤵
  PID:9168
- C:\Windows\System\TgNRmqz.exe
  C:\Windows\System\TgNRmqz.exe
  2⤵
  PID:9188
- C:\Windows\System\NdwsUqk.exe
  C:\Windows\System\NdwsUqk.exe
  2⤵
  PID:9212
- C:\Windows\System\aycVsrW.exe
  C:\Windows\System\aycVsrW.exe
  2⤵
  PID:8208
- C:\Windows\System\fkCDUkc.exe
  C:\Windows\System\fkCDUkc.exe
  2⤵
  PID:8288
- C:\Windows\System\mFvudhg.exe
  C:\Windows\System\mFvudhg.exe
  2⤵
  PID:8324
- C:\Windows\System\Kzenhxt.exe
  C:\Windows\System\Kzenhxt.exe
  2⤵
  PID:8352
- C:\Windows\System\AlYMmlq.exe
  C:\Windows\System\AlYMmlq.exe
  2⤵
  PID:8532
- C:\Windows\System\PbpYFqi.exe
  C:\Windows\System\PbpYFqi.exe
  2⤵
  PID:8560
- C:\Windows\System\vwFVQWF.exe
  C:\Windows\System\vwFVQWF.exe
  2⤵
  PID:8652
- C:\Windows\System\TsbpAps.exe
  C:\Windows\System\TsbpAps.exe
  2⤵
  PID:8664
- C:\Windows\System\WAYYnxI.exe
  C:\Windows\System\WAYYnxI.exe
  2⤵
  PID:8760
- C:\Windows\System\vSMhauR.exe
  C:\Windows\System\vSMhauR.exe
  2⤵
  PID:8824
- C:\Windows\System\EuhawzG.exe
  C:\Windows\System\EuhawzG.exe
  2⤵
  PID:8080
- C:\Windows\System\VuYFPsv.exe
  C:\Windows\System\VuYFPsv.exe
  2⤵
  PID:8932
- C:\Windows\System\NnpwNGq.exe
  C:\Windows\System\NnpwNGq.exe
  2⤵
  PID:9056
- C:\Windows\System\EdPRnKf.exe
  C:\Windows\System\EdPRnKf.exe
  2⤵
  PID:9104
- C:\Windows\System\MZdkzsx.exe
  C:\Windows\System\MZdkzsx.exe
  2⤵
  PID:9160
- C:\Windows\System\RmdMqsh.exe
  C:\Windows\System\RmdMqsh.exe
  2⤵
  PID:3876
- C:\Windows\System\MYSALZe.exe
  C:\Windows\System\MYSALZe.exe
  2⤵
  PID:8272
- C:\Windows\System\SYwylyo.exe
  C:\Windows\System\SYwylyo.exe
  2⤵
  PID:8440
- C:\Windows\System\eiWbTZj.exe
  C:\Windows\System\eiWbTZj.exe
  2⤵
  PID:8704
- C:\Windows\System\BxsxBIL.exe
  C:\Windows\System\BxsxBIL.exe
  2⤵
  PID:8860
- C:\Windows\System\VkyANer.exe
  C:\Windows\System\VkyANer.exe
  2⤵
  PID:8984
- C:\Windows\System\kQPJDpo.exe
  C:\Windows\System\kQPJDpo.exe
  2⤵
  PID:9180
- C:\Windows\System\CJoXzAm.exe
  C:\Windows\System\CJoXzAm.exe
  2⤵
  PID:8428
- C:\Windows\System\ErgAwLW.exe
  C:\Windows\System\ErgAwLW.exe
  2⤵
  PID:8616
- C:\Windows\System\ioKMrwT.exe
  C:\Windows\System\ioKMrwT.exe
  2⤵
  PID:8844
- C:\Windows\System\mfCHxLF.exe
  C:\Windows\System\mfCHxLF.exe
  2⤵
  PID:9092
- C:\Windows\System\WfaBihh.exe
  C:\Windows\System\WfaBihh.exe
  2⤵
  PID:8800
- C:\Windows\System\XuNzTCb.exe
  C:\Windows\System\XuNzTCb.exe
  2⤵
  PID:9236
- C:\Windows\System\hdrSYof.exe
  C:\Windows\System\hdrSYof.exe
  2⤵
  PID:9252
- C:\Windows\System\xUvbTXO.exe
  C:\Windows\System\xUvbTXO.exe
  2⤵
  PID:9276
- C:\Windows\System\YIsJEhW.exe
  C:\Windows\System\YIsJEhW.exe
  2⤵
  PID:9296
- C:\Windows\System\jcRzQKA.exe
  C:\Windows\System\jcRzQKA.exe
  2⤵
  PID:9352
- C:\Windows\System\AXxfJMN.exe
  C:\Windows\System\AXxfJMN.exe
  2⤵
  PID:9376
- C:\Windows\System\zjigghW.exe
  C:\Windows\System\zjigghW.exe
  2⤵
  PID:9428
- C:\Windows\System\gnzznpl.exe
  C:\Windows\System\gnzznpl.exe
  2⤵
  PID:9452
- C:\Windows\System\FOejADG.exe
  C:\Windows\System\FOejADG.exe
  2⤵
  PID:9472
- C:\Windows\System\kzFcLvk.exe
  C:\Windows\System\kzFcLvk.exe
  2⤵
  PID:9496
- C:\Windows\System\rYfiVvk.exe
  C:\Windows\System\rYfiVvk.exe
  2⤵
  PID:9540
- C:\Windows\System\bTmRaMI.exe
  C:\Windows\System\bTmRaMI.exe
  2⤵
  PID:9568
- C:\Windows\System\SSNnoxK.exe
  C:\Windows\System\SSNnoxK.exe
  2⤵
  PID:9592
- C:\Windows\System\IKzGmDA.exe
  C:\Windows\System\IKzGmDA.exe
  2⤵
  PID:9612
- C:\Windows\System\TXgOkcf.exe
  C:\Windows\System\TXgOkcf.exe
  2⤵
  PID:9636
- C:\Windows\System\rxJRSiQ.exe
  C:\Windows\System\rxJRSiQ.exe
  2⤵
  PID:9656
- C:\Windows\System\uAkaHHS.exe
  C:\Windows\System\uAkaHHS.exe
  2⤵
  PID:9672
- C:\Windows\System\peIItWK.exe
  C:\Windows\System\peIItWK.exe
  2⤵
  PID:9696
- C:\Windows\System\XzJnlxd.exe
  C:\Windows\System\XzJnlxd.exe
  2⤵
  PID:9716
- C:\Windows\System\mUkGlpd.exe
  C:\Windows\System\mUkGlpd.exe
  2⤵
  PID:9740
- C:\Windows\System\YPQxqvA.exe
  C:\Windows\System\YPQxqvA.exe
  2⤵
  PID:9760
- C:\Windows\System\VZqIURG.exe
  C:\Windows\System\VZqIURG.exe
  2⤵
  PID:9828
- C:\Windows\System\Cgzixuo.exe
  C:\Windows\System\Cgzixuo.exe
  2⤵
  PID:9844
- C:\Windows\System\uToXhqs.exe
  C:\Windows\System\uToXhqs.exe
  2⤵
  PID:9868
- C:\Windows\System\rnzmimg.exe
  C:\Windows\System\rnzmimg.exe
  2⤵
  PID:9892
- C:\Windows\System\ygBPxAU.exe
  C:\Windows\System\ygBPxAU.exe
  2⤵
  PID:9912
- C:\Windows\System\CqrtodS.exe
  C:\Windows\System\CqrtodS.exe
  2⤵
  PID:9952
- C:\Windows\System\PtYCIhu.exe
  C:\Windows\System\PtYCIhu.exe
  2⤵
  PID:9980
- C:\Windows\System\iUXdich.exe
  C:\Windows\System\iUXdich.exe
  2⤵
  PID:10048
- C:\Windows\System\yarGgMR.exe
  C:\Windows\System\yarGgMR.exe
  2⤵
  PID:10076
- C:\Windows\System\BlQUNMh.exe
  C:\Windows\System\BlQUNMh.exe
  2⤵
  PID:10096
- C:\Windows\System\Yhqwnwx.exe
  C:\Windows\System\Yhqwnwx.exe
  2⤵
  PID:10116
- C:\Windows\System\xRwXScL.exe
  C:\Windows\System\xRwXScL.exe
  2⤵
  PID:10148
- C:\Windows\System\WockMzy.exe
  C:\Windows\System\WockMzy.exe
  2⤵
  PID:10184
- C:\Windows\System\IFeVQKT.exe
  C:\Windows\System\IFeVQKT.exe
  2⤵
  PID:10212
- C:\Windows\System\KYCwkSG.exe
  C:\Windows\System\KYCwkSG.exe
  2⤵
  PID:1952
- C:\Windows\System\wxGUMjy.exe
  C:\Windows\System\wxGUMjy.exe
  2⤵
  PID:9224
- C:\Windows\System\bytTSMV.exe
  C:\Windows\System\bytTSMV.exe
  2⤵
  PID:9244
- C:\Windows\System\DsQTDTV.exe
  C:\Windows\System\DsQTDTV.exe
  2⤵
  PID:9320
- C:\Windows\System\UzquljS.exe
  C:\Windows\System\UzquljS.exe
  2⤵
  PID:9372
- C:\Windows\System\LmRlqaE.exe
  C:\Windows\System\LmRlqaE.exe
  2⤵
  PID:9420
- C:\Windows\System\Omvvwip.exe
  C:\Windows\System\Omvvwip.exe
  2⤵
  PID:9560
- C:\Windows\System\pFYNlsl.exe
  C:\Windows\System\pFYNlsl.exe
  2⤵
  PID:9604
- C:\Windows\System\OaMjCKr.exe
  C:\Windows\System\OaMjCKr.exe
  2⤵
  PID:9668
- C:\Windows\System\wHREBgA.exe
  C:\Windows\System\wHREBgA.exe
  2⤵
  PID:9712
- C:\Windows\System\sibwSrT.exe
  C:\Windows\System\sibwSrT.exe
  2⤵
  PID:9768
- C:\Windows\System\PtbdVsh.exe
  C:\Windows\System\PtbdVsh.exe
  2⤵
  PID:9816
- C:\Windows\System\UAYOMlR.exe
  C:\Windows\System\UAYOMlR.exe
  2⤵
  PID:9876
- C:\Windows\System\RAPHStz.exe
  C:\Windows\System\RAPHStz.exe
  2⤵
  PID:9944
- C:\Windows\System\cHkNKIO.exe
  C:\Windows\System\cHkNKIO.exe
  2⤵
  PID:10008
- C:\Windows\System\hhlzmEp.exe
  C:\Windows\System\hhlzmEp.exe
  2⤵
  PID:10088
- C:\Windows\System\GRXYeYw.exe
  C:\Windows\System\GRXYeYw.exe
  2⤵
  PID:10124
- C:\Windows\System\wjprMbo.exe
  C:\Windows\System\wjprMbo.exe
  2⤵
  PID:10192
- C:\Windows\System\mybBahY.exe
  C:\Windows\System\mybBahY.exe
  2⤵
  PID:9260
- C:\Windows\System\ZwMUKze.exe
  C:\Windows\System\ZwMUKze.exe
  2⤵
  PID:5096
- C:\Windows\System\yPFsWTu.exe
  C:\Windows\System\yPFsWTu.exe
  2⤵
  PID:9368
- C:\Windows\System\LqWaMXb.exe
  C:\Windows\System\LqWaMXb.exe
  2⤵
  PID:9628
- C:\Windows\System\HvHjESW.exe
  C:\Windows\System\HvHjESW.exe
  2⤵
  PID:9736
- C:\Windows\System\idFXezz.exe
  C:\Windows\System\idFXezz.exe
  2⤵
  PID:10040
- C:\Windows\System\EZLhlEL.exe
  C:\Windows\System\EZLhlEL.exe
  2⤵
  PID:1812
- C:\Windows\System\hFdbYOX.exe
  C:\Windows\System\hFdbYOX.exe
  2⤵
  PID:9528
- C:\Windows\System\SBeSrKN.exe
  C:\Windows\System\SBeSrKN.exe
  2⤵
  PID:9680
- C:\Windows\System\JySwFoE.exe
  C:\Windows\System\JySwFoE.exe
  2⤵
  PID:10156
- C:\Windows\System\WJwylqQ.exe
  C:\Windows\System\WJwylqQ.exe
  2⤵
  PID:1572
- C:\Windows\System\tTEBert.exe
  C:\Windows\System\tTEBert.exe
  2⤵
  PID:10248
- C:\Windows\System\UMEzPOk.exe
  C:\Windows\System\UMEzPOk.exe
  2⤵
  PID:10280
- C:\Windows\System\dKuhbLc.exe
  C:\Windows\System\dKuhbLc.exe
  2⤵
  PID:10308
- C:\Windows\System\fVdMOET.exe
  C:\Windows\System\fVdMOET.exe
  2⤵
  PID:10332
- C:\Windows\System\jyEUOqU.exe
  C:\Windows\System\jyEUOqU.exe
  2⤵
  PID:10356
- C:\Windows\System\fiAyvqI.exe
  C:\Windows\System\fiAyvqI.exe
  2⤵
  PID:10376
- C:\Windows\System\QayyKNG.exe
  C:\Windows\System\QayyKNG.exe
  2⤵
  PID:10396
- C:\Windows\System\vPzMMGZ.exe
  C:\Windows\System\vPzMMGZ.exe
  2⤵
  PID:10448
- C:\Windows\System\dDBxBeJ.exe
  C:\Windows\System\dDBxBeJ.exe
  2⤵
  PID:10468
- C:\Windows\System\PTqwOfh.exe
  C:\Windows\System\PTqwOfh.exe
  2⤵
  PID:10612
- C:\Windows\System\zedOBej.exe
  C:\Windows\System\zedOBej.exe
  2⤵
  PID:10632
- C:\Windows\System\FczhmZR.exe
  C:\Windows\System\FczhmZR.exe
  2⤵
  PID:10660
- C:\Windows\System\tWLIodC.exe
  C:\Windows\System\tWLIodC.exe
  2⤵
  PID:10684
- C:\Windows\System\RBTmlSw.exe
  C:\Windows\System\RBTmlSw.exe
  2⤵
  PID:10700
- C:\Windows\System\iEsuwog.exe
  C:\Windows\System\iEsuwog.exe
  2⤵
  PID:10720
- C:\Windows\System\tgrgKBz.exe
  C:\Windows\System\tgrgKBz.exe
  2⤵
  PID:10752
- C:\Windows\System\UttiItN.exe
  C:\Windows\System\UttiItN.exe
  2⤵
  PID:10788
- C:\Windows\System\vTKsxxu.exe
  C:\Windows\System\vTKsxxu.exe
  2⤵
  PID:10816
- C:\Windows\System\wVnSVvR.exe
  C:\Windows\System\wVnSVvR.exe
  2⤵
  PID:10852
- C:\Windows\System\gUGSgTB.exe
  C:\Windows\System\gUGSgTB.exe
  2⤵
  PID:10880
- C:\Windows\System\sLRNyOA.exe
  C:\Windows\System\sLRNyOA.exe
  2⤵
  PID:10900
- C:\Windows\System\RPlbxZT.exe
  C:\Windows\System\RPlbxZT.exe
  2⤵
  PID:10916
- C:\Windows\System\fURKFPJ.exe
  C:\Windows\System\fURKFPJ.exe
  2⤵
  PID:10940
- C:\Windows\System\WPQGGYt.exe
  C:\Windows\System\WPQGGYt.exe
  2⤵
  PID:10956
- C:\Windows\System\ZJNfDst.exe
  C:\Windows\System\ZJNfDst.exe
  2⤵
  PID:10980
- C:\Windows\System\BKTPeXC.exe
  C:\Windows\System\BKTPeXC.exe
  2⤵
  PID:11040
- C:\Windows\System\uLQtGsh.exe
  C:\Windows\System\uLQtGsh.exe
  2⤵
  PID:11068
- C:\Windows\System\uotaZNi.exe
  C:\Windows\System\uotaZNi.exe
  2⤵
  PID:11084
- C:\Windows\System\OPrWKIS.exe
  C:\Windows\System\OPrWKIS.exe
  2⤵
  PID:11104
- C:\Windows\System\aYAvFQZ.exe
  C:\Windows\System\aYAvFQZ.exe
  2⤵
  PID:11128
- C:\Windows\System\vBYRZQG.exe
  C:\Windows\System\vBYRZQG.exe
  2⤵
  PID:11152
- C:\Windows\System\mLjntTE.exe
  C:\Windows\System\mLjntTE.exe
  2⤵
  PID:11176
- C:\Windows\System\gRFXXpA.exe
  C:\Windows\System\gRFXXpA.exe
  2⤵
  PID:11232
- C:\Windows\System\wYAAXiI.exe
  C:\Windows\System\wYAAXiI.exe
  2⤵
  PID:11252
- C:\Windows\System\EVSHfSD.exe
  C:\Windows\System\EVSHfSD.exe
  2⤵
  PID:9724
- C:\Windows\System\gCDnjjH.exe
