xmrig | 2d87d51931aac1f6df305ffe1222ac8da267fb3b33567359035dfe73d5060c91

Analysis

max time kernel
129s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 07:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
Size

2.0MB
MD5

0cfb57e014adb5441c3c96df1fefd800
SHA1

4095ff8ac1bc20171a79fe7263d61820ec95f20a
SHA256

2d87d51931aac1f6df305ffe1222ac8da267fb3b33567359035dfe73d5060c91
SHA512

a5798b250ac99f0c076c8f2833e61d5d555e8d641eb3a0340866867e621642be21b602f122ada5e49498a90cfa19ab74a75c6e1ba845b8d53b7edafe211a8637
SSDEEP

49152:knw9oUUEEDl37jcmWH/xbnbJo+kUQw2cTqKL/S:kQUEEd

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 48 IoCs

miner

resource	yara_rule
behavioral2/memory/5008-517-0x00007FF69A350000-0x00007FF69A741000-memory.dmp	xmrig
behavioral2/memory/4848-519-0x00007FF70DA90000-0x00007FF70DE81000-memory.dmp	xmrig
behavioral2/memory/464-518-0x00007FF746870000-0x00007FF746C61000-memory.dmp	xmrig
behavioral2/memory/4992-521-0x00007FF66C640000-0x00007FF66CA31000-memory.dmp	xmrig
behavioral2/memory/5060-520-0x00007FF6A2F10000-0x00007FF6A3301000-memory.dmp	xmrig
behavioral2/memory/2892-29-0x00007FF7909F0000-0x00007FF790DE1000-memory.dmp	xmrig
behavioral2/memory/4828-27-0x00007FF6B5790000-0x00007FF6B5B81000-memory.dmp	xmrig
behavioral2/memory/1536-524-0x00007FF78B580000-0x00007FF78B971000-memory.dmp	xmrig
behavioral2/memory/3312-529-0x00007FF6CCE50000-0x00007FF6CD241000-memory.dmp	xmrig
behavioral2/memory/548-531-0x00007FF6C1560000-0x00007FF6C1951000-memory.dmp	xmrig
behavioral2/memory/3136-535-0x00007FF7B46C0000-0x00007FF7B4AB1000-memory.dmp	xmrig
behavioral2/memory/3192-542-0x00007FF68ABC0000-0x00007FF68AFB1000-memory.dmp	xmrig
behavioral2/memory/1384-547-0x00007FF647210000-0x00007FF647601000-memory.dmp	xmrig
behavioral2/memory/2488-552-0x00007FF6CD500000-0x00007FF6CD8F1000-memory.dmp	xmrig
behavioral2/memory/932-556-0x00007FF6A24F0000-0x00007FF6A28E1000-memory.dmp	xmrig
behavioral2/memory/2232-562-0x00007FF7E2730000-0x00007FF7E2B21000-memory.dmp	xmrig
behavioral2/memory/2820-568-0x00007FF6419D0000-0x00007FF641DC1000-memory.dmp	xmrig
behavioral2/memory/2588-578-0x00007FF750410000-0x00007FF750801000-memory.dmp	xmrig
behavioral2/memory/2408-582-0x00007FF66A3F0000-0x00007FF66A7E1000-memory.dmp	xmrig
behavioral2/memory/2344-541-0x00007FF7BC7C0000-0x00007FF7BCBB1000-memory.dmp	xmrig
behavioral2/memory/3560-1963-0x00007FF6F3FD0000-0x00007FF6F43C1000-memory.dmp	xmrig
behavioral2/memory/3940-1977-0x00007FF6A9D60000-0x00007FF6AA151000-memory.dmp	xmrig
behavioral2/memory/2552-1978-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp	xmrig
behavioral2/memory/384-1980-0x00007FF6EEA90000-0x00007FF6EEE81000-memory.dmp	xmrig
behavioral2/memory/2532-2002-0x00007FF6E5330000-0x00007FF6E5721000-memory.dmp	xmrig
behavioral2/memory/3560-2004-0x00007FF6F3FD0000-0x00007FF6F43C1000-memory.dmp	xmrig
behavioral2/memory/4828-2006-0x00007FF6B5790000-0x00007FF6B5B81000-memory.dmp	xmrig
behavioral2/memory/2892-2008-0x00007FF7909F0000-0x00007FF790DE1000-memory.dmp	xmrig
behavioral2/memory/5008-2012-0x00007FF69A350000-0x00007FF69A741000-memory.dmp	xmrig
behavioral2/memory/548-2027-0x00007FF6C1560000-0x00007FF6C1951000-memory.dmp	xmrig
behavioral2/memory/4848-2030-0x00007FF70DA90000-0x00007FF70DE81000-memory.dmp	xmrig
behavioral2/memory/3192-2032-0x00007FF68ABC0000-0x00007FF68AFB1000-memory.dmp	xmrig
behavioral2/memory/1384-2038-0x00007FF647210000-0x00007FF647601000-memory.dmp	xmrig
behavioral2/memory/2820-2046-0x00007FF6419D0000-0x00007FF641DC1000-memory.dmp	xmrig
behavioral2/memory/2408-2042-0x00007FF66A3F0000-0x00007FF66A7E1000-memory.dmp	xmrig
behavioral2/memory/932-2041-0x00007FF6A24F0000-0x00007FF6A28E1000-memory.dmp	xmrig
behavioral2/memory/2488-2036-0x00007FF6CD500000-0x00007FF6CD8F1000-memory.dmp	xmrig
behavioral2/memory/2588-2044-0x00007FF750410000-0x00007FF750801000-memory.dmp	xmrig
behavioral2/memory/2232-2034-0x00007FF7E2730000-0x00007FF7E2B21000-memory.dmp	xmrig
behavioral2/memory/2344-2029-0x00007FF7BC7C0000-0x00007FF7BCBB1000-memory.dmp	xmrig
behavioral2/memory/3136-2026-0x00007FF7B46C0000-0x00007FF7B4AB1000-memory.dmp	xmrig
behavioral2/memory/1536-2022-0x00007FF78B580000-0x00007FF78B971000-memory.dmp	xmrig
behavioral2/memory/5060-2019-0x00007FF6A2F10000-0x00007FF6A3301000-memory.dmp	xmrig
behavioral2/memory/4992-2017-0x00007FF66C640000-0x00007FF66CA31000-memory.dmp	xmrig
behavioral2/memory/464-2015-0x00007FF746870000-0x00007FF746C61000-memory.dmp	xmrig
behavioral2/memory/2552-2011-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp	xmrig
behavioral2/memory/3312-2023-0x00007FF6CCE50000-0x00007FF6CD241000-memory.dmp	xmrig
behavioral2/memory/3940-2172-0x00007FF6A9D60000-0x00007FF6AA151000-memory.dmp	xmrig

Executes dropped EXE 64 IoCs

pid	Process
2532	fVQbdli.exe
3560	FHSGlDS.exe
4828	tIkTWOf.exe
2892	KiVzHsQ.exe
3940	CtCmICF.exe
2552	lfAhUWV.exe
5008	EnZeJuH.exe
464	ESvNLSb.exe
4848	lMKpjfN.exe
5060	MXtCDDT.exe
4992	bMFuCam.exe
1536	YUjwFng.exe
3312	egvvTSz.exe
548	LXzpJOR.exe
3136	FbhHLwx.exe
2344	PdzSdfv.exe
3192	gihFEWL.exe
1384	BZOmlhw.exe
2488	iORhboL.exe
932	lOfKtSY.exe
2232	wgtoSYY.exe
2820	PpNUBbv.exe
2588	IdFtevK.exe
2408	TJtiFMG.exe
2580	LKDApNS.exe
4980	uxVjSRY.exe
2788	bWnxQDM.exe
2104	BRqRyRZ.exe
3224	PunRUql.exe
636	ElZDEIp.exe
3928	EoNTfnO.exe
4392	ljyMJMH.exe
4956	aNNtvFg.exe
4676	JXpQAXl.exe
3256	ixYAeUy.exe
3424	ODwfZNW.exe
4276	OHCydDZ.exe
4748	GgOMnMf.exe
1980	lWMSKVl.exe
2984	zlgKxJF.exe
3468	PtedFYf.exe
5004	HwpPXUZ.exe
1308	wtPzASi.exe
4424	BvIhDDM.exe
4496	UyUPkCQ.exe
4352	HhQQnyy.exe
1380	kUGbCmC.exe
3180	vcDTyJD.exe
3788	GGvzuMP.exe
5048	siswPuK.exe
3364	UXwLSjH.exe
3716	iXQwPHt.exe
1752	qqQaRMc.exe
4640	sBMvDPH.exe
4284	ZafRDmn.exe
2596	KuQrmzv.exe
744	ArcwxtZ.exe
3264	vJCiETz.exe
4596	TVOiXQb.exe
1076	MUvziIu.exe
5104	glYxvWm.exe
3572	RajQSlN.exe
3952	zlADBoq.exe
2280	oFNDYwm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/384-0-0x00007FF6EEA90000-0x00007FF6EEE81000-memory.dmp	upx
behavioral2/files/0x000b000000023b97-6.dat	upx
behavioral2/files/0x000a000000023b9b-9.dat	upx
behavioral2/files/0x000a000000023b9c-10.dat	upx
behavioral2/files/0x000a000000023b9d-23.dat	upx
behavioral2/memory/3560-16-0x00007FF6F3FD0000-0x00007FF6F43C1000-memory.dmp	upx
behavioral2/memory/2532-12-0x00007FF6E5330000-0x00007FF6E5721000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-28.dat	upx
behavioral2/files/0x000a000000023ba2-51.dat	upx
behavioral2/files/0x000a000000023ba3-56.dat	upx
behavioral2/files/0x000a000000023ba4-61.dat	upx
behavioral2/files/0x000a000000023ba6-69.dat	upx
behavioral2/files/0x000a000000023ba9-84.dat	upx
behavioral2/files/0x000a000000023baa-91.dat	upx
behavioral2/files/0x000a000000023bad-104.dat	upx
behavioral2/files/0x000a000000023baf-116.dat	upx
behavioral2/files/0x000a000000023bb1-126.dat	upx
behavioral2/memory/5008-517-0x00007FF69A350000-0x00007FF69A741000-memory.dmp	upx
behavioral2/memory/4848-519-0x00007FF70DA90000-0x00007FF70DE81000-memory.dmp	upx
behavioral2/memory/464-518-0x00007FF746870000-0x00007FF746C61000-memory.dmp	upx
behavioral2/memory/4992-521-0x00007FF66C640000-0x00007FF66CA31000-memory.dmp	upx
behavioral2/memory/5060-520-0x00007FF6A2F10000-0x00007FF6A3301000-memory.dmp	upx
behavioral2/files/0x000a000000023bb9-166.dat	upx
behavioral2/files/0x0031000000023bb8-161.dat	upx
behavioral2/files/0x0031000000023bb7-156.dat	upx
behavioral2/files/0x0031000000023bb6-151.dat	upx
behavioral2/files/0x000a000000023bb5-146.dat	upx
behavioral2/files/0x000a000000023bb4-141.dat	upx
behavioral2/files/0x000a000000023bb3-136.dat	upx
behavioral2/files/0x000a000000023bb2-131.dat	upx
behavioral2/files/0x000a000000023bb0-121.dat	upx
behavioral2/files/0x000a000000023bae-111.dat	upx
behavioral2/files/0x000a000000023bac-101.dat	upx
behavioral2/files/0x000a000000023bab-96.dat	upx
behavioral2/files/0x000a000000023ba8-81.dat	upx
behavioral2/files/0x000a000000023ba7-76.dat	upx
behavioral2/files/0x000a000000023ba5-66.dat	upx
behavioral2/files/0x000a000000023ba1-46.dat	upx
behavioral2/files/0x000a000000023ba0-41.dat	upx
behavioral2/files/0x000a000000023b9f-36.dat	upx
behavioral2/memory/2552-35-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp	upx
behavioral2/memory/3940-34-0x00007FF6A9D60000-0x00007FF6AA151000-memory.dmp	upx
behavioral2/memory/2892-29-0x00007FF7909F0000-0x00007FF790DE1000-memory.dmp	upx
behavioral2/memory/4828-27-0x00007FF6B5790000-0x00007FF6B5B81000-memory.dmp	upx
behavioral2/memory/1536-524-0x00007FF78B580000-0x00007FF78B971000-memory.dmp	upx
behavioral2/memory/3312-529-0x00007FF6CCE50000-0x00007FF6CD241000-memory.dmp	upx
behavioral2/memory/548-531-0x00007FF6C1560000-0x00007FF6C1951000-memory.dmp	upx
behavioral2/memory/3136-535-0x00007FF7B46C0000-0x00007FF7B4AB1000-memory.dmp	upx
behavioral2/memory/3192-542-0x00007FF68ABC0000-0x00007FF68AFB1000-memory.dmp	upx
behavioral2/memory/1384-547-0x00007FF647210000-0x00007FF647601000-memory.dmp	upx
behavioral2/memory/2488-552-0x00007FF6CD500000-0x00007FF6CD8F1000-memory.dmp	upx
behavioral2/memory/932-556-0x00007FF6A24F0000-0x00007FF6A28E1000-memory.dmp	upx
behavioral2/memory/2232-562-0x00007FF7E2730000-0x00007FF7E2B21000-memory.dmp	upx
behavioral2/memory/2820-568-0x00007FF6419D0000-0x00007FF641DC1000-memory.dmp	upx
behavioral2/memory/2588-578-0x00007FF750410000-0x00007FF750801000-memory.dmp	upx
behavioral2/memory/2408-582-0x00007FF66A3F0000-0x00007FF66A7E1000-memory.dmp	upx
behavioral2/memory/2344-541-0x00007FF7BC7C0000-0x00007FF7BCBB1000-memory.dmp	upx
behavioral2/memory/3560-1963-0x00007FF6F3FD0000-0x00007FF6F43C1000-memory.dmp	upx
behavioral2/memory/3940-1977-0x00007FF6A9D60000-0x00007FF6AA151000-memory.dmp	upx
behavioral2/memory/2552-1978-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp	upx
behavioral2/memory/384-1980-0x00007FF6EEA90000-0x00007FF6EEE81000-memory.dmp	upx
behavioral2/memory/2532-2002-0x00007FF6E5330000-0x00007FF6E5721000-memory.dmp	upx
behavioral2/memory/3560-2004-0x00007FF6F3FD0000-0x00007FF6F43C1000-memory.dmp	upx
behavioral2/memory/4828-2006-0x00007FF6B5790000-0x00007FF6B5B81000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\LkRIuzM.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\DJghCwH.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\yoDOtic.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\GzNvVWv.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\nIWbFUM.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\GRLhFVz.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\sipUeST.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\nYmQUjb.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\IcKASte.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\XqcoVCE.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\fzBiikP.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\knWTmKN.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\BXNOpPM.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\rRpWDTw.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\DCZfjOK.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\wtPzASi.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\vkDUSCN.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\HsHUqej.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\BvGEDpo.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\nvptCPt.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\cOeVpEt.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\WIEiNSJ.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\GYmTBHr.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\vrFdJeK.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\mwPIGRZ.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\bLANDZL.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\KuQrmzv.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\bGYuuiP.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\eXmnngc.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\OQEsrnB.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\OTATmwS.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\IzWYgUC.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\kcCHKWs.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\RAEynii.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\gFuBKnJ.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\AjeEUbn.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\rtOjzNa.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\MdNVbYp.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\RAajDPM.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\EvifSAx.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\TVOiXQb.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\QzBffoH.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\Dwflcym.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\oDgOavo.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\kVULVeG.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\qBkHyiS.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\flzlAJP.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\pHOIMGE.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\EnZeJuH.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\ZafRDmn.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\gBfyXmF.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\TpPCXrs.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\ahdHbVz.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\hdVWtdr.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\lxZcsro.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\LmfWtDU.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\rSkFNUe.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\xosLtDY.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\LgQXrCp.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\hWDnTDM.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\tIkTWOf.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\CtCmICF.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\vcDTyJD.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
File created	C:\Windows\System32\glYxvWm.exe	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	dwm.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	13724	dwm.exe
Token: SeChangeNotifyPrivilege	13724	dwm.exe
Token: 33	13724	dwm.exe
Token: SeIncBasePriorityPrivilege	13724	dwm.exe
Token: SeShutdownPrivilege	13724	dwm.exe
Token: SeCreatePagefilePrivilege	13724	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 2532	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	85
PID 384 wrote to memory of 2532	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	85
PID 384 wrote to memory of 3560	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	86
PID 384 wrote to memory of 3560	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	86
PID 384 wrote to memory of 4828	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	87
PID 384 wrote to memory of 4828	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	87
PID 384 wrote to memory of 2892	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	88
PID 384 wrote to memory of 2892	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	88
PID 384 wrote to memory of 3940	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	89
PID 384 wrote to memory of 3940	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	89
PID 384 wrote to memory of 2552	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	90
PID 384 wrote to memory of 2552	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	90
PID 384 wrote to memory of 5008	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	91
PID 384 wrote to memory of 5008	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	91
PID 384 wrote to memory of 464	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	92
PID 384 wrote to memory of 464	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	92
PID 384 wrote to memory of 4848	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	93
PID 384 wrote to memory of 4848	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	93
PID 384 wrote to memory of 5060	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	94
PID 384 wrote to memory of 5060	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	94
PID 384 wrote to memory of 4992	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	95
PID 384 wrote to memory of 4992	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	95
PID 384 wrote to memory of 1536	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	96
PID 384 wrote to memory of 1536	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	96
PID 384 wrote to memory of 3312	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	97
PID 384 wrote to memory of 3312	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	97
PID 384 wrote to memory of 548	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	98
PID 384 wrote to memory of 548	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	98
PID 384 wrote to memory of 3136	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	99
PID 384 wrote to memory of 3136	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	99
PID 384 wrote to memory of 2344	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	100
PID 384 wrote to memory of 2344	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	100
PID 384 wrote to memory of 3192	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	101
PID 384 wrote to memory of 3192	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	101
PID 384 wrote to memory of 1384	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	102
PID 384 wrote to memory of 1384	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	102
PID 384 wrote to memory of 2488	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	103
PID 384 wrote to memory of 2488	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	103
PID 384 wrote to memory of 932	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	104
PID 384 wrote to memory of 932	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	104
PID 384 wrote to memory of 2232	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	105
PID 384 wrote to memory of 2232	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	105
PID 384 wrote to memory of 2820	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	106
PID 384 wrote to memory of 2820	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	106
PID 384 wrote to memory of 2588	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	107
PID 384 wrote to memory of 2588	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	107
PID 384 wrote to memory of 2408	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	108
PID 384 wrote to memory of 2408	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	108
PID 384 wrote to memory of 2580	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	109
PID 384 wrote to memory of 2580	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	109
PID 384 wrote to memory of 4980	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	110
PID 384 wrote to memory of 4980	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	110
PID 384 wrote to memory of 2788	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	111
PID 384 wrote to memory of 2788	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	111
PID 384 wrote to memory of 2104	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	112
PID 384 wrote to memory of 2104	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	112
PID 384 wrote to memory of 3224	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	113
PID 384 wrote to memory of 3224	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	113
PID 384 wrote to memory of 636	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	114
PID 384 wrote to memory of 636	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	114
PID 384 wrote to memory of 3928	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	115
PID 384 wrote to memory of 3928	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	115
PID 384 wrote to memory of 4392	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	116
PID 384 wrote to memory of 4392	384	0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe	116

C:\Users\Admin\AppData\Local\Temp\0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\0cfb57e014adb5441c3c96df1fefd800_NEIKI.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\System32\fVQbdli.exe
  C:\Windows\System32\fVQbdli.exe
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Windows\System32\FHSGlDS.exe
  C:\Windows\System32\FHSGlDS.exe
  2⤵
  - Executes dropped EXE
  PID:3560
- C:\Windows\System32\tIkTWOf.exe
  C:\Windows\System32\tIkTWOf.exe
  2⤵
  - Executes dropped EXE
  PID:4828
- C:\Windows\System32\KiVzHsQ.exe
  C:\Windows\System32\KiVzHsQ.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System32\CtCmICF.exe
  C:\Windows\System32\CtCmICF.exe
  2⤵
  - Executes dropped EXE
  PID:3940
- C:\Windows\System32\lfAhUWV.exe
  C:\Windows\System32\lfAhUWV.exe
  2⤵
  - Executes dropped EXE
  PID:2552
- C:\Windows\System32\EnZeJuH.exe
  C:\Windows\System32\EnZeJuH.exe
  2⤵
  - Executes dropped EXE
  PID:5008
- C:\Windows\System32\ESvNLSb.exe
  C:\Windows\System32\ESvNLSb.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System32\lMKpjfN.exe
  C:\Windows\System32\lMKpjfN.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System32\MXtCDDT.exe
  C:\Windows\System32\MXtCDDT.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System32\bMFuCam.exe
  C:\Windows\System32\bMFuCam.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\System32\YUjwFng.exe
  C:\Windows\System32\YUjwFng.exe
  2⤵
  - Executes dropped EXE
  PID:1536
- C:\Windows\System32\egvvTSz.exe
  C:\Windows\System32\egvvTSz.exe
  2⤵
  - Executes dropped EXE
  PID:3312
- C:\Windows\System32\LXzpJOR.exe
  C:\Windows\System32\LXzpJOR.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System32\FbhHLwx.exe
  C:\Windows\System32\FbhHLwx.exe
  2⤵
  - Executes dropped EXE
  PID:3136
- C:\Windows\System32\PdzSdfv.exe
  C:\Windows\System32\PdzSdfv.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System32\gihFEWL.exe
  C:\Windows\System32\gihFEWL.exe
  2⤵
  - Executes dropped EXE
  PID:3192
- C:\Windows\System32\BZOmlhw.exe
  C:\Windows\System32\BZOmlhw.exe
  2⤵
  - Executes dropped EXE
  PID:1384
- C:\Windows\System32\iORhboL.exe
  C:\Windows\System32\iORhboL.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System32\lOfKtSY.exe
  C:\Windows\System32\lOfKtSY.exe
  2⤵
  - Executes dropped EXE
  PID:932
- C:\Windows\System32\wgtoSYY.exe
  C:\Windows\System32\wgtoSYY.exe
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Windows\System32\PpNUBbv.exe
  C:\Windows\System32\PpNUBbv.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System32\IdFtevK.exe
  C:\Windows\System32\IdFtevK.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System32\TJtiFMG.exe
  C:\Windows\System32\TJtiFMG.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System32\LKDApNS.exe
  C:\Windows\System32\LKDApNS.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System32\uxVjSRY.exe
  C:\Windows\System32\uxVjSRY.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System32\bWnxQDM.exe
  C:\Windows\System32\bWnxQDM.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\System32\BRqRyRZ.exe
  C:\Windows\System32\BRqRyRZ.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System32\PunRUql.exe
  C:\Windows\System32\PunRUql.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System32\ElZDEIp.exe
  C:\Windows\System32\ElZDEIp.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System32\EoNTfnO.exe
  C:\Windows\System32\EoNTfnO.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System32\ljyMJMH.exe
  C:\Windows\System32\ljyMJMH.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System32\aNNtvFg.exe
  C:\Windows\System32\aNNtvFg.exe
  2⤵
  - Executes dropped EXE
  PID:4956
- C:\Windows\System32\JXpQAXl.exe
  C:\Windows\System32\JXpQAXl.exe
  2⤵
  - Executes dropped EXE
  PID:4676
- C:\Windows\System32\ixYAeUy.exe
  C:\Windows\System32\ixYAeUy.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System32\ODwfZNW.exe
  C:\Windows\System32\ODwfZNW.exe
  2⤵
  - Executes dropped EXE
  PID:3424
- C:\Windows\System32\OHCydDZ.exe
  C:\Windows\System32\OHCydDZ.exe
  2⤵
  - Executes dropped EXE
  PID:4276
- C:\Windows\System32\GgOMnMf.exe
  C:\Windows\System32\GgOMnMf.exe
  2⤵
  - Executes dropped EXE
  PID:4748
- C:\Windows\System32\lWMSKVl.exe
  C:\Windows\System32\lWMSKVl.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System32\zlgKxJF.exe
  C:\Windows\System32\zlgKxJF.exe
  2⤵
  - Executes dropped EXE
  PID:2984
- C:\Windows\System32\PtedFYf.exe
  C:\Windows\System32\PtedFYf.exe
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\System32\HwpPXUZ.exe
  C:\Windows\System32\HwpPXUZ.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System32\wtPzASi.exe
  C:\Windows\System32\wtPzASi.exe
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Windows\System32\BvIhDDM.exe
  C:\Windows\System32\BvIhDDM.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System32\UyUPkCQ.exe
  C:\Windows\System32\UyUPkCQ.exe
  2⤵
  - Executes dropped EXE
  PID:4496
- C:\Windows\System32\HhQQnyy.exe
  C:\Windows\System32\HhQQnyy.exe
  2⤵
  - Executes dropped EXE
  PID:4352
- C:\Windows\System32\kUGbCmC.exe
  C:\Windows\System32\kUGbCmC.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System32\vcDTyJD.exe
  C:\Windows\System32\vcDTyJD.exe
  2⤵
  - Executes dropped EXE
  PID:3180
- C:\Windows\System32\GGvzuMP.exe
  C:\Windows\System32\GGvzuMP.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System32\siswPuK.exe
  C:\Windows\System32\siswPuK.exe
  2⤵
  - Executes dropped EXE
  PID:5048
- C:\Windows\System32\UXwLSjH.exe
  C:\Windows\System32\UXwLSjH.exe
  2⤵
  - Executes dropped EXE
  PID:3364
- C:\Windows\System32\iXQwPHt.exe
  C:\Windows\System32\iXQwPHt.exe
  2⤵
  - Executes dropped EXE
  PID:3716
- C:\Windows\System32\qqQaRMc.exe
  C:\Windows\System32\qqQaRMc.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System32\sBMvDPH.exe
  C:\Windows\System32\sBMvDPH.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System32\ZafRDmn.exe
  C:\Windows\System32\ZafRDmn.exe
  2⤵
  - Executes dropped EXE
  PID:4284
- C:\Windows\System32\KuQrmzv.exe
  C:\Windows\System32\KuQrmzv.exe
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Windows\System32\ArcwxtZ.exe
  C:\Windows\System32\ArcwxtZ.exe
  2⤵
  - Executes dropped EXE
  PID:744
- C:\Windows\System32\vJCiETz.exe
  C:\Windows\System32\vJCiETz.exe
  2⤵
  - Executes dropped EXE
  PID:3264
- C:\Windows\System32\TVOiXQb.exe
  C:\Windows\System32\TVOiXQb.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System32\MUvziIu.exe
  C:\Windows\System32\MUvziIu.exe
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\Windows\System32\glYxvWm.exe
  C:\Windows\System32\glYxvWm.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System32\RajQSlN.exe
  C:\Windows\System32\RajQSlN.exe
  2⤵
  - Executes dropped EXE
  PID:3572
- C:\Windows\System32\zlADBoq.exe
  C:\Windows\System32\zlADBoq.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Windows\System32\oFNDYwm.exe
  C:\Windows\System32\oFNDYwm.exe
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Windows\System32\ZWaYiur.exe
  C:\Windows\System32\ZWaYiur.exe
  2⤵
  PID:1368
- C:\Windows\System32\UkjcCos.exe
  C:\Windows\System32\UkjcCos.exe
  2⤵
  PID:4344
- C:\Windows\System32\bkdzsnN.exe
  C:\Windows\System32\bkdzsnN.exe
  2⤵
  PID:1492
- C:\Windows\System32\fUHVTPt.exe
  C:\Windows\System32\fUHVTPt.exe
  2⤵
  PID:2072
- C:\Windows\System32\DJQbGNu.exe
  C:\Windows\System32\DJQbGNu.exe
  2⤵
  PID:1912
- C:\Windows\System32\QxTNKnj.exe
  C:\Windows\System32\QxTNKnj.exe
  2⤵
  PID:2328
- C:\Windows\System32\asqDRwN.exe
  C:\Windows\System32\asqDRwN.exe
  2⤵
  PID:1408
- C:\Windows\System32\ADYmvzB.exe
  C:\Windows\System32\ADYmvzB.exe
  2⤵
  PID:2704
- C:\Windows\System32\EDfjknw.exe
  C:\Windows\System32\EDfjknw.exe
  2⤵
  PID:4912
- C:\Windows\System32\vrvcLDI.exe
  C:\Windows\System32\vrvcLDI.exe
  2⤵
  PID:5152
- C:\Windows\System32\pJTYjSW.exe
  C:\Windows\System32\pJTYjSW.exe
  2⤵
  PID:5180
- C:\Windows\System32\uRhnlzi.exe
  C:\Windows\System32\uRhnlzi.exe
  2⤵
  PID:5204
- C:\Windows\System32\xUUowwh.exe
  C:\Windows\System32\xUUowwh.exe
  2⤵
  PID:5232
- C:\Windows\System32\NsRppBe.exe
  C:\Windows\System32\NsRppBe.exe
  2⤵
  PID:5260
- C:\Windows\System32\uANreTD.exe
  C:\Windows\System32\uANreTD.exe
  2⤵
  PID:5288
- C:\Windows\System32\NQzLKho.exe
  C:\Windows\System32\NQzLKho.exe
  2⤵
  PID:5320
- C:\Windows\System32\AwLIilQ.exe
  C:\Windows\System32\AwLIilQ.exe
  2⤵
  PID:5348
- C:\Windows\System32\dPiTNJP.exe
  C:\Windows\System32\dPiTNJP.exe
  2⤵
  PID:5376
- C:\Windows\System32\bqTRypp.exe
  C:\Windows\System32\bqTRypp.exe
  2⤵
  PID:5400
- C:\Windows\System32\XOodgpa.exe
  C:\Windows\System32\XOodgpa.exe
  2⤵
  PID:5428
- C:\Windows\System32\llRHzdy.exe
  C:\Windows\System32\llRHzdy.exe
  2⤵
  PID:5456
- C:\Windows\System32\EHcjDRo.exe
  C:\Windows\System32\EHcjDRo.exe
  2⤵
  PID:5484
- C:\Windows\System32\pMhyYrI.exe
  C:\Windows\System32\pMhyYrI.exe
  2⤵
  PID:5512
- C:\Windows\System32\UweGprE.exe
  C:\Windows\System32\UweGprE.exe
  2⤵
  PID:5544
- C:\Windows\System32\ZjmMTxd.exe
  C:\Windows\System32\ZjmMTxd.exe
  2⤵
  PID:5568
- C:\Windows\System32\LQDtHYz.exe
  C:\Windows\System32\LQDtHYz.exe
  2⤵
  PID:5616
- C:\Windows\System32\bGYuuiP.exe
  C:\Windows\System32\bGYuuiP.exe
  2⤵
  PID:5632
- C:\Windows\System32\OQhUcgm.exe
  C:\Windows\System32\OQhUcgm.exe
  2⤵
  PID:5660
- C:\Windows\System32\vDcNPOd.exe
  C:\Windows\System32\vDcNPOd.exe
  2⤵
  PID:5688
- C:\Windows\System32\SNQWXeH.exe
  C:\Windows\System32\SNQWXeH.exe
  2⤵
  PID:5716
- C:\Windows\System32\LNSxuFb.exe
  C:\Windows\System32\LNSxuFb.exe
  2⤵
  PID:5744
- C:\Windows\System32\ankPgfJ.exe
  C:\Windows\System32\ankPgfJ.exe
  2⤵
  PID:5772
- C:\Windows\System32\miWFnbN.exe
  C:\Windows\System32\miWFnbN.exe
  2⤵
  PID:5800
- C:\Windows\System32\rpjGeHk.exe
  C:\Windows\System32\rpjGeHk.exe
  2⤵
  PID:5828
- C:\Windows\System32\UjBjsLZ.exe
  C:\Windows\System32\UjBjsLZ.exe
  2⤵
  PID:5856
- C:\Windows\System32\CRBAxGb.exe
  C:\Windows\System32\CRBAxGb.exe
  2⤵
  PID:5884
- C:\Windows\System32\AGKYJsm.exe
  C:\Windows\System32\AGKYJsm.exe
  2⤵
  PID:5912
- C:\Windows\System32\XqcoVCE.exe
  C:\Windows\System32\XqcoVCE.exe
  2⤵
  PID:5940
- C:\Windows\System32\bprNEbO.exe
  C:\Windows\System32\bprNEbO.exe
  2⤵
  PID:5968
- C:\Windows\System32\fzBiikP.exe
  C:\Windows\System32\fzBiikP.exe
  2⤵
  PID:5996
- C:\Windows\System32\yaRDTcE.exe
  C:\Windows\System32\yaRDTcE.exe
  2⤵
  PID:6028
- C:\Windows\System32\AAhYOgU.exe
  C:\Windows\System32\AAhYOgU.exe
  2⤵
  PID:6052
- C:\Windows\System32\gBfyXmF.exe
  C:\Windows\System32\gBfyXmF.exe
  2⤵
  PID:6080
- C:\Windows\System32\LmfWtDU.exe
  C:\Windows\System32\LmfWtDU.exe
  2⤵
  PID:6108
- C:\Windows\System32\zzeYNiX.exe
  C:\Windows\System32\zzeYNiX.exe
  2⤵
  PID:6136
- C:\Windows\System32\eRXstpC.exe
  C:\Windows\System32\eRXstpC.exe
  2⤵
  PID:4020
- C:\Windows\System32\fldCMDI.exe
  C:\Windows\System32\fldCMDI.exe
  2⤵
  PID:4068
- C:\Windows\System32\LjGKRTf.exe
  C:\Windows\System32\LjGKRTf.exe
  2⤵
  PID:4588
- C:\Windows\System32\BcAFXcM.exe
  C:\Windows\System32\BcAFXcM.exe
  2⤵
  PID:2732
- C:\Windows\System32\jKAJMky.exe
  C:\Windows\System32\jKAJMky.exe
  2⤵
  PID:2896
- C:\Windows\System32\IkmjCOa.exe
  C:\Windows\System32\IkmjCOa.exe
  2⤵
  PID:5164
- C:\Windows\System32\DYgZCDT.exe
  C:\Windows\System32\DYgZCDT.exe
  2⤵
  PID:5220
- C:\Windows\System32\clyrQhp.exe
  C:\Windows\System32\clyrQhp.exe
  2⤵
  PID:5276
- C:\Windows\System32\fcHpBDg.exe
  C:\Windows\System32\fcHpBDg.exe
  2⤵
  PID:5356
- C:\Windows\System32\HTPCaKM.exe
  C:\Windows\System32\HTPCaKM.exe
  2⤵
  PID:5420
- C:\Windows\System32\WKxLuwf.exe
  C:\Windows\System32\WKxLuwf.exe
  2⤵
  PID:5468
- C:\Windows\System32\rSkFNUe.exe
  C:\Windows\System32\rSkFNUe.exe
  2⤵
  PID:5524
- C:\Windows\System32\qrCSXut.exe
  C:\Windows\System32\qrCSXut.exe
  2⤵
  PID:5580
- C:\Windows\System32\AkuRLzB.exe
  C:\Windows\System32\AkuRLzB.exe
  2⤵
  PID:5656
- C:\Windows\System32\qBkHyiS.exe
  C:\Windows\System32\qBkHyiS.exe
  2⤵
  PID:5704
- C:\Windows\System32\gjFlPlr.exe
  C:\Windows\System32\gjFlPlr.exe
  2⤵
  PID:5768
- C:\Windows\System32\LAkQuWh.exe
  C:\Windows\System32\LAkQuWh.exe
  2⤵
  PID:5816
- C:\Windows\System32\UmDQzuD.exe
  C:\Windows\System32\UmDQzuD.exe
  2⤵
  PID:5896
- C:\Windows\System32\rNVwaDb.exe
  C:\Windows\System32\rNVwaDb.exe
  2⤵
  PID:5964
- C:\Windows\System32\MfWrlJp.exe
  C:\Windows\System32\MfWrlJp.exe
  2⤵
  PID:6020
- C:\Windows\System32\WsEuEzU.exe
  C:\Windows\System32\WsEuEzU.exe
  2⤵
  PID:6068
- C:\Windows\System32\UCWenwy.exe
  C:\Windows\System32\UCWenwy.exe
  2⤵
  PID:372
- C:\Windows\System32\FCvRLma.exe
  C:\Windows\System32\FCvRLma.exe
  2⤵
  PID:3780
- C:\Windows\System32\knWTmKN.exe
  C:\Windows\System32\knWTmKN.exe
  2⤵
  PID:4736
- C:\Windows\System32\jfcEnKE.exe
  C:\Windows\System32\jfcEnKE.exe
  2⤵
  PID:5224
- C:\Windows\System32\NtymNhM.exe
  C:\Windows\System32\NtymNhM.exe
  2⤵
  PID:5336
- C:\Windows\System32\oyqHcoc.exe
  C:\Windows\System32\oyqHcoc.exe
  2⤵
  PID:1484
- C:\Windows\System32\bKbaMrL.exe
  C:\Windows\System32\bKbaMrL.exe
  2⤵
  PID:2172
- C:\Windows\System32\lOSupzi.exe
  C:\Windows\System32\lOSupzi.exe
  2⤵
  PID:5684
- C:\Windows\System32\ickYNPc.exe
  C:\Windows\System32\ickYNPc.exe
  2⤵
  PID:412
- C:\Windows\System32\lydFYDX.exe
  C:\Windows\System32\lydFYDX.exe
  2⤵
  PID:3296
- C:\Windows\System32\IqqZZWu.exe
  C:\Windows\System32\IqqZZWu.exe
  2⤵
  PID:5992
- C:\Windows\System32\BXNOpPM.exe
  C:\Windows\System32\BXNOpPM.exe
  2⤵
  PID:6096
- C:\Windows\System32\cRSMjuJ.exe
  C:\Windows\System32\cRSMjuJ.exe
  2⤵
  PID:1656
- C:\Windows\System32\KHHMsXo.exe
  C:\Windows\System32\KHHMsXo.exe
  2⤵
  PID:5148
- C:\Windows\System32\dGbKaWY.exe
  C:\Windows\System32\dGbKaWY.exe
  2⤵
  PID:5372
- C:\Windows\System32\MAvjfiB.exe
  C:\Windows\System32\MAvjfiB.exe
  2⤵
  PID:1548
- C:\Windows\System32\DcxdDbh.exe
  C:\Windows\System32\DcxdDbh.exe
  2⤵
  PID:5732
- C:\Windows\System32\VUzBPfc.exe
  C:\Windows\System32\VUzBPfc.exe
  2⤵
  PID:5924
- C:\Windows\System32\dLdBFrZ.exe
  C:\Windows\System32\dLdBFrZ.exe
  2⤵
  PID:912
- C:\Windows\System32\efCPhaQ.exe
  C:\Windows\System32\efCPhaQ.exe
  2⤵
  PID:5020
- C:\Windows\System32\nLCpdjr.exe
  C:\Windows\System32\nLCpdjr.exe
  2⤵
  PID:5044
- C:\Windows\System32\EMiWuiq.exe
  C:\Windows\System32\EMiWuiq.exe
  2⤵
  PID:4520
- C:\Windows\System32\xosLtDY.exe
  C:\Windows\System32\xosLtDY.exe
  2⤵
  PID:1584
- C:\Windows\System32\vWarVkk.exe
  C:\Windows\System32\vWarVkk.exe
  2⤵
  PID:5196
- C:\Windows\System32\eQSroqk.exe
  C:\Windows\System32\eQSroqk.exe
  2⤵
  PID:1460
- C:\Windows\System32\EbXlxqQ.exe
  C:\Windows\System32\EbXlxqQ.exe
  2⤵
  PID:4324
- C:\Windows\System32\qnNNofn.exe
  C:\Windows\System32\qnNNofn.exe
  2⤵
  PID:1904
- C:\Windows\System32\RaCyYfZ.exe
  C:\Windows\System32\RaCyYfZ.exe
  2⤵
  PID:1060
- C:\Windows\System32\rrYwYRw.exe
  C:\Windows\System32\rrYwYRw.exe
  2⤵
  PID:6168
- C:\Windows\System32\PnXxdTp.exe
  C:\Windows\System32\PnXxdTp.exe
  2⤵
  PID:6188
- C:\Windows\System32\MAFPLUb.exe
  C:\Windows\System32\MAFPLUb.exe
  2⤵
  PID:6220
- C:\Windows\System32\RqYMFMJ.exe
  C:\Windows\System32\RqYMFMJ.exe
  2⤵
  PID:6276
- C:\Windows\System32\pOSKAzv.exe
  C:\Windows\System32\pOSKAzv.exe
  2⤵
  PID:6320
- C:\Windows\System32\GzNvVWv.exe
  C:\Windows\System32\GzNvVWv.exe
  2⤵
  PID:6348
- C:\Windows\System32\eXmnngc.exe
  C:\Windows\System32\eXmnngc.exe
  2⤵
  PID:6408
- C:\Windows\System32\pkUZdDW.exe
  C:\Windows\System32\pkUZdDW.exe
  2⤵
  PID:6432
- C:\Windows\System32\TFoFRLr.exe
  C:\Windows\System32\TFoFRLr.exe
  2⤵
  PID:6448
- C:\Windows\System32\CUTTInM.exe
  C:\Windows\System32\CUTTInM.exe
  2⤵
  PID:6480
- C:\Windows\System32\zTWvNDF.exe
  C:\Windows\System32\zTWvNDF.exe
  2⤵
  PID:6496
- C:\Windows\System32\beinjdS.exe
  C:\Windows\System32\beinjdS.exe
  2⤵
  PID:6544
- C:\Windows\System32\CozYorj.exe
  C:\Windows\System32\CozYorj.exe
  2⤵
  PID:6560
- C:\Windows\System32\TldAiGc.exe
  C:\Windows\System32\TldAiGc.exe
  2⤵
  PID:6584
- C:\Windows\System32\NCEdrjZ.exe
  C:\Windows\System32\NCEdrjZ.exe
  2⤵
  PID:6636
- C:\Windows\System32\emIKSmd.exe
  C:\Windows\System32\emIKSmd.exe
  2⤵
  PID:6656
- C:\Windows\System32\kOOVpPa.exe
  C:\Windows\System32\kOOVpPa.exe
  2⤵
  PID:6672
- C:\Windows\System32\pUsoWuq.exe
  C:\Windows\System32\pUsoWuq.exe
  2⤵
  PID:6716
- C:\Windows\System32\hDQWPrB.exe
  C:\Windows\System32\hDQWPrB.exe
  2⤵
  PID:6736
- C:\Windows\System32\WNduKTx.exe
  C:\Windows\System32\WNduKTx.exe
  2⤵
  PID:6756
- C:\Windows\System32\kbILLGr.exe
  C:\Windows\System32\kbILLGr.exe
  2⤵
  PID:6800
- C:\Windows\System32\gqeEdWV.exe
  C:\Windows\System32\gqeEdWV.exe
  2⤵
  PID:6832
- C:\Windows\System32\GLcjMXQ.exe
  C:\Windows\System32\GLcjMXQ.exe
  2⤵
  PID:6864
- C:\Windows\System32\AHflqZg.exe
  C:\Windows\System32\AHflqZg.exe
  2⤵
  PID:6888
- C:\Windows\System32\eJxqdZh.exe
  C:\Windows\System32\eJxqdZh.exe
  2⤵
  PID:6908
- C:\Windows\System32\iEaujyt.exe
  C:\Windows\System32\iEaujyt.exe
  2⤵
  PID:6932
- C:\Windows\System32\zRuoUZj.exe
  C:\Windows\System32\zRuoUZj.exe
  2⤵
  PID:6948
- C:\Windows\System32\HkjZcCl.exe
  C:\Windows\System32\HkjZcCl.exe
  2⤵
  PID:6980
- C:\Windows\System32\MhOnIPB.exe
  C:\Windows\System32\MhOnIPB.exe
  2⤵
  PID:7024
- C:\Windows\System32\cOeVpEt.exe
  C:\Windows\System32\cOeVpEt.exe
  2⤵
  PID:7040
- C:\Windows\System32\DZNhQoW.exe
  C:\Windows\System32\DZNhQoW.exe
  2⤵
  PID:7060
- C:\Windows\System32\vjOhlmB.exe
  C:\Windows\System32\vjOhlmB.exe
  2⤵
  PID:7088
- C:\Windows\System32\ftMaNPk.exe
  C:\Windows\System32\ftMaNPk.exe
  2⤵
  PID:7140
- C:\Windows\System32\mUlYJTi.exe
  C:\Windows\System32\mUlYJTi.exe
  2⤵
  PID:7160
- C:\Windows\System32\YxIQkom.exe
  C:\Windows\System32\YxIQkom.exe
  2⤵
  PID:6200
- C:\Windows\System32\rOqrwOG.exe
  C:\Windows\System32\rOqrwOG.exe
  2⤵
  PID:6184
- C:\Windows\System32\hDsFTCo.exe
  C:\Windows\System32\hDsFTCo.exe
  2⤵
  PID:6268
- C:\Windows\System32\RtmSyuv.exe
  C:\Windows\System32\RtmSyuv.exe
  2⤵
  PID:2032
- C:\Windows\System32\PYMrmjT.exe
  C:\Windows\System32\PYMrmjT.exe
  2⤵
  PID:5852
- C:\Windows\System32\QtHfPAS.exe
  C:\Windows\System32\QtHfPAS.exe
  2⤵
  PID:6316
- C:\Windows\System32\VvYLTgv.exe
  C:\Windows\System32\VvYLTgv.exe
  2⤵
  PID:6424
- C:\Windows\System32\mUIXnCG.exe
  C:\Windows\System32\mUIXnCG.exe
  2⤵
  PID:6504
- C:\Windows\System32\ERBabEO.exe
  C:\Windows\System32\ERBabEO.exe
  2⤵
  PID:6520
- C:\Windows\System32\ystcswT.exe
  C:\Windows\System32\ystcswT.exe
  2⤵
  PID:6556
- C:\Windows\System32\uvKJQkF.exe
  C:\Windows\System32\uvKJQkF.exe
  2⤵
  PID:6620
- C:\Windows\System32\ZsjwvdB.exe
  C:\Windows\System32\ZsjwvdB.exe
  2⤵
  PID:6684
- C:\Windows\System32\unwCvWU.exe
  C:\Windows\System32\unwCvWU.exe
  2⤵
  PID:6788
- C:\Windows\System32\yOPtQPu.exe
  C:\Windows\System32\yOPtQPu.exe
  2⤵
  PID:6880
- C:\Windows\System32\DKSOwGH.exe
  C:\Windows\System32\DKSOwGH.exe
  2⤵
  PID:6944
- C:\Windows\System32\OQEsrnB.exe
  C:\Windows\System32\OQEsrnB.exe
  2⤵
  PID:7052
- C:\Windows\System32\XaeRiyl.exe
  C:\Windows\System32\XaeRiyl.exe
  2⤵
  PID:7148
- C:\Windows\System32\eIjMeDo.exe
  C:\Windows\System32\eIjMeDo.exe
  2⤵
  PID:6164
- C:\Windows\System32\flzlAJP.exe
  C:\Windows\System32\flzlAJP.exe
  2⤵
  PID:6256
- C:\Windows\System32\lWUfYUq.exe
  C:\Windows\System32\lWUfYUq.exe
  2⤵
  PID:628
- C:\Windows\System32\sNdXrlf.exe
  C:\Windows\System32\sNdXrlf.exe
  2⤵
  PID:6232
- C:\Windows\System32\BXKqpyJ.exe
  C:\Windows\System32\BXKqpyJ.exe
  2⤵
  PID:6464
- C:\Windows\System32\nwdFhgW.exe
  C:\Windows\System32\nwdFhgW.exe
  2⤵
  PID:6644
- C:\Windows\System32\cMDhLDR.exe
  C:\Windows\System32\cMDhLDR.exe
  2⤵
  PID:6664
- C:\Windows\System32\pxDrqLT.exe
  C:\Windows\System32\pxDrqLT.exe
  2⤵
  PID:7084
- C:\Windows\System32\GGIJYUv.exe
  C:\Windows\System32\GGIJYUv.exe
  2⤵
  PID:6208
- C:\Windows\System32\HRwXnDX.exe
  C:\Windows\System32\HRwXnDX.exe
  2⤵
  PID:6616
- C:\Windows\System32\TfuPRHK.exe
  C:\Windows\System32\TfuPRHK.exe
  2⤵
  PID:6844
- C:\Windows\System32\ldSBthn.exe
  C:\Windows\System32\ldSBthn.exe
  2⤵
  PID:6196
- C:\Windows\System32\VXaxpWa.exe
  C:\Windows\System32\VXaxpWa.exe
  2⤵
  PID:6392
- C:\Windows\System32\UudFmHd.exe
  C:\Windows\System32\UudFmHd.exe
  2⤵
  PID:7016
- C:\Windows\System32\jopzPXT.exe
  C:\Windows\System32\jopzPXT.exe
  2⤵
  PID:7172
- C:\Windows\System32\mXWalME.exe
  C:\Windows\System32\mXWalME.exe
  2⤵
  PID:7208
- C:\Windows\System32\JGpZlJg.exe
  C:\Windows\System32\JGpZlJg.exe
  2⤵
  PID:7264
- C:\Windows\System32\tBjxlPW.exe
  C:\Windows\System32\tBjxlPW.exe
  2⤵
  PID:7304
- C:\Windows\System32\ZnzPTYo.exe
  C:\Windows\System32\ZnzPTYo.exe
  2⤵
  PID:7324
- C:\Windows\System32\vkDUSCN.exe
  C:\Windows\System32\vkDUSCN.exe
  2⤵
  PID:7352
- C:\Windows\System32\pHOIMGE.exe
  C:\Windows\System32\pHOIMGE.exe
  2⤵
  PID:7372
- C:\Windows\System32\UVDalZY.exe
  C:\Windows\System32\UVDalZY.exe
  2⤵
  PID:7404
- C:\Windows\System32\QzBffoH.exe
  C:\Windows\System32\QzBffoH.exe
  2⤵
  PID:7424
- C:\Windows\System32\UVdgxQm.exe
  C:\Windows\System32\UVdgxQm.exe
  2⤵
  PID:7460
- C:\Windows\System32\iLrLMaC.exe
  C:\Windows\System32\iLrLMaC.exe
  2⤵
  PID:7476
- C:\Windows\System32\gxjnBhO.exe
  C:\Windows\System32\gxjnBhO.exe
  2⤵
  PID:7500
- C:\Windows\System32\vhsIyPn.exe
  C:\Windows\System32\vhsIyPn.exe
  2⤵
  PID:7528
- C:\Windows\System32\jQiVGBc.exe
  C:\Windows\System32\jQiVGBc.exe
  2⤵
  PID:7556
- C:\Windows\System32\kbDyrOl.exe
  C:\Windows\System32\kbDyrOl.exe
  2⤵
  PID:7592
- C:\Windows\System32\dAhTtds.exe
  C:\Windows\System32\dAhTtds.exe
  2⤵
  PID:7628
- C:\Windows\System32\jJjSIhq.exe
  C:\Windows\System32\jJjSIhq.exe
  2⤵
  PID:7652
- C:\Windows\System32\GvhfKcF.exe
  C:\Windows\System32\GvhfKcF.exe
  2⤵
  PID:7668
- C:\Windows\System32\HGFeqLq.exe
  C:\Windows\System32\HGFeqLq.exe
  2⤵
  PID:7700
- C:\Windows\System32\HFTydny.exe
  C:\Windows\System32\HFTydny.exe
  2⤵
  PID:7744
- C:\Windows\System32\ewnlaMj.exe
  C:\Windows\System32\ewnlaMj.exe
  2⤵
  PID:7764
- C:\Windows\System32\eUyXCth.exe
  C:\Windows\System32\eUyXCth.exe
  2⤵
  PID:7788
- C:\Windows\System32\ecaOeGN.exe
  C:\Windows\System32\ecaOeGN.exe
  2⤵
  PID:7828
- C:\Windows\System32\KoGiWmm.exe
  C:\Windows\System32\KoGiWmm.exe
  2⤵
  PID:7852
- C:\Windows\System32\dxmVKwd.exe
  C:\Windows\System32\dxmVKwd.exe
  2⤵
  PID:7880
- C:\Windows\System32\npfZuNY.exe
  C:\Windows\System32\npfZuNY.exe
  2⤵
  PID:7912
- C:\Windows\System32\MgTdRqM.exe
  C:\Windows\System32\MgTdRqM.exe
  2⤵
  PID:7928
- C:\Windows\System32\QOGZucn.exe
  C:\Windows\System32\QOGZucn.exe
  2⤵
  PID:7964
- C:\Windows\System32\AJLUGvl.exe
  C:\Windows\System32\AJLUGvl.exe
  2⤵
  PID:7980
- C:\Windows\System32\NIPsvQn.exe
  C:\Windows\System32\NIPsvQn.exe
  2⤵
  PID:8016
- C:\Windows\System32\kHvMElF.exe
  C:\Windows\System32\kHvMElF.exe
  2⤵
  PID:8056
- C:\Windows\System32\LsAaOzl.exe
  C:\Windows\System32\LsAaOzl.exe
  2⤵
  PID:8080
- C:\Windows\System32\nIWbFUM.exe
  C:\Windows\System32\nIWbFUM.exe
  2⤵
  PID:8108
- C:\Windows\System32\yQEiqdM.exe
  C:\Windows\System32\yQEiqdM.exe
  2⤵
  PID:8136
- C:\Windows\System32\rKjsIGi.exe
  C:\Windows\System32\rKjsIGi.exe
  2⤵
  PID:8164
- C:\Windows\System32\ZDFbtlp.exe
  C:\Windows\System32\ZDFbtlp.exe
  2⤵
  PID:8184
- C:\Windows\System32\SkLSwuc.exe
  C:\Windows\System32\SkLSwuc.exe
  2⤵
  PID:6304
- C:\Windows\System32\trmTkMS.exe
  C:\Windows\System32\trmTkMS.exe
  2⤵
  PID:7248
- C:\Windows\System32\ORIdeZj.exe
  C:\Windows\System32\ORIdeZj.exe
  2⤵
  PID:7316
- C:\Windows\System32\SiYpZOK.exe
  C:\Windows\System32\SiYpZOK.exe
  2⤵
  PID:7392
- C:\Windows\System32\EtKjDsm.exe
  C:\Windows\System32\EtKjDsm.exe
  2⤵
  PID:7492
- C:\Windows\System32\vRxkplt.exe
  C:\Windows\System32\vRxkplt.exe
  2⤵
  PID:7548
- C:\Windows\System32\Dwflcym.exe
  C:\Windows\System32\Dwflcym.exe
  2⤵
  PID:7604
- C:\Windows\System32\ZvxJgqE.exe
  C:\Windows\System32\ZvxJgqE.exe
  2⤵
  PID:7688
- C:\Windows\System32\eqPoltr.exe
  C:\Windows\System32\eqPoltr.exe
  2⤵
  PID:7732
- C:\Windows\System32\bGKmXad.exe
  C:\Windows\System32\bGKmXad.exe
  2⤵
  PID:7808
- C:\Windows\System32\UykBGmk.exe
  C:\Windows\System32\UykBGmk.exe
  2⤵
  PID:7860
- C:\Windows\System32\LgQXrCp.exe
  C:\Windows\System32\LgQXrCp.exe
  2⤵
  PID:7908
- C:\Windows\System32\JjwrASN.exe
  C:\Windows\System32\JjwrASN.exe
  2⤵
  PID:7976
- C:\Windows\System32\zeWpUQa.exe
  C:\Windows\System32\zeWpUQa.exe
  2⤵
  PID:8092
- C:\Windows\System32\LykAmVu.exe
  C:\Windows\System32\LykAmVu.exe
  2⤵
  PID:8156
- C:\Windows\System32\hMmkjQn.exe
  C:\Windows\System32\hMmkjQn.exe
  2⤵
  PID:7192
- C:\Windows\System32\etnaJbg.exe
  C:\Windows\System32\etnaJbg.exe
  2⤵
  PID:7240
- C:\Windows\System32\StClnkA.exe
  C:\Windows\System32\StClnkA.exe
  2⤵
  PID:7448
- C:\Windows\System32\pTEBxsh.exe
  C:\Windows\System32\pTEBxsh.exe
  2⤵
  PID:7544
- C:\Windows\System32\jFTrVVN.exe
  C:\Windows\System32\jFTrVVN.exe
  2⤵
  PID:7692
- C:\Windows\System32\eKcomre.exe
  C:\Windows\System32\eKcomre.exe
  2⤵
  PID:7800
- C:\Windows\System32\igJEBaS.exe
  C:\Windows\System32\igJEBaS.exe
  2⤵
  PID:8116
- C:\Windows\System32\EVzOAgc.exe
  C:\Windows\System32\EVzOAgc.exe
  2⤵
  PID:8172
- C:\Windows\System32\MAuTIYk.exe
  C:\Windows\System32\MAuTIYk.exe
  2⤵
  PID:7612
- C:\Windows\System32\zgEbBWQ.exe
  C:\Windows\System32\zgEbBWQ.exe
  2⤵
  PID:7780
- C:\Windows\System32\LabUEXB.exe
  C:\Windows\System32\LabUEXB.exe
  2⤵
  PID:7444
- C:\Windows\System32\OJXFpMw.exe
  C:\Windows\System32\OJXFpMw.exe
  2⤵
  PID:8232
- C:\Windows\System32\PBDEaIu.exe
  C:\Windows\System32\PBDEaIu.exe
  2⤵
  PID:8252
- C:\Windows\System32\SoERJtI.exe
  C:\Windows\System32\SoERJtI.exe
  2⤵
  PID:8280
- C:\Windows\System32\eGZTGuG.exe
  C:\Windows\System32\eGZTGuG.exe
  2⤵
  PID:8312
- C:\Windows\System32\psnqKPh.exe
  C:\Windows\System32\psnqKPh.exe
  2⤵
  PID:8336
- C:\Windows\System32\cqxTDUo.exe
  C:\Windows\System32\cqxTDUo.exe
  2⤵
  PID:8364
- C:\Windows\System32\sWTtpNu.exe
  C:\Windows\System32\sWTtpNu.exe
  2⤵
  PID:8380
- C:\Windows\System32\TufGzDj.exe
  C:\Windows\System32\TufGzDj.exe
  2⤵
  PID:8416
- C:\Windows\System32\pvKEvcB.exe
  C:\Windows\System32\pvKEvcB.exe
  2⤵
  PID:8448
- C:\Windows\System32\RSohIWV.exe
  C:\Windows\System32\RSohIWV.exe
  2⤵
  PID:8472
- C:\Windows\System32\tpLTDof.exe
  C:\Windows\System32\tpLTDof.exe
  2⤵
  PID:8492
- C:\Windows\System32\PruXtoX.exe
  C:\Windows\System32\PruXtoX.exe
  2⤵
  PID:8536
- C:\Windows\System32\UqnWrIP.exe
  C:\Windows\System32\UqnWrIP.exe
  2⤵
  PID:8556
- C:\Windows\System32\NxnQsXY.exe
  C:\Windows\System32\NxnQsXY.exe
  2⤵
  PID:8596
- C:\Windows\System32\BepBajb.exe
  C:\Windows\System32\BepBajb.exe
  2⤵
  PID:8624
- C:\Windows\System32\fpgpmPO.exe
  C:\Windows\System32\fpgpmPO.exe
  2⤵
  PID:8652
- C:\Windows\System32\eZBPDFJ.exe
  C:\Windows\System32\eZBPDFJ.exe
  2⤵
  PID:8668
- C:\Windows\System32\snOecNa.exe
  C:\Windows\System32\snOecNa.exe
  2⤵
  PID:8688
- C:\Windows\System32\YMxLjqB.exe
  C:\Windows\System32\YMxLjqB.exe
  2⤵
  PID:8732
- C:\Windows\System32\gDJXcgO.exe
  C:\Windows\System32\gDJXcgO.exe
  2⤵
  PID:8764
- C:\Windows\System32\gFuBKnJ.exe
  C:\Windows\System32\gFuBKnJ.exe
  2⤵
  PID:8780
- C:\Windows\System32\tGhKsUD.exe
  C:\Windows\System32\tGhKsUD.exe
  2⤵
  PID:8800
- C:\Windows\System32\aHdrqxx.exe
  C:\Windows\System32\aHdrqxx.exe
  2⤵
  PID:8820
- C:\Windows\System32\ybQSUAY.exe
  C:\Windows\System32\ybQSUAY.exe
  2⤵
  PID:8976
- C:\Windows\System32\txnppde.exe
  C:\Windows\System32\txnppde.exe
  2⤵
  PID:8992
- C:\Windows\System32\jTBNjSj.exe
  C:\Windows\System32\jTBNjSj.exe
  2⤵
  PID:9012
- C:\Windows\System32\HIHolTj.exe
  C:\Windows\System32\HIHolTj.exe
  2⤵
  PID:9044
- C:\Windows\System32\tKuAXnV.exe
  C:\Windows\System32\tKuAXnV.exe
  2⤵
  PID:9072
- C:\Windows\System32\bOUAMLU.exe
  C:\Windows\System32\bOUAMLU.exe
  2⤵
  PID:9104
- C:\Windows\System32\yseTVmX.exe
  C:\Windows\System32\yseTVmX.exe
  2⤵
  PID:9128
- C:\Windows\System32\NsqFPKR.exe
  C:\Windows\System32\NsqFPKR.exe
  2⤵
  PID:9180
- C:\Windows\System32\OTATmwS.exe
  C:\Windows\System32\OTATmwS.exe
  2⤵
  PID:9200
- C:\Windows\System32\RXOtRup.exe
  C:\Windows\System32\RXOtRup.exe
  2⤵
  PID:7952
- C:\Windows\System32\ojqsGCu.exe
  C:\Windows\System32\ojqsGCu.exe
  2⤵
  PID:8240
- C:\Windows\System32\AcDHHBf.exe
  C:\Windows\System32\AcDHHBf.exe
  2⤵
  PID:8300
- C:\Windows\System32\IQySPYS.exe
  C:\Windows\System32\IQySPYS.exe
  2⤵
  PID:8356
- C:\Windows\System32\TCJRayx.exe
  C:\Windows\System32\TCJRayx.exe
  2⤵
  PID:8392
- C:\Windows\System32\jdKZvAA.exe
  C:\Windows\System32\jdKZvAA.exe
  2⤵
  PID:8488
- C:\Windows\System32\PluaNUx.exe
  C:\Windows\System32\PluaNUx.exe
  2⤵
  PID:8504
- C:\Windows\System32\rRpWDTw.exe
  C:\Windows\System32\rRpWDTw.exe
  2⤵
  PID:8612
- C:\Windows\System32\qxQYgsd.exe
  C:\Windows\System32\qxQYgsd.exe
  2⤵
  PID:8664
- C:\Windows\System32\pmOhpSB.exe
  C:\Windows\System32\pmOhpSB.exe
  2⤵
  PID:8776
- C:\Windows\System32\sQkXvIE.exe
  C:\Windows\System32\sQkXvIE.exe
  2⤵
  PID:8828
- C:\Windows\System32\iqMoGYk.exe
  C:\Windows\System32\iqMoGYk.exe
  2⤵
  PID:8864
- C:\Windows\System32\KfSWlAz.exe
  C:\Windows\System32\KfSWlAz.exe
  2⤵
  PID:8944
- C:\Windows\System32\rHnVhlE.exe
  C:\Windows\System32\rHnVhlE.exe
  2⤵
  PID:8880
- C:\Windows\System32\MRSPdEl.exe
  C:\Windows\System32\MRSPdEl.exe
  2⤵
  PID:8904
- C:\Windows\System32\XsMKDOg.exe
  C:\Windows\System32\XsMKDOg.exe
  2⤵
  PID:8956
- C:\Windows\System32\TWKDIcu.exe
  C:\Windows\System32\TWKDIcu.exe
  2⤵
  PID:9000
- C:\Windows\System32\gztZmQf.exe
  C:\Windows\System32\gztZmQf.exe
  2⤵
  PID:9172
- C:\Windows\System32\EaJXifP.exe
  C:\Windows\System32\EaJXifP.exe
  2⤵
  PID:9208
- C:\Windows\System32\sipUeST.exe
  C:\Windows\System32\sipUeST.exe
  2⤵
  PID:8264
- C:\Windows\System32\nrULbUa.exe
  C:\Windows\System32\nrULbUa.exe
  2⤵
  PID:8348
- C:\Windows\System32\PCUnuHJ.exe
  C:\Windows\System32\PCUnuHJ.exe
  2⤵
  PID:8620
- C:\Windows\System32\MYxUddC.exe
  C:\Windows\System32\MYxUddC.exe
  2⤵
  PID:8796
- C:\Windows\System32\zoyGsPu.exe
  C:\Windows\System32\zoyGsPu.exe
  2⤵
  PID:8908
- C:\Windows\System32\vsELopy.exe
  C:\Windows\System32\vsELopy.exe
  2⤵
  PID:8940
- C:\Windows\System32\BqXmTgY.exe
  C:\Windows\System32\BqXmTgY.exe
  2⤵
  PID:9008
- C:\Windows\System32\srdiypJ.exe
  C:\Windows\System32\srdiypJ.exe
  2⤵
  PID:8268
- C:\Windows\System32\pzlbEIV.exe
  C:\Windows\System32\pzlbEIV.exe
  2⤵
  PID:8576
- C:\Windows\System32\lbCOFCj.exe
  C:\Windows\System32\lbCOFCj.exe
  2⤵
  PID:8924
- C:\Windows\System32\NSdHZOL.exe
  C:\Windows\System32\NSdHZOL.exe
  2⤵
  PID:9192
- C:\Windows\System32\dxsBrUi.exe
  C:\Windows\System32\dxsBrUi.exe
  2⤵
  PID:9080
- C:\Windows\System32\AywrYpt.exe
  C:\Windows\System32\AywrYpt.exe
  2⤵
  PID:9224
- C:\Windows\System32\xcbSAEL.exe
  C:\Windows\System32\xcbSAEL.exe
  2⤵
  PID:9252
- C:\Windows\System32\mhcgyoY.exe
  C:\Windows\System32\mhcgyoY.exe
  2⤵
  PID:9276
- C:\Windows\System32\pjfCNeK.exe
  C:\Windows\System32\pjfCNeK.exe
  2⤵
  PID:9308
- C:\Windows\System32\TpPCXrs.exe
  C:\Windows\System32\TpPCXrs.exe
  2⤵
  PID:9328
- C:\Windows\System32\gQlCYuh.exe
  C:\Windows\System32\gQlCYuh.exe
  2⤵
  PID:9368
- C:\Windows\System32\yVydamY.exe
  C:\Windows\System32\yVydamY.exe
  2⤵
  PID:9396
- C:\Windows\System32\cbRdtkD.exe
  C:\Windows\System32\cbRdtkD.exe
  2⤵
  PID:9412
- C:\Windows\System32\mcPXcGk.exe
  C:\Windows\System32\mcPXcGk.exe
  2⤵
  PID:9444
- C:\Windows\System32\vbxmYRT.exe
  C:\Windows\System32\vbxmYRT.exe
  2⤵
  PID:9468
- C:\Windows\System32\AAbiCKq.exe
  C:\Windows\System32\AAbiCKq.exe
  2⤵
  PID:9496
- C:\Windows\System32\GhJeUWe.exe
  C:\Windows\System32\GhJeUWe.exe
  2⤵
  PID:9540
- C:\Windows\System32\PKicnSY.exe
  C:\Windows\System32\PKicnSY.exe
  2⤵
  PID:9564
- C:\Windows\System32\dZwoyjP.exe
  C:\Windows\System32\dZwoyjP.exe
  2⤵
  PID:9596
- C:\Windows\System32\FQTyEWw.exe
  C:\Windows\System32\FQTyEWw.exe
  2⤵
  PID:9620
- C:\Windows\System32\HDFIoFX.exe
  C:\Windows\System32\HDFIoFX.exe
  2⤵
  PID:9640
- C:\Windows\System32\LkWZnai.exe
  C:\Windows\System32\LkWZnai.exe
  2⤵
  PID:9664
- C:\Windows\System32\WIEiNSJ.exe
  C:\Windows\System32\WIEiNSJ.exe
  2⤵
  PID:9696
- C:\Windows\System32\oGRvClt.exe
  C:\Windows\System32\oGRvClt.exe
  2⤵
  PID:9716
- C:\Windows\System32\spwdfeO.exe
  C:\Windows\System32\spwdfeO.exe
  2⤵
  PID:9740
- C:\Windows\System32\HsHUqej.exe
  C:\Windows\System32\HsHUqej.exe
  2⤵
  PID:9792
- C:\Windows\System32\kLPhnsq.exe
  C:\Windows\System32\kLPhnsq.exe
  2⤵
  PID:9808
- C:\Windows\System32\aVYcVNO.exe
  C:\Windows\System32\aVYcVNO.exe
  2⤵
  PID:9848
- C:\Windows\System32\ybGLeQn.exe
  C:\Windows\System32\ybGLeQn.exe
  2⤵
  PID:9884
- C:\Windows\System32\lRDVoAB.exe
  C:\Windows\System32\lRDVoAB.exe
  2⤵
  PID:9900
- C:\Windows\System32\BCylUwf.exe
  C:\Windows\System32\BCylUwf.exe
  2⤵
  PID:9944
- C:\Windows\System32\BjpZHQI.exe
  C:\Windows\System32\BjpZHQI.exe
  2⤵
  PID:9960
- C:\Windows\System32\oDgOavo.exe
  C:\Windows\System32\oDgOavo.exe
  2⤵
  PID:10000
- C:\Windows\System32\IzWYgUC.exe
  C:\Windows\System32\IzWYgUC.exe
  2⤵
  PID:10016
- C:\Windows\System32\ODpqkNi.exe
  C:\Windows\System32\ODpqkNi.exe
  2⤵
  PID:10032
- C:\Windows\System32\MyqRFAN.exe
  C:\Windows\System32\MyqRFAN.exe
  2⤵
  PID:10072
- C:\Windows\System32\jvbvAvx.exe
  C:\Windows\System32\jvbvAvx.exe
  2⤵
  PID:10088
- C:\Windows\System32\PUNaXNH.exe
  C:\Windows\System32\PUNaXNH.exe
  2⤵
  PID:10116
- C:\Windows\System32\UMPfKud.exe
  C:\Windows\System32\UMPfKud.exe
  2⤵
  PID:10156
- C:\Windows\System32\GYmTBHr.exe
  C:\Windows\System32\GYmTBHr.exe
  2⤵
  PID:10192
- C:\Windows\System32\Qajmlnt.exe
  C:\Windows\System32\Qajmlnt.exe
  2⤵
  PID:10212
- C:\Windows\System32\TkDEfCY.exe
  C:\Windows\System32\TkDEfCY.exe
  2⤵
  PID:10228
- C:\Windows\System32\trnVZrB.exe
  C:\Windows\System32\trnVZrB.exe
  2⤵
  PID:9248
- C:\Windows\System32\NeUjuMM.exe
  C:\Windows\System32\NeUjuMM.exe
  2⤵
  PID:8712
- C:\Windows\System32\GRLhFVz.exe
  C:\Windows\System32\GRLhFVz.exe
  2⤵
  PID:9364
- C:\Windows\System32\rGDpCKE.exe
  C:\Windows\System32\rGDpCKE.exe
  2⤵
  PID:9456
- C:\Windows\System32\WyJVNqP.exe
  C:\Windows\System32\WyJVNqP.exe
  2⤵
  PID:9548
- C:\Windows\System32\syrLtGE.exe
  C:\Windows\System32\syrLtGE.exe
  2⤵
  PID:9580
- C:\Windows\System32\wCuidnA.exe
  C:\Windows\System32\wCuidnA.exe
  2⤵
  PID:9636
- C:\Windows\System32\SbMyeej.exe
  C:\Windows\System32\SbMyeej.exe
  2⤵
  PID:9712
- C:\Windows\System32\doJuPHi.exe
  C:\Windows\System32\doJuPHi.exe
  2⤵
  PID:9788
- C:\Windows\System32\JpRIwYT.exe
  C:\Windows\System32\JpRIwYT.exe
  2⤵
  PID:9824
- C:\Windows\System32\TBqulSH.exe
  C:\Windows\System32\TBqulSH.exe
  2⤵
  PID:9896
- C:\Windows\System32\mZLiVHh.exe
  C:\Windows\System32\mZLiVHh.exe
  2⤵
  PID:10012
- C:\Windows\System32\XjTzElU.exe
  C:\Windows\System32\XjTzElU.exe
  2⤵
  PID:10084
- C:\Windows\System32\yOrAElC.exe
  C:\Windows\System32\yOrAElC.exe
  2⤵
  PID:10112
- C:\Windows\System32\tayBAwT.exe
  C:\Windows\System32\tayBAwT.exe
  2⤵
  PID:10168
- C:\Windows\System32\BvGEDpo.exe
  C:\Windows\System32\BvGEDpo.exe
  2⤵
  PID:8328
- C:\Windows\System32\erNuNrs.exe
  C:\Windows\System32\erNuNrs.exe
  2⤵
  PID:9524
- C:\Windows\System32\HfzaffK.exe
  C:\Windows\System32\HfzaffK.exe
  2⤵
  PID:9492
- C:\Windows\System32\fQkKopw.exe
  C:\Windows\System32\fQkKopw.exe
  2⤵
  PID:9556
- C:\Windows\System32\DhDvSPa.exe
  C:\Windows\System32\DhDvSPa.exe
  2⤵
  PID:9832
- C:\Windows\System32\ZyumOpL.exe
  C:\Windows\System32\ZyumOpL.exe
  2⤵
  PID:9876
- C:\Windows\System32\PltXlqH.exe
  C:\Windows\System32\PltXlqH.exe
  2⤵
  PID:10008
- C:\Windows\System32\AjeEUbn.exe
  C:\Windows\System32\AjeEUbn.exe
  2⤵
  PID:9268
- C:\Windows\System32\YKzEaAY.exe
  C:\Windows\System32\YKzEaAY.exe
  2⤵
  PID:9516
- C:\Windows\System32\CPJnwst.exe
  C:\Windows\System32\CPJnwst.exe
  2⤵
  PID:9820
- C:\Windows\System32\oTLukMF.exe
  C:\Windows\System32\oTLukMF.exe
  2⤵
  PID:9424
- C:\Windows\System32\nOighwc.exe
  C:\Windows\System32\nOighwc.exe
  2⤵
  PID:10148
- C:\Windows\System32\ccGpBlQ.exe
  C:\Windows\System32\ccGpBlQ.exe
  2⤵
  PID:10252
- C:\Windows\System32\sPeRWzp.exe
  C:\Windows\System32\sPeRWzp.exe
  2⤵
  PID:10280
- C:\Windows\System32\DCbClOR.exe
  C:\Windows\System32\DCbClOR.exe
  2⤵
  PID:10296
- C:\Windows\System32\SJRHeMf.exe
  C:\Windows\System32\SJRHeMf.exe
  2⤵
  PID:10316
- C:\Windows\System32\deeuTSW.exe
  C:\Windows\System32\deeuTSW.exe
  2⤵
  PID:10344
- C:\Windows\System32\qbSyUVq.exe
  C:\Windows\System32\qbSyUVq.exe
  2⤵
  PID:10368
- C:\Windows\System32\QYgiuwG.exe
  C:\Windows\System32\QYgiuwG.exe
  2⤵
  PID:10416
- C:\Windows\System32\KolqdCE.exe
  C:\Windows\System32\KolqdCE.exe
  2⤵
  PID:10452
- C:\Windows\System32\UQoUmxH.exe
  C:\Windows\System32\UQoUmxH.exe
  2⤵
  PID:10472
- C:\Windows\System32\OYeVBgB.exe
  C:\Windows\System32\OYeVBgB.exe
  2⤵
  PID:10496
- C:\Windows\System32\wLZsDND.exe
  C:\Windows\System32\wLZsDND.exe
  2⤵
  PID:10524
- C:\Windows\System32\RZjJTUj.exe
  C:\Windows\System32\RZjJTUj.exe
  2⤵
  PID:10564
- C:\Windows\System32\IizWdfq.exe
  C:\Windows\System32\IizWdfq.exe
  2⤵
  PID:10580
- C:\Windows\System32\ONtvPmp.exe
  C:\Windows\System32\ONtvPmp.exe
  2⤵
  PID:10620
- C:\Windows\System32\kVULVeG.exe
  C:\Windows\System32\kVULVeG.exe
  2⤵
  PID:10648
- C:\Windows\System32\zFCZtfj.exe
  C:\Windows\System32\zFCZtfj.exe
  2⤵
  PID:10672
- C:\Windows\System32\miVlhCA.exe
  C:\Windows\System32\miVlhCA.exe
  2⤵
  PID:10692
- C:\Windows\System32\izCDzFC.exe
  C:\Windows\System32\izCDzFC.exe
  2⤵
  PID:10716
- C:\Windows\System32\lRiVEbz.exe
  C:\Windows\System32\lRiVEbz.exe
  2⤵
  PID:10756
- C:\Windows\System32\ftjVpEx.exe
  C:\Windows\System32\ftjVpEx.exe
  2⤵
  PID:10784
- C:\Windows\System32\LljXCzw.exe
  C:\Windows\System32\LljXCzw.exe
  2⤵
  PID:10804
- C:\Windows\System32\mwPIGRZ.exe
  C:\Windows\System32\mwPIGRZ.exe
  2⤵
  PID:10872
- C:\Windows\System32\KbCzuYk.exe
  C:\Windows\System32\KbCzuYk.exe
  2⤵
  PID:10892
- C:\Windows\System32\EXkNsdO.exe
  C:\Windows\System32\EXkNsdO.exe
  2⤵
  PID:10908
- C:\Windows\System32\rKxgsUV.exe
  C:\Windows\System32\rKxgsUV.exe
  2⤵
  PID:10932
- C:\Windows\System32\aYHLlYk.exe
  C:\Windows\System32\aYHLlYk.exe
  2⤵
  PID:10968
- C:\Windows\System32\sfgjPlx.exe
  C:\Windows\System32\sfgjPlx.exe
  2⤵
  PID:10996
- C:\Windows\System32\QXScUbb.exe
  C:\Windows\System32\QXScUbb.exe
  2⤵
  PID:11048
- C:\Windows\System32\RVRNnAk.exe
  C:\Windows\System32\RVRNnAk.exe
  2⤵
  PID:11068
- C:\Windows\System32\cimgJXj.exe
  C:\Windows\System32\cimgJXj.exe
  2⤵
  PID:11096
- C:\Windows\System32\ZWfCWKS.exe
  C:\Windows\System32\ZWfCWKS.exe
  2⤵
  PID:11124
- C:\Windows\System32\CPefDzt.exe
  C:\Windows\System32\CPefDzt.exe
  2⤵
  PID:11140
- C:\Windows\System32\nYmQUjb.exe
  C:\Windows\System32\nYmQUjb.exe
  2⤵
  PID:11172
- C:\Windows\System32\EdenFoV.exe
  C:\Windows\System32\EdenFoV.exe
  2⤵
  PID:11196
- C:\Windows\System32\FczHACF.exe
  C:\Windows\System32\FczHACF.exe
  2⤵
  PID:11216
- C:\Windows\System32\PDUUVyw.exe
  C:\Windows\System32\PDUUVyw.exe
  2⤵
  PID:11240
- C:\Windows\System32\EsxviHS.exe
  C:\Windows\System32\EsxviHS.exe
  2⤵
  PID:10276
- C:\Windows\System32\vkIRVBw.exe
  C:\Windows\System32\vkIRVBw.exe
  2⤵
  PID:10360
- C:\Windows\System32\maWkHJz.exe
  C:\Windows\System32\maWkHJz.exe
  2⤵
  PID:10408
- C:\Windows\System32\yjelJEA.exe
  C:\Windows\System32\yjelJEA.exe
  2⤵
  PID:10468
- C:\Windows\System32\rtOjzNa.exe
  C:\Windows\System32\rtOjzNa.exe
  2⤵
  PID:10520
- C:\Windows\System32\PvVfxfF.exe
  C:\Windows\System32\PvVfxfF.exe
  2⤵
  PID:10576
- C:\Windows\System32\JiBKkjn.exe
  C:\Windows\System32\JiBKkjn.exe
  2⤵
  PID:10640
- C:\Windows\System32\DmkVQUC.exe
  C:\Windows\System32\DmkVQUC.exe
  2⤵
  PID:10724
- C:\Windows\System32\UVvVpWv.exe
  C:\Windows\System32\UVvVpWv.exe
  2⤵
  PID:10800
- C:\Windows\System32\zcZimqf.exe
  C:\Windows\System32\zcZimqf.exe
  2⤵
  PID:10884
- C:\Windows\System32\aOILbAI.exe
  C:\Windows\System32\aOILbAI.exe
  2⤵
  PID:10960
- C:\Windows\System32\MxRIUrJ.exe
  C:\Windows\System32\MxRIUrJ.exe
  2⤵
  PID:11064
- C:\Windows\System32\pUVRQBs.exe
  C:\Windows\System32\pUVRQBs.exe
  2⤵
  PID:11112
- C:\Windows\System32\shuEXcS.exe
  C:\Windows\System32\shuEXcS.exe
  2⤵
  PID:11188
- C:\Windows\System32\qePJhYo.exe
  C:\Windows\System32\qePJhYo.exe
  2⤵
  PID:11256
- C:\Windows\System32\CeHwUmJ.exe
  C:\Windows\System32\CeHwUmJ.exe
  2⤵
  PID:3148
- C:\Windows\System32\MdNVbYp.exe
  C:\Windows\System32\MdNVbYp.exe
  2⤵
  PID:10560
- C:\Windows\System32\hlihIPI.exe
  C:\Windows\System32\hlihIPI.exe
  2⤵
  PID:10824
- C:\Windows\System32\naqsxoA.exe
  C:\Windows\System32\naqsxoA.exe
  2⤵
  PID:10940
- C:\Windows\System32\YpWTaML.exe
  C:\Windows\System32\YpWTaML.exe
  2⤵
  PID:11028
- C:\Windows\System32\rNjXyAF.exe
  C:\Windows\System32\rNjXyAF.exe
  2⤵
  PID:11132
- C:\Windows\System32\RAajDPM.exe
  C:\Windows\System32\RAajDPM.exe
  2⤵
  PID:11224
- C:\Windows\System32\vrFdJeK.exe
  C:\Windows\System32\vrFdJeK.exe
  2⤵
  PID:4572
- C:\Windows\System32\ctTqatL.exe
  C:\Windows\System32\ctTqatL.exe
  2⤵
  PID:10700
- C:\Windows\System32\hWDnTDM.exe
  C:\Windows\System32\hWDnTDM.exe
  2⤵
  PID:3380
- C:\Windows\System32\uiEbYSN.exe
  C:\Windows\System32\uiEbYSN.exe
  2⤵
  PID:11252
- C:\Windows\System32\GeGBcPs.exe
  C:\Windows\System32\GeGBcPs.exe
  2⤵
  PID:2320
- C:\Windows\System32\nxKBObq.exe
  C:\Windows\System32\nxKBObq.exe
  2⤵
  PID:10444
- C:\Windows\System32\vVvTjNY.exe
  C:\Windows\System32\vVvTjNY.exe
  2⤵
  PID:10828
- C:\Windows\System32\pzSajtv.exe
  C:\Windows\System32\pzSajtv.exe
  2⤵
  PID:11292
- C:\Windows\System32\NXQqavz.exe
  C:\Windows\System32\NXQqavz.exe
  2⤵
  PID:11312
- C:\Windows\System32\ChYPtfN.exe
  C:\Windows\System32\ChYPtfN.exe
  2⤵
  PID:11352
- C:\Windows\System32\AjUcdkp.exe
  C:\Windows\System32\AjUcdkp.exe
  2⤵
  PID:11376
- C:\Windows\System32\oZsGIdC.exe
  C:\Windows\System32\oZsGIdC.exe
  2⤵
  PID:11396
- C:\Windows\System32\YVSfPXC.exe
  C:\Windows\System32\YVSfPXC.exe
  2⤵
  PID:11424
- C:\Windows\System32\EGPRobS.exe
  C:\Windows\System32\EGPRobS.exe
  2⤵
  PID:11464
- C:\Windows\System32\hWhUSlc.exe
  C:\Windows\System32\hWhUSlc.exe
  2⤵
  PID:11492
- C:\Windows\System32\CygXNyr.exe
  C:\Windows\System32\CygXNyr.exe
  2⤵
  PID:11520
- C:\Windows\System32\iukwUWc.exe
  C:\Windows\System32\iukwUWc.exe
  2⤵
  PID:11544
- C:\Windows\System32\wehkafL.exe
  C:\Windows\System32\wehkafL.exe
  2⤵
  PID:11568
- C:\Windows\System32\SKzaKvT.exe
  C:\Windows\System32\SKzaKvT.exe
  2⤵
  PID:11604
- C:\Windows\System32\pxzsFtu.exe
  C:\Windows\System32\pxzsFtu.exe
  2⤵
  PID:11620
- C:\Windows\System32\yJUcPWK.exe
  C:\Windows\System32\yJUcPWK.exe
  2⤵
  PID:11648
- C:\Windows\System32\kcCHKWs.exe
  C:\Windows\System32\kcCHKWs.exe
  2⤵
  PID:11688
- C:\Windows\System32\IbbIRSA.exe
  C:\Windows\System32\IbbIRSA.exe
  2⤵
  PID:11704
- C:\Windows\System32\MTChMkm.exe
  C:\Windows\System32\MTChMkm.exe
  2⤵
  PID:11744
- C:\Windows\System32\jKmphzK.exe
  C:\Windows\System32\jKmphzK.exe
  2⤵
  PID:11772
- C:\Windows\System32\xYGejOX.exe
  C:\Windows\System32\xYGejOX.exe
  2⤵
  PID:11788
- C:\Windows\System32\lvdTmHC.exe
  C:\Windows\System32\lvdTmHC.exe
  2⤵
  PID:11828
- C:\Windows\System32\UoEamXu.exe
  C:\Windows\System32\UoEamXu.exe
  2⤵
  PID:11856
- C:\Windows\System32\ZPxJUnb.exe
  C:\Windows\System32\ZPxJUnb.exe
  2⤵
  PID:11884
- C:\Windows\System32\fQFAOOA.exe
  C:\Windows\System32\fQFAOOA.exe
  2⤵
  PID:11912
- C:\Windows\System32\YVYeyFq.exe
  C:\Windows\System32\YVYeyFq.exe
  2⤵
  PID:11940
- C:\Windows\System32\EvifSAx.exe
  C:\Windows\System32\EvifSAx.exe
  2⤵
  PID:11968
- C:\Windows\System32\hdVWtdr.exe
  C:\Windows\System32\hdVWtdr.exe
  2⤵
  PID:11992
- C:\Windows\System32\snniHEP.exe
  C:\Windows\System32\snniHEP.exe
  2⤵
  PID:12024
- C:\Windows\System32\ujHgyKV.exe
  C:\Windows\System32\ujHgyKV.exe
  2⤵
  PID:12048
- C:\Windows\System32\RAEynii.exe
  C:\Windows\System32\RAEynii.exe
  2⤵
  PID:12072
- C:\Windows\System32\ZEAGlCY.exe
  C:\Windows\System32\ZEAGlCY.exe
  2⤵
  PID:12112
- C:\Windows\System32\WczJRJu.exe
  C:\Windows\System32\WczJRJu.exe
  2⤵
  PID:12140
- C:\Windows\System32\pSAuvNE.exe
  C:\Windows\System32\pSAuvNE.exe
  2⤵
  PID:12172
- C:\Windows\System32\lfApcJO.exe
  C:\Windows\System32\lfApcJO.exe
  2⤵
  PID:12200
- C:\Windows\System32\RufetZv.exe
  C:\Windows\System32\RufetZv.exe
  2⤵
  PID:12256
- C:\Windows\System32\xzFDate.exe
  C:\Windows\System32\xzFDate.exe
  2⤵
  PID:12280
- C:\Windows\System32\OKWXEuN.exe
  C:\Windows\System32\OKWXEuN.exe
  2⤵
  PID:11332
- C:\Windows\System32\cTGxWTZ.exe
  C:\Windows\System32\cTGxWTZ.exe
  2⤵
  PID:11408
- C:\Windows\System32\CAIphGJ.exe
  C:\Windows\System32\CAIphGJ.exe
  2⤵
  PID:11460
- C:\Windows\System32\HhHyXKC.exe
  C:\Windows\System32\HhHyXKC.exe
  2⤵
  PID:11584
- C:\Windows\System32\iLhxqRe.exe
  C:\Windows\System32\iLhxqRe.exe
  2⤵
  PID:11668
- C:\Windows\System32\mBbXRmf.exe
  C:\Windows\System32\mBbXRmf.exe
  2⤵
  PID:11724
- C:\Windows\System32\bEmnWQj.exe
  C:\Windows\System32\bEmnWQj.exe
  2⤵
  PID:11756
- C:\Windows\System32\qZmbMpe.exe
  C:\Windows\System32\qZmbMpe.exe
  2⤵
  PID:11812
- C:\Windows\System32\OIPxkBG.exe
  C:\Windows\System32\OIPxkBG.exe
  2⤵
  PID:11880
- C:\Windows\System32\Uboivjy.exe
  C:\Windows\System32\Uboivjy.exe
  2⤵
  PID:11984
- C:\Windows\System32\hRqmwEH.exe
  C:\Windows\System32\hRqmwEH.exe
  2⤵
  PID:12068
- C:\Windows\System32\diuzqGH.exe
  C:\Windows\System32\diuzqGH.exe
  2⤵
  PID:1668
- C:\Windows\System32\CKkUMcB.exe
  C:\Windows\System32\CKkUMcB.exe
  2⤵
  PID:12236
- C:\Windows\System32\DHKTelR.exe
  C:\Windows\System32\DHKTelR.exe
  2⤵
  PID:11300
- C:\Windows\System32\HXugiCf.exe
  C:\Windows\System32\HXugiCf.exe
  2⤵
  PID:11632
- C:\Windows\System32\CEkGlwx.exe
  C:\Windows\System32\CEkGlwx.exe
  2⤵
  PID:11808
- C:\Windows\System32\IcKASte.exe
  C:\Windows\System32\IcKASte.exe
  2⤵
  PID:11980
- C:\Windows\System32\ierXYPq.exe
  C:\Windows\System32\ierXYPq.exe
  2⤵
  PID:12188
- C:\Windows\System32\acRGodB.exe
  C:\Windows\System32\acRGodB.exe
  2⤵
  PID:11556
- C:\Windows\System32\dumhXyW.exe
  C:\Windows\System32\dumhXyW.exe
  2⤵
  PID:11804
- C:\Windows\System32\GncXWFl.exe
  C:\Windows\System32\GncXWFl.exe
  2⤵
  PID:12036
- C:\Windows\System32\KnkFvsC.exe
  C:\Windows\System32\KnkFvsC.exe
  2⤵
  PID:6376
- C:\Windows\System32\ADzOVRS.exe
  C:\Windows\System32\ADzOVRS.exe
  2⤵
  PID:12324
- C:\Windows\System32\rdpvhEd.exe
  C:\Windows\System32\rdpvhEd.exe
  2⤵
  PID:12344
- C:\Windows\System32\fHVbwhP.exe
  C:\Windows\System32\fHVbwhP.exe
  2⤵
  PID:12376
- C:\Windows\System32\AHMioSq.exe
  C:\Windows\System32\AHMioSq.exe
  2⤵
  PID:12396
- C:\Windows\System32\kkYbNLK.exe
  C:\Windows\System32\kkYbNLK.exe
  2⤵
  PID:12420
- C:\Windows\System32\UUxzFVw.exe
  C:\Windows\System32\UUxzFVw.exe
  2⤵
  PID:12448
- C:\Windows\System32\VNtxHJD.exe
  C:\Windows\System32\VNtxHJD.exe
  2⤵
  PID:12488
- C:\Windows\System32\qLwQMVa.exe
  C:\Windows\System32\qLwQMVa.exe
  2⤵
  PID:12524
- C:\Windows\System32\ElvDvbV.exe
  C:\Windows\System32\ElvDvbV.exe
  2⤵
  PID:12544
- C:\Windows\System32\OkkzIDq.exe
  C:\Windows\System32\OkkzIDq.exe
  2⤵
  PID:12584
- C:\Windows\System32\BEzYXFf.exe
  C:\Windows\System32\BEzYXFf.exe
  2⤵
  PID:12616
- C:\Windows\System32\wCixWSo.exe
  C:\Windows\System32\wCixWSo.exe
  2⤵
  PID:12648
- C:\Windows\System32\wAoEJeY.exe
  C:\Windows\System32\wAoEJeY.exe
  2⤵
  PID:12684
- C:\Windows\System32\UEvBGGX.exe
  C:\Windows\System32\UEvBGGX.exe
  2⤵
  PID:12700
- C:\Windows\System32\WTKcfpX.exe
  C:\Windows\System32\WTKcfpX.exe
  2⤵
  PID:12720
- C:\Windows\System32\jghZsSS.exe
  C:\Windows\System32\jghZsSS.exe
  2⤵
  PID:12744
- C:\Windows\System32\QtyCXJW.exe
  C:\Windows\System32\QtyCXJW.exe
  2⤵
  PID:12780
- C:\Windows\System32\trjGPyo.exe
  C:\Windows\System32\trjGPyo.exe
  2⤵
  PID:12820
- C:\Windows\System32\ZvQDOVJ.exe
  C:\Windows\System32\ZvQDOVJ.exe
  2⤵
  PID:12844
- C:\Windows\System32\zHUygyw.exe
  C:\Windows\System32\zHUygyw.exe
  2⤵
  PID:12868
- C:\Windows\System32\LkRIuzM.exe
  C:\Windows\System32\LkRIuzM.exe
  2⤵
  PID:12892
- C:\Windows\System32\yXErido.exe
  C:\Windows\System32\yXErido.exe
  2⤵
  PID:12924
- C:\Windows\System32\Niqqxfi.exe
  C:\Windows\System32\Niqqxfi.exe
  2⤵
  PID:12976
- C:\Windows\System32\TYIEgtT.exe
  C:\Windows\System32\TYIEgtT.exe
  2⤵
  PID:13004
- C:\Windows\System32\ifAzInB.exe
  C:\Windows\System32\ifAzInB.exe
  2⤵
  PID:13024
- C:\Windows\System32\LaBmzly.exe
  C:\Windows\System32\LaBmzly.exe
  2⤵
  PID:13064
- C:\Windows\System32\HqpxYRH.exe
  C:\Windows\System32\HqpxYRH.exe
  2⤵
  PID:13088
- C:\Windows\System32\qeOArml.exe
  C:\Windows\System32\qeOArml.exe
  2⤵
  PID:13108
- C:\Windows\System32\IjsWMCZ.exe
  C:\Windows\System32\IjsWMCZ.exe
  2⤵
  PID:13124
- C:\Windows\System32\HWIFfVr.exe
  C:\Windows\System32\HWIFfVr.exe
  2⤵
  PID:13160
- C:\Windows\System32\IzDMJfC.exe
  C:\Windows\System32\IzDMJfC.exe
  2⤵
  PID:13184
- C:\Windows\System32\rqAkWqa.exe
  C:\Windows\System32\rqAkWqa.exe
  2⤵
  PID:13232
- C:\Windows\System32\uOxvqXA.exe
  C:\Windows\System32\uOxvqXA.exe
  2⤵
  PID:13260
- C:\Windows\System32\KVAHWSa.exe
  C:\Windows\System32\KVAHWSa.exe
  2⤵
  PID:13284
- C:\Windows\System32\EyWdgXT.exe
  C:\Windows\System32\EyWdgXT.exe
  2⤵
  PID:13308
- C:\Windows\System32\ahdHbVz.exe
  C:\Windows\System32\ahdHbVz.exe
  2⤵
  PID:3100
- C:\Windows\System32\cKkPISd.exe
  C:\Windows\System32\cKkPISd.exe
  2⤵
  PID:12372
- C:\Windows\System32\YJTIDCy.exe
  C:\Windows\System32\YJTIDCy.exe
  2⤵
  PID:12440
- C:\Windows\System32\nTeoTYw.exe
  C:\Windows\System32\nTeoTYw.exe
  2⤵
  PID:12512
- C:\Windows\System32\nkOuWBt.exe
  C:\Windows\System32\nkOuWBt.exe
  2⤵
  PID:12836
- C:\Windows\System32\WlfVDxe.exe
  C:\Windows\System32\WlfVDxe.exe
  2⤵
  PID:12912
- C:\Windows\System32\xzoOSof.exe
  C:\Windows\System32\xzoOSof.exe
  2⤵
  PID:4972
- C:\Windows\System32\EpBQwuH.exe
  C:\Windows\System32\EpBQwuH.exe
  2⤵
  PID:12996
- C:\Windows\System32\JROFYTA.exe
  C:\Windows\System32\JROFYTA.exe
  2⤵
  PID:13044
- C:\Windows\System32\qMzaRjj.exe
  C:\Windows\System32\qMzaRjj.exe
  2⤵
  PID:13100
- C:\Windows\System32\ofcXZek.exe
  C:\Windows\System32\ofcXZek.exe
  2⤵
  PID:13136
- C:\Windows\System32\hbXdfry.exe
  C:\Windows\System32\hbXdfry.exe
  2⤵
  PID:13212
- C:\Windows\System32\NaYdrzG.exe
  C:\Windows\System32\NaYdrzG.exe
  2⤵
  PID:13296

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:13724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\BRqRyRZ.exe

Filesize
2.0MB

MD5
222106047625a376a77394e75cc92f26

SHA1
c6359228f12cd857876863f5d0a16a0be96ea9ba

SHA256
56bde5c610cc95f6cc2b4695e2284d2e5df2ad24ffc31005baa4aa9cf801bb56

SHA512
e2944f59a41b3cef319619fc1d39122164d59f42cece6aa0b4c04e66da253812407a165be77845c925cb44ddfe93f27f61581cb5fcb6bedcdeb2e4f904aaa60a

Download Submit
C:\Windows\System32\BZOmlhw.exe

Filesize
2.0MB

MD5
2238209126a5e5652faf6f7201800420

SHA1
55aa20c55fd4476157db415095294f5d0679099b

SHA256
0b27f02aa3675ab2d9e9aee8b7fe3b40e3de9900270e467e4399da427a544940

SHA512
f84ae007c54bbe6eb47845cd44887df979a17dac3c38f1f44e8bd80f8f92082c068507361eeee3d1fe29caaaa78aeeae2a40fe1bda423eb53151a4596f7120b7

Download Submit
C:\Windows\System32\CtCmICF.exe

Filesize
2.0MB

MD5
3848830ac8953166b6cf64ce3b7849ae

SHA1
edbf5204707b354fd1134fea7d50b2ff770623db

SHA256
12f76d9a6cbf4aa8301871f63f851247ccb90ce45f52573af86049f41711b404

SHA512
792424bdd2d37088d6db3dc6c5ba8478cddde376d74263743946a89b98ba75624fdabcacfbb1d95e50814595b2b1b04b2d0bc84e48e006801f15a097c5cc2a97

Download Submit
C:\Windows\System32\ESvNLSb.exe

Filesize
2.0MB

MD5
fd43c9d7d2873f2ea10078b5a9f5d294

SHA1
28af57778b4b86133b4df1a1276a8b34a39662cb

SHA256
48f9f83570b6dabf472bb10fd644d6baa507ef9816781499c92433c33420d33f

SHA512
336735a5bfcc0066e3202ca976302946c919962e56c789e07055276db14ac04bb14aeb3bb612a5ca62b2e9e1f3ca3e97dcb8b68d2ebee118efc57c9dc8074c8e

Download Submit
C:\Windows\System32\ElZDEIp.exe

Filesize
2.0MB

MD5
1301f56b02d99a72fef5053b919f7dc2

SHA1
e4d7f263e589e59f25928b1725315c49286099e0

SHA256
ecf2d8284016d355710774adde43efe5ac342a1d74cca717d4a98ee63d9a90b1

SHA512
ef56220c0e2a332c499d418468fde5d3d2d9888bd28dc620a419c084366253fc2f79ef9a7a97fae9e79799c3d34e26b4555f803bfda6458dc4ecb182e8d134ea

Download Submit
C:\Windows\System32\EnZeJuH.exe

Filesize
2.0MB

MD5
c3733ad9bd4144c62cc8132490a1678a

SHA1
968166eb267d04683c3056c37aac08e0e6744080

SHA256
087fbb08a66008a2c84c2e386a464b41f09a58fa729e31c1ba8bcb70a9eef3c8

SHA512
3ee1be73a6e900dcec51a068dd8f1cf7f6573caf9a03bf9ec2050e8a10c353ce8c7ec8886506a05522d79acd2c1971c86d36ae05ff195352d43eb5bc0555dcb4

Download Submit
C:\Windows\System32\EoNTfnO.exe

Filesize
2.0MB

MD5
147a8a7038e47c088f18cf8bbbf66a3f

SHA1
b720c273f2ac4052a4092dc76de29a4254ed975c

SHA256
e5baf86c1fdf2fc0d209fd27c8c816abbffc968e6f5d904ade8fb74e14b249ec

SHA512
92fe23be30c49057fa70fe0b00d5e4082a99e7b6a92d0c204b78eb27b3a469f208bd6c0b93418ed2d4d4d40a4a03c6d53eed342100a06df8c06c296b91959731

Download Submit
C:\Windows\System32\FHSGlDS.exe

Filesize
2.0MB

MD5
ad2b34a35d98ac073ddc2a046e3e632c

SHA1
c19b46b1b33a419059268471a5e635023ccde978

SHA256
33efee04d9a4ff902ea55a5d8b503a0bdeb932a96a13a6aeb12733d89b8aba99

SHA512
d0e2fa25ee9bb5fc80cc67fc7a9174c9a1d294eca2f1bfbaf255112f3403f4d8e226b9635ed3dbc9a9af946e9ef72cffa7e9119d2cd0036968074df73ab32550

Download Submit
C:\Windows\System32\FbhHLwx.exe

Filesize
2.0MB

MD5
69f0c56035906e54305e66c6a0bef297

SHA1
53ddfb3da8ce2253d8c05806334245b226458fd9

SHA256
11e5d76334fe03650fd7307ecb1ca94aecfc2fec692909c60ad288b4d9d8a459

SHA512
3e061d24eeb82f92b6b72b8780f031adcf9548680e1c455226add8d0b165eb1661f320f8bb85659e335d36fa4e0a43b81f56f0034485ab69fce63754863d5ea7

Download Submit
C:\Windows\System32\IdFtevK.exe

Filesize
2.0MB

MD5
7fc1fc9d1480a3deb0bfce123957123f

SHA1
c696c5943f30bc4ccef8a35393372aa53c22968e

SHA256
f92e80d1d437f20573399a87a368e8cf765ed1f509122759b08f9938f47f31f9

SHA512
27c874a9bc0127ce40d3c21b884d746cb729de05bf689d7550a3df1b82c259d35f9a082a4395d31d5c552d2da4b105071264acc62e552e69f272b8b750664122

Download Submit
C:\Windows\System32\KiVzHsQ.exe

Filesize
2.0MB

MD5
6ddbbc9561f3dc2eac9db652420b6775

SHA1
3d844e903bd057decb97858fb523124c70d25608

SHA256
a6ad6da2123afc37743344c30b8be24678d4f9bfec5a0acf59380f7887a9f8cc

SHA512
569258f98f1a8d69632e23185f1a17c93efaa8f637219bf2e6de301d127ce5ef8e5f6a6cfc5d5e2ead2cd32307ce01e2b9ed2f53e28bfe8ad6fafa2ca66029f1

Download Submit
C:\Windows\System32\LKDApNS.exe

Filesize
2.0MB

MD5
6286760d9ca1d244b78437f5dbc60734

SHA1
35a5b69aad63ff090399093275236d57dd98629f

SHA256
c4a203e0a8cd39f92a4f5546604565bfac44d42209a778d9582fd6b032dcc45e

SHA512
da07b232fbc32c4d692d5b6839d8b5592219153ebb3535f2c3de884c1238b4ecf4f3285f1c738c80ca1374e7a6e2f28e09d4dfd266fb1a48a99f59592d4b053c

Download Submit
C:\Windows\System32\LXzpJOR.exe

Filesize
2.0MB

MD5
3b1c9ee708ddfc3d74de898ed414a187

SHA1
456aa712478a1f4fe8b4be0272cf652a21fcf51d

SHA256
1a9c70b85706598b101262ca4246c32a262156ff886ecb2a02c16bd8bdb2c5cf

SHA512
94bd989412ff0de223b7e3997c13e71aa86d7ba9b3a317b415ac5f08a502232455ecac5efd9d4dafeee7de6127386a7aa401acec16f8537d726337a1796a3557

Download Submit
C:\Windows\System32\MXtCDDT.exe

Filesize
2.0MB

MD5
c1f737e290d4a1dcaa3d9259445f4fdd

SHA1
31550dfc76f64bb66549712e4ff15545fc211894

SHA256
c444064f531175dc9d13dc21999950d12408bd0166b675264148f38e8b4fcb08

SHA512
a1c6846cb9c2ac3daf50d38535e7a464dc539021412b35d1d7acfd44b731fae1572eab9a13a3f3e710ae7b2e7dac745f89c3822db8f96c3277de5a534afbf0f9

Download Submit
C:\Windows\System32\PdzSdfv.exe

Filesize
2.0MB

MD5
4cbcd0453bcd7e946f44a7d3e9589378

SHA1
6ccdad4643bb003a409645c6360c0434bcadc2f8

SHA256
b4998ed02f91760bd2466d272a7f4f4190aef704aa843a3db3a54a53c4299ed3

SHA512
1d7ba51e1ed420af1f13cdf8e5df7490a0d77f92d56e3826de8d15326f6b15de50a2b72b354e42bdab4ca7942d85c83dabea646c211e1800a9eb2419ef6c8245

Download Submit
C:\Windows\System32\PpNUBbv.exe

Filesize
2.0MB

MD5
cdac323fe3305e8de495b8a20d50581d

SHA1
a02edbda0c0f1911a2d3970980ae3ddd711d6b0d

SHA256
bec8d1dd995c672f833b22e3b687424e33208e8d36bb3a9c65bac10ea2eda025

SHA512
b678e2ff79545b0819e20130519a445b9166bafb867774cee97cc45daeed027dd53a07e51e51964403790a6b80ec3c9742b7a74176c432e257b9291d7187c1cf

Download Submit
C:\Windows\System32\PunRUql.exe

Filesize
2.0MB

MD5
b97eed92f3101d51e234c349d434a511

SHA1
e5dbf489fe58747ce4ae20de572c74a2d6bdc777

SHA256
32335759564a26e785e70b95627da5795d060969c0213e4b1e43f97fb1b1aba6

SHA512
ff60364b566541588a7ee1f2ef9b5afadb56811517cadf494c1e5fb16b7654447a5883233c32b95036feab16d6b0ffa0b5586bef17616b178231b1e660bab8e9

Download Submit
C:\Windows\System32\TJtiFMG.exe

Filesize
2.0MB

MD5
d63c2dd89efc83a78031aa220bbff14f

SHA1
4faae34b01420ab8383a350db1f1f8b5ff7dc371

SHA256
e492a25954c179363af745371b6ad6bd0f71f670dcc33e117824e79b9cec31b7

SHA512
abd71bcf8614127fd44cda0d54b87c3e2c642f337cab380f09fbf9f572cdb4c20b2998abcf79bf481b42c7ca9e6991d9eccc12ede6a093cfd622d3ffc3659308

Download Submit
C:\Windows\System32\YUjwFng.exe

Filesize
2.0MB

MD5
af6e7979af98e5ebec4027f0ff644ceb

SHA1
c4fae53c5f93e265e780840774c7090068376464

SHA256
926b361ef3b13f3ec8ce0ecf91c8ad3605f19baa29cdd922dae0686d75e9e55d

SHA512
f9a2adb74cc0e569089952ccecf80963a7fe4dbaf220353d52527b61dcc3358f31223fecd6677d06e54447bcc12d3fa6722fd1a4b8d6464ab618e116e1da6868

Download Submit
C:\Windows\System32\bMFuCam.exe

Filesize
2.0MB

MD5
713796d6c66ad68b3c3ae73f8253d983

SHA1
17b618781125dbb4c9bc033a15a86071636366f8

SHA256
2e49815bdb203dc3a0a4ae5ec736a876e43929417082e4d17fa05188f8ba590c

SHA512
feea1491e6a3b94c7de8c413ee78d6d0f2a42056c7c09e8cba2de2a9e6182f569665aeb28418168463f37fff836fbf0080c5824e4a84ef366443a85cc13eb5bf

Download Submit
C:\Windows\System32\bWnxQDM.exe

Filesize
2.0MB

MD5
bfc4cd19a1167e855631a65a284c1a3b

SHA1
896553002915b21e2b2c702f9b591a93f1805259

SHA256
2f54caa24d999d937b45d84d049d634464495524d3eadfc579946830ef1c3a9a

SHA512
2b9f3cd7cedb289a84a4b57b8c74daf2455f0f0a521a80ac7bad529705af900d840aa1d0f8daffc507790cc5555a4ea6c497e9b3a7b8a3fa1c587169583470e6

Download Submit
C:\Windows\System32\egvvTSz.exe

Filesize
2.0MB

MD5
bed066033331bf0c98dbb41a978313a1

SHA1
071a6c98ea20093a52abb53760aae325a849b268

SHA256
8ffa93de610ad0a0d39a7f3ec3962742d8a84da836eb6f1abd28462f743ab788

SHA512
44a21062fa74565123a6b3c1a50a5d7a07d94de5dd7f71e3cd4aca8e52a47d840901199c620957a9145f3ade5e448ca9677d9e187fc30e67a2eba6a46859d08c

Download Submit
C:\Windows\System32\fVQbdli.exe

Filesize
2.0MB

MD5
87296ca33b04604d80aa205a0014fce6

SHA1
86e2e9dda480ecbcc364ec41f3c255f4e156e32f

SHA256
802bdfe5bd31ab4840ee31bd7ba11fc591eaa7f1fe7f7137227f18261702a87d

SHA512
cd847227cc904bd3f3175367e0b8d2882cbc0165abec2e96b1622aab988645d3f86cdcd24895e255bc65496d1a506f89ed2412bba1f85e61091594d86835f17e

Download Submit
C:\Windows\System32\gihFEWL.exe

Filesize
2.0MB

MD5
8267d44f721e309e5b22c0549b47c362

SHA1
f9352a29fc227c40424c1b0e92f5df2c58b0712f

SHA256
a728f6e46fa474e0e9d7a31fd88d124e6610709fd584afeb6dc36f5df8851414

SHA512
8a5862f9fef8cc034d9a068099b6bb837749f2baa40008e2337e6e4796c4aa0e8c25dc25b84aaab5b97ab319279d5dda3ef4a5a8334ce97cdd504a5326e9b007

Download Submit
C:\Windows\System32\iORhboL.exe

Filesize
2.0MB

MD5
0f5f02950ca6d9a220a1b75878215a0a

SHA1
97861681e0cd540bf146a1c81206032fe94184de

SHA256
47733a13ccf4812455b7887ef2a2ade05cc476fc9f6f8b85c207ce6e3fc324ef

SHA512
2c2f2b7fc383456ebd1a2fc5cc0f154f17005fc5c32424f4183cfa4f99f043af28b60be8140b91c2b3a02ed601bfb66776ac2aaf182791ab259a437e1475602a

Download Submit
C:\Windows\System32\lMKpjfN.exe

Filesize
2.0MB

MD5
a42f5941138736dbde1653c5afd0932e

SHA1
2b4ecc4a46e64f29d9189d93597d854e1ea7cf70

SHA256
67e15091aad3c8ca6c0bb15230d666a281f185c6b73abdf522909a19643730e8

SHA512
4264357e526fd235ca325c265988a0a64b4d56a8cfff63ba1ef8a2e9d629ade7f2d0df756181142aceb857c86054ffec8978c20b16710739b2e6bb7fc83d8581

Download Submit
C:\Windows\System32\lOfKtSY.exe

Filesize
2.0MB

MD5
f3557e4eed255a29d806a6fcff507a04

SHA1
10da2d434c057c4a0fc72e99c25c386d86d6fa6f

SHA256
7280bbd7befbef72a86c33b2e243f8fffabd2b6494a5d34c125fd798527f7718

SHA512
6b84b8b931a77c02a3ca2ac5e7beac4d24844f19f9c98f08a2fc9ad792b9928ce03a3a8f5a13df9be32d98e2aa596414b5254a61847ec5c8c9bf6d14db342eec

Download Submit
C:\Windows\System32\lfAhUWV.exe

Filesize
2.0MB

MD5
92038c672eba352e9bd7fc9c5decfd82

SHA1
7d7d0ace8b6cdb9667299c39e9a70ce352b0df67

SHA256
e2d6ac5bc27af31b6c82b80ce0bb085edc5bf4c0887166b78de512d84a07b65a

SHA512
431f0ff9059f9ea26223735c499155a8edab9eae4280bd74ae22e4a6c296608e570a6147d96f8c077e15583c76528220916d36088b20df0b8e3c13fee8ff70c8

Download Submit
C:\Windows\System32\ljyMJMH.exe

Filesize
2.0MB

MD5
1570563919f2a2e12753596035f6bcae

SHA1
8cdf8cbb9b3c8a868a4e0db0cc76fffd32f6b329

SHA256
726cfe6cae4be152fad10ace7af648565b25c3578e5c76b38788df6cc3660f7c

SHA512
78759bfa69b70d0723be896d4214b3dfd24b5513a167b39dacc11ecddc927ff54a4583d8b6f596c5ebf56a377587f377db64cac6e4d3f0b76b2abb304c7c510f

Download Submit
C:\Windows\System32\tIkTWOf.exe

Filesize
2.0MB

MD5
96a2f75826a2835a73045b54c62b7d88

SHA1
166c79e0a8ded89b8b0fc4b1f1050da2186e064e

SHA256
da3291814b6464c6f8b88a614355e6f90271d400b5fae747561206653adfd5cc

SHA512
9695e56495ab8754b5d20a0a2ff5ef2e125e4f5af5a8d0b9b23c59e047c07ec538aa84a68981db9fe83995f3bd6a05fb036d98a7716d71c0615ea550fe51f487

Download Submit
C:\Windows\System32\uxVjSRY.exe

Filesize
2.0MB

MD5
f93ebe09495a1164889ce61d0c4cd8d1

SHA1
a3c19c49bdb3f714ad6ffb95aef933b8c9b19412

SHA256
6f3dc14a1f6b01ef8c714edae826cf926715fb07451c03920a8934b86a951492

SHA512
04e3d5d6186018ce4ffbe806f5a7be340f5b9a22389ec02827825814ed43942d828f5ce5d323fab5c6e03396ff7dac78c9d3d70577aa40d0be0bb777845e0cd4

Download Submit
C:\Windows\System32\wgtoSYY.exe

Filesize
2.0MB

MD5
d91098ffe037403b5df6ac1f4cf66634

SHA1
e82184968d81784d6ee52c90c26a174d2c335081

SHA256
b2514c13272482c6266f3421ab137fd1a0e275272e089419a28fe66c0d2111f2

SHA512
afe6e0537c93cbe55fa7298f295c864b4da38ada857c513b089b8446976dfbe2ea61596823facc7643e3b5b7ca12102885fe482d8edc02a25d06ba98ec26faaf

Download Submit
memory/384-1980-0x00007FF6EEA90000-0x00007FF6EEE81000-memory.dmp

Filesize
3.9MB

Download
memory/384-0-0x00007FF6EEA90000-0x00007FF6EEE81000-memory.dmp

Filesize
3.9MB

Download
memory/384-1-0x0000015336530000-0x0000015336540000-memory.dmp

Filesize
64KB

Download
memory/464-518-0x00007FF746870000-0x00007FF746C61000-memory.dmp

Filesize
3.9MB

Download
memory/464-2015-0x00007FF746870000-0x00007FF746C61000-memory.dmp

Filesize
3.9MB

Download
memory/548-2027-0x00007FF6C1560000-0x00007FF6C1951000-memory.dmp

Filesize
3.9MB

Download
memory/548-531-0x00007FF6C1560000-0x00007FF6C1951000-memory.dmp

Filesize
3.9MB

Download
memory/932-2041-0x00007FF6A24F0000-0x00007FF6A28E1000-memory.dmp

Filesize
3.9MB

Download
memory/932-556-0x00007FF6A24F0000-0x00007FF6A28E1000-memory.dmp

Filesize
3.9MB

Download
memory/1384-2038-0x00007FF647210000-0x00007FF647601000-memory.dmp

Filesize
3.9MB

Download
memory/1384-547-0x00007FF647210000-0x00007FF647601000-memory.dmp

Filesize
3.9MB

Download
memory/1536-2022-0x00007FF78B580000-0x00007FF78B971000-memory.dmp

Filesize
3.9MB

Download
memory/1536-524-0x00007FF78B580000-0x00007FF78B971000-memory.dmp

Filesize
3.9MB

Download
memory/2232-2034-0x00007FF7E2730000-0x00007FF7E2B21000-memory.dmp

Filesize
3.9MB

Download
memory/2232-562-0x00007FF7E2730000-0x00007FF7E2B21000-memory.dmp

Filesize
3.9MB

Download
memory/2344-541-0x00007FF7BC7C0000-0x00007FF7BCBB1000-memory.dmp

Filesize
3.9MB

Download
memory/2344-2029-0x00007FF7BC7C0000-0x00007FF7BCBB1000-memory.dmp

Filesize
3.9MB

Download
memory/2408-2042-0x00007FF66A3F0000-0x00007FF66A7E1000-memory.dmp

Filesize
3.9MB

Download
memory/2408-582-0x00007FF66A3F0000-0x00007FF66A7E1000-memory.dmp

Filesize
3.9MB

Download
memory/2488-2036-0x00007FF6CD500000-0x00007FF6CD8F1000-memory.dmp

Filesize
3.9MB

Download
memory/2488-552-0x00007FF6CD500000-0x00007FF6CD8F1000-memory.dmp

Filesize
3.9MB

Download
memory/2532-12-0x00007FF6E5330000-0x00007FF6E5721000-memory.dmp

Filesize
3.9MB

Download
memory/2532-2002-0x00007FF6E5330000-0x00007FF6E5721000-memory.dmp

Filesize
3.9MB

Download
memory/2552-2011-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp

Filesize
3.9MB

Download
memory/2552-35-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp

Filesize
3.9MB

Download
memory/2552-1978-0x00007FF71B3B0000-0x00007FF71B7A1000-memory.dmp

Filesize
3.9MB

Download
memory/2588-2044-0x00007FF750410000-0x00007FF750801000-memory.dmp

Filesize
3.9MB

Download
memory/2588-578-0x00007FF750410000-0x00007FF750801000-memory.dmp

Filesize
3.9MB

Download
memory/2820-2046-0x00007FF6419D0000-0x00007FF641DC1000-memory.dmp

Filesize
3.9MB

Download
memory/2820-568-0x00007FF6419D0000-0x00007FF641DC1000-memory.dmp

Filesize
3.9MB

Download
memory/2892-2008-0x00007FF7909F0000-0x00007FF790DE1000-memory.dmp

Filesize
3.9MB

Download
memory/2892-29-0x00007FF7909F0000-0x00007FF790DE1000-memory.dmp

Filesize
3.9MB

Download
memory/3136-535-0x00007FF7B46C0000-0x00007FF7B4AB1000-memory.dmp

Filesize
3.9MB

Download
memory/3136-2026-0x00007FF7B46C0000-0x00007FF7B4AB1000-memory.dmp

Filesize
3.9MB

Download
memory/3192-542-0x00007FF68ABC0000-0x00007FF68AFB1000-memory.dmp

Filesize
3.9MB

Download
memory/3192-2032-0x00007FF68ABC0000-0x00007FF68AFB1000-memory.dmp

Filesize
3.9MB

Download
memory/3312-2023-0x00007FF6CCE50000-0x00007FF6CD241000-memory.dmp

Filesize
3.9MB

Download
memory/3312-529-0x00007FF6CCE50000-0x00007FF6CD241000-memory.dmp

Filesize
3.9MB

Download
memory/3560-2004-0x00007FF6F3FD0000-0x00007FF6F43C1000-memory.dmp

Filesize
3.9MB

Download
memory/3560-1963-0x00007FF6F3FD0000-0x00007FF6F43C1000-memory.dmp

Filesize
3.9MB

Download
memory/3560-16-0x00007FF6F3FD0000-0x00007FF6F43C1000-memory.dmp

Filesize
3.9MB

Download
memory/3940-34-0x00007FF6A9D60000-0x00007FF6AA151000-memory.dmp

Filesize
3.9MB

Download
memory/3940-1977-0x00007FF6A9D60000-0x00007FF6AA151000-memory.dmp

Filesize
3.9MB

Download
memory/3940-2172-0x00007FF6A9D60000-0x00007FF6AA151000-memory.dmp

Filesize
3.9MB

Download
memory/4828-2006-0x00007FF6B5790000-0x00007FF6B5B81000-memory.dmp

Filesize
3.9MB

Download
memory/4828-27-0x00007FF6B5790000-0x00007FF6B5B81000-memory.dmp

Filesize
3.9MB

Download
memory/4848-2030-0x00007FF70DA90000-0x00007FF70DE81000-memory.dmp

Filesize
3.9MB

Download
memory/4848-519-0x00007FF70DA90000-0x00007FF70DE81000-memory.dmp

Filesize
3.9MB

Download
memory/4992-521-0x00007FF66C640000-0x00007FF66CA31000-memory.dmp

Filesize
3.9MB

Download
memory/4992-2017-0x00007FF66C640000-0x00007FF66CA31000-memory.dmp

Filesize
3.9MB

Download
memory/5008-517-0x00007FF69A350000-0x00007FF69A741000-memory.dmp

Filesize
3.9MB

Download
memory/5008-2012-0x00007FF69A350000-0x00007FF69A741000-memory.dmp

Filesize
3.9MB

Download
memory/5060-520-0x00007FF6A2F10000-0x00007FF6A3301000-memory.dmp

Filesize
3.9MB

Download
memory/5060-2019-0x00007FF6A2F10000-0x00007FF6A3301000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads