xmrig | 2c6292844f3bc0f90f1fc8e43ca28211d97448e1b980e1374fc3b48561d45168

Analysis

max time kernel
125s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
Size

1.7MB
MD5

f4beb2936cb8f15e005c9b1290eba830
SHA1

2fec2c04a00d870910e5f556828ff84e98820a5b
SHA256

2c6292844f3bc0f90f1fc8e43ca28211d97448e1b980e1374fc3b48561d45168
SHA512

5572c3688e160afbb9b480e89228481b7aceb42084ce7081cd29f9564909aa1c1ae3cf60598b9ba3cd995d9d8a06d9f727832e4957311215846e520fe65d38cc
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkUCCWvLEvjhMgQhCwbvj72hsuWBzHB1vLNku/uo:Lz071uv4BPMkHC0INFWEWBxuo

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/3408-42-0x00007FF6AEF50000-0x00007FF6AF342000-memory.dmp	xmrig
behavioral2/memory/736-45-0x00007FF7AA070000-0x00007FF7AA462000-memory.dmp	xmrig
behavioral2/memory/1748-445-0x00007FF7194D0000-0x00007FF7198C2000-memory.dmp	xmrig
behavioral2/memory/3996-446-0x00007FF7F3730000-0x00007FF7F3B22000-memory.dmp	xmrig
behavioral2/memory/5020-447-0x00007FF7B0F40000-0x00007FF7B1332000-memory.dmp	xmrig
behavioral2/memory/516-448-0x00007FF73DBC0000-0x00007FF73DFB2000-memory.dmp	xmrig
behavioral2/memory/2768-49-0x00007FF7A7160000-0x00007FF7A7552000-memory.dmp	xmrig
behavioral2/memory/4680-43-0x00007FF70E9A0000-0x00007FF70ED92000-memory.dmp	xmrig
behavioral2/memory/968-19-0x00007FF774370000-0x00007FF774762000-memory.dmp	xmrig
behavioral2/memory/1652-449-0x00007FF6A5F70000-0x00007FF6A6362000-memory.dmp	xmrig
behavioral2/memory/4676-451-0x00007FF6EA020000-0x00007FF6EA412000-memory.dmp	xmrig
behavioral2/memory/4532-450-0x00007FF75DE40000-0x00007FF75E232000-memory.dmp	xmrig
behavioral2/memory/2960-453-0x00007FF693640000-0x00007FF693A32000-memory.dmp	xmrig
behavioral2/memory/4656-454-0x00007FF7073F0000-0x00007FF7077E2000-memory.dmp	xmrig
behavioral2/memory/1560-452-0x00007FF7FEA40000-0x00007FF7FEE32000-memory.dmp	xmrig
behavioral2/memory/4196-459-0x00007FF77C620000-0x00007FF77CA12000-memory.dmp	xmrig
behavioral2/memory/2216-471-0x00007FF79EBE0000-0x00007FF79EFD2000-memory.dmp	xmrig
behavioral2/memory/4640-464-0x00007FF679410000-0x00007FF679802000-memory.dmp	xmrig
behavioral2/memory/3076-494-0x00007FF6DA2D0000-0x00007FF6DA6C2000-memory.dmp	xmrig
behavioral2/memory/3532-480-0x00007FF7E06D0000-0x00007FF7E0AC2000-memory.dmp	xmrig
behavioral2/memory/1504-2624-0x00007FF706120000-0x00007FF706512000-memory.dmp	xmrig
behavioral2/memory/2792-2647-0x00007FF688F50000-0x00007FF689342000-memory.dmp	xmrig
behavioral2/memory/4644-2648-0x00007FF795170000-0x00007FF795562000-memory.dmp	xmrig
behavioral2/memory/3952-2650-0x00007FF73F140000-0x00007FF73F532000-memory.dmp	xmrig
behavioral2/memory/968-2674-0x00007FF774370000-0x00007FF774762000-memory.dmp	xmrig
behavioral2/memory/4680-2677-0x00007FF70E9A0000-0x00007FF70ED92000-memory.dmp	xmrig
behavioral2/memory/736-2678-0x00007FF7AA070000-0x00007FF7AA462000-memory.dmp	xmrig
behavioral2/memory/1504-2680-0x00007FF706120000-0x00007FF706512000-memory.dmp	xmrig
behavioral2/memory/3408-2682-0x00007FF6AEF50000-0x00007FF6AF342000-memory.dmp	xmrig
behavioral2/memory/2768-2688-0x00007FF7A7160000-0x00007FF7A7552000-memory.dmp	xmrig
behavioral2/memory/2792-2696-0x00007FF688F50000-0x00007FF689342000-memory.dmp	xmrig
behavioral2/memory/4644-2694-0x00007FF795170000-0x00007FF795562000-memory.dmp	xmrig
behavioral2/memory/1652-2700-0x00007FF6A5F70000-0x00007FF6A6362000-memory.dmp	xmrig
behavioral2/memory/4532-2702-0x00007FF75DE40000-0x00007FF75E232000-memory.dmp	xmrig
behavioral2/memory/516-2698-0x00007FF73DBC0000-0x00007FF73DFB2000-memory.dmp	xmrig
behavioral2/memory/1748-2693-0x00007FF7194D0000-0x00007FF7198C2000-memory.dmp	xmrig
behavioral2/memory/3996-2691-0x00007FF7F3730000-0x00007FF7F3B22000-memory.dmp	xmrig
behavioral2/memory/3952-2687-0x00007FF73F140000-0x00007FF73F532000-memory.dmp	xmrig
behavioral2/memory/5020-2685-0x00007FF7B0F40000-0x00007FF7B1332000-memory.dmp	xmrig
behavioral2/memory/4640-2711-0x00007FF679410000-0x00007FF679802000-memory.dmp	xmrig
behavioral2/memory/4656-2716-0x00007FF7073F0000-0x00007FF7077E2000-memory.dmp	xmrig
behavioral2/memory/3532-2733-0x00007FF7E06D0000-0x00007FF7E0AC2000-memory.dmp	xmrig
behavioral2/memory/3076-2732-0x00007FF6DA2D0000-0x00007FF6DA6C2000-memory.dmp	xmrig
behavioral2/memory/2960-2739-0x00007FF693640000-0x00007FF693A32000-memory.dmp	xmrig
behavioral2/memory/4676-2726-0x00007FF6EA020000-0x00007FF6EA412000-memory.dmp	xmrig
behavioral2/memory/4196-2715-0x00007FF77C620000-0x00007FF77CA12000-memory.dmp	xmrig
behavioral2/memory/2216-2712-0x00007FF79EBE0000-0x00007FF79EFD2000-memory.dmp	xmrig
behavioral2/memory/1560-2729-0x00007FF7FEA40000-0x00007FF7FEE32000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	3268	powershell.exe
9	3268	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3268	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
968	cdaJelJ.exe
1504	zfBPNSI.exe
2792	JvDoIpQ.exe
3408	tucBwhi.exe
4680	SpcYDOB.exe
736	HTPtlwv.exe
2768	ZyCTaTv.exe
4644	cquSmrK.exe
3952	ToghWmf.exe
1748	cZEsEqO.exe
3996	UWDOxaR.exe
5020	vhcHonO.exe
516	nUKyNCR.exe
1652	yNWDdHk.exe
4532	dRVMMOe.exe
4676	hDMdlYy.exe
1560	eThAuZb.exe
2960	RAdTJvL.exe
4656	JIbrqih.exe
4196	dponXAc.exe
4640	zqsNrNB.exe
2216	CvcYKKM.exe
3532	VJcdaJT.exe
3076	eCjvQUl.exe
4556	tRdaqTQ.exe
4060	TAUtDkX.exe
3872	jJTlRbO.exe
4464	VeVwaRx.exe
4396	xqulnIO.exe
4332	gHeFZGR.exe
3208	EvODGin.exe
4036	uytqMon.exe
4200	JyIYfdD.exe
5068	KmoNgRb.exe
4836	JpIPXTv.exe
2628	MiMqvLc.exe
5088	pcfcOBM.exe
4268	YRVEMYu.exe
4580	QkTWcDN.exe
1444	vaIiLBc.exe
3228	mYIErNX.exe
5044	EoNqwbB.exe
2800	zWOoshQ.exe
1800	HrMyCsY.exe
1792	oeuBWbv.exe
5140	rYLDAFd.exe
5172	QQuhkwx.exe
5196	cLCJrYi.exe
5224	pHkSJkm.exe
5252	jjBacHm.exe
5280	BjWICNF.exe
5308	LCbUSXQ.exe
5336	tDbrmSL.exe
5364	opBqMLE.exe
5392	ekvubwD.exe
5416	slitpNj.exe
5452	glZxYCA.exe
5480	nrFNylh.exe
5508	wyOwibB.exe
5552	dxAiJOi.exe
5576	QRzJUhI.exe
5604	QgVTLlY.exe
5620	NFEbJzi.exe
5648	XWrROSO.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5060-0-0x00007FF75D640000-0x00007FF75DA32000-memory.dmp	upx
behavioral2/files/0x000700000002354e-7.dat	upx
behavioral2/files/0x0009000000023547-5.dat	upx
behavioral2/files/0x000700000002354f-22.dat	upx
behavioral2/files/0x0007000000023553-41.dat	upx
behavioral2/memory/3408-42-0x00007FF6AEF50000-0x00007FF6AF342000-memory.dmp	upx
behavioral2/memory/736-45-0x00007FF7AA070000-0x00007FF7AA462000-memory.dmp	upx
behavioral2/files/0x0007000000023554-52.dat	upx
behavioral2/files/0x0007000000023555-60.dat	upx
behavioral2/files/0x0007000000023556-64.dat	upx
behavioral2/files/0x0007000000023557-73.dat	upx
behavioral2/files/0x0007000000023558-88.dat	upx
behavioral2/files/0x000800000002355b-122.dat	upx
behavioral2/files/0x0007000000023561-135.dat	upx
behavioral2/files/0x0007000000023565-147.dat	upx
behavioral2/files/0x0007000000023566-160.dat	upx
behavioral2/memory/1748-445-0x00007FF7194D0000-0x00007FF7198C2000-memory.dmp	upx
behavioral2/memory/3996-446-0x00007FF7F3730000-0x00007FF7F3B22000-memory.dmp	upx
behavioral2/memory/5020-447-0x00007FF7B0F40000-0x00007FF7B1332000-memory.dmp	upx
behavioral2/memory/516-448-0x00007FF73DBC0000-0x00007FF73DFB2000-memory.dmp	upx
behavioral2/files/0x000700000002356c-182.dat	upx
behavioral2/files/0x000700000002356a-180.dat	upx
behavioral2/files/0x000700000002356b-177.dat	upx
behavioral2/files/0x0007000000023569-175.dat	upx
behavioral2/files/0x0007000000023568-170.dat	upx
behavioral2/files/0x0007000000023567-165.dat	upx
behavioral2/files/0x0007000000023564-150.dat	upx
behavioral2/files/0x0007000000023563-145.dat	upx
behavioral2/files/0x0007000000023562-140.dat	upx
behavioral2/files/0x0007000000023560-125.dat	upx
behavioral2/files/0x000700000002355f-120.dat	upx
behavioral2/files/0x000700000002355e-115.dat	upx
behavioral2/files/0x000700000002355d-110.dat	upx
behavioral2/files/0x000800000002355c-105.dat	upx
behavioral2/files/0x000700000002355a-100.dat	upx
behavioral2/files/0x0007000000023559-95.dat	upx
behavioral2/memory/3952-53-0x00007FF73F140000-0x00007FF73F532000-memory.dmp	upx
behavioral2/memory/2768-49-0x00007FF7A7160000-0x00007FF7A7552000-memory.dmp	upx
behavioral2/memory/4644-46-0x00007FF795170000-0x00007FF795562000-memory.dmp	upx
behavioral2/files/0x0007000000023552-44.dat	upx
behavioral2/memory/4680-43-0x00007FF70E9A0000-0x00007FF70ED92000-memory.dmp	upx
behavioral2/memory/2792-37-0x00007FF688F50000-0x00007FF689342000-memory.dmp	upx
behavioral2/files/0x000800000002354a-29.dat	upx
behavioral2/files/0x0007000000023550-26.dat	upx
behavioral2/files/0x0007000000023551-24.dat	upx
behavioral2/memory/1504-20-0x00007FF706120000-0x00007FF706512000-memory.dmp	upx
behavioral2/memory/968-19-0x00007FF774370000-0x00007FF774762000-memory.dmp	upx
behavioral2/memory/1652-449-0x00007FF6A5F70000-0x00007FF6A6362000-memory.dmp	upx
behavioral2/memory/4676-451-0x00007FF6EA020000-0x00007FF6EA412000-memory.dmp	upx
behavioral2/memory/4532-450-0x00007FF75DE40000-0x00007FF75E232000-memory.dmp	upx
behavioral2/memory/2960-453-0x00007FF693640000-0x00007FF693A32000-memory.dmp	upx
behavioral2/memory/4656-454-0x00007FF7073F0000-0x00007FF7077E2000-memory.dmp	upx
behavioral2/memory/1560-452-0x00007FF7FEA40000-0x00007FF7FEE32000-memory.dmp	upx
behavioral2/memory/4196-459-0x00007FF77C620000-0x00007FF77CA12000-memory.dmp	upx
behavioral2/memory/2216-471-0x00007FF79EBE0000-0x00007FF79EFD2000-memory.dmp	upx
behavioral2/memory/4640-464-0x00007FF679410000-0x00007FF679802000-memory.dmp	upx
behavioral2/memory/3076-494-0x00007FF6DA2D0000-0x00007FF6DA6C2000-memory.dmp	upx
behavioral2/memory/3532-480-0x00007FF7E06D0000-0x00007FF7E0AC2000-memory.dmp	upx
behavioral2/memory/1504-2624-0x00007FF706120000-0x00007FF706512000-memory.dmp	upx
behavioral2/memory/2792-2647-0x00007FF688F50000-0x00007FF689342000-memory.dmp	upx
behavioral2/memory/4644-2648-0x00007FF795170000-0x00007FF795562000-memory.dmp	upx
behavioral2/memory/3952-2650-0x00007FF73F140000-0x00007FF73F532000-memory.dmp	upx
behavioral2/memory/968-2674-0x00007FF774370000-0x00007FF774762000-memory.dmp	upx
behavioral2/memory/4680-2677-0x00007FF70E9A0000-0x00007FF70ED92000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\ryuJuhC.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\bZdrGJD.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\mivnwkD.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\WoTVeRh.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\VeVwaRx.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\QgVTLlY.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\WvYGXJR.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\Hyabtuk.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\ZUnFBtJ.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\NCaQQLH.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\jntaYvT.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\RLGsvFR.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\tGmOFOc.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\jeMMmAL.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\uGiOtiS.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\OsrInnn.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\GcZeOEQ.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\axkcIsg.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\XSaaiwj.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\rRBJveW.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\KOTYMfA.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\LjDHIAw.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\opBqMLE.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\NEzhdHS.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\gMhZZLW.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\ZHLzgPI.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\cwltFEV.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\qJRRgBd.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\bhVyjJl.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\rSMwOYq.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\VNLIaop.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\SeYgmbC.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\jyxQABK.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\adKSqja.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\dxAiJOi.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\XEFnewE.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\SVWSweY.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\GgVXtcQ.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\QJOhqJf.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\RpTVrkm.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\EvODGin.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\phWmARd.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\BBePOEc.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\nUsHUXP.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\cBmASeX.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\wBBwWrZ.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\RkKDXDN.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\WzVKhYo.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\qXxihAq.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\aRaySci.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\WxFOoIh.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\ZcCfoIG.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\rwpzwCM.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\TYLTJDX.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\KTOctSI.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\yHCNSID.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\oOtWHfF.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\uUUfMLg.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\gpEKSkC.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\YLrBikj.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\jjGaAkW.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\mrloSku.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\qXIKmOb.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
File created	C:\Windows\System\PUrhlPU.exe	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe
3268	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
Token: SeDebugPrivilege	3268	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3268	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	91
PID 5060 wrote to memory of 3268	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	91
PID 5060 wrote to memory of 968	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	92
PID 5060 wrote to memory of 968	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	92
PID 5060 wrote to memory of 1504	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	93
PID 5060 wrote to memory of 1504	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	93
PID 5060 wrote to memory of 2792	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	94
PID 5060 wrote to memory of 2792	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	94
PID 5060 wrote to memory of 3408	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	95
PID 5060 wrote to memory of 3408	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	95
PID 5060 wrote to memory of 4680	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	96
PID 5060 wrote to memory of 4680	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	96
PID 5060 wrote to memory of 736	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	97
PID 5060 wrote to memory of 736	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	97
PID 5060 wrote to memory of 2768	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	98
PID 5060 wrote to memory of 2768	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	98
PID 5060 wrote to memory of 4644	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	99
PID 5060 wrote to memory of 4644	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	99
PID 5060 wrote to memory of 3952	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	100
PID 5060 wrote to memory of 3952	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	100
PID 5060 wrote to memory of 1748	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	101
PID 5060 wrote to memory of 1748	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	101
PID 5060 wrote to memory of 3996	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	102
PID 5060 wrote to memory of 3996	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	102
PID 5060 wrote to memory of 5020	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	103
PID 5060 wrote to memory of 5020	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	103
PID 5060 wrote to memory of 516	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	104
PID 5060 wrote to memory of 516	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	104
PID 5060 wrote to memory of 1652	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	105
PID 5060 wrote to memory of 1652	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	105
PID 5060 wrote to memory of 4532	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	106
PID 5060 wrote to memory of 4532	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	106
PID 5060 wrote to memory of 4676	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	107
PID 5060 wrote to memory of 4676	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	107
PID 5060 wrote to memory of 1560	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	108
PID 5060 wrote to memory of 1560	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	108
PID 5060 wrote to memory of 2960	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	109
PID 5060 wrote to memory of 2960	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	109
PID 5060 wrote to memory of 4656	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	110
PID 5060 wrote to memory of 4656	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	110
PID 5060 wrote to memory of 4196	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	111
PID 5060 wrote to memory of 4196	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	111
PID 5060 wrote to memory of 4640	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	112
PID 5060 wrote to memory of 4640	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	112
PID 5060 wrote to memory of 2216	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	113
PID 5060 wrote to memory of 2216	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	113
PID 5060 wrote to memory of 3532	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	114
PID 5060 wrote to memory of 3532	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	114
PID 5060 wrote to memory of 3076	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	115
PID 5060 wrote to memory of 3076	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	115
PID 5060 wrote to memory of 4556	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	116
PID 5060 wrote to memory of 4556	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	116
PID 5060 wrote to memory of 4060	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	117
PID 5060 wrote to memory of 4060	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	117
PID 5060 wrote to memory of 3872	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	118
PID 5060 wrote to memory of 3872	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	118
PID 5060 wrote to memory of 4464	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	119
PID 5060 wrote to memory of 4464	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	119
PID 5060 wrote to memory of 4396	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	120
PID 5060 wrote to memory of 4396	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	120
PID 5060 wrote to memory of 4332	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	121
PID 5060 wrote to memory of 4332	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	121
PID 5060 wrote to memory of 3208	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	122
PID 5060 wrote to memory of 3208	5060	f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe	122

C:\Users\Admin\AppData\Local\Temp\f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\f4beb2936cb8f15e005c9b1290eba830_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3268
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3268" "2960" "2900" "2964" "0" "0" "2968" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:748
- C:\Windows\System\cdaJelJ.exe
  C:\Windows\System\cdaJelJ.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\zfBPNSI.exe
  C:\Windows\System\zfBPNSI.exe
  2⤵
  - Executes dropped EXE
  PID:1504
- C:\Windows\System\JvDoIpQ.exe
  C:\Windows\System\JvDoIpQ.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\tucBwhi.exe
  C:\Windows\System\tucBwhi.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\SpcYDOB.exe
  C:\Windows\System\SpcYDOB.exe
  2⤵
  - Executes dropped EXE
  PID:4680
- C:\Windows\System\HTPtlwv.exe
  C:\Windows\System\HTPtlwv.exe
  2⤵
  - Executes dropped EXE
  PID:736
- C:\Windows\System\ZyCTaTv.exe
  C:\Windows\System\ZyCTaTv.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\cquSmrK.exe
  C:\Windows\System\cquSmrK.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\ToghWmf.exe
  C:\Windows\System\ToghWmf.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\cZEsEqO.exe
  C:\Windows\System\cZEsEqO.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\UWDOxaR.exe
  C:\Windows\System\UWDOxaR.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\vhcHonO.exe
  C:\Windows\System\vhcHonO.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\nUKyNCR.exe
  C:\Windows\System\nUKyNCR.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\yNWDdHk.exe
  C:\Windows\System\yNWDdHk.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\dRVMMOe.exe
  C:\Windows\System\dRVMMOe.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\hDMdlYy.exe
  C:\Windows\System\hDMdlYy.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\eThAuZb.exe
  C:\Windows\System\eThAuZb.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Windows\System\RAdTJvL.exe
  C:\Windows\System\RAdTJvL.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\JIbrqih.exe
  C:\Windows\System\JIbrqih.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\dponXAc.exe
  C:\Windows\System\dponXAc.exe
  2⤵
  - Executes dropped EXE
  PID:4196
- C:\Windows\System\zqsNrNB.exe
  C:\Windows\System\zqsNrNB.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\CvcYKKM.exe
  C:\Windows\System\CvcYKKM.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\VJcdaJT.exe
  C:\Windows\System\VJcdaJT.exe
  2⤵
  - Executes dropped EXE
  PID:3532
- C:\Windows\System\eCjvQUl.exe
  C:\Windows\System\eCjvQUl.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\tRdaqTQ.exe
  C:\Windows\System\tRdaqTQ.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\TAUtDkX.exe
  C:\Windows\System\TAUtDkX.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\jJTlRbO.exe
  C:\Windows\System\jJTlRbO.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\VeVwaRx.exe
  C:\Windows\System\VeVwaRx.exe
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\System\xqulnIO.exe
  C:\Windows\System\xqulnIO.exe
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Windows\System\gHeFZGR.exe
  C:\Windows\System\gHeFZGR.exe
  2⤵
  - Executes dropped EXE
  PID:4332
- C:\Windows\System\EvODGin.exe
  C:\Windows\System\EvODGin.exe
  2⤵
  - Executes dropped EXE
  PID:3208
- C:\Windows\System\uytqMon.exe
  C:\Windows\System\uytqMon.exe
  2⤵
  - Executes dropped EXE
  PID:4036
- C:\Windows\System\JyIYfdD.exe
  C:\Windows\System\JyIYfdD.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\KmoNgRb.exe
  C:\Windows\System\KmoNgRb.exe
  2⤵
  - Executes dropped EXE
  PID:5068
- C:\Windows\System\JpIPXTv.exe
  C:\Windows\System\JpIPXTv.exe
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\Windows\System\MiMqvLc.exe
  C:\Windows\System\MiMqvLc.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\pcfcOBM.exe
  C:\Windows\System\pcfcOBM.exe
  2⤵
  - Executes dropped EXE
  PID:5088
- C:\Windows\System\YRVEMYu.exe
  C:\Windows\System\YRVEMYu.exe
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Windows\System\QkTWcDN.exe
  C:\Windows\System\QkTWcDN.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\vaIiLBc.exe
  C:\Windows\System\vaIiLBc.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\mYIErNX.exe
  C:\Windows\System\mYIErNX.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\EoNqwbB.exe
  C:\Windows\System\EoNqwbB.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- C:\Windows\System\zWOoshQ.exe
  C:\Windows\System\zWOoshQ.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\HrMyCsY.exe
  C:\Windows\System\HrMyCsY.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\oeuBWbv.exe
  C:\Windows\System\oeuBWbv.exe
  2⤵
  - Executes dropped EXE
  PID:1792
- C:\Windows\System\rYLDAFd.exe
  C:\Windows\System\rYLDAFd.exe
  2⤵
  - Executes dropped EXE
  PID:5140
- C:\Windows\System\QQuhkwx.exe
  C:\Windows\System\QQuhkwx.exe
  2⤵
  - Executes dropped EXE
  PID:5172
- C:\Windows\System\cLCJrYi.exe
  C:\Windows\System\cLCJrYi.exe
  2⤵
  - Executes dropped EXE
  PID:5196
- C:\Windows\System\pHkSJkm.exe
  C:\Windows\System\pHkSJkm.exe
  2⤵
  - Executes dropped EXE
  PID:5224
- C:\Windows\System\jjBacHm.exe
  C:\Windows\System\jjBacHm.exe
  2⤵
  - Executes dropped EXE
  PID:5252
- C:\Windows\System\BjWICNF.exe
  C:\Windows\System\BjWICNF.exe
  2⤵
  - Executes dropped EXE
  PID:5280
- C:\Windows\System\LCbUSXQ.exe
  C:\Windows\System\LCbUSXQ.exe
  2⤵
  - Executes dropped EXE
  PID:5308
- C:\Windows\System\tDbrmSL.exe
  C:\Windows\System\tDbrmSL.exe
  2⤵
  - Executes dropped EXE
  PID:5336
- C:\Windows\System\opBqMLE.exe
  C:\Windows\System\opBqMLE.exe
  2⤵
  - Executes dropped EXE
  PID:5364
- C:\Windows\System\ekvubwD.exe
  C:\Windows\System\ekvubwD.exe
  2⤵
  - Executes dropped EXE
  PID:5392
- C:\Windows\System\slitpNj.exe
  C:\Windows\System\slitpNj.exe
  2⤵
  - Executes dropped EXE
  PID:5416
- C:\Windows\System\glZxYCA.exe
  C:\Windows\System\glZxYCA.exe
  2⤵
  - Executes dropped EXE
  PID:5452
- C:\Windows\System\nrFNylh.exe
  C:\Windows\System\nrFNylh.exe
  2⤵
  - Executes dropped EXE
  PID:5480
- C:\Windows\System\wyOwibB.exe
  C:\Windows\System\wyOwibB.exe
  2⤵
  - Executes dropped EXE
  PID:5508
- C:\Windows\System\dxAiJOi.exe
  C:\Windows\System\dxAiJOi.exe
  2⤵
  - Executes dropped EXE
  PID:5552
- C:\Windows\System\QRzJUhI.exe
  C:\Windows\System\QRzJUhI.exe
  2⤵
  - Executes dropped EXE
  PID:5576
- C:\Windows\System\QgVTLlY.exe
  C:\Windows\System\QgVTLlY.exe
  2⤵
  - Executes dropped EXE
  PID:5604
- C:\Windows\System\NFEbJzi.exe
  C:\Windows\System\NFEbJzi.exe
  2⤵
  - Executes dropped EXE
  PID:5620
- C:\Windows\System\XWrROSO.exe
  C:\Windows\System\XWrROSO.exe
  2⤵
  - Executes dropped EXE
  PID:5648
- C:\Windows\System\jzNfCtQ.exe
  C:\Windows\System\jzNfCtQ.exe
  2⤵
  PID:5680
- C:\Windows\System\HyySBqw.exe
  C:\Windows\System\HyySBqw.exe
  2⤵
  PID:5708
- C:\Windows\System\gbTVbvv.exe
  C:\Windows\System\gbTVbvv.exe
  2⤵
  PID:5732
- C:\Windows\System\YaIyExJ.exe
  C:\Windows\System\YaIyExJ.exe
  2⤵
  PID:5764
- C:\Windows\System\WfbWRBG.exe
  C:\Windows\System\WfbWRBG.exe
  2⤵
  PID:5792
- C:\Windows\System\dnobVug.exe
  C:\Windows\System\dnobVug.exe
  2⤵
  PID:5824
- C:\Windows\System\Glzoonx.exe
  C:\Windows\System\Glzoonx.exe
  2⤵
  PID:5848
- C:\Windows\System\SvSLAtZ.exe
  C:\Windows\System\SvSLAtZ.exe
  2⤵
  PID:5884
- C:\Windows\System\WVaDcRb.exe
  C:\Windows\System\WVaDcRb.exe
  2⤵
  PID:5912
- C:\Windows\System\PwCBGuv.exe
  C:\Windows\System\PwCBGuv.exe
  2⤵
  PID:5940
- C:\Windows\System\gLgkKZs.exe
  C:\Windows\System\gLgkKZs.exe
  2⤵
  PID:5972
- C:\Windows\System\GNSXdgq.exe
  C:\Windows\System\GNSXdgq.exe
  2⤵
  PID:5996
- C:\Windows\System\gixYktB.exe
  C:\Windows\System\gixYktB.exe
  2⤵
  PID:6032
- C:\Windows\System\mrloSku.exe
  C:\Windows\System\mrloSku.exe
  2⤵
  PID:6056
- C:\Windows\System\ENOQFDE.exe
  C:\Windows\System\ENOQFDE.exe
  2⤵
  PID:6084
- C:\Windows\System\ibLhTKQ.exe
  C:\Windows\System\ibLhTKQ.exe
  2⤵
  PID:6112
- C:\Windows\System\yZFRVux.exe
  C:\Windows\System\yZFRVux.exe
  2⤵
  PID:3624
- C:\Windows\System\iharSBi.exe
  C:\Windows\System\iharSBi.exe
  2⤵
  PID:2672
- C:\Windows\System\GgVXtcQ.exe
  C:\Windows\System\GgVXtcQ.exe
  2⤵
  PID:4348
- C:\Windows\System\vsHSBAt.exe
  C:\Windows\System\vsHSBAt.exe
  2⤵
  PID:372
- C:\Windows\System\aEaCzZz.exe
  C:\Windows\System\aEaCzZz.exe
  2⤵
  PID:5160
- C:\Windows\System\ghvSeiN.exe
  C:\Windows\System\ghvSeiN.exe
  2⤵
  PID:5236
- C:\Windows\System\llXHJzG.exe
  C:\Windows\System\llXHJzG.exe
  2⤵
  PID:5296
- C:\Windows\System\nlPCUgm.exe
  C:\Windows\System\nlPCUgm.exe
  2⤵
  PID:5356
- C:\Windows\System\GgAWDId.exe
  C:\Windows\System\GgAWDId.exe
  2⤵
  PID:5412
- C:\Windows\System\mWzAYGo.exe
  C:\Windows\System\mWzAYGo.exe
  2⤵
  PID:5472
- C:\Windows\System\olJhNFt.exe
  C:\Windows\System\olJhNFt.exe
  2⤵
  PID:5528
- C:\Windows\System\KFttEJm.exe
  C:\Windows\System\KFttEJm.exe
  2⤵
  PID:5596
- C:\Windows\System\lytPpEh.exe
  C:\Windows\System\lytPpEh.exe
  2⤵
  PID:4100
- C:\Windows\System\zXsbSUs.exe
  C:\Windows\System\zXsbSUs.exe
  2⤵
  PID:5696
- C:\Windows\System\RfgezUQ.exe
  C:\Windows\System\RfgezUQ.exe
  2⤵
  PID:5776
- C:\Windows\System\pyjOcfx.exe
  C:\Windows\System\pyjOcfx.exe
  2⤵
  PID:5836
- C:\Windows\System\YEPccFf.exe
  C:\Windows\System\YEPccFf.exe
  2⤵
  PID:5900
- C:\Windows\System\bDyfqzr.exe
  C:\Windows\System\bDyfqzr.exe
  2⤵
  PID:5960
- C:\Windows\System\yiegQjc.exe
  C:\Windows\System\yiegQjc.exe
  2⤵
  PID:6012
- C:\Windows\System\gyxBMEw.exe
  C:\Windows\System\gyxBMEw.exe
  2⤵
  PID:6072
- C:\Windows\System\INFzZcd.exe
  C:\Windows\System\INFzZcd.exe
  2⤵
  PID:6128
- C:\Windows\System\mOjEhPN.exe
  C:\Windows\System\mOjEhPN.exe
  2⤵
  PID:2568
- C:\Windows\System\fxuPOCP.exe
  C:\Windows\System\fxuPOCP.exe
  2⤵
  PID:5152
- C:\Windows\System\pcJHbJl.exe
  C:\Windows\System\pcJHbJl.exe
  2⤵
  PID:5272
- C:\Windows\System\HXIzPKy.exe
  C:\Windows\System\HXIzPKy.exe
  2⤵
  PID:5468
- C:\Windows\System\FqfxmKP.exe
  C:\Windows\System\FqfxmKP.exe
  2⤵
  PID:5588
- C:\Windows\System\HmTbhsY.exe
  C:\Windows\System\HmTbhsY.exe
  2⤵
  PID:5692
- C:\Windows\System\BCAqGAj.exe
  C:\Windows\System\BCAqGAj.exe
  2⤵
  PID:5816
- C:\Windows\System\apqywoh.exe
  C:\Windows\System\apqywoh.exe
  2⤵
  PID:3760
- C:\Windows\System\KcQAPAb.exe
  C:\Windows\System\KcQAPAb.exe
  2⤵
  PID:6048
- C:\Windows\System\noQDjtg.exe
  C:\Windows\System\noQDjtg.exe
  2⤵
  PID:812
- C:\Windows\System\jOYKiqo.exe
  C:\Windows\System\jOYKiqo.exe
  2⤵
  PID:5348
- C:\Windows\System\RuFKCON.exe
  C:\Windows\System\RuFKCON.exe
  2⤵
  PID:5520
- C:\Windows\System\pNzNbew.exe
  C:\Windows\System\pNzNbew.exe
  2⤵
  PID:5668
- C:\Windows\System\LztITNK.exe
  C:\Windows\System\LztITNK.exe
  2⤵
  PID:1940
- C:\Windows\System\NEzhdHS.exe
  C:\Windows\System\NEzhdHS.exe
  2⤵
  PID:3232
- C:\Windows\System\PccWGWq.exe
  C:\Windows\System\PccWGWq.exe
  2⤵
  PID:3684
- C:\Windows\System\viMWMXf.exe
  C:\Windows\System\viMWMXf.exe
  2⤵
  PID:6148
- C:\Windows\System\czMsxxt.exe
  C:\Windows\System\czMsxxt.exe
  2⤵
  PID:6176
- C:\Windows\System\KwfGsQX.exe
  C:\Windows\System\KwfGsQX.exe
  2⤵
  PID:6200
- C:\Windows\System\YNHlxKQ.exe
  C:\Windows\System\YNHlxKQ.exe
  2⤵
  PID:6228
- C:\Windows\System\pEEaTPq.exe
  C:\Windows\System\pEEaTPq.exe
  2⤵
  PID:6360
- C:\Windows\System\gRHOKlv.exe
  C:\Windows\System\gRHOKlv.exe
  2⤵
  PID:6380
- C:\Windows\System\wNDjmFK.exe
  C:\Windows\System\wNDjmFK.exe
  2⤵
  PID:6420
- C:\Windows\System\ZZkWsjd.exe
  C:\Windows\System\ZZkWsjd.exe
  2⤵
  PID:6452
- C:\Windows\System\luVhbrz.exe
  C:\Windows\System\luVhbrz.exe
  2⤵
  PID:6472
- C:\Windows\System\NybFHeN.exe
  C:\Windows\System\NybFHeN.exe
  2⤵
  PID:6488
- C:\Windows\System\dJRiKUJ.exe
  C:\Windows\System\dJRiKUJ.exe
  2⤵
  PID:6508
- C:\Windows\System\eFdNEad.exe
  C:\Windows\System\eFdNEad.exe
  2⤵
  PID:6528
- C:\Windows\System\efurIVy.exe
  C:\Windows\System\efurIVy.exe
  2⤵
  PID:6564
- C:\Windows\System\KBruyga.exe
  C:\Windows\System\KBruyga.exe
  2⤵
  PID:6592
- C:\Windows\System\zhdTDvX.exe
  C:\Windows\System\zhdTDvX.exe
  2⤵
  PID:6616
- C:\Windows\System\gWlXwzI.exe
  C:\Windows\System\gWlXwzI.exe
  2⤵
  PID:6632
- C:\Windows\System\qAvMjhZ.exe
  C:\Windows\System\qAvMjhZ.exe
  2⤵
  PID:6652
- C:\Windows\System\ofYlRgi.exe
  C:\Windows\System\ofYlRgi.exe
  2⤵
  PID:6684
- C:\Windows\System\ZmpgaQt.exe
  C:\Windows\System\ZmpgaQt.exe
  2⤵
  PID:6740
- C:\Windows\System\lKgyDVu.exe
  C:\Windows\System\lKgyDVu.exe
  2⤵
  PID:6776
- C:\Windows\System\bhEOYJi.exe
  C:\Windows\System\bhEOYJi.exe
  2⤵
  PID:6832
- C:\Windows\System\vVYlzYA.exe
  C:\Windows\System\vVYlzYA.exe
  2⤵
  PID:6872
- C:\Windows\System\qZajJnx.exe
  C:\Windows\System\qZajJnx.exe
  2⤵
  PID:6896
- C:\Windows\System\WRrMpHj.exe
  C:\Windows\System\WRrMpHj.exe
  2⤵
  PID:6924
- C:\Windows\System\LaRlcin.exe
  C:\Windows\System\LaRlcin.exe
  2⤵
  PID:6976
- C:\Windows\System\gssAByM.exe
  C:\Windows\System\gssAByM.exe
  2⤵
  PID:7020
- C:\Windows\System\oJhEGHb.exe
  C:\Windows\System\oJhEGHb.exe
  2⤵
  PID:7040
- C:\Windows\System\OcmAzgy.exe
  C:\Windows\System\OcmAzgy.exe
  2⤵
  PID:7056
- C:\Windows\System\kMGlYWd.exe
  C:\Windows\System\kMGlYWd.exe
  2⤵
  PID:7084
- C:\Windows\System\dFyrwNg.exe
  C:\Windows\System\dFyrwNg.exe
  2⤵
  PID:7112
- C:\Windows\System\lOEOBdx.exe
  C:\Windows\System\lOEOBdx.exe
  2⤵
  PID:3676
- C:\Windows\System\joGbnsb.exe
  C:\Windows\System\joGbnsb.exe
  2⤵
  PID:1128
- C:\Windows\System\jubAbfu.exe
  C:\Windows\System\jubAbfu.exe
  2⤵
  PID:4300
- C:\Windows\System\ApbuFrf.exe
  C:\Windows\System\ApbuFrf.exe
  2⤵
  PID:4976
- C:\Windows\System\mtmHMlR.exe
  C:\Windows\System\mtmHMlR.exe
  2⤵
  PID:6104
- C:\Windows\System\oOtWHfF.exe
  C:\Windows\System\oOtWHfF.exe
  2⤵
  PID:5264
- C:\Windows\System\itebpYZ.exe
  C:\Windows\System\itebpYZ.exe
  2⤵
  PID:6160
- C:\Windows\System\Hyabtuk.exe
  C:\Windows\System\Hyabtuk.exe
  2⤵
  PID:6196
- C:\Windows\System\ITbyYeG.exe
  C:\Windows\System\ITbyYeG.exe
  2⤵
  PID:2644
- C:\Windows\System\SWnUXRp.exe
  C:\Windows\System\SWnUXRp.exe
  2⤵
  PID:3504
- C:\Windows\System\mYyiJFv.exe
  C:\Windows\System\mYyiJFv.exe
  2⤵
  PID:1668
- C:\Windows\System\CwLvesc.exe
  C:\Windows\System\CwLvesc.exe
  2⤵
  PID:6220
- C:\Windows\System\WkwsQOJ.exe
  C:\Windows\System\WkwsQOJ.exe
  2⤵
  PID:6344
- C:\Windows\System\jFkBPrG.exe
  C:\Windows\System\jFkBPrG.exe
  2⤵
  PID:4992
- C:\Windows\System\jhYwLsD.exe
  C:\Windows\System\jhYwLsD.exe
  2⤵
  PID:6432
- C:\Windows\System\pszQNaS.exe
  C:\Windows\System\pszQNaS.exe
  2⤵
  PID:6516
- C:\Windows\System\HZWJwLw.exe
  C:\Windows\System\HZWJwLw.exe
  2⤵
  PID:6584
- C:\Windows\System\GbTZUCw.exe
  C:\Windows\System\GbTZUCw.exe
  2⤵
  PID:6784
- C:\Windows\System\riTUYwM.exe
  C:\Windows\System\riTUYwM.exe
  2⤵
  PID:6752
- C:\Windows\System\TpaBFOz.exe
  C:\Windows\System\TpaBFOz.exe
  2⤵
  PID:6884
- C:\Windows\System\CDubARM.exe
  C:\Windows\System\CDubARM.exe
  2⤵
  PID:6996
- C:\Windows\System\sxJquaR.exe
  C:\Windows\System\sxJquaR.exe
  2⤵
  PID:6956
- C:\Windows\System\oJNXEZG.exe
  C:\Windows\System\oJNXEZG.exe
  2⤵
  PID:7028
- C:\Windows\System\UYfKCvw.exe
  C:\Windows\System\UYfKCvw.exe
  2⤵
  PID:7052
- C:\Windows\System\KYaKFiC.exe
  C:\Windows\System\KYaKFiC.exe
  2⤵
  PID:7096
- C:\Windows\System\xteSawh.exe
  C:\Windows\System\xteSawh.exe
  2⤵
  PID:7128
- C:\Windows\System\xdHqxtY.exe
  C:\Windows\System\xdHqxtY.exe
  2⤵
  PID:2172
- C:\Windows\System\bbCKUhG.exe
  C:\Windows\System\bbCKUhG.exe
  2⤵
  PID:2572
- C:\Windows\System\VOuTEPv.exe
  C:\Windows\System\VOuTEPv.exe
  2⤵
  PID:2540
- C:\Windows\System\pwGTwtY.exe
  C:\Windows\System\pwGTwtY.exe
  2⤵
  PID:6288
- C:\Windows\System\gJtyfVW.exe
  C:\Windows\System\gJtyfVW.exe
  2⤵
  PID:6224
- C:\Windows\System\oREDQYB.exe
  C:\Windows\System\oREDQYB.exe
  2⤵
  PID:6500
- C:\Windows\System\UuQvulw.exe
  C:\Windows\System\UuQvulw.exe
  2⤵
  PID:6628
- C:\Windows\System\rSMwOYq.exe
  C:\Windows\System\rSMwOYq.exe
  2⤵
  PID:6324
- C:\Windows\System\WvYGXJR.exe
  C:\Windows\System\WvYGXJR.exe
  2⤵
  PID:6960
- C:\Windows\System\hhrjpTa.exe
  C:\Windows\System\hhrjpTa.exe
  2⤵
  PID:7008
- C:\Windows\System\WhHHGmk.exe
  C:\Windows\System\WhHHGmk.exe
  2⤵
  PID:3888
- C:\Windows\System\bmalzjH.exe
  C:\Windows\System\bmalzjH.exe
  2⤵
  PID:3564
- C:\Windows\System\phWmARd.exe
  C:\Windows\System\phWmARd.exe
  2⤵
  PID:3292
- C:\Windows\System\KgEuCGf.exe
  C:\Windows\System\KgEuCGf.exe
  2⤵
  PID:6828
- C:\Windows\System\YFLBedB.exe
  C:\Windows\System\YFLBedB.exe
  2⤵
  PID:6948
- C:\Windows\System\MSnnEFf.exe
  C:\Windows\System\MSnnEFf.exe
  2⤵
  PID:6332
- C:\Windows\System\SMSgBKs.exe
  C:\Windows\System\SMSgBKs.exe
  2⤵
  PID:6700
- C:\Windows\System\yOHYYni.exe
  C:\Windows\System\yOHYYni.exe
  2⤵
  PID:6496
- C:\Windows\System\dipWBXS.exe
  C:\Windows\System\dipWBXS.exe
  2⤵
  PID:7188
- C:\Windows\System\ZancgsG.exe
  C:\Windows\System\ZancgsG.exe
  2⤵
  PID:7208
- C:\Windows\System\neNXHgJ.exe
  C:\Windows\System\neNXHgJ.exe
  2⤵
  PID:7256
- C:\Windows\System\qohtNxr.exe
  C:\Windows\System\qohtNxr.exe
  2⤵
  PID:7284
- C:\Windows\System\zskGbXg.exe
  C:\Windows\System\zskGbXg.exe
  2⤵
  PID:7308
- C:\Windows\System\lbCGPFj.exe
  C:\Windows\System\lbCGPFj.exe
  2⤵
  PID:7328
- C:\Windows\System\MUzrvyB.exe
  C:\Windows\System\MUzrvyB.exe
  2⤵
  PID:7356
- C:\Windows\System\lJLjDjS.exe
  C:\Windows\System\lJLjDjS.exe
  2⤵
  PID:7372
- C:\Windows\System\XvLbFSi.exe
  C:\Windows\System\XvLbFSi.exe
  2⤵
  PID:7412
- C:\Windows\System\YuAmcLA.exe
  C:\Windows\System\YuAmcLA.exe
  2⤵
  PID:7464
- C:\Windows\System\xrFdaDd.exe
  C:\Windows\System\xrFdaDd.exe
  2⤵
  PID:7488
- C:\Windows\System\zmkZRyF.exe
  C:\Windows\System\zmkZRyF.exe
  2⤵
  PID:7508
- C:\Windows\System\BBePOEc.exe
  C:\Windows\System\BBePOEc.exe
  2⤵
  PID:7528
- C:\Windows\System\OuYvRlZ.exe
  C:\Windows\System\OuYvRlZ.exe
  2⤵
  PID:7544
- C:\Windows\System\dgWURRs.exe
  C:\Windows\System\dgWURRs.exe
  2⤵
  PID:7584
- C:\Windows\System\kcTBPmo.exe
  C:\Windows\System\kcTBPmo.exe
  2⤵
  PID:7608
- C:\Windows\System\VJvORpS.exe
  C:\Windows\System\VJvORpS.exe
  2⤵
  PID:7656
- C:\Windows\System\aihrqAP.exe
  C:\Windows\System\aihrqAP.exe
  2⤵
  PID:7680
- C:\Windows\System\gMhZZLW.exe
  C:\Windows\System\gMhZZLW.exe
  2⤵
  PID:7696
- C:\Windows\System\LQGoDit.exe
  C:\Windows\System\LQGoDit.exe
  2⤵
  PID:7720
- C:\Windows\System\UcCSboj.exe
  C:\Windows\System\UcCSboj.exe
  2⤵
  PID:7764
- C:\Windows\System\ayKNTjX.exe
  C:\Windows\System\ayKNTjX.exe
  2⤵
  PID:7788
- C:\Windows\System\ebUundt.exe
  C:\Windows\System\ebUundt.exe
  2⤵
  PID:7804
- C:\Windows\System\kxgNhUM.exe
  C:\Windows\System\kxgNhUM.exe
  2⤵
  PID:7824
- C:\Windows\System\MLECloF.exe
  C:\Windows\System\MLECloF.exe
  2⤵
  PID:7880
- C:\Windows\System\RAPLxbY.exe
  C:\Windows\System\RAPLxbY.exe
  2⤵
  PID:7900
- C:\Windows\System\lVPnras.exe
  C:\Windows\System\lVPnras.exe
  2⤵
  PID:7916
- C:\Windows\System\khuxJkd.exe
  C:\Windows\System\khuxJkd.exe
  2⤵
  PID:7944
- C:\Windows\System\JopQKxR.exe
  C:\Windows\System\JopQKxR.exe
  2⤵
  PID:7972
- C:\Windows\System\upgXtRV.exe
  C:\Windows\System\upgXtRV.exe
  2⤵
  PID:7992
- C:\Windows\System\VUVpanA.exe
  C:\Windows\System\VUVpanA.exe
  2⤵
  PID:8012
- C:\Windows\System\ioswsCb.exe
  C:\Windows\System\ioswsCb.exe
  2⤵
  PID:8028
- C:\Windows\System\OscibYH.exe
  C:\Windows\System\OscibYH.exe
  2⤵
  PID:8052
- C:\Windows\System\KOaGsiM.exe
  C:\Windows\System\KOaGsiM.exe
  2⤵
  PID:8072
- C:\Windows\System\NElzltw.exe
  C:\Windows\System\NElzltw.exe
  2⤵
  PID:8096
- C:\Windows\System\lBHGOZa.exe
  C:\Windows\System\lBHGOZa.exe
  2⤵
  PID:8116
- C:\Windows\System\bMpWCDW.exe
  C:\Windows\System\bMpWCDW.exe
  2⤵
  PID:8148
- C:\Windows\System\dTzCTbP.exe
  C:\Windows\System\dTzCTbP.exe
  2⤵
  PID:8176
- C:\Windows\System\BGvRZSd.exe
  C:\Windows\System\BGvRZSd.exe
  2⤵
  PID:7184
- C:\Windows\System\OcQjvny.exe
  C:\Windows\System\OcQjvny.exe
  2⤵
  PID:7204
- C:\Windows\System\BNulQBw.exe
  C:\Windows\System\BNulQBw.exe
  2⤵
  PID:7248
- C:\Windows\System\qXIKmOb.exe
  C:\Windows\System\qXIKmOb.exe
  2⤵
  PID:7320
- C:\Windows\System\mmJnaff.exe
  C:\Windows\System\mmJnaff.exe
  2⤵
  PID:7476
- C:\Windows\System\oXTPLVC.exe
  C:\Windows\System\oXTPLVC.exe
  2⤵
  PID:7552
- C:\Windows\System\bZdrGJD.exe
  C:\Windows\System\bZdrGJD.exe
  2⤵
  PID:7580
- C:\Windows\System\OTFkccq.exe
  C:\Windows\System\OTFkccq.exe
  2⤵
  PID:7640
- C:\Windows\System\FpKVQzw.exe
  C:\Windows\System\FpKVQzw.exe
  2⤵
  PID:7800
- C:\Windows\System\XOiFrmv.exe
  C:\Windows\System\XOiFrmv.exe
  2⤵
  PID:7848
- C:\Windows\System\hMDNHYo.exe
  C:\Windows\System\hMDNHYo.exe
  2⤵
  PID:7940
- C:\Windows\System\RKmcJyy.exe
  C:\Windows\System\RKmcJyy.exe
  2⤵
  PID:8048
- C:\Windows\System\ZONSjAq.exe
  C:\Windows\System\ZONSjAq.exe
  2⤵
  PID:8092
- C:\Windows\System\CxioCLR.exe
  C:\Windows\System\CxioCLR.exe
  2⤵
  PID:8168
- C:\Windows\System\GkySZhk.exe
  C:\Windows\System\GkySZhk.exe
  2⤵
  PID:7268
- C:\Windows\System\pLoMqnz.exe
  C:\Windows\System\pLoMqnz.exe
  2⤵
  PID:7452
- C:\Windows\System\ZcCfoIG.exe
  C:\Windows\System\ZcCfoIG.exe
  2⤵
  PID:7576
- C:\Windows\System\PynPbXG.exe
  C:\Windows\System\PynPbXG.exe
  2⤵
  PID:7568
- C:\Windows\System\AwjahkW.exe
  C:\Windows\System\AwjahkW.exe
  2⤵
  PID:7876
- C:\Windows\System\majeZHS.exe
  C:\Windows\System\majeZHS.exe
  2⤵
  PID:7816
- C:\Windows\System\jVDoFGw.exe
  C:\Windows\System\jVDoFGw.exe
  2⤵
  PID:8036
- C:\Windows\System\qCUJLfd.exe
  C:\Windows\System\qCUJLfd.exe
  2⤵
  PID:8144
- C:\Windows\System\fVtrryE.exe
  C:\Windows\System\fVtrryE.exe
  2⤵
  PID:7688
- C:\Windows\System\puuRpTj.exe
  C:\Windows\System\puuRpTj.exe
  2⤵
  PID:8020
- C:\Windows\System\XqwolDJ.exe
  C:\Windows\System\XqwolDJ.exe
  2⤵
  PID:7480
- C:\Windows\System\POsTXGv.exe
  C:\Windows\System\POsTXGv.exe
  2⤵
  PID:8212
- C:\Windows\System\MVdMlxv.exe
  C:\Windows\System\MVdMlxv.exe
  2⤵
  PID:8228
- C:\Windows\System\cSxjSdZ.exe
  C:\Windows\System\cSxjSdZ.exe
  2⤵
  PID:8260
- C:\Windows\System\OfTuvid.exe
  C:\Windows\System\OfTuvid.exe
  2⤵
  PID:8296
- C:\Windows\System\cNfvJGZ.exe
  C:\Windows\System\cNfvJGZ.exe
  2⤵
  PID:8328
- C:\Windows\System\uvvpGkE.exe
  C:\Windows\System\uvvpGkE.exe
  2⤵
  PID:8348
- C:\Windows\System\fKaQems.exe
  C:\Windows\System\fKaQems.exe
  2⤵
  PID:8368
- C:\Windows\System\yjnWdZU.exe
  C:\Windows\System\yjnWdZU.exe
  2⤵
  PID:8392
- C:\Windows\System\bjbqEnR.exe
  C:\Windows\System\bjbqEnR.exe
  2⤵
  PID:8412
- C:\Windows\System\bRdYHkF.exe
  C:\Windows\System\bRdYHkF.exe
  2⤵
  PID:8456
- C:\Windows\System\cSpCgbJ.exe
  C:\Windows\System\cSpCgbJ.exe
  2⤵
  PID:8484
- C:\Windows\System\WPBDFRG.exe
  C:\Windows\System\WPBDFRG.exe
  2⤵
  PID:8528
- C:\Windows\System\qnHjykQ.exe
  C:\Windows\System\qnHjykQ.exe
  2⤵
  PID:8544
- C:\Windows\System\IUvsaeF.exe
  C:\Windows\System\IUvsaeF.exe
  2⤵
  PID:8584
- C:\Windows\System\VNxodPF.exe
  C:\Windows\System\VNxodPF.exe
  2⤵
  PID:8600
- C:\Windows\System\WOMzsnz.exe
  C:\Windows\System\WOMzsnz.exe
  2⤵
  PID:8616
- C:\Windows\System\MqsGYAS.exe
  C:\Windows\System\MqsGYAS.exe
  2⤵
  PID:8660
- C:\Windows\System\oGvKEdj.exe
  C:\Windows\System\oGvKEdj.exe
  2⤵
  PID:8688
- C:\Windows\System\XbUjwaW.exe
  C:\Windows\System\XbUjwaW.exe
  2⤵
  PID:8704
- C:\Windows\System\fmLxHbN.exe
  C:\Windows\System\fmLxHbN.exe
  2⤵
  PID:8740
- C:\Windows\System\WAKJLjn.exe
  C:\Windows\System\WAKJLjn.exe
  2⤵
  PID:8760
- C:\Windows\System\fSxXwVl.exe
  C:\Windows\System\fSxXwVl.exe
  2⤵
  PID:8788
- C:\Windows\System\PRxfDxR.exe
  C:\Windows\System\PRxfDxR.exe
  2⤵
  PID:8804
- C:\Windows\System\pTayBWY.exe
  C:\Windows\System\pTayBWY.exe
  2⤵
  PID:8828
- C:\Windows\System\bEuxynY.exe
  C:\Windows\System\bEuxynY.exe
  2⤵
  PID:8848
- C:\Windows\System\HCdJqsV.exe
  C:\Windows\System\HCdJqsV.exe
  2⤵
  PID:8868
- C:\Windows\System\jaOgFSi.exe
  C:\Windows\System\jaOgFSi.exe
  2⤵
  PID:8888
- C:\Windows\System\uUUfMLg.exe
  C:\Windows\System\uUUfMLg.exe
  2⤵
  PID:8904
- C:\Windows\System\kBOFaVn.exe
  C:\Windows\System\kBOFaVn.exe
  2⤵
  PID:8944
- C:\Windows\System\yqtGXZX.exe
  C:\Windows\System\yqtGXZX.exe
  2⤵
  PID:9012
- C:\Windows\System\ZBohfUH.exe
  C:\Windows\System\ZBohfUH.exe
  2⤵
  PID:9052
- C:\Windows\System\wQWlGfU.exe
  C:\Windows\System\wQWlGfU.exe
  2⤵
  PID:9076
- C:\Windows\System\vLlpoRm.exe
  C:\Windows\System\vLlpoRm.exe
  2⤵
  PID:9096
- C:\Windows\System\LdDWjuF.exe
  C:\Windows\System\LdDWjuF.exe
  2⤵
  PID:9124
- C:\Windows\System\aLtcfTt.exe
  C:\Windows\System\aLtcfTt.exe
  2⤵
  PID:9152
- C:\Windows\System\JpUdOlu.exe
  C:\Windows\System\JpUdOlu.exe
  2⤵
  PID:9192
- C:\Windows\System\AOqjUAi.exe
  C:\Windows\System\AOqjUAi.exe
  2⤵
  PID:7252
- C:\Windows\System\qCVbtJo.exe
  C:\Windows\System\qCVbtJo.exe
  2⤵
  PID:8204
- C:\Windows\System\roTRqRY.exe
  C:\Windows\System\roTRqRY.exe
  2⤵
  PID:8248
- C:\Windows\System\nFEyspi.exe
  C:\Windows\System\nFEyspi.exe
  2⤵
  PID:8316
- C:\Windows\System\esSeTLd.exe
  C:\Windows\System\esSeTLd.exe
  2⤵
  PID:8364
- C:\Windows\System\yLcelhV.exe
  C:\Windows\System\yLcelhV.exe
  2⤵
  PID:8400
- C:\Windows\System\LRPDhhA.exe
  C:\Windows\System\LRPDhhA.exe
  2⤵
  PID:8448
- C:\Windows\System\tdweBNU.exe
  C:\Windows\System\tdweBNU.exe
  2⤵
  PID:8596
- C:\Windows\System\WodiVvR.exe
  C:\Windows\System\WodiVvR.exe
  2⤵
  PID:8652
- C:\Windows\System\MCxIciQ.exe
  C:\Windows\System\MCxIciQ.exe
  2⤵
  PID:8752
- C:\Windows\System\anvoXnt.exe
  C:\Windows\System\anvoXnt.exe
  2⤵
  PID:8768
- C:\Windows\System\sErQmLL.exe
  C:\Windows\System\sErQmLL.exe
  2⤵
  PID:8860
- C:\Windows\System\TMHEUJD.exe
  C:\Windows\System\TMHEUJD.exe
  2⤵
  PID:8836
- C:\Windows\System\fEPvyJB.exe
  C:\Windows\System\fEPvyJB.exe
  2⤵
  PID:8984
- C:\Windows\System\KPauHUT.exe
  C:\Windows\System\KPauHUT.exe
  2⤵
  PID:9060
- C:\Windows\System\dARxiqj.exe
  C:\Windows\System\dARxiqj.exe
  2⤵
  PID:9116
- C:\Windows\System\KqHojmm.exe
  C:\Windows\System\KqHojmm.exe
  2⤵
  PID:9172
- C:\Windows\System\FylxvSU.exe
  C:\Windows\System\FylxvSU.exe
  2⤵
  PID:7912
- C:\Windows\System\JZevmhd.exe
  C:\Windows\System\JZevmhd.exe
  2⤵
  PID:8320
- C:\Windows\System\YUURiBf.exe
  C:\Windows\System\YUURiBf.exe
  2⤵
  PID:7276
- C:\Windows\System\pYLjglm.exe
  C:\Windows\System\pYLjglm.exe
  2⤵
  PID:8580
- C:\Windows\System\wABLDRm.exe
  C:\Windows\System\wABLDRm.exe
  2⤵
  PID:8700
- C:\Windows\System\axkcIsg.exe
  C:\Windows\System\axkcIsg.exe
  2⤵
  PID:8920
- C:\Windows\System\TyrsTvd.exe
  C:\Windows\System\TyrsTvd.exe
  2⤵
  PID:8924
- C:\Windows\System\pBfKzwf.exe
  C:\Windows\System\pBfKzwf.exe
  2⤵
  PID:8276
- C:\Windows\System\WYDdOul.exe
  C:\Windows\System\WYDdOul.exe
  2⤵
  PID:8648
- C:\Windows\System\wPTHxEn.exe
  C:\Windows\System\wPTHxEn.exe
  2⤵
  PID:8940
- C:\Windows\System\oYXoIGF.exe
  C:\Windows\System\oYXoIGF.exe
  2⤵
  PID:9228
- C:\Windows\System\clTDnGz.exe
  C:\Windows\System\clTDnGz.exe
  2⤵
  PID:9244
- C:\Windows\System\ItslRGa.exe
  C:\Windows\System\ItslRGa.exe
  2⤵
  PID:9268
- C:\Windows\System\TvQcCDE.exe
  C:\Windows\System\TvQcCDE.exe
  2⤵
  PID:9308
- C:\Windows\System\LtprjlZ.exe
  C:\Windows\System\LtprjlZ.exe
  2⤵
  PID:9356
- C:\Windows\System\EkIjUzx.exe
  C:\Windows\System\EkIjUzx.exe
  2⤵
  PID:9404
- C:\Windows\System\iVIIbvr.exe
  C:\Windows\System\iVIIbvr.exe
  2⤵
  PID:9424
- C:\Windows\System\gmKMxXJ.exe
  C:\Windows\System\gmKMxXJ.exe
  2⤵
  PID:9460
- C:\Windows\System\MCRiKiu.exe
  C:\Windows\System\MCRiKiu.exe
  2⤵
  PID:9476
- C:\Windows\System\NQcdLlj.exe
  C:\Windows\System\NQcdLlj.exe
  2⤵
  PID:9508
- C:\Windows\System\tlJdCBR.exe
  C:\Windows\System\tlJdCBR.exe
  2⤵
  PID:9556
- C:\Windows\System\AxqbiAe.exe
  C:\Windows\System\AxqbiAe.exe
  2⤵
  PID:9580
- C:\Windows\System\wFsfLTA.exe
  C:\Windows\System\wFsfLTA.exe
  2⤵
  PID:9596
- C:\Windows\System\LLJsAmb.exe
  C:\Windows\System\LLJsAmb.exe
  2⤵
  PID:9616
- C:\Windows\System\kDaWMhJ.exe
  C:\Windows\System\kDaWMhJ.exe
  2⤵
  PID:9640
- C:\Windows\System\WpUclAW.exe
  C:\Windows\System\WpUclAW.exe
  2⤵
  PID:9672
- C:\Windows\System\Dvzigeq.exe
  C:\Windows\System\Dvzigeq.exe
  2⤵
  PID:9696
- C:\Windows\System\cxFAuUY.exe
  C:\Windows\System\cxFAuUY.exe
  2⤵
  PID:9732
- C:\Windows\System\xgvlPCF.exe
  C:\Windows\System\xgvlPCF.exe
  2⤵
  PID:9760
- C:\Windows\System\fdZrMZx.exe
  C:\Windows\System\fdZrMZx.exe
  2⤵
  PID:9796
- C:\Windows\System\MtAjtIM.exe
  C:\Windows\System\MtAjtIM.exe
  2⤵
  PID:9816
- C:\Windows\System\jeMMmAL.exe
  C:\Windows\System\jeMMmAL.exe
  2⤵
  PID:9832
- C:\Windows\System\lnEBWri.exe
  C:\Windows\System\lnEBWri.exe
  2⤵
  PID:9852
- C:\Windows\System\CubTvfr.exe
  C:\Windows\System\CubTvfr.exe
  2⤵
  PID:9980
- C:\Windows\System\oXxBRbK.exe
  C:\Windows\System\oXxBRbK.exe
  2⤵
  PID:10000
- C:\Windows\System\HfyFRIX.exe
  C:\Windows\System\HfyFRIX.exe
  2⤵
  PID:10016
- C:\Windows\System\sjhGabn.exe
  C:\Windows\System\sjhGabn.exe
  2⤵
  PID:10032
- C:\Windows\System\QMiGUxL.exe
  C:\Windows\System\QMiGUxL.exe
  2⤵
  PID:10048
- C:\Windows\System\SkEFmwG.exe
  C:\Windows\System\SkEFmwG.exe
  2⤵
  PID:10064
- C:\Windows\System\hLwDORp.exe
  C:\Windows\System\hLwDORp.exe
  2⤵
  PID:10084
- C:\Windows\System\IXmhdTU.exe
  C:\Windows\System\IXmhdTU.exe
  2⤵
  PID:10192
- C:\Windows\System\pfrSqPa.exe
  C:\Windows\System\pfrSqPa.exe
  2⤵
  PID:10208
- C:\Windows\System\nHDeXQU.exe
  C:\Windows\System\nHDeXQU.exe
  2⤵
  PID:10224
- C:\Windows\System\sDsIlez.exe
  C:\Windows\System\sDsIlez.exe
  2⤵
  PID:9164
- C:\Windows\System\eRWQPzg.exe
  C:\Windows\System\eRWQPzg.exe
  2⤵
  PID:8812
- C:\Windows\System\FDxGkSK.exe
  C:\Windows\System\FDxGkSK.exe
  2⤵
  PID:9220
- C:\Windows\System\jEnxUBW.exe
  C:\Windows\System\jEnxUBW.exe
  2⤵
  PID:9252
- C:\Windows\System\ROkXRiY.exe
  C:\Windows\System\ROkXRiY.exe
  2⤵
  PID:9300
- C:\Windows\System\WsvVLxt.exe
  C:\Windows\System\WsvVLxt.exe
  2⤵
  PID:9316
- C:\Windows\System\bUyXZZy.exe
  C:\Windows\System\bUyXZZy.exe
  2⤵
  PID:9376
- C:\Windows\System\JgHoGHB.exe
  C:\Windows\System\JgHoGHB.exe
  2⤵
  PID:9468
- C:\Windows\System\uTSqwQz.exe
  C:\Windows\System\uTSqwQz.exe
  2⤵
  PID:9504
- C:\Windows\System\FgeFegL.exe
  C:\Windows\System\FgeFegL.exe
  2⤵
  PID:9604
- C:\Windows\System\VzboWRo.exe
  C:\Windows\System\VzboWRo.exe
  2⤵
  PID:9632
- C:\Windows\System\nJrEvTK.exe
  C:\Windows\System\nJrEvTK.exe
  2⤵
  PID:9664
- C:\Windows\System\GeCtbkd.exe
  C:\Windows\System\GeCtbkd.exe
  2⤵
  PID:9952
- C:\Windows\System\KXCrxwQ.exe
  C:\Windows\System\KXCrxwQ.exe
  2⤵
  PID:9912
- C:\Windows\System\YIgEVCU.exe
  C:\Windows\System\YIgEVCU.exe
  2⤵
  PID:10056
- C:\Windows\System\rPJQiVp.exe
  C:\Windows\System\rPJQiVp.exe
  2⤵
  PID:10096
- C:\Windows\System\DjpNABW.exe
  C:\Windows\System\DjpNABW.exe
  2⤵
  PID:8880
- C:\Windows\System\TeSjVtE.exe
  C:\Windows\System\TeSjVtE.exe
  2⤵
  PID:9660
- C:\Windows\System\aEnBIUH.exe
  C:\Windows\System\aEnBIUH.exe
  2⤵
  PID:10132
- C:\Windows\System\nEoOWUs.exe
  C:\Windows\System\nEoOWUs.exe
  2⤵
  PID:10156
- C:\Windows\System\VtvasAg.exe
  C:\Windows\System\VtvasAg.exe
  2⤵
  PID:10180
- C:\Windows\System\UbKZyFa.exe
  C:\Windows\System\UbKZyFa.exe
  2⤵
  PID:9592
- C:\Windows\System\zYMgCzQ.exe
  C:\Windows\System\zYMgCzQ.exe
  2⤵
  PID:9780
- C:\Windows\System\zQQrHEK.exe
  C:\Windows\System\zQQrHEK.exe
  2⤵
  PID:9824
- C:\Windows\System\XEFnewE.exe
  C:\Windows\System\XEFnewE.exe
  2⤵
  PID:10076
- C:\Windows\System\bmzseWO.exe
  C:\Windows\System\bmzseWO.exe
  2⤵
  PID:9184
- C:\Windows\System\eNLzVKg.exe
  C:\Windows\System\eNLzVKg.exe
  2⤵
  PID:9708
- C:\Windows\System\VteUpsr.exe
  C:\Windows\System\VteUpsr.exe
  2⤵
  PID:9612
- C:\Windows\System\BWpCQgy.exe
  C:\Windows\System\BWpCQgy.exe
  2⤵
  PID:9872
- C:\Windows\System\OqCtQaW.exe
  C:\Windows\System\OqCtQaW.exe
  2⤵
  PID:10176
- C:\Windows\System\eFgPGRh.exe
  C:\Windows\System\eFgPGRh.exe
  2⤵
  PID:9280
- C:\Windows\System\KJLxUeY.exe
  C:\Windows\System\KJLxUeY.exe
  2⤵
  PID:10252
- C:\Windows\System\VMSrqka.exe
  C:\Windows\System\VMSrqka.exe
  2⤵
  PID:10268
- C:\Windows\System\rjqVhUG.exe
  C:\Windows\System\rjqVhUG.exe
  2⤵
  PID:10288
- C:\Windows\System\rflExue.exe
  C:\Windows\System\rflExue.exe
  2⤵
  PID:10312
- C:\Windows\System\yoxjHqw.exe
  C:\Windows\System\yoxjHqw.exe
  2⤵
  PID:10340
- C:\Windows\System\GMbmXXV.exe
  C:\Windows\System\GMbmXXV.exe
  2⤵
  PID:10360
- C:\Windows\System\evagCHy.exe
  C:\Windows\System\evagCHy.exe
  2⤵
  PID:10388
- C:\Windows\System\Togkdwb.exe
  C:\Windows\System\Togkdwb.exe
  2⤵
  PID:10408
- C:\Windows\System\ThMCQEP.exe
  C:\Windows\System\ThMCQEP.exe
  2⤵
  PID:10456
- C:\Windows\System\CISZIxQ.exe
  C:\Windows\System\CISZIxQ.exe
  2⤵
  PID:10504
- C:\Windows\System\hetwtyF.exe
  C:\Windows\System\hetwtyF.exe
  2⤵
  PID:10520
- C:\Windows\System\bRxRiDS.exe
  C:\Windows\System\bRxRiDS.exe
  2⤵
  PID:10568
- C:\Windows\System\NUqCqZP.exe
  C:\Windows\System\NUqCqZP.exe
  2⤵
  PID:10588
- C:\Windows\System\mUmkqvc.exe
  C:\Windows\System\mUmkqvc.exe
  2⤵
  PID:10608
- C:\Windows\System\zuiJwbB.exe
  C:\Windows\System\zuiJwbB.exe
  2⤵
  PID:10632
- C:\Windows\System\NDvzCpv.exe
  C:\Windows\System\NDvzCpv.exe
  2⤵
  PID:10652
- C:\Windows\System\ZwEiPiw.exe
  C:\Windows\System\ZwEiPiw.exe
  2⤵
  PID:10716
- C:\Windows\System\AHwHCZd.exe
  C:\Windows\System\AHwHCZd.exe
  2⤵
  PID:10736
- C:\Windows\System\sNJmmWB.exe
  C:\Windows\System\sNJmmWB.exe
  2⤵
  PID:10760
- C:\Windows\System\YJTUFuL.exe
  C:\Windows\System\YJTUFuL.exe
  2⤵
  PID:10776
- C:\Windows\System\eewHPnA.exe
  C:\Windows\System\eewHPnA.exe
  2⤵
  PID:10796
- C:\Windows\System\XSaaiwj.exe
  C:\Windows\System\XSaaiwj.exe
  2⤵
  PID:10836
- C:\Windows\System\IcyrXXz.exe
  C:\Windows\System\IcyrXXz.exe
  2⤵
  PID:10856
- C:\Windows\System\gotSrVv.exe
  C:\Windows\System\gotSrVv.exe
  2⤵
  PID:10892
- C:\Windows\System\nPZCbPn.exe
  C:\Windows\System\nPZCbPn.exe
  2⤵
  PID:10920
- C:\Windows\System\veeGDqN.exe
  C:\Windows\System\veeGDqN.exe
  2⤵
  PID:10944
- C:\Windows\System\YCkJTeS.exe
  C:\Windows\System\YCkJTeS.exe
  2⤵
  PID:10992
- C:\Windows\System\yJPJwbk.exe
  C:\Windows\System\yJPJwbk.exe
  2⤵
  PID:11012
- C:\Windows\System\rRTpXQU.exe
  C:\Windows\System\rRTpXQU.exe
  2⤵
  PID:11032
- C:\Windows\System\liWpfdh.exe
  C:\Windows\System\liWpfdh.exe
  2⤵
  PID:11048
- C:\Windows\System\dDkJefw.exe
  C:\Windows\System\dDkJefw.exe
  2⤵
  PID:11072
- C:\Windows\System\bOiZkOb.exe
  C:\Windows\System\bOiZkOb.exe
  2⤵
  PID:11092
- C:\Windows\System\XSSHvzG.exe
  C:\Windows\System\XSSHvzG.exe
  2⤵
  PID:11120
- C:\Windows\System\ylMqhJs.exe
  C:\Windows\System\ylMqhJs.exe
  2⤵
  PID:11144
- C:\Windows\System\slzVTEt.exe
  C:\Windows\System\slzVTEt.exe
  2⤵
  PID:11188
- C:\Windows\System\BDWRvOp.exe
  C:\Windows\System\BDWRvOp.exe
  2⤵
  PID:11208
- C:\Windows\System\QJOhqJf.exe
  C:\Windows\System\QJOhqJf.exe
  2⤵
  PID:9808
- C:\Windows\System\JbBlncD.exe
  C:\Windows\System\JbBlncD.exe
  2⤵
  PID:10260
- C:\Windows\System\GyZPwyl.exe
  C:\Windows\System\GyZPwyl.exe
  2⤵
  PID:10296
- C:\Windows\System\xwsbgqd.exe
  C:\Windows\System\xwsbgqd.exe
  2⤵
  PID:10380
- C:\Windows\System\UzCbBWk.exe
  C:\Windows\System\UzCbBWk.exe
  2⤵
  PID:10448
- C:\Windows\System\SVWSweY.exe
  C:\Windows\System\SVWSweY.exe
  2⤵
  PID:10536
- C:\Windows\System\KSbwzXr.exe
  C:\Windows\System\KSbwzXr.exe
  2⤵
  PID:10584
- C:\Windows\System\fkRKtTj.exe
  C:\Windows\System\fkRKtTj.exe
  2⤵
  PID:10644
- C:\Windows\System\DTRoyoi.exe
  C:\Windows\System\DTRoyoi.exe
  2⤵
  PID:10708
- C:\Windows\System\wibWMBK.exe
  C:\Windows\System\wibWMBK.exe
  2⤵
  PID:10744
- C:\Windows\System\IUotUBH.exe
  C:\Windows\System\IUotUBH.exe
  2⤵
  PID:10848
- C:\Windows\System\kboGUJM.exe
  C:\Windows\System\kboGUJM.exe
  2⤵
  PID:10884
- C:\Windows\System\bOQFQFn.exe
  C:\Windows\System\bOQFQFn.exe
  2⤵
  PID:11000
- C:\Windows\System\rYMWpzV.exe
  C:\Windows\System\rYMWpzV.exe
  2⤵
  PID:11024
- C:\Windows\System\lNEaQJg.exe
  C:\Windows\System\lNEaQJg.exe
  2⤵
  PID:11168
- C:\Windows\System\LpxsXWX.exe
  C:\Windows\System\LpxsXWX.exe
  2⤵
  PID:11160
- C:\Windows\System\XiKeqlf.exe
  C:\Windows\System\XiKeqlf.exe
  2⤵
  PID:11228
- C:\Windows\System\exWXiOT.exe
  C:\Windows\System\exWXiOT.exe
  2⤵
  PID:10216
- C:\Windows\System\fnUuEyQ.exe
  C:\Windows\System\fnUuEyQ.exe
  2⤵
  PID:10400
- C:\Windows\System\EiZsmwY.exe
  C:\Windows\System\EiZsmwY.exe
  2⤵
  PID:10372
- C:\Windows\System\KkJGOgJ.exe
  C:\Windows\System\KkJGOgJ.exe
  2⤵
  PID:10648
- C:\Windows\System\ZlcFjRO.exe
  C:\Windows\System\ZlcFjRO.exe
  2⤵
  PID:10756
- C:\Windows\System\gGcydLc.exe
  C:\Windows\System\gGcydLc.exe
  2⤵
  PID:10792
- C:\Windows\System\SEzmcyo.exe
  C:\Windows\System\SEzmcyo.exe
  2⤵
  PID:10832
- C:\Windows\System\qNNlikF.exe
  C:\Windows\System\qNNlikF.exe
  2⤵
  PID:11128
- C:\Windows\System\YkPoNAf.exe
  C:\Windows\System\YkPoNAf.exe
  2⤵
  PID:10488
- C:\Windows\System\CdfxrJG.exe
  C:\Windows\System\CdfxrJG.exe
  2⤵
  PID:11100
- C:\Windows\System\RJoBySA.exe
  C:\Windows\System\RJoBySA.exe
  2⤵
  PID:11232
- C:\Windows\System\TaQbfTu.exe
  C:\Windows\System\TaQbfTu.exe
  2⤵
  PID:11280
- C:\Windows\System\OXWxDjV.exe
  C:\Windows\System\OXWxDjV.exe
  2⤵
  PID:11304
- C:\Windows\System\bvTceUT.exe
  C:\Windows\System\bvTceUT.exe
  2⤵
  PID:11320
- C:\Windows\System\imzOhjD.exe
  C:\Windows\System\imzOhjD.exe
  2⤵
  PID:11352
- C:\Windows\System\MNZiHAH.exe
  C:\Windows\System\MNZiHAH.exe
  2⤵
  PID:11404
- C:\Windows\System\WyiITuy.exe
  C:\Windows\System\WyiITuy.exe
  2⤵
  PID:11436
- C:\Windows\System\eRdVvdH.exe
  C:\Windows\System\eRdVvdH.exe
  2⤵
  PID:11452
- C:\Windows\System\AkmpEoz.exe
  C:\Windows\System\AkmpEoz.exe
  2⤵
  PID:11480
- C:\Windows\System\hYQDVoI.exe
  C:\Windows\System\hYQDVoI.exe
  2⤵
  PID:11504
- C:\Windows\System\hBKBbGF.exe
  C:\Windows\System\hBKBbGF.exe
  2⤵
  PID:11524
- C:\Windows\System\jNzFsGf.exe
  C:\Windows\System\jNzFsGf.exe
  2⤵
  PID:11552
- C:\Windows\System\nnujAgI.exe
  C:\Windows\System\nnujAgI.exe
  2⤵
  PID:11584
- C:\Windows\System\QczLYeP.exe
  C:\Windows\System\QczLYeP.exe
  2⤵
  PID:11664
- C:\Windows\System\sTGeLkS.exe
  C:\Windows\System\sTGeLkS.exe
  2⤵
  PID:11684
- C:\Windows\System\LUCMqCs.exe
  C:\Windows\System\LUCMqCs.exe
  2⤵
  PID:11704
- C:\Windows\System\iLYcPWS.exe
  C:\Windows\System\iLYcPWS.exe
  2⤵
  PID:11732
- C:\Windows\System\qZpzAkN.exe
  C:\Windows\System\qZpzAkN.exe
  2⤵
  PID:11756
- C:\Windows\System\kQDmhYt.exe
  C:\Windows\System\kQDmhYt.exe
  2⤵
  PID:11780
- C:\Windows\System\FKHuJel.exe
  C:\Windows\System\FKHuJel.exe
  2⤵
  PID:11804
- C:\Windows\System\cOKNZsf.exe
  C:\Windows\System\cOKNZsf.exe
  2⤵
  PID:11824
- C:\Windows\System\DloapPu.exe
  C:\Windows\System\DloapPu.exe
  2⤵
  PID:11848
- C:\Windows\System\hjzKxzB.exe
  C:\Windows\System\hjzKxzB.exe
  2⤵
  PID:11876
- C:\Windows\System\zcsOOsq.exe
  C:\Windows\System\zcsOOsq.exe
  2⤵
  PID:11908
- C:\Windows\System\rwpzwCM.exe
  C:\Windows\System\rwpzwCM.exe
  2⤵
  PID:11944
- C:\Windows\System\bXjjDwn.exe
  C:\Windows\System\bXjjDwn.exe
  2⤵
  PID:11960
- C:\Windows\System\vgIIiaq.exe
  C:\Windows\System\vgIIiaq.exe
  2⤵
  PID:11992
- C:\Windows\System\mivnwkD.exe
  C:\Windows\System\mivnwkD.exe
  2⤵
  PID:12016
- C:\Windows\System\cBmASeX.exe
  C:\Windows\System\cBmASeX.exe
  2⤵
  PID:12040
- C:\Windows\System\WEFotsT.exe
  C:\Windows\System\WEFotsT.exe
  2⤵
  PID:12064
- C:\Windows\System\vIzRsxe.exe
  C:\Windows\System\vIzRsxe.exe
  2⤵
  PID:12100
- C:\Windows\System\TPXBdwk.exe
  C:\Windows\System\TPXBdwk.exe
  2⤵
  PID:12144
- C:\Windows\System\kHjDzBk.exe
  C:\Windows\System\kHjDzBk.exe
  2⤵
  PID:12160
- C:\Windows\System\TsOFcjU.exe
  C:\Windows\System\TsOFcjU.exe
  2⤵
  PID:12208
- C:\Windows\System\vsResJY.exe
  C:\Windows\System\vsResJY.exe
  2⤵
  PID:12228
- C:\Windows\System\QIEpYNe.exe
  C:\Windows\System\QIEpYNe.exe
  2⤵
  PID:12252
- C:\Windows\System\YyApFQk.exe
  C:\Windows\System\YyApFQk.exe
  2⤵
  PID:12272
- C:\Windows\System\CvvCwog.exe
  C:\Windows\System\CvvCwog.exe
  2⤵
  PID:3060
- C:\Windows\System\iZWqIiX.exe
  C:\Windows\System\iZWqIiX.exe
  2⤵
  PID:11316
- C:\Windows\System\GLgSmxE.exe
  C:\Windows\System\GLgSmxE.exe
  2⤵
  PID:11444
- C:\Windows\System\VzJesGh.exe
  C:\Windows\System\VzJesGh.exe
  2⤵
  PID:11472
- C:\Windows\System\GBbSvuG.exe
  C:\Windows\System\GBbSvuG.exe
  2⤵
  PID:11544
- C:\Windows\System\KjwrCOI.exe
  C:\Windows\System\KjwrCOI.exe
  2⤵
  PID:11652
- C:\Windows\System\RqwYABf.exe
  C:\Windows\System\RqwYABf.exe
  2⤵
  PID:11680
- C:\Windows\System\xAQgSyl.exe
  C:\Windows\System\xAQgSyl.exe
  2⤵
  PID:11800
- C:\Windows\System\xjqbVFK.exe
  C:\Windows\System\xjqbVFK.exe
  2⤵
  PID:11792
- C:\Windows\System\EcudWCh.exe
  C:\Windows\System\EcudWCh.exe
  2⤵
  PID:11896
- C:\Windows\System\qwEteau.exe
  C:\Windows\System\qwEteau.exe
  2⤵
  PID:12028
- C:\Windows\System\CLbqWbW.exe
  C:\Windows\System\CLbqWbW.exe
  2⤵
  PID:12124
- C:\Windows\System\zVYqgGP.exe
  C:\Windows\System\zVYqgGP.exe
  2⤵
  PID:12152
- C:\Windows\System\UCVbZPW.exe
  C:\Windows\System\UCVbZPW.exe
  2⤵
  PID:12184
- C:\Windows\System\VpyLMIc.exe
  C:\Windows\System\VpyLMIc.exe
  2⤵
  PID:12236
- C:\Windows\System\AtNoAZl.exe
  C:\Windows\System\AtNoAZl.exe
  2⤵
  PID:11400
- C:\Windows\System\BGDMGDz.exe
  C:\Windows\System\BGDMGDz.exe
  2⤵
  PID:11520
- C:\Windows\System\ojcWYDP.exe
  C:\Windows\System\ojcWYDP.exe
  2⤵
  PID:11576
- C:\Windows\System\azmTwMJ.exe
  C:\Windows\System\azmTwMJ.exe
  2⤵
  PID:11956
- C:\Windows\System\yENfbVu.exe
  C:\Windows\System\yENfbVu.exe
  2⤵
  PID:12076
- C:\Windows\System\qDbVkqv.exe
  C:\Windows\System\qDbVkqv.exe
  2⤵
  PID:4312
- C:\Windows\System\TRBHtsa.exe
  C:\Windows\System\TRBHtsa.exe
  2⤵
  PID:11276
- C:\Windows\System\CXAwUDT.exe
  C:\Windows\System\CXAwUDT.exe
  2⤵
  PID:11724
- C:\Windows\System\yqgNGgI.exe
  C:\Windows\System\yqgNGgI.exe
  2⤵
  PID:12260
- C:\Windows\System\kbrqgYl.exe
  C:\Windows\System\kbrqgYl.exe
  2⤵
  PID:11844
- C:\Windows\System\xUnBagI.exe
  C:\Windows\System\xUnBagI.exe
  2⤵
  PID:7704
- C:\Windows\System\WzgZxlN.exe
  C:\Windows\System\WzgZxlN.exe
  2⤵
  PID:12300
- C:\Windows\System\rrvfnGf.exe
  C:\Windows\System\rrvfnGf.exe
  2⤵
  PID:12324
- C:\Windows\System\xyzhXvY.exe
  C:\Windows\System\xyzhXvY.exe
  2⤵
  PID:12344
- C:\Windows\System\gpEKSkC.exe
  C:\Windows\System\gpEKSkC.exe
  2⤵
  PID:12368
- C:\Windows\System\WoTVeRh.exe
  C:\Windows\System\WoTVeRh.exe
  2⤵
  PID:12404
- C:\Windows\System\WmikMuf.exe
  C:\Windows\System\WmikMuf.exe
  2⤵
  PID:12424
- C:\Windows\System\PUwzPBT.exe
  C:\Windows\System\PUwzPBT.exe
  2⤵
  PID:12448
- C:\Windows\System\ItAInOF.exe
  C:\Windows\System\ItAInOF.exe
  2⤵
  PID:12500
- C:\Windows\System\iONrHlQ.exe
  C:\Windows\System\iONrHlQ.exe
  2⤵
  PID:12552
- C:\Windows\System\jduicgU.exe
  C:\Windows\System\jduicgU.exe
  2⤵
  PID:12572
- C:\Windows\System\HieFPBj.exe
  C:\Windows\System\HieFPBj.exe
  2⤵
  PID:12592
- C:\Windows\System\LxWPoZs.exe
  C:\Windows\System\LxWPoZs.exe
  2⤵
  PID:12612
- C:\Windows\System\rRBJveW.exe
  C:\Windows\System\rRBJveW.exe
  2⤵
  PID:12632
- C:\Windows\System\LqzyUSC.exe
  C:\Windows\System\LqzyUSC.exe
  2⤵
  PID:12660
- C:\Windows\System\ZPEcnHQ.exe
  C:\Windows\System\ZPEcnHQ.exe
  2⤵
  PID:12688
- C:\Windows\System\zflfNwI.exe
  C:\Windows\System\zflfNwI.exe
  2⤵
  PID:12720
- C:\Windows\System\fScMDSl.exe
  C:\Windows\System\fScMDSl.exe
  2⤵
  PID:12756
- C:\Windows\System\FcloTWf.exe
  C:\Windows\System\FcloTWf.exe
  2⤵
  PID:12776
- C:\Windows\System\ARQNIEh.exe
  C:\Windows\System\ARQNIEh.exe
  2⤵
  PID:12808
- C:\Windows\System\FVgWSYg.exe
  C:\Windows\System\FVgWSYg.exe
  2⤵
  PID:12828
- C:\Windows\System\gqgtMFe.exe
  C:\Windows\System\gqgtMFe.exe
  2⤵
  PID:12848
- C:\Windows\System\BCOzgFE.exe
  C:\Windows\System\BCOzgFE.exe
  2⤵
  PID:12920
- C:\Windows\System\alSwnGw.exe
  C:\Windows\System\alSwnGw.exe
  2⤵
  PID:12940
- C:\Windows\System\ReaVNaI.exe
  C:\Windows\System\ReaVNaI.exe
  2⤵
  PID:12988
- C:\Windows\System\esDmevg.exe
  C:\Windows\System\esDmevg.exe
  2⤵
  PID:13004
- C:\Windows\System\NGNHoLO.exe
  C:\Windows\System\NGNHoLO.exe
  2⤵
  PID:13032
- C:\Windows\System\SNSVlbb.exe
  C:\Windows\System\SNSVlbb.exe
  2⤵
  PID:13052
- C:\Windows\System\fqTyUHy.exe
  C:\Windows\System\fqTyUHy.exe
  2⤵
  PID:13068
- C:\Windows\System\WwQolHE.exe
  C:\Windows\System\WwQolHE.exe
  2⤵
  PID:13108
- C:\Windows\System\uWZAjum.exe
  C:\Windows\System\uWZAjum.exe
  2⤵
  PID:13124
- C:\Windows\System\chuyvoc.exe
  C:\Windows\System\chuyvoc.exe
  2⤵
  PID:13140
- C:\Windows\System\GSvPlFR.exe
  C:\Windows\System\GSvPlFR.exe
  2⤵
  PID:13172
- C:\Windows\System\xHrqJHO.exe
  C:\Windows\System\xHrqJHO.exe
  2⤵
  PID:13220
- C:\Windows\System\SeYgmbC.exe
  C:\Windows\System\SeYgmbC.exe
  2⤵
  PID:13260
- C:\Windows\System\yHXocSF.exe
  C:\Windows\System\yHXocSF.exe
  2⤵
  PID:13280
- C:\Windows\System\EmDasrP.exe
  C:\Windows\System\EmDasrP.exe
  2⤵
  PID:11292
- C:\Windows\System\yHTXMtF.exe
  C:\Windows\System\yHTXMtF.exe
  2⤵
  PID:12308
- C:\Windows\System\QxjltoC.exe
  C:\Windows\System\QxjltoC.exe
  2⤵
  PID:12352
- C:\Windows\System\TSvDHvj.exe
  C:\Windows\System\TSvDHvj.exe
  2⤵
  PID:12388
- C:\Windows\System\tmmuGTU.exe
  C:\Windows\System\tmmuGTU.exe
  2⤵
  PID:12472
- C:\Windows\System\CcFWCNi.exe
  C:\Windows\System\CcFWCNi.exe
  2⤵
  PID:12604
- C:\Windows\System\DLuUvGb.exe
  C:\Windows\System\DLuUvGb.exe
  2⤵
  PID:12584
- C:\Windows\System\dvJuXgD.exe
  C:\Windows\System\dvJuXgD.exe
  2⤵
  PID:12684
- C:\Windows\System\KBfEDov.exe
  C:\Windows\System\KBfEDov.exe
  2⤵
  PID:12712
- C:\Windows\System\OrjYdXd.exe
  C:\Windows\System\OrjYdXd.exe
  2⤵
  PID:12928
- C:\Windows\System\TYLTJDX.exe
  C:\Windows\System\TYLTJDX.exe
  2⤵
  PID:12932
- C:\Windows\System\BUudomE.exe
  C:\Windows\System\BUudomE.exe
  2⤵
  PID:13000
- C:\Windows\System\nzJjcqM.exe
  C:\Windows\System\nzJjcqM.exe
  2⤵
  PID:13120
- C:\Windows\System\fbUZpun.exe
  C:\Windows\System\fbUZpun.exe
  2⤵
  PID:13044
- C:\Windows\System\DcaTjUe.exe
  C:\Windows\System\DcaTjUe.exe
  2⤵
  PID:13116
- C:\Windows\System\YRyYfqz.exe
  C:\Windows\System\YRyYfqz.exe
  2⤵
  PID:13088
- C:\Windows\System\ZXvRrLt.exe
  C:\Windows\System\ZXvRrLt.exe
  2⤵
  PID:13236
- C:\Windows\System\VnqxxQM.exe
  C:\Windows\System\VnqxxQM.exe
  2⤵
  PID:12468
- C:\Windows\System\dTWpWQB.exe
  C:\Windows\System\dTWpWQB.exe
  2⤵
  PID:12696
- C:\Windows\System\XWpNtqj.exe
  C:\Windows\System\XWpNtqj.exe
  2⤵
  PID:13200
- C:\Windows\System\sSIKlTm.exe
  C:\Windows\System\sSIKlTm.exe
  2⤵
  PID:12340
- C:\Windows\System\VXxFMyN.exe
  C:\Windows\System\VXxFMyN.exe
  2⤵
  PID:12960
- C:\Windows\System\CaOvHwP.exe
  C:\Windows\System\CaOvHwP.exe
  2⤵
  PID:11672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4404,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4136 /prefetch:8
1⤵
PID:6352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0neyiuwj.rsw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\CvcYKKM.exe

Filesize
1.7MB

MD5
86f6a507b99889b3bb73c4f5b099d2fa

SHA1
82ee36bc0f506ff70f90f1933a19f0abc13c6ad9

SHA256
1a2bdb74ed48dfa30e49cdc27f6152f3602c71e3ac05f10d02cd4ab959320db1

SHA512
095ea235af63df8ee49ec262e9d656454f4832a6b379115f7b7c87cf2ff7a61496eec0d75dd2a6b163e818dc421fc97554e6670b172b959fef4d1a22ba6a478c

Download Submit
C:\Windows\System\EvODGin.exe

Filesize
1.7MB

MD5
cf391d080123d5dd1584a6a87e0c7c05

SHA1
f0a539eafb1196a1795d66675ff59119817140fd

SHA256
a99481961014a4a2e29f90737d00ac14594fba599f0a378490708b10af85a0fc

SHA512
9b66f2b65693b46cae460e9c10c3fc06f79051c7e9f27dc24a30082649bd738ed294ead07a6c91af4fa4896a065ae5c0bb9aaa25947a083dd2aba28fccf24643

Download Submit
C:\Windows\System\HTPtlwv.exe

Filesize
1.7MB

MD5
e1362c4004e96c0490956e68f98cd35f

SHA1
095fb97ea382c0d1f898e1c324cf4480ffbba6f7

SHA256
d809d273930fdb190ad837738835f02dde32ccb7903081a3074f7b030e151cac

SHA512
a64891618fe5caefd321e87edf121473c1d716f6169145c68ebbb477805abcb4cd4584ca07f7a087c83aad020e30d605d7b7eadfcea456af2c19f8b0f90c3567

Download Submit
C:\Windows\System\JIbrqih.exe

Filesize
1.7MB

MD5
3cf0c16bd4a91b8e50e397e67453fd33

SHA1
6b59a6f6c01ac470a0b09f5463b9f31642f5ed87

SHA256
35bdda2beb252e29090cc112b6e1d446730ccd97c2aa0b65788cec97a91fd305

SHA512
edad6d58dee3dcea3237a4397235c4dfd31116e45bbfc7f94179d14e26f8f1fdfa8fa5232360249ab90b2374b72cd4f294445a065bbf30e06d09b92a12af2140

Download Submit
C:\Windows\System\JvDoIpQ.exe

Filesize
1.7MB

MD5
c416d9d02f3b669e7dcedd00c95090d0

SHA1
ac1b1afb2f028e8f34d767cecf88b960481c5d29

SHA256
add73c3ae7ab2babf8a6bf8f86804aee30b7ab5fe9b0e6247a1959c61fe40ed4

SHA512
a22d97754eb6a22ab3700af5b4e8c947eda5e42eb5cf91e7df3a8332bf44a2268583d763d7ac3d5b7eacdb7d775de43188efd13122f11c4d60745fb4e694d504

Download Submit
C:\Windows\System\JyIYfdD.exe

Filesize
1.7MB

MD5
b641bf228082f222fbbab34fee112c22

SHA1
7bc52c6327a125dff01a33bcede4a477b15003b9

SHA256
166992297766131bc2bd1268bb583c676f2fb7a2908ead770877692606dcf9e0

SHA512
09bec3dd0d39d305d722ec0d33275539c22e99a5a20b440d827098bf8076ee09cb86db2a22a9f7b297828bc84666611880326503ceb393c9c1e72bf0b5d810b2

Download Submit
C:\Windows\System\RAdTJvL.exe

Filesize
1.7MB

MD5
e55eb410bbcb1c48a2c4936eb65d9d3a

SHA1
7ca7d5e3ae9faeaa6a7e15d24a68dcbcd8b63805

SHA256
e90c022f55a13ed4c6087b8d494859e461d491c5e1de2155e33ac3ce3725e18d

SHA512
7ff925c4770740cc00f5d544fa9e7097246c49a926375f90f82ce49c93412e3327f80217314c1967aa8b628f3abc3612f4e6af7ee4ff40aa2f88d21d95033e15

Download Submit
C:\Windows\System\SpcYDOB.exe

Filesize
1.7MB

MD5
85e4e9e287eb18a289b8754e21fa4a61

SHA1
993e88aa48b4abfe89a47d766bc35d71f112cddd

SHA256
0541942393ee1db49f0234bebd82ca1e203a1ffd6784cea78c9ba29be45c93a3

SHA512
b09db09fa46a4465298136b6e9597566fd87459a1fe22247ec2ecee04a9f9de3ac8627981a1e569a633aadf61bf9fe236d15be72898b3b8e23a49ba6313f4fd2

Download Submit
C:\Windows\System\TAUtDkX.exe

Filesize
1.7MB

MD5
9a744526c177467543d53184339e36f2

SHA1
02bb089303d439a0ffaad972206323c565e339cc

SHA256
e07ae0e612bd59a0178879a92298fa68d3b5ff49901c2b5964c0669445a93438

SHA512
38760b6254ec5e6d11a08c6090f121b43c1dbe15b9595e32b6610672a588db6ebc1db886f0bd1d1851b7eceefc387caeb8da8e2b820e75de3883b6e82830da2c

Download Submit
C:\Windows\System\ToghWmf.exe

Filesize
1.7MB

MD5
750b61422d9a98ea0711520855efed42

SHA1
02929f09c1fe10c1e6f397f2da94d0cf34b05917

SHA256
5a3761f2ef1d83820179ba4fb9f79d970158708dc73736ab40eed8c33380e960

SHA512
b5fd0ff9c35627e85222ecac117ba14a77912612067ad046edb5a8564824ce7cd3e8fc52cf58ca5e9005ad905617c6ba6155b41c9b9575035bd0bf6ea0dd4203

Download Submit
C:\Windows\System\UWDOxaR.exe

Filesize
1.7MB

MD5
6e8a608dc61f9f616c27eb29b52aaaba

SHA1
7cb78e011eb37f70e1a24380034596ad6ceeefad

SHA256
e1aa084098387fda7029b25523da5fadc02007ed8e79f5277fdd7796724b353f

SHA512
e275309e56579de74e84b6242eb7663c7c3d9c76c8d2c684433cec68c878de72d467ae203181bcff621f8011346d25b522caaca1761e19bf1d58168a806fbd4a

Download Submit
C:\Windows\System\VJcdaJT.exe

Filesize
1.7MB

MD5
02c6c0526896f656472fdf27ef109fcb

SHA1
eed4053a063015ccab5fe236848af0a47c9d9d7e

SHA256
dcd45b48ff9fc8524cda70f27104b86b0bd471d58ed9047bc48602da0b8b49a9

SHA512
cac0e8d33da3f26206eb0ff2282cfe49bb17d1c194de3659a25c81f3917ad470cbddd5a2a05e78ace1f449aa46776a233c957751f5ba5f7754b59d44c6660c84

Download Submit
C:\Windows\System\VeVwaRx.exe

Filesize
1.7MB

MD5
f03868ee70d46ca208832644d4053621

SHA1
1b4bf1a4656d3e329d00d924937d29d2f1a53ea5

SHA256
43af8270db286372919281a6afc5689bb383b87416a9c5a9c99b5ad5cf4ccfbd

SHA512
7449282fa35ea025c81fae44fd043555061d79c5a4d8dea2b3ba2759efe168dc0fcc05ffd35fb3a60c68325bc94604a55bcf6a5d56506a55ba4bd9751a70793d

Download Submit
C:\Windows\System\ZyCTaTv.exe

Filesize
1.7MB

MD5
a6a983cb8223ec198da8fcc3cfa947e4

SHA1
f4239e1a06993350d3f3ac074bede3773e3eb5bd

SHA256
008024ac0029d1294689c4b5179b2d85a955f3b46a8321ef0a8ca1e213309015

SHA512
cb6f12cf2589b76415df30486cea3efa5182f9479dce9e57b20c7df76726bc5b051fa9b51fe0aa780673004a045a6e560ea77e4e162e699523136304d014ac72

Download Submit
C:\Windows\System\cZEsEqO.exe

Filesize
1.7MB

MD5
6b82688b5a7a7eb73e1ccec8e9ecb46f

SHA1
2a0730d32b5bffeb88cc407488afd3aaa682d364

SHA256
b1f9108d89ba1a5d1c0deacf130c538d26a9e377d490b7dd69c0ce70335da8b9

SHA512
7eb1bd67dbba5fce9e32424a0dbf98fbcae49591ef6910a637e40d68e741e8de8bb12ee28a2e784b511bc504a0901255d96612fdec973ad1aac48f629b3b6c05

Download Submit
C:\Windows\System\cdaJelJ.exe

Filesize
1.7MB

MD5
ff1ce4f48d34a20887fe4c393281069a

SHA1
62e060df3e0dd5658ade14b301fa3cae8a823678

SHA256
380f688b69ca33d0c7ff64332b14cc6ee3fe657df9dc148840eba8c2dea3bf7d

SHA512
5943e074f24b457be18f893e68fad299086d6ca5f3fbd486cf69a23ac34b35b6ea20e06b21ad3867d99b6d13a5fabe052106d5fb027def1b772ecc9a96bed744

Download Submit
C:\Windows\System\cquSmrK.exe

Filesize
1.7MB

MD5
bb4f7d4c0dceba81c44b946ad6c9c03e

SHA1
5fa744ed20e7031b0bfdbd0892b8af349b978914

SHA256
4310cb5380e44f32b5784c3b42c105b0be1b5983c8fb16f20de1c0ddb4efd2ae

SHA512
e2a30a0bf7b22dd2ed40ed9c36f281781eb57f5c05f3ab378e7e7b0a844346d5de4087733b2920ef9334f63c85ade810e8841d378d82dc85d9b2a9cc541eec2f

Download Submit
C:\Windows\System\dRVMMOe.exe

Filesize
1.7MB

MD5
4391957611c01ff06e7fc43d590afea2

SHA1
c3abab1d6a73716a0836c54f850b12368c6d80c5

SHA256
56c6deb06ba7d04e47ade0f540546833fff4a160b14b5c0adbc3fd0dca3b6536

SHA512
c6143abe2a3b56efdfb68cf90d7823cc802de647f9c62e2a063caab6ddca0a8e0ad6af49fc63feb49ee859c4d0589b90c1395d01424851c3004bdf095976d77a

Download Submit
C:\Windows\System\dponXAc.exe

Filesize
1.7MB

MD5
bad32a6b385321de602c2a6395b9d6f5

SHA1
099519b2a25238eff52af7135254ecc961cf632f

SHA256
48c12e693d598c3f1bdf23f1f85739b98db277b095943d374ab5324093b646b0

SHA512
048ae19aae6e4741d2d3fe7241fbdddb761180785c179e814c8c3bd9af4c7984198c83a98b14dcfc5034ac91fd0aec976b5885b49f2e79028847dc48462322dd

Download Submit
C:\Windows\System\eCjvQUl.exe

Filesize
1.7MB

MD5
e6312e9895e343cd70029a3f4ec15b27

SHA1
f9687d429cd140d5a87d3012c88fb2754b3c20fe

SHA256
f643638c2915fbfcf506dfe25be904fa4fbada78f3ad637b6cefeddd199a8ef4

SHA512
0024f3d0abcf48cff127bc384ce5563dc65455811dee337f865af0443a8203ce6d7987812b5d75e614b72816ba18d0e50fa0b97129d268685ba5cef2a2462e62

Download Submit
C:\Windows\System\eThAuZb.exe

Filesize
1.7MB

MD5
56d9cb639efa2b55b178674338822509

SHA1
b31b3a5594c2caaa3c8841f607c59978ed52b7ad

SHA256
53a6712d2e4867999ce6fcb4d771f8667f0d07fe86e479604e2772403dbe392e

SHA512
80d790562e7c768157f0e168e79fbb1c9233d07db209a6b4fa064a4a5a1fe728e60f1cd76c735d5abf45bb4ae4321d8672028e98400a0d790673f04bf0fadff4

Download Submit
C:\Windows\System\gHeFZGR.exe

Filesize
1.7MB

MD5
be9844873e4ddc39186f5037dd64d01a

SHA1
f8069cc8b868c5f3d0bbad2b4fc3d322d8b013bb

SHA256
af703ffd2e3be157e58ff28c69647246529f42e4bb52006fa1860d22c57695cb

SHA512
ef86348e3114eb28113e0f4e56671d38c914692ebc4bd4fbf9068bc2eceea82b05890cca913fd6137a346cde0bd3ce89fe95b887a69ba725c464b6aae045ba1d

Download Submit
C:\Windows\System\hBtXAJJ.exe

Filesize
8B

MD5
67d893d1a2095d39d451d08ee1cc05e9

SHA1
dad7ef4487e41ff3c3e600250e691ed16832dc94

SHA256
cc871666e89dd430f5e3dc9cc361cd1a4ecf7214b4b8daeb86cca2257079f3ce

SHA512
7799e4db272ac6c136cb55f2e50c1582a5027767dc6d148dbf159fdb6f776a047cf2ac573fbb2f2ca5a994173cf0465c93ef3f6e6c86e8981136e854def9801d

Download Submit
C:\Windows\System\hDMdlYy.exe

Filesize
1.7MB

MD5
d06dd48aaf351d5ec721bdce84bfebca

SHA1
17b24b16ea808f0573f8c3b377ed3cf7ceecd476

SHA256
09e21c3545722e72f8f62b01493c4c33992d94b5638f66c2ab599f45c4c5ae67

SHA512
abcaeec154488a5c7d9e36184c7dd9263ce7d518ef071b45331eddad553dc157ac6071d3098ccdce32385ddd30977378ecd187552392dd7d6cc1d6e8032ef8f8

Download Submit
C:\Windows\System\jJTlRbO.exe

Filesize
1.7MB

MD5
4717a03657dccafaa85d2a326ed04d12

SHA1
a070f48c4544049114f8ff965a04e146d2c6a0ed

SHA256
d6bce93ca3ac5e078f0add3e3e7254d999b12967321132c39297ade06f631397

SHA512
aba67bb7d1990860e7b118b9b463b08d8576396140a4554c5015551c61e8de6510ae3577e0cfccbcebf412e110b68fd77ce864822a66df128ce1232c5d51ea6d

Download Submit
C:\Windows\System\nUKyNCR.exe

Filesize
1.7MB

MD5
ab3edb75504a88c01238a3cca16794c0

SHA1
45c938043414e0d7dfd62c9be2d45bc89a614df7

SHA256
cab005606e8a297f6d655fcfa793268dd962876285af7ed954a98ad20ae53758

SHA512
e57cc6a4d0bebd533291f88ae1d02b2216abdda965926f7981aa99fbb8d84f6cc95a03bdddb278116da99fa2bb594ebd8720ebe8bcc997235a75295b567ea319

Download Submit
C:\Windows\System\tRdaqTQ.exe

Filesize
1.7MB

MD5
07a82ffb2de8e0dc735038c4093faa8e

SHA1
d35fdc53c3846bc175dd1bf50c9af6b8bce37981

SHA256
67b00fc077062226bc289df5c1f8680450957b756c8ad0c2348b0e8cba4f2b61

SHA512
fb9309bb7a855734f7740bae3c96f05aaa01d8f7c0251b02cfeb3fb312d349f41d0aaf5dee6380990c7dcc63642a9f620f1434e43c19b289c323dd2e2ffdca6b

Download Submit
C:\Windows\System\tucBwhi.exe

Filesize
1.7MB

MD5
207b8ac7525355fb93f3ede9413a5cc2

SHA1
ce084aab8d9fcbee223d0bf17e249b8dd31e411f

SHA256
de89cc9f7a5b722401dd39e0b4c707c7262533a65dbe37059f2ccd7cdf6e0bff

SHA512
be826bc4214c2864bea495ecc3d0b4a5d3363d6d2577bc222ae051928a9a1d26d514ffaa8f2d211ab846572cdbc11fa2cd618ce6d7e80a4e214a61a00ae30d77

Download Submit
C:\Windows\System\uytqMon.exe

Filesize
1.7MB

MD5
e363701a3626d045a3f3954e0d35dff2

SHA1
c91fa271e3762569a682dd56bb2738da203bf87e

SHA256
a7b8a4ffed71d2b26c46f6b9980d01a78f4ff73bb157b69aa81f367676eb9c53

SHA512
dc5375c75e6da42a5c51eae842530708c39b756469059445fa87ebe5c99dac5cadc8e1b079099390cbc447a3c54a221327d489064fb34b2b8dc33f92dd5872f7

Download Submit
C:\Windows\System\vhcHonO.exe

Filesize
1.7MB

MD5
bf25336b4bfbcc589abd053065d3e840

SHA1
686255cbb24a0c8c82958800b1ca4b857a207326

SHA256
5f80c41b728943256e40e398a35fc98243521e2157eb6adeaaf995619732baae

SHA512
a2c913cdb7719a5931353605f497d817f6da3b657a04398cea66bb5cf37ecad3f507f4437aa010917762af20883d508d7648e66be68497a1a2e72401f305a6ce

Download Submit
C:\Windows\System\xqulnIO.exe

Filesize
1.7MB

MD5
5260fba6a80e505bb4824d8382b97dcf

SHA1
17ca81297d5529692889665d3002fbdd3e69a4e8

SHA256
fce4c5825e9a1fe41d0ef14de7fdf107069fcb23f46448a6e439ffb253bd9d8a

SHA512
0c0c130c50e62de520c764afa430430149b69ccc52663e262ab167698a35dda1a5c867beca149b90c7e7782643b4692857de4642f95d06da8defc650eb87c7e5

Download Submit
C:\Windows\System\yNWDdHk.exe

Filesize
1.7MB

MD5
d439b02af5bf698497571eb939e6652c

SHA1
de6d1999e4c91c73d0b7b1fb873b2cfed6a67563

SHA256
01da75f325685203b2228216a9c4fb9ee12c1eca1c0f703910af3cab848153d2

SHA512
bef5e2abd82a652ad7b82a38890c755c533d8bb2d186444f7baa1d3d5cd00b46c18a3dc463728223fb2525c1d7510d99e147fc629ae4c51e584332449119ecab

Download Submit
C:\Windows\System\zfBPNSI.exe

Filesize
1.7MB

MD5
c89d846e380b6ed3178dd06f77b1232f

SHA1
6c17e87055f428f747f4ed310b86aecadae5cadf

SHA256
47798076db90c644952efa25da07f44d605c3b9d186fdbaf1c187a4406223a29

SHA512
33d3062625e295f0a7805d6c55ec74ec1c59a210b09697cd464b21d1bf22fec1adcf3d3f0d9914131e8e95e1ff2f136a489b099b3b2137d9389e600dc6ac5065

Download Submit
C:\Windows\System\zqsNrNB.exe

Filesize
1.7MB

MD5
9508f45f0c0897b9a00c842fd1c844c6

SHA1
afb8b142f17c42c53e580ab444ba534afa7959d1

SHA256
ed2431bb9d8121b947f5519029546754631080cfa19d1abd8d880faf6d1c5d36

SHA512
e4bac765947a7af45c9e62aeba68a448b99887bad5cd77eaa85075cd901c4d4ab09d62031693dd72caf7a6727cafabe95a73a06b0957e79ee47230e7d9ab533b

Download Submit
memory/516-2698-0x00007FF73DBC0000-0x00007FF73DFB2000-memory.dmp

Filesize
3.9MB

Download
memory/516-448-0x00007FF73DBC0000-0x00007FF73DFB2000-memory.dmp

Filesize
3.9MB

Download
memory/736-2678-0x00007FF7AA070000-0x00007FF7AA462000-memory.dmp

Filesize
3.9MB

Download
memory/736-45-0x00007FF7AA070000-0x00007FF7AA462000-memory.dmp

Filesize
3.9MB

Download
memory/968-2674-0x00007FF774370000-0x00007FF774762000-memory.dmp

Filesize
3.9MB

Download
memory/968-19-0x00007FF774370000-0x00007FF774762000-memory.dmp

Filesize
3.9MB

Download
memory/1504-2624-0x00007FF706120000-0x00007FF706512000-memory.dmp

Filesize
3.9MB

Download
memory/1504-2680-0x00007FF706120000-0x00007FF706512000-memory.dmp

Filesize
3.9MB

Download
memory/1504-20-0x00007FF706120000-0x00007FF706512000-memory.dmp

Filesize
3.9MB

Download
memory/1560-452-0x00007FF7FEA40000-0x00007FF7FEE32000-memory.dmp

Filesize
3.9MB

Download
memory/1560-2729-0x00007FF7FEA40000-0x00007FF7FEE32000-memory.dmp

Filesize
3.9MB

Download
memory/1652-2700-0x00007FF6A5F70000-0x00007FF6A6362000-memory.dmp

Filesize
3.9MB

Download
memory/1652-449-0x00007FF6A5F70000-0x00007FF6A6362000-memory.dmp

Filesize
3.9MB

Download
memory/1748-445-0x00007FF7194D0000-0x00007FF7198C2000-memory.dmp

Filesize
3.9MB

Download
memory/1748-2693-0x00007FF7194D0000-0x00007FF7198C2000-memory.dmp

Filesize
3.9MB

Download
memory/2216-2712-0x00007FF79EBE0000-0x00007FF79EFD2000-memory.dmp

Filesize
3.9MB

Download
memory/2216-471-0x00007FF79EBE0000-0x00007FF79EFD2000-memory.dmp

Filesize
3.9MB

Download
memory/2768-49-0x00007FF7A7160000-0x00007FF7A7552000-memory.dmp

Filesize
3.9MB

Download
memory/2768-2688-0x00007FF7A7160000-0x00007FF7A7552000-memory.dmp

Filesize
3.9MB

Download
memory/2792-37-0x00007FF688F50000-0x00007FF689342000-memory.dmp

Filesize
3.9MB

Download
memory/2792-2696-0x00007FF688F50000-0x00007FF689342000-memory.dmp

Filesize
3.9MB

Download
memory/2792-2647-0x00007FF688F50000-0x00007FF689342000-memory.dmp

Filesize
3.9MB

Download
memory/2960-2739-0x00007FF693640000-0x00007FF693A32000-memory.dmp

Filesize
3.9MB

Download
memory/2960-453-0x00007FF693640000-0x00007FF693A32000-memory.dmp

Filesize
3.9MB

Download
memory/3076-494-0x00007FF6DA2D0000-0x00007FF6DA6C2000-memory.dmp

Filesize
3.9MB

Download
memory/3076-2732-0x00007FF6DA2D0000-0x00007FF6DA6C2000-memory.dmp

Filesize
3.9MB

Download
memory/3268-393-0x000001BE643E0000-0x000001BE64B86000-memory.dmp

Filesize
7.6MB

Download
memory/3268-86-0x000001BE493D0000-0x000001BE493F2000-memory.dmp

Filesize
136KB

Download
memory/3408-2682-0x00007FF6AEF50000-0x00007FF6AF342000-memory.dmp

Filesize
3.9MB

Download
memory/3408-42-0x00007FF6AEF50000-0x00007FF6AF342000-memory.dmp

Filesize
3.9MB

Download
memory/3532-480-0x00007FF7E06D0000-0x00007FF7E0AC2000-memory.dmp

Filesize
3.9MB

Download
memory/3532-2733-0x00007FF7E06D0000-0x00007FF7E0AC2000-memory.dmp

Filesize
3.9MB

Download
memory/3952-2650-0x00007FF73F140000-0x00007FF73F532000-memory.dmp

Filesize
3.9MB

Download
memory/3952-53-0x00007FF73F140000-0x00007FF73F532000-memory.dmp

Filesize
3.9MB

Download
memory/3952-2687-0x00007FF73F140000-0x00007FF73F532000-memory.dmp

Filesize
3.9MB

Download
memory/3996-446-0x00007FF7F3730000-0x00007FF7F3B22000-memory.dmp

Filesize
3.9MB

Download
memory/3996-2691-0x00007FF7F3730000-0x00007FF7F3B22000-memory.dmp

Filesize
3.9MB

Download
memory/4196-2715-0x00007FF77C620000-0x00007FF77CA12000-memory.dmp

Filesize
3.9MB

Download
memory/4196-459-0x00007FF77C620000-0x00007FF77CA12000-memory.dmp

Filesize
3.9MB

Download
memory/4532-2702-0x00007FF75DE40000-0x00007FF75E232000-memory.dmp

Filesize
3.9MB

Download
memory/4532-450-0x00007FF75DE40000-0x00007FF75E232000-memory.dmp

Filesize
3.9MB

Download
memory/4640-2711-0x00007FF679410000-0x00007FF679802000-memory.dmp

Filesize
3.9MB

Download
memory/4640-464-0x00007FF679410000-0x00007FF679802000-memory.dmp

Filesize
3.9MB

Download
memory/4644-2694-0x00007FF795170000-0x00007FF795562000-memory.dmp

Filesize
3.9MB

Download
memory/4644-46-0x00007FF795170000-0x00007FF795562000-memory.dmp

Filesize
3.9MB

Download
memory/4644-2648-0x00007FF795170000-0x00007FF795562000-memory.dmp

Filesize
3.9MB

Download
memory/4656-454-0x00007FF7073F0000-0x00007FF7077E2000-memory.dmp

Filesize
3.9MB

Download
memory/4656-2716-0x00007FF7073F0000-0x00007FF7077E2000-memory.dmp

Filesize
3.9MB

Download
memory/4676-2726-0x00007FF6EA020000-0x00007FF6EA412000-memory.dmp

Filesize
3.9MB

Download
memory/4676-451-0x00007FF6EA020000-0x00007FF6EA412000-memory.dmp

Filesize
3.9MB

Download
memory/4680-2677-0x00007FF70E9A0000-0x00007FF70ED92000-memory.dmp

Filesize
3.9MB

Download
memory/4680-43-0x00007FF70E9A0000-0x00007FF70ED92000-memory.dmp

Filesize
3.9MB

Download
memory/5020-2685-0x00007FF7B0F40000-0x00007FF7B1332000-memory.dmp

Filesize
3.9MB

Download
memory/5020-447-0x00007FF7B0F40000-0x00007FF7B1332000-memory.dmp

Filesize
3.9MB

Download
memory/5060-0-0x00007FF75D640000-0x00007FF75DA32000-memory.dmp

Filesize
3.9MB

Download
memory/5060-1-0x000002E55BF70000-0x000002E55BF80000-memory.dmp

Filesize
64KB

Download