xmrig | 8e418801667dde95e938226c560571b6123611b15b0866d17b543cd95dba3cf2

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
Size

2.8MB
MD5

206524c326754ff1d563b7930466e1a0
SHA1

e0c797669852480dea0b5ed2a702392eb2043e46
SHA256

8e418801667dde95e938226c560571b6123611b15b0866d17b543cd95dba3cf2
SHA512

f453d860b6780a97756dc37c6a55680026b14ece9458ace6df405c9261b7fc090ddeadfcccfcb2cb5646c1a431accae2be8106cb13441b9189b5fb45dba28481
SSDEEP

49152:S1G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkibTIA5UI4:S1ONtyBeSFkXV1etEKLlWUTOfeiRA2RO

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2012-0-0x00007FF6D0CB0000-0x00007FF6D10A6000-memory.dmp	xmrig
behavioral2/files/0x000800000002343f-7.dat	xmrig
behavioral2/files/0x0007000000023444-10.dat	xmrig
behavioral2/files/0x0007000000023443-13.dat	xmrig
behavioral2/memory/2888-12-0x00007FF710400000-0x00007FF7107F6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023447-34.dat	xmrig
behavioral2/memory/3980-38-0x00007FF613950000-0x00007FF613D46000-memory.dmp	xmrig
behavioral2/files/0x0008000000023445-39.dat	xmrig
behavioral2/memory/4604-44-0x00007FF6C55D0000-0x00007FF6C59C6000-memory.dmp	xmrig
behavioral2/memory/568-53-0x00007FF6466C0000-0x00007FF646AB6000-memory.dmp	xmrig
behavioral2/memory/1632-54-0x00007FF7DF240000-0x00007FF7DF636000-memory.dmp	xmrig
behavioral2/files/0x0007000000023448-56.dat	xmrig
behavioral2/memory/1104-55-0x00007FF66D350000-0x00007FF66D746000-memory.dmp	xmrig
behavioral2/files/0x0008000000023446-50.dat	xmrig
behavioral2/memory/1604-47-0x00007FF726BD0000-0x00007FF726FC6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023449-61.dat	xmrig
behavioral2/files/0x0008000000023440-66.dat	xmrig
behavioral2/memory/2700-65-0x00007FF692F90000-0x00007FF693386000-memory.dmp	xmrig
behavioral2/memory/3228-73-0x00007FF676EB0000-0x00007FF6772A6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023450-97.dat	xmrig
behavioral2/files/0x0007000000023452-113.dat	xmrig
behavioral2/files/0x0007000000023456-142.dat	xmrig
behavioral2/files/0x000700000002345f-181.dat	xmrig
behavioral2/memory/1020-566-0x00007FF7D5670000-0x00007FF7D5A66000-memory.dmp	xmrig
behavioral2/memory/808-567-0x00007FF79DC90000-0x00007FF79E086000-memory.dmp	xmrig
behavioral2/memory/556-568-0x00007FF7E62E0000-0x00007FF7E66D6000-memory.dmp	xmrig
behavioral2/memory/1464-569-0x00007FF684EA0000-0x00007FF685296000-memory.dmp	xmrig
behavioral2/memory/4384-570-0x00007FF7CDAC0000-0x00007FF7CDEB6000-memory.dmp	xmrig
behavioral2/memory/2204-571-0x00007FF61A750000-0x00007FF61AB46000-memory.dmp	xmrig
behavioral2/memory/2552-572-0x00007FF795400000-0x00007FF7957F6000-memory.dmp	xmrig
behavioral2/memory/2212-588-0x00007FF665BC0000-0x00007FF665FB6000-memory.dmp	xmrig
behavioral2/memory/1572-594-0x00007FF720FA0000-0x00007FF721396000-memory.dmp	xmrig
behavioral2/memory/2032-583-0x00007FF77B680000-0x00007FF77BA76000-memory.dmp	xmrig
behavioral2/memory/2012-579-0x00007FF6D0CB0000-0x00007FF6D10A6000-memory.dmp	xmrig
behavioral2/memory/4368-573-0x00007FF792000000-0x00007FF7923F6000-memory.dmp	xmrig
behavioral2/memory/568-1177-0x00007FF6466C0000-0x00007FF646AB6000-memory.dmp	xmrig
behavioral2/files/0x0007000000023461-191.dat	xmrig
behavioral2/files/0x0007000000023460-186.dat	xmrig
behavioral2/files/0x000700000002345e-182.dat	xmrig
behavioral2/files/0x000700000002345d-177.dat	xmrig
behavioral2/files/0x000700000002345c-172.dat	xmrig
behavioral2/files/0x000700000002345b-167.dat	xmrig
behavioral2/files/0x000700000002345a-162.dat	xmrig
behavioral2/files/0x0007000000023459-157.dat	xmrig
behavioral2/files/0x0007000000023458-152.dat	xmrig
behavioral2/files/0x0007000000023457-147.dat	xmrig
behavioral2/files/0x0007000000023455-137.dat	xmrig
behavioral2/files/0x0007000000023454-128.dat	xmrig
behavioral2/files/0x0007000000023451-126.dat	xmrig
behavioral2/files/0x0007000000023453-124.dat	xmrig
behavioral2/files/0x000700000002344e-122.dat	xmrig
behavioral2/memory/736-109-0x00007FF6319C0000-0x00007FF631DB6000-memory.dmp	xmrig
behavioral2/files/0x000700000002344d-104.dat	xmrig
behavioral2/files/0x000700000002344f-100.dat	xmrig
behavioral2/files/0x000700000002344c-98.dat	xmrig
behavioral2/memory/964-93-0x00007FF665290000-0x00007FF665686000-memory.dmp	xmrig
behavioral2/files/0x000700000002344b-89.dat	xmrig
behavioral2/files/0x000700000002344a-78.dat	xmrig
behavioral2/memory/1888-77-0x00007FF753E80000-0x00007FF754276000-memory.dmp	xmrig
behavioral2/memory/3444-70-0x00007FF69BA30000-0x00007FF69BE26000-memory.dmp	xmrig
behavioral2/memory/1104-1455-0x00007FF66D350000-0x00007FF66D746000-memory.dmp	xmrig
behavioral2/memory/3444-2082-0x00007FF69BA30000-0x00007FF69BE26000-memory.dmp	xmrig
behavioral2/memory/3228-2100-0x00007FF676EB0000-0x00007FF6772A6000-memory.dmp	xmrig
behavioral2/memory/1888-2101-0x00007FF753E80000-0x00007FF754276000-memory.dmp	xmrig

Blocklisted process makes network request 13 IoCs

flow	pid	Process
8	3496	powershell.exe
10	3496	powershell.exe
23	3496	powershell.exe
24	3496	powershell.exe
26	3496	powershell.exe
28	3496	powershell.exe
30	3496	powershell.exe
31	3496	powershell.exe
32	3496	powershell.exe
33	3496	powershell.exe
34	3496	powershell.exe
39	3496	powershell.exe
40	3496	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3496	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2888	IXoWXXI.exe
3980	sapNATC.exe
4604	YmTHTyc.exe
1604	cDtylCd.exe
1632	EtvWrAU.exe
568	FsQLIYo.exe
1104	fDMWcIR.exe
2700	lwSDbRz.exe
3444	HLqpGTe.exe
1888	aselGGA.exe
3228	yasLjCJ.exe
964	mHlMkbT.exe
736	ZTCVVYI.exe
2032	puUhpyw.exe
2212	qMOXeaQ.exe
1020	pcifPhB.exe
1572	RjYMxkJ.exe
808	yQpxdBa.exe
556	eONuplI.exe
1464	xYqkHcY.exe
4384	UEZKNhO.exe
2204	pxVRMVX.exe
2552	zuahkPO.exe
4368	TNWuPmZ.exe
3680	IaxjktV.exe
3132	cuIlAtB.exe
2640	UOrlmCS.exe
2292	KBTRlTX.exe
4844	eVstPwp.exe
2180	QIcUEhE.exe
2360	JsUkwdC.exe
3092	brLWrkx.exe
4632	jJVdPwR.exe
3544	XWgLJPW.exe
4492	wyfBFsd.exe
452	XHDJRiZ.exe
4012	hYvCCzm.exe
5008	mTWujGN.exe
4376	plucyeF.exe
4752	GZBrcjc.exe
4972	SyhXCSv.exe
652	NuWUzHR.exe
2844	JqQoWsq.exe
4856	mEuoSAv.exe
3108	Vezurec.exe
528	bYfcNgU.exe
1476	EcWVtMr.exe
3192	JXGCysC.exe
4300	PiccYgg.exe
2604	MCHBFsY.exe
2560	TERvXci.exe
2892	jbBUQjX.exe
1512	zGGBgZZ.exe
2236	NZVjbFu.exe
1812	ZeccFFz.exe
2988	AKXtKNx.exe
3904	FqMgBKZ.exe
4312	cKYCchi.exe
3264	rILrBDz.exe
1676	RNTXkVi.exe
4944	uXEtbeQ.exe
1180	TmfqRkB.exe
4812	mUEopyl.exe
4640	ARQInfg.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2012-0-0x00007FF6D0CB0000-0x00007FF6D10A6000-memory.dmp	upx
behavioral2/files/0x000800000002343f-7.dat	upx
behavioral2/files/0x0007000000023444-10.dat	upx
behavioral2/files/0x0007000000023443-13.dat	upx
behavioral2/memory/2888-12-0x00007FF710400000-0x00007FF7107F6000-memory.dmp	upx
behavioral2/files/0x0007000000023447-34.dat	upx
behavioral2/memory/3980-38-0x00007FF613950000-0x00007FF613D46000-memory.dmp	upx
behavioral2/files/0x0008000000023445-39.dat	upx
behavioral2/memory/4604-44-0x00007FF6C55D0000-0x00007FF6C59C6000-memory.dmp	upx
behavioral2/memory/568-53-0x00007FF6466C0000-0x00007FF646AB6000-memory.dmp	upx
behavioral2/memory/1632-54-0x00007FF7DF240000-0x00007FF7DF636000-memory.dmp	upx
behavioral2/files/0x0007000000023448-56.dat	upx
behavioral2/memory/1104-55-0x00007FF66D350000-0x00007FF66D746000-memory.dmp	upx
behavioral2/files/0x0008000000023446-50.dat	upx
behavioral2/memory/1604-47-0x00007FF726BD0000-0x00007FF726FC6000-memory.dmp	upx
behavioral2/files/0x0007000000023449-61.dat	upx
behavioral2/files/0x0008000000023440-66.dat	upx
behavioral2/memory/2700-65-0x00007FF692F90000-0x00007FF693386000-memory.dmp	upx
behavioral2/memory/3228-73-0x00007FF676EB0000-0x00007FF6772A6000-memory.dmp	upx
behavioral2/files/0x0007000000023450-97.dat	upx
behavioral2/files/0x0007000000023452-113.dat	upx
behavioral2/files/0x0007000000023456-142.dat	upx
behavioral2/files/0x000700000002345f-181.dat	upx
behavioral2/memory/1020-566-0x00007FF7D5670000-0x00007FF7D5A66000-memory.dmp	upx
behavioral2/memory/808-567-0x00007FF79DC90000-0x00007FF79E086000-memory.dmp	upx
behavioral2/memory/556-568-0x00007FF7E62E0000-0x00007FF7E66D6000-memory.dmp	upx
behavioral2/memory/1464-569-0x00007FF684EA0000-0x00007FF685296000-memory.dmp	upx
behavioral2/memory/4384-570-0x00007FF7CDAC0000-0x00007FF7CDEB6000-memory.dmp	upx
behavioral2/memory/2204-571-0x00007FF61A750000-0x00007FF61AB46000-memory.dmp	upx
behavioral2/memory/2552-572-0x00007FF795400000-0x00007FF7957F6000-memory.dmp	upx
behavioral2/memory/2212-588-0x00007FF665BC0000-0x00007FF665FB6000-memory.dmp	upx
behavioral2/memory/1572-594-0x00007FF720FA0000-0x00007FF721396000-memory.dmp	upx
behavioral2/memory/2032-583-0x00007FF77B680000-0x00007FF77BA76000-memory.dmp	upx
behavioral2/memory/2012-579-0x00007FF6D0CB0000-0x00007FF6D10A6000-memory.dmp	upx
behavioral2/memory/4368-573-0x00007FF792000000-0x00007FF7923F6000-memory.dmp	upx
behavioral2/memory/568-1177-0x00007FF6466C0000-0x00007FF646AB6000-memory.dmp	upx
behavioral2/files/0x0007000000023461-191.dat	upx
behavioral2/files/0x0007000000023460-186.dat	upx
behavioral2/files/0x000700000002345e-182.dat	upx
behavioral2/files/0x000700000002345d-177.dat	upx
behavioral2/files/0x000700000002345c-172.dat	upx
behavioral2/files/0x000700000002345b-167.dat	upx
behavioral2/files/0x000700000002345a-162.dat	upx
behavioral2/files/0x0007000000023459-157.dat	upx
behavioral2/files/0x0007000000023458-152.dat	upx
behavioral2/files/0x0007000000023457-147.dat	upx
behavioral2/files/0x0007000000023455-137.dat	upx
behavioral2/files/0x0007000000023454-128.dat	upx
behavioral2/files/0x0007000000023451-126.dat	upx
behavioral2/files/0x0007000000023453-124.dat	upx
behavioral2/files/0x000700000002344e-122.dat	upx
behavioral2/memory/736-109-0x00007FF6319C0000-0x00007FF631DB6000-memory.dmp	upx
behavioral2/files/0x000700000002344d-104.dat	upx
behavioral2/files/0x000700000002344f-100.dat	upx
behavioral2/files/0x000700000002344c-98.dat	upx
behavioral2/memory/964-93-0x00007FF665290000-0x00007FF665686000-memory.dmp	upx
behavioral2/files/0x000700000002344b-89.dat	upx
behavioral2/files/0x000700000002344a-78.dat	upx
behavioral2/memory/1888-77-0x00007FF753E80000-0x00007FF754276000-memory.dmp	upx
behavioral2/memory/3444-70-0x00007FF69BA30000-0x00007FF69BE26000-memory.dmp	upx
behavioral2/memory/1104-1455-0x00007FF66D350000-0x00007FF66D746000-memory.dmp	upx
behavioral2/memory/3444-2082-0x00007FF69BA30000-0x00007FF69BE26000-memory.dmp	upx
behavioral2/memory/3228-2100-0x00007FF676EB0000-0x00007FF6772A6000-memory.dmp	upx
behavioral2/memory/1888-2101-0x00007FF753E80000-0x00007FF754276000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\SnOlgkS.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\AJLJgKO.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\TPhGQDp.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\ktyYwXy.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\oulFUmd.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\leJDtCZ.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\zGGBgZZ.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\NowQptX.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\iwfDpDP.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\ITgYarT.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\xkVskHX.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\GeUiTbn.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\sxCXdoy.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\jbBUQjX.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\cKYCchi.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\QngDwRv.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\yOWTlga.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\ukLgLfa.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\qMOXeaQ.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\FqMgBKZ.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\ljxDizW.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\znulWTJ.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\ZJTJDtz.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\JJpfPLY.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\ASsijvA.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\uSAftui.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\SNBvvOY.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\pQUPIDK.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\AKXtKNx.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\GksVsdw.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\kvJzFKg.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\EloCyIc.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\LRXRwgU.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\umIRbCv.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\LJMlpXE.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\wRgMRcT.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\epNiHkc.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\AYwMZyA.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\KVrobrx.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\HDxKFEO.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\yEZOKmD.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\bYfcNgU.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\hCvuWaE.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\jTOQuRq.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\kTUStYF.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\fEAxovW.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\IUHoszo.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\KHLvkVa.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\CcOIsPu.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\PrEHMCb.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\WtxNhKQ.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\DYAzByY.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\JJqwTRP.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\BbQfEFF.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\FsQLIYo.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\pvYulxK.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\pGUaJMs.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\oljMvNg.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\hXPqWUQ.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\brLWrkx.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\ZIzkcGx.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\EsqGZCz.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\WZWclgx.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
File created	C:\Windows\System\uUPAxMR.exe	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3496	powershell.exe
3496	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeCreateGlobalPrivilege	14124	dwm.exe
Token: SeChangeNotifyPrivilege	14124	dwm.exe
Token: 33	14124	dwm.exe
Token: SeIncBasePriorityPrivilege	14124	dwm.exe
Token: SeShutdownPrivilege	14124	dwm.exe
Token: SeCreatePagefilePrivilege	14124	dwm.exe
Token: SeShutdownPrivilege	14124	dwm.exe
Token: SeCreatePagefilePrivilege	14124	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 3496	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	84
PID 2012 wrote to memory of 3496	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	84
PID 2012 wrote to memory of 2888	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	85
PID 2012 wrote to memory of 2888	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	85
PID 2012 wrote to memory of 3980	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	86
PID 2012 wrote to memory of 3980	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	86
PID 2012 wrote to memory of 4604	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	87
PID 2012 wrote to memory of 4604	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	87
PID 2012 wrote to memory of 1604	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	88
PID 2012 wrote to memory of 1604	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	88
PID 2012 wrote to memory of 1632	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	89
PID 2012 wrote to memory of 1632	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	89
PID 2012 wrote to memory of 568	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	90
PID 2012 wrote to memory of 568	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	90
PID 2012 wrote to memory of 1104	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	91
PID 2012 wrote to memory of 1104	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	91
PID 2012 wrote to memory of 2700	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	92
PID 2012 wrote to memory of 2700	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	92
PID 2012 wrote to memory of 3444	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	95
PID 2012 wrote to memory of 3444	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	95
PID 2012 wrote to memory of 1888	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	96
PID 2012 wrote to memory of 1888	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	96
PID 2012 wrote to memory of 3228	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	97
PID 2012 wrote to memory of 3228	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	97
PID 2012 wrote to memory of 964	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	98
PID 2012 wrote to memory of 964	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	98
PID 2012 wrote to memory of 736	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	99
PID 2012 wrote to memory of 736	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	99
PID 2012 wrote to memory of 1020	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	100
PID 2012 wrote to memory of 1020	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	100
PID 2012 wrote to memory of 2032	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	101
PID 2012 wrote to memory of 2032	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	101
PID 2012 wrote to memory of 2212	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	102
PID 2012 wrote to memory of 2212	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	102
PID 2012 wrote to memory of 556	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	103
PID 2012 wrote to memory of 556	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	103
PID 2012 wrote to memory of 1572	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	104
PID 2012 wrote to memory of 1572	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	104
PID 2012 wrote to memory of 808	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	105
PID 2012 wrote to memory of 808	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	105
PID 2012 wrote to memory of 1464	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	106
PID 2012 wrote to memory of 1464	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	106
PID 2012 wrote to memory of 4384	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	107
PID 2012 wrote to memory of 4384	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	107
PID 2012 wrote to memory of 2204	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	108
PID 2012 wrote to memory of 2204	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	108
PID 2012 wrote to memory of 2552	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	109
PID 2012 wrote to memory of 2552	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	109
PID 2012 wrote to memory of 4368	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	110
PID 2012 wrote to memory of 4368	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	110
PID 2012 wrote to memory of 3680	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	111
PID 2012 wrote to memory of 3680	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	111
PID 2012 wrote to memory of 3132	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	112
PID 2012 wrote to memory of 3132	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	112
PID 2012 wrote to memory of 2640	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	113
PID 2012 wrote to memory of 2640	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	113
PID 2012 wrote to memory of 2292	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	114
PID 2012 wrote to memory of 2292	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	114
PID 2012 wrote to memory of 4844	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	115
PID 2012 wrote to memory of 4844	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	115
PID 2012 wrote to memory of 2180	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	116
PID 2012 wrote to memory of 2180	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	116
PID 2012 wrote to memory of 2360	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	117
PID 2012 wrote to memory of 2360	2012	206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe	117

C:\Users\Admin\AppData\Local\Temp\206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\206524c326754ff1d563b7930466e1a0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\System\IXoWXXI.exe
  C:\Windows\System\IXoWXXI.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\sapNATC.exe
  C:\Windows\System\sapNATC.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\YmTHTyc.exe
  C:\Windows\System\YmTHTyc.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\cDtylCd.exe
  C:\Windows\System\cDtylCd.exe
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Windows\System\EtvWrAU.exe
  C:\Windows\System\EtvWrAU.exe
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Windows\System\FsQLIYo.exe
  C:\Windows\System\FsQLIYo.exe
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Windows\System\fDMWcIR.exe
  C:\Windows\System\fDMWcIR.exe
  2⤵
  - Executes dropped EXE
  PID:1104
- C:\Windows\System\lwSDbRz.exe
  C:\Windows\System\lwSDbRz.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\HLqpGTe.exe
  C:\Windows\System\HLqpGTe.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\aselGGA.exe
  C:\Windows\System\aselGGA.exe
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\Windows\System\yasLjCJ.exe
  C:\Windows\System\yasLjCJ.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\mHlMkbT.exe
  C:\Windows\System\mHlMkbT.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\ZTCVVYI.exe
  C:\Windows\System\ZTCVVYI.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System\pcifPhB.exe
  C:\Windows\System\pcifPhB.exe
  2⤵
  - Executes dropped EXE
  PID:1020
- C:\Windows\System\puUhpyw.exe
  C:\Windows\System\puUhpyw.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\qMOXeaQ.exe
  C:\Windows\System\qMOXeaQ.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\eONuplI.exe
  C:\Windows\System\eONuplI.exe
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\System\RjYMxkJ.exe
  C:\Windows\System\RjYMxkJ.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\yQpxdBa.exe
  C:\Windows\System\yQpxdBa.exe
  2⤵
  - Executes dropped EXE
  PID:808
- C:\Windows\System\xYqkHcY.exe
  C:\Windows\System\xYqkHcY.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\UEZKNhO.exe
  C:\Windows\System\UEZKNhO.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\pxVRMVX.exe
  C:\Windows\System\pxVRMVX.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\zuahkPO.exe
  C:\Windows\System\zuahkPO.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System\TNWuPmZ.exe
  C:\Windows\System\TNWuPmZ.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\IaxjktV.exe
  C:\Windows\System\IaxjktV.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\cuIlAtB.exe
  C:\Windows\System\cuIlAtB.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\UOrlmCS.exe
  C:\Windows\System\UOrlmCS.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\KBTRlTX.exe
  C:\Windows\System\KBTRlTX.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\eVstPwp.exe
  C:\Windows\System\eVstPwp.exe
  2⤵
  - Executes dropped EXE
  PID:4844
- C:\Windows\System\QIcUEhE.exe
  C:\Windows\System\QIcUEhE.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\JsUkwdC.exe
  C:\Windows\System\JsUkwdC.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\brLWrkx.exe
  C:\Windows\System\brLWrkx.exe
  2⤵
  - Executes dropped EXE
  PID:3092
- C:\Windows\System\jJVdPwR.exe
  C:\Windows\System\jJVdPwR.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\XWgLJPW.exe
  C:\Windows\System\XWgLJPW.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\wyfBFsd.exe
  C:\Windows\System\wyfBFsd.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\XHDJRiZ.exe
  C:\Windows\System\XHDJRiZ.exe
  2⤵
  - Executes dropped EXE
  PID:452
- C:\Windows\System\hYvCCzm.exe
  C:\Windows\System\hYvCCzm.exe
  2⤵
  - Executes dropped EXE
  PID:4012
- C:\Windows\System\mTWujGN.exe
  C:\Windows\System\mTWujGN.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\plucyeF.exe
  C:\Windows\System\plucyeF.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\GZBrcjc.exe
  C:\Windows\System\GZBrcjc.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\SyhXCSv.exe
  C:\Windows\System\SyhXCSv.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\NuWUzHR.exe
  C:\Windows\System\NuWUzHR.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\JqQoWsq.exe
  C:\Windows\System\JqQoWsq.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\mEuoSAv.exe
  C:\Windows\System\mEuoSAv.exe
  2⤵
  - Executes dropped EXE
  PID:4856
- C:\Windows\System\Vezurec.exe
  C:\Windows\System\Vezurec.exe
  2⤵
  - Executes dropped EXE
  PID:3108
- C:\Windows\System\bYfcNgU.exe
  C:\Windows\System\bYfcNgU.exe
  2⤵
  - Executes dropped EXE
  PID:528
- C:\Windows\System\EcWVtMr.exe
  C:\Windows\System\EcWVtMr.exe
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\System\JXGCysC.exe
  C:\Windows\System\JXGCysC.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System\PiccYgg.exe
  C:\Windows\System\PiccYgg.exe
  2⤵
  - Executes dropped EXE
  PID:4300
- C:\Windows\System\MCHBFsY.exe
  C:\Windows\System\MCHBFsY.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\TERvXci.exe
  C:\Windows\System\TERvXci.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\jbBUQjX.exe
  C:\Windows\System\jbBUQjX.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\zGGBgZZ.exe
  C:\Windows\System\zGGBgZZ.exe
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\Windows\System\NZVjbFu.exe
  C:\Windows\System\NZVjbFu.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\ZeccFFz.exe
  C:\Windows\System\ZeccFFz.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\AKXtKNx.exe
  C:\Windows\System\AKXtKNx.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\FqMgBKZ.exe
  C:\Windows\System\FqMgBKZ.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\cKYCchi.exe
  C:\Windows\System\cKYCchi.exe
  2⤵
  - Executes dropped EXE
  PID:4312
- C:\Windows\System\rILrBDz.exe
  C:\Windows\System\rILrBDz.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System\RNTXkVi.exe
  C:\Windows\System\RNTXkVi.exe
  2⤵
  - Executes dropped EXE
  PID:1676
- C:\Windows\System\uXEtbeQ.exe
  C:\Windows\System\uXEtbeQ.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\TmfqRkB.exe
  C:\Windows\System\TmfqRkB.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\mUEopyl.exe
  C:\Windows\System\mUEopyl.exe
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Windows\System\ARQInfg.exe
  C:\Windows\System\ARQInfg.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\jjIAYTI.exe
  C:\Windows\System\jjIAYTI.exe
  2⤵
  PID:1852
- C:\Windows\System\ThfMglt.exe
  C:\Windows\System\ThfMglt.exe
  2⤵
  PID:4460
- C:\Windows\System\uNVLZAU.exe
  C:\Windows\System\uNVLZAU.exe
  2⤵
  PID:5140
- C:\Windows\System\nXpJesX.exe
  C:\Windows\System\nXpJesX.exe
  2⤵
  PID:5176
- C:\Windows\System\zZlQXnH.exe
  C:\Windows\System\zZlQXnH.exe
  2⤵
  PID:5200
- C:\Windows\System\ZqxtoKU.exe
  C:\Windows\System\ZqxtoKU.exe
  2⤵
  PID:5224
- C:\Windows\System\PrEHMCb.exe
  C:\Windows\System\PrEHMCb.exe
  2⤵
  PID:5252
- C:\Windows\System\NowQptX.exe
  C:\Windows\System\NowQptX.exe
  2⤵
  PID:5280
- C:\Windows\System\ivUcMRt.exe
  C:\Windows\System\ivUcMRt.exe
  2⤵
  PID:5308
- C:\Windows\System\yJPcbrC.exe
  C:\Windows\System\yJPcbrC.exe
  2⤵
  PID:5336
- C:\Windows\System\ghbrXam.exe
  C:\Windows\System\ghbrXam.exe
  2⤵
  PID:5364
- C:\Windows\System\PcxvwTB.exe
  C:\Windows\System\PcxvwTB.exe
  2⤵
  PID:5392
- C:\Windows\System\qrnGvGb.exe
  C:\Windows\System\qrnGvGb.exe
  2⤵
  PID:5424
- C:\Windows\System\wRgMRcT.exe
  C:\Windows\System\wRgMRcT.exe
  2⤵
  PID:5452
- C:\Windows\System\LsMIJgL.exe
  C:\Windows\System\LsMIJgL.exe
  2⤵
  PID:5480
- C:\Windows\System\HXeddyN.exe
  C:\Windows\System\HXeddyN.exe
  2⤵
  PID:5508
- C:\Windows\System\bkjCsZY.exe
  C:\Windows\System\bkjCsZY.exe
  2⤵
  PID:5536
- C:\Windows\System\WHjEVAp.exe
  C:\Windows\System\WHjEVAp.exe
  2⤵
  PID:5560
- C:\Windows\System\JFmfgLg.exe
  C:\Windows\System\JFmfgLg.exe
  2⤵
  PID:5588
- C:\Windows\System\FcUjEgP.exe
  C:\Windows\System\FcUjEgP.exe
  2⤵
  PID:5616
- C:\Windows\System\MPCjjPJ.exe
  C:\Windows\System\MPCjjPJ.exe
  2⤵
  PID:5648
- C:\Windows\System\sgecfnX.exe
  C:\Windows\System\sgecfnX.exe
  2⤵
  PID:5676
- C:\Windows\System\WgWtYrR.exe
  C:\Windows\System\WgWtYrR.exe
  2⤵
  PID:5704
- C:\Windows\System\itQEQsA.exe
  C:\Windows\System\itQEQsA.exe
  2⤵
  PID:5728
- C:\Windows\System\axgcqcs.exe
  C:\Windows\System\axgcqcs.exe
  2⤵
  PID:5760
- C:\Windows\System\kUqBlRF.exe
  C:\Windows\System\kUqBlRF.exe
  2⤵
  PID:5784
- C:\Windows\System\hCvuWaE.exe
  C:\Windows\System\hCvuWaE.exe
  2⤵
  PID:5812
- C:\Windows\System\OsrzhPq.exe
  C:\Windows\System\OsrzhPq.exe
  2⤵
  PID:5840
- C:\Windows\System\epNiHkc.exe
  C:\Windows\System\epNiHkc.exe
  2⤵
  PID:5868
- C:\Windows\System\LLLYalv.exe
  C:\Windows\System\LLLYalv.exe
  2⤵
  PID:5896
- C:\Windows\System\xIMNXLS.exe
  C:\Windows\System\xIMNXLS.exe
  2⤵
  PID:5928
- C:\Windows\System\qBCsIea.exe
  C:\Windows\System\qBCsIea.exe
  2⤵
  PID:5956
- C:\Windows\System\cZhUylO.exe
  C:\Windows\System\cZhUylO.exe
  2⤵
  PID:5984
- C:\Windows\System\lwBpyME.exe
  C:\Windows\System\lwBpyME.exe
  2⤵
  PID:6008
- C:\Windows\System\VTzwTJc.exe
  C:\Windows\System\VTzwTJc.exe
  2⤵
  PID:6040
- C:\Windows\System\lMUdMmJ.exe
  C:\Windows\System\lMUdMmJ.exe
  2⤵
  PID:6064
- C:\Windows\System\GYlJtEW.exe
  C:\Windows\System\GYlJtEW.exe
  2⤵
  PID:6096
- C:\Windows\System\ZJTJDtz.exe
  C:\Windows\System\ZJTJDtz.exe
  2⤵
  PID:6120
- C:\Windows\System\GksVsdw.exe
  C:\Windows\System\GksVsdw.exe
  2⤵
  PID:4500
- C:\Windows\System\lLRiLmG.exe
  C:\Windows\System\lLRiLmG.exe
  2⤵
  PID:2732
- C:\Windows\System\lFSuJfi.exe
  C:\Windows\System\lFSuJfi.exe
  2⤵
  PID:908
- C:\Windows\System\DYcfGhU.exe
  C:\Windows\System\DYcfGhU.exe
  2⤵
  PID:3400
- C:\Windows\System\QmHYQRs.exe
  C:\Windows\System\QmHYQRs.exe
  2⤵
  PID:5132
- C:\Windows\System\EfVDPfN.exe
  C:\Windows\System\EfVDPfN.exe
  2⤵
  PID:5212
- C:\Windows\System\hEepsKa.exe
  C:\Windows\System\hEepsKa.exe
  2⤵
  PID:5268
- C:\Windows\System\fEAxovW.exe
  C:\Windows\System\fEAxovW.exe
  2⤵
  PID:5324
- C:\Windows\System\VnzCBVU.exe
  C:\Windows\System\VnzCBVU.exe
  2⤵
  PID:5380
- C:\Windows\System\UeDtXxB.exe
  C:\Windows\System\UeDtXxB.exe
  2⤵
  PID:5440
- C:\Windows\System\nkXOqed.exe
  C:\Windows\System\nkXOqed.exe
  2⤵
  PID:2420
- C:\Windows\System\kAULBUL.exe
  C:\Windows\System\kAULBUL.exe
  2⤵
  PID:5552
- C:\Windows\System\hfHgmiU.exe
  C:\Windows\System\hfHgmiU.exe
  2⤵
  PID:5612
- C:\Windows\System\ZIzkcGx.exe
  C:\Windows\System\ZIzkcGx.exe
  2⤵
  PID:5688
- C:\Windows\System\UlniBLJ.exe
  C:\Windows\System\UlniBLJ.exe
  2⤵
  PID:5744
- C:\Windows\System\uxqMuFc.exe
  C:\Windows\System\uxqMuFc.exe
  2⤵
  PID:4412
- C:\Windows\System\pwnHSdr.exe
  C:\Windows\System\pwnHSdr.exe
  2⤵
  PID:5860
- C:\Windows\System\qHfVRWj.exe
  C:\Windows\System\qHfVRWj.exe
  2⤵
  PID:5920
- C:\Windows\System\AYpNwcs.exe
  C:\Windows\System\AYpNwcs.exe
  2⤵
  PID:5972
- C:\Windows\System\domvIyy.exe
  C:\Windows\System\domvIyy.exe
  2⤵
  PID:6028
- C:\Windows\System\eBPBXQO.exe
  C:\Windows\System\eBPBXQO.exe
  2⤵
  PID:6112
- C:\Windows\System\NzDVJiR.exe
  C:\Windows\System\NzDVJiR.exe
  2⤵
  PID:1740
- C:\Windows\System\xlDETZa.exe
  C:\Windows\System\xlDETZa.exe
  2⤵
  PID:2112
- C:\Windows\System\SpoujMz.exe
  C:\Windows\System\SpoujMz.exe
  2⤵
  PID:3100
- C:\Windows\System\FMJCHrS.exe
  C:\Windows\System\FMJCHrS.exe
  2⤵
  PID:5296
- C:\Windows\System\FvTyOpW.exe
  C:\Windows\System\FvTyOpW.exe
  2⤵
  PID:5436
- C:\Windows\System\OspBDnT.exe
  C:\Windows\System\OspBDnT.exe
  2⤵
  PID:5548
- C:\Windows\System\sdmYJVy.exe
  C:\Windows\System\sdmYJVy.exe
  2⤵
  PID:5716
- C:\Windows\System\WwsAzki.exe
  C:\Windows\System\WwsAzki.exe
  2⤵
  PID:5828
- C:\Windows\System\oeKXNLZ.exe
  C:\Windows\System\oeKXNLZ.exe
  2⤵
  PID:5968
- C:\Windows\System\NVbnElI.exe
  C:\Windows\System\NVbnElI.exe
  2⤵
  PID:6108
- C:\Windows\System\nijCQQM.exe
  C:\Windows\System\nijCQQM.exe
  2⤵
  PID:1088
- C:\Windows\System\cdKmvxy.exe
  C:\Windows\System\cdKmvxy.exe
  2⤵
  PID:4488
- C:\Windows\System\EsqGZCz.exe
  C:\Windows\System\EsqGZCz.exe
  2⤵
  PID:5660
- C:\Windows\System\JdPxlSC.exe
  C:\Windows\System\JdPxlSC.exe
  2⤵
  PID:5952
- C:\Windows\System\qfUQYqq.exe
  C:\Windows\System\qfUQYqq.exe
  2⤵
  PID:6164
- C:\Windows\System\MNtfLRw.exe
  C:\Windows\System\MNtfLRw.exe
  2⤵
  PID:6192
- C:\Windows\System\hruynKH.exe
  C:\Windows\System\hruynKH.exe
  2⤵
  PID:6224
- C:\Windows\System\qUonsdM.exe
  C:\Windows\System\qUonsdM.exe
  2⤵
  PID:6252
- C:\Windows\System\AYwMZyA.exe
  C:\Windows\System\AYwMZyA.exe
  2⤵
  PID:6280
- C:\Windows\System\eYuXFHG.exe
  C:\Windows\System\eYuXFHG.exe
  2⤵
  PID:6308
- C:\Windows\System\HiOlgog.exe
  C:\Windows\System\HiOlgog.exe
  2⤵
  PID:6336
- C:\Windows\System\dnUYFkD.exe
  C:\Windows\System\dnUYFkD.exe
  2⤵
  PID:6364
- C:\Windows\System\mCFEFHC.exe
  C:\Windows\System\mCFEFHC.exe
  2⤵
  PID:6392
- C:\Windows\System\qtOnogt.exe
  C:\Windows\System\qtOnogt.exe
  2⤵
  PID:6420
- C:\Windows\System\dCbZsJP.exe
  C:\Windows\System\dCbZsJP.exe
  2⤵
  PID:6444
- C:\Windows\System\LPXuCud.exe
  C:\Windows\System\LPXuCud.exe
  2⤵
  PID:6476
- C:\Windows\System\LhPnhcP.exe
  C:\Windows\System\LhPnhcP.exe
  2⤵
  PID:6504
- C:\Windows\System\WwkzzzM.exe
  C:\Windows\System\WwkzzzM.exe
  2⤵
  PID:6532
- C:\Windows\System\zZpWDdK.exe
  C:\Windows\System\zZpWDdK.exe
  2⤵
  PID:6560
- C:\Windows\System\lCwVPyj.exe
  C:\Windows\System\lCwVPyj.exe
  2⤵
  PID:6588
- C:\Windows\System\XXcmPIC.exe
  C:\Windows\System\XXcmPIC.exe
  2⤵
  PID:6612
- C:\Windows\System\dbPYXAA.exe
  C:\Windows\System\dbPYXAA.exe
  2⤵
  PID:6640
- C:\Windows\System\TRFAPkB.exe
  C:\Windows\System\TRFAPkB.exe
  2⤵
  PID:6672
- C:\Windows\System\FqeQcJV.exe
  C:\Windows\System\FqeQcJV.exe
  2⤵
  PID:6700
- C:\Windows\System\SNvDOVB.exe
  C:\Windows\System\SNvDOVB.exe
  2⤵
  PID:6728
- C:\Windows\System\WtxNhKQ.exe
  C:\Windows\System\WtxNhKQ.exe
  2⤵
  PID:6756
- C:\Windows\System\kvJzFKg.exe
  C:\Windows\System\kvJzFKg.exe
  2⤵
  PID:6860
- C:\Windows\System\iwfDpDP.exe
  C:\Windows\System\iwfDpDP.exe
  2⤵
  PID:6888
- C:\Windows\System\JJpfPLY.exe
  C:\Windows\System\JJpfPLY.exe
  2⤵
  PID:6920
- C:\Windows\System\JvHwiVc.exe
  C:\Windows\System\JvHwiVc.exe
  2⤵
  PID:6936
- C:\Windows\System\oknBnPk.exe
  C:\Windows\System\oknBnPk.exe
  2⤵
  PID:6956
- C:\Windows\System\IUHoszo.exe
  C:\Windows\System\IUHoszo.exe
  2⤵
  PID:6972
- C:\Windows\System\diWPCFZ.exe
  C:\Windows\System\diWPCFZ.exe
  2⤵
  PID:6992
- C:\Windows\System\TlhogbG.exe
  C:\Windows\System\TlhogbG.exe
  2⤵
  PID:7020
- C:\Windows\System\DRsvLOe.exe
  C:\Windows\System\DRsvLOe.exe
  2⤵
  PID:7056
- C:\Windows\System\QngDwRv.exe
  C:\Windows\System\QngDwRv.exe
  2⤵
  PID:7096
- C:\Windows\System\jptQytE.exe
  C:\Windows\System\jptQytE.exe
  2⤵
  PID:7164
- C:\Windows\System\hSFBDJv.exe
  C:\Windows\System\hSFBDJv.exe
  2⤵
  PID:4908
- C:\Windows\System\qplBzHj.exe
  C:\Windows\System\qplBzHj.exe
  2⤵
  PID:5800
- C:\Windows\System\lrNVOpF.exe
  C:\Windows\System\lrNVOpF.exe
  2⤵
  PID:6184
- C:\Windows\System\MyvRZiX.exe
  C:\Windows\System\MyvRZiX.exe
  2⤵
  PID:6244
- C:\Windows\System\OAqqEtd.exe
  C:\Windows\System\OAqqEtd.exe
  2⤵
  PID:6320
- C:\Windows\System\FhSNQpl.exe
  C:\Windows\System\FhSNQpl.exe
  2⤵
  PID:6348
- C:\Windows\System\LEJyLUu.exe
  C:\Windows\System\LEJyLUu.exe
  2⤵
  PID:6432
- C:\Windows\System\cScOain.exe
  C:\Windows\System\cScOain.exe
  2⤵
  PID:6496
- C:\Windows\System\KhSTCmX.exe
  C:\Windows\System\KhSTCmX.exe
  2⤵
  PID:6576
- C:\Windows\System\MnrkLpm.exe
  C:\Windows\System\MnrkLpm.exe
  2⤵
  PID:6604
- C:\Windows\System\NAHyqHe.exe
  C:\Windows\System\NAHyqHe.exe
  2⤵
  PID:6664
- C:\Windows\System\gLJkjJy.exe
  C:\Windows\System\gLJkjJy.exe
  2⤵
  PID:6688
- C:\Windows\System\SrolaVh.exe
  C:\Windows\System\SrolaVh.exe
  2⤵
  PID:6712
- C:\Windows\System\OlHubtL.exe
  C:\Windows\System\OlHubtL.exe
  2⤵
  PID:1508
- C:\Windows\System\eYIhmPr.exe
  C:\Windows\System\eYIhmPr.exe
  2⤵
  PID:904
- C:\Windows\System\eDARfWg.exe
  C:\Windows\System\eDARfWg.exe
  2⤵
  PID:1592
- C:\Windows\System\PeDLmPO.exe
  C:\Windows\System\PeDLmPO.exe
  2⤵
  PID:60
- C:\Windows\System\XgMecbE.exe
  C:\Windows\System\XgMecbE.exe
  2⤵
  PID:6916
- C:\Windows\System\XcmNkah.exe
  C:\Windows\System\XcmNkah.exe
  2⤵
  PID:1680
- C:\Windows\System\apjFswy.exe
  C:\Windows\System\apjFswy.exe
  2⤵
  PID:5020
- C:\Windows\System\oXjoZrC.exe
  C:\Windows\System\oXjoZrC.exe
  2⤵
  PID:564
- C:\Windows\System\MVedJuF.exe
  C:\Windows\System\MVedJuF.exe
  2⤵
  PID:4444
- C:\Windows\System\qwgWwvS.exe
  C:\Windows\System\qwgWwvS.exe
  2⤵
  PID:784
- C:\Windows\System\otQSXPF.exe
  C:\Windows\System\otQSXPF.exe
  2⤵
  PID:7044
- C:\Windows\System\SaejHHe.exe
  C:\Windows\System\SaejHHe.exe
  2⤵
  PID:7080
- C:\Windows\System\NPuMeWe.exe
  C:\Windows\System\NPuMeWe.exe
  2⤵
  PID:5360
- C:\Windows\System\VdUkZlX.exe
  C:\Windows\System\VdUkZlX.exe
  2⤵
  PID:6236
- C:\Windows\System\sLXxliU.exe
  C:\Windows\System\sLXxliU.exe
  2⤵
  PID:6376
- C:\Windows\System\OohhNMP.exe
  C:\Windows\System\OohhNMP.exe
  2⤵
  PID:6520
- C:\Windows\System\RIkBJeu.exe
  C:\Windows\System\RIkBJeu.exe
  2⤵
  PID:4756
- C:\Windows\System\pGUaJMs.exe
  C:\Windows\System\pGUaJMs.exe
  2⤵
  PID:1664
- C:\Windows\System\AUJxeDz.exe
  C:\Windows\System\AUJxeDz.exe
  2⤵
  PID:6872
- C:\Windows\System\zNktFuw.exe
  C:\Windows\System\zNktFuw.exe
  2⤵
  PID:2356
- C:\Windows\System\bvCvUax.exe
  C:\Windows\System\bvCvUax.exe
  2⤵
  PID:1848
- C:\Windows\System\NUVSzei.exe
  C:\Windows\System\NUVSzei.exe
  2⤵
  PID:6988
- C:\Windows\System\hOFospi.exe
  C:\Windows\System\hOFospi.exe
  2⤵
  PID:6080
- C:\Windows\System\hfOYrdU.exe
  C:\Windows\System\hfOYrdU.exe
  2⤵
  PID:6492
- C:\Windows\System\SZiFokR.exe
  C:\Windows\System\SZiFokR.exe
  2⤵
  PID:1048
- C:\Windows\System\zsSzxcW.exe
  C:\Windows\System\zsSzxcW.exe
  2⤵
  PID:2368
- C:\Windows\System\xqbqGAt.exe
  C:\Windows\System\xqbqGAt.exe
  2⤵
  PID:2460
- C:\Windows\System\yWmfZjz.exe
  C:\Windows\System\yWmfZjz.exe
  2⤵
  PID:2956
- C:\Windows\System\eCgqCFu.exe
  C:\Windows\System\eCgqCFu.exe
  2⤵
  PID:2972
- C:\Windows\System\ZKjZqDn.exe
  C:\Windows\System\ZKjZqDn.exe
  2⤵
  PID:2668
- C:\Windows\System\PsexFTu.exe
  C:\Windows\System\PsexFTu.exe
  2⤵
  PID:7188
- C:\Windows\System\XHYxsPf.exe
  C:\Windows\System\XHYxsPf.exe
  2⤵
  PID:7204
- C:\Windows\System\DdrxqTM.exe
  C:\Windows\System\DdrxqTM.exe
  2⤵
  PID:7244
- C:\Windows\System\IVZNOJB.exe
  C:\Windows\System\IVZNOJB.exe
  2⤵
  PID:7280
- C:\Windows\System\tRuFFdJ.exe
  C:\Windows\System\tRuFFdJ.exe
  2⤵
  PID:7312
- C:\Windows\System\rYabolR.exe
  C:\Windows\System\rYabolR.exe
  2⤵
  PID:7336
- C:\Windows\System\UoxhgFf.exe
  C:\Windows\System\UoxhgFf.exe
  2⤵
  PID:7364
- C:\Windows\System\uzDzNJf.exe
  C:\Windows\System\uzDzNJf.exe
  2⤵
  PID:7400
- C:\Windows\System\CRluIAo.exe
  C:\Windows\System\CRluIAo.exe
  2⤵
  PID:7428
- C:\Windows\System\gtMYGUv.exe
  C:\Windows\System\gtMYGUv.exe
  2⤵
  PID:7448
- C:\Windows\System\ASsijvA.exe
  C:\Windows\System\ASsijvA.exe
  2⤵
  PID:7476
- C:\Windows\System\QpvVJVs.exe
  C:\Windows\System\QpvVJVs.exe
  2⤵
  PID:7504
- C:\Windows\System\wvNPRJB.exe
  C:\Windows\System\wvNPRJB.exe
  2⤵
  PID:7544
- C:\Windows\System\kYzxCur.exe
  C:\Windows\System\kYzxCur.exe
  2⤵
  PID:7576
- C:\Windows\System\nWnEfMf.exe
  C:\Windows\System\nWnEfMf.exe
  2⤵
  PID:7604
- C:\Windows\System\SNYVccg.exe
  C:\Windows\System\SNYVccg.exe
  2⤵
  PID:7632
- C:\Windows\System\pZntTda.exe
  C:\Windows\System\pZntTda.exe
  2⤵
  PID:7684
- C:\Windows\System\hEHaTmX.exe
  C:\Windows\System\hEHaTmX.exe
  2⤵
  PID:7712
- C:\Windows\System\njgxzNT.exe
  C:\Windows\System\njgxzNT.exe
  2⤵
  PID:7740
- C:\Windows\System\ZiEgtzx.exe
  C:\Windows\System\ZiEgtzx.exe
  2⤵
  PID:7768
- C:\Windows\System\HjFOuMf.exe
  C:\Windows\System\HjFOuMf.exe
  2⤵
  PID:7796
- C:\Windows\System\BTMnTbo.exe
  C:\Windows\System\BTMnTbo.exe
  2⤵
  PID:7824
- C:\Windows\System\EloCyIc.exe
  C:\Windows\System\EloCyIc.exe
  2⤵
  PID:7864
- C:\Windows\System\PtYGZRq.exe
  C:\Windows\System\PtYGZRq.exe
  2⤵
  PID:7892
- C:\Windows\System\ZLbAZkw.exe
  C:\Windows\System\ZLbAZkw.exe
  2⤵
  PID:7920
- C:\Windows\System\rIuZxKp.exe
  C:\Windows\System\rIuZxKp.exe
  2⤵
  PID:7956
- C:\Windows\System\tZGuaWa.exe
  C:\Windows\System\tZGuaWa.exe
  2⤵
  PID:7984
- C:\Windows\System\PfkSPab.exe
  C:\Windows\System\PfkSPab.exe
  2⤵
  PID:8020
- C:\Windows\System\BAASHml.exe
  C:\Windows\System\BAASHml.exe
  2⤵
  PID:8040
- C:\Windows\System\BETqjMA.exe
  C:\Windows\System\BETqjMA.exe
  2⤵
  PID:8072
- C:\Windows\System\IohOQLv.exe
  C:\Windows\System\IohOQLv.exe
  2⤵
  PID:8096
- C:\Windows\System\EgDCUmB.exe
  C:\Windows\System\EgDCUmB.exe
  2⤵
  PID:8124
- C:\Windows\System\CAxEzpL.exe
  C:\Windows\System\CAxEzpL.exe
  2⤵
  PID:8140
- C:\Windows\System\DcDLVJA.exe
  C:\Windows\System\DcDLVJA.exe
  2⤵
  PID:8156
- C:\Windows\System\BcyUbuR.exe
  C:\Windows\System\BcyUbuR.exe
  2⤵
  PID:8180
- C:\Windows\System\amsQfxN.exe
  C:\Windows\System\amsQfxN.exe
  2⤵
  PID:7216
- C:\Windows\System\wSScUIs.exe
  C:\Windows\System\wSScUIs.exe
  2⤵
  PID:7328
- C:\Windows\System\rXlfGll.exe
  C:\Windows\System\rXlfGll.exe
  2⤵
  PID:7388
- C:\Windows\System\IWedCYe.exe
  C:\Windows\System\IWedCYe.exe
  2⤵
  PID:7460
- C:\Windows\System\YXYaGxD.exe
  C:\Windows\System\YXYaGxD.exe
  2⤵
  PID:7540
- C:\Windows\System\mIomALI.exe
  C:\Windows\System\mIomALI.exe
  2⤵
  PID:7628
- C:\Windows\System\QATNAku.exe
  C:\Windows\System\QATNAku.exe
  2⤵
  PID:7724
- C:\Windows\System\VIcmeNa.exe
  C:\Windows\System\VIcmeNa.exe
  2⤵
  PID:7780
- C:\Windows\System\PeoFQnd.exe
  C:\Windows\System\PeoFQnd.exe
  2⤵
  PID:7816
- C:\Windows\System\WZWclgx.exe
  C:\Windows\System\WZWclgx.exe
  2⤵
  PID:7860
- C:\Windows\System\kpsujDv.exe
  C:\Windows\System\kpsujDv.exe
  2⤵
  PID:7932
- C:\Windows\System\uuXJmtv.exe
  C:\Windows\System\uuXJmtv.exe
  2⤵
  PID:7976
- C:\Windows\System\TCdNkvj.exe
  C:\Windows\System\TCdNkvj.exe
  2⤵
  PID:8036
- C:\Windows\System\DPBYyQz.exe
  C:\Windows\System\DPBYyQz.exe
  2⤵
  PID:8092
- C:\Windows\System\seCjeTd.exe
  C:\Windows\System\seCjeTd.exe
  2⤵
  PID:8132
- C:\Windows\System\NkRpRkK.exe
  C:\Windows\System\NkRpRkK.exe
  2⤵
  PID:8148
- C:\Windows\System\CwvbLih.exe
  C:\Windows\System\CwvbLih.exe
  2⤵
  PID:7196
- C:\Windows\System\EqlDhnj.exe
  C:\Windows\System\EqlDhnj.exe
  2⤵
  PID:7440
- C:\Windows\System\ASJYady.exe
  C:\Windows\System\ASJYady.exe
  2⤵
  PID:7696
- C:\Windows\System\iCnIkDi.exe
  C:\Windows\System\iCnIkDi.exe
  2⤵
  PID:8116
- C:\Windows\System\eZlySGC.exe
  C:\Windows\System\eZlySGC.exe
  2⤵
  PID:7416
- C:\Windows\System\KNwetUy.exe
  C:\Windows\System\KNwetUy.exe
  2⤵
  PID:7380
- C:\Windows\System\NXjdfUT.exe
  C:\Windows\System\NXjdfUT.exe
  2⤵
  PID:8088
- C:\Windows\System\zMJnsyo.exe
  C:\Windows\System\zMJnsyo.exe
  2⤵
  PID:6904
- C:\Windows\System\OseQMYE.exe
  C:\Windows\System\OseQMYE.exe
  2⤵
  PID:7944
- C:\Windows\System\GuhYMre.exe
  C:\Windows\System\GuhYMre.exe
  2⤵
  PID:6808
- C:\Windows\System\kbahSIy.exe
  C:\Windows\System\kbahSIy.exe
  2⤵
  PID:8200
- C:\Windows\System\cNeCTeF.exe
  C:\Windows\System\cNeCTeF.exe
  2⤵
  PID:8228
- C:\Windows\System\VmLWGzb.exe
  C:\Windows\System\VmLWGzb.exe
  2⤵
  PID:8256
- C:\Windows\System\wqrJkNR.exe
  C:\Windows\System\wqrJkNR.exe
  2⤵
  PID:8284
- C:\Windows\System\ALBOpzJ.exe
  C:\Windows\System\ALBOpzJ.exe
  2⤵
  PID:8312
- C:\Windows\System\NNIOGzd.exe
  C:\Windows\System\NNIOGzd.exe
  2⤵
  PID:8340
- C:\Windows\System\MOgDEEf.exe
  C:\Windows\System\MOgDEEf.exe
  2⤵
  PID:8368
- C:\Windows\System\JUHAkoB.exe
  C:\Windows\System\JUHAkoB.exe
  2⤵
  PID:8396
- C:\Windows\System\AyRnyTE.exe
  C:\Windows\System\AyRnyTE.exe
  2⤵
  PID:8428
- C:\Windows\System\KVrobrx.exe
  C:\Windows\System\KVrobrx.exe
  2⤵
  PID:8456
- C:\Windows\System\OHbDnfk.exe
  C:\Windows\System\OHbDnfk.exe
  2⤵
  PID:8484
- C:\Windows\System\anEDVcJ.exe
  C:\Windows\System\anEDVcJ.exe
  2⤵
  PID:8512
- C:\Windows\System\GrZXJPB.exe
  C:\Windows\System\GrZXJPB.exe
  2⤵
  PID:8540
- C:\Windows\System\XcujeHq.exe
  C:\Windows\System\XcujeHq.exe
  2⤵
  PID:8568
- C:\Windows\System\TYsyxXA.exe
  C:\Windows\System\TYsyxXA.exe
  2⤵
  PID:8596
- C:\Windows\System\adFkcks.exe
  C:\Windows\System\adFkcks.exe
  2⤵
  PID:8624
- C:\Windows\System\pBTPOeb.exe
  C:\Windows\System\pBTPOeb.exe
  2⤵
  PID:8652
- C:\Windows\System\TWlObNq.exe
  C:\Windows\System\TWlObNq.exe
  2⤵
  PID:8684
- C:\Windows\System\OBJTUfN.exe
  C:\Windows\System\OBJTUfN.exe
  2⤵
  PID:8708
- C:\Windows\System\aOBhPqL.exe
  C:\Windows\System\aOBhPqL.exe
  2⤵
  PID:8744
- C:\Windows\System\DorQpic.exe
  C:\Windows\System\DorQpic.exe
  2⤵
  PID:8784
- C:\Windows\System\qFbfUqq.exe
  C:\Windows\System\qFbfUqq.exe
  2⤵
  PID:8820
- C:\Windows\System\yIerMYq.exe
  C:\Windows\System\yIerMYq.exe
  2⤵
  PID:8856
- C:\Windows\System\pJtpnUz.exe
  C:\Windows\System\pJtpnUz.exe
  2⤵
  PID:8892
- C:\Windows\System\wPVnDHW.exe
  C:\Windows\System\wPVnDHW.exe
  2⤵
  PID:8924
- C:\Windows\System\jTjivER.exe
  C:\Windows\System\jTjivER.exe
  2⤵
  PID:8952
- C:\Windows\System\XIeVUUF.exe
  C:\Windows\System\XIeVUUF.exe
  2⤵
  PID:8980
- C:\Windows\System\KxEuAzh.exe
  C:\Windows\System\KxEuAzh.exe
  2⤵
  PID:9016
- C:\Windows\System\SpgnJvN.exe
  C:\Windows\System\SpgnJvN.exe
  2⤵
  PID:9052
- C:\Windows\System\YIRMZhq.exe
  C:\Windows\System\YIRMZhq.exe
  2⤵
  PID:9096
- C:\Windows\System\xgcFxIf.exe
  C:\Windows\System\xgcFxIf.exe
  2⤵
  PID:9124
- C:\Windows\System\aKfYtIg.exe
  C:\Windows\System\aKfYtIg.exe
  2⤵
  PID:9156
- C:\Windows\System\HDxKFEO.exe
  C:\Windows\System\HDxKFEO.exe
  2⤵
  PID:9188
- C:\Windows\System\wYsoRCM.exe
  C:\Windows\System\wYsoRCM.exe
  2⤵
  PID:6828
- C:\Windows\System\FnbzTXd.exe
  C:\Windows\System\FnbzTXd.exe
  2⤵
  PID:8268
- C:\Windows\System\BbuKFRU.exe
  C:\Windows\System\BbuKFRU.exe
  2⤵
  PID:8308
- C:\Windows\System\okffHhm.exe
  C:\Windows\System\okffHhm.exe
  2⤵
  PID:8380
- C:\Windows\System\veZLbGQ.exe
  C:\Windows\System\veZLbGQ.exe
  2⤵
  PID:8468
- C:\Windows\System\KGSXOcT.exe
  C:\Windows\System\KGSXOcT.exe
  2⤵
  PID:8532
- C:\Windows\System\uUPAxMR.exe
  C:\Windows\System\uUPAxMR.exe
  2⤵
  PID:8592
- C:\Windows\System\VQQPuEk.exe
  C:\Windows\System\VQQPuEk.exe
  2⤵
  PID:8664
- C:\Windows\System\LWKgDJw.exe
  C:\Windows\System\LWKgDJw.exe
  2⤵
  PID:8728
- C:\Windows\System\LpqJpKi.exe
  C:\Windows\System\LpqJpKi.exe
  2⤵
  PID:8812
- C:\Windows\System\fVirnTV.exe
  C:\Windows\System\fVirnTV.exe
  2⤵
  PID:8888
- C:\Windows\System\trdpTZa.exe
  C:\Windows\System\trdpTZa.exe
  2⤵
  PID:8964
- C:\Windows\System\emCbfWp.exe
  C:\Windows\System\emCbfWp.exe
  2⤵
  PID:9036
- C:\Windows\System\BvWsbHH.exe
  C:\Windows\System\BvWsbHH.exe
  2⤵
  PID:9140
- C:\Windows\System\QxfLIGX.exe
  C:\Windows\System\QxfLIGX.exe
  2⤵
  PID:9208
- C:\Windows\System\MAxnkSS.exe
  C:\Windows\System\MAxnkSS.exe
  2⤵
  PID:8336
- C:\Windows\System\smusRcs.exe
  C:\Windows\System\smusRcs.exe
  2⤵
  PID:7532
- C:\Windows\System\xPmMCQh.exe
  C:\Windows\System\xPmMCQh.exe
  2⤵
  PID:8524
- C:\Windows\System\uSAftui.exe
  C:\Windows\System\uSAftui.exe
  2⤵
  PID:8580
- C:\Windows\System\DeAQNiG.exe
  C:\Windows\System\DeAQNiG.exe
  2⤵
  PID:8704
- C:\Windows\System\fIZrKEL.exe
  C:\Windows\System\fIZrKEL.exe
  2⤵
  PID:9008
- C:\Windows\System\nZQOMvC.exe
  C:\Windows\System\nZQOMvC.exe
  2⤵
  PID:9172
- C:\Windows\System\wwJSowT.exe
  C:\Windows\System\wwJSowT.exe
  2⤵
  PID:7660
- C:\Windows\System\ZSjQdSh.exe
  C:\Windows\System\ZSjQdSh.exe
  2⤵
  PID:8944
- C:\Windows\System\ljxDizW.exe
  C:\Windows\System\ljxDizW.exe
  2⤵
  PID:8508
- C:\Windows\System\SuNfNoL.exe
  C:\Windows\System\SuNfNoL.exe
  2⤵
  PID:9252
- C:\Windows\System\ITgYarT.exe
  C:\Windows\System\ITgYarT.exe
  2⤵
  PID:9268
- C:\Windows\System\mieRGnA.exe
  C:\Windows\System\mieRGnA.exe
  2⤵
  PID:9316
- C:\Windows\System\rcwuxDo.exe
  C:\Windows\System\rcwuxDo.exe
  2⤵
  PID:9380
- C:\Windows\System\iyHMyYy.exe
  C:\Windows\System\iyHMyYy.exe
  2⤵
  PID:9416
- C:\Windows\System\aWuUago.exe
  C:\Windows\System\aWuUago.exe
  2⤵
  PID:9452
- C:\Windows\System\xkVskHX.exe
  C:\Windows\System\xkVskHX.exe
  2⤵
  PID:9500
- C:\Windows\System\OFWlKTP.exe
  C:\Windows\System\OFWlKTP.exe
  2⤵
  PID:9532
- C:\Windows\System\oljMvNg.exe
  C:\Windows\System\oljMvNg.exe
  2⤵
  PID:9564
- C:\Windows\System\ROuVmjU.exe
  C:\Windows\System\ROuVmjU.exe
  2⤵
  PID:9592
- C:\Windows\System\GeUiTbn.exe
  C:\Windows\System\GeUiTbn.exe
  2⤵
  PID:9620
- C:\Windows\System\uuYMmiX.exe
  C:\Windows\System\uuYMmiX.exe
  2⤵
  PID:9648
- C:\Windows\System\ExVdRDR.exe
  C:\Windows\System\ExVdRDR.exe
  2⤵
  PID:9668
- C:\Windows\System\grkhXxM.exe
  C:\Windows\System\grkhXxM.exe
  2⤵
  PID:9708
- C:\Windows\System\obHstwJ.exe
  C:\Windows\System\obHstwJ.exe
  2⤵
  PID:9740
- C:\Windows\System\hNeDtgq.exe
  C:\Windows\System\hNeDtgq.exe
  2⤵
  PID:9772
- C:\Windows\System\oMjUmEh.exe
  C:\Windows\System\oMjUmEh.exe
  2⤵
  PID:9800
- C:\Windows\System\nbZMZwP.exe
  C:\Windows\System\nbZMZwP.exe
  2⤵
  PID:9832
- C:\Windows\System\FbTsHmH.exe
  C:\Windows\System\FbTsHmH.exe
  2⤵
  PID:9872
- C:\Windows\System\pvYulxK.exe
  C:\Windows\System\pvYulxK.exe
  2⤵
  PID:9900
- C:\Windows\System\nyjWPRs.exe
  C:\Windows\System\nyjWPRs.exe
  2⤵
  PID:9928
- C:\Windows\System\rXICDSF.exe
  C:\Windows\System\rXICDSF.exe
  2⤵
  PID:9956
- C:\Windows\System\RuKyPXU.exe
  C:\Windows\System\RuKyPXU.exe
  2⤵
  PID:9984
- C:\Windows\System\DYAzByY.exe
  C:\Windows\System\DYAzByY.exe
  2⤵
  PID:10012
- C:\Windows\System\wOBCdQQ.exe
  C:\Windows\System\wOBCdQQ.exe
  2⤵
  PID:10040
- C:\Windows\System\DBhtFSD.exe
  C:\Windows\System\DBhtFSD.exe
  2⤵
  PID:10060
- C:\Windows\System\mwYxyFJ.exe
  C:\Windows\System\mwYxyFJ.exe
  2⤵
  PID:10088
- C:\Windows\System\oIZzpdG.exe
  C:\Windows\System\oIZzpdG.exe
  2⤵
  PID:10116
- C:\Windows\System\jHJuGiG.exe
  C:\Windows\System\jHJuGiG.exe
  2⤵
  PID:10156
- C:\Windows\System\RrdEZLk.exe
  C:\Windows\System\RrdEZLk.exe
  2⤵
  PID:10184
- C:\Windows\System\KHLvkVa.exe
  C:\Windows\System\KHLvkVa.exe
  2⤵
  PID:10212
- C:\Windows\System\jbBFGQK.exe
  C:\Windows\System\jbBFGQK.exe
  2⤵
  PID:9220
- C:\Windows\System\aXHgshB.exe
  C:\Windows\System\aXHgshB.exe
  2⤵
  PID:9308
- C:\Windows\System\RuUEyWt.exe
  C:\Windows\System\RuUEyWt.exe
  2⤵
  PID:9392
- C:\Windows\System\ZFMRLQF.exe
  C:\Windows\System\ZFMRLQF.exe
  2⤵
  PID:9524
- C:\Windows\System\JMIsEDm.exe
  C:\Windows\System\JMIsEDm.exe
  2⤵
  PID:9580
- C:\Windows\System\CuaveSH.exe
  C:\Windows\System\CuaveSH.exe
  2⤵
  PID:9660
- C:\Windows\System\xgWaPwZ.exe
  C:\Windows\System\xgWaPwZ.exe
  2⤵
  PID:9724
- C:\Windows\System\TCiQfqe.exe
  C:\Windows\System\TCiQfqe.exe
  2⤵
  PID:9796
- C:\Windows\System\UhZhPas.exe
  C:\Windows\System\UhZhPas.exe
  2⤵
  PID:9868
- C:\Windows\System\anKpWdA.exe
  C:\Windows\System\anKpWdA.exe
  2⤵
  PID:9948
- C:\Windows\System\tLiUqKx.exe
  C:\Windows\System\tLiUqKx.exe
  2⤵
  PID:10008
- C:\Windows\System\zFcezxU.exe
  C:\Windows\System\zFcezxU.exe
  2⤵
  PID:10028
- C:\Windows\System\PALnHjl.exe
  C:\Windows\System\PALnHjl.exe
  2⤵
  PID:10128
- C:\Windows\System\vEycUPF.exe
  C:\Windows\System\vEycUPF.exe
  2⤵
  PID:10204
- C:\Windows\System\KHfdfOA.exe
  C:\Windows\System\KHfdfOA.exe
  2⤵
  PID:9304
- C:\Windows\System\uWmNzCy.exe
  C:\Windows\System\uWmNzCy.exe
  2⤵
  PID:9556
- C:\Windows\System\qFcKeXF.exe
  C:\Windows\System\qFcKeXF.exe
  2⤵
  PID:9704
- C:\Windows\System\tsEpMFS.exe
  C:\Windows\System\tsEpMFS.exe
  2⤵
  PID:9864
- C:\Windows\System\ktyYwXy.exe
  C:\Windows\System\ktyYwXy.exe
  2⤵
  PID:10080
- C:\Windows\System\akcoQii.exe
  C:\Windows\System\akcoQii.exe
  2⤵
  PID:10200
- C:\Windows\System\ZRXyoJl.exe
  C:\Windows\System\ZRXyoJl.exe
  2⤵
  PID:9488
- C:\Windows\System\vFapkPx.exe
  C:\Windows\System\vFapkPx.exe
  2⤵
  PID:9848
- C:\Windows\System\DxocEby.exe
  C:\Windows\System\DxocEby.exe
  2⤵
  PID:9264
- C:\Windows\System\vkGkhau.exe
  C:\Windows\System\vkGkhau.exe
  2⤵
  PID:10180
- C:\Windows\System\nKOXfbQ.exe
  C:\Windows\System\nKOXfbQ.exe
  2⤵
  PID:10256
- C:\Windows\System\ZLCfKOx.exe
  C:\Windows\System\ZLCfKOx.exe
  2⤵
  PID:10284
- C:\Windows\System\WatoDFU.exe
  C:\Windows\System\WatoDFU.exe
  2⤵
  PID:10316
- C:\Windows\System\OgBtXhj.exe
  C:\Windows\System\OgBtXhj.exe
  2⤵
  PID:10344
- C:\Windows\System\cEOdsqz.exe
  C:\Windows\System\cEOdsqz.exe
  2⤵
  PID:10372
- C:\Windows\System\FQmwoNL.exe
  C:\Windows\System\FQmwoNL.exe
  2⤵
  PID:10400
- C:\Windows\System\lehLQke.exe
  C:\Windows\System\lehLQke.exe
  2⤵
  PID:10428
- C:\Windows\System\DeUJUdm.exe
  C:\Windows\System\DeUJUdm.exe
  2⤵
  PID:10460
- C:\Windows\System\RCyCXvz.exe
  C:\Windows\System\RCyCXvz.exe
  2⤵
  PID:10488
- C:\Windows\System\pDlllPa.exe
  C:\Windows\System\pDlllPa.exe
  2⤵
  PID:10504
- C:\Windows\System\fKzxkOL.exe
  C:\Windows\System\fKzxkOL.exe
  2⤵
  PID:10544
- C:\Windows\System\Xmecomq.exe
  C:\Windows\System\Xmecomq.exe
  2⤵
  PID:10572
- C:\Windows\System\eMHKbda.exe
  C:\Windows\System\eMHKbda.exe
  2⤵
  PID:10600
- C:\Windows\System\SmSEeBU.exe
  C:\Windows\System\SmSEeBU.exe
  2⤵
  PID:10628
- C:\Windows\System\IjjVMLY.exe
  C:\Windows\System\IjjVMLY.exe
  2⤵
  PID:10656
- C:\Windows\System\RacYaAy.exe
  C:\Windows\System\RacYaAy.exe
  2⤵
  PID:10684
- C:\Windows\System\pIsEsJN.exe
  C:\Windows\System\pIsEsJN.exe
  2⤵
  PID:10712
- C:\Windows\System\elWLpAn.exe
  C:\Windows\System\elWLpAn.exe
  2⤵
  PID:10740
- C:\Windows\System\jTOQuRq.exe
  C:\Windows\System\jTOQuRq.exe
  2⤵
  PID:10768
- C:\Windows\System\JqUdtnZ.exe
  C:\Windows\System\JqUdtnZ.exe
  2⤵
  PID:10796
- C:\Windows\System\OWZXHWv.exe
  C:\Windows\System\OWZXHWv.exe
  2⤵
  PID:10824
- C:\Windows\System\tTwXcmi.exe
  C:\Windows\System\tTwXcmi.exe
  2⤵
  PID:10852
- C:\Windows\System\pedjnEk.exe
  C:\Windows\System\pedjnEk.exe
  2⤵
  PID:10880
- C:\Windows\System\TJdfAuP.exe
  C:\Windows\System\TJdfAuP.exe
  2⤵
  PID:10908
- C:\Windows\System\AKGMqxE.exe
  C:\Windows\System\AKGMqxE.exe
  2⤵
  PID:10936
- C:\Windows\System\JpqLWCp.exe
  C:\Windows\System\JpqLWCp.exe
  2⤵
  PID:10964
- C:\Windows\System\luMPQxk.exe
  C:\Windows\System\luMPQxk.exe
  2⤵
  PID:10992
- C:\Windows\System\kNztzpA.exe
  C:\Windows\System\kNztzpA.exe
  2⤵
  PID:11020
- C:\Windows\System\RZBldlD.exe
  C:\Windows\System\RZBldlD.exe
  2⤵
  PID:11048
- C:\Windows\System\LRXRwgU.exe
  C:\Windows\System\LRXRwgU.exe
  2⤵
  PID:11076
- C:\Windows\System\yqrxDij.exe
  C:\Windows\System\yqrxDij.exe
  2⤵
  PID:11104
- C:\Windows\System\zIBClTH.exe
  C:\Windows\System\zIBClTH.exe
  2⤵
  PID:11136
- C:\Windows\System\gUmnWDG.exe
  C:\Windows\System\gUmnWDG.exe
  2⤵
  PID:11164
- C:\Windows\System\CjVnfws.exe
  C:\Windows\System\CjVnfws.exe
  2⤵
  PID:11192
- C:\Windows\System\ZXPUuaE.exe
  C:\Windows\System\ZXPUuaE.exe
  2⤵
  PID:11220
- C:\Windows\System\KpLAFAi.exe
  C:\Windows\System\KpLAFAi.exe
  2⤵
  PID:11248
- C:\Windows\System\UanhjSk.exe
  C:\Windows\System\UanhjSk.exe
  2⤵
  PID:10268
- C:\Windows\System\JJqwTRP.exe
  C:\Windows\System\JJqwTRP.exe
  2⤵
  PID:10336
- C:\Windows\System\ARhWnzU.exe
  C:\Windows\System\ARhWnzU.exe
  2⤵
  PID:3276
- C:\Windows\System\icbVpVU.exe
  C:\Windows\System\icbVpVU.exe
  2⤵
  PID:10456
- C:\Windows\System\gtkXFBS.exe
  C:\Windows\System\gtkXFBS.exe
  2⤵
  PID:10528
- C:\Windows\System\QaJpVgH.exe
  C:\Windows\System\QaJpVgH.exe
  2⤵
  PID:10592
- C:\Windows\System\TFREOep.exe
  C:\Windows\System\TFREOep.exe
  2⤵
  PID:10652
- C:\Windows\System\AmFZRlY.exe
  C:\Windows\System\AmFZRlY.exe
  2⤵
  PID:10724
- C:\Windows\System\dfKkUGZ.exe
  C:\Windows\System\dfKkUGZ.exe
  2⤵
  PID:10788
- C:\Windows\System\ZLuIlIm.exe
  C:\Windows\System\ZLuIlIm.exe
  2⤵
  PID:10844
- C:\Windows\System\TWZxKKk.exe
  C:\Windows\System\TWZxKKk.exe
  2⤵
  PID:10904
- C:\Windows\System\XymqKik.exe
  C:\Windows\System\XymqKik.exe
  2⤵
  PID:10976
- C:\Windows\System\CVgJRtA.exe
  C:\Windows\System\CVgJRtA.exe
  2⤵
  PID:11040
- C:\Windows\System\MTddyGP.exe
  C:\Windows\System\MTddyGP.exe
  2⤵
  PID:11100
- C:\Windows\System\xqbMOih.exe
  C:\Windows\System\xqbMOih.exe
  2⤵
  PID:11176
- C:\Windows\System\SZYpVhR.exe
  C:\Windows\System\SZYpVhR.exe
  2⤵
  PID:11244
- C:\Windows\System\qzJlNnw.exe
  C:\Windows\System\qzJlNnw.exe
  2⤵
  PID:10328
- C:\Windows\System\AJLJgKO.exe
  C:\Windows\System\AJLJgKO.exe
  2⤵
  PID:10484
- C:\Windows\System\hOIfZyd.exe
  C:\Windows\System\hOIfZyd.exe
  2⤵
  PID:10648
- C:\Windows\System\KLAwlmh.exe
  C:\Windows\System\KLAwlmh.exe
  2⤵
  PID:10764
- C:\Windows\System\ZhQwggG.exe
  C:\Windows\System\ZhQwggG.exe
  2⤵
  PID:10892
- C:\Windows\System\xrlyDDl.exe
  C:\Windows\System\xrlyDDl.exe
  2⤵
  PID:11068
- C:\Windows\System\OSbjIgD.exe
  C:\Windows\System\OSbjIgD.exe
  2⤵
  PID:10048
- C:\Windows\System\TPhGQDp.exe
  C:\Windows\System\TPhGQDp.exe
  2⤵
  PID:10836
- C:\Windows\System\yEZOKmD.exe
  C:\Windows\System\yEZOKmD.exe
  2⤵
  PID:10752
- C:\Windows\System\BxfmpXW.exe
  C:\Windows\System\BxfmpXW.exe
  2⤵
  PID:11280
- C:\Windows\System\uhIuYas.exe
  C:\Windows\System\uhIuYas.exe
  2⤵
  PID:11296
- C:\Windows\System\ZrSfHJw.exe
  C:\Windows\System\ZrSfHJw.exe
  2⤵
  PID:11316
- C:\Windows\System\bPEFfqf.exe
  C:\Windows\System\bPEFfqf.exe
  2⤵
  PID:11376
- C:\Windows\System\TIqcWqq.exe
  C:\Windows\System\TIqcWqq.exe
  2⤵
  PID:11416
- C:\Windows\System\ukLgLfa.exe
  C:\Windows\System\ukLgLfa.exe
  2⤵
  PID:11456
- C:\Windows\System\apScDFX.exe
  C:\Windows\System\apScDFX.exe
  2⤵
  PID:11484
- C:\Windows\System\gtSNfGM.exe
  C:\Windows\System\gtSNfGM.exe
  2⤵
  PID:11512
- C:\Windows\System\kdNaaIb.exe
  C:\Windows\System\kdNaaIb.exe
  2⤵
  PID:11528
- C:\Windows\System\uwYNdea.exe
  C:\Windows\System\uwYNdea.exe
  2⤵
  PID:11556
- C:\Windows\System\wbRfwqM.exe
  C:\Windows\System\wbRfwqM.exe
  2⤵
  PID:11588
- C:\Windows\System\iHPsHUL.exe
  C:\Windows\System\iHPsHUL.exe
  2⤵
  PID:11616
- C:\Windows\System\SwEAyBj.exe
  C:\Windows\System\SwEAyBj.exe
  2⤵
  PID:11648
- C:\Windows\System\qQmlONn.exe
  C:\Windows\System\qQmlONn.exe
  2⤵
  PID:11684
- C:\Windows\System\lVdCpFX.exe
  C:\Windows\System\lVdCpFX.exe
  2⤵
  PID:11704
- C:\Windows\System\fnxPVOV.exe
  C:\Windows\System\fnxPVOV.exe
  2⤵
  PID:11728
- C:\Windows\System\LMTOAZJ.exe
  C:\Windows\System\LMTOAZJ.exe
  2⤵
  PID:11768
- C:\Windows\System\BbQfEFF.exe
  C:\Windows\System\BbQfEFF.exe
  2⤵
  PID:11796
- C:\Windows\System\gvWNFoz.exe
  C:\Windows\System\gvWNFoz.exe
  2⤵
  PID:11828
- C:\Windows\System\ttnRhuz.exe
  C:\Windows\System\ttnRhuz.exe
  2⤵
  PID:11856
- C:\Windows\System\SNBvvOY.exe
  C:\Windows\System\SNBvvOY.exe
  2⤵
  PID:11884
- C:\Windows\System\ejEnRQM.exe
  C:\Windows\System\ejEnRQM.exe
  2⤵
  PID:11912
- C:\Windows\System\sxCXdoy.exe
  C:\Windows\System\sxCXdoy.exe
  2⤵
  PID:11940
- C:\Windows\System\guQOldA.exe
  C:\Windows\System\guQOldA.exe
  2⤵
  PID:11968
- C:\Windows\System\LaIDyhX.exe
  C:\Windows\System\LaIDyhX.exe
  2⤵
  PID:11996
- C:\Windows\System\hhxKcFd.exe
  C:\Windows\System\hhxKcFd.exe
  2⤵
  PID:12024
- C:\Windows\System\HCbygzT.exe
  C:\Windows\System\HCbygzT.exe
  2⤵
  PID:12052
- C:\Windows\System\MONxRPM.exe
  C:\Windows\System\MONxRPM.exe
  2⤵
  PID:12080
- C:\Windows\System\xfBKWHm.exe
  C:\Windows\System\xfBKWHm.exe
  2⤵
  PID:12108
- C:\Windows\System\DOgiBVc.exe
  C:\Windows\System\DOgiBVc.exe
  2⤵
  PID:12136
- C:\Windows\System\oWVpuEF.exe
  C:\Windows\System\oWVpuEF.exe
  2⤵
  PID:12164
- C:\Windows\System\wUKlZES.exe
  C:\Windows\System\wUKlZES.exe
  2⤵
  PID:12196
- C:\Windows\System\ImBEbOP.exe
  C:\Windows\System\ImBEbOP.exe
  2⤵
  PID:12224
- C:\Windows\System\jsFeknX.exe
  C:\Windows\System\jsFeknX.exe
  2⤵
  PID:12252
- C:\Windows\System\gdPkrxk.exe
  C:\Windows\System\gdPkrxk.exe
  2⤵
  PID:12280
- C:\Windows\System\OiITJck.exe
  C:\Windows\System\OiITJck.exe
  2⤵
  PID:11288
- C:\Windows\System\JgBUGNG.exe
  C:\Windows\System\JgBUGNG.exe
  2⤵
  PID:11364
- C:\Windows\System\AWCuifT.exe
  C:\Windows\System\AWCuifT.exe
  2⤵
  PID:11468
- C:\Windows\System\LkTvqQW.exe
  C:\Windows\System\LkTvqQW.exe
  2⤵
  PID:11520
- C:\Windows\System\zVRXuZc.exe
  C:\Windows\System\zVRXuZc.exe
  2⤵
  PID:11584
- C:\Windows\System\AJQpHzb.exe
  C:\Windows\System\AJQpHzb.exe
  2⤵
  PID:11660
- C:\Windows\System\CHYwKiB.exe
  C:\Windows\System\CHYwKiB.exe
  2⤵
  PID:11712
- C:\Windows\System\sMoonYb.exe
  C:\Windows\System\sMoonYb.exe
  2⤵
  PID:11780
- C:\Windows\System\BtIhCNl.exe
  C:\Windows\System\BtIhCNl.exe
  2⤵
  PID:11876
- C:\Windows\System\pxyHyBG.exe
  C:\Windows\System\pxyHyBG.exe
  2⤵
  PID:11936
- C:\Windows\System\zCTodps.exe
  C:\Windows\System\zCTodps.exe
  2⤵
  PID:12048
- C:\Windows\System\xiYtwaD.exe
  C:\Windows\System\xiYtwaD.exe
  2⤵
  PID:12120
- C:\Windows\System\kTUStYF.exe
  C:\Windows\System\kTUStYF.exe
  2⤵
  PID:12188
- C:\Windows\System\EKEMbXB.exe
  C:\Windows\System\EKEMbXB.exe
  2⤵
  PID:12248
- C:\Windows\System\fFLqunM.exe
  C:\Windows\System\fFLqunM.exe
  2⤵
  PID:11308
- C:\Windows\System\ktbWlFf.exe
  C:\Windows\System\ktbWlFf.exe
  2⤵
  PID:11408
- C:\Windows\System\XfIMNwX.exe
  C:\Windows\System\XfIMNwX.exe
  2⤵
  PID:11576
- C:\Windows\System\evcyfNJ.exe
  C:\Windows\System\evcyfNJ.exe
  2⤵
  PID:11764
- C:\Windows\System\mjFAofF.exe
  C:\Windows\System\mjFAofF.exe
  2⤵
  PID:11904
- C:\Windows\System\RHYrXai.exe
  C:\Windows\System\RHYrXai.exe
  2⤵
  PID:12016
- C:\Windows\System\YJrPTZo.exe
  C:\Windows\System\YJrPTZo.exe
  2⤵
  PID:12156
- C:\Windows\System\ijmtbCf.exe
  C:\Windows\System\ijmtbCf.exe
  2⤵
  PID:11268
- C:\Windows\System\ORwfoJX.exe
  C:\Windows\System\ORwfoJX.exe
  2⤵
  PID:1036
- C:\Windows\System\sBmYbUq.exe
  C:\Windows\System\sBmYbUq.exe
  2⤵
  PID:11640
- C:\Windows\System\FclUpun.exe
  C:\Windows\System\FclUpun.exe
  2⤵
  PID:11872
- C:\Windows\System\djqooek.exe
  C:\Windows\System\djqooek.exe
  2⤵
  PID:3888
- C:\Windows\System\ZWytqUo.exe
  C:\Windows\System\ZWytqUo.exe
  2⤵
  PID:11696
- C:\Windows\System\OJzkyoE.exe
  C:\Windows\System\OJzkyoE.exe
  2⤵
  PID:10780
- C:\Windows\System\erGHRtD.exe
  C:\Windows\System\erGHRtD.exe
  2⤵
  PID:12240
- C:\Windows\System\xseqrkD.exe
  C:\Windows\System\xseqrkD.exe
  2⤵
  PID:1644
- C:\Windows\System\fidtRbW.exe
  C:\Windows\System\fidtRbW.exe
  2⤵
  PID:11412
- C:\Windows\System\Fumbpig.exe
  C:\Windows\System\Fumbpig.exe
  2⤵
  PID:12324
- C:\Windows\System\jKfGBBP.exe
  C:\Windows\System\jKfGBBP.exe
  2⤵
  PID:12352
- C:\Windows\System\MlyCOJh.exe
  C:\Windows\System\MlyCOJh.exe
  2⤵
  PID:12380
- C:\Windows\System\vdDkimA.exe
  C:\Windows\System\vdDkimA.exe
  2⤵
  PID:12420
- C:\Windows\System\zrKfGQj.exe
  C:\Windows\System\zrKfGQj.exe
  2⤵
  PID:12544
- C:\Windows\System\muduGwu.exe
  C:\Windows\System\muduGwu.exe
  2⤵
  PID:12560
- C:\Windows\System\fQjqCie.exe
  C:\Windows\System\fQjqCie.exe
  2⤵
  PID:12600
- C:\Windows\System\ZGnXaeo.exe
  C:\Windows\System\ZGnXaeo.exe
  2⤵
  PID:12640
- C:\Windows\System\QcdzAKE.exe
  C:\Windows\System\QcdzAKE.exe
  2⤵
  PID:12668
- C:\Windows\System\ELDdpIu.exe
  C:\Windows\System\ELDdpIu.exe
  2⤵
  PID:12708
- C:\Windows\System\thGEIVR.exe
  C:\Windows\System\thGEIVR.exe
  2⤵
  PID:12748
- C:\Windows\System\WokwmlC.exe
  C:\Windows\System\WokwmlC.exe
  2⤵
  PID:12764
- C:\Windows\System\fygTMAv.exe
  C:\Windows\System\fygTMAv.exe
  2⤵
  PID:12792
- C:\Windows\System\jrDBsJW.exe
  C:\Windows\System\jrDBsJW.exe
  2⤵
  PID:12824
- C:\Windows\System\MkNIaCO.exe
  C:\Windows\System\MkNIaCO.exe
  2⤵
  PID:12852
- C:\Windows\System\tjAeYIE.exe
  C:\Windows\System\tjAeYIE.exe
  2⤵
  PID:12904
- C:\Windows\System\NkAwBdl.exe
  C:\Windows\System\NkAwBdl.exe
  2⤵
  PID:12932
- C:\Windows\System\NPYeQvI.exe
  C:\Windows\System\NPYeQvI.exe
  2⤵
  PID:12984
- C:\Windows\System\BlPQSvu.exe
  C:\Windows\System\BlPQSvu.exe
  2⤵
  PID:13012
- C:\Windows\System\dFrAPLy.exe
  C:\Windows\System\dFrAPLy.exe
  2⤵
  PID:13040
- C:\Windows\System\EiuMbQT.exe
  C:\Windows\System\EiuMbQT.exe
  2⤵
  PID:13080
- C:\Windows\System\lHYMbGb.exe
  C:\Windows\System\lHYMbGb.exe
  2⤵
  PID:13108
- C:\Windows\System\RIpqewo.exe
  C:\Windows\System\RIpqewo.exe
  2⤵
  PID:13148
- C:\Windows\System\okdKupE.exe
  C:\Windows\System\okdKupE.exe
  2⤵
  PID:13176
- C:\Windows\System\DgYzNSp.exe
  C:\Windows\System\DgYzNSp.exe
  2⤵
  PID:13204
- C:\Windows\System\NwYZbZx.exe
  C:\Windows\System\NwYZbZx.exe
  2⤵
  PID:13252
- C:\Windows\System\gAEHWZd.exe
  C:\Windows\System\gAEHWZd.exe
  2⤵
  PID:13292
- C:\Windows\System\mlqAUlt.exe
  C:\Windows\System\mlqAUlt.exe
  2⤵
  PID:13308
- C:\Windows\System\RUAkcQl.exe
  C:\Windows\System\RUAkcQl.exe
  2⤵
  PID:12348
- C:\Windows\System\ajbDmwm.exe
  C:\Windows\System\ajbDmwm.exe
  2⤵
  PID:12416
- C:\Windows\System\WqVlldS.exe
  C:\Windows\System\WqVlldS.exe
  2⤵
  PID:12500
- C:\Windows\System\wOnzZzJ.exe
  C:\Windows\System\wOnzZzJ.exe
  2⤵
  PID:12528
- C:\Windows\System\YzNKOxf.exe
  C:\Windows\System\YzNKOxf.exe
  2⤵
  PID:12580
- C:\Windows\System\cjlBTqZ.exe
  C:\Windows\System\cjlBTqZ.exe
  2⤵
  PID:12636
- C:\Windows\System\kZszcly.exe
  C:\Windows\System\kZszcly.exe
  2⤵
  PID:12692
- C:\Windows\System\PAPzQkH.exe
  C:\Windows\System\PAPzQkH.exe
  2⤵
  PID:12788
- C:\Windows\System\YeNtjjS.exe
  C:\Windows\System\YeNtjjS.exe
  2⤵
  PID:12872
- C:\Windows\System\xLKyGrh.exe
  C:\Windows\System\xLKyGrh.exe
  2⤵
  PID:12896
- C:\Windows\System\YbERtNO.exe
  C:\Windows\System\YbERtNO.exe
  2⤵
  PID:12952
- C:\Windows\System\rtnPJHT.exe
  C:\Windows\System\rtnPJHT.exe
  2⤵
  PID:3120
- C:\Windows\System\hZEEyUI.exe
  C:\Windows\System\hZEEyUI.exe
  2⤵
  PID:13072
- C:\Windows\System\SMHuBCJ.exe
  C:\Windows\System\SMHuBCJ.exe
  2⤵
  PID:13136
- C:\Windows\System\sxyZkgP.exe
  C:\Windows\System\sxyZkgP.exe
  2⤵
  PID:13168
- C:\Windows\System\bdYnmsw.exe
  C:\Windows\System\bdYnmsw.exe
  2⤵
  PID:13224
- C:\Windows\System\lIFTrAt.exe
  C:\Windows\System\lIFTrAt.exe
  2⤵
  PID:12292
- C:\Windows\System\tPxZaML.exe
  C:\Windows\System\tPxZaML.exe
  2⤵
  PID:12412
- C:\Windows\System\AfzDQFs.exe
  C:\Windows\System\AfzDQFs.exe
  2⤵
  PID:12552
- C:\Windows\System\SLZIqRK.exe
  C:\Windows\System\SLZIqRK.exe
  2⤵
  PID:12868
- C:\Windows\System\BpuXRNE.exe
  C:\Windows\System\BpuXRNE.exe
  2⤵
  PID:3820
- C:\Windows\System\ujpHEAa.exe
  C:\Windows\System\ujpHEAa.exe
  2⤵
  PID:13052
- C:\Windows\System\yrufYiE.exe
  C:\Windows\System\yrufYiE.exe
  2⤵
  PID:12312
- C:\Windows\System\zWGLRLY.exe
  C:\Windows\System\zWGLRLY.exe
  2⤵
  PID:12464
- C:\Windows\System\BjrwTzn.exe
  C:\Windows\System\BjrwTzn.exe
  2⤵
  PID:12996
- C:\Windows\System\gYgDxld.exe
  C:\Windows\System\gYgDxld.exe
  2⤵
  PID:12508
- C:\Windows\System\tIqrNRj.exe
  C:\Windows\System\tIqrNRj.exe
  2⤵
  PID:13064
- C:\Windows\System\PxnrQBL.exe
  C:\Windows\System\PxnrQBL.exe
  2⤵
  PID:13316
- C:\Windows\System\hXPqWUQ.exe
  C:\Windows\System\hXPqWUQ.exe
  2⤵
  PID:13348
- C:\Windows\System\ytTnAfv.exe
  C:\Windows\System\ytTnAfv.exe
  2⤵
  PID:13364
- C:\Windows\System\yOWTlga.exe
  C:\Windows\System\yOWTlga.exe
  2⤵
  PID:13388

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:14124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ftf4eckh.hgm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\EtvWrAU.exe

Filesize
2.8MB

MD5
29f9b2520c571c7e6055922a1bde43b5

SHA1
5055a9c3c1c7f6b3506fc386603b8ef778a8678c

SHA256
e348b3cb5ba008290e119c67611e81e6d02852ea5c738fd7c4c791507090ef88

SHA512
bcaa660e33070b784ddab127c547d99d22c22f4206f582e02fa030a87a38bb9af46aca67f7c020dc5977f85d9c9bf47fea3836603d3a95553c3a4cadc480ff8e

Download Submit
C:\Windows\System\FsQLIYo.exe

Filesize
2.8MB

MD5
5c6a30f8c4f2020822552a419b05e251

SHA1
80115a003082a5d7f5e48906669d29b44c14611a

SHA256
b91bdfdc01d645b647481bc5ff17d255801bca1d51f3ae242c444ccff772bf6a

SHA512
582498617be1b5b09410febb1fcfd5b5ec5e4414ea906d981f2f70bff8c676312f5ac38c844f7a746885614a161a3f87306000338deb8497ee7f6d3569f9218c

Download Submit
C:\Windows\System\HLqpGTe.exe

Filesize
2.8MB

MD5
0b2963656f882de2d22370000bbbeafe

SHA1
baf01dfcc5a99e4d8b627bb46f85b2322ab4baef

SHA256
87a47d5d88bade7074d414c938058774de3eec9d9d8586d911b2a6b4cbda839c

SHA512
f13e40f05c2b171c222d28725035dee630a8b19331b4c17968f9dbc83f36cf16b70c561f8d296785ddc04b9f231ca3991a670ae35d45a1354036fd53ff3919a0

Download Submit
C:\Windows\System\IXoWXXI.exe

Filesize
2.8MB

MD5
4ebdee3d12f709179796c1c7f247f60d

SHA1
de1fdde7cec1e1617dfb3ca0941644831c803b3d

SHA256
807d984ef3148896dc9695784409a9a7f5f248ab0ba89b02240e9f33684eb562

SHA512
8d5f58efa13fdb8087231137f69d7a05a2cb72f2aca198b5e8ea52ce0fbbb1149eaaf71606fa46f6145f2c57349e505a5984caeee80529eeb55fdae10c202371

Download Submit
C:\Windows\System\IaxjktV.exe

Filesize
2.8MB

MD5
1280bcc2030e72769a25fb5a25f2ddfa

SHA1
c9c21ce9844c6e74af9f2cac6f59cf4ad4d33e4c

SHA256
66303d68cc5e3e3545ac8143857fd2026c74ca05ca60b96c2038306a6c22ac95

SHA512
11d7cc4820961674d8e5b483c3bb07ab7e167e7818fbb7cd80ebd8fe56900ba912ff01d4667cd8115ac6f849fb83bc775cdc87856ff6bfec2be2b73b79dff60a

Download Submit
C:\Windows\System\JsUkwdC.exe

Filesize
2.8MB

MD5
5752dd6b9e2a37d9a81d3c7250bafd42

SHA1
593e0d5006908ef19719f4895e839fd90a9f77ad

SHA256
48e3812f4f0b64b72183b733ec9807185a996d6cd7f2912c284b37f9b6626df7

SHA512
74eeda56d3d582573120f834d6b2332ce939049c67879d472a44d2dbd0f203eff501faa6a657a447bd73bc214d8b8e92050a07c169d20d0331ba8632d18b248b

Download Submit
C:\Windows\System\KBTRlTX.exe

Filesize
2.8MB

MD5
8f1a7015a9e74be82753ff85c5771a06

SHA1
9e92f9c4f0741c30ff8ed382a025ffb6cbea1d58

SHA256
a364497e210360f372939f946dabf852b395ee8af685969c39444a3eb33c9112

SHA512
29263929b3d01e0d4eb99dc5bd57099c621a9e8caa57d3b7e96d134098e74f1835e7ec00668ae1ae874c1609309d4c80efdeb3f59c8ac00c880e59bd7c5bd671

Download Submit
C:\Windows\System\QIcUEhE.exe

Filesize
2.8MB

MD5
1b0a465f6df8ab90d83324b00ffcbc07

SHA1
7df46dba80b750d6433cfecb15c2b69cb521dce2

SHA256
38734942c339c32ee4c3ab54360088a58c08ee051be2662b1ee25258ff6fea2a

SHA512
248e1fee088f597267e09018c9c38dae91d0a391346350fec560a37321bf7e90a390641d57efae120db3731d60be92f723592da0990fdead7c1605deb934077b

Download Submit
C:\Windows\System\RjYMxkJ.exe

Filesize
2.8MB

MD5
c1f2da42672d9eb0f84f8215d206398a

SHA1
024c430a9807e8627b6171ea2a8386343cf27840

SHA256
3129bd952ba2177cc11a8c74411b64ffa6955c2bf2151dc897950cda33133f54

SHA512
2c516bbb0a46bea5495c86888771eb2fc78cf270679dc2f1315a901b8d924cbed7bd1083d6c674e0b6b7646a5a505950c911fa6c109ca6dee006d13479ae4d1d

Download Submit
C:\Windows\System\TNWuPmZ.exe

Filesize
2.8MB

MD5
a65314777c10d917e9fc331d1e0d402c

SHA1
c8ea141e5bf5fa04b3d8ddb02bef156c64cd6069

SHA256
9ed75e7d82133fab12cf732aa9c637d010f1142ee34fe5751ef28cc69faabf10

SHA512
3bba3aff4e5e17ef2f855b9e5f11b0e4dc52833e7d9d30ed12b88929ad28c653eb712936dfe0c7b010608f40b3f3458257e9b7f6b6915c0765b0468c8670ae41

Download Submit
C:\Windows\System\UEZKNhO.exe

Filesize
2.8MB

MD5
29a6edfa52364cb642bf224f009f6f7d

SHA1
5baad951bf36982c049b36c30165b40738fda2fd

SHA256
760b4336d25e3bf367a0134531750fa9ee9788b11cd11ca95d77d0bf3b70a42e

SHA512
a7be0e3644bb81e909d49b9e093a75ad42dd602fafc4d2c89e4602e9adfe96c856b5e642baf50cc7eb412fe433f5bbdccd17da0dbba572687eff975ba240ff6f

Download Submit
C:\Windows\System\UOrlmCS.exe

Filesize
2.8MB

MD5
c7403d77b20995c638148e02955d95f8

SHA1
bc2452d034a709a53926497fc15d4960b2f674ef

SHA256
d3b905b64095df54a02db378e373cd203db99d79586933c17dbed87fde0f7939

SHA512
88c80f35777cf6847fad3c58017e89aeabe37a16301e28c4f24ffcb5e3e21eea06e476ede7164fa0fb46cedf97a338117d329efe88e5eff7ace04f22b8a4ace2

Download Submit
C:\Windows\System\YmTHTyc.exe

Filesize
2.8MB

MD5
9fb4754ee5cc26c2c6630bd26835268f

SHA1
354bcd7f319179d7db6e63b18818a96e19129c29

SHA256
dc90684669d8e952bacb35e9c5501bbf642a9b47e17b688622c89202d4c64c78

SHA512
9a70fea7fe8a78f7ded90a4f83232897e2977794f290ab7cdd828476afc83a1ab30aec2b65cd8938bb0970d64ca3c8553d170fd2a2efb506914077d589d9cdd6

Download Submit
C:\Windows\System\ZTCVVYI.exe

Filesize
2.8MB

MD5
2259ae83f4373959c553f50c2b8b32a4

SHA1
a82b6f336d78922f807b869809782495ce60b14b

SHA256
22953c88f589b914e985d769deb3071f154d5d571eb5027bef63940752ca73fc

SHA512
997fe406923b647b916684112ad4e0b70d6c032f84fae6b7a82569626a4724f7e5aa70ab6a51bd9f9a0c8f22a2d78ac86199a92c20ef5273104ae54860f633d1

Download Submit
C:\Windows\System\aselGGA.exe

Filesize
2.8MB

MD5
0d81907db0f72aaf70aa877db847dfeb

SHA1
4171114085aa9eeaee359cfb42c95975b1604da4

SHA256
683cb126766333bf4ec9e57436e059305bcc3f74db2c68fe09593591c53b83da

SHA512
3c4621922d4429163ac0cb6f30ba930265beddc3fcc16fb3620903cb74d1d341d181d60a90a5467fca052b7b9385e9edf688b54ac22bcd369c94597494ea31fc

Download Submit
C:\Windows\System\brLWrkx.exe

Filesize
2.8MB

MD5
880125f5d6ea8ad7507d8e8ef538a9f6

SHA1
43fdbbb5df4d74355c81552f7e9b50d436f2562c

SHA256
4206f66e13d040ed7e5226b005d62083be1000d665ead5e6fc69993bc1752b35

SHA512
d0fca4db808cae71ff5c9035b37cf717b594534feef2c154de98b4e95fc80be25120a042648fdcff32e72d340e0bdcbf59fecc1300c67217f771559c443ceb72

Download Submit
C:\Windows\System\cDtylCd.exe

Filesize
2.8MB

MD5
33e5696c62be30bde49e0532024c19a5

SHA1
88dc1407514e3ba9b9b01a09ede4eb9faed1707e

SHA256
8bc37fff247cb08da82caee81f31f6ad36e6743b74de9ebaa7549f2d2d552cf2

SHA512
c38d4d1690507aa8666d4f1f73a0c4720f60f3fb777a3a8c4e0e273d87b86435fd40b51294c40e8e5306462b45513aa214b76d7428dcc8f29dea718efd65a567

Download Submit
C:\Windows\System\cuIlAtB.exe

Filesize
2.8MB

MD5
ea69bb7c8b7b6b7b6344a83c1b686925

SHA1
18de7fa90bfdd2d6d26dc88b663948d39bea64ce

SHA256
8cd751eb9e1ae709c72a18758e28464adcaba1125dbed1aea1b793a1ceb0fde6

SHA512
a6c55b0c44a6705685d3551c18df5681380a0e0be7505ff0e435b88f03917258646ed244b00d4ec8f196fd9cbd661f125be97a8845aaa748972b2c96ee3d9e51

Download Submit
C:\Windows\System\eONuplI.exe

Filesize
2.8MB

MD5
1f5c1b55cb69b77186f905120ef37f3e

SHA1
60301a4ec6c91d9871ddf169c52124563d4cc0c7

SHA256
a717b92dec4da666930bafbf3ff4faf0fc42676886e9643fbe52d13bf3c12294

SHA512
122b6edbac68ea287cdb23c792c427cf5b34e45a76905439d86f518cc7d341b5bf4db0ae03028fbf40ce0821dad300bf7d8ea399b53af08a3194b35008a49a46

Download Submit
C:\Windows\System\eVstPwp.exe

Filesize
2.8MB

MD5
07e772c0b92d2924825e79dd3203b9a8

SHA1
344e88b381e7cab7b35951a06a20a69d059f08b8

SHA256
a61808c91546c650b31f84f1f49f25c4efa9e1c02cad81f82e7ee82e883d768f

SHA512
ba011942a1fbbf6ef82ee6a68bcd10f2d616bc270430dfeec9b33f30974e2bfcb99bcd98465cc68118dd0d23aec42ed5fb99defddb6dcc5400eccb83807b2a6a

Download Submit
C:\Windows\System\fDMWcIR.exe

Filesize
2.8MB

MD5
2fba17b5d52429a46c9242f5f28c8f37

SHA1
084283559c8482ef61cfc0be3d5f30d477d3388b

SHA256
ac8225445b47e2aa6d457bc38145c1c9ee4fbaf444b0b98e6b81e64109e05063

SHA512
f4de489992a627668e7f8e80e7c8451ac591449611554ce48161020a2f5bf2013e9e2d8a588aae7873b41310096127187150c9925a5086acb0ac6b5901ae9f08

Download Submit
C:\Windows\System\jJVdPwR.exe

Filesize
2.8MB

MD5
5e5659f53173c397f6896ba09da64b90

SHA1
e5bed918b92a691ebca4ed6700bf5f4763491e81

SHA256
bd4f4a4b38e1c3ffe58458bdbbad370c435ffb565e93d525c9e60f1355b39071

SHA512
e0fa08f77c2aa12b5fe4627aaf5df6a0952c1c0fe7a4e9b3131ac64a72c9bd0d9409d4d782f4ed6a750d7f50a265ef1dc97bb0b743d3400f69d47cf60522ccdf

Download Submit
C:\Windows\System\lwSDbRz.exe

Filesize
2.8MB

MD5
1c35bc370560cf2df99c4e48b990db6b

SHA1
ca6abc5e7009b2bcafa84f35cdb1c7a7d0d83946

SHA256
d2374cecda509a1669a0fa5347d13c09217be433155f1d89a4a0e0888adb1354

SHA512
86c6d176b946dc4fb055ec58b22f6aef6255e19f45a2ebbc80aefdda667630e27217abb0b0708de193bd5571e0a5d9a6d9414077552db3c2aab1cd5c46f0a3ea

Download Submit
C:\Windows\System\mHlMkbT.exe

Filesize
2.8MB

MD5
0f644192f7f684eeaf23f73af7dc78f0

SHA1
19464140df5ce2d5b466154dc775ac42c67af9d7

SHA256
3e2720dbcb9e435d5982ff183ccd9c2ff000d2e9e76dfac389bc81c857039f7c

SHA512
a95c0a5d9723900b397f8284a9595d0d8c776e7f4f5b046981b5412825006a2caf8cef23530327e59e76faf273f44d9dd8a3763170a0e627f7ebd11b75e74948

Download Submit
C:\Windows\System\pcifPhB.exe

Filesize
2.8MB

MD5
b3bb0bc1b26ce16bcf828e832dc3d49c

SHA1
027a7f88c91a72f11b3f3a6bda3a6e78d711c8a5

SHA256
a420affba9c427e4667298f623807ff95f21636defd4bb786128370ca6676231

SHA512
90c6191e17f7786fc99737eb67d15281d790761ed4c9a30721fce2efc4e1c3be5325e1341a8b137997aa554a9f96c6824bd793c262ee726a538c1e9e0d9ce65c

Download Submit
C:\Windows\System\puUhpyw.exe

Filesize
2.8MB

MD5
06644d13fa64ba66e115998f1c16a8b1

SHA1
f7f62cd035d2646a5b86f76446b6dc56726eede9

SHA256
1a1c8b8b6e3103afe0b02bb0934bc9df1468b5053a84725c8b57159cfa0b17ce

SHA512
9ffee2d4e2992134592683f83df18d2506cfca0af780135cc253b241b05d1093b2737e77d028c67eab15cc2228d28a6ed0fec82fa53757b6b25fd0b5eff8cb59

Download Submit
C:\Windows\System\pxVRMVX.exe

Filesize
2.8MB

MD5
24ee43d5fe12fa6f4587a2bfb8f6c42c

SHA1
bd55511f717b5d44cef73d5f44487619a6e86f09

SHA256
d45334540ada0941b0f9fdf84700570c4b576be82898de21c424458912e80393

SHA512
beaa58ff2286696572a5b493c510ad813082d92c2e7a5cd7610e3c062b8f709f088835f1ca35d81411bbd69abbc3b4295c562076e47f8ea794fd22804a7a0bf6

Download Submit
C:\Windows\System\qMOXeaQ.exe

Filesize
2.8MB

MD5
bbc04dd71bb192a99577b90b7a46bd4d

SHA1
5c1d1bdf95711154ce800a69b97f559d22966671

SHA256
7f20052b8f32e21e263e4d376b459d8abf7c90b0ab7a743d1174774ec9eb4d39

SHA512
44175633ad12773313d4604f4545aaea245fe3e512df7af37627f985dc4d00569603c53aed87f9b944e1e5a9c41cd402e49b539b1d1fc4102a5ca68748608a91

Download Submit
C:\Windows\System\sapNATC.exe

Filesize
2.8MB

MD5
f7efbaa70af97fecaf3017dba8c3f1c4

SHA1
b8aa67f59f38d11a0853cbeb84ff374830e96444

SHA256
0f1057ed9890eedf251ca2e6392fb0973d6fe305d154b7a48a14c30acd573eb8

SHA512
559a1543f796352449de10a976c48c5c050c25681c373e266278e74b62a957335d013c426b98f419865315d09733749c0b65334bd9978ac513a1952ed080a7c3

Download Submit
C:\Windows\System\xYqkHcY.exe

Filesize
2.8MB

MD5
87d6c9cba9618b2bff7d69f5dd770123

SHA1
b8cd30ae256db23846ad3dab6e4be0d15b6cef9f

SHA256
c0cacfc5f664e99978f03233e4eeb2882c4d25d9f036c24213d583704119c797

SHA512
35b2f2fef49167fa1e749e490c275a9fbde6f8bfc8380bf4a1ba6bf32ea8bd87bd83a20b4dad98be2345f3471c03d58c5a1bc1faf45f2dbf511b75cb2cb068ff

Download Submit
C:\Windows\System\yQpxdBa.exe

Filesize
2.8MB

MD5
22e217919c3f3bfbbc03c181dce8c81d

SHA1
b1c13c289b8274386b66063c8ac3291842a86f74

SHA256
fda404d53d9a408baa209d349198e278f400c313c17c2056f985301ece6c28e0

SHA512
ee35183bc45df166ec053617f23194f6350369d7248409d3f48c58cada8e33c798cce9c0e541b1879f0af377e8cd5568bc0c3566c593403f3d60f75f42a23432

Download Submit
C:\Windows\System\yasLjCJ.exe

Filesize
2.8MB

MD5
38e0831a027847af9f8193b8994ebe03

SHA1
aaec4af61101269c70a1bd0da04f14402e0e5e46

SHA256
4900df820edf133b28b6dfd51c5a5dd965cc86b03c8ba4b0b6f741bb61534d2d

SHA512
46059ac07fc81663a97fee9429a72722f57efc85b823ce56b88df63ee7d152bc8be639abdec8d9d72f5c6ec5641721d2999022a5e819d91418e3b92ac3848df0

Download Submit
C:\Windows\System\zuahkPO.exe

Filesize
2.8MB

MD5
687441f87c1b445991ed50791522512d

SHA1
da46c580f63471472067af67a3bcc33864f53fcc

SHA256
ba57575f0457a0e6e9a3b639fe477e46f7d5a8290704e54481127871cd854226

SHA512
c10cf08e021a292cc015c8633a1fcb64c7e5af3980131c0a6cee909e6a2435bf335a38b9bd9addaebb828becc26df9407f690dcd3a56b0a7f547a1a6f4a070ba

Download Submit
memory/556-568-0x00007FF7E62E0000-0x00007FF7E66D6000-memory.dmp

Filesize
4.0MB

Download
memory/556-2138-0x00007FF7E62E0000-0x00007FF7E66D6000-memory.dmp

Filesize
4.0MB

Download
memory/568-1177-0x00007FF6466C0000-0x00007FF646AB6000-memory.dmp

Filesize
4.0MB

Download
memory/568-2130-0x00007FF6466C0000-0x00007FF646AB6000-memory.dmp

Filesize
4.0MB

Download
memory/568-53-0x00007FF6466C0000-0x00007FF646AB6000-memory.dmp

Filesize
4.0MB

Download
memory/736-2124-0x00007FF6319C0000-0x00007FF631DB6000-memory.dmp

Filesize
4.0MB

Download
memory/736-109-0x00007FF6319C0000-0x00007FF631DB6000-memory.dmp

Filesize
4.0MB

Download
memory/736-2142-0x00007FF6319C0000-0x00007FF631DB6000-memory.dmp

Filesize
4.0MB

Download
memory/808-2139-0x00007FF79DC90000-0x00007FF79E086000-memory.dmp

Filesize
4.0MB

Download
memory/808-567-0x00007FF79DC90000-0x00007FF79E086000-memory.dmp

Filesize
4.0MB

Download
memory/964-2135-0x00007FF665290000-0x00007FF665686000-memory.dmp

Filesize
4.0MB

Download
memory/964-93-0x00007FF665290000-0x00007FF665686000-memory.dmp

Filesize
4.0MB

Download
memory/964-2123-0x00007FF665290000-0x00007FF665686000-memory.dmp

Filesize
4.0MB

Download
memory/1020-566-0x00007FF7D5670000-0x00007FF7D5A66000-memory.dmp

Filesize
4.0MB

Download
memory/1020-2141-0x00007FF7D5670000-0x00007FF7D5A66000-memory.dmp

Filesize
4.0MB

Download
memory/1104-1455-0x00007FF66D350000-0x00007FF66D746000-memory.dmp

Filesize
4.0MB

Download
memory/1104-2131-0x00007FF66D350000-0x00007FF66D746000-memory.dmp

Filesize
4.0MB

Download
memory/1104-55-0x00007FF66D350000-0x00007FF66D746000-memory.dmp

Filesize
4.0MB

Download
memory/1464-2137-0x00007FF684EA0000-0x00007FF685296000-memory.dmp

Filesize
4.0MB

Download
memory/1464-569-0x00007FF684EA0000-0x00007FF685296000-memory.dmp

Filesize
4.0MB

Download
memory/1572-594-0x00007FF720FA0000-0x00007FF721396000-memory.dmp

Filesize
4.0MB

Download
memory/1572-2140-0x00007FF720FA0000-0x00007FF721396000-memory.dmp

Filesize
4.0MB

Download
memory/1604-47-0x00007FF726BD0000-0x00007FF726FC6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-2128-0x00007FF726BD0000-0x00007FF726FC6000-memory.dmp

Filesize
4.0MB

Download
memory/1632-2129-0x00007FF7DF240000-0x00007FF7DF636000-memory.dmp

Filesize
4.0MB

Download
memory/1632-54-0x00007FF7DF240000-0x00007FF7DF636000-memory.dmp

Filesize
4.0MB

Download
memory/1888-77-0x00007FF753E80000-0x00007FF754276000-memory.dmp

Filesize
4.0MB

Download
memory/1888-2101-0x00007FF753E80000-0x00007FF754276000-memory.dmp

Filesize
4.0MB

Download
memory/1888-2133-0x00007FF753E80000-0x00007FF754276000-memory.dmp

Filesize
4.0MB

Download
memory/2012-579-0x00007FF6D0CB0000-0x00007FF6D10A6000-memory.dmp

Filesize
4.0MB

Download
memory/2012-0-0x00007FF6D0CB0000-0x00007FF6D10A6000-memory.dmp

Filesize
4.0MB

Download
memory/2012-1-0x000001EDF4DE0000-0x000001EDF4DF0000-memory.dmp

Filesize
64KB

Download
memory/2032-583-0x00007FF77B680000-0x00007FF77BA76000-memory.dmp

Filesize
4.0MB

Download
memory/2032-2136-0x00007FF77B680000-0x00007FF77BA76000-memory.dmp

Filesize
4.0MB

Download
memory/2204-2147-0x00007FF61A750000-0x00007FF61AB46000-memory.dmp

Filesize
4.0MB

Download
memory/2204-571-0x00007FF61A750000-0x00007FF61AB46000-memory.dmp

Filesize
4.0MB

Download
memory/2212-588-0x00007FF665BC0000-0x00007FF665FB6000-memory.dmp

Filesize
4.0MB

Download
memory/2212-2144-0x00007FF665BC0000-0x00007FF665FB6000-memory.dmp

Filesize
4.0MB

Download
memory/2552-572-0x00007FF795400000-0x00007FF7957F6000-memory.dmp

Filesize
4.0MB

Download
memory/2552-2146-0x00007FF795400000-0x00007FF7957F6000-memory.dmp

Filesize
4.0MB

Download
memory/2700-65-0x00007FF692F90000-0x00007FF693386000-memory.dmp

Filesize
4.0MB

Download
memory/2700-2132-0x00007FF692F90000-0x00007FF693386000-memory.dmp

Filesize
4.0MB

Download
memory/2888-12-0x00007FF710400000-0x00007FF7107F6000-memory.dmp

Filesize
4.0MB

Download
memory/2888-2125-0x00007FF710400000-0x00007FF7107F6000-memory.dmp

Filesize
4.0MB

Download
memory/3228-2100-0x00007FF676EB0000-0x00007FF6772A6000-memory.dmp

Filesize
4.0MB

Download
memory/3228-2143-0x00007FF676EB0000-0x00007FF6772A6000-memory.dmp

Filesize
4.0MB

Download
memory/3228-73-0x00007FF676EB0000-0x00007FF6772A6000-memory.dmp

Filesize
4.0MB

Download
memory/3444-2134-0x00007FF69BA30000-0x00007FF69BE26000-memory.dmp

Filesize
4.0MB

Download
memory/3444-70-0x00007FF69BA30000-0x00007FF69BE26000-memory.dmp

Filesize
4.0MB

Download
memory/3444-2082-0x00007FF69BA30000-0x00007FF69BE26000-memory.dmp

Filesize
4.0MB

Download
memory/3496-107-0x00000169B6DE0000-0x00000169B7586000-memory.dmp

Filesize
7.6MB

Download
memory/3496-900-0x00007FFDAAF20000-0x00007FFDAB9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-5-0x00007FFDAAF23000-0x00007FFDAAF25000-memory.dmp

Filesize
8KB

Download
memory/3496-26-0x00000169B3FC0000-0x00000169B3FE2000-memory.dmp

Filesize
136KB

Download
memory/3496-42-0x00007FFDAAF20000-0x00007FFDAB9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-871-0x00007FFDAAF23000-0x00007FFDAAF25000-memory.dmp

Filesize
8KB

Download
memory/3496-28-0x00007FFDAAF20000-0x00007FFDAB9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3496-882-0x00007FFDAAF20000-0x00007FFDAB9E1000-memory.dmp

Filesize
10.8MB

Download
memory/3980-38-0x00007FF613950000-0x00007FF613D46000-memory.dmp

Filesize
4.0MB

Download
memory/3980-2126-0x00007FF613950000-0x00007FF613D46000-memory.dmp

Filesize
4.0MB

Download
memory/4368-573-0x00007FF792000000-0x00007FF7923F6000-memory.dmp

Filesize
4.0MB

Download
memory/4368-2148-0x00007FF792000000-0x00007FF7923F6000-memory.dmp

Filesize
4.0MB

Download
memory/4384-570-0x00007FF7CDAC0000-0x00007FF7CDEB6000-memory.dmp

Filesize
4.0MB

Download
memory/4384-2145-0x00007FF7CDAC0000-0x00007FF7CDEB6000-memory.dmp

Filesize
4.0MB

Download
memory/4604-44-0x00007FF6C55D0000-0x00007FF6C59C6000-memory.dmp

Filesize
4.0MB

Download
memory/4604-2127-0x00007FF6C55D0000-0x00007FF6C59C6000-memory.dmp

Filesize
4.0MB

Download