xmrig | 4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
Size

3.0MB
MD5

d5375a069cff8aff4d379ce2c72a53b0
SHA1

1dcb813c766d3703f0992bae01acca00c7423ec4
SHA256

4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c
SHA512

3fb1a5d2ae0f4e30ba620097b262bbb0f1988e9bbf04218a71d1e7b36ecaee4dfccc690fac14f25082447ddfd741250ee1256e62741aa2443115af1c164f621b
SSDEEP

98304:71ONtyBeSFkXV1etEKLlWUTOfeiRA2R76zHrWi:7bBeSFkW

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/112-0-0x00007FF6C4C60000-0x00007FF6C5056000-memory.dmp	xmrig
behavioral2/files/0x000800000002344d-6.dat	xmrig
behavioral2/files/0x0007000000023451-14.dat	xmrig
behavioral2/files/0x0007000000023452-15.dat	xmrig
behavioral2/files/0x0008000000023456-40.dat	xmrig
behavioral2/files/0x0007000000023457-54.dat	xmrig
behavioral2/files/0x0008000000023455-62.dat	xmrig
behavioral2/files/0x000700000002345a-77.dat	xmrig
behavioral2/files/0x000700000002345d-86.dat	xmrig
behavioral2/files/0x000700000002345f-104.dat	xmrig
behavioral2/files/0x0007000000023463-116.dat	xmrig
behavioral2/files/0x0007000000023464-129.dat	xmrig
behavioral2/files/0x0007000000023468-141.dat	xmrig
behavioral2/files/0x000700000002346b-156.dat	xmrig
behavioral2/memory/1016-819-0x00007FF6E1990000-0x00007FF6E1D86000-memory.dmp	xmrig
behavioral2/memory/1708-864-0x00007FF70B4C0000-0x00007FF70B8B6000-memory.dmp	xmrig
behavioral2/memory/3876-881-0x00007FF6B5330000-0x00007FF6B5726000-memory.dmp	xmrig
behavioral2/memory/2428-878-0x00007FF7C0910000-0x00007FF7C0D06000-memory.dmp	xmrig
behavioral2/memory/2512-852-0x00007FF7D9A90000-0x00007FF7D9E86000-memory.dmp	xmrig
behavioral2/memory/3376-840-0x00007FF719B80000-0x00007FF719F76000-memory.dmp	xmrig
behavioral2/memory/3676-832-0x00007FF68CFE0000-0x00007FF68D3D6000-memory.dmp	xmrig
behavioral2/memory/1984-897-0x00007FF78D260000-0x00007FF78D656000-memory.dmp	xmrig
behavioral2/memory/4848-911-0x00007FF7BCAC0000-0x00007FF7BCEB6000-memory.dmp	xmrig
behavioral2/memory/820-934-0x00007FF76C300000-0x00007FF76C6F6000-memory.dmp	xmrig
behavioral2/memory/1296-936-0x00007FF7F72C0000-0x00007FF7F76B6000-memory.dmp	xmrig
behavioral2/memory/3468-942-0x00007FF6EA650000-0x00007FF6EAA46000-memory.dmp	xmrig
behavioral2/memory/4592-946-0x00007FF7F8850000-0x00007FF7F8C46000-memory.dmp	xmrig
behavioral2/memory/2296-948-0x00007FF673030000-0x00007FF673426000-memory.dmp	xmrig
behavioral2/memory/1444-954-0x00007FF77CCD0000-0x00007FF77D0C6000-memory.dmp	xmrig
behavioral2/memory/2228-953-0x00007FF7B4270000-0x00007FF7B4666000-memory.dmp	xmrig
behavioral2/memory/3788-947-0x00007FF6FCB30000-0x00007FF6FCF26000-memory.dmp	xmrig
behavioral2/memory/2832-944-0x00007FF673830000-0x00007FF673C26000-memory.dmp	xmrig
behavioral2/memory/1660-943-0x00007FF789810000-0x00007FF789C06000-memory.dmp	xmrig
behavioral2/memory/3368-941-0x00007FF66A320000-0x00007FF66A716000-memory.dmp	xmrig
behavioral2/memory/2812-927-0x00007FF7787B0000-0x00007FF778BA6000-memory.dmp	xmrig
behavioral2/memory/2576-924-0x00007FF7D4150000-0x00007FF7D4546000-memory.dmp	xmrig
behavioral2/memory/3284-920-0x00007FF779040000-0x00007FF779436000-memory.dmp	xmrig
behavioral2/memory/516-903-0x00007FF766B60000-0x00007FF766F56000-memory.dmp	xmrig
behavioral2/files/0x000700000002346f-176.dat	xmrig
behavioral2/files/0x000700000002346d-174.dat	xmrig
behavioral2/files/0x000700000002346e-171.dat	xmrig
behavioral2/files/0x000700000002346c-169.dat	xmrig
behavioral2/files/0x000700000002346a-159.dat	xmrig
behavioral2/files/0x0007000000023469-154.dat	xmrig
behavioral2/files/0x0007000000023467-144.dat	xmrig
behavioral2/files/0x0007000000023466-139.dat	xmrig
behavioral2/files/0x0007000000023465-134.dat	xmrig
behavioral2/files/0x0007000000023462-119.dat	xmrig
behavioral2/files/0x0007000000023461-114.dat	xmrig
behavioral2/files/0x0007000000023460-109.dat	xmrig
behavioral2/files/0x000700000002345e-99.dat	xmrig
behavioral2/files/0x000700000002345c-87.dat	xmrig
behavioral2/files/0x000700000002345b-82.dat	xmrig
behavioral2/files/0x0007000000023459-71.dat	xmrig
behavioral2/files/0x000800000002344e-67.dat	xmrig
behavioral2/files/0x0007000000023458-56.dat	xmrig
behavioral2/files/0x0007000000023454-41.dat	xmrig
behavioral2/files/0x0007000000023453-33.dat	xmrig
behavioral2/memory/2296-2106-0x00007FF673030000-0x00007FF673426000-memory.dmp	xmrig
behavioral2/memory/1016-2107-0x00007FF6E1990000-0x00007FF6E1D86000-memory.dmp	xmrig
behavioral2/memory/3676-2108-0x00007FF68CFE0000-0x00007FF68D3D6000-memory.dmp	xmrig
behavioral2/memory/3376-2109-0x00007FF719B80000-0x00007FF719F76000-memory.dmp	xmrig
behavioral2/memory/2228-2111-0x00007FF7B4270000-0x00007FF7B4666000-memory.dmp	xmrig
behavioral2/memory/2512-2112-0x00007FF7D9A90000-0x00007FF7D9E86000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1336	powershell.exe
10	1336	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1336	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2296	bgFdxZn.exe
1016	kifhDlp.exe
3676	MjTGJJQ.exe
3376	lRavJJg.exe
2512	GgrLNQj.exe
2228	McZKoLa.exe
1444	IOUVTrE.exe
1708	wrQXhaD.exe
2428	zjtJqkX.exe
3876	NUqzQWb.exe
1984	xZMrAAh.exe
516	KJRxUyt.exe
4848	IYDAYEG.exe
3284	WRYcOHB.exe
2576	MbFFklt.exe
2812	trcTcnr.exe
820	cYUlToz.exe
1296	YslTZRg.exe
3368	DNpsLSD.exe
3468	kyzDKOY.exe
1660	yJFudGe.exe
2832	cBlTllN.exe
4592	LVrvwEb.exe
3788	nSqDLbr.exe
4564	fEuLsRf.exe
3668	sSerOsw.exe
3744	iTBvqTO.exe
3040	bGaQSHr.exe
2052	wRegoxK.exe
4496	BqUQGeK.exe
3352	fKqCJcj.exe
2044	wjEkeWT.exe
1536	mXIsuNK.exe
1052	sANzFbX.exe
4000	zEtnGtN.exe
1236	nONpeId.exe
4240	xqBEpyZ.exe
3472	ZMeOtIh.exe
4516	Vmzbqmm.exe
3280	ddljNlo.exe
4796	idRrEew.exe
4580	pOVxBZw.exe
4572	GLcSZog.exe
4864	IfFqbrc.exe
1200	lqYMmiT.exe
4368	gvGOBel.exe
2648	KgugVls.exe
3308	RkcNSHI.exe
764	NKRuogY.exe
1576	LjFxBtR.exe
3996	vDeXGEw.exe
4112	MzWXEXc.exe
1868	qbTDJCl.exe
3416	zYExuOD.exe
400	JlTrSoq.exe
4632	MdGwowc.exe
2752	krUZFfL.exe
32	XOhcick.exe
4132	fUgMebV.exe
3232	TyccNwM.exe
4808	lpSOAYO.exe
4028	bIvJPva.exe
4064	gKuOfVZ.exe
5056	qwETLAc.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/112-0-0x00007FF6C4C60000-0x00007FF6C5056000-memory.dmp	upx
behavioral2/files/0x000800000002344d-6.dat	upx
behavioral2/files/0x0007000000023451-14.dat	upx
behavioral2/files/0x0007000000023452-15.dat	upx
behavioral2/files/0x0008000000023456-40.dat	upx
behavioral2/files/0x0007000000023457-54.dat	upx
behavioral2/files/0x0008000000023455-62.dat	upx
behavioral2/files/0x000700000002345a-77.dat	upx
behavioral2/files/0x000700000002345d-86.dat	upx
behavioral2/files/0x000700000002345f-104.dat	upx
behavioral2/files/0x0007000000023463-116.dat	upx
behavioral2/files/0x0007000000023464-129.dat	upx
behavioral2/files/0x0007000000023468-141.dat	upx
behavioral2/files/0x000700000002346b-156.dat	upx
behavioral2/memory/1016-819-0x00007FF6E1990000-0x00007FF6E1D86000-memory.dmp	upx
behavioral2/memory/1708-864-0x00007FF70B4C0000-0x00007FF70B8B6000-memory.dmp	upx
behavioral2/memory/3876-881-0x00007FF6B5330000-0x00007FF6B5726000-memory.dmp	upx
behavioral2/memory/2428-878-0x00007FF7C0910000-0x00007FF7C0D06000-memory.dmp	upx
behavioral2/memory/2512-852-0x00007FF7D9A90000-0x00007FF7D9E86000-memory.dmp	upx
behavioral2/memory/3376-840-0x00007FF719B80000-0x00007FF719F76000-memory.dmp	upx
behavioral2/memory/3676-832-0x00007FF68CFE0000-0x00007FF68D3D6000-memory.dmp	upx
behavioral2/memory/1984-897-0x00007FF78D260000-0x00007FF78D656000-memory.dmp	upx
behavioral2/memory/4848-911-0x00007FF7BCAC0000-0x00007FF7BCEB6000-memory.dmp	upx
behavioral2/memory/820-934-0x00007FF76C300000-0x00007FF76C6F6000-memory.dmp	upx
behavioral2/memory/1296-936-0x00007FF7F72C0000-0x00007FF7F76B6000-memory.dmp	upx
behavioral2/memory/3468-942-0x00007FF6EA650000-0x00007FF6EAA46000-memory.dmp	upx
behavioral2/memory/4592-946-0x00007FF7F8850000-0x00007FF7F8C46000-memory.dmp	upx
behavioral2/memory/2296-948-0x00007FF673030000-0x00007FF673426000-memory.dmp	upx
behavioral2/memory/1444-954-0x00007FF77CCD0000-0x00007FF77D0C6000-memory.dmp	upx
behavioral2/memory/2228-953-0x00007FF7B4270000-0x00007FF7B4666000-memory.dmp	upx
behavioral2/memory/3788-947-0x00007FF6FCB30000-0x00007FF6FCF26000-memory.dmp	upx
behavioral2/memory/2832-944-0x00007FF673830000-0x00007FF673C26000-memory.dmp	upx
behavioral2/memory/1660-943-0x00007FF789810000-0x00007FF789C06000-memory.dmp	upx
behavioral2/memory/3368-941-0x00007FF66A320000-0x00007FF66A716000-memory.dmp	upx
behavioral2/memory/2812-927-0x00007FF7787B0000-0x00007FF778BA6000-memory.dmp	upx
behavioral2/memory/2576-924-0x00007FF7D4150000-0x00007FF7D4546000-memory.dmp	upx
behavioral2/memory/3284-920-0x00007FF779040000-0x00007FF779436000-memory.dmp	upx
behavioral2/memory/516-903-0x00007FF766B60000-0x00007FF766F56000-memory.dmp	upx
behavioral2/files/0x000700000002346f-176.dat	upx
behavioral2/files/0x000700000002346d-174.dat	upx
behavioral2/files/0x000700000002346e-171.dat	upx
behavioral2/files/0x000700000002346c-169.dat	upx
behavioral2/files/0x000700000002346a-159.dat	upx
behavioral2/files/0x0007000000023469-154.dat	upx
behavioral2/files/0x0007000000023467-144.dat	upx
behavioral2/files/0x0007000000023466-139.dat	upx
behavioral2/files/0x0007000000023465-134.dat	upx
behavioral2/files/0x0007000000023462-119.dat	upx
behavioral2/files/0x0007000000023461-114.dat	upx
behavioral2/files/0x0007000000023460-109.dat	upx
behavioral2/files/0x000700000002345e-99.dat	upx
behavioral2/files/0x000700000002345c-87.dat	upx
behavioral2/files/0x000700000002345b-82.dat	upx
behavioral2/files/0x0007000000023459-71.dat	upx
behavioral2/files/0x000800000002344e-67.dat	upx
behavioral2/files/0x0007000000023458-56.dat	upx
behavioral2/files/0x0007000000023454-41.dat	upx
behavioral2/files/0x0007000000023453-33.dat	upx
behavioral2/memory/2296-2106-0x00007FF673030000-0x00007FF673426000-memory.dmp	upx
behavioral2/memory/1016-2107-0x00007FF6E1990000-0x00007FF6E1D86000-memory.dmp	upx
behavioral2/memory/3676-2108-0x00007FF68CFE0000-0x00007FF68D3D6000-memory.dmp	upx
behavioral2/memory/3376-2109-0x00007FF719B80000-0x00007FF719F76000-memory.dmp	upx
behavioral2/memory/2228-2111-0x00007FF7B4270000-0x00007FF7B4666000-memory.dmp	upx
behavioral2/memory/2512-2112-0x00007FF7D9A90000-0x00007FF7D9E86000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\zouFCvC.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\qtBxoJU.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\gdgSbLB.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\nkbteiU.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\EsYbFcB.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\uoaIhVb.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\LVrvwEb.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\nikfYFD.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\lXLSZtW.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\cyDsNla.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\uMdrRRb.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\PnxJzuZ.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\aoSoXGk.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\avwQney.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\UrWchka.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\EdqkNGb.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\sLkRHil.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\zokcZsc.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\aiGDuIm.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\KoNSsvj.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\plEDrLZ.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\KNdvcOS.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\PqyjGGM.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\ziDZQKn.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\NlkIhHR.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\yXENMoE.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\GLpfUyQ.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\BKbBiqV.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\yuvvTJK.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\SZhmwSp.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\TRFEMiJ.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\LfKwyYD.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\aCrMruo.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\FopoRmZ.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\JMocVeh.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\fLSoOlm.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\YgzFUmM.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\tjtyVsq.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\fsXzNia.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\joEmjjY.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\RHTzPhX.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\HGmfhNi.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\tyAQnNW.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\yiDEGoo.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\VhIYntM.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\QmoETBk.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\rtpPqjd.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\nifYySf.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\clmIIXV.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\msNjjfs.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\kXyCohv.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\wkJcaQz.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\HEOxpPk.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\fTXhYBU.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\SqfxQRx.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\vOGiBkx.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\umrCzTg.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\FJpXWAy.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\WrjtoHu.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\dYYXcuM.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\COWqcbx.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\XwPukIr.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\egVhsbW.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
File created	C:\Windows\System\jYudtjV.exe	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1336	powershell.exe
1336	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeLockMemoryPrivilege	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 112 wrote to memory of 1336	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	84
PID 112 wrote to memory of 1336	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	84
PID 112 wrote to memory of 2296	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	85
PID 112 wrote to memory of 2296	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	85
PID 112 wrote to memory of 1016	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	86
PID 112 wrote to memory of 1016	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	86
PID 112 wrote to memory of 3676	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	87
PID 112 wrote to memory of 3676	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	87
PID 112 wrote to memory of 3376	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	88
PID 112 wrote to memory of 3376	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	88
PID 112 wrote to memory of 2512	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	89
PID 112 wrote to memory of 2512	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	89
PID 112 wrote to memory of 2228	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	90
PID 112 wrote to memory of 2228	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	90
PID 112 wrote to memory of 1444	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	91
PID 112 wrote to memory of 1444	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	91
PID 112 wrote to memory of 1708	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	92
PID 112 wrote to memory of 1708	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	92
PID 112 wrote to memory of 2428	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	93
PID 112 wrote to memory of 2428	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	93
PID 112 wrote to memory of 3876	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	94
PID 112 wrote to memory of 3876	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	94
PID 112 wrote to memory of 1984	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	95
PID 112 wrote to memory of 1984	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	95
PID 112 wrote to memory of 516	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	96
PID 112 wrote to memory of 516	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	96
PID 112 wrote to memory of 4848	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	97
PID 112 wrote to memory of 4848	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	97
PID 112 wrote to memory of 3284	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	98
PID 112 wrote to memory of 3284	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	98
PID 112 wrote to memory of 2576	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	99
PID 112 wrote to memory of 2576	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	99
PID 112 wrote to memory of 2812	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	100
PID 112 wrote to memory of 2812	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	100
PID 112 wrote to memory of 820	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	101
PID 112 wrote to memory of 820	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	101
PID 112 wrote to memory of 1296	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	102
PID 112 wrote to memory of 1296	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	102
PID 112 wrote to memory of 3368	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	103
PID 112 wrote to memory of 3368	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	103
PID 112 wrote to memory of 3468	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	104
PID 112 wrote to memory of 3468	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	104
PID 112 wrote to memory of 1660	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	105
PID 112 wrote to memory of 1660	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	105
PID 112 wrote to memory of 2832	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	106
PID 112 wrote to memory of 2832	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	106
PID 112 wrote to memory of 4592	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	107
PID 112 wrote to memory of 4592	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	107
PID 112 wrote to memory of 3788	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	108
PID 112 wrote to memory of 3788	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	108
PID 112 wrote to memory of 4564	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	109
PID 112 wrote to memory of 4564	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	109
PID 112 wrote to memory of 3668	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	110
PID 112 wrote to memory of 3668	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	110
PID 112 wrote to memory of 3744	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	111
PID 112 wrote to memory of 3744	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	111
PID 112 wrote to memory of 3040	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	112
PID 112 wrote to memory of 3040	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	112
PID 112 wrote to memory of 2052	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	113
PID 112 wrote to memory of 2052	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	113
PID 112 wrote to memory of 4496	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	114
PID 112 wrote to memory of 4496	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	114
PID 112 wrote to memory of 3352	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	115
PID 112 wrote to memory of 3352	112	4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4a7a8e5aa6e8880adcd7a301d15c06148ea2a5d727ac6b91b23d76396eba496c_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1336" "2944" "2876" "2948" "0" "0" "2952" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:12292
- C:\Windows\System\bgFdxZn.exe
  C:\Windows\System\bgFdxZn.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\kifhDlp.exe
  C:\Windows\System\kifhDlp.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\MjTGJJQ.exe
  C:\Windows\System\MjTGJJQ.exe
  2⤵
  - Executes dropped EXE
  PID:3676
- C:\Windows\System\lRavJJg.exe
  C:\Windows\System\lRavJJg.exe
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\System\GgrLNQj.exe
  C:\Windows\System\GgrLNQj.exe
  2⤵
  - Executes dropped EXE
  PID:2512
- C:\Windows\System\McZKoLa.exe
  C:\Windows\System\McZKoLa.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\IOUVTrE.exe
  C:\Windows\System\IOUVTrE.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Windows\System\wrQXhaD.exe
  C:\Windows\System\wrQXhaD.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\zjtJqkX.exe
  C:\Windows\System\zjtJqkX.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\NUqzQWb.exe
  C:\Windows\System\NUqzQWb.exe
  2⤵
  - Executes dropped EXE
  PID:3876
- C:\Windows\System\xZMrAAh.exe
  C:\Windows\System\xZMrAAh.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\KJRxUyt.exe
  C:\Windows\System\KJRxUyt.exe
  2⤵
  - Executes dropped EXE
  PID:516
- C:\Windows\System\IYDAYEG.exe
  C:\Windows\System\IYDAYEG.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\WRYcOHB.exe
  C:\Windows\System\WRYcOHB.exe
  2⤵
  - Executes dropped EXE
  PID:3284
- C:\Windows\System\MbFFklt.exe
  C:\Windows\System\MbFFklt.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\trcTcnr.exe
  C:\Windows\System\trcTcnr.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\cYUlToz.exe
  C:\Windows\System\cYUlToz.exe
  2⤵
  - Executes dropped EXE
  PID:820
- C:\Windows\System\YslTZRg.exe
  C:\Windows\System\YslTZRg.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\DNpsLSD.exe
  C:\Windows\System\DNpsLSD.exe
  2⤵
  - Executes dropped EXE
  PID:3368
- C:\Windows\System\kyzDKOY.exe
  C:\Windows\System\kyzDKOY.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System\yJFudGe.exe
  C:\Windows\System\yJFudGe.exe
  2⤵
  - Executes dropped EXE
  PID:1660
- C:\Windows\System\cBlTllN.exe
  C:\Windows\System\cBlTllN.exe
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\Windows\System\LVrvwEb.exe
  C:\Windows\System\LVrvwEb.exe
  2⤵
  - Executes dropped EXE
  PID:4592
- C:\Windows\System\nSqDLbr.exe
  C:\Windows\System\nSqDLbr.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\fEuLsRf.exe
  C:\Windows\System\fEuLsRf.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\sSerOsw.exe
  C:\Windows\System\sSerOsw.exe
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\System\iTBvqTO.exe
  C:\Windows\System\iTBvqTO.exe
  2⤵
  - Executes dropped EXE
  PID:3744
- C:\Windows\System\bGaQSHr.exe
  C:\Windows\System\bGaQSHr.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\wRegoxK.exe
  C:\Windows\System\wRegoxK.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\BqUQGeK.exe
  C:\Windows\System\BqUQGeK.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System\fKqCJcj.exe
  C:\Windows\System\fKqCJcj.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\wjEkeWT.exe
  C:\Windows\System\wjEkeWT.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\mXIsuNK.exe
  C:\Windows\System\mXIsuNK.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System\sANzFbX.exe
  C:\Windows\System\sANzFbX.exe
  2⤵
  - Executes dropped EXE
  PID:1052
- C:\Windows\System\zEtnGtN.exe
  C:\Windows\System\zEtnGtN.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\nONpeId.exe
  C:\Windows\System\nONpeId.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\xqBEpyZ.exe
  C:\Windows\System\xqBEpyZ.exe
  2⤵
  - Executes dropped EXE
  PID:4240
- C:\Windows\System\ZMeOtIh.exe
  C:\Windows\System\ZMeOtIh.exe
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Windows\System\Vmzbqmm.exe
  C:\Windows\System\Vmzbqmm.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\ddljNlo.exe
  C:\Windows\System\ddljNlo.exe
  2⤵
  - Executes dropped EXE
  PID:3280
- C:\Windows\System\idRrEew.exe
  C:\Windows\System\idRrEew.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\pOVxBZw.exe
  C:\Windows\System\pOVxBZw.exe
  2⤵
  - Executes dropped EXE
  PID:4580
- C:\Windows\System\GLcSZog.exe
  C:\Windows\System\GLcSZog.exe
  2⤵
  - Executes dropped EXE
  PID:4572
- C:\Windows\System\IfFqbrc.exe
  C:\Windows\System\IfFqbrc.exe
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\System\lqYMmiT.exe
  C:\Windows\System\lqYMmiT.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\gvGOBel.exe
  C:\Windows\System\gvGOBel.exe
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Windows\System\KgugVls.exe
  C:\Windows\System\KgugVls.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\RkcNSHI.exe
  C:\Windows\System\RkcNSHI.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\NKRuogY.exe
  C:\Windows\System\NKRuogY.exe
  2⤵
  - Executes dropped EXE
  PID:764
- C:\Windows\System\LjFxBtR.exe
  C:\Windows\System\LjFxBtR.exe
  2⤵
  - Executes dropped EXE
  PID:1576
- C:\Windows\System\vDeXGEw.exe
  C:\Windows\System\vDeXGEw.exe
  2⤵
  - Executes dropped EXE
  PID:3996
- C:\Windows\System\MzWXEXc.exe
  C:\Windows\System\MzWXEXc.exe
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Windows\System\qbTDJCl.exe
  C:\Windows\System\qbTDJCl.exe
  2⤵
  - Executes dropped EXE
  PID:1868
- C:\Windows\System\zYExuOD.exe
  C:\Windows\System\zYExuOD.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\JlTrSoq.exe
  C:\Windows\System\JlTrSoq.exe
  2⤵
  - Executes dropped EXE
  PID:400
- C:\Windows\System\MdGwowc.exe
  C:\Windows\System\MdGwowc.exe
  2⤵
  - Executes dropped EXE
  PID:4632
- C:\Windows\System\krUZFfL.exe
  C:\Windows\System\krUZFfL.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\XOhcick.exe
  C:\Windows\System\XOhcick.exe
  2⤵
  - Executes dropped EXE
  PID:32
- C:\Windows\System\fUgMebV.exe
  C:\Windows\System\fUgMebV.exe
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Windows\System\TyccNwM.exe
  C:\Windows\System\TyccNwM.exe
  2⤵
  - Executes dropped EXE
  PID:3232
- C:\Windows\System\lpSOAYO.exe
  C:\Windows\System\lpSOAYO.exe
  2⤵
  - Executes dropped EXE
  PID:4808
- C:\Windows\System\bIvJPva.exe
  C:\Windows\System\bIvJPva.exe
  2⤵
  - Executes dropped EXE
  PID:4028
- C:\Windows\System\gKuOfVZ.exe
  C:\Windows\System\gKuOfVZ.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\qwETLAc.exe
  C:\Windows\System\qwETLAc.exe
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Windows\System\aKILQKG.exe
  C:\Windows\System\aKILQKG.exe
  2⤵
  PID:3968
- C:\Windows\System\fhEPoqw.exe
  C:\Windows\System\fhEPoqw.exe
  2⤵
  PID:4664
- C:\Windows\System\iPADDtJ.exe
  C:\Windows\System\iPADDtJ.exe
  2⤵
  PID:4124
- C:\Windows\System\QKiaQCb.exe
  C:\Windows\System\QKiaQCb.exe
  2⤵
  PID:4388
- C:\Windows\System\zqROdUp.exe
  C:\Windows\System\zqROdUp.exe
  2⤵
  PID:4284
- C:\Windows\System\TYszfOu.exe
  C:\Windows\System\TYszfOu.exe
  2⤵
  PID:1048
- C:\Windows\System\RNCQJeC.exe
  C:\Windows\System\RNCQJeC.exe
  2⤵
  PID:2096
- C:\Windows\System\RHGcIju.exe
  C:\Windows\System\RHGcIju.exe
  2⤵
  PID:1104
- C:\Windows\System\ePvRWkF.exe
  C:\Windows\System\ePvRWkF.exe
  2⤵
  PID:2248
- C:\Windows\System\SfQOlvp.exe
  C:\Windows\System\SfQOlvp.exe
  2⤵
  PID:5128
- C:\Windows\System\aDFqrMN.exe
  C:\Windows\System\aDFqrMN.exe
  2⤵
  PID:5156
- C:\Windows\System\uUZqhZn.exe
  C:\Windows\System\uUZqhZn.exe
  2⤵
  PID:5184
- C:\Windows\System\nrgLFDH.exe
  C:\Windows\System\nrgLFDH.exe
  2⤵
  PID:5208
- C:\Windows\System\fKPShov.exe
  C:\Windows\System\fKPShov.exe
  2⤵
  PID:5236
- C:\Windows\System\zWDYVBU.exe
  C:\Windows\System\zWDYVBU.exe
  2⤵
  PID:5268
- C:\Windows\System\rQzuiOl.exe
  C:\Windows\System\rQzuiOl.exe
  2⤵
  PID:5296
- C:\Windows\System\InldgoV.exe
  C:\Windows\System\InldgoV.exe
  2⤵
  PID:5324
- C:\Windows\System\kGhcYnv.exe
  C:\Windows\System\kGhcYnv.exe
  2⤵
  PID:5352
- C:\Windows\System\dZbzVVp.exe
  C:\Windows\System\dZbzVVp.exe
  2⤵
  PID:5380
- C:\Windows\System\mioUAAj.exe
  C:\Windows\System\mioUAAj.exe
  2⤵
  PID:5408
- C:\Windows\System\YQVUbfb.exe
  C:\Windows\System\YQVUbfb.exe
  2⤵
  PID:5436
- C:\Windows\System\YtmVxrE.exe
  C:\Windows\System\YtmVxrE.exe
  2⤵
  PID:5464
- C:\Windows\System\bWpwhbR.exe
  C:\Windows\System\bWpwhbR.exe
  2⤵
  PID:5492
- C:\Windows\System\Olvrzue.exe
  C:\Windows\System\Olvrzue.exe
  2⤵
  PID:5520
- C:\Windows\System\wJbViGk.exe
  C:\Windows\System\wJbViGk.exe
  2⤵
  PID:5548
- C:\Windows\System\HIBiqvi.exe
  C:\Windows\System\HIBiqvi.exe
  2⤵
  PID:5576
- C:\Windows\System\ZNmlQpL.exe
  C:\Windows\System\ZNmlQpL.exe
  2⤵
  PID:5600
- C:\Windows\System\xnxuWnh.exe
  C:\Windows\System\xnxuWnh.exe
  2⤵
  PID:5628
- C:\Windows\System\lAmfrGT.exe
  C:\Windows\System\lAmfrGT.exe
  2⤵
  PID:5660
- C:\Windows\System\QkvcYUz.exe
  C:\Windows\System\QkvcYUz.exe
  2⤵
  PID:5688
- C:\Windows\System\IuyVRvc.exe
  C:\Windows\System\IuyVRvc.exe
  2⤵
  PID:5716
- C:\Windows\System\vaFCVWm.exe
  C:\Windows\System\vaFCVWm.exe
  2⤵
  PID:5740
- C:\Windows\System\mYSaWaN.exe
  C:\Windows\System\mYSaWaN.exe
  2⤵
  PID:5768
- C:\Windows\System\gbtJQdv.exe
  C:\Windows\System\gbtJQdv.exe
  2⤵
  PID:5796
- C:\Windows\System\aPFdyBa.exe
  C:\Windows\System\aPFdyBa.exe
  2⤵
  PID:5828
- C:\Windows\System\mzEPauD.exe
  C:\Windows\System\mzEPauD.exe
  2⤵
  PID:5852
- C:\Windows\System\dWZuudP.exe
  C:\Windows\System\dWZuudP.exe
  2⤵
  PID:5880
- C:\Windows\System\gjPzVvd.exe
  C:\Windows\System\gjPzVvd.exe
  2⤵
  PID:5912
- C:\Windows\System\lumcgfv.exe
  C:\Windows\System\lumcgfv.exe
  2⤵
  PID:5940
- C:\Windows\System\ctLJyvo.exe
  C:\Windows\System\ctLJyvo.exe
  2⤵
  PID:5968
- C:\Windows\System\jqTdzBk.exe
  C:\Windows\System\jqTdzBk.exe
  2⤵
  PID:5992
- C:\Windows\System\YWCWKyR.exe
  C:\Windows\System\YWCWKyR.exe
  2⤵
  PID:6024
- C:\Windows\System\azPvIDv.exe
  C:\Windows\System\azPvIDv.exe
  2⤵
  PID:6052
- C:\Windows\System\yLRsrBY.exe
  C:\Windows\System\yLRsrBY.exe
  2⤵
  PID:6080
- C:\Windows\System\COFgVKe.exe
  C:\Windows\System\COFgVKe.exe
  2⤵
  PID:6108
- C:\Windows\System\HRaSAFA.exe
  C:\Windows\System\HRaSAFA.exe
  2⤵
  PID:6136
- C:\Windows\System\GmbzQlv.exe
  C:\Windows\System\GmbzQlv.exe
  2⤵
  PID:3356
- C:\Windows\System\vrurYpc.exe
  C:\Windows\System\vrurYpc.exe
  2⤵
  PID:392
- C:\Windows\System\acVVOka.exe
  C:\Windows\System\acVVOka.exe
  2⤵
  PID:4820
- C:\Windows\System\MdkvOgt.exe
  C:\Windows\System\MdkvOgt.exe
  2⤵
  PID:1464
- C:\Windows\System\uckHXgy.exe
  C:\Windows\System\uckHXgy.exe
  2⤵
  PID:1672
- C:\Windows\System\OHpMPZL.exe
  C:\Windows\System\OHpMPZL.exe
  2⤵
  PID:1424
- C:\Windows\System\nZhLyth.exe
  C:\Windows\System\nZhLyth.exe
  2⤵
  PID:5168
- C:\Windows\System\nwLSYQK.exe
  C:\Windows\System\nwLSYQK.exe
  2⤵
  PID:5228
- C:\Windows\System\bbdBSZC.exe
  C:\Windows\System\bbdBSZC.exe
  2⤵
  PID:5288
- C:\Windows\System\UwiJjgH.exe
  C:\Windows\System\UwiJjgH.exe
  2⤵
  PID:5364
- C:\Windows\System\XWepLCa.exe
  C:\Windows\System\XWepLCa.exe
  2⤵
  PID:5424
- C:\Windows\System\OqSyvTd.exe
  C:\Windows\System\OqSyvTd.exe
  2⤵
  PID:5484
- C:\Windows\System\aouWVAE.exe
  C:\Windows\System\aouWVAE.exe
  2⤵
  PID:5560
- C:\Windows\System\ogQEgGI.exe
  C:\Windows\System\ogQEgGI.exe
  2⤵
  PID:5616
- C:\Windows\System\rnNFFiw.exe
  C:\Windows\System\rnNFFiw.exe
  2⤵
  PID:5680
- C:\Windows\System\AXHqxeB.exe
  C:\Windows\System\AXHqxeB.exe
  2⤵
  PID:5736
- C:\Windows\System\QJpNrMa.exe
  C:\Windows\System\QJpNrMa.exe
  2⤵
  PID:5812
- C:\Windows\System\clwLjae.exe
  C:\Windows\System\clwLjae.exe
  2⤵
  PID:5872
- C:\Windows\System\uaRBVQp.exe
  C:\Windows\System\uaRBVQp.exe
  2⤵
  PID:5932
- C:\Windows\System\dkERNNl.exe
  C:\Windows\System\dkERNNl.exe
  2⤵
  PID:6012
- C:\Windows\System\WWhmZeL.exe
  C:\Windows\System\WWhmZeL.exe
  2⤵
  PID:6068
- C:\Windows\System\IakTcPJ.exe
  C:\Windows\System\IakTcPJ.exe
  2⤵
  PID:6132
- C:\Windows\System\rjaLiui.exe
  C:\Windows\System\rjaLiui.exe
  2⤵
  PID:704
- C:\Windows\System\imfngyi.exe
  C:\Windows\System\imfngyi.exe
  2⤵
  PID:644
- C:\Windows\System\wmeyKRU.exe
  C:\Windows\System\wmeyKRU.exe
  2⤵
  PID:5196
- C:\Windows\System\lbcCrVD.exe
  C:\Windows\System\lbcCrVD.exe
  2⤵
  PID:5336
- C:\Windows\System\BCWFpRa.exe
  C:\Windows\System\BCWFpRa.exe
  2⤵
  PID:5476
- C:\Windows\System\FFzeyih.exe
  C:\Windows\System\FFzeyih.exe
  2⤵
  PID:5596
- C:\Windows\System\CJtxydT.exe
  C:\Windows\System\CJtxydT.exe
  2⤵
  PID:5788
- C:\Windows\System\iZuVJBl.exe
  C:\Windows\System\iZuVJBl.exe
  2⤵
  PID:6164
- C:\Windows\System\NyYPuYb.exe
  C:\Windows\System\NyYPuYb.exe
  2⤵
  PID:6192
- C:\Windows\System\UNUnPpY.exe
  C:\Windows\System\UNUnPpY.exe
  2⤵
  PID:6220
- C:\Windows\System\fvbehNq.exe
  C:\Windows\System\fvbehNq.exe
  2⤵
  PID:6248
- C:\Windows\System\UhvokKf.exe
  C:\Windows\System\UhvokKf.exe
  2⤵
  PID:6276
- C:\Windows\System\xYRrGlH.exe
  C:\Windows\System\xYRrGlH.exe
  2⤵
  PID:6304
- C:\Windows\System\LQcOsjL.exe
  C:\Windows\System\LQcOsjL.exe
  2⤵
  PID:6332
- C:\Windows\System\FGJrvio.exe
  C:\Windows\System\FGJrvio.exe
  2⤵
  PID:6360
- C:\Windows\System\VlaxQCC.exe
  C:\Windows\System\VlaxQCC.exe
  2⤵
  PID:6388
- C:\Windows\System\MIgHFFS.exe
  C:\Windows\System\MIgHFFS.exe
  2⤵
  PID:6416
- C:\Windows\System\RIMmQlf.exe
  C:\Windows\System\RIMmQlf.exe
  2⤵
  PID:6444