  C:\Windows\System\gCDnjjH.exe
  2⤵
  PID:10324
- C:\Windows\System\tVDGgqV.exe
  C:\Windows\System\tVDGgqV.exe
  2⤵
  PID:10404
- C:\Windows\System\rQqwKmH.exe
  C:\Windows\System\rQqwKmH.exe
  2⤵
  PID:10536
- C:\Windows\System\qKGzIUh.exe
  C:\Windows\System\qKGzIUh.exe
  2⤵
  PID:10464
- C:\Windows\System\oNoogzL.exe
  C:\Windows\System\oNoogzL.exe
  2⤵
  PID:10512
- C:\Windows\System\PIPoHko.exe
  C:\Windows\System\PIPoHko.exe
  2⤵
  PID:10540
- C:\Windows\System\GkBMsGt.exe
  C:\Windows\System\GkBMsGt.exe
  2⤵
  PID:1676
- C:\Windows\System\jHBIodb.exe
  C:\Windows\System\jHBIodb.exe
  2⤵
  PID:10628
- C:\Windows\System\uCSEITL.exe
  C:\Windows\System\uCSEITL.exe
  2⤵
  PID:10680
- C:\Windows\System\yvKwRhk.exe
  C:\Windows\System\yvKwRhk.exe
  2⤵
  PID:10728
- C:\Windows\System\oiOQNhs.exe
  C:\Windows\System\oiOQNhs.exe
  2⤵
  PID:10772
- C:\Windows\System\GnrVFqP.exe
  C:\Windows\System\GnrVFqP.exe
  2⤵
  PID:10864
- C:\Windows\System\ggizbdT.exe
  C:\Windows\System\ggizbdT.exe
  2⤵
  PID:10976
- C:\Windows\System\AROMunN.exe
  C:\Windows\System\AROMunN.exe
  2⤵
  PID:11048
- C:\Windows\System\tkxvOBC.exe
  C:\Windows\System\tkxvOBC.exe
  2⤵
  PID:11092
- C:\Windows\System\HxYGARD.exe
  C:\Windows\System\HxYGARD.exe
  2⤵
  PID:11124
- C:\Windows\System\HeVDjxY.exe
  C:\Windows\System\HeVDjxY.exe
  2⤵
  PID:1756
- C:\Windows\System\wCvAmxC.exe
  C:\Windows\System\wCvAmxC.exe
  2⤵
  PID:11220
- C:\Windows\System\wbYmmKB.exe
  C:\Windows\System\wbYmmKB.exe
  2⤵
  PID:9684
- C:\Windows\System\QDAKBcL.exe
  C:\Windows\System\QDAKBcL.exe
  2⤵
  PID:10300
- C:\Windows\System\fSeLpNh.exe
  C:\Windows\System\fSeLpNh.exe
  2⤵
  PID:10492
- C:\Windows\System\UGQYxbN.exe
  C:\Windows\System\UGQYxbN.exe
  2⤵
  PID:10576
- C:\Windows\System\ejaXzMW.exe
  C:\Windows\System\ejaXzMW.exe
  2⤵
  PID:10676
- C:\Windows\System\Frhrkci.exe
  C:\Windows\System\Frhrkci.exe
  2⤵
  PID:10784
- C:\Windows\System\xcyKIca.exe
  C:\Windows\System\xcyKIca.exe
  2⤵
  PID:10888
- C:\Windows\System\UxtnLPs.exe
  C:\Windows\System\UxtnLPs.exe
  2⤵
  PID:11120
- C:\Windows\System\tVPmcwh.exe
  C:\Windows\System\tVPmcwh.exe
  2⤵
  PID:10016
- C:\Windows\System\OzCduza.exe
  C:\Windows\System\OzCduza.exe
  2⤵
  PID:10460
- C:\Windows\System\PXnLLSI.exe
  C:\Windows\System\PXnLLSI.exe
  2⤵
  PID:10532
- C:\Windows\System\aKbyiUq.exe
  C:\Windows\System\aKbyiUq.exe
  2⤵
  PID:11076
- C:\Windows\System\MMEuqTp.exe
  C:\Windows\System\MMEuqTp.exe
  2⤵
  PID:1892
- C:\Windows\System\mtbkXfm.exe
  C:\Windows\System\mtbkXfm.exe
  2⤵
  PID:10656
- C:\Windows\System\NcebWzt.exe
  C:\Windows\System\NcebWzt.exe
  2⤵
  PID:11248
- C:\Windows\System\FwWOvJY.exe
  C:\Windows\System\FwWOvJY.exe
  2⤵
  PID:11272
- C:\Windows\System\MzANxkJ.exe
  C:\Windows\System\MzANxkJ.exe
  2⤵
  PID:11304
- C:\Windows\System\cEanhNJ.exe
  C:\Windows\System\cEanhNJ.exe
  2⤵
  PID:11332
- C:\Windows\System\zTVGFyY.exe
  C:\Windows\System\zTVGFyY.exe
  2⤵
  PID:11352
- C:\Windows\System\BiQMMWX.exe
  C:\Windows\System\BiQMMWX.exe
  2⤵
  PID:11388
- C:\Windows\System\IrwKgPz.exe
  C:\Windows\System\IrwKgPz.exe
  2⤵
  PID:11408
- C:\Windows\System\VlRgUwp.exe
  C:\Windows\System\VlRgUwp.exe
  2⤵
  PID:11428
- C:\Windows\System\RbrgUCs.exe
  C:\Windows\System\RbrgUCs.exe
  2⤵
  PID:11448
- C:\Windows\System\yWnzIwS.exe
  C:\Windows\System\yWnzIwS.exe
  2⤵
  PID:11472
- C:\Windows\System\VOiOaXC.exe
  C:\Windows\System\VOiOaXC.exe
  2⤵
  PID:11496
- C:\Windows\System\FnDmxNT.exe
  C:\Windows\System\FnDmxNT.exe
  2⤵
  PID:11512
- C:\Windows\System\lAQwALC.exe
  C:\Windows\System\lAQwALC.exe
  2⤵
  PID:11532
- C:\Windows\System\xxGlnIK.exe
  C:\Windows\System\xxGlnIK.exe
  2⤵
  PID:11560
- C:\Windows\System\CUOtxwr.exe
  C:\Windows\System\CUOtxwr.exe
  2⤵
  PID:11588
- C:\Windows\System\zQYLVXh.exe
  C:\Windows\System\zQYLVXh.exe
  2⤵
  PID:11616
- C:\Windows\System\YHMFRbL.exe
  C:\Windows\System\YHMFRbL.exe
  2⤵
  PID:11640
- C:\Windows\System\onQTpgl.exe
  C:\Windows\System\onQTpgl.exe
  2⤵
  PID:11684
- C:\Windows\System\NHZikzG.exe
  C:\Windows\System\NHZikzG.exe
  2⤵
  PID:11720
- C:\Windows\System\fCUiLpg.exe
  C:\Windows\System\fCUiLpg.exe
  2⤵
  PID:11748
- C:\Windows\System\cnyRTRT.exe
  C:\Windows\System\cnyRTRT.exe
  2⤵
  PID:11776
- C:\Windows\System\FyfEMBA.exe
  C:\Windows\System\FyfEMBA.exe
  2⤵
  PID:11800
- C:\Windows\System\kYbUCFP.exe
  C:\Windows\System\kYbUCFP.exe
  2⤵
  PID:11820
- C:\Windows\System\cRzIseU.exe
  C:\Windows\System\cRzIseU.exe
  2⤵
  PID:11868
- C:\Windows\System\oOhBGZY.exe
  C:\Windows\System\oOhBGZY.exe
  2⤵
  PID:11888
- C:\Windows\System\XamiVPf.exe
  C:\Windows\System\XamiVPf.exe
  2⤵
  PID:11912
- C:\Windows\System\IRsMSlu.exe
  C:\Windows\System\IRsMSlu.exe
  2⤵
  PID:11928
- C:\Windows\System\UwRiHxV.exe
  C:\Windows\System\UwRiHxV.exe
  2⤵
  PID:11980
- C:\Windows\System\KauwbYI.exe
  C:\Windows\System\KauwbYI.exe
  2⤵
  PID:12040
- C:\Windows\System\bPmCOTD.exe
  C:\Windows\System\bPmCOTD.exe
  2⤵
  PID:12056
- C:\Windows\System\HszGdgd.exe
  C:\Windows\System\HszGdgd.exe
  2⤵
  PID:12092
- C:\Windows\System\WGUzMVz.exe
  C:\Windows\System\WGUzMVz.exe
  2⤵
  PID:12136
- C:\Windows\System\KXsRngb.exe
  C:\Windows\System\KXsRngb.exe
  2⤵
  PID:12168
- C:\Windows\System\PhlZzoD.exe
  C:\Windows\System\PhlZzoD.exe
  2⤵
  PID:12200
- C:\Windows\System\iYYBfwT.exe
  C:\Windows\System\iYYBfwT.exe
  2⤵
  PID:12216
- C:\Windows\System\onJTOdb.exe
  C:\Windows\System\onJTOdb.exe
  2⤵
  PID:12240
- C:\Windows\System\xzHfyrk.exe
  C:\Windows\System\xzHfyrk.exe
  2⤵
  PID:12272
- C:\Windows\System\HJONSSO.exe
  C:\Windows\System\HJONSSO.exe
  2⤵
  PID:10528
- C:\Windows\System\rjsPEBV.exe
  C:\Windows\System\rjsPEBV.exe
  2⤵
  PID:11372
- C:\Windows\System\PeQlvYh.exe
  C:\Windows\System\PeQlvYh.exe
  2⤵
  PID:11344
- C:\Windows\System\EJVtUBt.exe
  C:\Windows\System\EJVtUBt.exe
  2⤵
  PID:11484
- C:\Windows\System\xbpVNpg.exe
  C:\Windows\System\xbpVNpg.exe
  2⤵
  PID:11528
- C:\Windows\System\AdxbykT.exe
  C:\Windows\System\AdxbykT.exe
  2⤵
  PID:11556
- C:\Windows\System\QDmZSgv.exe
  C:\Windows\System\QDmZSgv.exe
  2⤵
  PID:11664
- C:\Windows\System\mQhPlIG.exe
  C:\Windows\System\mQhPlIG.exe
  2⤵
  PID:11632
- C:\Windows\System\PIaJruR.exe
  C:\Windows\System\PIaJruR.exe
  2⤵
  PID:11680
- C:\Windows\System\eyMjGtj.exe
  C:\Windows\System\eyMjGtj.exe
  2⤵
  PID:11816
- C:\Windows\System\jymHphp.exe
  C:\Windows\System\jymHphp.exe
  2⤵
  PID:11784
- C:\Windows\System\PfzDQnX.exe
  C:\Windows\System\PfzDQnX.exe
  2⤵
  PID:11972
- C:\Windows\System\RMDPCyw.exe
  C:\Windows\System\RMDPCyw.exe
  2⤵
  PID:12012
- C:\Windows\System\QaSjjEQ.exe
  C:\Windows\System\QaSjjEQ.exe
  2⤵
  PID:12104
- C:\Windows\System\ykMjmSZ.exe
  C:\Windows\System\ykMjmSZ.exe
  2⤵
  PID:12108
- C:\Windows\System\xMZQDNB.exe
  C:\Windows\System\xMZQDNB.exe
  2⤵
  PID:12264
- C:\Windows\System\QMSUgLt.exe
  C:\Windows\System\QMSUgLt.exe
  2⤵
  PID:12284
- C:\Windows\System\vInCcye.exe
  C:\Windows\System\vInCcye.exe
  2⤵
  PID:11488
- C:\Windows\System\RdyUCDq.exe
  C:\Windows\System\RdyUCDq.exe
  2⤵
  PID:11576
- C:\Windows\System\hiUPsBT.exe
  C:\Windows\System\hiUPsBT.exe
  2⤵
  PID:11900
- C:\Windows\System\PkClKXl.exe
  C:\Windows\System\PkClKXl.exe
  2⤵
  PID:11832
- C:\Windows\System\vHLnmbg.exe
  C:\Windows\System\vHLnmbg.exe
  2⤵
  PID:11992
- C:\Windows\System\vfzetWm.exe
  C:\Windows\System\vfzetWm.exe
  2⤵
  PID:12016
- C:\Windows\System\FnRDIlc.exe
  C:\Windows\System\FnRDIlc.exe
  2⤵
  PID:12032
- C:\Windows\System\qkOTACE.exe
  C:\Windows\System\qkOTACE.exe
  2⤵
  PID:12212
- C:\Windows\System\mhdzQGX.exe
  C:\Windows\System\mhdzQGX.exe
  2⤵
  PID:11596
- C:\Windows\System\NMmYOZc.exe
  C:\Windows\System\NMmYOZc.exe
  2⤵
  PID:6756
- C:\Windows\System\iDDhSyd.exe
  C:\Windows\System\iDDhSyd.exe
  2⤵
  PID:11940
- C:\Windows\System\PXVifCh.exe
  C:\Windows\System\PXVifCh.exe
  2⤵
  PID:12316
- C:\Windows\System\lzvsJTM.exe
  C:\Windows\System\lzvsJTM.exe
  2⤵
  PID:12332
- C:\Windows\System\soupaSC.exe
  C:\Windows\System\soupaSC.exe
  2⤵
  PID:12388
- C:\Windows\System\hoKmopY.exe
  C:\Windows\System\hoKmopY.exe
  2⤵
  PID:12408
- C:\Windows\System\UcXFTau.exe
  C:\Windows\System\UcXFTau.exe
  2⤵
  PID:12428
- C:\Windows\System\dsxKtIN.exe
  C:\Windows\System\dsxKtIN.exe
  2⤵
  PID:12456
- C:\Windows\System\ngHUWlf.exe
  C:\Windows\System\ngHUWlf.exe
  2⤵
  PID:12480
- C:\Windows\System\FGwHaAG.exe
  C:\Windows\System\FGwHaAG.exe
  2⤵
  PID:12504
- C:\Windows\System\crBDbFS.exe
  C:\Windows\System\crBDbFS.exe
  2⤵
  PID:12548
- C:\Windows\System\oqhhDAS.exe
  C:\Windows\System\oqhhDAS.exe
  2⤵
  PID:12584
- C:\Windows\System\aUTiKek.exe
  C:\Windows\System\aUTiKek.exe
  2⤵
  PID:12608
- C:\Windows\System\JMqSGHB.exe
  C:\Windows\System\JMqSGHB.exe
  2⤵
  PID:12624
- C:\Windows\System\tQkoTvR.exe
  C:\Windows\System\tQkoTvR.exe
  2⤵
  PID:12652
- C:\Windows\System\qqkAgBD.exe
  C:\Windows\System\qqkAgBD.exe
  2⤵
  PID:12672
- C:\Windows\System\jHjxjKi.exe
  C:\Windows\System\jHjxjKi.exe
  2⤵
  PID:12696
- C:\Windows\System\cZSsbWr.exe
  C:\Windows\System\cZSsbWr.exe
  2⤵
  PID:12716
- C:\Windows\System\qtxzrcZ.exe
  C:\Windows\System\qtxzrcZ.exe
  2⤵
  PID:12736
- C:\Windows\System\TRotQlM.exe
  C:\Windows\System\TRotQlM.exe
  2⤵
  PID:12756
- C:\Windows\System\XaKhWPN.exe
  C:\Windows\System\XaKhWPN.exe
  2⤵
  PID:12784
- C:\Windows\System\bdKTuws.exe
  C:\Windows\System\bdKTuws.exe
  2⤵
  PID:12816
- C:\Windows\System\BtZdPoB.exe
  C:\Windows\System\BtZdPoB.exe
  2⤵
  PID:12868
- C:\Windows\System\RzVjtyl.exe
  C:\Windows\System\RzVjtyl.exe
  2⤵
  PID:12892
- C:\Windows\System\qvUYdeY.exe
  C:\Windows\System\qvUYdeY.exe
  2⤵
  PID:12944
- C:\Windows\System\GfSoJic.exe
  C:\Windows\System\GfSoJic.exe
  2⤵
  PID:12964
- C:\Windows\System\xyyOOck.exe
  C:\Windows\System\xyyOOck.exe
  2⤵
  PID:12992
- C:\Windows\System\ytIwtCS.exe
  C:\Windows\System\ytIwtCS.exe
  2⤵
  PID:13020
- C:\Windows\System\oBJGzGW.exe
  C:\Windows\System\oBJGzGW.exe
  2⤵
  PID:13052
- C:\Windows\System\rBDejUw.exe
  C:\Windows\System\rBDejUw.exe
  2⤵
  PID:13076
- C:\Windows\System\tIEFWlx.exe
  C:\Windows\System\tIEFWlx.exe
  2⤵
  PID:13100
- C:\Windows\System\rZbZnhv.exe
  C:\Windows\System\rZbZnhv.exe
  2⤵
  PID:13116
- C:\Windows\System\SelsUPQ.exe
  C:\Windows\System\SelsUPQ.exe
  2⤵
  PID:13136

