xmrig | aa62a6cecba0c2f8eeb0f820c45a60d7d22aaf277f4578b4d0986db4b6461441

Analysis

max time kernel
106s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
Size

3.3MB
MD5

0122084e0f4eff7ef2d74600b2237560
SHA1

f45678d9f3a71371ba3081081812cbb9044ea76d
SHA256

aa62a6cecba0c2f8eeb0f820c45a60d7d22aaf277f4578b4d0986db4b6461441
SHA512

90ce77bec681f9be89cb9f6ca48d201eb756d39e56dd9210d680285324ded3a5f1c7c0402b3a42a26ac59c2e9a9b94249070afe288f51a0d72dff8cffb674d7b
SSDEEP

98304:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrW0:SbBeSFko

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4608-0-0x00007FF731230000-0x00007FF731626000-memory.dmp	xmrig
C:\Windows\System\fRWgqym.exe	xmrig
C:\Windows\System\yXqkGKn.exe	xmrig
C:\Windows\System\VsBjpOV.exe	xmrig
C:\Windows\System\IFcNBxl.exe	xmrig
C:\Windows\System\ETtNypO.exe	xmrig
C:\Windows\System\HGfBAbC.exe	xmrig
C:\Windows\System\ADPHdiI.exe	xmrig
C:\Windows\System\KsLSyxV.exe	xmrig
C:\Windows\System\MxAQycQ.exe	xmrig
C:\Windows\System\BAMuSig.exe	xmrig
C:\Windows\System\AzplIgg.exe	xmrig
C:\Windows\System\JGEJqDS.exe	xmrig
C:\Windows\System\VthmEsp.exe	xmrig
C:\Windows\System\tQesFUW.exe	xmrig
C:\Windows\System\WgWRebY.exe	xmrig
C:\Windows\System\Htethbx.exe	xmrig
C:\Windows\System\QSxlDCW.exe	xmrig
C:\Windows\System\RJDKDml.exe	xmrig
C:\Windows\System\GdMfhFb.exe	xmrig
C:\Windows\System\JsRtufI.exe	xmrig
C:\Windows\System\lusvstf.exe	xmrig
C:\Windows\System\ioIsLoe.exe	xmrig
C:\Windows\System\eDMTqVY.exe	xmrig
C:\Windows\System\NmsbbFt.exe	xmrig
C:\Windows\System\bjmtBeg.exe	xmrig
C:\Windows\System\Wrzbser.exe	xmrig
C:\Windows\System\cnzpWlz.exe	xmrig
C:\Windows\System\UuCEOkz.exe	xmrig
C:\Windows\System\ZIVPvsO.exe	xmrig
C:\Windows\System\vdjhUWf.exe	xmrig
C:\Windows\System\lhPokcs.exe	xmrig
behavioral2/memory/5076-64-0x00007FF648F70000-0x00007FF649366000-memory.dmp	xmrig
behavioral2/memory/1684-60-0x00007FF708130000-0x00007FF708526000-memory.dmp	xmrig
C:\Windows\System\gHPHaGt.exe	xmrig
C:\Windows\System\VjzNNHz.exe	xmrig
behavioral2/memory/2900-42-0x00007FF68B210000-0x00007FF68B606000-memory.dmp	xmrig
behavioral2/memory/3368-13-0x00007FF7791B0000-0x00007FF7795A6000-memory.dmp	xmrig
behavioral2/memory/2604-824-0x00007FF70DEA0000-0x00007FF70E296000-memory.dmp	xmrig
behavioral2/memory/1852-835-0x00007FF7714F0000-0x00007FF7718E6000-memory.dmp	xmrig
behavioral2/memory/1092-828-0x00007FF7F53C0000-0x00007FF7F57B6000-memory.dmp	xmrig
behavioral2/memory/4940-847-0x00007FF70DB40000-0x00007FF70DF36000-memory.dmp	xmrig
behavioral2/memory/2356-840-0x00007FF7CB850000-0x00007FF7CBC46000-memory.dmp	xmrig
behavioral2/memory/3872-860-0x00007FF7333E0000-0x00007FF7337D6000-memory.dmp	xmrig
behavioral2/memory/1604-868-0x00007FF7D28C0000-0x00007FF7D2CB6000-memory.dmp	xmrig
behavioral2/memory/4536-863-0x00007FF7D0450000-0x00007FF7D0846000-memory.dmp	xmrig
behavioral2/memory/4024-856-0x00007FF755F70000-0x00007FF756366000-memory.dmp	xmrig
behavioral2/memory/3104-852-0x00007FF70D980000-0x00007FF70DD76000-memory.dmp	xmrig
behavioral2/memory/2980-879-0x00007FF6E6800000-0x00007FF6E6BF6000-memory.dmp	xmrig
behavioral2/memory/3636-882-0x00007FF6B8440000-0x00007FF6B8836000-memory.dmp	xmrig
behavioral2/memory/2272-884-0x00007FF682040000-0x00007FF682436000-memory.dmp	xmrig
behavioral2/memory/2928-888-0x00007FF7C0B10000-0x00007FF7C0F06000-memory.dmp	xmrig
behavioral2/memory/1136-891-0x00007FF7B3BD0000-0x00007FF7B3FC6000-memory.dmp	xmrig
behavioral2/memory/4624-896-0x00007FF74F0B0000-0x00007FF74F4A6000-memory.dmp	xmrig
behavioral2/memory/624-900-0x00007FF642240000-0x00007FF642636000-memory.dmp	xmrig
behavioral2/memory/4152-912-0x00007FF7EDC50000-0x00007FF7EE046000-memory.dmp	xmrig
behavioral2/memory/1444-911-0x00007FF775210000-0x00007FF775606000-memory.dmp	xmrig
behavioral2/memory/4984-908-0x00007FF606440000-0x00007FF606836000-memory.dmp	xmrig
behavioral2/memory/2900-2121-0x00007FF68B210000-0x00007FF68B606000-memory.dmp	xmrig
behavioral2/memory/1684-2122-0x00007FF708130000-0x00007FF708526000-memory.dmp	xmrig
behavioral2/memory/3368-2125-0x00007FF7791B0000-0x00007FF7795A6000-memory.dmp	xmrig
behavioral2/memory/4624-2126-0x00007FF74F0B0000-0x00007FF74F4A6000-memory.dmp	xmrig
behavioral2/memory/624-2127-0x00007FF642240000-0x00007FF642636000-memory.dmp	xmrig
behavioral2/memory/4984-2129-0x00007FF606440000-0x00007FF606836000-memory.dmp	xmrig

Blocklisted process makes network request 8 IoCs

Processes:

powershell.exe

flow	pid	process
3	3344	powershell.exe
5	3344	powershell.exe
9	3344	powershell.exe
10	3344	powershell.exe
12	3344	powershell.exe
13	3344	powershell.exe
15	3344	powershell.exe
18	3344	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3344 powershell.exe

pid	process
3344	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

fRWgqym.exeVsBjpOV.exeyXqkGKn.exeIFcNBxl.exeETtNypO.exeVjzNNHz.exeHGfBAbC.exegHPHaGt.exeADPHdiI.exeKsLSyxV.exeMxAQycQ.exelhPokcs.exevdjhUWf.exeBAMuSig.exeAzplIgg.exeZIVPvsO.exeJGEJqDS.exeUuCEOkz.exeVthmEsp.execnzpWlz.exeWrzbser.exetQesFUW.exebjmtBeg.exeNmsbbFt.exeeDMTqVY.exeWgWRebY.exeioIsLoe.exelusvstf.exeJsRtufI.exeGdMfhFb.exeQSxlDCW.exeRJDKDml.exeHtethbx.exeSsYCQMP.exeVpEshHB.exeFjHbdOM.exekGTmYva.exevyHFgaz.exeJDDrsFj.exefUbLVCG.exesLsSGkV.exekhduSFv.exehhofSUx.exeSTdZSzo.exePjUmGvM.exeWuMkCcG.exeLsntrcK.exeaRgMZFm.exeknPasMM.exeDvJobMu.exerwxjuka.exeBllxlfL.exexLYuPIZ.exezaMpovC.exeIVWSwSN.exeuspAHMr.execOdMAbw.exeVluCqlZ.exeEteFozF.exeQhrCzMB.execOyaWbe.exebUKgsRi.exeHoqZINb.exehzKNWKR.exe

pid	process
3368	fRWgqym.exe
4624	VsBjpOV.exe
624	yXqkGKn.exe
2900	IFcNBxl.exe
4984	ETtNypO.exe
1684	VjzNNHz.exe
1444	HGfBAbC.exe
5076	gHPHaGt.exe
4152	ADPHdiI.exe
2604	KsLSyxV.exe
1092	MxAQycQ.exe
1852	lhPokcs.exe
2356	vdjhUWf.exe
4940	BAMuSig.exe
3104	AzplIgg.exe
4024	ZIVPvsO.exe
3872	JGEJqDS.exe
4536	UuCEOkz.exe
1604	VthmEsp.exe
2980	cnzpWlz.exe
3636	Wrzbser.exe
2272	tQesFUW.exe
2928	bjmtBeg.exe
1136	NmsbbFt.exe
5044	eDMTqVY.exe
3256	WgWRebY.exe
4520	ioIsLoe.exe
4064	lusvstf.exe
4372	JsRtufI.exe
4808	GdMfhFb.exe
3120	QSxlDCW.exe
2220	RJDKDml.exe
1968	Htethbx.exe
1488	SsYCQMP.exe
3584	VpEshHB.exe
920	FjHbdOM.exe
552	kGTmYva.exe
3340	vyHFgaz.exe
4244	JDDrsFj.exe
3016	fUbLVCG.exe
640	sLsSGkV.exe
4668	khduSFv.exe
1712	hhofSUx.exe
1484	STdZSzo.exe
4352	PjUmGvM.exe
1620	WuMkCcG.exe
1788	LsntrcK.exe
5008	aRgMZFm.exe
936	knPasMM.exe
4452	DvJobMu.exe
1808	rwxjuka.exe
1020	BllxlfL.exe
4628	xLYuPIZ.exe
1588	zaMpovC.exe
3520	IVWSwSN.exe
224	uspAHMr.exe
1240	cOdMAbw.exe
4076	VluCqlZ.exe
4388	EteFozF.exe
228	QhrCzMB.exe
2392	cOyaWbe.exe
2820	bUKgsRi.exe
3180	HoqZINb.exe
3972	hzKNWKR.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4608-0-0x00007FF731230000-0x00007FF731626000-memory.dmp	upx
C:\Windows\System\fRWgqym.exe	upx
C:\Windows\System\yXqkGKn.exe	upx
C:\Windows\System\VsBjpOV.exe	upx
C:\Windows\System\IFcNBxl.exe	upx
C:\Windows\System\ETtNypO.exe	upx
C:\Windows\System\HGfBAbC.exe	upx
C:\Windows\System\ADPHdiI.exe	upx
C:\Windows\System\KsLSyxV.exe	upx
C:\Windows\System\MxAQycQ.exe	upx
C:\Windows\System\BAMuSig.exe	upx
C:\Windows\System\AzplIgg.exe	upx
C:\Windows\System\JGEJqDS.exe	upx
C:\Windows\System\VthmEsp.exe	upx
C:\Windows\System\tQesFUW.exe	upx
C:\Windows\System\WgWRebY.exe	upx
C:\Windows\System\Htethbx.exe	upx
C:\Windows\System\QSxlDCW.exe	upx
C:\Windows\System\RJDKDml.exe	upx
C:\Windows\System\GdMfhFb.exe	upx
C:\Windows\System\JsRtufI.exe	upx
C:\Windows\System\lusvstf.exe	upx
C:\Windows\System\ioIsLoe.exe	upx
C:\Windows\System\eDMTqVY.exe	upx
C:\Windows\System\NmsbbFt.exe	upx
C:\Windows\System\bjmtBeg.exe	upx
C:\Windows\System\Wrzbser.exe	upx
C:\Windows\System\cnzpWlz.exe	upx
C:\Windows\System\UuCEOkz.exe	upx
C:\Windows\System\ZIVPvsO.exe	upx
C:\Windows\System\vdjhUWf.exe	upx
C:\Windows\System\lhPokcs.exe	upx
behavioral2/memory/5076-64-0x00007FF648F70000-0x00007FF649366000-memory.dmp	upx
behavioral2/memory/1684-60-0x00007FF708130000-0x00007FF708526000-memory.dmp	upx
C:\Windows\System\gHPHaGt.exe	upx
C:\Windows\System\VjzNNHz.exe	upx
behavioral2/memory/2900-42-0x00007FF68B210000-0x00007FF68B606000-memory.dmp	upx
behavioral2/memory/3368-13-0x00007FF7791B0000-0x00007FF7795A6000-memory.dmp	upx
behavioral2/memory/2604-824-0x00007FF70DEA0000-0x00007FF70E296000-memory.dmp	upx
behavioral2/memory/1852-835-0x00007FF7714F0000-0x00007FF7718E6000-memory.dmp	upx
behavioral2/memory/1092-828-0x00007FF7F53C0000-0x00007FF7F57B6000-memory.dmp	upx
behavioral2/memory/4940-847-0x00007FF70DB40000-0x00007FF70DF36000-memory.dmp	upx
behavioral2/memory/2356-840-0x00007FF7CB850000-0x00007FF7CBC46000-memory.dmp	upx
behavioral2/memory/3872-860-0x00007FF7333E0000-0x00007FF7337D6000-memory.dmp	upx
behavioral2/memory/1604-868-0x00007FF7D28C0000-0x00007FF7D2CB6000-memory.dmp	upx
behavioral2/memory/4536-863-0x00007FF7D0450000-0x00007FF7D0846000-memory.dmp	upx
behavioral2/memory/4024-856-0x00007FF755F70000-0x00007FF756366000-memory.dmp	upx
behavioral2/memory/3104-852-0x00007FF70D980000-0x00007FF70DD76000-memory.dmp	upx
behavioral2/memory/2980-879-0x00007FF6E6800000-0x00007FF6E6BF6000-memory.dmp	upx
behavioral2/memory/3636-882-0x00007FF6B8440000-0x00007FF6B8836000-memory.dmp	upx
behavioral2/memory/2272-884-0x00007FF682040000-0x00007FF682436000-memory.dmp	upx
behavioral2/memory/2928-888-0x00007FF7C0B10000-0x00007FF7C0F06000-memory.dmp	upx
behavioral2/memory/1136-891-0x00007FF7B3BD0000-0x00007FF7B3FC6000-memory.dmp	upx
behavioral2/memory/4624-896-0x00007FF74F0B0000-0x00007FF74F4A6000-memory.dmp	upx
behavioral2/memory/624-900-0x00007FF642240000-0x00007FF642636000-memory.dmp	upx
behavioral2/memory/4152-912-0x00007FF7EDC50000-0x00007FF7EE046000-memory.dmp	upx
behavioral2/memory/1444-911-0x00007FF775210000-0x00007FF775606000-memory.dmp	upx
behavioral2/memory/4984-908-0x00007FF606440000-0x00007FF606836000-memory.dmp	upx
behavioral2/memory/2900-2121-0x00007FF68B210000-0x00007FF68B606000-memory.dmp	upx
behavioral2/memory/1684-2122-0x00007FF708130000-0x00007FF708526000-memory.dmp	upx
behavioral2/memory/3368-2125-0x00007FF7791B0000-0x00007FF7795A6000-memory.dmp	upx
behavioral2/memory/4624-2126-0x00007FF74F0B0000-0x00007FF74F4A6000-memory.dmp	upx
behavioral2/memory/624-2127-0x00007FF642240000-0x00007FF642636000-memory.dmp	upx
behavioral2/memory/4984-2129-0x00007FF606440000-0x00007FF606836000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
3 raw.githubusercontent.com

flow	ioc
2	raw.githubusercontent.com
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

Processes:

0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\LyASAup.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\EHEFMhR.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\soZXQst.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\zMaDfxy.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\cRWBvPq.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\nxpUKiV.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\FjtbGWE.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\nIAuvGf.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\buclcph.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\BYAUwFn.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\xVpHAdz.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\YHfvcJb.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\yQeKJpp.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\yGgyXUQ.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\tVLzWCH.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\PkTLXpG.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\LufUhBQ.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\HQgpRgT.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\ayljOgl.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\bTzRtHp.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\nwhNEHg.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\mJKBUxz.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\zeSceof.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\gorYveI.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\BBuJuzr.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\PckzDnC.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\bmPaBjm.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\NTOgdnx.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\oxMVMOR.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\rQtMosh.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\fvPHKEX.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\vAoHOKa.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\nkxvVDf.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\DYUGbNA.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\kTWvKmj.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\nEoAvGc.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\XyFBetG.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\hijRWXe.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\cJXuVFY.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\biRbHSW.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\NqagkaJ.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\QVspJir.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\ltyZlXz.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\txfcmHd.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\nvEAmBr.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\OrSPTux.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\eDMTqVY.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\xEHwLsl.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\WzXsqnl.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\bFaFTyt.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\WaNcKUY.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\CFVeMPu.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\BshoQjs.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\IOuYNSE.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\JCMWUzw.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\JemSdwb.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\QhrCzMB.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\ddDkuWJ.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\LlCdbyc.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\DCRIUvi.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\LlWvCyI.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\rMvAGSp.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\mFzpxEY.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
File created	C:\Windows\System\hkszDRd.exe	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

3344 powershell.exe
3344 powershell.exe

pid	process
3344	powershell.exe
3344	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exepowershell.exedwm.exe

description	pid	process
Token: SeLockMemoryPrivilege	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
Token: SeDebugPrivilege	3344	powershell.exe
Token: SeCreateGlobalPrivilege	13272	dwm.exe
Token: SeChangeNotifyPrivilege	13272	dwm.exe
Token: 33	13272	dwm.exe
Token: SeIncBasePriorityPrivilege	13272	dwm.exe
Token: SeShutdownPrivilege	13272	dwm.exe
Token: SeCreatePagefilePrivilege	13272	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe

description	pid	process	target process
PID 4608 wrote to memory of 3344	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	powershell.exe
PID 4608 wrote to memory of 3344	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	powershell.exe
PID 4608 wrote to memory of 3368	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	fRWgqym.exe
PID 4608 wrote to memory of 3368	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	fRWgqym.exe
PID 4608 wrote to memory of 4624	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	VsBjpOV.exe
PID 4608 wrote to memory of 4624	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	VsBjpOV.exe
PID 4608 wrote to memory of 624	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	yXqkGKn.exe
PID 4608 wrote to memory of 624	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	yXqkGKn.exe
PID 4608 wrote to memory of 2900	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	IFcNBxl.exe
PID 4608 wrote to memory of 2900	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	IFcNBxl.exe
PID 4608 wrote to memory of 4984	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	ETtNypO.exe
PID 4608 wrote to memory of 4984	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	ETtNypO.exe
PID 4608 wrote to memory of 1684	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	VjzNNHz.exe
PID 4608 wrote to memory of 1684	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	VjzNNHz.exe
PID 4608 wrote to memory of 1444	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	HGfBAbC.exe
PID 4608 wrote to memory of 1444	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	HGfBAbC.exe
PID 4608 wrote to memory of 5076	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	gHPHaGt.exe
PID 4608 wrote to memory of 5076	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	gHPHaGt.exe
PID 4608 wrote to memory of 4152	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	ADPHdiI.exe
PID 4608 wrote to memory of 4152	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	ADPHdiI.exe
PID 4608 wrote to memory of 2604	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	KsLSyxV.exe
PID 4608 wrote to memory of 2604	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	KsLSyxV.exe
PID 4608 wrote to memory of 1092	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	MxAQycQ.exe
PID 4608 wrote to memory of 1092	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	MxAQycQ.exe
PID 4608 wrote to memory of 1852	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	lhPokcs.exe
PID 4608 wrote to memory of 1852	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	lhPokcs.exe
PID 4608 wrote to memory of 2356	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	vdjhUWf.exe
PID 4608 wrote to memory of 2356	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	vdjhUWf.exe
PID 4608 wrote to memory of 4940	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	BAMuSig.exe
PID 4608 wrote to memory of 4940	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	BAMuSig.exe
PID 4608 wrote to memory of 3104	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	AzplIgg.exe
PID 4608 wrote to memory of 3104	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	AzplIgg.exe
PID 4608 wrote to memory of 4024	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	ZIVPvsO.exe
PID 4608 wrote to memory of 4024	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	ZIVPvsO.exe
PID 4608 wrote to memory of 3872	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	JGEJqDS.exe
PID 4608 wrote to memory of 3872	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	JGEJqDS.exe
PID 4608 wrote to memory of 4536	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	UuCEOkz.exe
PID 4608 wrote to memory of 4536	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	UuCEOkz.exe
PID 4608 wrote to memory of 1604	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	VthmEsp.exe
PID 4608 wrote to memory of 1604	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	VthmEsp.exe
PID 4608 wrote to memory of 2980	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	cnzpWlz.exe
PID 4608 wrote to memory of 2980	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	cnzpWlz.exe
PID 4608 wrote to memory of 3636	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	Wrzbser.exe
PID 4608 wrote to memory of 3636	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	Wrzbser.exe
PID 4608 wrote to memory of 2272	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	tQesFUW.exe
PID 4608 wrote to memory of 2272	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	tQesFUW.exe
PID 4608 wrote to memory of 2928	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	bjmtBeg.exe
PID 4608 wrote to memory of 2928	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	bjmtBeg.exe
PID 4608 wrote to memory of 1136	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	NmsbbFt.exe
PID 4608 wrote to memory of 1136	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	NmsbbFt.exe
PID 4608 wrote to memory of 5044	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	eDMTqVY.exe
PID 4608 wrote to memory of 5044	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	eDMTqVY.exe
PID 4608 wrote to memory of 3256	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	WgWRebY.exe
PID 4608 wrote to memory of 3256	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	WgWRebY.exe
PID 4608 wrote to memory of 4520	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	ioIsLoe.exe
PID 4608 wrote to memory of 4520	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	ioIsLoe.exe
PID 4608 wrote to memory of 4064	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	lusvstf.exe
PID 4608 wrote to memory of 4064	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	lusvstf.exe
PID 4608 wrote to memory of 4372	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	JsRtufI.exe
PID 4608 wrote to memory of 4372	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	JsRtufI.exe
PID 4608 wrote to memory of 4808	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	GdMfhFb.exe
PID 4608 wrote to memory of 4808	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	GdMfhFb.exe
PID 4608 wrote to memory of 3120	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	QSxlDCW.exe
PID 4608 wrote to memory of 3120	4608	0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe	QSxlDCW.exe

C:\Users\Admin\AppData\Local\Temp\0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0122084e0f4eff7ef2d74600b2237560_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\System\fRWgqym.exe
C:\Windows\System\fRWgqym.exe
2⤵
- Executes dropped EXE
PID:3368

C:\Windows\System\VsBjpOV.exe
C:\Windows\System\VsBjpOV.exe
2⤵
- Executes dropped EXE
PID:4624

C:\Windows\System\yXqkGKn.exe
C:\Windows\System\yXqkGKn.exe
2⤵
- Executes dropped EXE
PID:624

C:\Windows\System\IFcNBxl.exe
C:\Windows\System\IFcNBxl.exe
2⤵
- Executes dropped EXE
PID:2900

C:\Windows\System\ETtNypO.exe
C:\Windows\System\ETtNypO.exe
2⤵
- Executes dropped EXE
PID:4984

C:\Windows\System\VjzNNHz.exe
C:\Windows\System\VjzNNHz.exe
2⤵
- Executes dropped EXE
PID:1684

C:\Windows\System\HGfBAbC.exe
C:\Windows\System\HGfBAbC.exe
2⤵
- Executes dropped EXE
PID:1444

C:\Windows\System\gHPHaGt.exe
C:\Windows\System\gHPHaGt.exe
2⤵
- Executes dropped EXE
PID:5076

C:\Windows\System\ADPHdiI.exe
C:\Windows\System\ADPHdiI.exe
2⤵
- Executes dropped EXE
PID:4152

C:\Windows\System\KsLSyxV.exe
C:\Windows\System\KsLSyxV.exe
2⤵
- Executes dropped EXE
PID:2604

C:\Windows\System\MxAQycQ.exe
C:\Windows\System\MxAQycQ.exe
2⤵
- Executes dropped EXE
PID:1092

C:\Windows\System\lhPokcs.exe
C:\Windows\System\lhPokcs.exe
2⤵
- Executes dropped EXE
PID:1852

C:\Windows\System\vdjhUWf.exe
C:\Windows\System\vdjhUWf.exe
2⤵
- Executes dropped EXE
PID:2356

C:\Windows\System\BAMuSig.exe
C:\Windows\System\BAMuSig.exe
2⤵
- Executes dropped EXE
PID:4940

C:\Windows\System\AzplIgg.exe
C:\Windows\System\AzplIgg.exe
2⤵
- Executes dropped EXE
PID:3104

C:\Windows\System\ZIVPvsO.exe
C:\Windows\System\ZIVPvsO.exe
2⤵
- Executes dropped EXE
PID:4024

C:\Windows\System\JGEJqDS.exe
C:\Windows\System\JGEJqDS.exe
2⤵
- Executes dropped EXE
PID:3872

C:\Windows\System\UuCEOkz.exe
C:\Windows\System\UuCEOkz.exe
2⤵
- Executes dropped EXE
PID:4536

C:\Windows\System\VthmEsp.exe
C:\Windows\System\VthmEsp.exe
2⤵
- Executes dropped EXE
PID:1604

C:\Windows\System\cnzpWlz.exe
C:\Windows\System\cnzpWlz.exe
2⤵
- Executes dropped EXE
PID:2980

C:\Windows\System\Wrzbser.exe
C:\Windows\System\Wrzbser.exe
2⤵
- Executes dropped EXE
PID:3636

C:\Windows\System\tQesFUW.exe
C:\Windows\System\tQesFUW.exe
2⤵
- Executes dropped EXE
PID:2272

C:\Windows\System\bjmtBeg.exe
C:\Windows\System\bjmtBeg.exe
2⤵
- Executes dropped EXE
PID:2928

C:\Windows\System\NmsbbFt.exe
C:\Windows\System\NmsbbFt.exe
2⤵
- Executes dropped EXE
PID:1136

C:\Windows\System\eDMTqVY.exe
C:\Windows\System\eDMTqVY.exe
2⤵
- Executes dropped EXE
PID:5044

C:\Windows\System\WgWRebY.exe
C:\Windows\System\WgWRebY.exe
2⤵
- Executes dropped EXE
PID:3256

C:\Windows\System\ioIsLoe.exe
C:\Windows\System\ioIsLoe.exe
2⤵
- Executes dropped EXE
PID:4520

C:\Windows\System\lusvstf.exe
C:\Windows\System\lusvstf.exe
2⤵
- Executes dropped EXE
PID:4064

C:\Windows\System\JsRtufI.exe
C:\Windows\System\JsRtufI.exe
2⤵
- Executes dropped EXE
PID:4372

C:\Windows\System\GdMfhFb.exe
C:\Windows\System\GdMfhFb.exe
2⤵
- Executes dropped EXE
PID:4808

C:\Windows\System\QSxlDCW.exe
C:\Windows\System\QSxlDCW.exe
2⤵
- Executes dropped EXE
PID:3120

C:\Windows\System\RJDKDml.exe
C:\Windows\System\RJDKDml.exe
2⤵
- Executes dropped EXE
PID:2220

C:\Windows\System\Htethbx.exe
C:\Windows\System\Htethbx.exe
2⤵
- Executes dropped EXE
PID:1968

C:\Windows\System\SsYCQMP.exe
C:\Windows\System\SsYCQMP.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\System\VpEshHB.exe
C:\Windows\System\VpEshHB.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Windows\System\FjHbdOM.exe
C:\Windows\System\FjHbdOM.exe
2⤵
- Executes dropped EXE
PID:920

C:\Windows\System\kGTmYva.exe
C:\Windows\System\kGTmYva.exe
2⤵
- Executes dropped EXE
PID:552

C:\Windows\System\vyHFgaz.exe
C:\Windows\System\vyHFgaz.exe
2⤵
- Executes dropped EXE
PID:3340

C:\Windows\System\JDDrsFj.exe
C:\Windows\System\JDDrsFj.exe
2⤵
- Executes dropped EXE
PID:4244

C:\Windows\System\fUbLVCG.exe
C:\Windows\System\fUbLVCG.exe
2⤵
- Executes dropped EXE
PID:3016

C:\Windows\System\sLsSGkV.exe
C:\Windows\System\sLsSGkV.exe
2⤵
- Executes dropped EXE
PID:640

C:\Windows\System\khduSFv.exe
C:\Windows\System\khduSFv.exe
2⤵
- Executes dropped EXE
PID:4668

C:\Windows\System\hhofSUx.exe
C:\Windows\System\hhofSUx.exe
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\System\STdZSzo.exe
C:\Windows\System\STdZSzo.exe
2⤵
- Executes dropped EXE
PID:1484

C:\Windows\System\PjUmGvM.exe
C:\Windows\System\PjUmGvM.exe
2⤵
- Executes dropped EXE
PID:4352

C:\Windows\System\WuMkCcG.exe
C:\Windows\System\WuMkCcG.exe
2⤵
- Executes dropped EXE
PID:1620

C:\Windows\System\LsntrcK.exe
C:\Windows\System\LsntrcK.exe
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\System\aRgMZFm.exe
C:\Windows\System\aRgMZFm.exe
2⤵
- Executes dropped EXE
PID:5008

C:\Windows\System\knPasMM.exe
C:\Windows\System\knPasMM.exe
2⤵
- Executes dropped EXE
PID:936

