xmrig | b6c07fd69a34243ab1fde5e815fe8d2e694433c2d71a0d51167bb74b1f74a76d

Analysis

max time kernel
149s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/06/2024, 10:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
Size

1.4MB
MD5

b91d1089bfe8e3fdf01a0aba8de646a0
SHA1

42a239eed76852931e694a080eedd2e28044b228
SHA256

b6c07fd69a34243ab1fde5e815fe8d2e694433c2d71a0d51167bb74b1f74a76d
SHA512

731cc9d955cfa3cafc84d654932b301b1041256e701108940f70287762263d595d184c1ef6bbfc408166af15300fe6f4143cece56d6df0590ecf35deaf39203d
SSDEEP

24576:RVIl/WDGCi7/qkatXBF6727uROGdN1cASXv8BoC09aYCmcDff91uO3mnVTg0Qsiy:ROdWCCi7/rahwNU6ff91f2wy

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 57 IoCs

miner

resource	yara_rule
behavioral2/memory/2328-12-0x00007FF6E0980000-0x00007FF6E0CD1000-memory.dmp	xmrig
behavioral2/memory/5040-255-0x00007FF6A7390000-0x00007FF6A76E1000-memory.dmp	xmrig
behavioral2/memory/1624-285-0x00007FF7C6660000-0x00007FF7C69B1000-memory.dmp	xmrig
behavioral2/memory/4060-298-0x00007FF727A30000-0x00007FF727D81000-memory.dmp	xmrig
behavioral2/memory/436-306-0x00007FF751560000-0x00007FF7518B1000-memory.dmp	xmrig
behavioral2/memory/832-305-0x00007FF6DF120000-0x00007FF6DF471000-memory.dmp	xmrig
behavioral2/memory/2920-304-0x00007FF696D20000-0x00007FF697071000-memory.dmp	xmrig
behavioral2/memory/4624-303-0x00007FF761490000-0x00007FF7617E1000-memory.dmp	xmrig
behavioral2/memory/2840-302-0x00007FF781E80000-0x00007FF7821D1000-memory.dmp	xmrig
behavioral2/memory/4504-301-0x00007FF6C30F0000-0x00007FF6C3441000-memory.dmp	xmrig
behavioral2/memory/3932-300-0x00007FF7B2580000-0x00007FF7B28D1000-memory.dmp	xmrig
behavioral2/memory/1648-299-0x00007FF7D9D80000-0x00007FF7DA0D1000-memory.dmp	xmrig
behavioral2/memory/1524-297-0x00007FF648090000-0x00007FF6483E1000-memory.dmp	xmrig
behavioral2/memory/3464-296-0x00007FF6450D0000-0x00007FF645421000-memory.dmp	xmrig
behavioral2/memory/2420-295-0x00007FF69B8A0000-0x00007FF69BBF1000-memory.dmp	xmrig
behavioral2/memory/664-294-0x00007FF714B80000-0x00007FF714ED1000-memory.dmp	xmrig
behavioral2/memory/4984-293-0x00007FF764DA0000-0x00007FF7650F1000-memory.dmp	xmrig
behavioral2/memory/4528-292-0x00007FF68EEC0000-0x00007FF68F211000-memory.dmp	xmrig
behavioral2/memory/860-254-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp	xmrig
behavioral2/memory/3284-237-0x00007FF7F0100000-0x00007FF7F0451000-memory.dmp	xmrig
behavioral2/memory/1468-223-0x00007FF74B520000-0x00007FF74B871000-memory.dmp	xmrig
behavioral2/memory/1144-200-0x00007FF7A5020000-0x00007FF7A5371000-memory.dmp	xmrig
behavioral2/memory/1208-197-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp	xmrig
behavioral2/memory/4772-153-0x00007FF7C7F10000-0x00007FF7C8261000-memory.dmp	xmrig
behavioral2/memory/4764-67-0x00007FF7A6770000-0x00007FF7A6AC1000-memory.dmp	xmrig
behavioral2/memory/3936-64-0x00007FF66AFA0000-0x00007FF66B2F1000-memory.dmp	xmrig
behavioral2/memory/3120-36-0x00007FF6CFAC0000-0x00007FF6CFE11000-memory.dmp	xmrig
behavioral2/memory/1340-2172-0x00007FF750750000-0x00007FF750AA1000-memory.dmp	xmrig
behavioral2/memory/2328-2271-0x00007FF6E0980000-0x00007FF6E0CD1000-memory.dmp	xmrig
behavioral2/memory/3120-2273-0x00007FF6CFAC0000-0x00007FF6CFE11000-memory.dmp	xmrig
behavioral2/memory/2840-2275-0x00007FF781E80000-0x00007FF7821D1000-memory.dmp	xmrig
behavioral2/memory/4764-2278-0x00007FF7A6770000-0x00007FF7A6AC1000-memory.dmp	xmrig
behavioral2/memory/3936-2281-0x00007FF66AFA0000-0x00007FF66B2F1000-memory.dmp	xmrig
behavioral2/memory/3284-2287-0x00007FF7F0100000-0x00007FF7F0451000-memory.dmp	xmrig
behavioral2/memory/4624-2285-0x00007FF761490000-0x00007FF7617E1000-memory.dmp	xmrig
behavioral2/memory/2464-2283-0x00007FF7E8A60000-0x00007FF7E8DB1000-memory.dmp	xmrig
behavioral2/memory/4772-2279-0x00007FF7C7F10000-0x00007FF7C8261000-memory.dmp	xmrig
behavioral2/memory/1208-2289-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp	xmrig
behavioral2/memory/436-2305-0x00007FF751560000-0x00007FF7518B1000-memory.dmp	xmrig
behavioral2/memory/1144-2303-0x00007FF7A5020000-0x00007FF7A5371000-memory.dmp	xmrig
behavioral2/memory/860-2301-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp	xmrig
behavioral2/memory/4528-2291-0x00007FF68EEC0000-0x00007FF68F211000-memory.dmp	xmrig
behavioral2/memory/3464-2319-0x00007FF6450D0000-0x00007FF645421000-memory.dmp	xmrig
behavioral2/memory/4504-2329-0x00007FF6C30F0000-0x00007FF6C3441000-memory.dmp	xmrig
behavioral2/memory/1524-2327-0x00007FF648090000-0x00007FF6483E1000-memory.dmp	xmrig
behavioral2/memory/1648-2325-0x00007FF7D9D80000-0x00007FF7DA0D1000-memory.dmp	xmrig
behavioral2/memory/2420-2321-0x00007FF69B8A0000-0x00007FF69BBF1000-memory.dmp	xmrig
behavioral2/memory/1624-2317-0x00007FF7C6660000-0x00007FF7C69B1000-memory.dmp	xmrig
behavioral2/memory/664-2313-0x00007FF714B80000-0x00007FF714ED1000-memory.dmp	xmrig
behavioral2/memory/832-2311-0x00007FF6DF120000-0x00007FF6DF471000-memory.dmp	xmrig
behavioral2/memory/4060-2309-0x00007FF727A30000-0x00007FF727D81000-memory.dmp	xmrig
behavioral2/memory/2920-2307-0x00007FF696D20000-0x00007FF697071000-memory.dmp	xmrig
behavioral2/memory/3932-2315-0x00007FF7B2580000-0x00007FF7B28D1000-memory.dmp	xmrig
behavioral2/memory/1468-2299-0x00007FF74B520000-0x00007FF74B871000-memory.dmp	xmrig
behavioral2/memory/5040-2297-0x00007FF6A7390000-0x00007FF6A76E1000-memory.dmp	xmrig
behavioral2/memory/1368-2295-0x00007FF7F0370000-0x00007FF7F06C1000-memory.dmp	xmrig
behavioral2/memory/4984-2293-0x00007FF764DA0000-0x00007FF7650F1000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2328	lwtXYIq.exe
3120	eNkugrU.exe
3936	aUcDtCC.exe
4764	ZDEZITc.exe
2840	icMKyYp.exe
4624	DVULivZ.exe
2464	HTwPycL.exe
1368	wcLMlKC.exe
4772	gykPRgI.exe
1208	ZMDtfrD.exe
1144	EANeNao.exe
2920	YKupCmP.exe
1468	UFzyeNQ.exe
3284	kIoDeYY.exe
860	PEcVLkL.exe
5040	FsYZzjP.exe
1624	kJCBgVq.exe
4528	RkuPQXX.exe
4984	EoMZWXi.exe
832	vUTMhCG.exe
664	JCegndf.exe
2420	qHyVgZz.exe
3464	arGnJPx.exe
1524	xVJGIKl.exe
4060	htSBzFh.exe
1648	FXjQoPR.exe
3932	wDKcQIE.exe
4504	SefFjcM.exe
436	XdJNWnA.exe
4384	NFEmGTG.exe
3920	mEnmdBl.exe
2036	wsxdyvw.exe
4316	tLKhtDa.exe
2212	sIPoWUh.exe
2900	YNoKNww.exe
400	myKNAJb.exe
760	pFwTltA.exe
4972	LddAtEA.exe
2660	sopcghV.exe
3524	iZmyMrd.exe
2488	eXbqrIH.exe
3976	goCpzTK.exe
408	OsBhuZa.exe
4880	NYEowTg.exe
2268	HCduhtm.exe
1184	HHTgjDr.exe
1656	cVdCEbt.exe
1352	nZPejNo.exe
4864	HeRlDwk.exe
2280	uCTeypW.exe
4364	NujLPbX.exe
5060	YTHDXEw.exe
2100	HvmGkqJ.exe
4904	ReMIlSM.exe
5080	ZuHnCfc.exe
2056	cyelSML.exe
4400	OLMNEKP.exe
5032	zkfaNwh.exe
3196	HOrpEZC.exe
4252	madgkHj.exe
1300	TgeLxLZ.exe
3708	KRgSwwN.exe
4524	azVlvTW.exe
2848	NdvyrVB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1340-0-0x00007FF750750000-0x00007FF750AA1000-memory.dmp	upx
behavioral2/files/0x0009000000023418-4.dat	upx
behavioral2/files/0x0007000000023420-8.dat	upx
behavioral2/memory/2328-12-0x00007FF6E0980000-0x00007FF6E0CD1000-memory.dmp	upx
behavioral2/files/0x0007000000023425-42.dat	upx
behavioral2/files/0x000700000002342d-83.dat	upx
behavioral2/files/0x0007000000023436-138.dat	upx
behavioral2/memory/5040-255-0x00007FF6A7390000-0x00007FF6A76E1000-memory.dmp	upx
behavioral2/memory/1624-285-0x00007FF7C6660000-0x00007FF7C69B1000-memory.dmp	upx
behavioral2/memory/4060-298-0x00007FF727A30000-0x00007FF727D81000-memory.dmp	upx
behavioral2/memory/436-306-0x00007FF751560000-0x00007FF7518B1000-memory.dmp	upx
behavioral2/memory/832-305-0x00007FF6DF120000-0x00007FF6DF471000-memory.dmp	upx
behavioral2/memory/2920-304-0x00007FF696D20000-0x00007FF697071000-memory.dmp	upx
behavioral2/memory/4624-303-0x00007FF761490000-0x00007FF7617E1000-memory.dmp	upx
behavioral2/memory/2840-302-0x00007FF781E80000-0x00007FF7821D1000-memory.dmp	upx
behavioral2/memory/4504-301-0x00007FF6C30F0000-0x00007FF6C3441000-memory.dmp	upx
behavioral2/memory/3932-300-0x00007FF7B2580000-0x00007FF7B28D1000-memory.dmp	upx
behavioral2/memory/1648-299-0x00007FF7D9D80000-0x00007FF7DA0D1000-memory.dmp	upx
behavioral2/memory/1524-297-0x00007FF648090000-0x00007FF6483E1000-memory.dmp	upx
behavioral2/memory/3464-296-0x00007FF6450D0000-0x00007FF645421000-memory.dmp	upx
behavioral2/memory/2420-295-0x00007FF69B8A0000-0x00007FF69BBF1000-memory.dmp	upx
behavioral2/memory/664-294-0x00007FF714B80000-0x00007FF714ED1000-memory.dmp	upx
behavioral2/memory/4984-293-0x00007FF764DA0000-0x00007FF7650F1000-memory.dmp	upx
behavioral2/memory/4528-292-0x00007FF68EEC0000-0x00007FF68F211000-memory.dmp	upx
behavioral2/memory/860-254-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp	upx
behavioral2/memory/3284-237-0x00007FF7F0100000-0x00007FF7F0451000-memory.dmp	upx
behavioral2/memory/1468-223-0x00007FF74B520000-0x00007FF74B871000-memory.dmp	upx
behavioral2/memory/1144-200-0x00007FF7A5020000-0x00007FF7A5371000-memory.dmp	upx
behavioral2/memory/1208-197-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp	upx
behavioral2/files/0x0007000000023442-193.dat	upx
behavioral2/files/0x0007000000023441-190.dat	upx
behavioral2/files/0x0007000000023440-189.dat	upx
behavioral2/files/0x000700000002343f-188.dat	upx
behavioral2/files/0x000700000002343e-187.dat	upx
behavioral2/files/0x000700000002343d-182.dat	upx
behavioral2/files/0x0007000000023438-179.dat	upx
behavioral2/files/0x0007000000023437-174.dat	upx
behavioral2/files/0x000700000002342e-173.dat	upx
behavioral2/files/0x0007000000023435-166.dat	upx
behavioral2/files/0x0007000000023432-158.dat	upx
behavioral2/files/0x0007000000023431-151.dat	upx
behavioral2/files/0x000700000002342f-136.dat	upx
behavioral2/files/0x000700000002343c-132.dat	upx
behavioral2/files/0x0007000000023434-131.dat	upx
behavioral2/files/0x000700000002343b-130.dat	upx
behavioral2/files/0x000700000002343a-127.dat	upx
behavioral2/files/0x000700000002342b-125.dat	upx
behavioral2/memory/4772-153-0x00007FF7C7F10000-0x00007FF7C8261000-memory.dmp	upx
behavioral2/memory/1368-123-0x00007FF7F0370000-0x00007FF7F06C1000-memory.dmp	upx
behavioral2/files/0x0007000000023439-122.dat	upx
behavioral2/files/0x0007000000023430-120.dat	upx
behavioral2/files/0x0007000000023429-118.dat	upx
behavioral2/files/0x000700000002342c-133.dat	upx
behavioral2/files/0x0007000000023433-109.dat	upx
behavioral2/files/0x0007000000023428-105.dat	upx
behavioral2/files/0x000700000002342a-102.dat	upx
behavioral2/memory/2464-97-0x00007FF7E8A60000-0x00007FF7E8DB1000-memory.dmp	upx
behavioral2/files/0x0007000000023424-85.dat	upx
behavioral2/files/0x0007000000023423-75.dat	upx
behavioral2/files/0x0007000000023427-74.dat	upx
behavioral2/memory/4764-67-0x00007FF7A6770000-0x00007FF7A6AC1000-memory.dmp	upx
behavioral2/memory/3936-64-0x00007FF66AFA0000-0x00007FF66B2F1000-memory.dmp	upx
behavioral2/files/0x0007000000023421-51.dat	upx
behavioral2/files/0x0007000000023426-46.dat	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\YVQgWxV.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\GHqcorB.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\tckiJeP.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\uEkDBAf.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\qdDjZhm.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\HbmhvYV.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\YHQPCzG.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\RMZunda.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\JwgkxFU.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\UvTsWVF.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\KAdfAKw.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\CHgydNM.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\SZneGmb.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\bVwUrNt.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\aetwhWx.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\DoBaKqq.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\bdiOWUA.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\ullVqeb.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\DGxajoN.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\AINKLQA.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\oKSNkBW.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\BukIlSa.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\xVpYKIh.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\qJdwgQp.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\KVLagCO.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\qHyVgZz.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\HpQppTT.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\KqSdPRM.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\EiJaIXk.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\TqICzrZ.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\cLtUbNo.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\moZZbOV.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\gHVCBjf.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\oXtSEEu.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\GJCXMXh.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\aZtfFiK.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\aAnnQTz.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\XCpQPST.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\rfMBKVc.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\hUHTZwn.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\volsacI.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\BputbNA.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\VVfjnVK.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\dYCqmra.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\wlnTUAa.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\urcqwTg.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\qdyYskZ.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\IquClzE.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\gTLRyuL.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\IbSbkmo.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\BLWsAYI.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\IUkNAIM.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\BMkvYrf.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\mbklyTc.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\xXTtpdJ.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\FXjQoPR.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\sopcghV.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\SwmRHQX.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\VMoeQdk.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\gIrZslS.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\XITMleQ.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\qtIsiWc.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\TczyWcQ.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
File created	C:\Windows\System\xyUeRdh.exe	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13228	dwm.exe
Token: SeChangeNotifyPrivilege	13228	dwm.exe
Token: 33	13228	dwm.exe
Token: SeIncBasePriorityPrivilege	13228	dwm.exe
Token: SeShutdownPrivilege	13228	dwm.exe
Token: SeCreatePagefilePrivilege	13228	dwm.exe
Token: SeShutdownPrivilege	13228	dwm.exe
Token: SeCreatePagefilePrivilege	13228	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 2328	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	84
PID 1340 wrote to memory of 2328	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	84
PID 1340 wrote to memory of 3120	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	85
PID 1340 wrote to memory of 3120	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	85
PID 1340 wrote to memory of 3936	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	86
PID 1340 wrote to memory of 3936	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	86
PID 1340 wrote to memory of 4764	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	87
PID 1340 wrote to memory of 4764	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	87
PID 1340 wrote to memory of 2840	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	88
PID 1340 wrote to memory of 2840	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	88
PID 1340 wrote to memory of 4624	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	89
PID 1340 wrote to memory of 4624	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	89
PID 1340 wrote to memory of 2464	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	90
PID 1340 wrote to memory of 2464	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	90
PID 1340 wrote to memory of 1368	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	91
PID 1340 wrote to memory of 1368	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	91
PID 1340 wrote to memory of 4772	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	92
PID 1340 wrote to memory of 4772	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	92
PID 1340 wrote to memory of 3284	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	93
PID 1340 wrote to memory of 3284	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	93
PID 1340 wrote to memory of 1208	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	94
PID 1340 wrote to memory of 1208	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	94
PID 1340 wrote to memory of 1144	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	95
PID 1340 wrote to memory of 1144	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	95
PID 1340 wrote to memory of 2920	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	96
PID 1340 wrote to memory of 2920	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	96
PID 1340 wrote to memory of 1468	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	97
PID 1340 wrote to memory of 1468	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	97
PID 1340 wrote to memory of 860	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	98
PID 1340 wrote to memory of 860	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	98
PID 1340 wrote to memory of 5040	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	99
PID 1340 wrote to memory of 5040	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	99
PID 1340 wrote to memory of 1624	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	100
PID 1340 wrote to memory of 1624	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	100
PID 1340 wrote to memory of 4528	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	101
PID 1340 wrote to memory of 4528	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	101
PID 1340 wrote to memory of 4984	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	102
PID 1340 wrote to memory of 4984	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	102
PID 1340 wrote to memory of 832	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	103
PID 1340 wrote to memory of 832	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	103
PID 1340 wrote to memory of 664	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	104
PID 1340 wrote to memory of 664	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	104
PID 1340 wrote to memory of 2420	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	105
PID 1340 wrote to memory of 2420	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	105
PID 1340 wrote to memory of 3464	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	106
PID 1340 wrote to memory of 3464	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	106
PID 1340 wrote to memory of 1524	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	107
PID 1340 wrote to memory of 1524	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	107
PID 1340 wrote to memory of 4060	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	108
PID 1340 wrote to memory of 4060	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	108
PID 1340 wrote to memory of 1648	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	109
PID 1340 wrote to memory of 1648	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	109
PID 1340 wrote to memory of 3932	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	110
PID 1340 wrote to memory of 3932	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	110
PID 1340 wrote to memory of 4504	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	111
PID 1340 wrote to memory of 4504	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	111
PID 1340 wrote to memory of 436	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	112
PID 1340 wrote to memory of 436	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	112
PID 1340 wrote to memory of 4384	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	113
PID 1340 wrote to memory of 4384	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	113
PID 1340 wrote to memory of 3920	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	114
PID 1340 wrote to memory of 3920	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	114
PID 1340 wrote to memory of 2036	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	115
PID 1340 wrote to memory of 2036	1340	b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\b91d1089bfe8e3fdf01a0aba8de646a0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\System\lwtXYIq.exe
  C:\Windows\System\lwtXYIq.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Windows\System\eNkugrU.exe
  C:\Windows\System\eNkugrU.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\aUcDtCC.exe
  C:\Windows\System\aUcDtCC.exe
  2⤵
  - Executes dropped EXE
  PID:3936
- C:\Windows\System\ZDEZITc.exe
  C:\Windows\System\ZDEZITc.exe
  2⤵
  - Executes dropped EXE
  PID:4764
- C:\Windows\System\icMKyYp.exe
  C:\Windows\System\icMKyYp.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\DVULivZ.exe
  C:\Windows\System\DVULivZ.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\HTwPycL.exe
  C:\Windows\System\HTwPycL.exe
  2⤵
  - Executes dropped EXE
  PID:2464
- C:\Windows\System\wcLMlKC.exe
  C:\Windows\System\wcLMlKC.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Windows\System\gykPRgI.exe
  C:\Windows\System\gykPRgI.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\kIoDeYY.exe
  C:\Windows\System\kIoDeYY.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\ZMDtfrD.exe
  C:\Windows\System\ZMDtfrD.exe
  2⤵
  - Executes dropped EXE
  PID:1208
- C:\Windows\System\EANeNao.exe
  C:\Windows\System\EANeNao.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\YKupCmP.exe
  C:\Windows\System\YKupCmP.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\UFzyeNQ.exe
  C:\Windows\System\UFzyeNQ.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\PEcVLkL.exe
  C:\Windows\System\PEcVLkL.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\FsYZzjP.exe
  C:\Windows\System\FsYZzjP.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\kJCBgVq.exe
  C:\Windows\System\kJCBgVq.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\RkuPQXX.exe
  C:\Windows\System\RkuPQXX.exe
  2⤵
  - Executes dropped EXE
  PID:4528
- C:\Windows\System\EoMZWXi.exe
  C:\Windows\System\EoMZWXi.exe
  2⤵
  - Executes dropped EXE
  PID:4984
- C:\Windows\System\vUTMhCG.exe
  C:\Windows\System\vUTMhCG.exe
  2⤵
  - Executes dropped EXE
  PID:832
- C:\Windows\System\JCegndf.exe
  C:\Windows\System\JCegndf.exe
  2⤵
  - Executes dropped EXE
  PID:664
- C:\Windows\System\qHyVgZz.exe
  C:\Windows\System\qHyVgZz.exe
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Windows\System\arGnJPx.exe
  C:\Windows\System\arGnJPx.exe
  2⤵
  - Executes dropped EXE
  PID:3464
- C:\Windows\System\xVJGIKl.exe
  C:\Windows\System\xVJGIKl.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\htSBzFh.exe
  C:\Windows\System\htSBzFh.exe
  2⤵
  - Executes dropped EXE
  PID:4060
- C:\Windows\System\FXjQoPR.exe
  C:\Windows\System\FXjQoPR.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\wDKcQIE.exe
  C:\Windows\System\wDKcQIE.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\SefFjcM.exe
  C:\Windows\System\SefFjcM.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Windows\System\XdJNWnA.exe
  C:\Windows\System\XdJNWnA.exe
  2⤵
  - Executes dropped EXE
  PID:436
- C:\Windows\System\NFEmGTG.exe
  C:\Windows\System\NFEmGTG.exe
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Windows\System\mEnmdBl.exe
  C:\Windows\System\mEnmdBl.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\wsxdyvw.exe
  C:\Windows\System\wsxdyvw.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\tLKhtDa.exe
  C:\Windows\System\tLKhtDa.exe
  2⤵
  - Executes dropped EXE
  PID:4316
- C:\Windows\System\sIPoWUh.exe
  C:\Windows\System\sIPoWUh.exe
  2⤵
  - Executes dropped EXE
  PID:2212
- C:\Windows\System\YNoKNww.exe
  C:\Windows\System\YNoKNww.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\myKNAJb.exe
  C:\Windows\System\myKNAJb.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\pFwTltA.exe
  C:\Windows\System\pFwTltA.exe
  2⤵
  - Executes dropped EXE
  PID:760
- C:\Windows\System\LddAtEA.exe
  C:\Windows\System\LddAtEA.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\sopcghV.exe
  C:\Windows\System\sopcghV.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\iZmyMrd.exe
  C:\Windows\System\iZmyMrd.exe
  2⤵
  - Executes dropped EXE
  PID:3524
- C:\Windows\System\eXbqrIH.exe
  C:\Windows\System\eXbqrIH.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\goCpzTK.exe
  C:\Windows\System\goCpzTK.exe
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\Windows\System\OsBhuZa.exe
  C:\Windows\System\OsBhuZa.exe
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Windows\System\NYEowTg.exe
  C:\Windows\System\NYEowTg.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\HCduhtm.exe
  C:\Windows\System\HCduhtm.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\HHTgjDr.exe
  C:\Windows\System\HHTgjDr.exe
  2⤵
  - Executes dropped EXE
  PID:1184
- C:\Windows\System\cVdCEbt.exe
  C:\Windows\System\cVdCEbt.exe
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\Windows\System\nZPejNo.exe
  C:\Windows\System\nZPejNo.exe
  2⤵
  - Executes dropped EXE
  PID:1352
- C:\Windows\System\HeRlDwk.exe
  C:\Windows\System\HeRlDwk.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\uCTeypW.exe
  C:\Windows\System\uCTeypW.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System\NujLPbX.exe
  C:\Windows\System\NujLPbX.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\YTHDXEw.exe
  C:\Windows\System\YTHDXEw.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\HvmGkqJ.exe
  C:\Windows\System\HvmGkqJ.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\ReMIlSM.exe
  C:\Windows\System\ReMIlSM.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\ZuHnCfc.exe
  C:\Windows\System\ZuHnCfc.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\cyelSML.exe
  C:\Windows\System\cyelSML.exe
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Windows\System\OLMNEKP.exe
  C:\Windows\System\OLMNEKP.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\zkfaNwh.exe
  C:\Windows\System\zkfaNwh.exe
  2⤵
  - Executes dropped EXE
  PID:5032
- C:\Windows\System\HOrpEZC.exe
  C:\Windows\System\HOrpEZC.exe
  2⤵
  - Executes dropped EXE
  PID:3196
- C:\Windows\System\madgkHj.exe
  C:\Windows\System\madgkHj.exe
  2⤵
  - Executes dropped EXE
  PID:4252
- C:\Windows\System\TgeLxLZ.exe
  C:\Windows\System\TgeLxLZ.exe
  2⤵
  - Executes dropped EXE
  PID:1300
- C:\Windows\System\KRgSwwN.exe
  C:\Windows\System\KRgSwwN.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\azVlvTW.exe
  C:\Windows\System\azVlvTW.exe
  2⤵
  - Executes dropped EXE
  PID:4524
- C:\Windows\System\NdvyrVB.exe
  C:\Windows\System\NdvyrVB.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\System\gTLRyuL.exe
  C:\Windows\System\gTLRyuL.exe
  2⤵
  PID:4396
- C:\Windows\System\ffDxNLU.exe
  C:\Windows\System\ffDxNLU.exe
  2⤵
  PID:4760
- C:\Windows\System\DadFBsg.exe
  C:\Windows\System\DadFBsg.exe
  2⤵
  PID:1176
- C:\Windows\System\jyMOIuL.exe
  C:\Windows\System\jyMOIuL.exe
  2⤵
  PID:2208
- C:\Windows\System\besTEvr.exe
  C:\Windows\System\besTEvr.exe
  2⤵
  PID:3928
- C:\Windows\System\mquzwOR.exe
  C:\Windows\System\mquzwOR.exe
  2⤵
  PID:544
- C:\Windows\System\UhNSUUo.exe
  C:\Windows\System\UhNSUUo.exe
  2⤵
  PID:2876
- C:\Windows\System\hMhxyls.exe
  C:\Windows\System\hMhxyls.exe
  2⤵
  PID:1168
- C:\Windows\System\Idcvfkz.exe
  C:\Windows\System\Idcvfkz.exe
  2⤵
  PID:1716
- C:\Windows\System\VQdEdwa.exe
  C:\Windows\System\VQdEdwa.exe
  2⤵
  PID:2332
- C:\Windows\System\WzsBBQt.exe
  C:\Windows\System\WzsBBQt.exe
  2⤵
  PID:4844
- C:\Windows\System\AAnuuiJ.exe
  C:\Windows\System\AAnuuiJ.exe
  2⤵
  PID:4576
- C:\Windows\System\BZgHuzT.exe
  C:\Windows\System\BZgHuzT.exe
  2⤵
  PID:3396
- C:\Windows\System\nmpXLRA.exe
  C:\Windows\System\nmpXLRA.exe
  2⤵
  PID:4328
- C:\Windows\System\zxgNarf.exe
  C:\Windows\System\zxgNarf.exe
  2⤵
  PID:2176
- C:\Windows\System\NbobBmX.exe
  C:\Windows\System\NbobBmX.exe
  2⤵
  PID:2988
- C:\Windows\System\vyfBcXy.exe
  C:\Windows\System\vyfBcXy.exe
  2⤵
  PID:4580
- C:\Windows\System\EDHnuvK.exe
  C:\Windows\System\EDHnuvK.exe
  2⤵
  PID:376
- C:\Windows\System\wBlOWKl.exe
  C:\Windows\System\wBlOWKl.exe
  2⤵
  PID:5268
- C:\Windows\System\DEGeUDR.exe
  C:\Windows\System\DEGeUDR.exe
  2⤵
  PID:5284
- C:\Windows\System\GALlaOG.exe
  C:\Windows\System\GALlaOG.exe
  2⤵
  PID:5300
- C:\Windows\System\arFnoth.exe
  C:\Windows\System\arFnoth.exe
  2⤵
  PID:5316
- C:\Windows\System\QMmpBAl.exe
  C:\Windows\System\QMmpBAl.exe
  2⤵
  PID:5332
- C:\Windows\System\oZpAaAv.exe
  C:\Windows\System\oZpAaAv.exe
  2⤵
  PID:5348
- C:\Windows\System\LoRxDeE.exe
  C:\Windows\System\LoRxDeE.exe
  2⤵
  PID:5364
- C:\Windows\System\UVDzdrL.exe
  C:\Windows\System\UVDzdrL.exe
  2⤵
  PID:5380
- C:\Windows\System\skCKBda.exe
  C:\Windows\System\skCKBda.exe
  2⤵
  PID:5396
- C:\Windows\System\YVQgWxV.exe
  C:\Windows\System\YVQgWxV.exe
  2⤵
  PID:5412
- C:\Windows\System\pguAnrn.exe
  C:\Windows\System\pguAnrn.exe
  2⤵
  PID:5428
- C:\Windows\System\aFpahFN.exe
  C:\Windows\System\aFpahFN.exe
  2⤵
  PID:5444
- C:\Windows\System\mLVUxZJ.exe
  C:\Windows\System\mLVUxZJ.exe
  2⤵
  PID:5460
- C:\Windows\System\oXtSEEu.exe
  C:\Windows\System\oXtSEEu.exe
  2⤵
  PID:5476
- C:\Windows\System\jfSVbIS.exe
  C:\Windows\System\jfSVbIS.exe
  2⤵
  PID:5492
- C:\Windows\System\GCBCQpB.exe
  C:\Windows\System\GCBCQpB.exe
  2⤵
  PID:5508
- C:\Windows\System\hevsqxC.exe
  C:\Windows\System\hevsqxC.exe
  2⤵
  PID:5524
- C:\Windows\System\vbLlJWk.exe
  C:\Windows\System\vbLlJWk.exe
  2⤵
  PID:5540
- C:\Windows\System\wFAaamb.exe
  C:\Windows\System\wFAaamb.exe
  2⤵
  PID:5556
- C:\Windows\System\ttMyQjm.exe
  C:\Windows\System\ttMyQjm.exe
  2⤵
  PID:5572
- C:\Windows\System\SudsAZn.exe
  C:\Windows\System\SudsAZn.exe
  2⤵
  PID:5588
- C:\Windows\System\PMPvGiL.exe
  C:\Windows\System\PMPvGiL.exe
  2⤵
  PID:5604
- C:\Windows\System\vCrvrdz.exe
  C:\Windows\System\vCrvrdz.exe
  2⤵
  PID:5620
- C:\Windows\System\nZXPNtG.exe
  C:\Windows\System\nZXPNtG.exe
  2⤵
  PID:5636
- C:\Windows\System\GJCXMXh.exe
  C:\Windows\System\GJCXMXh.exe
  2⤵
  PID:5652
- C:\Windows\System\SwmRHQX.exe
  C:\Windows\System\SwmRHQX.exe
  2⤵
  PID:5668
- C:\Windows\System\XUmYrOO.exe
  C:\Windows\System\XUmYrOO.exe
  2⤵
  PID:5848
- C:\Windows\System\AINKLQA.exe
  C:\Windows\System\AINKLQA.exe
  2⤵
  PID:5872
- C:\Windows\System\IPbwrRx.exe
  C:\Windows\System\IPbwrRx.exe
  2⤵
  PID:5888
- C:\Windows\System\VybpEPi.exe
  C:\Windows\System\VybpEPi.exe
  2⤵
  PID:5912
- C:\Windows\System\mxnHXpa.exe
  C:\Windows\System\mxnHXpa.exe
  2⤵
  PID:5936
- C:\Windows\System\VQnFiNh.exe
  C:\Windows\System\VQnFiNh.exe
  2⤵
  PID:5952
- C:\Windows\System\VVfjnVK.exe
  C:\Windows\System\VVfjnVK.exe
  2⤵
  PID:5976
- C:\Windows\System\fAYIvsu.exe
  C:\Windows\System\fAYIvsu.exe
  2⤵
  PID:6004
- C:\Windows\System\mCsZONG.exe
  C:\Windows\System\mCsZONG.exe
  2⤵
  PID:6024
- C:\Windows\System\cjNAZxZ.exe
  C:\Windows\System\cjNAZxZ.exe
  2⤵
  PID:6040
- C:\Windows\System\JDCdkdl.exe
  C:\Windows\System\JDCdkdl.exe
  2⤵
  PID:5516
- C:\Windows\System\DJVLahg.exe
  C:\Windows\System\DJVLahg.exe
  2⤵
  PID:5580
- C:\Windows\System\GBrBaRu.exe
  C:\Windows\System\GBrBaRu.exe
  2⤵
  PID:5612
- C:\Windows\System\MXMiFil.exe
  C:\Windows\System\MXMiFil.exe
  2⤵
  PID:5648
- C:\Windows\System\SwncMPh.exe
  C:\Windows\System\SwncMPh.exe
  2⤵
  PID:5696
- C:\Windows\System\tpavWZV.exe
  C:\Windows\System\tpavWZV.exe
  2⤵
  PID:5720
- C:\Windows\System\laVasbo.exe
  C:\Windows\System\laVasbo.exe
  2⤵
  PID:5784
- C:\Windows\System\NlBbpTO.exe
  C:\Windows\System\NlBbpTO.exe
  2⤵
  PID:5816
- C:\Windows\System\KUtBYak.exe
  C:\Windows\System\KUtBYak.exe
  2⤵
  PID:5844
- C:\Windows\System\zAARQEt.exe
  C:\Windows\System\zAARQEt.exe
  2⤵
  PID:5884
- C:\Windows\System\aZtfFiK.exe
  C:\Windows\System\aZtfFiK.exe
  2⤵
  PID:5928
- C:\Windows\System\KvcrwcU.exe
  C:\Windows\System\KvcrwcU.exe
  2⤵
  PID:5972
- C:\Windows\System\YyTDnxu.exe
  C:\Windows\System\YyTDnxu.exe
  2⤵
  PID:6016
- C:\Windows\System\POnRtSH.exe
  C:\Windows\System\POnRtSH.exe
  2⤵
  PID:6124
- C:\Windows\System\BWRosyU.exe
  C:\Windows\System\BWRosyU.exe
  2⤵
  PID:4540
- C:\Windows\System\QULfcvW.exe
  C:\Windows\System\QULfcvW.exe
  2⤵
  PID:4516
- C:\Windows\System\rcRyHdu.exe
  C:\Windows\System\rcRyHdu.exe
  2⤵
  PID:3352
- C:\Windows\System\nusylnK.exe
  C:\Windows\System\nusylnK.exe
  2⤵
  PID:3080
- C:\Windows\System\vBowZqM.exe
  C:\Windows\System\vBowZqM.exe
  2⤵
  PID:3148
- C:\Windows\System\rzcoCkg.exe
  C:\Windows\System\rzcoCkg.exe
  2⤵
  PID:1472
- C:\Windows\System\xxZMPwW.exe
  C:\Windows\System\xxZMPwW.exe
  2⤵
  PID:2736
- C:\Windows\System\XghwUoV.exe
  C:\Windows\System\XghwUoV.exe
  2⤵
  PID:3044
- C:\Windows\System\mWAAQIL.exe
  C:\Windows\System\mWAAQIL.exe
  2⤵
  PID:4936
- C:\Windows\System\pgPmAIS.exe
  C:\Windows\System\pgPmAIS.exe
  2⤵
  PID:2188
- C:\Windows\System\ulcmWNm.exe
  C:\Windows\System\ulcmWNm.exe
  2⤵
  PID:3952
- C:\Windows\System\qpVjpCH.exe
  C:\Windows\System\qpVjpCH.exe
  2⤵
  PID:4636
- C:\Windows\System\ubXlcEL.exe
  C:\Windows\System\ubXlcEL.exe
  2⤵
  PID:4920
- C:\Windows\System\YjGJwbg.exe
  C:\Windows\System\YjGJwbg.exe
  2⤵
  PID:5108
- C:\Windows\System\tDUycdH.exe
  C:\Windows\System\tDUycdH.exe
  2⤵
  PID:2196
- C:\Windows\System\yHxxwei.exe
  C:\Windows\System\yHxxwei.exe
  2⤵
  PID:960
- C:\Windows\System\IUeuzXF.exe
  C:\Windows\System\IUeuzXF.exe
  2⤵
  PID:5248
- C:\Windows\System\xWQWwPI.exe
  C:\Windows\System\xWQWwPI.exe
  2⤵
  PID:5124
- C:\Windows\System\SJdApTX.exe
  C:\Windows\System\SJdApTX.exe
  2⤵
  PID:1916
- C:\Windows\System\vUjqqRL.exe
  C:\Windows\System\vUjqqRL.exe
  2⤵
  PID:1856
- C:\Windows\System\jfAenGg.exe
  C:\Windows\System\jfAenGg.exe
  2⤵
  PID:4236
- C:\Windows\System\wAtBhLM.exe
  C:\Windows\System\wAtBhLM.exe
  2⤵
  PID:5632
- C:\Windows\System\gLzvBtT.exe
  C:\Windows\System\gLzvBtT.exe
  2⤵
  PID:5680
- C:\Windows\System\IrJpCNM.exe
  C:\Windows\System\IrJpCNM.exe
  2⤵
  PID:5800
- C:\Windows\System\jOAGsva.exe
  C:\Windows\System\jOAGsva.exe
  2⤵
  PID:5908
- C:\Windows\System\iSpIZpX.exe
  C:\Windows\System\iSpIZpX.exe
  2⤵
  PID:6012
- C:\Windows\System\qyPQyjV.exe
  C:\Windows\System\qyPQyjV.exe
  2⤵
  PID:3596
- C:\Windows\System\VMoeQdk.exe
  C:\Windows\System\VMoeQdk.exe
  2⤵
  PID:1420
- C:\Windows\System\oUauqnX.exe
  C:\Windows\System\oUauqnX.exe
  2⤵
  PID:3180
- C:\Windows\System\VBwslxw.exe
  C:\Windows\System\VBwslxw.exe
  2⤵
  PID:4084
- C:\Windows\System\HpQppTT.exe
  C:\Windows\System\HpQppTT.exe
  2⤵
  PID:4056
- C:\Windows\System\SZneGmb.exe
  C:\Windows\System\SZneGmb.exe
  2⤵
  PID:568
- C:\Windows\System\UiuUqPG.exe
  C:\Windows\System\UiuUqPG.exe
  2⤵
  PID:648
- C:\Windows\System\jkGScze.exe
  C:\Windows\System\jkGScze.exe
  2⤵
  PID:316
- C:\Windows\System\DdBJcgi.exe
  C:\Windows\System\DdBJcgi.exe
  2⤵
  PID:5140
- C:\Windows\System\hdJvWBx.exe
  C:\Windows\System\hdJvWBx.exe
  2⤵
  PID:2480
- C:\Windows\System\UOOZAwk.exe
  C:\Windows\System\UOOZAwk.exe
  2⤵
  PID:6148
- C:\Windows\System\ThDtFrp.exe
  C:\Windows\System\ThDtFrp.exe
  2⤵
  PID:6168
- C:\Windows\System\yzhoNSc.exe
  C:\Windows\System\yzhoNSc.exe
  2⤵
  PID:6188
- C:\Windows\System\SQgXTzH.exe
  C:\Windows\System\SQgXTzH.exe
  2⤵
  PID:6208
- C:\Windows\System\dIIFiXW.exe
  C:\Windows\System\dIIFiXW.exe
  2⤵
  PID:6228
- C:\Windows\System\fxahXEn.exe
  C:\Windows\System\fxahXEn.exe
  2⤵
  PID:6248
- C:\Windows\System\JSUXjqC.exe
  C:\Windows\System\JSUXjqC.exe
  2⤵
  PID:6268
- C:\Windows\System\YYhHHkj.exe
  C:\Windows\System\YYhHHkj.exe
  2⤵
  PID:6288
- C:\Windows\System\oPlvfki.exe
  C:\Windows\System\oPlvfki.exe
  2⤵
  PID:6308
- C:\Windows\System\hkUzoNf.exe
  C:\Windows\System\hkUzoNf.exe
  2⤵
  PID:6332
- C:\Windows\System\aXNjDIk.exe
  C:\Windows\System\aXNjDIk.exe
  2⤵
  PID:6360
- C:\Windows\System\NOMlAul.exe
  C:\Windows\System\NOMlAul.exe
  2⤵
  PID:6384
- C:\Windows\System\KDbPaAT.exe
  C:\Windows\System\KDbPaAT.exe
  2⤵
  PID:6404
- C:\Windows\System\CdCmCTz.exe
  C:\Windows\System\CdCmCTz.exe
  2⤵
  PID:6428
- C:\Windows\System\bERpTZk.exe
  C:\Windows\System\bERpTZk.exe
  2⤵
  PID:6444
- C:\Windows\System\GHqcorB.exe
  C:\Windows\System\GHqcorB.exe
  2⤵
  PID:6464
- C:\Windows\System\rcdiAtv.exe
  C:\Windows\System\rcdiAtv.exe
  2⤵
  PID:6484
- C:\Windows\System\PADykAQ.exe
  C:\Windows\System\PADykAQ.exe
  2⤵
  PID:6512
- C:\Windows\System\gsVKcuE.exe
  C:\Windows\System\gsVKcuE.exe
  2⤵
  PID:6532
- C:\Windows\System\jQzZEeV.exe
  C:\Windows\System\jQzZEeV.exe
  2⤵
  PID:6560
- C:\Windows\System\YTmrifD.exe
  C:\Windows\System\YTmrifD.exe
  2⤵
  PID:6576
- C:\Windows\System\OuqmPoM.exe
  C:\Windows\System\OuqmPoM.exe
  2⤵
  PID:6604
- C:\Windows\System\tFFnlDo.exe
  C:\Windows\System\tFFnlDo.exe
  2⤵
  PID:6620
- C:\Windows\System\urcqwTg.exe
  C:\Windows\System\urcqwTg.exe
  2⤵
  PID:6640
- C:\Windows\System\msXnIMK.exe
  C:\Windows\System\msXnIMK.exe
  2⤵
  PID:6660
- C:\Windows\System\xKGcztr.exe
  C:\Windows\System\xKGcztr.exe
  2⤵
  PID:6688
- C:\Windows\System\aAnnQTz.exe
  C:\Windows\System\aAnnQTz.exe
  2⤵
  PID:6708
- C:\Windows\System\ZlBVnpB.exe
  C:\Windows\System\ZlBVnpB.exe
  2⤵
  PID:6724
- C:\Windows\System\bVwUrNt.exe
  C:\Windows\System\bVwUrNt.exe
  2⤵
  PID:6748
- C:\Windows\System\NqrRwTA.exe
  C:\Windows\System\NqrRwTA.exe
  2⤵
  PID:6768
- C:\Windows\System\ZidXONa.exe
  C:\Windows\System\ZidXONa.exe
  2⤵
  PID:6784
- C:\Windows\System\iyRmGOv.exe
  C:\Windows\System\iyRmGOv.exe
  2⤵
  PID:6808
- C:\Windows\System\tVbvguX.exe
  C:\Windows\System\tVbvguX.exe
  2⤵
  PID:6828
- C:\Windows\System\FvUzCot.exe
  C:\Windows\System\FvUzCot.exe
  2⤵
  PID:6848
- C:\Windows\System\scReHpT.exe
  C:\Windows\System\scReHpT.exe
  2⤵
  PID:6872
- C:\Windows\System\MUfSqkq.exe
  C:\Windows\System\MUfSqkq.exe
  2⤵
  PID:6892
- C:\Windows\System\cJKRtxS.exe
  C:\Windows\System\cJKRtxS.exe
  2⤵
  PID:7120
- C:\Windows\System\WpgmSRS.exe
  C:\Windows\System\WpgmSRS.exe
  2⤵
  PID:7140
- C:\Windows\System\rSMEisi.exe
  C:\Windows\System\rSMEisi.exe
  2⤵
  PID:7164
- C:\Windows\System\PUnrLVO.exe
  C:\Windows\System\PUnrLVO.exe
  2⤵
  PID:5564
- C:\Windows\System\HUqHEqS.exe
  C:\Windows\System\HUqHEqS.exe
  2⤵
  PID:5832
- C:\Windows\System\kKqrbim.exe
  C:\Windows\System\kKqrbim.exe
  2⤵
  PID:6052
- C:\Windows\System\SkFSoYt.exe
  C:\Windows\System\SkFSoYt.exe
  2⤵
  PID:6244
- C:\Windows\System\bPDRJnY.exe
  C:\Windows\System\bPDRJnY.exe
  2⤵
  PID:6320
- C:\Windows\System\KqSdPRM.exe
  C:\Windows\System\KqSdPRM.exe
  2⤵
  PID:808
- C:\Windows\System\yqDWdrF.exe
  C:\Windows\System\yqDWdrF.exe
  2⤵
  PID:5760
- C:\Windows\System\hGDhSci.exe
  C:\Windows\System\hGDhSci.exe
  2⤵
  PID:692
- C:\Windows\System\qdfjqbM.exe
  C:\Windows\System\qdfjqbM.exe
  2⤵
  PID:6480
- C:\Windows\System\OhqrYLq.exe
  C:\Windows\System\OhqrYLq.exe
  2⤵
  PID:5948
- C:\Windows\System\IqlyQvq.exe
  C:\Windows\System\IqlyQvq.exe
  2⤵
  PID:6636
- C:\Windows\System\CJWfcGP.exe
  C:\Windows\System\CJWfcGP.exe
  2⤵
  PID:6716
- C:\Windows\System\fimTTvw.exe
  C:\Windows\System\fimTTvw.exe
  2⤵
  PID:6868
- C:\Windows\System\ehbDOfY.exe
  C:\Windows\System\ehbDOfY.exe
  2⤵
  PID:1672
- C:\Windows\System\kSijZvl.exe
  C:\Windows\System\kSijZvl.exe
  2⤵
  PID:6164
- C:\Windows\System\vVgggnA.exe
  C:\Windows\System\vVgggnA.exe
  2⤵
  PID:6908
- C:\Windows\System\DXgeknF.exe
  C:\Windows\System\DXgeknF.exe
  2⤵
  PID:6976
- C:\Windows\System\ottlakz.exe
  C:\Windows\System\ottlakz.exe
  2⤵
  PID:6680
- C:\Windows\System\IydcdKX.exe
  C:\Windows\System\IydcdKX.exe
  2⤵
  PID:6760
- C:\Windows\System\mOzBcdU.exe
  C:\Windows\System\mOzBcdU.exe
  2⤵
  PID:7036
- C:\Windows\System\ATsVwnc.exe
  C:\Windows\System\ATsVwnc.exe
  2⤵
  PID:7052
- C:\Windows\System\sqGeIVN.exe
  C:\Windows\System\sqGeIVN.exe
  2⤵
  PID:7068
- C:\Windows\System\aMNawGz.exe
  C:\Windows\System\aMNawGz.exe
  2⤵
  PID:7180
- C:\Windows\System\anQmywv.exe
  C:\Windows\System\anQmywv.exe
  2⤵
  PID:7196
- C:\Windows\System\QkpfFTe.exe
  C:\Windows\System\QkpfFTe.exe
  2⤵
  PID:7224
- C:\Windows\System\juVQtZn.exe
  C:\Windows\System\juVQtZn.exe
  2⤵
  PID:7252
- C:\Windows\System\cSsycpA.exe
  C:\Windows\System\cSsycpA.exe
  2⤵
  PID:7276
- C:\Windows\System\IQFzAkb.exe
  C:\Windows\System\IQFzAkb.exe
  2⤵
  PID:7296
- C:\Windows\System\UkqWoMt.exe
  C:\Windows\System\UkqWoMt.exe
  2⤵
  PID:7320
- C:\Windows\System\LeEBZwB.exe
  C:\Windows\System\LeEBZwB.exe
  2⤵
  PID:7352
- C:\Windows\System\VPjFvWT.exe
  C:\Windows\System\VPjFvWT.exe
  2⤵
  PID:7372
- C:\Windows\System\qdyYskZ.exe
  C:\Windows\System\qdyYskZ.exe
  2⤵
  PID:7392
- C:\Windows\System\cZIAZNs.exe
  C:\Windows\System\cZIAZNs.exe
  2⤵
  PID:7416
- C:\Windows\System\IbSbkmo.exe
  C:\Windows\System\IbSbkmo.exe
  2⤵
  PID:7436
- C:\Windows\System\pqAhVMZ.exe
  C:\Windows\System\pqAhVMZ.exe
  2⤵
  PID:7452
- C:\Windows\System\sCsKcvS.exe
  C:\Windows\System\sCsKcvS.exe
  2⤵
  PID:7480
- C:\Windows\System\OHxQFmK.exe
  C:\Windows\System\OHxQFmK.exe
  2⤵
  PID:7500
- C:\Windows\System\TWgcZoI.exe
  C:\Windows\System\TWgcZoI.exe
  2⤵
  PID:7524
- C:\Windows\System\LSKZDuL.exe
  C:\Windows\System\LSKZDuL.exe
  2⤵
  PID:7544
- C:\Windows\System\kOwKDXk.exe
  C:\Windows\System\kOwKDXk.exe
  2⤵
  PID:7568
- C:\Windows\System\CaYRIhx.exe
  C:\Windows\System\CaYRIhx.exe
  2⤵
  PID:7588
- C:\Windows\System\AvHBUIR.exe
  C:\Windows\System\AvHBUIR.exe
  2⤵
  PID:7612
- C:\Windows\System\pHHkqXD.exe
  C:\Windows\System\pHHkqXD.exe
  2⤵
  PID:7632
- C:\Windows\System\cGRICUq.exe
  C:\Windows\System\cGRICUq.exe
  2⤵
  PID:7656
- C:\Windows\System\rDLjvsK.exe
  C:\Windows\System\rDLjvsK.exe
  2⤵
  PID:7680
- C:\Windows\System\vFYQWTl.exe
  C:\Windows\System\vFYQWTl.exe
  2⤵
  PID:7700
- C:\Windows\System\pCFZmUE.exe
  C:\Windows\System\pCFZmUE.exe
  2⤵
  PID:7720
- C:\Windows\System\OqYCLuh.exe
  C:\Windows\System\OqYCLuh.exe
  2⤵
  PID:7740
- C:\Windows\System\WDgHjDP.exe
  C:\Windows\System\WDgHjDP.exe
  2⤵
  PID:7764
- C:\Windows\System\CTwMEsw.exe
  C:\Windows\System\CTwMEsw.exe
  2⤵
  PID:7784
- C:\Windows\System\YmlQUuF.exe
  C:\Windows\System\YmlQUuF.exe
  2⤵
  PID:7804
- C:\Windows\System\FIpDEVP.exe
  C:\Windows\System\FIpDEVP.exe
  2⤵
  PID:7824
- C:\Windows\System\GtHetGE.exe
  C:\Windows\System\GtHetGE.exe
  2⤵
  PID:7844
- C:\Windows\System\hZJHVlV.exe
  C:\Windows\System\hZJHVlV.exe
  2⤵
  PID:7868
- C:\Windows\System\MXnksdg.exe
  C:\Windows\System\MXnksdg.exe
  2⤵
  PID:7888
- C:\Windows\System\GUsWxOM.exe
  C:\Windows\System\GUsWxOM.exe
  2⤵
  PID:7908
- C:\Windows\System\ZgApDVY.exe
  C:\Windows\System\ZgApDVY.exe
  2⤵
  PID:7932
- C:\Windows\System\dRCzfga.exe
  C:\Windows\System\dRCzfga.exe
  2⤵
  PID:7952
- C:\Windows\System\oKSNkBW.exe
  C:\Windows\System\oKSNkBW.exe
  2⤵
  PID:7980
- C:\Windows\System\rmWTZVb.exe
  C:\Windows\System\rmWTZVb.exe
  2⤵
  PID:8000
- C:\Windows\System\IowlFeR.exe
  C:\Windows\System\IowlFeR.exe
  2⤵
  PID:8016
- C:\Windows\System\aetwhWx.exe
  C:\Windows\System\aetwhWx.exe
  2⤵
  PID:8036
- C:\Windows\System\ZnFjxrP.exe
  C:\Windows\System\ZnFjxrP.exe
  2⤵
  PID:8052
- C:\Windows\System\PYXPryf.exe
  C:\Windows\System\PYXPryf.exe
  2⤵
  PID:8072
- C:\Windows\System\xyUeRdh.exe
  C:\Windows\System\xyUeRdh.exe
  2⤵
  PID:8100
- C:\Windows\System\LBZyKfC.exe
  C:\Windows\System\LBZyKfC.exe
  2⤵
  PID:8116
- C:\Windows\System\dcQICKf.exe
  C:\Windows\System\dcQICKf.exe
  2⤵
  PID:8132
- C:\Windows\System\krXMfWn.exe
  C:\Windows\System\krXMfWn.exe
  2⤵
  PID:8156
- C:\Windows\System\rzlqzqE.exe
  C:\Windows\System\rzlqzqE.exe
  2⤵
  PID:8184
- C:\Windows\System\BukIlSa.exe
  C:\Windows\System\BukIlSa.exe
  2⤵
  PID:6592
- C:\Windows\System\emFDnic.exe
  C:\Windows\System\emFDnic.exe
  2⤵
  PID:7156
- C:\Windows\System\UMWioDP.exe
  C:\Windows\System\UMWioDP.exe
  2⤵
  PID:5776
- C:\Windows\System\TXgioNE.exe
  C:\Windows\System\TXgioNE.exe
  2⤵
  PID:6476
- C:\Windows\System\cogaSDd.exe
  C:\Windows\System\cogaSDd.exe
  2⤵
  PID:4340
- C:\Windows\System\CPOKJTu.exe
  C:\Windows\System\CPOKJTu.exe
  2⤵
  PID:7020
- C:\Windows\System\jkCOFyQ.exe
  C:\Windows\System\jkCOFyQ.exe
  2⤵
  PID:6552
- C:\Windows\System\gVKhkyz.exe
  C:\Windows\System\gVKhkyz.exe
  2⤵
  PID:6280
- C:\Windows\System\inRbojK.exe
  C:\Windows\System\inRbojK.exe
  2⤵
  PID:6396
- C:\Windows\System\lTNkWPW.exe
  C:\Windows\System\lTNkWPW.exe
  2⤵
  PID:7192
- C:\Windows\System\ocZhidc.exe
  C:\Windows\System\ocZhidc.exe
  2⤵
  PID:7260
- C:\Windows\System\xRtwmQS.exe
  C:\Windows\System\xRtwmQS.exe
  2⤵
  PID:5600
- C:\Windows\System\fHwkrMP.exe
  C:\Windows\System\fHwkrMP.exe
  2⤵
  PID:6340
- C:\Windows\System\siLMLPO.exe
  C:\Windows\System\siLMLPO.exe
  2⤵
  PID:7364
- C:\Windows\System\JerpRvx.exe
  C:\Windows\System\JerpRvx.exe
  2⤵
  PID:7012
- C:\Windows\System\FJYhaja.exe
  C:\Windows\System\FJYhaja.exe
  2⤵
  PID:7536
- C:\Windows\System\tckiJeP.exe
  C:\Windows\System\tckiJeP.exe
  2⤵
  PID:6856
- C:\Windows\System\VwnQFjO.exe
  C:\Windows\System\VwnQFjO.exe
  2⤵
  PID:7620
- C:\Windows\System\slgdsLx.exe
  C:\Windows\System\slgdsLx.exe
  2⤵
  PID:7672
- C:\Windows\System\fuXFvSv.exe
  C:\Windows\System\fuXFvSv.exe
  2⤵
  PID:7712
- C:\Windows\System\EWQAfMs.exe
  C:\Windows\System\EWQAfMs.exe
  2⤵
  PID:7756
- C:\Windows\System\Viamevr.exe
  C:\Windows\System\Viamevr.exe
  2⤵
  PID:5904
- C:\Windows\System\eHXaGDR.exe
  C:\Windows\System\eHXaGDR.exe
  2⤵
  PID:7856
- C:\Windows\System\WEnuiPt.exe
  C:\Windows\System\WEnuiPt.exe
  2⤵
  PID:7384
- C:\Windows\System\COWEyhE.exe
  C:\Windows\System\COWEyhE.exe
  2⤵
  PID:7428
- C:\Windows\System\ahkSNGB.exe
  C:\Windows\System\ahkSNGB.exe
  2⤵
  PID:8012
- C:\Windows\System\FlriJJx.exe
  C:\Windows\System\FlriJJx.exe
  2⤵
  PID:8212
- C:\Windows\System\IENMyfR.exe
  C:\Windows\System\IENMyfR.exe
  2⤵
  PID:8232
- C:\Windows\System\riLJRKT.exe
  C:\Windows\System\riLJRKT.exe
  2⤵
  PID:8256
- C:\Windows\System\aCRBZQy.exe
  C:\Windows\System\aCRBZQy.exe
  2⤵
  PID:8284
- C:\Windows\System\eYdEZWf.exe
  C:\Windows\System\eYdEZWf.exe
  2⤵
  PID:8304
- C:\Windows\System\xVpYKIh.exe
  C:\Windows\System\xVpYKIh.exe
  2⤵
  PID:8328
- C:\Windows\System\YfncLLM.exe
  C:\Windows\System\YfncLLM.exe
  2⤵
  PID:8356
- C:\Windows\System\OwSUhjY.exe
  C:\Windows\System\OwSUhjY.exe
  2⤵
  PID:8372
- C:\Windows\System\MPKcHfa.exe
  C:\Windows\System\MPKcHfa.exe
  2⤵
  PID:8392
- C:\Windows\System\TMUMDDt.exe
  C:\Windows\System\TMUMDDt.exe
  2⤵
  PID:8412
- C:\Windows\System\zuVobom.exe
  C:\Windows\System\zuVobom.exe
  2⤵
  PID:8432
- C:\Windows\System\RMZunda.exe
  C:\Windows\System\RMZunda.exe
  2⤵
  PID:8460
- C:\Windows\System\wiiQOrE.exe
  C:\Windows\System\wiiQOrE.exe
  2⤵
  PID:8484
- C:\Windows\System\GOPSHBJ.exe
  C:\Windows\System\GOPSHBJ.exe
  2⤵
  PID:8500
- C:\Windows\System\niJghPv.exe
  C:\Windows\System\niJghPv.exe
  2⤵
  PID:8524
- C:\Windows\System\QjxCRZN.exe
  C:\Windows\System\QjxCRZN.exe
  2⤵
  PID:8544
- C:\Windows\System\GfDSxbQ.exe
  C:\Windows\System\GfDSxbQ.exe
  2⤵
  PID:8564
- C:\Windows\System\qxnPYnJ.exe
  C:\Windows\System\qxnPYnJ.exe
  2⤵
  PID:8592
- C:\Windows\System\bfVSFqY.exe
  C:\Windows\System\bfVSFqY.exe
  2⤵
  PID:8612
- C:\Windows\System\NZDwPfM.exe
  C:\Windows\System\NZDwPfM.exe
  2⤵
  PID:8632
- C:\Windows\System\sHMuGjc.exe
  C:\Windows\System\sHMuGjc.exe
  2⤵
  PID:8652
- C:\Windows\System\qJdwgQp.exe
  C:\Windows\System\qJdwgQp.exe
  2⤵
  PID:8672
- C:\Windows\System\UkLBloC.exe
  C:\Windows\System\UkLBloC.exe
  2⤵
  PID:8700
- C:\Windows\System\mxHkRhS.exe
  C:\Windows\System\mxHkRhS.exe
  2⤵
  PID:8716
- C:\Windows\System\NzPpFmj.exe
  C:\Windows\System\NzPpFmj.exe
  2⤵
  PID:8736
- C:\Windows\System\UYxHtwh.exe
  C:\Windows\System\UYxHtwh.exe
  2⤵
  PID:8760
- C:\Windows\System\YVMUrQw.exe
  C:\Windows\System\YVMUrQw.exe
  2⤵
  PID:8776
- C:\Windows\System\TDFLllu.exe
  C:\Windows\System\TDFLllu.exe
  2⤵
  PID:8804
- C:\Windows\System\XCpQPST.exe
  C:\Windows\System\XCpQPST.exe
  2⤵
  PID:8824
- C:\Windows\System\qsNmprp.exe
  C:\Windows\System\qsNmprp.exe
  2⤵
  PID:8848
- C:\Windows\System\RqhPozY.exe
  C:\Windows\System\RqhPozY.exe
  2⤵
  PID:8868
- C:\Windows\System\XglVtoS.exe
  C:\Windows\System\XglVtoS.exe
  2⤵
  PID:8892
- C:\Windows\System\hlpURNT.exe
  C:\Windows\System\hlpURNT.exe
  2⤵
  PID:8916
- C:\Windows\System\EOmPZsD.exe
  C:\Windows\System\EOmPZsD.exe
  2⤵
  PID:8936
- C:\Windows\System\dqYDwiA.exe
  C:\Windows\System\dqYDwiA.exe
  2⤵
  PID:8956
- C:\Windows\System\GLwQPrx.exe
  C:\Windows\System\GLwQPrx.exe
  2⤵
  PID:8980
- C:\Windows\System\KAyCBSk.exe
  C:\Windows\System\KAyCBSk.exe
  2⤵
  PID:9000
- C:\Windows\System\dPnxJoR.exe
  C:\Windows\System\dPnxJoR.exe
  2⤵
  PID:9024
- C:\Windows\System\INcSGzU.exe
  C:\Windows\System\INcSGzU.exe
  2⤵
  PID:9044
- C:\Windows\System\AGmpiWk.exe
  C:\Windows\System\AGmpiWk.exe
  2⤵
  PID:9068
- C:\Windows\System\JdYFXsW.exe
  C:\Windows\System\JdYFXsW.exe
  2⤵
  PID:9092
- C:\Windows\System\vMrpAjE.exe
  C:\Windows\System\vMrpAjE.exe
  2⤵
  PID:9108
- C:\Windows\System\JrRCUJK.exe
  C:\Windows\System\JrRCUJK.exe
  2⤵
  PID:9132
- C:\Windows\System\jlARckf.exe
  C:\Windows\System\jlARckf.exe
  2⤵
  PID:9152
- C:\Windows\System\SxgoxTI.exe
  C:\Windows\System\SxgoxTI.exe
  2⤵
  PID:9176
- C:\Windows\System\AlKFigT.exe
  C:\Windows\System\AlKFigT.exe
  2⤵
  PID:9200
- C:\Windows\System\WXAjUDA.exe
  C:\Windows\System\WXAjUDA.exe
  2⤵
  PID:8028
- C:\Windows\System\VTlpsCY.exe
  C:\Windows\System\VTlpsCY.exe
  2⤵
  PID:6180
- C:\Windows\System\DDGYgtx.exe
  C:\Windows\System\DDGYgtx.exe
  2⤵
  PID:8152
- C:\Windows\System\DoBaKqq.exe
  C:\Windows\System\DoBaKqq.exe
  2⤵
  PID:7604
- C:\Windows\System\gIrZslS.exe
  C:\Windows\System\gIrZslS.exe
  2⤵
  PID:7172
- C:\Windows\System\xsQTgYk.exe
  C:\Windows\System\xsQTgYk.exe
  2⤵
  PID:6740
- C:\Windows\System\MzmrIFZ.exe
  C:\Windows\System\MzmrIFZ.exe
  2⤵
  PID:6528
- C:\Windows\System\QqTRetm.exe
  C:\Windows\System\QqTRetm.exe
  2⤵
  PID:6220
- C:\Windows\System\vzfeBTZ.exe
  C:\Windows\System\vzfeBTZ.exe
  2⤵
  PID:6204
- C:\Windows\System\WkgCWaf.exe
  C:\Windows\System\WkgCWaf.exe
  2⤵
  PID:6860
- C:\Windows\System\REmpWAW.exe
  C:\Windows\System\REmpWAW.exe
  2⤵
  PID:7924
- C:\Windows\System\MZeDbNz.exe
  C:\Windows\System\MZeDbNz.exe
  2⤵
  PID:7444
- C:\Windows\System\EaeRRFu.exe
  C:\Windows\System\EaeRRFu.exe
  2⤵
  PID:7836
- C:\Windows\System\nQKdmGd.exe
  C:\Windows\System\nQKdmGd.exe
  2⤵
  PID:8292
- C:\Windows\System\kwzYTez.exe
  C:\Windows\System\kwzYTez.exe
  2⤵
  PID:8340
- C:\Windows\System\ZwXPglC.exe
  C:\Windows\System\ZwXPglC.exe
  2⤵
  PID:8148
- C:\Windows\System\dYCqmra.exe
  C:\Windows\System\dYCqmra.exe
  2⤵
  PID:8404
- C:\Windows\System\Jiotard.exe
  C:\Windows\System\Jiotard.exe
  2⤵
  PID:8452
- C:\Windows\System\ncXhfQP.exe
  C:\Windows\System\ncXhfQP.exe
  2⤵
  PID:9240
- C:\Windows\System\llEwZBl.exe
  C:\Windows\System\llEwZBl.exe
  2⤵
  PID:9260
- C:\Windows\System\RVwUosc.exe
  C:\Windows\System\RVwUosc.exe
  2⤵
  PID:9280
- C:\Windows\System\shfBEdL.exe
  C:\Windows\System\shfBEdL.exe
  2⤵
  PID:9304
- C:\Windows\System\tMXNgRU.exe
  C:\Windows\System\tMXNgRU.exe
  2⤵
  PID:9328
- C:\Windows\System\TvkNJlV.exe
  C:\Windows\System\TvkNJlV.exe
  2⤵
  PID:9356
- C:\Windows\System\pLrADvg.exe
  C:\Windows\System\pLrADvg.exe
  2⤵
  PID:9376
- C:\Windows\System\YiyVArf.exe
  C:\Windows\System\YiyVArf.exe
  2⤵
  PID:9396
- C:\Windows\System\eFnUoiR.exe
  C:\Windows\System\eFnUoiR.exe
  2⤵
  PID:9416
- C:\Windows\System\AsKnNFM.exe
  C:\Windows\System\AsKnNFM.exe
  2⤵
  PID:9440
- C:\Windows\System\FJyZAXH.exe
  C:\Windows\System\FJyZAXH.exe
  2⤵
  PID:9456
- C:\Windows\System\FAIfqfM.exe
  C:\Windows\System\FAIfqfM.exe
  2⤵
  PID:9480
- C:\Windows\System\IJpAJqC.exe
  C:\Windows\System\IJpAJqC.exe
  2⤵
  PID:9496
- C:\Windows\System\rpLmncy.exe
  C:\Windows\System\rpLmncy.exe
  2⤵
  PID:9516
- C:\Windows\System\LxbbyQh.exe
  C:\Windows\System\LxbbyQh.exe
  2⤵
  PID:9540
- C:\Windows\System\JwgkxFU.exe
  C:\Windows\System\JwgkxFU.exe
  2⤵
  PID:9560
- C:\Windows\System\sYpvAfg.exe
  C:\Windows\System\sYpvAfg.exe
  2⤵
  PID:9584
- C:\Windows\System\XezjwmE.exe
  C:\Windows\System\XezjwmE.exe
  2⤵
  PID:9600
- C:\Windows\System\sqhxmTF.exe
  C:\Windows\System\sqhxmTF.exe
  2⤵
  PID:9624
- C:\Windows\System\dKuKdQG.exe
  C:\Windows\System\dKuKdQG.exe
  2⤵
  PID:9660
- C:\Windows\System\cLtUbNo.exe
  C:\Windows\System\cLtUbNo.exe
  2⤵
  PID:9676
- C:\Windows\System\RRyErtI.exe
  C:\Windows\System\RRyErtI.exe
  2⤵
  PID:9696
- C:\Windows\System\ABbSowR.exe
  C:\Windows\System\ABbSowR.exe
  2⤵
  PID:9720
- C:\Windows\System\qXjxPPO.exe
  C:\Windows\System\qXjxPPO.exe
  2⤵
  PID:9744
- C:\Windows\System\bdiOWUA.exe
  C:\Windows\System\bdiOWUA.exe
  2⤵
  PID:9764
- C:\Windows\System\pTzJvzi.exe
  C:\Windows\System\pTzJvzi.exe
  2⤵
  PID:9784
- C:\Windows\System\RxPhcjb.exe
  C:\Windows\System\RxPhcjb.exe
  2⤵
  PID:9808
- C:\Windows\System\QRGsphH.exe
  C:\Windows\System\QRGsphH.exe
  2⤵
  PID:9832
- C:\Windows\System\MshnqDz.exe
  C:\Windows\System\MshnqDz.exe
  2⤵
  PID:9852
- C:\Windows\System\nEyYBlv.exe
  C:\Windows\System\nEyYBlv.exe
  2⤵
  PID:9876
- C:\Windows\System\lLXppUj.exe
  C:\Windows\System\lLXppUj.exe
  2⤵
  PID:9900
- C:\Windows\System\IihEpDS.exe
  C:\Windows\System\IihEpDS.exe
  2⤵
  PID:9916
- C:\Windows\System\CSgFXrb.exe
  C:\Windows\System\CSgFXrb.exe
  2⤵
  PID:9944
- C:\Windows\System\rwFgnsF.exe
  C:\Windows\System\rwFgnsF.exe
  2⤵
  PID:9960
- C:\Windows\System\qnGwafA.exe
  C:\Windows\System\qnGwafA.exe
  2⤵
  PID:9984
- C:\Windows\System\IgOkHHh.exe
  C:\Windows\System\IgOkHHh.exe
  2⤵
  PID:10008
- C:\Windows\System\lLQSuJF.exe
  C:\Windows\System\lLQSuJF.exe
  2⤵
  PID:10028
- C:\Windows\System\eTAFDbg.exe
  C:\Windows\System\eTAFDbg.exe
  2⤵
  PID:10048
- C:\Windows\System\AtpTulS.exe
  C:\Windows\System\AtpTulS.exe
  2⤵
  PID:10068
- C:\Windows\System\NiYlRFi.exe
  C:\Windows\System\NiYlRFi.exe
  2⤵
  PID:10084
- C:\Windows\System\ADBVyky.exe
  C:\Windows\System\ADBVyky.exe
  2⤵
  PID:10104
- C:\Windows\System\xDLAnRr.exe
  C:\Windows\System\xDLAnRr.exe
  2⤵
  PID:10132
- C:\Windows\System\gKewTVF.exe
  C:\Windows\System\gKewTVF.exe
  2⤵
  PID:10152
- C:\Windows\System\uBRDfED.exe
  C:\Windows\System\uBRDfED.exe
  2⤵
  PID:10172
- C:\Windows\System\JBABzgT.exe
  C:\Windows\System\JBABzgT.exe
  2⤵
  PID:10196
- C:\Windows\System\LwOSRYI.exe
  C:\Windows\System\LwOSRYI.exe
  2⤵
  PID:10216
- C:\Windows\System\TNpdfwJ.exe
  C:\Windows\System\TNpdfwJ.exe
  2⤵
  PID:8476
- C:\Windows\System\jUMLKeA.exe
  C:\Windows\System\jUMLKeA.exe
  2⤵
  PID:7696
- C:\Windows\System\BLWsAYI.exe
  C:\Windows\System\BLWsAYI.exe
  2⤵
  PID:8644
- C:\Windows\System\XCWmOgi.exe
  C:\Windows\System\XCWmOgi.exe
  2⤵
  PID:6652
- C:\Windows\System\bthuVEy.exe
  C:\Windows\System\bthuVEy.exe
  2⤵
  PID:7100
- C:\Windows\System\moZZbOV.exe
  C:\Windows\System\moZZbOV.exe
  2⤵
  PID:7776
- C:\Windows\System\drNAufF.exe
  C:\Windows\System\drNAufF.exe
  2⤵
  PID:6260
- C:\Windows\System\hJKPFZv.exe
  C:\Windows\System\hJKPFZv.exe
  2⤵
  PID:8884
- C:\Windows\System\FlfhTJi.exe
  C:\Windows\System\FlfhTJi.exe
  2⤵
  PID:6392
- C:\Windows\System\GYWKEzp.exe
  C:\Windows\System\GYWKEzp.exe
  2⤵
  PID:3204
- C:\Windows\System\gHVCBjf.exe
  C:\Windows\System\gHVCBjf.exe
  2⤵
  PID:7732
- C:\Windows\System\EfrASMw.exe
  C:\Windows\System\EfrASMw.exe
  2⤵
  PID:9104
- C:\Windows\System\XaEYAFb.exe
  C:\Windows\System\XaEYAFb.exe
  2⤵
  PID:9128
- C:\Windows\System\uEkDBAf.exe
  C:\Windows\System\uEkDBAf.exe
  2⤵
  PID:7852
- C:\Windows\System\rfMBKVc.exe
  C:\Windows\System\rfMBKVc.exe
  2⤵
  PID:7988
- C:\Windows\System\swIFuEV.exe
  C:\Windows\System\swIFuEV.exe
  2⤵
  PID:7520
- C:\Windows\System\JRDfckF.exe
  C:\Windows\System\JRDfckF.exe
  2⤵
  PID:6744
- C:\Windows\System\LQsRBQG.exe
  C:\Windows\System\LQsRBQG.exe
  2⤵
  PID:5260
- C:\Windows\System\bnPJxJT.exe
  C:\Windows\System\bnPJxJT.exe
  2⤵
  PID:4996
- C:\Windows\System\accmrHN.exe
  C:\Windows\System\accmrHN.exe
  2⤵
  PID:6840
- C:\Windows\System\RMgkLkD.exe
  C:\Windows\System\RMgkLkD.exe
  2⤵
  PID:7472
- C:\Windows\System\WlQkxZQ.exe
  C:\Windows\System\WlQkxZQ.exe
  2⤵
  PID:8128
- C:\Windows\System\saLBCQl.exe
  C:\Windows\System\saLBCQl.exe
  2⤵
  PID:7148
- C:\Windows\System\PFHvwbf.exe
  C:\Windows\System\PFHvwbf.exe
  2⤵
  PID:9252
- C:\Windows\System\UMpKyCr.exe
  C:\Windows\System\UMpKyCr.exe
  2⤵
  PID:9256
- C:\Windows\System\UAJvnMw.exe
  C:\Windows\System\UAJvnMw.exe
  2⤵
  PID:8540
- C:\Windows\System\rzVEtiy.exe
  C:\Windows\System\rzVEtiy.exe
  2⤵
  PID:9320
- C:\Windows\System\OypweHz.exe
  C:\Windows\System\OypweHz.exe
  2⤵
  PID:10256
- C:\Windows\System\hUHTZwn.exe
  C:\Windows\System\hUHTZwn.exe
  2⤵
  PID:10276
- C:\Windows\System\qVuXHGq.exe
  C:\Windows\System\qVuXHGq.exe
  2⤵
  PID:10296
- C:\Windows\System\aimDjdv.exe
  C:\Windows\System\aimDjdv.exe
  2⤵
  PID:10320
- C:\Windows\System\TViEEhU.exe
  C:\Windows\System\TViEEhU.exe
  2⤵
  PID:10340
- C:\Windows\System\hWilqki.exe
  C:\Windows\System\hWilqki.exe
  2⤵
  PID:10360
- C:\Windows\System\cBrfqWh.exe
  C:\Windows\System\cBrfqWh.exe
  2⤵
  PID:10392
- C:\Windows\System\JefxcUy.exe
  C:\Windows\System\JefxcUy.exe
  2⤵
  PID:10412
- C:\Windows\System\ZslxvSJ.exe
  C:\Windows\System\ZslxvSJ.exe
  2⤵
  PID:10440
- C:\Windows\System\fdaZIZA.exe
  C:\Windows\System\fdaZIZA.exe
  2⤵
  PID:10460
- C:\Windows\System\XlmkCpv.exe
  C:\Windows\System\XlmkCpv.exe
  2⤵
  PID:10484
- C:\Windows\System\hKPVucb.exe
  C:\Windows\System\hKPVucb.exe
  2⤵
  PID:10500
- C:\Windows\System\CZXYcQc.exe
  C:\Windows\System\CZXYcQc.exe
  2⤵
  PID:10528
- C:\Windows\System\VAkOqYl.exe
  C:\Windows\System\VAkOqYl.exe
  2⤵
  PID:10552
- C:\Windows\System\FSCMOfX.exe
  C:\Windows\System\FSCMOfX.exe
  2⤵
  PID:10572
- C:\Windows\System\YIATsEj.exe
  C:\Windows\System\YIATsEj.exe
  2⤵
  PID:10596
- C:\Windows\System\GgytPmu.exe
  C:\Windows\System\GgytPmu.exe
  2⤵
  PID:10620
- C:\Windows\System\NlsZtrU.exe
  C:\Windows\System\NlsZtrU.exe
  2⤵
  PID:10648
- C:\Windows\System\xKEjvCm.exe
  C:\Windows\System\xKEjvCm.exe
  2⤵
  PID:10672
- C:\Windows\System\eQbutIq.exe
  C:\Windows\System\eQbutIq.exe
  2⤵
  PID:10692
- C:\Windows\System\bNyXGKH.exe
  C:\Windows\System\bNyXGKH.exe
  2⤵
  PID:10708
- C:\Windows\System\NaTuwup.exe
  C:\Windows\System\NaTuwup.exe
  2⤵
  PID:10736
- C:\Windows\System\volsacI.exe
  C:\Windows\System\volsacI.exe
  2⤵
  PID:10756
- C:\Windows\System\mkSUWHC.exe
  C:\Windows\System\mkSUWHC.exe
  2⤵
  PID:10776
- C:\Windows\System\zweZYoD.exe
  C:\Windows\System\zweZYoD.exe
  2⤵
  PID:10800
- C:\Windows\System\uFcGZiJ.exe
  C:\Windows\System\uFcGZiJ.exe
  2⤵
  PID:10816
- C:\Windows\System\PwJCVDG.exe
  C:\Windows\System\PwJCVDG.exe
  2⤵
  PID:10836
- C:\Windows\System\NYiSJUV.exe
  C:\Windows\System\NYiSJUV.exe
  2⤵
  PID:10856
- C:\Windows\System\KPVBfxd.exe
  C:\Windows\System\KPVBfxd.exe
  2⤵
  PID:10880
- C:\Windows\System\BMkvYrf.exe
  C:\Windows\System\BMkvYrf.exe
  2⤵
  PID:10904
- C:\Windows\System\VedJoxS.exe
  C:\Windows\System\VedJoxS.exe
  2⤵
  PID:10924
- C:\Windows\System\akqatxc.exe
  C:\Windows\System\akqatxc.exe
  2⤵
  PID:10948
- C:\Windows\System\fghxxDe.exe
  C:\Windows\System\fghxxDe.exe
  2⤵
  PID:10968
- C:\Windows\System\SuLeKzZ.exe
  C:\Windows\System\SuLeKzZ.exe
  2⤵
  PID:10996
- C:\Windows\System\ZgTpYVu.exe
  C:\Windows\System\ZgTpYVu.exe
  2⤵
  PID:11016
- C:\Windows\System\YrhKJNX.exe
  C:\Windows\System\YrhKJNX.exe
  2⤵
  PID:11036
- C:\Windows\System\wDxUEiP.exe
  C:\Windows\System\wDxUEiP.exe
  2⤵
  PID:11056
- C:\Windows\System\wlnTUAa.exe
  C:\Windows\System\wlnTUAa.exe
  2⤵
  PID:11076
- C:\Windows\System\MBObBxR.exe
  C:\Windows\System\MBObBxR.exe
  2⤵
  PID:11100
- C:\Windows\System\ZGKhYsZ.exe
  C:\Windows\System\ZGKhYsZ.exe
  2⤵
  PID:11120
- C:\Windows\System\rlgKfyK.exe
  C:\Windows\System\rlgKfyK.exe
  2⤵
  PID:11140
- C:\Windows\System\SzHFAeA.exe
  C:\Windows\System\SzHFAeA.exe
  2⤵
  PID:11164
- C:\Windows\System\EWJidTf.exe
  C:\Windows\System\EWJidTf.exe
  2⤵
  PID:11184
- C:\Windows\System\GszBTuE.exe
  C:\Windows\System\GszBTuE.exe
  2⤵
  PID:11204
- C:\Windows\System\mzhqWXi.exe
  C:\Windows\System\mzhqWXi.exe
  2⤵
  PID:11224
- C:\Windows\System\sdpDALI.exe
  C:\Windows\System\sdpDALI.exe
  2⤵
  PID:11248
- C:\Windows\System\UUHrPut.exe
  C:\Windows\System\UUHrPut.exe
  2⤵
  PID:9348
- C:\Windows\System\yFfMtsj.exe
  C:\Windows\System\yFfMtsj.exe
  2⤵
  PID:8684
- C:\Windows\System\hyVUrXj.exe
  C:\Windows\System\hyVUrXj.exe
  2⤵
  PID:9412
- C:\Windows\System\UeCkUzc.exe
  C:\Windows\System\UeCkUzc.exe
  2⤵
  PID:8772
- C:\Windows\System\xaPkrzx.exe
  C:\Windows\System\xaPkrzx.exe
  2⤵
  PID:4232
- C:\Windows\System\HMTFEgN.exe
  C:\Windows\System\HMTFEgN.exe
  2⤵
  PID:8856
- C:\Windows\System\pVQIBya.exe
  C:\Windows\System\pVQIBya.exe
  2⤵
  PID:9632
- C:\Windows\System\CohcpuS.exe
  C:\Windows\System\CohcpuS.exe
  2⤵
  PID:9668
- C:\Windows\System\nucGAGN.exe
  C:\Windows\System\nucGAGN.exe
  2⤵
  PID:9712
- C:\Windows\System\yfrKloc.exe
  C:\Windows\System\yfrKloc.exe
  2⤵
  PID:9780
- C:\Windows\System\cJmYzxA.exe
  C:\Windows\System\cJmYzxA.exe
  2⤵
  PID:9820
- C:\Windows\System\IsAZSKf.exe
  C:\Windows\System\IsAZSKf.exe
  2⤵
  PID:9124
- C:\Windows\System\tQZakNc.exe
  C:\Windows\System\tQZakNc.exe
  2⤵
  PID:9992
- C:\Windows\System\EnpFSop.exe
  C:\Windows\System\EnpFSop.exe
  2⤵
  PID:8088
- C:\Windows\System\fcqjLsa.exe
  C:\Windows\System\fcqjLsa.exe
  2⤵
  PID:10096
- C:\Windows\System\nIZcTCS.exe
  C:\Windows\System\nIZcTCS.exe
  2⤵
  PID:8228
- C:\Windows\System\QzIHHoG.exe
  C:\Windows\System\QzIHHoG.exe
  2⤵
  PID:8312
- C:\Windows\System\HEuxPFB.exe
  C:\Windows\System\HEuxPFB.exe
  2⤵
  PID:8628
- C:\Windows\System\syWxlBa.exe
  C:\Windows\System\syWxlBa.exe
  2⤵
  PID:8816
- C:\Windows\System\kvXyPYM.exe
  C:\Windows\System\kvXyPYM.exe
  2⤵
  PID:8180
- C:\Windows\System\TFUeoxM.exe
  C:\Windows\System\TFUeoxM.exe
  2⤵
  PID:7220
- C:\Windows\System\IUkNAIM.exe
  C:\Windows\System\IUkNAIM.exe
  2⤵
  PID:11284
- C:\Windows\System\qodXVgA.exe
  C:\Windows\System\qodXVgA.exe
  2⤵
  PID:11304
- C:\Windows\System\qdDjZhm.exe
  C:\Windows\System\qdDjZhm.exe
  2⤵
  PID:11328
- C:\Windows\System\imObXyX.exe
  C:\Windows\System\imObXyX.exe
  2⤵
  PID:11344
- C:\Windows\System\NcNJIAS.exe
  C:\Windows\System\NcNJIAS.exe
  2⤵
  PID:11364
- C:\Windows\System\nVgSguv.exe
  C:\Windows\System\nVgSguv.exe
  2⤵
  PID:11392
- C:\Windows\System\QBZajOF.exe
  C:\Windows\System\QBZajOF.exe
  2⤵
  PID:11408
- C:\Windows\System\JmxBFzE.exe
  C:\Windows\System\JmxBFzE.exe
  2⤵
  PID:11424
- C:\Windows\System\GzHJISn.exe
  C:\Windows\System\GzHJISn.exe
  2⤵
  PID:11440
- C:\Windows\System\SlYuQWO.exe
  C:\Windows\System\SlYuQWO.exe
  2⤵
  PID:11456
- C:\Windows\System\eRPqWbL.exe
  C:\Windows\System\eRPqWbL.exe
  2⤵
  PID:11476
- C:\Windows\System\TcEXllp.exe
  C:\Windows\System\TcEXllp.exe
  2⤵
  PID:11496
- C:\Windows\System\LbaOuur.exe
  C:\Windows\System\LbaOuur.exe
  2⤵
  PID:11520
- C:\Windows\System\TmUBOBR.exe
  C:\Windows\System\TmUBOBR.exe
  2⤵
  PID:11540
- C:\Windows\System\YNepzuH.exe
  C:\Windows\System\YNepzuH.exe
  2⤵
  PID:11560
- C:\Windows\System\KNRaIPO.exe
  C:\Windows\System\KNRaIPO.exe
  2⤵
  PID:11580
- C:\Windows\System\UvTsWVF.exe
  C:\Windows\System\UvTsWVF.exe
  2⤵
  PID:11600
- C:\Windows\System\FReXcNE.exe
  C:\Windows\System\FReXcNE.exe
  2⤵
  PID:11620
- C:\Windows\System\OUFqTMa.exe
  C:\Windows\System\OUFqTMa.exe
  2⤵
  PID:11644
- C:\Windows\System\xqYpToQ.exe
  C:\Windows\System\xqYpToQ.exe
  2⤵
  PID:11664
- C:\Windows\System\sBPXNBK.exe
  C:\Windows\System\sBPXNBK.exe
  2⤵
  PID:11684
- C:\Windows\System\XuVQAkc.exe
  C:\Windows\System\XuVQAkc.exe
  2⤵
  PID:11700
- C:\Windows\System\IquClzE.exe
  C:\Windows\System\IquClzE.exe
  2⤵
  PID:11728
- C:\Windows\System\ytVTakq.exe
  C:\Windows\System\ytVTakq.exe
  2⤵
  PID:11752
- C:\Windows\System\ZbLNewJ.exe
  C:\Windows\System\ZbLNewJ.exe
  2⤵
  PID:11772
- C:\Windows\System\RvGriYH.exe
  C:\Windows\System\RvGriYH.exe
  2⤵
  PID:11792
- C:\Windows\System\SIMelhs.exe
  C:\Windows\System\SIMelhs.exe
  2⤵
  PID:11816
- C:\Windows\System\AilvYsj.exe
  C:\Windows\System\AilvYsj.exe
  2⤵
  PID:11836
- C:\Windows\System\LKTYSlw.exe
  C:\Windows\System\LKTYSlw.exe
  2⤵
  PID:11856
- C:\Windows\System\GMdNdFk.exe
  C:\Windows\System\GMdNdFk.exe
  2⤵
  PID:11880
- C:\Windows\System\ehgJXnj.exe
  C:\Windows\System\ehgJXnj.exe
  2⤵
  PID:11904
- C:\Windows\System\wsSWHhy.exe
  C:\Windows\System\wsSWHhy.exe
  2⤵
  PID:11928
- C:\Windows\System\cvwNMid.exe
  C:\Windows\System\cvwNMid.exe
  2⤵
  PID:11948
- C:\Windows\System\cbrMnbo.exe
  C:\Windows\System\cbrMnbo.exe
  2⤵
  PID:11968
- C:\Windows\System\STfAsRD.exe
  C:\Windows\System\STfAsRD.exe
  2⤵
  PID:11992
- C:\Windows\System\bKpjhSp.exe
  C:\Windows\System\bKpjhSp.exe
  2⤵
  PID:12016
- C:\Windows\System\EiJaIXk.exe
  C:\Windows\System\EiJaIXk.exe
  2⤵
  PID:12036
- C:\Windows\System\rfQRQwl.exe
  C:\Windows\System\rfQRQwl.exe
  2⤵
  PID:12060
- C:\Windows\System\jMYhmqD.exe
  C:\Windows\System\jMYhmqD.exe
  2⤵
  PID:12076
- C:\Windows\System\OiCbaMY.exe
  C:\Windows\System\OiCbaMY.exe
  2⤵
  PID:12100
- C:\Windows\System\bYJJOAb.exe
  C:\Windows\System\bYJJOAb.exe
  2⤵
  PID:12120
- C:\Windows\System\JxESPgn.exe
  C:\Windows\System\JxESPgn.exe
  2⤵
  PID:12140
- C:\Windows\System\LwNUUlU.exe
  C:\Windows\System\LwNUUlU.exe
  2⤵
  PID:12160
- C:\Windows\System\RAHRnEj.exe
  C:\Windows\System\RAHRnEj.exe
  2⤵
  PID:12176
- C:\Windows\System\nwdoqLf.exe
  C:\Windows\System\nwdoqLf.exe
  2⤵
  PID:12208
- C:\Windows\System\XcBfPnH.exe
  C:\Windows\System\XcBfPnH.exe
  2⤵
  PID:12228
- C:\Windows\System\hzDYIGD.exe
  C:\Windows\System\hzDYIGD.exe
  2⤵
  PID:12256
- C:\Windows\System\wGoljmS.exe
  C:\Windows\System\wGoljmS.exe
  2⤵
  PID:12272
- C:\Windows\System\vkfRIHC.exe
  C:\Windows\System\vkfRIHC.exe
  2⤵
  PID:8468
- C:\Windows\System\ABwhtiU.exe
  C:\Windows\System\ABwhtiU.exe
  2⤵
  PID:8248
- C:\Windows\System\PwmzlHA.exe
  C:\Windows\System\PwmzlHA.exe
  2⤵
  PID:8108
- C:\Windows\System\PUfLIOp.exe
  C:\Windows\System\PUfLIOp.exe
  2⤵
  PID:8440
- C:\Windows\System\krvMUhb.exe
  C:\Windows\System\krvMUhb.exe
  2⤵
  PID:9316
- C:\Windows\System\LgupDXA.exe
  C:\Windows\System\LgupDXA.exe
  2⤵
  PID:10288
- C:\Windows\System\GUrzaKU.exe
  C:\Windows\System\GUrzaKU.exe
  2⤵
  PID:8688
- C:\Windows\System\hQJHrKc.exe
  C:\Windows\System\hQJHrKc.exe
  2⤵
  PID:10420
- C:\Windows\System\ldsrRzB.exe
  C:\Windows\System\ldsrRzB.exe
  2⤵
  PID:8820
- C:\Windows\System\wSYzQzr.exe
  C:\Windows\System\wSYzQzr.exe
  2⤵
  PID:10508
- C:\Windows\System\Kietkyx.exe
  C:\Windows\System\Kietkyx.exe
  2⤵
  PID:10612
- C:\Windows\System\hxuLYyu.exe
  C:\Windows\System\hxuLYyu.exe
  2⤵
  PID:10636
- C:\Windows\System\VKqQqpF.exe
  C:\Windows\System\VKqQqpF.exe
  2⤵
  PID:10772
- C:\Windows\System\rJhJfzI.exe
  C:\Windows\System\rJhJfzI.exe
  2⤵
  PID:10864
- C:\Windows\System\STsStRj.exe
  C:\Windows\System\STsStRj.exe
  2⤵
  PID:10876
- C:\Windows\System\tiFMibl.exe
  C:\Windows\System\tiFMibl.exe
  2⤵
  PID:10916
- C:\Windows\System\SJMKfgx.exe
  C:\Windows\System\SJMKfgx.exe
  2⤵
  PID:12308
- C:\Windows\System\PcMDHeW.exe
  C:\Windows\System\PcMDHeW.exe
  2⤵
  PID:12328
- C:\Windows\System\BqqnGlX.exe
  C:\Windows\System\BqqnGlX.exe
  2⤵
  PID:12348
- C:\Windows\System\LTokpkj.exe
  C:\Windows\System\LTokpkj.exe
  2⤵
  PID:12372
- C:\Windows\System\HNalthj.exe
  C:\Windows\System\HNalthj.exe
  2⤵
  PID:12392
- C:\Windows\System\KAdfAKw.exe
  C:\Windows\System\KAdfAKw.exe
  2⤵
  PID:12416
- C:\Windows\System\dNNluVz.exe
  C:\Windows\System\dNNluVz.exe
  2⤵
  PID:12436
- C:\Windows\System\YVlgfUR.exe
  C:\Windows\System\YVlgfUR.exe
  2⤵
  PID:12456
- C:\Windows\System\gpNspth.exe
  C:\Windows\System\gpNspth.exe
  2⤵
  PID:12476
- C:\Windows\System\cKIgGNh.exe
  C:\Windows\System\cKIgGNh.exe
  2⤵
  PID:12500
- C:\Windows\System\MVcYhXm.exe
  C:\Windows\System\MVcYhXm.exe
  2⤵
  PID:12520
- C:\Windows\System\guLIQii.exe
  C:\Windows\System\guLIQii.exe
  2⤵
  PID:12544
- C:\Windows\System\BeDWteZ.exe
  C:\Windows\System\BeDWteZ.exe
  2⤵
  PID:12564
- C:\Windows\System\OfzgfII.exe
  C:\Windows\System\OfzgfII.exe
  2⤵
  PID:12588
- C:\Windows\System\yKDiizP.exe
  C:\Windows\System\yKDiizP.exe
  2⤵
  PID:12608
- C:\Windows\System\QPDgETt.exe
  C:\Windows\System\QPDgETt.exe
  2⤵
  PID:12628
- C:\Windows\System\mbklyTc.exe
  C:\Windows\System\mbklyTc.exe
  2⤵
  PID:12652
- C:\Windows\System\GGRkaiH.exe
  C:\Windows\System\GGRkaiH.exe
  2⤵
  PID:12688
- C:\Windows\System\QogVEBc.exe
  C:\Windows\System\QogVEBc.exe
  2⤵
  PID:12704
- C:\Windows\System\dQnIthh.exe
  C:\Windows\System\dQnIthh.exe
  2⤵
  PID:12720
- C:\Windows\System\JXZsluQ.exe
  C:\Windows\System\JXZsluQ.exe
  2⤵
  PID:12736
- C:\Windows\System\EjNuXkR.exe
  C:\Windows\System\EjNuXkR.exe
  2⤵
  PID:12756
- C:\Windows\System\RUbnZag.exe
  C:\Windows\System\RUbnZag.exe
  2⤵
  PID:12772
- C:\Windows\System\ixMMGUO.exe
  C:\Windows\System\ixMMGUO.exe
  2⤵
  PID:12788
- C:\Windows\System\WRtzbzd.exe
  C:\Windows\System\WRtzbzd.exe
  2⤵
  PID:12804
- C:\Windows\System\mAGOryf.exe
  C:\Windows\System\mAGOryf.exe
  2⤵
  PID:12828
- C:\Windows\System\MzWEAzo.exe
  C:\Windows\System\MzWEAzo.exe
  2⤵
  PID:12852
- C:\Windows\System\xvWKNlF.exe
  C:\Windows\System\xvWKNlF.exe
  2⤵
  PID:12880
- C:\Windows\System\PAMzfvV.exe
  C:\Windows\System\PAMzfvV.exe
  2⤵
  PID:12908
- C:\Windows\System\dNCZQIS.exe
  C:\Windows\System\dNCZQIS.exe
  2⤵
  PID:12932
- C:\Windows\System\lgMmXZL.exe
  C:\Windows\System\lgMmXZL.exe
  2⤵
  PID:12952
- C:\Windows\System\FvQhRWk.exe
  C:\Windows\System\FvQhRWk.exe
  2⤵
  PID:12976
- C:\Windows\System\VVRQHsE.exe
  C:\Windows\System\VVRQHsE.exe
  2⤵
  PID:13004
- C:\Windows\System\DHGAUly.exe
  C:\Windows\System\DHGAUly.exe
  2⤵
  PID:13024
- C:\Windows\System\tfYQmKT.exe
  C:\Windows\System\tfYQmKT.exe
  2⤵
  PID:13040
- C:\Windows\System\xXTtpdJ.exe
  C:\Windows\System\xXTtpdJ.exe
  2⤵
  PID:13056
- C:\Windows\System\hCAyCcw.exe
  C:\Windows\System\hCAyCcw.exe
  2⤵
  PID:13076
- C:\Windows\System\QPyDbWo.exe
  C:\Windows\System\QPyDbWo.exe
  2⤵
  PID:13100
- C:\Windows\System\GKuSukg.exe
  C:\Windows\System\GKuSukg.exe
  2⤵
  PID:13128
- C:\Windows\System\CwluZSI.exe
  C:\Windows\System\CwluZSI.exe
  2⤵
  PID:11092
- C:\Windows\System\pCGEITO.exe
  C:\Windows\System\pCGEITO.exe
  2⤵
  PID:11152
- C:\Windows\System\LUyUhud.exe
  C:\Windows\System\LUyUhud.exe
  2⤵
  PID:10044
- C:\Windows\System\DYzkunZ.exe
  C:\Windows\System\DYzkunZ.exe
  2⤵
  PID:7600
- C:\Windows\System\lxrMbLm.exe
  C:\Windows\System\lxrMbLm.exe
  2⤵
  PID:6456
- C:\Windows\System\mnyIvge.exe
  C:\Windows\System\mnyIvge.exe
  2⤵
  PID:3588
- C:\Windows\System\mwbiqGm.exe
  C:\Windows\System\mwbiqGm.exe
  2⤵
  PID:8928
- C:\Windows\System\zbAiBIk.exe
  C:\Windows\System\zbAiBIk.exe
  2⤵
  PID:9084
- C:\Windows\System\BMjAqUr.exe
  C:\Windows\System\BMjAqUr.exe
  2⤵
  PID:8756
- C:\Windows\System\IxprnbG.exe
  C:\Windows\System\IxprnbG.exe
  2⤵
  PID:8944
- C:\Windows\System\fibjeUD.exe
  C:\Windows\System\fibjeUD.exe
  2⤵
  PID:8712
- C:\Windows\System\JPbmnNR.exe
  C:\Windows\System\JPbmnNR.exe
  2⤵
  PID:7188
- C:\Windows\System\YuaOkZz.exe
  C:\Windows\System\YuaOkZz.exe
  2⤵
  PID:11552
- C:\Windows\System\wWqXhkU.exe
  C:\Windows\System\wWqXhkU.exe
  2⤵
  PID:11616
- C:\Windows\System\yCHsgpS.exe
  C:\Windows\System\yCHsgpS.exe
  2⤵
  PID:9340
- C:\Windows\System\OMWWzAM.exe
  C:\Windows\System\OMWWzAM.exe
  2⤵
  PID:10348
- C:\Windows\System\BbWrEDH.exe
  C:\Windows\System\BbWrEDH.exe
  2⤵
  PID:11812
- C:\Windows\System\ySldXPR.exe
  C:\Windows\System\ySldXPR.exe
  2⤵
  PID:11852
- C:\Windows\System\hxmFska.exe
  C:\Windows\System\hxmFska.exe
  2⤵
  PID:9432
- C:\Windows\System\ullVqeb.exe
  C:\Windows\System\ullVqeb.exe
  2⤵
  PID:9492
- C:\Windows\System\KbcQhew.exe
  C:\Windows\System\KbcQhew.exe
  2⤵
  PID:12068
- C:\Windows\System\aETwFAb.exe
  C:\Windows\System\aETwFAb.exe
  2⤵
  PID:10584
- C:\Windows\System\rZlILWW.exe
  C:\Windows\System\rZlILWW.exe
  2⤵
  PID:10664
- C:\Windows\System\GifXQwT.exe
  C:\Windows\System\GifXQwT.exe
  2⤵
  PID:10728
- C:\Windows\System\TaXJcaV.exe
  C:\Windows\System\TaXJcaV.exe
  2⤵
  PID:13340
- C:\Windows\System\tENeEnt.exe
  C:\Windows\System\tENeEnt.exe
  2⤵
  PID:13356
- C:\Windows\System\rEScKZp.exe
  C:\Windows\System\rEScKZp.exe
  2⤵
  PID:13384
- C:\Windows\System\AaqzyiP.exe
  C:\Windows\System\AaqzyiP.exe
  2⤵
  PID:13404
- C:\Windows\System\OIdSEAY.exe
  C:\Windows\System\OIdSEAY.exe
  2⤵
  PID:13424
- C:\Windows\System\IHjvyZi.exe
  C:\Windows\System\IHjvyZi.exe
  2⤵
  PID:13448
- C:\Windows\System\eNQPmXt.exe
  C:\Windows\System\eNQPmXt.exe
  2⤵
  PID:13468
- C:\Windows\System\QNwECar.exe
  C:\Windows\System\QNwECar.exe
  2⤵
  PID:13484
- C:\Windows\System\HbanguN.exe
  C:\Windows\System\HbanguN.exe
  2⤵
  PID:13500
- C:\Windows\System\zqcXcjs.exe
  C:\Windows\System\zqcXcjs.exe
  2⤵
  PID:13516
- C:\Windows\System\hiYsIGC.exe
  C:\Windows\System\hiYsIGC.exe
  2⤵
  PID:13532
- C:\Windows\System\GmWWivU.exe
  C:\Windows\System\GmWWivU.exe
  2⤵
  PID:13548
- C:\Windows\System\eNhaFYE.exe
  C:\Windows\System\eNhaFYE.exe
  2⤵
  PID:13564
- C:\Windows\System\tttvARY.exe
  C:\Windows\System\tttvARY.exe
  2⤵
  PID:13580
- C:\Windows\System\MujxPcH.exe
  C:\Windows\System\MujxPcH.exe
  2⤵
  PID:13596
- C:\Windows\System\lukQpKc.exe
  C:\Windows\System\lukQpKc.exe
  2⤵
  PID:13616
- C:\Windows\System\DqWduYv.exe
  C:\Windows\System\DqWduYv.exe
  2⤵
  PID:13644
- C:\Windows\System\uGrNYcK.exe
  C:\Windows\System\uGrNYcK.exe
  2⤵
  PID:13672
- C:\Windows\System\CHgydNM.exe
  C:\Windows\System\CHgydNM.exe
  2⤵
  PID:13688
- C:\Windows\System\OKMvHvQ.exe
  C:\Windows\System\OKMvHvQ.exe
  2⤵
  PID:13708
- C:\Windows\System\kDqHURU.exe
  C:\Windows\System\kDqHURU.exe
  2⤵
  PID:13724
- C:\Windows\System\cdtuyAz.exe
  C:\Windows\System\cdtuyAz.exe
  2⤵
  PID:13744
- C:\Windows\System\OVHMMly.exe
  C:\Windows\System\OVHMMly.exe
  2⤵
  PID:13768
- C:\Windows\System\dikZmEP.exe
  C:\Windows\System\dikZmEP.exe
  2⤵
  PID:13784
- C:\Windows\System\abEkgRh.exe
  C:\Windows\System\abEkgRh.exe
  2⤵
  PID:13808
- C:\Windows\System\IMxsiXY.exe
  C:\Windows\System\IMxsiXY.exe
  2⤵
  PID:13832
- C:\Windows\System\FMSOEms.exe
  C:\Windows\System\FMSOEms.exe
  2⤵
  PID:13856
- C:\Windows\System\WEuuGBd.exe
  C:\Windows\System\WEuuGBd.exe
  2⤵
  PID:13880
- C:\Windows\System\gbBKfIW.exe
  C:\Windows\System\gbBKfIW.exe
  2⤵
  PID:13900
- C:\Windows\System\NfwLYug.exe
  C:\Windows\System\NfwLYug.exe
  2⤵
  PID:13924
- C:\Windows\System\hNBvGGc.exe
  C:\Windows\System\hNBvGGc.exe
  2⤵
  PID:13944
- C:\Windows\System\XITMleQ.exe
  C:\Windows\System\XITMleQ.exe
  2⤵
  PID:13964
- C:\Windows\System\pErACbj.exe
  C:\Windows\System\pErACbj.exe
  2⤵
  PID:13984
- C:\Windows\System\nRniQxC.exe
  C:\Windows\System\nRniQxC.exe
  2⤵
  PID:14004
- C:\Windows\System\wrsNdmq.exe
  C:\Windows\System\wrsNdmq.exe
  2⤵
  PID:14036
- C:\Windows\System\ZSrnwff.exe
  C:\Windows\System\ZSrnwff.exe
  2⤵
  PID:14060
- C:\Windows\System\qtIsiWc.exe
  C:\Windows\System\qtIsiWc.exe
  2⤵
  PID:14080
- C:\Windows\System\aerebGa.exe
  C:\Windows\System\aerebGa.exe
  2⤵
  PID:14108
- C:\Windows\System\KNKtxUO.exe
  C:\Windows\System\KNKtxUO.exe
  2⤵
  PID:14132
- C:\Windows\System\wIWwijT.exe
  C:\Windows\System\wIWwijT.exe
  2⤵
  PID:14156
- C:\Windows\System\tttBHEY.exe
  C:\Windows\System\tttBHEY.exe
  2⤵
  PID:14176
- C:\Windows\System\weMGVaM.exe
  C:\Windows\System\weMGVaM.exe
  2⤵
  PID:14196
- C:\Windows\System\TqICzrZ.exe
  C:\Windows\System\TqICzrZ.exe
  2⤵
  PID:14220
- C:\Windows\System\MGybvxh.exe
  C:\Windows\System\MGybvxh.exe
  2⤵
  PID:14240
- C:\Windows\System\fifkPFf.exe
  C:\Windows\System\fifkPFf.exe
  2⤵
  PID:14264
- C:\Windows\System\YHvmkMW.exe
  C:\Windows\System\YHvmkMW.exe
  2⤵
  PID:14284
- C:\Windows\System\xmCvPOd.exe
  C:\Windows\System\xmCvPOd.exe
  2⤵
  PID:14308
- C:\Windows\System\EQVNWYP.exe
  C:\Windows\System\EQVNWYP.exe
  2⤵
  PID:14324
- C:\Windows\System\CIfDYXr.exe
  C:\Windows\System\CIfDYXr.exe
  2⤵
  PID:7960
- C:\Windows\System\eJBltuy.exe
  C:\Windows\System\eJBltuy.exe
  2⤵
  PID:7816
- C:\Windows\System\HbmhvYV.exe
  C:\Windows\System\HbmhvYV.exe
  2⤵
  PID:9292
- C:\Windows\System\zsXIoja.exe
  C:\Windows\System\zsXIoja.exe
  2⤵
  PID:10920
- C:\Windows\System\ptsnthT.exe
  C:\Windows\System\ptsnthT.exe
  2⤵
  PID:9816
- C:\Windows\System\jaUsKGS.exe
  C:\Windows\System\jaUsKGS.exe
  2⤵
  PID:9840
- C:\Windows\System\yFiMJrV.exe
  C:\Windows\System\yFiMJrV.exe
  2⤵
  PID:9892
- C:\Windows\System\tbZusBp.exe
  C:\Windows\System\tbZusBp.exe
  2⤵
  PID:9936
- C:\Windows\System\KYxCPvG.exe
  C:\Windows\System\KYxCPvG.exe
  2⤵
  PID:9952
- C:\Windows\System\UYoGHXM.exe
  C:\Windows\System\UYoGHXM.exe
  2⤵
  PID:12432
- C:\Windows\System\YHQPCzG.exe
  C:\Windows\System\YHQPCzG.exe
  2⤵
  PID:12472
- C:\Windows\System\TLZsczZ.exe
  C:\Windows\System\TLZsczZ.exe
  2⤵
  PID:11220
- C:\Windows\System\NmaTjgn.exe
  C:\Windows\System\NmaTjgn.exe
  2⤵
  PID:12640
- C:\Windows\System\BfyBRJf.exe
  C:\Windows\System\BfyBRJf.exe
  2⤵
  PID:8664
- C:\Windows\System\TczyWcQ.exe
  C:\Windows\System\TczyWcQ.exe
  2⤵
  PID:10144
- C:\Windows\System\JyXBkGR.exe
  C:\Windows\System\JyXBkGR.exe
  2⤵
  PID:10168
- C:\Windows\System\bAreEhy.exe
  C:\Windows\System\bAreEhy.exe
  2⤵
  PID:12800
- C:\Windows\System\xaYiNTJ.exe
  C:\Windows\System\xaYiNTJ.exe
  2⤵
  PID:10180
- C:\Windows\System\CcIyVzi.exe
  C:\Windows\System\CcIyVzi.exe
  2⤵
  PID:10224

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\DVULivZ.exe

Filesize
1.4MB

MD5
e7205a6d21371a3fc8cd8e66a227c141

SHA1
7a66b91071048b468974006cfe7739efb5665aa6

SHA256
c177af39f12cef25a7d40e1f1757b6662a5bc2b02a7949d815507b204a9803b2

SHA512
6faccfff1e115e12e8ce384cefd7e27c45966796be7b5a953aa50e529c0e000c88e2d3f698d74310b3adea7223cec08ea76c98d6250d2bc23caa09e143a952b4

Download Submit
C:\Windows\System\EANeNao.exe

Filesize
1.4MB

MD5
f00cc8cc00e5841332bd9d8871f81629

SHA1
042c868431afc29ca37b97e4c1231d45beea52d9

SHA256
0381776a469f7ac1cc1d4467cbfc552fbb2cefdfe97af54bd7511262f8bcd252

SHA512
d694de63344d36931aeda098b9d964781cd5e433466961f9fbec1afce16998b56564a3e0aa5706e9cafec917c587993a7282bd1fef05a20dc0bff6d4d826c696

Download Submit
C:\Windows\System\EoMZWXi.exe

Filesize
1.4MB

MD5
909c54bd45cf12ec697c06e0bfe72a18

SHA1
976404f2c8addf034f4f5072afa5fb2ebbbd17bb

SHA256
8b160a83c6bf3828b19a89cba0f6254aa51e43649154aff8b7968f3b022c29be

SHA512
57df708de9a6cba0bc96bc3ef36a200a53603c29c05b83ebbd2ffafb481ab2220f3fb79631a660e1593dac57c8f2011dabd20ea9fc2aefba56fe2595e1595826

Download Submit
C:\Windows\System\FXjQoPR.exe

Filesize
1.4MB

MD5
35dccb9526adf3ce4f0db42101f1dc52

SHA1
b927ab87289be90e4ace3356f25e4c503acc11eb

SHA256
e33c0eaf20b6c9975f9d32efa763f34e5937b188d27fdd2cadf6718f0400db1d

SHA512
915897b007444f539d8e1b67cc2fb35f644d9042e49216ac83e8cdb115ae040f49bfc8918e84f75d094dbac683ac89c517e58fa895d3989cdcbabfbaa5bc8c5b

Download Submit
C:\Windows\System\FsYZzjP.exe

Filesize
1.4MB

MD5
a5c3af9d854b203f535b104abb0ac08a

SHA1
9bad8dcb674c5946eb05e94bfd15cbeb7dee629f

SHA256
e4e1641d014119895fb45598940d917bb5fdd39c14cbd8448a3fd3a36f92945c

SHA512
50b3032443fd2b47b6931d538b040c24c310e95f0db20534c8b8e42c36fcd6653de5c13d6c955676d894ab1622e3b5e5e652162dbd41c0f67c2aa5548eaa9292

Download Submit
C:\Windows\System\HTwPycL.exe

Filesize
1.4MB

MD5
4ce28f534b72f63cf51368756584ee51

SHA1
4e326ecd7b7612c8c7858e4753a00f6e439642d0

SHA256
355c737970e74376919ed14ba5251c3ccd7b689ff590d1cc03d58261c15b536a

SHA512
3a6a5d281809216611e55cfbf50b2a9a8cac8789955741e7fd899570155f5bb3dd49f22cc0cc3c7d7502fcfef620508e7b8d97e830c038fbf37dc02fcf33563f

Download Submit
C:\Windows\System\JCegndf.exe

Filesize
1.4MB

MD5
3989dd8f7bfa9d047546798bfb9bbb95

SHA1
180e343897e1659aff3139befa95949bcedd38fe

SHA256
e1c817ec41cf6d50102fbfa4cc9a66d6b3081c8d90accb32dfb7508e48d99315

SHA512
4b53cee997cb4d9ab67d333536deadb343afc6c18864a87993dc8005343f33fecff0e7ae0bab35c26a9280b67fa1ee147ddad62b67bad389aae6500fd3b49a2b

Download Submit
C:\Windows\System\NFEmGTG.exe

Filesize
1.4MB

MD5
a5c40fd96c522d2ba2202a1bdd8e4617

SHA1
82ecf22c03ce4c0a53623ec34105fe041a880a0f

SHA256
3c6d585bf4406bafa2ef10f93288a86753f66876229ef5fae352fd6c47108499

SHA512
fe18727f7af2fb7cf4b397480036c92a164ba64a28c3ded0ee10d0edcfc44d9225e7a9a41d9c06fa28e243602673c8ee231e1555114ce5f6b5442d0f9c9dc84c

Download Submit
C:\Windows\System\PEcVLkL.exe

Filesize
1.4MB

MD5
9e7c629e9e75f5c42c92c437c73cf7de

SHA1
26c82c4a13064b748249abc0d0fbbada23d60b89

SHA256
3d837e929820d6c1b692da1aaa04ded11de87a69bd262628a659b26a82f1c068

SHA512
aad7b7f3612896a01c5a758b614abca64616ca6c1f9d468de51209d7f3e40d4d79d525c188683e1e4110768ef358f88acad6e86614d14c24253c3836d1818156

Download Submit
C:\Windows\System\RkuPQXX.exe

Filesize
1.4MB

MD5
b190ad64b283d4a48d755598ad79e371

SHA1
c20739206a0d2c06a990173da794d748a4288f81

SHA256
5a77cb2bae13250fd94108d80b9069e48a9c98f83085d3a618eaeae3cf246db8

SHA512
c572e0405f3bf25ae35ae3e69549f2ab1204a5277fe94e5fd2e43654f909008908a3986b0973caffdd280989aedc8014fbe1ec53beb96185902ac469daf614a9

Download Submit
C:\Windows\System\SefFjcM.exe

Filesize
1.4MB

MD5
c78be115cc1d90d0cc73ab3200a9fb58

SHA1
0097b628f6338bbdb364aac97422abfbd4f31ae0

SHA256
20df4b78bc73c3c034fb6f88e21845f254e2c5d26fca78e2b6ce3ea56f176d61

SHA512
07360dac8a47a04cb13ad215582e2ef6bb08b8b2e3da8574acdff4180ce18a7881af3c76b595660008fe2fb106b8926347ac8ed50f43a913acd18aa4485f4076

Download Submit
C:\Windows\System\UFzyeNQ.exe

Filesize
1.4MB

MD5
0a5de966f4a98bc30496dd841b3ab39b

SHA1
ef6a7ff8af7d5721c71fee2fd8be62df381d8654

SHA256
adcd8d100dff30374846ce1f28c2ef429abe2b38e44fa1c782f1663a06cdae92

SHA512
7e40b735d03a638ace274d98fa2888a9da132ada9496c3466deb0191344ac13510507c6e10b619a48438f47138f5d733eba0ed4799ebf2b019ab8fadab02c054

Download Submit
C:\Windows\System\XdJNWnA.exe

Filesize
1.4MB

MD5
2755b390b578692b4e18f20c2eddbd3e

SHA1
1f9829737ea5a0d6d01cad6763691b9af0e3ae94

SHA256
e160fa051c7aaa440040b5252d88b3a76348273797c5826037044333fad65c40

SHA512
5260d3157179e319ff4f3ed9000bff445242819b47b7ef91a468d5ecd7c5b0397d2255951c516f177c8f398f8567bb8eed8ec4ab697c6f02284b9c41087a0dfa

Download Submit
C:\Windows\System\YKupCmP.exe

Filesize
1.4MB

MD5
4aeb9ca164ec568aa0cd2cb70c14a0d3

SHA1
80c3e1f8f725b0e04298754275c36e4682e4c2c9

SHA256
e2b8197af184e686c558bc1f2c9870daef91c0ef84c447fff8c20973a9896929

SHA512
2ba246dec9d2ecbfb374c8ac04c2a1a0809f68d854ff4f34b0667fddd0e3fdc61c8263e917f59815d727c01c473f21ee28aceb56e39862ea27523d63de42ff55

Download Submit
C:\Windows\System\YNoKNww.exe

Filesize
1.4MB

MD5
9e89d2628b67706484351da1e665e4a1

SHA1
726e8f43d16a995052d842c98088dffb28aef9f5

SHA256
9012805109ad3e8553d38b78ea823dd82ee47d9fcd48af0d3ac42e4cbf75aa77

SHA512
a689c7513d7d702e9334be0f3dffe0a1556eae89256423b1655ce56826724105274ed961d260dd80073110ce815bf4abf59ce04188e3712702a2c2e865272dab

Download Submit
C:\Windows\System\ZDEZITc.exe

Filesize
1.4MB

MD5
5e75befaf1d4fc38b738eaf213720bc2

SHA1
2e1440cb4becf6c1b2a5197df629ef5a533555e0

SHA256
2c06d11e50ee7216b7936314d538975d495c4bf52a00a341c44881422ffa3daf

SHA512
6207e0a2fc327c133cfcb6745d6361cc8dbf956efbdc32b5612a288cb713cfc19c81a5b402147d771ad8a5210c095b950adbba23b818b9dbfed710eec6e71bd7

Download Submit
C:\Windows\System\ZMDtfrD.exe

Filesize
1.4MB

MD5
49b630c77bb20e5c990867ebc8549c6b

SHA1
eaad728690d9b6f276be2fec03c47bfd8b61ef41

SHA256
ff80339aabe825ca27ba79b3b1c9439465680600d044a5204ca120d7e78da028

SHA512
7fc52816cdb690a8a86b54ca17831fa4e35483cd7b51a061c2d1d9101a6b96b3e539a6b446cda1db8cfb1da9f084a57bae7b700805a9dac2808c6ba35f36956a

Download Submit
C:\Windows\System\aUcDtCC.exe

Filesize
1.4MB

MD5
d091670311ba9b33e5a1cfdab2680208

SHA1
4e3c1a6a8cfbb80fffbb316a90a2ebc78623a9e8

SHA256
34e639e06b97935a97e11511f3e82dd74962d34efed5edee0a9efc41e9fabac1

SHA512
c144d37e53057f80370a3192d53d05aa131cd2f30c7d4973b7072edcf18879d73c06a7d39b2cf7718556fcebd7a689e4f3d72ec759f5bf36fc8bfc20290dc7a0

Download Submit
C:\Windows\System\arGnJPx.exe

Filesize
1.4MB

MD5
c4e28c2bb8eff6dc25c833759093eaa3

SHA1
e7dd08f312580c5f41ef1ff6b3428772d1e184a5

SHA256
b37132552a31733f0edb9a09d754a7fec06ef65e48f894652d698e529440d5ab

SHA512
a276d06de11fb73c703f3a18376f681af4094e0422d7074f7c70c84ae25525fe7d5a60c0067e98e885942c9cb05fc4ef42c2ad21c82fc1ecf65c168e6e744b1d

Download Submit
C:\Windows\System\eNkugrU.exe

Filesize
1.4MB

MD5
8361c07dad526f4a0933b17e8cc7b55b

SHA1
f2e2d2f6b65ab7d3b7ddff33c8c19d809b4f2c1c

SHA256
3c0532b6d0fa7ae9e7a249ff478444d79f0099dc1bbc7ad16e89edd232740539

SHA512
ad65e76ee956939304f1ff0e1d90c0dcefabe362635c599c72b10db5229c6373c54604c23b4d2ce55e486fc0580d4fef568705e4cc24dc5deee2d5925ea4b77f

Download Submit
C:\Windows\System\gykPRgI.exe

Filesize
1.4MB

MD5
4e851acd00c12c90adabfc3968a4c9c1

SHA1
23732f0fdf3a32ef2270bdc92641b30ea48ea487

SHA256
1bdd9ea1e01485a132c394e4d0335ad0c247e3d2452077e372aeb5d156c02129

SHA512
7af0c8d13c54fad0683fe20064524a2855118c258158e7895499f479e3c27575a73f3a6c13d18ec5c62fa411cc8c03c1402a46fbc8521179d88a7beba63ffdce

Download Submit
C:\Windows\System\htSBzFh.exe

Filesize
1.4MB

MD5
ba4dd49b2618613393ce9a24e6a2bb90

SHA1
a2f0b5e724c1b895565532deafb0d83047f005c5

SHA256
59f3abe75c370162405cb311a42472b6de8afcc426587d013115dbbca6275ccd

SHA512
c87683a46531c5c240fd8e3b54e617ecbd0ccd39c06d74cb4532e36d3a57cfc04359975610c3f19a32f135db714e540ff3e74fefe1d9c0690b2cac9e8b71972c

Download Submit
C:\Windows\System\icMKyYp.exe

Filesize
1.4MB

MD5
847c90da9520b9de896c0d3fe879a9e5

SHA1
8696018b2e34c886ea61674c56f4f72be6939b47

SHA256
458939bcfac9a6c201bf8451e2a5f92da85668898cc7f0c8905399683620d18d

SHA512
369bd7f2a2e64258c6767910dcc4f7148d20bb72882be5c965a73edbc8b2ba42ac3e246c9c826f2b4d9546bf8b8350bf8f35b1c911d2f0c9c7f3e3377af9c4e8

Download Submit
C:\Windows\System\kIoDeYY.exe

Filesize
1.4MB

MD5
eb003fa3ad89d8a4df8b3f31cec872d1

SHA1
b3db50bdc8ccdef25ffb4bfe34a9a37cb6098595

SHA256
5ce5a6801d23a7be649ad800d31aef0f59b1b9405b938bec84b92fc6dee2e213

SHA512
8dd91eb194008cec5143a1eaf750d875641a5cb60eb028c8105b070eeea26ecfc71189caaf72ad4838f7b1fa31b361483bf33117ffd720c36634942ce39c58de

Download Submit
C:\Windows\System\kJCBgVq.exe

Filesize
1.4MB

MD5
c0cd49059854cf0cdb7b807c98672f8c

SHA1
f4a1e8d006b887a8fb94f9d781c0f9bc8d679e57

SHA256
e37e5b0e39d78a55c4db8fd8e275e35ead05bf8b381bb67b97925322990816ad

SHA512
220c420c74e5b2a7f4e60d13a7d10b91611e11331b714752e0b2638102fb783411a1fb6cf397a059cdfe86bc039895513fdf787fb0ce5ad67e4b3deb666a69c5

Download Submit
C:\Windows\System\lwtXYIq.exe

Filesize
1.4MB

MD5
d78a5c6f4cafb0742bfcfe768f97b996

SHA1
840f04fa96d3e1a70d6af4b16a197b5c7dda0a27

SHA256
cc25acf9aba7b4f3c59fc2191cbb48c51204ec62c2d4f551f856ac19a685a2a0

SHA512
8b6c03e8a1bf4d416ae53945610bcc90ad382194d745bd0f1b82af3d2fd2914959796ad6ccc3e20476b7b4a719fdd16917df2574b556627ac2b95eb61ea078e8

Download Submit
C:\Windows\System\mEnmdBl.exe

Filesize
1.4MB

MD5
aae023224872aa57f704f53d371bd66a

SHA1
369c944aab3381cc97d35ec711fd33cfd27dd11b

SHA256
c184a78c7586b3064077f3397712dd5b146bbb2d645765131b119d09a5d9e931

SHA512
2a0ac529f8c86fad3d901c8051396a9d9cbd5c403f71a3effa4512d6b9cf18079ebec21043945415825bda1097a15e2e2ac425b6110c81be3811ab738a80246a

Download Submit
C:\Windows\System\myKNAJb.exe

Filesize
1.4MB

MD5
f9a60e5da301dbc2d7c8573665d4cadf

SHA1
a4ad9952f25e342f21f622ab2b23813f922a7ff3

SHA256
caa17fcb2d879dd1d438412cc485bc8985a5ad7a642a549f5ab23f8a1b5ca5dd

SHA512
e5e1056629193797a857bc5daab226a9d3837a0d921a820cb652ea8c6231f80975774d7a5d8ae0f5357d1ce4edf814cf2d7e4a5b4134dd8e525c7a98fddede2d

Download Submit
C:\Windows\System\pFwTltA.exe

Filesize
1.4MB

MD5
fa3815f4680c343a60fb91d1eaff818f

SHA1
c9842b54360c4e910288e903e7bed7a00f384900

SHA256
85a26c177fcf53267af4e465a1e0e15bb0944db5ab8d6b4a4ca9ced1cbbc5a9a

SHA512
e14565b065a48199ac39e627a4e031d27ef10832580868e028e0e05ac186c4b83d3fd89109be798b221b4ab071da5b364561db4b582144e9a0fd24d7179587dd

Download Submit
C:\Windows\System\qHyVgZz.exe

Filesize
1.4MB

MD5
e1ce142c9bed7f058fc0f3e303d4377d

SHA1
6b91fd692b7fe666ebe149bbc19a5eb480a530a6

SHA256
ebd08d4d7a9441029d1568078a867c2e4493e9f4026a9f299ea607c8c3766b6b

SHA512
094977a83f1a3767423495263d18a26aab616f017afbb4d66d6f44ddf5c653a8837a6204aed69d9185e501d0908d88f00eccbd0948c3030fa328d33f109ba76f

Download Submit
C:\Windows\System\sIPoWUh.exe

Filesize
1.4MB

MD5
78f9084b88af5d20fca1efb1caa80452

SHA1
8e24c622565d61e2558dc17e3c85447e89c490f1

SHA256
359b43d4d00a4ade2251dd4843617a548a936df0e5c91aef57a64ffa00df67c8

SHA512
1843d8b68b031ce537c8e6fda25921476a6da0e31cb9cce64b33e94e0739a1f0ab1e5e77fc8ddb5dd61e3b90fc08d07fdaa44fe3b35bdcf14c865c003e8ea7bb

Download Submit
C:\Windows\System\tLKhtDa.exe

Filesize
1.4MB

MD5
5541df4af4f22d4d39d9b948647634f8

SHA1
79ae680a646c60ace15082ba0e56f7fc66ea79fa

SHA256
5f95a880ef6611ff09fb4346e41e712e0d26a95f4285506ca6dd64e890a8a8b9

SHA512
ca6053e9bbf345075b17130b7688aff731064ee4cca60ab57ec85eb8f105aae69e338809fec9815088295a520faa757ff8a4d406447e36ad1cdf34e30a237bd3

Download Submit
C:\Windows\System\vUTMhCG.exe

Filesize
1.4MB

MD5
96822c11d70e9e3d88758f6220e89d4d

SHA1
ba29bd46fee679e5e748a37ac36c94d395cda2a4

SHA256
58b8fc2b02524fada73a469018d18610e0bf03eac4be03c0f7a0f5f56c47e901

SHA512
0aa312336d76cc029c20d3d9ad3603d14e7bb943d5b7313dec9791553dae0994529b31b6cc752e770bf7c0cc6c34e80634b87fd5c7b4c5adf70739f1e8378672

Download Submit
C:\Windows\System\wDKcQIE.exe

Filesize
1.4MB

MD5
532e2dc5bf21452366b18b8ff11b8d55

SHA1
fa5e2c3e09389ac0f84492bf715464b435786385

SHA256
8069f8c88e57e23b46de48e98bf35dc500bdbdf61fbb52b30e93a0b92a0368a7

SHA512
1228d6cbcb82b0b06f2236ff4c85656d624d1283585fd06f1c7c784e8634a7d93dd2a43d85553f898c5c12dde7130355dfd8cef86f7ba5aae0f32a7cd80eda9a

Download Submit
C:\Windows\System\wcLMlKC.exe

Filesize
1.4MB

MD5
d9ba98105f0b621886d89d756364b1ce

SHA1
6c128338d736b71ea4f597f456cf6c28551c1459

SHA256
b9d9ef2c6feff43f7fa0834f4ad57f0230c92cdcd965d51b32b5e22ef0f73936

SHA512
1b1d67a23b0b39fa7c509c98b2ff20154e954942590e758c71b10bbd2c88373d5e9e394b4191be80737e5a1d948da21711ecd2dc1c2cddf2d9560070e06c67b0

Download Submit
C:\Windows\System\wsxdyvw.exe

Filesize
1.4MB

MD5
e693cfec249d4edfc7f9664ce4edd1ce

SHA1
781ec23ddfe1b6074757dda1e0245e93a7d3413d

SHA256
e5c10ae4d370caed82e909b2cd47081214d7893238f202e1a9a9e5349481b605

SHA512
283ea6854d2efb13ac5cb8c6c47bde4d2d094c352d6055bc300d79593a8e6ee97fe528c34bd42afb93b16e1536a6de96a713fd15557451601b066ea1839fc52b

Download Submit
C:\Windows\System\xVJGIKl.exe

Filesize
1.4MB

MD5
261a27b971e5cac25918d3eecf62341a

SHA1
462e14204b46e9f58b99c3511d9881cbb3170bce

SHA256
cb2eefced80f97a50cf635e6fe26ea4eb499591596b8798e522e20d19fa5fa11

SHA512
5f2401f16cb388900a9240dd6d8aeca03f3b9c709f9e058de2a073db771e4b230959b270cd5ddad3e212e55ea3421dc85e008ee0367f4aa6e0a5682d74667256

Download Submit
memory/436-306-0x00007FF751560000-0x00007FF7518B1000-memory.dmp

Filesize
3.3MB

Download
memory/436-2305-0x00007FF751560000-0x00007FF7518B1000-memory.dmp

Filesize
3.3MB

Download
memory/664-2313-0x00007FF714B80000-0x00007FF714ED1000-memory.dmp

Filesize
3.3MB

Download
memory/664-294-0x00007FF714B80000-0x00007FF714ED1000-memory.dmp

Filesize
3.3MB

Download
memory/832-305-0x00007FF6DF120000-0x00007FF6DF471000-memory.dmp

Filesize
3.3MB

Download
memory/832-2311-0x00007FF6DF120000-0x00007FF6DF471000-memory.dmp

Filesize
3.3MB

Download
memory/860-2301-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp

Filesize
3.3MB

Download
memory/860-254-0x00007FF6E5320000-0x00007FF6E5671000-memory.dmp

Filesize
3.3MB

Download
memory/1144-2303-0x00007FF7A5020000-0x00007FF7A5371000-memory.dmp

Filesize
3.3MB

Download
memory/1144-200-0x00007FF7A5020000-0x00007FF7A5371000-memory.dmp

Filesize
3.3MB

Download
memory/1208-2289-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp

Filesize
3.3MB

Download
memory/1208-197-0x00007FF6ED1E0000-0x00007FF6ED531000-memory.dmp

Filesize
3.3MB

Download
memory/1340-1-0x000001E957E10000-0x000001E957E20000-memory.dmp

Filesize
64KB

Download
memory/1340-0-0x00007FF750750000-0x00007FF750AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1340-2172-0x00007FF750750000-0x00007FF750AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1368-123-0x00007FF7F0370000-0x00007FF7F06C1000-memory.dmp

Filesize
3.3MB

Download
memory/1368-2295-0x00007FF7F0370000-0x00007FF7F06C1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-223-0x00007FF74B520000-0x00007FF74B871000-memory.dmp

Filesize
3.3MB

Download
memory/1468-2299-0x00007FF74B520000-0x00007FF74B871000-memory.dmp

Filesize
3.3MB

Download
memory/1524-2327-0x00007FF648090000-0x00007FF6483E1000-memory.dmp

Filesize
3.3MB

Download
memory/1524-297-0x00007FF648090000-0x00007FF6483E1000-memory.dmp

Filesize
3.3MB

Download
memory/1624-2317-0x00007FF7C6660000-0x00007FF7C69B1000-memory.dmp

Filesize
3.3MB

Download
memory/1624-285-0x00007FF7C6660000-0x00007FF7C69B1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-299-0x00007FF7D9D80000-0x00007FF7DA0D1000-memory.dmp

Filesize
3.3MB

Download
memory/1648-2325-0x00007FF7D9D80000-0x00007FF7DA0D1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-12-0x00007FF6E0980000-0x00007FF6E0CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2328-2271-0x00007FF6E0980000-0x00007FF6E0CD1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-2321-0x00007FF69B8A0000-0x00007FF69BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2420-295-0x00007FF69B8A0000-0x00007FF69BBF1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-97-0x00007FF7E8A60000-0x00007FF7E8DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2464-2283-0x00007FF7E8A60000-0x00007FF7E8DB1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-2275-0x00007FF781E80000-0x00007FF7821D1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-302-0x00007FF781E80000-0x00007FF7821D1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-304-0x00007FF696D20000-0x00007FF697071000-memory.dmp

Filesize
3.3MB

Download
memory/2920-2307-0x00007FF696D20000-0x00007FF697071000-memory.dmp

Filesize
3.3MB

Download
memory/3120-2273-0x00007FF6CFAC0000-0x00007FF6CFE11000-memory.dmp

Filesize
3.3MB

Download
memory/3120-36-0x00007FF6CFAC0000-0x00007FF6CFE11000-memory.dmp

Filesize
3.3MB

Download
memory/3284-237-0x00007FF7F0100000-0x00007FF7F0451000-memory.dmp

Filesize
3.3MB

Download
memory/3284-2287-0x00007FF7F0100000-0x00007FF7F0451000-memory.dmp

Filesize
3.3MB

Download
memory/3464-2319-0x00007FF6450D0000-0x00007FF645421000-memory.dmp

Filesize
3.3MB

Download
memory/3464-296-0x00007FF6450D0000-0x00007FF645421000-memory.dmp

Filesize
3.3MB

Download
memory/3932-300-0x00007FF7B2580000-0x00007FF7B28D1000-memory.dmp

Filesize
3.3MB

Download
memory/3932-2315-0x00007FF7B2580000-0x00007FF7B28D1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-2281-0x00007FF66AFA0000-0x00007FF66B2F1000-memory.dmp

Filesize
3.3MB

Download
memory/3936-64-0x00007FF66AFA0000-0x00007FF66B2F1000-memory.dmp

Filesize
3.3MB

Download
memory/4060-298-0x00007FF727A30000-0x00007FF727D81000-memory.dmp

Filesize
3.3MB

Download
memory/4060-2309-0x00007FF727A30000-0x00007FF727D81000-memory.dmp

Filesize
3.3MB

Download
memory/4504-2329-0x00007FF6C30F0000-0x00007FF6C3441000-memory.dmp

Filesize
3.3MB

Download
memory/4504-301-0x00007FF6C30F0000-0x00007FF6C3441000-memory.dmp

Filesize
3.3MB

Download
memory/4528-292-0x00007FF68EEC0000-0x00007FF68F211000-memory.dmp

Filesize
3.3MB

Download
memory/4528-2291-0x00007FF68EEC0000-0x00007FF68F211000-memory.dmp

Filesize
3.3MB

Download
memory/4624-303-0x00007FF761490000-0x00007FF7617E1000-memory.dmp

Filesize
3.3MB

Download
memory/4624-2285-0x00007FF761490000-0x00007FF7617E1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-67-0x00007FF7A6770000-0x00007FF7A6AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4764-2278-0x00007FF7A6770000-0x00007FF7A6AC1000-memory.dmp

Filesize
3.3MB

Download
memory/4772-153-0x00007FF7C7F10000-0x00007FF7C8261000-memory.dmp

Filesize
3.3MB

Download
memory/4772-2279-0x00007FF7C7F10000-0x00007FF7C8261000-memory.dmp

Filesize
3.3MB

Download
memory/4984-293-0x00007FF764DA0000-0x00007FF7650F1000-memory.dmp

Filesize
3.3MB

Download
memory/4984-2293-0x00007FF764DA0000-0x00007FF7650F1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-2297-0x00007FF6A7390000-0x00007FF6A76E1000-memory.dmp

Filesize
3.3MB

Download
memory/5040-255-0x00007FF6A7390000-0x00007FF6A76E1000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads