xmrig | 3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0

Analysis

max time kernel
125s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 04:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
Size

728KB
MD5

29c233f4e7cd2b9466aa85eb868aa710
SHA1

f8a754dd31d367083ca8c3d48517a211258c0029
SHA256

3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0
SHA512

a0a4bae297040a3ff08225e5bcbf3d37ac353d0e38b08a0629a0d3cc5d5126ffe562e2cd242cd8935681693725b806d1ffb1f1ad60706c4bfb14fde93143e3e7
SSDEEP

12288:UuqZ0GO3/fTn5rPtFDO5BTVo2hZiavoQFNc6E4PUwgsF+FkL3xdTK96a:zv3/fTLF671TilQFG4P5PMkLO96a

Score

10^/10

xmrig execution miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/812-319-0x00007FF7EAC30000-0x00007FF7EB022000-memory.dmp	xmrig
behavioral2/memory/2100-330-0x00007FF7BAC90000-0x00007FF7BB082000-memory.dmp	xmrig
behavioral2/memory/1120-326-0x00007FF77ED00000-0x00007FF77F0F2000-memory.dmp	xmrig
behavioral2/memory/3624-332-0x00007FF610A50000-0x00007FF610E42000-memory.dmp	xmrig
behavioral2/memory/4944-313-0x00007FF694250000-0x00007FF694642000-memory.dmp	xmrig
behavioral2/memory/4112-311-0x00007FF693990000-0x00007FF693D82000-memory.dmp	xmrig
behavioral2/memory/4928-351-0x00007FF75CA50000-0x00007FF75CE42000-memory.dmp	xmrig
behavioral2/memory/1488-354-0x00007FF759AE0000-0x00007FF759ED2000-memory.dmp	xmrig
behavioral2/memory/1280-353-0x00007FF63D850000-0x00007FF63DC42000-memory.dmp	xmrig
behavioral2/memory/2952-352-0x00007FF6D7640000-0x00007FF6D7A32000-memory.dmp	xmrig
behavioral2/memory/3472-343-0x00007FF706DA0000-0x00007FF707192000-memory.dmp	xmrig
behavioral2/memory/5012-128-0x00007FF776830000-0x00007FF776C22000-memory.dmp	xmrig
behavioral2/memory/3984-99-0x00007FF76DBC0000-0x00007FF76DFB2000-memory.dmp	xmrig
behavioral2/memory/3992-77-0x00007FF70AFF0000-0x00007FF70B3E2000-memory.dmp	xmrig
behavioral2/memory/4736-52-0x00007FF6543B0000-0x00007FF6547A2000-memory.dmp	xmrig
behavioral2/memory/1096-3354-0x00007FF689BB0000-0x00007FF689FA2000-memory.dmp	xmrig
behavioral2/memory/1376-3355-0x00007FF6B9760000-0x00007FF6B9B52000-memory.dmp	xmrig
behavioral2/memory/4516-3357-0x00007FF668820000-0x00007FF668C12000-memory.dmp	xmrig
behavioral2/memory/4028-3390-0x00007FF676AA0000-0x00007FF676E92000-memory.dmp	xmrig
behavioral2/memory/4800-3391-0x00007FF64B0C0000-0x00007FF64B4B2000-memory.dmp	xmrig
behavioral2/memory/1980-3392-0x00007FF718CD0000-0x00007FF7190C2000-memory.dmp	xmrig
behavioral2/memory/376-3393-0x00007FF6507A0000-0x00007FF650B92000-memory.dmp	xmrig
behavioral2/memory/4476-3405-0x00007FF6C80C0000-0x00007FF6C84B2000-memory.dmp	xmrig
behavioral2/memory/4452-3406-0x00007FF611350000-0x00007FF611742000-memory.dmp	xmrig
behavioral2/memory/1096-3408-0x00007FF689BB0000-0x00007FF689FA2000-memory.dmp	xmrig
behavioral2/memory/1376-3410-0x00007FF6B9760000-0x00007FF6B9B52000-memory.dmp	xmrig
behavioral2/memory/4516-3412-0x00007FF668820000-0x00007FF668C12000-memory.dmp	xmrig
behavioral2/memory/4736-3414-0x00007FF6543B0000-0x00007FF6547A2000-memory.dmp	xmrig
behavioral2/memory/3624-3420-0x00007FF610A50000-0x00007FF610E42000-memory.dmp	xmrig
behavioral2/memory/3984-3430-0x00007FF76DBC0000-0x00007FF76DFB2000-memory.dmp	xmrig
behavioral2/memory/3472-3428-0x00007FF706DA0000-0x00007FF707192000-memory.dmp	xmrig
behavioral2/memory/5012-3432-0x00007FF776830000-0x00007FF776C22000-memory.dmp	xmrig
behavioral2/memory/1980-3426-0x00007FF718CD0000-0x00007FF7190C2000-memory.dmp	xmrig
behavioral2/memory/4800-3424-0x00007FF64B0C0000-0x00007FF64B4B2000-memory.dmp	xmrig
behavioral2/memory/4028-3422-0x00007FF676AA0000-0x00007FF676E92000-memory.dmp	xmrig
behavioral2/memory/4928-3417-0x00007FF75CA50000-0x00007FF75CE42000-memory.dmp	xmrig
behavioral2/memory/3992-3419-0x00007FF70AFF0000-0x00007FF70B3E2000-memory.dmp	xmrig
behavioral2/memory/1280-3434-0x00007FF63D850000-0x00007FF63DC42000-memory.dmp	xmrig
behavioral2/memory/2952-3441-0x00007FF6D7640000-0x00007FF6D7A32000-memory.dmp	xmrig
behavioral2/memory/4476-3437-0x00007FF6C80C0000-0x00007FF6C84B2000-memory.dmp	xmrig
behavioral2/memory/812-3456-0x00007FF7EAC30000-0x00007FF7EB022000-memory.dmp	xmrig
behavioral2/memory/2100-3455-0x00007FF7BAC90000-0x00007FF7BB082000-memory.dmp	xmrig
behavioral2/memory/4112-3449-0x00007FF693990000-0x00007FF693D82000-memory.dmp	xmrig
behavioral2/memory/4944-3447-0x00007FF694250000-0x00007FF694642000-memory.dmp	xmrig
behavioral2/memory/4452-3445-0x00007FF611350000-0x00007FF611742000-memory.dmp	xmrig
behavioral2/memory/376-3439-0x00007FF6507A0000-0x00007FF650B92000-memory.dmp	xmrig
behavioral2/memory/1120-3462-0x00007FF77ED00000-0x00007FF77F0F2000-memory.dmp	xmrig
behavioral2/memory/1488-3458-0x00007FF759AE0000-0x00007FF759ED2000-memory.dmp	xmrig

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

8 1892 powershell.exe
10 1892 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

1892 powershell.exe

flow	pid	process
8	1892	powershell.exe
10	1892	powershell.exe

pid	process
1892	powershell.exe

Executes dropped EXE 64 IoCs

Processes:

aSMQhDU.exeznYnYbC.exeqLjjaCV.exeJwpkugi.exeovsgbqR.exejsModGW.exembMFwrv.exeIcrdABL.exeKWHUAVA.exeCKDdNWY.exeZUCvjzk.exepEUMhlA.exeVagQGYs.exegAeOKEy.exejwsCMoL.exeycxEMmS.exetuCPreH.exeLgEMWxS.exesJHRmXv.exefXnHMrC.exeVoAwaUa.exeVzZpsJQ.exeKZggdMk.exeYnFpJgM.exedqWgeFe.exegNNxgps.exeAjchIQs.exeCtkHofi.exeJaOKcuK.exeoVAnQGS.exeLiRNiMb.exemXBrMky.exeTormnbi.exeSzAdOdo.exeROycCdT.exeFbEXFzi.exeolqRIiv.exezIumWkv.exeAzvxuPq.exeLlfVuNc.exemZKseTx.exeghwOyas.exedbzFsqU.exehHmqeKB.exeOwBjfaQ.exekRWdfET.exekThNkYx.exeCFcQKjK.exeHDtxsEu.exebDYwkgg.exemvfTfnf.exebYDTWSA.exesYRHAzD.exeRUMKWSL.exeSPuYsLm.exekqGwnEu.exeYZFhiUn.execsbbJqd.exeqcJvBlw.exeNnvvvYU.exeESGoRPv.exeWHemJRJ.execbLwsPC.exeuoSlgBo.exe

pid	process
1096	aSMQhDU.exe
1376	znYnYbC.exe
4516	qLjjaCV.exe
4028	Jwpkugi.exe
4736	ovsgbqR.exe
3624	jsModGW.exe
4800	mbMFwrv.exe
3992	IcrdABL.exe
1980	KWHUAVA.exe
3472	CKDdNWY.exe
4928	ZUCvjzk.exe
3984	pEUMhlA.exe
2952	VagQGYs.exe
376	gAeOKEy.exe
4476	jwsCMoL.exe
5012	ycxEMmS.exe
1280	tuCPreH.exe
1488	LgEMWxS.exe
4452	sJHRmXv.exe
4112	fXnHMrC.exe
4944	VoAwaUa.exe
812	VzZpsJQ.exe
1120	KZggdMk.exe
2100	YnFpJgM.exe
3900	dqWgeFe.exe
5020	gNNxgps.exe
3584	AjchIQs.exe
2788	CtkHofi.exe
3260	JaOKcuK.exe
3680	oVAnQGS.exe
1692	LiRNiMb.exe
536	mXBrMky.exe
4496	Tormnbi.exe
1164	SzAdOdo.exe
2832	ROycCdT.exe
2668	FbEXFzi.exe
1432	olqRIiv.exe
4360	zIumWkv.exe
2232	AzvxuPq.exe
1220	LlfVuNc.exe
3268	mZKseTx.exe
4192	ghwOyas.exe
2052	dbzFsqU.exe
3124	hHmqeKB.exe
3668	OwBjfaQ.exe
5000	kRWdfET.exe
4040	kThNkYx.exe
3648	CFcQKjK.exe
4364	HDtxsEu.exe
4488	bDYwkgg.exe
2996	mvfTfnf.exe
4388	bYDTWSA.exe
2400	sYRHAzD.exe
3672	RUMKWSL.exe
4484	SPuYsLm.exe
2988	kqGwnEu.exe
2860	YZFhiUn.exe
4868	csbbJqd.exe
4468	qcJvBlw.exe
1080	NnvvvYU.exe
848	ESGoRPv.exe
844	WHemJRJ.exe
4544	cbLwsPC.exe
2280	uoSlgBo.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3252-0-0x00007FF65B9F0000-0x00007FF65BDE2000-memory.dmp	upx
C:\Windows\System\aSMQhDU.exe	upx
C:\Windows\System\znYnYbC.exe	upx
C:\Windows\System\qLjjaCV.exe	upx
C:\Windows\System\ovsgbqR.exe	upx
C:\Windows\System\CKDdNWY.exe	upx
C:\Windows\System\KWHUAVA.exe	upx
C:\Windows\System\ycxEMmS.exe	upx
C:\Windows\System\dqWgeFe.exe	upx
behavioral2/memory/4476-127-0x00007FF6C80C0000-0x00007FF6C84B2000-memory.dmp	upx
C:\Windows\System\gNNxgps.exe	upx
C:\Windows\System\JaOKcuK.exe	upx
C:\Windows\System\LiRNiMb.exe	upx
behavioral2/memory/812-319-0x00007FF7EAC30000-0x00007FF7EB022000-memory.dmp	upx
behavioral2/memory/2100-330-0x00007FF7BAC90000-0x00007FF7BB082000-memory.dmp	upx
behavioral2/memory/1120-326-0x00007FF77ED00000-0x00007FF77F0F2000-memory.dmp	upx
behavioral2/memory/3624-332-0x00007FF610A50000-0x00007FF610E42000-memory.dmp	upx
behavioral2/memory/4944-313-0x00007FF694250000-0x00007FF694642000-memory.dmp	upx
behavioral2/memory/4112-311-0x00007FF693990000-0x00007FF693D82000-memory.dmp	upx
behavioral2/memory/4928-351-0x00007FF75CA50000-0x00007FF75CE42000-memory.dmp	upx
behavioral2/memory/1488-354-0x00007FF759AE0000-0x00007FF759ED2000-memory.dmp	upx
behavioral2/memory/1280-353-0x00007FF63D850000-0x00007FF63DC42000-memory.dmp	upx
behavioral2/memory/2952-352-0x00007FF6D7640000-0x00007FF6D7A32000-memory.dmp	upx
behavioral2/memory/3472-343-0x00007FF706DA0000-0x00007FF707192000-memory.dmp	upx
C:\Windows\System\Tormnbi.exe	upx
C:\Windows\System\mXBrMky.exe	upx
C:\Windows\System\oVAnQGS.exe	upx
C:\Windows\System\CtkHofi.exe	upx
C:\Windows\System\AjchIQs.exe	upx
behavioral2/memory/4452-151-0x00007FF611350000-0x00007FF611742000-memory.dmp	upx
C:\Windows\System\YnFpJgM.exe	upx
C:\Windows\System\KZggdMk.exe	upx
C:\Windows\System\VzZpsJQ.exe	upx
C:\Windows\System\VoAwaUa.exe	upx
C:\Windows\System\fXnHMrC.exe	upx
C:\Windows\System\sJHRmXv.exe	upx
C:\Windows\System\LgEMWxS.exe	upx
behavioral2/memory/5012-128-0x00007FF776830000-0x00007FF776C22000-memory.dmp	upx
C:\Windows\System\tuCPreH.exe	upx
behavioral2/memory/376-121-0x00007FF6507A0000-0x00007FF650B92000-memory.dmp	upx
C:\Windows\System\jwsCMoL.exe	upx
C:\Windows\System\gAeOKEy.exe	upx
C:\Windows\System\VagQGYs.exe	upx
behavioral2/memory/3984-99-0x00007FF76DBC0000-0x00007FF76DFB2000-memory.dmp	upx
behavioral2/memory/1980-89-0x00007FF718CD0000-0x00007FF7190C2000-memory.dmp	upx
C:\Windows\System\pEUMhlA.exe	upx
behavioral2/memory/3992-77-0x00007FF70AFF0000-0x00007FF70B3E2000-memory.dmp	upx
behavioral2/memory/4800-75-0x00007FF64B0C0000-0x00007FF64B4B2000-memory.dmp	upx
C:\Windows\System\ZUCvjzk.exe	upx
C:\Windows\System\IcrdABL.exe	upx
C:\Windows\System\jsModGW.exe	upx
C:\Windows\System\mbMFwrv.exe	upx
behavioral2/memory/4736-52-0x00007FF6543B0000-0x00007FF6547A2000-memory.dmp	upx
behavioral2/memory/4028-46-0x00007FF676AA0000-0x00007FF676E92000-memory.dmp	upx
C:\Windows\System\Jwpkugi.exe	upx
behavioral2/memory/4516-20-0x00007FF668820000-0x00007FF668C12000-memory.dmp	upx
behavioral2/memory/1376-17-0x00007FF6B9760000-0x00007FF6B9B52000-memory.dmp	upx
behavioral2/memory/1096-15-0x00007FF689BB0000-0x00007FF689FA2000-memory.dmp	upx
behavioral2/memory/1096-3354-0x00007FF689BB0000-0x00007FF689FA2000-memory.dmp	upx
behavioral2/memory/1376-3355-0x00007FF6B9760000-0x00007FF6B9B52000-memory.dmp	upx
behavioral2/memory/4516-3357-0x00007FF668820000-0x00007FF668C12000-memory.dmp	upx
behavioral2/memory/4028-3390-0x00007FF676AA0000-0x00007FF676E92000-memory.dmp	upx
behavioral2/memory/4800-3391-0x00007FF64B0C0000-0x00007FF64B4B2000-memory.dmp	upx
behavioral2/memory/1980-3392-0x00007FF718CD0000-0x00007FF7190C2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

7 raw.githubusercontent.com
8 raw.githubusercontent.com

flow	ioc
7	raw.githubusercontent.com
8	raw.githubusercontent.com

Drops file in Windows directory 64 IoCs

Processes:

3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\System\CpbdGIB.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\oIpDCIi.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\dOnkIdC.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\jYwTDVP.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\YfEOGcc.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\eIkWybH.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\DgOlDyo.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\TMFqaeX.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\HuskSsd.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\lLJVdoj.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\fqqHOpG.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\LMQfnuT.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\MUpeHOw.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\rsXkhbI.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\DOPLEWO.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\RCaAQQQ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\TGOgjJW.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\WCloYQO.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\iPtkhTw.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\vhUKQna.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\PSdjLMX.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\IHFPgMp.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\IYvAvKX.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\qdCPlAv.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\SvGoVpg.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\vVXugVf.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\EnngYrj.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\kqGwnEu.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\xcjvDyr.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\RmymJUQ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\fqMIfYM.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\MhURXCu.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\WbrSURf.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\tyArgAv.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\DrfHDIQ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\pXhfqFy.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\nWYYYFA.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\FTSnwOL.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\pHSfabD.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\nYMaYHW.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\NvbyPsw.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\OwBjfaQ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\jspntVz.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\HfLjQMJ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\frxHhrn.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\ZBOcboJ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\ljqiTuk.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\RyhFwDP.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\XwFzztN.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\jYmdFgg.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\GESNOQj.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\qMOXFbb.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\EFnZXrc.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\ItsaPCG.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\llRKkaJ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\HqUfifQ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\vNMxkqt.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\dPfvsnD.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\cNqoHuO.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\naXKPYq.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\yhmIosk.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\yBWxEvN.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\wAzqFUZ.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
File created	C:\Windows\System\UjpFXmm.exe	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wermgr.exe

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS wermgr.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU wermgr.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exe

pid process

1892 powershell.exe
1892 powershell.exe
1892 powershell.exe
1892 powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

pid	process
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe
1892	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exepowershell.exe

description	pid	process
Token: SeLockMemoryPrivilege	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
Token: SeLockMemoryPrivilege	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
Token: SeDebugPrivilege	1892	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe

description	pid	process	target process
PID 3252 wrote to memory of 1892	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	powershell.exe
PID 3252 wrote to memory of 1892	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	powershell.exe
PID 3252 wrote to memory of 1096	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	aSMQhDU.exe
PID 3252 wrote to memory of 1096	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	aSMQhDU.exe
PID 3252 wrote to memory of 1376	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	znYnYbC.exe
PID 3252 wrote to memory of 1376	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	znYnYbC.exe
PID 3252 wrote to memory of 4516	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	qLjjaCV.exe
PID 3252 wrote to memory of 4516	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	qLjjaCV.exe
PID 3252 wrote to memory of 4028	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	Jwpkugi.exe
PID 3252 wrote to memory of 4028	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	Jwpkugi.exe
PID 3252 wrote to memory of 4736	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	ovsgbqR.exe
PID 3252 wrote to memory of 4736	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	ovsgbqR.exe
PID 3252 wrote to memory of 3624	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	jsModGW.exe
PID 3252 wrote to memory of 3624	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	jsModGW.exe
PID 3252 wrote to memory of 4800	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	mbMFwrv.exe
PID 3252 wrote to memory of 4800	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	mbMFwrv.exe
PID 3252 wrote to memory of 3992	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	IcrdABL.exe
PID 3252 wrote to memory of 3992	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	IcrdABL.exe
PID 3252 wrote to memory of 1980	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	KWHUAVA.exe
PID 3252 wrote to memory of 1980	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	KWHUAVA.exe
PID 3252 wrote to memory of 3472	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	CKDdNWY.exe
PID 3252 wrote to memory of 3472	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	CKDdNWY.exe
PID 3252 wrote to memory of 4928	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	ZUCvjzk.exe
PID 3252 wrote to memory of 4928	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	ZUCvjzk.exe
PID 3252 wrote to memory of 3984	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	pEUMhlA.exe
PID 3252 wrote to memory of 3984	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	pEUMhlA.exe
PID 3252 wrote to memory of 2952	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	VagQGYs.exe
PID 3252 wrote to memory of 2952	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	VagQGYs.exe
PID 3252 wrote to memory of 376	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	gAeOKEy.exe
PID 3252 wrote to memory of 376	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	gAeOKEy.exe
PID 3252 wrote to memory of 4476	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	jwsCMoL.exe
PID 3252 wrote to memory of 4476	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	jwsCMoL.exe
PID 3252 wrote to memory of 1280	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	tuCPreH.exe
PID 3252 wrote to memory of 1280	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	tuCPreH.exe
PID 3252 wrote to memory of 5012	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	ycxEMmS.exe
PID 3252 wrote to memory of 5012	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	ycxEMmS.exe
PID 3252 wrote to memory of 1488	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	LgEMWxS.exe
PID 3252 wrote to memory of 1488	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	LgEMWxS.exe
PID 3252 wrote to memory of 4452	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	sJHRmXv.exe
PID 3252 wrote to memory of 4452	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	sJHRmXv.exe
PID 3252 wrote to memory of 4112	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	fXnHMrC.exe
PID 3252 wrote to memory of 4112	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	fXnHMrC.exe
PID 3252 wrote to memory of 4944	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	VoAwaUa.exe
PID 3252 wrote to memory of 4944	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	VoAwaUa.exe
PID 3252 wrote to memory of 812	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	VzZpsJQ.exe
PID 3252 wrote to memory of 812	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	VzZpsJQ.exe
PID 3252 wrote to memory of 1120	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	KZggdMk.exe
PID 3252 wrote to memory of 1120	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	KZggdMk.exe
PID 3252 wrote to memory of 2100	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	YnFpJgM.exe
PID 3252 wrote to memory of 2100	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	YnFpJgM.exe
PID 3252 wrote to memory of 3900	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	dqWgeFe.exe
PID 3252 wrote to memory of 3900	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	dqWgeFe.exe
PID 3252 wrote to memory of 5020	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	gNNxgps.exe
PID 3252 wrote to memory of 5020	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	gNNxgps.exe
PID 3252 wrote to memory of 3584	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	AjchIQs.exe
PID 3252 wrote to memory of 3584	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	AjchIQs.exe
PID 3252 wrote to memory of 2788	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	CtkHofi.exe
PID 3252 wrote to memory of 2788	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	CtkHofi.exe
PID 3252 wrote to memory of 3260	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	JaOKcuK.exe
PID 3252 wrote to memory of 3260	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	JaOKcuK.exe
PID 3252 wrote to memory of 3680	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	oVAnQGS.exe
PID 3252 wrote to memory of 3680	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	oVAnQGS.exe
PID 3252 wrote to memory of 1692	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	LiRNiMb.exe
PID 3252 wrote to memory of 1692	3252	3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe	LiRNiMb.exe

C:\Users\Admin\AppData\Local\Temp\3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3713f77d92744dccf59d99a68986909ee75ce4e91f62c2d052a0c31b9d2b82c0_NeikiAnalytics.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1892" "2900" "2828" "2904" "0" "0" "2908" "0" "0" "0" "0" "0"
3⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:924

C:\Windows\System\aSMQhDU.exe
C:\Windows\System\aSMQhDU.exe
2⤵
- Executes dropped EXE
PID:1096

C:\Windows\System\znYnYbC.exe
C:\Windows\System\znYnYbC.exe
2⤵
- Executes dropped EXE
PID:1376

C:\Windows\System\qLjjaCV.exe
C:\Windows\System\qLjjaCV.exe
2⤵
- Executes dropped EXE
PID:4516

C:\Windows\System\Jwpkugi.exe
C:\Windows\System\Jwpkugi.exe
2⤵
- Executes dropped EXE
PID:4028

C:\Windows\System\ovsgbqR.exe
C:\Windows\System\ovsgbqR.exe
2⤵
- Executes dropped EXE
PID:4736

C:\Windows\System\jsModGW.exe
C:\Windows\System\jsModGW.exe
2⤵
- Executes dropped EXE
PID:3624

C:\Windows\System\mbMFwrv.exe
C:\Windows\System\mbMFwrv.exe
2⤵
- Executes dropped EXE
PID:4800

C:\Windows\System\IcrdABL.exe
C:\Windows\System\IcrdABL.exe
2⤵
- Executes dropped EXE
PID:3992

C:\Windows\System\KWHUAVA.exe
C:\Windows\System\KWHUAVA.exe
2⤵
- Executes dropped EXE
PID:1980

C:\Windows\System\CKDdNWY.exe
C:\Windows\System\CKDdNWY.exe
2⤵
- Executes dropped EXE
PID:3472

C:\Windows\System\ZUCvjzk.exe
C:\Windows\System\ZUCvjzk.exe
2⤵
- Executes dropped EXE
PID:4928

C:\Windows\System\pEUMhlA.exe
C:\Windows\System\pEUMhlA.exe
2⤵
- Executes dropped EXE
PID:3984

C:\Windows\System\VagQGYs.exe
C:\Windows\System\VagQGYs.exe
2⤵
- Executes dropped EXE
PID:2952

C:\Windows\System\gAeOKEy.exe
C:\Windows\System\gAeOKEy.exe
2⤵
- Executes dropped EXE
PID:376

C:\Windows\System\jwsCMoL.exe
C:\Windows\System\jwsCMoL.exe
2⤵
- Executes dropped EXE
PID:4476

C:\Windows\System\tuCPreH.exe
C:\Windows\System\tuCPreH.exe
2⤵
- Executes dropped EXE
PID:1280

C:\Windows\System\ycxEMmS.exe
C:\Windows\System\ycxEMmS.exe
2⤵
- Executes dropped EXE
PID:5012

C:\Windows\System\LgEMWxS.exe
C:\Windows\System\LgEMWxS.exe
2⤵
- Executes dropped EXE
PID:1488

C:\Windows\System\sJHRmXv.exe
C:\Windows\System\sJHRmXv.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Windows\System\fXnHMrC.exe
C:\Windows\System\fXnHMrC.exe
2⤵
- Executes dropped EXE
PID:4112

C:\Windows\System\VoAwaUa.exe
C:\Windows\System\VoAwaUa.exe
2⤵
- Executes dropped EXE
PID:4944

C:\Windows\System\VzZpsJQ.exe
C:\Windows\System\VzZpsJQ.exe
2⤵
- Executes dropped EXE
PID:812

C:\Windows\System\KZggdMk.exe
C:\Windows\System\KZggdMk.exe
2⤵
- Executes dropped EXE
PID:1120

C:\Windows\System\YnFpJgM.exe
C:\Windows\System\YnFpJgM.exe
2⤵
- Executes dropped EXE
PID:2100

C:\Windows\System\dqWgeFe.exe
C:\Windows\System\dqWgeFe.exe
2⤵
- Executes dropped EXE
PID:3900

C:\Windows\System\gNNxgps.exe
C:\Windows\System\gNNxgps.exe
2⤵
- Executes dropped EXE
PID:5020

C:\Windows\System\AjchIQs.exe
C:\Windows\System\AjchIQs.exe
2⤵
- Executes dropped EXE
PID:3584

C:\Windows\System\CtkHofi.exe
C:\Windows\System\CtkHofi.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\JaOKcuK.exe
C:\Windows\System\JaOKcuK.exe
2⤵
- Executes dropped EXE
PID:3260

C:\Windows\System\oVAnQGS.exe
C:\Windows\System\oVAnQGS.exe
2⤵
- Executes dropped EXE
PID:3680

C:\Windows\System\LiRNiMb.exe
C:\Windows\System\LiRNiMb.exe
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\System\mXBrMky.exe
C:\Windows\System\mXBrMky.exe
2⤵
- Executes dropped EXE
PID:536

C:\Windows\System\Tormnbi.exe
C:\Windows\System\Tormnbi.exe
2⤵
- Executes dropped EXE
PID:4496

C:\Windows\System\SzAdOdo.exe
C:\Windows\System\SzAdOdo.exe
2⤵
- Executes dropped EXE
PID:1164

C:\Windows\System\ROycCdT.exe
C:\Windows\System\ROycCdT.exe
2⤵
- Executes dropped EXE
PID:2832

C:\Windows\System\FbEXFzi.exe
C:\Windows\System\FbEXFzi.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\olqRIiv.exe
C:\Windows\System\olqRIiv.exe
2⤵
- Executes dropped EXE
PID:1432

C:\Windows\System\zIumWkv.exe
C:\Windows\System\zIumWkv.exe
2⤵
- Executes dropped EXE
PID:4360

C:\Windows\System\AzvxuPq.exe
C:\Windows\System\AzvxuPq.exe
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\System\LlfVuNc.exe
C:\Windows\System\LlfVuNc.exe
2⤵
- Executes dropped EXE
PID:1220

C:\Windows\System\mZKseTx.exe
C:\Windows\System\mZKseTx.exe
2⤵
- Executes dropped EXE
PID:3268

C:\Windows\System\ghwOyas.exe
C:\Windows\System\ghwOyas.exe
2⤵
- Executes dropped EXE
PID:4192

C:\Windows\System\dbzFsqU.exe
C:\Windows\System\dbzFsqU.exe
2⤵
- Executes dropped EXE
PID:2052

C:\Windows\System\hHmqeKB.exe
C:\Windows\System\hHmqeKB.exe
2⤵
- Executes dropped EXE
PID:3124

C:\Windows\System\OwBjfaQ.exe
C:\Windows\System\OwBjfaQ.exe
2⤵
- Executes dropped EXE
PID:3668

C:\Windows\System\kRWdfET.exe
C:\Windows\System\kRWdfET.exe
2⤵
- Executes dropped EXE
PID:5000

C:\Windows\System\kThNkYx.exe
C:\Windows\System\kThNkYx.exe
2⤵
- Executes dropped EXE
PID:4040

C:\Windows\System\CFcQKjK.exe
C:\Windows\System\CFcQKjK.exe
2⤵
- Executes dropped EXE
PID:3648

C:\Windows\System\HDtxsEu.exe
C:\Windows\System\HDtxsEu.exe
2⤵
- Executes dropped EXE
PID:4364

C:\Windows\System\bDYwkgg.exe
C:\Windows\System\bDYwkgg.exe
2⤵
- Executes dropped EXE
PID:4488

C:\Windows\System\mvfTfnf.exe
C:\Windows\System\mvfTfnf.exe
2⤵
- Executes dropped EXE
PID:2996

C:\Windows\System\bYDTWSA.exe
C:\Windows\System\bYDTWSA.exe
2⤵
- Executes dropped EXE
PID:4388

C:\Windows\System\sYRHAzD.exe
C:\Windows\System\sYRHAzD.exe
2⤵
- Executes dropped EXE
PID:2400

C:\Windows\System\RUMKWSL.exe
C:\Windows\System\RUMKWSL.exe
2⤵
- Executes dropped EXE
PID:3672

C:\Windows\System\SPuYsLm.exe
C:\Windows\System\SPuYsLm.exe
2⤵
- Executes dropped EXE
PID:4484

C:\Windows\System\kqGwnEu.exe
C:\Windows\System\kqGwnEu.exe
2⤵
- Executes dropped EXE
PID:2988

C:\Windows\System\YZFhiUn.exe
C:\Windows\System\YZFhiUn.exe
2⤵
- Executes dropped EXE
PID:2860

C:\Windows\System\csbbJqd.exe
C:\Windows\System\csbbJqd.exe
2⤵
- Executes dropped EXE
PID:4868

C:\Windows\System\qcJvBlw.exe
C:\Windows\System\qcJvBlw.exe
2⤵
- Executes dropped EXE
PID:4468

C:\Windows\System\NnvvvYU.exe
C:\Windows\System\NnvvvYU.exe
2⤵
- Executes dropped EXE
PID:1080

C:\Windows\System\ESGoRPv.exe
C:\Windows\System\ESGoRPv.exe
2⤵
- Executes dropped EXE
PID:848

C:\Windows\System\WHemJRJ.exe
C:\Windows\System\WHemJRJ.exe
2⤵
- Executes dropped EXE
PID:844

C:\Windows\System\cbLwsPC.exe
C:\Windows\System\cbLwsPC.exe
2⤵
- Executes dropped EXE
PID:4544

C:\Windows\System\uoSlgBo.exe
C:\Windows\System\uoSlgBo.exe
2⤵
- Executes dropped EXE
PID:2280