C:\Windows\System\DvJobMu.exe
C:\Windows\System\DvJobMu.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Windows\System\rwxjuka.exe
C:\Windows\System\rwxjuka.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\BllxlfL.exe
C:\Windows\System\BllxlfL.exe
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\System\xLYuPIZ.exe
C:\Windows\System\xLYuPIZ.exe
2⤵
- Executes dropped EXE
PID:4628

C:\Windows\System\zaMpovC.exe
C:\Windows\System\zaMpovC.exe
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\System\IVWSwSN.exe
C:\Windows\System\IVWSwSN.exe
2⤵
- Executes dropped EXE
PID:3520

C:\Windows\System\uspAHMr.exe
C:\Windows\System\uspAHMr.exe
2⤵
- Executes dropped EXE
PID:224

C:\Windows\System\cOdMAbw.exe
C:\Windows\System\cOdMAbw.exe
2⤵
- Executes dropped EXE
PID:1240

C:\Windows\System\VluCqlZ.exe
C:\Windows\System\VluCqlZ.exe
2⤵
- Executes dropped EXE
PID:4076

C:\Windows\System\EteFozF.exe
C:\Windows\System\EteFozF.exe
2⤵
- Executes dropped EXE
PID:4388

C:\Windows\System\QhrCzMB.exe
C:\Windows\System\QhrCzMB.exe
2⤵
- Executes dropped EXE
PID:228

C:\Windows\System\cOyaWbe.exe
C:\Windows\System\cOyaWbe.exe
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\System\bUKgsRi.exe
C:\Windows\System\bUKgsRi.exe
2⤵
- Executes dropped EXE
PID:2820

C:\Windows\System\HoqZINb.exe
C:\Windows\System\HoqZINb.exe
2⤵
- Executes dropped EXE
PID:3180

C:\Windows\System\hzKNWKR.exe
C:\Windows\System\hzKNWKR.exe
2⤵
- Executes dropped EXE
PID:3972

C:\Windows\System\fJMDfmc.exe
C:\Windows\System\fJMDfmc.exe
2⤵
PID:4484

C:\Windows\System\JBLgQPY.exe
C:\Windows\System\JBLgQPY.exe
2⤵
PID:2024

C:\Windows\System\SYTWpiS.exe
C:\Windows\System\SYTWpiS.exe
2⤵
PID:4336

C:\Windows\System\uWcYfkH.exe
C:\Windows\System\uWcYfkH.exe
2⤵
PID:4908

C:\Windows\System\yBAolph.exe
C:\Windows\System\yBAolph.exe
2⤵
PID:2132

C:\Windows\System\FTtYCjN.exe
C:\Windows\System\FTtYCjN.exe
2⤵
PID:2440

C:\Windows\System\pIMilKQ.exe
C:\Windows\System\pIMilKQ.exe
2⤵
PID:2564

C:\Windows\System\JNDYXKz.exe
C:\Windows\System\JNDYXKz.exe
2⤵
PID:3480

C:\Windows\System\UafZJMY.exe
C:\Windows\System\UafZJMY.exe
2⤵
PID:5028

C:\Windows\System\tfRdLHs.exe
C:\Windows\System\tfRdLHs.exe
2⤵
PID:1804

C:\Windows\System\GFDLyBn.exe
C:\Windows\System\GFDLyBn.exe
2⤵
PID:5140

C:\Windows\System\aMvItmg.exe
C:\Windows\System\aMvItmg.exe
2⤵
PID:5168

C:\Windows\System\qhOxgLA.exe
C:\Windows\System\qhOxgLA.exe
2⤵
PID:5196

C:\Windows\System\YDComsr.exe
C:\Windows\System\YDComsr.exe
2⤵
PID:5224

C:\Windows\System\oLacXGC.exe
C:\Windows\System\oLacXGC.exe
2⤵
PID:5252

C:\Windows\System\jIBUggm.exe
C:\Windows\System\jIBUggm.exe
2⤵
PID:5280

C:\Windows\System\KHqGmBN.exe
C:\Windows\System\KHqGmBN.exe
2⤵
PID:5308

C:\Windows\System\rGKlXIy.exe
C:\Windows\System\rGKlXIy.exe
2⤵
PID:5332

C:\Windows\System\ZfuZqQj.exe
C:\Windows\System\ZfuZqQj.exe
2⤵
PID:5364

C:\Windows\System\IALtlEB.exe
C:\Windows\System\IALtlEB.exe
2⤵
PID:5392

C:\Windows\System\qKSAsoi.exe
C:\Windows\System\qKSAsoi.exe
2⤵
PID:5420

C:\Windows\System\uKvyOKd.exe
C:\Windows\System\uKvyOKd.exe
2⤵
PID:5452

C:\Windows\System\WgMGqoE.exe
C:\Windows\System\WgMGqoE.exe
2⤵
PID:5488

C:\Windows\System\WnefNIE.exe
C:\Windows\System\WnefNIE.exe
2⤵
PID:5516

C:\Windows\System\wJwVXJL.exe
C:\Windows\System\wJwVXJL.exe
2⤵
PID:5544

C:\Windows\System\VCWYaEY.exe
C:\Windows\System\VCWYaEY.exe
2⤵
PID:5572

C:\Windows\System\NvmJesx.exe
C:\Windows\System\NvmJesx.exe
2⤵
PID:5600

C:\Windows\System\nTlfiix.exe
C:\Windows\System\nTlfiix.exe
2⤵
PID:5628

C:\Windows\System\oiCcszN.exe
C:\Windows\System\oiCcszN.exe
2⤵
PID:5656

C:\Windows\System\jjmhNlw.exe
C:\Windows\System\jjmhNlw.exe
2⤵
PID:5684

C:\Windows\System\hrxTxqx.exe
C:\Windows\System\hrxTxqx.exe
2⤵
PID:5712

C:\Windows\System\WCspwXY.exe
C:\Windows\System\WCspwXY.exe
2⤵
PID:5740

C:\Windows\System\qZlLnNg.exe
C:\Windows\System\qZlLnNg.exe
2⤵
PID:5768

C:\Windows\System\aEDJAJc.exe
C:\Windows\System\aEDJAJc.exe
2⤵
PID:5796

C:\Windows\System\plPWJGD.exe
C:\Windows\System\plPWJGD.exe
2⤵
PID:5824

C:\Windows\System\ieTeLjL.exe
C:\Windows\System\ieTeLjL.exe
2⤵
PID:5852

C:\Windows\System\sFYgiJm.exe
C:\Windows\System\sFYgiJm.exe
2⤵
PID:5880

C:\Windows\System\bwdoCBS.exe
C:\Windows\System\bwdoCBS.exe
2⤵
PID:5908

C:\Windows\System\MwTyYrz.exe
C:\Windows\System\MwTyYrz.exe
2⤵
PID:5936

C:\Windows\System\AdtpraC.exe
C:\Windows\System\AdtpraC.exe
2⤵
PID:5964

C:\Windows\System\NxKDpSJ.exe
C:\Windows\System\NxKDpSJ.exe
2⤵
PID:5992

C:\Windows\System\KkNXrEZ.exe
C:\Windows\System\KkNXrEZ.exe
2⤵
PID:6020

C:\Windows\System\BdamSGc.exe
C:\Windows\System\BdamSGc.exe
2⤵
PID:6048

C:\Windows\System\YEzkdCk.exe
C:\Windows\System\YEzkdCk.exe
2⤵
PID:6076

C:\Windows\System\HVZjksE.exe
C:\Windows\System\HVZjksE.exe
2⤵
PID:6104

C:\Windows\System\PVMoxOl.exe
C:\Windows\System\PVMoxOl.exe
2⤵
PID:6132

C:\Windows\System\CtVUHsx.exe
C:\Windows\System\CtVUHsx.exe
2⤵
PID:2348

C:\Windows\System\vdcoZeW.exe
C:\Windows\System\vdcoZeW.exe
2⤵
PID:5116

C:\Windows\System\tCJvRch.exe
C:\Windows\System\tCJvRch.exe
2⤵
PID:940

C:\Windows\System\fJOSFcb.exe
C:\Windows\System\fJOSFcb.exe
2⤵
PID:4848

C:\Windows\System\wwXjirp.exe
C:\Windows\System\wwXjirp.exe
2⤵
PID:4912

C:\Windows\System\tfpdpom.exe
C:\Windows\System\tfpdpom.exe
2⤵
PID:5156

C:\Windows\System\vDGGrbr.exe
C:\Windows\System\vDGGrbr.exe
2⤵
PID:5216

C:\Windows\System\vRRvlsf.exe
C:\Windows\System\vRRvlsf.exe
2⤵
PID:5292

C:\Windows\System\hhuxgUA.exe
C:\Windows\System\hhuxgUA.exe
2⤵
PID:5348

C:\Windows\System\jDINrWw.exe
C:\Windows\System\jDINrWw.exe
2⤵
PID:5412

C:\Windows\System\zjvAvoi.exe
C:\Windows\System\zjvAvoi.exe
2⤵
PID:5476

C:\Windows\System\fcFnWYl.exe
C:\Windows\System\fcFnWYl.exe
2⤵
PID:5536

C:\Windows\System\xEHwLsl.exe
C:\Windows\System\xEHwLsl.exe
2⤵
PID:5612

C:\Windows\System\EqJIXOT.exe
C:\Windows\System\EqJIXOT.exe
2⤵
PID:5672

C:\Windows\System\UyseVuK.exe
C:\Windows\System\UyseVuK.exe
2⤵
PID:5736

C:\Windows\System\mZDcLOn.exe
C:\Windows\System\mZDcLOn.exe
2⤵
PID:5808

C:\Windows\System\PvCbToA.exe
C:\Windows\System\PvCbToA.exe
2⤵
PID:5868

C:\Windows\System\kYaTfZU.exe
C:\Windows\System\kYaTfZU.exe
2⤵
PID:5928

C:\Windows\System\BnPBxqc.exe
C:\Windows\System\BnPBxqc.exe
2⤵
PID:6004

C:\Windows\System\uMUIOnX.exe
C:\Windows\System\uMUIOnX.exe
2⤵
PID:6064

C:\Windows\System\umDVSzu.exe
C:\Windows\System\umDVSzu.exe
2⤵
PID:6124

C:\Windows\System\iKLyGMA.exe
C:\Windows\System\iKLyGMA.exe
2⤵
PID:4340

C:\Windows\System\MkwpQYA.exe
C:\Windows\System\MkwpQYA.exe
2⤵
PID:876

C:\Windows\System\lCDHlkh.exe
C:\Windows\System\lCDHlkh.exe
2⤵
PID:5208

C:\Windows\System\lpSngpH.exe
C:\Windows\System\lpSngpH.exe
2⤵
PID:5380

C:\Windows\System\kElfSRG.exe
C:\Windows\System\kElfSRG.exe
2⤵
PID:5508

C:\Windows\System\fnvErKj.exe
C:\Windows\System\fnvErKj.exe
2⤵
PID:5648

C:\Windows\System\KIIIUPD.exe
C:\Windows\System\KIIIUPD.exe
2⤵
PID:5784

C:\Windows\System\eqpVewS.exe
C:\Windows\System\eqpVewS.exe
2⤵
PID:2892

C:\Windows\System\qlvFntz.exe
C:\Windows\System\qlvFntz.exe
2⤵
PID:6092

C:\Windows\System\PiIXkuO.exe
C:\Windows\System\PiIXkuO.exe
2⤵
PID:6164

C:\Windows\System\bRdqbGQ.exe
C:\Windows\System\bRdqbGQ.exe
2⤵
PID:6192

C:\Windows\System\fVbHvxu.exe
C:\Windows\System\fVbHvxu.exe
2⤵
PID:6220

C:\Windows\System\aQQnwPW.exe
C:\Windows\System\aQQnwPW.exe
2⤵
PID:6248

C:\Windows\System\dnAfoTX.exe
C:\Windows\System\dnAfoTX.exe
2⤵
PID:6276

C:\Windows\System\TjdUCHV.exe
C:\Windows\System\TjdUCHV.exe
2⤵
PID:6304

C:\Windows\System\HkmmcCM.exe
C:\Windows\System\HkmmcCM.exe
2⤵
PID:6332

C:\Windows\System\bEQlagJ.exe
C:\Windows\System\bEQlagJ.exe
2⤵
PID:6360

C:\Windows\System\rZjDfRw.exe
C:\Windows\System\rZjDfRw.exe
2⤵
PID:6388

C:\Windows\System\Ovooomz.exe
C:\Windows\System\Ovooomz.exe
2⤵
PID:6416

C:\Windows\System\UDarFmK.exe
C:\Windows\System\UDarFmK.exe
2⤵
PID:6444

C:\Windows\System\XoCxema.exe
C:\Windows\System\XoCxema.exe
2⤵
PID:6472

C:\Windows\System\VZgchiY.exe
C:\Windows\System\VZgchiY.exe
2⤵
PID:6500

C:\Windows\System\uOTQVEU.exe
C:\Windows\System\uOTQVEU.exe
2⤵
PID:6528

C:\Windows\System\kEqDVbt.exe
C:\Windows\System\kEqDVbt.exe
2⤵
PID:6556

C:\Windows\System\dylIURC.exe
C:\Windows\System\dylIURC.exe
2⤵
PID:6584

C:\Windows\System\YOZNmVH.exe
C:\Windows\System\YOZNmVH.exe
2⤵
PID:6612

C:\Windows\System\jrUXSuY.exe
C:\Windows\System\jrUXSuY.exe
2⤵
PID:6640

C:\Windows\System\cjlNgLb.exe
C:\Windows\System\cjlNgLb.exe
2⤵
PID:6668

C:\Windows\System\DLDmpDX.exe
C:\Windows\System\DLDmpDX.exe
2⤵
PID:6704

C:\Windows\System\NUgJRjB.exe
C:\Windows\System\NUgJRjB.exe
2⤵
PID:6732

C:\Windows\System\sgpZYUx.exe
C:\Windows\System\sgpZYUx.exe
2⤵
PID:6760

C:\Windows\System\BlDHQao.exe
C:\Windows\System\BlDHQao.exe
2⤵
PID:6780

C:\Windows\System\OryFDyl.exe
C:\Windows\System\OryFDyl.exe
2⤵
PID:6808

C:\Windows\System\qoEPRph.exe
C:\Windows\System\qoEPRph.exe
2⤵
PID:6836

C:\Windows\System\SRLHmFj.exe
C:\Windows\System\SRLHmFj.exe
2⤵
PID:6864

C:\Windows\System\yxvNlbG.exe
C:\Windows\System\yxvNlbG.exe
2⤵
PID:6892

C:\Windows\System\zHMZswP.exe
C:\Windows\System\zHMZswP.exe
2⤵
PID:6920

C:\Windows\System\GmAPtgj.exe
C:\Windows\System\GmAPtgj.exe
2⤵
PID:6948

C:\Windows\System\BBcxPBs.exe
C:\Windows\System\BBcxPBs.exe
2⤵
PID:6976

C:\Windows\System\LrDeCbK.exe
C:\Windows\System\LrDeCbK.exe
2⤵
PID:7004

C:\Windows\System\edhmaxZ.exe
C:\Windows\System\edhmaxZ.exe
2⤵
PID:7032

C:\Windows\System\cFTFhTo.exe
C:\Windows\System\cFTFhTo.exe
2⤵
PID:7060

C:\Windows\System\PWckEEJ.exe
C:\Windows\System\PWckEEJ.exe
2⤵
PID:7088

C:\Windows\System\dRKmbhm.exe
C:\Windows\System\dRKmbhm.exe
2⤵
PID:7116

C:\Windows\System\ENFhoSa.exe
C:\Windows\System\ENFhoSa.exe
2⤵
PID:7144

C:\Windows\System\EyjQbFU.exe
C:\Windows\System\EyjQbFU.exe
2⤵
PID:1424

C:\Windows\System\sUqmGWM.exe
C:\Windows\System\sUqmGWM.exe
2⤵
PID:5184

C:\Windows\System\mYrZcJh.exe
C:\Windows\System\mYrZcJh.exe
2⤵
PID:5468

C:\Windows\System\nAmkyzj.exe
C:\Windows\System\nAmkyzj.exe
2⤵
PID:5780

C:\Windows\System\ifaUalK.exe
C:\Windows\System\ifaUalK.exe
2⤵
PID:6148

C:\Windows\System\DzLNQex.exe
C:\Windows\System\DzLNQex.exe
2⤵
PID:6208

C:\Windows\System\sYiAdad.exe
C:\Windows\System\sYiAdad.exe
2⤵
PID:6268

C:\Windows\System\tXVEmbA.exe
C:\Windows\System\tXVEmbA.exe
2⤵
PID:6344

C:\Windows\System\tyFkDVm.exe
C:\Windows\System\tyFkDVm.exe
2⤵
PID:6404

C:\Windows\System\KMeusBQ.exe
C:\Windows\System\KMeusBQ.exe
2⤵
PID:6464

C:\Windows\System\XBGFVxN.exe
C:\Windows\System\XBGFVxN.exe
2⤵
PID:6540

C:\Windows\System\flwiYlL.exe
C:\Windows\System\flwiYlL.exe
2⤵
PID:6604

C:\Windows\System\MwBIIYa.exe
C:\Windows\System\MwBIIYa.exe
2⤵
PID:6660

C:\Windows\System\shfkDDa.exe
C:\Windows\System\shfkDDa.exe
2⤵
PID:6728

C:\Windows\System\aEuIzDq.exe
C:\Windows\System\aEuIzDq.exe
2⤵
PID:212

C:\Windows\System\DaILjzr.exe
C:\Windows\System\DaILjzr.exe
2⤵
PID:6848

C:\Windows\System\DzubQmP.exe
C:\Windows\System\DzubQmP.exe
2⤵
PID:6908

C:\Windows\System\AOndHim.exe
C:\Windows\System\AOndHim.exe
2⤵
PID:6968

C:\Windows\System\PckzDnC.exe
C:\Windows\System\PckzDnC.exe
2⤵
PID:7044

C:\Windows\System\uEbVzEa.exe
C:\Windows\System\uEbVzEa.exe
2⤵
PID:7104

C:\Windows\System\YHfLhWA.exe
C:\Windows\System\YHfLhWA.exe
2⤵
PID:7156

C:\Windows\System\DIJpNGT.exe
C:\Windows\System\DIJpNGT.exe
2⤵
PID:5444

C:\Windows\System\hkszDRd.exe
C:\Windows\System\hkszDRd.exe
2⤵
PID:6176

C:\Windows\System\HkBXpnl.exe
C:\Windows\System\HkBXpnl.exe
2⤵
PID:6316

C:\Windows\System\xvYaWQY.exe
C:\Windows\System\xvYaWQY.exe
2⤵
PID:6436

C:\Windows\System\PopKvyV.exe
C:\Windows\System\PopKvyV.exe
2⤵
PID:6572

C:\Windows\System\uMpMReN.exe
C:\Windows\System\uMpMReN.exe
2⤵
PID:6700

C:\Windows\System\lwUheRD.exe
C:\Windows\System\lwUheRD.exe
2⤵
PID:6824

C:\Windows\System\AMoWTII.exe
C:\Windows\System\AMoWTII.exe
2⤵
PID:6996

C:\Windows\System\kFnohkg.exe
C:\Windows\System\kFnohkg.exe
2⤵
PID:7140

C:\Windows\System\oipqcVI.exe
C:\Windows\System\oipqcVI.exe
2⤵
PID:4544

C:\Windows\System\qlInywG.exe
C:\Windows\System\qlInywG.exe
2⤵
PID:7196

C:\Windows\System\kdegqqf.exe
C:\Windows\System\kdegqqf.exe
2⤵
PID:7224

C:\Windows\System\hYloBAE.exe
C:\Windows\System\hYloBAE.exe
2⤵
PID:7252

C:\Windows\System\BjfxsXC.exe
C:\Windows\System\BjfxsXC.exe
2⤵
PID:7280

C:\Windows\System\BydMrsX.exe
C:\Windows\System\BydMrsX.exe
2⤵
PID:7308

C:\Windows\System\BmmsiAT.exe
C:\Windows\System\BmmsiAT.exe
