xmrig | f773e06ac5d222d790f2860dde63dc55fd34d8ddd23ef846ed40b80cb317244b

Analysis

max time kernel
139s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
Size

2.8MB
MD5

eedd4d8554ac9412df43da6550bf8970
SHA1

b10fef16ee107d83011673d4384a19e98ea7bb3c
SHA256

f773e06ac5d222d790f2860dde63dc55fd34d8ddd23ef846ed40b80cb317244b
SHA512

6b85f67e9867a75cdf16d27767f40c7d2a1b9a2f0318313060d5e82107212bb3704596677155fd1f476cc5cc23a9f1d2b6f3d4aef50ded723b19a2dbe71af55f
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hm6lg6EW7ET6:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2R+

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1216-0-0x00007FF611020000-0x00007FF611416000-memory.dmp	xmrig
behavioral2/files/0x0005000000023284-9.dat	xmrig
behavioral2/files/0x0007000000023428-8.dat	xmrig
behavioral2/files/0x0008000000023424-15.dat	xmrig
behavioral2/files/0x000700000002342b-32.dat	xmrig
behavioral2/files/0x000700000002342c-44.dat	xmrig
behavioral2/memory/2652-46-0x00007FF6D6A20000-0x00007FF6D6E16000-memory.dmp	xmrig
behavioral2/files/0x000700000002342f-54.dat	xmrig
behavioral2/files/0x0007000000023430-76.dat	xmrig
behavioral2/files/0x0007000000023437-104.dat	xmrig
behavioral2/files/0x0008000000023433-118.dat	xmrig
behavioral2/files/0x000700000002343e-138.dat	xmrig
behavioral2/files/0x0007000000023440-148.dat	xmrig
behavioral2/files/0x0007000000023441-161.dat	xmrig
behavioral2/files/0x0007000000023444-176.dat	xmrig
behavioral2/memory/4844-469-0x00007FF7DD230000-0x00007FF7DD626000-memory.dmp	xmrig
behavioral2/memory/4704-475-0x00007FF6D6B60000-0x00007FF6D6F56000-memory.dmp	xmrig
behavioral2/memory/1032-480-0x00007FF69FF70000-0x00007FF6A0366000-memory.dmp	xmrig
behavioral2/memory/3536-478-0x00007FF7465B0000-0x00007FF7469A6000-memory.dmp	xmrig
behavioral2/memory/2712-497-0x00007FF6745B0000-0x00007FF6749A6000-memory.dmp	xmrig
behavioral2/memory/3448-505-0x00007FF644080000-0x00007FF644476000-memory.dmp	xmrig
behavioral2/memory/5096-519-0x00007FF7D7580000-0x00007FF7D7976000-memory.dmp	xmrig
behavioral2/memory/1256-553-0x00007FF74E9C0000-0x00007FF74EDB6000-memory.dmp	xmrig
behavioral2/memory/4740-572-0x00007FF741420000-0x00007FF741816000-memory.dmp	xmrig
behavioral2/memory/4176-567-0x00007FF6A42B0000-0x00007FF6A46A6000-memory.dmp	xmrig
behavioral2/memory/4756-563-0x00007FF7EE6E0000-0x00007FF7EEAD6000-memory.dmp	xmrig
behavioral2/memory/1228-549-0x00007FF76B580000-0x00007FF76B976000-memory.dmp	xmrig
behavioral2/memory/3496-540-0x00007FF639A30000-0x00007FF639E26000-memory.dmp	xmrig
behavioral2/memory/2956-543-0x00007FF76F270000-0x00007FF76F666000-memory.dmp	xmrig
behavioral2/memory/3848-531-0x00007FF7DEF60000-0x00007FF7DF356000-memory.dmp	xmrig
behavioral2/memory/3872-529-0x00007FF7DBC50000-0x00007FF7DC046000-memory.dmp	xmrig
behavioral2/memory/1596-526-0x00007FF6722C0000-0x00007FF6726B6000-memory.dmp	xmrig
behavioral2/memory/2424-513-0x00007FF794120000-0x00007FF794516000-memory.dmp	xmrig
behavioral2/memory/4260-508-0x00007FF6F0E30000-0x00007FF6F1226000-memory.dmp	xmrig
behavioral2/memory/4072-502-0x00007FF747FE0000-0x00007FF7483D6000-memory.dmp	xmrig
behavioral2/memory/3704-487-0x00007FF605160000-0x00007FF605556000-memory.dmp	xmrig
behavioral2/memory/3076-484-0x00007FF7B3BE0000-0x00007FF7B3FD6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023446-178.dat	xmrig
behavioral2/files/0x0007000000023445-173.dat	xmrig
behavioral2/files/0x0007000000023443-171.dat	xmrig
behavioral2/files/0x0007000000023442-166.dat	xmrig
behavioral2/files/0x000700000002343f-151.dat	xmrig
behavioral2/files/0x000700000002343d-141.dat	xmrig
behavioral2/files/0x000700000002343c-134.dat	xmrig
behavioral2/files/0x000700000002343b-129.dat	xmrig
behavioral2/files/0x000700000002343a-124.dat	xmrig
behavioral2/files/0x0007000000023439-114.dat	xmrig
behavioral2/files/0x0007000000023438-109.dat	xmrig
behavioral2/files/0x0007000000023436-99.dat	xmrig
behavioral2/files/0x0008000000023434-94.dat	xmrig
behavioral2/files/0x0007000000023435-89.dat	xmrig
behavioral2/files/0x0007000000023432-84.dat	xmrig
behavioral2/files/0x0007000000023431-78.dat	xmrig
behavioral2/files/0x000700000002342e-57.dat	xmrig
behavioral2/memory/2736-56-0x00007FF6731B0000-0x00007FF6735A6000-memory.dmp	xmrig
behavioral2/files/0x000700000002342d-52.dat	xmrig
behavioral2/files/0x000700000002342a-38.dat	xmrig
behavioral2/files/0x0007000000023429-23.dat	xmrig
behavioral2/memory/1228-2179-0x00007FF76B580000-0x00007FF76B976000-memory.dmp	xmrig
behavioral2/memory/2736-2180-0x00007FF6731B0000-0x00007FF6735A6000-memory.dmp	xmrig
behavioral2/memory/4844-2181-0x00007FF7DD230000-0x00007FF7DD626000-memory.dmp	xmrig
behavioral2/memory/2652-2182-0x00007FF6D6A20000-0x00007FF6D6E16000-memory.dmp	xmrig
behavioral2/memory/4704-2184-0x00007FF6D6B60000-0x00007FF6D6F56000-memory.dmp	xmrig
behavioral2/memory/1256-2183-0x00007FF74E9C0000-0x00007FF74EDB6000-memory.dmp	xmrig

Blocklisted process makes network request 12 IoCs

flow	pid	Process
8	1140	powershell.exe
13	1140	powershell.exe
29	1140	powershell.exe
30	1140	powershell.exe
31	1140	powershell.exe
41	1140	powershell.exe
44	1140	powershell.exe
56	1140	powershell.exe
57	1140	powershell.exe
58	1140	powershell.exe
59	1140	powershell.exe
60	1140	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1140	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1228	pZadfXN.exe
2652	XSFSUZj.exe
2736	OtmhkJS.exe
4844	dGDPHdR.exe
4704	PXGugVF.exe
1256	YunotFO.exe
3536	ErWlCIy.exe
1032	PImZCau.exe
4756	ECIqgIm.exe
4176	CVaoGVk.exe
3076	SiZCfjV.exe
4740	QPRITGh.exe
3704	fymKlwf.exe
2712	khQoeeg.exe
4072	TFrgVzZ.exe
3448	JaUotTT.exe
4260	mGRrWQN.exe
2424	RGyGUmN.exe
5096	QpIOklb.exe
1596	okNnrHk.exe
3872	BCcZRWQ.exe
3848	WYaTmzo.exe
3496	NCsrPCU.exe
2956	snfmiuq.exe
4152	MBYfIrW.exe
4168	peaYhIk.exe
2644	JbYtEfg.exe
2912	YAQzFKV.exe
836	EjDfBcK.exe
1788	JEDBocX.exe
2628	hdbjhRO.exe
3592	LayKGCw.exe
4988	XXuukGi.exe
3144	JSvnFDT.exe
4344	zVyowtI.exe
2000	TSwjGhq.exe
4336	eJuGoVz.exe
1484	QyqGBkR.exe
3992	HzcGwCs.exe
2160	uYYuawR.exe
2888	XJTVRja.exe
4444	sZDvkgt.exe
4316	FoUcufh.exe
4268	VyFQIyx.exe
556	UJdjcZH.exe
4204	ONANjxL.exe
2092	RVCqJXN.exe
3400	XuPIRRM.exe
5020	MFIGTqt.exe
1448	rAHLGgU.exe
1608	NwgTWHr.exe
2828	AinaLXV.exe
1916	wWNVLlr.exe
4196	PBkjdNm.exe
2072	bxEiDTw.exe
2612	uFVfnQN.exe
2296	YYTzQrO.exe
1656	rTzXZtF.exe
2608	MHXmxmM.exe
4924	CIsrNrd.exe
3320	slGJJum.exe
1468	TDkzbrt.exe
1532	nGlSAIV.exe
2184	OAKrJYv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1216-0-0x00007FF611020000-0x00007FF611416000-memory.dmp	upx
behavioral2/files/0x0005000000023284-9.dat	upx
behavioral2/files/0x0007000000023428-8.dat	upx
behavioral2/files/0x0008000000023424-15.dat	upx
behavioral2/files/0x000700000002342b-32.dat	upx
behavioral2/files/0x000700000002342c-44.dat	upx
behavioral2/memory/2652-46-0x00007FF6D6A20000-0x00007FF6D6E16000-memory.dmp	upx
behavioral2/files/0x000700000002342f-54.dat	upx
behavioral2/files/0x0007000000023430-76.dat	upx
behavioral2/files/0x0007000000023437-104.dat	upx
behavioral2/files/0x0008000000023433-118.dat	upx
behavioral2/files/0x000700000002343e-138.dat	upx
behavioral2/files/0x0007000000023440-148.dat	upx
behavioral2/files/0x0007000000023441-161.dat	upx
behavioral2/files/0x0007000000023444-176.dat	upx
behavioral2/memory/4844-469-0x00007FF7DD230000-0x00007FF7DD626000-memory.dmp	upx
behavioral2/memory/4704-475-0x00007FF6D6B60000-0x00007FF6D6F56000-memory.dmp	upx
behavioral2/memory/1032-480-0x00007FF69FF70000-0x00007FF6A0366000-memory.dmp	upx
behavioral2/memory/3536-478-0x00007FF7465B0000-0x00007FF7469A6000-memory.dmp	upx
behavioral2/memory/2712-497-0x00007FF6745B0000-0x00007FF6749A6000-memory.dmp	upx
behavioral2/memory/3448-505-0x00007FF644080000-0x00007FF644476000-memory.dmp	upx
behavioral2/memory/5096-519-0x00007FF7D7580000-0x00007FF7D7976000-memory.dmp	upx
behavioral2/memory/1256-553-0x00007FF74E9C0000-0x00007FF74EDB6000-memory.dmp	upx
behavioral2/memory/4740-572-0x00007FF741420000-0x00007FF741816000-memory.dmp	upx
behavioral2/memory/4176-567-0x00007FF6A42B0000-0x00007FF6A46A6000-memory.dmp	upx
behavioral2/memory/4756-563-0x00007FF7EE6E0000-0x00007FF7EEAD6000-memory.dmp	upx
behavioral2/memory/1228-549-0x00007FF76B580000-0x00007FF76B976000-memory.dmp	upx
behavioral2/memory/3496-540-0x00007FF639A30000-0x00007FF639E26000-memory.dmp	upx
behavioral2/memory/2956-543-0x00007FF76F270000-0x00007FF76F666000-memory.dmp	upx
behavioral2/memory/3848-531-0x00007FF7DEF60000-0x00007FF7DF356000-memory.dmp	upx
behavioral2/memory/3872-529-0x00007FF7DBC50000-0x00007FF7DC046000-memory.dmp	upx
behavioral2/memory/1596-526-0x00007FF6722C0000-0x00007FF6726B6000-memory.dmp	upx
behavioral2/memory/2424-513-0x00007FF794120000-0x00007FF794516000-memory.dmp	upx
behavioral2/memory/4260-508-0x00007FF6F0E30000-0x00007FF6F1226000-memory.dmp	upx
behavioral2/memory/4072-502-0x00007FF747FE0000-0x00007FF7483D6000-memory.dmp	upx
behavioral2/memory/3704-487-0x00007FF605160000-0x00007FF605556000-memory.dmp	upx
behavioral2/memory/3076-484-0x00007FF7B3BE0000-0x00007FF7B3FD6000-memory.dmp	upx
behavioral2/files/0x0007000000023446-178.dat	upx
behavioral2/files/0x0007000000023445-173.dat	upx
behavioral2/files/0x0007000000023443-171.dat	upx
behavioral2/files/0x0007000000023442-166.dat	upx
behavioral2/files/0x000700000002343f-151.dat	upx
behavioral2/files/0x000700000002343d-141.dat	upx
behavioral2/files/0x000700000002343c-134.dat	upx
behavioral2/files/0x000700000002343b-129.dat	upx
behavioral2/files/0x000700000002343a-124.dat	upx
behavioral2/files/0x0007000000023439-114.dat	upx
behavioral2/files/0x0007000000023438-109.dat	upx
behavioral2/files/0x0007000000023436-99.dat	upx
behavioral2/files/0x0008000000023434-94.dat	upx
behavioral2/files/0x0007000000023435-89.dat	upx
behavioral2/files/0x0007000000023432-84.dat	upx
behavioral2/files/0x0007000000023431-78.dat	upx
behavioral2/files/0x000700000002342e-57.dat	upx
behavioral2/memory/2736-56-0x00007FF6731B0000-0x00007FF6735A6000-memory.dmp	upx
behavioral2/files/0x000700000002342d-52.dat	upx
behavioral2/files/0x000700000002342a-38.dat	upx
behavioral2/files/0x0007000000023429-23.dat	upx
behavioral2/memory/1228-2179-0x00007FF76B580000-0x00007FF76B976000-memory.dmp	upx
behavioral2/memory/2736-2180-0x00007FF6731B0000-0x00007FF6735A6000-memory.dmp	upx
behavioral2/memory/4844-2181-0x00007FF7DD230000-0x00007FF7DD626000-memory.dmp	upx
behavioral2/memory/2652-2182-0x00007FF6D6A20000-0x00007FF6D6E16000-memory.dmp	upx
behavioral2/memory/4704-2184-0x00007FF6D6B60000-0x00007FF6D6F56000-memory.dmp	upx
behavioral2/memory/1256-2183-0x00007FF74E9C0000-0x00007FF74EDB6000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\wWFhmWJ.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\dznOruB.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\nGjycgM.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\YyYdgNx.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\okNnrHk.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\NkwpzHD.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\cTPFWgR.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\HYaHEyC.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\idoXUAV.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\YAQzFKV.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\eFjzCjE.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\nUfsBQa.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\mBdiOGD.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\kpMltet.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\mUXalrs.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\UmNkqOl.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\kuliVYr.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\OYxSwki.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\PeGtMSY.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\vogvqLC.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\LkmkDSv.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\SVcBHGm.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\VfOSimW.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\ibNtyUz.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\mrjiUNy.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\ihbnqIR.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\NCiLGcf.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\rOcolJV.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\IgNlKsm.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\MHVtkHS.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\yADooqb.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\PvGCwoM.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\pZncHlb.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\QmJnggV.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\hFvwvze.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\JdNgwQa.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\WmxLwgN.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\JSvnFDT.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\VyPKiVN.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\vcCaktB.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\nEUIhco.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\vRFbOhm.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\BgSDHTw.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\aycoqmu.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\PlFWoYH.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\ynNFnLk.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\QyqGBkR.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\xSRRUTJ.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\MHxHcbK.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\VNUKldF.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\CLZLpcv.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\AbhotGe.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\vlozhUb.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\BkorsAG.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\MPhBOsB.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\zGwXADB.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\ChxLqMB.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\YsIRQyg.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\bNNTIwX.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\yjrXqSA.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\sZbGxJu.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\lJxndcs.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\Eurvkzk.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
File created	C:\Windows\System\pgQZerH.exe	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1140	powershell.exe
1140	powershell.exe
1140	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeCreateGlobalPrivilege	12828	dwm.exe
Token: SeChangeNotifyPrivilege	12828	dwm.exe
Token: 33	12828	dwm.exe
Token: SeIncBasePriorityPrivilege	12828	dwm.exe
Token: SeShutdownPrivilege	12828	dwm.exe
Token: SeCreatePagefilePrivilege	12828	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1216 wrote to memory of 1140	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	83
PID 1216 wrote to memory of 1140	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	83
PID 1216 wrote to memory of 1228	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	84
PID 1216 wrote to memory of 1228	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	84
PID 1216 wrote to memory of 2652	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	85
PID 1216 wrote to memory of 2652	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	85
PID 1216 wrote to memory of 2736	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	86
PID 1216 wrote to memory of 2736	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	86
PID 1216 wrote to memory of 4844	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	87
PID 1216 wrote to memory of 4844	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	87
PID 1216 wrote to memory of 4704	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	88
PID 1216 wrote to memory of 4704	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	88
PID 1216 wrote to memory of 1256	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	89
PID 1216 wrote to memory of 1256	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	89
PID 1216 wrote to memory of 3536	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	90
PID 1216 wrote to memory of 3536	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	90
PID 1216 wrote to memory of 1032	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	91
PID 1216 wrote to memory of 1032	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	91
PID 1216 wrote to memory of 4756	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	92
PID 1216 wrote to memory of 4756	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	92
PID 1216 wrote to memory of 4176	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	93
PID 1216 wrote to memory of 4176	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	93
PID 1216 wrote to memory of 3076	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	94
PID 1216 wrote to memory of 3076	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	94
PID 1216 wrote to memory of 4740	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	95
PID 1216 wrote to memory of 4740	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	95
PID 1216 wrote to memory of 3704	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	96
PID 1216 wrote to memory of 3704	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	96
PID 1216 wrote to memory of 2712	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	97
PID 1216 wrote to memory of 2712	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	97
PID 1216 wrote to memory of 4072	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	98
PID 1216 wrote to memory of 4072	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	98
PID 1216 wrote to memory of 3448	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	99
PID 1216 wrote to memory of 3448	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	99
PID 1216 wrote to memory of 4260	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	100
PID 1216 wrote to memory of 4260	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	100
PID 1216 wrote to memory of 2424	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	101
PID 1216 wrote to memory of 2424	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	101
PID 1216 wrote to memory of 5096	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	102
PID 1216 wrote to memory of 5096	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	102
PID 1216 wrote to memory of 1596	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	103
PID 1216 wrote to memory of 1596	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	103
PID 1216 wrote to memory of 3872	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	104
PID 1216 wrote to memory of 3872	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	104
PID 1216 wrote to memory of 3848	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	105
PID 1216 wrote to memory of 3848	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	105
PID 1216 wrote to memory of 3496	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	106
PID 1216 wrote to memory of 3496	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	106
PID 1216 wrote to memory of 2956	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	107
PID 1216 wrote to memory of 2956	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	107
PID 1216 wrote to memory of 4152	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	108
PID 1216 wrote to memory of 4152	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	108
PID 1216 wrote to memory of 4168	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	109
PID 1216 wrote to memory of 4168	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	109
PID 1216 wrote to memory of 2644	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	110
PID 1216 wrote to memory of 2644	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	110
PID 1216 wrote to memory of 2912	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	111
PID 1216 wrote to memory of 2912	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	111
PID 1216 wrote to memory of 836	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	112
PID 1216 wrote to memory of 836	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	112
PID 1216 wrote to memory of 1788	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	113
PID 1216 wrote to memory of 1788	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	113
PID 1216 wrote to memory of 2628	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	114
PID 1216 wrote to memory of 2628	1216	eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\eedd4d8554ac9412df43da6550bf8970_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1140
- C:\Windows\System\pZadfXN.exe
  C:\Windows\System\pZadfXN.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\XSFSUZj.exe
  C:\Windows\System\XSFSUZj.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\OtmhkJS.exe
  C:\Windows\System\OtmhkJS.exe
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Windows\System\dGDPHdR.exe
  C:\Windows\System\dGDPHdR.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\PXGugVF.exe
  C:\Windows\System\PXGugVF.exe
  2⤵
  - Executes dropped EXE
  PID:4704
- C:\Windows\System\YunotFO.exe
  C:\Windows\System\YunotFO.exe
  2⤵
  - Executes dropped EXE
  PID:1256
- C:\Windows\System\ErWlCIy.exe
  C:\Windows\System\ErWlCIy.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\PImZCau.exe
  C:\Windows\System\PImZCau.exe
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Windows\System\ECIqgIm.exe
  C:\Windows\System\ECIqgIm.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\CVaoGVk.exe
  C:\Windows\System\CVaoGVk.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\SiZCfjV.exe
  C:\Windows\System\SiZCfjV.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\QPRITGh.exe
  C:\Windows\System\QPRITGh.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\fymKlwf.exe
  C:\Windows\System\fymKlwf.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\khQoeeg.exe
  C:\Windows\System\khQoeeg.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\TFrgVzZ.exe
  C:\Windows\System\TFrgVzZ.exe
  2⤵
  - Executes dropped EXE
  PID:4072
- C:\Windows\System\JaUotTT.exe
  C:\Windows\System\JaUotTT.exe
  2⤵
  - Executes dropped EXE
  PID:3448
- C:\Windows\System\mGRrWQN.exe
  C:\Windows\System\mGRrWQN.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\RGyGUmN.exe
  C:\Windows\System\RGyGUmN.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\QpIOklb.exe
  C:\Windows\System\QpIOklb.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\okNnrHk.exe
  C:\Windows\System\okNnrHk.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\BCcZRWQ.exe
  C:\Windows\System\BCcZRWQ.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\WYaTmzo.exe
  C:\Windows\System\WYaTmzo.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\NCsrPCU.exe
  C:\Windows\System\NCsrPCU.exe
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\System\snfmiuq.exe
  C:\Windows\System\snfmiuq.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\MBYfIrW.exe
  C:\Windows\System\MBYfIrW.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\peaYhIk.exe
  C:\Windows\System\peaYhIk.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\JbYtEfg.exe
  C:\Windows\System\JbYtEfg.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\YAQzFKV.exe
  C:\Windows\System\YAQzFKV.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\EjDfBcK.exe
  C:\Windows\System\EjDfBcK.exe
  2⤵
  - Executes dropped EXE
  PID:836
- C:\Windows\System\JEDBocX.exe
  C:\Windows\System\JEDBocX.exe
  2⤵
  - Executes dropped EXE
  PID:1788
- C:\Windows\System\hdbjhRO.exe
  C:\Windows\System\hdbjhRO.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\LayKGCw.exe
  C:\Windows\System\LayKGCw.exe
  2⤵
  - Executes dropped EXE
  PID:3592
- C:\Windows\System\XXuukGi.exe
  C:\Windows\System\XXuukGi.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\JSvnFDT.exe
  C:\Windows\System\JSvnFDT.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\zVyowtI.exe
  C:\Windows\System\zVyowtI.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\TSwjGhq.exe
  C:\Windows\System\TSwjGhq.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\eJuGoVz.exe
  C:\Windows\System\eJuGoVz.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\QyqGBkR.exe
  C:\Windows\System\QyqGBkR.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\HzcGwCs.exe
  C:\Windows\System\HzcGwCs.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\uYYuawR.exe
  C:\Windows\System\uYYuawR.exe
  2⤵
  - Executes dropped EXE
  PID:2160
- C:\Windows\System\XJTVRja.exe
  C:\Windows\System\XJTVRja.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\sZDvkgt.exe
  C:\Windows\System\sZDvkgt.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\FoUcufh.exe
  C:\Windows\System\FoUcufh.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\VyFQIyx.exe
  C:\Windows\System\VyFQIyx.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\UJdjcZH.exe
  C:\Windows\System\UJdjcZH.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\ONANjxL.exe
  C:\Windows\System\ONANjxL.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\RVCqJXN.exe
  C:\Windows\System\RVCqJXN.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\XuPIRRM.exe
  C:\Windows\System\XuPIRRM.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\MFIGTqt.exe
  C:\Windows\System\MFIGTqt.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\rAHLGgU.exe
  C:\Windows\System\rAHLGgU.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\NwgTWHr.exe
  C:\Windows\System\NwgTWHr.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\AinaLXV.exe
  C:\Windows\System\AinaLXV.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\wWNVLlr.exe
  C:\Windows\System\wWNVLlr.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\PBkjdNm.exe
  C:\Windows\System\PBkjdNm.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\bxEiDTw.exe
  C:\Windows\System\bxEiDTw.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\uFVfnQN.exe
  C:\Windows\System\uFVfnQN.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\YYTzQrO.exe
  C:\Windows\System\YYTzQrO.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\rTzXZtF.exe
  C:\Windows\System\rTzXZtF.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\MHXmxmM.exe
  C:\Windows\System\MHXmxmM.exe
  2⤵
  - Executes dropped EXE
  PID:2608
- C:\Windows\System\CIsrNrd.exe
  C:\Windows\System\CIsrNrd.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Windows\System\slGJJum.exe
  C:\Windows\System\slGJJum.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\TDkzbrt.exe
  C:\Windows\System\TDkzbrt.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\nGlSAIV.exe
  C:\Windows\System\nGlSAIV.exe
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\System\OAKrJYv.exe
  C:\Windows\System\OAKrJYv.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\DFOLssu.exe
  C:\Windows\System\DFOLssu.exe
  2⤵
  PID:2832
- C:\Windows\System\zEdflaT.exe
  C:\Windows\System\zEdflaT.exe
  2⤵
  PID:3168
- C:\Windows\System\MPiqUyY.exe
  C:\Windows\System\MPiqUyY.exe
  2⤵
  PID:4812
- C:\Windows\System\UlxoAQb.exe
  C:\Windows\System\UlxoAQb.exe
  2⤵
  PID:3172
- C:\Windows\System\nEOMyhl.exe
  C:\Windows\System\nEOMyhl.exe
  2⤵
  PID:1512
- C:\Windows\System\nVMMICo.exe
  C:\Windows\System\nVMMICo.exe
  2⤵
  PID:4348
- C:\Windows\System\nrMuwZK.exe
  C:\Windows\System\nrMuwZK.exe
  2⤵
  PID:2964
- C:\Windows\System\bNNTIwX.exe
  C:\Windows\System\bNNTIwX.exe
  2⤵
  PID:2500
- C:\Windows\System\tmHuOif.exe
  C:\Windows\System\tmHuOif.exe
  2⤵
  PID:4884
- C:\Windows\System\bYJBmcE.exe
  C:\Windows\System\bYJBmcE.exe
  2⤵
  PID:5144
- C:\Windows\System\ztKwTPk.exe
  C:\Windows\System\ztKwTPk.exe
  2⤵
  PID:5172
- C:\Windows\System\vVQPDvR.exe
  C:\Windows\System\vVQPDvR.exe
  2⤵
  PID:5200
- C:\Windows\System\QrdLWwg.exe
  C:\Windows\System\QrdLWwg.exe
  2⤵
  PID:5224
- C:\Windows\System\ErISxwA.exe
  C:\Windows\System\ErISxwA.exe
  2⤵
  PID:5252
- C:\Windows\System\jfnKawe.exe
  C:\Windows\System\jfnKawe.exe
  2⤵
  PID:5284
- C:\Windows\System\FBXclNj.exe
  C:\Windows\System\FBXclNj.exe
  2⤵
  PID:5308
- C:\Windows\System\bTmaAEA.exe
  C:\Windows\System\bTmaAEA.exe
  2⤵
  PID:5340
- C:\Windows\System\qnrSlFz.exe
  C:\Windows\System\qnrSlFz.exe
  2⤵
  PID:5364
- C:\Windows\System\wYTVaLB.exe
  C:\Windows\System\wYTVaLB.exe
  2⤵
  PID:5420
- C:\Windows\System\hSWoboe.exe
  C:\Windows\System\hSWoboe.exe
  2⤵
  PID:5472
- C:\Windows\System\gWYhqaR.exe
  C:\Windows\System\gWYhqaR.exe
  2⤵
  PID:5488
- C:\Windows\System\FAXpuTr.exe
  C:\Windows\System\FAXpuTr.exe
  2⤵
  PID:5504
- C:\Windows\System\QYdGPvR.exe
  C:\Windows\System\QYdGPvR.exe
  2⤵
  PID:5532
- C:\Windows\System\nrIbsCN.exe
  C:\Windows\System\nrIbsCN.exe
  2⤵
  PID:5556
- C:\Windows\System\xjJWLpF.exe
  C:\Windows\System\xjJWLpF.exe
  2⤵
  PID:5588
- C:\Windows\System\XhkzPaj.exe
  C:\Windows\System\XhkzPaj.exe
  2⤵
  PID:5612
- C:\Windows\System\nmvwGiK.exe
  C:\Windows\System\nmvwGiK.exe
  2⤵
  PID:5640
- C:\Windows\System\sksECrH.exe
  C:\Windows\System\sksECrH.exe
  2⤵
  PID:5668
- C:\Windows\System\trQArbN.exe
  C:\Windows\System\trQArbN.exe
  2⤵
  PID:5700
- C:\Windows\System\uEYxpOG.exe
  C:\Windows\System\uEYxpOG.exe
  2⤵
  PID:5728
- C:\Windows\System\cwTCCZU.exe
  C:\Windows\System\cwTCCZU.exe
  2⤵
  PID:5756
- C:\Windows\System\WABpCRN.exe
  C:\Windows\System\WABpCRN.exe
  2⤵
  PID:5784
- C:\Windows\System\avmwkok.exe
  C:\Windows\System\avmwkok.exe
  2⤵
  PID:5812
- C:\Windows\System\kpMltet.exe
  C:\Windows\System\kpMltet.exe
  2⤵
  PID:5840
- C:\Windows\System\YIerjdQ.exe
  C:\Windows\System\YIerjdQ.exe
  2⤵
  PID:5868
- C:\Windows\System\oUydlax.exe
  C:\Windows\System\oUydlax.exe
  2⤵
  PID:5896
- C:\Windows\System\ulNDbYH.exe
  C:\Windows\System\ulNDbYH.exe
  2⤵
  PID:5924
- C:\Windows\System\ptqjbzg.exe
  C:\Windows\System\ptqjbzg.exe
  2⤵
  PID:5952
- C:\Windows\System\hiYtXaG.exe
  C:\Windows\System\hiYtXaG.exe
  2⤵
  PID:5980
- C:\Windows\System\UipIUvU.exe
  C:\Windows\System\UipIUvU.exe
  2⤵
  PID:6008
- C:\Windows\System\KrsQvQd.exe
  C:\Windows\System\KrsQvQd.exe
  2⤵
  PID:6036
- C:\Windows\System\KfJkpfQ.exe
  C:\Windows\System\KfJkpfQ.exe
  2⤵
  PID:6064
- C:\Windows\System\uHopvXg.exe
  C:\Windows\System\uHopvXg.exe
  2⤵
  PID:6092
- C:\Windows\System\nOyqEGE.exe
  C:\Windows\System\nOyqEGE.exe
  2⤵
  PID:6120
- C:\Windows\System\gjeeQAh.exe
  C:\Windows\System\gjeeQAh.exe
  2⤵
  PID:4888
- C:\Windows\System\qqQZvWz.exe
  C:\Windows\System\qqQZvWz.exe
  2⤵
  PID:4496
- C:\Windows\System\uTCIEpG.exe
  C:\Windows\System\uTCIEpG.exe
  2⤵
  PID:3876
- C:\Windows\System\UZEcrfY.exe
  C:\Windows\System\UZEcrfY.exe
  2⤵
  PID:5184
- C:\Windows\System\zqdluXp.exe
  C:\Windows\System\zqdluXp.exe
  2⤵
  PID:5244
- C:\Windows\System\evZpGhM.exe
  C:\Windows\System\evZpGhM.exe
  2⤵
  PID:5300
- C:\Windows\System\cFAPEiG.exe
  C:\Windows\System\cFAPEiG.exe
  2⤵
  PID:5332
- C:\Windows\System\iULUoBU.exe
  C:\Windows\System\iULUoBU.exe
  2⤵
  PID:5412
- C:\Windows\System\DVQByKE.exe
  C:\Windows\System\DVQByKE.exe
  2⤵
  PID:5468
- C:\Windows\System\bdVpzyz.exe
  C:\Windows\System\bdVpzyz.exe
  2⤵
  PID:5520
- C:\Windows\System\ZlWIrjA.exe
  C:\Windows\System\ZlWIrjA.exe
  2⤵
  PID:5580
- C:\Windows\System\YbHhpxR.exe
  C:\Windows\System\YbHhpxR.exe
  2⤵
  PID:5656
- C:\Windows\System\kAeQsJL.exe
  C:\Windows\System\kAeQsJL.exe
  2⤵
  PID:1700
- C:\Windows\System\KOwFwzo.exe
  C:\Windows\System\KOwFwzo.exe
  2⤵
  PID:5772
- C:\Windows\System\GipxAtq.exe
  C:\Windows\System\GipxAtq.exe
  2⤵
  PID:5828
- C:\Windows\System\ByOHiHK.exe
  C:\Windows\System\ByOHiHK.exe
  2⤵
  PID:5884
- C:\Windows\System\sKQUmvS.exe
  C:\Windows\System\sKQUmvS.exe
  2⤵
  PID:5964
- C:\Windows\System\ztneQwv.exe
  C:\Windows\System\ztneQwv.exe
  2⤵
  PID:6024
- C:\Windows\System\LuZCUpU.exe
  C:\Windows\System\LuZCUpU.exe
  2⤵
  PID:6104
- C:\Windows\System\ZFTxybQ.exe
  C:\Windows\System\ZFTxybQ.exe
  2⤵
  PID:1604
- C:\Windows\System\fxZGyOR.exe
  C:\Windows\System\fxZGyOR.exe
  2⤵
  PID:2992
- C:\Windows\System\wkvyNPf.exe
  C:\Windows\System\wkvyNPf.exe
  2⤵
  PID:5276
- C:\Windows\System\XPvOaUV.exe
  C:\Windows\System\XPvOaUV.exe
  2⤵
  PID:5432
- C:\Windows\System\yjrXqSA.exe
  C:\Windows\System\yjrXqSA.exe
  2⤵
  PID:5632
- C:\Windows\System\cTPFWgR.exe
  C:\Windows\System\cTPFWgR.exe
  2⤵
  PID:5740
- C:\Windows\System\ZsxqQpI.exe
  C:\Windows\System\ZsxqQpI.exe
  2⤵
  PID:5804
- C:\Windows\System\hDaYHIn.exe
  C:\Windows\System\hDaYHIn.exe
  2⤵
  PID:6020
- C:\Windows\System\zbGnlZw.exe
  C:\Windows\System\zbGnlZw.exe
  2⤵
  PID:6140
- C:\Windows\System\UOlHZSF.exe
  C:\Windows\System\UOlHZSF.exe
  2⤵
  PID:3996
- C:\Windows\System\ZiOmpUf.exe
  C:\Windows\System\ZiOmpUf.exe
  2⤵
  PID:5572
- C:\Windows\System\ESIdOfn.exe
  C:\Windows\System\ESIdOfn.exe
  2⤵
  PID:1008
- C:\Windows\System\VbDYXmO.exe
  C:\Windows\System\VbDYXmO.exe
  2⤵
  PID:3736
- C:\Windows\System\uqjMmhQ.exe
  C:\Windows\System\uqjMmhQ.exe
  2⤵
  PID:2672
- C:\Windows\System\nNeGtDK.exe
  C:\Windows\System\nNeGtDK.exe
  2⤵
  PID:5360
- C:\Windows\System\JlCZwah.exe
  C:\Windows\System\JlCZwah.exe
  2⤵
  PID:5628
- C:\Windows\System\GDXnNbf.exe
  C:\Windows\System\GDXnNbf.exe
  2⤵
  PID:1952
- C:\Windows\System\XLyeyuc.exe
  C:\Windows\System\XLyeyuc.exe
  2⤵
  PID:1632
- C:\Windows\System\PHexVYk.exe
  C:\Windows\System\PHexVYk.exe
  2⤵
  PID:6164
- C:\Windows\System\xCoXjJW.exe
  C:\Windows\System\xCoXjJW.exe
  2⤵
  PID:6188
- C:\Windows\System\UjfizvR.exe
  C:\Windows\System\UjfizvR.exe
  2⤵
  PID:6224
- C:\Windows\System\zHuVOri.exe
  C:\Windows\System\zHuVOri.exe
  2⤵
  PID:6248
- C:\Windows\System\CMVoOmc.exe
  C:\Windows\System\CMVoOmc.exe
  2⤵
  PID:6276
- C:\Windows\System\aqlzzHF.exe
  C:\Windows\System\aqlzzHF.exe
  2⤵
  PID:6296
- C:\Windows\System\IdurudH.exe
  C:\Windows\System\IdurudH.exe
  2⤵
  PID:6348
- C:\Windows\System\odthnOd.exe
  C:\Windows\System\odthnOd.exe
  2⤵
  PID:6368
- C:\Windows\System\XALNrdh.exe
  C:\Windows\System\XALNrdh.exe
  2⤵
  PID:6400
- C:\Windows\System\NUwWDpg.exe
  C:\Windows\System\NUwWDpg.exe
  2⤵
  PID:6440
- C:\Windows\System\WdBjnWG.exe
  C:\Windows\System\WdBjnWG.exe
  2⤵
  PID:6468
- C:\Windows\System\DuGhban.exe
  C:\Windows\System\DuGhban.exe
  2⤵
  PID:6512
- C:\Windows\System\aBIuuzb.exe
  C:\Windows\System\aBIuuzb.exe
  2⤵
  PID:6532
- C:\Windows\System\mUXalrs.exe
  C:\Windows\System\mUXalrs.exe
  2⤵
  PID:6580
- C:\Windows\System\GAJblwu.exe
  C:\Windows\System\GAJblwu.exe
  2⤵
  PID:6616
- C:\Windows\System\jDdkIrz.exe
  C:\Windows\System\jDdkIrz.exe
  2⤵
  PID:6664
- C:\Windows\System\QOKuARO.exe
  C:\Windows\System\QOKuARO.exe
  2⤵
  PID:6700
- C:\Windows\System\hpVkFcf.exe
  C:\Windows\System\hpVkFcf.exe
  2⤵
  PID:6728
- C:\Windows\System\bfUYNla.exe
  C:\Windows\System\bfUYNla.exe
  2⤵
  PID:6756
- C:\Windows\System\nrhUBQb.exe
  C:\Windows\System\nrhUBQb.exe
  2⤵
  PID:6784
- C:\Windows\System\HAHOlDN.exe
  C:\Windows\System\HAHOlDN.exe
  2⤵
  PID:6804
- C:\Windows\System\iUkGysK.exe
  C:\Windows\System\iUkGysK.exe
  2⤵
  PID:6856
- C:\Windows\System\fWDSgTj.exe
  C:\Windows\System\fWDSgTj.exe
  2⤵
  PID:6872
- C:\Windows\System\cBonyQu.exe
  C:\Windows\System\cBonyQu.exe
  2⤵
  PID:6900
- C:\Windows\System\QYVoVOn.exe
  C:\Windows\System\QYVoVOn.exe
  2⤵
  PID:6916
- C:\Windows\System\XbpCYne.exe
  C:\Windows\System\XbpCYne.exe
  2⤵
  PID:6932
- C:\Windows\System\ITeVkEE.exe
  C:\Windows\System\ITeVkEE.exe
  2⤵
  PID:6948
- C:\Windows\System\kjEpXzH.exe
  C:\Windows\System\kjEpXzH.exe
  2⤵
  PID:6964
- C:\Windows\System\EmdnXUc.exe
  C:\Windows\System\EmdnXUc.exe
  2⤵
  PID:7028
- C:\Windows\System\pilLpJt.exe
  C:\Windows\System\pilLpJt.exe
  2⤵
  PID:7068
- C:\Windows\System\MFrXzJo.exe
  C:\Windows\System\MFrXzJo.exe
  2⤵
  PID:7084
- C:\Windows\System\AfhazGN.exe
  C:\Windows\System\AfhazGN.exe
  2⤵
  PID:7104
- C:\Windows\System\xjNNiGX.exe
  C:\Windows\System\xjNNiGX.exe
  2⤵
  PID:7148
- C:\Windows\System\LUGnoqN.exe
  C:\Windows\System\LUGnoqN.exe
  2⤵
  PID:2748
- C:\Windows\System\bhgGTKo.exe
  C:\Windows\System\bhgGTKo.exe
  2⤵
  PID:1316
- C:\Windows\System\LhUcrix.exe
  C:\Windows\System\LhUcrix.exe
  2⤵
  PID:704
- C:\Windows\System\ZRXROWh.exe
  C:\Windows\System\ZRXROWh.exe
  2⤵
  PID:1280
- C:\Windows\System\jFgskui.exe
  C:\Windows\System\jFgskui.exe
  2⤵
  PID:6336
- C:\Windows\System\rmOTqrq.exe
  C:\Windows\System\rmOTqrq.exe
  2⤵
  PID:3148
- C:\Windows\System\eEgGYkX.exe
  C:\Windows\System\eEgGYkX.exe
  2⤵
  PID:6492
- C:\Windows\System\VfOSimW.exe
  C:\Windows\System\VfOSimW.exe
  2⤵
  PID:6424
- C:\Windows\System\YuIiqwn.exe
  C:\Windows\System\YuIiqwn.exe
  2⤵
  PID:6544
- C:\Windows\System\vZYccVk.exe
  C:\Windows\System\vZYccVk.exe
  2⤵
  PID:6660
- C:\Windows\System\ouDmSUy.exe
  C:\Windows\System\ouDmSUy.exe
  2⤵
  PID:6696
- C:\Windows\System\WDFuqbG.exe
  C:\Windows\System\WDFuqbG.exe
  2⤵
  PID:6768
- C:\Windows\System\yBJykgx.exe
  C:\Windows\System\yBJykgx.exe
  2⤵
  PID:6864
- C:\Windows\System\tdvXKmU.exe
  C:\Windows\System\tdvXKmU.exe
  2⤵
  PID:6928
- C:\Windows\System\GRsiFnB.exe
  C:\Windows\System\GRsiFnB.exe
  2⤵
  PID:7012
- C:\Windows\System\WWyYnbe.exe
  C:\Windows\System\WWyYnbe.exe
  2⤵
  PID:7076
- C:\Windows\System\euGhzOW.exe
  C:\Windows\System\euGhzOW.exe
  2⤵
  PID:7156
- C:\Windows\System\aaguYWd.exe
  C:\Windows\System\aaguYWd.exe
  2⤵
  PID:6152
- C:\Windows\System\ZsaItgx.exe
  C:\Windows\System\ZsaItgx.exe
  2⤵
  PID:6232
- C:\Windows\System\Zfxlhbx.exe
  C:\Windows\System\Zfxlhbx.exe
  2⤵
  PID:4232
- C:\Windows\System\NDUEbqN.exe
  C:\Windows\System\NDUEbqN.exe
  2⤵
  PID:6672
- C:\Windows\System\QMJmwro.exe
  C:\Windows\System\QMJmwro.exe
  2⤵
  PID:6848
- C:\Windows\System\VqYhkcd.exe
  C:\Windows\System\VqYhkcd.exe
  2⤵
  PID:6924
- C:\Windows\System\glFKajm.exe
  C:\Windows\System\glFKajm.exe
  2⤵
  PID:7112
- C:\Windows\System\lGIhwzt.exe
  C:\Windows\System\lGIhwzt.exe
  2⤵
  PID:6240
- C:\Windows\System\xSRRUTJ.exe
  C:\Windows\System\xSRRUTJ.exe
  2⤵
  PID:6652
- C:\Windows\System\NntoQqs.exe
  C:\Windows\System\NntoQqs.exe
  2⤵
  PID:7060
- C:\Windows\System\JIpWWdO.exe
  C:\Windows\System\JIpWWdO.exe
  2⤵
  PID:6364
- C:\Windows\System\KMhwXHJ.exe
  C:\Windows\System\KMhwXHJ.exe
  2⤵
  PID:5752
- C:\Windows\System\LfQCGZj.exe
  C:\Windows\System\LfQCGZj.exe
  2⤵
  PID:7208
- C:\Windows\System\VoNoheu.exe
  C:\Windows\System\VoNoheu.exe
  2⤵
  PID:7244
- C:\Windows\System\ZAevIPV.exe
  C:\Windows\System\ZAevIPV.exe
  2⤵
  PID:7280
- C:\Windows\System\byXUHXj.exe
  C:\Windows\System\byXUHXj.exe
  2⤵
  PID:7308
- C:\Windows\System\OlzdklG.exe
  C:\Windows\System\OlzdklG.exe
  2⤵
  PID:7340
- C:\Windows\System\MHxHcbK.exe
  C:\Windows\System\MHxHcbK.exe
  2⤵
  PID:7380
- C:\Windows\System\KQGkzjr.exe
  C:\Windows\System\KQGkzjr.exe
  2⤵
  PID:7412
- C:\Windows\System\jlgRMpG.exe
  C:\Windows\System\jlgRMpG.exe
  2⤵
  PID:7436
- C:\Windows\System\VyPKiVN.exe
  C:\Windows\System\VyPKiVN.exe
  2⤵
  PID:7464
- C:\Windows\System\yzRiUcE.exe
  C:\Windows\System\yzRiUcE.exe
  2⤵
  PID:7492
- C:\Windows\System\WMMRuPm.exe
  C:\Windows\System\WMMRuPm.exe
  2⤵
  PID:7520
- C:\Windows\System\AYqHaoV.exe
  C:\Windows\System\AYqHaoV.exe
  2⤵
  PID:7560
- C:\Windows\System\jVFHNYj.exe
  C:\Windows\System\jVFHNYj.exe
  2⤵
  PID:7584
- C:\Windows\System\mKHZrdE.exe
  C:\Windows\System\mKHZrdE.exe
  2⤵
  PID:7612
- C:\Windows\System\gphVIFF.exe
  C:\Windows\System\gphVIFF.exe
  2⤵
  PID:7640
- C:\Windows\System\WHvnfLd.exe
  C:\Windows\System\WHvnfLd.exe
  2⤵
  PID:7668
- C:\Windows\System\SLLVODG.exe
  C:\Windows\System\SLLVODG.exe
  2⤵
  PID:7696
- C:\Windows\System\UbrMNBU.exe
  C:\Windows\System\UbrMNBU.exe
  2⤵
  PID:7724
- C:\Windows\System\ABuiJLn.exe
  C:\Windows\System\ABuiJLn.exe
  2⤵
  PID:7752
- C:\Windows\System\eZMNBYC.exe
  C:\Windows\System\eZMNBYC.exe
  2⤵
  PID:7784
- C:\Windows\System\UmNkqOl.exe
  C:\Windows\System\UmNkqOl.exe
  2⤵
  PID:7812
- C:\Windows\System\xDqvRMK.exe
  C:\Windows\System\xDqvRMK.exe
  2⤵
  PID:7840
- C:\Windows\System\FjHlAxz.exe
  C:\Windows\System\FjHlAxz.exe
  2⤵
  PID:7868
- C:\Windows\System\FyfdyRs.exe
  C:\Windows\System\FyfdyRs.exe
  2⤵
  PID:7900
- C:\Windows\System\yMCzKvR.exe
  C:\Windows\System\yMCzKvR.exe
  2⤵
  PID:7936
- C:\Windows\System\NXUoKdF.exe
  C:\Windows\System\NXUoKdF.exe
  2⤵
  PID:7968
- C:\Windows\System\rnaEgOa.exe
  C:\Windows\System\rnaEgOa.exe
  2⤵
  PID:7992
- C:\Windows\System\RuceGvU.exe
  C:\Windows\System\RuceGvU.exe
  2⤵
  PID:8020
- C:\Windows\System\ofOdFwV.exe
  C:\Windows\System\ofOdFwV.exe
  2⤵
  PID:8048
- C:\Windows\System\xyjGFKl.exe
  C:\Windows\System\xyjGFKl.exe
  2⤵
  PID:8084
- C:\Windows\System\ZypyQty.exe
  C:\Windows\System\ZypyQty.exe
  2⤵
  PID:8112
- C:\Windows\System\DYzwmae.exe
  C:\Windows\System\DYzwmae.exe
  2⤵
  PID:8180
- C:\Windows\System\iwntSHn.exe
  C:\Windows\System\iwntSHn.exe
  2⤵
  PID:7200
- C:\Windows\System\occYMTU.exe
  C:\Windows\System\occYMTU.exe
  2⤵
  PID:7264
- C:\Windows\System\qmiZYui.exe
  C:\Windows\System\qmiZYui.exe
  2⤵
  PID:7376
- C:\Windows\System\HNNFLaY.exe
  C:\Windows\System\HNNFLaY.exe
  2⤵
  PID:7488
- C:\Windows\System\CLodeYe.exe
  C:\Windows\System\CLodeYe.exe
  2⤵
  PID:7576
- C:\Windows\System\MUruLjV.exe
  C:\Windows\System\MUruLjV.exe
  2⤵
  PID:7632
- C:\Windows\System\nFzCJoM.exe
  C:\Windows\System\nFzCJoM.exe
  2⤵
  PID:7692
- C:\Windows\System\PdBsZjS.exe
  C:\Windows\System\PdBsZjS.exe
  2⤵
  PID:7768
- C:\Windows\System\mIzoZBe.exe
  C:\Windows\System\mIzoZBe.exe
  2⤵
  PID:7096
- C:\Windows\System\kUONluY.exe
  C:\Windows\System\kUONluY.exe
  2⤵
  PID:7860
- C:\Windows\System\NCiLGcf.exe
  C:\Windows\System\NCiLGcf.exe
  2⤵
  PID:7960
- C:\Windows\System\kiqPirc.exe
  C:\Windows\System\kiqPirc.exe
  2⤵
  PID:8012
- C:\Windows\System\fLeTymQ.exe
  C:\Windows\System\fLeTymQ.exe
  2⤵
  PID:8060
- C:\Windows\System\VMMkRNy.exe
  C:\Windows\System\VMMkRNy.exe
  2⤵
  PID:8108
- C:\Windows\System\cyjbMtj.exe
  C:\Windows\System\cyjbMtj.exe
  2⤵
  PID:7240
- C:\Windows\System\IlpQRJn.exe
  C:\Windows\System\IlpQRJn.exe
  2⤵
  PID:7572
- C:\Windows\System\yKzctVl.exe
  C:\Windows\System\yKzctVl.exe
  2⤵
  PID:7720
- C:\Windows\System\EJHDcCz.exe
  C:\Windows\System\EJHDcCz.exe
  2⤵
  PID:7836
- C:\Windows\System\hzqusEp.exe
  C:\Windows\System\hzqusEp.exe
  2⤵
  PID:8040
- C:\Windows\System\muToWYb.exe
  C:\Windows\System\muToWYb.exe
  2⤵
  PID:8140
- C:\Windows\System\VdBPjER.exe
  C:\Windows\System\VdBPjER.exe
  2⤵
  PID:7664
- C:\Windows\System\GcOrvAk.exe
  C:\Windows\System\GcOrvAk.exe
  2⤵
  PID:7984
- C:\Windows\System\wWFhmWJ.exe
  C:\Windows\System\wWFhmWJ.exe
  2⤵
  PID:7808
- C:\Windows\System\DQRpjpx.exe
  C:\Windows\System\DQRpjpx.exe
  2⤵
  PID:7624
- C:\Windows\System\pnVJOVQ.exe
  C:\Windows\System\pnVJOVQ.exe
  2⤵
  PID:8224
- C:\Windows\System\tOVRkxb.exe
  C:\Windows\System\tOVRkxb.exe
  2⤵
  PID:8248
- C:\Windows\System\vPJyiLQ.exe
  C:\Windows\System\vPJyiLQ.exe
  2⤵
  PID:8276
- C:\Windows\System\MzuVEHH.exe
  C:\Windows\System\MzuVEHH.exe
  2⤵
  PID:8320
- C:\Windows\System\AQOItSF.exe
  C:\Windows\System\AQOItSF.exe
  2⤵
  PID:8360
- C:\Windows\System\EruHWnP.exe
  C:\Windows\System\EruHWnP.exe
  2⤵
  PID:8400
- C:\Windows\System\NOfPDZA.exe
  C:\Windows\System\NOfPDZA.exe
  2⤵
  PID:8432
- C:\Windows\System\BrkKueK.exe
  C:\Windows\System\BrkKueK.exe
  2⤵
  PID:8464
- C:\Windows\System\hFvwvze.exe
  C:\Windows\System\hFvwvze.exe
  2⤵
  PID:8496
- C:\Windows\System\GlVCENp.exe
  C:\Windows\System\GlVCENp.exe
  2⤵
  PID:8524
- C:\Windows\System\nosoqZK.exe
  C:\Windows\System\nosoqZK.exe
  2⤵
  PID:8552
- C:\Windows\System\BkfARBn.exe
  C:\Windows\System\BkfARBn.exe
  2⤵
  PID:8588
- C:\Windows\System\qrLddwR.exe
  C:\Windows\System\qrLddwR.exe
  2⤵
  PID:8632
- C:\Windows\System\YhOBCEK.exe
  C:\Windows\System\YhOBCEK.exe
  2⤵
  PID:8652
- C:\Windows\System\sFraAeA.exe
  C:\Windows\System\sFraAeA.exe
  2⤵
  PID:8680
- C:\Windows\System\WrXUKpk.exe
  C:\Windows\System\WrXUKpk.exe
  2⤵
  PID:8708
- C:\Windows\System\qYkMQZj.exe
  C:\Windows\System\qYkMQZj.exe
  2⤵
  PID:8744
- C:\Windows\System\LJBUJtw.exe
  C:\Windows\System\LJBUJtw.exe
  2⤵
  PID:8772
- C:\Windows\System\PeGtMSY.exe
  C:\Windows\System\PeGtMSY.exe
  2⤵
  PID:8804
- C:\Windows\System\vyGngsd.exe
  C:\Windows\System\vyGngsd.exe
  2⤵
  PID:8832
- C:\Windows\System\jKoAsHG.exe
  C:\Windows\System\jKoAsHG.exe
  2⤵
  PID:8860
- C:\Windows\System\JdNgwQa.exe
  C:\Windows\System\JdNgwQa.exe
  2⤵
  PID:8892
- C:\Windows\System\RGVhuSh.exe
  C:\Windows\System\RGVhuSh.exe
  2⤵
  PID:8920
- C:\Windows\System\dznOruB.exe
  C:\Windows\System\dznOruB.exe
  2⤵
  PID:8948
- C:\Windows\System\rPDtfqm.exe
  C:\Windows\System\rPDtfqm.exe
  2⤵
  PID:8980
- C:\Windows\System\yrOifZf.exe
  C:\Windows\System\yrOifZf.exe
  2⤵
  PID:9008
- C:\Windows\System\xLvpOKw.exe
  C:\Windows\System\xLvpOKw.exe
  2⤵
  PID:9036
- C:\Windows\System\taSJskw.exe
  C:\Windows\System\taSJskw.exe
  2⤵
  PID:9064
- C:\Windows\System\kZRWMdR.exe
  C:\Windows\System\kZRWMdR.exe
  2⤵
  PID:9100
- C:\Windows\System\fGCywMV.exe
  C:\Windows\System\fGCywMV.exe
  2⤵
  PID:9128
- C:\Windows\System\VWSekef.exe
  C:\Windows\System\VWSekef.exe
  2⤵
  PID:9160
- C:\Windows\System\PtWgjvr.exe
  C:\Windows\System\PtWgjvr.exe
  2⤵
  PID:9188
- C:\Windows\System\SMPLLzG.exe
  C:\Windows\System\SMPLLzG.exe
  2⤵
  PID:8104
- C:\Windows\System\dOXSewp.exe
  C:\Windows\System\dOXSewp.exe
  2⤵
  PID:8260
- C:\Windows\System\bPRLRSI.exe
  C:\Windows\System\bPRLRSI.exe
  2⤵
  PID:8308
- C:\Windows\System\MOAFsvS.exe
  C:\Windows\System\MOAFsvS.exe
  2⤵
  PID:8424
- C:\Windows\System\KIJWbyw.exe
  C:\Windows\System\KIJWbyw.exe
  2⤵
  PID:8492
- C:\Windows\System\CeRDehG.exe
  C:\Windows\System\CeRDehG.exe
  2⤵
  PID:8568
- C:\Windows\System\xzxCOAD.exe
  C:\Windows\System\xzxCOAD.exe
  2⤵
  PID:7328
- C:\Windows\System\DXmCHOd.exe
  C:\Windows\System\DXmCHOd.exe
  2⤵
  PID:8616
- C:\Windows\System\YOdesdK.exe
  C:\Windows\System\YOdesdK.exe
  2⤵
  PID:8664
- C:\Windows\System\eFjzCjE.exe
  C:\Windows\System\eFjzCjE.exe
  2⤵
  PID:8704
- C:\Windows\System\iPpctzN.exe
  C:\Windows\System\iPpctzN.exe
  2⤵
  PID:8784
- C:\Windows\System\HYaHEyC.exe
  C:\Windows\System\HYaHEyC.exe
  2⤵
  PID:8848
- C:\Windows\System\sZbGxJu.exe
  C:\Windows\System\sZbGxJu.exe
  2⤵
  PID:8944
- C:\Windows\System\tliYBIp.exe
  C:\Windows\System\tliYBIp.exe
  2⤵
  PID:9032
- C:\Windows\System\uakoxca.exe
  C:\Windows\System\uakoxca.exe
  2⤵
  PID:9184
- C:\Windows\System\SamaHWE.exe
  C:\Windows\System\SamaHWE.exe
  2⤵
  PID:8380
- C:\Windows\System\aHevvPt.exe
  C:\Windows\System\aHevvPt.exe
  2⤵
  PID:8544
- C:\Windows\System\stbBDej.exe
  C:\Windows\System\stbBDej.exe
  2⤵
  PID:8644
- C:\Windows\System\agnWFng.exe
  C:\Windows\System\agnWFng.exe
  2⤵
  PID:8976
- C:\Windows\System\fPFXlGJ.exe
  C:\Windows\System\fPFXlGJ.exe
  2⤵
  PID:8612
- C:\Windows\System\KKjmRgZ.exe
  C:\Windows\System\KKjmRgZ.exe
  2⤵
  PID:9228
- C:\Windows\System\nozgiOB.exe
  C:\Windows\System\nozgiOB.exe
  2⤵
  PID:9256
- C:\Windows\System\EUdmaMS.exe
  C:\Windows\System\EUdmaMS.exe
  2⤵
  PID:9288
- C:\Windows\System\cRsrnFT.exe
  C:\Windows\System\cRsrnFT.exe
  2⤵
  PID:9312
- C:\Windows\System\jOeULMU.exe
  C:\Windows\System\jOeULMU.exe
  2⤵
  PID:9340
- C:\Windows\System\EJxdMbz.exe
  C:\Windows\System\EJxdMbz.exe
  2⤵
  PID:9560
- C:\Windows\System\cZJzPFX.exe
  C:\Windows\System\cZJzPFX.exe
  2⤵
  PID:9576
- C:\Windows\System\HVNdZOn.exe
  C:\Windows\System\HVNdZOn.exe
  2⤵
  PID:9604
- C:\Windows\System\iAeZzEm.exe
  C:\Windows\System\iAeZzEm.exe
  2⤵
  PID:9644
- C:\Windows\System\VhkxzzD.exe
  C:\Windows\System\VhkxzzD.exe
  2⤵
  PID:9676
- C:\Windows\System\BiYmYgB.exe
  C:\Windows\System\BiYmYgB.exe
  2⤵
  PID:9712
- C:\Windows\System\ZgayYTH.exe
  C:\Windows\System\ZgayYTH.exe
  2⤵
  PID:9748
- C:\Windows\System\HZHqmjg.exe
  C:\Windows\System\HZHqmjg.exe
  2⤵
  PID:9776
- C:\Windows\System\IjvVlrC.exe
  C:\Windows\System\IjvVlrC.exe
  2⤵
  PID:9804
- C:\Windows\System\vnrEZDa.exe
  C:\Windows\System\vnrEZDa.exe
  2⤵
  PID:9832
- C:\Windows\System\LnpziEU.exe
  C:\Windows\System\LnpziEU.exe
  2⤵
  PID:9864
- C:\Windows\System\aHnsTPj.exe
  C:\Windows\System\aHnsTPj.exe
  2⤵
  PID:9892
- C:\Windows\System\DAAWhou.exe
  C:\Windows\System\DAAWhou.exe
  2⤵
  PID:9920
- C:\Windows\System\ARIKBHX.exe
  C:\Windows\System\ARIKBHX.exe
  2⤵
  PID:9948
- C:\Windows\System\TmigmrG.exe
  C:\Windows\System\TmigmrG.exe
  2⤵
  PID:9980
- C:\Windows\System\zVosCJQ.exe
  C:\Windows\System\zVosCJQ.exe
  2⤵
  PID:10008
- C:\Windows\System\GbchklK.exe
  C:\Windows\System\GbchklK.exe
  2⤵
  PID:10036
- C:\Windows\System\rqYZepu.exe
  C:\Windows\System\rqYZepu.exe
  2⤵
  PID:10064
- C:\Windows\System\XpADubA.exe
  C:\Windows\System\XpADubA.exe
  2⤵
  PID:10092
- C:\Windows\System\CtuiXGt.exe
  C:\Windows\System\CtuiXGt.exe
  2⤵
  PID:10120
- C:\Windows\System\WlwOKhi.exe
  C:\Windows\System\WlwOKhi.exe
  2⤵
  PID:10148
- C:\Windows\System\xpzIXHq.exe
  C:\Windows\System\xpzIXHq.exe
  2⤵
  PID:10180
- C:\Windows\System\YeicMrB.exe
  C:\Windows\System\YeicMrB.exe
  2⤵
  PID:10208
- C:\Windows\System\VNUKldF.exe
  C:\Windows\System\VNUKldF.exe
  2⤵
  PID:10236
- C:\Windows\System\SQYnLUp.exe
  C:\Windows\System\SQYnLUp.exe
  2⤵
  PID:9280
- C:\Windows\System\UzndAZh.exe
  C:\Windows\System\UzndAZh.exe
  2⤵
  PID:9336
- C:\Windows\System\XjAicba.exe
  C:\Windows\System\XjAicba.exe
  2⤵
  PID:9384
- C:\Windows\System\FXrSrxi.exe
  C:\Windows\System\FXrSrxi.exe
  2⤵
  PID:9412
- C:\Windows\System\FKAuBbr.exe
  C:\Windows\System\FKAuBbr.exe
  2⤵
  PID:9428
- C:\Windows\System\xioulEP.exe
  C:\Windows\System\xioulEP.exe
  2⤵
  PID:9468
- C:\Windows\System\unapLzx.exe
  C:\Windows\System\unapLzx.exe
  2⤵
  PID:9496
- C:\Windows\System\ViUFdGO.exe
  C:\Windows\System\ViUFdGO.exe
  2⤵
  PID:9532
- C:\Windows\System\QHgANzU.exe
  C:\Windows\System\QHgANzU.exe
  2⤵
  PID:9568
- C:\Windows\System\GqiXQpQ.exe
  C:\Windows\System\GqiXQpQ.exe
  2⤵
  PID:9636
- C:\Windows\System\ciFMVgi.exe
  C:\Windows\System\ciFMVgi.exe
  2⤵
  PID:8876
- C:\Windows\System\jgaYSOj.exe
  C:\Windows\System\jgaYSOj.exe
  2⤵
  PID:9760
- C:\Windows\System\NazvFfA.exe
  C:\Windows\System\NazvFfA.exe
  2⤵
  PID:9824
- C:\Windows\System\EKCHsUU.exe
  C:\Windows\System\EKCHsUU.exe
  2⤵
  PID:9888
- C:\Windows\System\kfNowon.exe
  C:\Windows\System\kfNowon.exe
  2⤵
  PID:9960
- C:\Windows\System\GWCGHnY.exe
  C:\Windows\System\GWCGHnY.exe
  2⤵
  PID:10020
- C:\Windows\System\zIzSXST.exe
  C:\Windows\System\zIzSXST.exe
  2⤵
  PID:10076
- C:\Windows\System\reqlhKu.exe
  C:\Windows\System\reqlhKu.exe
  2⤵
  PID:4432
- C:\Windows\System\jlWzwor.exe
  C:\Windows\System\jlWzwor.exe
  2⤵
  PID:10232
- C:\Windows\System\jhcIiGt.exe
  C:\Windows\System\jhcIiGt.exe
  2⤵
  PID:9368
- C:\Windows\System\ERsXpov.exe
  C:\Windows\System\ERsXpov.exe
  2⤵
  PID:9424
- C:\Windows\System\jQxTAWt.exe
  C:\Windows\System\jQxTAWt.exe
  2⤵
  PID:9488
- C:\Windows\System\rOcolJV.exe
  C:\Windows\System\rOcolJV.exe
  2⤵
  PID:9352
- C:\Windows\System\DpNmETh.exe
  C:\Windows\System\DpNmETh.exe
  2⤵
  PID:9668
- C:\Windows\System\bSynoMi.exe
  C:\Windows\System\bSynoMi.exe
  2⤵
  PID:9816
- C:\Windows\System\wKeupBb.exe
  C:\Windows\System\wKeupBb.exe
  2⤵
  PID:9944
- C:\Windows\System\hulAhmE.exe
  C:\Windows\System\hulAhmE.exe
  2⤵
  PID:6356
- C:\Windows\System\YDbQucz.exe
  C:\Windows\System\YDbQucz.exe
  2⤵
  PID:8156
- C:\Windows\System\fksAmJR.exe
  C:\Windows\System\fksAmJR.exe
  2⤵
  PID:8176
- C:\Windows\System\JCQDJah.exe
  C:\Windows\System\JCQDJah.exe
  2⤵
  PID:9304
- C:\Windows\System\LGzchnH.exe
  C:\Windows\System\LGzchnH.exe
  2⤵
  PID:9464
- C:\Windows\System\jZqiTdd.exe
  C:\Windows\System\jZqiTdd.exe
  2⤵
  PID:9592
- C:\Windows\System\vlozhUb.exe
  C:\Windows\System\vlozhUb.exe
  2⤵
  PID:9796
- C:\Windows\System\fDuxeeN.exe
  C:\Windows\System\fDuxeeN.exe
  2⤵
  PID:7232
- C:\Windows\System\YyFGHiN.exe
  C:\Windows\System\YyFGHiN.exe
  2⤵
  PID:9456
- C:\Windows\System\chczhBk.exe
  C:\Windows\System\chczhBk.exe
  2⤵
  PID:9916
- C:\Windows\System\JivAOLH.exe
  C:\Windows\System\JivAOLH.exe
  2⤵
  PID:9744
- C:\Windows\System\vXaBmiO.exe
  C:\Windows\System\vXaBmiO.exe
  2⤵
  PID:10260
- C:\Windows\System\zhTXZjQ.exe
  C:\Windows\System\zhTXZjQ.exe
  2⤵
  PID:10284
- C:\Windows\System\BgSDHTw.exe
  C:\Windows\System\BgSDHTw.exe
  2⤵
  PID:10324
- C:\Windows\System\LVioUqo.exe
  C:\Windows\System\LVioUqo.exe
  2⤵
  PID:10340
- C:\Windows\System\zOwWVSd.exe
  C:\Windows\System\zOwWVSd.exe
  2⤵
  PID:10380
- C:\Windows\System\kuliVYr.exe
  C:\Windows\System\kuliVYr.exe
  2⤵
  PID:10408
- C:\Windows\System\eDmgsig.exe
  C:\Windows\System\eDmgsig.exe
  2⤵
  PID:10440
- C:\Windows\System\QtgHicN.exe
  C:\Windows\System\QtgHicN.exe
  2⤵
  PID:10468
- C:\Windows\System\FpXZPEE.exe
  C:\Windows\System\FpXZPEE.exe
  2⤵
  PID:10500
- C:\Windows\System\hNDhSyn.exe
  C:\Windows\System\hNDhSyn.exe
  2⤵
  PID:10536
- C:\Windows\System\OIPDehv.exe
  C:\Windows\System\OIPDehv.exe
  2⤵
  PID:10564
- C:\Windows\System\FfXTWYO.exe
  C:\Windows\System\FfXTWYO.exe
  2⤵
  PID:10592
- C:\Windows\System\rZOtmvk.exe
  C:\Windows\System\rZOtmvk.exe
  2⤵
  PID:10620
- C:\Windows\System\yBWNsMV.exe
  C:\Windows\System\yBWNsMV.exe
  2⤵
  PID:10648
- C:\Windows\System\aycoqmu.exe
  C:\Windows\System\aycoqmu.exe
  2⤵
  PID:10676
- C:\Windows\System\csAnAlJ.exe
  C:\Windows\System\csAnAlJ.exe
  2⤵
  PID:10708
- C:\Windows\System\aACWXTU.exe
  C:\Windows\System\aACWXTU.exe
  2⤵
  PID:10736
- C:\Windows\System\rcbXieX.exe
  C:\Windows\System\rcbXieX.exe
  2⤵
  PID:10784
- C:\Windows\System\OULMsvb.exe
  C:\Windows\System\OULMsvb.exe
  2⤵
  PID:10812
- C:\Windows\System\lkKGZoh.exe
  C:\Windows\System\lkKGZoh.exe
  2⤵
  PID:10840
- C:\Windows\System\mWdsJkO.exe
  C:\Windows\System\mWdsJkO.exe
  2⤵
  PID:10868
- C:\Windows\System\DXEVFVD.exe
  C:\Windows\System\DXEVFVD.exe
  2⤵
  PID:10896
- C:\Windows\System\bfFElKv.exe
  C:\Windows\System\bfFElKv.exe
  2⤵
  PID:10924
- C:\Windows\System\APQmAuN.exe
  C:\Windows\System\APQmAuN.exe
  2⤵
  PID:10952
- C:\Windows\System\RVbcFSe.exe
  C:\Windows\System\RVbcFSe.exe
  2⤵
  PID:10980
- C:\Windows\System\NkwpzHD.exe
  C:\Windows\System\NkwpzHD.exe
  2⤵
  PID:11008
- C:\Windows\System\kQZaxVS.exe
  C:\Windows\System\kQZaxVS.exe
  2⤵
  PID:11048
- C:\Windows\System\sOvbZtE.exe
  C:\Windows\System\sOvbZtE.exe
  2⤵
  PID:11076
- C:\Windows\System\FVIfjge.exe
  C:\Windows\System\FVIfjge.exe
  2⤵
  PID:11104
- C:\Windows\System\gZkZHHK.exe
  C:\Windows\System\gZkZHHK.exe
  2⤵
  PID:11132
- C:\Windows\System\awexfhw.exe
  C:\Windows\System\awexfhw.exe
  2⤵
  PID:11188
- C:\Windows\System\dWFvEyb.exe
  C:\Windows\System\dWFvEyb.exe
  2⤵
  PID:11216
- C:\Windows\System\bvHwgxS.exe
  C:\Windows\System\bvHwgxS.exe
  2⤵
  PID:11256
- C:\Windows\System\DPsOThc.exe
  C:\Windows\System\DPsOThc.exe
  2⤵
  PID:10296
- C:\Windows\System\jrvLbtF.exe
  C:\Windows\System\jrvLbtF.exe
  2⤵
  PID:10392
- C:\Windows\System\srRMXju.exe
  C:\Windows\System\srRMXju.exe
  2⤵
  PID:10460
- C:\Windows\System\EgHIKtc.exe
  C:\Windows\System\EgHIKtc.exe
  2⤵
  PID:10556
- C:\Windows\System\LIGmhNc.exe
  C:\Windows\System\LIGmhNc.exe
  2⤵
  PID:10644
- C:\Windows\System\BjWspRG.exe
  C:\Windows\System\BjWspRG.exe
  2⤵
  PID:10796
- C:\Windows\System\kZJExUG.exe
  C:\Windows\System\kZJExUG.exe
  2⤵
  PID:10852
- C:\Windows\System\VFFShlj.exe
  C:\Windows\System\VFFShlj.exe
  2⤵
  PID:10944
- C:\Windows\System\HOHOqzW.exe
  C:\Windows\System\HOHOqzW.exe
  2⤵
  PID:11004
- C:\Windows\System\nGeBOTl.exe
  C:\Windows\System\nGeBOTl.exe
  2⤵
  PID:11100
- C:\Windows\System\bzRWlZv.exe
  C:\Windows\System\bzRWlZv.exe
  2⤵
  PID:11164
- C:\Windows\System\EbYiIKY.exe
  C:\Windows\System\EbYiIKY.exe
  2⤵
  PID:11244
- C:\Windows\System\nuaVGEA.exe
  C:\Windows\System\nuaVGEA.exe
  2⤵
  PID:10280
- C:\Windows\System\WuHoZwj.exe
  C:\Windows\System\WuHoZwj.exe
  2⤵
  PID:10584
- C:\Windows\System\bFoeiYD.exe
  C:\Windows\System\bFoeiYD.exe
  2⤵
  PID:10636
- C:\Windows\System\sQcxyts.exe
  C:\Windows\System\sQcxyts.exe
  2⤵
  PID:10836
- C:\Windows\System\MRNskln.exe
  C:\Windows\System\MRNskln.exe
  2⤵
  PID:10892
- C:\Windows\System\CiOGXCn.exe
  C:\Windows\System\CiOGXCn.exe
  2⤵
  PID:11156
- C:\Windows\System\zAdIfUi.exe
  C:\Windows\System\zAdIfUi.exe
  2⤵
  PID:10356
- C:\Windows\System\inMjLuk.exe
  C:\Windows\System\inMjLuk.exe
  2⤵
  PID:10368
- C:\Windows\System\ylpMTrW.exe
  C:\Windows\System\ylpMTrW.exe
  2⤵
  PID:10780
- C:\Windows\System\HJBTSVC.exe
  C:\Windows\System\HJBTSVC.exe
  2⤵
  PID:11064
- C:\Windows\System\xpvwuyw.exe
  C:\Windows\System\xpvwuyw.exe
  2⤵
  PID:10424
- C:\Windows\System\CHYTGzJ.exe
  C:\Windows\System\CHYTGzJ.exe
  2⤵
  PID:10692
- C:\Windows\System\XXbwYic.exe
  C:\Windows\System\XXbwYic.exe
  2⤵
  PID:10276
- C:\Windows\System\QVghuXo.exe
  C:\Windows\System\QVghuXo.exe
  2⤵
  PID:11200
- C:\Windows\System\oepxcUl.exe
  C:\Windows\System\oepxcUl.exe
  2⤵
  PID:2128
- C:\Windows\System\tJefDNq.exe
  C:\Windows\System\tJefDNq.exe
  2⤵
  PID:11296
- C:\Windows\System\ZULcnVB.exe
  C:\Windows\System\ZULcnVB.exe
  2⤵
  PID:11324
- C:\Windows\System\QcBhlYB.exe
  C:\Windows\System\QcBhlYB.exe
  2⤵
  PID:11376
- C:\Windows\System\XOxvoUi.exe
  C:\Windows\System\XOxvoUi.exe
  2⤵
  PID:11408
- C:\Windows\System\JOHNRag.exe
  C:\Windows\System\JOHNRag.exe
  2⤵
  PID:11440
- C:\Windows\System\xptEMWr.exe
  C:\Windows\System\xptEMWr.exe
  2⤵
  PID:11504
- C:\Windows\System\bPQlZbv.exe
  C:\Windows\System\bPQlZbv.exe
  2⤵
  PID:11524
- C:\Windows\System\sNcpWXL.exe
  C:\Windows\System\sNcpWXL.exe
  2⤵
  PID:11576
- C:\Windows\System\kEaZawD.exe
  C:\Windows\System\kEaZawD.exe
  2⤵
  PID:11604
- C:\Windows\System\aBDBlOa.exe
  C:\Windows\System\aBDBlOa.exe
  2⤵
  PID:11656
- C:\Windows\System\xeiUlzE.exe
  C:\Windows\System\xeiUlzE.exe
  2⤵
  PID:11684
- C:\Windows\System\jPKLHcL.exe
  C:\Windows\System\jPKLHcL.exe
  2⤵
  PID:11724
- C:\Windows\System\wpqguZc.exe
  C:\Windows\System\wpqguZc.exe
  2⤵
  PID:11764
- C:\Windows\System\nGjycgM.exe
  C:\Windows\System\nGjycgM.exe
  2⤵
  PID:11792
- C:\Windows\System\ZtETTfK.exe
  C:\Windows\System\ZtETTfK.exe
  2⤵
  PID:11844
- C:\Windows\System\dwYOszx.exe
  C:\Windows\System\dwYOszx.exe
  2⤵
  PID:11872
- C:\Windows\System\MhbSufK.exe
  C:\Windows\System\MhbSufK.exe
  2⤵
  PID:11912
- C:\Windows\System\yJpmUVu.exe
  C:\Windows\System\yJpmUVu.exe
  2⤵
  PID:11940
- C:\Windows\System\lJxndcs.exe
  C:\Windows\System\lJxndcs.exe
  2⤵
  PID:11980
- C:\Windows\System\xJpolvP.exe
  C:\Windows\System\xJpolvP.exe
  2⤵
  PID:12020
- C:\Windows\System\GCDCGGW.exe
  C:\Windows\System\GCDCGGW.exe
  2⤵
  PID:12060
- C:\Windows\System\qPZkzgV.exe
  C:\Windows\System\qPZkzgV.exe
  2⤵
  PID:12100
- C:\Windows\System\uIrDcmN.exe
  C:\Windows\System\uIrDcmN.exe
  2⤵
  PID:12140
- C:\Windows\System\SlRsGxZ.exe
  C:\Windows\System\SlRsGxZ.exe
  2⤵
  PID:12180
- C:\Windows\System\vogvqLC.exe
  C:\Windows\System\vogvqLC.exe
  2⤵
  PID:12232
- C:\Windows\System\TspHXDP.exe
  C:\Windows\System\TspHXDP.exe
  2⤵
  PID:12260
- C:\Windows\System\olEElcz.exe
  C:\Windows\System\olEElcz.exe
  2⤵
  PID:10672
- C:\Windows\System\rHqZBrg.exe
  C:\Windows\System\rHqZBrg.exe
  2⤵
  PID:11308
- C:\Windows\System\nOnEZkX.exe
  C:\Windows\System\nOnEZkX.exe
  2⤵
  PID:11348
- C:\Windows\System\ALOgChy.exe
  C:\Windows\System\ALOgChy.exe
  2⤵
  PID:11436
- C:\Windows\System\HhPWfam.exe
  C:\Windows\System\HhPWfam.exe
  2⤵
  PID:11396
- C:\Windows\System\RFhYkRN.exe
  C:\Windows\System\RFhYkRN.exe
  2⤵
  PID:11540
- C:\Windows\System\AmwoNXy.exe
  C:\Windows\System\AmwoNXy.exe
  2⤵
  PID:11584
- C:\Windows\System\BiASViV.exe
  C:\Windows\System\BiASViV.exe
  2⤵
  PID:11636
- C:\Windows\System\KtsBDTM.exe
  C:\Windows\System\KtsBDTM.exe
  2⤵
  PID:11708
- C:\Windows\System\vHkbCyv.exe
  C:\Windows\System\vHkbCyv.exe
  2⤵
  PID:11748
- C:\Windows\System\EAajNgj.exe
  C:\Windows\System\EAajNgj.exe
  2⤵
  PID:11832
- C:\Windows\System\xDSTAyU.exe
  C:\Windows\System\xDSTAyU.exe
  2⤵
  PID:11896
- C:\Windows\System\GCwpXdM.exe
  C:\Windows\System\GCwpXdM.exe
  2⤵
  PID:11964
- C:\Windows\System\vwGxvRp.exe
  C:\Windows\System\vwGxvRp.exe
  2⤵
  PID:12096
- C:\Windows\System\ibNtyUz.exe
  C:\Windows\System\ibNtyUz.exe
  2⤵
  PID:12132
- C:\Windows\System\zcEDEtZ.exe
  C:\Windows\System\zcEDEtZ.exe
  2⤵
  PID:12196
- C:\Windows\System\VGdNAXf.exe
  C:\Windows\System\VGdNAXf.exe
  2⤵
  PID:12280
- C:\Windows\System\MWNUUEU.exe
  C:\Windows\System\MWNUUEU.exe
  2⤵
  PID:11364
- C:\Windows\System\FJnGrQo.exe
  C:\Windows\System\FJnGrQo.exe
  2⤵
  PID:11552
- C:\Windows\System\FJtQJzq.exe
  C:\Windows\System\FJtQJzq.exe
  2⤵
  PID:11628
- C:\Windows\System\lBMabrl.exe
  C:\Windows\System\lBMabrl.exe
  2⤵
  PID:11720
- C:\Windows\System\SyQHXrk.exe
  C:\Windows\System\SyQHXrk.exe
  2⤵
  PID:11816
- C:\Windows\System\lLwiZqN.exe
  C:\Windows\System\lLwiZqN.exe
  2⤵
  PID:11884
- C:\Windows\System\sdrhoxE.exe
  C:\Windows\System\sdrhoxE.exe
  2⤵
  PID:11992
- C:\Windows\System\QbpEgRj.exe
  C:\Windows\System\QbpEgRj.exe
  2⤵
  PID:12016
- C:\Windows\System\CMesLrX.exe
  C:\Windows\System\CMesLrX.exe
  2⤵
  PID:12120
- C:\Windows\System\AJKxeui.exe
  C:\Windows\System\AJKxeui.exe
  2⤵
  PID:12244
- C:\Windows\System\tUKdnLW.exe
  C:\Windows\System\tUKdnLW.exe
  2⤵
  PID:11292
- C:\Windows\System\mWdFRgd.exe
  C:\Windows\System\mWdFRgd.exe
  2⤵
  PID:11496
- C:\Windows\System\pxzGiur.exe
  C:\Windows\System\pxzGiur.exe
  2⤵
  PID:11696
- C:\Windows\System\NWDsXzy.exe
  C:\Windows\System\NWDsXzy.exe
  2⤵
  PID:11828
- C:\Windows\System\dPPvdrP.exe
  C:\Windows\System\dPPvdrP.exe
  2⤵
  PID:12052
- C:\Windows\System\BkorsAG.exe
  C:\Windows\System\BkorsAG.exe
  2⤵
  PID:12212
- C:\Windows\System\QFjadrX.exe
  C:\Windows\System\QFjadrX.exe
  2⤵
  PID:11464
- C:\Windows\System\lLfIoZL.exe
  C:\Windows\System\lLfIoZL.exe
  2⤵
  PID:2040
- C:\Windows\System\xYXRIcG.exe
  C:\Windows\System\xYXRIcG.exe
  2⤵
  PID:11812
- C:\Windows\System\mrjiUNy.exe
  C:\Windows\System\mrjiUNy.exe
  2⤵
  PID:12164
- C:\Windows\System\EjlhzDg.exe
  C:\Windows\System\EjlhzDg.exe
  2⤵
  PID:1848
- C:\Windows\System\YIBfZYm.exe
  C:\Windows\System\YIBfZYm.exe
  2⤵
  PID:11252
- C:\Windows\System\CXnZWJw.exe
  C:\Windows\System\CXnZWJw.exe
  2⤵
  PID:2152
- C:\Windows\System\PrhrSxU.exe
  C:\Windows\System\PrhrSxU.exe
  2⤵
  PID:12316
- C:\Windows\System\nQZYtWY.exe
  C:\Windows\System\nQZYtWY.exe
  2⤵
  PID:12344
- C:\Windows\System\VtEnOUU.exe
  C:\Windows\System\VtEnOUU.exe
  2⤵
  PID:12372
- C:\Windows\System\xJfvUQY.exe
  C:\Windows\System\xJfvUQY.exe
  2⤵
  PID:12404
- C:\Windows\System\XWDHzCe.exe
  C:\Windows\System\XWDHzCe.exe
  2⤵
  PID:12436
- C:\Windows\System\AaBKHOc.exe
  C:\Windows\System\AaBKHOc.exe
  2⤵
  PID:12468
- C:\Windows\System\QJhntBo.exe
  C:\Windows\System\QJhntBo.exe
  2⤵
  PID:12496
- C:\Windows\System\QKuoTFJ.exe
  C:\Windows\System\QKuoTFJ.exe
  2⤵
  PID:12528
- C:\Windows\System\jatZaNC.exe
  C:\Windows\System\jatZaNC.exe
  2⤵
  PID:12560
- C:\Windows\System\IGlbnoF.exe
  C:\Windows\System\IGlbnoF.exe
  2⤵
  PID:12592
- C:\Windows\System\ZNgdWpZ.exe
  C:\Windows\System\ZNgdWpZ.exe
  2⤵
  PID:12620
- C:\Windows\System\kLTbbMf.exe
  C:\Windows\System\kLTbbMf.exe
  2⤵
  PID:12652
- C:\Windows\System\ZdvOIWQ.exe
  C:\Windows\System\ZdvOIWQ.exe
  2⤵
  PID:12680
- C:\Windows\System\QoMOGPF.exe
  C:\Windows\System\QoMOGPF.exe
  2⤵
  PID:12708
- C:\Windows\System\SciWkfn.exe
  C:\Windows\System\SciWkfn.exe
  2⤵
  PID:12744
- C:\Windows\System\DvNeOZW.exe
  C:\Windows\System\DvNeOZW.exe
  2⤵
  PID:12772
- C:\Windows\System\ygFaBDO.exe
  C:\Windows\System\ygFaBDO.exe
  2⤵
  PID:12808
- C:\Windows\System\idoXUAV.exe
  C:\Windows\System\idoXUAV.exe
  2⤵
  PID:12836
- C:\Windows\System\phfgCyu.exe
  C:\Windows\System\phfgCyu.exe
  2⤵
  PID:12864
- C:\Windows\System\IbSZpTN.exe
  C:\Windows\System\IbSZpTN.exe
  2⤵
  PID:12900
- C:\Windows\System\eHdeDQW.exe
  C:\Windows\System\eHdeDQW.exe
  2⤵
  PID:12928
- C:\Windows\System\xrLncjT.exe
  C:\Windows\System\xrLncjT.exe
  2⤵
  PID:12960
- C:\Windows\System\UxZNeyp.exe
  C:\Windows\System\UxZNeyp.exe
  2⤵
  PID:12988
- C:\Windows\System\PGTzwKK.exe
  C:\Windows\System\PGTzwKK.exe
  2⤵
  PID:13020
- C:\Windows\System\HkqsIYA.exe
  C:\Windows\System\HkqsIYA.exe
  2⤵
  PID:13048
- C:\Windows\System\emuDtRb.exe
  C:\Windows\System\emuDtRb.exe
  2⤵
  PID:13076
- C:\Windows\System\oPGmVve.exe
  C:\Windows\System\oPGmVve.exe
  2⤵
  PID:13104
- C:\Windows\System\uScPmKP.exe
  C:\Windows\System\uScPmKP.exe
  2⤵
  PID:13132
- C:\Windows\System\vwPxdOD.exe
  C:\Windows\System\vwPxdOD.exe
  2⤵
  PID:13160
- C:\Windows\System\AUsuYKP.exe
  C:\Windows\System\AUsuYKP.exe
  2⤵
  PID:13188
- C:\Windows\System\PdFxtyq.exe
  C:\Windows\System\PdFxtyq.exe
  2⤵
  PID:13216
- C:\Windows\System\jsvjJCA.exe
  C:\Windows\System\jsvjJCA.exe
  2⤵
  PID:13248
- C:\Windows\System\gemvNvx.exe
  C:\Windows\System\gemvNvx.exe
  2⤵
  PID:13276
- C:\Windows\System\MiMvqpL.exe
  C:\Windows\System\MiMvqpL.exe
  2⤵
  PID:13304
- C:\Windows\System\chxrNpd.exe
  C:\Windows\System\chxrNpd.exe
  2⤵
  PID:12340
- C:\Windows\System\XbUyWdR.exe
  C:\Windows\System\XbUyWdR.exe
  2⤵
  PID:12400

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_efxhiqiv.hr0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BCcZRWQ.exe

Filesize
2.8MB

MD5
3dbfcff55575aeeb3304ed5137c9c231

SHA1
5a8e83503fbf955f0473299887ec42350a01ca02

SHA256
2e492784c22f4ffecb43d9f25755b706b8a2094448d472f2443d91f47eb370ab

SHA512
963bc0e95be954525bfb558766c155bea8a6643f98bf8ef148ddff17a70603647e9fd27a683f39590e2e53a630cffe8c79aaabae26b956d4276b510640163ca8

Download Submit
C:\Windows\System\CVaoGVk.exe

Filesize
2.8MB

MD5
4f3e0e446895ff47232c7b454c2b051b

SHA1
6a8a9a3bbe98fc6f91a81b37b9dc1f9e599a9198

SHA256
2da25bb5c7c10d2b3098f218ebfaaf6fbee76b5be9b8f3908942647e5546c93a

SHA512
ceedd7bb841aec58e33e9da48267eb91bedcfb46637bd051cb4e5250ad9558d448a723384277b63337ad0688205ca315eaf77bd88cbaca13f16bc4c8e00c7920

Download Submit
C:\Windows\System\ECIqgIm.exe

Filesize
2.8MB

MD5
563e6a482058e1ceebda9d365edc359a

SHA1
37422297ed21103bb51ecc993163f6f98eed1d1a

SHA256
dc2c776fb32183d10cefe1c5c74dc2e9ec74538871efaa70addc36e3b7b4f385

SHA512
2881ee302a0bf71e037636c0c1c77726d3bc7c39accca8c84b872c2a369d20ebd042d90bdfd19356f67faed27696af62cf1a8dd5e2b1cc077408efc1eed09c5c

Download Submit
C:\Windows\System\EjDfBcK.exe

Filesize
2.8MB

MD5
61f1f9f973d87f402e7de7e04338172d

SHA1
7d6c27d0c3fd3abc7ee6cd5a66db98108c8429a5

SHA256
dd008b1297fa0d7106cf335fbe0177f8c127cd171a2ad8cc3d24a7afdfefea6b

SHA512
611bdb2831a1b3139b982aaa6e49cee627d21bef8d3c81b2387a4e297aa98eb13ca8908d98f74748e5bd76f429799435061bedaf551951427b07bc2082f47e46

Download Submit
C:\Windows\System\ErWlCIy.exe

Filesize
2.8MB

MD5
b1b97f7b235ac3c36abe90cbc526a2ca

SHA1
a505aaa9090f9ef47f6ffb4a1921af3c875d5238

SHA256
c063ab94f59f95c7f24a42bae13637a62431a43219c06e43e6fd917fe5943ac2

SHA512
04130eb61259f0c42f134bbafa87cbed37decf4cef5786c0d4366efef435f6f12dd99e93eff61221fb5ecb4bcdbda4798a21f5575676843a1747739bfecf8227

Download Submit
C:\Windows\System\JEDBocX.exe

Filesize
2.8MB

MD5
922f0466b8a4ad669da865ac6be8fd2f

SHA1
3bf84402d2edf3819d797fc1b2a96d9df5d98a0d

SHA256
2e4c183f3e0421678442a686168e8640a88ebf0e55fcd5511c447883f78a94af

SHA512
998b98006b56af2874900b4ba0cdec2d7ceab350a210ec96ede7db2302a1c541fba1732520802a4829bdec549689b864482c81e632825b7e97041f567624cc19

Download Submit
C:\Windows\System\JaUotTT.exe

Filesize
2.8MB

MD5
25a19001fc398704de511f19cee0364a

SHA1
1c23196bfaeb4734f9e5d485a65f0fcb226e7798

SHA256
a8bfae12237750a4469efc730831caf872bff6cadf2fc26ac68fa81aa4a438d1

SHA512
42957783e7abd405b6936f17d7656e65ce936246acffe4dbf35379bcfed8a6663d57e49171f96c42534afb4b493eecc3259ae5134fd8cfe35106a6a42a6b42a2

Download Submit
C:\Windows\System\JbYtEfg.exe

Filesize
2.8MB

MD5
4f52a77561cc45560867dc13dfbd276e

SHA1
cfb98112225e5627b3135474610f204e13303c27

SHA256
ae0b1a4155828eb0c959445bf62bd0542a87ea9984ca34fef32b37a3b83952ef

SHA512
d3347b574832a929c83d0f5209289800ac858a08aa9d8c71007ac53672ef8ff269367a33c4f4ee89397a7bdbcf77e24a11ccfa60e1076c7b375e06f77d9c58ed

Download Submit
C:\Windows\System\LayKGCw.exe

Filesize
2.8MB

MD5
72d2c2f88cd2e892361d17ecad870e19

SHA1
d2fb8c0598fb9408b6269026a38c36aab1ec4405

SHA256
47c07677caa2fb7b69ca53e417432bddfbccfd8423b7100591822f4946d82ec1

SHA512
54af670801e94113b6f93b650c3adb7fdd10057ca82a57264570c73abd07a26ff6270e95fb493c068c134fb6457bce2c3c2bbdbaf9a5de3a996656fd1ee3b7f2

Download Submit
C:\Windows\System\MBYfIrW.exe

Filesize
2.8MB

MD5
9e3986c29402342727c9350e190f1a84

SHA1
c8a555cf902e66045f634cd16b4e91e68d93312c

SHA256
6dffcd5dddf12ad1a262de6278bd8e36d26418f9b03a218ff292bf880050b3f6

SHA512
f8b0be7c8aec409dbf3aaea68625f35739cd52a72bdfb94880c2e8e73ab8cdf0ae64533214d4a8567c0e9ae78be5031d390ad9af36bbf5a995e01fb34b76e9f9

Download Submit
C:\Windows\System\NCsrPCU.exe

Filesize
2.8MB

MD5
ec172a34a5443d6c61025de87b6cdbeb

SHA1
4093b7da375f3d10ebf3f782e44368b1404b3c0d

SHA256
2b9f43becea5a1c01cd9b445d32298dc5484881715ee33e8d6cc6bbe922942ce

SHA512
1b43e070143364b801bc9420f5a429051a7f62ac959be80ed434c329bcde3e43eec850c6d5461b0e0276eee8e47134f78c97df5258060743b1d1f33bb0b0dc3c

Download Submit
C:\Windows\System\OtmhkJS.exe

Filesize
2.8MB

MD5
e03a03b906f6aef44eb792e231fcb41a

SHA1
23434f7915a1d25f6b1ee85df0927c16307e65dc

SHA256
23afd158382bdb43ada2536ab4007e3ab7f0c14e2c0d097b9e1f9ff35215e8c0

SHA512
b5aee860312874a9fdd4554a1ac2c73274f9cdea8bbbd71f621b9a0e11f3c2e99645a3446bd3bd9330bdc882eabdb7d1281f26b727467cdc8ae29ff491134a35

Download Submit
C:\Windows\System\PImZCau.exe

Filesize
2.8MB

MD5
aa1ad04b709163b50700d25e094b05ec

SHA1
88f34a7bc2e3723a26c55c8a6516fb5143e8c5a2

SHA256
56900222469ff5b0f696fa2de83a1b8b5f8985f581b6ed8a5a82d301ac8d2952

SHA512
d8a4068674625fe1472aad8da9eceb4f205d4aa69abb4ff823c3a1da16d0f31e70951f51c7725deaa4da35ba31fae7abeea4b1e2d46938600147b98c33ae6d33

Download Submit
C:\Windows\System\PXGugVF.exe

Filesize
2.8MB

MD5
d56f2260aa92c93521f1c824d7d95f25

SHA1
9224a4ad97bb6419e092b1a8fcb894af824af6f0

SHA256
4e1349fe91930ca54bc72cc084e1e114a5e5b702883c62d0ad5ecbb8b2be0970

SHA512
dc19a572cfd0fa62fdd1c8bff0c2f45afd028751d71dd69651b105a93ff85085f572a5c79af82afaaff7a04c8f640c09be34313dfe630b609e0b1ee18a2c162b

Download Submit
C:\Windows\System\QPRITGh.exe

Filesize
2.8MB

MD5
e0bd470f93e1a5751e09730b529a244d

SHA1
ab8f31d4284fb702f2c1fe873e3a42b92b564c2d

SHA256
5032c121a09411e5366509b3a026e3608cffd8262958784e57c2e4ed51f29889

SHA512
4f99a6283117c66e5c504cca1fbe24a42cacae4f6aef0037e42bfe17334976ecd15c4be6fd274283df260006ea4fec029448e4e3fa76c080958e79140c860a20

Download Submit
C:\Windows\System\QpIOklb.exe

Filesize
2.8MB

MD5
58f3dd0c843d0f1644d0d45b88d7d673

SHA1
cf622d85ab5f110c1b0f2a5ca80bb9f88e8a0a4b

SHA256
044ea8170cfc694554b80a823978d4ff416b3586ca9253efd4385e5e53981e23

SHA512
999feb5846325f0ece4cb8d9aeef8a063738550998813045f7b402f774b9e033410cfab584d3c6a2a5730dd6be119c0ab8c3be818709a2938638d8eff85a6468

Download Submit
C:\Windows\System\RGyGUmN.exe

Filesize
2.8MB

MD5
a2fcd3d68e9553f3d695ec9c98f2c4f3

SHA1
64209d14aaae098c6c074e13f1287de5f125eaf4

SHA256
ef42a738f580da319ba9ae0b32d46296d75a3bf56801d6274d7bcb95a014ee02

SHA512
667be5fd60ed82348a40869895f42bbe5b5a8b742a2c25123e96350decaaad46d41fdaaa79f941b4a1a296011128963819d8b27aadd429afc026bcc9641d445e

Download Submit
C:\Windows\System\SiZCfjV.exe

Filesize
2.8MB

MD5
816db86b98d4a6a3f65c6cc6b4576571

SHA1
efde5a624e7966b22d460632fcf87114f54399d6

SHA256
8083a8240c6253ea20d75d38f397c5a899b8cc0c4cb895847e57b6d9846c1f0f

SHA512
20cf7208755c674ca2e7c84d5e396ef93fcb9cd04faf264f465f6a1ec8843e7964b3e09e4b4d9740c013eabe4cdb1e4bef76add9567825ebe98386dbafd1bbb2

Download Submit
C:\Windows\System\TFrgVzZ.exe

Filesize
2.8MB

MD5
9d82e055c0e828c3b785b76dd84747d0

SHA1
304cd49cc0e575ebf0fe668fd206dbe66ef66994

SHA256
9c214fbcdc9e48b4976d8ffc42769e9bffa90bb28e7de202cfbe989182588f97

SHA512
b54425279d87a883703c1470be8f19fc8ca7d40f4ac3230c504bbd7d17ee37be6187088e814dd3aae57c9d6ebeee7c137465f37c3cd44736fd70734352a0c6b0

Download Submit
C:\Windows\System\WYaTmzo.exe

Filesize
2.8MB

MD5
db981373b0ab49cb3ba08182ce031519

SHA1
994f7461cb02850d5c5b28b6e6bb833427810939

SHA256
ed24376580f788f1183bc767f8c5fd250d64766de97f923b9a1d995c67030822

SHA512
ca0d5d4991e2fd2608f83b0bdd228f72273adfe1ce5880f7fa8d5dda2aed3406c34d442f892981d2557a2bc91767303bdf10efbfe4e8d1fedc541d6ec66a178c

Download Submit
C:\Windows\System\XSFSUZj.exe

Filesize
2.8MB

MD5
ed8088d0cc499489dc517998f4b19201

SHA1
aa5e867707cc588b4fdca2354f8fa57f5898e4b4

SHA256
ff41206c5110bad5bf1e992c5a3e07bbc64f95958527ac13a1c9b2e2479b87d4

SHA512
9c994a4033151b86c741fc3ea7b6cbb0a947be746bc41e333de9760e5ca8cab2869a3f96cbbf605643a6a3d75e0e9a914338e095f5cb2aa0b58ad50265b2e5a3

Download Submit
C:\Windows\System\XXuukGi.exe

Filesize
2.8MB

MD5
16f2bb1b1e675f5ab139ae98dbc05576

SHA1
0cd6e8ddc4a27e9eca5688257912bc2bf6e72342

SHA256
b4aceb205804bdaca0c46f1d8e81393f4dbfaf335b1b2091adc48e4c665a2f61

SHA512
b4e2dccfea0c39ef74f8b3e2a65e24dc4d2399b471390c47b09829f0164c848b9cb91ba404df210a7c0f83150605c42c93d7b1c4815206cade1550690b68feb6

Download Submit
C:\Windows\System\YAQzFKV.exe

Filesize
2.8MB

MD5
100ebec629eff26bdfeaf1bd962f733a

SHA1
e87f94b2a65cd00d320340679cc7bdab0beaafe9

SHA256
75a42ba3690b02db14858e1e5185b79940832f35ae63e1fcfd10789f94fdc311

SHA512
99fbb9126a201c51f2348527adf49f372d815653f826e25ba35276800b9743e6e66410e88e513c144a28540a19c6c54150e0b86899b101a135735de86e756502

Download Submit
C:\Windows\System\YunotFO.exe

Filesize
2.8MB

MD5
34609dcafa728e129fe435b314547f98

SHA1
5d89e8bd282ee15d75d0e890b657afb03c0a9e3e

SHA256
47f5311c7a4a725aa2b936ded93ce04adf2661b933d3d053fb68476ce4a21557

SHA512
2a0147abc30e3b7ab045340d93e4fe7865ba96d9f7302960fb87117788e631ae02a788ac5afbe0a206044b61965467f0b1c26953af6a0fde5633d18847daee44

Download Submit
C:\Windows\System\dGDPHdR.exe

Filesize
2.8MB

MD5
dce3edd4f42a33d5a211d1c6bb8cd383

SHA1
868cc0897f343f2c71e2722e6b5e2307501c3255

SHA256
fd68e7cf266515a5bec880914c92ef20ec3ff1b20d322dff4bf45229ff1eebc9

SHA512
ca58897dbe5ab3787c8d4c54fe241cb8188b30f8243b7aed1c078fd182e4e55b4685c820bdd714a4de4b6b5648024272eb3e282ac5ccd3985f0979b9dbce8499

Download Submit
C:\Windows\System\eyDWXwi.exe

Filesize
8B

MD5
d3dbf6105c6ce63c2d7cf7c729b7aaea

SHA1
f34363f0111e3859fffbd8ecb149220cf87853b4

SHA256
9fc01d283c802ddbc177a6226fadb26c9798b14f0e0538cad54f14dc64f2a76c

SHA512
1c59832449955cb1bffd5a654dd77af612af4eb66c975479552874dcea4e749572058a7fb15c8cbf7730d1a12d1358113bb6087ff6d352e7672f281ac4973677

Download Submit
C:\Windows\System\fymKlwf.exe

Filesize
2.8MB

MD5
42904adb1fdf8ce9bda8d4846b916216

SHA1
4e90aeb2ff00ab980b451441620f0b09f0b31b88

SHA256
842e5f443fd26760bae0e44f3d8843b8141c173ffbd72a30430971e6cdd97b81

SHA512
004c8e8b715894880b1e5e267e3a52b80e1669b359c14182dcf49cbc8c579b3a90c47938968ac09bc098693f604f9a35e2465213c6b994f806e13d68c513ed47

Download Submit
C:\Windows\System\hdbjhRO.exe

Filesize
2.8MB

MD5
9b04b41cec177e7faac5f59287df4505

SHA1
df42686fd2a2268133cacb1e67680dfa49db2402

SHA256
a55d8cd8b4294c2ef92337129529b6f3722034c582406db145ad11e954e859d7

SHA512
3e1eac4fbf081de5da2c1c2e5489c9700125744c52a8924082be83984d32b5795d33cf49b362b048c6f0d7a867ee0497fe8fe2fa928824531ab8e91b5dda33b6

Download Submit
C:\Windows\System\khQoeeg.exe

Filesize
2.8MB

MD5
83624ddbb77913475b182a9df2959577

SHA1
a235395e248968eac03a4866d4b2585e42d7ce6b

SHA256
575d9ffef43279f65f8196637f9d78921a0df95973e9a898a10c1ed4e5a3675a

SHA512
913c6c5bd9c8b153c46216d427aa3d190d12df8d80896892dbb8fdfbd390ab481d27c5ce0b996b15684554a61726b88e3126e7cf6504e41185ddd8f5e60607d2

Download Submit
C:\Windows\System\mGRrWQN.exe

Filesize
2.8MB

MD5
7f2adfec3a1bcf16ac538aa512792ade

SHA1
e109c31dfeac9769312566b31472a95892a97be0

SHA256
5b5c0d3ab0d2b567b073e293fab0d89cb28025cf981a3b1c23622cded4e7abdd

SHA512
fcfc0ba2133fe1f22ed5ce7d0230118942d7c4868cbc1ede61b9b856b34dd6acf26155601f5adb4978a6c8df975359830e30657dc3a999f950cc30082c63bbbd

Download Submit
C:\Windows\System\okNnrHk.exe

Filesize
2.8MB

MD5
4d46c25f45c690999a1d916df34a90f7

SHA1
afaf0288c3fee57344919cc12260c5ccd357a8f7

SHA256
570a7104ad66915da53c7f5c4eb3f93f465fe0f193aad867827cf5d7892a5905

SHA512
0c0a15a23408b5b42b566cb8a7312b54d97bf8d17174f5b3e5335fd9bf46453195f4d911fbd8f496c8afdc7a41a015947fa45aa039b037f1f5fe4a15ee02a63c

Download Submit
C:\Windows\System\pZadfXN.exe

Filesize
2.8MB

MD5
52d73218e4a46f8595d55b00f0715890

SHA1
83f4dc5039673a494339f48197399e17c7231425

SHA256
2fd8bed920e81c35cddd14b6a3e6e303d5b1178ea9de045b5bb64f3f3ce5da29

SHA512
d16db7af0906e6ffb6301669dd0879b01cf475d03340421d4e1e983485b9fd6add392d1d2082e8e896209dfe81661347b41c9587a7ddaf850d61d21ad77c4622

Download Submit
C:\Windows\System\peaYhIk.exe

Filesize
2.8MB

MD5
e59ab3dd23f44f2fa20ca334b387064d

SHA1
d411f1278f3507a87916a290ea3525177564fe85

SHA256
f55a8bf76cc443d9440806591c7211b9732a3dbbe88beb58bb683b24dcbae041

SHA512
cf2e5720cf8de98f9b81d44ab1348f46be447c0ad3bf39ff7d31aecc6f5253b4044ff2420ab7a61405e3e07bfad88fbf6239f58e64c96cd3f1930a91669a36ac

Download Submit
C:\Windows\System\snfmiuq.exe

Filesize
2.8MB

MD5
0e333253c3cdfd6ce96820c8e4e7d892

SHA1
fb6991acd900ad4f7d6bcba1ef2c1d6f85d0ee0f

SHA256
5ce74fefa190bcc6eb46834efb515aa0879ed1a589bd43af8f5fcc919e48cb81

SHA512
d4e365577b7931fc839e26a3d269b5815af5e5a6dafe1eb9819d466537302586f3b054dbc1c183a0e4c0a0702aea7eb5ccefd7b4fa0b75c568616f23a4ac7cb3

Download Submit
memory/1032-480-0x00007FF69FF70000-0x00007FF6A0366000-memory.dmp

Filesize
4.0MB

Download
memory/1032-2186-0x00007FF69FF70000-0x00007FF6A0366000-memory.dmp

Filesize
4.0MB

Download
memory/1140-479-0x00000202E99B0000-0x00000202EA156000-memory.dmp

Filesize
7.6MB

Download
memory/1140-5-0x00007FFF63B63000-0x00007FFF63B65000-memory.dmp

Filesize
8KB

Download
memory/1140-73-0x00000202CEB70000-0x00000202CEB92000-memory.dmp

Filesize
136KB

Download
memory/1140-41-0x00007FFF63B60000-0x00007FFF64621000-memory.dmp

Filesize
10.8MB

Download
memory/1140-31-0x00007FFF63B60000-0x00007FFF64621000-memory.dmp

Filesize
10.8MB

Download
memory/1140-2178-0x00007FFF63B63000-0x00007FFF63B65000-memory.dmp

Filesize
8KB

Download
memory/1140-2177-0x00007FFF63B60000-0x00007FFF64621000-memory.dmp

Filesize
10.8MB

Download
memory/1216-0-0x00007FF611020000-0x00007FF611416000-memory.dmp

Filesize
4.0MB

Download
memory/1216-1-0x0000013A250F0000-0x0000013A25100000-memory.dmp

Filesize
64KB

Download
memory/1228-549-0x00007FF76B580000-0x00007FF76B976000-memory.dmp

Filesize
4.0MB

Download
memory/1228-2179-0x00007FF76B580000-0x00007FF76B976000-memory.dmp

Filesize
4.0MB

Download
memory/1256-553-0x00007FF74E9C0000-0x00007FF74EDB6000-memory.dmp

Filesize
4.0MB

Download
memory/1256-2183-0x00007FF74E9C0000-0x00007FF74EDB6000-memory.dmp

Filesize
4.0MB

Download
memory/1596-526-0x00007FF6722C0000-0x00007FF6726B6000-memory.dmp

Filesize
4.0MB

Download
memory/1596-2197-0x00007FF6722C0000-0x00007FF6726B6000-memory.dmp

Filesize
4.0MB

Download
memory/2424-513-0x00007FF794120000-0x00007FF794516000-memory.dmp

Filesize
4.0MB

Download
memory/2424-2199-0x00007FF794120000-0x00007FF794516000-memory.dmp

Filesize
4.0MB

Download
memory/2652-46-0x00007FF6D6A20000-0x00007FF6D6E16000-memory.dmp

Filesize
4.0MB

Download
memory/2652-2182-0x00007FF6D6A20000-0x00007FF6D6E16000-memory.dmp

Filesize
4.0MB

Download
memory/2712-497-0x00007FF6745B0000-0x00007FF6749A6000-memory.dmp

Filesize
4.0MB

Download
memory/2712-2192-0x00007FF6745B0000-0x00007FF6749A6000-memory.dmp

Filesize
4.0MB

Download
memory/2736-2180-0x00007FF6731B0000-0x00007FF6735A6000-memory.dmp

Filesize
4.0MB

Download
memory/2736-56-0x00007FF6731B0000-0x00007FF6735A6000-memory.dmp

Filesize
4.0MB

Download
memory/2956-2202-0x00007FF76F270000-0x00007FF76F666000-memory.dmp

Filesize
4.0MB

Download
memory/2956-543-0x00007FF76F270000-0x00007FF76F666000-memory.dmp

Filesize
4.0MB

Download
memory/3076-484-0x00007FF7B3BE0000-0x00007FF7B3FD6000-memory.dmp

Filesize
4.0MB

Download
memory/3076-2190-0x00007FF7B3BE0000-0x00007FF7B3FD6000-memory.dmp

Filesize
4.0MB

Download
memory/3448-2194-0x00007FF644080000-0x00007FF644476000-memory.dmp

Filesize
4.0MB

Download
memory/3448-505-0x00007FF644080000-0x00007FF644476000-memory.dmp

Filesize
4.0MB

Download
memory/3496-2200-0x00007FF639A30000-0x00007FF639E26000-memory.dmp

Filesize
4.0MB

Download
memory/3496-540-0x00007FF639A30000-0x00007FF639E26000-memory.dmp

Filesize
4.0MB

Download
memory/3536-2185-0x00007FF7465B0000-0x00007FF7469A6000-memory.dmp

Filesize
4.0MB

Download
memory/3536-478-0x00007FF7465B0000-0x00007FF7469A6000-memory.dmp

Filesize
4.0MB

Download
memory/3704-2191-0x00007FF605160000-0x00007FF605556000-memory.dmp

Filesize
4.0MB

Download
memory/3704-487-0x00007FF605160000-0x00007FF605556000-memory.dmp

Filesize
4.0MB

Download
memory/3848-531-0x00007FF7DEF60000-0x00007FF7DF356000-memory.dmp

Filesize
4.0MB

Download
memory/3848-2201-0x00007FF7DEF60000-0x00007FF7DF356000-memory.dmp

Filesize
4.0MB

Download
memory/3872-2196-0x00007FF7DBC50000-0x00007FF7DC046000-memory.dmp

Filesize
4.0MB

Download
memory/3872-529-0x00007FF7DBC50000-0x00007FF7DC046000-memory.dmp

Filesize
4.0MB

Download
memory/4072-502-0x00007FF747FE0000-0x00007FF7483D6000-memory.dmp

Filesize
4.0MB

Download
memory/4072-2193-0x00007FF747FE0000-0x00007FF7483D6000-memory.dmp

Filesize
4.0MB

Download
memory/4176-567-0x00007FF6A42B0000-0x00007FF6A46A6000-memory.dmp

Filesize
4.0MB

Download
memory/4176-2188-0x00007FF6A42B0000-0x00007FF6A46A6000-memory.dmp

Filesize
4.0MB

Download
memory/4260-2195-0x00007FF6F0E30000-0x00007FF6F1226000-memory.dmp

Filesize
4.0MB

Download
memory/4260-508-0x00007FF6F0E30000-0x00007FF6F1226000-memory.dmp

Filesize
4.0MB

Download
memory/4704-475-0x00007FF6D6B60000-0x00007FF6D6F56000-memory.dmp

Filesize
4.0MB

Download
memory/4704-2184-0x00007FF6D6B60000-0x00007FF6D6F56000-memory.dmp

Filesize
4.0MB

Download
memory/4740-572-0x00007FF741420000-0x00007FF741816000-memory.dmp

Filesize
4.0MB

Download
memory/4740-2189-0x00007FF741420000-0x00007FF741816000-memory.dmp

Filesize
4.0MB

Download
memory/4756-2187-0x00007FF7EE6E0000-0x00007FF7EEAD6000-memory.dmp

Filesize
4.0MB

Download
memory/4756-563-0x00007FF7EE6E0000-0x00007FF7EEAD6000-memory.dmp

Filesize
4.0MB

Download
memory/4844-2181-0x00007FF7DD230000-0x00007FF7DD626000-memory.dmp

Filesize
4.0MB

Download
memory/4844-469-0x00007FF7DD230000-0x00007FF7DD626000-memory.dmp

Filesize
4.0MB

Download
memory/5096-519-0x00007FF7D7580000-0x00007FF7D7976000-memory.dmp

Filesize
4.0MB

Download
memory/5096-2198-0x00007FF7D7580000-0x00007FF7D7976000-memory.dmp

Filesize
4.0MB

Download