xmrig | ec3a833ac3e6ef8fc39398374aa773f4edcf8b985f67b13ba335c04e4ad1e91e

Analysis

max time kernel
121s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 04:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
Size

2.6MB
MD5

a5909f58d248503d9f1564ae44633e30
SHA1

beee61e23375b8148a53f39df26b565a37e03b26
SHA256

ec3a833ac3e6ef8fc39398374aa773f4edcf8b985f67b13ba335c04e4ad1e91e
SHA512

98119889fd49cb82acde958579f2688ade36b23a9112d1c941a7ca7cb876e7886cf33e299756f0b8027b9df0adf225dd4631f1c0338ae2d49ad869b0a262bd1e
SSDEEP

49152:71G1NtyBwTI3ySZbrkXV1etEKLlWUTOfeiRA2R76zHrWax9hMkHC0IlnASEx/R2D:71ONtyBeSFkXV1etEKLlWUTOfeiRA2R5

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1312-0-0x00007FF704380000-0x00007FF704776000-memory.dmp	xmrig
C:\Windows\System\eCWwUht.exe	xmrig
C:\Windows\System\czkTKCh.exe	xmrig
C:\Windows\System\OHeMOjl.exe	xmrig
C:\Windows\System\iBfBSuj.exe	xmrig
C:\Windows\System\UwNhjYH.exe	xmrig
C:\Windows\System\fdPCIEj.exe	xmrig
C:\Windows\System\cpjmhld.exe	xmrig
C:\Windows\System\VkCKSeg.exe	xmrig
behavioral2/memory/3292-123-0x00007FF664CD0000-0x00007FF6650C6000-memory.dmp	xmrig
behavioral2/memory/4048-135-0x00007FF7D8470000-0x00007FF7D8866000-memory.dmp	xmrig
behavioral2/memory/4176-138-0x00007FF6961A0000-0x00007FF696596000-memory.dmp	xmrig
behavioral2/memory/1324-143-0x00007FF67D1E0000-0x00007FF67D5D6000-memory.dmp	xmrig
behavioral2/memory/3916-147-0x00007FF738CA0000-0x00007FF739096000-memory.dmp	xmrig
behavioral2/memory/3932-146-0x00007FF72B8D0000-0x00007FF72BCC6000-memory.dmp	xmrig
behavioral2/memory/636-145-0x00007FF7551E0000-0x00007FF7555D6000-memory.dmp	xmrig
behavioral2/memory/1704-144-0x00007FF663450000-0x00007FF663846000-memory.dmp	xmrig
behavioral2/memory/5076-142-0x00007FF70B1F0000-0x00007FF70B5E6000-memory.dmp	xmrig
behavioral2/memory/4232-141-0x00007FF761400000-0x00007FF7617F6000-memory.dmp	xmrig
behavioral2/memory/2120-140-0x00007FF7AF2E0000-0x00007FF7AF6D6000-memory.dmp	xmrig
behavioral2/memory/4916-139-0x00007FF764270000-0x00007FF764666000-memory.dmp	xmrig
behavioral2/memory/4776-137-0x00007FF6813F0000-0x00007FF6817E6000-memory.dmp	xmrig
behavioral2/memory/3212-136-0x00007FF611DD0000-0x00007FF6121C6000-memory.dmp	xmrig
behavioral2/memory/2984-134-0x00007FF7A7000000-0x00007FF7A73F6000-memory.dmp	xmrig
behavioral2/memory/1548-122-0x00007FF7CC1D0000-0x00007FF7CC5C6000-memory.dmp	xmrig
C:\Windows\System\PbOtelH.exe	xmrig
C:\Windows\System\jIvOeUG.exe	xmrig
behavioral2/memory/2088-114-0x00007FF6FFC40000-0x00007FF700036000-memory.dmp	xmrig
behavioral2/memory/1932-113-0x00007FF7C6910000-0x00007FF7C6D06000-memory.dmp	xmrig
C:\Windows\System\hulHfJc.exe	xmrig
C:\Windows\System\FtIyfYF.exe	xmrig
C:\Windows\System\cNeaHxI.exe	xmrig
C:\Windows\System\VSuuztE.exe	xmrig
C:\Windows\System\DyxbCrN.exe	xmrig
C:\Windows\System\DzLvDJG.exe	xmrig
C:\Windows\System\oLMIAWV.exe	xmrig
C:\Windows\System\udCAnmY.exe	xmrig
C:\Windows\System\tHIewgN.exe	xmrig
behavioral2/memory/3000-60-0x00007FF775840000-0x00007FF775C36000-memory.dmp	xmrig
C:\Windows\System\FtpofRw.exe	xmrig
behavioral2/memory/3444-38-0x00007FF7A6470000-0x00007FF7A6866000-memory.dmp	xmrig
C:\Windows\System\jSKSdUl.exe	xmrig
behavioral2/memory/1056-22-0x00007FF678E30000-0x00007FF679226000-memory.dmp	xmrig
C:\Windows\System\RzAVlas.exe	xmrig
behavioral2/memory/1568-11-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp	xmrig
C:\Windows\System\wpxqeMH.exe	xmrig
C:\Windows\System\gkbVerJ.exe	xmrig
C:\Windows\System\pOGNlGe.exe	xmrig
C:\Windows\System\cLTJRqZ.exe	xmrig
C:\Windows\System\EIqJqsa.exe	xmrig
behavioral2/memory/2232-179-0x00007FF6B02F0000-0x00007FF6B06E6000-memory.dmp	xmrig
C:\Windows\System\kjnFZdM.exe	xmrig
C:\Windows\System\WIJdMrG.exe	xmrig
behavioral2/memory/4604-155-0x00007FF7E0360000-0x00007FF7E0756000-memory.dmp	xmrig
C:\Windows\System\FxuvWwP.exe	xmrig
C:\Windows\System\uCmJbsh.exe	xmrig
C:\Windows\System\tsjXMxY.exe	xmrig
behavioral2/memory/1568-2268-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp	xmrig
behavioral2/memory/1056-2270-0x00007FF678E30000-0x00007FF679226000-memory.dmp	xmrig
behavioral2/memory/4604-2273-0x00007FF7E0360000-0x00007FF7E0756000-memory.dmp	xmrig
behavioral2/memory/1568-2274-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp	xmrig
behavioral2/memory/3444-2275-0x00007FF7A6470000-0x00007FF7A6866000-memory.dmp	xmrig
behavioral2/memory/1056-2276-0x00007FF678E30000-0x00007FF679226000-memory.dmp	xmrig
behavioral2/memory/3000-2277-0x00007FF775840000-0x00007FF775C36000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

Processes:

powershell.exe

flow pid process

9 4872 powershell.exe
11 4872 powershell.exe
16 4872 powershell.exe
17 4872 powershell.exe
22 4872 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4872 powershell.exe

flow	pid	process
9	4872	powershell.exe
11	4872	powershell.exe
16	4872	powershell.exe
17	4872	powershell.exe
22	4872	powershell.exe

pid	process
4872	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

eCWwUht.exejSKSdUl.exeRzAVlas.execzkTKCh.exeFtpofRw.exeiBfBSuj.exeOHeMOjl.exeudCAnmY.exeoLMIAWV.exetHIewgN.exefdPCIEj.exeFtIyfYF.exeDzLvDJG.exeDyxbCrN.exeUwNhjYH.exeVSuuztE.exehulHfJc.execNeaHxI.execpjmhld.exejIvOeUG.exePbOtelH.exeVkCKSeg.exewpxqeMH.exeWIJdMrG.exegkbVerJ.exekjnFZdM.exeEIqJqsa.exepOGNlGe.execLTJRqZ.exeFxuvWwP.exeuCmJbsh.exetsjXMxY.exeJkXXlMZ.exeeEQsbDI.exeLZbwRKr.exeeoGaWgP.execTxoIvA.exeHMEjKTF.exesHrWFHl.exegiwwQyV.exetDDOEcZ.exeXQcYlIw.exeihfIiiI.exeQPXbIjN.exedeAolWw.exeuCGwcLr.exeacVKOgg.exeewsEOSD.exenhXIuzj.exegrbBBQG.exeIMOjyPc.exehAIMwuH.exelHOJEjv.exeJGNWzNx.exeQCrvZcE.exefCEADaU.exePSyEsuV.exectNybSR.exetBlDsFr.exegWWoITj.exeicmkEti.exeimibCKR.exehlYeoUW.exeVwYuMOn.exe

pid	process
1568	eCWwUht.exe
1056	jSKSdUl.exe
3444	RzAVlas.exe
3000	czkTKCh.exe
636	FtpofRw.exe
1932	iBfBSuj.exe
2088	OHeMOjl.exe
3932	udCAnmY.exe
1548	oLMIAWV.exe
3292	tHIewgN.exe
2984	fdPCIEj.exe
3916	FtIyfYF.exe
4048	DzLvDJG.exe
3212	DyxbCrN.exe
4776	UwNhjYH.exe
4176	VSuuztE.exe
4916	hulHfJc.exe
2120	cNeaHxI.exe
4232	cpjmhld.exe
5076	jIvOeUG.exe
1324	PbOtelH.exe
1704	VkCKSeg.exe
4604	wpxqeMH.exe
2232	WIJdMrG.exe
3680	gkbVerJ.exe
2728	kjnFZdM.exe
2224	EIqJqsa.exe
4212	pOGNlGe.exe
4572	cLTJRqZ.exe
4692	FxuvWwP.exe
5112	uCmJbsh.exe
548	tsjXMxY.exe
2732	JkXXlMZ.exe
4504	eEQsbDI.exe
4508	LZbwRKr.exe
2016	eoGaWgP.exe
2636	cTxoIvA.exe
3988	HMEjKTF.exe
1524	sHrWFHl.exe
4296	giwwQyV.exe
2664	tDDOEcZ.exe
5084	XQcYlIw.exe
2284	ihfIiiI.exe
3124	QPXbIjN.exe
4272	deAolWw.exe
4936	uCGwcLr.exe
4900	acVKOgg.exe
4728	ewsEOSD.exe
2448	nhXIuzj.exe
892	grbBBQG.exe
4612	IMOjyPc.exe
1992	hAIMwuH.exe
4928	lHOJEjv.exe
3584	JGNWzNx.exe
3400	QCrvZcE.exe
4740	fCEADaU.exe
2424	PSyEsuV.exe
3744	ctNybSR.exe
4628	tBlDsFr.exe
3376	gWWoITj.exe
4552	icmkEti.exe
3972	imibCKR.exe
4532	hlYeoUW.exe
4756	VwYuMOn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1312-0-0x00007FF704380000-0x00007FF704776000-memory.dmp	upx
C:\Windows\System\eCWwUht.exe	upx
C:\Windows\System\czkTKCh.exe	upx
C:\Windows\System\OHeMOjl.exe	upx
C:\Windows\System\iBfBSuj.exe	upx
C:\Windows\System\UwNhjYH.exe	upx
C:\Windows\System\fdPCIEj.exe	upx
C:\Windows\System\cpjmhld.exe	upx
C:\Windows\System\VkCKSeg.exe	upx
behavioral2/memory/3292-123-0x00007FF664CD0000-0x00007FF6650C6000-memory.dmp	upx
behavioral2/memory/4048-135-0x00007FF7D8470000-0x00007FF7D8866000-memory.dmp	upx
behavioral2/memory/4176-138-0x00007FF6961A0000-0x00007FF696596000-memory.dmp	upx
behavioral2/memory/1324-143-0x00007FF67D1E0000-0x00007FF67D5D6000-memory.dmp	upx
behavioral2/memory/3916-147-0x00007FF738CA0000-0x00007FF739096000-memory.dmp	upx
behavioral2/memory/3932-146-0x00007FF72B8D0000-0x00007FF72BCC6000-memory.dmp	upx
behavioral2/memory/636-145-0x00007FF7551E0000-0x00007FF7555D6000-memory.dmp	upx
behavioral2/memory/1704-144-0x00007FF663450000-0x00007FF663846000-memory.dmp	upx
behavioral2/memory/5076-142-0x00007FF70B1F0000-0x00007FF70B5E6000-memory.dmp	upx
behavioral2/memory/4232-141-0x00007FF761400000-0x00007FF7617F6000-memory.dmp	upx
behavioral2/memory/2120-140-0x00007FF7AF2E0000-0x00007FF7AF6D6000-memory.dmp	upx
behavioral2/memory/4916-139-0x00007FF764270000-0x00007FF764666000-memory.dmp	upx
behavioral2/memory/4776-137-0x00007FF6813F0000-0x00007FF6817E6000-memory.dmp	upx
behavioral2/memory/3212-136-0x00007FF611DD0000-0x00007FF6121C6000-memory.dmp	upx
behavioral2/memory/2984-134-0x00007FF7A7000000-0x00007FF7A73F6000-memory.dmp	upx
behavioral2/memory/1548-122-0x00007FF7CC1D0000-0x00007FF7CC5C6000-memory.dmp	upx
C:\Windows\System\PbOtelH.exe	upx
C:\Windows\System\jIvOeUG.exe	upx
behavioral2/memory/2088-114-0x00007FF6FFC40000-0x00007FF700036000-memory.dmp	upx
behavioral2/memory/1932-113-0x00007FF7C6910000-0x00007FF7C6D06000-memory.dmp	upx
C:\Windows\System\hulHfJc.exe	upx
C:\Windows\System\FtIyfYF.exe	upx
C:\Windows\System\cNeaHxI.exe	upx
C:\Windows\System\VSuuztE.exe	upx
C:\Windows\System\DyxbCrN.exe	upx
C:\Windows\System\DzLvDJG.exe	upx
C:\Windows\System\oLMIAWV.exe	upx
C:\Windows\System\udCAnmY.exe	upx
C:\Windows\System\tHIewgN.exe	upx
behavioral2/memory/3000-60-0x00007FF775840000-0x00007FF775C36000-memory.dmp	upx
C:\Windows\System\FtpofRw.exe	upx
behavioral2/memory/3444-38-0x00007FF7A6470000-0x00007FF7A6866000-memory.dmp	upx
C:\Windows\System\jSKSdUl.exe	upx
behavioral2/memory/1056-22-0x00007FF678E30000-0x00007FF679226000-memory.dmp	upx
C:\Windows\System\RzAVlas.exe	upx
behavioral2/memory/1568-11-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp	upx
C:\Windows\System\wpxqeMH.exe	upx
C:\Windows\System\gkbVerJ.exe	upx
C:\Windows\System\pOGNlGe.exe	upx
C:\Windows\System\cLTJRqZ.exe	upx
C:\Windows\System\EIqJqsa.exe	upx
behavioral2/memory/2232-179-0x00007FF6B02F0000-0x00007FF6B06E6000-memory.dmp	upx
C:\Windows\System\kjnFZdM.exe	upx
C:\Windows\System\WIJdMrG.exe	upx
behavioral2/memory/4604-155-0x00007FF7E0360000-0x00007FF7E0756000-memory.dmp	upx
C:\Windows\System\FxuvWwP.exe	upx
C:\Windows\System\uCmJbsh.exe	upx
C:\Windows\System\tsjXMxY.exe	upx
behavioral2/memory/1568-2268-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp	upx
behavioral2/memory/1056-2270-0x00007FF678E30000-0x00007FF679226000-memory.dmp	upx
behavioral2/memory/4604-2273-0x00007FF7E0360000-0x00007FF7E0756000-memory.dmp	upx
behavioral2/memory/1568-2274-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp	upx
behavioral2/memory/3444-2275-0x00007FF7A6470000-0x00007FF7A6866000-memory.dmp	upx
behavioral2/memory/1056-2276-0x00007FF678E30000-0x00007FF679226000-memory.dmp	upx
behavioral2/memory/3000-2277-0x00007FF775840000-0x00007FF775C36000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 raw.githubusercontent.com
9 raw.githubusercontent.com

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

Processes:

a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\XocVFuh.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\alayXrb.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\lhUxNNu.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\EsFQsIy.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\riwcMBP.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\LvOINUd.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\amhyzdo.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\oLzGSWq.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\okfjUwl.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\LBuuXXA.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\YRSXOCN.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\hYDHEYf.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\lCZaKKs.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\WlvPiYZ.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\FnGJffa.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\MaZfEZt.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\FJJiQZu.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\fGiyCkL.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\pusHksG.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\YmWlyFV.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\kwEhQPk.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\AveEydl.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\ThZSqZY.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\gVXjgYX.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\NowhAEd.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\JcVDUoP.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\eZGuBfQ.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\uoWdfYU.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\XoOLywJ.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\HudSMwF.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\bRgudQh.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\CPfQWrU.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\WMQXNNn.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\ffRgnYD.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\QjJvoTu.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\FALKzzW.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\talmkKH.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\iboGZre.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\rnMvfjz.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\SKZCQLu.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\WbTEXAf.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\ZIbgBxQ.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\BuvZPnu.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\EDzeHGg.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\XCOKcNm.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\nJbXHai.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\apmYrsR.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\XaISFRZ.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\IMOjyPc.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\dxSfWDh.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\upkKVec.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\gpONvjK.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\jOKZTzA.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\RTxqdEh.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\lsIOTRY.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\pPDVJnW.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\XqekOAB.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\mtRsBYI.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\rdjvtgu.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\JWogIVA.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\HnDtakA.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\NXSnpvi.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\XqNzweM.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
File created	C:\Windows\System\gkNSPSW.exe	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

dwm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

Processes:

dwm.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4872 powershell.exe
4872 powershell.exe
4872 powershell.exe

pid	process
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exepowershell.exedwm.exe

description	pid	process
Token: SeLockMemoryPrivilege	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeCreateGlobalPrivilege	12640	dwm.exe
Token: SeChangeNotifyPrivilege	12640	dwm.exe
Token: 33	12640	dwm.exe
Token: SeIncBasePriorityPrivilege	12640	dwm.exe
Token: SeShutdownPrivilege	12640	dwm.exe
Token: SeCreatePagefilePrivilege	12640	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe

description	pid	process	target process
PID 1312 wrote to memory of 4872	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	powershell.exe
PID 1312 wrote to memory of 4872	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	powershell.exe
PID 1312 wrote to memory of 1568	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	eCWwUht.exe
PID 1312 wrote to memory of 1568	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	eCWwUht.exe
PID 1312 wrote to memory of 1056	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	jSKSdUl.exe
PID 1312 wrote to memory of 1056	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	jSKSdUl.exe
PID 1312 wrote to memory of 3444	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	RzAVlas.exe
PID 1312 wrote to memory of 3444	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	RzAVlas.exe
PID 1312 wrote to memory of 3000	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	czkTKCh.exe
PID 1312 wrote to memory of 3000	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	czkTKCh.exe
PID 1312 wrote to memory of 636	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	FtpofRw.exe
PID 1312 wrote to memory of 636	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	FtpofRw.exe
PID 1312 wrote to memory of 1932	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	iBfBSuj.exe
PID 1312 wrote to memory of 1932	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	iBfBSuj.exe
PID 1312 wrote to memory of 2088	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	OHeMOjl.exe
PID 1312 wrote to memory of 2088	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	OHeMOjl.exe
PID 1312 wrote to memory of 3292	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	tHIewgN.exe
PID 1312 wrote to memory of 3292	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	tHIewgN.exe
PID 1312 wrote to memory of 3932	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	udCAnmY.exe
PID 1312 wrote to memory of 3932	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	udCAnmY.exe
PID 1312 wrote to memory of 1548	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	oLMIAWV.exe
PID 1312 wrote to memory of 1548	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	oLMIAWV.exe
PID 1312 wrote to memory of 2984	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	fdPCIEj.exe
PID 1312 wrote to memory of 2984	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	fdPCIEj.exe
PID 1312 wrote to memory of 4776	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	UwNhjYH.exe
PID 1312 wrote to memory of 4776	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	UwNhjYH.exe
PID 1312 wrote to memory of 3916	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	FtIyfYF.exe
PID 1312 wrote to memory of 3916	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	FtIyfYF.exe
PID 1312 wrote to memory of 4048	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	DzLvDJG.exe
PID 1312 wrote to memory of 4048	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	DzLvDJG.exe
PID 1312 wrote to memory of 3212	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	DyxbCrN.exe
PID 1312 wrote to memory of 3212	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	DyxbCrN.exe
PID 1312 wrote to memory of 4176	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	VSuuztE.exe
PID 1312 wrote to memory of 4176	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	VSuuztE.exe
PID 1312 wrote to memory of 4916	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	hulHfJc.exe
PID 1312 wrote to memory of 4916	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	hulHfJc.exe
PID 1312 wrote to memory of 2120	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	cNeaHxI.exe
PID 1312 wrote to memory of 2120	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	cNeaHxI.exe
PID 1312 wrote to memory of 4232	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	cpjmhld.exe
PID 1312 wrote to memory of 4232	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	cpjmhld.exe
PID 1312 wrote to memory of 5076	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	jIvOeUG.exe
PID 1312 wrote to memory of 5076	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	jIvOeUG.exe
PID 1312 wrote to memory of 1324	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	PbOtelH.exe
PID 1312 wrote to memory of 1324	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	PbOtelH.exe
PID 1312 wrote to memory of 1704	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	VkCKSeg.exe
PID 1312 wrote to memory of 1704	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	VkCKSeg.exe
PID 1312 wrote to memory of 4604	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	wpxqeMH.exe
PID 1312 wrote to memory of 4604	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	wpxqeMH.exe
PID 1312 wrote to memory of 2232	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	WIJdMrG.exe
PID 1312 wrote to memory of 2232	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	WIJdMrG.exe
PID 1312 wrote to memory of 3680	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	gkbVerJ.exe
PID 1312 wrote to memory of 3680	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	gkbVerJ.exe
PID 1312 wrote to memory of 2728	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	kjnFZdM.exe
PID 1312 wrote to memory of 2728	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	kjnFZdM.exe
PID 1312 wrote to memory of 2224	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	EIqJqsa.exe
PID 1312 wrote to memory of 2224	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	EIqJqsa.exe
PID 1312 wrote to memory of 4212	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	pOGNlGe.exe
PID 1312 wrote to memory of 4212	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	pOGNlGe.exe
PID 1312 wrote to memory of 4572	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	cLTJRqZ.exe
PID 1312 wrote to memory of 4572	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	cLTJRqZ.exe
PID 1312 wrote to memory of 4692	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	FxuvWwP.exe
PID 1312 wrote to memory of 4692	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	FxuvWwP.exe
PID 1312 wrote to memory of 5112	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	uCmJbsh.exe
PID 1312 wrote to memory of 5112	1312	a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe	uCmJbsh.exe

C:\Users\Admin\AppData\Local\Temp\a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\a5909f58d248503d9f1564ae44633e30_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\System\eCWwUht.exe
  C:\Windows\System\eCWwUht.exe
  2⤵
  - Executes dropped EXE
  PID:1568
- C:\Windows\System\jSKSdUl.exe
  C:\Windows\System\jSKSdUl.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\RzAVlas.exe
  C:\Windows\System\RzAVlas.exe
  2⤵
  - Executes dropped EXE
  PID:3444
- C:\Windows\System\czkTKCh.exe
  C:\Windows\System\czkTKCh.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\FtpofRw.exe
  C:\Windows\System\FtpofRw.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\iBfBSuj.exe
  C:\Windows\System\iBfBSuj.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\OHeMOjl.exe
  C:\Windows\System\OHeMOjl.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\tHIewgN.exe
  C:\Windows\System\tHIewgN.exe
  2⤵
  - Executes dropped EXE
  PID:3292
- C:\Windows\System\udCAnmY.exe
  C:\Windows\System\udCAnmY.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\oLMIAWV.exe
  C:\Windows\System\oLMIAWV.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\fdPCIEj.exe
  C:\Windows\System\fdPCIEj.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System\UwNhjYH.exe
  C:\Windows\System\UwNhjYH.exe
  2⤵
  - Executes dropped EXE
  PID:4776
- C:\Windows\System\FtIyfYF.exe
  C:\Windows\System\FtIyfYF.exe
  2⤵
  - Executes dropped EXE
  PID:3916
- C:\Windows\System\DzLvDJG.exe
  C:\Windows\System\DzLvDJG.exe
  2⤵
  - Executes dropped EXE
  PID:4048
- C:\Windows\System\DyxbCrN.exe
  C:\Windows\System\DyxbCrN.exe
  2⤵
  - Executes dropped EXE
  PID:3212
- C:\Windows\System\VSuuztE.exe
  C:\Windows\System\VSuuztE.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\hulHfJc.exe
  C:\Windows\System\hulHfJc.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\cNeaHxI.exe
  C:\Windows\System\cNeaHxI.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\cpjmhld.exe
  C:\Windows\System\cpjmhld.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\jIvOeUG.exe
  C:\Windows\System\jIvOeUG.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\PbOtelH.exe
  C:\Windows\System\PbOtelH.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\VkCKSeg.exe
  C:\Windows\System\VkCKSeg.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\wpxqeMH.exe
  C:\Windows\System\wpxqeMH.exe
  2⤵
  - Executes dropped EXE
  PID:4604
- C:\Windows\System\WIJdMrG.exe
  C:\Windows\System\WIJdMrG.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System\gkbVerJ.exe
  C:\Windows\System\gkbVerJ.exe
  2⤵
  - Executes dropped EXE
  PID:3680
- C:\Windows\System\kjnFZdM.exe
  C:\Windows\System\kjnFZdM.exe
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\Windows\System\EIqJqsa.exe
  C:\Windows\System\EIqJqsa.exe
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Windows\System\pOGNlGe.exe
  C:\Windows\System\pOGNlGe.exe
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Windows\System\cLTJRqZ.exe
  C:\Windows\System\cLTJRqZ.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\FxuvWwP.exe
  C:\Windows\System\FxuvWwP.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\uCmJbsh.exe
  C:\Windows\System\uCmJbsh.exe
  2⤵
  - Executes dropped EXE
  PID:5112
- C:\Windows\System\tsjXMxY.exe
  C:\Windows\System\tsjXMxY.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\JkXXlMZ.exe
  C:\Windows\System\JkXXlMZ.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\eEQsbDI.exe
  C:\Windows\System\eEQsbDI.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\LZbwRKr.exe
  C:\Windows\System\LZbwRKr.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\eoGaWgP.exe
  C:\Windows\System\eoGaWgP.exe
  2⤵
  - Executes dropped EXE
  PID:2016
- C:\Windows\System\cTxoIvA.exe
  C:\Windows\System\cTxoIvA.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\HMEjKTF.exe
  C:\Windows\System\HMEjKTF.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\sHrWFHl.exe
  C:\Windows\System\sHrWFHl.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\giwwQyV.exe
  C:\Windows\System\giwwQyV.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\tDDOEcZ.exe
  C:\Windows\System\tDDOEcZ.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\XQcYlIw.exe
  C:\Windows\System\XQcYlIw.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\ihfIiiI.exe
  C:\Windows\System\ihfIiiI.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\QPXbIjN.exe
  C:\Windows\System\QPXbIjN.exe
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Windows\System\deAolWw.exe
  C:\Windows\System\deAolWw.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\uCGwcLr.exe
  C:\Windows\System\uCGwcLr.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\acVKOgg.exe
  C:\Windows\System\acVKOgg.exe
  2⤵
  - Executes dropped EXE
  PID:4900
- C:\Windows\System\ewsEOSD.exe
  C:\Windows\System\ewsEOSD.exe
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Windows\System\nhXIuzj.exe
  C:\Windows\System\nhXIuzj.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\grbBBQG.exe
  C:\Windows\System\grbBBQG.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Windows\System\IMOjyPc.exe
  C:\Windows\System\IMOjyPc.exe
  2⤵
  - Executes dropped EXE
  PID:4612
- C:\Windows\System\hAIMwuH.exe
  C:\Windows\System\hAIMwuH.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Windows\System\lHOJEjv.exe
  C:\Windows\System\lHOJEjv.exe
  2⤵
  - Executes dropped EXE
  PID:4928
- C:\Windows\System\JGNWzNx.exe
  C:\Windows\System\JGNWzNx.exe
  2⤵
  - Executes dropped EXE
  PID:3584
- C:\Windows\System\QCrvZcE.exe
  C:\Windows\System\QCrvZcE.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\fCEADaU.exe
  C:\Windows\System\fCEADaU.exe
  2⤵
  - Executes dropped EXE
  PID:4740
- C:\Windows\System\PSyEsuV.exe
  C:\Windows\System\PSyEsuV.exe
  2⤵
  - Executes dropped EXE
  PID:2424
- C:\Windows\System\ctNybSR.exe
  C:\Windows\System\ctNybSR.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\tBlDsFr.exe
  C:\Windows\System\tBlDsFr.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\gWWoITj.exe
  C:\Windows\System\gWWoITj.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\icmkEti.exe
  C:\Windows\System\icmkEti.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\imibCKR.exe
  C:\Windows\System\imibCKR.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\hlYeoUW.exe
  C:\Windows\System\hlYeoUW.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\VwYuMOn.exe
  C:\Windows\System\VwYuMOn.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\fLsgGij.exe
  C:\Windows\System\fLsgGij.exe
  2⤵
  PID:4660
- C:\Windows\System\dClOZQC.exe
  C:\Windows\System\dClOZQC.exe
  2⤵
  PID:960
- C:\Windows\System\hfgfJoI.exe
  C:\Windows\System\hfgfJoI.exe
  2⤵
  PID:4688
- C:\Windows\System\rJUSqBf.exe
  C:\Windows\System\rJUSqBf.exe
  2⤵
  PID:3572
- C:\Windows\System\uzaGzBt.exe
  C:\Windows\System\uzaGzBt.exe
  2⤵
  PID:1640
- C:\Windows\System\sRmqqnO.exe
  C:\Windows\System\sRmqqnO.exe
  2⤵
  PID:2356
- C:\Windows\System\gSYEDxq.exe
  C:\Windows\System\gSYEDxq.exe
  2⤵
  PID:3156
- C:\Windows\System\CfcXCtg.exe
  C:\Windows\System\CfcXCtg.exe
  2⤵
  PID:1764
- C:\Windows\System\MnCbNKc.exe
  C:\Windows\System\MnCbNKc.exe
  2⤵
  PID:5088
- C:\Windows\System\uZJlhNZ.exe
  C:\Windows\System\uZJlhNZ.exe
  2⤵
  PID:2808
- C:\Windows\System\UzAmcRb.exe
  C:\Windows\System\UzAmcRb.exe
  2⤵
  PID:4392
- C:\Windows\System\qStesdf.exe
  C:\Windows\System\qStesdf.exe
  2⤵
  PID:1620
- C:\Windows\System\mvbVFvw.exe
  C:\Windows\System\mvbVFvw.exe
  2⤵
  PID:5032
- C:\Windows\System\yUTvhnK.exe
  C:\Windows\System\yUTvhnK.exe
  2⤵
  PID:4680
- C:\Windows\System\oAjhNJa.exe
  C:\Windows\System\oAjhNJa.exe
  2⤵
  PID:1400
- C:\Windows\System\dmAbGCF.exe
  C:\Windows\System\dmAbGCF.exe
  2⤵
  PID:5136
- C:\Windows\System\nokxPHF.exe
  C:\Windows\System\nokxPHF.exe
  2⤵
  PID:5180
- C:\Windows\System\jJbeNwc.exe
  C:\Windows\System\jJbeNwc.exe
  2⤵
  PID:5220
- C:\Windows\System\nUoDtkW.exe
  C:\Windows\System\nUoDtkW.exe
  2⤵
  PID:5276
- C:\Windows\System\VWEupBk.exe
  C:\Windows\System\VWEupBk.exe
  2⤵
  PID:5308
- C:\Windows\System\MAZWfwe.exe
  C:\Windows\System\MAZWfwe.exe
  2⤵
  PID:5356
- C:\Windows\System\cefOqjN.exe
  C:\Windows\System\cefOqjN.exe
  2⤵
  PID:5396
- C:\Windows\System\UKXyxYL.exe
  C:\Windows\System\UKXyxYL.exe
  2⤵
  PID:5424
- C:\Windows\System\YVAzrXo.exe
  C:\Windows\System\YVAzrXo.exe
  2⤵
  PID:5452
- C:\Windows\System\oIBXGbV.exe
  C:\Windows\System\oIBXGbV.exe
  2⤵
  PID:5484
- C:\Windows\System\UKfEJIn.exe
  C:\Windows\System\UKfEJIn.exe
  2⤵
  PID:5532
- C:\Windows\System\rXGuotK.exe
  C:\Windows\System\rXGuotK.exe
  2⤵
  PID:5564
- C:\Windows\System\wIMpdkb.exe
  C:\Windows\System\wIMpdkb.exe
  2⤵
  PID:5588
- C:\Windows\System\eGslxvf.exe
  C:\Windows\System\eGslxvf.exe
  2⤵
  PID:5628
- C:\Windows\System\dItzGrH.exe
  C:\Windows\System\dItzGrH.exe
  2⤵
  PID:5660
- C:\Windows\System\XNjwSmM.exe
  C:\Windows\System\XNjwSmM.exe
  2⤵
  PID:5692
- C:\Windows\System\NTmXIQS.exe
  C:\Windows\System\NTmXIQS.exe
  2⤵
  PID:5744
- C:\Windows\System\ViuCPIe.exe
  C:\Windows\System\ViuCPIe.exe
  2⤵
  PID:5760
- C:\Windows\System\JfarEvy.exe
  C:\Windows\System\JfarEvy.exe
  2⤵
  PID:5788
- C:\Windows\System\nVzODMz.exe
  C:\Windows\System\nVzODMz.exe
  2⤵
  PID:5848
- C:\Windows\System\wLAbTpA.exe
  C:\Windows\System\wLAbTpA.exe
  2⤵
  PID:5888
- C:\Windows\System\fqbInRn.exe
  C:\Windows\System\fqbInRn.exe
  2⤵
  PID:5960
- C:\Windows\System\VfRXWPH.exe
  C:\Windows\System\VfRXWPH.exe
  2⤵
  PID:5996
- C:\Windows\System\TZCvYCr.exe
  C:\Windows\System\TZCvYCr.exe
  2⤵
  PID:6016
- C:\Windows\System\yNQMXHI.exe
  C:\Windows\System\yNQMXHI.exe
  2⤵
  PID:6052
- C:\Windows\System\wIqlAgu.exe
  C:\Windows\System\wIqlAgu.exe
  2⤵
  PID:6092
- C:\Windows\System\nShHCNW.exe
  C:\Windows\System\nShHCNW.exe
  2⤵
  PID:6120
- C:\Windows\System\dYpOdJy.exe
  C:\Windows\System\dYpOdJy.exe
  2⤵
  PID:6136
- C:\Windows\System\vpOdDQm.exe
  C:\Windows\System\vpOdDQm.exe
  2⤵
  PID:5160
- C:\Windows\System\yQDqxFL.exe
  C:\Windows\System\yQDqxFL.exe
  2⤵
  PID:5200
- C:\Windows\System\ybWUgKo.exe
  C:\Windows\System\ybWUgKo.exe
  2⤵
  PID:4972
- C:\Windows\System\njBeBJT.exe
  C:\Windows\System\njBeBJT.exe
  2⤵
  PID:5296
- C:\Windows\System\oNTWFhW.exe
  C:\Windows\System\oNTWFhW.exe
  2⤵
  PID:5324
- C:\Windows\System\wqIZSMW.exe
  C:\Windows\System\wqIZSMW.exe
  2⤵
  PID:5412
- C:\Windows\System\JevBIfq.exe
  C:\Windows\System\JevBIfq.exe
  2⤵
  PID:5460
- C:\Windows\System\oaeQDad.exe
  C:\Windows\System\oaeQDad.exe
  2⤵
  PID:5572
- C:\Windows\System\rUaGYKw.exe
  C:\Windows\System\rUaGYKw.exe
  2⤵
  PID:5556
- C:\Windows\System\UaxFgIo.exe
  C:\Windows\System\UaxFgIo.exe
  2⤵
  PID:5652
- C:\Windows\System\IuopcyV.exe
  C:\Windows\System\IuopcyV.exe
  2⤵
  PID:5688
- C:\Windows\System\xkYsucl.exe
  C:\Windows\System\xkYsucl.exe
  2⤵
  PID:5796
- C:\Windows\System\qSGlYOW.exe
  C:\Windows\System\qSGlYOW.exe
  2⤵
  PID:5876
- C:\Windows\System\MukCWcp.exe
  C:\Windows\System\MukCWcp.exe
  2⤵
  PID:5944
- C:\Windows\System\jeOmPYD.exe
  C:\Windows\System\jeOmPYD.exe
  2⤵
  PID:6024
- C:\Windows\System\zuVGGUk.exe
  C:\Windows\System\zuVGGUk.exe
  2⤵
  PID:6040
- C:\Windows\System\tPMByyM.exe
  C:\Windows\System\tPMByyM.exe
  2⤵
  PID:2360
- C:\Windows\System\YumTRCE.exe
  C:\Windows\System\YumTRCE.exe
  2⤵
  PID:5236
- C:\Windows\System\DakDUrh.exe
  C:\Windows\System\DakDUrh.exe
  2⤵
  PID:3920
- C:\Windows\System\OrWccNs.exe
  C:\Windows\System\OrWccNs.exe
  2⤵
  PID:5320
- C:\Windows\System\zBdQjoX.exe
  C:\Windows\System\zBdQjoX.exe
  2⤵
  PID:5348
- C:\Windows\System\LDpplmr.exe
  C:\Windows\System\LDpplmr.exe
  2⤵
  PID:5512
- C:\Windows\System\hPtwDAQ.exe
  C:\Windows\System\hPtwDAQ.exe
  2⤵
  PID:5624
- C:\Windows\System\COjcxGA.exe
  C:\Windows\System\COjcxGA.exe
  2⤵
  PID:5752
- C:\Windows\System\VrIOXeS.exe
  C:\Windows\System\VrIOXeS.exe
  2⤵
  PID:5836
- C:\Windows\System\bTIoSqN.exe
  C:\Windows\System\bTIoSqN.exe
  2⤵
  PID:5952
- C:\Windows\System\JilquWb.exe
  C:\Windows\System\JilquWb.exe
  2⤵
  PID:5972
- C:\Windows\System\lBfeUtk.exe
  C:\Windows\System\lBfeUtk.exe
  2⤵
  PID:6068
- C:\Windows\System\wFTDHyD.exe
  C:\Windows\System\wFTDHyD.exe
  2⤵
  PID:5156
- C:\Windows\System\VskjjTi.exe
  C:\Windows\System\VskjjTi.exe
  2⤵
  PID:5188
- C:\Windows\System\JNvaJMd.exe
  C:\Windows\System\JNvaJMd.exe
  2⤵
  PID:5380
- C:\Windows\System\FwKkDuS.exe
  C:\Windows\System\FwKkDuS.exe
  2⤵
  PID:5644
- C:\Windows\System\zUQJODG.exe
  C:\Windows\System\zUQJODG.exe
  2⤵
  PID:5908
- C:\Windows\System\rokrNZg.exe
  C:\Windows\System\rokrNZg.exe
  2⤵
  PID:6064
- C:\Windows\System\LYugwOE.exe
  C:\Windows\System\LYugwOE.exe
  2⤵
  PID:2680
- C:\Windows\System\rFxDzRc.exe
  C:\Windows\System\rFxDzRc.exe
  2⤵
  PID:5720
- C:\Windows\System\pIEmUEW.exe
  C:\Windows\System\pIEmUEW.exe
  2⤵
  PID:6076
- C:\Windows\System\AzvtbnL.exe
  C:\Windows\System\AzvtbnL.exe
  2⤵
  PID:5828
- C:\Windows\System\kkeBRHM.exe
  C:\Windows\System\kkeBRHM.exe
  2⤵
  PID:5984
- C:\Windows\System\bNjGAsb.exe
  C:\Windows\System\bNjGAsb.exe
  2⤵
  PID:6160
- C:\Windows\System\iEfKJUT.exe
  C:\Windows\System\iEfKJUT.exe
  2⤵
  PID:6200
- C:\Windows\System\hAkIOrw.exe
  C:\Windows\System\hAkIOrw.exe
  2⤵
  PID:6224
- C:\Windows\System\NRIHwWc.exe
  C:\Windows\System\NRIHwWc.exe
  2⤵
  PID:6248
- C:\Windows\System\CIQfFZB.exe
  C:\Windows\System\CIQfFZB.exe
  2⤵
  PID:6280
- C:\Windows\System\Xkdsyni.exe
  C:\Windows\System\Xkdsyni.exe
  2⤵
  PID:6312
- C:\Windows\System\zNPGWXW.exe
  C:\Windows\System\zNPGWXW.exe
  2⤵
  PID:6352
- C:\Windows\System\JcVDUoP.exe
  C:\Windows\System\JcVDUoP.exe
  2⤵
  PID:6380
- C:\Windows\System\jRzbhyZ.exe
  C:\Windows\System\jRzbhyZ.exe
  2⤵
  PID:6428
- C:\Windows\System\SJmjYYM.exe
  C:\Windows\System\SJmjYYM.exe
  2⤵
  PID:6464
- C:\Windows\System\Invjvhx.exe
  C:\Windows\System\Invjvhx.exe
  2⤵
  PID:6492
- C:\Windows\System\scQfCpo.exe
  C:\Windows\System\scQfCpo.exe
  2⤵
  PID:6528
- C:\Windows\System\YhqxOzJ.exe
  C:\Windows\System\YhqxOzJ.exe
  2⤵
  PID:6608
- C:\Windows\System\phAbzMR.exe
  C:\Windows\System\phAbzMR.exe
  2⤵
  PID:6628
- C:\Windows\System\NNFtnTV.exe
  C:\Windows\System\NNFtnTV.exe
  2⤵
  PID:6644
- C:\Windows\System\pXVBgrv.exe
  C:\Windows\System\pXVBgrv.exe
  2⤵
  PID:6664
- C:\Windows\System\IHgWLqT.exe
  C:\Windows\System\IHgWLqT.exe
  2⤵
  PID:6684
- C:\Windows\System\GrlSkRJ.exe
  C:\Windows\System\GrlSkRJ.exe
  2⤵
  PID:6712
- C:\Windows\System\rreLFYN.exe
  C:\Windows\System\rreLFYN.exe
  2⤵
  PID:6744
- C:\Windows\System\ZKGpKJf.exe
  C:\Windows\System\ZKGpKJf.exe
  2⤵
  PID:6780
- C:\Windows\System\lcghorq.exe
  C:\Windows\System\lcghorq.exe
  2⤵
  PID:6804
- C:\Windows\System\UrtMlAe.exe
  C:\Windows\System\UrtMlAe.exe
  2⤵
  PID:6828
- C:\Windows\System\HtdaEzo.exe
  C:\Windows\System\HtdaEzo.exe
  2⤵
  PID:6860
- C:\Windows\System\cXMJtGX.exe
  C:\Windows\System\cXMJtGX.exe
  2⤵
  PID:6900
- C:\Windows\System\tafCDIn.exe
  C:\Windows\System\tafCDIn.exe
  2⤵
  PID:6924
- C:\Windows\System\xYFAbcS.exe
  C:\Windows\System\xYFAbcS.exe
  2⤵
  PID:6964
- C:\Windows\System\UPOvbXi.exe
  C:\Windows\System\UPOvbXi.exe
  2⤵
  PID:6980
- C:\Windows\System\MMtalfa.exe
  C:\Windows\System\MMtalfa.exe
  2⤵
  PID:7012
- C:\Windows\System\qXJfAkZ.exe
  C:\Windows\System\qXJfAkZ.exe
  2⤵
  PID:7044
- C:\Windows\System\XMgbCFo.exe
  C:\Windows\System\XMgbCFo.exe
  2⤵
  PID:7068
- C:\Windows\System\oOJzWTH.exe
  C:\Windows\System\oOJzWTH.exe
  2⤵
  PID:7092
- C:\Windows\System\hTxrFOe.exe
  C:\Windows\System\hTxrFOe.exe
  2⤵
  PID:7128
- C:\Windows\System\EqkTEBR.exe
  C:\Windows\System\EqkTEBR.exe
  2⤵
  PID:7152
- C:\Windows\System\OgnNYEe.exe
  C:\Windows\System\OgnNYEe.exe
  2⤵
  PID:6100
- C:\Windows\System\MiGTqtQ.exe
  C:\Windows\System\MiGTqtQ.exe
  2⤵
  PID:6240
- C:\Windows\System\kDLROYj.exe
  C:\Windows\System\kDLROYj.exe
  2⤵
  PID:6360
- C:\Windows\System\QadhEHr.exe
  C:\Windows\System\QadhEHr.exe
  2⤵
  PID:6444
- C:\Windows\System\tEGGQGE.exe
  C:\Windows\System\tEGGQGE.exe
  2⤵
  PID:6480
- C:\Windows\System\EfRWpkz.exe
  C:\Windows\System\EfRWpkz.exe
  2⤵
  PID:6548
- C:\Windows\System\OskSJFk.exe
  C:\Windows\System\OskSJFk.exe
  2⤵
  PID:6620
- C:\Windows\System\kVzAWjt.exe
  C:\Windows\System\kVzAWjt.exe
  2⤵
  PID:6724
- C:\Windows\System\oAOQULD.exe
  C:\Windows\System\oAOQULD.exe
  2⤵
  PID:6700
- C:\Windows\System\XuABcoq.exe
  C:\Windows\System\XuABcoq.exe
  2⤵
  PID:6752
- C:\Windows\System\PSDzDZX.exe
  C:\Windows\System\PSDzDZX.exe
  2⤵
  PID:6816
- C:\Windows\System\poUEsZr.exe
  C:\Windows\System\poUEsZr.exe
  2⤵
  PID:6948
- C:\Windows\System\izLZNdb.exe
  C:\Windows\System\izLZNdb.exe
  2⤵
  PID:7056
- C:\Windows\System\KQOHRcJ.exe
  C:\Windows\System\KQOHRcJ.exe
  2⤵
  PID:7124
- C:\Windows\System\lzTJQEQ.exe
  C:\Windows\System\lzTJQEQ.exe
  2⤵
  PID:7116
- C:\Windows\System\DrTAzJz.exe
  C:\Windows\System\DrTAzJz.exe
  2⤵
  PID:6108
- C:\Windows\System\eZXjJhS.exe
  C:\Windows\System\eZXjJhS.exe
  2⤵
  PID:6276
- C:\Windows\System\xlMMLjJ.exe
  C:\Windows\System\xlMMLjJ.exe
  2⤵
  PID:6456
- C:\Windows\System\gjDKXrJ.exe
  C:\Windows\System\gjDKXrJ.exe
  2⤵
  PID:6704
- C:\Windows\System\sTZJqDQ.exe
  C:\Windows\System\sTZJqDQ.exe
  2⤵
  PID:6976
- C:\Windows\System\KeTayrC.exe
  C:\Windows\System\KeTayrC.exe
  2⤵
  PID:7144
- C:\Windows\System\RxfkuvB.exe
  C:\Windows\System\RxfkuvB.exe
  2⤵
  PID:6520
- C:\Windows\System\sSHuIgM.exe
  C:\Windows\System\sSHuIgM.exe
  2⤵
  PID:6680
- C:\Windows\System\nWFKcfF.exe
  C:\Windows\System\nWFKcfF.exe
  2⤵
  PID:6880
- C:\Windows\System\avecIHS.exe
  C:\Windows\System\avecIHS.exe
  2⤵
  PID:7108
- C:\Windows\System\ZzmcBAC.exe
  C:\Windows\System\ZzmcBAC.exe
  2⤵
  PID:6484
- C:\Windows\System\OJhKrof.exe
  C:\Windows\System\OJhKrof.exe
  2⤵
  PID:7196
- C:\Windows\System\GrjbPzE.exe
  C:\Windows\System\GrjbPzE.exe
  2⤵
  PID:7220
- C:\Windows\System\eAqdlGO.exe
  C:\Windows\System\eAqdlGO.exe
  2⤵
  PID:7240
- C:\Windows\System\PtGFkND.exe
  C:\Windows\System\PtGFkND.exe
  2⤵
  PID:7292
- C:\Windows\System\RgfXMig.exe
  C:\Windows\System\RgfXMig.exe
  2⤵
  PID:7320
- C:\Windows\System\nYABiTL.exe
  C:\Windows\System\nYABiTL.exe
  2⤵
  PID:7364
- C:\Windows\System\hOCUWOk.exe
  C:\Windows\System\hOCUWOk.exe
  2⤵
  PID:7396
- C:\Windows\System\YxCIECW.exe
  C:\Windows\System\YxCIECW.exe
  2⤵
  PID:7436
- C:\Windows\System\ZIASSIV.exe
  C:\Windows\System\ZIASSIV.exe
  2⤵
  PID:7460
- C:\Windows\System\feRFZVM.exe
  C:\Windows\System\feRFZVM.exe
  2⤵
  PID:7492
- C:\Windows\System\nFooHbL.exe
  C:\Windows\System\nFooHbL.exe
  2⤵
  PID:7524
- C:\Windows\System\spYXPYR.exe
  C:\Windows\System\spYXPYR.exe
  2⤵
  PID:7556
- C:\Windows\System\KnYkFDW.exe
  C:\Windows\System\KnYkFDW.exe
  2⤵
  PID:7584
- C:\Windows\System\HViOdPg.exe
  C:\Windows\System\HViOdPg.exe
  2⤵
  PID:7624
- C:\Windows\System\LWwiFuI.exe
  C:\Windows\System\LWwiFuI.exe
  2⤵
  PID:7644
- C:\Windows\System\PbEdweX.exe
  C:\Windows\System\PbEdweX.exe
  2⤵
  PID:7672
- C:\Windows\System\hsGQgob.exe
  C:\Windows\System\hsGQgob.exe
  2⤵
  PID:7688
- C:\Windows\System\yMCjfaf.exe
  C:\Windows\System\yMCjfaf.exe
  2⤵
  PID:7728
- C:\Windows\System\TQnGIIv.exe
  C:\Windows\System\TQnGIIv.exe
  2⤵
  PID:7756
- C:\Windows\System\ysryLEh.exe
  C:\Windows\System\ysryLEh.exe
  2⤵
  PID:7788
- C:\Windows\System\daqauAQ.exe
  C:\Windows\System\daqauAQ.exe
  2⤵
  PID:7804
- C:\Windows\System\yqvefhC.exe
  C:\Windows\System\yqvefhC.exe
  2⤵
  PID:7844
- C:\Windows\System\xPmaynB.exe
  C:\Windows\System\xPmaynB.exe
  2⤵
  PID:7864
- C:\Windows\System\fyDBNrj.exe
  C:\Windows\System\fyDBNrj.exe
  2⤵
  PID:7900
- C:\Windows\System\YtOwfZA.exe
  C:\Windows\System\YtOwfZA.exe
  2⤵
  PID:7928
- C:\Windows\System\BvJQkuv.exe
  C:\Windows\System\BvJQkuv.exe
  2⤵
  PID:7948
- C:\Windows\System\WuYPyFh.exe
  C:\Windows\System\WuYPyFh.exe
  2⤵
  PID:7988
- C:\Windows\System\kbbMObB.exe
  C:\Windows\System\kbbMObB.exe
  2⤵
  PID:8016
- C:\Windows\System\yyZWDAA.exe
  C:\Windows\System\yyZWDAA.exe
  2⤵
  PID:8044
- C:\Windows\System\ZBIpUnI.exe
  C:\Windows\System\ZBIpUnI.exe
  2⤵
  PID:8076
- C:\Windows\System\RqHNIZj.exe
  C:\Windows\System\RqHNIZj.exe
  2⤵
  PID:8096
- C:\Windows\System\WJrkXGo.exe
  C:\Windows\System\WJrkXGo.exe
  2⤵
  PID:8132
- C:\Windows\System\lgEouCe.exe
  C:\Windows\System\lgEouCe.exe
  2⤵
  PID:8160
- C:\Windows\System\zGMegpU.exe
  C:\Windows\System\zGMegpU.exe
  2⤵
  PID:8188
- C:\Windows\System\rNeESxm.exe
  C:\Windows\System\rNeESxm.exe
  2⤵
  PID:7192
- C:\Windows\System\fnJCHAK.exe
  C:\Windows\System\fnJCHAK.exe
  2⤵
  PID:7180
- C:\Windows\System\TTkpJaG.exe
  C:\Windows\System\TTkpJaG.exe
  2⤵
  PID:7260
- C:\Windows\System\BAPazxt.exe
  C:\Windows\System\BAPazxt.exe
  2⤵
  PID:7352
- C:\Windows\System\ZQkipRa.exe
  C:\Windows\System\ZQkipRa.exe
  2⤵
  PID:7412
- C:\Windows\System\hhQNjKr.exe
  C:\Windows\System\hhQNjKr.exe
  2⤵
  PID:7488
- C:\Windows\System\EZVWUxf.exe
  C:\Windows\System\EZVWUxf.exe
  2⤵
  PID:7536
- C:\Windows\System\SEqUHzQ.exe
  C:\Windows\System\SEqUHzQ.exe
  2⤵
  PID:7612
- C:\Windows\System\NMDNTiR.exe
  C:\Windows\System\NMDNTiR.exe
  2⤵
  PID:7708
- C:\Windows\System\XzWfMub.exe
  C:\Windows\System\XzWfMub.exe
  2⤵
  PID:7780
- C:\Windows\System\dIYRBzd.exe
  C:\Windows\System\dIYRBzd.exe
  2⤵
  PID:7840
- C:\Windows\System\LifdZWW.exe
  C:\Windows\System\LifdZWW.exe
  2⤵
  PID:7896
- C:\Windows\System\SKTnzan.exe
  C:\Windows\System\SKTnzan.exe
  2⤵
  PID:7984
- C:\Windows\System\WBYPTJf.exe
  C:\Windows\System\WBYPTJf.exe
  2⤵
  PID:6184
- C:\Windows\System\WuENvav.exe
  C:\Windows\System\WuENvav.exe
  2⤵
  PID:8116
- C:\Windows\System\PuRgVaB.exe
  C:\Windows\System\PuRgVaB.exe
  2⤵
  PID:7232
- C:\Windows\System\uAbVOLf.exe
  C:\Windows\System\uAbVOLf.exe
  2⤵
  PID:7388
- C:\Windows\System\nwijFXg.exe
  C:\Windows\System\nwijFXg.exe
  2⤵
  PID:7680
- C:\Windows\System\xhbSohl.exe
  C:\Windows\System\xhbSohl.exe
  2⤵
  PID:7828
- C:\Windows\System\FOdIrbi.exe
  C:\Windows\System\FOdIrbi.exe
  2⤵
  PID:8004
- C:\Windows\System\hPiGjGB.exe
  C:\Windows\System\hPiGjGB.exe
  2⤵
  PID:7184
- C:\Windows\System\AVyAvoB.exe
  C:\Windows\System\AVyAvoB.exe
  2⤵
  PID:7520
- C:\Windows\System\XshngWJ.exe
  C:\Windows\System\XshngWJ.exe
  2⤵
  PID:7980
- C:\Windows\System\OOyNxzK.exe
  C:\Windows\System\OOyNxzK.exe
  2⤵
  PID:8208
- C:\Windows\System\pEFhIsY.exe
  C:\Windows\System\pEFhIsY.exe
  2⤵
  PID:8224
- C:\Windows\System\TfZqCdG.exe
  C:\Windows\System\TfZqCdG.exe
  2⤵
  PID:8256
- C:\Windows\System\sOJgNnD.exe
  C:\Windows\System\sOJgNnD.exe
  2⤵
  PID:8288
- C:\Windows\System\yCOXDQw.exe
  C:\Windows\System\yCOXDQw.exe
  2⤵
  PID:8316
- C:\Windows\System\YppBLeU.exe
  C:\Windows\System\YppBLeU.exe
  2⤵
  PID:8356
- C:\Windows\System\kvKozLE.exe
  C:\Windows\System\kvKozLE.exe
  2⤵
  PID:8396
- C:\Windows\System\caIlfxY.exe
  C:\Windows\System\caIlfxY.exe
  2⤵
  PID:8424
- C:\Windows\System\zFUoLoa.exe
  C:\Windows\System\zFUoLoa.exe
  2⤵
  PID:8460
- C:\Windows\System\ISZLAQJ.exe
  C:\Windows\System\ISZLAQJ.exe
  2⤵
  PID:8484
- C:\Windows\System\BIQDFpB.exe
  C:\Windows\System\BIQDFpB.exe
  2⤵
  PID:8532
- C:\Windows\System\DftRhVY.exe
  C:\Windows\System\DftRhVY.exe
  2⤵
  PID:8564
- C:\Windows\System\ceiLuXH.exe
  C:\Windows\System\ceiLuXH.exe
  2⤵
  PID:8600
- C:\Windows\System\LoFPjhf.exe
  C:\Windows\System\LoFPjhf.exe
  2⤵
  PID:8632
- C:\Windows\System\TlZnIdQ.exe
  C:\Windows\System\TlZnIdQ.exe
  2⤵
  PID:8660
- C:\Windows\System\MkQeAbg.exe
  C:\Windows\System\MkQeAbg.exe
  2⤵
  PID:8692
- C:\Windows\System\SEFEaDe.exe
  C:\Windows\System\SEFEaDe.exe
  2⤵
  PID:8728
- C:\Windows\System\jcAffLg.exe
  C:\Windows\System\jcAffLg.exe
  2⤵
  PID:8744
- C:\Windows\System\QlZsFfd.exe
  C:\Windows\System\QlZsFfd.exe
  2⤵
  PID:8768
- C:\Windows\System\gcBZJTA.exe
  C:\Windows\System\gcBZJTA.exe
  2⤵
  PID:8800
- C:\Windows\System\IrfFDYC.exe
  C:\Windows\System\IrfFDYC.exe
  2⤵
  PID:8824
- C:\Windows\System\WMZOuqh.exe
  C:\Windows\System\WMZOuqh.exe
  2⤵
  PID:8856
- C:\Windows\System\jwnqUoI.exe
  C:\Windows\System\jwnqUoI.exe
  2⤵
  PID:8892
- C:\Windows\System\VcvHGKb.exe
  C:\Windows\System\VcvHGKb.exe
  2⤵
  PID:8924
- C:\Windows\System\UstKkXf.exe
  C:\Windows\System\UstKkXf.exe
  2⤵
  PID:8948
- C:\Windows\System\ZODYswY.exe
  C:\Windows\System\ZODYswY.exe
  2⤵
  PID:8980
- C:\Windows\System\fSGIPfv.exe
  C:\Windows\System\fSGIPfv.exe
  2⤵
  PID:9008
- C:\Windows\System\ifluLcc.exe
  C:\Windows\System\ifluLcc.exe
  2⤵
  PID:9036
- C:\Windows\System\UQUlxbI.exe
  C:\Windows\System\UQUlxbI.exe
  2⤵
  PID:9052
- C:\Windows\System\AUbTsQm.exe
  C:\Windows\System\AUbTsQm.exe
  2⤵
  PID:9080
- C:\Windows\System\kvhWUKo.exe
  C:\Windows\System\kvhWUKo.exe
  2⤵
  PID:9112
- C:\Windows\System\dRaEpjb.exe
  C:\Windows\System\dRaEpjb.exe
  2⤵
  PID:9152
- C:\Windows\System\wyLVhPu.exe
  C:\Windows\System\wyLVhPu.exe
  2⤵
  PID:9172
- C:\Windows\System\eotlGvC.exe
  C:\Windows\System\eotlGvC.exe
  2⤵
  PID:9212
- C:\Windows\System\YARvviq.exe
  C:\Windows\System\YARvviq.exe
  2⤵
  PID:8244
- C:\Windows\System\IfzfAms.exe
  C:\Windows\System\IfzfAms.exe
  2⤵
  PID:8304
- C:\Windows\System\iqmMDqA.exe
  C:\Windows\System\iqmMDqA.exe
  2⤵
  PID:8392
- C:\Windows\System\QIqKVdV.exe
  C:\Windows\System\QIqKVdV.exe
  2⤵
  PID:8444
- C:\Windows\System\FNiIjtO.exe
  C:\Windows\System\FNiIjtO.exe
  2⤵
  PID:8500
- C:\Windows\System\AdiEAkk.exe
  C:\Windows\System\AdiEAkk.exe
  2⤵
  PID:8628
- C:\Windows\System\zOHpgUs.exe
  C:\Windows\System\zOHpgUs.exe
  2⤵
  PID:8700
- C:\Windows\System\nUukANw.exe
  C:\Windows\System\nUukANw.exe
  2⤵
  PID:8756
- C:\Windows\System\AUyDZAP.exe
  C:\Windows\System\AUyDZAP.exe
  2⤵
  PID:8868
- C:\Windows\System\pIRCQdh.exe
  C:\Windows\System\pIRCQdh.exe
  2⤵
  PID:8908
- C:\Windows\System\ChsrQBE.exe
  C:\Windows\System\ChsrQBE.exe
  2⤵
  PID:8964
- C:\Windows\System\acRHncP.exe
  C:\Windows\System\acRHncP.exe
  2⤵
  PID:9028
- C:\Windows\System\KWkmvLz.exe
  C:\Windows\System\KWkmvLz.exe
  2⤵
  PID:9076
- C:\Windows\System\WabELoA.exe
  C:\Windows\System\WabELoA.exe
  2⤵
  PID:9164
- C:\Windows\System\DmuYmmi.exe
  C:\Windows\System\DmuYmmi.exe
  2⤵
  PID:7376
- C:\Windows\System\NTuYQTq.exe
  C:\Windows\System\NTuYQTq.exe
  2⤵
  PID:8384
- C:\Windows\System\sUviEHg.exe
  C:\Windows\System\sUviEHg.exe
  2⤵
  PID:8592
- C:\Windows\System\aPGblcl.exe
  C:\Windows\System\aPGblcl.exe
  2⤵
  PID:8672
- C:\Windows\System\qhBiHWm.exe
  C:\Windows\System\qhBiHWm.exe
  2⤵
  PID:8852
- C:\Windows\System\bbwUert.exe
  C:\Windows\System\bbwUert.exe
  2⤵
  PID:9004
- C:\Windows\System\qltbwfs.exe
  C:\Windows\System\qltbwfs.exe
  2⤵
  PID:9204
- C:\Windows\System\fWqwbAQ.exe
  C:\Windows\System\fWqwbAQ.exe
  2⤵
  PID:8920
- C:\Windows\System\EciezSA.exe
  C:\Windows\System\EciezSA.exe
  2⤵
  PID:8944
- C:\Windows\System\qectlhX.exe
  C:\Windows\System\qectlhX.exe
  2⤵
  PID:8456
- C:\Windows\System\fBeDytF.exe
  C:\Windows\System\fBeDytF.exe
  2⤵
  PID:8992
- C:\Windows\System\SlcCzBR.exe
  C:\Windows\System\SlcCzBR.exe
  2⤵
  PID:9236
- C:\Windows\System\TvASLOp.exe
  C:\Windows\System\TvASLOp.exe
  2⤵
  PID:9264
- C:\Windows\System\qJlGhpk.exe
  C:\Windows\System\qJlGhpk.exe
  2⤵
  PID:9292
- C:\Windows\System\cIBWddo.exe
  C:\Windows\System\cIBWddo.exe
  2⤵
  PID:9320
- C:\Windows\System\farKGDP.exe
  C:\Windows\System\farKGDP.exe
  2⤵
  PID:9348
- C:\Windows\System\GOXSJSy.exe
  C:\Windows\System\GOXSJSy.exe
  2⤵
  PID:9376
- C:\Windows\System\JVEDFhd.exe
  C:\Windows\System\JVEDFhd.exe
  2⤵
  PID:9396
- C:\Windows\System\UUzOChF.exe
  C:\Windows\System\UUzOChF.exe
  2⤵
  PID:9420
- C:\Windows\System\cMMKdjR.exe
  C:\Windows\System\cMMKdjR.exe
  2⤵
  PID:9460
- C:\Windows\System\VRJXuSC.exe
  C:\Windows\System\VRJXuSC.exe
  2⤵
  PID:9488
- C:\Windows\System\EEiXfLz.exe
  C:\Windows\System\EEiXfLz.exe
  2⤵
  PID:9504
- C:\Windows\System\HyMbrBO.exe
  C:\Windows\System\HyMbrBO.exe
  2⤵
  PID:9532
- C:\Windows\System\BzHOjLL.exe
  C:\Windows\System\BzHOjLL.exe
  2⤵
  PID:9560
- C:\Windows\System\yLJGwqK.exe
  C:\Windows\System\yLJGwqK.exe
  2⤵
  PID:9644
- C:\Windows\System\nOtlOiR.exe
  C:\Windows\System\nOtlOiR.exe
  2⤵
  PID:9660
- C:\Windows\System\tvSGnYQ.exe
  C:\Windows\System\tvSGnYQ.exe
  2⤵
  PID:9688
- C:\Windows\System\JTMlpFr.exe
  C:\Windows\System\JTMlpFr.exe
  2⤵
  PID:9704
- C:\Windows\System\StyVBKK.exe
  C:\Windows\System\StyVBKK.exe
  2⤵
  PID:9744
- C:\Windows\System\LXUmVjT.exe
  C:\Windows\System\LXUmVjT.exe
  2⤵
  PID:9772
- C:\Windows\System\uXCigUl.exe
  C:\Windows\System\uXCigUl.exe
  2⤵
  PID:9800
- C:\Windows\System\yDEyQhw.exe
  C:\Windows\System\yDEyQhw.exe
  2⤵
  PID:9828
- C:\Windows\System\BaxBAGc.exe
  C:\Windows\System\BaxBAGc.exe
  2⤵
  PID:9856
- C:\Windows\System\wZOhFQp.exe
  C:\Windows\System\wZOhFQp.exe
  2⤵
  PID:9884
- C:\Windows\System\DuOTbRr.exe
  C:\Windows\System\DuOTbRr.exe
  2⤵
  PID:9912
- C:\Windows\System\fEwUozb.exe
  C:\Windows\System\fEwUozb.exe
  2⤵
  PID:9940
- C:\Windows\System\pbRjsOt.exe
  C:\Windows\System\pbRjsOt.exe
  2⤵
  PID:9972
- C:\Windows\System\oZaIMcA.exe
  C:\Windows\System\oZaIMcA.exe
  2⤵
  PID:10000
- C:\Windows\System\MLLemap.exe
  C:\Windows\System\MLLemap.exe
  2⤵
  PID:10020
- C:\Windows\System\kgJKgax.exe
  C:\Windows\System\kgJKgax.exe
  2⤵
  PID:10056
- C:\Windows\System\YwsemRl.exe
  C:\Windows\System\YwsemRl.exe
  2⤵
  PID:10084
- C:\Windows\System\DCJtOsS.exe
  C:\Windows\System\DCJtOsS.exe
  2⤵
  PID:10112
- C:\Windows\System\SRXzoXr.exe
  C:\Windows\System\SRXzoXr.exe
  2⤵
  PID:10140
- C:\Windows\System\faltLFQ.exe
  C:\Windows\System\faltLFQ.exe
  2⤵
  PID:10168
- C:\Windows\System\TVKvtyj.exe
  C:\Windows\System\TVKvtyj.exe
  2⤵
  PID:10196
- C:\Windows\System\VQgRTiE.exe
  C:\Windows\System\VQgRTiE.exe
  2⤵
  PID:10212
- C:\Windows\System\WDuKKpJ.exe
  C:\Windows\System\WDuKKpJ.exe
  2⤵
  PID:9248
- C:\Windows\System\FYtFTrc.exe
  C:\Windows\System\FYtFTrc.exe
  2⤵
  PID:9316
- C:\Windows\System\qNIjPay.exe
  C:\Windows\System\qNIjPay.exe
  2⤵
  PID:9360
- C:\Windows\System\ykzuYgU.exe
  C:\Windows\System\ykzuYgU.exe
  2⤵
  PID:9456
- C:\Windows\System\GiybCHq.exe
  C:\Windows\System\GiybCHq.exe
  2⤵
  PID:9500
- C:\Windows\System\GSXevHB.exe
  C:\Windows\System\GSXevHB.exe
  2⤵
  PID:9548
- C:\Windows\System\gaNFIGY.exe
  C:\Windows\System\gaNFIGY.exe
  2⤵
  PID:9596
- C:\Windows\System\WfLhzLx.exe
  C:\Windows\System\WfLhzLx.exe
  2⤵
  PID:9680
- C:\Windows\System\RzrXYYI.exe
  C:\Windows\System\RzrXYYI.exe
  2⤵
  PID:9784
- C:\Windows\System\rHNBPvc.exe
  C:\Windows\System\rHNBPvc.exe
  2⤵
  PID:9848
- C:\Windows\System\GyGKNSu.exe
  C:\Windows\System\GyGKNSu.exe
  2⤵
  PID:9932
- C:\Windows\System\MtXelxd.exe
  C:\Windows\System\MtXelxd.exe
  2⤵
  PID:9996
- C:\Windows\System\olpwwhl.exe
  C:\Windows\System\olpwwhl.exe
  2⤵
  PID:10040
- C:\Windows\System\TsnSpFs.exe
  C:\Windows\System\TsnSpFs.exe
  2⤵
  PID:10128
- C:\Windows\System\wkLwZoc.exe
  C:\Windows\System\wkLwZoc.exe
  2⤵
  PID:10192
- C:\Windows\System\WYClFAy.exe
  C:\Windows\System\WYClFAy.exe
  2⤵
  PID:9288
- C:\Windows\System\wBWCesq.exe
  C:\Windows\System\wBWCesq.exe
  2⤵
  PID:9384
- C:\Windows\System\HfcgikX.exe
  C:\Windows\System\HfcgikX.exe
  2⤵
  PID:9592
- C:\Windows\System\TACkSjF.exe
  C:\Windows\System\TACkSjF.exe
  2⤵
  PID:9652
- C:\Windows\System\OHTabbu.exe
  C:\Windows\System\OHTabbu.exe
  2⤵
  PID:9824
- C:\Windows\System\csERdxX.exe
  C:\Windows\System\csERdxX.exe
  2⤵
  PID:9964
- C:\Windows\System\HYqUCOJ.exe
  C:\Windows\System\HYqUCOJ.exe
  2⤵
  PID:10224
- C:\Windows\System\KSElndu.exe
  C:\Windows\System\KSElndu.exe
  2⤵
  PID:9556
- C:\Windows\System\iZduqOh.exe
  C:\Windows\System\iZduqOh.exe
  2⤵
  PID:9904
- C:\Windows\System\nHQnHtV.exe
  C:\Windows\System\nHQnHtV.exe
  2⤵
  PID:9332
- C:\Windows\System\PafVYNb.exe
  C:\Windows\System\PafVYNb.exe
  2⤵
  PID:10180
- C:\Windows\System\MaDIxUw.exe
  C:\Windows\System\MaDIxUw.exe
  2⤵
  PID:10248
- C:\Windows\System\HHTjLfe.exe
  C:\Windows\System\HHTjLfe.exe
  2⤵
  PID:10272
- C:\Windows\System\lWKJrlf.exe
  C:\Windows\System\lWKJrlf.exe
  2⤵
  PID:10304
- C:\Windows\System\ojnZPOZ.exe
  C:\Windows\System\ojnZPOZ.exe
  2⤵
  PID:10332
- C:\Windows\System\radTZNX.exe
  C:\Windows\System\radTZNX.exe
  2⤵
  PID:10348
- C:\Windows\System\bAneVmW.exe
  C:\Windows\System\bAneVmW.exe
  2⤵
  PID:10368
- C:\Windows\System\IQGsfeH.exe
  C:\Windows\System\IQGsfeH.exe
  2⤵
  PID:10392
- C:\Windows\System\vPIRFry.exe
  C:\Windows\System\vPIRFry.exe
  2⤵
  PID:10424
- C:\Windows\System\ZNYQFCr.exe
  C:\Windows\System\ZNYQFCr.exe
  2⤵
  PID:10460
- C:\Windows\System\RspfBHv.exe
  C:\Windows\System\RspfBHv.exe
  2⤵
  PID:10500
- C:\Windows\System\cmQyjDt.exe
  C:\Windows\System\cmQyjDt.exe
  2⤵
  PID:10528
- C:\Windows\System\eRhzXbP.exe
  C:\Windows\System\eRhzXbP.exe
  2⤵
  PID:10548
- C:\Windows\System\FeauDPH.exe
  C:\Windows\System\FeauDPH.exe
  2⤵
  PID:10584
- C:\Windows\System\TCMafqA.exe
  C:\Windows\System\TCMafqA.exe
  2⤵
  PID:10604
- C:\Windows\System\nbHuioU.exe
  C:\Windows\System\nbHuioU.exe
  2⤵
  PID:10648
- C:\Windows\System\xUNbYDD.exe
  C:\Windows\System\xUNbYDD.exe
  2⤵
  PID:10680
- C:\Windows\System\ItqhtzS.exe
  C:\Windows\System\ItqhtzS.exe
  2⤵
  PID:10716
- C:\Windows\System\iBwxmIk.exe
  C:\Windows\System\iBwxmIk.exe
  2⤵
  PID:10748
- C:\Windows\System\JSHCeMN.exe
  C:\Windows\System\JSHCeMN.exe
  2⤵
  PID:10780
- C:\Windows\System\AKuBUcJ.exe
  C:\Windows\System\AKuBUcJ.exe
  2⤵
  PID:10808
- C:\Windows\System\wTjpbOl.exe
  C:\Windows\System\wTjpbOl.exe
  2⤵
  PID:10848
- C:\Windows\System\WtCXUDB.exe
  C:\Windows\System\WtCXUDB.exe
  2⤵
  PID:10876
- C:\Windows\System\ijQPRjp.exe
  C:\Windows\System\ijQPRjp.exe
  2⤵
  PID:10896
- C:\Windows\System\KSrAzNi.exe
  C:\Windows\System\KSrAzNi.exe
  2⤵
  PID:10944
- C:\Windows\System\dERqScN.exe
  C:\Windows\System\dERqScN.exe
  2⤵
  PID:10964
- C:\Windows\System\dslHawN.exe
  C:\Windows\System\dslHawN.exe
  2⤵
  PID:10988
- C:\Windows\System\gDarCYD.exe
  C:\Windows\System\gDarCYD.exe
  2⤵
  PID:11012
- C:\Windows\System\yaMrNqZ.exe
  C:\Windows\System\yaMrNqZ.exe
  2⤵
  PID:11036
- C:\Windows\System\IBlAgEK.exe
  C:\Windows\System\IBlAgEK.exe
  2⤵
  PID:11068
- C:\Windows\System\pLOCipw.exe
  C:\Windows\System\pLOCipw.exe
  2⤵
  PID:11104
- C:\Windows\System\EhxSPwB.exe
  C:\Windows\System\EhxSPwB.exe
  2⤵
  PID:11132
- C:\Windows\System\hAZXzkh.exe
  C:\Windows\System\hAZXzkh.exe
  2⤵
  PID:11160
- C:\Windows\System\nkicoGJ.exe
  C:\Windows\System\nkicoGJ.exe
  2⤵
  PID:11188
- C:\Windows\System\GzhNLYj.exe
  C:\Windows\System\GzhNLYj.exe
  2⤵
  PID:11216
- C:\Windows\System\QwhQKbo.exe
  C:\Windows\System\QwhQKbo.exe
  2⤵
  PID:11236
- C:\Windows\System\VkakRls.exe
  C:\Windows\System\VkakRls.exe
  2⤵
  PID:10260
- C:\Windows\System\OzWYsdN.exe
  C:\Windows\System\OzWYsdN.exe
  2⤵
  PID:10324
- C:\Windows\System\xcogrWF.exe
  C:\Windows\System\xcogrWF.exe
  2⤵
  PID:10360
- C:\Windows\System\QgnBvce.exe
  C:\Windows\System\QgnBvce.exe
  2⤵
  PID:10440
- C:\Windows\System\gPwrSum.exe
  C:\Windows\System\gPwrSum.exe
  2⤵
  PID:10516
- C:\Windows\System\XMYBVMw.exe
  C:\Windows\System\XMYBVMw.exe
  2⤵
  PID:10572
- C:\Windows\System\OiCislh.exe
  C:\Windows\System\OiCislh.exe
  2⤵
  PID:10632
- C:\Windows\System\HEjMpCr.exe
  C:\Windows\System\HEjMpCr.exe
  2⤵
  PID:10736
- C:\Windows\System\mAZlttE.exe
  C:\Windows\System\mAZlttE.exe
  2⤵
  PID:10804
- C:\Windows\System\yofmhWE.exe
  C:\Windows\System\yofmhWE.exe
  2⤵
  PID:10844
- C:\Windows\System\aWEgWbD.exe
  C:\Windows\System\aWEgWbD.exe
  2⤵
  PID:10932
- C:\Windows\System\BTtFBTJ.exe
  C:\Windows\System\BTtFBTJ.exe
  2⤵
  PID:11020
- C:\Windows\System\XoOLywJ.exe
  C:\Windows\System\XoOLywJ.exe
  2⤵
  PID:11060
- C:\Windows\System\giEHrlq.exe
  C:\Windows\System\giEHrlq.exe
  2⤵
  PID:11124
- C:\Windows\System\BRLMlpK.exe
  C:\Windows\System\BRLMlpK.exe
  2⤵
  PID:11200
- C:\Windows\System\PWNDaRg.exe
  C:\Windows\System\PWNDaRg.exe
  2⤵
  PID:11244
- C:\Windows\System\PyjhpQT.exe
  C:\Windows\System\PyjhpQT.exe
  2⤵
  PID:10356
- C:\Windows\System\PEbkHEi.exe
  C:\Windows\System\PEbkHEi.exe
  2⤵
  PID:10544
- C:\Windows\System\EZexobD.exe
  C:\Windows\System\EZexobD.exe
  2⤵
  PID:9960
- C:\Windows\System\SONlztA.exe
  C:\Windows\System\SONlztA.exe
  2⤵
  PID:10788
- C:\Windows\System\uNBofDY.exe
  C:\Windows\System\uNBofDY.exe
  2⤵
  PID:10884
- C:\Windows\System\hjaOjSL.exe
  C:\Windows\System\hjaOjSL.exe
  2⤵
  PID:11052
- C:\Windows\System\ENBDaYi.exe
  C:\Windows\System\ENBDaYi.exe
  2⤵
  PID:10316
- C:\Windows\System\jlotmSI.exe
  C:\Windows\System\jlotmSI.exe
  2⤵
  PID:10592
- C:\Windows\System\MKDFvMB.exe
  C:\Windows\System\MKDFvMB.exe
  2⤵
  PID:11120
- C:\Windows\System\SNUwKlF.exe
  C:\Windows\System\SNUwKlF.exe
  2⤵
  PID:10836
- C:\Windows\System\APdNHcS.exe
  C:\Windows\System\APdNHcS.exe
  2⤵
  PID:11176
- C:\Windows\System\kYpKpPN.exe
  C:\Windows\System\kYpKpPN.exe
  2⤵
  PID:11280
- C:\Windows\System\ZmkiSIT.exe
  C:\Windows\System\ZmkiSIT.exe
  2⤵
  PID:11320
- C:\Windows\System\eEvMEoq.exe
  C:\Windows\System\eEvMEoq.exe
  2⤵
  PID:11340
- C:\Windows\System\hKQJTKE.exe
  C:\Windows\System\hKQJTKE.exe
  2⤵
  PID:11376
- C:\Windows\System\eTBMNTD.exe
  C:\Windows\System\eTBMNTD.exe
  2⤵
  PID:11396
- C:\Windows\System\egDezTc.exe
  C:\Windows\System\egDezTc.exe
  2⤵
  PID:11428
- C:\Windows\System\SHsUJIw.exe
  C:\Windows\System\SHsUJIw.exe
  2⤵
  PID:11448
- C:\Windows\System\OiRwlyR.exe
  C:\Windows\System\OiRwlyR.exe
  2⤵
  PID:11480
- C:\Windows\System\IzlBmsB.exe
  C:\Windows\System\IzlBmsB.exe
  2⤵
  PID:11516
- C:\Windows\System\tBdaoIr.exe
  C:\Windows\System\tBdaoIr.exe
  2⤵
  PID:11532
- C:\Windows\System\TUwPhlV.exe
  C:\Windows\System\TUwPhlV.exe
  2⤵
  PID:11572
- C:\Windows\System\KJTnTwn.exe
  C:\Windows\System\KJTnTwn.exe
  2⤵
  PID:11600
- C:\Windows\System\WEtkYTL.exe
  C:\Windows\System\WEtkYTL.exe
  2⤵
  PID:11620
- C:\Windows\System\rTIDJvx.exe
  C:\Windows\System\rTIDJvx.exe
  2⤵
  PID:11644
- C:\Windows\System\CUMBiVt.exe
  C:\Windows\System\CUMBiVt.exe
  2⤵
  PID:11672
- C:\Windows\System\IdBKAvq.exe
  C:\Windows\System\IdBKAvq.exe
  2⤵
  PID:11712
- C:\Windows\System\jSkjwMl.exe
  C:\Windows\System\jSkjwMl.exe
  2⤵
  PID:11732
- C:\Windows\System\HBeKGul.exe
  C:\Windows\System\HBeKGul.exe
  2⤵
  PID:11768
- C:\Windows\System\FHSBvBV.exe
  C:\Windows\System\FHSBvBV.exe
  2⤵
  PID:11796
- C:\Windows\System\VJIhJSC.exe
  C:\Windows\System\VJIhJSC.exe
  2⤵
  PID:11824
- C:\Windows\System\KVBLZfL.exe
  C:\Windows\System\KVBLZfL.exe
  2⤵
  PID:11852
- C:\Windows\System\jfJwRMY.exe
  C:\Windows\System\jfJwRMY.exe
  2⤵
  PID:11880
- C:\Windows\System\PziAjeg.exe
  C:\Windows\System\PziAjeg.exe
  2⤵
  PID:11896
- C:\Windows\System\QgYOrpg.exe
  C:\Windows\System\QgYOrpg.exe
  2⤵
  PID:11924
- C:\Windows\System\jVMwKyK.exe
  C:\Windows\System\jVMwKyK.exe
  2⤵
  PID:11956
- C:\Windows\System\UimfYvd.exe
  C:\Windows\System\UimfYvd.exe
  2⤵
  PID:11992
- C:\Windows\System\NPcBNZT.exe
  C:\Windows\System\NPcBNZT.exe
  2⤵
  PID:12024
- C:\Windows\System\LyqjuNN.exe
  C:\Windows\System\LyqjuNN.exe
  2⤵
  PID:12044
- C:\Windows\System\IguUqSB.exe
  C:\Windows\System\IguUqSB.exe
  2⤵
  PID:12068
- C:\Windows\System\OeStRGK.exe
  C:\Windows\System\OeStRGK.exe
  2⤵
  PID:12108
- C:\Windows\System\qlycmdI.exe
  C:\Windows\System\qlycmdI.exe
  2⤵
  PID:12136
- C:\Windows\System\AtaBtbq.exe
  C:\Windows\System\AtaBtbq.exe
  2⤵
  PID:12164
- C:\Windows\System\yFkoGeJ.exe
  C:\Windows\System\yFkoGeJ.exe
  2⤵
  PID:12192
- C:\Windows\System\YYChPQW.exe
  C:\Windows\System\YYChPQW.exe
  2⤵
  PID:12220
- C:\Windows\System\lMUKcGC.exe
  C:\Windows\System\lMUKcGC.exe
  2⤵
  PID:12248
- C:\Windows\System\SjfwjoT.exe
  C:\Windows\System\SjfwjoT.exe
  2⤵
  PID:12264
- C:\Windows\System\tbiRFsr.exe
  C:\Windows\System\tbiRFsr.exe
  2⤵
  PID:11304
- C:\Windows\System\gbeFeqz.exe
  C:\Windows\System\gbeFeqz.exe
  2⤵
  PID:11360
- C:\Windows\System\ePLkucq.exe
  C:\Windows\System\ePLkucq.exe
  2⤵
  PID:11420
- C:\Windows\System\TJXBPJP.exe
  C:\Windows\System\TJXBPJP.exe
  2⤵
  PID:11488
- C:\Windows\System\PADUiEa.exe
  C:\Windows\System\PADUiEa.exe
  2⤵
  PID:11544
- C:\Windows\System\FjnuCOa.exe
  C:\Windows\System\FjnuCOa.exe
  2⤵
  PID:11592
- C:\Windows\System\uwQBcUb.exe
  C:\Windows\System\uwQBcUb.exe
  2⤵
  PID:11684
- C:\Windows\System\HmoGcHy.exe
  C:\Windows\System\HmoGcHy.exe
  2⤵
  PID:11740
- C:\Windows\System\OOUepkO.exe
  C:\Windows\System\OOUepkO.exe
  2⤵
  PID:11808
- C:\Windows\System\azgaObY.exe
  C:\Windows\System\azgaObY.exe
  2⤵
  PID:11864
- C:\Windows\System\hIZyUxj.exe
  C:\Windows\System\hIZyUxj.exe
  2⤵
  PID:11936
- C:\Windows\System\JVhhVRe.exe
  C:\Windows\System\JVhhVRe.exe
  2⤵
  PID:12008
- C:\Windows\System\uVpOUuy.exe
  C:\Windows\System\uVpOUuy.exe
  2⤵
  PID:12064
- C:\Windows\System\fZwmygH.exe
  C:\Windows\System\fZwmygH.exe
  2⤵
  PID:12080
- C:\Windows\System\QuiKNHn.exe
  C:\Windows\System\QuiKNHn.exe
  2⤵
  PID:12204
- C:\Windows\System\niztXma.exe
  C:\Windows\System\niztXma.exe
  2⤵
  PID:12244
- C:\Windows\System\MvcCSDN.exe
  C:\Windows\System\MvcCSDN.exe
  2⤵
  PID:11332
- C:\Windows\System\aBBgood.exe
  C:\Windows\System\aBBgood.exe
  2⤵
  PID:11472
- C:\Windows\System\OXBHNEt.exe
  C:\Windows\System\OXBHNEt.exe
  2⤵
  PID:4620
- C:\Windows\System\RONSQoR.exe
  C:\Windows\System\RONSQoR.exe
  2⤵
  PID:11636
- C:\Windows\System\NdNjqDy.exe
  C:\Windows\System\NdNjqDy.exe
  2⤵
  PID:11792
- C:\Windows\System\gaiSLFO.exe
  C:\Windows\System\gaiSLFO.exe
  2⤵
  PID:11908
- C:\Windows\System\pJhikbJ.exe
  C:\Windows\System\pJhikbJ.exe
  2⤵
  PID:12088
- C:\Windows\System\qGkvTAO.exe
  C:\Windows\System\qGkvTAO.exe
  2⤵
  PID:12180
- C:\Windows\System\kmvvYFa.exe
  C:\Windows\System\kmvvYFa.exe
  2⤵
  PID:11460
- C:\Windows\System\WTBIayo.exe
  C:\Windows\System\WTBIayo.exe
  2⤵
  PID:11560
- C:\Windows\System\zyTFkVt.exe
  C:\Windows\System\zyTFkVt.exe
  2⤵
  PID:12036
- C:\Windows\System\tFJBoTJ.exe
  C:\Windows\System\tFJBoTJ.exe
  2⤵
  PID:12160
- C:\Windows\System\ejrsKdt.exe
  C:\Windows\System\ejrsKdt.exe
  2⤵
  PID:12132
- C:\Windows\System\imgAMdl.exe
  C:\Windows\System\imgAMdl.exe
  2⤵
  PID:11760
- C:\Windows\System\vqPNfzy.exe
  C:\Windows\System\vqPNfzy.exe
  2⤵
  PID:12304
- C:\Windows\System\fzKumsX.exe
  C:\Windows\System\fzKumsX.exe
  2⤵
  PID:12332
- C:\Windows\System\qFAnMYl.exe
  C:\Windows\System\qFAnMYl.exe
  2⤵
  PID:12348
- C:\Windows\System\huRsFDr.exe
  C:\Windows\System\huRsFDr.exe
  2⤵
  PID:12380
- C:\Windows\System\DTMMcPa.exe
  C:\Windows\System\DTMMcPa.exe
  2⤵
  PID:12404
- C:\Windows\System\TljDRbS.exe
  C:\Windows\System\TljDRbS.exe
  2⤵
  PID:12424
- C:\Windows\System\VUdNtJL.exe
  C:\Windows\System\VUdNtJL.exe
  2⤵
  PID:12464
- C:\Windows\System\NyWQQEC.exe
  C:\Windows\System\NyWQQEC.exe
  2⤵
  PID:12508
- C:\Windows\System\TcMwytR.exe
  C:\Windows\System\TcMwytR.exe
  2⤵
  PID:12540
- C:\Windows\System\TkwmzaY.exe
  C:\Windows\System\TkwmzaY.exe
  2⤵
  PID:12568
- C:\Windows\System\raFbGZH.exe
  C:\Windows\System\raFbGZH.exe
  2⤵
  PID:12596
- C:\Windows\System\qDoegvS.exe
  C:\Windows\System\qDoegvS.exe
  2⤵
  PID:12612
- C:\Windows\System\nlvqhDu.exe
  C:\Windows\System\nlvqhDu.exe
  2⤵
  PID:12644
- C:\Windows\System\VoiwByD.exe
  C:\Windows\System\VoiwByD.exe
  2⤵
  PID:12680
- C:\Windows\System\gszchLa.exe
  C:\Windows\System\gszchLa.exe
  2⤵
  PID:12708
- C:\Windows\System\TPTtcfw.exe
  C:\Windows\System\TPTtcfw.exe
  2⤵
  PID:12736
- C:\Windows\System\MZVyiOF.exe
  C:\Windows\System\MZVyiOF.exe
  2⤵
  PID:12764
- C:\Windows\System\OcNTfFh.exe
  C:\Windows\System\OcNTfFh.exe
  2⤵
  PID:12792
- C:\Windows\System\nYhFtUf.exe
  C:\Windows\System\nYhFtUf.exe
  2⤵
  PID:12820
- C:\Windows\System\MeFdtoa.exe
  C:\Windows\System\MeFdtoa.exe
  2⤵
  PID:12848
- C:\Windows\System\LpbDyim.exe
  C:\Windows\System\LpbDyim.exe
  2⤵
  PID:12868
- C:\Windows\System\MyVVfVZ.exe
  C:\Windows\System\MyVVfVZ.exe
  2⤵
  PID:12892
- C:\Windows\System\gCBslGi.exe
  C:\Windows\System\gCBslGi.exe
  2⤵
  PID:12932
- C:\Windows\System\pGAzlri.exe
  C:\Windows\System\pGAzlri.exe
  2⤵
  PID:12960
- C:\Windows\System\vFXJgXi.exe
  C:\Windows\System\vFXJgXi.exe
  2⤵
  PID:12988
- C:\Windows\System\mxgDAOw.exe
  C:\Windows\System\mxgDAOw.exe
  2⤵
  PID:13016
- C:\Windows\System\WBJWmiM.exe
  C:\Windows\System\WBJWmiM.exe
  2⤵
  PID:13052
- C:\Windows\System\KkBabXv.exe
  C:\Windows\System\KkBabXv.exe
  2⤵
  PID:13080
- C:\Windows\System\eoxffvV.exe
  C:\Windows\System\eoxffvV.exe
  2⤵
  PID:13108
- C:\Windows\System\mXeOZIy.exe
  C:\Windows\System\mXeOZIy.exe
  2⤵
  PID:13136
- C:\Windows\System\ojdBAhJ.exe
  C:\Windows\System\ojdBAhJ.exe
  2⤵
  PID:13164
- C:\Windows\System\LBGQEGt.exe
  C:\Windows\System\LBGQEGt.exe
  2⤵
  PID:13192
- C:\Windows\System\NleuvzM.exe
  C:\Windows\System\NleuvzM.exe
  2⤵
  PID:13220
- C:\Windows\System\bCSbRJj.exe
  C:\Windows\System\bCSbRJj.exe
  2⤵
  PID:13236
- C:\Windows\System\QXTPYPg.exe
  C:\Windows\System\QXTPYPg.exe
  2⤵
  PID:13272
- C:\Windows\System\fVHqFDK.exe
  C:\Windows\System\fVHqFDK.exe
  2⤵
  PID:13304
- C:\Windows\System\TKajXPf.exe
  C:\Windows\System\TKajXPf.exe
  2⤵
  PID:12300
- C:\Windows\System\wiLmsBe.exe
  C:\Windows\System\wiLmsBe.exe
  2⤵
  PID:12400
- C:\Windows\System\jyUpPHy.exe
  C:\Windows\System\jyUpPHy.exe
  2⤵
  PID:12480

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e3yeqh2o.qfx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\DyxbCrN.exe

Filesize
2.6MB

MD5
b04ccada7b8bb4680234c3fe9d5abd4a

SHA1
bb91d3fec523c412400149e19a6ba7d0e48c71ce

SHA256
443e7701307b38a7ac8dea14b411488bf75bf62996d14b7b091e42532897d181

SHA512
a048d392485e6a1d5260b7e1b236671e8c105ca3f1bbf515db3a04d01e837d40c9af5fb775c78d501f3611f51ddc37e3f28ec48479172b3554aaea395b258269

Download Submit
C:\Windows\System\DzLvDJG.exe

Filesize
2.6MB

MD5
6931159c27dcd1b2473be453240725a3

SHA1
c436b61023962c2b3fa82280e458b9ee6893ab81

SHA256
1e8bc17106d5450f03ac26085a6d0c3235ff786de863a0ecb3a4dea947c1c7c6

SHA512
3b0d7c1309ba1a8142d8009339dbb367a2042775dfe90bfb00a2da3d590fcc28d1a249bbafa523eb32d1614f82528a156bfd56e121d69ddf7cd9b2beaf7c6766

Download Submit
C:\Windows\System\EIqJqsa.exe

Filesize
2.6MB

MD5
e209e87875ad74249ca37e445c630e0c

SHA1
d335e372045bf5827fdfc3b18c216f6920e00e8e

SHA256
0b17d6dc23fd6c24e72ccd438722d22dea525b6c7784fe9c31b35f5f3f69e010

SHA512
7b34bceebc3e49bb5f58ed99a82319c1aa551f5defd5e8bf2319c35209015833b3a26ce0d50d40900bec72489a68c3c93ad1e5306f66ae45d8a3f3b33fcd2e22

Download Submit
C:\Windows\System\FtIyfYF.exe

Filesize
2.6MB

MD5
a3ddd1a194e318e9020c4a540d2d1737

SHA1
0ecacc8f47700640296df000f0019dcea46e9fab

SHA256
8685d269682780cb6bbc3b0289150aa28a76096c812f4c50fee686fc69e59bf4

SHA512
db4ca507e4ea4c7529ff100fd9fbf63241cbb59b8036adba8214714da576ebe58dc465641951375ca40c27222b4c1f3f87d30bed1d1ac408b2451abe2ff1dbd2

Download Submit
C:\Windows\System\FtpofRw.exe

Filesize
2.6MB

MD5
dbab5a7d79559da53776756f7825f44c

SHA1
dc4644a3112bbe42b0a700d3d65266359fbff857

SHA256
a2de70b9b48fe5a18089a5b5059ab78c8f5f99015ea6b3eac1b724a029e2def8

SHA512
69814425f34dccd264b2a75d410aac71e6ef84660a8f529fb39c181747b7dc53bdba0b5574d1e16da6a2943aff7fbe1fdef689d1f367b191f757d07ca29d0053

Download Submit
C:\Windows\System\FxuvWwP.exe

Filesize
2.6MB

MD5
74bb38c3b07b53d6d55c918b5462852a

SHA1
16b848362c1987afbb969f1b1cf65e118dfd97d2

SHA256
928b15df551c8ff98314a62f859f1ca90d478bf34c9bb2dea69f879b7b7bf025

SHA512
5ec8ac56a16b4146e11b808bed1951af164773f8a65a51fffa1afdeeeeaaf2ca281a4812c59207e081872d7646934c475a931f995087c1b2b9eeaac427e2a716

Download Submit
C:\Windows\System\OHeMOjl.exe

Filesize
2.6MB

MD5
0727f8761724ce0d13f66175ee4f92bd

SHA1
3a5e8398def0c16060de839f021022041b014788

SHA256
047f597f0b2833863e40e5363602d9f5dfada1f2d4592e225da53cd4f04ebc41

SHA512
71236dfbd113ddc33ac57c0fc43047062fa5220302aa0bf8f3f147857b329bfa4af5f59b8042cde4bce0f2c6f5bb2012514409dca4c178d763b946e32682dd87

Download Submit
C:\Windows\System\PbOtelH.exe

Filesize
2.6MB

MD5
8c5dddc712d2045820018e2b9d43f43b

SHA1
18ca48af96c0678889ead2a7bb2933b973e99dd0

SHA256
92500dd5958d46d9a184eae62dce8b25e4824b33d659fe2571417b5a827cb93e

SHA512
a2f62f7639394fb6b19cb262dfc2a850999491190ece9b2ea21b41aca31c935d032cc703e2cd296648fc9bef872bfbddf2881f7d02397b533c2e956b069f7a4a

Download Submit
C:\Windows\System\RzAVlas.exe

Filesize
2.6MB

MD5
8cfb6d680df173214c00a68a6626cb22

SHA1
ab98adf2bbafe8a6039ff62a8412a7fcdce57bff

SHA256
7b340c990f04b40cf679b96c0ac926fcafe528402390949658b2e9c7612fb4b5

SHA512
53da1172b91932bacbc5185372e1275bb9175db9bf54f42a6972509f49e0c8fdf5983fbfa310626af6909dfa18c9564e09804d63555df0991f3d092a382b15cf

Download Submit
C:\Windows\System\UwNhjYH.exe

Filesize
2.6MB

MD5
33c26c864b2e1585b3ee4f62f57f6b25

SHA1
ea9b6888ecbd72dabc2d463fb0fe21c27ca2a954

SHA256
1b4f8c65300206ef89ec490497a67ce59e9eca7a39505aacc793b3bdc1afce37

SHA512
d43e876c9ce9b6454951630f11fa36a7cdca237fce64a1b01c8384b3a95f161f2612b5a5d6efddffa9a070ee132ab0c34dcfcb94288dfd2869a2f919fe890dab

Download Submit
C:\Windows\System\VSuuztE.exe

Filesize
2.6MB

MD5
d47167837e3c16419624190c8e502d64

SHA1
ba1df88906f7afcf1595939f1d95a855a6a52b05

SHA256
bfec6c95fa332f8053517f0ed62a85191312236bbb112f645b521fb8bbf4d4b6

SHA512
c4e162bc333e71657cc90fea9c76267936b8f9e4de1a9a665333b893b6e5ee320b01eb58709dd916430a591a318f57b8712523dbf3291a8db0baa80f3829b49c

Download Submit
C:\Windows\System\VkCKSeg.exe

Filesize
2.6MB

MD5
2bc3905fede8f526b389deeb21f31cea

SHA1
1f512de534810252a976d68e33e97ee1edd8a15a

SHA256
6f715451e9261aa7d57b94fabb1d85cb010efa004a0b85fde451dd13e030aea4

SHA512
cbc0f54c910c6bd0c3587ba9a1be1de022eede141adca13b7aa906dc9a31182c08cdfc100f5da965acbece56550ee17c13e305ac0267a2587a6e6550c2ebd1c2

Download Submit
C:\Windows\System\WIJdMrG.exe

Filesize
2.6MB

MD5
327292396a3e59ab60f399f6f9cf75dd

SHA1
e66fc20f9ee6de22b093a1bb3e7da1fe2938b0b6

SHA256
9a78afd0a375eafa9956f618c6dacad2443f2ac07a9c7f12c2107184aa5fc0c5

SHA512
ed103af531955e21e22acfef599748e11d14513acdaeb8f75f1ff3cd5956ac5c739863e4d1d83e8e5ca3911e6609120088bad2e40b5fd35e8bf4dbdcf8692d22

Download Submit
C:\Windows\System\cLTJRqZ.exe

Filesize
2.6MB

MD5
fb91259c5bc2f2a352a5130d5b10a52e

SHA1
dd40cc9fd9b0c851e438ec558c79c261452b7658

SHA256
bb07a0cd47f70249dfeb5d836fb122370e13c9ac093950c35c5828592131d785

SHA512
9380b8a5e7c5b70e5a846421b8d9c6ade055b3af2cacff20b79a2f200488fcfd0aac61b076bd21752e797788b33619efb8ab31d7bf0eccabded6b6504af18170

Download Submit
C:\Windows\System\cNeaHxI.exe

Filesize
2.6MB

MD5
aacc4850b402759ff37a7c3478eab87c

SHA1
490fa819718ee550b209ef78dff3d2598961e489

SHA256
499856cdf763164c2c14d743bfd61268570e544c8919bdce1d3a17ae4ee2f0c9

SHA512
e0c4df56c063e7a30629cba44141a1fa01d4edcca87ed50946fb01ab8692c5f13ea7b45c6c52bcbe17500f5107efd451cd0a6dc586f37892cba8ee607a50cc98

Download Submit
C:\Windows\System\cpjmhld.exe

Filesize
2.6MB

MD5
574b190da7fc08b688a183346d10e464

SHA1
09635f92342a18dc1389daef24a8d604aff4ae23

SHA256
ce57c0fb4b8dbc39a7bbac185c593e39d33985b364fb21ede8b061e6d0b51182

SHA512
f17ee4f97e1172d9f346684ab2bc71a194d8500af961d4ef9012fcf3c2e407d222665d51689eea79325ef15ed176b90fc2e66be19a8ff545b0b28489a5b0127c

Download Submit
C:\Windows\System\czkTKCh.exe

Filesize
2.6MB

MD5
7e0652be2869116dec8eae41fdbdeade

SHA1
43e5efb52c260bd6a8077fa4495b567cc413f2e9

SHA256
2f7adf83f7fe910eae187fe7e2c546a59d0fca124352ded037156b39cb29db49

SHA512
c2ab3d3dab7c3deac8038889e5477e56b30160fc3aabcaa8adb02ab00758141a97311f064c7ce043a947025d595b356501b4c95306c39664dbf0dd48b1204848

Download Submit
C:\Windows\System\dxSfWDh.exe

Filesize
8B

MD5
b4264996759d988d82730e6958cf8074

SHA1
7bbc1f74a3ce00994d790da4622d87f15f45b523

SHA256
8ec7039187958fcd27e56e585c4d65242972777fffc8821de830bc1ff1727bca

SHA512
90e2f3e49d27ab4d11cbf031af514cf6fc3a8851362bc0086d9e25b2d97c3341159ec901fb19a665474ceb995371e4f69eda62c3d14f844ace445c61339d139c

Download Submit
C:\Windows\System\eCWwUht.exe

Filesize
2.6MB

MD5
5ffc5e678358e6759ed3242d527ffb7b

SHA1
097acb3b6ad691e9e126fd9d97ab15682e8aea1f

SHA256
d8b3438a4e662e0a71723905775913c2d46a64de91d57e8c1248b19e79b4739a

SHA512
3b68b351fcc21ab409e8050054fc859646b932948a1802b7e5b4cbb91604141767c9c82a8bd5b94f3e6481604292df3cba3eb3b16e664a244cd2b8b8ad87fee2

Download Submit
C:\Windows\System\fdPCIEj.exe

Filesize
2.6MB

MD5
9c4671479b37fe8056ff40a2a3417eee

SHA1
247c855cb830b9a137423fba572537ea6fc1d161

SHA256
ffe7261d9218543761d4f65e1bd2c02a0c0ff812f51dbe321b8b09580b39ef24

SHA512
e4144a099dd3c4419fb0079bff587bd1885cd095ceb81ff2883c4304a7b691227b7b28338581e2f2f1168ad284ec638c4aa9bdc1371d6ab281d4bca235458abb

Download Submit
C:\Windows\System\gkbVerJ.exe

Filesize
2.6MB

MD5
ebaac8b2b6dab6b329ca35f86dd89c18

SHA1
000d8317e3d166b3737306270c73f478e4ebecef

SHA256
28e9a3a883815653726d56857e251057b5cdc3343af16a6c5460e80e99db77b2

SHA512
93c073083d8965fa97ce3506a7a682ca5fa6eb450f6ecfc01ec719d122a786fe7186b735c4f906cdf4c6b42f83b7fbc0594d47c86f13b652ab15163cbeb36f8f

Download Submit
C:\Windows\System\hulHfJc.exe

Filesize
2.6MB

MD5
ac6dd4abe69fff1f03703344bc6dd73b

SHA1
328892734bf585fb5b85ab66a59d84c43f4fbf58

SHA256
2ae9230fb3c012442ddbefba324a7132deb681190f5d4d106fee352dcd8595ed

SHA512
9851fe8ac9a1e51aa5910cf10330865265f52a78d0746fd22b521f249d7764dd2b9580863c34a5c914eba09e690bf27ced0e6c18a771b3589be975872ffcbefb

Download Submit
C:\Windows\System\iBfBSuj.exe

Filesize
2.6MB

MD5
23bbee957a16792a172d4a86649be645

SHA1
bc55fe6027e25cac29b46ba9c1f56dd559a27643

SHA256
ccea2b075e366483903aefbbe7953241bea0070d3bc0eb13bd45e2c0c984fe82

SHA512
0a88da9e98d2daabdd41b40c1b260e5645c2efc696fa6aad1a8c6884c67c1cd807ab783c7df48095cdd092828e02d4580448618752f288ec8d35415014e010f5

Download Submit
C:\Windows\System\jIvOeUG.exe

Filesize
2.6MB

MD5
3c5dd0c670c6a58d9762a58533ea47c3

SHA1
3682bd593cb8400ec6c092137a033a238528e6e5

SHA256
186781053bd81fa706d915906b1649e36fa82c2011a1da19f9d3c93c62818fee

SHA512
e6c63e5de54e55cfaaafbf09d8036dcc77e4e0c2f6278b47df9e9cab683abe5aa96b9b6ac0e94373751e07fba7fa4fe1661ff730b4345003c4d9185f4810d82f

Download Submit
C:\Windows\System\jSKSdUl.exe

Filesize
2.6MB

MD5
01f8b3e2f4f65d21aac9cbef98b3a147

SHA1
829e807b0cd61456ebce7c5fc8e0138cdc4a19a7

SHA256
58edca0e9dabf344de3841fdb627b9677b113141201336768426ef53559ff1fe

SHA512
72004ebda9d6c853882e23820d25f58b8871c9badd9d731600cecf72919e9708e4e1f556792f54bb216c222a740501d3650b3e642651f879a56028ef69d7011c

Download Submit
C:\Windows\System\kjnFZdM.exe

Filesize
2.6MB

MD5
870724a1f8cf6300822b62493fd9efd5

SHA1
a366086acc975eadc8bd915031618c44ccbdad8e

SHA256
bafa33a382f0e8642592696976c34b1ceb1f609445d85369e47b49eeaa5ef325

SHA512
f98365374fe4c58a4bba9823db1f0e5ff70533bbec3c1ccc26f07ac45f7e962aaba5db22e886660e9d7d5a10caa602629801eb8d7921b3119465cb90f0dd6ef4

Download Submit
C:\Windows\System\oLMIAWV.exe

Filesize
2.6MB

MD5
21aa0464b391a5caa4918af9a9eea123

SHA1
0365e2867e6be61421d89bd0c6496fec9387c271

SHA256
493a78e5f5dd34b30636abf5c5974728167e53eeea4a3af1e39740a3569df710

SHA512
b2d254191c4c86bbdbacc788410f51f7b0fc0b08a74bfa6015f953eb565f1f9ec7fe18752eb75fa22b6d704a7b8d76fbbb44c434f63939b4b2800102f6504a11

Download Submit
C:\Windows\System\pOGNlGe.exe

Filesize
2.6MB

MD5
f68b35659e301ca0438f5779120b4036

SHA1
47053dcdf06caefe0c94fa990efb97ac65336bd3

SHA256
4053a28d4a6433d0e052f750b9e32c247fdb00ca15288e47edcc516f932b123a

SHA512
022dc1ed618dfadf92072defb4e8f622f90be11d844830e1cc04783b07a9aac9d114074e7bc487990dc90ce4c63455538a83ede12ac0b848c4c0f4e201fed1d8

Download Submit
C:\Windows\System\tHIewgN.exe

Filesize
2.6MB

MD5
f74a94785d7f26ddd5594344d3932e59

SHA1
301b7d929219d1fb1fbf5649dcab339e044e14ff

SHA256
06ac57e92bfb57a21d0587069b45e781737dc1bfb95f2352b326c334a78ae8f1

SHA512
10260b13d911848f71444d2ec8f3ce41206f0986343f9a092a408b1b2fce23be71032cee8013f2f5bd90c5e81698ce26024decb9989a28f764ccdfcfdebe5318

Download Submit
C:\Windows\System\tsjXMxY.exe

Filesize
2.6MB

MD5
bcc74943184bf4f47beb24d68cdf806c

SHA1
ac50ec969f8a29f4390973afbdc18ef98a00559f

SHA256
35cc5e025ec10745daa2314fdca69b3e9ace2625310623c3c842aeb274c9269d

SHA512
3e96af7cabca73eb8c3eaf22e5f9db5e7ac78831083b45dd7f96eb7517f57a133220e1cf0f2dd3114ccf713cdf4533c527095f98013e3575e9b051409c715e43

Download Submit
C:\Windows\System\uCmJbsh.exe

Filesize
2.6MB

MD5
bc7c3086e5e85b0c089ca4e3226cb61c

SHA1
83cef3661ec77d422b0aabce4d091965b4dbb07c

SHA256
5032f4f3a6ac77d46d5e8aaecabcf3bb5996795247eb4f40855d7e731c12d7e2

SHA512
4d65d63592f69e907daed969f132e394483878bb0d2d880df8566518dd3303445fc5af2d0e69678f001af66ff341faba3fb61c230f9a27ca0445f6787a373bf7

Download Submit
C:\Windows\System\udCAnmY.exe

Filesize
2.6MB

MD5
a0e6d8c984d318338cb390802d4d52e7

SHA1
9130e08c423b2af8566fa3a0afd65283c1afda46

SHA256
47fc3a0de4747b9bfb260d81446fbb1d59f93455e224024fdd7392f8c6383fc3

SHA512
a58ec930736220936df8b9f7399a378cdd59cf272413dd6ed2282bfc714430479f9ebf6a08c4248e85b765c19036f4c4bb0d4b9c9eb6a08ac3226270cd4f3270

Download Submit
C:\Windows\System\wpxqeMH.exe

Filesize
2.6MB

MD5
57d85187451d8b38cc996abd0b282e6a

SHA1
5181320d95bd78016572ac4593fb36a1b897840e

SHA256
3a072cac0a793f6c0d47342d34db71763f134be2c252b736db9a46511fad4f39

SHA512
77478838353053fbb707a59646bb012aa29a65a4bc4b69aa35b9973466f38d6e523d0e0ce5b4a088dff794b85e8593bdce1a799bcf4006bb6241f6d2f9e80e30

Download Submit
memory/636-2278-0x00007FF7551E0000-0x00007FF7555D6000-memory.dmp

Filesize
4.0MB

Download
memory/636-145-0x00007FF7551E0000-0x00007FF7555D6000-memory.dmp

Filesize
4.0MB

Download
memory/1056-2270-0x00007FF678E30000-0x00007FF679226000-memory.dmp

Filesize
4.0MB

Download
memory/1056-22-0x00007FF678E30000-0x00007FF679226000-memory.dmp

Filesize
4.0MB

Download
memory/1056-2276-0x00007FF678E30000-0x00007FF679226000-memory.dmp

Filesize
4.0MB

Download
memory/1312-1-0x0000024590AD0000-0x0000024590AE0000-memory.dmp

Filesize
64KB

Download
memory/1312-0-0x00007FF704380000-0x00007FF704776000-memory.dmp

Filesize
4.0MB

Download
memory/1324-2291-0x00007FF67D1E0000-0x00007FF67D5D6000-memory.dmp

Filesize
4.0MB

Download
memory/1324-143-0x00007FF67D1E0000-0x00007FF67D5D6000-memory.dmp

Filesize
4.0MB

Download
memory/1548-122-0x00007FF7CC1D0000-0x00007FF7CC5C6000-memory.dmp

Filesize
4.0MB

Download
memory/1548-2282-0x00007FF7CC1D0000-0x00007FF7CC5C6000-memory.dmp

Filesize
4.0MB

Download
memory/1568-11-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp

Filesize
4.0MB

Download
memory/1568-2268-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp

Filesize
4.0MB

Download
memory/1568-2274-0x00007FF63F950000-0x00007FF63FD46000-memory.dmp

Filesize
4.0MB

Download
memory/1704-144-0x00007FF663450000-0x00007FF663846000-memory.dmp

Filesize
4.0MB

Download
memory/1704-2295-0x00007FF663450000-0x00007FF663846000-memory.dmp

Filesize
4.0MB

Download
memory/1932-2280-0x00007FF7C6910000-0x00007FF7C6D06000-memory.dmp

Filesize
4.0MB

Download
memory/1932-113-0x00007FF7C6910000-0x00007FF7C6D06000-memory.dmp

Filesize
4.0MB

Download
memory/2088-2279-0x00007FF6FFC40000-0x00007FF700036000-memory.dmp

Filesize
4.0MB

Download
memory/2088-114-0x00007FF6FFC40000-0x00007FF700036000-memory.dmp

Filesize
4.0MB

Download
memory/2120-2287-0x00007FF7AF2E0000-0x00007FF7AF6D6000-memory.dmp

Filesize
4.0MB

Download
memory/2120-140-0x00007FF7AF2E0000-0x00007FF7AF6D6000-memory.dmp

Filesize
4.0MB

Download
memory/2232-2297-0x00007FF6B02F0000-0x00007FF6B06E6000-memory.dmp

Filesize
4.0MB

Download
memory/2232-179-0x00007FF6B02F0000-0x00007FF6B06E6000-memory.dmp

Filesize
4.0MB

Download
memory/2984-134-0x00007FF7A7000000-0x00007FF7A73F6000-memory.dmp

Filesize
4.0MB

Download
memory/2984-2285-0x00007FF7A7000000-0x00007FF7A73F6000-memory.dmp

Filesize
4.0MB

Download
memory/3000-60-0x00007FF775840000-0x00007FF775C36000-memory.dmp

Filesize
4.0MB

Download
memory/3000-2277-0x00007FF775840000-0x00007FF775C36000-memory.dmp

Filesize
4.0MB

Download
memory/3212-136-0x00007FF611DD0000-0x00007FF6121C6000-memory.dmp

Filesize
4.0MB

Download
memory/3212-2283-0x00007FF611DD0000-0x00007FF6121C6000-memory.dmp

Filesize
4.0MB

Download
memory/3292-123-0x00007FF664CD0000-0x00007FF6650C6000-memory.dmp

Filesize
4.0MB

Download
memory/3292-2281-0x00007FF664CD0000-0x00007FF6650C6000-memory.dmp

Filesize
4.0MB

Download
memory/3444-38-0x00007FF7A6470000-0x00007FF7A6866000-memory.dmp

Filesize
4.0MB

Download
memory/3444-2275-0x00007FF7A6470000-0x00007FF7A6866000-memory.dmp

Filesize
4.0MB

Download
memory/3916-2292-0x00007FF738CA0000-0x00007FF739096000-memory.dmp

Filesize
4.0MB

Download
memory/3916-147-0x00007FF738CA0000-0x00007FF739096000-memory.dmp

Filesize
4.0MB

Download
memory/3932-2286-0x00007FF72B8D0000-0x00007FF72BCC6000-memory.dmp

Filesize
4.0MB

Download
memory/3932-146-0x00007FF72B8D0000-0x00007FF72BCC6000-memory.dmp

Filesize
4.0MB

Download
memory/4048-2284-0x00007FF7D8470000-0x00007FF7D8866000-memory.dmp

Filesize
4.0MB

Download
memory/4048-135-0x00007FF7D8470000-0x00007FF7D8866000-memory.dmp

Filesize
4.0MB

Download
memory/4176-138-0x00007FF6961A0000-0x00007FF696596000-memory.dmp

Filesize
4.0MB

Download
memory/4176-2288-0x00007FF6961A0000-0x00007FF696596000-memory.dmp

Filesize
4.0MB

Download
memory/4232-141-0x00007FF761400000-0x00007FF7617F6000-memory.dmp

Filesize
4.0MB

Download
memory/4232-2293-0x00007FF761400000-0x00007FF7617F6000-memory.dmp

Filesize
4.0MB

Download
memory/4604-2273-0x00007FF7E0360000-0x00007FF7E0756000-memory.dmp

Filesize
4.0MB

Download
memory/4604-2296-0x00007FF7E0360000-0x00007FF7E0756000-memory.dmp

Filesize
4.0MB

Download
memory/4604-155-0x00007FF7E0360000-0x00007FF7E0756000-memory.dmp

Filesize
4.0MB

Download
memory/4776-137-0x00007FF6813F0000-0x00007FF6817E6000-memory.dmp

Filesize
4.0MB

Download
memory/4776-2289-0x00007FF6813F0000-0x00007FF6817E6000-memory.dmp

Filesize
4.0MB

Download
memory/4872-121-0x00007FF86A0E0000-0x00007FF86ABA1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-2271-0x00007FF86A0E3000-0x00007FF86A0E5000-memory.dmp

Filesize
8KB

Download
memory/4872-2269-0x00007FF86A0E0000-0x00007FF86ABA1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-63-0x00007FF86A0E3000-0x00007FF86A0E5000-memory.dmp

Filesize
8KB

Download
memory/4872-148-0x000002B176A00000-0x000002B1771A6000-memory.dmp

Filesize
7.6MB

Download
memory/4872-2272-0x00007FF86A0E0000-0x00007FF86ABA1000-memory.dmp

Filesize
10.8MB

Download
memory/4872-133-0x000002B15D900000-0x000002B15D922000-memory.dmp

Filesize
136KB

Download
memory/4872-110-0x00007FF86A0E0000-0x00007FF86ABA1000-memory.dmp

Filesize
10.8MB

Download
memory/4916-139-0x00007FF764270000-0x00007FF764666000-memory.dmp

Filesize
4.0MB

Download
memory/4916-2290-0x00007FF764270000-0x00007FF764666000-memory.dmp

Filesize
4.0MB

Download
memory/5076-2294-0x00007FF70B1F0000-0x00007FF70B5E6000-memory.dmp

Filesize
4.0MB

Download
memory/5076-142-0x00007FF70B1F0000-0x00007FF70B5E6000-memory.dmp

Filesize
4.0MB

Download