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 1052 -i 1052 -h 540 -j 544 -s 552 -d 0
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:12368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wbohxjpj.a2r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AHxkHMk.exe

Filesize
1.7MB

MD5
9e5c51d156d12616d7a952d3460a4550

SHA1
0d4023993cc752d2b8fa1772d5fd70cefb112002

SHA256
ba0102780eb05e18411c7af4bab789292d0ef013ee8ac56259021ab2fd66f0c0

SHA512
1f073067ea973b977bbd29613610409ed6ef21b411d568b7420b4329ddeeb3a1f0ed423343354a8a4ea7dc60e9ec3ac15b4b8731ffd84116a0022dc48df61eb9

Download Submit
C:\Windows\System\AtvxXiG.exe

Filesize
1.7MB

MD5
195cb89e42c01dc4ffc8d62c2d3d3e1d

SHA1
6e761b0f8819a37294b82e374220198eb3eb540f

SHA256
2712b99d4d7efd017d6d400c234802682dce515615fbda135d514d4d950f4964

SHA512
dded5a3e24114b0c4a52daf8b61ef420f94cd4d09d4051a80a9de5b5de618b91361e3067dd6970d95f163c225c9a9268f3b0aecc123d415dc33d751b994448d4

Download Submit
C:\Windows\System\DhFhYGM.exe

Filesize
1.7MB

MD5
8bd14017581de19b4a20371bedca61bb

SHA1
64b4c2ce249bd696db36bb4582f055e01ea75e6d

SHA256
0df7e87d050b5ada50188e8c57d6ecdacbeaff3cc5362ff20be69a12c9edb841

SHA512
7433969ce93e1d388dac8bc877c3cda4c69717a0142a7a22069caf493ad30247cef74706c592fbd05cddb3d1906e3a3cc3c6314afd3436f3a851c849d1c55a86

Download Submit
C:\Windows\System\ERSpFIX.exe

Filesize
1.7MB

MD5
6ff6978bd313ea5e2d446892f35c1f1f

SHA1
10b7d39d578db6f13db1004531136c24d839f1ea

SHA256
4a0e5d65cd95f75a327137581e6d6cbf930eb03e59f3533a63357a6e8c572214

SHA512
735dff87e636bda754d443bc5dc27f87ccd67f5a89c1c9c976f465f7616fbd1e993a5b70886596067e8c559662c1378c8c07e829ddc750fd6ffe1f7618f73ef5

Download Submit
C:\Windows\System\GguCbeH.exe

Filesize
1.7MB

MD5
a26fc7e95b438f7df80513e76b62433e

SHA1
7352584aa3272703b56deed2b86437be2c760c49

SHA256
8d28fad21a5e61387c7a14828cef689fbf49126cfa675f6e54a47a2781acd4f9

SHA512
ca49c19984dad6d1561d643cfcf86a1df7cc44904fd80518266fac6d6acbf7e985a3c894c1eee485598886fa2658fc7731c2b07b4afa79cc09283b08f007773f

Download Submit
C:\Windows\System\KBZqZOi.exe

Filesize
1.7MB

MD5
c08f1a4565beebc3b1f4e61b9ece3e10

SHA1
5c981f1e87455b2aa31657368bbcf15b9671857b

SHA256
ea2c0424da1c6b29208673d7490d39aad945ad9a0edde82d720220edb21d80ff

SHA512
dd4d9f55613eec42d506ff644cdb0a742d48c946f979011c6ff96a7c9b7e778c7a81b56820b56165a5c823b0446db08a7f8d52d7da117f0784c01fb2f7c4e518

Download Submit
C:\Windows\System\LACnCLh.exe

Filesize
1.7MB

MD5
c68d71915df06b5f89456fed4da6bf16

SHA1
26e434b10ee5148c5382aede6d7700c4e6adc507

SHA256
fabb843f6e01aa23750a22dd1b12894f53c31600f9578c93378a26924b5d82f5

SHA512
276efb4e673019dd393fb0eaebdb95db1f858032ec80fb533321b98a24ba84a20dd213142491bf5a5f3c22381cd2fa83bb6fe0aaeb1029ac8f00dc3ccf8020a9

Download Submit
C:\Windows\System\LznAblu.exe

Filesize
1.7MB

MD5
7517406aa9168fab6c2c43d9fa707916

SHA1
a9bc497c56eb53f4c2f60fa1f55b58a2669b4645

SHA256
81af7aa6bc0dfd5cfdd5f444101e9ecd25d97edf34bebe88b304f6db82178ded

SHA512
16062486dba6de41f5c6ea0e7bffbdbafe4ff24a77ddccff2bab28e94c2a295db9856989607e118f281e976712f3ea4f6df6b9f7a6f8d8b7c245f1ad0e0d8a23

Download Submit
C:\Windows\System\MHNbMlr.exe

Filesize
1.7MB

MD5
aa9a0e18e6acf5ab78355ac4e4130683

SHA1
ee5e9563a5682ebfb98523850904278b73467a5b

SHA256
aed5e5e766c000a65303b47812eeb14b88e49b4068ec3760d837205c27bdd1c1

SHA512
b486c562255b1006e30bd71b445096fffa6a92c4b083af3b355919c9631ae02b7969ed026823f6ad9aba558c6e0728bba95411ce2cb65ec69db900e6c92baeb1

Download Submit
C:\Windows\System\MMfQAqb.exe

Filesize
1.7MB

MD5
48f7ae642ef6d05f4c025f4b86d8c84d

SHA1
aa9ce7080731ea292a375fbbc8a0714c3fd151bd

SHA256
40421594b073d212e72acc1f57cd9cb09313d20b6ec5f49fbc4addd9d8647854

SHA512
3aa287263e73dfb4839d0e906651c0a495b94c0fbe2a1dc68d4c09fb059eac683e88d37b06016a8ac0bdfe7c87ab2bfe31f9f257382aa08a7d09ff70db8ec113

Download Submit
C:\Windows\System\OlLcXKS.exe

Filesize
1.7MB

MD5
8a76b968e4a01c913a799deece8024f5

SHA1
c0a02024ac469dc2f2999152889317698d342fe9

SHA256
976d363d6979cf7fc8a28e4f4d49c57ede4c4c50abdd54b39ca961e4e0abcffd

SHA512
6b85cdf9a2d353c3574278574edcdf262106ede9bcb2a1c8be2ee33dd438463b49cb766d8b23cf6fc43681ea3764b08626c91701783b7be88a05068061e377e6

Download Submit
C:\Windows\System\OoUXiaX.exe

Filesize
8B

MD5
4585af961e6be7f3b03d075298565b62

SHA1
8e84c60639225761f581ea4ec1ff9a2d8e5472c9

SHA256
b8920be4ca9181e84576dfb449141c7d9af40d7ddc5588ea3cac8c68ef3a0a88

SHA512
aca862ef42a6056537a17dcbf9d8778efa38fbecbcb6ce3dce02a2eb0f5b9ffb56a667b21c26a29159a0ebcd14d21a77c5b25a36880c46863acba28da90e75f0

Download Submit
C:\Windows\System\PuRscAM.exe

Filesize
1.7MB

MD5
a6e3f70447b88a28bef82a5db26b382a

SHA1
21ddec1cd63b0511d0a3ffd32276a7b35fddf9e1

SHA256
683fed6df91f3b026239076313eb0eda0f22ef2417ae7b9c039741756cf087f2

SHA512
dd6266268819b54f0b0918946cf46259657da50cb649ed15678fbc861c06910264399fb4594f40113afbbc00480cb916b74432af545377d67bee244fab0ffc4a

Download Submit
C:\Windows\System\QNQRxFH.exe

Filesize
1.7MB

MD5
b3a5cf5bc44003db0361310bb38c2318

SHA1
3a68f809747055b6e6a9bdd906c5302491660c08

SHA256
6acd1ea3b6e8e8e6f2fe5e233e4e5f82cf1a0887f434a53ee2dbe77d3dc2b6bd

SHA512
040f55625da82a8ce5c9fc2c5ffdc473470fe93c365709cddc58490438d34479763a74807e6f2d6a2ed654d7a282a96c4c62d9b9a3af575906ccd85a793f7a17

Download Submit
C:\Windows\System\SlFfYIi.exe

Filesize
1.7MB

MD5
270697fb0496629b8854eea0ec349c9b

SHA1
931bade404b536bb4282751d90ba8b33ce6273f2

SHA256
53faddbf935a5eef49cadfb3f1c31cedf3b80a53d076ae0f07dc31a5c0c9f324

SHA512
23b3145a168534baf7097e3f5100ea4b5b443b62404a97444d5547ded9c1b1554162b10aac3723eb8fad175b0ab50afd0576311b1a8a7b650831e2623f09cd89

Download Submit
C:\Windows\System\XfsFsOA.exe

Filesize
1.7MB

MD5
784de010b1abbdb600b885e90b64db1c

SHA1
ceba8cfa82320e8f9b24078d6d1de1f622e50197

SHA256
c1ccfc27d63ab6890279f65024f501cb95a08264010d0dbbcbf8568a1f55d795

SHA512
7c4d85a3ab90eb5b8432b28b4f98c667bb766276a11d2f08e0e32fe146d7eafb564bbd9db0618d88be75fdf60c5350b86052cddee673a84866e65c803d816ce6

Download Submit
C:\Windows\System\YGjgPPS.exe

Filesize
1.7MB

MD5
f96e55ce2e85fbbd7923ff62df7b803c

SHA1
2768c9cb19d326f93c72e0bac9de10c49f09eec0

SHA256
0864351c5ef3b288d2758a02a05578eff55f8792aaf91ae58fc02e78346f464d

SHA512
7bdbd07c4837ab15effd329e3cd6c17a18c0870ccb67f75cf671b036f2d08e5d94664cc8dc518d1abd8c9df87528cd8a5cb7763974e0aec99bbd66bdbec8e71f

Download Submit
C:\Windows\System\cCCkOfI.exe

Filesize
1.7MB

MD5
3689aee7ab2dc3373923a7b1c4e124b3

SHA1
2733b434c2cf37043170635df38a633cd61b648f

SHA256
3f03f67a93800312813b23634d4f3942ac7f1f949269fa7a00166d348b9ed243

SHA512
c25789e481a2ed1e03f3c5855f8c1f898c97062ab6d839223dfa2073489ebe214045499decab921ebdf17e1b1b46b42da0a22cc55dbc6b510f5c612fa3fb752a

Download Submit
C:\Windows\System\hHjDZuw.exe

Filesize
1.7MB

MD5
ec90834391cda4d0fa78de99bf01cfea

SHA1
6d20f47b67d5ec1773072047b6b77d24398ba63c

SHA256
820b6378e8a1537a52ba97d94f99e198c212f4a2692fa3eac0e32fe9094184e5

SHA512
d26369b39a6b54ac1323183d40170a37f38fc5347625838b2d48753e24fb997f7936b1fa33f5629fda185b4e150f0585ef033a16e43192cbef9bee94249bc217

Download Submit
C:\Windows\System\kBKWUMj.exe

Filesize
1.7MB

MD5
24b59d7c38f1506d9d2fd977f9400e09

SHA1
ccb69ca8a47be983faca4b45a281db945033e69b

SHA256
87a3ba489ac0be3d6eab6aca4cb41fe452420a90f5c4cb45e7f147a91ea6edaa

SHA512
a3d8fa1799847b3e5a434cb6430ac6b220336597cbb639951be5c05a70500b897371fc66d892bb84d098fb31da7bbeb0b2e06ca4fb0a004e31cf135af7099924

