xmrig | 706802e0d2896493303be6f0e0d391b10f95cf555872f9c75cd587596e68fd65

Analysis

max time kernel
136s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
Size

1.5MB
MD5

8701ad053eac6898937ebf643a354b50
SHA1

257839ced0a41a04557cc3725803402b7b07780e
SHA256

706802e0d2896493303be6f0e0d391b10f95cf555872f9c75cd587596e68fd65
SHA512

4612bd28c38ec3182b4a347d7111dc888f0e6a195fad2d3d704c196abd212769fbbe9413b29f2f55d1f1df428859bf929385be953d4beeef0e8cc49181c0e867
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkUCCWvLEvjpbc8nJwbomvu2Nrl/:Lz071uv4BPMkHC0IBcAUNx

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/2968-292-0x00007FF71D770000-0x00007FF71DB62000-memory.dmp	xmrig
behavioral2/memory/2816-294-0x00007FF6BD6A0000-0x00007FF6BDA92000-memory.dmp	xmrig
behavioral2/memory/4576-300-0x00007FF685870000-0x00007FF685C62000-memory.dmp	xmrig
behavioral2/memory/4144-306-0x00007FF708430000-0x00007FF708822000-memory.dmp	xmrig
behavioral2/memory/2436-308-0x00007FF785850000-0x00007FF785C42000-memory.dmp	xmrig
behavioral2/memory/3424-319-0x00007FF647070000-0x00007FF647462000-memory.dmp	xmrig
behavioral2/memory/3116-343-0x00007FF74C810000-0x00007FF74CC02000-memory.dmp	xmrig
behavioral2/memory/3828-340-0x00007FF746E70000-0x00007FF747262000-memory.dmp	xmrig
behavioral2/memory/2588-313-0x00007FF6B7E40000-0x00007FF6B8232000-memory.dmp	xmrig
behavioral2/memory/4552-357-0x00007FF659BC0000-0x00007FF659FB2000-memory.dmp	xmrig
behavioral2/memory/756-364-0x00007FF630930000-0x00007FF630D22000-memory.dmp	xmrig
behavioral2/memory/1600-371-0x00007FF785660000-0x00007FF785A52000-memory.dmp	xmrig
behavioral2/memory/3472-375-0x00007FF6D4950000-0x00007FF6D4D42000-memory.dmp	xmrig
behavioral2/memory/3880-365-0x00007FF6E51B0000-0x00007FF6E55A2000-memory.dmp	xmrig
behavioral2/memory/384-377-0x00007FF733750000-0x00007FF733B42000-memory.dmp	xmrig
behavioral2/memory/4108-383-0x00007FF66D2B0000-0x00007FF66D6A2000-memory.dmp	xmrig
behavioral2/memory/1964-384-0x00007FF7EDA40000-0x00007FF7EDE32000-memory.dmp	xmrig
behavioral2/memory/4444-358-0x00007FF676DD0000-0x00007FF6771C2000-memory.dmp	xmrig
behavioral2/memory/4508-349-0x00007FF632D50000-0x00007FF633142000-memory.dmp	xmrig
behavioral2/memory/3608-305-0x00007FF740D70000-0x00007FF741162000-memory.dmp	xmrig
behavioral2/memory/1892-83-0x00007FF7266F0000-0x00007FF726AE2000-memory.dmp	xmrig
behavioral2/memory/2944-78-0x00007FF6B2B70000-0x00007FF6B2F62000-memory.dmp	xmrig
behavioral2/memory/2728-73-0x00007FF7DF1E0000-0x00007FF7DF5D2000-memory.dmp	xmrig
behavioral2/memory/4468-71-0x00007FF69EFA0000-0x00007FF69F392000-memory.dmp	xmrig
behavioral2/memory/4788-1951-0x00007FF678530000-0x00007FF678922000-memory.dmp	xmrig
behavioral2/memory/4468-2044-0x00007FF69EFA0000-0x00007FF69F392000-memory.dmp	xmrig
behavioral2/memory/3472-2046-0x00007FF6D4950000-0x00007FF6D4D42000-memory.dmp	xmrig
behavioral2/memory/1892-2048-0x00007FF7266F0000-0x00007FF726AE2000-memory.dmp	xmrig
behavioral2/memory/2944-2052-0x00007FF6B2B70000-0x00007FF6B2F62000-memory.dmp	xmrig
behavioral2/memory/2728-2050-0x00007FF7DF1E0000-0x00007FF7DF5D2000-memory.dmp	xmrig
behavioral2/memory/3608-2054-0x00007FF740D70000-0x00007FF741162000-memory.dmp	xmrig
behavioral2/memory/2968-2056-0x00007FF71D770000-0x00007FF71DB62000-memory.dmp	xmrig
behavioral2/memory/2816-2058-0x00007FF6BD6A0000-0x00007FF6BDA92000-memory.dmp	xmrig
behavioral2/memory/4576-2062-0x00007FF685870000-0x00007FF685C62000-memory.dmp	xmrig
behavioral2/memory/384-2061-0x00007FF733750000-0x00007FF733B42000-memory.dmp	xmrig
behavioral2/memory/4144-2066-0x00007FF708430000-0x00007FF708822000-memory.dmp	xmrig
behavioral2/memory/4108-2065-0x00007FF66D2B0000-0x00007FF66D6A2000-memory.dmp	xmrig
behavioral2/memory/1964-2068-0x00007FF7EDA40000-0x00007FF7EDE32000-memory.dmp	xmrig
behavioral2/memory/2436-2070-0x00007FF785850000-0x00007FF785C42000-memory.dmp	xmrig
behavioral2/memory/2588-2072-0x00007FF6B7E40000-0x00007FF6B8232000-memory.dmp	xmrig
behavioral2/memory/3424-2074-0x00007FF647070000-0x00007FF647462000-memory.dmp	xmrig
behavioral2/memory/3116-2078-0x00007FF74C810000-0x00007FF74CC02000-memory.dmp	xmrig
behavioral2/memory/3828-2077-0x00007FF746E70000-0x00007FF747262000-memory.dmp	xmrig
behavioral2/memory/4508-2080-0x00007FF632D50000-0x00007FF633142000-memory.dmp	xmrig
behavioral2/memory/4552-2082-0x00007FF659BC0000-0x00007FF659FB2000-memory.dmp	xmrig
behavioral2/memory/4444-2084-0x00007FF676DD0000-0x00007FF6771C2000-memory.dmp	xmrig
behavioral2/memory/756-2086-0x00007FF630930000-0x00007FF630D22000-memory.dmp	xmrig
behavioral2/memory/3880-2088-0x00007FF6E51B0000-0x00007FF6E55A2000-memory.dmp	xmrig
behavioral2/memory/1600-2090-0x00007FF785660000-0x00007FF785A52000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	1244	powershell.exe
13	1244	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1244	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4468	skRRrcw.exe
3472	qkwLioT.exe
2728	kfplIyB.exe
2944	alTbmey.exe
1892	qlphhkQ.exe
384	SAlUPPe.exe
2968	GEPfiHE.exe
2816	pyuyihe.exe
4576	zkzfihe.exe
3608	ROUruTQ.exe
4144	zZgOSCH.exe
4108	cjlyQNc.exe
1964	dKVeZsa.exe
2436	LFZQBAg.exe
2588	wsgYfhn.exe
3424	GPBDxLz.exe
3828	PdfggDK.exe
3116	yQcbYYg.exe
4508	KVMnCaB.exe
4552	sjSevmq.exe
4444	FahlRJN.exe
756	LpmAQbp.exe
3880	ujwQMoe.exe
1600	wgWQMDT.exe
4512	qjXPRhL.exe
1816	vsPNUnf.exe
732	noGlyZv.exe
4716	kDURKJQ.exe
4168	MXjTEdC.exe
3200	IslVWXf.exe
4836	IwFVHPA.exe
3564	ljDxECL.exe
64	zikeVhn.exe
4760	VgnAPmV.exe
2636	QexpCuy.exe
1572	VkadvAB.exe
672	ErXsyMi.exe
412	zyFjUek.exe
4532	bSpSRXL.exe
1948	VGIkrxk.exe
600	XbolpVf.exe
5084	RpMoMnA.exe
4540	jzDRlYx.exe
1068	tAMsNuK.exe
2936	cxWVXRx.exe
4028	oPizcBd.exe
3680	lFqaRDu.exe
824	CRKDMkp.exe
4780	VUehFZD.exe
2060	vBweUiu.exe
5020	pJrXcPP.exe
1728	ClROzxo.exe
3044	PgmlSUR.exe
3004	WlOnPjN.exe
4352	LjMHInb.exe
1404	GyIDDUc.exe
4900	vxUgbwf.exe
5116	aKhaZlw.exe
1592	atsFcqx.exe
4612	UnPqWZN.exe
4672	FbuAlWZ.exe
1676	yEzNyFR.exe
380	eXjvnRS.exe
4172	WVoPniK.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4788-0-0x00007FF678530000-0x00007FF678922000-memory.dmp	upx
behavioral2/files/0x0008000000023413-6.dat	upx
behavioral2/files/0x0007000000023418-9.dat	upx
behavioral2/files/0x0007000000023417-10.dat	upx
behavioral2/files/0x000700000002341a-32.dat	upx
behavioral2/files/0x000800000002341d-67.dat	upx
behavioral2/files/0x0007000000023421-81.dat	upx
behavioral2/files/0x0007000000023423-85.dat	upx
behavioral2/files/0x0007000000023422-89.dat	upx
behavioral2/files/0x0007000000023425-101.dat	upx
behavioral2/files/0x0008000000023414-108.dat	upx
behavioral2/files/0x000700000002342b-130.dat	upx
behavioral2/files/0x000700000002342d-140.dat	upx
behavioral2/files/0x000700000002342f-150.dat	upx
behavioral2/files/0x0007000000023431-160.dat	upx
behavioral2/files/0x0007000000023433-170.dat	upx
behavioral2/memory/2968-292-0x00007FF71D770000-0x00007FF71DB62000-memory.dmp	upx
behavioral2/memory/2816-294-0x00007FF6BD6A0000-0x00007FF6BDA92000-memory.dmp	upx
behavioral2/memory/4576-300-0x00007FF685870000-0x00007FF685C62000-memory.dmp	upx
behavioral2/memory/4144-306-0x00007FF708430000-0x00007FF708822000-memory.dmp	upx
behavioral2/memory/2436-308-0x00007FF785850000-0x00007FF785C42000-memory.dmp	upx
behavioral2/memory/3424-319-0x00007FF647070000-0x00007FF647462000-memory.dmp	upx
behavioral2/memory/3116-343-0x00007FF74C810000-0x00007FF74CC02000-memory.dmp	upx
behavioral2/memory/3828-340-0x00007FF746E70000-0x00007FF747262000-memory.dmp	upx
behavioral2/memory/2588-313-0x00007FF6B7E40000-0x00007FF6B8232000-memory.dmp	upx
behavioral2/memory/4552-357-0x00007FF659BC0000-0x00007FF659FB2000-memory.dmp	upx
behavioral2/memory/756-364-0x00007FF630930000-0x00007FF630D22000-memory.dmp	upx
behavioral2/memory/1600-371-0x00007FF785660000-0x00007FF785A52000-memory.dmp	upx
behavioral2/memory/3472-375-0x00007FF6D4950000-0x00007FF6D4D42000-memory.dmp	upx
behavioral2/memory/3880-365-0x00007FF6E51B0000-0x00007FF6E55A2000-memory.dmp	upx
behavioral2/memory/384-377-0x00007FF733750000-0x00007FF733B42000-memory.dmp	upx
behavioral2/memory/4108-383-0x00007FF66D2B0000-0x00007FF66D6A2000-memory.dmp	upx
behavioral2/memory/1964-384-0x00007FF7EDA40000-0x00007FF7EDE32000-memory.dmp	upx
behavioral2/memory/4444-358-0x00007FF676DD0000-0x00007FF6771C2000-memory.dmp	upx
behavioral2/memory/4508-349-0x00007FF632D50000-0x00007FF633142000-memory.dmp	upx
behavioral2/memory/3608-305-0x00007FF740D70000-0x00007FF741162000-memory.dmp	upx
behavioral2/files/0x0007000000023435-180.dat	upx
behavioral2/files/0x0007000000023434-175.dat	upx
behavioral2/files/0x0007000000023432-173.dat	upx
behavioral2/files/0x0007000000023430-163.dat	upx
behavioral2/files/0x000700000002342e-153.dat	upx
behavioral2/files/0x000700000002342c-143.dat	upx
behavioral2/files/0x000700000002342a-133.dat	upx
behavioral2/files/0x0007000000023429-128.dat	upx
behavioral2/files/0x0007000000023428-123.dat	upx
behavioral2/files/0x0007000000023427-118.dat	upx
behavioral2/files/0x0007000000023426-113.dat	upx
behavioral2/files/0x0007000000023424-93.dat	upx
behavioral2/memory/1892-83-0x00007FF7266F0000-0x00007FF726AE2000-memory.dmp	upx
behavioral2/memory/2944-78-0x00007FF6B2B70000-0x00007FF6B2F62000-memory.dmp	upx
behavioral2/files/0x000800000002341c-76.dat	upx
behavioral2/memory/2728-73-0x00007FF7DF1E0000-0x00007FF7DF5D2000-memory.dmp	upx
behavioral2/memory/4468-71-0x00007FF69EFA0000-0x00007FF69F392000-memory.dmp	upx
behavioral2/files/0x000700000002341b-68.dat	upx
behavioral2/files/0x0007000000023420-60.dat	upx
behavioral2/files/0x000700000002341f-65.dat	upx
behavioral2/files/0x000700000002341e-57.dat	upx
behavioral2/files/0x0007000000023419-33.dat	upx
behavioral2/memory/4788-1951-0x00007FF678530000-0x00007FF678922000-memory.dmp	upx
behavioral2/memory/4468-2044-0x00007FF69EFA0000-0x00007FF69F392000-memory.dmp	upx
behavioral2/memory/3472-2046-0x00007FF6D4950000-0x00007FF6D4D42000-memory.dmp	upx
behavioral2/memory/1892-2048-0x00007FF7266F0000-0x00007FF726AE2000-memory.dmp	upx
behavioral2/memory/2944-2052-0x00007FF6B2B70000-0x00007FF6B2F62000-memory.dmp	upx
behavioral2/memory/2728-2050-0x00007FF7DF1E0000-0x00007FF7DF5D2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\XYVPiXt.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\rlzYHnH.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\ymPYDry.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\ZcIHOzV.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\eukljsD.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\polEURq.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\lLUQbqx.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\latOync.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\YxDNvzy.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\xQNoxRl.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\BunGXbi.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\MFMheyb.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\PLBhKzw.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\tAMsNuK.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\vMwqUDO.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\sZLrcqt.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\DCdCLGa.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\FzLbGke.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\sTyaKZy.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\ljDxECL.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\sjSevmq.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\dkJSGfT.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\sGTwyqX.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\MRpUuWH.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\BaAvKUH.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\KVMnCaB.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\oKibuYr.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\iGaVEvD.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\IacKloq.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\yCsLzye.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\QqTVxbT.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\tyEIDIy.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\SRIVPZD.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\bDazOVn.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\yZJjibK.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\NKcWYJR.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\VgAAwkY.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\TUzthCQ.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\mKxRgGR.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\XvZTnGc.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\IKeFUBi.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\whrfvGa.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\ijKOfJQ.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\FijZMzj.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\KoIOYie.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\QrerlKS.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\TdqWpMR.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\UoswoKz.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\CRKDMkp.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\rOhaKTz.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\AcenrQj.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\JwRZVmY.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\MoDWHyu.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\EJIRbaC.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\hCCyPDu.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\hhihgNt.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\lreWauM.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\LGpRMKD.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\NzcxqQS.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\kjOmQoQ.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\VXtoSzl.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\gWDSCgE.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\cjpvQdk.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
File created	C:\Windows\System\ExCimUW.exe	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1244	powershell.exe
1244	powershell.exe
1244	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	1244	powershell.exe
Token: SeLockMemoryPrivilege	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1244	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	84
PID 4788 wrote to memory of 1244	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	84
PID 4788 wrote to memory of 4468	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	85
PID 4788 wrote to memory of 4468	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	85
PID 4788 wrote to memory of 3472	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	86
PID 4788 wrote to memory of 3472	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	86
PID 4788 wrote to memory of 2728	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	87
PID 4788 wrote to memory of 2728	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	87
PID 4788 wrote to memory of 2944	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	88
PID 4788 wrote to memory of 2944	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	88
PID 4788 wrote to memory of 1892	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	89
PID 4788 wrote to memory of 1892	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	89
PID 4788 wrote to memory of 384	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	90
PID 4788 wrote to memory of 384	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	90
PID 4788 wrote to memory of 4576	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	91
PID 4788 wrote to memory of 4576	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	91
PID 4788 wrote to memory of 2968	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	92
PID 4788 wrote to memory of 2968	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	92
PID 4788 wrote to memory of 2816	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	93
PID 4788 wrote to memory of 2816	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	93
PID 4788 wrote to memory of 3608	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	94
PID 4788 wrote to memory of 3608	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	94
PID 4788 wrote to memory of 4144	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	95
PID 4788 wrote to memory of 4144	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	95
PID 4788 wrote to memory of 4108	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	96
PID 4788 wrote to memory of 4108	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	96
PID 4788 wrote to memory of 1964	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	97
PID 4788 wrote to memory of 1964	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	97
PID 4788 wrote to memory of 2436	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	98
PID 4788 wrote to memory of 2436	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	98
PID 4788 wrote to memory of 2588	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	99
PID 4788 wrote to memory of 2588	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	99
PID 4788 wrote to memory of 3424	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	100
PID 4788 wrote to memory of 3424	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	100
PID 4788 wrote to memory of 3828	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	101
PID 4788 wrote to memory of 3828	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	101
PID 4788 wrote to memory of 3116	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	102
PID 4788 wrote to memory of 3116	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	102
PID 4788 wrote to memory of 4508	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	103
PID 4788 wrote to memory of 4508	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	103
PID 4788 wrote to memory of 4552	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	104
PID 4788 wrote to memory of 4552	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	104
PID 4788 wrote to memory of 4444	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	105
PID 4788 wrote to memory of 4444	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	105
PID 4788 wrote to memory of 756	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	106
PID 4788 wrote to memory of 756	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	106
PID 4788 wrote to memory of 3880	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	107
PID 4788 wrote to memory of 3880	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	107
PID 4788 wrote to memory of 1600	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	108
PID 4788 wrote to memory of 1600	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	108
PID 4788 wrote to memory of 4512	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	109
PID 4788 wrote to memory of 4512	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	109
PID 4788 wrote to memory of 1816	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	110
PID 4788 wrote to memory of 1816	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	110
PID 4788 wrote to memory of 732	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	111
PID 4788 wrote to memory of 732	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	111
PID 4788 wrote to memory of 4716	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	112
PID 4788 wrote to memory of 4716	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	112
PID 4788 wrote to memory of 4168	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	113
PID 4788 wrote to memory of 4168	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	113
PID 4788 wrote to memory of 3200	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	114
PID 4788 wrote to memory of 3200	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	114
PID 4788 wrote to memory of 4836	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	115
PID 4788 wrote to memory of 4836	4788	8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\8701ad053eac6898937ebf643a354b50_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1244
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1244" "2908" "2840" "2912" "0" "0" "2916" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:9836
- C:\Windows\System\skRRrcw.exe
  C:\Windows\System\skRRrcw.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\qkwLioT.exe
  C:\Windows\System\qkwLioT.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\kfplIyB.exe
  C:\Windows\System\kfplIyB.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\alTbmey.exe
  C:\Windows\System\alTbmey.exe
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\Windows\System\qlphhkQ.exe
  C:\Windows\System\qlphhkQ.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\SAlUPPe.exe
  C:\Windows\System\SAlUPPe.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\zkzfihe.exe
  C:\Windows\System\zkzfihe.exe
  2⤵
  - Executes dropped EXE
  PID:4576
- C:\Windows\System\GEPfiHE.exe
  C:\Windows\System\GEPfiHE.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\pyuyihe.exe
  C:\Windows\System\pyuyihe.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\ROUruTQ.exe
  C:\Windows\System\ROUruTQ.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\zZgOSCH.exe
  C:\Windows\System\zZgOSCH.exe
  2⤵
  - Executes dropped EXE
  PID:4144
- C:\Windows\System\cjlyQNc.exe
  C:\Windows\System\cjlyQNc.exe
  2⤵
  - Executes dropped EXE
  PID:4108
- C:\Windows\System\dKVeZsa.exe
  C:\Windows\System\dKVeZsa.exe
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\Windows\System\LFZQBAg.exe
  C:\Windows\System\LFZQBAg.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- C:\Windows\System\wsgYfhn.exe
  C:\Windows\System\wsgYfhn.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\GPBDxLz.exe
  C:\Windows\System\GPBDxLz.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System\PdfggDK.exe
  C:\Windows\System\PdfggDK.exe
  2⤵
  - Executes dropped EXE
  PID:3828
- C:\Windows\System\yQcbYYg.exe
  C:\Windows\System\yQcbYYg.exe
  2⤵
  - Executes dropped EXE
  PID:3116
- C:\Windows\System\KVMnCaB.exe
  C:\Windows\System\KVMnCaB.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\sjSevmq.exe
  C:\Windows\System\sjSevmq.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\FahlRJN.exe
  C:\Windows\System\FahlRJN.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\LpmAQbp.exe
  C:\Windows\System\LpmAQbp.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\ujwQMoe.exe
  C:\Windows\System\ujwQMoe.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\wgWQMDT.exe
  C:\Windows\System\wgWQMDT.exe
  2⤵
  - Executes dropped EXE
  PID:1600
- C:\Windows\System\qjXPRhL.exe
  C:\Windows\System\qjXPRhL.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\vsPNUnf.exe
  C:\Windows\System\vsPNUnf.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\noGlyZv.exe
  C:\Windows\System\noGlyZv.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\kDURKJQ.exe
  C:\Windows\System\kDURKJQ.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Windows\System\MXjTEdC.exe
  C:\Windows\System\MXjTEdC.exe
  2⤵
  - Executes dropped EXE
  PID:4168
- C:\Windows\System\IslVWXf.exe
  C:\Windows\System\IslVWXf.exe
  2⤵
  - Executes dropped EXE
  PID:3200
- C:\Windows\System\IwFVHPA.exe
  C:\Windows\System\IwFVHPA.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\ljDxECL.exe
  C:\Windows\System\ljDxECL.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- C:\Windows\System\zikeVhn.exe
  C:\Windows\System\zikeVhn.exe
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Windows\System\VgnAPmV.exe
  C:\Windows\System\VgnAPmV.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\QexpCuy.exe
  C:\Windows\System\QexpCuy.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\VkadvAB.exe
  C:\Windows\System\VkadvAB.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\ErXsyMi.exe
  C:\Windows\System\ErXsyMi.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System\zyFjUek.exe
  C:\Windows\System\zyFjUek.exe
  2⤵
  - Executes dropped EXE
  PID:412
- C:\Windows\System\bSpSRXL.exe
  C:\Windows\System\bSpSRXL.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\VGIkrxk.exe
  C:\Windows\System\VGIkrxk.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\XbolpVf.exe
  C:\Windows\System\XbolpVf.exe
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Windows\System\RpMoMnA.exe
  C:\Windows\System\RpMoMnA.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\jzDRlYx.exe
  C:\Windows\System\jzDRlYx.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\tAMsNuK.exe
  C:\Windows\System\tAMsNuK.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\cxWVXRx.exe
  C:\Windows\System\cxWVXRx.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\oPizcBd.exe
  C:\Windows\System\oPizcBd.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\lFqaRDu.exe
  C:\Windows\System\lFqaRDu.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\CRKDMkp.exe
  C:\Windows\System\CRKDMkp.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\VUehFZD.exe
  C:\Windows\System\VUehFZD.exe
  2⤵
  - Executes dropped EXE
  PID:4780
- C:\Windows\System\vBweUiu.exe
  C:\Windows\System\vBweUiu.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\pJrXcPP.exe
  C:\Windows\System\pJrXcPP.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\ClROzxo.exe
  C:\Windows\System\ClROzxo.exe
  2⤵
  - Executes dropped EXE
  PID:1728
- C:\Windows\System\PgmlSUR.exe
  C:\Windows\System\PgmlSUR.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- C:\Windows\System\WlOnPjN.exe
  C:\Windows\System\WlOnPjN.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\LjMHInb.exe
  C:\Windows\System\LjMHInb.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System\GyIDDUc.exe
  C:\Windows\System\GyIDDUc.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\vxUgbwf.exe
  C:\Windows\System\vxUgbwf.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\aKhaZlw.exe
  C:\Windows\System\aKhaZlw.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\atsFcqx.exe
  C:\Windows\System\atsFcqx.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\UnPqWZN.exe
  C:\Windows\System\UnPqWZN.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\FbuAlWZ.exe
  C:\Windows\System\FbuAlWZ.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\yEzNyFR.exe
  C:\Windows\System\yEzNyFR.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\eXjvnRS.exe
  C:\Windows\System\eXjvnRS.exe
  2⤵
  - Executes dropped EXE
  PID:380
- C:\Windows\System\WVoPniK.exe
  C:\Windows\System\WVoPniK.exe
  2⤵
  - Executes dropped EXE
  PID:4172
- C:\Windows\System\cvgJyNI.exe
  C:\Windows\System\cvgJyNI.exe
  2⤵
  PID:4092
- C:\Windows\System\ijKOfJQ.exe
  C:\Windows\System\ijKOfJQ.exe
  2⤵
  PID:4324
- C:\Windows\System\xLWWHXd.exe
  C:\Windows\System\xLWWHXd.exe
  2⤵
  PID:2288
- C:\Windows\System\xotVxEZ.exe
  C:\Windows\System\xotVxEZ.exe
  2⤵
  PID:1444
- C:\Windows\System\bOEOtUW.exe
  C:\Windows\System\bOEOtUW.exe
  2⤵
  PID:2844
- C:\Windows\System\OMCTyDu.exe
  C:\Windows\System\OMCTyDu.exe
  2⤵
  PID:1436
- C:\Windows\System\YkiStOP.exe
  C:\Windows\System\YkiStOP.exe
  2⤵
  PID:3068
- C:\Windows\System\RUvbQJs.exe
  C:\Windows\System\RUvbQJs.exe
  2⤵
  PID:3380
- C:\Windows\System\fmTiLsm.exe
  C:\Windows\System\fmTiLsm.exe
  2⤵
  PID:1260
- C:\Windows\System\YXOOywO.exe
  C:\Windows\System\YXOOywO.exe
  2⤵
  PID:2420
- C:\Windows\System\wPWXJLz.exe
  C:\Windows\System\wPWXJLz.exe
  2⤵
  PID:2356
- C:\Windows\System\vACTXYo.exe
  C:\Windows\System\vACTXYo.exe
  2⤵
  PID:1608
- C:\Windows\System\RjICQTq.exe
  C:\Windows\System\RjICQTq.exe
  2⤵
  PID:1312
- C:\Windows\System\IqXtqJc.exe
  C:\Windows\System\IqXtqJc.exe
  2⤵
  PID:3332
- C:\Windows\System\EwDIOSl.exe
  C:\Windows\System\EwDIOSl.exe
  2⤵
  PID:1476
- C:\Windows\System\OZIRNKq.exe
  C:\Windows\System\OZIRNKq.exe
  2⤵
  PID:4388
- C:\Windows\System\KIETCPM.exe
  C:\Windows\System\KIETCPM.exe
  2⤵
  PID:3312
- C:\Windows\System\luzQsmo.exe
  C:\Windows\System\luzQsmo.exe
  2⤵
  PID:4872
- C:\Windows\System\QqFEmrB.exe
  C:\Windows\System\QqFEmrB.exe
  2⤵
  PID:2916
- C:\Windows\System\boDRnJt.exe
  C:\Windows\System\boDRnJt.exe
  2⤵
  PID:5128
- C:\Windows\System\oRpiTmw.exe
  C:\Windows\System\oRpiTmw.exe
  2⤵
  PID:5148
- C:\Windows\System\latOync.exe
  C:\Windows\System\latOync.exe
  2⤵
  PID:5168
- C:\Windows\System\eBaenlS.exe
  C:\Windows\System\eBaenlS.exe
  2⤵
  PID:5188
- C:\Windows\System\WTICdqW.exe
  C:\Windows\System\WTICdqW.exe
  2⤵
  PID:5228
- C:\Windows\System\ExCimUW.exe
  C:\Windows\System\ExCimUW.exe
  2⤵
  PID:5300
- C:\Windows\System\uUAqwih.exe
  C:\Windows\System\uUAqwih.exe
  2⤵
  PID:5388
- C:\Windows\System\UtstxxK.exe
  C:\Windows\System\UtstxxK.exe
  2⤵
  PID:5416
- C:\Windows\System\SVTKlQz.exe
  C:\Windows\System\SVTKlQz.exe
  2⤵
  PID:5456
- C:\Windows\System\HTwwfGx.exe
  C:\Windows\System\HTwwfGx.exe
  2⤵
  PID:5496
- C:\Windows\System\UXCeTMG.exe
  C:\Windows\System\UXCeTMG.exe
  2⤵
  PID:5564
- C:\Windows\System\etZYRCA.exe
  C:\Windows\System\etZYRCA.exe
  2⤵
  PID:5600
- C:\Windows\System\XAYcbaj.exe
  C:\Windows\System\XAYcbaj.exe
  2⤵
  PID:5616
- C:\Windows\System\vMwqUDO.exe
  C:\Windows\System\vMwqUDO.exe
  2⤵
  PID:5644
- C:\Windows\System\xYKwNcM.exe
  C:\Windows\System\xYKwNcM.exe
  2⤵
  PID:5664
- C:\Windows\System\lDgcNpq.exe
  C:\Windows\System\lDgcNpq.exe
  2⤵
  PID:5688
- C:\Windows\System\nvRfuLm.exe
  C:\Windows\System\nvRfuLm.exe
  2⤵
  PID:5712
- C:\Windows\System\zbuopUd.exe
  C:\Windows\System\zbuopUd.exe
  2⤵
  PID:5736
- C:\Windows\System\GBYirTq.exe
  C:\Windows\System\GBYirTq.exe
  2⤵
  PID:5768
- C:\Windows\System\ksvXSmr.exe
  C:\Windows\System\ksvXSmr.exe
  2⤵
  PID:5840
- C:\Windows\System\gGqNCcQ.exe
  C:\Windows\System\gGqNCcQ.exe
  2⤵
  PID:5860
- C:\Windows\System\iiQyTyH.exe
  C:\Windows\System\iiQyTyH.exe
  2⤵
  PID:5880
- C:\Windows\System\NrSmvzE.exe
  C:\Windows\System\NrSmvzE.exe
  2⤵
  PID:5900
- C:\Windows\System\CbaJOxy.exe
  C:\Windows\System\CbaJOxy.exe
  2⤵
  PID:5928
- C:\Windows\System\YqEDBse.exe
  C:\Windows\System\YqEDBse.exe
  2⤵
  PID:5952
- C:\Windows\System\bDnWnWF.exe
  C:\Windows\System\bDnWnWF.exe
  2⤵
  PID:5968
- C:\Windows\System\mGTbfcA.exe
  C:\Windows\System\mGTbfcA.exe
  2⤵
  PID:5996
- C:\Windows\System\UYmCEsb.exe
  C:\Windows\System\UYmCEsb.exe
  2⤵
  PID:6028
- C:\Windows\System\tBtwWjJ.exe
  C:\Windows\System\tBtwWjJ.exe
  2⤵
  PID:6048
- C:\Windows\System\DvAAGpc.exe
  C:\Windows\System\DvAAGpc.exe
  2⤵
  PID:6068
- C:\Windows\System\mYykZWZ.exe
  C:\Windows\System\mYykZWZ.exe
  2⤵
  PID:6084
- C:\Windows\System\LYawVxv.exe
  C:\Windows\System\LYawVxv.exe
  2⤵
  PID:6108
- C:\Windows\System\kusdbxB.exe
  C:\Windows\System\kusdbxB.exe
  2⤵
  PID:868
- C:\Windows\System\IKeFUBi.exe
  C:\Windows\System\IKeFUBi.exe
  2⤵
  PID:3088
- C:\Windows\System\LVjNNXC.exe
  C:\Windows\System\LVjNNXC.exe
  2⤵
  PID:2672
- C:\Windows\System\HOqQZfT.exe
  C:\Windows\System\HOqQZfT.exe
  2⤵
  PID:5124
- C:\Windows\System\XRxpxha.exe
  C:\Windows\System\XRxpxha.exe
  2⤵
  PID:3416
- C:\Windows\System\RFLNSFW.exe
  C:\Windows\System\RFLNSFW.exe
  2⤵
  PID:4104
- C:\Windows\System\mwWvIMn.exe
  C:\Windows\System\mwWvIMn.exe
  2⤵
  PID:2064
- C:\Windows\System\FVCTOuq.exe
  C:\Windows\System\FVCTOuq.exe
  2⤵
  PID:5316
- C:\Windows\System\PLBhKzw.exe
  C:\Windows\System\PLBhKzw.exe
  2⤵
  PID:5372
- C:\Windows\System\cUpjdxo.exe
  C:\Windows\System\cUpjdxo.exe
  2⤵
  PID:4316
- C:\Windows\System\zFjJtpf.exe
  C:\Windows\System\zFjJtpf.exe
  2⤵
  PID:5488
- C:\Windows\System\IXtqdFI.exe
  C:\Windows\System\IXtqdFI.exe
  2⤵
  PID:5592
- C:\Windows\System\mAkkAeY.exe
  C:\Windows\System\mAkkAeY.exe
  2⤵
  PID:5656
- C:\Windows\System\GJVBQHV.exe
  C:\Windows\System\GJVBQHV.exe
  2⤵
  PID:5724
- C:\Windows\System\ejYvCcH.exe
  C:\Windows\System\ejYvCcH.exe
  2⤵
  PID:5848
- C:\Windows\System\yVEKDbU.exe
  C:\Windows\System\yVEKDbU.exe
  2⤵
  PID:5892
- C:\Windows\System\yFJDYYo.exe
  C:\Windows\System\yFJDYYo.exe
  2⤵
  PID:5960
- C:\Windows\System\YxDNvzy.exe
  C:\Windows\System\YxDNvzy.exe
  2⤵
  PID:6044
- C:\Windows\System\bDazOVn.exe
  C:\Windows\System\bDazOVn.exe
  2⤵
  PID:6076
- C:\Windows\System\diUwHww.exe
  C:\Windows\System\diUwHww.exe
  2⤵
  PID:5160
- C:\Windows\System\fAohwyo.exe
  C:\Windows\System\fAohwyo.exe
  2⤵
  PID:3428
- C:\Windows\System\MWCNnTq.exe
  C:\Windows\System\MWCNnTq.exe
  2⤵
  PID:892
- C:\Windows\System\qwkEDwI.exe
  C:\Windows\System\qwkEDwI.exe
  2⤵
  PID:2272
- C:\Windows\System\RZhjFfB.exe
  C:\Windows\System\RZhjFfB.exe
  2⤵
  PID:2448
- C:\Windows\System\PfxoJtl.exe
  C:\Windows\System\PfxoJtl.exe
  2⤵
  PID:5816
- C:\Windows\System\sZLrcqt.exe
  C:\Windows\System\sZLrcqt.exe
  2⤵
  PID:5452
- C:\Windows\System\OKwfGnz.exe
  C:\Windows\System\OKwfGnz.exe
  2⤵
  PID:5536
- C:\Windows\System\ufgMtbA.exe
  C:\Windows\System\ufgMtbA.exe
  2⤵
  PID:5636
- C:\Windows\System\SRIVPZD.exe
  C:\Windows\System\SRIVPZD.exe
  2⤵
  PID:5804
- C:\Windows\System\zjvaDwH.exe
  C:\Windows\System\zjvaDwH.exe
  2⤵
  PID:6064
- C:\Windows\System\kBAyqgB.exe
  C:\Windows\System\kBAyqgB.exe
  2⤵
  PID:5248
- C:\Windows\System\OVHvEOZ.exe
  C:\Windows\System\OVHvEOZ.exe
  2⤵
  PID:3788
- C:\Windows\System\QJDpDec.exe
  C:\Windows\System\QJDpDec.exe
  2⤵
  PID:5700
- C:\Windows\System\DCdCLGa.exe
  C:\Windows\System\DCdCLGa.exe
  2⤵
  PID:5948
- C:\Windows\System\FijZMzj.exe
  C:\Windows\System\FijZMzj.exe
  2⤵
  PID:3708
- C:\Windows\System\HtzdVre.exe
  C:\Windows\System\HtzdVre.exe
  2⤵
  PID:5552
- C:\Windows\System\rOLZsow.exe
  C:\Windows\System\rOLZsow.exe
  2⤵
  PID:1468
- C:\Windows\System\nXgiuLa.exe
  C:\Windows\System\nXgiuLa.exe
  2⤵
  PID:6156
- C:\Windows\System\gCteZVO.exe
  C:\Windows\System\gCteZVO.exe
  2⤵
  PID:6172
- C:\Windows\System\dgGfiQg.exe
  C:\Windows\System\dgGfiQg.exe
  2⤵
  PID:6192
- C:\Windows\System\Wipzbxz.exe
  C:\Windows\System\Wipzbxz.exe
  2⤵
  PID:6212
- C:\Windows\System\hxWwPbC.exe
  C:\Windows\System\hxWwPbC.exe
  2⤵
  PID:6228
- C:\Windows\System\yZpsMix.exe
  C:\Windows\System\yZpsMix.exe
  2⤵
  PID:6252
- C:\Windows\System\PtcXrum.exe
  C:\Windows\System\PtcXrum.exe
  2⤵
  PID:6284
- C:\Windows\System\pJtgbCF.exe
  C:\Windows\System\pJtgbCF.exe
  2⤵
  PID:6304
- C:\Windows\System\gpPiCVp.exe
  C:\Windows\System\gpPiCVp.exe
  2⤵
  PID:6344
- C:\Windows\System\JkDyppv.exe
  C:\Windows\System\JkDyppv.exe
  2⤵
  PID:6360
- C:\Windows\System\ZRwcOqc.exe
  C:\Windows\System\ZRwcOqc.exe
  2⤵
  PID:6392
- C:\Windows\System\GoHlYLj.exe
  C:\Windows\System\GoHlYLj.exe
  2⤵
  PID:6408
- C:\Windows\System\dkJSGfT.exe
  C:\Windows\System\dkJSGfT.exe
  2⤵
  PID:6428
- C:\Windows\System\qkBFChu.exe
  C:\Windows\System\qkBFChu.exe
  2⤵
  PID:6448
- C:\Windows\System\XYVPiXt.exe
  C:\Windows\System\XYVPiXt.exe
  2⤵
  PID:6472
- C:\Windows\System\CzBYuef.exe
  C:\Windows\System\CzBYuef.exe
  2⤵
  PID:6492
- C:\Windows\System\TjyXKfs.exe
  C:\Windows\System\TjyXKfs.exe
  2⤵
  PID:6512
- C:\Windows\System\JHQTmrC.exe
  C:\Windows\System\JHQTmrC.exe
  2⤵
  PID:6572
- C:\Windows\System\xQNoxRl.exe
  C:\Windows\System\xQNoxRl.exe
  2⤵
  PID:6636
- C:\Windows\System\NrLayvv.exe
  C:\Windows\System\NrLayvv.exe
  2⤵
  PID:6652
- C:\Windows\System\LGpRMKD.exe
  C:\Windows\System\LGpRMKD.exe
  2⤵
  PID:6676
- C:\Windows\System\tEHqRFN.exe
  C:\Windows\System\tEHqRFN.exe
  2⤵
  PID:6696
- C:\Windows\System\wbpeeKQ.exe
  C:\Windows\System\wbpeeKQ.exe
  2⤵
  PID:6720
- C:\Windows\System\HbVrLxL.exe
  C:\Windows\System\HbVrLxL.exe
  2⤵
  PID:6740
- C:\Windows\System\vJZXvPh.exe
  C:\Windows\System\vJZXvPh.exe
  2⤵
  PID:6764
- C:\Windows\System\ZbpXwFC.exe
  C:\Windows\System\ZbpXwFC.exe
  2⤵
  PID:6780
- C:\Windows\System\pvmkjWy.exe
  C:\Windows\System\pvmkjWy.exe
  2⤵
  PID:6800
- C:\Windows\System\IaNQWvi.exe
  C:\Windows\System\IaNQWvi.exe
  2⤵
  PID:6856
- C:\Windows\System\shHYTkx.exe
  C:\Windows\System\shHYTkx.exe
  2⤵
  PID:6876
- C:\Windows\System\KEKkncY.exe
  C:\Windows\System\KEKkncY.exe
  2⤵
  PID:6900
- C:\Windows\System\VphBhnX.exe
  C:\Windows\System\VphBhnX.exe
  2⤵
  PID:6928
- C:\Windows\System\oSyeZpw.exe
  C:\Windows\System\oSyeZpw.exe
  2⤵
  PID:6948
- C:\Windows\System\WQkjcvq.exe
  C:\Windows\System\WQkjcvq.exe
  2⤵
  PID:6972
- C:\Windows\System\KoIOYie.exe
  C:\Windows\System\KoIOYie.exe
  2⤵
  PID:7016
- C:\Windows\System\rqQdtwV.exe
  C:\Windows\System\rqQdtwV.exe
  2⤵
  PID:7064
- C:\Windows\System\zSrYCuI.exe
  C:\Windows\System\zSrYCuI.exe
  2⤵
  PID:7084
- C:\Windows\System\iWpHZnZ.exe
  C:\Windows\System\iWpHZnZ.exe
  2⤵
  PID:7136
- C:\Windows\System\BwCkXJv.exe
  C:\Windows\System\BwCkXJv.exe
  2⤵
  PID:6148
- C:\Windows\System\DqFdqGU.exe
  C:\Windows\System\DqFdqGU.exe
  2⤵
  PID:6220
- C:\Windows\System\iEmwzhc.exe
  C:\Windows\System\iEmwzhc.exe
  2⤵
  PID:4072
- C:\Windows\System\KdiZOGC.exe
  C:\Windows\System\KdiZOGC.exe
  2⤵
  PID:6296
- C:\Windows\System\CofGezB.exe
  C:\Windows\System\CofGezB.exe
  2⤵
  PID:6300
- C:\Windows\System\vLCTVOt.exe
  C:\Windows\System\vLCTVOt.exe
  2⤵
  PID:6440
- C:\Windows\System\USJZCYk.exe
  C:\Windows\System\USJZCYk.exe
  2⤵
  PID:6424
- C:\Windows\System\AwfiGSR.exe
  C:\Windows\System\AwfiGSR.exe
  2⤵
  PID:6564
- C:\Windows\System\qBRaBTd.exe
  C:\Windows\System\qBRaBTd.exe
  2⤵
  PID:6624
- C:\Windows\System\VQNnxHe.exe
  C:\Windows\System\VQNnxHe.exe
  2⤵
  PID:6668
- C:\Windows\System\hpJBZCW.exe
  C:\Windows\System\hpJBZCW.exe
  2⤵
  PID:6728
- C:\Windows\System\aVkZvvo.exe
  C:\Windows\System\aVkZvvo.exe
  2⤵
  PID:6852
- C:\Windows\System\oKibuYr.exe
  C:\Windows\System\oKibuYr.exe
  2⤵
  PID:6940
- C:\Windows\System\xZVUHGK.exe
  C:\Windows\System\xZVUHGK.exe
  2⤵
  PID:7024
- C:\Windows\System\EJIRbaC.exe
  C:\Windows\System\EJIRbaC.exe
  2⤵
  PID:7000
- C:\Windows\System\rlzYHnH.exe
  C:\Windows\System\rlzYHnH.exe
  2⤵
  PID:7056
- C:\Windows\System\mKrJjaA.exe
  C:\Windows\System\mKrJjaA.exe
  2⤵
  PID:7128
- C:\Windows\System\ehYgDZk.exe
  C:\Windows\System\ehYgDZk.exe
  2⤵
  PID:6168
- C:\Windows\System\yZJjibK.exe
  C:\Windows\System\yZJjibK.exe
  2⤵
  PID:5424
- C:\Windows\System\VENVLSe.exe
  C:\Windows\System\VENVLSe.exe
  2⤵
  PID:6280
- C:\Windows\System\mVBvmoa.exe
  C:\Windows\System\mVBvmoa.exe
  2⤵
  PID:6420
- C:\Windows\System\IVFErtL.exe
  C:\Windows\System\IVFErtL.exe
  2⤵
  PID:5348
- C:\Windows\System\XYaQuoE.exe
  C:\Windows\System\XYaQuoE.exe
  2⤵
  PID:6508
- C:\Windows\System\xsWXFlT.exe
  C:\Windows\System\xsWXFlT.exe
  2⤵
  PID:6648
- C:\Windows\System\fxTzyJr.exe
  C:\Windows\System\fxTzyJr.exe
  2⤵
  PID:6884
- C:\Windows\System\ilOsPyD.exe
  C:\Windows\System\ilOsPyD.exe
  2⤵
  PID:5584
- C:\Windows\System\IXCjBmJ.exe
  C:\Windows\System\IXCjBmJ.exe
  2⤵
  PID:6920
- C:\Windows\System\NzcxqQS.exe
  C:\Windows\System\NzcxqQS.exe
  2⤵
  PID:6488
- C:\Windows\System\hwnspbG.exe
  C:\Windows\System\hwnspbG.exe
  2⤵
  PID:6628
- C:\Windows\System\JEVLImJ.exe
  C:\Windows\System\JEVLImJ.exe
  2⤵
  PID:6908
- C:\Windows\System\reqQlbj.exe
  C:\Windows\System\reqQlbj.exe
  2⤵
  PID:7076
- C:\Windows\System\rIkdRyj.exe
  C:\Windows\System\rIkdRyj.exe
  2⤵
  PID:7200
- C:\Windows\System\hqDqARh.exe
  C:\Windows\System\hqDqARh.exe
  2⤵
  PID:7216
- C:\Windows\System\YUWakcP.exe
  C:\Windows\System\YUWakcP.exe
  2⤵
  PID:7260
- C:\Windows\System\jwarUpG.exe
  C:\Windows\System\jwarUpG.exe
  2⤵
  PID:7284
- C:\Windows\System\GtFazxs.exe
  C:\Windows\System\GtFazxs.exe
  2⤵
  PID:7332
- C:\Windows\System\slkOOtI.exe
  C:\Windows\System\slkOOtI.exe
  2⤵
  PID:7352
- C:\Windows\System\GcRLFXg.exe
  C:\Windows\System\GcRLFXg.exe
  2⤵
  PID:7388
- C:\Windows\System\LQPMmgB.exe
  C:\Windows\System\LQPMmgB.exe
  2⤵
  PID:7412
- C:\Windows\System\fSxqQVk.exe
  C:\Windows\System\fSxqQVk.exe
  2⤵
  PID:7440
- C:\Windows\System\UeRdZEy.exe
  C:\Windows\System\UeRdZEy.exe
  2⤵
  PID:7468
- C:\Windows\System\jMUUhYz.exe
  C:\Windows\System\jMUUhYz.exe
  2⤵
  PID:7496
- C:\Windows\System\IFgRgMo.exe
  C:\Windows\System\IFgRgMo.exe
  2⤵
  PID:7512
- C:\Windows\System\CArlzyV.exe
  C:\Windows\System\CArlzyV.exe
  2⤵
  PID:7536
- C:\Windows\System\lsDtEGH.exe
  C:\Windows\System\lsDtEGH.exe
  2⤵
  PID:7556
- C:\Windows\System\bnlpeXb.exe
  C:\Windows\System\bnlpeXb.exe
  2⤵
  PID:7576
- C:\Windows\System\Evotlfh.exe
  C:\Windows\System\Evotlfh.exe
  2⤵
  PID:7648
- C:\Windows\System\FeHaLNw.exe
  C:\Windows\System\FeHaLNw.exe
  2⤵
  PID:7672
- C:\Windows\System\aNFibiC.exe
  C:\Windows\System\aNFibiC.exe
  2⤵
  PID:7688
- C:\Windows\System\bweWstu.exe
  C:\Windows\System\bweWstu.exe
  2⤵
  PID:7708
- C:\Windows\System\sOesJTw.exe
  C:\Windows\System\sOesJTw.exe
  2⤵
  PID:7732
- C:\Windows\System\cykjQSL.exe
  C:\Windows\System\cykjQSL.exe
  2⤵
  PID:7748
- C:\Windows\System\vkIdoKN.exe
  C:\Windows\System\vkIdoKN.exe
  2⤵
  PID:7800
- C:\Windows\System\KUPvDXL.exe
  C:\Windows\System\KUPvDXL.exe
  2⤵
  PID:7820
- C:\Windows\System\JxFMlpF.exe
  C:\Windows\System\JxFMlpF.exe
  2⤵
  PID:7844
- C:\Windows\System\AaYdvbA.exe
  C:\Windows\System\AaYdvbA.exe
  2⤵
  PID:7868
- C:\Windows\System\ijEKRby.exe
  C:\Windows\System\ijEKRby.exe
  2⤵
  PID:7888
- C:\Windows\System\NKcWYJR.exe
  C:\Windows\System\NKcWYJR.exe
  2⤵
  PID:7932
- C:\Windows\System\pvTgzEs.exe
  C:\Windows\System\pvTgzEs.exe
  2⤵
  PID:7952
- C:\Windows\System\sGTwyqX.exe
  C:\Windows\System\sGTwyqX.exe
  2⤵
  PID:7980
- C:\Windows\System\ZuePOgy.exe
  C:\Windows\System\ZuePOgy.exe
  2⤵
  PID:8004
- C:\Windows\System\JlLImOv.exe
  C:\Windows\System\JlLImOv.exe
  2⤵
  PID:8024
- C:\Windows\System\JnPrWKI.exe
  C:\Windows\System\JnPrWKI.exe
  2⤵
  PID:8080
- C:\Windows\System\kSOWgkt.exe
  C:\Windows\System\kSOWgkt.exe
  2⤵
  PID:8096
- C:\Windows\System\KPjAZzb.exe
  C:\Windows\System\KPjAZzb.exe
  2⤵
  PID:8116
- C:\Windows\System\HdsFfcI.exe
  C:\Windows\System\HdsFfcI.exe
  2⤵
  PID:8148
- C:\Windows\System\RpTVrMm.exe
  C:\Windows\System\RpTVrMm.exe
  2⤵
  PID:8184
- C:\Windows\System\QlsOLGQ.exe
  C:\Windows\System\QlsOLGQ.exe
  2⤵
  PID:7212
- C:\Windows\System\FySTAMZ.exe
  C:\Windows\System\FySTAMZ.exe
  2⤵
  PID:7252
- C:\Windows\System\rPZjckt.exe
  C:\Windows\System\rPZjckt.exe
  2⤵
  PID:7344
- C:\Windows\System\QGWIUmk.exe
  C:\Windows\System\QGWIUmk.exe
  2⤵
  PID:7404
- C:\Windows\System\YlgFvzr.exe
  C:\Windows\System\YlgFvzr.exe
  2⤵
  PID:7432
- C:\Windows\System\bHaOTHE.exe
  C:\Windows\System\bHaOTHE.exe
  2⤵
  PID:7448
- C:\Windows\System\WawGTvU.exe
  C:\Windows\System\WawGTvU.exe
  2⤵
  PID:7524
- C:\Windows\System\LcbDgIi.exe
  C:\Windows\System\LcbDgIi.exe
  2⤵
  PID:7592
- C:\Windows\System\JXkwrZR.exe
  C:\Windows\System\JXkwrZR.exe
  2⤵
  PID:7716
- C:\Windows\System\BdCxKau.exe
  C:\Windows\System\BdCxKau.exe
  2⤵
  PID:7756
- C:\Windows\System\RqhoeUp.exe
  C:\Windows\System\RqhoeUp.exe
  2⤵
  PID:7840
- C:\Windows\System\wDEGdto.exe
  C:\Windows\System\wDEGdto.exe
  2⤵
  PID:7788
- C:\Windows\System\GBwuvQg.exe
  C:\Windows\System\GBwuvQg.exe
  2⤵
  PID:7960
- C:\Windows\System\sQlTWih.exe
  C:\Windows\System\sQlTWih.exe
  2⤵
  PID:7948
- C:\Windows\System\vyrUsBM.exe
  C:\Windows\System\vyrUsBM.exe
  2⤵
  PID:8000
- C:\Windows\System\RmuvHsg.exe
  C:\Windows\System\RmuvHsg.exe
  2⤵
  PID:8108
- C:\Windows\System\ZFtUQyu.exe
  C:\Windows\System\ZFtUQyu.exe
  2⤵
  PID:8124
- C:\Windows\System\EHyNDQp.exe
  C:\Windows\System\EHyNDQp.exe
  2⤵
  PID:7224
- C:\Windows\System\pOYncPX.exe
  C:\Windows\System\pOYncPX.exe
  2⤵
  PID:7176
- C:\Windows\System\LHzkBDh.exe
  C:\Windows\System\LHzkBDh.exe
  2⤵
  PID:7520
- C:\Windows\System\HfUvpzf.exe
  C:\Windows\System\HfUvpzf.exe
  2⤵
  PID:7612
- C:\Windows\System\WTaecss.exe
  C:\Windows\System\WTaecss.exe
  2⤵
  PID:7564
- C:\Windows\System\SsUzsHw.exe
  C:\Windows\System\SsUzsHw.exe
  2⤵
  PID:8016
- C:\Windows\System\MtiDnvA.exe
  C:\Windows\System\MtiDnvA.exe
  2⤵
  PID:6796
- C:\Windows\System\YjbZKun.exe
  C:\Windows\System\YjbZKun.exe
  2⤵
  PID:7196
- C:\Windows\System\qghFpME.exe
  C:\Windows\System\qghFpME.exe
  2⤵
  PID:7836
- C:\Windows\System\NlYSoXQ.exe
  C:\Windows\System\NlYSoXQ.exe
  2⤵
  PID:7328
- C:\Windows\System\RRhNmyc.exe
  C:\Windows\System\RRhNmyc.exe
  2⤵
  PID:7464
- C:\Windows\System\cMjpYoK.exe
  C:\Windows\System\cMjpYoK.exe
  2⤵
  PID:7740
- C:\Windows\System\CHzoDKF.exe
  C:\Windows\System\CHzoDKF.exe
  2⤵
  PID:8200
- C:\Windows\System\MqfJYHW.exe
  C:\Windows\System\MqfJYHW.exe
  2⤵
  PID:8228
- C:\Windows\System\AklgHCu.exe
  C:\Windows\System\AklgHCu.exe
  2⤵
  PID:8280
- C:\Windows\System\rhpLpGJ.exe
  C:\Windows\System\rhpLpGJ.exe
  2⤵
  PID:8308
- C:\Windows\System\roSQRoo.exe
  C:\Windows\System\roSQRoo.exe
  2⤵
  PID:8328
- C:\Windows\System\GxiMRjc.exe
  C:\Windows\System\GxiMRjc.exe
  2⤵
  PID:8360
- C:\Windows\System\agKKIuM.exe
  C:\Windows\System\agKKIuM.exe
  2⤵
  PID:8408
- C:\Windows\System\JNegEWj.exe
  C:\Windows\System\JNegEWj.exe
  2⤵
  PID:8436
- C:\Windows\System\PDshHsD.exe
  C:\Windows\System\PDshHsD.exe
  2⤵
  PID:8456
- C:\Windows\System\tOPJBnZ.exe
  C:\Windows\System\tOPJBnZ.exe
  2⤵
  PID:8472
- C:\Windows\System\VgAAwkY.exe
  C:\Windows\System\VgAAwkY.exe
  2⤵
  PID:8492
- C:\Windows\System\SLzfRrH.exe
  C:\Windows\System\SLzfRrH.exe
  2⤵
  PID:8512
- C:\Windows\System\MqLGjoX.exe
  C:\Windows\System\MqLGjoX.exe
  2⤵
  PID:8552
- C:\Windows\System\tmWnUdY.exe
  C:\Windows\System\tmWnUdY.exe
  2⤵
  PID:8568
- C:\Windows\System\QCUQpYH.exe
  C:\Windows\System\QCUQpYH.exe
  2⤵
  PID:8592
- C:\Windows\System\kjOmQoQ.exe
  C:\Windows\System\kjOmQoQ.exe
  2⤵
  PID:8612
- C:\Windows\System\pZqqpVn.exe
  C:\Windows\System\pZqqpVn.exe
  2⤵
  PID:8660
- C:\Windows\System\GJiyNJp.exe
  C:\Windows\System\GJiyNJp.exe
  2⤵
  PID:8680
- C:\Windows\System\BSswUrk.exe
  C:\Windows\System\BSswUrk.exe
  2⤵
  PID:8696
- C:\Windows\System\iCJWQut.exe
  C:\Windows\System\iCJWQut.exe
  2⤵
  PID:8760
- C:\Windows\System\VyctnbI.exe
  C:\Windows\System\VyctnbI.exe
  2⤵
  PID:8796
- C:\Windows\System\XxZrpKH.exe
  C:\Windows\System\XxZrpKH.exe
  2⤵
  PID:8820
- C:\Windows\System\EfEbghg.exe
  C:\Windows\System\EfEbghg.exe
  2⤵
  PID:8836
- C:\Windows\System\ATSTtRk.exe
  C:\Windows\System\ATSTtRk.exe
  2⤵
  PID:8876
- C:\Windows\System\EdoRaeh.exe
  C:\Windows\System\EdoRaeh.exe
  2⤵
  PID:8904
- C:\Windows\System\meBvjwG.exe
  C:\Windows\System\meBvjwG.exe
  2⤵
  PID:8944
- C:\Windows\System\hFmBKCe.exe
  C:\Windows\System\hFmBKCe.exe
  2⤵
  PID:8980
- C:\Windows\System\gvySrXg.exe
  C:\Windows\System\gvySrXg.exe
  2⤵
  PID:9000
- C:\Windows\System\QsZSaZe.exe
  C:\Windows\System\QsZSaZe.exe
  2⤵
  PID:9028
- C:\Windows\System\TUzthCQ.exe
  C:\Windows\System\TUzthCQ.exe
  2⤵
  PID:9044
- C:\Windows\System\EoaaqIK.exe
  C:\Windows\System\EoaaqIK.exe
  2⤵
  PID:9096
- C:\Windows\System\hmjjEUT.exe
  C:\Windows\System\hmjjEUT.exe
  2⤵
  PID:9112
- C:\Windows\System\nRjEXqc.exe
  C:\Windows\System\nRjEXqc.exe
  2⤵
  PID:9144
- C:\Windows\System\WGKcXkw.exe
  C:\Windows\System\WGKcXkw.exe
  2⤵
  PID:9200
- C:\Windows\System\ELCpRZv.exe
  C:\Windows\System\ELCpRZv.exe
  2⤵
  PID:8056
- C:\Windows\System\bkmyYfT.exe
  C:\Windows\System\bkmyYfT.exe
  2⤵
  PID:8236
- C:\Windows\System\MxGGYhk.exe
  C:\Windows\System\MxGGYhk.exe
  2⤵
  PID:8288
- C:\Windows\System\nwdxhSY.exe
  C:\Windows\System\nwdxhSY.exe
  2⤵
  PID:8400
- C:\Windows\System\ZlmnmVd.exe
  C:\Windows\System\ZlmnmVd.exe
  2⤵
  PID:8520
- C:\Windows\System\jTdLWgf.exe
  C:\Windows\System\jTdLWgf.exe
  2⤵
  PID:7368
- C:\Windows\System\lbqSJkb.exe
  C:\Windows\System\lbqSJkb.exe
  2⤵
  PID:8704
- C:\Windows\System\NyStcUX.exe
  C:\Windows\System\NyStcUX.exe
  2⤵
  PID:8672
- C:\Windows\System\owJroDm.exe
  C:\Windows\System\owJroDm.exe
  2⤵
  PID:8752
- C:\Windows\System\CQPIKYw.exe
  C:\Windows\System\CQPIKYw.exe
  2⤵
  PID:8784
- C:\Windows\System\iGaVEvD.exe
  C:\Windows\System\iGaVEvD.exe
  2⤵
  PID:8832
- C:\Windows\System\NoaCzOo.exe
  C:\Windows\System\NoaCzOo.exe
  2⤵
  PID:8888
- C:\Windows\System\FgUrmlS.exe
  C:\Windows\System\FgUrmlS.exe
  2⤵
  PID:9008
- C:\Windows\System\QDuOcwK.exe
  C:\Windows\System\QDuOcwK.exe
  2⤵
  PID:9072
- C:\Windows\System\fOSJaPn.exe
  C:\Windows\System\fOSJaPn.exe
  2⤵
  PID:9140
- C:\Windows\System\xqccqBV.exe
  C:\Windows\System\xqccqBV.exe
  2⤵
  PID:9196
- C:\Windows\System\sxMKFgd.exe
  C:\Windows\System\sxMKFgd.exe
  2⤵
  PID:8216
- C:\Windows\System\fdckgiT.exe
  C:\Windows\System\fdckgiT.exe
  2⤵
  PID:8448
- C:\Windows\System\epYKCii.exe
  C:\Windows\System\epYKCii.exe
  2⤵
  PID:8352
- C:\Windows\System\qtsNTQn.exe
  C:\Windows\System\qtsNTQn.exe
  2⤵
  PID:8504
- C:\Windows\System\hhPzfPa.exe
  C:\Windows\System\hhPzfPa.exe
  2⤵
  PID:8648
- C:\Windows\System\EbalGBR.exe
  C:\Windows\System\EbalGBR.exe
  2⤵
  PID:8916
- C:\Windows\System\GckdRkB.exe
  C:\Windows\System\GckdRkB.exe
  2⤵
  PID:8692
- C:\Windows\System\IacKloq.exe
  C:\Windows\System\IacKloq.exe
  2⤵
  PID:7240
- C:\Windows\System\VQOYvfS.exe
  C:\Windows\System\VQOYvfS.exe
  2⤵
  PID:8340
- C:\Windows\System\cCcxppN.exe
  C:\Windows\System\cCcxppN.exe
  2⤵
  PID:8964
- C:\Windows\System\jdwToBR.exe
  C:\Windows\System\jdwToBR.exe
  2⤵
  PID:8628
- C:\Windows\System\MTQudvm.exe
  C:\Windows\System\MTQudvm.exe
  2⤵
  PID:9256
- C:\Windows\System\iMcjQem.exe
  C:\Windows\System\iMcjQem.exe
  2⤵
  PID:9292
- C:\Windows\System\ZBirZuI.exe
  C:\Windows\System\ZBirZuI.exe
  2⤵
  PID:9336
- C:\Windows\System\hCCyPDu.exe
  C:\Windows\System\hCCyPDu.exe
  2⤵
  PID:9356
- C:\Windows\System\RLCdMXM.exe
  C:\Windows\System\RLCdMXM.exe
  2⤵
  PID:9396
- C:\Windows\System\ZsgWAjZ.exe
  C:\Windows\System\ZsgWAjZ.exe
  2⤵
  PID:9424
- C:\Windows\System\Zgfzhrm.exe
  C:\Windows\System\Zgfzhrm.exe
  2⤵
  PID:9444
- C:\Windows\System\eAotZba.exe
  C:\Windows\System\eAotZba.exe
  2⤵
  PID:9460
- C:\Windows\System\GOwujld.exe
  C:\Windows\System\GOwujld.exe
  2⤵
  PID:9484
- C:\Windows\System\eSApmaD.exe
  C:\Windows\System\eSApmaD.exe
  2⤵
  PID:9500
- C:\Windows\System\ayfddSJ.exe
  C:\Windows\System\ayfddSJ.exe
  2⤵
  PID:9524
- C:\Windows\System\UjhRdGg.exe
  C:\Windows\System\UjhRdGg.exe
  2⤵
  PID:9592
- C:\Windows\System\hUMvYyN.exe
  C:\Windows\System\hUMvYyN.exe
  2⤵
  PID:9632
- C:\Windows\System\vohhhsr.exe
  C:\Windows\System\vohhhsr.exe
  2⤵
  PID:9656
- C:\Windows\System\UGNAegS.exe
  C:\Windows\System\UGNAegS.exe
  2⤵
  PID:9684
- C:\Windows\System\DFbNsxB.exe
  C:\Windows\System\DFbNsxB.exe
  2⤵
  PID:9708
- C:\Windows\System\qWfkEyk.exe
  C:\Windows\System\qWfkEyk.exe
  2⤵
  PID:9744
- C:\Windows\System\uozMgSG.exe
  C:\Windows\System\uozMgSG.exe
  2⤵
  PID:9764
- C:\Windows\System\eVuDvJK.exe
  C:\Windows\System\eVuDvJK.exe
  2⤵
  PID:9788
- C:\Windows\System\lgyyWpd.exe
  C:\Windows\System\lgyyWpd.exe
  2⤵
  PID:9808
- C:\Windows\System\gVZrqqY.exe
  C:\Windows\System\gVZrqqY.exe
  2⤵
  PID:9840
- C:\Windows\System\eDmpGLG.exe
  C:\Windows\System\eDmpGLG.exe
  2⤵
  PID:9860
- C:\Windows\System\LtGecPM.exe
  C:\Windows\System\LtGecPM.exe
  2⤵
  PID:9880
- C:\Windows\System\GNsGOEx.exe
  C:\Windows\System\GNsGOEx.exe
  2⤵
  PID:9920
- C:\Windows\System\wwvFcRC.exe
  C:\Windows\System\wwvFcRC.exe
  2⤵
  PID:9960
- C:\Windows\System\FJJfuVj.exe
  C:\Windows\System\FJJfuVj.exe
  2⤵
  PID:9980
- C:\Windows\System\Tapwxeo.exe
  C:\Windows\System\Tapwxeo.exe
  2⤵
  PID:10024
- C:\Windows\System\QGLsbDg.exe
  C:\Windows\System\QGLsbDg.exe
  2⤵
  PID:10056
- C:\Windows\System\xKVUisF.exe
  C:\Windows\System\xKVUisF.exe
  2⤵
  PID:10076
- C:\Windows\System\xdMkKgA.exe
  C:\Windows\System\xdMkKgA.exe
  2⤵
  PID:10104
- C:\Windows\System\RonQYMG.exe
  C:\Windows\System\RonQYMG.exe
  2⤵
  PID:10120
- C:\Windows\System\HfYwjoA.exe
  C:\Windows\System\HfYwjoA.exe
  2⤵
  PID:10144
- C:\Windows\System\UNIkFif.exe
  C:\Windows\System\UNIkFif.exe
  2⤵
  PID:10164
- C:\Windows\System\aUPuVOo.exe
  C:\Windows\System\aUPuVOo.exe
  2⤵
  PID:10200
- C:\Windows\System\ikBBCDU.exe
  C:\Windows\System\ikBBCDU.exe
  2⤵
  PID:10220
- C:\Windows\System\TyaAwyp.exe
  C:\Windows\System\TyaAwyp.exe
  2⤵
  PID:8884
- C:\Windows\System\erWgHge.exe
  C:\Windows\System\erWgHge.exe
  2⤵
  PID:9160
- C:\Windows\System\bvJTFKz.exe
  C:\Windows\System\bvJTFKz.exe
  2⤵
  PID:9224
- C:\Windows\System\QrerlKS.exe
  C:\Windows\System\QrerlKS.exe
  2⤵
  PID:9352
- C:\Windows\System\KxzYdNm.exe
  C:\Windows\System\KxzYdNm.exe
  2⤵
  PID:9404
- C:\Windows\System\mKxRgGR.exe
  C:\Windows\System\mKxRgGR.exe
  2⤵
  PID:9432
- C:\Windows\System\YXRlbFL.exe
  C:\Windows\System\YXRlbFL.exe
  2⤵
  PID:9552
- C:\Windows\System\fCWmqYv.exe
  C:\Windows\System\fCWmqYv.exe
  2⤵
  PID:9612
- C:\Windows\System\hPFhXiC.exe
  C:\Windows\System\hPFhXiC.exe
  2⤵
  PID:9644
- C:\Windows\System\JJCNMie.exe
  C:\Windows\System\JJCNMie.exe
  2⤵
  PID:9700
- C:\Windows\System\dcIGaIM.exe
  C:\Windows\System\dcIGaIM.exe
  2⤵
  PID:9772
- C:\Windows\System\hpYYhLT.exe
  C:\Windows\System\hpYYhLT.exe
  2⤵
  PID:9852
- C:\Windows\System\LEerIgX.exe
  C:\Windows\System\LEerIgX.exe
  2⤵
  PID:9888
- C:\Windows\System\oTIGaiM.exe
  C:\Windows\System\oTIGaiM.exe
  2⤵
  PID:9992
- C:\Windows\System\rcOVnJN.exe
  C:\Windows\System\rcOVnJN.exe
  2⤵
  PID:10072
- C:\Windows\System\SacgTrk.exe
  C:\Windows\System\SacgTrk.exe
  2⤵
  PID:10096
- C:\Windows\System\sTFHlWq.exe
  C:\Windows\System\sTFHlWq.exe
  2⤵
  PID:10156
- C:\Windows\System\aCchXnC.exe
  C:\Windows\System\aCchXnC.exe
  2⤵
  PID:9192
- C:\Windows\System\TdqWpMR.exe
  C:\Windows\System\TdqWpMR.exe
  2⤵
  PID:9348
- C:\Windows\System\iAafjkx.exe
  C:\Windows\System\iAafjkx.exe
  2⤵
  PID:9380
- C:\Windows\System\jFrJbUn.exe
  C:\Windows\System\jFrJbUn.exe
  2⤵
  PID:9652
- C:\Windows\System\CMcorMY.exe
  C:\Windows\System\CMcorMY.exe
  2⤵
  PID:9584
- C:\Windows\System\xGibtQI.exe
  C:\Windows\System\xGibtQI.exe
  2⤵
  PID:9872
- C:\Windows\System\dIltwFN.exe
  C:\Windows\System\dIltwFN.exe
  2⤵
  PID:9952
- C:\Windows\System\RNYfmBD.exe
  C:\Windows\System\RNYfmBD.exe
  2⤵
  PID:10188
- C:\Windows\System\ALPFSbN.exe
  C:\Windows\System\ALPFSbN.exe
  2⤵
  PID:10216
- C:\Windows\System\UoswoKz.exe
  C:\Windows\System\UoswoKz.exe
  2⤵
  PID:9436
- C:\Windows\System\SINEgVj.exe
  C:\Windows\System\SINEgVj.exe
  2⤵
  PID:9516
- C:\Windows\System\oDYwAkg.exe
  C:\Windows\System\oDYwAkg.exe
  2⤵
  PID:9956
- C:\Windows\System\zeNMkXW.exe
  C:\Windows\System\zeNMkXW.exe
  2⤵
  PID:10256
- C:\Windows\System\QWQowrQ.exe
  C:\Windows\System\QWQowrQ.exe
  2⤵
  PID:10308
- C:\Windows\System\WHTXDzc.exe
  C:\Windows\System\WHTXDzc.exe
  2⤵
  PID:10344
- C:\Windows\System\BJEYmaI.exe
  C:\Windows\System\BJEYmaI.exe
  2⤵
  PID:10372
- C:\Windows\System\UnDwEMk.exe
  C:\Windows\System\UnDwEMk.exe
  2⤵
  PID:10404
- C:\Windows\System\ymPYDry.exe
  C:\Windows\System\ymPYDry.exe
  2⤵
  PID:10444
- C:\Windows\System\MRpUuWH.exe
  C:\Windows\System\MRpUuWH.exe
  2⤵
  PID:10480
- C:\Windows\System\YxLHvIj.exe
  C:\Windows\System\YxLHvIj.exe
  2⤵
  PID:10496
- C:\Windows\System\JVHbXDC.exe
  C:\Windows\System\JVHbXDC.exe
  2⤵
  PID:10516
- C:\Windows\System\kYswjeD.exe
  C:\Windows\System\kYswjeD.exe
  2⤵
  PID:10556
- C:\Windows\System\vDRDURF.exe
  C:\Windows\System\vDRDURF.exe
  2⤵
  PID:10592
- C:\Windows\System\zGRAnoi.exe
  C:\Windows\System\zGRAnoi.exe
  2⤵
  PID:10612
- C:\Windows\System\GRYgKHM.exe
  C:\Windows\System\GRYgKHM.exe
  2⤵
  PID:10632
- C:\Windows\System\rViFUno.exe
  C:\Windows\System\rViFUno.exe
  2⤵
  PID:10656
- C:\Windows\System\ggiqDaG.exe
  C:\Windows\System\ggiqDaG.exe
  2⤵
  PID:10680
- C:\Windows\System\VRgOvZj.exe
  C:\Windows\System\VRgOvZj.exe
  2⤵
  PID:10696
- C:\Windows\System\HchLVqi.exe
  C:\Windows\System\HchLVqi.exe
  2⤵
  PID:10744
- C:\Windows\System\pionnSN.exe
  C:\Windows\System\pionnSN.exe
  2⤵
  PID:10760
- C:\Windows\System\ktuODJj.exe
  C:\Windows\System\ktuODJj.exe
  2⤵
  PID:10784
- C:\Windows\System\GypSDuk.exe
  C:\Windows\System\GypSDuk.exe
  2⤵
  PID:10808
- C:\Windows\System\jkOXfAz.exe
  C:\Windows\System\jkOXfAz.exe
  2⤵
  PID:10832
- C:\Windows\System\OJgdIqa.exe
  C:\Windows\System\OJgdIqa.exe
  2⤵
  PID:10848
- C:\Windows\System\xModnZM.exe
  C:\Windows\System\xModnZM.exe
  2⤵
  PID:10904
- C:\Windows\System\YJFGELY.exe
  C:\Windows\System\YJFGELY.exe
  2⤵
  PID:10928
- C:\Windows\System\gglqxjD.exe
  C:\Windows\System\gglqxjD.exe
  2⤵
  PID:10968
- C:\Windows\System\XVBbkjD.exe
  C:\Windows\System\XVBbkjD.exe
  2⤵
  PID:10984
- C:\Windows\System\yCsLzye.exe
  C:\Windows\System\yCsLzye.exe
  2⤵
  PID:11016
- C:\Windows\System\ZaELgFc.exe
  C:\Windows\System\ZaELgFc.exe
  2⤵
  PID:11032
- C:\Windows\System\SdDuhhU.exe
  C:\Windows\System\SdDuhhU.exe
  2⤵
  PID:11052
- C:\Windows\System\hSEdVYP.exe
  C:\Windows\System\hSEdVYP.exe
  2⤵
  PID:11084
- C:\Windows\System\YEiikbs.exe
  C:\Windows\System\YEiikbs.exe
  2⤵
  PID:11132
- C:\Windows\System\ZcIHOzV.exe
  C:\Windows\System\ZcIHOzV.exe
  2⤵
  PID:11180
- C:\Windows\System\ZbpenlZ.exe
  C:\Windows\System\ZbpenlZ.exe
  2⤵
  PID:11200
- C:\Windows\System\MoDWHyu.exe
  C:\Windows\System\MoDWHyu.exe
  2⤵
  PID:11240
- C:\Windows\System\SijuxBP.exe
  C:\Windows\System\SijuxBP.exe
  2⤵
  PID:8624
- C:\Windows\System\QqTVxbT.exe
  C:\Windows\System\QqTVxbT.exe
  2⤵
  PID:10016
- C:\Windows\System\XvZTnGc.exe
  C:\Windows\System\XvZTnGc.exe
  2⤵
  PID:10244
- C:\Windows\System\tvpHyRm.exe
  C:\Windows\System\tvpHyRm.exe
  2⤵
  PID:10320
- C:\Windows\System\iksQRZC.exe
  C:\Windows\System\iksQRZC.exe
  2⤵
  PID:10432
- C:\Windows\System\sGUvQQW.exe
  C:\Windows\System\sGUvQQW.exe
  2⤵
  PID:10464
- C:\Windows\System\RuSnQKN.exe
  C:\Windows\System\RuSnQKN.exe
  2⤵
  PID:10512
- C:\Windows\System\phfgoqB.exe
  C:\Windows\System\phfgoqB.exe
  2⤵
  PID:10584
- C:\Windows\System\FiJAILI.exe
  C:\Windows\System\FiJAILI.exe
  2⤵
  PID:10628
- C:\Windows\System\DSyJlFu.exe
  C:\Windows\System\DSyJlFu.exe
  2⤵
  PID:10672
- C:\Windows\System\jURkhSf.exe
  C:\Windows\System\jURkhSf.exe
  2⤵
  PID:10724
- C:\Windows\System\NiQrCkI.exe
  C:\Windows\System\NiQrCkI.exe
  2⤵
  PID:10792
- C:\Windows\System\BgVMPIa.exe
  C:\Windows\System\BgVMPIa.exe
  2⤵
  PID:10876
- C:\Windows\System\XOrDhEp.exe
  C:\Windows\System\XOrDhEp.exe
  2⤵
  PID:9628
- C:\Windows\System\LrCsKSc.exe
  C:\Windows\System\LrCsKSc.exe
  2⤵
  PID:11060
- C:\Windows\System\DbODHnB.exe
  C:\Windows\System\DbODHnB.exe
  2⤵
  PID:11076
- C:\Windows\System\PiSZItE.exe
  C:\Windows\System\PiSZItE.exe
  2⤵
  PID:11152
- C:\Windows\System\nDeRIBh.exe
  C:\Windows\System\nDeRIBh.exe
  2⤵
  PID:11216
- C:\Windows\System\IgTWHCw.exe
  C:\Windows\System\IgTWHCw.exe
  2⤵
  PID:9508
- C:\Windows\System\BxJFjiv.exe
  C:\Windows\System\BxJFjiv.exe
  2⤵
  PID:10280
- C:\Windows\System\jievvzy.exe
  C:\Windows\System\jievvzy.exe
  2⤵
  PID:10396
- C:\Windows\System\MVTeVJS.exe
  C:\Windows\System\MVTeVJS.exe
  2⤵
  PID:10488
- C:\Windows\System\aJtWogl.exe
  C:\Windows\System\aJtWogl.exe
  2⤵
  PID:10548
- C:\Windows\System\mevLnay.exe
  C:\Windows\System\mevLnay.exe
  2⤵
  PID:10708
- C:\Windows\System\aGlDkRZ.exe
  C:\Windows\System\aGlDkRZ.exe
  2⤵
  PID:10912
- C:\Windows\System\NsHbqQN.exe
  C:\Windows\System\NsHbqQN.exe
  2⤵
  PID:10948
- C:\Windows\System\aTddmnl.exe
  C:\Windows\System\aTddmnl.exe
  2⤵
  PID:11188
- C:\Windows\System\QlRHzcW.exe
  C:\Windows\System\QlRHzcW.exe
  2⤵
  PID:11012
- C:\Windows\System\aGLIaqK.exe
  C:\Windows\System\aGLIaqK.exe
  2⤵
  PID:10300
- C:\Windows\System\IigeGbG.exe
  C:\Windows\System\IigeGbG.exe
  2⤵
  PID:11252
- C:\Windows\System\irexxVN.exe
  C:\Windows\System\irexxVN.exe
  2⤵
  PID:11280
- C:\Windows\System\nmjOxBa.exe
  C:\Windows\System\nmjOxBa.exe
  2⤵
  PID:11320
- C:\Windows\System\zOHVwzT.exe
  C:\Windows\System\zOHVwzT.exe
  2⤵
  PID:11340
- C:\Windows\System\Tmteoye.exe
  C:\Windows\System\Tmteoye.exe
  2⤵
  PID:11360
- C:\Windows\System\AWUsgCo.exe
  C:\Windows\System\AWUsgCo.exe
  2⤵
  PID:11384
- C:\Windows\System\mWTzrva.exe
  C:\Windows\System\mWTzrva.exe
  2⤵
  PID:11400
- C:\Windows\System\iKQRiLJ.exe
  C:\Windows\System\iKQRiLJ.exe
  2⤵
  PID:11440
- C:\Windows\System\qyPArRu.exe
  C:\Windows\System\qyPArRu.exe
  2⤵
  PID:11456
- C:\Windows\System\gtiLIdF.exe
  C:\Windows\System\gtiLIdF.exe
  2⤵
  PID:11480
- C:\Windows\System\DJjPXQg.exe
  C:\Windows\System\DJjPXQg.exe
  2⤵
  PID:11516
- C:\Windows\System\EyYQhYg.exe
  C:\Windows\System\EyYQhYg.exe
  2⤵
  PID:11532
- C:\Windows\System\otkZMEY.exe
  C:\Windows\System\otkZMEY.exe
  2⤵
  PID:11560
- C:\Windows\System\hhihgNt.exe
  C:\Windows\System\hhihgNt.exe
  2⤵
  PID:11580
- C:\Windows\System\wYYDhMU.exe
  C:\Windows\System\wYYDhMU.exe
  2⤵
  PID:11616
- C:\Windows\System\lBZwnyh.exe
  C:\Windows\System\lBZwnyh.exe
  2⤵
  PID:11636
- C:\Windows\System\HTpNrYO.exe
  C:\Windows\System\HTpNrYO.exe
  2⤵
  PID:11660
- C:\Windows\System\srXowKj.exe
  C:\Windows\System\srXowKj.exe
  2⤵
  PID:11676
- C:\Windows\System\eSYzpiB.exe
  C:\Windows\System\eSYzpiB.exe
  2⤵
  PID:11696
- C:\Windows\System\dtnQoFb.exe
  C:\Windows\System\dtnQoFb.exe
  2⤵
  PID:11724
- C:\Windows\System\uYqXjwz.exe
  C:\Windows\System\uYqXjwz.exe
  2⤵
  PID:11760
- C:\Windows\System\kWCMXnA.exe
  C:\Windows\System\kWCMXnA.exe
  2⤵
  PID:11812
- C:\Windows\System\jdkatYW.exe
  C:\Windows\System\jdkatYW.exe
  2⤵
  PID:11828
- C:\Windows\System\cWOxKVU.exe
  C:\Windows\System\cWOxKVU.exe
  2⤵
  PID:11856
- C:\Windows\System\EmnxXJz.exe
  C:\Windows\System\EmnxXJz.exe
  2⤵
  PID:11880
- C:\Windows\System\QFUYcYT.exe
  C:\Windows\System\QFUYcYT.exe
  2⤵
  PID:11900
- C:\Windows\System\XdMTWGI.exe
  C:\Windows\System\XdMTWGI.exe
  2⤵
  PID:11920
- C:\Windows\System\FKfEuyu.exe
  C:\Windows\System\FKfEuyu.exe
  2⤵
  PID:11976
- C:\Windows\System\gJYyAfV.exe
  C:\Windows\System\gJYyAfV.exe
  2⤵
  PID:12000
- C:\Windows\System\sbILrvn.exe
  C:\Windows\System\sbILrvn.exe
  2⤵
  PID:12052
- C:\Windows\System\EfMUhwy.exe
  C:\Windows\System\EfMUhwy.exe
  2⤵
  PID:12136
- C:\Windows\System\dmYQFfE.exe
  C:\Windows\System\dmYQFfE.exe
  2⤵
  PID:12152
- C:\Windows\System\bJkNapE.exe
  C:\Windows\System\bJkNapE.exe
  2⤵
  PID:12172
- C:\Windows\System\aSyyiTp.exe
  C:\Windows\System\aSyyiTp.exe
  2⤵
  PID:12188
- C:\Windows\System\lmeJZXJ.exe
  C:\Windows\System\lmeJZXJ.exe
  2⤵
  PID:12220
- C:\Windows\System\rWnOmje.exe
  C:\Windows\System\rWnOmje.exe
  2⤵
  PID:12240
- C:\Windows\System\nNGNFKp.exe
  C:\Windows\System\nNGNFKp.exe
  2⤵
  PID:12260
- C:\Windows\System\WeLHKsK.exe
  C:\Windows\System\WeLHKsK.exe
  2⤵
  PID:11268
- C:\Windows\System\bZFeZkb.exe
  C:\Windows\System\bZFeZkb.exe
  2⤵
  PID:11352
- C:\Windows\System\ighQpia.exe
  C:\Windows\System\ighQpia.exe
  2⤵
  PID:11392
- C:\Windows\System\GRWRIqt.exe
  C:\Windows\System\GRWRIqt.exe
  2⤵
  PID:11468
- C:\Windows\System\IGnHiMf.exe
  C:\Windows\System\IGnHiMf.exe
  2⤵
  PID:11436
- C:\Windows\System\DxbXAkI.exe
  C:\Windows\System\DxbXAkI.exe
  2⤵
  PID:11504
- C:\Windows\System\gDcPLRc.exe
  C:\Windows\System\gDcPLRc.exe
  2⤵
  PID:11572
- C:\Windows\System\uTyaiNn.exe
  C:\Windows\System\uTyaiNn.exe
  2⤵
  PID:11624
- C:\Windows\System\fNvMtOI.exe
  C:\Windows\System\fNvMtOI.exe
  2⤵
  PID:11672
- C:\Windows\System\eukljsD.exe
  C:\Windows\System\eukljsD.exe
  2⤵
  PID:11732
- C:\Windows\System\zzjgCaz.exe
  C:\Windows\System\zzjgCaz.exe
  2⤵
  PID:11840
- C:\Windows\System\nehxUzu.exe
  C:\Windows\System\nehxUzu.exe
  2⤵
  PID:11836
- C:\Windows\System\polEURq.exe
  C:\Windows\System\polEURq.exe
  2⤵
  PID:11956
- C:\Windows\System\xxxcUWl.exe
  C:\Windows\System\xxxcUWl.exe
  2⤵
  PID:12048
- C:\Windows\System\cnicryf.exe
  C:\Windows\System\cnicryf.exe
  2⤵
  PID:12116
- C:\Windows\System\bWnnumk.exe
  C:\Windows\System\bWnnumk.exe
  2⤵
  PID:3560
- C:\Windows\System\LCoKPKn.exe
  C:\Windows\System\LCoKPKn.exe
  2⤵
  PID:12088
- C:\Windows\System\PPkqesU.exe
  C:\Windows\System\PPkqesU.exe
  2⤵
  PID:12180
- C:\Windows\System\ZDhXVPB.exe
  C:\Windows\System\ZDhXVPB.exe
  2⤵
  PID:12248
- C:\Windows\System\dLTZtJn.exe
  C:\Windows\System\dLTZtJn.exe
  2⤵
  PID:11428
- C:\Windows\System\CazuYaM.exe
  C:\Windows\System\CazuYaM.exe
  2⤵
  PID:11752
- C:\Windows\System\BRnLUmB.exe
  C:\Windows\System\BRnLUmB.exe
  2⤵
  PID:11928
- C:\Windows\System\mORPCMH.exe
  C:\Windows\System\mORPCMH.exe
  2⤵
  PID:12028
- C:\Windows\System\afoeaXk.exe
  C:\Windows\System\afoeaXk.exe
  2⤵
  PID:12200
- C:\Windows\System\VXtoSzl.exe
  C:\Windows\System\VXtoSzl.exe
  2⤵
  PID:12184
- C:\Windows\System\rsAvglE.exe
  C:\Windows\System\rsAvglE.exe
  2⤵
  PID:12280
- C:\Windows\System\XqBhMNV.exe
  C:\Windows\System\XqBhMNV.exe
  2⤵
  PID:11452
- C:\Windows\System\UGZLxEr.exe
  C:\Windows\System\UGZLxEr.exe
  2⤵
  PID:11896
- C:\Windows\System\wwAIrXn.exe
  C:\Windows\System\wwAIrXn.exe
  2⤵
  PID:4296
- C:\Windows\System\JCVoJQm.exe
  C:\Windows\System\JCVoJQm.exe
  2⤵
  PID:12296
- C:\Windows\System\TuBRtWk.exe
  C:\Windows\System\TuBRtWk.exe
  2⤵
  PID:12320
- C:\Windows\System\rPgljDB.exe
  C:\Windows\System\rPgljDB.exe
  2⤵
  PID:12348
- C:\Windows\System\qtycndV.exe
  C:\Windows\System\qtycndV.exe
  2⤵
  PID:12388
- C:\Windows\System\dmssQBQ.exe
  C:\Windows\System\dmssQBQ.exe
  2⤵
  PID:12412
- C:\Windows\System\gWDSCgE.exe
  C:\Windows\System\gWDSCgE.exe
  2⤵
  PID:12432
- C:\Windows\System\zWnHMtJ.exe
  C:\Windows\System\zWnHMtJ.exe
  2⤵
  PID:12456
- C:\Windows\System\ieRIzlf.exe
  C:\Windows\System\ieRIzlf.exe
  2⤵
  PID:12472
- C:\Windows\System\BVkiLbt.exe
  C:\Windows\System\BVkiLbt.exe
  2⤵
  PID:12500
- C:\Windows\System\EpjvLJe.exe
  C:\Windows\System\EpjvLJe.exe
  2⤵
  PID:12520
- C:\Windows\System\eidBdVg.exe
  C:\Windows\System\eidBdVg.exe
  2⤵
  PID:12548
- C:\Windows\System\RsfLaEG.exe
  C:\Windows\System\RsfLaEG.exe
  2⤵
  PID:12576
- C:\Windows\System\PnrKnha.exe
  C:\Windows\System\PnrKnha.exe
  2⤵
  PID:12648
- C:\Windows\System\whrfvGa.exe
  C:\Windows\System\whrfvGa.exe
  2⤵
  PID:12680
- C:\Windows\System\ZNLXwTQ.exe
  C:\Windows\System\ZNLXwTQ.exe
  2⤵
  PID:12736
- C:\Windows\System\EuywFke.exe
  C:\Windows\System\EuywFke.exe
  2⤵
  PID:12756
- C:\Windows\System\JyLvTcB.exe
  C:\Windows\System\JyLvTcB.exe
  2⤵
  PID:12776
- C:\Windows\System\mDZgbYl.exe
  C:\Windows\System\mDZgbYl.exe
  2⤵
  PID:12796
- C:\Windows\System\bAxbffj.exe
  C:\Windows\System\bAxbffj.exe
  2⤵
  PID:12828
- C:\Windows\System\SIJFHUF.exe
  C:\Windows\System\SIJFHUF.exe
  2⤵
  PID:12852
- C:\Windows\System\WFnOjRY.exe
  C:\Windows\System\WFnOjRY.exe
  2⤵
  PID:12876
- C:\Windows\System\WmqtNZd.exe
  C:\Windows\System\WmqtNZd.exe
  2⤵
  PID:12924
- C:\Windows\System\NByNfzc.exe
  C:\Windows\System\NByNfzc.exe
  2⤵
  PID:12948
- C:\Windows\System\rAgFwgp.exe
  C:\Windows\System\rAgFwgp.exe
  2⤵
  PID:12972
- C:\Windows\System\hcRvzGR.exe
  C:\Windows\System\hcRvzGR.exe
  2⤵
  PID:12992
- C:\Windows\System\bswUGom.exe
  C:\Windows\System\bswUGom.exe
  2⤵
  PID:13016
- C:\Windows\System\EvnBgci.exe
  C:\Windows\System\EvnBgci.exe
  2⤵
  PID:13036
- C:\Windows\System\wbYRYPw.exe
  C:\Windows\System\wbYRYPw.exe
  2⤵
  PID:13064
- C:\Windows\System\rOhaKTz.exe
  C:\Windows\System\rOhaKTz.exe
  2⤵
  PID:13124
- C:\Windows\System\jclOFYn.exe
  C:\Windows\System\jclOFYn.exe
  2⤵
  PID:13144
- C:\Windows\System\ZAeRBvK.exe
  C:\Windows\System\ZAeRBvK.exe
  2⤵
  PID:13172
- C:\Windows\System\KeYTHAE.exe
  C:\Windows\System\KeYTHAE.exe
  2⤵
  PID:13196
- C:\Windows\System\jHzZzpN.exe
  C:\Windows\System\jHzZzpN.exe
  2⤵
  PID:13216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bg3i1l33.q1l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\FahlRJN.exe

Filesize
1.5MB

MD5
52a24737e3734fb6b7e8da8651e498d6

SHA1
0954bb86120558e82ce27d58aafc7395eab11c57

SHA256
94f7b2cf2668c526b769284f73d049928c8c887c7f90b79b00de52e74a16879a

SHA512
f617b141ee4238539a0b064a55a9a8160277e0ec09b52031321a8488aeb88f2c552921ec127c9cbb5631e71379d5c657632a9137bd433f683e2d29d35d627016

Download Submit
C:\Windows\System\GEPfiHE.exe

Filesize
1.5MB

MD5
d101dd173bcced2766dfe6cc631766b0

SHA1
0ca87d084c171324e7159a25993de556d79d8d34

SHA256
5de72bb59ee4b37864f3ed50708393a9c9d63dbdf043a05c6e604e776db36757

SHA512
9742a9bdb1a63e2f2fb5688ea2982f2a4a1ec0437594b22546892f73960bf887a361bcfa58f06feba7f75a5d6f5122e554030566610489bf5537d5ff887f8e4b

Download Submit
C:\Windows\System\GPBDxLz.exe

Filesize
1.5MB

MD5
e17cbeced23da61699f1534c532d7c87

SHA1
5de20d7044841b289601b3db4f69e68eac68435a

SHA256
44b788eac8d10644c9fbd496b15a7dab191c98c89802a9dae40bff1184987c5c

SHA512
b4925181101fdbb74a7b5b6d1ca70cbafe5b61b8b12126c018a5ef2907b6dde727c2c2dd3febb6fa5daa0490e85b6eddfa2a3419f3f3c155cbe4f181ffd96c43

Download Submit
C:\Windows\System\IslVWXf.exe

Filesize
1.5MB

MD5
d9ae11532e70bb29d172580695f1c5fc

SHA1
9a0931dca97432f69fa6e91ba2cead7369f8d03a

SHA256
f1b9fc8531225d5e45327983f8bd7836fa825def7e34e7c02cd846bfea792282

SHA512
221538883260b78f9ae790acdc3276420f81b44a3c572941e91fc79de1d46621c376bd0ef1a1094e211065a61f1e685d9a994f6a6ff7fd788157a698fee2dd25

Download Submit
C:\Windows\System\IwFVHPA.exe

Filesize
1.5MB

MD5
9c273b2b9e27e41fe29d55afd37bbbd3

SHA1
059562f9d3736ec4f2452715144a94eb31debd51

SHA256
26fb16bd8535637c851bb333638a4efd6df1421ffe0a0cda103556014cb50af6

SHA512
9b211bc82a56de505f0c8f4713cf26e45b7e146b7d126fc302505001887c34dd35968774be57ff1c1ca1c280c2527fb3cc6d919e137fdd1412274b2512b47c94

Download Submit
C:\Windows\System\KVMnCaB.exe

Filesize
1.5MB

MD5
e9e3cef6a42480c11bda7a719e11db1b

SHA1
799310f715fd956d5f86ea802bef3e036adb2df6

SHA256
3370fee8405b00786823c1ac1d3219a2aded0d223a0f3c2bd66ffd4a9f307fe2

SHA512
cf402b40e1ba588ef841de8ed54231105e71ced64421bde303882522c221d0b83948e8153c8166c23e463d8f5872f480b095ccf5e3733d662902d603dd04caaa

Download Submit
C:\Windows\System\LFZQBAg.exe

Filesize
1.5MB

MD5
c6eab9cd5bc26106ab558738080638af

SHA1
2283efeddfd7f53e8a37594ad136297eca2dce71

SHA256
0f4e01b856af6b78073149b397931b3e2dda56195c2da5125cbd04ab8f2d4298

SHA512
9e113104b347b3589c13ab31e385f9e319b76126e12860518b25f8ba2ee8f37c875822d285b011976045d18764dcc77561c436e204655d496e2b07c02b22b4a5

Download Submit
C:\Windows\System\LpmAQbp.exe

Filesize
1.5MB

MD5
9659753e296ed4a44eefa47c26f8dfd0

SHA1
cc950b7ab0d529c6d6a3bcd1d6f5e6f833bc4c76

SHA256
e6f677cc75f56845b793120672a4e147e51a72735cb9f6fcf59187c65cfb70e4

SHA512
ebc918a602a4e4a5d8eb1c85af0bdb702c3d0b327a45feb556134d600ee2e285db501f9b990ec93826f9ab11706dbbf45a7673613c3db47746aac881ae26de80

Download Submit
C:\Windows\System\MXjTEdC.exe

Filesize
1.5MB

MD5
ef803a58ee5e294d670f62b2be40661e

SHA1
f8ecfcccf5ba9e4d38a67e4cbde4feaf59421657

SHA256
cb571cd4f89a63ae1e5fdd83011373ed445f9dcfcfcb55c691a33968b1925699

SHA512
0b3fe86fea809c722c54c60fa06881b8745cfbf18a81a86a8ab30d19318a775c3cf278a7fbfa0d035887d2fb329c42b7f04ae117dbe9617365e7215f789b3b4d

Download Submit
C:\Windows\System\PdfggDK.exe

Filesize
1.5MB

MD5
c977ce60193e8a7784ec17e7db1dde9c

SHA1
57c0704b0c706a88eb8422ba137bc264b06b6bd4

SHA256
a608c5f0101c583c480ffdea6fbd9c955f4045e6f7bb4fe3566c935536abd5a4

SHA512
b1487e53f7ad8a78fb6d5ed32183bd219592acfde6e0edbb19f4ea87a5721905aea0a4322c3c47bdb5d2d89b439825574e07c58901f714608f3d47faee3517a1

Download Submit
C:\Windows\System\ROUruTQ.exe

Filesize
1.5MB

MD5
fac6a084deb0d83c5b2e0ca31d628359

SHA1
6226f11a7974ed28f3400644645e91921b88b40b

SHA256
d1e73eb6ad2a9224dcab5e65ba2b591e28d465c7ada9e2c404a8aba675a56517

SHA512
4cb7e6ca97359119af71eebe4f60a9bc047151b280f41d36d8f06572cf391f80c2ba823a4d672bf4cc579c479579488111d0cc5b50b57ed193bb8ac47634b76a

Download Submit
C:\Windows\System\SAlUPPe.exe

Filesize
1.5MB

MD5
55fb80bac3e14cf1e1dee3e87c8cd272

SHA1
ec155d290f1e1dce100d8067189b85dba335a316

SHA256
e0a31fed245140955949c64bbda5d8bc71c244d5105df01a62ff9bc6157b7201

SHA512
7378a575d2d5f5f7eac19927fc26f1210b02f353cf7eb3f284a7b961fed525a2d21022c40648a415cf379ef7f1ca139aac638842b9e4ca23af77e6b855df756e

Download Submit
C:\Windows\System\XKEWlvr.exe

Filesize
8B

MD5
69a2459cf267ca53a07e1000877ec5f5

SHA1
6180fdab39e41b082a5f032106ea0881035fc630

SHA256
ada8e0c66fd35906bd1beeda81d420b6e5f6b475841d10e62bd6374afbeacb69

SHA512
856cc19353d1aa3d8ce28f9d4a1fe10bf85ecb48b19883b3993f89b4192a7bd4dbaf2f158bd3e246dfcbb6a46252185b62c3e867aadc7a9e5bf0721b6b86c55b

Download Submit
C:\Windows\System\alTbmey.exe

Filesize
1.5MB

MD5
95160501cf81c5b2bf3284ce3b63a56b

SHA1
145e74d6481576bc360f8b467a0aa6620fb0bc69

SHA256
e3f26d9f08171379fceceb63718e33aa2dc4c109706af17d00ada3e75ce0bbb6

SHA512
8a9988f620372eeda445248246585ccb55c13806cf106f84dd0243218f2cadf07e34585bc73879ea9cd03c7fbcafc4ef00f4884a0fd658f058f5b7075fd00171

Download Submit
C:\Windows\System\cjlyQNc.exe

Filesize
1.5MB

MD5
440b11b7d58b06e39f43290885b94fbb

SHA1
5fe46f5a79c3b90623dfefa443ff34fe0ae49aae

SHA256
a5d562cfdabac3357d5897e7a44cd3aebc86a446793c4505e0523dc92335de9f

SHA512
2a9a90b7e9893e4b92558b442eda76aace94ef89da5388d155abff409492cef87dce960a4c53ed87c8c4e10ebe2cd8ac8dc4cda206154d45ea6d32c4fffe06de

Download Submit
C:\Windows\System\dKVeZsa.exe

Filesize
1.5MB

MD5
5eca2d9bc044370561256e0717d0c72d

SHA1
ce3e8f959c4ed4444aa98a5311e07273eb43193e

SHA256
ffc4a70883276a93210d58f1bba323482687b7334c1f3c78ede600395a57c403

SHA512
f0b28afc3eec4b23718e42253489effe43aa361110dafcf64362d39146445bf0d79b679f14673a74630213d3d68e1d6ecbf1bce4bae07e7a1bc750a373a22543

Download Submit
C:\Windows\System\kDURKJQ.exe

Filesize
1.5MB

MD5
2ebabff81368abcdcefea99d9bb94618

SHA1
3f2b9d119ad0d386b74e7139a92e35c81d78cf6e

SHA256
f8a3bda526f4520d85a002f6aa96c2e60f71af67f528b3553eaaf59e6cf86533

SHA512
28fd91f7fbb8239d82e744abd0e730f5ffc97d260aeeb8d88a90a96bf0f528c2ee46d875501dfbd03e1bc0a2638218a460346da470b38d4451494669170e2ca6

Download Submit
C:\Windows\System\kfplIyB.exe

Filesize
1.5MB

MD5
a95708a56d9e52109467b458dfc1a251

SHA1
fa2f720c91e177a8e7083a35b6bcdd6f7470edc8

SHA256
974d5ed3f83f524b65007279fd7048f14ce27d1575e85a62225464fb59264ac8

SHA512
e32135721dab00c09963011b5c48d14054e03210db1b75379cbf97e69f2064e6b770c88c653274e934457259fc29494fae5004d0ae64668975f5bd899baddc5c

Download Submit
C:\Windows\System\ljDxECL.exe

Filesize
1.5MB

MD5
69e3a6f375d1be7bf4237cb25aa1efea

SHA1
2b1a8c591c21e743567b8669a688ac65fa6206bf

SHA256
a6684bfa0acdf1fa92883d503270c70938c7d8a212c86b051942902b8a9fd67f

SHA512
a43773b0935ec6f71c25466f4ca114b75c71dabddbd8bdb5c56cd02e957f026b1cc0442aa92720a7388ca94bdd23a0503afdb5abedbaf4c0979ad1b41ce956e8

Download Submit
C:\Windows\System\noGlyZv.exe

Filesize
1.5MB

MD5
d07f0a0256809606333b6b2fab5b7402

SHA1
b4e26befb1677d24f4f19b6764d791f75cfb2820

SHA256
4ffae62877f609da98515230b091b0c91e8ee45ffe657109239d4e02773c245a

SHA512
5d8af4a76b5418be7c1d38508ed0c2d0c6ca730a7d1cc5f8f16b9f7c8fa6f33d8a004699615e39235d9b7160f5c8850d9e1bb57e82ae0a617a54ca53afe10f48

Download Submit
C:\Windows\System\pyuyihe.exe

Filesize
1.5MB

MD5
29cae176223ec8c474a656a09a8a3bc2

SHA1
26b266fd33ca53f8379405691f7ecfccd23d3a97

SHA256
b05df4ff2e420e2f37c82d1b65727b4b38e650ab1c0cd46337718ce4c10d7fda

SHA512
df75a68ee71a21895b129a949364e6cd61c9b1d85eb20deec8999c6d40110471214b0ef6eb992fc27c1e1cbd36d796c17f540192a85ee9fab0abb0bb973faf93

Download Submit
C:\Windows\System\qjXPRhL.exe

Filesize
1.5MB

MD5
5f05d70e336be2b08a7c926004eb77fd

SHA1
0c7d2441e0d36672b1c4c7c8e39d5a0404c63476

SHA256
14ffa4a3da477840f55795334b2a3acdb0baf73aeb8cb41cacfe9bc01e2c5b2b

SHA512
5f20bd560bec342d079ea583cc089567cf8760bfbd3d9906188da3c0c22585ba04aa380da721473f2c093209066482715592c949f4b082f86104c948d760a304

Download Submit
C:\Windows\System\qkwLioT.exe

Filesize
1.5MB

MD5
f1a14d041196e4ef014d30d632261446

SHA1
e3cf180dd94ee47e381a51487054185d269ac298

SHA256
500a9709663f9f7c837f407b3ed7aeaa495e11796175fa8067e6501a4ecb5dd4

SHA512
e92c5cd312a83118a71ca534dea2a0f12f5c8c7feeb6e79a0357c51078b84b17e10273ca76252aabce865b2f305bb570147d3523c63e37ce2fd8aa2422828b54

Download Submit
C:\Windows\System\qlphhkQ.exe

Filesize
1.5MB

MD5
74570ade0dea7035b439d888bc4b3b47

SHA1
9a8e0d872bf51ab44baec2dee97505d5c9ada9ed

SHA256
b5553254e542e119c61d1d75883d8a1531ebc073685923320e0b413e541031d4

SHA512
1ac9213ba56a0fc25658d2224012fe91fe52c989d05415b6c3b9a6148d7e8f369ababc3c528b33c260e816a209aa630d32ab0f70213923bfafd6eb1ed9d720a2

Download Submit
C:\Windows\System\sjSevmq.exe

Filesize
1.5MB

MD5
c944fdb9955bfc15260d7ee85be13b65

SHA1
294fed9a7d149c38698d6e0c5d24a6a4d5156e5e

SHA256
3efe0514b43dab9078b173911977b0f5f8d557cd1c986963212c68174e2b4e26

SHA512
181ecc7ab16d1434bf9423a43a8fc06b42ce9c28298916df292e9ad05e88621d9615e4194e466bd788bfff30c6290a895dde851cc16ba50f58252b6ad17e639f

Download Submit
C:\Windows\System\skRRrcw.exe

Filesize
1.5MB

MD5
911605e467a8c596d7af16a85009a668

SHA1
fea4f47785760b49dd3abf4985e94ee12929084e

SHA256
250e54d3dde27a647f00339ec3159cabddbae909b89b4a1a9cfbd96cc5643928

SHA512
7d9c7369eeb3ac09bd1deaaa70ef38daea8aa3699f1339a05a7443a42c124fd093ca2c22f177a69e0b24fb8813c644970a569e686d90bc6b0ef60359648ff597

Download Submit
C:\Windows\System\ujwQMoe.exe

Filesize
1.5MB

MD5
c98b027d5f8080bbeaebc0913b60c852

SHA1
d455513ba09c123f24fc6143c558e63adeb3b17d

SHA256
4f0b45582d2ce137723ef48186914e83303b22fb46b6a18de15b2896e72ebdae

SHA512
66f85558dc470a8ea7ad309163b2e82268bd35b5332b6c4d9b68bae8dcb77cc1c75ce6a4248497cf0d53cb1f271365e1709e8695c096cc0086869c3c339883f5

Download Submit
C:\Windows\System\vsPNUnf.exe

Filesize
1.5MB

MD5
a2d005bf87c7a0bb9f46cc812bc808a1

SHA1
47c4e5564929a85f8a35cfc8e7e5e1b254e22ca9

SHA256
27737796ecff80d38748ad7e164a23d9a5f4973463d2d98b206712db10651dd2

SHA512
b7e7db639ce1f86d83f9b22e03df9392f67de19ad3d137ee8c15cc1401838c03caa67894cef366fb0b81529dd835fee07fa8f47ca150a17a47fdf21f4d351455

Download Submit
C:\Windows\System\wgWQMDT.exe

Filesize
1.5MB

MD5
982f629f657fea414144de360fe3b620

SHA1
7ad82adc1bf26f1a634dd332d4336a384eeb2ce4

SHA256
ba21eab6d73beefe1f201ea35efb56fc2c7d36c298eb559b5ee7632ad7a5e56f

SHA512
d130ab604ef8e53019dd99f95abc87973aa369918c85bbe3e308b6acf789726f0c9ebb3a341af23961b4a67376a4ea50fbaee0eba580ccb947b06c91c6fa71e0

Download Submit
C:\Windows\System\wsgYfhn.exe

Filesize
1.5MB

MD5
5b16bcb7833f7c032a68a8063ce26f9e

SHA1
f53266e99f946399ccf7446678ed658b272a0818

SHA256
926d0ec22fe874cb7f383fff4ff776e24bcf5915ece2fa92978116d2c5a016b7

SHA512
0eb1883c2ac2ce12e576a1f4826c45b3a7294e10fab87174b8c3494d293b7c7b6b9227e232c80db58efae2ba7a8fa13d5bc9e5bea16c296381eeb1aaa89c363e

Download Submit
C:\Windows\System\yQcbYYg.exe

Filesize
1.5MB

MD5
eb842efa97bef816cbb500ebf30bc012

SHA1
1a1620eeab8fd2e5e9fe9733eece555a946e8b83

SHA256
562df107225c124618d528a835ee03e0a59cda9eb088c1524ee0c31e397e392b

SHA512
478769302ed0e6c5b9e95abc31345cb800eaa077fa67e8a5fa777a28fc20a701fcda27799c8182838d665f0fef96ea5b0118df1235a75ea8f5b6fc8ea2a346f2

Download Submit
C:\Windows\System\zZgOSCH.exe

Filesize
1.5MB

MD5
ebe0ab8fa4dd764a4f9fb62fdbb169fc

SHA1
328514aba68576a22667b7f30a1bd069be6c5c0d

SHA256
9dd2941eef796cd79b8ef02f7beeb65b9e065e1bfa64c98a3e56d0eaad551c03

SHA512
0f504c6aab770b13e2795d7bdfdb56b78f80829420e2d83c79f84fe65d31d8d2a5ce5347a2baec3ad96ad60f32aa09b0136a9f80899cc676ce21c76937a9bab9

Download Submit
C:\Windows\System\zikeVhn.exe

Filesize
1.5MB

MD5
60bd082e8e289c009a3ed66342ee9f29

SHA1
45a74296c817053b0b859c8be7cacf89931c2612

SHA256
c9080a7ecdb9e852d9b374b4d95fea3be85b0a95889a8651343c2c2ad73b611f

SHA512
01854ad8caec7bdf0e0de6bc266cf44b2821657f684ffc617c217a372a805f170c0699cfefffc4c9fad16e8003c93821a3bf58d3a3b94447f10ad19ed2bcfe31

Download Submit
C:\Windows\System\zkzfihe.exe

Filesize
1.5MB

MD5
3c53ff3c715c26ef53c737b077dbc9ed

SHA1
c114d8b0c6f61e6963a21d192a7e3ba565ca98a6

SHA256
fd57f027567bbebb6ebf79db8464b8242803beca3c2d871ffc3c2ea4feb5608e

SHA512
0eea35dfb6a98073c88884570f67efbdeb4068de4ab16dea8a0aa4311802904fed60e6b945ecf0861d9d7d523bea83b58306d03ea3cca0cc74a0de57f55b97bb

Download Submit
memory/384-377-0x00007FF733750000-0x00007FF733B42000-memory.dmp

Filesize
3.9MB

Download
memory/384-2061-0x00007FF733750000-0x00007FF733B42000-memory.dmp

Filesize
3.9MB

Download
memory/756-364-0x00007FF630930000-0x00007FF630D22000-memory.dmp

Filesize
3.9MB

Download
memory/756-2086-0x00007FF630930000-0x00007FF630D22000-memory.dmp

Filesize
3.9MB

Download
memory/1244-2009-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1244-1998-0x00007FFFEF2C3000-0x00007FFFEF2C5000-memory.dmp

Filesize
8KB

Download
memory/1244-54-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1244-30-0x000002009B070000-0x000002009B092000-memory.dmp

Filesize
136KB

Download
memory/1244-43-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1244-2000-0x00007FFFEF2C0000-0x00007FFFEFD81000-memory.dmp

Filesize
10.8MB

Download
memory/1244-339-0x00000200B3E00000-0x00000200B45A6000-memory.dmp

Filesize
7.6MB

Download
memory/1244-3-0x00007FFFEF2C3000-0x00007FFFEF2C5000-memory.dmp

Filesize
8KB

Download
memory/1600-2090-0x00007FF785660000-0x00007FF785A52000-memory.dmp

Filesize
3.9MB

Download
memory/1600-371-0x00007FF785660000-0x00007FF785A52000-memory.dmp

Filesize
3.9MB

Download
memory/1892-2048-0x00007FF7266F0000-0x00007FF726AE2000-memory.dmp

Filesize
3.9MB

Download
memory/1892-83-0x00007FF7266F0000-0x00007FF726AE2000-memory.dmp

Filesize
3.9MB

Download
memory/1964-2068-0x00007FF7EDA40000-0x00007FF7EDE32000-memory.dmp

Filesize
3.9MB

Download
memory/1964-384-0x00007FF7EDA40000-0x00007FF7EDE32000-memory.dmp

Filesize
3.9MB

Download
memory/2436-2070-0x00007FF785850000-0x00007FF785C42000-memory.dmp

Filesize
3.9MB

Download
memory/2436-308-0x00007FF785850000-0x00007FF785C42000-memory.dmp

Filesize
3.9MB

Download
memory/2588-313-0x00007FF6B7E40000-0x00007FF6B8232000-memory.dmp

Filesize
3.9MB

Download
memory/2588-2072-0x00007FF6B7E40000-0x00007FF6B8232000-memory.dmp

Filesize
3.9MB

Download
memory/2728-2050-0x00007FF7DF1E0000-0x00007FF7DF5D2000-memory.dmp

Filesize
3.9MB

Download
memory/2728-73-0x00007FF7DF1E0000-0x00007FF7DF5D2000-memory.dmp

Filesize
3.9MB

Download
memory/2816-294-0x00007FF6BD6A0000-0x00007FF6BDA92000-memory.dmp

Filesize
3.9MB

Download
memory/2816-2058-0x00007FF6BD6A0000-0x00007FF6BDA92000-memory.dmp

Filesize
3.9MB

Download
memory/2944-78-0x00007FF6B2B70000-0x00007FF6B2F62000-memory.dmp

Filesize
3.9MB

Download
memory/2944-2052-0x00007FF6B2B70000-0x00007FF6B2F62000-memory.dmp

Filesize
3.9MB

Download
memory/2968-2056-0x00007FF71D770000-0x00007FF71DB62000-memory.dmp

Filesize
3.9MB

Download
memory/2968-292-0x00007FF71D770000-0x00007FF71DB62000-memory.dmp

Filesize
3.9MB

Download
memory/3116-2078-0x00007FF74C810000-0x00007FF74CC02000-memory.dmp

Filesize
3.9MB

Download
memory/3116-343-0x00007FF74C810000-0x00007FF74CC02000-memory.dmp

Filesize
3.9MB

Download
memory/3424-319-0x00007FF647070000-0x00007FF647462000-memory.dmp

Filesize
3.9MB

Download
memory/3424-2074-0x00007FF647070000-0x00007FF647462000-memory.dmp

Filesize
3.9MB

Download
memory/3472-2046-0x00007FF6D4950000-0x00007FF6D4D42000-memory.dmp

Filesize
3.9MB

Download
memory/3472-375-0x00007FF6D4950000-0x00007FF6D4D42000-memory.dmp

Filesize
3.9MB

Download
memory/3608-2054-0x00007FF740D70000-0x00007FF741162000-memory.dmp

Filesize
3.9MB

Download
memory/3608-305-0x00007FF740D70000-0x00007FF741162000-memory.dmp

Filesize
3.9MB

Download
memory/3828-2077-0x00007FF746E70000-0x00007FF747262000-memory.dmp

Filesize
3.9MB

Download
memory/3828-340-0x00007FF746E70000-0x00007FF747262000-memory.dmp

Filesize
3.9MB

Download
memory/3880-2088-0x00007FF6E51B0000-0x00007FF6E55A2000-memory.dmp

Filesize
3.9MB

Download
memory/3880-365-0x00007FF6E51B0000-0x00007FF6E55A2000-memory.dmp

Filesize
3.9MB

Download
memory/4108-383-0x00007FF66D2B0000-0x00007FF66D6A2000-memory.dmp

Filesize
3.9MB

Download
memory/4108-2065-0x00007FF66D2B0000-0x00007FF66D6A2000-memory.dmp

Filesize
3.9MB

Download
memory/4144-306-0x00007FF708430000-0x00007FF708822000-memory.dmp

Filesize
3.9MB

Download
memory/4144-2066-0x00007FF708430000-0x00007FF708822000-memory.dmp

Filesize
3.9MB

Download
memory/4444-358-0x00007FF676DD0000-0x00007FF6771C2000-memory.dmp

Filesize
3.9MB

Download
memory/4444-2084-0x00007FF676DD0000-0x00007FF6771C2000-memory.dmp

Filesize
3.9MB

Download
memory/4468-2044-0x00007FF69EFA0000-0x00007FF69F392000-memory.dmp

Filesize
3.9MB

Download
memory/4468-71-0x00007FF69EFA0000-0x00007FF69F392000-memory.dmp

Filesize
3.9MB

Download
memory/4508-2080-0x00007FF632D50000-0x00007FF633142000-memory.dmp

Filesize
3.9MB

Download
memory/4508-349-0x00007FF632D50000-0x00007FF633142000-memory.dmp

Filesize
3.9MB

Download
memory/4552-357-0x00007FF659BC0000-0x00007FF659FB2000-memory.dmp

Filesize
3.9MB

Download
memory/4552-2082-0x00007FF659BC0000-0x00007FF659FB2000-memory.dmp

Filesize
3.9MB

Download
memory/4576-2062-0x00007FF685870000-0x00007FF685C62000-memory.dmp

Filesize
3.9MB

Download
memory/4576-300-0x00007FF685870000-0x00007FF685C62000-memory.dmp

Filesize
3.9MB

Download
memory/4788-0-0x00007FF678530000-0x00007FF678922000-memory.dmp

Filesize
3.9MB

Download
memory/4788-1951-0x00007FF678530000-0x00007FF678922000-memory.dmp

Filesize
3.9MB

Download
memory/4788-1-0x000002AC144C0000-0x000002AC144D0000-memory.dmp

Filesize
64KB

Download