xmrig | 704b83c060d1d99c922dba8cee571a189d5b71a12761b51e3db34b273bdfb421

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
Size

1.3MB
MD5

043236d16f631923bcd21da96a45e540
SHA1

b39aec8b27a904ea8441214b74d7be14a178a139
SHA256

704b83c060d1d99c922dba8cee571a189d5b71a12761b51e3db34b273bdfb421
SHA512

e09a1fdf7ab308e18e313b081fc1f64d89a21370a85c4c5d58b4a0bc9f0a09508a51f115b19e5cfc7df791f2f88847160d0a2b784663f1b9ac759c8eb22cf31d
SSDEEP

24576:zv3/fTLF671TilQFG4P5PMkipctp++Ft4mzS1jR254I:Lz071uv4BPMkiqtI+ijR25r

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral2/memory/4784-15-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp	xmrig
behavioral2/memory/1904-50-0x00007FF7874A0000-0x00007FF787892000-memory.dmp	xmrig
behavioral2/memory/4544-137-0x00007FF745610000-0x00007FF745A02000-memory.dmp	xmrig
behavioral2/memory/2640-141-0x00007FF6D5AB0000-0x00007FF6D5EA2000-memory.dmp	xmrig
behavioral2/memory/2028-183-0x00007FF766030000-0x00007FF766422000-memory.dmp	xmrig
behavioral2/memory/3768-202-0x00007FF7138D0000-0x00007FF713CC2000-memory.dmp	xmrig
behavioral2/memory/3972-201-0x00007FF69A650000-0x00007FF69AA42000-memory.dmp	xmrig
behavioral2/memory/1848-194-0x00007FF7A19E0000-0x00007FF7A1DD2000-memory.dmp	xmrig
behavioral2/memory/932-191-0x00007FF603F60000-0x00007FF604352000-memory.dmp	xmrig
behavioral2/memory/4952-184-0x00007FF669F80000-0x00007FF66A372000-memory.dmp	xmrig
behavioral2/memory/3176-170-0x00007FF73A3A0000-0x00007FF73A792000-memory.dmp	xmrig
behavioral2/memory/2340-162-0x00007FF6515F0000-0x00007FF6519E2000-memory.dmp	xmrig
behavioral2/memory/4328-161-0x00007FF6C5E30000-0x00007FF6C6222000-memory.dmp	xmrig
behavioral2/memory/400-156-0x00007FF65F510000-0x00007FF65F902000-memory.dmp	xmrig
behavioral2/memory/4276-149-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp	xmrig
behavioral2/memory/4772-148-0x00007FF7B0E20000-0x00007FF7B1212000-memory.dmp	xmrig
behavioral2/memory/712-138-0x00007FF6DFB90000-0x00007FF6DFF82000-memory.dmp	xmrig
behavioral2/memory/1308-108-0x00007FF7DFE30000-0x00007FF7E0222000-memory.dmp	xmrig
behavioral2/memory/1624-73-0x00007FF76DDA0000-0x00007FF76E192000-memory.dmp	xmrig
behavioral2/memory/5108-67-0x00007FF79EF50000-0x00007FF79F342000-memory.dmp	xmrig
behavioral2/memory/2472-40-0x00007FF708190000-0x00007FF708582000-memory.dmp	xmrig
behavioral2/memory/4784-2241-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp	xmrig
behavioral2/memory/2576-2243-0x00007FF75B070000-0x00007FF75B462000-memory.dmp	xmrig
behavioral2/memory/2792-2244-0x00007FF7A5900000-0x00007FF7A5CF2000-memory.dmp	xmrig
behavioral2/memory/1016-2245-0x00007FF7AAC80000-0x00007FF7AB072000-memory.dmp	xmrig
behavioral2/memory/4784-2292-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp	xmrig
behavioral2/memory/1308-2294-0x00007FF7DFE30000-0x00007FF7E0222000-memory.dmp	xmrig
behavioral2/memory/2472-2296-0x00007FF708190000-0x00007FF708582000-memory.dmp	xmrig
behavioral2/memory/4544-2298-0x00007FF745610000-0x00007FF745A02000-memory.dmp	xmrig
behavioral2/memory/1904-2300-0x00007FF7874A0000-0x00007FF787892000-memory.dmp	xmrig
behavioral2/memory/1624-2304-0x00007FF76DDA0000-0x00007FF76E192000-memory.dmp	xmrig
behavioral2/memory/5108-2302-0x00007FF79EF50000-0x00007FF79F342000-memory.dmp	xmrig
behavioral2/memory/712-2315-0x00007FF6DFB90000-0x00007FF6DFF82000-memory.dmp	xmrig
behavioral2/memory/4328-2318-0x00007FF6C5E30000-0x00007FF6C6222000-memory.dmp	xmrig
behavioral2/memory/400-2320-0x00007FF65F510000-0x00007FF65F902000-memory.dmp	xmrig
behavioral2/memory/1016-2322-0x00007FF7AAC80000-0x00007FF7AB072000-memory.dmp	xmrig
behavioral2/memory/2792-2317-0x00007FF7A5900000-0x00007FF7A5CF2000-memory.dmp	xmrig
behavioral2/memory/2640-2313-0x00007FF6D5AB0000-0x00007FF6D5EA2000-memory.dmp	xmrig
behavioral2/memory/4276-2311-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp	xmrig
behavioral2/memory/2576-2308-0x00007FF75B070000-0x00007FF75B462000-memory.dmp	xmrig
behavioral2/memory/4772-2307-0x00007FF7B0E20000-0x00007FF7B1212000-memory.dmp	xmrig
behavioral2/memory/1848-2331-0x00007FF7A19E0000-0x00007FF7A1DD2000-memory.dmp	xmrig
behavioral2/memory/932-2334-0x00007FF603F60000-0x00007FF604352000-memory.dmp	xmrig
behavioral2/memory/2340-2333-0x00007FF6515F0000-0x00007FF6519E2000-memory.dmp	xmrig
behavioral2/memory/3972-2332-0x00007FF69A650000-0x00007FF69AA42000-memory.dmp	xmrig
behavioral2/memory/3176-2327-0x00007FF73A3A0000-0x00007FF73A792000-memory.dmp	xmrig
behavioral2/memory/2028-2325-0x00007FF766030000-0x00007FF766422000-memory.dmp	xmrig
behavioral2/memory/4952-2338-0x00007FF669F80000-0x00007FF66A372000-memory.dmp	xmrig
behavioral2/memory/3768-2359-0x00007FF7138D0000-0x00007FF713CC2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	4444	powershell.exe
11	4444	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
4444	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4784	qCaIAFE.exe
1308	JqlgdRL.exe
4544	ZDKfBNd.exe
2472	JyOaTOJ.exe
1904	hHcRtoY.exe
5108	JDHpmwY.exe
712	AmSYXrb.exe
1624	JRMxpWi.exe
2640	AkKpFQc.exe
4772	TkCdlsj.exe
4276	GxnafVW.exe
2576	bmYiVuU.exe
400	CwUZvhK.exe
2792	saLaIVe.exe
4328	WPKOOeM.exe
1016	YNJeWsn.exe
2340	dxlgIOu.exe
1848	LUSfepf.exe
3176	fKiLXLq.exe
2028	poHZPSE.exe
4952	vCsgPnL.exe
932	HKRNTHH.exe
3972	WGtYcQr.exe
3768	HaCYxZc.exe
4588	LLVNNYa.exe
4056	sdOekIT.exe
448	WJAPVuE.exe
4620	BBMzXnn.exe
1092	ptWijMn.exe
2348	oeopLAR.exe
1768	kUKxBeR.exe
4696	TIjqCKX.exe
1744	qLiZOmo.exe
2056	ypuIGmm.exe
3892	mDqrvxY.exe
964	mpqjzfq.exe
1344	XNZbVzg.exe
3880	qqkkOjB.exe
1444	FJPyUHC.exe
4804	hAzeVug.exe
4520	AIJQeqB.exe
1960	OMQaHaE.exe
5040	RZmxzJB.exe
2404	cpAEnxt.exe
4064	PiRhBsr.exe
4416	ixnujhW.exe
884	KnuojMq.exe
2628	rzInhLy.exe
220	zNALYmU.exe
224	GiJjIsu.exe
3220	HAtvURK.exe
1388	yLENtKc.exe
3640	NuUxGHk.exe
2128	KIYOhUD.exe
4244	fUTNpui.exe
3960	BcPwvjS.exe
2012	pZcVQnd.exe
4028	NuCMhZc.exe
2284	ACUcIWI.exe
1068	oFohzeK.exe
4756	sWJZIXL.exe
5132	fYmEeul.exe
5156	hjqdouk.exe
5180	CTxmhSH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3936-0-0x00007FF6BC3B0000-0x00007FF6BC7A2000-memory.dmp	upx
behavioral2/files/0x000b000000023430-4.dat	upx
behavioral2/files/0x0007000000023434-9.dat	upx
behavioral2/files/0x0007000000023435-8.dat	upx
behavioral2/memory/4784-15-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp	upx
behavioral2/files/0x0007000000023438-30.dat	upx
behavioral2/files/0x0007000000023439-36.dat	upx
behavioral2/files/0x000700000002343b-45.dat	upx
behavioral2/memory/1904-50-0x00007FF7874A0000-0x00007FF787892000-memory.dmp	upx
behavioral2/files/0x0007000000023440-70.dat	upx
behavioral2/files/0x000700000002343c-79.dat	upx
behavioral2/memory/2576-84-0x00007FF75B070000-0x00007FF75B462000-memory.dmp	upx
behavioral2/files/0x0007000000023441-93.dat	upx
behavioral2/files/0x0007000000023442-97.dat	upx
behavioral2/files/0x0008000000023431-126.dat	upx
behavioral2/memory/4544-137-0x00007FF745610000-0x00007FF745A02000-memory.dmp	upx
behavioral2/memory/2640-141-0x00007FF6D5AB0000-0x00007FF6D5EA2000-memory.dmp	upx
behavioral2/files/0x0007000000023448-152.dat	upx
behavioral2/files/0x000700000002344c-160.dat	upx
behavioral2/files/0x000700000002344a-166.dat	upx
behavioral2/memory/2028-183-0x00007FF766030000-0x00007FF766422000-memory.dmp	upx
behavioral2/files/0x000700000002344e-192.dat	upx
behavioral2/memory/3768-202-0x00007FF7138D0000-0x00007FF713CC2000-memory.dmp	upx
behavioral2/memory/3972-201-0x00007FF69A650000-0x00007FF69AA42000-memory.dmp	upx
behavioral2/files/0x0007000000023450-197.dat	upx
behavioral2/files/0x000700000002344f-195.dat	upx
behavioral2/memory/1848-194-0x00007FF7A19E0000-0x00007FF7A1DD2000-memory.dmp	upx
behavioral2/memory/932-191-0x00007FF603F60000-0x00007FF604352000-memory.dmp	upx
behavioral2/files/0x0007000000023452-190.dat	upx
behavioral2/files/0x0007000000023451-189.dat	upx
behavioral2/files/0x000700000002344d-186.dat	upx
behavioral2/memory/4952-184-0x00007FF669F80000-0x00007FF66A372000-memory.dmp	upx
behavioral2/memory/3176-170-0x00007FF73A3A0000-0x00007FF73A792000-memory.dmp	upx
behavioral2/memory/2340-162-0x00007FF6515F0000-0x00007FF6519E2000-memory.dmp	upx
behavioral2/memory/4328-161-0x00007FF6C5E30000-0x00007FF6C6222000-memory.dmp	upx
behavioral2/files/0x0007000000023449-159.dat	upx
behavioral2/files/0x000700000002344b-168.dat	upx
behavioral2/memory/400-156-0x00007FF65F510000-0x00007FF65F902000-memory.dmp	upx
behavioral2/memory/4276-149-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp	upx
behavioral2/memory/4772-148-0x00007FF7B0E20000-0x00007FF7B1212000-memory.dmp	upx
behavioral2/memory/712-138-0x00007FF6DFB90000-0x00007FF6DFF82000-memory.dmp	upx
behavioral2/files/0x0007000000023447-132.dat	upx
behavioral2/files/0x0007000000023446-130.dat	upx
behavioral2/files/0x0007000000023445-128.dat	upx
behavioral2/files/0x0007000000023444-124.dat	upx
behavioral2/files/0x000800000002343e-109.dat	upx
behavioral2/memory/1308-108-0x00007FF7DFE30000-0x00007FF7E0222000-memory.dmp	upx
behavioral2/memory/1016-104-0x00007FF7AAC80000-0x00007FF7AB072000-memory.dmp	upx
behavioral2/files/0x0007000000023443-103.dat	upx
behavioral2/files/0x000800000002343f-95.dat	upx
behavioral2/memory/2792-91-0x00007FF7A5900000-0x00007FF7A5CF2000-memory.dmp	upx
behavioral2/files/0x000700000002343d-86.dat	upx
behavioral2/memory/1624-73-0x00007FF76DDA0000-0x00007FF76E192000-memory.dmp	upx
behavioral2/memory/5108-67-0x00007FF79EF50000-0x00007FF79F342000-memory.dmp	upx
behavioral2/files/0x000700000002343a-48.dat	upx
behavioral2/memory/2472-40-0x00007FF708190000-0x00007FF708582000-memory.dmp	upx
behavioral2/files/0x0007000000023437-31.dat	upx
behavioral2/files/0x0007000000023436-22.dat	upx
behavioral2/memory/4784-2241-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp	upx
behavioral2/memory/2576-2243-0x00007FF75B070000-0x00007FF75B462000-memory.dmp	upx
behavioral2/memory/2792-2244-0x00007FF7A5900000-0x00007FF7A5CF2000-memory.dmp	upx
behavioral2/memory/1016-2245-0x00007FF7AAC80000-0x00007FF7AB072000-memory.dmp	upx
behavioral2/memory/4784-2292-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp	upx
behavioral2/memory/1308-2294-0x00007FF7DFE30000-0x00007FF7E0222000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\DTzTtgF.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\GwzDJya.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\lDyNdQQ.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\MlCSKwg.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\WIbfljF.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\ZPGLjum.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\xHkLXJY.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\LwekRua.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\NmBikEu.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\gnHoKba.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\jzGdKur.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\vwZzHEm.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\WPKOOeM.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\uLPmqph.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\xlLqaur.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\tTBtzvd.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\GxnafVW.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\hcMaShk.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\DDqGrgi.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\GlcyYFU.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\PzarIwL.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\YVgBfPp.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\oAuCszH.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\yBDDPLk.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\ngQVbJJ.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\VEtjnYk.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\QrulXBz.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\VPslewG.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\rhwWZNZ.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\SdpbfUD.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\ljPIOqI.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\CYrKiLJ.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\IlOlFty.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\xcYwCWg.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\tERzyrW.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\cIljgXq.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\HuqHtcp.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\fctjzAV.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\JJTeBVe.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\MswpQPq.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\DQKTPPV.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\AkKpFQc.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\GiJjIsu.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\yJBdFSM.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\joicjys.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\YDnRiUp.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\jUDEsJy.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\HruCoMD.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\EoHXvwK.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\qwpFTNl.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\uoEEikd.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\QZjmwiO.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\BScKGpO.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\hAzeVug.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\drCOdTx.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\eGfMsfB.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\VpZINoe.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\PdqYAlE.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\EAfsyeg.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\GteAvao.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\IGtgmwt.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\BFznlHv.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\kqyCXym.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
File created	C:\Windows\System\RQCvWLZ.exe	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	powershell.exe
4444	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeLockMemoryPrivilege	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 4444	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	81
PID 3936 wrote to memory of 4444	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	81
PID 3936 wrote to memory of 4784	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	82
PID 3936 wrote to memory of 4784	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	82
PID 3936 wrote to memory of 1308	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	83
PID 3936 wrote to memory of 1308	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	83
PID 3936 wrote to memory of 4544	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	84
PID 3936 wrote to memory of 4544	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	84
PID 3936 wrote to memory of 2472	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	85
PID 3936 wrote to memory of 2472	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	85
PID 3936 wrote to memory of 1904	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	86
PID 3936 wrote to memory of 1904	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	86
PID 3936 wrote to memory of 5108	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	87
PID 3936 wrote to memory of 5108	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	87
PID 3936 wrote to memory of 712	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	88
PID 3936 wrote to memory of 712	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	88
PID 3936 wrote to memory of 1624	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	89
PID 3936 wrote to memory of 1624	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	89
PID 3936 wrote to memory of 2640	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	90
PID 3936 wrote to memory of 2640	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	90
PID 3936 wrote to memory of 4772	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	91
PID 3936 wrote to memory of 4772	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	91
PID 3936 wrote to memory of 4276	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	92
PID 3936 wrote to memory of 4276	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	92
PID 3936 wrote to memory of 2576	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	93
PID 3936 wrote to memory of 2576	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	93
PID 3936 wrote to memory of 400	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	94
PID 3936 wrote to memory of 400	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	94
PID 3936 wrote to memory of 2792	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	95
PID 3936 wrote to memory of 2792	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	95
PID 3936 wrote to memory of 4328	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	96
PID 3936 wrote to memory of 4328	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	96
PID 3936 wrote to memory of 1016	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	97
PID 3936 wrote to memory of 1016	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	97
PID 3936 wrote to memory of 2340	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	98
PID 3936 wrote to memory of 2340	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	98
PID 3936 wrote to memory of 1848	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	99
PID 3936 wrote to memory of 1848	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	99
PID 3936 wrote to memory of 3176	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	100
PID 3936 wrote to memory of 3176	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	100
PID 3936 wrote to memory of 2028	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	101
PID 3936 wrote to memory of 2028	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	101
PID 3936 wrote to memory of 4952	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	102
PID 3936 wrote to memory of 4952	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	102
PID 3936 wrote to memory of 932	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	103
PID 3936 wrote to memory of 932	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	103
PID 3936 wrote to memory of 3972	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	104
PID 3936 wrote to memory of 3972	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	104
PID 3936 wrote to memory of 3768	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	105
PID 3936 wrote to memory of 3768	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	105
PID 3936 wrote to memory of 4588	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	106
PID 3936 wrote to memory of 4588	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	106
PID 3936 wrote to memory of 4056	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	107
PID 3936 wrote to memory of 4056	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	107
PID 3936 wrote to memory of 448	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	108
PID 3936 wrote to memory of 448	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	108
PID 3936 wrote to memory of 4620	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	109
PID 3936 wrote to memory of 4620	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	109
PID 3936 wrote to memory of 1092	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	110
PID 3936 wrote to memory of 1092	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	110
PID 3936 wrote to memory of 2348	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	111
PID 3936 wrote to memory of 2348	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	111
PID 3936 wrote to memory of 1768	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	112
PID 3936 wrote to memory of 1768	3936	043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe	112

C:\Users\Admin\AppData\Local\Temp\043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\043236d16f631923bcd21da96a45e540_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4444" "2968" "2920" "2972" "0" "0" "2976" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:13264
- C:\Windows\System\qCaIAFE.exe
  C:\Windows\System\qCaIAFE.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\JqlgdRL.exe
  C:\Windows\System\JqlgdRL.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System\ZDKfBNd.exe
  C:\Windows\System\ZDKfBNd.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\JyOaTOJ.exe
  C:\Windows\System\JyOaTOJ.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\hHcRtoY.exe
  C:\Windows\System\hHcRtoY.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\JDHpmwY.exe
  C:\Windows\System\JDHpmwY.exe
  2⤵
  - Executes dropped EXE
  PID:5108
- C:\Windows\System\AmSYXrb.exe
  C:\Windows\System\AmSYXrb.exe
  2⤵
  - Executes dropped EXE
  PID:712
- C:\Windows\System\JRMxpWi.exe
  C:\Windows\System\JRMxpWi.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\AkKpFQc.exe
  C:\Windows\System\AkKpFQc.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Windows\System\TkCdlsj.exe
  C:\Windows\System\TkCdlsj.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\GxnafVW.exe
  C:\Windows\System\GxnafVW.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System\bmYiVuU.exe
  C:\Windows\System\bmYiVuU.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\CwUZvhK.exe
  C:\Windows\System\CwUZvhK.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\saLaIVe.exe
  C:\Windows\System\saLaIVe.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\WPKOOeM.exe
  C:\Windows\System\WPKOOeM.exe
  2⤵
  - Executes dropped EXE
  PID:4328
- C:\Windows\System\YNJeWsn.exe
  C:\Windows\System\YNJeWsn.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\dxlgIOu.exe
  C:\Windows\System\dxlgIOu.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\LUSfepf.exe
  C:\Windows\System\LUSfepf.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\fKiLXLq.exe
  C:\Windows\System\fKiLXLq.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\poHZPSE.exe
  C:\Windows\System\poHZPSE.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\vCsgPnL.exe
  C:\Windows\System\vCsgPnL.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\HKRNTHH.exe
  C:\Windows\System\HKRNTHH.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System\WGtYcQr.exe
  C:\Windows\System\WGtYcQr.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\HaCYxZc.exe
  C:\Windows\System\HaCYxZc.exe
  2⤵
  - Executes dropped EXE
  PID:3768
- C:\Windows\System\LLVNNYa.exe
  C:\Windows\System\LLVNNYa.exe
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Windows\System\sdOekIT.exe
  C:\Windows\System\sdOekIT.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\WJAPVuE.exe
  C:\Windows\System\WJAPVuE.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\BBMzXnn.exe
  C:\Windows\System\BBMzXnn.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\ptWijMn.exe
  C:\Windows\System\ptWijMn.exe
  2⤵
  - Executes dropped EXE
  PID:1092
- C:\Windows\System\oeopLAR.exe
  C:\Windows\System\oeopLAR.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\kUKxBeR.exe
  C:\Windows\System\kUKxBeR.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\TIjqCKX.exe
  C:\Windows\System\TIjqCKX.exe
  2⤵
  - Executes dropped EXE
  PID:4696
- C:\Windows\System\qLiZOmo.exe
  C:\Windows\System\qLiZOmo.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\ypuIGmm.exe
  C:\Windows\System\ypuIGmm.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\mDqrvxY.exe
  C:\Windows\System\mDqrvxY.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\mpqjzfq.exe
  C:\Windows\System\mpqjzfq.exe
  2⤵
  - Executes dropped EXE
  PID:964
- C:\Windows\System\XNZbVzg.exe
  C:\Windows\System\XNZbVzg.exe
  2⤵
  - Executes dropped EXE
  PID:1344
- C:\Windows\System\qqkkOjB.exe
  C:\Windows\System\qqkkOjB.exe
  2⤵
  - Executes dropped EXE
  PID:3880
- C:\Windows\System\FJPyUHC.exe
  C:\Windows\System\FJPyUHC.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\hAzeVug.exe
  C:\Windows\System\hAzeVug.exe
  2⤵
  - Executes dropped EXE
  PID:4804
- C:\Windows\System\AIJQeqB.exe
  C:\Windows\System\AIJQeqB.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\OMQaHaE.exe
  C:\Windows\System\OMQaHaE.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\RZmxzJB.exe
  C:\Windows\System\RZmxzJB.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\cpAEnxt.exe
  C:\Windows\System\cpAEnxt.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\PiRhBsr.exe
  C:\Windows\System\PiRhBsr.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\ixnujhW.exe
  C:\Windows\System\ixnujhW.exe
  2⤵
  - Executes dropped EXE
  PID:4416
- C:\Windows\System\KnuojMq.exe
  C:\Windows\System\KnuojMq.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\rzInhLy.exe
  C:\Windows\System\rzInhLy.exe
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Windows\System\zNALYmU.exe
  C:\Windows\System\zNALYmU.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\GiJjIsu.exe
  C:\Windows\System\GiJjIsu.exe
  2⤵
  - Executes dropped EXE
  PID:224
- C:\Windows\System\HAtvURK.exe
  C:\Windows\System\HAtvURK.exe
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Windows\System\yLENtKc.exe
  C:\Windows\System\yLENtKc.exe
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\System\NuUxGHk.exe
  C:\Windows\System\NuUxGHk.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\KIYOhUD.exe
  C:\Windows\System\KIYOhUD.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\fUTNpui.exe
  C:\Windows\System\fUTNpui.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- C:\Windows\System\BcPwvjS.exe
  C:\Windows\System\BcPwvjS.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\pZcVQnd.exe
  C:\Windows\System\pZcVQnd.exe
  2⤵
  - Executes dropped EXE
  PID:2012
- C:\Windows\System\NuCMhZc.exe
  C:\Windows\System\NuCMhZc.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\ACUcIWI.exe
  C:\Windows\System\ACUcIWI.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\oFohzeK.exe
  C:\Windows\System\oFohzeK.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\sWJZIXL.exe
  C:\Windows\System\sWJZIXL.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\fYmEeul.exe
  C:\Windows\System\fYmEeul.exe
  2⤵
  - Executes dropped EXE
  PID:5132
- C:\Windows\System\hjqdouk.exe
  C:\Windows\System\hjqdouk.exe
  2⤵
  - Executes dropped EXE
  PID:5156
- C:\Windows\System\CTxmhSH.exe
  C:\Windows\System\CTxmhSH.exe
  2⤵
  - Executes dropped EXE
  PID:5180
- C:\Windows\System\uHqfthw.exe
  C:\Windows\System\uHqfthw.exe
  2⤵
  PID:5208
- C:\Windows\System\EWwgbLp.exe
  C:\Windows\System\EWwgbLp.exe
  2⤵
  PID:5236
- C:\Windows\System\MbizzQM.exe
  C:\Windows\System\MbizzQM.exe
  2⤵
  PID:5264
- C:\Windows\System\gWiuTyw.exe
  C:\Windows\System\gWiuTyw.exe
  2⤵
  PID:5292
- C:\Windows\System\lnWsIsb.exe
  C:\Windows\System\lnWsIsb.exe
  2⤵
  PID:5320
- C:\Windows\System\XtXcGEj.exe
  C:\Windows\System\XtXcGEj.exe
  2⤵
  PID:5348
- C:\Windows\System\ZmKVxjs.exe
  C:\Windows\System\ZmKVxjs.exe
  2⤵
  PID:5376
- C:\Windows\System\MnwlQxN.exe
  C:\Windows\System\MnwlQxN.exe
  2⤵
  PID:5404
- C:\Windows\System\ZoMFhyr.exe
  C:\Windows\System\ZoMFhyr.exe
  2⤵
  PID:5432
- C:\Windows\System\byXHspL.exe
  C:\Windows\System\byXHspL.exe
  2⤵
  PID:5460
- C:\Windows\System\IbcIQVc.exe
  C:\Windows\System\IbcIQVc.exe
  2⤵
  PID:5484
- C:\Windows\System\yijdJQY.exe
  C:\Windows\System\yijdJQY.exe
  2⤵
  PID:5508
- C:\Windows\System\oauYAWX.exe
  C:\Windows\System\oauYAWX.exe
  2⤵
  PID:5580
- C:\Windows\System\CTfdhio.exe
  C:\Windows\System\CTfdhio.exe
  2⤵
  PID:5596
- C:\Windows\System\bglZHeL.exe
  C:\Windows\System\bglZHeL.exe
  2⤵
  PID:5624
- C:\Windows\System\wfYlSnP.exe
  C:\Windows\System\wfYlSnP.exe
  2⤵
  PID:5656
- C:\Windows\System\iBGBPcj.exe
  C:\Windows\System\iBGBPcj.exe
  2⤵
  PID:5672
- C:\Windows\System\DOSIWAD.exe
  C:\Windows\System\DOSIWAD.exe
  2⤵
  PID:5692
- C:\Windows\System\uyylxVY.exe
  C:\Windows\System\uyylxVY.exe
  2⤵
  PID:5724
- C:\Windows\System\caqQreu.exe
  C:\Windows\System\caqQreu.exe
  2⤵
  PID:5772
- C:\Windows\System\oAuCszH.exe
  C:\Windows\System\oAuCszH.exe
  2⤵
  PID:5812
- C:\Windows\System\bnGqJoo.exe
  C:\Windows\System\bnGqJoo.exe
  2⤵
  PID:5852
- C:\Windows\System\SuaDUqG.exe
  C:\Windows\System\SuaDUqG.exe
  2⤵
  PID:5884
- C:\Windows\System\EyHwjhE.exe
  C:\Windows\System\EyHwjhE.exe
  2⤵
  PID:5900
- C:\Windows\System\jIlMHOP.exe
  C:\Windows\System\jIlMHOP.exe
  2⤵
  PID:5916
- C:\Windows\System\DXuJjyd.exe
  C:\Windows\System\DXuJjyd.exe
  2⤵
  PID:5936
- C:\Windows\System\DiLaKkt.exe
  C:\Windows\System\DiLaKkt.exe
  2⤵
  PID:5980
- C:\Windows\System\uScVVga.exe
  C:\Windows\System\uScVVga.exe
  2⤵
  PID:6000
- C:\Windows\System\JBRmnxx.exe
  C:\Windows\System\JBRmnxx.exe
  2⤵
  PID:6036
- C:\Windows\System\xTCXKYl.exe
  C:\Windows\System\xTCXKYl.exe
  2⤵
  PID:6064
- C:\Windows\System\blyuYYE.exe
  C:\Windows\System\blyuYYE.exe
  2⤵
  PID:6104
- C:\Windows\System\lXCpMFg.exe
  C:\Windows\System\lXCpMFg.exe
  2⤵
  PID:6120
- C:\Windows\System\yZuOxgk.exe
  C:\Windows\System\yZuOxgk.exe
  2⤵
  PID:6140
- C:\Windows\System\LARziAt.exe
  C:\Windows\System\LARziAt.exe
  2⤵
  PID:5340
- C:\Windows\System\XheSELM.exe
  C:\Windows\System\XheSELM.exe
  2⤵
  PID:5252
- C:\Windows\System\PrKddtS.exe
  C:\Windows\System\PrKddtS.exe
  2⤵
  PID:5220
- C:\Windows\System\LuKjckG.exe
  C:\Windows\System\LuKjckG.exe
  2⤵
  PID:1924
- C:\Windows\System\RaXyHVh.exe
  C:\Windows\System\RaXyHVh.exe
  2⤵
  PID:1896
- C:\Windows\System\RosTGDa.exe
  C:\Windows\System\RosTGDa.exe
  2⤵
  PID:2072
- C:\Windows\System\OZEtytg.exe
  C:\Windows\System\OZEtytg.exe
  2⤵
  PID:624
- C:\Windows\System\ggonVVa.exe
  C:\Windows\System\ggonVVa.exe
  2⤵
  PID:740
- C:\Windows\System\eLYdQFX.exe
  C:\Windows\System\eLYdQFX.exe
  2⤵
  PID:1376
- C:\Windows\System\ncJseju.exe
  C:\Windows\System\ncJseju.exe
  2⤵
  PID:4380
- C:\Windows\System\CQQTmDP.exe
  C:\Windows\System\CQQTmDP.exe
  2⤵
  PID:4256
- C:\Windows\System\zCLjlkJ.exe
  C:\Windows\System\zCLjlkJ.exe
  2⤵
  PID:4868
- C:\Windows\System\rtMJoey.exe
  C:\Windows\System\rtMJoey.exe
  2⤵
  PID:4412
- C:\Windows\System\zSdKePN.exe
  C:\Windows\System\zSdKePN.exe
  2⤵
  PID:2244
- C:\Windows\System\jtFflfd.exe
  C:\Windows\System\jtFflfd.exe
  2⤵
  PID:3428
- C:\Windows\System\lHFaemB.exe
  C:\Windows\System\lHFaemB.exe
  2⤵
  PID:8
- C:\Windows\System\EqVSnrC.exe
  C:\Windows\System\EqVSnrC.exe
  2⤵
  PID:1984
- C:\Windows\System\YPstCGt.exe
  C:\Windows\System\YPstCGt.exe
  2⤵
  PID:3680
- C:\Windows\System\RneOHcD.exe
  C:\Windows\System\RneOHcD.exe
  2⤵
  PID:1096
- C:\Windows\System\ygRcXkw.exe
  C:\Windows\System\ygRcXkw.exe
  2⤵
  PID:944
- C:\Windows\System\arMJNgE.exe
  C:\Windows\System\arMJNgE.exe
  2⤵
  PID:3056
- C:\Windows\System\WcekulH.exe
  C:\Windows\System\WcekulH.exe
  2⤵
  PID:5392
- C:\Windows\System\kqgYLDk.exe
  C:\Windows\System\kqgYLDk.exe
  2⤵
  PID:5424
- C:\Windows\System\EBMHypU.exe
  C:\Windows\System\EBMHypU.exe
  2⤵
  PID:5524
- C:\Windows\System\QMRVduW.exe
  C:\Windows\System\QMRVduW.exe
  2⤵
  PID:5504
- C:\Windows\System\xQOZSeI.exe
  C:\Windows\System\xQOZSeI.exe
  2⤵
  PID:4796
- C:\Windows\System\AJpnxgO.exe
  C:\Windows\System\AJpnxgO.exe
  2⤵
  PID:5608
- C:\Windows\System\egooKsr.exe
  C:\Windows\System\egooKsr.exe
  2⤵
  PID:4060
- C:\Windows\System\atRiGrk.exe
  C:\Windows\System\atRiGrk.exe
  2⤵
  PID:5688
- C:\Windows\System\NdhINLo.exe
  C:\Windows\System\NdhINLo.exe
  2⤵
  PID:5720
- C:\Windows\System\vnaCPnU.exe
  C:\Windows\System\vnaCPnU.exe
  2⤵
  PID:5768
- C:\Windows\System\DmJCiJA.exe
  C:\Windows\System\DmJCiJA.exe
  2⤵
  PID:2484
- C:\Windows\System\uLPmqph.exe
  C:\Windows\System\uLPmqph.exe
  2⤵
  PID:1012
- C:\Windows\System\rTWtPqV.exe
  C:\Windows\System\rTWtPqV.exe
  2⤵
  PID:620
- C:\Windows\System\OStxLKs.exe
  C:\Windows\System\OStxLKs.exe
  2⤵
  PID:2288
- C:\Windows\System\FYkIpXZ.exe
  C:\Windows\System\FYkIpXZ.exe
  2⤵
  PID:5908
- C:\Windows\System\beGQaoT.exe
  C:\Windows\System\beGQaoT.exe
  2⤵
  PID:5988
- C:\Windows\System\FsZNvzG.exe
  C:\Windows\System\FsZNvzG.exe
  2⤵
  PID:6088
- C:\Windows\System\vqVWoQC.exe
  C:\Windows\System\vqVWoQC.exe
  2⤵
  PID:6128
- C:\Windows\System\EogEAqW.exe
  C:\Windows\System\EogEAqW.exe
  2⤵
  PID:5304
- C:\Windows\System\jyGvVVN.exe
  C:\Windows\System\jyGvVVN.exe
  2⤵
  PID:4008
- C:\Windows\System\WCajTgU.exe
  C:\Windows\System\WCajTgU.exe
  2⤵
  PID:664
- C:\Windows\System\atgNzTJ.exe
  C:\Windows\System\atgNzTJ.exe
  2⤵
  PID:4924
- C:\Windows\System\qUQmDBr.exe
  C:\Windows\System\qUQmDBr.exe
  2⤵
  PID:4436
- C:\Windows\System\aKmYBlm.exe
  C:\Windows\System\aKmYBlm.exe
  2⤵
  PID:4836
- C:\Windows\System\aEbtQXO.exe
  C:\Windows\System\aEbtQXO.exe
  2⤵
  PID:4432
- C:\Windows\System\QqwSMZy.exe
  C:\Windows\System\QqwSMZy.exe
  2⤵
  PID:1752
- C:\Windows\System\hlGSrjM.exe
  C:\Windows\System\hlGSrjM.exe
  2⤵
  PID:1664
- C:\Windows\System\Adayzfh.exe
  C:\Windows\System\Adayzfh.exe
  2⤵
  PID:3540
- C:\Windows\System\RbKaNhd.exe
  C:\Windows\System\RbKaNhd.exe
  2⤵
  PID:5452
- C:\Windows\System\NMsYGuJ.exe
  C:\Windows\System\NMsYGuJ.exe
  2⤵
  PID:5548
- C:\Windows\System\haZSFRe.exe
  C:\Windows\System\haZSFRe.exe
  2⤵
  PID:1828
- C:\Windows\System\rkFvfjF.exe
  C:\Windows\System\rkFvfjF.exe
  2⤵
  PID:5748
- C:\Windows\System\ESvXZqO.exe
  C:\Windows\System\ESvXZqO.exe
  2⤵
  PID:1668
- C:\Windows\System\EIxPVRo.exe
  C:\Windows\System\EIxPVRo.exe
  2⤵
  PID:5896
- C:\Windows\System\sgqjhVs.exe
  C:\Windows\System\sgqjhVs.exe
  2⤵
  PID:5360
- C:\Windows\System\SCCrDka.exe
  C:\Windows\System\SCCrDka.exe
  2⤵
  PID:5224
- C:\Windows\System\gAOYEJU.exe
  C:\Windows\System\gAOYEJU.exe
  2⤵
  PID:1772
- C:\Windows\System\kBLoPSw.exe
  C:\Windows\System\kBLoPSw.exe
  2⤵
  PID:408
- C:\Windows\System\BClvxxP.exe
  C:\Windows\System\BClvxxP.exe
  2⤵
  PID:1600
- C:\Windows\System\DkzBlWe.exe
  C:\Windows\System\DkzBlWe.exe
  2⤵
  PID:808
- C:\Windows\System\bZswnMM.exe
  C:\Windows\System\bZswnMM.exe
  2⤵
  PID:5536
- C:\Windows\System\yoNFPTf.exe
  C:\Windows\System\yoNFPTf.exe
  2⤵
  PID:5700
- C:\Windows\System\lvIPgUU.exe
  C:\Windows\System\lvIPgUU.exe
  2⤵
  PID:5820
- C:\Windows\System\TXpQYtz.exe
  C:\Windows\System\TXpQYtz.exe
  2⤵
  PID:6024
- C:\Windows\System\HUfbTwH.exe
  C:\Windows\System\HUfbTwH.exe
  2⤵
  PID:3356
- C:\Windows\System\VgcuWpu.exe
  C:\Windows\System\VgcuWpu.exe
  2⤵
  PID:800
- C:\Windows\System\LoTgaBv.exe
  C:\Windows\System\LoTgaBv.exe
  2⤵
  PID:5880
- C:\Windows\System\NYRHhwe.exe
  C:\Windows\System\NYRHhwe.exe
  2⤵
  PID:2328
- C:\Windows\System\TqYvbcS.exe
  C:\Windows\System\TqYvbcS.exe
  2⤵
  PID:6148
- C:\Windows\System\nykCagT.exe
  C:\Windows\System\nykCagT.exe
  2⤵
  PID:6180
- C:\Windows\System\ajBDMxM.exe
  C:\Windows\System\ajBDMxM.exe
  2⤵
  PID:6208
- C:\Windows\System\GrRGGOw.exe
  C:\Windows\System\GrRGGOw.exe
  2⤵
  PID:6236
- C:\Windows\System\xnlliQG.exe
  C:\Windows\System\xnlliQG.exe
  2⤵
  PID:6260
- C:\Windows\System\JDLTNOG.exe
  C:\Windows\System\JDLTNOG.exe
  2⤵
  PID:6292
- C:\Windows\System\rEKYLPe.exe
  C:\Windows\System\rEKYLPe.exe
  2⤵
  PID:6336
- C:\Windows\System\uoMcYpD.exe
  C:\Windows\System\uoMcYpD.exe
  2⤵
  PID:6352
- C:\Windows\System\vASXJqk.exe
  C:\Windows\System\vASXJqk.exe
  2⤵
  PID:6376
- C:\Windows\System\DlztwHk.exe
  C:\Windows\System\DlztwHk.exe
  2⤵
  PID:6396
- C:\Windows\System\EEQZzgS.exe
  C:\Windows\System\EEQZzgS.exe
  2⤵
  PID:6420
- C:\Windows\System\ywNUXNm.exe
  C:\Windows\System\ywNUXNm.exe
  2⤵
  PID:6472
- C:\Windows\System\UuFNgmQ.exe
  C:\Windows\System\UuFNgmQ.exe
  2⤵
  PID:6492
- C:\Windows\System\viLYIgi.exe
  C:\Windows\System\viLYIgi.exe
  2⤵
  PID:6516
- C:\Windows\System\aHOBuYd.exe
  C:\Windows\System\aHOBuYd.exe
  2⤵
  PID:6548
- C:\Windows\System\UVztsCV.exe
  C:\Windows\System\UVztsCV.exe
  2⤵
  PID:6572
- C:\Windows\System\vvQkatB.exe
  C:\Windows\System\vvQkatB.exe
  2⤵
  PID:6588
- C:\Windows\System\WmqVtag.exe
  C:\Windows\System\WmqVtag.exe
  2⤵
  PID:6612
- C:\Windows\System\opzqMkI.exe
  C:\Windows\System\opzqMkI.exe
  2⤵
  PID:6640
- C:\Windows\System\rfLQKZS.exe
  C:\Windows\System\rfLQKZS.exe
  2⤵
  PID:6656
- C:\Windows\System\xjkXddC.exe
  C:\Windows\System\xjkXddC.exe
  2⤵
  PID:6680
- C:\Windows\System\Osdmjnf.exe
  C:\Windows\System\Osdmjnf.exe
  2⤵
  PID:6696
- C:\Windows\System\DUExyoG.exe
  C:\Windows\System\DUExyoG.exe
  2⤵
  PID:6716
- C:\Windows\System\oJDEZpz.exe
  C:\Windows\System\oJDEZpz.exe
  2⤵
  PID:6732
- C:\Windows\System\yzHQelx.exe
  C:\Windows\System\yzHQelx.exe
  2⤵
  PID:6760
- C:\Windows\System\EQEPvaC.exe
  C:\Windows\System\EQEPvaC.exe
  2⤵
  PID:6792
- C:\Windows\System\XtDVDHd.exe
  C:\Windows\System\XtDVDHd.exe
  2⤵
  PID:6848
- C:\Windows\System\gdburis.exe
  C:\Windows\System\gdburis.exe
  2⤵
  PID:6864
- C:\Windows\System\dVUdQqd.exe
  C:\Windows\System\dVUdQqd.exe
  2⤵
  PID:6916
- C:\Windows\System\thicSIg.exe
  C:\Windows\System\thicSIg.exe
  2⤵
  PID:6936
- C:\Windows\System\QjkLvRp.exe
  C:\Windows\System\QjkLvRp.exe
  2⤵
  PID:6960
- C:\Windows\System\EeAzNiw.exe
  C:\Windows\System\EeAzNiw.exe
  2⤵
  PID:7020
- C:\Windows\System\CeOVYQg.exe
  C:\Windows\System\CeOVYQg.exe
  2⤵
  PID:7036
- C:\Windows\System\ayqSmlP.exe
  C:\Windows\System\ayqSmlP.exe
  2⤵
  PID:7060
- C:\Windows\System\JCzEGne.exe
  C:\Windows\System\JCzEGne.exe
  2⤵
  PID:7080
- C:\Windows\System\LTNVQod.exe
  C:\Windows\System\LTNVQod.exe
  2⤵
  PID:7100
- C:\Windows\System\HKkpAKP.exe
  C:\Windows\System\HKkpAKP.exe
  2⤵
  PID:7120
- C:\Windows\System\MGMJSHS.exe
  C:\Windows\System\MGMJSHS.exe
  2⤵
  PID:7136
- C:\Windows\System\gsPhUQG.exe
  C:\Windows\System\gsPhUQG.exe
  2⤵
  PID:7156
- C:\Windows\System\kVfjlEZ.exe
  C:\Windows\System\kVfjlEZ.exe
  2⤵
  PID:6232
- C:\Windows\System\aULURZB.exe
  C:\Windows\System\aULURZB.exe
  2⤵
  PID:6368
- C:\Windows\System\IjQZjin.exe
  C:\Windows\System\IjQZjin.exe
  2⤵
  PID:6388
- C:\Windows\System\qgIbJnK.exe
  C:\Windows\System\qgIbJnK.exe
  2⤵
  PID:6452
- C:\Windows\System\nijXjll.exe
  C:\Windows\System\nijXjll.exe
  2⤵
  PID:6540
- C:\Windows\System\LVCFXRJ.exe
  C:\Windows\System\LVCFXRJ.exe
  2⤵
  PID:6636
- C:\Windows\System\HMobZox.exe
  C:\Windows\System\HMobZox.exe
  2⤵
  PID:6652
- C:\Windows\System\NegVRLr.exe
  C:\Windows\System\NegVRLr.exe
  2⤵
  PID:6740
- C:\Windows\System\uYvZYXr.exe
  C:\Windows\System\uYvZYXr.exe
  2⤵
  PID:6820
- C:\Windows\System\LQCOBnS.exe
  C:\Windows\System\LQCOBnS.exe
  2⤵
  PID:6856
- C:\Windows\System\FiQTenu.exe
  C:\Windows\System\FiQTenu.exe
  2⤵
  PID:6956
- C:\Windows\System\fMnGelq.exe
  C:\Windows\System\fMnGelq.exe
  2⤵
  PID:7052
- C:\Windows\System\YKIzmNl.exe
  C:\Windows\System\YKIzmNl.exe
  2⤵
  PID:7096
- C:\Windows\System\kUvvEBy.exe
  C:\Windows\System\kUvvEBy.exe
  2⤵
  PID:7128
- C:\Windows\System\QcBCsqI.exe
  C:\Windows\System\QcBCsqI.exe
  2⤵
  PID:5144
- C:\Windows\System\VAFXIpP.exe
  C:\Windows\System\VAFXIpP.exe
  2⤵
  PID:6404
- C:\Windows\System\ffazwxr.exe
  C:\Windows\System\ffazwxr.exe
  2⤵
  PID:6488
- C:\Windows\System\RQNtuod.exe
  C:\Windows\System\RQNtuod.exe
  2⤵
  PID:6528
- C:\Windows\System\CxqEYER.exe
  C:\Windows\System\CxqEYER.exe
  2⤵
  PID:6748
- C:\Windows\System\xPBEXEd.exe
  C:\Windows\System\xPBEXEd.exe
  2⤵
  PID:6728
- C:\Windows\System\uPxbsqL.exe
  C:\Windows\System\uPxbsqL.exe
  2⤵
  PID:6768
- C:\Windows\System\fctjzAV.exe
  C:\Windows\System\fctjzAV.exe
  2⤵
  PID:7048
- C:\Windows\System\lAsIzRG.exe
  C:\Windows\System\lAsIzRG.exe
  2⤵
  PID:6176
- C:\Windows\System\SewYtUH.exe
  C:\Windows\System\SewYtUH.exe
  2⤵
  PID:6608
- C:\Windows\System\vKaoysX.exe
  C:\Windows\System\vKaoysX.exe
  2⤵
  PID:6604
- C:\Windows\System\HffUIta.exe
  C:\Windows\System\HffUIta.exe
  2⤵
  PID:6512
- C:\Windows\System\bReUeFl.exe
  C:\Windows\System\bReUeFl.exe
  2⤵
  PID:7152
- C:\Windows\System\BddLizi.exe
  C:\Windows\System\BddLizi.exe
  2⤵
  PID:7176
- C:\Windows\System\yhWNNfQ.exe
  C:\Windows\System\yhWNNfQ.exe
  2⤵
  PID:7204
- C:\Windows\System\qsCInAk.exe
  C:\Windows\System\qsCInAk.exe
  2⤵
  PID:7236
- C:\Windows\System\SoMuHrG.exe
  C:\Windows\System\SoMuHrG.exe
  2⤵
  PID:7276
- C:\Windows\System\GCdqahq.exe
  C:\Windows\System\GCdqahq.exe
  2⤵
  PID:7292
- C:\Windows\System\narHoRY.exe
  C:\Windows\System\narHoRY.exe
  2⤵
  PID:7308
- C:\Windows\System\IhCQAPQ.exe
  C:\Windows\System\IhCQAPQ.exe
  2⤵
  PID:7336
- C:\Windows\System\naReAyA.exe
  C:\Windows\System\naReAyA.exe
  2⤵
  PID:7356
- C:\Windows\System\GgKEDOQ.exe
  C:\Windows\System\GgKEDOQ.exe
  2⤵
  PID:7376
- C:\Windows\System\krfotGM.exe
  C:\Windows\System\krfotGM.exe
  2⤵
  PID:7404
- C:\Windows\System\kzyvRVh.exe
  C:\Windows\System\kzyvRVh.exe
  2⤵
  PID:7420
- C:\Windows\System\esSVRAq.exe
  C:\Windows\System\esSVRAq.exe
  2⤵
  PID:7440
- C:\Windows\System\uXkpqvC.exe
  C:\Windows\System\uXkpqvC.exe
  2⤵
  PID:7512
- C:\Windows\System\bXYAHcj.exe
  C:\Windows\System\bXYAHcj.exe
  2⤵
  PID:7532
- C:\Windows\System\pZwnFuc.exe
  C:\Windows\System\pZwnFuc.exe
  2⤵
  PID:7556
- C:\Windows\System\YfpUokE.exe
  C:\Windows\System\YfpUokE.exe
  2⤵
  PID:7616
- C:\Windows\System\acVRJdU.exe
  C:\Windows\System\acVRJdU.exe
  2⤵
  PID:7648
- C:\Windows\System\FALYlrA.exe
  C:\Windows\System\FALYlrA.exe
  2⤵
  PID:7672
- C:\Windows\System\ljPIOqI.exe
  C:\Windows\System\ljPIOqI.exe
  2⤵
  PID:7688
- C:\Windows\System\RfAFofh.exe
  C:\Windows\System\RfAFofh.exe
  2⤵
  PID:7708
- C:\Windows\System\lYYHYDL.exe
  C:\Windows\System\lYYHYDL.exe
  2⤵
  PID:7728
- C:\Windows\System\agbawVq.exe
  C:\Windows\System\agbawVq.exe
  2⤵
  PID:7756
- C:\Windows\System\EoHXvwK.exe
  C:\Windows\System\EoHXvwK.exe
  2⤵
  PID:7776
- C:\Windows\System\sjurdNo.exe
  C:\Windows\System\sjurdNo.exe
  2⤵
  PID:7820
- C:\Windows\System\XXDMkum.exe
  C:\Windows\System\XXDMkum.exe
  2⤵
  PID:7880
- C:\Windows\System\aUHgOWS.exe
  C:\Windows\System\aUHgOWS.exe
  2⤵
  PID:7900
- C:\Windows\System\joicjys.exe
  C:\Windows\System\joicjys.exe
  2⤵
  PID:7936
- C:\Windows\System\lTGQpbN.exe
  C:\Windows\System\lTGQpbN.exe
  2⤵
  PID:7956
- C:\Windows\System\TSEUXqo.exe
  C:\Windows\System\TSEUXqo.exe
  2⤵
  PID:7976
- C:\Windows\System\TlcvIAJ.exe
  C:\Windows\System\TlcvIAJ.exe
  2⤵
  PID:7996
- C:\Windows\System\UjWSwLP.exe
  C:\Windows\System\UjWSwLP.exe
  2⤵
  PID:8040
- C:\Windows\System\EfkAuqC.exe
  C:\Windows\System\EfkAuqC.exe
  2⤵
  PID:8060
- C:\Windows\System\vcUIgNP.exe
  C:\Windows\System\vcUIgNP.exe
  2⤵
  PID:8104
- C:\Windows\System\OVBpdCU.exe
  C:\Windows\System\OVBpdCU.exe
  2⤵
  PID:8120
- C:\Windows\System\YDnRiUp.exe
  C:\Windows\System\YDnRiUp.exe
  2⤵
  PID:8136
- C:\Windows\System\fLLswwQ.exe
  C:\Windows\System\fLLswwQ.exe
  2⤵
  PID:8160
- C:\Windows\System\xlLqaur.exe
  C:\Windows\System\xlLqaur.exe
  2⤵
  PID:6724
- C:\Windows\System\jjrexdN.exe
  C:\Windows\System\jjrexdN.exe
  2⤵
  PID:7228
- C:\Windows\System\cqKfKht.exe
  C:\Windows\System\cqKfKht.exe
  2⤵
  PID:7256
- C:\Windows\System\fYwjQzf.exe
  C:\Windows\System\fYwjQzf.exe
  2⤵
  PID:7316
- C:\Windows\System\ABJYEdd.exe
  C:\Windows\System\ABJYEdd.exe
  2⤵
  PID:7288
- C:\Windows\System\DHAuXtV.exe
  C:\Windows\System\DHAuXtV.exe
  2⤵
  PID:7388
- C:\Windows\System\RUXquTc.exe
  C:\Windows\System\RUXquTc.exe
  2⤵
  PID:7400
- C:\Windows\System\zMCfEcF.exe
  C:\Windows\System\zMCfEcF.exe
  2⤵
  PID:7568
- C:\Windows\System\VPslewG.exe
  C:\Windows\System\VPslewG.exe
  2⤵
  PID:7660
- C:\Windows\System\GHwaZgy.exe
  C:\Windows\System\GHwaZgy.exe
  2⤵
  PID:7720
- C:\Windows\System\cOHaMMD.exe
  C:\Windows\System\cOHaMMD.exe
  2⤵
  PID:7812
- C:\Windows\System\pSrFIxO.exe
  C:\Windows\System\pSrFIxO.exe
  2⤵
  PID:7928
- C:\Windows\System\AOGBXuF.exe
  C:\Windows\System\AOGBXuF.exe
  2⤵
  PID:7920
- C:\Windows\System\qXuBGon.exe
  C:\Windows\System\qXuBGon.exe
  2⤵
  PID:7992
- C:\Windows\System\kIoFGYD.exe
  C:\Windows\System\kIoFGYD.exe
  2⤵
  PID:8052
- C:\Windows\System\yJBdFSM.exe
  C:\Windows\System\yJBdFSM.exe
  2⤵
  PID:8100
- C:\Windows\System\MTWxQDe.exe
  C:\Windows\System\MTWxQDe.exe
  2⤵
  PID:8144
- C:\Windows\System\tKohPVJ.exe
  C:\Windows\System\tKohPVJ.exe
  2⤵
  PID:8184
- C:\Windows\System\QWJOIim.exe
  C:\Windows\System\QWJOIim.exe
  2⤵
  PID:7432
- C:\Windows\System\noiByxW.exe
  C:\Windows\System\noiByxW.exe
  2⤵
  PID:7300
- C:\Windows\System\ynZhFOT.exe
  C:\Windows\System\ynZhFOT.exe
  2⤵
  PID:7416
- C:\Windows\System\SxJBJpm.exe
  C:\Windows\System\SxJBJpm.exe
  2⤵
  PID:7724
- C:\Windows\System\bBLVowF.exe
  C:\Windows\System\bBLVowF.exe
  2⤵
  PID:7768
- C:\Windows\System\SAINAaU.exe
  C:\Windows\System\SAINAaU.exe
  2⤵
  PID:7876
- C:\Windows\System\drCOdTx.exe
  C:\Windows\System\drCOdTx.exe
  2⤵
  PID:1748
- C:\Windows\System\vvBqDyg.exe
  C:\Windows\System\vvBqDyg.exe
  2⤵
  PID:7220
- C:\Windows\System\AMYcgJD.exe
  C:\Windows\System\AMYcgJD.exe
  2⤵
  PID:3320
- C:\Windows\System\rhwWZNZ.exe
  C:\Windows\System\rhwWZNZ.exe
  2⤵
  PID:8196
- C:\Windows\System\WLoksRt.exe
  C:\Windows\System\WLoksRt.exe
  2⤵
  PID:8228
- C:\Windows\System\ZLYKDya.exe
  C:\Windows\System\ZLYKDya.exe
  2⤵
  PID:8248
- C:\Windows\System\LWjdqXS.exe
  C:\Windows\System\LWjdqXS.exe
  2⤵
  PID:8264
- C:\Windows\System\wVouxlq.exe
  C:\Windows\System\wVouxlq.exe
  2⤵
  PID:8328
- C:\Windows\System\pqluvyg.exe
  C:\Windows\System\pqluvyg.exe
  2⤵
  PID:8368
- C:\Windows\System\JfQvzve.exe
  C:\Windows\System\JfQvzve.exe
  2⤵
  PID:8388
- C:\Windows\System\jxoNCxB.exe
  C:\Windows\System\jxoNCxB.exe
  2⤵
  PID:8444
- C:\Windows\System\qNoEuYQ.exe
  C:\Windows\System\qNoEuYQ.exe
  2⤵
  PID:8460
- C:\Windows\System\hIuYrav.exe
  C:\Windows\System\hIuYrav.exe
  2⤵
  PID:8484
- C:\Windows\System\BDcadic.exe
  C:\Windows\System\BDcadic.exe
  2⤵
  PID:8512
- C:\Windows\System\YMbXbnB.exe
  C:\Windows\System\YMbXbnB.exe
  2⤵
  PID:8532
- C:\Windows\System\rNEzqKG.exe
  C:\Windows\System\rNEzqKG.exe
  2⤵
  PID:8556
- C:\Windows\System\WFCaYmc.exe
  C:\Windows\System\WFCaYmc.exe
  2⤵
  PID:8576
- C:\Windows\System\ADcMqcm.exe
  C:\Windows\System\ADcMqcm.exe
  2⤵
  PID:8632
- C:\Windows\System\VmLbdxr.exe
  C:\Windows\System\VmLbdxr.exe
  2⤵
  PID:8660
- C:\Windows\System\SZIetxq.exe
  C:\Windows\System\SZIetxq.exe
  2⤵
  PID:8676
- C:\Windows\System\xWGlOrN.exe
  C:\Windows\System\xWGlOrN.exe
  2⤵
  PID:8696
- C:\Windows\System\viDbKlh.exe
  C:\Windows\System\viDbKlh.exe
  2⤵
  PID:8716
- C:\Windows\System\RkimsTn.exe
  C:\Windows\System\RkimsTn.exe
  2⤵
  PID:8736
- C:\Windows\System\tcScxYj.exe
  C:\Windows\System\tcScxYj.exe
  2⤵
  PID:8756
- C:\Windows\System\emdwAhb.exe
  C:\Windows\System\emdwAhb.exe
  2⤵
  PID:8776
- C:\Windows\System\neWpqxi.exe
  C:\Windows\System\neWpqxi.exe
  2⤵
  PID:8792
- C:\Windows\System\RbGWTFn.exe
  C:\Windows\System\RbGWTFn.exe
  2⤵
  PID:8812
- C:\Windows\System\UeWyEDs.exe
  C:\Windows\System\UeWyEDs.exe
  2⤵
  PID:8828
- C:\Windows\System\GZeQsbc.exe
  C:\Windows\System\GZeQsbc.exe
  2⤵
  PID:8852
- C:\Windows\System\bAcZuZa.exe
  C:\Windows\System\bAcZuZa.exe
  2⤵
  PID:8900
- C:\Windows\System\gkodfFW.exe
  C:\Windows\System\gkodfFW.exe
  2⤵
  PID:8916
- C:\Windows\System\jPpDEfL.exe
  C:\Windows\System\jPpDEfL.exe
  2⤵
  PID:8944
- C:\Windows\System\WfgPYbp.exe
  C:\Windows\System\WfgPYbp.exe
  2⤵
  PID:9000
- C:\Windows\System\fzOmeML.exe
  C:\Windows\System\fzOmeML.exe
  2⤵
  PID:9016
- C:\Windows\System\MDNDJrP.exe
  C:\Windows\System\MDNDJrP.exe
  2⤵
  PID:9044
- C:\Windows\System\lRGgrqP.exe
  C:\Windows\System\lRGgrqP.exe
  2⤵
  PID:9060
- C:\Windows\System\rJFhCEc.exe
  C:\Windows\System\rJFhCEc.exe
  2⤵
  PID:9080
- C:\Windows\System\NURUvvi.exe
  C:\Windows\System\NURUvvi.exe
  2⤵
  PID:9096
- C:\Windows\System\pNGgGNm.exe
  C:\Windows\System\pNGgGNm.exe
  2⤵
  PID:9120
- C:\Windows\System\IDMYySS.exe
  C:\Windows\System\IDMYySS.exe
  2⤵
  PID:9140
- C:\Windows\System\eLXaaPa.exe
  C:\Windows\System\eLXaaPa.exe
  2⤵
  PID:9184
- C:\Windows\System\wIGOoXd.exe
  C:\Windows\System\wIGOoXd.exe
  2⤵
  PID:7372
- C:\Windows\System\QcEPWpe.exe
  C:\Windows\System\QcEPWpe.exe
  2⤵
  PID:8408
- C:\Windows\System\yrCmbmG.exe
  C:\Windows\System\yrCmbmG.exe
  2⤵
  PID:8496
- C:\Windows\System\gyNyerk.exe
  C:\Windows\System\gyNyerk.exe
  2⤵
  PID:8568
- C:\Windows\System\itTXWRe.exe
  C:\Windows\System\itTXWRe.exe
  2⤵
  PID:8616
- C:\Windows\System\qwpFTNl.exe
  C:\Windows\System\qwpFTNl.exe
  2⤵
  PID:8688
- C:\Windows\System\pDzGyoe.exe
  C:\Windows\System\pDzGyoe.exe
  2⤵
  PID:8768
- C:\Windows\System\hJxcVUU.exe
  C:\Windows\System\hJxcVUU.exe
  2⤵
  PID:8692
- C:\Windows\System\Upzklml.exe
  C:\Windows\System\Upzklml.exe
  2⤵
  PID:7216
- C:\Windows\System\TzwWLbJ.exe
  C:\Windows\System\TzwWLbJ.exe
  2⤵
  PID:8840
- C:\Windows\System\kqyCXym.exe
  C:\Windows\System\kqyCXym.exe
  2⤵
  PID:9160
- C:\Windows\System\aUkgcgp.exe
  C:\Windows\System\aUkgcgp.exe
  2⤵
  PID:9040
- C:\Windows\System\sdwZnzz.exe
  C:\Windows\System\sdwZnzz.exe
  2⤵
  PID:9076
- C:\Windows\System\MOdEBPi.exe
  C:\Windows\System\MOdEBPi.exe
  2⤵
  PID:8988
- C:\Windows\System\GOwAmcA.exe
  C:\Windows\System\GOwAmcA.exe
  2⤵
  PID:9136
- C:\Windows\System\SUHROtP.exe
  C:\Windows\System\SUHROtP.exe
  2⤵
  PID:8156
- C:\Windows\System\kQcwhaT.exe
  C:\Windows\System\kQcwhaT.exe
  2⤵
  PID:1628
- C:\Windows\System\xjzgmdk.exe
  C:\Windows\System\xjzgmdk.exe
  2⤵
  PID:3840
- C:\Windows\System\uoEEikd.exe
  C:\Windows\System\uoEEikd.exe
  2⤵
  PID:4156
- C:\Windows\System\ShjvbBF.exe
  C:\Windows\System\ShjvbBF.exe
  2⤵
  PID:8624
- C:\Windows\System\JYvgoUT.exe
  C:\Windows\System\JYvgoUT.exe
  2⤵
  PID:8884
- C:\Windows\System\asKoUKP.exe
  C:\Windows\System\asKoUKP.exe
  2⤵
  PID:9104
- C:\Windows\System\dOSTYBW.exe
  C:\Windows\System\dOSTYBW.exe
  2⤵
  PID:7700
- C:\Windows\System\bsVyjFO.exe
  C:\Windows\System\bsVyjFO.exe
  2⤵
  PID:8544
- C:\Windows\System\EqnczQf.exe
  C:\Windows\System\EqnczQf.exe
  2⤵
  PID:8520
- C:\Windows\System\nDEhRRh.exe
  C:\Windows\System\nDEhRRh.exe
  2⤵
  PID:8824
- C:\Windows\System\DlbNNpQ.exe
  C:\Windows\System\DlbNNpQ.exe
  2⤵
  PID:8300
- C:\Windows\System\BTKASdx.exe
  C:\Windows\System\BTKASdx.exe
  2⤵
  PID:640
- C:\Windows\System\fnrSdtf.exe
  C:\Windows\System\fnrSdtf.exe
  2⤵
  PID:9228
- C:\Windows\System\npJIDRt.exe
  C:\Windows\System\npJIDRt.exe
  2⤵
  PID:9248
- C:\Windows\System\EUPKeAu.exe
  C:\Windows\System\EUPKeAu.exe
  2⤵
  PID:9264
- C:\Windows\System\EiOVuXB.exe
  C:\Windows\System\EiOVuXB.exe
  2⤵
  PID:9288
- C:\Windows\System\gkomyRl.exe
  C:\Windows\System\gkomyRl.exe
  2⤵
  PID:9304
- C:\Windows\System\vQJTcAi.exe
  C:\Windows\System\vQJTcAi.exe
  2⤵
  PID:9336
- C:\Windows\System\wYgNpRm.exe
  C:\Windows\System\wYgNpRm.exe
  2⤵
  PID:9360
- C:\Windows\System\WedDPDz.exe
  C:\Windows\System\WedDPDz.exe
  2⤵
  PID:9388
- C:\Windows\System\eMzKyqb.exe
  C:\Windows\System\eMzKyqb.exe
  2⤵
  PID:9412
- C:\Windows\System\XfBRvxf.exe
  C:\Windows\System\XfBRvxf.exe
  2⤵
  PID:9432
- C:\Windows\System\RhNxuJs.exe
  C:\Windows\System\RhNxuJs.exe
  2⤵
  PID:9488
- C:\Windows\System\lDtmsju.exe
  C:\Windows\System\lDtmsju.exe
  2⤵
  PID:9544
- C:\Windows\System\DvrjwkB.exe
  C:\Windows\System\DvrjwkB.exe
  2⤵
  PID:9560
- C:\Windows\System\KfFrkAP.exe
  C:\Windows\System\KfFrkAP.exe
  2⤵
  PID:9580
- C:\Windows\System\EcEOryC.exe
  C:\Windows\System\EcEOryC.exe
  2⤵
  PID:9596
- C:\Windows\System\SvJUSGD.exe
  C:\Windows\System\SvJUSGD.exe
  2⤵
  PID:9632
- C:\Windows\System\VlwwYdh.exe
  C:\Windows\System\VlwwYdh.exe
  2⤵
  PID:9664
- C:\Windows\System\hCWrhfC.exe
  C:\Windows\System\hCWrhfC.exe
  2⤵
  PID:9692
- C:\Windows\System\YsOHVGa.exe
  C:\Windows\System\YsOHVGa.exe
  2⤵
  PID:9720
- C:\Windows\System\apjYZTq.exe
  C:\Windows\System\apjYZTq.exe
  2⤵
  PID:9752
- C:\Windows\System\xLwbwjP.exe
  C:\Windows\System\xLwbwjP.exe
  2⤵
  PID:9772
- C:\Windows\System\SCwqGay.exe
  C:\Windows\System\SCwqGay.exe
  2⤵
  PID:9796
- C:\Windows\System\QTpiJUr.exe
  C:\Windows\System\QTpiJUr.exe
  2⤵
  PID:9816
- C:\Windows\System\iFAHMUf.exe
  C:\Windows\System\iFAHMUf.exe
  2⤵
  PID:9840
- C:\Windows\System\HhGncvF.exe
  C:\Windows\System\HhGncvF.exe
  2⤵
  PID:9860
- C:\Windows\System\RxQrdvW.exe
  C:\Windows\System\RxQrdvW.exe
  2⤵
  PID:9876
- C:\Windows\System\jEarqoF.exe
  C:\Windows\System\jEarqoF.exe
  2⤵
  PID:9908
- C:\Windows\System\cVxIDOq.exe
  C:\Windows\System\cVxIDOq.exe
  2⤵
  PID:9964
- C:\Windows\System\JJTeBVe.exe
  C:\Windows\System\JJTeBVe.exe
  2⤵
  PID:9992
- C:\Windows\System\KWmEAPL.exe
  C:\Windows\System\KWmEAPL.exe
  2⤵
  PID:10040
- C:\Windows\System\HNGPulg.exe
  C:\Windows\System\HNGPulg.exe
  2⤵
  PID:10056
- C:\Windows\System\QlnNokq.exe
  C:\Windows\System\QlnNokq.exe
  2⤵
  PID:10092
- C:\Windows\System\HQapugz.exe
  C:\Windows\System\HQapugz.exe
  2⤵
  PID:10112
- C:\Windows\System\FZWUcgp.exe
  C:\Windows\System\FZWUcgp.exe
  2⤵
  PID:10132
- C:\Windows\System\HHwEDem.exe
  C:\Windows\System\HHwEDem.exe
  2⤵
  PID:10164
- C:\Windows\System\CCAAbHp.exe
  C:\Windows\System\CCAAbHp.exe
  2⤵
  PID:10180
- C:\Windows\System\uQDtPFa.exe
  C:\Windows\System\uQDtPFa.exe
  2⤵
  PID:10208
- C:\Windows\System\ZxwWVrE.exe
  C:\Windows\System\ZxwWVrE.exe
  2⤵
  PID:10224
- C:\Windows\System\BncEbhH.exe
  C:\Windows\System\BncEbhH.exe
  2⤵
  PID:9296
- C:\Windows\System\OCLoHDw.exe
  C:\Windows\System\OCLoHDw.exe
  2⤵
  PID:9256
- C:\Windows\System\EddmWUL.exe
  C:\Windows\System\EddmWUL.exe
  2⤵
  PID:9376
- C:\Windows\System\HdHfGiw.exe
  C:\Windows\System\HdHfGiw.exe
  2⤵
  PID:8360
- C:\Windows\System\EVjKpZn.exe
  C:\Windows\System\EVjKpZn.exe
  2⤵
  PID:9476
- C:\Windows\System\wsKcxnx.exe
  C:\Windows\System\wsKcxnx.exe
  2⤵
  PID:9608
- C:\Windows\System\PyZiuiE.exe
  C:\Windows\System\PyZiuiE.exe
  2⤵
  PID:9680
- C:\Windows\System\zKPuWzD.exe
  C:\Windows\System\zKPuWzD.exe
  2⤵
  PID:9764
- C:\Windows\System\IYGxMhA.exe
  C:\Windows\System\IYGxMhA.exe
  2⤵
  PID:9808
- C:\Windows\System\OksMMYl.exe
  C:\Windows\System\OksMMYl.exe
  2⤵
  PID:9832
- C:\Windows\System\xtbDGii.exe
  C:\Windows\System\xtbDGii.exe
  2⤵
  PID:9936
- C:\Windows\System\TkbmWIw.exe
  C:\Windows\System\TkbmWIw.exe
  2⤵
  PID:10024
- C:\Windows\System\DiNjSma.exe
  C:\Windows\System\DiNjSma.exe
  2⤵
  PID:10004
- C:\Windows\System\hJFTmSz.exe
  C:\Windows\System\hJFTmSz.exe
  2⤵
  PID:10068
- C:\Windows\System\FErezkq.exe
  C:\Windows\System\FErezkq.exe
  2⤵
  PID:10160
- C:\Windows\System\IwctYhj.exe
  C:\Windows\System\IwctYhj.exe
  2⤵
  PID:9452
- C:\Windows\System\KOyGcvH.exe
  C:\Windows\System\KOyGcvH.exe
  2⤵
  PID:9352
- C:\Windows\System\zvUttcc.exe
  C:\Windows\System\zvUttcc.exe
  2⤵
  PID:9428
- C:\Windows\System\fARylCQ.exe
  C:\Windows\System\fARylCQ.exe
  2⤵
  PID:9592
- C:\Windows\System\FcSKhoF.exe
  C:\Windows\System\FcSKhoF.exe
  2⤵
  PID:9708
- C:\Windows\System\WkSFoks.exe
  C:\Windows\System\WkSFoks.exe
  2⤵
  PID:9932
- C:\Windows\System\FGURDid.exe
  C:\Windows\System\FGURDid.exe
  2⤵
  PID:10036
- C:\Windows\System\vhQpbgd.exe
  C:\Windows\System\vhQpbgd.exe
  2⤵
  PID:9272
- C:\Windows\System\AiaukKg.exe
  C:\Windows\System\AiaukKg.exe
  2⤵
  PID:9316
- C:\Windows\System\mLKuCHi.exe
  C:\Windows\System\mLKuCHi.exe
  2⤵
  PID:9952
- C:\Windows\System\hiSgnBt.exe
  C:\Windows\System\hiSgnBt.exe
  2⤵
  PID:10264
- C:\Windows\System\dDCsyPD.exe
  C:\Windows\System\dDCsyPD.exe
  2⤵
  PID:10300
- C:\Windows\System\rRvyFXc.exe
  C:\Windows\System\rRvyFXc.exe
  2⤵
  PID:10332
- C:\Windows\System\yTwGUMc.exe
  C:\Windows\System\yTwGUMc.exe
  2⤵
  PID:10360
- C:\Windows\System\aALCiqV.exe
  C:\Windows\System\aALCiqV.exe
  2⤵
  PID:10396
- C:\Windows\System\eTTatoE.exe
  C:\Windows\System\eTTatoE.exe
  2⤵
  PID:10412
- C:\Windows\System\iCNlJJA.exe
  C:\Windows\System\iCNlJJA.exe
  2⤵
  PID:10436
- C:\Windows\System\HQEQnaq.exe
  C:\Windows\System\HQEQnaq.exe
  2⤵
  PID:10456
- C:\Windows\System\gQXXjVr.exe
  C:\Windows\System\gQXXjVr.exe
  2⤵
  PID:10480
- C:\Windows\System\iSegRcJ.exe
  C:\Windows\System\iSegRcJ.exe
  2⤵
  PID:10524
- C:\Windows\System\eTcicBM.exe
  C:\Windows\System\eTcicBM.exe
  2⤵
  PID:10544
- C:\Windows\System\RpAziNZ.exe
  C:\Windows\System\RpAziNZ.exe
  2⤵
  PID:10576
- C:\Windows\System\kfpbFke.exe
  C:\Windows\System\kfpbFke.exe
  2⤵
  PID:10604
- C:\Windows\System\nekDCiy.exe
  C:\Windows\System\nekDCiy.exe
  2⤵
  PID:10628
- C:\Windows\System\ZWBTaBg.exe
  C:\Windows\System\ZWBTaBg.exe
  2⤵
  PID:10644
- C:\Windows\System\FlpIbtS.exe
  C:\Windows\System\FlpIbtS.exe
  2⤵
  PID:10688
- C:\Windows\System\ZPGLjum.exe
  C:\Windows\System\ZPGLjum.exe
  2⤵
  PID:10728
- C:\Windows\System\uZNwQxv.exe
  C:\Windows\System\uZNwQxv.exe
  2⤵
  PID:10744
- C:\Windows\System\Ulmaayz.exe
  C:\Windows\System\Ulmaayz.exe
  2⤵
  PID:10768
- C:\Windows\System\ccpuhVS.exe
  C:\Windows\System\ccpuhVS.exe
  2⤵
  PID:10788
- C:\Windows\System\yJCxrjL.exe
  C:\Windows\System\yJCxrjL.exe
  2⤵
  PID:10816
- C:\Windows\System\hcMaShk.exe
  C:\Windows\System\hcMaShk.exe
  2⤵
  PID:10836
- C:\Windows\System\uUkCCRd.exe
  C:\Windows\System\uUkCCRd.exe
  2⤵
  PID:10856
- C:\Windows\System\jhWgPAY.exe
  C:\Windows\System\jhWgPAY.exe
  2⤵
  PID:10872
- C:\Windows\System\kYInnWy.exe
  C:\Windows\System\kYInnWy.exe
  2⤵
  PID:10896
- C:\Windows\System\cjwwbIn.exe
  C:\Windows\System\cjwwbIn.exe
  2⤵
  PID:10920
- C:\Windows\System\qzoMZlU.exe
  C:\Windows\System\qzoMZlU.exe
  2⤵
  PID:10936
- C:\Windows\System\RfWHHCI.exe
  C:\Windows\System\RfWHHCI.exe
  2⤵
  PID:10956
- C:\Windows\System\SUnYUdp.exe
  C:\Windows\System\SUnYUdp.exe
  2⤵
  PID:11036
- C:\Windows\System\tBLuabJ.exe
  C:\Windows\System\tBLuabJ.exe
  2⤵
  PID:11080
- C:\Windows\System\JYuJQlo.exe
  C:\Windows\System\JYuJQlo.exe
  2⤵
  PID:11136
- C:\Windows\System\ARZDGfK.exe
  C:\Windows\System\ARZDGfK.exe
  2⤵
  PID:11156
- C:\Windows\System\coVuVVJ.exe
  C:\Windows\System\coVuVVJ.exe
  2⤵
  PID:11172
- C:\Windows\System\lVkbAfy.exe
  C:\Windows\System\lVkbAfy.exe
  2⤵
  PID:11196
- C:\Windows\System\RxrWrLT.exe
  C:\Windows\System\RxrWrLT.exe
  2⤵
  PID:11228
- C:\Windows\System\PteBEKh.exe
  C:\Windows\System\PteBEKh.exe
  2⤵
  PID:11244
- C:\Windows\System\CHCLmqa.exe
  C:\Windows\System\CHCLmqa.exe
  2⤵
  PID:10140
- C:\Windows\System\KDDVNpn.exe
  C:\Windows\System\KDDVNpn.exe
  2⤵
  PID:10252
- C:\Windows\System\owDmkey.exe
  C:\Windows\System\owDmkey.exe
  2⤵
  PID:10324
- C:\Windows\System\zUmwZjn.exe
  C:\Windows\System\zUmwZjn.exe
  2⤵
  PID:10384
- C:\Windows\System\xqoRhrA.exe
  C:\Windows\System\xqoRhrA.exe
  2⤵
  PID:10420
- C:\Windows\System\jyBzEuu.exe
  C:\Windows\System\jyBzEuu.exe
  2⤵
  PID:10552
- C:\Windows\System\QMOqmSj.exe
  C:\Windows\System\QMOqmSj.exe
  2⤵
  PID:10560
- C:\Windows\System\hyaySkJ.exe
  C:\Windows\System\hyaySkJ.exe
  2⤵
  PID:10636
- C:\Windows\System\HkIjkaB.exe
  C:\Windows\System\HkIjkaB.exe
  2⤵
  PID:10736
- C:\Windows\System\VGNABqt.exe
  C:\Windows\System\VGNABqt.exe
  2⤵
  PID:10796
- C:\Windows\System\dhwqphS.exe
  C:\Windows\System\dhwqphS.exe
  2⤵
  PID:10844
- C:\Windows\System\ffjKfoY.exe
  C:\Windows\System\ffjKfoY.exe
  2⤵
  PID:10932
- C:\Windows\System\TMHfYYe.exe
  C:\Windows\System\TMHfYYe.exe
  2⤵
  PID:10992
- C:\Windows\System\yBDDPLk.exe
  C:\Windows\System\yBDDPLk.exe
  2⤵
  PID:11076
- C:\Windows\System\OICSBpk.exe
  C:\Windows\System\OICSBpk.exe
  2⤵
  PID:11152
- C:\Windows\System\mJZieCz.exe
  C:\Windows\System\mJZieCz.exe
  2⤵
  PID:11164
- C:\Windows\System\TcckIeV.exe
  C:\Windows\System\TcckIeV.exe
  2⤵
  PID:10000
- C:\Windows\System\MswpQPq.exe
  C:\Windows\System\MswpQPq.exe
  2⤵
  PID:10288
- C:\Windows\System\MogXJaG.exe
  C:\Windows\System\MogXJaG.exe
  2⤵
  PID:10500
- C:\Windows\System\pgJxLIg.exe
  C:\Windows\System\pgJxLIg.exe
  2⤵
  PID:10700
- C:\Windows\System\RgsOyhw.exe
  C:\Windows\System\RgsOyhw.exe
  2⤵
  PID:10760
- C:\Windows\System\hFbSzDm.exe
  C:\Windows\System\hFbSzDm.exe
  2⤵
  PID:10948
- C:\Windows\System\osKizNN.exe
  C:\Windows\System\osKizNN.exe
  2⤵
  PID:11188
- C:\Windows\System\ghdPsxD.exe
  C:\Windows\System\ghdPsxD.exe
  2⤵
  PID:10276
- C:\Windows\System\fuBFdSz.exe
  C:\Windows\System\fuBFdSz.exe
  2⤵
  PID:9572
- C:\Windows\System\DkbjXsV.exe
  C:\Windows\System\DkbjXsV.exe
  2⤵
  PID:10828
- C:\Windows\System\iIgvcZr.exe
  C:\Windows\System\iIgvcZr.exe
  2⤵
  PID:11068
- C:\Windows\System\RbKRuBK.exe
  C:\Windows\System\RbKRuBK.exe
  2⤵
  PID:10468
- C:\Windows\System\Ltkpczq.exe
  C:\Windows\System\Ltkpczq.exe
  2⤵
  PID:11000
- C:\Windows\System\zpCrAAa.exe
  C:\Windows\System\zpCrAAa.exe
  2⤵
  PID:11288
- C:\Windows\System\vGOFJvB.exe
  C:\Windows\System\vGOFJvB.exe
  2⤵
  PID:11304
- C:\Windows\System\ZhnTkRK.exe
  C:\Windows\System\ZhnTkRK.exe
  2⤵
  PID:11344
- C:\Windows\System\ozNJgpL.exe
  C:\Windows\System\ozNJgpL.exe
  2⤵
  PID:11364
- C:\Windows\System\ZesuTts.exe
  C:\Windows\System\ZesuTts.exe
  2⤵
  PID:11388
- C:\Windows\System\ZgXfCmm.exe
  C:\Windows\System\ZgXfCmm.exe
  2⤵
  PID:11412
- C:\Windows\System\deVZdZa.exe
  C:\Windows\System\deVZdZa.exe
  2⤵
  PID:11428
- C:\Windows\System\MEPTOBc.exe
  C:\Windows\System\MEPTOBc.exe
  2⤵
  PID:11480
- C:\Windows\System\uFmIyGC.exe
  C:\Windows\System\uFmIyGC.exe
  2⤵
  PID:11524
- C:\Windows\System\IUrozpg.exe
  C:\Windows\System\IUrozpg.exe
  2⤵
  PID:11540
- C:\Windows\System\PryNleE.exe
  C:\Windows\System\PryNleE.exe
  2⤵
  PID:11580
- C:\Windows\System\fTNzkUJ.exe
  C:\Windows\System\fTNzkUJ.exe
  2⤵
  PID:11596
- C:\Windows\System\JQgPLdy.exe
  C:\Windows\System\JQgPLdy.exe
  2⤵
  PID:11624
- C:\Windows\System\OpEnVvl.exe
  C:\Windows\System\OpEnVvl.exe
  2⤵
  PID:11652
- C:\Windows\System\BaubFwr.exe
  C:\Windows\System\BaubFwr.exe
  2⤵
  PID:11668
- C:\Windows\System\BXjbqPR.exe
  C:\Windows\System\BXjbqPR.exe
  2⤵
  PID:11700
- C:\Windows\System\DuUteos.exe
  C:\Windows\System\DuUteos.exe
  2⤵
  PID:11724
- C:\Windows\System\Gyvrihf.exe
  C:\Windows\System\Gyvrihf.exe
  2⤵
  PID:11752
- C:\Windows\System\VPiFxiu.exe
  C:\Windows\System\VPiFxiu.exe
  2⤵
  PID:11792
- C:\Windows\System\GKlMoHX.exe
  C:\Windows\System\GKlMoHX.exe
  2⤵
  PID:11848
- C:\Windows\System\iPbFbtq.exe
  C:\Windows\System\iPbFbtq.exe
  2⤵
  PID:11868
- C:\Windows\System\XWzepIc.exe
  C:\Windows\System\XWzepIc.exe
  2⤵
  PID:11976
- C:\Windows\System\CTvtDvw.exe
  C:\Windows\System\CTvtDvw.exe
  2⤵
  PID:11996
- C:\Windows\System\TXTjCeC.exe
  C:\Windows\System\TXTjCeC.exe
  2⤵
  PID:12012
- C:\Windows\System\szDnMFT.exe
  C:\Windows\System\szDnMFT.exe
  2⤵
  PID:12028
- C:\Windows\System\rLUfTxa.exe
  C:\Windows\System\rLUfTxa.exe
  2⤵
  PID:12088
- C:\Windows\System\YBIHhZv.exe
  C:\Windows\System\YBIHhZv.exe
  2⤵
  PID:12104
- C:\Windows\System\jEFFWue.exe
  C:\Windows\System\jEFFWue.exe
  2⤵
  PID:12168
- C:\Windows\System\mxiKknd.exe
  C:\Windows\System\mxiKknd.exe
  2⤵
  PID:12224
- C:\Windows\System\jZMKfsl.exe
  C:\Windows\System\jZMKfsl.exe
  2⤵
  PID:12244
- C:\Windows\System\wrKtwZE.exe
  C:\Windows\System\wrKtwZE.exe
  2⤵
  PID:12260
- C:\Windows\System\YqZOhks.exe
  C:\Windows\System\YqZOhks.exe
  2⤵
  PID:11280
- C:\Windows\System\rICAveL.exe
  C:\Windows\System\rICAveL.exe
  2⤵
  PID:11284
- C:\Windows\System\JPYfcpj.exe
  C:\Windows\System\JPYfcpj.exe
  2⤵
  PID:11352
- C:\Windows\System\JfftVwi.exe
  C:\Windows\System\JfftVwi.exe
  2⤵
  PID:11376
- C:\Windows\System\esgZfIR.exe
  C:\Windows\System\esgZfIR.exe
  2⤵
  PID:11476
- C:\Windows\System\ARexPTZ.exe
  C:\Windows\System\ARexPTZ.exe
  2⤵
  PID:11520
- C:\Windows\System\dLUGTSs.exe
  C:\Windows\System\dLUGTSs.exe
  2⤵
  PID:11592
- C:\Windows\System\NmBikEu.exe
  C:\Windows\System\NmBikEu.exe
  2⤵
  PID:11648
- C:\Windows\System\tUbPOZd.exe
  C:\Windows\System\tUbPOZd.exe
  2⤵
  PID:11712
- C:\Windows\System\pvdXLoU.exe
  C:\Windows\System\pvdXLoU.exe
  2⤵
  PID:11812
- C:\Windows\System\ocGIIFk.exe
  C:\Windows\System\ocGIIFk.exe
  2⤵
  PID:11880
- C:\Windows\System\fyzCMjI.exe
  C:\Windows\System\fyzCMjI.exe
  2⤵
  PID:12008
- C:\Windows\System\BRvALfr.exe
  C:\Windows\System\BRvALfr.exe
  2⤵
  PID:12044
- C:\Windows\System\rOoyNrC.exe
  C:\Windows\System\rOoyNrC.exe
  2⤵
  PID:12080
- C:\Windows\System\MAIyvXG.exe
  C:\Windows\System\MAIyvXG.exe
  2⤵
  PID:11952
- C:\Windows\System\FfhNwuj.exe
  C:\Windows\System\FfhNwuj.exe
  2⤵
  PID:12056
- C:\Windows\System\fHlvkCH.exe
  C:\Windows\System\fHlvkCH.exe
  2⤵
  PID:12068
- C:\Windows\System\PjPFVLQ.exe
  C:\Windows\System\PjPFVLQ.exe
  2⤵
  PID:12076
- C:\Windows\System\JdKUFpz.exe
  C:\Windows\System\JdKUFpz.exe
  2⤵
  PID:12216
- C:\Windows\System\KsMWxbO.exe
  C:\Windows\System\KsMWxbO.exe
  2⤵
  PID:12252
- C:\Windows\System\YYfePdv.exe
  C:\Windows\System\YYfePdv.exe
  2⤵
  PID:11252
- C:\Windows\System\YblwBUe.exe
  C:\Windows\System\YblwBUe.exe
  2⤵
  PID:11612
- C:\Windows\System\qiSNewW.exe
  C:\Windows\System\qiSNewW.exe
  2⤵
  PID:11588
- C:\Windows\System\YHMHgtz.exe
  C:\Windows\System\YHMHgtz.exe
  2⤵
  PID:11856
- C:\Windows\System\xcOsvEw.exe
  C:\Windows\System\xcOsvEw.exe
  2⤵
  PID:11956
- C:\Windows\System\TzfILzk.exe
  C:\Windows\System\TzfILzk.exe
  2⤵
  PID:11968
- C:\Windows\System\mOqQrJL.exe
  C:\Windows\System\mOqQrJL.exe
  2⤵
  PID:12196
- C:\Windows\System\IYzdjPv.exe
  C:\Windows\System\IYzdjPv.exe
  2⤵
  PID:11552
- C:\Windows\System\Yydngpg.exe
  C:\Windows\System\Yydngpg.exe
  2⤵
  PID:11740
- C:\Windows\System\VNkZKSR.exe
  C:\Windows\System\VNkZKSR.exe
  2⤵
  PID:11472
- C:\Windows\System\ulHMXoa.exe
  C:\Windows\System\ulHMXoa.exe
  2⤵
  PID:11876
- C:\Windows\System\HTfPSWl.exe
  C:\Windows\System\HTfPSWl.exe
  2⤵
  PID:11340
- C:\Windows\System\bPCZNiv.exe
  C:\Windows\System\bPCZNiv.exe
  2⤵
  PID:11632
- C:\Windows\System\xUDVsoT.exe
  C:\Windows\System\xUDVsoT.exe
  2⤵
  PID:12328
- C:\Windows\System\DQKTPPV.exe
  C:\Windows\System\DQKTPPV.exe
  2⤵
  PID:12376
- C:\Windows\System\OiuDpbp.exe
  C:\Windows\System\OiuDpbp.exe
  2⤵
  PID:12400
- C:\Windows\System\hTPSYPo.exe
  C:\Windows\System\hTPSYPo.exe
  2⤵
  PID:12420
- C:\Windows\System\RsoJBrw.exe
  C:\Windows\System\RsoJBrw.exe
  2⤵
  PID:12440
- C:\Windows\System\ngQVbJJ.exe
  C:\Windows\System\ngQVbJJ.exe
  2⤵
  PID:12456
- C:\Windows\System\qcnQuEM.exe
  C:\Windows\System\qcnQuEM.exe
  2⤵
  PID:12484
- C:\Windows\System\BkqDMBt.exe
  C:\Windows\System\BkqDMBt.exe
  2⤵
  PID:12500
- C:\Windows\System\GFGbwfh.exe
  C:\Windows\System\GFGbwfh.exe
  2⤵
  PID:12524
- C:\Windows\System\zmjdIkW.exe
  C:\Windows\System\zmjdIkW.exe
  2⤵
  PID:12568
- C:\Windows\System\uVCXNsn.exe
  C:\Windows\System\uVCXNsn.exe
  2⤵
  PID:12584
- C:\Windows\System\VJGRlrG.exe
  C:\Windows\System\VJGRlrG.exe
  2⤵
  PID:12608
- C:\Windows\System\opqjVZH.exe
  C:\Windows\System\opqjVZH.exe
  2⤵
  PID:12636
- C:\Windows\System\caFHDKX.exe
  C:\Windows\System\caFHDKX.exe
  2⤵
  PID:12664
- C:\Windows\System\GlcyYFU.exe
  C:\Windows\System\GlcyYFU.exe
  2⤵
  PID:12732
- C:\Windows\System\jRGjiZc.exe
  C:\Windows\System\jRGjiZc.exe
  2⤵
  PID:12756
- C:\Windows\System\bsGgdaE.exe
  C:\Windows\System\bsGgdaE.exe
  2⤵
  PID:12776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t05ymikz.a1b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AkKpFQc.exe

Filesize
1.3MB

MD5
728f83d4abcb611b39cd4bbbcf4ec1fa

SHA1
1952a2ea7aec90db38c544c780e2b4f07ca15a37

SHA256
c06bd30922b019bb5c1540937ace802d9c68d32cc986067ff66ca4afb8ed5599

SHA512
fe538d73ace1d244e0b7c3adbd615f9775720adad24fa6d17a3d60880e22a1bfdf35a2fc6ddcfb430c38843ce202cc0e321419cd13426a3f61e369cfd0d8b0b2

Download Submit
C:\Windows\System\AmSYXrb.exe

Filesize
1.3MB

MD5
c5b73709e0216a2adf75aa7e6e0c6b1e

SHA1
2dec90ecf0b52f0db9c6d80a333333217567eed1

SHA256
3c7f16b16503e349763ffeb53639adf1054128e3354ae6cada8ab56633d07abb

SHA512
8be865589fe76c9d108e3bbbd4ecb950c5f660aef9b97890db29e617558d3678cac2331180ef5fe86ba23823a049de0c354252527e538acccebcc7fa217761d6

Download Submit
C:\Windows\System\ApzsQXZ.exe

Filesize
8B

MD5
a8f2921c80c15a3d426e5fdff8a56196

SHA1
4dc21bf95e22427a9dafcd4930e81b62e77d5fda

SHA256
7e9bbeeba45dae16f8c444596ee4180d7313e899e46fa6263fde6904f32d92a1

SHA512
996666f646b1878ee129a778184f9520541ee458797b8bfaefed6e1f152a5436e0ff19d28744463b706ffe3e24e429f5af102aa1e7733dbeeb6210754c828802

Download Submit
C:\Windows\System\BBMzXnn.exe

Filesize
1.3MB

MD5
fdaec59eef0586e191ec4eb9ec07c5f8

SHA1
8e1c9f407755345e5b0712d4874a5370904c7c32

SHA256
f3c6c739ff867d9880a30b71ca287683bc09a93d5a7e0f9ce6b601806f494fb3

SHA512
2a040bfe82d2505fa80f3a0f4a38a53d00ebfa7dce70ed88f7117ec40e89a3596eae1c658f632a3082338c1851b6d1c7095aeaac07107de975bb725d7bc18d83

Download Submit
C:\Windows\System\CwUZvhK.exe

Filesize
1.3MB

MD5
32ec2ac972bee9743f0b280d7ad65f3d

SHA1
49e554129e7ac32dc4ddfca9d55cf7215ee7e3ba

SHA256
b5d259154870e2281412ebfc1ba37e0b9cd82d4c1769c56b5d0efd4830b2985b

SHA512
d2e8e4144e03e5db07b60ce687c84f044e629f0888e632df95842f2bcda7f719a7f4e1a1be6aa4fc8e9c6de83ee5c68ca5a5714b9ca658bcd30eee546524faea

Download Submit
C:\Windows\System\GxnafVW.exe

Filesize
1.3MB

MD5
525b86044f4ccdbb33b34c0302fe0bba

SHA1
1f8cd0e5cb184a7e2f1cea027890bf99f9e0061a

SHA256
c793d08f22968f28240854e17dae0bdfe2005a5c6ca87782f69c9490b7a506b1

SHA512
87dbc2bfe93ca22ca01a97215603ec88891c16761b2ec46907dbe425198c74b0b2b772e6b1d292cf6de2774dc0cb762914c62fbeb0f42aafc404549051aff522

Download Submit
C:\Windows\System\HKRNTHH.exe

Filesize
1.3MB

MD5
acf4bcea4cc6962faf08ac8553f90fa3

SHA1
9eba8b351d7bed7e2e7de4d53846eefc6c256815

SHA256
9aa84c2357ce063041ec6a286e2802a1daefed5a18c95172202f5623e55a8d23

SHA512
9da04159a94ad14f81b971e01dc97aef0b12d749ee542c00be99ad079ccd8fc6b4c8d6717f1e69beb93d56e1e304193a3d893b989ba88fe0d767434f0b891366

Download Submit
C:\Windows\System\HaCYxZc.exe

Filesize
1.3MB

MD5
f7123d0456088208b0aca86ffe1540cc

SHA1
1c0a9618e9a050f437682c1f1f651771032fc4dd

SHA256
7dad3065433aa48a1e1d292e7b1591ca0b97042564a2b3239456f654317c07a1

SHA512
8cccdd5da48202c4e2bba1f1986fd0042a6a91c11a557add578bcb216906a3ba86d383c2e8ed36fd86d473515a478aeebac4ac316bf4076936f491f541e61adc

Download Submit
C:\Windows\System\JDHpmwY.exe

Filesize
1.3MB

MD5
907ce3ea6ca8aaad38b00881c746e419

SHA1
be9f60636495973b7bd70700bfeec7153f044ed0

SHA256
cf07d752aa5c290ba47e046049f4287122e66a13139c248625433ef56981838f

SHA512
cbd6c6567b6053a83e03971bc4ff6c79858822b58d7ba853922809a94f080869f59456b78208a991fcffc367aa8a45a31a242fe02dd7f7cc0b4da6cff444d1a2

Download Submit
C:\Windows\System\JRMxpWi.exe

Filesize
1.3MB

MD5
c26e90431e1a7c179ee1511ae6dbca60

SHA1
4af37d0121d7bf37275926ad2072d551cf43e066

SHA256
05983907f5092af8b92cdab591d2c924d5bfcdff6d2be2fac8b1b345a1fc90ea

SHA512
176a64b86190d610002e0ccaaafc8a00b41a2cef8b845eeadc5aac49eb1ef0fbacfcd0b16b77575279bdb68c0d10bc48a873aabbaae37515cc29112b257db5ca

Download Submit
C:\Windows\System\JqlgdRL.exe

Filesize
1.3MB

MD5
1d0fea71fdda2815295b1451af0a61ca

SHA1
e42378ff7bd31b83adfbfd4af44e0b9066ddf1e6

SHA256
9074474d7a5e6966454a8cdae0b08db92d2544fed35c604d66009e30e515fb39

SHA512
1127327b249320edd8fd38a62f1292ef72fb4aafd92e0684340c708e8ef307ee4260c52a5cce4cad34e79672edb6635ec0ecb2a77b105106a881d040d0a8c8f0

Download Submit
C:\Windows\System\JyOaTOJ.exe

Filesize
1.3MB

MD5
9fb3e2891c0aed48769ed222d8d0ff2c

SHA1
a69bf80e5eb5adb0af0a32112097b919b623bffe

SHA256
25842f5c376438e8cb3560450ea0e153acdd7197f419b6419c30431b3cf26e6c

SHA512
b12089bbbd81e400610ed47125375e1397392bb45b28ee47f4695a8189d6aece9c519376aecf6f7f46e346907f0bc3ce09e35a11887b827b3b3a861e1b30e904

Download Submit
C:\Windows\System\LLVNNYa.exe

Filesize
1.3MB

MD5
511106adf8717081e6e79aab504ece26

SHA1
9ba82dd35f06131e3e4fbd444923fa24d796f056

SHA256
3b5677be38d91416bee40d82731b9cc76e1316c20cc4d558981bffee6837636c

SHA512
30b223de82e574fa34505bb036da38577d25bdde861bdb700696823502936eec6e85d5e41603c19362b6bafe41f10efa05f3f38eddc7c63a620fafc24c0a74ea

Download Submit
C:\Windows\System\LUSfepf.exe

Filesize
1.3MB

MD5
f803d4dab32f2c808c8fcd8015836f80

SHA1
9b522ffa0d90a2e52c0e2290ac86681708567633

SHA256
1e67628048e38da8685f4833bbe585eecd9dea54b3a80e5fff1a1d73636a050b

SHA512
166975cf0491ec5a2dddad8c0f0aeda6f5c59802025002b6c4d53420715318e0d245255653dd2befe3102fdcb1fc202e21d97d9cdf6681e78e2eb01a5dc1a5bd

Download Submit
C:\Windows\System\TIjqCKX.exe

Filesize
1.3MB

MD5
48e323b3df484c872e780176a54436f2

SHA1
21811007f3b8245a9f5420fdd392f86a96b7ab28

SHA256
beec2ed533875a74a0c7de9855a0f10af5273f0e4c4e23c91900071d595ebabb

SHA512
97d6b766182850418ae6af109dd9916c6afada5ff4c9207203f467e15a19e057fef9e459617b328460906a58ccd0cded21190942411a3f8d92b1653f47ccd34b

Download Submit
C:\Windows\System\TkCdlsj.exe

Filesize
1.3MB

MD5
33ed85b235bbdf9967527cc119e2025a

SHA1
b70936d6c0a953a3ad0cb328ff3f944c95520c4f

SHA256
9d48f24109896ffc6434510cc5626f77fc1eac4db26b8082aca977544828886f

SHA512
020d12de313010625bdadb10ee1b8c85e01047aeebd072e645945de833dc9f265d414cb8fb65fe233fbaa970039c898fe5087090ac0edc32f9cfb0f5ce3bd3c7

Download Submit
C:\Windows\System\WGtYcQr.exe

Filesize
1.3MB

MD5
ad0a0fbcb65de2bf3904385babd8e6a9

SHA1
874d05cebd96cda6a1e4e5f9fbc1a82325ec5ad5

SHA256
81ee0ed9e5b61dc6581e1cf9a9dcd59766a7cf5727777534715df9c064ad175d

SHA512
9f1edaec332e798621e567853676df6fb658d91e5d69d9c2d7b30d0616079b1e6341e6562c67b09764999f727c61e7f19d350d9b111f10a6fcb2df56e3af15e5

Download Submit
C:\Windows\System\WJAPVuE.exe

Filesize
1.3MB

MD5
91c1b492f95d407caff11ff83aa735b5

SHA1
1df0ff584986a17964ddf9abf073c04b9f95ab00

SHA256
c64ac4786c966398a3db691787180603dc7236a9da6bfaec252c7fa253165ae1

SHA512
66829b597a35a20fa7f54124753e14ff2c64686eec8991ce9a63251c869fc1c64ca1df461ef08451d0a57a670f6b38e212b924ad9503f8f53c741e36d80b56d7

Download Submit
C:\Windows\System\WPKOOeM.exe

Filesize
1.3MB

MD5
cbb3d417cd8a3259a22aaecbb4d10088

SHA1
b91eab46986c62a66a521e4b8cc3a5e843ab3744

SHA256
83db16ebc516ab3245dcd0fba6fa87afc0db6c4520232cac21a9572e33e98b07

SHA512
19386e89359c6ee8e3e369e8d6a4aa7c13f5e0f241f61fe9c47889c77c78e474b5279a468d844eee99b034235f30cf51c16333252b92d3405d217f6a178e2989

Download Submit
C:\Windows\System\YNJeWsn.exe

Filesize
1.3MB

MD5
107879cd86406d05fd14fdb77d737d73

SHA1
d0ced6784dd86bd52bb3c971e2f731256d70042e

SHA256
e08b3e690d4ef7ff6bc3ebe06e8035fb55d7c55645d967675cc2f2fc78743901

SHA512
0053e1716005df31cb49e48af75f46221a38506f4d7c02dfdf060c67f0f17905bf92af1ed0818213819b29afd4e79ca43332f401cdafe78d2b6277d0d4c22f72

Download Submit
C:\Windows\System\ZDKfBNd.exe

Filesize
1.3MB

MD5
03911673bd0274a5730546900e093897

SHA1
e9edd56531036ff5609a1ee465bf688e85810550

SHA256
027ba43d3cb7f24686f02128e17d9b1e4a568bd7815aca585750d15c102ab249

SHA512
57ad3472610800841a28f1c86984fd37682edaf5cbfff3816e0086f621f48ddb429ea537b33c01242c65aeb0dc07f893387a5698be9c8d5bf8950c54ca0d596a

Download Submit
C:\Windows\System\bmYiVuU.exe

Filesize
1.3MB

MD5
ce206bbdf7f7530c6f22d99c5246cc40

SHA1
c88d99abd9acdf60c88dca460537b07f4f13fc0c

SHA256
164c1e3497964bf58f4e1da24cce3bfb3635b4283a377f850fbc3653aa1651ef

SHA512
04ce1f9fd0e30c30035be5853e053db8d3907a606fb3263bc3c7ff0fc6240f3760e83981f4d31b3400ba127ca579a803b2b6cc67f8f40b446066416b7d436f66

Download Submit
C:\Windows\System\dxlgIOu.exe

Filesize
1.3MB

MD5
47e3853db334f9b85378a424a0415b27

SHA1
1241a86fa431adb48e2d7fc3f364494c83108fb9

SHA256
53202127c6b067e7e3fd91409c09316fc39bfd28ee292984491064fa29e57b4a

SHA512
7a54c8407cb6efe3678913ec22d0683ad126423cc2fc68f955be5894f4d438f58826b9a807da48cdb8a9dd913fa052ae86d33bfc164dbcef3fcd00702734c40a

Download Submit
C:\Windows\System\fKiLXLq.exe

Filesize
1.3MB

MD5
4a83bf9a5939f04a0e19a4652f747c4f

SHA1
d63b5471b0ce846b77ffb5f1a525d0ef1a08823e

SHA256
d0ef946c44ddc72bd157851b88529743b197979c8f32f585f74c797529693e1a

SHA512
4788ba664c402dda1b2d7de9814d95444f45d158327c6806129df04ad14f5ae73d2d1ab5df4a346c0001dea8cf203a9145622cea274e6b78d79a25d7af51791e

Download Submit
C:\Windows\System\hHcRtoY.exe

Filesize
1.3MB

MD5
2f48bd2353f7fd832d2915f6b66436b5

SHA1
16b65af0d3b5fc71b9debe1a98ca6cb7a6434e18

SHA256
ab029a33f69909a1bbd902c7a4fedfa58da076af931f8c7b0e83fecc071008c2

SHA512
43b49760ed6191dda8bac01beb876ec5d367b318dc241c32dbcb31583819c2e67bbf4af86c74a346353c95e5df3ca727d5e83efcbca4af0b6ed44d2d3e6b3483

Download Submit
C:\Windows\System\kUKxBeR.exe

Filesize
1.3MB

MD5
525f2343c55994656043528933c9c53e

SHA1
b407184d49d95b7e1405562b7296a20bc673a707

SHA256
5022b5462534fe97d9a19e117806491f5ffbba966f2fc461b0b0053d7333d2cf

SHA512
3775a48a663da7be6af0351c21f4a4a70594b4d56a1311f25bd3933cbf1ea40b82535f90547d3d3e3aaa9d67701a352e13364c9bcd467e35d2f3d79ed17a8230

Download Submit
C:\Windows\System\oeopLAR.exe

Filesize
1.3MB

MD5
9c824c89a4f405998d00768c8c929026

SHA1
ae4647c5951c9891a61fb4b8d7994d64da80e270

SHA256
714abec1a0f8f51443c9b272b0c95b1848a75d3bac615a5136e55b6f64c28ef9

SHA512
74de84ffd206c8f53fcfb59156d707e21c814570f22c9ea9a17c95be92c503f05939401928327166eb32983269ca9f895809dd82684a36a5a8dad73f8185af74

Download Submit
C:\Windows\System\poHZPSE.exe

Filesize
1.3MB

MD5
2897d6ba1ddebf64461906d84c5de462

SHA1
0870b9d4f50da72114a33ca25dbf52678e86a47a

SHA256
14b652e5e8ea85adb8a17bfd6c57f20c9e34732bc580757e16911e59b3c2c433

SHA512
0060de131ad30f9ad5b482913c063463802b08db07d9036441d054cd40c18e5769d1c001f010497b80e6de2260e683f5564090c53eb28e60ddbb5d9f593948ce

Download Submit
C:\Windows\System\ptWijMn.exe

Filesize
1.3MB

MD5
6ba3dcfad2af399f8d4668b9fdb7a764

SHA1
1a193ba872ee492a536c372094b86308d29c1eea

SHA256
c847f4cca9bf2e11bf8880bfe4bdc811a8ce7775401f4aab0fcc712bd9b0c718

SHA512
604b877a18fa15c521ec195bec808dffce8652c11d748dd6b33514123ad7c3f8f431ba79fafb6ccd4a4f60fd58c50d3a7a7824c3227b87d56633ab5959680fa8

Download Submit
C:\Windows\System\qCaIAFE.exe

Filesize
1.3MB

MD5
0a5207670e866f73fceb02551bbb3a94

SHA1
740eed71c1f5aa43d19ee5ae28b1358f2ab6811c

SHA256
45018b9c72db22f97c32386edbd5439d8b5af870b49aebf461e738c46b09a9f0

SHA512
567e673ce94dea6606dfd7d239b9a7ad4a8454711327b19108769f31d48faac54023f22e883883c04b2603ef43fc13f70544efbd804b3195ad778ae4fdda5077

Download Submit
C:\Windows\System\qLiZOmo.exe

Filesize
1.3MB

MD5
54fb9a9be0697e2aa100a4cb7fc998e8

SHA1
b492aeca2018009fc62c11f159ac54a053999dab

SHA256
b403e528b5a81afd66020d2341fe13baef500cd9ab0bfafa74dfa2be9553c8f9

SHA512
58804b9a51e8395b4c7a82d08363f3dfa79d94a5d56c3ca4b6dcbf972cf0e1a9d69b8871dfbd9904f8906424913b5b23cf010d963f6575d66b2a457c15deae8f

Download Submit
C:\Windows\System\saLaIVe.exe

Filesize
1.3MB

MD5
b2b17d21e8a1aa6c2204704bfee74a32

SHA1
0044230c0ded6fe115db6b543024d8a245eb3255

SHA256
03ddf8f34727883294b33c34c6f813ecdff5015e6032813859ac470e6295c6ec

SHA512
eaf9db8804ad98deab04b6868df3c5adcabfc9e5e532ebeac6dbfd21f8f6ea7adb2fbef3053c6e351e91b2f3771e8e16293ad739b0bd8a0c734c8a6d84f756f5

Download Submit
C:\Windows\System\sdOekIT.exe

Filesize
1.3MB

MD5
aa95ab16035411d26253259cd1cc507d

SHA1
1c18aca8cc3709ab7749c65e0925d48073a50fc9

SHA256
bc3e96b1103c44c64fac38ce486e2b567c0adeb8c971512191e7b6e8f7a04455

SHA512
38ca38d9c5b5078b903a56e66207ab8c5f5ab07f6d311daafea052d3d7c80061753dcce32b480131e21bdb73d4292b75ab306b341e90e5056e5bd25cf33b0276

Download Submit
C:\Windows\System\vCsgPnL.exe

Filesize
1.3MB

MD5
b6df1b56a0e499b9098c04fc2c2cd2fc

SHA1
084549aeb2ea002b7c33229c9a6b9cdad0879ed4

SHA256
f5b9e0c36dfeb11b318b95a65a3226f1c7db2d636cf8f9636dc00bda841d6866

SHA512
52ca33a720976b1f5510a1ac91a6688a4c1f8524bc7b4d97fe070b957c2ee6cb6e72da9b308fad3d4640eb2560fe8b60e3fa41204964b95855416bbb6cf61835

Download Submit
memory/400-156-0x00007FF65F510000-0x00007FF65F902000-memory.dmp

Filesize
3.9MB

Download
memory/400-2320-0x00007FF65F510000-0x00007FF65F902000-memory.dmp

Filesize
3.9MB

Download
memory/712-2315-0x00007FF6DFB90000-0x00007FF6DFF82000-memory.dmp

Filesize
3.9MB

Download
memory/712-138-0x00007FF6DFB90000-0x00007FF6DFF82000-memory.dmp

Filesize
3.9MB

Download
memory/932-191-0x00007FF603F60000-0x00007FF604352000-memory.dmp

Filesize
3.9MB

Download
memory/932-2334-0x00007FF603F60000-0x00007FF604352000-memory.dmp

Filesize
3.9MB

Download
memory/1016-2245-0x00007FF7AAC80000-0x00007FF7AB072000-memory.dmp

Filesize
3.9MB

Download
memory/1016-104-0x00007FF7AAC80000-0x00007FF7AB072000-memory.dmp

Filesize
3.9MB

Download
memory/1016-2322-0x00007FF7AAC80000-0x00007FF7AB072000-memory.dmp

Filesize
3.9MB

Download
memory/1308-108-0x00007FF7DFE30000-0x00007FF7E0222000-memory.dmp

Filesize
3.9MB

Download
memory/1308-2294-0x00007FF7DFE30000-0x00007FF7E0222000-memory.dmp

Filesize
3.9MB

Download
memory/1624-2304-0x00007FF76DDA0000-0x00007FF76E192000-memory.dmp

Filesize
3.9MB

Download
memory/1624-73-0x00007FF76DDA0000-0x00007FF76E192000-memory.dmp

Filesize
3.9MB

Download
memory/1848-2331-0x00007FF7A19E0000-0x00007FF7A1DD2000-memory.dmp

Filesize
3.9MB

Download
memory/1848-194-0x00007FF7A19E0000-0x00007FF7A1DD2000-memory.dmp

Filesize
3.9MB

Download
memory/1904-50-0x00007FF7874A0000-0x00007FF787892000-memory.dmp

Filesize
3.9MB

Download
memory/1904-2300-0x00007FF7874A0000-0x00007FF787892000-memory.dmp

Filesize
3.9MB

Download
memory/2028-2325-0x00007FF766030000-0x00007FF766422000-memory.dmp

Filesize
3.9MB

Download
memory/2028-183-0x00007FF766030000-0x00007FF766422000-memory.dmp

Filesize
3.9MB

Download
memory/2340-162-0x00007FF6515F0000-0x00007FF6519E2000-memory.dmp

Filesize
3.9MB

Download
memory/2340-2333-0x00007FF6515F0000-0x00007FF6519E2000-memory.dmp

Filesize
3.9MB

Download
memory/2472-40-0x00007FF708190000-0x00007FF708582000-memory.dmp

Filesize
3.9MB

Download
memory/2472-2296-0x00007FF708190000-0x00007FF708582000-memory.dmp

Filesize
3.9MB

Download
memory/2576-84-0x00007FF75B070000-0x00007FF75B462000-memory.dmp

Filesize
3.9MB

Download
memory/2576-2243-0x00007FF75B070000-0x00007FF75B462000-memory.dmp

Filesize
3.9MB

Download
memory/2576-2308-0x00007FF75B070000-0x00007FF75B462000-memory.dmp

Filesize
3.9MB

Download
memory/2640-141-0x00007FF6D5AB0000-0x00007FF6D5EA2000-memory.dmp

Filesize
3.9MB

Download
memory/2640-2313-0x00007FF6D5AB0000-0x00007FF6D5EA2000-memory.dmp

Filesize
3.9MB

Download
memory/2792-91-0x00007FF7A5900000-0x00007FF7A5CF2000-memory.dmp

Filesize
3.9MB

Download
memory/2792-2317-0x00007FF7A5900000-0x00007FF7A5CF2000-memory.dmp

Filesize
3.9MB

Download
memory/2792-2244-0x00007FF7A5900000-0x00007FF7A5CF2000-memory.dmp

Filesize
3.9MB

Download
memory/3176-2327-0x00007FF73A3A0000-0x00007FF73A792000-memory.dmp

Filesize
3.9MB

Download
memory/3176-170-0x00007FF73A3A0000-0x00007FF73A792000-memory.dmp

Filesize
3.9MB

Download
memory/3768-202-0x00007FF7138D0000-0x00007FF713CC2000-memory.dmp

Filesize
3.9MB

Download
memory/3768-2359-0x00007FF7138D0000-0x00007FF713CC2000-memory.dmp

Filesize
3.9MB

Download
memory/3936-0-0x00007FF6BC3B0000-0x00007FF6BC7A2000-memory.dmp

Filesize
3.9MB

Download
memory/3936-1-0x000001333DD90000-0x000001333DDA0000-memory.dmp

Filesize
64KB

Download
memory/3972-201-0x00007FF69A650000-0x00007FF69AA42000-memory.dmp

Filesize
3.9MB

Download
memory/3972-2332-0x00007FF69A650000-0x00007FF69AA42000-memory.dmp

Filesize
3.9MB

Download
memory/4276-149-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp

Filesize
3.9MB

Download
memory/4276-2311-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp

Filesize
3.9MB

Download
memory/4328-2318-0x00007FF6C5E30000-0x00007FF6C6222000-memory.dmp

Filesize
3.9MB

Download
memory/4328-161-0x00007FF6C5E30000-0x00007FF6C6222000-memory.dmp

Filesize
3.9MB

Download
memory/4444-34-0x00007FF927980000-0x00007FF928441000-memory.dmp

Filesize
10.8MB

Download
memory/4444-64-0x0000022027430000-0x0000022027452000-memory.dmp

Filesize
136KB

Download
memory/4444-347-0x0000022028AD0000-0x0000022029276000-memory.dmp

Filesize
7.6MB

Download
memory/4444-2242-0x00007FF927980000-0x00007FF928441000-memory.dmp

Filesize
10.8MB

Download
memory/4444-16-0x00007FF927983000-0x00007FF927985000-memory.dmp

Filesize
8KB

Download
memory/4444-135-0x00007FF927980000-0x00007FF928441000-memory.dmp

Filesize
10.8MB

Download
memory/4444-2256-0x00007FF927980000-0x00007FF928441000-memory.dmp

Filesize
10.8MB

Download
memory/4444-2246-0x00007FF927983000-0x00007FF927985000-memory.dmp

Filesize
8KB

Download
memory/4544-2298-0x00007FF745610000-0x00007FF745A02000-memory.dmp

Filesize
3.9MB

Download
memory/4544-137-0x00007FF745610000-0x00007FF745A02000-memory.dmp

Filesize
3.9MB

Download
memory/4772-2307-0x00007FF7B0E20000-0x00007FF7B1212000-memory.dmp

Filesize
3.9MB

Download
memory/4772-148-0x00007FF7B0E20000-0x00007FF7B1212000-memory.dmp

Filesize
3.9MB

Download
memory/4784-2292-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp

Filesize
3.9MB

Download
memory/4784-15-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp

Filesize
3.9MB

Download
memory/4784-2241-0x00007FF6A8110000-0x00007FF6A8502000-memory.dmp

Filesize
3.9MB

Download
memory/4952-184-0x00007FF669F80000-0x00007FF66A372000-memory.dmp

Filesize
3.9MB

Download
memory/4952-2338-0x00007FF669F80000-0x00007FF66A372000-memory.dmp

Filesize
3.9MB

Download
memory/5108-67-0x00007FF79EF50000-0x00007FF79F342000-memory.dmp

Filesize
3.9MB

Download
memory/5108-2302-0x00007FF79EF50000-0x00007FF79F342000-memory.dmp

Filesize
3.9MB

Download