xmrig | 2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
Size

2.0MB
MD5

b6bfa2d03200793757fcda023ddfd8a0
SHA1

a216df1216fcef7f969ed966db0a14ef05663044
SHA256

2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18
SHA512

a4081a679c08040c677d04d2bc09bb559300e8e73db2426d019dd9c2d1ac02068fca37185a7dd0e65d2e92a4801c14174ea390fb552a68cd2fe26e3fe2fc59fa
SSDEEP

49152:Lz071uv4BPMkibTIA5sf6r+WVc2HhG82g1Vr5s1PTRikI/:NAB4

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/2572-329-0x00007FF7AFF70000-0x00007FF7B0362000-memory.dmp	xmrig
behavioral2/memory/2392-335-0x00007FF7EB710000-0x00007FF7EBB02000-memory.dmp	xmrig
behavioral2/memory/4460-338-0x00007FF72E420000-0x00007FF72E812000-memory.dmp	xmrig
behavioral2/memory/4932-343-0x00007FF6815D0000-0x00007FF6819C2000-memory.dmp	xmrig
behavioral2/memory/3020-346-0x00007FF7EFA80000-0x00007FF7EFE72000-memory.dmp	xmrig
behavioral2/memory/216-344-0x00007FF606A30000-0x00007FF606E22000-memory.dmp	xmrig
behavioral2/memory/4996-345-0x00007FF7681E0000-0x00007FF7685D2000-memory.dmp	xmrig
behavioral2/memory/4180-341-0x00007FF7010D0000-0x00007FF7014C2000-memory.dmp	xmrig
behavioral2/memory/3708-348-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp	xmrig
behavioral2/memory/4644-349-0x00007FF704BB0000-0x00007FF704FA2000-memory.dmp	xmrig
behavioral2/memory/1144-350-0x00007FF6E6780000-0x00007FF6E6B72000-memory.dmp	xmrig
behavioral2/memory/744-363-0x00007FF757140000-0x00007FF757532000-memory.dmp	xmrig
behavioral2/memory/4752-385-0x00007FF64A1A0000-0x00007FF64A592000-memory.dmp	xmrig
behavioral2/memory/3408-395-0x00007FF7C28F0000-0x00007FF7C2CE2000-memory.dmp	xmrig
behavioral2/memory/4788-399-0x00007FF67C740000-0x00007FF67CB32000-memory.dmp	xmrig
behavioral2/memory/4688-392-0x00007FF724680000-0x00007FF724A72000-memory.dmp	xmrig
behavioral2/memory/880-376-0x00007FF70F730000-0x00007FF70FB22000-memory.dmp	xmrig
behavioral2/memory/3556-371-0x00007FF76EDB0000-0x00007FF76F1A2000-memory.dmp	xmrig
behavioral2/memory/2244-358-0x00007FF607B10000-0x00007FF607F02000-memory.dmp	xmrig
behavioral2/memory/2204-2459-0x00007FF7FD3F0000-0x00007FF7FD7E2000-memory.dmp	xmrig
behavioral2/memory/1168-2460-0x00007FF7CEFA0000-0x00007FF7CF392000-memory.dmp	xmrig
behavioral2/memory/552-2493-0x00007FF681120000-0x00007FF681512000-memory.dmp	xmrig
behavioral2/memory/3620-2494-0x00007FF776880000-0x00007FF776C72000-memory.dmp	xmrig
behavioral2/memory/4672-2495-0x00007FF7BB490000-0x00007FF7BB882000-memory.dmp	xmrig
behavioral2/memory/2204-2509-0x00007FF7FD3F0000-0x00007FF7FD7E2000-memory.dmp	xmrig
behavioral2/memory/1168-2511-0x00007FF7CEFA0000-0x00007FF7CF392000-memory.dmp	xmrig
behavioral2/memory/4672-2513-0x00007FF7BB490000-0x00007FF7BB882000-memory.dmp	xmrig
behavioral2/memory/552-2515-0x00007FF681120000-0x00007FF681512000-memory.dmp	xmrig
behavioral2/memory/3620-2517-0x00007FF776880000-0x00007FF776C72000-memory.dmp	xmrig
behavioral2/memory/4788-2519-0x00007FF67C740000-0x00007FF67CB32000-memory.dmp	xmrig
behavioral2/memory/4460-2526-0x00007FF72E420000-0x00007FF72E812000-memory.dmp	xmrig
behavioral2/memory/2392-2529-0x00007FF7EB710000-0x00007FF7EBB02000-memory.dmp	xmrig
behavioral2/memory/2572-2527-0x00007FF7AFF70000-0x00007FF7B0362000-memory.dmp	xmrig
behavioral2/memory/4180-2523-0x00007FF7010D0000-0x00007FF7014C2000-memory.dmp	xmrig
behavioral2/memory/4932-2522-0x00007FF6815D0000-0x00007FF6819C2000-memory.dmp	xmrig
behavioral2/memory/3020-2541-0x00007FF7EFA80000-0x00007FF7EFE72000-memory.dmp	xmrig
behavioral2/memory/216-2547-0x00007FF606A30000-0x00007FF606E22000-memory.dmp	xmrig
behavioral2/memory/880-2549-0x00007FF70F730000-0x00007FF70FB22000-memory.dmp	xmrig
behavioral2/memory/3556-2546-0x00007FF76EDB0000-0x00007FF76F1A2000-memory.dmp	xmrig
behavioral2/memory/744-2544-0x00007FF757140000-0x00007FF757532000-memory.dmp	xmrig
behavioral2/memory/4996-2540-0x00007FF7681E0000-0x00007FF7685D2000-memory.dmp	xmrig
behavioral2/memory/3708-2538-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp	xmrig
behavioral2/memory/1144-2534-0x00007FF6E6780000-0x00007FF6E6B72000-memory.dmp	xmrig
behavioral2/memory/2244-2532-0x00007FF607B10000-0x00007FF607F02000-memory.dmp	xmrig
behavioral2/memory/4644-2536-0x00007FF704BB0000-0x00007FF704FA2000-memory.dmp	xmrig
behavioral2/memory/4752-2563-0x00007FF64A1A0000-0x00007FF64A592000-memory.dmp	xmrig
behavioral2/memory/3408-2560-0x00007FF7C28F0000-0x00007FF7C2CE2000-memory.dmp	xmrig
behavioral2/memory/4688-2559-0x00007FF724680000-0x00007FF724A72000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
7	2960	powershell.exe
9	2960	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2960	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2204	YnMycyA.exe
1168	HRPRQWl.exe
4672	IvBXspy.exe
552	NMdweoR.exe
3620	aPWvdbG.exe
4788	cnXzPEM.exe
2572	UDHLOAu.exe
2392	TFdPvkt.exe
4460	hNrsJMw.exe
4180	PmOnWft.exe
4932	tQueFlt.exe
216	IchcTQf.exe
4996	dbtarVH.exe
3020	lCOiZpd.exe
3708	iHwYUKr.exe
4644	TbyNdvt.exe
1144	QQILErW.exe
2244	tOVGZHe.exe
744	FAHQQcE.exe
3556	lIbkJZS.exe
880	wzazpWL.exe
4752	QDVEbIt.exe
4688	ipzlMop.exe
3408	scQgymY.exe
2284	vYEDdQY.exe
3248	rcsTIKC.exe
2740	dtMiEQq.exe
1944	bwecRmL.exe
4372	QNaefOi.exe
4568	JRdRGls.exe
4404	KMTGUnK.exe
4616	GLvXeXT.exe
3380	pBYYaYF.exe
3228	kQZJKZf.exe
2676	cJzSIGl.exe
4140	JItHBsk.exe
444	wWddlAP.exe
4624	ltChbSm.exe
4288	fvpJRAd.exe
3144	CXbeNmT.exe
1736	WfDDNEM.exe
588	lYmQuJK.exe
2916	wviNvnz.exe
1044	QNqmotH.exe
4852	GvVshKm.exe
1900	fgGIlMz.exe
3956	INcEzzD.exe
1196	hYWLKpy.exe
4200	qrPRIVE.exe
1440	zSWJRmf.exe
984	AppDHjk.exe
540	jKjbKVL.exe
5148	hMYlwBZ.exe
5176	PJLaopw.exe
5204	dWrrPxn.exe
5232	cCDwKDF.exe
5268	NmDEbqB.exe
5288	rMJcWJD.exe
5316	WGeYAjg.exe
5344	owHcbiJ.exe
5372	uEXJfvQ.exe
5400	cQzzmEq.exe
5428	QbaypHn.exe
5456	PciZSbw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1592-0-0x00007FF7B9730000-0x00007FF7B9B22000-memory.dmp	upx
behavioral2/files/0x000900000002353a-5.dat	upx
behavioral2/files/0x0007000000023541-7.dat	upx
behavioral2/files/0x0007000000023542-19.dat	upx
behavioral2/files/0x0007000000023545-37.dat	upx
behavioral2/files/0x0007000000023546-42.dat	upx
behavioral2/files/0x0007000000023547-48.dat	upx
behavioral2/files/0x0007000000023548-53.dat	upx
behavioral2/files/0x0007000000023549-61.dat	upx
behavioral2/files/0x000700000002354a-79.dat	upx
behavioral2/files/0x000700000002354d-94.dat	upx
behavioral2/files/0x0007000000023554-123.dat	upx
behavioral2/files/0x0007000000023557-138.dat	upx
behavioral2/files/0x0007000000023559-156.dat	upx
behavioral2/files/0x000700000002355c-163.dat	upx
behavioral2/files/0x000700000002355e-173.dat	upx
behavioral2/memory/2572-329-0x00007FF7AFF70000-0x00007FF7B0362000-memory.dmp	upx
behavioral2/memory/2392-335-0x00007FF7EB710000-0x00007FF7EBB02000-memory.dmp	upx
behavioral2/memory/4460-338-0x00007FF72E420000-0x00007FF72E812000-memory.dmp	upx
behavioral2/memory/4932-343-0x00007FF6815D0000-0x00007FF6819C2000-memory.dmp	upx
behavioral2/memory/3020-346-0x00007FF7EFA80000-0x00007FF7EFE72000-memory.dmp	upx
behavioral2/memory/216-344-0x00007FF606A30000-0x00007FF606E22000-memory.dmp	upx
behavioral2/memory/4996-345-0x00007FF7681E0000-0x00007FF7685D2000-memory.dmp	upx
behavioral2/memory/4180-341-0x00007FF7010D0000-0x00007FF7014C2000-memory.dmp	upx
behavioral2/memory/3708-348-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp	upx
behavioral2/memory/4644-349-0x00007FF704BB0000-0x00007FF704FA2000-memory.dmp	upx
behavioral2/memory/1144-350-0x00007FF6E6780000-0x00007FF6E6B72000-memory.dmp	upx
behavioral2/memory/744-363-0x00007FF757140000-0x00007FF757532000-memory.dmp	upx
behavioral2/memory/4752-385-0x00007FF64A1A0000-0x00007FF64A592000-memory.dmp	upx
behavioral2/memory/3408-395-0x00007FF7C28F0000-0x00007FF7C2CE2000-memory.dmp	upx
behavioral2/memory/4788-399-0x00007FF67C740000-0x00007FF67CB32000-memory.dmp	upx
behavioral2/memory/4688-392-0x00007FF724680000-0x00007FF724A72000-memory.dmp	upx
behavioral2/memory/880-376-0x00007FF70F730000-0x00007FF70FB22000-memory.dmp	upx
behavioral2/memory/3556-371-0x00007FF76EDB0000-0x00007FF76F1A2000-memory.dmp	upx
behavioral2/memory/2244-358-0x00007FF607B10000-0x00007FF607F02000-memory.dmp	upx
behavioral2/files/0x000700000002355f-178.dat	upx
behavioral2/files/0x000700000002355d-176.dat	upx
behavioral2/files/0x000700000002355b-166.dat	upx
behavioral2/files/0x000700000002355a-161.dat	upx
behavioral2/files/0x0007000000023558-151.dat	upx
behavioral2/files/0x0007000000023556-141.dat	upx
behavioral2/files/0x0007000000023555-136.dat	upx
behavioral2/files/0x0007000000023553-126.dat	upx
behavioral2/files/0x0007000000023552-118.dat	upx
behavioral2/files/0x0007000000023551-114.dat	upx
behavioral2/files/0x0007000000023550-109.dat	upx
behavioral2/files/0x000700000002354f-104.dat	upx
behavioral2/files/0x000700000002354e-99.dat	upx
behavioral2/files/0x000800000002354b-89.dat	upx
behavioral2/files/0x000800000002354c-83.dat	upx
behavioral2/memory/4672-46-0x00007FF7BB490000-0x00007FF7BB882000-memory.dmp	upx
behavioral2/files/0x0007000000023544-40.dat	upx
behavioral2/files/0x0007000000023543-31.dat	upx
behavioral2/files/0x000800000002353d-27.dat	upx
behavioral2/memory/3620-26-0x00007FF776880000-0x00007FF776C72000-memory.dmp	upx
behavioral2/memory/552-22-0x00007FF681120000-0x00007FF681512000-memory.dmp	upx
behavioral2/memory/1168-21-0x00007FF7CEFA0000-0x00007FF7CF392000-memory.dmp	upx
behavioral2/memory/2204-13-0x00007FF7FD3F0000-0x00007FF7FD7E2000-memory.dmp	upx
behavioral2/memory/2204-2459-0x00007FF7FD3F0000-0x00007FF7FD7E2000-memory.dmp	upx
behavioral2/memory/1168-2460-0x00007FF7CEFA0000-0x00007FF7CF392000-memory.dmp	upx
behavioral2/memory/552-2493-0x00007FF681120000-0x00007FF681512000-memory.dmp	upx
behavioral2/memory/3620-2494-0x00007FF776880000-0x00007FF776C72000-memory.dmp	upx
behavioral2/memory/4672-2495-0x00007FF7BB490000-0x00007FF7BB882000-memory.dmp	upx
behavioral2/memory/2204-2509-0x00007FF7FD3F0000-0x00007FF7FD7E2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\AtzOEQL.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\bIOOapP.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\vflwhnf.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\MZTjtIO.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\owHcbiJ.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\cRFyEBw.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\dMQYrwq.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\drUsHkn.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\wwwzSLW.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\JrUUmox.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\ziVkfom.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\TDNjqfX.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\Ifasdcz.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\WqcIdom.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\JSDXYBb.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\PSWWOdY.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\HgJZvcY.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\ciESjIr.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\bwJbYZq.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\XMDqrKh.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\MIsgSXR.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\tivvFsI.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\EpdUmtb.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\BlHbnHb.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\BBtpdlR.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\PRIWrER.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\tOVGZHe.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\jKjbKVL.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\fBssOVS.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\zcgfHbt.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\NLjrAJu.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\VyuvPBM.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\OxKXawh.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\QXmiUNb.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\MtQhFJX.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\sdtkczq.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\aRoxufc.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\bMyhgYk.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\xDsgwNT.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\UqihlmO.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\ZuYkIjY.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\pBYYaYF.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\vYktQeN.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\wJTydrA.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\rdefgLX.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\EWmsLFJ.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\JRTIkUg.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\AgNbRRs.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\dtMiEQq.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\FFHVqgv.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\ugMXMti.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\TcXToYR.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\sOfMkjg.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\HRPRQWl.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\GCSkeSJ.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\zfJleeZ.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\PqQlREq.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\AWsVXrE.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\JaJEAKz.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\rmSFQXB.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\EfOFUuz.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\xlgkDcq.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\VfPsoEf.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
File created	C:\Windows\System\gUSlyIr.exe	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
Token: SeDebugPrivilege	2960	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2960	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	90
PID 1592 wrote to memory of 2960	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	90
PID 1592 wrote to memory of 2204	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	91
PID 1592 wrote to memory of 2204	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	91
PID 1592 wrote to memory of 4672	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	92
PID 1592 wrote to memory of 4672	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	92
PID 1592 wrote to memory of 1168	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	93
PID 1592 wrote to memory of 1168	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	93
PID 1592 wrote to memory of 552	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	94
PID 1592 wrote to memory of 552	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	94
PID 1592 wrote to memory of 3620	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	95
PID 1592 wrote to memory of 3620	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	95
PID 1592 wrote to memory of 4788	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	96
PID 1592 wrote to memory of 4788	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	96
PID 1592 wrote to memory of 2572	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	97
PID 1592 wrote to memory of 2572	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	97
PID 1592 wrote to memory of 2392	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	98
PID 1592 wrote to memory of 2392	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	98
PID 1592 wrote to memory of 4460	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	99
PID 1592 wrote to memory of 4460	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	99
PID 1592 wrote to memory of 4180	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	100
PID 1592 wrote to memory of 4180	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	100
PID 1592 wrote to memory of 4932	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	101
PID 1592 wrote to memory of 4932	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	101
PID 1592 wrote to memory of 216	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	102
PID 1592 wrote to memory of 216	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	102
PID 1592 wrote to memory of 4996	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	103
PID 1592 wrote to memory of 4996	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	103
PID 1592 wrote to memory of 3020	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	104
PID 1592 wrote to memory of 3020	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	104
PID 1592 wrote to memory of 3708	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	105
PID 1592 wrote to memory of 3708	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	105
PID 1592 wrote to memory of 4644	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	106
PID 1592 wrote to memory of 4644	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	106
PID 1592 wrote to memory of 1144	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	107
PID 1592 wrote to memory of 1144	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	107
PID 1592 wrote to memory of 2244	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	108
PID 1592 wrote to memory of 2244	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	108
PID 1592 wrote to memory of 744	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	109
PID 1592 wrote to memory of 744	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	109
PID 1592 wrote to memory of 3556	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	110
PID 1592 wrote to memory of 3556	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	110
PID 1592 wrote to memory of 880	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	111
PID 1592 wrote to memory of 880	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	111
PID 1592 wrote to memory of 4752	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	112
PID 1592 wrote to memory of 4752	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	112
PID 1592 wrote to memory of 4688	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	113
PID 1592 wrote to memory of 4688	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	113
PID 1592 wrote to memory of 3408	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	114
PID 1592 wrote to memory of 3408	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	114
PID 1592 wrote to memory of 2284	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	115
PID 1592 wrote to memory of 2284	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	115
PID 1592 wrote to memory of 3248	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	116
PID 1592 wrote to memory of 3248	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	116
PID 1592 wrote to memory of 2740	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	117
PID 1592 wrote to memory of 2740	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	117
PID 1592 wrote to memory of 1944	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	118
PID 1592 wrote to memory of 1944	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	118
PID 1592 wrote to memory of 4372	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	119
PID 1592 wrote to memory of 4372	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	119
PID 1592 wrote to memory of 4568	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	120
PID 1592 wrote to memory of 4568	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	120
PID 1592 wrote to memory of 4404	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	121
PID 1592 wrote to memory of 4404	1592	2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe	121

C:\Users\Admin\AppData\Local\Temp\2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2b1fe0397d599a3c2ede2c105078ef9d4b7e3d7bd170df78adc5cc77dd3cea18_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2960" "2960" "2904" "2964" "0" "0" "2968" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12304
- C:\Windows\System\YnMycyA.exe
  C:\Windows\System\YnMycyA.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\IvBXspy.exe
  C:\Windows\System\IvBXspy.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\HRPRQWl.exe
  C:\Windows\System\HRPRQWl.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\NMdweoR.exe
  C:\Windows\System\NMdweoR.exe
  2⤵
  - Executes dropped EXE
  PID:552
- C:\Windows\System\aPWvdbG.exe
  C:\Windows\System\aPWvdbG.exe
  2⤵
  - Executes dropped EXE
  PID:3620
- C:\Windows\System\cnXzPEM.exe
  C:\Windows\System\cnXzPEM.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\UDHLOAu.exe
  C:\Windows\System\UDHLOAu.exe
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Windows\System\TFdPvkt.exe
  C:\Windows\System\TFdPvkt.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\hNrsJMw.exe
  C:\Windows\System\hNrsJMw.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\PmOnWft.exe
  C:\Windows\System\PmOnWft.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\tQueFlt.exe
  C:\Windows\System\tQueFlt.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\IchcTQf.exe
  C:\Windows\System\IchcTQf.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\dbtarVH.exe
  C:\Windows\System\dbtarVH.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\lCOiZpd.exe
  C:\Windows\System\lCOiZpd.exe
  2⤵
  - Executes dropped EXE
  PID:3020
- C:\Windows\System\iHwYUKr.exe
  C:\Windows\System\iHwYUKr.exe
  2⤵
  - Executes dropped EXE
  PID:3708
- C:\Windows\System\TbyNdvt.exe
  C:\Windows\System\TbyNdvt.exe
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Windows\System\QQILErW.exe
  C:\Windows\System\QQILErW.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\tOVGZHe.exe
  C:\Windows\System\tOVGZHe.exe
  2⤵
  - Executes dropped EXE
  PID:2244
- C:\Windows\System\FAHQQcE.exe
  C:\Windows\System\FAHQQcE.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\lIbkJZS.exe
  C:\Windows\System\lIbkJZS.exe
  2⤵
  - Executes dropped EXE
  PID:3556
- C:\Windows\System\wzazpWL.exe
  C:\Windows\System\wzazpWL.exe
  2⤵
  - Executes dropped EXE
  PID:880
- C:\Windows\System\QDVEbIt.exe
  C:\Windows\System\QDVEbIt.exe
  2⤵
  - Executes dropped EXE
  PID:4752
- C:\Windows\System\ipzlMop.exe
  C:\Windows\System\ipzlMop.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\scQgymY.exe
  C:\Windows\System\scQgymY.exe
  2⤵
  - Executes dropped EXE
  PID:3408
- C:\Windows\System\vYEDdQY.exe
  C:\Windows\System\vYEDdQY.exe
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Windows\System\rcsTIKC.exe
  C:\Windows\System\rcsTIKC.exe
  2⤵
  - Executes dropped EXE
  PID:3248
- C:\Windows\System\dtMiEQq.exe
  C:\Windows\System\dtMiEQq.exe
  2⤵
  - Executes dropped EXE
  PID:2740
- C:\Windows\System\bwecRmL.exe
  C:\Windows\System\bwecRmL.exe
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Windows\System\QNaefOi.exe
  C:\Windows\System\QNaefOi.exe
  2⤵
  - Executes dropped EXE
  PID:4372
- C:\Windows\System\JRdRGls.exe
  C:\Windows\System\JRdRGls.exe
  2⤵
  - Executes dropped EXE
  PID:4568
- C:\Windows\System\KMTGUnK.exe
  C:\Windows\System\KMTGUnK.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\GLvXeXT.exe
  C:\Windows\System\GLvXeXT.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\pBYYaYF.exe
  C:\Windows\System\pBYYaYF.exe
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Windows\System\kQZJKZf.exe
  C:\Windows\System\kQZJKZf.exe
  2⤵
  - Executes dropped EXE
  PID:3228
- C:\Windows\System\cJzSIGl.exe
  C:\Windows\System\cJzSIGl.exe
  2⤵
  - Executes dropped EXE
  PID:2676
- C:\Windows\System\JItHBsk.exe
  C:\Windows\System\JItHBsk.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\wWddlAP.exe
  C:\Windows\System\wWddlAP.exe
  2⤵
  - Executes dropped EXE
  PID:444
- C:\Windows\System\ltChbSm.exe
  C:\Windows\System\ltChbSm.exe
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Windows\System\fvpJRAd.exe
  C:\Windows\System\fvpJRAd.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Windows\System\CXbeNmT.exe
  C:\Windows\System\CXbeNmT.exe
  2⤵
  - Executes dropped EXE
  PID:3144
- C:\Windows\System\WfDDNEM.exe
  C:\Windows\System\WfDDNEM.exe
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\Windows\System\lYmQuJK.exe
  C:\Windows\System\lYmQuJK.exe
  2⤵
  - Executes dropped EXE
  PID:588
- C:\Windows\System\wviNvnz.exe
  C:\Windows\System\wviNvnz.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Windows\System\QNqmotH.exe
  C:\Windows\System\QNqmotH.exe
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\Windows\System\GvVshKm.exe
  C:\Windows\System\GvVshKm.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\fgGIlMz.exe
  C:\Windows\System\fgGIlMz.exe
  2⤵
  - Executes dropped EXE
  PID:1900
- C:\Windows\System\INcEzzD.exe
  C:\Windows\System\INcEzzD.exe
  2⤵
  - Executes dropped EXE
  PID:3956
- C:\Windows\System\hYWLKpy.exe
  C:\Windows\System\hYWLKpy.exe
  2⤵
  - Executes dropped EXE
  PID:1196
- C:\Windows\System\qrPRIVE.exe
  C:\Windows\System\qrPRIVE.exe
  2⤵
  - Executes dropped EXE
  PID:4200
- C:\Windows\System\zSWJRmf.exe
  C:\Windows\System\zSWJRmf.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- C:\Windows\System\AppDHjk.exe
  C:\Windows\System\AppDHjk.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\jKjbKVL.exe
  C:\Windows\System\jKjbKVL.exe
  2⤵
  - Executes dropped EXE
  PID:540
- C:\Windows\System\hMYlwBZ.exe
  C:\Windows\System\hMYlwBZ.exe
  2⤵
  - Executes dropped EXE
  PID:5148
- C:\Windows\System\PJLaopw.exe
  C:\Windows\System\PJLaopw.exe
  2⤵
  - Executes dropped EXE
  PID:5176
- C:\Windows\System\dWrrPxn.exe
  C:\Windows\System\dWrrPxn.exe
  2⤵
  - Executes dropped EXE
  PID:5204
- C:\Windows\System\cCDwKDF.exe
  C:\Windows\System\cCDwKDF.exe
  2⤵
  - Executes dropped EXE
  PID:5232
- C:\Windows\System\NmDEbqB.exe
  C:\Windows\System\NmDEbqB.exe
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\Windows\System\rMJcWJD.exe
  C:\Windows\System\rMJcWJD.exe
  2⤵
  - Executes dropped EXE
  PID:5288
- C:\Windows\System\WGeYAjg.exe
  C:\Windows\System\WGeYAjg.exe
  2⤵
  - Executes dropped EXE
  PID:5316
- C:\Windows\System\owHcbiJ.exe
  C:\Windows\System\owHcbiJ.exe
  2⤵
  - Executes dropped EXE
  PID:5344
- C:\Windows\System\uEXJfvQ.exe
  C:\Windows\System\uEXJfvQ.exe
  2⤵
  - Executes dropped EXE
  PID:5372
- C:\Windows\System\cQzzmEq.exe
  C:\Windows\System\cQzzmEq.exe
  2⤵
  - Executes dropped EXE
  PID:5400
- C:\Windows\System\QbaypHn.exe
  C:\Windows\System\QbaypHn.exe
  2⤵
  - Executes dropped EXE
  PID:5428
- C:\Windows\System\PciZSbw.exe
  C:\Windows\System\PciZSbw.exe
  2⤵
  - Executes dropped EXE
  PID:5456
- C:\Windows\System\NFTHYqG.exe
  C:\Windows\System\NFTHYqG.exe
  2⤵
  PID:5484
- C:\Windows\System\cRFyEBw.exe
  C:\Windows\System\cRFyEBw.exe
  2⤵
  PID:5512
- C:\Windows\System\oKSWYAt.exe
  C:\Windows\System\oKSWYAt.exe
  2⤵
  PID:5540
- C:\Windows\System\IaLVHHe.exe
  C:\Windows\System\IaLVHHe.exe
  2⤵
  PID:5568
- C:\Windows\System\QIGVoaX.exe
  C:\Windows\System\QIGVoaX.exe
  2⤵
  PID:5596
- C:\Windows\System\KdEeXEL.exe
  C:\Windows\System\KdEeXEL.exe
  2⤵
  PID:5624
- C:\Windows\System\BsphkgL.exe
  C:\Windows\System\BsphkgL.exe
  2⤵
  PID:5648
- C:\Windows\System\XYHaFua.exe
  C:\Windows\System\XYHaFua.exe
  2⤵
  PID:5680
- C:\Windows\System\zwiDTpI.exe
  C:\Windows\System\zwiDTpI.exe
  2⤵
  PID:5704
- C:\Windows\System\dcJprnf.exe
  C:\Windows\System\dcJprnf.exe
  2⤵
  PID:5732
- C:\Windows\System\ZJFuASH.exe
  C:\Windows\System\ZJFuASH.exe
  2⤵
  PID:5764
- C:\Windows\System\qjtfwSB.exe
  C:\Windows\System\qjtfwSB.exe
  2⤵
  PID:5792
- C:\Windows\System\GLQFwOV.exe
  C:\Windows\System\GLQFwOV.exe
  2⤵
  PID:5820
- C:\Windows\System\mwLDeoO.exe
  C:\Windows\System\mwLDeoO.exe
  2⤵
  PID:5848
- C:\Windows\System\LvsGkVV.exe
  C:\Windows\System\LvsGkVV.exe
  2⤵
  PID:5872
- C:\Windows\System\EfOFUuz.exe
  C:\Windows\System\EfOFUuz.exe
  2⤵
  PID:5900
- C:\Windows\System\plvZJdk.exe
  C:\Windows\System\plvZJdk.exe
  2⤵
  PID:5928
- C:\Windows\System\nBRNXmZ.exe
  C:\Windows\System\nBRNXmZ.exe
  2⤵
  PID:5956
- C:\Windows\System\lYTyoDV.exe
  C:\Windows\System\lYTyoDV.exe
  2⤵
  PID:6040
- C:\Windows\System\KYjQSbK.exe
  C:\Windows\System\KYjQSbK.exe
  2⤵
  PID:6084
- C:\Windows\System\rMFXhsM.exe
  C:\Windows\System\rMFXhsM.exe
  2⤵
  PID:6108
- C:\Windows\System\GMWlnpU.exe
  C:\Windows\System\GMWlnpU.exe
  2⤵
  PID:6128
- C:\Windows\System\ptqdbzn.exe
  C:\Windows\System\ptqdbzn.exe
  2⤵
  PID:3424
- C:\Windows\System\VQpemHG.exe
  C:\Windows\System\VQpemHG.exe
  2⤵
  PID:5164
- C:\Windows\System\iMzgsYB.exe
  C:\Windows\System\iMzgsYB.exe
  2⤵
  PID:5244
- C:\Windows\System\HIkWAGm.exe
  C:\Windows\System\HIkWAGm.exe
  2⤵
  PID:5284
- C:\Windows\System\TsIWlym.exe
  C:\Windows\System\TsIWlym.exe
  2⤵
  PID:5420
- C:\Windows\System\qLTJTrm.exe
  C:\Windows\System\qLTJTrm.exe
  2⤵
  PID:5500
- C:\Windows\System\liRBGkE.exe
  C:\Windows\System\liRBGkE.exe
  2⤵
  PID:5528
- C:\Windows\System\MoeTQWG.exe
  C:\Windows\System\MoeTQWG.exe
  2⤵
  PID:5560
- C:\Windows\System\uurZhjA.exe
  C:\Windows\System\uurZhjA.exe
  2⤵
  PID:5640
- C:\Windows\System\zkSBSgQ.exe
  C:\Windows\System\zkSBSgQ.exe
  2⤵
  PID:5696
- C:\Windows\System\QvABClR.exe
  C:\Windows\System\QvABClR.exe
  2⤵
  PID:3812
- C:\Windows\System\YqYyPDQ.exe
  C:\Windows\System\YqYyPDQ.exe
  2⤵
  PID:5804
- C:\Windows\System\YngoIUI.exe
  C:\Windows\System\YngoIUI.exe
  2⤵
  PID:3332
- C:\Windows\System\PGoYiXo.exe
  C:\Windows\System\PGoYiXo.exe
  2⤵
  PID:5868
- C:\Windows\System\IKJJjeZ.exe
  C:\Windows\System\IKJJjeZ.exe
  2⤵
  PID:5088
- C:\Windows\System\Sjhwrew.exe
  C:\Windows\System\Sjhwrew.exe
  2⤵
  PID:6016
- C:\Windows\System\adjpBDO.exe
  C:\Windows\System\adjpBDO.exe
  2⤵
  PID:3576
- C:\Windows\System\minuLSL.exe
  C:\Windows\System\minuLSL.exe
  2⤵
  PID:6116
- C:\Windows\System\IEhcxno.exe
  C:\Windows\System\IEhcxno.exe
  2⤵
  PID:4748
- C:\Windows\System\BpVeSEu.exe
  C:\Windows\System\BpVeSEu.exe
  2⤵
  PID:3404
- C:\Windows\System\pGdUsuS.exe
  C:\Windows\System\pGdUsuS.exe
  2⤵
  PID:2832
- C:\Windows\System\GmqImGt.exe
  C:\Windows\System\GmqImGt.exe
  2⤵
  PID:2952
- C:\Windows\System\iTbcXNT.exe
  C:\Windows\System\iTbcXNT.exe
  2⤵
  PID:1652
- C:\Windows\System\ecfbnpE.exe
  C:\Windows\System\ecfbnpE.exe
  2⤵
  PID:2428
- C:\Windows\System\HUiSjqD.exe
  C:\Windows\System\HUiSjqD.exe
  2⤵
  PID:5412
- C:\Windows\System\coGejLh.exe
  C:\Windows\System\coGejLh.exe
  2⤵
  PID:5524
- C:\Windows\System\qIDrNLY.exe
  C:\Windows\System\qIDrNLY.exe
  2⤵
  PID:5476
- C:\Windows\System\MCRhbDs.exe
  C:\Windows\System\MCRhbDs.exe
  2⤵
  PID:5724
- C:\Windows\System\AuMSTgV.exe
  C:\Windows\System\AuMSTgV.exe
  2⤵
  PID:5860
- C:\Windows\System\rxkoTLp.exe
  C:\Windows\System\rxkoTLp.exe
  2⤵
  PID:2892
- C:\Windows\System\xQLcuvD.exe
  C:\Windows\System\xQLcuvD.exe
  2⤵
  PID:5948
- C:\Windows\System\sixWJee.exe
  C:\Windows\System\sixWJee.exe
  2⤵
  PID:6080
- C:\Windows\System\NTVRYyG.exe
  C:\Windows\System\NTVRYyG.exe
  2⤵
  PID:1512
- C:\Windows\System\NGzDGWi.exe
  C:\Windows\System\NGzDGWi.exe
  2⤵
  PID:3792
- C:\Windows\System\NnqDAcX.exe
  C:\Windows\System\NnqDAcX.exe
  2⤵
  PID:5024
- C:\Windows\System\VTealpU.exe
  C:\Windows\System\VTealpU.exe
  2⤵
  PID:4780
- C:\Windows\System\VgOQkgs.exe
  C:\Windows\System\VgOQkgs.exe
  2⤵
  PID:5612
- C:\Windows\System\AMHLPJM.exe
  C:\Windows\System\AMHLPJM.exe
  2⤵
  PID:5616
- C:\Windows\System\DeNVfVK.exe
  C:\Windows\System\DeNVfVK.exe
  2⤵
  PID:6028
- C:\Windows\System\TsAbGws.exe
  C:\Windows\System\TsAbGws.exe
  2⤵
  PID:756
- C:\Windows\System\UAwtawz.exe
  C:\Windows\System\UAwtawz.exe
  2⤵
  PID:712
- C:\Windows\System\OrpOUEr.exe
  C:\Windows\System\OrpOUEr.exe
  2⤵
  PID:6180
- C:\Windows\System\zrccYAs.exe
  C:\Windows\System\zrccYAs.exe
  2⤵
  PID:6200
- C:\Windows\System\wgeQaEo.exe
  C:\Windows\System\wgeQaEo.exe
  2⤵
  PID:6236
- C:\Windows\System\pFhVxMq.exe
  C:\Windows\System\pFhVxMq.exe
  2⤵
  PID:6256
- C:\Windows\System\FQErJzw.exe
  C:\Windows\System\FQErJzw.exe
  2⤵
  PID:6272
- C:\Windows\System\DObcZhq.exe
  C:\Windows\System\DObcZhq.exe
  2⤵
  PID:6308
- C:\Windows\System\troJuET.exe
  C:\Windows\System\troJuET.exe
  2⤵
  PID:6348
- C:\Windows\System\lTGrgKc.exe
  C:\Windows\System\lTGrgKc.exe
  2⤵
  PID:6388
- C:\Windows\System\rIxSkmi.exe
  C:\Windows\System\rIxSkmi.exe
  2⤵
  PID:6420
- C:\Windows\System\SvQyPrJ.exe
  C:\Windows\System\SvQyPrJ.exe
  2⤵
  PID:6436
- C:\Windows\System\SUleauV.exe
  C:\Windows\System\SUleauV.exe
  2⤵
  PID:6460
- C:\Windows\System\ITQgwRX.exe
  C:\Windows\System\ITQgwRX.exe
  2⤵
  PID:6480
- C:\Windows\System\VFcrMan.exe
  C:\Windows\System\VFcrMan.exe
  2⤵
  PID:6528
- C:\Windows\System\FIouqTq.exe
  C:\Windows\System\FIouqTq.exe
  2⤵
  PID:6572
- C:\Windows\System\eyujhsr.exe
  C:\Windows\System\eyujhsr.exe
  2⤵
  PID:6596
- C:\Windows\System\lZcgMhz.exe
  C:\Windows\System\lZcgMhz.exe
  2⤵
  PID:6620
- C:\Windows\System\AtzOEQL.exe
  C:\Windows\System\AtzOEQL.exe
  2⤵
  PID:6636
- C:\Windows\System\YiLvmYW.exe
  C:\Windows\System\YiLvmYW.exe
  2⤵
  PID:6668
- C:\Windows\System\YpuKiJG.exe
  C:\Windows\System\YpuKiJG.exe
  2⤵
  PID:6684
- C:\Windows\System\VmBfcJu.exe
  C:\Windows\System\VmBfcJu.exe
  2⤵
  PID:6720
- C:\Windows\System\iOdBWGG.exe
  C:\Windows\System\iOdBWGG.exe
  2⤵
  PID:6744
- C:\Windows\System\RWJkuev.exe
  C:\Windows\System\RWJkuev.exe
  2⤵
  PID:6764
- C:\Windows\System\iZBtkPE.exe
  C:\Windows\System\iZBtkPE.exe
  2⤵
  PID:6792
- C:\Windows\System\JAwZWDl.exe
  C:\Windows\System\JAwZWDl.exe
  2⤵
  PID:6852
- C:\Windows\System\yVYWbcG.exe
  C:\Windows\System\yVYWbcG.exe
  2⤵
  PID:6876
- C:\Windows\System\aDWxeEb.exe
  C:\Windows\System\aDWxeEb.exe
  2⤵
  PID:6904
- C:\Windows\System\amFHdWx.exe
  C:\Windows\System\amFHdWx.exe
  2⤵
  PID:6928
- C:\Windows\System\EhRtIWY.exe
  C:\Windows\System\EhRtIWY.exe
  2⤵
  PID:6948
- C:\Windows\System\mRmWdBd.exe
  C:\Windows\System\mRmWdBd.exe
  2⤵
  PID:6992
- C:\Windows\System\yclqSwi.exe
  C:\Windows\System\yclqSwi.exe
  2⤵
  PID:7020
- C:\Windows\System\BFPWOhB.exe
  C:\Windows\System\BFPWOhB.exe
  2⤵
  PID:7040
- C:\Windows\System\FAyUSgy.exe
  C:\Windows\System\FAyUSgy.exe
  2⤵
  PID:7064
- C:\Windows\System\TmmZrBk.exe
  C:\Windows\System\TmmZrBk.exe
  2⤵
  PID:7084
- C:\Windows\System\ZtvGVDh.exe
  C:\Windows\System\ZtvGVDh.exe
  2⤵
  PID:7100
- C:\Windows\System\AOrENIU.exe
  C:\Windows\System\AOrENIU.exe
  2⤵
  PID:7128
- C:\Windows\System\NCRsOyh.exe
  C:\Windows\System\NCRsOyh.exe
  2⤵
  PID:7152
- C:\Windows\System\qDihvng.exe
  C:\Windows\System\qDihvng.exe
  2⤵
  PID:2324
- C:\Windows\System\AmaMyUq.exe
  C:\Windows\System\AmaMyUq.exe
  2⤵
  PID:432
- C:\Windows\System\QxCzaze.exe
  C:\Windows\System\QxCzaze.exe
  2⤵
  PID:6264
- C:\Windows\System\eePgfII.exe
  C:\Windows\System\eePgfII.exe
  2⤵
  PID:6328
- C:\Windows\System\OTQYosy.exe
  C:\Windows\System\OTQYosy.exe
  2⤵
  PID:6304
- C:\Windows\System\INylLIF.exe
  C:\Windows\System\INylLIF.exe
  2⤵
  PID:6400
- C:\Windows\System\MTNSYbo.exe
  C:\Windows\System\MTNSYbo.exe
  2⤵
  PID:6444
- C:\Windows\System\OPtFMFv.exe
  C:\Windows\System\OPtFMFv.exe
  2⤵
  PID:6472
- C:\Windows\System\GOQJQds.exe
  C:\Windows\System\GOQJQds.exe
  2⤵
  PID:6560
- C:\Windows\System\NJBvmjg.exe
  C:\Windows\System\NJBvmjg.exe
  2⤵
  PID:6680
- C:\Windows\System\SUiRtgq.exe
  C:\Windows\System\SUiRtgq.exe
  2⤵
  PID:6728
- C:\Windows\System\IansLnE.exe
  C:\Windows\System\IansLnE.exe
  2⤵
  PID:6848
- C:\Windows\System\mgPrTEy.exe
  C:\Windows\System\mgPrTEy.exe
  2⤵
  PID:6892
- C:\Windows\System\PcBZteR.exe
  C:\Windows\System\PcBZteR.exe
  2⤵
  PID:6940
- C:\Windows\System\NugvvkA.exe
  C:\Windows\System\NugvvkA.exe
  2⤵
  PID:7008
- C:\Windows\System\flvsMbo.exe
  C:\Windows\System\flvsMbo.exe
  2⤵
  PID:7056
- C:\Windows\System\ZbgMXrc.exe
  C:\Windows\System\ZbgMXrc.exe
  2⤵
  PID:7080
- C:\Windows\System\FFHVqgv.exe
  C:\Windows\System\FFHVqgv.exe
  2⤵
  PID:6176
- C:\Windows\System\CrSWNlg.exe
  C:\Windows\System\CrSWNlg.exe
  2⤵
  PID:6296
- C:\Windows\System\OIyjBZJ.exe
  C:\Windows\System\OIyjBZJ.exe
  2⤵
  PID:6384
- C:\Windows\System\mksgIoS.exe
  C:\Windows\System\mksgIoS.exe
  2⤵
  PID:6692
- C:\Windows\System\mzrnMTJ.exe
  C:\Windows\System\mzrnMTJ.exe
  2⤵
  PID:6756
- C:\Windows\System\CkPepQs.exe
  C:\Windows\System\CkPepQs.exe
  2⤵
  PID:6760
- C:\Windows\System\QjrZhoU.exe
  C:\Windows\System\QjrZhoU.exe
  2⤵
  PID:6912
- C:\Windows\System\lwKeLmL.exe
  C:\Windows\System\lwKeLmL.exe
  2⤵
  PID:5752
- C:\Windows\System\vErTwrn.exe
  C:\Windows\System\vErTwrn.exe
  2⤵
  PID:6428
- C:\Windows\System\lDHgVpj.exe
  C:\Windows\System\lDHgVpj.exe
  2⤵
  PID:6820
- C:\Windows\System\RdcwjWg.exe
  C:\Windows\System\RdcwjWg.exe
  2⤵
  PID:7028
- C:\Windows\System\UYFxAsU.exe
  C:\Windows\System\UYFxAsU.exe
  2⤵
  PID:6628
- C:\Windows\System\rcwljqK.exe
  C:\Windows\System\rcwljqK.exe
  2⤵
  PID:7188
- C:\Windows\System\wMvnNCn.exe
  C:\Windows\System\wMvnNCn.exe
  2⤵
  PID:7212
- C:\Windows\System\JcxuoLL.exe
  C:\Windows\System\JcxuoLL.exe
  2⤵
  PID:7236
- C:\Windows\System\nMLcxkr.exe
  C:\Windows\System\nMLcxkr.exe
  2⤵
  PID:7268
- C:\Windows\System\cBAZjCQ.exe
  C:\Windows\System\cBAZjCQ.exe
  2⤵
  PID:7284
- C:\Windows\System\uEXZeav.exe
  C:\Windows\System\uEXZeav.exe
  2⤵
  PID:7336
- C:\Windows\System\ppVtBZS.exe
  C:\Windows\System\ppVtBZS.exe
  2⤵
  PID:7360
- C:\Windows\System\yMkNCCI.exe
  C:\Windows\System\yMkNCCI.exe
  2⤵
  PID:7380
- C:\Windows\System\btsakGe.exe
  C:\Windows\System\btsakGe.exe
  2⤵
  PID:7408
- C:\Windows\System\HgJZvcY.exe
  C:\Windows\System\HgJZvcY.exe
  2⤵
  PID:7436
- C:\Windows\System\PHYUaIO.exe
  C:\Windows\System\PHYUaIO.exe
  2⤵
  PID:7460
- C:\Windows\System\xLZynfS.exe
  C:\Windows\System\xLZynfS.exe
  2⤵
  PID:7476
- C:\Windows\System\xiwSzTl.exe
  C:\Windows\System\xiwSzTl.exe
  2⤵
  PID:7516
- C:\Windows\System\uHtoxll.exe
  C:\Windows\System\uHtoxll.exe
  2⤵
  PID:7540
- C:\Windows\System\oiWOMKW.exe
  C:\Windows\System\oiWOMKW.exe
  2⤵
  PID:7588
- C:\Windows\System\JAsyiga.exe
  C:\Windows\System\JAsyiga.exe
  2⤵
  PID:7636
- C:\Windows\System\oRbZWYM.exe
  C:\Windows\System\oRbZWYM.exe
  2⤵
  PID:7660
- C:\Windows\System\IqnFqrR.exe
  C:\Windows\System\IqnFqrR.exe
  2⤵
  PID:7684
- C:\Windows\System\UBvNrCN.exe
  C:\Windows\System\UBvNrCN.exe
  2⤵
  PID:7700
- C:\Windows\System\qsOVhmf.exe
  C:\Windows\System\qsOVhmf.exe
  2⤵
  PID:7732
- C:\Windows\System\mhdQUGY.exe
  C:\Windows\System\mhdQUGY.exe
  2⤵
  PID:7756
- C:\Windows\System\vYktQeN.exe
  C:\Windows\System\vYktQeN.exe
  2⤵
  PID:7780
- C:\Windows\System\rWExAgJ.exe
  C:\Windows\System\rWExAgJ.exe
  2⤵
  PID:7800
- C:\Windows\System\SbfZJHR.exe
  C:\Windows\System\SbfZJHR.exe
  2⤵
  PID:7884
- C:\Windows\System\xwfXRZW.exe
  C:\Windows\System\xwfXRZW.exe
  2⤵
  PID:7900
- C:\Windows\System\dtCLQtf.exe
  C:\Windows\System\dtCLQtf.exe
  2⤵
  PID:7924
- C:\Windows\System\lqKmcNI.exe
  C:\Windows\System\lqKmcNI.exe
  2⤵
  PID:7944
- C:\Windows\System\IGBDCQe.exe
  C:\Windows\System\IGBDCQe.exe
  2⤵
  PID:7964
- C:\Windows\System\HXGRIPy.exe
  C:\Windows\System\HXGRIPy.exe
  2⤵
  PID:7992
- C:\Windows\System\rGSVDQQ.exe
  C:\Windows\System\rGSVDQQ.exe
  2⤵
  PID:8024
- C:\Windows\System\FAwEXnB.exe
  C:\Windows\System\FAwEXnB.exe
  2⤵
  PID:8040
- C:\Windows\System\XJnTlQn.exe
  C:\Windows\System\XJnTlQn.exe
  2⤵
  PID:8068
- C:\Windows\System\QNkPUqa.exe
  C:\Windows\System\QNkPUqa.exe
  2⤵
  PID:8092
- C:\Windows\System\EmeZxTi.exe
  C:\Windows\System\EmeZxTi.exe
  2⤵
  PID:8152
- C:\Windows\System\RKLSCnU.exe
  C:\Windows\System\RKLSCnU.exe
  2⤵
  PID:8176
- C:\Windows\System\PITbUtR.exe
  C:\Windows\System\PITbUtR.exe
  2⤵
  PID:6504
- C:\Windows\System\kEjInWl.exe
  C:\Windows\System\kEjInWl.exe
  2⤵
  PID:7224
- C:\Windows\System\rVaHBNQ.exe
  C:\Windows\System\rVaHBNQ.exe
  2⤵
  PID:7304
- C:\Windows\System\vlCYqFH.exe
  C:\Windows\System\vlCYqFH.exe
  2⤵
  PID:7252
- C:\Windows\System\VsFHGZo.exe
  C:\Windows\System\VsFHGZo.exe
  2⤵
  PID:7324
- C:\Windows\System\qpOjphL.exe
  C:\Windows\System\qpOjphL.exe
  2⤵
  PID:7416
- C:\Windows\System\vGBsvoF.exe
  C:\Windows\System\vGBsvoF.exe
  2⤵
  PID:7448
- C:\Windows\System\HRipgQP.exe
  C:\Windows\System\HRipgQP.exe
  2⤵
  PID:7504
- C:\Windows\System\TFJqhkr.exe
  C:\Windows\System\TFJqhkr.exe
  2⤵
  PID:7568
- C:\Windows\System\hHXHDhO.exe
  C:\Windows\System\hHXHDhO.exe
  2⤵
  PID:7600
- C:\Windows\System\nmLkCQN.exe
  C:\Windows\System\nmLkCQN.exe
  2⤵
  PID:7696
- C:\Windows\System\mHmqjMJ.exe
  C:\Windows\System\mHmqjMJ.exe
  2⤵
  PID:7840
- C:\Windows\System\gBZxcFO.exe
  C:\Windows\System\gBZxcFO.exe
  2⤵
  PID:7936
- C:\Windows\System\mPSfZfC.exe
  C:\Windows\System\mPSfZfC.exe
  2⤵
  PID:7980
- C:\Windows\System\igYPkTP.exe
  C:\Windows\System\igYPkTP.exe
  2⤵
  PID:8060
- C:\Windows\System\CcbLgCT.exe
  C:\Windows\System\CcbLgCT.exe
  2⤵
  PID:8108
- C:\Windows\System\FweROkL.exe
  C:\Windows\System\FweROkL.exe
  2⤵
  PID:8144
- C:\Windows\System\hfHkEEG.exe
  C:\Windows\System\hfHkEEG.exe
  2⤵
  PID:6300
- C:\Windows\System\imSnRcD.exe
  C:\Windows\System\imSnRcD.exe
  2⤵
  PID:7488
- C:\Windows\System\BAStFBd.exe
  C:\Windows\System\BAStFBd.exe
  2⤵
  PID:7468
- C:\Windows\System\WGJbvxQ.exe
  C:\Windows\System\WGJbvxQ.exe
  2⤵
  PID:7724
- C:\Windows\System\NWUCITc.exe
  C:\Windows\System\NWUCITc.exe
  2⤵
  PID:7796
- C:\Windows\System\fpUtvHL.exe
  C:\Windows\System\fpUtvHL.exe
  2⤵
  PID:7960
- C:\Windows\System\bfZdYWh.exe
  C:\Windows\System\bfZdYWh.exe
  2⤵
  PID:1644
- C:\Windows\System\cTLaGLw.exe
  C:\Windows\System\cTLaGLw.exe
  2⤵
  PID:8124
- C:\Windows\System\sEKbior.exe
  C:\Windows\System\sEKbior.exe
  2⤵
  PID:7352
- C:\Windows\System\sCStNvb.exe
  C:\Windows\System\sCStNvb.exe
  2⤵
  PID:2336
- C:\Windows\System\ktHbDRq.exe
  C:\Windows\System\ktHbDRq.exe
  2⤵
  PID:8080
- C:\Windows\System\SVufmvM.exe
  C:\Windows\System\SVufmvM.exe
  2⤵
  PID:1200
- C:\Windows\System\pkGyCmx.exe
  C:\Windows\System\pkGyCmx.exe
  2⤵
  PID:8216
- C:\Windows\System\oBdVuMo.exe
  C:\Windows\System\oBdVuMo.exe
  2⤵
  PID:8232
- C:\Windows\System\BhRxZea.exe
  C:\Windows\System\BhRxZea.exe
  2⤵
  PID:8292
- C:\Windows\System\LcdeCKq.exe
  C:\Windows\System\LcdeCKq.exe
  2⤵
  PID:8316
- C:\Windows\System\WCZxbzE.exe
  C:\Windows\System\WCZxbzE.exe
  2⤵
  PID:8372
- C:\Windows\System\wYgkxZA.exe
  C:\Windows\System\wYgkxZA.exe
  2⤵
  PID:8404
- C:\Windows\System\wbEnFMJ.exe
  C:\Windows\System\wbEnFMJ.exe
  2⤵
  PID:8444
- C:\Windows\System\iGzGJJN.exe
  C:\Windows\System\iGzGJJN.exe
  2⤵
  PID:8484
- C:\Windows\System\hbbNwqY.exe
  C:\Windows\System\hbbNwqY.exe
  2⤵
  PID:8524
- C:\Windows\System\kuOytRD.exe
  C:\Windows\System\kuOytRD.exe
  2⤵
  PID:8544
- C:\Windows\System\ivlrypE.exe
  C:\Windows\System\ivlrypE.exe
  2⤵
  PID:8568
- C:\Windows\System\ILBFqxq.exe
  C:\Windows\System\ILBFqxq.exe
  2⤵
  PID:8596
- C:\Windows\System\YRJfwlP.exe
  C:\Windows\System\YRJfwlP.exe
  2⤵
  PID:8616
- C:\Windows\System\BEWVsTo.exe
  C:\Windows\System\BEWVsTo.exe
  2⤵
  PID:8644
- C:\Windows\System\uDLhodC.exe
  C:\Windows\System\uDLhodC.exe
  2⤵
  PID:8680
- C:\Windows\System\AgmsGMj.exe
  C:\Windows\System\AgmsGMj.exe
  2⤵
  PID:8712
- C:\Windows\System\uYZQKZU.exe
  C:\Windows\System\uYZQKZU.exe
  2⤵
  PID:8732
- C:\Windows\System\FBFeMYX.exe
  C:\Windows\System\FBFeMYX.exe
  2⤵
  PID:8772
- C:\Windows\System\LNVSPii.exe
  C:\Windows\System\LNVSPii.exe
  2⤵
  PID:8800
- C:\Windows\System\QoCihjU.exe
  C:\Windows\System\QoCihjU.exe
  2⤵
  PID:8824
- C:\Windows\System\kKyalNU.exe
  C:\Windows\System\kKyalNU.exe
  2⤵
  PID:8848
- C:\Windows\System\mjhuEiO.exe
  C:\Windows\System\mjhuEiO.exe
  2⤵
  PID:8872
- C:\Windows\System\rkjZSWR.exe
  C:\Windows\System\rkjZSWR.exe
  2⤵
  PID:8900
- C:\Windows\System\CCHtOOb.exe
  C:\Windows\System\CCHtOOb.exe
  2⤵
  PID:8932
- C:\Windows\System\xBTcTIV.exe
  C:\Windows\System\xBTcTIV.exe
  2⤵
  PID:8956
- C:\Windows\System\ckkppqX.exe
  C:\Windows\System\ckkppqX.exe
  2⤵
  PID:8972
- C:\Windows\System\uFMoGnz.exe
  C:\Windows\System\uFMoGnz.exe
  2⤵
  PID:8996
- C:\Windows\System\gGNZvAm.exe
  C:\Windows\System\gGNZvAm.exe
  2⤵
  PID:9036
- C:\Windows\System\XMDqrKh.exe
  C:\Windows\System\XMDqrKh.exe
  2⤵
  PID:9068
- C:\Windows\System\rCLYEZM.exe
  C:\Windows\System\rCLYEZM.exe
  2⤵
  PID:9088
- C:\Windows\System\LHNrTut.exe
  C:\Windows\System\LHNrTut.exe
  2⤵
  PID:9104
- C:\Windows\System\rJQEdro.exe
  C:\Windows\System\rJQEdro.exe
  2⤵
  PID:9124
- C:\Windows\System\QZwhjXs.exe
  C:\Windows\System\QZwhjXs.exe
  2⤵
  PID:9140
- C:\Windows\System\bATDGuO.exe
  C:\Windows\System\bATDGuO.exe
  2⤵
  PID:9160
- C:\Windows\System\NEKaMvy.exe
  C:\Windows\System\NEKaMvy.exe
  2⤵
  PID:9176
- C:\Windows\System\KDidkbO.exe
  C:\Windows\System\KDidkbO.exe
  2⤵
  PID:9204
- C:\Windows\System\nHFTaWT.exe
  C:\Windows\System\nHFTaWT.exe
  2⤵
  PID:4620
- C:\Windows\System\lhRKIls.exe
  C:\Windows\System\lhRKIls.exe
  2⤵
  PID:8380
- C:\Windows\System\ewrJEfK.exe
  C:\Windows\System\ewrJEfK.exe
  2⤵
  PID:8476
- C:\Windows\System\MDvNWFE.exe
  C:\Windows\System\MDvNWFE.exe
  2⤵
  PID:8560
- C:\Windows\System\BLoofQF.exe
  C:\Windows\System\BLoofQF.exe
  2⤵
  PID:8884
- C:\Windows\System\haiIcFN.exe
  C:\Windows\System\haiIcFN.exe
  2⤵
  PID:8912
- C:\Windows\System\UdfmvNy.exe
  C:\Windows\System\UdfmvNy.exe
  2⤵
  PID:8928
- C:\Windows\System\DXskmBn.exe
  C:\Windows\System\DXskmBn.exe
  2⤵
  PID:9096
- C:\Windows\System\XXviKBY.exe
  C:\Windows\System\XXviKBY.exe
  2⤵
  PID:9152
- C:\Windows\System\bUPTnUM.exe
  C:\Windows\System\bUPTnUM.exe
  2⤵
  PID:9200
- C:\Windows\System\yPYNGvT.exe
  C:\Windows\System\yPYNGvT.exe
  2⤵
  PID:8284
- C:\Windows\System\CDPyKAV.exe
  C:\Windows\System\CDPyKAV.exe
  2⤵
  PID:8412
- C:\Windows\System\ztFuxJz.exe
  C:\Windows\System\ztFuxJz.exe
  2⤵
  PID:8744
- C:\Windows\System\GvUdXeR.exe
  C:\Windows\System\GvUdXeR.exe
  2⤵
  PID:8820
- C:\Windows\System\ZgYBVUc.exe
  C:\Windows\System\ZgYBVUc.exe
  2⤵
  PID:8796
- C:\Windows\System\yATaFGm.exe
  C:\Windows\System\yATaFGm.exe
  2⤵
  PID:8880
- C:\Windows\System\UGcxjPb.exe
  C:\Windows\System\UGcxjPb.exe
  2⤵
  PID:8924
- C:\Windows\System\YggzVxa.exe
  C:\Windows\System\YggzVxa.exe
  2⤵
  PID:9060
- C:\Windows\System\BWYHtlN.exe
  C:\Windows\System\BWYHtlN.exe
  2⤵
  PID:8200
- C:\Windows\System\amDtodl.exe
  C:\Windows\System\amDtodl.exe
  2⤵
  PID:8396
- C:\Windows\System\OFnqwwc.exe
  C:\Windows\System\OFnqwwc.exe
  2⤵
  PID:8856
- C:\Windows\System\jTbueUF.exe
  C:\Windows\System\jTbueUF.exe
  2⤵
  PID:8588
- C:\Windows\System\JxnjlkS.exe
  C:\Windows\System\JxnjlkS.exe
  2⤵
  PID:9064
- C:\Windows\System\ZkzRxml.exe
  C:\Windows\System\ZkzRxml.exe
  2⤵
  PID:8704
- C:\Windows\System\LNdtCFR.exe
  C:\Windows\System\LNdtCFR.exe
  2⤵
  PID:8768
- C:\Windows\System\ozDyfan.exe
  C:\Windows\System\ozDyfan.exe
  2⤵
  PID:9232
- C:\Windows\System\dwNDHFo.exe
  C:\Windows\System\dwNDHFo.exe
  2⤵
  PID:9252
- C:\Windows\System\bYbudFj.exe
  C:\Windows\System\bYbudFj.exe
  2⤵
  PID:9280
- C:\Windows\System\wfLTQTR.exe
  C:\Windows\System\wfLTQTR.exe
  2⤵
  PID:9308
- C:\Windows\System\vTkgEgg.exe
  C:\Windows\System\vTkgEgg.exe
  2⤵
  PID:9348
- C:\Windows\System\JrmqnHz.exe
  C:\Windows\System\JrmqnHz.exe
  2⤵
  PID:9364
- C:\Windows\System\xrGkqFW.exe
  C:\Windows\System\xrGkqFW.exe
  2⤵
  PID:9396
- C:\Windows\System\fTsuhvb.exe
  C:\Windows\System\fTsuhvb.exe
  2⤵
  PID:9420
- C:\Windows\System\sfEInRm.exe
  C:\Windows\System\sfEInRm.exe
  2⤵
  PID:9452
- C:\Windows\System\YXERheZ.exe
  C:\Windows\System\YXERheZ.exe
  2⤵
  PID:9472
- C:\Windows\System\EVgBBnl.exe
  C:\Windows\System\EVgBBnl.exe
  2⤵
  PID:9492
- C:\Windows\System\NLlRgDb.exe
  C:\Windows\System\NLlRgDb.exe
  2⤵
  PID:9516
- C:\Windows\System\IIzaJtk.exe
  C:\Windows\System\IIzaJtk.exe
  2⤵
  PID:9552
- C:\Windows\System\QdSXnKY.exe
  C:\Windows\System\QdSXnKY.exe
  2⤵
  PID:9572
- C:\Windows\System\wToVZUy.exe
  C:\Windows\System\wToVZUy.exe
  2⤵
  PID:9600
- C:\Windows\System\bJHrMrU.exe
  C:\Windows\System\bJHrMrU.exe
  2⤵
  PID:9644
- C:\Windows\System\JrpmfXP.exe
  C:\Windows\System\JrpmfXP.exe
  2⤵
  PID:9672
- C:\Windows\System\JvunvYS.exe
  C:\Windows\System\JvunvYS.exe
  2⤵
  PID:9720
- C:\Windows\System\YVIwEQI.exe
  C:\Windows\System\YVIwEQI.exe
  2⤵
  PID:9744
- C:\Windows\System\hGyShXk.exe
  C:\Windows\System\hGyShXk.exe
  2⤵
  PID:9776
- C:\Windows\System\FMQNQxA.exe
  C:\Windows\System\FMQNQxA.exe
  2⤵
  PID:9800
- C:\Windows\System\RmwBxOf.exe
  C:\Windows\System\RmwBxOf.exe
  2⤵
  PID:9828
- C:\Windows\System\kIkLEOm.exe
  C:\Windows\System\kIkLEOm.exe
  2⤵
  PID:9852
- C:\Windows\System\FAPjHEj.exe
  C:\Windows\System\FAPjHEj.exe
  2⤵
  PID:9888
- C:\Windows\System\HdIHjDX.exe
  C:\Windows\System\HdIHjDX.exe
  2⤵
  PID:9908
- C:\Windows\System\kgsBcCJ.exe
  C:\Windows\System\kgsBcCJ.exe
  2⤵
  PID:9932
- C:\Windows\System\qSzPTIX.exe
  C:\Windows\System\qSzPTIX.exe
  2⤵
  PID:9960
- C:\Windows\System\mZJycLd.exe
  C:\Windows\System\mZJycLd.exe
  2⤵
  PID:9984
- C:\Windows\System\WRXgHbN.exe
  C:\Windows\System\WRXgHbN.exe
  2⤵
  PID:10008
- C:\Windows\System\yBmdeNp.exe
  C:\Windows\System\yBmdeNp.exe
  2⤵
  PID:10028
- C:\Windows\System\uKUOEpM.exe
  C:\Windows\System\uKUOEpM.exe
  2⤵
  PID:10052
- C:\Windows\System\eFRZAYK.exe
  C:\Windows\System\eFRZAYK.exe
  2⤵
  PID:10104
- C:\Windows\System\YVXPVmx.exe
  C:\Windows\System\YVXPVmx.exe
  2⤵
  PID:10124
- C:\Windows\System\uigbvbG.exe
  C:\Windows\System\uigbvbG.exe
  2⤵
  PID:10152
- C:\Windows\System\PydqjNg.exe
  C:\Windows\System\PydqjNg.exe
  2⤵
  PID:10180
- C:\Windows\System\evuSiEm.exe
  C:\Windows\System\evuSiEm.exe
  2⤵
  PID:10208
- C:\Windows\System\OvIUCwy.exe
  C:\Windows\System\OvIUCwy.exe
  2⤵
  PID:10224
- C:\Windows\System\QmBtDyf.exe
  C:\Windows\System\QmBtDyf.exe
  2⤵
  PID:9260
- C:\Windows\System\rhQPkbA.exe
  C:\Windows\System\rhQPkbA.exe
  2⤵
  PID:9328
- C:\Windows\System\afcAyhb.exe
  C:\Windows\System\afcAyhb.exe
  2⤵
  PID:9388
- C:\Windows\System\bIOOapP.exe
  C:\Windows\System\bIOOapP.exe
  2⤵
  PID:9428
- C:\Windows\System\LnDFxPO.exe
  C:\Windows\System\LnDFxPO.exe
  2⤵
  PID:9500
- C:\Windows\System\rGtRzhr.exe
  C:\Windows\System\rGtRzhr.exe
  2⤵
  PID:9564
- C:\Windows\System\qphqpUs.exe
  C:\Windows\System\qphqpUs.exe
  2⤵
  PID:9596
- C:\Windows\System\zMEGXsI.exe
  C:\Windows\System\zMEGXsI.exe
  2⤵
  PID:9664
- C:\Windows\System\oZgNHhM.exe
  C:\Windows\System\oZgNHhM.exe
  2⤵
  PID:9732
- C:\Windows\System\rUGhbmP.exe
  C:\Windows\System\rUGhbmP.exe
  2⤵
  PID:9808
- C:\Windows\System\CQbSmco.exe
  C:\Windows\System\CQbSmco.exe
  2⤵
  PID:9864
- C:\Windows\System\QNSKzWr.exe
  C:\Windows\System\QNSKzWr.exe
  2⤵
  PID:9924
- C:\Windows\System\Uetrpje.exe
  C:\Windows\System\Uetrpje.exe
  2⤵
  PID:10020
- C:\Windows\System\jvmNXbP.exe
  C:\Windows\System\jvmNXbP.exe
  2⤵
  PID:10088
- C:\Windows\System\FPTYAnt.exe
  C:\Windows\System\FPTYAnt.exe
  2⤵
  PID:10116
- C:\Windows\System\GTFqDAB.exe
  C:\Windows\System\GTFqDAB.exe
  2⤵
  PID:10188
- C:\Windows\System\zCGNzhT.exe
  C:\Windows\System\zCGNzhT.exe
  2⤵
  PID:9132
- C:\Windows\System\QXmiUNb.exe
  C:\Windows\System\QXmiUNb.exe
  2⤵
  PID:9412
- C:\Windows\System\aSmEUBA.exe
  C:\Windows\System\aSmEUBA.exe
  2⤵
  PID:9560
- C:\Windows\System\baxQQnq.exe
  C:\Windows\System\baxQQnq.exe
  2⤵
  PID:9640
- C:\Windows\System\UoAVsLW.exe
  C:\Windows\System\UoAVsLW.exe
  2⤵
  PID:9772
- C:\Windows\System\SfidzZR.exe
  C:\Windows\System\SfidzZR.exe
  2⤵
  PID:9968
- C:\Windows\System\orUxUGM.exe
  C:\Windows\System\orUxUGM.exe
  2⤵
  PID:10080
- C:\Windows\System\zLlAfwF.exe
  C:\Windows\System\zLlAfwF.exe
  2⤵
  PID:10172
- C:\Windows\System\LfenAaR.exe
  C:\Windows\System\LfenAaR.exe
  2⤵
  PID:9464
- C:\Windows\System\TJChICq.exe
  C:\Windows\System\TJChICq.exe
  2⤵
  PID:9716
- C:\Windows\System\vDdlMUd.exe
  C:\Windows\System\vDdlMUd.exe
  2⤵
  PID:10136
- C:\Windows\System\romXaWQ.exe
  C:\Windows\System\romXaWQ.exe
  2⤵
  PID:9356
- C:\Windows\System\HSZybKb.exe
  C:\Windows\System\HSZybKb.exe
  2⤵
  PID:10256
- C:\Windows\System\NYxgxbw.exe
  C:\Windows\System\NYxgxbw.exe
  2⤵
  PID:10276
- C:\Windows\System\AdXxTdd.exe
  C:\Windows\System\AdXxTdd.exe
  2⤵
  PID:10296
- C:\Windows\System\NDPyMAD.exe
  C:\Windows\System\NDPyMAD.exe
  2⤵
  PID:10324
- C:\Windows\System\ciESjIr.exe
  C:\Windows\System\ciESjIr.exe
  2⤵
  PID:10368
- C:\Windows\System\gtlKWCS.exe
  C:\Windows\System\gtlKWCS.exe
  2⤵
  PID:10388
- C:\Windows\System\HSfmwdd.exe
  C:\Windows\System\HSfmwdd.exe
  2⤵
  PID:10412
- C:\Windows\System\iWnsZio.exe
  C:\Windows\System\iWnsZio.exe
  2⤵
  PID:10444
- C:\Windows\System\tPckcAZ.exe
  C:\Windows\System\tPckcAZ.exe
  2⤵
  PID:10472
- C:\Windows\System\jiEmPsT.exe
  C:\Windows\System\jiEmPsT.exe
  2⤵
  PID:10500
- C:\Windows\System\HSlcfuW.exe
  C:\Windows\System\HSlcfuW.exe
  2⤵
  PID:10528
- C:\Windows\System\YsBjucI.exe
  C:\Windows\System\YsBjucI.exe
  2⤵
  PID:10548
- C:\Windows\System\egUqqGW.exe
  C:\Windows\System\egUqqGW.exe
  2⤵
  PID:10584
- C:\Windows\System\dehNcov.exe
  C:\Windows\System\dehNcov.exe
  2⤵
  PID:10624
- C:\Windows\System\lzhAVAT.exe
  C:\Windows\System\lzhAVAT.exe
  2⤵
  PID:10644
- C:\Windows\System\LZHfFzj.exe
  C:\Windows\System\LZHfFzj.exe
  2⤵
  PID:10684
- C:\Windows\System\ptIGVRb.exe
  C:\Windows\System\ptIGVRb.exe
  2⤵
  PID:10708
- C:\Windows\System\njvmfmq.exe
  C:\Windows\System\njvmfmq.exe
  2⤵
  PID:10736
- C:\Windows\System\rrdEQiA.exe
  C:\Windows\System\rrdEQiA.exe
  2⤵
  PID:10764
- C:\Windows\System\wJLjJwj.exe
  C:\Windows\System\wJLjJwj.exe
  2⤵
  PID:10784
- C:\Windows\System\XAcWAYB.exe
  C:\Windows\System\XAcWAYB.exe
  2⤵
  PID:10804
- C:\Windows\System\CPVoaqJ.exe
  C:\Windows\System\CPVoaqJ.exe
  2⤵
  PID:10848
- C:\Windows\System\RCtBOuV.exe
  C:\Windows\System\RCtBOuV.exe
  2⤵
  PID:10876
- C:\Windows\System\hKbUONm.exe
  C:\Windows\System\hKbUONm.exe
  2⤵
  PID:10896
- C:\Windows\System\rkASByq.exe
  C:\Windows\System\rkASByq.exe
  2⤵
  PID:10924
- C:\Windows\System\dMQYrwq.exe
  C:\Windows\System\dMQYrwq.exe
  2⤵
  PID:10948
- C:\Windows\System\NlSceUB.exe
  C:\Windows\System\NlSceUB.exe
  2⤵
  PID:10988
- C:\Windows\System\gsWifXT.exe
  C:\Windows\System\gsWifXT.exe
  2⤵
  PID:11008
- C:\Windows\System\muegHGO.exe
  C:\Windows\System\muegHGO.exe
  2⤵
  PID:11044
- C:\Windows\System\EkycUUp.exe
  C:\Windows\System\EkycUUp.exe
  2⤵
  PID:11060
- C:\Windows\System\dwbGeJm.exe
  C:\Windows\System\dwbGeJm.exe
  2⤵
  PID:11088
- C:\Windows\System\gwSyFJS.exe
  C:\Windows\System\gwSyFJS.exe
  2⤵
  PID:11124
- C:\Windows\System\zDNSTdP.exe
  C:\Windows\System\zDNSTdP.exe
  2⤵
  PID:11140
- C:\Windows\System\KlEjrmS.exe
  C:\Windows\System\KlEjrmS.exe
  2⤵
  PID:11168
- C:\Windows\System\GhvMnDA.exe
  C:\Windows\System\GhvMnDA.exe
  2⤵
  PID:11192
- C:\Windows\System\drxXWeM.exe
  C:\Windows\System\drxXWeM.exe
  2⤵
  PID:11212
- C:\Windows\System\fSZFIBT.exe
  C:\Windows\System\fSZFIBT.exe
  2⤵
  PID:11240
- C:\Windows\System\kPUlPYH.exe
  C:\Windows\System\kPUlPYH.exe
  2⤵
  PID:10304
- C:\Windows\System\MMHWMAO.exe
  C:\Windows\System\MMHWMAO.exe
  2⤵
  PID:10360
- C:\Windows\System\MGKyMXM.exe
  C:\Windows\System\MGKyMXM.exe
  2⤵
  PID:10400
- C:\Windows\System\mASJPou.exe
  C:\Windows\System\mASJPou.exe
  2⤵
  PID:10456
- C:\Windows\System\JrUUmox.exe
  C:\Windows\System\JrUUmox.exe
  2⤵
  PID:10488
- C:\Windows\System\BulICpE.exe
  C:\Windows\System\BulICpE.exe
  2⤵
  PID:10576
- C:\Windows\System\xavnXLB.exe
  C:\Windows\System\xavnXLB.exe
  2⤵
  PID:10680
- C:\Windows\System\zuzHUlU.exe
  C:\Windows\System\zuzHUlU.exe
  2⤵
  PID:10752
- C:\Windows\System\isKHPRI.exe
  C:\Windows\System\isKHPRI.exe
  2⤵
  PID:10796
- C:\Windows\System\IuzRgPu.exe
  C:\Windows\System\IuzRgPu.exe
  2⤵
  PID:10888
- C:\Windows\System\itEdvlo.exe
  C:\Windows\System\itEdvlo.exe
  2⤵
  PID:10956
- C:\Windows\System\whYqYMJ.exe
  C:\Windows\System\whYqYMJ.exe
  2⤵
  PID:11028
- C:\Windows\System\AIZrZNj.exe
  C:\Windows\System\AIZrZNj.exe
  2⤵
  PID:11100
- C:\Windows\System\BzsfXHI.exe
  C:\Windows\System\BzsfXHI.exe
  2⤵
  PID:11108
- C:\Windows\System\lRPcOBr.exe
  C:\Windows\System\lRPcOBr.exe
  2⤵
  PID:11160
- C:\Windows\System\dFUjPFF.exe
  C:\Windows\System\dFUjPFF.exe
  2⤵
  PID:11200
- C:\Windows\System\NiEzXNM.exe
  C:\Windows\System\NiEzXNM.exe
  2⤵
  PID:10264
- C:\Windows\System\hgpZaGW.exe
  C:\Windows\System\hgpZaGW.exe
  2⤵
  PID:10404
- C:\Windows\System\QStpLmX.exe
  C:\Windows\System\QStpLmX.exe
  2⤵
  PID:10620
- C:\Windows\System\fRgkvOn.exe
  C:\Windows\System\fRgkvOn.exe
  2⤵
  PID:10776
- C:\Windows\System\tBFKTzv.exe
  C:\Windows\System\tBFKTzv.exe
  2⤵
  PID:11000
- C:\Windows\System\YPpBPlU.exe
  C:\Windows\System\YPpBPlU.exe
  2⤵
  PID:11132
- C:\Windows\System\HwZtqAk.exe
  C:\Windows\System\HwZtqAk.exe
  2⤵
  PID:11236
- C:\Windows\System\hDJNUqX.exe
  C:\Windows\System\hDJNUqX.exe
  2⤵
  PID:10660
- C:\Windows\System\jJLRWnV.exe
  C:\Windows\System\jJLRWnV.exe
  2⤵
  PID:10996
- C:\Windows\System\CnaoTuN.exe
  C:\Windows\System\CnaoTuN.exe
  2⤵
  PID:11180
- C:\Windows\System\rUUwwzV.exe
  C:\Windows\System\rUUwwzV.exe
  2⤵
  PID:11148
- C:\Windows\System\aDEGTky.exe
  C:\Windows\System\aDEGTky.exe
  2⤵
  PID:11268
- C:\Windows\System\ylgHkjv.exe
  C:\Windows\System\ylgHkjv.exe
  2⤵
  PID:11308
- C:\Windows\System\vfRmcYa.exe
  C:\Windows\System\vfRmcYa.exe
  2⤵
  PID:11336
- C:\Windows\System\sfjWtyk.exe
  C:\Windows\System\sfjWtyk.exe
  2⤵
  PID:11356
- C:\Windows\System\bSiUxUu.exe
  C:\Windows\System\bSiUxUu.exe
  2⤵
  PID:11376
- C:\Windows\System\ZzzUtvL.exe
  C:\Windows\System\ZzzUtvL.exe
  2⤵
  PID:11404
- C:\Windows\System\EJaQxza.exe
  C:\Windows\System\EJaQxza.exe
  2⤵
  PID:11432
- C:\Windows\System\drUsHkn.exe
  C:\Windows\System\drUsHkn.exe
  2⤵
  PID:11452
- C:\Windows\System\oSGGYjR.exe
  C:\Windows\System\oSGGYjR.exe
  2⤵
  PID:11476
- C:\Windows\System\VzatzEg.exe
  C:\Windows\System\VzatzEg.exe
  2⤵
  PID:11552
- C:\Windows\System\fBssOVS.exe
  C:\Windows\System\fBssOVS.exe
  2⤵
  PID:11568
- C:\Windows\System\HBwupeS.exe
  C:\Windows\System\HBwupeS.exe
  2⤵
  PID:11592
- C:\Windows\System\sczmWVY.exe
  C:\Windows\System\sczmWVY.exe
  2⤵
  PID:11620
- C:\Windows\System\xoBQOhU.exe
  C:\Windows\System\xoBQOhU.exe
  2⤵
  PID:11644
- C:\Windows\System\jxEQERl.exe
  C:\Windows\System\jxEQERl.exe
  2⤵
  PID:11664
- C:\Windows\System\ancwXxE.exe
  C:\Windows\System\ancwXxE.exe
  2⤵
  PID:11688
- C:\Windows\System\nzlEcig.exe
  C:\Windows\System\nzlEcig.exe
  2⤵
  PID:11708
- C:\Windows\System\OizHEjA.exe
  C:\Windows\System\OizHEjA.exe
  2⤵
  PID:11756
- C:\Windows\System\dLDTXDx.exe
  C:\Windows\System\dLDTXDx.exe
  2⤵
  PID:11776
- C:\Windows\System\ffLKwDJ.exe
  C:\Windows\System\ffLKwDJ.exe
  2⤵
  PID:11824
- C:\Windows\System\tAhRZOz.exe
  C:\Windows\System\tAhRZOz.exe
  2⤵
  PID:11852
- C:\Windows\System\FphpdGU.exe
  C:\Windows\System\FphpdGU.exe
  2⤵
  PID:11872
- C:\Windows\System\NyMRECR.exe
  C:\Windows\System\NyMRECR.exe
  2⤵
  PID:11900
- C:\Windows\System\xibodBN.exe
  C:\Windows\System\xibodBN.exe
  2⤵
  PID:11928
- C:\Windows\System\ISPqmME.exe
  C:\Windows\System\ISPqmME.exe
  2⤵
  PID:11944
- C:\Windows\System\IDSTAUr.exe
  C:\Windows\System\IDSTAUr.exe
  2⤵
  PID:11972
- C:\Windows\System\SjFivyO.exe
  C:\Windows\System\SjFivyO.exe
  2⤵
  PID:12000
- C:\Windows\System\xDuyQeL.exe
  C:\Windows\System\xDuyQeL.exe
  2⤵
  PID:12036
- C:\Windows\System\VBtOKyF.exe
  C:\Windows\System\VBtOKyF.exe
  2⤵
  PID:12072
- C:\Windows\System\pCPmcgc.exe
  C:\Windows\System\pCPmcgc.exe
  2⤵
  PID:12104
- C:\Windows\System\sYCizRl.exe
  C:\Windows\System\sYCizRl.exe
  2⤵
  PID:12132
- C:\Windows\System\MtQhFJX.exe
  C:\Windows\System\MtQhFJX.exe
  2⤵
  PID:12160
- C:\Windows\System\hklquMk.exe
  C:\Windows\System\hklquMk.exe
  2⤵
  PID:12180
- C:\Windows\System\EguugaX.exe
  C:\Windows\System\EguugaX.exe
  2⤵
  PID:12216
- C:\Windows\System\vmLZJSc.exe
  C:\Windows\System\vmLZJSc.exe
  2⤵
  PID:12232
- C:\Windows\System\zUvMViY.exe
  C:\Windows\System\zUvMViY.exe
  2⤵
  PID:12252
- C:\Windows\System\GCSkeSJ.exe
  C:\Windows\System\GCSkeSJ.exe
  2⤵
  PID:11280
- C:\Windows\System\YkgTzyj.exe
  C:\Windows\System\YkgTzyj.exe
  2⤵
  PID:11344
- C:\Windows\System\uOHLAdI.exe
  C:\Windows\System\uOHLAdI.exe
  2⤵
  PID:11400
- C:\Windows\System\GzsOquh.exe
  C:\Windows\System\GzsOquh.exe
  2⤵
  PID:11472
- C:\Windows\System\eInWnWr.exe
  C:\Windows\System\eInWnWr.exe
  2⤵
  PID:1476
- C:\Windows\System\HBMEeVN.exe
  C:\Windows\System\HBMEeVN.exe
  2⤵
  PID:11496
- C:\Windows\System\VmfOfXY.exe
  C:\Windows\System\VmfOfXY.exe
  2⤵
  PID:11628
- C:\Windows\System\mpeJZlg.exe
  C:\Windows\System\mpeJZlg.exe
  2⤵
  PID:11684
- C:\Windows\System\rdefgLX.exe
  C:\Windows\System\rdefgLX.exe
  2⤵
  PID:11696
- C:\Windows\System\ygiVDlS.exe
  C:\Windows\System\ygiVDlS.exe
  2⤵
  PID:11832
- C:\Windows\System\mNUaUZM.exe
  C:\Windows\System\mNUaUZM.exe
  2⤵
  PID:11912
- C:\Windows\System\yEoEDmo.exe
  C:\Windows\System\yEoEDmo.exe
  2⤵
  PID:11940
- C:\Windows\System\hauhmHx.exe
  C:\Windows\System\hauhmHx.exe
  2⤵
  PID:11960
- C:\Windows\System\xiJucOF.exe
  C:\Windows\System\xiJucOF.exe
  2⤵
  PID:12068
- C:\Windows\System\XrTVpoA.exe
  C:\Windows\System\XrTVpoA.exe
  2⤵
  PID:12096
- C:\Windows\System\MzJZRpV.exe
  C:\Windows\System\MzJZRpV.exe
  2⤵
  PID:12196
- C:\Windows\System\rRjEdYi.exe
  C:\Windows\System\rRjEdYi.exe
  2⤵
  PID:12244
- C:\Windows\System\fPFNJGt.exe
  C:\Windows\System\fPFNJGt.exe
  2⤵
  PID:11412
- C:\Windows\System\byApWuI.exe
  C:\Windows\System\byApWuI.exe
  2⤵
  PID:11460
- C:\Windows\System\HqraZig.exe
  C:\Windows\System\HqraZig.exe
  2⤵
  PID:11256
- C:\Windows\System\ZCqaeGV.exe
  C:\Windows\System\ZCqaeGV.exe
  2⤵
  PID:11764
- C:\Windows\System\EwJWNhQ.exe
  C:\Windows\System\EwJWNhQ.exe
  2⤵
  PID:11844
- C:\Windows\System\qTYpNpu.exe
  C:\Windows\System\qTYpNpu.exe
  2⤵
  PID:12044
- C:\Windows\System\aZNZSDJ.exe
  C:\Windows\System\aZNZSDJ.exe
  2⤵
  PID:12204
- C:\Windows\System\KsRdJJD.exe
  C:\Windows\System\KsRdJJD.exe
  2⤵
  PID:11372
- C:\Windows\System\kNTxAZg.exe
  C:\Windows\System\kNTxAZg.exe
  2⤵
  PID:11608
- C:\Windows\System\VfPsoEf.exe
  C:\Windows\System\VfPsoEf.exe
  2⤵
  PID:11816
- C:\Windows\System\oHpdtic.exe
  C:\Windows\System\oHpdtic.exe
  2⤵
  PID:11316
- C:\Windows\System\gPSmqIq.exe
  C:\Windows\System\gPSmqIq.exe
  2⤵
  PID:11992
- C:\Windows\System\WnDVkLy.exe
  C:\Windows\System\WnDVkLy.exe
  2⤵
  PID:12292
- C:\Windows\System\zjKISNY.exe
  C:\Windows\System\zjKISNY.exe
  2⤵
  PID:12344
- C:\Windows\System\etTgpUA.exe
  C:\Windows\System\etTgpUA.exe
  2⤵
  PID:12372
- C:\Windows\System\lTVTQzY.exe
  C:\Windows\System\lTVTQzY.exe
  2⤵
  PID:12408
- C:\Windows\System\znjGMuh.exe
  C:\Windows\System\znjGMuh.exe
  2⤵
  PID:12432
- C:\Windows\System\EWmsLFJ.exe
  C:\Windows\System\EWmsLFJ.exe
  2⤵
  PID:12460
- C:\Windows\System\OsgwIsi.exe
  C:\Windows\System\OsgwIsi.exe
  2⤵
  PID:12480
- C:\Windows\System\xwehynr.exe
  C:\Windows\System\xwehynr.exe
  2⤵
  PID:12504
- C:\Windows\System\WqYvMLL.exe
  C:\Windows\System\WqYvMLL.exe
  2⤵
  PID:12528
- C:\Windows\System\HWeEVKu.exe
  C:\Windows\System\HWeEVKu.exe
  2⤵
  PID:12548
- C:\Windows\System\ybLkiQT.exe
  C:\Windows\System\ybLkiQT.exe
  2⤵
  PID:12600
- C:\Windows\System\hRytNXc.exe
  C:\Windows\System\hRytNXc.exe
  2⤵
  PID:12632
- C:\Windows\System\xlgkDcq.exe
  C:\Windows\System\xlgkDcq.exe
  2⤵
  PID:12652
- C:\Windows\System\plUGsoe.exe
  C:\Windows\System\plUGsoe.exe
  2⤵
  PID:12680
- C:\Windows\System\PojBMIl.exe
  C:\Windows\System\PojBMIl.exe
  2⤵
  PID:12700
- C:\Windows\System\vdgLWZj.exe
  C:\Windows\System\vdgLWZj.exe
  2⤵
  PID:12720
- C:\Windows\System\IiMBKow.exe
  C:\Windows\System\IiMBKow.exe
  2⤵
  PID:12740
- C:\Windows\System\ujkapoz.exe
  C:\Windows\System\ujkapoz.exe
  2⤵
  PID:12768
- C:\Windows\System\WqcIdom.exe
  C:\Windows\System\WqcIdom.exe
  2⤵
  PID:12784
- C:\Windows\System\iAyjPLX.exe
  C:\Windows\System\iAyjPLX.exe
  2⤵
  PID:12816
- C:\Windows\System\eGPaLEA.exe
  C:\Windows\System\eGPaLEA.exe
  2⤵
  PID:12844
- C:\Windows\System\lffkuGP.exe
  C:\Windows\System\lffkuGP.exe
  2⤵
  PID:12860
- C:\Windows\System\OyzeDOY.exe
  C:\Windows\System\OyzeDOY.exe
  2⤵
  PID:12884
- C:\Windows\System\ecQrHOn.exe
  C:\Windows\System\ecQrHOn.exe
  2⤵
  PID:12940
- C:\Windows\System\HesUzUH.exe
  C:\Windows\System\HesUzUH.exe
  2⤵
  PID:12968
- C:\Windows\System\sojAjZo.exe
  C:\Windows\System\sojAjZo.exe
  2⤵
  PID:12996
- C:\Windows\System\CrScDBO.exe
  C:\Windows\System\CrScDBO.exe
  2⤵
  PID:13016
- C:\Windows\System\AYahiNi.exe
  C:\Windows\System\AYahiNi.exe
  2⤵
  PID:13040
- C:\Windows\System\vOSoQkH.exe
  C:\Windows\System\vOSoQkH.exe
  2⤵
  PID:13108
- C:\Windows\System\LNOzAcq.exe
  C:\Windows\System\LNOzAcq.exe
  2⤵
  PID:13148
- C:\Windows\System\DBAIJWK.exe
  C:\Windows\System\DBAIJWK.exe
  2⤵
  PID:13176
- C:\Windows\System\mkoChEX.exe
  C:\Windows\System\mkoChEX.exe
  2⤵
  PID:13200
- C:\Windows\System\HNaCXVD.exe
  C:\Windows\System\HNaCXVD.exe
  2⤵
  PID:13220
- C:\Windows\System\mydHOjg.exe
  C:\Windows\System\mydHOjg.exe
  2⤵
  PID:13236
- C:\Windows\System\omejxtU.exe
  C:\Windows\System\omejxtU.exe
  2⤵
  PID:13280
- C:\Windows\System\EonNabG.exe
  C:\Windows\System\EonNabG.exe
  2⤵
  PID:13304
- C:\Windows\System\VMFFtRr.exe
  C:\Windows\System\VMFFtRr.exe
  2⤵
  PID:11504
- C:\Windows\System\kRomNis.exe
  C:\Windows\System\kRomNis.exe
  2⤵
  PID:12356
- C:\Windows\System\iTpWLqn.exe
  C:\Windows\System\iTpWLqn.exe
  2⤵
  PID:12396
- C:\Windows\System\TcXToYR.exe
  C:\Windows\System\TcXToYR.exe
  2⤵
  PID:12472
- C:\Windows\System\IIdiFyg.exe
  C:\Windows\System\IIdiFyg.exe
  2⤵
  PID:12516
- C:\Windows\System\XNUEnGl.exe
  C:\Windows\System\XNUEnGl.exe
  2⤵
  PID:12612
- C:\Windows\System\jqVaEmv.exe
  C:\Windows\System\jqVaEmv.exe
  2⤵
  PID:12640
- C:\Windows\System\SsJJlJc.exe
  C:\Windows\System\SsJJlJc.exe
  2⤵
  PID:12736
- C:\Windows\System\feHvmCo.exe
  C:\Windows\System\feHvmCo.exe
  2⤵
  PID:12808
- C:\Windows\System\zxSRBmc.exe
  C:\Windows\System\zxSRBmc.exe
  2⤵
  PID:12856
- C:\Windows\System\QKjwPDG.exe
  C:\Windows\System\QKjwPDG.exe
  2⤵
  PID:12980
- C:\Windows\System\zDasTqN.exe
  C:\Windows\System\zDasTqN.exe
  2⤵
  PID:13008
- C:\Windows\System\dAOzxKH.exe
  C:\Windows\System\dAOzxKH.exe
  2⤵
  PID:13076
- C:\Windows\System\Cqdcfyo.exe
  C:\Windows\System\Cqdcfyo.exe
  2⤵
  PID:13156
- C:\Windows\System\fnAnrQI.exe
  C:\Windows\System\fnAnrQI.exe
  2⤵
  PID:13244
- C:\Windows\System\YqeaEih.exe
  C:\Windows\System\YqeaEih.exe
  2⤵
  PID:13292
- C:\Windows\System\KgxOilL.exe
  C:\Windows\System\KgxOilL.exe
  2⤵
  PID:12320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4204,i,6166776566165096562,4582328833313060853,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
1⤵
PID:7792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1m1w2iq.cug.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\FAHQQcE.exe

Filesize
2.0MB

MD5
e2cb694f91d0578ee73740fc5827ffdd

SHA1
175bb0131cb77566cd52d23094c0d43d5ba538f4

SHA256
bf9663e68b63f93920e9349591b510c8ad9b8410f46d27494923ed9b9b2de341

SHA512
7c23e2dbcdf78eca262233baecb6f7b74bd182c513e3a20067a3d4b4760cc0014be5ecda45c69767367b009489df9c42cdd181eb9f77852b7399969ede7ed611

Download Submit
C:\Windows\System\GLvXeXT.exe

Filesize
2.0MB

MD5
4a07f4b67a30be9a48349975a9e56949

SHA1
885c5117b0267e34eb73b45a9fb4eca87639e85a

SHA256
e2b08319c7a84b3043d2893975686c1900910e33cde5503352e717905fe252ea

SHA512
79572bdd4633082bd889510702943956e2742e5fd7052434e6df9cb654ea11dc95945d08e0a149f2f6316a29d9d326587b681670c499bf209d1bdc77bb6250b2

Download Submit
C:\Windows\System\HRPRQWl.exe

Filesize
2.0MB

MD5
0b8131ef10ac4f520188a31a1d8f4d87

SHA1
9bf9e1509ea278038b258797ebb5693f4fa205cf

SHA256
6af25dec56e69f8a54cd58d5657c1371150b1b003ba3f2cb41958794c293df3d

SHA512
129ba8b774f07c52e965afc476aad9d4e3cdca4ec2df3050e552bcffa4b1d1dea822bdcda6595f116f58a7ec1a46b8885c60f39677899e90ffddb20c6e22b49f

Download Submit
C:\Windows\System\IchcTQf.exe

Filesize
2.0MB

MD5
5c427562bb9776681191eb391f839522

SHA1
ff68eaf02850b42f3d2dfead02b8a797a8a405ff

SHA256
a28d49e9fd6438d1bf31b9ca9b3e24e5956ca2467ced35842a578fe7e42b4c38

SHA512
0efc7a60f25c25af4287405268bee7777736b95484ff4c2615cd26e0b5528266cf927ea5b6afe3aec8ce3fea7ad9cd78a67db75e6b445f27cb3c67ab3aca0801

Download Submit
C:\Windows\System\IvBXspy.exe

Filesize
2.0MB

MD5
15b877fb22f7b15a4a48b76f10d54781

SHA1
5be0111c9db2a4c09d1cfdd58f07a0b38efa129a

SHA256
89cc676270dd8fa484b2c216b87323601fe10b1293a5e4f6165488d8f9e5ab8f

SHA512
6c1835f717ff58cb6cf1ef0f8997fa0b0bee31f85e6a60e2c3c0847455b01913fdfa4d3f18ee98e5ef49c755b518b42a9b68dc1c033e9b3995ba40c1f882ffe4

Download Submit
C:\Windows\System\JRdRGls.exe

Filesize
2.0MB

MD5
4c5214b6f53e01c74b4d5246aee041e7

SHA1
cd14eb88a594d23d9af2108234ea5bd607cdcc1a

SHA256
27c7a05158129271388733bdaaa186314214a9e24e42b94d7472b2330fb9e19a

SHA512
f58b79a4d4b2a8412878446e070d00b834826820ee12333c07983be856b52f425a0907262553c84120ffb36bea79c4b8d4e7a9f4761a4178e9c1f60585e8c79d

Download Submit
C:\Windows\System\KMTGUnK.exe

Filesize
2.0MB

MD5
040b9e06e455ec45ac9597a243236413

SHA1
769ea95696c304c7ff3d4bf7080242631810a753

SHA256
0946a403cbcc53aa959ae6ce26569fe1ecbd1f032a95933e6fbbe4e87f219452

SHA512
d8a87d7608e8b0f18035d49570d8b57302f0ef5f77970cedd390719d66c89b532ffa7ad8eb9919bb59bc74c3bb41ba53512d514eecc000786fd70055d71c3839

Download Submit
C:\Windows\System\NMdweoR.exe

Filesize
2.0MB

MD5
5aa137a727bd406e69df4bfd41c891ab

SHA1
ed798d31ff472984c9a9da736b0b4d385cd2a17d

SHA256
9b16510a7dc4e70444472d08ae44637f400f4e3cb8ad56f93f647237e9dd7eb7

SHA512
2ba90a973ed5700b867cf07b5accd8667cf1e1169a1a5f6240eef7a24d9c606fe54451605951ff192ad537bc5303fcd47fc58fe3872bee0e0e4a0cddba79bdcb

Download Submit
C:\Windows\System\OoOBfqF.exe

Filesize
8B

MD5
20f50227b408431507e9e4298a89a7d5

SHA1
021be5cef03ca413a261257f3fa674d51e4eaecb

SHA256
f053af72ebaae8c20b4aa760dccbaa50d5e8c1b0612207e6dff562e592b0ee16

SHA512
a69e9f155961cdfb2c580f410cf1f9148255cadde0f420c64800ffc84ebbf2c4fc4d8c24eda7cee14ae357ad0398853cbe4f84f9db0bb9573e1f43351f2da9c0

Download Submit
C:\Windows\System\PmOnWft.exe

Filesize
2.0MB

MD5
f6896bee5f5aaf4920fee28c3301f9d6

SHA1
bd4a8153b72e6a72df810a628b9d7a8ab75c66f7

SHA256
bea55d712be75b707bdcd469ae6dca8f62a0005c63dca773eef1a61f0d5c726a

SHA512
8c068907f8c4bd3c713e4dbb5a0a83b154f4231abefebd1bf8187b055640c3a1d4c832b837eac6030010da1aabef43c3edf0b20efa24421a926ebc21b29e2532

Download Submit
C:\Windows\System\QDVEbIt.exe

Filesize
2.0MB

MD5
b1ed2941af1a53a6ca5fe33682882ea8

SHA1
cd49a18dea19b8e50f45523d75fc076c108f94e4

SHA256
f70da12b96aa7d204dce5e6989ddbac29d7ab010a085f6dc091338780db3205d

SHA512
7f47405e6eb47fdab614f0365212b8f1d6c51f2e61da3bee86024b683fd9fe69cae485450144c6ce1b94c6f263bceaa024bf047ba3386b21147a2e014b1c76fb

Download Submit
C:\Windows\System\QNaefOi.exe

Filesize
2.0MB

MD5
04e64cdbf3e04f5fb285dcec6aebbd3d

SHA1
f2a825d8637d6b651cfffa28c1472cda8782a5bc

SHA256
c053c41364f80ce27babb6882410bd5c36180baf6b5b49eedb24600f8ea0fb1b

SHA512
d2f31eff8cef8dee0083730b4fc15083baacb8ef9e7d18ee9015cd0ae2ab8045922a0b9b4ed7edf86c863381d02213eee25d3f67f2d437473ef9ba6667a52c95

Download Submit
C:\Windows\System\QQILErW.exe

Filesize
2.0MB

MD5
b2d865b381e1e1b4f603b519e26b5a58

SHA1
b61e1f7e21a979b45f706b7df2a3811e876048eb

SHA256
9fdfb9b411455ccdc064ae92b64270af676d8b86dcd7a54914faa896b86cdb60

SHA512
53233fa15a453787f34db9e8336b326c4e5948288017f2e2d1883a91d648a7d432c250dbd2a219e684be636b90769f3c01ea07ebd0ecd208596cfc3727dc3643

Download Submit
C:\Windows\System\TFdPvkt.exe

Filesize
2.0MB

MD5
27d1625fa05d4c79283b40e93910deb8

SHA1
8819bdc5bcb5312e1fb7bbfe36342c09044422fa

SHA256
20fc06d5a4e62c36c577f6f7e814b2d2dce835dc29f3493450d623e2e87f509c

SHA512
6b12848614b2f688bb76890c37d35cb980bf666c6a094f8bd953d083f1766b0d6220341421157329f9f27a6d1a017ca58d7b694724544657980e06c57e710a09

Download Submit
C:\Windows\System\TbyNdvt.exe

Filesize
2.0MB

MD5
41bf87a7a8f3dc8ba233386818616f2e

SHA1
e3f63472beecf67fdcb15519d54336381510a6cd

SHA256
1643660f536ebedec07082d0a47b37facdadea508133e0902b5f42e4348890d9

SHA512
37d233c732ffb18dea807c431e8b404d3b576f3f83d62064e46563a6a76f6dd3bdf18e77216d1c24b766f9aaa06a4062cdf9287a8fcdb225b8b6051571b4b71b

Download Submit
C:\Windows\System\UDHLOAu.exe

Filesize
2.0MB

MD5
206ba377dafd063bcd5227ad9a344486

SHA1
a25b7de508d9c3c75201506a721705590fc4d1d3

SHA256
7ca09d39037331176b86aafaf68b5a7bab61ec435c7c90b397695a0218a86bfe

SHA512
109fb9a377f1b9ea14b01f0e28dbf403b310faa261eda108adb729de0af3424f2eab44a233a078a02a32923f53db1be71d70513ec1deacdbe2f46e93635bbb7d

Download Submit
C:\Windows\System\YnMycyA.exe

Filesize
2.0MB

MD5
74c17e4ba8c5959935d6be1e23833359

SHA1
2609a5d4293893f0196af601ef48937668b3d34b

SHA256
4e7eafb302814d2cb695a62a3023c3e32cff28842542d0e0c4346510ffb2c39f

SHA512
8ce79d3337e4bf203d46e6a0316953c3086ce32c72907079f8b83b7e6b86c0a36cd286739fe3aa717180172ff766d39548d7e94d8c51234301ee291da84c7932

Download Submit
C:\Windows\System\aPWvdbG.exe

Filesize
2.0MB

MD5
17d11fc46f657af92b97453b02b9a46f

SHA1
97a3f4d42a7b2f070f0809777b21fb724470c64b

SHA256
4658694903d0c72bf61c3b94289495c8885b302603d5c16e712d795a2f1c2523

SHA512
73e8988bfc1daa9966c802227b934c4f4ef45f7ecdc3c4d098c24ceb4aed8c856ef0d76c4bf89721cef9a6cf7463c1dd2726104d0e41f5dc7407d0cf4e492fe8

Download Submit
C:\Windows\System\bwecRmL.exe

Filesize
2.0MB

MD5
6056a59f2e2c2d3ed573440af9a12743

SHA1
c0d453ec8d592fb11c06c079cb7564b81af90500

SHA256
9d7379abff0ed37059678018ca852a2ae6ea5edddbd75c48fa9123a6810b4989

SHA512
313b22b42de479b3e278b6fb2fb78e5ea0a94fbacd7c7e9ca519aa4b90e0a1ac12fc500ac11a657db33361202eaa2e64b7edae76360494d86ab55334294fb77b

Download Submit
C:\Windows\System\cnXzPEM.exe

Filesize
2.0MB

MD5
da17853833ba1dab08097fd077521b48

SHA1
dfd106b60c85b8439d616434c9ded2f8b6d1bc21

SHA256
6124a08a5ab20aab4705ec7f35bb3112658df9eb693637199acf1b157f73afa1

SHA512
365c437817e43039f9b4d38584f3fa0be25b14f2d900141140c467a165421b768dd4a05168c6bf6f111b254080e0f358f95dcc9dc563f5b453c9b3e1bebe5fb0

Download Submit
C:\Windows\System\dbtarVH.exe

Filesize
2.0MB

MD5
19531ab872ef7373b43b871ad4f89dd1

SHA1
c6995b2da7c96eb7595cbc5c6f3cfda3d0993328

SHA256
6b4aac985dcd435a21eb934e9f0b30626e2ff5a5e618e5ef6c364232d03f7eb6

SHA512
2d989cbb61546831657b13804672a937ac47c0a96f26fb7c33b0e0d77e97ee41c8d92d3447060944d7b90f56b9cc3e01ac796ecb7aabc9c9170c2b69c5e4e43d

Download Submit
C:\Windows\System\dtMiEQq.exe

Filesize
2.0MB

MD5
ed73c8e891e4e4bf9b2834545f524914

SHA1
3ee97047e94f5b4efe1de262f7afe19b34118941

SHA256
59c89572a4118cb49b095018cc3bfc6600716a6a6c2d0e2120c7cdd2cba88ce7

SHA512
d11b54ad3f77ee7f0ac87024c1be2816b7eebdd6e8ae5a31919e2abe9c14587eb7d6f3bb95bf943bc57fd7b95cf0dfa89bc9736c8b3ce698916078daf48f6663

Download Submit
C:\Windows\System\hNrsJMw.exe

Filesize
2.0MB

MD5
6e20e0cf5ddc7a9024e89826f43f6b2f

SHA1
a9f21c8fade7bdfd5ee0d038b008370a3bc3c274

SHA256
298d254391537f5a59879c48b2df58b0aa252a7adff1ce2d48976fbc21e4f4a4

SHA512
f66c263c75fccedee2693f9cb9244d0f65668dc6838dd0340696bcee46fe87ee75194615aeec6401b0556684e4e35800607485ba82f1f88637a0a924b7547fa4

Download Submit
C:\Windows\System\iHwYUKr.exe

Filesize
2.0MB

MD5
91c8b6eedcafe25888ba38ee40d516f8

SHA1
3695fddb30ad8a9fff49254d24e6df5e59d2a06f

SHA256
fd21a37d9e8457594f2e82cc23f6ad5dbe51f1db9e5fd279ca9f92f61d17595b

SHA512
7ae70e2ff532e0ac875e8a62b796a15656a2a41fe87ee6508a472ad4fa8df4637e96749df5b0352d825f04c9645ac262a68fc11c38b06772ae093f13616964dc

Download Submit
C:\Windows\System\ipzlMop.exe

Filesize
2.0MB

MD5
eec0dc2b6c8bd184e6fa921a67730402

SHA1
b5e6607f3e168318bb7ecdc56fb4756bcea50e68

SHA256
648e7d71d91ceb9e484783aef4ae255b3dbb40817bbcdce42a0812a21d17c8da

SHA512
bcce064183370b644dda214df61a435c1e09ecd4d1c4faf8d99989aac4330c074ed9e24edd22491b5a50b9c6665b13f14f67480e0bb287b65387152817c8aabe

Download Submit
C:\Windows\System\lCOiZpd.exe

Filesize
2.0MB

MD5
4ae38dc2a410913103d5ef19b04e7b92

SHA1
5e1c42e9a269969b07f7690d219294382e23924c

SHA256
ab3a3716e00a2d993616efa9ab0cfeba1825deaf1062fe4c5d9588904c93b067

SHA512
d8c741c351cee509f1fabb5a15e3b6d6b3b6ac0e5259309cbeb4625d773208b9ab7ca965c785b478de97e2695c10928224013651aeda40f3975be69faeea5e1c

Download Submit
C:\Windows\System\lIbkJZS.exe

Filesize
2.0MB

MD5
dd0351b16dfecfd415cb5ccf04b003a0

SHA1
397eb7c2794c3172e320239fb69e28db5f68fa5c

SHA256
b2584f0805b7607e5e5a63ccb6f234d92bfb65a61a4ab1f689f98d227a65b822

SHA512
b407e5bb075fc190e06a2a443c346cd9b526e851d58efdb627dd3d69fe7f4cd4b86836a01795714c667ecbdc9ccb1a2287327bbace81252c0999da170148be2b

Download Submit
C:\Windows\System\pBYYaYF.exe

Filesize
2.0MB

MD5
a40ab8bba3be444ce421bde286e31f6f

SHA1
0587a50b0c5398802d3e8ad1ef911bc7abeecf05

SHA256
023f7d5fda30659878e2cc5c38a1b45db9feb4ff2154c65f5112b4aa8ecd757b

SHA512
dd685ecf1125713dc043e92d5e653c22a4baa1a7e985f766e3752edccb70be418e288bc948daaec56ae61a4d6cc4bc6aba8719c5526e2e2a8cd508a94ced0bdb

Download Submit
C:\Windows\System\rcsTIKC.exe

Filesize
2.0MB

MD5
33fd65edf9eafaa968ee001a5e1b7eaf

SHA1
6d522ae6ed134e7b94ab585bf00e3409b5a11914

SHA256
a67da2afa22432ebc8dfa21343493481c3a1ca6ac79fa982ebd3c3be308a51b8

SHA512
32cbd1b5febf2bf7f5da0ca8435d98244f1ed2c17677f947542dd703d3feb4fc62ae568fc43693518ee6f9e40a48b79dae8e7bbc4783f42e0d9dd199ca03494b

Download Submit
C:\Windows\System\scQgymY.exe

Filesize
2.0MB

MD5
00d8d67f80d08193ab504eede9bd9b6c

SHA1
78efc7921de123ff2290dfe7636dce130ec902e3

SHA256
4180491555eea7b4d9571c84f9ba8a0cd363d8e0c053b19ea988ce81a468ea30

SHA512
23562851239d478914503ed33d0864c76814ca80a6b74e33792fb118aff5ffdf549820ba6e459b5dd60816dd1a3502c2e4e58b8a3c5a18a6c0e1c33b3987ce0c

Download Submit
C:\Windows\System\tOVGZHe.exe

Filesize
2.0MB

MD5
3a85ecca221b4ebac72d859a389fa89d

SHA1
2a524e03c19f22a5c1e7b2d3313b0060ba14daa5

SHA256
7a6f4545da0ef8669ddda5757d1882d3e47dea7261b03129b3c8b09777bb03ce

SHA512
d5d81f954e0490fc63a3da35f4265feeef896ebdda9790bc5fd368e792bf4392ec3e37a89538af98f224dff4042920c7497cdc7f23c200b53a8591291ed4e205

Download Submit
C:\Windows\System\tQueFlt.exe

Filesize
2.0MB

MD5
3578824bd5e343ef2fb1af662f7e9f23

SHA1
e27d1d7295d7301e3fe6cdedcf4a07b8d1f87065

SHA256
f33a2c17cd0b29e6623767c932f35a9f59bffe7fd6801ac50044515f0466dc3d

SHA512
841a8a4d9f5954a67f51d5adb926920f7422cf6753acdf18fec8eb28fc0cdc0de6269bc75e02a93798054bcc84e8831f5f10f80d17e816d81912d5f0227552fb

Download Submit
C:\Windows\System\vYEDdQY.exe

Filesize
2.0MB

MD5
4cc8d1ef5ae5e871e36a384077107940

SHA1
39c40623833fda647e36eaef0c446b68114c011f

SHA256
330b0410796109d61dc7cf4c058e0f6d2323b85ddf93d34bf39c7671c3e3c834

SHA512
49d6debc11fc8e83a4b3281f89e36f39805f55b08c01151d41aff95ac56205a5a3573c3ff987ccd208c1e5b4cf46f1468f7f04d402d732f6e3d5ba4b1960afe6

Download Submit
C:\Windows\System\wzazpWL.exe

Filesize
2.0MB

MD5
70691f38f853a2e793c71352fd6dfa05

SHA1
9f426fff5c22c118eb4b0c9a0aa428ae74517d87

SHA256
bd311bbfd1228e6d7e06072c903c90de2f6f1c6f0766b908ce8304661bb8cf1f

SHA512
c562d88d2d4d8b453411b7449b7fee27c20201376f7b0f4905c6c14a79ee83b765249ff5df75247a6c1d7c9beebeb54dc45a71178b923c30423bddf5f9f23c4f

Download Submit
memory/216-2547-0x00007FF606A30000-0x00007FF606E22000-memory.dmp

Filesize
3.9MB

Download
memory/216-344-0x00007FF606A30000-0x00007FF606E22000-memory.dmp

Filesize
3.9MB

Download
memory/552-2493-0x00007FF681120000-0x00007FF681512000-memory.dmp

Filesize
3.9MB

Download
memory/552-22-0x00007FF681120000-0x00007FF681512000-memory.dmp

Filesize
3.9MB

Download
memory/552-2515-0x00007FF681120000-0x00007FF681512000-memory.dmp

Filesize
3.9MB

Download
memory/744-2544-0x00007FF757140000-0x00007FF757532000-memory.dmp

Filesize
3.9MB

Download
memory/744-363-0x00007FF757140000-0x00007FF757532000-memory.dmp

Filesize
3.9MB

Download
memory/880-376-0x00007FF70F730000-0x00007FF70FB22000-memory.dmp

Filesize
3.9MB

Download
memory/880-2549-0x00007FF70F730000-0x00007FF70FB22000-memory.dmp

Filesize
3.9MB

Download
memory/1144-2534-0x00007FF6E6780000-0x00007FF6E6B72000-memory.dmp

Filesize
3.9MB

Download
memory/1144-350-0x00007FF6E6780000-0x00007FF6E6B72000-memory.dmp

Filesize
3.9MB

Download
memory/1168-2460-0x00007FF7CEFA0000-0x00007FF7CF392000-memory.dmp

Filesize
3.9MB

Download
memory/1168-21-0x00007FF7CEFA0000-0x00007FF7CF392000-memory.dmp

Filesize
3.9MB

Download
memory/1168-2511-0x00007FF7CEFA0000-0x00007FF7CF392000-memory.dmp

Filesize
3.9MB

Download
memory/1592-0-0x00007FF7B9730000-0x00007FF7B9B22000-memory.dmp

Filesize
3.9MB

Download
memory/1592-1-0x00000174C2D60000-0x00000174C2D70000-memory.dmp

Filesize
64KB

Download
memory/2204-2509-0x00007FF7FD3F0000-0x00007FF7FD7E2000-memory.dmp

Filesize
3.9MB

Download
memory/2204-2459-0x00007FF7FD3F0000-0x00007FF7FD7E2000-memory.dmp

Filesize
3.9MB

Download
memory/2204-13-0x00007FF7FD3F0000-0x00007FF7FD7E2000-memory.dmp

Filesize
3.9MB

Download
memory/2244-358-0x00007FF607B10000-0x00007FF607F02000-memory.dmp

Filesize
3.9MB

Download
memory/2244-2532-0x00007FF607B10000-0x00007FF607F02000-memory.dmp

Filesize
3.9MB

Download
memory/2392-335-0x00007FF7EB710000-0x00007FF7EBB02000-memory.dmp

Filesize
3.9MB

Download
memory/2392-2529-0x00007FF7EB710000-0x00007FF7EBB02000-memory.dmp

Filesize
3.9MB

Download
memory/2572-329-0x00007FF7AFF70000-0x00007FF7B0362000-memory.dmp

Filesize
3.9MB

Download
memory/2572-2527-0x00007FF7AFF70000-0x00007FF7B0362000-memory.dmp

Filesize
3.9MB

Download
memory/2960-220-0x00000146DC9F0000-0x00000146DD196000-memory.dmp

Filesize
7.6MB

Download
memory/2960-72-0x00000146D9BF0000-0x00000146D9C12000-memory.dmp

Filesize
136KB

Download
memory/3020-2541-0x00007FF7EFA80000-0x00007FF7EFE72000-memory.dmp

Filesize
3.9MB

Download
memory/3020-346-0x00007FF7EFA80000-0x00007FF7EFE72000-memory.dmp

Filesize
3.9MB

Download
memory/3408-395-0x00007FF7C28F0000-0x00007FF7C2CE2000-memory.dmp

Filesize
3.9MB

Download
memory/3408-2560-0x00007FF7C28F0000-0x00007FF7C2CE2000-memory.dmp

Filesize
3.9MB

Download
memory/3556-2546-0x00007FF76EDB0000-0x00007FF76F1A2000-memory.dmp

Filesize
3.9MB

Download
memory/3556-371-0x00007FF76EDB0000-0x00007FF76F1A2000-memory.dmp

Filesize
3.9MB

Download
memory/3620-2517-0x00007FF776880000-0x00007FF776C72000-memory.dmp

Filesize
3.9MB

Download
memory/3620-2494-0x00007FF776880000-0x00007FF776C72000-memory.dmp

Filesize
3.9MB

Download
memory/3620-26-0x00007FF776880000-0x00007FF776C72000-memory.dmp

Filesize
3.9MB

Download
memory/3708-2538-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp

Filesize
3.9MB

Download
memory/3708-348-0x00007FF783ED0000-0x00007FF7842C2000-memory.dmp

Filesize
3.9MB

Download
memory/4180-2523-0x00007FF7010D0000-0x00007FF7014C2000-memory.dmp

Filesize
3.9MB

Download
memory/4180-341-0x00007FF7010D0000-0x00007FF7014C2000-memory.dmp

Filesize
3.9MB

Download
memory/4460-2526-0x00007FF72E420000-0x00007FF72E812000-memory.dmp

Filesize
3.9MB

Download
memory/4460-338-0x00007FF72E420000-0x00007FF72E812000-memory.dmp

Filesize
3.9MB

Download
memory/4644-2536-0x00007FF704BB0000-0x00007FF704FA2000-memory.dmp

Filesize
3.9MB

Download
memory/4644-349-0x00007FF704BB0000-0x00007FF704FA2000-memory.dmp

Filesize
3.9MB

Download
memory/4672-2513-0x00007FF7BB490000-0x00007FF7BB882000-memory.dmp

Filesize
3.9MB

Download
memory/4672-2495-0x00007FF7BB490000-0x00007FF7BB882000-memory.dmp

Filesize
3.9MB

Download
memory/4672-46-0x00007FF7BB490000-0x00007FF7BB882000-memory.dmp

Filesize
3.9MB

Download
memory/4688-392-0x00007FF724680000-0x00007FF724A72000-memory.dmp

Filesize
3.9MB

Download
memory/4688-2559-0x00007FF724680000-0x00007FF724A72000-memory.dmp

Filesize
3.9MB

Download
memory/4752-385-0x00007FF64A1A0000-0x00007FF64A592000-memory.dmp

Filesize
3.9MB

Download
memory/4752-2563-0x00007FF64A1A0000-0x00007FF64A592000-memory.dmp

Filesize
3.9MB

Download
memory/4788-2519-0x00007FF67C740000-0x00007FF67CB32000-memory.dmp

Filesize
3.9MB

Download
memory/4788-399-0x00007FF67C740000-0x00007FF67CB32000-memory.dmp

Filesize
3.9MB

Download
memory/4932-2522-0x00007FF6815D0000-0x00007FF6819C2000-memory.dmp

Filesize
3.9MB

Download
memory/4932-343-0x00007FF6815D0000-0x00007FF6819C2000-memory.dmp

Filesize
3.9MB

Download
memory/4996-2540-0x00007FF7681E0000-0x00007FF7685D2000-memory.dmp

Filesize
3.9MB

Download
memory/4996-345-0x00007FF7681E0000-0x00007FF7685D2000-memory.dmp

Filesize
3.9MB

Download