xmrig | e8d2ab639f9637c83e3941fafb45e9e2d82fb7e8ae8ae1cf627cc5de21750f7c

Analysis

max time kernel
139s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
Size

2.7MB
MD5

0171e55ed09a89c2bb06f3d1ae6e6740
SHA1

0bd11472dc3a52b4bc4168e575a4b14af12d8a5a
SHA256

e8d2ab639f9637c83e3941fafb45e9e2d82fb7e8ae8ae1cf627cc5de21750f7c
SHA512

9c30c9294399acdde054f1543955853f920d93c22886aeaf2a1eb39e8322cb987b70931dd56b3ea27397db6abc746e4ad93c260c4c76efa4ff86946bcd09191f
SSDEEP

49152:BezaTF8FcNkNdfE0pZ9ozt4wIlMmSdIc1lNpEdxAggHk:BemTLkNdfE0pZrF

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1428-0-0x00007FF66FF60000-0x00007FF6702B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023468-21.dat	xmrig
behavioral2/files/0x000700000002346b-36.dat	xmrig
behavioral2/files/0x000700000002346c-43.dat	xmrig
behavioral2/memory/4760-49-0x00007FF7CAD90000-0x00007FF7CB0E4000-memory.dmp	xmrig
behavioral2/memory/628-64-0x00007FF7D7790000-0x00007FF7D7AE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023471-81.dat	xmrig
behavioral2/memory/3464-123-0x00007FF63EA60000-0x00007FF63EDB4000-memory.dmp	xmrig
behavioral2/memory/384-142-0x00007FF622E90000-0x00007FF6231E4000-memory.dmp	xmrig
behavioral2/memory/1468-180-0x00007FF65CDA0000-0x00007FF65D0F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023485-185.dat	xmrig
behavioral2/memory/4940-192-0x00007FF6CB250000-0x00007FF6CB5A4000-memory.dmp	xmrig
behavioral2/memory/4292-205-0x00007FF6667F0000-0x00007FF666B44000-memory.dmp	xmrig
behavioral2/memory/4376-209-0x00007FF7F0970000-0x00007FF7F0CC4000-memory.dmp	xmrig
behavioral2/memory/4464-208-0x00007FF767780000-0x00007FF767AD4000-memory.dmp	xmrig
behavioral2/memory/4204-207-0x00007FF624700000-0x00007FF624A54000-memory.dmp	xmrig
behavioral2/memory/2664-201-0x00007FF758F00000-0x00007FF759254000-memory.dmp	xmrig
behavioral2/memory/4308-179-0x00007FF7218A0000-0x00007FF721BF4000-memory.dmp	xmrig
behavioral2/memory/1988-170-0x00007FF6E8C00000-0x00007FF6E8F54000-memory.dmp	xmrig
behavioral2/memory/4764-158-0x00007FF6DFE60000-0x00007FF6E01B4000-memory.dmp	xmrig
behavioral2/memory/4360-120-0x00007FF7BD970000-0x00007FF7BDCC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023479-116.dat	xmrig
behavioral2/memory/4248-1964-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp	xmrig
behavioral2/memory/628-2120-0x00007FF7D7790000-0x00007FF7D7AE4000-memory.dmp	xmrig
behavioral2/memory/2364-1557-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp	xmrig
behavioral2/memory/4496-2122-0x00007FF715BD0000-0x00007FF715F24000-memory.dmp	xmrig
behavioral2/memory/2456-2121-0x00007FF744C00000-0x00007FF744F54000-memory.dmp	xmrig
behavioral2/memory/4920-2125-0x00007FF68B800000-0x00007FF68BB54000-memory.dmp	xmrig
behavioral2/memory/4764-2127-0x00007FF6DFE60000-0x00007FF6E01B4000-memory.dmp	xmrig
behavioral2/memory/2988-2124-0x00007FF6CFDC0000-0x00007FF6D0114000-memory.dmp	xmrig
behavioral2/memory/1428-1186-0x00007FF66FF60000-0x00007FF6702B4000-memory.dmp	xmrig
behavioral2/memory/3464-2128-0x00007FF63EA60000-0x00007FF63EDB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023471-99.dat	xmrig
behavioral2/memory/4572-91-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp	xmrig
behavioral2/files/0x0007000000023475-101.dat	xmrig
behavioral2/memory/4920-95-0x00007FF68B800000-0x00007FF68BB54000-memory.dmp	xmrig
behavioral2/memory/3332-86-0x00007FF7C5510000-0x00007FF7C5864000-memory.dmp	xmrig
behavioral2/memory/2988-78-0x00007FF6CFDC0000-0x00007FF6D0114000-memory.dmp	xmrig
behavioral2/files/0x0007000000023470-75.dat	xmrig
behavioral2/memory/868-77-0x00007FF68EEA0000-0x00007FF68F1F4000-memory.dmp	xmrig
behavioral2/files/0x000700000002346e-72.dat	xmrig
behavioral2/memory/4496-61-0x00007FF715BD0000-0x00007FF715F24000-memory.dmp	xmrig
behavioral2/memory/2456-53-0x00007FF744C00000-0x00007FF744F54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023469-33.dat	xmrig
behavioral2/memory/2788-40-0x00007FF7132E0000-0x00007FF713634000-memory.dmp	xmrig
behavioral2/memory/2364-32-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp	xmrig
behavioral2/memory/4248-24-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp	xmrig
behavioral2/memory/3472-15-0x00007FF6D9150000-0x00007FF6D94A4000-memory.dmp	xmrig
behavioral2/memory/1044-2130-0x00007FF603D20000-0x00007FF604074000-memory.dmp	xmrig
behavioral2/memory/3472-2131-0x00007FF6D9150000-0x00007FF6D94A4000-memory.dmp	xmrig
behavioral2/memory/4248-2132-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp	xmrig
behavioral2/memory/2364-2133-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp	xmrig
behavioral2/memory/2788-2135-0x00007FF7132E0000-0x00007FF713634000-memory.dmp	xmrig
behavioral2/memory/868-2137-0x00007FF68EEA0000-0x00007FF68F1F4000-memory.dmp	xmrig
behavioral2/memory/2456-2136-0x00007FF744C00000-0x00007FF744F54000-memory.dmp	xmrig
behavioral2/memory/4496-2138-0x00007FF715BD0000-0x00007FF715F24000-memory.dmp	xmrig
behavioral2/memory/3332-2140-0x00007FF7C5510000-0x00007FF7C5864000-memory.dmp	xmrig
behavioral2/memory/2528-2141-0x00007FF62FA70000-0x00007FF62FDC4000-memory.dmp	xmrig
behavioral2/memory/2988-2142-0x00007FF6CFDC0000-0x00007FF6D0114000-memory.dmp	xmrig
behavioral2/memory/4572-2145-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp	xmrig
behavioral2/memory/384-2150-0x00007FF622E90000-0x00007FF6231E4000-memory.dmp	xmrig
behavioral2/memory/4308-2149-0x00007FF7218A0000-0x00007FF721BF4000-memory.dmp	xmrig
behavioral2/memory/1988-2148-0x00007FF6E8C00000-0x00007FF6E8F54000-memory.dmp	xmrig
behavioral2/memory/4464-2155-0x00007FF767780000-0x00007FF767AD4000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
1044	ufpKokV.exe
3472	dbouuLW.exe
4248	TUfsvoR.exe
4760	FjzYpqY.exe
2364	TftHoNY.exe
2788	AsbjvBV.exe
2456	EEZCtuA.exe
868	KXHiiki.exe
4496	fHMdDNj.exe
2988	ENQOsUf.exe
628	INUTgYF.exe
3332	JYZBxCC.exe
2528	szRJexX.exe
4360	HnVNufm.exe
4572	OLqIcpg.exe
3464	hUczoCK.exe
4920	rDsRSyI.exe
4292	vKurekk.exe
384	SHbfdnb.exe
4204	SMHrnpr.exe
4764	ngmcQBb.exe
1988	KkYNhno.exe
4464	rAWzGcs.exe
4308	pqmaLJE.exe
1468	AULZazL.exe
4376	bEagORN.exe
4940	abfWBJs.exe
4040	XHLjSwM.exe
2664	GhWYeJQ.exe
1324	yXYgwKG.exe
3100	CLrkrxH.exe
2400	rmlwoQE.exe
1720	ALzijQl.exe
3104	XYRNAKc.exe
1548	DdYWyvv.exe
2836	bAQFQrL.exe
4036	BrhtxPa.exe
1344	zGWqVtW.exe
1460	JCParNU.exe
4776	IsmuyzC.exe
3852	DqfYCVO.exe
624	aXMhgYU.exe
4696	GippBjD.exe
3456	lawoSrA.exe
4684	JgxvNss.exe
1944	yeQxjHS.exe
4652	Npuuqcn.exe
2880	bqYOeCW.exe
4044	OhBNLMS.exe
2408	nRdAqSE.exe
748	lWgfJFc.exe
1780	GYFAFqJ.exe
4124	GzFJgjK.exe
1540	CkywZmL.exe
5020	xlvtGfy.exe
4548	xwyIjWZ.exe
4888	kxUBKWW.exe
2228	uMvcYcW.exe
4644	kKMnDCt.exe
2260	bUAJhVT.exe
3016	HvvVuKZ.exe
3848	GRzOPpY.exe
4000	dTrdBIh.exe
3636	qbWtxMx.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1428-0-0x00007FF66FF60000-0x00007FF6702B4000-memory.dmp	upx
behavioral2/files/0x0007000000023468-21.dat	upx
behavioral2/files/0x000700000002346b-36.dat	upx
behavioral2/files/0x000700000002346c-43.dat	upx
behavioral2/memory/4760-49-0x00007FF7CAD90000-0x00007FF7CB0E4000-memory.dmp	upx
behavioral2/memory/628-64-0x00007FF7D7790000-0x00007FF7D7AE4000-memory.dmp	upx
behavioral2/files/0x0007000000023471-81.dat	upx
behavioral2/memory/3464-123-0x00007FF63EA60000-0x00007FF63EDB4000-memory.dmp	upx
behavioral2/memory/384-142-0x00007FF622E90000-0x00007FF6231E4000-memory.dmp	upx
behavioral2/memory/1468-180-0x00007FF65CDA0000-0x00007FF65D0F4000-memory.dmp	upx
behavioral2/files/0x0007000000023485-185.dat	upx
behavioral2/memory/4940-192-0x00007FF6CB250000-0x00007FF6CB5A4000-memory.dmp	upx
behavioral2/memory/4292-205-0x00007FF6667F0000-0x00007FF666B44000-memory.dmp	upx
behavioral2/memory/4376-209-0x00007FF7F0970000-0x00007FF7F0CC4000-memory.dmp	upx
behavioral2/memory/4464-208-0x00007FF767780000-0x00007FF767AD4000-memory.dmp	upx
behavioral2/memory/4204-207-0x00007FF624700000-0x00007FF624A54000-memory.dmp	upx
behavioral2/memory/2664-201-0x00007FF758F00000-0x00007FF759254000-memory.dmp	upx
behavioral2/memory/4040-200-0x00007FF7A78A0000-0x00007FF7A7BF4000-memory.dmp	upx
behavioral2/memory/4308-179-0x00007FF7218A0000-0x00007FF721BF4000-memory.dmp	upx
behavioral2/memory/1988-170-0x00007FF6E8C00000-0x00007FF6E8F54000-memory.dmp	upx
behavioral2/files/0x0007000000023481-159.dat	upx
behavioral2/memory/4764-158-0x00007FF6DFE60000-0x00007FF6E01B4000-memory.dmp	upx
behavioral2/files/0x0007000000023476-128.dat	upx
behavioral2/memory/4360-120-0x00007FF7BD970000-0x00007FF7BDCC4000-memory.dmp	upx
behavioral2/files/0x0007000000023479-116.dat	upx
behavioral2/memory/4248-1964-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp	upx
behavioral2/memory/3472-1960-0x00007FF6D9150000-0x00007FF6D94A4000-memory.dmp	upx
behavioral2/memory/628-2120-0x00007FF7D7790000-0x00007FF7D7AE4000-memory.dmp	upx
behavioral2/memory/2364-1557-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp	upx
behavioral2/memory/1044-1556-0x00007FF603D20000-0x00007FF604074000-memory.dmp	upx
behavioral2/memory/4496-2122-0x00007FF715BD0000-0x00007FF715F24000-memory.dmp	upx
behavioral2/memory/4572-2123-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp	upx
behavioral2/memory/2456-2121-0x00007FF744C00000-0x00007FF744F54000-memory.dmp	upx
behavioral2/memory/4920-2125-0x00007FF68B800000-0x00007FF68BB54000-memory.dmp	upx
behavioral2/memory/384-2126-0x00007FF622E90000-0x00007FF6231E4000-memory.dmp	upx
behavioral2/memory/4764-2127-0x00007FF6DFE60000-0x00007FF6E01B4000-memory.dmp	upx
behavioral2/memory/2988-2124-0x00007FF6CFDC0000-0x00007FF6D0114000-memory.dmp	upx
behavioral2/memory/1428-1186-0x00007FF66FF60000-0x00007FF6702B4000-memory.dmp	upx
behavioral2/memory/3464-2128-0x00007FF63EA60000-0x00007FF63EDB4000-memory.dmp	upx
behavioral2/memory/4940-2129-0x00007FF6CB250000-0x00007FF6CB5A4000-memory.dmp	upx
behavioral2/files/0x0007000000023471-99.dat	upx
behavioral2/memory/2528-109-0x00007FF62FA70000-0x00007FF62FDC4000-memory.dmp	upx
behavioral2/memory/4572-91-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp	upx
behavioral2/files/0x0007000000023475-101.dat	upx
behavioral2/memory/4920-95-0x00007FF68B800000-0x00007FF68BB54000-memory.dmp	upx
behavioral2/memory/3332-86-0x00007FF7C5510000-0x00007FF7C5864000-memory.dmp	upx
behavioral2/memory/2988-78-0x00007FF6CFDC0000-0x00007FF6D0114000-memory.dmp	upx
behavioral2/files/0x0007000000023470-75.dat	upx
behavioral2/memory/868-77-0x00007FF68EEA0000-0x00007FF68F1F4000-memory.dmp	upx
behavioral2/files/0x000700000002346e-72.dat	upx
behavioral2/memory/4496-61-0x00007FF715BD0000-0x00007FF715F24000-memory.dmp	upx
behavioral2/memory/2456-53-0x00007FF744C00000-0x00007FF744F54000-memory.dmp	upx
behavioral2/files/0x0007000000023469-33.dat	upx
behavioral2/memory/2788-40-0x00007FF7132E0000-0x00007FF713634000-memory.dmp	upx
behavioral2/memory/2364-32-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp	upx
behavioral2/memory/4248-24-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp	upx
behavioral2/memory/3472-15-0x00007FF6D9150000-0x00007FF6D94A4000-memory.dmp	upx
behavioral2/memory/1044-7-0x00007FF603D20000-0x00007FF604074000-memory.dmp	upx
behavioral2/memory/1044-2130-0x00007FF603D20000-0x00007FF604074000-memory.dmp	upx
behavioral2/memory/3472-2131-0x00007FF6D9150000-0x00007FF6D94A4000-memory.dmp	upx
behavioral2/memory/4248-2132-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp	upx
behavioral2/memory/2364-2133-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp	upx
behavioral2/memory/2788-2135-0x00007FF7132E0000-0x00007FF713634000-memory.dmp	upx
behavioral2/memory/868-2137-0x00007FF68EEA0000-0x00007FF68F1F4000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\IsmuyzC.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\dTrdBIh.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\mbFyWWM.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\gPGZJmf.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\ClwpJnC.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\hcpKjJo.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\JmBVNgf.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\MIFLbrs.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\nPJZDYq.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\nrCEaPY.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\ruiTdjs.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\JMSHoOL.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\nGMoJJI.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\cNmDtaI.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\EyKtvsw.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\OzyhEJo.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\UmZLyhg.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\vBhOGhi.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\kXtjFcX.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\slUxfqR.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\CpqWAxC.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\lJHyMNO.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\TLrHsUn.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\smCDnHO.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\fYjJRoE.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\Adlxwkw.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\fmwwMMK.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\qgUADGK.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\DzPvPsr.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\DFPYRxP.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\esruFMk.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\HKyVAPO.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\MCBBxgq.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\klaJWSX.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\InkLfMP.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\XsmTzWx.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\pWoYOqe.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\cnikoMM.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\CzwRdTu.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\gWlLlIO.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\IJQGNKy.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\EEZCtuA.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\QkRnEnm.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\mHVBLhh.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\ekCjJbT.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\BllAjFv.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\zTnLwpO.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\bxbDoAV.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\yZOewof.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\eGPdgjR.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\yJgrYmH.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\DdJYjST.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\QfNdMNq.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\AxEwIdZ.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\CMnizXm.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\mEVBfjY.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\BjcSmgK.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\liSyAEU.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\DdYWyvv.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\GAfVNHb.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\bBJWPaM.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\GJoWPrH.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\XEvrmeD.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
File created	C:\Windows\System\ngmcQBb.exe	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	15016	dwm.exe
Token: SeChangeNotifyPrivilege	15016	dwm.exe
Token: 33	15016	dwm.exe
Token: SeIncBasePriorityPrivilege	15016	dwm.exe
Token: SeShutdownPrivilege	15016	dwm.exe
Token: SeCreatePagefilePrivilege	15016	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 1044	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	83
PID 1428 wrote to memory of 1044	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	83
PID 1428 wrote to memory of 3472	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	84
PID 1428 wrote to memory of 3472	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	84
PID 1428 wrote to memory of 4248	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	85
PID 1428 wrote to memory of 4248	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	85
PID 1428 wrote to memory of 4760	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	86
PID 1428 wrote to memory of 4760	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	86
PID 1428 wrote to memory of 2364	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	87
PID 1428 wrote to memory of 2364	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	87
PID 1428 wrote to memory of 2788	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	88
PID 1428 wrote to memory of 2788	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	88
PID 1428 wrote to memory of 2456	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	89
PID 1428 wrote to memory of 2456	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	89
PID 1428 wrote to memory of 868	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	90
PID 1428 wrote to memory of 868	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	90
PID 1428 wrote to memory of 4496	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	91
PID 1428 wrote to memory of 4496	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	91
PID 1428 wrote to memory of 2988	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	92
PID 1428 wrote to memory of 2988	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	92
PID 1428 wrote to memory of 628	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	93
PID 1428 wrote to memory of 628	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	93
PID 1428 wrote to memory of 3332	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	94
PID 1428 wrote to memory of 3332	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	94
PID 1428 wrote to memory of 4572	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	95
PID 1428 wrote to memory of 4572	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	95
PID 1428 wrote to memory of 2528	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	96
PID 1428 wrote to memory of 2528	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	96
PID 1428 wrote to memory of 4360	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	97
PID 1428 wrote to memory of 4360	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	97
PID 1428 wrote to memory of 3464	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	98
PID 1428 wrote to memory of 3464	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	98
PID 1428 wrote to memory of 4920	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	99
PID 1428 wrote to memory of 4920	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	99
PID 1428 wrote to memory of 4292	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	100
PID 1428 wrote to memory of 4292	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	100
PID 1428 wrote to memory of 384	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	101
PID 1428 wrote to memory of 384	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	101
PID 1428 wrote to memory of 4204	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	102
PID 1428 wrote to memory of 4204	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	102
PID 1428 wrote to memory of 4764	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	103
PID 1428 wrote to memory of 4764	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	103
PID 1428 wrote to memory of 1988	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	104
PID 1428 wrote to memory of 1988	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	104
PID 1428 wrote to memory of 4464	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	105
PID 1428 wrote to memory of 4464	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	105
PID 1428 wrote to memory of 4308	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	106
PID 1428 wrote to memory of 4308	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	106
PID 1428 wrote to memory of 1468	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	107
PID 1428 wrote to memory of 1468	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	107
PID 1428 wrote to memory of 4376	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	108
PID 1428 wrote to memory of 4376	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	108
PID 1428 wrote to memory of 4940	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	109
PID 1428 wrote to memory of 4940	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	109
PID 1428 wrote to memory of 4040	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	110
PID 1428 wrote to memory of 4040	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	110
PID 1428 wrote to memory of 2664	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	111
PID 1428 wrote to memory of 2664	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	111
PID 1428 wrote to memory of 1324	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	112
PID 1428 wrote to memory of 1324	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	112
PID 1428 wrote to memory of 3100	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	113
PID 1428 wrote to memory of 3100	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	113
PID 1428 wrote to memory of 2400	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	114
PID 1428 wrote to memory of 2400	1428	0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0171e55ed09a89c2bb06f3d1ae6e6740_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\System\ufpKokV.exe
  C:\Windows\System\ufpKokV.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\dbouuLW.exe
  C:\Windows\System\dbouuLW.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\TUfsvoR.exe
  C:\Windows\System\TUfsvoR.exe
  2⤵
  - Executes dropped EXE
  PID:4248
- C:\Windows\System\FjzYpqY.exe
  C:\Windows\System\FjzYpqY.exe
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\System\TftHoNY.exe
  C:\Windows\System\TftHoNY.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\AsbjvBV.exe
  C:\Windows\System\AsbjvBV.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System\EEZCtuA.exe
  C:\Windows\System\EEZCtuA.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\KXHiiki.exe
  C:\Windows\System\KXHiiki.exe
  2⤵
  - Executes dropped EXE
  PID:868
- C:\Windows\System\fHMdDNj.exe
  C:\Windows\System\fHMdDNj.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\ENQOsUf.exe
  C:\Windows\System\ENQOsUf.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\INUTgYF.exe
  C:\Windows\System\INUTgYF.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\JYZBxCC.exe
  C:\Windows\System\JYZBxCC.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\OLqIcpg.exe
  C:\Windows\System\OLqIcpg.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\szRJexX.exe
  C:\Windows\System\szRJexX.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\HnVNufm.exe
  C:\Windows\System\HnVNufm.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\hUczoCK.exe
  C:\Windows\System\hUczoCK.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\rDsRSyI.exe
  C:\Windows\System\rDsRSyI.exe
  2⤵
  - Executes dropped EXE
  PID:4920
- C:\Windows\System\vKurekk.exe
  C:\Windows\System\vKurekk.exe
  2⤵
  - Executes dropped EXE
  PID:4292
- C:\Windows\System\SHbfdnb.exe
  C:\Windows\System\SHbfdnb.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\SMHrnpr.exe
  C:\Windows\System\SMHrnpr.exe
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Windows\System\ngmcQBb.exe
  C:\Windows\System\ngmcQBb.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\KkYNhno.exe
  C:\Windows\System\KkYNhno.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\rAWzGcs.exe
  C:\Windows\System\rAWzGcs.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\pqmaLJE.exe
  C:\Windows\System\pqmaLJE.exe
  2⤵
  - Executes dropped EXE
  PID:4308
- C:\Windows\System\AULZazL.exe
  C:\Windows\System\AULZazL.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\bEagORN.exe
  C:\Windows\System\bEagORN.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\abfWBJs.exe
  C:\Windows\System\abfWBJs.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\XHLjSwM.exe
  C:\Windows\System\XHLjSwM.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\System\GhWYeJQ.exe
  C:\Windows\System\GhWYeJQ.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\yXYgwKG.exe
  C:\Windows\System\yXYgwKG.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\CLrkrxH.exe
  C:\Windows\System\CLrkrxH.exe
  2⤵
  - Executes dropped EXE
  PID:3100
- C:\Windows\System\rmlwoQE.exe
  C:\Windows\System\rmlwoQE.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\ALzijQl.exe
  C:\Windows\System\ALzijQl.exe
  2⤵
  - Executes dropped EXE
  PID:1720
- C:\Windows\System\XYRNAKc.exe
  C:\Windows\System\XYRNAKc.exe
  2⤵
  - Executes dropped EXE
  PID:3104
- C:\Windows\System\DdYWyvv.exe
  C:\Windows\System\DdYWyvv.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\bAQFQrL.exe
  C:\Windows\System\bAQFQrL.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\BrhtxPa.exe
  C:\Windows\System\BrhtxPa.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\zGWqVtW.exe
  C:\Windows\System\zGWqVtW.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\JCParNU.exe
  C:\Windows\System\JCParNU.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\IsmuyzC.exe
  C:\Windows\System\IsmuyzC.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\DqfYCVO.exe
  C:\Windows\System\DqfYCVO.exe
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\System\aXMhgYU.exe
  C:\Windows\System\aXMhgYU.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\GippBjD.exe
  C:\Windows\System\GippBjD.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\lawoSrA.exe
  C:\Windows\System\lawoSrA.exe
  2⤵
  - Executes dropped EXE
  PID:3456
- C:\Windows\System\JgxvNss.exe
  C:\Windows\System\JgxvNss.exe
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Windows\System\yeQxjHS.exe
  C:\Windows\System\yeQxjHS.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\Npuuqcn.exe
  C:\Windows\System\Npuuqcn.exe
  2⤵
  - Executes dropped EXE
  PID:4652
- C:\Windows\System\bqYOeCW.exe
  C:\Windows\System\bqYOeCW.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\OhBNLMS.exe
  C:\Windows\System\OhBNLMS.exe
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Windows\System\nRdAqSE.exe
  C:\Windows\System\nRdAqSE.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\lWgfJFc.exe
  C:\Windows\System\lWgfJFc.exe
  2⤵
  - Executes dropped EXE
  PID:748
- C:\Windows\System\GYFAFqJ.exe
  C:\Windows\System\GYFAFqJ.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\GzFJgjK.exe
  C:\Windows\System\GzFJgjK.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\CkywZmL.exe
  C:\Windows\System\CkywZmL.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\xlvtGfy.exe
  C:\Windows\System\xlvtGfy.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\xwyIjWZ.exe
  C:\Windows\System\xwyIjWZ.exe
  2⤵
  - Executes dropped EXE
  PID:4548
- C:\Windows\System\kxUBKWW.exe
  C:\Windows\System\kxUBKWW.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\uMvcYcW.exe
  C:\Windows\System\uMvcYcW.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\kKMnDCt.exe
  C:\Windows\System\kKMnDCt.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\bUAJhVT.exe
  C:\Windows\System\bUAJhVT.exe
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\Windows\System\HvvVuKZ.exe
  C:\Windows\System\HvvVuKZ.exe
  2⤵
  - Executes dropped EXE
  PID:3016
- C:\Windows\System\GRzOPpY.exe
  C:\Windows\System\GRzOPpY.exe
  2⤵
  - Executes dropped EXE
  PID:3848
- C:\Windows\System\dTrdBIh.exe
  C:\Windows\System\dTrdBIh.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\qbWtxMx.exe
  C:\Windows\System\qbWtxMx.exe
  2⤵
  - Executes dropped EXE
  PID:3636
- C:\Windows\System\oglZfZO.exe
  C:\Windows\System\oglZfZO.exe
  2⤵
  PID:2984
- C:\Windows\System\XPfRFUe.exe
  C:\Windows\System\XPfRFUe.exe
  2⤵
  PID:2116
- C:\Windows\System\PuGAkTN.exe
  C:\Windows\System\PuGAkTN.exe
  2⤵
  PID:3644
- C:\Windows\System\ftAKUeK.exe
  C:\Windows\System\ftAKUeK.exe
  2⤵
  PID:2868
- C:\Windows\System\CXiKVRH.exe
  C:\Windows\System\CXiKVRH.exe
  2⤵
  PID:2908
- C:\Windows\System\NdLdXGI.exe
  C:\Windows\System\NdLdXGI.exe
  2⤵
  PID:3180
- C:\Windows\System\bXXoEHX.exe
  C:\Windows\System\bXXoEHX.exe
  2⤵
  PID:3516
- C:\Windows\System\lvUJDFX.exe
  C:\Windows\System\lvUJDFX.exe
  2⤵
  PID:4352
- C:\Windows\System\YqPlLHf.exe
  C:\Windows\System\YqPlLHf.exe
  2⤵
  PID:992
- C:\Windows\System\LmuEpXG.exe
  C:\Windows\System\LmuEpXG.exe
  2⤵
  PID:4968
- C:\Windows\System\IqOXnXf.exe
  C:\Windows\System\IqOXnXf.exe
  2⤵
  PID:4600
- C:\Windows\System\PFBZIZb.exe
  C:\Windows\System\PFBZIZb.exe
  2⤵
  PID:1496
- C:\Windows\System\tNlaJoz.exe
  C:\Windows\System\tNlaJoz.exe
  2⤵
  PID:5152
- C:\Windows\System\MVrrlLk.exe
  C:\Windows\System\MVrrlLk.exe
  2⤵
  PID:5180
- C:\Windows\System\fVcVInH.exe
  C:\Windows\System\fVcVInH.exe
  2⤵
  PID:5216
- C:\Windows\System\ndVehhS.exe
  C:\Windows\System\ndVehhS.exe
  2⤵
  PID:5240
- C:\Windows\System\gqLVPxL.exe
  C:\Windows\System\gqLVPxL.exe
  2⤵
  PID:5268
- C:\Windows\System\DfIHdbB.exe
  C:\Windows\System\DfIHdbB.exe
  2⤵
  PID:5296
- C:\Windows\System\mdDKJaX.exe
  C:\Windows\System\mdDKJaX.exe
  2⤵
  PID:5348
- C:\Windows\System\iOuHShC.exe
  C:\Windows\System\iOuHShC.exe
  2⤵
  PID:5396
- C:\Windows\System\QkRnEnm.exe
  C:\Windows\System\QkRnEnm.exe
  2⤵
  PID:5412
- C:\Windows\System\zzoIXHB.exe
  C:\Windows\System\zzoIXHB.exe
  2⤵
  PID:5452
- C:\Windows\System\DhYHMzy.exe
  C:\Windows\System\DhYHMzy.exe
  2⤵
  PID:5476
- C:\Windows\System\KzBilQN.exe
  C:\Windows\System\KzBilQN.exe
  2⤵
  PID:5512
- C:\Windows\System\GyjnZJu.exe
  C:\Windows\System\GyjnZJu.exe
  2⤵
  PID:5544
- C:\Windows\System\lAEIozV.exe
  C:\Windows\System\lAEIozV.exe
  2⤵
  PID:5568
- C:\Windows\System\NPQFReA.exe
  C:\Windows\System\NPQFReA.exe
  2⤵
  PID:5600
- C:\Windows\System\xWAodvo.exe
  C:\Windows\System\xWAodvo.exe
  2⤵
  PID:5632
- C:\Windows\System\XBbDoWE.exe
  C:\Windows\System\XBbDoWE.exe
  2⤵
  PID:5660
- C:\Windows\System\zTbErnz.exe
  C:\Windows\System\zTbErnz.exe
  2⤵
  PID:5696
- C:\Windows\System\arqGjLB.exe
  C:\Windows\System\arqGjLB.exe
  2⤵
  PID:5724
- C:\Windows\System\esruFMk.exe
  C:\Windows\System\esruFMk.exe
  2⤵
  PID:5744
- C:\Windows\System\XelQcXM.exe
  C:\Windows\System\XelQcXM.exe
  2⤵
  PID:5780
- C:\Windows\System\nmTBCKg.exe
  C:\Windows\System\nmTBCKg.exe
  2⤵
  PID:5800
- C:\Windows\System\VwOqKkr.exe
  C:\Windows\System\VwOqKkr.exe
  2⤵
  PID:5832
- C:\Windows\System\GXDOlaD.exe
  C:\Windows\System\GXDOlaD.exe
  2⤵
  PID:5876
- C:\Windows\System\EjDOPwq.exe
  C:\Windows\System\EjDOPwq.exe
  2⤵
  PID:5920
- C:\Windows\System\FhPkvIo.exe
  C:\Windows\System\FhPkvIo.exe
  2⤵
  PID:5948
- C:\Windows\System\GvYBKFb.exe
  C:\Windows\System\GvYBKFb.exe
  2⤵
  PID:5972
- C:\Windows\System\xxJGuTW.exe
  C:\Windows\System\xxJGuTW.exe
  2⤵
  PID:6000
- C:\Windows\System\MHOKqsq.exe
  C:\Windows\System\MHOKqsq.exe
  2⤵
  PID:6032
- C:\Windows\System\NMXFqAw.exe
  C:\Windows\System\NMXFqAw.exe
  2⤵
  PID:6052
- C:\Windows\System\jCfgkqb.exe
  C:\Windows\System\jCfgkqb.exe
  2⤵
  PID:6084
- C:\Windows\System\SWwVKTu.exe
  C:\Windows\System\SWwVKTu.exe
  2⤵
  PID:6112
- C:\Windows\System\yLKxhiD.exe
  C:\Windows\System\yLKxhiD.exe
  2⤵
  PID:6132
- C:\Windows\System\xGepeRw.exe
  C:\Windows\System\xGepeRw.exe
  2⤵
  PID:5160
- C:\Windows\System\SfjKSOC.exe
  C:\Windows\System\SfjKSOC.exe
  2⤵
  PID:5208
- C:\Windows\System\oedStSL.exe
  C:\Windows\System\oedStSL.exe
  2⤵
  PID:5260
- C:\Windows\System\YFukSRI.exe
  C:\Windows\System\YFukSRI.exe
  2⤵
  PID:5308
- C:\Windows\System\JhlgJkw.exe
  C:\Windows\System\JhlgJkw.exe
  2⤵
  PID:5428
- C:\Windows\System\TGmnDTH.exe
  C:\Windows\System\TGmnDTH.exe
  2⤵
  PID:5536
- C:\Windows\System\ripAiIy.exe
  C:\Windows\System\ripAiIy.exe
  2⤵
  PID:5652
- C:\Windows\System\zTsipFn.exe
  C:\Windows\System\zTsipFn.exe
  2⤵
  PID:5128
- C:\Windows\System\UwfSVzf.exe
  C:\Windows\System\UwfSVzf.exe
  2⤵
  PID:5704
- C:\Windows\System\wBxVEuh.exe
  C:\Windows\System\wBxVEuh.exe
  2⤵
  PID:5740
- C:\Windows\System\MvwhUIF.exe
  C:\Windows\System\MvwhUIF.exe
  2⤵
  PID:5820
- C:\Windows\System\lqkQlfW.exe
  C:\Windows\System\lqkQlfW.exe
  2⤵
  PID:5908
- C:\Windows\System\MIFLbrs.exe
  C:\Windows\System\MIFLbrs.exe
  2⤵
  PID:5992
- C:\Windows\System\guGYgwD.exe
  C:\Windows\System\guGYgwD.exe
  2⤵
  PID:6048
- C:\Windows\System\YmFgfvL.exe
  C:\Windows\System\YmFgfvL.exe
  2⤵
  PID:5188
- C:\Windows\System\aFfUrmh.exe
  C:\Windows\System\aFfUrmh.exe
  2⤵
  PID:5168
- C:\Windows\System\BQpcipp.exe
  C:\Windows\System\BQpcipp.exe
  2⤵
  PID:5236
- C:\Windows\System\mfQuffO.exe
  C:\Windows\System\mfQuffO.exe
  2⤵
  PID:5588
- C:\Windows\System\doluHpS.exe
  C:\Windows\System\doluHpS.exe
  2⤵
  PID:3652
- C:\Windows\System\crQzymU.exe
  C:\Windows\System\crQzymU.exe
  2⤵
  PID:5936
- C:\Windows\System\pWoYOqe.exe
  C:\Windows\System\pWoYOqe.exe
  2⤵
  PID:6100
- C:\Windows\System\UnPxwrl.exe
  C:\Windows\System\UnPxwrl.exe
  2⤵
  PID:5564
- C:\Windows\System\gNBGPii.exe
  C:\Windows\System\gNBGPii.exe
  2⤵
  PID:6024
- C:\Windows\System\WvFJUzp.exe
  C:\Windows\System\WvFJUzp.exe
  2⤵
  PID:6012
- C:\Windows\System\UACzPXZ.exe
  C:\Windows\System\UACzPXZ.exe
  2⤵
  PID:6172
- C:\Windows\System\cjbUYzM.exe
  C:\Windows\System\cjbUYzM.exe
  2⤵
  PID:6208
- C:\Windows\System\FuKFHMy.exe
  C:\Windows\System\FuKFHMy.exe
  2⤵
  PID:6244
- C:\Windows\System\DCWsDew.exe
  C:\Windows\System\DCWsDew.exe
  2⤵
  PID:6276
- C:\Windows\System\VomPcMo.exe
  C:\Windows\System\VomPcMo.exe
  2⤵
  PID:6292
- C:\Windows\System\xWZMQqF.exe
  C:\Windows\System\xWZMQqF.exe
  2⤵
  PID:6308
- C:\Windows\System\XflccIJ.exe
  C:\Windows\System\XflccIJ.exe
  2⤵
  PID:6348
- C:\Windows\System\QfNdMNq.exe
  C:\Windows\System\QfNdMNq.exe
  2⤵
  PID:6392
- C:\Windows\System\yYUMNZS.exe
  C:\Windows\System\yYUMNZS.exe
  2⤵
  PID:6420
- C:\Windows\System\iAnpbXo.exe
  C:\Windows\System\iAnpbXo.exe
  2⤵
  PID:6448
- C:\Windows\System\AxEwIdZ.exe
  C:\Windows\System\AxEwIdZ.exe
  2⤵
  PID:6476
- C:\Windows\System\cnikoMM.exe
  C:\Windows\System\cnikoMM.exe
  2⤵
  PID:6504
- C:\Windows\System\LFzIOwt.exe
  C:\Windows\System\LFzIOwt.exe
  2⤵
  PID:6532
- C:\Windows\System\XOgBvLh.exe
  C:\Windows\System\XOgBvLh.exe
  2⤵
  PID:6564
- C:\Windows\System\lJZWpRi.exe
  C:\Windows\System\lJZWpRi.exe
  2⤵
  PID:6600
- C:\Windows\System\QtVvuSM.exe
  C:\Windows\System\QtVvuSM.exe
  2⤵
  PID:6624
- C:\Windows\System\WDDOdOo.exe
  C:\Windows\System\WDDOdOo.exe
  2⤵
  PID:6640
- C:\Windows\System\orddzyq.exe
  C:\Windows\System\orddzyq.exe
  2⤵
  PID:6656
- C:\Windows\System\IQZjWVd.exe
  C:\Windows\System\IQZjWVd.exe
  2⤵
  PID:6696
- C:\Windows\System\GdHkwyK.exe
  C:\Windows\System\GdHkwyK.exe
  2⤵
  PID:6736
- C:\Windows\System\msiRhHB.exe
  C:\Windows\System\msiRhHB.exe
  2⤵
  PID:6764
- C:\Windows\System\xiboMlL.exe
  C:\Windows\System\xiboMlL.exe
  2⤵
  PID:6796
- C:\Windows\System\mHVBLhh.exe
  C:\Windows\System\mHVBLhh.exe
  2⤵
  PID:6820
- C:\Windows\System\AkykXRE.exe
  C:\Windows\System\AkykXRE.exe
  2⤵
  PID:6848
- C:\Windows\System\lgpHmgk.exe
  C:\Windows\System\lgpHmgk.exe
  2⤵
  PID:6876
- C:\Windows\System\gfgeLpx.exe
  C:\Windows\System\gfgeLpx.exe
  2⤵
  PID:6904
- C:\Windows\System\EVrRnaX.exe
  C:\Windows\System\EVrRnaX.exe
  2⤵
  PID:6932
- C:\Windows\System\IaJxJuM.exe
  C:\Windows\System\IaJxJuM.exe
  2⤵
  PID:6960
- C:\Windows\System\jziwOkP.exe
  C:\Windows\System\jziwOkP.exe
  2⤵
  PID:6988
- C:\Windows\System\nLZHJbv.exe
  C:\Windows\System\nLZHJbv.exe
  2⤵
  PID:7016
- C:\Windows\System\wAVtSfB.exe
  C:\Windows\System\wAVtSfB.exe
  2⤵
  PID:7044
- C:\Windows\System\smCDnHO.exe
  C:\Windows\System\smCDnHO.exe
  2⤵
  PID:7072
- C:\Windows\System\GAfVNHb.exe
  C:\Windows\System\GAfVNHb.exe
  2⤵
  PID:7100
- C:\Windows\System\yaQKSVA.exe
  C:\Windows\System\yaQKSVA.exe
  2⤵
  PID:7128
- C:\Windows\System\byqyhoB.exe
  C:\Windows\System\byqyhoB.exe
  2⤵
  PID:7156
- C:\Windows\System\mbFyWWM.exe
  C:\Windows\System\mbFyWWM.exe
  2⤵
  PID:6188
- C:\Windows\System\MdLmydM.exe
  C:\Windows\System\MdLmydM.exe
  2⤵
  PID:6268
- C:\Windows\System\rmXICnu.exe
  C:\Windows\System\rmXICnu.exe
  2⤵
  PID:6304
- C:\Windows\System\RkQRxiU.exe
  C:\Windows\System\RkQRxiU.exe
  2⤵
  PID:6404
- C:\Windows\System\fbAljFF.exe
  C:\Windows\System\fbAljFF.exe
  2⤵
  PID:6496
- C:\Windows\System\KwzsCfX.exe
  C:\Windows\System\KwzsCfX.exe
  2⤵
  PID:6556
- C:\Windows\System\yozlmTe.exe
  C:\Windows\System\yozlmTe.exe
  2⤵
  PID:6636
- C:\Windows\System\GTEQFXk.exe
  C:\Windows\System\GTEQFXk.exe
  2⤵
  PID:6748
- C:\Windows\System\gPGZJmf.exe
  C:\Windows\System\gPGZJmf.exe
  2⤵
  PID:6840
- C:\Windows\System\fYjJRoE.exe
  C:\Windows\System\fYjJRoE.exe
  2⤵
  PID:6928
- C:\Windows\System\xxmScqN.exe
  C:\Windows\System\xxmScqN.exe
  2⤵
  PID:7028
- C:\Windows\System\iKBOEmN.exe
  C:\Windows\System\iKBOEmN.exe
  2⤵
  PID:7084
- C:\Windows\System\kcwEoiy.exe
  C:\Windows\System\kcwEoiy.exe
  2⤵
  PID:6168
- C:\Windows\System\QNbXZUA.exe
  C:\Windows\System\QNbXZUA.exe
  2⤵
  PID:6360
- C:\Windows\System\kKqBzRF.exe
  C:\Windows\System\kKqBzRF.exe
  2⤵
  PID:6524
- C:\Windows\System\sKjyTYZ.exe
  C:\Windows\System\sKjyTYZ.exe
  2⤵
  PID:6732
- C:\Windows\System\oXrekBe.exe
  C:\Windows\System\oXrekBe.exe
  2⤵
  PID:6924
- C:\Windows\System\xYgSBkt.exe
  C:\Windows\System\xYgSBkt.exe
  2⤵
  PID:6236
- C:\Windows\System\Adlxwkw.exe
  C:\Windows\System\Adlxwkw.exe
  2⤵
  PID:7068
- C:\Windows\System\DyBqFNF.exe
  C:\Windows\System\DyBqFNF.exe
  2⤵
  PID:7152
- C:\Windows\System\ReTZiUA.exe
  C:\Windows\System\ReTZiUA.exe
  2⤵
  PID:7204
- C:\Windows\System\XkzsVOH.exe
  C:\Windows\System\XkzsVOH.exe
  2⤵
  PID:7240
- C:\Windows\System\VcEOVjg.exe
  C:\Windows\System\VcEOVjg.exe
  2⤵
  PID:7288
- C:\Windows\System\oKNrive.exe
  C:\Windows\System\oKNrive.exe
  2⤵
  PID:7320
- C:\Windows\System\ekCjJbT.exe
  C:\Windows\System\ekCjJbT.exe
  2⤵
  PID:7356
- C:\Windows\System\bpKVtrt.exe
  C:\Windows\System\bpKVtrt.exe
  2⤵
  PID:7392
- C:\Windows\System\YwRGJJc.exe
  C:\Windows\System\YwRGJJc.exe
  2⤵
  PID:7412
- C:\Windows\System\zScJiOW.exe
  C:\Windows\System\zScJiOW.exe
  2⤵
  PID:7428
- C:\Windows\System\ClwpJnC.exe
  C:\Windows\System\ClwpJnC.exe
  2⤵
  PID:7452
- C:\Windows\System\eNwioES.exe
  C:\Windows\System\eNwioES.exe
  2⤵
  PID:7488
- C:\Windows\System\HQbzAKt.exe
  C:\Windows\System\HQbzAKt.exe
  2⤵
  PID:7524
- C:\Windows\System\QZhSdUV.exe
  C:\Windows\System\QZhSdUV.exe
  2⤵
  PID:7544
- C:\Windows\System\wBvFfsy.exe
  C:\Windows\System\wBvFfsy.exe
  2⤵
  PID:7576
- C:\Windows\System\cNmDtaI.exe
  C:\Windows\System\cNmDtaI.exe
  2⤵
  PID:7604
- C:\Windows\System\SGROfgB.exe
  C:\Windows\System\SGROfgB.exe
  2⤵
  PID:7636
- C:\Windows\System\QcwJrzM.exe
  C:\Windows\System\QcwJrzM.exe
  2⤵
  PID:7668
- C:\Windows\System\TEJJSbQ.exe
  C:\Windows\System\TEJJSbQ.exe
  2⤵
  PID:7700
- C:\Windows\System\CZFoJiF.exe
  C:\Windows\System\CZFoJiF.exe
  2⤵
  PID:7736
- C:\Windows\System\aJInNOm.exe
  C:\Windows\System\aJInNOm.exe
  2⤵
  PID:7768
- C:\Windows\System\WeLYqns.exe
  C:\Windows\System\WeLYqns.exe
  2⤵
  PID:7808
- C:\Windows\System\xtIBazh.exe
  C:\Windows\System\xtIBazh.exe
  2⤵
  PID:7832
- C:\Windows\System\vqHdyrx.exe
  C:\Windows\System\vqHdyrx.exe
  2⤵
  PID:7868
- C:\Windows\System\DDSiDVP.exe
  C:\Windows\System\DDSiDVP.exe
  2⤵
  PID:7896
- C:\Windows\System\NSSzJFX.exe
  C:\Windows\System\NSSzJFX.exe
  2⤵
  PID:7924
- C:\Windows\System\lEZbzQh.exe
  C:\Windows\System\lEZbzQh.exe
  2⤵
  PID:7952
- C:\Windows\System\zFYWIkQ.exe
  C:\Windows\System\zFYWIkQ.exe
  2⤵
  PID:7980
- C:\Windows\System\oralhRH.exe
  C:\Windows\System\oralhRH.exe
  2⤵
  PID:8008
- C:\Windows\System\dRidYgB.exe
  C:\Windows\System\dRidYgB.exe
  2⤵
  PID:8036
- C:\Windows\System\UlBzvfb.exe
  C:\Windows\System\UlBzvfb.exe
  2⤵
  PID:8064
- C:\Windows\System\kEiLHlL.exe
  C:\Windows\System\kEiLHlL.exe
  2⤵
  PID:8092
- C:\Windows\System\dtyooSN.exe
  C:\Windows\System\dtyooSN.exe
  2⤵
  PID:8120
- C:\Windows\System\sOAwSLX.exe
  C:\Windows\System\sOAwSLX.exe
  2⤵
  PID:8152
- C:\Windows\System\BzxFNaS.exe
  C:\Windows\System\BzxFNaS.exe
  2⤵
  PID:8180
- C:\Windows\System\qMnUhof.exe
  C:\Windows\System\qMnUhof.exe
  2⤵
  PID:7196
- C:\Windows\System\wGqNoWV.exe
  C:\Windows\System\wGqNoWV.exe
  2⤵
  PID:7272
- C:\Windows\System\HazZcht.exe
  C:\Windows\System\HazZcht.exe
  2⤵
  PID:7372
- C:\Windows\System\nPJZDYq.exe
  C:\Windows\System\nPJZDYq.exe
  2⤵
  PID:7440
- C:\Windows\System\LkmFQrm.exe
  C:\Windows\System\LkmFQrm.exe
  2⤵
  PID:7508
- C:\Windows\System\SaOshoZ.exe
  C:\Windows\System\SaOshoZ.exe
  2⤵
  PID:7540
- C:\Windows\System\kWqDHdd.exe
  C:\Windows\System\kWqDHdd.exe
  2⤵
  PID:7624
- C:\Windows\System\wBauxUd.exe
  C:\Windows\System\wBauxUd.exe
  2⤵
  PID:7720
- C:\Windows\System\JeTgbej.exe
  C:\Windows\System\JeTgbej.exe
  2⤵
  PID:7800
- C:\Windows\System\Yaojhce.exe
  C:\Windows\System\Yaojhce.exe
  2⤵
  PID:7860
- C:\Windows\System\QHTXyXP.exe
  C:\Windows\System\QHTXyXP.exe
  2⤵
  PID:7920
- C:\Windows\System\usiFOgu.exe
  C:\Windows\System\usiFOgu.exe
  2⤵
  PID:7992
- C:\Windows\System\fmwwMMK.exe
  C:\Windows\System\fmwwMMK.exe
  2⤵
  PID:2216
- C:\Windows\System\EyYkXhc.exe
  C:\Windows\System\EyYkXhc.exe
  2⤵
  PID:8112
- C:\Windows\System\ZfWEdRk.exe
  C:\Windows\System\ZfWEdRk.exe
  2⤵
  PID:8176
- C:\Windows\System\cakloOq.exe
  C:\Windows\System\cakloOq.exe
  2⤵
  PID:7268
- C:\Windows\System\JQnBewb.exe
  C:\Windows\System\JQnBewb.exe
  2⤵
  PID:7408
- C:\Windows\System\PFCGjJX.exe
  C:\Windows\System\PFCGjJX.exe
  2⤵
  PID:7652
- C:\Windows\System\QSIxfNg.exe
  C:\Windows\System\QSIxfNg.exe
  2⤵
  PID:7820
- C:\Windows\System\bCimRmO.exe
  C:\Windows\System\bCimRmO.exe
  2⤵
  PID:7948
- C:\Windows\System\FnqbklD.exe
  C:\Windows\System\FnqbklD.exe
  2⤵
  PID:8104
- C:\Windows\System\IrKPEbe.exe
  C:\Windows\System\IrKPEbe.exe
  2⤵
  PID:7404
- C:\Windows\System\wQAalTo.exe
  C:\Windows\System\wQAalTo.exe
  2⤵
  PID:7764
- C:\Windows\System\hrBmSoQ.exe
  C:\Windows\System\hrBmSoQ.exe
  2⤵
  PID:8088
- C:\Windows\System\ynqLhsK.exe
  C:\Windows\System\ynqLhsK.exe
  2⤵
  PID:8076
- C:\Windows\System\rJGrajS.exe
  C:\Windows\System\rJGrajS.exe
  2⤵
  PID:8200
- C:\Windows\System\zhjkMuM.exe
  C:\Windows\System\zhjkMuM.exe
  2⤵
  PID:8228
- C:\Windows\System\lfhivWE.exe
  C:\Windows\System\lfhivWE.exe
  2⤵
  PID:8256
- C:\Windows\System\XcVyoSF.exe
  C:\Windows\System\XcVyoSF.exe
  2⤵
  PID:8284
- C:\Windows\System\UchYdmk.exe
  C:\Windows\System\UchYdmk.exe
  2⤵
  PID:8312
- C:\Windows\System\IrsOAaw.exe
  C:\Windows\System\IrsOAaw.exe
  2⤵
  PID:8348
- C:\Windows\System\QHlOLry.exe
  C:\Windows\System\QHlOLry.exe
  2⤵
  PID:8368
- C:\Windows\System\fLILcGb.exe
  C:\Windows\System\fLILcGb.exe
  2⤵
  PID:8396
- C:\Windows\System\qkmAUOc.exe
  C:\Windows\System\qkmAUOc.exe
  2⤵
  PID:8424
- C:\Windows\System\HKyVAPO.exe
  C:\Windows\System\HKyVAPO.exe
  2⤵
  PID:8452
- C:\Windows\System\mbXmRPX.exe
  C:\Windows\System\mbXmRPX.exe
  2⤵
  PID:8480
- C:\Windows\System\lsZtqoz.exe
  C:\Windows\System\lsZtqoz.exe
  2⤵
  PID:8508
- C:\Windows\System\pNsrNRi.exe
  C:\Windows\System\pNsrNRi.exe
  2⤵
  PID:8536
- C:\Windows\System\ApHCutI.exe
  C:\Windows\System\ApHCutI.exe
  2⤵
  PID:8564
- C:\Windows\System\WgtFkEW.exe
  C:\Windows\System\WgtFkEW.exe
  2⤵
  PID:8592
- C:\Windows\System\iLNFkIx.exe
  C:\Windows\System\iLNFkIx.exe
  2⤵
  PID:8620
- C:\Windows\System\ALqJfOc.exe
  C:\Windows\System\ALqJfOc.exe
  2⤵
  PID:8636
- C:\Windows\System\sntvYui.exe
  C:\Windows\System\sntvYui.exe
  2⤵
  PID:8652
- C:\Windows\System\slUxfqR.exe
  C:\Windows\System\slUxfqR.exe
  2⤵
  PID:8668
- C:\Windows\System\Xtkbgis.exe
  C:\Windows\System\Xtkbgis.exe
  2⤵
  PID:8700
- C:\Windows\System\zqTZwON.exe
  C:\Windows\System\zqTZwON.exe
  2⤵
  PID:8732
- C:\Windows\System\UhCVLOE.exe
  C:\Windows\System\UhCVLOE.exe
  2⤵
  PID:8776
- C:\Windows\System\itEdxLh.exe
  C:\Windows\System\itEdxLh.exe
  2⤵
  PID:8812
- C:\Windows\System\koRDeTi.exe
  C:\Windows\System\koRDeTi.exe
  2⤵
  PID:8844
- C:\Windows\System\hMdAcNO.exe
  C:\Windows\System\hMdAcNO.exe
  2⤵
  PID:8876
- C:\Windows\System\sJPoBWV.exe
  C:\Windows\System\sJPoBWV.exe
  2⤵
  PID:8904
- C:\Windows\System\BllAjFv.exe
  C:\Windows\System\BllAjFv.exe
  2⤵
  PID:8932
- C:\Windows\System\nHovQvQ.exe
  C:\Windows\System\nHovQvQ.exe
  2⤵
  PID:8960
- C:\Windows\System\UXiCFFo.exe
  C:\Windows\System\UXiCFFo.exe
  2⤵
  PID:8988
- C:\Windows\System\jQHXIEp.exe
  C:\Windows\System\jQHXIEp.exe
  2⤵
  PID:9016
- C:\Windows\System\iIDbFKx.exe
  C:\Windows\System\iIDbFKx.exe
  2⤵
  PID:9044
- C:\Windows\System\yEZduTU.exe
  C:\Windows\System\yEZduTU.exe
  2⤵
  PID:9072
- C:\Windows\System\ZkuIgfJ.exe
  C:\Windows\System\ZkuIgfJ.exe
  2⤵
  PID:9100
- C:\Windows\System\LCkTkMD.exe
  C:\Windows\System\LCkTkMD.exe
  2⤵
  PID:9128
- C:\Windows\System\cwDgWEx.exe
  C:\Windows\System\cwDgWEx.exe
  2⤵
  PID:9156
- C:\Windows\System\WYzBoAt.exe
  C:\Windows\System\WYzBoAt.exe
  2⤵
  PID:9184
- C:\Windows\System\hwTFrkj.exe
  C:\Windows\System\hwTFrkj.exe
  2⤵
  PID:9212
- C:\Windows\System\gqvlZMv.exe
  C:\Windows\System\gqvlZMv.exe
  2⤵
  PID:8248
- C:\Windows\System\OiJKiUo.exe
  C:\Windows\System\OiJKiUo.exe
  2⤵
  PID:8304
- C:\Windows\System\VtPMEon.exe
  C:\Windows\System\VtPMEon.exe
  2⤵
  PID:8364
- C:\Windows\System\KmueIvP.exe
  C:\Windows\System\KmueIvP.exe
  2⤵
  PID:8436
- C:\Windows\System\ardhDaW.exe
  C:\Windows\System\ardhDaW.exe
  2⤵
  PID:8500
- C:\Windows\System\QrofsGl.exe
  C:\Windows\System\QrofsGl.exe
  2⤵
  PID:8560
- C:\Windows\System\kpkmMDP.exe
  C:\Windows\System\kpkmMDP.exe
  2⤵
  PID:8664
- C:\Windows\System\JMjOkKT.exe
  C:\Windows\System\JMjOkKT.exe
  2⤵
  PID:8720
- C:\Windows\System\WhmwZuF.exe
  C:\Windows\System\WhmwZuF.exe
  2⤵
  PID:8772
- C:\Windows\System\ofokZin.exe
  C:\Windows\System\ofokZin.exe
  2⤵
  PID:8836
- C:\Windows\System\qlBpKws.exe
  C:\Windows\System\qlBpKws.exe
  2⤵
  PID:8896
- C:\Windows\System\xYCdtDq.exe
  C:\Windows\System\xYCdtDq.exe
  2⤵
  PID:8972
- C:\Windows\System\SzGdFEg.exe
  C:\Windows\System\SzGdFEg.exe
  2⤵
  PID:9036
- C:\Windows\System\pveCaiC.exe
  C:\Windows\System\pveCaiC.exe
  2⤵
  PID:9096
- C:\Windows\System\aGfXddo.exe
  C:\Windows\System\aGfXddo.exe
  2⤵
  PID:8048
- C:\Windows\System\dSmNdtx.exe
  C:\Windows\System\dSmNdtx.exe
  2⤵
  PID:8224
- C:\Windows\System\orbxFTw.exe
  C:\Windows\System\orbxFTw.exe
  2⤵
  PID:8356
- C:\Windows\System\dYQtOBr.exe
  C:\Windows\System\dYQtOBr.exe
  2⤵
  PID:8548
- C:\Windows\System\vlytjtM.exe
  C:\Windows\System\vlytjtM.exe
  2⤵
  PID:8648
- C:\Windows\System\TlsmXhR.exe
  C:\Windows\System\TlsmXhR.exe
  2⤵
  PID:8928
- C:\Windows\System\GWtcbaT.exe
  C:\Windows\System\GWtcbaT.exe
  2⤵
  PID:9152
- C:\Windows\System\rWMFQaT.exe
  C:\Windows\System\rWMFQaT.exe
  2⤵
  PID:8644
- C:\Windows\System\MCBBxgq.exe
  C:\Windows\System\MCBBxgq.exe
  2⤵
  PID:9064
- C:\Windows\System\jygUduL.exe
  C:\Windows\System\jygUduL.exe
  2⤵
  PID:8888
- C:\Windows\System\bDOWnAh.exe
  C:\Windows\System\bDOWnAh.exe
  2⤵
  PID:9224
- C:\Windows\System\CzwRdTu.exe
  C:\Windows\System\CzwRdTu.exe
  2⤵
  PID:9252
- C:\Windows\System\LMRJSgq.exe
  C:\Windows\System\LMRJSgq.exe
  2⤵
  PID:9300
- C:\Windows\System\TBxfsVt.exe
  C:\Windows\System\TBxfsVt.exe
  2⤵
  PID:9332
- C:\Windows\System\zTnLwpO.exe
  C:\Windows\System\zTnLwpO.exe
  2⤵
  PID:9364
- C:\Windows\System\YgGleiD.exe
  C:\Windows\System\YgGleiD.exe
  2⤵
  PID:9392
- C:\Windows\System\lraTKfI.exe
  C:\Windows\System\lraTKfI.exe
  2⤵
  PID:9420
- C:\Windows\System\EaPTBVr.exe
  C:\Windows\System\EaPTBVr.exe
  2⤵
  PID:9448
- C:\Windows\System\EyKtvsw.exe
  C:\Windows\System\EyKtvsw.exe
  2⤵
  PID:9476
- C:\Windows\System\DUkMmos.exe
  C:\Windows\System\DUkMmos.exe
  2⤵
  PID:9504
- C:\Windows\System\MiUcIyD.exe
  C:\Windows\System\MiUcIyD.exe
  2⤵
  PID:9532
- C:\Windows\System\VQEQGtA.exe
  C:\Windows\System\VQEQGtA.exe
  2⤵
  PID:9560
- C:\Windows\System\afVsExN.exe
  C:\Windows\System\afVsExN.exe
  2⤵
  PID:9580
- C:\Windows\System\ojbwkmM.exe
  C:\Windows\System\ojbwkmM.exe
  2⤵
  PID:9616
- C:\Windows\System\vzBPKIX.exe
  C:\Windows\System\vzBPKIX.exe
  2⤵
  PID:9644
- C:\Windows\System\yRkNzWr.exe
  C:\Windows\System\yRkNzWr.exe
  2⤵
  PID:9672
- C:\Windows\System\nuJupIz.exe
  C:\Windows\System\nuJupIz.exe
  2⤵
  PID:9700
- C:\Windows\System\yOTuNPG.exe
  C:\Windows\System\yOTuNPG.exe
  2⤵
  PID:9728
- C:\Windows\System\kTlKRgc.exe
  C:\Windows\System\kTlKRgc.exe
  2⤵
  PID:9756
- C:\Windows\System\ngwBnxA.exe
  C:\Windows\System\ngwBnxA.exe
  2⤵
  PID:9784
- C:\Windows\System\klaJWSX.exe
  C:\Windows\System\klaJWSX.exe
  2⤵
  PID:9812
- C:\Windows\System\aKYIPzl.exe
  C:\Windows\System\aKYIPzl.exe
  2⤵
  PID:9840
- C:\Windows\System\mNfjZrM.exe
  C:\Windows\System\mNfjZrM.exe
  2⤵
  PID:9872
- C:\Windows\System\gKhEEjA.exe
  C:\Windows\System\gKhEEjA.exe
  2⤵
  PID:9908
- C:\Windows\System\mNHcHkZ.exe
  C:\Windows\System\mNHcHkZ.exe
  2⤵
  PID:9936
- C:\Windows\System\qNjCTUB.exe
  C:\Windows\System\qNjCTUB.exe
  2⤵
  PID:9968
- C:\Windows\System\dQYsuMA.exe
  C:\Windows\System\dQYsuMA.exe
  2⤵
  PID:9996
- C:\Windows\System\ugIfecD.exe
  C:\Windows\System\ugIfecD.exe
  2⤵
  PID:10028
- C:\Windows\System\qcldiPV.exe
  C:\Windows\System\qcldiPV.exe
  2⤵
  PID:10056
- C:\Windows\System\qutzBSD.exe
  C:\Windows\System\qutzBSD.exe
  2⤵
  PID:10084
- C:\Windows\System\LTOVsZl.exe
  C:\Windows\System\LTOVsZl.exe
  2⤵
  PID:10112
- C:\Windows\System\ZnGwGbA.exe
  C:\Windows\System\ZnGwGbA.exe
  2⤵
  PID:10140
- C:\Windows\System\gcyKsHI.exe
  C:\Windows\System\gcyKsHI.exe
  2⤵
  PID:10168
- C:\Windows\System\nrCEaPY.exe
  C:\Windows\System\nrCEaPY.exe
  2⤵
  PID:10196
- C:\Windows\System\gWlLlIO.exe
  C:\Windows\System\gWlLlIO.exe
  2⤵
  PID:10224
- C:\Windows\System\hcpKjJo.exe
  C:\Windows\System\hcpKjJo.exe
  2⤵
  PID:9244
- C:\Windows\System\desSjKN.exe
  C:\Windows\System\desSjKN.exe
  2⤵
  PID:9376
- C:\Windows\System\iQMFGEl.exe
  C:\Windows\System\iQMFGEl.exe
  2⤵
  PID:9412
- C:\Windows\System\wrykXpC.exe
  C:\Windows\System\wrykXpC.exe
  2⤵
  PID:9472
- C:\Windows\System\peNmwMj.exe
  C:\Windows\System\peNmwMj.exe
  2⤵
  PID:9544
- C:\Windows\System\zkdmHBP.exe
  C:\Windows\System\zkdmHBP.exe
  2⤵
  PID:9608
- C:\Windows\System\zgPkwEN.exe
  C:\Windows\System\zgPkwEN.exe
  2⤵
  PID:9668
- C:\Windows\System\CLTPrPU.exe
  C:\Windows\System\CLTPrPU.exe
  2⤵
  PID:9752
- C:\Windows\System\mkKeRbC.exe
  C:\Windows\System\mkKeRbC.exe
  2⤵
  PID:9808
- C:\Windows\System\xbUiwUK.exe
  C:\Windows\System\xbUiwUK.exe
  2⤵
  PID:9868
- C:\Windows\System\XzVsSQl.exe
  C:\Windows\System\XzVsSQl.exe
  2⤵
  PID:9964
- C:\Windows\System\kprQPWw.exe
  C:\Windows\System\kprQPWw.exe
  2⤵
  PID:10020
- C:\Windows\System\cSadBmc.exe
  C:\Windows\System\cSadBmc.exe
  2⤵
  PID:10080
- C:\Windows\System\eTSbqvG.exe
  C:\Windows\System\eTSbqvG.exe
  2⤵
  PID:10152
- C:\Windows\System\kNmYruc.exe
  C:\Windows\System\kNmYruc.exe
  2⤵
  PID:10216
- C:\Windows\System\hVbSFha.exe
  C:\Windows\System\hVbSFha.exe
  2⤵
  PID:9316
- C:\Windows\System\nYILRaS.exe
  C:\Windows\System\nYILRaS.exe
  2⤵
  PID:9468
- C:\Windows\System\oTaTKaI.exe
  C:\Windows\System\oTaTKaI.exe
  2⤵
  PID:9656
- C:\Windows\System\eTCCunf.exe
  C:\Windows\System\eTCCunf.exe
  2⤵
  PID:9780
- C:\Windows\System\duuazfY.exe
  C:\Windows\System\duuazfY.exe
  2⤵
  PID:9932
- C:\Windows\System\iZtqVOF.exe
  C:\Windows\System\iZtqVOF.exe
  2⤵
  PID:10180
- C:\Windows\System\tCkltJG.exe
  C:\Windows\System\tCkltJG.exe
  2⤵
  PID:9440
- C:\Windows\System\HvmLfZj.exe
  C:\Windows\System\HvmLfZj.exe
  2⤵
  PID:9600
- C:\Windows\System\eshznFq.exe
  C:\Windows\System\eshznFq.exe
  2⤵
  PID:9928
- C:\Windows\System\tGlFMyw.exe
  C:\Windows\System\tGlFMyw.exe
  2⤵
  PID:10136
- C:\Windows\System\QdvjCrl.exe
  C:\Windows\System\QdvjCrl.exe
  2⤵
  PID:9724
- C:\Windows\System\CpqWAxC.exe
  C:\Windows\System\CpqWAxC.exe
  2⤵
  PID:10252
- C:\Windows\System\awSoEZX.exe
  C:\Windows\System\awSoEZX.exe
  2⤵
  PID:10288
- C:\Windows\System\GDDCEam.exe
  C:\Windows\System\GDDCEam.exe
  2⤵
  PID:10332
- C:\Windows\System\RgvYcxW.exe
  C:\Windows\System\RgvYcxW.exe
  2⤵
  PID:10368
- C:\Windows\System\fGXxTBb.exe
  C:\Windows\System\fGXxTBb.exe
  2⤵
  PID:10408
- C:\Windows\System\NGuaHYa.exe
  C:\Windows\System\NGuaHYa.exe
  2⤵
  PID:10440
- C:\Windows\System\ibkSbzd.exe
  C:\Windows\System\ibkSbzd.exe
  2⤵
  PID:10468
- C:\Windows\System\XlWqBRX.exe
  C:\Windows\System\XlWqBRX.exe
  2⤵
  PID:10496
- C:\Windows\System\tXHTCGj.exe
  C:\Windows\System\tXHTCGj.exe
  2⤵
  PID:10524
- C:\Windows\System\ouhUuwf.exe
  C:\Windows\System\ouhUuwf.exe
  2⤵
  PID:10552
- C:\Windows\System\kolGjqt.exe
  C:\Windows\System\kolGjqt.exe
  2⤵
  PID:10580
- C:\Windows\System\RDjfCwt.exe
  C:\Windows\System\RDjfCwt.exe
  2⤵
  PID:10608
- C:\Windows\System\bsguXbA.exe
  C:\Windows\System\bsguXbA.exe
  2⤵
  PID:10636
- C:\Windows\System\dYvkjVE.exe
  C:\Windows\System\dYvkjVE.exe
  2⤵
  PID:10668
- C:\Windows\System\CniLRDS.exe
  C:\Windows\System\CniLRDS.exe
  2⤵
  PID:10696
- C:\Windows\System\VfIXKYH.exe
  C:\Windows\System\VfIXKYH.exe
  2⤵
  PID:10724
- C:\Windows\System\corIMyS.exe
  C:\Windows\System\corIMyS.exe
  2⤵
  PID:10752
- C:\Windows\System\yZuFrtY.exe
  C:\Windows\System\yZuFrtY.exe
  2⤵
  PID:10780
- C:\Windows\System\rkFcnoo.exe
  C:\Windows\System\rkFcnoo.exe
  2⤵
  PID:10808
- C:\Windows\System\cQetRiL.exe
  C:\Windows\System\cQetRiL.exe
  2⤵
  PID:10836
- C:\Windows\System\CsykIYY.exe
  C:\Windows\System\CsykIYY.exe
  2⤵
  PID:10868
- C:\Windows\System\IoYZxgN.exe
  C:\Windows\System\IoYZxgN.exe
  2⤵
  PID:10896
- C:\Windows\System\kCucXTt.exe
  C:\Windows\System\kCucXTt.exe
  2⤵
  PID:10924
- C:\Windows\System\sTVnPzT.exe
  C:\Windows\System\sTVnPzT.exe
  2⤵
  PID:10952
- C:\Windows\System\RNHxYtO.exe
  C:\Windows\System\RNHxYtO.exe
  2⤵
  PID:10980
- C:\Windows\System\BFrVxGu.exe
  C:\Windows\System\BFrVxGu.exe
  2⤵
  PID:11008
- C:\Windows\System\JchzNFC.exe
  C:\Windows\System\JchzNFC.exe
  2⤵
  PID:11036
- C:\Windows\System\aCXZfKT.exe
  C:\Windows\System\aCXZfKT.exe
  2⤵
  PID:11068
- C:\Windows\System\FZvwDHQ.exe
  C:\Windows\System\FZvwDHQ.exe
  2⤵
  PID:11096
- C:\Windows\System\fWZfykC.exe
  C:\Windows\System\fWZfykC.exe
  2⤵
  PID:11124
- C:\Windows\System\YSDVJGM.exe
  C:\Windows\System\YSDVJGM.exe
  2⤵
  PID:11152
- C:\Windows\System\Qvgamad.exe
  C:\Windows\System\Qvgamad.exe
  2⤵
  PID:11180
- C:\Windows\System\SdYYPfc.exe
  C:\Windows\System\SdYYPfc.exe
  2⤵
  PID:11208
- C:\Windows\System\MHmhmwm.exe
  C:\Windows\System\MHmhmwm.exe
  2⤵
  PID:11236
- C:\Windows\System\KTEqQaz.exe
  C:\Windows\System\KTEqQaz.exe
  2⤵
  PID:9992
- C:\Windows\System\WCBXgRQ.exe
  C:\Windows\System\WCBXgRQ.exe
  2⤵
  PID:10276
- C:\Windows\System\JSvSpFe.exe
  C:\Windows\System\JSvSpFe.exe
  2⤵
  PID:10352
- C:\Windows\System\rwUzDuS.exe
  C:\Windows\System\rwUzDuS.exe
  2⤵
  PID:10392
- C:\Windows\System\PoDDGWg.exe
  C:\Windows\System\PoDDGWg.exe
  2⤵
  PID:10456
- C:\Windows\System\vlgSLuu.exe
  C:\Windows\System\vlgSLuu.exe
  2⤵
  PID:10508
- C:\Windows\System\KVTApkl.exe
  C:\Windows\System\KVTApkl.exe
  2⤵
  PID:1220
- C:\Windows\System\bOVPsMu.exe
  C:\Windows\System\bOVPsMu.exe
  2⤵
  PID:10628
- C:\Windows\System\psDsbCX.exe
  C:\Windows\System\psDsbCX.exe
  2⤵
  PID:10688
- C:\Windows\System\gcmEeiJ.exe
  C:\Windows\System\gcmEeiJ.exe
  2⤵
  PID:10748
- C:\Windows\System\xexrEOZ.exe
  C:\Windows\System\xexrEOZ.exe
  2⤵
  PID:10820
- C:\Windows\System\RcqgvvS.exe
  C:\Windows\System\RcqgvvS.exe
  2⤵
  PID:3040
- C:\Windows\System\NLIVCDO.exe
  C:\Windows\System\NLIVCDO.exe
  2⤵
  PID:10936
- C:\Windows\System\EfcfnEa.exe
  C:\Windows\System\EfcfnEa.exe
  2⤵
  PID:2052
- C:\Windows\System\UOCcgtW.exe
  C:\Windows\System\UOCcgtW.exe
  2⤵
  PID:11032
- C:\Windows\System\hxymfan.exe
  C:\Windows\System\hxymfan.exe
  2⤵
  PID:11108
- C:\Windows\System\DAekYkj.exe
  C:\Windows\System\DAekYkj.exe
  2⤵
  PID:11164
- C:\Windows\System\syoVknZ.exe
  C:\Windows\System\syoVknZ.exe
  2⤵
  PID:11232
- C:\Windows\System\sTFwQHk.exe
  C:\Windows\System\sTFwQHk.exe
  2⤵
  PID:10296
- C:\Windows\System\qTEVPLm.exe
  C:\Windows\System\qTEVPLm.exe
  2⤵
  PID:10536
- C:\Windows\System\zJNzVMM.exe
  C:\Windows\System\zJNzVMM.exe
  2⤵
  PID:10620
- C:\Windows\System\WeXKJuA.exe
  C:\Windows\System\WeXKJuA.exe
  2⤵
  PID:10804
- C:\Windows\System\BpIRXMY.exe
  C:\Windows\System\BpIRXMY.exe
  2⤵
  PID:3144
- C:\Windows\System\sqvlnfk.exe
  C:\Windows\System\sqvlnfk.exe
  2⤵
  PID:11168
- C:\Windows\System\YkJUIpN.exe
  C:\Windows\System\YkJUIpN.exe
  2⤵
  PID:11256
- C:\Windows\System\VqzPpSh.exe
  C:\Windows\System\VqzPpSh.exe
  2⤵
  PID:10736
- C:\Windows\System\cIldiPp.exe
  C:\Windows\System\cIldiPp.exe
  2⤵
  PID:11088
- C:\Windows\System\ABCELlN.exe
  C:\Windows\System\ABCELlN.exe
  2⤵
  PID:10716
- C:\Windows\System\dNyKFGc.exe
  C:\Windows\System\dNyKFGc.exe
  2⤵
  PID:10964
- C:\Windows\System\CMnizXm.exe
  C:\Windows\System\CMnizXm.exe
  2⤵
  PID:11288
- C:\Windows\System\bxbDoAV.exe
  C:\Windows\System\bxbDoAV.exe
  2⤵
  PID:11320
- C:\Windows\System\VyoPVDb.exe
  C:\Windows\System\VyoPVDb.exe
  2⤵
  PID:11360
- C:\Windows\System\FBfESot.exe
  C:\Windows\System\FBfESot.exe
  2⤵
  PID:11392
- C:\Windows\System\UaPEGJx.exe
  C:\Windows\System\UaPEGJx.exe
  2⤵
  PID:11424
- C:\Windows\System\MkwljLH.exe
  C:\Windows\System\MkwljLH.exe
  2⤵
  PID:11456
- C:\Windows\System\WRrqLHk.exe
  C:\Windows\System\WRrqLHk.exe
  2⤵
  PID:11512
- C:\Windows\System\TfJkScZ.exe
  C:\Windows\System\TfJkScZ.exe
  2⤵
  PID:11552
- C:\Windows\System\rmBSJAc.exe
  C:\Windows\System\rmBSJAc.exe
  2⤵
  PID:11572
- C:\Windows\System\VDabROg.exe
  C:\Windows\System\VDabROg.exe
  2⤵
  PID:11596
- C:\Windows\System\SlRuIUg.exe
  C:\Windows\System\SlRuIUg.exe
  2⤵
  PID:11628
- C:\Windows\System\IWMynQK.exe
  C:\Windows\System\IWMynQK.exe
  2⤵
  PID:11660
- C:\Windows\System\NSoDlBT.exe
  C:\Windows\System\NSoDlBT.exe
  2⤵
  PID:11684
- C:\Windows\System\mEVBfjY.exe
  C:\Windows\System\mEVBfjY.exe
  2⤵
  PID:11704
- C:\Windows\System\DzuXHgb.exe
  C:\Windows\System\DzuXHgb.exe
  2⤵
  PID:11720
- C:\Windows\System\OzyhEJo.exe
  C:\Windows\System\OzyhEJo.exe
  2⤵
  PID:11736
- C:\Windows\System\UmZLyhg.exe
  C:\Windows\System\UmZLyhg.exe
  2⤵
  PID:11764
- C:\Windows\System\jIBrgdW.exe
  C:\Windows\System\jIBrgdW.exe
  2⤵
  PID:11792
- C:\Windows\System\InkLfMP.exe
  C:\Windows\System\InkLfMP.exe
  2⤵
  PID:11820
- C:\Windows\System\MAsktNj.exe
  C:\Windows\System\MAsktNj.exe
  2⤵
  PID:11840
- C:\Windows\System\PAmuQsI.exe
  C:\Windows\System\PAmuQsI.exe
  2⤵
  PID:11860
- C:\Windows\System\fGivuya.exe
  C:\Windows\System\fGivuya.exe
  2⤵
  PID:11880
- C:\Windows\System\mnjwmXP.exe
  C:\Windows\System\mnjwmXP.exe
  2⤵
  PID:11916
- C:\Windows\System\Ufyhvtb.exe
  C:\Windows\System\Ufyhvtb.exe
  2⤵
  PID:11944
- C:\Windows\System\IJQGNKy.exe
  C:\Windows\System\IJQGNKy.exe
  2⤵
  PID:11984
- C:\Windows\System\fmdtQlB.exe
  C:\Windows\System\fmdtQlB.exe
  2⤵
  PID:12016
- C:\Windows\System\ttIjXjr.exe
  C:\Windows\System\ttIjXjr.exe
  2⤵
  PID:12112
- C:\Windows\System\SftAJpT.exe
  C:\Windows\System\SftAJpT.exe
  2⤵
  PID:12128
- C:\Windows\System\hxmJDTb.exe
  C:\Windows\System\hxmJDTb.exe
  2⤵
  PID:12156
- C:\Windows\System\tZUOlYO.exe
  C:\Windows\System\tZUOlYO.exe
  2⤵
  PID:12184
- C:\Windows\System\EivyvEe.exe
  C:\Windows\System\EivyvEe.exe
  2⤵
  PID:12212
- C:\Windows\System\JmFtAsH.exe
  C:\Windows\System\JmFtAsH.exe
  2⤵
  PID:12240
- C:\Windows\System\XqMEMKo.exe
  C:\Windows\System\XqMEMKo.exe
  2⤵
  PID:12268
- C:\Windows\System\cOujsMt.exe
  C:\Windows\System\cOujsMt.exe
  2⤵
  PID:4320
- C:\Windows\System\InWYumm.exe
  C:\Windows\System\InWYumm.exe
  2⤵
  PID:11312
- C:\Windows\System\DWCwdyV.exe
  C:\Windows\System\DWCwdyV.exe
  2⤵
  PID:10396
- C:\Windows\System\PBXDDHB.exe
  C:\Windows\System\PBXDDHB.exe
  2⤵
  PID:11444
- C:\Windows\System\CcUFuYw.exe
  C:\Windows\System\CcUFuYw.exe
  2⤵
  PID:11548
- C:\Windows\System\pBuGiXe.exe
  C:\Windows\System\pBuGiXe.exe
  2⤵
  PID:11616
- C:\Windows\System\nbcChnJ.exe
  C:\Windows\System\nbcChnJ.exe
  2⤵
  PID:11680
- C:\Windows\System\tkOumbK.exe
  C:\Windows\System\tkOumbK.exe
  2⤵
  PID:11732
- C:\Windows\System\xkudxUn.exe
  C:\Windows\System\xkudxUn.exe
  2⤵
  PID:11804
- C:\Windows\System\FANPbwd.exe
  C:\Windows\System\FANPbwd.exe
  2⤵
  PID:11908
- C:\Windows\System\lJHyMNO.exe
  C:\Windows\System\lJHyMNO.exe
  2⤵
  PID:11936
- C:\Windows\System\OJemJCU.exe
  C:\Windows\System\OJemJCU.exe
  2⤵
  PID:11972
- C:\Windows\System\mUhafZo.exe
  C:\Windows\System\mUhafZo.exe
  2⤵
  PID:12068
- C:\Windows\System\eaPcGhR.exe
  C:\Windows\System\eaPcGhR.exe
  2⤵
  PID:12124
- C:\Windows\System\ZUeezbn.exe
  C:\Windows\System\ZUeezbn.exe
  2⤵
  PID:12180
- C:\Windows\System\EytNkSw.exe
  C:\Windows\System\EytNkSw.exe
  2⤵
  PID:12252
- C:\Windows\System\sizWyCI.exe
  C:\Windows\System\sizWyCI.exe
  2⤵
  PID:3416
- C:\Windows\System\dhDhKbS.exe
  C:\Windows\System\dhDhKbS.exe
  2⤵
  PID:11388
- C:\Windows\System\yxPcZzm.exe
  C:\Windows\System\yxPcZzm.exe
  2⤵
  PID:11560
- C:\Windows\System\kCCWObg.exe
  C:\Windows\System\kCCWObg.exe
  2⤵
  PID:11728
- C:\Windows\System\Voiwuqf.exe
  C:\Windows\System\Voiwuqf.exe
  2⤵
  PID:11876
- C:\Windows\System\BjcSmgK.exe
  C:\Windows\System\BjcSmgK.exe
  2⤵
  PID:11976
- C:\Windows\System\icpiJSu.exe
  C:\Windows\System\icpiJSu.exe
  2⤵
  PID:12104
- C:\Windows\System\IONBaIP.exe
  C:\Windows\System\IONBaIP.exe
  2⤵
  PID:12232
- C:\Windows\System\yZOewof.exe
  C:\Windows\System\yZOewof.exe
  2⤵
  PID:684
- C:\Windows\System\flECCJL.exe
  C:\Windows\System\flECCJL.exe
  2⤵
  PID:11676
- C:\Windows\System\pmursGP.exe
  C:\Windows\System\pmursGP.exe
  2⤵
  PID:11760
- C:\Windows\System\erSoJLh.exe
  C:\Windows\System\erSoJLh.exe
  2⤵
  PID:11852
- C:\Windows\System\qiFrjSP.exe
  C:\Windows\System\qiFrjSP.exe
  2⤵
  PID:12152
- C:\Windows\System\QnTYIVV.exe
  C:\Windows\System\QnTYIVV.exe
  2⤵
  PID:12320
- C:\Windows\System\vBhOGhi.exe
  C:\Windows\System\vBhOGhi.exe
  2⤵
  PID:12344
- C:\Windows\System\FKLeKMe.exe
  C:\Windows\System\FKLeKMe.exe
  2⤵
  PID:12372
- C:\Windows\System\eGPdgjR.exe
  C:\Windows\System\eGPdgjR.exe
  2⤵
  PID:12404
- C:\Windows\System\LXvcsDz.exe
  C:\Windows\System\LXvcsDz.exe
  2⤵
  PID:12440
- C:\Windows\System\sGUfBAH.exe
  C:\Windows\System\sGUfBAH.exe
  2⤵
  PID:12484
- C:\Windows\System\GqDcchp.exe
  C:\Windows\System\GqDcchp.exe
  2⤵
  PID:12508
- C:\Windows\System\uiCqxIe.exe
  C:\Windows\System\uiCqxIe.exe
  2⤵
  PID:12536
- C:\Windows\System\lDnMEOj.exe
  C:\Windows\System\lDnMEOj.exe
  2⤵
  PID:12580
- C:\Windows\System\mkWQuVL.exe
  C:\Windows\System\mkWQuVL.exe
  2⤵
  PID:12608
- C:\Windows\System\HbtvjcT.exe
  C:\Windows\System\HbtvjcT.exe
  2⤵
  PID:12636
- C:\Windows\System\mBZmRdm.exe
  C:\Windows\System\mBZmRdm.exe
  2⤵
  PID:12664
- C:\Windows\System\UTSUEQt.exe
  C:\Windows\System\UTSUEQt.exe
  2⤵
  PID:12692
- C:\Windows\System\kXtjFcX.exe
  C:\Windows\System\kXtjFcX.exe
  2⤵
  PID:12720
- C:\Windows\System\vWvaQdS.exe
  C:\Windows\System\vWvaQdS.exe
  2⤵
  PID:12748
- C:\Windows\System\KDwNwRO.exe
  C:\Windows\System\KDwNwRO.exe
  2⤵
  PID:12776
- C:\Windows\System\rozYevf.exe
  C:\Windows\System\rozYevf.exe
  2⤵
  PID:12804
- C:\Windows\System\bBJWPaM.exe
  C:\Windows\System\bBJWPaM.exe
  2⤵
  PID:12832
- C:\Windows\System\ruiTdjs.exe
  C:\Windows\System\ruiTdjs.exe
  2⤵
  PID:12860
- C:\Windows\System\jJTogLf.exe
  C:\Windows\System\jJTogLf.exe
  2⤵
  PID:12888
- C:\Windows\System\HgPrxst.exe
  C:\Windows\System\HgPrxst.exe
  2⤵
  PID:12916
- C:\Windows\System\JXDUhPJ.exe
  C:\Windows\System\JXDUhPJ.exe
  2⤵
  PID:12964
- C:\Windows\System\sNducma.exe
  C:\Windows\System\sNducma.exe
  2⤵
  PID:12980
- C:\Windows\System\rzjONKH.exe
  C:\Windows\System\rzjONKH.exe
  2⤵
  PID:13008
- C:\Windows\System\qgUADGK.exe
  C:\Windows\System\qgUADGK.exe
  2⤵
  PID:13036
- C:\Windows\System\lQFJofi.exe
  C:\Windows\System\lQFJofi.exe
  2⤵
  PID:13064
- C:\Windows\System\QtZiByd.exe
  C:\Windows\System\QtZiByd.exe
  2⤵
  PID:13104
- C:\Windows\System\fADoJiY.exe
  C:\Windows\System\fADoJiY.exe
  2⤵
  PID:13124
- C:\Windows\System\YgfBKVI.exe
  C:\Windows\System\YgfBKVI.exe
  2⤵
  PID:13152
- C:\Windows\System\IZXlaKT.exe
  C:\Windows\System\IZXlaKT.exe
  2⤵
  PID:13180
- C:\Windows\System\FdEPfwT.exe
  C:\Windows\System\FdEPfwT.exe
  2⤵
  PID:13208
- C:\Windows\System\EwvlhSg.exe
  C:\Windows\System\EwvlhSg.exe
  2⤵
  PID:13236
- C:\Windows\System\DzPvPsr.exe
  C:\Windows\System\DzPvPsr.exe
  2⤵
  PID:13264
- C:\Windows\System\tfekvWj.exe
  C:\Windows\System\tfekvWj.exe
  2⤵
  PID:13292
- C:\Windows\System\dUVOkQW.exe
  C:\Windows\System\dUVOkQW.exe
  2⤵
  PID:11412
- C:\Windows\System\EwkZSBU.exe
  C:\Windows\System\EwkZSBU.exe
  2⤵
  PID:11896
- C:\Windows\System\tqwBEoZ.exe
  C:\Windows\System\tqwBEoZ.exe
  2⤵
  PID:12332
- C:\Windows\System\stqsAZS.exe
  C:\Windows\System\stqsAZS.exe
  2⤵
  PID:12384
- C:\Windows\System\OGMKfNg.exe
  C:\Windows\System\OGMKfNg.exe
  2⤵
  PID:12472
- C:\Windows\System\LOKwFmU.exe
  C:\Windows\System\LOKwFmU.exe
  2⤵
  PID:12436
- C:\Windows\System\tLcMlQz.exe
  C:\Windows\System\tLcMlQz.exe
  2⤵
  PID:12592
- C:\Windows\System\tDcwAwM.exe
  C:\Windows\System\tDcwAwM.exe
  2⤵
  PID:12656
- C:\Windows\System\XfZnfOQ.exe
  C:\Windows\System\XfZnfOQ.exe
  2⤵
  PID:12740
- C:\Windows\System\BhYaxjm.exe
  C:\Windows\System\BhYaxjm.exe
  2⤵
  PID:12772
- C:\Windows\System\wqHYgWz.exe
  C:\Windows\System\wqHYgWz.exe
  2⤵
  PID:12844
- C:\Windows\System\GHlpHiw.exe
  C:\Windows\System\GHlpHiw.exe
  2⤵
  PID:12912
- C:\Windows\System\bsluBSY.exe
  C:\Windows\System\bsluBSY.exe
  2⤵
  PID:12976
- C:\Windows\System\IBeWzCi.exe
  C:\Windows\System\IBeWzCi.exe
  2⤵
  PID:13048
- C:\Windows\System\ZBYzOoF.exe
  C:\Windows\System\ZBYzOoF.exe
  2⤵
  PID:13112
- C:\Windows\System\EGrWcbK.exe
  C:\Windows\System\EGrWcbK.exe
  2⤵
  PID:13164
- C:\Windows\System\blAQEdi.exe
  C:\Windows\System\blAQEdi.exe
  2⤵
  PID:13232
- C:\Windows\System\JMSHoOL.exe
  C:\Windows\System\JMSHoOL.exe
  2⤵
  PID:13276
- C:\Windows\System\iQBhjzw.exe
  C:\Windows\System\iQBhjzw.exe
  2⤵
  PID:3580
- C:\Windows\System\RCVokos.exe
  C:\Windows\System\RCVokos.exe
  2⤵
  PID:12396
- C:\Windows\System\bhHBgGF.exe
  C:\Windows\System\bhHBgGF.exe
  2⤵
  PID:12560
- C:\Windows\System\RZwuvvl.exe
  C:\Windows\System\RZwuvvl.exe
  2⤵
  PID:1476
- C:\Windows\System\uBfuNsg.exe
  C:\Windows\System\uBfuNsg.exe
  2⤵
  PID:12884
- C:\Windows\System\foszqwG.exe
  C:\Windows\System\foszqwG.exe
  2⤵
  PID:13028
- C:\Windows\System\aYkFKTY.exe
  C:\Windows\System\aYkFKTY.exe
  2⤵
  PID:13220
- C:\Windows\System\JeLGshg.exe
  C:\Windows\System\JeLGshg.exe
  2⤵
  PID:11468
- C:\Windows\System\rkPCzkB.exe
  C:\Windows\System\rkPCzkB.exe
  2⤵
  PID:12548
- C:\Windows\System\iYpaPsF.exe
  C:\Windows\System\iYpaPsF.exe
  2⤵
  PID:12816
- C:\Windows\System\lKcQZAS.exe
  C:\Windows\System\lKcQZAS.exe
  2⤵
  PID:13088
- C:\Windows\System\MDKSewY.exe
  C:\Windows\System\MDKSewY.exe
  2⤵
  PID:12568
- C:\Windows\System\lnqSdwD.exe
  C:\Windows\System\lnqSdwD.exe
  2⤵
  PID:12292
- C:\Windows\System\fjQRPdg.exe
  C:\Windows\System\fjQRPdg.exe
  2⤵
  PID:13368
- C:\Windows\System\XkZTKra.exe
  C:\Windows\System\XkZTKra.exe
  2⤵
  PID:13384
- C:\Windows\System\PxGLIST.exe
  C:\Windows\System\PxGLIST.exe
  2⤵
  PID:13412
- C:\Windows\System\CgMURxG.exe
  C:\Windows\System\CgMURxG.exe
  2⤵
  PID:13432
- C:\Windows\System\vLzrXFs.exe
  C:\Windows\System\vLzrXFs.exe
  2⤵
  PID:13460
- C:\Windows\System\GAVtaEG.exe
  C:\Windows\System\GAVtaEG.exe
  2⤵
  PID:13484
- C:\Windows\System\nMpHhOY.exe
  C:\Windows\System\nMpHhOY.exe
  2⤵
  PID:13532
- C:\Windows\System\JmBVNgf.exe
  C:\Windows\System\JmBVNgf.exe
  2⤵
  PID:13560
- C:\Windows\System\LXCUdde.exe
  C:\Windows\System\LXCUdde.exe
  2⤵
  PID:13588
- C:\Windows\System\koKEjuW.exe
  C:\Windows\System\koKEjuW.exe
  2⤵
  PID:13612
- C:\Windows\System\KFecFFm.exe
  C:\Windows\System\KFecFFm.exe
  2⤵
  PID:13640
- C:\Windows\System\XtsfnnB.exe
  C:\Windows\System\XtsfnnB.exe
  2⤵
  PID:13668
- C:\Windows\System\tETUCuG.exe
  C:\Windows\System\tETUCuG.exe
  2⤵
  PID:13696
- C:\Windows\System\PzGrrNH.exe
  C:\Windows\System\PzGrrNH.exe
  2⤵
  PID:13736
- C:\Windows\System\aODFklI.exe
  C:\Windows\System\aODFklI.exe
  2⤵
  PID:13764
- C:\Windows\System\tmAEiVA.exe
  C:\Windows\System\tmAEiVA.exe
  2⤵
  PID:13788
- C:\Windows\System\zsgRiEN.exe
  C:\Windows\System\zsgRiEN.exe
  2⤵
  PID:13812
- C:\Windows\System\zZxcxzb.exe
  C:\Windows\System\zZxcxzb.exe
  2⤵
  PID:13848
- C:\Windows\System\unUBwSQ.exe
  C:\Windows\System\unUBwSQ.exe
  2⤵
  PID:13876
- C:\Windows\System\yJgrYmH.exe
  C:\Windows\System\yJgrYmH.exe
  2⤵
  PID:13904
- C:\Windows\System\OBAZPGH.exe
  C:\Windows\System\OBAZPGH.exe
  2⤵
  PID:13924
- C:\Windows\System\IojUMsW.exe
  C:\Windows\System\IojUMsW.exe
  2⤵
  PID:13952
- C:\Windows\System\ckBhXYT.exe
  C:\Windows\System\ckBhXYT.exe
  2⤵
  PID:13976
- C:\Windows\System\tqdMMgP.exe
  C:\Windows\System\tqdMMgP.exe
  2⤵
  PID:14000
- C:\Windows\System\RQEoAcG.exe
  C:\Windows\System\RQEoAcG.exe
  2⤵
  PID:14032
- C:\Windows\System\AmaGkgi.exe
  C:\Windows\System\AmaGkgi.exe
  2⤵
  PID:14060
- C:\Windows\System\dkHNqdZ.exe
  C:\Windows\System\dkHNqdZ.exe
  2⤵
  PID:14096
- C:\Windows\System\AiatgBv.exe
  C:\Windows\System\AiatgBv.exe
  2⤵
  PID:14132
- C:\Windows\System\dPyumGi.exe
  C:\Windows\System\dPyumGi.exe
  2⤵
  PID:14156
- C:\Windows\System\jXysrEd.exe
  C:\Windows\System\jXysrEd.exe
  2⤵
  PID:14184
- C:\Windows\System\ozncTGE.exe
  C:\Windows\System\ozncTGE.exe
  2⤵
  PID:14216
- C:\Windows\System\UxuuQzh.exe
  C:\Windows\System\UxuuQzh.exe
  2⤵
  PID:14244
- C:\Windows\System\CpzSajx.exe
  C:\Windows\System\CpzSajx.exe
  2⤵
  PID:14272
- C:\Windows\System\EyvpGEP.exe
  C:\Windows\System\EyvpGEP.exe
  2⤵
  PID:14292
- C:\Windows\System\OcoKtxY.exe
  C:\Windows\System\OcoKtxY.exe
  2⤵
  PID:14316
- C:\Windows\System\atPKcNs.exe
  C:\Windows\System\atPKcNs.exe
  2⤵
  PID:13136
- C:\Windows\System\trjYEhr.exe
  C:\Windows\System\trjYEhr.exe
  2⤵
  PID:3972
- C:\Windows\System\bYwfTKb.exe
  C:\Windows\System\bYwfTKb.exe
  2⤵
  PID:13448
- C:\Windows\System\lQWkKZQ.exe
  C:\Windows\System\lQWkKZQ.exe
  2⤵
  PID:13528
- C:\Windows\System\HfIMkwa.exe
  C:\Windows\System\HfIMkwa.exe
  2⤵
  PID:13576
- C:\Windows\System\ttrscIr.exe
  C:\Windows\System\ttrscIr.exe
  2⤵
  PID:13632
- C:\Windows\System\pWdduWT.exe
  C:\Windows\System\pWdduWT.exe
  2⤵
  PID:13692
- C:\Windows\System\UgSZFyq.exe
  C:\Windows\System\UgSZFyq.exe
  2⤵
  PID:13772
- C:\Windows\System\KEuVoJp.exe
  C:\Windows\System\KEuVoJp.exe
  2⤵
  PID:13836
- C:\Windows\System\izrBgMZ.exe
  C:\Windows\System\izrBgMZ.exe
  2⤵
  PID:13860
- C:\Windows\System\yAzpIxp.exe
  C:\Windows\System\yAzpIxp.exe
  2⤵
  PID:3096
- C:\Windows\System\aWwHOcg.exe
  C:\Windows\System\aWwHOcg.exe
  2⤵
  PID:13948
- C:\Windows\System\rSwoiaO.exe
  C:\Windows\System\rSwoiaO.exe
  2⤵
  PID:13992
- C:\Windows\System\dKXsZmN.exe
  C:\Windows\System\dKXsZmN.exe
  2⤵
  PID:12496
- C:\Windows\System\PUfPtmP.exe
  C:\Windows\System\PUfPtmP.exe
  2⤵
  PID:14128
- C:\Windows\System\pnoSuev.exe
  C:\Windows\System\pnoSuev.exe
  2⤵
  PID:14172
- C:\Windows\System\vTMtyLh.exe
  C:\Windows\System\vTMtyLh.exe
  2⤵
  PID:14228
- C:\Windows\System\QuMNSam.exe
  C:\Windows\System\QuMNSam.exe
  2⤵
  PID:14308
- C:\Windows\System\XEvrmeD.exe
  C:\Windows\System\XEvrmeD.exe
  2⤵
  PID:14324
- C:\Windows\System\KOLMBlX.exe
  C:\Windows\System\KOLMBlX.exe
  2⤵
  PID:13476
- C:\Windows\System\mQlNExH.exe
  C:\Windows\System\mQlNExH.exe
  2⤵
  PID:13600
- C:\Windows\System\taiPOtP.exe
  C:\Windows\System\taiPOtP.exe
  2⤵
  PID:13808
- C:\Windows\System\BnoCjgd.exe
  C:\Windows\System\BnoCjgd.exe
  2⤵
  PID:8
- C:\Windows\System\ChjNtEF.exe
  C:\Windows\System\ChjNtEF.exe
  2⤵
  PID:13960
- C:\Windows\System\bznECJS.exe
  C:\Windows\System\bznECJS.exe
  2⤵
  PID:14148
- C:\Windows\System\kSIyIsK.exe
  C:\Windows\System\kSIyIsK.exe
  2⤵
  PID:4896
- C:\Windows\System\LLBflpI.exe
  C:\Windows\System\LLBflpI.exe
  2⤵
  PID:13480
- C:\Windows\System\ickyHaM.exe
  C:\Windows\System\ickyHaM.exe
  2⤵
  PID:13708
- C:\Windows\System\BlhnGjq.exe
  C:\Windows\System\BlhnGjq.exe
  2⤵
  PID:13888
- C:\Windows\System\liSyAEU.exe
  C:\Windows\System\liSyAEU.exe
  2⤵
  PID:13940
- C:\Windows\System\eOvJunQ.exe
  C:\Windows\System\eOvJunQ.exe
  2⤵
  PID:14240
- C:\Windows\System\qOIDcfh.exe
  C:\Windows\System\qOIDcfh.exe
  2⤵
  PID:3576
- C:\Windows\System\FhdqdMn.exe
  C:\Windows\System\FhdqdMn.exe
  2⤵
  PID:13620
- C:\Windows\System\zPWzbUI.exe
  C:\Windows\System\zPWzbUI.exe
  2⤵
  PID:14028
- C:\Windows\System\wnrGgTM.exe
  C:\Windows\System\wnrGgTM.exe
  2⤵
  PID:13544
- C:\Windows\System\ZGVJTSR.exe
  C:\Windows\System\ZGVJTSR.exe
  2⤵
  PID:14348
- C:\Windows\System\YSDAOTc.exe
  C:\Windows\System\YSDAOTc.exe
  2⤵
  PID:14376
- C:\Windows\System\jIxdUtu.exe
  C:\Windows\System\jIxdUtu.exe
  2⤵
  PID:14408
- C:\Windows\System\YglChtD.exe
  C:\Windows\System\YglChtD.exe
  2⤵
  PID:14432
- C:\Windows\System\seLEJvy.exe
  C:\Windows\System\seLEJvy.exe
  2⤵
  PID:14460
- C:\Windows\System\uGLDHXQ.exe
  C:\Windows\System\uGLDHXQ.exe
  2⤵
  PID:14496
- C:\Windows\System\GBhCIZx.exe
  C:\Windows\System\GBhCIZx.exe
  2⤵
  PID:14528
- C:\Windows\System\RekvLYI.exe
  C:\Windows\System\RekvLYI.exe
  2⤵
  PID:14564
- C:\Windows\System\qhUiJiB.exe
  C:\Windows\System\qhUiJiB.exe
  2⤵
  PID:14584
- C:\Windows\System\CyrbaPe.exe
  C:\Windows\System\CyrbaPe.exe
  2⤵
  PID:14604
- C:\Windows\System\JBJflIH.exe
  C:\Windows\System\JBJflIH.exe
  2⤵
  PID:14640
- C:\Windows\System\vzJmQlR.exe
  C:\Windows\System\vzJmQlR.exe
  2⤵
  PID:14664
- C:\Windows\System\TLrHsUn.exe
  C:\Windows\System\TLrHsUn.exe
  2⤵
  PID:14700
- C:\Windows\System\BGWDWav.exe
  C:\Windows\System\BGWDWav.exe
  2⤵
  PID:14728
- C:\Windows\System\oIdSoEw.exe
  C:\Windows\System\oIdSoEw.exe
  2⤵
  PID:14752
- C:\Windows\System\lpBVJpW.exe
  C:\Windows\System\lpBVJpW.exe
  2⤵
  PID:14776
- C:\Windows\System\YEYVHLq.exe
  C:\Windows\System\YEYVHLq.exe
  2⤵
  PID:14820
- C:\Windows\System\tSBqlGk.exe
  C:\Windows\System\tSBqlGk.exe
  2⤵
  PID:14856
- C:\Windows\System\fQmxAVc.exe
  C:\Windows\System\fQmxAVc.exe
  2⤵
  PID:14888
- C:\Windows\System\gWRHQYO.exe
  C:\Windows\System\gWRHQYO.exe
  2⤵
  PID:14920
- C:\Windows\System\KyrhTpP.exe
  C:\Windows\System\KyrhTpP.exe
  2⤵
  PID:14952
- C:\Windows\System\gFHsUzq.exe
  C:\Windows\System\gFHsUzq.exe
  2⤵
  PID:14988
- C:\Windows\System\bRGsYqV.exe
  C:\Windows\System\bRGsYqV.exe
  2⤵
  PID:15020
- C:\Windows\System\oryssRM.exe
  C:\Windows\System\oryssRM.exe
  2⤵
  PID:15052
- C:\Windows\System\wycAvAw.exe
  C:\Windows\System\wycAvAw.exe
  2⤵
  PID:15080
- C:\Windows\System\DFPYRxP.exe
  C:\Windows\System\DFPYRxP.exe
  2⤵
  PID:15176
- C:\Windows\System\vUcPfgt.exe
  C:\Windows\System\vUcPfgt.exe
  2⤵
  PID:15192
- C:\Windows\System\UMSXLMU.exe
  C:\Windows\System\UMSXLMU.exe
  2⤵
  PID:15216
- C:\Windows\System\FxePlex.exe
  C:\Windows\System\FxePlex.exe
  2⤵
  PID:15256
- C:\Windows\System\jQStUYZ.exe
  C:\Windows\System\jQStUYZ.exe
  2⤵
  PID:15284

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:3652

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:15016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EEZCtuA.exe

Filesize
1.2MB

MD5
9b5ffe17eb97d2bdab425be6416dacfa

SHA1
472cea03dcce5e290d0d2f01eca57b477f025b60

SHA256
e6fa1ad449ef0a1fd0005092d5d8bd2ad20af634b89687e60a1cb4a01f050653

SHA512
f12f251e7257c3122b05aafac05fb702c9dd102aa105ce00e0fba58f133d0ece1dd69b4c340870ae93646092c1da8f575641d8c22ce7f538fbf110e4ddfbac64

Download Submit
C:\Windows\System\ENQOsUf.exe

Filesize
1.8MB

MD5
2fb5dee2fabd518b5b809d99f0f35a23

SHA1
2fccdd2811b851d4668da13316662b6d3f5f7649

SHA256
3a902de1196076577c2501f6de59b7aaa10beb77cc913bdea848fd845f8f88c1

SHA512
a5f01fe3ac23ac1632319732bc0a16549c3cbda6f5462cae324511916312387245af796b2122049adbbe6e47ee4ecb27af2c072c8e91f3fa8a7b6ccaa112fb22

Download Submit
C:\Windows\System\FjzYpqY.exe

Filesize
2.1MB

MD5
2555bbea10074fa8ece39c0130f55ccd

SHA1
12e205f4e65e8ae2eff1179749eb6f986229c470

SHA256
bfc11f9733b2a091ead65b069ac0e900c82b92e153e1e3b74fc09c5d489cbee2

SHA512
87ce958e01a09d6e2222f40b67860428e8fc91dfa5ff764e42f8c2e9b17ef502b719591facd3074f9dbedbf46ada901497ac9920314d5410e7bfade14968f165

Download Submit
C:\Windows\System\JYZBxCC.exe

Filesize
2.7MB

MD5
d65fc235b9483aa10cbf812cf59786c3

SHA1
701c2970d3661c0802e580f734179b31ee12923e

SHA256
531fbfe8aa6e97d0217c7cacd76df1258af9422c0015c949dfcda1e50ef363be

SHA512
18bf6550175e38c1c5da4ae10746b4defbee1aa09b8430f69e48a2d5017fe6a897b64247292f00915702739c2c15d2f5524a8d2228e03551a9fceb7a41b7286c

Download Submit
C:\Windows\System\KXHiiki.exe

Filesize
2.7MB

MD5
618d761e7eb5842846208526da623629

SHA1
b7511814ab04ff9640815663e48a035f19046517

SHA256
7998615d1db84a6260953ea82d50ff043b06ee4444a4a0e37fbca69d1754b073

SHA512
73df8a9b66359e19b3be23a310f96df1a7cd6707db6690934ee59749d22697787e76de9c10a0d7403c705cd8f78670cdcba7939f47e00b522329bce1c605fd43

Download Submit
C:\Windows\System\OLqIcpg.exe

Filesize
1.1MB

MD5
d063340395593e509d11d972ac1707f4

SHA1
af92659aaffcbb53c0c53088d69018919b301ccc

SHA256
d91f5dd32da88956f3010f394aee3cd7bb5fbcd8d4ef05e181a07c1ad640379d

SHA512
5c94641154f556a8d7263d104742794f9e394f91d881f016c491a204adb391125e93ce42356ca26bd6919d2750d5bf61fcad8319588a5efcf2a902e66faa01b2

Download Submit
C:\Windows\System\OLqIcpg.exe

Filesize
2.7MB

MD5
1cf4f2f70309f8130fcdd929048cb896

SHA1
ad5d66452fbde0ef5d2df0b6b3d1661fff8426d2

SHA256
757b04b434bb8f2f06512b6a7498a0eedb6c74574286f828a2a61f9e6f17229b

SHA512
6cf83f12275f252a80abf33976dce700e8f53638e54ca8999be57c7d901dcc85b7e2383828f4012b3577fdf855e544fa3aacea240e328c96c760fa9a455ba15f

Download Submit
C:\Windows\System\TftHoNY.exe

Filesize
2.7MB

MD5
71f274910f99f49d17aeafa8330c7913

SHA1
7227dd5dafe96025db515d6dde9d45d52bee62eb

SHA256
fc96dd46e36162f74963c4d9199735a96641ac722e9ce8c30bc5a85e9551c21a

SHA512
1fd20e3350a5c8ba1d7bd766dfa7f69d936a52391c47da557f3507e312d497f2aca8a3e6372431ce4dbadff610b9119ad73137328da26273b16fde8da5777720

Download Submit
C:\Windows\System\XYRNAKc.exe

Filesize
1.9MB

MD5
785774e6674810547189409ebf8c7625

SHA1
a0a31e7e756569b9fe85cdb4e0baa3f9d2618757

SHA256
29287dd4c8d55ed2c18196b7700555ed2b97220c131a5dfabd9e26a2924cd84f

SHA512
2287772bf2bd92273e776b2046d68bc9658928f58415b20af01a93865b2ea0743900d266842a1e2f687dd80550d293955eaecfdb62c84a43e5423ba1d3d3d089

Download Submit
C:\Windows\System\ngmcQBb.exe

Filesize
2.7MB

MD5
0ab3dedaa56fd0a3d6c37aadb997b58d

SHA1
02dfed472ce8304e86870ce2835b097094160e7b

SHA256
baa3f55adc0cefd1bca783dfb54f95fc0e58bcef956881e107762c5c273a1404

SHA512
94bd16ff83a611ca1fc1b808070dd7bd412c79f6ab50421235b068f7ebc6a0d8cade98cd2c3216f9d3c2f6e6c47b7372427834f3c48c226dbf1196e46ac9a9f1

Download Submit
C:\Windows\System\rDsRSyI.exe

Filesize
2.1MB

MD5
f6a66528702c8fde3d6196c758d98449

SHA1
894c4ed80103983ca9c8ba3818adc02dd74c86b7

SHA256
7a4578399d5bbe2ba496d20523ab8986531b1b7f0604eef28b338aed05271e47

SHA512
f51230f6f1a0ea17623ec0ff78baf17056015dd30c2dd4d4355cf7d29c2249d4783fd6266eb74b9e39d1fe402322b4969adb3054523474f3be5fff5a95182e43

Download Submit
C:\Windows\System\vKurekk.exe

Filesize
512KB

MD5
6b5887af4274a78686a788865765637c

SHA1
5afc15e6fcbc11377bbabbda47ff43f6ebedd369

SHA256
ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006

SHA512
4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077

Download Submit
C:\Windows\System\yXYgwKG.exe

Filesize
448KB

MD5
0642442db4acbbfb6037e06789624264

SHA1
923aee440a6887c7a7a8a78085aa492b2cdcee65

SHA256
5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85

SHA512
7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1

Download Submit
memory/384-142-0x00007FF622E90000-0x00007FF6231E4000-memory.dmp

Filesize
3.3MB

Download
memory/384-2150-0x00007FF622E90000-0x00007FF6231E4000-memory.dmp

Filesize
3.3MB

Download
memory/384-2126-0x00007FF622E90000-0x00007FF6231E4000-memory.dmp

Filesize
3.3MB

Download
memory/628-2139-0x00007FF7D7790000-0x00007FF7D7AE4000-memory.dmp

Filesize
3.3MB

Download
memory/628-2120-0x00007FF7D7790000-0x00007FF7D7AE4000-memory.dmp

Filesize
3.3MB

Download
memory/628-64-0x00007FF7D7790000-0x00007FF7D7AE4000-memory.dmp

Filesize
3.3MB

Download
memory/868-2137-0x00007FF68EEA0000-0x00007FF68F1F4000-memory.dmp

Filesize
3.3MB

Download
memory/868-77-0x00007FF68EEA0000-0x00007FF68F1F4000-memory.dmp

Filesize
3.3MB

Download
memory/1044-7-0x00007FF603D20000-0x00007FF604074000-memory.dmp

Filesize
3.3MB

Download
memory/1044-2130-0x00007FF603D20000-0x00007FF604074000-memory.dmp

Filesize
3.3MB

Download
memory/1044-1556-0x00007FF603D20000-0x00007FF604074000-memory.dmp

Filesize
3.3MB

Download
memory/1428-1-0x000002E099A10000-0x000002E099A20000-memory.dmp

Filesize
64KB

Download
memory/1428-0-0x00007FF66FF60000-0x00007FF6702B4000-memory.dmp

Filesize
3.3MB

Download
memory/1428-1186-0x00007FF66FF60000-0x00007FF6702B4000-memory.dmp

Filesize
3.3MB

Download
memory/1468-2153-0x00007FF65CDA0000-0x00007FF65D0F4000-memory.dmp

Filesize
3.3MB

Download
memory/1468-180-0x00007FF65CDA0000-0x00007FF65D0F4000-memory.dmp

Filesize
3.3MB

Download
memory/1988-170-0x00007FF6E8C00000-0x00007FF6E8F54000-memory.dmp

Filesize
3.3MB

Download
memory/1988-2148-0x00007FF6E8C00000-0x00007FF6E8F54000-memory.dmp

Filesize
3.3MB

Download
memory/2364-2133-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp

Filesize
3.3MB

Download
memory/2364-1557-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp

Filesize
3.3MB

Download
memory/2364-32-0x00007FF65F5E0000-0x00007FF65F934000-memory.dmp

Filesize
3.3MB

Download
memory/2456-53-0x00007FF744C00000-0x00007FF744F54000-memory.dmp

Filesize
3.3MB

Download
memory/2456-2121-0x00007FF744C00000-0x00007FF744F54000-memory.dmp

Filesize
3.3MB

Download
memory/2456-2136-0x00007FF744C00000-0x00007FF744F54000-memory.dmp

Filesize
3.3MB

Download
memory/2528-109-0x00007FF62FA70000-0x00007FF62FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-2141-0x00007FF62FA70000-0x00007FF62FDC4000-memory.dmp

Filesize
3.3MB

Download
memory/2664-201-0x00007FF758F00000-0x00007FF759254000-memory.dmp

Filesize
3.3MB

Download
memory/2664-2157-0x00007FF758F00000-0x00007FF759254000-memory.dmp

Filesize
3.3MB

Download
memory/2788-2135-0x00007FF7132E0000-0x00007FF713634000-memory.dmp

Filesize
3.3MB

Download
memory/2788-40-0x00007FF7132E0000-0x00007FF713634000-memory.dmp

Filesize
3.3MB

Download
memory/2988-2124-0x00007FF6CFDC0000-0x00007FF6D0114000-memory.dmp

Filesize
3.3MB

Download
memory/2988-2142-0x00007FF6CFDC0000-0x00007FF6D0114000-memory.dmp

Filesize
3.3MB

Download
memory/2988-78-0x00007FF6CFDC0000-0x00007FF6D0114000-memory.dmp

Filesize
3.3MB

Download
memory/3332-2140-0x00007FF7C5510000-0x00007FF7C5864000-memory.dmp

Filesize
3.3MB

Download
memory/3332-86-0x00007FF7C5510000-0x00007FF7C5864000-memory.dmp

Filesize
3.3MB

Download
memory/3464-2147-0x00007FF63EA60000-0x00007FF63EDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3464-123-0x00007FF63EA60000-0x00007FF63EDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3464-2128-0x00007FF63EA60000-0x00007FF63EDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-15-0x00007FF6D9150000-0x00007FF6D94A4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-2131-0x00007FF6D9150000-0x00007FF6D94A4000-memory.dmp

Filesize
3.3MB

Download
memory/3472-1960-0x00007FF6D9150000-0x00007FF6D94A4000-memory.dmp

Filesize
3.3MB

Download
memory/4040-200-0x00007FF7A78A0000-0x00007FF7A7BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4040-2152-0x00007FF7A78A0000-0x00007FF7A7BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4204-2156-0x00007FF624700000-0x00007FF624A54000-memory.dmp

Filesize
3.3MB

Download
memory/4204-207-0x00007FF624700000-0x00007FF624A54000-memory.dmp

Filesize
3.3MB

Download
memory/4248-24-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp

Filesize
3.3MB

Download
memory/4248-2132-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp

Filesize
3.3MB

Download
memory/4248-1964-0x00007FF78F7E0000-0x00007FF78FB34000-memory.dmp

Filesize
3.3MB

Download
memory/4292-2146-0x00007FF6667F0000-0x00007FF666B44000-memory.dmp

Filesize
3.3MB

Download
memory/4292-205-0x00007FF6667F0000-0x00007FF666B44000-memory.dmp

Filesize
3.3MB

Download
memory/4308-2149-0x00007FF7218A0000-0x00007FF721BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4308-179-0x00007FF7218A0000-0x00007FF721BF4000-memory.dmp

Filesize
3.3MB

Download
memory/4360-120-0x00007FF7BD970000-0x00007FF7BDCC4000-memory.dmp

Filesize
3.3MB

Download
memory/4360-2144-0x00007FF7BD970000-0x00007FF7BDCC4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-2154-0x00007FF7F0970000-0x00007FF7F0CC4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-209-0x00007FF7F0970000-0x00007FF7F0CC4000-memory.dmp

Filesize
3.3MB

Download
memory/4464-208-0x00007FF767780000-0x00007FF767AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4464-2155-0x00007FF767780000-0x00007FF767AD4000-memory.dmp

Filesize
3.3MB

Download
memory/4496-2138-0x00007FF715BD0000-0x00007FF715F24000-memory.dmp

Filesize
3.3MB

Download
memory/4496-61-0x00007FF715BD0000-0x00007FF715F24000-memory.dmp

Filesize
3.3MB

Download
memory/4496-2122-0x00007FF715BD0000-0x00007FF715F24000-memory.dmp

Filesize
3.3MB

Download
memory/4572-2145-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp

Filesize
3.3MB

Download
memory/4572-91-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp

Filesize
3.3MB

Download
memory/4572-2123-0x00007FF7E4D30000-0x00007FF7E5084000-memory.dmp

Filesize
3.3MB

Download
memory/4760-2134-0x00007FF7CAD90000-0x00007FF7CB0E4000-memory.dmp

Filesize
3.3MB

Download
memory/4760-49-0x00007FF7CAD90000-0x00007FF7CB0E4000-memory.dmp

Filesize
3.3MB

Download
memory/4764-2127-0x00007FF6DFE60000-0x00007FF6E01B4000-memory.dmp

Filesize
3.3MB

Download
memory/4764-158-0x00007FF6DFE60000-0x00007FF6E01B4000-memory.dmp

Filesize
3.3MB

Download
memory/4764-2151-0x00007FF6DFE60000-0x00007FF6E01B4000-memory.dmp

Filesize
3.3MB

Download
memory/4920-95-0x00007FF68B800000-0x00007FF68BB54000-memory.dmp

Filesize
3.3MB

Download
memory/4920-2125-0x00007FF68B800000-0x00007FF68BB54000-memory.dmp

Filesize
3.3MB

Download
memory/4920-2143-0x00007FF68B800000-0x00007FF68BB54000-memory.dmp

Filesize
3.3MB

Download
memory/4940-2158-0x00007FF6CB250000-0x00007FF6CB5A4000-memory.dmp

Filesize
3.3MB

Download
memory/4940-2129-0x00007FF6CB250000-0x00007FF6CB5A4000-memory.dmp

Filesize
3.3MB

Download
memory/4940-192-0x00007FF6CB250000-0x00007FF6CB5A4000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads