xmrig | ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5

Analysis

max time kernel
138s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 20:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
Size

1.8MB
MD5

c111572f9ed397d20a83851323695f90
SHA1

c3ff1861a0556ac13a9db685b08da572a2a63fe7
SHA256

ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5
SHA512

6a869c7f1f2b239b21cfadbfa2f83725d437539602aa6b45d67cccd22a9a61afc968e0cb762158372c844bb6348ce5b4137231dad16c294dd4a98a68ae7ba332
SSDEEP

24576:RVIl/WDGCi7/qkatXBF6727XL1+KvSjsvxP09W4fuiN/NH7UkvMlGAdL6fENMAyL:ROdWCCi7/rahHxxZeLckoVJMA6

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 57 IoCs

miner

resource	yara_rule
behavioral2/memory/2792-64-0x00007FF7BE1F0000-0x00007FF7BE541000-memory.dmp	xmrig
behavioral2/memory/1068-472-0x00007FF637730000-0x00007FF637A81000-memory.dmp	xmrig
behavioral2/memory/5072-473-0x00007FF7DC5D0000-0x00007FF7DC921000-memory.dmp	xmrig
behavioral2/memory/3752-478-0x00007FF63C970000-0x00007FF63CCC1000-memory.dmp	xmrig
behavioral2/memory/5008-489-0x00007FF742BC0000-0x00007FF742F11000-memory.dmp	xmrig
behavioral2/memory/4964-496-0x00007FF7F90F0000-0x00007FF7F9441000-memory.dmp	xmrig
behavioral2/memory/2428-491-0x00007FF736150000-0x00007FF7364A1000-memory.dmp	xmrig
behavioral2/memory/4068-485-0x00007FF6D1F30000-0x00007FF6D2281000-memory.dmp	xmrig
behavioral2/memory/2648-75-0x00007FF61BB90000-0x00007FF61BEE1000-memory.dmp	xmrig
behavioral2/memory/3508-63-0x00007FF6C4A40000-0x00007FF6C4D91000-memory.dmp	xmrig
behavioral2/memory/5116-60-0x00007FF630000000-0x00007FF630351000-memory.dmp	xmrig
behavioral2/memory/1940-44-0x00007FF7E0460000-0x00007FF7E07B1000-memory.dmp	xmrig
behavioral2/memory/752-524-0x00007FF7F2540000-0x00007FF7F2891000-memory.dmp	xmrig
behavioral2/memory/1812-533-0x00007FF729150000-0x00007FF7294A1000-memory.dmp	xmrig
behavioral2/memory/2156-536-0x00007FF79AB10000-0x00007FF79AE61000-memory.dmp	xmrig
behavioral2/memory/1148-540-0x00007FF7A7EB0000-0x00007FF7A8201000-memory.dmp	xmrig
behavioral2/memory/4672-514-0x00007FF774570000-0x00007FF7748C1000-memory.dmp	xmrig
behavioral2/memory/4468-511-0x00007FF641570000-0x00007FF6418C1000-memory.dmp	xmrig
behavioral2/memory/632-504-0x00007FF6E9280000-0x00007FF6E95D1000-memory.dmp	xmrig
behavioral2/memory/2888-503-0x00007FF75E980000-0x00007FF75ECD1000-memory.dmp	xmrig
behavioral2/memory/3028-2221-0x00007FF7494D0000-0x00007FF749821000-memory.dmp	xmrig
behavioral2/memory/4996-2222-0x00007FF7DAD30000-0x00007FF7DB081000-memory.dmp	xmrig
behavioral2/memory/924-2223-0x00007FF666860000-0x00007FF666BB1000-memory.dmp	xmrig
behavioral2/memory/2392-2224-0x00007FF793D20000-0x00007FF794071000-memory.dmp	xmrig
behavioral2/memory/4220-2225-0x00007FF60AAC0000-0x00007FF60AE11000-memory.dmp	xmrig
behavioral2/memory/2088-2258-0x00007FF62EC00000-0x00007FF62EF51000-memory.dmp	xmrig
behavioral2/memory/1088-2259-0x00007FF63A1B0000-0x00007FF63A501000-memory.dmp	xmrig
behavioral2/memory/5040-2262-0x00007FF71F440000-0x00007FF71F791000-memory.dmp	xmrig
behavioral2/memory/3788-2266-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp	xmrig
behavioral2/memory/5116-2268-0x00007FF630000000-0x00007FF630351000-memory.dmp	xmrig
behavioral2/memory/3028-2270-0x00007FF7494D0000-0x00007FF749821000-memory.dmp	xmrig
behavioral2/memory/3508-2274-0x00007FF6C4A40000-0x00007FF6C4D91000-memory.dmp	xmrig
behavioral2/memory/924-2278-0x00007FF666860000-0x00007FF666BB1000-memory.dmp	xmrig
behavioral2/memory/2792-2280-0x00007FF7BE1F0000-0x00007FF7BE541000-memory.dmp	xmrig
behavioral2/memory/4996-2276-0x00007FF7DAD30000-0x00007FF7DB081000-memory.dmp	xmrig
behavioral2/memory/1940-2272-0x00007FF7E0460000-0x00007FF7E07B1000-memory.dmp	xmrig
behavioral2/memory/4220-2286-0x00007FF60AAC0000-0x00007FF60AE11000-memory.dmp	xmrig
behavioral2/memory/2392-2284-0x00007FF793D20000-0x00007FF794071000-memory.dmp	xmrig
behavioral2/memory/1068-2292-0x00007FF637730000-0x00007FF637A81000-memory.dmp	xmrig
behavioral2/memory/3752-2296-0x00007FF63C970000-0x00007FF63CCC1000-memory.dmp	xmrig
behavioral2/memory/5008-2302-0x00007FF742BC0000-0x00007FF742F11000-memory.dmp	xmrig
behavioral2/memory/2428-2300-0x00007FF736150000-0x00007FF7364A1000-memory.dmp	xmrig
behavioral2/memory/4068-2298-0x00007FF6D1F30000-0x00007FF6D2281000-memory.dmp	xmrig
behavioral2/memory/5072-2294-0x00007FF7DC5D0000-0x00007FF7DC921000-memory.dmp	xmrig
behavioral2/memory/2648-2282-0x00007FF61BB90000-0x00007FF61BEE1000-memory.dmp	xmrig
behavioral2/memory/1088-2290-0x00007FF63A1B0000-0x00007FF63A501000-memory.dmp	xmrig
behavioral2/memory/5040-2288-0x00007FF71F440000-0x00007FF71F791000-memory.dmp	xmrig
behavioral2/memory/632-2304-0x00007FF6E9280000-0x00007FF6E95D1000-memory.dmp	xmrig
behavioral2/memory/4964-2306-0x00007FF7F90F0000-0x00007FF7F9441000-memory.dmp	xmrig
behavioral2/memory/752-2328-0x00007FF7F2540000-0x00007FF7F2891000-memory.dmp	xmrig
behavioral2/memory/1812-2324-0x00007FF729150000-0x00007FF7294A1000-memory.dmp	xmrig
behavioral2/memory/4468-2319-0x00007FF641570000-0x00007FF6418C1000-memory.dmp	xmrig
behavioral2/memory/1148-2317-0x00007FF7A7EB0000-0x00007FF7A8201000-memory.dmp	xmrig
behavioral2/memory/4672-2310-0x00007FF774570000-0x00007FF7748C1000-memory.dmp	xmrig
behavioral2/memory/2156-2322-0x00007FF79AB10000-0x00007FF79AE61000-memory.dmp	xmrig
behavioral2/memory/2888-2308-0x00007FF75E980000-0x00007FF75ECD1000-memory.dmp	xmrig
behavioral2/memory/2088-2454-0x00007FF62EC00000-0x00007FF62EF51000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
3788	RaepDpt.exe
3028	yzvRXcA.exe
5116	sZddTRd.exe
4996	LgUvMZR.exe
1940	ebslbSh.exe
3508	XrNmpdw.exe
924	GRRwTnw.exe
2792	KtTbQQb.exe
2392	qzqwHpD.exe
4220	QcMlBvC.exe
2648	MOlIsft.exe
2088	KIXRYFL.exe
1088	xYRjhOy.exe
5040	PfdZrNy.exe
1068	vmysfWs.exe
5072	sORMAKO.exe
3752	mhkEjpQ.exe
4068	nUtITUP.exe
5008	wCcdacM.exe
2428	RPmhgXr.exe
4964	UhFfTkn.exe
2888	jIuYfce.exe
632	MlYhvRb.exe
4468	RgGFEGA.exe
4672	uiYAxMO.exe
752	SluOVeC.exe
1812	hlpJihw.exe
2156	NtrZlJe.exe
1148	uqjMwux.exe
3764	zGJEzRv.exe
1952	UFbTRWt.exe
744	dNzBDPI.exe
4664	ntWVMLO.exe
3360	dXwmwMC.exe
4152	cwYbKxZ.exe
4656	JcnHkeM.exe
3480	wzffJHg.exe
4280	RdPoiJO.exe
4828	ZhRudmz.exe
2664	FrADPar.exe
3860	yNiTvUp.exe
4356	UWNhGgr.exe
4476	muDhEyv.exe
1236	zLEZSTt.exe
116	dIiMVXd.exe
3368	ufvBVyQ.exe
4784	ClIlFSu.exe
4444	qfQGFgt.exe
3180	wGteofI.exe
2604	toqxcKV.exe
992	YGnMGzl.exe
2652	sWvsUdj.exe
4532	GmPKINu.exe
4676	RomZghD.exe
4932	EBmtiDa.exe
3744	swoLCeB.exe
3400	BRnLzZx.exe
4004	sDpSsiC.exe
4944	SZICbrV.exe
1228	BeUxKLu.exe
3612	lrMsoRB.exe
2112	jzttCAc.exe
4140	IKKXXaC.exe
1192	fMNcnVi.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2500-0-0x00007FF7DE300000-0x00007FF7DE651000-memory.dmp	upx
behavioral2/files/0x000900000002327a-5.dat	upx
behavioral2/files/0x0007000000023412-18.dat	upx
behavioral2/files/0x0007000000023413-22.dat	upx
behavioral2/memory/3028-29-0x00007FF7494D0000-0x00007FF749821000-memory.dmp	upx
behavioral2/files/0x0007000000023417-34.dat	upx
behavioral2/files/0x0007000000023419-41.dat	upx
behavioral2/files/0x0007000000023416-47.dat	upx
behavioral2/files/0x000700000002341b-57.dat	upx
behavioral2/memory/2792-64-0x00007FF7BE1F0000-0x00007FF7BE541000-memory.dmp	upx
behavioral2/memory/4220-70-0x00007FF60AAC0000-0x00007FF60AE11000-memory.dmp	upx
behavioral2/memory/2088-76-0x00007FF62EC00000-0x00007FF62EF51000-memory.dmp	upx
behavioral2/files/0x000700000002341d-83.dat	upx
behavioral2/files/0x000700000002341f-94.dat	upx
behavioral2/files/0x0007000000023423-114.dat	upx
behavioral2/files/0x0007000000023429-136.dat	upx
behavioral2/files/0x000700000002342a-149.dat	upx
behavioral2/memory/1068-472-0x00007FF637730000-0x00007FF637A81000-memory.dmp	upx
behavioral2/memory/5072-473-0x00007FF7DC5D0000-0x00007FF7DC921000-memory.dmp	upx
behavioral2/memory/3752-478-0x00007FF63C970000-0x00007FF63CCC1000-memory.dmp	upx
behavioral2/memory/5008-489-0x00007FF742BC0000-0x00007FF742F11000-memory.dmp	upx
behavioral2/memory/4964-496-0x00007FF7F90F0000-0x00007FF7F9441000-memory.dmp	upx
behavioral2/memory/2428-491-0x00007FF736150000-0x00007FF7364A1000-memory.dmp	upx
behavioral2/memory/4068-485-0x00007FF6D1F30000-0x00007FF6D2281000-memory.dmp	upx
behavioral2/files/0x0007000000023431-176.dat	upx
behavioral2/files/0x000700000002342f-174.dat	upx
behavioral2/files/0x0007000000023430-171.dat	upx
behavioral2/files/0x000700000002342e-169.dat	upx
behavioral2/files/0x000700000002342d-164.dat	upx
behavioral2/files/0x000700000002342c-159.dat	upx
behavioral2/files/0x000700000002342b-154.dat	upx
behavioral2/files/0x0007000000023428-139.dat	upx
behavioral2/files/0x0007000000023427-134.dat	upx
behavioral2/files/0x0007000000023426-129.dat	upx
behavioral2/files/0x0007000000023425-124.dat	upx
behavioral2/files/0x0007000000023424-119.dat	upx
behavioral2/files/0x0007000000023422-109.dat	upx
behavioral2/files/0x0007000000023421-104.dat	upx
behavioral2/files/0x0007000000023420-99.dat	upx
behavioral2/memory/5040-87-0x00007FF71F440000-0x00007FF71F791000-memory.dmp	upx
behavioral2/files/0x000700000002341e-85.dat	upx
behavioral2/memory/1088-80-0x00007FF63A1B0000-0x00007FF63A501000-memory.dmp	upx
behavioral2/files/0x000700000002341c-77.dat	upx
behavioral2/memory/2648-75-0x00007FF61BB90000-0x00007FF61BEE1000-memory.dmp	upx
behavioral2/files/0x0007000000023418-68.dat	upx
behavioral2/memory/3508-63-0x00007FF6C4A40000-0x00007FF6C4D91000-memory.dmp	upx
behavioral2/files/0x000700000002341a-61.dat	upx
behavioral2/memory/5116-60-0x00007FF630000000-0x00007FF630351000-memory.dmp	upx
behavioral2/memory/2392-56-0x00007FF793D20000-0x00007FF794071000-memory.dmp	upx
behavioral2/memory/924-55-0x00007FF666860000-0x00007FF666BB1000-memory.dmp	upx
behavioral2/memory/1940-44-0x00007FF7E0460000-0x00007FF7E07B1000-memory.dmp	upx
behavioral2/memory/4996-37-0x00007FF7DAD30000-0x00007FF7DB081000-memory.dmp	upx
behavioral2/files/0x0007000000023414-36.dat	upx
behavioral2/files/0x0007000000023415-30.dat	upx
behavioral2/memory/3788-13-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp	upx
behavioral2/memory/752-524-0x00007FF7F2540000-0x00007FF7F2891000-memory.dmp	upx
behavioral2/memory/1812-533-0x00007FF729150000-0x00007FF7294A1000-memory.dmp	upx
behavioral2/memory/2156-536-0x00007FF79AB10000-0x00007FF79AE61000-memory.dmp	upx
behavioral2/memory/1148-540-0x00007FF7A7EB0000-0x00007FF7A8201000-memory.dmp	upx
behavioral2/memory/4672-514-0x00007FF774570000-0x00007FF7748C1000-memory.dmp	upx
behavioral2/memory/4468-511-0x00007FF641570000-0x00007FF6418C1000-memory.dmp	upx
behavioral2/memory/632-504-0x00007FF6E9280000-0x00007FF6E95D1000-memory.dmp	upx
behavioral2/memory/2888-503-0x00007FF75E980000-0x00007FF75ECD1000-memory.dmp	upx
behavioral2/memory/3028-2221-0x00007FF7494D0000-0x00007FF749821000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\YpFPppL.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\CnyDBgV.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\TzLcNdS.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\ICQrYoo.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\mbITPJw.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\fGfxcqH.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\fRgdolJ.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\NBPCwoW.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\fygZYGL.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\mkggChS.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\lXSdMMr.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\lVZBfXR.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\TdjJvLJ.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\eUWldZg.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\Xtsetjc.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\dLChygN.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\IvQeVWa.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\ntWVMLO.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\jZRzaBr.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\mxylYWJ.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\wtpCtdN.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\mFjwyla.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\ePtiMdu.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\wjmhMtP.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\yzvRXcA.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\OgKUoif.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\pzfQKQx.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\ACCLFFA.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\jhGyjJO.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\ZsaqslL.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\vmysfWs.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\gPVlyve.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\buhgcHY.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\FRLLqZA.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\toqxcKV.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\oGCrimg.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\mQxaLMq.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\LiWKLbA.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\Qsihakv.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\ATsQODz.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\CHJnMcc.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\jVRrira.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\pJNTiZG.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\oAcyGbn.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\tXaxkjw.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\byLXdGq.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\ChPVDyn.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\LgUvMZR.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\ebslbSh.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\qUoEOXi.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\KoFmQqA.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\NBtRQmG.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\LWUhVNs.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\WzRwiCd.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\KtTbQQb.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\teQoGjM.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\HVZByJh.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\TInkhpZ.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\pKOSiYY.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\NZgYlmm.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\eiOPbQh.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\kYFCSfV.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\HXuzezI.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
File created	C:\Windows\System\hQlaUqd.exe	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	2852	dwm.exe
Token: SeChangeNotifyPrivilege	2852	dwm.exe
Token: 33	2852	dwm.exe
Token: SeIncBasePriorityPrivilege	2852	dwm.exe
Token: SeShutdownPrivilege	2852	dwm.exe
Token: SeCreatePagefilePrivilege	2852	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 3788	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	83
PID 2500 wrote to memory of 3788	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	83
PID 2500 wrote to memory of 3028	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	84
PID 2500 wrote to memory of 3028	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	84
PID 2500 wrote to memory of 5116	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	85
PID 2500 wrote to memory of 5116	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	85
PID 2500 wrote to memory of 4996	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	86
PID 2500 wrote to memory of 4996	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	86
PID 2500 wrote to memory of 1940	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	87
PID 2500 wrote to memory of 1940	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	87
PID 2500 wrote to memory of 3508	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	88
PID 2500 wrote to memory of 3508	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	88
PID 2500 wrote to memory of 924	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	89
PID 2500 wrote to memory of 924	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	89
PID 2500 wrote to memory of 2392	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	90
PID 2500 wrote to memory of 2392	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	90
PID 2500 wrote to memory of 2792	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	91
PID 2500 wrote to memory of 2792	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	91
PID 2500 wrote to memory of 4220	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	92
PID 2500 wrote to memory of 4220	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	92
PID 2500 wrote to memory of 2648	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	93
PID 2500 wrote to memory of 2648	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	93
PID 2500 wrote to memory of 2088	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	94
PID 2500 wrote to memory of 2088	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	94
PID 2500 wrote to memory of 1088	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	95
PID 2500 wrote to memory of 1088	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	95
PID 2500 wrote to memory of 5040	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	96
PID 2500 wrote to memory of 5040	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	96
PID 2500 wrote to memory of 1068	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	97
PID 2500 wrote to memory of 1068	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	97
PID 2500 wrote to memory of 5072	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	98
PID 2500 wrote to memory of 5072	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	98
PID 2500 wrote to memory of 3752	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	99
PID 2500 wrote to memory of 3752	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	99
PID 2500 wrote to memory of 4068	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	100
PID 2500 wrote to memory of 4068	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	100
PID 2500 wrote to memory of 5008	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	101
PID 2500 wrote to memory of 5008	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	101
PID 2500 wrote to memory of 2428	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	102
PID 2500 wrote to memory of 2428	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	102
PID 2500 wrote to memory of 4964	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	103
PID 2500 wrote to memory of 4964	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	103
PID 2500 wrote to memory of 2888	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	104
PID 2500 wrote to memory of 2888	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	104
PID 2500 wrote to memory of 632	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	105
PID 2500 wrote to memory of 632	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	105
PID 2500 wrote to memory of 4468	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	106
PID 2500 wrote to memory of 4468	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	106
PID 2500 wrote to memory of 4672	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	107
PID 2500 wrote to memory of 4672	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	107
PID 2500 wrote to memory of 752	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	108
PID 2500 wrote to memory of 752	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	108
PID 2500 wrote to memory of 1812	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	109
PID 2500 wrote to memory of 1812	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	109
PID 2500 wrote to memory of 2156	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	110
PID 2500 wrote to memory of 2156	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	110
PID 2500 wrote to memory of 1148	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	111
PID 2500 wrote to memory of 1148	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	111
PID 2500 wrote to memory of 3764	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	112
PID 2500 wrote to memory of 3764	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	112
PID 2500 wrote to memory of 1952	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	113
PID 2500 wrote to memory of 1952	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	113
PID 2500 wrote to memory of 744	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	114
PID 2500 wrote to memory of 744	2500	ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe	114

C:\Users\Admin\AppData\Local\Temp\ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\ba304be84abd7af3f0779196075b3208f5603f1cab2c311553e2c9898604e4d5_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\System\RaepDpt.exe
  C:\Windows\System\RaepDpt.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\yzvRXcA.exe
  C:\Windows\System\yzvRXcA.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\sZddTRd.exe
  C:\Windows\System\sZddTRd.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\LgUvMZR.exe
  C:\Windows\System\LgUvMZR.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\ebslbSh.exe
  C:\Windows\System\ebslbSh.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Windows\System\XrNmpdw.exe
  C:\Windows\System\XrNmpdw.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\GRRwTnw.exe
  C:\Windows\System\GRRwTnw.exe
  2⤵
  - Executes dropped EXE
  PID:924
- C:\Windows\System\qzqwHpD.exe
  C:\Windows\System\qzqwHpD.exe
  2⤵
  - Executes dropped EXE
  PID:2392
- C:\Windows\System\KtTbQQb.exe
  C:\Windows\System\KtTbQQb.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\QcMlBvC.exe
  C:\Windows\System\QcMlBvC.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\MOlIsft.exe
  C:\Windows\System\MOlIsft.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\KIXRYFL.exe
  C:\Windows\System\KIXRYFL.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\xYRjhOy.exe
  C:\Windows\System\xYRjhOy.exe
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Windows\System\PfdZrNy.exe
  C:\Windows\System\PfdZrNy.exe
  2⤵
  - Executes dropped EXE
  PID:5040
- C:\Windows\System\vmysfWs.exe
  C:\Windows\System\vmysfWs.exe
  2⤵
  - Executes dropped EXE
  PID:1068
- C:\Windows\System\sORMAKO.exe
  C:\Windows\System\sORMAKO.exe
  2⤵
  - Executes dropped EXE
  PID:5072
- C:\Windows\System\mhkEjpQ.exe
  C:\Windows\System\mhkEjpQ.exe
  2⤵
  - Executes dropped EXE
  PID:3752
- C:\Windows\System\nUtITUP.exe
  C:\Windows\System\nUtITUP.exe
  2⤵
  - Executes dropped EXE
  PID:4068
- C:\Windows\System\wCcdacM.exe
  C:\Windows\System\wCcdacM.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System\RPmhgXr.exe
  C:\Windows\System\RPmhgXr.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\UhFfTkn.exe
  C:\Windows\System\UhFfTkn.exe
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\Windows\System\jIuYfce.exe
  C:\Windows\System\jIuYfce.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\MlYhvRb.exe
  C:\Windows\System\MlYhvRb.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Windows\System\RgGFEGA.exe
  C:\Windows\System\RgGFEGA.exe
  2⤵
  - Executes dropped EXE
  PID:4468
- C:\Windows\System\uiYAxMO.exe
  C:\Windows\System\uiYAxMO.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\SluOVeC.exe
  C:\Windows\System\SluOVeC.exe
  2⤵
  - Executes dropped EXE
  PID:752
- C:\Windows\System\hlpJihw.exe
  C:\Windows\System\hlpJihw.exe
  2⤵
  - Executes dropped EXE
  PID:1812
- C:\Windows\System\NtrZlJe.exe
  C:\Windows\System\NtrZlJe.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\uqjMwux.exe
  C:\Windows\System\uqjMwux.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\zGJEzRv.exe
  C:\Windows\System\zGJEzRv.exe
  2⤵
  - Executes dropped EXE
  PID:3764
- C:\Windows\System\UFbTRWt.exe
  C:\Windows\System\UFbTRWt.exe
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\Windows\System\dNzBDPI.exe
  C:\Windows\System\dNzBDPI.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System\ntWVMLO.exe
  C:\Windows\System\ntWVMLO.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\dXwmwMC.exe
  C:\Windows\System\dXwmwMC.exe
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\Windows\System\cwYbKxZ.exe
  C:\Windows\System\cwYbKxZ.exe
  2⤵
  - Executes dropped EXE
  PID:4152
- C:\Windows\System\JcnHkeM.exe
  C:\Windows\System\JcnHkeM.exe
  2⤵
  - Executes dropped EXE
  PID:4656
- C:\Windows\System\wzffJHg.exe
  C:\Windows\System\wzffJHg.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\RdPoiJO.exe
  C:\Windows\System\RdPoiJO.exe
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\System\ZhRudmz.exe
  C:\Windows\System\ZhRudmz.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System\FrADPar.exe
  C:\Windows\System\FrADPar.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\yNiTvUp.exe
  C:\Windows\System\yNiTvUp.exe
  2⤵
  - Executes dropped EXE
  PID:3860
- C:\Windows\System\UWNhGgr.exe
  C:\Windows\System\UWNhGgr.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\muDhEyv.exe
  C:\Windows\System\muDhEyv.exe
  2⤵
  - Executes dropped EXE
  PID:4476
- C:\Windows\System\zLEZSTt.exe
  C:\Windows\System\zLEZSTt.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\dIiMVXd.exe
  C:\Windows\System\dIiMVXd.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\ufvBVyQ.exe
  C:\Windows\System\ufvBVyQ.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\ClIlFSu.exe
  C:\Windows\System\ClIlFSu.exe
  2⤵
  - Executes dropped EXE
  PID:4784
- C:\Windows\System\qfQGFgt.exe
  C:\Windows\System\qfQGFgt.exe
  2⤵
  - Executes dropped EXE
  PID:4444
- C:\Windows\System\wGteofI.exe
  C:\Windows\System\wGteofI.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System\toqxcKV.exe
  C:\Windows\System\toqxcKV.exe
  2⤵
  - Executes dropped EXE
  PID:2604
- C:\Windows\System\YGnMGzl.exe
  C:\Windows\System\YGnMGzl.exe
  2⤵
  - Executes dropped EXE
  PID:992
- C:\Windows\System\sWvsUdj.exe
  C:\Windows\System\sWvsUdj.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\GmPKINu.exe
  C:\Windows\System\GmPKINu.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Windows\System\RomZghD.exe
  C:\Windows\System\RomZghD.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System\EBmtiDa.exe
  C:\Windows\System\EBmtiDa.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\swoLCeB.exe
  C:\Windows\System\swoLCeB.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\BRnLzZx.exe
  C:\Windows\System\BRnLzZx.exe
  2⤵
  - Executes dropped EXE
  PID:3400
- C:\Windows\System\sDpSsiC.exe
  C:\Windows\System\sDpSsiC.exe
  2⤵
  - Executes dropped EXE
  PID:4004
- C:\Windows\System\SZICbrV.exe
  C:\Windows\System\SZICbrV.exe
  2⤵
  - Executes dropped EXE
  PID:4944
- C:\Windows\System\BeUxKLu.exe
  C:\Windows\System\BeUxKLu.exe
  2⤵
  - Executes dropped EXE
  PID:1228
- C:\Windows\System\lrMsoRB.exe
  C:\Windows\System\lrMsoRB.exe
  2⤵
  - Executes dropped EXE
  PID:3612
- C:\Windows\System\jzttCAc.exe
  C:\Windows\System\jzttCAc.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\System\IKKXXaC.exe
  C:\Windows\System\IKKXXaC.exe
  2⤵
  - Executes dropped EXE
  PID:4140
- C:\Windows\System\fMNcnVi.exe
  C:\Windows\System\fMNcnVi.exe
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\Windows\System\jAFHzey.exe
  C:\Windows\System\jAFHzey.exe
  2⤵
  PID:4376
- C:\Windows\System\kwMfdBZ.exe
  C:\Windows\System\kwMfdBZ.exe
  2⤵
  PID:4912
- C:\Windows\System\UBqNUHr.exe
  C:\Windows\System\UBqNUHr.exe
  2⤵
  PID:1128
- C:\Windows\System\VFhWpJG.exe
  C:\Windows\System\VFhWpJG.exe
  2⤵
  PID:3408
- C:\Windows\System\zLpDeNE.exe
  C:\Windows\System\zLpDeNE.exe
  2⤵
  PID:4344
- C:\Windows\System\tgGIPAD.exe
  C:\Windows\System\tgGIPAD.exe
  2⤵
  PID:708
- C:\Windows\System\ORVTvqV.exe
  C:\Windows\System\ORVTvqV.exe
  2⤵
  PID:1372
- C:\Windows\System\GeEDMsj.exe
  C:\Windows\System\GeEDMsj.exe
  2⤵
  PID:3928
- C:\Windows\System\ZvvLNLy.exe
  C:\Windows\System\ZvvLNLy.exe
  2⤵
  PID:2688
- C:\Windows\System\yzPaXQu.exe
  C:\Windows\System\yzPaXQu.exe
  2⤵
  PID:2020
- C:\Windows\System\UqXIJqm.exe
  C:\Windows\System\UqXIJqm.exe
  2⤵
  PID:1084
- C:\Windows\System\cPkjcAR.exe
  C:\Windows\System\cPkjcAR.exe
  2⤵
  PID:3484
- C:\Windows\System\dqDUNqW.exe
  C:\Windows\System\dqDUNqW.exe
  2⤵
  PID:2372
- C:\Windows\System\VeupttW.exe
  C:\Windows\System\VeupttW.exe
  2⤵
  PID:5136
- C:\Windows\System\tMofSFp.exe
  C:\Windows\System\tMofSFp.exe
  2⤵
  PID:5164
- C:\Windows\System\XPXVCOq.exe
  C:\Windows\System\XPXVCOq.exe
  2⤵
  PID:5192
- C:\Windows\System\rJgVZhB.exe
  C:\Windows\System\rJgVZhB.exe
  2⤵
  PID:5220
- C:\Windows\System\KDbOlUz.exe
  C:\Windows\System\KDbOlUz.exe
  2⤵
  PID:5248
- C:\Windows\System\zezHyfv.exe
  C:\Windows\System\zezHyfv.exe
  2⤵
  PID:5272
- C:\Windows\System\ngKoMLT.exe
  C:\Windows\System\ngKoMLT.exe
  2⤵
  PID:5296
- C:\Windows\System\mOhsBtQ.exe
  C:\Windows\System\mOhsBtQ.exe
  2⤵
  PID:5320
- C:\Windows\System\DjBCDKV.exe
  C:\Windows\System\DjBCDKV.exe
  2⤵
  PID:5352
- C:\Windows\System\AAigCrN.exe
  C:\Windows\System\AAigCrN.exe
  2⤵
  PID:5376
- C:\Windows\System\wSxPoxj.exe
  C:\Windows\System\wSxPoxj.exe
  2⤵
  PID:5404
- C:\Windows\System\SzqQBPG.exe
  C:\Windows\System\SzqQBPG.exe
  2⤵
  PID:5432
- C:\Windows\System\TjSXMrS.exe
  C:\Windows\System\TjSXMrS.exe
  2⤵
  PID:5460
- C:\Windows\System\QEcKxhd.exe
  C:\Windows\System\QEcKxhd.exe
  2⤵
  PID:5488
- C:\Windows\System\UGjURYi.exe
  C:\Windows\System\UGjURYi.exe
  2⤵
  PID:5516
- C:\Windows\System\MTVVRJA.exe
  C:\Windows\System\MTVVRJA.exe
  2⤵
  PID:5544
- C:\Windows\System\xtUcswA.exe
  C:\Windows\System\xtUcswA.exe
  2⤵
  PID:5568
- C:\Windows\System\mFHGCrW.exe
  C:\Windows\System\mFHGCrW.exe
  2⤵
  PID:5608
- C:\Windows\System\RXAMoBK.exe
  C:\Windows\System\RXAMoBK.exe
  2⤵
  PID:5628
- C:\Windows\System\JROPurB.exe
  C:\Windows\System\JROPurB.exe
  2⤵
  PID:5656
- C:\Windows\System\EznmFMD.exe
  C:\Windows\System\EznmFMD.exe
  2⤵
  PID:5684
- C:\Windows\System\JbDNewH.exe
  C:\Windows\System\JbDNewH.exe
  2⤵
  PID:5712
- C:\Windows\System\nHNGyFD.exe
  C:\Windows\System\nHNGyFD.exe
  2⤵
  PID:5740
- C:\Windows\System\FMNREhQ.exe
  C:\Windows\System\FMNREhQ.exe
  2⤵
  PID:5768
- C:\Windows\System\rYBOyjI.exe
  C:\Windows\System\rYBOyjI.exe
  2⤵
  PID:5796
- C:\Windows\System\rhkgJOM.exe
  C:\Windows\System\rhkgJOM.exe
  2⤵
  PID:5824
- C:\Windows\System\jVRrira.exe
  C:\Windows\System\jVRrira.exe
  2⤵
  PID:5852
- C:\Windows\System\UPlaARY.exe
  C:\Windows\System\UPlaARY.exe
  2⤵
  PID:5880
- C:\Windows\System\COkmUrl.exe
  C:\Windows\System\COkmUrl.exe
  2⤵
  PID:5908
- C:\Windows\System\NCZFZcB.exe
  C:\Windows\System\NCZFZcB.exe
  2⤵
  PID:5936
- C:\Windows\System\YyECiLn.exe
  C:\Windows\System\YyECiLn.exe
  2⤵
  PID:5964
- C:\Windows\System\TCSzdzt.exe
  C:\Windows\System\TCSzdzt.exe
  2⤵
  PID:5992
- C:\Windows\System\HXuzezI.exe
  C:\Windows\System\HXuzezI.exe
  2⤵
  PID:6028
- C:\Windows\System\hCrWRsd.exe
  C:\Windows\System\hCrWRsd.exe
  2⤵
  PID:6048
- C:\Windows\System\BZOnbKa.exe
  C:\Windows\System\BZOnbKa.exe
  2⤵
  PID:6076
- C:\Windows\System\OgKUoif.exe
  C:\Windows\System\OgKUoif.exe
  2⤵
  PID:6104
- C:\Windows\System\yeJhECM.exe
  C:\Windows\System\yeJhECM.exe
  2⤵
  PID:6132
- C:\Windows\System\xCUvITE.exe
  C:\Windows\System\xCUvITE.exe
  2⤵
  PID:3192
- C:\Windows\System\ndMFSMY.exe
  C:\Windows\System\ndMFSMY.exe
  2⤵
  PID:2612
- C:\Windows\System\DcvqOIQ.exe
  C:\Windows\System\DcvqOIQ.exe
  2⤵
  PID:1864
- C:\Windows\System\eFWzFyN.exe
  C:\Windows\System\eFWzFyN.exe
  2⤵
  PID:4660
- C:\Windows\System\XhvnEak.exe
  C:\Windows\System\XhvnEak.exe
  2⤵
  PID:4496
- C:\Windows\System\pJNTiZG.exe
  C:\Windows\System\pJNTiZG.exe
  2⤵
  PID:2024
- C:\Windows\System\TqciLBF.exe
  C:\Windows\System\TqciLBF.exe
  2⤵
  PID:5232
- C:\Windows\System\pTtDbaD.exe
  C:\Windows\System\pTtDbaD.exe
  2⤵
  PID:5304
- C:\Windows\System\QijKyKn.exe
  C:\Windows\System\QijKyKn.exe
  2⤵
  PID:5360
- C:\Windows\System\CMfuFPB.exe
  C:\Windows\System\CMfuFPB.exe
  2⤵
  PID:2504
- C:\Windows\System\xHYXvxT.exe
  C:\Windows\System\xHYXvxT.exe
  2⤵
  PID:5452
- C:\Windows\System\QafYORl.exe
  C:\Windows\System\QafYORl.exe
  2⤵
  PID:5508
- C:\Windows\System\jVnnNeJ.exe
  C:\Windows\System\jVnnNeJ.exe
  2⤵
  PID:1444
- C:\Windows\System\LwZvlOS.exe
  C:\Windows\System\LwZvlOS.exe
  2⤵
  PID:5620
- C:\Windows\System\KKTyjSj.exe
  C:\Windows\System\KKTyjSj.exe
  2⤵
  PID:5676
- C:\Windows\System\VIVoUGF.exe
  C:\Windows\System\VIVoUGF.exe
  2⤵
  PID:5732
- C:\Windows\System\zEbsjGo.exe
  C:\Windows\System\zEbsjGo.exe
  2⤵
  PID:5784
- C:\Windows\System\ompWgrj.exe
  C:\Windows\System\ompWgrj.exe
  2⤵
  PID:5844
- C:\Windows\System\DNDxNhZ.exe
  C:\Windows\System\DNDxNhZ.exe
  2⤵
  PID:1728
- C:\Windows\System\YpFPppL.exe
  C:\Windows\System\YpFPppL.exe
  2⤵
  PID:6060
- C:\Windows\System\KCPjyzu.exe
  C:\Windows\System\KCPjyzu.exe
  2⤵
  PID:6096
- C:\Windows\System\WkehRFZ.exe
  C:\Windows\System\WkehRFZ.exe
  2⤵
  PID:220
- C:\Windows\System\VNwoNhJ.exe
  C:\Windows\System\VNwoNhJ.exe
  2⤵
  PID:3440
- C:\Windows\System\TEyORdh.exe
  C:\Windows\System\TEyORdh.exe
  2⤵
  PID:4580
- C:\Windows\System\zQqcnTB.exe
  C:\Windows\System\zQqcnTB.exe
  2⤵
  PID:2732
- C:\Windows\System\QtrToio.exe
  C:\Windows\System\QtrToio.exe
  2⤵
  PID:2384
- C:\Windows\System\hjkNTLV.exe
  C:\Windows\System\hjkNTLV.exe
  2⤵
  PID:5208
- C:\Windows\System\gPVlyve.exe
  C:\Windows\System\gPVlyve.exe
  2⤵
  PID:5264
- C:\Windows\System\xqdIXCy.exe
  C:\Windows\System\xqdIXCy.exe
  2⤵
  PID:5480
- C:\Windows\System\xGZtJmd.exe
  C:\Windows\System\xGZtJmd.exe
  2⤵
  PID:4480
- C:\Windows\System\lGjHaDC.exe
  C:\Windows\System\lGjHaDC.exe
  2⤵
  PID:5584
- C:\Windows\System\gVUAoYx.exe
  C:\Windows\System\gVUAoYx.exe
  2⤵
  PID:2576
- C:\Windows\System\NpuoHTU.exe
  C:\Windows\System\NpuoHTU.exe
  2⤵
  PID:5760
- C:\Windows\System\vZdeQxu.exe
  C:\Windows\System\vZdeQxu.exe
  2⤵
  PID:3116
- C:\Windows\System\HqOBkDe.exe
  C:\Windows\System\HqOBkDe.exe
  2⤵
  PID:5044
- C:\Windows\System\VjWIClB.exe
  C:\Windows\System\VjWIClB.exe
  2⤵
  PID:1880
- C:\Windows\System\BQDpcEb.exe
  C:\Windows\System\BQDpcEb.exe
  2⤵
  PID:4952
- C:\Windows\System\yqLFqkc.exe
  C:\Windows\System\yqLFqkc.exe
  2⤵
  PID:6124
- C:\Windows\System\elyqAwS.exe
  C:\Windows\System\elyqAwS.exe
  2⤵
  PID:2416
- C:\Windows\System\vYqpkRU.exe
  C:\Windows\System\vYqpkRU.exe
  2⤵
  PID:5644
- C:\Windows\System\lmjnYKb.exe
  C:\Windows\System\lmjnYKb.exe
  2⤵
  PID:636
- C:\Windows\System\kINMbNt.exe
  C:\Windows\System\kINMbNt.exe
  2⤵
  PID:4644
- C:\Windows\System\lPrWPFV.exe
  C:\Windows\System\lPrWPFV.exe
  2⤵
  PID:3724
- C:\Windows\System\FIhxwCF.exe
  C:\Windows\System\FIhxwCF.exe
  2⤵
  PID:4388
- C:\Windows\System\SKBCFvj.exe
  C:\Windows\System\SKBCFvj.exe
  2⤵
  PID:1496
- C:\Windows\System\wohHLTa.exe
  C:\Windows\System\wohHLTa.exe
  2⤵
  PID:5152
- C:\Windows\System\QpEPozk.exe
  C:\Windows\System\QpEPozk.exe
  2⤵
  PID:5424
- C:\Windows\System\yCqlaal.exe
  C:\Windows\System\yCqlaal.exe
  2⤵
  PID:1664
- C:\Windows\System\ppuqbSn.exe
  C:\Windows\System\ppuqbSn.exe
  2⤵
  PID:6172
- C:\Windows\System\qvdzHCT.exe
  C:\Windows\System\qvdzHCT.exe
  2⤵
  PID:6196
- C:\Windows\System\lfPetzu.exe
  C:\Windows\System\lfPetzu.exe
  2⤵
  PID:6228
- C:\Windows\System\CnyDBgV.exe
  C:\Windows\System\CnyDBgV.exe
  2⤵
  PID:6248
- C:\Windows\System\DThLfYq.exe
  C:\Windows\System\DThLfYq.exe
  2⤵
  PID:6272
- C:\Windows\System\gudDmzT.exe
  C:\Windows\System\gudDmzT.exe
  2⤵
  PID:6300
- C:\Windows\System\SCuuQIz.exe
  C:\Windows\System\SCuuQIz.exe
  2⤵
  PID:6344
- C:\Windows\System\bNryLTY.exe
  C:\Windows\System\bNryLTY.exe
  2⤵
  PID:6384
- C:\Windows\System\YykEgzJ.exe
  C:\Windows\System\YykEgzJ.exe
  2⤵
  PID:6400
- C:\Windows\System\SpSdKaS.exe
  C:\Windows\System\SpSdKaS.exe
  2⤵
  PID:6420
- C:\Windows\System\zyOKxcz.exe
  C:\Windows\System\zyOKxcz.exe
  2⤵
  PID:6444
- C:\Windows\System\MAYznDw.exe
  C:\Windows\System\MAYznDw.exe
  2⤵
  PID:6464
- C:\Windows\System\qbdHkEY.exe
  C:\Windows\System\qbdHkEY.exe
  2⤵
  PID:6488
- C:\Windows\System\iyMHXde.exe
  C:\Windows\System\iyMHXde.exe
  2⤵
  PID:6508
- C:\Windows\System\gDmfngy.exe
  C:\Windows\System\gDmfngy.exe
  2⤵
  PID:6532
- C:\Windows\System\qUoEOXi.exe
  C:\Windows\System\qUoEOXi.exe
  2⤵
  PID:6556
- C:\Windows\System\tBFyvnQ.exe
  C:\Windows\System\tBFyvnQ.exe
  2⤵
  PID:6580
- C:\Windows\System\MlwzUKx.exe
  C:\Windows\System\MlwzUKx.exe
  2⤵
  PID:6600
- C:\Windows\System\wicbShH.exe
  C:\Windows\System\wicbShH.exe
  2⤵
  PID:6664
- C:\Windows\System\lvgiaBW.exe
  C:\Windows\System\lvgiaBW.exe
  2⤵
  PID:6684
- C:\Windows\System\WlHSigC.exe
  C:\Windows\System\WlHSigC.exe
  2⤵
  PID:6728
- C:\Windows\System\MtpiKJi.exe
  C:\Windows\System\MtpiKJi.exe
  2⤵
  PID:6760
- C:\Windows\System\CjDvBsR.exe
  C:\Windows\System\CjDvBsR.exe
  2⤵
  PID:6776
- C:\Windows\System\oKJAbCa.exe
  C:\Windows\System\oKJAbCa.exe
  2⤵
  PID:6828
- C:\Windows\System\ZVDHmhC.exe
  C:\Windows\System\ZVDHmhC.exe
  2⤵
  PID:6856
- C:\Windows\System\lmcRvCp.exe
  C:\Windows\System\lmcRvCp.exe
  2⤵
  PID:6872
- C:\Windows\System\LiYWAJD.exe
  C:\Windows\System\LiYWAJD.exe
  2⤵
  PID:6896
- C:\Windows\System\aCbgqsn.exe
  C:\Windows\System\aCbgqsn.exe
  2⤵
  PID:6948
- C:\Windows\System\PwbcelM.exe
  C:\Windows\System\PwbcelM.exe
  2⤵
  PID:6992
- C:\Windows\System\FGWmXWP.exe
  C:\Windows\System\FGWmXWP.exe
  2⤵
  PID:7008
- C:\Windows\System\JyuihFo.exe
  C:\Windows\System\JyuihFo.exe
  2⤵
  PID:7036
- C:\Windows\System\cmiKUEf.exe
  C:\Windows\System\cmiKUEf.exe
  2⤵
  PID:7056
- C:\Windows\System\INsTLlr.exe
  C:\Windows\System\INsTLlr.exe
  2⤵
  PID:7080
- C:\Windows\System\jhmbnzd.exe
  C:\Windows\System\jhmbnzd.exe
  2⤵
  PID:7108
- C:\Windows\System\KaRuOlg.exe
  C:\Windows\System\KaRuOlg.exe
  2⤵
  PID:7136
- C:\Windows\System\TzLcNdS.exe
  C:\Windows\System\TzLcNdS.exe
  2⤵
  PID:4812
- C:\Windows\System\AnLBZDH.exe
  C:\Windows\System\AnLBZDH.exe
  2⤵
  PID:6152
- C:\Windows\System\hQlaUqd.exe
  C:\Windows\System\hQlaUqd.exe
  2⤵
  PID:6256
- C:\Windows\System\uQsbEak.exe
  C:\Windows\System\uQsbEak.exe
  2⤵
  PID:6244
- C:\Windows\System\cBhGdMW.exe
  C:\Windows\System\cBhGdMW.exe
  2⤵
  PID:6292
- C:\Windows\System\kQMXmkS.exe
  C:\Windows\System\kQMXmkS.exe
  2⤵
  PID:5560
- C:\Windows\System\RltEDaC.exe
  C:\Windows\System\RltEDaC.exe
  2⤵
  PID:4016
- C:\Windows\System\rXOifoG.exe
  C:\Windows\System\rXOifoG.exe
  2⤵
  PID:6380
- C:\Windows\System\IfCsCcv.exe
  C:\Windows\System\IfCsCcv.exe
  2⤵
  PID:6428
- C:\Windows\System\SiTbAOj.exe
  C:\Windows\System\SiTbAOj.exe
  2⤵
  PID:6460
- C:\Windows\System\SInIRnq.exe
  C:\Windows\System\SInIRnq.exe
  2⤵
  PID:6644
- C:\Windows\System\sbsDrwr.exe
  C:\Windows\System\sbsDrwr.exe
  2⤵
  PID:6704
- C:\Windows\System\yehlUJu.exe
  C:\Windows\System\yehlUJu.exe
  2⤵
  PID:6680
- C:\Windows\System\jHlJprT.exe
  C:\Windows\System\jHlJprT.exe
  2⤵
  PID:6368
- C:\Windows\System\AjGFmrt.exe
  C:\Windows\System\AjGFmrt.exe
  2⤵
  PID:6868
- C:\Windows\System\LkflkKz.exe
  C:\Windows\System\LkflkKz.exe
  2⤵
  PID:6940
- C:\Windows\System\dzBRJEA.exe
  C:\Windows\System\dzBRJEA.exe
  2⤵
  PID:6924
- C:\Windows\System\nZhrBre.exe
  C:\Windows\System\nZhrBre.exe
  2⤵
  PID:7004
- C:\Windows\System\PNOimEi.exe
  C:\Windows\System\PNOimEi.exe
  2⤵
  PID:7116
- C:\Windows\System\TTACioO.exe
  C:\Windows\System\TTACioO.exe
  2⤵
  PID:7128
- C:\Windows\System\WguppTV.exe
  C:\Windows\System\WguppTV.exe
  2⤵
  PID:440
- C:\Windows\System\GKLDMjk.exe
  C:\Windows\System\GKLDMjk.exe
  2⤵
  PID:6220
- C:\Windows\System\tmdqxtB.exe
  C:\Windows\System\tmdqxtB.exe
  2⤵
  PID:2244
- C:\Windows\System\JZNqXtt.exe
  C:\Windows\System\JZNqXtt.exe
  2⤵
  PID:6436
- C:\Windows\System\xoZUrDy.exe
  C:\Windows\System\xoZUrDy.exe
  2⤵
  PID:6756
- C:\Windows\System\yvdEQNo.exe
  C:\Windows\System\yvdEQNo.exe
  2⤵
  PID:6836
- C:\Windows\System\GwyaeKA.exe
  C:\Windows\System\GwyaeKA.exe
  2⤵
  PID:6908
- C:\Windows\System\JnMgQsL.exe
  C:\Windows\System\JnMgQsL.exe
  2⤵
  PID:6972
- C:\Windows\System\DXWhMwq.exe
  C:\Windows\System\DXWhMwq.exe
  2⤵
  PID:3456
- C:\Windows\System\oGCrimg.exe
  C:\Windows\System\oGCrimg.exe
  2⤵
  PID:6264
- C:\Windows\System\DvPJYCW.exe
  C:\Windows\System\DvPJYCW.exe
  2⤵
  PID:6804
- C:\Windows\System\jZRzaBr.exe
  C:\Windows\System\jZRzaBr.exe
  2⤵
  PID:7088
- C:\Windows\System\nYwMfLr.exe
  C:\Windows\System\nYwMfLr.exe
  2⤵
  PID:7184
- C:\Windows\System\HUIQNpr.exe
  C:\Windows\System\HUIQNpr.exe
  2⤵
  PID:7220
- C:\Windows\System\RWGOQtP.exe
  C:\Windows\System\RWGOQtP.exe
  2⤵
  PID:7252
- C:\Windows\System\KNkoDGi.exe
  C:\Windows\System\KNkoDGi.exe
  2⤵
  PID:7280
- C:\Windows\System\zzuasTa.exe
  C:\Windows\System\zzuasTa.exe
  2⤵
  PID:7300
- C:\Windows\System\FQWPPiE.exe
  C:\Windows\System\FQWPPiE.exe
  2⤵
  PID:7336
- C:\Windows\System\VdjRlAl.exe
  C:\Windows\System\VdjRlAl.exe
  2⤵
  PID:7396
- C:\Windows\System\PNWwvGb.exe
  C:\Windows\System\PNWwvGb.exe
  2⤵
  PID:7416
- C:\Windows\System\HZAUrdF.exe
  C:\Windows\System\HZAUrdF.exe
  2⤵
  PID:7440
- C:\Windows\System\vIVzjLz.exe
  C:\Windows\System\vIVzjLz.exe
  2⤵
  PID:7492
- C:\Windows\System\zFySoQU.exe
  C:\Windows\System\zFySoQU.exe
  2⤵
  PID:7512
- C:\Windows\System\YTkkJUJ.exe
  C:\Windows\System\YTkkJUJ.exe
  2⤵
  PID:7532
- C:\Windows\System\JwYzkgR.exe
  C:\Windows\System\JwYzkgR.exe
  2⤵
  PID:7548
- C:\Windows\System\seydwYm.exe
  C:\Windows\System\seydwYm.exe
  2⤵
  PID:7572
- C:\Windows\System\BZSPwzL.exe
  C:\Windows\System\BZSPwzL.exe
  2⤵
  PID:7592
- C:\Windows\System\rClrOqh.exe
  C:\Windows\System\rClrOqh.exe
  2⤵
  PID:7648
- C:\Windows\System\teQoGjM.exe
  C:\Windows\System\teQoGjM.exe
  2⤵
  PID:7668
- C:\Windows\System\umJEyVp.exe
  C:\Windows\System\umJEyVp.exe
  2⤵
  PID:7688
- C:\Windows\System\ajWVQSo.exe
  C:\Windows\System\ajWVQSo.exe
  2⤵
  PID:7708
- C:\Windows\System\uulpLlR.exe
  C:\Windows\System\uulpLlR.exe
  2⤵
  PID:7732
- C:\Windows\System\DTiNVSY.exe
  C:\Windows\System\DTiNVSY.exe
  2⤵
  PID:7752
- C:\Windows\System\VyemrQM.exe
  C:\Windows\System\VyemrQM.exe
  2⤵
  PID:7804
- C:\Windows\System\ExLaFDZ.exe
  C:\Windows\System\ExLaFDZ.exe
  2⤵
  PID:7824
- C:\Windows\System\JLUESWe.exe
  C:\Windows\System\JLUESWe.exe
  2⤵
  PID:7868
- C:\Windows\System\RaqdMSU.exe
  C:\Windows\System\RaqdMSU.exe
  2⤵
  PID:7892
- C:\Windows\System\oAcyGbn.exe
  C:\Windows\System\oAcyGbn.exe
  2⤵
  PID:7916
- C:\Windows\System\nDvkrMW.exe
  C:\Windows\System\nDvkrMW.exe
  2⤵
  PID:7936
- C:\Windows\System\CBHIzih.exe
  C:\Windows\System\CBHIzih.exe
  2⤵
  PID:7952
- C:\Windows\System\rOcSNjT.exe
  C:\Windows\System\rOcSNjT.exe
  2⤵
  PID:7976
- C:\Windows\System\RsGtEdY.exe
  C:\Windows\System\RsGtEdY.exe
  2⤵
  PID:8000
- C:\Windows\System\IzZuRTy.exe
  C:\Windows\System\IzZuRTy.exe
  2⤵
  PID:8056
- C:\Windows\System\kqqnMqq.exe
  C:\Windows\System\kqqnMqq.exe
  2⤵
  PID:8072
- C:\Windows\System\kmGzdbS.exe
  C:\Windows\System\kmGzdbS.exe
  2⤵
  PID:8108
- C:\Windows\System\HVZByJh.exe
  C:\Windows\System\HVZByJh.exe
  2⤵
  PID:8136
- C:\Windows\System\YvkbkkI.exe
  C:\Windows\System\YvkbkkI.exe
  2⤵
  PID:8168
- C:\Windows\System\dMaYjBT.exe
  C:\Windows\System\dMaYjBT.exe
  2⤵
  PID:8188
- C:\Windows\System\kDUVCCZ.exe
  C:\Windows\System\kDUVCCZ.exe
  2⤵
  PID:6772
- C:\Windows\System\OkzaDOi.exe
  C:\Windows\System\OkzaDOi.exe
  2⤵
  PID:7176
- C:\Windows\System\HlsnSxx.exe
  C:\Windows\System\HlsnSxx.exe
  2⤵
  PID:7244
- C:\Windows\System\gJByPCF.exe
  C:\Windows\System\gJByPCF.exe
  2⤵
  PID:7292
- C:\Windows\System\SlpsJMT.exe
  C:\Windows\System\SlpsJMT.exe
  2⤵
  PID:7344
- C:\Windows\System\ZqszAMU.exe
  C:\Windows\System\ZqszAMU.exe
  2⤵
  PID:7404
- C:\Windows\System\iAxwnUB.exe
  C:\Windows\System\iAxwnUB.exe
  2⤵
  PID:7544
- C:\Windows\System\cRXhyco.exe
  C:\Windows\System\cRXhyco.exe
  2⤵
  PID:7620
- C:\Windows\System\vFnmWvY.exe
  C:\Windows\System\vFnmWvY.exe
  2⤵
  PID:7700
- C:\Windows\System\AMoygAA.exe
  C:\Windows\System\AMoygAA.exe
  2⤵
  PID:7744
- C:\Windows\System\zGFRwnt.exe
  C:\Windows\System\zGFRwnt.exe
  2⤵
  PID:7800
- C:\Windows\System\SqnBNlW.exe
  C:\Windows\System\SqnBNlW.exe
  2⤵
  PID:7876
- C:\Windows\System\NMirytY.exe
  C:\Windows\System\NMirytY.exe
  2⤵
  PID:7948
- C:\Windows\System\OmqPVtA.exe
  C:\Windows\System\OmqPVtA.exe
  2⤵
  PID:7992
- C:\Windows\System\DehfqJr.exe
  C:\Windows\System\DehfqJr.exe
  2⤵
  PID:8132
- C:\Windows\System\axhHHfy.exe
  C:\Windows\System\axhHHfy.exe
  2⤵
  PID:7260
- C:\Windows\System\Eyrmvqb.exe
  C:\Windows\System\Eyrmvqb.exe
  2⤵
  PID:7200
- C:\Windows\System\iVmWyZv.exe
  C:\Windows\System\iVmWyZv.exe
  2⤵
  PID:7268
- C:\Windows\System\nyTamMx.exe
  C:\Windows\System\nyTamMx.exe
  2⤵
  PID:7528
- C:\Windows\System\ABTufWW.exe
  C:\Windows\System\ABTufWW.exe
  2⤵
  PID:7656
- C:\Windows\System\jVzMBaM.exe
  C:\Windows\System\jVzMBaM.exe
  2⤵
  PID:7588
- C:\Windows\System\kVzXWOt.exe
  C:\Windows\System\kVzXWOt.exe
  2⤵
  PID:8144
- C:\Windows\System\fqLcTWp.exe
  C:\Windows\System\fqLcTWp.exe
  2⤵
  PID:7104
- C:\Windows\System\WxHDbdD.exe
  C:\Windows\System\WxHDbdD.exe
  2⤵
  PID:7608
- C:\Windows\System\wDRXofl.exe
  C:\Windows\System\wDRXofl.exe
  2⤵
  PID:7720
- C:\Windows\System\DJJjhSc.exe
  C:\Windows\System\DJJjhSc.exe
  2⤵
  PID:7428
- C:\Windows\System\ksANABi.exe
  C:\Windows\System\ksANABi.exe
  2⤵
  PID:7352
- C:\Windows\System\deagEBd.exe
  C:\Windows\System\deagEBd.exe
  2⤵
  PID:8208
- C:\Windows\System\khRAEBt.exe
  C:\Windows\System\khRAEBt.exe
  2⤵
  PID:8240
- C:\Windows\System\MXZnqZQ.exe
  C:\Windows\System\MXZnqZQ.exe
  2⤵
  PID:8276
- C:\Windows\System\pUTxWHU.exe
  C:\Windows\System\pUTxWHU.exe
  2⤵
  PID:8304
- C:\Windows\System\zJhYBeJ.exe
  C:\Windows\System\zJhYBeJ.exe
  2⤵
  PID:8324
- C:\Windows\System\mHedBBH.exe
  C:\Windows\System\mHedBBH.exe
  2⤵
  PID:8364
- C:\Windows\System\KoFmQqA.exe
  C:\Windows\System\KoFmQqA.exe
  2⤵
  PID:8384
- C:\Windows\System\ddFTOUz.exe
  C:\Windows\System\ddFTOUz.exe
  2⤵
  PID:8400
- C:\Windows\System\COuuKwZ.exe
  C:\Windows\System\COuuKwZ.exe
  2⤵
  PID:8416
- C:\Windows\System\vbPDCiB.exe
  C:\Windows\System\vbPDCiB.exe
  2⤵
  PID:8468
- C:\Windows\System\yOaIYRu.exe
  C:\Windows\System\yOaIYRu.exe
  2⤵
  PID:8484
- C:\Windows\System\bDUpiQU.exe
  C:\Windows\System\bDUpiQU.exe
  2⤵
  PID:8508
- C:\Windows\System\pvEqCTF.exe
  C:\Windows\System\pvEqCTF.exe
  2⤵
  PID:8528
- C:\Windows\System\fGfxcqH.exe
  C:\Windows\System\fGfxcqH.exe
  2⤵
  PID:8564
- C:\Windows\System\CVbnyJi.exe
  C:\Windows\System\CVbnyJi.exe
  2⤵
  PID:8592
- C:\Windows\System\Myesjmw.exe
  C:\Windows\System\Myesjmw.exe
  2⤵
  PID:8608
- C:\Windows\System\OUiCoXV.exe
  C:\Windows\System\OUiCoXV.exe
  2⤵
  PID:8628
- C:\Windows\System\pFSSNby.exe
  C:\Windows\System\pFSSNby.exe
  2⤵
  PID:8656
- C:\Windows\System\AoBfWAn.exe
  C:\Windows\System\AoBfWAn.exe
  2⤵
  PID:8680
- C:\Windows\System\UIrczPA.exe
  C:\Windows\System\UIrczPA.exe
  2⤵
  PID:8700
- C:\Windows\System\fRgdolJ.exe
  C:\Windows\System\fRgdolJ.exe
  2⤵
  PID:8764
- C:\Windows\System\lXSdMMr.exe
  C:\Windows\System\lXSdMMr.exe
  2⤵
  PID:8816
- C:\Windows\System\BXSeRkc.exe
  C:\Windows\System\BXSeRkc.exe
  2⤵
  PID:8836
- C:\Windows\System\ZIAAxHZ.exe
  C:\Windows\System\ZIAAxHZ.exe
  2⤵
  PID:8864
- C:\Windows\System\CLwWJHK.exe
  C:\Windows\System\CLwWJHK.exe
  2⤵
  PID:8892
- C:\Windows\System\tLPNivi.exe
  C:\Windows\System\tLPNivi.exe
  2⤵
  PID:8924
- C:\Windows\System\yIfvuzD.exe
  C:\Windows\System\yIfvuzD.exe
  2⤵
  PID:8940
- C:\Windows\System\DigWhik.exe
  C:\Windows\System\DigWhik.exe
  2⤵
  PID:8964
- C:\Windows\System\oSLowhD.exe
  C:\Windows\System\oSLowhD.exe
  2⤵
  PID:9004
- C:\Windows\System\RmufLix.exe
  C:\Windows\System\RmufLix.exe
  2⤵
  PID:9048
- C:\Windows\System\xjvLuym.exe
  C:\Windows\System\xjvLuym.exe
  2⤵
  PID:9080
- C:\Windows\System\ObHnLxQ.exe
  C:\Windows\System\ObHnLxQ.exe
  2⤵
  PID:9100
- C:\Windows\System\aowjLwZ.exe
  C:\Windows\System\aowjLwZ.exe
  2⤵
  PID:9124
- C:\Windows\System\aZorgJO.exe
  C:\Windows\System\aZorgJO.exe
  2⤵
  PID:9144
- C:\Windows\System\XINSGyu.exe
  C:\Windows\System\XINSGyu.exe
  2⤵
  PID:9164
- C:\Windows\System\ZpDARis.exe
  C:\Windows\System\ZpDARis.exe
  2⤵
  PID:9192
- C:\Windows\System\sIyKpLH.exe
  C:\Windows\System\sIyKpLH.exe
  2⤵
  PID:8204
- C:\Windows\System\eNUwEyC.exe
  C:\Windows\System\eNUwEyC.exe
  2⤵
  PID:8232
- C:\Windows\System\WyFsYEX.exe
  C:\Windows\System\WyFsYEX.exe
  2⤵
  PID:8292
- C:\Windows\System\NViAbbc.exe
  C:\Windows\System\NViAbbc.exe
  2⤵
  PID:8452
- C:\Windows\System\NBPCwoW.exe
  C:\Windows\System\NBPCwoW.exe
  2⤵
  PID:8444
- C:\Windows\System\QLSOoiU.exe
  C:\Windows\System\QLSOoiU.exe
  2⤵
  PID:8504
- C:\Windows\System\gWHVXhJ.exe
  C:\Windows\System\gWHVXhJ.exe
  2⤵
  PID:8580
- C:\Windows\System\WsDHJXa.exe
  C:\Windows\System\WsDHJXa.exe
  2⤵
  PID:8604
- C:\Windows\System\yEIUBiu.exe
  C:\Windows\System\yEIUBiu.exe
  2⤵
  PID:8672
- C:\Windows\System\PjxqYtt.exe
  C:\Windows\System\PjxqYtt.exe
  2⤵
  PID:8736
- C:\Windows\System\oTsqQeE.exe
  C:\Windows\System\oTsqQeE.exe
  2⤵
  PID:8812
- C:\Windows\System\uuaPZFZ.exe
  C:\Windows\System\uuaPZFZ.exe
  2⤵
  PID:8856
- C:\Windows\System\cREAbRb.exe
  C:\Windows\System\cREAbRb.exe
  2⤵
  PID:8912
- C:\Windows\System\yFViztg.exe
  C:\Windows\System\yFViztg.exe
  2⤵
  PID:8996
- C:\Windows\System\yQRBFSr.exe
  C:\Windows\System\yQRBFSr.exe
  2⤵
  PID:9096
- C:\Windows\System\ijIsPPz.exe
  C:\Windows\System\ijIsPPz.exe
  2⤵
  PID:9136
- C:\Windows\System\WFfVgpu.exe
  C:\Windows\System\WFfVgpu.exe
  2⤵
  PID:9188
- C:\Windows\System\WvjOraM.exe
  C:\Windows\System\WvjOraM.exe
  2⤵
  PID:8284
- C:\Windows\System\tXaxkjw.exe
  C:\Windows\System\tXaxkjw.exe
  2⤵
  PID:8480
- C:\Windows\System\WJvzSNF.exe
  C:\Windows\System\WJvzSNF.exe
  2⤵
  PID:8620
- C:\Windows\System\ChKyNES.exe
  C:\Windows\System\ChKyNES.exe
  2⤵
  PID:8908
- C:\Windows\System\tiOGeYG.exe
  C:\Windows\System\tiOGeYG.exe
  2⤵
  PID:9056
- C:\Windows\System\SEgNrOL.exe
  C:\Windows\System\SEgNrOL.exe
  2⤵
  PID:8216
- C:\Windows\System\zvsyhSX.exe
  C:\Windows\System\zvsyhSX.exe
  2⤵
  PID:8268
- C:\Windows\System\pXjYmwi.exe
  C:\Windows\System\pXjYmwi.exe
  2⤵
  PID:8780
- C:\Windows\System\YeZppyf.exe
  C:\Windows\System\YeZppyf.exe
  2⤵
  PID:8200
- C:\Windows\System\oCIbujm.exe
  C:\Windows\System\oCIbujm.exe
  2⤵
  PID:8524
- C:\Windows\System\XWHPaCB.exe
  C:\Windows\System\XWHPaCB.exe
  2⤵
  PID:8692
- C:\Windows\System\yCBsYVW.exe
  C:\Windows\System\yCBsYVW.exe
  2⤵
  PID:9236
- C:\Windows\System\fygZYGL.exe
  C:\Windows\System\fygZYGL.exe
  2⤵
  PID:9260
- C:\Windows\System\jyVjqHq.exe
  C:\Windows\System\jyVjqHq.exe
  2⤵
  PID:9288
- C:\Windows\System\wBMUCFM.exe
  C:\Windows\System\wBMUCFM.exe
  2⤵
  PID:9372
- C:\Windows\System\lJVpqeA.exe
  C:\Windows\System\lJVpqeA.exe
  2⤵
  PID:9408
- C:\Windows\System\ABBAoqh.exe
  C:\Windows\System\ABBAoqh.exe
  2⤵
  PID:9436
- C:\Windows\System\OwEoybf.exe
  C:\Windows\System\OwEoybf.exe
  2⤵
  PID:9492
- C:\Windows\System\zGOOTLy.exe
  C:\Windows\System\zGOOTLy.exe
  2⤵
  PID:9532
- C:\Windows\System\EyDMiXJ.exe
  C:\Windows\System\EyDMiXJ.exe
  2⤵
  PID:9548
- C:\Windows\System\MJXUMOy.exe
  C:\Windows\System\MJXUMOy.exe
  2⤵
  PID:9596
- C:\Windows\System\yVeeBNJ.exe
  C:\Windows\System\yVeeBNJ.exe
  2⤵
  PID:9616
- C:\Windows\System\SjOAJoe.exe
  C:\Windows\System\SjOAJoe.exe
  2⤵
  PID:9660
- C:\Windows\System\vMqKjVI.exe
  C:\Windows\System\vMqKjVI.exe
  2⤵
  PID:9708
- C:\Windows\System\JYjchcb.exe
  C:\Windows\System\JYjchcb.exe
  2⤵
  PID:9728
- C:\Windows\System\AoFdtnt.exe
  C:\Windows\System\AoFdtnt.exe
  2⤵
  PID:9760
- C:\Windows\System\ossDioK.exe
  C:\Windows\System\ossDioK.exe
  2⤵
  PID:9788
- C:\Windows\System\UZnaPtU.exe
  C:\Windows\System\UZnaPtU.exe
  2⤵
  PID:9812
- C:\Windows\System\XdbjrrQ.exe
  C:\Windows\System\XdbjrrQ.exe
  2⤵
  PID:9832
- C:\Windows\System\byLXdGq.exe
  C:\Windows\System\byLXdGq.exe
  2⤵
  PID:9856
- C:\Windows\System\cDczbJa.exe
  C:\Windows\System\cDczbJa.exe
  2⤵
  PID:9876
- C:\Windows\System\eAKjAMF.exe
  C:\Windows\System\eAKjAMF.exe
  2⤵
  PID:9920
- C:\Windows\System\mxylYWJ.exe
  C:\Windows\System\mxylYWJ.exe
  2⤵
  PID:9936
- C:\Windows\System\neGxshi.exe
  C:\Windows\System\neGxshi.exe
  2⤵
  PID:9984
- C:\Windows\System\TInkhpZ.exe
  C:\Windows\System\TInkhpZ.exe
  2⤵
  PID:10012
- C:\Windows\System\eeMLZRF.exe
  C:\Windows\System\eeMLZRF.exe
  2⤵
  PID:10040
- C:\Windows\System\HFmeyyv.exe
  C:\Windows\System\HFmeyyv.exe
  2⤵
  PID:10064
- C:\Windows\System\NBtRQmG.exe
  C:\Windows\System\NBtRQmG.exe
  2⤵
  PID:10080
- C:\Windows\System\DwekLgc.exe
  C:\Windows\System\DwekLgc.exe
  2⤵
  PID:10100
- C:\Windows\System\wGNCkAN.exe
  C:\Windows\System\wGNCkAN.exe
  2⤵
  PID:10124
- C:\Windows\System\bTAPWpK.exe
  C:\Windows\System\bTAPWpK.exe
  2⤵
  PID:10180
- C:\Windows\System\AsZBhDE.exe
  C:\Windows\System\AsZBhDE.exe
  2⤵
  PID:10216
- C:\Windows\System\eSDtTJK.exe
  C:\Windows\System\eSDtTJK.exe
  2⤵
  PID:9244
- C:\Windows\System\OAnQjOj.exe
  C:\Windows\System\OAnQjOj.exe
  2⤵
  PID:9284
- C:\Windows\System\aRgJCsO.exe
  C:\Windows\System\aRgJCsO.exe
  2⤵
  PID:9320
- C:\Windows\System\InwJyOs.exe
  C:\Windows\System\InwJyOs.exe
  2⤵
  PID:9300
- C:\Windows\System\FpetzJf.exe
  C:\Windows\System\FpetzJf.exe
  2⤵
  PID:9500
- C:\Windows\System\VBEaJny.exe
  C:\Windows\System\VBEaJny.exe
  2⤵
  PID:9340
- C:\Windows\System\EdXDbui.exe
  C:\Windows\System\EdXDbui.exe
  2⤵
  PID:9576
- C:\Windows\System\ZSgyyPn.exe
  C:\Windows\System\ZSgyyPn.exe
  2⤵
  PID:9460
- C:\Windows\System\OTKKLvX.exe
  C:\Windows\System\OTKKLvX.exe
  2⤵
  PID:9488
- C:\Windows\System\lVZBfXR.exe
  C:\Windows\System\lVZBfXR.exe
  2⤵
  PID:9652
- C:\Windows\System\IyZZhPk.exe
  C:\Windows\System\IyZZhPk.exe
  2⤵
  PID:9692
- C:\Windows\System\wXgYypG.exe
  C:\Windows\System\wXgYypG.exe
  2⤵
  PID:9784
- C:\Windows\System\wtpCtdN.exe
  C:\Windows\System\wtpCtdN.exe
  2⤵
  PID:9868
- C:\Windows\System\EnHNnvU.exe
  C:\Windows\System\EnHNnvU.exe
  2⤵
  PID:9960
- C:\Windows\System\eAPGAQs.exe
  C:\Windows\System\eAPGAQs.exe
  2⤵
  PID:9948
- C:\Windows\System\SsHBiMa.exe
  C:\Windows\System\SsHBiMa.exe
  2⤵
  PID:10028
- C:\Windows\System\bydvZPg.exe
  C:\Windows\System\bydvZPg.exe
  2⤵
  PID:10048
- C:\Windows\System\JwuTPxK.exe
  C:\Windows\System\JwuTPxK.exe
  2⤵
  PID:10152
- C:\Windows\System\xvLsKwg.exe
  C:\Windows\System\xvLsKwg.exe
  2⤵
  PID:10164
- C:\Windows\System\rOiUnBN.exe
  C:\Windows\System\rOiUnBN.exe
  2⤵
  PID:10204
- C:\Windows\System\MRThKNs.exe
  C:\Windows\System\MRThKNs.exe
  2⤵
  PID:9256
- C:\Windows\System\XUQyTBz.exe
  C:\Windows\System\XUQyTBz.exe
  2⤵
  PID:9392
- C:\Windows\System\KzYCbOP.exe
  C:\Windows\System\KzYCbOP.exe
  2⤵
  PID:9468
- C:\Windows\System\rLmQYKj.exe
  C:\Windows\System\rLmQYKj.exe
  2⤵
  PID:9480
- C:\Windows\System\nWxdyZB.exe
  C:\Windows\System\nWxdyZB.exe
  2⤵
  PID:9636
- C:\Windows\System\EzUxDas.exe
  C:\Windows\System\EzUxDas.exe
  2⤵
  PID:9800
- C:\Windows\System\JwMOuZH.exe
  C:\Windows\System\JwMOuZH.exe
  2⤵
  PID:9904
- C:\Windows\System\ivGvvAM.exe
  C:\Windows\System\ivGvvAM.exe
  2⤵
  PID:10000
- C:\Windows\System\buhgcHY.exe
  C:\Windows\System\buhgcHY.exe
  2⤵
  PID:9448
- C:\Windows\System\hjOKvxC.exe
  C:\Windows\System\hjOKvxC.exe
  2⤵
  PID:9768
- C:\Windows\System\aTdTaqO.exe
  C:\Windows\System\aTdTaqO.exe
  2⤵
  PID:10264
- C:\Windows\System\ZPQXztu.exe
  C:\Windows\System\ZPQXztu.exe
  2⤵
  PID:10284
- C:\Windows\System\LwfmwGZ.exe
  C:\Windows\System\LwfmwGZ.exe
  2⤵
  PID:10304
- C:\Windows\System\qAHUEBd.exe
  C:\Windows\System\qAHUEBd.exe
  2⤵
  PID:10344
- C:\Windows\System\zwFkotF.exe
  C:\Windows\System\zwFkotF.exe
  2⤵
  PID:10364
- C:\Windows\System\aBmFlco.exe
  C:\Windows\System\aBmFlco.exe
  2⤵
  PID:10392
- C:\Windows\System\mQxaLMq.exe
  C:\Windows\System\mQxaLMq.exe
  2⤵
  PID:10416
- C:\Windows\System\QOqrCLM.exe
  C:\Windows\System\QOqrCLM.exe
  2⤵
  PID:10436
- C:\Windows\System\WbVvXpF.exe
  C:\Windows\System\WbVvXpF.exe
  2⤵
  PID:10480
- C:\Windows\System\MqTexsn.exe
  C:\Windows\System\MqTexsn.exe
  2⤵
  PID:10520
- C:\Windows\System\GPNADgR.exe
  C:\Windows\System\GPNADgR.exe
  2⤵
  PID:10544
- C:\Windows\System\ChPVDyn.exe
  C:\Windows\System\ChPVDyn.exe
  2⤵
  PID:10576
- C:\Windows\System\yoJWNML.exe
  C:\Windows\System\yoJWNML.exe
  2⤵
  PID:10620
- C:\Windows\System\blsmREd.exe
  C:\Windows\System\blsmREd.exe
  2⤵
  PID:10648
- C:\Windows\System\AKUHthy.exe
  C:\Windows\System\AKUHthy.exe
  2⤵
  PID:10664
- C:\Windows\System\iZmYmho.exe
  C:\Windows\System\iZmYmho.exe
  2⤵
  PID:10696
- C:\Windows\System\hTHtvgV.exe
  C:\Windows\System\hTHtvgV.exe
  2⤵
  PID:10728
- C:\Windows\System\oljnJle.exe
  C:\Windows\System\oljnJle.exe
  2⤵
  PID:10816
- C:\Windows\System\Njpsblk.exe
  C:\Windows\System\Njpsblk.exe
  2⤵
  PID:10852
- C:\Windows\System\RpoELEA.exe
  C:\Windows\System\RpoELEA.exe
  2⤵
  PID:10872
- C:\Windows\System\CpFZEIC.exe
  C:\Windows\System\CpFZEIC.exe
  2⤵
  PID:10900
- C:\Windows\System\TdjJvLJ.exe
  C:\Windows\System\TdjJvLJ.exe
  2⤵
  PID:10924
- C:\Windows\System\glNNwjr.exe
  C:\Windows\System\glNNwjr.exe
  2⤵
  PID:10944
- C:\Windows\System\BhOWDOu.exe
  C:\Windows\System\BhOWDOu.exe
  2⤵
  PID:10968
- C:\Windows\System\iGjIpsp.exe
  C:\Windows\System\iGjIpsp.exe
  2⤵
  PID:10988
- C:\Windows\System\ZPuMdPu.exe
  C:\Windows\System\ZPuMdPu.exe
  2⤵
  PID:11008
- C:\Windows\System\CtkyYXl.exe
  C:\Windows\System\CtkyYXl.exe
  2⤵
  PID:11064
- C:\Windows\System\BPdUDTG.exe
  C:\Windows\System\BPdUDTG.exe
  2⤵
  PID:11084
- C:\Windows\System\pzfQKQx.exe
  C:\Windows\System\pzfQKQx.exe
  2⤵
  PID:11104
- C:\Windows\System\xPkoSYZ.exe
  C:\Windows\System\xPkoSYZ.exe
  2⤵
  PID:11128
- C:\Windows\System\aNPeSfd.exe
  C:\Windows\System\aNPeSfd.exe
  2⤵
  PID:11148
- C:\Windows\System\sEQJDFS.exe
  C:\Windows\System\sEQJDFS.exe
  2⤵
  PID:11188
- C:\Windows\System\LshHmmk.exe
  C:\Windows\System\LshHmmk.exe
  2⤵
  PID:11212
- C:\Windows\System\fbCrVAP.exe
  C:\Windows\System\fbCrVAP.exe
  2⤵
  PID:11236
- C:\Windows\System\yHQNSIA.exe
  C:\Windows\System\yHQNSIA.exe
  2⤵
  PID:9484
- C:\Windows\System\GwRjcZr.exe
  C:\Windows\System\GwRjcZr.exe
  2⤵
  PID:9932
- C:\Windows\System\aNKpTPS.exe
  C:\Windows\System\aNKpTPS.exe
  2⤵
  PID:10248
- C:\Windows\System\eLFKxcy.exe
  C:\Windows\System\eLFKxcy.exe
  2⤵
  PID:10460
- C:\Windows\System\hsZtXEA.exe
  C:\Windows\System\hsZtXEA.exe
  2⤵
  PID:10360
- C:\Windows\System\KuhERWR.exe
  C:\Windows\System\KuhERWR.exe
  2⤵
  PID:10432
- C:\Windows\System\ljbqYXX.exe
  C:\Windows\System\ljbqYXX.exe
  2⤵
  PID:10516
- C:\Windows\System\rVjUynU.exe
  C:\Windows\System\rVjUynU.exe
  2⤵
  PID:10656
- C:\Windows\System\TAruDem.exe
  C:\Windows\System\TAruDem.exe
  2⤵
  PID:10692
- C:\Windows\System\Dbcsefm.exe
  C:\Windows\System\Dbcsefm.exe
  2⤵
  PID:10776
- C:\Windows\System\oVTeGLJ.exe
  C:\Windows\System\oVTeGLJ.exe
  2⤵
  PID:10744
- C:\Windows\System\KNDJPvM.exe
  C:\Windows\System\KNDJPvM.exe
  2⤵
  PID:10836
- C:\Windows\System\yKbsxJG.exe
  C:\Windows\System\yKbsxJG.exe
  2⤵
  PID:10892
- C:\Windows\System\oagjUzF.exe
  C:\Windows\System\oagjUzF.exe
  2⤵
  PID:10920
- C:\Windows\System\UXpOkzJ.exe
  C:\Windows\System\UXpOkzJ.exe
  2⤵
  PID:10960
- C:\Windows\System\dtLtYbZ.exe
  C:\Windows\System\dtLtYbZ.exe
  2⤵
  PID:11056
- C:\Windows\System\QDzhcHg.exe
  C:\Windows\System\QDzhcHg.exe
  2⤵
  PID:11096
- C:\Windows\System\GlrWjSw.exe
  C:\Windows\System\GlrWjSw.exe
  2⤵
  PID:11196
- C:\Windows\System\ACCLFFA.exe
  C:\Windows\System\ACCLFFA.exe
  2⤵
  PID:11184
- C:\Windows\System\utJZNnM.exe
  C:\Windows\System\utJZNnM.exe
  2⤵
  PID:10120
- C:\Windows\System\tDaplID.exe
  C:\Windows\System\tDaplID.exe
  2⤵
  PID:10172
- C:\Windows\System\BNbUWHv.exe
  C:\Windows\System\BNbUWHv.exe
  2⤵
  PID:10492
- C:\Windows\System\uNJddrg.exe
  C:\Windows\System\uNJddrg.exe
  2⤵
  PID:10848
- C:\Windows\System\IaGXNGM.exe
  C:\Windows\System\IaGXNGM.exe
  2⤵
  PID:10916
- C:\Windows\System\ojlWcvJ.exe
  C:\Windows\System\ojlWcvJ.exe
  2⤵
  PID:11044
- C:\Windows\System\EkaEDhk.exe
  C:\Windows\System\EkaEDhk.exe
  2⤵
  PID:9432
- C:\Windows\System\GaoIGAZ.exe
  C:\Windows\System\GaoIGAZ.exe
  2⤵
  PID:11228
- C:\Windows\System\LrfMqxG.exe
  C:\Windows\System\LrfMqxG.exe
  2⤵
  PID:10384
- C:\Windows\System\hALpAlP.exe
  C:\Windows\System\hALpAlP.exe
  2⤵
  PID:11276
- C:\Windows\System\hXbuoGq.exe
  C:\Windows\System\hXbuoGq.exe
  2⤵
  PID:11396
- C:\Windows\System\wrFpNXU.exe
  C:\Windows\System\wrFpNXU.exe
  2⤵
  PID:11440
- C:\Windows\System\VqMWyft.exe
  C:\Windows\System\VqMWyft.exe
  2⤵
  PID:11464
- C:\Windows\System\THeHlFB.exe
  C:\Windows\System\THeHlFB.exe
  2⤵
  PID:11488
- C:\Windows\System\mtdciex.exe
  C:\Windows\System\mtdciex.exe
  2⤵
  PID:11516
- C:\Windows\System\ATsQODz.exe
  C:\Windows\System\ATsQODz.exe
  2⤵
  PID:11540
- C:\Windows\System\zGCcYkS.exe
  C:\Windows\System\zGCcYkS.exe
  2⤵
  PID:11564
- C:\Windows\System\HPOcEwS.exe
  C:\Windows\System\HPOcEwS.exe
  2⤵
  PID:11584
- C:\Windows\System\QodwSIz.exe
  C:\Windows\System\QodwSIz.exe
  2⤵
  PID:11624
- C:\Windows\System\GGZpAQg.exe
  C:\Windows\System\GGZpAQg.exe
  2⤵
  PID:11660
- C:\Windows\System\WqWDJmu.exe
  C:\Windows\System\WqWDJmu.exe
  2⤵
  PID:11680
- C:\Windows\System\FaCCaEl.exe
  C:\Windows\System\FaCCaEl.exe
  2⤵
  PID:11708
- C:\Windows\System\GyUShWv.exe
  C:\Windows\System\GyUShWv.exe
  2⤵
  PID:11736
- C:\Windows\System\eUWldZg.exe
  C:\Windows\System\eUWldZg.exe
  2⤵
  PID:11776
- C:\Windows\System\ddhUcag.exe
  C:\Windows\System\ddhUcag.exe
  2⤵
  PID:11796
- C:\Windows\System\qwLhafl.exe
  C:\Windows\System\qwLhafl.exe
  2⤵
  PID:11836
- C:\Windows\System\CHJnMcc.exe
  C:\Windows\System\CHJnMcc.exe
  2⤵
  PID:11852
- C:\Windows\System\lKDTiDt.exe
  C:\Windows\System\lKDTiDt.exe
  2⤵
  PID:11872
- C:\Windows\System\cYYIqhI.exe
  C:\Windows\System\cYYIqhI.exe
  2⤵
  PID:11916
- C:\Windows\System\PCfSAwm.exe
  C:\Windows\System\PCfSAwm.exe
  2⤵
  PID:11936
- C:\Windows\System\pzyLsPC.exe
  C:\Windows\System\pzyLsPC.exe
  2⤵
  PID:11964
- C:\Windows\System\eeGldhY.exe
  C:\Windows\System\eeGldhY.exe
  2⤵
  PID:11988
- C:\Windows\System\wUdtEKs.exe
  C:\Windows\System\wUdtEKs.exe
  2⤵
  PID:12012
- C:\Windows\System\HaKTKWR.exe
  C:\Windows\System\HaKTKWR.exe
  2⤵
  PID:12056
- C:\Windows\System\Sigvhym.exe
  C:\Windows\System\Sigvhym.exe
  2⤵
  PID:12076
- C:\Windows\System\eRYbXzj.exe
  C:\Windows\System\eRYbXzj.exe
  2⤵
  PID:12108
- C:\Windows\System\FTSmqZd.exe
  C:\Windows\System\FTSmqZd.exe
  2⤵
  PID:12140
- C:\Windows\System\qjMdGSt.exe
  C:\Windows\System\qjMdGSt.exe
  2⤵
  PID:12156
- C:\Windows\System\TvlhlDF.exe
  C:\Windows\System\TvlhlDF.exe
  2⤵
  PID:12180
- C:\Windows\System\hquMBFn.exe
  C:\Windows\System\hquMBFn.exe
  2⤵
  PID:12208
- C:\Windows\System\jFmyDYh.exe
  C:\Windows\System\jFmyDYh.exe
  2⤵
  PID:12236
- C:\Windows\System\MkBmXfN.exe
  C:\Windows\System\MkBmXfN.exe
  2⤵
  PID:10984
- C:\Windows\System\pKOSiYY.exe
  C:\Windows\System\pKOSiYY.exe
  2⤵
  PID:10640
- C:\Windows\System\iXgSkfF.exe
  C:\Windows\System\iXgSkfF.exe
  2⤵
  PID:11392
- C:\Windows\System\QuoEGbU.exe
  C:\Windows\System\QuoEGbU.exe
  2⤵
  PID:11448
- C:\Windows\System\rQIXByC.exe
  C:\Windows\System\rQIXByC.exe
  2⤵
  PID:11500
- C:\Windows\System\lmXvGlp.exe
  C:\Windows\System\lmXvGlp.exe
  2⤵
  PID:11292
- C:\Windows\System\zaeePce.exe
  C:\Windows\System\zaeePce.exe
  2⤵
  PID:11548
- C:\Windows\System\JAvUHJE.exe
  C:\Windows\System\JAvUHJE.exe
  2⤵
  PID:11288
- C:\Windows\System\YFUkLZT.exe
  C:\Windows\System\YFUkLZT.exe
  2⤵
  PID:11616
- C:\Windows\System\tAHHcsF.exe
  C:\Windows\System\tAHHcsF.exe
  2⤵
  PID:11676
- C:\Windows\System\NYLkREn.exe
  C:\Windows\System\NYLkREn.exe
  2⤵
  PID:11304
- C:\Windows\System\dDmlvPI.exe
  C:\Windows\System\dDmlvPI.exe
  2⤵
  PID:11812
- C:\Windows\System\hbLUaHN.exe
  C:\Windows\System\hbLUaHN.exe
  2⤵
  PID:11824
- C:\Windows\System\JbiPjXW.exe
  C:\Windows\System\JbiPjXW.exe
  2⤵
  PID:11892
- C:\Windows\System\mFjwyla.exe
  C:\Windows\System\mFjwyla.exe
  2⤵
  PID:11868
- C:\Windows\System\poZoAQC.exe
  C:\Windows\System\poZoAQC.exe
  2⤵
  PID:11956
- C:\Windows\System\jhGyjJO.exe
  C:\Windows\System\jhGyjJO.exe
  2⤵
  PID:12008
- C:\Windows\System\szwTUVz.exe
  C:\Windows\System\szwTUVz.exe
  2⤵
  PID:12032
- C:\Windows\System\pNfpiIM.exe
  C:\Windows\System\pNfpiIM.exe
  2⤵
  PID:11116
- C:\Windows\System\KTvgozD.exe
  C:\Windows\System\KTvgozD.exe
  2⤵
  PID:12200
- C:\Windows\System\voSQHNc.exe
  C:\Windows\System\voSQHNc.exe
  2⤵
  PID:12272
- C:\Windows\System\VpwQJEH.exe
  C:\Windows\System\VpwQJEH.exe
  2⤵
  PID:10312
- C:\Windows\System\lhInXpt.exe
  C:\Windows\System\lhInXpt.exe
  2⤵
  PID:11508
- C:\Windows\System\dVicRQf.exe
  C:\Windows\System\dVicRQf.exe
  2⤵
  PID:11636
- C:\Windows\System\eXNIWXF.exe
  C:\Windows\System\eXNIWXF.exe
  2⤵
  PID:11332
- C:\Windows\System\ICQrYoo.exe
  C:\Windows\System\ICQrYoo.exe
  2⤵
  PID:11848
- C:\Windows\System\tOdIjVv.exe
  C:\Windows\System\tOdIjVv.exe
  2⤵
  PID:12036
- C:\Windows\System\dnqtzKY.exe
  C:\Windows\System\dnqtzKY.exe
  2⤵
  PID:11948
- C:\Windows\System\fkcwFkp.exe
  C:\Windows\System\fkcwFkp.exe
  2⤵
  PID:12176
- C:\Windows\System\UDNvowi.exe
  C:\Windows\System\UDNvowi.exe
  2⤵
  PID:12192
- C:\Windows\System\EZjbEer.exe
  C:\Windows\System\EZjbEer.exe
  2⤵
  PID:11532
- C:\Windows\System\ZsaqslL.exe
  C:\Windows\System\ZsaqslL.exe
  2⤵
  PID:12248
- C:\Windows\System\Xtsetjc.exe
  C:\Windows\System\Xtsetjc.exe
  2⤵
  PID:11908
- C:\Windows\System\nLajIQa.exe
  C:\Windows\System\nLajIQa.exe
  2⤵
  PID:12264
- C:\Windows\System\RRdGBYz.exe
  C:\Windows\System\RRdGBYz.exe
  2⤵
  PID:12328
- C:\Windows\System\cbIdKJx.exe
  C:\Windows\System\cbIdKJx.exe
  2⤵
  PID:12348
- C:\Windows\System\tzzChON.exe
  C:\Windows\System\tzzChON.exe
  2⤵
  PID:12380
- C:\Windows\System\oUXfhUg.exe
  C:\Windows\System\oUXfhUg.exe
  2⤵
  PID:12400
- C:\Windows\System\WfpCMnd.exe
  C:\Windows\System\WfpCMnd.exe
  2⤵
  PID:12424
- C:\Windows\System\hGEBhaw.exe
  C:\Windows\System\hGEBhaw.exe
  2⤵
  PID:12444
- C:\Windows\System\brHSnxc.exe
  C:\Windows\System\brHSnxc.exe
  2⤵
  PID:12488
- C:\Windows\System\iOLSsWb.exe
  C:\Windows\System\iOLSsWb.exe
  2⤵
  PID:12516
- C:\Windows\System\ilZXWvk.exe
  C:\Windows\System\ilZXWvk.exe
  2⤵
  PID:12544
- C:\Windows\System\cBBEPpj.exe
  C:\Windows\System\cBBEPpj.exe
  2⤵
  PID:12568
- C:\Windows\System\OUdjJTQ.exe
  C:\Windows\System\OUdjJTQ.exe
  2⤵
  PID:12608
- C:\Windows\System\quUyAvi.exe
  C:\Windows\System\quUyAvi.exe
  2⤵
  PID:12636
- C:\Windows\System\akRDEUV.exe
  C:\Windows\System\akRDEUV.exe
  2⤵
  PID:12660
- C:\Windows\System\gxnIyqk.exe
  C:\Windows\System\gxnIyqk.exe
  2⤵
  PID:12688
- C:\Windows\System\OsBOhJZ.exe
  C:\Windows\System\OsBOhJZ.exe
  2⤵
  PID:12720
- C:\Windows\System\fyFYmJc.exe
  C:\Windows\System\fyFYmJc.exe
  2⤵
  PID:12748
- C:\Windows\System\gTbAXkX.exe
  C:\Windows\System\gTbAXkX.exe
  2⤵
  PID:12768
- C:\Windows\System\zyGMElh.exe
  C:\Windows\System\zyGMElh.exe
  2⤵
  PID:12788
- C:\Windows\System\LNYqgyI.exe
  C:\Windows\System\LNYqgyI.exe
  2⤵
  PID:12812
- C:\Windows\System\wInVOrr.exe
  C:\Windows\System\wInVOrr.exe
  2⤵
  PID:12836
- C:\Windows\System\EfYyMce.exe
  C:\Windows\System\EfYyMce.exe
  2⤵
  PID:12864
- C:\Windows\System\uMlWcMz.exe
  C:\Windows\System\uMlWcMz.exe
  2⤵
  PID:12896
- C:\Windows\System\NZgYlmm.exe
  C:\Windows\System\NZgYlmm.exe
  2⤵
  PID:12924
- C:\Windows\System\XzEBuwr.exe
  C:\Windows\System\XzEBuwr.exe
  2⤵
  PID:12956
- C:\Windows\System\oUVyuPf.exe
  C:\Windows\System\oUVyuPf.exe
  2⤵
  PID:12984
- C:\Windows\System\FOiUVnd.exe
  C:\Windows\System\FOiUVnd.exe
  2⤵
  PID:13012
- C:\Windows\System\jVFKntl.exe
  C:\Windows\System\jVFKntl.exe
  2⤵
  PID:13036
- C:\Windows\System\sKyZxKC.exe
  C:\Windows\System\sKyZxKC.exe
  2⤵
  PID:13052
- C:\Windows\System\FxbqDEB.exe
  C:\Windows\System\FxbqDEB.exe
  2⤵
  PID:13072
- C:\Windows\System\JAONyHl.exe
  C:\Windows\System\JAONyHl.exe
  2⤵
  PID:13092
- C:\Windows\System\lGWDZkf.exe
  C:\Windows\System\lGWDZkf.exe
  2⤵
  PID:13108
- C:\Windows\System\IpmcTyW.exe
  C:\Windows\System\IpmcTyW.exe
  2⤵
  PID:13140
- C:\Windows\System\ZRWpWsX.exe
  C:\Windows\System\ZRWpWsX.exe
  2⤵
  PID:13156
- C:\Windows\System\ZmqIhms.exe
  C:\Windows\System\ZmqIhms.exe
  2⤵
  PID:13176
- C:\Windows\System\qWvKfPk.exe
  C:\Windows\System\qWvKfPk.exe
  2⤵
  PID:13196
- C:\Windows\System\LnCqCBV.exe
  C:\Windows\System\LnCqCBV.exe
  2⤵
  PID:13220
- C:\Windows\System\mgUIign.exe
  C:\Windows\System\mgUIign.exe
  2⤵
  PID:13240
- C:\Windows\System\mZwAgYO.exe
  C:\Windows\System\mZwAgYO.exe
  2⤵
  PID:13304
- C:\Windows\System\VlEMxxQ.exe
  C:\Windows\System\VlEMxxQ.exe
  2⤵
  PID:11220
- C:\Windows\System\FTEQGEV.exe
  C:\Windows\System\FTEQGEV.exe
  2⤵
  PID:12336
- C:\Windows\System\kYDlHOQ.exe
  C:\Windows\System\kYDlHOQ.exe
  2⤵
  PID:12432
- C:\Windows\System\yUlCNoq.exe
  C:\Windows\System\yUlCNoq.exe
  2⤵
  PID:12480
- C:\Windows\System\Rqejrjx.exe
  C:\Windows\System\Rqejrjx.exe
  2⤵
  PID:12500
- C:\Windows\System\yHhlBYQ.exe
  C:\Windows\System\yHhlBYQ.exe
  2⤵
  PID:12540
- C:\Windows\System\tZYRpuX.exe
  C:\Windows\System\tZYRpuX.exe
  2⤵
  PID:12680
- C:\Windows\System\obUEfwf.exe
  C:\Windows\System\obUEfwf.exe
  2⤵
  PID:12708
- C:\Windows\System\rCZjCVT.exe
  C:\Windows\System\rCZjCVT.exe
  2⤵
  PID:12796
- C:\Windows\System\CMhdjSd.exe
  C:\Windows\System\CMhdjSd.exe
  2⤵
  PID:12912
- C:\Windows\System\JZtYBMt.exe
  C:\Windows\System\JZtYBMt.exe
  2⤵
  PID:12976
- C:\Windows\System\aNrKBrD.exe
  C:\Windows\System\aNrKBrD.exe
  2⤵
  PID:13032
- C:\Windows\System\fCcAkOE.exe
  C:\Windows\System\fCcAkOE.exe
  2⤵
  PID:13080
- C:\Windows\System\YLuyXaJ.exe
  C:\Windows\System\YLuyXaJ.exe
  2⤵
  PID:13148
- C:\Windows\System\jpflQfZ.exe
  C:\Windows\System\jpflQfZ.exe
  2⤵
  PID:13168
- C:\Windows\System\yNmwpvu.exe
  C:\Windows\System\yNmwpvu.exe
  2⤵
  PID:13216
- C:\Windows\System\xmdTEPM.exe
  C:\Windows\System\xmdTEPM.exe
  2⤵
  PID:12412
- C:\Windows\System\sozsQcN.exe
  C:\Windows\System\sozsQcN.exe
  2⤵
  PID:12416
- C:\Windows\System\LiWKLbA.exe
  C:\Windows\System\LiWKLbA.exe
  2⤵
  PID:12696
- C:\Windows\System\wfWDGvJ.exe
  C:\Windows\System\wfWDGvJ.exe
  2⤵
  PID:12704
- C:\Windows\System\OXQbSYu.exe
  C:\Windows\System\OXQbSYu.exe
  2⤵
  PID:12828
- C:\Windows\System\jhkdCNa.exe
  C:\Windows\System\jhkdCNa.exe
  2⤵
  PID:2492
- C:\Windows\System\MJfjeKl.exe
  C:\Windows\System\MJfjeKl.exe
  2⤵
  PID:13256
- C:\Windows\System\sVrGqzZ.exe
  C:\Windows\System\sVrGqzZ.exe
  2⤵
  PID:12744
- C:\Windows\System\oICmnuD.exe
  C:\Windows\System\oICmnuD.exe
  2⤵
  PID:13104
- C:\Windows\System\LQjPniW.exe
  C:\Windows\System\LQjPniW.exe
  2⤵
  PID:12632
- C:\Windows\System\JyVrDuR.exe
  C:\Windows\System\JyVrDuR.exe
  2⤵
  PID:13324
- C:\Windows\System\mbITPJw.exe
  C:\Windows\System\mbITPJw.exe
  2⤵
  PID:13356
- C:\Windows\System\ZzqeBlt.exe
  C:\Windows\System\ZzqeBlt.exe
  2⤵
  PID:13380
- C:\Windows\System\ieKiNnO.exe
  C:\Windows\System\ieKiNnO.exe
  2⤵
  PID:13404
- C:\Windows\System\BrEldWL.exe
  C:\Windows\System\BrEldWL.exe
  2⤵
  PID:13424
- C:\Windows\System\gEAgyrW.exe
  C:\Windows\System\gEAgyrW.exe
  2⤵
  PID:13460
- C:\Windows\System\jXJvMeg.exe
  C:\Windows\System\jXJvMeg.exe
  2⤵
  PID:13476
- C:\Windows\System\ctGBuYT.exe
  C:\Windows\System\ctGBuYT.exe
  2⤵
  PID:13500
- C:\Windows\System\pipEVAT.exe
  C:\Windows\System\pipEVAT.exe
  2⤵
  PID:13544
- C:\Windows\System\QbwdpoW.exe
  C:\Windows\System\QbwdpoW.exe
  2⤵
  PID:13584
- C:\Windows\System\Qsihakv.exe
  C:\Windows\System\Qsihakv.exe
  2⤵
  PID:13612
- C:\Windows\System\QtFydcT.exe
  C:\Windows\System\QtFydcT.exe
  2⤵
  PID:13636
- C:\Windows\System\Ihtaveu.exe
  C:\Windows\System\Ihtaveu.exe
  2⤵
  PID:13652
- C:\Windows\System\FjXRblY.exe
  C:\Windows\System\FjXRblY.exe
  2⤵
  PID:13696
- C:\Windows\System\lLIQcQA.exe
  C:\Windows\System\lLIQcQA.exe
  2⤵
  PID:13724
- C:\Windows\System\CRcTvpE.exe
  C:\Windows\System\CRcTvpE.exe
  2⤵
  PID:13748
- C:\Windows\System\GvMtgNr.exe
  C:\Windows\System\GvMtgNr.exe
  2⤵
  PID:13764
- C:\Windows\System\QzgdLRY.exe
  C:\Windows\System\QzgdLRY.exe
  2⤵
  PID:13792
- C:\Windows\System\fWOPfay.exe
  C:\Windows\System\fWOPfay.exe
  2⤵
  PID:13812
- C:\Windows\System\ygxbhcZ.exe
  C:\Windows\System\ygxbhcZ.exe
  2⤵
  PID:13852
- C:\Windows\System\yKhtXaJ.exe
  C:\Windows\System\yKhtXaJ.exe
  2⤵
  PID:13880
- C:\Windows\System\VpwOcUa.exe
  C:\Windows\System\VpwOcUa.exe
  2⤵
  PID:13900
- C:\Windows\System\ajlJiyw.exe
  C:\Windows\System\ajlJiyw.exe
  2⤵
  PID:13920
- C:\Windows\System\WdWpDxU.exe
  C:\Windows\System\WdWpDxU.exe
  2⤵
  PID:13968
- C:\Windows\System\qYOpyvi.exe
  C:\Windows\System\qYOpyvi.exe
  2⤵
  PID:13996
- C:\Windows\System\YXuSQzA.exe
  C:\Windows\System\YXuSQzA.exe
  2⤵
  PID:14020
- C:\Windows\System\hLBknui.exe
  C:\Windows\System\hLBknui.exe
  2⤵
  PID:14044
- C:\Windows\System\JXjFdbR.exe
  C:\Windows\System\JXjFdbR.exe
  2⤵
  PID:14084
- C:\Windows\System\fBOaFGU.exe
  C:\Windows\System\fBOaFGU.exe
  2⤵
  PID:14108
- C:\Windows\System\tzAJFZF.exe
  C:\Windows\System\tzAJFZF.exe
  2⤵
  PID:14132
- C:\Windows\System\aTgjrpE.exe
  C:\Windows\System\aTgjrpE.exe
  2⤵
  PID:14180
- C:\Windows\System\swdkkLQ.exe
  C:\Windows\System\swdkkLQ.exe
  2⤵
  PID:14200
- C:\Windows\System\jpovGrQ.exe
  C:\Windows\System\jpovGrQ.exe
  2⤵
  PID:14220
- C:\Windows\System\QqoNZKl.exe
  C:\Windows\System\QqoNZKl.exe
  2⤵
  PID:14280
- C:\Windows\System\ysDrXyi.exe
  C:\Windows\System\ysDrXyi.exe
  2⤵
  PID:14300
- C:\Windows\System\YiccOaT.exe
  C:\Windows\System\YiccOaT.exe
  2⤵
  PID:12464
- C:\Windows\System\iiRBEyT.exe
  C:\Windows\System\iiRBEyT.exe
  2⤵
  PID:13368
- C:\Windows\System\fXvtEis.exe
  C:\Windows\System\fXvtEis.exe
  2⤵
  PID:13392
- C:\Windows\System\egPXzTH.exe
  C:\Windows\System\egPXzTH.exe
  2⤵
  PID:13420
- C:\Windows\System\uOqWTzp.exe
  C:\Windows\System\uOqWTzp.exe
  2⤵
  PID:13484
- C:\Windows\System\nDnbzQc.exe
  C:\Windows\System\nDnbzQc.exe
  2⤵
  PID:13576
- C:\Windows\System\ePtiMdu.exe
  C:\Windows\System\ePtiMdu.exe
  2⤵
  PID:13624
- C:\Windows\System\JWSsMeo.exe
  C:\Windows\System\JWSsMeo.exe
  2⤵
  PID:13736
- C:\Windows\System\zdEHEKj.exe
  C:\Windows\System\zdEHEKj.exe
  2⤵
  PID:13808
- C:\Windows\System\ZjErHlR.exe
  C:\Windows\System\ZjErHlR.exe
  2⤵
  PID:13800
- C:\Windows\System\ZauCGeF.exe
  C:\Windows\System\ZauCGeF.exe
  2⤵
  PID:12712
- C:\Windows\System\GSHIqfr.exe
  C:\Windows\System\GSHIqfr.exe
  2⤵
  PID:13964
- C:\Windows\System\tpxlVNQ.exe
  C:\Windows\System\tpxlVNQ.exe
  2⤵
  PID:13912
- C:\Windows\System\dUripCE.exe
  C:\Windows\System\dUripCE.exe
  2⤵
  PID:14152
- C:\Windows\System\eZfgjQx.exe
  C:\Windows\System\eZfgjQx.exe
  2⤵
  PID:14188
- C:\Windows\System\AorblOJ.exe
  C:\Windows\System\AorblOJ.exe
  2⤵
  PID:14276
- C:\Windows\System\SALXzVJ.exe
  C:\Windows\System\SALXzVJ.exe
  2⤵
  PID:14316
- C:\Windows\System\aaNpMwu.exe
  C:\Windows\System\aaNpMwu.exe
  2⤵
  PID:13340
- C:\Windows\System\YOvGsIB.exe
  C:\Windows\System\YOvGsIB.exe
  2⤵
  PID:13604
- C:\Windows\System\sHYCLfq.exe
  C:\Windows\System\sHYCLfq.exe
  2⤵
  PID:13648
- C:\Windows\System\LSnkTBB.exe
  C:\Windows\System\LSnkTBB.exe
  2⤵
  PID:13892

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GRRwTnw.exe

Filesize
1.8MB

MD5
32a47b5ffeca2aea342dfe8291353c7a

SHA1
fab9bebf8cc4094063624ddcf5df5e0ccfed8766

SHA256
61bfd128380ce262afaca111f30049ce8129a78ef456a091131e017677541d5b

SHA512
1e781acf8fb5a63780f914c73f6783b6c792e33d9c5590b549f534f696636409815150c57514f92bad111f8ce235e6ce84a344af2960cff62e49c9b0df9bbcd6

Download Submit
C:\Windows\System\KIXRYFL.exe

Filesize
1.8MB

MD5
c2dc46b71f6137e20c379379f2f004a6

SHA1
77adfe855c515d61898872707be6535987be39a8

SHA256
a031c6f21dac7f2400f1348454f8cae2fac6e35f335dd6dc8fe75dba5e6d081b

SHA512
1ffc1f1c89b430fa17613b293bc7783a472c2e8cf102a9d44a5974b284eb0e05d650a6da33feeb6d9cf6b1b7330b433b82aca24ff5ba20e41af5a11311791398

Download Submit
C:\Windows\System\KtTbQQb.exe

Filesize
1.8MB

MD5
b99e45d211055ee9e332b805c690d033

SHA1
639e054b294f8207eb05335f6d811defa9b69665

SHA256
d560a840eb8671a46751328fe6839ccad76a2c0fbe3d28f03ae02f3f9bdb5b90

SHA512
4566c12c5d8604c3fa383ccffc1c4a82088966b836b5c23577893f251b3761f4adf3189a6eac68d60109f869b2acf3874158b35872d8907d230876119af5f838

Download Submit
C:\Windows\System\LgUvMZR.exe

Filesize
1.8MB

MD5
3de9c1559ca3e707d527fa22e2baf111

SHA1
6512ff78fecd841fb768859e17445223a9300248

SHA256
f9a52aa5adc20944ba09a1bc079b7b27bd88dd3a900d7c4ef1ee87de109da8c8

SHA512
653fc9a827053173995b6f8a7629d3e595645a46bc6cee5c6a2857916938119183e617635fd06121c0589d19021f8aedbf8803b44c89493b4d079ad13de0f0af

Download Submit
C:\Windows\System\MOlIsft.exe

Filesize
1.8MB

MD5
f62e2c956b908b3fc663e64605a7339d

SHA1
2b705da287d310a9079520bf6cc6e7d74f1e193b

SHA256
230d192c599713db4dcb976ecf26ac13e4e5b28bb872ed2a44546e8d7571821c

SHA512
053948c81a5c6d5aac836e283bd868281ab83cebc42e092d8730b542ba2a9856a62aa25b5edab2f57772e8a0bd0ade8529cc0c39011bc03c9dbaaf6d1fd9f7ac

Download Submit
C:\Windows\System\MlYhvRb.exe

Filesize
1.8MB

MD5
feaed75d6289f007298789836ec1704e

SHA1
01542e6b24b6fe3d2288a3d9dc0645b5175cfc5a

SHA256
4bc7ca0fb44c2aa50952bc6ce5dd971c6e2e1613621d322a58b1e52c5ee9d6b1

SHA512
e9021c126cdad26b0919f5d52c763368dd30c906fcededd419a5c12850cd9a46cabf1dedb47b2f54a13ab53113e36b7f32c6c90e61dd31f1ecf6338e7de6f786

Download Submit
C:\Windows\System\NtrZlJe.exe

Filesize
1.8MB

MD5
a9f93bfb85d7f07db643d51127fa5fe0

SHA1
42d7c6031b6bcd8ce7bc953b606334b6b3d0dd27

SHA256
6f4e6c548b710bcb59f37632e10c8ffd0a3618a369d7ccb7dfccf1731e395aaa

SHA512
c364cc035287c6882bc1ff2f867871e5577f21bad7a1d378447329249277106eafaf2e6a863feb2f265aad815849d4fdaffa39b05ce9cf2f191b69103375f48e

Download Submit
C:\Windows\System\PfdZrNy.exe

Filesize
1.8MB

MD5
6f35c7ffc53e4a87f1973a0d43d88c2b

SHA1
d9b12461f0df018af8e6f2ecb3d2a0b37d12b8b2

SHA256
43a175810dd11cd6819b794faf7d8cfde9ea31e75c6aedb6c46bfa46d654ce2c

SHA512
f7bce4c8e873f428aabdef930b3b5c8ed328c0450cf638a8fb05ee452d0eb9ed0068c96dbd9a024cc9f3dae52aa0293f20f99551a563d538b288bf97e9e86fb2

Download Submit
C:\Windows\System\QcMlBvC.exe

Filesize
1.8MB

MD5
36adf8fc6029b0a54bd09fa2cd90b3cb

SHA1
263ce446bf87f6828005a3554dda4e49fa16c040

SHA256
8b049f7b22422ecb3933efaea47c26a8c5f817ddd6bf9b0ab5bab3b22f37de65

SHA512
8a1cc932725a430d5bb1a9104e1ebe0644184e45e95d8e641384ee6de1674eb27b01f9771c24ee527ef5f8a74d0056e2fcfb03797052cbbf57f19a477268f45f

Download Submit
C:\Windows\System\RPmhgXr.exe

Filesize
1.8MB

MD5
80d0ab9ed2a31148b0301d5103165148

SHA1
217fee5696abad25881c9322bbf49e7e7429cd43

SHA256
ee4bacce59d2b5f7290cddcb9c780c85ff562711b7cc658d945314e4eaa81a59

SHA512
aa9fc94bedc2788f73d4a95cc06b6afa2274e4d67992ee279a6c35fe327900a2dc5ecf79764229aa634ff34e6f3330b5d9c8904a786b08b39ae2a52bd939de83

Download Submit
C:\Windows\System\RaepDpt.exe

Filesize
1.8MB

MD5
b2f268c347c2c093e8005ac44ede34c3

SHA1
a14e044a680b6b009a6e2f25580dfcf1d4fe3cea

SHA256
61546b4271686cec4c6080dc81d163e67056644adf6f2974b816e21599b05ad0

SHA512
21afe7e6173d7e282d47e48b52a12d8f962caf2f167d63a6fc216fc233bd20399aa90574cc70c1ee3c76a17c7cc3e5c48b1927693d8cd7235853a5661039e66a

Download Submit
C:\Windows\System\RgGFEGA.exe

Filesize
1.8MB

MD5
e256d95e92d73865fc0d59db6738b67f

SHA1
3d36931c7064073acd4e2514eeb11a8eb33b8b0e

SHA256
b6a1dfb4b7a2875aefeffe39c49d2c4b210d1b719b83d6443549c54dd76153c0

SHA512
c4f4463410173496600a1e4609546818edf8fd167b03106807e1900947c5374bf39d22a8d9466a58e57469507727f479ad0fdd4c93773f4979461768bba7aec2

Download Submit
C:\Windows\System\SluOVeC.exe

Filesize
1.8MB

MD5
2a97699cc67042fa916c6d71bdeaf926

SHA1
02f1138e6c04bba08ec48bda1bb4f7034a392c62

SHA256
9afecd576bc9cd7e8ea08d53b9b4afbd9853e7275cfe6d4f755bfae998964f93

SHA512
6f03a017dfd5fad4e1a7fcc3ede6b758a1ae9f8ad9141d6e20207db6ad936aa90b2226d0a291feed1d96dc81305e79eb8a91f4baf3121c36a8d96570d59becce

Download Submit
C:\Windows\System\UFbTRWt.exe

Filesize
1.8MB

MD5
b6df82a2841f8ea28a41162ce27d69ad

SHA1
9723e0b3c4447808e188b5ac0560d5adb480ca67

SHA256
e5cd070451a0f55bb4f7b36c310f22da42e1cb1e56b1af64bf6a7192f4fb1c94

SHA512
301b0fe054d9903e2f284808cd05564b6bc088cbf311b79bf1047a4f472743f4f8e381e0a99ce4299d50942497451801dc2e015899059779de89feb64c4b0e9c

Download Submit
C:\Windows\System\UhFfTkn.exe

Filesize
1.8MB

MD5
1a29902204d74818a2d11ef79dd56681

SHA1
be6f94fb0c8e849371ad183d4d833e156f6eb823

SHA256
958fc9025159c9a8aac47b852e19096e30cb74f93f92e5be08d269d2f4304d59

SHA512
c3ec97fe8a1aa3300fa07a4e9762d161493100a960017dc47b9cc80026c539ef1daf9d16b26f669385905b4ddde4637f6794ebea18a6fb3993b10732c958d359

Download Submit
C:\Windows\System\XrNmpdw.exe

Filesize
1.8MB

MD5
7fe4514f7e1fac4c916678cce0948e8e

SHA1
0509d15baa1537ba9ce3c1246c0d23e5ba4e07e2

SHA256
151066850c7ce69dba8364a9dbde380bfa956aaab695431ae127658b248d228b

SHA512
123d0495baa3895884ba8d6dd3f6f8d66fd19d6a86a3059de088f8323b168b6545199200ae95d76022d9933dde643acd94fde427205169b13246b1018fa1ab73

Download Submit
C:\Windows\System\dNzBDPI.exe

Filesize
1.8MB

MD5
3685da76c2ded3f58f077479f9262b9e

SHA1
7f4950d1aff75b9ea6a666ea18cae6add65ecd42

SHA256
7c61ed6945d03f83272eaaa4c14379411dd13eab7132d71ccb4de1d6b279d1f7

SHA512
338b2220e57564bf3d860fd0b7e7ef89fc95529ad61d1a7debd9571393260fd9fdcb9c78af54e240ac58a1c3370cb0fde329327db8c86fcaa58cfc44b347d38e

Download Submit
C:\Windows\System\ebslbSh.exe

Filesize
1.8MB

MD5
b45f878500da0e9f53a4a5d2efeb4cc3

SHA1
4be48732c815640d8c3bce8cc7c514ee42c9dfc3

SHA256
f5c30f5861f1a89491ceca7fd35350f02144c5056e5c520828515f6df78f5648

SHA512
ea4e115dfff377485e80cdc605a0503a283829e8389822b3a4d2550fa85f0f6334feb45aada3268fc56b04e127fc4dec5c0d3225c38f705385b35f09847200f1

Download Submit
C:\Windows\System\hlpJihw.exe

Filesize
1.8MB

MD5
e64705a6d84830198fd21e22e30b968c

SHA1
8f36d490592e43e42698b96b2b7dba9fa9d9afda

SHA256
811cbce5840e8cc0d0fac15d92e4a61c489ea9f91d37eb4ca4aa6fac2dec4846

SHA512
c488a7056effb6bca34a7d45fe60addb49679e7ebbacd7177fc983ad6cc2a41c7081bad433966e2cb62570a21fd4a91e51a0851285bcb7af0f4df960ae49edbc

Download Submit
C:\Windows\System\jIuYfce.exe

Filesize
1.8MB

MD5
00edad6a8c7e3e4ef346c4311f7f9075

SHA1
cb41859755d72e840621e344dc6b66f4568c06ad

SHA256
a0ab38134da7c8df60166e2144efe5edbf1248f7a06662fb13c1bc861a4f776d

SHA512
6b185d0ad2910993ef37e9f883c2352be65318b5dcfc85b041e6033cda5c70bb3f0c9fb9bdde2af32072e0af723281dbf483d18e4bccdc502afcce71856fc37a

Download Submit
C:\Windows\System\mhkEjpQ.exe

Filesize
1.8MB

MD5
950c331dd4f76ce284787f94a2c5d2e8

SHA1
701d5034ec0f9334b35edcdfc7db84da5921d813

SHA256
c3751c0275564cb7eb2600625f892613637315499568e575aec0cc6dcec1c736

SHA512
c680a4e9fb8febc029a4fe153e0ede398b3bf3a014d1c661ac5db564d3b88be162e63b05e504a068c526133b71964ad0e476dc44250745f861e28c7a8adddf5f

Download Submit
C:\Windows\System\nUtITUP.exe

Filesize
1.8MB

MD5
dd8b05c4cc6b5a5464bcf188087e93d3

SHA1
358b32075af92339b4d5970024a34a87b5122325

SHA256
bc82d3b8c4cf9a19d10b4095ffa7fb0d33c0be4128ed3d23699911d9547d6554

SHA512
6a0dd7923ed2570a194fcd6c7340b5d82662462a7e80f34ddd955f478b40eabbe37fc7d770b0f95a7f1bf024c6fddbfd33632f7766fd9c249f212017c4095098

Download Submit
C:\Windows\System\ntWVMLO.exe

Filesize
1.8MB

MD5
565b6b7e58a48a6424cf976a2c14bf62

SHA1
e0d316a03acc2ea4f3edf5395fa3c6ff841122e5

SHA256
0dd44927d99cb514a2f37482353f3c08ef95f4c5041832f31e36cc4480c0803c

SHA512
76a67190477763a989653282982932a26567de2740347101387244797e7049ed76bd09d0954014218e15f7cfab32df95492dd60d6309a93b699abbb70325651a

Download Submit
C:\Windows\System\qzqwHpD.exe

Filesize
1.8MB

MD5
93c8e6c10304a73e8a6b67c0d7c8e80c

SHA1
06cd4eedb23a0ffd50bcf6a9330ea9861be46b32

SHA256
7ff98d8d7b8451ca2a07643ca8652d10dfb864a240c0253472ee7b3afcd5931e

SHA512
4a2f8b04bf3b5fcf6400f20f872e4f7b4af05e38a2ed757a93982324683787902332698aed4675019a5ada89315e4e47a5ab16f7b7021387a0aac6d1850fc35e

Download Submit
C:\Windows\System\sORMAKO.exe

Filesize
1.8MB

MD5
e8d28d48092cceb7bf5b1d2545f5f4f0

SHA1
86071a155a826c9c09a9530ad448600cbe2cef3b

SHA256
3c9477c1fec80ffca080326bb34270e658c1af0c4ff7b66a0e1a42eb32d68d11

SHA512
d82815ccf85c98d9e2ee5212b3ac85af5952f632393c980d5aff9c239e585c48979b3f51ccb0cf2d786687b0438188880cb60cfc644c716f36b39f94487be54a

Download Submit
C:\Windows\System\sZddTRd.exe

Filesize
1.8MB

MD5
96b7a7d4ac8f8c6b6f949b327ff03c73

SHA1
11fe2b9eb766093467d865fe234a7d42d1f8902e

SHA256
9243115095c74128e8bdf5a3947c9a6528e510b1748c81fe9af1258afe39b5a0

SHA512
dc4426271a7904b43b7de75965beebb360f1cf32e883761ff11f60a3b0f2a4d81356d7dbc24cbf19597b767d3c27f7e377e877ba01054281449fe26ebaf98f67

Download Submit
C:\Windows\System\uiYAxMO.exe

Filesize
1.8MB

MD5
edae8b1e7049aeec1b2f105ce962f152

SHA1
f7a6b6c52c102fe87f1f7a5379eac8796d008fb1

SHA256
d5ea9b3af31c220164f5da5f27bfa58a16d4a2866349d6094fdb0e3ae7e2f41a

SHA512
e9d13b915648a58a8930d779db0db6264227e4282f71e7acbb03d5fc09ac18230c5841d6d2c040d57c64658d0a98f941a6d26915dfe7995a73229a7a58964fde

Download Submit
C:\Windows\System\uqjMwux.exe

Filesize
1.8MB

MD5
bfd0c2860c6b4aceda5f43ddf3f7afb5

SHA1
a9f4a7a509976000f2063cce79c092b2adae7161

SHA256
4ead81b086abe73a871adf472f7639b4c96f026070b2ba1f3c1e5505cd723cc4

SHA512
072f3264b00bfe8c24e3107d6cc443796ef4058ea8fc5590d6e3b0903d1b46f78a27bc2c5f330ab1dada829c2c271da05ff8b90b802407c08e54385104695dae

Download Submit
C:\Windows\System\vmysfWs.exe

Filesize
1.8MB

MD5
f431dc52bf1ed4e08f5703acf0523be4

SHA1
62ae54c8a482bdeadb92cf798b81c334e20ea108

SHA256
af8edb5502d5ba3ba4d5f0c086b1d59c2c04173de5129aa88af569f68b18a5b4

SHA512
7d2312d1d88e73b818a7ab81b78776c14a1e93b274ac7f68368546afffe4ce31397a0fabd1d89c03bca5baac8852a3e7e8dca36458eff175dd2a1886105cdc1d

Download Submit
C:\Windows\System\wCcdacM.exe

Filesize
1.8MB

MD5
aee2ed4aaec230be5d5bc4aac18c1fa3

SHA1
017d2749ee7f63bc519742539db8c406f34cc562

SHA256
b67a9d34f70762bac3af8dc6f93f2088cab132c6ebd7b8ccaa1c59057c4ab5eb

SHA512
37338a6f9714e5e414800f0359554cbcacad0f7cc9404cc03330663999957549397e2f82ed6cc0cb466ca733bcbf362684799ccbff52734ddce76f1ed7b91d70

Download Submit
C:\Windows\System\xYRjhOy.exe

Filesize
1.8MB

MD5
b92a1b0da7b23a7e180cf3a3a57a2261

SHA1
36873998fbbd058bc5f1e4237fd77ce4042eac08

SHA256
ae0e0acfded336b41d1df94b5a88932d72d1e881d77f4607f5a22f0de06eee9c

SHA512
10591a6de413ce7a62dff8a01950bcd9ebba58a167ff6de0085da5d814f395b647c13fedea73123d882ae6d1c73408c9168503c7b8c3420817755489cd2c6db5

Download Submit
C:\Windows\System\yzvRXcA.exe

Filesize
1.8MB

MD5
c4a758cce5fb56b212a5bb0835528fcd

SHA1
bd6631d9e11eefd37978858903e21370509d526b

SHA256
6071c2e8518a5903f076811dbb261cb11ee98963539904b79b50aee3eaf68d10

SHA512
1834598c585c41bdc612248116736dbafc9de50c041ff876b3a76c12e49c19473dd2acdb3e774d1bb6ec1cba6737401c55ba2ec5269a0b2ee7b971bb377c8ed1

Download Submit
C:\Windows\System\zGJEzRv.exe

Filesize
1.8MB

MD5
87129e68598e3cfd86d3ca8616b5d558

SHA1
47587b0837df5f75ab57edeb078d1364ca16e842

SHA256
f14385142b1031eec55ad1700b68590e9e0c62bc2682c6eb627b30caf6b44338

SHA512
c1e603b361df14e0fd42b05afedf5974b011b8f28ecdc85dc96c65cb932f4f45a7859268f171afc5f84e4f247a7481325f006cf8601ac8941084680725d60400

Download Submit
memory/632-504-0x00007FF6E9280000-0x00007FF6E95D1000-memory.dmp

Filesize
3.3MB

Download
memory/632-2304-0x00007FF6E9280000-0x00007FF6E95D1000-memory.dmp

Filesize
3.3MB

Download
memory/752-2328-0x00007FF7F2540000-0x00007FF7F2891000-memory.dmp

Filesize
3.3MB

Download
memory/752-524-0x00007FF7F2540000-0x00007FF7F2891000-memory.dmp

Filesize
3.3MB

Download
memory/924-2223-0x00007FF666860000-0x00007FF666BB1000-memory.dmp

Filesize
3.3MB

Download
memory/924-2278-0x00007FF666860000-0x00007FF666BB1000-memory.dmp

Filesize
3.3MB

Download
memory/924-55-0x00007FF666860000-0x00007FF666BB1000-memory.dmp

Filesize
3.3MB

Download
memory/1068-2292-0x00007FF637730000-0x00007FF637A81000-memory.dmp

Filesize
3.3MB

Download
memory/1068-472-0x00007FF637730000-0x00007FF637A81000-memory.dmp

Filesize
3.3MB

Download
memory/1088-2290-0x00007FF63A1B0000-0x00007FF63A501000-memory.dmp

Filesize
3.3MB

Download
memory/1088-80-0x00007FF63A1B0000-0x00007FF63A501000-memory.dmp

Filesize
3.3MB

Download
memory/1088-2259-0x00007FF63A1B0000-0x00007FF63A501000-memory.dmp

Filesize
3.3MB

Download
memory/1148-540-0x00007FF7A7EB0000-0x00007FF7A8201000-memory.dmp

Filesize
3.3MB

Download
memory/1148-2317-0x00007FF7A7EB0000-0x00007FF7A8201000-memory.dmp

Filesize
3.3MB

Download
memory/1812-533-0x00007FF729150000-0x00007FF7294A1000-memory.dmp

Filesize
3.3MB

Download
memory/1812-2324-0x00007FF729150000-0x00007FF7294A1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-44-0x00007FF7E0460000-0x00007FF7E07B1000-memory.dmp

Filesize
3.3MB

Download
memory/1940-2272-0x00007FF7E0460000-0x00007FF7E07B1000-memory.dmp

Filesize
3.3MB

Download
memory/2088-76-0x00007FF62EC00000-0x00007FF62EF51000-memory.dmp

Filesize
3.3MB

Download
memory/2088-2454-0x00007FF62EC00000-0x00007FF62EF51000-memory.dmp

Filesize
3.3MB

Download
memory/2088-2258-0x00007FF62EC00000-0x00007FF62EF51000-memory.dmp

Filesize
3.3MB

Download
memory/2156-2322-0x00007FF79AB10000-0x00007FF79AE61000-memory.dmp

Filesize
3.3MB

Download
memory/2156-536-0x00007FF79AB10000-0x00007FF79AE61000-memory.dmp

Filesize
3.3MB

Download
memory/2392-56-0x00007FF793D20000-0x00007FF794071000-memory.dmp

Filesize
3.3MB

Download
memory/2392-2224-0x00007FF793D20000-0x00007FF794071000-memory.dmp

Filesize
3.3MB

Download
memory/2392-2284-0x00007FF793D20000-0x00007FF794071000-memory.dmp

Filesize
3.3MB

Download
memory/2428-2300-0x00007FF736150000-0x00007FF7364A1000-memory.dmp

Filesize
3.3MB

Download
memory/2428-491-0x00007FF736150000-0x00007FF7364A1000-memory.dmp

Filesize
3.3MB

Download
memory/2500-1-0x00000235B2850000-0x00000235B2860000-memory.dmp

Filesize
64KB

Download
memory/2500-0-0x00007FF7DE300000-0x00007FF7DE651000-memory.dmp

Filesize
3.3MB

Download
memory/2648-2282-0x00007FF61BB90000-0x00007FF61BEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-75-0x00007FF61BB90000-0x00007FF61BEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-64-0x00007FF7BE1F0000-0x00007FF7BE541000-memory.dmp

Filesize
3.3MB

Download
memory/2792-2280-0x00007FF7BE1F0000-0x00007FF7BE541000-memory.dmp

Filesize
3.3MB

Download
memory/2888-503-0x00007FF75E980000-0x00007FF75ECD1000-memory.dmp

Filesize
3.3MB

Download
memory/2888-2308-0x00007FF75E980000-0x00007FF75ECD1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-2221-0x00007FF7494D0000-0x00007FF749821000-memory.dmp

Filesize
3.3MB

Download
memory/3028-2270-0x00007FF7494D0000-0x00007FF749821000-memory.dmp

Filesize
3.3MB

Download
memory/3028-29-0x00007FF7494D0000-0x00007FF749821000-memory.dmp

Filesize
3.3MB

Download
memory/3508-2274-0x00007FF6C4A40000-0x00007FF6C4D91000-memory.dmp

Filesize
3.3MB

Download
memory/3508-63-0x00007FF6C4A40000-0x00007FF6C4D91000-memory.dmp

Filesize
3.3MB

Download
memory/3752-2296-0x00007FF63C970000-0x00007FF63CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/3752-478-0x00007FF63C970000-0x00007FF63CCC1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-2266-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp

Filesize
3.3MB

Download
memory/3788-13-0x00007FF6B9280000-0x00007FF6B95D1000-memory.dmp

Filesize
3.3MB

Download
memory/4068-485-0x00007FF6D1F30000-0x00007FF6D2281000-memory.dmp

Filesize
3.3MB

Download
memory/4068-2298-0x00007FF6D1F30000-0x00007FF6D2281000-memory.dmp

Filesize
3.3MB

Download
memory/4220-70-0x00007FF60AAC0000-0x00007FF60AE11000-memory.dmp

Filesize
3.3MB

Download
memory/4220-2225-0x00007FF60AAC0000-0x00007FF60AE11000-memory.dmp

Filesize
3.3MB

Download
memory/4220-2286-0x00007FF60AAC0000-0x00007FF60AE11000-memory.dmp

Filesize
3.3MB

Download
memory/4468-511-0x00007FF641570000-0x00007FF6418C1000-memory.dmp

Filesize
3.3MB

Download
memory/4468-2319-0x00007FF641570000-0x00007FF6418C1000-memory.dmp

Filesize
3.3MB

Download
memory/4672-2310-0x00007FF774570000-0x00007FF7748C1000-memory.dmp

Filesize
3.3MB

Download
memory/4672-514-0x00007FF774570000-0x00007FF7748C1000-memory.dmp

Filesize
3.3MB

Download
memory/4964-496-0x00007FF7F90F0000-0x00007FF7F9441000-memory.dmp

Filesize
3.3MB

Download
memory/4964-2306-0x00007FF7F90F0000-0x00007FF7F9441000-memory.dmp

Filesize
3.3MB

Download
memory/4996-2222-0x00007FF7DAD30000-0x00007FF7DB081000-memory.dmp

Filesize
3.3MB

Download
memory/4996-2276-0x00007FF7DAD30000-0x00007FF7DB081000-memory.dmp

Filesize
3.3MB

Download
memory/4996-37-0x00007FF7DAD30000-0x00007FF7DB081000-memory.dmp

Filesize
3.3MB

Download
memory/5008-2302-0x00007FF742BC0000-0x00007FF742F11000-memory.dmp

Filesize
3.3MB

Download
memory/5008-489-0x00007FF742BC0000-0x00007FF742F11000-memory.dmp

Filesize
3.3MB

Download
memory/5040-87-0x00007FF71F440000-0x00007FF71F791000-memory.dmp

Filesize
3.3MB

Download
memory/5040-2288-0x00007FF71F440000-0x00007FF71F791000-memory.dmp

Filesize
3.3MB

Download
memory/5040-2262-0x00007FF71F440000-0x00007FF71F791000-memory.dmp

Filesize
3.3MB

Download
memory/5072-2294-0x00007FF7DC5D0000-0x00007FF7DC921000-memory.dmp

Filesize
3.3MB

Download
memory/5072-473-0x00007FF7DC5D0000-0x00007FF7DC921000-memory.dmp

Filesize
3.3MB

Download
memory/5116-2268-0x00007FF630000000-0x00007FF630351000-memory.dmp

Filesize
3.3MB

Download
memory/5116-60-0x00007FF630000000-0x00007FF630351000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads