xmrig | d04e097d59023a1ba74884547009c42fc24bba869a70bf5f409094cbedcacb06

Analysis

max time kernel
143s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
Size

2.7MB
MD5

10bd318d69bbaec0c81cf390cafa3240
SHA1

36f2936a8709b532c7636b471e6836b5d6f050a3
SHA256

d04e097d59023a1ba74884547009c42fc24bba869a70bf5f409094cbedcacb06
SHA512

fdac870fc7686f608d515b7bebc23a7ff0a460827fe4902ac2d7ce16745546b4be3afb578fe4b1619259dc553114ec9178f5af59b66f70ccdbb3ae2d21bb17ce
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkivwSbakf:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2RX

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/264-0-0x00007FF747190000-0x00007FF747586000-memory.dmp	xmrig
behavioral2/memory/1580-10-0x00007FF71C030000-0x00007FF71C426000-memory.dmp	xmrig
behavioral2/files/0x000700000002349d-15.dat	xmrig
behavioral2/files/0x000700000002349e-21.dat	xmrig
behavioral2/files/0x00070000000234a0-33.dat	xmrig
behavioral2/memory/2016-39-0x00007FF7EB120000-0x00007FF7EB516000-memory.dmp	xmrig
behavioral2/files/0x00070000000234a4-45.dat	xmrig
behavioral2/files/0x00070000000234a5-63.dat	xmrig
behavioral2/files/0x00070000000234a6-71.dat	xmrig
behavioral2/memory/4172-80-0x00007FF796720000-0x00007FF796B16000-memory.dmp	xmrig
behavioral2/memory/2312-81-0x00007FF6B1500000-0x00007FF6B18F6000-memory.dmp	xmrig
behavioral2/memory/4652-79-0x00007FF730B20000-0x00007FF730F16000-memory.dmp	xmrig
behavioral2/memory/3924-78-0x00007FF632850000-0x00007FF632C46000-memory.dmp	xmrig
behavioral2/memory/4288-75-0x00007FF7E8620000-0x00007FF7E8A16000-memory.dmp	xmrig
behavioral2/memory/3452-70-0x00007FF746210000-0x00007FF746606000-memory.dmp	xmrig
behavioral2/memory/2912-60-0x00007FF6C2400000-0x00007FF6C27F6000-memory.dmp	xmrig
behavioral2/files/0x00070000000234a3-59.dat	xmrig
behavioral2/files/0x00070000000234a2-48.dat	xmrig
behavioral2/files/0x00070000000234a1-46.dat	xmrig
behavioral2/memory/4248-42-0x00007FF6EA350000-0x00007FF6EA746000-memory.dmp	xmrig
behavioral2/files/0x000700000002349f-35.dat	xmrig
behavioral2/memory/1280-30-0x00007FF7DD160000-0x00007FF7DD556000-memory.dmp	xmrig
behavioral2/files/0x0009000000023496-8.dat	xmrig
behavioral2/files/0x00070000000234a9-85.dat	xmrig
behavioral2/files/0x000800000002349a-89.dat	xmrig
behavioral2/files/0x00080000000234a7-96.dat	xmrig
behavioral2/files/0x00070000000234aa-108.dat	xmrig
behavioral2/files/0x00070000000234ac-113.dat	xmrig
behavioral2/memory/3296-127-0x00007FF767AB0000-0x00007FF767EA6000-memory.dmp	xmrig
behavioral2/memory/1380-133-0x00007FF6C2550000-0x00007FF6C2946000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ae-136.dat	xmrig
behavioral2/files/0x00070000000234af-138.dat	xmrig
behavioral2/memory/2088-142-0x00007FF69CB00000-0x00007FF69CEF6000-memory.dmp	xmrig
behavioral2/memory/4604-143-0x00007FF71D460000-0x00007FF71D856000-memory.dmp	xmrig
behavioral2/memory/620-137-0x00007FF67EB90000-0x00007FF67EF86000-memory.dmp	xmrig
behavioral2/memory/3492-134-0x00007FF73CF50000-0x00007FF73D346000-memory.dmp	xmrig
behavioral2/files/0x00070000000234ad-129.dat	xmrig
behavioral2/memory/4736-119-0x00007FF692C70000-0x00007FF693066000-memory.dmp	xmrig
behavioral2/files/0x00080000000234a8-118.dat	xmrig
behavioral2/files/0x00070000000234ab-116.dat	xmrig
behavioral2/memory/3652-110-0x00007FF7221E0000-0x00007FF7225D6000-memory.dmp	xmrig
behavioral2/memory/800-99-0x00007FF6CF520000-0x00007FF6CF916000-memory.dmp	xmrig
behavioral2/files/0x00070000000234b0-146.dat	xmrig
behavioral2/files/0x00070000000234b2-153.dat	xmrig
behavioral2/memory/3176-151-0x00007FF74FAE0000-0x00007FF74FED6000-memory.dmp	xmrig
behavioral2/memory/4896-93-0x00007FF783EE0000-0x00007FF7842D6000-memory.dmp	xmrig
behavioral2/memory/264-263-0x00007FF747190000-0x00007FF747586000-memory.dmp	xmrig
behavioral2/memory/4568-297-0x00007FF7CF9A0000-0x00007FF7CFD96000-memory.dmp	xmrig
behavioral2/files/0x00070000000234e0-307.dat	xmrig
behavioral2/files/0x00070000000234e4-337.dat	xmrig
behavioral2/files/0x00070000000234e2-332.dat	xmrig
behavioral2/files/0x00070000000234e3-330.dat	xmrig
behavioral2/files/0x00070000000234e8-356.dat	xmrig
behavioral2/files/0x00070000000234ef-359.dat	xmrig
behavioral2/memory/4248-318-0x00007FF6EA350000-0x00007FF6EA746000-memory.dmp	xmrig
behavioral2/memory/1548-317-0x00007FF6A20E0000-0x00007FF6A24D6000-memory.dmp	xmrig
behavioral2/files/0x00070000000234de-306.dat	xmrig
behavioral2/files/0x00070000000234dc-305.dat	xmrig
behavioral2/files/0x00070000000234b3-288.dat	xmrig
behavioral2/files/0x00070000000234da-291.dat	xmrig
behavioral2/memory/3452-283-0x00007FF746210000-0x00007FF746606000-memory.dmp	xmrig
behavioral2/memory/2912-280-0x00007FF6C2400000-0x00007FF6C27F6000-memory.dmp	xmrig
behavioral2/memory/4896-904-0x00007FF783EE0000-0x00007FF7842D6000-memory.dmp	xmrig
behavioral2/memory/800-1496-0x00007FF6CF520000-0x00007FF6CF916000-memory.dmp	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
9	412	powershell.exe
11	412	powershell.exe
16	412	powershell.exe
17	412	powershell.exe
20	412	powershell.exe
21	412	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
412	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1580	vQXbEfc.exe
4288	hrxfHnm.exe
1280	YRDCWHw.exe
2016	EOgByjJ.exe
3924	MsxPAqn.exe
4248	IyzlRVj.exe
2912	ScUWMbw.exe
3452	UXsdeRe.exe
4652	nCnCqXr.exe
4172	YrWgOTX.exe
2312	dynpPEy.exe
4896	kSGNVks.exe
800	yQoQvaB.exe
3652	CMMulpK.exe
3296	FqFWljf.exe
4736	iYiyJvn.exe
1380	cUygsOS.exe
3492	hKnAcdA.exe
2088	GufkAiS.exe
4604	jBtFQNZ.exe
620	qETnAxF.exe
3176	ncEHNJh.exe
4568	mIGuvyj.exe
1548	eIjGXHZ.exe
5096	DPDMfwt.exe
2052	pQwEIkR.exe
2384	OqyyChh.exe
1328	FZINmcH.exe
4860	qZWwWQL.exe
4992	cKhWqFy.exe
2000	qqRAmCV.exe
2324	LdoLzfz.exe
5056	nIkOhkI.exe
2564	hANWbXc.exe
3512	YtNafnU.exe
3528	VxhBpMb.exe
4644	rMRZryR.exe
2448	GlwNJWe.exe
2328	tlLWniA.exe
4304	LaxPlWi.exe
4348	qeWGrhf.exe
3588	hZOxxeS.exe
1772	mBOBpNP.exe
3508	FbJTaHm.exe
2136	cOUfYGs.exe
4036	ptBnSlW.exe
4508	VZxSKvV.exe
3164	gjoRayX.exe
3028	lFIGZeA.exe
4220	VKxFatU.exe
4292	rxYzsat.exe
4740	ttLjDcS.exe
3080	TfQcCYT.exe
1944	qgrGQzq.exe
2032	WmumwrX.exe
1688	gSRvvMv.exe
2924	eufKFqI.exe
3892	miDOJqq.exe
4904	chDeLbh.exe
4308	QhFlzIE.exe
1204	PxIGYjg.exe
1936	dcVGpQr.exe
632	DJOHnkO.exe
4236	CZNnfpT.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/264-0-0x00007FF747190000-0x00007FF747586000-memory.dmp	upx
behavioral2/memory/1580-10-0x00007FF71C030000-0x00007FF71C426000-memory.dmp	upx
behavioral2/files/0x000700000002349d-15.dat	upx
behavioral2/files/0x000700000002349e-21.dat	upx
behavioral2/files/0x00070000000234a0-33.dat	upx
behavioral2/memory/2016-39-0x00007FF7EB120000-0x00007FF7EB516000-memory.dmp	upx
behavioral2/files/0x00070000000234a4-45.dat	upx
behavioral2/files/0x00070000000234a5-63.dat	upx
behavioral2/files/0x00070000000234a6-71.dat	upx
behavioral2/memory/4172-80-0x00007FF796720000-0x00007FF796B16000-memory.dmp	upx
behavioral2/memory/2312-81-0x00007FF6B1500000-0x00007FF6B18F6000-memory.dmp	upx
behavioral2/memory/4652-79-0x00007FF730B20000-0x00007FF730F16000-memory.dmp	upx
behavioral2/memory/3924-78-0x00007FF632850000-0x00007FF632C46000-memory.dmp	upx
behavioral2/memory/4288-75-0x00007FF7E8620000-0x00007FF7E8A16000-memory.dmp	upx
behavioral2/memory/3452-70-0x00007FF746210000-0x00007FF746606000-memory.dmp	upx
behavioral2/memory/2912-60-0x00007FF6C2400000-0x00007FF6C27F6000-memory.dmp	upx
behavioral2/files/0x00070000000234a3-59.dat	upx
behavioral2/files/0x00070000000234a2-48.dat	upx
behavioral2/files/0x00070000000234a1-46.dat	upx
behavioral2/memory/4248-42-0x00007FF6EA350000-0x00007FF6EA746000-memory.dmp	upx
behavioral2/files/0x000700000002349f-35.dat	upx
behavioral2/memory/1280-30-0x00007FF7DD160000-0x00007FF7DD556000-memory.dmp	upx
behavioral2/files/0x0009000000023496-8.dat	upx
behavioral2/files/0x00070000000234a9-85.dat	upx
behavioral2/files/0x000800000002349a-89.dat	upx
behavioral2/files/0x00080000000234a7-96.dat	upx
behavioral2/files/0x00070000000234aa-108.dat	upx
behavioral2/files/0x00070000000234ac-113.dat	upx
behavioral2/memory/3296-127-0x00007FF767AB0000-0x00007FF767EA6000-memory.dmp	upx
behavioral2/memory/1380-133-0x00007FF6C2550000-0x00007FF6C2946000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-136.dat	upx
behavioral2/files/0x00070000000234af-138.dat	upx
behavioral2/memory/2088-142-0x00007FF69CB00000-0x00007FF69CEF6000-memory.dmp	upx
behavioral2/memory/4604-143-0x00007FF71D460000-0x00007FF71D856000-memory.dmp	upx
behavioral2/memory/620-137-0x00007FF67EB90000-0x00007FF67EF86000-memory.dmp	upx
behavioral2/memory/3492-134-0x00007FF73CF50000-0x00007FF73D346000-memory.dmp	upx
behavioral2/files/0x00070000000234ad-129.dat	upx
behavioral2/memory/4736-119-0x00007FF692C70000-0x00007FF693066000-memory.dmp	upx
behavioral2/files/0x00080000000234a8-118.dat	upx
behavioral2/files/0x00070000000234ab-116.dat	upx
behavioral2/memory/3652-110-0x00007FF7221E0000-0x00007FF7225D6000-memory.dmp	upx
behavioral2/memory/800-99-0x00007FF6CF520000-0x00007FF6CF916000-memory.dmp	upx
behavioral2/files/0x00070000000234b0-146.dat	upx
behavioral2/files/0x00070000000234b2-153.dat	upx
behavioral2/memory/3176-151-0x00007FF74FAE0000-0x00007FF74FED6000-memory.dmp	upx
behavioral2/memory/4896-93-0x00007FF783EE0000-0x00007FF7842D6000-memory.dmp	upx
behavioral2/memory/264-263-0x00007FF747190000-0x00007FF747586000-memory.dmp	upx
behavioral2/memory/4568-297-0x00007FF7CF9A0000-0x00007FF7CFD96000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-307.dat	upx
behavioral2/files/0x00070000000234e4-337.dat	upx
behavioral2/files/0x00070000000234e2-332.dat	upx
behavioral2/files/0x00070000000234e3-330.dat	upx
behavioral2/files/0x00070000000234e8-356.dat	upx
behavioral2/files/0x00070000000234ef-359.dat	upx
behavioral2/memory/4248-318-0x00007FF6EA350000-0x00007FF6EA746000-memory.dmp	upx
behavioral2/memory/1548-317-0x00007FF6A20E0000-0x00007FF6A24D6000-memory.dmp	upx
behavioral2/files/0x00070000000234de-306.dat	upx
behavioral2/files/0x00070000000234dc-305.dat	upx
behavioral2/files/0x00070000000234b3-288.dat	upx
behavioral2/files/0x00070000000234da-291.dat	upx
behavioral2/memory/3452-283-0x00007FF746210000-0x00007FF746606000-memory.dmp	upx
behavioral2/memory/2912-280-0x00007FF6C2400000-0x00007FF6C27F6000-memory.dmp	upx
behavioral2/memory/4896-904-0x00007FF783EE0000-0x00007FF7842D6000-memory.dmp	upx
behavioral2/memory/800-1496-0x00007FF6CF520000-0x00007FF6CF916000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\gSRvvMv.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\NLYjTLo.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\irntxAp.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\BozRuuz.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\zkWUhDW.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\vXLFLzo.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\xzuucFG.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\kKyfOyP.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\iHyShUb.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\uooaMbL.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\OeJleoQ.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\HeHYDBm.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\EaQYQWi.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\ZHqUJOL.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\OUDUEtr.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\JrOtsLt.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\FeCWJfT.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\xzlLszF.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\rFLxApM.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\sYPWeiP.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\BxGxJvh.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\EWivcMm.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\tpUdVGQ.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\aYCmAnF.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\lsiTExL.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\uBEzjKw.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\RcMVyEs.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\OGEkUan.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\OjnhvMq.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\TGYvHGL.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\olKmwhr.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\rTggtXK.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\CjKqgVD.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\cGTEFYT.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\MQLQzcN.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\JmnLMjB.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\usbTZjr.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\lZAZXTA.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\fcNLOGp.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\NoVnPJE.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\QBcZrvU.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\tLuJdai.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\dYRAYYH.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\KOlFbnd.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\YazGHKg.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\TkCOCTy.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\YIlXhdt.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\JQdsxHF.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\rKLtPoQ.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\jfbUZyc.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\zYENtum.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\jjhkdYp.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\dtBgozw.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\SBGhKZI.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\eYsQMru.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\djQFCuW.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\osWnrYv.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\xOfshxm.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\sMKmUKl.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\bZVVqPb.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\pJWvFnN.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\QswSeFE.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\OTyIeZy.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
File created	C:\Windows\System\yJmIthB.exe	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
412	powershell.exe
412	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeLockMemoryPrivilege	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	13588	dwm.exe
Token: SeChangeNotifyPrivilege	13588	dwm.exe
Token: 33	13588	dwm.exe
Token: SeIncBasePriorityPrivilege	13588	dwm.exe
Token: SeShutdownPrivilege	13588	dwm.exe
Token: SeCreatePagefilePrivilege	13588	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 412	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	86
PID 264 wrote to memory of 412	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	86
PID 264 wrote to memory of 1580	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	87
PID 264 wrote to memory of 1580	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	87
PID 264 wrote to memory of 4288	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	88
PID 264 wrote to memory of 4288	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	88
PID 264 wrote to memory of 1280	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	89
PID 264 wrote to memory of 1280	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	89
PID 264 wrote to memory of 2016	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	90
PID 264 wrote to memory of 2016	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	90
PID 264 wrote to memory of 3924	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	91
PID 264 wrote to memory of 3924	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	91
PID 264 wrote to memory of 4248	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	92
PID 264 wrote to memory of 4248	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	92
PID 264 wrote to memory of 2912	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	93
PID 264 wrote to memory of 2912	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	93
PID 264 wrote to memory of 3452	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	94
PID 264 wrote to memory of 3452	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	94
PID 264 wrote to memory of 4652	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	95
PID 264 wrote to memory of 4652	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	95
PID 264 wrote to memory of 4172	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	96
PID 264 wrote to memory of 4172	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	96
PID 264 wrote to memory of 2312	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	97
PID 264 wrote to memory of 2312	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	97
PID 264 wrote to memory of 4896	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	98
PID 264 wrote to memory of 4896	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	98
PID 264 wrote to memory of 800	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	99
PID 264 wrote to memory of 800	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	99
PID 264 wrote to memory of 3652	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	100
PID 264 wrote to memory of 3652	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	100
PID 264 wrote to memory of 3296	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	101
PID 264 wrote to memory of 3296	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	101
PID 264 wrote to memory of 4736	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	102
PID 264 wrote to memory of 4736	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	102
PID 264 wrote to memory of 1380	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	103
PID 264 wrote to memory of 1380	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	103
PID 264 wrote to memory of 3492	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	104
PID 264 wrote to memory of 3492	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	104
PID 264 wrote to memory of 2088	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	105
PID 264 wrote to memory of 2088	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	105
PID 264 wrote to memory of 620	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	106
PID 264 wrote to memory of 620	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	106
PID 264 wrote to memory of 4604	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	107
PID 264 wrote to memory of 4604	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	107
PID 264 wrote to memory of 3176	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	108
PID 264 wrote to memory of 3176	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	108
PID 264 wrote to memory of 4568	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	109
PID 264 wrote to memory of 4568	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	109
PID 264 wrote to memory of 1548	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	111
PID 264 wrote to memory of 1548	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	111
PID 264 wrote to memory of 5096	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	113
PID 264 wrote to memory of 5096	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	113
PID 264 wrote to memory of 2052	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	114
PID 264 wrote to memory of 2052	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	114
PID 264 wrote to memory of 2384	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	115
PID 264 wrote to memory of 2384	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	115
PID 264 wrote to memory of 1328	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	116
PID 264 wrote to memory of 1328	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	116
PID 264 wrote to memory of 4860	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	117
PID 264 wrote to memory of 4860	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	117
PID 264 wrote to memory of 4992	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	118
PID 264 wrote to memory of 4992	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	118
PID 264 wrote to memory of 2000	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	119
PID 264 wrote to memory of 2000	264	10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe	119