- C:\Windows\System\kYocEKz.exe
  C:\Windows\System\kYocEKz.exe
  2⤵
  PID:6472
- C:\Windows\System\TcsRsun.exe
  C:\Windows\System\TcsRsun.exe
  2⤵
  PID:6500
- C:\Windows\System\lqZLIqd.exe
  C:\Windows\System\lqZLIqd.exe
  2⤵
  PID:6528
- C:\Windows\System\gCUXPBK.exe
  C:\Windows\System\gCUXPBK.exe
  2⤵
  PID:6556
- C:\Windows\System\rDmFrFN.exe
  C:\Windows\System\rDmFrFN.exe
  2⤵
  PID:6584
- C:\Windows\System\UaaPYbr.exe
  C:\Windows\System\UaaPYbr.exe
  2⤵
  PID:6612
- C:\Windows\System\IqhraEu.exe
  C:\Windows\System\IqhraEu.exe
  2⤵
  PID:6640
- C:\Windows\System\sxfjBpw.exe
  C:\Windows\System\sxfjBpw.exe
  2⤵
  PID:6668
- C:\Windows\System\Jnckmit.exe
  C:\Windows\System\Jnckmit.exe
  2⤵
  PID:6696
- C:\Windows\System\RpPaUHA.exe
  C:\Windows\System\RpPaUHA.exe
  2⤵
  PID:6724
- C:\Windows\System\GICgUnH.exe
  C:\Windows\System\GICgUnH.exe
  2⤵
  PID:6752
- C:\Windows\System\WnNkABd.exe
  C:\Windows\System\WnNkABd.exe
  2⤵
  PID:6780
- C:\Windows\System\rbChSQB.exe
  C:\Windows\System\rbChSQB.exe
  2⤵
  PID:6812
- C:\Windows\System\iWZoEft.exe
  C:\Windows\System\iWZoEft.exe
  2⤵
  PID:6840
- C:\Windows\System\gyoBfqS.exe
  C:\Windows\System\gyoBfqS.exe
  2⤵
  PID:6864
- C:\Windows\System\kgCWEaJ.exe
  C:\Windows\System\kgCWEaJ.exe
  2⤵
  PID:6892
- C:\Windows\System\qEejwQa.exe
  C:\Windows\System\qEejwQa.exe
  2⤵
  PID:6916
- C:\Windows\System\pdxszTy.exe
  C:\Windows\System\pdxszTy.exe
  2⤵
  PID:6948
- C:\Windows\System\pmTmJTa.exe
  C:\Windows\System\pmTmJTa.exe
  2⤵
  PID:6976
- C:\Windows\System\XLKlQkD.exe
  C:\Windows\System\XLKlQkD.exe
  2⤵
  PID:7004
- C:\Windows\System\JXFxIfY.exe
  C:\Windows\System\JXFxIfY.exe
  2⤵
  PID:7032
- C:\Windows\System\RWwtjnT.exe
  C:\Windows\System\RWwtjnT.exe
  2⤵
  PID:7060
- C:\Windows\System\FlZNIIu.exe
  C:\Windows\System\FlZNIIu.exe
  2⤵
  PID:7084
- C:\Windows\System\nNsVhNH.exe
  C:\Windows\System\nNsVhNH.exe
  2⤵
  PID:7116
- C:\Windows\System\mOZctFB.exe
  C:\Windows\System\mOZctFB.exe
  2⤵
  PID:7140
- C:\Windows\System\LGTHiJy.exe
  C:\Windows\System\LGTHiJy.exe
  2⤵
  PID:5868
- C:\Windows\System\rcrLapo.exe
  C:\Windows\System\rcrLapo.exe
  2⤵
  PID:6040
- C:\Windows\System\xTnZwJq.exe
  C:\Windows\System\xTnZwJq.exe
  2⤵
  PID:4480
- C:\Windows\System\DANbbWy.exe
  C:\Windows\System\DANbbWy.exe
  2⤵
  PID:5140
- C:\Windows\System\GoukAwK.exe
  C:\Windows\System\GoukAwK.exe
  2⤵
  PID:5536
- C:\Windows\System\rjWdtDG.exe
  C:\Windows\System\rjWdtDG.exe
  2⤵
  PID:6152
- C:\Windows\System\ApsTQnY.exe
  C:\Windows\System\ApsTQnY.exe
  2⤵
  PID:6212
- C:\Windows\System\mOdPEiy.exe
  C:\Windows\System\mOdPEiy.exe
  2⤵
  PID:6288
- C:\Windows\System\bzzHmhA.exe
  C:\Windows\System\bzzHmhA.exe
  2⤵
  PID:6348
- C:\Windows\System\yrpUYUF.exe
  C:\Windows\System\yrpUYUF.exe
  2⤵
  PID:6408
- C:\Windows\System\fruRfro.exe
  C:\Windows\System\fruRfro.exe
  2⤵
  PID:6484
- C:\Windows\System\vZYsQsV.exe
  C:\Windows\System\vZYsQsV.exe
  2⤵
  PID:6544
- C:\Windows\System\dIiSqUA.exe
  C:\Windows\System\dIiSqUA.exe
  2⤵
  PID:6608
- C:\Windows\System\EisxihU.exe
  C:\Windows\System\EisxihU.exe
  2⤵
  PID:6680
- C:\Windows\System\ipEStCA.exe
  C:\Windows\System\ipEStCA.exe
  2⤵
  PID:6740
- C:\Windows\System\yRJAmfX.exe
  C:\Windows\System\yRJAmfX.exe
  2⤵
  PID:6808
- C:\Windows\System\FBLJaPi.exe
  C:\Windows\System\FBLJaPi.exe
  2⤵
  PID:6876
- C:\Windows\System\bVQGtFH.exe
  C:\Windows\System\bVQGtFH.exe
  2⤵
  PID:6932
- C:\Windows\System\NnIpHWs.exe
  C:\Windows\System\NnIpHWs.exe
  2⤵
  PID:6992
- C:\Windows\System\dltiMuC.exe
  C:\Windows\System\dltiMuC.exe
  2⤵
  PID:7052
- C:\Windows\System\hsgYkMa.exe
  C:\Windows\System\hsgYkMa.exe
  2⤵
  PID:7128
- C:\Windows\System\ltPNnGI.exe
  C:\Windows\System\ltPNnGI.exe
  2⤵
  PID:5928
- C:\Windows\System\imlmolS.exe
  C:\Windows\System\imlmolS.exe
  2⤵
  PID:4672
- C:\Windows\System\fFLTpgR.exe
  C:\Windows\System\fFLTpgR.exe
  2⤵
  PID:5732
- C:\Windows\System\IbBFOeB.exe
  C:\Windows\System\IbBFOeB.exe
  2⤵
  PID:6264
- C:\Windows\System\JDawCpq.exe
  C:\Windows\System\JDawCpq.exe
  2⤵
  PID:6400
- C:\Windows\System\CrNDoMy.exe
  C:\Windows\System\CrNDoMy.exe
  2⤵
  PID:880
- C:\Windows\System\wLheTpy.exe
  C:\Windows\System\wLheTpy.exe
  2⤵
  PID:6712
- C:\Windows\System\oJNToJK.exe
  C:\Windows\System\oJNToJK.exe
  2⤵
  PID:6792
- C:\Windows\System\dSbdYAQ.exe
  C:\Windows\System\dSbdYAQ.exe
  2⤵
  PID:6964
- C:\Windows\System\eiOTkXM.exe
  C:\Windows\System\eiOTkXM.exe
  2⤵
  PID:7104
- C:\Windows\System\LaIsAln.exe
  C:\Windows\System\LaIsAln.exe
  2⤵
  PID:5396
- C:\Windows\System\wySyPNY.exe
  C:\Windows\System\wySyPNY.exe
  2⤵
  PID:6324
- C:\Windows\System\zraNgJw.exe
  C:\Windows\System\zraNgJw.exe
  2⤵
  PID:7172
- C:\Windows\System\tDjxgCZ.exe
  C:\Windows\System\tDjxgCZ.exe
  2⤵
  PID:7204
- C:\Windows\System\YqyoqdN.exe
  C:\Windows\System\YqyoqdN.exe
  2⤵
  PID:7232
- C:\Windows\System\VJWwfdl.exe
  C:\Windows\System\VJWwfdl.exe
  2⤵
  PID:7260
- C:\Windows\System\vQHuzKS.exe
  C:\Windows\System\vQHuzKS.exe
  2⤵
  PID:7284
- C:\Windows\System\GIAmyAl.exe
  C:\Windows\System\GIAmyAl.exe
  2⤵
  PID:7312
- C:\Windows\System\BZYzGJc.exe
  C:\Windows\System\BZYzGJc.exe
  2⤵
  PID:7340
- C:\Windows\System\nHwMKgt.exe
  C:\Windows\System\nHwMKgt.exe
  2⤵
  PID:7368
- C:\Windows\System\DkdAMHt.exe
  C:\Windows\System\DkdAMHt.exe
  2⤵
  PID:7396
- C:\Windows\System\RlesEln.exe
  C:\Windows\System\RlesEln.exe
  2⤵
  PID:7428
- C:\Windows\System\kNuumnd.exe
  C:\Windows\System\kNuumnd.exe
  2⤵
  PID:7456
- C:\Windows\System\PXkXVLo.exe
  C:\Windows\System\PXkXVLo.exe
  2⤵
  PID:7484
- C:\Windows\System\qNTQKRW.exe
  C:\Windows\System\qNTQKRW.exe
  2⤵
  PID:7512
- C:\Windows\System\AbppUHM.exe
  C:\Windows\System\AbppUHM.exe
  2⤵
  PID:7540
- C:\Windows\System\GfMGvmi.exe
  C:\Windows\System\GfMGvmi.exe
  2⤵
  PID:7568
- C:\Windows\System\xzASUav.exe
  C:\Windows\System\xzASUav.exe
  2⤵
  PID:7592
- C:\Windows\System\DKvkZpl.exe
  C:\Windows\System\DKvkZpl.exe
  2⤵
  PID:7624
- C:\Windows\System\EadgEnh.exe
  C:\Windows\System\EadgEnh.exe
  2⤵
  PID:7652
- C:\Windows\System\gOmdvkF.exe
  C:\Windows\System\gOmdvkF.exe
  2⤵
  PID:7680
- C:\Windows\System\vnHUJwK.exe
  C:\Windows\System\vnHUJwK.exe
  2⤵
  PID:7704
- C:\Windows\System\KaLBwuP.exe
  C:\Windows\System\KaLBwuP.exe
  2⤵
  PID:7736
- C:\Windows\System\orqFxeQ.exe
  C:\Windows\System\orqFxeQ.exe
  2⤵
  PID:7764
- C:\Windows\System\bsoOaFJ.exe
  C:\Windows\System\bsoOaFJ.exe
  2⤵
  PID:7792
- C:\Windows\System\JdqbFBJ.exe
  C:\Windows\System\JdqbFBJ.exe
  2⤵
  PID:7820
- C:\Windows\System\nEAjyOx.exe
  C:\Windows\System\nEAjyOx.exe
  2⤵
  PID:7848
- C:\Windows\System\UzupqZz.exe
  C:\Windows\System\UzupqZz.exe
  2⤵
  PID:7876
- C:\Windows\System\aXfQpyC.exe
  C:\Windows\System\aXfQpyC.exe
  2⤵
  PID:7904
- C:\Windows\System\diggotq.exe
  C:\Windows\System\diggotq.exe
  2⤵
  PID:7932
- C:\Windows\System\eNArQYA.exe
  C:\Windows\System\eNArQYA.exe
  2⤵
  PID:7956
- C:\Windows\System\LfzCxgx.exe
  C:\Windows\System\LfzCxgx.exe
  2⤵
  PID:7988
- C:\Windows\System\XQFZJZq.exe
  C:\Windows\System\XQFZJZq.exe
  2⤵
  PID:8016
- C:\Windows\System\SgQwaHR.exe
  C:\Windows\System\SgQwaHR.exe
  2⤵
  PID:8040
- C:\Windows\System\FznQUVh.exe
  C:\Windows\System\FznQUVh.exe
  2⤵
  PID:8072
- C:\Windows\System\UOWdHpx.exe
  C:\Windows\System\UOWdHpx.exe
  2⤵
  PID:8100
- C:\Windows\System\HEOxpPk.exe
  C:\Windows\System\HEOxpPk.exe
  2⤵
  PID:8128
- C:\Windows\System\uMxjxCM.exe
  C:\Windows\System\uMxjxCM.exe
  2⤵
  PID:8156
- C:\Windows\System\RYbrwXi.exe
  C:\Windows\System\RYbrwXi.exe
  2⤵
  PID:8180
- C:\Windows\System\FdHWnNG.exe
  C:\Windows\System\FdHWnNG.exe
  2⤵
  PID:6856
- C:\Windows\System\lcKjpfl.exe
  C:\Windows\System\lcKjpfl.exe
  2⤵
  PID:7080
- C:\Windows\System\oKbuutD.exe
  C:\Windows\System\oKbuutD.exe
  2⤵
  PID:4188
- C:\Windows\System\PXlKvfT.exe
  C:\Windows\System\PXlKvfT.exe
  2⤵
  PID:7332
- C:\Windows\System\mzmdFmk.exe
  C:\Windows\System\mzmdFmk.exe
  2⤵
  PID:7392
- C:\Windows\System\rZOYHtc.exe
  C:\Windows\System\rZOYHtc.exe
  2⤵
  PID:7440
- C:\Windows\System\XqJQKKX.exe
  C:\Windows\System\XqJQKKX.exe
  2⤵
  PID:7496
- C:\Windows\System\LoKmQzl.exe
  C:\Windows\System\LoKmQzl.exe
  2⤵
  PID:7528
- C:\Windows\System\ZEKKnWm.exe
  C:\Windows\System\ZEKKnWm.exe
  2⤵
  PID:7580
- C:\Windows\System\LIkZcCz.exe
  C:\Windows\System\LIkZcCz.exe
  2⤵
  PID:7616
- C:\Windows\System\xyWsKVk.exe
  C:\Windows\System\xyWsKVk.exe
  2⤵
  PID:7672
- C:\Windows\System\sqYynrZ.exe
  C:\Windows\System\sqYynrZ.exe
  2⤵
  PID:7720
- C:\Windows\System\MfUqaJw.exe
  C:\Windows\System\MfUqaJw.exe
  2⤵
  PID:7776
- C:\Windows\System\vpVLwoj.exe
  C:\Windows\System\vpVLwoj.exe
  2⤵
  PID:3008
- C:\Windows\System\OgFkaGA.exe
  C:\Windows\System\OgFkaGA.exe
  2⤵
  PID:7864
- C:\Windows\System\GTDvScT.exe
  C:\Windows\System\GTDvScT.exe
  2⤵
  PID:7924
- C:\Windows\System\qgoYfww.exe
  C:\Windows\System\qgoYfww.exe
  2⤵
  PID:7972
- C:\Windows\System\zSSIPTy.exe
  C:\Windows\System\zSSIPTy.exe
  2⤵
  PID:8008
- C:\Windows\System\xniWitm.exe
  C:\Windows\System\xniWitm.exe
  2⤵
  PID:4052
- C:\Windows\System\KloXyOe.exe
  C:\Windows\System\KloXyOe.exe
  2⤵
  PID:8088
- C:\Windows\System\fSjdLvM.exe
  C:\Windows\System\fSjdLvM.exe
  2⤵
  PID:8140
- C:\Windows\System\cJdUvrz.exe
  C:\Windows\System\cJdUvrz.exe
  2⤵
  PID:8172
- C:\Windows\System\CaqBBRX.exe
  C:\Windows\System\CaqBBRX.exe
  2⤵
  PID:4908
- C:\Windows\System\IKjUqRO.exe
  C:\Windows\System\IKjUqRO.exe
  2⤵
  PID:6652
- C:\Windows\System\lhqzLtI.exe
  C:\Windows\System\lhqzLtI.exe
  2⤵
  PID:3444
- C:\Windows\System\wAaYJKN.exe
  C:\Windows\System\wAaYJKN.exe
  2⤵
  PID:2036
- C:\Windows\System\COtBmHi.exe
  C:\Windows\System\COtBmHi.exe
  2⤵
  PID:2776
- C:\Windows\System\msgCEJV.exe
  C:\Windows\System\msgCEJV.exe
  2⤵
  PID:4444
- C:\Windows\System\tlhtFLN.exe
  C:\Windows\System\tlhtFLN.exe
  2⤵
  PID:4100
- C:\Windows\System\VPTuKfM.exe
  C:\Windows\System\VPTuKfM.exe
  2⤵
  PID:2608
- C:\Windows\System\lowPxXX.exe
  C:\Windows\System\lowPxXX.exe
  2⤵
  PID:7384
- C:\Windows\System\ZgBEutQ.exe
  C:\Windows\System\ZgBEutQ.exe
  2⤵
  PID:8084
- C:\Windows\System\PfpxGGj.exe
  C:\Windows\System\PfpxGGj.exe
  2⤵
  PID:7840
- C:\Windows\System\noeBSYV.exe
  C:\Windows\System\noeBSYV.exe
  2⤵
  PID:8036
- C:\Windows\System\iOYHIdE.exe
  C:\Windows\System\iOYHIdE.exe
  2⤵
  PID:1208
- C:\Windows\System\SkSUGUm.exe
  C:\Windows\System\SkSUGUm.exe
  2⤵
  PID:4648
- C:\Windows\System\EPHbePn.exe
  C:\Windows\System\EPHbePn.exe
  2⤵
  PID:7308
- C:\Windows\System\oAJArAe.exe
  C:\Windows\System\oAJArAe.exe
  2⤵
  PID:3336
- C:\Windows\System\XqgOpbV.exe
  C:\Windows\System\XqgOpbV.exe
  2⤵
  PID:592
- C:\Windows\System\DYtKKYA.exe
  C:\Windows\System\DYtKKYA.exe
  2⤵
  PID:8244
- C:\Windows\System\xcYWyFJ.exe
  C:\Windows\System\xcYWyFJ.exe
  2⤵
  PID:8296
- C:\Windows\System\NdVwuxW.exe
  C:\Windows\System\NdVwuxW.exe
  2⤵
  PID:8312
- C:\Windows\System\oOwURoL.exe
  C:\Windows\System\oOwURoL.exe
  2⤵
  PID:8328
- C:\Windows\System\tumktyL.exe
  C:\Windows\System\tumktyL.exe
  2⤵
  PID:8356
- C:\Windows\System\AFIORXy.exe
  C:\Windows\System\AFIORXy.exe
  2⤵
  PID:8384
- C:\Windows\System\XmaDxbj.exe
  C:\Windows\System\XmaDxbj.exe
  2⤵
  PID:8412
- C:\Windows\System\BuXzoeX.exe
  C:\Windows\System\BuXzoeX.exe
  2⤵
  PID:8440
- C:\Windows\System\WOFvzLp.exe
  C:\Windows\System\WOFvzLp.exe
  2⤵
  PID:8468
- C:\Windows\System\JYQftNL.exe
  C:\Windows\System\JYQftNL.exe
  2⤵
  PID:8496
- C:\Windows\System\FGMETeo.exe
  C:\Windows\System\FGMETeo.exe
  2⤵
  PID:8524
- C:\Windows\System\fFfAzRW.exe
  C:\Windows\System\fFfAzRW.exe
  2⤵
  PID:8552
- C:\Windows\System\OMbzVVb.exe
  C:\Windows\System\OMbzVVb.exe
  2⤵
  PID:8580
- C:\Windows\System\jYudtjV.exe
  C:\Windows\System\jYudtjV.exe
  2⤵
  PID:8608
- C:\Windows\System\esgdufu.exe
  C:\Windows\System\esgdufu.exe
  2⤵
  PID:8636
- C:\Windows\System\dRFzNPZ.exe
  C:\Windows\System\dRFzNPZ.exe
  2⤵
  PID:8664
- C:\Windows\System\XRbOdWT.exe
  C:\Windows\System\XRbOdWT.exe
  2⤵
  PID:8692
- C:\Windows\System\sUgbTMv.exe
  C:\Windows\System\sUgbTMv.exe
  2⤵
  PID:8720
- C:\Windows\System\sZrdcmP.exe
  C:\Windows\System\sZrdcmP.exe
  2⤵
  PID:8748
- C:\Windows\System\ffgKlvS.exe
  C:\Windows\System\ffgKlvS.exe
  2⤵
  PID:8776
- C:\Windows\System\QTVRKua.exe
  C:\Windows\System\QTVRKua.exe
  2⤵
  PID:8804
- C:\Windows\System\mUYRKHB.exe
  C:\Windows\System\mUYRKHB.exe
  2⤵
  PID:8832
- C:\Windows\System\qtLEzpT.exe
  C:\Windows\System\qtLEzpT.exe
  2⤵
  PID:8856
- C:\Windows\System\mdeRMUK.exe
  C:\Windows\System\mdeRMUK.exe
  2⤵
  PID:8904
- C:\Windows\System\yrLLHdG.exe
  C:\Windows\System\yrLLHdG.exe
  2⤵
  PID:8936
- C:\Windows\System\LPfRxow.exe
  C:\Windows\System\LPfRxow.exe
  2⤵
  PID:8968
- C:\Windows\System\CotfZZg.exe
  C:\Windows\System\CotfZZg.exe
  2⤵
  PID:8988
- C:\Windows\System\QBDXXqk.exe
  C:\Windows\System\QBDXXqk.exe
  2⤵
  PID:9012
- C:\Windows\System\IcQAxah.exe
  C:\Windows\System\IcQAxah.exe
  2⤵
  PID:9044
- C:\Windows\System\VgxWbQa.exe
  C:\Windows\System\VgxWbQa.exe
  2⤵
  PID:9080
- C:\Windows\System\GdPQoUc.exe
  C:\Windows\System\GdPQoUc.exe
  2⤵
  PID:9108
- C:\Windows\System\VvWtRYq.exe
  C:\Windows\System\VvWtRYq.exe
  2⤵
  PID:9128
- C:\Windows\System\FXUZLbA.exe
  C:\Windows\System\FXUZLbA.exe
  2⤵
  PID:9156
- C:\Windows\System\EuSBspM.exe
  C:\Windows\System\EuSBspM.exe
  2⤵
  PID:9184
- C:\Windows\System\uZgygKH.exe
  C:\Windows\System\uZgygKH.exe
  2⤵
  PID:9212
- C:\Windows\System\nnghHqo.exe
  C:\Windows\System\nnghHqo.exe
  2⤵
  PID:1412
- C:\Windows\System\ilOtYYz.exe
  C:\Windows\System\ilOtYYz.exe
  2⤵
  PID:8284
- C:\Windows\System\JuHYiqa.exe
  C:\Windows\System\JuHYiqa.exe
  2⤵
  PID:8320
- C:\Windows\System\rBstAke.exe
  C:\Windows\System\rBstAke.exe
  2⤵
  PID:8424
- C:\Windows\System\oPMPTDJ.exe
  C:\Windows\System\oPMPTDJ.exe
  2⤵
  PID:8516
- C:\Windows\System\RRcHUBs.exe
  C:\Windows\System\RRcHUBs.exe
  2⤵
  PID:8596
- C:\Windows\System\jMtpMMT.exe
  C:\Windows\System\jMtpMMT.exe
  2⤵
  PID:8628
- C:\Windows\System\XJmLvmT.exe
  C:\Windows\System\XJmLvmT.exe
  2⤵
  PID:8712
- C:\Windows\System\pXTrbzc.exe
  C:\Windows\System\pXTrbzc.exe
  2⤵
  PID:8760
- C:\Windows\System\ruwoZzm.exe
  C:\Windows\System\ruwoZzm.exe
  2⤵
  PID:3012
- C:\Windows\System\GhklqlF.exe
  C:\Windows\System\GhklqlF.exe
  2⤵
  PID:8820
- C:\Windows\System\QckPlDW.exe
  C:\Windows\System\QckPlDW.exe
  2⤵
  PID:7668
- C:\Windows\System\YSIhRqs.exe
  C:\Windows\System\YSIhRqs.exe
  2⤵
  PID:8924
- C:\Windows\System\mylEZIy.exe
  C:\Windows\System\mylEZIy.exe
  2⤵
  PID:8980
- C:\Windows\System\MOcNtnQ.exe
  C:\Windows\System\MOcNtnQ.exe
  2⤵
  PID:9036
- C:\Windows\System\mbHQheW.exe
  C:\Windows\System\mbHQheW.exe
  2⤵
  PID:7504
- C:\Windows\System\nwXGfKm.exe
  C:\Windows\System\nwXGfKm.exe
  2⤵
  PID:9148
- C:\Windows\System\JwwWyiW.exe
  C:\Windows\System\JwwWyiW.exe
  2⤵
  PID:4008
- C:\Windows\System\ErzSOBe.exe
  C:\Windows\System\ErzSOBe.exe
  2⤵
  PID:7920
- C:\Windows\System\dznSPGg.exe
  C:\Windows\System\dznSPGg.exe
  2⤵
  PID:8236
- C:\Windows\System\ypPxlet.exe
  C:\Windows\System\ypPxlet.exe
  2⤵
  PID:416
- C:\Windows\System\JUXGWiQ.exe
  C:\Windows\System\JUXGWiQ.exe
  2⤵
  PID:1416
- C:\Windows\System\tcdLxxV.exe
  C:\Windows\System\tcdLxxV.exe
  2⤵
  PID:4804
- C:\Windows\System\CdiSBwS.exe
  C:\Windows\System\CdiSBwS.exe
  2⤵
  PID:8452
- C:\Windows\System\jOTQfIe.exe
  C:\Windows\System\jOTQfIe.exe
  2⤵
  PID:8276
- C:\Windows\System\NnOPTpN.exe
  C:\Windows\System\NnOPTpN.exe
  2⤵
  PID:5096
- C:\Windows\System\lGkmkEL.exe
  C:\Windows\System\lGkmkEL.exe
  2⤵
  PID:8816
- C:\Windows\System\CiAwrKB.exe
  C:\Windows\System\CiAwrKB.exe
  2⤵
  PID:8964
- C:\Windows\System\EbmUXEJ.exe
  C:\Windows\System\EbmUXEJ.exe
  2⤵
  PID:8120
- C:\Windows\System\afjJLNU.exe
  C:\Windows\System\afjJLNU.exe
  2⤵
  PID:2916
- C:\Windows\System\mnxeKXg.exe
  C:\Windows\System\mnxeKXg.exe
  2⤵
  PID:7416
- C:\Windows\System\kJYUztu.exe
  C:\Windows\System\kJYUztu.exe
  2⤵
  PID:8484
- C:\Windows\System\uZxfasJ.exe
  C:\Windows\System\uZxfasJ.exe
  2⤵
  PID:8896
- C:\Windows\System\fYrHzEN.exe
  C:\Windows\System\fYrHzEN.exe
  2⤵
  PID:9176
- C:\Windows\System\zJLYLlh.exe
  C:\Windows\System\zJLYLlh.exe
  2⤵
  PID:7560
- C:\Windows\System\EJFZUMD.exe
  C:\Windows\System\EJFZUMD.exe
  2⤵
  PID:9120
- C:\Windows\System\PbReaPg.exe
  C:\Windows\System\PbReaPg.exe
  2⤵
  PID:9220
- C:\Windows\System\BKbBiqV.exe
  C:\Windows\System\BKbBiqV.exe
  2⤵
  PID:9240
- C:\Windows\System\SELAoFV.exe
  C:\Windows\System\SELAoFV.exe
  2⤵
  PID:9276
- C:\Windows\System\MbJRHnX.exe
  C:\Windows\System\MbJRHnX.exe
  2⤵
  PID:9304
- C:\Windows\System\cxzrmnZ.exe
  C:\Windows\System\cxzrmnZ.exe
  2⤵
  PID:9332
- C:\Windows\System\JxTifMt.exe
  C:\Windows\System\JxTifMt.exe
  2⤵
  PID:9360
- C:\Windows\System\epJrpcA.exe
  C:\Windows\System\epJrpcA.exe
  2⤵
  PID:9376
- C:\Windows\System\pcJGQGX.exe
  C:\Windows\System\pcJGQGX.exe
  2⤵
  PID:9412
- C:\Windows\System\mugeYts.exe
  C:\Windows\System\mugeYts.exe
  2⤵
  PID:9448
- C:\Windows\System\WdCHGzg.exe
  C:\Windows\System\WdCHGzg.exe
  2⤵
  PID:9476
- C:\Windows\System\OGyEhYk.exe
  C:\Windows\System\OGyEhYk.exe
  2⤵
  PID:9504
- C:\Windows\System\SnGkdCo.exe
  C:\Windows\System\SnGkdCo.exe
  2⤵
  PID:9532
- C:\Windows\System\jHdFiKB.exe
  C:\Windows\System\jHdFiKB.exe
  2⤵
  PID:9560
- C:\Windows\System\LCEEeWa.exe
  C:\Windows\System\LCEEeWa.exe
  2⤵
  PID:9588
- C:\Windows\System\mbeXyKb.exe
  C:\Windows\System\mbeXyKb.exe
  2⤵
  PID:9604
- C:\Windows\System\fCDsJKg.exe
  C:\Windows\System\fCDsJKg.exe
  2⤵
  PID:9632
- C:\Windows\System\QxESiHA.exe
  C:\Windows\System\QxESiHA.exe
  2⤵
  PID:9664
- C:\Windows\System\hhnYnFp.exe
  C:\Windows\System\hhnYnFp.exe
  2⤵
  PID:9692
- C:\Windows\System\euxXBmh.exe
  C:\Windows\System\euxXBmh.exe
  2⤵
  PID:9728
- C:\Windows\System\XeGmDaS.exe
  C:\Windows\System\XeGmDaS.exe
  2⤵
  PID:9760
- C:\Windows\System\DwakgCG.exe
  C:\Windows\System\DwakgCG.exe
  2⤵
  PID:9788
- C:\Windows\System\SMItNdD.exe
  C:\Windows\System\SMItNdD.exe
  2⤵
  PID:9816
- C:\Windows\System\VhkwKLO.exe
  C:\Windows\System\VhkwKLO.exe
  2⤵
  PID:9844
- C:\Windows\System\zGsWRKm.exe
  C:\Windows\System\zGsWRKm.exe
  2⤵
  PID:9876
- C:\Windows\System\oRYhLKM.exe
  C:\Windows\System\oRYhLKM.exe
  2⤵
  PID:9904
- C:\Windows\System\paexvZM.exe
  C:\Windows\System\paexvZM.exe
  2⤵
  PID:9924
- C:\Windows\System\smkrsxh.exe
  C:\Windows\System\smkrsxh.exe
  2⤵
  PID:9960
- C:\Windows\System\hUNKnRH.exe
  C:\Windows\System\hUNKnRH.exe
  2⤵
  PID:9988
- C:\Windows\System\QBuqtVd.exe
  C:\Windows\System\QBuqtVd.exe
  2⤵
  PID:10016
- C:\Windows\System\Amtkcys.exe
  C:\Windows\System\Amtkcys.exe
  2⤵
  PID:10056
- C:\Windows\System\RSKDKht.exe
  C:\Windows\System\RSKDKht.exe
  2⤵
  PID:10092
- C:\Windows\System\ugXQpmW.exe
  C:\Windows\System\ugXQpmW.exe
  2⤵
  PID:10120
- C:\Windows\System\WvYtqBF.exe
  C:\Windows\System\WvYtqBF.exe
  2⤵
  PID:10148
- C:\Windows\System\PfzQQzP.exe
  C:\Windows\System\PfzQQzP.exe
  2⤵
  PID:10176
- C:\Windows\System\VjPuEER.exe
  C:\Windows\System\VjPuEER.exe
  2⤵
  PID:10204
- C:\Windows\System\Yjghqlg.exe
  C:\Windows\System\Yjghqlg.exe
  2⤵
  PID:10232
- C:\Windows\System\vUzWgGP.exe
  C:\Windows\System\vUzWgGP.exe
  2⤵
  PID:2392
- C:\Windows\System\JhRMyYu.exe
  C:\Windows\System\JhRMyYu.exe
  2⤵
  PID:9272
- C:\Windows\System\zsNxSVb.exe
  C:\Windows\System\zsNxSVb.exe
  2⤵
  PID:9348
- C:\Windows\System\yuvvTJK.exe
  C:\Windows\System\yuvvTJK.exe
  2⤵
  PID:9420
- C:\Windows\System\bYQVLyU.exe
  C:\Windows\System\bYQVLyU.exe
  2⤵
  PID:9492
- C:\Windows\System\aOAUdeM.exe
  C:\Windows\System\aOAUdeM.exe
  2⤵
  PID:9552
- C:\Windows\System\NejXWJg.exe
  C:\Windows\System\NejXWJg.exe
  2⤵
  PID:9596
- C:\Windows\System\Mpxqgve.exe
  C:\Windows\System\Mpxqgve.exe
  2⤵
  PID:9684
- C:\Windows\System\OddPfbH.exe
  C:\Windows\System\OddPfbH.exe
  2⤵
  PID:9752
- C:\Windows\System\EVWZwzm.exe
  C:\Windows\System\EVWZwzm.exe
  2⤵
  PID:9808
- C:\Windows\System\eGdZRat.exe
  C:\Windows\System\eGdZRat.exe
  2⤵
  PID:9888
- C:\Windows\System\DczOjMF.exe
  C:\Windows\System\DczOjMF.exe
  2⤵
  PID:9944
- C:\Windows\System\nvEZgcG.exe
  C:\Windows\System\nvEZgcG.exe
  2⤵
  PID:10012
- C:\Windows\System\gYlNnFl.exe
  C:\Windows\System\gYlNnFl.exe
  2⤵
  PID:10080
- C:\Windows\System\AflATMS.exe
  C:\Windows\System\AflATMS.exe
  2⤵
  PID:10140
- C:\Windows\System\Fwoyffe.exe
  C:\Windows\System\Fwoyffe.exe
  2⤵
  PID:10220
- C:\Windows\System\jNDCvBU.exe
  C:\Windows\System\jNDCvBU.exe
  2⤵
  PID:9296
- C:\Windows\System\xTiRzSR.exe
  C:\Windows\System\xTiRzSR.exe
  2⤵
  PID:9396
- C:\Windows\System\NNpTrqe.exe
  C:\Windows\System\NNpTrqe.exe
  2⤵
  PID:9524
- C:\Windows\System\uJbQkLS.exe
  C:\Windows\System\uJbQkLS.exe
  2⤵
  PID:9660
- C:\Windows\System\drlmVEy.exe
  C:\Windows\System\drlmVEy.exe
  2⤵
  PID:9868
- C:\Windows\System\IqhNhAJ.exe
  C:\Windows\System\IqhNhAJ.exe
  2⤵
  PID:10008
- C:\Windows\System\UQoWKhc.exe
  C:\Windows\System\UQoWKhc.exe
  2⤵
  PID:10172
- C:\Windows\System\TbYbQUd.exe
  C:\Windows\System\TbYbQUd.exe
  2⤵
  PID:9352
- C:\Windows\System\SZhmwSp.exe
  C:\Windows\System\SZhmwSp.exe
  2⤵
  PID:9628
- C:\Windows\System\iEtogKq.exe
  C:\Windows\System\iEtogKq.exe
  2⤵
  PID:10108
- C:\Windows\System\AwSgJKR.exe
  C:\Windows\System\AwSgJKR.exe
  2⤵
  PID:9616
- C:\Windows\System\kNcJLDQ.exe
  C:\Windows\System\kNcJLDQ.exe
  2⤵
  PID:10000
- C:\Windows\System\BOgkGJk.exe
  C:\Windows\System\BOgkGJk.exe
  2⤵
  PID:10252
- C:\Windows\System\uCtFhkH.exe
  C:\Windows\System\uCtFhkH.exe
  2⤵
  PID:10280
- C:\Windows\System\QNwkRJz.exe
  C:\Windows\System\QNwkRJz.exe
  2⤵
  PID:10304
- C:\Windows\System\zdMNRBB.exe
  C:\Windows\System\zdMNRBB.exe
  2⤵
  PID:10344
- C:\Windows\System\cmjeyox.exe
  C:\Windows\System\cmjeyox.exe
  2⤵
  PID:10372
- C:\Windows\System\hSmQvrq.exe
  C:\Windows\System\hSmQvrq.exe
  2⤵
  PID:10404
- C:\Windows\System\XNcnVLh.exe
  C:\Windows\System\XNcnVLh.exe
  2⤵
  PID:10432
- C:\Windows\System\KJyRmHy.exe
  C:\Windows\System\KJyRmHy.exe
  2⤵
  PID:10460
- C:\Windows\System\gFxTOUC.exe
  C:\Windows\System\gFxTOUC.exe
  2⤵
  PID:10488
- C:\Windows\System\vlAkoxb.exe
  C:\Windows\System\vlAkoxb.exe
  2⤵
  PID:10504
- C:\Windows\System\ImejAoS.exe
  C:\Windows\System\ImejAoS.exe
  2⤵
  PID:10548
- C:\Windows\System\FEHONLw.exe
  C:\Windows\System\FEHONLw.exe
  2⤵
  PID:10576
- C:\Windows\System\iiIZjuZ.exe
  C:\Windows\System\iiIZjuZ.exe
  2⤵
  PID:10604
- C:\Windows\System\naEvUvi.exe
  C:\Windows\System\naEvUvi.exe
  2⤵
  PID:10632
- C:\Windows\System\VtjKOIT.exe
  C:\Windows\System\VtjKOIT.exe
  2⤵
  PID:10660
- C:\Windows\System\vzHlRIL.exe
  C:\Windows\System\vzHlRIL.exe
  2⤵
  PID:10688
- C:\Windows\System\hzrXySd.exe
  C:\Windows\System\hzrXySd.exe
  2⤵
  PID:10720
- C:\Windows\System\jHSWAfJ.exe
  C:\Windows\System\jHSWAfJ.exe
  2⤵
  PID:10748
- C:\Windows\System\tclActS.exe
  C:\Windows\System\tclActS.exe
  2⤵
  PID:10768
- C:\Windows\System\IKQDMfw.exe
  C:\Windows\System\IKQDMfw.exe
  2⤵
  PID:10804
- C:\Windows\System\wwVDSwh.exe
  C:\Windows\System\wwVDSwh.exe
  2⤵
  PID:10832
- C:\Windows\System\UhxEBYI.exe
  C:\Windows\System\UhxEBYI.exe
  2⤵
  PID:10852
- C:\Windows\System\ZyfQpQz.exe
  C:\Windows\System\ZyfQpQz.exe
  2⤵
  PID:10888
- C:\Windows\System\PThJCtt.exe
  C:\Windows\System\PThJCtt.exe
  2⤵
  PID:10916
- C:\Windows\System\QpFMIRG.exe
  C:\Windows\System\QpFMIRG.exe
  2⤵
  PID:10944
- C:\Windows\System\VFXpXFO.exe
  C:\Windows\System\VFXpXFO.exe
  2⤵
  PID:10972
- C:\Windows\System\UUwELCb.exe
  C:\Windows\System\UUwELCb.exe
  2⤵
  PID:10992
- C:\Windows\System\hpotRBi.exe
  C:\Windows\System\hpotRBi.exe
  2⤵
  PID:11024
- C:\Windows\System\LywYTqf.exe
  C:\Windows\System\LywYTqf.exe
  2⤵
  PID:11044
- C:\Windows\System\XVSlyAt.exe
  C:\Windows\System\XVSlyAt.exe
  2⤵
  PID:11084
- C:\Windows\System\ENgXWnP.exe
  C:\Windows\System\ENgXWnP.exe
  2⤵
  PID:11104
- C:\Windows\System\Yoawuqk.exe
  C:\Windows\System\Yoawuqk.exe
  2⤵
  PID:11132
- C:\Windows\System\JZaKArV.exe
  C:\Windows\System\JZaKArV.exe
  2⤵
  PID:11156
- C:\Windows\System\EKvujAI.exe
  C:\Windows\System\EKvujAI.exe
  2⤵
  PID:11188
- C:\Windows\System\TTbSHIn.exe
  C:\Windows\System\TTbSHIn.exe
  2⤵
  PID:11212
- C:\Windows\System\yOQPEFQ.exe
  C:\Windows\System\yOQPEFQ.exe
  2⤵
  PID:11252
- C:\Windows\System\YAjKGsk.exe
  C:\Windows\System\YAjKGsk.exe
  2⤵
  PID:10260
- C:\Windows\System\figAGhd.exe
  C:\Windows\System\figAGhd.exe
  2⤵
  PID:10388
- C:\Windows\System\PeqruTH.exe
  C:\Windows\System\PeqruTH.exe
  2⤵
  PID:10428
- C:\Windows\System\uRxwiRk.exe
  C:\Windows\System\uRxwiRk.exe
  2⤵
  PID:10472
- C:\Windows\System\zMaQcjM.exe
  C:\Windows\System\zMaQcjM.exe
  2⤵
  PID:10516
- C:\Windows\System\FWOTByw.exe
  C:\Windows\System\FWOTByw.exe
  2⤵
  PID:10600
- C:\Windows\System\tLwsJPr.exe
  C:\Windows\System\tLwsJPr.exe
  2⤵
  PID:10684
- C:\Windows\System\PsQQVMe.exe
  C:\Windows\System\PsQQVMe.exe
  2⤵
  PID:10756
- C:\Windows\System\UCrONjC.exe
  C:\Windows\System\UCrONjC.exe
  2⤵
  PID:10824
- C:\Windows\System\ddGHXoO.exe
  C:\Windows\System\ddGHXoO.exe
  2⤵
  PID:10884
- C:\Windows\System\mBmQnNW.exe
  C:\Windows\System\mBmQnNW.exe
  2⤵
  PID:10960
- C:\Windows\System\lBzQRnR.exe
  C:\Windows\System\lBzQRnR.exe
  2⤵
  PID:11008
- C:\Windows\System\iIadyvH.exe
  C:\Windows\System\iIadyvH.exe
  2⤵
  PID:11072
- C:\Windows\System\FlGqceU.exe
  C:\Windows\System\FlGqceU.exe
  2⤵
  PID:11168
- C:\Windows\System\UYgFTnX.exe
  C:\Windows\System\UYgFTnX.exe
  2⤵
  PID:11200
- C:\Windows\System\htXtPje.exe
  C:\Windows\System\htXtPje.exe
  2⤵
  PID:10268
- C:\Windows\System\CVtdbQZ.exe
  C:\Windows\System\CVtdbQZ.exe
  2⤵
  PID:10456
- C:\Windows\System\uKtHOHs.exe
  C:\Windows\System\uKtHOHs.exe
  2⤵
  PID:10592
- C:\Windows\System\womRvmG.exe
  C:\Windows\System\womRvmG.exe
  2⤵
  PID:10744
- C:\Windows\System\uTZOCaw.exe
  C:\Windows\System\uTZOCaw.exe
  2⤵
  PID:10904
- C:\Windows\System\vsqWUBZ.exe
  C:\Windows\System\vsqWUBZ.exe
  2⤵
  PID:11040
- C:\Windows\System\MFSqwto.exe
  C:\Windows\System\MFSqwto.exe
  2⤵
  PID:11204
- C:\Windows\System\zPEcDbj.exe
  C:\Windows\System\zPEcDbj.exe
  2⤵
  PID:10416
- C:\Windows\System\XnqOjkB.exe
  C:\Windows\System\XnqOjkB.exe
  2⤵
  PID:10872
- C:\Windows\System\sEoTSun.exe
  C:\Windows\System\sEoTSun.exe
  2⤵
  PID:11196
- C:\Windows\System\dixlQgP.exe
  C:\Windows\System\dixlQgP.exe
  2⤵
  PID:10656
- C:\Windows\System\UYUJcwj.exe
  C:\Windows\System\UYUJcwj.exe
  2⤵
  PID:11272
- C:\Windows\System\nJOGfFH.exe
  C:\Windows\System\nJOGfFH.exe
  2⤵
  PID:11300
- C:\Windows\System\Bktsmjo.exe
  C:\Windows\System\Bktsmjo.exe
  2⤵
  PID:11328
- C:\Windows\System\qvqKikW.exe
  C:\Windows\System\qvqKikW.exe
  2⤵
  PID:11356
- C:\Windows\System\bRHbBZR.exe
  C:\Windows\System\bRHbBZR.exe
  2⤵
  PID:11384
- C:\Windows\System\fSIAOyT.exe
  C:\Windows\System\fSIAOyT.exe
  2⤵
  PID:11412
- C:\Windows\System\yDzaaaL.exe
  C:\Windows\System\yDzaaaL.exe
  2⤵
  PID:11440
- C:\Windows\System\GkpZiiL.exe
  C:\Windows\System\GkpZiiL.exe
  2⤵
  PID:11468
- C:\Windows\System\CqKTuAr.exe
  C:\Windows\System\CqKTuAr.exe
  2⤵
  PID:11496
- C:\Windows\System\WyqllSX.exe
  C:\Windows\System\WyqllSX.exe
  2⤵
  PID:11524
- C:\Windows\System\KGDDiDP.exe
  C:\Windows\System\KGDDiDP.exe
  2⤵
  PID:11552
- C:\Windows\System\fxajLqf.exe
  C:\Windows\System\fxajLqf.exe
  2⤵
  PID:11580
- C:\Windows\System\HNshvhj.exe
  C:\Windows\System\HNshvhj.exe
  2⤵
  PID:11612
- C:\Windows\System\YatQMMo.exe
  C:\Windows\System\YatQMMo.exe
  2⤵
  PID:11640
- C:\Windows\System\sFoiANT.exe
  C:\Windows\System\sFoiANT.exe
  2⤵
  PID:11668
- C:\Windows\System\sxqRFcK.exe
  C:\Windows\System\sxqRFcK.exe
  2⤵
  PID:11696
- C:\Windows\System\KsJiIoV.exe
  C:\Windows\System\KsJiIoV.exe
  2⤵
  PID:11724
- C:\Windows\System\xQyTtdf.exe
  C:\Windows\System\xQyTtdf.exe
  2⤵
  PID:11752
- C:\Windows\System\IjZylRm.exe
  C:\Windows\System\IjZylRm.exe
  2⤵
  PID:11772
- C:\Windows\System\EiBduHf.exe
  C:\Windows\System\EiBduHf.exe
  2⤵
  PID:11808
- C:\Windows\System\BgGAxUT.exe
  C:\Windows\System\BgGAxUT.exe
  2⤵
  PID:11836
- C:\Windows\System\yscEghu.exe
  C:\Windows\System\yscEghu.exe
  2⤵
  PID:11864
- C:\Windows\System\gzYWwUX.exe
  C:\Windows\System\gzYWwUX.exe
  2⤵
  PID:11880
- C:\Windows\System\rtpPqjd.exe
  C:\Windows\System\rtpPqjd.exe
  2⤵
  PID:11908
- C:\Windows\System\zraIZMW.exe
  C:\Windows\System\zraIZMW.exe
  2⤵
  PID:11948
- C:\Windows\System\WPxRhPi.exe
  C:\Windows\System\WPxRhPi.exe
  2⤵
  PID:11964
- C:\Windows\System\wEqyCcM.exe
  C:\Windows\System\wEqyCcM.exe
  2⤵
  PID:11992
- C:\Windows\System\eEgjsvm.exe
  C:\Windows\System\eEgjsvm.exe
  2⤵
  PID:12024
- C:\Windows\System\xstcgWj.exe
  C:\Windows\System\xstcgWj.exe
  2⤵
  PID:12056
- C:\Windows\System\dcRjxBx.exe
  C:\Windows\System\dcRjxBx.exe
  2⤵
  PID:12088
- C:\Windows\System\JvlwiZb.exe
  C:\Windows\System\JvlwiZb.exe
  2⤵
  PID:12104
- C:\Windows\System\bKhabSu.exe
  C:\Windows\System\bKhabSu.exe
  2⤵
  PID:12164
- C:\Windows\System\ZNuJcSl.exe
  C:\Windows\System\ZNuJcSl.exe
  2⤵
  PID:12212
- C:\Windows\System\wgESIgY.exe
  C:\Windows\System\wgESIgY.exe
  2⤵
  PID:12240
- C:\Windows\System\hGWeUFh.exe
  C:\Windows\System\hGWeUFh.exe
  2⤵
  PID:12272
- C:\Windows\System\kgKGcLu.exe
  C:\Windows\System\kgKGcLu.exe
  2⤵
  PID:11284
- C:\Windows\System\WSJUgEl.exe
  C:\Windows\System\WSJUgEl.exe
  2⤵
  PID:11348
- C:\Windows\System\EktQUYL.exe
  C:\Windows\System\EktQUYL.exe
  2⤵
  PID:11404
- C:\Windows\System\XxfDtDT.exe
  C:\Windows\System\XxfDtDT.exe
  2⤵
  PID:11464
- C:\Windows\System\qepDECs.exe
  C:\Windows\System\qepDECs.exe
  2⤵
  PID:11536
- C:\Windows\System\yyGmTrg.exe
  C:\Windows\System\yyGmTrg.exe
  2⤵
  PID:11592
- C:\Windows\System\eUTXBzb.exe
  C:\Windows\System\eUTXBzb.exe
  2⤵
  PID:11624
- C:\Windows\System\wyZKvHA.exe
  C:\Windows\System\wyZKvHA.exe
  2⤵
  PID:11736
- C:\Windows\System\CCguWjx.exe
  C:\Windows\System\CCguWjx.exe
  2⤵
  PID:11804
- C:\Windows\System\SzLnfNd.exe
  C:\Windows\System\SzLnfNd.exe
  2⤵
  PID:11856
- C:\Windows\System\bmJBxgG.exe
  C:\Windows\System\bmJBxgG.exe
  2⤵
  PID:11900
- C:\Windows\System\VvIyvMT.exe
  C:\Windows\System\VvIyvMT.exe
  2⤵
  PID:11984
- C:\Windows\System\xvnIqVl.exe
  C:\Windows\System\xvnIqVl.exe
  2⤵
  PID:12032
- C:\Windows\System\pQLdfKo.exe
  C:\Windows\System\pQLdfKo.exe
  2⤵
  PID:12148
- C:\Windows\System\YauCbBq.exe
  C:\Windows\System\YauCbBq.exe
  2⤵
  PID:12224
- C:\Windows\System\IwKxSOs.exe
  C:\Windows\System\IwKxSOs.exe
  2⤵
  PID:12284
- C:\Windows\System\thvbeap.exe
  C:\Windows\System\thvbeap.exe
  2⤵
  PID:11368
- C:\Windows\System\AbkceCH.exe
  C:\Windows\System\AbkceCH.exe
  2⤵
  PID:11564
- C:\Windows\System\VUnAGON.exe
  C:\Windows\System\VUnAGON.exe
  2⤵
  PID:2460
- C:\Windows\System\TsAuXRT.exe
  C:\Windows\System\TsAuXRT.exe
  2⤵
  PID:11708
- C:\Windows\System\zXtzHsP.exe
  C:\Windows\System\zXtzHsP.exe
  2⤵
  PID:11848
- C:\Windows\System\WLmETdT.exe
  C:\Windows\System\WLmETdT.exe
  2⤵
  PID:11976
- C:\Windows\System\DOvUBKw.exe
  C:\Windows\System\DOvUBKw.exe
  2⤵
  PID:12156
- C:\Windows\System\WApySxV.exe
  C:\Windows\System\WApySxV.exe
  2⤵
  PID:11608
- C:\Windows\System\jAGlLss.exe
  C:\Windows\System\jAGlLss.exe
  2⤵
  PID:520
- C:\Windows\System\voWCwJZ.exe
  C:\Windows\System\voWCwJZ.exe
  2⤵
  PID:11792
- C:\Windows\System\cdOjAIH.exe
  C:\Windows\System\cdOjAIH.exe
  2⤵
  PID:11460
- C:\Windows\System\OrXGeMq.exe
  C:\Windows\System\OrXGeMq.exe
  2⤵
  PID:11924
- C:\Windows\System\RCSmeWf.exe
  C:\Windows\System\RCSmeWf.exe
  2⤵
  PID:12308
- C:\Windows\System\OoWzYZK.exe
  C:\Windows\System\OoWzYZK.exe
  2⤵
  PID:12328
- C:\Windows\System\dZAkzQH.exe
  C:\Windows\System\dZAkzQH.exe
  2⤵
  PID:12364
- C:\Windows\System\hMAoQBY.exe
  C:\Windows\System\hMAoQBY.exe
  2⤵
  PID:12392
- C:\Windows\System\JLTHHiD.exe
  C:\Windows\System\JLTHHiD.exe
  2⤵
  PID:12436
- C:\Windows\System\SqvpcBC.exe
  C:\Windows\System\SqvpcBC.exe
  2⤵
  PID:12464
- C:\Windows\System\sReeawk.exe
  C:\Windows\System\sReeawk.exe
  2⤵
  PID:12492
- C:\Windows\System\HbawnPr.exe
  C:\Windows\System\HbawnPr.exe
  2⤵
  PID:12520
- C:\Windows\System\rMLRshU.exe
  C:\Windows\System\rMLRshU.exe
  2⤵
  PID:12548
- C:\Windows\System\gkognTY.exe
  C:\Windows\System\gkognTY.exe
  2⤵
  PID:12580
- C:\Windows\System\dvyuhAp.exe
  C:\Windows\System\dvyuhAp.exe
  2⤵
  PID:12608
- C:\Windows\System\ptLrNRl.exe
  C:\Windows\System\ptLrNRl.exe
  2⤵
  PID:12624
- C:\Windows\System\idgvqlV.exe
  C:\Windows\System\idgvqlV.exe
  2⤵
  PID:12656
- C:\Windows\System\nikfYFD.exe
  C:\Windows\System\nikfYFD.exe
  2⤵
  PID:12688
- C:\Windows\System\AnRothI.exe
  C:\Windows\System\AnRothI.exe
  2⤵
  PID:12708
- C:\Windows\System\MFbdjRn.exe
  C:\Windows\System\MFbdjRn.exe
  2⤵
  PID:12736
- C:\Windows\System\RWmSRtl.exe
  C:\Windows\System\RWmSRtl.exe
  2⤵
  PID:12792
- C:\Windows\System\rPRoxGU.exe
  C:\Windows\System\rPRoxGU.exe
  2⤵
  PID:12816
- C:\Windows\System\GRtCNAd.exe
  C:\Windows\System\GRtCNAd.exe
  2⤵
  PID:12848
- C:\Windows\System\rRQpWkm.exe
  C:\Windows\System\rRQpWkm.exe
  2⤵
  PID:12884
- C:\Windows\System\nEwNwNC.exe
  C:\Windows\System\nEwNwNC.exe
  2⤵
  PID:12932
- C:\Windows\System\lTdnJnz.exe
  C:\Windows\System\lTdnJnz.exe
  2⤵
  PID:12984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kcu1oxfr.je4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\BqUQGeK.exe

