xmrig | 173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
Size

2.0MB
MD5

cb4b981d4395d4c8e4155224ac8f5240
SHA1

8f8c72ec64e63fb5c77daaab3bb674e0b7277f8b
SHA256

173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673
SHA512

8c7ad6be1c16df7863b664ac6096a02cc1779c24934a70a3c7d03177eedeb8c94ab0db8f0b1abba668397f42f045d19e6378f1cac92697d7e21cff3c1d6d34bc
SSDEEP

49152:Lz071uv4BPMkibTIA5I4TNrpDGfFzcVWCB8:NABT

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 12940 created 1460	12940	WerFaultSecure.exe	77

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4424-64-0x00007FF7B15B0000-0x00007FF7B19A2000-memory.dmp	xmrig
behavioral2/memory/820-70-0x00007FF7C5FF0000-0x00007FF7C63E2000-memory.dmp	xmrig
behavioral2/memory/1832-76-0x00007FF6265F0000-0x00007FF6269E2000-memory.dmp	xmrig
behavioral2/memory/3924-81-0x00007FF77CB80000-0x00007FF77CF72000-memory.dmp	xmrig
behavioral2/memory/1152-88-0x00007FF7DE210000-0x00007FF7DE602000-memory.dmp	xmrig
behavioral2/memory/4584-742-0x00007FF7604E0000-0x00007FF7608D2000-memory.dmp	xmrig
behavioral2/memory/764-758-0x00007FF6AAF60000-0x00007FF6AB352000-memory.dmp	xmrig
behavioral2/memory/2840-762-0x00007FF64A950000-0x00007FF64AD42000-memory.dmp	xmrig
behavioral2/memory/4952-779-0x00007FF7A7410000-0x00007FF7A7802000-memory.dmp	xmrig
behavioral2/memory/1792-784-0x00007FF7F0620000-0x00007FF7F0A12000-memory.dmp	xmrig
behavioral2/memory/1172-761-0x00007FF714730000-0x00007FF714B22000-memory.dmp	xmrig
behavioral2/memory/2788-744-0x00007FF62ABE0000-0x00007FF62AFD2000-memory.dmp	xmrig
behavioral2/memory/4552-749-0x00007FF690AB0000-0x00007FF690EA2000-memory.dmp	xmrig
behavioral2/memory/4428-107-0x00007FF7F4170000-0x00007FF7F4562000-memory.dmp	xmrig
behavioral2/memory/208-104-0x00007FF791090000-0x00007FF791482000-memory.dmp	xmrig
behavioral2/memory/1464-103-0x00007FF7DA160000-0x00007FF7DA552000-memory.dmp	xmrig
behavioral2/memory/3040-101-0x00007FF60CB90000-0x00007FF60CF82000-memory.dmp	xmrig
behavioral2/memory/4196-96-0x00007FF780300000-0x00007FF7806F2000-memory.dmp	xmrig
behavioral2/memory/2608-91-0x00007FF798480000-0x00007FF798872000-memory.dmp	xmrig
behavioral2/memory/1136-90-0x00007FF7E55D0000-0x00007FF7E59C2000-memory.dmp	xmrig
behavioral2/memory/1004-75-0x00007FF69AF60000-0x00007FF69B352000-memory.dmp	xmrig
behavioral2/memory/3220-71-0x00007FF6BD210000-0x00007FF6BD602000-memory.dmp	xmrig
behavioral2/memory/2924-11-0x00007FF6D0000000-0x00007FF6D03F2000-memory.dmp	xmrig
behavioral2/memory/208-3231-0x00007FF791090000-0x00007FF791482000-memory.dmp	xmrig
behavioral2/memory/2800-3257-0x00007FF62D400000-0x00007FF62D7F2000-memory.dmp	xmrig
behavioral2/memory/2924-3261-0x00007FF6D0000000-0x00007FF6D03F2000-memory.dmp	xmrig
behavioral2/memory/3924-3263-0x00007FF77CB80000-0x00007FF77CF72000-memory.dmp	xmrig
behavioral2/memory/1152-3268-0x00007FF7DE210000-0x00007FF7DE602000-memory.dmp	xmrig
behavioral2/memory/3220-3273-0x00007FF6BD210000-0x00007FF6BD602000-memory.dmp	xmrig
behavioral2/memory/4196-3278-0x00007FF780300000-0x00007FF7806F2000-memory.dmp	xmrig
behavioral2/memory/3040-3280-0x00007FF60CB90000-0x00007FF60CF82000-memory.dmp	xmrig
behavioral2/memory/2608-3283-0x00007FF798480000-0x00007FF798872000-memory.dmp	xmrig
behavioral2/memory/1004-3282-0x00007FF69AF60000-0x00007FF69B352000-memory.dmp	xmrig
behavioral2/memory/1832-3275-0x00007FF6265F0000-0x00007FF6269E2000-memory.dmp	xmrig
behavioral2/memory/1136-3272-0x00007FF7E55D0000-0x00007FF7E59C2000-memory.dmp	xmrig
behavioral2/memory/4424-3270-0x00007FF7B15B0000-0x00007FF7B19A2000-memory.dmp	xmrig
behavioral2/memory/820-3266-0x00007FF7C5FF0000-0x00007FF7C63E2000-memory.dmp	xmrig
behavioral2/memory/4952-3315-0x00007FF7A7410000-0x00007FF7A7802000-memory.dmp	xmrig
behavioral2/memory/1172-3309-0x00007FF714730000-0x00007FF714B22000-memory.dmp	xmrig
behavioral2/memory/4428-3319-0x00007FF7F4170000-0x00007FF7F4562000-memory.dmp	xmrig
behavioral2/memory/1792-3318-0x00007FF7F0620000-0x00007FF7F0A12000-memory.dmp	xmrig
behavioral2/memory/2788-3306-0x00007FF62ABE0000-0x00007FF62AFD2000-memory.dmp	xmrig
behavioral2/memory/2840-3313-0x00007FF64A950000-0x00007FF64AD42000-memory.dmp	xmrig
behavioral2/memory/764-3311-0x00007FF6AAF60000-0x00007FF6AB352000-memory.dmp	xmrig
behavioral2/memory/4552-3305-0x00007FF690AB0000-0x00007FF690EA2000-memory.dmp	xmrig
behavioral2/memory/4584-3287-0x00007FF7604E0000-0x00007FF7608D2000-memory.dmp	xmrig
behavioral2/memory/2800-3290-0x00007FF62D400000-0x00007FF62D7F2000-memory.dmp	xmrig
behavioral2/memory/1464-3286-0x00007FF7DA160000-0x00007FF7DA552000-memory.dmp	xmrig
behavioral2/memory/208-3555-0x00007FF791090000-0x00007FF791482000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	5072	powershell.exe
11	5072	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
5072	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2924	XOJfVBX.exe
3924	wSTyMHK.exe
1152	bkiRxtZ.exe
4424	SDfWyfy.exe
820	RkmjjyF.exe
3220	VrrknLS.exe
1004	GoTntIp.exe
1136	yVdGqwU.exe
1832	uAjorOB.exe
2608	hnVvPlt.exe
4196	XKCbOxw.exe
3040	pyDONoF.exe
1464	bMzIGBV.exe
208	ExXsBcN.exe
4428	MOipUbU.exe
2800	dIgesud.exe
4584	tOsEKRP.exe
2788	WNzyKfo.exe
4552	dLxUIyi.exe
764	mcgkOlZ.exe
1172	zRYauNC.exe
2840	pwXxged.exe
4952	FEOzFIG.exe
1792	JMNmHhW.exe
588	LLtLXjI.exe
3692	aoDlinZ.exe
4628	mTZFFRM.exe
4464	Ionhijs.exe
1104	XgqfZJd.exe
5068	aujtWmA.exe
4976	SChxFeX.exe
4672	MMwgYqh.exe
3592	EPLopwk.exe
3936	bnnDYwx.exe
5032	uhoAVTW.exe
2668	RjxFpHL.exe
1640	jqUQvkC.exe
4796	LrHSjDl.exe
616	XMrPsjy.exe
184	wPqIozc.exe
944	NzHxLdC.exe
976	QURYhrn.exe
3268	UMroArg.exe
1652	PRarCwe.exe
1184	yOnyFkB.exe
884	poIVLdv.exe
4480	TjqyYZm.exe
1108	urmFvOF.exe
5060	idZAXRf.exe
448	jzVZqOF.exe
2672	kIWfpyq.exe
2616	rXhogAp.exe
4048	HfYqQmx.exe
3808	sdhnTfn.exe
3708	BhKQRgN.exe
1508	UkUmzmD.exe
4076	tkiofcp.exe
4460	eTzYSfz.exe
1148	BrDMRaw.exe
3008	twoykOK.exe
1748	IFAXwOO.exe
2084	Pxzwucd.exe
3404	OFcaCJS.exe
4360	DzjLHGS.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3468-0-0x00007FF6A2540000-0x00007FF6A2932000-memory.dmp	upx
behavioral2/files/0x000800000002344d-5.dat	upx
behavioral2/files/0x000700000002344f-8.dat	upx
behavioral2/files/0x0007000000023451-25.dat	upx
behavioral2/files/0x0007000000023454-41.dat	upx
behavioral2/files/0x0007000000023453-43.dat	upx
behavioral2/files/0x0007000000023452-56.dat	upx
behavioral2/memory/4424-64-0x00007FF7B15B0000-0x00007FF7B19A2000-memory.dmp	upx
behavioral2/memory/820-70-0x00007FF7C5FF0000-0x00007FF7C63E2000-memory.dmp	upx
behavioral2/memory/1832-76-0x00007FF6265F0000-0x00007FF6269E2000-memory.dmp	upx
behavioral2/memory/3924-81-0x00007FF77CB80000-0x00007FF77CF72000-memory.dmp	upx
behavioral2/memory/1152-88-0x00007FF7DE210000-0x00007FF7DE602000-memory.dmp	upx
behavioral2/files/0x000700000002345a-92.dat	upx
behavioral2/files/0x000700000002345b-102.dat	upx
behavioral2/files/0x0007000000023464-151.dat	upx
behavioral2/files/0x000700000002346a-187.dat	upx
behavioral2/memory/4584-742-0x00007FF7604E0000-0x00007FF7608D2000-memory.dmp	upx
behavioral2/memory/764-758-0x00007FF6AAF60000-0x00007FF6AB352000-memory.dmp	upx
behavioral2/memory/2840-762-0x00007FF64A950000-0x00007FF64AD42000-memory.dmp	upx
behavioral2/memory/4952-779-0x00007FF7A7410000-0x00007FF7A7802000-memory.dmp	upx
behavioral2/memory/1792-784-0x00007FF7F0620000-0x00007FF7F0A12000-memory.dmp	upx
behavioral2/memory/1172-761-0x00007FF714730000-0x00007FF714B22000-memory.dmp	upx
behavioral2/memory/2788-744-0x00007FF62ABE0000-0x00007FF62AFD2000-memory.dmp	upx
behavioral2/memory/4552-749-0x00007FF690AB0000-0x00007FF690EA2000-memory.dmp	upx
behavioral2/files/0x000700000002346c-191.dat	upx
behavioral2/files/0x000700000002346b-186.dat	upx
behavioral2/files/0x0007000000023469-182.dat	upx
behavioral2/files/0x0007000000023468-177.dat	upx
behavioral2/files/0x0007000000023467-172.dat	upx
behavioral2/files/0x0007000000023466-167.dat	upx
behavioral2/files/0x0007000000023465-162.dat	upx
behavioral2/files/0x0007000000023463-152.dat	upx
behavioral2/files/0x0007000000023462-146.dat	upx
behavioral2/files/0x0007000000023461-142.dat	upx
behavioral2/files/0x0007000000023460-137.dat	upx
behavioral2/files/0x000700000002345f-132.dat	upx
behavioral2/files/0x000700000002345e-127.dat	upx
behavioral2/files/0x000700000002345d-121.dat	upx
behavioral2/files/0x000700000002345c-117.dat	upx
behavioral2/memory/2800-110-0x00007FF62D400000-0x00007FF62D7F2000-memory.dmp	upx
behavioral2/memory/4428-107-0x00007FF7F4170000-0x00007FF7F4562000-memory.dmp	upx
behavioral2/files/0x0008000000023457-105.dat	upx
behavioral2/memory/208-104-0x00007FF791090000-0x00007FF791482000-memory.dmp	upx
behavioral2/memory/1464-103-0x00007FF7DA160000-0x00007FF7DA552000-memory.dmp	upx
behavioral2/memory/3040-101-0x00007FF60CB90000-0x00007FF60CF82000-memory.dmp	upx
behavioral2/files/0x000800000002344b-97.dat	upx
behavioral2/memory/4196-96-0x00007FF780300000-0x00007FF7806F2000-memory.dmp	upx
behavioral2/memory/2608-91-0x00007FF798480000-0x00007FF798872000-memory.dmp	upx
behavioral2/memory/1136-90-0x00007FF7E55D0000-0x00007FF7E59C2000-memory.dmp	upx
behavioral2/files/0x0008000000023458-84.dat	upx
behavioral2/files/0x0007000000023459-77.dat	upx
behavioral2/memory/1004-75-0x00007FF69AF60000-0x00007FF69B352000-memory.dmp	upx
behavioral2/files/0x0007000000023456-72.dat	upx
behavioral2/memory/3220-71-0x00007FF6BD210000-0x00007FF6BD602000-memory.dmp	upx
behavioral2/files/0x0007000000023455-66.dat	upx
behavioral2/files/0x0007000000023450-26.dat	upx
behavioral2/files/0x000700000002344e-13.dat	upx
behavioral2/memory/2924-11-0x00007FF6D0000000-0x00007FF6D03F2000-memory.dmp	upx
behavioral2/memory/208-3231-0x00007FF791090000-0x00007FF791482000-memory.dmp	upx
behavioral2/memory/2800-3257-0x00007FF62D400000-0x00007FF62D7F2000-memory.dmp	upx
behavioral2/memory/2924-3261-0x00007FF6D0000000-0x00007FF6D03F2000-memory.dmp	upx
behavioral2/memory/3924-3263-0x00007FF77CB80000-0x00007FF77CF72000-memory.dmp	upx
behavioral2/memory/1152-3268-0x00007FF7DE210000-0x00007FF7DE602000-memory.dmp	upx
behavioral2/memory/3220-3273-0x00007FF6BD210000-0x00007FF6BD602000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\YSpAroE.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\MJLCMER.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\RwRXlCj.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\HCGktYB.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\jGnLgER.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\BgrAipg.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\scPJqUu.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\ZgBoNru.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\hjyxrpx.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\uSdCFJY.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\HlKVwZr.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\iHBsjHj.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\uHwZaoC.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\ubWxUno.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\ckYDCAI.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\VoFezkN.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\WqwaODU.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\MGeGLKW.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\SmhLniW.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\fFcpCbl.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\tWrRqHk.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\XmXmUTe.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\GCQzJdX.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\sakBMrx.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\UaMaxdn.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\QWJrdtD.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\PrdSggy.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\gYYGBWS.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\kbISqph.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\ykLVKYs.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\fnqrjhC.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\AtJinuA.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\xZzXgcM.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\ufnpGJW.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\nuSGral.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\tokQKtk.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\WYAhtFO.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\LrHSjDl.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\JBjlSUX.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\YMOjvIa.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\dwSgDVA.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\HkdlPqF.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\rwjZrII.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\bZZmgUz.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\pmtPxIB.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\ryZefcd.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\DjRtHBx.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\hhBXvAT.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\HbpQyBS.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\hetDiZd.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\zoWvBEH.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\CPkSjMp.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\hKnpzvH.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\rSKUGey.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\MnPwXha.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\DBkNZLU.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\nDzCRRG.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\pvJqLtO.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\cmidwTe.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\kvDawqx.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\CxJZlHe.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\hAgkITF.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\gMXcxLW.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
File created	C:\Windows\System\qgLkYnZ.exe	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFaultSecure.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFaultSecure.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFaultSecure.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5072	powershell.exe
5072	powershell.exe
13132	WerFaultSecure.exe
13132	WerFaultSecure.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
Token: SeDebugPrivilege	5072	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 5072	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	84
PID 3468 wrote to memory of 5072	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	84
PID 3468 wrote to memory of 2924	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	85
PID 3468 wrote to memory of 2924	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	85
PID 3468 wrote to memory of 3924	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	86
PID 3468 wrote to memory of 3924	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	86
PID 3468 wrote to memory of 1152	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	87
PID 3468 wrote to memory of 1152	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	87
PID 3468 wrote to memory of 4424	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	88
PID 3468 wrote to memory of 4424	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	88
PID 3468 wrote to memory of 820	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	89
PID 3468 wrote to memory of 820	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	89
PID 3468 wrote to memory of 1004	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	90
PID 3468 wrote to memory of 1004	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	90
PID 3468 wrote to memory of 3220	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	91
PID 3468 wrote to memory of 3220	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	91
PID 3468 wrote to memory of 1136	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	92
PID 3468 wrote to memory of 1136	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	92
PID 3468 wrote to memory of 1832	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	93
PID 3468 wrote to memory of 1832	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	93
PID 3468 wrote to memory of 2608	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	94
PID 3468 wrote to memory of 2608	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	94
PID 3468 wrote to memory of 4196	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	95
PID 3468 wrote to memory of 4196	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	95
PID 3468 wrote to memory of 3040	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	96
PID 3468 wrote to memory of 3040	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	96
PID 3468 wrote to memory of 1464	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	97
PID 3468 wrote to memory of 1464	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	97
PID 3468 wrote to memory of 208	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	98
PID 3468 wrote to memory of 208	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	98
PID 3468 wrote to memory of 4428	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	99
PID 3468 wrote to memory of 4428	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	99
PID 3468 wrote to memory of 2800	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	100
PID 3468 wrote to memory of 2800	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	100
PID 3468 wrote to memory of 4584	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	101
PID 3468 wrote to memory of 4584	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	101
PID 3468 wrote to memory of 2788	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	102
PID 3468 wrote to memory of 2788	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	102
PID 3468 wrote to memory of 4552	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	103
PID 3468 wrote to memory of 4552	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	103
PID 3468 wrote to memory of 764	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	104
PID 3468 wrote to memory of 764	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	104
PID 3468 wrote to memory of 1172	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	105
PID 3468 wrote to memory of 1172	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	105
PID 3468 wrote to memory of 2840	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	106
PID 3468 wrote to memory of 2840	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	106
PID 3468 wrote to memory of 4952	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	107
PID 3468 wrote to memory of 4952	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	107
PID 3468 wrote to memory of 1792	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	108
PID 3468 wrote to memory of 1792	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	108
PID 3468 wrote to memory of 588	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	109
PID 3468 wrote to memory of 588	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	109
PID 3468 wrote to memory of 3692	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	110
PID 3468 wrote to memory of 3692	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	110
PID 3468 wrote to memory of 4628	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	111
PID 3468 wrote to memory of 4628	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	111
PID 3468 wrote to memory of 4464	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	112
PID 3468 wrote to memory of 4464	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	112
PID 3468 wrote to memory of 1104	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	113
PID 3468 wrote to memory of 1104	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	113
PID 3468 wrote to memory of 5068	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	114
PID 3468 wrote to memory of 5068	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	114
PID 3468 wrote to memory of 4976	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	115
PID 3468 wrote to memory of 4976	3468	173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe	115

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv MHEO5vZm2UmGnTdzfTWSRg.0
1⤵
PID:1460
- C:\Windows\system32\WerFaultSecure.exe
  C:\Windows\system32\WerFaultSecure.exe -u -p 1460 -s 556
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:13132

C:\Users\Admin\AppData\Local\Temp\173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\173ad7bfeb28d820e88b2655bb8bb2868b01934449f3aba690c9fba41ba6e673_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5072" "2872" "1360" "2876" "0" "0" "2880" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12712
- C:\Windows\System\XOJfVBX.exe
  C:\Windows\System\XOJfVBX.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\wSTyMHK.exe
  C:\Windows\System\wSTyMHK.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\bkiRxtZ.exe
  C:\Windows\System\bkiRxtZ.exe
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Windows\System\SDfWyfy.exe
  C:\Windows\System\SDfWyfy.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\RkmjjyF.exe
  C:\Windows\System\RkmjjyF.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\GoTntIp.exe
  C:\Windows\System\GoTntIp.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\VrrknLS.exe
  C:\Windows\System\VrrknLS.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\yVdGqwU.exe
  C:\Windows\System\yVdGqwU.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\uAjorOB.exe
  C:\Windows\System\uAjorOB.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\hnVvPlt.exe
  C:\Windows\System\hnVvPlt.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\XKCbOxw.exe
  C:\Windows\System\XKCbOxw.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\pyDONoF.exe
  C:\Windows\System\pyDONoF.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\bMzIGBV.exe
  C:\Windows\System\bMzIGBV.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\ExXsBcN.exe
  C:\Windows\System\ExXsBcN.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\MOipUbU.exe
  C:\Windows\System\MOipUbU.exe
  2⤵
  - Executes dropped EXE
  PID:4428
- C:\Windows\System\dIgesud.exe
  C:\Windows\System\dIgesud.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\tOsEKRP.exe
  C:\Windows\System\tOsEKRP.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\WNzyKfo.exe
  C:\Windows\System\WNzyKfo.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\dLxUIyi.exe
  C:\Windows\System\dLxUIyi.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\mcgkOlZ.exe
  C:\Windows\System\mcgkOlZ.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\zRYauNC.exe
  C:\Windows\System\zRYauNC.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Windows\System\pwXxged.exe
  C:\Windows\System\pwXxged.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\FEOzFIG.exe
  C:\Windows\System\FEOzFIG.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\JMNmHhW.exe
  C:\Windows\System\JMNmHhW.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\LLtLXjI.exe
  C:\Windows\System\LLtLXjI.exe
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\System\aoDlinZ.exe
  C:\Windows\System\aoDlinZ.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\mTZFFRM.exe
  C:\Windows\System\mTZFFRM.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\Ionhijs.exe
  C:\Windows\System\Ionhijs.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\XgqfZJd.exe
  C:\Windows\System\XgqfZJd.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\aujtWmA.exe
  C:\Windows\System\aujtWmA.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\SChxFeX.exe
  C:\Windows\System\SChxFeX.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\MMwgYqh.exe
  C:\Windows\System\MMwgYqh.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\EPLopwk.exe
  C:\Windows\System\EPLopwk.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\bnnDYwx.exe
  C:\Windows\System\bnnDYwx.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\uhoAVTW.exe
  C:\Windows\System\uhoAVTW.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\RjxFpHL.exe
  C:\Windows\System\RjxFpHL.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\jqUQvkC.exe
  C:\Windows\System\jqUQvkC.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\System\LrHSjDl.exe
  C:\Windows\System\LrHSjDl.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\XMrPsjy.exe
  C:\Windows\System\XMrPsjy.exe
  2⤵
  - Executes dropped EXE
  PID:616
- C:\Windows\System\wPqIozc.exe
  C:\Windows\System\wPqIozc.exe
  2⤵
  - Executes dropped EXE
  PID:184
- C:\Windows\System\NzHxLdC.exe
  C:\Windows\System\NzHxLdC.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\QURYhrn.exe
  C:\Windows\System\QURYhrn.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\UMroArg.exe
  C:\Windows\System\UMroArg.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\PRarCwe.exe
  C:\Windows\System\PRarCwe.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\yOnyFkB.exe
  C:\Windows\System\yOnyFkB.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\poIVLdv.exe
  C:\Windows\System\poIVLdv.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\TjqyYZm.exe
  C:\Windows\System\TjqyYZm.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\urmFvOF.exe
  C:\Windows\System\urmFvOF.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\idZAXRf.exe
  C:\Windows\System\idZAXRf.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\jzVZqOF.exe
  C:\Windows\System\jzVZqOF.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\kIWfpyq.exe
  C:\Windows\System\kIWfpyq.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\rXhogAp.exe
  C:\Windows\System\rXhogAp.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\HfYqQmx.exe
  C:\Windows\System\HfYqQmx.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\sdhnTfn.exe
  C:\Windows\System\sdhnTfn.exe
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Windows\System\BhKQRgN.exe
  C:\Windows\System\BhKQRgN.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\UkUmzmD.exe
  C:\Windows\System\UkUmzmD.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\tkiofcp.exe
  C:\Windows\System\tkiofcp.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\eTzYSfz.exe
  C:\Windows\System\eTzYSfz.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\BrDMRaw.exe
  C:\Windows\System\BrDMRaw.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\twoykOK.exe
  C:\Windows\System\twoykOK.exe
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\Windows\System\IFAXwOO.exe
  C:\Windows\System\IFAXwOO.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\Pxzwucd.exe
  C:\Windows\System\Pxzwucd.exe
  2⤵
  - Executes dropped EXE
  PID:2084
- C:\Windows\System\OFcaCJS.exe
  C:\Windows\System\OFcaCJS.exe
  2⤵
  - Executes dropped EXE
  PID:3404
- C:\Windows\System\DzjLHGS.exe
  C:\Windows\System\DzjLHGS.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\OkAZGjL.exe
  C:\Windows\System\OkAZGjL.exe
  2⤵
  PID:1676
- C:\Windows\System\XoZVkSF.exe
  C:\Windows\System\XoZVkSF.exe
  2⤵
  PID:3820
- C:\Windows\System\eALdVqi.exe
  C:\Windows\System\eALdVqi.exe
  2⤵
  PID:436
- C:\Windows\System\roFVQzx.exe
  C:\Windows\System\roFVQzx.exe
  2⤵
  PID:4492
- C:\Windows\System\OUKgpbH.exe
  C:\Windows\System\OUKgpbH.exe
  2⤵
  PID:3796
- C:\Windows\System\cfxdWfn.exe
  C:\Windows\System\cfxdWfn.exe
  2⤵
  PID:4568
- C:\Windows\System\nApNBef.exe
  C:\Windows\System\nApNBef.exe
  2⤵
  PID:5136
- C:\Windows\System\okvTrJN.exe
  C:\Windows\System\okvTrJN.exe
  2⤵
  PID:5168
- C:\Windows\System\gPqmchI.exe
  C:\Windows\System\gPqmchI.exe
  2⤵
  PID:5196
- C:\Windows\System\oHXhUuG.exe
  C:\Windows\System\oHXhUuG.exe
  2⤵
  PID:5224
- C:\Windows\System\aVZgkaT.exe
  C:\Windows\System\aVZgkaT.exe
  2⤵
  PID:5252
- C:\Windows\System\ZTgXLbz.exe
  C:\Windows\System\ZTgXLbz.exe
  2⤵
  PID:5280
- C:\Windows\System\fClooUo.exe
  C:\Windows\System\fClooUo.exe
  2⤵
  PID:5308
- C:\Windows\System\tUgWGol.exe
  C:\Windows\System\tUgWGol.exe
  2⤵
  PID:5336
- C:\Windows\System\PeaWWqa.exe
  C:\Windows\System\PeaWWqa.exe
  2⤵
  PID:5360
- C:\Windows\System\BAeOrYC.exe
  C:\Windows\System\BAeOrYC.exe
  2⤵
  PID:5392
- C:\Windows\System\QWmGEcS.exe
  C:\Windows\System\QWmGEcS.exe
  2⤵
  PID:5420
- C:\Windows\System\rUzabAs.exe
  C:\Windows\System\rUzabAs.exe
  2⤵
  PID:5444
- C:\Windows\System\FXOPHDn.exe
  C:\Windows\System\FXOPHDn.exe
  2⤵
  PID:5472
- C:\Windows\System\RdUOUhQ.exe
  C:\Windows\System\RdUOUhQ.exe
  2⤵
  PID:5504
- C:\Windows\System\tqCDPTg.exe
  C:\Windows\System\tqCDPTg.exe
  2⤵
  PID:5532
- C:\Windows\System\zExoSXx.exe
  C:\Windows\System\zExoSXx.exe
  2⤵
  PID:5556
- C:\Windows\System\obiOvhK.exe
  C:\Windows\System\obiOvhK.exe
  2⤵
  PID:5588
- C:\Windows\System\VhMtLEk.exe
  C:\Windows\System\VhMtLEk.exe
  2⤵
  PID:5620
- C:\Windows\System\udcPfFa.exe
  C:\Windows\System\udcPfFa.exe
  2⤵
  PID:5644
- C:\Windows\System\VWYOtzU.exe
  C:\Windows\System\VWYOtzU.exe
  2⤵
  PID:5668
- C:\Windows\System\FNEUNxF.exe
  C:\Windows\System\FNEUNxF.exe
  2⤵
  PID:5700
- C:\Windows\System\pfpAvSJ.exe
  C:\Windows\System\pfpAvSJ.exe
  2⤵
  PID:5724
- C:\Windows\System\BZuZgPl.exe
  C:\Windows\System\BZuZgPl.exe
  2⤵
  PID:5752
- C:\Windows\System\bAlhqJv.exe
  C:\Windows\System\bAlhqJv.exe
  2⤵
  PID:5788
- C:\Windows\System\FICaECT.exe
  C:\Windows\System\FICaECT.exe
  2⤵
  PID:5812
- C:\Windows\System\uarBTmq.exe
  C:\Windows\System\uarBTmq.exe
  2⤵
  PID:5840
- C:\Windows\System\cNQFfbX.exe
  C:\Windows\System\cNQFfbX.exe
  2⤵
  PID:5868
- C:\Windows\System\YKYqfWk.exe
  C:\Windows\System\YKYqfWk.exe
  2⤵
  PID:5892
- C:\Windows\System\DPjNBeT.exe
  C:\Windows\System\DPjNBeT.exe
  2⤵
  PID:5920
- C:\Windows\System\biQMkpZ.exe
  C:\Windows\System\biQMkpZ.exe
  2⤵
  PID:5948
- C:\Windows\System\gKxLOSq.exe
  C:\Windows\System\gKxLOSq.exe
  2⤵
  PID:5980
- C:\Windows\System\XvTQecm.exe
  C:\Windows\System\XvTQecm.exe
  2⤵
  PID:6004
- C:\Windows\System\YPSKrRA.exe
  C:\Windows\System\YPSKrRA.exe
  2⤵
  PID:6032
- C:\Windows\System\gwOZfjY.exe
