xmrig | 50018d478d7aa4682289d1b0c822aef95c5b789bf7e51727d1bf30628692189e

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
Size

3.2MB
MD5

e31db6dfe499867f82d463b7120de6f0
SHA1

302756c567bd87942d6953505e8c5532b52e8bdd
SHA256

50018d478d7aa4682289d1b0c822aef95c5b789bf7e51727d1bf30628692189e
SHA512

ea9ef6951bed9aed6a95cc24c8465af6ffa62d32f4cd4828fda63deaf277c8438ba72a65276ad10100ccb1667430d85907396bf9ef9c606b53b98eaec6e8c35f
SSDEEP

98304:71ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrW5:7bBeSFkd

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3784-0-0x00007FF72D200000-0x00007FF72D5F6000-memory.dmp	xmrig
behavioral2/files/0x00080000000233ce-6.dat	xmrig
behavioral2/files/0x00070000000233d3-9.dat	xmrig
behavioral2/files/0x00070000000233d2-12.dat	xmrig
behavioral2/files/0x00070000000233d4-33.dat	xmrig
behavioral2/files/0x00070000000233d7-46.dat	xmrig
behavioral2/files/0x00070000000233da-62.dat	xmrig
behavioral2/files/0x00070000000233dc-72.dat	xmrig
behavioral2/files/0x00070000000233df-87.dat	xmrig
behavioral2/files/0x00070000000233e0-92.dat	xmrig
behavioral2/files/0x00070000000233e4-110.dat	xmrig
behavioral2/files/0x00070000000233e6-120.dat	xmrig
behavioral2/files/0x00070000000233e8-138.dat	xmrig
behavioral2/files/0x00070000000233ef-165.dat	xmrig
behavioral2/files/0x00070000000233f1-175.dat	xmrig
behavioral2/files/0x00070000000233f0-170.dat	xmrig
behavioral2/files/0x00070000000233ee-168.dat	xmrig
behavioral2/files/0x00070000000233ed-163.dat	xmrig
behavioral2/files/0x00070000000233ec-158.dat	xmrig
behavioral2/memory/1552-785-0x00007FF647830000-0x00007FF647C26000-memory.dmp	xmrig
behavioral2/files/0x00070000000233eb-153.dat	xmrig
behavioral2/files/0x00070000000233ea-148.dat	xmrig
behavioral2/files/0x00070000000233e9-143.dat	xmrig
behavioral2/memory/2864-792-0x00007FF6FBAE0000-0x00007FF6FBED6000-memory.dmp	xmrig
behavioral2/memory/1852-799-0x00007FF79C390000-0x00007FF79C786000-memory.dmp	xmrig
behavioral2/memory/1680-810-0x00007FF715AF0000-0x00007FF715EE6000-memory.dmp	xmrig
behavioral2/memory/2112-816-0x00007FF784960000-0x00007FF784D56000-memory.dmp	xmrig
behavioral2/memory/960-814-0x00007FF765D30000-0x00007FF766126000-memory.dmp	xmrig
behavioral2/memory/2912-807-0x00007FF6A11D0000-0x00007FF6A15C6000-memory.dmp	xmrig
behavioral2/memory/2408-795-0x00007FF745E90000-0x00007FF746286000-memory.dmp	xmrig
behavioral2/files/0x00070000000233e7-133.dat	xmrig
behavioral2/files/0x00070000000233e5-123.dat	xmrig
behavioral2/files/0x00070000000233e3-113.dat	xmrig
behavioral2/files/0x00070000000233e2-108.dat	xmrig
behavioral2/files/0x00070000000233e1-103.dat	xmrig
behavioral2/files/0x00070000000233de-85.dat	xmrig
behavioral2/files/0x00070000000233dd-81.dat	xmrig
behavioral2/files/0x00070000000233db-70.dat	xmrig
behavioral2/files/0x00070000000233d9-60.dat	xmrig
behavioral2/files/0x00070000000233d8-56.dat	xmrig
behavioral2/files/0x00080000000233d6-45.dat	xmrig
behavioral2/files/0x00080000000233d5-40.dat	xmrig
behavioral2/memory/3760-820-0x00007FF6E4F40000-0x00007FF6E5336000-memory.dmp	xmrig
behavioral2/memory/1608-828-0x00007FF731D00000-0x00007FF7320F6000-memory.dmp	xmrig
behavioral2/memory/1224-835-0x00007FF6C3C10000-0x00007FF6C4006000-memory.dmp	xmrig
behavioral2/memory/3440-840-0x00007FF7055F0000-0x00007FF7059E6000-memory.dmp	xmrig
behavioral2/memory/1536-829-0x00007FF7B2600000-0x00007FF7B29F6000-memory.dmp	xmrig
behavioral2/memory/2244-849-0x00007FF65CDB0000-0x00007FF65D1A6000-memory.dmp	xmrig
behavioral2/memory/548-852-0x00007FF7F66E0000-0x00007FF7F6AD6000-memory.dmp	xmrig
behavioral2/memory/4744-855-0x00007FF759D90000-0x00007FF75A186000-memory.dmp	xmrig
behavioral2/memory/3664-860-0x00007FF72B710000-0x00007FF72BB06000-memory.dmp	xmrig
behavioral2/memory/820-867-0x00007FF60EAF0000-0x00007FF60EEE6000-memory.dmp	xmrig
behavioral2/memory/2120-870-0x00007FF786DD0000-0x00007FF7871C6000-memory.dmp	xmrig
behavioral2/memory/5076-863-0x00007FF655F20000-0x00007FF656316000-memory.dmp	xmrig
behavioral2/memory/384-876-0x00007FF650BF0000-0x00007FF650FE6000-memory.dmp	xmrig
behavioral2/memory/2344-879-0x00007FF7E41B0000-0x00007FF7E45A6000-memory.dmp	xmrig
behavioral2/memory/688-888-0x00007FF65ED40000-0x00007FF65F136000-memory.dmp	xmrig
behavioral2/memory/880-884-0x00007FF76D5E0000-0x00007FF76D9D6000-memory.dmp	xmrig
behavioral2/memory/880-1945-0x00007FF76D5E0000-0x00007FF76D9D6000-memory.dmp	xmrig
behavioral2/memory/1552-1946-0x00007FF647830000-0x00007FF647C26000-memory.dmp	xmrig
behavioral2/memory/2864-1947-0x00007FF6FBAE0000-0x00007FF6FBED6000-memory.dmp	xmrig
behavioral2/memory/688-1948-0x00007FF65ED40000-0x00007FF65F136000-memory.dmp	xmrig
behavioral2/memory/2408-1949-0x00007FF745E90000-0x00007FF746286000-memory.dmp	xmrig
behavioral2/memory/1852-1956-0x00007FF79C390000-0x00007FF79C786000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3208	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
880	AtAZiZN.exe
1552	HzlEdgm.exe
2864	tvPYwDi.exe
688	JehlghW.exe
2408	zcmWbhy.exe
1852	NJpqMEx.exe
2912	mnOKRpN.exe
1680	CtqEoTd.exe
960	BGvKmKO.exe
2112	vIUncRO.exe
3760	QTiyHrV.exe
1608	SGdysnY.exe
1536	ZPLbvfO.exe
1224	pnXJLPu.exe
3440	RCPFUig.exe
2244	baNzNad.exe
548	erkWGuZ.exe
4744	EhRDnvh.exe
3664	LbDcQfv.exe
5076	tgkMITL.exe
820	FWURzxP.exe
2120	aSfgXcG.exe
384	UscZLGZ.exe
2344	UgpmTDS.exe
4552	rbFGxkx.exe
4572	AskUaQo.exe
2096	xFCecje.exe
3156	MTMIToV.exe
3368	KrdoNmR.exe
5000	dGLyJWA.exe
3952	iibFLgo.exe
5072	wTsaxxn.exe
2100	VfRKXyH.exe
3024	WRAYYaS.exe
4952	ZqPkaDN.exe
3644	NomYLpF.exe
1148	mpwjGyb.exe
3632	ylgzrkZ.exe
4964	kLDHzDP.exe
2884	tXQWGLf.exe
2600	LrGjzmt.exe
980	HVWAtwq.exe
512	bJOuRgY.exe
3288	GzRXemN.exe
1460	JwTvgyD.exe
4360	ToAAWPL.exe
4364	jewIwUy.exe
552	ukjGMUx.exe
4380	gBaKtav.exe
2860	GLSAaYS.exe
652	zPxzTIe.exe
1420	sfrzDdX.exe
4052	mQuBKHp.exe
2020	dfIFNbn.exe
1808	ZWvbAaQ.exe
4884	KigmJbx.exe
3052	OdQmHow.exe
2632	hKhXdIa.exe
5056	uodHFgk.exe
4936	QMEVOja.exe
3992	prKCSgy.exe
4500	SCjbPoT.exe
4076	uuGnWbP.exe
1408	OmjzAZX.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3784-0-0x00007FF72D200000-0x00007FF72D5F6000-memory.dmp	upx
behavioral2/files/0x00080000000233ce-6.dat	upx
behavioral2/files/0x00070000000233d3-9.dat	upx
behavioral2/files/0x00070000000233d2-12.dat	upx
behavioral2/files/0x00070000000233d4-33.dat	upx
behavioral2/files/0x00070000000233d7-46.dat	upx
behavioral2/files/0x00070000000233da-62.dat	upx
behavioral2/files/0x00070000000233dc-72.dat	upx
behavioral2/files/0x00070000000233df-87.dat	upx
behavioral2/files/0x00070000000233e0-92.dat	upx
behavioral2/files/0x00070000000233e4-110.dat	upx
behavioral2/files/0x00070000000233e6-120.dat	upx
behavioral2/files/0x00070000000233e8-138.dat	upx
behavioral2/files/0x00070000000233ef-165.dat	upx
behavioral2/files/0x00070000000233f1-175.dat	upx
behavioral2/files/0x00070000000233f0-170.dat	upx
behavioral2/files/0x00070000000233ee-168.dat	upx
behavioral2/files/0x00070000000233ed-163.dat	upx
behavioral2/files/0x00070000000233ec-158.dat	upx
behavioral2/memory/1552-785-0x00007FF647830000-0x00007FF647C26000-memory.dmp	upx
behavioral2/files/0x00070000000233eb-153.dat	upx
behavioral2/files/0x00070000000233ea-148.dat	upx
behavioral2/files/0x00070000000233e9-143.dat	upx
behavioral2/memory/2864-792-0x00007FF6FBAE0000-0x00007FF6FBED6000-memory.dmp	upx
behavioral2/memory/1852-799-0x00007FF79C390000-0x00007FF79C786000-memory.dmp	upx
behavioral2/memory/1680-810-0x00007FF715AF0000-0x00007FF715EE6000-memory.dmp	upx
behavioral2/memory/2112-816-0x00007FF784960000-0x00007FF784D56000-memory.dmp	upx
behavioral2/memory/960-814-0x00007FF765D30000-0x00007FF766126000-memory.dmp	upx
behavioral2/memory/2912-807-0x00007FF6A11D0000-0x00007FF6A15C6000-memory.dmp	upx
behavioral2/memory/2408-795-0x00007FF745E90000-0x00007FF746286000-memory.dmp	upx
behavioral2/files/0x00070000000233e7-133.dat	upx
behavioral2/files/0x00070000000233e5-123.dat	upx
behavioral2/files/0x00070000000233e3-113.dat	upx
behavioral2/files/0x00070000000233e2-108.dat	upx
behavioral2/files/0x00070000000233e1-103.dat	upx
behavioral2/files/0x00070000000233de-85.dat	upx
behavioral2/files/0x00070000000233dd-81.dat	upx
behavioral2/files/0x00070000000233db-70.dat	upx
behavioral2/files/0x00070000000233d9-60.dat	upx
behavioral2/files/0x00070000000233d8-56.dat	upx
behavioral2/files/0x00080000000233d6-45.dat	upx
behavioral2/files/0x00080000000233d5-40.dat	upx
behavioral2/memory/3760-820-0x00007FF6E4F40000-0x00007FF6E5336000-memory.dmp	upx
behavioral2/memory/1608-828-0x00007FF731D00000-0x00007FF7320F6000-memory.dmp	upx
behavioral2/memory/1224-835-0x00007FF6C3C10000-0x00007FF6C4006000-memory.dmp	upx
behavioral2/memory/3440-840-0x00007FF7055F0000-0x00007FF7059E6000-memory.dmp	upx
behavioral2/memory/1536-829-0x00007FF7B2600000-0x00007FF7B29F6000-memory.dmp	upx
behavioral2/memory/2244-849-0x00007FF65CDB0000-0x00007FF65D1A6000-memory.dmp	upx
behavioral2/memory/548-852-0x00007FF7F66E0000-0x00007FF7F6AD6000-memory.dmp	upx
behavioral2/memory/4744-855-0x00007FF759D90000-0x00007FF75A186000-memory.dmp	upx
behavioral2/memory/3664-860-0x00007FF72B710000-0x00007FF72BB06000-memory.dmp	upx
behavioral2/memory/820-867-0x00007FF60EAF0000-0x00007FF60EEE6000-memory.dmp	upx
behavioral2/memory/2120-870-0x00007FF786DD0000-0x00007FF7871C6000-memory.dmp	upx
behavioral2/memory/5076-863-0x00007FF655F20000-0x00007FF656316000-memory.dmp	upx
behavioral2/memory/384-876-0x00007FF650BF0000-0x00007FF650FE6000-memory.dmp	upx
behavioral2/memory/2344-879-0x00007FF7E41B0000-0x00007FF7E45A6000-memory.dmp	upx
behavioral2/memory/688-888-0x00007FF65ED40000-0x00007FF65F136000-memory.dmp	upx
behavioral2/memory/880-884-0x00007FF76D5E0000-0x00007FF76D9D6000-memory.dmp	upx
behavioral2/memory/880-1945-0x00007FF76D5E0000-0x00007FF76D9D6000-memory.dmp	upx
behavioral2/memory/1552-1946-0x00007FF647830000-0x00007FF647C26000-memory.dmp	upx
behavioral2/memory/2864-1947-0x00007FF6FBAE0000-0x00007FF6FBED6000-memory.dmp	upx
behavioral2/memory/688-1948-0x00007FF65ED40000-0x00007FF65F136000-memory.dmp	upx
behavioral2/memory/2408-1949-0x00007FF745E90000-0x00007FF746286000-memory.dmp	upx
behavioral2/memory/1852-1956-0x00007FF79C390000-0x00007FF79C786000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
3	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\hKhXdIa.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\DNpFajE.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\xpcEDhU.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\aswtLAb.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\eTjJzmD.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\PPzpmQL.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\IICnfWJ.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\JBBNLFc.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\SUJBhZV.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\mFhqWJo.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\mFbGXNE.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\BzVthJF.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\lxuPVzu.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\npaFAEk.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\snFtwXQ.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\gedlgWc.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\XgqZRpI.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\FcVrAQe.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\JlFoAFO.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\sbCFgyJ.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\SEnRINQ.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\vwuZtUl.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\hCdMlgv.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\whIPOjf.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\pljvUBK.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\kxnvCdX.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\vjIlpnN.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\fNxfrwK.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\WclzToI.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\KWGAeJP.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\akOQUQo.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\FWURzxP.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\KrdoNmR.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\UuykQTy.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\NXdRolr.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\ROxdnDj.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\iFHuNgV.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\RCPFUig.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\LrGjzmt.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\QWDISWD.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\qmXyJYM.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\TAThWIU.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\LKpdxQl.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\AFloyLo.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\sIfDPcO.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\SWiWUTy.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\ZOAHsjw.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\HJSlylA.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\PeTADQd.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\bFVahnv.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\PYDJOWm.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\NeSgotS.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\JqhoeqA.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\yjHURqC.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\joUTNSx.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\sNsKlpO.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\KOrZMBD.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\CZbpjxY.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\rhIEWxw.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\NTWSFLk.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\DGEsVEx.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\BGvKmKO.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\HXmXgkJ.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
File created	C:\Windows\System\vMEKheR.exe	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3208	powershell.exe
3208	powershell.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeCreateGlobalPrivilege	12308	dwm.exe
Token: SeChangeNotifyPrivilege	12308	dwm.exe
Token: 33	12308	dwm.exe
Token: SeIncBasePriorityPrivilege	12308	dwm.exe
Token: SeShutdownPrivilege	12308	dwm.exe
Token: SeCreatePagefilePrivilege	12308	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 3208	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	83
PID 3784 wrote to memory of 3208	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	83
PID 3784 wrote to memory of 880	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	84
PID 3784 wrote to memory of 880	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	84
PID 3784 wrote to memory of 1552	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	85
PID 3784 wrote to memory of 1552	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	85
PID 3784 wrote to memory of 2864	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	86
PID 3784 wrote to memory of 2864	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	86
PID 3784 wrote to memory of 688	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	87
PID 3784 wrote to memory of 688	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	87
PID 3784 wrote to memory of 2408	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	88
PID 3784 wrote to memory of 2408	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	88
PID 3784 wrote to memory of 1852	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	89
PID 3784 wrote to memory of 1852	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	89
PID 3784 wrote to memory of 2912	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	90
PID 3784 wrote to memory of 2912	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	90
PID 3784 wrote to memory of 1680	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	91
PID 3784 wrote to memory of 1680	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	91
PID 3784 wrote to memory of 960	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	92
PID 3784 wrote to memory of 960	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	92
PID 3784 wrote to memory of 2112	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	93
PID 3784 wrote to memory of 2112	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	93
PID 3784 wrote to memory of 3760	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	94
PID 3784 wrote to memory of 3760	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	94
PID 3784 wrote to memory of 1608	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	95
PID 3784 wrote to memory of 1608	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	95
PID 3784 wrote to memory of 1536	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	96
PID 3784 wrote to memory of 1536	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	96
PID 3784 wrote to memory of 1224	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	97
PID 3784 wrote to memory of 1224	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	97
PID 3784 wrote to memory of 3440	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	98
PID 3784 wrote to memory of 3440	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	98
PID 3784 wrote to memory of 2244	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	99
PID 3784 wrote to memory of 2244	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	99
PID 3784 wrote to memory of 548	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	100
PID 3784 wrote to memory of 548	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	100
PID 3784 wrote to memory of 4744	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	101
PID 3784 wrote to memory of 4744	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	101
PID 3784 wrote to memory of 3664	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	102
PID 3784 wrote to memory of 3664	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	102
PID 3784 wrote to memory of 5076	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	103
PID 3784 wrote to memory of 5076	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	103
PID 3784 wrote to memory of 820	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	104
PID 3784 wrote to memory of 820	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	104
PID 3784 wrote to memory of 2120	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	105
PID 3784 wrote to memory of 2120	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	105
PID 3784 wrote to memory of 384	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	106
PID 3784 wrote to memory of 384	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	106
PID 3784 wrote to memory of 2344	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	107
PID 3784 wrote to memory of 2344	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	107
PID 3784 wrote to memory of 4552	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	108
PID 3784 wrote to memory of 4552	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	108
PID 3784 wrote to memory of 4572	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	109
PID 3784 wrote to memory of 4572	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	109
PID 3784 wrote to memory of 2096	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	110
PID 3784 wrote to memory of 2096	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	110
PID 3784 wrote to memory of 3156	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	111
PID 3784 wrote to memory of 3156	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	111
PID 3784 wrote to memory of 3368	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	112
PID 3784 wrote to memory of 3368	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	112
PID 3784 wrote to memory of 5000	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	113
PID 3784 wrote to memory of 5000	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	113
PID 3784 wrote to memory of 3952	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	114
PID 3784 wrote to memory of 3952	3784	e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e31db6dfe499867f82d463b7120de6f0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\System\AtAZiZN.exe
  C:\Windows\System\AtAZiZN.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\HzlEdgm.exe
  C:\Windows\System\HzlEdgm.exe
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\System\tvPYwDi.exe
  C:\Windows\System\tvPYwDi.exe
  2⤵
  - Executes dropped EXE
  PID:2864
- C:\Windows\System\JehlghW.exe
  C:\Windows\System\JehlghW.exe
  2⤵
  - Executes dropped EXE
  PID:688
- C:\Windows\System\zcmWbhy.exe
  C:\Windows\System\zcmWbhy.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\NJpqMEx.exe
  C:\Windows\System\NJpqMEx.exe
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\Windows\System\mnOKRpN.exe
  C:\Windows\System\mnOKRpN.exe
  2⤵
  - Executes dropped EXE
  PID:2912
- C:\Windows\System\CtqEoTd.exe
  C:\Windows\System\CtqEoTd.exe
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Windows\System\BGvKmKO.exe
  C:\Windows\System\BGvKmKO.exe
  2⤵
  - Executes dropped EXE
  PID:960
- C:\Windows\System\vIUncRO.exe
  C:\Windows\System\vIUncRO.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\QTiyHrV.exe
  C:\Windows\System\QTiyHrV.exe
  2⤵
  - Executes dropped EXE
  PID:3760
- C:\Windows\System\SGdysnY.exe
  C:\Windows\System\SGdysnY.exe
  2⤵
  - Executes dropped EXE
  PID:1608
- C:\Windows\System\ZPLbvfO.exe
  C:\Windows\System\ZPLbvfO.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\pnXJLPu.exe
  C:\Windows\System\pnXJLPu.exe
  2⤵
  - Executes dropped EXE
  PID:1224
- C:\Windows\System\RCPFUig.exe
  C:\Windows\System\RCPFUig.exe
  2⤵
  - Executes dropped EXE
  PID:3440
- C:\Windows\System\baNzNad.exe
  C:\Windows\System\baNzNad.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\erkWGuZ.exe
  C:\Windows\System\erkWGuZ.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\EhRDnvh.exe
  C:\Windows\System\EhRDnvh.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\LbDcQfv.exe
  C:\Windows\System\LbDcQfv.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\tgkMITL.exe
  C:\Windows\System\tgkMITL.exe
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Windows\System\FWURzxP.exe
  C:\Windows\System\FWURzxP.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\aSfgXcG.exe
  C:\Windows\System\aSfgXcG.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\System\UscZLGZ.exe
  C:\Windows\System\UscZLGZ.exe
  2⤵
  - Executes dropped EXE
  PID:384
- C:\Windows\System\UgpmTDS.exe
  C:\Windows\System\UgpmTDS.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\rbFGxkx.exe
  C:\Windows\System\rbFGxkx.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\AskUaQo.exe
  C:\Windows\System\AskUaQo.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\xFCecje.exe
  C:\Windows\System\xFCecje.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\MTMIToV.exe
  C:\Windows\System\MTMIToV.exe
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Windows\System\KrdoNmR.exe
  C:\Windows\System\KrdoNmR.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\dGLyJWA.exe
  C:\Windows\System\dGLyJWA.exe
  2⤵
  - Executes dropped EXE
  PID:5000
- C:\Windows\System\iibFLgo.exe
  C:\Windows\System\iibFLgo.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System\wTsaxxn.exe
  C:\Windows\System\wTsaxxn.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\VfRKXyH.exe
  C:\Windows\System\VfRKXyH.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\WRAYYaS.exe
  C:\Windows\System\WRAYYaS.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\ZqPkaDN.exe
  C:\Windows\System\ZqPkaDN.exe
  2⤵
  - Executes dropped EXE
  PID:4952
- C:\Windows\System\NomYLpF.exe
  C:\Windows\System\NomYLpF.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\mpwjGyb.exe
  C:\Windows\System\mpwjGyb.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\ylgzrkZ.exe
  C:\Windows\System\ylgzrkZ.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Windows\System\kLDHzDP.exe
  C:\Windows\System\kLDHzDP.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\tXQWGLf.exe
  C:\Windows\System\tXQWGLf.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\LrGjzmt.exe
  C:\Windows\System\LrGjzmt.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\HVWAtwq.exe
  C:\Windows\System\HVWAtwq.exe
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\System\bJOuRgY.exe
  C:\Windows\System\bJOuRgY.exe
  2⤵
  - Executes dropped EXE
  PID:512
- C:\Windows\System\GzRXemN.exe
  C:\Windows\System\GzRXemN.exe
  2⤵
  - Executes dropped EXE
  PID:3288
- C:\Windows\System\JwTvgyD.exe
  C:\Windows\System\JwTvgyD.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\ToAAWPL.exe
  C:\Windows\System\ToAAWPL.exe
  2⤵
  - Executes dropped EXE
  PID:4360
- C:\Windows\System\jewIwUy.exe
  C:\Windows\System\jewIwUy.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\ukjGMUx.exe
  C:\Windows\System\ukjGMUx.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\gBaKtav.exe
  C:\Windows\System\gBaKtav.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\GLSAaYS.exe
  C:\Windows\System\GLSAaYS.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\zPxzTIe.exe
  C:\Windows\System\zPxzTIe.exe
  2⤵
  - Executes dropped EXE
  PID:652
- C:\Windows\System\sfrzDdX.exe
  C:\Windows\System\sfrzDdX.exe
  2⤵
  - Executes dropped EXE
  PID:1420
- C:\Windows\System\mQuBKHp.exe
  C:\Windows\System\mQuBKHp.exe
  2⤵
  - Executes dropped EXE
  PID:4052
- C:\Windows\System\dfIFNbn.exe
  C:\Windows\System\dfIFNbn.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\ZWvbAaQ.exe
  C:\Windows\System\ZWvbAaQ.exe
  2⤵
  - Executes dropped EXE
  PID:1808
- C:\Windows\System\KigmJbx.exe
  C:\Windows\System\KigmJbx.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Windows\System\OdQmHow.exe
  C:\Windows\System\OdQmHow.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\hKhXdIa.exe
  C:\Windows\System\hKhXdIa.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\uodHFgk.exe
  C:\Windows\System\uodHFgk.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\QMEVOja.exe
  C:\Windows\System\QMEVOja.exe
  2⤵
  - Executes dropped EXE
  PID:4936
- C:\Windows\System\prKCSgy.exe
  C:\Windows\System\prKCSgy.exe
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\System\SCjbPoT.exe
  C:\Windows\System\SCjbPoT.exe
  2⤵
  - Executes dropped EXE
  PID:4500
- C:\Windows\System\uuGnWbP.exe
  C:\Windows\System\uuGnWbP.exe
  2⤵
  - Executes dropped EXE
  PID:4076
- C:\Windows\System\OmjzAZX.exe
  C:\Windows\System\OmjzAZX.exe
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\Windows\System\qiaaRIv.exe
  C:\Windows\System\qiaaRIv.exe
  2⤵
  PID:3528
- C:\Windows\System\sHPLVZY.exe
  C:\Windows\System\sHPLVZY.exe
  2⤵
  PID:4912
- C:\Windows\System\zKStqTg.exe
  C:\Windows\System\zKStqTg.exe
  2⤵
  PID:2476
- C:\Windows\System\NiqXhWq.exe
  C:\Windows\System\NiqXhWq.exe
  2⤵
  PID:4508
- C:\Windows\System\Spwzlmh.exe
  C:\Windows\System\Spwzlmh.exe
  2⤵
  PID:3420
- C:\Windows\System\EWAowHD.exe
  C:\Windows\System\EWAowHD.exe
  2⤵
  PID:4416
- C:\Windows\System\SJWCfki.exe
  C:\Windows\System\SJWCfki.exe
  2⤵
  PID:3724
- C:\Windows\System\NPSmrjp.exe
  C:\Windows\System\NPSmrjp.exe
  2⤵
  PID:440
- C:\Windows\System\babkyMx.exe
  C:\Windows\System\babkyMx.exe
  2⤵
  PID:2268
- C:\Windows\System\LMHGPpR.exe
  C:\Windows\System\LMHGPpR.exe
  2⤵
  PID:4216
- C:\Windows\System\sPHcLVb.exe
  C:\Windows\System\sPHcLVb.exe
  2⤵
  PID:3048
- C:\Windows\System\KPceKpF.exe
  C:\Windows\System\KPceKpF.exe
  2⤵
  PID:3872
- C:\Windows\System\gQhoiRF.exe
  C:\Windows\System\gQhoiRF.exe
  2⤵
  PID:5148
- C:\Windows\System\HXmXgkJ.exe
  C:\Windows\System\HXmXgkJ.exe
  2⤵
  PID:5176
- C:\Windows\System\btHgFWo.exe
  C:\Windows\System\btHgFWo.exe
  2⤵
  PID:5204
- C:\Windows\System\JXNxZBj.exe
  C:\Windows\System\JXNxZBj.exe
  2⤵
  PID:5232
- C:\Windows\System\pljvUBK.exe
  C:\Windows\System\pljvUBK.exe
  2⤵
  PID:5260
- C:\Windows\System\ZzTfldt.exe
  C:\Windows\System\ZzTfldt.exe
  2⤵
  PID:5288
- C:\Windows\System\PeEnZUF.exe
  C:\Windows\System\PeEnZUF.exe
  2⤵
  PID:5316
- C:\Windows\System\oEQsKwo.exe
  C:\Windows\System\oEQsKwo.exe
  2⤵
  PID:5344
- C:\Windows\System\aflJyDE.exe
  C:\Windows\System\aflJyDE.exe
  2⤵
  PID:5372
- C:\Windows\System\mFbGXNE.exe
  C:\Windows\System\mFbGXNE.exe
  2⤵
  PID:5400
- C:\Windows\System\qUKCFXG.exe
  C:\Windows\System\qUKCFXG.exe
  2⤵
  PID:5428
- C:\Windows\System\KMhSoFF.exe
  C:\Windows\System\KMhSoFF.exe
  2⤵
  PID:5456
- C:\Windows\System\btjhuMR.exe
  C:\Windows\System\btjhuMR.exe
  2⤵
  PID:5484
- C:\Windows\System\ILYtATh.exe
  C:\Windows\System\ILYtATh.exe
  2⤵
  PID:5512
- C:\Windows\System\BcnNIcU.exe
  C:\Windows\System\BcnNIcU.exe
  2⤵
  PID:5540
- C:\Windows\System\OCBVKky.exe
  C:\Windows\System\OCBVKky.exe
  2⤵
  PID:5568
- C:\Windows\System\ttnJipP.exe
  C:\Windows\System\ttnJipP.exe
  2⤵
  PID:5596
- C:\Windows\System\JMdBHOM.exe
  C:\Windows\System\JMdBHOM.exe
  2⤵
  PID:5624
- C:\Windows\System\NmJHsxA.exe
  C:\Windows\System\NmJHsxA.exe
  2⤵
  PID:5652
- C:\Windows\System\kxnvCdX.exe
  C:\Windows\System\kxnvCdX.exe
  2⤵
  PID:5680
- C:\Windows\System\PYDJOWm.exe
  C:\Windows\System\PYDJOWm.exe
  2⤵
  PID:5708
- C:\Windows\System\liUznMy.exe
  C:\Windows\System\liUznMy.exe
  2⤵
  PID:5736
- C:\Windows\System\dqMFGtV.exe
  C:\Windows\System\dqMFGtV.exe
  2⤵
  PID:5764
- C:\Windows\System\xBvlCoq.exe
  C:\Windows\System\xBvlCoq.exe
  2⤵
  PID:5792
- C:\Windows\System\kIypILQ.exe
  C:\Windows\System\kIypILQ.exe
  2⤵
  PID:5820
- C:\Windows\System\RrjclDl.exe
  C:\Windows\System\RrjclDl.exe
  2⤵
  PID:5848
- C:\Windows\System\nOhTocD.exe
  C:\Windows\System\nOhTocD.exe
  2⤵
  PID:5876
- C:\Windows\System\NeSgotS.exe
  C:\Windows\System\NeSgotS.exe
  2⤵
  PID:5904
- C:\Windows\System\DNpFajE.exe
  C:\Windows\System\DNpFajE.exe
  2⤵
  PID:5932
- C:\Windows\System\aoRlwsp.exe
  C:\Windows\System\aoRlwsp.exe
  2⤵
  PID:5960
- C:\Windows\System\KEqxpuy.exe
  C:\Windows\System\KEqxpuy.exe
  2⤵
  PID:5988
- C:\Windows\System\UuykQTy.exe
  C:\Windows\System\UuykQTy.exe
  2⤵
  PID:6016
- C:\Windows\System\iRevhtx.exe
  C:\Windows\System\iRevhtx.exe
  2⤵
  PID:6044
- C:\Windows\System\faSyynu.exe
  C:\Windows\System\faSyynu.exe
  2⤵
  PID:6072
- C:\Windows\System\OtktaVM.exe
  C:\Windows\System\OtktaVM.exe
  2⤵
  PID:6100
- C:\Windows\System\fMCcATI.exe
  C:\Windows\System\fMCcATI.exe
  2⤵
  PID:6128
- C:\Windows\System\TKmFojm.exe
  C:\Windows\System\TKmFojm.exe
  2⤵
  PID:4460
- C:\Windows\System\QilcDhs.exe
  C:\Windows\System\QilcDhs.exe
  2⤵
  PID:4412
- C:\Windows\System\QCjWXKD.exe
  C:\Windows\System\QCjWXKD.exe
  2⤵
  PID:3684
- C:\Windows\System\rfsunim.exe
  C:\Windows\System\rfsunim.exe
  2⤵
  PID:4212
- C:\Windows\System\rULDhFi.exe
  C:\Windows\System\rULDhFi.exe
  2⤵
  PID:3376
- C:\Windows\System\pNYBywP.exe
  C:\Windows\System\pNYBywP.exe
  2⤵
  PID:5160
- C:\Windows\System\dLDxVuh.exe
  C:\Windows\System\dLDxVuh.exe
  2⤵
  PID:5220
- C:\Windows\System\hGWhYPm.exe
  C:\Windows\System\hGWhYPm.exe
  2⤵
  PID:5280
- C:\Windows\System\QJpJTrf.exe
  C:\Windows\System\QJpJTrf.exe
  2⤵
  PID:5356
- C:\Windows\System\kTJBvrJ.exe
  C:\Windows\System\kTJBvrJ.exe
  2⤵
  PID:5416
- C:\Windows\System\JlFoAFO.exe
  C:\Windows\System\JlFoAFO.exe
  2⤵
  PID:5476
- C:\Windows\System\EVcKsPn.exe
  C:\Windows\System\EVcKsPn.exe
  2⤵
  PID:5552
- C:\Windows\System\pqJmtBW.exe
  C:\Windows\System\pqJmtBW.exe
  2⤵
  PID:5612
- C:\Windows\System\fNfKEnq.exe
  C:\Windows\System\fNfKEnq.exe
  2⤵
  PID:5672
- C:\Windows\System\NVowoJI.exe
  C:\Windows\System\NVowoJI.exe
  2⤵
  PID:5748
- C:\Windows\System\NXdRolr.exe
  C:\Windows\System\NXdRolr.exe
  2⤵
  PID:5832
- C:\Windows\System\IqZPeQr.exe
  C:\Windows\System\IqZPeQr.exe
  2⤵
  PID:5896
- C:\Windows\System\sNsKlpO.exe
  C:\Windows\System\sNsKlpO.exe
  2⤵
  PID:5972
- C:\Windows\System\UDloIIz.exe
  C:\Windows\System\UDloIIz.exe
  2⤵
  PID:6032
- C:\Windows\System\BzVthJF.exe
  C:\Windows\System\BzVthJF.exe
  2⤵
  PID:6092
- C:\Windows\System\UPtiHDC.exe
  C:\Windows\System\UPtiHDC.exe
  2⤵
  PID:1972
- C:\Windows\System\SMnDLsJ.exe
  C:\Windows\System\SMnDLsJ.exe
  2⤵
  PID:2292
- C:\Windows\System\PGfKSQe.exe
  C:\Windows\System\PGfKSQe.exe
  2⤵
  PID:5132
- C:\Windows\System\tTHcXmW.exe
  C:\Windows\System\tTHcXmW.exe
  2⤵
  PID:5272
- C:\Windows\System\ZaZaNLj.exe
  C:\Windows\System\ZaZaNLj.exe
  2⤵
  PID:5444
- C:\Windows\System\YmmUuFY.exe
  C:\Windows\System\YmmUuFY.exe
  2⤵
  PID:5584
- C:\Windows\System\pBuoYrC.exe
  C:\Windows\System\pBuoYrC.exe
  2⤵
  PID:5724
- C:\Windows\System\yIYvvpB.exe
  C:\Windows\System\yIYvvpB.exe
  2⤵
  PID:5888
- C:\Windows\System\dnSjlqy.exe
  C:\Windows\System\dnSjlqy.exe
  2⤵
  PID:6008
- C:\Windows\System\danqgzX.exe
  C:\Windows\System\danqgzX.exe
  2⤵
  PID:3732
- C:\Windows\System\WzcDfLk.exe
  C:\Windows\System\WzcDfLk.exe
  2⤵
  PID:6172
- C:\Windows\System\cKQVhTT.exe
  C:\Windows\System\cKQVhTT.exe
  2⤵
  PID:6200
- C:\Windows\System\wqrJxHe.exe
  C:\Windows\System\wqrJxHe.exe
  2⤵
  PID:6228
- C:\Windows\System\kTYCDnm.exe
  C:\Windows\System\kTYCDnm.exe
  2⤵
  PID:6244
- C:\Windows\System\xWASHUc.exe
  C:\Windows\System\xWASHUc.exe
  2⤵
  PID:6272
- C:\Windows\System\sbCFgyJ.exe
  C:\Windows\System\sbCFgyJ.exe
  2⤵
  PID:6300
- C:\Windows\System\uagcNNP.exe
  C:\Windows\System\uagcNNP.exe
  2⤵
  PID:6328
- C:\Windows\System\NrkBOLm.exe
  C:\Windows\System\NrkBOLm.exe
  2⤵
  PID:6356
- C:\Windows\System\RnVfdWr.exe
  C:\Windows\System\RnVfdWr.exe
  2⤵
  PID:6384
- C:\Windows\System\qJhQteo.exe
  C:\Windows\System\qJhQteo.exe
  2⤵
  PID:6412
- C:\Windows\System\vjHItiU.exe
  C:\Windows\System\vjHItiU.exe
  2⤵
  PID:6440
- C:\Windows\System\WrogKCk.exe
  C:\Windows\System\WrogKCk.exe
  2⤵
  PID:6468
- C:\Windows\System\sIfDPcO.exe
  C:\Windows\System\sIfDPcO.exe
  2⤵
  PID:6496
- C:\Windows\System\kxTsPbv.exe
  C:\Windows\System\kxTsPbv.exe
  2⤵
  PID:6524
- C:\Windows\System\SJMdzcR.exe
  C:\Windows\System\SJMdzcR.exe
  2⤵
  PID:6552
- C:\Windows\System\ROxdnDj.exe
  C:\Windows\System\ROxdnDj.exe
  2⤵
  PID:6580
- C:\Windows\System\NNrDSBL.exe
  C:\Windows\System\NNrDSBL.exe
  2⤵
  PID:6608
- C:\Windows\System\WopSbtE.exe
  C:\Windows\System\WopSbtE.exe
  2⤵
  PID:6636
- C:\Windows\System\lEzwgCY.exe
  C:\Windows\System\lEzwgCY.exe
  2⤵
  PID:6664
- C:\Windows\System\yNCIhSL.exe
  C:\Windows\System\yNCIhSL.exe
  2⤵
  PID:6692
- C:\Windows\System\iAIbCcO.exe
  C:\Windows\System\iAIbCcO.exe
  2⤵
  PID:6720
- C:\Windows\System\WBiGKzX.exe
  C:\Windows\System\WBiGKzX.exe
  2⤵
  PID:6748
- C:\Windows\System\paOuiQB.exe
  C:\Windows\System\paOuiQB.exe
  2⤵
  PID:6776
- C:\Windows\System\gEwhJNk.exe
  C:\Windows\System\gEwhJNk.exe
  2⤵
  PID:6804
- C:\Windows\System\VBgMKzS.exe
  C:\Windows\System\VBgMKzS.exe
  2⤵
  PID:6832
- C:\Windows\System\uXYJBmm.exe
  C:\Windows\System\uXYJBmm.exe
  2⤵
  PID:6860
- C:\Windows\System\wbBPnlm.exe
  C:\Windows\System\wbBPnlm.exe
  2⤵
  PID:6888
- C:\Windows\System\ypPDvAZ.exe
  C:\Windows\System\ypPDvAZ.exe
  2⤵
  PID:6924
- C:\Windows\System\bZJiacC.exe
  C:\Windows\System\bZJiacC.exe
  2⤵
  PID:6944
- C:\Windows\System\GxxFXuJ.exe
  C:\Windows\System\GxxFXuJ.exe
  2⤵
  PID:6972
- C:\Windows\System\shhuGkg.exe
  C:\Windows\System\shhuGkg.exe
  2⤵
  PID:7000
- C:\Windows\System\XgqZRpI.exe
  C:\Windows\System\XgqZRpI.exe
  2⤵
  PID:7028
- C:\Windows\System\kDqOuAV.exe
  C:\Windows\System\kDqOuAV.exe
  2⤵
  PID:7056
- C:\Windows\System\JBBNLFc.exe
  C:\Windows\System\JBBNLFc.exe
  2⤵
  PID:7084
- C:\Windows\System\vQnZZpQ.exe
  C:\Windows\System\vQnZZpQ.exe
  2⤵
  PID:7112
- C:\Windows\System\RKvirNH.exe
  C:\Windows\System\RKvirNH.exe
  2⤵
  PID:7140
- C:\Windows\System\DnVTndc.exe
  C:\Windows\System\DnVTndc.exe
  2⤵
  PID:4436
- C:\Windows\System\fOWNZlp.exe
  C:\Windows\System\fOWNZlp.exe
  2⤵
  PID:5248
- C:\Windows\System\aOGPjrx.exe
  C:\Windows\System\aOGPjrx.exe
  2⤵
  PID:5644
- C:\Windows\System\MvhbqnG.exe
  C:\Windows\System\MvhbqnG.exe
  2⤵
  PID:6000
- C:\Windows\System\CcBuUHd.exe
  C:\Windows\System\CcBuUHd.exe
  2⤵
  PID:6164
- C:\Windows\System\GMzyTeU.exe
  C:\Windows\System\GMzyTeU.exe
  2⤵
  PID:6236
- C:\Windows\System\mwQhtga.exe
  C:\Windows\System\mwQhtga.exe
  2⤵
  PID:6292
- C:\Windows\System\NeghVZQ.exe
  C:\Windows\System\NeghVZQ.exe
  2⤵
  PID:6368
- C:\Windows\System\yMRroeR.exe
  C:\Windows\System\yMRroeR.exe
  2⤵
  PID:6428
- C:\Windows\System\FWZJJsv.exe
  C:\Windows\System\FWZJJsv.exe
  2⤵
  PID:6488
- C:\Windows\System\XevFQuI.exe
  C:\Windows\System\XevFQuI.exe
  2⤵
  PID:6544
- C:\Windows\System\OphafTR.exe
  C:\Windows\System\OphafTR.exe
  2⤵
  PID:6620
- C:\Windows\System\FNbVPVB.exe
  C:\Windows\System\FNbVPVB.exe
  2⤵
  PID:6680
- C:\Windows\System\iFHuNgV.exe
  C:\Windows\System\iFHuNgV.exe
  2⤵
  PID:6736
- C:\Windows\System\OOFxZBL.exe
  C:\Windows\System\OOFxZBL.exe
  2⤵
  PID:6796
- C:\Windows\System\elIzGlS.exe
  C:\Windows\System\elIzGlS.exe
  2⤵
  PID:6852
- C:\Windows\System\rRemWAf.exe
  C:\Windows\System\rRemWAf.exe
  2⤵
  PID:6916
- C:\Windows\System\uDoJGSP.exe
  C:\Windows\System\uDoJGSP.exe
  2⤵
  PID:6964
- C:\Windows\System\znZwxEt.exe
  C:\Windows\System\znZwxEt.exe
  2⤵
  PID:7040
- C:\Windows\System\tBUmgGO.exe
  C:\Windows\System\tBUmgGO.exe
  2⤵
  PID:7100
- C:\Windows\System\rrZPAaB.exe
  C:\Windows\System\rrZPAaB.exe
  2⤵
  PID:7160
- C:\Windows\System\UlygOhp.exe
  C:\Windows\System\UlygOhp.exe
  2⤵
  PID:5808
- C:\Windows\System\PNTAFVw.exe
  C:\Windows\System\PNTAFVw.exe
  2⤵
  PID:6212
- C:\Windows\System\bZwAKph.exe
  C:\Windows\System\bZwAKph.exe
  2⤵
  PID:6340
- C:\Windows\System\FcVrAQe.exe
  C:\Windows\System\FcVrAQe.exe
  2⤵
  PID:6480
- C:\Windows\System\WlhdaKw.exe
  C:\Windows\System\WlhdaKw.exe
  2⤵
  PID:6648
- C:\Windows\System\lvyQInj.exe
  C:\Windows\System\lvyQInj.exe
  2⤵
  PID:1444
- C:\Windows\System\LKpdxQl.exe
  C:\Windows\System\LKpdxQl.exe
  2⤵
  PID:6880
- C:\Windows\System\lxuPVzu.exe
  C:\Windows\System\lxuPVzu.exe
  2⤵
  PID:6992
- C:\Windows\System\umGfEJs.exe
  C:\Windows\System\umGfEJs.exe
  2⤵
  PID:7132
- C:\Windows\System\jnxvjGK.exe
  C:\Windows\System\jnxvjGK.exe
  2⤵
  PID:6140
- C:\Windows\System\mwUASdI.exe
  C:\Windows\System\mwUASdI.exe
  2⤵
  PID:7188
- C:\Windows\System\dDnGCIM.exe
  C:\Windows\System\dDnGCIM.exe
  2⤵
  PID:7216
- C:\Windows\System\XWwqXmZ.exe
  C:\Windows\System\XWwqXmZ.exe
  2⤵
  PID:7244
- C:\Windows\System\kbfSEbu.exe
  C:\Windows\System\kbfSEbu.exe
  2⤵
  PID:7272
- C:\Windows\System\ZtyRHOz.exe
  C:\Windows\System\ZtyRHOz.exe
  2⤵
  PID:7300
- C:\Windows\System\XCBhDWn.exe
  C:\Windows\System\XCBhDWn.exe
  2⤵
  PID:7328
- C:\Windows\System\pYUoHDJ.exe
  C:\Windows\System\pYUoHDJ.exe
  2⤵
  PID:7356
- C:\Windows\System\UwQMOFO.exe
  C:\Windows\System\UwQMOFO.exe
  2⤵
  PID:7384
- C:\Windows\System\SEnRINQ.exe
  C:\Windows\System\SEnRINQ.exe
  2⤵
  PID:7412
- C:\Windows\System\YizTyJC.exe
  C:\Windows\System\YizTyJC.exe
  2⤵
  PID:7440
- C:\Windows\System\OsfSKnP.exe
  C:\Windows\System\OsfSKnP.exe
  2⤵
  PID:7468
- C:\Windows\System\hWobMHJ.exe
  C:\Windows\System\hWobMHJ.exe
  2⤵
  PID:7496
- C:\Windows\System\dXNtNDl.exe
  C:\Windows\System\dXNtNDl.exe
  2⤵
  PID:7524
- C:\Windows\System\pAfLThC.exe
  C:\Windows\System\pAfLThC.exe
  2⤵
  PID:7552
- C:\Windows\System\DdmETMa.exe
  C:\Windows\System\DdmETMa.exe
  2⤵
  PID:7580
- C:\Windows\System\LcEdEpF.exe
  C:\Windows\System\LcEdEpF.exe
  2⤵
  PID:7608
- C:\Windows\System\hmopkoK.exe
  C:\Windows\System\hmopkoK.exe
  2⤵
  PID:7636
- C:\Windows\System\uHzhOit.exe
  C:\Windows\System\uHzhOit.exe
  2⤵
  PID:7664
- C:\Windows\System\iFKzxoe.exe
  C:\Windows\System\iFKzxoe.exe
  2⤵
  PID:7692
- C:\Windows\System\npaFAEk.exe
  C:\Windows\System\npaFAEk.exe
  2⤵
  PID:7720
- C:\Windows\System\fNxfrwK.exe
  C:\Windows\System\fNxfrwK.exe
  2⤵
  PID:7748
- C:\Windows\System\UMMpHwR.exe
  C:\Windows\System\UMMpHwR.exe
  2⤵
  PID:7776
- C:\Windows\System\alwIGLn.exe
  C:\Windows\System\alwIGLn.exe
  2⤵
  PID:7804
- C:\Windows\System\woemnVq.exe
  C:\Windows\System\woemnVq.exe
  2⤵
  PID:7832
- C:\Windows\System\IXRFyfa.exe
  C:\Windows\System\IXRFyfa.exe
  2⤵
  PID:7860
- C:\Windows\System\RrfKuZT.exe
  C:\Windows\System\RrfKuZT.exe
  2⤵
  PID:7888
- C:\Windows\System\RAhjRyE.exe
  C:\Windows\System\RAhjRyE.exe
  2⤵
  PID:7916
- C:\Windows\System\oRnTPXk.exe
  C:\Windows\System\oRnTPXk.exe
  2⤵
  PID:7944
- C:\Windows\System\vwuZtUl.exe
  C:\Windows\System\vwuZtUl.exe
  2⤵
  PID:8036
- C:\Windows\System\PtZEoIF.exe
  C:\Windows\System\PtZEoIF.exe
  2⤵
  PID:8076
- C:\Windows\System\uMTlvHK.exe
  C:\Windows\System\uMTlvHK.exe
  2⤵
  PID:8096
- C:\Windows\System\SUJBhZV.exe
  C:\Windows\System\SUJBhZV.exe
  2⤵
  PID:8120
- C:\Windows\System\PsBDwAo.exe
  C:\Windows\System\PsBDwAo.exe
  2⤵
  PID:8152
- C:\Windows\System\YiWfrrz.exe
  C:\Windows\System\YiWfrrz.exe
  2⤵
  PID:8176
- C:\Windows\System\ikZxdKO.exe
  C:\Windows\System\ikZxdKO.exe
  2⤵
  PID:6284
- C:\Windows\System\DRQKqVF.exe
  C:\Windows\System\DRQKqVF.exe
  2⤵
  PID:6572
- C:\Windows\System\wtIFsoM.exe
  C:\Windows\System\wtIFsoM.exe
  2⤵
  PID:6956
- C:\Windows\System\OBjhBaw.exe
  C:\Windows\System\OBjhBaw.exe
  2⤵
  PID:7172
- C:\Windows\System\pokKfdv.exe
  C:\Windows\System\pokKfdv.exe
  2⤵
  PID:2024
- C:\Windows\System\ZTvlJuX.exe
  C:\Windows\System\ZTvlJuX.exe
  2⤵
  PID:7292
- C:\Windows\System\MKuAQoA.exe
  C:\Windows\System\MKuAQoA.exe
  2⤵
  PID:1064
- C:\Windows\System\VBccbuh.exe
  C:\Windows\System\VBccbuh.exe
  2⤵
  PID:2276
- C:\Windows\System\FvPYbzD.exe
  C:\Windows\System\FvPYbzD.exe
  2⤵
  PID:7396
- C:\Windows\System\rppbbzK.exe
  C:\Windows\System\rppbbzK.exe
  2⤵
  PID:1708
- C:\Windows\System\kggvlBH.exe
  C:\Windows\System\kggvlBH.exe
  2⤵
  PID:3392
- C:\Windows\System\JXPbZil.exe
  C:\Windows\System\JXPbZil.exe
  2⤵
  PID:7676
- C:\Windows\System\VcjuSjQ.exe
  C:\Windows\System\VcjuSjQ.exe
  2⤵
  PID:7708
- C:\Windows\System\AeireNW.exe
  C:\Windows\System\AeireNW.exe
  2⤵
  PID:3960
- C:\Windows\System\iTLGaoH.exe
  C:\Windows\System\iTLGaoH.exe
  2⤵
  PID:368
- C:\Windows\System\MRvPssw.exe
  C:\Windows\System\MRvPssw.exe
  2⤵
  PID:7848
- C:\Windows\System\XrJhuEM.exe
  C:\Windows\System\XrJhuEM.exe
  2⤵
  PID:7928
- C:\Windows\System\hBFxXZM.exe
  C:\Windows\System\hBFxXZM.exe
  2⤵
  PID:7932
- C:\Windows\System\QNibQeS.exe
  C:\Windows\System\QNibQeS.exe
  2⤵
  PID:1628
- C:\Windows\System\UkMRPVX.exe
  C:\Windows\System\UkMRPVX.exe
  2⤵
  PID:1784
- C:\Windows\System\xUgKuoM.exe
  C:\Windows\System\xUgKuoM.exe
  2⤵
  PID:8032
- C:\Windows\System\qMnwITt.exe
  C:\Windows\System\qMnwITt.exe
  2⤵
  PID:8092
- C:\Windows\System\FihqdYG.exe
  C:\Windows\System\FihqdYG.exe
  2⤵
  PID:664
- C:\Windows\System\rJjMotA.exe
  C:\Windows\System\rJjMotA.exe
  2⤵
  PID:7320
- C:\Windows\System\zJUveJi.exe
  C:\Windows\System\zJUveJi.exe
  2⤵
  PID:7376
- C:\Windows\System\zAelbAW.exe
  C:\Windows\System\zAelbAW.exe
  2⤵
  PID:7540
- C:\Windows\System\ZUpFZqp.exe
  C:\Windows\System\ZUpFZqp.exe
  2⤵
  PID:8172
- C:\Windows\System\QPCvIIc.exe
  C:\Windows\System\QPCvIIc.exe
  2⤵
  PID:7344
- C:\Windows\System\ekAsovi.exe
  C:\Windows\System\ekAsovi.exe
  2⤵
  PID:3300
- C:\Windows\System\qUwpoGA.exe
  C:\Windows\System\qUwpoGA.exe
  2⤵
  PID:4860
- C:\Windows\System\BDnMlzr.exe
  C:\Windows\System\BDnMlzr.exe
  2⤵
  PID:3180
- C:\Windows\System\IzRiMou.exe
  C:\Windows\System\IzRiMou.exe
  2⤵
  PID:3144
- C:\Windows\System\XhYsUkQ.exe
  C:\Windows\System\XhYsUkQ.exe
  2⤵
  PID:8012
- C:\Windows\System\oBtvrAO.exe
  C:\Windows\System\oBtvrAO.exe
  2⤵
  PID:7180
- C:\Windows\System\tmZFFHC.exe
  C:\Windows\System\tmZFFHC.exe
  2⤵
  PID:2496
- C:\Windows\System\GoLkHkd.exe
  C:\Windows\System\GoLkHkd.exe
  2⤵
  PID:8028
- C:\Windows\System\ZweAUsb.exe
  C:\Windows\System\ZweAUsb.exe
  2⤵
  PID:7508
- C:\Windows\System\EBasdzb.exe
  C:\Windows\System\EBasdzb.exe
  2⤵
  PID:7236
- C:\Windows\System\oIEezbV.exe
  C:\Windows\System\oIEezbV.exe
  2⤵
  PID:7844
- C:\Windows\System\qJNWSZG.exe
  C:\Windows\System\qJNWSZG.exe
  2⤵
  PID:8072
- C:\Windows\System\BqAuLoK.exe
  C:\Windows\System\BqAuLoK.exe
  2⤵
  PID:7684
- C:\Windows\System\CZjEOue.exe
  C:\Windows\System\CZjEOue.exe
  2⤵
  PID:7348
- C:\Windows\System\xrWvlvv.exe
  C:\Windows\System\xrWvlvv.exe
  2⤵
  PID:8184
- C:\Windows\System\tDbXucb.exe
  C:\Windows\System\tDbXucb.exe
  2⤵
  PID:4012
- C:\Windows\System\JHWBojl.exe
  C:\Windows\System\JHWBojl.exe
  2⤵
  PID:6732
- C:\Windows\System\VYptmNF.exe
  C:\Windows\System\VYptmNF.exe
  2⤵
  PID:8228
- C:\Windows\System\iYxQCKp.exe
  C:\Windows\System\iYxQCKp.exe
  2⤵
  PID:8244
- C:\Windows\System\YMZBzXk.exe
  C:\Windows\System\YMZBzXk.exe
  2⤵
  PID:8272
- C:\Windows\System\XwnxWHt.exe
  C:\Windows\System\XwnxWHt.exe
  2⤵
  PID:8312
- C:\Windows\System\EBRQWBw.exe
  C:\Windows\System\EBRQWBw.exe
  2⤵
  PID:8340
- C:\Windows\System\CZbpjxY.exe
  C:\Windows\System\CZbpjxY.exe
  2⤵
  PID:8368
- C:\Windows\System\LuWjFSe.exe
  C:\Windows\System\LuWjFSe.exe
  2⤵
  PID:8396
- C:\Windows\System\stIeozt.exe
  C:\Windows\System\stIeozt.exe
  2⤵
  PID:8424
- C:\Windows\System\htliMXy.exe
  C:\Windows\System\htliMXy.exe
  2⤵
  PID:8452
- C:\Windows\System\Rqhxiat.exe
  C:\Windows\System\Rqhxiat.exe
  2⤵
  PID:8492
- C:\Windows\System\yuAxvGp.exe
  C:\Windows\System\yuAxvGp.exe
  2⤵
  PID:8528
- C:\Windows\System\LyOlBMe.exe
  C:\Windows\System\LyOlBMe.exe
  2⤵
  PID:8560
- C:\Windows\System\noIPcqB.exe
  C:\Windows\System\noIPcqB.exe
  2⤵
  PID:8588
- C:\Windows\System\UZwxEVl.exe
  C:\Windows\System\UZwxEVl.exe
  2⤵
  PID:8632
- C:\Windows\System\WjBHIOU.exe
  C:\Windows\System\WjBHIOU.exe
  2⤵
  PID:8668
- C:\Windows\System\xpcEDhU.exe
  C:\Windows\System\xpcEDhU.exe
  2⤵
  PID:8692
- C:\Windows\System\pxYSfWZ.exe
  C:\Windows\System\pxYSfWZ.exe
  2⤵
  PID:8724
- C:\Windows\System\kMuHMMC.exe
  C:\Windows\System\kMuHMMC.exe
  2⤵
  PID:8756
- C:\Windows\System\kmemIwr.exe
  C:\Windows\System\kmemIwr.exe
  2⤵
  PID:8772
- C:\Windows\System\iLZNMMn.exe
  C:\Windows\System\iLZNMMn.exe
  2⤵
  PID:8816
- C:\Windows\System\aeWgJKq.exe
  C:\Windows\System\aeWgJKq.exe
  2⤵
  PID:8844
- C:\Windows\System\UiILceF.exe
  C:\Windows\System\UiILceF.exe
  2⤵
  PID:8872
- C:\Windows\System\nhPAYTL.exe
  C:\Windows\System\nhPAYTL.exe
  2⤵
  PID:8888
- C:\Windows\System\rFLRXTU.exe
  C:\Windows\System\rFLRXTU.exe
  2⤵
  PID:8916
- C:\Windows\System\LWsiLqI.exe
  C:\Windows\System\LWsiLqI.exe
  2⤵
  PID:8956
- C:\Windows\System\dIIiyme.exe
  C:\Windows\System\dIIiyme.exe
  2⤵
  PID:8984
- C:\Windows\System\jHWBniC.exe
  C:\Windows\System\jHWBniC.exe
  2⤵
  PID:9000
- C:\Windows\System\CXKcTDN.exe
  C:\Windows\System\CXKcTDN.exe
  2⤵
  PID:9044
- C:\Windows\System\txGfbgd.exe
  C:\Windows\System\txGfbgd.exe
  2⤵
  PID:9072
- C:\Windows\System\auAoMFw.exe
  C:\Windows\System\auAoMFw.exe
  2⤵
  PID:9100
- C:\Windows\System\FqgqJlc.exe
  C:\Windows\System\FqgqJlc.exe
  2⤵
  PID:9128
- C:\Windows\System\rOPYzGH.exe
  C:\Windows\System\rOPYzGH.exe
  2⤵
  PID:9152
- C:\Windows\System\eVJrZxP.exe
  C:\Windows\System\eVJrZxP.exe
  2⤵
  PID:9184
- C:\Windows\System\IylYPAt.exe
  C:\Windows\System\IylYPAt.exe
  2⤵
  PID:9212
- C:\Windows\System\fHqOicO.exe
  C:\Windows\System\fHqOicO.exe
  2⤵
  PID:8260
- C:\Windows\System\feaJQoQ.exe
  C:\Windows\System\feaJQoQ.exe
  2⤵
  PID:8308
- C:\Windows\System\FlPppRc.exe
  C:\Windows\System\FlPppRc.exe
  2⤵
  PID:8408
- C:\Windows\System\DNhPFjd.exe
  C:\Windows\System\DNhPFjd.exe
  2⤵
  PID:8448
- C:\Windows\System\JwInVWo.exe
  C:\Windows\System\JwInVWo.exe
  2⤵
  PID:8552
- C:\Windows\System\soxcaWp.exe
  C:\Windows\System\soxcaWp.exe
  2⤵
  PID:8612
- C:\Windows\System\pSwkZIo.exe
  C:\Windows\System\pSwkZIo.exe
  2⤵
  PID:8716
- C:\Windows\System\JotsZjx.exe
  C:\Windows\System\JotsZjx.exe
  2⤵
  PID:8768
- C:\Windows\System\TXbAdWa.exe
  C:\Windows\System\TXbAdWa.exe
  2⤵
  PID:8836
- C:\Windows\System\TJrKteQ.exe
  C:\Windows\System\TJrKteQ.exe
  2⤵
  PID:8908
- C:\Windows\System\OIQULcW.exe
  C:\Windows\System\OIQULcW.exe
  2⤵
  PID:8972
- C:\Windows\System\nLFlnSJ.exe
  C:\Windows\System\nLFlnSJ.exe
  2⤵
  PID:9040
- C:\Windows\System\LEqYNSh.exe
  C:\Windows\System\LEqYNSh.exe
  2⤵
  PID:9112
- C:\Windows\System\UkgcgpN.exe
  C:\Windows\System\UkgcgpN.exe
  2⤵
  PID:9172
- C:\Windows\System\uoDgydO.exe
  C:\Windows\System\uoDgydO.exe
  2⤵
  PID:8264
- C:\Windows\System\nnNTXwz.exe
  C:\Windows\System\nnNTXwz.exe
  2⤵
  PID:8440
- C:\Windows\System\ckPgGnc.exe
  C:\Windows\System\ckPgGnc.exe
  2⤵
  PID:8520
- C:\Windows\System\DLNrMbG.exe
  C:\Windows\System\DLNrMbG.exe
  2⤵
  PID:8708
- C:\Windows\System\XJeuWZI.exe
  C:\Windows\System\XJeuWZI.exe
  2⤵
  PID:8936
- C:\Windows\System\dgBKKKJ.exe
  C:\Windows\System\dgBKKKJ.exe
  2⤵
  PID:9092
- C:\Windows\System\hCdMlgv.exe
  C:\Windows\System\hCdMlgv.exe
  2⤵
  PID:8256
- C:\Windows\System\rKbmSMO.exe
  C:\Windows\System\rKbmSMO.exe
  2⤵
  PID:8676
- C:\Windows\System\NVVRaBr.exe
  C:\Windows\System\NVVRaBr.exe
  2⤵
  PID:9168
- C:\Windows\System\AEVlhpr.exe
  C:\Windows\System\AEVlhpr.exe
  2⤵
  PID:8996
- C:\Windows\System\vOPYtoo.exe
  C:\Windows\System\vOPYtoo.exe
  2⤵
  PID:8604
- C:\Windows\System\bcmOfXc.exe
  C:\Windows\System\bcmOfXc.exe
  2⤵
  PID:8204
- C:\Windows\System\Nqlwvsw.exe
  C:\Windows\System\Nqlwvsw.exe
  2⤵
  PID:9232
- C:\Windows\System\yEtgQCL.exe
  C:\Windows\System\yEtgQCL.exe
  2⤵
  PID:9260
- C:\Windows\System\NBZlmMw.exe
  C:\Windows\System\NBZlmMw.exe
  2⤵
  PID:9276
- C:\Windows\System\OPStVJW.exe
  C:\Windows\System\OPStVJW.exe
  2⤵
  PID:9312
- C:\Windows\System\crAnfHM.exe
  C:\Windows\System\crAnfHM.exe
  2⤵
  PID:9332
- C:\Windows\System\NgxRRKK.exe
  C:\Windows\System\NgxRRKK.exe
  2⤵
  PID:9372
- C:\Windows\System\EKSIfVl.exe
  C:\Windows\System\EKSIfVl.exe
  2⤵
  PID:9400
- C:\Windows\System\YPNENsn.exe
  C:\Windows\System\YPNENsn.exe
  2⤵
  PID:9428
- C:\Windows\System\bznMIld.exe
  C:\Windows\System\bznMIld.exe
  2⤵
  PID:9456
- C:\Windows\System\pFDMebR.exe
  C:\Windows\System\pFDMebR.exe
  2⤵
  PID:9496
- C:\Windows\System\RIBZuqT.exe
  C:\Windows\System\RIBZuqT.exe
  2⤵
  PID:9520
- C:\Windows\System\YKzzCMo.exe
  C:\Windows\System\YKzzCMo.exe
  2⤵
  PID:9548
- C:\Windows\System\hlIGEyt.exe
  C:\Windows\System\hlIGEyt.exe
  2⤵
  PID:9588
- C:\Windows\System\cgtPdpE.exe
  C:\Windows\System\cgtPdpE.exe
  2⤵
  PID:9612
- C:\Windows\System\JsdenmE.exe
  C:\Windows\System\JsdenmE.exe
  2⤵
  PID:9660
- C:\Windows\System\aswtLAb.exe
  C:\Windows\System\aswtLAb.exe
  2⤵
  PID:9688
- C:\Windows\System\YMopGcb.exe
  C:\Windows\System\YMopGcb.exe
  2⤵
  PID:9716
- C:\Windows\System\QNLKNAh.exe
  C:\Windows\System\QNLKNAh.exe
  2⤵
  PID:9748
- C:\Windows\System\JcerSBq.exe
  C:\Windows\System\JcerSBq.exe
  2⤵
  PID:9764
- C:\Windows\System\GYAljeE.exe
  C:\Windows\System\GYAljeE.exe
  2⤵
  PID:9800
- C:\Windows\System\dxNgblA.exe
  C:\Windows\System\dxNgblA.exe
  2⤵
  PID:9824
- C:\Windows\System\HtBdhHE.exe
  C:\Windows\System\HtBdhHE.exe
  2⤵
  PID:9856
- C:\Windows\System\JENLQJo.exe
  C:\Windows\System\JENLQJo.exe
  2⤵
  PID:9888
- C:\Windows\System\ypvqwUm.exe
  C:\Windows\System\ypvqwUm.exe
  2⤵
  PID:9916
- C:\Windows\System\zBHEhTU.exe
  C:\Windows\System\zBHEhTU.exe
  2⤵
  PID:9944
- C:\Windows\System\FHsWlhS.exe
  C:\Windows\System\FHsWlhS.exe
  2⤵
  PID:9968
- C:\Windows\System\YdsoWpk.exe
  C:\Windows\System\YdsoWpk.exe
  2⤵
  PID:9988
- C:\Windows\System\iwiuPFZ.exe
  C:\Windows\System\iwiuPFZ.exe
  2⤵
  PID:10028
- C:\Windows\System\WclzToI.exe
  C:\Windows\System\WclzToI.exe
  2⤵
  PID:10056
- C:\Windows\System\okwyVTt.exe
  C:\Windows\System\okwyVTt.exe
  2⤵
  PID:10084
- C:\Windows\System\izngSVh.exe
  C:\Windows\System\izngSVh.exe
  2⤵
  PID:10112
- C:\Windows\System\KWGAeJP.exe
  C:\Windows\System\KWGAeJP.exe
  2⤵
  PID:10136
- C:\Windows\System\RWWaqsK.exe
  C:\Windows\System\RWWaqsK.exe
  2⤵
  PID:10156
- C:\Windows\System\lIFmxGA.exe
  C:\Windows\System\lIFmxGA.exe
  2⤵
  PID:10184
- C:\Windows\System\VwaeXKq.exe
  C:\Windows\System\VwaeXKq.exe
  2⤵
  PID:10200
- C:\Windows\System\akOQUQo.exe
  C:\Windows\System\akOQUQo.exe
  2⤵
  PID:7624
- C:\Windows\System\dEgunAw.exe
  C:\Windows\System\dEgunAw.exe
  2⤵
  PID:9272
- C:\Windows\System\YSPFAeY.exe
  C:\Windows\System\YSPFAeY.exe
  2⤵
  PID:9324
- C:\Windows\System\gClwlzJ.exe
  C:\Windows\System\gClwlzJ.exe
  2⤵
  PID:9384
- C:\Windows\System\sBlCsZE.exe
  C:\Windows\System\sBlCsZE.exe
  2⤵
  PID:9424
- C:\Windows\System\iWELHwq.exe
  C:\Windows\System\iWELHwq.exe
  2⤵
  PID:9532
- C:\Windows\System\XRlhVnH.exe
  C:\Windows\System\XRlhVnH.exe
  2⤵
  PID:9644
- C:\Windows\System\RYROlVE.exe
  C:\Windows\System\RYROlVE.exe
  2⤵
  PID:9672
- C:\Windows\System\FnWfZob.exe
  C:\Windows\System\FnWfZob.exe
  2⤵
  PID:9732
- C:\Windows\System\DleoTyb.exe
  C:\Windows\System\DleoTyb.exe
  2⤵
  PID:9812
- C:\Windows\System\iAAoUdB.exe
  C:\Windows\System\iAAoUdB.exe
  2⤵
  PID:9872
- C:\Windows\System\lIPKuie.exe
  C:\Windows\System\lIPKuie.exe
  2⤵
  PID:9928
- C:\Windows\System\klINisU.exe
  C:\Windows\System\klINisU.exe
  2⤵
  PID:10000
- C:\Windows\System\UBOWOQr.exe
  C:\Windows\System\UBOWOQr.exe
  2⤵
  PID:10080
- C:\Windows\System\SNOSbfQ.exe
  C:\Windows\System\SNOSbfQ.exe
  2⤵
  PID:10144
- C:\Windows\System\GdAmAKF.exe
  C:\Windows\System\GdAmAKF.exe
  2⤵
  PID:10176
- C:\Windows\System\cFQvcaR.exe
  C:\Windows\System\cFQvcaR.exe
  2⤵
  PID:4300
- C:\Windows\System\hUsArRb.exe
  C:\Windows\System\hUsArRb.exe
  2⤵
  PID:9256
- C:\Windows\System\XxGlCMd.exe
  C:\Windows\System\XxGlCMd.exe
  2⤵
  PID:9484
- C:\Windows\System\biTVlmk.exe
  C:\Windows\System\biTVlmk.exe
  2⤵
  PID:9604
- C:\Windows\System\rpnShYT.exe
  C:\Windows\System\rpnShYT.exe
  2⤵
  PID:9776
- C:\Windows\System\bGrMFCf.exe
  C:\Windows\System\bGrMFCf.exe
  2⤵
  PID:2692
- C:\Windows\System\GsikxzT.exe
  C:\Windows\System\GsikxzT.exe
  2⤵
  PID:1868
- C:\Windows\System\kwAYyFc.exe
  C:\Windows\System\kwAYyFc.exe
  2⤵
  PID:10068
- C:\Windows\System\ESgGkYa.exe
  C:\Windows\System\ESgGkYa.exe
  2⤵
  PID:1320
- C:\Windows\System\edBPGee.exe
  C:\Windows\System\edBPGee.exe
  2⤵
  PID:9248
- C:\Windows\System\ynJyQWG.exe
  C:\Windows\System\ynJyQWG.exe
  2⤵
  PID:9712
- C:\Windows\System\VpwUpzT.exe
  C:\Windows\System\VpwUpzT.exe
  2⤵
  PID:3624
- C:\Windows\System\SOxSYwG.exe
  C:\Windows\System\SOxSYwG.exe
  2⤵
  PID:10152
- C:\Windows\System\yBXidGb.exe
  C:\Windows\System\yBXidGb.exe
  2⤵
  PID:9516
- C:\Windows\System\OMFzcZr.exe
  C:\Windows\System\OMFzcZr.exe
  2⤵
  PID:9740
- C:\Windows\System\lbgaVFL.exe
  C:\Windows\System\lbgaVFL.exe
  2⤵
  PID:10020
- C:\Windows\System\whIPOjf.exe
  C:\Windows\System\whIPOjf.exe
  2⤵
  PID:10256
- C:\Windows\System\mKdZdqb.exe
  C:\Windows\System\mKdZdqb.exe
  2⤵
  PID:10288
- C:\Windows\System\ydUJIbn.exe
  C:\Windows\System\ydUJIbn.exe
  2⤵
  PID:10316
- C:\Windows\System\KOrZMBD.exe
  C:\Windows\System\KOrZMBD.exe
  2⤵
  PID:10332
- C:\Windows\System\JqhoeqA.exe
  C:\Windows\System\JqhoeqA.exe
  2⤵
  PID:10368
- C:\Windows\System\EXQUqcD.exe
  C:\Windows\System\EXQUqcD.exe
  2⤵
  PID:10400
- C:\Windows\System\MNDIGDY.exe
  C:\Windows\System\MNDIGDY.exe
  2⤵
  PID:10420
- C:\Windows\System\gCIVhsD.exe
  C:\Windows\System\gCIVhsD.exe
  2⤵
  PID:10456
- C:\Windows\System\OxpWQbx.exe
  C:\Windows\System\OxpWQbx.exe
  2⤵
  PID:10484
- C:\Windows\System\uhlPKXk.exe
  C:\Windows\System\uhlPKXk.exe
  2⤵
  PID:10512
- C:\Windows\System\hOHBZrx.exe
  C:\Windows\System\hOHBZrx.exe
  2⤵
  PID:10540
- C:\Windows\System\Cfgisek.exe
  C:\Windows\System\Cfgisek.exe
  2⤵
  PID:10556
- C:\Windows\System\NRbQzhz.exe
  C:\Windows\System\NRbQzhz.exe
  2⤵
  PID:10592
- C:\Windows\System\XirmwVX.exe
  C:\Windows\System\XirmwVX.exe
  2⤵
  PID:10616
- C:\Windows\System\Bxbvocb.exe
  C:\Windows\System\Bxbvocb.exe
  2⤵
  PID:10640
- C:\Windows\System\skwrriE.exe
  C:\Windows\System\skwrriE.exe
  2⤵
  PID:10680
- C:\Windows\System\ZgnNPDM.exe
  C:\Windows\System\ZgnNPDM.exe
  2⤵
  PID:10708
- C:\Windows\System\MZyCoGW.exe
  C:\Windows\System\MZyCoGW.exe
  2⤵
  PID:10736
- C:\Windows\System\zwceqJQ.exe
  C:\Windows\System\zwceqJQ.exe
  2⤵
  PID:10764
- C:\Windows\System\dLnLVam.exe
  C:\Windows\System\dLnLVam.exe
  2⤵
  PID:10792
- C:\Windows\System\maKcXeh.exe
  C:\Windows\System\maKcXeh.exe
  2⤵
  PID:10808
- C:\Windows\System\LFuEQvM.exe
  C:\Windows\System\LFuEQvM.exe
  2⤵
  PID:10840
- C:\Windows\System\RrKmizB.exe
  C:\Windows\System\RrKmizB.exe
  2⤵
  PID:10860
- C:\Windows\System\xoKgplh.exe
  C:\Windows\System\xoKgplh.exe
  2⤵
  PID:10908
- C:\Windows\System\sVcirbk.exe
  C:\Windows\System\sVcirbk.exe
  2⤵
  PID:10936
- C:\Windows\System\ZeIdyrr.exe
  C:\Windows\System\ZeIdyrr.exe
  2⤵
  PID:10956
- C:\Windows\System\mVItEoF.exe
  C:\Windows\System\mVItEoF.exe
  2⤵
  PID:10992
- C:\Windows\System\YIIxOgQ.exe
  C:\Windows\System\YIIxOgQ.exe
  2⤵
  PID:11024
- C:\Windows\System\byIFeow.exe
  C:\Windows\System\byIFeow.exe
  2⤵
  PID:11052
- C:\Windows\System\AFloyLo.exe
  C:\Windows\System\AFloyLo.exe
  2⤵
  PID:11080
- C:\Windows\System\zWsBJJj.exe
  C:\Windows\System\zWsBJJj.exe
  2⤵
  PID:11112
- C:\Windows\System\ZWOuDFn.exe
  C:\Windows\System\ZWOuDFn.exe
  2⤵
  PID:11140
- C:\Windows\System\oxUctyy.exe
  C:\Windows\System\oxUctyy.exe
  2⤵
  PID:11168
- C:\Windows\System\kvBjqAk.exe
  C:\Windows\System\kvBjqAk.exe
  2⤵
  PID:11196
- C:\Windows\System\XAEdhVM.exe
  C:\Windows\System\XAEdhVM.exe
  2⤵
  PID:11224
- C:\Windows\System\fHbprte.exe
  C:\Windows\System\fHbprte.exe
  2⤵
  PID:11240
- C:\Windows\System\pLdomMu.exe
  C:\Windows\System\pLdomMu.exe
  2⤵
  PID:10272
- C:\Windows\System\qMFLJgM.exe
  C:\Windows\System\qMFLJgM.exe
  2⤵
  PID:10344
- C:\Windows\System\mRuraTB.exe
  C:\Windows\System\mRuraTB.exe
  2⤵
  PID:10392
- C:\Windows\System\eTjJzmD.exe
  C:\Windows\System\eTjJzmD.exe
  2⤵
  PID:752
- C:\Windows\System\kXeGpVG.exe
  C:\Windows\System\kXeGpVG.exe
  2⤵
  PID:10528
- C:\Windows\System\WOVNEVE.exe
  C:\Windows\System\WOVNEVE.exe
  2⤵
  PID:10584
- C:\Windows\System\SWiWUTy.exe
  C:\Windows\System\SWiWUTy.exe
  2⤵
  PID:10652
- C:\Windows\System\BBekfSL.exe
  C:\Windows\System\BBekfSL.exe
  2⤵
  PID:10728
- C:\Windows\System\MAKmKYI.exe
  C:\Windows\System\MAKmKYI.exe
  2⤵
  PID:10760
- C:\Windows\System\EfPGaMl.exe
  C:\Windows\System\EfPGaMl.exe
  2⤵
  PID:10852
- C:\Windows\System\wGRAhHe.exe
  C:\Windows\System\wGRAhHe.exe
  2⤵
  PID:10928
- C:\Windows\System\FyTwWsk.exe
  C:\Windows\System\FyTwWsk.exe
  2⤵
  PID:10980
- C:\Windows\System\aYHURfC.exe
  C:\Windows\System\aYHURfC.exe
  2⤵
  PID:11048
- C:\Windows\System\JLmBOeq.exe
  C:\Windows\System\JLmBOeq.exe
  2⤵
  PID:11104
- C:\Windows\System\JZzdBdT.exe
  C:\Windows\System\JZzdBdT.exe
  2⤵
  PID:11188
- C:\Windows\System\sHDMrFA.exe
  C:\Windows\System\sHDMrFA.exe
  2⤵
  PID:11256
- C:\Windows\System\jKyiFGT.exe
  C:\Windows\System\jKyiFGT.exe
  2⤵
  PID:2212
- C:\Windows\System\epOUZuH.exe
  C:\Windows\System\epOUZuH.exe
  2⤵
  PID:10548
- C:\Windows\System\OJxyWVE.exe
  C:\Windows\System\OJxyWVE.exe
  2⤵
  PID:10692
- C:\Windows\System\TJhUsDt.exe
  C:\Windows\System\TJhUsDt.exe
  2⤵
  PID:10848
- C:\Windows\System\HXrdGnT.exe
  C:\Windows\System\HXrdGnT.exe
  2⤵
  PID:11016
- C:\Windows\System\PdvpPsJ.exe
  C:\Windows\System\PdvpPsJ.exe
  2⤵
  PID:11076
- C:\Windows\System\XvoffnD.exe
  C:\Windows\System\XvoffnD.exe
  2⤵
  PID:10308
- C:\Windows\System\qxEHZyn.exe
  C:\Windows\System\qxEHZyn.exe
  2⤵
  PID:4136
- C:\Windows\System\xvRYoGi.exe
  C:\Windows\System\xvRYoGi.exe
  2⤵
  PID:10576
- C:\Windows\System\uZnPmLY.exe
  C:\Windows\System\uZnPmLY.exe
  2⤵
  PID:10948
- C:\Windows\System\rnWSbTi.exe
  C:\Windows\System\rnWSbTi.exe
  2⤵
  PID:3588
- C:\Windows\System\qQUZaUO.exe
  C:\Windows\System\qQUZaUO.exe
  2⤵
  PID:10920
- C:\Windows\System\BUSwwpS.exe
  C:\Windows\System\BUSwwpS.exe
  2⤵
  PID:10756
- C:\Windows\System\NIOrifV.exe
  C:\Windows\System\NIOrifV.exe
  2⤵
  PID:11280
- C:\Windows\System\qIyQvPe.exe
  C:\Windows\System\qIyQvPe.exe
  2⤵
  PID:11308
- C:\Windows\System\GESJoCO.exe
  C:\Windows\System\GESJoCO.exe
  2⤵
  PID:11324
- C:\Windows\System\OAhkteY.exe
  C:\Windows\System\OAhkteY.exe
  2⤵
  PID:11364
- C:\Windows\System\TpsWZny.exe
  C:\Windows\System\TpsWZny.exe
  2⤵
  PID:11380
- C:\Windows\System\sodUhoj.exe
  C:\Windows\System\sodUhoj.exe
  2⤵
  PID:11420
- C:\Windows\System\oTtImrS.exe
  C:\Windows\System\oTtImrS.exe
  2⤵
  PID:11448
- C:\Windows\System\uaHESje.exe
  C:\Windows\System\uaHESje.exe
  2⤵
  PID:11464
- C:\Windows\System\TpyIqxF.exe
  C:\Windows\System\TpyIqxF.exe
  2⤵
  PID:11492
- C:\Windows\System\EbBohde.exe
  C:\Windows\System\EbBohde.exe
  2⤵
  PID:11508
- C:\Windows\System\yjHURqC.exe
  C:\Windows\System\yjHURqC.exe
  2⤵
  PID:11552
- C:\Windows\System\rqIZBTC.exe
  C:\Windows\System\rqIZBTC.exe
  2⤵
  PID:11588
- C:\Windows\System\cNptJTT.exe
  C:\Windows\System\cNptJTT.exe
  2⤵
  PID:11620
- C:\Windows\System\BFMdNmp.exe
  C:\Windows\System\BFMdNmp.exe
  2⤵
  PID:11640
- C:\Windows\System\ANrvOlg.exe
  C:\Windows\System\ANrvOlg.exe
  2⤵
  PID:11664
- C:\Windows\System\iVWzwsq.exe
  C:\Windows\System\iVWzwsq.exe
  2⤵
  PID:11704
- C:\Windows\System\AIhtUZo.exe
  C:\Windows\System\AIhtUZo.exe
  2⤵
  PID:11732
- C:\Windows\System\qhWdDXR.exe
  C:\Windows\System\qhWdDXR.exe
  2⤵
  PID:11748
- C:\Windows\System\vMEKheR.exe
  C:\Windows\System\vMEKheR.exe
  2⤵
  PID:11776
- C:\Windows\System\KIRinxb.exe
  C:\Windows\System\KIRinxb.exe
  2⤵
  PID:11816
- C:\Windows\System\snFtwXQ.exe
  C:\Windows\System\snFtwXQ.exe
  2⤵
  PID:11844
- C:\Windows\System\hItbwCc.exe
  C:\Windows\System\hItbwCc.exe
  2⤵
  PID:11860
- C:\Windows\System\aHxBDLM.exe
  C:\Windows\System\aHxBDLM.exe
  2⤵
  PID:11900
- C:\Windows\System\UzpofIs.exe
  C:\Windows\System\UzpofIs.exe
  2⤵
  PID:11928
- C:\Windows\System\sfwcSAd.exe
  C:\Windows\System\sfwcSAd.exe
  2⤵
  PID:11956
- C:\Windows\System\tUGnmhd.exe
  C:\Windows\System\tUGnmhd.exe
  2⤵
  PID:11984
- C:\Windows\System\oLHxKrx.exe
  C:\Windows\System\oLHxKrx.exe
  2⤵
  PID:12004
- C:\Windows\System\sZDLptg.exe
  C:\Windows\System\sZDLptg.exe
  2⤵
  PID:12028
- C:\Windows\System\QWDISWD.exe
  C:\Windows\System\QWDISWD.exe
  2⤵
  PID:12068
- C:\Windows\System\qDfgfBC.exe
  C:\Windows\System\qDfgfBC.exe
  2⤵
  PID:12096
- C:\Windows\System\inSnlBY.exe
  C:\Windows\System\inSnlBY.exe
  2⤵
  PID:12152
- C:\Windows\System\oThmSTF.exe
  C:\Windows\System\oThmSTF.exe
  2⤵
  PID:12172
- C:\Windows\System\SNnMoWs.exe
  C:\Windows\System\SNnMoWs.exe
  2⤵
  PID:12200
- C:\Windows\System\LgDDaLV.exe
  C:\Windows\System\LgDDaLV.exe
  2⤵
  PID:12216
- C:\Windows\System\QNcgikf.exe
  C:\Windows\System\QNcgikf.exe
  2⤵
  PID:12248
- C:\Windows\System\ehyKHks.exe
  C:\Windows\System\ehyKHks.exe
  2⤵
  PID:10432
- C:\Windows\System\UktLwrU.exe
  C:\Windows\System\UktLwrU.exe
  2⤵
  PID:11320
- C:\Windows\System\BEQdeOl.exe
  C:\Windows\System\BEQdeOl.exe
  2⤵
  PID:11396
- C:\Windows\System\AOvdjgu.exe
  C:\Windows\System\AOvdjgu.exe
  2⤵
  PID:11432
- C:\Windows\System\ZQkHina.exe
  C:\Windows\System\ZQkHina.exe
  2⤵
  PID:11520
- C:\Windows\System\NYxTYyJ.exe
  C:\Windows\System\NYxTYyJ.exe
  2⤵
  PID:11584
- C:\Windows\System\otITcFZ.exe
  C:\Windows\System\otITcFZ.exe
  2⤵
  PID:11660
- C:\Windows\System\EdpckKp.exe
  C:\Windows\System\EdpckKp.exe
  2⤵
  PID:11724
- C:\Windows\System\NrhmXGj.exe
  C:\Windows\System\NrhmXGj.exe
  2⤵
  PID:11800
- C:\Windows\System\iUOJybo.exe
  C:\Windows\System\iUOJybo.exe
  2⤵
  PID:11872
- C:\Windows\System\nglfxfL.exe
  C:\Windows\System\nglfxfL.exe
  2⤵
  PID:11920
- C:\Windows\System\ZuGTmgy.exe
  C:\Windows\System\ZuGTmgy.exe
  2⤵
  PID:11972
- C:\Windows\System\SoFrNjx.exe
  C:\Windows\System\SoFrNjx.exe
  2⤵
  PID:12016
- C:\Windows\System\xSdKTJd.exe
  C:\Windows\System\xSdKTJd.exe
  2⤵
  PID:12064
- C:\Windows\System\pyiEgVr.exe
  C:\Windows\System\pyiEgVr.exe
  2⤵
  PID:12132
- C:\Windows\System\uNmCWze.exe
  C:\Windows\System\uNmCWze.exe
  2⤵
  PID:12228
- C:\Windows\System\zrTXraP.exe
  C:\Windows\System\zrTXraP.exe
  2⤵
  PID:11304
- C:\Windows\System\WGlvQCU.exe
  C:\Windows\System\WGlvQCU.exe
  2⤵
  PID:11504
- C:\Windows\System\Lpcpqtp.exe
  C:\Windows\System\Lpcpqtp.exe
  2⤵
  PID:11632
- C:\Windows\System\qmXyJYM.exe
  C:\Windows\System\qmXyJYM.exe
  2⤵
  PID:11716
- C:\Windows\System\XSezAqx.exe
  C:\Windows\System\XSezAqx.exe
  2⤵
  PID:11912
- C:\Windows\System\oYVMfDz.exe
  C:\Windows\System\oYVMfDz.exe
  2⤵
  PID:2332
- C:\Windows\System\FVOhGIw.exe
  C:\Windows\System\FVOhGIw.exe
  2⤵
  PID:5032
- C:\Windows\System\dPTYZZF.exe
  C:\Windows\System\dPTYZZF.exe
  2⤵
  PID:2516
- C:\Windows\System\cXeaSSa.exe
  C:\Windows\System\cXeaSSa.exe
  2⤵
  PID:12108
- C:\Windows\System\UevjkQB.exe
  C:\Windows\System\UevjkQB.exe
  2⤵
  PID:12280
- C:\Windows\System\UGQZUuf.exe
  C:\Windows\System\UGQZUuf.exe
  2⤵
  PID:11540
- C:\Windows\System\mddQWZk.exe
  C:\Windows\System\mddQWZk.exe
  2⤵
  PID:4632
- C:\Windows\System\IFGvBKh.exe
  C:\Windows\System\IFGvBKh.exe
  2⤵
  PID:11892
- C:\Windows\System\wukDQht.exe
  C:\Windows\System\wukDQht.exe
  2⤵
  PID:12000
- C:\Windows\System\LZMdyvq.exe
  C:\Windows\System\LZMdyvq.exe
  2⤵
  PID:11784
- C:\Windows\System\hrFTVqe.exe
  C:\Windows\System\hrFTVqe.exe
  2⤵
  PID:4984
- C:\Windows\System\fOnIrjX.exe
  C:\Windows\System\fOnIrjX.exe
  2⤵
  PID:2580
- C:\Windows\System\McfOniW.exe
  C:\Windows\System\McfOniW.exe
  2⤵
  PID:12312
- C:\Windows\System\vjIlpnN.exe
  C:\Windows\System\vjIlpnN.exe
  2⤵
  PID:12344
- C:\Windows\System\TAThWIU.exe
  C:\Windows\System\TAThWIU.exe
  2⤵
  PID:12372
- C:\Windows\System\VdDoMKt.exe
  C:\Windows\System\VdDoMKt.exe
  2⤵
  PID:12400
- C:\Windows\System\IENKUVF.exe
  C:\Windows\System\IENKUVF.exe
  2⤵
  PID:12428
- C:\Windows\System\BhWHNTd.exe
  C:\Windows\System\BhWHNTd.exe
  2⤵
  PID:12456
- C:\Windows\System\fmVJSZY.exe
  C:\Windows\System\fmVJSZY.exe
  2⤵
  PID:12484
- C:\Windows\System\uXNKiUp.exe
  C:\Windows\System\uXNKiUp.exe
  2⤵
  PID:12512
- C:\Windows\System\HemsTUV.exe
  C:\Windows\System\HemsTUV.exe
  2⤵
  PID:12540
- C:\Windows\System\yMmMJyp.exe
  C:\Windows\System\yMmMJyp.exe
  2⤵
  PID:12568
- C:\Windows\System\rhIEWxw.exe
  C:\Windows\System\rhIEWxw.exe
  2⤵
  PID:12596
- C:\Windows\System\WlTIogJ.exe
  C:\Windows\System\WlTIogJ.exe
  2⤵
  PID:12624
- C:\Windows\System\QrcozJI.exe
  C:\Windows\System\QrcozJI.exe
  2⤵
  PID:12652
- C:\Windows\System\gXbXRhQ.exe
  C:\Windows\System\gXbXRhQ.exe
  2⤵
  PID:12680
- C:\Windows\System\nThHuSW.exe
  C:\Windows\System\nThHuSW.exe
  2⤵
  PID:12708
- C:\Windows\System\SdiJqKo.exe
  C:\Windows\System\SdiJqKo.exe
  2⤵
  PID:12736
- C:\Windows\System\gKftHDu.exe
  C:\Windows\System\gKftHDu.exe
  2⤵
  PID:12764
- C:\Windows\System\yfBYUqu.exe
  C:\Windows\System\yfBYUqu.exe
  2⤵
  PID:12792
- C:\Windows\System\fKuavub.exe
  C:\Windows\System\fKuavub.exe
  2⤵
  PID:12820
- C:\Windows\System\GOhpHJx.exe
  C:\Windows\System\GOhpHJx.exe
  2⤵
  PID:12848
- C:\Windows\System\XEZjdyW.exe
  C:\Windows\System\XEZjdyW.exe
  2⤵
  PID:12876
- C:\Windows\System\jhcbZuY.exe
  C:\Windows\System\jhcbZuY.exe
  2⤵
  PID:12904
- C:\Windows\System\OYyUGBn.exe
  C:\Windows\System\OYyUGBn.exe
  2⤵
  PID:12932
- C:\Windows\System\xjeZaUz.exe
  C:\Windows\System\xjeZaUz.exe
  2⤵
  PID:12960
- C:\Windows\System\nBQzKhP.exe
  C:\Windows\System\nBQzKhP.exe
  2⤵
  PID:12988
- C:\Windows\System\hgwYGvP.exe
  C:\Windows\System\hgwYGvP.exe
  2⤵
  PID:13016
- C:\Windows\System\uMAEpin.exe
  C:\Windows\System\uMAEpin.exe
  2⤵
  PID:13044
- C:\Windows\System\hrpnIsa.exe
  C:\Windows\System\hrpnIsa.exe
  2⤵
  PID:13072
- C:\Windows\System\BvahnpW.exe
  C:\Windows\System\BvahnpW.exe
  2⤵
  PID:13100
- C:\Windows\System\OKucktM.exe
  C:\Windows\System\OKucktM.exe
  2⤵
  PID:13128
- C:\Windows\System\sKhqFyO.exe
  C:\Windows\System\sKhqFyO.exe
  2⤵
  PID:13156
- C:\Windows\System\kzMqFzJ.exe
  C:\Windows\System\kzMqFzJ.exe
  2⤵
  PID:13172
- C:\Windows\System\likxnxR.exe
  C:\Windows\System\likxnxR.exe
  2⤵
  PID:13212
- C:\Windows\System\VmYkAmV.exe
  C:\Windows\System\VmYkAmV.exe
  2⤵
  PID:13240
- C:\Windows\System\BFzuBPk.exe
  C:\Windows\System\BFzuBPk.exe
  2⤵
  PID:13272
- C:\Windows\System\BfCzarL.exe
  C:\Windows\System\BfCzarL.exe
  2⤵
  PID:13300
- C:\Windows\System\sJeqVdZ.exe
  C:\Windows\System\sJeqVdZ.exe
  2⤵
  PID:12336
- C:\Windows\System\ZOAHsjw.exe
  C:\Windows\System\ZOAHsjw.exe
  2⤵
  PID:12392
- C:\Windows\System\oiqqhRM.exe
  C:\Windows\System\oiqqhRM.exe
  2⤵
  PID:12452

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:12308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nzlme3al.hlg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AskUaQo.exe

Filesize
3.2MB

MD5
e22c94bd278c9715e42299bac9621d79

SHA1
d121121f681d3f15225767862ffe1f07d2d9d1a4

SHA256
af7858a613952421debc5cbf0e21a54613cf1065319f81d3eded85926bb11a46

SHA512
7ef118df077a7893c905a77a7fe5c0c421f2629661f508325abd13c4397d7229c40a8eee9e472bd8519762ffc44a9a6c4c563fa17420ef5738aaee0ab3bcaecd

Download Submit
C:\Windows\System\AtAZiZN.exe

Filesize
3.2MB

MD5
a9c476325c437271f50412db540b3723

SHA1
d137cf0a12d18c8ac116ee0bbb8dc68a18b9473b

SHA256
b9f8f8c69e1fe0efccc11708c5bf000e25daa8fc026518d023325a20992982a5

SHA512
137f4ea707585293b4d5f6264e90c4b8e12e2d0895b507a0753299b04d289af4299c602e5c12ac1edb67ae75337c83dae4f44afdbb2e02ba584844b54393991b

Download Submit
C:\Windows\System\BGvKmKO.exe

Filesize
3.2MB

MD5
0ffde5d823b834440fd610c9d26e633b

SHA1
939eb379d16253847f3cd8b5e5aa992eb6855c88

SHA256
010b5bb9602c22836af53430576fc5692112a2e849154906c6b775e428909c1d

SHA512
15a4a3ee18affe1c8e03345081d5a8901f98f43d4379c24d7ef8553de7417a9ba1030664a19e1627df64e6c4a38888f0704327de5cd8e227e507c263400197a5

Download Submit
C:\Windows\System\CtqEoTd.exe

Filesize
3.2MB

MD5
60629fc70a2f56b5c179c1860ef77ad8

SHA1
12a61f541c5ae91291c2d5bf754073327e739d18

SHA256
1a6ee4eaa691e2bb21e5e203149e8877b79d887b43c1c471c8cd1dce2ec5e09d

SHA512
a2bb294c85ce526bedee582e05167922c9c6b0c796dca4b03ad87ed9a0613b3da2f811d1133928329c9a002340050cfac6e5286152273f2f2d81dcde2017a12b

Download Submit
C:\Windows\System\EhRDnvh.exe

Filesize
3.2MB

MD5
ba8582a75665cdbf19463d27d8553fde

SHA1
8f961258d82adc1e58cc42b1484895b9baee64c2

SHA256
8a2e5e5cb0eb4ca245d4cb42ab2b3b103ee9e421f8f54242f1d60468695f8e57

SHA512
368979d63e6d3bb773e5b6c211dd55c67fb8eeca521810a118ad99f15b044e67fe9fc8427b3e8c6d6022ae36d924488db93eadea3d6d3200baca42eda7f8586c

Download Submit
C:\Windows\System\FWURzxP.exe

Filesize
3.2MB

MD5
150c51f73667bcdfc13aac06d6eb1c82

SHA1
fdde6e1263ebe8731fb8ac4b2dfcf97e5b6b2f20

SHA256
2001aa25655a1ad6291ab956ea2237543b2f6b42d4d75966da85c1a3a8e63e36

SHA512
c0352853e5d1ab44a30941530da73415539e2f119e357373a89be3bce6871432992363b5dd8b7f35a8438a87989c4517ad877f8952e20ab80675da757d2ea590

Download Submit
C:\Windows\System\HzlEdgm.exe

Filesize
3.2MB

MD5
ae65d7aaba384536e4fb0c4b0d702b6f

SHA1
b91681387637100683d1e7b787375a9ac34f4cca

SHA256
799ec73713efdcf1f9d19e1127ce42be99e7d371fd0d49b3feae4825a7fd165e

SHA512
eaafad52ab6bc8cf88a68618feaa0d20a9f20cd5d955c553f966495b273636333840c67980e5d75a7ab5fb58d17be8aab4dc19f5e0017857dd975ac328d3c714

Download Submit
C:\Windows\System\JehlghW.exe

Filesize
3.2MB

MD5
90ae0b906187c656708722f8b1528cbe

SHA1
e0a3bf8095a993a7fe803e8a6777515852773177

SHA256
1217e6c0b39078c950f7e160467507a0c69eabaa01354bc49230278ca2938c34

SHA512
9f8d3ac1058c068b82fa212094115cb1a5944a06147d0640ceec51a0beff22d0f582aa6433db22cf88ec7436fd7fa9939e595981511e093c7e3b484e358c053d

Download Submit
C:\Windows\System\KrdoNmR.exe

Filesize
3.2MB

MD5
32244d37bd79a4ed8d3485cc9d73ce67

SHA1
16a114f2a4cd3484ebf210e045bf40d3e7272c00

SHA256
e7b190f94b7b4732f54e64e42bf7f7d67d654c56603140383e0b6830ebcacf09

SHA512
e49c35cb5187f5c0830f28fdb875ad8e87f6e4d8766fdbcc500932c20a536f030a2395984b80ce2b052b2a500ddc83c8554b9d5f5e38b1bbb9d8dfd337919d38

Download Submit
C:\Windows\System\LbDcQfv.exe

Filesize
3.2MB

MD5
20f4d93700038b98485f4eaf39987a60

SHA1
42ee90f744ff917800a438ee61237cbf39cf6590

SHA256
7038b2a47dd98714ee2385b18d4feb261730b88d8b02c83a3169a8b365365b03

SHA512
50079c059a339db9d9bf6682397bd70dbcc5c95d187b6bd5dbd0af7fe2f8e91e27c21599415db2dbe1644fe1ad70b388f360f0bb35b88e222feeedb9b5e41d83

Download Submit
C:\Windows\System\MTMIToV.exe

Filesize
3.2MB

MD5
306b290806fdd75f5582946fbc6d0390

SHA1
d35d00b9f0a82ddf9ad23e77ffccc24a7aef335a

SHA256
16b25f98fb35109627beee449caa5ec841934b1e8ab72d1a5967f12432f39861

SHA512
b5892e13e71faa04f7f1c3960c8d2702c55fcfd80a72fa215c5b23494e25177badcb0135bba6b5711e59351abe8ec774e10756d70b7296028a5d86cb66d0fad8

Download Submit
C:\Windows\System\NJpqMEx.exe

Filesize
3.2MB

MD5
1f021f989da9b41a2465bf467f03142e

SHA1
5a2ffa90d490fb6684580bb493ce866c54c45d87

SHA256
8fc23314344101b709985d61b93074b073390b7e50d6d75a6db0163a46a3baab

SHA512
afa9b569f2910676cc851871a0f9967d0d35efe7f83bf324a571f87df426e84906b516142b0e4397c640606eb754b87e7a7af3d9b15029fbea7020b3aafefc09

Download Submit
C:\Windows\System\QTiyHrV.exe

Filesize
3.2MB

MD5
d7dababdde3514dbabca11c26e9d9266

SHA1
4d65912ef6a469f45fb8d9f77c42b584b17f76ab

SHA256
85007c153c21aad0e4caf3e7ef314cc46d30459e6c76748365bbb5356ba75e67

SHA512
6a7faaff434fe1dac07cae21f1ee494ddc961fdb43ea60002d351ef4dad4c87cfeee0100b5932e6b5941e5e744c25887bbe5441f52fe673299c2f170185369f2

Download Submit
C:\Windows\System\RCPFUig.exe

Filesize
3.2MB

MD5
9af17d29d253602743965b61445da758

SHA1
65cd235e1bf2e47d9382ab7adb60807f403e6f7a

SHA256
553dd948b647755ca037c929de7f40e533269b11778a7213da5ad6f79932fed3

SHA512
c428ab008c0988fbe8ee5f63b973a8f231867443295216779110c02e0e4d9d73a0f5259bb68031f24bb9f7695d7bfd12fccfa684b2ccc170b9673c0667f80c7d

Download Submit
C:\Windows\System\SGdysnY.exe

Filesize
3.2MB

MD5
673115d90808c58f4de193bc814b0f47

SHA1
bd2b95545ee6144eaf6b1344d733d0408402a131

SHA256
6c41c0de2f20e84e5bd94fad17ac4ca7d992aea7991b1ae270b51c2be69a2190

SHA512
f986ff65186453cb5d089920d7f85692008c9b59f8d219a40f74378c5f47c4ca74e1326107776f43527b368a7aeafd7b4af17cced58513ab21d55a7321c4ea19

Download Submit
C:\Windows\System\UgpmTDS.exe

Filesize
3.2MB

MD5
bcc606568042f562e33b60d641a63055

SHA1
fc6601ef514a1f118f5da5dc6e49b8cc30f102a6

SHA256
1ba4ce69a7626b730bb4fa48b331357a906b55ffdb3321e83475eddfb41e529d

SHA512
f98eb9a2964a84f9210499e98da8b78dde9520937acc9b86ed8fdd1a48b6b52bf4396cca5f33880581310dffbc2bc2b7bba5384e069800a21451474f1779da9a

Download Submit
C:\Windows\System\UscZLGZ.exe

Filesize
3.2MB

MD5
14a453e3f4dc539c1d520c78f4bedb48

SHA1
42f4cabe09e45984a10e08efebaeb07548170ba6

SHA256
9ff6127b701d99d13632c9575c606e0fb68dd0c3095f4ab07b066d0d52041ea2

SHA512
5b76e9f76529803069b043d29dc6f383752a62bc054a348dcf93bcccb1a14022a3771a6f89b589fac7d6c8db7fa3b42166ed4a5f3a54baa2f3780d622055d1f8

Download Submit
C:\Windows\System\VfRKXyH.exe

Filesize
3.2MB

MD5
0909a62ee83977d4bb0c5cf574fc4053

SHA1
254eb3a49ba6d5c897cc456b50cd7d8e6ea9c1d3

SHA256
60a248e9f5ca4c7a76e7f3c7dd2ba71cb5e6aa52edd905c030f1554f0edceb86

SHA512
629e123919dfcc03341497b030338ba11b95299d84ee61669ff029da8c339e4b34edbdbda960a54c619c9b4b715988faeea4bf1f63c930d918c106eddefce695

Download Submit
C:\Windows\System\ZPLbvfO.exe

Filesize
3.2MB

MD5
a9dc149b762e84757b22558f67e03e34

SHA1
d2c4d41020acb7b8ccb0fc2c71f99b791f1f87ce

SHA256
3bc14a3de08dbc424574e838ab39b8f7533d0ca80ed9d1722fac6e3447169a81

SHA512
8afda9808e74ab11221b39d67722cb3c147f1143ba2099cc49f911b65cdea2ef62f2df90d39dfa593742a79ab82b671aace6f27f0950a420f322f22ba8a1cc46

Download Submit
C:\Windows\System\aSfgXcG.exe

Filesize
3.2MB

MD5
89f47c1431fb25af6c60af3e22b858e2

SHA1
1176bfe1b1650ac702465ac42fe37e982a53f638

SHA256
6501ec72dcd59ca9356a6053ea83377d776959580c5e070f6cbbd5aead4d4e56

SHA512
d9df76ef7537e3dcf560c8f59450fa91660248a59c5e6a7f473a86885d8c9b036ce4273f0fc1e4b1d8936e99570e08e3195ea33628dcd19ace52437831329693

Download Submit
C:\Windows\System\baNzNad.exe

Filesize
3.2MB

MD5
cadbd015eb311cad9cfab8a18ba112db

SHA1
a77fd4b8d7727fa6069ef54f8068a0b35ba54dca

SHA256
2e5aef1acf40c11e71dfcf64abd88727da4df68250b1d3478f89ba6c004b4ce0

SHA512
233ab76f8e595e0c3745595e39e5865a06a5880d9d83b75537311172554c75a5071dab2ffce746cce373fec3f0dba38c151049e7901c17e4c659f7846557efd3

Download Submit
C:\Windows\System\dGLyJWA.exe

Filesize
3.2MB

MD5
8db9f15414a1c3cde50207d7e83e377b

SHA1
59f6b5faf50e79fb7475688a84c7dcfad59cfee0

SHA256
cb956a0d09125da0e19b5dac58c9e83ec2bd55f3e2b518f077874e2f95fca82f

SHA512
571c52ad732021d588bb2f803fd95d229dead102d78f0026eac8bdbeff05c63270a56edb52cf4e8d5ae324caef0c87292f32efa0f39602da0294dffb613c007b

Download Submit
C:\Windows\System\erkWGuZ.exe

Filesize
3.2MB

MD5
b4fe914a16ac643cc56d8a5a3529f7a3

SHA1
2537f926eaf5be323b04199d6402f1f12a465a84

SHA256
d853940645900f769c972b4f932f87d7455bd4b6aea8387db8edf19d89508d59

SHA512
b8f0ec000529c677ec494cb960cc1d6be2d9a89eba187c07c7e463124ef1d5154736ef0aeeaaf754078dd60777f522e74a9454968b371b81806b7588f5e87c87

Download Submit
C:\Windows\System\iibFLgo.exe

Filesize
3.2MB

MD5
1942ebd6635ee97e49276b8b3cb82872

SHA1
aa8b92054b900a8539fd1d27d3b67723914b6c0d

SHA256
796d17d684f7bbe7d867146acdce0eecb3e2d670c14c1a75faa0ea2093f5869c

SHA512
bbe07eb369c6c1b6f499b9e19b5c71fe72f6b925275bc96e42df08bc9007a1dda956c0d89e0330209ca469a24d40a95ad93e30ddc5a02f35db3d2474df08337c

Download Submit
C:\Windows\System\mnOKRpN.exe

Filesize
3.2MB

MD5
5a78263c3eeb4ccecd167cddc871d27f

SHA1
44191cb037332e73c51ec62b15366f3d7f342581

SHA256
31bf14556cd0cc4049a37b32d01b86416c9995137c6596225d1a0d1ef1f6e764

SHA512
bbdc4ec577e821b13b43bca676e968d03f7d0580184f8f7d2b0d8cfab29b9ff9fa2ff8f3f32756aac71ddaa25430bb2c71673232324627ba1ade5ad6bc0421df

Download Submit
C:\Windows\System\pnXJLPu.exe

Filesize
3.2MB

MD5
db017606aa8e9800ecdca676b97f09f2

SHA1
4d2dc41b85eb801dd9ef4922a9ed341ea3cba90d

SHA256
3b6ec427b21af53837d34d155df424f20483090d72e33ee6d22fffda26c007ef

SHA512
7cbcc217960aa7daec0d512a5348d14af4991b4e85d69bac26dcfd73b063751bc421653adba52bc6b3a100501895a94b38d2156c3c863068167ad2bcd9adbeeb

Download Submit
C:\Windows\System\rbFGxkx.exe

Filesize
3.2MB

MD5
6cf64dfe513af0edc2d0038fc33d7353

SHA1
24840d4b9f630c8129953b173d1be679c66324a7

SHA256
e3dc1b029970bd99bee8cfd1cc013fd1fc046de6cf3a7de8a89a3f8a94145439

SHA512
2b3806300664a6383ebd57db57cb63a149c61144529284f86ff29704070361b8e6d9b8545ed086e09376a7cfb95836824401216f3944c56591614d0e062ba053

Download Submit
C:\Windows\System\tgkMITL.exe

Filesize
3.2MB

MD5
66b8720fe6a5b3a14f3ce05122c97188

SHA1
840d546a0872ebe45c07b1e80c97a59fab9f994e

SHA256
3b7badb7dccca70f0e8740909b0d352795ca18dfa72dc1342dc7cf15e80889f4

SHA512
9890e5b0ffe07014630e7a65b95026fc7367549ef1ef23d67940149caa69c86e603f36e12035167ccc33aeeabb981ea092fde6d526e454e003003432fc911e30

Download Submit
C:\Windows\System\tvPYwDi.exe

Filesize
3.2MB

MD5
5737046ec39bb8c8a68931f1c7a66b1d

SHA1
444f733ca8bfde1cb63e3058f07a97249a8031ef

SHA256
18cd08f690ab1d8e855faba7b24445fe558c12c8cd6aa5aea51d6ae75ee2525e

SHA512
b2f6193479a4792245bf27e42f366fd3bc8224a2690f288c719dceccda6eb53edfd797209e53608de338cceb1fa2de9bdf3e1edbb705fe9b7b960dfd043d53d8

Download Submit
C:\Windows\System\vIUncRO.exe

Filesize
3.2MB

MD5
ff2421852f6fd117ad190e47c5279ebc

SHA1
c8cb7785b7220dad16b24c019fa754fa39667d5c

SHA256
7d6ae2e93cba7496bc9005ec46465bc911e7fed83498dc05901339b917e09253

SHA512
cacecf11907f7ff11a9f0f1cfcac50885eeb64d714ecbae8f17b26b90c9ef8a3265351d5cf7a081c193ed917f5364ae31f161c937bd0c0ddb210b0b0da207b95

Download Submit
C:\Windows\System\wTsaxxn.exe

Filesize
3.2MB

MD5
340931603bec558c22137e107ab7eab3

SHA1
47d113b5efa54107397bf30a57e11f0f4e59cc56

SHA256
619246513623044206e4bf39f5b8f1067c88bccba311b724ccfc5c957b02680c

SHA512
ad25a549dafc107b06733ce563c35920fc2c0ecc915f209ff1fa313d1a73f040e4790a7be5b4ee5e8f3c8b57dd4f7a040de169a3bccd23c896a2af3998a1fc6a

Download Submit
C:\Windows\System\xFCecje.exe

Filesize
3.2MB

MD5
17a2b6c44aa822bb39a5528bd1d03c15

SHA1
cca6aebfef00ba05ea44b924dc975f345a4d94ec

SHA256
80c645db591d63c8d70f647f8fe8d7fd85022f60389f574d493db3c17af80c6a

SHA512
966a798366a206c737ccbd1bcd602c1921afa2236d49cdf470216a19f64d4629202cd5f072f2dd0ff2718aa47d46158544edbbffa15983d5ba3e744ce2c51223

Download Submit
C:\Windows\System\zcmWbhy.exe

Filesize
3.2MB

MD5
65e3c83f7f110bfb4b6900bab5c6b0fc

SHA1
b91c6a78e1ebfad66d6fad2f05813cf8efe7cb81

SHA256
1818082551da8d55ba08fdd6938dcd0428d16e4e15805af1495c1f0adcae6e62

SHA512
22290d3e936b3ee490c9a0fb5d9a57ba169c47bfea28ae5c8762adc48a9e17b7fd5b3a8bea6c98dbedc2e502eb54cf7358d97d2772a883c5e333ed99fc7a5d58

Download Submit
memory/384-876-0x00007FF650BF0000-0x00007FF650FE6000-memory.dmp

Filesize
4.0MB

Download
memory/384-1965-0x00007FF650BF0000-0x00007FF650FE6000-memory.dmp

Filesize
4.0MB

Download
memory/548-1963-0x00007FF7F66E0000-0x00007FF7F6AD6000-memory.dmp

Filesize
4.0MB

Download
memory/548-852-0x00007FF7F66E0000-0x00007FF7F6AD6000-memory.dmp

Filesize
4.0MB

Download
memory/688-1948-0x00007FF65ED40000-0x00007FF65F136000-memory.dmp

Filesize
4.0MB

Download
memory/688-888-0x00007FF65ED40000-0x00007FF65F136000-memory.dmp

Filesize
4.0MB

Download
memory/820-1961-0x00007FF60EAF0000-0x00007FF60EEE6000-memory.dmp

Filesize
4.0MB

Download
memory/820-867-0x00007FF60EAF0000-0x00007FF60EEE6000-memory.dmp

Filesize
4.0MB

Download
memory/880-884-0x00007FF76D5E0000-0x00007FF76D9D6000-memory.dmp

Filesize
4.0MB

Download
memory/880-1945-0x00007FF76D5E0000-0x00007FF76D9D6000-memory.dmp

Filesize
4.0MB

Download
memory/960-1955-0x00007FF765D30000-0x00007FF766126000-memory.dmp

Filesize
4.0MB

Download
memory/960-814-0x00007FF765D30000-0x00007FF766126000-memory.dmp

Filesize
4.0MB

Download
memory/1224-835-0x00007FF6C3C10000-0x00007FF6C4006000-memory.dmp

Filesize
4.0MB

Download
memory/1224-1957-0x00007FF6C3C10000-0x00007FF6C4006000-memory.dmp

Filesize
4.0MB

Download
memory/1536-829-0x00007FF7B2600000-0x00007FF7B29F6000-memory.dmp

Filesize
4.0MB

Download
memory/1536-1959-0x00007FF7B2600000-0x00007FF7B29F6000-memory.dmp

Filesize
4.0MB

Download
memory/1552-1946-0x00007FF647830000-0x00007FF647C26000-memory.dmp

Filesize
4.0MB

Download
memory/1552-785-0x00007FF647830000-0x00007FF647C26000-memory.dmp

Filesize
4.0MB

Download
memory/1608-1954-0x00007FF731D00000-0x00007FF7320F6000-memory.dmp

Filesize
4.0MB

Download
memory/1608-828-0x00007FF731D00000-0x00007FF7320F6000-memory.dmp

Filesize
4.0MB

Download
memory/1680-1952-0x00007FF715AF0000-0x00007FF715EE6000-memory.dmp

Filesize
4.0MB

Download
memory/1680-810-0x00007FF715AF0000-0x00007FF715EE6000-memory.dmp

Filesize
4.0MB

Download
memory/1852-1956-0x00007FF79C390000-0x00007FF79C786000-memory.dmp

Filesize
4.0MB

Download
memory/1852-799-0x00007FF79C390000-0x00007FF79C786000-memory.dmp

Filesize
4.0MB

Download
memory/2112-816-0x00007FF784960000-0x00007FF784D56000-memory.dmp

Filesize
4.0MB

Download
memory/2112-1951-0x00007FF784960000-0x00007FF784D56000-memory.dmp

Filesize
4.0MB

Download
memory/2120-1968-0x00007FF786DD0000-0x00007FF7871C6000-memory.dmp

Filesize
4.0MB

Download
memory/2120-870-0x00007FF786DD0000-0x00007FF7871C6000-memory.dmp

Filesize
4.0MB

Download
memory/2244-1964-0x00007FF65CDB0000-0x00007FF65D1A6000-memory.dmp

Filesize
4.0MB

Download
memory/2244-849-0x00007FF65CDB0000-0x00007FF65D1A6000-memory.dmp

Filesize
4.0MB

Download
memory/2344-1966-0x00007FF7E41B0000-0x00007FF7E45A6000-memory.dmp

Filesize
4.0MB

Download
memory/2344-879-0x00007FF7E41B0000-0x00007FF7E45A6000-memory.dmp

Filesize
4.0MB

Download
memory/2408-1949-0x00007FF745E90000-0x00007FF746286000-memory.dmp

Filesize
4.0MB

Download
memory/2408-795-0x00007FF745E90000-0x00007FF746286000-memory.dmp

Filesize
4.0MB

Download
memory/2864-792-0x00007FF6FBAE0000-0x00007FF6FBED6000-memory.dmp

Filesize
4.0MB

Download
memory/2864-1947-0x00007FF6FBAE0000-0x00007FF6FBED6000-memory.dmp

Filesize
4.0MB

Download
memory/2912-1953-0x00007FF6A11D0000-0x00007FF6A15C6000-memory.dmp

Filesize
4.0MB

Download
memory/2912-807-0x00007FF6A11D0000-0x00007FF6A15C6000-memory.dmp

Filesize
4.0MB

Download
memory/3208-44-0x00000217F0500000-0x00000217F0522000-memory.dmp

Filesize
136KB

Download
memory/3208-1677-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

Filesize
10.8MB

Download
memory/3208-784-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

Filesize
10.8MB

Download
memory/3208-5-0x00007FF8D81B3000-0x00007FF8D81B5000-memory.dmp

Filesize
8KB

Download
memory/3208-29-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

Filesize
10.8MB

Download
memory/3440-1958-0x00007FF7055F0000-0x00007FF7059E6000-memory.dmp

Filesize
4.0MB

Download
memory/3440-840-0x00007FF7055F0000-0x00007FF7059E6000-memory.dmp

Filesize
4.0MB

Download
memory/3664-1962-0x00007FF72B710000-0x00007FF72BB06000-memory.dmp

Filesize
4.0MB

Download
memory/3664-860-0x00007FF72B710000-0x00007FF72BB06000-memory.dmp

Filesize
4.0MB

Download
memory/3760-1950-0x00007FF6E4F40000-0x00007FF6E5336000-memory.dmp

Filesize
4.0MB

Download
memory/3760-820-0x00007FF6E4F40000-0x00007FF6E5336000-memory.dmp

Filesize
4.0MB

Download
memory/3784-0-0x00007FF72D200000-0x00007FF72D5F6000-memory.dmp

Filesize
4.0MB

Download
memory/3784-1-0x0000028064FB0000-0x0000028064FC0000-memory.dmp

Filesize
64KB

Download
memory/4744-855-0x00007FF759D90000-0x00007FF75A186000-memory.dmp

Filesize
4.0MB

Download
memory/4744-1960-0x00007FF759D90000-0x00007FF75A186000-memory.dmp

Filesize
4.0MB

Download
memory/5076-1967-0x00007FF655F20000-0x00007FF656316000-memory.dmp

Filesize
4.0MB

Download
memory/5076-863-0x00007FF655F20000-0x00007FF656316000-memory.dmp

Filesize
4.0MB

Download