Download Submit
C:\Windows\System\ktEZQES.exe

Filesize
1.7MB

MD5
c84522d45c70cf0b329c8babb710beb4

SHA1
08da8a6f6931ee57133f1185c1f2b0236625bdfd

SHA256
bf87ad3f336684f8120edd18054c2c15ec21dc6390392b846addf0dc3467ff9c

SHA512
6fa9cc3776d6471df8d8648ef405e8ff4d41a35ceffb93dff1d03e4a0e551ad22e224738ceede7be33e4bb3dd61201ced2e8295539d61f89c2d4edc2651abf8b

Download Submit
C:\Windows\System\mYGcbvS.exe

Filesize
1.7MB

MD5
5015653a1c2449e202e39d013f964a08

SHA1
05d10be332976efccb0fe30182bb5bc3926cf776

SHA256
69ba4c3c2fcb28d4f078ed671ccac4b24da953fc60c128e00eb0ffe8f3fc24af

SHA512
032f275b5df37f2149bb704e388ffcf57ce75383f180c95ac7eae135fe55ecac10a22ece3c711de6b47235fe9be21d2951d6ebfde7b9cdfce660b744dcf384b8

Download Submit
C:\Windows\System\nTBdQfO.exe

Filesize
1.7MB

MD5
a15c9e6768b6bf22a18244bf309e285c

SHA1
b2ab36a096acb5864e027455ae923599a5759e84

SHA256
3941d35d917874edf63326f6db35aab858226f146db555f35d2ef5ed042a7cca

SHA512
61e7e6b56cd8c39271ee41be06e4e12de8fbb2b0f8da12853878251bfc5dd8cde30d896c2057b40b20f1567e8b1c60494a28b1268473e18b8f66cbb366e28e8f

Download Submit
C:\Windows\System\nzNkcSN.exe

Filesize
1.7MB

MD5
53863109288be6117552a6c9a47740fd

SHA1
21621fc2b7ca6e6f34aba408eab8b4471e7b390f

SHA256
d8d850cc3b31ffa2c89b2b2a1b97916863bc5dab1fc82a5cde6a34140c8e555b

SHA512
be42954f585ba3b710a472f53b89133454095350882e143b54a377778c3f1ee9484a2dcd2da17ee951e8db0ecb1c18caa07ad429f4a3f25180250958bd5c420f

Download Submit
C:\Windows\System\ofxcecP.exe

Filesize
1.7MB

MD5
1715a60f32ec2822c30f8d103e3749dd

SHA1
7f9b621204692b6907d0f318893c365e9014634d

SHA256
cf12b09c1f493943e773e4e0db5f025d53be95f40d5db541b8ef1df763b22949

SHA512
9346d456474c1b921b13d21082affef28ba5ab47837597e5299c1c868648698d0594f237afe4e1c9800059ad5db73187d85a19027a16ed2b5daba3de800deb48

Download Submit
C:\Windows\System\rtBccZF.exe

Filesize
1.7MB

MD5
d478698c91b9f8a8a1e8aeef49f97659

SHA1
1be3e9e9cc317956c9399feafef428025af576a5

SHA256
e16bde0b18067685eb23f3b5ffdaa76a6f8dc1a53843890d044934cfe3cc3461

SHA512
0ed3cc548919b52164e68c84212defa2fed380df6a7f57764f0f401a048b395064f732564f737901852ace443ea4d8d9368b94aeb2973a1fe3368bd08fe227c2

Download Submit
C:\Windows\System\tXuElDF.exe

Filesize
1.7MB

MD5
a2d6ef9e55b627e311e287eda6c8d792

SHA1
739d5ad5a222be6e2c23e0972dc69d435b99dfec

SHA256
c8d9bdac010df6c5b349fda90c9aeff042f5e78820e555993d84d0d8bc0f6c7f

SHA512
76976a1ff9244b3b8145977656873bcc1870305928008bf9b3fcf602be026e1727696474bd226adc38861411e3a40363c2f6319166a36215109262a5b1522cf7

Download Submit
C:\Windows\System\tZvgzJm.exe

Filesize
1.7MB

MD5
19c149010e7b8f6287d684ae3f6a3545

SHA1
d8a6e0c4f6212ecab8a38696dbe2763c4b2fad00

SHA256
05348f28fa25cc701557e1076f0e35e0aafd847a76a9132a8417bbb7a56a4c6c

SHA512
d688c29343af9cfec10b594741b3f668420797329924ada5074af305a4c7d7b27b350130addf710fdc308fa0f4c594d487853392e6e162ea84001bf73083e40a

Download Submit
C:\Windows\System\uXLVMhR.exe

Filesize
1.7MB

MD5
ef89bf1e26cd925ecb1c6d798e813848

SHA1
f3b7fe4400d11f50ed55a7b2dfa992bfe57fddf7

SHA256
b35ae8fd75c56ae22dcf46a6352c78dea55c69a026bdeab1537beaf7ebfa17c1

SHA512
a1aa4798fe465ba4a4069eaeb94ab1e20a941b3f62401df8b44877d7f26e1f90c625639861993fc5d3258cf11ef2e9970f42477d8d14e7ad466ad883157851bc

Download Submit
C:\Windows\System\wTiNfDi.exe

Filesize
1.7MB

MD5
07126252916cf307946bc01ec8410687

SHA1
ca27d76ef3d4434408bd051d1ce5634cd90a2d44

SHA256
a38521e4bc13807d6e266eeb89ddf52544a8bc2007b87cdf8dd1187e3af67ac4

SHA512
e78ff262f643f2c19982edf95a098b2f777025d13f46182ff3d1f67ba7074ff27cc6e6f9b8fa7affd6526cc5042290086bd7a8b03433b69e505ec692816d1fec

Download Submit
C:\Windows\System\ycMmhdp.exe

Filesize
1.7MB

MD5
8a035f035a5b12062997e86522c5fead

SHA1
21485acbe1b34cd3074a7a2452c1c8877b58505a

SHA256
bd5fba9bf0166ac181b6df8fc41413ef44ce56ac0278f7ec84bc001e130b463f

SHA512
a8431c1f39ffc9a365bd36504ce576c28d9d8a157c2e6c76e49de03a9ab6f46e9de8238ccc32d104838dd2360d38e84567d645d6fb19363496133aa0a5f7cd1c

Download Submit
C:\Windows\System\zTbTKpG.exe

Filesize
1.7MB

MD5
3332c6129b584c28a1677a60b5b22475

SHA1
bd85b1bbbcf5926072003a5d77b8b65ba9bdc3be

SHA256
bd160fb2818007e83f5d3fe5da7d55a3a490ad61ac59bbdce8250e326c91c3a5

SHA512
c9a30926d3b1c5a91fa020d1b39a19638d8407b626a8fe13d98e47f03de3664b0283f10a324a3ea7ede2ba5f5df6aaef88ba1b923933259b075644aba1e08349

Download Submit
C:\Windows\System\zZNHDfj.exe

Filesize
1.7MB

MD5
71950b29d3e2c6b6d44f1d25b4d2b228

SHA1
ca6c0b95844187eab2e7a959e72cbb1d5959cb37

SHA256
d5b99bd4a3db03fb8e4c1449077fc0c2d1f99f79ec4fd9c6a9de675cc52b3f70

SHA512
e5e53f1380906d7ab4b85655d008bc49d2001de4ec31a72bb5315ef913f3e213add6f0c2e90c11e583120f7461c3e482f05ea585fc53f26523339d67c4b7ad26

Download Submit
C:\Windows\System\zjrbJeB.exe

Filesize
1.7MB

MD5
f80f1b83db9125df72ae2ae51b642f6b

SHA1
b9c4a87a94c5f7b3f42204762678fc05252da554

SHA256
5fa333f74cdf3e8e454359073ccf591cc3755705fb4f338f8a9295b233d2aaf2

SHA512
ac84b6d984d065fd23f0432e9ef84b1973f3f4e52703e554de13ebaaa38ebba1a7c2a2ecc19c8bf8ff1729b3e4c4a168729ae412886b030819fefba3bad54103

Download Submit
memory/60-3170-0x00007FF66DAB0000-0x00007FF66DEA2000-memory.dmp

Filesize
3.9MB

Download
memory/60-549-0x00007FF66DAB0000-0x00007FF66DEA2000-memory.dmp

Filesize
3.9MB

Download
memory/1228-3166-0x00007FF63C7A0000-0x00007FF63CB92000-memory.dmp

Filesize
3.9MB

Download
memory/1228-539-0x00007FF63C7A0000-0x00007FF63CB92000-memory.dmp

Filesize
3.9MB

Download
memory/1376-3168-0x00007FF7CC340000-0x00007FF7CC732000-memory.dmp

Filesize
3.9MB

Download
memory/1376-547-0x00007FF7CC340000-0x00007FF7CC732000-memory.dmp

Filesize
3.9MB

Download
memory/1404-3044-0x00007FF773A00000-0x00007FF773DF2000-memory.dmp

Filesize
3.9MB

Download
memory/1404-415-0x00007FF773A00000-0x00007FF773DF2000-memory.dmp

Filesize
3.9MB

Download
memory/1664-3160-0x00007FF65B350000-0x00007FF65B742000-memory.dmp

Filesize
3.9MB

Download
memory/1664-502-0x00007FF65B350000-0x00007FF65B742000-memory.dmp

Filesize
3.9MB

Download
memory/1748-3123-0x00007FF633C20000-0x00007FF634012000-memory.dmp

Filesize
3.9MB

Download
memory/1748-473-0x00007FF633C20000-0x00007FF634012000-memory.dmp

Filesize
3.9MB

Download
memory/1820-3178-0x00007FF7B33D0000-0x00007FF7B37C2000-memory.dmp

Filesize
3.9MB

Download
memory/1820-559-0x00007FF7B33D0000-0x00007FF7B37C2000-memory.dmp

Filesize
3.9MB

Download
memory/1864-574-0x00007FF77CF50000-0x00007FF77D342000-memory.dmp

Filesize
3.9MB

Download
memory/1864-3082-0x00007FF77CF50000-0x00007FF77D342000-memory.dmp

Filesize
3.9MB

Download
memory/2108-1-0x000001D8E2250000-0x000001D8E2260000-memory.dmp

Filesize
64KB

Download
memory/2108-0-0x00007FF6DEAA0000-0x00007FF6DEE92000-memory.dmp

Filesize
3.9MB

Download
memory/2596-571-0x00007FF7F48F0000-0x00007FF7F4CE2000-memory.dmp

Filesize
3.9MB

Download
memory/2596-3180-0x00007FF7F48F0000-0x00007FF7F4CE2000-memory.dmp

Filesize
3.9MB

Download
memory/2712-3162-0x00007FF7F1690000-0x00007FF7F1A82000-memory.dmp

Filesize
3.9MB

Download
memory/2712-506-0x00007FF7F1690000-0x00007FF7F1A82000-memory.dmp

Filesize
3.9MB

Download
memory/2864-3126-0x00007FF730850000-0x00007FF730C42000-memory.dmp

Filesize
3.9MB

Download
memory/2864-482-0x00007FF730850000-0x00007FF730C42000-memory.dmp

Filesize
3.9MB

Download
memory/3136-457-0x00007FF743D90000-0x00007FF744182000-memory.dmp

Filesize
3.9MB

Download
memory/3136-3115-0x00007FF743D90000-0x00007FF744182000-memory.dmp

Filesize
3.9MB

Download
memory/3196-3030-0x00007FF7CB2B0000-0x00007FF7CB6A2000-memory.dmp

Filesize
3.9MB

Download
memory/3196-26-0x00007FF7CB2B0000-0x00007FF7CB6A2000-memory.dmp

Filesize
3.9MB

Download
memory/3196-3076-0x00007FF7CB2B0000-0x00007FF7CB6A2000-memory.dmp

Filesize
3.9MB

Download
memory/3228-454-0x00007FF7D03D0000-0x00007FF7D07C2000-memory.dmp

Filesize
3.9MB

Download
memory/3228-3093-0x00007FF7D03D0000-0x00007FF7D07C2000-memory.dmp

Filesize
3.9MB

Download
memory/3552-3046-0x00007FF78E3F0000-0x00007FF78E7E2000-memory.dmp

Filesize
3.9MB

Download
memory/3552-21-0x00007FF78E3F0000-0x00007FF78E7E2000-memory.dmp

Filesize
3.9MB

Download
memory/3604-3029-0x00007FF8EEE20000-0x00007FF8EF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-17-0x00007FF8EEE20000-0x00007FF8EF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-3039-0x00007FF8EEE20000-0x00007FF8EF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-348-0x000001EB6F740000-0x000001EB6FEE6000-memory.dmp

Filesize
7.6MB

Download
memory/3604-5-0x00007FF8EEE23000-0x00007FF8EEE25000-memory.dmp

Filesize
8KB

Download
memory/3604-414-0x00007FF8EEE20000-0x00007FF8EF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/3604-41-0x000001EB6C8E0000-0x000001EB6C902000-memory.dmp

Filesize
136KB

Download
memory/3904-449-0x00007FF606410000-0x00007FF606802000-memory.dmp

Filesize
3.9MB

Download
memory/3904-3099-0x00007FF606410000-0x00007FF606802000-memory.dmp

Filesize
3.9MB

Download
memory/3976-3111-0x00007FF62CD10000-0x00007FF62D102000-memory.dmp

Filesize
3.9MB

Download
memory/3976-467-0x00007FF62CD10000-0x00007FF62D102000-memory.dmp

Filesize
3.9MB

Download
memory/4000-428-0x00007FF79E4F0000-0x00007FF79E8E2000-memory.dmp

Filesize
3.9MB

Download
memory/4000-3091-0x00007FF79E4F0000-0x00007FF79E8E2000-memory.dmp

Filesize
3.9MB

Download
memory/4524-3189-0x00007FF7F9890000-0x00007FF7F9C82000-memory.dmp

Filesize
3.9MB

Download
memory/4524-553-0x00007FF7F9890000-0x00007FF7F9C82000-memory.dmp

Filesize
3.9MB

Download
memory/4704-494-0x00007FF66E4C0000-0x00007FF66E8B2000-memory.dmp

Filesize
3.9MB

Download
memory/4704-3145-0x00007FF66E4C0000-0x00007FF66E8B2000-memory.dmp

Filesize
3.9MB

Download
memory/4796-3139-0x00007FF6C6180000-0x00007FF6C6572000-memory.dmp

Filesize
3.9MB

Download
memory/4796-489-0x00007FF6C6180000-0x00007FF6C6572000-memory.dmp

Filesize
3.9MB

Download
memory/4968-3164-0x00007FF668790000-0x00007FF668B82000-memory.dmp

Filesize
3.9MB

Download
memory/4968-517-0x00007FF668790000-0x00007FF668B82000-memory.dmp

Filesize
3.9MB

Download
memory/5064-3143-0x00007FF7DBCF0000-0x00007FF7DC0E2000-memory.dmp

Filesize
3.9MB

Download
memory/5064-490-0x00007FF7DBCF0000-0x00007FF7DC0E2000-memory.dmp

Filesize
3.9MB

Download
memory/5080-429-0x00007FF63D750000-0x00007FF63DB42000-memory.dmp

Filesize
3.9MB

Download
memory/5080-3081-0x00007FF63D750000-0x00007FF63DB42000-memory.dmp

Filesize
3.9MB

Download