xmrig | 4a08e3c21ec979474908066881eba269038debbbaaed04cdfdb8dfecdf0b0f8b

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
Size

2.7MB
MD5

c991739ccff543640ab620f70ead6aa0
SHA1

7ce90ffacce0b83796ca2ec4deb4ea57963022c3
SHA256

4a08e3c21ec979474908066881eba269038debbbaaed04cdfdb8dfecdf0b0f8b
SHA512

fe8ec361642bfc1dec3c2c2e8a49a51147936e6ab96579097fa8b56d5fc15a71f8a88040cba1817eac497f0b48e3e50d42a05891968e7a09cd5cae0e0c3f3bf6
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkHC0IEFTofj:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2Rt

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3228-0-0x00007FF6E1CF0000-0x00007FF6E20E6000-memory.dmp	xmrig
behavioral2/files/0x0008000000023423-5.dat	xmrig
behavioral2/files/0x0007000000023428-8.dat	xmrig
behavioral2/files/0x0007000000023429-17.dat	xmrig
behavioral2/files/0x000700000002342c-29.dat	xmrig
behavioral2/files/0x000700000002342b-35.dat	xmrig
behavioral2/memory/1744-45-0x00007FF6D34C0000-0x00007FF6D38B6000-memory.dmp	xmrig
behavioral2/files/0x000700000002342e-40.dat	xmrig
behavioral2/files/0x000700000002342f-42.dat	xmrig
behavioral2/files/0x000700000002342a-41.dat	xmrig
behavioral2/files/0x000700000002342d-39.dat	xmrig
behavioral2/files/0x0007000000023427-21.dat	xmrig
behavioral2/files/0x0007000000023432-85.dat	xmrig
behavioral2/files/0x0007000000023447-170.dat	xmrig
behavioral2/files/0x0007000000023441-192.dat	xmrig
behavioral2/memory/4604-201-0x00007FF7B1E70000-0x00007FF7B2266000-memory.dmp	xmrig
behavioral2/memory/1812-219-0x00007FF669490000-0x00007FF669886000-memory.dmp	xmrig
behavioral2/memory/2516-225-0x00007FF7491B0000-0x00007FF7495A6000-memory.dmp	xmrig
behavioral2/memory/3772-230-0x00007FF79DD00000-0x00007FF79E0F6000-memory.dmp	xmrig
behavioral2/memory/4280-232-0x00007FF697A30000-0x00007FF697E26000-memory.dmp	xmrig
behavioral2/memory/4100-231-0x00007FF6711C0000-0x00007FF6715B6000-memory.dmp	xmrig
behavioral2/memory/888-229-0x00007FF630670000-0x00007FF630A66000-memory.dmp	xmrig
behavioral2/memory/4932-228-0x00007FF7DF7A0000-0x00007FF7DFB96000-memory.dmp	xmrig
behavioral2/memory/1972-227-0x00007FF65A840000-0x00007FF65AC36000-memory.dmp	xmrig
behavioral2/memory/540-226-0x00007FF6AF9B0000-0x00007FF6AFDA6000-memory.dmp	xmrig
behavioral2/memory/2292-224-0x00007FF6F5CD0000-0x00007FF6F60C6000-memory.dmp	xmrig
behavioral2/memory/5068-223-0x00007FF60C810000-0x00007FF60CC06000-memory.dmp	xmrig
behavioral2/memory/4992-222-0x00007FF760E90000-0x00007FF761286000-memory.dmp	xmrig
behavioral2/memory/3452-221-0x00007FF7100B0000-0x00007FF7104A6000-memory.dmp	xmrig
behavioral2/memory/4372-220-0x00007FF720CB0000-0x00007FF7210A6000-memory.dmp	xmrig
behavioral2/memory/388-218-0x00007FF739FF0000-0x00007FF73A3E6000-memory.dmp	xmrig
behavioral2/memory/5076-215-0x00007FF769570000-0x00007FF769966000-memory.dmp	xmrig
behavioral2/memory/2660-211-0x00007FF708100000-0x00007FF7084F6000-memory.dmp	xmrig
behavioral2/memory/3012-210-0x00007FF69D0A0000-0x00007FF69D496000-memory.dmp	xmrig
behavioral2/memory/3580-189-0x00007FF69B910000-0x00007FF69BD06000-memory.dmp	xmrig
behavioral2/files/0x000700000002344c-184.dat	xmrig
behavioral2/files/0x000700000002343e-182.dat	xmrig
behavioral2/files/0x000700000002344b-181.dat	xmrig
behavioral2/files/0x000700000002344a-179.dat	xmrig
behavioral2/files/0x000700000002343d-177.dat	xmrig
behavioral2/files/0x0007000000023449-176.dat	xmrig
behavioral2/files/0x000700000002343c-174.dat	xmrig
behavioral2/files/0x0007000000023448-171.dat	xmrig
behavioral2/files/0x0008000000023424-169.dat	xmrig
behavioral2/memory/720-164-0x00007FF6E72F0000-0x00007FF6E76E6000-memory.dmp	xmrig
behavioral2/memory/1564-161-0x00007FF6DC700000-0x00007FF6DCAF6000-memory.dmp	xmrig
behavioral2/files/0x0008000000023440-158.dat	xmrig
behavioral2/files/0x0007000000023445-157.dat	xmrig
behavioral2/files/0x0007000000023444-156.dat	xmrig
behavioral2/files/0x0007000000023439-152.dat	xmrig
behavioral2/files/0x0007000000023431-150.dat	xmrig
behavioral2/files/0x0007000000023443-149.dat	xmrig
behavioral2/files/0x0007000000023438-148.dat	xmrig
behavioral2/files/0x0007000000023442-145.dat	xmrig
behavioral2/files/0x000700000002343b-143.dat	xmrig
behavioral2/files/0x0007000000023437-138.dat	xmrig
behavioral2/files/0x0007000000023446-168.dat	xmrig
behavioral2/files/0x000700000002343a-166.dat	xmrig
behavioral2/files/0x0007000000023436-124.dat	xmrig
behavioral2/files/0x0007000000023435-121.dat	xmrig
behavioral2/files/0x0007000000023434-119.dat	xmrig
behavioral2/files/0x0007000000023433-114.dat	xmrig
behavioral2/memory/4592-96-0x00007FF68B570000-0x00007FF68B966000-memory.dmp	xmrig
behavioral2/files/0x0007000000023430-71.dat	xmrig

Blocklisted process makes network request 6 IoCs

flow	pid	Process
9	3768	powershell.exe
11	3768	powershell.exe
13	3768	powershell.exe
14	3768	powershell.exe
16	3768	powershell.exe
27	3768	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3768	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
1744	yKFWLJA.exe
888	tVmVvAh.exe
4592	Hdkmcea.exe
1564	FKDtsQz.exe
720	DgTFFXn.exe
3580	TPrRGpz.exe
4604	oMGOddu.exe
3012	VNxorJj.exe
2660	acUzwXD.exe
5076	aLPafWh.exe
3772	TItNwkN.exe
388	TimzReU.exe
1812	faNYZOp.exe
4372	sNBSmvV.exe
3452	GLdRZJX.exe
4992	uOmpYSF.exe
5068	fvTXOcr.exe
2292	WAunkAZ.exe
2516	TFdDXAp.exe
540	giUbklg.exe
4100	OzeTunz.exe
1972	AqHhDLK.exe
4932	MsRKjsv.exe
4280	sZkMWDM.exe
4004	zIDDMXY.exe
4860	bZBTTtc.exe
5056	RupXiiQ.exe
3552	zLoeCpv.exe
1980	qtaFEFB.exe
2764	LBfiRab.exe
2356	WKwpVEK.exe
3756	lvolBfA.exe
1628	edYfbLh.exe
3352	pbyDgbt.exe
2232	BTgltNU.exe
3596	vYEvdJH.exe
764	bzyxFox.exe
1584	pgzrSXF.exe
4220	ngTSkJG.exe
3172	dwAomBC.exe
4660	DElWiGz.exe
1400	PpKPTzC.exe
2380	mWyeYaa.exe
4560	ZrKkbDM.exe
2528	ZReCdLe.exe
1900	PXmmBdb.exe
4204	HlgaWFV.exe
4536	OGmdCbd.exe
4068	UbYNIVv.exe
3264	FHoWpYg.exe
1088	mMITiEX.exe
4152	TfVVFIn.exe
4036	UvnCrRm.exe
3608	EXdnsYh.exe
4008	qNkOjdR.exe
3944	oYiGTRC.exe
4700	kNEloVu.exe
1304	AGVbQTW.exe
5092	QUYmPWR.exe
4708	JvAqcPl.exe
632	MhTlbsU.exe
3268	JgUZnFG.exe
3436	dPmuasH.exe
1264	wpYrDye.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3228-0-0x00007FF6E1CF0000-0x00007FF6E20E6000-memory.dmp	upx
behavioral2/files/0x0008000000023423-5.dat	upx
behavioral2/files/0x0007000000023428-8.dat	upx
behavioral2/files/0x0007000000023429-17.dat	upx
behavioral2/files/0x000700000002342c-29.dat	upx
behavioral2/files/0x000700000002342b-35.dat	upx
behavioral2/memory/1744-45-0x00007FF6D34C0000-0x00007FF6D38B6000-memory.dmp	upx
behavioral2/files/0x000700000002342e-40.dat	upx
behavioral2/files/0x000700000002342f-42.dat	upx
behavioral2/files/0x000700000002342a-41.dat	upx
behavioral2/files/0x000700000002342d-39.dat	upx
behavioral2/files/0x0007000000023427-21.dat	upx
behavioral2/files/0x0007000000023432-85.dat	upx
behavioral2/files/0x0007000000023447-170.dat	upx
behavioral2/files/0x0007000000023441-192.dat	upx
behavioral2/memory/4604-201-0x00007FF7B1E70000-0x00007FF7B2266000-memory.dmp	upx
behavioral2/memory/1812-219-0x00007FF669490000-0x00007FF669886000-memory.dmp	upx
behavioral2/memory/2516-225-0x00007FF7491B0000-0x00007FF7495A6000-memory.dmp	upx
behavioral2/memory/3772-230-0x00007FF79DD00000-0x00007FF79E0F6000-memory.dmp	upx
behavioral2/memory/4280-232-0x00007FF697A30000-0x00007FF697E26000-memory.dmp	upx
behavioral2/memory/4100-231-0x00007FF6711C0000-0x00007FF6715B6000-memory.dmp	upx
behavioral2/memory/888-229-0x00007FF630670000-0x00007FF630A66000-memory.dmp	upx
behavioral2/memory/4932-228-0x00007FF7DF7A0000-0x00007FF7DFB96000-memory.dmp	upx
behavioral2/memory/1972-227-0x00007FF65A840000-0x00007FF65AC36000-memory.dmp	upx
behavioral2/memory/540-226-0x00007FF6AF9B0000-0x00007FF6AFDA6000-memory.dmp	upx
behavioral2/memory/2292-224-0x00007FF6F5CD0000-0x00007FF6F60C6000-memory.dmp	upx
behavioral2/memory/5068-223-0x00007FF60C810000-0x00007FF60CC06000-memory.dmp	upx
behavioral2/memory/4992-222-0x00007FF760E90000-0x00007FF761286000-memory.dmp	upx
behavioral2/memory/3452-221-0x00007FF7100B0000-0x00007FF7104A6000-memory.dmp	upx
behavioral2/memory/4372-220-0x00007FF720CB0000-0x00007FF7210A6000-memory.dmp	upx
behavioral2/memory/388-218-0x00007FF739FF0000-0x00007FF73A3E6000-memory.dmp	upx
behavioral2/memory/5076-215-0x00007FF769570000-0x00007FF769966000-memory.dmp	upx
behavioral2/memory/2660-211-0x00007FF708100000-0x00007FF7084F6000-memory.dmp	upx
behavioral2/memory/3012-210-0x00007FF69D0A0000-0x00007FF69D496000-memory.dmp	upx
behavioral2/memory/3580-189-0x00007FF69B910000-0x00007FF69BD06000-memory.dmp	upx
behavioral2/files/0x000700000002344c-184.dat	upx
behavioral2/files/0x000700000002343e-182.dat	upx
behavioral2/files/0x000700000002344b-181.dat	upx
behavioral2/files/0x000700000002344a-179.dat	upx
behavioral2/files/0x000700000002343d-177.dat	upx
behavioral2/files/0x0007000000023449-176.dat	upx
behavioral2/files/0x000700000002343c-174.dat	upx
behavioral2/files/0x0007000000023448-171.dat	upx
behavioral2/files/0x0008000000023424-169.dat	upx
behavioral2/memory/720-164-0x00007FF6E72F0000-0x00007FF6E76E6000-memory.dmp	upx
behavioral2/memory/1564-161-0x00007FF6DC700000-0x00007FF6DCAF6000-memory.dmp	upx
behavioral2/files/0x0008000000023440-158.dat	upx
behavioral2/files/0x0007000000023445-157.dat	upx
behavioral2/files/0x0007000000023444-156.dat	upx
behavioral2/files/0x0007000000023439-152.dat	upx
behavioral2/files/0x0007000000023431-150.dat	upx
behavioral2/files/0x0007000000023443-149.dat	upx
behavioral2/files/0x0007000000023438-148.dat	upx
behavioral2/files/0x0007000000023442-145.dat	upx
behavioral2/files/0x000700000002343b-143.dat	upx
behavioral2/files/0x0007000000023437-138.dat	upx
behavioral2/files/0x0007000000023446-168.dat	upx
behavioral2/files/0x000700000002343a-166.dat	upx
behavioral2/files/0x0007000000023436-124.dat	upx
behavioral2/files/0x0007000000023435-121.dat	upx
behavioral2/files/0x0007000000023434-119.dat	upx
behavioral2/files/0x0007000000023433-114.dat	upx
behavioral2/memory/4592-96-0x00007FF68B570000-0x00007FF68B966000-memory.dmp	upx
behavioral2/files/0x0007000000023430-71.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\PJGbLMZ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\LvSCbkr.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\cOClskg.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\jHcunXd.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\YuAWnrU.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\muiwSIK.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\JUjHOZs.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\avKuEJz.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\IgzHtdP.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\zqnnrnF.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\yzFhpNx.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\xkVOMnj.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\JOwQreW.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\HUQJScP.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\hPdAfiV.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\OZfQTQz.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\OtrsDjJ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\tySahik.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\kyLXdDN.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\tTfuloH.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\xKJMbEr.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\oJditTq.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\dVJdmHV.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\AqHhDLK.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\zavtqIz.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\ZwYXvAJ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\vVXLqPB.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\ARWDsiF.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\QJnMQYJ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\gaGLjMq.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\ZSWqASS.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\PKZZbvi.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\FVQjVXW.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\fyLDfkx.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\MIqtswh.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\rixkHTU.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\GyWCfbA.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\AHulxeI.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\lGbrfhY.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\EMhKfQi.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\PaKiWoR.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\euGtoDA.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\dzxfqqJ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\OlrOCfZ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\vtYncNk.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\PkOxDsJ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\gKFrEVA.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\ZAWrJUd.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\uZiehVT.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\dxoqOPG.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\ZjXnsUg.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\bCNybWh.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\ApingCp.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\sMDiOgQ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\lMWLmOG.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\COkkKCE.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\rsAUEhc.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\yGrCpSE.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\sjvNcds.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\QUYmPWR.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\GrafBpz.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\xmTzkWm.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\uEijPhF.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
File created	C:\Windows\System\FDUwasJ.exe	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3768	powershell.exe
3768	powershell.exe
3768	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3768	powershell.exe
Token: SeLockMemoryPrivilege	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
Token: SeCreateGlobalPrivilege	12420	dwm.exe
Token: SeChangeNotifyPrivilege	12420	dwm.exe
Token: 33	12420	dwm.exe
Token: SeIncBasePriorityPrivilege	12420	dwm.exe
Token: SeShutdownPrivilege	12420	dwm.exe
Token: SeCreatePagefilePrivilege	12420	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3768	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	84
PID 3228 wrote to memory of 3768	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	84
PID 3228 wrote to memory of 1744	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	85
PID 3228 wrote to memory of 1744	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	85
PID 3228 wrote to memory of 888	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	86
PID 3228 wrote to memory of 888	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	86
PID 3228 wrote to memory of 4592	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	87
PID 3228 wrote to memory of 4592	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	87
PID 3228 wrote to memory of 1564	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	88
PID 3228 wrote to memory of 1564	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	88
PID 3228 wrote to memory of 720	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	89
PID 3228 wrote to memory of 720	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	89
PID 3228 wrote to memory of 4604	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	90
PID 3228 wrote to memory of 4604	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	90
PID 3228 wrote to memory of 3580	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	91
PID 3228 wrote to memory of 3580	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	91
PID 3228 wrote to memory of 3012	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	92
PID 3228 wrote to memory of 3012	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	92
PID 3228 wrote to memory of 2660	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	93
PID 3228 wrote to memory of 2660	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	93
PID 3228 wrote to memory of 5076	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	94
PID 3228 wrote to memory of 5076	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	94
PID 3228 wrote to memory of 3772	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	95
PID 3228 wrote to memory of 3772	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	95
PID 3228 wrote to memory of 3452	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	96
PID 3228 wrote to memory of 3452	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	96
PID 3228 wrote to memory of 5068	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	97
PID 3228 wrote to memory of 5068	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	97
PID 3228 wrote to memory of 388	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	98
PID 3228 wrote to memory of 388	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	98
PID 3228 wrote to memory of 1812	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	99
PID 3228 wrote to memory of 1812	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	99
PID 3228 wrote to memory of 4372	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	100
PID 3228 wrote to memory of 4372	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	100
PID 3228 wrote to memory of 4992	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	101
PID 3228 wrote to memory of 4992	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	101
PID 3228 wrote to memory of 2292	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	102
PID 3228 wrote to memory of 2292	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	102
PID 3228 wrote to memory of 2516	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	103
PID 3228 wrote to memory of 2516	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	103
PID 3228 wrote to memory of 540	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	104
PID 3228 wrote to memory of 540	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	104
PID 3228 wrote to memory of 4100	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	105
PID 3228 wrote to memory of 4100	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	105
PID 3228 wrote to memory of 4860	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	106
PID 3228 wrote to memory of 4860	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	106
PID 3228 wrote to memory of 1972	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	107
PID 3228 wrote to memory of 1972	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	107
PID 3228 wrote to memory of 4932	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	108
PID 3228 wrote to memory of 4932	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	108
PID 3228 wrote to memory of 4280	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	109
PID 3228 wrote to memory of 4280	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	109
PID 3228 wrote to memory of 4004	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	110
PID 3228 wrote to memory of 4004	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	110
PID 3228 wrote to memory of 5056	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	111
PID 3228 wrote to memory of 5056	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	111
PID 3228 wrote to memory of 3552	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	112
PID 3228 wrote to memory of 3552	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	112
PID 3228 wrote to memory of 1980	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	113
PID 3228 wrote to memory of 1980	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	113
PID 3228 wrote to memory of 2764	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	114
PID 3228 wrote to memory of 2764	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	114
PID 3228 wrote to memory of 2356	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	115
PID 3228 wrote to memory of 2356	3228	c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c991739ccff543640ab620f70ead6aa0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3768
- C:\Windows\System\yKFWLJA.exe
  C:\Windows\System\yKFWLJA.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\tVmVvAh.exe
  C:\Windows\System\tVmVvAh.exe
  2⤵
  - Executes dropped EXE
  PID:888
- C:\Windows\System\Hdkmcea.exe
  C:\Windows\System\Hdkmcea.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\FKDtsQz.exe
  C:\Windows\System\FKDtsQz.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\DgTFFXn.exe
  C:\Windows\System\DgTFFXn.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\oMGOddu.exe
  C:\Windows\System\oMGOddu.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\TPrRGpz.exe
  C:\Windows\System\TPrRGpz.exe
  2⤵
  - Executes dropped EXE
  PID:3580
- C:\Windows\System\VNxorJj.exe
  C:\Windows\System\VNxorJj.exe
  2⤵
  - Executes dropped EXE
  PID:3012
- C:\Windows\System\acUzwXD.exe
  C:\Windows\System\acUzwXD.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\aLPafWh.exe
  C:\Windows\System\aLPafWh.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\TItNwkN.exe
  C:\Windows\System\TItNwkN.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\GLdRZJX.exe
  C:\Windows\System\GLdRZJX.exe
  2⤵
  - Executes dropped EXE
  PID:3452
- C:\Windows\System\fvTXOcr.exe
  C:\Windows\System\fvTXOcr.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\TimzReU.exe
  C:\Windows\System\TimzReU.exe
  2⤵
  - Executes dropped EXE
  PID:388
- C:\Windows\System\faNYZOp.exe
  C:\Windows\System\faNYZOp.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\sNBSmvV.exe
  C:\Windows\System\sNBSmvV.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\uOmpYSF.exe
  C:\Windows\System\uOmpYSF.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System\WAunkAZ.exe
  C:\Windows\System\WAunkAZ.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\TFdDXAp.exe
  C:\Windows\System\TFdDXAp.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\giUbklg.exe
  C:\Windows\System\giUbklg.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\OzeTunz.exe
  C:\Windows\System\OzeTunz.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\bZBTTtc.exe
  C:\Windows\System\bZBTTtc.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\AqHhDLK.exe
  C:\Windows\System\AqHhDLK.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\MsRKjsv.exe
  C:\Windows\System\MsRKjsv.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\sZkMWDM.exe
  C:\Windows\System\sZkMWDM.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\zIDDMXY.exe
  C:\Windows\System\zIDDMXY.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\RupXiiQ.exe
  C:\Windows\System\RupXiiQ.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\zLoeCpv.exe
  C:\Windows\System\zLoeCpv.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\qtaFEFB.exe
  C:\Windows\System\qtaFEFB.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\LBfiRab.exe
  C:\Windows\System\LBfiRab.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\WKwpVEK.exe
  C:\Windows\System\WKwpVEK.exe
  2⤵
  - Executes dropped EXE
  PID:2356
- C:\Windows\System\lvolBfA.exe
  C:\Windows\System\lvolBfA.exe
  2⤵
  - Executes dropped EXE
  PID:3756
- C:\Windows\System\edYfbLh.exe
  C:\Windows\System\edYfbLh.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\System\pbyDgbt.exe
  C:\Windows\System\pbyDgbt.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\BTgltNU.exe
  C:\Windows\System\BTgltNU.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\vYEvdJH.exe
  C:\Windows\System\vYEvdJH.exe
  2⤵
  - Executes dropped EXE
  PID:3596
- C:\Windows\System\bzyxFox.exe
  C:\Windows\System\bzyxFox.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\pgzrSXF.exe
  C:\Windows\System\pgzrSXF.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\System\ngTSkJG.exe
  C:\Windows\System\ngTSkJG.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\dwAomBC.exe
  C:\Windows\System\dwAomBC.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\DElWiGz.exe
  C:\Windows\System\DElWiGz.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\PpKPTzC.exe
  C:\Windows\System\PpKPTzC.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Windows\System\mWyeYaa.exe
  C:\Windows\System\mWyeYaa.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\ZrKkbDM.exe
  C:\Windows\System\ZrKkbDM.exe
  2⤵
  - Executes dropped EXE
  PID:4560
- C:\Windows\System\ZReCdLe.exe
  C:\Windows\System\ZReCdLe.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\PXmmBdb.exe
  C:\Windows\System\PXmmBdb.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\HlgaWFV.exe
  C:\Windows\System\HlgaWFV.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\OGmdCbd.exe
  C:\Windows\System\OGmdCbd.exe
  2⤵
  - Executes dropped EXE
  PID:4536
- C:\Windows\System\UbYNIVv.exe
  C:\Windows\System\UbYNIVv.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\FHoWpYg.exe
  C:\Windows\System\FHoWpYg.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\mMITiEX.exe
  C:\Windows\System\mMITiEX.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\TfVVFIn.exe
  C:\Windows\System\TfVVFIn.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\UvnCrRm.exe
  C:\Windows\System\UvnCrRm.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\EXdnsYh.exe
  C:\Windows\System\EXdnsYh.exe
  2⤵
  - Executes dropped EXE
  PID:3608
- C:\Windows\System\qNkOjdR.exe
  C:\Windows\System\qNkOjdR.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Windows\System\oYiGTRC.exe
  C:\Windows\System\oYiGTRC.exe
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Windows\System\kNEloVu.exe
  C:\Windows\System\kNEloVu.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\AGVbQTW.exe
  C:\Windows\System\AGVbQTW.exe
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Windows\System\QUYmPWR.exe
  C:\Windows\System\QUYmPWR.exe
  2⤵
  - Executes dropped EXE
  PID:5092
- C:\Windows\System\JvAqcPl.exe
  C:\Windows\System\JvAqcPl.exe
  2⤵
  - Executes dropped EXE
  PID:4708
- C:\Windows\System\MhTlbsU.exe
  C:\Windows\System\MhTlbsU.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\JgUZnFG.exe
  C:\Windows\System\JgUZnFG.exe
  2⤵
  - Executes dropped EXE
  PID:3268
- C:\Windows\System\dPmuasH.exe
  C:\Windows\System\dPmuasH.exe
  2⤵
  - Executes dropped EXE
  PID:3436
- C:\Windows\System\wpYrDye.exe
  C:\Windows\System\wpYrDye.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\tgyfYEp.exe
  C:\Windows\System\tgyfYEp.exe
  2⤵
  PID:3316
- C:\Windows\System\ZAWrJUd.exe
  C:\Windows\System\ZAWrJUd.exe
  2⤵
  PID:2844
- C:\Windows\System\nXgVrVl.exe
  C:\Windows\System\nXgVrVl.exe
  2⤵
  PID:1412
- C:\Windows\System\hHQkutT.exe
  C:\Windows\System\hHQkutT.exe
  2⤵
  PID:3460
- C:\Windows\System\zUvQIuK.exe
  C:\Windows\System\zUvQIuK.exe
  2⤵
  PID:3396
- C:\Windows\System\btHrUlk.exe
  C:\Windows\System\btHrUlk.exe
  2⤵
  PID:2028
- C:\Windows\System\bzoiRYT.exe
  C:\Windows\System\bzoiRYT.exe
  2⤵
  PID:5004
- C:\Windows\System\wIhuNpE.exe
  C:\Windows\System\wIhuNpE.exe
  2⤵
  PID:396
- C:\Windows\System\IsGaFsb.exe
  C:\Windows\System\IsGaFsb.exe
  2⤵
  PID:4548
- C:\Windows\System\pDeDdra.exe
  C:\Windows\System\pDeDdra.exe
  2⤵
  PID:5052
- C:\Windows\System\cDWDtbL.exe
  C:\Windows\System\cDWDtbL.exe
  2⤵
  PID:1836
- C:\Windows\System\mnVhYoA.exe
  C:\Windows\System\mnVhYoA.exe
  2⤵
  PID:1560
- C:\Windows\System\LjOHZHk.exe
  C:\Windows\System\LjOHZHk.exe
  2⤵
  PID:2244
- C:\Windows\System\MdupSzA.exe
  C:\Windows\System\MdupSzA.exe
  2⤵
  PID:1008
- C:\Windows\System\cShQJxG.exe
  C:\Windows\System\cShQJxG.exe
  2⤵
  PID:4580
- C:\Windows\System\yDQhrqy.exe
  C:\Windows\System\yDQhrqy.exe
  2⤵
  PID:4460
- C:\Windows\System\ttkuXpK.exe
  C:\Windows\System\ttkuXpK.exe
  2⤵
  PID:4808
- C:\Windows\System\rjnnIvp.exe
  C:\Windows\System\rjnnIvp.exe
  2⤵
  PID:5132
- C:\Windows\System\awobfHr.exe
  C:\Windows\System\awobfHr.exe
  2⤵
  PID:5172
- C:\Windows\System\LjjLxMv.exe
  C:\Windows\System\LjjLxMv.exe
  2⤵
  PID:5228
- C:\Windows\System\fyRKusS.exe
  C:\Windows\System\fyRKusS.exe
  2⤵
  PID:5264
- C:\Windows\System\vkWQLsr.exe
  C:\Windows\System\vkWQLsr.exe
  2⤵
  PID:5316
- C:\Windows\System\NtdXQXo.exe
  C:\Windows\System\NtdXQXo.exe
  2⤵
  PID:5360
- C:\Windows\System\ESSCsvF.exe
  C:\Windows\System\ESSCsvF.exe
  2⤵
  PID:5420
- C:\Windows\System\bkWUpcG.exe
  C:\Windows\System\bkWUpcG.exe
  2⤵
  PID:5464
- C:\Windows\System\hpkrBgT.exe
  C:\Windows\System\hpkrBgT.exe
  2⤵
  PID:5504
- C:\Windows\System\AmbgOgU.exe
  C:\Windows\System\AmbgOgU.exe
  2⤵
  PID:5540
- C:\Windows\System\ZJdebpF.exe
  C:\Windows\System\ZJdebpF.exe
  2⤵
  PID:5588
- C:\Windows\System\IpSPVec.exe
  C:\Windows\System\IpSPVec.exe
  2⤵
  PID:5628
- C:\Windows\System\SfcRRXJ.exe
  C:\Windows\System\SfcRRXJ.exe
  2⤵
  PID:5676
- C:\Windows\System\wIsurTY.exe
  C:\Windows\System\wIsurTY.exe
  2⤵
  PID:5712
- C:\Windows\System\XYfxMOO.exe
  C:\Windows\System\XYfxMOO.exe
  2⤵
  PID:5756
- C:\Windows\System\EjHKCwt.exe
  C:\Windows\System\EjHKCwt.exe
  2⤵
  PID:5796
- C:\Windows\System\WAWAofh.exe
  C:\Windows\System\WAWAofh.exe
  2⤵
  PID:5848
- C:\Windows\System\RvsjGmb.exe
  C:\Windows\System\RvsjGmb.exe
  2⤵
  PID:5904
- C:\Windows\System\OOobchz.exe
  C:\Windows\System\OOobchz.exe
  2⤵
  PID:5948
- C:\Windows\System\OXyXkdH.exe
  C:\Windows\System\OXyXkdH.exe
  2⤵
  PID:5980
- C:\Windows\System\syGdmxT.exe
  C:\Windows\System\syGdmxT.exe
  2⤵
  PID:6016
- C:\Windows\System\JDkfmRL.exe
  C:\Windows\System\JDkfmRL.exe
  2⤵
  PID:6040
- C:\Windows\System\VVgwTsn.exe
  C:\Windows\System\VVgwTsn.exe
  2⤵
  PID:6084
- C:\Windows\System\ePjNyWE.exe
  C:\Windows\System\ePjNyWE.exe
  2⤵
  PID:6112
- C:\Windows\System\BFbMdxG.exe
  C:\Windows\System\BFbMdxG.exe
  2⤵
  PID:5124
- C:\Windows\System\lJJUhlO.exe
  C:\Windows\System\lJJUhlO.exe
  2⤵
  PID:5200
- C:\Windows\System\eFKTAeC.exe
  C:\Windows\System\eFKTAeC.exe
  2⤵
  PID:5260
- C:\Windows\System\yPIImxH.exe
  C:\Windows\System\yPIImxH.exe
  2⤵
  PID:5284
- C:\Windows\System\yszfMwt.exe
  C:\Windows\System\yszfMwt.exe
  2⤵
  PID:4792
- C:\Windows\System\cmnELWh.exe
  C:\Windows\System\cmnELWh.exe
  2⤵
  PID:5344
- C:\Windows\System\vsXrfCp.exe
  C:\Windows\System\vsXrfCp.exe
  2⤵
  PID:5208
- C:\Windows\System\PawbQFL.exe
  C:\Windows\System\PawbQFL.exe
  2⤵
  PID:5460
- C:\Windows\System\QrIAjxR.exe
  C:\Windows\System\QrIAjxR.exe
  2⤵
  PID:5528
- C:\Windows\System\xCiVbJe.exe
  C:\Windows\System\xCiVbJe.exe
  2⤵
  PID:5572
- C:\Windows\System\ZcnqDVY.exe
  C:\Windows\System\ZcnqDVY.exe
  2⤵
  PID:5620
- C:\Windows\System\PtDFyak.exe
  C:\Windows\System\PtDFyak.exe
  2⤵
  PID:5652
- C:\Windows\System\APklltb.exe
  C:\Windows\System\APklltb.exe
  2⤵
  PID:5728
- C:\Windows\System\iGuDjZU.exe
  C:\Windows\System\iGuDjZU.exe
  2⤵
  PID:5776
- C:\Windows\System\ZcmkNuE.exe
  C:\Windows\System\ZcmkNuE.exe
  2⤵
  PID:5868
- C:\Windows\System\tungCip.exe
  C:\Windows\System\tungCip.exe
  2⤵
  PID:5916
- C:\Windows\System\FDvDloo.exe
  C:\Windows\System\FDvDloo.exe
  2⤵
  PID:5972
- C:\Windows\System\ZwcHrJg.exe
  C:\Windows\System\ZwcHrJg.exe
  2⤵
  PID:5988
- C:\Windows\System\VnKpYmx.exe
  C:\Windows\System\VnKpYmx.exe
  2⤵
  PID:6052
- C:\Windows\System\muiwSIK.exe
  C:\Windows\System\muiwSIK.exe
  2⤵
  PID:6104
- C:\Windows\System\ikXqdOy.exe
  C:\Windows\System\ikXqdOy.exe
  2⤵
  PID:5144
- C:\Windows\System\TaBwQUo.exe
  C:\Windows\System\TaBwQUo.exe
  2⤵
  PID:5324
- C:\Windows\System\ttcfZzW.exe
  C:\Windows\System\ttcfZzW.exe
  2⤵
  PID:5372
- C:\Windows\System\yPsbYyU.exe
  C:\Windows\System\yPsbYyU.exe
  2⤵
  PID:5108
- C:\Windows\System\bCNybWh.exe
  C:\Windows\System\bCNybWh.exe
  2⤵
  PID:4996
- C:\Windows\System\YJzdmUt.exe
  C:\Windows\System\YJzdmUt.exe
  2⤵
  PID:5600
- C:\Windows\System\ARfUSPi.exe
  C:\Windows\System\ARfUSPi.exe
  2⤵
  PID:5764
- C:\Windows\System\hTdTzHa.exe
  C:\Windows\System\hTdTzHa.exe
  2⤵
  PID:5820
- C:\Windows\System\iUticoZ.exe
  C:\Windows\System\iUticoZ.exe
  2⤵
  PID:5976
- C:\Windows\System\fxiZeHO.exe
  C:\Windows\System\fxiZeHO.exe
  2⤵
  PID:6072
- C:\Windows\System\AuIlrqB.exe
  C:\Windows\System\AuIlrqB.exe
  2⤵
  PID:5340
- C:\Windows\System\ZydDMIe.exe
  C:\Windows\System\ZydDMIe.exe
  2⤵
  PID:4176
- C:\Windows\System\iHEUfab.exe
  C:\Windows\System\iHEUfab.exe
  2⤵
  PID:5688
- C:\Windows\System\ylipRjF.exe
  C:\Windows\System\ylipRjF.exe
  2⤵
  PID:5836
- C:\Windows\System\mPezkWX.exe
  C:\Windows\System\mPezkWX.exe
  2⤵
  PID:5288
- C:\Windows\System\ZKvfQfW.exe
  C:\Windows\System\ZKvfQfW.exe
  2⤵
  PID:5412
- C:\Windows\System\KpAgAGX.exe
  C:\Windows\System\KpAgAGX.exe
  2⤵
  PID:5256
- C:\Windows\System\lYJzbcu.exe
  C:\Windows\System\lYJzbcu.exe
  2⤵
  PID:5336
- C:\Windows\System\xFqwdtA.exe
  C:\Windows\System\xFqwdtA.exe
  2⤵
  PID:6148
- C:\Windows\System\oyVdgbm.exe
  C:\Windows\System\oyVdgbm.exe
  2⤵
  PID:6168
- C:\Windows\System\OxPUgTX.exe
  C:\Windows\System\OxPUgTX.exe
  2⤵
  PID:6196
- C:\Windows\System\PzGPxvC.exe
  C:\Windows\System\PzGPxvC.exe
  2⤵
  PID:6216
- C:\Windows\System\BkYRoPQ.exe
  C:\Windows\System\BkYRoPQ.exe
  2⤵
  PID:6252
- C:\Windows\System\Nzimpyn.exe
  C:\Windows\System\Nzimpyn.exe
  2⤵
  PID:6304
- C:\Windows\System\fkkCRHx.exe
  C:\Windows\System\fkkCRHx.exe
  2⤵
  PID:6328
- C:\Windows\System\rFgPXDw.exe
  C:\Windows\System\rFgPXDw.exe
  2⤵
  PID:6368
- C:\Windows\System\GsmbYPb.exe
  C:\Windows\System\GsmbYPb.exe
  2⤵
  PID:6392
- C:\Windows\System\iDyiiti.exe
  C:\Windows\System\iDyiiti.exe
  2⤵
  PID:6428
- C:\Windows\System\QGoPNFH.exe
  C:\Windows\System\QGoPNFH.exe
  2⤵
  PID:6472
- C:\Windows\System\ARUBFYM.exe
  C:\Windows\System\ARUBFYM.exe
  2⤵
  PID:6492
- C:\Windows\System\ynngegB.exe
  C:\Windows\System\ynngegB.exe
  2⤵
  PID:6520
- C:\Windows\System\DoMBuRb.exe
  C:\Windows\System\DoMBuRb.exe
  2⤵
  PID:6536
- C:\Windows\System\Rtzpijx.exe
  C:\Windows\System\Rtzpijx.exe
  2⤵
  PID:6552
- C:\Windows\System\SAFoeNI.exe
  C:\Windows\System\SAFoeNI.exe
  2⤵
  PID:6568
- C:\Windows\System\bgEkWcU.exe
  C:\Windows\System\bgEkWcU.exe
  2⤵
  PID:6608
- C:\Windows\System\NvvvSYP.exe
  C:\Windows\System\NvvvSYP.exe
  2⤵
  PID:6636
- C:\Windows\System\IjEoQzp.exe
  C:\Windows\System\IjEoQzp.exe
  2⤵
  PID:6668
- C:\Windows\System\zhGpjMP.exe
  C:\Windows\System\zhGpjMP.exe
  2⤵
  PID:6704
- C:\Windows\System\pRkckPY.exe
  C:\Windows\System\pRkckPY.exe
  2⤵
  PID:6744
- C:\Windows\System\nJyeqWJ.exe
  C:\Windows\System\nJyeqWJ.exe
  2⤵
  PID:6760
- C:\Windows\System\LuiZvBP.exe
  C:\Windows\System\LuiZvBP.exe
  2⤵
  PID:6796
- C:\Windows\System\zvyxtTn.exe
  C:\Windows\System\zvyxtTn.exe
  2⤵
  PID:6828
- C:\Windows\System\mYWhGEp.exe
  C:\Windows\System\mYWhGEp.exe
  2⤵
  PID:6844
- C:\Windows\System\NKCpgKc.exe
  C:\Windows\System\NKCpgKc.exe
  2⤵
  PID:6884
- C:\Windows\System\pRKinoq.exe
  C:\Windows\System\pRKinoq.exe
  2⤵
  PID:6912
- C:\Windows\System\eLpuxyz.exe
  C:\Windows\System\eLpuxyz.exe
  2⤵
  PID:6928
- C:\Windows\System\QgDAfcW.exe
  C:\Windows\System\QgDAfcW.exe
  2⤵
  PID:6968
- C:\Windows\System\tnxejDl.exe
  C:\Windows\System\tnxejDl.exe
  2⤵
  PID:6996
- C:\Windows\System\BTpFygh.exe
  C:\Windows\System\BTpFygh.exe
  2⤵
  PID:7016
- C:\Windows\System\ZNxDueM.exe
  C:\Windows\System\ZNxDueM.exe
  2⤵
  PID:7052
- C:\Windows\System\tpqOMrB.exe
  C:\Windows\System\tpqOMrB.exe
  2⤵
  PID:7068
- C:\Windows\System\eXEEChv.exe
  C:\Windows\System\eXEEChv.exe
  2⤵
  PID:7104
- C:\Windows\System\ITPTkgL.exe
  C:\Windows\System\ITPTkgL.exe
  2⤵
  PID:7128
- C:\Windows\System\fyLDfkx.exe
  C:\Windows\System\fyLDfkx.exe
  2⤵
  PID:7152
- C:\Windows\System\GbuBLaJ.exe
  C:\Windows\System\GbuBLaJ.exe
  2⤵
  PID:6188
- C:\Windows\System\wyqlCpm.exe
  C:\Windows\System\wyqlCpm.exe
  2⤵
  PID:6184
- C:\Windows\System\LLAAPVg.exe
  C:\Windows\System\LLAAPVg.exe
  2⤵
  PID:6292
- C:\Windows\System\RlFihwp.exe
  C:\Windows\System\RlFihwp.exe
  2⤵
  PID:6344
- C:\Windows\System\cPhHrIS.exe
  C:\Windows\System\cPhHrIS.exe
  2⤵
  PID:6420
- C:\Windows\System\OQfJCeS.exe
  C:\Windows\System\OQfJCeS.exe
  2⤵
  PID:6488
- C:\Windows\System\DDkwZPS.exe
  C:\Windows\System\DDkwZPS.exe
  2⤵
  PID:6544
- C:\Windows\System\dfqhBBu.exe
  C:\Windows\System\dfqhBBu.exe
  2⤵
  PID:6616
- C:\Windows\System\IlcOqdz.exe
  C:\Windows\System\IlcOqdz.exe
  2⤵
  PID:6664
- C:\Windows\System\aCsokFd.exe
  C:\Windows\System\aCsokFd.exe
  2⤵
  PID:6724
- C:\Windows\System\rhNFtaM.exe
  C:\Windows\System\rhNFtaM.exe
  2⤵
  PID:6812
- C:\Windows\System\pWgHlQY.exe
  C:\Windows\System\pWgHlQY.exe
  2⤵
  PID:6864
- C:\Windows\System\stWOvda.exe
  C:\Windows\System\stWOvda.exe
  2⤵
  PID:6924
- C:\Windows\System\MHWdJQm.exe
  C:\Windows\System\MHWdJQm.exe
  2⤵
  PID:6988
- C:\Windows\System\yvjktBS.exe
  C:\Windows\System\yvjktBS.exe
  2⤵
  PID:7060
- C:\Windows\System\bZZRohB.exe
  C:\Windows\System\bZZRohB.exe
  2⤵
  PID:7148
- C:\Windows\System\OlWbLXz.exe
  C:\Windows\System\OlWbLXz.exe
  2⤵
  PID:7164
- C:\Windows\System\JdxJpJj.exe
  C:\Windows\System\JdxJpJj.exe
  2⤵
  PID:6248
- C:\Windows\System\UMzPeCg.exe
  C:\Windows\System\UMzPeCg.exe
  2⤵
  PID:6516
- C:\Windows\System\iEpWcpL.exe
  C:\Windows\System\iEpWcpL.exe
  2⤵
  PID:6648
- C:\Windows\System\GrafBpz.exe
  C:\Windows\System\GrafBpz.exe
  2⤵
  PID:6776
- C:\Windows\System\eYUiJPv.exe
  C:\Windows\System\eYUiJPv.exe
  2⤵
  PID:6896
- C:\Windows\System\FethshW.exe
  C:\Windows\System\FethshW.exe
  2⤵
  PID:7112
- C:\Windows\System\CfgQxIo.exe
  C:\Windows\System\CfgQxIo.exe
  2⤵
  PID:6312
- C:\Windows\System\hkbnKTE.exe
  C:\Windows\System\hkbnKTE.exe
  2⤵
  PID:6720
- C:\Windows\System\JUjHOZs.exe
  C:\Windows\System\JUjHOZs.exe
  2⤵
  PID:6960
- C:\Windows\System\CWquhBV.exe
  C:\Windows\System\CWquhBV.exe
  2⤵
  PID:6564
- C:\Windows\System\CXXQrVk.exe
  C:\Windows\System\CXXQrVk.exe
  2⤵
  PID:6600
- C:\Windows\System\aVGHmOX.exe
  C:\Windows\System\aVGHmOX.exe
  2⤵
  PID:7196
- C:\Windows\System\KXoLSkp.exe
  C:\Windows\System\KXoLSkp.exe
  2⤵
  PID:7228
- C:\Windows\System\jKthYgB.exe
  C:\Windows\System\jKthYgB.exe
  2⤵
  PID:7256
- C:\Windows\System\VuqrwAR.exe
  C:\Windows\System\VuqrwAR.exe
  2⤵
  PID:7292
- C:\Windows\System\uDhShBD.exe
  C:\Windows\System\uDhShBD.exe
  2⤵
  PID:7320
- C:\Windows\System\xsjiwer.exe
  C:\Windows\System\xsjiwer.exe
  2⤵
  PID:7336
- C:\Windows\System\uxefApB.exe
  C:\Windows\System\uxefApB.exe
  2⤵
  PID:7356
- C:\Windows\System\YePscVr.exe
  C:\Windows\System\YePscVr.exe
  2⤵
  PID:7380
- C:\Windows\System\upAADrm.exe
  C:\Windows\System\upAADrm.exe
  2⤵
  PID:7420
- C:\Windows\System\dMeKpZp.exe
  C:\Windows\System\dMeKpZp.exe
  2⤵
  PID:7452
- C:\Windows\System\mePsZwM.exe
  C:\Windows\System\mePsZwM.exe
  2⤵
  PID:7488
- C:\Windows\System\yoYusoi.exe
  C:\Windows\System\yoYusoi.exe
  2⤵
  PID:7508
- C:\Windows\System\UjZgfKt.exe
  C:\Windows\System\UjZgfKt.exe
  2⤵
  PID:7544
- C:\Windows\System\sSdXWZS.exe
  C:\Windows\System\sSdXWZS.exe
  2⤵
  PID:7572
- C:\Windows\System\ApingCp.exe
  C:\Windows\System\ApingCp.exe
  2⤵
  PID:7600
- C:\Windows\System\PIGEwmb.exe
  C:\Windows\System\PIGEwmb.exe
  2⤵
  PID:7616
- C:\Windows\System\QjAAkeX.exe
  C:\Windows\System\QjAAkeX.exe
  2⤵
  PID:7644
- C:\Windows\System\jPoiALx.exe
  C:\Windows\System\jPoiALx.exe
  2⤵
  PID:7684
- C:\Windows\System\xaBlfsr.exe
  C:\Windows\System\xaBlfsr.exe
  2⤵
  PID:7720
- C:\Windows\System\fTffjfX.exe
  C:\Windows\System\fTffjfX.exe
  2⤵
  PID:7740
- C:\Windows\System\QdeYSRt.exe
  C:\Windows\System\QdeYSRt.exe
  2⤵
  PID:7776
- C:\Windows\System\NejBEts.exe
  C:\Windows\System\NejBEts.exe
  2⤵
  PID:7804
- C:\Windows\System\FWSrJVe.exe
  C:\Windows\System\FWSrJVe.exe
  2⤵
  PID:7840
- C:\Windows\System\sgFxKIR.exe
  C:\Windows\System\sgFxKIR.exe
  2⤵
  PID:7884
- C:\Windows\System\xjfpOxH.exe
  C:\Windows\System\xjfpOxH.exe
  2⤵
  PID:7916
- C:\Windows\System\HjtznIn.exe
  C:\Windows\System\HjtznIn.exe
  2⤵
  PID:7940
- C:\Windows\System\DTsbIlm.exe
  C:\Windows\System\DTsbIlm.exe
  2⤵
  PID:7972
- C:\Windows\System\BYxFMvs.exe
  C:\Windows\System\BYxFMvs.exe
  2⤵
  PID:7996
- C:\Windows\System\lItXMkl.exe
  C:\Windows\System\lItXMkl.exe
  2⤵
  PID:8024
- C:\Windows\System\JHFQjzk.exe
  C:\Windows\System\JHFQjzk.exe
  2⤵
  PID:8056
- C:\Windows\System\wHrqheg.exe
  C:\Windows\System\wHrqheg.exe
  2⤵
  PID:8084
- C:\Windows\System\JQBlydN.exe
  C:\Windows\System\JQBlydN.exe
  2⤵
  PID:8120
- C:\Windows\System\tlrdBYO.exe
  C:\Windows\System\tlrdBYO.exe
  2⤵
  PID:8136
- C:\Windows\System\wlFOxwF.exe
  C:\Windows\System\wlFOxwF.exe
  2⤵
  PID:8176
- C:\Windows\System\pxRumrB.exe
  C:\Windows\System\pxRumrB.exe
  2⤵
  PID:6180
- C:\Windows\System\euGtoDA.exe
  C:\Windows\System\euGtoDA.exe
  2⤵
  PID:7236
- C:\Windows\System\oGJvsps.exe
  C:\Windows\System\oGJvsps.exe
  2⤵
  PID:7272
- C:\Windows\System\HSoRVVZ.exe
  C:\Windows\System\HSoRVVZ.exe
  2⤵
  PID:7376
- C:\Windows\System\btxKjVj.exe
  C:\Windows\System\btxKjVj.exe
  2⤵
  PID:7400
- C:\Windows\System\sopLIOV.exe
  C:\Windows\System\sopLIOV.exe
  2⤵
  PID:7468
- C:\Windows\System\MaayYAG.exe
  C:\Windows\System\MaayYAG.exe
  2⤵
  PID:7516
- C:\Windows\System\vDscAKi.exe
  C:\Windows\System\vDscAKi.exe
  2⤵
  PID:7584
- C:\Windows\System\vqEwdGd.exe
  C:\Windows\System\vqEwdGd.exe
  2⤵
  PID:7676
- C:\Windows\System\KEDKQOK.exe
  C:\Windows\System\KEDKQOK.exe
  2⤵
  PID:7772
- C:\Windows\System\wrXilLz.exe
  C:\Windows\System\wrXilLz.exe
  2⤵
  PID:7832
- C:\Windows\System\wGElSLl.exe
  C:\Windows\System\wGElSLl.exe
  2⤵
  PID:7816
- C:\Windows\System\rnxyjhc.exe
  C:\Windows\System\rnxyjhc.exe
  2⤵
  PID:7992
- C:\Windows\System\eTTczru.exe
  C:\Windows\System\eTTczru.exe
  2⤵
  PID:8092
- C:\Windows\System\wfIKQTL.exe
  C:\Windows\System\wfIKQTL.exe
  2⤵
  PID:8160
- C:\Windows\System\VoVBjEb.exe
  C:\Windows\System\VoVBjEb.exe
  2⤵
  PID:7184
- C:\Windows\System\rErfCFs.exe
  C:\Windows\System\rErfCFs.exe
  2⤵
  PID:7276
- C:\Windows\System\nktRfXW.exe
  C:\Windows\System\nktRfXW.exe
  2⤵
  PID:6480
- C:\Windows\System\xBpwJua.exe
  C:\Windows\System\xBpwJua.exe
  2⤵
  PID:7628
- C:\Windows\System\KOkcfgU.exe
  C:\Windows\System\KOkcfgU.exe
  2⤵
  PID:7732
- C:\Windows\System\bxxiVHf.exe
  C:\Windows\System\bxxiVHf.exe
  2⤵
  PID:8172
- C:\Windows\System\hEbyQFD.exe
  C:\Windows\System\hEbyQFD.exe
  2⤵
  PID:7556
- C:\Windows\System\eQWaupZ.exe
  C:\Windows\System\eQWaupZ.exe
  2⤵
  PID:7608
- C:\Windows\System\uADUrBD.exe
  C:\Windows\System\uADUrBD.exe
  2⤵
  PID:8132
- C:\Windows\System\KQEzdSM.exe
  C:\Windows\System\KQEzdSM.exe
  2⤵
  PID:5732
- C:\Windows\System\fDAeUTU.exe
  C:\Windows\System\fDAeUTU.exe
  2⤵
  PID:8220
- C:\Windows\System\Erdoqsd.exe
  C:\Windows\System\Erdoqsd.exe
  2⤵
  PID:8244
- C:\Windows\System\ypSXAzb.exe
  C:\Windows\System\ypSXAzb.exe
  2⤵
  PID:8300
- C:\Windows\System\LlQmzGZ.exe
  C:\Windows\System\LlQmzGZ.exe
  2⤵
  PID:8344
- C:\Windows\System\WkcTMad.exe
  C:\Windows\System\WkcTMad.exe
  2⤵
  PID:8384
- C:\Windows\System\hJxmSMW.exe
  C:\Windows\System\hJxmSMW.exe
  2⤵
  PID:8416
- C:\Windows\System\YtbWypK.exe
  C:\Windows\System\YtbWypK.exe
  2⤵
  PID:8452
- C:\Windows\System\mieGPyY.exe
  C:\Windows\System\mieGPyY.exe
  2⤵
  PID:8480
- C:\Windows\System\dzxfqqJ.exe
  C:\Windows\System\dzxfqqJ.exe
  2⤵
  PID:8508
- C:\Windows\System\DvngbmO.exe
  C:\Windows\System\DvngbmO.exe
  2⤵
  PID:8524
- C:\Windows\System\qcWyTSB.exe
  C:\Windows\System\qcWyTSB.exe
  2⤵
  PID:8572
- C:\Windows\System\VTZKFhI.exe
  C:\Windows\System\VTZKFhI.exe
  2⤵
  PID:8588
- C:\Windows\System\FIjNKns.exe
  C:\Windows\System\FIjNKns.exe
  2⤵
  PID:8616
- C:\Windows\System\vOhAChy.exe
  C:\Windows\System\vOhAChy.exe
  2⤵
  PID:8640
- C:\Windows\System\LinYuUu.exe
  C:\Windows\System\LinYuUu.exe
  2⤵
  PID:8668
- C:\Windows\System\gRMYtRp.exe
  C:\Windows\System\gRMYtRp.exe
  2⤵
  PID:8716
- C:\Windows\System\uZbMeqr.exe
  C:\Windows\System\uZbMeqr.exe
  2⤵
  PID:8756
- C:\Windows\System\coUftrD.exe
  C:\Windows\System\coUftrD.exe
  2⤵
  PID:8780
- C:\Windows\System\jHoJqVq.exe
  C:\Windows\System\jHoJqVq.exe
  2⤵
  PID:8816
- C:\Windows\System\WtGvFdL.exe
  C:\Windows\System\WtGvFdL.exe
  2⤵
  PID:8836
- C:\Windows\System\MdgDCWJ.exe
  C:\Windows\System\MdgDCWJ.exe
  2⤵
  PID:8852
- C:\Windows\System\LuaMVVP.exe
  C:\Windows\System\LuaMVVP.exe
  2⤵
  PID:8880
- C:\Windows\System\bJlzDVd.exe
  C:\Windows\System\bJlzDVd.exe
  2⤵
  PID:8920
- C:\Windows\System\mwhOyPl.exe
  C:\Windows\System\mwhOyPl.exe
  2⤵
  PID:8968
- C:\Windows\System\MwWhvgU.exe
  C:\Windows\System\MwWhvgU.exe
  2⤵
  PID:9000
- C:\Windows\System\uOkqdmc.exe
  C:\Windows\System\uOkqdmc.exe
  2⤵
  PID:9028
- C:\Windows\System\dTQgWEz.exe
  C:\Windows\System\dTQgWEz.exe
  2⤵
  PID:9060
- C:\Windows\System\PzvMefH.exe
  C:\Windows\System\PzvMefH.exe
  2⤵
  PID:9096
- C:\Windows\System\gqokFtS.exe
  C:\Windows\System\gqokFtS.exe
  2⤵
  PID:9132
- C:\Windows\System\mFyKlnS.exe
  C:\Windows\System\mFyKlnS.exe
  2⤵
  PID:9164
- C:\Windows\System\NydwUGA.exe
  C:\Windows\System\NydwUGA.exe
  2⤵
  PID:9196
- C:\Windows\System\KppRkaE.exe
  C:\Windows\System\KppRkaE.exe
  2⤵
  PID:9212
- C:\Windows\System\REzXgSq.exe
  C:\Windows\System\REzXgSq.exe
  2⤵
  PID:8268
- C:\Windows\System\OZfQTQz.exe
  C:\Windows\System\OZfQTQz.exe
  2⤵
  PID:8380
- C:\Windows\System\jezKLsX.exe
  C:\Windows\System\jezKLsX.exe
  2⤵
  PID:8432
- C:\Windows\System\ygGFefG.exe
  C:\Windows\System\ygGFefG.exe
  2⤵
  PID:8520
- C:\Windows\System\NRhGUHt.exe
  C:\Windows\System\NRhGUHt.exe
  2⤵
  PID:8568
- C:\Windows\System\CIDMZbQ.exe
  C:\Windows\System\CIDMZbQ.exe
  2⤵
  PID:8648
- C:\Windows\System\WMujiSt.exe
  C:\Windows\System\WMujiSt.exe
  2⤵
  PID:8736
- C:\Windows\System\gTVMzAc.exe
  C:\Windows\System\gTVMzAc.exe
  2⤵
  PID:8792
- C:\Windows\System\WJMbvIV.exe
  C:\Windows\System\WJMbvIV.exe
  2⤵
  PID:8800
- C:\Windows\System\VCZSrEV.exe
  C:\Windows\System\VCZSrEV.exe
  2⤵
  PID:8844
- C:\Windows\System\DeclLKx.exe
  C:\Windows\System\DeclLKx.exe
  2⤵
  PID:8996
- C:\Windows\System\CIWaxnG.exe
  C:\Windows\System\CIWaxnG.exe
  2⤵
  PID:9080
- C:\Windows\System\vFaeREk.exe
  C:\Windows\System\vFaeREk.exe
  2⤵
  PID:9176
- C:\Windows\System\SUvUBcO.exe
  C:\Windows\System\SUvUBcO.exe
  2⤵
  PID:8240
- C:\Windows\System\XcJpboN.exe
  C:\Windows\System\XcJpboN.exe
  2⤵
  PID:8476
- C:\Windows\System\BhuxRLo.exe
  C:\Windows\System\BhuxRLo.exe
  2⤵
  PID:8688
- C:\Windows\System\UhDbysK.exe
  C:\Windows\System\UhDbysK.exe
  2⤵
  PID:8872
- C:\Windows\System\KeuDGPe.exe
  C:\Windows\System\KeuDGPe.exe
  2⤵
  PID:8932
- C:\Windows\System\rsWBczG.exe
  C:\Windows\System\rsWBczG.exe
  2⤵
  PID:9144
- C:\Windows\System\YaReyPI.exe
  C:\Windows\System\YaReyPI.exe
  2⤵
  PID:8536
- C:\Windows\System\vlUMOpP.exe
  C:\Windows\System\vlUMOpP.exe
  2⤵
  PID:9012
- C:\Windows\System\OlrOCfZ.exe
  C:\Windows\System\OlrOCfZ.exe
  2⤵
  PID:8560
- C:\Windows\System\CrEHwYe.exe
  C:\Windows\System\CrEHwYe.exe
  2⤵
  PID:9228
- C:\Windows\System\qjmSrSe.exe
  C:\Windows\System\qjmSrSe.exe
  2⤵
  PID:9264
- C:\Windows\System\pjUKdaz.exe
  C:\Windows\System\pjUKdaz.exe
  2⤵
  PID:9292
- C:\Windows\System\rftjCkJ.exe
  C:\Windows\System\rftjCkJ.exe
  2⤵
  PID:9324
- C:\Windows\System\ICiDEZG.exe
  C:\Windows\System\ICiDEZG.exe
  2⤵
  PID:9352
- C:\Windows\System\oDlMHrP.exe
  C:\Windows\System\oDlMHrP.exe
  2⤵
  PID:9376
- C:\Windows\System\rFDgWdd.exe
  C:\Windows\System\rFDgWdd.exe
  2⤵
  PID:9396
- C:\Windows\System\XjNBPJp.exe
  C:\Windows\System\XjNBPJp.exe
  2⤵
  PID:9436
- C:\Windows\System\WtcvyzB.exe
  C:\Windows\System\WtcvyzB.exe
  2⤵
  PID:9456
- C:\Windows\System\gxaJWoU.exe
  C:\Windows\System\gxaJWoU.exe
  2⤵
  PID:9492
- C:\Windows\System\uDoUHCg.exe
  C:\Windows\System\uDoUHCg.exe
  2⤵
  PID:9520
- C:\Windows\System\DLvZffL.exe
  C:\Windows\System\DLvZffL.exe
  2⤵
  PID:9548
- C:\Windows\System\cJvLWrL.exe
  C:\Windows\System\cJvLWrL.exe
  2⤵
  PID:9572
- C:\Windows\System\LYzQSLw.exe
  C:\Windows\System\LYzQSLw.exe
  2⤵
  PID:9592
- C:\Windows\System\qlfwnFE.exe
  C:\Windows\System\qlfwnFE.exe
  2⤵
  PID:9624
- C:\Windows\System\pHiJSwq.exe
  C:\Windows\System\pHiJSwq.exe
  2⤵
  PID:9660
- C:\Windows\System\WtWggYq.exe
  C:\Windows\System\WtWggYq.exe
  2⤵
  PID:9676
- C:\Windows\System\uZiehVT.exe
  C:\Windows\System\uZiehVT.exe
  2⤵
  PID:9716
- C:\Windows\System\qbmjkhu.exe
  C:\Windows\System\qbmjkhu.exe
  2⤵
  PID:9744
- C:\Windows\System\QUFRiOD.exe
  C:\Windows\System\QUFRiOD.exe
  2⤵
  PID:9772
- C:\Windows\System\STvCBov.exe
  C:\Windows\System\STvCBov.exe
  2⤵
  PID:9796
- C:\Windows\System\QDIXndR.exe
  C:\Windows\System\QDIXndR.exe
  2⤵
  PID:9820
- C:\Windows\System\JrgnKUI.exe
  C:\Windows\System\JrgnKUI.exe
  2⤵
  PID:9852
- C:\Windows\System\RxMxdcq.exe
  C:\Windows\System\RxMxdcq.exe
  2⤵
  PID:9884
- C:\Windows\System\dhFAYua.exe
  C:\Windows\System\dhFAYua.exe
  2⤵
  PID:9904
- C:\Windows\System\dffRheG.exe
  C:\Windows\System\dffRheG.exe
  2⤵
  PID:9940
- C:\Windows\System\bJABkEW.exe
  C:\Windows\System\bJABkEW.exe
  2⤵
  PID:9968
- C:\Windows\System\BekHMHD.exe
  C:\Windows\System\BekHMHD.exe
  2⤵
  PID:9996
- C:\Windows\System\nbmUVjv.exe
  C:\Windows\System\nbmUVjv.exe
  2⤵
  PID:10024
- C:\Windows\System\YHievjH.exe
  C:\Windows\System\YHievjH.exe
  2⤵
  PID:10052
- C:\Windows\System\RYuwvOZ.exe
  C:\Windows\System\RYuwvOZ.exe
  2⤵
  PID:10080
- C:\Windows\System\EbzpWiv.exe
  C:\Windows\System\EbzpWiv.exe
  2⤵
  PID:10108
- C:\Windows\System\YQTakiU.exe
  C:\Windows\System\YQTakiU.exe
  2⤵
  PID:10136
- C:\Windows\System\SRjbhvn.exe
  C:\Windows\System\SRjbhvn.exe
  2⤵
  PID:10164
- C:\Windows\System\TlhDTdu.exe
  C:\Windows\System\TlhDTdu.exe
  2⤵
  PID:10192
- C:\Windows\System\HFSSHqh.exe
  C:\Windows\System\HFSSHqh.exe
  2⤵
  PID:10220
- C:\Windows\System\fXLvLVA.exe
  C:\Windows\System\fXLvLVA.exe
  2⤵
  PID:9240
- C:\Windows\System\dWNaEpT.exe
  C:\Windows\System\dWNaEpT.exe
  2⤵
  PID:9312
- C:\Windows\System\tmYJpwG.exe
  C:\Windows\System\tmYJpwG.exe
  2⤵
  PID:9368
- C:\Windows\System\MGhvYPR.exe
  C:\Windows\System\MGhvYPR.exe
  2⤵
  PID:9444
- C:\Windows\System\HlGCebH.exe
  C:\Windows\System\HlGCebH.exe
  2⤵
  PID:9484
- C:\Windows\System\TpQzZlF.exe
  C:\Windows\System\TpQzZlF.exe
  2⤵
  PID:9564
- C:\Windows\System\SorWCCh.exe
  C:\Windows\System\SorWCCh.exe
  2⤵
  PID:9648
- C:\Windows\System\qLezbIf.exe
  C:\Windows\System\qLezbIf.exe
  2⤵
  PID:9728
- C:\Windows\System\GIUFKvP.exe
  C:\Windows\System\GIUFKvP.exe
  2⤵
  PID:9788
- C:\Windows\System\ouBeEvu.exe
  C:\Windows\System\ouBeEvu.exe
  2⤵
  PID:9860
- C:\Windows\System\gHWkUMQ.exe
  C:\Windows\System\gHWkUMQ.exe
  2⤵
  PID:9924
- C:\Windows\System\BWWjRve.exe
  C:\Windows\System\BWWjRve.exe
  2⤵
  PID:9988
- C:\Windows\System\LwcRcjJ.exe
  C:\Windows\System\LwcRcjJ.exe
  2⤵
  PID:10044
- C:\Windows\System\RoUXPeM.exe
  C:\Windows\System\RoUXPeM.exe
  2⤵
  PID:10104
- C:\Windows\System\gfdSPCN.exe
  C:\Windows\System\gfdSPCN.exe
  2⤵
  PID:10176
- C:\Windows\System\VgyoEmq.exe
  C:\Windows\System\VgyoEmq.exe
  2⤵
  PID:9220
- C:\Windows\System\ZQrZpMR.exe
  C:\Windows\System\ZQrZpMR.exe
  2⤵
  PID:9364
- C:\Windows\System\EYIEslS.exe
  C:\Windows\System\EYIEslS.exe
  2⤵
  PID:9536
- C:\Windows\System\BDbzggZ.exe
  C:\Windows\System\BDbzggZ.exe
  2⤵
  PID:9652
- C:\Windows\System\NVmryKy.exe
  C:\Windows\System\NVmryKy.exe
  2⤵
  PID:9844
- C:\Windows\System\qxfEYSr.exe
  C:\Windows\System\qxfEYSr.exe
  2⤵
  PID:10008
- C:\Windows\System\EqzlkBM.exe
  C:\Windows\System\EqzlkBM.exe
  2⤵
  PID:10092
- C:\Windows\System\cdVFEzn.exe
  C:\Windows\System\cdVFEzn.exe
  2⤵
  PID:9344
- C:\Windows\System\VnKvgzk.exe
  C:\Windows\System\VnKvgzk.exe
  2⤵
  PID:9612
- C:\Windows\System\EGctpvf.exe
  C:\Windows\System\EGctpvf.exe
  2⤵
  PID:9188
- C:\Windows\System\rPZPXoB.exe
  C:\Windows\System\rPZPXoB.exe
  2⤵
  PID:9764
- C:\Windows\System\DkQGfCa.exe
  C:\Windows\System\DkQGfCa.exe
  2⤵
  PID:9488
- C:\Windows\System\luebOYg.exe
  C:\Windows\System\luebOYg.exe
  2⤵
  PID:10268
- C:\Windows\System\SuUftPM.exe
  C:\Windows\System\SuUftPM.exe
  2⤵
  PID:10296
- C:\Windows\System\CyTNXAN.exe
  C:\Windows\System\CyTNXAN.exe
  2⤵
  PID:10316
- C:\Windows\System\ZJxWymR.exe
  C:\Windows\System\ZJxWymR.exe
  2⤵
  PID:10352
- C:\Windows\System\ICeoUiC.exe
  C:\Windows\System\ICeoUiC.exe
  2⤵
  PID:10368
- C:\Windows\System\pBDKBKA.exe
  C:\Windows\System\pBDKBKA.exe
  2⤵
  PID:10384
- C:\Windows\System\yedbhaD.exe
  C:\Windows\System\yedbhaD.exe
  2⤵
  PID:10424
- C:\Windows\System\JPHPppm.exe
  C:\Windows\System\JPHPppm.exe
  2⤵
  PID:10452
- C:\Windows\System\yyyMffY.exe
  C:\Windows\System\yyyMffY.exe
  2⤵
  PID:10476
- C:\Windows\System\NTdBAnO.exe
  C:\Windows\System\NTdBAnO.exe
  2⤵
  PID:10508
- C:\Windows\System\QRPOSfM.exe
  C:\Windows\System\QRPOSfM.exe
  2⤵
  PID:10528
- C:\Windows\System\muqTGTR.exe
  C:\Windows\System\muqTGTR.exe
  2⤵
  PID:10572
- C:\Windows\System\Nbqbmeh.exe
  C:\Windows\System\Nbqbmeh.exe
  2⤵
  PID:10596
- C:\Windows\System\FFnIPYv.exe
  C:\Windows\System\FFnIPYv.exe
  2⤵
  PID:10632
- C:\Windows\System\OtrsDjJ.exe
  C:\Windows\System\OtrsDjJ.exe
  2⤵
  PID:10660
- C:\Windows\System\hkeIcwq.exe
  C:\Windows\System\hkeIcwq.exe
  2⤵
  PID:10688
- C:\Windows\System\fRWoaUj.exe
  C:\Windows\System\fRWoaUj.exe
  2⤵
  PID:10716
- C:\Windows\System\zqnnrnF.exe
  C:\Windows\System\zqnnrnF.exe
  2⤵
  PID:10744
- C:\Windows\System\jMsYkmT.exe
  C:\Windows\System\jMsYkmT.exe
  2⤵
  PID:10772
- C:\Windows\System\RbyHlav.exe
  C:\Windows\System\RbyHlav.exe
  2⤵
  PID:10800
- C:\Windows\System\ZKcbkqe.exe
  C:\Windows\System\ZKcbkqe.exe
  2⤵
  PID:10828
- C:\Windows\System\OJbWXKJ.exe
  C:\Windows\System\OJbWXKJ.exe
  2⤵
  PID:10844
- C:\Windows\System\mjcSzJJ.exe
  C:\Windows\System\mjcSzJJ.exe
  2⤵
  PID:10884
- C:\Windows\System\ZDdTzQj.exe
  C:\Windows\System\ZDdTzQj.exe
  2⤵
  PID:10912
- C:\Windows\System\avKuEJz.exe
  C:\Windows\System\avKuEJz.exe
  2⤵
  PID:10940
- C:\Windows\System\ahzWAzp.exe
  C:\Windows\System\ahzWAzp.exe
  2⤵
  PID:10968
- C:\Windows\System\zIFSgAd.exe
  C:\Windows\System\zIFSgAd.exe
  2⤵
  PID:10992
- C:\Windows\System\WFbnpoB.exe
  C:\Windows\System\WFbnpoB.exe
  2⤵
  PID:11024
- C:\Windows\System\dxoqOPG.exe
  C:\Windows\System\dxoqOPG.exe
  2⤵
  PID:11052
- C:\Windows\System\IijCESJ.exe
  C:\Windows\System\IijCESJ.exe
  2⤵
  PID:11084
- C:\Windows\System\CWbKmHy.exe
  C:\Windows\System\CWbKmHy.exe
  2⤵
  PID:11120
- C:\Windows\System\lUCzVYn.exe
  C:\Windows\System\lUCzVYn.exe
  2⤵
  PID:11148
- C:\Windows\System\acTJfzo.exe
  C:\Windows\System\acTJfzo.exe
  2⤵
  PID:11180
- C:\Windows\System\IsRfvLh.exe
  C:\Windows\System\IsRfvLh.exe
  2⤵
  PID:11220
- C:\Windows\System\HxMkPjy.exe
  C:\Windows\System\HxMkPjy.exe
  2⤵
  PID:11244
- C:\Windows\System\vQBCqYl.exe
  C:\Windows\System\vQBCqYl.exe
  2⤵
  PID:10280
- C:\Windows\System\pYhBtFS.exe
  C:\Windows\System\pYhBtFS.exe
  2⤵
  PID:10344
- C:\Windows\System\maJOsfw.exe
  C:\Windows\System\maJOsfw.exe
  2⤵
  PID:10444
- C:\Windows\System\amnTbeC.exe
  C:\Windows\System\amnTbeC.exe
  2⤵
  PID:10472
- C:\Windows\System\NvlULXI.exe
  C:\Windows\System\NvlULXI.exe
  2⤵
  PID:10540
- C:\Windows\System\vatMKbG.exe
  C:\Windows\System\vatMKbG.exe
  2⤵
  PID:10580
- C:\Windows\System\ktjXrHy.exe
  C:\Windows\System\ktjXrHy.exe
  2⤵
  PID:10700
- C:\Windows\System\xBCspsA.exe
  C:\Windows\System\xBCspsA.exe
  2⤵
  PID:10760
- C:\Windows\System\GenUJbo.exe
  C:\Windows\System\GenUJbo.exe
  2⤵
  PID:10824
- C:\Windows\System\erNoxyW.exe
  C:\Windows\System\erNoxyW.exe
  2⤵
  PID:10872
- C:\Windows\System\ElPLJOM.exe
  C:\Windows\System\ElPLJOM.exe
  2⤵
  PID:10928
- C:\Windows\System\aRdxgfh.exe
  C:\Windows\System\aRdxgfh.exe
  2⤵
  PID:11000
- C:\Windows\System\nCfAeNW.exe
  C:\Windows\System\nCfAeNW.exe
  2⤵
  PID:11048
- C:\Windows\System\moDPBbx.exe
  C:\Windows\System\moDPBbx.exe
  2⤵
  PID:11164
- C:\Windows\System\QmOisjj.exe
  C:\Windows\System\QmOisjj.exe
  2⤵
  PID:11232
- C:\Windows\System\AMNzHNk.exe
  C:\Windows\System\AMNzHNk.exe
  2⤵
  PID:10304
- C:\Windows\System\MAwgqZD.exe
  C:\Windows\System\MAwgqZD.exe
  2⤵
  PID:10556
- C:\Windows\System\WTDEuTN.exe
  C:\Windows\System\WTDEuTN.exe
  2⤵
  PID:10656
- C:\Windows\System\ZqsFvLW.exe
  C:\Windows\System\ZqsFvLW.exe
  2⤵
  PID:10728
- C:\Windows\System\ihCgRpa.exe
  C:\Windows\System\ihCgRpa.exe
  2⤵
  PID:10960
- C:\Windows\System\nCovYbx.exe
  C:\Windows\System\nCovYbx.exe
  2⤵
  PID:11132
- C:\Windows\System\bxPKeFo.exe
  C:\Windows\System\bxPKeFo.exe
  2⤵
  PID:11236
- C:\Windows\System\CsdRTvj.exe
  C:\Windows\System\CsdRTvj.exe
  2⤵
  PID:10396
- C:\Windows\System\RfKuvEt.exe
  C:\Windows\System\RfKuvEt.exe
  2⤵
  PID:11044
- C:\Windows\System\itebRcU.exe
  C:\Windows\System\itebRcU.exe
  2⤵
  PID:10312
- C:\Windows\System\qgztNmd.exe
  C:\Windows\System\qgztNmd.exe
  2⤵
  PID:10284
- C:\Windows\System\PjUOyBN.exe
  C:\Windows\System\PjUOyBN.exe
  2⤵
  PID:11292
- C:\Windows\System\PQHnpQG.exe
  C:\Windows\System\PQHnpQG.exe
  2⤵
  PID:11320
- C:\Windows\System\DIyCiKA.exe
  C:\Windows\System\DIyCiKA.exe
  2⤵
  PID:11340
- C:\Windows\System\uXzTPOP.exe
  C:\Windows\System\uXzTPOP.exe
  2⤵
  PID:11376
- C:\Windows\System\yzFhpNx.exe
  C:\Windows\System\yzFhpNx.exe
  2⤵
  PID:11404
- C:\Windows\System\gkoYjIA.exe
  C:\Windows\System\gkoYjIA.exe
  2⤵
  PID:11420
- C:\Windows\System\OiRODnU.exe
  C:\Windows\System\OiRODnU.exe
  2⤵
  PID:11452
- C:\Windows\System\VizsvjZ.exe
  C:\Windows\System\VizsvjZ.exe
  2⤵
  PID:11476
- C:\Windows\System\XgCWKQn.exe
  C:\Windows\System\XgCWKQn.exe
  2⤵
  PID:11516
- C:\Windows\System\bidhmth.exe
  C:\Windows\System\bidhmth.exe
  2⤵
  PID:11544
- C:\Windows\System\zOwZJzS.exe
  C:\Windows\System\zOwZJzS.exe
  2⤵
  PID:11572
- C:\Windows\System\rwaPIOd.exe
  C:\Windows\System\rwaPIOd.exe
  2⤵
  PID:11596
- C:\Windows\System\AqqdXrm.exe
  C:\Windows\System\AqqdXrm.exe
  2⤵
  PID:11632
- C:\Windows\System\hlesBgV.exe
  C:\Windows\System\hlesBgV.exe
  2⤵
  PID:11660
- C:\Windows\System\xcSuwku.exe
  C:\Windows\System\xcSuwku.exe
  2⤵
  PID:11688
- C:\Windows\System\PJGbLMZ.exe
  C:\Windows\System\PJGbLMZ.exe
  2⤵
  PID:11716
- C:\Windows\System\LzyoQWY.exe
  C:\Windows\System\LzyoQWY.exe
  2⤵
  PID:11736
- C:\Windows\System\SSsqGuR.exe
  C:\Windows\System\SSsqGuR.exe
  2⤵
  PID:11772
- C:\Windows\System\cveFOmv.exe
  C:\Windows\System\cveFOmv.exe
  2⤵
  PID:11800
- C:\Windows\System\HKdrRRg.exe
  C:\Windows\System\HKdrRRg.exe
  2⤵
  PID:11816
- C:\Windows\System\YAINEYa.exe
  C:\Windows\System\YAINEYa.exe
  2⤵
  PID:11856
- C:\Windows\System\XNxNisg.exe
  C:\Windows\System\XNxNisg.exe
  2⤵
  PID:11884
- C:\Windows\System\eFNkifN.exe
  C:\Windows\System\eFNkifN.exe
  2⤵
  PID:11900
- C:\Windows\System\FKzUvAR.exe
  C:\Windows\System\FKzUvAR.exe
  2⤵
  PID:11928
- C:\Windows\System\tySahik.exe
  C:\Windows\System\tySahik.exe
  2⤵
  PID:11968
- C:\Windows\System\kNFfRvU.exe
  C:\Windows\System\kNFfRvU.exe
  2⤵
  PID:11996
- C:\Windows\System\JZcKKfU.exe
  C:\Windows\System\JZcKKfU.exe
  2⤵
  PID:12024
- C:\Windows\System\IlfvSSs.exe
  C:\Windows\System\IlfvSSs.exe
  2⤵
  PID:12052
- C:\Windows\System\oqpyhUC.exe
  C:\Windows\System\oqpyhUC.exe
  2⤵
  PID:12084
- C:\Windows\System\zQWPukE.exe
  C:\Windows\System\zQWPukE.exe
  2⤵
  PID:12112
- C:\Windows\System\LkVRPlM.exe
  C:\Windows\System\LkVRPlM.exe
  2⤵
  PID:12132
- C:\Windows\System\hphLFNw.exe
  C:\Windows\System\hphLFNw.exe
  2⤵
  PID:12156
- C:\Windows\System\ghaRrHj.exe
  C:\Windows\System\ghaRrHj.exe
  2⤵
  PID:12188
- C:\Windows\System\TqIBHLA.exe
  C:\Windows\System\TqIBHLA.exe
  2⤵
  PID:12220
- C:\Windows\System\VJKwQeF.exe
  C:\Windows\System\VJKwQeF.exe
  2⤵
  PID:12240
- C:\Windows\System\yvxRbKh.exe
  C:\Windows\System\yvxRbKh.exe
  2⤵
  PID:12268
- C:\Windows\System\sNAeXaR.exe
  C:\Windows\System\sNAeXaR.exe
  2⤵
  PID:11280
- C:\Windows\System\CFvhJJC.exe
  C:\Windows\System\CFvhJJC.exe
  2⤵
  PID:11360
- C:\Windows\System\BuZgpUQ.exe
  C:\Windows\System\BuZgpUQ.exe
  2⤵
  PID:11416
- C:\Windows\System\SdpNanM.exe
  C:\Windows\System\SdpNanM.exe
  2⤵
  PID:11468
- C:\Windows\System\zIhFYyy.exe
  C:\Windows\System\zIhFYyy.exe
  2⤵
  PID:11528
- C:\Windows\System\fbmOgmT.exe
  C:\Windows\System\fbmOgmT.exe
  2⤵
  PID:11592
- C:\Windows\System\sQyFPhR.exe
  C:\Windows\System\sQyFPhR.exe
  2⤵
  PID:11656
- C:\Windows\System\lalFkVS.exe
  C:\Windows\System\lalFkVS.exe
  2⤵
  PID:11752
- C:\Windows\System\VrJGwqb.exe
  C:\Windows\System\VrJGwqb.exe
  2⤵
  PID:11812
- C:\Windows\System\yYqSsln.exe
  C:\Windows\System\yYqSsln.exe
  2⤵
  PID:11880
- C:\Windows\System\rsRnbCs.exe
  C:\Windows\System\rsRnbCs.exe
  2⤵
  PID:11940
- C:\Windows\System\uXdnwbP.exe
  C:\Windows\System\uXdnwbP.exe
  2⤵
  PID:12008
- C:\Windows\System\KRVWcmR.exe
  C:\Windows\System\KRVWcmR.exe
  2⤵
  PID:12072
- C:\Windows\System\PRSnuqy.exe
  C:\Windows\System\PRSnuqy.exe
  2⤵
  PID:12140
- C:\Windows\System\OSpHtAO.exe
  C:\Windows\System\OSpHtAO.exe
  2⤵
  PID:12212
- C:\Windows\System\MYjGsJZ.exe
  C:\Windows\System\MYjGsJZ.exe
  2⤵
  PID:12264
- C:\Windows\System\ZUGVuGL.exe
  C:\Windows\System\ZUGVuGL.exe
  2⤵
  PID:11304
- C:\Windows\System\IjdmTVF.exe
  C:\Windows\System\IjdmTVF.exe
  2⤵
  PID:11496
- C:\Windows\System\mEKXdRp.exe
  C:\Windows\System\mEKXdRp.exe
  2⤵
  PID:11644
- C:\Windows\System\mPVZGvm.exe
  C:\Windows\System\mPVZGvm.exe
  2⤵
  PID:11808
- C:\Windows\System\OfMmYvE.exe
  C:\Windows\System\OfMmYvE.exe
  2⤵
  PID:11920
- C:\Windows\System\ojpTIts.exe
  C:\Windows\System\ojpTIts.exe
  2⤵
  PID:12048
- C:\Windows\System\QCfASeo.exe
  C:\Windows\System\QCfASeo.exe
  2⤵
  PID:4380
- C:\Windows\System\FsPuGJe.exe
  C:\Windows\System\FsPuGJe.exe
  2⤵
  PID:12252
- C:\Windows\System\wAcFrPN.exe
  C:\Windows\System\wAcFrPN.exe
  2⤵
  PID:11348
- C:\Windows\System\IDxrWQm.exe
  C:\Windows\System\IDxrWQm.exe
  2⤵
  PID:11560
- C:\Windows\System\hfllyBa.exe
  C:\Windows\System\hfllyBa.exe
  2⤵
  PID:4668
- C:\Windows\System\YjIJKcs.exe
  C:\Windows\System\YjIJKcs.exe
  2⤵
  PID:12036
- C:\Windows\System\LvSCbkr.exe
  C:\Windows\System\LvSCbkr.exe
  2⤵
  PID:536
- C:\Windows\System\iXtVdIV.exe
  C:\Windows\System\iXtVdIV.exe
  2⤵
  PID:12296
- C:\Windows\System\nWccXBR.exe
  C:\Windows\System\nWccXBR.exe
  2⤵
  PID:12332
- C:\Windows\System\duDAfyP.exe
  C:\Windows\System\duDAfyP.exe
  2⤵
  PID:12360
- C:\Windows\System\mUuieKw.exe
  C:\Windows\System\mUuieKw.exe
  2⤵
  PID:12384
- C:\Windows\System\UBOLnYc.exe
  C:\Windows\System\UBOLnYc.exe
  2⤵
  PID:12424
- C:\Windows\System\dGQDsOf.exe
  C:\Windows\System\dGQDsOf.exe
  2⤵
  PID:12456
- C:\Windows\System\efZldab.exe
  C:\Windows\System\efZldab.exe
  2⤵
  PID:12472
- C:\Windows\System\zavtqIz.exe
  C:\Windows\System\zavtqIz.exe
  2⤵
  PID:12512
- C:\Windows\System\EDPJAuC.exe
  C:\Windows\System\EDPJAuC.exe
  2⤵
  PID:12540
- C:\Windows\System\cOClskg.exe
  C:\Windows\System\cOClskg.exe
  2⤵
  PID:12568
- C:\Windows\System\JlZGjbO.exe
  C:\Windows\System\JlZGjbO.exe
  2⤵
  PID:12596
- C:\Windows\System\jKAbvKQ.exe
  C:\Windows\System\jKAbvKQ.exe
  2⤵
  PID:12624
- C:\Windows\System\EjUeFVO.exe
  C:\Windows\System\EjUeFVO.exe
  2⤵
  PID:12652
- C:\Windows\System\IpuhSrk.exe
  C:\Windows\System\IpuhSrk.exe
  2⤵
  PID:12672
- C:\Windows\System\gUyJFZM.exe
  C:\Windows\System\gUyJFZM.exe
  2⤵
  PID:12696
- C:\Windows\System\ixbZRJi.exe
  C:\Windows\System\ixbZRJi.exe
  2⤵
  PID:12716
- C:\Windows\System\ptlTbJU.exe
  C:\Windows\System\ptlTbJU.exe
  2⤵
  PID:12752
- C:\Windows\System\yAytiXu.exe
  C:\Windows\System\yAytiXu.exe
  2⤵
  PID:12780
- C:\Windows\System\weOTkUK.exe
  C:\Windows\System\weOTkUK.exe
  2⤵
  PID:12812
- C:\Windows\System\sbhpiJW.exe
  C:\Windows\System\sbhpiJW.exe
  2⤵
  PID:12836
- C:\Windows\System\MukqTWV.exe
  C:\Windows\System\MukqTWV.exe
  2⤵
  PID:12876
- C:\Windows\System\MDahbmD.exe
  C:\Windows\System\MDahbmD.exe
  2⤵
  PID:12904
- C:\Windows\System\wucjcmJ.exe
  C:\Windows\System\wucjcmJ.exe
  2⤵
  PID:12932
- C:\Windows\System\hPbbubg.exe
  C:\Windows\System\hPbbubg.exe
  2⤵
  PID:12948
- C:\Windows\System\CnnjZQd.exe
  C:\Windows\System\CnnjZQd.exe
  2⤵
  PID:12964
- C:\Windows\System\cgiizBw.exe
  C:\Windows\System\cgiizBw.exe
  2⤵
  PID:12992
- C:\Windows\System\TqnxnMD.exe
  C:\Windows\System\TqnxnMD.exe
  2⤵
  PID:13044
- C:\Windows\System\kBdxovC.exe
  C:\Windows\System\kBdxovC.exe
  2⤵
  PID:13072
- C:\Windows\System\APOkJcL.exe
  C:\Windows\System\APOkJcL.exe
  2⤵
  PID:13108
- C:\Windows\System\FGGrfPd.exe
  C:\Windows\System\FGGrfPd.exe
  2⤵
  PID:13136
- C:\Windows\System\YiXWBbI.exe
  C:\Windows\System\YiXWBbI.exe
  2⤵
  PID:13172
- C:\Windows\System\xWEvyYd.exe
  C:\Windows\System\xWEvyYd.exe
  2⤵
  PID:13200

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_54iiimby.5jw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AqHhDLK.exe

Filesize
2.7MB

MD5
9fa8f3dd4980407a6504ab60e766986e

SHA1
8dc017eb82a06b1a007e06f691a010c157588eb2

SHA256
3defcebff2f4e44b9211e68cd35210a665f7f62d4518647ae066b3ad027db82b

SHA512
4b29c4dcd8d042813df30e65cadfd6c563fdd1ef50f28cae5b83866b45e8f29a46538d96ab66263529b0fec877add63a98daada9edd64e701f5e4436d4c6fa53

Download Submit
C:\Windows\System\BTgltNU.exe

Filesize
2.7MB

MD5
34d383373f913623c4904c6ee3beb4bd

SHA1
dab9d5f54597fb218387a5f0c7d3cfadf5571a3e

SHA256
5096d9ff9a081b531cec086ac83c8028bf10b1edad2ede96bf5267c26bfce831

SHA512
77e755e5b09fbc8b508a645a5ea45455333a153df3925384fe5769af93ab5002e1a4e652fe28a6670c846a89e5356e3bbac82cbc9be45084daca335445cfa85c

Download Submit
C:\Windows\System\DgTFFXn.exe

Filesize
2.7MB

MD5
207168aecf64ea79bf099eed9779c52c

SHA1
9951d309e9960f07d9fcee41226d1eee6f4c8a22

SHA256
be887a6906cdb23c04965b8305e62ee196ed8f55e0e85fac2c44558f7bf7c6b5

SHA512
a383b11838410ddcf9aff8cb057e759500986587930579cb5c659ed4b960613cbda33376497398fc67d90ac95be173467b4e45ee6fc9435cbf4dee0c133bdf38

Download Submit
C:\Windows\System\FKDtsQz.exe

Filesize
2.7MB

MD5
2a8ceebcc9689b84cdeff1949a65a509

SHA1
27b5dac97badf5ff4cb7cfd960f8f07ea23207c7

SHA256
e19c7364f6e04e88374b1af8670efc61f29190ed92f80ba240c175a758b1a5b5

SHA512
66d861e92bc2bdb8658200461b5e77f64b7e69b6fad185b07737ee874f0ab5da76f11097de14ef34468292ebc3d051e2852cf07cf8cce867157b3418db687b7b

Download Submit
C:\Windows\System\GLdRZJX.exe

Filesize
2.7MB

MD5
648a1efb2d66acf32cfde5c8215b395e

SHA1
8414d063bf51e2ae016783ad0aeb19f01700d481

SHA256
92541d84365400b0189c51ea9f004330440a0fb25d8198f1ba810585e4b7d9f7

SHA512
664a49f98d778c2b34f1b069650809e3ad31ea499cf7cdc3cf38ac1f13433b655a42d7df5fbd3356d571a369a2daffd2c0f2697cd7ebfb809dceb0d38baa122b

Download Submit
C:\Windows\System\Hdkmcea.exe

Filesize
2.7MB

MD5
f726f6bf6c4ec454b26fcd3ce2bba23b

SHA1
9c610e614b3642c47d3b1e725c501619e8c7f878

SHA256
9cde2d8dde686301bb5db968d7cdc55a4c2160a0fb1d4e444590c1a29e1cec22

SHA512
370b9de7f0ba6a4fd2c3b08b47620ea4a01ed790abea13d7f302eeae933012f7410bb7adebb0c5e5ef43b4cee4013e00771b0651a8b94f24cea7fbc9e5d9ae53

Download Submit
C:\Windows\System\LBfiRab.exe

Filesize
2.7MB

MD5
01b261cd4d70cd687f3cec01e4425a32

SHA1
411f1fb5585179c4a47161e4b97f34ae086db4c1

SHA256
b7a66508263fdadeb6caa079adc8cdf9c8963b788a83f3a5f0db422870058c78

SHA512
179ac3121ede0716444dd14506c26eb516400b5ac8781593689a497efe0b20a0b664c54a609082a3d8bba1ac0b4d391a9536114e2cc154ccf45dcfd7b671600d

Download Submit
C:\Windows\System\MsRKjsv.exe

Filesize
2.7MB

MD5
a0bd6ae86bec3f2180ae4ce02f9fedea

SHA1
c1ef166128582b6716b25827fb18291b7595eff4

SHA256
e4b13b22c3ae228791d7370a48a4cd0fa4ceb7f819de856934b81564ad537066

SHA512
fe7d11fb6289ef0d4b9eb6cd79890b7b8c10381188e46d78e35249bebab883677d680b8c4f1a4a7be41e2a6ae0eea82be6781f4de2be46ffb4d9aa4f8b29df65

Download Submit
C:\Windows\System\OzeTunz.exe

Filesize
2.7MB

MD5
fdf185b1662b41a515032a7f0fe9829c

SHA1
bbbbe5452e46abeec6f053d71c78299d210a9fcc

SHA256
7b87948e70e76fb69888a5e58013fca016cbd298884dacb356036e46f830a651

SHA512
1c52d2b57f26f5adb85b95bbfb23732a3dcb6f79e8079d409d9f516beaed2b5bc61ee78ccd1221f642e99ca0e938128daba86c3382b4fd45f1a77613715e0727

Download Submit
C:\Windows\System\RupXiiQ.exe

Filesize
2.7MB

MD5
85294c1c12d700b17fe685586627b048

SHA1
27aaa96b638b67b083e60257c80940a28644ceea

SHA256
ff4fd328055e73e74b8cbc8e637b6316e2f755fb0561bb4898eab3059c000b27

SHA512
542abd96ac3d69d64cde9ca0373fc095d41617f63b4305b18312a10a923892a3f570a7a09076204f2acbc311566cb4b1434fd34bbd36918d210d65515a4747ac

Download Submit
C:\Windows\System\TFdDXAp.exe

Filesize
2.7MB

MD5
c4e64ef4d31e4c6e5556556b63127098

SHA1
fe875119329d6a547ebfde0c3b3cef4ade19ce9e

SHA256
229aa685ed649646a2fc1042156f368982f0ceeba7e9f3571497fc03e54399a7

SHA512
affc1422160ee0e82a7b668c0087597ea1e1ce8683943f1ccb16eb55c2f1d6b465e034e5e98926af90848e0596b0396b96067636ee928b5b1cbbef05e33638ff

Download Submit
C:\Windows\System\TItNwkN.exe

Filesize
2.7MB

MD5
01efb8d785e9cd605040f85fb70a45a2

SHA1
93350a5505ae4d9b4ed0886bde49e855560f28f5

SHA256
056b544956e7ed27c27d7ecc3d6af896e68db252841d65491d8caef6a06b1f8a

SHA512
aaa3116464172e6749a247478f180e3f318cc16988f70a447fcc3e156c5f353f2b46b302a9d4ac77f58a700d1c3eecbbfaf5fa82da8b9890ce98d1b7c255e9b9

Download Submit
C:\Windows\System\TPrRGpz.exe

Filesize
2.7MB

MD5
3d6ba95cfe5556a170911c3b7ea057ae

SHA1
66544cdd6043e8720453526efbafe38fa4c3c2c1

SHA256
536a087892a3afc1cd174ca55803c46bfa6586167f2eb2a4c9d99d9bdd510b97

SHA512
b641babdb5ca0a60457937cd3da2f4c042a9866aa1199d6f85780d45a4e9202cc8b84c2896af80a7f5566548b10395e24455554be472b31da2cb4f1bd7cc1b88

Download Submit
C:\Windows\System\TimzReU.exe

Filesize
2.7MB

MD5
667fbef52a324fe2113ca6db21223339

SHA1
59220b00c965707d743bd322a58cf94e1a749725

SHA256
279bac4d651ba5ef3c48cd8a723a6e6fae44d7f410be4e1f6672f14da3af0e0b

SHA512
c263eeee5c20d5f7bf57db78afce0fde851a1832bcb7e80eb0cb54a123160604e1374808971565bfe45a8756fa21cd890ce4f378e3af85be5fba97c58f268378

Download Submit
C:\Windows\System\VNxorJj.exe

Filesize
2.7MB

MD5
b9bb1cc39eded5151c2ec7577a0a1b36

SHA1
7ff966428bac1bd047ee1dfa5fd35e3ac35cbf6e

SHA256
ac3e164160fe79049e977c3a19ad8979ce83aba8228d95d4451d3bbb46efb08a

SHA512
1ffed0ed92d32ba1926280cd8febaafa178c2d209b538eadfe3b89d62e4966ed649d335e4b309807eb922f901d94566507e2bf2517c5e33241713e2957445e8f

Download Submit
C:\Windows\System\WAunkAZ.exe

Filesize
2.7MB

MD5
65fac2ddb5cc774979181220993c0656

SHA1
aaa3d2eb13af774b0c613484baa8e6dd489d080e

SHA256
917c54bc814b0ae06c3621f41ef2ba1d2f1e097f47fec2b1cabbcb38a1d5c05e

SHA512
6c04f20626cba37ee01857ed85deed8a1f1b334a489d33b86243957de6b3c70e11c72acff0f3cb01f4d572414a92d49b1dee6d0b49218fcd3f46ba12d1823447

Download Submit
C:\Windows\System\WKwpVEK.exe

Filesize
2.7MB

MD5
03f401295a214a1e400239b1021db86a

SHA1
2c040348af86106520797fbe017f4d1184476d74

SHA256
25c3d4b23d1b4062cf93e3e265b895b401b1d48fb7da60ea91657cbfcfa03eea

SHA512
ee3c28b788f4dcd452b64610700047612f6cf874ab7e4c3d8b86c803452052459c02f0f8457a7e50ecccf4712339bce29edfa2399e9d8203c12274864eea0389

Download Submit
C:\Windows\System\aLPafWh.exe

Filesize
2.7MB

MD5
7d88847ba73b9737177915852b0c1658

SHA1
8c62fe40991ba5668faad36fe24b2966e0e87306

SHA256
28d3da5d92082f0287875a594128786d50cb15c1ca6cce33fb418011bbff7bfa

SHA512
2cb23c03f5c1a991ad7a5526ef4a143c942ee2a51f173dd45311cc171a952136c458bafb2feb30e8bf15781c93571966d50584aea518dd378d160841985962b7

Download Submit
C:\Windows\System\acUzwXD.exe

Filesize
2.7MB

MD5
49e38c12d33cb14319de23fcc04a654e

SHA1
c6aea78bebe776dd1f8a2a99169d5f4f8078f474

SHA256
fdcd56dc00c74dabecdd4611c4204024ebea91d2cab42b81dc1feb2edd14404a

SHA512
8b00ccb8ac89d1e0eff40da0138f5b781b856771c776babb6a6b09fcdca9fee8d5b9cc3473dde9069c8e7a445692aff91866aa9738c79b12d9fdda22cb2f135b

Download Submit
C:\Windows\System\bZBTTtc.exe

Filesize
2.7MB

MD5
f8dc4a1ad0846c68cdadc4c31943cb18

SHA1
e40dc9ac70842b8c8e4a16dae67618e0228657e3

SHA256
d74551f2fd5167fbd88c76d4297bd4606c764778a60254c830fa9fd6f046ad01

SHA512
5d424d56cdb0ab6cb9618daea5a6b30a644a64bb5ca8c769036f1badd1907994904663c86b0d5c0ad2788b89b5c0759e082e189fc6c855492238596798bb9c1d

Download Submit
C:\Windows\System\bzyxFox.exe

Filesize
2.7MB

MD5
273b5adcc992b365f601cabbaf692fe0

SHA1
277c17e668a1f76d87c2228f594046887d697f90

SHA256
4f3b726093b715a8e6a24eef0acdf2d9342684415481ac3e5f530560256d93c2

SHA512
5415371ac60c77e96c2f20c700fcc49274d6e38ee4b89d7b66e413ded2587f117725459db738649482eded1699e863bc302c294a614563a1d78f41204d05420e

Download Submit
C:\Windows\System\edYfbLh.exe

Filesize
2.7MB

MD5
7f62c3a5623428338c20eb1aaa12e18c

SHA1
12de655683648d770fc84c1b6e850eb718ce52bc

SHA256
1d2e651511dda15e96425c1a4f3fbfc5175d124cb6ecc153e1e1eda2c49cce14

SHA512
182de3c38fc0682d0610312fb258455acd3c8628c6425c209d1edbfef0f84ac990dbd702a5dfe93e6c6fa0ef2c95be02a237c039940e395100bdefa31c4cbd5d

Download Submit
C:\Windows\System\faNYZOp.exe

Filesize
2.7MB

MD5
cd9d876c0e7b1be6894356eb5a03099e

SHA1
a14dc825d2b27d32391e7e55d6d430523699e44b

SHA256
b87e9f1d44f8708165f9f9584eb4121487af20a364ab20fc59949abb0faf6279

SHA512
9a6d67eba551f069f5002292b9429f31071aa6e9a279479a873d7a5c973f50afbe4498906c34b36754382204c7876da31de0a1f6ef07fb4a384e6dfc3073b8d6

Download Submit
C:\Windows\System\fvTXOcr.exe

Filesize
2.7MB

MD5
03d9681847bb4d4fd4eaaac627707994

SHA1
e102e1a3a8f8e72085ded56a2984cdb7023e7f65

SHA256
0e5e4c65c23cc3d7c0c8a05f8cd1feffd9cd708f5e7d884e47a943e80727605b

SHA512
ba032e1ec32aab8e082ad299f64bc5f1d8e9ead687a358f3c4d32cd3e4fbf40e7cb425d3caba3c9654c6dd39a189bc8645eb6f8c26064a98080cda868ca65364

Download Submit
C:\Windows\System\giUbklg.exe

Filesize
2.7MB

MD5
d05c85d2131db52ebf47b1999b2e6230

SHA1
3cae2b49da586e47f457a56145ee771266f46e78

SHA256
d64969abc04d64580db938adc3fb4cccc6a3297d5ce037c3e2f45f62c03c98a9

SHA512
fb799805b2442da412d75636ad307ebb786726b0e0cf7117797a9e586e3825dfb0f727c6620c0cf9f91a6f334e22d9fa3611c994c43c9550dc66a8db48b9caac

Download Submit
C:\Windows\System\lvolBfA.exe

Filesize
2.7MB

MD5
4dc326345474871be97d9aa98874657c

SHA1
33f862bfba25e8dc91f39a0be07c6cf11069113e

SHA256
74291538f9117856e26fc22609bc7be9cd478594a919930179969f6fe02ffeba

SHA512
42b3efa081d16e8cf02027a51027be32b4d690a564418f5ae62a4ea47a236378fc334a5821bc38cba2778fad0ac5ce22c31c833f3f7ec567deb628be68f57db9

Download Submit
C:\Windows\System\ngTSkJG.exe

Filesize
2.7MB

MD5
2f2a6c19d428dfb43f91901508216ed7

SHA1
56478bfdd2207fa6f4f1c96976331222c97bb712

SHA256
2ddb72872dda3175ae72842d9e0a07195c1e21a0846c54b4b5a42868d529c77b

SHA512
c9965c1b8169a07e92b76c71024ce8b3d10036f95b77719aa1614bc852e13f8ffb1d452798184b3effe8ab95d93d75853a38d590fed8ee0d57ea504a451a4fc6

Download Submit
C:\Windows\System\oMGOddu.exe

Filesize
2.7MB

MD5
41a2a2eb476d5dc5b75cf529000fa70d

SHA1
1422a9066a5cd7412242c25f022c4eeb4caa9476

SHA256
befdbcc5ffdeb8bc48a6b978f9e8234e0752892c0d6c113a2de84f6a126c1055

SHA512
8d50f1b95de148d75f591feccf5edb3cba89cba156011e643698950cd145946c3b4742a9dc3fe392f8185c193ccca6c01e680b99f3c789f846827eb1bde102e4

Download Submit
C:\Windows\System\pbyDgbt.exe

Filesize
2.7MB

MD5
2673c18e030876d94b9dcfbe1e38f6f0

SHA1
e29f14ca276735a71367760e584204a2a2e76ccd

SHA256
1201f8f0328ae6fb5d800593d4c7674d904348e72b04b7d250aeda1f1c1a9bd8

SHA512
343f49521f4ebfb21ba0335ec0830f4b946d93b8e25ef89cb6b7132fb47d1c50764c6aba3d3679e58daf336bdc466812467bf4ab43e10515486acd9e07d15ea0

Download Submit
C:\Windows\System\pgzrSXF.exe

Filesize
2.7MB

MD5
4bee439c530da86052c6169365d90ef8

SHA1
5c362105b76aad1399faaaf210385f7fca3ca073

SHA256
4fa6c64357c6a908fb41e71238169262e98d4d5d994330bdfff2a0c406f71b9b

SHA512
6d50d086253e10678f289d0e71e5ac2e7b2d1213178ed074d67ca2297aa2971f7ea5391348f01681a499b5ec1caec7043f88e9c644930970722ddd9881533dde

Download Submit
C:\Windows\System\qtaFEFB.exe

Filesize
2.7MB

MD5
776ba3b45c31d8bdf22bff3f974e4877

SHA1
c213933ec29efc68df860d5196911dcd9a9edabc

SHA256
dbaa468614c5f63d0563b891133ea9f2f5a4982bff562cabdebc785f14b61025

SHA512
3a6865f885acb441fc9fc0812ba492272333deaefa18cc36709b6ebcdc2b41cf4ae4a7c499f882a367440937ec1965d89256e8173922d883c98f6d2165a802f5

Download Submit
C:\Windows\System\sNBSmvV.exe

Filesize
2.7MB

MD5
a70f821c864c35d523c98572299ee83b

SHA1
8319ffa5faa28b32ffbb4e4429efaabc9ce4d255

SHA256
7d68e3c13110b8a2b7ea18aeb67901e79fa35c4887c452f381438f279149a3f5

SHA512
89ca160f23908f390fe24e64a2740f57407694fa38cffe50a86e2d9223f871745d545fd14ba1c0de11f5a719decd5eed012e7976744f0652ff85ab0a76b83a48

Download Submit
C:\Windows\System\sNmqwaX.exe

Filesize
8B

MD5
b4264996759d988d82730e6958cf8074

SHA1
7bbc1f74a3ce00994d790da4622d87f15f45b523

SHA256
8ec7039187958fcd27e56e585c4d65242972777fffc8821de830bc1ff1727bca

SHA512
90e2f3e49d27ab4d11cbf031af514cf6fc3a8851362bc0086d9e25b2d97c3341159ec901fb19a665474ceb995371e4f69eda62c3d14f844ace445c61339d139c

Download Submit
C:\Windows\System\sZkMWDM.exe

Filesize
2.7MB

MD5
bc92a3bc8ed58eed50ce2bc066ec0b9c

SHA1
09e098c6b7f6319a6069a1fba251b7ba671baa10

SHA256
5239fd5402b84647956f63aa87aad767b79ce3d1569ebdc7385057e6efee7725

SHA512
988f740c52a068b8f9aee74860e884fa88b22f0db9180c6bf2c10180f016d01081dc531b036a1d94e475640f9fa0f657d480c9cfea2f518a8506980f6831294d

Download Submit
C:\Windows\System\tVmVvAh.exe

Filesize
2.7MB

MD5
77286f9de14cc13255b2465b53fa64ef

SHA1
0bac978e67320fc00c0f535d7a84afc9b2e9a075

SHA256
ad29b66e9b2bb3875612c7e3d00664dcbe09cceb0ecd4495978ca126a3f73aa3

SHA512
3ea0609506bedd24f0a2edf0125726cfcb2bf1cc9302abed3a2d515ed6b4bad5c18067688b06a3bca05efd0b3cca2be3f16bd70e9ebc80ce9cae528b0045c235

Download Submit
C:\Windows\System\uOmpYSF.exe

Filesize
2.7MB

MD5
029117bbb8ba3a0e20627eb9122554dc

SHA1
7a2880b98a07d6fe7ba6c65b2ebd723cf899539e

SHA256
23b774125e5c2e9d7051fadb9235c63a128a706279f441cec3d259e8db744788

SHA512
48201185ad7f2bd702e59311eec18c70a024ac0be7119c2895aebd54aee0b90f43a950e4a8612c1a886bd524e4f008a71a627826f6529c1aa3ee0a876ee8b4d1

Download Submit
C:\Windows\System\vYEvdJH.exe

Filesize
2.7MB

MD5
f6e40e852c96d1cc955788a6416ec7e0

SHA1
f566a0c3a6d94537e341fef9cb4694580ae73d1b

SHA256
5b41700263382d8d9605770fc3b7b8cbe0bcdf9f6fd717a77c37ae06ad6e89a8

SHA512
ff5df21184c57fea20829b90b682e329e97791bbb2675baf7f9fddfff1ed23b4335407f2efaba59962cd2eaa9dbdef83d8464d1ef86d98cd10a751333e8b61a8

Download Submit
C:\Windows\System\yKFWLJA.exe

Filesize
2.7MB

MD5
f712a3a7533688d748833d0f1ddf330e

SHA1
5dbb8e5ed514e9b883c542cf9ca2d1ae93fe311c

SHA256
34f6d585bac697741a1defa66448ce422d575d4b49fa69aa17df23aa52f9c8fb

SHA512
df3fccb61e0ec6fc52ebe6dc10b87554f98a301c66d6a307eb12f4234b23e53a647f2ac06d10242740185ea0a1899b7a5ee8e7d1323e3b3fc709e27290068908

Download Submit
C:\Windows\System\zIDDMXY.exe

Filesize
2.7MB

MD5
73258e7dbbd63c1f267563d94e77189f

SHA1
ec5131d07ea0338ad17da89e4e3a5e032c6709d3

SHA256
1065e6c7d0d6830dfbe940e76790c2317f0a3d2e49c182517e0e779d13b0620e

SHA512
a094a0e4e4d8b47efaa6daa7289c74a5dfa6415ace281b4ecda84c7974cdf9228ffb6fdf3733ed94c32a3fb331432101cc686e10fcff87932e4b6b4055099ba8

Download Submit
C:\Windows\System\zLoeCpv.exe

Filesize
2.7MB

MD5
3fefa6acb226d465e39ec3d67c5912b0

SHA1
3ef80bfc91c8e78ddab0a5d494af2c02f981080b

SHA256
9a40dfce9ddc6d511c6d6eda3eb427cc3db8f557e3fa8992fb98715b03198ef9

SHA512
32afec58dbbe6d440246b38beaa231c826502cac8c7cbd2137c10a061ada219dc01b2b44bc6972a90f0ae0241788d48396d77a00c30b4fbd8b3c24945cd06ce1

Download Submit
memory/388-218-0x00007FF739FF0000-0x00007FF73A3E6000-memory.dmp

Filesize
4.0MB

Download
memory/388-2204-0x00007FF739FF0000-0x00007FF73A3E6000-memory.dmp

Filesize
4.0MB

Download
memory/540-226-0x00007FF6AF9B0000-0x00007FF6AFDA6000-memory.dmp

Filesize
4.0MB

Download
memory/540-2199-0x00007FF6AF9B0000-0x00007FF6AFDA6000-memory.dmp

Filesize
4.0MB

Download
memory/720-164-0x00007FF6E72F0000-0x00007FF6E76E6000-memory.dmp

Filesize
4.0MB

Download
memory/720-2196-0x00007FF6E72F0000-0x00007FF6E76E6000-memory.dmp

Filesize
4.0MB

Download
memory/888-2189-0x00007FF630670000-0x00007FF630A66000-memory.dmp

Filesize
4.0MB

Download
memory/888-229-0x00007FF630670000-0x00007FF630A66000-memory.dmp

Filesize
4.0MB

Download
memory/1564-161-0x00007FF6DC700000-0x00007FF6DCAF6000-memory.dmp

Filesize
4.0MB

Download
memory/1564-2192-0x00007FF6DC700000-0x00007FF6DCAF6000-memory.dmp

Filesize
4.0MB

Download
memory/1744-2188-0x00007FF6D34C0000-0x00007FF6D38B6000-memory.dmp

Filesize
4.0MB

Download
memory/1744-45-0x00007FF6D34C0000-0x00007FF6D38B6000-memory.dmp

Filesize
4.0MB

Download
memory/1812-219-0x00007FF669490000-0x00007FF669886000-memory.dmp

Filesize
4.0MB

Download
memory/1812-2201-0x00007FF669490000-0x00007FF669886000-memory.dmp

Filesize
4.0MB

Download
memory/1972-2210-0x00007FF65A840000-0x00007FF65AC36000-memory.dmp

Filesize
4.0MB

Download
memory/1972-227-0x00007FF65A840000-0x00007FF65AC36000-memory.dmp

Filesize
4.0MB

Download
memory/2292-224-0x00007FF6F5CD0000-0x00007FF6F60C6000-memory.dmp

Filesize
4.0MB

Download
memory/2292-2202-0x00007FF6F5CD0000-0x00007FF6F60C6000-memory.dmp

Filesize
4.0MB

Download
memory/2516-225-0x00007FF7491B0000-0x00007FF7495A6000-memory.dmp

Filesize
4.0MB

Download
memory/2516-2209-0x00007FF7491B0000-0x00007FF7495A6000-memory.dmp

Filesize
4.0MB

Download
memory/2660-2193-0x00007FF708100000-0x00007FF7084F6000-memory.dmp

Filesize
4.0MB

Download
memory/2660-211-0x00007FF708100000-0x00007FF7084F6000-memory.dmp

Filesize
4.0MB

Download
memory/3012-2191-0x00007FF69D0A0000-0x00007FF69D496000-memory.dmp

Filesize
4.0MB

Download
memory/3012-210-0x00007FF69D0A0000-0x00007FF69D496000-memory.dmp

Filesize
4.0MB

Download
memory/3228-0-0x00007FF6E1CF0000-0x00007FF6E20E6000-memory.dmp

Filesize
4.0MB

Download
memory/3228-1-0x00000247A5660000-0x00000247A5670000-memory.dmp

Filesize
64KB

Download
memory/3452-2200-0x00007FF7100B0000-0x00007FF7104A6000-memory.dmp

Filesize
4.0MB

Download
memory/3452-221-0x00007FF7100B0000-0x00007FF7104A6000-memory.dmp

Filesize
4.0MB

Download
memory/3580-189-0x00007FF69B910000-0x00007FF69BD06000-memory.dmp

Filesize
4.0MB

Download
memory/3580-2194-0x00007FF69B910000-0x00007FF69BD06000-memory.dmp

Filesize
4.0MB

Download
memory/3768-2186-0x00007FF974AC0000-0x00007FF975581000-memory.dmp

Filesize
10.8MB

Download
memory/3768-36-0x00007FF974AC0000-0x00007FF975581000-memory.dmp

Filesize
10.8MB

Download
memory/3768-2187-0x00007FF974AC3000-0x00007FF974AC5000-memory.dmp

Filesize
8KB

Download
memory/3768-6-0x00007FF974AC3000-0x00007FF974AC5000-memory.dmp

Filesize
8KB

Download
memory/3768-110-0x000002446BEF0000-0x000002446BF12000-memory.dmp

Filesize
136KB

Download
memory/3768-81-0x00007FF974AC0000-0x00007FF975581000-memory.dmp

Filesize
10.8MB

Download
memory/3768-233-0x000002446CA60000-0x000002446D206000-memory.dmp

Filesize
7.6MB

Download
memory/3772-2198-0x00007FF79DD00000-0x00007FF79E0F6000-memory.dmp

Filesize
4.0MB

Download
memory/3772-230-0x00007FF79DD00000-0x00007FF79E0F6000-memory.dmp

Filesize
4.0MB

Download
memory/4100-231-0x00007FF6711C0000-0x00007FF6715B6000-memory.dmp

Filesize
4.0MB

Download
memory/4100-2211-0x00007FF6711C0000-0x00007FF6715B6000-memory.dmp

Filesize
4.0MB

Download
memory/4280-2206-0x00007FF697A30000-0x00007FF697E26000-memory.dmp

Filesize
4.0MB

Download
memory/4280-232-0x00007FF697A30000-0x00007FF697E26000-memory.dmp

Filesize
4.0MB

Download
memory/4372-2203-0x00007FF720CB0000-0x00007FF7210A6000-memory.dmp

Filesize
4.0MB

Download
memory/4372-220-0x00007FF720CB0000-0x00007FF7210A6000-memory.dmp

Filesize
4.0MB

Download
memory/4592-2190-0x00007FF68B570000-0x00007FF68B966000-memory.dmp

Filesize
4.0MB

Download
memory/4592-96-0x00007FF68B570000-0x00007FF68B966000-memory.dmp

Filesize
4.0MB

Download
memory/4604-2197-0x00007FF7B1E70000-0x00007FF7B2266000-memory.dmp

Filesize
4.0MB

Download
memory/4604-201-0x00007FF7B1E70000-0x00007FF7B2266000-memory.dmp

Filesize
4.0MB

Download
memory/4932-228-0x00007FF7DF7A0000-0x00007FF7DFB96000-memory.dmp

Filesize
4.0MB

Download
memory/4932-2208-0x00007FF7DF7A0000-0x00007FF7DFB96000-memory.dmp

Filesize
4.0MB

Download
memory/4992-2207-0x00007FF760E90000-0x00007FF761286000-memory.dmp

Filesize
4.0MB

Download
memory/4992-222-0x00007FF760E90000-0x00007FF761286000-memory.dmp

Filesize
4.0MB

Download
memory/5068-223-0x00007FF60C810000-0x00007FF60CC06000-memory.dmp

Filesize
4.0MB

Download
memory/5068-2205-0x00007FF60C810000-0x00007FF60CC06000-memory.dmp

Filesize
4.0MB

Download
memory/5076-2195-0x00007FF769570000-0x00007FF769966000-memory.dmp

Filesize
4.0MB

Download
memory/5076-215-0x00007FF769570000-0x00007FF769966000-memory.dmp

Filesize
4.0MB

Download