xmrig | 34f5e47cc52d8105966a0cab76326f0586dccd2811178d7bba43d097d86d919e

Analysis

max time kernel
120s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
Size

3.3MB
MD5

ac6c8fe7d3501ec1464b842a590ee0c0
SHA1

db024b1453ccf0f2fa88cb69676f6c5064c0f8d3
SHA256

34f5e47cc52d8105966a0cab76326f0586dccd2811178d7bba43d097d86d919e
SHA512

b76ea512ee9a63c52a38b314855a3b1c1c88f2a6fef76d391a6cbcc3df6e5ffe9f9b654575afc9bcc75ec18bc5653c0f0e240edceaca71c424c5790ece2c9311
SSDEEP

98304:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrWk:SbBeSFko

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4880-0-0x00007FF7794C0000-0x00007FF7798B6000-memory.dmp	xmrig
C:\Windows\System\saJimWi.exe	xmrig
C:\Windows\System\kzKRApL.exe	xmrig
C:\Windows\System\zooexLY.exe	xmrig
C:\Windows\System\PcHCRio.exe	xmrig
C:\Windows\System\icHFuYa.exe	xmrig
behavioral2/memory/5016-45-0x00007FF658360000-0x00007FF658756000-memory.dmp	xmrig
C:\Windows\System\MqOgPal.exe	xmrig
behavioral2/memory/4448-55-0x00007FF73FB90000-0x00007FF73FF86000-memory.dmp	xmrig
C:\Windows\System\XZfpItD.exe	xmrig
behavioral2/memory/1020-62-0x00007FF7444C0000-0x00007FF7448B6000-memory.dmp	xmrig
behavioral2/memory/3636-72-0x00007FF6E6F70000-0x00007FF6E7366000-memory.dmp	xmrig
behavioral2/memory/4952-73-0x00007FF734CA0000-0x00007FF735096000-memory.dmp	xmrig
C:\Windows\System\iaZCLcK.exe	xmrig
C:\Windows\System\WpKEEyx.exe	xmrig
behavioral2/memory/1620-63-0x00007FF616F40000-0x00007FF617336000-memory.dmp	xmrig
behavioral2/memory/1756-59-0x00007FF787A30000-0x00007FF787E26000-memory.dmp	xmrig
behavioral2/memory/3916-53-0x00007FF6E36A0000-0x00007FF6E3A96000-memory.dmp	xmrig
behavioral2/memory/3104-48-0x00007FF6CF0A0000-0x00007FF6CF496000-memory.dmp	xmrig
C:\Windows\System\RJARLYx.exe	xmrig
behavioral2/memory/4252-40-0x00007FF777410000-0x00007FF777806000-memory.dmp	xmrig
C:\Windows\System\JvaucBt.exe	xmrig
C:\Windows\System\SHCRzil.exe	xmrig
C:\Windows\System\dYTnvFW.exe	xmrig
behavioral2/memory/2316-90-0x00007FF74C0B0000-0x00007FF74C4A6000-memory.dmp	xmrig
behavioral2/memory/2164-87-0x00007FF695C20000-0x00007FF696016000-memory.dmp	xmrig
behavioral2/memory/1124-98-0x00007FF69FD60000-0x00007FF6A0156000-memory.dmp	xmrig
C:\Windows\System\XiQjgEF.exe	xmrig
C:\Windows\System\tFnKFyZ.exe	xmrig
C:\Windows\System\AVvrpJg.exe	xmrig
C:\Windows\System\ZwooOyF.exe	xmrig
C:\Windows\System\ZTRsQUJ.exe	xmrig
C:\Windows\System\FFDfhoh.exe	xmrig
C:\Windows\System\IgLTGnz.exe	xmrig
behavioral2/memory/3508-391-0x00007FF76AFB0000-0x00007FF76B3A6000-memory.dmp	xmrig
behavioral2/memory/4540-392-0x00007FF648290000-0x00007FF648686000-memory.dmp	xmrig
behavioral2/memory/4368-395-0x00007FF6E7610000-0x00007FF6E7A06000-memory.dmp	xmrig
behavioral2/memory/1624-397-0x00007FF639080000-0x00007FF639476000-memory.dmp	xmrig
behavioral2/memory/1768-398-0x00007FF66EC50000-0x00007FF66F046000-memory.dmp	xmrig
behavioral2/memory/1620-400-0x00007FF616F40000-0x00007FF617336000-memory.dmp	xmrig
behavioral2/memory/2640-399-0x00007FF744620000-0x00007FF744A16000-memory.dmp	xmrig
behavioral2/memory/880-396-0x00007FF673D30000-0x00007FF674126000-memory.dmp	xmrig
behavioral2/memory/3812-394-0x00007FF7B48C0000-0x00007FF7B4CB6000-memory.dmp	xmrig
behavioral2/memory/4964-393-0x00007FF67D930000-0x00007FF67DD26000-memory.dmp	xmrig
behavioral2/memory/3636-759-0x00007FF6E6F70000-0x00007FF6E7366000-memory.dmp	xmrig
behavioral2/memory/4952-1449-0x00007FF734CA0000-0x00007FF735096000-memory.dmp	xmrig
behavioral2/memory/2164-1453-0x00007FF695C20000-0x00007FF696016000-memory.dmp	xmrig
C:\Windows\System\HFymncb.exe	xmrig
C:\Windows\System\bwHAGDN.exe	xmrig
C:\Windows\System\eSOrdaB.exe	xmrig
C:\Windows\System\dBAidil.exe	xmrig
C:\Windows\System\ecRYxQK.exe	xmrig
C:\Windows\System\IDYaHgv.exe	xmrig
C:\Windows\System\rzVERDu.exe	xmrig
C:\Windows\System\VhqZZMy.exe	xmrig
C:\Windows\System\rSHLovx.exe	xmrig
C:\Windows\System\qXkRoql.exe	xmrig
C:\Windows\System\BleAcoF.exe	xmrig
C:\Windows\System\MltVYoC.exe	xmrig
C:\Windows\System\uwQlNPC.exe	xmrig
behavioral2/memory/3264-111-0x00007FF64A8C0000-0x00007FF64ACB6000-memory.dmp	xmrig
behavioral2/memory/4880-104-0x00007FF7794C0000-0x00007FF7798B6000-memory.dmp	xmrig
behavioral2/memory/1080-99-0x00007FF68E3A0000-0x00007FF68E796000-memory.dmp	xmrig
behavioral2/memory/1080-2214-0x00007FF68E3A0000-0x00007FF68E796000-memory.dmp	xmrig

Blocklisted process makes network request 7 IoCs

Processes:

powershell.exe

flow	pid	process
8	2148	powershell.exe
10	2148	powershell.exe
21	2148	powershell.exe
22	2148	powershell.exe
23	2148	powershell.exe
37	2148	powershell.exe
38	2148	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2148 powershell.exe

pid	process
2148	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

saJimWi.exezooexLY.exekzKRApL.exePcHCRio.exeRJARLYx.exeicHFuYa.exeMqOgPal.exeXZfpItD.exeWpKEEyx.exeiaZCLcK.exeJvaucBt.exeSHCRzil.exedYTnvFW.exeXiQjgEF.exetFnKFyZ.exeuwQlNPC.exeAVvrpJg.exeMltVYoC.exeZwooOyF.exeBleAcoF.exeqXkRoql.exeZTRsQUJ.exerSHLovx.exeFFDfhoh.exeVhqZZMy.exerzVERDu.exeIDYaHgv.exeecRYxQK.exeIgLTGnz.exedBAidil.exeeSOrdaB.exebwHAGDN.exeHFymncb.exemyrMZQU.exesWvDOCO.exeJbsWzNj.exexnGTvsG.exejqpjpDN.exeeLfMIjO.exekIJitWx.exedChHsib.exetPddjmt.exeroVmFDj.exedAVGDXq.exeBFlQUFF.exeUtXlCnp.exeeSgDQby.exeqSIctwJ.exeWhYBeZM.exexRjLCWD.exeaxdDLqe.exewyvCdmE.exeOUEAdRz.exeVjaqrWf.exeJLruyMi.exeHOzHLWe.exeGfjuoDF.exexFGDGCZ.exeNLASkoK.exeSbeyNLs.exeFKAfYxc.exeWLrUUhc.exeHQOtwQJ.exeniesMki.exe

pid	process
3104	saJimWi.exe
4252	zooexLY.exe
3916	kzKRApL.exe
5016	PcHCRio.exe
4448	RJARLYx.exe
1756	icHFuYa.exe
1020	MqOgPal.exe
1620	XZfpItD.exe
3636	WpKEEyx.exe
4952	iaZCLcK.exe
2164	JvaucBt.exe
2316	SHCRzil.exe
1124	dYTnvFW.exe
1080	XiQjgEF.exe
3264	tFnKFyZ.exe
3508	uwQlNPC.exe
2640	AVvrpJg.exe
4540	MltVYoC.exe
4964	ZwooOyF.exe
3812	BleAcoF.exe
4368	qXkRoql.exe
880	ZTRsQUJ.exe
1624	rSHLovx.exe
1768	FFDfhoh.exe
3052	VhqZZMy.exe
2248	rzVERDu.exe
4688	IDYaHgv.exe
1816	ecRYxQK.exe
4676	IgLTGnz.exe
2880	dBAidil.exe
2276	eSOrdaB.exe
1636	bwHAGDN.exe
2840	HFymncb.exe
3332	myrMZQU.exe
4980	sWvDOCO.exe
4628	JbsWzNj.exe
860	xnGTvsG.exe
4340	jqpjpDN.exe
3116	eLfMIjO.exe
3612	kIJitWx.exe
1616	dChHsib.exe
1268	tPddjmt.exe
4812	roVmFDj.exe
1684	dAVGDXq.exe
4280	BFlQUFF.exe
3860	UtXlCnp.exe
2232	eSgDQby.exe
2672	qSIctwJ.exe
1096	WhYBeZM.exe
1492	xRjLCWD.exe
2740	axdDLqe.exe
500	wyvCdmE.exe
3384	OUEAdRz.exe
3640	VjaqrWf.exe
1036	JLruyMi.exe
3432	HOzHLWe.exe
4816	GfjuoDF.exe
3720	xFGDGCZ.exe
4348	NLASkoK.exe
4848	SbeyNLs.exe
4440	FKAfYxc.exe
2416	WLrUUhc.exe
1312	HQOtwQJ.exe
4432	niesMki.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4880-0-0x00007FF7794C0000-0x00007FF7798B6000-memory.dmp	upx
C:\Windows\System\saJimWi.exe	upx
C:\Windows\System\kzKRApL.exe	upx
C:\Windows\System\zooexLY.exe	upx
C:\Windows\System\PcHCRio.exe	upx
C:\Windows\System\icHFuYa.exe	upx
behavioral2/memory/5016-45-0x00007FF658360000-0x00007FF658756000-memory.dmp	upx
C:\Windows\System\MqOgPal.exe	upx
behavioral2/memory/4448-55-0x00007FF73FB90000-0x00007FF73FF86000-memory.dmp	upx
C:\Windows\System\XZfpItD.exe	upx
behavioral2/memory/1020-62-0x00007FF7444C0000-0x00007FF7448B6000-memory.dmp	upx
behavioral2/memory/3636-72-0x00007FF6E6F70000-0x00007FF6E7366000-memory.dmp	upx
behavioral2/memory/4952-73-0x00007FF734CA0000-0x00007FF735096000-memory.dmp	upx
C:\Windows\System\iaZCLcK.exe	upx
C:\Windows\System\WpKEEyx.exe	upx
behavioral2/memory/1620-63-0x00007FF616F40000-0x00007FF617336000-memory.dmp	upx
behavioral2/memory/1756-59-0x00007FF787A30000-0x00007FF787E26000-memory.dmp	upx
behavioral2/memory/3916-53-0x00007FF6E36A0000-0x00007FF6E3A96000-memory.dmp	upx
behavioral2/memory/3104-48-0x00007FF6CF0A0000-0x00007FF6CF496000-memory.dmp	upx
C:\Windows\System\RJARLYx.exe	upx
behavioral2/memory/4252-40-0x00007FF777410000-0x00007FF777806000-memory.dmp	upx
C:\Windows\System\JvaucBt.exe	upx
C:\Windows\System\SHCRzil.exe	upx
C:\Windows\System\dYTnvFW.exe	upx
behavioral2/memory/2316-90-0x00007FF74C0B0000-0x00007FF74C4A6000-memory.dmp	upx
behavioral2/memory/2164-87-0x00007FF695C20000-0x00007FF696016000-memory.dmp	upx
behavioral2/memory/1124-98-0x00007FF69FD60000-0x00007FF6A0156000-memory.dmp	upx
C:\Windows\System\XiQjgEF.exe	upx
C:\Windows\System\tFnKFyZ.exe	upx
C:\Windows\System\AVvrpJg.exe	upx
C:\Windows\System\ZwooOyF.exe	upx
C:\Windows\System\ZTRsQUJ.exe	upx
C:\Windows\System\FFDfhoh.exe	upx
C:\Windows\System\IgLTGnz.exe	upx
behavioral2/memory/3508-391-0x00007FF76AFB0000-0x00007FF76B3A6000-memory.dmp	upx
behavioral2/memory/4540-392-0x00007FF648290000-0x00007FF648686000-memory.dmp	upx
behavioral2/memory/4368-395-0x00007FF6E7610000-0x00007FF6E7A06000-memory.dmp	upx
behavioral2/memory/1624-397-0x00007FF639080000-0x00007FF639476000-memory.dmp	upx
behavioral2/memory/1768-398-0x00007FF66EC50000-0x00007FF66F046000-memory.dmp	upx
behavioral2/memory/1620-400-0x00007FF616F40000-0x00007FF617336000-memory.dmp	upx
behavioral2/memory/2640-399-0x00007FF744620000-0x00007FF744A16000-memory.dmp	upx
behavioral2/memory/880-396-0x00007FF673D30000-0x00007FF674126000-memory.dmp	upx
behavioral2/memory/3812-394-0x00007FF7B48C0000-0x00007FF7B4CB6000-memory.dmp	upx
behavioral2/memory/4964-393-0x00007FF67D930000-0x00007FF67DD26000-memory.dmp	upx
behavioral2/memory/3636-759-0x00007FF6E6F70000-0x00007FF6E7366000-memory.dmp	upx
behavioral2/memory/4952-1449-0x00007FF734CA0000-0x00007FF735096000-memory.dmp	upx
behavioral2/memory/2164-1453-0x00007FF695C20000-0x00007FF696016000-memory.dmp	upx
C:\Windows\System\HFymncb.exe	upx
C:\Windows\System\bwHAGDN.exe	upx
C:\Windows\System\eSOrdaB.exe	upx
C:\Windows\System\dBAidil.exe	upx
C:\Windows\System\ecRYxQK.exe	upx
C:\Windows\System\IDYaHgv.exe	upx
C:\Windows\System\rzVERDu.exe	upx
C:\Windows\System\VhqZZMy.exe	upx
C:\Windows\System\rSHLovx.exe	upx
C:\Windows\System\qXkRoql.exe	upx
C:\Windows\System\BleAcoF.exe	upx
C:\Windows\System\MltVYoC.exe	upx
C:\Windows\System\uwQlNPC.exe	upx
behavioral2/memory/3264-111-0x00007FF64A8C0000-0x00007FF64ACB6000-memory.dmp	upx
behavioral2/memory/4880-104-0x00007FF7794C0000-0x00007FF7798B6000-memory.dmp	upx
behavioral2/memory/1080-99-0x00007FF68E3A0000-0x00007FF68E796000-memory.dmp	upx
behavioral2/memory/1080-2214-0x00007FF68E3A0000-0x00007FF68E796000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 raw.githubusercontent.com
8 raw.githubusercontent.com

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

Processes:

ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\DOHAaGz.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\tgxlYme.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\cgoqQhm.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\rOVPNLR.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\IDYaHgv.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\zdAZpyx.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\wrKnIXc.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\JtQlIen.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\MWpodCz.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\MwYrDJF.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\pLxAiKR.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\QocbNFr.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\BUDywho.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\PdWUDbK.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\LpJXTLe.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\CmDwyZt.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\vVqkAyb.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\tOCnIyO.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\axdDLqe.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\ZjKErFv.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\suCPyFm.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\gtPmFSe.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\OriKwQr.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\qnepLwb.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\UtXlCnp.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\yNpRkuI.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\pfZvmGb.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\aYfelrb.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\EHLacNC.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\KueGKrq.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\nJEfzBL.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\AzVfCpj.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\zJlmdNI.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\KlmNlRp.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\tjaGylH.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\tqsdfBc.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\WogFBXg.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\tYpiTEB.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\UqZtYvS.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\IgzwmGG.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\WLrUUhc.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\Bfxtglq.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\hZROfeO.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\wgaDNpn.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\DeTYyhF.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\MqHEOJR.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\LPaEFjJ.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\CoJycLt.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\NQpuChJ.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\rUQMJKg.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\eAFxyoK.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\CdSGGLD.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\VjaqrWf.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\UceGOZu.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\seZevYR.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\uPKqVwx.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\VGYNDnA.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\exVCLPe.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\Jrqtfah.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\icHFuYa.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\DeYaCvB.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\XEFpsSR.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\kIJitWx.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
File created	C:\Windows\System\mdxIafr.exe	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2148 powershell.exe
2148 powershell.exe

pid	process
2148	powershell.exe
2148	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exepowershell.exedwm.exe

description	pid	process
Token: SeLockMemoryPrivilege	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeLockMemoryPrivilege	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	14300	dwm.exe
Token: SeChangeNotifyPrivilege	14300	dwm.exe
Token: 33	14300	dwm.exe
Token: SeIncBasePriorityPrivilege	14300	dwm.exe
Token: SeShutdownPrivilege	14300	dwm.exe
Token: SeCreatePagefilePrivilege	14300	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe

description	pid	process	target process
PID 4880 wrote to memory of 2148	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	powershell.exe
PID 4880 wrote to memory of 2148	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	powershell.exe
PID 4880 wrote to memory of 3104	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	saJimWi.exe
PID 4880 wrote to memory of 3104	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	saJimWi.exe
PID 4880 wrote to memory of 4252	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	zooexLY.exe
PID 4880 wrote to memory of 4252	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	zooexLY.exe
PID 4880 wrote to memory of 3916	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	kzKRApL.exe
PID 4880 wrote to memory of 3916	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	kzKRApL.exe
PID 4880 wrote to memory of 5016	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	PcHCRio.exe
PID 4880 wrote to memory of 5016	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	PcHCRio.exe
PID 4880 wrote to memory of 4448	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	RJARLYx.exe
PID 4880 wrote to memory of 4448	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	RJARLYx.exe
PID 4880 wrote to memory of 1756	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	icHFuYa.exe
PID 4880 wrote to memory of 1756	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	icHFuYa.exe
PID 4880 wrote to memory of 1020	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	MqOgPal.exe
PID 4880 wrote to memory of 1020	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	MqOgPal.exe
PID 4880 wrote to memory of 1620	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	XZfpItD.exe
PID 4880 wrote to memory of 1620	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	XZfpItD.exe
PID 4880 wrote to memory of 3636	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	WpKEEyx.exe
PID 4880 wrote to memory of 3636	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	WpKEEyx.exe
PID 4880 wrote to memory of 4952	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	iaZCLcK.exe
PID 4880 wrote to memory of 4952	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	iaZCLcK.exe
PID 4880 wrote to memory of 2164	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	JvaucBt.exe
PID 4880 wrote to memory of 2164	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	JvaucBt.exe
PID 4880 wrote to memory of 2316	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	SHCRzil.exe
PID 4880 wrote to memory of 2316	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	SHCRzil.exe
PID 4880 wrote to memory of 1124	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	dYTnvFW.exe
PID 4880 wrote to memory of 1124	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	dYTnvFW.exe
PID 4880 wrote to memory of 1080	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	XiQjgEF.exe
PID 4880 wrote to memory of 1080	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	XiQjgEF.exe
PID 4880 wrote to memory of 3264	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	tFnKFyZ.exe
PID 4880 wrote to memory of 3264	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	tFnKFyZ.exe
PID 4880 wrote to memory of 3508	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	uwQlNPC.exe
PID 4880 wrote to memory of 3508	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	uwQlNPC.exe
PID 4880 wrote to memory of 2640	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	AVvrpJg.exe
PID 4880 wrote to memory of 2640	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	AVvrpJg.exe
PID 4880 wrote to memory of 4540	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	MltVYoC.exe
PID 4880 wrote to memory of 4540	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	MltVYoC.exe
PID 4880 wrote to memory of 4964	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	ZwooOyF.exe
PID 4880 wrote to memory of 4964	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	ZwooOyF.exe
PID 4880 wrote to memory of 3812	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	BleAcoF.exe
PID 4880 wrote to memory of 3812	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	BleAcoF.exe
PID 4880 wrote to memory of 4368	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	qXkRoql.exe
PID 4880 wrote to memory of 4368	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	qXkRoql.exe
PID 4880 wrote to memory of 880	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	ZTRsQUJ.exe
PID 4880 wrote to memory of 880	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	ZTRsQUJ.exe
PID 4880 wrote to memory of 1624	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	rSHLovx.exe
PID 4880 wrote to memory of 1624	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	rSHLovx.exe
PID 4880 wrote to memory of 1768	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	FFDfhoh.exe
PID 4880 wrote to memory of 1768	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	FFDfhoh.exe
PID 4880 wrote to memory of 3052	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	VhqZZMy.exe
PID 4880 wrote to memory of 3052	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	VhqZZMy.exe
PID 4880 wrote to memory of 2248	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	rzVERDu.exe
PID 4880 wrote to memory of 2248	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	rzVERDu.exe
PID 4880 wrote to memory of 4688	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	IDYaHgv.exe
PID 4880 wrote to memory of 4688	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	IDYaHgv.exe
PID 4880 wrote to memory of 1816	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	ecRYxQK.exe
PID 4880 wrote to memory of 1816	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	ecRYxQK.exe
PID 4880 wrote to memory of 4676	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	IgLTGnz.exe
PID 4880 wrote to memory of 4676	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	IgLTGnz.exe
PID 4880 wrote to memory of 2880	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	dBAidil.exe
PID 4880 wrote to memory of 2880	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	dBAidil.exe
PID 4880 wrote to memory of 2276	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	eSOrdaB.exe
PID 4880 wrote to memory of 2276	4880	ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe	eSOrdaB.exe

C:\Users\Admin\AppData\Local\Temp\ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ac6c8fe7d3501ec1464b842a590ee0c0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System\saJimWi.exe
C:\Windows\System\saJimWi.exe
2⤵
- Executes dropped EXE
PID:3104

C:\Windows\System\zooexLY.exe
C:\Windows\System\zooexLY.exe
2⤵
- Executes dropped EXE
PID:4252

C:\Windows\System\kzKRApL.exe
C:\Windows\System\kzKRApL.exe
2⤵
- Executes dropped EXE
PID:3916

C:\Windows\System\PcHCRio.exe
C:\Windows\System\PcHCRio.exe
2⤵
- Executes dropped EXE
PID:5016

C:\Windows\System\RJARLYx.exe
C:\Windows\System\RJARLYx.exe
2⤵
- Executes dropped EXE
PID:4448

C:\Windows\System\icHFuYa.exe
C:\Windows\System\icHFuYa.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Windows\System\MqOgPal.exe
C:\Windows\System\MqOgPal.exe
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\System\XZfpItD.exe
C:\Windows\System\XZfpItD.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\System\WpKEEyx.exe
C:\Windows\System\WpKEEyx.exe
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\System\iaZCLcK.exe
C:\Windows\System\iaZCLcK.exe
2⤵
- Executes dropped EXE
PID:4952

C:\Windows\System\JvaucBt.exe
C:\Windows\System\JvaucBt.exe
2⤵
- Executes dropped EXE
PID:2164

C:\Windows\System\SHCRzil.exe
C:\Windows\System\SHCRzil.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\System\dYTnvFW.exe
C:\Windows\System\dYTnvFW.exe
2⤵
- Executes dropped EXE
PID:1124

C:\Windows\System\XiQjgEF.exe
C:\Windows\System\XiQjgEF.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\System\tFnKFyZ.exe
C:\Windows\System\tFnKFyZ.exe
2⤵
- Executes dropped EXE
PID:3264

C:\Windows\System\uwQlNPC.exe
C:\Windows\System\uwQlNPC.exe
2⤵
- Executes dropped EXE
PID:3508

C:\Windows\System\AVvrpJg.exe
C:\Windows\System\AVvrpJg.exe
2⤵
- Executes dropped EXE
PID:2640

C:\Windows\System\MltVYoC.exe
C:\Windows\System\MltVYoC.exe
2⤵
- Executes dropped EXE
PID:4540

C:\Windows\System\ZwooOyF.exe
C:\Windows\System\ZwooOyF.exe
2⤵
- Executes dropped EXE
PID:4964

C:\Windows\System\BleAcoF.exe
C:\Windows\System\BleAcoF.exe
2⤵
- Executes dropped EXE
PID:3812

C:\Windows\System\qXkRoql.exe
C:\Windows\System\qXkRoql.exe
2⤵
- Executes dropped EXE
PID:4368

C:\Windows\System\ZTRsQUJ.exe
C:\Windows\System\ZTRsQUJ.exe
2⤵
- Executes dropped EXE
PID:880

C:\Windows\System\rSHLovx.exe
C:\Windows\System\rSHLovx.exe
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\System\FFDfhoh.exe
C:\Windows\System\FFDfhoh.exe
2⤵
- Executes dropped EXE
PID:1768

C:\Windows\System\VhqZZMy.exe
C:\Windows\System\VhqZZMy.exe
2⤵
- Executes dropped EXE
PID:3052

C:\Windows\System\rzVERDu.exe
C:\Windows\System\rzVERDu.exe
2⤵
- Executes dropped EXE
PID:2248

C:\Windows\System\IDYaHgv.exe
C:\Windows\System\IDYaHgv.exe
2⤵
- Executes dropped EXE
PID:4688

C:\Windows\System\ecRYxQK.exe
C:\Windows\System\ecRYxQK.exe
2⤵
- Executes dropped EXE
PID:1816

C:\Windows\System\IgLTGnz.exe
C:\Windows\System\IgLTGnz.exe
2⤵
- Executes dropped EXE
PID:4676

C:\Windows\System\dBAidil.exe
C:\Windows\System\dBAidil.exe
2⤵
- Executes dropped EXE
PID:2880

C:\Windows\System\eSOrdaB.exe
C:\Windows\System\eSOrdaB.exe
2⤵
- Executes dropped EXE
PID:2276

C:\Windows\System\bwHAGDN.exe
C:\Windows\System\bwHAGDN.exe
2⤵
- Executes dropped EXE
PID:1636

C:\Windows\System\HFymncb.exe
C:\Windows\System\HFymncb.exe
2⤵
- Executes dropped EXE
PID:2840

C:\Windows\System\myrMZQU.exe
C:\Windows\System\myrMZQU.exe
2⤵
- Executes dropped EXE
PID:3332

C:\Windows\System\sWvDOCO.exe
C:\Windows\System\sWvDOCO.exe
2⤵
- Executes dropped EXE
PID:4980

C:\Windows\System\JbsWzNj.exe
C:\Windows\System\JbsWzNj.exe
2⤵
- Executes dropped EXE
PID:4628

C:\Windows\System\xnGTvsG.exe
C:\Windows\System\xnGTvsG.exe
2⤵
- Executes dropped EXE
PID:860

C:\Windows\System\jqpjpDN.exe
C:\Windows\System\jqpjpDN.exe
2⤵
- Executes dropped EXE
PID:4340

C:\Windows\System\eLfMIjO.exe
C:\Windows\System\eLfMIjO.exe
2⤵
- Executes dropped EXE
PID:3116

C:\Windows\System\kIJitWx.exe
C:\Windows\System\kIJitWx.exe
2⤵
- Executes dropped EXE
PID:3612

C:\Windows\System\dChHsib.exe
C:\Windows\System\dChHsib.exe
2⤵
- Executes dropped EXE
PID:1616

C:\Windows\System\tPddjmt.exe
C:\Windows\System\tPddjmt.exe
2⤵
- Executes dropped EXE
PID:1268

C:\Windows\System\roVmFDj.exe
C:\Windows\System\roVmFDj.exe
2⤵
- Executes dropped EXE
PID:4812

C:\Windows\System\dAVGDXq.exe
C:\Windows\System\dAVGDXq.exe
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\System\BFlQUFF.exe
C:\Windows\System\BFlQUFF.exe
2⤵
- Executes dropped EXE
PID:4280

C:\Windows\System\UtXlCnp.exe
C:\Windows\System\UtXlCnp.exe
2⤵
- Executes dropped EXE
PID:3860

C:\Windows\System\eSgDQby.exe
C:\Windows\System\eSgDQby.exe
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\System\qSIctwJ.exe
C:\Windows\System\qSIctwJ.exe
2⤵
- Executes dropped EXE
PID:2672

C:\Windows\System\WhYBeZM.exe
C:\Windows\System\WhYBeZM.exe
2⤵
- Executes dropped EXE
PID:1096

C:\Windows\System\xRjLCWD.exe
C:\Windows\System\xRjLCWD.exe
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\System\axdDLqe.exe
C:\Windows\System\axdDLqe.exe
2⤵
- Executes dropped EXE
PID:2740

C:\Windows\System\wyvCdmE.exe
C:\Windows\System\wyvCdmE.exe
2⤵
- Executes dropped EXE
PID:500

C:\Windows\System\OUEAdRz.exe
C:\Windows\System\OUEAdRz.exe
2⤵
- Executes dropped EXE
PID:3384

C:\Windows\System\VjaqrWf.exe
C:\Windows\System\VjaqrWf.exe
2⤵
- Executes dropped EXE
PID:3640

C:\Windows\System\JLruyMi.exe
C:\Windows\System\JLruyMi.exe
2⤵
- Executes dropped EXE
PID:1036

C:\Windows\System\HOzHLWe.exe
C:\Windows\System\HOzHLWe.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\System\GfjuoDF.exe
C:\Windows\System\GfjuoDF.exe
2⤵
- Executes dropped EXE
PID:4816

C:\Windows\System\xFGDGCZ.exe
C:\Windows\System\xFGDGCZ.exe
2⤵
- Executes dropped EXE
PID:3720

C:\Windows\System\NLASkoK.exe
C:\Windows\System\NLASkoK.exe
2⤵
- Executes dropped EXE
PID:4348

C:\Windows\System\SbeyNLs.exe
C:\Windows\System\SbeyNLs.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Windows\System\FKAfYxc.exe
C:\Windows\System\FKAfYxc.exe
2⤵
- Executes dropped EXE
PID:4440

C:\Windows\System\WLrUUhc.exe
C:\Windows\System\WLrUUhc.exe
2⤵
- Executes dropped EXE
PID:2416

C:\Windows\System\HQOtwQJ.exe
C:\Windows\System\HQOtwQJ.exe
2⤵
- Executes dropped EXE
PID:1312

C:\Windows\System\niesMki.exe
C:\Windows\System\niesMki.exe
2⤵
- Executes dropped EXE
PID:4432

C:\Windows\System\lbTqXTv.exe
C:\Windows\System\lbTqXTv.exe
2⤵
PID:5108

C:\Windows\System\MlRjuJl.exe
C:\Windows\System\MlRjuJl.exe
2⤵
PID:4968

C:\Windows\System\PWHhhMW.exe
C:\Windows\System\PWHhhMW.exe
2⤵
PID:4408

C:\Windows\System\IxEJwBl.exe
C:\Windows\System\IxEJwBl.exe
2⤵
PID:3420

C:\Windows\System\mdxIafr.exe
C:\Windows\System\mdxIafr.exe
2⤵
PID:4932

C:\Windows\System\TVrrSzD.exe
C:\Windows\System\TVrrSzD.exe
2⤵
PID:4452

C:\Windows\System\UmryemJ.exe
C:\Windows\System\UmryemJ.exe
2⤵
PID:5064

C:\Windows\System\KCrcxND.exe
C:\Windows\System\KCrcxND.exe
2⤵
PID:984

C:\Windows\System\ZbpOjAt.exe
C:\Windows\System\ZbpOjAt.exe
2⤵
PID:5144

C:\Windows\System\ThJgBAW.exe
C:\Windows\System\ThJgBAW.exe
2⤵
PID:5172

C:\Windows\System\XIugusq.exe
C:\Windows\System\XIugusq.exe
2⤵
PID:5200

C:\Windows\System\GXvshTt.exe
C:\Windows\System\GXvshTt.exe
2⤵
PID:5228

C:\Windows\System\TOKAxvl.exe
C:\Windows\System\TOKAxvl.exe
2⤵
PID:5256

C:\Windows\System\ZoznfgR.exe
C:\Windows\System\ZoznfgR.exe
2⤵
PID:5284

C:\Windows\System\RdSUCqL.exe
C:\Windows\System\RdSUCqL.exe
2⤵
PID:5312

C:\Windows\System\umVAIwb.exe
C:\Windows\System\umVAIwb.exe
2⤵
PID:5340

C:\Windows\System\pPXsFsE.exe
C:\Windows\System\pPXsFsE.exe
2⤵
PID:5364

C:\Windows\System\tYpiTEB.exe
C:\Windows\System\tYpiTEB.exe
2⤵
PID:5392

C:\Windows\System\JmzLXlT.exe
C:\Windows\System\JmzLXlT.exe
2⤵
PID:5424

C:\Windows\System\VBCtGeU.exe
C:\Windows\System\VBCtGeU.exe
2⤵
PID:5460

C:\Windows\System\xnoMsTM.exe
C:\Windows\System\xnoMsTM.exe
2⤵
PID:5488

C:\Windows\System\XJSqIlO.exe
C:\Windows\System\XJSqIlO.exe
2⤵
PID:5516

C:\Windows\System\AoBGsmK.exe
C:\Windows\System\AoBGsmK.exe
2⤵
PID:5536

C:\Windows\System\fIqavqb.exe
C:\Windows\System\fIqavqb.exe
2⤵
PID:5564

C:\Windows\System\WFnNZZj.exe
C:\Windows\System\WFnNZZj.exe
2⤵
PID:5592

C:\Windows\System\AohYeux.exe
C:\Windows\System\AohYeux.exe
2⤵
PID:5620

C:\Windows\System\KbdmgNv.exe
C:\Windows\System\KbdmgNv.exe
2⤵
PID:5648

C:\Windows\System\TSYQQsL.exe
C:\Windows\System\TSYQQsL.exe
2⤵
PID:5676

C:\Windows\System\iDqRJro.exe
C:\Windows\System\iDqRJro.exe
2⤵
PID:5704

C:\Windows\System\uYpnksh.exe
C:\Windows\System\uYpnksh.exe
2⤵
PID:5728

C:\Windows\System\DCWitvP.exe
C:\Windows\System\DCWitvP.exe
2⤵
PID:5756

C:\Windows\System\NffDWBn.exe
C:\Windows\System\NffDWBn.exe
2⤵
PID:5788

C:\Windows\System\zdAZpyx.exe
C:\Windows\System\zdAZpyx.exe
2⤵
PID:5816

C:\Windows\System\hgJAlEv.exe
C:\Windows\System\hgJAlEv.exe
2⤵
PID:5844

C:\Windows\System\UuNmZDz.exe
C:\Windows\System\UuNmZDz.exe
2⤵
PID:5872

C:\Windows\System\nHtHgEB.exe
C:\Windows\System\nHtHgEB.exe
2⤵
PID:5944

C:\Windows\System\NiCQtnd.exe
C:\Windows\System\NiCQtnd.exe
2⤵
PID:5972

C:\Windows\System\gbpvOQE.exe
C:\Windows\System\gbpvOQE.exe
2⤵
PID:6000

C:\Windows\System\UceGOZu.exe
C:\Windows\System\UceGOZu.exe
2⤵
PID:6028

C:\Windows\System\wrKnIXc.exe
C:\Windows\System\wrKnIXc.exe
2⤵
PID:6056

C:\Windows\System\qCuqnoX.exe
C:\Windows\System\qCuqnoX.exe
2⤵
PID:6084

C:\Windows\System\RMEcRtZ.exe
C:\Windows\System\RMEcRtZ.exe
2⤵
PID:6112

C:\Windows\System\AgtduZN.exe
C:\Windows\System\AgtduZN.exe
2⤵
PID:6140

C:\Windows\System\yNAhFvV.exe
C:\Windows\System\yNAhFvV.exe
2⤵
PID:4240

C:\Windows\System\ZjKErFv.exe
C:\Windows\System\ZjKErFv.exe
2⤵
PID:1972

C:\Windows\System\QAwRwqY.exe
C:\Windows\System\QAwRwqY.exe
2⤵
PID:3912

C:\Windows\System\qtvLGDl.exe
C:\Windows\System\qtvLGDl.exe
2⤵
PID:5156

C:\Windows\System\Bfxtglq.exe
C:\Windows\System\Bfxtglq.exe
2⤵
PID:5216

C:\Windows\System\PykHfNK.exe
C:\Windows\System\PykHfNK.exe
2⤵
PID:5276

C:\Windows\System\TpEQfIZ.exe
C:\Windows\System\TpEQfIZ.exe
2⤵
PID:5332

C:\Windows\System\EEWFOPv.exe
C:\Windows\System\EEWFOPv.exe
2⤵
PID:4324

C:\Windows\System\tqsdfBc.exe
C:\Windows\System\tqsdfBc.exe
2⤵
PID:5444

C:\Windows\System\crvAUqr.exe
C:\Windows\System\crvAUqr.exe
2⤵
PID:5512

C:\Windows\System\gVcTtXS.exe
C:\Windows\System\gVcTtXS.exe
2⤵
PID:2300

C:\Windows\System\AatVCRT.exe
C:\Windows\System\AatVCRT.exe
2⤵
PID:5636

C:\Windows\System\eaMBUqi.exe
C:\Windows\System\eaMBUqi.exe
2⤵
PID:5692

C:\Windows\System\pBiHYPu.exe
C:\Windows\System\pBiHYPu.exe
2⤵
PID:5744

C:\Windows\System\txSHbdh.exe
C:\Windows\System\txSHbdh.exe
2⤵
PID:3728

C:\Windows\System\zVdHpNC.exe
C:\Windows\System\zVdHpNC.exe
2⤵
PID:5856

C:\Windows\System\JugWPFg.exe
C:\Windows\System\JugWPFg.exe
2⤵
PID:4944

C:\Windows\System\lSsMeDU.exe
C:\Windows\System\lSsMeDU.exe
2⤵
PID:5932

C:\Windows\System\oojZqKo.exe
C:\Windows\System\oojZqKo.exe
2⤵
PID:5984

C:\Windows\System\fEmiRSE.exe
C:\Windows\System\fEmiRSE.exe
2⤵
PID:6124

C:\Windows\System\APBIohs.exe
C:\Windows\System\APBIohs.exe
2⤵
PID:4552

C:\Windows\System\asynhGy.exe
C:\Windows\System\asynhGy.exe
2⤵
PID:4608

C:\Windows\System\MwweMfb.exe
C:\Windows\System\MwweMfb.exe
2⤵
PID:5188

C:\Windows\System\syrjKHh.exe
C:\Windows\System\syrjKHh.exe
2⤵
PID:2956

C:\Windows\System\amCkiBo.exe
C:\Windows\System\amCkiBo.exe
2⤵
PID:5556

C:\Windows\System\JORGUPS.exe
C:\Windows\System\JORGUPS.exe
2⤵
PID:5720

C:\Windows\System\VGEahYT.exe
C:\Windows\System\VGEahYT.exe
2⤵
PID:5800

C:\Windows\System\PuEQogt.exe
C:\Windows\System\PuEQogt.exe
2⤵
PID:3940

C:\Windows\System\rRGomNE.exe
C:\Windows\System\rRGomNE.exe
2⤵
PID:4164

C:\Windows\System\UxwiWds.exe
C:\Windows\System\UxwiWds.exe
2⤵
PID:4680

C:\Windows\System\KxQMDMz.exe
C:\Windows\System\KxQMDMz.exe
2⤵
PID:6100

C:\Windows\System\iIFJnGM.exe
C:\Windows\System\iIFJnGM.exe
2⤵
PID:1092

C:\Windows\System\RSRAyuE.exe
C:\Windows\System\RSRAyuE.exe
2⤵
PID:3540

C:\Windows\System\sJkAXYW.exe
C:\Windows\System\sJkAXYW.exe
2⤵
PID:5380

C:\Windows\System\AtXIdyz.exe
C:\Windows\System\AtXIdyz.exe
2⤵
PID:4272

C:\Windows\System\dYmUJfQ.exe
C:\Windows\System\dYmUJfQ.exe
2⤵
PID:1040

C:\Windows\System\UyRCzhg.exe
C:\Windows\System\UyRCzhg.exe
2⤵
PID:1232

C:\Windows\System\fojkTgA.exe
C:\Windows\System\fojkTgA.exe
2⤵
PID:4048

C:\Windows\System\UowqWkl.exe
C:\Windows\System\UowqWkl.exe
2⤵
PID:2024

C:\Windows\System\XNNQwUj.exe
C:\Windows\System\XNNQwUj.exe
2⤵
PID:4420

C:\Windows\System\OwAmhed.exe
C:\Windows\System\OwAmhed.exe
2⤵
PID:3796

C:\Windows\System\bprCXfl.exe
C:\Windows\System\bprCXfl.exe
2⤵
PID:5552

C:\Windows\System\KTIJuYW.exe
C:\Windows\System\KTIJuYW.exe
2⤵
PID:2684

C:\Windows\System\CaBBeyP.exe
C:\Windows\System\CaBBeyP.exe
2⤵
PID:5000

C:\Windows\System\AUdourD.exe
C:\Windows\System\AUdourD.exe
2⤵
PID:1516

C:\Windows\System\rYNeAYD.exe
C:\Windows\System\rYNeAYD.exe
2⤵
PID:4484

C:\Windows\System\seZevYR.exe
C:\Windows\System\seZevYR.exe
2⤵
PID:6164

C:\Windows\System\yNpRkuI.exe
C:\Windows\System\yNpRkuI.exe
2⤵
PID:6192

C:\Windows\System\ZvAcCNa.exe
C:\Windows\System\ZvAcCNa.exe
2⤵
PID:6224

C:\Windows\System\LAoJFuH.exe
C:\Windows\System\LAoJFuH.exe
2⤵
PID:6252

C:\Windows\System\ijIVaEJ.exe
C:\Windows\System\ijIVaEJ.exe
2⤵
PID:6280

C:\Windows\System\gGHNQyc.exe
C:\Windows\System\gGHNQyc.exe
2⤵
PID:6312

C:\Windows\System\pLxAiKR.exe
C:\Windows\System\pLxAiKR.exe
2⤵
PID:6352

C:\Windows\System\cWsMsKm.exe
C:\Windows\System\cWsMsKm.exe
2⤵
PID:6384

C:\Windows\System\VseTEcM.exe
C:\Windows\System\VseTEcM.exe
2⤵
PID:6412

C:\Windows\System\KnbwAQt.exe
C:\Windows\System\KnbwAQt.exe
2⤵
PID:6444

C:\Windows\System\VcUZPJi.exe
C:\Windows\System\VcUZPJi.exe
2⤵
PID:6472

C:\Windows\System\PSOvDeA.exe
C:\Windows\System\PSOvDeA.exe
2⤵
PID:6496

C:\Windows\System\yQPsSOd.exe
C:\Windows\System\yQPsSOd.exe
2⤵
PID:6524

C:\Windows\System\GmmkzaR.exe
C:\Windows\System\GmmkzaR.exe
2⤵
PID:6560

C:\Windows\System\uevPDJQ.exe
C:\Windows\System\uevPDJQ.exe
2⤵
PID:6588

C:\Windows\System\rREOIfO.exe
C:\Windows\System\rREOIfO.exe
2⤵
PID:6616

C:\Windows\System\fbLCHdr.exe
C:\Windows\System\fbLCHdr.exe
2⤵
PID:6644

C:\Windows\System\TyDwwHb.exe
C:\Windows\System\TyDwwHb.exe
2⤵
PID:6676

C:\Windows\System\bapNRIA.exe
C:\Windows\System\bapNRIA.exe
2⤵
PID:6716

C:\Windows\System\jjFbDsi.exe
C:\Windows\System\jjFbDsi.exe
2⤵
PID:6740

C:\Windows\System\lTraBuy.exe
C:\Windows\System\lTraBuy.exe
2⤵
PID:6760

C:\Windows\System\msHVChk.exe
C:\Windows\System\msHVChk.exe
2⤵
PID:6792

C:\Windows\System\qOorXCM.exe
C:\Windows\System\qOorXCM.exe
2⤵
PID:6836

C:\Windows\System\pfZvmGb.exe
C:\Windows\System\pfZvmGb.exe
2⤵
PID:6864

C:\Windows\System\PSJDNGY.exe
C:\Windows\System\PSJDNGY.exe
2⤵
PID:6892

C:\Windows\System\PxtBZwi.exe
C:\Windows\System\PxtBZwi.exe
2⤵
PID:6936

C:\Windows\System\xpuBbZr.exe
C:\Windows\System\xpuBbZr.exe
2⤵
PID:6980

C:\Windows\System\pkergNo.exe
C:\Windows\System\pkergNo.exe
2⤵
PID:7020

C:\Windows\System\CzXAsTv.exe
C:\Windows\System\CzXAsTv.exe
2⤵
PID:7036

C:\Windows\System\AOzBfUK.exe
C:\Windows\System\AOzBfUK.exe
2⤵
PID:7112

C:\Windows\System\kTJOlBw.exe
C:\Windows\System\kTJOlBw.exe
2⤵
PID:7148

C:\Windows\System\MqHEOJR.exe
C:\Windows\System\MqHEOJR.exe
2⤵
PID:5888

C:\Windows\System\UbKvInJ.exe
C:\Windows\System\UbKvInJ.exe
2⤵
PID:6244

C:\Windows\System\iKQfVCM.exe
C:\Windows\System\iKQfVCM.exe
2⤵
PID:6340

C:\Windows\System\xlSPgKg.exe
C:\Windows\System\xlSPgKg.exe
2⤵
PID:6408

C:\Windows\System\Kwonkgl.exe
C:\Windows\System\Kwonkgl.exe
2⤵
PID:6516

C:\Windows\System\nJEfzBL.exe
C:\Windows\System\nJEfzBL.exe
2⤵
PID:388

C:\Windows\System\QocbNFr.exe
C:\Windows\System\QocbNFr.exe
2⤵
PID:5896

C:\Windows\System\IWDrgLj.exe
C:\Windows\System\IWDrgLj.exe
2⤵
PID:6752

C:\Windows\System\rEbsaKF.exe
C:\Windows\System\rEbsaKF.exe
2⤵
PID:6888

C:\Windows\System\ZgOgFFu.exe
C:\Windows\System\ZgOgFFu.exe
2⤵
PID:6972

C:\Windows\System\uIOIDKm.exe
C:\Windows\System\uIOIDKm.exe
2⤵
PID:7060

C:\Windows\System\wytIyOX.exe
C:\Windows\System\wytIyOX.exe
2⤵
PID:7160

C:\Windows\System\eWUvTxT.exe
C:\Windows\System\eWUvTxT.exe
2⤵
PID:6152

C:\Windows\System\LSiWyvW.exe
C:\Windows\System\LSiWyvW.exe
2⤵
PID:7000

C:\Windows\System\rNeToLf.exe
C:\Windows\System\rNeToLf.exe
2⤵
PID:6464

C:\Windows\System\qeAgvAO.exe
C:\Windows\System\qeAgvAO.exe
2⤵
PID:6728

C:\Windows\System\XqBCCPf.exe
C:\Windows\System\XqBCCPf.exe
2⤵
PID:6804

C:\Windows\System\LPaEFjJ.exe
C:\Windows\System\LPaEFjJ.exe
2⤵
PID:6952

C:\Windows\System\MkjxVwL.exe
C:\Windows\System\MkjxVwL.exe
2⤵
PID:7136

C:\Windows\System\NdUEFiq.exe
C:\Windows\System\NdUEFiq.exe
2⤵
PID:6368

C:\Windows\System\UCieFlM.exe
C:\Windows\System\UCieFlM.exe
2⤵
PID:4228

C:\Windows\System\POhVUZF.exe
C:\Windows\System\POhVUZF.exe
2⤵
PID:6668

C:\Windows\System\xqjnrmB.exe
C:\Windows\System\xqjnrmB.exe
2⤵
PID:4528

C:\Windows\System\YbIaixH.exe
C:\Windows\System\YbIaixH.exe
2⤵
PID:7080

C:\Windows\System\hZROfeO.exe
C:\Windows\System\hZROfeO.exe
2⤵
PID:6492

C:\Windows\System\SOXxejO.exe
C:\Windows\System\SOXxejO.exe
2⤵
PID:7032

C:\Windows\System\YSOwpzw.exe
C:\Windows\System\YSOwpzw.exe
2⤵
PID:7200

C:\Windows\System\XnqQjSu.exe
C:\Windows\System\XnqQjSu.exe
2⤵
PID:7232

C:\Windows\System\yshefWW.exe
C:\Windows\System\yshefWW.exe
2⤵
PID:7260

C:\Windows\System\NsnBDcd.exe
C:\Windows\System\NsnBDcd.exe
2⤵
PID:7332

C:\Windows\System\YbqZjou.exe
C:\Windows\System\YbqZjou.exe
2⤵
PID:7368

C:\Windows\System\iGfsNgT.exe
C:\Windows\System\iGfsNgT.exe
2⤵
PID:7400

C:\Windows\System\wDkHpRK.exe
C:\Windows\System\wDkHpRK.exe
2⤵
PID:7432

C:\Windows\System\pGAXgCq.exe
C:\Windows\System\pGAXgCq.exe
2⤵
PID:7464

C:\Windows\System\RYYaRLK.exe
C:\Windows\System\RYYaRLK.exe
2⤵
PID:7492

C:\Windows\System\uPKqVwx.exe
C:\Windows\System\uPKqVwx.exe
2⤵
PID:7520

C:\Windows\System\WKpYBJn.exe
C:\Windows\System\WKpYBJn.exe
2⤵
PID:7556

C:\Windows\System\DOHAaGz.exe
C:\Windows\System\DOHAaGz.exe
2⤵
PID:7592

C:\Windows\System\letJZWE.exe
C:\Windows\System\letJZWE.exe
2⤵
PID:7616

C:\Windows\System\glPkynt.exe
C:\Windows\System\glPkynt.exe
2⤵
PID:7652

C:\Windows\System\lRlTqPn.exe
C:\Windows\System\lRlTqPn.exe
2⤵
PID:7672

C:\Windows\System\wNmdbfN.exe
C:\Windows\System\wNmdbfN.exe
2⤵
PID:7712

C:\Windows\System\qxUoPEs.exe
C:\Windows\System\qxUoPEs.exe
2⤵
PID:7744

C:\Windows\System\vkTfATr.exe
C:\Windows\System\vkTfATr.exe
2⤵
PID:7788

C:\Windows\System\jodNmth.exe
C:\Windows\System\jodNmth.exe
2⤵
PID:7824

C:\Windows\System\DIBSwta.exe
C:\Windows\System\DIBSwta.exe
2⤵
PID:7844

C:\Windows\System\PHjIOYv.exe
C:\Windows\System\PHjIOYv.exe
2⤵
PID:7908

C:\Windows\System\yEOqxmo.exe
C:\Windows\System\yEOqxmo.exe
2⤵
PID:7932

C:\Windows\System\IUjOPQc.exe
C:\Windows\System\IUjOPQc.exe
2⤵
PID:7956

C:\Windows\System\joRitYd.exe
C:\Windows\System\joRitYd.exe
2⤵
PID:7984

C:\Windows\System\jyRRNRX.exe
C:\Windows\System\jyRRNRX.exe
2⤵
PID:8000

C:\Windows\System\JyTRjol.exe
C:\Windows\System\JyTRjol.exe
2⤵
PID:8024

C:\Windows\System\ntkFnzW.exe
C:\Windows\System\ntkFnzW.exe
2⤵
PID:8080

C:\Windows\System\OhHMzcY.exe
C:\Windows\System\OhHMzcY.exe
2⤵
PID:8108

C:\Windows\System\aWBvgdS.exe
C:\Windows\System\aWBvgdS.exe
2⤵
PID:8156

C:\Windows\System\NOXlSKk.exe
C:\Windows\System\NOXlSKk.exe
2⤵
PID:8180

C:\Windows\System\HoresBv.exe
C:\Windows\System\HoresBv.exe
2⤵
PID:7180

C:\Windows\System\FkVRazg.exe
C:\Windows\System\FkVRazg.exe
2⤵
PID:7220

C:\Windows\System\ZXzQYIR.exe
C:\Windows\System\ZXzQYIR.exe
2⤵
PID:7272

C:\Windows\System\iclxeXN.exe
C:\Windows\System\iclxeXN.exe
2⤵
PID:7384

C:\Windows\System\omTRklW.exe
C:\Windows\System\omTRklW.exe
2⤵
PID:7512

C:\Windows\System\dgbaiYI.exe
C:\Windows\System\dgbaiYI.exe
2⤵
PID:7584

C:\Windows\System\MlOWyll.exe
C:\Windows\System\MlOWyll.exe
2⤵
PID:7664

C:\Windows\System\nmUWukL.exe
C:\Windows\System\nmUWukL.exe
2⤵
PID:7732

C:\Windows\System\PHkZdok.exe
C:\Windows\System\PHkZdok.exe
2⤵
PID:7808

C:\Windows\System\ZqYZZFP.exe
C:\Windows\System\ZqYZZFP.exe
2⤵
PID:7856

C:\Windows\System\vwvaSyr.exe
C:\Windows\System\vwvaSyr.exe
2⤵
PID:7952

C:\Windows\System\tXydyHq.exe
C:\Windows\System\tXydyHq.exe
2⤵
PID:8016

C:\Windows\System\GLnqpQE.exe
C:\Windows\System\GLnqpQE.exe
2⤵
PID:8072

C:\Windows\System\uhSuSKt.exe
C:\Windows\System\uhSuSKt.exe
2⤵
PID:8172

C:\Windows\System\tLXBrGE.exe
C:\Windows\System\tLXBrGE.exe
2⤵
PID:6632

C:\Windows\System\xblkcoc.exe
C:\Windows\System\xblkcoc.exe
2⤵
PID:7360

C:\Windows\System\obciptD.exe
C:\Windows\System\obciptD.exe
2⤵
PID:7580

C:\Windows\System\BqEZKKK.exe
C:\Windows\System\BqEZKKK.exe
2⤵
PID:7724

C:\Windows\System\fzIYwQT.exe
C:\Windows\System\fzIYwQT.exe
2⤵
PID:7880

C:\Windows\System\JlmAUhR.exe
C:\Windows\System\JlmAUhR.exe
2⤵
PID:7996

C:\Windows\System\CuXeBog.exe
C:\Windows\System\CuXeBog.exe
2⤵
PID:8136

C:\Windows\System\EyZqFAU.exe
C:\Windows\System\EyZqFAU.exe
2⤵
PID:7268

C:\Windows\System\bICnRsV.exe
C:\Windows\System\bICnRsV.exe
2⤵
PID:7700

C:\Windows\System\zoFSTiW.exe
C:\Windows\System\zoFSTiW.exe
2⤵
PID:7980

C:\Windows\System\CnPPUHg.exe
C:\Windows\System\CnPPUHg.exe
2⤵
PID:7016

C:\Windows\System\LOnlDic.exe
C:\Windows\System\LOnlDic.exe
2⤵
PID:7420

C:\Windows\System\AzVfCpj.exe
C:\Windows\System\AzVfCpj.exe
2⤵
PID:7784

C:\Windows\System\QrYJmkT.exe
C:\Windows\System\QrYJmkT.exe
2⤵
PID:7992

C:\Windows\System\RJWXfem.exe
C:\Windows\System\RJWXfem.exe
2⤵
PID:8212

C:\Windows\System\aWXHWeq.exe
C:\Windows\System\aWXHWeq.exe
2⤵
PID:8252

C:\Windows\System\FwBwSmI.exe
C:\Windows\System\FwBwSmI.exe
2⤵
PID:8280

C:\Windows\System\CiSZxFP.exe
C:\Windows\System\CiSZxFP.exe
2⤵
PID:8320

C:\Windows\System\vdcsZCA.exe
C:\Windows\System\vdcsZCA.exe
2⤵
PID:8348

C:\Windows\System\pJIqBap.exe
C:\Windows\System\pJIqBap.exe
2⤵
PID:8376

C:\Windows\System\qBqOLhm.exe
C:\Windows\System\qBqOLhm.exe
2⤵
PID:8404

C:\Windows\System\suCPyFm.exe
C:\Windows\System\suCPyFm.exe
2⤵
PID:8432

C:\Windows\System\oJOladp.exe
C:\Windows\System\oJOladp.exe
2⤵
PID:8460

C:\Windows\System\sJExlmD.exe
C:\Windows\System\sJExlmD.exe
2⤵
PID:8488

C:\Windows\System\lsUahHk.exe
C:\Windows\System\lsUahHk.exe
2⤵
PID:8528

C:\Windows\System\beIvspd.exe
C:\Windows\System\beIvspd.exe
2⤵
PID:8556

C:\Windows\System\VGYNDnA.exe
C:\Windows\System\VGYNDnA.exe
2⤵
PID:8584

C:\Windows\System\NcGmagE.exe
C:\Windows\System\NcGmagE.exe
2⤵
PID:8612

C:\Windows\System\GZGSFXG.exe
C:\Windows\System\GZGSFXG.exe
2⤵
PID:8640

C:\Windows\System\wkwIToT.exe
C:\Windows\System\wkwIToT.exe
2⤵
PID:8668

C:\Windows\System\PDBdNbc.exe
C:\Windows\System\PDBdNbc.exe
2⤵
PID:8724

C:\Windows\System\AUcrolh.exe
C:\Windows\System\AUcrolh.exe
2⤵
PID:8752

C:\Windows\System\exIRDor.exe
C:\Windows\System\exIRDor.exe
2⤵
PID:8780

C:\Windows\System\BcsquYC.exe
C:\Windows\System\BcsquYC.exe
2⤵
PID:8852

C:\Windows\System\uxPfqSq.exe
C:\Windows\System\uxPfqSq.exe
2⤵
PID:8908

C:\Windows\System\JUlZXek.exe
C:\Windows\System\JUlZXek.exe
2⤵
PID:8960

C:\Windows\System\kuMvXhM.exe
C:\Windows\System\kuMvXhM.exe
2⤵
PID:9012

C:\Windows\System\pPkhTTK.exe
C:\Windows\System\pPkhTTK.exe
2⤵
PID:9080

C:\Windows\System\aYfelrb.exe
C:\Windows\System\aYfelrb.exe
2⤵
PID:9120

C:\Windows\System\tgxlYme.exe
C:\Windows\System\tgxlYme.exe
2⤵
PID:9140

C:\Windows\System\tsZULkF.exe
C:\Windows\System\tsZULkF.exe
2⤵
PID:9180

C:\Windows\System\ESdMoeW.exe
C:\Windows\System\ESdMoeW.exe
2⤵
PID:8208

C:\Windows\System\dDsLIOx.exe
C:\Windows\System\dDsLIOx.exe
2⤵
PID:8316

C:\Windows\System\muldoWF.exe
C:\Windows\System\muldoWF.exe
2⤵
PID:8372

C:\Windows\System\LLKIXGH.exe
C:\Windows\System\LLKIXGH.exe
2⤵
PID:8452

C:\Windows\System\nPNTrBC.exe
C:\Windows\System\nPNTrBC.exe
2⤵
PID:8548

C:\Windows\System\BhjFfJM.exe
C:\Windows\System\BhjFfJM.exe
2⤵
PID:8632

C:\Windows\System\zwImgkM.exe
C:\Windows\System\zwImgkM.exe
2⤵
PID:8680

C:\Windows\System\KwviFGf.exe
C:\Windows\System\KwviFGf.exe
2⤵
PID:8764

C:\Windows\System\qIpVuys.exe
C:\Windows\System\qIpVuys.exe
2⤵
PID:8840

C:\Windows\System\FVfjbpK.exe
C:\Windows\System\FVfjbpK.exe
2⤵
PID:8992

C:\Windows\System\aEkOIsh.exe
C:\Windows\System\aEkOIsh.exe
2⤵
PID:9048

C:\Windows\System\ceNOIgS.exe
C:\Windows\System\ceNOIgS.exe
2⤵
PID:9132

C:\Windows\System\LidKnuP.exe
C:\Windows\System\LidKnuP.exe
2⤵
PID:9176

C:\Windows\System\omwtLMq.exe
C:\Windows\System\omwtLMq.exe
2⤵
PID:8240

C:\Windows\System\AdTtdOz.exe
C:\Windows\System\AdTtdOz.exe
2⤵
PID:8400

C:\Windows\System\sobbQzv.exe
C:\Windows\System\sobbQzv.exe
2⤵
PID:8540

C:\Windows\System\pOmMfCQ.exe
C:\Windows\System\pOmMfCQ.exe
2⤵
PID:8736

C:\Windows\System\uELDvNe.exe
C:\Windows\System\uELDvNe.exe
2⤵
PID:8836

C:\Windows\System\YemOWza.exe
C:\Windows\System\YemOWza.exe
2⤵
PID:9072

C:\Windows\System\zLFDjTX.exe
C:\Windows\System\zLFDjTX.exe
2⤵
PID:8360

C:\Windows\System\gFPDnbf.exe
C:\Windows\System\gFPDnbf.exe
2⤵
PID:8604

C:\Windows\System\kkNaMJY.exe
C:\Windows\System\kkNaMJY.exe
2⤵
PID:5916

C:\Windows\System\NdqyXIW.exe
C:\Windows\System\NdqyXIW.exe
2⤵
PID:9156

C:\Windows\System\XizAfpt.exe
C:\Windows\System\XizAfpt.exe
2⤵
PID:8796

C:\Windows\System\VhBsQBJ.exe
C:\Windows\System\VhBsQBJ.exe
2⤵
PID:1844

C:\Windows\System\hnPQhUw.exe
C:\Windows\System\hnPQhUw.exe
2⤵
PID:9236

C:\Windows\System\ruxIYTv.exe
C:\Windows\System\ruxIYTv.exe
2⤵
PID:9264

C:\Windows\System\HUWqqCi.exe
C:\Windows\System\HUWqqCi.exe
2⤵
PID:9292

C:\Windows\System\gtPmFSe.exe
C:\Windows\System\gtPmFSe.exe
2⤵
PID:9328

C:\Windows\System\Hdsosqb.exe
C:\Windows\System\Hdsosqb.exe
2⤵
PID:9348

C:\Windows\System\WSpTKmK.exe
C:\Windows\System\WSpTKmK.exe
2⤵
PID:9376

C:\Windows\System\zXnjJzK.exe
C:\Windows\System\zXnjJzK.exe
2⤵
PID:9404

C:\Windows\System\SwpTkRi.exe
C:\Windows\System\SwpTkRi.exe
2⤵
PID:9432

C:\Windows\System\BzGIwwR.exe
C:\Windows\System\BzGIwwR.exe
2⤵
PID:9460

C:\Windows\System\kfPKiII.exe
C:\Windows\System\kfPKiII.exe
2⤵
PID:9500

C:\Windows\System\GTNUUrQ.exe
C:\Windows\System\GTNUUrQ.exe
2⤵
PID:9532

C:\Windows\System\ohCSCUD.exe
C:\Windows\System\ohCSCUD.exe
2⤵
PID:9560

C:\Windows\System\otaSReS.exe
C:\Windows\System\otaSReS.exe
2⤵
PID:9600

C:\Windows\System\lSfuRQm.exe
C:\Windows\System\lSfuRQm.exe
2⤵
PID:9628

C:\Windows\System\tyQJsse.exe
C:\Windows\System\tyQJsse.exe
2⤵
PID:9656

C:\Windows\System\uvHOYwb.exe
C:\Windows\System\uvHOYwb.exe
2⤵
PID:9684

C:\Windows\System\BWALdrp.exe
C:\Windows\System\BWALdrp.exe
2⤵
PID:9712

C:\Windows\System\vGIaRNk.exe
C:\Windows\System\vGIaRNk.exe
2⤵
PID:9740

C:\Windows\System\XyBfQDh.exe
C:\Windows\System\XyBfQDh.exe
2⤵
PID:9768

C:\Windows\System\BUDywho.exe
C:\Windows\System\BUDywho.exe
2⤵
PID:9796

C:\Windows\System\McaCmsF.exe
C:\Windows\System\McaCmsF.exe
2⤵
PID:9824

C:\Windows\System\HGlCSpg.exe
C:\Windows\System\HGlCSpg.exe
2⤵
PID:9852

C:\Windows\System\zQvHyEu.exe
C:\Windows\System\zQvHyEu.exe
2⤵
PID:9880

C:\Windows\System\arkhLBE.exe
C:\Windows\System\arkhLBE.exe
2⤵
PID:9908

C:\Windows\System\XsZUYye.exe
C:\Windows\System\XsZUYye.exe
2⤵
PID:9936

C:\Windows\System\vUzIfGk.exe
C:\Windows\System\vUzIfGk.exe
2⤵
PID:9964

C:\Windows\System\gLrZeXS.exe
C:\Windows\System\gLrZeXS.exe
2⤵
PID:9992

C:\Windows\System\GoIqvqQ.exe
C:\Windows\System\GoIqvqQ.exe
2⤵
PID:10020

C:\Windows\System\pEdNZFK.exe
C:\Windows\System\pEdNZFK.exe
2⤵
PID:10048

C:\Windows\System\OKSPoaW.exe
C:\Windows\System\OKSPoaW.exe
2⤵
PID:10076

C:\Windows\System\HfxGQzl.exe
C:\Windows\System\HfxGQzl.exe
2⤵
PID:10104

C:\Windows\System\XxErXFU.exe
C:\Windows\System\XxErXFU.exe
2⤵
PID:10144

C:\Windows\System\rkqcUDh.exe
C:\Windows\System\rkqcUDh.exe
2⤵
PID:10172

C:\Windows\System\gIjfaEw.exe
C:\Windows\System\gIjfaEw.exe
2⤵
PID:10200

C:\Windows\System\QHbZiMm.exe
C:\Windows\System\QHbZiMm.exe
2⤵
PID:10228

C:\Windows\System\biCVUFl.exe
C:\Windows\System\biCVUFl.exe
2⤵
PID:9232

C:\Windows\System\aVAtEoi.exe
C:\Windows\System\aVAtEoi.exe
2⤵
PID:9304

C:\Windows\System\Twugjph.exe
C:\Windows\System\Twugjph.exe
2⤵
PID:9368

C:\Windows\System\PQcUWpR.exe
C:\Windows\System\PQcUWpR.exe
2⤵
PID:9428

C:\Windows\System\Bbfswqh.exe
C:\Windows\System\Bbfswqh.exe
2⤵
PID:9488

C:\Windows\System\ftlpAnd.exe
C:\Windows\System\ftlpAnd.exe
2⤵
PID:9580

C:\Windows\System\amlvalK.exe
C:\Windows\System\amlvalK.exe
2⤵
PID:9624

C:\Windows\System\AeWHRjR.exe
C:\Windows\System\AeWHRjR.exe
2⤵
PID:9724

C:\Windows\System\tnZYmvq.exe
C:\Windows\System\tnZYmvq.exe
2⤵
PID:9788

C:\Windows\System\aqEErry.exe
C:\Windows\System\aqEErry.exe
2⤵
PID:9848

C:\Windows\System\pNidbdM.exe
C:\Windows\System\pNidbdM.exe
2⤵
PID:9948

C:\Windows\System\eKzJTxj.exe
C:\Windows\System\eKzJTxj.exe
2⤵
PID:10016

C:\Windows\System\mgWEtVp.exe
C:\Windows\System\mgWEtVp.exe
2⤵
PID:10100

C:\Windows\System\vRXoQzM.exe
C:\Windows\System\vRXoQzM.exe
2⤵
PID:10164

C:\Windows\System\oCOVpoD.exe
C:\Windows\System\oCOVpoD.exe
2⤵
PID:9224

C:\Windows\System\OriKwQr.exe
C:\Windows\System\OriKwQr.exe
2⤵
PID:9364

C:\Windows\System\oUiTyvL.exe
C:\Windows\System\oUiTyvL.exe
2⤵
PID:9512

C:\Windows\System\rEUoDna.exe
C:\Windows\System\rEUoDna.exe
2⤵
PID:9612

C:\Windows\System\PdWUDbK.exe
C:\Windows\System\PdWUDbK.exe
2⤵
PID:9708

C:\Windows\System\kCMkzSV.exe
C:\Windows\System\kCMkzSV.exe
2⤵
PID:9876

C:\Windows\System\hwklMgd.exe
C:\Windows\System\hwklMgd.exe
2⤵
PID:10004

C:\Windows\System\CUrSLXD.exe
C:\Windows\System\CUrSLXD.exe
2⤵
PID:10096

C:\Windows\System\NkexEsu.exe
C:\Windows\System\NkexEsu.exe
2⤵
PID:10216

C:\Windows\System\VYODEWM.exe
C:\Windows\System\VYODEWM.exe
2⤵
PID:10136

C:\Windows\System\YLSeWMs.exe
C:\Windows\System\YLSeWMs.exe
2⤵
PID:9844

C:\Windows\System\kzqGqRM.exe
C:\Windows\System\kzqGqRM.exe
2⤵
PID:10088

C:\Windows\System\tBKabbb.exe
C:\Windows\System\tBKabbb.exe
2⤵
PID:9344

C:\Windows\System\kpccRRJ.exe
C:\Windows\System\kpccRRJ.exe
2⤵
PID:9976

C:\Windows\System\zJlmdNI.exe
C:\Windows\System\zJlmdNI.exe
2⤵
PID:9284

C:\Windows\System\ShqPciA.exe
C:\Windows\System\ShqPciA.exe
2⤵
PID:10260

C:\Windows\System\zrBSirK.exe
C:\Windows\System\zrBSirK.exe
2⤵
PID:10300

C:\Windows\System\EbCPYPm.exe
C:\Windows\System\EbCPYPm.exe
2⤵
PID:10328

C:\Windows\System\iwGLPsa.exe
C:\Windows\System\iwGLPsa.exe
2⤵
PID:10368

C:\Windows\System\rVZQzHS.exe
C:\Windows\System\rVZQzHS.exe
2⤵
PID:10396

C:\Windows\System\QuXQhhu.exe
C:\Windows\System\QuXQhhu.exe
2⤵
PID:10432

C:\Windows\System\LpJXTLe.exe
C:\Windows\System\LpJXTLe.exe
2⤵
PID:10460

C:\Windows\System\opdnafg.exe
C:\Windows\System\opdnafg.exe
2⤵
PID:10504

C:\Windows\System\hgWOTbx.exe
C:\Windows\System\hgWOTbx.exe
2⤵
PID:10544

C:\Windows\System\kmfhUjR.exe
C:\Windows\System\kmfhUjR.exe
2⤵
PID:10560

C:\Windows\System\bIFsuDi.exe
C:\Windows\System\bIFsuDi.exe
2⤵
PID:10592

C:\Windows\System\gjIYDCu.exe
C:\Windows\System\gjIYDCu.exe
2⤵
PID:10624

C:\Windows\System\iLNQrmb.exe
C:\Windows\System\iLNQrmb.exe
2⤵
PID:10652

C:\Windows\System\lKnxvop.exe
C:\Windows\System\lKnxvop.exe
2⤵
PID:10688

C:\Windows\System\ifAuXYw.exe
C:\Windows\System\ifAuXYw.exe
2⤵
PID:10740

C:\Windows\System\ZWkmAwF.exe
C:\Windows\System\ZWkmAwF.exe
2⤵
PID:10788

C:\Windows\System\HpdGUuN.exe
C:\Windows\System\HpdGUuN.exe
2⤵
PID:10816

C:\Windows\System\yBwRZDt.exe
C:\Windows\System\yBwRZDt.exe
2⤵
PID:10848

C:\Windows\System\esnPecB.exe
C:\Windows\System\esnPecB.exe
2⤵
PID:10876

C:\Windows\System\eWoaAnq.exe
C:\Windows\System\eWoaAnq.exe
2⤵
PID:10908

C:\Windows\System\SoWvSfW.exe
C:\Windows\System\SoWvSfW.exe
2⤵
PID:10936

C:\Windows\System\qmMQhac.exe
C:\Windows\System\qmMQhac.exe
2⤵
PID:10964

C:\Windows\System\awHlweD.exe
C:\Windows\System\awHlweD.exe
2⤵
PID:10992

C:\Windows\System\Terhelc.exe
C:\Windows\System\Terhelc.exe
2⤵
PID:11032

C:\Windows\System\UeAfwQS.exe
C:\Windows\System\UeAfwQS.exe
2⤵
PID:11060

C:\Windows\System\YhrNISM.exe
C:\Windows\System\YhrNISM.exe
2⤵
PID:11100

C:\Windows\System\hTwyfzQ.exe
C:\Windows\System\hTwyfzQ.exe
2⤵
PID:11128

C:\Windows\System\gnhhxWY.exe
C:\Windows\System\gnhhxWY.exe
2⤵
PID:11176

C:\Windows\System\PHLktLK.exe
C:\Windows\System\PHLktLK.exe
2⤵
PID:11196

C:\Windows\System\rbVDToG.exe
C:\Windows\System\rbVDToG.exe
2⤵
PID:11224

C:\Windows\System\VObIAUX.exe
C:\Windows\System\VObIAUX.exe
2⤵
PID:10248

C:\Windows\System\wgMDrJY.exe
C:\Windows\System\wgMDrJY.exe
2⤵
PID:10292

C:\Windows\System\EHLacNC.exe
C:\Windows\System\EHLacNC.exe
2⤵
PID:10392

C:\Windows\System\Rapsuyt.exe
C:\Windows\System\Rapsuyt.exe
2⤵
PID:10476

C:\Windows\System\OzVZacE.exe
C:\Windows\System\OzVZacE.exe
2⤵
PID:10528

C:\Windows\System\RNGNcsv.exe
C:\Windows\System\RNGNcsv.exe
2⤵
PID:10644

C:\Windows\System\JYIrLKj.exe
C:\Windows\System\JYIrLKj.exe
2⤵
PID:10684

C:\Windows\System\FncMnir.exe
C:\Windows\System\FncMnir.exe
2⤵
PID:10768

C:\Windows\System\VoVhnwJ.exe
C:\Windows\System\VoVhnwJ.exe
2⤵
PID:10832

C:\Windows\System\bdITraW.exe
C:\Windows\System\bdITraW.exe
2⤵
PID:10896

C:\Windows\System\APQzhcg.exe
C:\Windows\System\APQzhcg.exe
2⤵
PID:10960

C:\Windows\System\FbUbFWj.exe
C:\Windows\System\FbUbFWj.exe
2⤵
PID:11012

C:\Windows\System\LiRHbDE.exe
C:\Windows\System\LiRHbDE.exe
2⤵
PID:11084

C:\Windows\System\vWunmjR.exe
C:\Windows\System\vWunmjR.exe
2⤵
PID:11124

C:\Windows\System\QVQpAFi.exe
C:\Windows\System\QVQpAFi.exe
2⤵
PID:11184

C:\Windows\System\qnepLwb.exe
C:\Windows\System\qnepLwb.exe
2⤵
PID:10320

C:\Windows\System\rvsVAlG.exe
C:\Windows\System\rvsVAlG.exe
2⤵
PID:10388

C:\Windows\System\HxmFswo.exe
C:\Windows\System\HxmFswo.exe
2⤵
PID:10584

C:\Windows\System\eUFFkTe.exe
C:\Windows\System\eUFFkTe.exe
2⤵
PID:10728

C:\Windows\System\FKrXrkK.exe
C:\Windows\System\FKrXrkK.exe
2⤵
PID:10892

C:\Windows\System\Suexfrq.exe
C:\Windows\System\Suexfrq.exe
2⤵
PID:11056

C:\Windows\System\eqxGvWD.exe
C:\Windows\System\eqxGvWD.exe
2⤵
PID:11164

C:\Windows\System\MvDKrpM.exe
C:\Windows\System\MvDKrpM.exe
2⤵
PID:10276

C:\Windows\System\udBwLsI.exe
C:\Windows\System\udBwLsI.exe
2⤵
PID:10364

C:\Windows\System\AYXOhUp.exe
C:\Windows\System\AYXOhUp.exe
2⤵
PID:10576

C:\Windows\System\zIxcJOf.exe
C:\Windows\System\zIxcJOf.exe
2⤵
PID:10956

C:\Windows\System\JMkiBXn.exe
C:\Windows\System\JMkiBXn.exe
2⤵
PID:11156

C:\Windows\System\wgaDNpn.exe
C:\Windows\System\wgaDNpn.exe
2⤵
PID:10540

C:\Windows\System\BzixVae.exe
C:\Windows\System\BzixVae.exe
2⤵
PID:10352

C:\Windows\System\oUhtTOw.exe
C:\Windows\System\oUhtTOw.exe
2⤵
PID:11044

C:\Windows\System\SXKMEUO.exe
C:\Windows\System\SXKMEUO.exe
2⤵
PID:8

C:\Windows\System\cgoqQhm.exe
C:\Windows\System\cgoqQhm.exe
2⤵
PID:11284

C:\Windows\System\VrOghzw.exe
C:\Windows\System\VrOghzw.exe
2⤵
PID:11316

C:\Windows\System\jjkDlpw.exe
C:\Windows\System\jjkDlpw.exe
2⤵
PID:11348

C:\Windows\System\vcbTSdM.exe
C:\Windows\System\vcbTSdM.exe
2⤵
PID:11376

C:\Windows\System\OGcXADd.exe
C:\Windows\System\OGcXADd.exe
2⤵
PID:11404

C:\Windows\System\rzCHRJP.exe
C:\Windows\System\rzCHRJP.exe
2⤵
PID:11432

C:\Windows\System\YiCCzRO.exe
C:\Windows\System\YiCCzRO.exe
2⤵
PID:11460

C:\Windows\System\ceNgWQT.exe
C:\Windows\System\ceNgWQT.exe
2⤵
PID:11488

C:\Windows\System\exVCLPe.exe
C:\Windows\System\exVCLPe.exe
2⤵
PID:11516

C:\Windows\System\nDUZsdN.exe
C:\Windows\System\nDUZsdN.exe
2⤵
PID:11548

C:\Windows\System\vQXxjQj.exe
C:\Windows\System\vQXxjQj.exe
2⤵
PID:11576

C:\Windows\System\kDHtkrk.exe
C:\Windows\System\kDHtkrk.exe
2⤵
PID:11608

C:\Windows\System\Rmyufcw.exe
C:\Windows\System\Rmyufcw.exe
2⤵
PID:11636

C:\Windows\System\pIkukQS.exe
C:\Windows\System\pIkukQS.exe
2⤵
PID:11668

C:\Windows\System\wAYLrFl.exe
C:\Windows\System\wAYLrFl.exe
2⤵
PID:11700

C:\Windows\System\CXjJJBa.exe
C:\Windows\System\CXjJJBa.exe
2⤵
PID:11732

C:\Windows\System\YhdVfeU.exe
C:\Windows\System\YhdVfeU.exe
2⤵
PID:11764

C:\Windows\System\KlmNlRp.exe
C:\Windows\System\KlmNlRp.exe
2⤵
PID:11796

C:\Windows\System\lRoNziB.exe
C:\Windows\System\lRoNziB.exe
2⤵
PID:11824

C:\Windows\System\etXGRys.exe
C:\Windows\System\etXGRys.exe
2⤵
PID:11852

C:\Windows\System\gBHColj.exe
C:\Windows\System\gBHColj.exe
2⤵
PID:11880

C:\Windows\System\uDpFwBL.exe
C:\Windows\System\uDpFwBL.exe
2⤵
PID:11908

C:\Windows\System\DkPOOnE.exe
C:\Windows\System\DkPOOnE.exe
2⤵
PID:11948

C:\Windows\System\GmIpWlg.exe
C:\Windows\System\GmIpWlg.exe
2⤵
PID:11968

C:\Windows\System\FaIqqBQ.exe
C:\Windows\System\FaIqqBQ.exe
2⤵
PID:11996

C:\Windows\System\QMIkpvH.exe
C:\Windows\System\QMIkpvH.exe
2⤵
PID:12024

C:\Windows\System\uytLhAF.exe
C:\Windows\System\uytLhAF.exe
2⤵
PID:12052

C:\Windows\System\WAvHVWO.exe
C:\Windows\System\WAvHVWO.exe
2⤵
PID:12084

C:\Windows\System\KbvUCru.exe
C:\Windows\System\KbvUCru.exe
2⤵
PID:12112

C:\Windows\System\MBTOImT.exe
C:\Windows\System\MBTOImT.exe
2⤵
PID:12144

C:\Windows\System\qzrhBcD.exe
C:\Windows\System\qzrhBcD.exe
2⤵
PID:12172

C:\Windows\System\eAFxyoK.exe
C:\Windows\System\eAFxyoK.exe
2⤵
PID:12204

C:\Windows\System\McBUvIZ.exe
C:\Windows\System\McBUvIZ.exe
2⤵
PID:12232

C:\Windows\System\KstrFHr.exe
C:\Windows\System\KstrFHr.exe
2⤵
PID:12264

C:\Windows\System\fVmBoMQ.exe
C:\Windows\System\fVmBoMQ.exe
2⤵
PID:11280

C:\Windows\System\yJccSdP.exe
C:\Windows\System\yJccSdP.exe
2⤵
PID:11396

C:\Windows\System\MCpcusj.exe
C:\Windows\System\MCpcusj.exe
2⤵
PID:11472

C:\Windows\System\HkyEGqw.exe
C:\Windows\System\HkyEGqw.exe
2⤵
PID:11536

C:\Windows\System\TPWeJBc.exe
C:\Windows\System\TPWeJBc.exe
2⤵
PID:11600

C:\Windows\System\FUjTCbc.exe
C:\Windows\System\FUjTCbc.exe
2⤵
PID:11660

C:\Windows\System\ISLgBgw.exe
C:\Windows\System\ISLgBgw.exe
2⤵
PID:11780

C:\Windows\System\QUareNr.exe
C:\Windows\System\QUareNr.exe
2⤵
PID:11820

C:\Windows\System\URoAmZr.exe
C:\Windows\System\URoAmZr.exe
2⤵
PID:11872

C:\Windows\System\mZYOBcT.exe
C:\Windows\System\mZYOBcT.exe
2⤵
PID:11928

C:\Windows\System\mqbezMO.exe
C:\Windows\System\mqbezMO.exe
2⤵
PID:11988

C:\Windows\System\tsYPhQA.exe
C:\Windows\System\tsYPhQA.exe
2⤵
PID:10608

C:\Windows\System\hVBGRNP.exe
C:\Windows\System\hVBGRNP.exe
2⤵
PID:12164

C:\Windows\System\JtQlIen.exe
C:\Windows\System\JtQlIen.exe
2⤵
PID:12256

C:\Windows\System\vIWxilg.exe
C:\Windows\System\vIWxilg.exe
2⤵
PID:11428

C:\Windows\System\zEytbnw.exe
C:\Windows\System\zEytbnw.exe
2⤵
PID:11596

C:\Windows\System\zgRNELk.exe
C:\Windows\System\zgRNELk.exe
2⤵
PID:11676

C:\Windows\System\QDEUmEf.exe
C:\Windows\System\QDEUmEf.exe
2⤵
PID:11304

C:\Windows\System\UDLnZkC.exe
C:\Windows\System\UDLnZkC.exe
2⤵
PID:11868

C:\Windows\System\gTpqTCa.exe
C:\Windows\System\gTpqTCa.exe
2⤵
PID:12016

C:\Windows\System\HTgYSGp.exe
C:\Windows\System\HTgYSGp.exe
2⤵
PID:4184

C:\Windows\System\svpSTLy.exe
C:\Windows\System\svpSTLy.exe
2⤵
PID:11500

C:\Windows\System\ZJBZNkd.exe
C:\Windows\System\ZJBZNkd.exe
2⤵
PID:11728

C:\Windows\System\whPplnI.exe
C:\Windows\System\whPplnI.exe
2⤵
PID:11984

C:\Windows\System\TRoijHT.exe
C:\Windows\System\TRoijHT.exe
2⤵
PID:11648

C:\Windows\System\tjaGylH.exe
C:\Windows\System\tjaGylH.exe
2⤵
PID:11420

C:\Windows\System\tCtsrxF.exe
C:\Windows\System\tCtsrxF.exe
2⤵
PID:12320

C:\Windows\System\HIlTypF.exe
C:\Windows\System\HIlTypF.exe
2⤵
PID:12388

C:\Windows\System\ZxlReSL.exe
C:\Windows\System\ZxlReSL.exe
2⤵
PID:12428

C:\Windows\System\OYRJCXZ.exe
C:\Windows\System\OYRJCXZ.exe
2⤵
PID:12484

C:\Windows\System\UfuQUwJ.exe
C:\Windows\System\UfuQUwJ.exe
2⤵
PID:12528

C:\Windows\System\nBhBvbK.exe
C:\Windows\System\nBhBvbK.exe
2⤵
PID:12572

C:\Windows\System\ZeaDOkd.exe
C:\Windows\System\ZeaDOkd.exe
2⤵
PID:12600

C:\Windows\System\xGBYZCe.exe
C:\Windows\System\xGBYZCe.exe
2⤵
PID:12624

C:\Windows\System\KueGKrq.exe
C:\Windows\System\KueGKrq.exe
2⤵
PID:12668

C:\Windows\System\ZZJFHFV.exe
C:\Windows\System\ZZJFHFV.exe
2⤵
PID:12696

C:\Windows\System\KMOdqyk.exe
C:\Windows\System\KMOdqyk.exe
2⤵
PID:12728

C:\Windows\System\gJsFaZt.exe
C:\Windows\System\gJsFaZt.exe
2⤵
PID:12748

C:\Windows\System\NvRRCuV.exe
C:\Windows\System\NvRRCuV.exe
2⤵
PID:12796

C:\Windows\System\TgoPWIv.exe
C:\Windows\System\TgoPWIv.exe
2⤵
PID:12824

C:\Windows\System\RdphAKm.exe
C:\Windows\System\RdphAKm.exe
2⤵
PID:12856

C:\Windows\System\sDCgWJa.exe
C:\Windows\System\sDCgWJa.exe
2⤵
PID:12884

C:\Windows\System\FMfrCyz.exe
C:\Windows\System\FMfrCyz.exe
2⤵
PID:12904

C:\Windows\System\aIanCoa.exe
C:\Windows\System\aIanCoa.exe
2⤵
PID:12940

C:\Windows\System\UNVSUZa.exe
C:\Windows\System\UNVSUZa.exe
2⤵
PID:12968

C:\Windows\System\jMstgcN.exe
C:\Windows\System\jMstgcN.exe
2⤵
PID:12996

C:\Windows\System\UsQdNpR.exe
C:\Windows\System\UsQdNpR.exe
2⤵
PID:13024

C:\Windows\System\jFUHtkV.exe
C:\Windows\System\jFUHtkV.exe
2⤵
PID:13052

C:\Windows\System\wfKGfxR.exe
C:\Windows\System\wfKGfxR.exe
2⤵
PID:13084

C:\Windows\System\sASuHgK.exe
C:\Windows\System\sASuHgK.exe
2⤵
PID:13116

C:\Windows\System\gLBGIum.exe
C:\Windows\System\gLBGIum.exe
2⤵
PID:13144

C:\Windows\System\WJlyuiJ.exe
C:\Windows\System\WJlyuiJ.exe
2⤵
PID:13176

C:\Windows\System\pFcUuQY.exe
C:\Windows\System\pFcUuQY.exe
2⤵
PID:13196

C:\Windows\System\duqzLzf.exe
C:\Windows\System\duqzLzf.exe
2⤵
PID:13224

C:\Windows\System\IahNZFj.exe
C:\Windows\System\IahNZFj.exe
2⤵
PID:13264

C:\Windows\System\OgLDYAa.exe
C:\Windows\System\OgLDYAa.exe
2⤵
PID:13300

C:\Windows\System\TIeFRTD.exe
C:\Windows\System\TIeFRTD.exe
2⤵
PID:12308

C:\Windows\System\PBsjIfZ.exe
C:\Windows\System\PBsjIfZ.exe
2⤵
PID:12340

C:\Windows\System\CoJycLt.exe
C:\Windows\System\CoJycLt.exe
2⤵
PID:12296

C:\Windows\System\pUOsmJj.exe
C:\Windows\System\pUOsmJj.exe
2⤵
PID:12524

C:\Windows\System\cVaOvfa.exe
C:\Windows\System\cVaOvfa.exe
2⤵
PID:12608

C:\Windows\System\LzuNOtU.exe
C:\Windows\System\LzuNOtU.exe
2⤵
PID:12640

C:\Windows\System\ypHymin.exe
C:\Windows\System\ypHymin.exe
2⤵
PID:12744

C:\Windows\System\YdhGkDD.exe
C:\Windows\System\YdhGkDD.exe
2⤵
PID:12808

C:\Windows\System\InMiQga.exe
C:\Windows\System\InMiQga.exe
2⤵
PID:12876

C:\Windows\System\TPnDiHn.exe
C:\Windows\System\TPnDiHn.exe
2⤵
PID:12936

C:\Windows\System\SrhPOOm.exe
C:\Windows\System\SrhPOOm.exe
2⤵
PID:13012

C:\Windows\System\VTyGydg.exe
C:\Windows\System\VTyGydg.exe
2⤵
PID:13064

C:\Windows\System\eBLLhAc.exe
C:\Windows\System\eBLLhAc.exe
2⤵
PID:13112

C:\Windows\System\gyaqZQe.exe
C:\Windows\System\gyaqZQe.exe
2⤵
PID:13172

C:\Windows\System\qYjxiIs.exe
C:\Windows\System\qYjxiIs.exe
2⤵
PID:13244

C:\Windows\System\WDJVUnh.exe
C:\Windows\System\WDJVUnh.exe
2⤵
PID:13272

C:\Windows\System\CmDwyZt.exe
C:\Windows\System\CmDwyZt.exe
2⤵
PID:220

C:\Windows\System\EiBObpk.exe
C:\Windows\System\EiBObpk.exe
2⤵
PID:12480

C:\Windows\System\MTEgqFf.exe
C:\Windows\System\MTEgqFf.exe
2⤵
PID:12632

C:\Windows\System\UQBhfjZ.exe
C:\Windows\System\UQBhfjZ.exe
2⤵
PID:12792

C:\Windows\System\zkMNlpc.exe
C:\Windows\System\zkMNlpc.exe
2⤵
PID:12932

C:\Windows\System\wHOUNvp.exe
C:\Windows\System\wHOUNvp.exe
2⤵
PID:13068

C:\Windows\System\JMEiXjl.exe
C:\Windows\System\JMEiXjl.exe
2⤵
PID:13208

C:\Windows\System\QMtvbvW.exe
C:\Windows\System\QMtvbvW.exe
2⤵
PID:13296

C:\Windows\System\MUHAwlo.exe
C:\Windows\System\MUHAwlo.exe
2⤵
PID:12724

C:\Windows\System\yiXWmra.exe
C:\Windows\System\yiXWmra.exe
2⤵
PID:13048

C:\Windows\System\tFDuDLA.exe
C:\Windows\System\tFDuDLA.exe
2⤵
PID:13260

C:\Windows\System\MJzTjNT.exe
C:\Windows\System\MJzTjNT.exe
2⤵
PID:10580

C:\Windows\System\VgZArUP.exe
C:\Windows\System\VgZArUP.exe
2⤵
PID:12596

C:\Windows\System\RuCskQW.exe
C:\Windows\System\RuCskQW.exe
2⤵
PID:13332

C:\Windows\System\RInmRNl.exe
C:\Windows\System\RInmRNl.exe
2⤵
PID:13360

C:\Windows\System\hDUVPHL.exe
C:\Windows\System\hDUVPHL.exe
2⤵
PID:13388

C:\Windows\System\RIPLEAQ.exe
C:\Windows\System\RIPLEAQ.exe
2⤵
PID:13416

C:\Windows\System\tmvAhgS.exe
C:\Windows\System\tmvAhgS.exe
2⤵
PID:13640

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14300

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkx00ra4.xoz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AVvrpJg.exe
Filesize
3.3MB

MD5
d9811db3846bd27114691614bf33c760

SHA1
849bd60fd4ed064fc4a1d42bc80cb5039c70cba0

SHA256
9cd61145076733ee7196ae88f89fc082fad19c478a00657276879521efa3038a

SHA512
cf11fbe9fd7aa81305a927c34922573bc0ec7961194edda6d215e666153f9819664e1393497df0f83b02252dc07efc91dc1fc87d1cced5e881049c776420fbd4

Download Submit
C:\Windows\System\BleAcoF.exe
Filesize
3.3MB

MD5
10e1e7acd07f2122f59486ac063b57b2

SHA1
ca71baa020d6ae65351578dc1d748443f9850134

SHA256
ce8bdf482a4b531e53bcedaf2d68c7a351e9fa7f5a9b3bd29bf6974220473fb8

SHA512
1adcacc9726dfdc08dbb19506405d4bd7a38b84f09510ad63bba57e7fd357af2824372809335b8e7a875a76b0e310d8a527b767bb8fec2bd7d0e4beaeb8018ae

Download Submit
C:\Windows\System\FFDfhoh.exe
Filesize
3.3MB

MD5
0694291a5d20d863fa2908ee88bd9c9e

SHA1
44869af2df603f27440f103ab7f6f07b9f5b4fb3

SHA256
af2a5fb6ed5ae440ab351d40bf1d1e45e0d043888b36ff7b2f2531b7e02c6107

SHA512
ab17bf09ccbec0942a1bba9d6bd2c5ae0c8d4d0e257ea40cb4da5912ab17da0f68b96d101b1f1d5842ab2f9187d92bdbbd5ca5b6bc6cbfdea98cedf0ba6b7a6b

Download Submit
C:\Windows\System\HFymncb.exe
Filesize
3.3MB

MD5
d32d1acc395ba67de81596de05a95143

SHA1
e924043000af99cf125fd328d37098d121c32e10

SHA256
8d69e08ac353395010efe353f25d3c0bec956597fb9ca2fec6abc0d946db06ef

SHA512
3e7ac0a2a3e0adb12f7760f4f6a38959f03bf1caecee3eb0e1bb71d13dca0983c8d1d95906b09bca279c48f53102ed5b0106042a9a41d4cf8eed00b77b9fc6fb

Download Submit
C:\Windows\System\IDYaHgv.exe
Filesize
3.3MB

MD5
67041c83eea14d721f78108a86df15bf

SHA1
852c4138e822e78403291b94483f9767aa11070c

SHA256
4f31ba7a597f4c573f7e6c05ffe45be0637ff44787fc38a00af5dce5e2df5c27

SHA512
ea34e472e2093f60a01717be05a1388206bd83210f7ad3ce6eb59361d2290d1818187dc2101a56a4658b119b611c2bf75b9464f775a2d630a154428e19c2d707

Download Submit
C:\Windows\System\IgLTGnz.exe
Filesize
3.3MB

MD5
6e3c7dc1d3a2768236c1855185a135da

SHA1
027d08ff1653f2c8fe30515c9d0f82037f4c86c1

SHA256
cb154b74a32c9d26f04254918c7a8657f170a3c0da2663f811092c621452c577

SHA512
c0133571e5dfea3c03265c2875324214b8f069c17a53524bf00305860b33abc6eadd435b8d1082ac934dce9c136339425c0fb7bf867153ef71aafc3537662298

Download Submit
C:\Windows\System\JvaucBt.exe
Filesize
3.3MB

MD5
72db21e8a382ef250a1e61e376938c24

SHA1
8200ac1366b08b6318d4929578e946c6685624d0

SHA256
0605413d262d97121a937363a1a1b45bf981bcf2f727ed36ce55b4668afe33cb

SHA512
a267960d61104e61af6b4f58667f8e1b9ce6dd059ab5ea09273de267432a602bde251bef24bef4ac7d0ebe6f3422e13c2df4aa05b3fd472b22156c076f34e1bf

Download Submit
C:\Windows\System\MltVYoC.exe
Filesize
3.3MB

MD5
0f696dcc6a71d575415a5af7c14768c2

SHA1
cece888fc361373bdcecac8405059b30a5708d4e

SHA256
5457b5f5deb7e9e5fdceb3fa2925e885d86b23b328258fa8055168ce880ff641

SHA512
fedb7bcede167cf1da90a8659ddf710a53572966740baf9eac38becf82edad59a45c6b805b63654ff43412baa7992065bbcac77bd0326f4ff7b137b5ec08ed8b

Download Submit
C:\Windows\System\MqOgPal.exe
Filesize
3.3MB

MD5
3b4ee05dbad5f166115b252f1be14c83

SHA1
01f4668236bbb31ab206f2a347c42b7ab39a9911

SHA256
57e49f768c79f505a17245091a4fb71dde8e99d43070f51f3e0c4accf8704a1f

SHA512
9950e91a060bb2db0c943ae858ca2522981a42469b3f7a37dc6419fe1525ec067c0093cd7eb8cb3e82c60ea19be43588206706b494896c0fa946e5a972535eb6

Download Submit
C:\Windows\System\PcHCRio.exe
Filesize
3.3MB

MD5
dbff65a5a1b2f5465b471688ae00bc71

SHA1
01318bcfcc8ae2ee8599204920389bb51bda9fbd

SHA256
bcf4217fe2198edcf469676fd661eb1b2054ba41a9136d660cd8527a8633e46e

SHA512
b66b3b1de57876e9d8ee339eb36709385865ae9385857295bdca9141800a015ab25f77b5fed03c3d419c1fcb940a073ad19abb8a8b422d095e4880de7d281bfd

Download Submit
C:\Windows\System\RJARLYx.exe
Filesize
3.3MB

MD5
158d292ed07e13c0ea68e92c51dc64ba

SHA1
d53357e2a9cac4417d24212c41444833b25ae3c3

SHA256
26d16d622b09f9051e97bfea19b21c18f7443d4683c1056ab2c698c11cf16a66

SHA512
c56ca36bbdaf8b04f6067167fa82bebf73e9f62231f7fb0c8635de8ec266cf9577382e07306c89829a270a09a3559e27d512222ae262e21499d6b70eabe64d16

Download Submit
C:\Windows\System\SHCRzil.exe
Filesize
3.3MB

MD5
e325ebdb03e64cc298aecd14b5bf298a

SHA1
e6863bb691e7bb6361449c37d66c0efa61d4d093

SHA256
ce9ffd964f450ccf46b55390b4f1a3290d650179308f1b292b85681c4ce78d31

SHA512
1399627979647fed36aa2fddb83b130f2dd7ca0963f4be675134fc3867e34e6469f718b26227ab5ea34161108953ac750afe4b3646c06df278ae87bf5e2ce4e4

Download Submit
C:\Windows\System\VhqZZMy.exe
Filesize
3.3MB

MD5
2bbf8c4c64e923e906d1a96f1d2dfb8a

SHA1
330f2c692fc017fa446f949f78f0ed95ac35e0c7

SHA256
28dcf4a3ce3c9c6e1c30592dbfd09ae1543f6e31634c13c84c235e3e843afa3b

SHA512
fdbc84cbc959cd25dc8456a3c565fed93c6ef062f768e563bec72af58ff303670cbb81d7b7a079a8edd296d8380a5d2235caf333419175c9f0510a5ad78a60ac

Download Submit
C:\Windows\System\WpKEEyx.exe
Filesize
3.3MB

MD5
8ba3613d3e17b4d7a970331f391188fc

SHA1
b38e4cf2c1bad3a18b7445e7c5441d69fc34ab2e

SHA256
1f5b822819a5dd6c98a6d2dc75d1ce27c8b477c0a8e0b40978af54718ae5e66b

SHA512
ae807c9e88541dc1a291ba18eb74bdcb497e4c4f8959f1521a598fe5ced0a921fec118e7e151a881d897fa94bea520791ccfd9f39f53c70018aec07c4ad56360

Download Submit
C:\Windows\System\XZfpItD.exe
Filesize
3.3MB

MD5
a31c4dd5a62ac88df27f98d346aeec62

SHA1
4d32f6bf948744f6d21a795caaad97c6a2135e92

SHA256
884d60fec580a77813eca41ba0025faf3900cbf3c00916d943d081fed3190e2f

SHA512
602c25a112567a3b130b11040229ac8bd2106de24473d04d01f1e915b6dc77cbf7f71591e77985ae548c8237c54d703199ed61b3ca9f63e63d0de92160ce6045

Download Submit
C:\Windows\System\XiQjgEF.exe
Filesize
3.3MB

MD5
3eb7f79cadea2a4872a2ebc8bec07a7b

SHA1
ae2d7ccccc3ec788f58a398726a65262fbe24aa0

SHA256
cce6cd2e150138e07383411ffd2f32a657dcb5ef47387de2c494d8856a9fa6fa

SHA512
97251f34753ac4468e2871c9ebf6a1c97fc9d76fccf5123a8350c772e230f866a707182221dd65fe01606e555a633e4d436ea997c37167030b06dceed5ce729f

Download Submit
C:\Windows\System\ZTRsQUJ.exe
Filesize
3.3MB

MD5
c93909941f02e9d1e84c1ae4086457b4

SHA1
8052b8e75d93796ce11bced75b444b325d9a10e3

SHA256
da6ef101b3e6ddf40fb4719131adb607d9969496798be64f8a5967cc0a8f6465

SHA512
8a2ba5c2ffe48e6cb4fb84bfe63e448122cbf6a6ace75912e5bd7b31fc2f6d5bb9db1586ed78fa645f957087f118883e626bde7692f006c30c2173888b1d9fe3

Download Submit
C:\Windows\System\ZwooOyF.exe
Filesize
3.3MB

MD5
dea22379794bfe27eba3ec886a6724f4

SHA1
1fee7051d4538f17f79956744c696038c9497423

SHA256
d2632841a078557d8b8f82d55f6c09e4d519f9027d1383c0a6463fedf4eee60d

SHA512
9bff6a039970463f05af6a267bf1fa9ff610313d7345f02d22efb09c2cfc0406eb175f1df45a3ec0c3c2f22cd89098f7d1d0d13fd8d471b825906a0e9565e87b

Download Submit
C:\Windows\System\bwHAGDN.exe
Filesize
3.3MB

MD5
6c692a1c86cd19db3d7ab976fa4b37d3

SHA1
7181ecf0385d92bfed3daca9f6168557e40d3483

SHA256
041b46ced267566f8ec38c3b134e5a177bf3ab52e6108ef2a5c0850fe9879ed6

SHA512
2c39f012fe6034d6dd0a6207e975736de8d98723237b15d41546597048649e7def56c4fc2445211586f6fb294dd575e4d3605c674f1fe81a5c9a41e6e32247f1

Download Submit
C:\Windows\System\dBAidil.exe
Filesize
3.3MB

MD5
22070fe65e32f2bae3477db9b6ff1f71

SHA1
3f79c760962e34eb6e4457eb73e2697430dd499a

SHA256
c5ba7a07e4a0e832c1c38686915cfc35a97e537a60c1ff7fc7052d294ba30724

SHA512
6c0f04befe8b073e43e5ebf29c6266b87fda08683d6e5cc45050c7b9b18d683ad3bb195dd5b5030eb3cfad61f4af499ff12af6474b230486ae0a14fac32ca322

Download Submit
C:\Windows\System\dYTnvFW.exe
Filesize
3.3MB

MD5
03290a99e507c4803eacb58af4bd6268

SHA1
a02f3dee954bbd4ea01d4211d1bc01fdc423f005

SHA256
80d6c9daed0bd66c3fb6767518493401f673e50c38aa29de4e55464bf40b93d0

SHA512
e00fe20ba9c771ed94dd11428df20b375c6ab5c81eaceb9c60af21d49a1f78897131800517796042c089b1c504a626ac5c1cbaf8ef967d5dbe8bb226b1681315

Download Submit
C:\Windows\System\eSOrdaB.exe
Filesize
3.3MB

MD5
a31df6f4144eb94a5a90ac41de984047

SHA1
70145233818e9a12ea8399edc35eb6051d400808

SHA256
69465e35bbe86fbaafaa768cbb4a307277a85a5b407321b62cead6227ae297ec

SHA512
67c3572ea1ed67a27a054d398e389860a899cc463391726be6bf41bc5785b765fd3543c4a3f56e388f600cbde6546a7dd2156c719e979b23f713f562caba2a1d

Download Submit
C:\Windows\System\ecRYxQK.exe
Filesize
3.3MB

MD5
a002f92830207353968024a4e91794bd

SHA1
a0d69b5e2b6f5352ede6169fb82d50febb389dd6

SHA256
caad2ab5e685976a0cf78536d79479843d57f797f4ca21cfc0c7c66816889277

SHA512
2c3b6d60767cdc9dc348371ebf6d1402160320554673205ebd320caf59f1d98d590389ef151a7f9eaf469bf03668eda5a5b71ec9d2e613e7c2188915e55f458e

Download Submit
C:\Windows\System\iaZCLcK.exe
Filesize
3.3MB

MD5
e25908825a4488100db6134827124654

SHA1
f7114253d7810c046b77a7fe15aa8d6c5b172406

SHA256
20f6791f2bbc24a2d1fc7a1b285ae7254327134ebf3413ec828839677ba534f2

SHA512
d113b352f644e7d45cd791680e9cefce344bf3c435cd2906f1b9e6b27fe1b0e3df8c1cb3ff1e3e4d310c85ed912e120ed8e8618454eda1f252b0f9eedc94fdf3

Download Submit
C:\Windows\System\icHFuYa.exe
Filesize
3.3MB

MD5
72629c2c34d5b5a35456cbe6a7cc1fc9

SHA1
5e7925cf306a0ef2fb400c74fead60666e02b900

SHA256
970a630a19f8fc6fda8fd1abcf23076607ed863bc07f54ed6c4aba1b6e9dab9b

SHA512
8b20602f7d2a706104ac3c86ed65c7e5bd40f884f01cdf301fcdc0cdb1a8303613ffd3c847434f42e19780f521e27f736a7d98f88585575930a4a0386ebd49bc

Download Submit
C:\Windows\System\kzKRApL.exe
Filesize
3.3MB

MD5
ef68a21b1455a3c2a23c9a48d2d9b96e

SHA1
df04f338ac4fee9b84e3172382a47c0d681ec027

SHA256
cdd4a143999a797e804083f22cdfc3aa18e2e325a6e29daddb2a7095ef1da27c

SHA512
a2bf0143cfdbfcf74eff42a8fd7e6de2f77ccf0fc8c212811e2042b3a2aae8ebe519935a6d66a8fd458de8f01f92523ca4d2425eba85ce21fb9597c5a908f80e

Download Submit
C:\Windows\System\qXkRoql.exe
Filesize
3.3MB

MD5
f873d1e3d1d68a832ccec85db4d71d67

SHA1
efccf941b918828bde136c1620eff13de47956bd

SHA256
57a3fa22f03cd48f33572eae9294454ba3a30898257e684beb3341441d53118f

SHA512
8f5abf99c933eb2b63f80b9ef1d37dda90fefe6691f5299514f9143139e9748a3cdbb8844f1fbe2a1ec970bf2134fc6a0cb84e36e224a6c166e871a608178ddc

Download Submit
C:\Windows\System\rSHLovx.exe
Filesize
3.3MB

MD5
66d18bb841a80ff140acfc837450e17c

SHA1
9dd84ee5f52f82b6d2791d76aae3fc773dce6ff5

SHA256
251cd78f3b011e36f9dc8da15810b28018093524dd51a31e68bbef1e58cdbdb0

SHA512
4740cb96cda72fe348e02a232d05804eb6055adbdd8f1204adb67bc1c53f4675c59b533dab16ea072dcc8a523fe27df0ca1038d79bae53b7c65f455ad708d82f

Download Submit
C:\Windows\System\rzVERDu.exe
Filesize
3.3MB

MD5
6b31445f712c183591696b3a51d08d47

SHA1
e6acd077c6bf9b6bc23733fc1c46f1655173010d

SHA256
fd1267c995edcb8d47b95b714b2fca9765cf98ba4162b25d69eeb2eca4b9b2d9

SHA512
05611c38ba36785db86dcda172e532e13574db6e6027977d37da4e9460fb5015d726a01a205384843d44f49cb98acf09e686ab0cffbd301d3dfe64b292cea40e

Download Submit
C:\Windows\System\saJimWi.exe
Filesize
3.3MB

MD5
1c3e5710a8a719a06fb22ba683024e29

SHA1
bc746b8a433f57f30062bcd5ad3060f05303e5b5

SHA256
c66ed5ecd3806a190997f35196f5c43663311d5e831961d8253e959ad70b21ea

SHA512
7de89546d6a9f96fa85a277ac355d31f03a135e855ddb9a3013afc0df32c7fc89d8eebb86b4ffd781625ab8fe7b0e759d79c112ea8db139ea9d7412b3e294bbd

Download Submit
C:\Windows\System\tFnKFyZ.exe
Filesize
3.3MB

MD5
f8a55c9c84d8f7056f150a6b5975ed21

SHA1
1698a818e34f08a23db1398681bc34c19fe84d43

SHA256
3e6e2ec47c7546f8587cc6f7e2956c938e39d6bd94729b082989629149b1f224

SHA512
1d83cbe8ac0de800d6215189988bae68916f606c0b90ad4e04f129de7d89a562a7f8d1fcc2d80cf23cbf94ac759096e8869dbec3d3db98498e499b2bcdc644e6

Download Submit
C:\Windows\System\uwQlNPC.exe
Filesize
3.3MB

MD5
701600a333f2c484c1d1ebe24b5f1c1f

SHA1
f9c79ff618863b6fe56f3919d23e8022cd3e2d8d

SHA256
4dc1fd9e8d164b65f7541950a427ea0b471cfa408ffc4655856d159ff267de6c

SHA512
6ea6083df485c7427027a2b9da978d3ce5ec58ff9eb912dd847233d3ac017bb355fcae8e9aee3a9fc6a21625b75862f1074069afa3a95cedb131ef34b5aa5d8d

Download Submit
C:\Windows\System\zooexLY.exe
Filesize
3.3MB

MD5
ef27fe6581ff4626462b86219b0c77a6

SHA1
cb4478be087eae44c92ee16e6d934f571463ccb2

SHA256
164c9bf0d1defec82b79bf91a87cce6f8bea2a7ecee9f6c13f6b5c8ac6e39761

SHA512
59ec25456a86619ec228718c65fbaab8bc5cb731036f51b0b24c6079091104b4494ea48636cc8d25a5d55ec041e6402b44e183985ff37733197813ede04dfc9f

Download Submit
memory/880-396-0x00007FF673D30000-0x00007FF674126000-memory.dmp

Filesize
4.0MB

Download
memory/880-2233-0x00007FF673D30000-0x00007FF674126000-memory.dmp

Filesize
4.0MB

Download
memory/1020-2221-0x00007FF7444C0000-0x00007FF7448B6000-memory.dmp

Filesize
4.0MB

Download
memory/1020-62-0x00007FF7444C0000-0x00007FF7448B6000-memory.dmp

Filesize
4.0MB

Download
memory/1080-2214-0x00007FF68E3A0000-0x00007FF68E796000-memory.dmp

Filesize
4.0MB

Download
memory/1080-99-0x00007FF68E3A0000-0x00007FF68E796000-memory.dmp

Filesize
4.0MB

Download
memory/1080-2229-0x00007FF68E3A0000-0x00007FF68E796000-memory.dmp

Filesize
4.0MB

Download
memory/1124-98-0x00007FF69FD60000-0x00007FF6A0156000-memory.dmp

Filesize
4.0MB

Download
memory/1124-2227-0x00007FF69FD60000-0x00007FF6A0156000-memory.dmp

Filesize
4.0MB

Download
memory/1620-400-0x00007FF616F40000-0x00007FF617336000-memory.dmp

Filesize
4.0MB

Download
memory/1620-2222-0x00007FF616F40000-0x00007FF617336000-memory.dmp

Filesize
4.0MB

Download
memory/1620-63-0x00007FF616F40000-0x00007FF617336000-memory.dmp

Filesize
4.0MB

Download
memory/1624-2237-0x00007FF639080000-0x00007FF639476000-memory.dmp

Filesize
4.0MB

Download
memory/1624-397-0x00007FF639080000-0x00007FF639476000-memory.dmp

Filesize
4.0MB

Download
memory/1756-59-0x00007FF787A30000-0x00007FF787E26000-memory.dmp

Filesize
4.0MB

Download
memory/1756-2220-0x00007FF787A30000-0x00007FF787E26000-memory.dmp

Filesize
4.0MB

Download
memory/1768-398-0x00007FF66EC50000-0x00007FF66F046000-memory.dmp

Filesize
4.0MB

Download
memory/1768-2238-0x00007FF66EC50000-0x00007FF66F046000-memory.dmp

Filesize
4.0MB

Download
memory/2148-24-0x00007FFC549E0000-0x00007FFC554A1000-memory.dmp

Filesize
10.8MB

Download
memory/2148-17-0x00000221F0910000-0x00000221F0932000-memory.dmp

Filesize
136KB

Download
memory/2148-105-0x00007FFC549E0000-0x00007FFC554A1000-memory.dmp

Filesize
10.8MB

Download
memory/2148-86-0x00000221F1840000-0x00000221F1FE6000-memory.dmp

Filesize
7.6MB

Download
memory/2148-35-0x00007FFC549E0000-0x00007FFC554A1000-memory.dmp

Filesize
10.8MB

Download
memory/2148-112-0x00007FFC549E3000-0x00007FFC549E5000-memory.dmp

Filesize
8KB

Download
memory/2148-3-0x00007FFC549E3000-0x00007FFC549E5000-memory.dmp

Filesize
8KB

Download
memory/2164-2226-0x00007FF695C20000-0x00007FF696016000-memory.dmp

Filesize
4.0MB

Download
memory/2164-1453-0x00007FF695C20000-0x00007FF696016000-memory.dmp

Filesize
4.0MB

Download
memory/2164-87-0x00007FF695C20000-0x00007FF696016000-memory.dmp

Filesize
4.0MB

Download
memory/2316-2225-0x00007FF74C0B0000-0x00007FF74C4A6000-memory.dmp

Filesize
4.0MB

Download
memory/2316-90-0x00007FF74C0B0000-0x00007FF74C4A6000-memory.dmp

Filesize
4.0MB

Download
memory/2640-2236-0x00007FF744620000-0x00007FF744A16000-memory.dmp

Filesize
4.0MB

Download
memory/2640-399-0x00007FF744620000-0x00007FF744A16000-memory.dmp

Filesize
4.0MB

Download
memory/3104-48-0x00007FF6CF0A0000-0x00007FF6CF496000-memory.dmp

Filesize
4.0MB

Download
memory/3104-2215-0x00007FF6CF0A0000-0x00007FF6CF496000-memory.dmp

Filesize
4.0MB

Download
memory/3264-2228-0x00007FF64A8C0000-0x00007FF64ACB6000-memory.dmp

Filesize
4.0MB

Download
memory/3264-111-0x00007FF64A8C0000-0x00007FF64ACB6000-memory.dmp

Filesize
4.0MB

Download
memory/3508-2230-0x00007FF76AFB0000-0x00007FF76B3A6000-memory.dmp

Filesize
4.0MB

Download
memory/3508-391-0x00007FF76AFB0000-0x00007FF76B3A6000-memory.dmp

Filesize
4.0MB

Download
memory/3636-759-0x00007FF6E6F70000-0x00007FF6E7366000-memory.dmp

Filesize
4.0MB

Download
memory/3636-2223-0x00007FF6E6F70000-0x00007FF6E7366000-memory.dmp

Filesize
4.0MB

Download
memory/3636-72-0x00007FF6E6F70000-0x00007FF6E7366000-memory.dmp

Filesize
4.0MB

Download
memory/3812-394-0x00007FF7B48C0000-0x00007FF7B4CB6000-memory.dmp

Filesize
4.0MB

Download
memory/3812-2232-0x00007FF7B48C0000-0x00007FF7B4CB6000-memory.dmp

Filesize
4.0MB

Download
memory/3916-53-0x00007FF6E36A0000-0x00007FF6E3A96000-memory.dmp

Filesize
4.0MB

Download
memory/3916-2217-0x00007FF6E36A0000-0x00007FF6E3A96000-memory.dmp

Filesize
4.0MB

Download
memory/4252-40-0x00007FF777410000-0x00007FF777806000-memory.dmp

Filesize
4.0MB

Download
memory/4252-2216-0x00007FF777410000-0x00007FF777806000-memory.dmp

Filesize
4.0MB

Download
memory/4368-395-0x00007FF6E7610000-0x00007FF6E7A06000-memory.dmp

Filesize
4.0MB

Download
memory/4368-2231-0x00007FF6E7610000-0x00007FF6E7A06000-memory.dmp

Filesize
4.0MB

Download
memory/4448-2219-0x00007FF73FB90000-0x00007FF73FF86000-memory.dmp

Filesize
4.0MB

Download
memory/4448-55-0x00007FF73FB90000-0x00007FF73FF86000-memory.dmp

Filesize
4.0MB

Download
memory/4540-2235-0x00007FF648290000-0x00007FF648686000-memory.dmp

Filesize
4.0MB

Download
memory/4540-392-0x00007FF648290000-0x00007FF648686000-memory.dmp

Filesize
4.0MB

Download
memory/4880-104-0x00007FF7794C0000-0x00007FF7798B6000-memory.dmp

Filesize
4.0MB

Download
memory/4880-1-0x0000023E6ACA0000-0x0000023E6ACB0000-memory.dmp

Filesize
64KB

Download
memory/4880-0-0x00007FF7794C0000-0x00007FF7798B6000-memory.dmp

Filesize
4.0MB

Download
memory/4952-1449-0x00007FF734CA0000-0x00007FF735096000-memory.dmp

Filesize
4.0MB

Download
memory/4952-2224-0x00007FF734CA0000-0x00007FF735096000-memory.dmp

Filesize
4.0MB

Download
memory/4952-73-0x00007FF734CA0000-0x00007FF735096000-memory.dmp

Filesize
4.0MB

Download
memory/4964-393-0x00007FF67D930000-0x00007FF67DD26000-memory.dmp

Filesize
4.0MB

Download
memory/4964-2234-0x00007FF67D930000-0x00007FF67DD26000-memory.dmp

Filesize
4.0MB

Download
memory/5016-2218-0x00007FF658360000-0x00007FF658756000-memory.dmp

Filesize
4.0MB

Download
memory/5016-45-0x00007FF658360000-0x00007FF658756000-memory.dmp

Filesize
4.0MB

Download