xmrig | 433ce21b724766a3ac588bf49d3bd4b63b1239653be98e0a900b398964f68e23

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
Size

1.6MB
MD5

4e7b8ce90d5d3a0bc2e9db1a891564a0
SHA1

5ec8d9b8fc004dd3ed8c9844f263315b023687f4
SHA256

433ce21b724766a3ac588bf49d3bd4b63b1239653be98e0a900b398964f68e23
SHA512

3c25f82743c0db636ed8aa73c13d90170157a263109479221fd92657b893aa08c751b09d341ea66e2b2b6669a297579477ddac663fbc8ed9e824dab6326ba6aa
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkipBh8tGxHIBWGlTqTGzk+lOagppeTb2T4BqSOBGI:Lz071uv4BPMkiFGlObQI

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/1128-124-0x00007FF6FA080000-0x00007FF6FA472000-memory.dmp	xmrig
behavioral2/memory/2000-132-0x00007FF61C3B0000-0x00007FF61C7A2000-memory.dmp	xmrig
behavioral2/memory/2528-154-0x00007FF6CD670000-0x00007FF6CDA62000-memory.dmp	xmrig
behavioral2/memory/2576-216-0x00007FF721410000-0x00007FF721802000-memory.dmp	xmrig
behavioral2/memory/1444-212-0x00007FF79B610000-0x00007FF79BA02000-memory.dmp	xmrig
behavioral2/memory/2156-208-0x00007FF79C690000-0x00007FF79CA82000-memory.dmp	xmrig
behavioral2/memory/4176-204-0x00007FF7E2CB0000-0x00007FF7E30A2000-memory.dmp	xmrig
behavioral2/memory/1704-200-0x00007FF7ED6E0000-0x00007FF7EDAD2000-memory.dmp	xmrig
behavioral2/memory/1960-196-0x00007FF719960000-0x00007FF719D52000-memory.dmp	xmrig
behavioral2/memory/2752-190-0x00007FF70D2E0000-0x00007FF70D6D2000-memory.dmp	xmrig
behavioral2/memory/1608-179-0x00007FF78BD70000-0x00007FF78C162000-memory.dmp	xmrig
behavioral2/memory/2100-173-0x00007FF65D7F0000-0x00007FF65DBE2000-memory.dmp	xmrig
behavioral2/memory/2136-172-0x00007FF616F70000-0x00007FF617362000-memory.dmp	xmrig
behavioral2/memory/2452-160-0x00007FF7C3D20000-0x00007FF7C4112000-memory.dmp	xmrig
behavioral2/memory/4060-148-0x00007FF6CFA20000-0x00007FF6CFE12000-memory.dmp	xmrig
behavioral2/memory/2152-142-0x00007FF602620000-0x00007FF602A12000-memory.dmp	xmrig
behavioral2/memory/2912-136-0x00007FF750780000-0x00007FF750B72000-memory.dmp	xmrig
behavioral2/memory/3644-128-0x00007FF74A780000-0x00007FF74AB72000-memory.dmp	xmrig
behavioral2/memory/1688-125-0x00007FF7DA2D0000-0x00007FF7DA6C2000-memory.dmp	xmrig
behavioral2/memory/60-119-0x00007FF7EEAD0000-0x00007FF7EEEC2000-memory.dmp	xmrig
behavioral2/memory/4004-113-0x00007FF7C9F70000-0x00007FF7CA362000-memory.dmp	xmrig
behavioral2/memory/4784-23-0x00007FF603190000-0x00007FF603582000-memory.dmp	xmrig
behavioral2/memory/2088-2560-0x00007FF7AB610000-0x00007FF7ABA02000-memory.dmp	xmrig
behavioral2/memory/4784-2572-0x00007FF603190000-0x00007FF603582000-memory.dmp	xmrig
behavioral2/memory/2752-2576-0x00007FF70D2E0000-0x00007FF70D6D2000-memory.dmp	xmrig
behavioral2/memory/2088-2574-0x00007FF7AB610000-0x00007FF7ABA02000-memory.dmp	xmrig
behavioral2/memory/2000-2587-0x00007FF61C3B0000-0x00007FF61C7A2000-memory.dmp	xmrig
behavioral2/memory/1688-2588-0x00007FF7DA2D0000-0x00007FF7DA6C2000-memory.dmp	xmrig
behavioral2/memory/2912-2594-0x00007FF750780000-0x00007FF750B72000-memory.dmp	xmrig
behavioral2/memory/4060-2596-0x00007FF6CFA20000-0x00007FF6CFE12000-memory.dmp	xmrig
behavioral2/memory/2528-2625-0x00007FF6CD670000-0x00007FF6CDA62000-memory.dmp	xmrig
behavioral2/memory/4176-2649-0x00007FF7E2CB0000-0x00007FF7E30A2000-memory.dmp	xmrig
behavioral2/memory/2156-2667-0x00007FF79C690000-0x00007FF79CA82000-memory.dmp	xmrig
behavioral2/memory/2976-2710-0x00007FF66BDB0000-0x00007FF66C1A2000-memory.dmp	xmrig
behavioral2/memory/2576-2704-0x00007FF721410000-0x00007FF721802000-memory.dmp	xmrig
behavioral2/memory/1444-2686-0x00007FF79B610000-0x00007FF79BA02000-memory.dmp	xmrig
behavioral2/memory/2452-2632-0x00007FF7C3D20000-0x00007FF7C4112000-memory.dmp	xmrig
behavioral2/memory/2100-2629-0x00007FF65D7F0000-0x00007FF65DBE2000-memory.dmp	xmrig
behavioral2/memory/2136-2627-0x00007FF616F70000-0x00007FF617362000-memory.dmp	xmrig
behavioral2/memory/1608-2638-0x00007FF78BD70000-0x00007FF78C162000-memory.dmp	xmrig
behavioral2/memory/1704-2614-0x00007FF7ED6E0000-0x00007FF7EDAD2000-memory.dmp	xmrig
behavioral2/memory/2152-2592-0x00007FF602620000-0x00007FF602A12000-memory.dmp	xmrig
behavioral2/memory/1128-2590-0x00007FF6FA080000-0x00007FF6FA472000-memory.dmp	xmrig
behavioral2/memory/1960-2584-0x00007FF719960000-0x00007FF719D52000-memory.dmp	xmrig
behavioral2/memory/4004-2580-0x00007FF7C9F70000-0x00007FF7CA362000-memory.dmp	xmrig
behavioral2/memory/3644-2583-0x00007FF74A780000-0x00007FF74AB72000-memory.dmp	xmrig
behavioral2/memory/60-2579-0x00007FF7EEAD0000-0x00007FF7EEEC2000-memory.dmp	xmrig
behavioral2/memory/2976-2886-0x00007FF66BDB0000-0x00007FF66C1A2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	3328	powershell.exe
7	3328	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3328	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2088	KQzDUJG.exe
2752	DhiokcB.exe
4784	mHjMcQs.exe
1960	dJQBXRe.exe
4004	wWnzVnR.exe
60	AMdrYxf.exe
1128	zCltSTV.exe
1688	VbCxFjJ.exe
3644	cXfoonJ.exe
2000	kPqfxtK.exe
2912	rMlfvpb.exe
2152	TqIptbU.exe
4060	JuJqqbA.exe
1704	CnHGrZh.exe
2528	IHUTkTV.exe
2452	tcxzBDK.exe
2976	lqIHszY.exe
2136	loxaFBv.exe
2100	wpCYlXg.exe
1608	CdJeCzy.exe
4176	Hagmema.exe
2156	SDfVavs.exe
1444	BnByhEm.exe
2576	qfGUUxl.exe
2868	LXpoKjI.exe
3816	JYejKGe.exe
1676	WhirmKQ.exe
1508	GIgiyBz.exe
4116	VwYHtyG.exe
3032	fiXMdAw.exe
1192	GGKqoGb.exe
4472	DYjpGAO.exe
456	IoIlGnP.exe
4572	aWOpGpK.exe
452	KzVtKMX.exe
4620	ntkXzrr.exe
4704	tIicxXx.exe
4880	wFHLgXN.exe
4576	TGjWEyf.exe
960	WwyflNz.exe
4432	lbVAnyL.exe
5064	ksDWVxK.exe
1464	XpRTGLv.exe
4664	HChIxyA.exe
2760	pVMWmeG.exe
2984	kmyTmuL.exe
2880	NuStBpB.exe
412	bXHEqtc.exe
4212	pRcvjUI.exe
3532	MgoMtqq.exe
4672	xlkwqra.exe
5048	cNdjEyP.exe
936	DpAdLrI.exe
3676	BTkrBNo.exe
3100	lUTsTwS.exe
2648	PrEGmig.exe
3340	xzZYMCz.exe
3928	PuEHvST.exe
2316	JNzpRlT.exe
3964	bYflcXX.exe
1604	ZyxDWpC.exe
2148	BHajmjB.exe
2256	dfPTJny.exe
3288	EbntQbN.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/808-0-0x00007FF7102A0000-0x00007FF710692000-memory.dmp	upx
behavioral2/files/0x000a000000023b9d-7.dat	upx
behavioral2/files/0x000a000000023b9f-27.dat	upx
behavioral2/files/0x000a000000023ba0-40.dat	upx
behavioral2/files/0x000a000000023ba2-39.dat	upx
behavioral2/files/0x000a000000023ba4-68.dat	upx
behavioral2/files/0x000a000000023ba3-77.dat	upx
behavioral2/files/0x000a000000023ba9-82.dat	upx
behavioral2/files/0x000a000000023baa-103.dat	upx
behavioral2/files/0x000a000000023bad-110.dat	upx
behavioral2/files/0x000a000000023bac-117.dat	upx
behavioral2/memory/1128-124-0x00007FF6FA080000-0x00007FF6FA472000-memory.dmp	upx
behavioral2/memory/2000-132-0x00007FF61C3B0000-0x00007FF61C7A2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb0-143.dat	upx
behavioral2/memory/2528-154-0x00007FF6CD670000-0x00007FF6CDA62000-memory.dmp	upx
behavioral2/files/0x000a000000023bb5-163.dat	upx
behavioral2/files/0x000a000000023bb9-187.dat	upx
behavioral2/memory/2576-216-0x00007FF721410000-0x00007FF721802000-memory.dmp	upx
behavioral2/memory/1444-212-0x00007FF79B610000-0x00007FF79BA02000-memory.dmp	upx
behavioral2/memory/2156-208-0x00007FF79C690000-0x00007FF79CA82000-memory.dmp	upx
behavioral2/memory/4176-204-0x00007FF7E2CB0000-0x00007FF7E30A2000-memory.dmp	upx
behavioral2/memory/1704-200-0x00007FF7ED6E0000-0x00007FF7EDAD2000-memory.dmp	upx
behavioral2/memory/1960-196-0x00007FF719960000-0x00007FF719D52000-memory.dmp	upx
behavioral2/files/0x000a000000023bba-193.dat	upx
behavioral2/files/0x000a000000023bb8-191.dat	upx
behavioral2/memory/2752-190-0x00007FF70D2E0000-0x00007FF70D6D2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb7-185.dat	upx
behavioral2/files/0x000a000000023bb6-180.dat	upx
behavioral2/memory/1608-179-0x00007FF78BD70000-0x00007FF78C162000-memory.dmp	upx
behavioral2/memory/2100-173-0x00007FF65D7F0000-0x00007FF65DBE2000-memory.dmp	upx
behavioral2/memory/2136-172-0x00007FF616F70000-0x00007FF617362000-memory.dmp	upx
behavioral2/files/0x000a000000023bb4-167.dat	upx
behavioral2/memory/2976-166-0x00007FF66BDB0000-0x00007FF66C1A2000-memory.dmp	upx
behavioral2/files/0x000a000000023bb3-161.dat	upx
behavioral2/memory/2452-160-0x00007FF7C3D20000-0x00007FF7C4112000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-155.dat	upx
behavioral2/files/0x000a000000023bb1-149.dat	upx
behavioral2/memory/4060-148-0x00007FF6CFA20000-0x00007FF6CFE12000-memory.dmp	upx
behavioral2/memory/2152-142-0x00007FF602620000-0x00007FF602A12000-memory.dmp	upx
behavioral2/files/0x000a000000023baf-137.dat	upx
behavioral2/memory/2912-136-0x00007FF750780000-0x00007FF750B72000-memory.dmp	upx
behavioral2/memory/3644-128-0x00007FF74A780000-0x00007FF74AB72000-memory.dmp	upx
behavioral2/memory/1688-125-0x00007FF7DA2D0000-0x00007FF7DA6C2000-memory.dmp	upx
behavioral2/files/0x000a000000023bae-122.dat	upx
behavioral2/memory/60-119-0x00007FF7EEAD0000-0x00007FF7EEEC2000-memory.dmp	upx
behavioral2/files/0x000a000000023bab-114.dat	upx
behavioral2/memory/4004-113-0x00007FF7C9F70000-0x00007FF7CA362000-memory.dmp	upx
behavioral2/files/0x000b000000023ba8-109.dat	upx
behavioral2/files/0x000b000000023b99-107.dat	upx
behavioral2/files/0x000b000000023ba7-105.dat	upx
behavioral2/files/0x000a000000023ba6-80.dat	upx
behavioral2/files/0x000a000000023ba5-76.dat	upx
behavioral2/files/0x000a000000023ba1-43.dat	upx
behavioral2/files/0x000a000000023b9e-29.dat	upx
behavioral2/memory/4784-23-0x00007FF603190000-0x00007FF603582000-memory.dmp	upx
behavioral2/files/0x000a000000023b9c-15.dat	upx
behavioral2/files/0x000c000000023b94-13.dat	upx
behavioral2/memory/2088-12-0x00007FF7AB610000-0x00007FF7ABA02000-memory.dmp	upx
behavioral2/memory/2088-2560-0x00007FF7AB610000-0x00007FF7ABA02000-memory.dmp	upx
behavioral2/memory/4784-2572-0x00007FF603190000-0x00007FF603582000-memory.dmp	upx
behavioral2/memory/2752-2576-0x00007FF70D2E0000-0x00007FF70D6D2000-memory.dmp	upx
behavioral2/memory/2088-2574-0x00007FF7AB610000-0x00007FF7ABA02000-memory.dmp	upx
behavioral2/memory/2000-2587-0x00007FF61C3B0000-0x00007FF61C7A2000-memory.dmp	upx
behavioral2/memory/1688-2588-0x00007FF7DA2D0000-0x00007FF7DA6C2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\vNfafUI.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\GNJaBlx.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\LFRPFpZ.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\wQXerQu.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\EaqAiqS.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\YQDpFvL.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\ImxHrGn.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\zTCxIAb.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\eJLQIal.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\kmRqkzr.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\vWOkuiZ.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\EbCNhrl.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\nHsFZqw.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\UrKZmiO.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\jDHiLXC.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\zPpRjTZ.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\PSKHcPn.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\KUTuyaq.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\cczvlRC.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\eDTXNEQ.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\emFJmdp.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\hpwLVcL.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\kPqfxtK.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\cNdjEyP.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\bcAjotd.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\KZNnrmH.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\ezwCSXp.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\RfnwrIs.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\ACsrSBW.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\DhLzdhi.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\JKGpWpf.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\TOLshxF.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\wBCZHKy.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\sQDpIyG.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\IIbIPBC.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\qqknIiw.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\ZIRlfrl.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\vUSBKYU.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\LNhaIDv.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\aGtpehI.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\SHpqUdB.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\vAjlMgJ.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\aglVfNu.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\qyEmlLI.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\TzHukMs.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\IyvXlgv.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\tTWNljg.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\IfQmDxI.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\wIQBiCo.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\GIgiyBz.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\bYflcXX.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\ivUBjUa.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\aRTquli.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\UXEtxKz.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\QlWSMKY.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\ZqlbTfQ.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\pRcvjUI.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\AiIfZbR.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\lIkOQKy.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\kKVpZly.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\GcTmqBf.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\XVmsxvb.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\mVmgtEd.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
File created	C:\Windows\System\imjGyMl.exe	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3328	powershell.exe
3328	powershell.exe
3328	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
Token: SeLockMemoryPrivilege	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
Token: SeDebugPrivilege	3328	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 808 wrote to memory of 3328	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	84
PID 808 wrote to memory of 3328	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	84
PID 808 wrote to memory of 2088	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	85
PID 808 wrote to memory of 2088	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	85
PID 808 wrote to memory of 2752	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	86
PID 808 wrote to memory of 2752	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	86
PID 808 wrote to memory of 4784	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	87
PID 808 wrote to memory of 4784	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	87
PID 808 wrote to memory of 1960	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	88
PID 808 wrote to memory of 1960	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	88
PID 808 wrote to memory of 4004	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	89
PID 808 wrote to memory of 4004	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	89
PID 808 wrote to memory of 60	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	90
PID 808 wrote to memory of 60	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	90
PID 808 wrote to memory of 1128	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	91
PID 808 wrote to memory of 1128	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	91
PID 808 wrote to memory of 1688	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	92
PID 808 wrote to memory of 1688	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	92
PID 808 wrote to memory of 3644	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	93
PID 808 wrote to memory of 3644	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	93
PID 808 wrote to memory of 2000	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	94
PID 808 wrote to memory of 2000	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	94
PID 808 wrote to memory of 2912	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	95
PID 808 wrote to memory of 2912	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	95
PID 808 wrote to memory of 2152	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	96
PID 808 wrote to memory of 2152	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	96
PID 808 wrote to memory of 4060	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	97
PID 808 wrote to memory of 4060	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	97
PID 808 wrote to memory of 1704	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	98
PID 808 wrote to memory of 1704	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	98
PID 808 wrote to memory of 2528	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	99
PID 808 wrote to memory of 2528	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	99
PID 808 wrote to memory of 2452	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	100
PID 808 wrote to memory of 2452	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	100
PID 808 wrote to memory of 2976	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	101
PID 808 wrote to memory of 2976	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	101
PID 808 wrote to memory of 2136	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	102
PID 808 wrote to memory of 2136	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	102
PID 808 wrote to memory of 2100	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	103
PID 808 wrote to memory of 2100	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	103
PID 808 wrote to memory of 1608	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	104
PID 808 wrote to memory of 1608	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	104
PID 808 wrote to memory of 4176	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	105
PID 808 wrote to memory of 4176	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	105
PID 808 wrote to memory of 2156	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	106
PID 808 wrote to memory of 2156	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	106
PID 808 wrote to memory of 1444	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	107
PID 808 wrote to memory of 1444	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	107
PID 808 wrote to memory of 2576	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	108
PID 808 wrote to memory of 2576	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	108
PID 808 wrote to memory of 2868	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	109
PID 808 wrote to memory of 2868	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	109
PID 808 wrote to memory of 3816	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	110
PID 808 wrote to memory of 3816	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	110
PID 808 wrote to memory of 1676	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	111
PID 808 wrote to memory of 1676	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	111
PID 808 wrote to memory of 1508	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	112
PID 808 wrote to memory of 1508	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	112
PID 808 wrote to memory of 4116	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	113
PID 808 wrote to memory of 4116	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	113
PID 808 wrote to memory of 3032	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	114
PID 808 wrote to memory of 3032	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	114
PID 808 wrote to memory of 1192	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	115
PID 808 wrote to memory of 1192	808	4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe	115

C:\Users\Admin\AppData\Local\Temp\4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\4e7b8ce90d5d3a0bc2e9db1a891564a0_NEIKI.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3328" "2904" "2892" "2840" "0" "0" "2944" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12916
- C:\Windows\System\KQzDUJG.exe
  C:\Windows\System\KQzDUJG.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\DhiokcB.exe
  C:\Windows\System\DhiokcB.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\mHjMcQs.exe
  C:\Windows\System\mHjMcQs.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\dJQBXRe.exe
  C:\Windows\System\dJQBXRe.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\wWnzVnR.exe
  C:\Windows\System\wWnzVnR.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\AMdrYxf.exe
  C:\Windows\System\AMdrYxf.exe
  2⤵
  - Executes dropped EXE
  PID:60
- C:\Windows\System\zCltSTV.exe
  C:\Windows\System\zCltSTV.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\VbCxFjJ.exe
  C:\Windows\System\VbCxFjJ.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\cXfoonJ.exe
  C:\Windows\System\cXfoonJ.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\kPqfxtK.exe
  C:\Windows\System\kPqfxtK.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\rMlfvpb.exe
  C:\Windows\System\rMlfvpb.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\TqIptbU.exe
  C:\Windows\System\TqIptbU.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\JuJqqbA.exe
  C:\Windows\System\JuJqqbA.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\CnHGrZh.exe
  C:\Windows\System\CnHGrZh.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\IHUTkTV.exe
  C:\Windows\System\IHUTkTV.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\tcxzBDK.exe
  C:\Windows\System\tcxzBDK.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\lqIHszY.exe
  C:\Windows\System\lqIHszY.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\loxaFBv.exe
  C:\Windows\System\loxaFBv.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\wpCYlXg.exe
  C:\Windows\System\wpCYlXg.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\CdJeCzy.exe
  C:\Windows\System\CdJeCzy.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\Hagmema.exe
  C:\Windows\System\Hagmema.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\SDfVavs.exe
  C:\Windows\System\SDfVavs.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\BnByhEm.exe
  C:\Windows\System\BnByhEm.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\qfGUUxl.exe
  C:\Windows\System\qfGUUxl.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\LXpoKjI.exe
  C:\Windows\System\LXpoKjI.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\JYejKGe.exe
  C:\Windows\System\JYejKGe.exe
  2⤵
  - Executes dropped EXE
  PID:3816
- C:\Windows\System\WhirmKQ.exe
  C:\Windows\System\WhirmKQ.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\GIgiyBz.exe
  C:\Windows\System\GIgiyBz.exe
  2⤵
  - Executes dropped EXE
  PID:1508
- C:\Windows\System\VwYHtyG.exe
  C:\Windows\System\VwYHtyG.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Windows\System\fiXMdAw.exe
  C:\Windows\System\fiXMdAw.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\GGKqoGb.exe
  C:\Windows\System\GGKqoGb.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\DYjpGAO.exe
  C:\Windows\System\DYjpGAO.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\IoIlGnP.exe
  C:\Windows\System\IoIlGnP.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\aWOpGpK.exe
  C:\Windows\System\aWOpGpK.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\KzVtKMX.exe
  C:\Windows\System\KzVtKMX.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\ntkXzrr.exe
  C:\Windows\System\ntkXzrr.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\tIicxXx.exe
  C:\Windows\System\tIicxXx.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\wFHLgXN.exe
  C:\Windows\System\wFHLgXN.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\TGjWEyf.exe
  C:\Windows\System\TGjWEyf.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\WwyflNz.exe
  C:\Windows\System\WwyflNz.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\lbVAnyL.exe
  C:\Windows\System\lbVAnyL.exe
  2⤵
  - Executes dropped EXE
  PID:4432
- C:\Windows\System\ksDWVxK.exe
  C:\Windows\System\ksDWVxK.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\XpRTGLv.exe
  C:\Windows\System\XpRTGLv.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\HChIxyA.exe
  C:\Windows\System\HChIxyA.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\pVMWmeG.exe
  C:\Windows\System\pVMWmeG.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\kmyTmuL.exe
  C:\Windows\System\kmyTmuL.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\NuStBpB.exe
  C:\Windows\System\NuStBpB.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\bXHEqtc.exe
  C:\Windows\System\bXHEqtc.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\pRcvjUI.exe
  C:\Windows\System\pRcvjUI.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\MgoMtqq.exe
  C:\Windows\System\MgoMtqq.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\xlkwqra.exe
  C:\Windows\System\xlkwqra.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\cNdjEyP.exe
  C:\Windows\System\cNdjEyP.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\DpAdLrI.exe
  C:\Windows\System\DpAdLrI.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\System\BTkrBNo.exe
  C:\Windows\System\BTkrBNo.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\lUTsTwS.exe
  C:\Windows\System\lUTsTwS.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\PrEGmig.exe
  C:\Windows\System\PrEGmig.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\xzZYMCz.exe
  C:\Windows\System\xzZYMCz.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\PuEHvST.exe
  C:\Windows\System\PuEHvST.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\JNzpRlT.exe
  C:\Windows\System\JNzpRlT.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\bYflcXX.exe
  C:\Windows\System\bYflcXX.exe
  2⤵
  - Executes dropped EXE
  PID:3964
- C:\Windows\System\ZyxDWpC.exe
  C:\Windows\System\ZyxDWpC.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\BHajmjB.exe
  C:\Windows\System\BHajmjB.exe
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\Windows\System\dfPTJny.exe
  C:\Windows\System\dfPTJny.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\EbntQbN.exe
  C:\Windows\System\EbntQbN.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\ZTocqNC.exe
  C:\Windows\System\ZTocqNC.exe
  2⤵
  PID:2840
- C:\Windows\System\qyEmlLI.exe
  C:\Windows\System\qyEmlLI.exe
  2⤵
  PID:700
- C:\Windows\System\DfuONbb.exe
  C:\Windows\System\DfuONbb.exe
  2⤵
  PID:5144
- C:\Windows\System\cczvlRC.exe
  C:\Windows\System\cczvlRC.exe
  2⤵
  PID:5176
- C:\Windows\System\DBNStKF.exe
  C:\Windows\System\DBNStKF.exe
  2⤵
  PID:5204
- C:\Windows\System\HNpaJNs.exe
  C:\Windows\System\HNpaJNs.exe
  2⤵
  PID:5232
- C:\Windows\System\tYwQSrd.exe
  C:\Windows\System\tYwQSrd.exe
  2⤵
  PID:5260
- C:\Windows\System\iDdtrFb.exe
  C:\Windows\System\iDdtrFb.exe
  2⤵
  PID:5288
- C:\Windows\System\FwwNteU.exe
  C:\Windows\System\FwwNteU.exe
  2⤵
  PID:5316
- C:\Windows\System\mKvQKHM.exe
  C:\Windows\System\mKvQKHM.exe
  2⤵
  PID:5340
- C:\Windows\System\PofiwsF.exe
  C:\Windows\System\PofiwsF.exe
  2⤵
  PID:5376
- C:\Windows\System\IJuNhjH.exe
  C:\Windows\System\IJuNhjH.exe
  2⤵
  PID:5404
- C:\Windows\System\lwoIppl.exe
  C:\Windows\System\lwoIppl.exe
  2⤵
  PID:5432
- C:\Windows\System\dGqfxzw.exe
  C:\Windows\System\dGqfxzw.exe
  2⤵
  PID:5460
- C:\Windows\System\mVmgtEd.exe
  C:\Windows\System\mVmgtEd.exe
  2⤵
  PID:5488
- C:\Windows\System\GvxJRsQ.exe
  C:\Windows\System\GvxJRsQ.exe
  2⤵
  PID:5516
- C:\Windows\System\fUdXBnT.exe
  C:\Windows\System\fUdXBnT.exe
  2⤵
  PID:5544
- C:\Windows\System\TpWQbds.exe
  C:\Windows\System\TpWQbds.exe
  2⤵
  PID:5572
- C:\Windows\System\JKGpWpf.exe
  C:\Windows\System\JKGpWpf.exe
  2⤵
  PID:5600
- C:\Windows\System\vuiJVxk.exe
  C:\Windows\System\vuiJVxk.exe
  2⤵
  PID:5628
- C:\Windows\System\fIbkqJT.exe
  C:\Windows\System\fIbkqJT.exe
  2⤵
  PID:5652
- C:\Windows\System\xoTOYVc.exe
  C:\Windows\System\xoTOYVc.exe
  2⤵
  PID:5684
- C:\Windows\System\UBWhoVR.exe
  C:\Windows\System\UBWhoVR.exe
  2⤵
  PID:5712
- C:\Windows\System\FjUUvcA.exe
  C:\Windows\System\FjUUvcA.exe
  2⤵
  PID:5744
- C:\Windows\System\ZxbJLoT.exe
  C:\Windows\System\ZxbJLoT.exe
  2⤵
  PID:5768
- C:\Windows\System\yFvISGG.exe
  C:\Windows\System\yFvISGG.exe
  2⤵
  PID:5796
- C:\Windows\System\RazqlgI.exe
  C:\Windows\System\RazqlgI.exe
  2⤵
  PID:5824
- C:\Windows\System\ocTiWqx.exe
  C:\Windows\System\ocTiWqx.exe
  2⤵
  PID:5852
- C:\Windows\System\ESNERCc.exe
  C:\Windows\System\ESNERCc.exe
  2⤵
  PID:5880
- C:\Windows\System\smHCvMn.exe
  C:\Windows\System\smHCvMn.exe
  2⤵
  PID:5908
- C:\Windows\System\AQcbTza.exe
  C:\Windows\System\AQcbTza.exe
  2⤵
  PID:5932
- C:\Windows\System\qiYKuQs.exe
  C:\Windows\System\qiYKuQs.exe
  2⤵
  PID:5964
- C:\Windows\System\VcLSQuT.exe
  C:\Windows\System\VcLSQuT.exe
  2⤵
  PID:5996
- C:\Windows\System\wlYJLUC.exe
  C:\Windows\System\wlYJLUC.exe
  2⤵
  PID:6020
- C:\Windows\System\ypcdASc.exe
  C:\Windows\System\ypcdASc.exe
  2⤵
  PID:6048
- C:\Windows\System\smtFcaf.exe
  C:\Windows\System\smtFcaf.exe
  2⤵
  PID:6076
- C:\Windows\System\VfAOzAo.exe
  C:\Windows\System\VfAOzAo.exe
  2⤵
  PID:6104
- C:\Windows\System\FENOjnS.exe
  C:\Windows\System\FENOjnS.exe
  2⤵
  PID:6136
- C:\Windows\System\tgQHMTE.exe
  C:\Windows\System\tgQHMTE.exe
  2⤵
  PID:4076
- C:\Windows\System\pXAYDTB.exe
  C:\Windows\System\pXAYDTB.exe
  2⤵
  PID:2636
- C:\Windows\System\pZKsiKI.exe
  C:\Windows\System\pZKsiKI.exe
  2⤵
  PID:4416
- C:\Windows\System\nZuyxhy.exe
  C:\Windows\System\nZuyxhy.exe
  2⤵
  PID:3300
- C:\Windows\System\vhIBNFf.exe
  C:\Windows\System\vhIBNFf.exe
  2⤵
  PID:2404
- C:\Windows\System\rNoiGHE.exe
  C:\Windows\System\rNoiGHE.exe
  2⤵
  PID:5136
- C:\Windows\System\YOWlcQE.exe
  C:\Windows\System\YOWlcQE.exe
  2⤵
  PID:5216
- C:\Windows\System\jpdrKJs.exe
  C:\Windows\System\jpdrKJs.exe
  2⤵
  PID:5272
- C:\Windows\System\ouSLUtt.exe
  C:\Windows\System\ouSLUtt.exe
  2⤵
  PID:5328
- C:\Windows\System\xLJupvY.exe
  C:\Windows\System\xLJupvY.exe
  2⤵
  PID:5392
- C:\Windows\System\mhfLvfn.exe
  C:\Windows\System\mhfLvfn.exe
  2⤵
  PID:5452
- C:\Windows\System\pjxYDWz.exe
  C:\Windows\System\pjxYDWz.exe
  2⤵
  PID:5500
- C:\Windows\System\phDGDhe.exe
  C:\Windows\System\phDGDhe.exe
  2⤵
  PID:5536
- C:\Windows\System\PYkOJnc.exe
  C:\Windows\System\PYkOJnc.exe
  2⤵
  PID:5612
- C:\Windows\System\BwACpPv.exe
  C:\Windows\System\BwACpPv.exe
  2⤵
  PID:5668
- C:\Windows\System\uufFrdk.exe
  C:\Windows\System\uufFrdk.exe
  2⤵
  PID:5724
- C:\Windows\System\UWZKvrr.exe
  C:\Windows\System\UWZKvrr.exe
  2⤵
  PID:5016
- C:\Windows\System\pbWQlBM.exe
  C:\Windows\System\pbWQlBM.exe
  2⤵
  PID:5836
- C:\Windows\System\utfjyrg.exe
  C:\Windows\System\utfjyrg.exe
  2⤵
  PID:5896
- C:\Windows\System\ynnwgwt.exe
  C:\Windows\System\ynnwgwt.exe
  2⤵
  PID:5948
- C:\Windows\System\VLGwawq.exe
  C:\Windows\System\VLGwawq.exe
  2⤵
  PID:6012
- C:\Windows\System\tsnPGmb.exe
  C:\Windows\System\tsnPGmb.exe
  2⤵
  PID:6068
- C:\Windows\System\njKeGlB.exe
  C:\Windows\System\njKeGlB.exe
  2⤵
  PID:4940
- C:\Windows\System\NzqjwMK.exe
  C:\Windows\System\NzqjwMK.exe
  2⤵
  PID:4876
- C:\Windows\System\pjYATzt.exe
  C:\Windows\System\pjYATzt.exe
  2⤵
  PID:1096
- C:\Windows\System\wuSJjpK.exe
  C:\Windows\System\wuSJjpK.exe
  2⤵
  PID:4508
- C:\Windows\System\YxiKvaO.exe
  C:\Windows\System\YxiKvaO.exe
  2⤵
  PID:5244
- C:\Windows\System\HDiLqpY.exe
  C:\Windows\System\HDiLqpY.exe
  2⤵
  PID:2632
- C:\Windows\System\nsTbyak.exe
  C:\Windows\System\nsTbyak.exe
  2⤵
  PID:5588
- C:\Windows\System\QjqRRSW.exe
  C:\Windows\System\QjqRRSW.exe
  2⤵
  PID:1340
- C:\Windows\System\QFBUtQG.exe
  C:\Windows\System\QFBUtQG.exe
  2⤵
  PID:5696
- C:\Windows\System\mGdZzAx.exe
  C:\Windows\System\mGdZzAx.exe
  2⤵
  PID:5760
- C:\Windows\System\LxZQnlE.exe
  C:\Windows\System\LxZQnlE.exe
  2⤵
  PID:5868
- C:\Windows\System\ARPcaWe.exe
  C:\Windows\System\ARPcaWe.exe
  2⤵
  PID:5924
- C:\Windows\System\VNFmRmP.exe
  C:\Windows\System\VNFmRmP.exe
  2⤵
  PID:5984
- C:\Windows\System\nzAIAEC.exe
  C:\Windows\System\nzAIAEC.exe
  2⤵
  PID:6120
- C:\Windows\System\BtjnVoA.exe
  C:\Windows\System\BtjnVoA.exe
  2⤵
  PID:1932
- C:\Windows\System\BcVlEFu.exe
  C:\Windows\System\BcVlEFu.exe
  2⤵
  PID:5192
- C:\Windows\System\QzedsTH.exe
  C:\Windows\System\QzedsTH.exe
  2⤵
  PID:5428
- C:\Windows\System\Bclqlgb.exe
  C:\Windows\System\Bclqlgb.exe
  2⤵
  PID:5584
- C:\Windows\System\HzRCDXd.exe
  C:\Windows\System\HzRCDXd.exe
  2⤵
  PID:4408
- C:\Windows\System\ljDzBUu.exe
  C:\Windows\System\ljDzBUu.exe
  2⤵
  PID:5864
- C:\Windows\System\WqPrIxy.exe
  C:\Windows\System\WqPrIxy.exe
  2⤵
  PID:6040
- C:\Windows\System\PDLkREN.exe
  C:\Windows\System\PDLkREN.exe
  2⤵
  PID:4536
- C:\Windows\System\FSQTmmP.exe
  C:\Windows\System\FSQTmmP.exe
  2⤵
  PID:5188
- C:\Windows\System\VngYxRQ.exe
  C:\Windows\System\VngYxRQ.exe
  2⤵
  PID:1400
- C:\Windows\System\tXpgiLE.exe
  C:\Windows\System\tXpgiLE.exe
  2⤵
  PID:1684
- C:\Windows\System\AlUwFfv.exe
  C:\Windows\System\AlUwFfv.exe
  2⤵
  PID:6060
- C:\Windows\System\DnApJFQ.exe
  C:\Windows\System\DnApJFQ.exe
  2⤵
  PID:6160
- C:\Windows\System\SGZGzOE.exe
  C:\Windows\System\SGZGzOE.exe
  2⤵
  PID:6188
- C:\Windows\System\ObSbaFy.exe
  C:\Windows\System\ObSbaFy.exe
  2⤵
  PID:6212
- C:\Windows\System\CjcEFFD.exe
  C:\Windows\System\CjcEFFD.exe
  2⤵
  PID:6280
- C:\Windows\System\PdjcYNx.exe
  C:\Windows\System\PdjcYNx.exe
  2⤵
  PID:6320
- C:\Windows\System\ebQbgub.exe
  C:\Windows\System\ebQbgub.exe
  2⤵
  PID:6336
- C:\Windows\System\pauNxFc.exe
  C:\Windows\System\pauNxFc.exe
  2⤵
  PID:6364
- C:\Windows\System\RyQZjyV.exe
  C:\Windows\System\RyQZjyV.exe
  2⤵
  PID:6380
- C:\Windows\System\VavMgHV.exe
  C:\Windows\System\VavMgHV.exe
  2⤵
  PID:6396
- C:\Windows\System\DZleGhb.exe
  C:\Windows\System\DZleGhb.exe
  2⤵
  PID:6412
- C:\Windows\System\WsoPfOH.exe
  C:\Windows\System\WsoPfOH.exe
  2⤵
  PID:6432
- C:\Windows\System\EeJfYKz.exe
  C:\Windows\System\EeJfYKz.exe
  2⤵
  PID:6452
- C:\Windows\System\QJxchRF.exe
  C:\Windows\System\QJxchRF.exe
  2⤵
  PID:6488
- C:\Windows\System\yuLkjuC.exe
  C:\Windows\System\yuLkjuC.exe
  2⤵
  PID:6504
- C:\Windows\System\bwmbdsv.exe
  C:\Windows\System\bwmbdsv.exe
  2⤵
  PID:6524
- C:\Windows\System\yHJhxch.exe
  C:\Windows\System\yHJhxch.exe
  2⤵
  PID:6548
- C:\Windows\System\GZdVbSU.exe
  C:\Windows\System\GZdVbSU.exe
  2⤵
  PID:6568
- C:\Windows\System\HYmBqUI.exe
  C:\Windows\System\HYmBqUI.exe
  2⤵
  PID:6588
- C:\Windows\System\SdNYSfF.exe
  C:\Windows\System\SdNYSfF.exe
  2⤵
  PID:6604
- C:\Windows\System\deAJYtM.exe
  C:\Windows\System\deAJYtM.exe
  2⤵
  PID:6632
- C:\Windows\System\avSKwCQ.exe
  C:\Windows\System\avSKwCQ.exe
  2⤵
  PID:6652
- C:\Windows\System\wkQlOZQ.exe
  C:\Windows\System\wkQlOZQ.exe
  2⤵
  PID:6680
- C:\Windows\System\hgQbfiO.exe
  C:\Windows\System\hgQbfiO.exe
  2⤵
  PID:6704
- C:\Windows\System\zXeobWI.exe
  C:\Windows\System\zXeobWI.exe
  2⤵
  PID:6724
- C:\Windows\System\omQdaCB.exe
  C:\Windows\System\omQdaCB.exe
  2⤵
  PID:6800
- C:\Windows\System\NAlnXul.exe
  C:\Windows\System\NAlnXul.exe
  2⤵
  PID:6820
- C:\Windows\System\btAExEd.exe
  C:\Windows\System\btAExEd.exe
  2⤵
  PID:6840
- C:\Windows\System\cJlNBRq.exe
  C:\Windows\System\cJlNBRq.exe
  2⤵
  PID:6856
- C:\Windows\System\MTFmzCn.exe
  C:\Windows\System\MTFmzCn.exe
  2⤵
  PID:6952
- C:\Windows\System\fSpqBFA.exe
  C:\Windows\System\fSpqBFA.exe
  2⤵
  PID:6980
- C:\Windows\System\IoERbbz.exe
  C:\Windows\System\IoERbbz.exe
  2⤵
  PID:7052
- C:\Windows\System\zleAnHO.exe
  C:\Windows\System\zleAnHO.exe
  2⤵
  PID:7072
- C:\Windows\System\GEDsuzj.exe
  C:\Windows\System\GEDsuzj.exe
  2⤵
  PID:7100
- C:\Windows\System\xkezlfI.exe
  C:\Windows\System\xkezlfI.exe
  2⤵
  PID:7152
- C:\Windows\System\sDvYOmN.exe
  C:\Windows\System\sDvYOmN.exe
  2⤵
  PID:1532
- C:\Windows\System\bShfFhx.exe
  C:\Windows\System\bShfFhx.exe
  2⤵
  PID:5980
- C:\Windows\System\TDERbDS.exe
  C:\Windows\System\TDERbDS.exe
  2⤵
  PID:3160
- C:\Windows\System\TTcVNiz.exe
  C:\Windows\System\TTcVNiz.exe
  2⤵
  PID:2908
- C:\Windows\System\vyyYePN.exe
  C:\Windows\System\vyyYePN.exe
  2⤵
  PID:6208
- C:\Windows\System\maYoxmN.exe
  C:\Windows\System\maYoxmN.exe
  2⤵
  PID:6332
- C:\Windows\System\VXNSHNv.exe
  C:\Windows\System\VXNSHNv.exe
  2⤵
  PID:6304
- C:\Windows\System\ubdoJDP.exe
  C:\Windows\System\ubdoJDP.exe
  2⤵
  PID:5076
- C:\Windows\System\OnxQNCN.exe
  C:\Windows\System\OnxQNCN.exe
  2⤵
  PID:2596
- C:\Windows\System\bvuSjjy.exe
  C:\Windows\System\bvuSjjy.exe
  2⤵
  PID:1652
- C:\Windows\System\MeEbwgb.exe
  C:\Windows\System\MeEbwgb.exe
  2⤵
  PID:3368
- C:\Windows\System\zJjFPRo.exe
  C:\Windows\System\zJjFPRo.exe
  2⤵
  PID:6248
- C:\Windows\System\jSsQRyk.exe
  C:\Windows\System\jSsQRyk.exe
  2⤵
  PID:6560
- C:\Windows\System\pXLQQsA.exe
  C:\Windows\System\pXLQQsA.exe
  2⤵
  PID:6580
- C:\Windows\System\cakwHVy.exe
  C:\Windows\System\cakwHVy.exe
  2⤵
  PID:6644
- C:\Windows\System\BUcyxYJ.exe
  C:\Windows\System\BUcyxYJ.exe
  2⤵
  PID:6772
- C:\Windows\System\WyoRGMN.exe
  C:\Windows\System\WyoRGMN.exe
  2⤵
  PID:6748
- C:\Windows\System\BaMSNiO.exe
  C:\Windows\System\BaMSNiO.exe
  2⤵
  PID:6468
- C:\Windows\System\MAfmeeg.exe
  C:\Windows\System\MAfmeeg.exe
  2⤵
  PID:7064
- C:\Windows\System\quNmgQf.exe
  C:\Windows\System\quNmgQf.exe
  2⤵
  PID:7088
- C:\Windows\System\IIbIPBC.exe
  C:\Windows\System\IIbIPBC.exe
  2⤵
  PID:7124
- C:\Windows\System\lCGNkCI.exe
  C:\Windows\System\lCGNkCI.exe
  2⤵
  PID:6200
- C:\Windows\System\pJgwUbo.exe
  C:\Windows\System\pJgwUbo.exe
  2⤵
  PID:4128
- C:\Windows\System\fpFmGAC.exe
  C:\Windows\System\fpFmGAC.exe
  2⤵
  PID:2832
- C:\Windows\System\tMWZlNg.exe
  C:\Windows\System\tMWZlNg.exe
  2⤵
  PID:3252
- C:\Windows\System\VjujLjU.exe
  C:\Windows\System\VjujLjU.exe
  2⤵
  PID:6516
- C:\Windows\System\PzmBWXl.exe
  C:\Windows\System\PzmBWXl.exe
  2⤵
  PID:6544
- C:\Windows\System\ffDskWn.exe
  C:\Windows\System\ffDskWn.exe
  2⤵
  PID:6600
- C:\Windows\System\mlizety.exe
  C:\Windows\System\mlizety.exe
  2⤵
  PID:6576
- C:\Windows\System\bpWTQcN.exe
  C:\Windows\System\bpWTQcN.exe
  2⤵
  PID:1644
- C:\Windows\System\eBPGMyF.exe
  C:\Windows\System\eBPGMyF.exe
  2⤵
  PID:6448
- C:\Windows\System\NxlTbYB.exe
  C:\Windows\System\NxlTbYB.exe
  2⤵
  PID:6832
- C:\Windows\System\goKxrxg.exe
  C:\Windows\System\goKxrxg.exe
  2⤵
  PID:6780
- C:\Windows\System\gjgrAIl.exe
  C:\Windows\System\gjgrAIl.exe
  2⤵
  PID:6276
- C:\Windows\System\WJDxHKX.exe
  C:\Windows\System\WJDxHKX.exe
  2⤵
  PID:6768
- C:\Windows\System\ErJIQWt.exe
  C:\Windows\System\ErJIQWt.exe
  2⤵
  PID:7184
- C:\Windows\System\YoiUlwM.exe
  C:\Windows\System\YoiUlwM.exe
  2⤵
  PID:7212
- C:\Windows\System\RxikFJH.exe
  C:\Windows\System\RxikFJH.exe
  2⤵
  PID:7236
- C:\Windows\System\PnjdHzD.exe
  C:\Windows\System\PnjdHzD.exe
  2⤵
  PID:7272
- C:\Windows\System\ZqpUrUn.exe
  C:\Windows\System\ZqpUrUn.exe
  2⤵
  PID:7288
- C:\Windows\System\isRKQsx.exe
  C:\Windows\System\isRKQsx.exe
  2⤵
  PID:7316
- C:\Windows\System\WIJkiYp.exe
  C:\Windows\System\WIJkiYp.exe
  2⤵
  PID:7332
- C:\Windows\System\JaNNnzg.exe
  C:\Windows\System\JaNNnzg.exe
  2⤵
  PID:7356
- C:\Windows\System\cuPPQDY.exe
  C:\Windows\System\cuPPQDY.exe
  2⤵
  PID:7376
- C:\Windows\System\TzHukMs.exe
  C:\Windows\System\TzHukMs.exe
  2⤵
  PID:7396
- C:\Windows\System\HJBVYnk.exe
  C:\Windows\System\HJBVYnk.exe
  2⤵
  PID:7420
- C:\Windows\System\URIYwWc.exe
  C:\Windows\System\URIYwWc.exe
  2⤵
  PID:7484
- C:\Windows\System\TOLshxF.exe
  C:\Windows\System\TOLshxF.exe
  2⤵
  PID:7512
- C:\Windows\System\SaERRSN.exe
  C:\Windows\System\SaERRSN.exe
  2⤵
  PID:7536
- C:\Windows\System\gqiOvom.exe
  C:\Windows\System\gqiOvom.exe
  2⤵
  PID:7556
- C:\Windows\System\jDQlHSX.exe
  C:\Windows\System\jDQlHSX.exe
  2⤵
  PID:7604
- C:\Windows\System\VOUMjKD.exe
  C:\Windows\System\VOUMjKD.exe
  2⤵
  PID:7652
- C:\Windows\System\BYwXKku.exe
  C:\Windows\System\BYwXKku.exe
  2⤵
  PID:7668
- C:\Windows\System\PhHJfJD.exe
  C:\Windows\System\PhHJfJD.exe
  2⤵
  PID:7688
- C:\Windows\System\vByoyuM.exe
  C:\Windows\System\vByoyuM.exe
  2⤵
  PID:7704
- C:\Windows\System\LnVWefA.exe
  C:\Windows\System\LnVWefA.exe
  2⤵
  PID:7752
- C:\Windows\System\wpyhZDm.exe
  C:\Windows\System\wpyhZDm.exe
  2⤵
  PID:7776
- C:\Windows\System\djcWrEp.exe
  C:\Windows\System\djcWrEp.exe
  2⤵
  PID:7804
- C:\Windows\System\VLmIgTZ.exe
  C:\Windows\System\VLmIgTZ.exe
  2⤵
  PID:7832
- C:\Windows\System\zAqzrBj.exe
  C:\Windows\System\zAqzrBj.exe
  2⤵
  PID:7876
- C:\Windows\System\yqrYFnI.exe
  C:\Windows\System\yqrYFnI.exe
  2⤵
  PID:7892
- C:\Windows\System\onnfVCM.exe
  C:\Windows\System\onnfVCM.exe
  2⤵
  PID:7920
- C:\Windows\System\ZSDjyNq.exe
  C:\Windows\System\ZSDjyNq.exe
  2⤵
  PID:7956
- C:\Windows\System\LqamxlS.exe
  C:\Windows\System\LqamxlS.exe
  2⤵
  PID:7980
- C:\Windows\System\akrQUCI.exe
  C:\Windows\System\akrQUCI.exe
  2⤵
  PID:8000
- C:\Windows\System\eXbNDOt.exe
  C:\Windows\System\eXbNDOt.exe
  2⤵
  PID:8024
- C:\Windows\System\fQNQklG.exe
  C:\Windows\System\fQNQklG.exe
  2⤵
  PID:8044
- C:\Windows\System\peaNKLh.exe
  C:\Windows\System\peaNKLh.exe
  2⤵
  PID:8064
- C:\Windows\System\hGuMSiO.exe
  C:\Windows\System\hGuMSiO.exe
  2⤵
  PID:8084
- C:\Windows\System\PNrloTw.exe
  C:\Windows\System\PNrloTw.exe
  2⤵
  PID:8104
- C:\Windows\System\wiwwhxA.exe
  C:\Windows\System\wiwwhxA.exe
  2⤵
  PID:8128
- C:\Windows\System\txyGgBq.exe
  C:\Windows\System\txyGgBq.exe
  2⤵
  PID:8148
- C:\Windows\System\BMBqmWz.exe
  C:\Windows\System\BMBqmWz.exe
  2⤵
  PID:7136
- C:\Windows\System\UQGIIBY.exe
  C:\Windows\System\UQGIIBY.exe
  2⤵
  PID:6264
- C:\Windows\System\DWIhNBC.exe
  C:\Windows\System\DWIhNBC.exe
  2⤵
  PID:7284
- C:\Windows\System\HDNUvNa.exe
  C:\Windows\System\HDNUvNa.exe
  2⤵
  PID:7308
- C:\Windows\System\IyvXlgv.exe
  C:\Windows\System\IyvXlgv.exe
  2⤵
  PID:7408
- C:\Windows\System\UrKZmiO.exe
  C:\Windows\System\UrKZmiO.exe
  2⤵
  PID:7440
- C:\Windows\System\aaXdNOL.exe
  C:\Windows\System\aaXdNOL.exe
  2⤵
  PID:7528
- C:\Windows\System\MptarEG.exe
  C:\Windows\System\MptarEG.exe
  2⤵
  PID:7548
- C:\Windows\System\begsScj.exe
  C:\Windows\System\begsScj.exe
  2⤵
  PID:7680
- C:\Windows\System\taXiLyb.exe
  C:\Windows\System\taXiLyb.exe
  2⤵
  PID:7684
- C:\Windows\System\idRhvtB.exe
  C:\Windows\System\idRhvtB.exe
  2⤵
  PID:7748
- C:\Windows\System\fkaDDpj.exe
  C:\Windows\System\fkaDDpj.exe
  2⤵
  PID:7844
- C:\Windows\System\nHHCOOy.exe
  C:\Windows\System\nHHCOOy.exe
  2⤵
  PID:7916
- C:\Windows\System\BsoUgpx.exe
  C:\Windows\System\BsoUgpx.exe
  2⤵
  PID:7952
- C:\Windows\System\HOekPpa.exe
  C:\Windows\System\HOekPpa.exe
  2⤵
  PID:8008
- C:\Windows\System\iwmMHYf.exe
  C:\Windows\System\iwmMHYf.exe
  2⤵
  PID:8140
- C:\Windows\System\kSSagWk.exe
  C:\Windows\System\kSSagWk.exe
  2⤵
  PID:8188
- C:\Windows\System\wphVtuk.exe
  C:\Windows\System\wphVtuk.exe
  2⤵
  PID:8164
- C:\Windows\System\LFzlnkn.exe
  C:\Windows\System\LFzlnkn.exe
  2⤵
  PID:7324
- C:\Windows\System\YXHRFpW.exe
  C:\Windows\System\YXHRFpW.exe
  2⤵
  PID:7532
- C:\Windows\System\QbyYKPq.exe
  C:\Windows\System\QbyYKPq.exe
  2⤵
  PID:7972
- C:\Windows\System\OFdTxuy.exe
  C:\Windows\System\OFdTxuy.exe
  2⤵
  PID:7860
- C:\Windows\System\JeAvmka.exe
  C:\Windows\System\JeAvmka.exe
  2⤵
  PID:8100
- C:\Windows\System\SvZfDer.exe
  C:\Windows\System\SvZfDer.exe
  2⤵
  PID:8184
- C:\Windows\System\OyPNCKR.exe
  C:\Windows\System\OyPNCKR.exe
  2⤵
  PID:3500
- C:\Windows\System\EZqwwXp.exe
  C:\Windows\System\EZqwwXp.exe
  2⤵
  PID:7696
- C:\Windows\System\bTFATej.exe
  C:\Windows\System\bTFATej.exe
  2⤵
  PID:8012
- C:\Windows\System\WqsxKFF.exe
  C:\Windows\System\WqsxKFF.exe
  2⤵
  PID:7740
- C:\Windows\System\BTxpJOO.exe
  C:\Windows\System\BTxpJOO.exe
  2⤵
  PID:8196
- C:\Windows\System\uPZEFuD.exe
  C:\Windows\System\uPZEFuD.exe
  2⤵
  PID:8216
- C:\Windows\System\FkwEgio.exe
  C:\Windows\System\FkwEgio.exe
  2⤵
  PID:8244
- C:\Windows\System\ShMpckM.exe
  C:\Windows\System\ShMpckM.exe
  2⤵
  PID:8264
- C:\Windows\System\kDnpcoD.exe
  C:\Windows\System\kDnpcoD.exe
  2⤵
  PID:8288
- C:\Windows\System\vcFjjFo.exe
  C:\Windows\System\vcFjjFo.exe
  2⤵
  PID:8312
- C:\Windows\System\vxJkkwM.exe
  C:\Windows\System\vxJkkwM.exe
  2⤵
  PID:8328
- C:\Windows\System\Wanrgfu.exe
  C:\Windows\System\Wanrgfu.exe
  2⤵
  PID:8360
- C:\Windows\System\pDXcmTe.exe
  C:\Windows\System\pDXcmTe.exe
  2⤵
  PID:8380
- C:\Windows\System\YLfGCki.exe
  C:\Windows\System\YLfGCki.exe
  2⤵
  PID:8436
- C:\Windows\System\GqEPGky.exe
  C:\Windows\System\GqEPGky.exe
  2⤵
  PID:8464
- C:\Windows\System\paPNEOy.exe
  C:\Windows\System\paPNEOy.exe
  2⤵
  PID:8484
- C:\Windows\System\vSYKxHz.exe
  C:\Windows\System\vSYKxHz.exe
  2⤵
  PID:8512
- C:\Windows\System\JTyuHmy.exe
  C:\Windows\System\JTyuHmy.exe
  2⤵
  PID:8544
- C:\Windows\System\CFYmuGP.exe
  C:\Windows\System\CFYmuGP.exe
  2⤵
  PID:8604
- C:\Windows\System\XoSEDvB.exe
  C:\Windows\System\XoSEDvB.exe
  2⤵
  PID:8624
- C:\Windows\System\WeQLRVH.exe
  C:\Windows\System\WeQLRVH.exe
  2⤵
  PID:8644
- C:\Windows\System\jzljEyF.exe
  C:\Windows\System\jzljEyF.exe
  2⤵
  PID:8664
- C:\Windows\System\fwOQDul.exe
  C:\Windows\System\fwOQDul.exe
  2⤵
  PID:8716
- C:\Windows\System\fPHbopP.exe
  C:\Windows\System\fPHbopP.exe
  2⤵
  PID:8736
- C:\Windows\System\BksczPX.exe
  C:\Windows\System\BksczPX.exe
  2⤵
  PID:8760
- C:\Windows\System\cgOteqJ.exe
  C:\Windows\System\cgOteqJ.exe
  2⤵
  PID:8788
- C:\Windows\System\cdPiwHQ.exe
  C:\Windows\System\cdPiwHQ.exe
  2⤵
  PID:8828
- C:\Windows\System\nSFYLvd.exe
  C:\Windows\System\nSFYLvd.exe
  2⤵
  PID:8852
- C:\Windows\System\lxpwoba.exe
  C:\Windows\System\lxpwoba.exe
  2⤵
  PID:8884
- C:\Windows\System\xxBvRvd.exe
  C:\Windows\System\xxBvRvd.exe
  2⤵
  PID:8900
- C:\Windows\System\NvUeAQt.exe
  C:\Windows\System\NvUeAQt.exe
  2⤵
  PID:8928
- C:\Windows\System\LjlnZPJ.exe
  C:\Windows\System\LjlnZPJ.exe
  2⤵
  PID:8956
- C:\Windows\System\kBFWYsv.exe
  C:\Windows\System\kBFWYsv.exe
  2⤵
  PID:8992
- C:\Windows\System\fBrOwTv.exe
  C:\Windows\System\fBrOwTv.exe
  2⤵
  PID:9012
- C:\Windows\System\yXxbyIA.exe
  C:\Windows\System\yXxbyIA.exe
  2⤵
  PID:9040
- C:\Windows\System\jNlNNrj.exe
  C:\Windows\System\jNlNNrj.exe
  2⤵
  PID:9084
- C:\Windows\System\xEojGkM.exe
  C:\Windows\System\xEojGkM.exe
  2⤵
  PID:9100
- C:\Windows\System\YwGLyES.exe
  C:\Windows\System\YwGLyES.exe
  2⤵
  PID:9132
- C:\Windows\System\gxIGNml.exe
  C:\Windows\System\gxIGNml.exe
  2⤵
  PID:9152
- C:\Windows\System\fQGmnal.exe
  C:\Windows\System\fQGmnal.exe
  2⤵
  PID:9196
- C:\Windows\System\ldupMlo.exe
  C:\Windows\System\ldupMlo.exe
  2⤵
  PID:8256
- C:\Windows\System\HnpReeo.exe
  C:\Windows\System\HnpReeo.exe
  2⤵
  PID:8280
- C:\Windows\System\RoIGPHC.exe
  C:\Windows\System\RoIGPHC.exe
  2⤵
  PID:8232
- C:\Windows\System\nIohuIT.exe
  C:\Windows\System\nIohuIT.exe
  2⤵
  PID:8448
- C:\Windows\System\fLhoadw.exe
  C:\Windows\System\fLhoadw.exe
  2⤵
  PID:8472
- C:\Windows\System\zWPRXps.exe
  C:\Windows\System\zWPRXps.exe
  2⤵
  PID:8576
- C:\Windows\System\VzjHldX.exe
  C:\Windows\System\VzjHldX.exe
  2⤵
  PID:8556
- C:\Windows\System\BUsFWtc.exe
  C:\Windows\System\BUsFWtc.exe
  2⤵
  PID:8692
- C:\Windows\System\ImxHrGn.exe
  C:\Windows\System\ImxHrGn.exe
  2⤵
  PID:8744
- C:\Windows\System\EkdCsbh.exe
  C:\Windows\System\EkdCsbh.exe
  2⤵
  PID:8860
- C:\Windows\System\OjPOlTL.exe
  C:\Windows\System\OjPOlTL.exe
  2⤵
  PID:8844
- C:\Windows\System\UmNKkIT.exe
  C:\Windows\System\UmNKkIT.exe
  2⤵
  PID:8848
- C:\Windows\System\HgfqxAb.exe
  C:\Windows\System\HgfqxAb.exe
  2⤵
  PID:8972
- C:\Windows\System\tqbRjXt.exe
  C:\Windows\System\tqbRjXt.exe
  2⤵
  PID:9064
- C:\Windows\System\BncIglE.exe
  C:\Windows\System\BncIglE.exe
  2⤵
  PID:9096
- C:\Windows\System\TivhDrR.exe
  C:\Windows\System\TivhDrR.exe
  2⤵
  PID:9188
- C:\Windows\System\nDIdlxA.exe
  C:\Windows\System\nDIdlxA.exe
  2⤵
  PID:8228
- C:\Windows\System\vAjlMgJ.exe
  C:\Windows\System\vAjlMgJ.exe
  2⤵
  PID:8368
- C:\Windows\System\FRDvgQv.exe
  C:\Windows\System\FRDvgQv.exe
  2⤵
  PID:8632
- C:\Windows\System\qqknIiw.exe
  C:\Windows\System\qqknIiw.exe
  2⤵
  PID:8616
- C:\Windows\System\FIqYycf.exe
  C:\Windows\System\FIqYycf.exe
  2⤵
  PID:8808
- C:\Windows\System\ldSzlCz.exe
  C:\Windows\System\ldSzlCz.exe
  2⤵
  PID:8948
- C:\Windows\System\QnVcpJW.exe
  C:\Windows\System\QnVcpJW.exe
  2⤵
  PID:9008
- C:\Windows\System\uqfaLbv.exe
  C:\Windows\System\uqfaLbv.exe
  2⤵
  PID:8172
- C:\Windows\System\oOdYflp.exe
  C:\Windows\System\oOdYflp.exe
  2⤵
  PID:8640
- C:\Windows\System\OkwYYBh.exe
  C:\Windows\System\OkwYYBh.exe
  2⤵
  PID:8768
- C:\Windows\System\TDLZKuP.exe
  C:\Windows\System\TDLZKuP.exe
  2⤵
  PID:8344
- C:\Windows\System\tEfoTBE.exe
  C:\Windows\System\tEfoTBE.exe
  2⤵
  PID:9236
- C:\Windows\System\Egvltkg.exe
  C:\Windows\System\Egvltkg.exe
  2⤵
  PID:9256
- C:\Windows\System\LSWYTNK.exe
  C:\Windows\System\LSWYTNK.exe
  2⤵
  PID:9280
- C:\Windows\System\jNzvQGA.exe
  C:\Windows\System\jNzvQGA.exe
  2⤵
  PID:9300
- C:\Windows\System\tOOJwPe.exe
  C:\Windows\System\tOOJwPe.exe
  2⤵
  PID:9332
- C:\Windows\System\pGfomtU.exe
  C:\Windows\System\pGfomtU.exe
  2⤵
  PID:9352
- C:\Windows\System\uKXZVSo.exe
  C:\Windows\System\uKXZVSo.exe
  2⤵
  PID:9372
- C:\Windows\System\EGMaelt.exe
  C:\Windows\System\EGMaelt.exe
  2⤵
  PID:9392
- C:\Windows\System\MBBYZIO.exe
  C:\Windows\System\MBBYZIO.exe
  2⤵
  PID:9440
- C:\Windows\System\hhHBwOV.exe
  C:\Windows\System\hhHBwOV.exe
  2⤵
  PID:9460
- C:\Windows\System\JlyrKGs.exe
  C:\Windows\System\JlyrKGs.exe
  2⤵
  PID:9484
- C:\Windows\System\tpRHLMI.exe
  C:\Windows\System\tpRHLMI.exe
  2⤵
  PID:9520
- C:\Windows\System\dTCZjCJ.exe
  C:\Windows\System\dTCZjCJ.exe
  2⤵
  PID:9548
- C:\Windows\System\sFSQklV.exe
  C:\Windows\System\sFSQklV.exe
  2⤵
  PID:9572
- C:\Windows\System\VxqpzFy.exe
  C:\Windows\System\VxqpzFy.exe
  2⤵
  PID:9592
- C:\Windows\System\zgzrGSs.exe
  C:\Windows\System\zgzrGSs.exe
  2⤵
  PID:9612
- C:\Windows\System\UKBwlfG.exe
  C:\Windows\System\UKBwlfG.exe
  2⤵
  PID:9640
- C:\Windows\System\eJLQIal.exe
  C:\Windows\System\eJLQIal.exe
  2⤵
  PID:9692
- C:\Windows\System\fgxyoQH.exe
  C:\Windows\System\fgxyoQH.exe
  2⤵
  PID:9744
- C:\Windows\System\XfDkLpS.exe
  C:\Windows\System\XfDkLpS.exe
  2⤵
  PID:9760
- C:\Windows\System\KZNnrmH.exe
  C:\Windows\System\KZNnrmH.exe
  2⤵
  PID:9788
- C:\Windows\System\yHgajoq.exe
  C:\Windows\System\yHgajoq.exe
  2⤵
  PID:9816
- C:\Windows\System\JWjjooX.exe
  C:\Windows\System\JWjjooX.exe
  2⤵
  PID:9836
- C:\Windows\System\tTWNljg.exe
  C:\Windows\System\tTWNljg.exe
  2⤵
  PID:9852
- C:\Windows\System\XDRmxaq.exe
  C:\Windows\System\XDRmxaq.exe
  2⤵
  PID:9908
- C:\Windows\System\vWOkuiZ.exe
  C:\Windows\System\vWOkuiZ.exe
  2⤵
  PID:9924
- C:\Windows\System\WucroCB.exe
  C:\Windows\System\WucroCB.exe
  2⤵
  PID:9956
- C:\Windows\System\cIXGpdS.exe
  C:\Windows\System\cIXGpdS.exe
  2⤵
  PID:9984
- C:\Windows\System\ygzDVUF.exe
  C:\Windows\System\ygzDVUF.exe
  2⤵
  PID:10012
- C:\Windows\System\qpkEnMI.exe
  C:\Windows\System\qpkEnMI.exe
  2⤵
  PID:10032
- C:\Windows\System\qtGluDy.exe
  C:\Windows\System\qtGluDy.exe
  2⤵
  PID:10072
- C:\Windows\System\frAwbhU.exe
  C:\Windows\System\frAwbhU.exe
  2⤵
  PID:10092
- C:\Windows\System\qAOiTLg.exe
  C:\Windows\System\qAOiTLg.exe
  2⤵
  PID:10116
- C:\Windows\System\DoOwWOT.exe
  C:\Windows\System\DoOwWOT.exe
  2⤵
  PID:10212
- C:\Windows\System\JmLWxgr.exe
  C:\Windows\System\JmLWxgr.exe
  2⤵
  PID:10228
- C:\Windows\System\wLNKotc.exe
  C:\Windows\System\wLNKotc.exe
  2⤵
  PID:8500
- C:\Windows\System\rWKtJzG.exe
  C:\Windows\System\rWKtJzG.exe
  2⤵
  PID:9232
- C:\Windows\System\EOopBFh.exe
  C:\Windows\System\EOopBFh.exe
  2⤵
  PID:9292
- C:\Windows\System\BorAjTZ.exe
  C:\Windows\System\BorAjTZ.exe
  2⤵
  PID:9272
- C:\Windows\System\RvGuZoU.exe
  C:\Windows\System\RvGuZoU.exe
  2⤵
  PID:9348
- C:\Windows\System\vFoqSnX.exe
  C:\Windows\System\vFoqSnX.exe
  2⤵
  PID:9380
- C:\Windows\System\sBdUqKh.exe
  C:\Windows\System\sBdUqKh.exe
  2⤵
  PID:9496
- C:\Windows\System\fmAvGqN.exe
  C:\Windows\System\fmAvGqN.exe
  2⤵
  PID:9608
- C:\Windows\System\fOEtnBe.exe
  C:\Windows\System\fOEtnBe.exe
  2⤵
  PID:9688
- C:\Windows\System\gYfCeZo.exe
  C:\Windows\System\gYfCeZo.exe
  2⤵
  PID:9844
- C:\Windows\System\tdfjThe.exe
  C:\Windows\System\tdfjThe.exe
  2⤵
  PID:9980
- C:\Windows\System\lTKnKzl.exe
  C:\Windows\System\lTKnKzl.exe
  2⤵
  PID:10044
- C:\Windows\System\FPEZuZf.exe
  C:\Windows\System\FPEZuZf.exe
  2⤵
  PID:10100
- C:\Windows\System\qLkAzoC.exe
  C:\Windows\System\qLkAzoC.exe
  2⤵
  PID:10108
- C:\Windows\System\imdhIYG.exe
  C:\Windows\System\imdhIYG.exe
  2⤵
  PID:9668
- C:\Windows\System\NHTaUBv.exe
  C:\Windows\System\NHTaUBv.exe
  2⤵
  PID:10164
- C:\Windows\System\zXLMXuc.exe
  C:\Windows\System\zXLMXuc.exe
  2⤵
  PID:9228
- C:\Windows\System\jMqRISw.exe
  C:\Windows\System\jMqRISw.exe
  2⤵
  PID:9364
- C:\Windows\System\aruAoRg.exe
  C:\Windows\System\aruAoRg.exe
  2⤵
  PID:9388
- C:\Windows\System\zRvQmWn.exe
  C:\Windows\System\zRvQmWn.exe
  2⤵
  PID:9580
- C:\Windows\System\RTCgJEI.exe
  C:\Windows\System\RTCgJEI.exe
  2⤵
  PID:9796
- C:\Windows\System\hRntRIY.exe
  C:\Windows\System\hRntRIY.exe
  2⤵
  PID:9968
- C:\Windows\System\UiAPLVh.exe
  C:\Windows\System\UiAPLVh.exe
  2⤵
  PID:10140
- C:\Windows\System\dggzKbO.exe
  C:\Windows\System\dggzKbO.exe
  2⤵
  PID:9556
- C:\Windows\System\rIQDred.exe
  C:\Windows\System\rIQDred.exe
  2⤵
  PID:9720
- C:\Windows\System\EGQzDAv.exe
  C:\Windows\System\EGQzDAv.exe
  2⤵
  PID:9736
- C:\Windows\System\mLoJLJU.exe
  C:\Windows\System\mLoJLJU.exe
  2⤵
  PID:10064
- C:\Windows\System\adVTEXn.exe
  C:\Windows\System\adVTEXn.exe
  2⤵
  PID:9536
- C:\Windows\System\hEkOKON.exe
  C:\Windows\System\hEkOKON.exe
  2⤵
  PID:9808
- C:\Windows\System\LrQnunT.exe
  C:\Windows\System\LrQnunT.exe
  2⤵
  PID:10248
- C:\Windows\System\GagERCw.exe
  C:\Windows\System\GagERCw.exe
  2⤵
  PID:10300
- C:\Windows\System\pcjhXpZ.exe
  C:\Windows\System\pcjhXpZ.exe
  2⤵
  PID:10320
- C:\Windows\System\xBzPhIr.exe
  C:\Windows\System\xBzPhIr.exe
  2⤵
  PID:10344
- C:\Windows\System\GQfXdCB.exe
  C:\Windows\System\GQfXdCB.exe
  2⤵
  PID:10368
- C:\Windows\System\aZMViMz.exe
  C:\Windows\System\aZMViMz.exe
  2⤵
  PID:10396
- C:\Windows\System\ClRWaju.exe
  C:\Windows\System\ClRWaju.exe
  2⤵
  PID:10412
- C:\Windows\System\zAuTkyX.exe
  C:\Windows\System\zAuTkyX.exe
  2⤵
  PID:10440
- C:\Windows\System\SsXBZKS.exe
  C:\Windows\System\SsXBZKS.exe
  2⤵
  PID:10460
- C:\Windows\System\YoxUrFl.exe
  C:\Windows\System\YoxUrFl.exe
  2⤵
  PID:10480
- C:\Windows\System\vyapPZQ.exe
  C:\Windows\System\vyapPZQ.exe
  2⤵
  PID:10500
- C:\Windows\System\zZzkaFR.exe
  C:\Windows\System\zZzkaFR.exe
  2⤵
  PID:10548
- C:\Windows\System\zzIgqOl.exe
  C:\Windows\System\zzIgqOl.exe
  2⤵
  PID:10572
- C:\Windows\System\xxoKpde.exe
  C:\Windows\System\xxoKpde.exe
  2⤵
  PID:10616
- C:\Windows\System\nyVWneA.exe
  C:\Windows\System\nyVWneA.exe
  2⤵
  PID:10644
- C:\Windows\System\nIeimGK.exe
  C:\Windows\System\nIeimGK.exe
  2⤵
  PID:10680
- C:\Windows\System\dvdGCMu.exe
  C:\Windows\System\dvdGCMu.exe
  2⤵
  PID:10700
- C:\Windows\System\sSZdcek.exe
  C:\Windows\System\sSZdcek.exe
  2⤵
  PID:10756
- C:\Windows\System\DBCpGPX.exe
  C:\Windows\System\DBCpGPX.exe
  2⤵
  PID:10776
- C:\Windows\System\PJtNSZG.exe
  C:\Windows\System\PJtNSZG.exe
  2⤵
  PID:10796
- C:\Windows\System\XoaaKCV.exe
  C:\Windows\System\XoaaKCV.exe
  2⤵
  PID:10820
- C:\Windows\System\jRJqtod.exe
  C:\Windows\System\jRJqtod.exe
  2⤵
  PID:10844
- C:\Windows\System\oKcHfpm.exe
  C:\Windows\System\oKcHfpm.exe
  2⤵
  PID:10884
- C:\Windows\System\xoxMmvl.exe
  C:\Windows\System\xoxMmvl.exe
  2⤵
  PID:10928
- C:\Windows\System\DAScBjG.exe
  C:\Windows\System\DAScBjG.exe
  2⤵
  PID:10948
- C:\Windows\System\bhauBYu.exe
  C:\Windows\System\bhauBYu.exe
  2⤵
  PID:10972
- C:\Windows\System\kbAUQuc.exe
  C:\Windows\System\kbAUQuc.exe
  2⤵
  PID:11000
- C:\Windows\System\vYCLHkz.exe
  C:\Windows\System\vYCLHkz.exe
  2⤵
  PID:11020
- C:\Windows\System\foUZJla.exe
  C:\Windows\System\foUZJla.exe
  2⤵
  PID:11064
- C:\Windows\System\kugnvRR.exe
  C:\Windows\System\kugnvRR.exe
  2⤵
  PID:11084
- C:\Windows\System\frZjIvK.exe
  C:\Windows\System\frZjIvK.exe
  2⤵
  PID:11108
- C:\Windows\System\FpGrFXk.exe
  C:\Windows\System\FpGrFXk.exe
  2⤵
  PID:11128
- C:\Windows\System\cKvjjeY.exe
  C:\Windows\System\cKvjjeY.exe
  2⤵
  PID:11152
- C:\Windows\System\stvkaLr.exe
  C:\Windows\System\stvkaLr.exe
  2⤵
  PID:11180
- C:\Windows\System\mEdtCpQ.exe
  C:\Windows\System\mEdtCpQ.exe
  2⤵
  PID:11212
- C:\Windows\System\kibuhuj.exe
  C:\Windows\System\kibuhuj.exe
  2⤵
  PID:11244
- C:\Windows\System\yJUyMDc.exe
  C:\Windows\System\yJUyMDc.exe
  2⤵
  PID:8432
- C:\Windows\System\rPLakbU.exe
  C:\Windows\System\rPLakbU.exe
  2⤵
  PID:10268
- C:\Windows\System\JyYWlPH.exe
  C:\Windows\System\JyYWlPH.exe
  2⤵
  PID:10308
- C:\Windows\System\uULIDke.exe
  C:\Windows\System\uULIDke.exe
  2⤵
  PID:10384
- C:\Windows\System\YSiDddS.exe
  C:\Windows\System\YSiDddS.exe
  2⤵
  PID:10392
- C:\Windows\System\YhZDHfw.exe
  C:\Windows\System\YhZDHfw.exe
  2⤵
  PID:10448
- C:\Windows\System\eluNbEh.exe
  C:\Windows\System\eluNbEh.exe
  2⤵
  PID:10568
- C:\Windows\System\JhTEnnA.exe
  C:\Windows\System\JhTEnnA.exe
  2⤵
  PID:10664
- C:\Windows\System\NaNmJxg.exe
  C:\Windows\System\NaNmJxg.exe
  2⤵
  PID:10812
- C:\Windows\System\aQGUptF.exe
  C:\Windows\System\aQGUptF.exe
  2⤵
  PID:10876
- C:\Windows\System\YMKgkrR.exe
  C:\Windows\System\YMKgkrR.exe
  2⤵
  PID:10908
- C:\Windows\System\tcIkUiL.exe
  C:\Windows\System\tcIkUiL.exe
  2⤵
  PID:10964
- C:\Windows\System\rUZUwmv.exe
  C:\Windows\System\rUZUwmv.exe
  2⤵
  PID:11016
- C:\Windows\System\vNLvnBK.exe
  C:\Windows\System\vNLvnBK.exe
  2⤵
  PID:11072
- C:\Windows\System\twZjryV.exe
  C:\Windows\System\twZjryV.exe
  2⤵
  PID:11096
- C:\Windows\System\RbgpkRA.exe
  C:\Windows\System\RbgpkRA.exe
  2⤵
  PID:11124
- C:\Windows\System\tJELxAA.exe
  C:\Windows\System\tJELxAA.exe
  2⤵
  PID:11176
- C:\Windows\System\SMKEirO.exe
  C:\Windows\System\SMKEirO.exe
  2⤵
  PID:11240
- C:\Windows\System\xMTmhvC.exe
  C:\Windows\System\xMTmhvC.exe
  2⤵
  PID:10424
- C:\Windows\System\wbssWkd.exe
  C:\Windows\System\wbssWkd.exe
  2⤵
  PID:10336
- C:\Windows\System\LsyQAIk.exe
  C:\Windows\System\LsyQAIk.exe
  2⤵
  PID:10476
- C:\Windows\System\JtKEEdo.exe
  C:\Windows\System\JtKEEdo.exe
  2⤵
  PID:10712
- C:\Windows\System\IDihCmt.exe
  C:\Windows\System\IDihCmt.exe
  2⤵
  PID:10836
- C:\Windows\System\zEYiuSv.exe
  C:\Windows\System\zEYiuSv.exe
  2⤵
  PID:11144
- C:\Windows\System\HhZbTdh.exe
  C:\Windows\System\HhZbTdh.exe
  2⤵
  PID:316
- C:\Windows\System\cPlSATj.exe
  C:\Windows\System\cPlSATj.exe
  2⤵
  PID:10312
- C:\Windows\System\dwpAApp.exe
  C:\Windows\System\dwpAApp.exe
  2⤵
  PID:10632
- C:\Windows\System\tDbhCtk.exe
  C:\Windows\System\tDbhCtk.exe
  2⤵
  PID:10840
- C:\Windows\System\eMqSSmg.exe
  C:\Windows\System\eMqSSmg.exe
  2⤵
  PID:9428
- C:\Windows\System\lyxJiXV.exe
  C:\Windows\System\lyxJiXV.exe
  2⤵
  PID:10492
- C:\Windows\System\etaXGLj.exe
  C:\Windows\System\etaXGLj.exe
  2⤵
  PID:10168
- C:\Windows\System\jJbDhnR.exe
  C:\Windows\System\jJbDhnR.exe
  2⤵
  PID:11288
- C:\Windows\System\uIboqgu.exe
  C:\Windows\System\uIboqgu.exe
  2⤵
  PID:11320
- C:\Windows\System\zTCxIAb.exe
  C:\Windows\System\zTCxIAb.exe
  2⤵
  PID:11356
- C:\Windows\System\VGSVYHM.exe
  C:\Windows\System\VGSVYHM.exe
  2⤵
  PID:11372
- C:\Windows\System\wMHXuvG.exe
  C:\Windows\System\wMHXuvG.exe
  2⤵
  PID:11392
- C:\Windows\System\UDHrbDE.exe
  C:\Windows\System\UDHrbDE.exe
  2⤵
  PID:11408
- C:\Windows\System\wlviSQi.exe
  C:\Windows\System\wlviSQi.exe
  2⤵
  PID:11432
- C:\Windows\System\YrTorrz.exe
  C:\Windows\System\YrTorrz.exe
  2⤵
  PID:11452
- C:\Windows\System\FIylcEB.exe
  C:\Windows\System\FIylcEB.exe
  2⤵
  PID:11488
- C:\Windows\System\LXxxdFh.exe
  C:\Windows\System\LXxxdFh.exe
  2⤵
  PID:11552
- C:\Windows\System\ugMJUSX.exe
  C:\Windows\System\ugMJUSX.exe
  2⤵
  PID:11576
- C:\Windows\System\jvLODUv.exe
  C:\Windows\System\jvLODUv.exe
  2⤵
  PID:11600
- C:\Windows\System\ILjvFFF.exe
  C:\Windows\System\ILjvFFF.exe
  2⤵
  PID:11624
- C:\Windows\System\DcbLsjN.exe
  C:\Windows\System\DcbLsjN.exe
  2⤵
  PID:11640
- C:\Windows\System\wMuozPw.exe
  C:\Windows\System\wMuozPw.exe
  2⤵
  PID:11672
- C:\Windows\System\XKclSJb.exe
  C:\Windows\System\XKclSJb.exe
  2⤵
  PID:11688
- C:\Windows\System\cbQSmbZ.exe
  C:\Windows\System\cbQSmbZ.exe
  2⤵
  PID:11736
- C:\Windows\System\xxeEBrQ.exe
  C:\Windows\System\xxeEBrQ.exe
  2⤵
  PID:11768
- C:\Windows\System\BXPOiAj.exe
  C:\Windows\System\BXPOiAj.exe
  2⤵
  PID:11784
- C:\Windows\System\yvTCKHx.exe
  C:\Windows\System\yvTCKHx.exe
  2⤵
  PID:11804
- C:\Windows\System\mePRbGo.exe
  C:\Windows\System\mePRbGo.exe
  2⤵
  PID:11824
- C:\Windows\System\AYkjTyC.exe
  C:\Windows\System\AYkjTyC.exe
  2⤵
  PID:11848
- C:\Windows\System\dmpKwnz.exe
  C:\Windows\System\dmpKwnz.exe
  2⤵
  PID:11868
- C:\Windows\System\mICKrnC.exe
  C:\Windows\System\mICKrnC.exe
  2⤵
  PID:11932
- C:\Windows\System\HUSwEwm.exe
  C:\Windows\System\HUSwEwm.exe
  2⤵
  PID:11956
- C:\Windows\System\VVcOtFk.exe
  C:\Windows\System\VVcOtFk.exe
  2⤵
  PID:11996
- C:\Windows\System\OxFiCUp.exe
  C:\Windows\System\OxFiCUp.exe
  2⤵
  PID:12032
- C:\Windows\System\rKCLymH.exe
  C:\Windows\System\rKCLymH.exe
  2⤵
  PID:12052
- C:\Windows\System\WVfNbcp.exe
  C:\Windows\System\WVfNbcp.exe
  2⤵
  PID:12076
- C:\Windows\System\DLWtwGX.exe
  C:\Windows\System\DLWtwGX.exe
  2⤵
  PID:12092
- C:\Windows\System\aMzvfsV.exe
  C:\Windows\System\aMzvfsV.exe
  2⤵
  PID:12128
- C:\Windows\System\kthdiQr.exe
  C:\Windows\System\kthdiQr.exe
  2⤵
  PID:12164
- C:\Windows\System\BznuTst.exe
  C:\Windows\System\BznuTst.exe
  2⤵
  PID:12184
- C:\Windows\System\epmLDAv.exe
  C:\Windows\System\epmLDAv.exe
  2⤵
  PID:12208
- C:\Windows\System\nnQDZyf.exe
  C:\Windows\System\nnQDZyf.exe
  2⤵
  PID:12228
- C:\Windows\System\fddPnfy.exe
  C:\Windows\System\fddPnfy.exe
  2⤵
  PID:12264
- C:\Windows\System\yDQdVxG.exe
  C:\Windows\System\yDQdVxG.exe
  2⤵
  PID:11280
- C:\Windows\System\QOIBaUs.exe
  C:\Windows\System\QOIBaUs.exe
  2⤵
  PID:11348
- C:\Windows\System\xPZgYnM.exe
  C:\Windows\System\xPZgYnM.exe
  2⤵
  PID:11384
- C:\Windows\System\WMyUqtQ.exe
  C:\Windows\System\WMyUqtQ.exe
  2⤵
  PID:11440
- C:\Windows\System\AYzHBbO.exe
  C:\Windows\System\AYzHBbO.exe
  2⤵
  PID:11472
- C:\Windows\System\smuNgAV.exe
  C:\Windows\System\smuNgAV.exe
  2⤵
  PID:11548
- C:\Windows\System\XnTKdgL.exe
  C:\Windows\System\XnTKdgL.exe
  2⤵
  PID:11568
- C:\Windows\System\IPanWeT.exe
  C:\Windows\System\IPanWeT.exe
  2⤵
  PID:11668
- C:\Windows\System\rLndKzd.exe
  C:\Windows\System\rLndKzd.exe
  2⤵
  PID:11776
- C:\Windows\System\htTksKo.exe
  C:\Windows\System\htTksKo.exe
  2⤵
  PID:11816
- C:\Windows\System\SGYLPkq.exe
  C:\Windows\System\SGYLPkq.exe
  2⤵
  PID:11780
- C:\Windows\System\pUXtIQH.exe
  C:\Windows\System\pUXtIQH.exe
  2⤵
  PID:11940
- C:\Windows\System\brJfvSy.exe
  C:\Windows\System\brJfvSy.exe
  2⤵
  PID:3152
- C:\Windows\System\VTigqyp.exe
  C:\Windows\System\VTigqyp.exe
  2⤵
  PID:11980
- C:\Windows\System\lYygann.exe
  C:\Windows\System\lYygann.exe
  2⤵
  PID:12068
- C:\Windows\System\eMmaYIT.exe
  C:\Windows\System\eMmaYIT.exe
  2⤵
  PID:12112
- C:\Windows\System\AAZPrfp.exe
  C:\Windows\System\AAZPrfp.exe
  2⤵
  PID:12156
- C:\Windows\System\VKnPSmL.exe
  C:\Windows\System\VKnPSmL.exe
  2⤵
  PID:3296
- C:\Windows\System\QGvEctQ.exe
  C:\Windows\System\QGvEctQ.exe
  2⤵
  PID:12276
- C:\Windows\System\kSGnXeL.exe
  C:\Windows\System\kSGnXeL.exe
  2⤵
  PID:11276
- C:\Windows\System\SsNBAzY.exe
  C:\Windows\System\SsNBAzY.exe
  2⤵
  PID:11500
- C:\Windows\System\tFdpgJn.exe
  C:\Windows\System\tFdpgJn.exe
  2⤵
  PID:11632
- C:\Windows\System\amzHcfs.exe
  C:\Windows\System\amzHcfs.exe
  2⤵
  PID:11916
- C:\Windows\System\JsIsgOJ.exe
  C:\Windows\System\JsIsgOJ.exe
  2⤵
  PID:12084
- C:\Windows\System\bbWOtUI.exe
  C:\Windows\System\bbWOtUI.exe
  2⤵
  PID:12108
- C:\Windows\System\YGhitXV.exe
  C:\Windows\System\YGhitXV.exe
  2⤵
  PID:12176
- C:\Windows\System\DEodCUr.exe
  C:\Windows\System\DEodCUr.exe
  2⤵
  PID:11344
- C:\Windows\System\jjmZbLQ.exe
  C:\Windows\System\jjmZbLQ.exe
  2⤵
  PID:11976
- C:\Windows\System\dRdQbwT.exe
  C:\Windows\System\dRdQbwT.exe
  2⤵
  PID:11404
- C:\Windows\System\LJmroaT.exe
  C:\Windows\System\LJmroaT.exe
  2⤵
  PID:12292
- C:\Windows\System\tBFfALd.exe
  C:\Windows\System\tBFfALd.exe
  2⤵
  PID:12308
- C:\Windows\System\WAJvevA.exe
  C:\Windows\System\WAJvevA.exe
  2⤵
  PID:12324
- C:\Windows\System\jJbVwry.exe
  C:\Windows\System\jJbVwry.exe
  2⤵
  PID:12352
- C:\Windows\System\PpAGyxu.exe
  C:\Windows\System\PpAGyxu.exe
  2⤵
  PID:12372
- C:\Windows\System\XYnjdGh.exe
  C:\Windows\System\XYnjdGh.exe
  2⤵
  PID:12428
- C:\Windows\System\WXVHiWW.exe
  C:\Windows\System\WXVHiWW.exe
  2⤵
  PID:12444
- C:\Windows\System\EHiujwE.exe
  C:\Windows\System\EHiujwE.exe
  2⤵
  PID:12484
- C:\Windows\System\FyGtJRr.exe
  C:\Windows\System\FyGtJRr.exe
  2⤵
  PID:12512
- C:\Windows\System\AmRFVBe.exe
  C:\Windows\System\AmRFVBe.exe
  2⤵
  PID:12528
- C:\Windows\System\dfEgHNj.exe
  C:\Windows\System\dfEgHNj.exe
  2⤵
  PID:12552
- C:\Windows\System\kjoAxEN.exe
  C:\Windows\System\kjoAxEN.exe
  2⤵
  PID:12572
- C:\Windows\System\lUtKUrI.exe
  C:\Windows\System\lUtKUrI.exe
  2⤵
  PID:12612
- C:\Windows\System\ukjhTil.exe
  C:\Windows\System\ukjhTil.exe
  2⤵
  PID:12632
- C:\Windows\System\MWPlssV.exe
  C:\Windows\System\MWPlssV.exe
  2⤵
  PID:12680
- C:\Windows\System\wYkAwiv.exe
  C:\Windows\System\wYkAwiv.exe
  2⤵
  PID:12720
- C:\Windows\System\mwdYpWU.exe
  C:\Windows\System\mwdYpWU.exe
  2⤵
  PID:12744
- C:\Windows\System\nZfmtjc.exe
  C:\Windows\System\nZfmtjc.exe
  2⤵
  PID:12776
- C:\Windows\System\xaWrgQK.exe
  C:\Windows\System\xaWrgQK.exe
  2⤵
  PID:12792
- C:\Windows\System\ueIRgNr.exe
  C:\Windows\System\ueIRgNr.exe
  2⤵
  PID:12824
- C:\Windows\System\oFLjsOV.exe
  C:\Windows\System\oFLjsOV.exe
  2⤵
  PID:12848
- C:\Windows\System\BAwliVW.exe
  C:\Windows\System\BAwliVW.exe
  2⤵
  PID:12868
- C:\Windows\System\fUMojjj.exe
  C:\Windows\System\fUMojjj.exe
  2⤵
  PID:12888
- C:\Windows\System\iksCLSF.exe
  C:\Windows\System\iksCLSF.exe
  2⤵
  PID:12908
- C:\Windows\System\GcTmqBf.exe
  C:\Windows\System\GcTmqBf.exe
  2⤵
  PID:12932
- C:\Windows\System\EpzKapo.exe
  C:\Windows\System\EpzKapo.exe
  2⤵
  PID:12984
- C:\Windows\System\gbjykpC.exe
  C:\Windows\System\gbjykpC.exe
  2⤵
  PID:13004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vl5nhhi4.bb4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AMdrYxf.exe

Filesize
1.6MB

MD5
fa4bc84a2a0653f30dc28d53106363d1

SHA1
40ebaa1456e315eb61c7e38cfad284836a7715d6

SHA256
7de1b71f458b05d0cd33649974f50f31b27523cefd0be18ca6a186ceb6054267

SHA512
c4a5f2aa8ad23b9fbcac6f0abd1b1ed1790b69bb23cd2a16e41e9c78dec7aec7357a185e7d1b8349705afff2abf9e9962c24f4f3773f7dbeef08e24d3a4de6ba

Download Submit
C:\Windows\System\BnByhEm.exe

Filesize
1.6MB

MD5
333c3aef9a0e8193a2529ae639e5b106

SHA1
a99b0d18d140525422407ae2ba61a2958a7093d4

SHA256
e793ad9e07e89b542827123003916a89ee437d9e9312782725b4b8dfad2f0449

SHA512
621e3ebfc20445f03fbd83bab15d47990cfd26ef9b388e7866fb9e216b352ac969b01972b025fdc3c495d824795520b145e65f8b7a220347bfdfac0433cff93f

Download Submit
C:\Windows\System\CdJeCzy.exe

Filesize
1.6MB

MD5
507774633b47da258cca38d419affb99

SHA1
d3158f3b3b8238e6d7986b5c8771708c8a1665c6

SHA256
bfb29d79663fb1cb9882ebf8d3239f9a35b416b74a67e42869c201232acb6335

SHA512
092d17a3220b4b290f4d21393f40d95583e7b9c1a2640133656576e1501537def0db04d53dbf73598da2b2cdef9640b7e48c7cb99f6b7b238f40e467f637a604

Download Submit
C:\Windows\System\CnHGrZh.exe

Filesize
1.6MB

MD5
a16a47cd5ba1b098e31902fea161ec82

SHA1
8a009c36eb30c77452558c5c77c65515b457c9e7

SHA256
7a89902fca73ee1c1c9bc51096f18b7a5ec1ea5c5691189d41bd9cc479853523

SHA512
0b90c8e60bda9776b63084843e18bd273f840cb1273b03926023756f6bf809d8f5f40cc2bd4b43572ca7174a5c183708f6dc7013e3bbbe1a381d3b2ff2b2260c

Download Submit
C:\Windows\System\DYjpGAO.exe

Filesize
1.6MB

MD5
685e9b9b9adb20fd75ebab3afd386d71

SHA1
3dba2fb21f38cf64ab646dc16a0fbc91bbcc9721

SHA256
10b331bbcd92b2fd149275aad96fd021932d1b00a03745659d49ea62fbe08bc4

SHA512
e06359bec6d10a6dbd754625ac801f742b723a3fed6171b97dbad825364b072e1bc10b5f80b14c345006f447088ed668b6cec52fb4f414e84c9783ee6be42fa2

Download Submit
C:\Windows\System\DhiokcB.exe

Filesize
1.6MB

MD5
d639b025dd73b043182c773e118c2097

SHA1
5d853725f9305569a1c7767124e4fceda826b1e3

SHA256
1969af32b67c59034ae951d730034439cf4bcd4d1ba435440c8278af4a3eef41

SHA512
a77c60df364bb8d6d1b132921336b338446f73eb97216a4ef74480f5fcd21250f9b87ffc5e589c83568fd4a693b46cbac74f6ac5fa876fc924c50e71d2253281

Download Submit
C:\Windows\System\GGKqoGb.exe

Filesize
1.6MB

MD5
0102620dd6799e5347148db55901be9d

SHA1
3314ae7392224abaabd5c83b988ebc706ef10713

SHA256
bfa9b2614ae53b7a83f84be6903d258579278739ba4d84c04fb12204c3b71d49

SHA512
ed0ffe87b88aba15dc34da92cfa462acc106cebacd4c9246cf8de4282c7398ef5a30ab03c668288fc48e3f349ac093318e6e9d7252d2245654899d4307bc58ab

Download Submit
C:\Windows\System\GIgiyBz.exe

Filesize
1.6MB

MD5
d843a86d894e67fd247990ad4981f29d

SHA1
c47ce11c5eddf8ac74000b9db465da64e765f2b0

SHA256
545d16507d1c1a7e7bc76ec96c39b369cbc11f5e18f86a47e9192bb733cc472d

SHA512
7234a82dd8e2806d54d71d85f386a86e0e56f6cb9cf3fa5b26e7a425e7ab42043ceb7f89478220cefcb6883cfb5120d41e10fcf029f4000884578a42c92ed482

Download Submit
C:\Windows\System\Hagmema.exe

Filesize
1.6MB

MD5
917493b03b8334167f8b3621e5e53f7b

SHA1
7e301d4f48a1bd67171af686a0806c00e363bac1

SHA256
a0df68994bab280570cecc1ae4c8f1e6d8b9e4a0a5fe2d7a700b0c1f827376e9

SHA512
1e04b58257a9cc2781e951ed8b158274a5d6125a6ebbe5d887c2af9f8cdb7d0ce48ba4829fa9da5577068e44fa0cfd87fdfce4c7390ec5702a140402c10b6fbf

Download Submit
C:\Windows\System\IHUTkTV.exe

Filesize
1.6MB

MD5
bba8baf2c4438e7f49033c6cf3208622

SHA1
047d590c2ce2c9553c81bf652851752312ac1596

SHA256
1d9b266bdcedafdb9526fdf3719da1ead66b752ba0d239d5202665fbf02246a5

SHA512
3f1a7440e3a69a765eab1038926a23f8dd95898a1844ae5e929c628404cedbf332841db3f67fd63d992d0b041632c0e6c257996b84010e261f6166b7eba37189

Download Submit
C:\Windows\System\IoIlGnP.exe

Filesize
1.6MB

MD5
7f06204d2f832d2808bd3bdc03fca251

SHA1
d2fe0f145991a5cc258fadd342eab7259b6c7da2

SHA256
258834db2fc58380947801ce0a296abc2502c73b185af33fc47b82efeb460897

SHA512
e32892ed22b42c544a9e0ad2b60ae7005a526b530a07b9858f431f3dea01aee7eb21dff7790b4f33b51dfd3fcc28400224373f4f4586fda2d619cfc242c959f2

Download Submit
C:\Windows\System\JYejKGe.exe

Filesize
1.6MB

MD5
73a91956e2c63778caf0ddff2092a7f1

SHA1
609d762348398b238b763277a2e7b0ecbfd306d7

SHA256
da0134878b47314f8d8d1d01ec3707b69c34c6ac907ad582bcea702b0bec9ab2

SHA512
b056805a8304e22fb80290e43c4f57d916c5539965895f89727efc50e6038c0f2c5ae51218451075bff8dc3ccef431605428fd7a8294888bb7bf4165ab730b4c

Download Submit
C:\Windows\System\JuJqqbA.exe

Filesize
1.6MB

MD5
7e226f51d77b675303ea69f3eaae9682

SHA1
9382d91ff2fa88194ebc0d80b59dae70e0935cfd

SHA256
c292d05584ef0fd5a23e9a1e1fc97fa6c42a082e14f3f8c9de72e0f0673d3eee

SHA512
98bf878bae7e8eb42019e3919275dbfdd4e0ecc05f815b26a2df3a6b7c21c2a56fb0e872d1280b4dbb858105786beff4bcbfdf425b05745a860a1493b3662fb9

Download Submit
C:\Windows\System\KQzDUJG.exe

Filesize
1.6MB

MD5
b4172b14743e35bc570f7a5027f30390

SHA1
92271d32457a23fdd7b1e1815499f7b08634546b

SHA256
6da177c81ef207efe62688a7003b40444c8a16eaf17411b651cfa6622e24502c

SHA512
ffe43e70061041f334d149c8a1692fb0a1b633d1c796b374a2d79cf6df070b90d67022ab399fecc25081a49b6286a4f32faf1303f523b0a9b626cd3ebba66333

Download Submit
C:\Windows\System\LXpoKjI.exe

Filesize
1.6MB

MD5
193763997fede6334a463f900e8c0b66

SHA1
a93131f90d87da979aded618be3393d6e1d9387f

SHA256
5aa51277a457bb0b9b45fabaf1bb9017818a5d062f9eb66c3bd5d1cb55a58dc5

SHA512
5047be4e0ac7e576d378120452ddab61e261c8e7d5161ab9865bb3459fe593b51111c3ef68422d8c42ff72010431f0e321e69847e69581addebc24994d478b35

Download Submit
C:\Windows\System\SDfVavs.exe

Filesize
1.6MB

MD5
1b074dc22d65293ad51a4ad423e4d180

SHA1
3de488b44037df93106ea89aedcbe1f24e86b0b3

SHA256
a146158d2a4160eaaf4497c176731023f326aa7c8d4a7a785c3364a1269e3b53

SHA512
e6bc6d089430dc13f23590c1c26cfecbb6515bfc1f8c555298c91b8e106e5ab54af1d798965f5105bacda583caa67730e628129e868f418aaea53d6d93f48fb2

Download Submit
C:\Windows\System\TqIptbU.exe

Filesize
1.6MB

MD5
8ac36d8a6e8a7e404c23d0808cc355e5

SHA1
e5054ac25c956a23a6f9c59e99d26d057e91325f

SHA256
e49df105b84c324ec99bf2d06c662c87dc0933c9d0487a8e8c3555198ea7c244

SHA512
96584f7b119e4e3d042208c00013b76e9898a8a3f93974c6e0dbc3b2b5a4a2df74695778880ef590fc3a2c6bffa25a716cb69b4e93104895ac465ddb472d9221

Download Submit
C:\Windows\System\VbCxFjJ.exe

Filesize
1.6MB

MD5
10bdd01e975d62ecc546b0e4e4d33ccc

SHA1
a4a90b7d40e05b91d5f95087fb73f323175e892d

SHA256
d025c062681fde4c071e85248a10752b0be0c79dc84d37af0fbd4126e9ecf6aa

SHA512
7c3f4da5f91e66a670dd661f24bceef9179df5b9fad40c9171a58af8f7bfd7095ca3e9d297e27d4f7d4ab9d8a9f832e5f06f4b5ea0298298a9fb026315f7cc11

Download Submit
C:\Windows\System\VwYHtyG.exe

Filesize
1.6MB

MD5
58dfc8382a6c3d524c63dc8bafa9e296

SHA1
75cc0fbb22f19329e59b7f76d904289923e3390e

SHA256
ffcee6602f3e593756ed9712824bfca7cbbd53360fd094b2b6754dcb16e0e82f

SHA512
0c26dfd0992577b344dc2ac5a2027d65d31f66201259d50f174ddc8c268cf8f80b0deef01114aa57fc99414714e366ff1241943d968b2ec1853befdf2191233b

Download Submit
C:\Windows\System\WhirmKQ.exe

Filesize
1.6MB

MD5
a167ca2bf5afa514ce0a7e63e2010f07

SHA1
deac5b3a26cc0b9accb7a4217280ba2353f8bf08

SHA256
8e750731c555a8a4bdddffd439f23b2fe4acf9f7a264cbeed2d9263a2ab168d8

SHA512
882ab6bfb7f8fbceb1d14f8ef0dc4e043c91159e208b39dcdf60321cdd6151d3cab7f7df5a89057a94484702c50430f01e6da41952e22c234c71b9d9c55865f3

Download Submit
C:\Windows\System\cXfoonJ.exe

Filesize
1.6MB

MD5
05e9308b5ad7e0bdea4a234b2df87bb1

SHA1
2bf6511629338bb70fb257f4c692f7cd433f6f33

SHA256
b3b882ec870e176ae8cea68017ce782978e9b2852bc1fd6fa3edf6793351ab89

SHA512
42c7434dd6d4c57a4533f416b90b5bc7e925f9a250487bc3e1d0e4fa7d7031ec427d22b9799251f5d8f8b3682d536a57ad16088db581fdf43db7e3f7a7f32135

Download Submit
C:\Windows\System\dJQBXRe.exe

Filesize
1.6MB

MD5
0097d96ca8757071e633e92e8e807bae

SHA1
050cfd4149d0339ab0c2ee1b1c7e83366384dc9e

SHA256
1b0a15e3f38238070e98b3f2d17911a231622f88e5b152efb420bdca71765fa5

SHA512
6d6af423c68e697c83cee596dfb5255b9b882e14a4ce35ccf554a05c1d09c8b921eb0072af03949d7cc6dc37a6cb326f52f7f2e7ea8b7aec8acae3790825be8c

Download Submit
C:\Windows\System\fiXMdAw.exe

Filesize
1.6MB

MD5
06f7f51d594e2eca5facf35603a14049

SHA1
25bfc55f32ddd65f579d3baa2381e51a197f4ddd

SHA256
cd4a3137c59d4a6ac4a2683738e6764c855a6e15ada272b35fd63302dc77e1ae

SHA512
dc0c9be1e8184abbced4568e6fd8ae4e2d8c0b92b38e1cc3114b9c2287eab23bf49283150c7cdaedd4bcbd234f11f9b28ef174e94e0c65f3fc4eeb5523a8cb05

Download Submit
C:\Windows\System\kPqfxtK.exe

Filesize
1.6MB

MD5
22f9a383c51ebefae5538752054a5d5a

SHA1
34a092d1125169d7069b3eec8f81c1321046ccad

SHA256
4c611e72d433b0e824927fa97486aa0a332d23144d06f0def2f5659646bfdd42

SHA512
16db09b4c30c46fdf0b032656ab9da41e3b4f0187ac86d499c9a5e22732705dfa0376e24da9a31b6097a99123ee9124a800184a665f0c2315e740f6114cd7d0b

Download Submit
C:\Windows\System\loxaFBv.exe

Filesize
1.6MB

MD5
11243d51c68c9f5843b681bdc7294f15

SHA1
398f310dd3bcc8a0d7cc0e07e04834e3b919e874

SHA256
5a51ac5e743502e2d3712f5b7b8928355553aa417ae3b030be6041a479c2dd34

SHA512
c40bc096da078ff7db65cce8f2ba52974a108431445304600b9945c20e9d84dab52f493b830e36a78a51e2806bf774d23589ae5acc04e4708704458eb7e28c59

Download Submit
C:\Windows\System\lqIHszY.exe

Filesize
1.6MB

MD5
2664bc6cf62eced7ae3db46ba5ec7865

SHA1
45e0e79f08a80c6b230e8033f639a554542bcfd1

SHA256
ed3ba9ba4d6c17f09a1518548555db2e02d6507fb2d42aa1bc527e6e9f2c44ec

SHA512
6f8ecb2401891e90bddd016d6a74dc2840befbd62c2f57c5605643343d6304a1250b4942aa7752cdad1789f68cd791f99580bba4018fb294255f2b53b1dc10a7

Download Submit
C:\Windows\System\mHjMcQs.exe

Filesize
1.6MB

MD5
4991c27a9d9268486a37122c8551f264

SHA1
d2512176da8c4f4f868e70adde622bb02763a2fd

SHA256
ae2cfb96143b20c983150140f229348778b197473bceae0bd20ff0b931e2aedd

SHA512
6afdf95a540905074bed5065d7fac75641b991abbba98816a3711fcdd34184fda6f3f735505911ac8c91fa8d1b03515316dacb16ab63d780fd98103934453967

Download Submit
C:\Windows\System\qfGUUxl.exe

Filesize
1.6MB

MD5
50222b311a83adc86e8651ff735ec480

SHA1
0433f144a479f1b441bb8e5c507966b36a585f09

SHA256
cf2966722819e584429dbdf74a20a930419df2cdd473e3dfffa4d532354dcb75

SHA512
c05422be1e10ff875048a3594061f46d01735ea2125eaa8ffae5f2da874dd4cc8c26f587aa30d4218f53287051d7da3a8a9cbb2b273256b3963cab410ba8a6f4

Download Submit
C:\Windows\System\rMlfvpb.exe

Filesize
1.6MB

MD5
86bce8a2cd907c2aa45d6bf900b30d93

SHA1
aed8268a09e33cdaadc8c0ecc14ebb64276f8e2b

SHA256
e3a14b4c92e1c83d88368ea111efbc97216d8081b3c2ab02796349df875f1524

SHA512
c8f01a4e39f40136b04093d86b7cca25e53535be7f05fcb0bfa6edd9a9903857362e9b2d72b25aaa8f9167281079e37e6e98fa75dddb7fc69527d709cb9ce8af

Download Submit
C:\Windows\System\tcxzBDK.exe

Filesize
1.6MB

MD5
965ca615a40d915e963de35401d67f5b

SHA1
e6bd5440ad4172730e558d6b00a01973ceaedbe4

SHA256
2cd866ad112c26ea4990701f257514b2088f879f1de54d73e4981aa196b7c856

SHA512
fc67963edaa61a658bbc1fbf2f2231ccc6d642cecf1547cd5ed2b58e5bd13c8ef0742cd084d3db765b7a82183aefd476981746f3b2cea20dba7342b7a09bf31e

Download Submit
C:\Windows\System\wWnzVnR.exe

Filesize
1.6MB

MD5
a27feb658a6927422247433fba325fa8

SHA1
23c95bc32cbb0a5040c25ab57cfb474493254c8c

SHA256
6e6bfa2cd2df02dff4a4217465b9469d6369e04c99baac54ff42bb50fcd42211

SHA512
ebec215eaf8c1e7edc9c4ad100145fcc58d041a34e3da61ab676c6f489f17f0505418ce60d67da57637f61adf484776fd0dad6e3d072627373e9c5fc42fa65c2

Download Submit
C:\Windows\System\wpCYlXg.exe

Filesize
1.6MB

MD5
301a33afff9772261160b0617a46b998

SHA1
f9ef56cf0ca26a4ca25a0eac9c69496c0df696f5

SHA256
dbbf3a2d05dee92fc54ca5ef41093b782e63c989d8096bac051ea0df7a5dcf05

SHA512
1979468e27fcd5ee0c45eb23eab263bea17e2affe053f6f121e85aad0507f401a9aa7203e280da3a02e51e988dbde2ac60948f9cdc00515a994d0ab3a55fa8b2

Download Submit
C:\Windows\System\zCltSTV.exe

Filesize
1.6MB

MD5
2fefafd4ab1e7d39f154bc95e47e5c85

SHA1
0bc81f7d80f5e3ccf17b433c8ecbb49a23d88c96

SHA256
04ede0f70c09ee1c9079cf3b11a33482058fc8c44651e9c40740f96d373d0408

SHA512
40055f40fe1a676854602bcc6400da100edf368338f15fd42f7602a8c5c4dc0869c51281b2982250dacd4512ea053aee684c6281928ecd23babf53d0cb2d7cc2

Download Submit
memory/60-119-0x00007FF7EEAD0000-0x00007FF7EEEC2000-memory.dmp

Filesize
3.9MB

Download
memory/60-2579-0x00007FF7EEAD0000-0x00007FF7EEEC2000-memory.dmp

Filesize
3.9MB

Download
memory/808-1-0x0000011041160000-0x0000011041170000-memory.dmp

Filesize
64KB

Download
memory/808-0-0x00007FF7102A0000-0x00007FF710692000-memory.dmp

Filesize
3.9MB

Download
memory/1128-2590-0x00007FF6FA080000-0x00007FF6FA472000-memory.dmp

Filesize
3.9MB

Download
memory/1128-124-0x00007FF6FA080000-0x00007FF6FA472000-memory.dmp

Filesize
3.9MB

Download
memory/1444-212-0x00007FF79B610000-0x00007FF79BA02000-memory.dmp

Filesize
3.9MB

Download
memory/1444-2686-0x00007FF79B610000-0x00007FF79BA02000-memory.dmp

Filesize
3.9MB

Download
memory/1608-179-0x00007FF78BD70000-0x00007FF78C162000-memory.dmp

Filesize
3.9MB

Download
memory/1608-2638-0x00007FF78BD70000-0x00007FF78C162000-memory.dmp

Filesize
3.9MB

Download
memory/1688-125-0x00007FF7DA2D0000-0x00007FF7DA6C2000-memory.dmp

Filesize
3.9MB

Download
memory/1688-2588-0x00007FF7DA2D0000-0x00007FF7DA6C2000-memory.dmp

Filesize
3.9MB

Download
memory/1704-2614-0x00007FF7ED6E0000-0x00007FF7EDAD2000-memory.dmp

Filesize
3.9MB

Download
memory/1704-200-0x00007FF7ED6E0000-0x00007FF7EDAD2000-memory.dmp

Filesize
3.9MB

Download
memory/1960-196-0x00007FF719960000-0x00007FF719D52000-memory.dmp

Filesize
3.9MB

Download
memory/1960-2584-0x00007FF719960000-0x00007FF719D52000-memory.dmp

Filesize
3.9MB

Download
memory/2000-132-0x00007FF61C3B0000-0x00007FF61C7A2000-memory.dmp

Filesize
3.9MB

Download
memory/2000-2587-0x00007FF61C3B0000-0x00007FF61C7A2000-memory.dmp

Filesize
3.9MB

Download
memory/2088-2574-0x00007FF7AB610000-0x00007FF7ABA02000-memory.dmp

Filesize
3.9MB

Download
memory/2088-2560-0x00007FF7AB610000-0x00007FF7ABA02000-memory.dmp

Filesize
3.9MB

Download
memory/2088-12-0x00007FF7AB610000-0x00007FF7ABA02000-memory.dmp

Filesize
3.9MB

Download
memory/2100-173-0x00007FF65D7F0000-0x00007FF65DBE2000-memory.dmp

Filesize
3.9MB

Download
memory/2100-2629-0x00007FF65D7F0000-0x00007FF65DBE2000-memory.dmp

Filesize
3.9MB

Download
memory/2136-172-0x00007FF616F70000-0x00007FF617362000-memory.dmp

Filesize
3.9MB

Download
memory/2136-2627-0x00007FF616F70000-0x00007FF617362000-memory.dmp

Filesize
3.9MB

Download
memory/2152-2592-0x00007FF602620000-0x00007FF602A12000-memory.dmp

Filesize
3.9MB

Download
memory/2152-142-0x00007FF602620000-0x00007FF602A12000-memory.dmp

Filesize
3.9MB

Download
memory/2156-208-0x00007FF79C690000-0x00007FF79CA82000-memory.dmp

Filesize
3.9MB

Download
memory/2156-2667-0x00007FF79C690000-0x00007FF79CA82000-memory.dmp

Filesize
3.9MB

Download
memory/2452-160-0x00007FF7C3D20000-0x00007FF7C4112000-memory.dmp

Filesize
3.9MB

Download
memory/2452-2632-0x00007FF7C3D20000-0x00007FF7C4112000-memory.dmp

Filesize
3.9MB

Download
memory/2528-154-0x00007FF6CD670000-0x00007FF6CDA62000-memory.dmp

Filesize
3.9MB

Download
memory/2528-2625-0x00007FF6CD670000-0x00007FF6CDA62000-memory.dmp

Filesize
3.9MB

Download
memory/2576-216-0x00007FF721410000-0x00007FF721802000-memory.dmp

Filesize
3.9MB

Download
memory/2576-2704-0x00007FF721410000-0x00007FF721802000-memory.dmp

Filesize
3.9MB

Download
memory/2752-190-0x00007FF70D2E0000-0x00007FF70D6D2000-memory.dmp

Filesize
3.9MB

Download
memory/2752-2576-0x00007FF70D2E0000-0x00007FF70D6D2000-memory.dmp

Filesize
3.9MB

Download
memory/2912-2594-0x00007FF750780000-0x00007FF750B72000-memory.dmp

Filesize
3.9MB

Download
memory/2912-136-0x00007FF750780000-0x00007FF750B72000-memory.dmp

Filesize
3.9MB

Download
memory/2976-166-0x00007FF66BDB0000-0x00007FF66C1A2000-memory.dmp

Filesize
3.9MB

Download
memory/2976-2710-0x00007FF66BDB0000-0x00007FF66C1A2000-memory.dmp

Filesize
3.9MB

Download
memory/2976-2886-0x00007FF66BDB0000-0x00007FF66C1A2000-memory.dmp

Filesize
3.9MB

Download
memory/3328-2561-0x00007FFFD5850000-0x00007FFFD6311000-memory.dmp

Filesize
10.8MB

Download
memory/3328-62-0x00007FFFD5850000-0x00007FFFD6311000-memory.dmp

Filesize
10.8MB

Download
memory/3328-14-0x00007FFFD5853000-0x00007FFFD5855000-memory.dmp

Filesize
8KB

Download
memory/3328-2570-0x00007FFFD5850000-0x00007FFFD6311000-memory.dmp

Filesize
10.8MB

Download
memory/3328-61-0x0000017AA9520000-0x0000017AA9542000-memory.dmp

Filesize
136KB

Download
memory/3328-558-0x0000017AAA5A0000-0x0000017AAAD46000-memory.dmp

Filesize
7.6MB

Download
memory/3328-93-0x00007FFFD5850000-0x00007FFFD6311000-memory.dmp

Filesize
10.8MB

Download
memory/3644-128-0x00007FF74A780000-0x00007FF74AB72000-memory.dmp

Filesize
3.9MB

Download
memory/3644-2583-0x00007FF74A780000-0x00007FF74AB72000-memory.dmp

Filesize
3.9MB

Download
memory/4004-2580-0x00007FF7C9F70000-0x00007FF7CA362000-memory.dmp

Filesize
3.9MB

Download
memory/4004-113-0x00007FF7C9F70000-0x00007FF7CA362000-memory.dmp

Filesize
3.9MB

Download
memory/4060-2596-0x00007FF6CFA20000-0x00007FF6CFE12000-memory.dmp

Filesize
3.9MB

Download
memory/4060-148-0x00007FF6CFA20000-0x00007FF6CFE12000-memory.dmp

Filesize
3.9MB

Download
memory/4176-204-0x00007FF7E2CB0000-0x00007FF7E30A2000-memory.dmp

Filesize
3.9MB

Download
memory/4176-2649-0x00007FF7E2CB0000-0x00007FF7E30A2000-memory.dmp

Filesize
3.9MB

Download
memory/4784-23-0x00007FF603190000-0x00007FF603582000-memory.dmp

Filesize
3.9MB

Download
memory/4784-2572-0x00007FF603190000-0x00007FF603582000-memory.dmp

Filesize
3.9MB

Download