xmrig | 31acae5de025fa46fc23a8463b94020e6949aac72e6d1a92a6e05b694d8129d8

Analysis

max time kernel
148s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 09:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
Size

1.5MB
MD5

accbb15c8be0964054a7c5bb875aac10
SHA1

d59f09caa824a1d0d389222f378056b58eefa2fa
SHA256

31acae5de025fa46fc23a8463b94020e6949aac72e6d1a92a6e05b694d8129d8
SHA512

e4ee3fc10d1bb3eb9f023d66a812a564f0005a0db1418016d771b5784b219ff33d70c93ab7a08ce5122c6d9579f425891e437dcb449c33c9b9a5ead9281d31f0
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkUCCWvLEvjuJoz5XdUK6S1uBkr5GqlfiQzf0Y01XrW:Lz071uv4BPMkHC0I6Gz3N1pHVf0wQu

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

resource	yara_rule
behavioral2/memory/3692-18-0x00007FF7DF190000-0x00007FF7DF582000-memory.dmp	xmrig
behavioral2/memory/1516-60-0x00007FF7D0E90000-0x00007FF7D1282000-memory.dmp	xmrig
behavioral2/memory/1784-542-0x00007FF7BA500000-0x00007FF7BA8F2000-memory.dmp	xmrig
behavioral2/memory/3996-543-0x00007FF64CC90000-0x00007FF64D082000-memory.dmp	xmrig
behavioral2/memory/736-102-0x00007FF6CD730000-0x00007FF6CDB22000-memory.dmp	xmrig
behavioral2/memory/2888-80-0x00007FF6AE5E0000-0x00007FF6AE9D2000-memory.dmp	xmrig
behavioral2/memory/4512-63-0x00007FF7A9230000-0x00007FF7A9622000-memory.dmp	xmrig
behavioral2/memory/1760-56-0x00007FF71EE60000-0x00007FF71F252000-memory.dmp	xmrig
behavioral2/memory/2744-49-0x00007FF67BB40000-0x00007FF67BF32000-memory.dmp	xmrig
behavioral2/memory/1904-587-0x00007FF6F2830000-0x00007FF6F2C22000-memory.dmp	xmrig
behavioral2/memory/4944-608-0x00007FF7AD310000-0x00007FF7AD702000-memory.dmp	xmrig
behavioral2/memory/5020-597-0x00007FF7C1D10000-0x00007FF7C2102000-memory.dmp	xmrig
behavioral2/memory/4656-594-0x00007FF66E340000-0x00007FF66E732000-memory.dmp	xmrig
behavioral2/memory/1672-628-0x00007FF715330000-0x00007FF715722000-memory.dmp	xmrig
behavioral2/memory/464-634-0x00007FF7FB330000-0x00007FF7FB722000-memory.dmp	xmrig
behavioral2/memory/3108-632-0x00007FF72DD10000-0x00007FF72E102000-memory.dmp	xmrig
behavioral2/memory/4676-619-0x00007FF604920000-0x00007FF604D12000-memory.dmp	xmrig
behavioral2/memory/2316-640-0x00007FF705850000-0x00007FF705C42000-memory.dmp	xmrig
behavioral2/memory/1924-646-0x00007FF6473B0000-0x00007FF6477A2000-memory.dmp	xmrig
behavioral2/memory/2440-673-0x00007FF7E3DB0000-0x00007FF7E41A2000-memory.dmp	xmrig
behavioral2/memory/5040-660-0x00007FF6E8B40000-0x00007FF6E8F32000-memory.dmp	xmrig
behavioral2/memory/2520-656-0x00007FF7BFB90000-0x00007FF7BFF82000-memory.dmp	xmrig
behavioral2/memory/1748-2215-0x00007FF6A25D0000-0x00007FF6A29C2000-memory.dmp	xmrig
behavioral2/memory/3692-2217-0x00007FF7DF190000-0x00007FF7DF582000-memory.dmp	xmrig
behavioral2/memory/736-2219-0x00007FF6CD730000-0x00007FF6CDB22000-memory.dmp	xmrig
behavioral2/memory/1760-2224-0x00007FF71EE60000-0x00007FF71F252000-memory.dmp	xmrig
behavioral2/memory/2744-2226-0x00007FF67BB40000-0x00007FF67BF32000-memory.dmp	xmrig
behavioral2/memory/1516-2223-0x00007FF7D0E90000-0x00007FF7D1282000-memory.dmp	xmrig
behavioral2/memory/1784-2227-0x00007FF7BA500000-0x00007FF7BA8F2000-memory.dmp	xmrig
behavioral2/memory/3996-2229-0x00007FF64CC90000-0x00007FF64D082000-memory.dmp	xmrig
behavioral2/memory/1672-2253-0x00007FF715330000-0x00007FF715722000-memory.dmp	xmrig
behavioral2/memory/464-2257-0x00007FF7FB330000-0x00007FF7FB722000-memory.dmp	xmrig
behavioral2/memory/3108-2255-0x00007FF72DD10000-0x00007FF72E102000-memory.dmp	xmrig
behavioral2/memory/4676-2251-0x00007FF604920000-0x00007FF604D12000-memory.dmp	xmrig
behavioral2/memory/1748-2247-0x00007FF6A25D0000-0x00007FF6A29C2000-memory.dmp	xmrig
behavioral2/memory/4656-2243-0x00007FF66E340000-0x00007FF66E732000-memory.dmp	xmrig
behavioral2/memory/4944-2241-0x00007FF7AD310000-0x00007FF7AD702000-memory.dmp	xmrig
behavioral2/memory/2440-2249-0x00007FF7E3DB0000-0x00007FF7E41A2000-memory.dmp	xmrig
behavioral2/memory/5020-2239-0x00007FF7C1D10000-0x00007FF7C2102000-memory.dmp	xmrig
behavioral2/memory/4512-2235-0x00007FF7A9230000-0x00007FF7A9622000-memory.dmp	xmrig
behavioral2/memory/2888-2233-0x00007FF6AE5E0000-0x00007FF6AE9D2000-memory.dmp	xmrig
behavioral2/memory/3168-2231-0x00007FF7F7DA0000-0x00007FF7F8192000-memory.dmp	xmrig
behavioral2/memory/5040-2245-0x00007FF6E8B40000-0x00007FF6E8F32000-memory.dmp	xmrig
behavioral2/memory/1904-2237-0x00007FF6F2830000-0x00007FF6F2C22000-memory.dmp	xmrig
behavioral2/memory/2316-2259-0x00007FF705850000-0x00007FF705C42000-memory.dmp	xmrig
behavioral2/memory/2520-2263-0x00007FF7BFB90000-0x00007FF7BFF82000-memory.dmp	xmrig
behavioral2/memory/1924-2261-0x00007FF6473B0000-0x00007FF6477A2000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

flow	pid	Process
8	2740	powershell.exe
10	2740	powershell.exe
15	2740	powershell.exe
16	2740	powershell.exe
18	2740	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3692	AXgtIfY.exe
736	TShdvCX.exe
1784	TmhIqZM.exe
2744	kGcFhFU.exe
1760	lmEZsoE.exe
1516	HArwkkf.exe
3996	xfktjBB.exe
4512	qtJQoWt.exe
3168	PyQcanW.exe
1748	aFmmCFk.exe
2888	NdAWkLk.exe
1904	AGhVxhL.exe
4656	VRhfKcz.exe
5020	heaEaYn.exe
5040	whZtGJu.exe
4944	WXMRfCC.exe
2440	Lgxevcl.exe
4676	WstxybA.exe
1672	vHuqwAN.exe
3108	qRfqIyr.exe
464	FNsrOxS.exe
2316	cryEIkb.exe
1924	TTBezQE.exe
2520	zCOuHtt.exe
3268	zJHvuAs.exe
3224	jPVUsFe.exe
2400	Ucjpokx.exe
668	eXAMhJM.exe
4364	QfaTUzK.exe
2264	KXSXYDU.exe
4472	UegMRqs.exe
4004	WSPzqMU.exe
4700	ZqkZDpx.exe
1448	zyHWYQK.exe
3992	enJAKeG.exe
2896	oFArdrj.exe
388	hrKwXZk.exe
2348	mYiREMZ.exe
208	kznvSRE.exe
3248	UVRmsTA.exe
3960	TKBCBnT.exe
1464	DermjTd.exe
4836	fDeGtPy.exe
1848	MaXhYMk.exe
952	BJaROxj.exe
4344	oToywQF.exe
228	IgrTPIu.exe
3672	YgEcqbc.exe
3128	DPgRWAj.exe
5008	ndCbOwi.exe
4040	svOGLpF.exe
2276	YSwwrbW.exe
1104	UvrkQbz.exe
3888	ZAgQtKw.exe
3436	XsJXJGg.exe
1764	GXKiviX.exe
2508	LgglLwt.exe
3112	VoeQUUk.exe
4500	zqFxJav.exe
656	ANxpqYK.exe
3848	wkrekoe.exe
3704	nBxbFqY.exe
1812	fppoXsv.exe
2892	OEckJMr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4548-0-0x00007FF6608B0000-0x00007FF660CA2000-memory.dmp	upx
behavioral2/files/0x000800000002348f-5.dat	upx
behavioral2/files/0x0007000000023492-25.dat	upx
behavioral2/files/0x0007000000023491-20.dat	upx
behavioral2/memory/3692-18-0x00007FF7DF190000-0x00007FF7DF582000-memory.dmp	upx
behavioral2/files/0x0007000000023490-16.dat	upx
behavioral2/files/0x0007000000023493-29.dat	upx
behavioral2/files/0x0007000000023494-35.dat	upx
behavioral2/files/0x0007000000023497-51.dat	upx
behavioral2/files/0x0007000000023496-58.dat	upx
behavioral2/memory/1516-60-0x00007FF7D0E90000-0x00007FF7D1282000-memory.dmp	upx
behavioral2/files/0x000700000002349c-87.dat	upx
behavioral2/files/0x000700000002349d-103.dat	upx
behavioral2/files/0x00070000000234a4-138.dat	upx
behavioral2/files/0x00070000000234a7-153.dat	upx
behavioral2/files/0x00070000000234ac-175.dat	upx
behavioral2/memory/1784-542-0x00007FF7BA500000-0x00007FF7BA8F2000-memory.dmp	upx
behavioral2/files/0x00070000000234ae-185.dat	upx
behavioral2/files/0x00070000000234ad-180.dat	upx
behavioral2/files/0x00070000000234ab-178.dat	upx
behavioral2/files/0x00070000000234aa-173.dat	upx
behavioral2/files/0x00070000000234a9-168.dat	upx
behavioral2/files/0x000800000002349f-163.dat	upx
behavioral2/files/0x00070000000234a8-158.dat	upx
behavioral2/files/0x00070000000234a6-148.dat	upx
behavioral2/files/0x00070000000234a5-143.dat	upx
behavioral2/files/0x00070000000234a3-133.dat	upx
behavioral2/files/0x00070000000234a2-128.dat	upx
behavioral2/files/0x00080000000234a0-123.dat	upx
behavioral2/files/0x00070000000234a1-118.dat	upx
behavioral2/memory/3996-543-0x00007FF64CC90000-0x00007FF64D082000-memory.dmp	upx
behavioral2/files/0x000700000002349e-113.dat	upx
behavioral2/files/0x000800000002348d-108.dat	upx
behavioral2/memory/736-102-0x00007FF6CD730000-0x00007FF6CDB22000-memory.dmp	upx
behavioral2/files/0x000700000002349b-81.dat	upx
behavioral2/memory/2888-80-0x00007FF6AE5E0000-0x00007FF6AE9D2000-memory.dmp	upx
behavioral2/files/0x000700000002349a-74.dat	upx
behavioral2/memory/1748-73-0x00007FF6A25D0000-0x00007FF6A29C2000-memory.dmp	upx
behavioral2/files/0x0007000000023499-68.dat	upx
behavioral2/files/0x0007000000023498-67.dat	upx
behavioral2/memory/3168-64-0x00007FF7F7DA0000-0x00007FF7F8192000-memory.dmp	upx
behavioral2/memory/4512-63-0x00007FF7A9230000-0x00007FF7A9622000-memory.dmp	upx
behavioral2/memory/1760-56-0x00007FF71EE60000-0x00007FF71F252000-memory.dmp	upx
behavioral2/memory/2744-49-0x00007FF67BB40000-0x00007FF67BF32000-memory.dmp	upx
behavioral2/files/0x0007000000023495-41.dat	upx
behavioral2/memory/1904-587-0x00007FF6F2830000-0x00007FF6F2C22000-memory.dmp	upx
behavioral2/memory/4944-608-0x00007FF7AD310000-0x00007FF7AD702000-memory.dmp	upx
behavioral2/memory/5020-597-0x00007FF7C1D10000-0x00007FF7C2102000-memory.dmp	upx
behavioral2/memory/4656-594-0x00007FF66E340000-0x00007FF66E732000-memory.dmp	upx
behavioral2/memory/1672-628-0x00007FF715330000-0x00007FF715722000-memory.dmp	upx
behavioral2/memory/464-634-0x00007FF7FB330000-0x00007FF7FB722000-memory.dmp	upx
behavioral2/memory/3108-632-0x00007FF72DD10000-0x00007FF72E102000-memory.dmp	upx
behavioral2/memory/4676-619-0x00007FF604920000-0x00007FF604D12000-memory.dmp	upx
behavioral2/memory/2316-640-0x00007FF705850000-0x00007FF705C42000-memory.dmp	upx
behavioral2/memory/1924-646-0x00007FF6473B0000-0x00007FF6477A2000-memory.dmp	upx
behavioral2/memory/2440-673-0x00007FF7E3DB0000-0x00007FF7E41A2000-memory.dmp	upx
behavioral2/memory/5040-660-0x00007FF6E8B40000-0x00007FF6E8F32000-memory.dmp	upx
behavioral2/memory/2520-656-0x00007FF7BFB90000-0x00007FF7BFF82000-memory.dmp	upx
behavioral2/memory/1748-2215-0x00007FF6A25D0000-0x00007FF6A29C2000-memory.dmp	upx
behavioral2/memory/3692-2217-0x00007FF7DF190000-0x00007FF7DF582000-memory.dmp	upx
behavioral2/memory/736-2219-0x00007FF6CD730000-0x00007FF6CDB22000-memory.dmp	upx
behavioral2/memory/1760-2224-0x00007FF71EE60000-0x00007FF71F252000-memory.dmp	upx
behavioral2/memory/2744-2226-0x00007FF67BB40000-0x00007FF67BF32000-memory.dmp	upx
behavioral2/memory/1516-2223-0x00007FF7D0E90000-0x00007FF7D1282000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\ShfBDPx.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\uRbkSlK.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\fDeGtPy.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\wMYqsiI.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\HryCsIa.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\psbJdfG.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\inGWNhy.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\hmrhZAr.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\ZeollAb.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\ASdfQzt.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\KXSXYDU.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\enJAKeG.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\BPmOCXn.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\CPKaCxJ.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\nATHqOg.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\QSljtBZ.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\fpPuRCv.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\UMSFFOW.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\BNQTIxo.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\jcpxAkm.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\lsWUwCt.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\pueQbvD.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\IgrTPIu.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\GtZienU.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\NbHprRZ.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\WxxGXgH.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\xIAvmyT.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\UvPUPLb.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\nChITMh.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\oFArdrj.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\IXxNXoA.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\ZQOBTRA.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\uCJSigx.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\ZPOGmBO.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\PWZsNWV.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\fppoXsv.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\dZGhweo.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\xUjQcnL.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\zlcrmSt.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\eXAMhJM.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\DPgRWAj.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\nIYloew.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\OlIcUfb.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\BTyKsuy.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\YDWElsw.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\iBNxLYu.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\qLovuiY.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\dsbbhfz.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\BlXhBRv.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\nsyZttQ.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\TPkdJkw.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\FNsrOxS.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\bWCmtrP.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\JVsRmOY.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\oPmLqAa.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\tGIYFoL.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\yQkjbux.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\yfFhUmO.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\RePeCZU.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\zgfwJXz.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\FthOQHK.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\PhumMjY.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\VIpTuon.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
File created	C:\Windows\System\SQXrIAF.exe	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2740	powershell.exe
2740	powershell.exe
2740	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeLockMemoryPrivilege	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	13304	dwm.exe
Token: SeChangeNotifyPrivilege	13304	dwm.exe
Token: 33	13304	dwm.exe
Token: SeIncBasePriorityPrivilege	13304	dwm.exe
Token: SeShutdownPrivilege	13304	dwm.exe
Token: SeCreatePagefilePrivilege	13304	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 2740	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	84
PID 4548 wrote to memory of 2740	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	84
PID 4548 wrote to memory of 3692	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	85
PID 4548 wrote to memory of 3692	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	85
PID 4548 wrote to memory of 736	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	86
PID 4548 wrote to memory of 736	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	86
PID 4548 wrote to memory of 1784	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	87
PID 4548 wrote to memory of 1784	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	87
PID 4548 wrote to memory of 1760	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	88
PID 4548 wrote to memory of 1760	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	88
PID 4548 wrote to memory of 2744	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	89
PID 4548 wrote to memory of 2744	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	89
PID 4548 wrote to memory of 1516	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	90
PID 4548 wrote to memory of 1516	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	90
PID 4548 wrote to memory of 3996	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	91
PID 4548 wrote to memory of 3996	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	91
PID 4548 wrote to memory of 4512	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	92
PID 4548 wrote to memory of 4512	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	92
PID 4548 wrote to memory of 3168	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	93
PID 4548 wrote to memory of 3168	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	93
PID 4548 wrote to memory of 1748	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	94
PID 4548 wrote to memory of 1748	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	94
PID 4548 wrote to memory of 2888	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	95
PID 4548 wrote to memory of 2888	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	95
PID 4548 wrote to memory of 1904	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	96
PID 4548 wrote to memory of 1904	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	96
PID 4548 wrote to memory of 4656	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	97
PID 4548 wrote to memory of 4656	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	97
PID 4548 wrote to memory of 5020	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	98
PID 4548 wrote to memory of 5020	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	98
PID 4548 wrote to memory of 5040	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	99
PID 4548 wrote to memory of 5040	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	99
PID 4548 wrote to memory of 4944	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	100
PID 4548 wrote to memory of 4944	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	100
PID 4548 wrote to memory of 2440	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	101
PID 4548 wrote to memory of 2440	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	101
PID 4548 wrote to memory of 4676	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	102
PID 4548 wrote to memory of 4676	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	102
PID 4548 wrote to memory of 1672	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	103
PID 4548 wrote to memory of 1672	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	103
PID 4548 wrote to memory of 3108	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	104
PID 4548 wrote to memory of 3108	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	104
PID 4548 wrote to memory of 464	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	105
PID 4548 wrote to memory of 464	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	105
PID 4548 wrote to memory of 2316	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	106
PID 4548 wrote to memory of 2316	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	106
PID 4548 wrote to memory of 1924	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	107
PID 4548 wrote to memory of 1924	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	107
PID 4548 wrote to memory of 2520	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	108
PID 4548 wrote to memory of 2520	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	108
PID 4548 wrote to memory of 3268	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	109
PID 4548 wrote to memory of 3268	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	109
PID 4548 wrote to memory of 3224	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	110
PID 4548 wrote to memory of 3224	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	110
PID 4548 wrote to memory of 2400	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	111
PID 4548 wrote to memory of 2400	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	111
PID 4548 wrote to memory of 668	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	112
PID 4548 wrote to memory of 668	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	112
PID 4548 wrote to memory of 4364	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	113
PID 4548 wrote to memory of 4364	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	113
PID 4548 wrote to memory of 2264	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	114
PID 4548 wrote to memory of 2264	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	114
PID 4548 wrote to memory of 4472	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	115
PID 4548 wrote to memory of 4472	4548	accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\accbb15c8be0964054a7c5bb875aac10_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System\AXgtIfY.exe
  C:\Windows\System\AXgtIfY.exe
  2⤵
  - Executes dropped EXE
  PID:3692
- C:\Windows\System\TShdvCX.exe
  C:\Windows\System\TShdvCX.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System\TmhIqZM.exe
  C:\Windows\System\TmhIqZM.exe
  2⤵
  - Executes dropped EXE
  PID:1784
- C:\Windows\System\lmEZsoE.exe
  C:\Windows\System\lmEZsoE.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\kGcFhFU.exe
  C:\Windows\System\kGcFhFU.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\HArwkkf.exe
  C:\Windows\System\HArwkkf.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\xfktjBB.exe
  C:\Windows\System\xfktjBB.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\qtJQoWt.exe
  C:\Windows\System\qtJQoWt.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\PyQcanW.exe
  C:\Windows\System\PyQcanW.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\aFmmCFk.exe
  C:\Windows\System\aFmmCFk.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\NdAWkLk.exe
  C:\Windows\System\NdAWkLk.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\AGhVxhL.exe
  C:\Windows\System\AGhVxhL.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\VRhfKcz.exe
  C:\Windows\System\VRhfKcz.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\heaEaYn.exe
  C:\Windows\System\heaEaYn.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\whZtGJu.exe
  C:\Windows\System\whZtGJu.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\WXMRfCC.exe
  C:\Windows\System\WXMRfCC.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\Lgxevcl.exe
  C:\Windows\System\Lgxevcl.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\WstxybA.exe
  C:\Windows\System\WstxybA.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\vHuqwAN.exe
  C:\Windows\System\vHuqwAN.exe
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\System\qRfqIyr.exe
  C:\Windows\System\qRfqIyr.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\FNsrOxS.exe
  C:\Windows\System\FNsrOxS.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\cryEIkb.exe
  C:\Windows\System\cryEIkb.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\TTBezQE.exe
  C:\Windows\System\TTBezQE.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\zCOuHtt.exe
  C:\Windows\System\zCOuHtt.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Windows\System\zJHvuAs.exe
  C:\Windows\System\zJHvuAs.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\jPVUsFe.exe
  C:\Windows\System\jPVUsFe.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\Ucjpokx.exe
  C:\Windows\System\Ucjpokx.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\eXAMhJM.exe
  C:\Windows\System\eXAMhJM.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\System\QfaTUzK.exe
  C:\Windows\System\QfaTUzK.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\KXSXYDU.exe
  C:\Windows\System\KXSXYDU.exe
  2⤵
  - Executes dropped EXE
  PID:2264
- C:\Windows\System\UegMRqs.exe
  C:\Windows\System\UegMRqs.exe
  2⤵
  - Executes dropped EXE
  PID:4472
- C:\Windows\System\WSPzqMU.exe
  C:\Windows\System\WSPzqMU.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\ZqkZDpx.exe
  C:\Windows\System\ZqkZDpx.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\zyHWYQK.exe
  C:\Windows\System\zyHWYQK.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\enJAKeG.exe
  C:\Windows\System\enJAKeG.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\oFArdrj.exe
  C:\Windows\System\oFArdrj.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\hrKwXZk.exe
  C:\Windows\System\hrKwXZk.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\mYiREMZ.exe
  C:\Windows\System\mYiREMZ.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\kznvSRE.exe
  C:\Windows\System\kznvSRE.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\UVRmsTA.exe
  C:\Windows\System\UVRmsTA.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\TKBCBnT.exe
  C:\Windows\System\TKBCBnT.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\DermjTd.exe
  C:\Windows\System\DermjTd.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\fDeGtPy.exe
  C:\Windows\System\fDeGtPy.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\MaXhYMk.exe
  C:\Windows\System\MaXhYMk.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\BJaROxj.exe
  C:\Windows\System\BJaROxj.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\oToywQF.exe
  C:\Windows\System\oToywQF.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\IgrTPIu.exe
  C:\Windows\System\IgrTPIu.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\YgEcqbc.exe
  C:\Windows\System\YgEcqbc.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\DPgRWAj.exe
  C:\Windows\System\DPgRWAj.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\ndCbOwi.exe
  C:\Windows\System\ndCbOwi.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\svOGLpF.exe
  C:\Windows\System\svOGLpF.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\YSwwrbW.exe
  C:\Windows\System\YSwwrbW.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\UvrkQbz.exe
  C:\Windows\System\UvrkQbz.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\ZAgQtKw.exe
  C:\Windows\System\ZAgQtKw.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\XsJXJGg.exe
  C:\Windows\System\XsJXJGg.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\GXKiviX.exe
  C:\Windows\System\GXKiviX.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Windows\System\LgglLwt.exe
  C:\Windows\System\LgglLwt.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\VoeQUUk.exe
  C:\Windows\System\VoeQUUk.exe
  2⤵
  - Executes dropped EXE
  PID:3112
- C:\Windows\System\zqFxJav.exe
  C:\Windows\System\zqFxJav.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\ANxpqYK.exe
  C:\Windows\System\ANxpqYK.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\System\wkrekoe.exe
  C:\Windows\System\wkrekoe.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\nBxbFqY.exe
  C:\Windows\System\nBxbFqY.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\fppoXsv.exe
  C:\Windows\System\fppoXsv.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\OEckJMr.exe
  C:\Windows\System\OEckJMr.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\ofzvEsf.exe
  C:\Windows\System\ofzvEsf.exe
  2⤵
  PID:1468
- C:\Windows\System\lSwnQFh.exe
  C:\Windows\System\lSwnQFh.exe
  2⤵
  PID:4940
- C:\Windows\System\JJYNpCi.exe
  C:\Windows\System\JJYNpCi.exe
  2⤵
  PID:1120
- C:\Windows\System\kiYExtm.exe
  C:\Windows\System\kiYExtm.exe
  2⤵
  PID:4620
- C:\Windows\System\PrryHPg.exe
  C:\Windows\System\PrryHPg.exe
  2⤵
  PID:3464
- C:\Windows\System\GKUPTgq.exe
  C:\Windows\System\GKUPTgq.exe
  2⤵
  PID:5104
- C:\Windows\System\vYQOKFt.exe
  C:\Windows\System\vYQOKFt.exe
  2⤵
  PID:2944
- C:\Windows\System\TybYOlB.exe
  C:\Windows\System\TybYOlB.exe
  2⤵
  PID:832
- C:\Windows\System\PRXaAEB.exe
  C:\Windows\System\PRXaAEB.exe
  2⤵
  PID:336
- C:\Windows\System\HRtmoNt.exe
  C:\Windows\System\HRtmoNt.exe
  2⤵
  PID:5128
- C:\Windows\System\HgrdZpH.exe
  C:\Windows\System\HgrdZpH.exe
  2⤵
  PID:5156
- C:\Windows\System\VFqTeCB.exe
  C:\Windows\System\VFqTeCB.exe
  2⤵
  PID:5184
- C:\Windows\System\fpPuRCv.exe
  C:\Windows\System\fpPuRCv.exe
  2⤵
  PID:5216
- C:\Windows\System\PfVaKKY.exe
  C:\Windows\System\PfVaKKY.exe
  2⤵
  PID:5240
- C:\Windows\System\NHmoVCg.exe
  C:\Windows\System\NHmoVCg.exe
  2⤵
  PID:5268
- C:\Windows\System\hKpEFMk.exe
  C:\Windows\System\hKpEFMk.exe
  2⤵
  PID:5300
- C:\Windows\System\TmkLqqy.exe
  C:\Windows\System\TmkLqqy.exe
  2⤵
  PID:5324
- C:\Windows\System\lkpgPVv.exe
  C:\Windows\System\lkpgPVv.exe
  2⤵
  PID:5360
- C:\Windows\System\elwzcTX.exe
  C:\Windows\System\elwzcTX.exe
  2⤵
  PID:5388
- C:\Windows\System\VuySbCg.exe
  C:\Windows\System\VuySbCg.exe
  2⤵
  PID:5416
- C:\Windows\System\Gqmhvqq.exe
  C:\Windows\System\Gqmhvqq.exe
  2⤵
  PID:5444
- C:\Windows\System\mJsrWlH.exe
  C:\Windows\System\mJsrWlH.exe
  2⤵
  PID:5472
- C:\Windows\System\yUiHDym.exe
  C:\Windows\System\yUiHDym.exe
  2⤵
  PID:5500
- C:\Windows\System\nURbBIx.exe
  C:\Windows\System\nURbBIx.exe
  2⤵
  PID:5532
- C:\Windows\System\QXrcZHx.exe
  C:\Windows\System\QXrcZHx.exe
  2⤵
  PID:5560
- C:\Windows\System\RQaqjeq.exe
  C:\Windows\System\RQaqjeq.exe
  2⤵
  PID:5588
- C:\Windows\System\TpIWynO.exe
  C:\Windows\System\TpIWynO.exe
  2⤵
  PID:5616
- C:\Windows\System\OWCNuAA.exe
  C:\Windows\System\OWCNuAA.exe
  2⤵
  PID:5676
- C:\Windows\System\pQBrUVY.exe
  C:\Windows\System\pQBrUVY.exe
  2⤵
  PID:5696
- C:\Windows\System\NXqlAMn.exe
  C:\Windows\System\NXqlAMn.exe
  2⤵
  PID:5712
- C:\Windows\System\QmhNYNb.exe
  C:\Windows\System\QmhNYNb.exe
  2⤵
  PID:5736
- C:\Windows\System\AJAgWZW.exe
  C:\Windows\System\AJAgWZW.exe
  2⤵
  PID:5764
- C:\Windows\System\hBmTsWh.exe
  C:\Windows\System\hBmTsWh.exe
  2⤵
  PID:5792
- C:\Windows\System\LZyoSYg.exe
  C:\Windows\System\LZyoSYg.exe
  2⤵
  PID:5812
- C:\Windows\System\GCrWHdN.exe
  C:\Windows\System\GCrWHdN.exe
  2⤵
  PID:5840
- C:\Windows\System\KVHCLEt.exe
  C:\Windows\System\KVHCLEt.exe
  2⤵
  PID:5864
- C:\Windows\System\mWaENiv.exe
  C:\Windows\System\mWaENiv.exe
  2⤵
  PID:5896
- C:\Windows\System\tmSokMn.exe
  C:\Windows\System\tmSokMn.exe
  2⤵
  PID:5932
- C:\Windows\System\AxkuULe.exe
  C:\Windows\System\AxkuULe.exe
  2⤵
  PID:5956
- C:\Windows\System\SSrbMoQ.exe
  C:\Windows\System\SSrbMoQ.exe
  2⤵
  PID:5980
- C:\Windows\System\WyApzSk.exe
  C:\Windows\System\WyApzSk.exe
  2⤵
  PID:6012
- C:\Windows\System\okjsImJ.exe
  C:\Windows\System\okjsImJ.exe
  2⤵
  PID:6040
- C:\Windows\System\QwrIWhI.exe
  C:\Windows\System\QwrIWhI.exe
  2⤵
  PID:6064
- C:\Windows\System\quwUZQd.exe
  C:\Windows\System\quwUZQd.exe
  2⤵
  PID:6096
- C:\Windows\System\LWcnQdA.exe
  C:\Windows\System\LWcnQdA.exe
  2⤵
  PID:6124
- C:\Windows\System\VRwpcdb.exe
  C:\Windows\System\VRwpcdb.exe
  2⤵
  PID:380
- C:\Windows\System\dZGhweo.exe
  C:\Windows\System\dZGhweo.exe
  2⤵
  PID:1324
- C:\Windows\System\axviEpx.exe
  C:\Windows\System\axviEpx.exe
  2⤵
  PID:2840
- C:\Windows\System\fIvmTuH.exe
  C:\Windows\System\fIvmTuH.exe
  2⤵
  PID:4348
- C:\Windows\System\TBqPFvu.exe
  C:\Windows\System\TBqPFvu.exe
  2⤵
  PID:1112
- C:\Windows\System\JlbDidb.exe
  C:\Windows\System\JlbDidb.exe
  2⤵
  PID:4596
- C:\Windows\System\fKJvPvr.exe
  C:\Windows\System\fKJvPvr.exe
  2⤵
  PID:5140
- C:\Windows\System\AXDwKni.exe
  C:\Windows\System\AXDwKni.exe
  2⤵
  PID:5200
- C:\Windows\System\DRlxlKP.exe
  C:\Windows\System\DRlxlKP.exe
  2⤵
  PID:5256
- C:\Windows\System\cukpkSF.exe
  C:\Windows\System\cukpkSF.exe
  2⤵
  PID:5316
- C:\Windows\System\ABxUeSU.exe
  C:\Windows\System\ABxUeSU.exe
  2⤵
  PID:1836
- C:\Windows\System\KXZwtqb.exe
  C:\Windows\System\KXZwtqb.exe
  2⤵
  PID:5428
- C:\Windows\System\mMcZXMi.exe
  C:\Windows\System\mMcZXMi.exe
  2⤵
  PID:5464
- C:\Windows\System\JlclLoL.exe
  C:\Windows\System\JlclLoL.exe
  2⤵
  PID:5548
- C:\Windows\System\zFoAKps.exe
  C:\Windows\System\zFoAKps.exe
  2⤵
  PID:5604
- C:\Windows\System\GtZienU.exe
  C:\Windows\System\GtZienU.exe
  2⤵
  PID:5636
- C:\Windows\System\MaWShtF.exe
  C:\Windows\System\MaWShtF.exe
  2⤵
  PID:5728
- C:\Windows\System\LVhEkmO.exe
  C:\Windows\System\LVhEkmO.exe
  2⤵
  PID:5804
- C:\Windows\System\XhPnCUl.exe
  C:\Windows\System\XhPnCUl.exe
  2⤵
  PID:5860
- C:\Windows\System\hZMUfhH.exe
  C:\Windows\System\hZMUfhH.exe
  2⤵
  PID:5916
- C:\Windows\System\zxrKlmA.exe
  C:\Windows\System\zxrKlmA.exe
  2⤵
  PID:5976
- C:\Windows\System\lsWUwCt.exe
  C:\Windows\System\lsWUwCt.exe
  2⤵
  PID:6032
- C:\Windows\System\PhumMjY.exe
  C:\Windows\System\PhumMjY.exe
  2⤵
  PID:6108
- C:\Windows\System\ARFBSzl.exe
  C:\Windows\System\ARFBSzl.exe
  2⤵
  PID:1772
- C:\Windows\System\OjHWgAU.exe
  C:\Windows\System\OjHWgAU.exe
  2⤵
  PID:4780
- C:\Windows\System\HryCsIa.exe
  C:\Windows\System\HryCsIa.exe
  2⤵
  PID:3020
- C:\Windows\System\qHxtQjh.exe
  C:\Windows\System\qHxtQjh.exe
  2⤵
  PID:1072
- C:\Windows\System\RePeCZU.exe
  C:\Windows\System\RePeCZU.exe
  2⤵
  PID:5292
- C:\Windows\System\zgfwJXz.exe
  C:\Windows\System\zgfwJXz.exe
  2⤵
  PID:5400
- C:\Windows\System\LDGGGqA.exe
  C:\Windows\System\LDGGGqA.exe
  2⤵
  PID:5520
- C:\Windows\System\RysXRwD.exe
  C:\Windows\System\RysXRwD.exe
  2⤵
  PID:5660
- C:\Windows\System\XilBuyJ.exe
  C:\Windows\System\XilBuyJ.exe
  2⤵
  PID:5832
- C:\Windows\System\qyibRZA.exe
  C:\Windows\System\qyibRZA.exe
  2⤵
  PID:5952
- C:\Windows\System\ybMFXsV.exe
  C:\Windows\System\ybMFXsV.exe
  2⤵
  PID:6080
- C:\Windows\System\PNqqPFk.exe
  C:\Windows\System\PNqqPFk.exe
  2⤵
  PID:448
- C:\Windows\System\ziaQBEa.exe
  C:\Windows\System\ziaQBEa.exe
  2⤵
  PID:2324
- C:\Windows\System\mxloEZk.exe
  C:\Windows\System\mxloEZk.exe
  2⤵
  PID:2900
- C:\Windows\System\grhpZce.exe
  C:\Windows\System\grhpZce.exe
  2⤵
  PID:516
- C:\Windows\System\CdOJciI.exe
  C:\Windows\System\CdOJciI.exe
  2⤵
  PID:1376
- C:\Windows\System\mkAAhUk.exe
  C:\Windows\System\mkAAhUk.exe
  2⤵
  PID:5724
- C:\Windows\System\RwHwnyq.exe
  C:\Windows\System\RwHwnyq.exe
  2⤵
  PID:5912
- C:\Windows\System\FOpXlXM.exe
  C:\Windows\System\FOpXlXM.exe
  2⤵
  PID:6140
- C:\Windows\System\iaECDtX.exe
  C:\Windows\System\iaECDtX.exe
  2⤵
  PID:4772
- C:\Windows\System\BzRYzrB.exe
  C:\Windows\System\BzRYzrB.exe
  2⤵
  PID:372
- C:\Windows\System\ZOiieAv.exe
  C:\Windows\System\ZOiieAv.exe
  2⤵
  PID:5632
- C:\Windows\System\oNlZQZZ.exe
  C:\Windows\System\oNlZQZZ.exe
  2⤵
  PID:2196
- C:\Windows\System\vmaeers.exe
  C:\Windows\System\vmaeers.exe
  2⤵
  PID:1536
- C:\Windows\System\lVogwBz.exe
  C:\Windows\System\lVogwBz.exe
  2⤵
  PID:3968
- C:\Windows\System\kCYlMZO.exe
  C:\Windows\System\kCYlMZO.exe
  2⤵
  PID:6156
- C:\Windows\System\JxoZKMB.exe
  C:\Windows\System\JxoZKMB.exe
  2⤵
  PID:6188
- C:\Windows\System\YgNBcsD.exe
  C:\Windows\System\YgNBcsD.exe
  2⤵
  PID:6208
- C:\Windows\System\ziyQEvo.exe
  C:\Windows\System\ziyQEvo.exe
  2⤵
  PID:6268
- C:\Windows\System\xpZLSCU.exe
  C:\Windows\System\xpZLSCU.exe
  2⤵
  PID:6348
- C:\Windows\System\UpxqkCi.exe
  C:\Windows\System\UpxqkCi.exe
  2⤵
  PID:6364
- C:\Windows\System\eeEIYFa.exe
  C:\Windows\System\eeEIYFa.exe
  2⤵
  PID:6380
- C:\Windows\System\PuSVUqj.exe
  C:\Windows\System\PuSVUqj.exe
  2⤵
  PID:6404
- C:\Windows\System\VmUefAR.exe
  C:\Windows\System\VmUefAR.exe
  2⤵
  PID:6428
- C:\Windows\System\atKghMQ.exe
  C:\Windows\System\atKghMQ.exe
  2⤵
  PID:6448
- C:\Windows\System\vvBJMzJ.exe
  C:\Windows\System\vvBJMzJ.exe
  2⤵
  PID:6464
- C:\Windows\System\aARnAGB.exe
  C:\Windows\System\aARnAGB.exe
  2⤵
  PID:6544
- C:\Windows\System\HWnEusz.exe
  C:\Windows\System\HWnEusz.exe
  2⤵
  PID:6592
- C:\Windows\System\oYTLYQP.exe
  C:\Windows\System\oYTLYQP.exe
  2⤵
  PID:6644
- C:\Windows\System\VMfDvTx.exe
  C:\Windows\System\VMfDvTx.exe
  2⤵
  PID:6700
- C:\Windows\System\ZWmjqKG.exe
  C:\Windows\System\ZWmjqKG.exe
  2⤵
  PID:6720
- C:\Windows\System\ehBUGCa.exe
  C:\Windows\System\ehBUGCa.exe
  2⤵
  PID:6740
- C:\Windows\System\PAveowh.exe
  C:\Windows\System\PAveowh.exe
  2⤵
  PID:6760
- C:\Windows\System\TadaLkI.exe
  C:\Windows\System\TadaLkI.exe
  2⤵
  PID:6788
- C:\Windows\System\PorBfYX.exe
  C:\Windows\System\PorBfYX.exe
  2⤵
  PID:6832
- C:\Windows\System\RKxQkwc.exe
  C:\Windows\System\RKxQkwc.exe
  2⤵
  PID:6868
- C:\Windows\System\oTUxKrD.exe
  C:\Windows\System\oTUxKrD.exe
  2⤵
  PID:6884
- C:\Windows\System\EgYmJHb.exe
  C:\Windows\System\EgYmJHb.exe
  2⤵
  PID:6904
- C:\Windows\System\HumNwhj.exe
  C:\Windows\System\HumNwhj.exe
  2⤵
  PID:6924
- C:\Windows\System\ifjvfTm.exe
  C:\Windows\System\ifjvfTm.exe
  2⤵
  PID:6944
- C:\Windows\System\xmbzSdV.exe
  C:\Windows\System\xmbzSdV.exe
  2⤵
  PID:6968
- C:\Windows\System\sLcnLcD.exe
  C:\Windows\System\sLcnLcD.exe
  2⤵
  PID:6988
- C:\Windows\System\eoTOSfe.exe
  C:\Windows\System\eoTOSfe.exe
  2⤵
  PID:7024
- C:\Windows\System\ykGPqWG.exe
  C:\Windows\System\ykGPqWG.exe
  2⤵
  PID:7040
- C:\Windows\System\WHryeQZ.exe
  C:\Windows\System\WHryeQZ.exe
  2⤵
  PID:7060
- C:\Windows\System\iuZCSyi.exe
  C:\Windows\System\iuZCSyi.exe
  2⤵
  PID:7076
- C:\Windows\System\zrArwos.exe
  C:\Windows\System\zrArwos.exe
  2⤵
  PID:7148
- C:\Windows\System\RKZxAAN.exe
  C:\Windows\System\RKZxAAN.exe
  2⤵
  PID:6180
- C:\Windows\System\MCGoXFo.exe
  C:\Windows\System\MCGoXFo.exe
  2⤵
  PID:3620
- C:\Windows\System\LmSCcqA.exe
  C:\Windows\System\LmSCcqA.exe
  2⤵
  PID:4568
- C:\Windows\System\uJvpoKa.exe
  C:\Windows\System\uJvpoKa.exe
  2⤵
  PID:3376
- C:\Windows\System\flWKaVZ.exe
  C:\Windows\System\flWKaVZ.exe
  2⤵
  PID:6456
- C:\Windows\System\cXLLbUP.exe
  C:\Windows\System\cXLLbUP.exe
  2⤵
  PID:6376
- C:\Windows\System\yJxbukh.exe
  C:\Windows\System\yJxbukh.exe
  2⤵
  PID:6400
- C:\Windows\System\faKkJyM.exe
  C:\Windows\System\faKkJyM.exe
  2⤵
  PID:6576
- C:\Windows\System\Wywwwfi.exe
  C:\Windows\System\Wywwwfi.exe
  2⤵
  PID:6624
- C:\Windows\System\SURCUUG.exe
  C:\Windows\System\SURCUUG.exe
  2⤵
  PID:6780
- C:\Windows\System\AFDbmnc.exe
  C:\Windows\System\AFDbmnc.exe
  2⤵
  PID:6696
- C:\Windows\System\elUKdLy.exe
  C:\Windows\System\elUKdLy.exe
  2⤵
  PID:6880
- C:\Windows\System\iMAKwEn.exe
  C:\Windows\System\iMAKwEn.exe
  2⤵
  PID:6936
- C:\Windows\System\TdQXYAy.exe
  C:\Windows\System\TdQXYAy.exe
  2⤵
  PID:7016
- C:\Windows\System\rCQLPBt.exe
  C:\Windows\System\rCQLPBt.exe
  2⤵
  PID:7048
- C:\Windows\System\xaqyCVM.exe
  C:\Windows\System\xaqyCVM.exe
  2⤵
  PID:7088
- C:\Windows\System\lDxDzZI.exe
  C:\Windows\System\lDxDzZI.exe
  2⤵
  PID:7144
- C:\Windows\System\sBoWAyq.exe
  C:\Windows\System\sBoWAyq.exe
  2⤵
  PID:1592
- C:\Windows\System\nQmcGjB.exe
  C:\Windows\System\nQmcGjB.exe
  2⤵
  PID:1656
- C:\Windows\System\LBlLhua.exe
  C:\Windows\System\LBlLhua.exe
  2⤵
  PID:6356
- C:\Windows\System\RFkSyoq.exe
  C:\Windows\System\RFkSyoq.exe
  2⤵
  PID:1544
- C:\Windows\System\ZVBwrLb.exe
  C:\Windows\System\ZVBwrLb.exe
  2⤵
  PID:2620
- C:\Windows\System\SCkbbfw.exe
  C:\Windows\System\SCkbbfw.exe
  2⤵
  PID:6496
- C:\Windows\System\cRiEHJw.exe
  C:\Windows\System\cRiEHJw.exe
  2⤵
  PID:6620
- C:\Windows\System\ACUtHrN.exe
  C:\Windows\System\ACUtHrN.exe
  2⤵
  PID:6392
- C:\Windows\System\ZPOGmBO.exe
  C:\Windows\System\ZPOGmBO.exe
  2⤵
  PID:6532
- C:\Windows\System\oprpWFD.exe
  C:\Windows\System\oprpWFD.exe
  2⤵
  PID:6584
- C:\Windows\System\fmIUbyh.exe
  C:\Windows\System\fmIUbyh.exe
  2⤵
  PID:7032
- C:\Windows\System\tUVLZxN.exe
  C:\Windows\System\tUVLZxN.exe
  2⤵
  PID:2056
- C:\Windows\System\cWdljgG.exe
  C:\Windows\System\cWdljgG.exe
  2⤵
  PID:4896
- C:\Windows\System\VJnBVWY.exe
  C:\Windows\System\VJnBVWY.exe
  2⤵
  PID:6304
- C:\Windows\System\bWCmtrP.exe
  C:\Windows\System\bWCmtrP.exe
  2⤵
  PID:4520
- C:\Windows\System\bWQlSaQ.exe
  C:\Windows\System\bWQlSaQ.exe
  2⤵
  PID:3560
- C:\Windows\System\eqwgPvv.exe
  C:\Windows\System\eqwgPvv.exe
  2⤵
  PID:7176
- C:\Windows\System\njRPqqM.exe
  C:\Windows\System\njRPqqM.exe
  2⤵
  PID:7212
- C:\Windows\System\MBXcmZf.exe
  C:\Windows\System\MBXcmZf.exe
  2⤵
  PID:7236
- C:\Windows\System\zRDsqSy.exe
  C:\Windows\System\zRDsqSy.exe
  2⤵
  PID:7256
- C:\Windows\System\kYKOiow.exe
  C:\Windows\System\kYKOiow.exe
  2⤵
  PID:7284
- C:\Windows\System\pueQbvD.exe
  C:\Windows\System\pueQbvD.exe
  2⤵
  PID:7304
- C:\Windows\System\SCxrcjl.exe
  C:\Windows\System\SCxrcjl.exe
  2⤵
  PID:7352
- C:\Windows\System\xUjQcnL.exe
  C:\Windows\System\xUjQcnL.exe
  2⤵
  PID:7372
- C:\Windows\System\UMSFFOW.exe
  C:\Windows\System\UMSFFOW.exe
  2⤵
  PID:7392
- C:\Windows\System\qQzUNLh.exe
  C:\Windows\System\qQzUNLh.exe
  2⤵
  PID:7412
- C:\Windows\System\uwQYnxh.exe
  C:\Windows\System\uwQYnxh.exe
  2⤵
  PID:7428
- C:\Windows\System\psbJdfG.exe
  C:\Windows\System\psbJdfG.exe
  2⤵
  PID:7472
- C:\Windows\System\zlcrmSt.exe
  C:\Windows\System\zlcrmSt.exe
  2⤵
  PID:7500
- C:\Windows\System\VAQIZeU.exe
  C:\Windows\System\VAQIZeU.exe
  2⤵
  PID:7520
- C:\Windows\System\NSXNRKm.exe
  C:\Windows\System\NSXNRKm.exe
  2⤵
  PID:7548
- C:\Windows\System\IXxNXoA.exe
  C:\Windows\System\IXxNXoA.exe
  2⤵
  PID:7568
- C:\Windows\System\BhmWmSm.exe
  C:\Windows\System\BhmWmSm.exe
  2⤵
  PID:7588
- C:\Windows\System\qLovuiY.exe
  C:\Windows\System\qLovuiY.exe
  2⤵
  PID:7612
- C:\Windows\System\shpUBCT.exe
  C:\Windows\System\shpUBCT.exe
  2⤵
  PID:7628
- C:\Windows\System\uHBOkIP.exe
  C:\Windows\System\uHBOkIP.exe
  2⤵
  PID:7688
- C:\Windows\System\TVQFWXp.exe
  C:\Windows\System\TVQFWXp.exe
  2⤵
  PID:7752
- C:\Windows\System\VIpTuon.exe
  C:\Windows\System\VIpTuon.exe
  2⤵
  PID:7788
- C:\Windows\System\pqGArJW.exe
  C:\Windows\System\pqGArJW.exe
  2⤵
  PID:7804
- C:\Windows\System\SQXrIAF.exe
  C:\Windows\System\SQXrIAF.exe
  2⤵
  PID:7824
- C:\Windows\System\jbsoOBA.exe
  C:\Windows\System\jbsoOBA.exe
  2⤵
  PID:7868
- C:\Windows\System\bGOkgEE.exe
  C:\Windows\System\bGOkgEE.exe
  2⤵
  PID:7892
- C:\Windows\System\mIzfOUU.exe
  C:\Windows\System\mIzfOUU.exe
  2⤵
  PID:7948
- C:\Windows\System\hAnmCmg.exe
  C:\Windows\System\hAnmCmg.exe
  2⤵
  PID:7980
- C:\Windows\System\BWVJJPc.exe
  C:\Windows\System\BWVJJPc.exe
  2⤵
  PID:8032
- C:\Windows\System\KCDnMoL.exe
  C:\Windows\System\KCDnMoL.exe
  2⤵
  PID:8048
- C:\Windows\System\fMGaXnt.exe
  C:\Windows\System\fMGaXnt.exe
  2⤵
  PID:8064
- C:\Windows\System\znWGOXx.exe
  C:\Windows\System\znWGOXx.exe
  2⤵
  PID:8084
- C:\Windows\System\qmFnZkK.exe
  C:\Windows\System\qmFnZkK.exe
  2⤵
  PID:8112
- C:\Windows\System\tzUrGGs.exe
  C:\Windows\System\tzUrGGs.exe
  2⤵
  PID:8188
- C:\Windows\System\ZTXMjjd.exe
  C:\Windows\System\ZTXMjjd.exe
  2⤵
  PID:6360
- C:\Windows\System\FhIXguL.exe
  C:\Windows\System\FhIXguL.exe
  2⤵
  PID:7204
- C:\Windows\System\uqBIwHS.exe
  C:\Windows\System\uqBIwHS.exe
  2⤵
  PID:7380
- C:\Windows\System\zoGrjWJ.exe
  C:\Windows\System\zoGrjWJ.exe
  2⤵
  PID:2008
- C:\Windows\System\usXFxyR.exe
  C:\Windows\System\usXFxyR.exe
  2⤵
  PID:7532
- C:\Windows\System\frelrPM.exe
  C:\Windows\System\frelrPM.exe
  2⤵
  PID:7640
- C:\Windows\System\foRMTXF.exe
  C:\Windows\System\foRMTXF.exe
  2⤵
  PID:7604
- C:\Windows\System\ZSwjpNo.exe
  C:\Windows\System\ZSwjpNo.exe
  2⤵
  PID:7012
- C:\Windows\System\xyklYEo.exe
  C:\Windows\System\xyklYEo.exe
  2⤵
  PID:7748
- C:\Windows\System\TMiBnyZ.exe
  C:\Windows\System\TMiBnyZ.exe
  2⤵
  PID:7864
- C:\Windows\System\kQWaCRi.exe
  C:\Windows\System\kQWaCRi.exe
  2⤵
  PID:8020
- C:\Windows\System\BTyKsuy.exe
  C:\Windows\System\BTyKsuy.exe
  2⤵
  PID:8040
- C:\Windows\System\LTHUMNI.exe
  C:\Windows\System\LTHUMNI.exe
  2⤵
  PID:8060
- C:\Windows\System\ZihKHAQ.exe
  C:\Windows\System\ZihKHAQ.exe
  2⤵
  PID:7208
- C:\Windows\System\jpGtoYL.exe
  C:\Windows\System\jpGtoYL.exe
  2⤵
  PID:7324
- C:\Windows\System\iLSPmUA.exe
  C:\Windows\System\iLSPmUA.exe
  2⤵
  PID:8180
- C:\Windows\System\NVOtBQy.exe
  C:\Windows\System\NVOtBQy.exe
  2⤵
  PID:7344
- C:\Windows\System\bSXoUUa.exe
  C:\Windows\System\bSXoUUa.exe
  2⤵
  PID:7556
- C:\Windows\System\hbBgRwt.exe
  C:\Windows\System\hbBgRwt.exe
  2⤵
  PID:7740
- C:\Windows\System\EODoqPw.exe
  C:\Windows\System\EODoqPw.exe
  2⤵
  PID:7796
- C:\Windows\System\NbHprRZ.exe
  C:\Windows\System\NbHprRZ.exe
  2⤵
  PID:7848
- C:\Windows\System\UhXlpEf.exe
  C:\Windows\System\UhXlpEf.exe
  2⤵
  PID:7964
- C:\Windows\System\dawYimw.exe
  C:\Windows\System\dawYimw.exe
  2⤵
  PID:8104
- C:\Windows\System\MPBqpaF.exe
  C:\Windows\System\MPBqpaF.exe
  2⤵
  PID:8128
- C:\Windows\System\aToOeuR.exe
  C:\Windows\System\aToOeuR.exe
  2⤵
  PID:7408
- C:\Windows\System\qygQtEt.exe
  C:\Windows\System\qygQtEt.exe
  2⤵
  PID:8012
- C:\Windows\System\ynVWnlI.exe
  C:\Windows\System\ynVWnlI.exe
  2⤵
  PID:8000
- C:\Windows\System\HeWoaqH.exe
  C:\Windows\System\HeWoaqH.exe
  2⤵
  PID:7816
- C:\Windows\System\UMEFXzd.exe
  C:\Windows\System\UMEFXzd.exe
  2⤵
  PID:7940
- C:\Windows\System\INaszLh.exe
  C:\Windows\System\INaszLh.exe
  2⤵
  PID:7268
- C:\Windows\System\EsWrGyh.exe
  C:\Windows\System\EsWrGyh.exe
  2⤵
  PID:7724
- C:\Windows\System\sKBrRFA.exe
  C:\Windows\System\sKBrRFA.exe
  2⤵
  PID:8204
- C:\Windows\System\LaLHPmm.exe
  C:\Windows\System\LaLHPmm.exe
  2⤵
  PID:8232
- C:\Windows\System\TZhGiIt.exe
  C:\Windows\System\TZhGiIt.exe
  2⤵
  PID:8284
- C:\Windows\System\jPbzsRU.exe
  C:\Windows\System\jPbzsRU.exe
  2⤵
  PID:8304
- C:\Windows\System\qAakNdD.exe
  C:\Windows\System\qAakNdD.exe
  2⤵
  PID:8324
- C:\Windows\System\DOsDMnZ.exe
  C:\Windows\System\DOsDMnZ.exe
  2⤵
  PID:8348
- C:\Windows\System\SIsEkAI.exe
  C:\Windows\System\SIsEkAI.exe
  2⤵
  PID:8412
- C:\Windows\System\rcThrkT.exe
  C:\Windows\System\rcThrkT.exe
  2⤵
  PID:8432
- C:\Windows\System\MWwYTuq.exe
  C:\Windows\System\MWwYTuq.exe
  2⤵
  PID:8456
- C:\Windows\System\bGQQUFN.exe
  C:\Windows\System\bGQQUFN.exe
  2⤵
  PID:8476
- C:\Windows\System\xqCPAFK.exe
  C:\Windows\System\xqCPAFK.exe
  2⤵
  PID:8492
- C:\Windows\System\oybItKv.exe
  C:\Windows\System\oybItKv.exe
  2⤵
  PID:8536
- C:\Windows\System\KueNVBr.exe
  C:\Windows\System\KueNVBr.exe
  2⤵
  PID:8556
- C:\Windows\System\bTEjRTz.exe
  C:\Windows\System\bTEjRTz.exe
  2⤵
  PID:8644
- C:\Windows\System\CPKaCxJ.exe
  C:\Windows\System\CPKaCxJ.exe
  2⤵
  PID:8660
- C:\Windows\System\ktPVHce.exe
  C:\Windows\System\ktPVHce.exe
  2⤵
  PID:8684
- C:\Windows\System\RAKBKeS.exe
  C:\Windows\System\RAKBKeS.exe
  2⤵
  PID:8700
- C:\Windows\System\KVUyatj.exe
  C:\Windows\System\KVUyatj.exe
  2⤵
  PID:8724
- C:\Windows\System\hwHddBn.exe
  C:\Windows\System\hwHddBn.exe
  2⤵
  PID:8776
- C:\Windows\System\zXkJyGs.exe
  C:\Windows\System\zXkJyGs.exe
  2⤵
  PID:8800
- C:\Windows\System\frbAWVq.exe
  C:\Windows\System\frbAWVq.exe
  2⤵
  PID:8820
- C:\Windows\System\hmtkCbm.exe
  C:\Windows\System\hmtkCbm.exe
  2⤵
  PID:8836
- C:\Windows\System\OOYufJD.exe
  C:\Windows\System\OOYufJD.exe
  2⤵
  PID:8856
- C:\Windows\System\ijvvlZM.exe
  C:\Windows\System\ijvvlZM.exe
  2⤵
  PID:8908
- C:\Windows\System\hoEdCfy.exe
  C:\Windows\System\hoEdCfy.exe
  2⤵
  PID:8924
- C:\Windows\System\beInEmR.exe
  C:\Windows\System\beInEmR.exe
  2⤵
  PID:8948
- C:\Windows\System\qIIaHMv.exe
  C:\Windows\System\qIIaHMv.exe
  2⤵
  PID:9044
- C:\Windows\System\fZaARzR.exe
  C:\Windows\System\fZaARzR.exe
  2⤵
  PID:9068
- C:\Windows\System\DAuHtxI.exe
  C:\Windows\System\DAuHtxI.exe
  2⤵
  PID:9084
- C:\Windows\System\taMpDok.exe
  C:\Windows\System\taMpDok.exe
  2⤵
  PID:9108
- C:\Windows\System\lfEDOrY.exe
  C:\Windows\System\lfEDOrY.exe
  2⤵
  PID:9132
- C:\Windows\System\UsGNqPf.exe
  C:\Windows\System\UsGNqPf.exe
  2⤵
  PID:9148
- C:\Windows\System\GIOGhNH.exe
  C:\Windows\System\GIOGhNH.exe
  2⤵
  PID:9168
- C:\Windows\System\PrlvStr.exe
  C:\Windows\System\PrlvStr.exe
  2⤵
  PID:4168
- C:\Windows\System\rBitHxH.exe
  C:\Windows\System\rBitHxH.exe
  2⤵
  PID:7484
- C:\Windows\System\HNCiMBW.exe
  C:\Windows\System\HNCiMBW.exe
  2⤵
  PID:8212
- C:\Windows\System\zxxXKve.exe
  C:\Windows\System\zxxXKve.exe
  2⤵
  PID:8248
- C:\Windows\System\bigLihI.exe
  C:\Windows\System\bigLihI.exe
  2⤵
  PID:8264
- C:\Windows\System\QXitYQN.exe
  C:\Windows\System\QXitYQN.exe
  2⤵
  PID:8372
- C:\Windows\System\IVTWFzs.exe
  C:\Windows\System\IVTWFzs.exe
  2⤵
  PID:8488
- C:\Windows\System\sYxjFQu.exe
  C:\Windows\System\sYxjFQu.exe
  2⤵
  PID:8760
- C:\Windows\System\UJYKtKK.exe
  C:\Windows\System\UJYKtKK.exe
  2⤵
  PID:8904
- C:\Windows\System\npXGOXl.exe
  C:\Windows\System\npXGOXl.exe
  2⤵
  PID:8964
- C:\Windows\System\FvEWeYg.exe
  C:\Windows\System\FvEWeYg.exe
  2⤵
  PID:8916
- C:\Windows\System\cixwzIr.exe
  C:\Windows\System\cixwzIr.exe
  2⤵
  PID:8884
- C:\Windows\System\zLUnVYL.exe
  C:\Windows\System\zLUnVYL.exe
  2⤵
  PID:9196
- C:\Windows\System\SDXwBrL.exe
  C:\Windows\System\SDXwBrL.exe
  2⤵
  PID:9100
- C:\Windows\System\eAVwaSz.exe
  C:\Windows\System\eAVwaSz.exe
  2⤵
  PID:9076
- C:\Windows\System\HieryHt.exe
  C:\Windows\System\HieryHt.exe
  2⤵
  PID:9128
- C:\Windows\System\rsgjLnp.exe
  C:\Windows\System\rsgjLnp.exe
  2⤵
  PID:8384
- C:\Windows\System\YzuDHzn.exe
  C:\Windows\System\YzuDHzn.exe
  2⤵
  PID:8252
- C:\Windows\System\LNhRYsB.exe
  C:\Windows\System\LNhRYsB.exe
  2⤵
  PID:8320
- C:\Windows\System\KvBcfcv.exe
  C:\Windows\System\KvBcfcv.exe
  2⤵
  PID:8508
- C:\Windows\System\FlwjGiw.exe
  C:\Windows\System\FlwjGiw.exe
  2⤵
  PID:8600
- C:\Windows\System\JzjbetV.exe
  C:\Windows\System\JzjbetV.exe
  2⤵
  PID:8580
- C:\Windows\System\XnPCUwN.exe
  C:\Windows\System\XnPCUwN.exe
  2⤵
  PID:8844
- C:\Windows\System\nxnQNuA.exe
  C:\Windows\System\nxnQNuA.exe
  2⤵
  PID:9008
- C:\Windows\System\NhjsUpl.exe
  C:\Windows\System\NhjsUpl.exe
  2⤵
  PID:9016
- C:\Windows\System\XQbLaCr.exe
  C:\Windows\System\XQbLaCr.exe
  2⤵
  PID:9208
- C:\Windows\System\TgJAvBQ.exe
  C:\Windows\System\TgJAvBQ.exe
  2⤵
  PID:9052
- C:\Windows\System\GdTaKVm.exe
  C:\Windows\System\GdTaKVm.exe
  2⤵
  PID:8676
- C:\Windows\System\AKVddJF.exe
  C:\Windows\System\AKVddJF.exe
  2⤵
  PID:8748
- C:\Windows\System\UitOCxT.exe
  C:\Windows\System\UitOCxT.exe
  2⤵
  PID:9116
- C:\Windows\System\iRCsshG.exe
  C:\Windows\System\iRCsshG.exe
  2⤵
  PID:9180
- C:\Windows\System\QVdMkKZ.exe
  C:\Windows\System\QVdMkKZ.exe
  2⤵
  PID:9188
- C:\Windows\System\GxDJjDA.exe
  C:\Windows\System\GxDJjDA.exe
  2⤵
  PID:8732
- C:\Windows\System\tZWcrAO.exe
  C:\Windows\System\tZWcrAO.exe
  2⤵
  PID:9232
- C:\Windows\System\JrQJgMZ.exe
  C:\Windows\System\JrQJgMZ.exe
  2⤵
  PID:9260
- C:\Windows\System\nATHqOg.exe
  C:\Windows\System\nATHqOg.exe
  2⤵
  PID:9280
- C:\Windows\System\jGnLZhO.exe
  C:\Windows\System\jGnLZhO.exe
  2⤵
  PID:9296
- C:\Windows\System\kCbUScJ.exe
  C:\Windows\System\kCbUScJ.exe
  2⤵
  PID:9320
- C:\Windows\System\emascxQ.exe
  C:\Windows\System\emascxQ.exe
  2⤵
  PID:9340
- C:\Windows\System\dfNhlvY.exe
  C:\Windows\System\dfNhlvY.exe
  2⤵
  PID:9408
- C:\Windows\System\YDWElsw.exe
  C:\Windows\System\YDWElsw.exe
  2⤵
  PID:9480
- C:\Windows\System\wApygdN.exe
  C:\Windows\System\wApygdN.exe
  2⤵
  PID:9544
- C:\Windows\System\AjTKQQI.exe
  C:\Windows\System\AjTKQQI.exe
  2⤵
  PID:9568
- C:\Windows\System\fDaczdm.exe
  C:\Windows\System\fDaczdm.exe
  2⤵
  PID:9604
- C:\Windows\System\dYoyxfT.exe
  C:\Windows\System\dYoyxfT.exe
  2⤵
  PID:9624
- C:\Windows\System\xxAOUSm.exe
  C:\Windows\System\xxAOUSm.exe
  2⤵
  PID:9640
- C:\Windows\System\cCxDKWO.exe
  C:\Windows\System\cCxDKWO.exe
  2⤵
  PID:9660
- C:\Windows\System\tKPEWku.exe
  C:\Windows\System\tKPEWku.exe
  2⤵
  PID:9684
- C:\Windows\System\EHZvtvC.exe
  C:\Windows\System\EHZvtvC.exe
  2⤵
  PID:9744
- C:\Windows\System\kNWZmZR.exe
  C:\Windows\System\kNWZmZR.exe
  2⤵
  PID:9796
- C:\Windows\System\nhsXgOB.exe
  C:\Windows\System\nhsXgOB.exe
  2⤵
  PID:9824
- C:\Windows\System\xjPYoWl.exe
  C:\Windows\System\xjPYoWl.exe
  2⤵
  PID:9896
- C:\Windows\System\YurRykn.exe
  C:\Windows\System\YurRykn.exe
  2⤵
  PID:9912
- C:\Windows\System\LfLllyZ.exe
  C:\Windows\System\LfLllyZ.exe
  2⤵
  PID:9936
- C:\Windows\System\WNkyjhv.exe
  C:\Windows\System\WNkyjhv.exe
  2⤵
  PID:9952
- C:\Windows\System\hHCrEvO.exe
  C:\Windows\System\hHCrEvO.exe
  2⤵
  PID:9996
- C:\Windows\System\cFTOREf.exe
  C:\Windows\System\cFTOREf.exe
  2⤵
  PID:10056
- C:\Windows\System\lwhUIZT.exe
  C:\Windows\System\lwhUIZT.exe
  2⤵
  PID:10080
- C:\Windows\System\HkgtiKc.exe
  C:\Windows\System\HkgtiKc.exe
  2⤵
  PID:10096
- C:\Windows\System\QkoDAHl.exe
  C:\Windows\System\QkoDAHl.exe
  2⤵
  PID:10124
- C:\Windows\System\GQtOTXs.exe
  C:\Windows\System\GQtOTXs.exe
  2⤵
  PID:10144
- C:\Windows\System\tZQuQOU.exe
  C:\Windows\System\tZQuQOU.exe
  2⤵
  PID:10236
- C:\Windows\System\HIdGJWg.exe
  C:\Windows\System\HIdGJWg.exe
  2⤵
  PID:8548
- C:\Windows\System\BlXhBRv.exe
  C:\Windows\System\BlXhBRv.exe
  2⤵
  PID:8880
- C:\Windows\System\DxNpfep.exe
  C:\Windows\System\DxNpfep.exe
  2⤵
  PID:9304
- C:\Windows\System\OhvwyGh.exe
  C:\Windows\System\OhvwyGh.exe
  2⤵
  PID:9312
- C:\Windows\System\SUyBiCd.exe
  C:\Windows\System\SUyBiCd.exe
  2⤵
  PID:9360
- C:\Windows\System\dAhVARZ.exe
  C:\Windows\System\dAhVARZ.exe
  2⤵
  PID:9448
- C:\Windows\System\mcZGTGY.exe
  C:\Windows\System\mcZGTGY.exe
  2⤵
  PID:9508
- C:\Windows\System\mIbMDMC.exe
  C:\Windows\System\mIbMDMC.exe
  2⤵
  PID:9588
- C:\Windows\System\dsbbhfz.exe
  C:\Windows\System\dsbbhfz.exe
  2⤵
  PID:9516
- C:\Windows\System\epyhqPV.exe
  C:\Windows\System\epyhqPV.exe
  2⤵
  PID:9652
- C:\Windows\System\EyPnAMH.exe
  C:\Windows\System\EyPnAMH.exe
  2⤵
  PID:9728
- C:\Windows\System\VdDsyGW.exe
  C:\Windows\System\VdDsyGW.exe
  2⤵
  PID:9768
- C:\Windows\System\UqheNFP.exe
  C:\Windows\System\UqheNFP.exe
  2⤵
  PID:9784
- C:\Windows\System\nsyZttQ.exe
  C:\Windows\System\nsyZttQ.exe
  2⤵
  PID:9920
- C:\Windows\System\VMAPgpv.exe
  C:\Windows\System\VMAPgpv.exe
  2⤵
  PID:9948
- C:\Windows\System\PqWyTXi.exe
  C:\Windows\System\PqWyTXi.exe
  2⤵
  PID:10108
- C:\Windows\System\icWSXYL.exe
  C:\Windows\System\icWSXYL.exe
  2⤵
  PID:10140
- C:\Windows\System\fCplnAT.exe
  C:\Windows\System\fCplnAT.exe
  2⤵
  PID:4388
- C:\Windows\System\BNQTIxo.exe
  C:\Windows\System\BNQTIxo.exe
  2⤵
  PID:10168
- C:\Windows\System\coUQKoa.exe
  C:\Windows\System\coUQKoa.exe
  2⤵
  PID:9316
- C:\Windows\System\TXYfAlP.exe
  C:\Windows\System\TXYfAlP.exe
  2⤵
  PID:9364
- C:\Windows\System\IXPDWBi.exe
  C:\Windows\System\IXPDWBi.exe
  2⤵
  PID:7620
- C:\Windows\System\jvUjbJs.exe
  C:\Windows\System\jvUjbJs.exe
  2⤵
  PID:9536
- C:\Windows\System\aHpSdWb.exe
  C:\Windows\System\aHpSdWb.exe
  2⤵
  PID:9668
- C:\Windows\System\cmxSBOZ.exe
  C:\Windows\System\cmxSBOZ.exe
  2⤵
  PID:9808
- C:\Windows\System\dAdzqPc.exe
  C:\Windows\System\dAdzqPc.exe
  2⤵
  PID:9944
- C:\Windows\System\xqDZIlE.exe
  C:\Windows\System\xqDZIlE.exe
  2⤵
  PID:10132
- C:\Windows\System\qviLjVH.exe
  C:\Windows\System\qviLjVH.exe
  2⤵
  PID:10224
- C:\Windows\System\vNkTciW.exe
  C:\Windows\System\vNkTciW.exe
  2⤵
  PID:9292
- C:\Windows\System\RiNLVxx.exe
  C:\Windows\System\RiNLVxx.exe
  2⤵
  PID:9928
- C:\Windows\System\ysemDWi.exe
  C:\Windows\System\ysemDWi.exe
  2⤵
  PID:3808
- C:\Windows\System\CtGXsiD.exe
  C:\Windows\System\CtGXsiD.exe
  2⤵
  PID:9288
- C:\Windows\System\mAvZsMz.exe
  C:\Windows\System\mAvZsMz.exe
  2⤵
  PID:9692
- C:\Windows\System\nIYloew.exe
  C:\Windows\System\nIYloew.exe
  2⤵
  PID:9676
- C:\Windows\System\inGWNhy.exe
  C:\Windows\System\inGWNhy.exe
  2⤵
  PID:10256
- C:\Windows\System\WhoUNPU.exe
  C:\Windows\System\WhoUNPU.exe
  2⤵
  PID:10284
- C:\Windows\System\RmAhnxo.exe
  C:\Windows\System\RmAhnxo.exe
  2⤵
  PID:10312
- C:\Windows\System\hmrhZAr.exe
  C:\Windows\System\hmrhZAr.exe
  2⤵
  PID:10328
- C:\Windows\System\WipBfoJ.exe
  C:\Windows\System\WipBfoJ.exe
  2⤵
  PID:10356
- C:\Windows\System\LHrzbwW.exe
  C:\Windows\System\LHrzbwW.exe
  2⤵
  PID:10388
- C:\Windows\System\qHjGrDx.exe
  C:\Windows\System\qHjGrDx.exe
  2⤵
  PID:10428
- C:\Windows\System\kVFvISU.exe
  C:\Windows\System\kVFvISU.exe
  2⤵
  PID:10448
- C:\Windows\System\WxxGXgH.exe
  C:\Windows\System\WxxGXgH.exe
  2⤵
  PID:10492
- C:\Windows\System\avbHpjt.exe
  C:\Windows\System\avbHpjt.exe
  2⤵
  PID:10524
- C:\Windows\System\SEyCUoi.exe
  C:\Windows\System\SEyCUoi.exe
  2⤵
  PID:10564
- C:\Windows\System\EuMXVxh.exe
  C:\Windows\System\EuMXVxh.exe
  2⤵
  PID:10588
- C:\Windows\System\MZAvmdf.exe
  C:\Windows\System\MZAvmdf.exe
  2⤵
  PID:10604
- C:\Windows\System\ZeollAb.exe
  C:\Windows\System\ZeollAb.exe
  2⤵
  PID:10636
- C:\Windows\System\AyEVYIC.exe
  C:\Windows\System\AyEVYIC.exe
  2⤵
  PID:10656
- C:\Windows\System\dLcMIgn.exe
  C:\Windows\System\dLcMIgn.exe
  2⤵
  PID:10792
- C:\Windows\System\nPovXOs.exe
  C:\Windows\System\nPovXOs.exe
  2⤵
  PID:10848
- C:\Windows\System\gGACcfR.exe
  C:\Windows\System\gGACcfR.exe
  2⤵
  PID:10864
- C:\Windows\System\tMzailH.exe
  C:\Windows\System\tMzailH.exe
  2⤵
  PID:10884
- C:\Windows\System\ECFndzk.exe
  C:\Windows\System\ECFndzk.exe
  2⤵
  PID:10904
- C:\Windows\System\daZGLSy.exe
  C:\Windows\System\daZGLSy.exe
  2⤵
  PID:10920
- C:\Windows\System\BuIKmMv.exe
  C:\Windows\System\BuIKmMv.exe
  2⤵
  PID:10936
- C:\Windows\System\mFWhvBJ.exe
  C:\Windows\System\mFWhvBJ.exe
  2⤵
  PID:10952
- C:\Windows\System\UGjvvCP.exe
  C:\Windows\System\UGjvvCP.exe
  2⤵
  PID:10968
- C:\Windows\System\PnwcNyA.exe
  C:\Windows\System\PnwcNyA.exe
  2⤵
  PID:10984
- C:\Windows\System\gFVSpPS.exe
  C:\Windows\System\gFVSpPS.exe
  2⤵
  PID:11000
- C:\Windows\System\zXxCPGh.exe
  C:\Windows\System\zXxCPGh.exe
  2⤵
  PID:11016
- C:\Windows\System\SGjBmwN.exe
  C:\Windows\System\SGjBmwN.exe
  2⤵
  PID:11032
- C:\Windows\System\mtuowlT.exe
  C:\Windows\System\mtuowlT.exe
  2⤵
  PID:11048
- C:\Windows\System\odqdOKK.exe
  C:\Windows\System\odqdOKK.exe
  2⤵
  PID:11068
- C:\Windows\System\KOhiyJt.exe
  C:\Windows\System\KOhiyJt.exe
  2⤵
  PID:11092
- C:\Windows\System\TPkdJkw.exe
  C:\Windows\System\TPkdJkw.exe
  2⤵
  PID:11108
- C:\Windows\System\PSaeCYn.exe
  C:\Windows\System\PSaeCYn.exe
  2⤵
  PID:11128
- C:\Windows\System\JVsRmOY.exe
  C:\Windows\System\JVsRmOY.exe
  2⤵
  PID:11144
- C:\Windows\System\PYuRsQw.exe
  C:\Windows\System\PYuRsQw.exe
  2⤵
  PID:11216
- C:\Windows\System\PJbbgvt.exe
  C:\Windows\System\PJbbgvt.exe
  2⤵
  PID:9600
- C:\Windows\System\QSljtBZ.exe
  C:\Windows\System\QSljtBZ.exe
  2⤵
  PID:10416
- C:\Windows\System\xDmjawW.exe
  C:\Windows\System\xDmjawW.exe
  2⤵
  PID:10572
- C:\Windows\System\ASdfQzt.exe
  C:\Windows\System\ASdfQzt.exe
  2⤵
  PID:10628
- C:\Windows\System\Dvqozrq.exe
  C:\Windows\System\Dvqozrq.exe
  2⤵
  PID:10648
- C:\Windows\System\wKLgaqY.exe
  C:\Windows\System\wKLgaqY.exe
  2⤵
  PID:10668
- C:\Windows\System\qZsbPnB.exe
  C:\Windows\System\qZsbPnB.exe
  2⤵
  PID:10704
- C:\Windows\System\qleESlo.exe
  C:\Windows\System\qleESlo.exe
  2⤵
  PID:10736
- C:\Windows\System\ngwFybw.exe
  C:\Windows\System\ngwFybw.exe
  2⤵
  PID:10816
- C:\Windows\System\eFIgvAU.exe
  C:\Windows\System\eFIgvAU.exe
  2⤵
  PID:10856
- C:\Windows\System\dkzCvqN.exe
  C:\Windows\System\dkzCvqN.exe
  2⤵
  PID:10960
- C:\Windows\System\fDIbCez.exe
  C:\Windows\System\fDIbCez.exe
  2⤵
  PID:10828
- C:\Windows\System\OlIcUfb.exe
  C:\Windows\System\OlIcUfb.exe
  2⤵
  PID:11040
- C:\Windows\System\MIWnbAn.exe
  C:\Windows\System\MIWnbAn.exe
  2⤵
  PID:10944
- C:\Windows\System\eyeOvzf.exe
  C:\Windows\System\eyeOvzf.exe
  2⤵
  PID:10280
- C:\Windows\System\rWDzwJK.exe
  C:\Windows\System\rWDzwJK.exe
  2⤵
  PID:11260
- C:\Windows\System\wMYqsiI.exe
  C:\Windows\System\wMYqsiI.exe
  2⤵
  PID:10476
- C:\Windows\System\rVwzwnu.exe
  C:\Windows\System\rVwzwnu.exe
  2⤵
  PID:10308
- C:\Windows\System\oNAzHkY.exe
  C:\Windows\System\oNAzHkY.exe
  2⤵
  PID:10644
- C:\Windows\System\rDEyJke.exe
  C:\Windows\System\rDEyJke.exe
  2⤵
  PID:10688
- C:\Windows\System\pnynXzP.exe
  C:\Windows\System\pnynXzP.exe
  2⤵
  PID:11080
- C:\Windows\System\lZAlXVa.exe
  C:\Windows\System\lZAlXVa.exe
  2⤵
  PID:10980
- C:\Windows\System\sFoYtGU.exe
  C:\Windows\System\sFoYtGU.exe
  2⤵
  PID:11208
- C:\Windows\System\maWruyd.exe
  C:\Windows\System\maWruyd.exe
  2⤵
  PID:11248
- C:\Windows\System\VJlHKlD.exe
  C:\Windows\System\VJlHKlD.exe
  2⤵
  PID:10652
- C:\Windows\System\nNvAjEZ.exe
  C:\Windows\System\nNvAjEZ.exe
  2⤵
  PID:11120
- C:\Windows\System\wqEnJQU.exe
  C:\Windows\System\wqEnJQU.exe
  2⤵
  PID:10424
- C:\Windows\System\FeSFHfr.exe
  C:\Windows\System\FeSFHfr.exe
  2⤵
  PID:10916
- C:\Windows\System\gkfohUM.exe
  C:\Windows\System\gkfohUM.exe
  2⤵
  PID:11292
- C:\Windows\System\GOazebT.exe
  C:\Windows\System\GOazebT.exe
  2⤵
  PID:11308
- C:\Windows\System\SpsxTHE.exe
  C:\Windows\System\SpsxTHE.exe
  2⤵
  PID:11336
- C:\Windows\System\QRsSQpt.exe
  C:\Windows\System\QRsSQpt.exe
  2⤵
  PID:11352
- C:\Windows\System\firmTyf.exe
  C:\Windows\System\firmTyf.exe
  2⤵
  PID:11372
- C:\Windows\System\YOnghCV.exe
  C:\Windows\System\YOnghCV.exe
  2⤵
  PID:11392
- C:\Windows\System\iBNxLYu.exe
  C:\Windows\System\iBNxLYu.exe
  2⤵
  PID:11420
- C:\Windows\System\PWZsNWV.exe
  C:\Windows\System\PWZsNWV.exe
  2⤵
  PID:11448
- C:\Windows\System\GnhSfIG.exe
  C:\Windows\System\GnhSfIG.exe
  2⤵
  PID:11472
- C:\Windows\System\NxeEBMm.exe
  C:\Windows\System\NxeEBMm.exe
  2⤵
  PID:11496
- C:\Windows\System\GNVouvW.exe
  C:\Windows\System\GNVouvW.exe
  2⤵
  PID:11516
- C:\Windows\System\LWIWFOF.exe
  C:\Windows\System\LWIWFOF.exe
  2⤵
  PID:11548
- C:\Windows\System\yaPlltX.exe
  C:\Windows\System\yaPlltX.exe
  2⤵
  PID:11568
- C:\Windows\System\XNUJPpO.exe
  C:\Windows\System\XNUJPpO.exe
  2⤵
  PID:11632
- C:\Windows\System\JAePIew.exe
  C:\Windows\System\JAePIew.exe
  2⤵
  PID:11648
- C:\Windows\System\RwqBteq.exe
  C:\Windows\System\RwqBteq.exe
  2⤵
  PID:11696
- C:\Windows\System\rlBVdWZ.exe
  C:\Windows\System\rlBVdWZ.exe
  2⤵
  PID:11720
- C:\Windows\System\mpljHYX.exe
  C:\Windows\System\mpljHYX.exe
  2⤵
  PID:11744
- C:\Windows\System\wzqgGDP.exe
  C:\Windows\System\wzqgGDP.exe
  2⤵
  PID:11760
- C:\Windows\System\FWGKUaz.exe
  C:\Windows\System\FWGKUaz.exe
  2⤵
  PID:11780
- C:\Windows\System\ETgdsQK.exe
  C:\Windows\System\ETgdsQK.exe
  2⤵
  PID:11828
- C:\Windows\System\ZiHGwLX.exe
  C:\Windows\System\ZiHGwLX.exe
  2⤵
  PID:11872
- C:\Windows\System\fzefZps.exe
  C:\Windows\System\fzefZps.exe
  2⤵
  PID:11912
- C:\Windows\System\zwSmWNn.exe
  C:\Windows\System\zwSmWNn.exe
  2⤵
  PID:11936
- C:\Windows\System\xIAvmyT.exe
  C:\Windows\System\xIAvmyT.exe
  2⤵
  PID:11956
- C:\Windows\System\xXTOzcg.exe
  C:\Windows\System\xXTOzcg.exe
  2⤵
  PID:11980
- C:\Windows\System\FthOQHK.exe
  C:\Windows\System\FthOQHK.exe
  2⤵
  PID:11996
- C:\Windows\System\wvJlNRH.exe
  C:\Windows\System\wvJlNRH.exe
  2⤵
  PID:12056
- C:\Windows\System\sDHfWSx.exe
  C:\Windows\System\sDHfWSx.exe
  2⤵
  PID:12076
- C:\Windows\System\oPmLqAa.exe
  C:\Windows\System\oPmLqAa.exe
  2⤵
  PID:12092
- C:\Windows\System\hLVPOZx.exe
  C:\Windows\System\hLVPOZx.exe
  2⤵
  PID:12144
- C:\Windows\System\WWnCHRh.exe
  C:\Windows\System\WWnCHRh.exe
  2⤵
  PID:12160
- C:\Windows\System\AsFLqpf.exe
  C:\Windows\System\AsFLqpf.exe
  2⤵
  PID:12200
- C:\Windows\System\fMpGZCo.exe
  C:\Windows\System\fMpGZCo.exe
  2⤵
  PID:12228
- C:\Windows\System\uttGLbR.exe
  C:\Windows\System\uttGLbR.exe
  2⤵
  PID:12248
- C:\Windows\System\MbibjgO.exe
  C:\Windows\System\MbibjgO.exe
  2⤵
  PID:12272
- C:\Windows\System\qhPULBI.exe
  C:\Windows\System\qhPULBI.exe
  2⤵
  PID:10744
- C:\Windows\System\xctQrKh.exe
  C:\Windows\System\xctQrKh.exe
  2⤵
  PID:11360
- C:\Windows\System\gRDYjpm.exe
  C:\Windows\System\gRDYjpm.exe
  2⤵
  PID:11380
- C:\Windows\System\zKMatvH.exe
  C:\Windows\System\zKMatvH.exe
  2⤵
  PID:11416
- C:\Windows\System\SlWjdpc.exe
  C:\Windows\System\SlWjdpc.exe
  2⤵
  PID:11468
- C:\Windows\System\JPdLLYk.exe
  C:\Windows\System\JPdLLYk.exe
  2⤵
  PID:11580
- C:\Windows\System\WKHPVuB.exe
  C:\Windows\System\WKHPVuB.exe
  2⤵
  PID:11688
- C:\Windows\System\KtyEDma.exe
  C:\Windows\System\KtyEDma.exe
  2⤵
  PID:11664
- C:\Windows\System\beQlZBY.exe
  C:\Windows\System\beQlZBY.exe
  2⤵
  PID:11676
- C:\Windows\System\WaLqfVI.exe
  C:\Windows\System\WaLqfVI.exe
  2⤵
  PID:11840
- C:\Windows\System\sICiRuf.exe
  C:\Windows\System\sICiRuf.exe
  2⤵
  PID:11852
- C:\Windows\System\AkwzcQK.exe
  C:\Windows\System\AkwzcQK.exe
  2⤵
  PID:11992
- C:\Windows\System\zNbkulJ.exe
  C:\Windows\System\zNbkulJ.exe
  2⤵
  PID:12032
- C:\Windows\System\YBVmBLp.exe
  C:\Windows\System\YBVmBLp.exe
  2⤵
  PID:12072
- C:\Windows\System\zLjxTYh.exe
  C:\Windows\System\zLjxTYh.exe
  2⤵
  PID:12136
- C:\Windows\System\lgCDdvf.exe
  C:\Windows\System\lgCDdvf.exe
  2⤵
  PID:12176
- C:\Windows\System\kombBza.exe
  C:\Windows\System\kombBza.exe
  2⤵
  PID:4092
- C:\Windows\System\HUUVdmG.exe
  C:\Windows\System\HUUVdmG.exe
  2⤵
  PID:12240
- C:\Windows\System\GtVDMpZ.exe
  C:\Windows\System\GtVDMpZ.exe
  2⤵
  PID:12280
- C:\Windows\System\ySMZvay.exe
  C:\Windows\System\ySMZvay.exe
  2⤵
  PID:11408
- C:\Windows\System\YGyAFVf.exe
  C:\Windows\System\YGyAFVf.exe
  2⤵
  PID:11804
- C:\Windows\System\nubokdF.exe
  C:\Windows\System\nubokdF.exe
  2⤵
  PID:11640
- C:\Windows\System\gQeDEuf.exe
  C:\Windows\System\gQeDEuf.exe
  2⤵
  PID:12048
- C:\Windows\System\jcpxAkm.exe
  C:\Windows\System\jcpxAkm.exe
  2⤵
  PID:12156
- C:\Windows\System\GjKGONU.exe
  C:\Windows\System\GjKGONU.exe
  2⤵
  PID:11368
- C:\Windows\System\usrszlq.exe
  C:\Windows\System\usrszlq.exe
  2⤵
  PID:11412
- C:\Windows\System\rhQPAaw.exe
  C:\Windows\System\rhQPAaw.exe
  2⤵
  PID:11620
- C:\Windows\System\udTUZzr.exe
  C:\Windows\System\udTUZzr.exe
  2⤵
  PID:6460
- C:\Windows\System\YMOZCwy.exe
  C:\Windows\System\YMOZCwy.exe
  2⤵
  PID:12216
- C:\Windows\System\boLPakM.exe
  C:\Windows\System\boLPakM.exe
  2⤵
  PID:12084
- C:\Windows\System\Etlwque.exe
  C:\Windows\System\Etlwque.exe
  2⤵
  PID:12308
- C:\Windows\System\aNQshiz.exe
  C:\Windows\System\aNQshiz.exe
  2⤵
  PID:12332
- C:\Windows\System\uZyHbRO.exe
  C:\Windows\System\uZyHbRO.exe
  2⤵
  PID:12364
- C:\Windows\System\YedDEDj.exe
  C:\Windows\System\YedDEDj.exe
  2⤵
  PID:12384
- C:\Windows\System\FmoGFhe.exe
  C:\Windows\System\FmoGFhe.exe
  2⤵
  PID:12424
- C:\Windows\System\crBkWwV.exe
  C:\Windows\System\crBkWwV.exe
  2⤵
  PID:12452
- C:\Windows\System\LthrbDJ.exe
  C:\Windows\System\LthrbDJ.exe
  2⤵
  PID:12480
- C:\Windows\System\csUtFgg.exe
  C:\Windows\System\csUtFgg.exe
  2⤵
  PID:12516
- C:\Windows\System\FsDnIlV.exe
  C:\Windows\System\FsDnIlV.exe
  2⤵
  PID:12532
- C:\Windows\System\HbnUnTz.exe
  C:\Windows\System\HbnUnTz.exe
  2⤵
  PID:12564
- C:\Windows\System\ZBwezpw.exe
  C:\Windows\System\ZBwezpw.exe
  2⤵
  PID:12628
- C:\Windows\System\kTHTyze.exe
  C:\Windows\System\kTHTyze.exe
  2⤵
  PID:12644

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mmdihf0l.shg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AGhVxhL.exe

Filesize
1.5MB

MD5
e9fb918025a2bf6c3fc10cd7e4653fe0

SHA1
856c257d520953c6b26ac734bce22877f088e5eb

SHA256
946920cfe9eba5d9a811d7623f8ab40d17b21eb66ec84bd31f482c546527a332

SHA512
538845c8728d723c317733d91ea6cf22d0049bf9fc0380e6d0babd1abfda761854b7ea518db76fde42bee8ec2aa45a80e2ea313874a428b0a4df0d91de57370b

Download Submit
C:\Windows\System\AXgtIfY.exe

Filesize
1.5MB

MD5
69d5a7511a254a0bd609740bd9da227f

SHA1
fe85ff7dc0f2314739f4b1f986d08ece59836106

SHA256
59efe95dcbc9a69c90b4315a38686777cbe9eda37d65df1187190e51fc27325d

SHA512
212af117ebaa52ff39214dd49a4fd4e5e9106172a9860f13f12a854eedd6e41402e6b911c2b90c36b1439157eaab3631500035d2b870f0da9983df99e146dcc2

Download Submit
C:\Windows\System\FNsrOxS.exe

Filesize
1.5MB

MD5
cbe5b91dfbd977303e50a9b0a7b436bc

SHA1
69c6ffc2db6ac34295423e85a3a73146b869f3d0

SHA256
e1f5d1e1a9b953443cc7617149941870ae90dba89e4536885d100a8a345ac9e0

SHA512
c1f3af288fc5b8e5a06dec53ef4e529aa6ecc1202e32f58f6131b9414e3d62e47c998987513044561929737b8ae5c3ea183c4ec7abf3e1f570bee33f280edab4

Download Submit
C:\Windows\System\HArwkkf.exe

Filesize
1.5MB

MD5
7b9adc769b39187bbe6ffcb1bed37fb6

SHA1
98b43668f20838202becdf243aa7eefbd2c7d22f

SHA256
3a0555195584201b9517a5b898a22b1cb637009e416b0dd0f365417cc46ebc8e

SHA512
d3549b5059f813af34f3b66abea4b69e439f2a862cd0c48613f7dae1004e399013459fb326e18603ac667216b23590951b68f311d37c100a801f4dfd5a1a2dec

Download Submit
C:\Windows\System\KXSXYDU.exe

Filesize
1.5MB

MD5
5e737e7d087da84906f17d407aeab2e3

SHA1
cfe9d1c37657f6b166cb7c2feccb9c36a1a8d208

SHA256
2a9b5ca5b8d029c9fefb2ef536e225dbe84f89c7304c81c38c85692598f9bcf8

SHA512
48683df5377872286707997b6e7321fb8e2ed415689ed2d90add77f84bc173d960beb380568b3852d7b498173bbef09e87077cd8bde4e452fd0a0e7c5de58492

Download Submit
C:\Windows\System\Lgxevcl.exe

Filesize
1.5MB

MD5
ef3fd3932e1ec55478ab5b765896875e

SHA1
3eac5e8b1d4681888f74d7fd8549de2b8eb6eee4

SHA256
293719b98a21258812d520ea935de7bdb3d3c55e522da0a06843ded71fe8e718

SHA512
dde58db9ebe101af7a3ccf2139868f41aad1f32f5dcb237dfbe4ccde228f3a436edd122fd98a7532d29591ea5d633df5fb503b119fa12524d6ffabf3e180977b

Download Submit
C:\Windows\System\NdAWkLk.exe

Filesize
1.5MB

MD5
29c22ce9e150b09f310a8837108e38e4

SHA1
eb8c5219df9503e7a8762649d1fc7b23cf3c3b81

SHA256
8558ccc48c2bd2d00d8a53316f78347892b14dbc8bc4250b732150dddff9fcdc

SHA512
801cd20d0f893f474b87679b5ae5fa6525c0069d66fc173fd551665f142d645a48f317a3bb52f7bab503d17e5bc01453cbbcb5f3fd15dac4aeed6be4733278b6

Download Submit
C:\Windows\System\PyQcanW.exe

Filesize
1.5MB

MD5
2ae027057d766b39d6b2a769834fcb4d

SHA1
7106d9bc35f652c83e94788ae0e869f9871c699b

SHA256
c3a9d8b1f3fdafe7a68a62ba239b45f04b87fa6b812880e93a3d5f65295a912a

SHA512
548fd75e6ce8a744e9715f24cda2b053845910e07574f548c01a35bd42d8db8d966de86a2a7a8460b08e575ba7bdb1454556c714a1a655227c5f59850437e192

Download Submit
C:\Windows\System\QfaTUzK.exe

Filesize
1.5MB

MD5
2b5e3bca63ef232167b1515119f0768a

SHA1
b97b00f312b99ddd342eb24d7333351a80fa6f56

SHA256
180e6ea18a3d8e0d770ad8a398aa190ee647b08fb60fa0dfb7c2d3659cd24c69

SHA512
de71803407a5c9736f43f59383b1737266d0369022f8c35c68a5bf8597d35254e19d49b592de86beffde35d486e3d10a149a4a7f87e09004a7b147561273dce1

Download Submit
C:\Windows\System\TShdvCX.exe

Filesize
1.5MB

MD5
ec2f0bac59784bf3fa2a8564e98e0d4e

SHA1
34daf3ea6fedb34031f4ae9f9f2ce364abc17d81

SHA256
cc26876eedee30bfeb7c6203b4d3eea991a200e2169487fdff7ab5c195135388

SHA512
dc8ddad0f52455d3cb876c773f874edd70cd25479d24defc6920c455cb9017194e7e3ed5b04fd10eda08a5fdab52510f38758b472b61c94bb17eddbbfe439921

Download Submit
C:\Windows\System\TTBezQE.exe

Filesize
1.5MB

MD5
37dd206e6c27b73a917d7d950cca3e22

SHA1
a3a79e555e3a8c4ceaa0c1302178619a2b7738ac

SHA256
efc833dc71fa919582051477fbe20e705cb6b10b41122bb136ccbc15a7b793ec

SHA512
93d6c81629ea6c29569956cc1f7ff90183aa35e75569382160543b86f2448b2f8934120b79657b3f6ce014064cf298aaeb220c94db1cc7eaf213ea7bdec5ea85

Download Submit
C:\Windows\System\TmhIqZM.exe

Filesize
1.5MB

MD5
b67f7db5da827d81d8c5bd612a2e9be7

SHA1
d3e2528489fc5bc3105d76e641d10d09143d00f1

SHA256
373f94cd429629e31130eb5874960edc8113537faabaefdcbc0b978e31ae0434

SHA512
9b31d34d2cf9c9b91f437ec2fda4286aac9c868afdfe38ebb3201375a27f0833c7d83f04914d1314ae23e33baeae6e5aecda88468cff91cf4588f5aec019c5a1

Download Submit
C:\Windows\System\Ucjpokx.exe

Filesize
1.5MB

MD5
31756b2fda4b45310ce6fc2bac440f7c

SHA1
b057df9c5bb89aa1e36d23e65869222c8b610aa0

SHA256
0b8618cd062c31832a8fe845ddeae476b7d2ddc35a660906d8a5becd21b5684d

SHA512
9a14ee153b0bcbe2cabc702b5f49bfcef85c15e5fe59d9c9ea2d024ef1fc4de869ae07f4ed754edb9245ca10a0b6191bee758ff478f546069f366a4f58f0b6e0

Download Submit
C:\Windows\System\UegMRqs.exe

Filesize
1.5MB

MD5
8ebc242ce5f903bc306e308b18d728df

SHA1
cfe641b689df9114e3007ef4161b8eeff438e7bb

SHA256
3d90c96ec12a474ddc3fb9fb6e593cf232b741b3ef275ef67a0364ec2facfc8d

SHA512
09a5689d95120cecd7bdf50750d011832dcc8d1b4344738b32229dd1cb6d76bc4a5fc90a04c8d2bc3dcb809c604f905c7f51517789e8f235f78f4fb432becfcb

Download Submit
C:\Windows\System\VRhfKcz.exe

Filesize
1.5MB

MD5
07355dbd0847c6266b4cefd1ad6bb04e

SHA1
3643981703a21be639abd63810b933607f3b6835

SHA256
5f77a20ecec6442e0a8949a9d19eaea60d368dde707e8428a8473003bf3213b5

SHA512
9f83897fa2ac4c13e11f5f43a9322366225b53a0873a8544f55b08a6b125a8dbadf9d6dd4f9c9548a784abc625a2fcb27125e1953d83d95ec2298b68c1289dbe

Download Submit
C:\Windows\System\WSPzqMU.exe

Filesize
1.5MB

MD5
754b222cfdc50e814052bd6148d00452

SHA1
4bd8695a2639f65f8b51702beb7a07ca4be27960

SHA256
e7cc87148100ea3c1350f3da04fd3238445e1d9c58c4d98c07b709017e37e92a

SHA512
7527f05c3dc3288cd36f7b599d40efb2db152562edc64cd8396b9265ca75092631e0ae0d1edb2501461213eb0de5c15326ef27145321bf22f346df71192e8eb4

Download Submit
C:\Windows\System\WXMRfCC.exe

Filesize
1.5MB

MD5
6610c0533a0580bb62c9d5d72c73056b

SHA1
607fa06a429ca9c1d76655162aceadcb9f514591

SHA256
c051494c85ecbbd33b32bd431edadcf4e3e76cd7393bb61560a35c550410b4e3

SHA512
fe555794ea562027226e36ac8b53b707f0fa257506cb742d1798d793ac012ab753e460d1360817a08174ce72705c426af340856db8ae1a9cf6a2c2be847305e7

Download Submit
C:\Windows\System\WstxybA.exe

Filesize
1.5MB

MD5
14eb552a9872a07bbbf98b80844fa5da

SHA1
ae377cd168e1cda38138ece3d936c27625e995f3

SHA256
8c67295131d9175304cafdc354c05b18bb7da2a2f2981d2c71a4f52315f4b26a

SHA512
a8fab2ca5b10e52a711907bffa861bf5059b38f9c7a0b7bfac2dc92facf19d9fc670e214789099ab3eae1aa31d8952613e6fe883ce7676d099433b5fff8e296d

Download Submit
C:\Windows\System\ZqkZDpx.exe

Filesize
1.5MB

MD5
72363b686852eaeef1643d05a71fe5bb

SHA1
44178d16fbf3d48364c262f7dc830a1fd0c50eb1

SHA256
8c83cab78af8427253c187b5da0921b04b5ef34e275b7a0bbc763f1e6d458b47

SHA512
30693df0770e5fbdef0962540588ffff2a5f4c3486b7050bcb55481fdcea12a3fdcc49fb40f02174c894d2e41a66dafe6aab83203bf4b6822902be21d644b0d2

Download Submit
C:\Windows\System\aFmmCFk.exe

Filesize
1.5MB

MD5
d9c85df4d89fef3524e2f2a03f8ee0dd

SHA1
18d21871b58a1fc099c7a3c52d897a16fd8a1ea8

SHA256
e9d88e64cba51aa3c2d4bc1ba63004241deaf996742e34a2b4a9cfd69d1f7c0b

SHA512
54192633802b04743fa8ee2e3e0aa0e7910ec26de7a3f01cdbe57a92b787ebde6451a57cbe818b5ed122ccba33ec74ad7e416d93015cb1527586a5e23bce4c8e

Download Submit
C:\Windows\System\cryEIkb.exe

Filesize
1.5MB

MD5
d4adaffa610680f47d18d6137f02a9f1

SHA1
dc16051ef275804c888215b728a30f36782f71cf

SHA256
6fdffbe45d357c48c94198a0120283c2ff7c509a3afbe6c210e03d6286c9b2e0

SHA512
08a64c7be9524d00899991ff5807215077e27ffa1a230de1b752ee3b9e56645d27a602ba118f0a694dd277881aa8cebd05604ff1538fa67dab6b6fefdacb4b0c

Download Submit
C:\Windows\System\eXAMhJM.exe

Filesize
1.5MB

MD5
14269b1cedf801d5439740a2f1866b4a

SHA1
20855e88e9c07e83953d9a947ecbe996fe80ca18

SHA256
2f3a54923b8a0b563575dccc9adbf774f7b5bfa3a32aee8b6c5cceef0208e913

SHA512
3ada375110dad069cae5b680a49ed9057269d1800c8de0322072995267676ac1c29b3c2f96293fcba0ca3b1db878d0ff926768632d125e37e099c940de2f3413

Download Submit
C:\Windows\System\heaEaYn.exe

Filesize
1.5MB

MD5
e908332ae7c2cf1888228c4600cfd1d7

SHA1
bc33e6202cdb0707e3e275760b29d1326b31948a

SHA256
330542221734116d5c42b58ac4477e5935f1f0c2637332e206f2c820978496eb

SHA512
355bded55ecf0c0566b963d3702b133f7f1780ab5c75d05b13acbce583e74c3f821c378c3f0279099196ac8418e94a20677ab8db136224fb5162b3b0ffcf1d99

Download Submit
C:\Windows\System\jPVUsFe.exe

Filesize
1.5MB

MD5
397605023582f77fd44555fd6d155bbc

SHA1
0f127001a41fe64157bca369e159e295964e4e85

SHA256
f1bed57566a90b9059b79162669e6e1ddf525127131d8436c6721b074a7d8782

SHA512
58f898ebf6d6e24ef5a5f34bffea5462cee4a7052d6015032ae0e0e18196c0181223da8eb91feca7f1b537f0f091a2f26dc25af51841627bb7bbbec476d0d8d6

Download Submit
C:\Windows\System\kGcFhFU.exe

Filesize
1.5MB

MD5
40109a4962d3189c963433bc8ae7b405

SHA1
e4d26e36cb0bcfa836e4c170a6784d6c7f5220e2

SHA256
b972310f5c28223f47f5a1ff23fd843a16feece40cc65bb58bedc53a85888f9c

SHA512
42edcc553d1cf072ba9967a9a46179842d97ac91ff3d8227458d100a344254902b32330b74e8500315c1739de66c0677ced6a9c008e00f6f8003469167282439

Download Submit
C:\Windows\System\lmEZsoE.exe

Filesize
1.5MB

MD5
a136a2c3dc9208c117449fcb544479da

SHA1
8d559e045ca7f543cfac6694b668098bef7c9c40

SHA256
1b5617e74723638035e66b5fd75884e3a39d7529ae1a048c9baef83061c594c4

SHA512
48e98556dd4233ab9469f78c513d9afac8fe75de181a9a42e54553325cda3491d753e86384636d90462d542b5c6080953e7ee4418c657dd3e4849aaf9783aec6

Download Submit
C:\Windows\System\qRfqIyr.exe

Filesize
1.5MB

MD5
a133ed7f87842409beb7a1149a1a8602

SHA1
9bdc67822b0b25f1380c9c94c76a0ef534be37e2

SHA256
e5432d0405f75193ba8ec82c156a4e8c12206150e401fd674e47c3f1c6dee287

SHA512
adf14d1cf253412e198d7eaa5bf024640c9538b2626d275250adc166b74161a69cf88e8d1c4e62af305e3f797ecccda38847b9039c2b7e862b03f7afe6af66bc

Download Submit
C:\Windows\System\qtJQoWt.exe

Filesize
1.5MB

MD5
a1b81b135c5a673c3a9bf8381b7b68b2

SHA1
d938acbde97b7566a2dda250a64cd2ecdd546247

SHA256
ea1031874dedff88f31018bdc0c9930ade227e2f7d07bc36f50aa5a89e5d7467

SHA512
3929e6f38ee5fe7d63f1c95f235738f93b496ae4128bdb0e54e4db01fe6a1b6abf8041708d633db055fa7c69685184d01f5bf6817f5f955f4219e34267f86aff

Download Submit
C:\Windows\System\vHuqwAN.exe

Filesize
1.5MB

MD5
8064858dc7f5a8e123eb05b338f88dc4

SHA1
498307aa68e6a99d9e79e9657adc8eb800274c63

SHA256
6e948660cbc7d772516793ab240a8be5e8c7a907a653135b6375d2bea202394c

SHA512
977df75344f3048cf2ea87d5e55117076c1b9b4f68a74bdaaea4004e9539417b6a4ba0370c9a7a6d0ee84f43d1fd4c63c08c79c6a1b5f26f9a645bdbd1dce1ef

Download Submit
C:\Windows\System\whZtGJu.exe

Filesize
1.5MB

MD5
4a7b03cb41ac4ea32bde467e49cfa3fe

SHA1
545b3d9178a8a82fcd0dba64ac74634b96d0b5d0

SHA256
b9af5d52177a316a977a18b66aa86e127dc7e4db226dc59f940ce2b88d8d57a3

SHA512
4eb82ea1f5fbaa067574580eec94891a7ba4482dbb9f3ba47c6d3c77451ac9dda661adae20c790c783fa4ac4dde65dbd01b3df7b6d3c225fb2c53aefc77130ff

Download Submit
C:\Windows\System\xfktjBB.exe

Filesize
1.5MB

MD5
0a9ddc8a3b2766ebd1f1d0f68d6953d3

SHA1
c208701082f480f6af2230c0024f93e95c7c5ed5

SHA256
6a36731a82edfde85da61f88713dbdcf9471b53b51fc79fdf8a85fa730d0de85

SHA512
301c35b03d4cc777a82c90f7048ce77ffc465d4f0300ca5d1c4c3ba50ba1c709a47f91f1af8f90e6fb1d603944ea1ddb1ea25ed6c1066897c681f5f3a0d84d23

Download Submit
C:\Windows\System\zCOuHtt.exe

Filesize
1.5MB

MD5
df918f4a9459f0959518cfd7d9d330c9

SHA1
d3982edcd082b10708bfa65dc8cec362b2503123

SHA256
1fb9a85fcc6db2b65a3457c76b9a2685faf53e724caf5d51d2a763e6686771e0

SHA512
c704af49c6cf3c23ea63e58d732f028a6b3907ce0e2539a47cddc6eead950eff356ff70b5dca99cd8875b31d6fca79ea22728c7d78d581d9a0d3be7770447bbd

Download Submit
C:\Windows\System\zJHvuAs.exe

Filesize
1.5MB

MD5
aef4d40a816fea7289dbbf35ed11c1a9

SHA1
b04213d1a052661ac66db2c1becef6f3163d0046

SHA256
c84e7c9b93dc223aff96a3231c605eda6235d446d9222277d84a13ea2791d436

SHA512
37d7373214d2d9e031cff3f60a8d04fad6367e64451be90859db5a1235ce78ec41d1dccc4d19bca87673ecddca9c9504751d83b33aa0543daf425818f69ae706

Download Submit
memory/464-634-0x00007FF7FB330000-0x00007FF7FB722000-memory.dmp

Filesize
3.9MB

Download
memory/464-2257-0x00007FF7FB330000-0x00007FF7FB722000-memory.dmp

Filesize
3.9MB

Download
memory/736-102-0x00007FF6CD730000-0x00007FF6CDB22000-memory.dmp

Filesize
3.9MB

Download
memory/736-2219-0x00007FF6CD730000-0x00007FF6CDB22000-memory.dmp

Filesize
3.9MB

Download
memory/1516-2223-0x00007FF7D0E90000-0x00007FF7D1282000-memory.dmp

Filesize
3.9MB

Download
memory/1516-60-0x00007FF7D0E90000-0x00007FF7D1282000-memory.dmp

Filesize
3.9MB

Download
memory/1672-628-0x00007FF715330000-0x00007FF715722000-memory.dmp

Filesize
3.9MB

Download
memory/1672-2253-0x00007FF715330000-0x00007FF715722000-memory.dmp

Filesize
3.9MB

Download
memory/1748-2215-0x00007FF6A25D0000-0x00007FF6A29C2000-memory.dmp

Filesize
3.9MB

Download
memory/1748-73-0x00007FF6A25D0000-0x00007FF6A29C2000-memory.dmp

Filesize
3.9MB

Download
memory/1748-2247-0x00007FF6A25D0000-0x00007FF6A29C2000-memory.dmp

Filesize
3.9MB

Download
memory/1760-2224-0x00007FF71EE60000-0x00007FF71F252000-memory.dmp

Filesize
3.9MB

Download
memory/1760-56-0x00007FF71EE60000-0x00007FF71F252000-memory.dmp

Filesize
3.9MB

Download
memory/1784-2227-0x00007FF7BA500000-0x00007FF7BA8F2000-memory.dmp

Filesize
3.9MB

Download
memory/1784-542-0x00007FF7BA500000-0x00007FF7BA8F2000-memory.dmp

Filesize
3.9MB

Download
memory/1904-587-0x00007FF6F2830000-0x00007FF6F2C22000-memory.dmp

Filesize
3.9MB

Download
memory/1904-2237-0x00007FF6F2830000-0x00007FF6F2C22000-memory.dmp

Filesize
3.9MB

Download
memory/1924-2261-0x00007FF6473B0000-0x00007FF6477A2000-memory.dmp

Filesize
3.9MB

Download
memory/1924-646-0x00007FF6473B0000-0x00007FF6477A2000-memory.dmp

Filesize
3.9MB

Download
memory/2316-2259-0x00007FF705850000-0x00007FF705C42000-memory.dmp

Filesize
3.9MB

Download
memory/2316-640-0x00007FF705850000-0x00007FF705C42000-memory.dmp

Filesize
3.9MB

Download
memory/2440-2249-0x00007FF7E3DB0000-0x00007FF7E41A2000-memory.dmp

Filesize
3.9MB

Download
memory/2440-673-0x00007FF7E3DB0000-0x00007FF7E41A2000-memory.dmp

Filesize
3.9MB

Download
memory/2520-2263-0x00007FF7BFB90000-0x00007FF7BFF82000-memory.dmp

Filesize
3.9MB

Download
memory/2520-656-0x00007FF7BFB90000-0x00007FF7BFF82000-memory.dmp

Filesize
3.9MB

Download
memory/2740-486-0x000001E8F3D20000-0x000001E8F44C6000-memory.dmp

Filesize
7.6MB

Download
memory/2740-2410-0x00007FFC21F33000-0x00007FFC21F35000-memory.dmp

Filesize
8KB

Download
memory/2740-99-0x000001E8F3200000-0x000001E8F3222000-memory.dmp

Filesize
136KB

Download
memory/2740-86-0x00007FFC21F30000-0x00007FFC229F1000-memory.dmp

Filesize
10.8MB

Download
memory/2740-2214-0x00007FFC21F30000-0x00007FFC229F1000-memory.dmp

Filesize
10.8MB

Download
memory/2740-39-0x00007FFC21F30000-0x00007FFC229F1000-memory.dmp

Filesize
10.8MB

Download
memory/2740-19-0x00007FFC21F33000-0x00007FFC21F35000-memory.dmp

Filesize
8KB

Download
memory/2744-2226-0x00007FF67BB40000-0x00007FF67BF32000-memory.dmp

Filesize
3.9MB

Download
memory/2744-49-0x00007FF67BB40000-0x00007FF67BF32000-memory.dmp

Filesize
3.9MB

Download
memory/2888-80-0x00007FF6AE5E0000-0x00007FF6AE9D2000-memory.dmp

Filesize
3.9MB

Download
memory/2888-2233-0x00007FF6AE5E0000-0x00007FF6AE9D2000-memory.dmp

Filesize
3.9MB

Download
memory/3108-2255-0x00007FF72DD10000-0x00007FF72E102000-memory.dmp

Filesize
3.9MB

Download
memory/3108-632-0x00007FF72DD10000-0x00007FF72E102000-memory.dmp

Filesize
3.9MB

Download
memory/3168-2231-0x00007FF7F7DA0000-0x00007FF7F8192000-memory.dmp

Filesize
3.9MB

Download
memory/3168-64-0x00007FF7F7DA0000-0x00007FF7F8192000-memory.dmp

Filesize
3.9MB

Download
memory/3692-2217-0x00007FF7DF190000-0x00007FF7DF582000-memory.dmp

Filesize
3.9MB

Download
memory/3692-18-0x00007FF7DF190000-0x00007FF7DF582000-memory.dmp

Filesize
3.9MB

Download
memory/3996-2229-0x00007FF64CC90000-0x00007FF64D082000-memory.dmp

Filesize
3.9MB

Download
memory/3996-543-0x00007FF64CC90000-0x00007FF64D082000-memory.dmp

Filesize
3.9MB

Download
memory/4512-63-0x00007FF7A9230000-0x00007FF7A9622000-memory.dmp

Filesize
3.9MB

Download
memory/4512-2235-0x00007FF7A9230000-0x00007FF7A9622000-memory.dmp

Filesize
3.9MB

Download
memory/4548-1-0x00000219A1250000-0x00000219A1260000-memory.dmp

Filesize
64KB

Download
memory/4548-0-0x00007FF6608B0000-0x00007FF660CA2000-memory.dmp

Filesize
3.9MB

Download
memory/4656-2243-0x00007FF66E340000-0x00007FF66E732000-memory.dmp

Filesize
3.9MB

Download
memory/4656-594-0x00007FF66E340000-0x00007FF66E732000-memory.dmp

Filesize
3.9MB

Download
memory/4676-2251-0x00007FF604920000-0x00007FF604D12000-memory.dmp

Filesize
3.9MB

Download
memory/4676-619-0x00007FF604920000-0x00007FF604D12000-memory.dmp

Filesize
3.9MB

Download
memory/4944-608-0x00007FF7AD310000-0x00007FF7AD702000-memory.dmp

Filesize
3.9MB

Download
memory/4944-2241-0x00007FF7AD310000-0x00007FF7AD702000-memory.dmp

Filesize
3.9MB

Download
memory/5020-2239-0x00007FF7C1D10000-0x00007FF7C2102000-memory.dmp

Filesize
3.9MB

Download
memory/5020-597-0x00007FF7C1D10000-0x00007FF7C2102000-memory.dmp

Filesize
3.9MB

Download
memory/5040-2245-0x00007FF6E8B40000-0x00007FF6E8F32000-memory.dmp

Filesize
3.9MB

Download
memory/5040-660-0x00007FF6E8B40000-0x00007FF6E8F32000-memory.dmp

Filesize
3.9MB

Download