  C:\Windows\System\gwOZfjY.exe
  2⤵
  PID:6060
- C:\Windows\System\nlFpMcN.exe
  C:\Windows\System\nlFpMcN.exe
  2⤵
  PID:6088
- C:\Windows\System\fHHEIci.exe
  C:\Windows\System\fHHEIci.exe
  2⤵
  PID:6116
- C:\Windows\System\AXvjfdB.exe
  C:\Windows\System\AXvjfdB.exe
  2⤵
  PID:1092
- C:\Windows\System\WlPSQvc.exe
  C:\Windows\System\WlPSQvc.exe
  2⤵
  PID:2820
- C:\Windows\System\QCsHPKf.exe
  C:\Windows\System\QCsHPKf.exe
  2⤵
  PID:4972
- C:\Windows\System\oGgYnos.exe
  C:\Windows\System\oGgYnos.exe
  2⤵
  PID:3156
- C:\Windows\System\MAwTvlJ.exe
  C:\Windows\System\MAwTvlJ.exe
  2⤵
  PID:4040
- C:\Windows\System\KTEbghA.exe
  C:\Windows\System\KTEbghA.exe
  2⤵
  PID:844
- C:\Windows\System\uddJEKM.exe
  C:\Windows\System\uddJEKM.exe
  2⤵
  PID:5160
- C:\Windows\System\yQFJpel.exe
  C:\Windows\System\yQFJpel.exe
  2⤵
  PID:5236
- C:\Windows\System\JJuqHnq.exe
  C:\Windows\System\JJuqHnq.exe
  2⤵
  PID:5292
- C:\Windows\System\zlPBICr.exe
  C:\Windows\System\zlPBICr.exe
  2⤵
  PID:5356
- C:\Windows\System\xbepblU.exe
  C:\Windows\System\xbepblU.exe
  2⤵
  PID:5412
- C:\Windows\System\ietqYaa.exe
  C:\Windows\System\ietqYaa.exe
  2⤵
  PID:5488
- C:\Windows\System\qvuxfFF.exe
  C:\Windows\System\qvuxfFF.exe
  2⤵
  PID:5548
- C:\Windows\System\SLOoHsM.exe
  C:\Windows\System\SLOoHsM.exe
  2⤵
  PID:5628
- C:\Windows\System\zFBFLKL.exe
  C:\Windows\System\zFBFLKL.exe
  2⤵
  PID:5684
- C:\Windows\System\kFgOiUU.exe
  C:\Windows\System\kFgOiUU.exe
  2⤵
  PID:5744
- C:\Windows\System\Qxulqub.exe
  C:\Windows\System\Qxulqub.exe
  2⤵
  PID:5796
- C:\Windows\System\QiOvRgL.exe
  C:\Windows\System\QiOvRgL.exe
  2⤵
  PID:5832
- C:\Windows\System\QTrtCTR.exe
  C:\Windows\System\QTrtCTR.exe
  2⤵
  PID:5912
- C:\Windows\System\QWsxtKx.exe
  C:\Windows\System\QWsxtKx.exe
  2⤵
  PID:5972
- C:\Windows\System\CTGTDnU.exe
  C:\Windows\System\CTGTDnU.exe
  2⤵
  PID:6028
- C:\Windows\System\UIHZTOQ.exe
  C:\Windows\System\UIHZTOQ.exe
  2⤵
  PID:6104
- C:\Windows\System\nXCNOsg.exe
  C:\Windows\System\nXCNOsg.exe
  2⤵
  PID:4656
- C:\Windows\System\ahJUlGP.exe
  C:\Windows\System\ahJUlGP.exe
  2⤵
  PID:916
- C:\Windows\System\WfxVgwr.exe
  C:\Windows\System\WfxVgwr.exe
  2⤵
  PID:1500
- C:\Windows\System\esyHufJ.exe
  C:\Windows\System\esyHufJ.exe
  2⤵
  PID:5212
- C:\Windows\System\zrwxthk.exe
  C:\Windows\System\zrwxthk.exe
  2⤵
  PID:5384
- C:\Windows\System\krXyvmK.exe
  C:\Windows\System\krXyvmK.exe
  2⤵
  PID:5468
- C:\Windows\System\PmbCcAZ.exe
  C:\Windows\System\PmbCcAZ.exe
  2⤵
  PID:584
- C:\Windows\System\qHFBVfF.exe
  C:\Windows\System\qHFBVfF.exe
  2⤵
  PID:5780
- C:\Windows\System\ZcMkpcM.exe
  C:\Windows\System\ZcMkpcM.exe
  2⤵
  PID:1888
- C:\Windows\System\AKxwUor.exe
  C:\Windows\System\AKxwUor.exe
  2⤵
  PID:6024
- C:\Windows\System\eYlBIoK.exe
  C:\Windows\System\eYlBIoK.exe
  2⤵
  PID:6152
- C:\Windows\System\IRwkNyp.exe
  C:\Windows\System\IRwkNyp.exe
  2⤵
  PID:6180
- C:\Windows\System\LkwWpRK.exe
  C:\Windows\System\LkwWpRK.exe
  2⤵
  PID:6208
- C:\Windows\System\opgzjLu.exe
  C:\Windows\System\opgzjLu.exe
  2⤵
  PID:6232
- C:\Windows\System\VoalPYE.exe
  C:\Windows\System\VoalPYE.exe
  2⤵
  PID:6260
- C:\Windows\System\BoNedwC.exe
  C:\Windows\System\BoNedwC.exe
  2⤵
  PID:6292
- C:\Windows\System\MvAeTrZ.exe
  C:\Windows\System\MvAeTrZ.exe
  2⤵
  PID:6320
- C:\Windows\System\EvtOpXT.exe
  C:\Windows\System\EvtOpXT.exe
  2⤵
  PID:6348
- C:\Windows\System\NKMPwur.exe
  C:\Windows\System\NKMPwur.exe
  2⤵
  PID:6372
- C:\Windows\System\Sonqiht.exe
  C:\Windows\System\Sonqiht.exe
  2⤵
  PID:6400
- C:\Windows\System\PXVgDPd.exe
  C:\Windows\System\PXVgDPd.exe
  2⤵
  PID:6432
- C:\Windows\System\jiChtQP.exe
  C:\Windows\System\jiChtQP.exe
  2⤵
  PID:6460
- C:\Windows\System\soJNkTv.exe
  C:\Windows\System\soJNkTv.exe
  2⤵
  PID:6488
- C:\Windows\System\RCBYKBh.exe
  C:\Windows\System\RCBYKBh.exe
  2⤵
  PID:6512
- C:\Windows\System\XQbCzHZ.exe
  C:\Windows\System\XQbCzHZ.exe
  2⤵
  PID:6544
- C:\Windows\System\vIlOWFj.exe
  C:\Windows\System\vIlOWFj.exe
  2⤵
  PID:6572
- C:\Windows\System\AbrYruG.exe
  C:\Windows\System\AbrYruG.exe
  2⤵
  PID:6600
- C:\Windows\System\sbGGEUj.exe
  C:\Windows\System\sbGGEUj.exe
  2⤵
  PID:6628
- C:\Windows\System\DoQQtur.exe
  C:\Windows\System\DoQQtur.exe
  2⤵
  PID:6652
- C:\Windows\System\Osyshvj.exe
  C:\Windows\System\Osyshvj.exe
  2⤵
  PID:6684
- C:\Windows\System\OXpHkmj.exe
  C:\Windows\System\OXpHkmj.exe
  2⤵
  PID:6708
- C:\Windows\System\rzjptXG.exe
  C:\Windows\System\rzjptXG.exe
  2⤵
  PID:6736
- C:\Windows\System\WaEQiun.exe
  C:\Windows\System\WaEQiun.exe
  2⤵
  PID:6764
- C:\Windows\System\pNCywVu.exe
  C:\Windows\System\pNCywVu.exe
  2⤵
  PID:6796
- C:\Windows\System\hwAuHwM.exe
  C:\Windows\System\hwAuHwM.exe
  2⤵
  PID:6824
- C:\Windows\System\IKHpcyj.exe
  C:\Windows\System\IKHpcyj.exe
  2⤵
  PID:6852
- C:\Windows\System\BhvrnVR.exe
  C:\Windows\System\BhvrnVR.exe
  2⤵
  PID:6876
- C:\Windows\System\MEasZln.exe
  C:\Windows\System\MEasZln.exe
  2⤵
  PID:6904
- C:\Windows\System\gMXcxLW.exe
  C:\Windows\System\gMXcxLW.exe
  2⤵
  PID:6936
- C:\Windows\System\UdkPEQQ.exe
  C:\Windows\System\UdkPEQQ.exe
  2⤵
  PID:6976
- C:\Windows\System\ScGDRaG.exe
  C:\Windows\System\ScGDRaG.exe
  2⤵
  PID:7000
- C:\Windows\System\jOedVrI.exe
  C:\Windows\System\jOedVrI.exe
  2⤵
  PID:7028
- C:\Windows\System\wBETMjS.exe
  C:\Windows\System\wBETMjS.exe
  2⤵
  PID:7052
- C:\Windows\System\zmToSdT.exe
  C:\Windows\System\zmToSdT.exe
  2⤵
  PID:7080
- C:\Windows\System\XWtkWiR.exe
  C:\Windows\System\XWtkWiR.exe
  2⤵
  PID:7112
- C:\Windows\System\uuMTIAd.exe
  C:\Windows\System\uuMTIAd.exe
  2⤵
  PID:7136
- C:\Windows\System\bKFunRf.exe
  C:\Windows\System\bKFunRf.exe
  2⤵
  PID:7164
- C:\Windows\System\XTUyrql.exe
  C:\Windows\System\XTUyrql.exe
  2⤵
  PID:4496
- C:\Windows\System\rzsZobK.exe
  C:\Windows\System\rzsZobK.exe
  2⤵
  PID:5188
- C:\Windows\System\ZRNKSPM.exe
  C:\Windows\System\ZRNKSPM.exe
  2⤵
  PID:5464
- C:\Windows\System\LuXGTMZ.exe
  C:\Windows\System\LuXGTMZ.exe
  2⤵
  PID:2656
- C:\Windows\System\dNTtQzW.exe
  C:\Windows\System\dNTtQzW.exe
  2⤵
  PID:6084
- C:\Windows\System\vAeZEOf.exe
  C:\Windows\System\vAeZEOf.exe
  2⤵
  PID:6200
- C:\Windows\System\PlcflJe.exe
  C:\Windows\System\PlcflJe.exe
  2⤵
  PID:6276
- C:\Windows\System\yWgpgCH.exe
  C:\Windows\System\yWgpgCH.exe
  2⤵
  PID:6316
- C:\Windows\System\damDVcR.exe
  C:\Windows\System\damDVcR.exe
  2⤵
  PID:6392
- C:\Windows\System\zDfZfgL.exe
  C:\Windows\System\zDfZfgL.exe
  2⤵
  PID:6448
- C:\Windows\System\LnqxFqk.exe
  C:\Windows\System\LnqxFqk.exe
  2⤵
  PID:6528
- C:\Windows\System\jGnLgER.exe
  C:\Windows\System\jGnLgER.exe
  2⤵
  PID:6564
- C:\Windows\System\CmLaeBN.exe
  C:\Windows\System\CmLaeBN.exe
  2⤵
  PID:4396
- C:\Windows\System\BgrAipg.exe
  C:\Windows\System\BgrAipg.exe
  2⤵
  PID:6676
- C:\Windows\System\aMhVlkK.exe
  C:\Windows\System\aMhVlkK.exe
  2⤵
  PID:6752
- C:\Windows\System\UrrWtJI.exe
  C:\Windows\System\UrrWtJI.exe
  2⤵
  PID:6812
- C:\Windows\System\KBUEZMW.exe
  C:\Windows\System\KBUEZMW.exe
  2⤵
  PID:2496
- C:\Windows\System\CMcrPVa.exe
  C:\Windows\System\CMcrPVa.exe
  2⤵
  PID:6924
- C:\Windows\System\xWlodRt.exe
  C:\Windows\System\xWlodRt.exe
  2⤵
  PID:6992
- C:\Windows\System\dKsWVpo.exe
  C:\Windows\System\dKsWVpo.exe
  2⤵
  PID:7040
- C:\Windows\System\ElrnEWD.exe
  C:\Windows\System\ElrnEWD.exe
  2⤵
  PID:7096
- C:\Windows\System\EbfPfOR.exe
  C:\Windows\System\EbfPfOR.exe
  2⤵
  PID:7132
- C:\Windows\System\PiHxUVC.exe
  C:\Windows\System\PiHxUVC.exe
  2⤵
  PID:1668
- C:\Windows\System\NqtJTSv.exe
  C:\Windows\System\NqtJTSv.exe
  2⤵
  PID:5716
- C:\Windows\System\pmtPxIB.exe
  C:\Windows\System\pmtPxIB.exe
  2⤵
  PID:2744
- C:\Windows\System\LGZrjiS.exe
  C:\Windows\System\LGZrjiS.exe
  2⤵
  PID:3140
- C:\Windows\System\vFwzWEK.exe
  C:\Windows\System\vFwzWEK.exe
  2⤵
  PID:4696
- C:\Windows\System\WzPvDbE.exe
  C:\Windows\System\WzPvDbE.exe
  2⤵
  PID:6444
- C:\Windows\System\MiYfbFl.exe
  C:\Windows\System\MiYfbFl.exe
  2⤵
  PID:6556
- C:\Windows\System\DpYAzEP.exe
  C:\Windows\System\DpYAzEP.exe
  2⤵
  PID:6960
- C:\Windows\System\UszrXmM.exe
  C:\Windows\System\UszrXmM.exe
  2⤵
  PID:7016
- C:\Windows\System\lTIsVlA.exe
  C:\Windows\System\lTIsVlA.exe
  2⤵
  PID:3224
- C:\Windows\System\acNjNyB.exe
  C:\Windows\System\acNjNyB.exe
  2⤵
  PID:7072
- C:\Windows\System\zZVmpGO.exe
  C:\Windows\System\zZVmpGO.exe
  2⤵
  PID:7128
- C:\Windows\System\paALRnO.exe
  C:\Windows\System\paALRnO.exe
  2⤵
  PID:6252
- C:\Windows\System\kJwYoCq.exe
  C:\Windows\System\kJwYoCq.exe
  2⤵
  PID:2724
- C:\Windows\System\poFdEse.exe
  C:\Windows\System\poFdEse.exe
  2⤵
  PID:4100
- C:\Windows\System\pfBzJcl.exe
  C:\Windows\System\pfBzJcl.exe
  2⤵
  PID:5080
- C:\Windows\System\UeGhwRF.exe
  C:\Windows\System\UeGhwRF.exe
  2⤵
  PID:1884
- C:\Windows\System\LyDWuLp.exe
  C:\Windows\System\LyDWuLp.exe
  2⤵
  PID:4832
- C:\Windows\System\xDvnzbl.exe
  C:\Windows\System\xDvnzbl.exe
  2⤵
  PID:6840
- C:\Windows\System\ipsnYwe.exe
  C:\Windows\System\ipsnYwe.exe
  2⤵
  PID:3452
- C:\Windows\System\CCQMeck.exe
  C:\Windows\System\CCQMeck.exe
  2⤵
  PID:3980
- C:\Windows\System\vIgUzlR.exe
  C:\Windows\System\vIgUzlR.exe
  2⤵
  PID:7188
- C:\Windows\System\JOnHWxe.exe
  C:\Windows\System\JOnHWxe.exe
  2⤵
  PID:7252
- C:\Windows\System\lomTEbh.exe
  C:\Windows\System\lomTEbh.exe
  2⤵
  PID:7292
- C:\Windows\System\gRqtRBl.exe
  C:\Windows\System\gRqtRBl.exe
  2⤵
  PID:7308
- C:\Windows\System\JrLWXJt.exe
  C:\Windows\System\JrLWXJt.exe
  2⤵
  PID:7332
- C:\Windows\System\FQdHYuI.exe
  C:\Windows\System\FQdHYuI.exe
  2⤵
  PID:7348
- C:\Windows\System\GTSmhoP.exe
  C:\Windows\System\GTSmhoP.exe
  2⤵
  PID:7368
- C:\Windows\System\FAdyyqX.exe
  C:\Windows\System\FAdyyqX.exe
  2⤵
  PID:7392
- C:\Windows\System\LJhHvrX.exe
  C:\Windows\System\LJhHvrX.exe
  2⤵
  PID:7452
- C:\Windows\System\mYxRAnb.exe
  C:\Windows\System\mYxRAnb.exe
  2⤵
  PID:7468
- C:\Windows\System\WkeTKGj.exe
  C:\Windows\System\WkeTKGj.exe
  2⤵
  PID:7484
- C:\Windows\System\sXYXMFW.exe
  C:\Windows\System\sXYXMFW.exe
  2⤵
  PID:7548
- C:\Windows\System\lrQJAFx.exe
  C:\Windows\System\lrQJAFx.exe
  2⤵
  PID:7600
- C:\Windows\System\gReGEDP.exe
  C:\Windows\System\gReGEDP.exe
  2⤵
  PID:7620
- C:\Windows\System\oanIGkE.exe
  C:\Windows\System\oanIGkE.exe
  2⤵
  PID:7644
- C:\Windows\System\WJSCocF.exe
  C:\Windows\System\WJSCocF.exe
  2⤵
  PID:7688
- C:\Windows\System\UQWvwgB.exe
  C:\Windows\System\UQWvwgB.exe
  2⤵
  PID:7748
- C:\Windows\System\LxSssoz.exe
  C:\Windows\System\LxSssoz.exe
  2⤵
  PID:7772
- C:\Windows\System\BRUXIbF.exe
  C:\Windows\System\BRUXIbF.exe
  2⤵
  PID:7820
- C:\Windows\System\qPjoJzg.exe
  C:\Windows\System\qPjoJzg.exe
  2⤵
  PID:7836
- C:\Windows\System\MupHOkx.exe
  C:\Windows\System\MupHOkx.exe
  2⤵
  PID:7864
- C:\Windows\System\PrdSggy.exe
  C:\Windows\System\PrdSggy.exe
  2⤵
  PID:7932
- C:\Windows\System\bGDUFbt.exe
  C:\Windows\System\bGDUFbt.exe
  2⤵
  PID:7952
- C:\Windows\System\UmCjqqO.exe
  C:\Windows\System\UmCjqqO.exe
  2⤵
  PID:7976
- C:\Windows\System\lXoXCAY.exe
  C:\Windows\System\lXoXCAY.exe
  2⤵
  PID:8004
- C:\Windows\System\xKjEUYW.exe
  C:\Windows\System\xKjEUYW.exe
  2⤵
  PID:8032
- C:\Windows\System\hQSFGoR.exe
  C:\Windows\System\hQSFGoR.exe
  2⤵
  PID:8052
- C:\Windows\System\GyyqifT.exe
  C:\Windows\System\GyyqifT.exe
  2⤵
  PID:8100
- C:\Windows\System\oTNnKHN.exe
  C:\Windows\System\oTNnKHN.exe
  2⤵
  PID:8116
- C:\Windows\System\bQWLZVU.exe
  C:\Windows\System\bQWLZVU.exe
  2⤵
  PID:8140
- C:\Windows\System\aTgIQRI.exe
  C:\Windows\System\aTgIQRI.exe
  2⤵
  PID:8180
- C:\Windows\System\tgKlNSn.exe
  C:\Windows\System\tgKlNSn.exe
  2⤵
  PID:1488
- C:\Windows\System\KvICBMC.exe
  C:\Windows\System\KvICBMC.exe
  2⤵
  PID:4108
- C:\Windows\System\azGUDbh.exe
  C:\Windows\System\azGUDbh.exe
  2⤵
  PID:7216
- C:\Windows\System\VeccEJd.exe
  C:\Windows\System\VeccEJd.exe
  2⤵
  PID:2352
- C:\Windows\System\DsBDBKo.exe
  C:\Windows\System\DsBDBKo.exe
  2⤵
  PID:7180
- C:\Windows\System\hQTEXWU.exe
  C:\Windows\System\hQTEXWU.exe
  2⤵
  PID:7220
- C:\Windows\System\byOoKgS.exe
  C:\Windows\System\byOoKgS.exe
  2⤵
  PID:7432
- C:\Windows\System\wzUZXlm.exe
  C:\Windows\System\wzUZXlm.exe
  2⤵
  PID:7420
- C:\Windows\System\nrTsDwt.exe
  C:\Windows\System\nrTsDwt.exe
  2⤵
  PID:7384
- C:\Windows\System\lBgkouX.exe
  C:\Windows\System\lBgkouX.exe
  2⤵
  PID:7500
- C:\Windows\System\sMGuCJN.exe
  C:\Windows\System\sMGuCJN.exe
  2⤵
  PID:7608
- C:\Windows\System\RezGUfQ.exe
  C:\Windows\System\RezGUfQ.exe
  2⤵
  PID:7716
- C:\Windows\System\nlLoxHT.exe
  C:\Windows\System\nlLoxHT.exe
  2⤵
  PID:7696
- C:\Windows\System\GrxDSAz.exe
  C:\Windows\System\GrxDSAz.exe
  2⤵
  PID:7756
- C:\Windows\System\vweWwZb.exe
  C:\Windows\System\vweWwZb.exe
  2⤵
  PID:7856
- C:\Windows\System\UyFmsos.exe
  C:\Windows\System\UyFmsos.exe
  2⤵
  PID:7124
- C:\Windows\System\fPFvOGR.exe
  C:\Windows\System\fPFvOGR.exe
  2⤵
  PID:4692
- C:\Windows\System\fxZefYZ.exe
  C:\Windows\System\fxZefYZ.exe
  2⤵
  PID:4648
- C:\Windows\System\HzKVyHe.exe
  C:\Windows\System\HzKVyHe.exe
  2⤵
  PID:2052
- C:\Windows\System\sexagYz.exe
  C:\Windows\System\sexagYz.exe
  2⤵
  PID:7928
- C:\Windows\System\DoCJgBj.exe
  C:\Windows\System\DoCJgBj.exe
  2⤵
  PID:7964
- C:\Windows\System\Xwutrql.exe
  C:\Windows\System\Xwutrql.exe
  2⤵
  PID:8024
- C:\Windows\System\bAqNHBD.exe
  C:\Windows\System\bAqNHBD.exe
  2⤵
  PID:8088
- C:\Windows\System\whCfUUD.exe
  C:\Windows\System\whCfUUD.exe
  2⤵
  PID:8176
- C:\Windows\System\SJoZgNb.exe
  C:\Windows\System\SJoZgNb.exe
  2⤵
  PID:6360
- C:\Windows\System\AsoNRgY.exe
  C:\Windows\System\AsoNRgY.exe
  2⤵
  PID:6080
- C:\Windows\System\yCyDfTJ.exe
  C:\Windows\System\yCyDfTJ.exe
  2⤵
  PID:4740
- C:\Windows\System\vaOpEjt.exe
  C:\Windows\System\vaOpEjt.exe
  2⤵
  PID:7540
- C:\Windows\System\VnOQgoF.exe
  C:\Windows\System\VnOQgoF.exe
  2⤵
  PID:7664
- C:\Windows\System\UyIVgkQ.exe
  C:\Windows\System\UyIVgkQ.exe
  2⤵
  PID:6844
- C:\Windows\System\ifqDSIw.exe
  C:\Windows\System\ifqDSIw.exe
  2⤵
  PID:3680
- C:\Windows\System\vkZjMdn.exe
  C:\Windows\System\vkZjMdn.exe
  2⤵
  PID:8012
- C:\Windows\System\VLUqHNx.exe
  C:\Windows\System\VLUqHNx.exe
  2⤵
  PID:2620
- C:\Windows\System\CdCNQmk.exe
  C:\Windows\System\CdCNQmk.exe
  2⤵
  PID:1284
- C:\Windows\System\AOSqvuO.exe
  C:\Windows\System\AOSqvuO.exe
  2⤵
  PID:7672
- C:\Windows\System\AHyDauS.exe
  C:\Windows\System\AHyDauS.exe
  2⤵
  PID:7832
- C:\Windows\System\nMVZBzz.exe
  C:\Windows\System\nMVZBzz.exe
  2⤵
  PID:7972
- C:\Windows\System\rSFLzUs.exe
  C:\Windows\System\rSFLzUs.exe
  2⤵
  PID:8136
- C:\Windows\System\SovcuqK.exe
  C:\Windows\System\SovcuqK.exe
  2⤵
  PID:3328
- C:\Windows\System\ETArzDN.exe
  C:\Windows\System\ETArzDN.exe
  2⤵
  PID:7476
- C:\Windows\System\yXmTwoH.exe
  C:\Windows\System\yXmTwoH.exe
  2⤵
  PID:8212
- C:\Windows\System\VGwdJjm.exe
  C:\Windows\System\VGwdJjm.exe
  2⤵
  PID:8244
- C:\Windows\System\TIGjdAE.exe
  C:\Windows\System\TIGjdAE.exe
  2⤵
  PID:8300
- C:\Windows\System\DnDwIdA.exe
  C:\Windows\System\DnDwIdA.exe
  2⤵
  PID:8328
- C:\Windows\System\VwxgTNe.exe
  C:\Windows\System\VwxgTNe.exe
  2⤵
  PID:8348
- C:\Windows\System\sjEkjOC.exe
  C:\Windows\System\sjEkjOC.exe
  2⤵
  PID:8384
- C:\Windows\System\VBVdObB.exe
  C:\Windows\System\VBVdObB.exe
  2⤵
  PID:8404
- C:\Windows\System\sFSokeG.exe
  C:\Windows\System\sFSokeG.exe
  2⤵
  PID:8424
- C:\Windows\System\OrzsxWK.exe
  C:\Windows\System\OrzsxWK.exe
  2⤵
  PID:8452
- C:\Windows\System\xZxUVaQ.exe
  C:\Windows\System\xZxUVaQ.exe
  2⤵
  PID:8472
- C:\Windows\System\hZUzzGh.exe
  C:\Windows\System\hZUzzGh.exe
  2⤵
  PID:8528
- C:\Windows\System\wAwCoeh.exe
  C:\Windows\System\wAwCoeh.exe
  2⤵
  PID:8580
- C:\Windows\System\YnlPKRA.exe
  C:\Windows\System\YnlPKRA.exe
  2⤵
  PID:8596
- C:\Windows\System\ecocuDs.exe
  C:\Windows\System\ecocuDs.exe
  2⤵
  PID:8644
- C:\Windows\System\oSWyTkZ.exe
  C:\Windows\System\oSWyTkZ.exe
  2⤵
  PID:8668
- C:\Windows\System\NXBBaHZ.exe
  C:\Windows\System\NXBBaHZ.exe
  2⤵
  PID:8688
- C:\Windows\System\HWhdvHa.exe
  C:\Windows\System\HWhdvHa.exe
  2⤵
  PID:8704
- C:\Windows\System\PosUqxm.exe
  C:\Windows\System\PosUqxm.exe
  2⤵
  PID:8748
- C:\Windows\System\HlKVwZr.exe
  C:\Windows\System\HlKVwZr.exe
  2⤵
  PID:8776
- C:\Windows\System\QTwPrUB.exe
  C:\Windows\System\QTwPrUB.exe
  2⤵
  PID:8792
- C:\Windows\System\DAfgApt.exe
  C:\Windows\System\DAfgApt.exe
  2⤵
  PID:8820
- C:\Windows\System\cmqsYvt.exe
  C:\Windows\System\cmqsYvt.exe
  2⤵
  PID:8848
- C:\Windows\System\yeIUbwX.exe
  C:\Windows\System\yeIUbwX.exe
  2⤵
  PID:8868
- C:\Windows\System\iYsBgWy.exe
  C:\Windows\System\iYsBgWy.exe
  2⤵
  PID:8888
- C:\Windows\System\IVGhocx.exe
  C:\Windows\System\IVGhocx.exe
  2⤵
  PID:8908
- C:\Windows\System\xweJsOL.exe
  C:\Windows\System\xweJsOL.exe
  2⤵
  PID:8928
- C:\Windows\System\dyBRZYa.exe
  C:\Windows\System\dyBRZYa.exe
  2⤵
  PID:8948
- C:\Windows\System\SmGkhWd.exe
  C:\Windows\System\SmGkhWd.exe
  2⤵
  PID:9008
- C:\Windows\System\xSzFxMv.exe
  C:\Windows\System\xSzFxMv.exe
  2⤵
  PID:9060
- C:\Windows\System\HveZRLu.exe
  C:\Windows\System\HveZRLu.exe
  2⤵
  PID:9076
- C:\Windows\System\tqVsJZJ.exe
  C:\Windows\System\tqVsJZJ.exe
  2⤵
  PID:9100
- C:\Windows\System\bHMssdy.exe
  C:\Windows\System\bHMssdy.exe
  2⤵
  PID:9168
- C:\Windows\System\nHearZZ.exe
  C:\Windows\System\nHearZZ.exe
  2⤵
  PID:9188
- C:\Windows\System\JPCftaV.exe
  C:\Windows\System\JPCftaV.exe
  2⤵
  PID:9204
- C:\Windows\System\tYRgsgB.exe
  C:\Windows\System\tYRgsgB.exe
  2⤵
  PID:7264
- C:\Windows\System\mwQZuCL.exe
  C:\Windows\System\mwQZuCL.exe
  2⤵
  PID:7736
- C:\Windows\System\OnOUnYm.exe
  C:\Windows\System\OnOUnYm.exe
  2⤵
  PID:8268
- C:\Windows\System\cOUAJpE.exe
  C:\Windows\System\cOUAJpE.exe
  2⤵
  PID:8324
- C:\Windows\System\yKEuVBt.exe
  C:\Windows\System\yKEuVBt.exe
  2⤵
  PID:8376
- C:\Windows\System\vUQvyKj.exe
  C:\Windows\System\vUQvyKj.exe
  2⤵
  PID:8488
- C:\Windows\System\fZbnkFT.exe
  C:\Windows\System\fZbnkFT.exe
  2⤵
  PID:8464
- C:\Windows\System\vyZBaDJ.exe
  C:\Windows\System\vyZBaDJ.exe
  2⤵
  PID:8512
- C:\Windows\System\IeoZMtk.exe
  C:\Windows\System\IeoZMtk.exe
  2⤵
  PID:8676
- C:\Windows\System\oPopDKe.exe
  C:\Windows\System\oPopDKe.exe
  2⤵
  PID:8764
- C:\Windows\System\ZaTKlnP.exe
  C:\Windows\System\ZaTKlnP.exe
  2⤵
  PID:8800
- C:\Windows\System\rrrgsrr.exe
  C:\Windows\System\rrrgsrr.exe
  2⤵
  PID:8832
- C:\Windows\System\jzdDYeI.exe
  C:\Windows\System\jzdDYeI.exe
  2⤵
  PID:8944
- C:\Windows\System\vLhEvSq.exe
  C:\Windows\System\vLhEvSq.exe
  2⤵
  PID:8900
- C:\Windows\System\PPpjcpk.exe
  C:\Windows\System\PPpjcpk.exe
  2⤵
  PID:9016
- C:\Windows\System\YmimZYJ.exe
  C:\Windows\System\YmimZYJ.exe
  2⤵
  PID:9112
- C:\Windows\System\VqeotGZ.exe
  C:\Windows\System\VqeotGZ.exe
  2⤵
  PID:9160
- C:\Windows\System\CaYhSsb.exe
  C:\Windows\System\CaYhSsb.exe
  2⤵
  PID:8220
- C:\Windows\System\ryZefcd.exe
  C:\Windows\System\ryZefcd.exe
  2⤵
  PID:4816
- C:\Windows\System\rvofDMo.exe
  C:\Windows\System\rvofDMo.exe
  2⤵
  PID:8416
- C:\Windows\System\yvLEEdW.exe
  C:\Windows\System\yvLEEdW.exe
  2⤵
  PID:8548
- C:\Windows\System\TMRKtyS.exe
  C:\Windows\System\TMRKtyS.exe
  2⤵
  PID:8864
- C:\Windows\System\TQJYzUc.exe
  C:\Windows\System\TQJYzUc.exe
  2⤵
  PID:8860
- C:\Windows\System\aVlWhQK.exe
  C:\Windows\System\aVlWhQK.exe
  2⤵
  PID:8968
- C:\Windows\System\RsgMZPT.exe
  C:\Windows\System\RsgMZPT.exe
  2⤵
  PID:8072
- C:\Windows\System\CJqHhqi.exe
  C:\Windows\System\CJqHhqi.exe
  2⤵
  PID:9148
- C:\Windows\System\BAfvlcj.exe
  C:\Windows\System\BAfvlcj.exe
  2⤵
  PID:8236
- C:\Windows\System\GdizXnJ.exe
  C:\Windows\System\GdizXnJ.exe
  2⤵
  PID:8460
- C:\Windows\System\QQjjyRT.exe
  C:\Windows\System\QQjjyRT.exe
  2⤵
  PID:9092
- C:\Windows\System\dwuKeMJ.exe
  C:\Windows\System\dwuKeMJ.exe
  2⤵
  PID:9184
- C:\Windows\System\wRvQLgj.exe
  C:\Windows\System\wRvQLgj.exe
  2⤵
  PID:9224
- C:\Windows\System\nuUElxQ.exe
  C:\Windows\System\nuUElxQ.exe
  2⤵
  PID:9244
- C:\Windows\System\eBCslVC.exe
  C:\Windows\System\eBCslVC.exe
  2⤵
  PID:9272
- C:\Windows\System\hxJSrlo.exe
  C:\Windows\System\hxJSrlo.exe
  2⤵
  PID:9304
- C:\Windows\System\xyqAzlX.exe
  C:\Windows\System\xyqAzlX.exe
  2⤵
  PID:9320
- C:\Windows\System\qxiqLbX.exe
  C:\Windows\System\qxiqLbX.exe
  2⤵
  PID:9344
- C:\Windows\System\pdOpSZW.exe
  C:\Windows\System\pdOpSZW.exe
  2⤵
  PID:9364
- C:\Windows\System\iVRumQO.exe
  C:\Windows\System\iVRumQO.exe
  2⤵
  PID:9392
- C:\Windows\System\ehFrESJ.exe
  C:\Windows\System\ehFrESJ.exe
  2⤵
  PID:9412
- C:\Windows\System\lfRChFN.exe
  C:\Windows\System\lfRChFN.exe
  2⤵
  PID:9432
- C:\Windows\System\IbidyUv.exe
  C:\Windows\System\IbidyUv.exe
  2⤵
  PID:9460
- C:\Windows\System\KOttevM.exe
  C:\Windows\System\KOttevM.exe
  2⤵
  PID:9480
- C:\Windows\System\JzqxfjJ.exe
  C:\Windows\System\JzqxfjJ.exe
  2⤵
  PID:9528
- C:\Windows\System\MzfaqSN.exe
  C:\Windows\System\MzfaqSN.exe
  2⤵
  PID:9584
- C:\Windows\System\dZxatqc.exe
  C:\Windows\System\dZxatqc.exe
  2⤵
  PID:9612
- C:\Windows\System\tJehvze.exe
  C:\Windows\System\tJehvze.exe
  2⤵
  PID:9652
- C:\Windows\System\aqEAXKL.exe
  C:\Windows\System\aqEAXKL.exe
  2⤵
  PID:9672
- C:\Windows\System\ZsUelXy.exe
  C:\Windows\System\ZsUelXy.exe
  2⤵
  PID:9696
- C:\Windows\System\vBcExlS.exe
  C:\Windows\System\vBcExlS.exe
  2⤵
  PID:9712
- C:\Windows\System\aynJCOZ.exe
  C:\Windows\System\aynJCOZ.exe
  2⤵
  PID:9728
- C:\Windows\System\zbjxRmd.exe
  C:\Windows\System\zbjxRmd.exe
  2⤵
  PID:9748
- C:\Windows\System\aaerHfy.exe
  C:\Windows\System\aaerHfy.exe
  2⤵
  PID:9772
- C:\Windows\System\cAHxwId.exe
  C:\Windows\System\cAHxwId.exe
  2⤵
  PID:9800
- C:\Windows\System\FDMpxCu.exe
  C:\Windows\System\FDMpxCu.exe
  2⤵
  PID:9820
- C:\Windows\System\nOkiIAC.exe
  C:\Windows\System\nOkiIAC.exe
  2⤵
  PID:9864
- C:\Windows\System\QcKpxlm.exe
  C:\Windows\System\QcKpxlm.exe
  2⤵
  PID:9896
- C:\Windows\System\RfPkHYT.exe
  C:\Windows\System\RfPkHYT.exe
  2⤵
  PID:9924
- C:\Windows\System\GniEnxx.exe
  C:\Windows\System\GniEnxx.exe
  2⤵
  PID:9952
- C:\Windows\System\OttMBBP.exe
  C:\Windows\System\OttMBBP.exe
  2⤵
  PID:9976
- C:\Windows\System\sAwdHwZ.exe
  C:\Windows\System\sAwdHwZ.exe
  2⤵
  PID:10028
- C:\Windows\System\HuZdyUQ.exe
  C:\Windows\System\HuZdyUQ.exe
  2⤵
  PID:10052
- C:\Windows\System\ZlqrRFw.exe
  C:\Windows\System\ZlqrRFw.exe
  2⤵
  PID:10076
- C:\Windows\System\ivqbCAw.exe
  C:\Windows\System\ivqbCAw.exe
  2⤵
  PID:10104
- C:\Windows\System\GxcKozP.exe
  C:\Windows\System\GxcKozP.exe
  2⤵
  PID:10124
- C:\Windows\System\lSWJTCd.exe
  C:\Windows\System\lSWJTCd.exe
  2⤵
  PID:10168
- C:\Windows\System\oqChbfJ.exe
  C:\Windows\System\oqChbfJ.exe
  2⤵
  PID:10196
- C:\Windows\System\LmUYIqF.exe
  C:\Windows\System\LmUYIqF.exe
  2⤵
  PID:10236
- C:\Windows\System\xXPnoqS.exe
  C:\Windows\System\xXPnoqS.exe
  2⤵
  PID:9240
- C:\Windows\System\QnrasBN.exe
  C:\Windows\System\QnrasBN.exe
  2⤵
  PID:9292
- C:\Windows\System\AoiiLnE.exe
  C:\Windows\System\AoiiLnE.exe
  2⤵
  PID:9388
- C:\Windows\System\nWZYwSk.exe
  C:\Windows\System\nWZYwSk.exe
  2⤵
  PID:9440
- C:\Windows\System\TnaNKAU.exe
  C:\Windows\System\TnaNKAU.exe
  2⤵
  PID:9520
- C:\Windows\System\LLBcHOn.exe
  C:\Windows\System\LLBcHOn.exe
  2⤵
  PID:9640
- C:\Windows\System\VLThclt.exe
  C:\Windows\System\VLThclt.exe
  2⤵
  PID:9688
- C:\Windows\System\cOwNTZp.exe
  C:\Windows\System\cOwNTZp.exe
  2⤵
  PID:9744
- C:\Windows\System\tzXuCsW.exe
  C:\Windows\System\tzXuCsW.exe
  2⤵
  PID:9848
- C:\Windows\System\YhUfOsF.exe
  C:\Windows\System\YhUfOsF.exe
  2⤵
  PID:9828
- C:\Windows\System\sGrXCDu.exe
  C:\Windows\System\sGrXCDu.exe
  2⤵
  PID:9888
- C:\Windows\System\YtfyDir.exe
  C:\Windows\System\YtfyDir.exe
  2⤵
  PID:9972
- C:\Windows\System\lsZEiyR.exe
  C:\Windows\System\lsZEiyR.exe
  2⤵
  PID:10040
- C:\Windows\System\mXSrbEa.exe
  C:\Windows\System\mXSrbEa.exe
  2⤵
  PID:10092
- C:\Windows\System\UdcFyqJ.exe
  C:\Windows\System\UdcFyqJ.exe
  2⤵
  PID:10188
- C:\Windows\System\rjnqWXr.exe
  C:\Windows\System\rjnqWXr.exe
  2⤵
  PID:9232
- C:\Windows\System\kabINQe.exe
  C:\Windows\System\kabINQe.exe
  2⤵
  PID:9328
- C:\Windows\System\fqABnFw.exe
  C:\Windows\System\fqABnFw.exe
  2⤵
  PID:9500
- C:\Windows\System\UWIzxqK.exe
  C:\Windows\System\UWIzxqK.exe
  2⤵
  PID:9680
- C:\Windows\System\DQXoUkD.exe
  C:\Windows\System\DQXoUkD.exe
  2⤵
  PID:9784
- C:\Windows\System\NRJcXgT.exe
  C:\Windows\System\NRJcXgT.exe
  2⤵
  PID:9836
- C:\Windows\System\ETGhGPy.exe
  C:\Windows\System\ETGhGPy.exe
  2⤵
  PID:10148
- C:\Windows\System\dDoEXnC.exe
  C:\Windows\System\dDoEXnC.exe
  2⤵
  PID:9236
- C:\Windows\System\NOJYZBk.exe
  C:\Windows\System\NOJYZBk.exe
  2⤵
  PID:9452
- C:\Windows\System\IbGebqK.exe
  C:\Windows\System\IbGebqK.exe
  2⤵
  PID:9860
- C:\Windows\System\aXkywMv.exe
  C:\Windows\System\aXkywMv.exe
  2⤵
  PID:10100
- C:\Windows\System\zPaMVOV.exe
  C:\Windows\System\zPaMVOV.exe
  2⤵
  PID:10216
- C:\Windows\System\NiBagSN.exe
  C:\Windows\System\NiBagSN.exe
  2⤵
  PID:8256
- C:\Windows\System\pWFoPdZ.exe
  C:\Windows\System\pWFoPdZ.exe
  2⤵
  PID:10252
- C:\Windows\System\HbpQyBS.exe
  C:\Windows\System\HbpQyBS.exe
  2⤵
  PID:10272
- C:\Windows\System\CfrQpes.exe
  C:\Windows\System\CfrQpes.exe
  2⤵
  PID:10324
- C:\Windows\System\TSBbusZ.exe
  C:\Windows\System\TSBbusZ.exe
  2⤵
  PID:10360
- C:\Windows\System\FMYGCAO.exe
  C:\Windows\System\FMYGCAO.exe
  2⤵
  PID:10380
- C:\Windows\System\usfKzZq.exe
  C:\Windows\System\usfKzZq.exe
  2⤵
  PID:10396
- C:\Windows\System\SXDjXFs.exe
  C:\Windows\System\SXDjXFs.exe
  2⤵
  PID:10416
- C:\Windows\System\iWcrhoU.exe
  C:\Windows\System\iWcrhoU.exe
  2⤵
  PID:10456
- C:\Windows\System\uszgGfS.exe
  C:\Windows\System\uszgGfS.exe
  2⤵
  PID:10488
- C:\Windows\System\KXGtwFv.exe
  C:\Windows\System\KXGtwFv.exe
  2⤵
  PID:10536
- C:\Windows\System\NBnVuBW.exe
  C:\Windows\System\NBnVuBW.exe
  2⤵
  PID:10556
- C:\Windows\System\XGaukRn.exe
  C:\Windows\System\XGaukRn.exe
  2⤵
  PID:10592
- C:\Windows\System\zsZIKYK.exe
  C:\Windows\System\zsZIKYK.exe
  2⤵
  PID:10616
- C:\Windows\System\uHhoIRe.exe
  C:\Windows\System\uHhoIRe.exe
  2⤵
  PID:10644
- C:\Windows\System\jFGXgWp.exe
  C:\Windows\System\jFGXgWp.exe
  2⤵
  PID:10676
- C:\Windows\System\lSJHFqq.exe
  C:\Windows\System\lSJHFqq.exe
  2⤵
  PID:10708
- C:\Windows\System\PIxhhzG.exe
  C:\Windows\System\PIxhhzG.exe
  2⤵
  PID:10728
- C:\Windows\System\GgdzZhp.exe
  C:\Windows\System\GgdzZhp.exe
  2⤵
  PID:10764
- C:\Windows\System\FxTzXJl.exe
  C:\Windows\System\FxTzXJl.exe
  2⤵
  PID:10816
- C:\Windows\System\UNHojPt.exe
  C:\Windows\System\UNHojPt.exe
  2⤵
  PID:10844
- C:\Windows\System\WMQVpmU.exe
  C:\Windows\System\WMQVpmU.exe
  2⤵
  PID:10860
- C:\Windows\System\TVHiKaW.exe
  C:\Windows\System\TVHiKaW.exe
  2⤵
  PID:10884
- C:\Windows\System\hMTQGKq.exe
  C:\Windows\System\hMTQGKq.exe
  2⤵
  PID:10908
- C:\Windows\System\uWKcjpT.exe
  C:\Windows\System\uWKcjpT.exe
  2⤵
  PID:10944
- C:\Windows\System\goDVxRh.exe
  C:\Windows\System\goDVxRh.exe
  2⤵
  PID:10988
- C:\Windows\System\DBhmMkW.exe
  C:\Windows\System\DBhmMkW.exe
  2⤵
  PID:11008
- C:\Windows\System\HLGmQFg.exe
  C:\Windows\System\HLGmQFg.exe
  2⤵
  PID:11048
- C:\Windows\System\hKeTBOZ.exe
  C:\Windows\System\hKeTBOZ.exe
  2⤵
  PID:11064
- C:\Windows\System\LaCPJwl.exe
  C:\Windows\System\LaCPJwl.exe
  2⤵
  PID:11084
- C:\Windows\System\ZZbrpBa.exe
  C:\Windows\System\ZZbrpBa.exe
  2⤵
  PID:11112
- C:\Windows\System\QZgAqsP.exe
  C:\Windows\System\QZgAqsP.exe
  2⤵
  PID:11140
- C:\Windows\System\lyHaCdW.exe
  C:\Windows\System\lyHaCdW.exe
  2⤵
  PID:11160
- C:\Windows\System\eLkWVFk.exe
  C:\Windows\System\eLkWVFk.exe
  2⤵
  PID:11180
- C:\Windows\System\DdnLRAH.exe
  C:\Windows\System\DdnLRAH.exe
  2⤵
  PID:11220
- C:\Windows\System\dodeRWO.exe
  C:\Windows\System\dodeRWO.exe
  2⤵
  PID:2312
- C:\Windows\System\ZvNiOLi.exe
  C:\Windows\System\ZvNiOLi.exe
  2⤵
  PID:9428
- C:\Windows\System\whsYIWq.exe
  C:\Windows\System\whsYIWq.exe
  2⤵
  PID:10264
- C:\Windows\System\XAbLtAh.exe
  C:\Windows\System\XAbLtAh.exe
  2⤵
  PID:10352
- C:\Windows\System\zJMgFMq.exe
  C:\Windows\System\zJMgFMq.exe
  2⤵
  PID:10452
- C:\Windows\System\DUlqjhc.exe
  C:\Windows\System\DUlqjhc.exe
  2⤵
  PID:10508
- C:\Windows\System\gYYGBWS.exe
  C:\Windows\System\gYYGBWS.exe
  2⤵
  PID:10580
- C:\Windows\System\YmxlKnf.exe
  C:\Windows\System\YmxlKnf.exe
  2⤵
  PID:10612
- C:\Windows\System\GLAKPqi.exe
  C:\Windows\System\GLAKPqi.exe
  2⤵
  PID:10656
- C:\Windows\System\drMnsXz.exe
  C:\Windows\System\drMnsXz.exe
  2⤵
  PID:10752
- C:\Windows\System\VgbTZgC.exe
  C:\Windows\System\VgbTZgC.exe
  2⤵
  PID:10828
- C:\Windows\System\ZgpiDMk.exe
  C:\Windows\System\ZgpiDMk.exe
  2⤵
  PID:10856
- C:\Windows\System\vzxtVkL.exe
  C:\Windows\System\vzxtVkL.exe
  2⤵
  PID:10928
- C:\Windows\System\hiuisxy.exe
  C:\Windows\System\hiuisxy.exe
  2⤵
  PID:11000
- C:\Windows\System\hetDiZd.exe
  C:\Windows\System\hetDiZd.exe
  2⤵
  PID:11056
- C:\Windows\System\uqAIOqY.exe
  C:\Windows\System\uqAIOqY.exe
  2⤵
  PID:11104
- C:\Windows\System\DfYSpKt.exe
  C:\Windows\System\DfYSpKt.exe
  2⤵
  PID:11176
- C:\Windows\System\JRkYmKq.exe
  C:\Windows\System\JRkYmKq.exe
  2⤵
  PID:11256
- C:\Windows\System\TfRHzDg.exe
  C:\Windows\System\TfRHzDg.exe
  2⤵
  PID:10512
- C:\Windows\System\oBnblSM.exe
  C:\Windows\System\oBnblSM.exe
  2⤵
  PID:10628
- C:\Windows\System\IVXLSiz.exe
  C:\Windows\System\IVXLSiz.exe
  2⤵
  PID:10736
- C:\Windows\System\WsCbQuF.exe
  C:\Windows\System\WsCbQuF.exe
  2⤵
  PID:10868
- C:\Windows\System\RRabHlH.exe
  C:\Windows\System\RRabHlH.exe
  2⤵
  PID:11040
- C:\Windows\System\qgLkYnZ.exe
  C:\Windows\System\qgLkYnZ.exe
  2⤵
  PID:11204
- C:\Windows\System\MBTWGrQ.exe
  C:\Windows\System\MBTWGrQ.exe
  2⤵
  PID:11248
- C:\Windows\System\rSKUGey.exe
  C:\Windows\System\rSKUGey.exe
  2⤵
  PID:10524
- C:\Windows\System\YSpAroE.exe
  C:\Windows\System\YSpAroE.exe
  2⤵
  PID:10812
- C:\Windows\System\YDuiIer.exe
  C:\Windows\System\YDuiIer.exe
  2⤵
  PID:11124
- C:\Windows\System\ITVYIHq.exe
  C:\Windows\System\ITVYIHq.exe
  2⤵
  PID:11268
- C:\Windows\System\OoFZLFb.exe
  C:\Windows\System\OoFZLFb.exe
  2⤵
  PID:11308
- C:\Windows\System\klLcXrW.exe
  C:\Windows\System\klLcXrW.exe
  2⤵
  PID:11352
- C:\Windows\System\OEQOSsC.exe
  C:\Windows\System\OEQOSsC.exe
  2⤵
  PID:11372
- C:\Windows\System\chfvEai.exe
  C:\Windows\System\chfvEai.exe
  2⤵
  PID:11408
- C:\Windows\System\XUcYyeA.exe
  C:\Windows\System\XUcYyeA.exe
  2⤵
  PID:11432
- C:\Windows\System\PdmlJsu.exe
  C:\Windows\System\PdmlJsu.exe
  2⤵
  PID:11452
- C:\Windows\System\HnKjfuG.exe
  C:\Windows\System\HnKjfuG.exe
  2⤵
  PID:11488
- C:\Windows\System\UvYKdmK.exe
  C:\Windows\System\UvYKdmK.exe
  2⤵
  PID:11524
- C:\Windows\System\izBbVLh.exe
  C:\Windows\System\izBbVLh.exe
  2⤵
  PID:11548
- C:\Windows\System\KoBvOdy.exe
  C:\Windows\System\KoBvOdy.exe
  2⤵
  PID:11568
- C:\Windows\System\KkiwjSE.exe
  C:\Windows\System\KkiwjSE.exe
  2⤵
  PID:11588
- C:\Windows\System\YqKqUxT.exe
  C:\Windows\System\YqKqUxT.exe
  2⤵
  PID:11612
- C:\Windows\System\bCChify.exe
  C:\Windows\System\bCChify.exe
  2⤵
  PID:11648
- C:\Windows\System\MrdoCKV.exe
  C:\Windows\System\MrdoCKV.exe
  2⤵
  PID:11668
- C:\Windows\System\PaHSCqj.exe
  C:\Windows\System\PaHSCqj.exe
  2⤵
  PID:11700
- C:\Windows\System\nbRAlVJ.exe
  C:\Windows\System\nbRAlVJ.exe
  2⤵
  PID:11720
- C:\Windows\System\JdfzVgg.exe
  C:\Windows\System\JdfzVgg.exe
  2⤵
  PID:11736
- C:\Windows\System\WbvsMhJ.exe
  C:\Windows\System\WbvsMhJ.exe
  2⤵
  PID:11752
- C:\Windows\System\afVwedW.exe
  C:\Windows\System\afVwedW.exe
  2⤵
  PID:11816
- C:\Windows\System\LAEqnKX.exe
  C:\Windows\System\LAEqnKX.exe
  2⤵
  PID:11856
- C:\Windows\System\LUxKUsD.exe
  C:\Windows\System\LUxKUsD.exe
  2⤵
  PID:11884
- C:\Windows\System\YgGSDVv.exe
  C:\Windows\System\YgGSDVv.exe
  2⤵
  PID:11900
- C:\Windows\System\yGMBviy.exe
  C:\Windows\System\yGMBviy.exe
  2⤵
  PID:11920
- C:\Windows\System\YekJTiU.exe
  C:\Windows\System\YekJTiU.exe
  2⤵
  PID:11956
- C:\Windows\System\luiuYTG.exe
  C:\Windows\System\luiuYTG.exe
  2⤵
  PID:11976
- C:\Windows\System\skNCeke.exe
  C:\Windows\System\skNCeke.exe
  2⤵
  PID:12000
- C:\Windows\System\MgFfGcu.exe
  C:\Windows\System\MgFfGcu.exe
  2⤵
  PID:12016
- C:\Windows\System\MDfsfwm.exe
  C:\Windows\System\MDfsfwm.exe
  2⤵
  PID:12060
- C:\Windows\System\mQLoOKv.exe
  C:\Windows\System\mQLoOKv.exe
  2⤵
  PID:12080
- C:\Windows\System\niqYHYC.exe
  C:\Windows\System\niqYHYC.exe
  2⤵
  PID:12100
- C:\Windows\System\bcBxCry.exe
  C:\Windows\System\bcBxCry.exe
  2⤵
  PID:12144
- C:\Windows\System\aKFIsfH.exe
  C:\Windows\System\aKFIsfH.exe
  2⤵
  PID:12168
- C:\Windows\System\hmhxwHH.exe
  C:\Windows\System\hmhxwHH.exe
  2⤵
  PID:12212
- C:\Windows\System\ickKRNj.exe
  C:\Windows\System\ickKRNj.exe
  2⤵
  PID:12248
- C:\Windows\System\rbzFYei.exe
  C:\Windows\System\rbzFYei.exe
  2⤵
  PID:12272
- C:\Windows\System\PpCzeea.exe
  C:\Windows\System\PpCzeea.exe
  2⤵
  PID:10804
- C:\Windows\System\OhWmTvA.exe
  C:\Windows\System\OhWmTvA.exe
  2⤵
  PID:11288
- C:\Windows\System\IlFpHmK.exe
  C:\Windows\System\IlFpHmK.exe
  2⤵
  PID:11296
- C:\Windows\System\OppogsE.exe
  C:\Windows\System\OppogsE.exe
  2⤵
  PID:11512
- C:\Windows\System\MvwdjNY.exe
  C:\Windows\System\MvwdjNY.exe
  2⤵
  PID:11556
- C:\Windows\System\HoWcvFD.exe
  C:\Windows\System\HoWcvFD.exe
  2⤵
  PID:11632
- C:\Windows\System\chLHClU.exe
  C:\Windows\System\chLHClU.exe
  2⤵
  PID:11660
- C:\Windows\System\riMadEh.exe
  C:\Windows\System\riMadEh.exe
  2⤵
  PID:11708
- C:\Windows\System\rLiPFVn.exe
  C:\Windows\System\rLiPFVn.exe
  2⤵
  PID:11732
- C:\Windows\System\dyrElkT.exe
  C:\Windows\System\dyrElkT.exe
  2⤵
  PID:11784
- C:\Windows\System\TkFafwL.exe
  C:\Windows\System\TkFafwL.exe
  2⤵
  PID:11852
- C:\Windows\System\vFTCBWf.exe
  C:\Windows\System\vFTCBWf.exe
  2⤵
  PID:11968
- C:\Windows\System\caeVUFl.exe
  C:\Windows\System\caeVUFl.exe
  2⤵
  PID:12068
- C:\Windows\System\HjPeDqo.exe
  C:\Windows\System\HjPeDqo.exe
  2⤵
  PID:12180
- C:\Windows\System\hvqrcxj.exe
  C:\Windows\System\hvqrcxj.exe
  2⤵
  PID:12188
- C:\Windows\System\AviBNDv.exe
  C:\Windows\System\AviBNDv.exe
  2⤵
  PID:12240
- C:\Windows\System\yWKvJcN.exe
  C:\Windows\System\yWKvJcN.exe
  2⤵
  PID:9164
- C:\Windows\System\idMiyRm.exe
  C:\Windows\System\idMiyRm.exe
  2⤵
  PID:10684
- C:\Windows\System\xVXtyaE.exe
  C:\Windows\System\xVXtyaE.exe
  2⤵
  PID:11440
- C:\Windows\System\lYSGkMo.exe
  C:\Windows\System\lYSGkMo.exe
  2⤵
  PID:11520
- C:\Windows\System\OOwaLFd.exe
  C:\Windows\System\OOwaLFd.exe
  2⤵
  PID:11824
- C:\Windows\System\hYqgqly.exe
  C:\Windows\System\hYqgqly.exe
  2⤵
  PID:11872
- C:\Windows\System\IcRymYi.exe
  C:\Windows\System\IcRymYi.exe
  2⤵
  PID:12036
- C:\Windows\System\OCPeSne.exe
  C:\Windows\System\OCPeSne.exe
  2⤵
  PID:12120
- C:\Windows\System\vzvUYwp.exe
  C:\Windows\System\vzvUYwp.exe
  2⤵
  PID:12204
- C:\Windows\System\DTdaOit.exe
  C:\Windows\System\DTdaOit.exe
  2⤵
  PID:11484
- C:\Windows\System\mnbosBI.exe
  C:\Windows\System\mnbosBI.exe
  2⤵
  PID:11692
- C:\Windows\System\WpxruZl.exe
  C:\Windows\System\WpxruZl.exe
  2⤵
  PID:12280
- C:\Windows\System\LZsvkcR.exe
  C:\Windows\System\LZsvkcR.exe
  2⤵
  PID:1544
- C:\Windows\System\oQqolWP.exe
  C:\Windows\System\oQqolWP.exe
  2⤵
  PID:11848
- C:\Windows\System\mcvAuSR.exe
  C:\Windows\System\mcvAuSR.exe
  2⤵
  PID:12308
- C:\Windows\System\XuhrDEM.exe
  C:\Windows\System\XuhrDEM.exe
  2⤵
  PID:12324
- C:\Windows\System\CyEPijo.exe
  C:\Windows\System\CyEPijo.exe
  2⤵
  PID:12344
- C:\Windows\System\lbGoGJp.exe
  C:\Windows\System\lbGoGJp.exe
  2⤵
  PID:12372
- C:\Windows\System\zoWvBEH.exe
  C:\Windows\System\zoWvBEH.exe
  2⤵
  PID:12432
- C:\Windows\System\YWKUWJA.exe
  C:\Windows\System\YWKUWJA.exe
  2⤵
  PID:12464
- C:\Windows\System\gBYNjSJ.exe
  C:\Windows\System\gBYNjSJ.exe
  2⤵
  PID:12488
- C:\Windows\System\SIOXeAm.exe
  C:\Windows\System\SIOXeAm.exe
  2⤵
  PID:12528
- C:\Windows\System\vRJSkuZ.exe
  C:\Windows\System\vRJSkuZ.exe
  2⤵
  PID:12564
- C:\Windows\System\UnEaSeK.exe
  C:\Windows\System\UnEaSeK.exe
  2⤵
  PID:12584
- C:\Windows\System\fYDPUyP.exe
  C:\Windows\System\fYDPUyP.exe
  2⤵
  PID:12600
- C:\Windows\System\mUcbjgK.exe
  C:\Windows\System\mUcbjgK.exe
  2⤵
  PID:12620
- C:\Windows\System\fDRHPQB.exe
  C:\Windows\System\fDRHPQB.exe
  2⤵
  PID:12644
- C:\Windows\System\AbhENEz.exe
  C:\Windows\System\AbhENEz.exe
  2⤵
  PID:12664
- C:\Windows\System\ezPgCkZ.exe
  C:\Windows\System\ezPgCkZ.exe
  2⤵
  PID:12704
- C:\Windows\System\sgujjHd.exe
  C:\Windows\System\sgujjHd.exe
  2⤵
  PID:12724
- C:\Windows\System\oOvUtdr.exe
  C:\Windows\System\oOvUtdr.exe
  2⤵
  PID:12744
- C:\Windows\System\ZNwLGsw.exe
  C:\Windows\System\ZNwLGsw.exe
  2⤵
  PID:12772
- C:\Windows\System\COWiQsM.exe
  C:\Windows\System\COWiQsM.exe
  2⤵
  PID:12792
- C:\Windows\System\hYPneMZ.exe
  C:\Windows\System\hYPneMZ.exe
  2⤵
  PID:12816
- C:\Windows\System\JBjlSUX.exe
  C:\Windows\System\JBjlSUX.exe
  2⤵
  PID:12836
- C:\Windows\System\FeWLNwW.exe
  C:\Windows\System\FeWLNwW.exe
  2⤵
  PID:12868
- C:\Windows\System\FyttcBK.exe
  C:\Windows\System\FyttcBK.exe
  2⤵
  PID:12892
- C:\Windows\System\duzZrUN.exe
  C:\Windows\System\duzZrUN.exe
  2⤵
  PID:12912
- C:\Windows\System\nPnMGwT.exe
  C:\Windows\System\nPnMGwT.exe
  2⤵
  PID:12932
- C:\Windows\System\XSMekog.exe
  C:\Windows\System\XSMekog.exe
  2⤵
  PID:12948
- C:\Windows\System\xqqSIzL.exe
  C:\Windows\System\xqqSIzL.exe
  2⤵
  PID:12992
- C:\Windows\System\RoYbiBO.exe
  C:\Windows\System\RoYbiBO.exe
  2⤵
  PID:12944
- C:\Windows\System\ZjYuxli.exe
  C:\Windows\System\ZjYuxli.exe
  2⤵
  PID:12924
- C:\Windows\System\VpkFicc.exe
  C:\Windows\System\VpkFicc.exe
  2⤵
  PID:12908
- C:\Windows\System\rIcWloV.exe
  C:\Windows\System\rIcWloV.exe
  2⤵
  PID:13040
- C:\Windows\System\llTcTlP.exe
  C:\Windows\System\llTcTlP.exe
  2⤵
  PID:12980
- C:\Windows\System\HkzqWcl.exe
  C:\Windows\System\HkzqWcl.exe
  2⤵
  PID:13060
- C:\Windows\System\MGeGLKW.exe
  C:\Windows\System\MGeGLKW.exe
  2⤵
  PID:13104
- C:\Windows\System\gjsciwJ.exe
  C:\Windows\System\gjsciwJ.exe
  2⤵
  PID:13128
- C:\Windows\System\fnijpVA.exe
  C:\Windows\System\fnijpVA.exe
  2⤵
  PID:13108
- C:\Windows\System\FUUsuGs.exe
  C:\Windows\System\FUUsuGs.exe
  2⤵
  PID:13176
- C:\Windows\System\EgCImpB.exe
  C:\Windows\System\EgCImpB.exe
  2⤵
  PID:13204
- C:\Windows\System\ctVXcxw.exe
  C:\Windows\System\ctVXcxw.exe
  2⤵
  PID:13208
- C:\Windows\System\nTvWCyx.exe
  C:\Windows\System\nTvWCyx.exe
  2⤵
  PID:4704
- C:\Windows\System\NOweRMF.exe
  C:\Windows\System\NOweRMF.exe
  2⤵
  PID:2628
- C:\Windows\System\nuSGral.exe
  C:\Windows\System\nuSGral.exe
  2⤵
  PID:13252
- C:\Windows\System\EphxIcG.exe
  C:\Windows\System\EphxIcG.exe
  2⤵
  PID:3496
- C:\Windows\System\gTxvXQe.exe
  C:\Windows\System\gTxvXQe.exe
  2⤵
  PID:2648
- C:\Windows\System\GuhWXbJ.exe
  C:\Windows\System\GuhWXbJ.exe
  2⤵
  PID:13280
- C:\Windows\System\JigOzdq.exe
  C:\Windows\System\JigOzdq.exe
  2⤵
  PID:13296
- C:\Windows\System\PatGSAB.exe
  C:\Windows\System\PatGSAB.exe
  2⤵
  PID:12504
- C:\Windows\System\LQDmoXF.exe
  C:\Windows\System\LQDmoXF.exe
  2⤵
  PID:1280
- C:\Windows\System\MJzEDyG.exe
  C:\Windows\System\MJzEDyG.exe
  2⤵
  PID:12560

C:\Windows\system32\WerFaultSecure.exe
"C:\Windows\system32\WerFaultSecure.exe" -protectedcrash -p 1460 -i 1460 -h 452 -j 472 -s 476 -d 12832
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:12940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmf3wgtj.ja0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\EPLopwk.exe

Filesize
2.0MB

MD5
5e3d3187f3c7e24f62610706b7b83f6f

SHA1
f5c2976fd9e4cee6152653925820602cf6df3262

SHA256
8747f2715ee6a139b86eef249b07752bba996928b441e434abf165ff24f72d60

SHA512
b29a6b814d49935f48f904dd6f221e46bf5e3e928dd1c28a86a08a0ce53956695377ab295899c2c68355e454c70a16d43e2df73359037a8fe35176fc7508b6e9

Download Submit
C:\Windows\System\ExXsBcN.exe

Filesize
2.0MB

MD5
dd516e1ba2537c41e6eef87e05cb9d31

SHA1
3477c753ca07fe2d6a0a44114f490afbfc58a4b6

SHA256
a3f39302870cb0ab321e5e297ade6990f54c2590cf7bb6543af47e33303e31dd

SHA512
36041e35e64733efb36beef6c5dc07befe76589f081d6efcfe0da2bb368975cf551155a480af933c6e8acae4e87905c238e6917605a094d145e924e2f594b4d9

Download Submit
C:\Windows\System\FEOzFIG.exe

Filesize
2.0MB

MD5
6951d08f84e3191cda7203853e3976ef

SHA1
25be2d836d32236a75e7f0d78525b4f9148af127

SHA256
a105080f66cb5c5bb5784bca24d8dfcecaf82e377c7485e6ef5a4c6c4864d502

SHA512
627a2f1624d5cec39c2aed310b56d9160dcc01d3efc5dc04bf996d5ab6ebccc914e4c724f7e7cbf0b3833702cfa54eedaf672c8c70d78f2600de59fac1e83c45

Download Submit
C:\Windows\System\GoTntIp.exe

Filesize
2.0MB

MD5
54ec0eae17ffcd99440188820d44e76c

SHA1
153671af703d3246b8b5db32f5565abc3ae0c858

SHA256
b9f17ba807daf4498e2f9b2c38e5bbad3efc74da33bebbb70ae17d3be23aa3b4

SHA512
e1758003083e1e5c892ee066cf0b1f23164285eeb2db96a1761c7817b1325044adc75936dd9250138ff17ca8add270c105c92f6d0fe0649176b2fb0bf5a3111e

Download Submit
C:\Windows\System\Ionhijs.exe

Filesize
2.0MB

MD5
da1597871642746be9a53251b5183984

SHA1
77367929ec29e51b884573a2c2d53c0c00f984ab

SHA256
9930419515fc81602d0537f75c958804a31c78d62bf0c8612599477b8b7854ed

SHA512
5b36911992c7e7a5593c32cae1cdad1536feb6d1c7c44e40b10cde16c95b980200afb181582b406d9e84874d1278541a66518e5edb4baf92a2d3df7906d16d90

Download Submit
C:\Windows\System\JMNmHhW.exe

Filesize
2.0MB

MD5
59a055c9e4554678ec62c63dd4df1fb0

SHA1
2a96989b1dee62716c9d8ae3f8468680ce804ccc

SHA256
def2365c4606ebf0d26795b2db702adc38eaac363dc62540fe0ac109e55c8b7c

SHA512
3da1ab99a7445916085875ec94fbca998588564de1fd937e78bc441337fe4ab4bca76c2a27ee56c47b6063345ca1731960b4dc1d11d9f7e6af11455dc42794b8

Download Submit
C:\Windows\System\LLtLXjI.exe

Filesize
2.0MB

MD5
6c639ce758999acc36457a09687bf61a

SHA1
03177cd42930288d64550a657d1f9ec76183a917

SHA256
41021f459ee2481435667d88b8ef136a4bf4ec87c92c895f87377b6228a1f453

SHA512
113dc3faa159424aa1358bf82821513a17e4dde2f9fef24ce21557a5dc41920745e4058f46aeb4b86c87ec23034a7019906dc3aec46cef02353458b8bff3103f

Download Submit
C:\Windows\System\MMwgYqh.exe

Filesize
2.0MB

MD5
db1bbd73aa5bcaf7066faa63a383b592

SHA1
7be657f67f8d3a20f028a2646fee7555304c0238

SHA256
5d8bc87da97408f22b70ab9557c77cc926fc371176b518b576165cd9759301e8

SHA512
de59486f2563e6c431da31c00f59542af5adefb85230945eb5854b1458908149d7605fd2c52be014896bf701b55933e57e9ab470e23ac9b77fa0110b051739da

Download Submit
C:\Windows\System\MOipUbU.exe

Filesize
2.0MB

MD5
1fe2d001accf89fbeb08b06bcac4319c

SHA1
439ae19fff90d89ba489f8de087f1b16341ebbe5

SHA256
0f12c208845b6773c0fd9f206765b9f233b08038a40dd78ec496478e417ef368

SHA512
c51c99f62b3b19138559978d8ae06dc5922012755a02a98cfc5308fd151852a46d3739c695a211d0660b76031cd6f65962e2d3e82f1833de17c430556f3135f7

Download Submit
C:\Windows\System\RkmjjyF.exe

Filesize
2.0MB

MD5
a5c52374fae3a983932d16fd001dfea8

SHA1
a35b484ea30f51b660be0c10debaa790841485f1

SHA256
d3c52ac0e64500460a553edb4a99179a94e459503064b45bc2d2b4cfe653c226

SHA512
a516e5257c28d4ec6c64014a5ead25553b975c9a254f383dcc1f63be1f9d1ea578aab8004ad5c457e27aee12090a83d75513df474259612c566a087047c800f4

Download Submit
C:\Windows\System\SChxFeX.exe

Filesize
2.0MB

MD5
723453b3d2fa27afeca815a44c7392d3

SHA1
b8113884dcd9c0587078eee23529067f27673bf6

SHA256
88105c9d245906ee0e9b90f3d51859ae98dcc545dd29897712f769925b26eada

SHA512
35b20ca99e596553642a01a711b7dfed36bd1572267b7a2edfde9fd08a62bcb9911e481ace9bc32921640dc257cd45b3680f25a165cc8938f96cc8e1c6e37f6b

Download Submit
C:\Windows\System\SDfWyfy.exe

Filesize
2.0MB

MD5
125c6b6a473c8181e1424dba59dd5c46

SHA1
4ffb9ec7b1b08cd11a92765e3b2a03dcefef0a55

SHA256
0b489ba31664c637708bc080fd205931ac018d69ddeec00c8ed0e4374976baae

SHA512
166d697be8486cd2b4a257a24e5e70ab23071f7abb86a9a872089addece63887f194dccbff5eb2c5703f26adf1cd746efbd96d72f1ebc8b5c57215b827cd69b6

Download Submit
C:\Windows\System\VrrknLS.exe

Filesize
2.0MB

MD5
81a39bfa0d55d061b7db7d76fa51e586

SHA1
4f764dc7075ccc631b55a94b57202e2089234db4

SHA256
5af7449bcb5e30ebbd7829aad97edf471346995075c7d1d4089298a16b4f3a07

SHA512
22ee81572efdcf276c6cfe14dd3535957ae330610c809cd246cdb7168303e64eef24796930b8f9c520db551dd17d293a9041f2bb6edd5c5fe21b67cd310af5d4

Download Submit
C:\Windows\System\WNzyKfo.exe

Filesize
2.0MB

MD5
bf5b8bb7eafc6209cf1caea453fdc7d1

SHA1
0238aeaaa5122403e1120c24edeede294b7d3f18

SHA256
8bb82d3af75e207226d7a337eb273da6ee429c071db67aff53cd17ff269fc597

SHA512
a1fd5a9938a9fc489ecb7a3c7d73ef680821a84c6529491b1305e0908adee8529c70462ec677fe75f7d38a9623aa6287e77067eb864821e8e77ca1e66d5f311e

Download Submit
C:\Windows\System\XKCbOxw.exe

Filesize
2.0MB

MD5
05eaf4f81b5efb4ea5de10d82763c2f5

SHA1
e2b5b52abecff995cbec81800eed82a836692b4b

SHA256
6dcecbc72ef9a4abd9133a7519088ae6069aa854a955f1a6fe8fd0365ab5b4b0

SHA512
21feeaaa58cda951e4d392c500424582a8d18995f086ffe3a5a5acaf6294192ec340fffa605af33d1e358009179853f98df984f7bd1005645f7aac626efb91b3

Download Submit
C:\Windows\System\XOJfVBX.exe

Filesize
2.0MB

MD5
c0131516a0e6282f01b06b52f8611dd5

SHA1
2871ab8ec1f3108b25e207698f757c6650517a58

SHA256
a257ffdcb91fae489e8a25683f84a56c53c6205cbc701aea5f10269e52e10547

SHA512
d468831d6a3c439e5e5910feb900077994daf2e1200d598e8fc30ff4a3069978ae8baf2d62e0d1a3eca75843a0bf2ff9a5c95488e297a0c590627e5b4cea27c3

Download Submit
C:\Windows\System\XgqfZJd.exe

Filesize
2.0MB

MD5
ef79c229f08c8e4dd4c3d9bc5b98100a

SHA1
4838a4dd98613139e00d34f73013a06edf3087a6

SHA256
84903d62a4b8f6f8d997f4f2c5dbad2fad63ae7d93f3a432faa4dce3969f80ae

SHA512
27f8c5b1a9a6ead5498cc257dc385cdd1e6a6dc864d693f9cd16860e8d247f71e84c7f7d435b906f2e07af46f9949eab6961b0956e04e97eef948d2b9996a648

Download Submit
C:\Windows\System\aoDlinZ.exe

Filesize
2.0MB

MD5
ded153717ee72ce3dd2863d380de3e4e

SHA1
b239f3ab1e0191e30f0f4cf3c44c5cbb4584ed68

SHA256
479bb5afb1d071c8a9d1638f5e34133a1a4c826875edb3249a973f2516e9bf3a

SHA512
bd7d4b15a0ea6397e781180f4f271e4390b7c2c06f6c61dea8571a1f8b0a2191b96dfa75edba12bb2f99efda830f3b8979cb51154dcbc600fff699f61ae59eee

Download Submit
C:\Windows\System\aujtWmA.exe

Filesize
2.0MB

MD5
6b0822a8617250f61cc2493f1741cc44

SHA1
2829b9ab9a11735c76b41780179dafef7068b63f

SHA256
04a937b243156e9d90499f58c3eb18eb102c4c0036f86fc44c0b8795883bddaa

SHA512
05c859f98099dc3d8a113505d69e54fe7ce5c0de15e1c147be0d78b8af2fc61e0ea9ebde2ee22f308c6ef9dc2063e8761435fe52ece0675855ecbe1343792adb

Download Submit
C:\Windows\System\bMzIGBV.exe

Filesize
2.0MB

MD5
9f23f918c21ac6f69af2317f670d5fd9

SHA1
09a356b23ed61108f3bb610d8740401ddd692c6e

SHA256
e8621cb685e2b63e13f62c95214d2fd994cd89d26e56c032aa3eb661ba2be526

SHA512
e1de0e4585fceee947ec47828a70c4eb019f82026bdceb4ca4108b882bc566842e762ca908ce6ae1c78939000c839278cf2a94b759add2f713232189b1e2b4f4

Download Submit
C:\Windows\System\bkiRxtZ.exe

Filesize
2.0MB

MD5
372af03691b2f393b90e062128a09885

SHA1
97dd0a0f0622f7ef2201c803d70005384833f37c

SHA256
6a23178974cf57a9143bfe6f207acf6c3902951a533827a04db5579cd4e6b1fc

SHA512
f328c82f3a74f0dc09e38cdc6086f2d4a9c5f39f61f9c43085bf9d4137143f11083fccb6c47d593f755e124e0351c3a7a921a47de288a3e71978f6002b311288

Download Submit
C:\Windows\System\dIgesud.exe

Filesize
2.0MB

MD5
ab50c4978362768c242a5fee2f68f2a0

SHA1
0f5514d0ff66ed52ccfc23e8cf175552266fdb9d

SHA256
b71d4256709756be2138af13a6d18d5e38ec97906951af823f0c1eaa505ca1ea

SHA512
e517998c42da0fb2a6e80df7a1c8b641ad17d30725e27c76681f0513998f6c2115bf6d145a6f8454ecc09cbdbb0e29beae4e832106d1fdf84673f41955e1197b

Download Submit
C:\Windows\System\dLxUIyi.exe

Filesize
2.0MB

MD5
deea194acc225c3fb3435db747842b46

SHA1
a3a0e69532ee47aeaa1ec173d74307fb32d9b826

SHA256
0760f27662e5437b90d8bf13a75346852b0314756c013987cc9eefb74026a165

SHA512
6ed2ab1dbecc47d0c89fc35be517caa9c4e4622e8b2d9ca35a5c9f0ad2ef3e063b29d68f7c879735f629d285169456349c6d360637eda4c71429812cc896888c

Download Submit
C:\Windows\System\hnVvPlt.exe

Filesize
2.0MB

MD5
a9092b7ca06e4257cf133638904bd02c

SHA1
238b60637b6393e86b674046329edb1ef94975fa

SHA256
818deb02b40623bc4e9b228f050cde2d0d2acb8bbce076ded01b124bc645a435

SHA512
789a2f319b38b27e2ea9a0f8b9fdab75483b11bd719f36d71d6bbbc63e49abe8051b08498db293343d19a250050f1767c64df48986cacf14d7839c38e4e6dae4

Download Submit
C:\Windows\System\jlpPYxs.exe

Filesize
8B

MD5
f6061fc6a7c99ae821a125be5d34b682

SHA1
cd62deeb3efa237b04e342e9238578fd370ae14d

SHA256
700c9a719b011e50437e2fa1d083a87e3381f4f178b8b9f9899f4bbf7503df60

SHA512
cc6b78f85499cc18661ced0cca34cc6f25b4f82783646930e95bb966639561cabaf13feff5c13c58aa77b6804729d0ec64978f44b9a573d37b44aa1603320b3d

Download Submit
C:\Windows\System\mTZFFRM.exe

Filesize
2.0MB

MD5
fe40db94e3efd7f2a09a1dbfb3ef9f46

SHA1
23e89cefb514cc70f27377c2bc033ea65a8cb3e2

SHA256
a36aab643f5987520c17c9a022091f0b06be488cc09ea3593bf68fc4d853c518

SHA512
1e9de5f336d57ea694ef15e414cdefe6fc280116aeb014bda986b48fd6c335c97aa68a4781494c99697027c44b3183cf96526598c37842baecce9732dbb070ef

Download Submit
C:\Windows\System\mcgkOlZ.exe

Filesize
2.0MB

MD5
c1fc79fad88157515ec16526951cfbc0

SHA1
72a9f56aa7cf422aa2063e6334f965ec4500e647

SHA256
359b0e119183dc2959f94009834dd5f5a50323c911f8a1099a1c910a9ab02630

SHA512
8a61846b2046e7c9b2daa5b475aaa869978755d9556164684eb9886672a0fcccd131ae2cb2d381d09ec947ce953c57d0266efc00f1d0a767c58aca2eceb9285c

Download Submit
C:\Windows\System\pwXxged.exe

Filesize
2.0MB

MD5
13bef396b1b1a0c0dd8b8324ab7ef59d

SHA1
1263d931d9d605822b5f1366d8fe8f62d6cc896c

SHA256
57a5a7635d9da293adf1b4fbeb2ccd31351e29eb4c604f3aead6c38192596909

SHA512
d7c52d130c4a51a2c7387e91b05301fece3138b810b1445c4acb8006fd10ac813a86ee9c9e7948859af641c5b45ef65fb8603b6cda7825bcce9809da5391bb78

Download Submit
C:\Windows\System\pyDONoF.exe

Filesize
2.0MB

MD5
eed8a4aaa7259ccc9b1fe230902ee56d

SHA1
8c030e2ccf3cc4480175e187f415d3a25caa945f

SHA256
853ec4004535d7f0a3c6dd8d1acc1b27f14c2372bb0e20ca11e637a228328107

SHA512
6b67524fe85fdf3507a7267dc8c3a06a7f99a14f014fd13b4af0359c1fa8545b501491c18f11c83b94791e52264df48c340448bc017fee90080bd9dd45427ae0

Download Submit
C:\Windows\System\tOsEKRP.exe

Filesize
2.0MB

MD5
305ec1a196e6bb2b9c1ea6c98e1f579c

SHA1
36d74a12709ee60c7d1a1475916ce0b1fdd1ae0d

SHA256
e52823692a35fcc9b46a054ea0c3bbab90c67421abd3ed2c9153b00b6b17bc50

SHA512
949bb6f515cc6191e8245d2b1b0c09329b35f77864b097ea5563f50fb782ae846e5c99ab5cb4757748adfd37fd143dba01af9ffcb40ae1bbe1a397a8fc1f86ec

Download Submit
C:\Windows\System\uAjorOB.exe

Filesize
2.0MB

MD5
ab96e7ec71a17fe88de7c8fc78c2e44e

SHA1
f7346e33042c7ebdb54af29167712de96d380327

SHA256
658101d4f9e2598a5925fad60ca70b5f73a3924bcc9bb34a7331e79fcb1a2c40

SHA512
924be390cacf9ef8e89b09da62a609395d59bc635f73702e9f9885cbe1d97ef2ae4cc0dbfb9f485945853d179c27e018f426e8e06e41b98965f7113dbf385407

Download Submit
C:\Windows\System\wSTyMHK.exe

Filesize
2.0MB

MD5
286874b9a45b920d956443c9752eab43

SHA1
a3dc515da7d249c79dd25cf4266c62db7eddd324

SHA256
9b09e1f24ca2cc970c9f31531f279e5930c25efa5e8bc64200aae5258f8eb710

SHA512
b493ae43273596b97183285bbf326a6893095080961a1b4dc88fc39c356f50cdc085f6986672b1a117eef5230e7f4f688dba4ecdd7ab2198e2142c2f075ee1eb

Download Submit
C:\Windows\System\yVdGqwU.exe

Filesize
2.0MB

MD5
1018c13b591b878f656aae24d55656ad

SHA1
d951a0341b0bde1a29fc5b83718855f371dcfc69

SHA256
f05b363b22c2549e46a4d73b9229843cf2fe71ec871a92b268f9de515081f27a

SHA512
d4975db30623420ff8c079963a4f7b6772832afb8af44a87edfe6bb75b10a5db925f65baac5cb35b004666e5bab16f73fdf6281b8e1fee2fc2b81c23e31300e0

Download Submit
C:\Windows\System\zRYauNC.exe

Filesize
2.0MB

MD5
a32d7e45b8f93cde289c9b187f67fe5f

SHA1
040896c1ddd84f9d26fa9351fcba91bcaa0c9f3d

SHA256
bf1019d2749662a6724d6d3c792c48d452772c9bfb8ee73aedd365675cd8ef67

SHA512
88dd60815a8260403cae67d2dd59c4707dfa2ce8e4e449315d21e835c9ac91aff10ca3330cbe10f35ccd1f59c842890af641d6b4e160429ebebf6ffcf21b2ace

Download Submit
memory/208-104-0x00007FF791090000-0x00007FF791482000-memory.dmp

Filesize
3.9MB

Download
memory/208-3555-0x00007FF791090000-0x00007FF791482000-memory.dmp

Filesize
3.9MB

Download
memory/208-3231-0x00007FF791090000-0x00007FF791482000-memory.dmp

Filesize
3.9MB

Download
memory/764-758-0x00007FF6AAF60000-0x00007FF6AB352000-memory.dmp

Filesize
3.9MB

Download
memory/764-3311-0x00007FF6AAF60000-0x00007FF6AB352000-memory.dmp

Filesize
3.9MB

Download
memory/820-70-0x00007FF7C5FF0000-0x00007FF7C63E2000-memory.dmp

Filesize
3.9MB

Download
memory/820-3266-0x00007FF7C5FF0000-0x00007FF7C63E2000-memory.dmp

Filesize
3.9MB

Download
memory/1004-3282-0x00007FF69AF60000-0x00007FF69B352000-memory.dmp

Filesize
3.9MB

Download
memory/1004-75-0x00007FF69AF60000-0x00007FF69B352000-memory.dmp

Filesize
3.9MB

Download
memory/1136-90-0x00007FF7E55D0000-0x00007FF7E59C2000-memory.dmp

Filesize
3.9MB

Download
memory/1136-3272-0x00007FF7E55D0000-0x00007FF7E59C2000-memory.dmp

Filesize
3.9MB

Download
memory/1152-3268-0x00007FF7DE210000-0x00007FF7DE602000-memory.dmp

Filesize
3.9MB

Download
memory/1152-88-0x00007FF7DE210000-0x00007FF7DE602000-memory.dmp

Filesize
3.9MB

Download
memory/1172-3309-0x00007FF714730000-0x00007FF714B22000-memory.dmp

Filesize
3.9MB

Download
memory/1172-761-0x00007FF714730000-0x00007FF714B22000-memory.dmp

Filesize
3.9MB

Download
memory/1464-103-0x00007FF7DA160000-0x00007FF7DA552000-memory.dmp

Filesize
3.9MB

Download
memory/1464-3286-0x00007FF7DA160000-0x00007FF7DA552000-memory.dmp

Filesize
3.9MB

Download
memory/1792-784-0x00007FF7F0620000-0x00007FF7F0A12000-memory.dmp

Filesize
3.9MB

Download
memory/1792-3318-0x00007FF7F0620000-0x00007FF7F0A12000-memory.dmp

Filesize
3.9MB

Download
memory/1832-3275-0x00007FF6265F0000-0x00007FF6269E2000-memory.dmp

Filesize
3.9MB

Download
memory/1832-76-0x00007FF6265F0000-0x00007FF6269E2000-memory.dmp

Filesize
3.9MB

Download
memory/2608-91-0x00007FF798480000-0x00007FF798872000-memory.dmp

Filesize
3.9MB

Download
memory/2608-3283-0x00007FF798480000-0x00007FF798872000-memory.dmp

Filesize
3.9MB

Download
memory/2788-744-0x00007FF62ABE0000-0x00007FF62AFD2000-memory.dmp

Filesize
3.9MB

Download
memory/2788-3306-0x00007FF62ABE0000-0x00007FF62AFD2000-memory.dmp

Filesize
3.9MB

Download
memory/2800-3257-0x00007FF62D400000-0x00007FF62D7F2000-memory.dmp

Filesize
3.9MB

Download
memory/2800-3290-0x00007FF62D400000-0x00007FF62D7F2000-memory.dmp

Filesize
3.9MB

Download
memory/2800-110-0x00007FF62D400000-0x00007FF62D7F2000-memory.dmp

Filesize
3.9MB

Download
memory/2840-3313-0x00007FF64A950000-0x00007FF64AD42000-memory.dmp

Filesize
3.9MB

Download
memory/2840-762-0x00007FF64A950000-0x00007FF64AD42000-memory.dmp

Filesize
3.9MB

Download
memory/2924-11-0x00007FF6D0000000-0x00007FF6D03F2000-memory.dmp

Filesize
3.9MB

Download
memory/2924-3261-0x00007FF6D0000000-0x00007FF6D03F2000-memory.dmp

Filesize
3.9MB

Download
memory/3040-101-0x00007FF60CB90000-0x00007FF60CF82000-memory.dmp

Filesize
3.9MB

Download
memory/3040-3280-0x00007FF60CB90000-0x00007FF60CF82000-memory.dmp

Filesize
3.9MB

Download
memory/3220-71-0x00007FF6BD210000-0x00007FF6BD602000-memory.dmp

Filesize
3.9MB

Download
memory/3220-3273-0x00007FF6BD210000-0x00007FF6BD602000-memory.dmp

Filesize
3.9MB

Download
memory/3468-0-0x00007FF6A2540000-0x00007FF6A2932000-memory.dmp

Filesize
3.9MB

Download
memory/3468-1-0x0000019AF3F30000-0x0000019AF3F40000-memory.dmp

Filesize
64KB

Download
memory/3924-81-0x00007FF77CB80000-0x00007FF77CF72000-memory.dmp

Filesize
3.9MB

Download
memory/3924-3263-0x00007FF77CB80000-0x00007FF77CF72000-memory.dmp

Filesize
3.9MB

Download
memory/4196-3278-0x00007FF780300000-0x00007FF7806F2000-memory.dmp

Filesize
3.9MB

Download
memory/4196-96-0x00007FF780300000-0x00007FF7806F2000-memory.dmp

Filesize
3.9MB

Download
memory/4424-64-0x00007FF7B15B0000-0x00007FF7B19A2000-memory.dmp

Filesize
3.9MB

Download
memory/4424-3270-0x00007FF7B15B0000-0x00007FF7B19A2000-memory.dmp

Filesize
3.9MB

Download
memory/4428-3319-0x00007FF7F4170000-0x00007FF7F4562000-memory.dmp

Filesize
3.9MB

Download
memory/4428-107-0x00007FF7F4170000-0x00007FF7F4562000-memory.dmp

Filesize
3.9MB

Download
memory/4552-749-0x00007FF690AB0000-0x00007FF690EA2000-memory.dmp

Filesize
3.9MB

Download
memory/4552-3305-0x00007FF690AB0000-0x00007FF690EA2000-memory.dmp

Filesize
3.9MB

Download
memory/4584-742-0x00007FF7604E0000-0x00007FF7608D2000-memory.dmp

Filesize
3.9MB

Download
memory/4584-3287-0x00007FF7604E0000-0x00007FF7608D2000-memory.dmp

Filesize
3.9MB

Download
memory/4952-779-0x00007FF7A7410000-0x00007FF7A7802000-memory.dmp

Filesize
3.9MB

Download
memory/4952-3315-0x00007FF7A7410000-0x00007FF7A7802000-memory.dmp

Filesize
3.9MB

Download
memory/5072-1301-0x000001E7FEBC0000-0x000001E7FF366000-memory.dmp

Filesize
7.6MB

Download
memory/5072-52-0x000001E7FDF70000-0x000001E7FDF92000-memory.dmp

Filesize
136KB

Download
memory/5072-38-0x00007FFC51410000-0x00007FFC51ED1000-memory.dmp

Filesize
10.8MB

Download
memory/5072-58-0x00007FFC51410000-0x00007FFC51ED1000-memory.dmp

Filesize
10.8MB

Download
memory/5072-12-0x00007FFC51413000-0x00007FFC51415000-memory.dmp

Filesize
8KB

Download
memory/5072-3241-0x00007FFC51410000-0x00007FFC51ED1000-memory.dmp

Filesize
10.8MB

Download