Filesize
3.0MB

MD5
f0620fd9cb3a3807a747ef52df4b8ff1

SHA1
5a54a3705b2f5ff9d159a5b8a709328376b043da

SHA256
2b618a3b566dad13f5a60c7933ad7c175faec59fb660e12429a7ed5324093f9a

SHA512
a3774f9b246e2e8cee7dfcd013c756369901ce6a13169874a22e3bef7e256a808771ca8cb749c7186fc2c2ed1a54d711b138758962b2eac18fa6022eac79a45b

Download Submit
C:\Windows\System\DNpsLSD.exe

Filesize
3.0MB

MD5
ab05d5be9f8874809ea18b04791b33ae

SHA1
1f2e3568539a1709b2b8b43522015416559735e5

SHA256
58702fd3831a808bb7aeef02b15a63708049cd282d60a87145274ee39cc46ce6

SHA512
ef2bca3e25eb8514d77c6622c0838e01c419ffdeb9d471ea6a4636752fd569c7040fd88f710f40861c120c58b31535d9c7ea7bea55a93568ce42c0dada4d5f74

Download Submit
C:\Windows\System\GgrLNQj.exe

Filesize
3.0MB

MD5
efa59bb4b48bc89b412976e9df215661

SHA1
c338d33d0a45862b0eadb1282cdbae2d9493c187

SHA256
660a1d5700d88584a37b561cd21440425d35e22d2e4876cfe6ebb1449eb48cbd

SHA512
e9a412185fd57d8b892e2c5ed14bac907ae9435df2d9c6b936f5bcc58b90989b17a99571f112c7da33e44ccdddc308ba976d0ce80a71946adfd81982fb0ef55b

Download Submit
C:\Windows\System\IOUVTrE.exe

Filesize
3.0MB

MD5
fdd588050b6ffff68ceeea9846520e56

SHA1
0bd32f4d961571289395575d034fd55492a31fa3

SHA256
9eefc10e2527ef2599d66c2acb3ddb80ec8e3fb43132bafef4777e3c4459e771

SHA512
9a4e050632cdcb76068e7680655d7b636e3e4d48831aaf86ec8f03ebced0512fc24de6452887b2eb3a37745b43786f07350a76168db7e322450965a1632d584f

Download Submit
C:\Windows\System\IYDAYEG.exe

Filesize
3.0MB

MD5
a41de5bf0d7e4acf4c1750dc16239e30

SHA1
3b7954bd3433700840a08d071f3c5971dcd7cd07

SHA256
ee993b26bd8ad0d111503c9f77a928b5f588e8ac907bd7fc815ed76e30fe4cac

SHA512
4cb3a92b2c6d3612eb038134f2fe197669aaa9645a6cc3f7ba3b241ff3629f00a4ff5801027931cc7f7c48e8acee8c804370493f447152bbbb6014da36ec4eaf

Download Submit
C:\Windows\System\KJRxUyt.exe

Filesize
3.0MB

MD5
6fd10518999e42c81fe2e37ff05e725e

SHA1
e9e541bb98629b45c8ea3795c9d18f20b656bb7b

SHA256
5bb4c563a611dbaf18e339c5ba097710b3c70d985d4e4118de11c29398df066b

SHA512
d3bd7641dd723c9b3e0f6fa2cb88c01d108ed0801eae38d1e4b316136e9f645e3e89976528038b4cd4a3471488fd04b22561a31c991893c24e0d01ab6aa61938

Download Submit
C:\Windows\System\LVrvwEb.exe

Filesize
3.0MB

MD5
a605a062bbf79df4f52869ca7368fa4c

SHA1
26cb94cf5efa400490b49b418e78f8460bf6b374

SHA256
def65be6899ecba258c82e7acc595c7cba4596645f90b2deb0805824b0d4c30e

SHA512
3d42b6e967aa8ef95e669470e2a8b5c026296bd6dea413ac2c459d2349d4041f28120e0dd0c89272aac671c3e920d4fdcab1f4877d8476e393bf2a1f30487278

Download Submit
C:\Windows\System\MbFFklt.exe

Filesize
3.0MB

MD5
20ad3cb097f581963f3601508be5346f

SHA1
58f73b477710b9f98a0b56cfae49ce16c6384ad2

SHA256
bba431266d85b1038449f5114c2242df83dd72b79d5110123344746cdbf4f80a

SHA512
5405a48bace591b7e8f5e094a8b23a4bb9edbeeee36b9352b66192945cb56c4750c5b14be4228e0c004c07a0a4ab81ae85ecffa00567172a5387c43becc43c65

Download Submit
C:\Windows\System\McZKoLa.exe

Filesize
3.0MB

MD5
25e2c84cda7215f30c2fb6c2709300a5

SHA1
9bf2cf66f75ba441aceec79078e1f9f45d608425

SHA256
24d4db092f1896dac8af33b082fbbe1a846e047cf13af88e372471a324e00d49

SHA512
448f79e048b7ca2400ee304575b9988dd33d848f338c31ad0ec76647f7268daffba2fe9c560b5bbaf43ad374df704165217ca09ff814945a03f0a6ddc069b49e

Download Submit
C:\Windows\System\MjTGJJQ.exe

Filesize
3.0MB

MD5
48fcbfaeab3cd5ae9dc8e58ce3843984

SHA1
7555700c73c1263f20fe0eaa4b74ab15d65f5ddc

SHA256
4e48e3e1c370a5006ae0124f6d6f5accd376ebf7c155765319626ef3301f52da

SHA512
6fc3bc60656be8a68860ebc65cac3e4d2a66a2379a69612ce83835cc13f19494a5f371125f35cd788867bc1f79e45e7f784991c7cd6b84f3b0643d38f2d91968

Download Submit
C:\Windows\System\NUqzQWb.exe

Filesize
3.0MB

MD5
083b8b5dc2513db29ee9b610c887d096

SHA1
3fc157c29ea413b27f8e63d353c3451b4812c054

SHA256
923c6a24f4483165913be381e7f91be3f525d9e0bffc6afb339883849b8fec7a

SHA512
cef0dbcc0d33ba098901d07c871cea79c81332c6086d67da450230ea1ee3ef1703de266aef60cc93fa51d3c96154356db2d686375b4d2a60e205576b96f3cbb6

Download Submit
C:\Windows\System\WRYcOHB.exe

Filesize
3.0MB

MD5
ad4a84768bee3a19fe5012caf98369dd

SHA1
6aaf58bb15a67a3c8ea75f4a743de3c5e8ec9482

SHA256
482eee1d291a6c6622f266f4a23cc4afbc9deb1080868f67ac6a232fea1d65a5

SHA512
53bee62fd7ad85bf95dc2551024d07d4b8c062591eafbdc7ac5893cdea4ec02c5ec6e9cbf4d30f18c913b5727745ff52291f75a411a005683e174575a51dc984

Download Submit
C:\Windows\System\YslTZRg.exe

Filesize
3.0MB

MD5
967b4fcdd02d51416478653ebf4abc36

SHA1
3a9df58dd6d4e34dfc9105b7ef4e66f2c8839f41

SHA256
29e80130a2a3e1dba069f90a4c4c88b58996424c2d71f773a41e46c258decd90

SHA512
13b9ef1378d195a6444906c5800536f8aa6a4374729e83230c39f662b299b324ce45604914dd1df517f06d6b79f90ccc7b382cdaff4a45f95e509b08fbdac604

Download Submit
C:\Windows\System\bGaQSHr.exe

Filesize
3.0MB

MD5
ca019656c90259c4d854e3d0a67ffbab

SHA1
b6f80c0f7c4345229e90f66fa201f81e4a49f8bf

SHA256
d4fd9869da697c9681434aed6df0cd9ec5191d85f08d482250126caa756a3f3a

SHA512
fc5712e90c82e12bee340b1da2403a100ec49029a5e7900edb93e1ae5b797a7fe1a121ddb5f5f2bd23a8b974d1928c18c3cb50d3cf1a3ea8c4acac58864d5453

Download Submit
C:\Windows\System\bgFdxZn.exe

Filesize
3.0MB

MD5
0a2079387c40d70961baa7e08547b41d

SHA1
c9be10d4fbb2dd3b21e20cb3908834a478bc8632

SHA256
12c6b43cd26b405219ee25314cc4d5880ec94a6ff9a47d576dc7e99d60a8731a

SHA512
ec8420e8d2d99d710d4ca5ce28e142df39e29d33f8d435707df5cd8cae4f3c54790e0c391b37b14a98254c42a0c4af86b970f1c4614d912a385df1ccf139c72e

Download Submit
C:\Windows\System\cBlTllN.exe

Filesize
3.0MB

MD5
56720d3415b1bd91cdc7e2b287fbf1d6

SHA1
2cd14d5f397c3a31a95852339d8a3982e5a6bea9

SHA256
0c6e5a34d960447edc6c16a63578478c02566beb6438eb1307103da656da093a

SHA512
8cfc3c26a3ed1ea923351919d7632a07e4b247e032ff4bc06dbe07823e0aad90204313d9d407fa77742f52e6ca72b6e02b667db7e0a116ea9ad7c9a2e1c26328

Download Submit
C:\Windows\System\cYUlToz.exe

Filesize
3.0MB

MD5
d7b8ee726ff51edd04af2237ddef8634

SHA1
874fbbf2e0b3ce52a0117c384ecf2b75b1530a0f

SHA256
b849414098ce26889533cd21fffc71c45466d4e467aa20e9f075b7b8fc38aed9

SHA512
84e78c1d2ee9bfe6f37570ca000fefc4371325637cb90d3496c0a32a0f4904a2b8b51ba62917ff25516c64fd9031ad539fef7ccad4c756f477f658367a30aa6f

Download Submit
C:\Windows\System\fEuLsRf.exe

Filesize
3.0MB

MD5
30ee8e3fce0354327d9f4f3dd31125ce

SHA1
1a7c710a03ba073a20c6aa5cb61e068d7bf1af72

SHA256
a12c1bc773430eacc2c8b0b2925aa60961e837636830263708cd93189765125f

SHA512
1decd91cf36183de277919752fee425d1e83fd03ecce406e03e54f88e041ab669f19ed2580e323bae9dbae83052a27dfc915165abd7086fd9ca9ed4fcd200704

Download Submit
C:\Windows\System\fKqCJcj.exe

Filesize
3.0MB

MD5
00e84c706682db76f75b37c855503fd1

SHA1
9fabf8f35426c1e820e6cea42b0b02f514e07901

SHA256
c2b5d9fb611dde9496e8e8f82f11de0a26859f46891416c764f907c7a67f8854

SHA512
3199a7ef859b45935dbac9ad0ab032aab6dc503012951d0eb5119427de87a2f29a50fd4683b9036e093106ce07f5a7766d0185e9d3444477d9df832c2a91fec8

Download Submit
C:\Windows\System\iTBvqTO.exe

Filesize
3.0MB

MD5
628c943ec91f0a966ba88ff08c16cfc4

SHA1
1e7eea27a4f21f3595a72d279d5379d6fa244656

SHA256
74a1798ac8686484b6c58d29b8d5374d442a1d601878d24b9ad3f023b1f3df74

SHA512
e6aa10f7a0670bc8b78fa4629cb223f2e14787a76e81eecb0dbc6f3db40b4de9ed16c61f616246ffd74375a4bdbb9d77dd34267290aad759477e8c300f7ca372

Download Submit
C:\Windows\System\kifhDlp.exe

Filesize
3.0MB

MD5
c18cb581e269016d215ee9fccc70e32c

SHA1
4dbf4951b0d1e6237b9ddcb1edc869fadb8b32db

SHA256
9e4abe5d47b0601173fff41f563b1df239d989d4a37791438c47ddca0c3a2b3c

SHA512
ecf132cdee12d3e0001e02a921ac5709d0a561918d32b34141e639b5490f77d6fb105cf4d6f791a826d20ad1577c0de1ae56c5ff5c4b43ab159b334235ec630f

Download Submit
C:\Windows\System\kyzDKOY.exe

Filesize
3.0MB

MD5
6003678bcdbd6ed4c58dc79f4c599d57

SHA1
63134034e6e98d1f884bb38864c900f950a59946

SHA256
1fb70a8212bf670f265ebbd66d5adf2dd49bb121acdbbc98897cabba04de2961

SHA512
146e9500c60ddcab78ff0767d3f8e57dce6b6801a080ee9bab254c2afa8e0d558bc5d75bbbdae9a4de3be0a5368313689d46fce985107ebdcdcecc03c2f9ffdc

Download Submit
C:\Windows\System\lRavJJg.exe

Filesize
3.0MB

MD5
b56fe6ddbe25c033419721b15f147a25

SHA1
839c007f78668bdb8922a1a052e66b833c2e8caa

SHA256
5b6540b2c006891459a89c123b89069eeadaf3b1bb6f137966ce9674726e3bf0

SHA512
3162949b137823ac6c0640d5a704a2a7af60dabe97ef61fbac422365f598a42d6827297a9c83fec2ab637034e895834e0f4b7ed1ded2b2e0bb1a305cc4758030

Download Submit
C:\Windows\System\mXIsuNK.exe

Filesize
3.0MB

MD5
bd5b131352fb21cb5d0ff18ef9b11240

SHA1
ae72f8db65a2c9edd389d1a89ec2001ddffa1a64

SHA256
32cb04d2ecf22915c1f094469d88529feb8e4c323d8d8aaba114481a28a07a38

SHA512
583c3f26d246c10c49a92dbf1dcd366a11479e0696a065e563f9be7fa3ba4513196efacccb634668c2b7d2d3601b9bb476f9bbed193d164314cc79695d2b3c34

Download Submit
C:\Windows\System\nSqDLbr.exe

Filesize
3.0MB

MD5
1ee502ea6576a2a20dbfad72f75c1f3b

SHA1
3b9984e1dca13b32d51a336971545249be9bb913

SHA256
2799f9580acae02225950b408ba24644fdbe4f05cbb473013c9b0af091de1d9e

SHA512
e6d06ce8565124626d69be733885c2969b84db8ff37d9312b567d5930c4970d0651f0c9cb4e472a10975050dec22d1898c798f1d4285d18dadeb0adf856ed05b

Download Submit
C:\Windows\System\ohwlKGv.exe

Filesize
8B

MD5
b73fb21d67a247f9ac438fe8c351430a

SHA1
ac15c6df2acefe1e2c420375d1bd91b327f057b3

SHA256
77e445c1cb08291b551a6e118f41f72afa8a9daa5aca4c3c569cc658b22917c9

SHA512
bc8df04059daaf4c0ca4dce970d2391c3b5cff5f655aab83ca1f095c275eda1fc7df90df8beafd0388f09945ec4e45ad9333e05dcca93e4d255767e86c4a3f85

Download Submit
C:\Windows\System\sSerOsw.exe

Filesize
3.0MB

MD5
fbc3af06588d27c4038b3b1d334b5cbb

SHA1
39ede692b4aa7e27067266402ef7861046533bc6

SHA256
f0fb5f75a1a977c01f918704ac3e71e0325ade4f5e62b6746c1e7a98e05f0ba6

SHA512
b1ba1555ae29ba23b9c0c1803638aa97bfa00e6d4a887525e0095f480c85403ac55ba9786924ed09060c2ff7b144f44ba61e4adf8793fa9a1c0a0ab6105e38e8

Download Submit
C:\Windows\System\trcTcnr.exe

Filesize
3.0MB

MD5
6382d0f0eca1545f90f85f3637d5986b

SHA1
e6c06b84f5c7c403d12469224349bcff13511d68

SHA256
ae1b8442fb8f4c61dfc1aeb426cc2589fed01da36012e0fd40ce13a5be4a4c89

SHA512
ec35976e6487449b9aa7a91313414c1766846084621f8f34ec67822bd5ee0148d9e086dfc83498e974e43b211cf94e921b05f0dd3a14bbf0cf1e23e7d96ad086

Download Submit
C:\Windows\System\wRegoxK.exe

Filesize
3.0MB

MD5
24ee2d9cfee110118cf30cfd5ff1dcba

SHA1
7fd78ab4271e95e499d7f50ac4596cda2a5f8fa6

SHA256
c852ca8a8cd8c772797d86aa8ba908faabf99785a12be8d727d8972c0876290e

SHA512
e475be755a6e59cb3e1beb4491d253fea1379ba1cb347bab519ec680ebf6fb521d72446e4a114c0aec78ac4574fcd8cabe88051e6dfda03350ceca696a441c41

Download Submit
C:\Windows\System\wjEkeWT.exe

Filesize
3.0MB

MD5
75903f1ea1682baea484869a5d3c2d4d

SHA1
72d0fd48c6070e83a76246cdb3463e7d255f17b9

SHA256
5ebc14d705ed47804110acc566f3393c229c5c34499c732447da29bb1dcf9e9e

SHA512
c96c86419185cbbbe607ed6fed88a1a46cbdba488543603193ea2c97373a6dc14ab38f7c9e5751da2fa10e68ff8a4ee97daf381fdcb2df154d2c52b33cf567a8

Download Submit
C:\Windows\System\wrQXhaD.exe

Filesize
3.0MB

MD5
62ba3656318d57cc581199a60f044819

SHA1
07ce84b84c17c4a111461f2f6035f2e68b270f53

SHA256
c12ac6ab10f3b13db5d05f2d3ff92c1fd6df01093d74b3eaf21f792bea20592f

SHA512
2b5b81fcafd3081625435008dfba82a7b39bdda5307b0430d53d6ec34a9aff56a25b19b515ddfd5153b709d2f5a84e58a9205d186c68c4df6fc8cdca6775f245

Download Submit
C:\Windows\System\xZMrAAh.exe

Filesize
3.0MB

MD5
0e91ca1f1d55267509f21e668480bf69

SHA1
6f8c35ab155ab92535c419d2f6854ba7b48db8a1

SHA256
d80e1bd86994655c1e45a0740470eaeb60e6dcc17cd8654fa69138f80354cbed

SHA512
0439de20e9ce3fc67c28f382d7faae283968511ddc1618ddacc9ac6e2f34e14a748eaa4026c392a91b903885587bb62a23a6711cb14855fccf85178562c8e585

Download Submit
C:\Windows\System\yJFudGe.exe

Filesize
3.0MB

MD5
dcd26be503a08092086cecc9dddcc17c

SHA1
f398b8eb53d16f4df690f2864b65fd70583ff204

SHA256
11247682ffe3edcc34d1dd7cf355084d1d6483a7b8eaaa69c19c4fd2ae7e852e

SHA512
de41a32e01165b9000ed788be589f04e2c0bdabc4039b1fd24c15b6c42e94d15b6f826dec483033cc78c7f802869ae235ed09c022b2aefe3c1678249e0529d0d

Download Submit
C:\Windows\System\zjtJqkX.exe

Filesize
3.0MB

MD5
4f23b439c80d9db82b0d0d70ac35b63f

SHA1
b5abe82733741d8b951c87d2686565a8d26fe39d

SHA256
f5f8232d2bc75d79e9a46c2bb4662e25be47991dac7b2d36e581196e28423912

SHA512
96775fa70ffcc97fdce38db518b37a7182c2b4e17b7f602fb532212ba78ea85faadd4318ec1957e80b19ddd3d4379f29d46748904c8ee9b3d164790b218fabe9

Download Submit
memory/112-0-0x00007FF6C4C60000-0x00007FF6C5056000-memory.dmp

Filesize
4.0MB

Download
memory/112-1-0x00000269D7380000-0x00000269D7390000-memory.dmp

Filesize
64KB

Download
memory/516-2117-0x00007FF766B60000-0x00007FF766F56000-memory.dmp

Filesize
4.0MB

Download
memory/516-903-0x00007FF766B60000-0x00007FF766F56000-memory.dmp

Filesize
4.0MB

Download
memory/820-2129-0x00007FF76C300000-0x00007FF76C6F6000-memory.dmp

Filesize
4.0MB

Download
memory/820-934-0x00007FF76C300000-0x00007FF76C6F6000-memory.dmp

Filesize
4.0MB

Download
memory/1016-2107-0x00007FF6E1990000-0x00007FF6E1D86000-memory.dmp

Filesize
4.0MB

Download
memory/1016-819-0x00007FF6E1990000-0x00007FF6E1D86000-memory.dmp

Filesize
4.0MB

Download
memory/1296-936-0x00007FF7F72C0000-0x00007FF7F76B6000-memory.dmp

Filesize
4.0MB

Download
memory/1296-2121-0x00007FF7F72C0000-0x00007FF7F76B6000-memory.dmp

Filesize
4.0MB

Download
memory/1336-2139-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmp

Filesize
10.8MB

Download
memory/1336-956-0x00000202E9DF0000-0x00000202EA596000-memory.dmp

Filesize
7.6MB

Download
memory/1336-2120-0x00007FFD8DD63000-0x00007FFD8DD65000-memory.dmp

Filesize
8KB

Download
memory/1336-32-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmp

Filesize
10.8MB

Download
memory/1336-4-0x00007FFD8DD63000-0x00007FFD8DD65000-memory.dmp

Filesize
8KB

Download
memory/1336-2105-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmp

Filesize
10.8MB

Download
memory/1336-39-0x00000202E92A0000-0x00000202E92C2000-memory.dmp

Filesize
136KB

Download
memory/1336-45-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmp

Filesize
10.8MB

Download
memory/1444-954-0x00007FF77CCD0000-0x00007FF77D0C6000-memory.dmp

Filesize
4.0MB

Download
memory/1444-2116-0x00007FF77CCD0000-0x00007FF77D0C6000-memory.dmp

Filesize
4.0MB

Download
memory/1660-943-0x00007FF789810000-0x00007FF789C06000-memory.dmp

Filesize
4.0MB

Download
memory/1660-2126-0x00007FF789810000-0x00007FF789C06000-memory.dmp

Filesize
4.0MB

Download
memory/1708-864-0x00007FF70B4C0000-0x00007FF70B8B6000-memory.dmp

Filesize
4.0MB

Download
memory/1708-2110-0x00007FF70B4C0000-0x00007FF70B8B6000-memory.dmp

Filesize
4.0MB

Download
memory/1984-2113-0x00007FF78D260000-0x00007FF78D656000-memory.dmp

Filesize
4.0MB

Download
memory/1984-897-0x00007FF78D260000-0x00007FF78D656000-memory.dmp

Filesize
4.0MB

Download
memory/2228-953-0x00007FF7B4270000-0x00007FF7B4666000-memory.dmp

Filesize
4.0MB

Download
memory/2228-2111-0x00007FF7B4270000-0x00007FF7B4666000-memory.dmp

Filesize
4.0MB

Download
memory/2296-948-0x00007FF673030000-0x00007FF673426000-memory.dmp

Filesize
4.0MB

Download
memory/2296-2106-0x00007FF673030000-0x00007FF673426000-memory.dmp

Filesize
4.0MB

Download
memory/2428-878-0x00007FF7C0910000-0x00007FF7C0D06000-memory.dmp

Filesize
4.0MB

Download
memory/2428-2115-0x00007FF7C0910000-0x00007FF7C0D06000-memory.dmp

Filesize
4.0MB

Download
memory/2512-852-0x00007FF7D9A90000-0x00007FF7D9E86000-memory.dmp

Filesize
4.0MB

Download
memory/2512-2112-0x00007FF7D9A90000-0x00007FF7D9E86000-memory.dmp

Filesize
4.0MB

Download
memory/2576-924-0x00007FF7D4150000-0x00007FF7D4546000-memory.dmp

Filesize
4.0MB

Download
memory/2576-2128-0x00007FF7D4150000-0x00007FF7D4546000-memory.dmp

Filesize
4.0MB

Download
memory/2812-2125-0x00007FF7787B0000-0x00007FF778BA6000-memory.dmp

Filesize
4.0MB

Download
memory/2812-927-0x00007FF7787B0000-0x00007FF778BA6000-memory.dmp

Filesize
4.0MB

Download
memory/2832-2130-0x00007FF673830000-0x00007FF673C26000-memory.dmp

Filesize
4.0MB

Download
memory/2832-944-0x00007FF673830000-0x00007FF673C26000-memory.dmp

Filesize
4.0MB

Download
memory/3284-2119-0x00007FF779040000-0x00007FF779436000-memory.dmp

Filesize
4.0MB

Download
memory/3284-920-0x00007FF779040000-0x00007FF779436000-memory.dmp

Filesize
4.0MB

Download
memory/3368-941-0x00007FF66A320000-0x00007FF66A716000-memory.dmp

Filesize
4.0MB

Download
memory/3368-2127-0x00007FF66A320000-0x00007FF66A716000-memory.dmp

Filesize
4.0MB

Download
memory/3376-840-0x00007FF719B80000-0x00007FF719F76000-memory.dmp

Filesize
4.0MB

Download
memory/3376-2109-0x00007FF719B80000-0x00007FF719F76000-memory.dmp

Filesize
4.0MB

Download
memory/3468-942-0x00007FF6EA650000-0x00007FF6EAA46000-memory.dmp

Filesize
4.0MB

Download
memory/3468-2124-0x00007FF6EA650000-0x00007FF6EAA46000-memory.dmp

Filesize
4.0MB

Download
memory/3676-2108-0x00007FF68CFE0000-0x00007FF68D3D6000-memory.dmp

Filesize
4.0MB

Download
memory/3676-832-0x00007FF68CFE0000-0x00007FF68D3D6000-memory.dmp

Filesize
4.0MB

Download
memory/3788-947-0x00007FF6FCB30000-0x00007FF6FCF26000-memory.dmp

Filesize
4.0MB

Download
memory/3788-2122-0x00007FF6FCB30000-0x00007FF6FCF26000-memory.dmp

Filesize
4.0MB

Download
memory/3876-2114-0x00007FF6B5330000-0x00007FF6B5726000-memory.dmp

Filesize
4.0MB

Download
memory/3876-881-0x00007FF6B5330000-0x00007FF6B5726000-memory.dmp

Filesize
4.0MB

Download
memory/4592-946-0x00007FF7F8850000-0x00007FF7F8C46000-memory.dmp

Filesize
4.0MB

Download
memory/4592-2123-0x00007FF7F8850000-0x00007FF7F8C46000-memory.dmp

Filesize
4.0MB

Download
memory/4848-911-0x00007FF7BCAC0000-0x00007FF7BCEB6000-memory.dmp

Filesize
4.0MB

Download
memory/4848-2118-0x00007FF7BCAC0000-0x00007FF7BCEB6000-memory.dmp

Filesize
4.0MB

Download