C:\Users\Admin\AppData\Local\Temp\10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\10bd318d69bbaec0c81cf390cafa3240_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:412
- C:\Windows\System\vQXbEfc.exe
  C:\Windows\System\vQXbEfc.exe
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Windows\System\hrxfHnm.exe
  C:\Windows\System\hrxfHnm.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\YRDCWHw.exe
  C:\Windows\System\YRDCWHw.exe
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Windows\System\EOgByjJ.exe
  C:\Windows\System\EOgByjJ.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\MsxPAqn.exe
  C:\Windows\System\MsxPAqn.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\IyzlRVj.exe
  C:\Windows\System\IyzlRVj.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\ScUWMbw.exe
  C:\Windows\System\ScUWMbw.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\UXsdeRe.exe
  C:\Windows\System\UXsdeRe.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\nCnCqXr.exe
  C:\Windows\System\nCnCqXr.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\YrWgOTX.exe
  C:\Windows\System\YrWgOTX.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\dynpPEy.exe
  C:\Windows\System\dynpPEy.exe
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Windows\System\kSGNVks.exe
  C:\Windows\System\kSGNVks.exe
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\Windows\System\yQoQvaB.exe
  C:\Windows\System\yQoQvaB.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\CMMulpK.exe
  C:\Windows\System\CMMulpK.exe
  2⤵
  - Executes dropped EXE
  PID:3652
- C:\Windows\System\FqFWljf.exe
  C:\Windows\System\FqFWljf.exe
  2⤵
  - Executes dropped EXE
  PID:3296
- C:\Windows\System\iYiyJvn.exe
  C:\Windows\System\iYiyJvn.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\cUygsOS.exe
  C:\Windows\System\cUygsOS.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\hKnAcdA.exe
  C:\Windows\System\hKnAcdA.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\GufkAiS.exe
  C:\Windows\System\GufkAiS.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\qETnAxF.exe
  C:\Windows\System\qETnAxF.exe
  2⤵
  - Executes dropped EXE
  PID:620
- C:\Windows\System\jBtFQNZ.exe
  C:\Windows\System\jBtFQNZ.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\ncEHNJh.exe
  C:\Windows\System\ncEHNJh.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\mIGuvyj.exe
  C:\Windows\System\mIGuvyj.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\eIjGXHZ.exe
  C:\Windows\System\eIjGXHZ.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\DPDMfwt.exe
  C:\Windows\System\DPDMfwt.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\pQwEIkR.exe
  C:\Windows\System\pQwEIkR.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\OqyyChh.exe
  C:\Windows\System\OqyyChh.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\FZINmcH.exe
  C:\Windows\System\FZINmcH.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\qZWwWQL.exe
  C:\Windows\System\qZWwWQL.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\cKhWqFy.exe
  C:\Windows\System\cKhWqFy.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\qqRAmCV.exe
  C:\Windows\System\qqRAmCV.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\LdoLzfz.exe
  C:\Windows\System\LdoLzfz.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\nIkOhkI.exe
  C:\Windows\System\nIkOhkI.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\hANWbXc.exe
  C:\Windows\System\hANWbXc.exe
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\Windows\System\YtNafnU.exe
  C:\Windows\System\YtNafnU.exe
  2⤵
  - Executes dropped EXE
  PID:3512
- C:\Windows\System\VxhBpMb.exe
  C:\Windows\System\VxhBpMb.exe
  2⤵
  - Executes dropped EXE
  PID:3528
- C:\Windows\System\rMRZryR.exe
  C:\Windows\System\rMRZryR.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\GlwNJWe.exe
  C:\Windows\System\GlwNJWe.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\tlLWniA.exe
  C:\Windows\System\tlLWniA.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\LaxPlWi.exe
  C:\Windows\System\LaxPlWi.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\qeWGrhf.exe
  C:\Windows\System\qeWGrhf.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\hZOxxeS.exe
  C:\Windows\System\hZOxxeS.exe
  2⤵
  - Executes dropped EXE
  PID:3588
- C:\Windows\System\mBOBpNP.exe
  C:\Windows\System\mBOBpNP.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\FbJTaHm.exe
  C:\Windows\System\FbJTaHm.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\cOUfYGs.exe
  C:\Windows\System\cOUfYGs.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\System\ptBnSlW.exe
  C:\Windows\System\ptBnSlW.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\VZxSKvV.exe
  C:\Windows\System\VZxSKvV.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\gjoRayX.exe
  C:\Windows\System\gjoRayX.exe
  2⤵
  - Executes dropped EXE
  PID:3164
- C:\Windows\System\lFIGZeA.exe
  C:\Windows\System\lFIGZeA.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\VKxFatU.exe
  C:\Windows\System\VKxFatU.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\rxYzsat.exe
  C:\Windows\System\rxYzsat.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\ttLjDcS.exe
  C:\Windows\System\ttLjDcS.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\TfQcCYT.exe
  C:\Windows\System\TfQcCYT.exe
  2⤵
  - Executes dropped EXE
  PID:3080
- C:\Windows\System\qgrGQzq.exe
  C:\Windows\System\qgrGQzq.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\WmumwrX.exe
  C:\Windows\System\WmumwrX.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\gSRvvMv.exe
  C:\Windows\System\gSRvvMv.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\eufKFqI.exe
  C:\Windows\System\eufKFqI.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\miDOJqq.exe
  C:\Windows\System\miDOJqq.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\chDeLbh.exe
  C:\Windows\System\chDeLbh.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\QhFlzIE.exe
  C:\Windows\System\QhFlzIE.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\PxIGYjg.exe
  C:\Windows\System\PxIGYjg.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\dcVGpQr.exe
  C:\Windows\System\dcVGpQr.exe
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\Windows\System\DJOHnkO.exe
  C:\Windows\System\DJOHnkO.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\CZNnfpT.exe
  C:\Windows\System\CZNnfpT.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\JLgsKro.exe
  C:\Windows\System\JLgsKro.exe
  2⤵
  PID:1440
- C:\Windows\System\aLixvcg.exe
  C:\Windows\System\aLixvcg.exe
  2⤵
  PID:3560
- C:\Windows\System\EfkrROi.exe
  C:\Windows\System\EfkrROi.exe
  2⤵
  PID:1456
- C:\Windows\System\VLzVMdW.exe
  C:\Windows\System\VLzVMdW.exe
  2⤵
  PID:1560
- C:\Windows\System\dhZGysv.exe
  C:\Windows\System\dhZGysv.exe
  2⤵
  PID:5072
- C:\Windows\System\PSdEkcZ.exe
  C:\Windows\System\PSdEkcZ.exe
  2⤵
  PID:2036
- C:\Windows\System\fISVBYg.exe
  C:\Windows\System\fISVBYg.exe
  2⤵
  PID:1396
- C:\Windows\System\MxYQaRI.exe
  C:\Windows\System\MxYQaRI.exe
  2⤵
  PID:1468
- C:\Windows\System\ERqDudZ.exe
  C:\Windows\System\ERqDudZ.exe
  2⤵
  PID:3660
- C:\Windows\System\OhgFZee.exe
  C:\Windows\System\OhgFZee.exe
  2⤵
  PID:3740
- C:\Windows\System\nYgFnos.exe
  C:\Windows\System\nYgFnos.exe
  2⤵
  PID:1496
- C:\Windows\System\BiUkOyc.exe
  C:\Windows\System\BiUkOyc.exe
  2⤵
  PID:4392
- C:\Windows\System\dhNUpRk.exe
  C:\Windows\System\dhNUpRk.exe
  2⤵
  PID:4080
- C:\Windows\System\nSPLAcx.exe
  C:\Windows\System\nSPLAcx.exe
  2⤵
  PID:5148
- C:\Windows\System\HcvndKi.exe
  C:\Windows\System\HcvndKi.exe
  2⤵
  PID:5176
- C:\Windows\System\DcoOQOu.exe
  C:\Windows\System\DcoOQOu.exe
  2⤵
  PID:5208
- C:\Windows\System\CyEtPxQ.exe
  C:\Windows\System\CyEtPxQ.exe
  2⤵
  PID:5244
- C:\Windows\System\DEmklvQ.exe
  C:\Windows\System\DEmklvQ.exe
  2⤵
  PID:5268
- C:\Windows\System\wYkOjPk.exe
  C:\Windows\System\wYkOjPk.exe
  2⤵
  PID:5312
- C:\Windows\System\BrRBMmK.exe
  C:\Windows\System\BrRBMmK.exe
  2⤵
  PID:5452
- C:\Windows\System\LDSJCfq.exe
  C:\Windows\System\LDSJCfq.exe
  2⤵
  PID:5504
- C:\Windows\System\msotRJl.exe
  C:\Windows\System\msotRJl.exe
  2⤵
  PID:5612
- C:\Windows\System\BdTpuyq.exe
  C:\Windows\System\BdTpuyq.exe
  2⤵
  PID:5648
- C:\Windows\System\HYNUgkx.exe
  C:\Windows\System\HYNUgkx.exe
  2⤵
  PID:5676
- C:\Windows\System\MrASdQn.exe
  C:\Windows\System\MrASdQn.exe
  2⤵
  PID:5708
- C:\Windows\System\hYhBBdA.exe
  C:\Windows\System\hYhBBdA.exe
  2⤵
  PID:5736
- C:\Windows\System\ybZkUuy.exe
  C:\Windows\System\ybZkUuy.exe
  2⤵
  PID:5780
- C:\Windows\System\jhgEENy.exe
  C:\Windows\System\jhgEENy.exe
  2⤵
  PID:5816
- C:\Windows\System\eURXlLk.exe
  C:\Windows\System\eURXlLk.exe
  2⤵
  PID:5840
- C:\Windows\System\RkBEbjw.exe
  C:\Windows\System\RkBEbjw.exe
  2⤵
  PID:5864
- C:\Windows\System\EHLJjHv.exe
  C:\Windows\System\EHLJjHv.exe
  2⤵
  PID:5884
- C:\Windows\System\kKyfOyP.exe
  C:\Windows\System\kKyfOyP.exe
  2⤵
  PID:5936
- C:\Windows\System\nEpdzDq.exe
  C:\Windows\System\nEpdzDq.exe
  2⤵
  PID:5972
- C:\Windows\System\GnUKDcU.exe
  C:\Windows\System\GnUKDcU.exe
  2⤵
  PID:6000
- C:\Windows\System\fFQGjVx.exe
  C:\Windows\System\fFQGjVx.exe
  2⤵
  PID:6036
- C:\Windows\System\cDYnaXK.exe
  C:\Windows\System\cDYnaXK.exe
  2⤵
  PID:6072
- C:\Windows\System\WNAAoFe.exe
  C:\Windows\System\WNAAoFe.exe
  2⤵
  PID:6100
- C:\Windows\System\biPZnGK.exe
  C:\Windows\System\biPZnGK.exe
  2⤵
  PID:6132
- C:\Windows\System\LlQNyKM.exe
  C:\Windows\System\LlQNyKM.exe
  2⤵
  PID:1732
- C:\Windows\System\PyzMpJS.exe
  C:\Windows\System\PyzMpJS.exe
  2⤵
  PID:3480
- C:\Windows\System\SkTvAiK.exe
  C:\Windows\System\SkTvAiK.exe
  2⤵
  PID:5168
- C:\Windows\System\cuAXqnC.exe
  C:\Windows\System\cuAXqnC.exe
  2⤵
  PID:1124
- C:\Windows\System\uXqtQWV.exe
  C:\Windows\System\uXqtQWV.exe
  2⤵
  PID:4948
- C:\Windows\System\TOGyMNS.exe
  C:\Windows\System\TOGyMNS.exe
  2⤵
  PID:2284
- C:\Windows\System\uRzmGwN.exe
  C:\Windows\System\uRzmGwN.exe
  2⤵
  PID:5264
- C:\Windows\System\xOePKUp.exe
  C:\Windows\System\xOePKUp.exe
  2⤵
  PID:5304
- C:\Windows\System\eAPRiRm.exe
  C:\Windows\System\eAPRiRm.exe
  2⤵
  PID:5388
- C:\Windows\System\nUJFHfT.exe
  C:\Windows\System\nUJFHfT.exe
  2⤵
  PID:1912
- C:\Windows\System\RxvFIfI.exe
  C:\Windows\System\RxvFIfI.exe
  2⤵
  PID:5020
- C:\Windows\System\eitHmWr.exe
  C:\Windows\System\eitHmWr.exe
  2⤵
  PID:5476
- C:\Windows\System\cNDXbOC.exe
  C:\Windows\System\cNDXbOC.exe
  2⤵
  PID:5520
- C:\Windows\System\GdGPzoI.exe
  C:\Windows\System\GdGPzoI.exe
  2⤵
  PID:5564
- C:\Windows\System\hNgJDCZ.exe
  C:\Windows\System\hNgJDCZ.exe
  2⤵
  PID:3964
- C:\Windows\System\ngzBTuf.exe
  C:\Windows\System\ngzBTuf.exe
  2⤵
  PID:4540
- C:\Windows\System\JeJpcry.exe
  C:\Windows\System\JeJpcry.exe
  2⤵
  PID:5660
- C:\Windows\System\RwFjRTd.exe
  C:\Windows\System\RwFjRTd.exe
  2⤵
  PID:5716
- C:\Windows\System\VxbjfzB.exe
  C:\Windows\System\VxbjfzB.exe
  2⤵
  PID:3112
- C:\Windows\System\LKgXYzS.exe
  C:\Windows\System\LKgXYzS.exe
  2⤵
  PID:5768
- C:\Windows\System\ljKlXma.exe
  C:\Windows\System\ljKlXma.exe
  2⤵
  PID:5812
- C:\Windows\System\apkACoy.exe
  C:\Windows\System\apkACoy.exe
  2⤵
  PID:5856
- C:\Windows\System\iWRLYdc.exe
  C:\Windows\System\iWRLYdc.exe
  2⤵
  PID:5920
- C:\Windows\System\ryZzfhI.exe
  C:\Windows\System\ryZzfhI.exe
  2⤵
  PID:5992
- C:\Windows\System\ALxZrsN.exe
  C:\Windows\System\ALxZrsN.exe
  2⤵
  PID:6064
- C:\Windows\System\srnMses.exe
  C:\Windows\System\srnMses.exe
  2⤵
  PID:6140
- C:\Windows\System\cUrxjEx.exe
  C:\Windows\System\cUrxjEx.exe
  2⤵
  PID:5220
- C:\Windows\System\ZbKknrb.exe
  C:\Windows\System\ZbKknrb.exe
  2⤵
  PID:2864
- C:\Windows\System\WIBSdbK.exe
  C:\Windows\System\WIBSdbK.exe
  2⤵
  PID:5368
- C:\Windows\System\GSTUNTX.exe
  C:\Windows\System\GSTUNTX.exe
  2⤵
  PID:5412
- C:\Windows\System\VWTKtZZ.exe
  C:\Windows\System\VWTKtZZ.exe
  2⤵
  PID:1388
- C:\Windows\System\GwZVSSD.exe
  C:\Windows\System\GwZVSSD.exe
  2⤵
  PID:5608
- C:\Windows\System\dfhzRtI.exe
  C:\Windows\System\dfhzRtI.exe
  2⤵
  PID:4400
- C:\Windows\System\wLksGrP.exe
  C:\Windows\System\wLksGrP.exe
  2⤵
  PID:4600
- C:\Windows\System\dmanQOE.exe
  C:\Windows\System\dmanQOE.exe
  2⤵
  PID:5592
- C:\Windows\System\jOmvlYw.exe
  C:\Windows\System\jOmvlYw.exe
  2⤵
  PID:5904
- C:\Windows\System\QugZEWz.exe
  C:\Windows\System\QugZEWz.exe
  2⤵
  PID:6116
- C:\Windows\System\bcHuhck.exe
  C:\Windows\System\bcHuhck.exe
  2⤵
  PID:5228
- C:\Windows\System\eReprKs.exe
  C:\Windows\System\eReprKs.exe
  2⤵
  PID:2516
- C:\Windows\System\caCrFeT.exe
  C:\Windows\System\caCrFeT.exe
  2⤵
  PID:5776
- C:\Windows\System\SsyLwmS.exe
  C:\Windows\System\SsyLwmS.exe
  2⤵
  PID:4724
- C:\Windows\System\Tpkbvcn.exe
  C:\Windows\System\Tpkbvcn.exe
  2⤵
  PID:1848
- C:\Windows\System\trsNFvb.exe
  C:\Windows\System\trsNFvb.exe
  2⤵
  PID:5876
- C:\Windows\System\bvUSePu.exe
  C:\Windows\System\bvUSePu.exe
  2⤵
  PID:940
- C:\Windows\System\daEIKXY.exe
  C:\Windows\System\daEIKXY.exe
  2⤵
  PID:6180
- C:\Windows\System\lDFNAcG.exe
  C:\Windows\System\lDFNAcG.exe
  2⤵
  PID:6204
- C:\Windows\System\PRdyRzR.exe
  C:\Windows\System\PRdyRzR.exe
  2⤵
  PID:6232
- C:\Windows\System\FdoCzic.exe
  C:\Windows\System\FdoCzic.exe
  2⤵
  PID:6260
- C:\Windows\System\owJoHWM.exe
  C:\Windows\System\owJoHWM.exe
  2⤵
  PID:6288
- C:\Windows\System\zoWnuOH.exe
  C:\Windows\System\zoWnuOH.exe
  2⤵
  PID:6316
- C:\Windows\System\PMqylVb.exe
  C:\Windows\System\PMqylVb.exe
  2⤵
  PID:6344
- C:\Windows\System\LdWamMx.exe
  C:\Windows\System\LdWamMx.exe
  2⤵
  PID:6372
- C:\Windows\System\MAUMXid.exe
  C:\Windows\System\MAUMXid.exe
  2⤵
  PID:6400
- C:\Windows\System\KcJTtGB.exe
  C:\Windows\System\KcJTtGB.exe
  2⤵
  PID:6428
- C:\Windows\System\ASMnxkW.exe
  C:\Windows\System\ASMnxkW.exe
  2⤵
  PID:6456
- C:\Windows\System\zGPYKgZ.exe
  C:\Windows\System\zGPYKgZ.exe
  2⤵
  PID:6488
- C:\Windows\System\HaAwjNA.exe
  C:\Windows\System\HaAwjNA.exe
  2⤵
  PID:6516
- C:\Windows\System\rjoWVHd.exe
  C:\Windows\System\rjoWVHd.exe
  2⤵
  PID:6544
- C:\Windows\System\ceVXEeA.exe
  C:\Windows\System\ceVXEeA.exe
  2⤵
  PID:6572
- C:\Windows\System\FpBMLWm.exe
  C:\Windows\System\FpBMLWm.exe
  2⤵
  PID:6600
- C:\Windows\System\odTPPVk.exe
  C:\Windows\System\odTPPVk.exe
  2⤵
  PID:6628
- C:\Windows\System\IjBneXc.exe
  C:\Windows\System\IjBneXc.exe
  2⤵
  PID:6656
- C:\Windows\System\bLvgZjY.exe
  C:\Windows\System\bLvgZjY.exe
  2⤵
  PID:6700
- C:\Windows\System\IJbosHp.exe
  C:\Windows\System\IJbosHp.exe
  2⤵
  PID:6728
- C:\Windows\System\ZmaHTfD.exe
  C:\Windows\System\ZmaHTfD.exe
  2⤵
  PID:6772
- C:\Windows\System\iSojGyk.exe
  C:\Windows\System\iSojGyk.exe
  2⤵
  PID:6816
- C:\Windows\System\IfSjMUb.exe
  C:\Windows\System\IfSjMUb.exe
  2⤵
  PID:6872
- C:\Windows\System\ObKhkps.exe
  C:\Windows\System\ObKhkps.exe
  2⤵
  PID:6904
- C:\Windows\System\glpWnuN.exe
  C:\Windows\System\glpWnuN.exe
  2⤵
  PID:6932
- C:\Windows\System\pjEIhju.exe
  C:\Windows\System\pjEIhju.exe
  2⤵
  PID:6960
- C:\Windows\System\ujeKtnE.exe
  C:\Windows\System\ujeKtnE.exe
  2⤵
  PID:7016
- C:\Windows\System\vWUyNWr.exe
  C:\Windows\System\vWUyNWr.exe
  2⤵
  PID:7044
- C:\Windows\System\zFbqcuY.exe
  C:\Windows\System\zFbqcuY.exe
  2⤵
  PID:7080
- C:\Windows\System\MoyaNKE.exe
  C:\Windows\System\MoyaNKE.exe
  2⤵
  PID:7144
- C:\Windows\System\qionVXY.exe
  C:\Windows\System\qionVXY.exe
  2⤵
  PID:6172
- C:\Windows\System\SzJHABY.exe
  C:\Windows\System\SzJHABY.exe
  2⤵
  PID:6248
- C:\Windows\System\UVlIaxF.exe
  C:\Windows\System\UVlIaxF.exe
  2⤵
  PID:6336
- C:\Windows\System\sSihinH.exe
  C:\Windows\System\sSihinH.exe
  2⤵
  PID:6396
- C:\Windows\System\FQQykDp.exe
  C:\Windows\System\FQQykDp.exe
  2⤵
  PID:6480
- C:\Windows\System\MDUYNBJ.exe
  C:\Windows\System\MDUYNBJ.exe
  2⤵
  PID:6508
- C:\Windows\System\AgOoPbY.exe
  C:\Windows\System\AgOoPbY.exe
  2⤵
  PID:6560
- C:\Windows\System\AiloDFq.exe
  C:\Windows\System\AiloDFq.exe
  2⤵
  PID:6592
- C:\Windows\System\bNdQlDK.exe
  C:\Windows\System\bNdQlDK.exe
  2⤵
  PID:6712
- C:\Windows\System\yfgNcIz.exe
  C:\Windows\System\yfgNcIz.exe
  2⤵
  PID:6812
- C:\Windows\System\IotqUje.exe
  C:\Windows\System\IotqUje.exe
  2⤵
  PID:6944
- C:\Windows\System\BGEKxlN.exe
  C:\Windows\System\BGEKxlN.exe
  2⤵
  PID:7028
- C:\Windows\System\HeupUhx.exe
  C:\Windows\System\HeupUhx.exe
  2⤵
  PID:7160
- C:\Windows\System\KqOjErJ.exe
  C:\Windows\System\KqOjErJ.exe
  2⤵
  PID:6332
- C:\Windows\System\tMyquvU.exe
  C:\Windows\System\tMyquvU.exe
  2⤵
  PID:6448
- C:\Windows\System\ZwhnKEn.exe
  C:\Windows\System\ZwhnKEn.exe
  2⤵
  PID:6808
- C:\Windows\System\XLbYvpF.exe
  C:\Windows\System\XLbYvpF.exe
  2⤵
  PID:7012
- C:\Windows\System\csWZnNE.exe
  C:\Windows\System\csWZnNE.exe
  2⤵
  PID:6272
- C:\Windows\System\XixRVSj.exe
  C:\Windows\System\XixRVSj.exe
  2⤵
  PID:6884
- C:\Windows\System\YvBqcEP.exe
  C:\Windows\System\YvBqcEP.exe
  2⤵
  PID:6696
- C:\Windows\System\jfKPkfA.exe
  C:\Windows\System\jfKPkfA.exe
  2⤵
  PID:7192
- C:\Windows\System\SBGhKZI.exe
  C:\Windows\System\SBGhKZI.exe
  2⤵
  PID:7220
- C:\Windows\System\IjGwUeP.exe
  C:\Windows\System\IjGwUeP.exe
  2⤵
  PID:7248
- C:\Windows\System\ldPenHs.exe
  C:\Windows\System\ldPenHs.exe
  2⤵
  PID:7276
- C:\Windows\System\rNsCpgJ.exe
  C:\Windows\System\rNsCpgJ.exe
  2⤵
  PID:7304
- C:\Windows\System\SfAGNvu.exe
  C:\Windows\System\SfAGNvu.exe
  2⤵
  PID:7336
- C:\Windows\System\jUDzpLM.exe
  C:\Windows\System\jUDzpLM.exe
  2⤵
  PID:7364
- C:\Windows\System\tEgvvaD.exe
  C:\Windows\System\tEgvvaD.exe
  2⤵
  PID:7392
- C:\Windows\System\qKPgCtq.exe
  C:\Windows\System\qKPgCtq.exe
  2⤵
  PID:7420
- C:\Windows\System\RlsimpN.exe
  C:\Windows\System\RlsimpN.exe
  2⤵
  PID:7448
- C:\Windows\System\equWBmw.exe
  C:\Windows\System\equWBmw.exe
  2⤵
  PID:7468
- C:\Windows\System\ZthVLkF.exe
  C:\Windows\System\ZthVLkF.exe
  2⤵
  PID:7504
- C:\Windows\System\wuyxWSp.exe
  C:\Windows\System\wuyxWSp.exe
  2⤵
  PID:7532
- C:\Windows\System\aaScspZ.exe
  C:\Windows\System\aaScspZ.exe
  2⤵
  PID:7560
- C:\Windows\System\ZYdkdwK.exe
  C:\Windows\System\ZYdkdwK.exe
  2⤵
  PID:7588
- C:\Windows\System\teiFOOq.exe
  C:\Windows\System\teiFOOq.exe
  2⤵
  PID:7620
- C:\Windows\System\FoVtlRS.exe
  C:\Windows\System\FoVtlRS.exe
  2⤵
  PID:7648
- C:\Windows\System\JZrSEXU.exe
  C:\Windows\System\JZrSEXU.exe
  2⤵
  PID:7676
- C:\Windows\System\YZwXIai.exe
  C:\Windows\System\YZwXIai.exe
  2⤵
  PID:7704
- C:\Windows\System\xQomcva.exe
  C:\Windows\System\xQomcva.exe
  2⤵
  PID:7740
- C:\Windows\System\qDWOvOI.exe
  C:\Windows\System\qDWOvOI.exe
  2⤵
  PID:7760
- C:\Windows\System\gFewMlD.exe
  C:\Windows\System\gFewMlD.exe
  2⤵
  PID:7784
- C:\Windows\System\dxftLJl.exe
  C:\Windows\System\dxftLJl.exe
  2⤵
  PID:7824
- C:\Windows\System\JkQBJXb.exe
  C:\Windows\System\JkQBJXb.exe
  2⤵
  PID:7844
- C:\Windows\System\ApnnBcv.exe
  C:\Windows\System\ApnnBcv.exe
  2⤵
  PID:7880
- C:\Windows\System\qBXogia.exe
  C:\Windows\System\qBXogia.exe
  2⤵
  PID:7908
- C:\Windows\System\DgJjdzZ.exe
  C:\Windows\System\DgJjdzZ.exe
  2⤵
  PID:7936
- C:\Windows\System\BxGxJvh.exe
  C:\Windows\System\BxGxJvh.exe
  2⤵
  PID:7968
- C:\Windows\System\VXacrBm.exe
  C:\Windows\System\VXacrBm.exe
  2⤵
  PID:7996
- C:\Windows\System\OAbnEne.exe
  C:\Windows\System\OAbnEne.exe
  2⤵
  PID:8024
- C:\Windows\System\Uxxlobs.exe
  C:\Windows\System\Uxxlobs.exe
  2⤵
  PID:8052
- C:\Windows\System\ImUjBzO.exe
  C:\Windows\System\ImUjBzO.exe
  2⤵
  PID:8080
- C:\Windows\System\fsZWWes.exe
  C:\Windows\System\fsZWWes.exe
  2⤵
  PID:8108
- C:\Windows\System\aGRWPcI.exe
  C:\Windows\System\aGRWPcI.exe
  2⤵
  PID:8136
- C:\Windows\System\oeisndm.exe
  C:\Windows\System\oeisndm.exe
  2⤵
  PID:8164
- C:\Windows\System\nylLXWn.exe
  C:\Windows\System\nylLXWn.exe
  2⤵
  PID:8184
- C:\Windows\System\CxXRyCx.exe
  C:\Windows\System\CxXRyCx.exe
  2⤵
  PID:7216
- C:\Windows\System\TFjpiuz.exe
  C:\Windows\System\TFjpiuz.exe
  2⤵
  PID:7272
- C:\Windows\System\VHZcOrr.exe
  C:\Windows\System\VHZcOrr.exe
  2⤵
  PID:7328
- C:\Windows\System\QXLokJx.exe
  C:\Windows\System\QXLokJx.exe
  2⤵
  PID:7444
- C:\Windows\System\WGRXUZl.exe
  C:\Windows\System\WGRXUZl.exe
  2⤵
  PID:7496
- C:\Windows\System\AMptfNd.exe
  C:\Windows\System\AMptfNd.exe
  2⤵
  PID:7556
- C:\Windows\System\tksblsc.exe
  C:\Windows\System\tksblsc.exe
  2⤵
  PID:7632
- C:\Windows\System\kgqlruz.exe
  C:\Windows\System\kgqlruz.exe
  2⤵
  PID:7672
- C:\Windows\System\LCWrhgU.exe
  C:\Windows\System\LCWrhgU.exe
  2⤵
  PID:7752
- C:\Windows\System\gbpxyLe.exe
  C:\Windows\System\gbpxyLe.exe
  2⤵
  PID:4852
- C:\Windows\System\LxTvypq.exe
  C:\Windows\System\LxTvypq.exe
  2⤵
  PID:7864
- C:\Windows\System\jOwqfvw.exe
  C:\Windows\System\jOwqfvw.exe
  2⤵
  PID:7928
- C:\Windows\System\dOvFOeC.exe
  C:\Windows\System\dOvFOeC.exe
  2⤵
  PID:7948
- C:\Windows\System\WMQiVQt.exe
  C:\Windows\System\WMQiVQt.exe
  2⤵
  PID:8044
- C:\Windows\System\csMFJnO.exe
  C:\Windows\System\csMFJnO.exe
  2⤵
  PID:8092
- C:\Windows\System\OQsOhhI.exe
  C:\Windows\System\OQsOhhI.exe
  2⤵
  PID:8180
- C:\Windows\System\zbkDFcW.exe
  C:\Windows\System\zbkDFcW.exe
  2⤵
  PID:7212
- C:\Windows\System\xvYMMyW.exe
  C:\Windows\System\xvYMMyW.exe
  2⤵
  PID:7380
- C:\Windows\System\vxbPyqv.exe
  C:\Windows\System\vxbPyqv.exe
  2⤵
  PID:7528
- C:\Windows\System\pqKMJrz.exe
  C:\Windows\System\pqKMJrz.exe
  2⤵
  PID:7716
- C:\Windows\System\nrOJAYk.exe
  C:\Windows\System\nrOJAYk.exe
  2⤵
  PID:7860
- C:\Windows\System\FZwrDci.exe
  C:\Windows\System\FZwrDci.exe
  2⤵
  PID:8128
- C:\Windows\System\zPxeMbO.exe
  C:\Windows\System\zPxeMbO.exe
  2⤵
  PID:7180
- C:\Windows\System\AZSvQwg.exe
  C:\Windows\System\AZSvQwg.exe
  2⤵
  PID:7604
- C:\Windows\System\adtfaCU.exe
  C:\Windows\System\adtfaCU.exe
  2⤵
  PID:7804
- C:\Windows\System\lNZuBda.exe
  C:\Windows\System\lNZuBda.exe
  2⤵
  PID:7476
- C:\Windows\System\OlRmKrC.exe
  C:\Windows\System\OlRmKrC.exe
  2⤵
  PID:8160
- C:\Windows\System\TjAvSGf.exe
  C:\Windows\System\TjAvSGf.exe
  2⤵
  PID:8216
- C:\Windows\System\UBsNckh.exe
  C:\Windows\System\UBsNckh.exe
  2⤵
  PID:8244
- C:\Windows\System\iXwtdgV.exe
  C:\Windows\System\iXwtdgV.exe
  2⤵
  PID:8272
- C:\Windows\System\fGBpZjS.exe
  C:\Windows\System\fGBpZjS.exe
  2⤵
  PID:8300
- C:\Windows\System\ePiQlyG.exe
  C:\Windows\System\ePiQlyG.exe
  2⤵
  PID:8328
- C:\Windows\System\OSzUwtj.exe
  C:\Windows\System\OSzUwtj.exe
  2⤵
  PID:8356
- C:\Windows\System\cZFaFhv.exe
  C:\Windows\System\cZFaFhv.exe
  2⤵
  PID:8384
- C:\Windows\System\RPWWzWK.exe
  C:\Windows\System\RPWWzWK.exe
  2⤵
  PID:8420
- C:\Windows\System\wvuYTky.exe
  C:\Windows\System\wvuYTky.exe
  2⤵
  PID:8460
- C:\Windows\System\BzjTKiR.exe
  C:\Windows\System\BzjTKiR.exe
  2⤵
  PID:8500
- C:\Windows\System\cCrgtDa.exe
  C:\Windows\System\cCrgtDa.exe
  2⤵
  PID:8532
- C:\Windows\System\GuskCSX.exe
  C:\Windows\System\GuskCSX.exe
  2⤵
  PID:8560
- C:\Windows\System\OhBTASJ.exe
  C:\Windows\System\OhBTASJ.exe
  2⤵
  PID:8576
- C:\Windows\System\onFvdRa.exe
  C:\Windows\System\onFvdRa.exe
  2⤵
  PID:8600
- C:\Windows\System\jIrgCyi.exe
  C:\Windows\System\jIrgCyi.exe
  2⤵
  PID:8644
- C:\Windows\System\HGRxikB.exe
  C:\Windows\System\HGRxikB.exe
  2⤵
  PID:8672
- C:\Windows\System\eLNsywu.exe
  C:\Windows\System\eLNsywu.exe
  2⤵
  PID:8700
- C:\Windows\System\yigINlo.exe
  C:\Windows\System\yigINlo.exe
  2⤵
  PID:8728
- C:\Windows\System\JfDeTcW.exe
  C:\Windows\System\JfDeTcW.exe
  2⤵
  PID:8744
- C:\Windows\System\QMdkWmY.exe
  C:\Windows\System\QMdkWmY.exe
  2⤵
  PID:8772
- C:\Windows\System\OVxTrOT.exe
  C:\Windows\System\OVxTrOT.exe
  2⤵
  PID:8808
- C:\Windows\System\BxoWtuo.exe
  C:\Windows\System\BxoWtuo.exe
  2⤵
  PID:8840
- C:\Windows\System\YiKUDxi.exe
  C:\Windows\System\YiKUDxi.exe
  2⤵
  PID:8868
- C:\Windows\System\hTNfHxz.exe
  C:\Windows\System\hTNfHxz.exe
  2⤵
  PID:8896
- C:\Windows\System\qzlybQV.exe
  C:\Windows\System\qzlybQV.exe
  2⤵
  PID:8924
- C:\Windows\System\goRZmBc.exe
  C:\Windows\System\goRZmBc.exe
  2⤵
  PID:8952
- C:\Windows\System\KeJLJfa.exe
  C:\Windows\System\KeJLJfa.exe
  2⤵
  PID:8980
- C:\Windows\System\bERNOBF.exe
  C:\Windows\System\bERNOBF.exe
  2⤵
  PID:9008
- C:\Windows\System\WCzdKkC.exe
  C:\Windows\System\WCzdKkC.exe
  2⤵
  PID:9036
- C:\Windows\System\XtFwFwD.exe
  C:\Windows\System\XtFwFwD.exe
  2⤵
  PID:9064
- C:\Windows\System\rbYHlmj.exe
  C:\Windows\System\rbYHlmj.exe
  2⤵
  PID:9092
- C:\Windows\System\rFLoNzC.exe
  C:\Windows\System\rFLoNzC.exe
  2⤵
  PID:9120
- C:\Windows\System\FCIiufg.exe
  C:\Windows\System\FCIiufg.exe
  2⤵
  PID:9136
- C:\Windows\System\ZhLlZQK.exe
  C:\Windows\System\ZhLlZQK.exe
  2⤵
  PID:9176
- C:\Windows\System\NCkfWpu.exe
  C:\Windows\System\NCkfWpu.exe
  2⤵
  PID:9200
- C:\Windows\System\MbHMFqF.exe
  C:\Windows\System\MbHMFqF.exe
  2⤵
  PID:8212
- C:\Windows\System\mqKcBnN.exe
  C:\Windows\System\mqKcBnN.exe
  2⤵
  PID:8264
- C:\Windows\System\ZqNDbnG.exe
  C:\Windows\System\ZqNDbnG.exe
  2⤵
  PID:8324
- C:\Windows\System\CKIuhxQ.exe
  C:\Windows\System\CKIuhxQ.exe
  2⤵
  PID:8396
- C:\Windows\System\saIoDrS.exe
  C:\Windows\System\saIoDrS.exe
  2⤵
  PID:8488
- C:\Windows\System\jYwoVzc.exe
  C:\Windows\System\jYwoVzc.exe
  2⤵
  PID:8572
- C:\Windows\System\UFLVQKz.exe
  C:\Windows\System\UFLVQKz.exe
  2⤵
  PID:8632
- C:\Windows\System\HMDLfga.exe
  C:\Windows\System\HMDLfga.exe
  2⤵
  PID:8696
- C:\Windows\System\nxzGYiY.exe
  C:\Windows\System\nxzGYiY.exe
  2⤵
  PID:8760
- C:\Windows\System\aJWYGBQ.exe
  C:\Windows\System\aJWYGBQ.exe
  2⤵
  PID:8836
- C:\Windows\System\yorPDZv.exe
  C:\Windows\System\yorPDZv.exe
  2⤵
  PID:8892
- C:\Windows\System\RkMztKF.exe
  C:\Windows\System\RkMztKF.exe
  2⤵
  PID:8964
- C:\Windows\System\EKJiXws.exe
  C:\Windows\System\EKJiXws.exe
  2⤵
  PID:9028
- C:\Windows\System\akAjbji.exe
  C:\Windows\System\akAjbji.exe
  2⤵
  PID:9088
- C:\Windows\System\HtqRZrB.exe
  C:\Windows\System\HtqRZrB.exe
  2⤵
  PID:9132
- C:\Windows\System\pyZGwLi.exe
  C:\Windows\System\pyZGwLi.exe
  2⤵
  PID:8200
- C:\Windows\System\pDACVYQ.exe
  C:\Windows\System\pDACVYQ.exe
  2⤵
  PID:8416
- C:\Windows\System\qSaeYfz.exe
  C:\Windows\System\qSaeYfz.exe
  2⤵
  PID:8512
- C:\Windows\System\LsQGDpm.exe
  C:\Windows\System\LsQGDpm.exe
  2⤵
  PID:8692
- C:\Windows\System\mQwAByH.exe
  C:\Windows\System\mQwAByH.exe
  2⤵
  PID:8856
- C:\Windows\System\EDlecoa.exe
  C:\Windows\System\EDlecoa.exe
  2⤵
  PID:9020
- C:\Windows\System\Csathkh.exe
  C:\Windows\System\Csathkh.exe
  2⤵
  PID:9164
- C:\Windows\System\GwOdqdY.exe
  C:\Windows\System\GwOdqdY.exe
  2⤵
  PID:8548
- C:\Windows\System\kBtZpCS.exe
  C:\Windows\System\kBtZpCS.exe
  2⤵
  PID:8824
- C:\Windows\System\ezJCoYd.exe
  C:\Windows\System\ezJCoYd.exe
  2⤵
  PID:9112
- C:\Windows\System\GTbTXne.exe
  C:\Windows\System\GTbTXne.exe
  2⤵
  PID:9056
- C:\Windows\System\jRNJvzs.exe
  C:\Windows\System\jRNJvzs.exe
  2⤵
  PID:9220
- C:\Windows\System\oyMZXGW.exe
  C:\Windows\System\oyMZXGW.exe
  2⤵
  PID:9244
- C:\Windows\System\ULxTMTH.exe
  C:\Windows\System\ULxTMTH.exe
  2⤵
  PID:9284
- C:\Windows\System\akRDqQu.exe
  C:\Windows\System\akRDqQu.exe
  2⤵
  PID:9304
- C:\Windows\System\EmiNtSH.exe
  C:\Windows\System\EmiNtSH.exe
  2⤵
  PID:9340
- C:\Windows\System\HHADKrF.exe
  C:\Windows\System\HHADKrF.exe
  2⤵
  PID:9368
- C:\Windows\System\bjJokhE.exe
  C:\Windows\System\bjJokhE.exe
  2⤵
  PID:9396
- C:\Windows\System\NNZsMGC.exe
  C:\Windows\System\NNZsMGC.exe
  2⤵
  PID:9424
- C:\Windows\System\xBIGbvv.exe
  C:\Windows\System\xBIGbvv.exe
  2⤵
  PID:9452
- C:\Windows\System\JahoWZN.exe
  C:\Windows\System\JahoWZN.exe
  2⤵
  PID:9480
- C:\Windows\System\uRdedzW.exe
  C:\Windows\System\uRdedzW.exe
  2⤵
  PID:9508
- C:\Windows\System\sLGXSuN.exe
  C:\Windows\System\sLGXSuN.exe
  2⤵
  PID:9524
- C:\Windows\System\mALULBK.exe
  C:\Windows\System\mALULBK.exe
  2⤵
  PID:9560
- C:\Windows\System\eVIlmKX.exe
  C:\Windows\System\eVIlmKX.exe
  2⤵
  PID:9592
- C:\Windows\System\awYVcqR.exe
  C:\Windows\System\awYVcqR.exe
  2⤵
  PID:9620
- C:\Windows\System\OyxkFSi.exe
  C:\Windows\System\OyxkFSi.exe
  2⤵
  PID:9648
- C:\Windows\System\oKmtHUH.exe
  C:\Windows\System\oKmtHUH.exe
  2⤵
  PID:9676
- C:\Windows\System\wTsxVgs.exe
  C:\Windows\System\wTsxVgs.exe
  2⤵
  PID:9704
- C:\Windows\System\skArGaC.exe
  C:\Windows\System\skArGaC.exe
  2⤵
  PID:9732
- C:\Windows\System\DGRGByl.exe
  C:\Windows\System\DGRGByl.exe
  2⤵
  PID:9760
- C:\Windows\System\BROFGLc.exe
  C:\Windows\System\BROFGLc.exe
  2⤵
  PID:9788
- C:\Windows\System\fXBIWlR.exe
  C:\Windows\System\fXBIWlR.exe
  2⤵
  PID:9816
- C:\Windows\System\SJAQYvZ.exe
  C:\Windows\System\SJAQYvZ.exe
  2⤵
  PID:9844
- C:\Windows\System\GpdlaLh.exe
  C:\Windows\System\GpdlaLh.exe
  2⤵
  PID:9872
- C:\Windows\System\ixkEQLE.exe
  C:\Windows\System\ixkEQLE.exe
  2⤵
  PID:9900
- C:\Windows\System\iKyBzik.exe
  C:\Windows\System\iKyBzik.exe
  2⤵
  PID:9928
- C:\Windows\System\XlPzLji.exe
  C:\Windows\System\XlPzLji.exe
  2⤵
  PID:9956
- C:\Windows\System\KgfbMmS.exe
  C:\Windows\System\KgfbMmS.exe
  2⤵
  PID:9984
- C:\Windows\System\pDTUoZg.exe
  C:\Windows\System\pDTUoZg.exe
  2⤵
  PID:10012
- C:\Windows\System\GKAtgFC.exe
  C:\Windows\System\GKAtgFC.exe
  2⤵
  PID:10040
- C:\Windows\System\AJiiBfZ.exe
  C:\Windows\System\AJiiBfZ.exe
  2⤵
  PID:10068
- C:\Windows\System\BQDyPYV.exe
  C:\Windows\System\BQDyPYV.exe
  2⤵
  PID:10096
- C:\Windows\System\tCFMNvJ.exe
  C:\Windows\System\tCFMNvJ.exe
  2⤵
  PID:10124
- C:\Windows\System\VOJcwfu.exe
  C:\Windows\System\VOJcwfu.exe
  2⤵
  PID:10152
- C:\Windows\System\ZKUwDSZ.exe
  C:\Windows\System\ZKUwDSZ.exe
  2⤵
  PID:10180
- C:\Windows\System\jVKAWDJ.exe
  C:\Windows\System\jVKAWDJ.exe
  2⤵
  PID:10208
- C:\Windows\System\efIFsHN.exe
  C:\Windows\System\efIFsHN.exe
  2⤵
  PID:10236
- C:\Windows\System\kbZTuuZ.exe
  C:\Windows\System\kbZTuuZ.exe
  2⤵
  PID:9256
- C:\Windows\System\gzTreTb.exe
  C:\Windows\System\gzTreTb.exe
  2⤵
  PID:9332
- C:\Windows\System\tLDjUXA.exe
  C:\Windows\System\tLDjUXA.exe
  2⤵
  PID:9388
- C:\Windows\System\wAZYPZr.exe
  C:\Windows\System\wAZYPZr.exe
  2⤵
  PID:9472
- C:\Windows\System\UIYwtuP.exe
  C:\Windows\System\UIYwtuP.exe
  2⤵
  PID:9540
- C:\Windows\System\OUDUEtr.exe
  C:\Windows\System\OUDUEtr.exe
  2⤵
  PID:9604
- C:\Windows\System\XQXLeNu.exe
  C:\Windows\System\XQXLeNu.exe
  2⤵
  PID:9644
- C:\Windows\System\cDREFUC.exe
  C:\Windows\System\cDREFUC.exe
  2⤵
  PID:9724
- C:\Windows\System\SySIKiT.exe
  C:\Windows\System\SySIKiT.exe
  2⤵
  PID:9800
- C:\Windows\System\vczpCZw.exe
  C:\Windows\System\vczpCZw.exe
  2⤵
  PID:9856
- C:\Windows\System\DdahdeL.exe
  C:\Windows\System\DdahdeL.exe
  2⤵
  PID:9912
- C:\Windows\System\ARcnsTy.exe
  C:\Windows\System\ARcnsTy.exe
  2⤵
  PID:9980
- C:\Windows\System\MJOeMHK.exe
  C:\Windows\System\MJOeMHK.exe
  2⤵
  PID:10052
- C:\Windows\System\MOuyYFc.exe
  C:\Windows\System\MOuyYFc.exe
  2⤵
  PID:10112
- C:\Windows\System\eQRztPn.exe
  C:\Windows\System\eQRztPn.exe
  2⤵
  PID:10176
- C:\Windows\System\jzZDUnO.exe
  C:\Windows\System\jzZDUnO.exe
  2⤵
  PID:10232
- C:\Windows\System\JTTCFGW.exe
  C:\Windows\System\JTTCFGW.exe
  2⤵
  PID:9360
- C:\Windows\System\CjhqTUl.exe
  C:\Windows\System\CjhqTUl.exe
  2⤵
  PID:9504
- C:\Windows\System\tVROkfZ.exe
  C:\Windows\System\tVROkfZ.exe
  2⤵
  PID:9716
- C:\Windows\System\rDKQMGK.exe
  C:\Windows\System\rDKQMGK.exe
  2⤵
  PID:9836
- C:\Windows\System\xpwVXZh.exe
  C:\Windows\System\xpwVXZh.exe
  2⤵
  PID:9976
- C:\Windows\System\Lsmmvfq.exe
  C:\Windows\System\Lsmmvfq.exe
  2⤵
  PID:10148
- C:\Windows\System\zErdPle.exe
  C:\Windows\System\zErdPle.exe
  2⤵
  PID:9300
- C:\Windows\System\zxOGIzf.exe
  C:\Windows\System\zxOGIzf.exe
  2⤵
  PID:9668
- C:\Windows\System\JQnDxoW.exe
  C:\Windows\System\JQnDxoW.exe
  2⤵
  PID:9916
- C:\Windows\System\hSzNqcq.exe
  C:\Windows\System\hSzNqcq.exe
  2⤵
  PID:10108
- C:\Windows\System\bEcpDHF.exe
  C:\Windows\System\bEcpDHF.exe
  2⤵
  PID:9616
- C:\Windows\System\XKOeLca.exe
  C:\Windows\System\XKOeLca.exe
  2⤵
  PID:10296
- C:\Windows\System\aPjQpio.exe
  C:\Windows\System\aPjQpio.exe
  2⤵
  PID:10316
- C:\Windows\System\xBYSbod.exe
  C:\Windows\System\xBYSbod.exe
  2⤵
  PID:10352
- C:\Windows\System\uAkbVvt.exe
  C:\Windows\System\uAkbVvt.exe
  2⤵
  PID:10400
- C:\Windows\System\iQXpanP.exe
  C:\Windows\System\iQXpanP.exe
  2⤵
  PID:10448
- C:\Windows\System\hmyFGml.exe
  C:\Windows\System\hmyFGml.exe
  2⤵
  PID:10492
- C:\Windows\System\AZjDLWi.exe
  C:\Windows\System\AZjDLWi.exe
  2⤵
  PID:10524
- C:\Windows\System\ngnBKJc.exe
  C:\Windows\System\ngnBKJc.exe
  2⤵
  PID:10552
- C:\Windows\System\AWjaoJc.exe
  C:\Windows\System\AWjaoJc.exe
  2⤵
  PID:10580
- C:\Windows\System\ogKWEnA.exe
  C:\Windows\System\ogKWEnA.exe
  2⤵
  PID:10604
- C:\Windows\System\ZowDpxc.exe
  C:\Windows\System\ZowDpxc.exe
  2⤵
  PID:10640
- C:\Windows\System\MKIGghj.exe
  C:\Windows\System\MKIGghj.exe
  2⤵
  PID:10680
- C:\Windows\System\asrKoGo.exe
  C:\Windows\System\asrKoGo.exe
  2⤵
  PID:10724
- C:\Windows\System\Cayialc.exe
  C:\Windows\System\Cayialc.exe
  2⤵
  PID:10752
- C:\Windows\System\wZtieeP.exe
  C:\Windows\System\wZtieeP.exe
  2⤵
  PID:10784
- C:\Windows\System\MbQhvkd.exe
  C:\Windows\System\MbQhvkd.exe
  2⤵
  PID:10820
- C:\Windows\System\xMJRTYs.exe
  C:\Windows\System\xMJRTYs.exe
  2⤵
  PID:10860
- C:\Windows\System\mSYfJwY.exe
  C:\Windows\System\mSYfJwY.exe
  2⤵
  PID:10884
- C:\Windows\System\XnraUmF.exe
  C:\Windows\System\XnraUmF.exe
  2⤵
  PID:10928
- C:\Windows\System\mjvorMc.exe
  C:\Windows\System\mjvorMc.exe
  2⤵
  PID:10948
- C:\Windows\System\TERzPnS.exe
  C:\Windows\System\TERzPnS.exe
  2⤵
  PID:10972
- C:\Windows\System\QpMayeP.exe
  C:\Windows\System\QpMayeP.exe
  2⤵
  PID:11008
- C:\Windows\System\XMIQYPi.exe
  C:\Windows\System\XMIQYPi.exe
  2⤵
  PID:11036
- C:\Windows\System\YxFweOV.exe
  C:\Windows\System\YxFweOV.exe
  2⤵
  PID:11076
- C:\Windows\System\TalNngI.exe
  C:\Windows\System\TalNngI.exe
  2⤵
  PID:11104
- C:\Windows\System\TDhqnWz.exe
  C:\Windows\System\TDhqnWz.exe
  2⤵
  PID:11140
- C:\Windows\System\seUXRss.exe
  C:\Windows\System\seUXRss.exe
  2⤵
  PID:11168
- C:\Windows\System\AIYeXXv.exe
  C:\Windows\System\AIYeXXv.exe
  2⤵
  PID:11184
- C:\Windows\System\SeMQaTh.exe
  C:\Windows\System\SeMQaTh.exe
  2⤵
  PID:11204
- C:\Windows\System\ynZGuPi.exe
  C:\Windows\System\ynZGuPi.exe
  2⤵
  PID:11252
- C:\Windows\System\KhNSnBF.exe
  C:\Windows\System\KhNSnBF.exe
  2⤵
  PID:10272
- C:\Windows\System\nZsVdZK.exe
  C:\Windows\System\nZsVdZK.exe
  2⤵
  PID:9828
- C:\Windows\System\NZHCoSJ.exe
  C:\Windows\System\NZHCoSJ.exe
  2⤵
  PID:10376
- C:\Windows\System\nRFiPSi.exe
  C:\Windows\System\nRFiPSi.exe
  2⤵
  PID:10428
- C:\Windows\System\FORJCeS.exe
  C:\Windows\System\FORJCeS.exe
  2⤵
  PID:10536
- C:\Windows\System\BRuBAPy.exe
  C:\Windows\System\BRuBAPy.exe
  2⤵
  PID:10596
- C:\Windows\System\JJmerVG.exe
  C:\Windows\System\JJmerVG.exe
  2⤵
  PID:10420
- C:\Windows\System\MnwymDD.exe
  C:\Windows\System\MnwymDD.exe
  2⤵
  PID:10744
- C:\Windows\System\ZtrpCxN.exe
  C:\Windows\System\ZtrpCxN.exe
  2⤵
  PID:10828
- C:\Windows\System\urnqjwY.exe
  C:\Windows\System\urnqjwY.exe
  2⤵
  PID:10908
- C:\Windows\System\QgakJLj.exe
  C:\Windows\System\QgakJLj.exe
  2⤵
  PID:10968
- C:\Windows\System\ZKljNVg.exe
  C:\Windows\System\ZKljNVg.exe
  2⤵
  PID:11060
- C:\Windows\System\rbBmRVK.exe
  C:\Windows\System\rbBmRVK.exe
  2⤵
  PID:11100
- C:\Windows\System\glwaxEw.exe
  C:\Windows\System\glwaxEw.exe
  2⤵
  PID:11180
- C:\Windows\System\fTWMGIU.exe
  C:\Windows\System\fTWMGIU.exe
  2⤵
  PID:11248
- C:\Windows\System\SCTcgpT.exe
  C:\Windows\System\SCTcgpT.exe
  2⤵
  PID:10260
- C:\Windows\System\iOyPvjE.exe
  C:\Windows\System\iOyPvjE.exe
  2⤵
  PID:10484
- C:\Windows\System\qeprZei.exe
  C:\Windows\System\qeprZei.exe
  2⤵
  PID:10656
- C:\Windows\System\UvYxQIh.exe
  C:\Windows\System\UvYxQIh.exe
  2⤵
  PID:10780
- C:\Windows\System\yGRfAjR.exe
  C:\Windows\System\yGRfAjR.exe
  2⤵
  PID:11024
- C:\Windows\System\nzDgmAW.exe
  C:\Windows\System\nzDgmAW.exe
  2⤵
  PID:11212
- C:\Windows\System\uuINGgo.exe
  C:\Windows\System\uuINGgo.exe
  2⤵
  PID:9516
- C:\Windows\System\rKLtPoQ.exe
  C:\Windows\System\rKLtPoQ.exe
  2⤵
  PID:10736
- C:\Windows\System\tnnWlVq.exe
  C:\Windows\System\tnnWlVq.exe
  2⤵
  PID:11128
- C:\Windows\System\sVgFJNq.exe
  C:\Windows\System\sVgFJNq.exe
  2⤵
  PID:10576
- C:\Windows\System\nvLwRNM.exe
  C:\Windows\System\nvLwRNM.exe
  2⤵
  PID:11268
- C:\Windows\System\EYSAcfl.exe
  C:\Windows\System\EYSAcfl.exe
  2⤵
  PID:11308
- C:\Windows\System\ENDAhFF.exe
  C:\Windows\System\ENDAhFF.exe
  2⤵
  PID:11324
- C:\Windows\System\SOsLrBc.exe
  C:\Windows\System\SOsLrBc.exe
  2⤵
  PID:11352
- C:\Windows\System\pSOnwDL.exe
  C:\Windows\System\pSOnwDL.exe
  2⤵
  PID:11380
- C:\Windows\System\vaFFGsa.exe
  C:\Windows\System\vaFFGsa.exe
  2⤵
  PID:11400
- C:\Windows\System\aAqUJei.exe
  C:\Windows\System\aAqUJei.exe
  2⤵
  PID:11440
- C:\Windows\System\FXTCIkc.exe
  C:\Windows\System\FXTCIkc.exe
  2⤵
  PID:11472
- C:\Windows\System\yCgVzez.exe
  C:\Windows\System\yCgVzez.exe
  2⤵
  PID:11504
- C:\Windows\System\lqViplt.exe
  C:\Windows\System\lqViplt.exe
  2⤵
  PID:11524
- C:\Windows\System\bMJtktj.exe
  C:\Windows\System\bMJtktj.exe
  2⤵
  PID:11560
- C:\Windows\System\wkveBMJ.exe
  C:\Windows\System\wkveBMJ.exe
  2⤵
  PID:11588
- C:\Windows\System\jiARnVs.exe
  C:\Windows\System\jiARnVs.exe
  2⤵
  PID:11616
- C:\Windows\System\fqILsKZ.exe
  C:\Windows\System\fqILsKZ.exe
  2⤵
  PID:11644
- C:\Windows\System\vuOWxZl.exe
  C:\Windows\System\vuOWxZl.exe
  2⤵
  PID:11672
- C:\Windows\System\JOvFwQc.exe
  C:\Windows\System\JOvFwQc.exe
  2⤵
  PID:11688
- C:\Windows\System\XCFXiiH.exe
  C:\Windows\System\XCFXiiH.exe
  2⤵
  PID:11728
- C:\Windows\System\hyjeLnc.exe
  C:\Windows\System\hyjeLnc.exe
  2⤵
  PID:11756
- C:\Windows\System\qmKOnDR.exe
  C:\Windows\System\qmKOnDR.exe
  2⤵
  PID:11784
- C:\Windows\System\PHCNMDv.exe
  C:\Windows\System\PHCNMDv.exe
  2⤵
  PID:11812
- C:\Windows\System\JmnLMjB.exe
  C:\Windows\System\JmnLMjB.exe
  2⤵
  PID:11840
- C:\Windows\System\geepVyp.exe
  C:\Windows\System\geepVyp.exe
  2⤵
  PID:11868
- C:\Windows\System\ulytFIV.exe
  C:\Windows\System\ulytFIV.exe
  2⤵
  PID:11896
- C:\Windows\System\WrENmzQ.exe
  C:\Windows\System\WrENmzQ.exe
  2⤵
  PID:11916
- C:\Windows\System\RTzPJUS.exe
  C:\Windows\System\RTzPJUS.exe
  2⤵
  PID:11944
- C:\Windows\System\vvxtqvk.exe
  C:\Windows\System\vvxtqvk.exe
  2⤵
  PID:11976
- C:\Windows\System\AJkmlby.exe
  C:\Windows\System\AJkmlby.exe
  2⤵
  PID:12000
- C:\Windows\System\NFyaGMx.exe
  C:\Windows\System\NFyaGMx.exe
  2⤵
  PID:12028
- C:\Windows\System\cSDEbKz.exe
  C:\Windows\System\cSDEbKz.exe
  2⤵
  PID:12052
- C:\Windows\System\fLedlqt.exe
  C:\Windows\System\fLedlqt.exe
  2⤵
  PID:12080
- C:\Windows\System\LhdyWjw.exe
  C:\Windows\System\LhdyWjw.exe
  2⤵
  PID:12100
- C:\Windows\System\imaaeQb.exe
  C:\Windows\System\imaaeQb.exe
  2⤵
  PID:12124
- C:\Windows\System\lChhnrL.exe
  C:\Windows\System\lChhnrL.exe
  2⤵
  PID:12164
- C:\Windows\System\oefKclX.exe
  C:\Windows\System\oefKclX.exe
  2⤵
  PID:12196
- C:\Windows\System\LQEdPvH.exe
  C:\Windows\System\LQEdPvH.exe
  2⤵
  PID:12232
- C:\Windows\System\UERJHCi.exe
  C:\Windows\System\UERJHCi.exe
  2⤵
  PID:12260
- C:\Windows\System\eRFZpZs.exe
  C:\Windows\System\eRFZpZs.exe
  2⤵
  PID:9972
- C:\Windows\System\BNhVVTH.exe
  C:\Windows\System\BNhVVTH.exe
  2⤵
  PID:11304
- C:\Windows\System\XfrHOtl.exe
  C:\Windows\System\XfrHOtl.exe
  2⤵
  PID:11372
- C:\Windows\System\ETJVcYE.exe
  C:\Windows\System\ETJVcYE.exe
  2⤵
  PID:11420
- C:\Windows\System\MDMcoFQ.exe
  C:\Windows\System\MDMcoFQ.exe
  2⤵
  PID:11500
- C:\Windows\System\cCvsGWB.exe
  C:\Windows\System\cCvsGWB.exe
  2⤵
  PID:11572
- C:\Windows\System\LExtmzd.exe
  C:\Windows\System\LExtmzd.exe
  2⤵
  PID:11636
- C:\Windows\System\DzGDRBd.exe
  C:\Windows\System\DzGDRBd.exe
  2⤵
  PID:11712
- C:\Windows\System\oIrlhvC.exe
  C:\Windows\System\oIrlhvC.exe
  2⤵
  PID:11772
- C:\Windows\System\YbuwnVJ.exe
  C:\Windows\System\YbuwnVJ.exe
  2⤵
  PID:11828
- C:\Windows\System\BVsFApE.exe
  C:\Windows\System\BVsFApE.exe
  2⤵
  PID:11892
- C:\Windows\System\XZSnoXa.exe
  C:\Windows\System\XZSnoXa.exe
  2⤵
  PID:11932
- C:\Windows\System\iUmHDAG.exe
  C:\Windows\System\iUmHDAG.exe
  2⤵
  PID:11992
- C:\Windows\System\ZbFgSdL.exe
  C:\Windows\System\ZbFgSdL.exe
  2⤵
  PID:12092
- C:\Windows\System\EccnGCu.exe
  C:\Windows\System\EccnGCu.exe
  2⤵
  PID:12136
- C:\Windows\System\iWHBbLG.exe
  C:\Windows\System\iWHBbLG.exe
  2⤵
  PID:12216
- C:\Windows\System\BFCDCXi.exe
  C:\Windows\System\BFCDCXi.exe
  2⤵
  PID:12248
- C:\Windows\System\FODWgXv.exe
  C:\Windows\System\FODWgXv.exe
  2⤵
  PID:9324
- C:\Windows\System\eYGzYMo.exe
  C:\Windows\System\eYGzYMo.exe
  2⤵
  PID:11552
- C:\Windows\System\rdxUytn.exe
  C:\Windows\System\rdxUytn.exe
  2⤵
  PID:11680
- C:\Windows\System\hbEmOjQ.exe
  C:\Windows\System\hbEmOjQ.exe
  2⤵
  PID:11800
- C:\Windows\System\sIZCuBf.exe
  C:\Windows\System\sIZCuBf.exe
  2⤵
  PID:11952
- C:\Windows\System\rHjglNa.exe
  C:\Windows\System\rHjglNa.exe
  2⤵
  PID:12156
- C:\Windows\System\cbgvYph.exe
  C:\Windows\System\cbgvYph.exe
  2⤵
  PID:12276
- C:\Windows\System\fHlPSsE.exe
  C:\Windows\System\fHlPSsE.exe
  2⤵
  PID:11668
- C:\Windows\System\BNwQEkQ.exe
  C:\Windows\System\BNwQEkQ.exe
  2⤵
  PID:11880
- C:\Windows\System\eMxIgUt.exe
  C:\Windows\System\eMxIgUt.exe
  2⤵
  PID:11488
- C:\Windows\System\balTJdu.exe
  C:\Windows\System\balTJdu.exe
  2⤵
  PID:11480
- C:\Windows\System\fuMbeBc.exe
  C:\Windows\System\fuMbeBc.exe
  2⤵
  PID:12024
- C:\Windows\System\avYwTEQ.exe
  C:\Windows\System\avYwTEQ.exe
  2⤵
  PID:12320
- C:\Windows\System\cSFTAom.exe
  C:\Windows\System\cSFTAom.exe
  2⤵
  PID:12352
- C:\Windows\System\rcItLcP.exe
  C:\Windows\System\rcItLcP.exe
  2⤵
  PID:12372
- C:\Windows\System\nLeyPwr.exe
  C:\Windows\System\nLeyPwr.exe
  2⤵
  PID:12412
- C:\Windows\System\xTYJtLY.exe
  C:\Windows\System\xTYJtLY.exe
  2⤵
  PID:12440
- C:\Windows\System\jvfYGsJ.exe
  C:\Windows\System\jvfYGsJ.exe
  2⤵
  PID:12468
- C:\Windows\System\iCYXoll.exe
  C:\Windows\System\iCYXoll.exe
  2⤵
  PID:12484
- C:\Windows\System\owvZYLW.exe
  C:\Windows\System\owvZYLW.exe
  2⤵
  PID:12524
- C:\Windows\System\Xkthazn.exe
  C:\Windows\System\Xkthazn.exe
  2⤵
  PID:12540
- C:\Windows\System\HdnzwRE.exe
  C:\Windows\System\HdnzwRE.exe
  2⤵
  PID:12556
- C:\Windows\System\KjGDhBW.exe
  C:\Windows\System\KjGDhBW.exe
  2⤵
  PID:12576
- C:\Windows\System\opmfvXy.exe
  C:\Windows\System\opmfvXy.exe
  2⤵
  PID:12612
- C:\Windows\System\XIVVSrN.exe
  C:\Windows\System\XIVVSrN.exe
  2⤵
  PID:12652
- C:\Windows\System\iBLyKBo.exe
  C:\Windows\System\iBLyKBo.exe
  2⤵
  PID:12684
- C:\Windows\System\GFwajul.exe
  C:\Windows\System\GFwajul.exe
  2⤵
  PID:12720
- C:\Windows\System\GdOiOEs.exe
  C:\Windows\System\GdOiOEs.exe
  2⤵
  PID:12748
- C:\Windows\System\OvVhtGY.exe
  C:\Windows\System\OvVhtGY.exe
  2⤵
  PID:12776
- C:\Windows\System\TcBPWZA.exe
  C:\Windows\System\TcBPWZA.exe
  2⤵
  PID:12804
- C:\Windows\System\POEctyU.exe
  C:\Windows\System\POEctyU.exe
  2⤵
  PID:12832
- C:\Windows\System\DlcsvWq.exe
  C:\Windows\System\DlcsvWq.exe
  2⤵
  PID:12860
- C:\Windows\System\FPRdgjT.exe
  C:\Windows\System\FPRdgjT.exe
  2⤵
  PID:12888
- C:\Windows\System\TGAILjJ.exe
  C:\Windows\System\TGAILjJ.exe
  2⤵
  PID:12916
- C:\Windows\System\IQxccLF.exe
  C:\Windows\System\IQxccLF.exe
  2⤵
  PID:12948
- C:\Windows\System\NMyboyw.exe
  C:\Windows\System\NMyboyw.exe
  2⤵
  PID:12972
- C:\Windows\System\NhrsILY.exe
  C:\Windows\System\NhrsILY.exe
  2⤵
  PID:12996
- C:\Windows\System\wtQKqQF.exe
  C:\Windows\System\wtQKqQF.exe
  2⤵
  PID:13016
- C:\Windows\System\GUZnVAf.exe
  C:\Windows\System\GUZnVAf.exe
  2⤵
  PID:13056
- C:\Windows\System\sEsoGNd.exe
  C:\Windows\System\sEsoGNd.exe
  2⤵
  PID:13084
- C:\Windows\System\uOMlsGm.exe
  C:\Windows\System\uOMlsGm.exe
  2⤵
  PID:13112
- C:\Windows\System\SbDewNd.exe
  C:\Windows\System\SbDewNd.exe
  2⤵
  PID:13128
- C:\Windows\System\lhqMwJz.exe
  C:\Windows\System\lhqMwJz.exe
  2⤵
  PID:13160
- C:\Windows\System\RTkqwXK.exe
  C:\Windows\System\RTkqwXK.exe
  2⤵
  PID:13196
- C:\Windows\System\SIklEDZ.exe
  C:\Windows\System\SIklEDZ.exe
  2⤵
  PID:13224
- C:\Windows\System\ZBeCMHC.exe
  C:\Windows\System\ZBeCMHC.exe
  2⤵
  PID:13252
- C:\Windows\System\WmabZTv.exe
  C:\Windows\System\WmabZTv.exe
  2⤵
  PID:13280
- C:\Windows\System\RAgSpGR.exe
  C:\Windows\System\RAgSpGR.exe
  2⤵
  PID:13308
- C:\Windows\System\TMuMohg.exe
  C:\Windows\System\TMuMohg.exe
  2⤵
  PID:12340
- C:\Windows\System\RFXKlnY.exe
  C:\Windows\System\RFXKlnY.exe
  2⤵
  PID:12368
- C:\Windows\System\DsTwjyn.exe
  C:\Windows\System\DsTwjyn.exe
  2⤵
  PID:12424
- C:\Windows\System\XJrJXXQ.exe
  C:\Windows\System\XJrJXXQ.exe
  2⤵
  PID:12496
- C:\Windows\System\FhgFSZZ.exe
  C:\Windows\System\FhgFSZZ.exe
  2⤵
  PID:12564
- C:\Windows\System\STJaWGA.exe
  C:\Windows\System\STJaWGA.exe
  2⤵
  PID:12592
- C:\Windows\System\ArOLZNF.exe
  C:\Windows\System\ArOLZNF.exe
  2⤵
  PID:12712
- C:\Windows\System\jNtwZsK.exe
  C:\Windows\System\jNtwZsK.exe
  2⤵
  PID:12768
- C:\Windows\System\oRbTkzV.exe
  C:\Windows\System\oRbTkzV.exe
  2⤵
  PID:12820
- C:\Windows\System\yMKeBCN.exe
  C:\Windows\System\yMKeBCN.exe
  2⤵
  PID:12940
- C:\Windows\System\JjGftQT.exe
  C:\Windows\System\JjGftQT.exe
  2⤵
  PID:4232
- C:\Windows\System\AtFUYiC.exe
  C:\Windows\System\AtFUYiC.exe
  2⤵
  PID:12988
- C:\Windows\System\iHyShUb.exe
  C:\Windows\System\iHyShUb.exe
  2⤵
  PID:13052
- C:\Windows\System\yCwATNJ.exe
  C:\Windows\System\yCwATNJ.exe
  2⤵
  PID:13104
- C:\Windows\System\gFoJKLU.exe
  C:\Windows\System\gFoJKLU.exe
  2⤵
  PID:13192
- C:\Windows\System\XnBzfNX.exe
  C:\Windows\System\XnBzfNX.exe
  2⤵
  PID:13240
- C:\Windows\System\ShEVnPA.exe
  C:\Windows\System\ShEVnPA.exe
  2⤵
  PID:13304
- C:\Windows\System\vwHdqsv.exe
  C:\Windows\System\vwHdqsv.exe
  2⤵
  PID:12408
- C:\Windows\System\fHvgMMS.exe
  C:\Windows\System\fHvgMMS.exe
  2⤵
  PID:12476
- C:\Windows\System\dkeaTeL.exe
  C:\Windows\System\dkeaTeL.exe
  2⤵
  PID:12740
- C:\Windows\System\IyTbrvd.exe
  C:\Windows\System\IyTbrvd.exe
  2⤵
  PID:12844
- C:\Windows\System\PRkXqMA.exe
  C:\Windows\System\PRkXqMA.exe
  2⤵
  PID:528
- C:\Windows\System\cQoavQV.exe
  C:\Windows\System\cQoavQV.exe
  2⤵
  PID:6680
- C:\Windows\System\tZXAEkQ.exe
  C:\Windows\System\tZXAEkQ.exe
  2⤵
  PID:6056
- C:\Windows\System\xMudpFm.exe
  C:\Windows\System\xMudpFm.exe
  2⤵
  PID:13096
- C:\Windows\System\PnMZlwg.exe
  C:\Windows\System\PnMZlwg.exe
  2⤵
  PID:13236
- C:\Windows\System\GNcxrqq.exe
  C:\Windows\System\GNcxrqq.exe
  2⤵
  PID:12548
- C:\Windows\System\igFXvEy.exe
  C:\Windows\System\igFXvEy.exe
  2⤵
  PID:12796
- C:\Windows\System\xczYUhT.exe
  C:\Windows\System\xczYUhT.exe
  2⤵
  PID:5164
- C:\Windows\System\UfMsUll.exe
  C:\Windows\System\UfMsUll.exe
  2⤵
  PID:13152
- C:\Windows\System\KaZYciY.exe
  C:\Windows\System\KaZYciY.exe
  2⤵
  PID:12600
- C:\Windows\System\aZYPpiQ.exe
  C:\Windows\System\aZYPpiQ.exe
  2⤵
  PID:5928
- C:\Windows\System\eIzyNAj.exe
  C:\Windows\System\eIzyNAj.exe
  2⤵
  PID:12536
- C:\Windows\System\yYKvPDz.exe
  C:\Windows\System\yYKvPDz.exe
  2⤵
  PID:13328
- C:\Windows\System\vPrnHdi.exe
  C:\Windows\System\vPrnHdi.exe
  2⤵
  PID:13368
- C:\Windows\System\YinOFCG.exe
  C:\Windows\System\YinOFCG.exe
  2⤵
  PID:13384
- C:\Windows\System\EzHqEjq.exe
  C:\Windows\System\EzHqEjq.exe
  2⤵
  PID:13504
- C:\Windows\System\XVkuPgC.exe
  C:\Windows\System\XVkuPgC.exe
  2⤵
  PID:13748
- C:\Windows\System\BJTjdGc.exe
  C:\Windows\System\BJTjdGc.exe
  2⤵
  PID:13764
- C:\Windows\System\oAzjIoY.exe
  C:\Windows\System\oAzjIoY.exe
  2⤵
  PID:13832
- C:\Windows\System\yvpCDqU.exe
  C:\Windows\System\yvpCDqU.exe
  2⤵
  PID:13436
- C:\Windows\System\JYMaujd.exe
  C:\Windows\System\JYMaujd.exe
  2⤵
  PID:13452
- C:\Windows\System\awOmvPz.exe
  C:\Windows\System\awOmvPz.exe
  2⤵
  PID:13444
- C:\Windows\System\cSczodj.exe
  C:\Windows\System\cSczodj.exe
  2⤵
  PID:14076
- C:\Windows\System\Izpcorh.exe
  C:\Windows\System\Izpcorh.exe
  2⤵
  PID:13520

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xlojhj3u.iw4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CMMulpK.exe

Filesize
2.7MB

MD5
79c7c68fd436e7f6525f41d4760f4ca9

SHA1
c4e7f52cf9628523e5627dbd8a3ba46081e324d6

SHA256
1ed8b5c6f8e0e26f16af88198a89cc3e9fde71a278075e0f1ad57609928be605

SHA512
bd10be526b4de354a40ff1742b95adc3caf612ac3ed8fcc1a8b9c4bf7a57d685beb07f83f8f0abe69cbd2e840e51f7e00437305bf46d438f3106567b11de3264

Download Submit
C:\Windows\System\DPDMfwt.exe

Filesize
2.7MB

MD5
e65b30f5bfe049073c346ca12bae9799

SHA1
b66ee1ac0b6e05801907d5299e3a31337389e9f3

SHA256
18a6b9406e5777dc5d226f710327f5960a2a942b301cadb2ba63ff5e6c210e15

SHA512
4d4fecf9c2f969090fc26cf3a992649b1f2c407e506e75e8778e58fd922ac4aa62a2448e994a9c692e9480de20ad1bef997cf81c611c19f4fe2edb4f8746a493

Download Submit
C:\Windows\System\EOgByjJ.exe

Filesize
2.7MB

MD5
870012900199509b206f546cc8e593ff

SHA1
40fc5e22ea17bcf777661eda2a903824fe88f622

SHA256
508b8b369e46142fc2610e1229a372d28e4b9b17d978f3f749810d60ba389530

SHA512
f8eaa0416356c435e9a902626af3dc3a4a7782b03a513e33ec729480c7706945f650ec56473a8dea6185dd39907c99f5fefaa73335c108ba0211779eaf6f61d7

Download Submit
C:\Windows\System\FZINmcH.exe

Filesize
2.7MB

MD5
299c4f1f1fc345dd2382e9971980b336

SHA1
b77ca74fda010ef322f309826d6e7e4c77931d58

SHA256
a4c8d94a84b7e20bb4f7fe129dc3c4998193bdeb99b79b0092fb2d17e8362e3b

SHA512
6e75269161ef46fe8d041c86035f5f86627e517e4cfd8b020d1b05c306c048f17f5a494001ed0456738078e00e2f33b49a5391901c6a6294da320a7e342ab12a

Download Submit
C:\Windows\System\FqFWljf.exe

Filesize
2.7MB

MD5
965140a1143616c45b0a1467a656073b

SHA1
2c86ecee00b3e21145c4af24c6e5614e398b5158

SHA256
6634d6993d5b8a487f4fd4c496f6518d9712c9bf9777c11d6acc0cf387202a18

SHA512
21af58ad5c454d2754ea49322ee4cc4b4e1d270122a78b8075f0d5687c687790a68e54cec8588a2ed99939bb954ee32997c6259fe295fa8fdd34a45ecc2b545d

Download Submit
C:\Windows\System\GufkAiS.exe

Filesize
2.7MB

MD5
3e48b7467d4a68612fcb8a94bbeaae6a

SHA1
e93bbd92192d2a8c71b15af58dab705091d1a941

SHA256
823653c0857bde424cd77a4f05205ee3e8ed2b9f9715a48e9b2fff86ef83cc14

SHA512
d99e7025651e5ce5d8b83ec947afc0c4edb3a500b07f5c3c3ffe87bd9a5951f2617ec06cf225965931f5477d8da71b7f58366257eefa2ac221e6b34fd8d99130

Download Submit
C:\Windows\System\IyzlRVj.exe

Filesize
2.7MB

MD5
148b99e2ffb0ec9e1f802247a48a3914

SHA1
10f3fb93491929b728cc2afb7c69b53788444ebc

SHA256
7123553f70b4807f38e6ae777177598d378f14c012d5ae70c84d5b882f47b822

SHA512
30ed62b293d5a23f1239a5cbe1a50c6e1a766c0e28f07fd19996a1df0f120cf887e16b421d4d7cccafbeb6ede94680f99351c987d2583570db666bb1c7800c6c

Download Submit
C:\Windows\System\LdoLzfz.exe

Filesize
2.7MB

MD5
b9df81fd2515e1e8148eff1bfb9dea32

SHA1
0599fe3fd83d518a8e48b8b1fbd42235ae0a3d44

SHA256
fa00f944302b73f188447defd13166f615f97a5c39f4f61985361edd64e1a35d

SHA512
a614ac211b4f0d587bd2cc3ffaf588b8e46b221523104179bcac320d323ac03ef4bd73c4f2332e9e48077e80c752b127509063938292c589a0decfa5c12aebb8

Download Submit
C:\Windows\System\MsxPAqn.exe

Filesize
2.7MB

MD5
62951820ba6bdac4cc3c515f887a4fdb

SHA1
038ac63112cd887f68c7deb51c698c35fd56f611

SHA256
da5b6c343182cc3396e18ea4e2e55b9b72834d469dd951f8311430b45066de50

SHA512
6e2e90a21aaa830c24729188fc0e12a11eafb8f520e4ae9ab7e49c72315b78c931c65d6ac5bd09eca432c488ce0529af0d1a2007b7637ccb1a673e4180a22bc0

Download Submit
C:\Windows\System\OqyyChh.exe

Filesize
2.7MB

MD5
93352e7cb9b7927551ac1aeea2cd1631

SHA1
8666bfb4b9dfe020962705bd378a0fb00fe7338c

SHA256
cac38088a8f9a79476a28dd13a205e5bd4ec82cc64543d0765fb9d3a81a5b4f4

SHA512
365ac4ecf8de8832907087c9035e552f856fe800c24c760dbd1b25fe3618f203e2d9cefecfc490d573f1cb10101968ba90ab6ef4233f0f969783150575faff50

Download Submit
C:\Windows\System\ScUWMbw.exe

Filesize
2.7MB

MD5
ad6246f4aa0966f5e9d49f249147c75b

SHA1
27f3eba35e032a82cb43d02babc3fc205447f15d

SHA256
b90b4eb091fb9d6fc7dfc95a9ea0c6bea0a85b62740d4b674a9280655c114fa4

SHA512
9e07923252a9d7cb9de565be540259c1952d6a2099b7e9258b3b0de124555119d62cd3eccb1ca77efd9538593f18fcda9d63ece6b2d0ff828be70ab2c133ded7

Download Submit
C:\Windows\System\TIaNtdt.exe

Filesize
8B

MD5
81398e1de3555e92fba3484cc3247c66

SHA1
1795bf2f69133b34ba6d312dc83ac951ee6a2eaa

SHA256
aeb8f50427004d636af26a677cdd7c325f3441df8c991df9e0407610a79f3bba

SHA512
fce05245dae47ae7df0de55238dcd2209fda60a9b115d1a9c5ae4ba15efedf3bf5459c20e938aa1e89bf51840c3a38287ad7d2831cf17cdc0458b5e72809d1ab

Download Submit
C:\Windows\System\UXsdeRe.exe

Filesize
2.7MB

MD5
58bb0d9c89ecbe1a2fb6164e9ac1b1c6

SHA1
7d6402d6482130878502844749155b0675a07946

SHA256
c98f08b810f8efc1439a9b8517091d6b42c49d71c283d08554dad672d8842cf8

SHA512
afac784c9eb1c9026c9aee0fce1107499387e37e81433946777f789d6e253f35128bd7ffdd46e554a03d98a0ba599ff207431d7f3d4e12f0d90728c4b0621b7a

Download Submit
C:\Windows\System\YRDCWHw.exe

Filesize
2.7MB

MD5
f043140ad87ed9900c802fd487755ba6

SHA1
3051fc12aa63ee857e43f3d119b9dde1fd4fb94f

SHA256
552b19e1e4adc3dadd1eb73079accb8e074a338b9a8bf200ab86794bae8380cc

SHA512
65721d9f6db9df860358c7479e31ce31ff207971d2a2d6c5e6223ae29ad11821315da3f22bd3f04c15b60b6a27e69967a87d18f4c426443ed3ecb532485aefcf

Download Submit
C:\Windows\System\YrWgOTX.exe

Filesize
2.7MB

MD5
c3cb468034a47f86606a6b0d2c2b6511

SHA1
32daa3d3d64213a687e3a67830420cc8df730b37

SHA256
6c4cb0a91002375103df76f11857c75feec44c82deef88fa495d39ed9023c8d9

SHA512
e03a7548727f4a4de2ce20c1d637db17d96acface2633ba1a35d5faf58921a64be969bac7e5a126985db5b9e5d0c9ad804c4ab28b5c6ec5cf3c13eb92e6db255

Download Submit
C:\Windows\System\cKhWqFy.exe

Filesize
2.7MB

MD5
bec6359c28e9474900564a493e507256

SHA1
8b0316b2e9fe20a08c8da7dd84b970978e6f1055

SHA256
4d227f7ae5bd98f4714a6289249fd106c3b780e12f595a8e31db77423d13d918

SHA512
703c5b3b0a4d4850fcd2f405dcad6db7b594a4bfba018a401d66fe41ef78dedd7b14b31672eab166289fd5ff106817bf953d2eaa32345f8a0e49475990221779

Download Submit
C:\Windows\System\cUygsOS.exe

Filesize
2.7MB

MD5
e85e8fd35087abc56999a0ad54af8f96

SHA1
612f27a40c60653658343f3cf477a80327f95a7b

SHA256
97c53693899880300173c36174d83f9fef6bddd5abc90a8f5e028fdc519249e8

SHA512
0d0d39c463573dee30d972600d7fed3bb142cf48ed472fd4b21d8d0c33ab228e895b8423801d5828b70dd48df3f0467b3c4b88f2cb6bf5c1777190e4614e9b1e

Download Submit
C:\Windows\System\dynpPEy.exe

Filesize
2.7MB

MD5
512d62a1a41d7bb1b48ab6616a5af289

SHA1
7f783f4c8e900e5366a9a00a0e3426e101a9625f

SHA256
e81dad0491e604b854ff405181972e3f6c8e6142b7c4a20cae9e51d161cc305c

SHA512
06bbad58e1db838578582819a3260de97de2c94bcbf1868cc48ceea00f553fd9b23415d4c2e07f4e42759284f9d76fa242662ea1b73a492895c9dd25e3f8ad4b

Download Submit
C:\Windows\System\eIjGXHZ.exe

Filesize
2.7MB

MD5
f9184744591658bd77c96698d7bc5443

SHA1
a2cccda454d16f4141313785fabd3e75a63cbd82

SHA256
8963ea76b31efa463c2c74a8ca52f1dc93066fdbd70a25df12312043cfa642c8

SHA512
d8a5a4c57c98ca65ccac1eb741d96fde803bf8caa8e0cdbdba572949d4c61ac174bd57ab73ffcb7afc3641c61362c18a6b80612eeb6cde5a9a77f4daa7ac2d3a

Download Submit
C:\Windows\System\hKnAcdA.exe

Filesize
2.7MB

MD5
3d62522923316474c64099508827989b

SHA1
85ec9af7a0060875cc356d25aa44fc53b1c405b5

SHA256
e7043036ae70032796eb08a517c5b7b4e8af490f1ea766044b74f15430a414b3

SHA512
3bdae62a7c34965c3239d6a44b5816c0f1f6c7e06867e278aa21923b895c02250b79fa704c381af504d71ea26275eda32997b006ac0c6be7366a1b4ce7b15350

Download Submit
C:\Windows\System\hrxfHnm.exe

Filesize
2.7MB

MD5
260d0b5eee221598127fdda36cf83897

SHA1
af7c876ac156720c6ee4a2dfa4b747ed498154d8

SHA256
67a19b5d81b238e1eb43f10b80232465b68be618442ebf423241c530b502b40f

SHA512
34c5919cc4337c015a8d7127ce63e6c07ca06238e87a04d7eb4d496bad6565d2da260b0035563aa52a0d766e69e67e474f174fba1f91dc57c603f6bbe1e2b706

Download Submit
C:\Windows\System\iYiyJvn.exe

Filesize
2.7MB

MD5
abbd470d32405272f2c494e8b3bc798c

SHA1
abadcd222b67761c57f6082df01ce3296ec025d3

SHA256
0e2244cfd527e4f4ae004284aabbe0d85dd5a67b71a9a0984958c66c0a36d10b

SHA512
e8d9cd56c909809c69267d9ddc76473e26d689a582d001caac4b3d1ff2bf72fcf19c212bd672dd598db2e33249b00dfadb545fafbe751fe5f3b724d4254dc3fe

Download Submit
C:\Windows\System\jBtFQNZ.exe

Filesize
2.7MB

MD5
62882d0fb682f0882b2999b0bb74c395

SHA1
3489ec8bea41e5b219033f7af4fae63e87b3e255

SHA256
f04d2cc80ef16982373294c3f1b5d2725874f87443c020a99868e6be7ab4b9fc

SHA512
116b80296a1b2dc64c89830cdd31467420a3927affa9fcbe673fbb05a63bfd607e8d19386832bf8910de72a2018a8b56c10bbc23a269b4333a041d7e24073387

Download Submit
C:\Windows\System\kSGNVks.exe

Filesize
2.7MB

MD5
526e179c45c2eaf277d26adc3d030601

SHA1
83eb3e31b699c45b241fd37a8d1ba0d3b87068a0

SHA256
e04c8e0c914ddc6e9df38df48bd6addc0ba31eb43a6c4e49bd0423d15c12d34d

SHA512
ebbef1390394c2e37c7a8bbbd76a9a03524837750d6733ccaccdbc690292e24cd408b8916e0ac8ffbde8a705139907f11e45d2cb9ab69e629c463f1a842caf3f

Download Submit
C:\Windows\System\mIGuvyj.exe

Filesize
2.7MB

MD5
762ed636266960b3bf9c638816bcf1ee

SHA1
02f6214104be723376f5a637893f13df049bc1e8

SHA256
340dcdb5900a893fcf7ced0992ebb5f1d0b8c9279145368db960e07f2a977463

SHA512
78bc4bd0a65cb9386e0fe895e200b73895d7ba5ba6ac8387406688a6a4d9f3366673dd8bc719ead2bd40c0f93d2dbc5d06659f70f835cd025ef6cce6fead7e3e

Download Submit
C:\Windows\System\nCnCqXr.exe

Filesize
2.7MB

MD5
00abfb5b38d09fc4a1d3f93a49e32836

SHA1
6efa2221483be0ea09ff29d6ecbdab607cc52125

SHA256
dd088449e11ab536cc6c497c69b1239cb74582f4b44ae06492b4055bc02a285a

SHA512
330a434e841cecef8aebdeeb4e1ff2027dcc90b4fad0642fa19c8e8d8387a7475d379f3485321cd0d4f66d81977cf7184cddf4e65d9208e781b97da3ba48c4a3

Download Submit
C:\Windows\System\nIkOhkI.exe

Filesize
2.7MB

MD5
26734727ba5af608f630b7a86722b1b1

SHA1
fa826595749a018c722b89fe36aaa06507a1d1ee

SHA256
a42fc080f564e8eef8d373ce72203f3c875d1e2ad4f218bccce7dbf226d98573

SHA512
f8424f7095496626231ad28516c516b041e65506a2eb1ec0d4772d325ec6f390f84458e23a23990b9b4b917e7d864e6d969b5bb72e5b2d8845355730e4ca987b

Download Submit
C:\Windows\System\ncEHNJh.exe

Filesize
2.7MB

MD5
25d71b631b8ec1d458d377aacf1c2e96

SHA1
974e467086e78c7a451d6bbea93b2a9fed16a65c

SHA256
3c67d82342d8ad5daba4977235898a547332f38524c2b735c99972a55142a3d9

SHA512
ab90b0713d9a8f8a1e52f6b3ffa0f4d092d9b13ec18d911bd4da8279dc2a16968364f8cee567f187ad2463885ff585c12302fd44c0c76b08730f4ef391549f7c

Download Submit
C:\Windows\System\pQwEIkR.exe

Filesize
2.7MB

MD5
9bbc65c9177017ed845050b2f819b8c4

SHA1
3f79b17777db1ceb231a00163e9723ebd6251dd3

SHA256
5d250cdd84e6618862b826c55e664efb77de84551432915e03bb77710819e9b1

SHA512
4144c76acc741eaea20ff60403eb00743507072d17032ab768209f415939d4cf977ad008c969e4cc0ffae0832343536108f311bdcf079da8e154981245544f64

Download Submit
C:\Windows\System\qETnAxF.exe

Filesize
2.7MB

MD5
1f15508330e9f65613626eedee67bca1

SHA1
126b28e15ab7ca9cffce23c68fb01c9e50cc4115

SHA256
fa02c699ec1b147cc87d44b0b3f5208afd65f608e2bea66a2834ad0f94721ceb

SHA512
b357aeac0966f08a7beb66e29d3155a449b2046f4827701742e1abc24cf8efc3332460bf692835bf4134ec01909972b004a8d8fc85e1d6c4504ce8b87f36471c

Download Submit
C:\Windows\System\qZWwWQL.exe

Filesize
2.7MB

MD5
d6a09ef1f347fb938e1842d85e9938bc

SHA1
0a68cb88c002f687ee0c32f5d8e207efdb6e1e94

SHA256
f42060a24c780856e3f46927f66a33492aa164f70f337d8090264b1584abcbed

SHA512
3b45cfbf71d9f92d7aa2a56890420433b51294ec59e47a4a548d7387da237194e7bfbc803b3105a26ae889fc2ac8aa617e5b5aa29758be7f8b1307f7760b6631

Download Submit
C:\Windows\System\qqRAmCV.exe

Filesize
2.7MB

MD5
c99edec3ae7072d5d8900996ca215106

SHA1
9b005f939aaad1b6a9cfc8f56d638f8793a1583e

SHA256
6ff30a7a85769d43488452c211f74ae708761a5b44e1f85f1257d6f08443b383

SHA512
c85d74d0655f4bb5f213d31163dcd3a6a8cc08106aba3ada1b65e15d4667243773385320a52d96ede44dec41186af9cb42bba09b26da2565e83b27a4a63a385a

Download Submit
C:\Windows\System\vQXbEfc.exe

Filesize
2.7MB

MD5
3d82106604d22069a1915e2ef53320f3

SHA1
b4ff96275d8003aa0ccc0009d07092d158f5ba43

SHA256
9aabb521f3961e01b923cc861db357509472924d182626fe6a303d5ad4246db4

SHA512
6318e3810ef22764796d5f969c23fbe81467073576a7e687e3683373f0559384202f67a0eba64ffae631f64dc097123da2460683fd4f0532a693fa12aa6fa610

Download Submit
C:\Windows\System\yQoQvaB.exe

Filesize
2.7MB

MD5
ed8f1ad66e1ae68f40c20aaa3d8338b4

SHA1
706b0831171f7b7be9bc8db11ca3367e045ce0f7

SHA256
f5be34b48cbc03c441d8e3e2165c8cf7936a8ed8124026b6edc5a5c8faeb673f

SHA512
2e459a438da11b3801630ba84727335ae8b4945d03a17bfefd0e8978f9e691669eb38919c1d151a39583626621d8803d4241ddf4b6a6c8b7157a1704402e5377

Download Submit
memory/264-0-0x00007FF747190000-0x00007FF747586000-memory.dmp

Filesize
4.0MB

Download
memory/264-263-0x00007FF747190000-0x00007FF747586000-memory.dmp

Filesize
4.0MB

Download
memory/264-1-0x000001D8210C0000-0x000001D8210D0000-memory.dmp

Filesize
64KB

Download
memory/264-3266-0x00007FF747190000-0x00007FF747586000-memory.dmp

Filesize
4.0MB

Download
memory/412-328-0x00007FFAC82C0000-0x00007FFAC8D81000-memory.dmp

Filesize
10.8MB

Download
memory/412-275-0x00007FFAC82C0000-0x00007FFAC8D81000-memory.dmp

Filesize
10.8MB

Download
memory/412-57-0x0000022377930000-0x0000022377952000-memory.dmp

Filesize
136KB

Download
memory/412-82-0x0000022379510000-0x0000022379CB6000-memory.dmp

Filesize
7.6MB

Download
memory/412-19-0x00007FFAC82C0000-0x00007FFAC8D81000-memory.dmp

Filesize
10.8MB

Download
memory/412-300-0x00007FFAC82C3000-0x00007FFAC82C5000-memory.dmp

Filesize
8KB

Download
memory/412-7-0x00007FFAC82C3000-0x00007FFAC82C5000-memory.dmp

Filesize
8KB

Download
memory/412-72-0x00007FFAC82C0000-0x00007FFAC8D81000-memory.dmp

Filesize
10.8MB

Download
memory/620-137-0x00007FF67EB90000-0x00007FF67EF86000-memory.dmp

Filesize
4.0MB

Download
memory/620-2297-0x00007FF67EB90000-0x00007FF67EF86000-memory.dmp

Filesize
4.0MB

Download
memory/620-3260-0x00007FF67EB90000-0x00007FF67EF86000-memory.dmp

Filesize
4.0MB

Download
memory/800-99-0x00007FF6CF520000-0x00007FF6CF916000-memory.dmp

Filesize
4.0MB

Download
memory/800-3253-0x00007FF6CF520000-0x00007FF6CF916000-memory.dmp

Filesize
4.0MB

Download
memory/800-1496-0x00007FF6CF520000-0x00007FF6CF916000-memory.dmp

Filesize
4.0MB

Download
memory/1280-30-0x00007FF7DD160000-0x00007FF7DD556000-memory.dmp

Filesize
4.0MB

Download
memory/1380-133-0x00007FF6C2550000-0x00007FF6C2946000-memory.dmp

Filesize
4.0MB

Download
memory/1380-3254-0x00007FF6C2550000-0x00007FF6C2946000-memory.dmp

Filesize
4.0MB

Download
memory/1548-317-0x00007FF6A20E0000-0x00007FF6A24D6000-memory.dmp

Filesize
4.0MB

Download
memory/1548-3263-0x00007FF6A20E0000-0x00007FF6A24D6000-memory.dmp

Filesize
4.0MB

Download
memory/1580-10-0x00007FF71C030000-0x00007FF71C426000-memory.dmp

Filesize
4.0MB

Download
memory/2016-39-0x00007FF7EB120000-0x00007FF7EB516000-memory.dmp

Filesize
4.0MB

Download
memory/2016-3243-0x00007FF7EB120000-0x00007FF7EB516000-memory.dmp

Filesize
4.0MB

Download
memory/2088-142-0x00007FF69CB00000-0x00007FF69CEF6000-memory.dmp

Filesize
4.0MB

Download
memory/2088-3255-0x00007FF69CB00000-0x00007FF69CEF6000-memory.dmp

Filesize
4.0MB

Download
memory/2312-3250-0x00007FF6B1500000-0x00007FF6B18F6000-memory.dmp

Filesize
4.0MB

Download
memory/2312-81-0x00007FF6B1500000-0x00007FF6B18F6000-memory.dmp

Filesize
4.0MB

Download
memory/2912-280-0x00007FF6C2400000-0x00007FF6C27F6000-memory.dmp

Filesize
4.0MB

Download
memory/2912-60-0x00007FF6C2400000-0x00007FF6C27F6000-memory.dmp

Filesize
4.0MB

Download
memory/2912-3245-0x00007FF6C2400000-0x00007FF6C27F6000-memory.dmp

Filesize
4.0MB

Download
memory/3176-3261-0x00007FF74FAE0000-0x00007FF74FED6000-memory.dmp

Filesize
4.0MB

Download
memory/3176-151-0x00007FF74FAE0000-0x00007FF74FED6000-memory.dmp

Filesize
4.0MB

Download
memory/3296-3258-0x00007FF767AB0000-0x00007FF767EA6000-memory.dmp

Filesize
4.0MB

Download
memory/3296-127-0x00007FF767AB0000-0x00007FF767EA6000-memory.dmp

Filesize
4.0MB

Download
memory/3452-283-0x00007FF746210000-0x00007FF746606000-memory.dmp

Filesize
4.0MB

Download
memory/3452-3248-0x00007FF746210000-0x00007FF746606000-memory.dmp

Filesize
4.0MB

Download
memory/3452-70-0x00007FF746210000-0x00007FF746606000-memory.dmp

Filesize
4.0MB

Download
memory/3492-3256-0x00007FF73CF50000-0x00007FF73D346000-memory.dmp

Filesize
4.0MB

Download
memory/3492-134-0x00007FF73CF50000-0x00007FF73D346000-memory.dmp

Filesize
4.0MB

Download
memory/3652-110-0x00007FF7221E0000-0x00007FF7225D6000-memory.dmp

Filesize
4.0MB

Download
memory/3652-3252-0x00007FF7221E0000-0x00007FF7225D6000-memory.dmp

Filesize
4.0MB

Download
memory/3924-78-0x00007FF632850000-0x00007FF632C46000-memory.dmp

Filesize
4.0MB

Download
memory/3924-3244-0x00007FF632850000-0x00007FF632C46000-memory.dmp

Filesize
4.0MB

Download
memory/4172-80-0x00007FF796720000-0x00007FF796B16000-memory.dmp

Filesize
4.0MB

Download
memory/4172-3247-0x00007FF796720000-0x00007FF796B16000-memory.dmp

Filesize
4.0MB

Download
memory/4248-42-0x00007FF6EA350000-0x00007FF6EA746000-memory.dmp

Filesize
4.0MB

Download
memory/4248-3246-0x00007FF6EA350000-0x00007FF6EA746000-memory.dmp

Filesize
4.0MB

Download
memory/4248-318-0x00007FF6EA350000-0x00007FF6EA746000-memory.dmp

Filesize
4.0MB

Download
memory/4288-75-0x00007FF7E8620000-0x00007FF7E8A16000-memory.dmp

Filesize
4.0MB

Download
memory/4568-297-0x00007FF7CF9A0000-0x00007FF7CFD96000-memory.dmp

Filesize
4.0MB

Download
memory/4568-3262-0x00007FF7CF9A0000-0x00007FF7CFD96000-memory.dmp

Filesize
4.0MB

Download
memory/4604-143-0x00007FF71D460000-0x00007FF71D856000-memory.dmp

Filesize
4.0MB

Download
memory/4604-3259-0x00007FF71D460000-0x00007FF71D856000-memory.dmp

Filesize
4.0MB

Download
memory/4652-3249-0x00007FF730B20000-0x00007FF730F16000-memory.dmp

Filesize
4.0MB

Download
memory/4652-79-0x00007FF730B20000-0x00007FF730F16000-memory.dmp

Filesize
4.0MB

Download
memory/4736-3257-0x00007FF692C70000-0x00007FF693066000-memory.dmp

Filesize
4.0MB

Download
memory/4736-2151-0x00007FF692C70000-0x00007FF693066000-memory.dmp

Filesize
4.0MB

Download
memory/4736-119-0x00007FF692C70000-0x00007FF693066000-memory.dmp

Filesize
4.0MB

Download
memory/4896-93-0x00007FF783EE0000-0x00007FF7842D6000-memory.dmp

Filesize
4.0MB

Download
memory/4896-3251-0x00007FF783EE0000-0x00007FF7842D6000-memory.dmp

Filesize
4.0MB

Download
memory/4896-904-0x00007FF783EE0000-0x00007FF7842D6000-memory.dmp

Filesize
4.0MB

Download