C:\Windows\System\BRIPOoD.exe
C:\Windows\System\BRIPOoD.exe
2⤵
PID:2696

C:\Windows\System\BRaRBsA.exe
C:\Windows\System\BRaRBsA.exe
2⤵
PID:2436

C:\Windows\System\JnXcTRz.exe
C:\Windows\System\JnXcTRz.exe
2⤵
PID:2380

C:\Windows\System\dBwqFpc.exe
C:\Windows\System\dBwqFpc.exe
2⤵
PID:4540

C:\Windows\System\jspntVz.exe
C:\Windows\System\jspntVz.exe
2⤵
PID:3408

C:\Windows\System\cfGcjVL.exe
C:\Windows\System\cfGcjVL.exe
2⤵
PID:3516

C:\Windows\System\gVXrREi.exe
C:\Windows\System\gVXrREi.exe
2⤵
PID:840

C:\Windows\System\gWTNztd.exe
C:\Windows\System\gWTNztd.exe
2⤵
PID:1712

C:\Windows\System\OBPEVQo.exe
C:\Windows\System\OBPEVQo.exe
2⤵
PID:3860

C:\Windows\System\ESBaYeO.exe
C:\Windows\System\ESBaYeO.exe
2⤵
PID:2584

C:\Windows\System\hsoQMEw.exe
C:\Windows\System\hsoQMEw.exe
2⤵
PID:4668

C:\Windows\System\wBtyuTQ.exe
C:\Windows\System\wBtyuTQ.exe
2⤵
PID:1552

C:\Windows\System\QIfUmkD.exe
C:\Windows\System\QIfUmkD.exe
2⤵
PID:888

C:\Windows\System\BaYBSba.exe
C:\Windows\System\BaYBSba.exe
2⤵
PID:4472

C:\Windows\System\UwyKzZU.exe
C:\Windows\System\UwyKzZU.exe
2⤵
PID:3852

C:\Windows\System\Rndwjmx.exe
C:\Windows\System\Rndwjmx.exe
2⤵
PID:2684

C:\Windows\System\TfIYnWx.exe
C:\Windows\System\TfIYnWx.exe
2⤵
PID:4772

C:\Windows\System\GOBARwH.exe
C:\Windows\System\GOBARwH.exe
2⤵
PID:2744

C:\Windows\System\rNTwgOW.exe
C:\Windows\System\rNTwgOW.exe
2⤵
PID:3636

C:\Windows\System\SiyAXBR.exe
C:\Windows\System\SiyAXBR.exe
2⤵
PID:5144

C:\Windows\System\hMcxlDD.exe
C:\Windows\System\hMcxlDD.exe
2⤵
PID:5160

C:\Windows\System\TGedbvB.exe
C:\Windows\System\TGedbvB.exe
2⤵
PID:5180

C:\Windows\System\jVXEVJj.exe
C:\Windows\System\jVXEVJj.exe
2⤵
PID:5212

C:\Windows\System\ygQoOpq.exe
C:\Windows\System\ygQoOpq.exe
2⤵
PID:5248

C:\Windows\System\DelhGPl.exe
C:\Windows\System\DelhGPl.exe
2⤵
PID:5264

C:\Windows\System\sUHGGnv.exe
C:\Windows\System\sUHGGnv.exe
2⤵
PID:5284

C:\Windows\System\OkNJsHE.exe
C:\Windows\System\OkNJsHE.exe
2⤵
PID:5304

C:\Windows\System\SCofIxa.exe
C:\Windows\System\SCofIxa.exe
2⤵
PID:5320

C:\Windows\System\aHPeGnY.exe
C:\Windows\System\aHPeGnY.exe
2⤵
PID:5336

C:\Windows\System\HwkcvVC.exe
C:\Windows\System\HwkcvVC.exe
2⤵
PID:5360

C:\Windows\System\ZjtWufb.exe
C:\Windows\System\ZjtWufb.exe
2⤵
PID:5408

C:\Windows\System\ayfhpVb.exe
C:\Windows\System\ayfhpVb.exe
2⤵
PID:5436

C:\Windows\System\LWTElcR.exe
C:\Windows\System\LWTElcR.exe
2⤵
PID:5480

C:\Windows\System\teWXJoD.exe
C:\Windows\System\teWXJoD.exe
2⤵
PID:5496

C:\Windows\System\leCSqtu.exe
C:\Windows\System\leCSqtu.exe
2⤵
PID:5552

C:\Windows\System\VWmUGQM.exe
C:\Windows\System\VWmUGQM.exe
2⤵
PID:5628

C:\Windows\System\btaiScU.exe
C:\Windows\System\btaiScU.exe
2⤵
PID:5660

C:\Windows\System\cZUJlLl.exe
C:\Windows\System\cZUJlLl.exe
2⤵
PID:5692

C:\Windows\System\oKcoPqX.exe
C:\Windows\System\oKcoPqX.exe
2⤵
PID:5716

C:\Windows\System\sjbdPCD.exe
C:\Windows\System\sjbdPCD.exe
2⤵
PID:5800

C:\Windows\System\wFHEmXG.exe
C:\Windows\System\wFHEmXG.exe
2⤵
PID:5816

C:\Windows\System\NvkxUcZ.exe
C:\Windows\System\NvkxUcZ.exe
2⤵
PID:5832

C:\Windows\System\IGyUZGO.exe
C:\Windows\System\IGyUZGO.exe
2⤵
PID:5852

C:\Windows\System\ipMNuxX.exe
C:\Windows\System\ipMNuxX.exe
2⤵
PID:5868

C:\Windows\System\zBDUSLc.exe
C:\Windows\System\zBDUSLc.exe
2⤵
PID:5888

C:\Windows\System\vDwCXpN.exe
C:\Windows\System\vDwCXpN.exe
2⤵
PID:5940

C:\Windows\System\iySloty.exe
C:\Windows\System\iySloty.exe
2⤵
PID:5984

C:\Windows\System\dLyrGar.exe
C:\Windows\System\dLyrGar.exe
2⤵
PID:6008

C:\Windows\System\ICLRwMM.exe
C:\Windows\System\ICLRwMM.exe
2⤵
PID:6036

C:\Windows\System\IVBZhvq.exe
C:\Windows\System\IVBZhvq.exe
2⤵
PID:6060

C:\Windows\System\uQnKADT.exe
C:\Windows\System\uQnKADT.exe
2⤵
PID:6080

C:\Windows\System\TitjHNb.exe
C:\Windows\System\TitjHNb.exe
2⤵
PID:6104

C:\Windows\System\QuOuIpK.exe
C:\Windows\System\QuOuIpK.exe
2⤵
PID:6136

C:\Windows\System\TWcevMz.exe
C:\Windows\System\TWcevMz.exe
2⤵
PID:5008

C:\Windows\System\kguRvev.exe
C:\Windows\System\kguRvev.exe
2⤵
PID:5156

C:\Windows\System\ozYfmOk.exe
C:\Windows\System\ozYfmOk.exe
2⤵
PID:5260

C:\Windows\System\VbGftIc.exe
C:\Windows\System\VbGftIc.exe
2⤵
PID:5300

C:\Windows\System\syHvzzy.exe
C:\Windows\System\syHvzzy.exe
2⤵
PID:5332

C:\Windows\System\EKwDVTb.exe
C:\Windows\System\EKwDVTb.exe
2⤵
PID:5404

C:\Windows\System\AusAqkO.exe
C:\Windows\System\AusAqkO.exe
2⤵
PID:5504

C:\Windows\System\TfEZSRq.exe
C:\Windows\System\TfEZSRq.exe
2⤵
PID:5568

C:\Windows\System\DXHRcCw.exe
C:\Windows\System\DXHRcCw.exe
2⤵
PID:5612

C:\Windows\System\jjVEJGR.exe
C:\Windows\System\jjVEJGR.exe
2⤵
PID:5728

C:\Windows\System\ahBPuor.exe
C:\Windows\System\ahBPuor.exe
2⤵
PID:1188

C:\Windows\System\tnmtCVi.exe
C:\Windows\System\tnmtCVi.exe
2⤵
PID:4280

C:\Windows\System\lMEYSYM.exe
C:\Windows\System\lMEYSYM.exe
2⤵
PID:2248

C:\Windows\System\KXurSqv.exe
C:\Windows\System\KXurSqv.exe
2⤵
PID:5776

C:\Windows\System\polLLyS.exe
C:\Windows\System\polLLyS.exe
2⤵
PID:5796

C:\Windows\System\eyjbvOu.exe
C:\Windows\System\eyjbvOu.exe
2⤵
PID:5844

C:\Windows\System\hTDbbbM.exe
C:\Windows\System\hTDbbbM.exe
2⤵
PID:5860

C:\Windows\System\LaQMxiA.exe
C:\Windows\System\LaQMxiA.exe
2⤵
PID:5996

C:\Windows\System\LYTxePp.exe
C:\Windows\System\LYTxePp.exe
2⤵
PID:6088

C:\Windows\System\TmtSYyD.exe
C:\Windows\System\TmtSYyD.exe
2⤵
PID:6120

C:\Windows\System\omzYbcW.exe
C:\Windows\System\omzYbcW.exe
2⤵
PID:5196

C:\Windows\System\vJpRuPK.exe
C:\Windows\System\vJpRuPK.exe
2⤵
PID:3696

C:\Windows\System\jHHfpVP.exe
C:\Windows\System\jHHfpVP.exe
2⤵
PID:5524

C:\Windows\System\PJRevGz.exe
C:\Windows\System\PJRevGz.exe
2⤵
PID:1308

C:\Windows\System\qVbfBuz.exe
C:\Windows\System\qVbfBuz.exe
2⤵
PID:5644

C:\Windows\System\iqBpABE.exe
C:\Windows\System\iqBpABE.exe
2⤵
PID:5772

C:\Windows\System\zTpivAF.exe
C:\Windows\System\zTpivAF.exe
2⤵
PID:4600

C:\Windows\System\fZVLgnv.exe
C:\Windows\System\fZVLgnv.exe
2⤵
PID:5880

C:\Windows\System\wMVmVlG.exe
C:\Windows\System\wMVmVlG.exe
2⤵
PID:5828

C:\Windows\System\MqrwSGT.exe
C:\Windows\System\MqrwSGT.exe
2⤵
PID:5168

C:\Windows\System\RHYQBEk.exe
C:\Windows\System\RHYQBEk.exe
2⤵
PID:3144

C:\Windows\System\QzQHVVl.exe
C:\Windows\System\QzQHVVl.exe
2⤵
PID:3376

C:\Windows\System\ZnNJhNp.exe
C:\Windows\System\ZnNJhNp.exe
2⤵
PID:5884

C:\Windows\System\jnrXnmC.exe
C:\Windows\System\jnrXnmC.exe
2⤵
PID:5972

C:\Windows\System\PlWoLMJ.exe
C:\Windows\System\PlWoLMJ.exe
2⤵
PID:6184

C:\Windows\System\utHBsqY.exe
C:\Windows\System\utHBsqY.exe
2⤵
PID:6212

C:\Windows\System\XgVZgPT.exe
C:\Windows\System\XgVZgPT.exe
2⤵
PID:6252

C:\Windows\System\wIKjVdG.exe
C:\Windows\System\wIKjVdG.exe
2⤵
PID:6280

C:\Windows\System\rqqVNnN.exe
C:\Windows\System\rqqVNnN.exe
2⤵
PID:6308

C:\Windows\System\yHwMNXI.exe
C:\Windows\System\yHwMNXI.exe
2⤵
PID:6332

C:\Windows\System\zRnMYFG.exe
C:\Windows\System\zRnMYFG.exe
2⤵
PID:6384

C:\Windows\System\wCjexTS.exe
C:\Windows\System\wCjexTS.exe
2⤵
PID:6404

C:\Windows\System\RhMJDXt.exe
C:\Windows\System\RhMJDXt.exe
2⤵
PID:6420

C:\Windows\System\HvYmqFQ.exe
C:\Windows\System\HvYmqFQ.exe
2⤵
PID:6436

C:\Windows\System\qwYKIQz.exe
C:\Windows\System\qwYKIQz.exe
2⤵
PID:6468

C:\Windows\System\IRFSDfO.exe
C:\Windows\System\IRFSDfO.exe
2⤵
PID:6500

C:\Windows\System\RQCVxWe.exe
C:\Windows\System\RQCVxWe.exe
2⤵
PID:6520

C:\Windows\System\EsVhZcq.exe
C:\Windows\System\EsVhZcq.exe
2⤵
PID:6572

C:\Windows\System\RZjIeGJ.exe
C:\Windows\System\RZjIeGJ.exe
2⤵
PID:6612

C:\Windows\System\hQquSyH.exe
C:\Windows\System\hQquSyH.exe
2⤵
PID:6672

C:\Windows\System\pNeCQVM.exe
C:\Windows\System\pNeCQVM.exe
2⤵
PID:6688

C:\Windows\System\EQeopcX.exe
C:\Windows\System\EQeopcX.exe
2⤵
PID:6704

C:\Windows\System\sxYOYZr.exe
C:\Windows\System\sxYOYZr.exe
2⤵
PID:6728

C:\Windows\System\SoogzYK.exe
C:\Windows\System\SoogzYK.exe
2⤵
PID:6748

C:\Windows\System\vUHjMdV.exe
C:\Windows\System\vUHjMdV.exe
2⤵
PID:6768

C:\Windows\System\ffdDliB.exe
C:\Windows\System\ffdDliB.exe
2⤵
PID:6796

C:\Windows\System\iMsSRCr.exe
C:\Windows\System\iMsSRCr.exe
2⤵
PID:6816

C:\Windows\System\xcjvDyr.exe
C:\Windows\System\xcjvDyr.exe
2⤵
PID:6832

C:\Windows\System\TyvPbza.exe
C:\Windows\System\TyvPbza.exe
2⤵
PID:6848

C:\Windows\System\BDabfVV.exe
C:\Windows\System\BDabfVV.exe
2⤵
PID:6876

C:\Windows\System\rbJAThG.exe
C:\Windows\System\rbJAThG.exe
2⤵
PID:6932

C:\Windows\System\BYHTNIc.exe
C:\Windows\System\BYHTNIc.exe
2⤵
PID:6952

C:\Windows\System\GyRSeft.exe
C:\Windows\System\GyRSeft.exe
2⤵
PID:6968

C:\Windows\System\OgMPoKz.exe
C:\Windows\System\OgMPoKz.exe
2⤵
PID:6988

C:\Windows\System\SulyuyX.exe
C:\Windows\System\SulyuyX.exe
2⤵
PID:7008

C:\Windows\System\oXPpJqv.exe
C:\Windows\System\oXPpJqv.exe
2⤵
PID:7024

C:\Windows\System\mxeUqfM.exe
C:\Windows\System\mxeUqfM.exe
2⤵
PID:7080

C:\Windows\System\TPkZOBh.exe
C:\Windows\System\TPkZOBh.exe
2⤵
PID:7116

C:\Windows\System\qgzgJXx.exe
C:\Windows\System\qgzgJXx.exe
2⤵
PID:7132

C:\Windows\System\JJPTvsc.exe
C:\Windows\System\JJPTvsc.exe
2⤵
PID:7148

C:\Windows\System\oHmMvcH.exe
C:\Windows\System\oHmMvcH.exe
2⤵
PID:5712

C:\Windows\System\kTRjvmz.exe
C:\Windows\System\kTRjvmz.exe
2⤵
PID:5784

C:\Windows\System\FBzWwsW.exe
C:\Windows\System\FBzWwsW.exe
2⤵
PID:5488

C:\Windows\System\CdyUqCp.exe
C:\Windows\System\CdyUqCp.exe
2⤵
PID:6192

C:\Windows\System\QqElsyk.exe
C:\Windows\System\QqElsyk.exe
2⤵
PID:6272

C:\Windows\System\NumjgXx.exe
C:\Windows\System\NumjgXx.exe
2⤵
PID:6236

C:\Windows\System\IvdnYlx.exe
C:\Windows\System\IvdnYlx.exe
2⤵
PID:6360

C:\Windows\System\bOdLpls.exe
C:\Windows\System\bOdLpls.exe
2⤵
PID:6460

C:\Windows\System\uZErgnv.exe
C:\Windows\System\uZErgnv.exe
2⤵
PID:6548

C:\Windows\System\rEAMKxH.exe
C:\Windows\System\rEAMKxH.exe
2⤵
PID:6608

C:\Windows\System\qaERCuZ.exe
C:\Windows\System\qaERCuZ.exe
2⤵
PID:6660

C:\Windows\System\SYvwHHK.exe
C:\Windows\System\SYvwHHK.exe
2⤵
PID:6680

C:\Windows\System\diWDGnC.exe
C:\Windows\System\diWDGnC.exe
2⤵
PID:6716

C:\Windows\System\tKJsepG.exe
C:\Windows\System\tKJsepG.exe
2⤵
PID:6228

C:\Windows\System\meYfDAE.exe
C:\Windows\System\meYfDAE.exe
2⤵
PID:6788

C:\Windows\System\ZtNQpoF.exe
C:\Windows\System\ZtNQpoF.exe
2⤵
PID:6844

C:\Windows\System\DIrHXPn.exe
C:\Windows\System\DIrHXPn.exe
2⤵
PID:5788

C:\Windows\System\MfLNUaW.exe
C:\Windows\System\MfLNUaW.exe
2⤵
PID:7140

C:\Windows\System\oHEtzRe.exe
C:\Windows\System\oHEtzRe.exe
2⤵
PID:5316

C:\Windows\System\RnmToCp.exe
C:\Windows\System\RnmToCp.exe
2⤵
PID:6432

C:\Windows\System\wAgUBkS.exe
C:\Windows\System\wAgUBkS.exe
2⤵
PID:6712

C:\Windows\System\ZmLtoDM.exe
C:\Windows\System\ZmLtoDM.exe
2⤵
PID:6840

C:\Windows\System\NdBpBUG.exe
C:\Windows\System\NdBpBUG.exe
2⤵
PID:6888

C:\Windows\System\YvjdGBW.exe
C:\Windows\System\YvjdGBW.exe
2⤵
PID:6944

C:\Windows\System\JjqjJaC.exe
C:\Windows\System\JjqjJaC.exe
2⤵
PID:7160

C:\Windows\System\aXLaBRo.exe
C:\Windows\System\aXLaBRo.exe
2⤵
PID:6400

C:\Windows\System\wmlUiDA.exe
C:\Windows\System\wmlUiDA.exe
2⤵
PID:7180

C:\Windows\System\dnRUAQc.exe
C:\Windows\System\dnRUAQc.exe
2⤵
PID:7200

C:\Windows\System\OyQqFau.exe
C:\Windows\System\OyQqFau.exe
2⤵
PID:7232

C:\Windows\System\KfqAgQf.exe
C:\Windows\System\KfqAgQf.exe
2⤵
PID:7276

C:\Windows\System\oESsvGd.exe
C:\Windows\System\oESsvGd.exe
2⤵
PID:7296

C:\Windows\System\sxSSrAm.exe
C:\Windows\System\sxSSrAm.exe
2⤵
PID:7312

C:\Windows\System\tpNDypE.exe
C:\Windows\System\tpNDypE.exe
2⤵
PID:7328

C:\Windows\System\dwFSggO.exe
C:\Windows\System\dwFSggO.exe
2⤵
PID:7364

C:\Windows\System\jsnPwcy.exe
C:\Windows\System\jsnPwcy.exe
2⤵
PID:7396

C:\Windows\System\cfWdHDW.exe
C:\Windows\System\cfWdHDW.exe
2⤵
PID:7428

C:\Windows\System\aEtSdsI.exe
C:\Windows\System\aEtSdsI.exe
2⤵
PID:7448

C:\Windows\System\TtuLOOj.exe
C:\Windows\System\TtuLOOj.exe
2⤵
PID:7464

C:\Windows\System\DLhvlDl.exe
C:\Windows\System\DLhvlDl.exe
2⤵
PID:7492

C:\Windows\System\ihjSAHY.exe
C:\Windows\System\ihjSAHY.exe
2⤵
PID:7512

C:\Windows\System\SJvBvnz.exe
C:\Windows\System\SJvBvnz.exe
2⤵
PID:7532

C:\Windows\System\dQItcCG.exe
C:\Windows\System\dQItcCG.exe
2⤵
PID:7584

C:\Windows\System\vGDaWVS.exe
C:\Windows\System\vGDaWVS.exe
2⤵
PID:7632

C:\Windows\System\Pghsctn.exe
C:\Windows\System\Pghsctn.exe
2⤵
PID:7656

C:\Windows\System\UPVZXme.exe
C:\Windows\System\UPVZXme.exe
2⤵
PID:7700

C:\Windows\System\YRerWsQ.exe
C:\Windows\System\YRerWsQ.exe
2⤵
PID:7720

C:\Windows\System\SfHUcUA.exe
C:\Windows\System\SfHUcUA.exe
2⤵
PID:7736

C:\Windows\System\XDHZWMs.exe
C:\Windows\System\XDHZWMs.exe
2⤵
PID:7752

C:\Windows\System\xOrNRuq.exe
C:\Windows\System\xOrNRuq.exe
2⤵
PID:7776

C:\Windows\System\xoLmRrE.exe
C:\Windows\System\xoLmRrE.exe
2⤵
PID:7792

C:\Windows\System\bqKZWrl.exe
C:\Windows\System\bqKZWrl.exe
2⤵
PID:7808

C:\Windows\System\XorNoij.exe
C:\Windows\System\XorNoij.exe
2⤵
PID:7832

C:\Windows\System\TZTFYeW.exe
C:\Windows\System\TZTFYeW.exe
2⤵
PID:7888

C:\Windows\System\bKjRkdL.exe
C:\Windows\System\bKjRkdL.exe
2⤵
PID:7904

C:\Windows\System\VURneBb.exe
C:\Windows\System\VURneBb.exe
2⤵
PID:7968

C:\Windows\System\elbsicU.exe
C:\Windows\System\elbsicU.exe
2⤵
PID:7984

C:\Windows\System\WlnNMdH.exe
C:\Windows\System\WlnNMdH.exe
2⤵
PID:8000

C:\Windows\System\TyZhwFR.exe
C:\Windows\System\TyZhwFR.exe
2⤵
PID:8024

C:\Windows\System\pQwkggq.exe
C:\Windows\System\pQwkggq.exe
2⤵
PID:8040

C:\Windows\System\HoaslNn.exe
C:\Windows\System\HoaslNn.exe
2⤵
PID:8064

C:\Windows\System\LmYOOpG.exe
C:\Windows\System\LmYOOpG.exe
2⤵
PID:8080

C:\Windows\System\lxgauRq.exe
C:\Windows\System\lxgauRq.exe
2⤵
PID:8104

C:\Windows\System\iOWmBEy.exe
C:\Windows\System\iOWmBEy.exe
2⤵
PID:8120

C:\Windows\System\koZhNGS.exe
C:\Windows\System\koZhNGS.exe
2⤵
PID:8140

C:\Windows\System\AmjLDtQ.exe
C:\Windows\System\AmjLDtQ.exe
2⤵
PID:8160

C:\Windows\System\sUVhFVZ.exe
C:\Windows\System\sUVhFVZ.exe
2⤵
PID:8176

C:\Windows\System\slkrcxH.exe
C:\Windows\System\slkrcxH.exe
2⤵
PID:7320

C:\Windows\System\SlQuZug.exe
C:\Windows\System\SlQuZug.exe
2⤵
PID:7304

C:\Windows\System\ZPbdiNy.exe
C:\Windows\System\ZPbdiNy.exe
2⤵
PID:7356

C:\Windows\System\CAvPRMf.exe
C:\Windows\System\CAvPRMf.exe
2⤵
PID:7392

C:\Windows\System\GKqMbpr.exe
C:\Windows\System\GKqMbpr.exe
2⤵
PID:7444

C:\Windows\System\duoQVKH.exe
C:\Windows\System\duoQVKH.exe
2⤵
PID:7572

C:\Windows\System\HkgWrpR.exe
C:\Windows\System\HkgWrpR.exe
2⤵
PID:7728

C:\Windows\System\amRiiHG.exe
C:\Windows\System\amRiiHG.exe
2⤵
PID:7896

C:\Windows\System\AbYWnFh.exe
C:\Windows\System\AbYWnFh.exe
2⤵
PID:7924

C:\Windows\System\CNAXwFI.exe
C:\Windows\System\CNAXwFI.exe
2⤵
PID:7976

C:\Windows\System\qsBeWdN.exe
C:\Windows\System\qsBeWdN.exe
2⤵
PID:8112

C:\Windows\System\HgCgvDA.exe
C:\Windows\System\HgCgvDA.exe
2⤵
PID:8008

C:\Windows\System\vCNorWv.exe
C:\Windows\System\vCNorWv.exe
2⤵
PID:8052

C:\Windows\System\ZahgYXh.exe
C:\Windows\System\ZahgYXh.exe
2⤵
PID:7172

C:\Windows\System\biwubNN.exe
C:\Windows\System\biwubNN.exe
2⤵
PID:8168

C:\Windows\System\DcMSiol.exe
C:\Windows\System\DcMSiol.exe
2⤵
PID:7388

C:\Windows\System\eHyFfUC.exe
C:\Windows\System\eHyFfUC.exe
2⤵
PID:7760

C:\Windows\System\QGIVbbZ.exe
C:\Windows\System\QGIVbbZ.exe
2⤵
PID:7744

C:\Windows\System\fdeYyGx.exe
C:\Windows\System\fdeYyGx.exe
2⤵
PID:7876

C:\Windows\System\LgSHXbp.exe
C:\Windows\System\LgSHXbp.exe
2⤵
PID:8020

C:\Windows\System\QrdWmhc.exe
C:\Windows\System\QrdWmhc.exe
2⤵
PID:7352

C:\Windows\System\KUzXeOS.exe
C:\Windows\System\KUzXeOS.exe
2⤵
PID:7688

C:\Windows\System\iZntwNo.exe
C:\Windows\System\iZntwNo.exe
2⤵
PID:7768

C:\Windows\System\KHVrGuJ.exe
C:\Windows\System\KHVrGuJ.exe
2⤵
PID:7676

C:\Windows\System\nAviFJv.exe
C:\Windows\System\nAviFJv.exe
2⤵
PID:8148

C:\Windows\System\bhRhYFF.exe
C:\Windows\System\bhRhYFF.exe
2⤵
PID:8216

C:\Windows\System\svGUEyY.exe
C:\Windows\System\svGUEyY.exe
2⤵
PID:8232

C:\Windows\System\WKPjEPF.exe
C:\Windows\System\WKPjEPF.exe
2⤵
PID:8248

C:\Windows\System\EFnZXrc.exe
C:\Windows\System\EFnZXrc.exe
2⤵
PID:8268

C:\Windows\System\SiGqZOP.exe
C:\Windows\System\SiGqZOP.exe
2⤵
PID:8288

C:\Windows\System\sJiQVPz.exe
C:\Windows\System\sJiQVPz.exe
2⤵
PID:8324

C:\Windows\System\yQJRtQV.exe
C:\Windows\System\yQJRtQV.exe
2⤵
PID:8384

C:\Windows\System\spJazjp.exe
C:\Windows\System\spJazjp.exe
2⤵
PID:8424

C:\Windows\System\NHvjTPM.exe
C:\Windows\System\NHvjTPM.exe
2⤵
PID:8488

C:\Windows\System\nbBloOS.exe
C:\Windows\System\nbBloOS.exe
2⤵
PID:8520

C:\Windows\System\oyyvIol.exe
C:\Windows\System\oyyvIol.exe
2⤵
PID:8544

C:\Windows\System\dCNQaXg.exe
C:\Windows\System\dCNQaXg.exe
2⤵
PID:8560

C:\Windows\System\GZCTKiY.exe
C:\Windows\System\GZCTKiY.exe
2⤵
PID:8576

C:\Windows\System\oXKMEkI.exe
C:\Windows\System\oXKMEkI.exe
2⤵
PID:8596

C:\Windows\System\jcjtEvA.exe
C:\Windows\System\jcjtEvA.exe
2⤵
PID:8612

C:\Windows\System\OqNDNYm.exe
C:\Windows\System\OqNDNYm.exe
2⤵
PID:8652

C:\Windows\System\hxzlUpO.exe
C:\Windows\System\hxzlUpO.exe
2⤵
PID:8700

C:\Windows\System\WhocBWG.exe
C:\Windows\System\WhocBWG.exe
2⤵
PID:8716

C:\Windows\System\kzgmqxA.exe
C:\Windows\System\kzgmqxA.exe
2⤵
PID:8752

C:\Windows\System\KdSrJih.exe
C:\Windows\System\KdSrJih.exe
2⤵
PID:8768

C:\Windows\System\eqBMGOE.exe
C:\Windows\System\eqBMGOE.exe
2⤵
PID:8788

C:\Windows\System\AJyxlKa.exe
C:\Windows\System\AJyxlKa.exe
2⤵
PID:8820

C:\Windows\System\eWAfJmB.exe
C:\Windows\System\eWAfJmB.exe
2⤵
PID:8852

C:\Windows\System\YLpnZMK.exe
C:\Windows\System\YLpnZMK.exe
2⤵
PID:8896

C:\Windows\System\rRwyYvT.exe
C:\Windows\System\rRwyYvT.exe
2⤵
PID:8928

C:\Windows\System\WYAHvfk.exe
C:\Windows\System\WYAHvfk.exe
2⤵
PID:8964

C:\Windows\System\BXZKAKw.exe
C:\Windows\System\BXZKAKw.exe
2⤵
PID:8984

C:\Windows\System\tiZQZEK.exe
C:\Windows\System\tiZQZEK.exe
2⤵
PID:9028

C:\Windows\System\CGODgiJ.exe
C:\Windows\System\CGODgiJ.exe
2⤵
PID:9048

C:\Windows\System\bSSLIkF.exe
C:\Windows\System\bSSLIkF.exe
2⤵
PID:9080

C:\Windows\System\PUNAxmJ.exe
C:\Windows\System\PUNAxmJ.exe
2⤵
PID:9116

C:\Windows\System\IJJGoKh.exe
C:\Windows\System\IJJGoKh.exe
2⤵
PID:9144

C:\Windows\System\MXvLElX.exe
C:\Windows\System\MXvLElX.exe
2⤵
PID:9184

C:\Windows\System\evmtPKN.exe
C:\Windows\System\evmtPKN.exe
2⤵
PID:9212

C:\Windows\System\XZKuZGu.exe
C:\Windows\System\XZKuZGu.exe
2⤵
PID:8172

C:\Windows\System\RExZJgk.exe
C:\Windows\System\RExZJgk.exe
2⤵
PID:7556

C:\Windows\System\GPPnDva.exe
C:\Windows\System\GPPnDva.exe
2⤵
PID:8284

C:\Windows\System\RUMVlVt.exe
C:\Windows\System\RUMVlVt.exe
2⤵
PID:8244

C:\Windows\System\rBthEOB.exe
C:\Windows\System\rBthEOB.exe
2⤵
PID:8308

C:\Windows\System\DnOPuqM.exe
C:\Windows\System\DnOPuqM.exe
2⤵
PID:8416

C:\Windows\System\vXPAmSb.exe
C:\Windows\System\vXPAmSb.exe
2⤵
PID:8468

C:\Windows\System\cgFymbf.exe
C:\Windows\System\cgFymbf.exe
2⤵
PID:3796

C:\Windows\System\vMGLpNt.exe
C:\Windows\System\vMGLpNt.exe
2⤵
PID:8632

C:\Windows\System\SRfWSPr.exe
C:\Windows\System\SRfWSPr.exe
2⤵
PID:8588

C:\Windows\System\jLuWNOP.exe
C:\Windows\System\jLuWNOP.exe
2⤵
PID:8708

C:\Windows\System\BNBZBCt.exe
C:\Windows\System\BNBZBCt.exe
2⤵
PID:8688

C:\Windows\System\gsZGWCi.exe
C:\Windows\System\gsZGWCi.exe
2⤵
PID:8780

C:\Windows\System\fRxLfZd.exe
C:\Windows\System\fRxLfZd.exe
2⤵
PID:8836

C:\Windows\System\jYSRMWa.exe
C:\Windows\System\jYSRMWa.exe
2⤵
PID:8872

C:\Windows\System\ZmDWnJS.exe
C:\Windows\System\ZmDWnJS.exe
2⤵
PID:8980

C:\Windows\System\CQlIeSu.exe
C:\Windows\System\CQlIeSu.exe
2⤵
PID:9056

C:\Windows\System\vzKJIHv.exe
C:\Windows\System\vzKJIHv.exe
2⤵
PID:9024

C:\Windows\System\vLFBfVI.exe
C:\Windows\System\vLFBfVI.exe
2⤵
PID:9092

C:\Windows\System\ATrkuQU.exe
C:\Windows\System\ATrkuQU.exe
2⤵
PID:9108

C:\Windows\System\pKevltn.exe
C:\Windows\System\pKevltn.exe
2⤵
PID:3404

C:\Windows\System\KsupRAV.exe
C:\Windows\System\KsupRAV.exe
2⤵
PID:8264

C:\Windows\System\AGUZckA.exe
C:\Windows\System\AGUZckA.exe
2⤵
PID:8368

C:\Windows\System\liMZBWG.exe
C:\Windows\System\liMZBWG.exe
2⤵
PID:9176

C:\Windows\System\KcATIwa.exe
C:\Windows\System\KcATIwa.exe
2⤵
PID:9104

C:\Windows\System\edZXvhE.exe
C:\Windows\System\edZXvhE.exe
2⤵
PID:8260

C:\Windows\System\jFuvmpA.exe
C:\Windows\System\jFuvmpA.exe
2⤵
PID:8648

C:\Windows\System\rsRiGje.exe
C:\Windows\System\rsRiGje.exe
2⤵
PID:8320

C:\Windows\System\xHohfCg.exe
C:\Windows\System\xHohfCg.exe
2⤵
PID:7628

C:\Windows\System\jruUXTW.exe
C:\Windows\System\jruUXTW.exe
2⤵
PID:9220

C:\Windows\System\GdLhSXb.exe
C:\Windows\System\GdLhSXb.exe
2⤵
PID:9236

C:\Windows\System\BhgbrzM.exe
C:\Windows\System\BhgbrzM.exe
2⤵
PID:9260

C:\Windows\System\jfhMxOj.exe
C:\Windows\System\jfhMxOj.exe
2⤵
PID:9276

C:\Windows\System\WNgjrtK.exe
C:\Windows\System\WNgjrtK.exe
2⤵
PID:9308

C:\Windows\System\DfKbUeF.exe
C:\Windows\System\DfKbUeF.exe
2⤵
PID:9340

C:\Windows\System\fXVYLet.exe
C:\Windows\System\fXVYLet.exe
2⤵
PID:9364

C:\Windows\System\qVBGyKu.exe
C:\Windows\System\qVBGyKu.exe
2⤵
PID:9428

C:\Windows\System\lQYvMjA.exe
C:\Windows\System\lQYvMjA.exe
2⤵
PID:9476

C:\Windows\System\KwhcqbT.exe
C:\Windows\System\KwhcqbT.exe
2⤵
PID:9516

C:\Windows\System\VedAIXR.exe
C:\Windows\System\VedAIXR.exe
2⤵
PID:9536

C:\Windows\System\alMaZJW.exe
C:\Windows\System\alMaZJW.exe
2⤵
PID:9560

C:\Windows\System\DBufbqB.exe
C:\Windows\System\DBufbqB.exe
2⤵
PID:9576

C:\Windows\System\NuculeJ.exe
C:\Windows\System\NuculeJ.exe
2⤵
PID:9592

C:\Windows\System\TjeejmR.exe
C:\Windows\System\TjeejmR.exe
2⤵
PID:9636

C:\Windows\System\BkBHJJP.exe
C:\Windows\System\BkBHJJP.exe
2⤵
PID:9652

C:\Windows\System\hQVHGLK.exe
C:\Windows\System\hQVHGLK.exe
2⤵
PID:9676

C:\Windows\System\UFNZbZW.exe
C:\Windows\System\UFNZbZW.exe
2⤵
PID:9692

C:\Windows\System\uAmVJrr.exe
C:\Windows\System\uAmVJrr.exe
2⤵
PID:9712

C:\Windows\System\JwUDEmk.exe
C:\Windows\System\JwUDEmk.exe
2⤵
PID:9784

C:\Windows\System\BPtLCxd.exe
C:\Windows\System\BPtLCxd.exe
2⤵
PID:9812

C:\Windows\System\gRjHqLF.exe
C:\Windows\System\gRjHqLF.exe
2⤵
PID:9860

C:\Windows\System\TfapbaD.exe
C:\Windows\System\TfapbaD.exe
2⤵
PID:9900

C:\Windows\System\ycNViwn.exe
C:\Windows\System\ycNViwn.exe
2⤵
PID:9916

C:\Windows\System\lKRoTuf.exe
C:\Windows\System\lKRoTuf.exe
2⤵
PID:9932

C:\Windows\System\rdPmnku.exe
C:\Windows\System\rdPmnku.exe
2⤵
PID:9956

C:\Windows\System\DfcTZDz.exe
C:\Windows\System\DfcTZDz.exe
2⤵
PID:9980

C:\Windows\System\UPqOziU.exe
C:\Windows\System\UPqOziU.exe
2⤵
PID:10000

C:\Windows\System\YMsWZoi.exe
C:\Windows\System\YMsWZoi.exe
2⤵
PID:10016

C:\Windows\System\cYlvHer.exe
C:\Windows\System\cYlvHer.exe
2⤵
PID:10048

C:\Windows\System\htvofbf.exe
C:\Windows\System\htvofbf.exe
2⤵
PID:10084

C:\Windows\System\dKhkbtD.exe
C:\Windows\System\dKhkbtD.exe
2⤵
PID:10100

C:\Windows\System\dfPTHUk.exe
C:\Windows\System\dfPTHUk.exe
2⤵
PID:10116

C:\Windows\System\RMdhKJi.exe
C:\Windows\System\RMdhKJi.exe
2⤵
PID:10140

C:\Windows\System\wEzkExC.exe
C:\Windows\System\wEzkExC.exe
2⤵
PID:10168

C:\Windows\System\XwFdGHG.exe
C:\Windows\System\XwFdGHG.exe
2⤵
PID:10192

C:\Windows\System\LHvCBmI.exe
C:\Windows\System\LHvCBmI.exe
2⤵
PID:10208

C:\Windows\System\uqEHyqE.exe
C:\Windows\System\uqEHyqE.exe
2⤵
PID:8948

C:\Windows\System\yrAXaBt.exe
C:\Windows\System\yrAXaBt.exe
2⤵
PID:9304

C:\Windows\System\YqdqrpP.exe
C:\Windows\System\YqdqrpP.exe
2⤵
PID:9296

C:\Windows\System\ewSSagJ.exe
C:\Windows\System\ewSSagJ.exe
2⤵
PID:9392

C:\Windows\System\EwFsmSt.exe
C:\Windows\System\EwFsmSt.exe
2⤵
PID:9468

C:\Windows\System\GhnrqHo.exe
C:\Windows\System\GhnrqHo.exe
2⤵
PID:9552

C:\Windows\System\aSPufXC.exe
C:\Windows\System\aSPufXC.exe
2⤵
PID:9684

C:\Windows\System\honyaiJ.exe
C:\Windows\System\honyaiJ.exe
2⤵
PID:9644

C:\Windows\System\PXoVWbZ.exe
C:\Windows\System\PXoVWbZ.exe
2⤵
PID:9732

C:\Windows\System\wFNfaIe.exe
C:\Windows\System\wFNfaIe.exe
2⤵
PID:9748

C:\Windows\System\ByFCvLY.exe
C:\Windows\System\ByFCvLY.exe
2⤵
PID:9836

C:\Windows\System\beXvyUg.exe
C:\Windows\System\beXvyUg.exe
2⤵
PID:9868

C:\Windows\System\UhlvCwz.exe
C:\Windows\System\UhlvCwz.exe
2⤵
PID:9952

C:\Windows\System\CdFQtns.exe
C:\Windows\System\CdFQtns.exe
2⤵
PID:10056

C:\Windows\System\CainEhY.exe
C:\Windows\System\CainEhY.exe
2⤵
PID:10024

C:\Windows\System\BreYSRS.exe
C:\Windows\System\BreYSRS.exe
2⤵
PID:10124

C:\Windows\System\YYxroIY.exe
C:\Windows\System\YYxroIY.exe
2⤵
PID:9268

C:\Windows\System\dmIlIaS.exe
C:\Windows\System\dmIlIaS.exe
2⤵
PID:9384

C:\Windows\System\qEqdQTK.exe
C:\Windows\System\qEqdQTK.exe
2⤵
PID:9228

C:\Windows\System\ycjkXXE.exe
C:\Windows\System\ycjkXXE.exe
2⤵
PID:9532

C:\Windows\System\JxiVwhM.exe
C:\Windows\System\JxiVwhM.exe
2⤵
PID:9776

C:\Windows\System\KDmPopk.exe
C:\Windows\System\KDmPopk.exe
2⤵
PID:9924

C:\Windows\System\lbrqENi.exe
C:\Windows\System\lbrqENi.exe
2⤵
PID:10176

C:\Windows\System\qMYehip.exe
C:\Windows\System\qMYehip.exe
2⤵
PID:10204

C:\Windows\System\HSIXHib.exe
C:\Windows\System\HSIXHib.exe
2⤵
PID:9356

C:\Windows\System\luJbSev.exe
C:\Windows\System\luJbSev.exe
2⤵
PID:9972

C:\Windows\System\qrmjNcR.exe
C:\Windows\System\qrmjNcR.exe
2⤵
PID:10244

C:\Windows\System\YwPMnFx.exe
C:\Windows\System\YwPMnFx.exe
2⤵
PID:10264

C:\Windows\System\VEmBjJc.exe
C:\Windows\System\VEmBjJc.exe
2⤵
PID:10312

C:\Windows\System\oClYzji.exe
C:\Windows\System\oClYzji.exe
2⤵
PID:10332

C:\Windows\System\ZjJZadV.exe
C:\Windows\System\ZjJZadV.exe
2⤵
PID:10392

C:\Windows\System\fpUWMSU.exe
C:\Windows\System\fpUWMSU.exe
2⤵
PID:10408

C:\Windows\System\PASmfYe.exe
C:\Windows\System\PASmfYe.exe
2⤵
PID:10436

C:\Windows\System\ejxHHAL.exe
C:\Windows\System\ejxHHAL.exe
2⤵
PID:10452

C:\Windows\System\dmxDXqM.exe
C:\Windows\System\dmxDXqM.exe
2⤵
PID:10472

C:\Windows\System\niZDwKr.exe
C:\Windows\System\niZDwKr.exe
2⤵
PID:10496

C:\Windows\System\zjVdDHt.exe
C:\Windows\System\zjVdDHt.exe
2⤵
PID:10512

C:\Windows\System\jtZgwmq.exe
C:\Windows\System\jtZgwmq.exe
2⤵
PID:10528

C:\Windows\System\RWXFFTE.exe
C:\Windows\System\RWXFFTE.exe
2⤵
PID:10556

C:\Windows\System\DcaHJTs.exe
C:\Windows\System\DcaHJTs.exe
2⤵
PID:10572

C:\Windows\System\yOxiglI.exe
C:\Windows\System\yOxiglI.exe
2⤵
PID:10600

C:\Windows\System\SKsXNox.exe
C:\Windows\System\SKsXNox.exe
2⤵
PID:10668

C:\Windows\System\NNneiGI.exe
C:\Windows\System\NNneiGI.exe
2⤵
PID:10688

C:\Windows\System\BYLSKrF.exe
C:\Windows\System\BYLSKrF.exe
2⤵
PID:10716

C:\Windows\System\rrWQANt.exe
C:\Windows\System\rrWQANt.exe
2⤵
PID:10740

C:\Windows\System\heAXBui.exe
C:\Windows\System\heAXBui.exe
2⤵
PID:10756

C:\Windows\System\zjFPSXX.exe
C:\Windows\System\zjFPSXX.exe
2⤵
PID:10776

C:\Windows\System\PWjsEWG.exe
C:\Windows\System\PWjsEWG.exe
2⤵
PID:10820

C:\Windows\System\EMUMyZw.exe
C:\Windows\System\EMUMyZw.exe
2⤵
PID:10836

C:\Windows\System\LzrgcrK.exe
C:\Windows\System\LzrgcrK.exe
2⤵
PID:10856

C:\Windows\System\UytskvT.exe
C:\Windows\System\UytskvT.exe
2⤵
PID:10872

C:\Windows\System\Pvcosow.exe
C:\Windows\System\Pvcosow.exe
2⤵
PID:10956

C:\Windows\System\ofotQVx.exe
C:\Windows\System\ofotQVx.exe
2⤵
PID:11024

C:\Windows\System\vfLLhEQ.exe
C:\Windows\System\vfLLhEQ.exe
2⤵
PID:11040

C:\Windows\System\gUjJQPl.exe
C:\Windows\System\gUjJQPl.exe
2⤵
PID:11072

C:\Windows\System\KjHdhCE.exe
C:\Windows\System\KjHdhCE.exe
2⤵
PID:11088

C:\Windows\System\VlUUXcc.exe
C:\Windows\System\VlUUXcc.exe
2⤵
PID:11116

C:\Windows\System\numQMNI.exe
C:\Windows\System\numQMNI.exe
2⤵
PID:11132

C:\Windows\System\SURamGy.exe
C:\Windows\System\SURamGy.exe
2⤵
PID:11156

C:\Windows\System\eAzbdPC.exe
C:\Windows\System\eAzbdPC.exe
2⤵
PID:11172

C:\Windows\System\qYltOIp.exe
C:\Windows\System\qYltOIp.exe
2⤵
PID:11208

C:\Windows\System\ViYOGCI.exe
C:\Windows\System\ViYOGCI.exe
2⤵
PID:11224

C:\Windows\System\fEeXKMF.exe
C:\Windows\System\fEeXKMF.exe
2⤵
PID:11256

C:\Windows\System\vpRnqmC.exe
C:\Windows\System\vpRnqmC.exe
2⤵
PID:9728

C:\Windows\System\KVCIOff.exe
C:\Windows\System\KVCIOff.exe
2⤵
PID:10352

C:\Windows\System\IZZXqaR.exe
C:\Windows\System\IZZXqaR.exe
2⤵
PID:10444

C:\Windows\System\UjpFXmm.exe
C:\Windows\System\UjpFXmm.exe
2⤵
PID:10548

C:\Windows\System\DugciWq.exe
C:\Windows\System\DugciWq.exe
2⤵
PID:10644

C:\Windows\System\KakYlCn.exe
C:\Windows\System\KakYlCn.exe
2⤵
PID:10632

C:\Windows\System\TCsKKpE.exe
C:\Windows\System\TCsKKpE.exe
2⤵
PID:10844

C:\Windows\System\UKRfgxX.exe
C:\Windows\System\UKRfgxX.exe
2⤵
PID:10980

C:\Windows\System\WjuyqQh.exe
C:\Windows\System\WjuyqQh.exe
2⤵
PID:11032

C:\Windows\System\OPhtInN.exe
C:\Windows\System\OPhtInN.exe
2⤵
PID:11064

C:\Windows\System\nCKLRyS.exe
C:\Windows\System\nCKLRyS.exe
2⤵
PID:11128

C:\Windows\System\ZIpYRfY.exe
C:\Windows\System\ZIpYRfY.exe
2⤵
PID:11096

C:\Windows\System\rpghHnU.exe
C:\Windows\System\rpghHnU.exe
2⤵
PID:11164

C:\Windows\System\qIfHHGL.exe
C:\Windows\System\qIfHHGL.exe
2⤵
PID:11196

C:\Windows\System\HzrGfQQ.exe
C:\Windows\System\HzrGfQQ.exe
2⤵
PID:11248

C:\Windows\System\eSklhAZ.exe
C:\Windows\System\eSklhAZ.exe
2⤵
PID:11252

C:\Windows\System\ukqPlFu.exe
C:\Windows\System\ukqPlFu.exe
2⤵
PID:10096

C:\Windows\System\IBsORel.exe
C:\Windows\System\IBsORel.exe
2⤵
PID:10404

C:\Windows\System\vzDZolY.exe
C:\Windows\System\vzDZolY.exe
2⤵
PID:10540

C:\Windows\System\mCnNEgi.exe
C:\Windows\System\mCnNEgi.exe
2⤵
PID:10520

C:\Windows\System\KqvRvPq.exe
C:\Windows\System\KqvRvPq.exe
2⤵
PID:10792

C:\Windows\System\KOdbaKr.exe
C:\Windows\System\KOdbaKr.exe
2⤵
PID:10732

C:\Windows\System\qNTjMBQ.exe
C:\Windows\System\qNTjMBQ.exe
2⤵
PID:10488

C:\Windows\System\pfftrNW.exe
C:\Windows\System\pfftrNW.exe
2⤵
PID:10908

C:\Windows\System\ZGitIhE.exe
C:\Windows\System\ZGitIhE.exe
2⤵
PID:10388

C:\Windows\System\iEbdJdg.exe
C:\Windows\System\iEbdJdg.exe
2⤵
PID:10260

C:\Windows\System\ruGmltw.exe
C:\Windows\System\ruGmltw.exe
2⤵
PID:10712

C:\Windows\System\GQTDYAn.exe
C:\Windows\System\GQTDYAn.exe
2⤵
PID:11036

C:\Windows\System\xUCECEL.exe
C:\Windows\System\xUCECEL.exe
2⤵
PID:11004

C:\Windows\System\xNPbaTY.exe
C:\Windows\System\xNPbaTY.exe
2⤵
PID:11192

C:\Windows\System\uEpuHFp.exe
C:\Windows\System\uEpuHFp.exe
2⤵
PID:11276

C:\Windows\System\TInRNcW.exe
C:\Windows\System\TInRNcW.exe
2⤵
PID:11292

C:\Windows\System\jOwGxpd.exe
C:\Windows\System\jOwGxpd.exe
2⤵
PID:11320

C:\Windows\System\CVdRrEk.exe
C:\Windows\System\CVdRrEk.exe
2⤵
PID:11336

C:\Windows\System\PuHRmft.exe
C:\Windows\System\PuHRmft.exe
2⤵
PID:11436

C:\Windows\System\mTMqFss.exe
C:\Windows\System\mTMqFss.exe
2⤵
PID:11480

C:\Windows\System\uWUrbKJ.exe
C:\Windows\System\uWUrbKJ.exe
2⤵
PID:11504

C:\Windows\System\SZHorLz.exe
C:\Windows\System\SZHorLz.exe
2⤵
PID:11520

C:\Windows\System\bsMKBjQ.exe
C:\Windows\System\bsMKBjQ.exe
2⤵
PID:11544

C:\Windows\System\kRwuvhF.exe
C:\Windows\System\kRwuvhF.exe
2⤵
PID:11564

C:\Windows\System\qYRkIKE.exe
C:\Windows\System\qYRkIKE.exe
2⤵
PID:11640

C:\Windows\System\aWbDAxI.exe
C:\Windows\System\aWbDAxI.exe
2⤵
PID:11704

C:\Windows\System\VaILqyB.exe
C:\Windows\System\VaILqyB.exe
2⤵
PID:11720

C:\Windows\System\kBAjcwi.exe
C:\Windows\System\kBAjcwi.exe
2⤵
PID:11736

C:\Windows\System\JqSoNik.exe
C:\Windows\System\JqSoNik.exe
2⤵
PID:11828

C:\Windows\System\crwGJZr.exe
C:\Windows\System\crwGJZr.exe
2⤵
PID:11852

C:\Windows\System\PxeaFkT.exe
C:\Windows\System\PxeaFkT.exe
2⤵
PID:11908

C:\Windows\System\OBUfhsK.exe
C:\Windows\System\OBUfhsK.exe
2⤵
PID:11944

C:\Windows\System\XAkebmh.exe
C:\Windows\System\XAkebmh.exe
2⤵
PID:11960

C:\Windows\System\zfpdvKI.exe
C:\Windows\System\zfpdvKI.exe
2⤵
PID:11980

C:\Windows\System\fRmyUkO.exe
C:\Windows\System\fRmyUkO.exe
2⤵
PID:12000

C:\Windows\System\MEqcWVk.exe
C:\Windows\System\MEqcWVk.exe
2⤵
PID:12028

C:\Windows\System\yuwIXFI.exe
C:\Windows\System\yuwIXFI.exe
2⤵
PID:12064

C:\Windows\System\WrKsYrE.exe
C:\Windows\System\WrKsYrE.exe
2⤵
PID:12084

C:\Windows\System\WqvpFMP.exe
C:\Windows\System\WqvpFMP.exe
2⤵
PID:12112

C:\Windows\System\YMnvMQQ.exe
C:\Windows\System\YMnvMQQ.exe
2⤵
PID:12140

C:\Windows\System\HhNVujk.exe
C:\Windows\System\HhNVujk.exe
2⤵
PID:12160

C:\Windows\System\heOKLUl.exe
C:\Windows\System\heOKLUl.exe
2⤵
PID:12248

C:\Windows\System\uhKDNgM.exe
C:\Windows\System\uhKDNgM.exe
2⤵
PID:12264

C:\Windows\System\FyYUBFL.exe
C:\Windows\System\FyYUBFL.exe
2⤵
PID:10812

C:\Windows\System\zyESZRg.exe
C:\Windows\System\zyESZRg.exe
2⤵
PID:10620

C:\Windows\System\lqztxZb.exe
C:\Windows\System\lqztxZb.exe
2⤵
PID:11188

C:\Windows\System\AMswVhp.exe
C:\Windows\System\AMswVhp.exe
2⤵
PID:10884

C:\Windows\System\bbgJUJs.exe
C:\Windows\System\bbgJUJs.exe
2⤵
PID:10460

C:\Windows\System\SgPmgUB.exe
C:\Windows\System\SgPmgUB.exe
2⤵
PID:11284

C:\Windows\System\PgSOPLk.exe
C:\Windows\System\PgSOPLk.exe
2⤵
PID:11360

C:\Windows\System\DEPnsDg.exe
C:\Windows\System\DEPnsDg.exe
2⤵
PID:11408

C:\Windows\System\KAgIbVH.exe
C:\Windows\System\KAgIbVH.exe
2⤵
PID:11492

C:\Windows\System\ILUtszO.exe
C:\Windows\System\ILUtszO.exe
2⤵
PID:11576

C:\Windows\System\JrwfGOF.exe
C:\Windows\System\JrwfGOF.exe
2⤵
PID:11556

C:\Windows\System\qwxzXdZ.exe
C:\Windows\System\qwxzXdZ.exe
2⤵
PID:11660

C:\Windows\System\cUFEDbI.exe
C:\Windows\System\cUFEDbI.exe
2⤵
PID:11732

C:\Windows\System\uGerjpW.exe
C:\Windows\System\uGerjpW.exe
2⤵
PID:11812

C:\Windows\System\nwSfKhG.exe
C:\Windows\System\nwSfKhG.exe
2⤵
PID:11864

C:\Windows\System\jucjXgF.exe
C:\Windows\System\jucjXgF.exe
2⤵
PID:11844

C:\Windows\System\PLojjVV.exe
C:\Windows\System\PLojjVV.exe
2⤵
PID:12020

C:\Windows\System\ALJXbnC.exe
C:\Windows\System\ALJXbnC.exe
2⤵
PID:12108

C:\Windows\System\wROPuMk.exe
C:\Windows\System\wROPuMk.exe
2⤵
PID:12188

C:\Windows\System\GOcOKzS.exe
C:\Windows\System\GOcOKzS.exe
2⤵
PID:10328

C:\Windows\System\nYMaYHW.exe
C:\Windows\System\nYMaYHW.exe
2⤵
PID:11152

C:\Windows\System\aoKMTYf.exe
C:\Windows\System\aoKMTYf.exe
2⤵
PID:10044

C:\Windows\System\TOzWSqQ.exe
C:\Windows\System\TOzWSqQ.exe
2⤵
PID:11332

C:\Windows\System\mOnlzTt.exe
C:\Windows\System\mOnlzTt.exe
2⤵
PID:11488

C:\Windows\System\sYvFtLF.exe
C:\Windows\System\sYvFtLF.exe
2⤵
PID:11432

C:\Windows\System\PPEOpfs.exe
C:\Windows\System\PPEOpfs.exe
2⤵
PID:3440

C:\Windows\System\bSClTnJ.exe
C:\Windows\System\bSClTnJ.exe
2⤵
PID:11996

C:\Windows\System\MiMzwAF.exe
C:\Windows\System\MiMzwAF.exe
2⤵
PID:12156

C:\Windows\System\JqqXsae.exe
C:\Windows\System\JqqXsae.exe
2⤵
PID:12172

C:\Windows\System\vQRaTbk.exe
C:\Windows\System\vQRaTbk.exe
2⤵
PID:11084

C:\Windows\System\HZVsEKP.exe
C:\Windows\System\HZVsEKP.exe
2⤵
PID:3988

C:\Windows\System\zZVhPAt.exe
C:\Windows\System\zZVhPAt.exe
2⤵
PID:11512

C:\Windows\System\VQwUgvK.exe
C:\Windows\System\VQwUgvK.exe
2⤵
PID:2796

C:\Windows\System\fqWKkKB.exe
C:\Windows\System\fqWKkKB.exe
2⤵
PID:11956

C:\Windows\System\KLZschx.exe
C:\Windows\System\KLZschx.exe
2⤵
PID:10932

C:\Windows\System\zadcsKm.exe
C:\Windows\System\zadcsKm.exe
2⤵
PID:12344

C:\Windows\System\aoObLDX.exe
C:\Windows\System\aoObLDX.exe
2⤵
PID:12364

C:\Windows\System\VSTLzCX.exe
C:\Windows\System\VSTLzCX.exe
2⤵
PID:12392

C:\Windows\System\faPqAfT.exe
C:\Windows\System\faPqAfT.exe
2⤵
PID:12408

C:\Windows\System\wzaKkFu.exe
C:\Windows\System\wzaKkFu.exe
2⤵
PID:12460

C:\Windows\System\OMrOMce.exe
C:\Windows\System\OMrOMce.exe
2⤵
PID:12476

C:\Windows\System\NnIiUOr.exe
C:\Windows\System\NnIiUOr.exe
2⤵
PID:12512

C:\Windows\System\tpWLmvo.exe
C:\Windows\System\tpWLmvo.exe
2⤵
PID:12532

C:\Windows\System\BsDpmaA.exe
C:\Windows\System\BsDpmaA.exe
2⤵
PID:12592

C:\Windows\System\YeTzUTp.exe
C:\Windows\System\YeTzUTp.exe
2⤵
PID:12608

C:\Windows\System\zfMWAXS.exe
C:\Windows\System\zfMWAXS.exe
2⤵
PID:12624

C:\Windows\System\hnjJhAe.exe
C:\Windows\System\hnjJhAe.exe
2⤵
PID:12652

C:\Windows\System\dZBzhUY.exe
C:\Windows\System\dZBzhUY.exe
2⤵
PID:12672

C:\Windows\System\htxInlW.exe
C:\Windows\System\htxInlW.exe
2⤵
PID:12708

C:\Windows\System\yOLyqqb.exe
C:\Windows\System\yOLyqqb.exe
2⤵
PID:12740

C:\Windows\System\gaobvxB.exe
C:\Windows\System\gaobvxB.exe
2⤵
PID:12756

C:\Windows\System\zIfyrQR.exe
C:\Windows\System\zIfyrQR.exe
2⤵
PID:12804

C:\Windows\System\BsVGkJp.exe
C:\Windows\System\BsVGkJp.exe
2⤵
PID:12824

C:\Windows\System\afSKWwh.exe
C:\Windows\System\afSKWwh.exe
2⤵
PID:12868

C:\Windows\System\lrlwhtq.exe
C:\Windows\System\lrlwhtq.exe
2⤵
PID:12892

C:\Windows\System\QGTjeEZ.exe
C:\Windows\System\QGTjeEZ.exe
2⤵
PID:12920

C:\Windows\System\QWlBdZf.exe
C:\Windows\System\QWlBdZf.exe
2⤵
PID:12956

C:\Windows\System\NomuZjI.exe
C:\Windows\System\NomuZjI.exe
2⤵
PID:12976

C:\Windows\System\QCNdeMq.exe
C:\Windows\System\QCNdeMq.exe
2⤵
PID:13008

C:\Windows\System\riVwtab.exe
C:\Windows\System\riVwtab.exe
2⤵
PID:13028

C:\Windows\System\lKIYulw.exe
C:\Windows\System\lKIYulw.exe
2⤵
PID:13048

C:\Windows\System\qInnPCR.exe
C:\Windows\System\qInnPCR.exe
2⤵
PID:13120

C:\Windows\System\vUYxcOV.exe
C:\Windows\System\vUYxcOV.exe
2⤵
PID:13136

C:\Windows\System\pmbNDDB.exe
C:\Windows\System\pmbNDDB.exe
2⤵
PID:13160

C:\Windows\System\DpTIVON.exe
C:\Windows\System\DpTIVON.exe
2⤵
PID:13184

C:\Windows\System\qzrkQEt.exe
C:\Windows\System\qzrkQEt.exe
2⤵
PID:13232

C:\Windows\System\ERegOVx.exe
C:\Windows\System\ERegOVx.exe
2⤵
PID:13252

C:\Windows\System\qWsrZeK.exe
C:\Windows\System\qWsrZeK.exe
2⤵
PID:13272

C:\Windows\System\oEcZtan.exe
C:\Windows\System\oEcZtan.exe
2⤵
PID:13304

C:\Windows\System\AmgNbga.exe
C:\Windows\System\AmgNbga.exe
2⤵
PID:11272

C:\Windows\System\wnDhQYm.exe
C:\Windows\System\wnDhQYm.exe
2⤵
PID:11684

C:\Windows\System\auHKhPr.exe
C:\Windows\System\auHKhPr.exe
2⤵
PID:12372

C:\Windows\System\PdipoOV.exe
C:\Windows\System\PdipoOV.exe
2⤵
PID:12432

C:\Windows\System\JaZxAZG.exe
C:\Windows\System\JaZxAZG.exe
2⤵
PID:12492

C:\Windows\System\IKSKerG.exe
C:\Windows\System\IKSKerG.exe
2⤵
PID:12556

C:\Windows\System\UpSkRzg.exe
C:\Windows\System\UpSkRzg.exe
2⤵
PID:12524

C:\Windows\System\ogqhOBo.exe
C:\Windows\System\ogqhOBo.exe
2⤵
PID:12572

C:\Windows\System\hKNiZvt.exe
C:\Windows\System\hKNiZvt.exe
2⤵
PID:12716

C:\Windows\System\XgbFJcZ.exe
C:\Windows\System\XgbFJcZ.exe
2⤵
PID:12700

C:\Windows\System\kAkyUqV.exe
C:\Windows\System\kAkyUqV.exe
2⤵
PID:12884

C:\Windows\System\PBfKyVU.exe
C:\Windows\System\PBfKyVU.exe
2⤵
PID:12888

C:\Windows\System\NWZEOvt.exe
C:\Windows\System\NWZEOvt.exe
2⤵
PID:13016

C:\Windows\System\bQKGwuk.exe
C:\Windows\System\bQKGwuk.exe
2⤵
PID:13092

C:\Windows\System\rIFddrE.exe
C:\Windows\System\rIFddrE.exe
2⤵
PID:11836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwo4a3ye.zka.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System\AjchIQs.exe
Filesize
735KB

MD5
f9f5e05c2454d0cffc4312371a62212f

SHA1
f3a501a98490d22a9ef8caafec7cc16a2d59c630

SHA256
ee2eefb2eafc6e099116fde10c3b0c65f29da23e09b76373f4bcc0fe01cc8e6d

SHA512
9afd82a79c95169d1b5bbf58ff3273d87258ac05f26de69eb46ab3697e5ddac166f247d4c8bf8854c40760ad112d2aa08c4ac1ed9486751c701437a322cb432d

Download Submit
C:\Windows\System\CKDdNWY.exe
Filesize
731KB

MD5
5910ee7ae4fc7aac6b07b6c3af434334

SHA1
0dd4d9cf77a5143105bcbefb10e87a166e69ea7f

SHA256
e861d76b1c516bc58495119ff41f121ee74d8fe15f208b8d7d7c8809693d5696

SHA512
e437b7b40fbf0683ab527e58822218ad751f82cf1416a78dce788f95a7dcb9ea80b6ebafc03065193b3c40069d48e7a310c6681c39bf15a3ca5f0aa98a078fd5

Download Submit
C:\Windows\System\CtkHofi.exe
Filesize
735KB

MD5
69a22ca5019c8387e03a92a9ef81a5a2

SHA1
839c6b7051fb33605b511e0afdcc0397b9bb1525

SHA256
637e1ab1049fc314c661651502fc5f3a9abfd953fa3a8d904ee5a495404f43e8

SHA512
30c2e08dd8420c76e825eb5a597e6cd8f7dcff99f5a4c9f29c0aeb0824c3baea382626194943fdf88d4e7d5feff9d4d0ca9dc421b39e88b6d4e3c4609d7bcf05

Download Submit
C:\Windows\System\IcrdABL.exe
Filesize
730KB

MD5
2160d4dee80371b021dc7fff8a46a5c3

SHA1
1732759cd14e4fb419ee522eda0f41598fa6eb95

SHA256
71733110d798a12dd1d5f160d6a17965378bfdde07d22893e1f9f69fafb271fd

SHA512
308cb1c482aa3002a484d3d83721fe05e55990f77d4095bd63b5f66b1de705b25902fe85c729f5c99d58c27c7d6239ebfa1cbf24171db8627f7041fa1c9b9d61

Download Submit
C:\Windows\System\JaOKcuK.exe
Filesize
735KB

MD5
360773fcc9b76816d631fc902a993baa

SHA1
dc9036ac6501bfd174ee080afc7fac941ce89eb9

SHA256
03d026b535f1eb416ca0f1d95a675106db565f191c6ddaaa81ea6a29af92ba1b

SHA512
08a082d3e146b2161c97ff23b44ffc83c8a4c16e934f2486451ff592e763ec60916821fd24e4de1c797ae2e0839c20bc33f4e5458fc13c8e31fef173b8644c16

Download Submit
C:\Windows\System\Jwpkugi.exe
Filesize
729KB

MD5
e5e3efe078aff284ed233fa7cb72c3f5

SHA1
4172d7369b4840be8efc8f8708b9819ba205a10b

SHA256
440eaf40ebc860c96991190ae9fe410bb167536a804e6dd95245697681b025bf

SHA512
6c6e5ff5a1fdf1bfd47fe46873c18e2d53556a0c758eab25a982ec91ee80d18e571f25cd5dc5fb0c2c119d330513959615c367928c317cdb2b53fde84cbddf86

Download Submit
C:\Windows\System\KWHUAVA.exe
Filesize
730KB

MD5
1dcbb720558bcb7bdefe55f476bb1780

SHA1
d0f904eab2c549d3f10551d2bccd73bb4f38d97d

SHA256
d11f2aa3d066fff39b31e6333016e0bff0750cc0bea86b7d04a5715e5dfe688e

SHA512
91543e1bc0a45f5ba07997348b899e8e3afcb3fe78e4cb53ebc91f69babad808bd7dfc750f4379366d4d6e43b50e605b26d3e1e8ecc61cbeb4ea1fb06720654e

Download Submit
C:\Windows\System\KZggdMk.exe
Filesize
734KB

MD5
f684569461c105585456e19d9609e725

SHA1
82413cd00cfa135ac9c8506c65b19c9d484e5790

SHA256
fefb87cad13af4b983e107fb43d63207a916e6c3cdf80fe0b84f5729919070e0

SHA512
e53c64f825b9216b8bba6edc1b0accd038d29d7eafd451220dc856f81b2bf060e6707fc591e7e395efd9083d6d541de8f4c0ec0cc52b72b5bbe76d9d1d1b2377

Download Submit
C:\Windows\System\LgEMWxS.exe
Filesize
732KB

MD5
9d1d4e23c5030c14c2df870125928f52

SHA1
7f04ee7ebdb9620497b9f3b604ecbcf8e8393bdf

SHA256
d0d7cf1bc5291f25ca3655a9afdc53bc2a08af03ce63330551f1024b46069408

SHA512
906234ef8abff80e61933099547fc1256a6a7f161b70fce16cc5e25a1dadf5f0fbe6835352dd68c621bcd617d0834b3b40fc720354e85070e023b8c07fae02cb

Download Submit
C:\Windows\System\LiRNiMb.exe
Filesize
736KB

MD5
96c95edb14f1347d88466c7f90c385d8

SHA1
c427d98cc18073cbf8477ced7c51f22dbce65590

SHA256
993595181cf0ffe5cb3f90c7d45fed4a6d24c30245a46535e558a1b0cc32808c

SHA512
44857bd754925931562cd74c9a4840e9a20110ed7006ae93ffc6d96f9e8a418db2944ccaeae54cc6cb482d5cc37d1cbe379374caeff5040265b25b8e99fdeb21

Download Submit
C:\Windows\System\Tormnbi.exe
Filesize
736KB

MD5
ade66657088b2062696f2747c1d170dc

SHA1
d55dc5da3fad64de4649947438e98dc591bd6e54

SHA256
a970ec5d36abb74a12c0334ac448371d6231e2c0c8310f8e626103b90ef1899b

SHA512
7e08e7fac2ece1bd9bbf9bcf7836d18e421ae63c7bbe1eb99fca3c6198509a691aa5533e7018416b8f7cf6464d99cadaa91095982663380b3d86311f66aaecbe

Download Submit
C:\Windows\System\VagQGYs.exe
Filesize
731KB

MD5
c37c7e7ed4e6fc56a6982aaaace14d7a

SHA1
6ed1cf5cca1c5468b672f031b2d3918686189f9f

SHA256
da6e228874153a12f1347dc53468abaf1f6d5a8d95a1c9cb6728606dc1cf5705

SHA512
1f03af5fa9dc65b63d1f968d3a6da364305d37b9113cb6905792eeeb6e6e498a47d37cebcc6059531c23358d13698ba0f779a88b6e0dd8844d8bf5872c3bd113

Download Submit
C:\Windows\System\VoAwaUa.exe
Filesize
733KB

MD5
7c559c511286fff842e7af4001387fe2

SHA1
b5a4da5e500f9303659ccc631cb64b6f6065bd3f

SHA256
5cec10d2f98031ac159f099e2d108b0a3d5533465140b8125ffc26238332a1eb

SHA512
c5b3cbdcb5005fa3a366955b0ccf46a0558455db4fafd96d32b7980a658c334526d614e3a12aa9991d3244ec449432fd166d5269df088a95dbbc1d93f8560d53

Download Submit
C:\Windows\System\VzZpsJQ.exe
Filesize
733KB

MD5
801d0b2ca93618915d63acfc7c6a024c

SHA1
77ada090af8bd80cec7fd35ac2839060315fc6fd

SHA256
90ec4226cf92ff599ab145837f05686b5c04c08875ddab044871f2498d2b21d9

SHA512
394d05a685b81d5122228d5dbaec426ec745703cb6eca33d25655484f5b56f6b01bbcdbfcfcb9118dce97ffd6436ffac8c50fb37cb4d1045c4f0e28c14ca04fd

Download Submit
C:\Windows\System\YnFpJgM.exe
Filesize
734KB

MD5
0442cda839e02cf1c10b6ff9ada2c3a2

SHA1
9791ea365524a982a70f379dea30cae340c23ced

SHA256
90d31af34e9d71f30e23ab2dda5276e2ba934290afc90b2d63b50190aa5060e6

SHA512
6dc35729814255b80433be4ac4cc1585a28c517c5ea8d7661644e35b828dc84aaf244afa85cce5debfcb25b3afadc41977201b929cadfe4cf5bd6f48c32feeb6

Download Submit
C:\Windows\System\ZUCvjzk.exe
Filesize
731KB

MD5
700b2e8fbea54baa65d5f5c93b83ac29

SHA1
8d5ce98bb279c7844af3486ef22fb4182d8ba1e5

SHA256
e64e0f0213c46d372abd960e53acff3010cd97fd47a3f4e3226cbd8b426bc904

SHA512
c8feaa6a0ac4a116136501daabc24bdaa215b82e0d8b96904612dec497cce1ce7c611a3645acaaf508740d8fb34415f7d66190647f0fe3f6167987bea45c75de

Download Submit
C:\Windows\System\aSMQhDU.exe
Filesize
728KB

MD5
79fd004a2477b6eab5a17aa9e1a29875

SHA1
62d77e1091561372314d5382ec319e8bfa8d47d5

SHA256
b38116e4ee29cf102b563863eb807b11709585400b6b6f71a8885f03b8fa7586

SHA512
6745bc5da738048e9785e24fe4c460690a7f7cd4856d875372c5bc24a8f1304123d5c16d8a87b2937a4221e9ce43a3e5723e8402d5ef88971f5163daa97253aa

Download Submit
C:\Windows\System\dqWgeFe.exe
Filesize
734KB

MD5
e74d521d274c09aa7e25705477cb8889

SHA1
9fb7e1b01e54df2c0028de82b8709709f6c6a00d

SHA256
6d2213ec90eb674a8d677c13ed04f179e0b223983874a461c171e05d1989ee8c

SHA512
fc79089c8f900d8693ae551bb96c4fb443aa2cfa98d48962c18991fbc2e87d06f6327f1957a77e80957261bd4de0dcf9ecb9ae87e9fc0adc2fe2251d918680ba

Download Submit
C:\Windows\System\fXnHMrC.exe
Filesize
733KB

MD5
41d9c99a75ee9e7ec744334bfba40535

SHA1
501b63d6387f2b794eeb2b496ca7d6ea5a7c6e6f

SHA256
26ebc2e28447a49dd7bc5da16dfe148941cd69aeb8d7b6a65c17f9c2da75c5ea

SHA512
b343c94d56c1f72a102cb2748845291fded7ebb9c212781ec150887187776c961271f34d5e84a28d14f2f0648b1f75db11060d16a91d9b00e26eb1af7dfc979a

Download Submit
C:\Windows\System\gAeOKEy.exe
Filesize
731KB

MD5
148b2f31f37df4ed2c530589c30d06b3

SHA1
c218f4423e415cfeb077a034f06322ff3a8785ad

SHA256
d8a4a119160db6953d8ee04a0b282ddf3e877b61f4c58ba6c86c4a883e87a068

SHA512
4eaeeb528fe3e396e55567b5761b2c09770cb1c8d4afd3de533059b3c0793b02b57e4b5c5feed815aae43e0fd6447e140a1e2d7713e377c0712c3b724561e4cb

Download Submit
C:\Windows\System\gNNxgps.exe
Filesize
734KB

MD5
b9b142527dfd04be726f5d567fb36609

SHA1
7d055736d7461927781dea27fca0bafe8be49046

SHA256
87e06ad3cdd5fc0e7f550fdd20c5664c74c85a01539c2f8b042bb9b2ee449c39

SHA512
017354c4b43d836214b0f67537523640cd9ba8aa3b05c895b4fd4b92d94d0841a3523c177e1dd350c164703e22c031f2e00398e1b45ce4994ec832f5f53945e8

Download Submit
C:\Windows\System\jsModGW.exe
Filesize
730KB

MD5
02e64fe7cae5abff4e4cff75b7cea358

SHA1
62a6089124f4fb45e031b6e1a147586e7181bff7

SHA256
3d06758d9a79bf50914d4a559d4011a5871772896e8d838d0015b16127791d2c

SHA512
4adfff2cfcf19d7ca6ec067fa8fd00848e08d16edbf82f6abd9a6ffec898dc459f79730620452672ff9b3e0b729459cd6c20520c952fdf15ddfe08ac681aff5c

Download Submit
C:\Windows\System\jwsCMoL.exe
Filesize
732KB

MD5
d461d6e724efe74b11b464ef196662b5

SHA1
ac64a0c9627db8a73b9bbe5876b605b84d658158

SHA256
e90a48b9c0ed54520b545725a39985e3103f5741a5da43ed04645bf7ad43bd66

SHA512
ff29818a8c22856196f4e3e978c664f13156dc23af2008700d28c08f6617836055a31ff897285d3125ee3b02b5dbb27c9c0b79f2a57cdba053d8fc0f98eafc55

Download Submit
C:\Windows\System\mXBrMky.exe
Filesize
736KB

MD5
1c178ba46760614305e4aaa8b98b8896

SHA1
1079ba0334e7cc1eae76612a3bef10baf7d21ce7

SHA256
4819bae38aa303416d635113dc3c3d3d9e97f9deae255f0bf9542ffde6c1ae29

SHA512
9d6880f8d1bb372f8c5ea657bbf1c2c8f3ca19964702fc912308aa3a54ab3902f58ca6060de6bf0cc19aad442b668188b0235266cbe89685894570099da8a77c

Download Submit
C:\Windows\System\mbMFwrv.exe
Filesize
730KB

MD5
325165c317877e2685a01f19098f2a0a

SHA1
df8ac53647e31b2ce2c039ba9aa0dd32a3f8ab82

SHA256
0993947409445e1a8027bd425e77ecf779598b570a918f4182a827c306451e14

SHA512
5c85c9a4409402b32feb02dd1f358988e50089a1ca218b6b8d57b226fa4b6796de7bbb216e4f5b9599256b1cfc09b6bc84ee3ce72e10e1db5834be01a0c73204

Download Submit
C:\Windows\System\oVAnQGS.exe
Filesize
735KB

MD5
8273bc2f8c9c495520b6ebba7b4b3e16

SHA1
240fac668fce9b6d4c3bd7889fe8e8b39688c40d

SHA256
b54ba9f5ed2e453cbae3739eb3d593338905b6d21f26c893c12fc331a62f4384

SHA512
878773258c320e3b8156b0185b1b8216af18956a1eae3668aa5fc48ef124982e4e7895237b0743a018e4a7547ede1bb55d7d14bc595bd278c70e093e10696845

Download Submit
C:\Windows\System\ovsgbqR.exe
Filesize
729KB

MD5
5162bcd839134332d695dc62892a7389

SHA1
0aae5b073c257be352401bb07e501bc7eb8cf58d

SHA256
aacfaebaa15594ca9e1e5e70763317afeaf0807405b4e70bd5aa5083d5487d50

SHA512
39e0030b52df3429c0d09ab77aa6b2f73a9daf096cdc1957c1bec58881175b2fe6205973d3aa470feb6cd73b4405ce52be2a7b13b65a108ecd9bca7e4cb78584

Download Submit
C:\Windows\System\pEUMhlA.exe
Filesize
731KB

MD5
0edfe42c3b49f3cbe899ca17528a59db

SHA1
43adb7044735d30617c522c383ad6745dd2fa7ee

SHA256
2bdd44cfe5f502aa5bbaf7a3d55ebea8479082002c79644bd12a8fd9e61bceaa

SHA512
3cb366326f6426064bf5a3fbf6aeecddc15b4f8da78dd2c4a2c78b366dd612cbffe0e5b76a6668bd853ed873347b8cdfc1e17390d049a4a348466227a14ab1c4

Download Submit
C:\Windows\System\qLjjaCV.exe
Filesize
729KB

MD5
1a6879a8a65e5061b936d070dc4133e6

SHA1
1eb24da83d561e9574b2749e6ae8d6475a90fe78

SHA256
38b6e2584d7d1c30874fe14b87dd3174bb0ef3dcd53b650e29f7e8fd9d4a177f

SHA512
c6c24e0d86e2d15839d9d19f5304dbb9ee050e68d6a212eb1297b4dba35a79f4a9a2ee9d4283f3c3dde66335dd4c0e45cae993a236d9458a939bcd51bed5505d

Download Submit
C:\Windows\System\sJHRmXv.exe
Filesize
733KB

MD5
bac4832550f578b09da7cf0b485564d2

SHA1
466441ff73ff151914e5f9395731ebe38501002d

SHA256
a8c6a771b6f3b628c68c765645d1a860dc584ec152372d24cf68c4dd095fe438

SHA512
c6e30d4d39a7b148041c82efb0210acfbe362ee4e5df09290ff684029e6741d04c7c7c997e0021b99a33fddfb776955eadbab41d374c426ef4c8dc72f21d5f8a

Download Submit
C:\Windows\System\tuCPreH.exe
Filesize
732KB

MD5
f325d35f00c87dd5bea40980b58c4418

SHA1
12c4c38eadc266d7c404d643f60702cee7d6eb70

SHA256
b1afb714767d3f95b6348482f86864c3b3ab6fdd4ba6cc8f1ae322565d08bf1f

SHA512
a64111303fd0dc50e7ec080b6a5d187672e7854552874803354495e7f5b9c3d9877638e9bc3e34785be2139775dfcbcdaf8640aadb849f30df8dd2c134f623b2

Download Submit
C:\Windows\System\ycxEMmS.exe
Filesize
732KB

MD5
e8d160f76cfe626657dc25404d261b14

SHA1
f33bc1841314311099e41dc4272cabc11b6afe6f

SHA256
a16aef0093ec75bc94233ecc9231c49c474f6644a6bc9713b75e9186dde83b93

SHA512
fbcd4d92627cd5eb2bc5f10d1810431bd73a1bb865203c7168022d051c3b9b17619c1ea9bb5a61fe07dddc6b4c19f0d6ab80583f2eb7a97d714664f63396d4b1

Download Submit
C:\Windows\System\znYnYbC.exe
Filesize
729KB

MD5
cf1af0cf972da7f7c3df067d87d05fc9

SHA1
ae0cd570108fb8d8794d1fd1a5f4ab8373257aad

SHA256
81840a86be9ca3fbe7d797ec24929be030758e22a6a26144a86ec7a010d0c45f

SHA512
58a30e2df51d949587ff30e995d9c0e0d98e5d1fe71df3c579fd4d41ba47e4c0e1dc2d25b6b8eac730ba63c8b5c8a731f3057c612d9b2dce56bada3e585d64e0

Download Submit
memory/376-121-0x00007FF6507A0000-0x00007FF650B92000-memory.dmp

Filesize
3.9MB

Download
memory/376-3439-0x00007FF6507A0000-0x00007FF650B92000-memory.dmp

Filesize
3.9MB

Download
memory/376-3393-0x00007FF6507A0000-0x00007FF650B92000-memory.dmp

Filesize
3.9MB

Download
memory/812-3456-0x00007FF7EAC30000-0x00007FF7EB022000-memory.dmp

Filesize
3.9MB

Download
memory/812-319-0x00007FF7EAC30000-0x00007FF7EB022000-memory.dmp

Filesize
3.9MB

Download
memory/1096-3354-0x00007FF689BB0000-0x00007FF689FA2000-memory.dmp

Filesize
3.9MB

Download
memory/1096-15-0x00007FF689BB0000-0x00007FF689FA2000-memory.dmp

Filesize
3.9MB

Download
memory/1096-3408-0x00007FF689BB0000-0x00007FF689FA2000-memory.dmp

Filesize
3.9MB

Download
memory/1120-3462-0x00007FF77ED00000-0x00007FF77F0F2000-memory.dmp

Filesize
3.9MB

Download
memory/1120-326-0x00007FF77ED00000-0x00007FF77F0F2000-memory.dmp

Filesize
3.9MB

Download
memory/1280-353-0x00007FF63D850000-0x00007FF63DC42000-memory.dmp

Filesize
3.9MB

Download
memory/1280-3434-0x00007FF63D850000-0x00007FF63DC42000-memory.dmp

Filesize
3.9MB

Download
memory/1376-17-0x00007FF6B9760000-0x00007FF6B9B52000-memory.dmp

Filesize
3.9MB

Download
memory/1376-3355-0x00007FF6B9760000-0x00007FF6B9B52000-memory.dmp

Filesize
3.9MB

Download
memory/1376-3410-0x00007FF6B9760000-0x00007FF6B9B52000-memory.dmp

Filesize
3.9MB

Download
memory/1488-3458-0x00007FF759AE0000-0x00007FF759ED2000-memory.dmp

Filesize
3.9MB

Download
memory/1488-354-0x00007FF759AE0000-0x00007FF759ED2000-memory.dmp

Filesize
3.9MB

Download
memory/1892-408-0x000002744F5E0000-0x000002744FD86000-memory.dmp

Filesize
7.6MB

Download
memory/1892-3356-0x000002744E770000-0x000002744E780000-memory.dmp

Filesize
64KB

Download
memory/1892-3389-0x00007FFAB7B13000-0x00007FFAB7B15000-memory.dmp

Filesize
8KB

Download
memory/1892-21-0x00007FFAB7B13000-0x00007FFAB7B15000-memory.dmp

Filesize
8KB

Download
memory/1892-143-0x000002744E690000-0x000002744E6B2000-memory.dmp

Filesize
136KB

Download
memory/1892-19-0x000002744E770000-0x000002744E780000-memory.dmp

Filesize
64KB

Download
memory/1892-18-0x000002744E770000-0x000002744E780000-memory.dmp

Filesize
64KB

Download
memory/1980-89-0x00007FF718CD0000-0x00007FF7190C2000-memory.dmp

Filesize
3.9MB

Download
memory/1980-3392-0x00007FF718CD0000-0x00007FF7190C2000-memory.dmp

Filesize
3.9MB

Download
memory/1980-3426-0x00007FF718CD0000-0x00007FF7190C2000-memory.dmp

Filesize
3.9MB

Download
memory/2100-330-0x00007FF7BAC90000-0x00007FF7BB082000-memory.dmp

Filesize
3.9MB

Download
memory/2100-3455-0x00007FF7BAC90000-0x00007FF7BB082000-memory.dmp

Filesize
3.9MB

Download
memory/2952-352-0x00007FF6D7640000-0x00007FF6D7A32000-memory.dmp

Filesize
3.9MB

Download
memory/2952-3441-0x00007FF6D7640000-0x00007FF6D7A32000-memory.dmp

Filesize
3.9MB

Download
memory/3252-1-0x0000016178860000-0x0000016178870000-memory.dmp

Filesize
64KB

Download
memory/3252-0-0x00007FF65B9F0000-0x00007FF65BDE2000-memory.dmp

Filesize
3.9MB

Download
memory/3472-343-0x00007FF706DA0000-0x00007FF707192000-memory.dmp

Filesize
3.9MB

Download
memory/3472-3428-0x00007FF706DA0000-0x00007FF707192000-memory.dmp

Filesize
3.9MB

Download
memory/3624-3420-0x00007FF610A50000-0x00007FF610E42000-memory.dmp

Filesize
3.9MB

Download
memory/3624-332-0x00007FF610A50000-0x00007FF610E42000-memory.dmp

Filesize
3.9MB

Download
memory/3984-99-0x00007FF76DBC0000-0x00007FF76DFB2000-memory.dmp

Filesize
3.9MB

Download
memory/3984-3430-0x00007FF76DBC0000-0x00007FF76DFB2000-memory.dmp

Filesize
3.9MB

Download
memory/3992-77-0x00007FF70AFF0000-0x00007FF70B3E2000-memory.dmp

Filesize
3.9MB

Download
memory/3992-3419-0x00007FF70AFF0000-0x00007FF70B3E2000-memory.dmp

Filesize
3.9MB

Download
memory/4028-3390-0x00007FF676AA0000-0x00007FF676E92000-memory.dmp

Filesize
3.9MB

Download
memory/4028-46-0x00007FF676AA0000-0x00007FF676E92000-memory.dmp

Filesize
3.9MB

Download
memory/4028-3422-0x00007FF676AA0000-0x00007FF676E92000-memory.dmp

Filesize
3.9MB

Download
memory/4112-3449-0x00007FF693990000-0x00007FF693D82000-memory.dmp

Filesize
3.9MB

Download
memory/4112-311-0x00007FF693990000-0x00007FF693D82000-memory.dmp

Filesize
3.9MB

Download
memory/4452-3445-0x00007FF611350000-0x00007FF611742000-memory.dmp

Filesize
3.9MB

Download
memory/4452-151-0x00007FF611350000-0x00007FF611742000-memory.dmp

Filesize
3.9MB

Download
memory/4452-3406-0x00007FF611350000-0x00007FF611742000-memory.dmp

Filesize
3.9MB

Download
memory/4476-3437-0x00007FF6C80C0000-0x00007FF6C84B2000-memory.dmp

Filesize
3.9MB

Download
memory/4476-127-0x00007FF6C80C0000-0x00007FF6C84B2000-memory.dmp

Filesize
3.9MB

Download
memory/4476-3405-0x00007FF6C80C0000-0x00007FF6C84B2000-memory.dmp

Filesize
3.9MB

Download
memory/4516-20-0x00007FF668820000-0x00007FF668C12000-memory.dmp

Filesize
3.9MB

Download
memory/4516-3412-0x00007FF668820000-0x00007FF668C12000-memory.dmp

Filesize
3.9MB

Download
memory/4516-3357-0x00007FF668820000-0x00007FF668C12000-memory.dmp

Filesize
3.9MB

Download
memory/4736-52-0x00007FF6543B0000-0x00007FF6547A2000-memory.dmp

Filesize
3.9MB

Download
memory/4736-3414-0x00007FF6543B0000-0x00007FF6547A2000-memory.dmp

Filesize
3.9MB

Download
memory/4800-75-0x00007FF64B0C0000-0x00007FF64B4B2000-memory.dmp

Filesize
3.9MB

Download
memory/4800-3391-0x00007FF64B0C0000-0x00007FF64B4B2000-memory.dmp

Filesize
3.9MB

Download
memory/4800-3424-0x00007FF64B0C0000-0x00007FF64B4B2000-memory.dmp

Filesize
3.9MB

Download
memory/4928-351-0x00007FF75CA50000-0x00007FF75CE42000-memory.dmp

Filesize
3.9MB

Download
memory/4928-3417-0x00007FF75CA50000-0x00007FF75CE42000-memory.dmp

Filesize
3.9MB

Download
memory/4944-313-0x00007FF694250000-0x00007FF694642000-memory.dmp

Filesize
3.9MB

Download
memory/4944-3447-0x00007FF694250000-0x00007FF694642000-memory.dmp

Filesize
3.9MB

Download
memory/5012-128-0x00007FF776830000-0x00007FF776C22000-memory.dmp

Filesize
3.9MB

Download
memory/5012-3432-0x00007FF776830000-0x00007FF776C22000-memory.dmp

Filesize
3.9MB

Download