2⤵
PID:7336

C:\Windows\System\KuBBjqS.exe
C:\Windows\System\KuBBjqS.exe
2⤵
PID:7364

C:\Windows\System\WmcrNRu.exe
C:\Windows\System\WmcrNRu.exe
2⤵
PID:7388

C:\Windows\System\OuMlrup.exe
C:\Windows\System\OuMlrup.exe
2⤵
PID:7416

C:\Windows\System\ZTkugoI.exe
C:\Windows\System\ZTkugoI.exe
2⤵
PID:7448

C:\Windows\System\UuTWjPP.exe
C:\Windows\System\UuTWjPP.exe
2⤵
PID:7476

C:\Windows\System\RkoOWpZ.exe
C:\Windows\System\RkoOWpZ.exe
2⤵
PID:7504

C:\Windows\System\SBxYYTN.exe
C:\Windows\System\SBxYYTN.exe
2⤵
PID:7532

C:\Windows\System\ddDkuWJ.exe
C:\Windows\System\ddDkuWJ.exe
2⤵
PID:7560

C:\Windows\System\PaPxtcv.exe
C:\Windows\System\PaPxtcv.exe
2⤵
PID:7588

C:\Windows\System\jiWawRW.exe
C:\Windows\System\jiWawRW.exe
2⤵
PID:7616

C:\Windows\System\hNkFAGS.exe
C:\Windows\System\hNkFAGS.exe
2⤵
PID:7644

C:\Windows\System\iSnuNTF.exe
C:\Windows\System\iSnuNTF.exe
2⤵
PID:7672

C:\Windows\System\rKBHGqG.exe
C:\Windows\System\rKBHGqG.exe
2⤵
PID:7700

C:\Windows\System\vZeZPiq.exe
C:\Windows\System\vZeZPiq.exe
2⤵
PID:7728

C:\Windows\System\NjKrgMI.exe
C:\Windows\System\NjKrgMI.exe
2⤵
PID:7756

C:\Windows\System\ArGkOEh.exe
C:\Windows\System\ArGkOEh.exe
2⤵
PID:7784

C:\Windows\System\IExdiBu.exe
C:\Windows\System\IExdiBu.exe
2⤵
PID:7812

C:\Windows\System\nHjzLfz.exe
C:\Windows\System\nHjzLfz.exe
2⤵
PID:7840

C:\Windows\System\ndhyYRs.exe
C:\Windows\System\ndhyYRs.exe
2⤵
PID:7868

C:\Windows\System\lSezCLe.exe
C:\Windows\System\lSezCLe.exe
2⤵
PID:7896

C:\Windows\System\Bqsdayj.exe
C:\Windows\System\Bqsdayj.exe
2⤵
PID:7924

C:\Windows\System\ahOIsCl.exe
C:\Windows\System\ahOIsCl.exe
2⤵
PID:7952

C:\Windows\System\fgkcgJp.exe
C:\Windows\System\fgkcgJp.exe
2⤵
PID:7980

C:\Windows\System\HkYVhEw.exe
C:\Windows\System\HkYVhEw.exe
2⤵
PID:8008

C:\Windows\System\GRdHRrI.exe
C:\Windows\System\GRdHRrI.exe
2⤵
PID:8036

C:\Windows\System\mfzlJfN.exe
C:\Windows\System\mfzlJfN.exe
2⤵
PID:8064

C:\Windows\System\LHFUKZi.exe
C:\Windows\System\LHFUKZi.exe
2⤵
PID:8092

C:\Windows\System\KyZsmCl.exe
C:\Windows\System\KyZsmCl.exe
2⤵
PID:8120

C:\Windows\System\iXjPTfd.exe
C:\Windows\System\iXjPTfd.exe
2⤵
PID:8148

C:\Windows\System\tRtxnJE.exe
C:\Windows\System\tRtxnJE.exe
2⤵
PID:8176

C:\Windows\System\RHPLtVW.exe
C:\Windows\System\RHPLtVW.exe
2⤵
PID:5080

C:\Windows\System\LfMAUKR.exe
C:\Windows\System\LfMAUKR.exe
2⤵
PID:6516

C:\Windows\System\SEQWMga.exe
C:\Windows\System\SEQWMga.exe
2⤵
PID:4556

C:\Windows\System\XFeOktg.exe
C:\Windows\System\XFeOktg.exe
2⤵
PID:7272

C:\Windows\System\wnocYLB.exe
C:\Windows\System\wnocYLB.exe
2⤵
PID:7320

C:\Windows\System\jsnApft.exe
C:\Windows\System\jsnApft.exe
2⤵
PID:7376

C:\Windows\System\zsxXyZc.exe
C:\Windows\System\zsxXyZc.exe
2⤵
PID:7412

C:\Windows\System\GucPWLR.exe
C:\Windows\System\GucPWLR.exe
2⤵
PID:7552

C:\Windows\System\GqasKAV.exe
C:\Windows\System\GqasKAV.exe
2⤵
PID:7604

C:\Windows\System\henITcW.exe
C:\Windows\System\henITcW.exe
2⤵
PID:7632

C:\Windows\System\JLYnsVn.exe
C:\Windows\System\JLYnsVn.exe
2⤵
PID:7664

C:\Windows\System\gczeUnz.exe
C:\Windows\System\gczeUnz.exe
2⤵
PID:3252

C:\Windows\System\IVgsWvO.exe
C:\Windows\System\IVgsWvO.exe
2⤵
PID:7852

C:\Windows\System\tupwlMb.exe
C:\Windows\System\tupwlMb.exe
2⤵
PID:7880

C:\Windows\System\weATDIt.exe
C:\Windows\System\weATDIt.exe
2⤵
PID:7912

C:\Windows\System\GfoCHKF.exe
C:\Windows\System\GfoCHKF.exe
2⤵
PID:7944

C:\Windows\System\xWbzcVv.exe
C:\Windows\System\xWbzcVv.exe
2⤵
PID:8048

C:\Windows\System\FrUjiKM.exe
C:\Windows\System\FrUjiKM.exe
2⤵
PID:2236

C:\Windows\System\ZoUjaZT.exe
C:\Windows\System\ZoUjaZT.exe
2⤵
PID:1104

C:\Windows\System\Mavfwtw.exe
C:\Windows\System\Mavfwtw.exe
2⤵
PID:8164

C:\Windows\System\rMUxLDg.exe
C:\Windows\System\rMUxLDg.exe
2⤵
PID:6632

C:\Windows\System\mKEbBzH.exe
C:\Windows\System\mKEbBzH.exe
2⤵
PID:2924

C:\Windows\System\WaNcKUY.exe
C:\Windows\System\WaNcKUY.exe
2⤵
PID:5372

C:\Windows\System\LaetXnM.exe
C:\Windows\System\LaetXnM.exe
2⤵
PID:1624

C:\Windows\System\jnBJDxi.exe
C:\Windows\System\jnBJDxi.exe
2⤵
PID:4820

C:\Windows\System\bKVbJNm.exe
C:\Windows\System\bKVbJNm.exe
2⤵
PID:2384

C:\Windows\System\VQWdQwW.exe
C:\Windows\System\VQWdQwW.exe
2⤵
PID:7300

C:\Windows\System\xyCQqNV.exe
C:\Windows\System\xyCQqNV.exe
2⤵
PID:7408

C:\Windows\System\DjTxAke.exe
C:\Windows\System\DjTxAke.exe
2⤵
PID:7496

C:\Windows\System\aKEEKGp.exe
C:\Windows\System\aKEEKGp.exe
2⤵
PID:3956

C:\Windows\System\MlwSjcX.exe
C:\Windows\System\MlwSjcX.exe
2⤵
PID:7348

C:\Windows\System\dyeJMnM.exe
C:\Windows\System\dyeJMnM.exe
2⤵
PID:7688

C:\Windows\System\vrBLaSv.exe
C:\Windows\System\vrBLaSv.exe
2⤵
PID:7384

C:\Windows\System\kHkqfya.exe
C:\Windows\System\kHkqfya.exe
2⤵
PID:8140

C:\Windows\System\gwfasSE.exe
C:\Windows\System\gwfasSE.exe
2⤵
PID:4980

C:\Windows\System\qavLGAQ.exe
C:\Windows\System\qavLGAQ.exe
2⤵
PID:376

C:\Windows\System\dtICKNs.exe
C:\Windows\System\dtICKNs.exe
2⤵
PID:836

C:\Windows\System\EBAXICd.exe
C:\Windows\System\EBAXICd.exe
2⤵
PID:3796

C:\Windows\System\TeVVJwX.exe
C:\Windows\System\TeVVJwX.exe
2⤵
PID:7520

C:\Windows\System\CGdzbZN.exe
C:\Windows\System\CGdzbZN.exe
2⤵
PID:7936

C:\Windows\System\LOebEbS.exe
C:\Windows\System\LOebEbS.exe
2⤵
PID:7800

C:\Windows\System\PWOkyNf.exe
C:\Windows\System\PWOkyNf.exe
2⤵
PID:532

C:\Windows\System\igeKJrT.exe
C:\Windows\System\igeKJrT.exe
2⤵
PID:372

C:\Windows\System\wPWzBHU.exe
C:\Windows\System\wPWzBHU.exe
2⤵
PID:4472

C:\Windows\System\RkLhDUl.exe
C:\Windows\System\RkLhDUl.exe
2⤵
PID:8208

C:\Windows\System\zzasiGG.exe
C:\Windows\System\zzasiGG.exe
2⤵
PID:8240

C:\Windows\System\DHXuMjH.exe
C:\Windows\System\DHXuMjH.exe
2⤵
PID:8284

C:\Windows\System\PCHxksc.exe
C:\Windows\System\PCHxksc.exe
2⤵
PID:8332

C:\Windows\System\oZuNqUi.exe
C:\Windows\System\oZuNqUi.exe
2⤵
PID:8404

C:\Windows\System\TTanWVd.exe
C:\Windows\System\TTanWVd.exe
2⤵
PID:8440

C:\Windows\System\atcXIuY.exe
C:\Windows\System\atcXIuY.exe
2⤵
PID:8500

C:\Windows\System\vlzhfPN.exe
C:\Windows\System\vlzhfPN.exe
2⤵
PID:8556

C:\Windows\System\IzFkoxs.exe
C:\Windows\System\IzFkoxs.exe
2⤵
PID:8580

C:\Windows\System\UgJyYus.exe
C:\Windows\System\UgJyYus.exe
2⤵
PID:8636

C:\Windows\System\qsProoy.exe
C:\Windows\System\qsProoy.exe
2⤵
PID:8676

C:\Windows\System\WTnEqAs.exe
C:\Windows\System\WTnEqAs.exe
2⤵
PID:8692

C:\Windows\System\rlKuDqi.exe
C:\Windows\System\rlKuDqi.exe
2⤵
PID:8736

C:\Windows\System\OFPvNcg.exe
C:\Windows\System\OFPvNcg.exe
2⤵
PID:8764

C:\Windows\System\hwuOHHp.exe
C:\Windows\System\hwuOHHp.exe
2⤵
PID:8808

C:\Windows\System\zIlnsue.exe
C:\Windows\System\zIlnsue.exe
2⤵
PID:8848

C:\Windows\System\bNetEie.exe
C:\Windows\System\bNetEie.exe
2⤵
PID:8888

C:\Windows\System\MIHcmsv.exe
C:\Windows\System\MIHcmsv.exe
2⤵
PID:8928

C:\Windows\System\pHPCiai.exe
C:\Windows\System\pHPCiai.exe
2⤵
PID:8968

C:\Windows\System\JaSqUsk.exe
C:\Windows\System\JaSqUsk.exe
2⤵
PID:8996

C:\Windows\System\eOIKcFP.exe
C:\Windows\System\eOIKcFP.exe
2⤵
PID:9024

C:\Windows\System\Bhpthpb.exe
C:\Windows\System\Bhpthpb.exe
2⤵
PID:9044

C:\Windows\System\YHKLQHJ.exe
C:\Windows\System\YHKLQHJ.exe
2⤵
PID:9076

C:\Windows\System\mluDnVG.exe
C:\Windows\System\mluDnVG.exe
2⤵
PID:9104

C:\Windows\System\FoBLllW.exe
C:\Windows\System\FoBLllW.exe
2⤵
PID:9164

C:\Windows\System\PZOfgyZ.exe
C:\Windows\System\PZOfgyZ.exe
2⤵
PID:8196

C:\Windows\System\URGZjgw.exe
C:\Windows\System\URGZjgw.exe
2⤵
PID:8216

C:\Windows\System\mgzbSNF.exe
C:\Windows\System\mgzbSNF.exe
2⤵
PID:8280

C:\Windows\System\sLZtyUt.exe
C:\Windows\System\sLZtyUt.exe
2⤵
PID:8316

C:\Windows\System\kxURoqa.exe
C:\Windows\System\kxURoqa.exe
2⤵
PID:8392

C:\Windows\System\BQpemgG.exe
C:\Windows\System\BQpemgG.exe
2⤵
PID:8412

C:\Windows\System\ZHfuKMC.exe
C:\Windows\System\ZHfuKMC.exe
2⤵
PID:8456

C:\Windows\System\DICjslS.exe
C:\Windows\System\DICjslS.exe
2⤵
PID:8464

C:\Windows\System\NYstqmq.exe
C:\Windows\System\NYstqmq.exe
2⤵
PID:8540

C:\Windows\System\USzfGMI.exe
C:\Windows\System\USzfGMI.exe
2⤵
PID:8576

C:\Windows\System\NvCemUN.exe
C:\Windows\System\NvCemUN.exe
2⤵
PID:8624

C:\Windows\System\nqjoDbN.exe
C:\Windows\System\nqjoDbN.exe
2⤵
PID:8672

C:\Windows\System\jgvUyBQ.exe
C:\Windows\System\jgvUyBQ.exe
2⤵
PID:8756

C:\Windows\System\WLatEkp.exe
C:\Windows\System\WLatEkp.exe
2⤵
PID:8796

C:\Windows\System\inBzCGu.exe
C:\Windows\System\inBzCGu.exe
2⤵
PID:8836

C:\Windows\System\RlNoAWy.exe
C:\Windows\System\RlNoAWy.exe
2⤵
PID:8876

C:\Windows\System\zfUkWfg.exe
C:\Windows\System\zfUkWfg.exe
2⤵
PID:8936

C:\Windows\System\KYaxIMb.exe
C:\Windows\System\KYaxIMb.exe
2⤵
PID:8964

C:\Windows\System\iFmkkWb.exe
C:\Windows\System\iFmkkWb.exe
2⤵
PID:9004

C:\Windows\System\BwNcUuG.exe
C:\Windows\System\BwNcUuG.exe
2⤵
PID:9084

C:\Windows\System\LpdxmhQ.exe
C:\Windows\System\LpdxmhQ.exe
2⤵
PID:9132

C:\Windows\System\xpBGNsZ.exe
C:\Windows\System\xpBGNsZ.exe
2⤵
PID:9140

C:\Windows\System\RosGRBL.exe
C:\Windows\System\RosGRBL.exe
2⤵
PID:2512

C:\Windows\System\aBrQBeO.exe
C:\Windows\System\aBrQBeO.exe
2⤵
PID:8232

C:\Windows\System\DtGYbml.exe
C:\Windows\System\DtGYbml.exe
2⤵
PID:8276

C:\Windows\System\jwcZkrK.exe
C:\Windows\System\jwcZkrK.exe
2⤵
PID:8248

C:\Windows\System\StwfDBm.exe
C:\Windows\System\StwfDBm.exe
2⤵
PID:8368

C:\Windows\System\MfCJyDd.exe
C:\Windows\System\MfCJyDd.exe
2⤵
PID:8516

C:\Windows\System\wtHuImt.exe
C:\Windows\System\wtHuImt.exe
2⤵
PID:8572

C:\Windows\System\alwzFTY.exe
C:\Windows\System\alwzFTY.exe
2⤵
PID:8712

C:\Windows\System\SOZaAQB.exe
C:\Windows\System\SOZaAQB.exe
2⤵
PID:8788

C:\Windows\System\GAallbr.exe
C:\Windows\System\GAallbr.exe
2⤵
PID:8896

C:\Windows\System\idpABtZ.exe
C:\Windows\System\idpABtZ.exe
2⤵
PID:9032

C:\Windows\System\rbpqBYj.exe
C:\Windows\System\rbpqBYj.exe
2⤵
PID:9096

C:\Windows\System\ZYHGTgh.exe
C:\Windows\System\ZYHGTgh.exe
2⤵
PID:4436

C:\Windows\System\KpLDqDV.exe
C:\Windows\System\KpLDqDV.exe
2⤵
PID:8388

C:\Windows\System\yrMWtvi.exe
C:\Windows\System\yrMWtvi.exe
2⤵
PID:8520

C:\Windows\System\TgxrxSd.exe
C:\Windows\System\TgxrxSd.exe
2⤵
PID:8728

C:\Windows\System\NvLkwmg.exe
C:\Windows\System\NvLkwmg.exe
2⤵
PID:2504

C:\Windows\System\SAgTJsM.exe
C:\Windows\System\SAgTJsM.exe
2⤵
PID:9208

C:\Windows\System\HqJEMfu.exe
C:\Windows\System\HqJEMfu.exe
2⤵
PID:8320

C:\Windows\System\omTPImF.exe
C:\Windows\System\omTPImF.exe
2⤵
PID:9008

C:\Windows\System\jEyClNi.exe
C:\Windows\System\jEyClNi.exe
2⤵
PID:8268

C:\Windows\System\xqqmBXR.exe
C:\Windows\System\xqqmBXR.exe
2⤵
PID:8620

C:\Windows\System\gsQrSdh.exe
C:\Windows\System\gsQrSdh.exe
2⤵
PID:9232

C:\Windows\System\KSHdrrT.exe
C:\Windows\System\KSHdrrT.exe
2⤵
PID:9260

C:\Windows\System\XVwSTwi.exe
C:\Windows\System\XVwSTwi.exe
2⤵
PID:9276

C:\Windows\System\yqPROjJ.exe
C:\Windows\System\yqPROjJ.exe
2⤵
PID:9304

C:\Windows\System\ycvpkWA.exe
C:\Windows\System\ycvpkWA.exe
2⤵
PID:9344

C:\Windows\System\tSnmhCd.exe
C:\Windows\System\tSnmhCd.exe
2⤵
PID:9372

C:\Windows\System\vyOtykA.exe
C:\Windows\System\vyOtykA.exe
2⤵
PID:9400

C:\Windows\System\uRRXPLG.exe
C:\Windows\System\uRRXPLG.exe
2⤵
PID:9428

C:\Windows\System\WCgerzA.exe
C:\Windows\System\WCgerzA.exe
2⤵
PID:9456

C:\Windows\System\yNbhOTY.exe
C:\Windows\System\yNbhOTY.exe
2⤵
PID:9480

C:\Windows\System\CwOIPlK.exe
C:\Windows\System\CwOIPlK.exe
2⤵
PID:9508

C:\Windows\System\cLmDEmy.exe
C:\Windows\System\cLmDEmy.exe
2⤵
PID:9540

C:\Windows\System\IttYjnF.exe
C:\Windows\System\IttYjnF.exe
2⤵
PID:9564

C:\Windows\System\mbQeckz.exe
C:\Windows\System\mbQeckz.exe
2⤵
PID:9584

C:\Windows\System\DIEZkSA.exe
C:\Windows\System\DIEZkSA.exe
2⤵
PID:9624

C:\Windows\System\bapEQJq.exe
C:\Windows\System\bapEQJq.exe
2⤵
PID:9644

C:\Windows\System\oDfnJfe.exe
C:\Windows\System\oDfnJfe.exe
2⤵
PID:9668

C:\Windows\System\FRDLmbG.exe
C:\Windows\System\FRDLmbG.exe
2⤵
PID:9708

C:\Windows\System\nsLNIOB.exe
C:\Windows\System\nsLNIOB.exe
2⤵
PID:9724

C:\Windows\System\KBomxiT.exe
C:\Windows\System\KBomxiT.exe
2⤵
PID:9764

C:\Windows\System\DYUGbNA.exe
C:\Windows\System\DYUGbNA.exe
2⤵
PID:9792

C:\Windows\System\HmZBfBI.exe
C:\Windows\System\HmZBfBI.exe
2⤵
PID:9824

C:\Windows\System\veVZCth.exe
C:\Windows\System\veVZCth.exe
2⤵
PID:9844

C:\Windows\System\VyArCEP.exe
C:\Windows\System\VyArCEP.exe
2⤵
PID:9864

C:\Windows\System\gMKbEEa.exe
C:\Windows\System\gMKbEEa.exe
2⤵
PID:9904

C:\Windows\System\QAytynE.exe
C:\Windows\System\QAytynE.exe
2⤵
PID:9940

C:\Windows\System\VwsjlFX.exe
C:\Windows\System\VwsjlFX.exe
2⤵
PID:9968

C:\Windows\System\yHWcdHZ.exe
C:\Windows\System\yHWcdHZ.exe
2⤵
PID:9996

C:\Windows\System\EIcSpcO.exe
C:\Windows\System\EIcSpcO.exe
2⤵
PID:10012

C:\Windows\System\mzAhMnM.exe
C:\Windows\System\mzAhMnM.exe
2⤵
PID:10040

C:\Windows\System\WrWMckd.exe
C:\Windows\System\WrWMckd.exe
2⤵
PID:10080

C:\Windows\System\cATGWRy.exe
C:\Windows\System\cATGWRy.exe
2⤵
PID:10108

C:\Windows\System\iNMDhbc.exe
C:\Windows\System\iNMDhbc.exe
2⤵
PID:10136

C:\Windows\System\GVRfnrK.exe
C:\Windows\System\GVRfnrK.exe
2⤵
PID:10164

C:\Windows\System\bmPaBjm.exe
C:\Windows\System\bmPaBjm.exe
2⤵
PID:10192

C:\Windows\System\vvTyILa.exe
C:\Windows\System\vvTyILa.exe
2⤵
PID:10220

C:\Windows\System\iHNFEQT.exe
C:\Windows\System\iHNFEQT.exe
2⤵
PID:10236

C:\Windows\System\nSKrxXm.exe
C:\Windows\System\nSKrxXm.exe
2⤵
PID:9296

C:\Windows\System\GkFUxni.exe
C:\Windows\System\GkFUxni.exe
2⤵
PID:9364

C:\Windows\System\avqXrQF.exe
C:\Windows\System\avqXrQF.exe
2⤵
PID:9424

C:\Windows\System\YoUWWHb.exe
C:\Windows\System\YoUWWHb.exe
2⤵
PID:9464

C:\Windows\System\gJcDPYr.exe
C:\Windows\System\gJcDPYr.exe
2⤵
PID:9548

C:\Windows\System\RpdbSjn.exe
C:\Windows\System\RpdbSjn.exe
2⤵
PID:9608

C:\Windows\System\dsmRxji.exe
C:\Windows\System\dsmRxji.exe
2⤵
PID:9692

C:\Windows\System\Hzowxvj.exe
C:\Windows\System\Hzowxvj.exe
2⤵
PID:9748

C:\Windows\System\UGnjIhe.exe
C:\Windows\System\UGnjIhe.exe
2⤵
PID:9836

C:\Windows\System\EOIXkaQ.exe
C:\Windows\System\EOIXkaQ.exe
2⤵
PID:9888

C:\Windows\System\DtcLzal.exe
C:\Windows\System\DtcLzal.exe
2⤵
PID:9980

C:\Windows\System\mLVQYGs.exe
C:\Windows\System\mLVQYGs.exe
2⤵
PID:10008

C:\Windows\System\vQuvEZa.exe
C:\Windows\System\vQuvEZa.exe
2⤵
PID:10120

C:\Windows\System\VQniLdD.exe
C:\Windows\System\VQniLdD.exe
2⤵
PID:10180

C:\Windows\System\YTGaPnC.exe
C:\Windows\System\YTGaPnC.exe
2⤵
PID:10232

C:\Windows\System\bvdJzdu.exe
C:\Windows\System\bvdJzdu.exe
2⤵
PID:9360

C:\Windows\System\QVspJir.exe
C:\Windows\System\QVspJir.exe
2⤵
PID:9516

C:\Windows\System\pWcLmdC.exe
C:\Windows\System\pWcLmdC.exe
2⤵
PID:9680

C:\Windows\System\Ezcxdgn.exe
C:\Windows\System\Ezcxdgn.exe
2⤵
PID:9736

C:\Windows\System\iUHhDME.exe
C:\Windows\System\iUHhDME.exe
2⤵
PID:9992

C:\Windows\System\kHogLxW.exe
C:\Windows\System\kHogLxW.exe
2⤵
PID:10160

C:\Windows\System\ZCwQUxe.exe
C:\Windows\System\ZCwQUxe.exe
2⤵
PID:9340

C:\Windows\System\jILyiLQ.exe
C:\Windows\System\jILyiLQ.exe
2⤵
PID:9596

C:\Windows\System\BUkVHLD.exe
C:\Windows\System\BUkVHLD.exe
2⤵
PID:10156

C:\Windows\System\CRyxMoy.exe
C:\Windows\System\CRyxMoy.exe
2⤵
PID:10076

C:\Windows\System\sPzhMlI.exe
C:\Windows\System\sPzhMlI.exe
2⤵
PID:10256

C:\Windows\System\qyabKMP.exe
C:\Windows\System\qyabKMP.exe
2⤵
PID:10272

C:\Windows\System\iiApwAV.exe
C:\Windows\System\iiApwAV.exe
2⤵
PID:10312

C:\Windows\System\WBdOmht.exe
C:\Windows\System\WBdOmht.exe
2⤵
PID:10340

C:\Windows\System\WLMXFWp.exe
C:\Windows\System\WLMXFWp.exe
2⤵
PID:10368

C:\Windows\System\JqvToUj.exe
C:\Windows\System\JqvToUj.exe
2⤵
PID:10396

C:\Windows\System\XIKEMfr.exe
C:\Windows\System\XIKEMfr.exe
2⤵
PID:10424

C:\Windows\System\IpOLCiU.exe
C:\Windows\System\IpOLCiU.exe
2⤵
PID:10452

C:\Windows\System\VSvIOzr.exe
C:\Windows\System\VSvIOzr.exe
2⤵
PID:10468

C:\Windows\System\wcAoQxM.exe
C:\Windows\System\wcAoQxM.exe
2⤵
PID:10508

C:\Windows\System\skzTxss.exe
C:\Windows\System\skzTxss.exe
2⤵
PID:10536

C:\Windows\System\ngIwGIx.exe
C:\Windows\System\ngIwGIx.exe
2⤵
PID:10564

C:\Windows\System\NCMFwMv.exe
C:\Windows\System\NCMFwMv.exe
2⤵
PID:10592

C:\Windows\System\KuQfkQu.exe
C:\Windows\System\KuQfkQu.exe
2⤵
PID:10620

C:\Windows\System\ssUbuyc.exe
C:\Windows\System\ssUbuyc.exe
2⤵
PID:10636

C:\Windows\System\PxowaBR.exe
C:\Windows\System\PxowaBR.exe
2⤵
PID:10676

C:\Windows\System\ynhdQiI.exe
C:\Windows\System\ynhdQiI.exe
2⤵
PID:10692

C:\Windows\System\GmemqWH.exe
C:\Windows\System\GmemqWH.exe
2⤵
PID:10720

C:\Windows\System\ERcMkTa.exe
C:\Windows\System\ERcMkTa.exe
2⤵
PID:10760

C:\Windows\System\uuloFvB.exe
C:\Windows\System\uuloFvB.exe
2⤵
PID:10788

C:\Windows\System\nJbNeDT.exe
C:\Windows\System\nJbNeDT.exe
2⤵
PID:10816

C:\Windows\System\YfpYdtQ.exe
C:\Windows\System\YfpYdtQ.exe
2⤵
PID:10844

C:\Windows\System\Wevlwdk.exe
C:\Windows\System\Wevlwdk.exe
2⤵
PID:10860

C:\Windows\System\PkmaXYd.exe
C:\Windows\System\PkmaXYd.exe
2⤵
PID:10896

C:\Windows\System\CVJQIoS.exe
C:\Windows\System\CVJQIoS.exe
2⤵
PID:10928

C:\Windows\System\tvHXYxY.exe
C:\Windows\System\tvHXYxY.exe
2⤵
PID:10956

C:\Windows\System\BMLIwwT.exe
C:\Windows\System\BMLIwwT.exe
2⤵
PID:10972

C:\Windows\System\zCvPmHH.exe
C:\Windows\System\zCvPmHH.exe
2⤵
PID:11000

C:\Windows\System\ZYhnlXi.exe
C:\Windows\System\ZYhnlXi.exe
2⤵
PID:11028

C:\Windows\System\iIoOOTA.exe
C:\Windows\System\iIoOOTA.exe
2⤵
PID:11060

C:\Windows\System\LnbuAgR.exe
C:\Windows\System\LnbuAgR.exe
2⤵
PID:11088

C:\Windows\System\oUkAVMj.exe
C:\Windows\System\oUkAVMj.exe
2⤵
PID:11128

C:\Windows\System\YDRAZfF.exe
C:\Windows\System\YDRAZfF.exe
2⤵
PID:11148

C:\Windows\System\MNfbnMR.exe
C:\Windows\System\MNfbnMR.exe
2⤵
PID:11184

C:\Windows\System\yTrcjbM.exe
C:\Windows\System\yTrcjbM.exe
2⤵
PID:11212

C:\Windows\System\pJYowcg.exe
C:\Windows\System\pJYowcg.exe
2⤵
PID:11240

C:\Windows\System\fkmxhFc.exe
C:\Windows\System\fkmxhFc.exe
2⤵
PID:10248

C:\Windows\System\jdUoDEB.exe
C:\Windows\System\jdUoDEB.exe
2⤵
PID:10308

C:\Windows\System\hOGSnVQ.exe
C:\Windows\System\hOGSnVQ.exe
2⤵
PID:10380

C:\Windows\System\htonVEK.exe
C:\Windows\System\htonVEK.exe
2⤵
PID:10408

C:\Windows\System\WQNJUwi.exe
C:\Windows\System\WQNJUwi.exe
2⤵
PID:10496

C:\Windows\System\FVjxPey.exe
C:\Windows\System\FVjxPey.exe
2⤵
PID:10556

C:\Windows\System\KBsfdrh.exe
C:\Windows\System\KBsfdrh.exe
2⤵
PID:10616

C:\Windows\System\DQnrBVs.exe
C:\Windows\System\DQnrBVs.exe
2⤵
PID:10688

C:\Windows\System\vZzcLVm.exe
C:\Windows\System\vZzcLVm.exe
2⤵
PID:10736

C:\Windows\System\SnrYhfL.exe
C:\Windows\System\SnrYhfL.exe
2⤵
PID:10804

C:\Windows\System\asbjoQT.exe
C:\Windows\System\asbjoQT.exe
2⤵
PID:10872

C:\Windows\System\aicxjdl.exe
C:\Windows\System\aicxjdl.exe
2⤵
PID:10920

C:\Windows\System\XXVMJxC.exe
C:\Windows\System\XXVMJxC.exe
2⤵
PID:10968

C:\Windows\System\KaJFlVU.exe
C:\Windows\System\KaJFlVU.exe
2⤵
PID:3604

C:\Windows\System\AWZXnbb.exe
C:\Windows\System\AWZXnbb.exe
2⤵
PID:11124

C:\Windows\System\KGcfbMm.exe
C:\Windows\System\KGcfbMm.exe
2⤵
PID:11196

C:\Windows\System\DQGksGY.exe
C:\Windows\System\DQGksGY.exe
2⤵
PID:11232

C:\Windows\System\nEVEoCp.exe
C:\Windows\System\nEVEoCp.exe
2⤵
PID:10336

C:\Windows\System\IBOpaVW.exe
C:\Windows\System\IBOpaVW.exe
2⤵
PID:10520

C:\Windows\System\XvgVEHU.exe
C:\Windows\System\XvgVEHU.exe
2⤵
PID:10668

C:\Windows\System\SJLBYti.exe
C:\Windows\System\SJLBYti.exe
2⤵
PID:10740

C:\Windows\System\akJcVFW.exe
C:\Windows\System\akJcVFW.exe
2⤵
PID:10964

C:\Windows\System\DnxGIHy.exe
C:\Windows\System\DnxGIHy.exe
2⤵
PID:11120

C:\Windows\System\cIbseGM.exe
C:\Windows\System\cIbseGM.exe
2⤵
PID:11208

C:\Windows\System\QbEcgVG.exe
C:\Windows\System\QbEcgVG.exe
2⤵
PID:10580

C:\Windows\System\OcdwOMH.exe
C:\Windows\System\OcdwOMH.exe
2⤵
PID:10944

C:\Windows\System\IcEFgVf.exe
C:\Windows\System\IcEFgVf.exe
2⤵
PID:11224

C:\Windows\System\JlOOPVo.exe
C:\Windows\System\JlOOPVo.exe
2⤵
PID:11072

C:\Windows\System\HmDFTLa.exe
C:\Windows\System\HmDFTLa.exe
2⤵
PID:10912

C:\Windows\System\JNmwDFL.exe
C:\Windows\System\JNmwDFL.exe
2⤵
PID:11296

C:\Windows\System\IQSpWGx.exe
C:\Windows\System\IQSpWGx.exe
2⤵
PID:11324

C:\Windows\System\guwLHQc.exe
C:\Windows\System\guwLHQc.exe
2⤵
PID:11352

C:\Windows\System\nhhnfxy.exe
C:\Windows\System\nhhnfxy.exe
2⤵
PID:11384

C:\Windows\System\OPJuhfA.exe
C:\Windows\System\OPJuhfA.exe
2⤵
PID:11412

C:\Windows\System\bKcOyVb.exe
C:\Windows\System\bKcOyVb.exe
2⤵
PID:11428

C:\Windows\System\ZErWVlb.exe
C:\Windows\System\ZErWVlb.exe
2⤵
PID:11468

C:\Windows\System\hWSAVJa.exe
C:\Windows\System\hWSAVJa.exe
2⤵
PID:11488

C:\Windows\System\VmvQHIk.exe
C:\Windows\System\VmvQHIk.exe
2⤵
PID:11528

C:\Windows\System\bCJSaQR.exe
C:\Windows\System\bCJSaQR.exe
2⤵
PID:11548

C:\Windows\System\DqdaEdc.exe
C:\Windows\System\DqdaEdc.exe
2⤵
PID:11572

C:\Windows\System\rXGuOMr.exe
C:\Windows\System\rXGuOMr.exe
2⤵
PID:11612

C:\Windows\System\tKocHtv.exe
C:\Windows\System\tKocHtv.exe
2⤵
PID:11640

C:\Windows\System\jKWOaJt.exe
C:\Windows\System\jKWOaJt.exe
2⤵
PID:11668

C:\Windows\System\ezObzAn.exe
C:\Windows\System\ezObzAn.exe
2⤵
PID:11684

C:\Windows\System\BiYHShx.exe
C:\Windows\System\BiYHShx.exe
2⤵
PID:11724

C:\Windows\System\NczUJfD.exe
C:\Windows\System\NczUJfD.exe
2⤵
PID:11756

C:\Windows\System\JgvyHql.exe
C:\Windows\System\JgvyHql.exe
2⤵
PID:11784

C:\Windows\System\FpjXaUq.exe
C:\Windows\System\FpjXaUq.exe
2⤵
PID:11812

C:\Windows\System\XhEyRgm.exe
C:\Windows\System\XhEyRgm.exe
2⤵
PID:11840

C:\Windows\System\YOVzrnG.exe
C:\Windows\System\YOVzrnG.exe
2⤵
PID:11868

C:\Windows\System\kTWvKmj.exe
C:\Windows\System\kTWvKmj.exe
2⤵
PID:11896

C:\Windows\System\IzKhNXl.exe
C:\Windows\System\IzKhNXl.exe
2⤵
PID:11936

C:\Windows\System\SIjpSJu.exe
C:\Windows\System\SIjpSJu.exe
2⤵
PID:11952

C:\Windows\System\snunSHu.exe
C:\Windows\System\snunSHu.exe
2⤵
PID:11988

C:\Windows\System\XgOqavz.exe
C:\Windows\System\XgOqavz.exe
2⤵
PID:12016

C:\Windows\System\sagNokd.exe
C:\Windows\System\sagNokd.exe
2⤵
PID:12084

C:\Windows\System\YjGjudD.exe
C:\Windows\System\YjGjudD.exe
2⤵
PID:12112

C:\Windows\System\MBxqOCM.exe
C:\Windows\System\MBxqOCM.exe
2⤵
PID:12136

C:\Windows\System\QZPORQy.exe
C:\Windows\System\QZPORQy.exe
2⤵
PID:12172

C:\Windows\System\QqFxKcD.exe
C:\Windows\System\QqFxKcD.exe
2⤵
PID:12212

C:\Windows\System\HBlBCQm.exe
C:\Windows\System\HBlBCQm.exe
2⤵
PID:12232

C:\Windows\System\XdQTpYe.exe
C:\Windows\System\XdQTpYe.exe
2⤵
PID:12256

C:\Windows\System\opZXANc.exe
C:\Windows\System\opZXANc.exe
2⤵
PID:10444

C:\Windows\System\HYXAxBV.exe
C:\Windows\System\HYXAxBV.exe
2⤵
PID:11336

C:\Windows\System\OpRTGcc.exe
C:\Windows\System\OpRTGcc.exe
2⤵
PID:11404

C:\Windows\System\oUnlVGE.exe
C:\Windows\System\oUnlVGE.exe
2⤵
PID:11444

C:\Windows\System\XvKGwbH.exe
C:\Windows\System\XvKGwbH.exe
2⤵
PID:11560

C:\Windows\System\YlwBQEx.exe
C:\Windows\System\YlwBQEx.exe
2⤵
PID:11608

C:\Windows\System\IpjhqnZ.exe
C:\Windows\System\IpjhqnZ.exe
2⤵
PID:2548

C:\Windows\System\IiUUkZt.exe
C:\Windows\System\IiUUkZt.exe
2⤵
PID:11664

C:\Windows\System\xtqzDTI.exe
C:\Windows\System\xtqzDTI.exe
2⤵
PID:11736

C:\Windows\System\oienFbe.exe
C:\Windows\System\oienFbe.exe
2⤵
PID:11804

C:\Windows\System\ELpJqrn.exe
C:\Windows\System\ELpJqrn.exe
2⤵
PID:11836

C:\Windows\System\AXOErRD.exe
C:\Windows\System\AXOErRD.exe
2⤵
PID:11920

C:\Windows\System\ZPeKsaG.exe
C:\Windows\System\ZPeKsaG.exe
2⤵
PID:12004

C:\Windows\System\BGjapLF.exe
C:\Windows\System\BGjapLF.exe
2⤵
PID:12108

C:\Windows\System\wEJCaHE.exe
C:\Windows\System\wEJCaHE.exe
2⤵
PID:12184

C:\Windows\System\UtebhIA.exe
C:\Windows\System\UtebhIA.exe
2⤵
PID:12252

C:\Windows\System\gxTYRMP.exe
C:\Windows\System\gxTYRMP.exe
2⤵
PID:11288

C:\Windows\System\VfqbcDY.exe
C:\Windows\System\VfqbcDY.exe
2⤵
PID:11484

C:\Windows\System\gYpnxsK.exe
C:\Windows\System\gYpnxsK.exe
2⤵
PID:11636

C:\Windows\System\bNlAwvN.exe
C:\Windows\System\bNlAwvN.exe
2⤵
PID:11716

C:\Windows\System\jVfxnKg.exe
C:\Windows\System\jVfxnKg.exe
2⤵
PID:11880

C:\Windows\System\aebzeTE.exe
C:\Windows\System\aebzeTE.exe
2⤵
PID:12080

C:\Windows\System\wNwxWwj.exe
C:\Windows\System\wNwxWwj.exe
2⤵
PID:12240

C:\Windows\System\LEaaWvQ.exe
C:\Windows\System\LEaaWvQ.exe
2⤵
PID:11020

C:\Windows\System\ydddQNp.exe
C:\Windows\System\ydddQNp.exe
2⤵
PID:11776

C:\Windows\System\LQuAzKt.exe
C:\Windows\System\LQuAzKt.exe
2⤵
PID:12120

C:\Windows\System\LnZnKiY.exe
C:\Windows\System\LnZnKiY.exe
2⤵
PID:11696

C:\Windows\System\iGgqRUH.exe
C:\Windows\System\iGgqRUH.exe
2⤵
PID:11948

C:\Windows\System\FvDdRTB.exe
C:\Windows\System\FvDdRTB.exe
2⤵
PID:12316

C:\Windows\System\tFVTNMx.exe
C:\Windows\System\tFVTNMx.exe
2⤵
PID:12332

C:\Windows\System\CFAYFXY.exe
C:\Windows\System\CFAYFXY.exe
2⤵
PID:12368

C:\Windows\System\oenYevl.exe
C:\Windows\System\oenYevl.exe
2⤵
PID:12400

C:\Windows\System\QyzWPGS.exe
C:\Windows\System\QyzWPGS.exe
2⤵
PID:12428

C:\Windows\System\uabQtPW.exe
C:\Windows\System\uabQtPW.exe
2⤵
PID:12456

C:\Windows\System\ARqIjMm.exe
C:\Windows\System\ARqIjMm.exe
2⤵
PID:12484

C:\Windows\System\nYxwYNd.exe
C:\Windows\System\nYxwYNd.exe
2⤵
PID:12512

C:\Windows\System\vuLopTN.exe
C:\Windows\System\vuLopTN.exe
2⤵
PID:12540

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_geapwivt.53e.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\ADPHdiI.exe
Filesize
3.3MB

MD5
fa2eb027cf72991934e2fae5e8703f1f

SHA1
680caddd2448c096334c30b1018be9862f5fe887

SHA256
8fbbd8ab963dfefea2209460d736799759a44e93d57877c08df68cfe5bb61a82

SHA512
389dc49371069c92c0788229eed07f6a588714dbe7bf7c827b878196c5d3978d4187fb1543ccc614bc376c8b4f925d0b13498c0e2eb0b7fa67220b868e5f2d0f

Download Submit
C:\Windows\System\AzplIgg.exe
Filesize
3.3MB

MD5
157c55477885e9065d30ca1a3decfba7

SHA1
3297695c4ea003d0beeced87ab925a47991a1583

SHA256
01087eef054fded6ebd61cc3bdb070da7d802b31b456b6244794655cd17a4465

SHA512
a81e3088e1c7f7c542cd7930d640886948165d9a7bf7ff953f9e6f8479535acfdc6be37f71c075bf8649a79c7118c8b7eb92d369f2ffae4a10969c6fc3860df9

Download Submit
C:\Windows\System\BAMuSig.exe
Filesize
3.3MB

MD5
5188f53a9f10007e120ff43b0feb0fe5

SHA1
841abe82a5ef3708df7ed5c80c9ebf07f14cd3b1

SHA256
d32a364bb9df80394ac759aedd403c7a5e6830027a9268ed5e1f8929d0ddb518

SHA512
750c0c2255bca03393765317bebc9bc5c993d40167621b43331ca0f8d832ba782077285b4e85fbf8d258770426a59a4c446ff7f6c45b6e747d8e88f44ecbdfe4

Download Submit
C:\Windows\System\ETtNypO.exe
Filesize
3.3MB

MD5
450fa29391728824b5c437116019e885

SHA1
dddc2c9db1f4daffb006f5fbf433b6ceda666484

SHA256
103c1b50b3282d9370172edfe72e6597a6c483a3d590821eeb70ea992fc0c6e5

SHA512
3df2488fe321d1d9b5baa4623d10f861d1251ad9353005dba9668ca5699b0ac61516266559278c74457d724f65fd51fb27ec29830b03dea27ba3d2c03647e613

Download Submit
C:\Windows\System\GdMfhFb.exe
Filesize
3.3MB

MD5
0a95d13feec2dc20104e170883922bea

SHA1
472fc85681293523c683ad0b2e105b35987ae700

SHA256
9f9684e17933133b1afebc6341aaeb01ae199c42666ef0e709f6a6623070e036

SHA512
299902348067e345ff87e2a3faa12e0065cc5632eee583756526df55cb59c391a2c79ef988220d878c6f5a19a719a6566cfbff7a2a244b08cb112b85332a6fd2

Download Submit
C:\Windows\System\HGfBAbC.exe
Filesize
3.3MB

MD5
03fcf49c2909deb38e7f7aef1fc9a0c5

SHA1
dd92a7fb35ae57d61948df6f6696654d9117b31d

SHA256
53eaff08eef7b26e6fb811be8e3127dcdecf0b5961543e7145a12dc85714326a

SHA512
6729e6be5e2cdeb61dec063908246fecc1a7e65a44a31cc2b8721da74b44a1b8b2217005033c9d246e698d7fefe9eeea89ea1373faf80ae8fc83aec877c54d47

Download Submit
C:\Windows\System\Htethbx.exe
Filesize
3.3MB

MD5
469fae22639ac870d764e48f19c00082

SHA1
65da6f186d64c66bad1b095f61106b98abb79630

SHA256
3679ed43aa1d06b7d8ccd905766304caacae7444468e08979afb23f017ec4e95

SHA512
7c497bf7d151ac9418d0d1a020886469983b30e28734314bdfdfa7e7eb0a77927e318071070ccca80adeba7502bca086e45fc5520caeddcaa306c6206c138e1f

Download Submit
C:\Windows\System\IFcNBxl.exe
Filesize
3.3MB

MD5
521a671b01e976fa9c311af725645bee

SHA1
9b0e717671bea9423a692b3435dee7c9697cfb9b

SHA256
bc1a546d40f007022248b0cac4705f76542fb6519f9751169824d507e0d9e33c

SHA512
2c7e3f232b81cef4858a0c6f89e45e3bed6db2f17f3603b393ad6e48e37bd9c5b52a12a8bebd5e9d316510d4a9789b673084d07dc135590ade16de66fe966a12

Download Submit
C:\Windows\System\JGEJqDS.exe
Filesize
3.3MB

MD5
b68a225b135eff2ee80dc9dafb5820cc

SHA1
31731c32e922b08f96006e793d161c67719df126

SHA256
216c96af70700ddfab35e97126d33df7a070462fb2f8902b30c06a19c0539b57

SHA512
2db6393d052eaf4b2fa8af6e123a3868ccb0ac4a8e0ba4a5762b5d0a47e8491492c9ed336bde1e281b2e051904e42310271cc90b96ddfd906be8441bd09041f2

Download Submit
C:\Windows\System\JsRtufI.exe
Filesize
3.3MB

MD5
b2c7d7dbc36639639caa362a8d380ea9

SHA1
eb8a1f18e0588c781b267cee57cb05aa49396277

SHA256
c8fe2a2b753a165ed15bd6e90f3155b46456c30abeb181d90c5cb920a68d52bf

SHA512
c5c71e6ec5874ee013169614fbe2672b761343cb02abe0743650fa6e0a653d51369e93ec76fc800fcca90e8638acf7662511c6b7bf917cc506e81e53253c2c3e

Download Submit
C:\Windows\System\KsLSyxV.exe
Filesize
3.3MB

MD5
8030b16ff4ef599be9807e442f6eec87

SHA1
d6ef464daf3f42d773c1d0b0921074b9c6b10c1b

SHA256
d995eb9f30556f25fe58f191b3b2866e342ee7dff132a77cfd0ec92507e7e8fe

SHA512
a0d4241742f9738a50ecd3ffe4ee9c901b4629bc539e81a832b873fbdbcc0ab078ab1de3dad3f9834b68d4fcf53521051ff0d1142cea59e7dfff24e85cf122a7

Download Submit
C:\Windows\System\MxAQycQ.exe
Filesize
3.3MB

MD5
3a5e601124704fa46573bff71be1bf4d

SHA1
ff0678625099efd8d6148416d0447e0176416be9

SHA256
17a7b84a194886ad9ab2adb9f1bdb2f97672119cd05a0f75efb68279860b709d

SHA512
b4b86dc1001f64fbbd73e4f64d58ecf6e1d43713f11026d17c88ef9a3b7fc07b1d4a23edda859933f5ae92000c245e11d206b837616c43735b5361b5ed2628fd

Download Submit
C:\Windows\System\NmsbbFt.exe
Filesize
3.3MB

MD5
4a0d3f634dd7bcaa3549abcfeb9d9cfd

SHA1
5b92249b9eaa969c861cddba6c65d4ef4c436c75

SHA256
882cd433fc985db4f56576825b8d0985ef43ce8ffe23d6fc7f1364d8ebe613b2

SHA512
f5c47e228d82f442b27b43b9880ef04d75532607848393a8adf0ee3f2dffe70beac3d536e0a85863594b9e6d7d3d52104b97842a2f9e92ac2059d52356e5772a

Download Submit
C:\Windows\System\QSxlDCW.exe
Filesize
3.3MB

MD5
4ace03fd9fe5ceeeff111635c206d94c

SHA1
ba69580704b08dc6c20797a406ce6a3aa468bea5

SHA256
6ff92b0f042f0172ec82e9a0f3a5dcfcc681acde26a7c989f3588587cd3f7547

SHA512
80c28b127450a553ce8b44bf54930b2a3337790c770760f2a02ece8e2f63a3837d8900b743c85a3d9c097e155270e327cee791f6dee4a0e97b96ad6c53c721d7

Download Submit
C:\Windows\System\RJDKDml.exe
Filesize
3.3MB

MD5
b6923c469b8522f82ee2cb9948cef953

SHA1
f085f93ca5f011e534e4cb8583983a058178bdac

SHA256
5103eb56baa06cc4ff20e43d410be27fe031f02669745e24d6cbfd39849d5429

SHA512
588eb85c1842b9e847037eae787903eb2790d5ac6a7d25dc2a819de900d50664e61ad80c3b34194af34616e4885e58b33402bb4d2eec9912b40b9dafdfdfe998

Download Submit
C:\Windows\System\UuCEOkz.exe
Filesize
3.3MB

MD5
99d5af03a31ba052ec4738d165fb44d0

SHA1
b62115154ccf44b54731b1bd61b81dc3a9934131

SHA256
86f8da889f8d3bbdf0537c0e74dd94989055342fa6e60d93fbfa3cef572b940c

SHA512
08fadc541ed96321b41ccace5747b0e84c0b008ed3e9af28c76fe19f21bc71133a4c236039a8cc1d29ba0d0de9aa848c66aa2433cf87e82d88169884b1bdebb6

Download Submit
C:\Windows\System\VjzNNHz.exe
Filesize
3.3MB

MD5
8dfa559ffd74c40b543d91e5d1fc9ee9

SHA1
ef935642975510486c42a740e39e8fa8a1f476ac

SHA256
4e189dfbc2477c20b2c23e4b5d912e8656a8a60df142741c2b4f6ebcb59f9d36

SHA512
4fddec63377494d09020989a2b71176de4b21a97e3ece3a49bcf581127b8000b72ed06e96503113356565af80650711ccebcdbb991ab9f10bc9cdee0303c948f

Download Submit
C:\Windows\System\VsBjpOV.exe
Filesize
3.3MB

MD5
3cd7e92cdcdcdcf9e79b4d04ec5c8215

SHA1
c46ed0bd88fa95e696e20b51a50e4e9e515cf19a

SHA256
bad401b29d111cb75e2f3bed76880df7e28136630b78569740c5c5625e9dc7b7

SHA512
6a2b195b80404d2aaaac3dcd2ccac5f2fa631b4cf435cd9dbd78037daad70258d95834e98e38f247151f62690c2ae5dd4b15d589f983ab1b2f296a296201300e

Download Submit
C:\Windows\System\VthmEsp.exe
Filesize
3.3MB

MD5
5aa871c929d3b22de63796c0e644174e

SHA1
39789a1b8d4672dee6270e6a33379e159f182858

SHA256
4a4a671ef37a16b5e5e2b8dce0004dee84a841cced18970a22c72c56972f4abf

SHA512
499ea5b515e67d51db918c4715f3f7ce0dbdedc004dc1ee8c667a65d9ed7df1fae36dcd6a5460b81b5be6a8eedcc9d59cdf66d06b0405a594b39f25832688ad8

Download Submit
C:\Windows\System\WgWRebY.exe
Filesize
3.3MB

MD5
fb1118e21a2f4de744c1100ab67c7149

SHA1
651bbe171ba0225a833053101eed2df710e5f24f

SHA256
52f169a6649b7644fd01c52611ba2b142bf4860cdab606aab6bc8525a0d83488

SHA512
5979a19075ea7a5bbfde7fc3fbe9817a8e6548d607b12bd280b62e758bac35ba361731d2e30424808dcf910329b511e97eeae518a6298c767dd3cd1a3592e8f4

Download Submit
C:\Windows\System\Wrzbser.exe
Filesize
3.3MB

MD5
2115ba23faaa1f3673c99cc0cff4984b

SHA1
934a399f917eb5ed8ecc97ebd1fb1f53f233fc60

SHA256
0af693e090c4cf4e82a2b5e5458903355ed1f4465cbda7092cdbf097566d6e3d

SHA512
3317fe69f32663df0b6886a1ac8244b1fb4a2db0f6678d4b1c31e120af8d70e09029e4bf7fc7016ef5872a299b38512ba58e16f71592940d08c4b9b9171b0a5b

Download Submit
C:\Windows\System\ZIVPvsO.exe
Filesize
3.3MB

MD5
6c1592798aba0737f950124d5b9f03a6

SHA1
cfb296a2b52c6b48a2e380d5e314ac8a2d46c534

SHA256
36d1af564f6b597184ac45075f6b9d96332c3f3292cbf257b853fe6bce260bbc

SHA512
1ea0a8ebabf3bdad48973a689284d8f15ad0b8a532a1e07eb65b1a2c264041bcc801c7b7094af42791d45d10355a1a7f4ca2c03ccf602ba4095c6247c289685f

Download Submit
C:\Windows\System\bjmtBeg.exe
Filesize
3.3MB

MD5
071749c26e62d74a8e882623ac5c9681

SHA1
ec77088e18e88096d6c27f9a118ae4c1fb7822b5

SHA256
efec3a52b619c1f05220378af3855d45fbb594542f3392ebe29cd5d669b7510f

SHA512
691a295a78c58b8882726e118dcb0dfe2a4e688b317a01e85d9b2c60d41581364ae51c18e61ed929383c29c47047be7d0fc8b6920c5ed0a6f60bccb5b805c655

Download Submit
C:\Windows\System\cnzpWlz.exe
Filesize
3.3MB

MD5
4329f499b95b36dab1103ee8a46164d6

SHA1
fac01e31e9f26b7c8910efde8b46ae5f0e52d44c

SHA256
ad4167c6be9f7c20ab342858ac3fbf18ce9fcad4316128da3edf3ccd1b183d53

SHA512
e3347d12f398c0cecdc2e41dbee069c80e45375105d7d0b04a4f25f16ec1ff78bf8976faf58a1210af5fcde3645e530fda57669c3e0265d1c7e3a8c3c8550c1b

Download Submit
C:\Windows\System\eDMTqVY.exe
Filesize
3.3MB

MD5
43e74a429967020d81dbc214e9d8885b

SHA1
dd931b7520db1a5dca35a2662f9964f362d326d0

SHA256
eb55bf22d0cb80aa2859b4ff84a3640c2bd688ecd2b1452ff7f198b9f23b5fa9

SHA512
dfd54b3f1ce618f5e9885dcd6a37affb0f75ccbf0004bdee36034e0f1aa3a4b5d911c591be31d1535ee0df31b73ebf67e9c8dc582b5e53610ffff9a3e508e37f

Download Submit
C:\Windows\System\fRWgqym.exe
Filesize
3.3MB

MD5
3a44fd2df33802fba86cacadc77ce2a5

SHA1
084e1665be1c0027853e2fcf00bb6f54aefb7079

SHA256
5d4d91e4fdaf4e59423353251298265842f5d26c1489e3ff2e2ef8db25c012fd

SHA512
07692ed6841475e5409a8de7b15d7effd8d832d3c369e2da22a240a9bd8c8c026a221276ee31dcdd8df44b6f77119e74e6fcd77280bc1019cea93f53a6e3bee4

Download Submit
C:\Windows\System\gHPHaGt.exe
Filesize
3.3MB

MD5
2d355da58164675159bbf0a911d7dc56

SHA1
04136e73fae6213fb096e45dab3f5555529162f3

SHA256
dd4be2a38bf2dd68c0f3fb79246f87cc50b46909adefc89b7168f9e9f0d45f31

SHA512
472bb23b4d6024174cea6976826407be60b2bab662558f0a15aabf29943edb35021e70376ed283430a0194990311a7b5f22fa8db78ba37c441746387b3f2b07c

Download Submit
C:\Windows\System\ioIsLoe.exe
Filesize
3.3MB

MD5
5d0175a501b506b43b364cab9f342f22

SHA1
3e594eb7c50ffc1abd8cc78ee8f8f1bb7e0a5689

SHA256
ab97f2ab6a178c44df323eb25c633032f43fc824634fd9741e5976109f80998e

SHA512
ed5a4c9db25dff66cd1cf3aa06d880a4b3d4d0813a1eb5d40c3cdd8d90dd33322a8afc7dbae48ceb8a623cba51f0d21bc1fcf12b4dbeb28248f2a2917461d287

Download Submit
C:\Windows\System\lhPokcs.exe
Filesize
3.3MB

MD5
4b0a8ba24aaf98f5919e1d23d31010a9

SHA1
507bf7b078b255c4c2bd17b2fbbc7efb7ffecadd

SHA256
cb19a34612482ec1cfb29e88dff5ab65b68fc82a430eda5dfcf2bd5c80c766d4

SHA512
53e26973fb19e158150041a18975f1c6720ce036040ea29985b7ee56713f0ca4017df874780c1cb0dc517a5a2c7e7c33b4be252e611781b6c08738909c712bac

Download Submit
C:\Windows\System\lusvstf.exe
Filesize
3.3MB

MD5
00d323b2ac100f4dc39cf3aba1ec489b

SHA1
53b5bcee67c0a99b544fe73eea6f3067051b82a5

SHA256
86aa4a17ae61c2070ffdcaed5a5b01b0fc598b8322b9ace73a4444cd6a64be18

SHA512
a32fff9aec65a62b19016c915128f65524e94b2052df83340a0465404e746dd6911945f02092a12af7e2a6c7172805fcbd97b377cfe04ba8a1c369d038a0c3e4

Download Submit
C:\Windows\System\mCYgexw.exe
Filesize
8B

MD5
9962fa9c120fa4be5b0a3f7a74dbcadf

SHA1
b6f88aa1c093b2340de068ac2ff30cce108e3fc6

SHA256
945d12760562a76bb5610a082b9c7801a49c6c9de534141d0c528ee6828f8992

SHA512
b2eeefcd3c65dccb02eb4079fd8fe88b36ae6927cd8ddb4de7afd16b396b895522c8feb1cc1373ad7adcb7732e1d37129de60c1aaea95865a3c1e13ac02b6cac

Download Submit
C:\Windows\System\tQesFUW.exe
Filesize
3.3MB

MD5
4a13a98f0d46f5fb1f6ab4de5487963a

SHA1
ba80005e6ad2a1445dc2846840a5eb0fafdc1a12

SHA256
1eff846742aec910dae88153ce2c97f65f166a26f7eef1858ea52a2307517478

SHA512
05217e9cc96e5bad65d53953b27ec1cd4f06040d516063e98fba0f7014e619ecaa40d76d015d29fd44e4bb26d5c7eb0a8338ba113e4071465c96effad590ef7b

Download Submit
C:\Windows\System\vdjhUWf.exe
Filesize
3.3MB

MD5
a38cab590d3e45b59826d3b7ab26ad73

SHA1
761ec0a0fd0dc5fb3a7b4af058c8daec2d99c378

SHA256
cedc324d9ad9c8777ce7dbf7f653c305693e8ece56652b211cd277a939739792

SHA512
e9247a7529566bd969342a36007910390287a9294363db702e2be50cca0731f82ba6b157384f960302012ae5eec385b0f2de453d299c322261399f991c68d763

Download Submit
C:\Windows\System\yXqkGKn.exe
Filesize
3.3MB

MD5
cbebde22acce43dc6b6d5f3ed75341a9

SHA1
947a218dd4cdee4aa50859fd69276132c34b98c3

SHA256
a42f506ffe8ab4cb7b80574f17e85609fa78899fae4da0c6dfc963c249a86673

SHA512
b595cb90246521f5df5d03b6e45c785ee6ba17867478f081f542c8aaae1367507fec1a0a1413d400dbb47d7539be9c64f2b2f604a0bdf891287acc64fcb0efaa

Download Submit
memory/624-900-0x00007FF642240000-0x00007FF642636000-memory.dmp

Filesize
4.0MB

Download
memory/624-2127-0x00007FF642240000-0x00007FF642636000-memory.dmp

Filesize
4.0MB

Download
memory/1092-2134-0x00007FF7F53C0000-0x00007FF7F57B6000-memory.dmp

Filesize
4.0MB

Download
memory/1092-828-0x00007FF7F53C0000-0x00007FF7F57B6000-memory.dmp

Filesize
4.0MB

Download
memory/1136-891-0x00007FF7B3BD0000-0x00007FF7B3FC6000-memory.dmp

Filesize
4.0MB

Download
memory/1136-2142-0x00007FF7B3BD0000-0x00007FF7B3FC6000-memory.dmp

Filesize
4.0MB

Download
memory/1444-2131-0x00007FF775210000-0x00007FF775606000-memory.dmp

Filesize
4.0MB

Download
memory/1444-911-0x00007FF775210000-0x00007FF775606000-memory.dmp

Filesize
4.0MB

Download
memory/1604-868-0x00007FF7D28C0000-0x00007FF7D2CB6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-2146-0x00007FF7D28C0000-0x00007FF7D2CB6000-memory.dmp

Filesize
4.0MB

Download
memory/1684-2122-0x00007FF708130000-0x00007FF708526000-memory.dmp

Filesize
4.0MB

Download
memory/1684-2132-0x00007FF708130000-0x00007FF708526000-memory.dmp

Filesize
4.0MB

Download
memory/1684-60-0x00007FF708130000-0x00007FF708526000-memory.dmp

Filesize
4.0MB

Download
memory/1852-835-0x00007FF7714F0000-0x00007FF7718E6000-memory.dmp

Filesize
4.0MB

Download
memory/1852-2141-0x00007FF7714F0000-0x00007FF7718E6000-memory.dmp

Filesize
4.0MB

Download
memory/2272-884-0x00007FF682040000-0x00007FF682436000-memory.dmp

Filesize
4.0MB

Download
memory/2272-2147-0x00007FF682040000-0x00007FF682436000-memory.dmp

Filesize
4.0MB

Download
memory/2356-840-0x00007FF7CB850000-0x00007FF7CBC46000-memory.dmp

Filesize
4.0MB

Download
memory/2356-2140-0x00007FF7CB850000-0x00007FF7CBC46000-memory.dmp

Filesize
4.0MB

Download
memory/2604-2138-0x00007FF70DEA0000-0x00007FF70E296000-memory.dmp

Filesize
4.0MB

Download
memory/2604-824-0x00007FF70DEA0000-0x00007FF70E296000-memory.dmp

Filesize
4.0MB

Download
memory/2900-2121-0x00007FF68B210000-0x00007FF68B606000-memory.dmp

Filesize
4.0MB

Download
memory/2900-2128-0x00007FF68B210000-0x00007FF68B606000-memory.dmp

Filesize
4.0MB

Download
memory/2900-42-0x00007FF68B210000-0x00007FF68B606000-memory.dmp

Filesize
4.0MB

Download
memory/2928-888-0x00007FF7C0B10000-0x00007FF7C0F06000-memory.dmp

Filesize
4.0MB

Download
memory/2928-2148-0x00007FF7C0B10000-0x00007FF7C0F06000-memory.dmp

Filesize
4.0MB

Download
memory/2980-2144-0x00007FF6E6800000-0x00007FF6E6BF6000-memory.dmp

Filesize
4.0MB

Download
memory/2980-879-0x00007FF6E6800000-0x00007FF6E6BF6000-memory.dmp

Filesize
4.0MB

Download
memory/3104-852-0x00007FF70D980000-0x00007FF70DD76000-memory.dmp

Filesize
4.0MB

Download
memory/3104-2137-0x00007FF70D980000-0x00007FF70DD76000-memory.dmp

Filesize
4.0MB

Download
memory/3344-23-0x00007FF894870000-0x00007FF895331000-memory.dmp

Filesize
10.8MB

Download
memory/3344-2120-0x00007FF894870000-0x00007FF895331000-memory.dmp

Filesize
10.8MB

Download
memory/3344-36-0x00007FF894870000-0x00007FF895331000-memory.dmp

Filesize
10.8MB

Download
memory/3344-30-0x000001DD73D70000-0x000001DD73D92000-memory.dmp

Filesize
136KB

Download
memory/3344-2123-0x00007FF894873000-0x00007FF894875000-memory.dmp

Filesize
8KB

Download
memory/3344-2124-0x00007FF894870000-0x00007FF895331000-memory.dmp

Filesize
10.8MB

Download
memory/3344-14-0x00007FF894873000-0x00007FF894875000-memory.dmp

Filesize
8KB

Download
memory/3344-327-0x000001DD76B10000-0x000001DD772B6000-memory.dmp

Filesize
7.6MB

Download
memory/3368-2125-0x00007FF7791B0000-0x00007FF7795A6000-memory.dmp

Filesize
4.0MB

Download
memory/3368-13-0x00007FF7791B0000-0x00007FF7795A6000-memory.dmp

Filesize
4.0MB

Download
memory/3636-882-0x00007FF6B8440000-0x00007FF6B8836000-memory.dmp

Filesize
4.0MB

Download
memory/3636-2143-0x00007FF6B8440000-0x00007FF6B8836000-memory.dmp

Filesize
4.0MB

Download
memory/3872-860-0x00007FF7333E0000-0x00007FF7337D6000-memory.dmp

Filesize
4.0MB

Download
memory/3872-2136-0x00007FF7333E0000-0x00007FF7337D6000-memory.dmp

Filesize
4.0MB

Download
memory/4024-2139-0x00007FF755F70000-0x00007FF756366000-memory.dmp

Filesize
4.0MB

Download
memory/4024-856-0x00007FF755F70000-0x00007FF756366000-memory.dmp

Filesize
4.0MB

Download
memory/4152-2135-0x00007FF7EDC50000-0x00007FF7EE046000-memory.dmp

Filesize
4.0MB

Download
memory/4152-912-0x00007FF7EDC50000-0x00007FF7EE046000-memory.dmp

Filesize
4.0MB

Download
memory/4536-2145-0x00007FF7D0450000-0x00007FF7D0846000-memory.dmp

Filesize
4.0MB

Download
memory/4536-863-0x00007FF7D0450000-0x00007FF7D0846000-memory.dmp

Filesize
4.0MB

Download
memory/4608-0-0x00007FF731230000-0x00007FF731626000-memory.dmp

Filesize
4.0MB

Download
memory/4608-1-0x000001B2D72B0000-0x000001B2D72C0000-memory.dmp

Filesize
64KB

Download
memory/4624-896-0x00007FF74F0B0000-0x00007FF74F4A6000-memory.dmp

Filesize
4.0MB

Download
memory/4624-2126-0x00007FF74F0B0000-0x00007FF74F4A6000-memory.dmp

Filesize
4.0MB

Download
memory/4940-847-0x00007FF70DB40000-0x00007FF70DF36000-memory.dmp

Filesize
4.0MB

Download
memory/4940-2133-0x00007FF70DB40000-0x00007FF70DF36000-memory.dmp

Filesize
4.0MB

Download
memory/4984-908-0x00007FF606440000-0x00007FF606836000-memory.dmp

Filesize
4.0MB

Download
memory/4984-2129-0x00007FF606440000-0x00007FF606836000-memory.dmp

Filesize
4.0MB

Download
memory/5076-2130-0x00007FF648F70000-0x00007FF649366000-memory.dmp

Filesize
4.0MB

Download
memory/5076-64-0x00007FF648F70000-0x00007FF649366000-memory.dmp

Filesize
4.0MB

Download